Exhibits on file: manuals

| Document | Exhibit type | Size |
|---|---|---|
| Extreme Wireless V10.41.06 User Guide Part 1 | Users Manual | 5.50 MiB |
| Extreme Wireless V10.41.06 User Guide Part 2 | Users Manual | 5.49 MiB |
| Extreme Wireless V10.41.06 User Guide Part 3 | Users Manual | 5.49 MiB |
| Extreme Wireless V10.41.06 User Guide Part 4 | Users Manual | 1.19 MiB |
| User Manual-AP3917e | Users Manual | 718.51 KiB |
| User Manual-AP3917e R1 | Users Manual | 230.56 KiB |
| User Manual-AP7662 | Users Manual | 769.21 KiB |
| User Manual-AP7662 R1 | Users Manual | 246.13 KiB |
| WiNG 5.9.1 CLI Reference Guide Part 1 | Users Manual | 5.50 MiB |
| WiNG 5.9.1 CLI Reference Guide Part 2 | Users Manual | 5.11 MiB |
| WiNG 5.9.1 System Reference Guide Part 1 | Users Manual | 5.50 MiB |
| WiNG 5.9.1 System Reference Guide Part 2 | Users Manual | 5.50 MiB |
| WiNG 5.9.1 System Reference Guide Part 3 | Users Manual | 5.48 MiB |
| WiNG 5.9.1 System Reference Guide Part 4 | Users Manual | 753.64 KiB |

Other exhibits on file (titles not listed on this page): Cover Letter(s) (8), Attestation Statements (1), RF Exposure Info (2), Test Report (8), Test Setup Photos (3), External Photos (2), Internal Photos (1), ID Label/Location Info (1).
Extracted text of: Extreme Wireless V10.41.06 User Guide Part 1 (Users Manual, 5.50 MiB)
ExtremeWireless V10.41.06 User Guide (Draft)
9035198-03-REV01
Published April 2018
Copyright 2018 Extreme Networks, Inc. All rights reserved.

Legal Notice

Extreme Networks, Inc. reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks

Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see: www.extremenetworks.com/company/legal/trademarks

Software Licensing

Some software files have been licensed under certain open source or third-party licenses. End-user license agreements and open source declarations can be found at: www.extremenetworks.com/support/policies/software-licensing

Support

For product support, phone the Global Technical Assistance Center (GTAC) at 1-800-998-2408 (toll-free in U.S. and Canada) or +1-408-579-2826. For the support phone number in other countries, visit: http://www.extremenetworks.com/support/contact/

For product documentation online, visit: https://www.extremenetworks.com/documentation/
Table of Contents

Preface (page 7)
  Text Conventions (page 7)
  Safety Information (page 7)
  Sicherheitshinweise (Safety Information, German) (page 8)
  Consignes de sécurité (Safety Information, French) (page 9)
  Providing Feedback to Us (page 10)
  Getting Help (page 11)
  Extreme Networks Documentation (page 11)
Chapter 1: About This Guide (page 12)
  Who Should Use This Guide (page 12)
  How to Use This Guide (page 12)
Chapter 2: Overview of the ExtremeWireless Solution (page 14)
  Introduction (page 14)
  Conventional Wireless LANs (page 15)
  Elements of the ExtremeWireless Solution (page 15)
  ExtremeWireless and Your Network (page 19)
  ExtremeWireless Appliance Product Family (page 29)
Chapter 3: Configuring the ExtremeWireless Appliance (page 31)
  System Configuration Overview (page 31)
  Logging on to the ExtremeWireless Appliance (page 33)
  Wireless Assistant Home Screen (page 34)
  Working with the Basic Installation Wizard (page 39)
  Configuring the ExtremeWireless Appliance for the First Time (page 45)
  Using a Third-party Location-based Solution (page 95)
  Additional Ongoing Operations of the System (page 99)
Chapter 4: Configuring the ExtremeWireless APs (page 101)
  Wireless AP Overview (page 101)
  Discovery and Registration (page 120)
  Viewing a List of All APs (page 125)
  Wireless AP Default Configuration (page 134)
  Configuring Wireless AP Properties (page 156)
  Outdoor Access Point Installation (page 167)
  Assigning Wireless AP Radios to a VNS (page 168)
  Configuring Wireless AP Radio Properties (page 174)
  Configuring IoT Applications (page 189)
  Setting Up the Wireless AP Using Static Configuration (page 199)
  Setting Up 802.1x Authentication for a Wireless AP (page 203)
  Configuring Co-Located APs in Load Balance Groups (page 213)
  Configuring an AP Cluster (page 220)
  Configuring an AP as a Guardian (page 221)
  Configuring a Captive Portal on an AP (page 222)
  AP3916ic Integrated Camera Deployment (page 226)
  Performing AP Software Maintenance (page 235)
  Understanding the ExtremeWireless LED Status (page 242)
Chapter 5: Configuring Topologies (page 262)
  Topology Overview (page 262)
  Configuring the Admin Port (page 263)
  Configuring a Basic Data Port Topology (page 266)
  Creating a Topology Group (page 270)
  Edit or Delete a Topology Group (page 271)
  Enabling Management Traffic (page 272)
  Layer 3 Configuration (page 272)
  Exception Filtering (page 278)
  Multicast Filtering (page 281)
Chapter 6: Configuring Roles (page 284)
  Roles Overview (page 284)
  Configuring Default VLAN and Class of Service for a Role (page 284)
  Policy Rules (page 288)
Chapter 7: Configuring WLAN Services (page 318)
  WLAN Services Overview (page 318)
  Third-party AP WLAN Service Type (page 319)
  Configuring a Basic WLAN Service (page 319)
  Configuring Privacy (page 327)
  Configuring Accounting and Authentication (page 334)
  Configuring QoS Modes (page 370)
  Configuring Hotspots (page 376)
Chapter 8: Configuring a VNS (page 390)
  Configuring a VNS (page 390)
  VNS Global Settings (page 392)
  Methods for Configuring a VNS (page 423)
  Manually Creating a VNS (page 423)
  Creating a VNS Using the Wizard (page 426)
  Enabling and Disabling a VNS (page 485)
  Renaming a VNS (page 486)
  Deleting a VNS (page 486)
Chapter 9: Configuring Classes of Service (page 487)
  Classes of Service Overview (page 487)
  Configuring Classes of Service (page 487)
  CoS Rule Classification (page 490)
  Priority and ToS/DSCP Marking (page 491)
  Rate Limiting (page 492)
Chapter 10: Configuring Sites (page 494)
  VNS Sites Overview (page 494)
  Configuring Sites (page 494)
  Recommended Deployment Guidelines (page 495)
  Radius Configuration (page 499)
  Selecting AP Assignments (page 500)
  Selecting WLAN Assignments (page 501)
Chapter 11: Working with a Mesh Network (page 502)
  About Mesh (page 502)
  Simple Mesh Configuration (page 502)
  Wireless Repeater Configuration (page 503)
  Wireless Bridge Configuration (page 504)
  Examples of Deployment (page 505)
  Mesh WLAN Services (page 505)
  Key Features of Mesh (page 509)
  Deploying the Mesh System (page 511)
  Changing the Pre-shared Key in a Mesh WLAN Service (page 517)
Chapter 12: Working with a Wireless Distribution System (page 518)
  About WDS (page 518)
  Simple WDS Configuration (page 518)
  Wireless Repeater Configuration (page 519)
  Wireless Bridge Configuration (page 520)
  Examples of Deployment (page 521)
  WDS WLAN Services (page 521)
  Key Features of WDS (page 525)
  Deploying the WDS System (page 528)
  Changing the Pre-shared Key in a WDS WLAN Service (page 536)
Chapter 13: Availability and Session Availability (page 537)
  Availability (page 537)
  Session Availability (page 545)
  Viewing SLP Activity (page 553)
Chapter 14: Configuring Mobility (page 555)
  Mobility Overview (page 555)
  Mobility Domain Topologies (page 556)
  Configuring a Mobility Domain (page 558)
Chapter 15: Working with Third-party APs (page 561)
  Defining Authentication by Captive Portal for the Third-party AP WLAN Service (page 561)
  Defining the Third-party APs List (page 561)
  Defining Policy Rules for the Third-party APs (page 561)
Chapter 16: Working with ExtremeWireless Radar (page 563)
  Radar Overview (page 563)
  Radar Components (page 564)
  Radar License Requirements (page 565)
  Enabling the Analysis Engine (page 565)
  Radar Scan Profiles (page 566)
  AirDefense Profile (page 567)
  Viewing Existing Radar Profiles (page 571)
  Adding a New Radar Profile (page 573)
  Configuring an In-Service Scan Profile (page 574)
  Configuring a Guardian Scan Profile (page 577)
  Assigning an AP to a Profile (page 581)
  Viewing the List of Assigned APs (page 581)
  Maintaining the Radar List of APs (page 582)
  Working with Radar Reports (page 593)
Chapter 17: Working with Location Engine (page 605)
  Location Engine Overview (page 605)
  Location Engine on the Controller (page 607)
  Deploying APs for Location Aware Services (page 608)
  Configuring the Location Engine (page 609)
  ExtremeLocation Support (page 619)
Chapter 18: Working with Reports and Statistics (page 621)
  Application Visibility and Device ID (page 621)
  Viewing AP Reports and Statistics (page 627)
  Available Client Reports (page 642)
  Viewing Role Filter Statistics (page 646)
  Viewing Topology Reports (page 648)
  Viewing Mobility Reports (page 650)
  Viewing Controller Status Information (page 654)
  Viewing Routing Protocol Reports (page 657)
  Viewing RADIUS Reports (page 660)
  Call Detail Records (CDRs) (page 663)
Chapter 19: Performing System Administration (page 669)
  Performing Wireless AP Client Management (page 669)
  Defining Wireless Assistant Administrators and Login Groups (page 673)
Chapter 20: Logs, Traces, Audits and DHCP Messages (page 676)
  ExtremeWireless Appliance Messages (page 676)
  Working with Logs (page 676)
  Viewing Wireless AP Traces (page 684)
  Viewing Audit Messages (page 684)
  Viewing the DHCP Messages (page 685)
  Viewing the NTP Messages (page 686)
  Viewing Software Upgrade Messages (page 687)
  Viewing Configuration Restore/Import Messages (page 689)
Chapter 21: Working with GuestPortal Administration (page 690)
  About GuestPortals (page 690)
  Adding New Guest Accounts (page 690)
  Enabling or Disabling Guest Accounts (page 693)
  Editing Guest Accounts (page 693)
  Removing Guest Accounts (page 694)
  Importing and Exporting a Guest File (page 695)
  Viewing and Printing a GuestPortal Account Ticket (page 698)
  Working with the Guest Portal Ticket Page (page 700)
  Configuring Guest Password Patterns (page 701)
  Configuring Web Session Timeouts (page 704)
Appendix A: Regulatory Information (page 705)
  ExtremeWireless APs 37XX, 38XX, and 39XX (page 705)
Appendix B: Default GuestPortal Ticket Page (page 706)
  Example Ticket Page (page 706)
Glossary (page 709)

Preface

This section discusses the conventions used in this guide, ways to provide feedback, additional help, and other Extreme Networks publications.

Text Conventions

The following tables list text conventions that are used throughout this guide.

Table 1: Notice Icons

| Notice Type | Alerts you to... |
|---|---|
| General Notice | Helpful tips and notices for using the product. |
| Note | Important features or instructions. |
| Caution | Risk of personal injury, system damage, or loss of data. |
| Warning | Risk of severe personal injury. |
| New Content ("New!" icon) | Displayed next to new content. This is searchable text within the PDF. |

Table 2: Text Conventions

| Convention | Description |
|---|---|
| Screen displays | This typeface indicates command syntax, or represents information as it appears on the screen. |
| The words enter and type | When you see the word enter in this guide, you must type something, and then press the Return or Enter key. Do not press the Return or Enter key when an instruction simply says type. |
| [Key] names | Key names are written with brackets, such as [Return] or [Esc]. If you must press two or more keys simultaneously, the key names are linked with a plus sign (+). Example: Press [Ctrl]+[Alt]+[Del] |
| Words in italicized type | Italics emphasize a point or denote new terms at the place where they are defined in the text. Italics are also used when referring to publication titles. |

Safety Information

Dangers

- Replace the power cable immediately if it shows any sign of damage.
- Replace any damaged safety equipment (covers, labels and protective cables) immediately.
- Use only original accessories or components approved for the system. Failure to observe these instructions may damage the equipment or even violate safety and EMC regulations.
- Only authorized Extreme Networks service personnel are permitted to service the system.

Warnings

- This device must not be connected to a LAN segment with outdoor wiring.
- Ensure that all cables are run correctly to avoid strain.
- Replace the power supply adapter immediately if it shows any sign of damage.
- Disconnect all power before working near power supplies unless otherwise instructed by a maintenance procedure.
- Exercise caution when servicing hot swappable components: power supplies or fans. Rotating fans can cause serious personal injury.
- There is a risk of explosion if a lithium battery is not correctly replaced. The lithium battery must be replaced only by an identical battery or one recommended by the manufacturer. Always dispose of lithium batteries properly.
- Do not attempt to lift objects that you think are too heavy for you.
- This unit may have more than one power supply cord. To avoid electrical shock, disconnect all power supply cords before servicing.
- In the case of unit failure of one of the power supply modules, the module can be replaced without interruption of power to the ExtremeWireless Appliance. However, this procedure must be carried out with caution. Wear gloves to avoid contact with the module, which will be extremely hot.

Cautions

- Check the nominal voltage set for the equipment (operating instructions and type plate).
- High voltages capable of causing shock are used in this equipment. Exercise caution when measuring high voltages and when servicing cards, panels, and boards while the system is powered on.
- Lay cables so as to prevent any risk of them being damaged or causing accidents, such as tripping.
- Only use tools and equipment that are in perfect condition. Do not use equipment with visible damage.
- To protect electrostatic sensitive devices (ESD), wear a wristband before carrying out any work on hardware.

Sicherheitshinweise (Safety Information in German)

The German version of the Safety Information above: the same Dangers (Gefahrenhinweise), Warnings (Warnhinweise) and Cautions (Vorsichtshinweise), with the ExtremeWireless Appliance referred to as the Wireless Controller.

Consignes de sécurité (Safety Information in French)

The French version of the Safety Information above: the same Dangers, Warnings (Avertissements) and Cautions (Précautions), with the ExtremeWireless Appliance referred to as the Wireless Controller.

Providing Feedback to Us

We are always striving to improve our documentation and help you work better, so we want to hear from you! We welcome all feedback but especially want to know about:

- Content errors or confusing or conflicting information.
- Ideas for improvements to our documentation so you can find the information you need faster.
- Broken links or usability issues.

If you would like to provide feedback to the Extreme Networks Information Development team about this document, please contact us using our short online feedback form. You can also email us directly at internalinfodev@extremenetworks.com.

Getting Help

If you require assistance, contact Extreme Networks using one of the following methods:
- GTAC (Global Technical Assistance Center) for Immediate Support
  - Phone: 1-800-998-2408 (toll-free in U.S. and Canada) or +1 408-579-2826. For the support phone number in your country, visit: www.extremenetworks.com/support/contact
  - Email: support@extremenetworks.com. To expedite your message, enter the product name or model number in the subject line.
- Extreme Portal: Search the GTAC knowledge base, manage support cases and service contracts, download software, and obtain product licensing, training, and certifications.
- The Hub: A forum for Extreme customers to connect with one another, answer questions, and share ideas and feedback. This community is monitored by Extreme Networks employees, but is not intended to replace specific guidance from GTAC.

Before contacting Extreme Networks for technical support, have the following information ready:

- Your Extreme Networks service contract number and/or serial numbers for all involved Extreme Networks products
- A description of the failure
- A description of any action(s) already taken to resolve the problem
- A description of your network environment (such as layout, cable type, other relevant environmental information)
- Network load at the time of trouble (if known)
- The device history (for example, if you have returned the device before, or if this is a recurring problem)
- Any related RMA (Return Material Authorization) numbers

Extreme Networks Documentation

To find Extreme Networks product guides, visit our documentation pages at:

- Current Product Documentation: www.extremenetworks.com/documentation/
- Archived Documentation (for earlier versions and legacy products): www.extremenetworks.com/support/documentation-archives/
- Release Notes: www.extremenetworks.com/support/release-notes

Open Source Declarations

Some software files have been licensed under certain open source licenses. More information is available at: www.extremenetworks.com/support/policies/software-licensing.

1 About This Guide

- Who Should Use This Guide
- How to Use This Guide

This guide describes how to install, configure, and manage the Extreme Networks ExtremeWireless software. This guide is also available as an online help system. To access the online help, click Help in the ExtremeWireless Assistant top menu bar.

Who Should Use This Guide

This guide is a reference for system administrators who install and manage the ExtremeWireless system. Any administrator performing tasks described in this guide must have an account with administrative privileges.

How to Use This Guide

To locate information about various subjects in this guide, refer to the following table.

For... | Refer to...
---|---
An overview of the product, its features and functionality. | Overview of the ExtremeWireless Solution on page 14
Information about how to perform the installation, first time setup and configuration of the controller, as well as configuring the data ports and defining routing. | Configuring the ExtremeWireless Appliance on page 31
Information on how to install the ExtremeWireless AP, how it discovers and registers with the controller, and how to view and modify radio configuration. | Configuring the ExtremeWireless APs on page 101
An overview of topologies and detailed information about how to configure them. | Configuring Topologies on page 262
An overview of roles and detailed information about how to configure them. | Configuring Roles on page 284
An overview of WLAN (Wireless Local Area Network) services and detailed information about how to configure them. | Configuring WLAN Services on page 318
An overview of Virtual Network Services (VNS), with detailed instructions on how to configure a VNS, either using the Wizards or by manually creating the component parts of a VNS. | Configuring a VNS on page 390
Information about configuring CoS (Class of Service), a configuration entity containing QoS Marking (802.1p and ToS/DSCP), Inbound/Outbound Rate Limiting and Transmit Queue Assignments. | Configuring Classes of Service on page 487
Information about configuring Sites, a mechanism for grouping APs that refers to specific Roles, Classes of Service (CoS) and RADIUS servers that are grouped to form a single configuration. | Configuring Sites on page 494
An overview of Mesh networks and detailed information about how to create a Mesh network. | Working with a Mesh Network on page 502
An overview of a Wireless Distribution System (WDS) network configuration and detailed information about how to create a Mesh network. | Working with a Wireless Distribution System on page 518
Information on how to set up the features that maintain service availability in the event of a controller failover. | Availability and Session Availability on page 537
Information on how to set up the mobility domain that provides mobility for a wireless device user when the user roams from one ExtremeWireless AP to another in the mobility domain. | Configuring Mobility on page 555
Information on how to use the ExtremeWireless AP features with third-party wireless access points. | Working with Third-party APs on page 561
Information on the security tool that scans for, detects, provides countermeasures, and reports on rogue APs. | Working with ExtremeWireless Radar on page 563
Information on the various reports and displays available in the system. | Working with Reports and Statistics on page 621
Information on system administration activities, such as performing ExtremeWireless AP client management, defining management users, configuring the network time, and configuring Web session timeouts. | Performing System Administration on page 669
Information on how to view and interpret the logs, traces, audits and DHCP (Dynamic Host Configuration Protocol) messages. | Logs, Traces, Audits and DHCP Messages on page 676
Information on how to configure GuestPortal accounts. | Working with GuestPortal Administration on page 690
Regulatory information for the ExtremeWireless Appliances and the ExtremeWireless APs. | Regulatory Information on page 705
The default GuestPortal ticket page source code. | Default GuestPortal Ticket Page on page 706
A list of terms and definitions for the ExtremeWireless Appliance and the ExtremeWireless AP as well as standard industry terms used in this guide. | Glossary

Glossary terms are displayed as links in the text. Hover over a glossary term to display the definition, or click the link to go to the Glossary.

2 Overview of the ExtremeWireless Solution

- Introduction
- Conventional Wireless LANs
- Elements of the ExtremeWireless Solution
- ExtremeWireless and Your Network
- ExtremeWireless Appliance Product Family

Introduction

The ExtremeWireless system is a highly scalable Wireless Local Area Network (WLAN) solution. Based on a third generation WLAN topology, the ExtremeWireless system makes wireless practical for service providers as well as medium and large-scale enterprises.

The next generation of wireless networking devices provides a truly scalable WLAN solution. ExtremeWireless Access Points (APs, wireless APs) are fit access points controlled through a sophisticated network device, the controller. This solution provides the security and manageability required by enterprises and service providers for huge industrial wireless networks.

The ExtremeWireless controller provides a secure, highly scalable, cost-effective solution based on the IEEE 802.11 standard. The system is intended for enterprise networks operating on multiple floors in more than one building, and is ideal for public environments, such as airports and convention centers that require multiple access points.

The ExtremeWireless Appliance is a network device designed to integrate with an existing wired Local Area Network (LAN).
The rack-mountable controller provides centralized management, network access, and routing to wireless devices that use Wireless APs to access the network. It can also be configured to handle data traffic from third-party access points. This chapter provides an overview of the fundamental principles of the ExtremeWireless System.

The ExtremeWireless Appliance

The controller provides the following functionality:

- Controls and configures Wireless APs, providing centralized management.
- Authenticates wireless devices that contact a Wireless AP.
- Assigns each wireless device to a VNS when it connects.
- Routes traffic from wireless devices, using VNS, to the wired network.
- Applies filtering roles to the wireless device session.
- Provides session logging and accounting capability.

Conventional Wireless LANs

Wireless communication between multiple computers requires that each computer be equipped with a receiver/transmitter, a WLAN Network Interface Card (NIC), capable of exchanging digital information over a common radio frequency. This is called an ad hoc network configuration. An ad hoc network configuration allows wireless devices to communicate together. This setup is defined as an independent basic service set (IBSS).

An alternative to the ad hoc configuration is the use of an access point. This may be a dedicated hardware bridge or a computer running special software. Computers and other wireless devices communicate with each other through this access point. The 802.11 standard defines access point communications as devices that allow wireless devices to communicate with a distribution system. This setup is defined as a basic service set (BSS) or infrastructure network.

To allow the wireless devices to communicate with computers on a wired network, the access points must be connected to the wired network providing access to the networked computers. This topology is called bridging. With bridging, security and management scalability is often a concern.

Figure 1: Standard Wireless Network Solution Example

The wireless devices and the wired networks communicate with each other using standard networking protocols and addressing schemes. Most commonly, Internet Protocol (IP) addressing is used.

Elements of the ExtremeWireless Solution

The ExtremeWireless solution consists of two devices:

- ExtremeWireless Appliance
- ExtremeWireless AP

This architecture allows a single controller to control many APs, making the administration and management of large networks much easier. There can be several controllers in the network, each with a set of registered APs. The controllers can also act as backups to each other, providing stable network availability.

In addition to the controllers and APs, the solution requires three other components, all of which are standard for enterprise and service provider networks:

- RADIUS Server (Remote Access Dial-In User Service) or other authentication server
- DHCP (Dynamic Host Configuration Protocol) Server. If you do not have a DHCP Server on your network, you can enable the local DHCP Server on the controller. The local DHCP Server is useful as a general purpose DHCP Server for small subnets. For more information, see Setting Up the Data Ports on page 51.
- SLP (Service Location Protocol)

Figure 2: ExtremeWireless Appliance Solution

As illustrated in Figure 2 (ExtremeWireless Appliance Solution), the ExtremeWireless Appliance appears to the existing network as if it were an access point, but in fact one controller controls many APs. The controller has built-in capabilities to recognize and manage the APs. The controller:

- Activates the APs
- Enables APs to receive wireless traffic from wireless devices
- Processes the data traffic from the APs
- Forwards or routes the processed data traffic out to the network
- Authenticates requests and applies access roles

Simplifying the APs makes them cost-effective, easy to manage, and easy to deploy. Putting control on an intelligent centralized controller enables:

- Centralized configuration, management, reporting, and maintenance
- High security
- Flexibility to suit enterprise
- Scalable and resilient deployments with a few controllers controlling hundreds of APs

The ExtremeWireless system:
- Scales up to Enterprise capacity. ExtremeWireless Appliances are scalable:

Appliance | Maximum APs | Maximum APs in Controller availability mode
---|---|---
C5215 | 1000 | 2000
C5210 | 1000 | 2000
C5110 | 525 | 1050
C4110 | 250 | 500
C25 | 50 | 100
C35 | 125 | 250
V2110 (Small Profile) | 50 | 100
V2110 (Medium Profile) | 250 | 500
V2110 (Large Profile) | 525 | 1050

- Integrates with existing network. A controller can be added to an existing enterprise network as a new network device, greatly enhancing its capability without interfering with existing functionality. Integration of the controllers and APs does not require any re-configuration of the existing infrastructure (for example, VLAN (Virtual LAN)s). In turn, each wireless AP can handle a mixture of secure and non-secure clients. AP per radio support is up to 200 clients, of which 127 are clients with security. With additional controllers, the number of wireless devices the solution can support can reach into the thousands.
- Integrates with the Extreme Networks Extreme Management Center Suite of products. For more information, see Extreme Networks Extreme Management Center Integration on page 18. Plug-in applications include: Inventory Manager, Automated Security Manager, NAC Manager, Role Control Console, and Policy Manager.
- Offers centralized management and control. An administrator accesses the controller in its centralized location to monitor and administer the entire wireless network. From the controller the administrator can recognize, configure, and manage the APs and distribute new software releases.
- Provides easy deployment of APs. The initial configuration of the APs on the centralized controller can be done with an automatic discovery technique.
- Provides security via user authentication. Uses existing authentication (AAA) servers to authenticate and authorize users.
- Provides security via filters and privileges. Uses virtual networking techniques to create separate virtual networks with defined authentication and billing services, access roles, and privileges.
- Supports seamless mobility and roaming. Supports seamless roaming of a wireless device from one wireless AP to another on the same controller or on a different controller.
- Integrates third-party access points. Uses a combination of network routing and authentication techniques.
- Prevents rogue devices. Unauthorized access points are detected and identified as either harmless or dangerous rogue APs.
- Provides accounting services. Logs wireless user sessions, user group activity, and other activity reporting, enabling the generation of consolidated billing records.
- Offers troubleshooting capability. Logs system and session activity and provides reports to aid in troubleshooting analysis.
- Offers dynamic RF management. Automatically selects channels and adjusts Radio Frequency (RF) signal propagation and power levels without user intervention.

Extreme Networks Extreme Management Center Integration

The ExtremeWireless solution now integrates with the Extreme Management Center suite of products, a collection of tools to help you manage networks. Its client/server architecture lets you manage your network from a single workstation or, for networks of greater complexity, from one or more client workstations. It is designed to facilitate specific network management tasks while sharing data and providing common controls and a consistent user interface.

The Extreme Management Center is a family of products comprising the Extreme Management Center Console and a suite of plug-in applications, including:

- Automated Security Manager: Automated Security Manager is a unique threat response solution that translates security intelligence into security enforcement. It provides sophisticated identification and management of threats and vulnerabilities. For information on how the ExtremeWireless solution integrates with the Automated Security Manager application, see the Maintenance Guide.
- NAC Manager: NAC Manager is a leading-edge NAC solution to ensure only the right users have access to the right information from the right place at the right time. The Extreme Networks NAC solution performs multi-user, multi-method authentication, vulnerability assessment and assisted remediation. For information on how the ExtremeWireless solution integrates with the Extreme Networks NAC solution, see NAC Integration with the Wireless WLAN on page 24.
- Inventory Manager: Inventory Manager is a tool for efficiently documenting and updating the details of the ever-changing network. For information on how the ExtremeWireless solution integrates with the Automated Security Manager application, see the Maintenance Guide.
- Policy Manager: Policy Manager recognizes the ExtremeWireless suite as role capable devices that accept partial configuration from Policy Manager. Currently this integration is partial in the sense that Extreme Management Center is unable to create WLAN services directly; the WLAN services need to be directly provisioned on the controller and are represented to Policy Manager as logical ports.

The ExtremeWireless Appliance allows Policy Manager to:
- Attach Topologies (assign VLAN to port) to the ExtremeWireless Appliance physical ports (Console).
- Attach role to the logical ports (WLAN Service/SSID), Assign a Default Role/Role to a WLAN Service, thus creating the VNS.
- Perform authentication operations which can then reference defined roles for station-specific role enforcement.

This can be seen as a three-step process:

1 Deploy the controller and perform local configuration. The ExtremeWireless Appliance ships with a default SSID, attached by default to all AP radios, when enabled. Use the basic installation wizard to complete the ExtremeWireless Appliance configuration.
2 Use Policy Manager to:
   - Push the VLAN list to the ExtremeWireless Appliance (Topologies)
   - Attach VLANs to ExtremeWireless Appliance physical ports (Console - Complete Topology definition)
   - Push RADIUS server configuration to the ExtremeWireless Appliance
   - Push role definitions to the ExtremeWireless Appliance
   - Attach the default role to create a VNS
3 Fine tune controller settings. For example, configuring filtering at APs and ExtremeWireless Appliance for a bridged at controller or routed topologies and associated VNSs.

Note: Complete information about integration with Policy Manager is outside the scope of this document.

ExtremeWireless and Your Network

This section is a summary of the components of the ExtremeWireless solution on your enterprise network. The following are described in detail in this guide, unless otherwise stated:
- ExtremeWireless Appliance: A rack-mountable network device or virtual appliance that provides centralized control over all access points and manages the network assignment of wireless device clients associating through access points.
- Wireless AP: A wireless LAN fit access point that communicates with a controller.
- RADIUS Server (Remote Access Dial-In User Service) (RFC2865), or other authentication server: An authentication server that assigns and manages ID and Password protection throughout the network. Used for authentication of the wireless users in either 802.1x or Captive Portal security modes. The RADIUS Server system can be set up for certain standard attributes, such as filter ID, and for the Vendor Specific Attributes (VSAs). In addition, RADIUS Disconnect (RFC3576), which permits dynamic adjustment of user role (user disconnect), is supported.
- DHCP Server (Dynamic Host Configuration Protocol) (RFC2131): A server that dynamically assigns IP addresses, gateways, and subnet masks. IP address assignment for clients can be done by the DHCP server internal to the controller, or by existing servers using DHCP relay. It is also used by the APs to discover the location of the controller during the initial registration process using Options 43, 60, and Option 78. Options 43 and 60 specify the vendor class identifier (VCI) and vendor specific information. Option 78 specifies the location of one or more SLP Directory Agents. For SLP, DHCP should have Option 78 enabled.
- Service Location Protocol (SLP) (SLP RFC2608): Client applications are User Agents and services that are advertised by a Service Agent. In larger installations, a Directory Agent collects information from Service Agents and creates a central repository. The Extreme Networks solution relies on registering Extreme Networks as an SLP Service Agent.
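Because an AP locates its controller from whatever Options 60, 43 and 78 the DHCP server hands out, an administrator auditing a deployment will want to decode those options from a captured DHCP offer and check that the advertised SLP Directory Agents are the controllers actually provisioned. The decoder below is an added example, not Extreme Networks' code: it parses the standard RFC 2132 option list and the RFC 2610 layout of Option 78 (one "mandatory" byte followed by IPv4 addresses); the Option 43 sub-option format used by ExtremeWireless is not documented on this page, so that value is returned as raw bytes, and the sample offer, vendor class and addresses are constructed placeholders.

```python
"""Decode the DHCP options an AP consults for controller discovery.

Added example, not Extreme Networks' code. Option 43 content is returned as
raw bytes because its vendor-specific layout is not described on this page;
the sample DHCP offer and every address in it are constructed placeholders.
"""
import ipaddress
import struct

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2132: precedes the options field
OPT_PAD, OPT_VENDOR_INFO, OPT_VCI, OPT_SLP_DA, OPT_END = 0, 43, 60, 78, 255


def parse_dhcp_options(options: bytes) -> dict:
    """Walk the RFC 2132 TLV option list and return {code: value}.

    Repeated codes are concatenated (RFC 3396 long options). A truncated
    option raises ValueError so a malformed offer is rejected, not misread.
    """
    if options.startswith(DHCP_MAGIC_COOKIE):
        options = options[len(DHCP_MAGIC_COOKIE):]
    result: dict = {}
    i = 0
    while i < len(options):
        code = options[i]
        if code == OPT_PAD:          # single-byte padding, no length
            i += 1
            continue
        if code == OPT_END:          # end marker, no length
            break
        if i + 1 >= len(options):
            raise ValueError(f"option {code} has no length byte")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        result[code] = result.get(code, b"") + value
        i += 2 + length
    return result


def parse_slp_da(value: bytes) -> tuple:
    """RFC 2610 Option 78: a 'mandatory' flag byte, then n IPv4 addresses."""
    if not value or (len(value) - 1) % 4:
        raise ValueError("option 78 must be 1 + 4*n bytes long")
    mandatory = bool(value[0])
    addrs = [str(ipaddress.IPv4Address(value[i : i + 4]))
             for i in range(1, len(value), 4)]
    return mandatory, addrs


def controller_discovery_info(options: bytes) -> dict:
    """Extract the fields an AP would use to find its controller."""
    opts = parse_dhcp_options(options)
    vci = opts.get(OPT_VCI, b"").decode("ascii", "replace")
    info = {"vci": vci or None,
            "vendor_info": opts.get(OPT_VENDOR_INFO),   # raw Option 43 bytes
            "slp_da_mandatory": None,
            "slp_das": []}
    if OPT_SLP_DA in opts:
        info["slp_da_mandatory"], info["slp_das"] = parse_slp_da(opts[OPT_SLP_DA])
    return info


def unexpected_directory_agents(options: bytes, allowed: set) -> list:
    """Return advertised DA addresses that are not on the provisioned allow-list.

    A non-empty result means DHCP is steering APs toward an address you did not
    provision (misconfigured or rogue DHCP server) and deserves an alert.
    """
    return [a for a in controller_discovery_info(options)["slp_das"]
            if a not in allowed]


def build_option(code: int, value: bytes) -> bytes:
    """Encode one RFC 2132 option (used only to build the constructed sample)."""
    return struct.pack("BB", code, len(value)) + value


# Constructed sample DHCPOFFER options field; all values are placeholders.
SAMPLE_OFFER = (
    DHCP_MAGIC_COOKIE
    + build_option(53, b"\x02")                                   # DHCPOFFER
    + build_option(OPT_VCI, b"ExampleVendorClass")                # placeholder VCI
    + build_option(OPT_VENDOR_INFO, b"\x01\x04\xc0\xa8\x01\x0a")  # opaque sub-option
    + build_option(OPT_SLP_DA, b"\x01" + bytes([192, 168, 1, 10]) + bytes([10, 0, 0, 5]))
    + bytes([OPT_END])
)

if __name__ == "__main__":
    print(controller_discovery_info(SAMPLE_OFFER))
    # Only 192.168.1.10 is provisioned, so 10.0.0.5 is reported as unexpected.
    print(unexpected_directory_agents(SAMPLE_OFFER, {"192.168.1.10"}))
```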
Domain Name Server (DNS) - A server used as an alternate mechanism (if present on the enterprise network) for the automatic discovery process. Controller, Access Points and Convergence Software relies on the DNS for Layer 3 deployments and for static configuration of the APs. The controller can be registered in DNS, to provide DNS assisted AP discovery. In addition, DNS can also be used for resolving RADIUS server hostnames.

Web Authentication Server - A server that can be used for external Captive Portal and external authentication. The controller has an internal Captive Portal presentation page, which allows web authentication (web redirection) to take place without the need for an external Captive Portal server.

RADIUS Accounting Server (Remote Access Dial-In User Service) (RFC2866) - A server that is required if RADIUS Accounting is enabled.

SNMP (Simple Network Management Protocol) - A Manager Server that is required if forwarding SNMP messages is enabled.

Network Infrastructure - The Ethernet switches and routers must be configured to allow routing between the various services noted above. Routing must also be enabled between multiple controllers for the following features to operate successfully:
- Availability
- Mobility
- ExtremeWireless Radar for detection of rogue access points
Some features also require the definition of static routes.

Web Browser - A browser provides access to the controller Management user interface to configure the ExtremeWireless system.

Zone Integrity - The Zone Integrity server enhances network security by ensuring clients accessing your network are compliant with your security roles before gaining access. Zone Integrity Release 5 is supported.

SSH Enabled Device - A device that supports Secure Shell (SSH) is used for remote (IP) shell access to the system.

(Optional) Online Signup Server - For use with Hotspot Networks.

Network Traffic Flow

Figure 3 illustrates a simple configuration with a single controller and two APs, each supporting a wireless device. A RADIUS server on the network provides authentication, and a DHCP server is used by the APs to discover the location of the controller during the initial registration process. Network interconnectivity is provided by the infrastructure routing and switching devices.

Figure 3: Traffic Flow Diagram

Each wireless device sends IP packets in the 802.11 standard to the AP. The AP uses a UDP (User Datagram Protocol) based tunnelling protocol. In tunneled mode of operation, it encapsulates the packets and forwards them to the controller. The controller decapsulates the packets and routes these to destinations on the network. In a typical configuration, access points can be configured to locally bridge traffic (to a configured VLAN) directly at their network point of attachment.

The controller functions like a standard L3 router or L2 switch. It is configured to route the network traffic associated with wireless connected users. The controller can also be configured to simply forward traffic to a default or static route if dynamic routing is not preferred or available.

Network Security

The Extreme Networks ExtremeWireless system provides features and functionality to control network access. These are based on standard wireless network security practices. Current wireless network security methods provide protection. These methods include:
- Shared Key authentication that relies on Wired Equivalent Privacy (WEP) keys
- Open System that relies on Service Set Identifiers (SSIDs)
- 802.1x that is compliant with Wi-Fi Protected Access (WPA)
- Captive Portal based on Secure Sockets Layer (SSL) protocol

The Extreme Networks ExtremeWireless system provides the centralized mechanism by which the corresponding security parameters are configured for a group of users.

Authentication

The controller relies on a RADIUS server, or authentication server, on the enterprise network to provide the authentication information (whether the user is to be allowed or denied access to the network). A RADIUS client is implemented to interact with infrastructure RADIUS servers. The controller provides authentication using:
- Captive Portal, a browser-based mechanism that forces users to a Web page
- RADIUS (using IEEE 802.1x)

The 802.1x mechanism is a standard for authentication developed within the 802.11 standard. This mechanism is implemented at the wireless port, blocking all data traffic between the wireless device and the network until authentication is complete. Authentication by 802.1x standard uses Extensible Authentication Protocol (EAP) for the message exchange between the controller and the RADIUS server.

When 802.1x is used for authentication, the controller provides the capability to dynamically assign per-wireless-device WEP keys (called per session WEP keys in 802.11). In the case of WPA, the controller is not involved in key assignment. Instead, the controller is involved in the information exchange between the RADIUS server and the user's wireless device to negotiate the appropriate set of keys. With WPA2 the material exchange produces a Pairwise Master Key which is used by the AP and the user to derive their temporal keys. (The keys change over time.)

The Extreme Networks ExtremeWireless solution provides a RADIUS redundancy feature that enables you to define a failover RADIUS server in the event that the active RADIUS server becomes unresponsive.

Privacy

Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. Extreme Networks ExtremeWireless supports the Wired Equivalent Privacy (WEP) standard common to conventional access points. It also provides Wi-Fi Protected Access version 1 (WPA v.1) encryption, based on Pairwise Master Key (PMK) and Temporal Key Integrity Protocol (TKIP). The most secure encryption mechanism is WPA version 2, using Advanced Encryption Standard (AES). The supported privacy mechanisms are:
- Wired Equivalent Privacy (WEP), a security protocol for wireless local area networks defined in the 802.11b standard
- Wi-Fi Protected Access version 1 (WPA1) with Temporal Key Integrity Protocol (TKIP)
- Wi-Fi Protected Access version 2 (WPA2) with Advanced Encryption Standard (AES) and Counter Mode with Cipher Block Chaining Message Authentication Code (CCMP)

Virtual Network Services

Virtual Network Services (VNS) provide a versatile method of mapping wireless networks to the topology of an existing wired network. In releases prior to V7.0, a VNS was a collection of operational entities. Starting with Release V7.0, a VNS becomes the binding of reusable components:
- WLAN Service components that define the radio attributes, privacy and authentication settings, and QoS attributes of the VNS
- Role components that define the topology (typically a VLAN), policy rules, and Class of Service applied to the traffic of a station

Figure 4 illustrates the transition of the concept of a VNS to a binding of reusable components.

Figure 4: VNS as a Binding of Reusable Components

WLAN Service components and Role components can be configured separately and associated with a VNS when the VNS is created or modified. Alternatively, they can be configured during the process of creating a VNS. Additionally, Roles can be created using the Extreme Networks Extreme Management Center Policy Manager or Extreme Management Center Wireless Manager and pushed to the ExtremeWireless Appliance. Role assignment ensures that the correct topology and traffic behavior are applied to a user regardless of the WLAN service used or VNS assignment.

When VNS components are set up on the controller, among other things, a range of IP addresses is set aside for the controller's DHCP server to assign to wireless devices. If the OSPF (Open Shortest Path First) routing protocol is enabled, the controller advertises the routed topologies as reachable segments to the wired network infrastructure. The controller routes traffic between the wireless devices and the wired network.

The controller also supports VLAN-bridged assignment for VNSs. This allows the controller to bridge the set of wireless devices associated with a WLAN service directly to a specified core VLAN.

Each controller model can support a definable number and an active number of VNSs. See Table 3.
Table 3: VNS and WLAN Service Capacity

Columns: Controller Model | Max Number of Defined VNS | Max Number of Defined WLAN Services | Max Number of Active WLAN Services
Controller models listed: C5110, C4110, C25, V2110 Small, V2110 Medium, V2110-HyperV, C5215, V2110 Large, C5210, C35
Capacity values as they appear in this copy (their assignment to models and columns is not recoverable here): 128 64 16 16 64 128 128 / 256 128 32 32 128 256 128 32 32 128 / 256 256 256 256 32 16 / 32 128 256 256

The AP3912 has three additional client ports that can be assigned to a single WLAN Service. For more information, see Assigning WLAN Services to Client Ports on page 170.

The AP radios can be assigned to each of the configured WLAN services and, therefore, VNSs in a system. Each AP can be the subject of 16 service assignments (eight assignments per radio), which corresponds to the number of SSIDs it can support. Once a radio has all eight slots assigned, it is no longer eligible for further assignment.

NAC Integration with the Wireless WLAN

The Extreme Networks Wireless WLAN supports integration with a NAC (Network Admission Control) Gateway. The NAC Gateway can provide your network with authentication, registration, assessment, remediation, and access control for mobile users. Figure 5 depicts the topology and workflow relationship between a Wireless WLAN that is configured for external captive portal and a NAC Gateway. With this configuration, the NAC Gateway acts like a RADIUS proxy server. An alternative is to configure the NAC Gateway to perform MAC-based authentication itself, using its own database of MAC addresses and permissions. For more information, see Creating a NAC VNS Using the VNS Wizard on page 426.

NAC Gateway integration with Wireless WLAN supports SSID VNSs when used in conjunction with MAC-based external captive portal authentication.

Figure 5: WLAN and NAC Integration with External Captive Portal Authentication

Note: RADIUS servers with captive portal and EAP authentication can be tested for connectivity using the radtest command. For more information, see the ExtremeWireless CLI Guide.

1 The client laptop connects to the AP. The AP determines that authentication is required, and sends an association request to the appliance.
2 The appliance forwards to the NAC Gateway an access-request message for the client laptop, which is identified by its MAC address. The NAC Gateway forwards the access-request to the RADIUS server. The NAC Gateway acts like a RADIUS proxy server.
3 The RADIUS server evaluates the access-request and sends an Access-Accept message back to the NAC. The NAC receives the Access-Accept packet. Using its local database, the NAC determines the correct role to apply to this client laptop and updates the Access-Accept packet with the role assignment. The updated Access-Accept message is forwarded to the appliance and AP.
4 The appliance and the AP apply the role against the client laptop accordingly. The appliance assigns a set of filters to the client laptop's session and the AP allows the client laptop access to the network.
5 The client laptop interacts with a DHCP server to obtain an IP address.
6 Eventually the client laptop uses its web browser to access a website. The appliance determines that the target website is blocked and that the client laptop still requires authentication. The appliance sends an HTTP redirect to the client laptop's browser. The redirect sends the browser to the web server on the NAC Gateway. The NAC displays an appropriate web page in the client laptop's browser. The contents of the page depend on the current role assignment (enterprise, remediation, assessing, quarantine, or unregistered) for the MAC address.
7 When the NAC determines that the client laptop is ready for a different role assignment, it sends a disconnect message (RFC 3576) to the appliance. When the appliance receives the disconnect message sent by the NAC, the appliance terminates the session for the client laptop. The appliance forwards the command to terminate the client laptop's session to the AP, which disconnects the client laptop.

VNS Components

The distinct constituent high-level configurable umbrella elements of a VNS are:
- Topology
- Role
- Classes of Service
- WLAN Service

Topology

Topologies represent the networks with which the controller and its APs interact. The main configurable attributes of a topology are:
- Name - a string of alphanumeric characters designated by the administrator.
- VLAN ID - the VLAN identifier as specified in the IEEE 802.1Q definition.
- VLAN tagging options.
- Port of presence for the topology on the controller. (This attribute is not required for Routed and Bridged at AP topologies.)
- Interface. This attribute is the IP (L3) address assigned to the controller on the network described by the topology. (Optional.)
- Type. This attribute describes how traffic is forwarded on the topology. Options are:
  - Physical - the topology is the native topology of a data plane and it represents the actual Ethernet ports
  - Management - the native topology of the controller management port
  - Routed - the controller is the routing gateway for the routed topology
  - Bridged at Controller - the user traffic is bridged (in the L2 sense) between wireless clients and the core network infrastructure
  - Bridged at AP - the user traffic is bridged locally at the AP without being redirected to the controller
- Exception Filters. Specifies which traffic has access to the controller from the wireless clients or the infrastructure network.
- Certificates.
- Multicast filters. Defines the multicast groups that are allowed on a specific topology segment.

For information about Topology groups, see Creating a Topology Group on page 270.

Role

A Role is a collection of attributes and rules that determine the actions taken when user traffic accesses the wired network through the WLAN service (associated to the WLAN Service's SSID). Depending upon its type, a VNS can have between one and three Authorization Roles associated with it:
1 Default non-authorized role - This is a mandatory role that covers all traffic from stations that have not authenticated. At the administrator's discretion the default non-authorized role can be applied to the traffic of authenticated stations as well.
2 Default authorized role - This is a mandatory role that applies to the traffic of authenticated stations for which no other role was explicitly specified. It can be the same as the default non-authorized role.
3 Third-party AP role - This role applies to the list of MAC addresses corresponding to the wired interfaces of third party APs specifically defined by the administrator to be providing the RF access as an AP WLAN Service. This role is only relevant when applied to third party AP WLAN Services.

Classes of Service

In general, CoS (Class of Service) refers to a set of attributes that define the importance of a frame while it is forwarded through the network relative to other packets, and to the maximum throughput per time unit that a station or port assigned to a specific role is permitted. The CoS defines actions to be taken when rate limits are exceeded.

All incoming packets may follow these steps to determine a CoS:
- Classification - identifies the first matching rule that defines a CoS.
- Marking - modifies the L2 802.1p and/or L3 ToS based on the CoS definition.
- Rate limiting (drop) is set.

The system limit for the number of CoS profiles on a controller is identical to the number of roles. For example, the maximum number of CoS profiles on a C4110 is 512.

WLAN Services

A WLAN Service represents all the RF, authentication and QoS attributes of a wireless access service offered by the controller and its APs. A WLAN Service can be one of the following types:
- Standard - A conventional service. Only APs running ExtremeWireless software can be part of this WLAN Service. This type of service can be used as a Bridged at Controller, Bridged at AP, or Routed Topology. This type of service provides access for mobile stations. Roles can be associated with this type of WLAN service to create a VNS. Hotspot can be enabled for standard WLAN services.
- Third Party AP - A Wireless Service offered by third party APs. This type of service provides access for mobile stations. Roles can be assigned to this type of WLAN service to create a VNS.
- Dynamic Mesh and WDS (Static Mesh) - This is to configure a group of APs organized into a hierarchy for purposes of providing a Wireless Distribution Service. This type of service is in essence a wireless trunking service rather than a service that provides access for stations. As such, this service cannot have roles attached to it.
- Remote - A service that resides on the edge (foreign) controller. Pairing a remote service with a remoteable service on the designated home controller allows you to provision centralized WLAN Services in the mobility domain. This is known as centralized mobility.

The components of a WLAN Service map to the corresponding components of a VNS in previous releases. The administrator makes an explicit choice of the type of authentication to use on the WLAN Service. If the choice of authentication option conflicts with any other authentication or privacy choices, the WLAN Service cannot be enabled.

Routing

Routing can be used on the controller to support the VNS definitions.
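The three CoS steps described above (classification by the first matching rule, 802.1p/DSCP marking, and rate limiting with drop on excess), together with the Adaptive QoS copy of the client DSCP into the AP-to-controller tunnel header that the Quality of Service section describes, as an added Python example that is not part of this guide or of Extreme Networks software; the rule fields, CoS names, rates and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Packet:
    """Client frame as seen at the AP/controller; all sample values are constructed."""
    dst_ip: str
    proto: str      # "udp" or "tcp"
    dst_port: int
    length: int     # bytes, consumed from the rate-limit bucket
    dscp: int = 0   # L3 ToS/DSCP marking (6 bits)
    pcp: int = 0    # L2 802.1p priority (3 bits)

@dataclass
class CoS:
    """A Class of Service: how to mark the frame and the throughput it is allowed."""
    name: str
    dscp: Optional[int] = None              # None leaves the L3 marking unchanged
    pcp: Optional[int] = None               # None leaves the L2 marking unchanged
    rate_bytes_per_s: Optional[int] = None  # None means this CoS is not rate limited
    burst_bytes: int = 1500                 # token bucket depth

@dataclass
class Rule:
    """One policy rule of a role; a field left as None is a wildcard."""
    cos: CoS
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    dst_prefix: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or pkt.proto == self.proto)
                and (self.dst_port is None or pkt.dst_port == self.dst_port)
                and (self.dst_prefix is None
                     or ip_address(pkt.dst_ip) in ip_network(self.dst_prefix)))

class TokenBucket:
    """Byte-based token bucket; one per station, direction and CoS."""
    def __init__(self, rate_bytes_per_s: int, burst_bytes: int) -> None:
        self.rate, self.capacity = rate_bytes_per_s, burst_bytes
        self.tokens, self.last = float(burst_bytes), 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if nbytes > self.tokens:
            return False      # limit exceeded: the CoS action is drop
        self.tokens -= nbytes
        return True

def classify(pkt: Packet, rules: List[Rule]) -> CoS:
    """Step 1, classification: the first matching rule defines the CoS."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.cos
    raise ValueError("no rule matched; the last rule should be a wildcard default")

def mark(pkt: Packet, cos: CoS) -> Packet:
    """Step 2, marking: rewrite L2 802.1p and/or L3 DSCP from the CoS definition."""
    if cos.dscp is not None:
        pkt.dscp = cos.dscp
    if cos.pcp is not None:
        pkt.pcp = cos.pcp
    return pkt

class CoSPipeline:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.buckets = {}   # (station, direction, CoS name) -> TokenBucket

    def process(self, pkt: Packet, station: str, direction: str, now: float) -> Tuple[str, str]:
        """Run all three steps; returns (CoS name, "forward" or "drop")."""
        cos = classify(pkt, self.rules)
        mark(pkt, cos)
        if cos.rate_bytes_per_s is None:
            return cos.name, "forward"
        key = (station, direction, cos.name)   # step 3: ingress and egress limited separately
        bucket = self.buckets.setdefault(key, TokenBucket(cos.rate_bytes_per_s, cos.burst_bytes))
        return cos.name, ("forward" if bucket.allow(pkt.length, now) else "drop")

def tunnel_header(pkt: Packet, ap_ip: str, controller_ip: str) -> dict:
    """Adaptive QoS: the AP-to-controller tunnel packet carries the client packet's DSCP."""
    return {"src": ap_ip, "dst": controller_ip, "proto": "udp", "dscp": pkt.dscp}

# Constructed rule set: voice to a PBX subnet first, a capped file-share class, then a catch-all.
VOICE = CoS("voice", dscp=46, pcp=6)
BULK = CoS("bulk", dscp=8, pcp=1, rate_bytes_per_s=1000, burst_bytes=3000)
BEST_EFFORT = CoS("best-effort", dscp=0, pcp=0)
RULES = [Rule(VOICE, proto="udp", dst_prefix="10.0.5.0/24"),
         Rule(BULK, proto="tcp", dst_port=445),
         Rule(BEST_EFFORT)]

def demo() -> List[Tuple[str, str]]:
    """Voice frame, then three 1500-byte bulk frames at t=0; the third exceeds the 3000-byte burst."""
    pipe = CoSPipeline(RULES)
    frames = [Packet("10.0.5.20", "udp", 5004, 200)] + [Packet("10.0.9.2", "tcp", 445, 1500)] * 3
    return [pipe.process(f, "sta-1", "ingress", 0.0) for f in frames]
```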
Through the user interface you can configure routing on the controller to use one of the following routing techniques:
- Static routes - Use static routes to set the default route of a controller so that legitimate wireless device traffic can be forwarded to the default gateway.
- OSPF (version 2) (RFC2328) - Use OSPF to allow the controller to participate in dynamic route selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into different areas by routing information summarization and propagation.
- Next-hop routing - Use next-hop routing to specify a unique gateway to which traffic on a VNS is forwarded. Defining a next-hop for a VNS forces all the traffic in the VNS to be forwarded to the indicated network device, bypassing any routing definitions of the controller's route table.

Static Route definition and OSPF dynamic learning can be combined, and the precedence of a static route definition over dynamic rules can be configured by selecting or clearing the Override dynamic routes option check box.

Mobility and Roaming

In typical simple configurations, APs are set up as bridges that bridge wireless traffic to the local subnet. In bridging configurations, the user obtains an IP address from the same subnet as the AP, assuming no VLAN trunking functionality. If the user roams between APs on the same subnet, it is able to keep using the same IP address. However, if the user roams to another AP outside of that subnet, its IP address is no longer valid. The user's client device must recognize that the IP address it has is no longer valid and re-negotiate a new one on the new subnet. This mechanism does not mandate any action on the user. The recovery procedure is entirely client device dependent. Some clients automatically attempt to obtain a new address on roam (which affects roaming latency), while others will hold on to their IP address. This loss of IP address continuity seriously affects the client's experience in the network, because in some cases it can take minutes for a new address to be negotiated.

The Extreme Networks ExtremeWireless solution centralizes the user's network point of presence, therefore abstracting and decoupling the user's IP address assignment from that of the AP's location subnet. That means that the user is able to roam across any AP without losing its own IP address, regardless of the subnet on which the serving APs are deployed. In addition, a controller can learn about other controllers on the network and then exchange client session information. This enables a wireless device user to roam seamlessly between different APs on different controllers.

Network Availability

The Extreme Networks ExtremeWireless solution provides availability against AP outages, controller outages, and even network outages. The controller in a VLAN bridged topology can potentially allow the user to retain the IP address in a failover scenario, if the VNS/VLAN is common to both controllers. For example, availability is provided by defining a paired controller configuration by which each peer can act as the backup controller for the other's APs. APs in one controller are allowed to fail over and register with the alternate controller. If the primary controller fails, all of its associated APs can automatically switch over to another controller that has been defined as the secondary or backup controller. If an AP reboots, the primary controller is restored if it is active. However, active APs will continue to be connected to the backup controller until the administrator releases them back to the primary home controller.

Quality of Service (QoS)

The Extreme Networks ExtremeWireless solution provides advanced Quality of Service (QoS) management to provide better network traffic flow. Such techniques include:
- IP ToS (Type of Service) or DSCP (Diffserv Codepoint) - The ToS/DSCP field in the IP header of a frame indicates the priority and class of service for each frame. In the context of the ExtremeWireless Solution, the ToS/DSCP field is used for classification and proper class of service mapping, output queue selection, and priority tagging.
- WMM (Wi-Fi Multimedia) - WMM is enabled per WLAN service. The controller provides centralized management of the AP features. For devices with WMM enabled, the standard provides multimedia enhancements for audio, video, and voice applications. WMM shortens the time between transmitting packets for higher priority traffic. WMM is part of the 802.11e standard for QoS.

Adaptive QoS ensures correct priority handling of client payload packets tunneled between the controller and AP by copying the IP ToS/DSCP setting from the client packet to the header of the encapsulating tunnel packet.

Quality of Service (QoS) management is also provided by:
- Assigning high priority to a WLAN service (configurable)
- Adaptive QoS (automatic and all time feature)
- Support for legacy devices that use SpectraLink Voice Protocol (SVP) for prioritizing voice traffic

Rate Control

Rate Control for user traffic can also be considered as an aspect of QoS. As part of Role definition, the user can specify a (default) role that includes Ingress and Egress rate control. Ingress rate control applies to traffic generated by wireless clients and Egress rate control applies to traffic targeting specific wireless clients. The bit-rates can be configured as part of globally available profiles which can be used by any particular configuration. A global default is also defined.

ExtremeWireless Appliance Product Family

The ExtremeWireless Appliance is available in the following product families:
Table 4: ExtremeWireless Product Families

ExtremeWireless Appliance Model Number - Specifications

C5110 - Three data ports supporting up to 525 APs: 2 fiber optic SR (10Gbps), 1 Ethernet port GigE. One management port (Ethernet) GigE. One console port (DB9 serial). Four USB ports, two on each of the front and back panel (only one port active at a time). Redundant dual power supply unit.

C4110 - Four GigE ports supporting up to 250 APs. One management port (Ethernet) GigE. One console port (DB9 serial). Four USB ports (only one active at a time). Redundant dual power supply unit.

C25 - Two GigE ports supporting up to 50 APs. One management port GigE. One console port (DB9 serial). Two USB ports.

V2110 - Two GigE ports or 10G fiber ports supporting up to 525 APs. One management port GigE. USB ports (only one active at a time).

C35 - Four GigE ports supporting up to 125 APs. One management port GigE. One console port. Two USB ports.

C5210/C5215 - Four data ports supporting up to 1000 APs: 2 SFP+ (10Gbps), 2 Ethernet port GigE. One management port (Ethernet) GigE. One console port (RJ-45 serial). Five USB ports, two on the front and three on the back panel (only one port active at a time). Redundant dual power supply unit.

3 Configuring the ExtremeWireless Appliance

System Configuration Overview
Logging on to the ExtremeWireless Appliance
Wireless Assistant Home Screen
Working with the Basic Installation Wizard
Configuring the ExtremeWireless Appliance for the First Time
Using a Third-party Location-based Solution
Additional Ongoing Operations of the System

System Configuration Overview

The following section provides a high-level overview of the steps involved in the initial configuration of ExtremeWireless:
1 Before you begin the configuration process, research the type of WLAN (Wireless Local Area Network) deployment that is required. For example, topology and VLAN (Virtual LAN) IDs, SSIDs, security requirements, and filter roles.
2 Prepare the network servers. Ensure that the external servers, such as DHCP (Dynamic Host Configuration Protocol) and RADIUS servers (if applicable), are available and appropriately configured.
3 Install the controller. For more information, see the documentation for your controller.
4 Perform the first time setup of the controller on the physical network, which includes configuring the IP addresses of the interfaces on the controller.
  a Create a new physical topology and provide the IP address to be the relevant subnet point of attachment to the existing network.
  b To manage the controller through the interface configured above, select the Mgmt check box on the Interfaces tab.
  c Configure the data port interfaces to be on separate VLANs, matching the VLANs configured in step 3 above. Ensure also that the tagged vs. untagged state is consistent with the switch port configuration.
  d Configure the time zone. Because changing the time zone requires restarting the controller, it is recommended that you configure the time zone during the initial installation and configuration of the controller to avoid network interruptions. For more information, see Configuring Network Time on page 89.
  e Apply an activation key file. If an activation key is not applied, the controller functions with some features enabled in demonstration mode. Not all features are enabled in demonstration mode. For example, mobility is not enabled and cannot be used.
  Caution: Whenever the licensed region changes on the ExtremeWireless Appliance, all APs are changed to Auto Channel Select to prevent possible infractions to local RF regulatory requirements. If this occurs, all manually configured radio channel settings will be lost. Installing the new license key before upgrading will prevent the ExtremeWireless Appliance from changing the licensed region, and in addition, manually configured channel settings will be maintained. For more information, see the ExtremeWireless Maintenance Guide.
5 Configure the controller for remote access:
  a Set up an administration station (laptop) on subnet 192.168.10.0/24. By default, the controller's Management interface is configured with the static IP address 192.168.10.1. For more information, see Configuring the ExtremeWireless Appliance for the First Time on page 45.
  b Configure the controller's management interface.
  c Configure the data interfaces.
  d Set up the controller on the network by configuring the physical data ports.
  e Configure the routing table.
  f Configure static routes or OSPF (Open Shortest Path First) parameters, if appropriate to the network.
6 Configure the traffic topologies your network must support. Topologies represent the controller's points of network attachment, and therefore VLANs and port assignments need to be coordinated with the corresponding network switch ports. For more information, see Configuring a Basic Data Port Topology on page 266.
7 Configure roles. Roles are typically bound to topologies. Role application assigns user traffic to the corresponding network point. Roles define user access rights (filtering or ACL (Access Control List)). Policies reference the user's rate control profile. For more information, see Configuring Roles on page 284.
8 Configure WLAN services. Define SSID and privacy settings for the wireless link. Select the set of APs/Radios on which the service is present. Configure the method of credential authentication for wireless users (None, Internal CP, External CP, GuestPortal, 802.1x[EAP]). For more information, see Configuring WLAN Services on page 318.
9 Create the VNSs. A VNS binds a WLAN Service to a Role that will be used for default assignment upon a user's network attachment. You can create topologies, roles, and WLAN services first, before configuring a VNS, or you can select one of the wizards (such as the VNS wizard), or you can simply select to create a new VNS. The VNS page then allows for in-place creation and definition of any dependency it may require, such as:
  - Creating a new WLAN Service
  - Creating a new role
  - Creating a new class of service (within a role)
  - Creating a new topology (within a role)
  - Creating new rate controls, and other Class of Service parameters
  The default shipping configuration does not ship any pre-configured WLAN Services, VNSs, or Roles.
10 Install, register, and assign APs to the VNS.
  - Confirm the latest firmware version is loaded. For more information, see Performing AP Software Maintenance on page 235.
  - Deploy APs to their corresponding network locations.
  - If applicable, configure a default AP template for common radio assignment, whereby APs automatically receive complete configuration. For typical deployments where all APs are to have the same configuration, this feature will expedite deployment, as an AP will automatically receive full configuration (including VNS-related assignments) upon initial registration with the controller.
  - Connect the APs to the controller. Once the APs are powered on, they automatically begin the Discovery process of the controller, based on factors that include:
    - Their Registration mode (on the AP Registration screen)
    - The enterprise network services that will support the discovery process
  - If applicable, modify the properties or settings of the APs. For more information, see Configuring the ExtremeWireless APs on page 101.

Logging on to the ExtremeWireless Appliance

1 Start your Web browser (Internet Explorer version 11 or later, FireFox, or Chrome). See the Release Notes for the supported web browsers.
2 In the browser address bar, type the following, using the IP address of your controller:
https://192.168.10.1:5825

This launches the Wireless Assistant. The login screen displays.

3 Type your user name and password and click Login. The Wireless Assistant Home screen displays.

Note: The default User Name is "admin". The default Password is "abc123".

Wireless Assistant Home Screen

The Wireless Assistant Home screen provides real-time status information on the current state of the wireless network. Information is grouped under multiple functional areas, and the Wireless Assistant Home Screen provides a graphical representation of information related to the active APs (such as the number of wired packets, stations, and total APs). Navigate the Wireless Assistant using the top menu bar tabs.

Figure 6: Wireless Assistant Top Menu Bar

The bottom status bar displays the type and description of the current wireless controller, user and admin login status, flash status, software version and the number of admin users currently logged into the controller.

Figure 7: Wireless Assistant Home Screen

Table 5 describes the panes on the Wireless Assistant Home Screen.

Table 5: Wireless Assistant Home Screen

Home Screen Heading - Description

Network Status - Includes real-time totals for the following components. Click the number displayed to display additional information, such as name, serial number, and IP address.
- Local APs - total number of active or inactive local configured APs.
- Foreign APs - total number of active or inactive foreign configured APs. An Availability pair must be configured to display additional information.
- Pending APs - total APs pending verification.
- Load Groups - total active load groups. Click to display the Active Wireless Load Groups report.
- Local Stations - total number of active mobile stations. Click to display the All Active Client report.
- Local & Foreign - total number of active local and foreign stations. Click to display the All Active Client report.
- VNS - total defined VNSs (enabled and disabled). Click to display the total number of enabled and disabled VNS assignments, respectively, configured on the system.
- Mobility Tunnels - status of the mobility tunnel. Click to display controller settings.
- Availability - status of the controller availability. Click to display controller settings (Stand-alone, Paired, Fast Failover FFO).

Admin Sessions - Displays information on the total number of recent administrative activities including:
- Read/Write sessions - total number of currently active GUI and CLI (either SSH or serial console ones) Read/Write sessions.
- Read-only sessions - total number of currently active GUI and CLI (either SSH or serial console ones) Read only sessions.
- Guest Access sessions - total number of currently active GuestPortal Manager sessions, which can only be achieved through the GUI.
- Auth Type - lists the presently configured login mode. Click each heading to access the Wireless Controller > Login Management screen. For more information, see Configuring the Login Authentication Mode on page 75.

Stations by Protocol - Displays a graphical representation of the total number of active stations grouped by protocol. Click the Stations by Protocol heading to access the All Active Clients Report. For more information, see Viewing Statistics for APs on page 627.

APs by Channel - Displays a graphical representation of the total number of active APs grouped by channel. Click the APs by Channel heading to access the Active Wireless AP Report. For more information, see Viewing Statistics for APs on page 627.

Stations by AP - Displays a graphical representation of the total number of active stations and the number of APs. Click the Status by AP heading to access the Active Clients by Wireless APs Report. For more information, see Viewing Statistics for APs on page 627.

Applications by WLAN - If Application Visibility is enabled on the WLAN Configuration screen, a pie chart displaying the top five applications on that WLAN displays. If Application Visibility is not enabled, click Enable Application Visibility to display the Apps, operating systems, and devices used by clients. The Application Visibility option displays the following information for clients associated with a selected WLAN:
IPv4 and IPv6 Addresses Host Name Operating System Device Type Top 5 Application Groups by Throughput (2-minute interval) Top 5 current Application Groups by Bytes, from session start. Throughput chart for an application group. Average TCP Round Trip Time. Average DNS Round Trip Time. For more information, see Enabling Application Visibility with Device Identication on page 626 and Device Identication on page 625. raft ExtremeWireless V10.41.06 User Guide 37 Conguring the ExtremeWireless Appliance Table 5: Wireless Assistant Home Screen (continued) HHome Screen Heading Description Licensing Displays licensing information including:
License mode: License Manager can operate in Lone or Paired mode. Lone (standalone) - Only local APs are counted against locally installed capacity keys. ALL Radar In-Service and Guardian APs are counted against locally installed Radar keys. This is the default license mode. License Manager switches to Paired mode on the following conditions: Availability is enabled while License Manager is running and it receives a license request or Availability is enabled before the License Manger starts up and the database has counters for the peers capacity and Radar keys. D Paired - Both local and foreign APs are counted against sum of locally installed capacity keys and capacity keys, pooled from the peer controller. ALL Radar In-Service and Guardian APs are counted against sum or locally installed Radar keys, installed on the peer controller. License Manager switches to Lone (standalone) mode if Availability is disabled or if the peer IP address is changed. controller.
(backup) controller.
(backup) controller. information, see Applying Product License Keys on page 47). Unused AP Licenses: total number of unassigned AP licenses (for more Local Radar Licenses: total number of Radar licenses local to the primary Foreign Radar Licenses: total number of Radar licenses local to the secondary Local AP Licenses: total number of AP licenses local to the primary controller. Foreign AP Licenses: total number of AP licenses local to the secondary raft Days Remaining: number of days remaining on this license key. Regulatory Domain: Domain information for this license period. Click the Licensing heading to access the Wireless Controller > Software Maintenance screen. For more information, see Installing the License Keys on page 49. Displays network health statistics including:
Local AP Uptime (min) APs with > 30 clients APs in low power mode Unused Radar Licenses: total number of unassigned licenses for Radar (for more information, see Radar License Requirements on page 565). Health This feature is for AP39xx only. This option displays when there is one or more AP39xx in low power mode. Click to display details of the AP. Failed VNS RADIUS Txs Click each heading to access the Active Wireless APs Report. For more information, see Viewing Statistics for APs on page 627. ExtremeWireless V10.41.06 User Guide 38 Conguring the ExtremeWireless Appliance Table 5: Wireless Assistant Home Screen (continued) HHome Screen Heading Description Radar Displays totals for the following security related statistics:
AP Remote Access - click to access the APs > AP Registration page Unsecured WLANs - click to access the WLAN Security Report Uncategorized APs - click to access the list of Uncategorized APs Active Threats - click to access the Active Threats Report Active Countermeasures - click to access the Active Countermeasures Report APs denied by license - click to access the list of APs denied by license constraints. For more information, see Wireless AP Registration on page 123, and Working with Radar Reports on page 593. Events D Displays major events that impact network performance and efficiency. Each event listed includes a timestamp of the event, the type or classication of the event, which component is impacted by the event, and a log message providing specic information for the event. Click the Events heading to access the Log > Logs & Traces page. For more information, see Working with Reports and Statistics on page 621. The Extreme Networks ExtremeWireless system provides a basic installation wizard that can help administrators congure the minimum controller settings that are necessary to deploy a functioning ExtremeWireless system solution on a network. raft Use the Basic Installation Wizard to quickly congure the controller for deployment, and later to revise the controller conguration as needed. The Basic Installation Wizard launches when you log on to the controller for the rst time and when the system has been reset to the factory default settings. You can also launch the wizard from the left pane of the controller CConguration screen anytime. 1 Log on to the controller. For more information, see Logging on to the ExtremeWireless Appliance on page 33. 2 From the top menu, click Controller. The WWireless Controller Conguration screen displays. To congure the controller using the Basic Installation Wizard:
Working with the Basic Installation Wizard ExtremeWireless V10.41.06 User Guide 39 Conguring the ExtremeWireless Appliance 3 In the left pane, click Administration > Installation Wizard. The BBasic Installation Wizard screen displays. 4 In the Time Settings section, congure the controller timezone:
Continent or Ocean Select the continent for the time zone. Time Zone Region Select the appropriate time zone region for the selected continent. aft To manually set the controller time, click Set time. The Year, Month, Day, HR, and Min. elds display, where you can use the drop-down lists to specify the time values. To use the controller as the NTP time server, select the Run local NTP Server option. In the Server eld, enter the IP address or Domain Name for the NTP server. To use NTP to set the controller time, select the Use NTP option, and then type the IP address of 5 To congure the controllers time, do one of the following:
an NTP time server that is accessible on the enterprise network. The Network Time Protocol is a protocol for synchronizing the clocks of computer systems over packet-switched data networks. 6 In the Server eld, enter the IP address or Domain Name for the NTP server. Note The Server Address eld supports both IPv4 and IPv6 addresses. ExtremeWireless V10.41.06 User Guide 40 Conguring the ExtremeWireless Appliance 7 In the Topology Conguration section, the physical interface of the controller data port, the IP Address and Netmask values for the data port, and the VLAN ID display as read-only values. For information on how to obtain a temporary IP address from the network, click How to obtain a temporary IP address. 8 Click Next. The Management screen displays Basic Installation Wizard - Management Screen The MManagement screen displays:
1 In the AP Password section, enter a password for the AP. Click Unmask to display the password characters as you type. Access Points are shipped with default passwords. You must create a new SSH Access Password here. Note Passwords can include the following characters: A-Z a-z 0-9 ~!@#$%^&*()_+|-=\{}[];<>?,. Password cannot include the following characters: / ` ' " : or a space. ExtremeWireless V10.41.06 User Guide 41 Conguring the ExtremeWireless Appliance 2 In the Management Port section, conrm the port conguration values that were dened when the controller was physically deployed on the network. If applicable, edit these values:
Static IP Address Displays the IPv4 address for the controllers management port. Revise this as appropriate for the enterprise network. Netmask Displays the appropriate subnet mask for the IP address to separate the network portion from the host portion of the address. Gateway Displays the default gateway of the network. Static IPv6 Address Displays the IPv6 address for the controllers management port. Revise this as appropriate for the enterprise network. Prex Length Length of the IPv6 prex. Maximum is 64 bits. Gateway Displays the default gateway of the network. 3 In the SNMP section, click V2c or V3 in the Mode drop-down list to enable SNMP (Simple Network receive SNMP messages. If you selected V3, the Syslog Server options display:
Management Protocol), if applicable. If you selected V2c, the Community options display:
Read Community Type the password that is used for read-only SNMP communication. Write Community Type the password that is used for write SNMP communication. Trap Destination Type the IP address of the server used as the network manager that will D Enable Click to enable Syslog Server. IP Address Enter the IP address for the Syslog Server. Note The Trap Destination Address eld supports both IPv4 and IPv6 addresses. raft the controller to participate in dynamic route selection. OSPF is a protocol designed for medium and large IP networks with the ability to segment routes into different areas by routing information summarization and propagation. Do the following:
Area ID Type the desired area. Area 0.0.0.0 is the main area in OSPF. controller, if applicable. Syslog is a protocol used for the transmission of event notication messages across networks. In the IP Address eld, type the IP address of the syslog server. 4 In the OSPF section, select the Enable check box to enable OSPF, if applicable. Use OSPF to allow 5 In the Syslog Server section, select the Enable check box to enable the syslog protocol for the Note The Syslog Server IP Address eld supports both IPv4 and IPv6 addresses. 6 Click Next. The Services screen displays. ExtremeWireless V10.41.06 User Guide 42 Conguring the ExtremeWireless Appliance Basic Installation Wizard - Services Screen aft In the RADIUS section, select the Enable check box to enable RADIUS login authentication, if applicable. RADIUS login authentication uses a RADIUS server to authenticate user login attempts. RADIUS is a client/server authentication and authorization access protocol used by a network access server
(NAS) to authenticate users attempting to connect to a network device. 1 Do the following:
Server Alias Type a name that you want to assign to the RADIUS server. You can type a name or IP address of the server. IP Address Type the RADIUS server's hostname or IP address. Shared Secret Type the password that will be used to validate the connection between the controller and the RADIUS server. ExtremeWireless V10.41.06 User Guide 443 Conguring the ExtremeWireless Appliance 2 In the Mobility section, select the Enable check box to enable the controller mobility feature, if applicable. Mobility allows a wireless device user to roam seamlessly between different APs on the same or different controllers. A dialog informs you that NTP is required for the mobility feature and prompts you to conrm you want to enable mobility. NNote If the ExtremeWireless Appliance is congured as a mobility agent, it will act as an NTP client and use the mobility manager as the NTP server. If the appliance is congured as a mobility manager, its local NTP will be enabled for the mobility domain. 3 Click OK to continue, and then do the following:
Role Select the role for the controller, Manager or Agent. One controller on the network is designated as the mobility manager and all other controllers are designated as mobility agents. Port Click the interface on the controller to be used for communication between mobility manager and mobility agent. Ensure that the selected interface is routable on the network. For more information, see Conguring Mobility on page 555. D the mobility agent. Manager IP Type the IP address of the mobility manager port if the controller is congured as 4 In the Default VNS section, select the Enable check box to enable a default VNS for the controller. Note Refer to Virtual Network Services on page 22 for more information about the default VNS. raft The default VNS parameters display. The Success screen displays. 5 Click Finish. Basic Installation Wizard - Success Screen ExtremeWireless V10.41.06 User Guide 44 Conguring the ExtremeWireless Appliance 1 We recommend that you change the factory default administrator password. aft 2 To change the administrator password:
a Type a new administrator password in the New Password. b Conrm the new password in the Conrm Password eld. c Click Save. Your new password is saved. 3 Click OK, and then click Close. NNote The ExtremeWireless Appliance reboots after you click Save if the time zone is changed during the Basic Install Wizard. If the IP address of the management port is changed during the conguration with the Basic Install Wizard, the ExtremeWireless Assistant session is terminated and you will need to log back in with the new IP address. The WWireless Assistant home screen displays. Conguring the ExtremeWireless Appliance for the First Time After the ExtremeWireless Appliance is deployed, perform the following conguration tasks:
ExtremeWireless V10.41.06 User Guide 45 Conguring the ExtremeWireless Appliance Changing the Administrator Password on page 46 Applying Product License Keys on page 47 Setting Up the Data Ports on page 51 Setting Up Internal VLAN ID and Multicast Support on page 58 Setting Up Static Routes on page 59 Setting Up OSPF Routing on page 61 Conguring Filtering at the Interface Level on page 65 Protecting Controller Interfaces and the Internal Captive Portal Page on page 69 Conguring the Login Authentication Mode on page 75 Conguring SNMP on page 85 Conguring Network Time on page 89 Conguring DNS Servers for Resolving Host Names of NTP and RADIUS Servers on page 94 The basic installation wizard automatically congures aspects of the controller deployment. You can modify that conguration according to your network specications. D Changing the Administrator Password Extreme Networks recommends that you change your default administrator password once your system is deployed. The ExtremeWireless Appliance default password is abc123. When the controller is installed and you elect to change the default password, the new password must be a minimum of eight characters. The minimum eight character password length is not applied to existing passwords. For example, if a six character password is already being used and an upgrade of the software is performed, the software does not require the password to be changed to a minimum of eight characters. However, once the upgrade is completed and a new account is created, or the password of an existing account is changed, the new password length minimum will be enforced. raft 1 2 In the left pane, click Login Management. 3 In the Full Administrator table, click the administrator user name. 4 In the Password eld, type the new administrator password. 5 In the Conrm Password eld, type the new administrator password again. 6 Click Change Password. To Change the Administrator Password:
From the top menu, click Controller. NNote The ExtremeWireless Controller provides you with local login authentication mode, the RADIUS-based login authentication mode, and combinations of the two authentication modes. The local login authentication is enabled by default. For more information, see Conguring the Login Authentication Mode on page 75. ExtremeWireless V10.41.06 User Guide 46 Conguring the ExtremeWireless Appliance Applying Product License Keys The controllers license system works on simple software-based key strings. A key string consists of a series of numbers and/or letters. Using these key strings, you can license the software, and enhance the capacity of the controller to manage additional APs. The key strings can be classied into the following variants:
Activation Key Activates the software. This key is further classied into sub-variants:
Temporary Activation Key Activates the software for a trial period of 90 days. Permanent Activation Key Activates the software for an innite period. Cloud provider license. Subscription license. NNote You must obtain a specic activation key to run release v10.01 or later. Once installed, the number of available Radar licenses increments by 2. D Option Key Activates the optional feature:
Capacity Enhancement Key Format For AP:
Enhances the capacity of the controller to manage additional APs. You may have to add multiple capacity enhancement keys to reach the ExtremeWireless's limit. Depending on the appliance model, a capacity enhancement key adds the following APs:
C5110 Adds 25 wireless APs C5210 Adds 25 or 100 wireless APs C5215 Adds 25 or 100 wireless APs C4110 Adds 25 wireless APs C25 Adds 1 or 16 wireless APs C35 Adds 1 or 16 wireless APs V2110 Adds 1 or 16 wireless APs raft Note If you connect additional wireless APs to an ExtremeWireless controller that has a permanent activation key without installing a capacity enhancement key, a grace period of seven days will start. You must install the correct key during the grace period. If you do not install the key, the controller will start generating event logs every 15 minutes, indicating that the key is required. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters. Capacity Enhancement Key Format For Radar:
Enhances the capacity of the controller to manage Radar licenses for multiple APs. Radar capacity licenses are only required for In-Service Scan Proles (for more information, see Radar License Requirements on page 565). The capacity enhancement key includes a capacity increment which determines the number of APs supported as follows:
License format: RADCAP<nnn> (where <nnn> is the capacity increment):
RADCAP001 Adds 1 wireless AP RADCAP016 Adds 16 wireless APs ExtremeWireless V10.41.06 User Guide 47 Conguring the ExtremeWireless Appliance RADCAP025 Adds 25 wireless APs RADCAP100 Adds 100 wireless APs NNote Any AP assigned to an In-Service scan prole counts as 1 against the licensed Radar capacity. The controller can be in the following licensing modes:
Unlicensed When the controller is not licensed, it operates in demo mode. In demo mode, the controller allows you to operate as many APs as you want, subject to the maximum limit of the platform type. In demo mode, you can use only the b/g radio, with channels 6, 11, and auto. 11n support and Mobility are disabled in demo mode. Cloud Provider A Cloud Provider license is valid for a period of 5 years. License pooling is not Licensed with a temporary activation key A temporary activation key comes with a regulatory domain. With the temporary activation key, you can select a country from the domain and operate the APs on any channel permitted by the country. A temporary activation key allows you to use all software features. You can operate as many APs as you want, subject to the maximum limit of the platform type. D supported because the values are set at the platform limits. Cloud Provider licenses enable local APs with the system limit of the platform, while the radar licenses are set at twice the system limits. e.g. for V2110 medium, local AP licenses available are 250 and Local radar licenses available are 500. A temporary activation key is valid for 90 days. Once the 90 days are up, the temporary key expires. You must get a permanent activation key and install it on the controller. If you do not install a permanent activation key, the controller will start generating event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters. raft period. In addition, unlike the temporary activation key, the permanent activation key allows you to operate a stipulated number of the APs, depending upon the platform type. If you want to connect additional APs, you have to install a capacity enhancement key. You may even have to install multiple capacity enhancement keys to reach the controllers limit. 
pooling is not supported because the values are set at the platform limits. A Subscription license enables local APs with the system limit of the platform, while the radar licenses are set at twice the system limits. e.g. for V2110 medium, local AP licenses available are 250 and Local radar licenses available are 500. Subscription A subscription license can be generated for a period between 1 to 255 days. License Licensed with permanent activation key A permanent activation key is valid for an innite The Table 6 lists the platform type and the corresponding number of the APs allowed by the permanent activation key. Table 6: Platform Type / Wireless APs Allowed by Permanent Activation Key Platform Wireless APs permitted by permanent activation key Platforms optimum limit Number of capacity enhancement keys to reach the optimum limit C25 C35 16 50 50 125 4 to 34 (depending on the enhancement license type used) 15 to 75 (depending on the enhancement license type used) ExtremeWireless V10.41.06 User Guide 48 Conguring the ExtremeWireless Appliance Table 6: Platform Type / Wireless APs Allowed by Permanent Activation Key
(continued) PPlatform Wireless APs permitted by permanent activation key Platforms optimum limit Number of capacity enhancement keys to reach the optimum limit C4110 C5110 C5210 C5215 50 150 100 100 V2110 (Small) 8 250 525 1000 1000 50 8 15 9 to 36 (depending on the enhancement license type used) 9 to 36 (depending on the enhancement license type used) 17 to 42 (depending on the enhancement license type used) 12 to 242 (depending on the enhancement license type used) 8 V2110
(Medium) D 250 8 525 V2110 (Large) 37 to 517 (depending on the enhancement license type used) If the controller detects multiple license violations, such as capacity enhancement, a grace period counter starts from the moment the rst violation occurred. The controller generates event logs for every violation. To leave the grace period, clear all outstanding license violations. The controller can be in an unlicensed state for an innite period. However, if you install a temporary activation key, the unlicensed state is terminated. After the validity of a temporary activation key and the related grace period expire, the controller generates event logs every 15 minutes, indicating that an appropriate license is required for the current software version. In addition, you will not be able to edit the Virtual Network Services (VNS) parameters. raft If the controller is paired with an availability partner, you can redistribute licenses when a Capacity Enhancement Key (AP or Radar) is installed. Both controllers must be running at least v9.01 and both members must have a permanent license key. Separate pools will be introduced for each type of license, and licenses installed on either member of an availability pair are shared across the pair automatically. License pooling is supported in fast failover and legacy availability setups. The limit of distribution is set by the license key; therefore if a controller has two keys of 25 APs each, then you will be allowed to transfer 25 or 50 APs to the former peer controller (for more information, see Availability on page 537). License Pooling License pooling is not supported for Cloud Provider and Subscription license types since the values are already set at the platform system limits. Installing the License Keys This section describes how to install the license key on the controller. It does not explain how to generate the license key. 
For information on how to generate the license key, see the ExtremeWireless License Certicate, which is sent to you via traditional mail. For more information on licensing, see Licensing Considerations on page 108. ExtremeWireless V10.41.06 User Guide 49 Conguring the ExtremeWireless Appliance You have to type the license keys on the Wireless Assistant GUI. To install the license keys:
From the top menu, click Controller. 1 2 In the left pane, click Administration > Software Maintenance. 3 Click the EWC Product Keys tab. The bottom pane displays the license summary. t Figure 8: Product Keys Tab 4 If you are installing a temporary or permanent activation license key, type the key in the Activation Key eld, and then click the Apply Activation Key button. 5 If you are installing a capacity enhancement, type the key in the Option Key eld, and then click the Apply Option Key button. ExtremeWireless V10.41.06 User Guide 550 Conguring the ExtremeWireless Appliance 6 To view installed keys, click View Installed Keys. The IInstalled Licensed Keys dialog displays. Figure 9: Installed License Keys raft Physical ports are represented by the L2 (Ethernet) Ports. The L2 port can be accessed from L2 Ports tabs under ExtremeWireless Controller Conguration. The L2 Ports cannot be removed from the system but their operational status can be changed. Refer to Viewing and Changing the L2 Ports Information on page 52. A new controller is shipped from the factory with all its data ports set up. Support of management traffic is disabled on all data ports. By default, data interface states are enabled. A disabled interface does not allow data to ow (receive/transmit). Setting Up the Data Ports Link Aggregation ports are represented by the L2 (peer-to-peer) LAG (Link Aggregation Group) Ports. The L2 port and Topology information can be accessed from L2 Ports and Topology tabs under ExtremeWireless Controller Conguration. The LAG L2 Ports cannot be removed from the system but their operational status can be changed. Refer to Viewing and Changing the L2 Ports Information on page 52. Note You can redene a data port to function as a Third-Party AP Port. Refer to Viewing and Changing the Physical Topologies on page 54 for more information. 
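The capacity-key arithmetic behind Table 6 and the RADCAP<nnn> Radar keys in the Applying Product License Keys section above, worked through in Python as an added example (not code from the Extreme Networks user guide): how many capacity enhancement keys close the gap between the permanent-key allowance and the platform's optimum limit, and whether connected APs or In-Service scan APs exceed the installed capacity. The function names, the representation of AP capacity keys as bare AP increments, and the sample values are this example's own assumptions; the platform figures are the guide's.

```python
"""Capacity enhancement key arithmetic for an ExtremeWireless controller.

Added example, not code from the Extreme Networks user guide. The per-platform
figures (APs permitted by a permanent activation key, the platform's optimum
limit, and the AP increments a capacity enhancement key can add) and the
RADCAP<nnn> Radar key format are taken from the guide; the function names,
the representation of AP capacity keys as bare AP increments, and the sample
values used below are this example's own assumptions.
"""
import re

# platform -> (APs permitted by permanent activation key, optimum limit,
#              AP increments a capacity enhancement key can add), from Table 6
# and the "Capacity Enhancement Key Format For AP" list in the guide.
PLATFORMS = {
    "C25":           (16, 50, (1, 16)),
    "C35":           (50, 125, (1, 16)),
    "C4110":         (50, 250, (25,)),
    "C5110":         (150, 525, (25,)),
    "C5210":         (100, 1000, (25, 100)),
    "C5215":         (100, 1000, (25, 100)),
    "V2110 (Large)": (8, 525, (1, 16)),
}

# Radar capacity keys are RADCAP<nnn>, where <nnn> is one of the listed increments.
RADCAP_RE = re.compile(r"^RADCAP(\d{3})$")
RADCAP_INCREMENTS = {1, 16, 25, 100}


def keys_to_reach_limit(platform):
    """Return (fewest, most) capacity enhancement keys needed to go from the
    permanent-key allowance to the platform's optimum limit.

    'most' uses only the smallest increment; 'fewest' uses the largest
    increment as far as it fits and covers the remainder with the smaller one.
    On every platform the smaller increment divides the larger, so this greedy
    split is exact and reproduces the "N to M" ranges in Table 6.
    """
    permitted, limit, increments = PLATFORMS[platform]
    shortfall = limit - permitted
    most = shortfall // min(increments)
    fewest, remaining = 0, shortfall
    for inc in sorted(increments, reverse=True):
        fewest += remaining // inc
        remaining %= inc
    return fewest, most


def radar_capacity(option_keys):
    """Sum the In-Service scan capacity granted by RADCAP option keys.

    Returns (total_aps, rejected_keys). A key that is not RADCAP<nnn>, or whose
    increment is not one the guide lists, is reported instead of counted.
    """
    total, rejected = 0, []
    for key in option_keys:
        match = RADCAP_RE.match(key.strip().upper())
        if not match or int(match.group(1)) not in RADCAP_INCREMENTS:
            rejected.append(key)
            continue
        total += int(match.group(1))
    return total, rejected


def license_violations(platform, ap_key_increments, radcap_keys,
                       connected_aps, in_service_aps):
    """Report the over-subscription conditions the guide describes.

    ap_key_increments: the AP count added by each installed AP capacity key
    (this example's representation; the guide gives the increments, not the
    AP key string format). Connecting more APs than the permanent key plus
    capacity keys allow starts the seven-day grace period; every AP in an
    In-Service scan profile counts as 1 against the installed Radar capacity.
    """
    permitted, _limit, increments = PLATFORMS[platform]
    problems = []
    bad = [inc for inc in ap_key_increments if inc not in increments]
    if bad:
        problems.append(f"AP capacity increments not valid for {platform}: {bad}")
    ap_capacity = permitted + sum(inc for inc in ap_key_increments
                                  if inc in increments)
    if connected_aps > ap_capacity:
        problems.append(f"{connected_aps} APs connected but {ap_capacity} "
                        "licensed: the seven-day grace period starts")
    radar_total, rejected = radar_capacity(radcap_keys)
    if rejected:
        problems.append(f"unrecognised Radar option keys: {rejected}")
    if in_service_aps > radar_total:
        problems.append(f"{in_service_aps} APs in In-Service scan profiles but "
                        f"{radar_total} Radar licenses installed")
    return problems


if __name__ == "__main__":
    for name in PLATFORMS:
        print(name, keys_to_reach_limit(name))
    # Constructed sample: a C25 with two 16-AP capacity keys and one RADCAP016.
    print(license_violations("C25", [16, 16], ["RADCAP016"], 49, 20))
```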
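The two password rules stated earlier on this page, the AP SSH Access Password character set from the Basic Installation Wizard Management screen and the eight-character administrator minimum from Changing the Administrator Password, as an added example checker in Python (not code from the Extreme Networks user guide). The character lists, the minimum length, its non-application to pre-existing passwords and the factory default abc123 come from the guide; the function names, return format and sample passwords are this example's own.

```python
"""Password policy checks for the passwords set during first-time configuration:
the AP SSH access password (Basic Installation Wizard, Management screen) and
the controller administrator password (Changing the Administrator Password).

Added example, not code from the Extreme Networks user guide. The allowed and
forbidden AP password characters, the eight-character administrator minimum,
its non-application to pre-existing passwords, and the factory default
"abc123" are taken from the guide; the function names and return format are
this example's own.
"""
import string

# Characters the guide lists as permitted in an AP SSH access password.
AP_PASSWORD_ALLOWED = frozenset(
    string.ascii_letters + string.digits + r"~!@#$%^&*()_+|-=\{}[];<>?,."
)
# Characters the guide lists as forbidden: / ` ' " : and the space.
AP_PASSWORD_FORBIDDEN = frozenset("/`'\": ")

DEFAULT_ADMIN_PASSWORD = "abc123"  # factory default documented by the guide
ADMIN_MIN_LENGTH = 8               # applies to new or changed passwords only


def _describe(chars):
    """Render a set of characters as a stable, readable list."""
    return " ".join(repr(c) for c in sorted(chars))


def check_ap_ssh_password(password):
    """Return a list of problems with a proposed AP SSH password (empty = OK)."""
    problems = []
    if not password:
        problems.append("password is empty")
    forbidden = {c for c in password if c in AP_PASSWORD_FORBIDDEN}
    if forbidden:
        problems.append("contains forbidden characters: " + _describe(forbidden))
    # Anything else outside the documented set (for example accented letters)
    # is reported separately, since the guide does not say how it is handled.
    unknown = {c for c in password
               if c not in AP_PASSWORD_ALLOWED and c not in AP_PASSWORD_FORBIDDEN}
    if unknown:
        problems.append("contains characters outside the allowed set: "
                        + _describe(unknown))
    return problems


def check_admin_password(password, existing=False):
    """Return a list of problems with an administrator password (empty = OK).

    existing=True models a password that was already in use before an upgrade:
    the guide says the eight-character minimum is not applied to it, but a
    password that is still the factory default is flagged either way.
    """
    problems = []
    if password == DEFAULT_ADMIN_PASSWORD:
        problems.append("factory default administrator password is still in use")
    if not existing and len(password) < ADMIN_MIN_LENGTH:
        problems.append(f"shorter than {ADMIN_MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not values from the guide.
    for pw in ("Str0ng~Pass#1", "pass/word:1", "no spaces here"):
        print(repr(pw), check_ap_ssh_password(pw) or "OK")
    for pw, old in (("abc123", False), ("sixchr", True), ("longenough1", False)):
        print(repr(pw), check_admin_password(pw, existing=old) or "OK")
```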
ExtremeWireless V10.41.06 User Guide 51 Conguring the ExtremeWireless Appliance Viewing and Changing the L2 Ports Information To view and change the l2 port information:
From the top menu, click Controller. 1 2 In the left pane, click Network > L2 Ports. The LL2 Ports tab is displayed. D 3 The L2 Ports tab presents the Physical (that is, Ethernet) and LAG (peer to peer) data ports that exist on the controller. These ports cannot be deleted and new ones cannot be created. LAG ports are statically congured by adding/removing physical ports from the LAG. Physical port belong to at most one LAG at one time. L2 port attached to a LAG port does not have any properties and could not be attached to any topology. The L2 ports attached to LAG ports can be enabled or disabled. Optional, if changes occur to the port physical parameters (speed, half or full duplex), a warning will be displayed to indicate that the L2 port does not meet LAG conditions. raft Considerations for attaching/detaching regular L2 ports to LAG ports:
Regular L2 port should not have any bridged and physical topologies associated with the port. Regular L2 port should not be disabled. L2 ports can be detached from LAG ports regardless of any topologies attached to the LAG port. If the L2 port is the last remaining in LAG, a warning will be issued. If last port of the LAG has After detaching the L2 port, it could be attached to any bridged or physical topology or points been detached, the LAG should be in operational DOWN state. via a routing table to the port any Routed topology. Jumbo Frames support is a feature that allows the conguration of physical Maximum Transmission Unit (MTU) sizes larger than the standard 1500 bytes on the AP and controller. When Jumbo Frames is enabled, the maximum MTU is 1800 bytes. ExtremeWireless V10.41.06 User Guide 52 Conguring the ExtremeWireless Appliance 4 Assigning any bridged or physical topology without specifying an L2 port is not supported. However, you can move any bridged and physical topology to either a physical or LAG L2 port. Physical:
C5110 Three data ports, displayed as esa0, esa1, and esa2. C5210 Four data ports, displayed as esa0, esa1, esa2, and esa3. C5215 Four data ports, displayed as esa0, esa1, esa2, and esa3. C4110 Four data ports, displayed as Port1, Port2, Port3, and Port4. C25 Two data ports, displayed as esa0 and esa1. C35 Four data ports, displayed as esa0, esa1, esa2, and esa3. V2110 Two data ports, displayed as esa0 and esa1. D Link Aggregation:
C5110 One data port, displayed as lag1 C5210 Two data ports, displayed as lag1 and lag2. C5215 Two data ports, displayed as lag1 and lag2. C4110 Two data ports, displayed as lag1 and lag2. C35 Two data ports, displayed as lag1 and lag2. C25 One data port, displayed as lag1. is the only congurable parameter. 5 An Admin port is created by default. This represents a physical port, separate from the other data ports, being used for management connectivity. For more information, see Conguring the Admin Port on page 263. Parameters displayed for the L2 Ports are:
Operational status, represented graphically with a green checkmark (UP) or red X (DOWN). This raft Port name, as described above. MAC address, as per Ethernet standard. Untagged VLAN, displays the associated untagged VLAN ID. This ID is unique among topologies. Tagged VLAN, displays the associated tagged VLAN ID. Attached Physical L2 Ports (Link Aggregation L2 Ports only) select the physical L2 ports Note Refer to Viewing and Changing the Physical Topologies on page 54 for more information about L2 port topologies. associated with the link aggregation L2 Ports. 6 If desired, change the operational status by clicking the Enable check box. You can change the operational state for each port. By default, data interface states are enabled. If they are not enabled, you can enable them individually. A disabled interface does not allow data to ow (receive/transmit). 7 If support of MTU sizes above 1500 bytes is required, click Enable Jumbo Frames support. This will extend the MTU size to 1800 bytes on the data link layer. Enabling Jumbo Frames support requires that port speed to be 1Gbps or higher on the controller and the APs which support Jumbo Frames. Jumbo Frames are not supported on 10 or 100 Mbps speeds. ExtremeWireless V10.41.06 User Guide 53 Conguring the ExtremeWireless Appliance Viewing and Changing the Physical Topologies To view and change the L2 Port topologies:
1 From the top menu, click Controller.
2 In the left pane, click Network > Topologies. The Topologies tab is displayed. An associated topology entry is created by default for each L2 Port, with the same name.
3 To make changes, select a specific topology. The Edit Topology dialog appears. For the data ports predefined in the system, Name and Mode are not configurable.
4 Optionally, configure one of the physical topologies for Third Party AP connectivity by clicking the 3rd Party AP Topology check box. You must configure a topology to which you will be connecting third-party APs by checking this box. Only one topology can be configured for third-party APs. Third-party APs must be deployed within a segregated network for which the controller becomes the single point of access (i.e., routing gateway). When you define a third-party AP topology, the interface segregates the third-party AP from the remaining network.
When you configure a controller port to be a member of a VLAN, you must ensure that the VLAN configuration (VLAN ID, tagged or untagged attribute, and Port ID) matches the corresponding configuration on the network switch.
5 To configure an interface for VLAN assignment, configure the VLAN Settings in the Layer 2 box.
6 To replicate topology settings, click Synchronize in the Status field.
7 If the desired IP configuration is different from the one displayed, change the Interface IP and Mask accordingly in the Layer 3 box. For this type of data interface, the Layer 3 check box is selected automatically. This allows for IP Interface and subnet configuration together with other networking services.
8 The MTU value specifies the Maximum Transmission Unit, or maximum packet size, for this topology. The fixed value is 1500 bytes for physical topologies.
If you are using OSPF, be sure that the MTU of all the interfaces in the OSPF link match.
Note: If the routed connection to an AP traverses a link that imposes a lower MTU than the default 1500 bytes, the controller and AP participate in automatic MTU discovery and adjust their settings accordingly. At the controller, MTU adjustments are tracked on a per-AP basis. If the ExtremeWireless software cannot discover the MTU size, it enforces the static MTU size.
9 To enable AP registration through this interface, select the AP Registration check box. Wireless APs use this port for discovery and registration. Other controllers can use this port to enable inter-controller device mobility if this port is configured to use SLP, or if the controller is running as a manager and SLP is the discovery protocol used by the agents.
10 To enable management traffic, select the Management Traffic check box. Enabling management provides access to the SNMP (v1/v2c, v3), SSH, and HTTPS management interfaces.
Note: This option does not override the built-in protection filters on the port. The built-in protection filters for the port, which are restrictive in the types of packets that are allowed to reach the management plane, are extended with a set of definitions that allow access to system management services through that interface (SSH, SNMP, HTTPS:5825).
11 To enable the local DHCP Server on the controller, in the DHCP field, select Local Server. Then, click the Configure button to open the DHCP configuration pop-up window.
Note: The local DHCP Server is useful as a general-purpose DHCP Server for small subnets.
a In the Domain Name field, type the name of the domain that you want the APs to use for DNS Server discovery.
b In the Lease (seconds) default field, type the time period for which the IP address will be allocated to the APs (or any other device requesting it).
c In the Lease (seconds) max field, type the maximum time period in seconds for which the IP address will be allocated to the APs.
d In the DNS Servers field, type the DNS Server's IP address if you have a DNS Server.
e In the WINS field, type the WINS Server's IP address if you have a WINS Server.
Note: You can type multiple entries in the DNS Servers and WINS fields. Each entry must be separated by a comma. These two fields are not mandatory to enable the local DHCP feature.
f In the Gateway field, type the IP address of the default gateway.
Note: Since the controller is not allowed to be the gateway for the segment, including APs, you cannot use the Interface IP address as the gateway address for physical and Bridged at Controller topologies. For a Routed topology, the controller IP address must be the gateway.
g Configure the address range from which the local DHCP Server will allocate IP addresses to the APs. In the Address Range: from field, type the starting IP address of the IP address range. In the Address Range: to field, type the ending IP address of the IP address range.
h Click the Exclusion(s) button to exclude IP addresses from allocation by the DHCP Server. The DHCP Address Exclusion window opens.
Note: The controller automatically adds the IP addresses of the Interfaces (Ports) and the default gateway to the exclusion list. You cannot remove these IP addresses from the exclusion list.
To exclude a range, select Range. In the From field, type the starting IP address of the IP address range that you want to exclude from the DHCP allocation. In the To field, type the ending IP address of the IP address range that you want to exclude from the DHCP allocation.
To exclude a single address, select the Single Address radio button and type the IP address in the adjacent field.
In the Comment field, type any relevant comment. For example, you can type the reason for which a certain IP address is excluded from the DHCP allocation.
Click Add. The excluded IP addresses are displayed in the IP Address(es) to exclude from DHCP Range field.
To delete an IP Address from the exclusion list, select it in the IP Address(es) to exclude from DHCP Range field, and then click Delete.
To save your changes, click OK.
Note: The Broadcast (Bcast) Address field is view only. This field is computed from the mask and the IP addresses.
Setting Up Internal VLAN ID and Multicast Support
You can configure the Internal VLAN ID and enable multicast support. The internal VLAN is used only internally and is not visible in external traffic. The physical topology used for multicast is the physical topology to/from which the multicast traffic is forwarded, in conjunction with the virtual routed topologies (and VNSs) configured on the controller. Please note that no multicast routing is available at this time.
To configure the Internal VLAN ID and enable multicast support:
1 From the top menu, click Controller.
2 In the left pane, click Network > Topologies. The Topologies tab is displayed.
3 In the Internal VLAN ID field, type the internal VLAN ID.
4 From the Multicast Support drop-down list, select the desired physical topology.
5 To save your changes, click Save.
Setting Up Static Routes
When setting up a controller routing protocol, you must define a default route to your enterprise network, either with a static route or by using the OSPF protocol. A default route enables the controller to forward packets to destinations that do not match a more specific route definition.
To set a static route on the controller:
1 From the top menu, click Controller. The Wireless Controller Configuration screen displays.
2 In the left pane, click Network > Routing Protocols. The Static Routes tab is displayed.
3 To add a new route, click New, and in the Edit route dialog, enter the following information:
In the Destination Address field, type the IP address of the destination controller. To define a default static route for any unknown address not in the routing table, type 0.0.0.0.
In the Subnet Mask field, type the appropriate subnet mask to separate the network portion from the host portion of the IP address (typically 255.255.255.0). To define the default static route for any unknown address, type 0.0.0.0.
In the Gateway field, type the IP address of the adjacent router port or gateway on the same subnet as the controller to which to forward these packets. This is the IP address of the next hop between the controller and the packet's ultimate destination.
Select the Override dynamic routes check box to give priority over the OSPF learned routes, including the default route, which the controller uses for routing. This option is enabled by default. To remove this priority for static routes, so that routing is controlled dynamically at all times, clear the Override dynamic routes check box.
Note: If you enable dynamic routing (OSPF), the dynamic routes will normally have priority for outgoing routing. For internal routing on the controller, the static routes normally have priority.
4 To save your changes, click Save.
Viewing the Forwarding Table
You can view the defined routes, whether static or OSPF, and their current status in the forwarding table.
To view the forwarding table on the controller:
1 From the Routing Protocols Static Routes tab, click View Forwarding Table. The Forwarding Table is displayed.
2 Alternatively, from the top menu, click Reports. The Available AP Reports screen displays.
3 In the left pane, click Routing Protocols, then click Forwarding Table. The Forwarding Table is displayed. This report displays all defined routes, whether static or OSPF, and their current status.
4 To update the display, click Refresh.
Setting Up OSPF Routing
Open Shortest Path First (OSPF) is a robust link-state routing protocol. OSPF forms adjacencies with neighbors and shares information via the Designated Router (DR) and Backup DR using link state advertisements. Areas in OSPF are used to limit LSAs and summarize routes. Everyone connects to area zero, the backbone.
Related Links
Enabling OSPF Routing on page 62
Setting OSPF Routing Settings on page 62
Confirming OSPF Ports on page 65
Enabling OSPF Routing
To enable OSPF (OSPF RFC2328) routing, you must:
1 Specify at least one topology on which OSPF is enabled on the Port Settings option of the OSPF tab. This is the interface on which you can establish OSPF adjacency.
2 Enable OSPF globally on the controller.
3 Define the global OSPF parameters.
4 Ensure that the OSPF parameters defined here for the controller are consistent with the adjacent routers in the OSPF area. This consistency includes the following:
If the peer router has different timer settings, the protocol timer settings in the controller must be changed to match to achieve OSPF adjacency.
The MTU of the ports on either end of an OSPF link must match. The MTU for ports on the controller is fixed at 1500. This matches the default MTU in standard routers. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51). It is important to ensure that the MTU of the ports on either end of an OSPF link match. If there is a mismatch in the MTU, the OSPF adjacency between the controller and the neighboring router might not get established.
Related Links
Setting Up OSPF Routing on page 61
Setting OSPF Routing Settings on page 62
Confirming OSPF Ports on page 65
Setting OSPF Routing Settings
To set OSPF routing global settings on the controller:
1 From the top menu, click Controller.
2 In the left pane, click Network > Routing Protocols. The Static Routes tab is displayed by default.
3 Click the OSPF tab.
4 From the OSPF Status drop-down list, click On to enable OSPF. In the Router ID field, type the IP address of the controller. This ID must be unique across the OSPF area. If left blank, the OSPF daemon automatically picks a router ID from one of the controller's interface IP addresses.
5 In the Area ID field, type the area. 0.0.0.0 is the main area in OSPF.
6 In the Area Type drop-down list, click one of the following:
Default: The default acts as the backbone area (also known as area zero). It forms the core of an OSPF network. All other areas are connected to it, and inter-area routing happens via a router connected to the backbone area.
Stub: The stub area does not receive external routes. External routes are defined as routes which were distributed in OSPF via another routing protocol. Therefore, stub areas typically rely on a default route to send traffic outside the present domain.
Not-so-stubby: The not-so-stubby area is a type of stub area that can import autonomous system (AS) external routes and send them to the default/backbone area, but cannot receive AS external routes from the backbone or other areas.
7 To save your changes, click Save.
8 To add a new OSPF interface, click New, or select a port to configure by clicking the desired port in the Port Settings table. The Edit Port dialog displays.
9 In the Link Cost field, type the OSPF standard value for your network for this port. This is the cost of sending a data packet on the interface. The lower the cost, the more likely the interface is to be used to forward data traffic.
10 In the Authentication drop-down list, click the authentication type for OSPF on your network: None or Password. The default setting is None.
11 If Password is selected as the authentication type, in the Password field, type the password. If None is selected as the Authentication type, leave this field empty. This password must match on either end of the OSPF connection.
Note: If more than one port is enabled for OSPF, it is important to prevent the controller from serving as a router for other network traffic (other than the traffic from wireless device users on routed topologies controlled by the controller). For more information, see Policy Rules on page 288.
12 Type the following:
Hello-Interval: Specifies the time in seconds (displays OSPF default). The default setting is 10 seconds.
Dead-Interval: Specifies the time in seconds (displays OSPF default). The default setting is 40 seconds.
Retransmit-Interval: Specifies the time in seconds (displays OSPF default). The default setting is 5 seconds.
Transmit Delay: Specifies the time in seconds (displays OSPF default). The default setting is 1 second.
13 To save your changes, click Save.
Related Links
Setting Up OSPF Routing on page 61
Enabling OSPF Routing on page 62
Confirming OSPF Ports on page 65
Confirming OSPF Ports
To confirm that the ports are set up for OSPF, and that advertised routes from the upstream router are recognized:
1 Click View Forwarding Table. The Forwarding Table is displayed. The following additional reports display OSPF information when the protocol is in operation:
OSPF Neighbor: Displays the current neighbors for OSPF (routers that have interfaces to a common network).
OSPF Linkstate: Displays the Link State Advertisements (LSAs) received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the router's interfaces and adjacencies.
2 To update the display, click Refresh.
Related Links
Setting Up OSPF Routing on page 61
Enabling OSPF Routing on page 62
Setting OSPF Routing Settings on page 62
Configuring Filtering at the Interface Level
The ExtremeWireless solution has a number of built-in filters that protect the system from unauthorized traffic. These filters are specific only to the controller. They are applied at the network interface level and are automatically invoked. By default, these filters provide stringent rules that allow access only to the system's externally visible services. In addition to these built-in filters, the administrator can define specific exception filters at the interface level to customize network access. These filters depend on Topology Modes and the configuration of an L3 interface for the topology.
Built-in Interface-based Exception Filters
On the controller, various interface-based exception filters are built in and invoked automatically. These filters protect the controller from unauthorized access to system management functions and services via the interfaces. Access to system management functions is granted if the administrator selects the allow management traffic option in a specific topology. For Bridged at Controller topologies, exception filters are defined only if L3 (IP) interfaces are specified. For Physical, Routed, and 3rd Party AP topologies, exception filtering is always configured since they all have an L3 interface presence.
Allow management traffic is possible on the topologies that have L3 IP interface definitions.
For example, if management traffic is allowed on a physical topology (esa0), only users connected through ESA0 will be able to get access to the system. Users connecting on any other topology, such as Routed or Bridged Locally at Controller, will no longer be able to target ESA0 to gain management access to the system. To allow access for users connected on such a topology, the given topology configuration itself must have allow management traffic enabled, and users will only be able to target the topology interface specifically.
On the controller's L3 interfaces (associated with either Physical, Routed, or Bridged Locally at Controller topologies), the built-in exception filter prohibits invoking SSH, HTTPS, or SNMP. However, such traffic is allowed, by default, on the management port.
If management traffic is explicitly enabled for any interface, access is implicitly extended to that interface through any of the other interfaces (VNS). Only traffic specifically allowed by the interface's exception filter is allowed to reach the controller itself. All other traffic is dropped. Exception filters are dynamically configured and regenerated whenever the system's interface topology changes (for example, a change of IP address for any interface).
Enabling management traffic on an interface adds additional rules to the exception filter, which open up the well-known IP (TCP/UDP) ports corresponding to the HTTPS, SSH, and SNMP applications.
The interface-based built-in exception policy rules, in the case of traffic from wireless users, are applicable to traffic targeted directly at the topology L3 interface. For example, a filter specified by a Role may be generic enough to allow traffic access to the controller's management (for example, Allow All [*.*.*.*]).
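The interface-level filter behaviour described in this section, modelled in Python as an added example (this is illustrative code, not ExtremeWireless software): the built-in filter drops everything addressed to a topology's L3 interface, the Management Traffic option opens the management services on that interface only, administrator-defined exception rules are prepended and therefore evaluated first, and a Role that allows the traffic cannot override an exception-filter deny. SSH on TCP 22 and SNMP on UDP 161 are assumed port numbers; HTTPS on 5825 is stated in the guide; all addresses are constructed.

```python
"""Model of ExtremeWireless interface-based exception filters (added example,
not product code). Rules match on destination IP, protocol and port; the
first matching rule wins. SSH/22 and SNMP/161 are assumed; HTTPS:5825 is
the port named in the guide."""
from dataclasses import dataclass, field
from typing import List, Optional

# Services the "Management Traffic" option opens on an L3 interface.
MANAGEMENT_SERVICES = (("tcp", 22), ("udp", 161), ("tcp", 5825))  # SSH, SNMP, HTTPS:5825


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    dst_ip: Optional[str] = None    # None = any destination
    proto: Optional[str] = None     # None = "N/A" in the Protocol list (any)
    dst_port: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst_ip is None or self.dst_ip == pkt.dst_ip)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


@dataclass
class Topology:
    name: str
    l3_ip: str
    management_traffic: bool = False
    admin_rules: List[Rule] = field(default_factory=list)  # Exception Filters tab


def built_in_rules(topo: Topology) -> List[Rule]:
    """Built-in exception filter for one L3 interface: management services are
    opened only when Management Traffic is checked; everything else addressed
    to the interface IP is dropped."""
    rules: List[Rule] = []
    if topo.management_traffic:
        rules += [Rule("allow", topo.l3_ip, proto, port) for proto, port in MANAGEMENT_SERVICES]
    rules.append(Rule("deny", topo.l3_ip))
    return rules


def exception_filter(topo: Topology) -> List[Rule]:
    """Administrator-defined rules are prepended, so they are evaluated before
    the built-in protection and take precedence over it."""
    return list(topo.admin_rules) + built_in_rules(topo)


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # nothing matched: the interface stays closed


def controller_accepts(pkt: Packet, topologies: List[Topology], role_allows: bool = True) -> bool:
    """Verdict for wireless-user traffic aimed at a controller L3 interface.
    The Role filter runs first; an exception-filter deny still drops the packet
    even when the Role (for example 'Allow All') permitted it."""
    if not role_allows:
        return False
    target = next((t for t in topologies if t.l3_ip == pkt.dst_ip), None)
    if target is None:
        return False  # not addressed to the controller itself
    return evaluate(exception_filter(target), pkt) == "allow"


# Constructed sample configuration: management enabled on esa0 only, plus an
# administrator exception rule on esa0 that keeps SNMP off the management plane.
ESA0 = Topology("esa0", "192.0.2.10", management_traffic=True,
                admin_rules=[Rule("deny", "192.0.2.10", "udp", 161)])
ESA1 = Topology("esa1", "198.51.100.10", management_traffic=False)
TOPOLOGIES = [ESA0, ESA1]

if __name__ == "__main__":
    checks = [
        ("HTTPS:5825 to esa0", Packet("192.0.2.10", "tcp", 5825), True),
        ("HTTP:80 to esa0", Packet("192.0.2.10", "tcp", 80), True),
        ("SNMP to esa0 (admin deny first)", Packet("192.0.2.10", "udp", 161), True),
        ("SSH to esa1 (management off)", Packet("198.51.100.10", "tcp", 22), True),
        ("SSH to esa0, Role denies", Packet("192.0.2.10", "tcp", 22), False),
    ]
    for label, pkt, role in checks:
        verdict = "allow" if controller_accepts(pkt, TOPOLOGIES, role) else "drop"
        print(f"{label:35s} -> {verdict}")
```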
Exception policy rules are evaluated after the user's assigned filter role; as such, it is possible that the role allows access to management functions that the exception filter denies. These packets are dropped.
To enable SSH, HTTPS, or SNMP access through a physical data interface:
1 From the top menu, click Controller.
2 In the left pane, click Network > Topologies. The Topologies tab is displayed.
3 On the Topologies tab, click the appropriate data port topology. The Edit Topology window displays.
4 Select the Management Traffic check box if the topology has specified an L3 IP interface presence.
5 To save your changes, click Save.
Working with Administrator-defined Interface-based Exception Filters
You can add specific policy rules at the interface level in addition to the built-in rules. Such rules give you the capability of restricting access to a port for specific reasons, such as a Denial of Service (DoS) attack. The policy rules are set up in the same manner as policy rules defined for a Role: specify an IP address, select a protocol if applicable, and then either allow or deny traffic to that address. For more information, see Policy Rules on page 288. The rules defined for port exception filters are prepended to the normal set of restrictive exception filters and have precedence over the system's normal protection enforcement (that is, they are evaluated first).
To define interface exception filters:
1 From the top menu, click Controller.
2 In the left pane, click Network > Topologies. The Topologies screen displays.
3 Select a topology to be configured. The Edit Topology window is displayed.
Warning: If defined improperly, user exception rules may seriously compromise the system's normal security enforcement rules. They may also disrupt the system's normal operation and even prevent system functionality altogether. It is advised to only augment the exception-filtering mechanism if absolutely necessary.
4 If the topology has an L3 interface defined, an Exception Filters tab is available. Select this tab. The Exception Filter rules are displayed.
5 Add rules by either:
Click Add Predefined, select a filter from the drop-down list, and click Add.
Click Add, configure the following parameters, then click OK:
In the IP / subnet:port field, type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address.
In the Protocol drop-down list, click the protocol you want to specify for the filter. This list may include UDP, TCP, GRE, IPsec-ESP, IPsec-AH, and ICMP (Internet Control Message Protocol). The default is N/A.
6 The new filter is displayed in the upper section of the screen.
7 Click the new filter entry.
8 To allow traffic, select the Allow check box.
9 To adjust the order of the policy rules, click Up or Down to position the rule. The policy rules are executed in the order defined here.
10 To save your changes, click Save.
Protecting Controller Interfaces and the Internal Captive Portal Page
By default, the controller is shipped with a self-signed certificate used to perform the following tasks:
Protect all interfaces that provide administrative access to the controller
Protect the internal Captive Portal page
This certificate is associated with topologies that have a configured L3 (IP) interface. If you continue to use the default certificate to secure the controller and internal Captive Portal page, your web browser will likely produce security warnings regarding the security risks of trusting self-signed certificates. To avoid the certificate-related web browser security warnings, you can install customized certificates on the controller.
Note: To avoid the certificate-related web browser security warnings when accessing the controller, you must also import the customized certificates into your web browser application.
Before Installing a Certificate
Before you create and install a certificate:
1 Select a certificate format to install. The controller supports several types of certificates, as shown in Table 7.
Table 7: Supported Certificate and CA Formats
Certificate Format: Description
PKCS#12: The PKCS#12 certificate (.pfx) file contains both a certificate and the corresponding private key. The controller will accept the PKCS#12 file as long as the format of the private key and certificate are valid.
PEM/DER: The PEM/DER certificate (.crt) file requires a separate PEM/DER private key (.key) file. The controller uses the OpenSSL PKCS12 command to convert the .crt and .key files into a single .pfx PKCS#12 certificate file. The controller will accept the PEM/DER file as long as the format of the private key and certificate are valid.
PEM-formatted CA public certificate file: If you choose to install this optional certificate, you must do so when specifying the PKCS#12 or PEM/DER certificates.
Note: When generating the PKCS#12 certificate file or the PEM/DER certificate and key files, you must ensure that the interface identified in the certificate corresponds to the controller's interface for which the certificate is being installed.
2 Understand how the controller monitors the expiration date of installed certificates. The controller generates an entry in the events information log as the certificate expiry date approaches, based on the following schedule: 15, 8, 4, 2, and 1 day prior to expiration. The log messages cease when the certificate expires. For more information, refer to the Extreme Networks ExtremeWireless Maintenance Guide.
3 Understand how the controller manages certificates during upgrades and migrations. Installed certificates will be backed up and restored with the controller configuration data. Installed certificates will also be migrated during an upgrade and during a migration.
Installing a Certificate for a Controller Interface
To install a certificate for a Controller Data Interface:
1 From the top menu, click Controller.
2 In the left pane, click Network > Topologies. The Topologies tab is displayed.
3 Click the Certificates tab. Topologies with an L3 interface will be listed.
4 In the Interface Certificates table, click to select the topology for which you want to install a certificate. The Configuration for Topologies section and the Generate Signing Request button become available. Use the field and button descriptions in Table 8 to create and install certificates.
Note: There are separate certificates if IPv4 and IPv6 are both configured for the Admin topology.
Note: The certificate Common Name (CN) must match the interface IP or DNS addresses (Admin only).
Table 8: Topologies Page: Certificates Tab Fields and Buttons
Field/Button: Description
Interface Certificates
Topology: Topology name
Expiry Date: Date when the certificate expires
CA Cert.: Identifies whether or not a CA certificate has been installed on the topology.
Name (CN): The IP address or DNS address associated with the topology that the certificate applies to. Note: The Name field supports both IPv4 and IPv6 addresses.
Org Unit (OU): Name of the organization's unit.
Organization: Name of the organization
Configuration for Topology
Replace/Install selected Topology's certificate: To replace/install the existing port's certificate and key using this option, do the following:
1 Click the Generate Signing Request button to create the certificate and key.
2 Download the CSR when prompted.
3 Use a 3rd party certificate service to sign the CSR and create a certificate and a Certificate Authority (CA) file.
4 Save the certificate on your computer.
5 Return to the Certificates tab on the ExtremeWireless UI.
6 Select the topology for which you created the certificate and select Replace/Install selected Topology's certificate.
7 Click Browse next to the Signed certificate to install field.
8 Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Certificate file to install field.
9 (Optional) Click Browse next to the Optional:Enter PEM-encoded CA public certificates file field. The Choose file dialog is displayed.
10 (Optional) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Optional:Enter PEM-encoded CA public certificates file field.
Note: If you choose to install a CA public certificate, you must install it when you install the PEM/DER certificate and key.
Replace/Install selected Topology's certificate and key from a single file: To replace the existing port's certificate and key using this option, do the following:
1 Click Browse next to the PKCS #12 file to install field. The Choose file dialog is displayed.
2 Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the PKCS #12 file to install field.
3 In the Private key password box, type the password for the key file. The key file is password protected.
4 (Optional) Click Browse next to the Optional:Enter PEM-encoded CA public certificates file field. The Choose file dialog is displayed.
5 (Optional) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Optional:Enter PEM-encoded CA public certificates file field.
Note: If you choose to install a CA public certificate, you must install it when you install the PEM/DER certificate and key.
Replace/Install selected Topology's certificate and key from separate files: To replace the existing port's certificate and key using this option, do the following:
1 Click Browse next to the PKCS #12 file to install field. The Choose file dialog is displayed.
2 Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the PKCS #12 file to install field.
3 Click Browse next to the Private key file to install field. The Choose file dialog is displayed.
4 Navigate to the key file you want to install for this port, and then click Open. The key file name is displayed in the Private key file to install field.
5 In the Private key password box, type the password for the key file. The key file is password protected.
6 (Optional) Click Browse next to the Optional:Enter PEM-encoded CA public certificates file field. The Choose file dialog is displayed.
7 (Optional) Navigate to the certificate file you want to install for this port, and then click Open. The certificate file name is displayed in the Optional:Enter PEM-encoded CA public certificates file field.
Note: If you choose to install a CA public certificate, you must install it when you install the PEM/DER certificate and key.
Reset selected Topology to the factory default certificate and key: Remove the custom certificate that the user installed.
No change: No change.
Generate Signing Request: To generate a CSR for the controller, click Generate Signing Request. The Generate Certificate Signing Request window displays (Figure 10).
Save: Click to save the changes to this Topology.
Note: To avoid the certificate-related web browser security warnings when accessing the Wireless Assistant, you must also import the customized certificates into your web browser application.
Figure 10: Generate Certificate Signing Request Window
Table 9: Generate Certificate Signing Request Page - Fields and Buttons
Field/Button: Description
Country name: The two-letter ISO abbreviation of the name of the country
State or Province name: The name of the State/Province
Locality name (city): The name of the city.
Organization name: The name of the organization
Organizational Unit name: The name of the unit within the organization.
Common Name: Set the common name to be one of the following:
the IP address of the interface that the CSR applies to. a DNS address associated with the IP address of the interface that the CSR applies to. ExtremeWireless V10.41.06 User Guide 74 Conguring the ExtremeWireless Appliance Table 9: Generate Certicate Signing Request Page - Fields and Buttons
(continued) FField/Button Description Email address The email address of the organization Generate Signing Request Click to generate a signing request. A certicate request le is generated (.csr le extension). The name of the le is the IP address of the topology you created the CSR for. The FFile Download dialog is displayed. Conguring the Login Authentication Mode Conguring the Local Login Authentication Mode and Adding New Users on page 75. You can congure the following login authentication modes to authenticate administrator login attempts:
Local authentication: The controller uses locally configured login credentials and passwords. See Configuring the Local Login Authentication Mode and Adding New Users on page 75.
RADIUS authentication: The controller uses login credentials and passwords configured on a RADIUS server. See Configuring the RADIUS Login Authentication Mode on page 78.
Local authentication first, then RADIUS authentication: The controller first uses locally configured login credentials and passwords. If this login fails, the controller attempts to validate login credentials and passwords configured on a RADIUS server. See Configuring the Local, RADIUS Login Authentication Mode on page 82.
RADIUS authentication first, then local authentication: The controller first uses login credentials and passwords configured on a RADIUS server. If this login fails, the controller attempts to validate login credentials and passwords configured locally. See Configuring the RADIUS, Local Login Authentication Mode on page 84.
Note: The ExtremeWireless Appliance enables you to recover the controller via the Rescue mode if you have lost its login password. For more information, see the ExtremeWireless Maintenance Guide.
Local login authentication mode is enabled by default. If the login authentication was previously set to another authentication mode, you can change it back to local authentication. You can also add new users and assign them to a login group as full administrators, read-only administrators, or GuestPortal managers. For more information, see Defining Wireless Assistant Administrators and Login Groups on page 673.

Configuring the Local Login Authentication Mode and Adding New Users
To configure the local login authentication mode:
1 From the top menu, click Controller.
2 In the left pane, click Administration > Login Management. The Login Management screen displays.
3 In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4 Select the Local check box. If the RADIUS check box is selected, deselect it.
5 Click OK.
6 In the Add User section, select one of the following from the Group drop-down list:
Full Administrator: Grants full administrator access rights to the user.
Read-only Administrator: Grants read-only access rights to the administrator.
GuestPortal Manager: Grants the user GuestPortal manager rights.
7 In the User ID box, type the user's ID.
8 In the Password box, type the user's password.
Note: UNICODE characters are not supported in passwords for local and remote RADIUS/TACACS+ authentication. All passwords must be 8 to 24 characters long.
9 In the Confirm Password box, re-type the password.
10 To add the user, click Add User. The new user is added.
11 Click Save. The Administrator Password Confirmation window is displayed.
Yes: Change authentication mode to local. Use the administrator password currently defined on the controller.
Yes, but I want to change administrator's password first: Change authentication mode to local and change the administrator password currently defined on the controller.
No: Do not change the authentication mode to local.
12 Select the appropriate option.
13 Click Submit.
14 If you chose Yes, but I want to change administrator's password first, you are prompted to change the administrator's password.

Configuring the RADIUS Login Authentication Mode
The local login authentication mode is enabled by default. You can change the local login authentication mode to RADIUS-based authentication.
Note: Before you change the default local login authentication to RADIUS-based authentication, you must configure the RADIUS Server on the Global Settings screen. For more information, see VNS Global Settings on page 392.
RADIUS is a client/server authentication and authorization access protocol used by a network access server (NAS) to authenticate users attempting to connect to a network device. The NAS functions as a client, passing user information to one or more RADIUS servers. The NAS permits or denies network access to a user based on the response it receives from one or more RADIUS servers. RADIUS uses User Datagram Protocol (UDP) for sending the packets between the RADIUS client and server.
You can configure a RADIUS key on the client and server. If you configure a key on the client, it must be the same as the one configured on the RADIUS servers. The RADIUS clients and servers use the key to encrypt all RADIUS packets transmitted.
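The RADIUS exchange behind this login mode, as an added example that is not part of the ExtremeWireless guide: per RFC 2865 the controller (the NAS) hides User-Password under the shared key and accepts a reply only when its Response Authenticator was computed with the same key over that request, then maps the Service-Type in the Access-Accept to the login groups this section lists (6, 7, 8). The RADIUS server is simulated in-process; the user names, passwords, NAS address and key are constructed values.

```python
# Added example, not from the ExtremeWireless guide: the RADIUS login exchange
# between the controller (acting as NAS) and a RADIUS server, per RFC 2865, with
# the server simulated in-process. Users, passwords, addresses and key are constructed.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE, NAS_IDENTIFIER = 1, 2, 4, 6, 32
# Service-Type values the guide says the controller maps to login groups.
SERVICE_TYPE_GROUPS = {6: "Full Administrator", 7: "Read-only Administrator",
                       8: "GuestPortal Manager"}
# Constructed RADIUS server user database: user -> (password, Service-Type).
USERS = {"wlanadmin": (b"S3cretPassw0rd", 6), "auditor": (b"ReadOnly-Pass1", 7),
         "frontdesk": (b"Guest-Portal-9", 8), "nobody": (b"No-Group-Given", 1)}
KEY = b"constructed-shared-key"  # configured on both controller and server

def _attr(atype, value):
    return struct.pack("!BB", atype, len(value) + 2) + value  # one TLV attribute

def hide_password(key, authenticator, password):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(key +
    previous block), seeded with the Request Authenticator. The key itself
    never goes on the wire, only the XORed blocks do."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\0")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(key + prev).digest()))
        out, prev = out + block, block
    return out

def reveal_password(key, authenticator, hidden):
    """Server side: regenerate the same keystream, XOR back, strip padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, hashlib.md5(key + prev).digest()))
        prev = block
    return out.rstrip(b"\0")

def _packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    length = struct.unpack("!H", packet[2:4])[0]
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed RADIUS attribute")
        atype, alen = packet[pos], packet[pos + 1]
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs

def build_access_request(key, ident, user, password, nas_ip, nas_id, authenticator=None):
    """What the controller sends for an admin login (or for the Test button)."""
    req_auth = authenticator or os.urandom(16)
    attrs = (_attr(USER_NAME, user.encode())
             + _attr(USER_PASSWORD, hide_password(key, req_auth, password.encode()))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _attr(NAS_IDENTIFIER, nas_id.encode()))
    return _packet(ACCESS_REQUEST, ident, req_auth, attrs)

def response_authenticator(key, code, ident, request_auth, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + key).digest()

def simulated_server(key, users, request):
    """Stand-in server: check the password, reply Access-Accept with Service-Type, or Access-Reject."""
    ident, req_auth, attrs = request[1], request[4:20], parse_attrs(request)
    user = attrs.get(USER_NAME, b"").decode()
    sent = reveal_password(key, req_auth, attrs.get(USER_PASSWORD, b""))
    if user in users and users[user][0] == sent:
        code, resp_attrs = ACCESS_ACCEPT, _attr(SERVICE_TYPE, struct.pack("!I", users[user][1]))
    else:
        code, resp_attrs = ACCESS_REJECT, b""
    auth = response_authenticator(key, code, ident, req_auth, resp_attrs)
    return _packet(code, ident, auth, resp_attrs)

def login_group(key, request, response):
    """Controller side: trust the reply only if its Response Authenticator was
    computed with our key over our request, then map Service-Type to a group.
    Returns None for a reject, a forged or wrong-key reply, or an unmapped type."""
    code, ident = response[0], response[1]
    if ident != request[1] or struct.unpack("!H", response[2:4])[0] != len(response):
        return None
    expected = response_authenticator(key, code, ident, request[4:20], response[20:])
    if expected != response[4:20] or code != ACCESS_ACCEPT:
        return None
    service_type = parse_attrs(response).get(SERVICE_TYPE, b"")
    if len(service_type) != 4:
        return None
    return SERVICE_TYPE_GROUPS.get(struct.unpack("!I", service_type)[0])

def login(user, password, controller_key=KEY, server_key=KEY):
    """One login attempt end to end; returns the granted group or None."""
    request = build_access_request(controller_key, 42, user, password, "192.0.2.10", "ewc-1")
    return login_group(controller_key, request, simulated_server(server_key, USERS, request))
```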
If you do not configure a RADIUS key, packets are not encrypted. The key itself is never transmitted over the network.
Note: Before you configure the system to use RADIUS-based login authentication, you must configure the Service-Type RADIUS attribute on the RADIUS server. EWC uses the standard RADIUS attribute Service-Type to put the user into the appropriate groups:
Administrator: Service-Type = 6
Read-Only: Service-Type = 7
GuestPortal Manager: Service-Type = 8
To configure the RADIUS login authentication mode:
1 From the top menu, click Controller.
2 In the left pane, click Administration > Login Management. The Login Management screen displays.
3 Click the RADIUS Authentication tab.
4 In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
5 Deselect Local and select the RADIUS check box.
Note: The RADIUS Servers displayed in the list located against the Use button are defined on the Global Settings screen. For more information, see VNS Global Settings on page 392.
6 Click OK.
7 From the drop-down list located next to the Use button, select the RADIUS Server that you want to use for the RADIUS login authentication, and then click Use. The RADIUS Server's name is displayed in the Configured Servers box and in the Auth section, and the following default values of the RADIUS Server are displayed. The following values can be edited:
NAS IP address: The IP address of the Network Access Server (NAS).
NAS Identifier: The Network Access Server (NAS) identifier. The NAS identifier is a RADIUS attribute that identifies the server responsible for passing information to designated RADIUS servers, and then acting on the response returned.
Auth Type: The authentication protocol type (PAP, CHAP, MS-CHAP, or MS-CHAP2).
Set as Primary Server: Specifies the primary RADIUS server when there are multiple RADIUS servers.
Note: You can add up to three RADIUS servers to the list of login authentication servers. When you add two or more RADIUS servers to the list, you must designate one of them as the Primary server. The controller first attempts to connect to the Primary server. If the Primary Server is not available, it tries to connect to the second and third server according to their order in the Configured Servers box. You can change the order of RADIUS servers in the Configured Servers box by clicking the Up and Down buttons.
8 To add additional RADIUS servers, repeat step 7.
9 Click Test to test connectivity to the RADIUS server. The following window is displayed.
Note: You can also test the connectivity to the RADIUS server after you save the configuration. If you do not test the RADIUS server connectivity, and you have made an error in configuring the RADIUS-based login authentication mode, you will be locked out of the controller when you switch the login mode to the RADIUS login authentication mode. If you are locked out, access Rescue mode via the console port to reset the authentication method to local.
10 In the User ID and the Password fields, type the user's ID and the password that were configured on the RADIUS Server, and then click Test. The RADIUS connectivity result is displayed.
Note: To learn how to configure the User ID and the Password on the RADIUS server, refer to your RADIUS server's user guide.
If the test is not successful, the following message will be displayed:
11 If the RADIUS connectivity test displays a Successful result, click Save on the RADIUS Authentication screen to save your configuration. The following window is displayed:
12 If you tested the RADIUS server connectivity earlier in this procedure, click No. If you click Yes, you will be asked to enter the RADIUS server user ID and password.
13 To change the authentication mode to RADIUS authentication, click OK. You will be logged out of the controller immediately. You must use the RADIUS login user name and password to log on to the controller. To cancel the authentication mode changes, click Cancel.

Configuring the Local, RADIUS Login Authentication Mode
To configure the Local, RADIUS login authentication mode:
1 From the top menu, click Controller.
2 In the left pane, click Administration > Login Management. The Login Management screen displays.
3 In the Authentication mode section, click Configure.
4 Select the Local and RADIUS check boxes.
5 If necessary, select Local and use the Move Up button to move Local to the top of the list.
6 Click OK.
7 On the Login Management screen, click Save.
For information on setting local login authentication settings, see Configuring the Local Login Authentication Mode and Adding New Users on page 75. For information on setting RADIUS login authentication settings, see Configuring the RADIUS Login Authentication Mode on page 78.

Configuring the RADIUS, Local Login Authentication Mode
To configure the RADIUS, Local login authentication mode:
1 From the top menu, click Controller.
2 In the left pane, click Administration > Login Management. The Login Management screen displays.
3 In the Authentication mode section, click Configure. The Login Authentication Mode Configuration window is displayed.
4 Select the Local and RADIUS check boxes.
5 If necessary, select the RADIUS field and use the Move Up button to move RADIUS to the top of the list.
6 Click OK.
7 On the Login Management screen, click Save.
For information on setting local login authentication settings, see Configuring the Local Login Authentication Mode and Adding New Users on page 75. For information on setting RADIUS login authentication settings, see Configuring the RADIUS Login Authentication Mode on page 78.

Configuring SNMP
The controller supports SNMP for retrieving statistics and configuration information. If you enable SNMP on the controller, you can choose either SNMPv3 or SNMPv1/v2 mode. If you configure the controller to use SNMPv3, then any request other than an SNMPv3 request is rejected. The same is true if you configure the controller to use SNMPv1/v2.
To configure SNMP:
1 From the top menu, click Controller. The Wireless Controller Configuration screen displays.
2 In the left pane, click Network > SNMP. The SNMP screen displays.
3 In the SNMP Common Settings section, configure the following:
Mode: Select SNMPv1/v2c or SNMPv3 to enable SNMP.
Contact Name: The name of the SNMP administrator.
Location: The physical location of the controller running the SNMP agent.
SNMP Port: The destination port for the SNMP traps. Possible ports are 0 to 65555.
Forward Traps: The lowest severity level of SNMP trap that you want to forward.
Publish AP as interface of controller: Enable or disable SNMP publishing of the access point as an interface to the controller.
4 Select the tab for the SNMP version you are configuring. For more information, see:
Configuring SNMPv1/v2c-specific Parameters on page 87
Configuring SNMPv3-specific Parameters on page 87

Configuring SNMPv1/v2c-specific Parameters
1 Configure the following parameters on the SNMPv1/v2c tab:
Read Community Name: The password that is used for read-only SNMP communication.
Read/Write Community Name: The password that is used for write SNMP communication.
Manager A: The IP address of the server used as the primary network manager that will receive SNMP messages.
Manager B: The IP address of the server used as the secondary network manager that will receive SNMP messages.
Note: The Manager A and Manager B address fields support both IPv4 and IPv6 addresses.
2 Click Save.

Configuring SNMPv3-specific Parameters
1 Configure the following parameters on the SNMPv3 tab:
Context String: A description of the SNMP context.
Engine ID: The SNMPv3 engine ID for the controller running the SNMP agent. The engine ID must be from 5 to 32 characters long.
RFC3411 Compliant: The engine ID will be formatted as defined by the SnmpEngineID textual convention (that is, the engine ID will be prepended with the SNMP agent's private enterprise number assigned by IANA, as a formatted HEX text string).
2 Click Add User Account. The Add SNMPv3 User Account window displays.
3 Configure the following parameters:
User: Enter the name of the user account.
Security Level: Select the security level for this user account. Choices are: authPriv, authNoPriv, noAuthnoPriv.
Auth Protocol: If you have selected a security level of authPriv or authNoPriv, select the authentication protocol. Choices are: MD5 (Message-Digest algorithm 5), SHA, None.
Auth Password: If you have selected a security level of authPriv or authNoPriv, enter an authentication password.
Privacy Protocol: If you have selected the security level of authPriv, select the privacy protocol. Choices are: DES, None.
Privacy Password: If you have selected the security level of authPriv, enter a privacy password.
Engine ID: If desired, enter an engine ID. The ID can be between 5 and 32 bytes long, with no spaces, control characters, or tabs.
Destination IP: If desired, enter the IP address of a trap destination.
Note: The Destination IP address field supports both IPv4 and IPv6 addresses.
4 Click OK. The Add SNMPv3 User Account window closes.
5 Repeat steps 2 through 4 to add additional users.
6 In the Trap 1 and Trap 2 sections, configure the following parameters:
Destination IP: The IP address of the machine monitoring SNMPv3 traps.
Note: The Destination IP address field supports both IPv4 and IPv6 addresses.
User Name: The SNMPv3 user to configure for use with SNMPv3 traps.
7 Click Save.

Editing an SNMPv3 User
To edit an SNMPv3 user:
1 From the top menu, click Controller.
2 In the left pane, click SNMP. The SNMP screen displays.
3 Click the SNMPv3 tab.
4 Select an SNMP user.
5 Click Edit Selected User. The Edit SNMPv3 User Account window displays.
6 Edit the user configuration as desired.
7 Click OK. The Edit SNMPv3 User Account window closes.
8 Click Save.

Deleting an SNMPv3 User
To delete an SNMPv3 user:
1 From the top menu, click Controller.
2 In the left pane, click SNMP. The SNMP screen displays.
3 Click the SNMPv3 tab.
4 Select an SNMP user.
5 Click Delete Selected User. You are prompted to confirm that you want to delete the selected user.
6 Click OK.

SNMP Trap Types
The SNMP agent generates traps to notify the administrator of events such as configuration changes, component failures, and disconnection of Access Points. Administrators can configure the Agent and the Controller, defining the level of trap to receive. The following trap types are supported by ExtremeWireless Controllers:
Interfaces MIB (IF-MIB) linkDown (.1.3.6.1.6.3.1.1.5.3)
Interfaces MIB (IF-MIB) linkUp (.1.3.6.1.6.3.1.1.5.4)
HIPATH-WIRELESS-HWC-MIB apTunnelAlarm (.1.3.6.1.4.1.4329.15.3.19.4): Sent by the controller when it detects that it has lost the connection to an AP. The trap identifies the AP that the controller can no longer contact.
HIPATH-WIRELESS-HWC-MIB hiPathWirelessLogAlarm (.1.3.6.1.4.1.4329.15.3.9.6): A generic trap that contains specific information relevant to the event. The information is carried in the trap, and it varies from event to event. The trap contains the trap severity, the component on the controller that raised the event, and the text string associated with the event, as it appears in the controller GUI. A trap containing one event that is also displayed in the controller's Event / Log report page. The trap is sent when the event is raised and recorded on the controller. This trap accounts for the vast majority of trap messages sent by the controller at most sites.

Configuring Network Time
Network time is synchronized in one of two ways:
Using the system's time: The system's time is the controller's time.
Using Network Time Protocol (NTP): The Network Time Protocol is a protocol for synchronizing the clocks of computer systems over packet-switched data networks.
You should synchronize the clocks of the controller and the APs to ensure that the logs and reports reflect accurate time stamps. For more information, see Working with Reports and Statistics on page 621.
The normal operation of the controller will not be affected if you do not synchronize the clock. The clock synchronization is necessary to ensure that the logs display accurate time stamps. In addition, clock synchronization of network elements is a prerequisite for the following configuration:
Mobility Manager
Session Availability
Network Time Synchronization
The controller automatically adjusts for any time change due to Daylight Savings time.

Configuring the Network Time Using the System's Time
1 From the top menu, click Controller.
2 In the left pane, click Network > Network Time. The Network Time screen displays.
3 From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping for the time zone.
4 From the Time Zone Region drop-down list, click the appropriate time zone region for the selected country.
5 Click Apply Time Zone.
6 In the System Time field, type the system time.
7 Click Set Clock. The WLAN network time is synchronized in accordance with the controller's time.

Configuring the Network Time Using an NTP Server
1 From the top menu, click Controller.
2 In the left pane, click Network > Network Time. The Network Time screen displays.
3 From the Continent or Ocean drop-down list, click the appropriate large-scale geographic grouping for the time zone.
4 From the Time Zone Region drop-down list, click the appropriate time zone region for the selected country.
5 Click Apply Time Zone.
6 In the System Time box, type the system time.
7 Select the Use NTP check box.
Note: If you want to use the controller as the NTP Server, select the Run local NTP Server check box, and click Apply.
8 In the Time Server 1 text box, type the IP address or FQDN (Fully Qualified Domain Name) of an NTP time server that is accessible on the enterprise network.
Note: The Time Server fields support both IPv4 and IPv6 addresses.
9 Repeat for the Time Server 2 and Time Server 3 text boxes. If the system is not able to connect to Time Server 1, it will attempt to connect to the additional servers that have been specified in the Time Server 2 and Time Server 3 text boxes.
10 Click Apply. The WLAN network time is synchronized in accordance with the specified time server.

Configuring Secure Connections
The controllers communicate amongst themselves using a secure protocol. Among other things, this protocol is used to share between controllers the data required for high availability. They also use this protocol to communicate with NMS Wireless Manager. The protocol requires the use of a shared secret for mutual authentication of the end points. By default the controllers and NMS Wireless Manager use a well-known factory default shared secret. This makes it easy to get up and running but is not as secure as some sites require. The controllers and NMS Wireless Manager allow the administrator to change the shared secret used by the secure protocol. In fact, the controllers and Wireless Manager can use a different shared secret for each individual end point to which they connect with the protocol.
To configure the shared secret for a connection on the controller:
1 From the top menu, click Controller.
2 In the left pane, click Network > Secure Connections. The Secure Connections screen displays.
3 Select Enable Weak Ciphers to enable weak ciphers for the remote connections. Disabling weak ciphers prevents users from accessing various web pages on the controller using less secure methods.
4 Enter the Server IP address of the other end of the secure protocol tunnel and the shared secret to use.
5 Click Add/Update.
6 Click Save.
Note: Configure the same shared secret on the devices at each end of the connection. Otherwise, the two controllers, or the controller and NMS Wireless Manager, will not be able to communicate.

Configuring DNS Servers for Resolving Host Names of NTP and RADIUS Servers
Because the Global Settings screen allows you to set up NTP and RADIUS servers by defining their host names, you have to configure your DNS servers to resolve the host names of NTP and RADIUS servers to the corresponding IP addresses. Go to VNS > Global Settings.
Note: For more information on RADIUS server configuration, see Defining RADIUS Servers and MAC Address Format on page 394.
You can configure up to three DNS servers to resolve NTP and RADIUS server host names to their corresponding IP addresses. The controller sends the host name query to the first DNS server in the stack of three configured DNS servers. The DNS server resolves the queried domain name to an IP address and sends the result back to the controller. If for some reason the first DNS server in the stack of configured DNS servers is not reachable, the controller sends the host name query to the second DNS server in the stack. If the second DNS server is also not reachable, the query is sent to the third DNS server in the stack.
To configure DNS servers for resolving host names of NTP and RADIUS servers:
1 From the top menu, click Controller.
2 In the left pane, click Administration > Host Attributes. The Host Attributes screen displays.
3 In the DNS box, type the DNS server's IP address in the Server Address field and then click Add Server. The new server is displayed in the DNS servers list.
Note: You can configure up to three DNS servers. The Server Address field supports both IPv4 and IPv6 addresses.
4 In the Default Gateway IP box, enter the IP address of the Default Gateway.
5 To save your changes, click Save.

Using a Third-party Location-based Solution
ExtremeWireless supports the following location-based solutions:
AeroScout
Ekahau
Centrak
On the controller, configure the AeroScout/Ekahau/Centrak server IP address and enable the location-based service. When using AeroScout or Ekahau, the location-based server is aware of the controller IP address. If using AeroScout, the controller also notifies the AeroScout server of the operational APs.
Enable the location-based service on the APs that you want to participate.
Note: Participating APs must use the 2.4 GHz band, and the radio that receives location-based service tags must have at least one WLAN service associated with it.
Once you have enabled the location-based service on the controller and the participating APs, at least one of the participating APs will receive reports from a location-based service Wi-Fi RFID tag in the 2.4 GHz band. The tag reports are collected by the AP and forwarded to the location-based server by encapsulating the tag reports in a WASSP tunnel and routing them as IP packets through the controller. When using Ekahau or Centrak, the controller does not converse directly with the location-based service server.
Note: Tag reports are marked with UP=CS5 and DSCP = 0xA0. On the wireless controller, tag reports are marked with UP=CS5 to the core (if 802.1p exists).
An AP's tag report collection status is reported in the AP Inventory report. For more information, see Viewing Routing Protocol Reports on page 657.
When location-based service support is disabled on the controller, the controller does not communicate with the location-based server and the APs do not perform any location-based functionality.
If availability is enabled, tag report transmission pauses on failed-over APs until they are configured and notified by the location-based server. With an availability pair, it is good practice to configure both controllers with the same location-based service.
Ensure that your location-based service tags are configured to transmit on all non-overlapping channels (1, 6 and 11) and also on channels above 11 for countries where channels above 11 are allowed.
For information about proper deployment of the location-based solution, refer to the third-party documentation (AeroScout/Ekahau/Centrak).
Related Links
Configuring Location-Based Services on page 96
AP Multi-Edit Properties on page 111
AP Properties Tab - Advanced Settings on page 164

Configuring Location-Based Services
To configure a controller for use with an AeroScout/Ekahau/Centrak solution:
1 From the top menu, click Controller.
2 In the left pane, click Services > Location-based Service.
3 Select the desired location-based service for the controller. Enter the IP address of the location-based service server. Centrak and Ekahau configuration offer a default port number and multicast address, but you can modify the default values if necessary.
4 Click Save. Now assign APs to participate in the location-based service.
5 From the top menu, click AP. In the left pane, click APs.
Note: You can enable location-based service on APs using the Location-based service field on the AP Multi-edit screen and the Advanced window of the AP Default Settings screen. The following procedure shows you how to enable location-based services on one AP at a time.
6 Click on an AP row. The AP Status dashboard displays.
7 Click Configure to display the Configuration dialog.
8 Click Advanced. The Advanced dialog displays.
9 Select Enable location-based service and close the dialog.
10 Enable Location-based services on each additional AP that you want to participate.
11 Click Save.
Related Links
Using a Third-party Location-based Solution on page 95
AP Multi-Edit Properties on page 111
AP Properties Tab - Advanced Settings on page 164

Additional Ongoing Operations of the System
Ongoing operations of the Extreme Networks ExtremeWireless system can include the following:
Controller System Maintenance
Client Disassociate
Logs and Traces
Reports and Displays
For more information, see Performing System Administration on page 669 or the Extreme Networks ExtremeWireless Maintenance Guide.

4 Configuring the ExtremeWireless APs
Wireless AP Overview
Discovery and Registration
Viewing a List of All APs
Wireless AP Default Configuration
Configuring Wireless AP Properties
Outdoor Access Point Installation
Assigning Wireless AP Radios to a VNS
Configuring Wireless AP Radio Properties
Configuring IoT Applications
Setting Up the Wireless AP Using Static Configuration
Setting Up 802.1x Authentication for a Wireless AP
Configuring Co-Located APs in Load Balance Groups
Configuring an AP Cluster
Configuring an AP as a Guardian
Configuring a Captive Portal on an AP
AP3916ic Integrated Camera Deployment
Performing AP Software Maintenance
Understanding the ExtremeWireless LED Status
Extreme Networks ExtremeWireless APs use the 802.11 wireless standards (802.11a/b/g/n/ac) for network communications, and bridge network traffic to an Ethernet LAN. In addition to the Wireless APs that run proprietary software and communicate with a controller only, Extreme Networks offers Cloud-enabled APs. The 3805i and the AP39xx series are radar-capable, Cloud-enabled APs that interoperate fully with ExtremeCloud and other ExtremeWireless products.

Wireless AP Overview
A wireless AP physically connects to a LAN infrastructure and establishes an IP connection to a controller, which manages the AP configuration through the Wireless Assistant. The controller also provides centralized management (verification and upgrade) of the AP firmware image. A UDP-based protocol enables communication between an AP and a controller. The UDP-based protocol encapsulates IP traffic from the AP and directs it to the controller. The controller decapsulates the packets and routes them to the appropriate destinations, while managing sessions and applying roles.

AP Model Firmware Support
Refer to the ExtremeWireless Hardware Firmware Support Matrix to easily determine the currently supported firmware version and the minimum firmware version for each ExtremeWireless access point.

Wireless Protocol Standards (802.11)
Most current wireless networks and end-user devices use the IEEE 802.11n wireless protocol standard. The 802.11n APs are backward-compatible with existing 802.11a/b/g networks and devices. The AP38xx and AP39xx series APs support the 802.11ac wireless protocol. The AP3705i delivers data rates up to 300 Mbps per radio; the AP37xx series APs except for the AP3705i deliver data rates up to 450 Mbps per radio. The AP38xx series APs deliver data rates up to 1.3 Gbps on Radio 1 (the 5 GHz radio) and 450 Mbps on Radio 2 (the 2.4 GHz radio). The AP39xx series supports an internal antenna array and active/active E/N data ports that deliver data rates up to 1.7 Gbps on Radio 1 and 600 Mbps on Radio 2. To configure an 802.11n/ac AP to achieve this high link rate, see Achieving High Throughput with 11n and 11ac Wireless APs on page 187.

Antennas
Some wireless AP models have built-in, internal antennas; some support external antennas. APs with internal antennas are certified as a complete unit. External antennas are individually certified for maximum transmitting power and determination of available channels in each country in which the AP is deployed. For a list of the external antennas that can be used with each AP model and how to install them, refer to the Installation Guide for each AP and to the ExtremeWireless External Antenna Site Preparation and Installation Guide. Wireless APs with external antenna ports must be configured to associate the external antenna connected to each antenna port. For more information, see Configuring Wireless AP Properties on page 156. The latest AP3915i/e and AP3917i/e models offer both Wi-Fi antennas and IoT antennas that are used to receive iBeacon signals from IoT devices.

AP Types (Features)
AP model types are differentiated by their feature design, particularly:
Indoor/Outdoor: APs are built for either indoor or outdoor service. Indoor APs are built for use in enclosed, protected areas (like inside buildings) where they are not exposed to harsh weather or temperature extremes. Indoor APs have optional mounting brackets for mounting the AP on walls or drop ceilings. Outdoor APs are built weather-hardened, with watertight fittings for cables and antennas, splash guards, and a greater resistance to temperature extremes (both cold and heat). Outdoor APs can extend your Wireless LAN to outdoor locations without Ethernet cabling. Mounting brackets are available to enable quick and easy mounting of the Outdoor APs to walls, rails, and poles.
Controller-based: Controller-based APs are intended to be controlled centrally by an ExtremeWireless Appliance. All AP and service configuration, bridging, and networking is done on the controller, with the AP acting as the remote access point relaying communications between the network (the controller) and end-user devices.
Cloud-enabled: Cloud-enabled APs are intended to be controlled by ExtremeCloud, an easy-to-use and scalable cloud-based management platform that supports and transforms with your business. Combined with enterprise-grade wired and wireless cloud-managed devices, ExtremeCloud delivers a scalable and highly available pay-as-you-go subscription solution.
IoT ready, smoke detector models: ExtremeWireless offers APs that are equipped with IoT antennas for receiving iBeacon signals from IoT devices. The controller collects and filters data based on configuration parameters, and forwards the data to an Application Server for reporting. The AP3915i/e and AP3917i/e are equipped with IoT antennas. Additionally, the indoor model (AP3915i/e) is equipped with a smoke detector. The AP3912 and AP3916 models are equipped with BLE radios that send iBeacon signals to IoT devices.
AP 3912 Wall Plate: 2x2 11ac AP that is installed replacing other existing Ethernet wall plates with one or two ports. One Ethernet port on the wall plate must be connected to the LAN1 uplink connection on the AP (black). This link provides AF or AT POE to the AP and uplink data connectivity to the network. The other Ethernet port on the wall plate can be connected to the pass-through port on the AP (blue), allowing connection options for wired devices like IP phones. The AP3912 is intended to take advantage of existing wired Ethernet outlets and a switch port. The AP3912 is installed over an existing wall plate, and it is connected to the existing cable / switch port. The AP offers an integrated BTLE/802.15.4 radio for connectivity to Internet of Things (IoT) sensors and devices. Enabled for ExtremeCloud support.
AP 3916ic (Integrated Camera): 2x2 11ac AP with an integral security camera (2MP camera with resolution up to 1080p) that lets you extend your Wireless LAN and provide simultaneous wireless service, BLE or 802.15.4 coverage, and security in public spaces, such as classrooms and offices. This fully featured access point can be mounted on the ceiling or wall. The integral ONVIF-compatible security camera is connected to an internal wired Ethernet port. The AP3916ic provides flow-based data handling for the wireless and wired connections. Enabled for ExtremeCloud support.
Threat Detection and Prevention Capability: As the potential for wireless security threats grows, APs must evolve to detect and counter hostile intrusion and attacks. The AP37xx, AP38xx, AP39xx and W78xC series of access points are designed to support Radar channel monitoring and are configurable for protection against detected attacks. The Radar and Mitigator functions are described in greater detail in Threat Detection and Prevention Features on page 105. Configuration of these functions on controllers is described in Working with ExtremeWireless Radar on page 563.
Other differentiating features in an AP product series are the number of internal or external antennas
(see Antennas on page 102) or the number of radios the AP has (see Radios on page 103). Radios All wireless APs are equipped with at least two radios Radio 1 and Radio 2:
- Radio 1 supports a 5 GHz radio band
- Radio 2 supports a 2.4 GHz radio band

Note: The following APs offer integrated BLE/802.15.4 radios: AP3912i, AP3915i/e, AP3916ic, AP3917i/e/k.

The AP39xx supports up to 1.7 Gbps on the 5 GHz radio and 600 Mbps on the 2.4 GHz radio using four spatial streams. The AP38xx and AP37xx series radios (except AP3705i) support up to 450 Mbps using three spatial streams. The radios are enabled or disabled through the Wireless Assistant. For more information, see Modifying 11n and 11ac Wireless AP Radio Properties on page 178.

The Unlicensed National Information Infrastructure (U-NII) bands all lie within the 5 GHz band, designed for short-range, high-speed, wireless networking communication. 802.11n APs support the full range of frequencies available in the 5 GHz band:

- 5150 to 5250 MHz: U-NII Low band
- 5250 to 5350 MHz: U-NII Middle Band
- 5470 to 5700 MHz: U-NII Worldwide
- 5725 to 5825 MHz: U-NII High Band

Note: 802.11n-compliant wireless APs can achieve link rates of up to 300 Mbps. You can configure the controller for this higher level link rate. For more information, see Achieving High Throughput with 11n and 11ac Wireless APs on page 187.

AP3916ic (Integrated Camera)

The AP3916ic is an 11ac Wave 2 AP with an integral security camera that lets you extend your Wireless LAN and provide simultaneous wireless service, BLE or 802.15.4 coverage and security in public spaces, such as classrooms and offices. The AP3916 can be mounted on the ceiling, wall or in a junction/gang box. The integral ONVIF compatible security camera is connected to an internal wired Ethernet port, and the AP provides policy enforcement control for the wireless and wired connections.

The AP3916ic has the following specifications:

- Integrated 2MP camera with resolution up to 1080p, with manual view adjustment.
- Radios: Two concurrent Wi-Fi radios (2.4 GHz and 5 GHz) and one additional radio that can operate as Bluetooth or 802.15.4.
- Antennas: Four internal single band Wi-Fi antennas and one internal antenna for Bluetooth (BLE) or 802.15.4.
- LEDs: Six
- 802.3af compliant for full functionality. Optional AC adapter.
- Supports the 802.11ac and 802.11n wireless standards, with full backward compatibility with legacy 802.11abg.
- 10/100/1000 Mbps operation.
- Adjustable mounting bracket (included) for drop-ceiling T-bar rail. Optional mounts can be purchased separately for junction/gang box, indoor wall and solid ceiling installation.
- Enabled for ExtremeCloud support.

ExtremeWireless support for the AP3916ic:

- Camera is powered by the AP3916i PoE power supply.
- Camera port (CAM) can be assigned through policy to B@AP or B@AC virtual network service topologies. Default and specific assignment is supported.
- You can use policy definition and assignment to provide network segmentation for network access and camera (CAM) functions.
- Filter the appliance client list to obtain a list of cameras under the appliance management. The AP3916ic's camera function is identified as the "EXTR2MP-CAM" device type.
- The controller provides factory reset and restart functions for the camera.

Related Links
AP3916ic Integrated Camera Deployment on page 226
AP3916ic-Camera Web User Interface on page 227
Upgrading the Camera Image Manually on page 237

Threat Detection and Prevention Features

ExtremeWireless Appliances and the wireless APs they manage provide Wireless Intrusion Detection Services (WIDS) and Wireless Intrusion Prevention Services (WIPS) to detect, report, and protect against potential wireless network attacks and threats such as rogue APs, AP spoofing, honeypot APs, password cracking, man-in-the-middle, denial of service (DoS), and others. The latest generation of controllers and the APs (AP39xx, AP38xx, AP37xx and W78xC series) implement the Radar feature and its major functions:

- Scanning channels for threat identification
- Analyzing and detecting a wide range of wireless security threats
- Taking active countermeasures (if configured to do so) against identified threats
- Validating WLAN (Wireless Local Area Network) Service configuration to protect against security weakness
- Generating threat event reports and forwarding them to Extreme Management Center

All APs can simultaneously perform channel bridging and scan (monitor) the channels they are bridging. These APs can also be configured (on their controller) to perform countermeasures against detected threats. Radar threat detection scanning of channels on the APs is configured on In-Service Scan Profiles.

You can configure APs to operate as full-time Radar agents by adding them to a Guardian Scan Profile. When operating in this mode, they are referred to as "Guardians." Once assigned to the Guardian Scan Profile, the APs stop forwarding traffic on both radios and devote all of their resources to threat detection and countermeasures. Any AP added to a Guardian Scan Profile is done so in its entirety. Therefore, it is not possible to dedicate one radio to scanning, and the other to forwarding. Guardian APs can scan on multiple channels, which you can configure from the Scan Profile Detection Settings user interface. The AP cannot scan or transmit on channels that are prohibited by the regulations of the countries in which it is deployed.

Related Links
Guardian Scan Profile Detection Settings on page 578
Working with ExtremeWireless Radar on page 563

802.11n- and 802.11ac-Compliant Access Point Features

All 802.11n-compatible APs have the following features:
MIMO

Wireless APs use MIMO (multiple input, multiple output), a technology that uses advanced signal processing with multiple antennas to improve throughput. MIMO takes advantage of multipath propagation to decrease packet retries and improve the fidelity of the wireless network. MIMO increases throughput by using multiple streams.

MIMO radios send out one, two or three radio signals through each antenna. Each signal is called a spatial stream. The antennas on the AP are deliberately spaced so that each spatial stream follows a slightly different path to the client device. Two spatial streams get multiplied into several streams as they bounce off obstructions in the vicinity. This phenomenon is called multipath. As the streams are bounced from different surfaces, they follow different paths to the client device. The client device also has multiple antennas. Each of the antennas independently decodes the arriving signal. Then the decoded signal from each antenna combines with the decoded signals from the other antennas. A software algorithm uses this redundancy to extract one or two spatial streams and enhances the signal to noise ratio of the streams.

The client device also sends out one or two spatial streams through its multiple antennas. These spatial streams get multiplied into several streams as they bounce off the obstructions in the vicinity en route to the AP. MIMO receivers receive these multiple streams with three antennas. Each of the three antennas independently decodes the arriving signal. Then the decoded signal of each antenna is combined with the decoded signals from the other antennas. The receiving AP's MIMO receiver also uses redundancy to extract one or two spatial streams and enhances the streams' signal to noise ratio.

Operating with multiple antennas, an AP with MIMO is capable of picking up even the weakest signals from the client devices.

Figure 11: MIMO in Wireless APs

The AP39xx models offer Multi-User MIMO, which enables Wave2 APs to communicate with multiple Wave2 clients concurrently, in the downstream direction. Up to 3 MU-MIMO conversations can run concurrently.

Channel Bonding

In addition to MIMO technology, the 802.11n-compliant APs have additional radio features that increase the effective throughput of the wireless LAN. Second-generation wireless APs use radio channels that are 20 MHz wide. The channels must be spaced at 20 MHz to avoid interference. The radios of 802.11n-compliant wireless APs can use two channels at the same time to create a 40-MHz-wide channel. The 802.11ac radio of the AP38xx and AP39xx series can use four channels at the same time to create an 80-MHz-wide channel. By using multiple 20-MHz channels in this manner, the wireless AP achieves more than double the throughput. The 40-MHz and 80-MHz channels in 802.11n and 802.11ac are adjacent 20-MHz channels, bonded together. This technique of using multiple channels at the same time is called channel bonding.

Shortened Guard Interval

The purpose of the guard interval is to introduce immunity to propagation delays, echoes and reflections of symbols in orthogonal frequency division multiplexing (OFDM), a method by which information is transmitted via a radio signal in APs. In OFDM, the beginning of each symbol is preceded by a guard interval. As long as the echoes fall within this interval, they do not affect the safe decoding of the actual data, as data is interpreted only outside the guard interval. Longer guard periods reduce the channel efficiency. 802.11n-compliant APs provide reduced guard periods, thereby increasing the throughput.

MAC Enhancements

802.11n-compliant APs also have an improved MAC layer protocol that reduces overhead (in the MAC layer protocol) and contention losses, resulting in increased throughput.

Related Links
Licensing Considerations on page 108

Wireless AP International Licensing

A wireless AP must be configured to operate on the appropriate radio band in accordance with the regulations of the country in which it is being used. For more information, see Regulatory Information on page 705. To configure the appropriate radio band according to the country of operation, use the controller. For more information, see Configuring Wireless AP Properties on page 156.

Licensing Considerations

With ExtremeWireless v10.01 and later, each controller is licensed in a specific domain. The domain licenses include:

- FCC
- ROW
- MNT
- EGY

The user interface reflects the domain of the controller. The following are use cases for each domain:

- A wireless appliance with an FCC license can manage access points deployed in the United States, Puerto Rico, or Colombia.
- A wireless appliance with a ROW license can manage access points deployed in any country except the United States, Puerto Rico, Egypt, or Colombia.
- A wireless appliance with an EGY license will continue to require ROW hardware, but the license will restrict country selection to Egypt only. A wireless controller with an EGY license can manage access points deployed in Egypt. Note: If upgrading from v10.21 with an EGY license, call customer support for assistance.
- A wireless appliance with a MNT license can manage only domain-locked access points, which are the AP39xx-FCC, AP39xx-ROW, and the AP3805i-FCC, AP3805i-ROW only. The FCC models must be deployed in the United States, Puerto Rico, or Colombia. The ROW models must be deployed in any country except the United States, Puerto Rico, or Colombia. Note: The AP37xx and AP38xx will NOT be able to connect to a controller licensed in the MNT domain.

First-time Configuration Guidelines

Wireless AP Default IP Address

Wireless APs are shipped from the factory with a default IP address of 192.168.1.20. The default IP address simplifies the first-time IP address configuration process for APs. If an AP fails in its discovery process, it returns to its default IP address. This AP behavior ensures that only one AP at a time can use the default IP address on a subnet. For more information, see Discovery and Registration on page 120.

Wireless APs can acquire their IP addresses by one of two methods:
- DHCP assignment: When an AP is powered on, it attempts to reach the DHCP (Dynamic Host Configuration Protocol) server on the network to acquire an IP address. If successful, the DHCP server assigns an IP address to the AP. If the DHCP assignment is not successful in the first 60 seconds, the AP returns to its default IP address. After 30 seconds in the default IP address mode, it attempts again to acquire an IP address from the DHCP server. The process repeats until the DHCP assignment is successful, or until an administrator assigns the AP an IP address using static configuration. DHCP assignment is the default method for AP configuration. DHCP assignment is part of the discovery process. For more information, see Discovery and Registration on page 120.
- Static configuration: Use the static configuration option to assign a static IP address to a wireless AP. For more information, see the following section. You can establish an SSH session with an AP during the 30-second time window when the AP returns to its default IP address mode. If a static IP address is assigned during this period, reboot the AP for the configuration to take effect. For more information, see Assigning a Static IP Address to a Wireless AP on page 110.

Assigning a Static IP Address to a Wireless AP

Depending upon the network condition, you can assign a static IP address to a wireless AP using the Wireless Assistant (the controller's GUI). Refer to Setting Up the Wireless AP Using Static Configuration on page 199 for more information.

Configuring Wireless APs for the First Time

Before configuring an AP for the first time, confirm that the following tasks have already been performed:

- The ExtremeWireless Appliance has been installed and connected to the network. For more information, see Configuring the ExtremeWireless Appliance on page 31.
- The ExtremeWireless Appliance has been configured. For more information, see Configuring the ExtremeWireless Appliance on page 31.
- The wireless APs have been installed. For installation information, refer to the respective AP Installation Guide.

Once the APs are installed, continue with the AP initial configuration:

1 Define parameters for the discovery process. For more information, see Wireless AP Registration on page 123.
2 Connect the AP to a power source to initiate the discovery and registration process. For installation information, refer to the respective AP Installation Guide.

General Configuration Methods

This section describes the methods you can use to modify the properties of APs in your network.

Modifying the Properties of Wireless APs Based on a Default AP Configuration

To reset the AP to the default configuration, select AP Properties > Reset To Defaults.

Caution: If you reset an AP to defaults, its Search List is deleted, regardless of the settings in Common Configuration.

To configure a wireless AP with the system default AP settings:

1 From the top menu, click AP and select the AP to modify.
2 Click Reset to Defaults and click OK to confirm your changes.

Modifying the Default Setting of Wireless APs Using the Copy to Defaults Feature

The Copy to Defaults feature allows the properties of an already configured AP to become the system's default AP settings. To modify the system default AP settings based on an already configured AP:
1 From the main menu, click AP and select the AP whose properties you want to use as the default. You can modify the properties here if necessary.
2 Click Copy to Defaults and click OK to confirm your changes.

AP Multi-Edit Properties

When you use the Multi-edit function, only options that are explicitly modified are changed by the update. The APs shown in the Wireless APs list are supported by various versions of software. Only attributes that are common between software versions are available for multi-edit. Setting an attribute that does not apply to an AP does not cause an abort of the multi-edit operation.

Table 10: Multi-Edit AP Properties (Field: Description)

AP Properties

Location: Define the location of the AP. When a client roams to an AP with a different location, Area Notification is triggered. The Area Notification feature is designed to track client locations within pre-defined areas using either the Location Engine (for more information, see Configuring the Location Engine on page 609) or the AP Location field. When the clients change areas, a notification is sent. Location functionality on the AP is useful when access to Extreme Management Center OneView is not available.

Zone: Zone allows the RADIUS client to send the AP Zone name as the BSSID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers. The Zone name is limited to 32 bytes. Each AP can have its own Zone label, although it is often useful to assign the same Zone to multiple APs. It can be easier to base authorization decisions on the zone label rather than on the BSSID.

Poll Timeout: Type the timeout value, in seconds. The AP uses this value to trigger re-establishing the link with the Controller if the AP does not get an answer to its polling. The default value is 10 seconds. Note: If you are configuring session availability, the Poll Timeout value should be 1.5 to 2 times the Detect link failure value on the AP Properties screen. For more information, see Session Availability on page 545.

Secure Tunnel: This feature, when enabled, provides encryption, authentication, and key management between the AP and/or controllers. Select the desired Secure Tunnel mode from the drop-down list:
- Disabled: Secure Tunnel is turned off and no traffic is encrypted. All SFTP/SSH/TFTP traffic works normally.
- Encrypt control traffic between AP & Controller: An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control traffic is encrypted. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
- Encrypt control and data traffic between AP & Controller: This mode only benefits routed/bridged@Controller Topologies. An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured. Note: This option is not available for AP3805 models.
- Debug mode: An IPSEC tunnel is established from the AP to the controller, no traffic is encrypted, and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
Note: Changing a Secure Tunnel mode will automatically disconnect and reconnect the AP.

Secure Tunnel Lifetime (hours): Enter an interval (in hours) at which the keys of the IPSEC tunnel are renegotiated. Note: Changing the Secure Tunnel Lifetime setting will not cause any AP disruption.

Remote Access: Determines if the AP can be accessed remotely.

Location-based Service: Enable or disable third-party location based services on this AP. ExtremeWireless supports the following third-party services: AeroScout, Ekahau, Centrak.

Maintain client session in event of poll failure: Determines if the AP remains active when a link loss with the controller occurs. Select this option when using a bridged at AP VNS. This option is enabled by default.

Restart service in the absence of controller: Determines if the AP's radios continue providing service when the AP's connection to the controller is lost. Select this option when using a bridged at AP VNS. When this option is enabled, the AP starts a bridged at AP VNS in the absence of a controller.

Use broadcast for disassociation: Determines if the AP uses broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This setting affects the behavior of the AP when the AP is preparing to reboot or preparing to enter one of the special modes (DRM initial channel selection), and when a BSSID is deactivated or removed on the AP. This option is disabled by default.

LLDP: Determines if the AP broadcasts LLDP (Link Layer Discovery Protocol) information. This option is disabled by default. If SNMP (Simple Network Management Protocol) is enabled on the controller and you enable LLDP, the LLDP Confirmation dialog is displayed. Select one of the following:
- Proceed (not recommended): Select this option to enable LLDP and keep SNMP running.
- Disable SNMP publishing, and proceed: Select this option to enable LLDP and disable SNMP. For more information on enabling SNMP, see the ExtremeWireless Maintenance Guide.

Multicast prioritized as voice: Ensures that multicast data has the highest priority in the wireless network. Prioritizes multicast data to the level of voice data. This setting must be enabled when deploying healthcare patient monitoring devices.

IP Multicast Assembly: Determines if IP Multicast Assembly runs on the wireless AP. If enabled, IP Multicast Assembly joins together fragmented multicast data packets that are too large to fit the MTU size of the tunnel header. This feature is disabled by default.

Country: Indicates the country of operation.

Antennas: The antenna you select determines the available channel list and the maximum transmitting power for the country in which the AP is deployed. The Professional Install option is only available for AP models with external antennas. The fields and corresponding antenna value options that appear on the Professional Install dialog depend on the selected AP and the antenna models that are available. Select an antenna for each available port. By default, the two antennas must be identical. However, you have the option to select No Antenna for the second antenna port. The AP3915e and AP3917e access point models offer an external IoT antenna. Select the antenna model from the drop-down field. Choose the desired attenuation for each radio from the drop-down list. The selectable range is from 0 to 30 dBi.

Balanced Channel List Power: Simplify power settings so that settings function across all channels in the channel plan.

LED: Select the desired LED pattern from the drop-down list. Options include: Off, WDS Signal Strength, Identify, and Normal.

Radio Settings

Admin Mode: Determines the radio mode. Select On to enable the radio. Select Off to disable the radio.

Radio Mode: Select the radio mode based on the type of AP. Available radio settings are dependent on the selected radio mode.

Channel Width: Determines the channel width for the radio. Valid values are:
- 20 MHz: Allows 802.11n clients to use the primary channel (20 MHz) and non-802.11n clients, beacons, and multicasts to use the 802.11b/g radio protocols.
- 40 MHz: Allows 802.11n clients that support the 40 MHz frequency to use 40 MHz, 20 MHz, or the 802.11b/g radio protocols. 802.11n clients that do not support the 40 MHz frequency can use 20 MHz or the 802.11b/g radio protocols, and non-802.11n clients, beacons, and multicasts use the 802.11b/g radio protocols.
- 80 MHz: Allows 802.11ac clients to use the 80 MHz frequency. Applies to AP38xx and AP39xx Radio 1 only.
- Auto: Automatically switches between 20 MHz, 40 MHz, and 80 MHz channel widths, depending on how busy the extension channels are.

Beacon Period: Defines the time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.

DTIM: Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5.

RTS/CTS (Bytes): Determines the maximum packet size, in bytes, that triggers a RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346 (the maximum 802.11 frame size), which means all packets are sent without RTS/CTS. If the transmitted packet size is greater than the threshold value, the RTS/CTS handshake occurs. Otherwise, the data frame is sent immediately. Reduce this value only if necessary. Note: In order for RTS/CTS to take effect, the RTS threshold must be less than or equal to the Frag threshold.

Frag Threshold (Bytes): Determines the maximum packet size, in bytes, that triggers packet fragmentation. The default value is 2346. At 2346, all packets are sent unfragmented. Any value above the frag threshold triggers packet fragmentation by the AP prior to transmission.

RF Domain: Defines a group of APs that cooperate in managing RF channels and transmission power levels. The maximum string length is 16 characters.

Channel: Select Auto to use Automatic Channel Selection. For more information, see Dynamic Radio Management (DRM) on page 174.

Auto Tx Power Control: Determines if the AP automatically adapts transmission power signals according to the coverage provided by the AP. After a period of time, the system stabilizes itself based on the RF coverage of your wireless APs. When enabled, the Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm adjusts the AP power between the Max Tx and Min Tx settings. When disabled, the radio uses the Max Tx Power value or the largest value in the compliance table, whichever is smaller.

Max Tx Power: Determines the maximum power level used by the radio in dBm. The values are governed by compliance requirements based on the country, radio, and antenna selected, and vary by AP. Changing this value below the current Min Tx Power value will lower the Min Tx Power to a level lower than the selected Max Tx Power. If Auto Tx Power Ctrl (ATPC) is disabled, the radio uses the selected value or the largest value in the compliance table as the power level, whichever is smaller.

Min Tx Power: Determines the minimum power level for the radio. Use the lowest supported value in order not to limit the potential Tx power level range that can be used. If ATPC is enabled, select a Min Tx power level that is equal to or lower than the Max Tx power level. The Min Tx Power setting cannot be set higher than the Max Tx Power setting.

Auto Tx Ctrl Adjust: Determines if the AP automatically adapts transmission power signals according to the coverage provided by the AP. After a period of time, the system stabilizes itself based on the RF coverage of your wireless APs. When enabled, the Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm adjusts the AP power between the Max Tx and Min Tx settings. When disabled, the radio uses the Max Tx Power value or the largest value in the compliance table, whichever is smaller.

Channel Plan: If ACS is enabled, you can define a channel plan for the AP. Defining a channel plan allows you to control which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. For 5 GHz Radio nodes, click one of the following:
- All channels: ACS scans all channels for an operating channel and, when ACS is triggered, the optimal channel is selected from all available channels.
- All Non-DFS Channels: ACS scans all non-DFS channels for an operating channel. With ACS, the AP selects the best non-DFS channel.
- All channels including weather radar: ACS selects the best channel from the available channels list. The selected channel may be DFS, weather-radar DFS or non-DFS. Weather-radar channels are approved for selected AP models in selected countries. Consult the compliance information for the selected AP. The weather channel includes the 5600-5650 MHz sub-bands and requires a listening period before the AP can provide wireless service. During the listening period, the Current Channel field for DFS channels displays the value DFS Timeout, and the weather channel fields display DFS Timeout. In Europe, the listening period can be up to 10 minutes. In the U.S., this period is 1 minute.
- Custom: To configure individual channels from which the ACS selects an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the CTRL key. Click OK to save the configuration.
For 2.4 GHz Radio nodes, click one of the following:
- 3 Channel Plan: ACS scans the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in the rest of the world.
- 4 Channel Plan: ACS scans the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world.
- Auto: ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world.
- Custom: If you want to configure individual channels from which the ACS selects an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.

Dynamic Channel Selection: Determines behavior when traffic or noise levels exceed the configured DCS thresholds. Valid values are:
- Monitor Mode: An alarm is triggered and an information log is generated.
- Active Mode: An alarm is triggered, an information log is generated, the AP stops operating on the current channel, and ACS automatically selects an alternate channel for the AP to operate on.

DCS Noise Threshold: Defines the noise interference limit, measured in dBm. If the noise interference exceeds this threshold, ACS scans for a new operating channel for the AP.

DCS Channel Occupancy Threshold: Defines the channel utilization level, measured as a percentage. If the threshold is exceeded, ACS scans for a new operating channel for the AP.

DCS Update Period (Minutes): Defines a period of time, in minutes, over which the average values for DCS Noise and Channel Occupancy are measured. If the average value for either setting exceeds the defined threshold for that setting, then the AP triggers Automatic Channel Scan (ACS).

Dynamic Channel Selection (DCS) events: Indicates items that can affect DCS (Dynamic Channel Selection). Enable one or more events if they are part of the wireless network:
- Bluetooth
- Microwave
- Cordless Phone
- Constant Wave
- Video Bridge

Interference Wait Time: Length of the delay (in seconds) before logging an alarm. The default setting is 10 seconds.

Preamble: Select a preamble type for 11b-specific (CCK) rates: Short, or Long. Click Short if you are sure that there are no 11b APs or clients in the vicinity of this AP. Click Long if compatibility with 11b clients is required.

Protection Mode: When data collides on a given channel, CTS (clear to send) protection determines which device transmits at a given time.
- Auto: The default and recommended setting.
- None: Select if 11b APs and clients are not expected.
- Always: Select if you expect many 11b-only clients.

Protection Rate: A CTS (Clear to Send) packet is always sent out at the MBR (Minimum Basic Rate) configured for the radio. Protection is used when the sending rate (to the client) is greater than the configured protection rate. For example, if the protection rate is 11 Mbps it means that 802.11 protection is used.

Probe Suppression

Min Basic Rate

Force Disassociate

Protection Type: Select a protection type:
CTS (Clear to Send) Only. RTS (Request to Send) and CTS. Recommended when a 40 MHz or 80 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. Denes the minimum data rate that must be supported by all stations in a BSS (Base Station Subsystem):
Select 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes. Select 6, 12, or 24 Mbps for 11g-only mode. Select 6, 12, or 24 Mbps for 11a mode. Used to remedy "sticky clients", that is clients that do not probe on other channels and remain associated to an AP when a better AP is available. Congure per radio (Enable/Disable and Threshold). Applies to AP37xx, AP38xx, and AP39xx series APs. Probe Suppression accomplishes the following:
RSS threshold (Adjustable Cell Size) Reduces the number of Probe Responses. Prevents clients with RSS below the threshold from associating. Field is available when Probe Suppression is enabled. This setting does the following:
Disassociates Sticky Clients Occurs 5dBm below the suppression threshold. Prevents clients from re-associating to the AP. Encourages/Forces roaming to a better AP. Congure per radio (Enable/Disable). raft Denes the maximum percentage of time that the AP transmits non-
unicast packets (broadcast and multicast traffic) for each congured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by each packet and drops all packets that exceed the congured maximum percentage. Restrict non-unicast traffic, to limit the impact of broadcasts and multicasts on overall system performance. 90 (Range of -50 to -100). Field is available when Probe Suppression is enabled. RSS Threshold (dBm) Max % of non-unicast traffic per Beacon period Optimized Multicast for power save Adaptable rate for Multicast Enables several performance enhancements applicable to clients in power save mode. One of these enhancements converts multicast to unicast for power save clients when the ratio of active to power save clients is sufficiently large. Determines if the AP tracks the lowest unicast transmission speed of any station currently associated to the AP. Multicast frames are then forwarded at that speed or at the Minimum Basic Rate, whichever is higher. ExtremeWireless V10.41.06 User Guide 118 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description Multicast to Unicast delivery Determines if multicast packets are replaced by one unicast packet per destination station. Each unicast packet is transmitted at the highest speed the destination station will accept. Note: It is possible that some client devices will not handle frames properly when the L2 MAC is unicast and the L3 IP address is multicast in which case the "Multicast to Unicast Delivery" option should be disabled. Note: The AP converts a multicast frame to unicast frames only when it determines that it is more efficient to do so. With the exception of Optimized Multicast for power save these options can be enabled at any time without service disruption. Guard Interval 11n Radio Settings D Ensures that individual transmissions do not interfere with one another. It is the space between the symbols being transmitted. 
Selecting Short increases throughput, but can increase interference. Selecting Long can increase overhead due to additional idle time. The wireless 802.11n AP provides a shorter guard interval, which increases channel throughput. Long guard periods reduce channel efficiency. When data collides on a given channel, CTS (clear to send) protection determines which device transmits at a given time. Auto. The default and recommended setting. None. Select if 11b APs and clients are not expected. Always. Select if you expect many 11b-only clients. raft Select a protection type:
CTS (Clear to Send) Only. RTS (Request to Send) and CTS. Recommended when a 40 MHz or CTS Only or RTS CTS, when a 40 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. 80 MHz channel is used. This protects high throughput transmissions on extension channels from interference from non-11n APs and clients. Determines MAC Service Data Unit (MSDU) aggregation. Enable to increase the maximum frame transmission size. Determines MAC Protocol Data Unit (MPDU) aggregation. Enable to increase the maximum frame transmission size, providing a signicant improvement in throughput. Protection Mode Protection Type Extension Channel Busy Threshold Aggregate MSDUs Aggregate MPDUs Aggregate MPDU Max Length Agg. MPDU Max # of Sub-frames Denes the maximum length of the MAC Protocol Data Unit (MPDU) aggregation. Valid values range from 1024-65535 bytes. For the 802.11ac radio (Radio 1 of the AP38xx), the range is 1024-1048575. Determines the maximum number of sub frames in the aggregate MAC Protocol Data Unit (MPDU). Valid value range is 2-64. The default value and recommended value is 64. Setting this value to 64 results in less overhead and higher throughput. ExtremeWireless V10.41.06 User Guide 119 Conguring the ExtremeWireless APs Table 10: Multi-Edit AP Properties (continued) FField Description ADDBA Support LDPC STBC TXBF Block acknowledgement. Provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enable. Increases the reliability of the transmission resulting in a 2dB increased performance compared to traditional 11n coding. Space Time Block Coding. A simple open loop transmit diversity scheme. When enabled, STBC conguration is 2x1 (two spatial streams combined into one spatial stream). TXBF overrides STBC if both are enabled for single stream rates. 
Tx Beam Forming is a technique of re-aligning the transmitter multipath spatial streams phases in order to get better signal-to-noise ratio on the receiver side. For the AP37xx and AP38xx models, valid values are Enabled or Disabled. For the 39xx APs, this setting is only available on Radio1. The valid values are: MU_MIMO and Disabled. D Static Conguration EWC Search List Tunnel MTU WLAN Assignments WLAN Assignment Option Denes the list of IP addresses that the AP is congured to try to connect to in the event that the current connection to the controller is lost. Maximum transmission unit. Determines the largest packet size than can be transmitted by an IP interface without the packet needing to be broken down into smaller units. raft Determines action on the WLAN assignment list associated with one or more APs. Valid values are Clear WLAN List or Recongure WLAN List. Warning Only use power supplies that are recommended by Extreme Networks. When a wireless AP is powered on, it automatically begins a discovery process to determine its own IP address and the IP address of the controller. When the discovery process is successful, the AP registers with the controller. For more information, see Figure 12. Discovery and Registration ExtremeWireless V10.41.06 User Guide 120 Conguring the ExtremeWireless APs ft Figure 12: Wireless AP Discovery Process Wireless AP Discovery Wireless APs discover the IP address of a controller using a sequence of mechanisms that allow for the possible services available on the enterprise network. The discovery process is successful when the AP successfully locates a controller to which it can register. ExtremeWireless V10.41.06 User Guide 1121 Conguring the ExtremeWireless APs Ensure that the appropriate services on your enterprise network are prepared to support the discovery process. The following steps are used to nd a known controller:
1 Use the predefined static IP addresses for the controllers on the network (if configured). You can specify a list of static IP addresses of the controllers on your network. On the Static Configuration tab, add the addresses to the Wireless Controller Search List.

Caution: Wireless APs configured with a static Wireless Controller Search List can connect only to controllers in the list. Improperly configured APs cannot connect to a non-existent controller address, and therefore cannot receive a corrected configuration.

2 Use the IP address of the controller to which the AP last connected successfully. Once an AP has successfully registered with a controller, it recalls that controller's IP address, and uses that address on subsequent reboots. The AP bypasses discovery and goes straight to registration.

If a known controller cannot be located, the following discovery process steps should be followed:

3 Use DHCP Option 60 to query the DHCP server for available controllers. The DHCP server responds to the AP with Option 43, which lists the available controllers. For the DHCP server to respond to an Option 60 request from an AP, configure the DHCP server with the vendor class identifier (VCI) for each AP. Also, configure the DHCP server with the IP addresses of the controllers. For more information, refer to the Getting Started Guide.

4 Use a Domain Name Server (DNS) lookup for the host name Controller.domain-name. If you use this method for discovery, place an A record in the DNS server for Controller.<domain-name>. The <domain-name> is optional, but if used, ensure it is listed with the DHCP server. The AP tries the DNS server, if it is configured, in parallel with SLP unicast and SLP multicast.

5 Use a multicast SLP request to find SLP SAs. The AP sends a multicast SLP request, looking for any SLP Service Agents providing the Extreme Networks service. The AP tries SLP multicast in parallel with other discovery methods.

6 Use DHCP Option 78 to locate a Service Location Protocol (SLP) Directory Agent (DA), followed by a unicast SLP request to the Directory Agent. To use the DHCP and unicast SLP discovery method, ensure that the DHCP server on your network supports Option 78 (DHCP for SLP, RFC2610). The APs use this method to discover the controller. This solution takes advantage of two services that are present on most networks:

DHCP: The standard means of providing IP addresses dynamically to devices on a network.

SLP: A means of allowing client applications to discover network services without knowing their location beforehand. Devices advertise their services using a Service Agent (SA). In larger installations, a Directory Agent (DA) collects information from SAs and creates a central repository (SLP, RFC2608).

The controller contains an SLP SA that, when started, queries the DHCP server for Option 78 and, if found, registers itself with the DA as service type Extreme Networks. The controller contains a DA (SLPD). The AP queries DHCP servers for Option 78 to locate any DAs. The SLP User Agent for the AP then queries the DAs for a list of Extreme Networks SAs. Option 78 must be set for the subnets connected to the ports of the controller and the subnets connected to the APs. These subnets must contain an identical list of DA IP addresses.

Wireless AP Registration

To define the discovery process parameters:
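The Option 78 requirement above (identical DA lists on the controller-port subnets and the AP subnets) is easy to get wrong across several DHCP scopes. The following is an added example, not code from Extreme Networks or this guide: it encodes and decodes the Option 78 value as laid out in RFC 2610 (one mandatory flag byte followed by IPv4 DA addresses) and reports scopes whose DA list is malformed or differs from the others. The subnet names and addresses are constructed sample data.

```python
"""DHCP Option 78 (SLP Directory Agent, RFC 2610) encoder, decoder and
cross-scope consistency check.

Added example for the SLP discovery step in this guide; it is not Extreme
Networks code. Per RFC 2610, the Option 78 value is one 'mandatory' byte
(0 or 1) followed by zero or more IPv4 addresses in network byte order.
"""
import ipaddress

OPTION_SLP_DA = 78  # DHCP option code for SLP Directory Agent (RFC 2610)


def encode_option78(da_addresses, mandatory=False):
    """Build the raw option value for the given DA addresses."""
    body = bytes([1 if mandatory else 0])
    for addr in da_addresses:
        body += ipaddress.IPv4Address(addr).packed
    return body


def decode_option78(value):
    """Parse a raw option value into (mandatory_flag, [dotted addresses]).

    Raises ValueError on an empty value, a flag byte other than 0/1, or an
    address payload that is not a whole number of 4-byte IPv4 addresses.
    """
    if len(value) < 1:
        raise ValueError("Option 78 value is empty")
    flag = value[0]
    if flag not in (0, 1):
        raise ValueError(f"mandatory byte must be 0 or 1, got {flag}")
    payload = value[1:]
    if len(payload) % 4 != 0:
        raise ValueError("address list is not a multiple of 4 bytes")
    addrs = [str(ipaddress.IPv4Address(payload[i:i + 4]))
             for i in range(0, len(payload), 4)]
    return bool(flag), addrs


def check_da_lists(scope_options):
    """Compare Option 78 across DHCP scopes.

    scope_options maps a scope label (e.g. the subnet) to the raw Option 78
    bytes handed out on that scope. Returns a list of findings; an empty
    list means every scope carries the same, well-formed DA list. The first
    well-formed scope is used as the reference.
    """
    findings = []
    decoded = {}
    for scope, raw in scope_options.items():
        try:
            decoded[scope] = decode_option78(raw)
        except ValueError as exc:
            findings.append(f"{scope}: malformed Option 78 ({exc})")

    reference = None
    for scope, (_mandatory, addrs) in decoded.items():
        if not addrs:
            findings.append(f"{scope}: Option 78 carries no DA addresses")
        if reference is None:
            reference = (scope, sorted(addrs))
            continue
        if sorted(addrs) != reference[1]:
            findings.append(
                f"{scope}: DA list {sorted(addrs)} differs from "
                f"{reference[0]} {reference[1]}")
    return findings


# Constructed sample scopes (hypothetical addressing, not from the guide).
DA_LIST = ["10.0.1.10", "10.0.1.11"]
SAMPLE_SCOPES = {
    "controller ports 10.0.1.0/24": encode_option78(DA_LIST),
    "AP subnet 10.0.20.0/24": encode_option78(reversed(DA_LIST)),  # same set
    "AP subnet 10.0.30.0/24": encode_option78(["10.0.1.10"]),       # missing a DA
    "AP subnet 10.0.40.0/24": b"\x02" + b"\x0a\x00\x01\x0a",         # bad flag
}


def run_sample_check():
    """Run the consistency check over the constructed scopes."""
    return check_da_lists(SAMPLE_SCOPES)


if __name__ == "__main__":
    for line in run_sample_check():
        print(line)
```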
1 From the top menu, click AP.

2 In the left pane, click Global > Registration. The following screen appears:

3 Configure the following parameters:

Security Mode: The Allow all Wireless APs to connect option is selected by default. The other option is Allow only approved Wireless APs to connect. For more information, see Security Mode on page 124.

Discovery Timers: The discovery timer parameters (Number of retries, Delay between retries) dictate the number of retry attempts and the time delay between each attempt. The number of retries is limited to 255 for the discovery. The default number of retries is 3, and the default delay between retries is 3 seconds.

SSH Access: Set up a Secure Shell password (Password, Confirm Password). Click Unmask to display the password as you type.

Secure Cluster: Cluster Shared Secret. A common, default cluster ID. Click Unmask to display the shared secret value. Check Use Cluster Encryption. If you disable cluster encryption, the AP cannot participate in the cluster.

4 Click View SLP Registration to confirm SLP Registration. A screen appears displaying the results of the diagnostic slpdump tool.

5 From the Wireless AP Registration screen, click Save to save your changes.

Once the discovery parameters are defined, you can connect the AP to a power source. For instructions on connecting and powering an AP, refer to the Installation Guide for the specific AP.

If the controller does not recognize the registering serial number, a new registration record is automatically created for the AP (if within the MDL license limit). The AP receives a default configuration. The default configuration can be the default template assignment. If the controller recognizes the serial number, it indicates that the registering device is pre-registered with the controller. The controller uses the existing registration record to authenticate the AP and the existing configuration record to configure the AP.

Security Mode

Security mode defines how the controller behaves when registering new, unknown devices. During the registration process, the controller's approval of the AP's serial number depends on the security mode that has been set:

Allow all APs to connect

Allow only approved APs to connect (this is also known as secure mode): If the controller does not recognize the AP, the AP's registration record is created in pending state (if within MDL limits). The administrator is required to manually approve a pending AP for it to provide active service. The pending AP receives minimum configuration only, which allows it to maintain an active link with the controller for a future state change. The AP's radios are not configured or enabled. Pending APs are not eligible for configuration operations (VNS Assignment, default template, Radio parameters) until approved. If the controller recognizes the serial number, the controller uses the existing registration record to authenticate the AP. Following successful authentication, the AP is configured according to its stored configuration record.

During the initial setup of the network, Extreme Networks recommends that you select the Allow all Wireless APs to connect option. This option is the most efficient way to get a large number of APs registered with the controller. Once the initial setup is complete, Extreme Networks recommends that you reset the security mode to the Allow only approved Wireless APs to connect option. This option ensures that no unapproved APs are allowed to connect. For more information, see Configuring Wireless AP Properties on page 156.

Registration After Discovery

Any of the discovery steps 2 through 6 can inform the AP of a list of multiple IP addresses to which the AP may attempt to connect. Once the AP has discovered these addresses, it sends out connection requests to each of them. These requests are sent simultaneously. The AP attempts to register only with the first controller that responds to its request.

When the AP obtains the IP address of the controller, it connects and registers, sending its serial number identifier to the controller, and receiving from the controller a port IP address and binding key.

Once the AP is registered with a controller, configure the AP. After the AP is registered and configured, you can assign it to one or more Virtual Network Services (VNS) to handle wireless traffic. The AP is registered in either Secure mode or Un-secure mode. For new APs, that option is set in the AP Default Settings dialog.

Viewing a List of All APs

To view a list of all APs:
1 From the top menu, click AP.

2 At the top of the screen, enter search criteria and click the search button. You can search for any part of the AP string, in any column of the AP list. APs that match the search criteria are displayed in the list. Select one or more APs and apply actions to the selected APs.

3 To take action on one or more APs, select the check box for the AP and select an action from the Actions button. For more information, see AP Actions on page 128.

4 To view AP properties, click the AP row (not the check box). AP details are displayed.

5 Click Configure to display AP properties. For more information, see AP Properties Tab Configuration on page 159.

6 To add a new AP to the list, click New > Create. For more information, see New Button -- Adding and Registering a Wireless AP on page 131.

7 To add a new AP as a clone of an existing AP, click New > Clone. For more information, see Creating a Clone AP on page 133.

Related Links
AP Search Facility on page 127
Understanding AP Status on page 127
AP Actions on page 128
Radio Actions on page 130
New Button -- Adding and Registering a Wireless AP on page 131
Deleting an AP on page 134
AP Properties Tab Configuration on page 159

AP Search Facility

Search for any part of the AP string, in any column of the AP list. APs that match the search criteria appear. Select one or more APs and apply actions to the selected APs. To search, do the following:

1 Go to AP > APs.

2 At the top of the screen, enter search criteria and click the search button. APs that match the search criteria are displayed in the list.

Understanding AP Status

The full AP list can be filtered to display just Foreign APs or just Local APs. When displaying a list of all APs, the value in the Status column is limited to Foreign or Local. In the left pane, click the Foreign or Local link to filter the list respectively. When the list is filtered, the value in the Status column changes. Possible statuses for Local APs include:
- Pending. (You cannot view AP properties for Pending APs.)
- Active
- In-Active

Possible statuses for Foreign APs include:
- Active
- In-Active

For information about changing an AP's status, see AP Actions on page 128.

AP Actions

Take the following actions from the AP Actions button.

Figure 13: AP Actions button

Table 11: AP Actions

Image Upgrade: Select from the list of AP version images and apply to selected APs. If more than one AP is selected, the upgrade image must be common between the selected APs. If not, a message displays indicating that there is no common image. Download the appropriate image or select different APs. For information on downloading an upgrade image, see Downloading a new Wireless AP Software Image on page 240. To upgrade without interrupting service, click Upgrade without interrupting service. If you click this option while the upgrade scheduler is running, the schedule is interrupted, and the current upgrade cycle calculates a new schedule that includes APs that weren't upgraded.

Multi Edit: Opens the Multi Edit dialog for selected APs. Configuration changes are applied to selected APs only. For more information, see AP Multi-Edit Properties on page 111.

Manage Certificates: Opens the Certificates screen for selected APs. Configuration changes are applied to selected APs only. For more information, see Managing Certificates on page 211.

Approve: A Wireless AP's status changes from Pending to Approve if the AP Registration screen was configured to register only approved APs.

Release: Release foreign APs after recovery from a failover. Releasing an AP corresponds to the Availability function. For more information, see Availability and Session Availability on page 537.

Pending: Change Status to Pending. The AP is removed from the Active list, and is forced into discovery.

Table 11: AP Actions (continued)

Reboot: Restart selected APs without using SSH to access them.

On-demand Background Scan: To verify channel assignments and review channel details without having to run a full ACS, run an on-demand background scan. For more information, see Running a Background Scan on page 638.

Set Country: Select from a list of countries and apply the command to the selected APs. You are prompted to confirm your selection.

Apply WLAN: The Apply WLAN dialog appears. Select the radio for each configured WLAN Service for the selected AP. The list can contain 128 WLAN Services. You are prompted to confirm your selection. For AP3912 only, you can select the client port for each service. For the AP3916 only, you can select CAM on each service.

Reboot Camera: For AP3916 only. Restarts the camera on the AP.

Reset Camera: For AP3916 only. Resets the camera to factory default settings. After the camera is reset, a DHCP server is required to reassign IP addresses to the camera.

Multi Edit - IoT: Configure more than one AP for IoT support.

Related Links
IoT Multi-Edit Configuration on page 129
IoT Thread Gateway on page 196
Modifying the Status of a Wireless AP on page 156
Assigning WLAN Services to Client Ports on page 170
Applying WLAN Service

IoT Multi-Edit Configuration

Configure more than one AP at a time for IoT support.

1 Select the check box next to more than one AP that supports the IoT. The following APs offer integrated BLE/802.15.4 radios: AP3912i, AP3915i/e, AP3916ic, AP3917i/e/k.

2 Click Actions > Multi Edit - IoT.

Figure 14: Multi-Edit - IoT Action

3 Select Enable from the IoT Admin field.

4 Select a value from the Application field. Valid values are iBeacon, iBeacon Scan, Eddystone-url Beacon, Eddystone-url Scan, or Thread Gateway. The resulting parameters depend on the application you select here.

Related Links
Configuring AP as an iBeacon on page 190
Configuring iBeacon Scan on page 192
Configuring AP as an Eddystone-url Beacon on page 194
Configuring Eddystone-url Scan on page 195
Advanced Thread Gateway Properties on page 198

Radio Actions

Take the following actions from the Radio Actions button for the appropriate radio.

Figure 15: Radio 1 Actions

Figure 16: Radio 2 Actions button

Table 12: Radio Actions

Set Tx Power: Apply this command to selected APs. All selected APs must be the same model and licensed for the same country. Configure the setting from the resulting dialog. First, configure the selected APs to the same radio mode and same channel width before setting Tx Power here. When the selected APs are configured for the same width/mode, the Set Tx Power dialog displays the width/mode and you are able to set the Tx power and channel. For more information, see Configuration Parameters for Radio Properties on page 180.

Auto Channel Select: Apply this command to selected APs. For more information about ACS, see Dynamic Radio Management (DRM) on page 174.

Set Radio Mode: Apply this command to selected APs. All selected APs must be the same model and licensed for the same country. Configure the setting from the resulting dialog. For more information, see Configuration Parameters for Radio Properties on page 180.

Set Channel Width: Apply this command to selected APs. All selected APs must be the same model and licensed for the same country. Configure the setting from the resulting dialog. For more information, see Configuration Parameters for Radio Properties on page 180.

Related Links
Configuration Parameters for Radio Properties on page 180
Dynamic Radio Management (DRM) on page 174

New Button -- Adding and Registering a Wireless AP

You can manually add and register a wireless AP to the controller, but the AP must still go through the automatic discovery and registration process to locate the controller. The AP may skip the discovery process if it has a static list, or has previously connected and registered with the controller. When you manually add and register an AP, the system applies the default settings to the AP. After the system registers the AP, you can go in and edit its configuration settings (see Configuring Wireless AP Properties on page 156). To add and register an AP manually:
1 From the top menu, click AP. Regardless of the tab that you click on, the New button displays at the bottom of the page.

2 Click New and select Create or Clone.
- Create: Displays the Add Wireless AP dialog. For field descriptions, see Table 13 on page 133.
- Clone: Displays the Clone AP dialog. See Creating a Clone AP on page 133.

The Add Wireless AP screen displays.

Table 13: Add Wireless AP

Serial #: Type the unique identifier of the AP.

Hardware Type: Select the hardware model of this AP from the drop-down menu. With ExtremeWireless v10.01 each controller is licensed in a specific domain. There are three types of domain licenses: FCC, ROW, EGY, and MNT. The ExtremeWireless user interface reflects the domain of the controller. The following are use cases for each domain:
- A wireless controller with an FCC license can manage AP37xx, AP38xx, and AP39xx-FCC. These access points can be deployed in the United States, Puerto Rico, or Colombia.
- A wireless controller with a ROW license can manage AP37xx, AP38xx, and AP39xx-ROW. These access points can be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia.
- A wireless controller with an EGY license can manage AP37xx, AP38xx, and AP39xx-EGY.
- A wireless controller with a MNT license can manage only domain-locked access points, which are the AP39xx-FCC and the AP39xx-ROW only. The AP39xx-FCC must be deployed in the United States, Puerto Rico, or Colombia. The AP39xx-ROW must be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia.
Note: The AP37xx and AP38xx cannot connect to a controller licensed in the MNT domain.

Name: Type a unique name for the AP that identifies the access point. The default value is the AP's serial number.

Description: Enter a description of this AP.

Add Wireless AP: Click to add the AP with default settings. You can later modify these settings. When an AP is added manually, it is added to the controller database only and does not get assigned.

Close: Click to close this window.

Related Links
Configuring Wireless AP Properties on page 156
Creating a Clone AP on page 133

Creating a Clone AP

Create a new AP with the same type and configuration as the selected AP. Only one AP can be selected for the Clone action.

1 Select an AP from the AP list and click New > Clone.

2 Enter the Serial # and Name of the new clone AP.

3 Click Apply.

Related Links
Viewing a List of All APs on page 125
New Button -- Adding and Registering a Wireless AP on page 131

Deleting an AP

To delete an AP from the controller AP list:
1 Go to AP > APs. 2 Select the APs to delete. 3 Click Delete. Wireless AP Default Conguration Conguring the Default Wireless AP Settings Default wireless AP conguration acts as a conguration template that can be automatically assigned to new registering APs. The default AP conguration allows you to specify common sets of radio conguration parameters and VNS assignments for APs. D Wireless APs are added with default settings. You can modify the systems AP default settings, and then use these default settings to congure newly added APs. In addition, you can base the AP default settings on an existing AP conguration or you can make pre-congured APs inherit the properties of the default AP conguration when they register with the system. Each AP model has its own tab:
Common Conguration Congure common conguration, such as WLAN assignments and static conguration options for all APs. See Conguring Common Conguration Default AP Settings on page 135. raft AP38xx Congure the default settings for the ExtremeWireless Radar series APs. See Conguring AP3801 Congure the default settings for the ExtremeWireless Radar series APs. See Conguring AP37xx W78xC Congure the default settings for the Radar series APs. See Conguring AP37xx, AP37xx Dual Band Congure the default settings for the Radar series APs. See Conguring AP37xx Dual Band Default Settings on page 145 AP38xx Default AP Settings on page 143. AP3801 Default AP Settings on page 143. W78xC Default AP Settings on page 146. AP3805 Congure the default settings for the ExtremeWireless Radar series APs. See Conguring AP3805 Default AP Settings on page 144. AP3912 Congure the default settings for the ExtremeWireless wall plate AP. See Conguring AP3912 Default AP Settings on page 139. AP3915 Congure the default settings for the ExtremeWireless AP3915, BLE Radio enabled AP. See Conguring AP3915 Default AP Settings on page 138. AP3916ic Congure the default settings for the ExtremeWireless Integrated Camera AP. See Conguring AP3916 Default AP Settings on page 137. AP3917 Congure the default settings for the ExtremeWireless AP3917, BLE Radio enabled AP. See Conguring AP3917 Default AP Settings on page 136. ExtremeWireless V10.41.06 User Guide 134 Conguring the ExtremeWireless APs AP3935 Congure the default settings for the ExtremeWireless indoor series AP. See Conguring AP3935 Default AP Settings on page 140. AP3965 Congure the default settings for the ExtremeWireless outdoor series AP. See Conguring AP3965 Default AP Settings on page 142. Conguring Common Conguration Default AP Settings To congure common conguration default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings. The Common Configuration tab is displayed.

Note: Ports 1, 2, and 3 are available on the AP3912. Port 1 is the port that corresponds to the Camera (CAM) function of the AP3916ic.

3 In the Static Configuration section, specify an EWC search list or use the search list provided by the AP. Do one of the following:
- Check Learn EWC Search List from AP to accept the AP's search list.
- Clear the check box to specify a common search list for all APs. For more information about creating an EWC search list, see Table 22 on page 201.
4 In the WLAN Assignments section, associate a WLAN assignment with a radio. If the controller is in an availability pair, you can apply the default WLAN assignments to foreign APs by selecting the Apply default WLAN assignments to foreign APs check box. For more information, see Availability on page 537.
To associate a WLAN service in the list with a radio, a client port, or both, select the check box matching that radio or port for the selected WLAN. One WLAN can be assigned per port; the assignment enables the port. Wireless and wired users associated with the same WLAN service receive identical service and are subject to the same policies and filters.
Note: Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANs configured with Reserved Airtime.
5 Click Save Settings.

Related Links
Configuring Airtime Fairness: Reservation Mode on page 406

Configuring AP3917 Default AP Settings

To configure AP3917 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3917 FCC tab.
Figure 17: AP3917 Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 Click Save Settings.

Configuring AP3916 Default AP Settings

To configure AP3916 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3916 ROW tab.
Figure 18: AP3916 Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 Click Save Settings.

Configuring AP3915 Default AP Settings

To configure AP3915 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3915 FCC tab.
Figure 19: AP3915 Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 Click Save Settings.

Configuring AP3912 Default AP Settings

To configure AP3912 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3912 FCC tab.
Figure 20: AP3912 Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 Click Save Settings.

Configuring AP3935 Default AP Settings

ExtremeWireless 10.01 associates the license key with a specific wireless controller, and each license key applies to a specific regulatory domain (FCC or ROW). The FCC domain covers the United States, Colombia, and Puerto Rico; the ROW domain covers all other countries. The AP3935 can be licensed to operate within an FCC or ROW regulatory domain.

To configure AP3935 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3935 FCC tab.
Figure 21: AP3935 FCC Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 To save your changes, click Save Settings.

Configuring AP3965 Default AP Settings

ExtremeWireless 10.01 associates the license key with a specific wireless controller, and each license key applies to a specific regulatory domain (FCC or ROW). The FCC domain covers the United States, Colombia, and Puerto Rico; the ROW domain covers all other countries. The AP3965 can be licensed to operate within an FCC or ROW regulatory domain.

To configure AP3965 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3965 FCC tab.
Figure 22: AP3965 FCC Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 To save your changes, click Save Settings.

Configuring AP38xx Default AP Settings

To configure AP38xx default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP38xx tab.
Figure 23: AP38xx Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 To save your changes, click Save Settings.

Configuring AP3801 Default AP Settings

To configure AP3801 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3801 tab.
Figure 24: AP3801 Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 To save your changes, click Save Settings.

Configuring AP3805 Default AP Settings

To configure AP3805 default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP3805 ROW tab.
Figure 25: AP3805 Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 To save your changes, click Save Settings.

Configuring AP37xx Dual Band Default Settings

This AP37xx profile supports two concurrent Wi-Fi radios (2.4 GHz and 5 GHz).

To configure AP37xx default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP37xx tab.
Figure 26: AP37xx Default Settings
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
5 Click Save Settings.

Configuring AP37xx, W78xC Default AP Settings

To configure AP37xx, W78xC default AP settings:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP37xx W78xC tab.
4 Configure the following Default AP Settings as required:
- AP Properties
- Radio Settings
- Advanced Settings
For detailed information, see AP Default Settings on page 148.
Figure 27: AP37xx W78xC Default Settings
5 Click Save Settings.

AP Default Settings

Table 14: AP Default Settings

AP Properties

LLDP: Determines whether the AP broadcasts LLDP (Link Layer Discovery Protocol) information. This option is disabled by default. If SNMP is enabled on the controller and you enable LLDP, the LLDP Confirmation dialog is displayed. Select one of the following:
- Proceed (not recommended): enables LLDP and keeps SNMP (Simple Network Management Protocol) running.
- Disable SNMP publishing, and proceed: enables LLDP and disables SNMP.
For more information on using SNMP, see the Extreme Networks ExtremeWireless Maintenance Guide.

Announcement Interval: Determines how often the AP advertises its information by sending a new LLDP packet when LLDP is enabled. This value is measured in seconds. If there are no changes to the AP configuration that affect the LLDP information, the AP sends a new LLDP packet on this schedule.
Note: Announcement Interval is not applicable on all AP models.

Announcement Delay: Determines the length of time by which delivery of a new packet is delayed. The announcement delay helps minimize LLDP packet traffic when LLDP is enabled. This value is measured in seconds. If a change to the AP configuration occurs that affects the LLDP information, the AP sends an updated LLDP packet after this delay.
Note: Announcement Delay is not applicable on all AP models.

Time to Live: Determines the lifespan of the LLDP packet. The Time to Live value is calculated as four times the Announcement Interval value and cannot be edited directly.
Note: Time to Live is not applicable on all AP models.

Radio Settings (Radio 1 and Radio 2)

Country: Select the country of operation.

Admin mode: Select On to enable this radio; select Off to disable this radio.

Radio mode: Click the radio mode based on the type of AP. For more information on the available radio modes, see Configuring Wireless AP Radio Properties on page 174. The available radio settings depend on the radio mode you select.

Channel Width: Click the channel width for the radio:
- 20 MHz: allows 802.11n clients to use the primary channel (20 MHz) and non-802.11n clients, beacons, and multicasts to use the 802.11b/g radio protocols.
- 40 MHz: allows 802.11n clients that support 40 MHz to use 40 MHz, 20 MHz, or the 802.11b/g radio protocols. 802.11n clients that do not support 40 MHz can use 20 MHz or the 802.11b/g radio protocols; non-802.11n clients, beacons, and multicasts use the 802.11b/g radio protocols.
- 80 MHz: allows 802.11ac clients to use 80 MHz. Applies to AP38xx and AP39xx Radio 1 only.
- Auto: switches automatically between 20 MHz, 40 MHz, and 80 MHz channel widths, depending on how busy the extension channels are.

RF Domain: Uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters.

Auto Tx Power Ctrl (ATPC): Determines whether the AP automatically adapts its transmission power. Enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC adapts transmission power according to the coverage provided by the AP; after a period of time, the system stabilizes itself based on the RF coverage of your wireless APs.
Note: When ATPC is enabled, the Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm adjusts the AP power between Max Tx Power and Min Tx Power. When ATPC is disabled, the radio uses the selected Max Tx Power value or the largest value in the compliance table, whichever is smaller.

Max Tx Power: Click the appropriate Tx power level from the Max TX Power drop-down list. The values in the list are in dBm and vary by AP; they are governed by compliance requirements based on the country, radio, and antenna selected. Changing this value below the current Min Tx Power value lowers Min Tx Power so that it does not exceed the selected Max TX Power.
Note: If ATPC is disabled, the radio uses the selected value or the largest value in the compliance table, whichever is smaller.

Min Tx Power: If ATPC is enabled, select a minimum Tx power level that is equal to or lower than the maximum Tx power level. Use the lowest supported value if you do not want to limit the potential Tx power range that can be used.
Note: The Min Tx Power setting cannot be set higher than the Max Tx Power setting.

Auto Tx Power Ctrl Adjust: A correction parameter that lets you manually adjust (up or down) the Tx power calculated by the ATPC algorithm. If ATPC is enabled, click the Tx power level to be added to the ATPC power levels the system has assigned. Extreme Networks recommends using 0 dB during your initial configuration. If you have an RF plan that recommends Tx power levels for each AP, compare the actual Tx power levels your system has assigned against the recommended values in your RF plan, and use the Auto Tx Power Ctrl Adjust value to reach the recommended values. The valid range is from -(Max Tx Power - Min Tx Power) dB to (Max Tx Power - Min Tx Power) dB.

Channel Plan: If ACS is enabled, you can define a channel plan for the AP. A channel plan controls which channels are available for use during an ACS scan. For example, you may want to avoid specific channels because of low power, regulatory domain restrictions, or radar interference.
For 5 GHz radios, click one of the following:
- All channels: ACS scans all channels for an operating channel and, when ACS is triggered, selects the optimal channel from all available channels.
- All Non-DFS Channels: ACS scans all non-DFS channels for an operating channel and selects the best non-DFS channel.
- All channels including weather radar: ACS selects the best channel from the available channels list. The selected channel may be DFS, weather-radar DFS, or non-DFS. Weather-radar channels are approved for selected AP models in selected countries; consult the compliance information for the selected AP. The weather channel includes the 5600-5650 MHz sub-bands and requires a listening period before the AP can provide wireless service. During the listening period, the Current Channel field for DFS channels displays DFS Timeout, and the weather channel fields display DFS Timeout. In Europe, the listening period can be up to 10 minutes; in the U.S., it is 1 minute.
- Custom: To configure the individual channels from which ACS selects an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key; to select multiple non-contiguous channels, use the CTRL key. Click OK to save the configuration.
For 2.4 GHz radios, click one of the following:
- 3 Channel Plan: ACS scans channels 1, 6, and 11 in North America, and 1, 7, and 13 in the rest of the world.
- 4 Channel Plan: ACS scans channels 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world.
- Auto: ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world.
- Custom: To configure the individual channels from which ACS selects an operating channel, click Configure. The Add Channels dialog is displayed. Click the individual channels you want to add to the channel plan while pressing the CTRL key, and then click OK.

Antenna Selection

Antenna Selection: Click the antenna, or antenna combination, you want to configure on this radio. When you configure 11n wireless APs to use specific antennas, the transmission power is recalculated and the Current Tx Power Level value for the radio is adjusted automatically to reflect the new antenna configuration. It takes approximately 30 seconds for the change to the Current Tx Power Level value to appear in the ExtremeWireless Assistant. The radio is also reset, so client connections on this radio are lost.
Note: Antenna Selection is not applicable on all AP models.

Advanced dialog

AP Properties

Poll Timeout: Type the timeout value, in seconds. The AP uses this value to trigger re-establishing the link with the controller if the AP does not get an answer to its polling. The default value is 10 seconds.
Note: If you are configuring session availability, the Poll Timeout value should be 1.5 to 2 times the Detect link failure value on the AP Properties screen. For more information, see Session Availability on page 545.
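The Max Tx Power, Min Tx Power, Auto Tx Power Ctrl Adjust and Poll Timeout rules above are easy to violate when settings are edited in bulk, so a check that encodes them is worth running against an exported configuration before it is pushed to APs. The following is an added example written for this page; it is not part of the guide or of the ExtremeWireless product. The RadioPower class, the function names, the 30 dBm compliance ceiling and the sample values are assumptions for illustration, and the exact value Min Tx Power drops to when Max Tx Power is lowered below it is modelled as a clamp because the guide only says it is pulled below the new maximum.

```python
"""Checks for the Tx power and Poll Timeout rules in Table 14 (AP Default Settings).
Added example, not Extreme Networks code; names and sample values are assumptions."""

from dataclasses import dataclass


@dataclass
class RadioPower:
    """One radio's Tx power fields as entered in the Default Settings dialog."""
    max_tx_dbm: int               # Max Tx Power selected in the drop-down list
    min_tx_dbm: int               # Min Tx Power (editable only when ATPC is enabled)
    atpc_enabled: bool            # Auto Tx Power Ctrl
    atpc_adjust_db: int = 0       # Auto Tx Power Ctrl Adjust (guide recommends 0 initially)
    compliance_max_dbm: int = 30  # largest value in the compliance table (assumed value)


def apply_max_tx_change(cfg: RadioPower, new_max_dbm: int) -> RadioPower:
    """Model the UI rule: lowering Max Tx Power below the current Min Tx Power pulls
    Min Tx Power down so it never exceeds Max Tx Power. Clamping Min to the new
    maximum is an assumption; the guide only says Min ends up below the new Max."""
    return RadioPower(
        max_tx_dbm=new_max_dbm,
        min_tx_dbm=min(cfg.min_tx_dbm, new_max_dbm),
        atpc_enabled=cfg.atpc_enabled,
        atpc_adjust_db=cfg.atpc_adjust_db,
        compliance_max_dbm=cfg.compliance_max_dbm,
    )


def validate_radio_power(cfg: RadioPower) -> list:
    """Return the Table 14 rules the configuration violates (empty list means OK)."""
    errors = []
    if cfg.min_tx_dbm > cfg.max_tx_dbm:
        errors.append("Min Tx Power cannot be set higher than Max Tx Power")
    if cfg.atpc_enabled:
        # Valid range is -(Max Tx Power - Min Tx Power) dB to +(Max Tx Power - Min Tx Power) dB.
        span = cfg.max_tx_dbm - cfg.min_tx_dbm
        if not -span <= cfg.atpc_adjust_db <= span:
            errors.append(f"Auto Tx Power Ctrl Adjust must be within +/-{span} dB")
    return errors


def effective_tx_power_range(cfg: RadioPower) -> tuple:
    """Power range the radio can actually use, as (low, high) in dBm.
    ATPC disabled: the selected Max Tx Power or the compliance maximum, whichever is smaller.
    ATPC enabled: the algorithm moves between Min and Max Tx Power; applying the
    compliance ceiling to the top of that range is an assumption."""
    ceiling = min(cfg.max_tx_dbm, cfg.compliance_max_dbm)
    if not cfg.atpc_enabled:
        return ceiling, ceiling
    return min(cfg.min_tx_dbm, ceiling), ceiling


def check_poll_timeout(poll_timeout_s: float, detect_link_failure_s: float) -> bool:
    """Session availability rule: Poll Timeout should be 1.5 to 2 times the
    Detect link failure value from the AP Properties screen."""
    return 1.5 * detect_link_failure_s <= poll_timeout_s <= 2 * detect_link_failure_s


if __name__ == "__main__":
    radio = RadioPower(max_tx_dbm=20, min_tx_dbm=8, atpc_enabled=True, atpc_adjust_db=3)
    print(validate_radio_power(radio), effective_tx_power_range(radio))
    print(apply_max_tx_change(radio, 5))            # Min Tx Power is pulled down to 5 dBm
    print(check_poll_timeout(10, 5), check_poll_timeout(10, 8))
```

Run it as a script to see the three checks on the sample radio; in practice you would build RadioPower instances from whatever export or inventory you keep of the per-model default settings and fail the change if validate_radio_power returns anything.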
Secure Tunnel: When enabled, this feature provides encryption, authentication, and key management between the AP and the controller(s). Select the desired Secure Tunnel mode from the drop-down list:
- Disabled: Secure Tunnel is turned off and no traffic is encrypted.
- Encrypt control traffic between AP & Controller: An IPsec tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control traffic is encrypted. The AP skips the registration and authentication phases, and when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
- Encrypt control and data traffic between AP & Controller: An IPsec tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control and data traffic is encrypted. This mode only benefits Routed and Bridged@Controller topologies. The AP skips the registration and authentication phases, and when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
- Debug mode: An IPsec tunnel is established from the AP to the controller, but no traffic is encrypted and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases, and when this mode is selected, the Secure Tunnel Lifetime feature can be configured. Because Debug mode encrypts nothing, use it only while troubleshooting.
Note: This option is not available for AP3805 models.
Note: Changing the Secure Tunnel mode automatically disconnects and reconnects the AP.

Secure Tunnel Lifetime: Enter the interval (in hours) at which the keys of the IPsec tunnel are renegotiated.
Note: Changing the Secure Tunnel Lifetime setting does not disrupt the AP.

Remote Access: Click to Enable or Disable SSH access to the AP.

Location-based Service: Click to Enable or Disable location-based service on this AP. Location-based service allows you to use this AP with an AeroScout or Ekahau solution.

Maintain client sessions in event of poll failure: Click to Enable or Disable. When enabled (using a Bridged at AP VNS), the AP remains active if a link loss with the controller occurs. This option is disabled by default.

Restart service in the absence of controller: Click to Enable or Disable (if using a Bridged at AP VNS) to ensure the AP continues providing service if the AP's connection to the controller is lost. If this option is enabled, the AP can start a Bridged at AP VNS even in the absence of a controller.

Use broadcast for disassociation: Click to Enable or Disable if you want the AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This affects the behavior of the AP under the following conditions:
- If the AP is preparing to reboot or to enter one of the special modes (DRM initial channel selection).
- If a BSSID is deactivated or removed on the AP.
This option is disabled by default.

Radio Settings

IP Multicast Assembly: Click to Enable or Disable multicast frame assembly for groups of APs using AP Multi-edit settings (for more information, see AP Multi-Edit Properties on page 111).

Balanced Channel List Power: Simplifies power settings so that they function across all channels in the channel plan.

DTIM: Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5.

LED: Select the desired LED pattern from the drop-down list. Options include Off, WDS Signal Strength, Identify, and Normal.

Beacon Period: Defines the time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.

RTS/CTS: Type the packet size threshold, in bytes, above which a packet is preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.

Frag. Threshold: Type the fragment size threshold, in bytes, above which packets are fragmented by the AP before transmission. The default value is 2346, which means all packets are sent unfragmented.

Dynamic Channel Selection: Click one of the following:
- Monitor Mode: If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
- Active Mode: If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the AP stops operating on the current channel and ACS automatically selects an alternate channel for the AP to operate on.

DCS Noise Threshold: Type the noise interference level, measured in dBm, above which ACS scans for a new operating channel for the AP.

DCS Channel Occupancy Threshold: Type the channel utilization level, measured as a percentage, above which ACS scans for a new operating channel for the AP.

DCS Update Period: Type the time, measured in minutes, over which the AP averages the DCS Noise Threshold and DCS Channel Occupancy Threshold measurements. If either of these thresholds is exceeded, the AP triggers ACS.

DCS Interference Event (appears if Dynamic Channel Selection is enabled): Enable or disable the following DCS events:
- Bluetooth
- Microwave
- Cordless Phone
- Constant Wave
- Video Bridge

Interference Wait Time: Length of the delay (in seconds) before logging an alarm. The default setting is 10 seconds.

Preamble: Click a preamble type for 11b-specific (CCK) rates: Short or Long. Click Short if you are sure that there are no 11b APs or clients in the vicinity of this AP. Click Long if compatibility with 11b clients is required.

Protection Rate: Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Reduce the rate only if there are many 11b clients in the environment or if the deployment has areas with poor coverage where rates lower than 11 Mbps are required to ensure coverage.

Protection Mode: Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.

Protection Type: Click a protection type, CTS Only or RTS CTS, used when a 40 MHz or 80 MHz channel is in use. This protects high-throughput transmissions on extension channels from interference from non-11n APs and clients.

Max % of non-unicast traffic per Beacon period: Enter the maximum percentage of time that the AP transmits non-unicast packets (broadcast and multicast traffic) during each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by the packet and drops all packets that exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.

Optimized Multicast for power save: Click to optimize for power save.

Adaptable rate for Multicast: Click to enable adaptable rate capabilities.

Multicast to Unicast delivery: Click to set the Multicast to Unicast delivery method from the drop-down list.

Enhanced Rate Control

Min. Basic Rate: For each radio, click the minimum data rate that must be supported by all stations in a BSS:
- Click 1, 2, 5.5, or 11 Mbps for 11b and 11b+11g modes.
- Click 6, 12, or 24 Mbps for 11g-only mode.
- Click 6, 12, or 24 Mbps for 11a mode.

11n Settings

Protection Mode: Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.

Protection Type: Click a protection type, CTS Only or RTS CTS, used when a 40 MHz channel is in use. This protects high-throughput transmissions on extension channels from interference from non-11n APs and clients.

Extension Channel Busy Threshold: Type the extension channel threshold percentage which, if exceeded, disables transmissions on the extension channel (40 MHz).

Aggregate MSDUs: Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size.

Aggregate MPDUs: Click an aggregate MPDU mode: Enabled or Disabled. Aggregate MPDU provides a significant improvement in throughput.

Aggregate MPDU Max Length: Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes.

Agg. MPDU Max # of Sub-frames: Type the maximum number of sub-frames of the aggregate MPDU. The value range is 2-64.

ADDBA Support: Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enabled.

LDPC: Click an LDPC mode: Enabled or Disabled. LDPC increases the reliability of the transmission, resulting in about 2 dB better performance compared to traditional 11n coding.

STBC: Click an STBC mode: Enabled or Disabled. STBC is a simple open-loop transmit diversity scheme. When enabled, the STBC configuration is 2x1 (two spatial streams combine into one spatial stream). TxBF overrides STBC if both are enabled for single-stream rates.

TxBF: Tx Beam Forming is a technique of re-aligning the phases of the transmitter's multipath spatial streams to get a better signal-to-noise ratio on the receiver side. Click a TxBF mode: for the AP37xx and AP38xx models, valid values are Enabled or Disabled. For the AP39xx models, this setting is only available on Radio 1, and valid values are MU-MIMO and Disabled.

Configuring Wireless AP Properties

Wireless APs are added with default settings, which you can adjust and configure according to your network requirements. In addition, you can modify the properties and the settings for each radio on the AP. Configuring AP settings can include the following processes:
- Modifying the Status of a Wireless AP on page 156
- AP Properties Tab Configuration on page 159
- Setting Up the Wireless AP Using Static Configuration on page 199

You can also locate and select APs in specific registration states to modify their settings. For example, this is useful when approving pending APs while a large number of other APs are already registered. On the Access Approval screen, click Pending to select all pending APs, then click Approve to approve all selected APs.

If during the discovery process the controller security mode was Allow only approved Wireless APs to connect, the status of the AP is Pending. Either approve the pending APs from the Access Approval screen, or modify the security mode to Allow all Wireless APs to connect; note that the latter removes the approval step for every AP that registers afterwards.

When configuring APs, you can configure individual APs or simultaneously configure a group of APs. For more information, see AP Multi-Edit Properties on page 111.

Modifying the Status of a Wireless AP

Related Links
Security Mode on page 124
AP Rehoming on page 156
AP Actions on page 128

AP Rehoming

You can balance your AP deployment by switching an AP from local to foreign (and from foreign to local). The AP continues providing service without interruption while APs are redeployed. If the availability link is down, the conversion is completed when the link is established. The rehomed AP establishes an active tunnel to the new controller, and its radio configuration is preserved once the conversion is complete. WLAN assignments are not affected by rehoming. WDS and Mesh APs cannot be converted from local to foreign. A rehomed AP is removed from load balance groups.

AP Dashboard

ExtremeWireless offers a dashboard of statistical information for each AP in the network. The following information is displayed for each AP:
- IP address. Supports both IPv4 and IPv6 addresses.
- IoT MAC. MAC address for the Internet of Things enablement. Displayed for the AP3912 and AP3916 when IoT is enabled.
- Model number
- Software version running on the AP
- Country
- AP role
- Number of 802.3 clients (AP3912)
- Camera IP (AP3916)
- Number of radios
- Channel number, if applicable
- Channel mode
- Power level

AP properties for access points with an integrated BLE/802.15.4 radio display the IoT MAC address and the channel and Tx power level of the BLE radio when IoT is enabled. The following APs offer integrated BLE/802.15.4 radios: AP3912i, AP3915i/e, AP3916ic, AP3917i/e/k.

Figure 28: AP3916 Dashboard with IoT Enabled

The dashboard displays a graphical representation over the last hour of the following:
- Client count: associated clients per radio
- Devices by Type classification
- Noise floor for both bands
- Channel utilization for both bands

Figure 29: AP Dashboard

Clients: Displays the number of clients on each radio in 10-minute intervals. Use this information to gain visibility over time into AP utilization per radio. Details for the AP3912 and AP3916 show the number of 802.3 clients; these are clients that use the wired client ports available on these AP models.

Devices by Type: Offers visibility into the type of devices connected to your network, by percentage. Use this information to understand BYOD usage on your network.

Noise (dBm): Tracks the noise level for each AP radio in 10-minute intervals. Use this information to understand channel performance over time.

Channel Utilization (%): Tracks the percentage of traffic on each radio in 10-minute intervals. Use this information to understand channel usage over time.

Click Configure to display configuration options for the AP. For more information, see AP Properties Tab Configuration on page 159.

Related Links
AP Properties Tab Configuration on page 159
Channel Inspector Report on page 637

AP Properties Tab Configuration

Use the AP Properties tab to view and configure basic AP properties. Some AP properties can be viewed and configured via the Advanced dialog.

1 From the top menu, click AP.
2 Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays. For more information, see AP Dashboard on page 157.
3 Click Configure. The AP Properties tab displays.
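The Dynamic Channel Selection fields in Table 14 above (DCS Noise Threshold, DCS Channel Occupancy Threshold, DCS Update Period, and Monitor Mode versus Active Mode) describe a threshold check over averaged measurements, the same noise (dBm) and channel utilization (%) series the AP Dashboard plots. The following is an added example written for this page, not code from the guide or from the ExtremeWireless product, showing that decision logic on constructed per-minute samples. The DcsSettings and Sample classes, the function name and the sample values are assumptions, and choosing the quietest other plan channel stands in for ACS, whose real selection criteria this page does not describe.

```python
"""Dynamic Channel Selection evaluation as described in Table 14 (AP Default Settings).
Added example, not Extreme Networks code; names and sample data are assumptions."""

from dataclasses import dataclass
from statistics import mean


@dataclass
class DcsSettings:
    """The DCS fields from the Advanced dialog, Radio Settings."""
    mode: str                     # Dynamic Channel Selection: "monitor" or "active"
    noise_threshold_dbm: int      # DCS Noise Threshold
    occupancy_threshold_pct: int  # DCS Channel Occupancy Threshold
    update_period_min: int        # DCS Update Period, in minutes


@dataclass
class Sample:
    """One per-minute measurement on the operating channel (constructed data)."""
    noise_dbm: int
    occupancy_pct: int


def evaluate_dcs(settings, samples, current_channel, channel_plan, scan_noise_dbm):
    """Decide what the AP does at the end of one DCS Update Period.

    samples        - per-minute Samples; only the last update_period_min are averaged
    channel_plan   - channels ACS may choose from (e.g. the 3 Channel Plan: 1, 6, 11)
    scan_noise_dbm - {channel: noise floor seen during the ACS scan}; picking the
                     quietest other plan channel is a stand-in for ACS (assumption)
    """
    window = samples[-settings.update_period_min:]
    avg_noise = mean(s.noise_dbm for s in window)
    avg_occupancy = mean(s.occupancy_pct for s in window)

    # A noise floor of -70 dBm is louder than -90 dBm, so "exceeds" means numerically greater.
    exceeded = []
    if avg_noise > settings.noise_threshold_dbm:
        exceeded.append("noise")
    if avg_occupancy > settings.occupancy_threshold_pct:
        exceeded.append("occupancy")

    result = {
        "avg_noise_dbm": avg_noise,
        "avg_occupancy_pct": avg_occupancy,
        "exceeded": exceeded,
        "alarm": bool(exceeded),     # both modes raise an alarm and write an information log
        "channel": current_channel,  # Monitor Mode never leaves the channel
    }
    if exceeded and settings.mode == "active":
        # Active Mode: stop using the current channel; ACS picks another plan channel.
        candidates = [ch for ch in channel_plan if ch != current_channel]
        if candidates:
            result["channel"] = min(candidates, key=lambda ch: scan_noise_dbm.get(ch, 0))
    return result


if __name__ == "__main__":
    # Constructed six minutes of measurements: a noise source appears on channel 6.
    history = [Sample(n, o) for n, o in zip((-90, -88, -80, -70, -75, -78),
                                            (10, 15, 20, 30, 35, 40))]
    scan = {1: -70, 6: -78, 11: -92}
    for mode in ("monitor", "active"):
        settings = DcsSettings(mode, noise_threshold_dbm=-85,
                               occupancy_threshold_pct=60, update_period_min=5)
        print(mode, evaluate_dcs(settings, history, 6, [1, 6, 11], scan))
```

Running the script shows the same five-minute window producing an alarm without a channel change in Monitor Mode and a move to channel 11 in Active Mode; shortening the DCS Update Period makes the decision react to a single noisy minute, which is the usual cause of APs hopping channels unnecessarily.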
Related Links
AP Dashboard on page 157
AP Properties Tab - Basic Settings on page 161
AP Properties Tab - Advanced Settings on page 164
Professional Install Settings on page 166
Assigning Wireless AP Radios to a VNS on page 168
Configuration Parameters for Radio Properties on page 180
Configuring IoT Applications on page 189
Setting Up the Wireless AP Using Static Configuration on page 199
Setting Up 802.1x Authentication for a Wireless AP on page 203

AP Properties Tab - Basic Settings

Serial #: Read-only. Displays a unique identifier (serial number) that is assigned during the manufacturing process.

Host Name: Read-only. This value, which is based on AP Name, cannot be directly edited. This value depicts the AP Host-Name value. If the AP Name value does begin with a number, for example when it is the AP serial number, the AP model is prepended to the value. This value is used for tracking purposes on the DHCP server.

Name: The default value of the AP Name is the serial number, but it can be modified to any desired AP Name. Supported characters include: alphanumeric, blank space, hyphen, underscore, and period. Up to 255 characters.

Location: Define the location of the AP. When a client roams to an AP with a different location, Area Notification is triggered. The Area Notification feature is designed to track client locations within pre-defined areas using either the Location Engine (for more information, see Configuring the Location Engine on page 609) or the AP Location field. When the clients change areas, a notification is sent. Location functionality on the AP is useful when access to Extreme Management Center OneView is not available.

Zone: Zone is a label that can be sent to a RADIUS server in place of an AP BSSID in the called-station-id attribute. It can be easier to base authorization decisions on the zone label rather than on the BSSID. Each AP can have its own Zone label, although it is often useful to assign the same Zone to multiple APs.

AP Environment: Select Indoor or Outdoor. This property is available for outdoor APs only, indicating where the AP is deployed. The Outdoor APs can be deployed in both indoor and outdoor environments. AP placement should depend on the country of operation that is selected and the country regulatory domain requirements for radio emissions. For more information, see Outdoor Access Point Installation on page 167.

Topology: Read only. The Topology name with which the AP is registered.

Description: Type comments for the AP.

Hardware Type: Select the hardware model of this AP from the drop-down menu. With ExtremeWireless v10.01 each controller is licensed in a specific domain. There are three types of domain licenses: FCC, ROW, EGY, and MNT. The ExtremeWireless user interface reflects the domain of the controller. The following are use cases for each domain:
- A wireless controller with an FCC license can manage AP37xx, AP38xx, and AP39xx-FCC. These access points can be deployed in the United States, Puerto Rico, or Colombia.
- A wireless controller with a ROW license can manage AP37xx, AP38xx, and AP39xx-ROW. These access points can be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia.
- A wireless controller with an EGY license can manage AP37xx, AP38xx, and AP39xx-EGY.
- A wireless controller with a MNT license can manage only domain-locked access points, which are the AP39xx-FCC and the AP39xx-ROW only. The AP39xx-FCC must be deployed in the United States, Puerto Rico, or Colombia. The AP39xx-ROW must be deployed in any country except the United States, Puerto Rico, Egypt, or Colombia.
Note: The AP37xx and AP38xx cannot connect to a controller licensed in the MNT domain.

Application Version: Displays the ExtremeWireless release version.

Status: Approved indicates that the AP has received its binding key from the controller after the discovery process. If no status is shown, the AP has not yet been successfully approved for access with the secure controller. You can modify the status of an AP on the Access Approval screen. For more information, see Modifying the Status of a Wireless AP on page 156.

Active Clients: Displays the number of wireless devices currently associated with the AP.

Role: Displays the role for the AP. Note: You can only view these options here. You cannot change them. Options include:
- Traffic Forwarding: Normal Operation. Applies to all APs.
- Guardian: Once the AP is configured as a Guardian, the AP stops forwarding traffic and dedicates both radios to threat detection and countermeasures. For more information, see Configuring an AP as a Guardian on page 221. The AP can be configured in one of three sub-modes:
  - Out-of-Service with its radios off
  - Providing full bridging functionality without RADAR
  - Providing full bridging functionality and In-Service RADAR
  For more information, see Configuring a Guardian Scan Profile on page 577.
- AirDefense Sensor: AP39xx integration with the AirDefense Services Platform (ADSP). Alternative to the Guardian AP configuration. For more information, see Configuring an AirDefense Profile on page 568.

Country: Click the country of operation. Note: The antenna you select determines the available channel list and the maximum transmitting power for the country in which the AP is deployed.

Related Links
AP Properties Tab - Advanced Settings on page 164

AP Properties Tab - Advanced Settings

Poll Timeout: Type the timeout value, in seconds. The AP uses this value to trigger re-establishing the link with the Controller if the AP does not get an answer to its polling. The default value is 10 seconds. Note: If you are configuring session availability, the Poll Timeout value should be 1.5 to 2 times the Detect link failure value on the AP Properties screen. For more information, see Session Availability on page 545.

Secure Tunnel: This feature, when enabled, provides encryption, authentication, and key management between the AP and/or controllers. Select the desired Secure Tunnel mode from the drop-down list:
- Disabled: Secure Tunnel is turned off and no traffic is encrypted. All SFTP/SSH/TFTP traffic works normally.
- Encrypt control traffic between AP & Controller: An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control traffic is encrypted. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
- Encrypt control and data traffic between AP & Controller: This mode only benefits routed/bridged@Controller Topologies. An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
- Debug mode: An IPSEC tunnel is established from the AP to the controller, no traffic is encrypted, and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
Note: This option is not available for AP3805 models.
Note: Changing the Secure Tunnel Lifetime setting will not cause any AP disruption.
Note: Changing a Secure Tunnel mode will automatically disconnect and reconnect the AP.

Secure Tunnel Lifetime: Available when Secure Tunnel is enabled. Enter an interval (in hours) at which the keys of the IPSEC tunnel are renegotiated.

Enable SSH Access: Click to enable or disable SSH for access to the AP.

Enable location-based-service: Enable or disable the AeroScout, Ekahau, or Centrak location-based service for the AP.

Maintain client session in event of poll failure: Select this option (if using a bridged at AP VNS) if the AP should remain active if a link loss with the controller occurs. This option is enabled by default.

Restart service in the absence of controller: Select this option (if using a bridged at AP VNS) to ensure the AP's radios continue providing service if the AP's connection to the controller is lost. If this option is enabled, it allows the AP to start a bridged at AP VNS even in the absence of a controller.

Use broadcast for disassociation: Select this option if you want the AP to use broadcast disassociation when disconnecting all clients, instead of disassociating each client one by one. This affects the behavior of the AP under the following conditions:
- If the AP is preparing to reboot or to enter one of the special modes (DRM initial channel selection).
- If a BSSID is deactivated or removed on the AP.
This option is disabled by default.

Enable LLDP: Click to enable or disable the AP from broadcasting LLDP information. This option is disabled by default. If SNMP is enabled on the controller and you enable LLDP, the LLDP Confirmation dialog is displayed. Select one of the following:
- Proceed (not recommended): Select this option to enable LLDP and keep SNMP running, and then click OK.
- Disable SNMP publishing, and proceed: Select this option to enable LLDP and disable SNMP, and then click OK.
For more information on enabling SNMP, see the ExtremeWireless Maintenance Guide.

Announcement Interval: If LLDP is enabled, type how often the AP advertises its information by sending a new LLDP packet. This value is measured in seconds. If there are no changes to the AP configuration that impact the LLDP information, the AP sends a new LLDP packet according to this schedule. Note: The Time to Live value cannot be directly edited. The Time to Live value is calculated as four times the Announcement Interval value.

Announcement Delay: If LLDP is enabled, type the announcement delay. This value is measured in seconds. If a change to the AP configuration occurs which impacts the LLDP information, the AP sends an updated LLDP packet. The announcement delay is the length of time that delays the new packet delivery. The announcement delay helps minimize LLDP packet traffic.

IP Multicast Assembly: Click to Enable or Disable IP Multicast Assembly on this Wireless AP. If Enabled, the IP Multicast Assembly feature assembles multicast data packets that were too large to fit the MTU size of the tunnel and were fragmented in order to fit the tunnel header. This feature is disabled by default.

Active OBSS channel width adjustment: When enabled, this setting avoids channel overlap by shrinking channels when ACS detects an overlapping BSS. Before a radio provides service, it performs an overlapping BSS coexistence scan to ensure that the radio's channel will not overlap with a nearby operating AP's secondary channels. This behavior is in accordance with the 802.11 standard and provides data to the Channel Inspector Report. If the channel width is set to 40 or 80 MHz and an overlap is detected, ACS shrinks the channel to 20 or 40 MHz to avoid the overlap. When this setting is disabled, the radio starts the service in spite of the overlap.
By default, this option is enabled for newly deployed APs and is disabled for existing AP deployments, ensuring backward compatibility with previous ExtremeWireless releases.

Balanced Channel List Power: This simplifies power settings such that they will function across all channels in the channel plan.

Low Power Mode Override: Check this box to have the AP ALWAYS operate in 4x4 mode regardless of what was negotiated with the Switch PoE. When this option is cleared, the AP operates in 2x2 or 4x4 depending on what was negotiated with the Switch PoE using the 2-event classification. The AP sends the Power Status element with "Power Mode" set to 0 when "Low Power Mode Override" is enabled. The AP sends the Critical Log "entering Low Power mode" only if it negotiated .af with the Switch PoE and "Low Power Mode Override" is disabled. Otherwise, the Critical Log is not sent. Controller "Network Health" shows only APs that have the "Power Mode" bit in the Power Status set to 1. The default configuration for the 39xx AP is disabled.

LED: Select the desired LED pattern from the drop-down list. Options include: Off, WDS Signal Strength, Identify, and Normal.

Real Capture: Click Start to start the real capture server on the AP. The default capture server timeout is set to 300 seconds and the maximum configurable timeout is 1 hour. While the capture session is active, the AP interface operates in promiscuous mode. From the Wireshark GUI, set the capture interface to the IP address of the selected AP, and select null authentication. Once Wireshark connects to the AP, the AP's interfaces are listed as available to capture traffic. eth0 is the wired interface, wlan0 is the 5GHz interface, and wlan1 is the 2.4GHz interface. You can capture bidirectional traffic on eth0, wi0, and wi1. The capture on wi0 and wi1 does not include internally generated hardware packets by the capturing AP. The capturing AP does not report its own Beacons, Retransmission, Ack and 11n Block Ack. If this information is needed, perform Real Capture from a second AP that is close by. Make sure both APs are on the same wireless channel. Broadcast an SSID to activate the radios, but do not broadcast the SSID of the AP you are troubleshooting. You do not want the clients to connect to the second capturing AP. Capture statistics are found on the Active Wireless APs report (see Viewing Statistics for APs on page 627).

Related Links
AP Properties Tab - Basic Settings on page 161

Professional Install Settings
The Professional Install option is only available for AP models with external antennas. The fields and corresponding antenna value options that appear on the Professional Install dialog depend on the selected AP and the antenna models that are available. Select an antenna for each available port. By default, the two antennas must be identical. However, you have the option to select No Antenna for the second antenna port. The AP3915e and AP3917e access point models offer an external IoT antenna. Select the antenna model from the drop-down field. Choose the desired attenuation for each radio from the drop-down list. Selectable range is from 0 to 30 dBI.

Figure 30: Professional Install dialog AP3917

Outdoor Access Point Installation
The FCC regulations for the indoor and outdoor installation are different. The professional installer must configure the access point transmitters accordingly. Products that are specifically intended to be placed outdoors are configured at the factory for compliant outdoor operation. Professional installers should review the following to assess the legality of outdoor deployments:
- When a transmitter is placed indoors but the antenna is placed outdoors, the FCC interprets this as an outdoor installation.
- When a transmitter is placed indoors and the antenna is oriented to intentionally radiate outdoors, the FCC interprets this as an outdoor installation.
- When the transmitter is placed on a loading dock or inside a covered stadium with a retractable cover, the FCC views this as an outdoor installation.

Antenna Gain
Antenna gain is the ratio of an antenna's radiation intensity in a given direction to the intensity produced by a no-loss, isotropic antenna radiating equally in all directions. An antenna's gain along the horizon and at an elevation of 30 degrees may vary. The elevation gain is defined as the maximum antenna gain at 30 to 150 degrees above the horizon. If elevation gain is configured, the transmit (TX) power calculations maximize the allowable TX power for an elevation below 30 degrees.

Access Points must conform to the U.S. Federal Communications Commission's (FCC) limitations. The FCC has now stipulated a 21dBm Effective Isotropic Radiated Power (EIRP) limit for power directed 30 degrees above the horizon. For Extreme Networks-supplied antennas compatible with 5.0 GHz on the access point, refer to the Antenna Guide for Elevation Gain information. If using a third-party antenna, you must obtain the antenna-elevation gain information from the antenna manufacturer. The elevation gain should be configured if the access point:
- Is deployed outdoors, and
- Is used with a dipole antenna (Panel antennas and polarized antennas are for point to point only and are excluded from this requirement.), and
- Is transmitting in the 5.15 - 5.25 GHz Unlicensed National Information Infrastructure-1 (UNII-1) band.

Professional installers must complete the following steps to ensure compliance with the FCC rule:
1 Configure the antenna type from the Professional Install dialog.
2 Configure the antenna placement from the AP Environment field on the AP Properties tab.
3 Configure the Country field on the AP Properties tab.
Note: ExtremeWireless determines the antenna peak gain and elevation gain based on the user configured settings. The firmware uses this information with hardcoded maximum limits (that are determined during testing) to limit the EIRP below 21dBm for outdoor use in the UNII-1 band. For information on specific antennas, refer to the ExtremeWireless External Antenna with Wave 2.

Related Links
AP Properties Tab - Basic Settings on page 161
Professional Install Settings on page 166
Outdoor Access Point Installation on page 167

Assigning Wireless AP Radios to a VNS
The following describe methods of assigning AP radios to a VNS:
- VNS configuration: When a VNS is configured, you can assign AP radios to the VNS through its associated WLAN Service. For more information, see Configuring WLAN Services on page 318.
  Note: To configure foreign AP radios to a VNS, use the VNS configuration method. Foreign APs are listed and available only for VNS assignment from the WLAN Services tab. For more information, see Configuring a VNS on page 390.
- AP Multi-edit: When you configure multiple APs simultaneously, use the AP Multi-edit feature. For more information, see AP Multi-Edit Properties on page 111.
- Wireless AP configuration: When you configure an individual AP, assign its radios to a specific WLAN Service.

To assign wireless AP radios when configuring an AP:
1 From the top menu, click AP.
2 Click the appropriate AP in the list (not the check box). The AP Details dialog is displayed.
3 Click Configure. The AP Properties tab is displayed.
4 Click the WLAN Assignment tab.
  Note: Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANS configured with Reserved Airtime.
5 In the Radio 1 and Radio 2 columns, select the radio check box that you want to assign for each WLAN Service.
6 To save your changes, click Apply.

Related Links
Assigning WLAN Services to Client Ports on page 170
AP Properties Tab Configuration on page 159
Configuration Parameters for Radio Properties on page 180
Setting Up 802.1x Authentication for a Wireless AP on page 203
AP Multi-Edit Properties on page 111
Configuring Airtime Fairness: Reservation Mode on page 406

NEW! Assigning WLAN Services to Client Ports
When configuring client ports on access point models AP391x that offer client ports, you can assign one or more client ports to a single WLAN service. Client ports offer 802.1x authentication and policy support.
Note: Network access for the AP3916ic camera function is controlled through policy definition, assigned as the CAM port. The camera port on the AP3916 is treated as a wired client port.
1 From the top menu, click AP.
2 Select a specific AP. The AP Properties dialog appears.
3 Click Configure.
4 Select the WLAN Assignment tab.
5 Select one or more client ports for each WLAN Service. Port options depend on the AP model you select:
  - AP3912 supports wired client ports 1-3.
  - AP3916ic supports the wired CAM port for a camera.
  - AP3917i/e supports 1 client port.
  Additionally, all the AP391x models, including AP3915i/e, support IoT Thread Gateway using the AP as a border gateway router.

The wired ports for the AP391x default to auto-negotiation for speed and mode. To configure fixed speed and mode values (for instance, 100Mbps and Full Duplex), select the Static Configuration tab and select the speed and mode settings for the Ethernet port and each client port. Configure the values that the client hardware supports.

All Port Assignments:
- One WLAN can be assigned per port. The assignment enables the port.
- Wireless and wired users associated to the same WLAN service receive identical service. They are affected by the same policies and filters.

Figure 31: Port Configuration for AP3912 Wired Ports

CAM Port Assignments:
- The topology associated with the role that is assigned to the CAM port (either through WLAN assignment or through device MBA authentication) must be configured to allow ONVIF camera discovery and video streaming. Configure the default topology to explicitly allow multicast bridging of the WS-Discovery group (239.255.255.0).
- When the camera port is unassigned, it is disabled, and the camera is disconnected from the network and turned off.
- One policy definition for wired and wireless users. Users on wired ports can receive the same default policy. However, the camera function (CAM) can be assigned a specific device policy to separate user service and video surveillance networks. The camera function can be assigned to B@AP and B@AC topologies and Mac Based Authentication for dynamic policies.
- Configure MAC authentication (MBA) for network attached devices or collect device metrics through RADIUS accounting from the Auth&Acct tab.
- WLAN SSID, Privacy, and QoS settings are not relevant for the camera functionality. Captive Portal and 802.1x are not supported on the CAM port.
Note: Bind the WLAN Service to the VNS to activate service.

Figure 32: WLAN Services Port Assignment
Figure 33: Assigning Ports to WLAN Service on the AP3912
Figure 34: Assigning the Camera Port to WLAN Service on the AP3916ic
Figure 35: Assigning the IoT Port to WLAN Service on the AP3915

Related Links
Configuring IoT Applications on page 189
Setting Up the Wireless AP Using Static Configuration on page 199
Configuring Common Configuration Default AP Settings on page 135

Configuring Wireless AP Radio Properties
Wireless AP radio properties can vary depending on the model of the AP being configured.
For specific information on modifying a wireless 802.11n AP, see Modifying 11n and 11ac Wireless AP Radio Properties on page 178. Consider the following deployment methodologies:
- Plan the wireless RF deployment using various site survey methodologies, including the ExtremeCloud RF planner. Configure each AP's channel width and channel according to the RF plan.
- Use the DRM automatic tool to configure the deployed APs' channel width and channel according to the channel plan. Use DRM Auto Channel Selection (ACS) to automatically assign the APs to appropriate channels and channel width. Use Auto Tx Power Control (ATPC) to set transmit power and let the AP dynamically adapt transmit power. Use Dynamic Channel Selection (DCS) to monitor channel occupancy around the APs and optionally allow the AP to dynamically adapt the channel.

Dynamic Radio Management (DRM)
Use the Dynamic Radio Management (DRM) controller function to establish the optimum radio configuration for your APs. The controller's DRM functionality:
- Adjusts transmit power levels to balance coverage between APs assigned to the same RF domain and operating on the same channel.
- Triggers ACS for all selected APs in the deployment, simultaneously. The APs determine the deployment density and the optimal channel width for the selected group. Density deployment is based on the following factors:
  - The number of channels configured in the channel list
  - The number of APs that have to be set up
  - The number of detected APs that do not belong to the deployment
  Each AP is set to the best available channel.
- The channel inspector displays the RF environment seen by each AP. Use the Channel Inspector Report to understand why an AP selects a channel and, if necessary, to make manual adjustments.

AP39xx and AP38xx perform an overlapping BSS (OBSS) scan every time the radio is restarted. These scan results are used as follows:
- Channel inspector is always updated with the latest RF environment seen by the AP.
- If the channel width is set to 40MHz or 80MHz and the AP property Active OBSS channel width adjustment is enabled, the AP shrinks its channel to avoid overlapping with other APs detected in the area. (An OBSS overlap occurs when a primary channel and a secondary channel overlap.) After the interfering AP is shut down and the AP's radio is reset, the channel width returns to 40MHz or 80MHz.
Note: When setting a fixed channel width to 40 MHz or 80 MHz, the Active OBSS channel width adjustment setting must be disabled. This setting is disabled by default for existing APs in order to maintain existing behavior and the existing channel plan. For APs that are newly added to the network, this setting is enabled by default.

AP39xx and AP38xx return to the original channel after a RADAR event in order to restore the original channel plan. When a RADAR event is detected, the channel is marked and the AP selects a new channel from the allowed channel list. After 30 minutes, if there are no clients associated with the AP, the AP returns to the original channel. If there are associated clients, the AP tries to return to the original channel every five minutes until there are no clients associated with the radio.

The DRM feature consists of three functions:

Auto Channel Selection (ACS)
ACS provides an easy way to optimize channel arrangement based on the current situation in the field. An optimal solution is provided only if ACS is triggered on all APs in a deployment, or on all APs placed in a distinct area like a floor. ACS forces the channel width selection of the involved APs to Auto width. The ACS algorithm selects the optimal channel width for all the selected APs and places each AP on the best channel available in its area. Use the Channel Inspector Report to visualize why the AP was placed on the selected channel. Triggering ACS on a single AP or on a subset of APs can be useful, but it is not an optimal solution. The ACS algorithm places the selected APs as best it can, considering the channels occupied by other operating APs. ACS relies on the RF channel information observed at the time it is triggered. Once an AP has selected a channel, it remains operating on that channel until you change the channel or trigger ACS again. ACS can be triggered by one of the following events:
- A new AP registers with the controller and the AP Default Settings channel is Auto.
- A user selects Auto from the Request New Channel drop-down list on the Wireless APs radio configuration tabs.
- A user selects Auto from the Channel drop-down list on the AP Multi-edit screen.
- Dynamic Channel Selection (DCS) is enabled in active mode and a DCS threshold is exceeded.
- A Wireless AP detects radar on its current operating channel and employs ACS to select a new radar-free channel. The AP returns to the original channel under the following condition: a 30-minute Non-Occupancy timer expired per the DFS standard. The AP does not disrupt service to any clients.

Channel Plan: The ACS algorithm selects channels from the configured channel plan. You can define the channel plan for each AP or accept the default plan. It is recommended that all APs in a deployment have identical channel plans. Defining a channel plan allows you to limit the available channels for use during an ACS scan. For example, you may want to avoid using specific channels because of allowed power limits on that channel or regulatory domain, or avoid DFS channel RADAR interference.

Multi-Edit: The best way to trigger ACS between multiple APs is to use the AP Multi Edit option. First, select Radio 1 or Radio 2 actions, and then select Auto Channel Select. APs that configure ACS together must all be part of the same RF domain. Therefore, set the RF Domain before ACS is started. ACS between multiple APs must start at the same time.

You can initiate ACS from the Channel Inspector Report. ACS is triggered for Site deployments or Cloud deployments by sending the ACS command to one of the member APs, which will distribute the ACS command to all other member APs. Each Site is considered an RF domain.

Dynamic Channel Selection (DCS)
DCS allows a Wireless AP to monitor RF channel conditions and noise levels on the channel on which the AP is currently operating. DCS can operate in the following modes:
- Monitor: When DCS is enabled in monitor mode, the AP monitors channel occupancy and traffic or noise levels on the channel on which the AP is currently operating. The DCS monitor alarm and generated stats can be used to evaluate the RF environment of your deployed APs.
- Active: When DCS is enabled in active mode and channel occupancy, traffic, or noise levels exceed the configured DCS thresholds, ACS is triggered to move the AP from a busy or noisy channel to the best available channel. Also, an alarm is triggered and an information log is generated.
Note: If DCS is enabled, DCS statistics can be viewed in the Wireless Statistics by Wireless APs display. For more information, see Working with Reports and Statistics on page 621.

Related Links
AP Properties Tab - Advanced Settings on page 164
Use Cases for Dynamic Radio Management on page 178
Configuration Parameters for Radio Properties on page 180
AP Multi-Edit Properties on page 111
Radio Advanced Properties on page 184
Channel Inspector Report on page 637

ATPC
The purpose of ATPC is to automatically adjust the coverage cell around an AP. During initial deployment, the Tx Power of each AP is adjusted to provide coverage without overlapping the coverage cell of a neighboring AP. To maintain optimal performance, it is important to maintain small cell sizes to encourage WLAN clients to roam to the closest AP and operate at high data rates. This practice frees the channel as fast as possible and reduces congestion. Setting the AP transmit power too high can cause interference and potentially exceed useful bounds. Setting the AP transmit power too low may introduce coverage gaps in the installation.

When all APs are operating, the cell size of each AP is adjusted to cover the surrounding area.
If one AP fails, the APs around it increase their Tx Power, increasing their cell size and compensating for the loss of the failed AP. If an RF-obstructing object is moved between the APs, the APs increase Tx Power to maintain coverage.

ATPC operates over a group of APs configured to participate in the same RF Domain. Configure the RF Domain parameter as a string that is unique across all the APs that provide service coverage, so that cell shaping is not influenced by non-participating APs.

ATPC operates by periodically broadcasting custom probe requests that allow the other APs in range to determine the RF distance (path loss) to the sending AP. Every 10 seconds, each AP evaluates the path loss to its neighbors. If the path loss is less than 70 dB, the AP reduces its Tx Power. If the path loss is more than 70 dB, the AP boosts its Tx Power.

The ATPC feature is configured for each radio. When you select the Auto Tx Power Ctrl (ATPC) check box, you enable the radio to participate in the AP group that collaborates to automatically adjust the cell size. When ATPC is enabled, the following parameters are available for configuration:

• Max Tx Power
• Min Tx Power
• Auto Tx Power Ctrl Adj

The Max Tx Power and Min Tx Power parameters set the power range used by ATPC. The Auto Tx Power Ctrl Adj parameter allows you to manually adjust the Tx Power calculated by the ATPC algorithm, either up or down. The Current Tx Power Level field on the AP / Radio page displays the actual AP Tx Power.

ATPC Preserving Power Setting

In some cases operators use ATPC to initially set up the power of the APs over a service area, but then want to freeze this setting during normal operation of the network. When the Auto Tx Power Ctrl (ATPC) check box is cleared, you have two choices:

• Maintain the ATPC-acquired Tx Power value after turning ATPC off.
• Set the Tx Power to the Max Tx Power value.

This allows you to use ATPC to reach the Tx Power level required for the installation, and then statically maintain that value after ATPC is turned off.

Related Links
Configuration Parameters for Radio Properties on page 180

Use Cases for Dynamic Radio Management

The following scenarios outline use cases for Dynamic Radio Management (DRM).

Using ACS with a Set of APs

When you trigger ACS for a set of APs, the channel width is automatically set to Auto and ACS determines the deployment density and the desired channel width to minimize co-channel interference. A channel plan is created with non-overlapping cells, and each AP performs an overlapping BSS (OBSS) scan to avoid channel overlap.

Manually Selecting Channels and Channel Width

When you select a fixed channel and channel width, the AP radio is set to the requested channel and width. The AP performs an overlapping BSS (OBSS) scan and sends the results to the Channel Inspector. If the Active OBSS channel width adjustment setting is not enabled, the radio uses the manually selected channel and width, and the detected overlap is not remedied automatically. If Active OBSS channel width adjustment is enabled, the detected overlap is corrected by shrinking the channel width before the radio is enabled. The channel width can recover after a subsequent radio reset if the OBSS scan no longer detects a channel overlap.

Modifying 11n and 11ac Wireless AP Radio Properties

Channel bonding improves the effective throughput of the wireless LAN. In contrast to legacy APs, which use radio channels that are only 20 MHz wide, 11n wireless APs can use two channels at the same time to create a 40 MHz wide channel. 11ac wireless APs can use four channels at the same time to create an 80 MHz wide channel.
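The ATPC rule described in the ATPC section above (path loss compared against the 70 dB target every evaluation round, Tx power held between Min Tx Power and Max Tx Power, then offset by Auto Tx Power Ctrl Adj and capped by the compliance table), as an added worked example. This is not Extreme's implementation. The log-distance path-loss model, the 1 dB step per round, comparing against the nearest neighbour only, and starting every radio at Max Tx Power are assumptions of the example, not statements from the guide.

```python
"""ATPC model (added example; not Extreme's implementation).

Each evaluation round (every 10 seconds on the AP) a radio compares the path
loss to its nearest live neighbour in the same RF Domain with the 70 dB
target: below the target it steps Tx power down, above it steps up, always
inside [Min Tx Power, Max Tx Power]. Auto Tx Power Ctrl Adj is then added and
the result is capped by the regulatory compliance value. A radio with ATPC
disabled uses min(Max Tx Power, compliance value).
Assumptions not stated in the guide: the log-distance path-loss model, a
1 dB step per round, comparing against the nearest neighbour only, and
starting every radio at Max Tx Power.
"""
import math

PATH_LOSS_TARGET_DB = 70.0
STEP_DB = 1  # assumed adjustment per evaluation round


def path_loss_db(pos_a, pos_b, freq_mhz=5180.0, exponent=3.0):
    """Assumed log-distance model: free-space loss at 1 m + 10*n*log10(d)."""
    d = max(math.dist(pos_a, pos_b), 1.0)
    loss_1m = 20.0 * math.log10(freq_mhz) - 27.55
    return loss_1m + 10.0 * exponent * math.log10(d)


def validate_power_settings(max_tx, min_tx, adjust):
    """The constraints Table 15 places on the ATPC fields (dBm / dB)."""
    if min_tx > max_tx:
        raise ValueError("Min Tx Power cannot be set higher than Max Tx Power")
    span = max_tx - min_tx
    if not -span <= adjust <= span:
        raise ValueError(f"Auto Tx Power Ctrl Adj must be within -{span}..+{span} dB")
    return True


class Radio:
    def __init__(self, name, pos, rf_domain, max_tx=20, min_tx=8,
                 adjust=0, compliance_max=23, atpc=True):
        validate_power_settings(max_tx, min_tx, adjust)
        self.name, self.pos, self.rf_domain = name, pos, rf_domain
        self.max_tx, self.min_tx, self.adjust = max_tx, min_tx, adjust
        self.compliance_max, self.atpc = compliance_max, atpc
        self.level = max_tx  # ATPC-calculated level before the Adj correction
        self.alive = True

    def current_tx_power(self):
        """What the Current Tx Power Level field shows for this radio."""
        if not self.atpc:
            return min(self.max_tx, self.compliance_max)
        return min(self.level + self.adjust, self.compliance_max)


def evaluate_round(radios):
    """One evaluation of every live ATPC radio; all radios move together,
    based on the positions of the neighbours that are still alive."""
    new_levels = {}
    for r in radios:
        if not r.alive or not r.atpc:
            continue
        peers = [p for p in radios
                 if p is not r and p.alive and p.rf_domain == r.rf_domain]
        if not peers:                      # no one to shape the cell against
            new_levels[r.name] = r.max_tx  # assumed: open the cell fully
            continue
        loss = min(path_loss_db(r.pos, p.pos) for p in peers)
        if loss < PATH_LOSS_TARGET_DB:
            level = r.level - STEP_DB      # neighbour too close: shrink cell
        elif loss > PATH_LOSS_TARGET_DB:
            level = r.level + STEP_DB      # neighbour far away: grow cell
        else:
            level = r.level
        new_levels[r.name] = max(r.min_tx, min(r.max_tx, level))
    for r in radios:
        if r.name in new_levels:
            r.level = new_levels[r.name]
    return {r.name: r.current_tx_power() for r in radios}


def simulate_failure(rounds_before=5, rounds_after=5):
    """Three APs 5 m apart in one RF Domain; then the middle AP fails."""
    aps = [Radio("ap0", (0.0, 0.0), "floor2"),
           Radio("ap1", (5.0, 0.0), "floor2"),
           Radio("ap2", (10.0, 0.0), "floor2")]
    before = after = {}
    for _ in range(rounds_before):
        before = evaluate_round(aps)
    aps[1].alive = False
    for _ in range(rounds_after):
        after = evaluate_round(aps)
    return before, after


if __name__ == "__main__":
    before, after = simulate_failure()
    print("all APs up:      ", before)  # neighbours 5 m apart: power stepped down
    print("after ap1 fails: ", after)   # ap0/ap2 now 10 m apart: power stepped back up
```

With the three APs 5 m apart the path loss to the nearest neighbour is below 70 dB, so every radio steps down from Max Tx Power; once ap1 fails, ap0 and ap2 see each other at 10 m (above 70 dB) and step back up until Max Tx Power caps them, which is the failed-AP compensation the guide describes. The validation function mirrors the two rules in Table 15: Min Tx Power may not exceed Max Tx Power, and Auto Tx Power Ctrl Adj must lie within plus or minus (Max Tx Power - Min Tx Power).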
The ExtremeWireless 37xx/W78xC series are 802.11n-compliant access points. The AP38xx and AP39xx series are 11n- and 11ac-compliant. This section describes how to configure and modify the properties of an 11n or 11ac AP.

Channel Bonding

The 40 MHz channel width is achieved by bonding the primary channel (20 MHz) with an extension channel. Channel bonding is predefined on both Radio 1 and Radio 2 and is enabled by selecting the Channel Width on the Radio tabs. When selecting Channel Width, the following options are available:

• 20 MHz: Channel bonding is not enabled. 802.11n clients use the primary channel (20 MHz). Non-802.11n clients, as well as beacons and multicasts, use the 802.11a/b/g radio protocols.
• 40 MHz: Channel bonding is enabled. 802.11n clients that support the 40 MHz channel width can use 40 MHz, 20 MHz, or the 802.11a/b/g radio protocols. 802.11n clients that do not support the 40 MHz channel width can use 20 MHz or the 802.11a/b/g radio protocols. Non-802.11n clients, beacons, and multicasts use the 802.11a/b/g radio protocols.
• 80 MHz: Channel bonding is enabled. 802.11ac clients that support the 80 MHz channel width can use 80 MHz, 40 MHz, 20 MHz, or the 802.11a/b/g radio protocols. 802.11n clients, which do not support the 80 MHz channel width, can use 20 MHz, 40 MHz, or the 802.11a/b/g radio protocols. Non-802.11n clients, beacons, and multicasts use the 802.11a/b/g radio protocols.
• Auto: Channel bonding is automatically enabled or disabled, switching between 20 MHz, 40 MHz, and 80 MHz depending on how busy the extension channel(s) are. If the extension channel is busy above the threshold percentage defined in the 40 MHz Channel Busy Threshold box, channel bonding is disabled.

Channel Selection: Primary and Extension

The primary channel of the 802.11n AP is selected from the Request New Channel drop-down list. If Auto is selected, the ACS feature selects the primary channel. The entries in the Request New Channel drop-down list show which extension channel(s) are used for bonding.

Guard Interval

The guard interval ensures that individual transmissions do not interfere with one another. The 802.11n AP provides a shorter guard interval that increases channel throughput. You can select the guard interval from the Guard Interval drop-down list to improve channel efficiency; longer guard intervals reduce channel efficiency.

Aggregate MSDU and MPDU

The 802.11n AP provides aggregate MAC Service Data Unit (MSDU) and aggregate MAC Protocol Data Unit (MPDU) functions, which combine multiple frames into one larger frame for a single delivery. This aggregation reduces transmission overhead and increases throughput. The aggregation methods are enabled and configured from the Aggregate MSDUs and Aggregate MPDUs drop-down lists.

Antenna Selection

Wireless APs have differing numbers of antennas, internal or external, depending on the AP model. By default, wireless APs transmit on all antennas. Depending on your deployment requirements, you can configure the AP to transmit on specific antennas. You can configure the 802.11ac AP to transmit on specific antennas for both radios, in all of the available modes:

• Radio 1: a/n/ac and ac-strict modes
• Radio 2: b/g, g/n, b/g/n and n-strict modes

When you configure the AP to use specific antennas, the following occurs:

• Transmission power is recalculated. The Current Tx Power Level value for the radio is automatically adjusted to reflect the new antenna configuration. It takes approximately 30 seconds for the change to the Current Tx Power Level value to be reflected in the Wireless Assistant.
• The radio is reset, causing client connections on this radio to be lost.

To modify wireless AP radio properties:
1. From the top menu, click AP.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the Radio tab you want to modify.

Configuration Parameters for Radio Properties

Table 15: Radio Properties (Field: Description)

Base Settings

Admin Mode: Select On to enable the radio; select Off to disable the radio.

BSS Info: Read-only. After WLAN Service configuration, the Basic Service Set (BSS) section displays the MAC address on the AP for each WLAN Service and the SSIDs of the WLAN Services to which this radio has been assigned.

Radio Mode - Radio 1: Click one of the following radio options for Radio 1. Note: Depending on the radio modes you select, some of the radio settings may not be available for configuration. The AP hardware version dictates the available radio modes.
• a: Click to enable the 802.11a mode of Radio 1 without 802.11n capability.
• n-strict: Click to enable the 802.11a mode of Radio 1 with 802.11n strict capability.
• a/n: Click to enable the 802.11a mode of Radio 1 with 802.11n capability.
• ac-strict: Click to enable the 802.11ac mode of Radio 1 with 802.11ac strict capability.
• a/n/ac: Click to enable the 802.11ac mode of Radio 1 with 802.11ac capability.

Radio Mode - Radio 2: Click one of the following radio options for Radio 2. Note: Depending on the radio modes you select, some of the radio settings may not be available for configuration.
• b: Click to enable the 802.11b-only mode of Radio 2. If selected, the AP uses only 11b (CCK) rates with all associated clients.
• g: Click to enable the 802.11g-only mode of Radio 2.
• b/g: Click to enable both the 802.11g mode and the 802.11b mode of Radio 2. If selected, the AP uses 11b (CCK) and 11g-specific (OFDM) rates with all of the associated clients and does not transmit or receive 11n rates.
• g/n: Click to enable both the 802.11g mode and the 802.11n mode of Radio 2. If selected, the AP uses 11n and 11g-specific (OFDM) rates with all of the associated clients. The AP does not transmit or receive 11b rates.
• b/g/n: Click to enable the b/g/n modes of Radio 2. If selected, the AP uses all available 11b, 11g, and 11n rates.
• n-strict: Click to enable the 802.11n-strict mode of Radio 2. If selected, the AP can be configured to use 11n-strict rates with all of the associated clients. With n-strict mode enabled, the AP does not transmit or receive 11b or 11g rates.

Basic Radio Settings

RF Domain: Type a string that uniquely identifies a group of APs that cooperate in managing RF channels and transmission power levels. The maximum length of the string is 16 characters. The RF Domain is used to identify a group of APs; the RF Domain feature is part of the Auto Tx Power Control (ATPC) feature (for more information, see Configuring Wireless AP Radio Properties on page 174).

Current Channel: Read-only. The actual channel the ACS has assigned to the AP radio. The Current Channel value and the Last Requested Channel value may differ because ACS automatically assigns the best available channel to the AP, ensuring that an AP's radio is always operating on the best available channel.

Last Requested Channel: Read-only. The last wireless channel that you selected to communicate with the wireless devices.

Request New Channel: Click the wireless channel you want the wireless AP to use to communicate with wireless devices. Weather channels (116, 120, 124, 128) are supported for European compliance. See Channel Plan. Click Auto to request that ACS search for a new channel for the AP using its channel selection algorithm; this forces the AP to go through the auto-channel selection process again. Note: ACS in the 2.4 GHz radio band with 40 MHz channels is not recommended due to severe co-channel interference. Depending on the regulatory domain (based on country), some channels may be restricted. The default value is based on North America.
For more information, refer to the appropriate AP Installation Guide.

Auto Tx Power Ctrl (ATPC): Click to enable or disable ATPC from the Auto Tx Power Ctrl drop-down list. ATPC automatically adapts the transmission power according to the coverage provided by the APs. After a period of time, the system stabilizes itself based on the RF coverage of your wireless APs. Note: When enabled, the Min Tx Power and Auto Tx Power Ctrl Adjust parameters can be edited, and the ATPC algorithm adjusts the AP power between Max Tx Power and Min Tx Power. When disabled, the radio uses the selected Max Tx Power value or the largest value in the compliance table, whichever is smaller.

Max Tx Power: Select the Max Tx Power from the drop-down list. The values in the Max Tx Power drop-down list are in dBm and vary by AP. The values are governed by compliance requirements based on the country, radio, and antenna selected. Changing this value below the current Min Tx Power value changes the Min Tx Power to a level lower than the selected Max Tx Power. Note: If Auto Tx Power Ctrl (ATPC) is disabled, the selected value or the largest value in the compliance table, whichever is smaller, is the power level used by the radio.

Current Tx Power Level: The actual Tx power level used by the AP radio. Displays the dynamic power level based on the channel selected.

Min Tx Power: If ATPC is enabled, select the minimum Tx power level, which must be equal to or lower than the maximum Tx power level. Extreme Networks recommends that you use 0 dBm if you do not want to limit the potential Tx power level range that can be used. Note: The Min Tx Power setting cannot be set higher than the Max Tx Power setting.

Auto Tx Power Ctrl Adjust: A correction parameter that allows you to manually adjust (up or down) the Tx Power calculated by the ATPC algorithm. If ATPC is enabled, click the Tx power level to be used to adjust the ATPC power levels that the system has assigned. It is recommended that you use 0 dBm during the initial configuration. If you have an RF plan that recommends Tx power levels for each AP, compare the actual Tx power levels your system has assigned against the values your RF plan recommends, and use the Auto Tx Power Ctrl Adjust value to reach the recommended values. The valid range is from -(Max Tx Power - Min Tx Power) dB to +(Max Tx Power - Min Tx Power) dB.

Channel Plan - Radio 1: If ACS is enabled, you can define a channel plan for the AP. Defining a channel plan allows you to control which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. For 5 GHz radios, click one of the following:
• All channels: ACS scans all channels for an operating channel and, when ACS is triggered, the optimal channel is selected from all available channels.
• All Non-DFS Channels: ACS scans all non-DFS channels for an operating channel. With ACS, the AP selects the best non-DFS channel.
• All channels including weather radar: ACS selects the best channel from the available channels list. The selected channel may be DFS, weather-radar DFS, or non-DFS. Weather-radar channels are approved for selected AP models in selected countries; consult the compliance information for the selected AP. The weather channels occupy the 5600-5650 MHz sub-band and require a listening period before the AP can provide wireless service. During the listening period, the Current Channel field for DFS channels displays the value DFS Timeout, and the weather channel fields also display DFS Timeout. In Europe, the listening period can be up to 10 minutes. In the U.S., this period is 1 minute.
• Custom: To configure the individual channels from which ACS selects an operating channel, click Configure. The Custom Channel Plan dialog displays. By default, all channels participate in the channel plan. Click the individual channels you want to include in the channel plan. To select contiguous channels, use the Shift key. To select multiple, non-contiguous channels in the list, use the Ctrl key. Click OK to save the configuration.

For 2.4 GHz radios, click one of the following:

• 3 Channel Plan: ACS scans the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in the rest of the world.
• 4 Channel Plan: ACS scans the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world.
• Auto: ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in the rest of the world.
• Custom: To configure the individual channels from which ACS selects an operating channel, click Configure. The Add Channels dialog displays. Click the individual channels you want to add to the channel plan while pressing the Ctrl key, and then click OK.

Channel Plan - Radio 2: If ACS is enabled, you can define a channel plan for the AP. Defining a channel plan allows you to limit which channels are available for use during an ACS scan. For example, you may want to avoid using specific channels because of low power, regulatory domain, or radar interference. Click one of the following:
• 3 Channel Plan: ACS scans the following channels: 1, 6, and 11 in North America, and 1, 7, and 13 in most other parts of the world.
• 4 Channel Plan: ACS scans the following channels: 1, 4, 7, and 11 in North America, and 1, 5, 9, and 13 in most other parts of the world.
• Auto: ACS scans the default channel plan channels: 1, 6, and 11 in North America, and 1, 5, 9, and 13 in most other parts of the world.
• Custom: To configure the individual channels from which ACS selects an operating channel, click Configure. The Add Channels dialog displays. Click the individual channels you want to add to the channel plan while pressing the Ctrl key, and then click OK.

View: Click to open a new dialog that displays the selected Channel Plan for the antenna.

Related Links
Radio Advanced Properties on page 184
Radio Actions on page 130
AP Properties Tab Configuration on page 159
Assigning Wireless AP Radios to a VNS on page 168
Setting Up the Wireless AP Using Static Configuration on page 199
Setting Up 802.1x Authentication for a Wireless AP on page 203

Radio Advanced Properties

Table 16: Advanced Radio Properties (Field: Description)

Advanced Dialog - Base Settings

DTIM period: Type the desired DTIM (Delivery Traffic Indication Message) period, the number of beacon intervals between two DTIM beacons. To ensure the best client power savings, use a large number. Use a small number to minimize broadcast and multicast delay. The default value is 5.

Beacon Period: Defines the time, in milliseconds, between beacon transmissions. The default value is 100 milliseconds.

RTS/CTS Threshold: Type the packet size threshold, in bytes, above which a packet is preceded by an RTS/CTS (Request to Send/Clear to Send) handshake. The default value is 2346, which means all packets are sent without RTS/CTS. Reduce this value only if necessary.

Frag. Threshold: Type the fragment size threshold, in bytes, above which packets are fragmented by the AP prior to transmission. The default value is 2346, which means all packets are sent unfragmented. Reduce this value only if necessary.

Maximum Distance: Enter a value from 100 to 15,000 meters that identifies the maximum link distance between APs that participate in a WDS. This value ensures that the acknowledgement of communication between APs does not exceed the timeout value predefined by the 802.11 standard. The default value is 100 meters. If the link distance between APs is greater than 100 meters, configure the maximum distance (up to 15,000 meters) so that the software increases the timeout value proportionally with the distance between APs. Do not change the default setting for a radio that provides service to 802.11 clients only.

Advanced Dialog - Basic Radio Settings

Dynamic Channel Selection: To enable Dynamic Channel Selection, click one of the following:
• Monitor Mode: If enabled, a selection of DCS Interference Events appears in a separate dialog. If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated.
• Active Mode: If enabled, a selection of DCS Interference Events appears in a separate dialog. If traffic or noise levels exceed the configured DCS thresholds, an alarm is triggered and an information log is generated. In addition, the AP stops operating on the current channel and ACS is employed to automatically select an alternate channel for the AP to operate on.

Min. Basic Rate: Click the minimum data rate that must be supported by all stations in a BSS: 6, 12, or 24 Mbps and MCS0-MCS7 for an n radio (MCS0,1 to MCS7,1 for an a/n/ac radio). If necessary, the Max Basic Rate choices adjust automatically to be higher than or equal to the Min Basic Rate.

Probe Suppression: Click to enable probe suppression. Forced Disassociate: click to enable. RSS Threshold: -90 (range -50 to -100). Applies to AP37xx, AP38xx, and AP39xx series APs.

Advanced Dialog - Multicast Settings

Max % of non-unicast traffic per Beacon period: Enter the maximum percentage of time that the AP transmits non-unicast packets (broadcast and multicast traffic) for each configured Beacon Period. For each non-unicast packet transmitted, the system calculates the airtime used by the packet and drops all packets that would exceed the configured maximum percentage. By restricting non-unicast traffic, you limit the impact of broadcasts and multicasts on overall system performance.

Optimized for power save: Click to optimize for power save.

Adaptable rate: Click to enable adaptable rate capabilities.

Multicast to Unicast delivery: Click to set the Multicast to Unicast delivery method from the drop-down list.

Advanced Dialog - 11n Settings

Guard Interval: Intended to eliminate interference between symbols during transmission; it is the space between the symbols being transmitted. Valid values are Long or Short. Enabling the Short Guard Interval increases throughput but can increase interference. Enabling the Long Guard Interval can increase overhead due to additional idle time.

Protection Mode: Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.

Protection Type: Click a protection type, CTS Only or RTS CTS, used when a 40 MHz channel is in use. This protects high-throughput transmissions on extension channels from interference from non-11n APs and clients.

Extension Channel Busy Threshold: The percentage of time that the extension channel may be busy before channel bonding is disabled when Channel Width is set to Auto (see Channel Bonding).

Aggregate MSDUs: Click an aggregate MSDU mode: Enabled or Disabled. Aggregate MSDU increases the maximum frame transmission size.

Aggregate MPDUs: Click an aggregate MPDU mode: Enabled or Disabled. Aggregate MPDU provides a significant improvement in throughput.

Aggregate MPDU Max Length: Type the maximum length of the aggregate MPDU. The value range is 1024-65535 bytes. For the 802.11ac radio (Radio 1 of the AP38xx), the range is 1024-1048575.

Agg. MPDU Max # of Sub-frames: Type the maximum number of sub-frames of the aggregate MPDU. The value range is 2-64.

ADDBA Support: Click an ADDBA support mode: Enabled or Disabled. ADDBA, or block acknowledgement, provides acknowledgement of a group of frames instead of a single frame. ADDBA Support must be enabled if Aggregate MPDU is enabled.

STBC: Click an STBC mode: Enabled or Disabled. STBC is a simple open-loop transmit diversity scheme. When enabled, the STBC configuration is 2x1 (two spatial streams combine into one spatial stream). TXBF overrides STBC if both are enabled for single-stream rates.

LDPC: Click an LDPC mode: Enabled or Disabled. LDPC increases the reliability of the transmission, resulting in approximately 2 dB better performance compared to traditional 11n coding.

TXBF: Tx Beam Forming is a technique of re-aligning the phases of the transmitter's multipath spatial streams in order to get a better signal-to-noise ratio on the receiver side. Click a TXBF mode. For the AP37xx and AP38xx models, valid values are Enabled or Disabled. For the 39xx APs, this setting is only available on Radio 1 and valid values are MU-MIMO and Disabled.

Advanced Dialog - 11b Settings

Preamble: Click a preamble type for 11b-specific (CCK) rates: Short or Long. Click Short if you are sure that there is no pre-11b AP or client in the vicinity of this wireless AP. Click Long if compatibility with pre-11b clients is required.

Advanced Dialog - 11g Settings

Protection Mode: Click a protection mode: None, Auto, or Always. The default and recommended setting is Auto. Click None if 11b APs and clients are not expected. Click Always if you expect many 11b-only clients.

Protection Rate: Click a protection rate: 1, 2, 5.5, or 11 Mbps. The default and recommended setting is 11. Only reduce the rate if there are many 11b clients in the environment or if the deployment has areas with poor coverage, where rates lower than 11 Mbps are required to ensure coverage.

Protection Type: Click a protection type: CTS Only or RTS CTS. The default and recommended setting is CTS Only. Click RTS CTS only if an 11b AP that operates on the same channel is detected in the neighborhood, or if there are many 11b-only clients in the environment.

The overall throughput is reduced when Protection Mode is enabled, due to the additional overhead caused by the RTS/CTS exchange. The overhead is minimized by setting Protection Type to CTS Only and Protection Rate to 11 Mbps. The overhead can cause the overall throughput to be lower than if only 11b mode is used. If there are many 11b clients, it is recommended that you disable 11g support (11g clients are backward compatible with 11b APs). An alternative, although potentially more expensive, approach is to dedicate all APs on one channel to 11b (that is, disable 11g on these APs) and disable 11b on all other APs. The difficulty with this method is that the number of APs must be increased to ensure coverage separately for 11b and 11g clients.

Achieving High Throughput with 11n and 11ac Wireless APs

Note: Some client devices choose a 2.4 GHz radio even when a 5 GHz high-speed radio network is available. You may need to force those client devices to use only 5 GHz if you have configured high throughput only on the 5 GHz radio.

To achieve high throughput with the wireless APs, configure your system as described in this section.

To achieve high throughput with a wireless AP:

1. From the top menu, click AP.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. For Radio 2, configure the following:
• In the Radio Mode drop-down list, click b/g/n.
• In the Channel Width drop-down list, click 40 MHz.
• Under Advanced Settings, in the Guard Interval drop-down list, click Short.
• In the 11g Settings section, click None in the Protection Mode drop-down list.
Note: Do not disable 802.11g protection mode if you have 802.11b or 802.11g client devices using this AP. Instead, configure only Radio 1 for high throughput unless it is acceptable to achieve less than maximum 802.11n throughput on Radio 2.
• If only 802.11n devices are present, disable 11n protection and 40 MHz protection: Protection Mode, click None; Protection Type, click CTS only or RTS CTS.
Note: Do not disable 802.11n protection mode if you have 802.11b or 802.11g client devices using this AP. Instead, configure only Radio 1 for high throughput unless it is acceptable to achieve less than maximum 802.11n throughput on Radio 2.
• Aggregate MSDUs: click Enabled.
• Aggregate MPDUs: click Enabled.
• Aggregate MPDUs Max Length: click 65535 (for the 802.11ac AP models).
• Agg. MPDUs Max # of Sub-frames: type 64.
• ADDBA Support: click Enabled.

5. Click the Radio 1 tab, and then do the following:
• In the Admin Mode drop-down list, click On.
• In the Radio Mode drop-down list, click a/n for the AP3825, and a/n/ac for the AP3865 and the 39xx series APs.
• In the Channel Width drop-down list, click 40 MHz for the AP3825; for the AP3865 and the 39xx series, click 80 MHz.
• In the Guard Interval drop-down list, click Short.
• If only 802.11n devices are present, disable 11n protection and 40 MHz protection: Protection Mode, click None; Protection Type, click CTS only or RTS CTS.
• Aggregate MSDUs: click Enabled.
• Aggregate MPDU: click Enabled.
• Aggregate MPDU Max Length: click 65535 (for the 802.11ac AP models).
• Agg. MPDU Max # of Sub-frames: type 64.
• ADDBA Support: click Enabled.

6. From the top menu, click VNS.
7. In the left pane, select WLAN Services and select the WLAN service to configure.
8. Click the Privacy tab. Some client devices do not use 802.11n mode if they are using WEP or TKIP for security. Do one of the following:
• Select None (an open WLAN with no encryption).
• Select WPA-PSK, and then clear the WPA v.1 option. Select WPA v.2 and, in the Encryption drop-down list, click AES only.
Note: To achieve the strongest encryption protection for your VNS, it is recommended that you use WPA v.2.
9. Click the QoS tab. From the QoS tab, you can select WMM and Flexible Client Access (FCA) to get better throughput.
Note: For FCA, go to VNS > Global > Wireless QoS and set the Fairness Policy to 100% Airtime.
10. In the Wireless QoS section, select the WMM option. Some 802.11n client devices remain at legacy rates if WMM is not enabled.

NEW! Configuring IoT Applications

Configure IoT support from the IoT tab on access point models AP391x. ExtremeWireless supports Real Time Location Systems (RTLS) on APs that offer integrated BLE/802.15.4 radios for connectivity to Internet of Things (IoT) sensors and devices. The AP must be BLE enabled.

ExtremeWireless supports the following applications. Each supported AP can be configured for one application at a time.
• iBeacon: The AP is an Apple iBeacon and sends beacons in Apple iBeacon format.
• iBeacon Scan: The AP scans for Apple iBeacons, filtering beacons based on configuration parameters, and reports its findings to an Application Server.
• Eddystone-url Beacon: The AP sends a compressed URL in a beacon for automatic presentation of a website. Eddystone-url is supported by both iOS and Android 4.4 operating systems.
• Eddystone-url Scan: The AP scans for Eddystone-url beacons, filtering beacons based on configuration parameters, and reports its findings to an Application Server.
• Thread Gateway: The AP is a gateway router to the Thread network. Thread is a mesh networking protocol based on IEEE 802.15.4 for IoT devices.

Related Links
IoT iBeacon on page 190
IoT iBeacon Scan on page 191
Eddystone-url Beacon on page 193
Eddystone-url Scan on page 195
IoT Thread Gateway on page 196

IoT iBeacon

iBeacon is Apple's technology standard that allows mobile apps to identify a beacon's position in the physical world and deliver content based on the identified location. ExtremeWireless access point models AP391x support iBeacon.

Related Links
Configuring AP as an iBeacon on page 190
IoT iBeacon Scan on page 191
Configuring IoT Applications on page 189
IoT Multi-Edit Configuration on page 129

Configuring AP as an iBeacon

With the iBeacon application, configure a supported AP as an iBeacon in an IoT network. The following APs offer integrated BLE/802.15.4 radios: AP3912i, AP3915i/e, AP3916ic, AP3917i/e/k.

To configure iBeacon support from the IoT tab:
1. From the top menu, click AP. The AP screen displays.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the IoT tab, and select IoT Admin.
5. From the Application field, select iBeacon.

Figure 36: IoT Admin Tab, iBeacon Application

6. Configure the following parameters:

Table 17: IoT iBeacon Application Settings (Field: Description)

Application: Determines the application type. Select iBeacon.

Advertise Interval: The advertising interval for the beacon application. Valid values range from Min (100 ms) to Max (10240 ms). The default value is Min (100 ms).

UUID: Identifier used to differentiate a large group of related beacons. A company can have a network of beacons with the same UUID.

Major: Identifies a subset of beacons within the larger set. This value could represent a venue-specific attribute, such as a specific store or wing in a building. Valid values are 0 to 65535.

Minor: Identifies an individual beacon. Used to more precisely pinpoint beacon location. This value complements the UUID and Major values to provide more granular identification of a specific location, such as a particular shelf, doorway, or item. Valid values are 0 to 65535.

Related Links
IoT iBeacon on page 190
Configuring IoT Applications on page 189
IoT Multi-Edit Configuration on page 129

IoT iBeacon Scan

With iBeacon Scan, an AP scans for beacons, filtering data based on configuration parameters, and reports its findings to an Application Server. ExtremeWireless forwards an iBeacon report as a JSON message to the customer's Application Server. The iBeacon report includes the following data:
- AP serial number
- The MAC address of the iBeacon tag
- The RSSI (the signal strength of the iBeacon tag)
- The UUID of the iBeacon tag, including Major and Minor values

The following filters can be applied at the AP to specify the message stream:
- UUID. The Global Unique Identifier. iBeacon messages with a corresponding UUID are sent to the Application Server. All other UUID values are omitted.
- Minimum Received Signal Strength Indicator (RSSI). Transfers messages that meet the configured RSSI threshold. Messages received with an RSSI below the configured threshold are omitted.

Refer to the Integration Guide for details on the format of the iBeacon RTLS message.

The customer's Application Server handles the business logic and presentation of the IoT report. The Application Server:
- Calculates the distance between the BLE tag and the AP, based on the signal strength for the tag/radio channel
- Maps the AP Serial Number to a physical location
- Tracks BLE tags.

From ExtremeWireless, configure iBeacon Scan parameters under AP configuration.

Related Links
- Configuring iBeacon Scan on page 192
- IoT Multi-Edit Configuration on page 129
- Configuring IoT Applications on page 189
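The filtering and server-side handling described above, as an added Python example that is not ExtremeWireless code: it applies the AP-side UUID and Min RSSI filters (the same rules Table 18 documents, including the all-zero UUID that disables UUID filtering) to a constructed set of reports, checks the Scan Window against the Scan Interval, and performs the Application Server's serial-to-location mapping and distance estimate. The JSON field names (apSerial, mac, rssi, uuid, major, minor), the location map and the log-distance path-loss model are assumptions; the real message layout is defined in the Integration Guide.

```python
"""iBeacon Scan: AP-side filters and Application Server handling.

Added example, not ExtremeWireless code. Field names and the path-loss
model are assumptions; the Integration Guide defines the real message.
"""
import json

# Constructed reports carrying the fields the guide lists: AP serial,
# tag MAC, RSSI, and the tag's UUID with Major/Minor. Names are assumed.
SAMPLE_REPORT_JSON = json.dumps([
    {"apSerial": "1234567890123456", "mac": "AA:BB:CC:DD:EE:01", "rssi": -55,
     "uuid": "F7826DA6-4FA2-4E98-8024-BC5B71E0893E", "major": 100, "minor": 1},
    {"apSerial": "1234567890123456", "mac": "AA:BB:CC:DD:EE:02", "rssi": -91,
     "uuid": "F7826DA6-4FA2-4E98-8024-BC5B71E0893E", "major": 100, "minor": 2},
    {"apSerial": "1234567890123456", "mac": "AA:BB:CC:DD:EE:03", "rssi": -60,
     "uuid": "00000000-0000-0000-0000-000000000001", "major": 7, "minor": 9},
])
VENUE_UUID = "F7826DA6-4FA2-4E98-8024-BC5B71E0893E"      # constructed
NO_FILTER_UUID = "00000000-0000-0000-0000-000000000000"  # all zeros: UUID filter off
AP_LOCATIONS = {"1234567890123456": "Building A, floor 2"}  # constructed serial -> place


def uuid_filter_disabled(uuid_filter):
    """An all-zero configured UUID means no UUID filtering takes place."""
    return uuid_filter.replace("-", "").strip("0") == ""


def ap_filter(reports, uuid_filter, min_rssi):
    """Reproduce what the AP forwards: matching UUID (unless the filter is
    disabled) and RSSI at or above Min RSSI (valid range -100 to -10)."""
    if not -100 <= min_rssi <= -10:
        raise ValueError("Min RSSI must be between -100 and -10")
    match_all = uuid_filter_disabled(uuid_filter)
    kept = []
    for r in reports:
        if not match_all and r["uuid"].upper() != uuid_filter.upper():
            continue          # other UUID values are omitted
        if r["rssi"] < min_rssi:
            continue          # weaker than the configured threshold
        kept.append(r)
    return kept


def validate_scan_timing(scan_interval_ms, scan_window_ms):
    """Both values are 100..10240 ms and Scan Window must be below Scan Interval."""
    for v in (scan_interval_ms, scan_window_ms):
        if not 100 <= v <= 10240:
            raise ValueError("scan timing values must be 100..10240 ms")
    if scan_window_ms >= scan_interval_ms:
        raise ValueError("Scan Window must be less than Scan Interval")
    return True


def estimate_distance_m(rssi, tx_power_at_1m=-59, path_loss_exponent=2.0):
    """Log-distance path-loss estimate (assumed model). tx_power_at_1m is the
    calibrated RSSI at one metre that an iBeacon advertises."""
    return 10 ** ((tx_power_at_1m - rssi) / (10 * path_loss_exponent))


def process_report(report_json, uuid_filter=VENUE_UUID, min_rssi=-80):
    """Application Server side: filter as the AP would, map the AP serial to a
    location, and estimate each tag's distance from the reporting AP."""
    reports = json.loads(report_json)
    tracked = []
    for r in ap_filter(reports, uuid_filter, min_rssi):
        tracked.append({
            "mac": r["mac"],
            "beacon": (r["uuid"], r["major"], r["minor"]),
            "location": AP_LOCATIONS.get(r["apSerial"], "unknown AP"),
            "distance_m": round(estimate_distance_m(r["rssi"]), 2),
        })
    return tracked


if __name__ == "__main__":
    for entry in process_report(SAMPLE_REPORT_JSON):
        print(entry)
```

With the venue UUID and a Min RSSI of -80 configured, only the first constructed tag survives: the second is below the RSSI threshold and the third carries a different UUID. Setting the UUID filter to all zeros and Min RSSI to -100 forwards all three, which is the default behaviour in Table 18.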
Configuring iBeacon Scan

The following APs offer integrated BLE/802.15.4 radios: AP3912i, AP3915i/e, AP3916ic, AP3917i/e/k. To configure iBeacon Scan support from the IoT tab:
1. From the top menu, click AP. The AP screen displays.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the IoT tab, and select IoT Admin.
5. From the Application field, select iBeacon Scan.
   Figure 37: iBeacon Scan Application
6. Configure the following parameters:
Table 18: iBeacon Scan Settings

Application: Determines application type. Select iBeacon Scan.
Destination IP Address: IP address of the customer Application Server that receives the beacon report.
Destination Port: Destination Port on the customer Application Server that presents the beacon report.
Scan Interval: Determines how long to wait between scans. Valid values are Min (100ms) and Max (10240ms). The default value is Min (100ms).
Scan Window: Determines how long to scan per channel. Valid values are Min (100ms) and Max (10240ms). The value must be less than the Scan Interval value. Default value is 100ms.
UUID: Identifier used to differentiate a large group of related beacons. A company can have a network of beacons with the same UUID. Used for filtering data. ExtremeWireless forwards data with a matching UUID to the Application Server and filters out all other UUID data. If the configured UUID value is all zeros, no filtering occurs.
Min RSSI: This is the signal strength required to include the packet in the BLE report. Valid values: -10 to -100. Default value is -100. Data from beacons with an RSSI that is less than the configured Min RSSI value is filtered out.

Related Links
- IoT iBeacon Scan on page 191
- IoT Multi-Edit Configuration on page 129

NEW! Eddystone-url Beacon

Eddystone-url is a Google technology standard that supports the physical web by providing a beacon-delivered URL that offers content based on the identified location. Eddystone-url is supported by both iOS and Android 4.4 operating systems. An AP sends a beacon that includes a compressed URL. A mobile device app accepts the beacon, and the mobile user can access the URL that is provided in the beacon. This technology automatically presents websites to mobile users at the AP location. Possible use cases include:
- Registration at a medical facility or school.
- Online payment at a parking garage.
- Detailed information about a museum exhibit.

The beacon format is defined by a Google specification. Both the URL and the Advertising Interval are configurable parameters on the AP.

Related Links
- Configuring AP as an Eddystone-url Beacon on page 194

Configuring AP as an Eddystone-url Beacon

Configure an AP with an integrated BLE radio as an Eddystone-url Beacon in an IoT network. The following APs offer integrated BLE/802.15.4 radios: AP3912i, AP3915i/e, AP3916ic, AP3917i/e/k. To configure Eddystone-url Beacon support from the IoT tab:
1. From the top menu, click AP. The AP screen displays.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the IoT tab, and select IoT Admin.
5. From the Application field, select Eddystone-url Beacon.
   Figure 38: IoT Admin Tab Eddystone-url Beacon Application
6. Configure the following parameters:
Table 19: IoT Eddystone-url Beacon Application Settings

Application: Determines application type. Select Eddystone-url Beacon.
URL: The URL that is included with the Eddystone-url beacon. The URL is limited to 17 characters. The 17 characters do not include the protocol, but they do include the domain name. A secure protocol (HTTPS address) is required. The URL is compressed, effectively allowing more than a 17-character input. See https://github.com/google/eddystone/tree/master/eddystone-url for the Eddystone-url compression rules to more accurately judge the length of your URL. If necessary, third-party URL shortening services are also available on the internet.
Advertise Interval: The advertising interval for the beacon application. Valid values are Min (100ms) and Max (10240ms). The default value is Min (100ms).

Related Links
- Eddystone-url Beacon on page 193
- Configuring IoT Applications on page 189
- IoT Multi-Edit Configuration on page 129

NEW! Eddystone-url Scan

BLE-enabled APs capture beacons and send them to a configured Application Server. Upon reception, the server application triggers possible actions such as updating statistics related to beacon location or communicating with a mobile device application. An AP scans for beacons, filtering data based on configuration parameters, and reports findings to an Application Server. ExtremeWireless forwards the report as a JSON message to the customer's Application Server. The report includes the following data:
- AP Serial Number
- The MAC address of the beacon tag
- Decoded URL
- Device transmission power
- The signal strength of the beacon tag

The following filters can be applied at the AP to specify the message stream:
- Minimum Received Signal Strength Indicator (RSSI). Transfers messages that meet the configured RSSI threshold. Messages received with an RSSI below the configured threshold are omitted.

Note: Only scanned frames with the Eddystone-url format are supported. The UUID must be 0xFEAA.

The customer's Application Server handles the business logic and presentation of the IoT report. The Application Server:
- Calculates the distance between the BLE tag and the AP, based on the signal strength for the tag/radio channel
- Maps the AP Serial Number to a physical location
- Tracks BLE tags.

The following APs offer integrated BLE/802.15.4 radios: AP3912i, AP3915i/e, AP3916ic, AP3917i/e/k. From ExtremeWireless, configure Eddystone-url Scan parameters under AP configuration. Refer to the Integration Guide for details on the format of the beacon RTLS message.
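The URL compression that the Eddystone-url Beacon settings (Table 19) refer to, and the decoding a scanner performs to produce the "Decoded URL" and "Device transmission power" fields listed above, as an added Python example that is not ExtremeWireless code. The scheme-prefix and expansion tables are those of Google's Eddystone-URL specification linked from Table 19; the HTTPS-only check and the 17-byte limit on the encoded URL (the bytes after the scheme byte, which is why a long URL can still fit) mirror the guide's URL field description, and the 0xFEAA service UUID check mirrors the note above. Sample URLs and the TX power value are constructed.

```python
"""Eddystone-URL frame encoder (beacon side) and decoder (scan side).

Added example, not ExtremeWireless code. The scheme and expansion tables
are those of Google's Eddystone-URL specification linked from Table 19; the
HTTPS-only and 17-byte checks mirror the guide's URL field description.
"""
import struct

EDDYSTONE_SERVICE_UUID = 0xFEAA  # scanned frames must carry this 16-bit service UUID
FRAME_TYPE_URL = 0x10
MAX_ENCODED_URL = 17             # bytes allowed after the scheme-prefix byte

# Index in each list is the byte value used on the air.
SCHEMES = ["http://www.", "https://www.", "http://", "https://"]
EXPANSIONS = [".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
              ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov"]


def encode_url(url, require_https=True):
    """Compress a URL into scheme byte + encoded remainder, or raise ValueError."""
    # Try the longest scheme first so "https://www." is not mistaken for "https://".
    for code, scheme in sorted(enumerate(SCHEMES), key=lambda p: -len(p[1])):
        if url.startswith(scheme):
            break
    else:
        raise ValueError("URL must start with http:// or https://")
    if require_https and not scheme.startswith("https"):
        raise ValueError("an HTTPS address is required")
    rest = url[len(scheme):]
    out = bytearray([code])
    i = 0
    while i < len(rest):
        for exp_code, exp in sorted(enumerate(EXPANSIONS), key=lambda p: -len(p[1])):
            if rest.startswith(exp, i):
                out.append(exp_code)   # one byte replaces e.g. ".com/"
                i += len(exp)
                break
        else:
            if not 0x21 <= ord(rest[i]) <= 0x7E:
                raise ValueError("only printable ASCII is allowed in the URL")
            out.append(ord(rest[i]))
            i += 1
    if len(out) - 1 > MAX_ENCODED_URL:
        raise ValueError(f"encoded URL is {len(out) - 1} bytes, limit is {MAX_ENCODED_URL}")
    return bytes(out)


def url_error(url):
    """None if the URL fits the beacon, otherwise the reason it was rejected."""
    try:
        encode_url(url)
        return None
    except ValueError as exc:
        return str(exc)


def build_frame(url, tx_power_dbm=-20):
    """Service data for UUID 0xFEAA: frame type, TX power at 0 m, encoded URL."""
    return bytes([FRAME_TYPE_URL]) + struct.pack("b", tx_power_dbm) + encode_url(url)


def decode_frame(service_uuid, service_data):
    """Scanner side: accept only Eddystone-URL frames under 0xFEAA and return
    (tx_power_dbm, decoded_url), the two fields the scan report carries."""
    if service_uuid != EDDYSTONE_SERVICE_UUID:
        raise ValueError("not an Eddystone frame (service UUID must be 0xFEAA)")
    if len(service_data) < 3 or service_data[0] != FRAME_TYPE_URL:
        raise ValueError("not an Eddystone-URL frame")
    tx_power = struct.unpack("b", service_data[1:2])[0]
    scheme_code = service_data[2]
    if scheme_code >= len(SCHEMES):
        raise ValueError("unknown URL scheme prefix byte")
    url = SCHEMES[scheme_code]
    for b in service_data[3:]:
        if b < len(EXPANSIONS):
            url += EXPANSIONS[b]
        elif 0x21 <= b <= 0x7E:
            url += chr(b)
        else:
            raise ValueError(f"reserved byte 0x{b:02x} in encoded URL")
    return tx_power, url


if __name__ == "__main__":
    frame = build_frame("https://www.example.com/")   # constructed URL
    print(frame.hex(), decode_frame(EDDYSTONE_SERVICE_UUID, frame))
```

The encoder shows why the guide's 17-character figure is approximate: "https://www.extremenetworks.com/" is 20 characters after the scheme but encodes to 16 bytes because ".com/" collapses into one byte, while a host with no expandable suffix runs out of room much sooner.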
Configuring Eddystone-url Scan

To configure Eddystone-url Scan support from the IoT tab:
1. From the top menu, click AP. The AP screen displays.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the IoT tab, and select IoT Admin.
5. From the Application field, select Eddystone-url Scan.
   Figure 39: Eddystone-url Scan Application
6. Configure the following parameters:
Table 20: Eddystone-url Scan Settings

Application: Determines application type. Select Eddystone URL Scan.
Destination IP Address: IP address of the customer Application Server that receives the beacon report.
Destination Port: Destination Port on the customer Application Server that presents the beacon report.
Scan Interval: Determines how long to wait between scans. Valid values are Min (100ms) and Max (10240ms). The default value is Min (100ms).
Scan Window: Determines how long to scan per channel. Valid values are Min (100ms) and Max (10240ms). The value must be less than the Scan Interval value. Default value is 100ms.
Min RSSI: This is the signal strength required to include the packet in the BLE report. Valid values: -10 to -100. Default value is -100. Data from beacons with an RSSI that is less than the configured Min RSSI value is filtered out.
Related Links
- Eddystone-url Scan on page 195
- IoT Multi-Edit Configuration on page 129
- Configuring IoT Applications on page 189

IoT Thread Gateway

The ExtremeWireless Thread Network solution makes use of a single infrastructure to combine a wireless network with an IoT sensor network, while integrating with an enterprise backbone network. Each AP391x, with integrated BLE/802.15.4 radios, creates a separate Thread Network identified by a separate PAN ID. Sensors scan, find the AP Thread Network, and build a mesh network with that AP serving as the border gateway router. The AP routes network traffic between its own Thread Network interface and the IoT interface.

To configure a Thread Network, do the following:
- Configure a VNS:
  - Create a new VNS.
  - Enable IPv6 multicast.
  - Assign a VLAN.
  Note: The VLAN must have a router with DHCPv6-PD. The Thread Network supports IPv6 addressing only. If the DHCPv6 server provides a global address, all sensors in the network receive the global address and can therefore be managed from the Cloud IPv6 network.
- Configure IoT Thread Gateway on an AP391x.
- Configure a WLANS with an IoT port enabled.
- Configure a whitelist that defines the allowed sensor nodes and joiner sensors for the Thread Network.
  Note: If the whitelist is not configured, all sensors with password THREAD are accepted into the network.

Related Links
- Configuring an AP as a Thread Gateway on page 197
- Advanced Thread Gateway Properties on page 198
- Managing an IoT Whitelist on page 671
- IoT Multi-Edit Configuration on page 129

Configuring an AP as a Thread Gateway

To configure the Thread Network on each supported AP, take the following steps:
1. From the top menu, click AP. The AP screen displays.
2. Click the AP row (not the check box) for an AP model that offers a BLE/802.15.4 radio. The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the IoT tab, and select IoT Admin.
5. From the Application field, select Thread Gateway and click Advanced.
   Figure 40: IoT Admin Tab Thread Gateway Application
   The Advanced Thread Gateway parameters dialog displays.

Related Links
- Advanced Thread Gateway Properties on page 198
- IoT Thread Gateway on page 196

Advanced Thread Gateway Properties

Configure the following parameters on the selected AP. The AP serves as a border gateway router for its own Thread Network.

Figure 41: IoT Thread Gateway Properties

Note: The configured Thread Gateway displays on the Active Clients report, indicating that the gateway is up and running.

Table 21: Thread Gateway Properties

Application: Determines application type. Select Thread Gateway.
Name: Thread Network name. Default value is the AP serial number. Each AP creates a separate Thread Network identified by a separate Short PAN ID and Extended PAN ID.
Channel: The IEEE Standard 802.15.4 AP channel number.
Short PAN ID: A 16-bit, MAC-layer addressing field used in RF data transmissions between devices in a Thread Network. The default value is derived from the AP serial number. The Short PAN ID identifies the AP's Thread Network.
Extended PAN ID: A 64-bit, MAC-layer addressing field used in RF data transmissions between devices in a Thread Network. The default value is derived from the AP serial number. This value must be unique. It is used for a more specific network identification.
Master Key: Indicates the Network Master Key used to encrypt communication between nodes in a Thread Network.
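An added Python pre-deployment check, not ExtremeWireless code, for the Table 21 fields and the whitelist note in the Thread Network procedure: it verifies the Short PAN ID and Extended PAN ID widths, the rule that Extended PAN IDs are unique across APs, that a whitelist exists (otherwise any sensor presenting the joiner password THREAD is admitted), and flags a degenerate Master Key. The AP records and their values are constructed; the 128-bit Master Key length, the 0xFFFF broadcast PAN ID and the 2.4 GHz channel set 11 to 26 come from the Thread and IEEE 802.15.4 specifications, not from this guide.

```python
"""Pre-deployment lint for Thread Gateway settings on AP391x units.

Added example, not ExtremeWireless code. Sample records are constructed.
Field widths follow Table 21; the 128-bit Master Key length and the
2.4 GHz channel set 11-26 come from the Thread / IEEE 802.15.4 specs.
"""
import re

HEX = re.compile(r"^[0-9a-fA-F]+$")
DEFAULT_JOINER_PASSWORD = "THREAD"  # accepted from any sensor when no whitelist exists

SAMPLE_APS = [  # constructed values, not from any real deployment
    {"serial": "AP391X-0001", "channel": 15, "short_pan_id": "1a2b",
     "extended_pan_id": "1a2b3c4d5e6f7081",
     "master_key": "00112233445566778899aabbccddeeff",
     "whitelist": ["00124b0001a2b3c4"]},
    {"serial": "AP391X-0002", "channel": 27, "short_pan_id": "ffff",
     "extended_pan_id": "1a2b3c4d5e6f7081",
     "master_key": "ffffffffffffffffffffffffffffffff",
     "whitelist": []},
]


def _hex_field(ap, key, nibbles):
    """Return the field if it is a hex string of exactly `nibbles` digits, else None."""
    value = str(ap.get(key, ""))
    return value if HEX.match(value) and len(value) == nibbles else None


def lint_gateway(ap):
    """Findings for one AP's Thread Gateway properties (empty list == clean)."""
    findings = []
    if not 11 <= ap.get("channel", 0) <= 26:
        findings.append("Channel must be an 802.15.4 2.4 GHz channel (11-26)")
    short_pan = _hex_field(ap, "short_pan_id", 4)
    if short_pan is None:
        findings.append("Short PAN ID must be 16 bits (4 hex digits)")
    elif short_pan.lower() == "ffff":
        findings.append("Short PAN ID 0xFFFF is the 802.15.4 broadcast PAN ID")
    if _hex_field(ap, "extended_pan_id", 16) is None:
        findings.append("Extended PAN ID must be 64 bits (16 hex digits)")
    key = _hex_field(ap, "master_key", 32)
    if key is None:
        findings.append("Master Key must be 128 bits (32 hex digits)")
    elif len({key.lower()[i:i + 2] for i in range(0, 32, 2)}) == 1:
        findings.append("Master Key is one repeated byte; use a random key")
    if not ap.get("whitelist"):
        findings.append("No whitelist: any sensor presenting joiner password "
                        f"{DEFAULT_JOINER_PASSWORD} is accepted into the network")
    return findings


def lint_fleet(aps):
    """Per-AP findings plus the cross-AP rule that Extended PAN IDs are unique."""
    results = {ap["serial"]: lint_gateway(ap) for ap in aps}
    by_ext_pan = {}
    for ap in aps:
        ext = str(ap.get("extended_pan_id", "")).lower()
        by_ext_pan.setdefault(ext, []).append(ap["serial"])
    for serials in by_ext_pan.values():
        if len(serials) > 1:
            for serial in serials:
                results[serial].append("Extended PAN ID is not unique across APs")
    return results


if __name__ == "__main__":
    for serial, findings in lint_fleet(SAMPLE_APS).items():
        print(serial, findings or ["clean"])
```

Run against the constructed fleet, the first AP is clean on its own and is flagged only because the second AP reuses its Extended PAN ID; the second AP collects five findings, the missing whitelist being the one with the widest consequence.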
Related Links
- Configuring an AP as a Thread Gateway on page 197
- IoT Thread Gateway on page 196

Setting Up the Wireless AP Using Static Configuration

Static configuration settings allow you to set up branch office support. These settings can be employed whenever required, and are not dependent on branch topology. In the branch office model, while the controller is at a central office, APs are installed in remote sites. The APs must be able to interact in both the local site network and the central office network. When this is the case, a static configuration is recommended.

For initial configuration of a wireless AP to use a static IP address assignment:
- Allow the AP to first obtain an IP address using DHCP. By default, APs are configured to use the DHCP IP address configuration method.
- Allow the AP to connect to the controller using the DHCP-assigned IP address.
- After the AP has successfully registered to the controller, use the Static Configuration tab to configure a static IP address for the AP, and then save the configuration.
- Once the static IP address has been configured on the AP, the AP can then be moved to its target location, if applicable.

Note: If a wireless AP with a statically configured IP address (without a statically configured Wireless Controller Search List) cannot register with the controller within the specified number of retries, the wireless AP uses SLP, DNS, and SLP multicast as a backup mechanism.

To set up a wireless AP using static configuration:
1. From the top menu, click AP. The AP screen displays.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the Static Configuration tab.
5. Configure the following parameters:
   a. Select a VLAN (Virtual LAN) setting for the AP.
      Caution: Exercise caution when using this feature. For more information, see Configuring VLAN Tags for Wireless APs on page 203. If the Wireless AP VLAN is not configured properly (wrong tag), connecting to the AP may not be possible. To recover from this situation, you need to reset the AP to its factory default settings. For more information, see the Extreme Networks ExtremeWireless Maintenance Guide.
   b. Select a method of IP address assignment for the AP.
      Note: Client Port configuration is available for the AP3912. For more information, see Assigning WLAN Services to Client Ports on page 170.

Table 22: Static Configuration Properties

VLAN Settings
Tagged: Select if you want to assign this AP to a specific VLAN, and type the value in the box.
Untagged: Select if you want this AP to be untagged. This option is selected by default.
VLAN ID: Enter a VLAN ID. Valid values are 2 to 4094.

IP Address Assignment
Use DHCP: Select to enable Dynamic Host Configuration Protocol (DHCP). This option is enabled by default.
Static Values: Select to specify the IP address of the AP.
IP Address: Type the IP address of the AP.
Netmask: Type the appropriate subnet mask to separate the network portion from the host portion of the address.
Gateway: Type the default gateway of the network.

Ethernet Port
Ethernet Speed: If the AP has an Ethernet port, select values in the Ethernet Speed and Ethernet Mode drop-down lists.
Ethernet Mode: If the AP has an Ethernet port, select values in the Ethernet Speed and Ethernet Mode drop-down lists.
LACP: Applies to the AP38xx and AP39xx only. Click to enable Link Aggregation Control Protocol. This feature allows higher throughput by combining the two Ethernet ports. This feature is disabled by default.
Tunnel MTU: Enter a static MTU value, from 600 to 1500, in the Tunnel MTU box. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51). If the wireless software cannot discover the MTU size, it enforces the static MTU size. Set the MTU size to allow the source to reduce the packet size and avoid the need to fragment data packets in the tunnel.

Wireless Controller Search List
Add: In the Add box, type the IP address of the controller that will control this AP, then click the Add button to add the IP address to the list. Repeat this process to add the IP addresses of up to three controllers. This feature allows the AP to bypass the discovery process. If the Wireless Controller Search List box is not populated, the AP uses SLP unicast/multicast, DNS, or DHCP vendor option 43 to discover a controller. For the initial AP deployment, it is necessary to use one of the options described in Discovery and Registration on page 120.
Up: Select a controller and click the Up button to modify the order of the controllers. When an AP searches for a controller to register with, it begins with the first controller in the list.
Down: Select a controller and click the Down button to modify the order of the controllers. When an AP searches for a controller to register with, it begins with the first controller in the list.
Delete: Click to remove the controller from the list so that it can no longer control the AP.

Additional Buttons
Copy to Defaults: To make this AP's configuration the system's default AP settings, click Copy to Defaults. A pop-up dialog asking you to confirm the configuration change is displayed. To confirm resetting the system's default AP settings, click OK.
Reset to Defaults: If you have an AP that is already configured with its own settings, but would like the AP to be reset to use the system's default AP settings, use the Reset to Defaults feature.
Apply: Click to save your changes.

Related Links
- AP Properties Tab Configuration on page 159
- Assigning Wireless AP Radios to a VNS on page 168
- Configuration Parameters for Radio Properties on page 180
- Setting Up 802.1x Authentication for a Wireless AP on page 203

Configuring VLAN Tags for Wireless APs

Caution: Exercise caution while configuring a VLAN ID tag. If a VLAN tag is not configured properly, the connectivity between the controller and the AP will be lost.

To configure Wireless APs with a VLAN tag:
1. Connect the AP in the central office to the controller port (or to a network point) that does not require VLAN tagging.
2. From the top menu, click AP.
3. Click the Static Configuration tab.
4. In the VLAN Settings section, select Tagged - VLAN ID.
5. In the Tagged - VLAN ID text box, type the VLAN ID on which the AP operates.
6. To save your changes, click Save. The AP reboots and loses connection with the controller.
7. Log out from the controller.
8. Disconnect the AP from the central office network and move it to the target location.
9. Power up the AP. The AP connects to the controller. If the AP does not connect to the controller, the AP was not configured properly. To recover from this situation, reset the AP to its factory default settings, and reconfigure the static IP address.

Setting Up 802.1x Authentication for a Wireless AP

802.1x is an authentication standard for wired and wireless LANs. The 802.1x standard can be used to authenticate access points to the LAN to which they are connected. 802.1x support provides security for network deployments where access points are placed in public spaces.

To successfully set up 802.1x authentication of a Wireless AP, the AP must be configured for 802.1x authentication before the AP is connected to an 802.1x enabled switch port.

Caution: If the switch port to which the AP is connected is not 802.1x enabled, the 802.1x authentication does not take effect.

802.1x authentication credentials can be updated at any time, whether or not the AP is connected with an active session. If the AP is connected, the new credentials are sent immediately. If the AP is not connected, the new credentials are delivered the next time the AP connects to the controller. There are two main aspects to the 802.1x feature:
- Credential management: The controller and the AP are responsible for requesting, creating, deleting, or invalidating the credentials used in the authentication process.
- EAP-TLS Authentication: The AP is responsible for the actual execution of the EAP-TLS or PEAP protocol.

802.1x authentication can be configured on a per-AP basis. For example, 802.1x authentication can be applied to specific APs individually or with a multi-edit function. The 802.1x authentication supports two authentication methods:
- PEAP (Protected Extensible Authentication Protocol)
  - Is the recommended 802.1x authentication method
  - Requires minimal configuration effort and provides equal authentication protection to EAP-TLS
  - Uses user IDs and passwords for authentication of access points
- EAP-TLS
  - Requires more configuration effort
  - Requires the use of a third-party Certificate Authentication application
  - Uses certificates for authentication of access points

Note: Although a wireless AP can support using both PEAP and EAP-TLS credentials simultaneously, it is not recommended to do so. Instead, it is recommended that you use only one type of authentication and that you install the credentials for only that type of authentication on the wireless AP.

The controller can operate in either proxy mode or pass through mode.
- Proxy mode: The controller generates the public and private key pair used in the certificate.
- Pass through mode: The certificate and private key are created by the third-party Certificate Authentication application.

Related Links
- AP Properties Tab Configuration on page 159
- Assigning Wireless AP Radios to a VNS on page 168
- Configuration Parameters for Radio Properties on page 180
- Setting Up the Wireless AP Using Static Configuration on page 199
- Setting Up 802.1x Authentication for Wireless APs Using Managing Certificates on page 209

Configuring 802.1x EAP-TLS Authentication

EAP-TLS authentication uses certificates for authentication. A third-party Certificate Authentication application is required to configure EAP-TLS authentication. Certificates can be overwritten with new ones at any time. With EAP-TLS authentication, the controller can operate in the following modes:
- Proxy Mode on page 205
- Pass Through Mode on page 207

Note: When a wireless AP that is configured with 802.1x EAP-TLS authentication is connected to a controller, the AP begins submitting logs to the controller thirty days before the certificate expires, to give administrators a warning of the impending expiry date.

Proxy Mode

In proxy mode, the controller generates the public and private key pair used in the certificate. You can specify the criteria used to create the Certificate Request. The Certificate Request that is generated by the controller is then used by the third-party Certificate Authentication application to create the certificate used for authentication of the Wireless AP. To successfully configure 802.1x authentication of a Wireless AP, the AP must first be configured for 802.1x authentication before the AP is deployed on an 802.1x enabled switch port.

To configure 802.1x EAP-TLS Authentication in Proxy Mode:
1. From the top menu, click AP.
2. In the AP list, click the wireless AP (not the check box) for which you want to configure 802.1x EAP-TLS authentication.
3. Click the 802.1x tab.
4. Click Generate Certificate Signing Request. The Generate Certificate Signing Request window is displayed.
5. Type the criteria to be used to create the certificate request. All fields are required:
   - Country name: The two-letter ISO abbreviation of the name of the country
   - State or Province name: The name of the State/Province
   - Locality name (city): The name of the city
   - Organization name: The name of the organization
   - Organizational Unit name: The name of the unit within the organization
   - Common name: Click the value you want to assign as the common name of the wireless AP (see Table 23 on page 212 for credential parameters and values).
   - Email address: The email address of the organization
6. Click Generate Certificate Signing Request. A certificate request file is generated (.csr file extension). The name of the file is the AP serial number. The File Download dialog is displayed.
7. Click Save. The Save as window is displayed.
8. Navigate to the location on your computer where you want to save the generated certificate request file, and then click Save.
9. In the third-party Certificate Authentication application, use the content of the generated certificate request file to generate the certificate file (.cer file extension).
10. On the 802.1x tab, click Browse. The Choose file dialog is displayed.
11. Navigate to the location of the certificate file, and click Open. The name of the certificate file is displayed in the X509 DER / PKCS#12 file box.
12. To save your changes, click Save. The 802.1x EAP-TLS (certificate and private key) authentication in proxy mode is assigned to the AP. The wireless AP can now be deployed to an 802.1x enabled switch port.

Pass Through Mode

In pass through mode, the certificate and private key are created by the third-party Certificate Authentication application. To successfully configure 802.1x authentication of a wireless AP, the AP must first be configured for 802.1x authentication before the AP is deployed on an 802.1x enabled switch port. Before you configure 802.1x using EAP-TLS authentication in pass through mode, create a certificate using the third-party Certificate Authentication application and save the certificate file in PKCS #12 file format (.pfx file extension) on your system.

To configure 802.1x EAP-TLS Authentication in Pass Through Mode:
1. From the top menu, click AP.
2. Click the appropriate wireless AP in the list (not the check box). The AP dashboard displays.
3. Click Configure. The AP Properties tab displays.
4. Click the 802.1x tab.
5. Click Browse. The Choose file window is displayed.
6. Navigate to the location of the certificate file (.pfx) and click Open. The name of the certificate file is displayed in the X509 DER / PKCS#12 file box.
7. In the Password box, type the password that was used to protect the private key.
   Note: The password that was used to protect the private key must be a maximum of 31 characters long.
8. To save your changes, click Save.

The 802.1x EAP-TLS authentication in pass through mode is assigned to the wireless AP. The AP can now be deployed to an 802.1x enabled switch port.
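The two EAP-TLS workflows above produce different artifacts: proxy mode keeps the key pair on the controller and exports only a .csr for the CA to sign into a .cer, while pass-through mode imports a .pfx (PKCS#12) that the CA produced together with the private key, protected by a password of at most 31 characters. The following added Python example, which is not ExtremeWireless or controller code, builds both artifacts with the third-party cryptography package, round-trips the .pfx through its password, and applies the thirty-day expiry check from the note above. A self-signed CA created inside the block stands in for the third-party Certificate Authentication application; the subject values, AP serial, password and validity period are constructed.

```python
"""Proxy-mode and pass-through-mode EAP-TLS credential artifacts for an AP.

Added example, not ExtremeWireless or controller code. Requires the
third-party `cryptography` package. A self-signed CA built here stands in
for the third-party Certificate Authentication application; subject values
are constructed. The 31-character PKCS#12 password limit and the 30-day
expiry warning come from the guide.
"""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

AP_SERIAL = "1234567890123456"   # constructed; used as the Common name (Serial option)
MAX_PFX_PASSWORD = 31
EXPIRY_WARNING_DAYS = 30


def ap_subject(common_name):
    """The required CSR fields: C, ST, L, O, OU, CN and email (constructed values)."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "US"),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, "California"),
        x509.NameAttribute(NameOID.LOCALITY_NAME, "San Jose"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Corp"),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, "Wireless"),
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, "netops@example.com"),
    ])


def proxy_mode_csr(common_name):
    """Proxy mode: the controller keeps the key pair and hands out only a .csr."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(ap_subject(common_name))
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.PEM)


def ca_issue(csr_pem, ca_key, ca_name, days):
    """Stand-in CA: verify the CSR signature and return a DER .cer."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature is invalid")
    now = dt.datetime.now(dt.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_name)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .sign(ca_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.DER)


def pass_through_pfx(key, cert_der, password):
    """Pass-through mode: key and certificate leave the CA together as a
    password-protected PKCS#12 (.pfx); the controller accepts at most 31 characters."""
    if not 1 <= len(password) <= MAX_PFX_PASSWORD:
        raise ValueError("PKCS#12 password must be 1 to 31 characters")
    cert = x509.load_der_x509_certificate(cert_der)
    return pkcs12.serialize_key_and_certificates(
        name=AP_SERIAL.encode(), key=key, cert=cert, cas=None,
        encryption_algorithm=serialization.BestAvailableEncryption(password.encode()))


def days_until_expiry(cert_der, now=None):
    cert = x509.load_der_x509_certificate(cert_der)
    now = now or dt.datetime.now(dt.timezone.utc)
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:  # older cryptography releases: naive UTC datetime
        not_after = cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    return (not_after - now).days


def expiry_warning_due(cert_der, now=None):
    """The controller logs a warning once expiry is within thirty days."""
    return days_until_expiry(cert_der, now) <= EXPIRY_WARNING_DAYS


def demo(password="ap-secret", validity_days=365):
    """Run both workflows end to end and report what each check returned."""
    key, csr_pem = proxy_mode_csr(AP_SERIAL)
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert_der = ca_issue(csr_pem, ca_key, ap_subject("Stand-in CA"), validity_days)
    pfx = pass_through_pfx(key, cert_der, password)
    loaded_key, loaded_cert, _ = pkcs12.load_key_and_certificates(pfx, password.encode())
    near_expiry = dt.datetime.now(dt.timezone.utc) + dt.timedelta(days=validity_days - 10)
    return {
        "csr_is_pem": csr_pem.startswith(b"-----BEGIN CERTIFICATE REQUEST-----"),
        "cert_common_name": loaded_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value,
        "pfx_round_trips": loaded_key is not None
        and loaded_cert.public_bytes(serialization.Encoding.DER) == cert_der,
        "warning_now": expiry_warning_due(cert_der),
        "warning_ten_days_before_expiry": expiry_warning_due(cert_der, now=near_expiry),
    }


if __name__ == "__main__":
    print(demo())
```

The practical difference the code makes visible is where the private key travels: in proxy mode it never leaves the controller (only the PEM request does), whereas in pass-through mode the .pfx file and its password carry the key across whatever channel delivers them to the administrator's workstation.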
Viewing 802.1x Credentials

When 802.1x authentication is configured on a wireless AP, the light bulb icon on the 802.1x tab for the configured AP is lit to indicate which 802.1x authentication method is used. A wireless AP can be configured to use both EAP-TLS and PEAP authentication methods. For example, when both EAP-TLS and PEAP authentication methods are configured for the AP, both light bulb icons on the 802.1x tab are lit.

Note: You can view only the 802.1x credentials of wireless APs that have an active session with the controller. If you attempt to view the credentials of a wireless AP that does not have an active session, the AP Credentials window displays the following message: Unable to query wireless AP: not connected.

To view current 802.1x credentials:
1. From the top menu, click AP.
2. In the AP list, click the wireless AP (not the check box) for which you want to view its current 802.1x credentials.
3. Select the 802.1x tab.
4. In the Current Credentials section, click Get Certificate details. The Wireless AP Credentials window is displayed.

Deleting 802.1x Credentials

Caution: Exercise caution when deleting 802.1x credentials. For example, deleting 802.1x credentials may prevent the AP from being authenticated or cause it to lose its connection with the controller.

To delete current 802.1x credentials:
1. From the top menu, click AP.
2. In the AP list, click the wireless AP (not the check box) whose current 802.1x credentials you want to delete.
3. Select the 802.1x tab.
4. Do the following:
   - To delete EAP-TLS credentials, click Delete EAP-TLS credentials.
   - To delete PEAP credentials, click Delete PEAP credentials.
   The credentials are deleted and the AP settings are updated.

Note: If you attempt to delete the 802.1x credentials of a wireless AP that currently does not have an active session with the controller, the credentials are deleted only after the AP connects with the controller.

Setting Up 802.1x Authentication for Wireless APs Using Managing Certificates

In addition to configuring APs individually, you can also configure 802.1x authentication for multiple APs simultaneously by using the AP 802.1x Multi-edit feature. When you use the AP 802.1x Multi-edit feature, you can choose to:
- Assign EAP-TLS authentication based on generated certificates to multiple APs by uploading a .pfx, .cer, or .zip file.
- Assign PEAP credentials to multiple APs based on a user name and password that you define.

To configure 802.1x EAP-TLS Authentication in Proxy Mode using Multi-edit:
1. From the top menu, click AP. The AP screen displays.
2. In the APs list, select one or more APs to configure. To search for a specific AP, enter the AP in the search bar and click the search button.
3. Click Actions > Manage Certificates.
4. In the Certificate Signing Request section, type the following:
   - Country name: The two-letter ISO abbreviation of the name of the country
   - State or Province name: The name of the State/Province
   - Locality name (city): The name of the city
   - Organization name: The name of the organization
   - Organizational Unit name: The name of the unit within the organization
   - Common name: Click the value you want to assign as the common name of the wireless AP (see Table 23 on page 212 for credential parameters and values).
   - Email address: The email address of the organization
   - Key Size: If the key size is different from the default value shown, you can change it by selecting a new value from the drop-down menu.
5. Click Generate Certificates. The AP 802.1x Multi-edit progress dialog is displayed, which provides the status of the configuration process. Once complete, the File Download dialog is displayed.
6. Click Save. The Save as window is displayed.
7. Navigate to the location on your computer where you want to save the generated certificate_requests.tar file, and then click Save. The certificate_requests.tar file contains a certificate request (.csr) file for each AP.
8. Do one of the following:
   - For each certificate request, generate a certificate using the third-party Certificate Authentication application. This method produces a certificate for each wireless AP. Once complete, zip all the certificate files (.cer) into one .zip file.
   - Use one of the certificate requests and generate one certificate using the Certificate Authentication application. This method produces one certificate that can be applied to all APs.
9. In the Bulk Certificate Upload section, click Browse. The Choose file window is displayed.
10. Navigate to the location of the file (.zip or .cer), and then click Open. The name of the file is displayed in the PFX, CER or ZIP Archive box.
11. Click Upload and Set certificates. Once complete, the Settings updated message is displayed in the footer of the Wireless Assistant.

The 802.1x EAP-TLS authentication configuration is assigned to the APs. The APs can now be deployed to 802.1x enabled switch ports.

Configuring 802.1x EAP-TLS Authentication in Pass Through Mode Using Multi-edit

When you configure 802.1x EAP-TLS authentication in pass through mode using Multi-edit, do one of the following:
- Generate a certificate for each AP using the third-party Certificate Authentication application. When generating the certificates:
  - Use the Common name value (either Name, Serial, or MAC) of the AP to name each generated certificate.
  - Use a common password for each generated certificate.
  - All .pfx files created by the third-party Certificate Authentication application must be zipped into one file.
- Generate one certificate, using the third-party Certificate Authentication application, to be applied to all APs. When generating the certificate, use the Common name value (either Name, Serial, or MAC) of the wireless AP to name the generated certificate.

The 802.1x PEAP authentication configuration is assigned to the APs. The APs can now be deployed to 802.1x enabled switch ports.

Managing Certificates

To configure certificates, take the following steps:
1 Certificate Signing Request
Country name | The two-letter ISO abbreviation of the name of the country
State or Province name | The name of the State/Province
Locality name (city) | The name of the city
Organization name | The name of the organization
Organizational Unit name | The name of the unit within the organization
Common name | Click the value you want to assign as the common name of the wireless AP (see Table 23 on page 212 for credential parameters and values).
Email address | The email address of the organization
Key Size | If the key size is different from the default value shown, you can change it by selecting a new value from the drop-down menu.
2 Click Generate Certificates. The AP 802.1x Multi-edit progress window is displayed, which provides the status of the configuration process. Once complete, the File Download dialog is displayed.
3 Click Save. The Save as window is displayed.
4 Navigate to the location on your computer where you want to save the generated certificate_requests.tar file, and then click Save. The certificate_requests.tar file contains a certificate request (.csr) file for each AP.
5 Do one of the following:
- For each certificate request, generate a certificate using the third-party Certificate Authentication application. This method produces a certificate for each wireless AP. Once complete, zip all the certificate files (.cer) into one .zip file.
- Use one of the certificate requests and generate one certificate using the Certificate Authentication application. This method produces one certificate that can be applied to all APs.

Bulk Certificate Upload
6 Click Browse. The Choose file window is displayed.
7 Navigate to the location of the file (.zip or .cer), and then click Open. The name of the file is displayed in the PFX, CER or ZIP Archive box.
8 Click Upload and Set certificates. Once complete, the Settings updated message is displayed in the footer of the Wireless Assistant. The 802.1x EAP-TLS authentication configuration is assigned to the APs. The APs can now be deployed to 802.1x enabled switch ports.

PEAP Authentication
PEAP authentication uses user IDs and passwords for authentication. To successfully configure 802.1x authentication of a wireless AP, the AP must first be configured for 802.1x authentication before the AP is deployed on an 802.1x enabled switch port.
9 In the Username drop-down list, click the value you want to assign as the user name credential:

Table 23: Credential Parameters
Parameter | Value
Name | The name of the wireless AP, which is assigned on the AP Properties tab. The AP name can be edited.
Serial | The serial number of the AP. This setting cannot be edited.
MAC | The MAC address of the AP. The setting cannot be edited.
Other | Click to specify a custom value. A text box is displayed. In the text box, type the value you want to assign as the user name credential.

10 In the Password drop-down list, click the value you want to assign as the password credential.
11 To save your changes, click Save. The 802.1x PEAP authentication configuration is assigned to the AP. The AP can now be deployed to an 802.1x enabled switch port.

Related Links
Setting Up 802.1x Authentication for Wireless APs Using Managing Certificates on page 209

Configuring Co-Located APs in Load Balance Groups
You can configure APs that are co-located in an open area, such as a classroom, a conference hall, or an entrance lobby, to act as a load balance group. Load balancing distributes clients across the co-located APs that are members of the load balance group. The co-located APs should provide the same SSID, have Line-of-Sight (LoS) between each other, and be deployed on multiple channels with overlapping coverage.

Assign an AP's radio to the load balance group for the client distribution to occur. Load balancing occurs only among the assigned AP radios of the load balance group. Each radio can be assigned to only one load balance group. Multiple radios on the same AP do not have to be in the same load balance group. The radios that you assign to the load balance group must be on APs that are controlled by the same controller.
The load balance group uses one or more WLAN services for all APs assigned to the load balance group. You can configure two types of load balance groups:
- Client Balancing: a Client Balancing load group performs load balancing based on the number of clients across all APs in the group, and only for the WLANs assigned to the load group. This is different from load control in the Radio Preference group, where each AP makes load control decisions in isolation from the others.
- Radio Preference: a Radio Preference load group performs band preference steering and load control. Band preference steering is a mechanism to move 11a-capable clients to the 11a radio on the AP, relieving congestion on the 11g radio. No balancing is done between the 11a and 11g radios. Load control is disabled by default. A radio load group executes band preference steering and/or load control across the radios on each AP in the group. Each AP balances in isolation from the other APs, but all APs in the load group have the same configuration for band preference and load control.

Client balancing on the controller is AP-centric and requires no input from the client. The AP radios in the client balance group share information with secure (AES) messaging using multicast on the wired network. All APs in a client balance group must be in the same SIAPP cluster to ensure that each AP can reach all other APs in the client balance group over the wired subnet. If the APs in a client balance group are not in the same SIAPP cluster, client balancing happens independently within the subgroups defined by the SIAPP clusters.

The benefits of configuring your co-located APs that are controlled by the same controller as a client balance group are the following:
- Resource sharing of the balanced APs
- Efficient use of the deployed 2.4 and 5 GHz channels
- Reduced client interference by distributing clients on different channels
- Scalable 802.11 deployment: if more clients need to be served in the area, additional APs can be deployed on a new channel

You can assign a maximum of 32 APs to a client balance group. Table 24 lists the maximum number of load balance groups for each controller.

Table 24: Maximum Number of Load Balance Groups
ExtremeWireless Appliance | Number of load balance groups
C4110 | 32
C5110 | 64
C5210 | 64
C5215 | 64
C25 | 8
C35 | 8
V2110 | 32
V2110 (MS Hyper-V platform) | 64

Currently, all APs support load balance groups.

Creating a Load Balance Group
To create a load balance group:
1 From the top menu, click AP.
2 In the left pane, click Load Groups.
3 Click New. The Add Load Group window displays.
4 Enter a unique name for the load group ID, select a Type from the drop-down menu, and then click Add. The options are:
- Client Balancing: load balancing based on the number of clients across all APs in the load balance group, and only for the WLANs assigned to the group.
- Radio Preference: band preference steering and load control on this load group.
If you are adding a Client Balancing load balancing group, the Radio Assignment tab becomes available.
If you are adding a Radio Preference load balancing group, the Radio Preference tab becomes available.
The radios for both types of load groups can be assigned to a WLAN on the WLAN Assignment tab.

You can filter the display of AP Groups. In the left pane, expand Client Balancing to see only Client Balancing groups. Expand Radio Preference to see only Radio Preference groups.

Note: For more information about the fields on these screens, see Configuration Parameters for AP Load Groups on page 217.
To create a load balance group, see Creating a Load Balance Group on page 214.

Configuration Parameters for AP Load Groups

Table 25: AP Load Groups
Field/Button | Description
Load Group ID | Enter a unique name for the load group. You can create load groups with the same name on different controllers; however, the groups are treated as separate groups according to the home controller where the group was originally created.
Type | The type of load group is displayed. Options include:
- Client Balancing - select to perform load balancing based on the number of clients across all APs in the load balance group, and only for the WLAN Services assigned to the group.
- Radio Preference - select to perform band preference steering and enforce load control settings on this load group.
New | Click to create a new load group. The Add Load Group window displays.
Delete | Click to delete this load group.
Save | Click to save your changes.

Radio Assignment tab (available for load groups assigned the Client Balancing type)
Select AP Radios | From the drop-down menu, select the AP radios that you want to assign to the load group. Options include: All radios, Radio 1, Radio 2, Clear all radios. You can assign a radio to only one load balance group. A radio that is assigned to another load balance group has an asterisk next to it. If you select a radio that has been assigned to another load balance group, the radio is reassigned to the new load balance group. Note: You can assign each radio of an AP to different load balance groups.

Radio Preference tab (available for load groups assigned the Radio Preference type)
Band Preference | Select the Enable check box to enable band preference for this load group. You can apply band preference to a VNS assigned in the load group. Enabling band preference lets you move an 11a-capable client to an 11a radio to relieve congestion on an 11g radio. A client is considered 11a capable if the AP receives requests on an 11a VNS that already belongs to a load group with band preference enabled. After you configure band preference, if a client tries to re-associate with an 11g radio, it is rejected if the AP determines that the client is 11a capable.
Load Control | Select the following parameters for each radio assigned to this load group:
- Enable: Select this check box to enable Radio Load Control (RLC) for the individual radios (Radio 1 and Radio 2) associated with this Load Group.
- Max. # of Clients: Enter the maximum number of clients for Radio 1 and Radio 2. The default limit is 60. The valid range is 5 to 60.
- Strict Limit: Select this check box to enable a strict limit on the number of clients allowed on a specific radio, based on the max # of clients allowed. Limits can be enforced separately for radio 1 and radio 2.
AP Assignment | Select the APs on which you want to enforce the Band Preference and Load Control settings.

WLAN Assignment tab
WLAN Name | Click the check box of the one or more WLAN services that you want to assign to all member radios of the load balance group. You can select up to the radio limit of eight VNSs. When you assign a radio to a load group, WLAN service assignment can be done only from the WLAN Assignment tab on the Wireless AP Load Groups screen. On all other WLAN Assignment tabs associated with the member AP radios, the radio check box associated with the member AP radios is grayed out. When you remove a radio from a load group, the load group's WLAN service remains assigned to the radio, but you can now assign a different WLAN service to the radio.

How Availability Mode Affects Load Balancing
All radios assigned to a load group must belong to APs that are all controlled by the same controller. Availability mode can be configured only from the home controller on which the load group was created. Load balancing continues to operate if member APs fail over to the foreign controller as long as the WLAN service assignment remains the same. To ensure that load balancing works properly in availability mode, enable synchronization of the system configuration and the WLAN services used by the load group when you configure availability mode. If you do not enable synchronization, the radios on any AP that fails over may be removed from their assigned load groups. For more about availability mode, see Configuring Availability Using the Availability Wizard on page 539.

If you have configured synchronization, you cannot change the WLAN assignments from the foreign controller.
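The membership rules from Table 25 and the failover behaviour described in this section, as an added model that is not code from the guide or from Extreme Networks: one load group per radio (selecting a radio owned by another group reassigns it), at most eight WLAN services per group, at most 32 APs in a client balance group, Radio Load Control limits of 5 to 60 clients, band preference rejecting an 11a-capable client on the 11g radio, and removal of radios whose WLAN assignment on the foreign controller differs from the group's when synchronization is off. The group, AP and WLAN names are constructed sample values, and how the guide behaves when Strict Limit is cleared is not stated, so the model admits the client in that case.

```python
"""Constructed model of ExtremeWireless load-group membership rules (added example)."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAX_APS_PER_CLIENT_BALANCE_GROUP = 32            # "maximum of 32 APs to a client balance group"
MAX_WLANS_PER_LOAD_GROUP = 8                     # "radio limit of eight VNSs"
MIN_CLIENT_LIMIT, MAX_CLIENT_LIMIT, DEFAULT_CLIENT_LIMIT = 5, 60, 60

Radio = Tuple[str, int]   # (AP name, radio number 1 or 2)


@dataclass
class LoadGroup:
    name: str
    group_type: str                      # "client_balancing" or "radio_preference"
    wlans: Set[str] = field(default_factory=set)
    radios: Set[Radio] = field(default_factory=set)


class Controller:
    """Home controller's view of its load groups (constructed model)."""

    def __init__(self) -> None:
        self.groups: Dict[str, LoadGroup] = {}
        self.radio_owner: Dict[Radio, str] = {}   # radio -> name of the group that owns it

    def create_group(self, name: str, group_type: str, wlans: Set[str]) -> LoadGroup:
        if group_type not in ("client_balancing", "radio_preference"):
            raise ValueError("load group type must be Client Balancing or Radio Preference")
        if len(wlans) > MAX_WLANS_PER_LOAD_GROUP:
            raise ValueError("a load group may be assigned at most eight WLAN services")
        group = LoadGroup(name, group_type, set(wlans))
        self.groups[name] = group
        return group

    def assign_radio(self, group_name: str, ap: str, radio_no: int) -> Optional[str]:
        """Assign one radio; returns the group it was moved out of, or None."""
        group = self.groups[group_name]
        radio: Radio = (ap, radio_no)
        if group.group_type == "client_balancing":
            member_aps = {name for name, _ in group.radios} | {ap}
            if len(member_aps) > MAX_APS_PER_CLIENT_BALANCE_GROUP:
                raise ValueError("a client balance group may contain at most 32 APs")
        previous = self.radio_owner.get(radio)
        if previous is not None and previous != group_name:
            # Table 25: selecting a radio that belongs to another group reassigns it.
            self.groups[previous].radios.discard(radio)
        group.radios.add(radio)
        self.radio_owner[radio] = group_name
        return previous if previous != group_name else None


def radios_after_failover(group: LoadGroup, foreign_wlans: Dict[Radio, Set[str]],
                          synchronized: bool) -> Tuple[Set[Radio], Set[Radio]]:
    """Split a group's radios into (kept, removed) when their APs fail over."""
    if synchronized:
        return set(group.radios), set()   # synchronized WLAN services always match
    kept: Set[Radio] = set()
    removed: Set[Radio] = set()
    for radio in group.radios:
        # Without synchronization the foreign controller's assignment must equal the group's.
        if foreign_wlans.get(radio, set()) == group.wlans:
            kept.add(radio)
        else:
            removed.add(radio)
    return kept, removed


def load_control_admits(current_clients: int, max_clients: int = DEFAULT_CLIENT_LIMIT,
                        strict_limit: bool = True, enabled: bool = True) -> bool:
    """Radio Load Control admission decision for one radio."""
    if not MIN_CLIENT_LIMIT <= max_clients <= MAX_CLIENT_LIMIT:
        raise ValueError("Max. # of Clients must be between 5 and 60")
    if not enabled or not strict_limit:
        return True   # assumption: only Strict Limit is defined as enforcing the cap
    return current_clients < max_clients


def band_preference_allows(radio_band: str, client_11a_capable: bool, enabled: bool) -> bool:
    """Band preference rejects an 11a-capable client (re)associating on the 11g radio."""
    return not (enabled and radio_band == "11g" and client_11a_capable)
```

A radio that is removed after failover stays out of the group even if the foreign controller's WLAN assignment is corrected afterwards; the guide's remedy is to reconnect the AP to the home controller, which the model represents by re-running assign_radio on the home controller.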
If you have not configured synchronization, you must configure the foreign controller so that all AP radios in the load balance group have the same WLAN services assigned as originally configured for the load group before the AP fails over. If the WLAN services assigned do not match when an AP fails over, the affected AP radios are removed from the load group. If you change the WLAN services to match after the AP fails over, the AP radios are still not allowed to be in the load group. Reconnect the AP to the home controller to have the radios become part of the load group again.

If you have not configured synchronization, in a failover situation you are able to change the load balance group's WLAN service assignment from the VNS Configuration screens and the Wireless AP WLAN Assignment screens on the foreign controller.

Load Balance Group Statistics
You can view load balance group statistics through the Active Wireless Load Groups report. For more information, see Viewing Load Balance Group Statistics on page 631.

Configuring an AP Cluster
APs operating in both fit mode and standalone mode operate in a cluster setup. A cluster is a group of APs configured to communicate with each other. Mobile users (MU) can seamlessly roam between the APs participating in the cluster. Wireless APs extend basic cluster functions with the following enhancements:
- Client balancing across APs in the Load Group
- Client session synchronization between APs in the Site

APs operating on the same subnet with multicast and IGMP (Internet Group Management Protocol) snooping enabled can be formed into a cluster. You assign each AP a common, default cluster ID (shared secret). Each AP caches locally-stored information about the other cluster members and maintains its own view of the cluster, including the client session information in the Site.

An AP cluster can exist at any point in your network. Each cluster member periodically (every 30 seconds) sends a secure SIAPP (Siemens Inter-AP Protocol) multicast message to update the other cluster members. The SIAPP message includes:
- The AP name
- The AP Ethernet MAC address
- The AP IP address
- The client count
- The base BSSIDs for both radios
- Client session information, when the APs are members of a Site

To change an AP cluster's configuration:
1 From the top menu, click AP.
2 In the left pane, click Global Settings > AP Registration.
3 In the Secure Cluster section, enter a cluster shared secret.
4 Enable cluster encryption by clicking the User Cluster Encryption check box. APs on which user cluster encryption is disabled cannot participate in the cluster.
5 Enable or disable support for inter-AP roaming by clicking the Inter AP Roam check box.
6 Click Save.
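The periodic cluster update described above (AP name, Ethernet MAC, IP address, client count and base BSSIDs, sent every 30 seconds and protected by the cluster shared secret), as an added example of what the receiving AP has to check before it updates its cached view of the cluster. This is not the product's SIAPP wire format, which the guide does not document; it uses HMAC-SHA256 from the standard library in place of the product's AES protection, so that a message from an AP with the wrong secret, a replayed message, or a stale one is rejected. The key derivation (PBKDF2), the freshness window of two update periods, and all AP names, addresses and BSSIDs are assumptions or constructed sample values.

```python
"""Constructed model of authenticated AP-cluster update messages (added example)."""
import hashlib
import hmac
import json
from typing import Callable, Dict, List

UPDATE_PERIOD_S = 30                        # from the guide: one update every 30 seconds
FRESHNESS_WINDOW_S = 2 * UPDATE_PERIOD_S    # assumption: tolerate at most one missed update


def cluster_key(shared_secret: str, cluster_id: str) -> bytes:
    """Derive a per-cluster key from the shared secret (assumed KDF, not the product's)."""
    return hashlib.pbkdf2_hmac("sha256", shared_secret.encode(), cluster_id.encode(), 50_000, 32)


def build_update(key: bytes, ap_name: str, eth_mac: str, ip: str,
                 client_count: int, bssids: List[str], sent_at: float) -> bytes:
    """Serialise one update and append a keyed tag: <json>.<hex tag>."""
    body = {"ap": ap_name, "mac": eth_mac, "ip": ip, "clients": client_count,
            "bssids": list(bssids), "ts": sent_at}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"." + tag


class ClusterView:
    """One AP's locally cached view of the other cluster members."""

    def __init__(self, key: bytes, now: Callable[[], float]) -> None:
        self.key = key
        self.now = now                               # injected clock, so tests are deterministic
        self.members: Dict[str, dict] = {}           # keyed by the sender's Ethernet MAC
        self.last_seen_ts: Dict[str, float] = {}

    def receive(self, message: bytes) -> str:
        payload, _, tag = message.rpartition(b".")
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            # Wrong shared secret, tampered payload, or a sender with cluster encryption disabled.
            return "rejected: bad tag"
        body = json.loads(payload)
        if abs(self.now() - body["ts"]) > FRESHNESS_WINDOW_S:
            return "rejected: stale"
        if body["ts"] <= self.last_seen_ts.get(body["mac"], float("-inf")):
            return "rejected: replay"
        self.last_seen_ts[body["mac"]] = body["ts"]
        self.members[body["mac"]] = body
        return "accepted"

    def total_clients(self) -> int:
        """Client count across known members, the figure client balancing works from."""
        return sum(m["clients"] for m in self.members.values())
```

The tag check runs before the JSON is parsed, so an AP that is not in the cluster cannot influence the receiver's view at all, which matches the guide's statement that APs without cluster encryption cannot participate.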
Configuring an AP as a Guardian
Wireless access points that are configured as Guardians do not bridge traffic and instead devote all of the AP's resources to threat detection and countermeasures.
When an AP is Approved as a Guardian:
- The AP becomes a full time RADAR agent.
- The AP is added to a Guardian scan profile.
- The AP no longer provides the services (WLAN service, load group, site) that it provided prior to the change.
Note: Once an AP is assigned to a Guardian Scan Profile it stops forwarding traffic on both radios.

To configure an AP as a Guardian Scan Profile:
1 From the top menu, click WIPS.
2 In the left pane, expand Radar Profiles.
3 In the left pane, expand Guardian Scan and select an AP from the list or click New.
4 In the Add Scan Profile dialog, select Guardian from the Profile drop-down.
5 Click Add.
For more information, see Configuring a Guardian Scan Profile on page 577.

Configuring a Captive Portal on an AP
ExtremeWireless offers a scalable captive portal solution on the AP that can be managed locally or through a Cloud solution. The distributed solution is available on ExtremeWireless AP38xx series and AP39xx series APs. Firewall Friendly External Captive Portal (FFECP) on the AP for B@AP topologies is an extension of Firewall Friendly Captive Portal on the controller for tunneled (B@AC and routed) topologies. You can configure the FFECP with full authentication using a URI and signature, or you can configure a RADIUS server, authenticating with a user name and password.

To configure an External Captive Portal on an AP, the following is required:
- The WLAN Service topology must be VLAN B@AP.
- You must configure specific policy rules that define which traffic is allowed, which traffic is denied, and, if using Rule-based Redirection, which traffic is redirected.
- The Captive Portal must be configured as External Firewall Friendly.
Note: ExtremeWireless supports a non-topology specific implementation. Extreme will register the sub-domain apcp.ezcloudx.com and populate the public/Extreme DNS server with a DNS mapping of 1.1.1.1 for the FQDN apcp.ezcloudx.com.

In Figure 42, the default Access Control on the VLAN is Deny. Rules are created to allow the ECP URL, allow DNS and DHCP traffic, allow all outgoing MU traffic, and redirect specific traffic.
Figure 42: Example: Policy Rules for non-authenticated role

Related Links
Configuring Firewall Friendly External Captive Portal on an AP on page 223
Controlling Network Access on the AP on page 226
Configuring Firewall Friendly External Captive Portal on page 353
Assigning RADIUS Servers for Authentication on page 340
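The non-authenticated role described for Figure 42 (default Access Control Deny on the VLAN, with rules that allow DHCP and DNS, allow mobile-user access to the ECP, allow traffic towards the mobile user, and redirect other HTTP(S) to the portal), as an added first-match model that is not code from the guide or from Extreme Networks. It also models the two redirection modes the FFECP procedure distinguishes (Rule-based Redirection, and the automatic redirect of denied HTTP(S) when Rule-based Redirection is disabled) and the guide's limitation that redirection cannot be applied over IPv6. The ECP address 203.0.113.10, the sample packets, and the ports and directions used to express the filters are constructed assumptions.

```python
"""Constructed first-match model of the non-authenticated FF-ECP role (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    direction: str    # "out" = from the mobile user, "in" = towards the mobile user


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow", "deny" or "redirect"
    direction: str = "any"
    proto: str = "any"
    dports: Tuple[int, ...] = ()
    dst_net: Optional[str] = None     # IP/subnet classifier

    def matches(self, p: Packet) -> bool:
        if self.direction not in ("any", p.direction):
            return False
        if self.proto not in ("any", p.proto):
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.dst_net is not None:
            net, addr = ip_network(self.dst_net), ip_address(p.dst)
            if addr.version != net.version or addr not in net:
                return False
        return True


@dataclass
class Role:
    name: str
    default_action: str               # the role's default Access Control (VLAN & Class of Service tab)
    rules: List[Rule]


# Constructed ECP address; the guide requires this IP/subnet to match the Redirection URL on the FFECP dialog.
ECP_NET = "203.0.113.10/32"
HTTP_PORTS = (80, 443)

NON_AUTH_ROLE = Role("guest-unauthenticated", "deny", [
    Rule("allow", "out", "udp", (67, 68)),              # DHCP
    Rule("allow", "out", "udp", (53,)),                 # DNS
    Rule("allow", "out", "tcp", (53,)),
    Rule("allow", "out", "tcp", HTTP_PORTS, ECP_NET),   # mobile user access to FF-ECP
    Rule("allow", "in"),                                # traffic towards the mobile user
    Rule("redirect", "out", "tcp", HTTP_PORTS),         # HTTP(S) redirection (Rule-based mode)
])


def evaluate(p: Packet, role: Role, rule_based_redirection: bool = True) -> str:
    """Return the action applied to packet p under the role; the first matching rule wins."""
    for rule in role.rules:
        if rule.action == "redirect":
            if not rule_based_redirection:
                continue      # redirect rules only take effect in Rule-based mode
            if ip_address(p.dst).version == 6:
                continue      # guide: captive-portal redirection cannot be applied over IPv6
        if rule.matches(p):
            return rule.action
    action = role.default_action
    if (action == "deny" and not rule_based_redirection and p.direction == "out"
            and p.proto == "tcp" and p.dport in HTTP_PORTS and ip_address(p.dst).version == 4):
        return "redirect"     # non-Rule-based mode: denied HTTP(S) is sent to the ECP automatically
    return action
```

Rule order matters: the allow for the ECP must precede the HTTP(S) redirect, otherwise the portal itself would be redirected, and the default Deny is what keeps any traffic the rules do not name (SSH, SMB, and so on) off the network before authentication.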
Configuring Firewall Friendly External Captive Portal on an AP
To configure a Firewall Friendly External Captive Portal (FFECP) on the AP, take the following steps:
1 If configuring Rule-based Redirection, verify that Rule-based Redirection is enabled. Go to VNS > Global > Filtering Mode and select Enable Rule-Based Redirection. Rule-Based Redirection is enabled by default for new installations of ExtremeWireless v10.11 and later. When upgrading from an earlier version of ExtremeWireless, this option is cleared by default. You must enable Rule-Based Redirection from the Filtering Mode screen.
Note: The option to disable Rule-based Redirection is available for backward compatibility only. Rule-based Redirection relies on policy rules that are defined for HTTP(S) redirection. Non-Rule-based Redirection automatically redirects an un-authenticated client to the ECP when a deny action occurs on HTTP(S) traffic.
Note: You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can use HTTP to reach IPv6 websites, you cannot apply Captive Portal redirection to HTTP(S) over IPv6.
2 Create a basic topology where the topology mode is Bridge Traffic Locally at AP. The topology can be tagged or untagged. For more information, see Configuring a Basic Topology on page 267 in the User Guide.
Note: For B@AP traffic, only the FF ECP is supported as an external captive portal.
3 Create a role and define specific policy rules. The role must be configured with the following parameters:
- From the VLAN & Class of Service tab, select a default Access Control value for the role. Select one of the following:
  - None - No role defined
  - No change - Default setting
  - Allow - Packets are contained to the role's default action's VLAN/topology.
  - Deny - Any packet not matching a rule in the Role is dropped.
  - Containment VLAN - Any packet not matching a rule is sent to the defined VLAN.
- On the Policy Rules tab, enable AP Filtering.
- Configure specific policy filters:
  - Allow DHCP and DNS traffic.
  - Mobile user access to FF-ECP.
  - Allow traffic towards the mobile user.
  - HTTP(S) redirection.
For more information, see Configuring Rule-Based Redirection on page 291 in the User Guide.
Note: ExtremeWireless supports a non-topology specific implementation. Extreme will register the sub-domain apcp.ezcloudx.com and populate the public/Extreme DNS server with a DNS mapping of 1.1.1.1 for the FQDN apcp.ezcloudx.com.
4 Configure a WLAN Service with the following parameter settings:
- Default Topology = Bridged at AP, tagged or untagged.
- Select an AP.
- Configure Privacy settings.
- Configure the Captive Portal to be External Firewall Friendly.
- (Optional) Configure RADIUS servers for RADIUS authentication. For more information, see Assigning RADIUS Servers for Authentication on page 340 in the User Guide.
Note: If using RADIUS authentication, FF-ECP on the AP can work with both local and central RADIUS authentication.
Configure the following parameters on the ECP:
- When configuring the Allow policy for the ECP, the IP/subnet value specified on the Filter Rule Definition dialog must match the Redirection URL value specified on the FFECP Configure dialog.
- The Identity and Shared Secret fields are required and must match the values used when you configured the captive portal.
- Select the Vendor Specific Attributes (VSAs) for authentication. For more information, see Vendor Specific Attributes on page 344 in the User Guide.
- Select an option for Send Successful Login To.
For FFECP local RADIUS authentication:
- The AP must be in Site mode.
- Local RADIUS authentication is configured on at least one RADIUS server.
- The Signature option is unchecked.
5 Configure a VNS with the authenticated and non-authenticated policies.

Related Links
Configuring a Basic Topology on page 267
Configuring Rule-Based Redirection on page 291
Understanding the Filter Rule Definition Dialog on page 302
Configuring a Basic WLAN Service on page 319
Configuring WLAN Service Privacy on page 330
Configuring Firewall Friendly External Captive Portal on page 353
Assigning RADIUS Servers for Authentication on page 340

Controlling Network Access on the AP
When Rule-based Redirection is disabled, denied HTTP(S) traffic from a non-authenticated client is automatically redirected to the External Captive Portal by the AP. To control network access after authentication, configure roles that have an Access Control of deny and specify that role under Virtual Networks > General.
To configure default roles that deny network access after authentication:
1 Go to Virtual Networks and select a VNS or click New.
2 Specify the default roles for Authenticated network traffic. In the Authenticated field under Default Roles, select a role or create a new role that has policy rules defined to deny access. For more information, see Understanding the Filter Rule Definition Dialog on page 302.

AP3916ic Integrated Camera Deployment
The AP3916ic features an integrated video camera, offering a single device for wireless access and security purposes. Video management is provided by the customer's Video Management System (VMS), integrated per ONVIF Profile S 2.4 compliance. The camera deployment process is as follows:
1 The AP3916ic is connected to the network and the controller discovers the camera IP address.
2 Associate a WLAN B@AP or B@AC topology to the camera port.
Note: Per the ONVIF specification, video management systems query the network through WS-Discovery multicast (239.255.255.250). Allow multicast when configuring the default camera topology.
3 The camera requests a DHCP address.
4 The EWC Active Clients Report lists the IP address of the camera. You can export the client IP address list to an XML file.
- Client IP = IP address of the camera module
- Device Type = Extreme Networks 2 MP Camera (EXTR2MP-CAM)
- AP = the AP the camera module is associated with
- Radio/Port = CAM
- Packet/Byte counters = indicate camera activity
(Optional) The camera IP address can be detected by third-party tools, such as ONVIF Device Manager.
Note: ExtremeWireless manages the AP and camera firmware revision. After initial connection, the AP/camera may undergo a firmware upgrade. The upgrade process runs before the device becomes fully active on the network.
5 Based on the reported IP address of the camera, the user associates the camera to the video surveillance system. For information about camera configuration settings, see Accessing the Camera Web User Interface on page 227.

Related Links
AP3916ic (Integrated Camera) on page 104
Assigning WLAN Services to Client Ports on page 170
Upgrading the Camera Image Manually on page 237
Multicast Filtering on page 281
AP3916ic-Camera Web User Interface on page 227

Camera Direct Stream Subscription
If your video management system does not support ONVIF/IP camera discovery, subscribe directly using Real Time Streaming Protocol (RTSP). With direct stream, video is streamed through RTSP H.264 or Motion JPEG (MJPEG):
Stream 1:
- Max Resolution: 1920x1080 (1080p)
- RTSP URL: rtsp://<Camera IP>:554/live/ch00_0
Stream 2:
- Max Resolution: 640x360
- RTSP URL: rtsp://<Camera IP>:554/live/ch01_0

AP3916ic-Camera Web User Interface
The AP3916ic is an 11ac Wave 2 AP with an integral security camera that lets you extend your Wireless LAN and provide simultaneous wireless service, BLE or 802.15.4 coverage and security in public spaces, such as classrooms and offices. Extreme Networks offers a web-based user interface to customize and configure the camera.

Related Links
Accessing the Camera Web User Interface on page 227
Camera UI Basic Functions on page 228

Accessing the Camera Web User Interface
Take the following steps to access the AP3916ic Web User Interface:
1 Using your browser, navigate to the IP address of the camera. Find the camera IP address on the AP dashboard of the AP3916ic: go to the AP list and click an AP3916ic.
2 Enter the camera IP address into your browser. The web UI displays.
Figure 43: AP3916ic Web UI
3 Log in with the default credentials admin/admin. The credentials are case sensitive. Later, you can customize these credentials. See User Management on page 235.
Note: After the initial login, set a password in accordance with your IT policy regulations. Using default credentials is a security vulnerability for your network.

Related Links
AP3916ic (Integrated Camera) on page 104
Camera UI Basic Functions on page 228
AP3916ic Integrated Camera Deployment on page 226
Camera Direct Stream Subscription on page 227

Camera UI Basic Functions
Configure the AP3916ic camera using the web user interface. The AP3916ic web user interface is divided into the following tabs:
- System on page 229
- Network on page 231
- Media on page 232
- User Management on page 235

Related Links
Accessing the Camera Web User Interface on page 227
AP3916ic (Integrated Camera) on page 104
Camera Direct Stream Subscription on page 227

System
System settings for the AP3916ic camera:
Status: Displays status information about the system, network, and video streams.
Figure 44: Sample System and Network Status
Figure 45: Sample Video Status
Time: Date/Time settings for the camera.
Figure 46: Sample Manual Time Settings
Figure 47: Sample NTP Server Settings
Firmware: Browse to the camera image (.dlf file) and apply the image. Camera firmware is distributed and managed from the controlling ExtremeWireless appliance. If GTAC Support determines that a specific firmware version is required on your device, the on-board firmware upload functionality can be used to install the image. GTAC will provide the necessary firmware (.dlf) file.
Backup: Save camera settings to a backup file or restore settings from an existing backup file.
Figure 48: Sample Backup/Restore Settings
Reset to Default/Reboot:
- Reset Camera Defaults: Reset the camera to factory default settings. Back up the current settings before resetting to factory default settings.
- Reboot Camera: Restarts the camera. The current camera settings are retained after a camera restart.

Network
Network settings for the AP3916ic camera.
IP Configuration: Configure network settings for the camera port.
Note: Dynamic IP (DHCP) is the default network Mode.
Figure 49: Sample IP Configuration Settings
Universal Plug and Play (UPnP)
Figure 50: Sample Discovery Settings: UPnP

Media
Configure settings for video, camera, advanced settings, privacy mask, and audio.
Video
Figure 51: Sample Video Configuration Settings
The video feed assumes a ceiling-mount default orientation. When installing the AP in any other orientation, adjust the video feed accordingly. For example, when the AP is installed as a desk-mount, the video Mirror/Flip setting should be Flip.
Camera
Figure 52: Sample Camera Settings
Advanced
Figure 53: Sample Camera Advanced Settings
Audio
Figure 54: Sample Camera Audio Settings

User Management
Add and delete user accounts, change user settings, and change user passwords.
User List
Figure 55: User Management Settings
Note: You cannot delete the Administrator account.

Performing AP Software Maintenance
When a new version of AP software becomes available, you can install it from the controller. You can configure each AP to upload the new software version either immediately, or the next time the AP connects to the controller. You can also set up a maintenance cycle for specific APs using the options available on the AP Maintenance Cycle tab. Part of the AP boot sequence seeks and installs its software from the controller.
Warning: Never disconnect an AP from its power supply during a firmware upgrade. Disconnecting an AP from its power supply during a firmware upgrade may cause firmware corruption, rendering the AP unusable.

You can modify most of the radio properties on an AP without requiring a reboot of the AP.

During an upgrade, the AP keeps a backup copy of its software image. When a software upgrade is sent to the AP, the upgrade becomes the AP's current image and the previous image becomes the backup. In the event of failure of the current image, the AP runs the backup image.

Maintaining the List of Current AP Software Images
To maintain the list of current wireless AP software images:
1 From the top menu, click AP.
2 In the left pane, click Global > Maintenance. The following screen appears:
Figure 56: AP Software Maintenance
3 In the AP Images for Platform drop-down list, click the appropriate platform.
4 To select an image to be the default image for a software upgrade, click it in the list, and then click Set as default.
5 In the Upgrade Behavior section, select one of the following:
- Upgrade when AP connects using settings from Controlled Upgrade: The Controlled Upgrade tab is displayed when you click Save. Controlled upgrade allows you to individually select and control the state of an AP image upgrade: which APs to upgrade, when to upgrade, how to upgrade, and to which image the upgrade or downgrade should be done. Administrators decide on the levels of software releases that the equipment should be running.
- Always upgrade AP to default image (overrides Controlled Upgrade settings): Selected by default. Allows for the selection of a default revision level (firmware image) for all APs in the domain. As the AP registers with the controller, the firmware version is verified. If it does not match the value defined for the default image, the AP is automatically requested to upgrade to the default image.
6 To save your changes, click Save.

Related Links
Upgrading the Camera Image Manually on page 237

Upgrading the Camera Image Manually
The camera image (.dlf file) is distributed within the controller builds. The AP manages the camera image; camera images are automatically upgraded with the AP image upgrade when a new camera image is available.
1 From the top menu, click AP.
2 In the left pane, click Global > Maintenance.
3 From the AP Software Maintenance tab, under Download AP Images:
a Provide the necessary information to download the camera image le. b Select AP3916-Camera as the Platform. c Click Download. You have the option to upgrade the camera image manually if necessary. To upgrade the AP3916ic camera image manually:
4 Under Upgrade Behavior, select Upgrade when AP connects using settings from Controlled Upgrade. ExtremeWireless V10.41.06 User Guide 237 Conguring the ExtremeWireless APs 5 Click Save. The CControlled Upgrade tab displays. D Figure 57: Manually Upgrading Camera Image 6 Select the CControlled Upgrade tab. raft Figure 58: Controlled Upgrade Tab 7 Select AP Platform: AP3916-camera. 8 Select the camera image le. 9 Click Camera Image Upgrade. Scheduling a Maintenance Cycle for Specic APs To schedule a maintenance cycle for specic APs:
1 Go to AP.
2 In the left pane, click Global Settings > Maintenance.
3 Click the AP Maintenance Cycle tab. The following screen appears:
4 Click the Start At box to display the Choose Time dialog.
5 Adjust the sliders for both Hour and Minute to set the time for the AP maintenance cycle, then click Done.
6 In the Duration drop-down, select the desired duration time (in hours).
7 Under Recurrence, select the desired frequency.
8 Under Platforms, select the AP(s) that are included in the maintenance cycle.
9 Click Save.

Deleting a Wireless AP Software Image
To delete a wireless AP software image:
1 From the top menu, click AP. The AP screen displays.
2 In the left pane, click Global > Maintenance.
3 In the AP Images for Platform drop-down list, click the appropriate platform.
4 In the AP Images list, click the image you want to delete.
5 Click Delete. The image is deleted.

Downloading a new Wireless AP Software Image
To download a new wireless AP software image:
1 From the top menu, click AP.
2 In the left pane, click Global Settings, then AP Maintenance. The AP Software Maintenance tab is displayed.
3 In the Download AP Images list, type the following:
FTP Server: The IP address of the FTP server to retrieve the image file from.
User ID: The user ID for the controller to use when it attempts to log in to the FTP server.
Password: The corresponding password for the user ID.
Confirm: The corresponding password for the user ID, to confirm it was typed correctly.
Directory: The directory on the server in which the image file to be retrieved is stored.
Filename: The name of the image file to retrieve.
Platform: The AP hardware type to which the image applies. There are several types of AP and they require different images.
Note that FTP carries the user ID, password and image file in cleartext, so use a dedicated, least-privilege account on a server reachable only from the controller's management network.
4 Click Download. The new software image is downloaded.

Defining Parameters for a Controlled Software Upgrade
To define parameters for a wireless AP controlled software upgrade:
1 From the top menu, click AP.
2 In the left pane, click Global > Maintenance.
3 Under Upgrade Behavior, select Upgrade when AP connects using settings from Controlled Upgrade. The Controlled Upgrade tab displays.
4 Click the Controlled Upgrade tab.
Note: The Controlled Upgrade tab is displayed only when the Upgrade Behavior is set to Upgrade when AP connects using settings from Controlled Upgrade on the AP Software Maintenance tab.
5 In the Select AP Platform drop-down list, click the type of AP you want to upgrade.
6 In the Select an image to use drop-down list, click the software image you want to use for the upgrade.
7 In the list of registered Wireless APs, select the check box for each AP to be upgraded with the selected software image.
8 Click Apply AP image version. The selected software image is displayed in the Upgrade To column of the list.
9 To save the software upgrade strategy to be run later, click Save for later.
10 To run the software upgrade immediately, click Upgrade Now. The selected AP reboots, and the new software version is loaded.
Note: The Always upgrade AP to default image check box on the AP Software Maintenance tab overrides the Controlled Upgrade settings.
11 To upgrade without interrupting service, click Upgrade without interrupting service. If you click this option while the upgrade scheduler is running, the schedule is interrupted, and the current upgrade cycle calculates a new schedule that includes APs that weren't upgraded.

Understanding the ExtremeWireless LED Status
After you power on and boot the AP for the first time, you can configure LED behavior as described in Configuring Wireless AP LED Behavior on page 259. When you power on and boot an AP, you can follow its progress through the registration process by observing the LED sequence as described in the following sections:
39xx Series Wireless APs
38xx Series Wireless APs on page 251
37xx Series Wireless APs on page 255

39xx Series Wireless APs
The following AP39xx model access points are supported by ExtremeWireless:
AP3917i/e
AP3916i/e
AP3915i/e
AP3912i/e
AP3935i/e
AP3965i/e
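Before the LED reference tables, here is an added example (not from the guide and not Extreme Networks code) that models the upgrade rules described in Performing AP Software Maintenance and Defining Parameters for a Controlled Software Upgrade above: the default-image check box overriding per-AP Controlled Upgrade targets, deferral to a maintenance cycle, and the current/backup image swap with fallback when the current image fails. Platform names, image names, the AP inventory and the assumption that a maintenance cycle defers upgrades outside its window are constructed for illustration.

```python
"""Model of the AP image upgrade rules in 'Performing AP Software Maintenance'.

Added example, not Extreme Networks code. It reproduces the decisions the
guide describes in prose: the default-image check box overriding Controlled
Upgrade, deferral to a maintenance cycle, and the current/backup image swap
with fallback on boot failure. Platform names, image names, the AP inventory
and the rule that a maintenance cycle defers upgrades are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional, Set


@dataclass
class AP:
    name: str
    platform: str
    current_image: str
    backup_image: Optional[str] = None
    boot_ok: bool = True          # False simulates failure of the current image


@dataclass
class MaintenanceCycle:
    """AP Maintenance Cycle tab: Start At, Duration (hours), Platforms; daily recurrence assumed."""
    start_hour: int
    start_minute: int
    duration_hours: int
    platforms: Set[str]

    def is_open(self, now: datetime) -> bool:
        start = now.replace(hour=self.start_hour, minute=self.start_minute,
                            second=0, microsecond=0)
        if now < start:                      # the window may have started yesterday
            start -= timedelta(days=1)
        return start <= now < start + timedelta(hours=self.duration_hours)


@dataclass
class Controller:
    default_images: Dict[str, str]                 # platform -> default image
    always_upgrade_to_default: bool                # "Always upgrade AP to default image"
    controlled_targets: Dict[str, str] = field(default_factory=dict)  # AP -> "Upgrade To"
    cycle: Optional[MaintenanceCycle] = None

    def decide(self, ap: AP, now: datetime) -> Optional[str]:
        """Image the AP is asked to load when it registers, or None to leave it alone."""
        if self.always_upgrade_to_default:
            # The check box overrides any per-AP Controlled Upgrade selection.
            target = self.default_images.get(ap.platform)
        else:
            target = self.controlled_targets.get(ap.name)
        if target is None or target == ap.current_image:
            return None
        if (self.cycle and ap.platform in self.cycle.platforms
                and not self.cycle.is_open(now)):
            return None                      # assumption: wait for the maintenance window
        return target


def apply_upgrade(ap: AP, image: str) -> AP:
    """The new image becomes current; the previous current image becomes the backup."""
    ap.backup_image = ap.current_image
    ap.current_image = image
    return ap


def boot(ap: AP) -> str:
    """Image the AP actually runs: the backup if the current image fails to come up."""
    if ap.boot_ok or ap.backup_image is None:
        return ap.current_image
    return ap.backup_image


if __name__ == "__main__":
    # Constructed inventory: the controlled target is older than the default image.
    ctl = Controller(default_images={"AP3917": "AP3917-10.41.06"},
                     always_upgrade_to_default=True,
                     controlled_targets={"ap-lobby": "AP3917-10.31.00"})
    ap = AP("ap-lobby", "AP3917", current_image="AP3917-10.31.00")
    print("default wins:", ctl.decide(ap, datetime(2024, 1, 1, 2, 30)))
    ctl.always_upgrade_to_default = False
    print("controlled, already at target:", ctl.decide(ap, datetime(2024, 1, 1, 2, 30)))
    ctl.controlled_targets["ap-lobby"] = "AP3917-10.41.06"
    ctl.cycle = MaintenanceCycle(1, 0, 1, {"AP3917"})
    print("outside window:", ctl.decide(ap, datetime(2024, 1, 1, 2, 30)))
    print("inside window:", ctl.decide(ap, datetime(2024, 1, 1, 1, 30)))
    apply_upgrade(ap, "AP3917-10.41.06")
    ap.boot_ok = False
    print("runs after failed boot:", boot(ap))
```

The point worth noticing in the run is the first decision: with the default-image check box set, the per-AP Controlled Upgrade target is ignored entirely, which matches the note in the guide that the check box overrides Controlled Upgrade settings.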
AP3917 LED Indicators
Figure 59: AP3917i LEDs and Features
Table 26: AP3917 LEDs

| Item | Color | Description |
|---|---|---|
| 1 (IoT Radio) | Blue | Indicates that the IoT application is running. |
| 2 (5 GHz radio) | Green | Indicates that the radio is enabled. |
| 3 (2.4 GHz radio) | Green | Indicates that the radio is enabled. |
| 4 (Status LED) | Green | Indicates AP is working normally. |
| 4 (Status LED) | Amber | Indicates System Failure. |

Table 27: AP3917 Features

| Item | Description |
|---|---|
| 5 | Ethernet Port 1 (POE IN) |
| 6 | Ethernet Port 2 (Client Port) |
| 7 | Console |
| 8 | Gore Vent |

AP3916 LED Indicators
Figure 60: Front View of AP3916ic
The following features are on the front of the AP:

| Item | Description |
|---|---|
| 1 - Reset Button | The power reset button is recessed and located on the top of the AP. Use a tool to press the reset button. |
| 2 - Cap | Remove the caps to access the thumbscrews. |
| 3 - Thumbscrew | The thumbscrews let you adjust and set the tilt angle of the camera. |
| 4 - Locking Pin | The locking pin lets you adjust and set the rotational position of the camera. |

The following LEDs are located on the top cover of the AP:
Table 28: LEDs (each LED is marked with a symbol on the cover)
Camera
IoT (BLE or 802.15.4)
Radio 2 (2.4 GHz)
Radio 1 (5 GHz)
LAN 1 (Ethernet 1)
Status

AP3915i LED Indicators
The AP3915i has the following LEDs:
Figure 61: AP3915i LEDs
Table 29: AP3915i LEDs

| Item | Status | Description |
|---|---|---|
| 1 (Status LED) | Green | Indicates AP is working normally. |
| 1 (Status LED) | Amber | Indicates System Failure. |
| 2 (2.4 GHz radio) | Green | Indicates radio is enabled. |
| 3 (5 GHz radio) | Green | Indicates radio is enabled. |
| 4 (IoT Radio) | Blue | Indicates IoT application is running. |

NEW! AP3915e LED Indicators
AP3915e access points have LED indicators on the front of the box. The LEDs provide the status of the access point, indicating on, off, and network activity.
Figure 62: AP3915e Top View
Table 30: AP3915e LED Indicators

| Item | Status | Description |
|---|---|---|
| 1 (IoT Radio) | Blue | Indicates IoT application is running. |
| 2 (5 GHz radio) | Green | Radio 1, 5 GHz. Indicates radio is enabled. |
| 3 (2.4 GHz radio) | Green | Radio 2, 2.4 GHz. Indicates radio is enabled. |
| 4 (Status LED) | Green | Indicates AP is working normally. |
| 4 (Status LED) | Amber | Indicates System Failure. |

AP3912 LED Indicators
The AP3912i has six LED indicators. The LEDs provide status information on the current state of the AP3912i.
Figure 63: AP3912i LEDs
Table 31: AP3912i LED Status Indicators

| LED Indicator | Status | Description |
|---|---|---|
| 1 (Status) | Green | Indicates AP is working normally |
| 1 (Status) | Amber | System failure |
| 2 (Ethernet link state) LAN 1 | Amber | Indicates a valid 1Gbps Ethernet link |
| 2 (Ethernet link state) LAN 1 | Green | Indicates a valid 10Mbps or 100Mbps Ethernet link |
| 3 (Radio 1) | Green | Indicates Radio 1 is enabled |
| 4 (Radio 2) | Green | Indicates Radio 2 is enabled |
| 5 (PSE Client Port) | Green | Uplink AP port detects AF PoE (Power over Ethernet) source |
| 6 (BLE) | Green | Indicates IoT (BLE or 802.15.4) is enabled |

AP3935, AP3965 LED Indicators
The AP3935 and AP3965 provide 5 LED indicators. The LEDs provide status information on the current state of the AP.
Table 32: LED Indications AP3935 and AP3965

| LED | Status | Description |
|---|---|---|
| 1 (AP status) | On Green | Indicates that the AP is working normally. |
| 1 (AP status) | Flashing Green | Indicates: running a self test; loading software program. |
| 1 (AP status) | On Amber | Indicates a CPU/system failure. |
| 2 (Ethernet link state) LAN 1 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 2 (Ethernet link state) LAN 1 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 2 (Ethernet link state) LAN 1 | Off | Indicates the link is down. |
| 3 (Ethernet link state) LAN 2 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | Off | Indicates the link is down. |
| 4 (Radio 1 (5 GHz) status) | On Green | Indicates Radio 1 is enabled. |
| 4 (Radio 1 (5 GHz) status) | Off | Indicates Radio 1 is not on. |
| 5 (Radio 2 (2.4 GHz) status) | On Green | Indicates Radio 2 is enabled. |
| 5 (Radio 2 (2.4 GHz) status) | Off | Indicates Radio 2 is not on. |

38xx Series Wireless APs
The following AP38xx model access points are supported by ExtremeWireless:
WS-AP3801i
WS-AP3805i/e
WS-AP3865
WS-AP3825

WS-AP3801i LED Indicators
The WS-AP3801i provides three LED indicators. The LEDs provide status information on the current state of the WS-AP3801i.
Figure 64: AP3801i Top View
Table 33: AP3801i LED Status Indicators

| LED | Status | Description |
|---|---|---|
| 1 (Power) | On Green | Indicates the AP3801 is working normally. |
| 1 (Power) | Flashing Green | Indicates: running a self test; loading software program. |
| 1 (Power) | On Red | Indicates a CPU or system failure. |
| 2 (Radio 1 Status) | On Green | Indicates Radio 1 (5.0 GHz) is enabled. |
| 3 (Radio 2 Status) | On Green | Indicates Radio 2 (2.4 GHz) is enabled. |

WS-AP3805i/e LED Indicators
The WS-AP3805i/e provides three LED indicators. The LEDs provide status information on the current state of the WS-AP3805i/e.
Figure 65: AP3805i/e Top View
Table 34: AP3805i/e LED Status Indicators

| LED | Status | Description |
|---|---|---|
| 1 (Power) | On Green | Indicates the AP3805 is working normally. |
| 1 (Power) | Flashing Green | Indicates: running a self test; loading software program. |
| 1 (Power) | On Red | Indicates a CPU or system failure. |
| 2 (Radio 1 Status) | On Green | Indicates Radio 1 (5.0 GHz) is enabled. |
| 3 (Radio 2 Status) | On Green | Indicates Radio 2 (2.4 GHz) is enabled. |

WS-AP3865 LED Indicators
The WS-AP3865e has five LED indicators. The LEDs provide status information on the current state of the WS-AP3865e.
Figure 66: WS-AP3865e LEDs
Table 35: WS-AP3865 LED Indications

| LED | Status | Description |
|---|---|---|
| 1 (Radio 1 status) | On Green | Indicates Radio 1 is enabled. |
| 1 (Radio 1 status) | Off | Indicates Radio 1 is not on. |
| 2 (Radio 2 status) | On Green | Indicates Radio 2 is enabled. |
| 2 (Radio 2 status) | Off | Indicates Radio 2 is not on. |
| 3 (Ethernet link state) LAN 2 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | Off | Indicates the link is down. |
| 4 (Ethernet link state) LAN 1 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 4 (Ethernet link state) LAN 1 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 4 (Ethernet link state) LAN 1 | Off | Indicates the link is down. |
| 5 (AP status) | On Green | Indicates the WS-AP3865 is working normally. |
| 5 (AP status) | On Amber | Indicates a CPU/system failure. |
| 5 (AP status) | Flashing Green | Indicates: running a self test; loading software program. |

WS-AP3825 LED Indicators
The WS-AP3825 has five LED indicators. The LEDs provide status information on the current state of the WS-AP3825.
Figure 67: WS-AP3825 LEDs
Table 36: WS-AP3825 LED Indications

| LED | Status | Description |
|---|---|---|
| 1 (AP status) | On Green | Indicates the WS-AP3825 is working normally. |
| 1 (AP status) | Flashing Green | Indicates: running a self test; loading software program. |
| 1 (AP status) | On Amber | Indicates a CPU/system failure. |
| 2 (Ethernet link state) LAN 1 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 2 (Ethernet link state) LAN 1 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 2 (Ethernet link state) LAN 1 | Off | Indicates the link is down. |
| 3 (Ethernet link state) LAN 2 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | Off | Indicates the link is down. |
| 4 (Radio 2 status) | On Green | Indicates Radio 2 is enabled. |
| 4 (Radio 2 status) | Off | Indicates Radio 2 is not on. |
| 5 (Radio 1 status) | On Green | Indicates Radio 1 is enabled. |
| 5 (Radio 1 status) | Off | Indicates Radio 1 is not on. |

37xx Series Wireless APs
The ExtremeWireless AP37xx series are 802.11n APs, with added capacity for intrusion threat detection and prevention capability. The LED indicators on these are described in the following subsections:
WS-AP3710 LED Indicators on page 256
WS-AP3715 LED Indicators on page 257
AP3765/AP3767/W786C LED Status on page 259

WS-AP3705i LED Indicators
The WS-AP3705i provides four LED indicators (see Figure 68). The LEDs provide status information (see Table 37) on the current state of the WS-AP3705i.
Figure 68: AP3705i Top View
Table 37: AP3705i LED Status Indicators

| LED | Status | Description |
|---|---|---|
| 1 (Power) | On Green | Indicates the AP3705 is working normally. |
| 1 (Power) | Flashing Green | Indicates: running a self test; loading software program. |
| 1 (Power) | On Red | Indicates a CPU or system failure. |
| 2 (Ethernet Link) | On Green | Indicates a valid 100Mbps Ethernet link. |
| 2 (Ethernet Link) | On Blue | Indicates a valid 1Gbps Ethernet link. |
| 2 (Ethernet Link) | Off | Indicates the link is down. |
| 3 (Radio 2 Status) | On Green | Indicates Radio 2 (2.4 GHz) is enabled. |
| 4 (Radio 1 Status) | On Green | Indicates Radio 1 (5 GHz) is enabled. |

WS-AP3710 LED Indicators
Both models (AP3710i and AP3710e) of the WS-AP3710 have four LED indicators, shown in Figure 69. The LEDs provide status information, described in Table 38 on page 257, on the current state of the WS-AP3710.
Figure 69: WS-AP3710 LEDs (front, lower right). The figure legend identifies the Power Indicator LED, the LAN Indicator LED and the Radio Indicator LEDs.
Table 38: WS-AP3710 LED Indications

| LED | Status | Description |
|---|---|---|
| 1 (AP status) | On Green | Indicates the WS-AP3710 is working normally. |
| 1 (AP status) | Flashing Green | Indicates: running a self test; loading software program. |
| 1 (AP status) | On Red | Indicates a CPU/system failure. |
| 2 (Ethernet link state) | On Green | Indicates a valid 100Mbps Ethernet link. |
| 2 (Ethernet link state) | On Blue | Indicates a valid 1Gbps Ethernet link. |
| 2 (Ethernet link state) | Off | Indicates the link is down. |
| 3 (Radio 1 status) | On Green | Indicates Radio 1 is enabled. |
| 4 (Radio 2 status) | On Green | Indicates Radio 2 is enabled. |

WS-AP3715 LED Indicators
The WS-AP3715 has six LED indicators, as shown in Figure 70. The LEDs provide status information, described in Table 39 on page 258, on the current state of the WS-AP3715.
Figure 70: WS-AP3715 LEDs. The figure legend identifies the Power Indicator LED, the LAN Indicator LEDs and the Radio Indicator LEDs.
Table 39: WS-AP3715 LED Indications

| LED | Status | Description |
|---|---|---|
| 1 (AP status) | On Green | Indicates the WS-AP3715 is working normally. |
| 1 (AP status) | Flashing Green | Indicates: running a self test; loading software program. |
| 1 (AP status) | On Amber | Indicates a CPU/system failure. |
| 2 (Ethernet link state) LAN 1 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 2 (Ethernet link state) LAN 1 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 2 (Ethernet link state) LAN 1 | Off | Indicates the link is down. |
| 3 (Ethernet link state) LAN 2 | On Green | Indicates a valid 100Mbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | On Amber | Indicates a valid 1Gbps Ethernet link. |
| 3 (Ethernet link state) LAN 2 | Off | Indicates the link is down. |
| 4 (Radio 2 status) | On Green | Indicates Radio 2 is enabled. |
| 4 (Radio 2 status) | Off | Indicates Radio 2 is not on. |
| 5 (Radio 1 status) | On Green | Indicates Radio 1 is enabled. |
| 5 (Radio 1 status) | Off | Indicates Radio 1 is not on. |

AP3765/AP3767/W786C LED Status
The ExtremeWireless AP3765i, W786C, AP3765e, and AP3767e models are nearly identical in appearance (e models have external antenna ports). LED status indicator displays are the same on all of these models. The frontal view of the housing cover (see Figure 71) displays six LEDs. These LEDs provide information on operating status.
Figure 71: Wireless Outdoor AP3765/AP3767/W786C LEDs
Table 40: AP3765/AP3767 LED Status Indicators

| LED | Color | Meaning |
|---|---|---|
| L1 | Green | Ethernet port 1 LED. When green on, indicates Ethernet port activity. When off, Ethernet is off and WDS is enabled. |
| R2 | Green | WLAN Radio 2 LED. When green on, indicates Radio 2 is active. |
| R1 | Green | WLAN Radio 1 LED. When green on, indicates Radio 1 is active. |
| P1 | Green | Power LED. When on, indicates AP power is sourced from the power supply. |
| PoE | Green | PoE power LED. When on, indicates AP power is sourced from PoE. |
| F | Red | Error LED. When on, indicates error. When off, indicates normal operation, AP connected to controller. |

Configuring Wireless AP LED Behavior
You can configure the behavior of the LEDs so that they provide the following information:
Table 41: LED Operational Modes

| LED Mode | Information Displayed |
|---|---|
| Off | Displays fault patterns only. LEDs do not light when the AP is fault free and the discovery is complete. |
| Normal | Identifies the AP status during the registration process during power on and boot process. |
| Identify | All LEDs blink simultaneously approximately two to four times every second. |

You can configure the AP LED mode when you configure the following:
An individual AP.
Multiple APs simultaneously.
Default AP behavior.
Note: You can configure all four AP LED modes if you configure an individual AP or multiple APs simultaneously. If you configure the default AP behavior, the only LED modes available are Off and Normal.
Related Links
AP Multi-Edit Properties on page 111
AP Properties Tab - Advanced Settings on page 164

Configuring Operational Mode for One AP
To configure the AP LED operational mode when configuring an individual wireless AP:
1 From the top menu, click AP > APs.
2 In the AP list, click a wireless AP (not the check box). The AP Configuration page displays with the AP Properties tab exposed.
3 On the AP Properties tab, click Advanced.
4 In the LED field, select an LED operational mode. See Table 41 on page 260 for a description of each option.

Configuring Operational Mode with Multi-Edit
To set the AP LED Operational Mode when using the AP Multi-Edit feature:
1 From the top menu, click AP.
2 Select the check box for more than one AP.
3 Click Actions > Multi Edit. The Multi Edit dialog displays.
4 In the LED field, select an LED operational mode. See Table 41 on page 260 for a description of each option.

Configuring AP Operational Mode Default Behavior
To set the AP LED Operational Mode when configuring default AP behavior:
1 From the top menu, click AP.
2 In the left pane, click Global > Default Settings.
3 Click the AP tab that corresponds to the type of AP that you want to configure.
4 Click Advanced. The Advanced window displays.
5 In the LED field, select an LED operational mode. See Table 41 on page 260 for a description of each option.

5 Configuring Topologies
Topology Overview
Configuring the Admin Port
Configuring a Basic Data Port Topology
Creating a Topology Group
Edit or Delete a Topology Group
Enabling Management Traffic
Layer 3 Configuration
Exception Filtering
Multicast Filtering

Topology Overview
A topology can be thought of as a VLAN (Virtual LAN) with at least one egress port and, optionally, sets of services, exception filters and multicast filters. ExtremeWireless makes use of a number of different topology modes:
Admin - This is the topology to which the management plane's administration interface is assigned. It is the only topology that can be assigned to the administration interface. The interface must be present at layer 3 to receive management-related traffic such as SSH, HTTPS and RADIUS. This interface supports IPv4 and IPv6.
Physical - A physical mode topology is intended to be used for management purposes. A physical topology can also be used to carry station traffic for a "3rd party VNS", a VNS that uses non-Extreme Networks wireless APs. A physical topology can be assigned to any of the data plane ports on the controller.
Routed - For this type of topology the controller acts as a router between the topology's VLAN and the rest of the network. The controller's data plane ports can be assigned to this type of topology.
Bridged Traffic Locally at EWC - For this type of topology the controller bridges traffic for the station through its interfaces, rather than routing the traffic. For this type of topology the station's "point of presence" on the wired network is the data plane port assigned to the topology.
Bridged Traffic Locally at AP - This type of topology is assigned to APs. For this type of topology the AP bridges traffic between its wired and wireless interfaces without involving the controller. The station's "point of presence" on the wired network for a bridged at AP topology is the AP's wired port.
Note: IPv6 is supported for Layer 2 bridging for both B@AC and B@AP topologies.
Fabric Attach - The Fabric Attach topology type allows an AP to attach to a Shortest Path Bridging (Fabric Connect) network. The client component on the AP communicates directly with the server on an edge switch (or it can communicate with the server through a proxy) to allow the AP to request VLAN to I-SID (backbone Service Identifier [IEEE 802.1ah]) mappings. The Fabric Attach topology type is similar to B@AP with the added I-SID parameter. Fabric Attach can be configured on a controller anywhere a B@AP topology can be configured.

Define the following parameters on the Topologies configuration page:
VLAN ID and associated L2 port
L3 (IP) interface presence and the associated IP address and subnet range
The rules for using DHCP (Dynamic Host Configuration Protocol)
Enabling or disabling the use of the associated interface for management/control traffic
Selection of an interface for AP registration
Multicast filter definition
Exception filter definition
At most, one physical topology can be enabled for the multicast support for Routed VNS. This can be configured on the new physical port GUI.
Related Links
Configuring the Admin Port on page 263
Fabric Attach Topology on page 269

Configuring the Admin Port
The controller has two types of Layer 2 ports:
Admin - which can only be used for management-related purposes. It is connected directly on the management plane of the controller.
Physical - which can be used for a variety of purposes, including bridging and routing as well as management. The physical ports are directly connected to the controller's data plane, although traffic received at physical ports may be sent up the exception path to the management plane.
The Admin port is a physical Ethernet port directly connected to the controller's management plane. It provides a dedicated connection to a secure management VLAN. The controller can use the Admin port to interact with RADIUS, SNMP (Simple Network Management Protocol), and Extreme Management Center servers.
1 From the top menu, click Controller.
2 In the left pane, click Network > Topologies. The Topologies tab is displayed.
Figure 72: Network Topologies
3 To change any of the associated Admin parameters, click on the Admin topology entry. The Edit Topology dialog appears.
Figure 73: Edit Topology
4 Under Core, the Admin port Name and Mode are not configurable.
5 Under Layer 3 - IPv4, the following settings are available:
The Static IP Address specifies the address assigned by the administrator.
In the Mask field, type the appropriate subnet mask for the IP address (typically, 255.255.255.0).
The Gateway field specifies the IP address of the default gateway for the Admin port.
The MTU value specifies the Maximum Transmission Unit or maximum packet size for this topology. The fixed value is 1500 bytes for physical topologies. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51).
6 Under Layer 3 - IPv6, the following settings are available:
The Static IPv6 Address field specifies the address assigned by the administrator.
The Static IPv6 Gateway field specifies the IP address of the default gateway for the Admin port.
The Prefix Length field specifies the length of the IPv6 prefix. Maximum is 64 bits.
The MTU value specifies the Maximum Transmission Unit or maximum packet size for this topology. The fixed value is 1500 bytes for physical topologies. The maximum MTU can be increased to 1800 bytes by enabling Jumbo Frames support (for more information, see Setting Up the Data Ports on page 51).
The Dynamic IP Address lists the current auto-generated IPv6 addresses assigned to the Admin port.
Note: IPv6 supports multiple addresses on the same port, including auto-generated addresses such as a link-local address or an address created by combining the Router Advertisement prefix with the interface ID. Auto-generated addresses generated via the Router Advertisement prefix are dynamic and their availability depends on the existence of the prefix (or lack of it) in the Router Advertisement.
7 Click Refresh to refresh the list of Dynamic IP Addresses and click Save. Or, click Cancel to close the Edit Topology dialog without saving any changes to the port configuration.

Configuring a Basic Data Port Topology
To configure a basic data port topology:
1 From the top menu, click VNS. Then, in the left pane, select Topologies. The Topologies window displays.
Figure 74: Configuring a Topology
2 Select the topology to edit or click New to create a new topology. For more information, see Configuring a Basic Topology on page 267.

Configuring a Basic Topology
To configure a basic topology:
1 From the top menu, click VNS. Then, in the left pane, select Topologies. The Topologies window displays.
2 Select the topology to edit or click New to create a new topology.
Figure 75: Configuring a basic topology
3 On the General tab, enter a name for the topology in the Name field.
4 Select a mode of operation from the Mode drop-down list. Choices are:
Physical: VLAN identifier (1 - 4094), with at least one layer 2 member port (no MU associated).
Routed: Routed topologies do not require Layer 2 configuration (the controller uses an internal VLAN identifier from the valid range 1 - 4094) but do require Layer 3 configuration. See Layer 3 Configuration on page 272 for more information.
Bridge Traffic Locally at AP: Requires Layer 2 configuration. Does not require Layer 3 configuration. Bridge Traffic at the AP VNSs do not require the definition of a corresponding IP address, since all traffic for users in that VNS will be directly bridged by the Wireless AP at the local network point of attachment (VLAN at AP port).
Bridge Traffic Locally at EWC: Requires Layer 2 configuration. May optionally have Layer 3 configuration. Layer 3 configuration would be necessary if services (such as DHCP, captive portal, etc.) are required over the configured network segment, or if controller management operations are intended to be done through the configured interface.
Fabric Attach: The Fabric Attach topology type is similar to B@AP with the added I-SID parameter. Fabric Attach can be configured on a controller anywhere a B@AP topology can be configured. See Bridge Traffic Locally at AP.
5 Configure the Layer 2 VLAN Settings, depending on the previously selected Mode.
For Physical, enter a VLAN identifier (2 - 4094), with at least one layer 2 member port (no MU associated).
For Bridge Traffic Locally at EWC, enter a VLAN identifier (2 - 4094) that is valid for your system and enter the port to which this VLAN is attached, according to the networking deployment model pre-established during planning.
For Bridge Traffic Locally at AP, enter a VLAN identifier (1 - 4094); 4094 is reserved for the Internal VLAN ID.
For Fabric Attach, enter a VLAN identifier (1 - 4094); 4094 is reserved for the Internal VLAN ID. Also enter an I-SID (service identifier).
Specify whether the VLAN configuration is Tagged or Untagged.
To eliminate ARP Request Broadcast on the Wireless network, select ARP Proxy. ARP Proxy applies to traffic for Bridge Traffic Locally at AP Topologies. ARP Proxy is configurable per topology.
For Port, select the Physical (Ethernet) or LAG (Link Aggregation Group) data port. For more information, see Viewing and Changing the L2 Ports Information on page 52.
6 (Optional) Provide a netmask in the Mask field for topologies that do not support Layer 3. This option makes it possible to add the Framed-IP-Netmask attribute to the client RADIUS accounting request packets when the topology does not support Layer 3.
7 Click Save to save your changes.
These steps are sufficient to create and save a topology. The following configuration options are optional and depend on the mode of the topology.
Related Links
Layer 3 Configuration on page 272
Creating a Topology Group on page 270
Enabling Management Traffic on page 272

Fabric Attach Topology
The Fabric Attach topology type allows an AP to attach to a Shortest Path Bridging (Fabric Connect) network. The client component on the AP communicates directly with the server on an edge switch (or it can communicate with the server through a proxy) to allow the AP to request VLAN to I-SID (backbone Service Identifier [IEEE 802.1ah]) mappings. The Fabric Attach topology type is similar to B@AP with the added I-SID parameter. Fabric Attach can be configured on a controller anywhere a B@AP topology can be configured.
Note: When Fabric Attach is configured, LLDP (Link Layer Discovery Protocol) is automatically enabled on all APs associated with the topology. The setting cannot be disabled by users. The switch requires that the VLAN/I-SID mapping is unique per port per switch, therefore only one AP per switch port is allowed. The exception is WDS (Wireless Distribution Service). When using WDS, only the root AP in the mesh has a Fabric Attach client. The root AP handles all VLAN/I-SID mapping for all APs in its mesh.
The controller enforces the unique VLAN/I-SID requirement for each Fabric Attach topology. A single controller supports up to 94 VLAN/I-SID mappings. This is a limit of LLDP. APs connected to a Fabric-enabled switch automatically use the default management VLAN that is configured on the switch. Moving an AP from a Fabric-enabled switch to a non-Fabric-enabled switch requires a factory default reset to connect to the new management VLAN.
Note: In a mobility scenario that includes a local and a foreign controller, make sure the Fabric Attach topology configuration is the same on each controller, ensuring that an AP that moves between controllers has the same set of topologies.
Fabric Attach is supported on all AP39xx series access points.
Important: In rare cases, an unstable AP image can cause the AP to revert to an image that does not support Fabric Attach topologies. Connectivity between the AP and controller is preserved because the configuration is preserved, but the Fabric Attach feature will not work until the AP v10.41 image is restored. Therefore, we recommend that you upgrade an AP running v10.31 twice, ensuring that both the current and previous images are v10.41.
Figure 76: Fabric Attach for FA Clients Automated Network Services

Creating a Topology Group
A topology group is a list of topologies with a unique name and a VLAN ID of its own. A topology group's name must be unique across topology groups and topologies, since it will be used anywhere the topology name can be used. All the topologies in a defined group have the same type. For example, if the topology group mode is Routed, it only contains Routed topologies. The maximum number of topology groups for all platforms is 32.
1 From the top menu, click VNS.
2 In the left pane, click Topologies.
3 On the Topologies tab, click New Group.
Figure 77: Topology Group
4 Under Core, enter a name for the topology group.
5 Under Mode, select a mode from the drop-down menu. Choices are Bridge Traffic Locally at EWC and Routed.
6 Under Layer 2, VLAN Setting, enter a VLAN ID (1-4094).
7 Under Topologies, only the topologies of the group's type are shown and eligible for inclusion. Select topologies to be members of the group. A topology group must contain at least 1 topology.
8 Click Save.

Edit or Delete a Topology Group
To modify or delete a topology group:
1 From the top menu, click VNS.
2 In the left pane, click Topologies and click a topology group to edit or delete. (Do not select the check box.)
3 To edit the group, in the Topologies pane, click Edit. The Topology list is populated with available topologies.
4 Check topology boxes to add topologies to the group. Clear the check boxes to remove topologies from the group.
5 To delete the topology group that you have open, click the Delete button. When a topology group is deleted, only the group is deleted, not the topologies it contains.
6 Click Save.
7 You can also delete the topology group from the Topologies tab.
a From the top menu, click VNS.
b From the left pane, click Topologies.
c Select the check box for the topology group to delete and click Delete Selected.
d Click Save.

Enabling Management Traffic
If management traffic is enabled for a VNS, it overrides the built-in exception filters that prohibit traffic on the controller data interfaces. For more information, see Policy Rules on page 288.

To enable management traffic for a topology:
1 From the top menu, click either Controller or VNS. Then, in the left pane, select Topologies.
2 Select the desired physical or Routed topology. If the Layer 3 parameters are not displayed, check the Layer 3 check box.
3 Select the Management Traffic check box.
4 Click Save.

Layer 3 Configuration
This section describes configuring Layer 3 of the network topology. Layer 3 configuration includes defining IP addresses, DHCP options, Next Hop and OSPF (Open Shortest Path First) parameters, for Physical port, Routed, and Bridge Traffic Locally at EWC topologies. Not all topologies support Layer 3.

Note: IPv6 is not supported in Layer 3 configuration.

Related Links
IP Address Configuration on page 272
DHCP Configuration on page 274
Defining a Next Hop Route and OSPF Advertisement on page 277

IP Address Configuration
The L3 (IP) address definition is only required for Physical port and Routed topologies. For Bridge Traffic Locally at EWC topologies, L3 configuration is optional. L3 configuration would be necessary if services such as DHCP, captive portal, or AP registration (with up to 4 topologies) are required over the configured network segment, or if controller management operations are intended to be done through the configured interface. Bridge Traffic Locally at AP topologies can define a Mask and do not require the definition of a corresponding IP address, since all traffic for users in that VNS will be directly bridged by the AP at the local network point of attachment (VLAN at AP port).

To define the IP address for the topology:
1 From the top menu, click Controller > Topologies, or VNS > Topologies.
2 Click New to create a new topology, or select the topology you want to define the IP address for. The Topologies window is displayed. Depending on the preselected options, two or three tabs are displayed.
3 For IP interface configuration for Routed topologies, configure the following Layer 3 parameters.
Figure 78: Configuring IP Address for Routed Topology
a In the Gateway field, type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to MUs (in the VNS) as the default gateway for the VNS subnet. (MUs target the controller's interface in their effort to route packets to an external host.)
Note: The Gateway field only supports IPv4 addresses.
b In the Mask field, type the appropriate subnet mask for the IP address. This separates the network portion from the host portion of the address (typically, 255.255.255.0).
c If desired, enable Management traffic.
4 For IP interface configuration for Bridge Traffic Locally at EWC topologies, configure the following Layer 3 parameters.
Figure 79: IP Address for Bridged Traffic Locally
a In the Interface IP field, type the IP address that corresponds to the controller's own point of presence on the VLAN. In this case, the controller's interface is typically not the gateway for the subnet. The gateway for the subnet is the infrastructure router defined to handle the VLAN.
b In the Mask field, type the appropriate subnet mask for the IP address. This separates the network portion from the host portion of the address (typically, 255.255.255.0).
c Configure Strict Subnet Adherence.
d If desired, configure AP Registration. If selected, wireless APs can use this port for discovery and registration.
e If desired, enable Management traffic.

Related Links
Enabling Management Traffic on page 272

DHCP Configuration
You can configure DHCP settings for all modes except Bridge Traffic Locally at AP mode, since all traffic for users in that VNS will be directly bridged by the AP at the local network point of attachment (VLAN at AP port).

DHCP assignment is disabled by default for Bridged to VLAN mode. However, you can enable DHCP server/relay functionality to have the controller service the IP addresses for the VLAN (and wireless users).

To configure DHCP options:
1 Click VNS > Topologies > General and enable Layer 3.
2 From the DHCP drop-down list, select one of the following options and click Configure.
- Local Server, if the controller's local DHCP server is used for managing IP address allocation.
- Use Relay, if the controller forwards DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
3 If you selected Local Server, the following window displays. Configure the following parameters:
Figure 80: DHCP Configuration
a In the Domain Name box, type the external enterprise domain name server to be used.
b In the Lease default box, type the default time limit. The default time limit dictates how long a wireless device can keep the DHCP server assigned IP address. The default value is 36000 seconds (10 hours).
c In the DNS Servers box, type the IP address of the Domain Name Servers to be used.
d In the WINS box, type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).
e Check the Enable DLS DHCP Option check box if you expect optiPoint WL2 wireless phone traffic on the VNS. DLS is a Siemens application that provides configuration management and software deployment and licensing for optiPoint WL2 phones.
f In the Gateway field, type the controller's own IP address in that topology. This IP address is the default gateway for the topology. The controller advertises this address to the wireless devices when they sign on. For routed topologies, it corresponds to the IP address that is communicated to wireless clients as the default gateway for the subnet. (Wireless clients target the controller's interface in their effort to route packets to an external host.) For a Bridge Traffic Locally at EWC topology, the IP address corresponds to the controller's own point of presence on the VLAN. In this case, the controller's interface is typically not the gateway for the subnet. The gateway for the subnet is the infrastructure router defined to handle the VLAN.
g The Address Range boxes (from and to) populate automatically with the range of IP addresses to be assigned to wireless devices using this VNS, based on the IP address you provided. To modify the address in the Address Range from box, type the first available address. To modify the address in the Address Range to box, type the last available address. If there are specific IP addresses to be excluded from this range, click Exclusion(s). The DHCP Address Exclusion dialog is displayed.
Figure 81: DHCP Address Exclusion
In the DHCP Address Exclusion dialog, do one of the following:
- To specify an IP range, type the first available address in the From box and type the last available address in the to box. Click Add for each IP range you provide.
- To specify an IP address, select the Single Address option and type the IP address in the box. Click Add for each IP address you provide.
To save your changes, click OK.
h The Broadcast Address box populates automatically based on the Gateway IP address and subnet mask of the VNS.
i Click Close.
4 If you selected Use Relay, a DHCP window displays.
a In the DHCP Servers box, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.
Note: The DHCP Server must be configured to match the topology settings. In particular, for Routed topologies the DHCP server must identify the controller's interface IP as the default gateway (router) for the subnet. Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.
5 To save your changes, click Save.

Defining a Next Hop Route and OSPF Advertisement
The next hop definition allows the administrator to define a specific host as the target for all non-VNS targeted traffic for users in a VNS. The next hop IP identifies the target device to which all VNS (user) traffic will be forwarded. Next-hop definition supersedes any other possible definition in the routing table. If the traffic destination from a wireless device on a VNS is outside of the VNS, it is forwarded to the next hop IP address, where this router applies its role and forwards the traffic. This feature applies to unicast traffic only. In addition, you can also modify the OSPF route cost.

OSPF is an interior gateway routing protocol developed for IP networks based on the shortest path first or link-state algorithm. Using OSPF, a host that obtains a change to a routing table or detects a change in the network immediately distributes the information to all other hosts in the network so that all will have the same routing table information. The host using OSPF sends only the part that has changed, and only when a change has taken place.

To define a Next Hop Route and OSPF Advertisement:
1 From the top menu, click VNS.
2 In the left pane, expand the Topologies pane, then click the Routed topology for which you want to define a next-hop route.
3 In the Layer 3 area, click the Configure button. The DHCP configuration dialog displays.
Figure 82: DHCP configuration
4 In the Next Hop Address box, type the IP address of the next hop router on the network through which you wish all traffic on the VNS using this topology to be directed.
5 In the OSPF Route Cost box, type the OSPF cost of reaching the VNS subnet. The OSPF cost value provides a relative cost indication to allow upstream routers to calculate whether or not to use the controller as a better fit or lowest cost path to reach devices in a particular network. The higher the cost, the less likely it is that the controller will be chosen as a route for traffic, unless that controller is the only possible route for that traffic.
6 To disable OSPF advertisement on this VNS, select the Disable OSPF Advertisement check box.
7 Click Close.
8 Click Save.

Exception Filtering
The exception filter provides a set of rules aimed at restricting the type of traffic that is delivered to the controller. By default, your system is shipped with a set of restrictive filter rules that help control access through the interfaces to only those services that are absolutely necessary.

By configuring an interface to allow management, an additional set of rules is added to the shipped filter rules that provide access to the system's management configuration framework (SSH, HTTPS, SNMP Agent). Most of this functionality is handled directly behind the scenes by the system, rolling and unrolling canned filters as the system's topology and the defined access privileges for an interface change.

Note: An interface for which Allow Management is enabled can be reached by any other interface. By default, Allow Management is disabled and the shipped interface filters will only permit the interface to be visible directly from its own subnet.
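Whether a user-defined exception rule tightens or relaxes what the controller accepts depends on where it lands in the evaluated rule list. The following Python model is an added example written for this page, not ExtremeWireless code: it builds the effective rule list for one controller interface (user-defined U rules first, then the T rules the system rolls in when Allow Management is on, then the shipped D defaults) and evaluates packets top to bottom, first match wins. The rule fields, the way the shipped defaults are modelled (ICMP from the interface's own subnet only), the management service ports (22/tcp, 443/tcp, 161/udp) and the sample addresses are assumptions, not values taken from the guide.

```python
"""Added example, not ExtremeWireless code: a model of how a controller
interface's exception filter is evaluated top to bottom, with user-defined
(U) rules ahead of the system's local-interface (T) and default (D) rules.
Rule shape, shipped defaults, management ports and addresses are assumed."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Rule:
    kind: str                      # 'U' user-defined, 'T' local interface, 'D' default
    allow: bool                    # True = allow, False = deny
    src_net: str = "0.0.0.0/0"     # packet source; any source by default
    port: Optional[int] = None     # destination port on the controller, None = any
    proto: Optional[str] = None    # 'tcp', 'udp', 'icmp', None = any

    def matches(self, src_ip: str, dst_port: Optional[int], proto: str) -> bool:
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.port is not None and self.port != dst_port:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        return True


@dataclass
class Interface:
    ip: str                        # the interface's own IP address
    prefix_len: int                # subnet mask length
    allow_management: bool = False
    user_rules: List[Rule] = field(default_factory=list)

    def effective_rules(self) -> List[Rule]:
        """User-defined rules first, then the rules the system rolls in."""
        own_subnet = str(ipaddress.ip_interface(f"{self.ip}/{self.prefix_len}").network)
        system: List[Rule] = []
        if self.allow_management:
            # Allow Management opens SSH, HTTPS and the SNMP agent to any source
            # (assumed well-known ports).
            system += [Rule("T", True, port=22, proto="tcp"),
                       Rule("T", True, port=443, proto="tcp"),
                       Rule("T", True, port=161, proto="udp")]
        # Shipped defaults: visible only from the own subnet (modelled as ICMP
        # from that subnet), everything else dropped by a final deny.
        system += [Rule("D", True, src_net=own_subnet, proto="icmp"),
                   Rule("D", False)]
        return list(self.user_rules) + system

    def accepts(self, src_ip: str, dst_port: Optional[int], proto: str) -> bool:
        """First matching rule decides; the trailing default deny always matches."""
        for rule in self.effective_rules():
            if rule.matches(src_ip, dst_port, proto):
                return rule.allow
        return False


def scenarios() -> dict:
    """Constructed sample data: one interface on 10.10.1.5/24 in four setups."""
    closed = Interface("10.10.1.5", 24)
    managed = Interface("10.10.1.5", 24, allow_management=True)
    # A general "allow all" user rule is evaluated first, so it re-opens SSH
    # even though Allow Management is off: the lapse the guide warns about.
    allow_all = Interface("10.10.1.5", 24, user_rules=[Rule("U", True)])
    # A narrow deny placed ahead of the management rules blocks SSH from one
    # noisy subnet (the DoS case) while management stays open elsewhere.
    blocked = Interface("10.10.1.5", 24, allow_management=True,
                        user_rules=[Rule("U", False, src_net="192.0.2.0/24",
                                         port=22, proto="tcp")])
    return {
        "closed_ssh_from_other_subnet": closed.accepts("172.16.0.9", 22, "tcp"),
        "closed_icmp_from_own_subnet": closed.accepts("10.10.1.20", None, "icmp"),
        "managed_ssh_from_other_subnet": managed.accepts("172.16.0.9", 22, "tcp"),
        "allow_all_ssh_from_other_subnet": allow_all.accepts("172.16.0.9", 22, "tcp"),
        "blocked_ssh_from_noisy_subnet": blocked.accepts("192.0.2.77", 22, "tcp"),
        "blocked_ssh_from_elsewhere": blocked.accepts("172.16.0.9", 22, "tcp"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {'allow' if verdict else 'deny'}")
```

Run it directly to print the verdicts. The allow_all interface is the case to avoid: a general allow rule sits above the system's own deny, so SSH becomes reachable from any subnet with Allow Management still disabled. The blocked interface shows the intended use of a user-defined rule, a targeted deny ahead of the management rules.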
The visible exception filter definitions, both in physical ports and topology definitions, allow administrators to define a set of rules to be added to the system's dynamically updated exception filter protection rules. Rule evaluation is performed top to bottom, until an exact match is determined. Therefore, these user-defined rules are evaluated before the system's own generated rules. As such, these user-defined rules may inadvertently create security lapses in the system's protection mechanism, or create a scenario that filters out packets that are required by the system.

Note: Use exception filters only if absolutely necessary. It is recommended that you avoid defining general allow all or deny all rule definitions, since those definitions can easily be too liberal or too restrictive for all types of traffic.

The exception rules are evaluated in the context of the specific controller's interface. The destination address for the role rule definition is typically defined as the interface's own IP address. The port number for the filter definition corresponds to the target (destination) port number for the applicable service running on the controller's management plane.

The exception filter on a topology applies only to the packets directed to the controller, and can be applied to the destination portion of the packet, or to the source portion of the packet when filtering is enabled. Traffic to a specified IP address and IP port is either allowed or denied. Adding exception filter rules allows network administrators to either tighten or relax the built-in filtering that automatically drops packets not specifically allowed by role rule definitions. The exception filter rules can deny access in the event of a DoS attack, or can allow certain types of management traffic that would otherwise be denied. Typically, Allow Management is enabled.

To define exception filters:
1 From the top menu, click VNS.
2 In the left pane, select Topologies.
3 On the Topologies page, click the Exception Filters tab. The Exception Filters page displays.
Figure 83: Topology Exception Filters
4 Select an existing topology from the right-hand pane to edit an existing topology, or click New to create a new topology. The Topologies configuration page displays. The Exception Filters tab is available only if Layer 3 (L3) configuration is enabled.
5 Click the Exception Filters tab to display the Exception Filters page.

Table 42: Exception Filters page - Fields and Buttons
IP:Port: Identifies the IP address and port to which this role rule applies.
Allow: Select the Allow check box to allow this rule. Otherwise the rule is denied.
Rule: Identifies the type of role rule. Options are:
- D - Default rule
- I - Internal (read-only)
- T - Local interface rule
- U - User-defined rule
In: Identifies the rule that applies to traffic from the network host or wireless device that is trying to get to a controller. You can change this setting using the drop-down menu. Options include:
- Destination (dest)
- Source (src) - available in Advanced Filtering Mode only
- None
- Both - available in Advanced Filtering Mode only
Protocol: In the Protocol drop-down list, click the applicable protocol. The default is N/A.
Up, Down: Select a role rule and click to move the rule up or down in the list. The filter rules are executed in the order in which you define them here.
Add: Click to add a role rule. The fields in the Add Filter area are enabled.
Delete: Click to remove this role rule.
Add Predefined: Select a predefined role rule. Click Add to add the rule to the rule table, otherwise click Cancel.
Save: Click to save the configuration.
Advanced Mode: Advanced filtering mode provides the ability to create bidirectional filters. If this controller participates in a mobility zone, before enabling advanced mode be sure that all controllers in the mobility zone are running V7.41 or greater. Note: After enabling advanced filtering mode, you can no longer use NMS Wireless Manager V4.0 to manage the controller's roles, and you cannot switch back to basic filter mode unless you return the controller to its default state.
Add Filter section
IP/subnet:port: Type the destination IP address. You can also specify an IP range, a port designation, or a port range on that IP address.
Protocol: In the Protocol drop-down list, click the applicable protocol. The default is N/A.
In Filter: In the drop-down menu, select an option that refers to traffic from the network host that is trying to get to a wireless device. Options include:
- Destination (dest)
- Source (src) - available in Advanced Filtering Mode only
- None
- Both - available in Advanced Filtering Mode only
By default, user-defined rules are enabled on ingress (In), and are assumed to be Allow rules. To disable the rule in either direction, or to make it a Deny rule, click the new filter, then de-select the relevant check box.
OK: Click to add the role rule to the filter group. The information displays in the role rule table.
Cancel: Click Cancel to discard your changes.

Note: For External Captive Portal, you need to add an external server to a non-authentication filter.

Multicast Filtering
A mechanism that supports multicast traffic can be enabled as part of a topology definition. This mechanism is provided to support the demands of VoIP and IPTV network traffic, while still providing network access control.

Note: To use the mobility feature with this topology, you must select the Enable Multicast Support check box for the data port.

Note: Before enabling multicast filters, and depending on the topology, you may need to define which physical interface to use for multicast relay. Define the multicast port on the IP Addresses tab. For more information, see Setting Up the Data Ports on page 51.

Define a list of multicast groups whose traffic is allowed to be forwarded to and from the VNS using this topology. The default behavior is to drop the packets. For each group defined, you can enable Multicast Replication by group.

To enable Multicast for a topology:
1 On the Topologies page, click the Multicast Filters tab.
Figure 84: Topology Multicast Filters
2 To enable the multicast function, select Multicast bridging.
3 Define the multicast groups by selecting one of the radio buttons:
- IP Group: Type the IP address range.
- Defined groups: Click from the drop-down list.
Note: IPv6 traffic is supported for B@AC and B@AP topologies.
4 To enable the wireless multicast replication for this group, select the corresponding Wireless Replication check box. Wireless Replication filters multicast traffic being sent back to the wireless AP channel or wired network.
Note: Wireless replication takes effect only when the Multicast Address is allowed.
5 Click Add. The group is added to the list above.
6 To modify the priority of the multicast groups, click the group row, and then click the Up or Down buttons. A Deny All rule is automatically added as the last rule, with IP = *.*.*.* and the Wireless Replication check box not selected. This rule ensures that all other traffic is dropped.
7 To save your changes, click Save.

Note: The multicast packet size should not exceed 1450 bytes.

6 Configuring Roles
Roles Overview
Configuring Default VLAN and Class of Service for a Role
Policy Rules

Roles Overview
A role can contain any number of services in Policy Manager. A role is a set of network access services that can be applied at various points in a policy-enabled network. A port takes on a user's role when the user authenticates. Roles are usually named for a type of user such as Student or Engineering. Often, role names will match the naming conventions that already exist in the organization. The role name should match the filter ID values set up on the RADIUS servers.

A VNS can have up to two roles assigned to it. The default non-authenticated role will be used while the station is not authenticated but able to access the network. The default authenticated role will be assigned to a station if it completes authentication successfully but the authentication process did not explicitly assign a role to the station.
A role may also contain default access control (VLAN (Virtual LAN)) and/or Class of Service (priority) characteristics that will be applied to traffic not identied specically by the set of access services contained in the role. The set of services included in a role, along with any access control or class of service defaults, determine how all network traffic will be handled at any network point congured to use that role. raft Default Global Role denitions provide a placeholder for completion of incomplete roles for initial default assignment. If a role is dened as Default for a particular VNS, the role inherits incomplete attributes from Default Global Role denitions. Roles don't need to be fully specied; unspecied attributes are retained by the user or inherited from Global Role denitions (see Conguring the Global Default Policy on page 408 for more information). Conguring Default VLAN and Class of Service for a Role From the VLAN & Class of Service tab you can assign a previously congured topology to a role. You can also launch the Topology Conguration page to edit an existing topology or create a new one. For ExtremeWireless V10.41.06 User Guide 284 Conguring Roles information about how to congure a topology, refer to Conguring a Basic Data Port Topology on page 266. NNote The Conguration Manager (CM) checks overall conguration as conguration is entered. If CM detects mixed B@AC and B@AP rules in the same role, and the role has L7 lter rules, then the conguration is rejected. For more information, see Conguration Rules with L7 Filters on page 307. In general, CoS (Class of Service) refers to a set of attributes that dene the importance of a frame while it is forwarded through the network relative to other packets, and to the maximum throughput per time unit that a station or port assigned to the role is permitted. The CoS denes actions to be taken when rate limits are exceeded. 1 From the top menu, click VNS. To congure VLAN and Class of Service for a role:
D raft ExtremeWireless V10.41.06 User Guide 285 Conguring Roles 2 In the left pane expand the Roles pane and click the role you want to edit, or click New to create a new role. ft Figure 85: VLAN & Class of Service Tab 3 Select Policy Rules to congure the policy rules for the Role. For more information, see Conguring Policy Rules on page 298. Table 43: VLAN & Class of Service Tab - Fields and Buttons FField/Button Description Core Role Name Default Action Enter a name to assign to this role. ExtremeWireless V10.41.06 User Guide 286 Conguring Roles Table 43: VLAN & Class of Service Tab - Fields and Buttons (continued) FField/Button Description Select from one of the following:
None - No role dened No change - Default setting Allow - Packets contained to role's default action's VLAN/
Deny - Any packet not matching a rule in the Role is dropped. Containment VLAN - Any packet not matching a rule is sent to topology. dened VLAN. D Default Class of Service Note: VLAN is only visible when the user selects "Contain to VLAN" as the default access control action. Select an existing Topology, Topology Group, or click New to create a new Topology. To edit an existing Topology, select the VLAN and then click Edit. The Edit Topology page displays. For more information, see Conguring a Basic Topology on page 267. Select an existing class of service from the Default Class of Service drop-down list, or click New to create a new topology. To edit an existing class of service, select the class of service and then click Edit. The Edit Class of Service page displays. For more information, see Conguring Classes of Service on page 487. raft When enabled, this option sends a copy of the network packets to a mirroring L2 port for analysis, in an effort to monitor network traffic. The Purview Engine analyses the traffic. The assigned port can only be used for traffic analysis. You can enable traffic mirroring from the WLAN Service, from the Role, or from the Filter Rule. Setting traffic mirroring at the Filter Rule takes precedence over settings for the Role and WLAN Service. The order of precedence for the traffic mirror setting is: Filter Rule, Role, WLAN Service. To set the L2 port, go to VNS > Global > Netow/
MirrorN Conguration. Valid values for Filter Rule and Role are:
None - No traffic mirroring Enable - Traffic mirroring enabled. Traffic is copied if the lter rule Prohibited - Traffic mirroring is prohibited for this role. Traffic is not copied when the lter rule matches or the role is applied. matches or the role is applied. HTTP Redirection appears when the following conditions are present:
Rule-based Redirection is enabled on the VNS > Global > Filtering Mode screen. A lter exits with Access Control = HTTP Redirect.
(See Understanding the Filter Rule Denition Dialog on page 302.) Access Control VLAN Traffic Mirror HTTP Redirection ExtremeWireless V10.41.06 User Guide 287 Conguring Roles Table 43: VLAN & Class of Service Tab - Fields and Buttons (continued) FField/Button Description Select from one of the previously congured redirection URLs or click New to create a new redirection URL. For more information about setting up a redirection URL, see Managing Redirection URLs on page 421. WLAN (Wireless Local Area Network) Services with Captive Portals are included in this list. The default value for the redirection URL is Own WLAN, which indicates the current WLAN. This is identical to the current redirection behaviour. Redirection URL:
Status Synchronize Enable automatic synchronization with its availability peer. For more information about viewing synchronization status, see Using the Sync Summary on page 414. If this VNS is part of an availability pair, Extreme Networks recommends that you enable Synchronize. By default the WLAN Service is enabled. Clear this check box to disable the WLAN Service. D Advanced Button Static Egress Untagged VLANs For more information about rate control proles, see Working with Bandwidth Control Proles on page 407. Lists those VLANs (for multicast, broadcast, unicast) that a station assigned to a role receives from, even if it hasnt sent on it. Choose a VLAN as follows:
Click a VLAN from the list of available VLANs to use Click >> to move the VLAN to the active list of VLANs used Click OK to permit static conguration of egress untagged VLANs. raft You can dene policy rules for a role to specify network access settings for a specic user role. Network policies are a set of rules, dened in a specic order, that determine how connections are authorized or denied. If you do not dene policy rules for a role, the role's default action is applied to all traffic subject to that role. However, if you require user-specic lter denitions, then the lter ID conguration identies the specic role that is applied to the user. ExtremeWireless supports IPv6 prexes specied in policy lter rules. With a few considerations:
You cannot congure Captive Portal Redirection using IPv6 classiers. While you can http to IPv6 websites, you cannot apply Captive Portal redirection to http [s] over IPv6 . Policy Rules Application visibility rules are ignored for http[s] ows over IPv6. Related Links Understanding the Filter Rule Denition Dialog on page 302 L7 Conguration on page 307 ExtremeWireless V10.41.06 User Guide 288 Conguring Roles Matching Policy Rules Criteria The following criteria apply when trying to match rules. Many of these criteria accept a range of addresses or codes not just a single address or code. A policy rule consists of:
Match criteria An optional access control action (allow, deny) An optional class of service assignment D Policy rules can match on:
Source MAC address Destination MAC address IPv4 or IPv6 Source IP address IPv4 or IPv6 Destination IP address Source layer 4 port Destination layer 4 port IPv4 or IPv6 Source socket (IP address + port) IPv4 or IPv6 Destination socket (IP address + port) IP type ICMP (Internet Control Message Protocol) packet type and code ToS/DSCP marking 802.1p priority Ethertype raft Policy rule access control actions can be:
- Allow: Forward matching frames on the WLAN Service's default topology.
- Deny: Drop matching frames.
- Contain to VLAN: Forward matching frames on the indicated VLAN.
- HTTP Redirect: Redirect traffic to the default URL 'Own WLAN' or to a URL that is defined on the Redirection URL screen. For more information, see Managing Redirection URLs on page 421. You can also specify a Redirection URL when you configure an External Captive Portal. For more information, see Configuring Firewall Friendly External Captive Portal on page 353.
- None: The rule does not have an access control action. The matching engines ignore a rule with an access control action of 'None'.

Rule-Based Redirection

You can now configure policy rules to explicitly redirect traffic to the captive portal definition assigned to the role, regardless of authentication status. Rule-based Redirection applies to HTTP and HTTPS traffic and explicitly defines when traffic will be redirected. In previous releases, an unauthenticated client was automatically redirected to an ECP when a deny action occurred on HTTP(S) traffic. Rule-based redirection requires explicit enablement. For new installations, Rule-based Redirection is enabled by default. For upgrades from releases prior to v10.11, ExtremeWireless preserves the previous captive portal redirection method of triggering redirect off denied HTTP/HTTPS for non-authenticated roles. To enable Rule-based Redirection upon an upgrade, go to VNS > Global > Filtering Mode.

Figure 86: Enabling Rule-based Redirection

To use Rule-based Redirection:
1. Verify that the feature is enabled.
2. Configure roles with policy rules for redirection. Add the Redirect rules to the (non-auth) role definition; otherwise, the Deny All default action is interpreted explicitly, and traffic will be denied, not redirected.
3. Configure a list of redirection URLs. Specify the redirection URL on the Role VLAN & Class of Service tab. This value can be an IP address, URL, or host name if using L7 host name rules.
4. (Optional) If redirecting to an ECP, configure the captive portal for redirected traffic.

Rule-based Redirection is explicit when the redirection flag is enabled and a rule is defined for redirection. The redirection destination can be defined on the role or as part of a WLAN Service configuration. If a redirection destination is not configured, the default destination is 'Own WLAN', which indicates the WLAN of the device. Redirection is allowed on any port.

Figure 87: Example Role with Redirection specified.

Related Links
Understanding the Filter Rule Definition Dialog on page 302
Host Name DNS Support on page 312
Managing Redirection URLs on page 421
Configuring Firewall Friendly External Captive Portal on page 353
Configuring External and Mode 802.1 Captive Portal on page 351
Configuring Default VLAN and Class of Service for a Role on page 284

Configuring Rule-Based Redirection

Deciding how to configure HTTP Redirection depends on the type of traffic you are allowing and the default Access Control value you configure on the role. You must configure the policy rules in the following order:
1. Allow policies
2. Redirect policies (if using Rule-based Redirection)
3. Deny policies

Allow Policies

You can configure five Allow policies or any combination of Allow and Deny policies on a single role. The following are ways to implement policy rules:
- Allow All Policy. If you opt to allow all traffic, you only need one policy rule indicating that all traffic is allowed.

Figure 88: Allow All Policy Configuration

- Combination of Allow and Deny policies, allowing specific traffic.

Figure 89: Policy Rules Configuration

- Deny All Policy. When opting to deny all traffic, you must first configure the 5 Allow policies that gather the parameters that direct the client to the FFECP. First configure the specific Allow policies, then configure the Deny All policy.

Figure 90: Deny All Policy Configuration

Redirect Policy

If Rule-based Redirection is enabled, configure at least one policy rule where the Access Control is set to HTTP Redirect. If Rule-based Redirection is disabled, configure at least one policy rule where the Access Control is set to Deny. For more information on configuring policy rules, including host name rules, see Understanding the Filter Rule Definition Dialog on page 302 and Configuring a Host Name Rule on page 312.

Related Links
Configuring Rule-Based Redirection on page 291
Understanding the Filter Rule Definition Dialog on page 302
Rule-Based Redirection on page 289
Host Name DNS Support on page 312
Configuring a Captive Portal on an AP on page 222

Rule Based Redirection to a Captive Portal

Redirecting to a captive portal is a common rule-based redirection use case. The following is an example Allow configuration for rule-based redirection to a captive portal. The role allows the station to use DHCP (Dynamic Host Configuration Protocol) and DNS:
- Access Control = Allow, Port = DNS
- Access Control = Allow, Port = DHCP Client
- Access Control = Allow, Port = DHCP Server

The role allows the station to communicate with the external captive portal server using HTTP or HTTPS:
- Access Control = Allow, IP/subnet = IP of Captive Portal Server

Then specify the Captive Portal Server on the VLAN & Class of Service tab in the Redirection URL field. The Redirection URL can be provided as a URL, IP address, or host name if using L7 Host Name DNS support.

The role must allow the station to send traffic to the controller's IP address on the VLAN containing the station's traffic; therefore, one Allow policy must include the IP/subnet that corresponds to the VLAN ID. Depending on the Default Access Control value on the role, this can be the VLAN ID specified on the role or the VLAN ID specified during WLAN Service configuration. When default Access Control = Allow, the VLAN ID on the WLAN Service configuration is used. When default Access Control = Contain to VLAN, the VLAN ID on the Role configuration is used.
- Access Control = Allow, IP/subnet = Configured VLAN subnet

Note: You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can use HTTP to reach IPv6 websites, you cannot apply Captive Portal redirection to HTTP(S) over IPv6.

Policy Rules for a Non-authenticated Role

A VNS' non-authenticated role controls the access of stations until the station completes authentication. The role can be as restrictive or open as necessary. If the station is expected to authenticate, then the role may need to grant it access to resources required to complete the authentication. For example, if the station is expected to perform captive portal authentication, then the non-authenticated role must allow the station to:
- Perform DHCP address acquisition
- Perform DNS name lookups
- Forward to the Captive Portal web server

Defining non-authenticated roles allows administrators to identify destinations that a mobile user is allowed to access without incurring an authentication redirection. Typically, the recommended default rule is Deny All. However, administrators should define a rule set that permits users to access essential services:
- DNS (IP of DNS server)
- Default Gateway (VNS Interface IP)

The administrator may grant unauthenticated stations access to other resources, but the recommended default action of a non-authenticated role is to drop all traffic that does not match a rule. Any HTTP streams requested by the client for denied targets are redirected to the specified location.

The non-authenticated role should allow access to the Captive Portal page IP address, as well as to any URLs for the header and footer of the Captive Portal page. This filter should also allow network access to the IP address of the DNS server and to the network address, the gateway of the Topology. The gateway is used as the IP for an internal Captive Portal page. An external Captive Portal provides a specific IP definition of a server outside the wireless network.

Redirection and Captive Portal credentials apply to HTTP traffic only. A wireless device user attempting to reach websites other than those specifically allowed in the non-authenticated filter is redirected to the allowed destinations. Most HTTP traffic outside of that defined in the non-authenticated filter is redirected.

Note: Although non-authenticated role definitions are used to assist in the redirection of HTTP traffic for restricted or denied destinations, the non-authenticated filter is not restricted to HTTP operations. The filter definition is general. Any traffic, other than HTTP, that the filter does not explicitly allow is discarded by the controller.

The non-authenticated filter is applied to sessions until they successfully complete authentication. The authentication procedure results in an adjustment to the user's applicable Policy Rule for the access role. Typically, default filter ID access is less restrictive than a non-authenticated profile. It is the administrator's responsibility to define the correct set of access privileges.
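The ordered, first-match evaluation that a non-authenticated role relies on can be made concrete with a small model. The following Python is an added example, not code from the ExtremeWireless product or this guide; the Rule and Packet field names, the evaluate() function and the sample addresses (RFC 5737 documentation ranges) are constructed for illustration. It builds the non-authenticated role described above (Allow rules for DNS, DHCP, the gateway and the captive portal server, then HTTP Redirect rules, with Deny All as the default action) and shows why the configured order matters: the same rules with an explicit Deny All placed first never reach the Redirect rules, so web traffic is dropped instead of redirected.

```python
"""Ordered, first-match policy rule evaluation for a non-authenticated role.

Added example; it is not code from ExtremeWireless or its user guide. The
Rule/Packet fields, evaluate() and the sample addresses are assumptions made
for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Access control actions named in the guide.
ALLOW, DENY, REDIRECT = "Allow", "Deny", "HTTP Redirect"


@dataclass
class Rule:
    action: str
    subnet: str = "0.0.0.0/0"          # IP/subnet column; "*.*.*.*" in the guide's tables
    ports: Optional[range] = None      # destination L4 port range; None matches any port
    protocol: Optional[str] = None     # "udp", "tcp" or None for any IP protocol
    description: str = ""


@dataclass
class Packet:
    direction: str   # "in": station -> network, "out": network -> station
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Inbound traffic is matched on its destination address, outbound traffic
    on its source address (the network-side host), so one rule covers both
    directions of a conversation with that host."""
    addr = pkt.dst_ip if pkt.direction == "in" else pkt.src_ip
    if ip_address(addr) not in ip_network(rule.subnet):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.ports is not None and pkt.dst_port not in rule.ports:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet,
             default_action: str = DENY) -> Tuple[str, Optional[Rule]]:
    """Walk the rules in configured order; the first match decides. When no
    rule matches, the role's default access control action applies."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule
    return default_action, None


# Constructed sample addresses (RFC 5737 documentation ranges).
DNS_SERVER = "192.0.2.53"
GATEWAY = "192.0.2.1"            # VNS interface / default gateway
CAPTIVE_PORTAL = "203.0.113.10"  # external captive portal server
STATION = "198.51.100.7"

# Non-authenticated role in the order the guide requires: Allow rules first,
# then Redirect rules, with Deny All as the role's default action.
NON_AUTH_ROLE = [
    Rule(ALLOW, f"{DNS_SERVER}/32", range(53, 54), "udp", "DNS"),
    Rule(ALLOW, "0.0.0.0/0", range(67, 69), "udp", "DHCP client and server ports"),
    Rule(ALLOW, f"{GATEWAY}/32", description="default gateway of the VNS"),
    Rule(ALLOW, f"{CAPTIVE_PORTAL}/32", description="captive portal server"),
    Rule(REDIRECT, "0.0.0.0/0", range(80, 81), "tcp", "redirect other HTTP"),
    Rule(REDIRECT, "0.0.0.0/0", range(443, 444), "tcp", "redirect other HTTPS"),
]

# The same rules with an explicit Deny All placed first: the Redirect rules
# are never reached, so HTTP is dropped instead of redirected.
MISORDERED_ROLE = [Rule(DENY, description="Deny All placed first")] + NON_AUTH_ROLE


def classify(rules: List[Rule]) -> dict:
    """Evaluate a few constructed flows against a role and return the actions."""
    flows = {
        "dns_query": Packet("in", STATION, DNS_SERVER, "udp", 53),
        "dhcp_discover": Packet("in", STATION, "255.255.255.255", "udp", 67),
        "portal_https": Packet("in", STATION, CAPTIVE_PORTAL, "tcp", 443),
        "other_http": Packet("in", STATION, "203.0.113.80", "tcp", 80),
        "other_ssh": Packet("in", STATION, "203.0.113.80", "tcp", 22),
        "gateway_reply": Packet("out", GATEWAY, STATION, "udp", 40000),
    }
    return {name: evaluate(rules, pkt)[0] for name, pkt in flows.items()}


if __name__ == "__main__":
    for name, action in classify(NON_AUTH_ROLE).items():
        print(f"{name:14s} -> {action}")
    print("misordered other_http ->", classify(MISORDERED_ROLE)["other_http"])
```

With the role in the recommended order, DNS, DHCP, the gateway reply and the portal connection are allowed, other HTTP is redirected, and SSH falls through to the Deny default; with Deny All moved to the front, the HTTP flow is denied because evaluation stops at the first match.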
Note: Administrators must ensure that the non-authenticated filter allows access to the corresponding authentication server:
- Internal Captive Portal: IP address of the VNS interface
- External Captive Portal: IP address of the external Captive Portal server

Non-authenticated Role Examples

Table 44 lists the rules that a basic non-authenticated role for internal Captive Portal should have, in the specified order:

Table 44: Non-authenticated Role Example A

In | Out | IP / Port | Allow | Description
x | x | IP address of the captive portal | x | Allow all incoming wireless devices access to the default gateway of the VNS.
x | x | IP address of the DNS Server | x | Allow all incoming wireless devices access to the DNS server of the VNS.
x | x | *.*.*.* | | Default access control action is to deny all.

Note: For external Captive Portal, an additional rule to Allow (in/out) access to the external Captive Portal authentication/web server is required.

If you place URLs in the header and footer of the Captive Portal page, you must explicitly allow access to any URLs mentioned in the authentication server's page, such as:
- Internal Captive Portal: URLs referenced in a header or footer
- External Captive Portal: URLs mentioned in the page definition

Table 45 is another example of a non-authenticated filter that adds additional policy rules. The additional rules do the following:
- Deny access to a specific IP address.
- Allow only HTTP traffic.

Table 45: Non-authenticated Role Example B

In | Out | IP / Port | Allow | Description
x | x | IP address of the default gateway | x | Allow all incoming wireless devices access to the default gateway of the VNS.
x | x | IP address of the DNS Server | x | Allow all incoming wireless devices access to the DNS server of the VNS.
x | x | [a specific IP address, or address plus range] | | Deny all traffic to a specific IP address, or to a specific IP address range (such as: 0/24).
x | x | *.*.*.*:80 | x | Allow all port 80 (HTTP) traffic.
x | x | *.*.*.* | | Default access control action is to deny all.

Once a wireless device user has logged in on the Captive Portal page and has been authenticated by the RADIUS server, the following rules apply:
- Role filters: If a filter ID associated with this user is returned by the authentication server, then the Role with the same name as the filter ID will be applied.
- Default filter: Applied if no matching filter ID is returned from the authentication server.

Authenticated Rules Examples

Here are examples of possible policy rules for authenticated users. Table 46 disallows some specific access before allowing everything else.

Table 46: Policy Rules Example A

In | Out | IP / Port | Allow | Description
x | x | *.*.*.*:22-23 | | SSH sessions
x | x | 192.168.18.0/24 | | Deny all traffic to a specific IP address or address range
x | x | *.*.*.* | x | Default action is to allow everything else

Table 47 allows some specific access and denies everything else.

Table 47: Policy Rules Example B

In | Out | IP / Port | Allow | Description
x | x | 192.168.18.0/24 | x | Allow traffic to a specific IP address or address range.
x | x | *.*.*.* | | Default action is to deny all.

Policy Rules for a Default Role

After authentication of the wireless device user, the default filter applies only after the following conditions are met:
- No filter ID attribute value is returned by the authentication server for this user.
- No Role match is found on the controller for the filter ID value.

The final rule in the default filter should be a catch-all rule for any traffic that did not match a filter. A final 'Allow All' rule in a default filter ensures that a packet is not dropped entirely if no match is found. VNS Role is also applicable for Captive Portal and MAC-based authorization.

Default Role Examples

The following are examples of policy rules for a default filter:

Table 48: Default Role Examples

In | Out | IP / Port | Allow | Description
x | | Port 80 (HTTP) on host IP 192.168.18.10 | | Deny all incoming wireless devices access to Web browsing the host
| x | 10.3.0.20, ports 10-30 | | Deny all traffic from the network to the wireless devices on the port range, such as FTP (port 21)
x | | 192.168.18.0/24 | x | Allow all other traffic from the wireless devices to the Intranet network
| x | 192.168.18.0/24 | x | Allow all other traffic from Intranet network to wireless devices
x | x | *.*.*.* | x | Default access control action is to allow or contain to VLAN
x | | Port 80 (HTTP) | | Deny all access to Web browsing
x | x | 10.3.0.20 | | Deny all access to a specific IP
x | x | [IP address range] | | Deny all access to an IP range
x | x | *.*.*.* | | Default action is to deny/drop

Policy Rules Between Two Wireless Devices

Traffic from two wireless devices that are on the same VNS and that are connected to the same AP will pass through the controller and therefore be subject to a filtering role. You can set up policy rules that allow each wireless device access to the default gateway, but also prevent each device from communicating with the other. Add the following two rules to a filter, before allowing everything else:

Table 49: Rules Between Two Wireless Devices

In | Out | IP / Port | Allow | Description
x | x | 10.3.2.25 | x | Allow access to the Gateway IP address of the VNS only
x | x | 10.3.5.28.0/24 | | Deny all access to the VNS subnet range (such as 0/24)
x | x | *.*.*.* | x | Default access control action is contain to VLAN.

Note: You can also prevent the two wireless devices from communicating with each other by setting Block MU to MU traffic. See Configuring a Basic WLAN Service on page 319.

Defining Policy Rules for Wireless APs

You can also apply policy rules on the wireless AP. Applying policy rules at the AP helps restrict unwanted traffic at the edge of your network. All APs support 64 rules. Filtering at the AP can be configured with the following Topology types:
- Bridge Traffic Locally at the AP: If filtering at the AP is enabled on a Bridge Traffic Locally at the AP topology, the filtering is applied to traffic in both the inbound and outbound direction; the inbound direction is from the wireless device to the network, and the outbound direction is from the network to the wireless device.
- Routed and Bridge Traffic Locally at the EWC: If filtering at the AP is enabled on a Routed or Bridge Traffic Locally at the EWC topology, the filtering is applied only to traffic in the inbound direction.

The filters applied in the outbound direction at the AP can be the same as or different from filters applied at the controller. A role can use more than one topology and more than one type of topology. If a role uses at least one Bridged at AP topology, the AP filters all inbound traffic assigned to the rule. The controller performs all outbound filtering.

Configuring Policy Rules

From the Policy Rules tab, create and work with the policy rules for a role. If you do not define policy rules for a role, then the role's default action is applied to all traffic subject to the role.

To configure policy rules:
1. Navigate to the Policy Rules tab (click VNS > Roles > Policy Rules). By default, the Rules tab appears, displaying a list of Policy Rules for the Role.
2. You can take the following actions:
- Add
- Edit
- Delete
- Up
- Down
- Top
- Bottom

For information about adding or editing a rule, see Understanding the Filter Rule Definition Dialog on page 302.

Related Links
Configuring a Captive Portal on an AP on page 222
Rule-Based Redirection on page 289

Understanding the Policy Rules Tab

The Policy Rules tab displays the authentication policy rules for a user role. If you do not define policy rules for a role, then the role's default action is applied to all traffic subject to the role.

Figure 91: Policy Rules Tab

Table 50: Policy Rules Tab - Fields and Buttons

Field/Button | Description
Inherit policy rules from currently applied role | Select if you do not want to apply new filter settings. If you do not apply new filter settings, the wireless client uses filter settings from a previously applied role. If rules were never defined, then the system enforces the rules from the Global Default Policy. If you choose to apply new filter settings by not selecting this option, the new filter settings will overwrite any pre-existing filter settings.
Allow action in policy rules contains to the VLAN assigned by the role | The flag is provided for backward compatibility. The administrator can achieve the same effect by modifying each rule with an "Allow" action to "Contain to VLAN", where the containment VLAN is the one referenced by the role's default access control action. When enabled, the "Allow" action forwards the packet on the VLAN of the assigned topology of the containing policy. If the policy does not have a default topology, a series of decision rules are applied to decide which topology the packet is forwarded on. When disabled, the "Allow" action in policy rules is interpreted as "contain to PVID". Note: This option only appears on roles that have been upgraded to 8.31 or later from a previous release and on new roles that have custom AP filtering enabled.
AP Filtering | Select to apply the configured rules to the AP.
Custom AP Rules | Select to create a new filter definition to apply to the AP.
Rules/Custom AP rules Tab | The rule list has the following columns:
In | Identifies the rule that applies to traffic from the wireless device that is trying to get on the network. You can change this setting using the drop-down menu. Options include: Source (src); None; Both - available in Advanced Filtering Mode only.
QoS | Indicates if the rule has QoS enabled. Policy-enabled QoS is a network service that provides the ability to prioritize different types of traffic and to manage bandwidth over a network.
Name | Displays the IP address and port to which this policy rule applies.
Protocol | Displays the applicable protocol.
Action | Identifies the access control.
Out | Identifies which IPv4 address field is matched by the rule when applied in the outbound direction (toward the wireless device). You can change this setting using the drop-down menu. Options include: Destination (dest); Source (src) - available in Advanced Filtering Mode only; None; Both - available in Advanced Filtering Mode only. The role for outbound traffic may be impacted by the selection (mode) for Egress Filtering. For more information, see Configuring Egress Filtering Mode on page 410.
Add | Click to add a new rule. The Filter Rule Definition dialog displays. See Understanding the Filter Rule Definition Dialog on page 302.
Edit | Click to edit the selected definition. See Understanding the Filter Rule Definition Dialog on page 302.
Delete | Click to delete the rule.
Up, Down, Top, Bottom | Select a rule and click to either move the rule up or down in the list, or move the rule to the top of the list. The policy rules are executed in the order in which you define them.
Save | Click to save the configuration.

Custom AP Rules

In general, an AP that performs filtering should apply the same set of policy rules for a role as the controller. However, this is not mandatory. An AP can enforce a different set of rules than the controller. In general, avoid using Custom AP filters. Custom AP filters are provided primarily for backward compatibility. For example, they are useful when using policies that have more than 32 rules. There are restrictions on a role that uses custom AP filtering, including the following:
- The Custom Rules option is not visible when L7 filter rules are present.
- The role cannot use Layer 2 filter rules.
- The role cannot use 'Contain to VLAN' actions in rules.
- The role's default action must be 'Contain to VLAN' or 'No Change'.
- The role's static untagged egress VLAN list must be empty.

Related Links
Creating a Custom AP Filter on page 301
Understanding the Filter Rule Definition Dialog on page 302

Creating a Custom AP Filter

Note: The AP Filtering option is not available when L7 filters are present. For more information, see Configuration Rules with L7 Filters on page 307.

To create a custom AP filter:
1. Click VNS > Roles > Policy Rules and select the AP Filtering check box. The Custom AP Rules check box appears.
2. Select the Custom AP Rules check box. The Custom AP Rules tab appears.
3. Click the Custom AP Rules tab.
4. You can take the following actions:
- Add
- Edit
- Delete
- Up
- Down
- Top
- Bottom

For information about adding or editing a rule, see Understanding the Filter Rule Definition Dialog on page 302.

Related Links
Custom AP Rules on page 301

Understanding the Filter Rule Definition Dialog

Define filter rules from the Filter Rule Definition dialog (Figure 92). This dialog displays when you click Add or Edit from the Rules tab or from the Custom AP Rules tab.

Figure 92: Filter Rule Definition Dialog

Table 51: Filter Rule Definition Dialog - Fields and Buttons

Field/Button | Description
Classification | Select Layers 2-4 to display configuration options for the data link, routing, and transport layers. Select Layer 7 to configure options related to the application layer. For more information, see Layer 7 configuration.
Direction |
In Filter | In the drop-down menu, select which IPv4 addresses in the IP header to match for traffic flowing from the station to the network. Options include: Destination (dest); Source (src) - available in Advanced Filtering Mode only; None; Both - available in Advanced Filtering Mode only.
Out Filter | In the drop-down menu, select which IPv4 addresses in the IP header to match for traffic flowing from the network to the station. Options include: Destination (dest); Source (src) - available in Advanced Filtering Mode only; None; Both - available in Advanced Filtering Mode only. The role for outbound traffic rules may be impacted by the selection (mode) for Egress Filtering. For more information, see Configuring Egress Filtering Mode on page 410. Note: You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can use HTTP to reach IPv6 websites, you cannot apply Captive Portal redirection to HTTP(S) over IPv6.
Classification - Layer 2, 3, 4 |
Ethertype | Select a matching Ethertype filter for the selected policy rule.
Mac Address | Select Any MAC or User Defined and provide the MAC Address.
Priority | Select a Priority from the drop-down list.
IP/subnet | Select one of the following: IP - select to map the rule to the associated Topology IP address. Subnet - select to map the rule to the associated Topology segment definition (IP address/mask). User Defined, then type the destination IP address and mask. Use this option to explicitly define the IP/subnet aspect of the rule.
Port | From the Port drop-down list, select one of the following: User Defined, then type the port number. Use this option to explicitly specify the port number. A specific port type. The appropriate port number or numbers are added to the Port text field.
Protocol | In the Protocol drop-down list, click the applicable protocol. The default is N/A.
ToS/DSCP | Select the ToS/DSCP value to match, if any, to define the Layer 3, 4 ToS/DSCP bits. Enter a hexadecimal value in the 0x (DSCP:) field. Click the Select button to open the ToS/DSCP Configuration dialog. For more information, see Priority and ToS/DSCP Marking on page 491.
Mask | This is a mask for the ToS/DSCP field match. The mask allows the match to be based on specific bits in the ToS/DSCP match value. Enter a hexadecimal value.
Application |
Application | Select from one of the following pre-defined IDs to support L5+ filtering: None; Link Local Multicast Name Resolution Query; Link Local Multicast Name Resolution Response; Simple Service Discovery Protocol Query; Simple Service Discovery Protocol Unsolicited Announcement; mDNS-SD Query; mDNS-SD Response.
Access Control Action | Select from one of the following: None - No role defined. Allow - Packets contained to role's default action's VLAN topology. Deny - Any packet not matching a rule in the policy is dropped. Containment VLAN - A topology to use when a VNS is created using a role that does not specify a topology. HTTP Redirect - Indicates redirect action. Rule-based Redirection is explicit when the redirection flag is enabled and a rule is defined for redirection. The redirection destination can be defined on the role or as part of a WLAN Service configuration. If a redirection destination is not configured, the default destination is 'Own WLAN', which indicates the WLAN of the device. Redirection is allowed on any port. Note: Access control options Contain to VLAN and "Redirect" are not supported for L7 rules. For more information about Rule-based Redirection, see Rule-Based Redirection on page 289.
Class of Service | Select an existing class of service from the drop-down list. For information about how to configure a Class of Service, go to Configuring Roles on page 284.
Traffic Mirror | When enabled, this option sends a copy of the network packets to a mirroring L2 port for analysis, in an effort to monitor network traffic. The Purview Engine analyses the traffic. The assigned port can only be used for traffic analysis. You can enable traffic mirroring from the WLAN Service, from the Role, or from the Filter Rule. Setting traffic mirroring at the Filter Rule takes precedence over settings for the Role and WLAN Service. The order of precedence for the traffic mirror setting is: Filter Rule, Role, WLAN Service. To set the L2 port, go to VNS > Global > Netflow/MirrorN Configuration. Valid values for Filter Rule and Role are: None - No traffic mirroring. Enable - Traffic mirroring enabled; traffic is copied if the filter rule matches or the role is applied. Prohibited - Traffic mirroring is prohibited for this role; traffic is not copied when the filter rule matches or the role is applied.
OK | Click to add the rule to the filter group. The information is displayed in the role rule table.
Cancel | Click Cancel to discard your changes.

Related Links
L7 Configuration on page 307
Rule-Based Redirection on page 289
Configuring Policy Rules on page 298
Configuring a Captive Portal on an AP on page 222

DPI L7 Configuration Restrictions

The Deep Packet Inspection (DPI) engine runs independently on the controller and on selected AP models (AP38xx and AP39xx). The DPI engine that is used depends on the underlying topology of the role. The controller DPI handles traffic for centralized topologies (Bridged@Controller and Routed) in both directions. The AP's DPI handles distributed topologies (Bridged@AP). Enabling App Visibility in the WLAN causes end-user traffic of the particular WLAN to be sent to and processed by the respective DPI engine. For DPI and L7 filters to work, each instance of the DPI engine running on the AP or on the controller must inspect traffic that is moving in both directions of the connection.

The mixed topologies (B@AP & tunneled in the same role) are not supported, and are disabled in the user interface, when L7 application rules are defined in a role. As a result, the Contain to VLAN Action option is unavailable for configuration of an L7 Application Rule. For more information, see Configuration Rules with L7 Filters on page 307.

Related Links
Configuration Rules with L7 Filters on page 307
L7 Configuration on page 307

Configuration Rules with L7 Filters

The controller imposes the following L7 filter configuration rules:
- Rule #1: If L7 filter rules are configured, AP filter and custom AP filter in Roles are disabled and the corresponding check box options are hidden. This allows the Configuration Manager to configure the system for upstream filtering at the controller, if possible, with no mixed B@AC and B@AP configuration within a role (enforced by Rule #3).
- Rule #2: Access control options Contain to VLAN and "Redirect" are not supported for L7 rules.
- Rule #3: Configuration Manager (CM) checks the overall configuration as configuration is entered. If CM detects mixed B@AC and B@AP rules in the same role, and the role has L7 filter rules, then the configuration is rejected.
- Rule #4: For L2/L3/L4 rule configuration, if COS is configured, the GUI prompts users to set AP filter. But, if L7 rules are present, then the GUI will always disable the AP filter option. (See Rule #1.)

L7 Configuration

For DPI to identify a flow, TCP packets (three-way handshake exchanges and initial payload packets) must be allowed to pass through the system. If, after the traffic flow is classified, the system diverts the rest of the traffic flow to a different VLAN (and most likely to a different server), then the new server treats the packets as stray traffic. This is because the new server did not exchange a three-way handshake with the client for the connection.

Use this dialog to configure filters that allow or deny specific applications or application groups from running on the network, and to specify class of service and traffic mirroring. Define Layer 7 filter rules. This dialog displays when you select L7 on the Filter Rule Definition dialog.

Figure 93: L7 Properties - Filter Rule Definition Dialog

Table 52: Filter Rule Definition Dialog - Fields and Buttons

Field/Button | Description
Classification | Select Layer 7 to configure options related to the application layer. For more information about layers 2-4, see Understanding the Filter Rule Definition Dialog on page 302.
Direction |
In Filter | Select which IPv4 addresses in the IP header to match for traffic flowing from the station to the network. Options include:
- Destination (dest)
- Source (src) - available in Advanced Filtering Mode only
- None
- Both - available in Advanced Filtering Mode only
Out Filter | Select which IPv4 addresses in the IP header to match for traffic flowing from the network to the station. Options include: Destination (dest); Source (src) - available in Advanced Filtering Mode only; None; Both - available in Advanced Filtering Mode only. The role for outbound traffic rules may be impacted by the selection (mode) for Egress Filtering. For more information, see Configuring Egress Filtering Mode on page 410.
Application |
Search | Type the application to search for. The Group and Name fields are automatically populated when you select an application from the Search field.
Group | Internet applications are organized in groups based on the type or purpose of the application. Once you select an Application Group, the Name drop-down is populated with application names that are part of the specified group. See Application Groups on page 311.
Name | Names of applications that are a member of the specified group.
Custom Web Applications | You can include custom applications in the Filter Rule Definition dialog. For more information, see Including Custom Apps on page 313. Note: A role can be configured with application visibility rules and rules referencing IPv6 classifiers, but the application visibility rules are ignored for HTTP(S) flows over IPv6. They continue to apply to flows over IPv4.
Action |
Access Control | Select from one of the following: None - No role defined. No change - Default setting. Allow - Packets contained to role's default action's VLAN/topology. Deny - Any packet not matching a rule in the policy is dropped. Containment VLAN - A topology to use when a VNS is created using a role that does not specify a topology. Note: Do not specify a VLAN with a Routed topology if the IPv6 classifier is used; IPv6 classifiers are not supported on a Routed topology. HTTP Redirect - Indicates redirect action. Rule-based Redirection is explicit when the redirection flag is enabled and a rule is defined for redirection. The redirection destination can be defined on the role or as part of a WLAN Service configuration. If a redirection destination is not configured, the default destination is 'Own WLAN', which indicates the WLAN of the device. Redirection is allowed on any port. For more information about Rule-based Redirection, see Rule-Based Redirection on page 289.
Class of Service | Select an existing class of service from the drop-down list. For information about how to configure a Class of Service, go to Configuring Roles on page 284.
Traffic Mirror | Select from one of the following: None - No rule defined. Enable - Default setting. Prohibited - Traffic Mirroring prohibited for this Filter Rule.
OK | Click to add the rule to the filter group. The information is displayed in the role rule table.
Cancel | Click Cancel to discard your changes.

Related Links
DPI L7 Configuration Restrictions on page 306
Configuration Rules with L7 Filters on page 307
Application Groups on page 311
Allowing for Restricted Sets of Applications and Resources on page 311
Host Name DNS Support on page 312
Including Custom Apps on page 313

Application Groups

- Advertising
- Business Applications
- Certificate Validation
- Cloud Computing
- Cloud Storage
- Corporate Website
- Databases
- E-commerce
- Education
- Finance
- Games
- Health Care
- Location Services
- Mail
- News and Information
- Peer to Peer
- Protocols
- Real Time and Cloud Communications
- Restricted Content
- Search Engines
- Social Networking
- Software Updates
- Sports
- Storage
- Streaming
- Travel
- VPN and Security
- Web Applications
- Web Collaboration
- Web Content Services
- Web File Sharing
- All

ExtremeWireless Special Purpose Groups
- Unknown Apps
- Wild Card

Allowing for Restricted Sets of Applications and Resources

With the use of two new groups, the Unknown Apps group and the Wild Card group, you can configure policy filters that improve application control. Defined signature rules allow fine-tuning of how to handle traffic for specific applications or traffic categories. The Unknown Apps group allows you to take action on applications that the Deep Packet Inspection
(DPI) sensor does not recognize. When the DPI sensor fails to classify a ow, the ow is automatically ExtremeWireless V10.41.06 User Guide 311 Conguring Roles considered unknown and it is classied as part of the Unknown Apps group. You can assign standard actions (allow, deny, rate limit, etc) to ows belonging to the Unknown Apps group. The Wild Card group makes it simple to allow access to restricted sets of applications and resources. When conguring lters for restrictive sets:
1 Congure the Allowed application lters rst. 2 Congure a Deny lter specifying the Group = Wild Card and Name = All. 3 Congure a Deny lter specifying Group = Unknown Apps and Name = All. Host Name DNS Support When redirecting to an external captive portal (ECP), you can permit end users to log in with their credentials from a third-party site. ExtremeWireless builds a dynamic list of server addresses for sites by monitoring the DNS replies between DNS servers and the mobile user. D DNS Resolution on page 312 Conguring a Host Name Rule on page 312 RRelated Links Congure an Allow lter rule that applies to all learned server addresses for a specic site. The controller and AP handle DNS resolution (mapping of the host name to an IP address) at runtime for third-party login support. DNS resolution is handled by the AP for B@AP topologies and handled by the controller for B@AC and Routed topologies. First, congure a host name pattern in the Custom Application dialog as part of the Layer 7 lter conguration. The ExtremeWireless data plane inspects DNS replies for host name patterns that match the user-congured patterns. When a match is found, the host name IP pair is stored in the database. The data plane only considers the user-congured patterns when inspecting the DNS reply. raft For example, the pattern facebook.com matches any string that ends with facebook.com. Valid matches include any.facebook.com and 1.any.2.facboook.com. Patterns that do not match include: facebook.org.com. A single host name supports multiple IP addresses. The data plane reserves space for up to 128 IP addresses per host name. DNS Resolution Conguring a Host Name Rule DNS-based rules are dened as custom L7 signatures. ExtremeWireless matches the dened pattern to the corresponding IP address. Take the following steps to congure a rule that allows mobile clients to authenticate using credentials from a specic host. 1 Go to VNS > Roles > Policy Rules and click Add. 2 Create a new lter denition. 
   For more information, see Understanding the Filter Rule Definition Dialog on page 302.
3. On the Filter Rule Definition dialog, select the L7 radio button.
4. Select the link Custom Web Applications.
5. Click the plus button and configure the parameters on the Custom Web Application dialog. Specify Type = Host name. The Host Name type differentiates the definition from other extended signatures.

Figure 94: Host Name Rule Configuration

Custom Apps List

Use the custom web application definition editor to define the characteristics of traffic fingerprints used for Deep Packet Inspection and Layer 7 policy enforcement.

To add or remove custom Apps from the Filter Rule Definition dialog:
1. Select Custom Web Applications.
2. To add an App, click the plus sign. See Including Custom Apps on page 313.
3. To remove an App, select the App and click the minus sign.
4. Click OK.

Related Links
Understanding the Filter Rule Definition Dialog on page 302
L7 Configuration on page 307
Including Custom Apps on page 313

Including Custom Apps

To add custom apps to the L7 Filter Rule Definition dialog:
1. From the Filter Rule Definition dialog, select L7.
2. Click Custom Web Application.
3. Click the plus sign and enter the following:
   - Group. Internet applications are organized in groups based on the type or purpose of the application. Once you select an Application Group, the Application Name drop-down is populated with application names that are part of the specified group. The group names are pre-defined standard Extreme Application Analytics signature groups. The group names are case-sensitive.
   - Type. Type of authentication. Valid values are:
     - Signature. Standard IP address sent in Signature.
     - Layer 3 host name. Authentication based on User Defined IP/subnet parameter in Layer 3 configuration. You can define up to 64 host name patterns per controller or site.
   - Matching Pattern. The Matching Pattern is the URL pattern that is associated with the application (case-sensitive, up to 64 characters).

Figure 95: Adding Custom Web Applications

4. Click OK. The Custom Web Application list displays.

Figure 96: Custom Web Applications List

5. Select the check box and click OK to add the custom app to the Name drop-down field on the L7 Configuration dialog.

Figure 97: L7 Configuration: Custom Apps with hostname rule

Related Links
Application Groups on page 311
Host Name DNS Support on page 312

Partially Specified Policy

A partially specified policy is one that has No change selected for filters, default topology, or default QoS. When two policies are applied to a station and one of them is partially specified, the No change settings are overwritten by the settings of the other policy. When a station successfully authenticates and is assigned a partially specified policy, the No change elements of the policy are replaced with the corresponding elements of the WLAN Service's default authenticated policy.

Consider the following example. Suppose a VNS is defined that uses policy P1 for its default non-authenticated policy and policy P2 for its default authenticated policy. Policy P1 assigns the station to topology T1 and policy P2 assigns the station to topology T2. Suppose there is a policy P3, which has "No change" set for its topology. A client on the VNS will be assigned to P1 with topology T1 when it first associates to the VNS. Now suppose the station is assigned P3 by the RADIUS server when the station authenticates. Even though the station is on T1 and P3 has No change set for the topology, the station will be assigned to T2. When the client is authenticated, internally on the controller, the client is first assigned to P2, then P3 is applied.

A similar scenario exists when the hybrid mode policy feature is set to use Tunnel-Private-Group-ID to assign both policy and topology but, for some reason, the VLAN-ID-to-Policy mapping table does not contain a mapping for the returned Tunnel-Private-Group-ID. In this case a station that successfully authenticates would be assigned the filters and default QoS of the WLAN Service's default authenticated policy and the topology with the VLAN ID contained in the Tunnel-Private-Group-ID of the ACCESS-ACCEPT response.

If this is not the desired behavior, then consider the following:
- Avoid using partially specified policies.
- When the controller is configured to map the VLAN ID in the Tunnel-Private-Group-ID response to a policy using the mapping table, ensure that there is a policy mapping for each VLAN ID that can be returned to the controller by the RADIUS server.

7 Configuring WLAN Services

WLAN Services Overview
Third-party AP WLAN Service Type
Configuring a Basic WLAN Service
Configuring Privacy
Configuring Accounting and Authentication
Configuring QoS Modes
Configuring Hotspots

WLAN Services Overview

A WLAN (Wireless Local Area Network) Service represents all the RF, authentication and QoS attributes of a wireless access service. The WLAN Service can be one of the following types:

- Standard: A conventional service. Only APs running Extreme Networks ExtremeWireless software can be part of this WLAN Service. This type of service may be used as a Bridged @ Controller, Bridged @ AP, or Routed VNS. This type of service provides access for mobile stations. Therefore, roles can be assigned to this type of WLAN service to create a VNS.
- Third Party AP: A wireless service offered by third party APs. This type of service provides access for mobile stations. Therefore, roles can be assigned to this type of WLAN service to create a VNS.
- Dynamic Mesh and WDS (Static Mesh): A group of APs organized into a hierarchy for the purposes of providing a Wireless Distribution Service. This type of service is in essence a wireless trunking service rather than a service that provides access for stations. As such, this service cannot have roles attached to it.
- Remote: A service that resides on the edge (foreign) controller. Pairing a remote service with a remoteable service on the designated home controller allows you to provision centralized WLAN Services in the mobility domain. This is known as centralized mobility. The remote service should have the same SSID name and privacy as the home remoteable service. Any WLAN Service/VNS can be a remoteable service, though deployment preference is given to tunneled topologies (Bridged@Controller and Routed). To reduce the amount of information distributed across the mobility domain, you will explicitly select which WLAN Services are available from one controller to any other controller in the mobility domain. The WLAN Service remoteable property is synchronized with the availability peer, making the WLAN service published by both the home and foreign controllers.

  The following types of authentication are supported for remote WLAN services:
  - None
  - Guest Portal
  - Internal/External Captive Portal
  - Guest Splash
  - AAA/802.1x

Third-party AP WLAN Service Type

For more information, see Working with Third-party APs on page 561.

A third-party AP WLAN Service allows for the specification of a segregated subnet by which non-Extreme Networks ExtremeWireless APs are used to provide RF services to users while still utilizing the controller for user authentication and user role enforcement.

Note: Third-party AP devices are not fully integrated with the system and therefore must be managed individually to provide the correct user access characteristics.

The definition of third-party AP identification parameters allows the system to differentiate the third-party AP device (and corresponding traffic) from user devices on that segment. Devices identified as third-party APs are considered pre-authenticated, and are not required to complete the corresponding authentication verification stages defined for users in that segment (typically Captive Portal enforcement). In addition, third-party APs have a specific set of filters (third-party) applied to them by default, which allows the administrator to provide different traffic access restrictions to the third-party AP devices for the users that use those resources. The third-party filters could be used to allow access to third-party AP management operations (for example, HTTP, SNMP (Simple Network Management Protocol)).

Configuring a Basic WLAN Service

To configure a WLAN service:
1. Go to VNS > WLAN Services.

Figure 98: Configuring a WLAN Service

2. Click New to create a new service.

Figure 99: New WLAN Service

   a. Enter a name for the WLAN service.
   b. Select the service type.
   c. Change the SSID (optional).
   d. Enable Hotspot functionality (optional). For more information, see Configuring Hotspots on page 376.
   e. The default status of the WLAN service is Synchronized and Enabled.
      - Synchronize: Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable Synchronize.
      - Enabled: By default the WLAN Service is enabled. Clear this check box to disable the WLAN Service.
   f. Click Save.

3. For information about fields and buttons on this page, see Table 53.

Figure 100: WLAN Service Configuration

Table 53: WLAN Services Configuration Page

Core
  Service Type: Select the type of service to apply to this WLAN service. Options include:
    - Standard
    - WDS
    - Mesh
    - Third Party AP
    - Remote
    If you selected Remote as the Service Type, select the Privacy type. If you set Service Type as either Standard or Remote, select Synchronize, in the Status area, if desired. Enabling this feature allows availability pairs to be synchronized automatically.
  Name: Enter a name for this WLAN service.
  SSID: The software automatically populates this field with the WLAN service name that you supply. Optionally, you can change this. If you are creating a remote WLAN service, select the SSID of the remoteable service that this remote service will be paired with.
  Default Topology: From the drop-down list, select a preconfigured topology, topology group, or click New Topology to create a new one. Refer to Configuring a Basic Data Port Topology on page 266 for information about how to create a new topology. A WLAN service uses the topology of the role assigned to the VNS, if such a topology is defined. If the role doesn't define a topology, you can assign an existing topology as the default topology to the WLAN service. If you choose not to assign a default topology to the WLAN service, the WLAN service will use the topology of the global default policy (by default, Bridged at AP Untagged).
    Note: You cannot assign a default topology to a WDS, 3rd party, or remote WLAN service.
  Default CoS (Class of Service): From the drop-down list, select a preconfigured CoS or click New CoS to create a new one. Refer to Configuring Classes of Service on page 487 for information on how to create a new CoS. A WLAN service uses the CoS of the role assigned to the VNS, if such a CoS is defined. If the role doesn't define a CoS, you can assign an existing CoS as the default CoS to the WLAN service. If you choose not to assign a default CoS to the WLAN service, the WLAN service will use the CoS of the global default policy (by default, Bridged at AP Untagged).
    Note: You cannot assign a default CoS to a WDS, 3rd party, or remote WLAN service.
  Default Traffic Mirror: When enabled, this option sends a copy of the network packets to a mirroring L2 port for analysis, in an effort to monitor network traffic. The Purview Engine analyses the traffic. The assigned port can only be used for traffic analysis. You can enable traffic mirroring from the WLAN Service, from the Role, or from the Filter Rule. Setting traffic mirroring at the Filter Rule takes precedence over settings for the Role and WLAN Service. The order of precedence for the traffic mirror setting is: Filter Rule, Role, WLAN Service. To set the L2 port, go to VNS > Global > Netflow/MirrorN Configuration. Valid values for the WLAN Service are:
    - Prohibited - Traffic is not copied for this WLAN Service.
    - Enable in both directions - Traffic coming from wireless clients and traffic targeted at specific clients is copied.
    - Enable in direction only - Traffic generated by wireless clients only is copied.
    Note: Traffic Mirror configured in WLAN service applies to TCP/UDP only.
  App Visibility: Check this option to enable Application Visibility and Application Enforcement on the specific WLAN. Application Visibility allows the controller to capture throughput and byte statistics for 31 pre-selected application groups per client. The data is refreshed every 2 minutes. Enabling this option increases CPU load. Clear this option when Application Visibility and Application Enforcement is not required.

Status
  Synchronize: Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable this feature.
  Enable: The WLAN service is enabled by default, unless the number of supported enabled WLAN services has been reached. To disable the WLAN service, clear the check box.

Wireless APs
  Select APs: Select APs and their radios by grouping. Options include:
    - all radios - Click to assign all of the APs' radios.
    - all ports - Click to assign all of the AP ports for an AP3912.
    - radio 1 - Click to assign only the APs' Radio 1.
    - radio 2 - Click to assign only the APs' Radio 2.
    - local APs - all radios - Click to assign only the local APs.
    - local APs - radio 1 - Click to assign only the local APs' Radio 1.
    - local APs - radio 2 - Click to assign only the local APs' Radio 2.
    - foreign APs - all radios - Click to assign only the foreign APs.
    - foreign APs - radio 1 - Click to assign only the foreign APs' Radio 1.
    - foreign APs - radio 2 - Click to assign only the foreign APs' Radio 2.
    - clear all ports - Click to clear all of the AP port assignments.
    - clear all selections - Click to clear all of the AP radio assignments.
    - original selections - Click to return to the AP radio selections prior to the most recent save.
    Note: If two controllers have been paired for availability (for more information, see Availability on page 537), each controller's registered APs are displayed as foreign in the list of available APs on the other controller.
  Radio 1: Assign the APs' Radios to the service by selecting the individual radio check boxes. Alternatively, you can use the Select APs list.
  Radio 2: Assign the APs' Radios to the service by selecting the individual radio check boxes. Alternatively, you can use the Select APs list.
  Ports: Supported on the AP3912 and AP3917. Select one or more client ports for each WLAN Service. One WLAN can be assigned per port. The assignment enables the port. Wireless and wired users associated to the same WLAN service receive identical service. They are affected by the same policies and filters. Alternatively, you can use the Select APs list.
  CAM: Camera port for the AP3916ic. For more information, see Assigning WLAN Services to Client Ports on page 170.
  IoT: Client port for the IoT Network Thread, supported on all AP391x models. For more information, see IoT Thread Gateway on page 196.
  Airtime %: Percentage of airtime. Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANs configured with Reserved Airtime. For more information, see Configuring Airtime Fairness: Reservation Mode on page 406.
  AP Name: Displays the AP name that you assigned on the AP Properties screen.

Advanced: Click to access the WLAN service advanced configuration options. The Advanced configuration page options are described in Advanced WLAN Service Configuration on page 326.
New: Click to create a new WLAN service.
Save: Click to save the changes to this WLAN service. If you are creating a new service, the WLAN Services configuration window is displayed, allowing you to assign APs to the service.
Delete: Click to delete this WLAN service.

After you have assigned an AP Radio to eight WLAN Services, it will not appear in the list for another WLAN Service setup. Each Radio can support up to eight SSIDs (16 per AP). Each AP can be assigned to any of the VNSs defined within the system.

Note: If two controllers have been paired for availability, each controller's registered wireless APs are displayed as foreign in the list of available APs on the other controller. For more information, see Availability on page 537.

The controller can support the following active VNSs:
- C5110: Up to 128 VNSs
- C5210: Up to 128 VNSs
- C5215: Up to 128 VNSs
- C4110: Up to 64 VNSs
- C25: Up to 16 VNSs
- C35: Up to 16 VNSs
- V2110: Up to 128 VNSs

Note: You can assign the Radios of all three AP variants (ExtremeWireless Appliance, Outdoor AP, and Wireless 802.11n AP) to any VNS.

Advanced WLAN Service Configuration

Table 54: Advanced WLAN Service Configuration Page

Timeout
  Idle (pre): Specify the amount of time in minutes that a Mobile user can have a session on the controller in pre-authenticated state during which no active traffic is passed. The session will be terminated if no active traffic is passed within this time. The default value is 5 minutes.
  Idle (post): Specify the amount of time in minutes that a Mobile user can have a session on the controller in authenticated state during which no active traffic is passed. The session will be terminated if no active traffic is passed within this time. The default value is 30 minutes.
  Session: Specify the maximum number of minutes of service to be provided to the user before the termination of the session.

RF - select one or more of the following options:
  Suppress SSID: Select to prevent this SSID from appearing in the beacon message sent by the AP. The wireless device user seeking network access will not see this SSID as an available choice, and will need to specify it.
  Enable 11h support: Select to enable 11h support. By default this option is disabled. It is recommended that you enable this option.
  Apply power reduction to 11h clients: Select to enable the AP to use reduced power (as does the 11h client). By default this option is disabled. It is recommended that you enable this option. This option is available only if you enable 11h support.
  Process client IE requests: Select to enable the AP to accept IE requests sent by clients via Probe Request frames and respond by including the requested IEs in the corresponding Probe Response frames. By default this option is disabled. It is recommended that you enable this option.
  Energy Save Mode: Select to reduce the number of beacons the AP transmits on a BSSID when no client is associated with the BSSID. This reduces both the power consumption of the AP and the interference created by the AP when no client is associated.
  Radio Management (11k) support: Select to enable background scan. Optionally, enable Beacon Report and/or Quiet IE.

Egress Filtering Mode
  Enforce explicitly defined Out rules: Traffic is filtered as configured. For more information, see Configuring Egress Filtering Mode on page 410.
  Apply In rules to out direction traffic: The roles of the source and destination addresses are reversed. For more information, see Configuring Egress Filtering Mode on page 410.

Client Behavior
  Block MU to MU traffic: Select the Block MU to MU traffic check box if you want to prevent two devices associated with this SSID and registered as users of the controller from being able to talk to each other. The blocking is enforced at the L2 (device) classification level.

802.1D
  8021D Base Port: xxx: The 802.1D Base Port number in the 802.1D area is the port number by which Extreme Management Center recognizes the SSID. It is read-only.

Remote Service
  Remoteable: Select the check box if you want to pair this service with a remote service.

Inter-WLAN Service Roaming
  Permit Inter-WLAN Service Roaming: Select to enable a client on a controller to maintain the session, including the IP address and role assignment, while roaming between VNSs having the same SSID and privacy settings. If not selected, when the client roams among VNSs, the existing session terminates and a new session starts, with the client having to associate and authenticate again. The list of VNSs that share the same SSID and privacy settings displays below.

Unauthenticated Behavior
  Discard Unauthenticated Traffic: Select the check box to drop all traffic flowing to and from an unauthenticated station.
  Default Non-Authenticated Policy: Select the check box to apply the default non-authenticated policy to all traffic flowing to and from an unauthenticated station.

Netflow: Click to Enable/Disable the Netflow flag. For more information, see Using Netflow/MirrorN on page 419.
Apply: Click to apply changes.
Cancel: Click to close the Advanced dialog without saving changes.

Configuring Privacy

Privacy is a mechanism that protects data over wireless and wired networks, usually by encryption techniques. The controller provides several privacy mechanisms to protect data over the WLAN. The following are privacy options:
- None
- Static Keys (WEP): Keys for a selected VNS, so that it matches the WEP mechanism used on the rest of the network. Each AP can participate in up to 50 VNSs. For each VNS, only one WEP key can be specified. It is treated as the first key in a list of WEP keys.
- Dynamic Keys: The dynamic key WEP mechanism changes the key for each user and each session.
- Wi-Fi Protected Access (WPA): version 1 with encryption by temporal key integrity protocol (TKIP); version 2 with encryption by advanced encryption standard with counter-mode/CBC-MAC protocol (AES-CCMP).
- Wi-Fi Protected Access (WPA) Pre-Shared Key (PSK): Privacy in PSK mode, using a Pre-Shared Key (PSK), or shared secret for authentication. WPA-PSK is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office.

Note: Regardless of the AP model or WLAN Service type, a maximum of 112 simultaneous clients, per radio, are supported by all of the data protection encryption techniques.

About Wi-Fi Protected Access (WPA v1 and WPA v2)

Note: To achieve the strongest encryption protection for your VNS, it is recommended that you use WPA v.1 or WPA v.2.

WPA v1 and WPA v2 add authentication to WEP encryption and key management. Key features of WPA privacy include:
- Specifies 802.1x with Extensible Authentication Protocol (EAP)
- Requires a RADIUS or other authentication server
- Uses RADIUS protocols for authentication and key distribution
- Centralizes management of user credentials

The encryption portion of WPA v1 is Temporal Key Integrity Protocol (TKIP). TKIP includes:
- A per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet (unicast key) or after the specified re-key time interval (broadcast key) expires
- An enhanced Initialization Vector (IV) of 48 bits, instead of 24 bits, making it more difficult to compromise
- A Message Integrity Check or Code (MIC), an additional 8-byte code that is inserted before the standard WEP 4-byte Integrity Check Value (ICV). These integrity codes are used to calculate and compare, between sender and receiver, the value of all bits in a message, which ensures that the message has not been tampered with.

The encryption portion of WPA v2 is Advanced Encryption Standard (AES). AES includes:
- A 128-bit key length, for the WPA2/802.11i implementation of AES
- Four stages that make up one round. Each round is iterated 10 times.
- A per-packet key mixing function that shares a starting key between devices, and then changes their encryption key for every packet or after the specified re-key time interval expires.
- The Counter-Mode/CBC-MAC Protocol (CCMP), a new mode of operation for a block cipher that enables a single key to be used for both encryption and authentication. The two underlying modes employed in CCM include:
  - Counter mode (CTR) that achieves data encryption
  - Cipher Block Chaining Message Authentication Code (CBC-MAC) to provide data integrity

The following is an overview of the WPA authentication and encryption process:
1. The wireless device client associates with Wireless APs.
2. The Wireless AP blocks the client's network access while the authentication process is carried out (the controller sends the authentication request to the RADIUS authentication server).
3. The wireless client provides credentials that are forwarded by the controller to the authentication server.
4. If the wireless device client is not authenticated, the wireless client stays blocked from network access.
5. If the wireless device client is authenticated, the controller distributes encryption keys to the AP and the wireless client.
6. The wireless device client gains network access via the AP, sending and receiving encrypted data. The traffic is controlled with permissions and role applied by the controller.

Wireless 802.11n APs and WPA Authentication

Note: If you configure a WLAN Service to use either WEP or TKIP authentication, any wireless 802.11n AP associated to a VNS using that service will be limited to legacy AP performance rates.

If a VNS is configured to use WPA authentication, any wireless 802.11n AP within that VNS will do the following:
- WPA v.1: If WPA v.1 is enabled, the wireless AP will advertise only TKIP as an available encryption protocol.
- WPA v.2: If WPA v.2 is enabled, the wireless AP will do the following:
  - If WPA v.1 is enabled, the wireless AP will advertise TKIP as an available encryption protocol.
  - If WPA v.1 is disabled, the wireless AP will advertise the encryption cipher AES (Advanced Encryption Standard).

Note: If WPA v.2 is enabled, the wireless AP does not support the Auto option.

Note: The security encryption for some network cards must not be set to WEP or TKIP to achieve a data rate beyond 54 Mbps.

WPA Key Management Options

Wi-Fi Protected Access (WPA v1 and WPA v2) privacy offers you the following key management options:
- None: The wireless client device performs a complete 802.1x authentication each time it associates or tries to connect to an AP.
- Opportunistic Keying: Opportunistic Keying or opportunistic key caching (OKC) enables the client devices to roam fast and securely from one wireless AP to another in an 802.1x authentication setup. The client devices that run applications such as video streaming and VoIP require rapid reassociation during roaming. OKC helps such client devices by enabling them to rapidly reassociate with the APs. This avoids delays and gaps in transmission and thus helps in secure fast roaming (SFR).
  Note: The client devices should support OKC to use the OKC feature in the WLAN.
- Pre-authentication: Pre-authentication enables a client device to authenticate simultaneously with multiple APs in an 802.1x authentication setup. When the client device roams from one AP to another, it does not have to perform the complete 802.1x authentication to reassociate with the new AP as it is already pre-authenticated with it. This reduces the reassociation time and thus helps in seamless roaming.
  Note: The client devices should support pre-authentication to use the pre-authentication feature in the WLAN.
- Opportunistic Keying & Pre-auth: The Opportunistic Keying and Pre-auth option is meant for environments where device clients supporting either authentication method (OKC or Pre-Auth) may be expected. The method that is used in each case is up to the individual client device.

Configuring WLAN Service Privacy

To configure privacy:
1. From the top menu, click VNS. Then, in the left pane, select WLAN Services. The WLAN Services window displays.
2. Select the desired service to edit from the left pane. The WLAN Service configuration page is displayed.
3. Click the Privacy tab, then select the desired privacy method. The WLAN Services Privacy tab displays. Table 55 describes the WLAN services privacy tab fields and buttons.

Figure 101: Configuring WLAN Service Privacy

Table 55: WLAN Services Privacy Tab - Fields and Buttons

None: Select to configure a WLAN service with no privacy settings.
Static Keys (WEP): Select to configure static key (WEP) privacy settings.
WEP Key Index: From the WEP Key Index drop-down list, select the WEP encryption key index. Options are 1 to 4. This field is available only when configuring static keys.
WEP Key Length: From the WEP Key Length drop-down list, click the WEP encryption key length. Options are: 64-bit, 128-
bit, and 152-bit. This eld is available only when conguring static keys. ExtremeWireless V10.41.06 User Guide 331 Conguring WLAN Services Table 55: WLAN Services Privacy Tab - Fields and Buttons (continued) FField/Button Description Input Method Select one of the following input methods:
Input Hex: If you select Input Hex, type the WEP key input in the WEP Key box. The key is generated automatically, based on the input.
Input String: If you select Input String, type the secret WEP key string used for encrypting and decrypting in the Strings box. The WEP Key box is automatically filled with the corresponding Hex code.
WEP Key: Type the WEP key using the input method chosen above. This field is available only when configuring static keys.
Dynamic Keys (WEP): Select to configure dynamic keys (WEP) privacy settings.
WPA: Select to configure WPA privacy settings.
WPA - PSK: Select to configure dynamic keys (WEP) privacy settings.
WPA v.1: Select the check box to enable WPA v.1 encryption, and then select an encryption method:
Auto: If you click Auto, the AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default.
TKIP only: If you click TKIP, the AP advertises TKIP as an available encryption protocol. It will not advertise CCMP.
This field is available only when configuring WPA and WPA - PSK privacy settings.
Note: TKIP is no longer a supported configuration. Instead you will be directed to configure WPA/WPA2 mixed mode security.
WPA v.2: Select the check box to enable WPA v.2 encryption, and then select an encryption method:
Auto: If you click Auto, the AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). Auto is the default.
AES only: If you click AES, the AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
TKIP: If you click AES, the wireless AP advertises CCMP as an available encryption protocol.
This field is available only when configuring WPA and WPA - PSK privacy settings.
Key Management Options: Click one of the following key management options:
None: The mobile units (client devices) perform a complete 802.1x authentication each time they associate or connect to an AP.
Opportunistic Keying: Enables secure fast roaming (SFR) of mobile units. For more information, see Configuring WLAN Service Privacy on page 330.
Pre-authentication: Enables seamless roaming. For more information, see Configuring WLAN Service Privacy on page 330.
Opportunistic Keying & Pre-auth: For more information, see Configuring WLAN Service Privacy on page 330.
Broadcast re-key interval: To enable re-keying after a time interval, select the Broadcast re-key interval box, then type the time interval after which the broadcast encryption key is changed automatically. The default is 3600 seconds. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions, which will reduce the level of security for wireless communications.
Management Frame Protection: Select to enable or disable frame protection for WPA v.2 privacy.
Fast Transition: Click to Enable for 11r enabled APs. This feature only applies to 37xx and 38xx APs.
Input Method: Select one of the following input methods:
Input Hex: If you select Input Hex, type the pre-shared key as hex characters.
Input String: If you select Input String, type the pre-shared key as a string of characters.
Pre-shared key String: In the Pre-Shared Key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. To proofread your entry before saving the configuration, click Unmask to display the Pre-Shared Key. To mask the key, click Mask.
Save: Click to save the configuration.

Configuring Accounting and Authentication
The next step in configuring a WLAN Service is to set up the authentication mechanism. There are various authentication modes available:
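The key management options on the Privacy tab (None, Opportunistic Keying, Pre-authentication, Opportunistic Keying & Pre-auth) differ only in what the controller keeps in its PMK cache after a client completes 802.1x. The following is an added example, not code from the ExtremeWireless guide or product: it models the cache lookup that decides whether a roaming client gets a fast reassociation or is blocked until a full 802.1x exchange completes. The PMKID formula is the IEEE 802.11 one (HMAC-SHA1-128 over "PMK Name" || AP MAC || station MAC); the class and function names, sample BSSIDs, client MAC and PMK are assumptions constructed for the example.

```python
"""PMK caching behind the WPA key management options (None, Opportunistic Keying,
Pre-authentication, Opportunistic Keying & Pre-auth).

Added example; not code from the ExtremeWireless guide or product. It models the
controller-side PMKSA cache lookup only: class and function names, the sample BSSIDs,
client MAC and PMK are constructed. The PMKID formula is the IEEE 802.11 one:
PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
"""
import hashlib
import hmac

MODE_NONE = "none"
MODE_OKC = "okc"
MODE_PREAUTH = "preauth"
MODE_OKC_PREAUTH = "okc+preauth"   # the client decides which of the two it uses


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def pmkid(pmk: bytes, ap_mac: str, sta_mac: str) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA); AA = AP MAC, SPA = station MAC."""
    msg = b"PMK Name" + _mac_bytes(ap_mac) + _mac_bytes(sta_mac)
    return hmac.new(pmk, msg, hashlib.sha1).digest()[:16]


class PmkCache:
    """PMKSA cache keyed by PMKID for all APs behind one controller (assumed model)."""

    def __init__(self, key_mgmt: str, managed_aps):
        self.key_mgmt = key_mgmt
        self.managed_aps = list(managed_aps)
        self._cache = {}      # PMKID -> (station MAC, AP MAC)
        self.full_auths = 0   # number of complete 802.1x exchanges performed

    def _remember(self, pmk: bytes, sta: str, ap: str) -> None:
        self._cache[pmkid(pmk, ap, sta)] = (sta, ap)

    def full_8021x(self, sta: str, ap: str, pmk: bytes) -> None:
        """Client completed 802.1x on ap and the controller distributed keys (step 5 above)."""
        self.full_auths += 1
        if self.key_mgmt == MODE_NONE:
            return                          # nothing cached: every association repeats 802.1x
        self._remember(pmk, sta, ap)
        if self.key_mgmt in (MODE_OKC, MODE_OKC_PREAUTH):
            for other in self.managed_aps:  # OKC: the one PMK is valid at every managed AP
                self._remember(pmk, sta, other)

    def pre_authenticate(self, sta: str, ap: str, pmk: bytes) -> bool:
        """Client runs 802.1x with ap ahead of roaming, through its current AP.
        Only honoured when pre-authentication is one of the enabled options."""
        if self.key_mgmt not in (MODE_PREAUTH, MODE_OKC_PREAUTH):
            return False
        self.full_auths += 1
        self._remember(pmk, sta, ap)
        return True

    def reassociate(self, sta: str, ap: str, offered_pmkid) -> str:
        """'fast' when the PMKID the client offers is cached for (sta, ap): only the 4-way
        handshake follows. Otherwise the client is blocked until a full 802.1x completes."""
        if offered_pmkid is not None and self._cache.get(offered_pmkid) == (sta, ap):
            return "fast"
        return "full-802.1x"


def roam_outcomes(key_mgmt: str):
    """One client: 802.1x on AP1, pre-auth attempt with AP2, then roam to AP2 and AP3."""
    aps = ["00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"]  # constructed BSSIDs
    sta = "aa:bb:cc:dd:ee:ff"                                              # constructed client MAC
    # Constructed 32-byte PMK; in a real deployment it comes out of the EAP exchange.
    pmk = hashlib.sha256(b"constructed sample PMK " + key_mgmt.encode()).digest()
    cache = PmkCache(key_mgmt, aps)
    cache.full_8021x(sta, aps[0], pmk)
    cache.pre_authenticate(sta, aps[1], pmk)   # ignored unless a pre-auth option is enabled
    # The client computes the PMKID for the target AP itself and offers it when reassociating.
    return [cache.reassociate(sta, ap, pmkid(pmk, ap, sta)) for ap in aps[1:]]


if __name__ == "__main__":
    for mode in (MODE_NONE, MODE_PREAUTH, MODE_OKC, MODE_OKC_PREAUTH):
        print(f"{mode:12s} roam to AP2, AP3 -> {roam_outcomes(mode)}")
```

Running the script shows why the notes above insist on client support: with None both roams are full 802.1x exchanges, with Pre-authentication only the AP the client pre-authenticated with is fast, and with OKC every AP behind the controller is fast without the client having to contact it beforehand.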
None
Internal Captive Portal
External Captive Portal
GuestPortal
GuestSplash
Firewall-Friendly External Captive Portal
802.1x authentication (The wireless device user must be authenticated before gaining network access.)
Note: You cannot configure accounting and authentication for a remote WLAN service. The authentication that you configure for the corresponding remoteable WLAN service applies to the remote WLAN service as well.
The first step for any type of authentication is to select RADIUS servers for the following:
Authentication
Accounting
MAC-based authentication
The selected RADIUS servers are displayed in a tri-pane under RADIUS Servers. The RADIUS Server pane changes depending on the Authentication and Accounting methods you enable:
If the Authentication Mode is enabled, the Auth pane displays.
If MAC-based Authentication is enabled, a MAC pane displays.
If RADIUS Accounting is enabled, an Accounting pane displays.
For more information, see Selecting RADIUS Servers on page 335. For more information about captive portal, see Configuring Basic Captive Portal Settings on page 349.
Related Links
Selecting RADIUS Servers on page 335
MAC-Based Authentication for a WLAN Service on page 338
Defining Accounting Methods for a WLAN Service on page 336

Selecting RADIUS Servers
You have the option to specify up to three RADIUS servers for authentication and accounting. The first server in the list is the first active server for both Primary-Backup and Round-Robin. For Primary-Backup, the first server is also the primary server. In the event that the first server fails, the next server in the list (backup server) becomes active. In the case of a Round-Robin configuration, each server in the list is contacted in a round-robin fashion starting with the first server. See Configuring Advanced RADIUS Servers Settings on page 397.
To select RADIUS servers for authentication and accounting:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 Select one or more servers. The RADIUS Selection dialog displays. To select a server:
Click the + sign in the appropriate column heading to select a server for that specific function, or
Click Select RADIUS to apply your selection to all three functions.
Note: Once selected, the server is no longer available in the RADIUS servers selection list. The maximum number of selected servers is three.
5 Once you have more than one server listed, select a server and click Move Up or Move Down to arrange the order.
6 To save your changes, click Save.

Defining Accounting Methods for a WLAN Service
Accounting tracks the activity of wireless device users. There are two types of accounting available:
Controller accounting: Enables the controller to generate Call Data Records (CDRs), containing usage information about each wireless session. CDR generation is enabled on a per VNS basis. For more information on CDRs, refer to the section Call Detail Records (CDRs) on page 663.
RADIUS accounting: Enables the controller to generate an accounting request packet with an accounting start record after successful login by the wireless device user, and an accounting stop record based on session termination. The controller sends the accounting requests to a remote RADIUS server.
Controller accounting creates Call Data Records (CDRs). If RADIUS accounting is enabled, a RADIUS accounting server needs to be specified.
To define accounting methods:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service you want to define accounting methods for. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 Select an authentication method under Mode or click Enable MAC-based authentication. The Enable RADIUS Accounting check box displays.
5 In the Accounting column, select the RADIUS server. For more information, see Selecting RADIUS Servers on page 335.
Note: The RADIUS servers are defined on the Global Settings screen. For more information, see Defining RADIUS Servers and MAC Address Format on page 394.
Note: When multiple RADIUS servers are configured for a WLAN Service, Accounting packets are sent to the primary RADIUS server only. The secondary servers are used as fail over when necessary. When upgrading to v10.31.02, the previous behavior of sending Accounting packets to all servers is maintained.
6 Once a server is selected, click Configure.
7 The RADIUS Parameters dialog is displayed. The configured values for the selected server are displayed in the table at the top.
Figure 102: RADIUS Parameters dialog
8 For NAS IP Address, accept the default of Use VNS IP address or de-select the check box and type the IP address of a Network Access Server (NAS).
9 For NAS Identifier, accept the default of Use VNS name or type the Network Access Server (NAS) identifier. The NAS identifier is a RADIUS attribute that identifies the server responsible for passing information to designated RADIUS servers and then acting on the response returned.
10 For Auth. type, select the Protocol using the drop-down list. Choices are PAP, CHAP, MS-CHAP, or MS-CHAP2.
11 In the Password box, type the password that will be passed to RADIUS for wireless MAC authentication. To proofread your shared secret key, click Unmask. The password is displayed.
12 Click OK.
13 To enable controller accounting, select Collect Accounting Information of Wireless Controller.
14 To save your changes, click Save.

Configuring Authentication for a WLAN Service
802.1x Authentication
If 802.1x authentication mode is configured, the wireless device must successfully complete the user authentication verification prior to being granted network access. This enforcement is performed by both the user's client and the AP. The wireless device's client utility must support 802.1x. The user's EAP packets requesting network access, along with login identification or a user profile, are forwarded by the controller to a RADIUS server.
Captive Portal Authentication
For Captive Portal authentication, the wireless device connects to the network, but can only access the specific network destinations defined in the non-authenticated filter. For more information, see Policy Rules on page 288. One of these destinations should be a server, either internal or external, which presents a Web login page, the Captive Portal. The wireless device user must input an ID and a password. This request for authentication is sent by the controller to a RADIUS server or other authentication server. Based on the permissions returned from the authentication server, the controller implements role and allows the appropriate network access.
Captive Portal authentication relies on a RADIUS server on the enterprise network. There are three mechanisms by which Captive Portal authentication can be carried out:
Internal Captive Portal: The controller displays the Captive Portal Web page, carries out the authentication, and implements role.
External Captive Portal: After an external server displays the Captive Portal Web page and carries out the authentication, the controller implements role.
External Captive Portal with internal authentication: After an external server displays the Captive Portal Web page, the controller carries out the authentication and implements role.
RADIUS servers
RADIUS servers can perform the following for a WLAN Service:
Authentication: RADIUS servers are configured to provide authentication.
MAC authentication: RADIUS servers are configured to provide MAC-based authentication.
Accounting: RADIUS servers are configured to provide accounting services.
MAC-based authentication
MAC-based authentication enables network access to be restricted to specific devices by MAC address. The controller queries a RADIUS server for a MAC address when a wireless client attempts to connect to the network.

MAC-Based Authentication for a WLAN Service
MAC-based authentication can be set up on any type of WLAN Service. To set up a RADIUS server for MAC-based authentication, you must set up a user account with UserID=MAC and Password=MAC (or a password defined by the administrator) for each user. Specifying a MAC address format and role depends on which RADIUS server is being used. If MAC-based authentication is to be used in conjunction with 802.1x or Captive Portal authentication, an additional account with a real User ID and Password must also be set up on the RADIUS server. MAC-based authentication responses may indicate to the controller what VNS a user should be assigned to. Authentication (if enabled) can apply on every roam.
Related Links
Configuring MAC-Based Authentication on page 339

Configuring MAC-Based Authentication
This topic outlines the MAC-Based Authentication settings. Click the Configure button to open the MAC-Based Authorization dialog.
Figure 103: MAC-Based Authorization Configuration
Table 56: MAC-Based Authorization Configuration - Fields and Buttons
Field/Button: Description
MAC-based authorization on roam: Select the method for MAC-based authorization:
Never: disables the feature.
On inter-AP roam: enables MAC-based authorization on roam.
On inter-Area roam: enables MAC-based authorization sent to the RADIUS server on area roams.
Note: Enable this option if you want your clients to be authorized every time they roam to another AP or area. If this option is not enabled, and MAC-based authentication is in use, the client is authenticated only at the start of a session.
Automatically Authenticate Authorized Users: Select to automatically authenticate authorized users. When set, a station that passes MAC-based authentication is treated as fully authorized. For example, its authentication state is set to fully authenticated. This can trigger a change to the role applied to the station. If Captive Portal authentication is also configured on the WLAN Service, a station that passes MAC-based authentication will not have to pass Captive Portal authentication as well.
Allow Un-Authorized Users: Select to allow un-authorized users, which permits stations that do not pass MAC-based authentication to stay on the network in an un-authorized state. The station can be confined to a Walled Garden by its assigned role. If Captive Portal authentication is also configured on the WLAN Service, a station that fails MAC-based authentication can still become authorized by passing Captive Portal authentication.
RADIUS accounting begins after MAC-based authorization completes: Select to delay RADIUS accounting until after MAC-based authorization is complete.
RADIUS Server Timeout Role: Select a RADIUS Server Timeout Role from the drop-down list.

Assigning RADIUS Servers for Authentication
To assign RADIUS servers for authentication:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service.
3 Click the Auth & Acct tab.
Figure 104: Auth & Acct Tab
Table 57: WLAN Services Auth & Acct Tab - Fields and Buttons
Field/Button: Description
Authentication Mode: Select an authentication mode from the drop-down list: Disabled, 802.1x, Internal, External, Firewall Friendly External, Guest Portal, Guest Splash.
Configure: Click to configure the selected mode. For more information, see Configuring Accounting and Authentication on page 334.
Enable MAC-based authentication: Select to enable the RADIUS server to perform MAC-based authentication for the VNS with Captive Portal.
Collect Accounting Information of Wireless Controller: Select this check box to enable Controller accounting.
RADIUS Servers: To select a server, see Selecting RADIUS Servers on page 335. The RADIUS servers are defined on the Global Settings screen. For more information, see Defining RADIUS Servers and MAC Address Format on page 394.
Note: Both MAC-based Authorization settings work together so that a station can be allowed onto a WLAN Service if it passes MAC-based authentication or Captive Portal authentication. Owners of known stations do not have to enter credentials, and owners of unknown stations can get onto the network, if authorized, via Captive Portal.
4 Click the Radius TLVs button to open the RADIUS Access-Request Message Options dialog.
Figure 105: RADIUS Access Request Message Options
Select the appropriate check boxes to include the Vendor Specific Attributes (VSAs) in the message to the RADIUS server:
Ingress Rate Control
Egress Rate Control
Topology Name
Role Name
VNS Name
AP Name
SSID
For more information, see Defining Common RADIUS Settings on page 344.
Table 58: RADIUS TLVs Dialog - Fields and Buttons
Field/Button: Description
VSAs: Vendor-Specific-Attributes in RADIUS Requests.
Optional TLVs:
Chargeable-User-Identity: Select to NOT return a Chargeable-User-Identity attribute for the RADIUS Server.
Treat Access-Accept without Chargeable-User-Identity attribute as Access-Reject: Select to enable the feature.
Zone Support: RADIUS Request Call Station ID Options:
Replace BSSID with Zone name: Selecting this check box allows the RADIUS client to send the AP Zone name as the BSSID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers. The Zone name is limited to 32 bytes. Each AP can have its own Zone label, although it is often useful to assign the same Zone to multiple APs.
Replace BSSID with AP Ethernet MAC: Selecting this check box allows the RADIUS client to send the AP Ethernet MAC as the BSSID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers. The AP MAC address value is always the AP LAN1 MAC address.
Operator Name: Select the name of the user assigned to this RADIUS server from the drop-down list. Once a name is selected, a text box displays to allow text to be entered.
5 To save your changes, click Save.

Defining the RADIUS Server Priority for RADIUS Redundancy
You have the option to specify up to three RADIUS servers for authentication and accounting. The first server in the list is the first active server for both Primary-Backup and Round-Robin. For Primary-Backup, the first server is also the primary server. In the event that the first server fails, the next server in the list (backup server) becomes active. In the case of a Round-Robin configuration, each server in the list is contacted in a round-robin fashion starting with the first server. See Configuring Advanced RADIUS Servers Settings on page 397.
If more than one server has been defined for any type of authentication or accounting, you can define the priority of the servers. If all defined RADIUS servers fail to respond, a critical message is generated in the logs.
To define the RADIUS server priority for RADIUS redundancy:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 Select one or more servers. See Selecting RADIUS Servers on page 335.
5 Once you have more than one server listed, select a server and click Move Up or Move Down to arrange the order.
6 To save your changes, click Save.

Configuring Assigned RADIUS Servers
Configuring assigned RADIUS servers for a VNS can include the following:
Defining Common RADIUS Settings on page 344
Defining RADIUS Settings for Individual RADIUS Servers on page 345
Testing RADIUS Server Connections on page 346
Viewing the RADIUS Server Configuration Summary on page 347
Removing an Assigned RADIUS Server from a WLAN Service on page 348

Defining Common RADIUS Settings
To define common RADIUS settings:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 In the RADIUS Servers section, click the Radius TLVs button and select the appropriate check boxes to include the Vendor Specific Attributes in the message to the RADIUS server. For more information, see Vendor Specific Attributes on page 344.
5 To save your changes, click Save.

Vendor Specific Attributes
In addition to the standard RADIUS message, you can include Vendor Specific Attributes (VSAs). The ExtremeWireless authentication mechanism provides VSAs for RADIUS and other authentication mechanisms (see Table 59).
Table 59: Vendor Specific Attributes
Attribute Name (Type ID, Type, Messages): Description
AP-Name (type ID 2, string, sent to RADIUS server): The name of the AP the client is associating to. It can be used to assign role based on AP name or location.
AP-Serial (type ID 3, string, sent to RADIUS server): The AP serial number. It can be used instead of (or in addition to) the AP name.
AP Ethernet MAC (string, sent to RADIUS server): The MAC address of the AP, used by the ECP to determine client location.
AP Location (string, sent to RADIUS server): The physical location of the AP. Provided by the network administrator.
VNS-Name (type ID 4, string, sent to RADIUS server): The name of the Virtual Network the client has been assigned to. It is used in assigning role and billing options, based on service selection.
SSID (type ID 5, string, sent to RADIUS server): The name of the SSID the client is associating to. It is used in assigning role and billing options, based on service selection.
BSS-MAC (type ID 6, string, sent to RADIUS server): The name of the BSS-ID the client is associating to. It is used in assigning role and billing options, based on service selection and location.
Role-Name (type ID 7, string, sent to RADIUS server): The name of the role applied to the station's session.
Topology-Name (type ID 8, string, sent to RADIUS server): The name of the topology applied to the station's session.
Ingress-RC-Name (type ID 9, string, sent to RADIUS server): The name of the rate limit applied to the station's session's outbound traffic.
Egress-RC-Name (type ID 10, string, sent to RADIUS server): The name of the rate limit applied to the station's session's inbound traffic.
Note: Siemens-URL-Redirection is supported by MAC-based authentication.
The RADIUS message also includes the RADIUS attributes Called-Station-Id and Calling-Station-Id to include the MAC address of the wireless device.

Defining RADIUS Settings for Individual RADIUS Servers
To define RADIUS settings for individual RADIUS servers:
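The Access-Request the controller sends combines the standard attributes named in the RADIUS Parameters dialog (NAS-IP-Address, NAS-Identifier, a password hidden with the shared secret for the PAP auth type), the Called-Station-Id and Calling-Station-Id attributes, and the Table 59 VSAs. The following is an added example, not code from the ExtremeWireless guide or product, that builds such a request for a MAC-based authentication (UserID=MAC, Password=MAC) and parses it back the way a RADIUS server would. The wire format follows RFC 2865; VENDOR_ID is an assumption (the IANA enterprise number that the Siemens-* dictionary uses; verify it against your server's dictionary), the MAC-as-User-Name format is a constructed choice, and the shared secret, addresses and names are constructed sample values.

```python
"""Build and parse a RADIUS Access-Request carrying the attributes the guide describes:
NAS-IP-Address, NAS-Identifier, Called-Station-Id, Calling-Station-Id, the Table 59
Vendor Specific Attributes, and a User-Password hidden under the shared secret (PAP).

Added example; not code from the ExtremeWireless guide or product. Wire format per
RFC 2865. VENDOR_ID is assumed; MAC-as-User-Name format and all sample values are constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, VENDOR_SPECIFIC = 1, 2, 4, 26   # RFC 2865 types
CALLED_STATION_ID, CALLING_STATION_ID, NAS_IDENTIFIER = 30, 31, 32
VENDOR_ID = 4329                                       # assumed Siemens enterprise number
VSA_AP_NAME, VSA_VNS_NAME, VSA_SSID, VSA_ROLE_NAME = 2, 4, 5, 7   # type IDs from Table 59


def mac_as_userid(mac: str) -> str:
    """MAC-based authentication sends the client MAC as UserID; the format used here
    (upper-case, no separators) is constructed; the real one is set under MAC Address Format."""
    return mac.replace(":", "").replace("-", "").upper()


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; block i = p_i XOR MD5(secret || previous output),
    where the 'previous output' for the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the server does it. Trailing pad bytes are stripped."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """Type (1 byte) || Length (1 byte, includes these 2 header bytes) || Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: Vendor-Id (4) || vendor type (1) || vendor length (1) || data."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", VENDOR_ID, vendor_type, len(value) + 2) + value)


def build_access_request(ident, secret, user, password, nas_ip, nas_id, ap_bssid, client_mac,
                         vsas, authenticator=None):
    ra = authenticator or os.urandom(16)                # Request Authenticator: 16 random bytes
    body = attr(USER_NAME, user.encode())
    body += attr(USER_PASSWORD, hide_password(password.encode(), secret, ra))
    body += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    body += attr(NAS_IDENTIFIER, nas_id.encode())
    body += attr(CALLED_STATION_ID, ap_bssid.encode())  # radio MAC, or Zone name / AP Ethernet MAC if replaced
    body += attr(CALLING_STATION_ID, client_mac.encode())
    for vendor_type, value in vsas:
        body += vsa(vendor_type, value.encode())
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + ra + body


def parse_packet(packet: bytes):
    """Return (code, id, authenticator, {type: value}, {(vendor, vendor type): value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, vsas, pos = {}, {}, 20
    while pos < length:
        t, ln = packet[pos], packet[pos + 1]
        if ln < 2 or pos + ln > length:
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + ln]
        if t == VENDOR_SPECIFIC:
            vid, vt, vl = struct.unpack("!IBB", value[:6])
            vsas[(vid, vt)] = value[6:vl + 4]           # vendor length covers type, length and data
        else:
            attrs[t] = value
        pos += ln
    return code, ident, packet[4:20], attrs, vsas


def demo():
    """Constructed MAC-based authentication request, parsed back the way the server sees it."""
    secret = b"constructed-shared-secret"
    ra = bytes(range(16))                                # fixed so the output is reproducible
    client = "aa:bb:cc:dd:ee:ff"
    pkt = build_access_request(7, secret, mac_as_userid(client), mac_as_userid(client),
                               "10.0.0.5", "ewc-1", "00:11:22:33:44:01", client,
                               [(VSA_AP_NAME, "ap-lobby-1"), (VSA_VNS_NAME, "corp-vns"),
                                (VSA_SSID, "corp"), (VSA_ROLE_NAME, "employee")], ra)
    code, ident, ra2, attrs, vsas = parse_packet(pkt)
    return {"code": code, "id": ident, "user": attrs[USER_NAME].decode(),
            "password": reveal_password(attrs[USER_PASSWORD], secret, ra2).decode(),
            "calling": attrs[CALLING_STATION_ID].decode(),
            "ap_name": vsas[(VENDOR_ID, VSA_AP_NAME)].decode(), "size": len(pkt)}
```

The password hiding is reversible by anyone holding the shared secret, which is why the guide's Password box is the same secret that "validates the connection between the controller and the RADIUS server": the secret, not the MD5 construction, is what protects a MAC-based password in transit, so it needs to be long, unique per server and carried over a management VLAN or TLS where possible.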
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 In the Server table, click the RADIUS server you want to define, and then click Configure. The RADIUS Parameters dialog is displayed.
5 For NAS IP Address, accept the default of Use VNS IP address or de-select the check box and type the IP address of a Network Access Server (NAS).
6 For NAS Identifier, accept the default of Use VNS name or type the Network Access Server (NAS) identifier. The NAS identifier is a RADIUS attribute that identifies the server responsible for passing information to designated RADIUS servers and then acting on the response returned.
7 For Auth. type, select the Protocol using the drop-down list. Choices are PAP, CHAP, MS-CHAP, or MS-CHAP2.
8 In the Password box, type the password that will be used to validate the connection between the controller and the RADIUS server. To proofread your shared secret key, click Unmask. The password is displayed.
9 Click OK.
10 To save your changes, click Save.

Testing RADIUS Server Connections
To test RADIUS server connections:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 In the Server table, click the RADIUS server whose connection you want to test, and then click Test.
The RADIUS test is a test of connectivity to the RADIUS server, not of full RADIUS functionality. The controller's RADIUS connectivity test initiates an access-request, to which the RADIUS server will respond. If a response is received (either access-reject or access-accept), then the test is deemed to have succeeded. If a response is not received, then the test is deemed to have failed. In either case, the test ends at this point.
If the WLAN Service Authentication mode is Internal or External Captive Portal, or if MAC-Based Authorization is selected, then this test can also test a user account configured on the RADIUS server. In these cases, if proper credentials are filled in for User ID and Password, an access-accept could be returned. If the WLAN Service Authentication mode is 802.1x, however, an Access-Reject is expected if the RADIUS server is accessible, and the test is considered a success.
Figure 106: Test RADIUS Server
5 In the User ID box, type a user ID that you know can be authenticated.
6 In the Password box, type the corresponding password. A password is not required for a AAA VNS.
7 Click Test. The Test Result screen displays.
8 Click Close after reviewing the test results.
9 To save your changes, click Save.

Viewing the RADIUS Server Configuration Summary
To view the RADIUS server configuration summary:
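Two behaviours described in this part of the guide are easy to misread when reading logs: how the controller walks the server list (Primary-Backup versus Round-Robin, with a critical log message once every server has failed to respond, as described under Defining the RADIUS Server Priority for RADIUS Redundancy), and what the Test button's verdict means (any response is a success, and for 802.1x an Access-Reject is the expected answer). The following is an added example, not code from the ExtremeWireless guide or product, that models both. The class and function names, the log wording and the sample server addresses are assumptions constructed for the example; the response codes are the RFC 2865 values, and None stands for a timeout.

```python
"""RADIUS server selection (Primary-Backup vs Round-Robin, up to three servers) and the
verdict of the Test button, as described in the guide.

Added example; not code from the ExtremeWireless guide or product. Class and function
names, log wording and sample server addresses are constructed; ACCESS_ACCEPT and
ACCESS_REJECT are the RFC 2865 codes, and None models a timeout (no response).
"""
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3


class RadiusServerList:
    """Ordered server list in the priority set with Move Up / Move Down (assumed model)."""

    def __init__(self, servers, mode="primary-backup"):
        if not 1 <= len(servers) <= 3:
            raise ValueError("between one and three RADIUS servers can be selected")
        if mode not in ("primary-backup", "round-robin"):
            raise ValueError(f"unknown mode {mode!r}")
        self.servers = list(servers)
        self.mode = mode
        self._cursor = 0       # round-robin: where the next request starts
        self.log = []          # constructed stand-in for the controller's event log

    def try_order(self):
        """Servers in the order one request tries them. The first server is the first
        active server in both modes; round-robin then advances the start per request."""
        if self.mode == "primary-backup":
            return list(self.servers)      # primary first, then backups in list order
        start = self._cursor
        self._cursor = (self._cursor + 1) % len(self.servers)
        return self.servers[start:] + self.servers[:start]

    def send(self, send_fn):
        """send_fn(server) returns a response code, or None on timeout. Returns the
        (server, code) that answered, or (None, None) once every server has failed."""
        for server in self.try_order():
            code = send_fn(server)
            if code is not None:
                return server, code
            self.log.append(f"warning: RADIUS server {server} did not respond")
        self.log.append("critical: all defined RADIUS servers failed to respond")
        return None, None


def classify_test(code, auth_mode: str) -> str:
    """Verdict of the connectivity test: any response is a success, no response a failure.
    With 802.1x an Access-Reject is the expected answer; with Internal/External Captive
    Portal or MAC-based authorization an Access-Accept shows the test account authenticated."""
    if code is None:
        return "failed: no response from server"
    if auth_mode == "802.1x":
        return "success: server reachable (Access-Reject expected for 802.1x)"
    if code == ACCESS_ACCEPT:
        return "success: server reachable, test credentials accepted"
    return "success: server reachable, test credentials rejected"


def simulate(mode, down=(), responses=None):
    """Two consecutive requests against three constructed servers, some of them unreachable."""
    servers = ["10.0.0.11", "10.0.0.12", "10.0.0.13"]        # constructed sample addresses
    responses = responses or {}
    server_list = RadiusServerList(servers, mode)

    def send_fn(server):
        if server in down:
            return None                                      # timeout
        return responses.get(server, ACCESS_REJECT)          # default: reachable, rejects

    first = server_list.send(send_fn)
    second = server_list.send(send_fn)
    return first, second, server_list.log


if __name__ == "__main__":
    for mode in ("primary-backup", "round-robin"):
        first, second, log = simulate(mode, down={"10.0.0.11"})
        print(mode, "->", first, second, log)
    print(classify_test(ACCESS_REJECT, "802.1x"))
```

In Primary-Backup every request still starts at the dead primary and pays one timeout before the backup answers, which is why the warning repeats per request; in Round-Robin the starting point rotates, so the dead server is only tried when its turn comes. A monitoring rule that alerts only on the critical "all servers failed" line will miss a degraded primary for as long as a backup keeps answering.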
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 In the Server table, click a RADIUS server whose configuration summary you want to view, and then click Summary. The RADIUS Summary screen displays.
Figure 107: RADIUS Summary
5 Click Close.
6 To save your changes, click Save.

Removing an Assigned RADIUS Server from a WLAN Service
To remove an assigned RADIUS Server from a WLAN Service:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane and click the WLAN Service you want to define accounting methods for.
3 Click the Auth & Acct tab.
4 In the Server table, click the assigned RADIUS server that you want to remove from the VNS, and then click Remove. The RADIUS server is removed from the VNS.
5 Click Save.

Defining a WLAN Service with No Authentication
You can set up a WLAN Service that will bypass all authent
ication mechanisms and run the ExtremeWireless Appliance with no authentication of a wireless device user. A WLAN Service with no authentication can still control network access using policy rules. For more information on how to set up policy rules that allow access only to specified IP addresses and ports, see Policy Rules on page 288.
To define a WLAN Service with No Authentication:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service you want to configure, or click New.
3 Configure the service as described in WLAN Services Overview on page 318.
4 Click the Auth & Acct tab.
5 From the Authentication Mode drop-down list, select Disabled.
6 Click Save.

Configuring Captive Portal for Internal or External Authentication
Captive Portal allows you to require network users to complete a defined process, such as logging in or accepting a network usage role, before accessing the Internet. The Captive Portal options are:
802.1x: Define the parameters of the external Captive Portal page displayed by an external server. The authentication can be carried out by an external authentication server or by the controller request to a RADIUS server.
Internal Captive Portal: Define the parameters of the internal Captive Portal page displayed by the controller, and the authentication request from the controller to the RADIUS server.
External Captive Portal: Define the parameters of the external Captive Portal page displayed by an external server. The authentication can be carried out by an external authentication server or by the appliance request to a RADIUS server.
GuestPortal: Define the parameters for a GuestPortal Captive Portal page. A GuestPortal provides wireless device users with temporary guest network services.
Firewall Friendly External: Define the parameters of the Firewall Friendly Captive Portal page displayed by an external server. This option minimizes the need to open firewall ports: any device on the secure side is allowed to connect to the Internet on ports 80 and 443.
Guest Splash: Define the parameters of the Guest Splash page displayed by the controller. These parameters are similar to those for an internal Captive Portal page, except that the options to configure the labels for the user id and password fields are not present, since login information is not required when the user is re-directed to the authorization web page. This type of Captive Portal could be used where the user is expected to read and accept some terms and conditions before being granted network access.
When configuring captive portal, different settings become available depending on the captive portal option you choose.

Configuring Basic Captive Portal Settings
To configure the captive portal settings:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
Figure 108: Configuring Basic Captive Portal
4 In the Authentication Mode drop-down list, select a Captive Portal option: Disabled, 802.1x, Internal, External, Firewall Friendly External, Guest Portal, Guest Splash.
Note: You must configure a Guest Portal before Guest Portal appears as a Captive Portal option. Only one WLAN Service can be configured for Guest Portal on a VNS.
5 Click Configure. The Captive Portal configuration page displays. The page display differs depending on the mode that you have selected:
Internal and Splash modes, see Conguring Internal Captive Portal and Guest Splash on page 359 External and 802.1x modes, see Conguring External and Mode 802.1 Captive Portal on page 351 Guest Portal mode, see Conguring Guest Portal on page 360 Firewall Friendly External Captive Portal mode, see Conguring Firewall Friendly External Captive Portal on page 353. CConguring External and Mode 802.1 Captive Portal D raft In the drop-down list, click the IP address of the external Web server. and then enter the port of the controller. If there is an authentication server congured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and ltering. Figure 109: Captive Portal Page for External and 802.1x Modes Table 60: External Captive Portal Page - Fields and Buttons Field/Button Description Session Control Interface EWC Connection Enable HTTPS support Select Enable https support if you want to enable HTTPS support
(TLS/SSL) for this external captive portal. This has no impact on the traffic exchanged between users browsers and the External Captive Portal. When enabled, this option protects the session control traffic between the external captive portal and the controller from being read by a third party. This is particularly useful when a dedicated network management VLAN (Virtual LAN) is unavailable to carry the session control traffic. For more information, see the Integration Guide. ExtremeWireless V10.41.06 User Guide 351 Conguring WLAN Services Table 60: External Captive Portal Page - Fields and Buttons (continued) FField/Button Description Encryption D Select the data encryption to use. Options are:
Noneno encryption is performed. If the HTTPS option is not enabled, session control messages are sent in plain text over the network. Legacyboth the ECP and the controller are expected to use simple message encryption based on MD5 (Message-Digest algorithm 5). Frames are encrypted by Xoring session control message payload with a keystream generated from an MD5 hash of a shared key. This is a weak encryption algorithm and is only supported for backward compatibility. If encryption is needed, consider using the option below. AESsession control messages sent by the controller and ECP are encrypted with the Advanced Encryption Standard based on the Rijndael cipher. AES encryption is considerably more secure than legacy encryption. If encryption is enabled then a shared key must be entered. Note: Using the encryption option has one advantage over using the HTTPS option alone. When HTTPS is enabled, the ECP can authenticate the controllers certicate, but the controller does not ask the client to provide one. Consequently, HTTPS does not prevent unauthorized users from sending messages to the session control interface. Because the encryption option is based on a shared key, the encryption provides a form of authentication. If the controller can decrypt the payload of a session control message, then it is has reason to believe the message came from the external captive portal. raft Type the password common to both the controller and the external web server if you want to encrypt the information passed between the controller and the external web server. If encryption is enabled then a shared key must be entered. A shared key is a string that both the controller and the ECP use to encrypt and decrypt session control messages. The shared key must be between 16 and 64 characters long. For better security, use a long key composed of randomly selected characters. 
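Two points in the Encryption and Shared Secret rows of Table 60 lend themselves to a worked illustration: the 16 to 64 character shared-key rule, and why the guide calls the Legacy MD5-keystream option weak. The following Python is an added example, not code from the guide or from the ExtremeWireless product. The keystream derivation in legacy_keystream (the MD5 digest of the shared key repeated to the payload length) is an assumed model of the Legacy option, not the product's documented wire format, and KEY_ALPHABET and the sample messages in demo are constructed.

```python
import hashlib
import secrets
import string

# Shared-key length limits stated by the guide (16 to 64 characters).
MIN_SHARED_KEY_LEN = 16
MAX_SHARED_KEY_LEN = 64
# Assumed character set for generated keys; the guide only asks for random characters.
KEY_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def shared_key_is_valid(key: str) -> bool:
    """Check the guide's length rule for a shared key."""
    return MIN_SHARED_KEY_LEN <= len(key) <= MAX_SHARED_KEY_LEN


def generate_shared_key(length: int = 32) -> str:
    """Build a random shared key from the OS CSPRNG (secrets), as the guide recommends."""
    if not MIN_SHARED_KEY_LEN <= length <= MAX_SHARED_KEY_LEN:
        raise ValueError("shared key must be between 16 and 64 characters")
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def legacy_keystream(shared_key: str, length: int) -> bytes:
    """Assumed model of the Legacy option: a keystream derived only from MD5(shared key).

    The digest is repeated to cover the payload. Nothing per-message (no nonce, no
    counter) enters the derivation, so every message is XORed with the same keystream.
    """
    digest = hashlib.md5(shared_key.encode()).digest()
    repeats = length // len(digest) + 1
    return (digest * repeats)[:length]


def legacy_xor(shared_key: str, payload: bytes) -> bytes:
    """Encrypt or decrypt (XOR is its own inverse) a session control payload."""
    keystream = legacy_keystream(shared_key, len(payload))
    return bytes(p ^ k for p, k in zip(payload, keystream))


def keystream_reuse_leak(ciphertext_a: bytes, ciphertext_b: bytes) -> bytes:
    """XOR of two ciphertexts under one fixed keystream equals the XOR of the plaintexts.

    The key cancels out, so a passive observer learns where two messages agree and how
    they differ without ever holding the key. This is the property that makes the Legacy
    option unsuitable where confidentiality of session control traffic matters.
    """
    n = min(len(ciphertext_a), len(ciphertext_b))
    return bytes(a ^ b for a, b in zip(ciphertext_a[:n], ciphertext_b[:n]))


def demo() -> dict:
    """Constructed sample: two session control messages under one shared key."""
    key = "example-shared-key-0123456789AB"  # constructed, 31 characters
    msg_a = b"session=1234;action=allow"
    msg_b = b"session=1234;action=block"
    ct_a = legacy_xor(key, msg_a)
    ct_b = legacy_xor(key, msg_b)
    leak = keystream_reuse_leak(ct_a, ct_b)
    common = len("session=1234;action=")
    return {
        "key_valid": shared_key_is_valid(key),
        "roundtrip_ok": legacy_xor(key, ct_a) == msg_a,
        # Equal-length messages: the leak is exactly msg_a XOR msg_b.
        "leak_equals_plaintext_xor": leak == bytes(a ^ b for a, b in zip(msg_a, msg_b)),
        # Zero bytes in the leak mark positions where the two messages are identical.
        "shared_prefix_visible": leak[:common] == bytes(common),
    }
```

The demo shows the defect without any key material: identical prefixes appear as runs of zero bytes in the XOR of two ciphertexts, and a known message reveals the other in full. The AES option, or HTTPS on the session control interface, does not have this property, which is why the guide steers new deployments away from Legacy.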
Redirection URL: The Redirection URL field contains the URL to which the controller will redirect all blocked, unauthenticated HTTP traffic on this WLAN Service, or traffic that has been explicitly configured for redirection, depending on your configuration. This should be the URL of the page that will prompt the user to authenticate. If using host name rules, the redirection URL can be the configured host name. The redirected browser will issue a GET to the ECP for this URL. The Redirection URL:
- Can begin with http:// or https://.
- Must end with a ? or &. Use & if the base URL contains some query strings.
Note: The Redirection URL does not support IPv6.

Add EWC IP & Port to redirection URL: This option is useful if the external captive portal serves more than one controller. An ECP must send its session control messages to the controller hosting the controlled session. If an ECP serves more than one controller, then the Add EWC IP & Port to redirection URL option must be used to identify the source of the redirection. The ECP should store the controller address and port with the token and other session details so that it is available throughout the authentication process.

Special ToS override for NAC: Allows for ToS marking that results in redirection to a captive portal via a NAC server.

Close: Click to save your changes and close this page.

Cancel: Click to discard the configuration.

Note: You must add a role rule to the non-authenticated filter that allows access to the external Captive Portal site. For more information, see Policy Rules on page 288.

Related Links
Configuring Basic Captive Portal Settings on page 349
Policy Rules on page 288

Configuring Firewall Friendly External Captive Portal

This task describes how to configure a Firewall Friendly External Captive Portal.

1 From the Auth & Acct tab, in the Mode field, select Firewall Friendly External. The Configure button is enabled.
2 Click Save.
3 Configure RADIUS servers for authentication. For more information, see Assigning RADIUS Servers for Authentication on page 340.
4 Click Configure.
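The Redirection URL rules of Table 60 (http:// or https://, a trailing ? or &, & when the base already carries a query string, no IPv6) and the Identity, Shared Secret and Timestamp fields that Table 61 describes for the Firewall Friendly portal can be exercised together in Python. This is an added example, not the guide's or the product's code: the product's actual redirect format is the one shown by the View Sample button, whereas the HMAC-SHA256 signature over the sorted query string, the parameter names (identity, ts, sig, wlan, token, ap) and the 60-second grace period used here are assumptions of this model, and the hosts and secrets are constructed.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode, urlsplit


def validate_redirection_url(url: str) -> tuple:
    """Apply the guide's Redirection URL rules; return (ok, reason)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "must begin with http:// or https://"
    if parts.netloc.startswith("["):
        return False, "IPv6 literals are not supported"
    if not url.endswith(("?", "&")):
        return False, "must end with ? or &"
    # Anything before the trailing separator is an existing query string.
    existing_query = parts.query.rstrip("?&")
    if existing_query and not url.endswith("&"):
        return False, "use & when the base URL already contains a query string"
    return True, "ok"


def _canonical(params: dict) -> bytes:
    """Deterministic form of the query both sides sign: keys sorted, urlencoded."""
    return urlencode(sorted(params.items())).encode()


def sign_redirect(base_url: str, identity: str, shared_secret: str,
                  params: dict, timestamp: int) -> str:
    """Model of the redirector side: append session params, identity and a UTC
    timestamp to the validated base URL, then sign the whole query (assumed HMAC-SHA256)."""
    ok, reason = validate_redirection_url(base_url)
    if not ok:
        raise ValueError(reason)
    fields = dict(params)
    fields["identity"] = identity       # assumed parameter name
    fields["ts"] = str(int(timestamp))  # assumed parameter name, seconds UTC
    full_url = base_url + urlencode(sorted(fields.items()))
    all_params = dict(parse_qsl(urlsplit(full_url).query, keep_blank_values=True))
    sig = hmac.new(shared_secret.encode(), _canonical(all_params), hashlib.sha256).hexdigest()
    return full_url + "&sig=" + sig


def verify_redirect(url: str, secrets_by_identity: dict, now: int,
                    grace_seconds: int = 60) -> tuple:
    """Receiver side (ECP or AP): look up the secret for the claimed identity, check the
    signature in constant time, then reject anything outside the timestamp grace period."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    sig = params.pop("sig", None)
    identity = params.get("identity")
    ts = params.get("ts")
    if sig is None or identity is None or ts is None:
        return False, "missing signature, identity or timestamp"
    secret = secrets_by_identity.get(identity)
    if secret is None:
        return False, "unknown identity"
    expected = hmac.new(secret.encode(), _canonical(params), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if not ts.isdigit() or abs(int(now) - int(ts)) > grace_seconds:
        return False, "timestamp outside grace period"
    return True, "ok"
```

The signature is checked before the timestamp so that a forged URL is rejected without revealing whether its timestamp was acceptable, and the secret is selected by the identity carried in the URL, which is the role the Identity field plays when one ECP serves several APs or controllers. As Table 61 notes, the grace period still allows a recorded URL to be replayed inside that window; a receiver that must close it keeps a short-lived cache of seen tokens.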
Figure 110: Configuring Firewall Friendly External Captive Portal

ExtremeWireless offers a scalable external captive portal (ECP) solution on the AP that can be managed locally or through a Cloud solution, in addition to the controller-based ECP. The following table illustrates the WLAN redirection configuration options for the AP and the controller. Each setting is identified as mandatory or optional for redirection on the AP or on the controller. For more information about configuring ECP on an AP, see Configuring a Captive Portal on an AP on page 222.

Table 61: Firewall Friendly External Captive Portal

Each entry gives the field, its description, and whether the setting is mandatory or optional for redirection at the AP and for redirection at the controller.

Redirect to External Captive Portal

Identity: Type the name common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server.
  Redirection at the AP: Mandatory. Required for signing the redirected URL. If you do not configure the Identity, the redirector on the AP drops the traffic.
  Redirection at the Controller: Optional.

Shared Secret: Type the password common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server.
  Redirection at the AP: Mandatory. Required for signing the redirected URL. If you do not configure the Shared Secret, the redirector on the AP drops the traffic.
  Redirection at the Controller: Optional.

Redirection URL: Type the URL to which the wireless device user will be directed after authentication. Note: Ensure the request does not exceed the browser character limit. Older browsers limit requests to 255 characters. Newer browsers allow up to 2048 characters. The Redirection URL does not support IPv6.
  Redirection at the AP: Mandatory.
  Redirection at the Controller: Mandatory.

EWC IP and Port: IP address and port number.
  Redirection at the AP: Mandatory. By default, this option is enabled. The IP address and port of the AP are always URL parameters. A deployment will have multiple APs. The IP address and port communicate to the External Captive Portal through the client, identifying which AP is redirecting the client.
  Redirection at the Controller: Optional. This option is not required when the deployment includes only one controller. However, we recommend enabling this option when the deployment includes multiple controllers.

Replace EWC IP with EWC FQDN: Use the controller's Fully-Qualified Domain Name instead of its IP address.
  Redirection at the AP: Not supported.
  Redirection at the Controller: Optional. You can enable this setting if the deployment uses a single controller.

AP Name and Serial Number: Name and serial number of the AP.
  Redirection at the AP: N/A, the AP has this information locally.
  Redirection at the Controller: Optional.

AP Ethernet MAC: MAC address of the AP.
  Redirection at the AP: N/A, the AP has this information locally.
  Redirection at the Controller: Optional.

AP Location: Text string used to describe the physical AP location.
  Redirection at the AP: N/A, the AP has this information locally.
  Redirection at the Controller: Optional.

Associated BSSID: Associated BSSID of the AP.
  Redirection at the AP: N/A, the AP has this information locally.
  Redirection at the Controller: Optional.

VNS Name: Virtualized Network Service name.
  Redirection at the AP: Optional. For non-site deployments, the VNS Name is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller.
  Redirection at the Controller: Optional.

SSID: Service Set Identifier.
  Redirection at the AP: N/A, the AP has this information locally.
  Redirection at the Controller: Optional.

Station MAC Address: Media Access Control address of the station.
  Redirection at the AP: Optional.
  Redirection at the Controller: Optional.

Currently Assigned Role:
  Redirection at the AP: Optional. For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller.
  Redirection at the Controller: Optional.

Containment VLAN of Assigned Role:
  Redirection at the AP: Optional. For non-site deployments, the Assigned Role is not available on the AP. Therefore, it must be included in the mobile user associated response or as part of the mobile user update requirement from the controller.
  Redirection at the Controller: Optional.

Signature: The Signature is included when full authentication is employed. If configuring a RADIUS authentication server, clear the Signature check box. The Signature option is the flag that indicates how authentication is achieved.
  Redirection at the AP: Optional.
  Redirection at the Controller: Optional.

Timestamp: Timestamp (in UTC).
  Redirection at the AP: Mandatory. The timestamp (in UTC) is always included, because it prevents replay attacks of a recorded redirected URL. The AP must have access to UTC time, which is provided by the controller.
  Redirection at the Controller: Optional.

Redirect From External Captive Portal

Use HTTPS for Users Connections: Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLAN Services and WLAN Services that existed prior to upgrading to V9.15 and later.
  Redirection at the AP: Optional. The AP presents a self-signed certificate that triggers a warning page in most browsers. The AP does not support installing signed certificates from a trusted certificate authority.
  Redirection at the Controller: Optional.

Send Successful Login To: Select the IP address of the external Web server, and then enter the port of the controller.
  Redirection at the AP: Mandatory. The session management page can contain a link to the original URL that was served when it was redirected. The session management page includes a button to terminate the user's session. The only way the client can come directly to this page is by replaying the redirection URL from the External Captive Portal within the grace period measured by the timestamp.
  Redirection at the Controller: Optional. The session management page does include a button to terminate the user's session.

View Sample: Displays an example format of the redirection URL that the controller/AP expects to receive (indirectly) from the ECP. If the WLAN Service is part of a VNS or has a default topology, then the server portion of the URL contains the IP address of the controller/AP. The query string is populated with realistic but fictional data. This information is provided to assist in developing the ECP program.

Configuring Internal Captive Portal and Guest Splash

Figure 111: Captive Portal Page Configuration Page for Internal and Guest Splash Modes

Table 62: Captive Portal Page Configuration Page for Internal and Guest Splash Modes - Fields and Buttons

Communication Options

Use HTTPS for Users Connections: Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLAN Services and WLAN Services that existed prior to upgrading to V9.01 and later.

Replace Gateway IP with FQDN: Type the appropriate name if a Fully Qualified Domain Name (FQDN) is used as the gateway address.

Message Configuration, Configure: Click to configure error messages that may display on the internal captive portal page. The Message Configuration page displays. See Configuring Error Messages on page 363.

Send Successful Login To:
Manual Settings: Select this option if you want to manually define the elements on the Captive Portal page. When you select this option, you enable the Launch Captive Portal Editor button.

Use Zip File: Select this option to upload a zip file that contains custom Captive Portal content. The zip file you upload must have a flat structure; it cannot contain any sub-directories. The contents of the zip must adhere to the following file formats:
- Content to be used in the captive portal login page must be in a file named login.htm.
- Content to be used in the captive portal index page must be in a file named index.htm.
- The number of graphics and the size of the graphics is unlimited, and they can be either .gif, .jpg, or .png.

Upload Zip File: Click the Browse button and navigate to the zip file to use for setting up the captive portal.

View Sample Login Page: Click to view the sample login page for this captive portal.

View Sample Index Page: Click to view the sample index page for this captive portal.

Download: Click to download the specified zip file. The File Download page displays.

Launch Captive Portal Editor: Click to launch the Captive Portal Editor. Using the Captive Portal Editor, you can configure the elements on the captive portal page. This button becomes available when you select the Manual Settings radio button.

Close: Click to save your changes and close this page.

Cancel: Click to discard your configuration changes and close this page.

Note: You must configure a Guest Portal before Guest Portal appears as a Captive Portal option. Only one WLAN Service can be configured for Guest Portal on a VNS.

Configuring Guest Portal

Figure 112: Captive Portal Page for Guest Portal Mode

Table 63: Configure Internal Captive Portal Page - Fields and Buttons

Guest Portal (this section becomes available only when configuring a Guest Portal)

Manage Guest Users: Click to add and configure guest user accounts. The Manage Guest Users page displays. For information about adding and managing guest users, see Working with GuestPortal Administration on page 690.

Configure Ticket Page: Click to configure the guest portal ticket. The Configure Ticket page displays. For information about how to configure and activate guest portal ticket pages, see Working with GuestPortal Administration on page 690.

Configure Password Generator: Click to configure the guest password. The Configure Password Generator page displays. For information about how to configure and activate guest passwords, see Configuring Guest Password Patterns on page 701.

Account Lifetime: Type the account lifetime, in days, for the guest account. A value of 0 specifies no limit to the account lifetime.

Guest Admin Can Set Account Lifetime: Select to enable the guest administrator to set the amount of time for which this account will be active.

Maximum Session Lifetime: Type the maximum session lifetime, in hours, for the guest account. The default value of 0 does not limit the session lifetime. The session lifetime is the allowed cumulative total, in hours, spent on the network during the account lifetime.

User ID Prefix: Type a prefix that will be added to all guest account user IDs. The default is Guest.

Minimum Password Length: Type a minimum password length that will be applied to all guest accounts.

Communication Options

Use HTTPS for Users Connections: Select this option to use HTTPS instead of HTTP. The default state will be set for HTTPS. This applies to both new WLAN Services and WLAN Services that existed prior to upgrading to V9.01 and later.

Replace Gateway IP with FQDN: Type the appropriate name if a Fully Qualified Domain Name (FQDN) is used as the gateway address.

Message Configuration, Configure: Click to configure error messages that may display on the internal captive portal page. The Message Configuration page displays. See Configuring Error Messages on page 363.

Send Successful Login To:

Manual Settings: Select this option if you want to manually define the elements on the Captive Portal page. When you select this option, you enable the Launch Captive Portal Editor button.

Use Zip File: Select this option to upload a zip file that contains custom Captive Portal content. The zip file you upload must have a flat structure; it cannot contain any sub-directories. The contents of the zip must adhere to the following file formats:
- Content to be used in the captive portal login page must be in a file named login.htm.
- Content to be used in the captive portal index page must be in a file named index.htm.
- The number of graphics and the size of the graphics is unlimited, and they can be either .gif, .jpg, or .png.

Upload Zip File: Click the Browse button and navigate to the zip file to use for setting up the captive portal.

View Sample Login Page: Click to view the sample login page for this captive portal.

View Sample Index Page: Click to view the sample index page for this captive portal.

Download: Click to download the specified zip file. The File Download page displays.

Launch Captive Portal Editor: Click to launch the Captive Portal Editor. Using the Captive Portal Editor, you can configure the elements on the captive portal page. This button becomes available when you select the Manual Settings radio button.

Close: Click to save your changes and close this page.

Cancel: Click to discard your configuration changes and close this page.

Configuring Error Messages

You can configure informational and error messages that a user may encounter when trying to access a captive portal. To configure error and informational messages:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service. The WLAN Services configuration page is displayed.
3 Click the Auth & Acct tab.
4 In the Authentication Mode drop-down list, select a Captive Portal option.
5 Click Configure. The Captive Portal Configuration page displays.
6 In the Message Configuration section, click the Configure button. The Message Configuration page displays. For information about the Message Configuration fields, see Understanding the Message Configuration Page on page 364.

Understanding the Message Configuration Page

Table 64: Message Configuration Page - Fields and Buttons

Invalid: Enter a message indicating that the user entered an invalid username or password combination.

Success: Enter a message to indicate when a user successfully logs in.

Access Fail: Enter an error message that indicates that a user login was unsuccessful.

Fail: Enter a message indicating an internal error.

Timeout: Enter an error message indicating that the user authentication timed out.

RADIUS shared secret security key fail: Enter an error message indicating that the RADIUS shared secret failed.

RADIUS internal error: Enter an error message indicating an internal RADIUS client error.

Max RADIUS login fail: Enter a message that indicates that the maximum number of simultaneous captive portal logins has been reached.

Invalid Login parameters: Enter a message indicating that the user entered an invalid username or password combination.

General failure: Enter a message indicating that a general failure has occurred.

Invalid third party parameters: Enter an error message indicating that one or more parameters passed from the external captive portal server to the controller is either invalid or missing.

Authentication in progress fail: Enter a message indicating that the user credentials were not authenticated.

Topology Change: Enter an error message indicating that the topology failed.

Close: Click to save your changes and close this page.

Cancel: Click to discard your configuration changes and close this page.

Using the Captive Portal Editor

The Captive Portal Editor enables you to configure the look and feel of a captive portal page.

Note: The Captive Portal Editor page supports only one administrator editing a captive portal page at one time.

To configure the editor:

1 From the top menu, click VNS.
2 In the left pane expand WLAN Services, then select the WLAN Service. The WLAN Services configuration page displays.
3 Click the Auth & Acct tab. The Auth & Accounting page displays.
4 In the Authentication Mode drop-down list, select a Captive Portal option.
5 Click Configure. The Captive Portal Configuration page displays.
6 In the Communications Options section, select Manual Settings and then click Launch Captive Portal Editor. For more information see Table 65 on page 367.

Caution: In order for Captive Portal authentication to be successful, all the URLs referenced in the Captive Portal setup must also be specifically identified and allowed in the non-authenticated filter. For more information, see Policy Rules on page 288.

Caution: If you use logos or graphics, ensure that the graphics or logos are appropriately sized. Large graphics or logos may force the login section out of view.

Understanding the Captive Portal Editor

Table 65: Captive Portal Editor - Fields and Buttons

Login Page tab: Click to view and configure the elements that will display on the Captive Portal login page. By default, widgets for a Login username and Password, as well as an Accept button, are configured. You can accept or change these widgets using the Captive Portal Editor widget management tools in the right-hand panel. Using the Captive Portal Editor widget management tools in the right-hand pane on this page you can:
- configure the background colors and forms
- add graphics
- add an external cascading style sheet (.css)
- add VSA attributes

Index Page tab: Click to view and configure the elements that will display on the Captive Portal Index page. Using the Captive Portal Editor widget management tools in the right-hand pane on this page you can:
- configure the background colors and forms
- add graphics
- add an external cascading style sheet (.css)
- add a Logoff button. The Logoff button launches a pop-up logoff page, allowing users to control their logoff.
- add a Status Check button. The Status Check button launches a pop-up window, which allows users to monitor session statistics such as system usage and time left in a session.

Topology Change tab: Click to view and configure the elements that will display on the Captive Portal Topology Change page. By default, a login confirmation and informational message, as well as a Close button, are preconfigured. You can accept or change these elements using the Captive Portal Editor widget management tools in the right-hand panel. Using the Captive Portal Editor widget management tools in the right-hand pane on this page you can:
- configure the background colors and forms
- add graphics
- add an external cascading style sheet (.css)

Design Management

Cached: Select to cache most of the widgets from the design, to reduce the amount of time it takes a captive portal page to load.

Preview: Select to view the way the configured widgets will display to a user.

Close: Select to close this page without saving the configuration.

Save: Select to save the configuration changes.

Save&Close: Select to save the configuration changes and close this window.

Data Management

Import: Select and click Browse to navigate to the directory and filename of the configuration that you want to import. Click OK to import the configuration.

Export: Select to save this configuration and enter the name of the file you want to save it in. Click the Browse button to navigate to a directory where you want to store the configuration file. Click OK to save the configuration.

Widget Management: Use the fields in this section to configure the widgets.

Graphics: Click to locate and upload a graphic. The graphic becomes available in the Show Images section of the Property Editor.

Background: Click to configure the background color of the page.

External CSS: Click to identify a cascading style sheet (.css) that will determine the page format.

Session Variables: Click to configure the following VSA attributes:
- AP Serial
- AP Name
- VNS Name
- SSID
- MAC Address
The selections influence what URL is returned in either section. For example, wireless users can be identified by which AP or which VNS they are associated with, and can be presented with a Captive Portal Web page that is customized for those identifiers.

Add Widget to Panel: Use the fields in this section to add the configured widgets to the page.

Header: Select to add a Header attribute to the panel. Use the Property Editor to determine the size and position of the Header attribute, the conditions under which it displays, and identify the link and type of Header attribute to include.

Graphic: Select to add a graphic to the page. Use the Property Editor to select a preconfigured graphic, and to determine the size and location of the graphic.

Text: Select to add text to the page. Use the Property Editor to type and format the text, and to determine the location of the text and the conditions under which it displays.

Session Variables: Use the Property Editor to determine the size and position of the attribute and the conditions under which it displays, select a Display Option, and select a type of VSA.

External HTML: Select to add an external HTML link to the page. Use the Property Editor to select a preconfigured graphic, and to determine the size and location of the graphic.

Text (Scrollable): Select to add scrollable text to the page. Use the Property Editor to type and format the text, and to determine the location of the text and the conditions under which it displays.

Footer: Select to add a Footer attribute to the panel. Use the Property Editor to determine the size and position of the Footer attribute, the conditions under which it displays, and identify the link and type of Footer attribute to include.

Defining Priority Level and Service Class

Voice over Internet Protocol (VoIP) using 802.11 wireless local area networks is enabling the integration of internet telephony technology on wireless networks.
Various issues including Quality-of-Service
(QoS), call control, network capacity, and network architecture are factors in VoIP over 802.11 WLANs. Wireless voice data requires a constant transmission rate and must be delivered within a time limit. This type of data is called isochronous data. This requirement for isochronous data is in contradiction to the concepts in the 802.11 standard that allow for data packets to wait their turn to avoid data collisions. Regular traffic on a wireless network is an asynchronous process in which data streams are broken up by random intervals. multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. To reconcile the needs of isochronous data, mechanisms are added to the network that give voice data traffic or another traffic type priority over all other traffic, and allow for continuous transmission of data. D To provide better network traffic ow, the controller provides advanced Quality of Service (QoS) management. These management techniques include:
WMM (Wi-Fi Multimedia). Enabled on individual WLAN Services, WMM is a standard that provides
IP ToS (Type of Service) or DSCP (Diffserv Codepoint). The ToS/DSCP field in the IP header of a frame is used to indicate the priority and Quality of Service for each frame.
Adaptive QoS. Adaptive QoS ensures correct priority handling of client payload packets tunneled between the controller and AP by copying the IP ToS/DSCP setting from the client packet to the header of the encapsulating tunnel packet.

Defining the Service Class

Service class is determined by the combination of the following operations:
• The class of treatment given to a packet. For example, queuing or per hop behavior (PHB).
• The packet marking of the output packets (user traffic and/or transport).

Table 66: Service Classes
Service class name (number) | Priority level
Network Control (7)         | 7 (highest priority)
Premium (Voice) (6)         | 6
Platinum (video) (5)        | 5
Gold (4)                    | 4
Silver (3)                  | 3
Bronze (2)                  | 2
Best Effort (1)             | 1
Background (0)              | 0 (lowest priority)

The service class is equivalent to the 802.1D UP (user priority).

ExtremeWireless V10.41.06 User Guide 369 Configuring WLAN Services

Table 67: Relationship Between Service Class and 802.1D UP
SC name          | SC Value | 802.1d UP | AC | Queue
Network Control  | 7        | 7         | VO | VO or TVO
Premium (voice)  | 6        | 6         | VO | VO or TVO
Platinum (video) | 5        | 5         | VI | VI
Gold             | 4        | 4         | VI | VI
Silver           | 3        | 3         | BE | BE
Bronze           | 2        | 0         | BE | BE
Best Effort      | 1        | 2         | BK | BK
Background       | 0        | 1         | BK | BK

Configuring the Priority Override

Priority override allows you to define and force the traffic to a desired priority level. Priority override can be used with any combination, as displayed in Table 67 on page 370. You can configure the service class and the DSCP values. When Priority Override is enabled, the configured service class overrides the queue selection in the inbound and outbound directions, the 802.1P UP for the WLAN tagged Ethernet packets, and the UP for the wireless QoS packets (WMM or 802.11e), according to the mapping in Table 66 on page 369. If Priority Override is enabled and the VNS is not locally bridged, the configured DSCP value is used to tag the IP header of the encapsulated packets. The AP does not override the DSCP in the IP header of the user packet.

Configuring QoS Modes

You can enable the following QoS modes for a WLAN Service:
• WMM. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic.
• 802.11e. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all 802.11e clients. The 802.11e clients will also classify and prioritize the inbound traffic.
• Turbo Voice. If any of the above QoS modes are enabled, the Turbo Voice mode is available. If enabled, all the outbound traffic that is classified to the Voice (VO) AC and belongs to that VNS is transmitted by the AP via a queue called Turbo Voice (TVO) instead of the normal Voice (VO) queue. The TVO queue is tailored in terms of contention parameters and number of retries to maximize voice quality and voice capacity.
• U-APSD. The Unscheduled Automatic Power Save Delivery feature works in conjunction with WMM and/or 802.11e, and it is automatically disabled if both WMM and 802.11e are disabled.

The APs are capable of supporting five queues. The queues are implemented per radio; for example, five queues per radio. The queues are:

Table 68: Queues
Queue Name | Purpose
AC_VO      | Voice
AC_VI      | Video
AC_BK      | Background
AC_BE      | Best Effort
AC_TVO     | Turbo Voice

The controller supports the definition of 8 levels of user priority (UP). These priority levels are mapped at the AP to the best appropriate access class. Of the 8 levels of user priority, 6 are considered low priority levels and 2 are considered high priority levels. WMM clients have the same 4 AC queues. WMM clients will classify the traffic and use these queues when they are associated with a WMM-enabled AP. WMM clients will behave like non-WMM clients (map all traffic to the Best Effort (BE) queue) when not associated with a WMM-enabled AP.

The prioritization of the traffic on the downstream (for example, from wired to wireless) and on the upstream (for example, from wireless to wired) is dictated by the configuration of the WLAN Service and the QoS tagging within the packets, as set by the wireless devices and the host devices on the wired network. Both Layer 3 tagging (DSCP) and Layer 2 (802.1d) tagging are supported, and the mapping conforms with the WMM specification. If both L2 and L3 priority tags are available, then both are taken into account and the chosen AC is the highest resulting from L2. If only one of the priority tags is present, it is used to select the queue. If none is present, the default queue AC_BE is chosen.

Note: If the wireless packets to be transmitted must include the L2 priority (sent to a WMM client from a WMM-enabled AP), the outbound L2 priority is copied from the inbound L2 priority if available, or it is inferred from the L3 priority using the above table if the L2 inbound priority is missing.
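To make the classification rules in this section concrete, the following Python model is an added example; it is not Extreme Networks code and does not claim to be how the controller or AP is implemented. It transcribes Tables 66 and 67 (service class to 802.1D UP to access category) and the default DSCP classification of Table 71 (given later in this section), then applies the L2/L3 tag selection rule, the Priority Override behaviour and the Adaptive QoS tunnel marking to sample packets. The numeric values behind the CS, AF and EF code-point names are the standard IETF ones. The WlanQos and Packet field names are our own, and reading "both tags taken into account" as "the higher of the two resulting access categories wins" is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Tables 66/67: service class -> (name, 802.1D user priority, access category)
SERVICE_CLASSES = {
    7: ("Network Control", 7, "VO"), 6: ("Premium (voice)", 6, "VO"),
    5: ("Platinum (video)", 5, "VI"), 4: ("Gold", 4, "VI"),
    3: ("Silver", 3, "BE"), 2: ("Bronze", 0, "BE"),
    1: ("Best Effort", 2, "BK"), 0: ("Background", 1, "BK"),
}
# 802.1D UP -> access category, derived from Table 67 (covers all eight UP values)
UP_TO_AC = {up: ac for _name, up, ac in SERVICE_CLASSES.values()}
AC_RANK = {"BK": 0, "BE": 1, "VI": 2, "VO": 3}  # ordering used for "highest" AC

# Standard IETF code-point values (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF)
DSCP_NAMES = {0: "CS0/DE", 8: "CS1", 16: "CS2", 24: "CS3", 32: "CS4", 40: "CS5",
              48: "CS6", 56: "CS7", 10: "AF11", 12: "AF12", 14: "AF13", 18: "AF21",
              20: "AF22", 22: "AF23", 26: "AF31", 28: "AF32", 30: "AF33",
              34: "AF41", 36: "AF42", 38: "AF43", 46: "EF"}
# Table 71: default DSCP -> (service class, user priority); unlisted code-points -> 0/1
DSCP_TO_SC_UP = {"CS0/DE": (2, 0), "CS1": (0, 1), "CS2": (1, 2), "CS3": (3, 3),
                 "CS4": (4, 4), "CS5": (5, 5), "CS6": (6, 6), "CS7": (7, 7),
                 "AF11": (2, 0), "AF12": (2, 0), "AF13": (2, 0),
                 "AF21": (3, 3), "AF22": (3, 3), "AF23": (3, 3),
                 "AF31": (4, 4), "AF32": (4, 4), "AF33": (4, 4),
                 "AF41": (5, 5), "AF42": (5, 5), "AF43": (5, 5), "EF": (6, 6)}
OTHERS_SC_UP = (0, 1)


def classify_dscp(dscp: int) -> tuple:
    """Table 71 lookup: DSCP value (0..63) -> (service class, 802.1D UP)."""
    if not 0 <= dscp <= 63:
        raise ValueError(f"DSCP out of range: {dscp}")
    return DSCP_TO_SC_UP.get(DSCP_NAMES.get(dscp, ""), OTHERS_SC_UP)


def select_access_category(l2_up: Optional[int], dscp: Optional[int]) -> str:
    """AC chosen from the L2 (802.1D) and/or L3 (DSCP) tags that are present.

    Assumption: with both tags present the higher-ranked of the two resulting
    ACs wins; a single tag decides on its own; no tag at all falls back to BE.
    """
    candidates = []
    if l2_up is not None:
        candidates.append(UP_TO_AC[l2_up])
    if dscp is not None:
        candidates.append(UP_TO_AC[classify_dscp(dscp)[1]])
    if not candidates:
        return "BE"
    return max(candidates, key=AC_RANK.__getitem__)


@dataclass
class WlanQos:
    """Subset of the WLAN Service QoS tab modelled here (field names are ours)."""
    wmm: bool = True               # WMM or 802.11e enabled on the WLAN Service
    turbo_voice: bool = False      # VO traffic uses the AC_TVO queue instead of AC_VO
    priority_override: bool = False
    override_sc: int = 1           # service class forced by Priority Override
    override_dscp: int = 0         # DSCP written to the encapsulating tunnel header
    locally_bridged: bool = False  # Bridged @ AP: no controller tunnel exists


@dataclass
class Packet:
    dscp: Optional[int]    # None = not an IP packet
    l2_up: Optional[int]   # None = untagged (no 802.1D priority)


def forward(cfg: WlanQos, pkt: Packet) -> dict:
    """Queue, outbound 802.1D UP and tunnel DSCP the AP/controller would use."""
    if cfg.priority_override:
        # configured service class overrides queue selection and the UP (Table 67)
        _name, up, ac = SERVICE_CLASSES[cfg.override_sc]
    elif not cfg.wmm:
        ac, up = "BE", None  # non-WMM behaviour: everything to Best Effort, no L2 UP
    else:
        ac = select_access_category(pkt.l2_up, pkt.dscp)
        # Note above: outbound L2 UP is copied from inbound L2 if present,
        # otherwise inferred from the L3 priority via Table 71
        if pkt.l2_up is not None:
            up = pkt.l2_up
        elif pkt.dscp is not None:
            up = classify_dscp(pkt.dscp)[1]
        else:
            up = 0  # assumption: an untagged, non-IP frame is sent with UP 0
    queue = "AC_TVO" if ac == "VO" and cfg.turbo_voice else f"AC_{ac}"
    # Adaptive QoS copies the client DSCP into the tunnel header; Priority Override
    # substitutes the configured DSCP only when a tunnel exists (not locally bridged)
    if cfg.locally_bridged:
        tunnel_dscp = None
    elif cfg.priority_override:
        tunnel_dscp = cfg.override_dscp
    else:
        tunnel_dscp = pkt.dscp if pkt.dscp is not None else 0  # assumption for non-IP
    return {"ac": ac, "queue": queue, "outbound_up": up,
            "tunnel_dscp": tunnel_dscp, "user_dscp": pkt.dscp}  # user DSCP untouched


if __name__ == "__main__":
    # constructed sample packets: EF voice without a VLAN tag, AF31 with UP 2
    for cfg, pkt in [(WlanQos(turbo_voice=True), Packet(46, None)),
                     (WlanQos(), Packet(26, 2)),
                     (WlanQos(priority_override=True, override_sc=5,
                              override_dscp=34), Packet(0, 0))]:
        print(forward(cfg, pkt))
```

The second sample shows why the L2 rule in the note matters: an AF31 packet arriving with 802.1D UP 2 is queued as video (the L3 tag wins the AC choice) but is re-sent with the inbound UP 2 copied through, so a mis-tagged wired VLAN can demote traffic on the air even though the queue choice looked right.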
Table 69: Traffic Prioritization
VNS type           | Packet Source | Packet type | L2  | L3
Tunneled           | Wired         | Untagged    | No  | Yes
Branch             | Wired         | VLAN tagged | Yes | Yes
Branch             | Wired         | Untagged    | No  | Yes
Branch or Tunneled | Wireless      | WMM         | Yes | Yes
Branch or Tunneled | Wireless      | non-WMM     | No  | Yes

To configure QoS Role:
1 From the top menu, click VNS.
2 In the left pane expand the WLAN Services pane, then click the WLAN Service.
3 Click the QoS tab.

Figure 113: Configuring QoS

Table 70: WLAN Services QoS Tab - Fields and Buttons
Field/Button | Description

Wireless QoS: From the Wireless QoS list, do the following:
• WMM. Select to enable the AP to accept WMM client associations, and classify and prioritize the outbound traffic for all WMM clients. Note that WMM clients will also classify and prioritize the inbound traffic. WMM is part of the 802.11e standard for QoS. If selected, the Turbo Voice and Enable U-APSD options are displayed.
• 802.11e. Select to enable the AP to accept WMM client associations, and classify and prioritize the outbound traffic for all 802.11e clients. The 802.11e clients will also classify and prioritize the inbound traffic. If selected, the Turbo Voice and the Enable U-APSD options are displayed.
• Turbo Voice. Select to enable all outbound traffic that is classified to the Voice (VO) AC and belongs to that VNS to be transmitted by the AP via a queue called Turbo Voice (TVO) instead of the normal Voice (VO) queue. When Turbo Voice is enabled together with WMM or 802.11e, the WMM and/or 802.11e clients in that VNS are instructed by the AP to transmit all traffic classified to the VO AC with special contention parameters tailored to maximize voice performance and capacity.
• Enable U-APSD. Select to enable the Unscheduled Automatic Power Save Delivery (U-APSD) feature. This feature can be used by mobile devices to efficiently sustain one or more real-time streams while being in power-save mode. This feature works in conjunction with WMM and/or 802.11e, and it is automatically disabled if both WMM and 802.11e are disabled.

Admission Control: From the Admission Control list, do the following:
• Use Global Admission Control for Voice (VO). Select to enable admission control for Voice. With admission control, clients are forced to request admission to use the high priority access categories in both inbound and outbound directions. Admission control protects admitted traffic against new bandwidth demands. For more information, see VNS Global Settings on page 392.
• Use Global Admission Control for Video (VI). This feature is only available if admission control is enabled for Voice. With admission control, clients are forced to request admission to use the high priority access categories in both inbound and outbound directions. Admission control protects admitted traffic against new bandwidth demands. Select to provide distinct thresholds for VI (video). For more information, see VNS Global Settings on page 392.
• Use Global Admission Control for Best Effort (BE). If the client does not support admission control for the access category that requires admission control, the traffic category will be downgraded to a lower access category that does not have Mandatory Admission control. For example, if admission control is required for video, and the client does not support admission control for video, traffic will be downgraded to Best Effort (BE). For more information, see VNS Global Settings on page 392.
• Use Global Admission Control for Background (BK). This feature is only available if admission control is enabled for Background. With admission control, clients are forced to request admission to use the high priority access categories in both inbound and outbound directions. Admission control protects admitted traffic against new bandwidth demands. For more information, see VNS Global Settings on page 392.

Flexible Client Access: Select the check box to enable flexible client access. Flexible client access levels are set as part of the VNS global settings. Note: TSPEC must be disabled when using Flexible Client Access.

Priority Processing
• Priority Override. Select this check box to force DSCP and a service class. Note: When Priority Override is enabled, the configured service class forces queue selection in the outbound direction, the 802.1P user priority for the VLAN tagged Ethernet packets and the user priority for the wireless QoS packets (WMM or 802.11e), according to the mapping between service class and user priority. If Priority Override is enabled and the VNS is not locally bridged, the configured DSCP value is used to tag the IP header of the encapsulated packets. The AP does not override the DSCP in the IP header of the user packet.
• DSCP. From the drop-down list, click the DSCP value used to tag the IP header of the encapsulated packets. For more information, see Defining the DSCP and Service Classifications on page 375.
• Service Class. Select one of the following service classes: Network control (7), the highest priority level; Premium (Voice) (6); Platinum (5); Gold (4); Silver (3); Bronze (2); Best Effort (1); Background (0), the lowest priority level. Note: If you want to assign a service class to each DSCP marking, clear the Priority Override check box and define the DSCP service class priorities in the DSCP classification table.

Advanced button: Advanced Wireless QoS options (options are only displayed if the WMM or 802.11e check boxes are selected).
• UL Policer Action. If Use Global Admission Control for Voice (VO) or Use Global Admission Control for Video (VI) is enabled, click the action you want the AP to take when TSPEC violations occurring on the inbound direction are discovered:
  Do nothing. Click to allow TSPEC violations to continue when they are discovered. Data transmissions will continue and no action is taken against the violating transmissions.
  Send DELTS to Client. Click to end TSPEC violations when they are discovered. This action deletes the TSPEC.
• DL Policer Action. If Use Global Admission Control for Voice (VO) or Use Global Admission Control for Video (VI) is enabled, click the action you want the AP to take when TSPEC violations occurring on the outbound direction are discovered:
  Do nothing. Click to allow TSPEC violations to continue when they are discovered. Data transmissions will continue and no action is taken against the violating transmissions.
  Downgrade. Click to force the transmitted data packets to be downgraded to the next priority when a TSPEC violation is discovered.
  Drop. Click to force the transmitted data packets to be dropped when a TSPEC violation is discovered.

Defining the DSCP and Service Classifications

All 64 DSCP code-points are supported. The IETF defined codes are listed by name and code. Undefined codes are listed by code. The following is the default DSCP service class classification (where SC is Service Class and UP is User Priority):

Table 71: DSCP Code-Points
DSCP   | SC/UP
CS0/DE | 2/0
CS1    | 0/1
CS2    | 1/2
CS3    | 3/3
CS4    | 4/4
CS5    | 5/5
CS6    | 6/6
CS7    | 7/7
AF11   | 2/0
AF12   | 2/0
AF13   | 2/0
AF21   | 3/3
AF22   | 3/3
AF23   | 3/3
AF31   | 4/4
AF32   | 4/4
AF33   | 4/4
AF41   | 5/5
AF42   | 5/5
AF43   | 5/5
EF     | 6/6
Others | 0/1

To define the DSCP and Service Class classifications:

Configuring Hotspots

Traditionally, using a hotspot presents end users with several challenges, including initial connection issues, security concerns, and connectivity while roaming. The ExtremeWireless solution offers the following features to improve the hotspot end-user experience:
• Pre-association network discovery and selection using the dot11u ANQP protocol, resulting in a seamless initial connection.
• Simplified account registration. Network administrators create accounts easily, and provisioning is achieved without user input.
• Enhanced security, using over the air transmission secured by WPAv2.

Each hotspot WLAN has its own Access Network Query Protocol (ANQP) configuration. The HESSID and ANQP Domain ID are specific to the hotspot WLAN. With pre-association, a mobile device uses ANQP to perform network discovery. The mobile device's connection manager uses hotspot information, such as the service provider policy and user preferences, to automatically select a hotspot network. A mobile device queries the hotspot for key service provider identification and authentication information and selects a network. The ANQP response is generated using parameters configured by the hotspot operator.

Only one hotspot WLAN can be assigned to an AP and to a specific site configuration. The hotspot WLAN can refer to a single Online Signup (OSU) WLAN, which can be open or encrypted. Network operators define the filter policy during hotspot configuration.

Configuring a New Hotspot

Configure hotspots under the WLAN Services workbench. To configure a hotspot:
1 From the top menu, click VNS. Then, in the left pane, select WLAN Services. The WLAN Services window displays.
2 Click New to configure a new WLAN service.
3 Provide the service Name, Service Type, and SSID.
4 Select the Hotspot option. Valid values are:
  • Disabled. Hotspot functionality is not enabled.
  • Enabled. Hotspots are enabled for this WLAN and the Hotspot tab appears on the WLAN page. Privacy is set by default to WPA and Mandatory Frame Protection (MFP) is enabled. The authentication method is set to AAA with External Radius Server. You can configure MBA, if required.
  • OSU. Allows the definition of an Online Sign Up or OSEN WLAN.
  Note: Configure the policy and topology assigned to the OSU WLAN to allow access only to the OSU server. No access to the internet.
5 Select the Hotspot tab.
  Note: Once you have defined a WLAN service with a hotspot, you cannot disable the hotspot. You can only delete the WLAN service and recreate it.

Figure 114: Hotspot Configuration

Table 72: WLAN Services Hotspot Tab - Fields and Buttons
Field/Button | Description

HESSID: One SSID can be used across multiple WLANs (BSS), so the HESSID helps a client identify when the BSSID belongs to a homogenous BSS with identical configuration. Beacons with the same {HESSID, SSID} pair belong to the same WLAN. The {HESSID, SSID} pair must be unique for each WLAN. By default, the HESSID is set to the MAC address of the controller Ethernet port. Hotspots can have the same HESSID as long as the SSID is unique. If opting to configure the HESSID manually, we recommend using an AP BSSID as the HESSID. Note: In a mobility domain, manually configure the HESSID to a unique value, differentiating it from the value used in the controller's WLAN.

Access Network: Identifies the type of network. Valid values are:
  • Private network. An enterprise network with user accounts.
  • Private network with guest access. An enterprise network providing guest access.
  • Chargeable public network. (Default) Open to anyone but access requires payment.
  • Free public network. Open network, free of charge but may still require acceptance of terms of use (and may involve OSU servers with captive portal).

DGAF Disabled: Downstream Group-Address Forwarding Disabled. By default this option is checked. When checked, the AP is not forwarding downstream group-addressed frames.

Domain: This is a list of one or more domain names of the entity operating the hotspot network. Domain names in the domain name list may contain sub-domains. If the service provider's FQDN is not in the domain name list but is in the realm list, then a mobile device that chooses that service provider is considered to be roaming. FQDN specified by the user. Default value is empty string.

6 From the Hotspot Identification tab, configure the following parameters:
  Venue Info. Describes the venue. Select from a list of predefined values:
  1 Select a description of the venue group in the first field.
  2 Select a value from the second field.
  Note: The second field is not populated with values until after you select a value from the first field. Default value is Unspecified.

Figure 115: Hotspot Identification Tab

7 You can configure up to four languages for each venue. Click the plus sign. A configuration dialog displays. Select a language preference, specifying the venue name and operator name, and click OK.

Figure 116: Configuring Operator and Venue

  Describe the venue where the hotspot is located. If there are multiple hotspot APs in one venue, use the same venue name. However, when one hotspot covers multiple venues, you can list multiple venues here even though they may share a single service set identifier (SSID). List venue names in multiple languages. The mobile device selects the language that is used to display information to the user. The mobile device can obtain venue name information through an ANQP query, which can help the user when they are manually selecting a hotspot. The mobile device implementation determines if the venue name information is displayed.
8 To remove a language row from the Venue list, select the check box in the list row and click the minus sign.

Figure 117: Removing a Venue

9 To edit a list row, click the list row. In the resulting dialog, modify the values and click OK.
10 Click Save to save the configuration.

SP Identification Tab

The hotspot SP identification tab displays hotspot properties for service provider identification and authentication. To configure SP Identification for the hotspot:
1 Configure a WLAN Services Hotspot. For more information, see Configuring a New Hotspot on page 376.
2 Select the SP Identification tab.

Figure 118: Service Provider Identification

3 Configure the following parameters:
  • NAI Realm. The NAI (Network Access Identification) Realms list is a FQDN of the service provider. This is a list of realms that can be successfully authenticated. Each realm may have up to 8 supported EAP methods. Click the plus sign to add realms and select the EAP Method. Then, click OK. Configure an NAI Realm list for each hotspot as follows:
    • Add all realms that can authenticate a mobile device's logon credentials or certificate credentials, including the realms of all roaming partners that are accessible from the hotspot AP.
    • Include the realm of the home SP.
    • Add a realm for the PLMN ID. This is the cellular network identity based on public land mobile network (PLMN) information. See Figure 120 on page 382.
    You can configure the EAP method list to support devices that do not know the EAP methods that are being used by a given service provider. If the device has been provisioned with the home service provider, the device does not need to use the EAP methods in the NAI Realm List. The mobile device knows the EAP method required to authenticate against its home service provider and automatically uses it.
    Note: Keep your DNS server records up to date so that mobile devices can resolve the server domain names (FQDN).

Figure 119: Realm Configuration

    Mobile devices with a SIM or USIM credential can obtain a realm from the hotspot NAI Realm list. While 3GPP credentials are usually used to access a hotspot, a targeted NAI home query is an efficient alternative approach. The device's connection manager compares the realm information in the list to the information that is stored on the device. The connection manager uses the mobile device's preconfigured user preferences and policy to make a decision between a hotspot AP or a non-hotspot AP, if both are available.
  • Roaming Consortium. To configure authentication of mobile devices to the members of a roaming consortium, or to a particular SP that has a roaming consortium, add the appropriate IEEE-assigned Organizational Identifier (OI) here. Specify two identifiers unique to the organization that are part of the MAC address. Use roaming consortium authentication when you do not know all the authenticated realms. Using identifiers unique to the organization in the beacon is a battery efficient roaming method because there are no ANQP queries needed.
  • 3GPP Cellular Network. This is a list of cellular network IDs in the form of mobile country code, mobile network code (MCC, MNC). This list establishes whether an AP has a roaming arrangement with the 3GPP service providers. Click the plus sign to add mobile country code, mobile network code (MCC, MNC) values. Then, click OK.

Figure 120: 3GPP Cellular Network Configuration

4 Click Save to save the configuration.

Network Characteristics Tab

The hotspot Network Characteristics tab displays network parameters for the hotspot. To configure Network Characteristics for the hotspot:
1 Configure a WLAN Services Hotspot. For more information, see Configuring a New Hotspot on page 376.
2 Select the Network Characteristics tab.
3 Configure the following parameters:

Figure 121: Configuring Network Characteristics

  • IP Address Type Availability. The mobile device uses the IP Address Type Availability information to make network selection decisions. Select the level of restriction for each network type. Levels of restriction range from Public Address Available to Port Restricted and Double NATed Private Address Available.
  • WLAN Metrics. Enter the values for maximum Uplink and Downlink speed and load parameters for the WLAN service. The mobile device uses information from the WAN Metrics configured here to make network selection decisions. The mobile device can determine if the necessary throughput is available from the hotspot before connecting. If the mobile device receives indication that the basic service set (BSS) is at capacity, the device will not associate with that AP.
  • Connection Capability. The mobile device uses connection capability information to make network selection decisions by determining which services are blocked or supported at the hotspot. Configure up to 16 ports. To add a protocol, click the plus sign. Specify the protocol, the port number, and the status associated with the protocol. Valid Status values include: Closed, Open, or Unknown.
    Note: Make an effort to configure all ports and do not rely on the Unknown value.

Figure 122: Configuring Connection Capability

    To remove a port from the Connection Capability list, select the check box in the list row and click the minus sign.

Figure 123: Removing a Connection Port

    To edit a port, click the list row. In the resulting dialog, modify the values and click OK.
4 Click Save.

Online Signup Tab

The hotspot Online Signup tab displays hotspot properties for Online Signup users. Online Signup allows users who are not part of the provider network to manually connect to the hotspot. It also allows for added security for users who want to connect anonymously. To configure Online Signup for the hotspot:
1 Configure a WLAN Services Hotspot. For more information, see Configuring a New Hotspot on page 376.
2 Select the Online Signup tab.
3 Configure the following parameters:

Figure 124: Configuring Online Signup

  • Network Authentication Type. Possible values for network authentication are:
    • Acceptance of terms and conditions. Redirection is accomplished after the user accepts Terms and Conditions.
    • Online enrollment supported. Authentication supports online enrollment.
    • Http/Https redirection. Redirect Http or Https automatically.
    • DNS redirection. DNS redirection serves a web page other than what the end user had requested.
  • OSU WLAN. This is the address of the Online Signup WLAN. When you created the hotspot, you specified OSU in step 1 above. The OSU WLAN can be either Open or Encrypted (OSEN).
  • Service Provider Setting. These are the service provider configuration settings. To add a provider to the list, click the plus sign and configure the provider settings. For more information, see Configuring the OSU Service Provider on page 385. To remove a provider from the list, select the check box in the list row and click the minus sign. To edit provider information, click the list row. In the resulting dialog, modify the values and click OK. For more information, see Configuring the OSU Service Provider on page 385.
4 Click Save to save the configuration.

Configuring the OSU Service Provider

Hotspot configuration supports Online Signup. This task outlines how to create a list of service providers that support Online Signup. Take the following steps to configure an Online Signup service provider:
1 Configure a WLAN Services Hotspot. For more information, see Configuring a New Hotspot on page 376.
2 From the WLAN Services Hotspot tab, select the Online Signup tab.

Figure 125: Online Signup Tab

3 In the Service Provider Setting pane, select the plus sign. The OSU SP Configuration dialog appears.

Figure 126: Configuring the OSU Service Provider

4 Configure the following parameters:
  • Server URI. The OSU server URI.
  • Methods. OSU Method is the preferred list of encoding methods that the OSU server supports, in order of priority. Select the connection method used by the provider.
  • Icon. Click Configure to add or remove an icon associated with Online Signup. For more information, see Configuring an OSU Icon on page 388.
  • Anonymous Name. Configure a name that anonymous users can use to access the network.
  • Language. Configure the Language, Friendly Name, and Service Description for the Online Signup user interface.
5 Click OK to save the OSU SP configuration.

Configuring an OSU Icon

This task outlines how to add, change, or remove icons in a list of icons that are associated with Online Signup. The icon list contains the metadata for the available icon files. The metadata defines the image size, language, type, and file name. The mobile device determines which icon in the list best fits the display and downloads the appropriate file. The list can be blank. The NAI realm is used in cases where the OSU ESS (OSEN) SSID is configured. This allows the device to authenticate to the OSU OSEN SSID for access to the OSU server.

To add an icon:
1 From the OSU SP Configuration dialog, click Configure. The Icon Configuration dialog appears.
2 Click Browse to navigate to the icon file. Then, click Open and Upload. The icon file is added to the Icon Configuration dialog.
3 Select the icon and click Save.

To delete an icon:
1 Open the Icon Configuration dialog.
2 Select the icon and click Delete.
3 Click Save.

8 Configuring a VNS

Configuring a VNS
VNS Global Settings
Methods for Configuring a VNS
Manually Creating a VNS
Creating a VNS Using the Wizard
Enabling and Disabling a VNS
Renaming a VNS
Deleting a VNS

Configuring a VNS

Setting up a VNS defines a binding between a default role specified for wireless users and an associated WLAN (Wireless Local Area Network) Service set, as shown in Figure 127. There are conceptually hierarchical dependencies on the configuration elements of a VNS. However, the provisioning framework is flexible enough that you may select an existing dependent element or create one on the fly. Therefore, each element can be provisioned independently (WLAN services, Topologies, and Roles). For service activation, all the pieces will need to be in place, or defined during VNS configuration.

Figure 127: VNS Configuration Flow

You can use the VNS Creation Wizard to guide you through the necessary steps to create a virtual network service (and the necessary subcomponents during the process). The end result is a fully resolved set of elements and an active service. The recommended order of configuration events is:
1 Before you begin, draft out the type of services the system is expected to provide: wireless services, encryption types, infrastructure mapping (VLAN (Virtual LAN)s), and connectivity points (switch ports). Switch port VLAN configuration/trunks must match the controller's.
2 Set up basic controller services such as NTP, Routing, DNS, and RADIUS Servers, using one of the following methods:
  • Run the Basic Configuration Wizard, or
  • Manually define the necessary infrastructure components such as RADIUS Servers. RADIUS Servers are defined via VNS > Global > Authentication.
3 Define Topologies. Topologies represent the controller's points of network attachment. Therefore, VLANs and port assignments need to be coordinated with the corresponding switch ports.
4 Define Roles. Roles are typically bound to Topologies. Role application assigns user traffic to the corresponding network point of attachment. Roles define mobile user access rights by filtering. Policies reference the mobile user's traffic rate control profiles.
5 Define the WLAN Service. Define SSID and privacy settings for the wireless link. Select the set of APs and radios on which the service is present. Configure the method of credential authentication for wireless users (None, Internal CP, External CP, Guest Portal, 802.1x[EAP]).
6 Create a VNS that binds the WLAN Service to the Role that will be used for default assignment upon user network attachment. The VNS configuration page in turn allows for in-place creation of any dependencies it may require. For example:
  • Create a new WLAN Service.
  • Create a new Role.
  • Create a new Topology.
  • Create a new Class of Service.

The default shipping controller configuration does not include any pre-configured WLAN Services, VNSs, or Roles. The ExtremeWireless system does ship with Topology entities representing each of its physical interfaces, plus an admin interface. The controller system ships with a Topology entity for an admin interface. Topology entities representing the controller physical interfaces must be set manually or using the basic installation wizard. There are, however, global default settings corresponding to:
Controller Defaults

The controller ships with the following placeholder definitions:
- A Default Topology named Bridged @ AP Untagged
- An Unlimited Rate Control Profile
- A Filter Definition of Deny all

These entities are simply placeholders for Role completion, in case roles are incompletely defined. For example, a Role may be defined as "no-change" for Topology assignment. If an incomplete Role is assigned as the default for a VNS / WLAN Service (wireless port), the incomplete Role needs to be fully qualified, at which point the missing values are picked from the Default Global Role definitions, and the resulting role is applied as the default.

ExtremeWireless V10.41.06 User Guide 391 Configuring a VNS

Note: You can edit the attributes of the Default Global Role (under VNS > Global tab). For example, change the topology, apply more permissive filter sets, or use a more restrictive Rate Control profile.

It is possible to define a Default Global Role that refers to a specific Topology (for example, Topology_VLAN) and then configure every other Role's topology as No-change. This configuration makes Topology_VLAN the default assignment: all user traffic, regardless of the role assignment (which may apply different access rights and different rate controls), is carried through the same VLAN.

VNS Global Settings

Before defining a specific VNS, define the global settings that apply to all VNS definitions. These global settings include:

- Authentication
  - Configuring RADIUS servers on the enterprise network. The defined servers are displayed as available choices when you set up the authentication mechanism for each WLAN Service.
  - Configuring Dynamic Authorization Service (DAS) support. DAS helps secure your network by providing the ability to disconnect a mobile device from your network.
  - Configuring the MAC format.
  - Configuring RFC 3580 (ACCESS-ACCEPT) RADIUS attributes for the selected server. A Role Map Table maps each VLAN ID to a Role ID.
- Wireless QoS, comprising Admission Control Thresholds and the Flexible Client Access Fairness Role.
  - Admission control thresholds protect admitted traffic against overloads, and provide distinct thresholds for VO (voice) and VI (video), and distinct thresholds for roaming and new streams.
  - (AP37xx only) Flexible Client Access provides the ability to adjust media access fairness in five levels between Packet Fairness and Airtime Fairness.
  - Airtime % is available for AP38xx and AP39xx access point models that are assigned WLANs configured with Reserved Airtime.
- Rate Profiles. The Bandwidth Control Profiles you define are displayed as available choices in the Bandwidth Control menu when you set up a CoS (Class of Service).
- Default Role. The Global Default Policy specifies:
  - A topology to use when a VNS is created using a role that does not specify a topology
  - A set of filters
  The controller ships from the factory with a default Global Default Policy that has the following settings:
  - Topology is set to a Bridged at AP untagged topology. This topology is itself defined in controllers by default.
  - Filters: a single Allow All filter.
  The Global Default Policy is user-configurable. Changes to the Global Default Policy immediately affect all shadow roles created from it, just as if the administrator had made a comparable change directly to the incomplete role. Because incomplete roles inherit these values, a permissive Global Default Policy (the factory default is a single Allow All filter) becomes the effective policy of every role that leaves its filters unspecified, so review it before deploying roles that rely on "no-change".
- Egress Filtering Mode. The global Egress Filtering Mode setting overrides the individual WLAN service Egress Filtering Mode setting.
- Sync Summary. The Sync Summary screen provides an overview of the synchronization status of paired controllers. The screen is divided into sections: Virtual Networks, WLAN services, Roles, and Topologies. Each section lists the name of the corresponding configuration object, its synchronization mode, and the status of the last synchronization attempt. For more information, see Using the Sync Summary on page 414.
- Client Auto Login. This feature configures how auto login behavior is handled for users with devices that need to authenticate to a captive portal to gain network access. For more information, see Using Client Login on page 417.
- NAC Integration. NAC Integration provides a list of NAC servers for use by the controller for passing DHCP (Dynamic Host Configuration Protocol) traffic. The NAC server can accept DHCP messages from the controller's DHCP server and use them to fingerprint devices. For more information, see Using NAC Integration on page 416.
- Netflow/MirrorN. Use Netflow to forward packet information. Integration with ExtremeAnalytics no longer requires Netflow/MirrorN. See ExtremeAnalytics Support with Enhanced IPFIX Records on page 419 for more information.
- Topology Group Algorithm. Algorithms are used for selecting a member Topology from a Topology Group. The wireless controller runs one of the following algorithms: MAC based, Round Robin, Random Selected, and Least Used.
  For more information, see Using Topology Group Algorithm on page 418.
- Redirection URL. Configure a list of redirection URLs from the Redirection URL dialog. You can add and delete a URL.
  Note: To display the Redirection URL option, enable Rule-based Redirection under Filtering Mode.

Related Links
Configuring Airtime Fairness: Reservation Mode on page 406

Defining RADIUS Servers and MAC Address Format

The Authentication global settings include configuring RADIUS servers, the MAC format to be used, the SERVICE-TYPE attribute in the client ACCESS-REQUEST messages, and how long a notice web page displays if a topology change occurs during authentication. The notice web page indicates that authentication was successful and that the user must restart the browser to gain access to the network.

Defining RADIUS Servers for VNS Global Settings

To define RADIUS servers for VNS global settings:

1 From the top menu, click VNS.
2 In the left pane, click Global > Authentication.
3 Select Strict Mode to force the top three RADIUS servers, in priority order, for each WLAN where applicable. Clearing this check box allows the RADIUS servers to be changed individually per WLAN.

Figure 128: Global Authentication Settings

4 To define a new RADIUS server available on the network, click New. The RADIUS Settings dialog displays.

Figure 129: RADIUS Server Settings

5 In the Server Alias field, type a name that you want to assign to the RADIUS server.
  Note: You can also type the RADIUS server's IP address in the Server Alias box in place of a nickname. The RADIUS server is identified by the value typed in the Server Alias box in the RADIUS Servers drop-down list on the RADIUS Authentication tab of the Login Management screen (top menu > Wireless Controller > Login Management). For more information, see Configuring the Login Authentication Mode on page 75.
6 In the Hostname/IP field, type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
  Note: If you type the host name in the Hostname/IP address box, the controller sends a host name query to the DNS server for host name resolution. The DNS servers must be appropriately configured for resolving the RADIUS servers' host names. For more information, see Configuring DNS Servers for Resolving Host Names of NTP and RADIUS Servers on page 94.
7 In the Shared Secret field, type the password that will be used to validate the connection between the controller and the RADIUS server. To proofread your shared secret key, click Unmask. The password is displayed.
  Note: You should always proofread your Shared Secret key to avoid any problems later when the controller attempts to communicate with the RADIUS server. The shared secret is the only key protecting the RADIUS exchange between the controller and the server, so use a long, randomly generated value and a different secret for each server.
8 If desired, change the Default Protocol using the drop-down list. Choices are PAP, CHAP, MS-CHAP, or MS-CHAP2.
9 If desired, change the pre-defined default values for Authentication and Accounting operations:
  a Priority: the default is 4.
  b Total number of tries: the default is 3.
  c RADIUS Request timeout: the default is 5 seconds.
  d For Accounting operations, the Interim Accounting Interval: the default is 30 minutes. Setting the Interim Accounting Interval value to 0 results in no interims being sent.
  e Port: the default Authentication port is 1812. The default Accounting port is 1813.
10 If desired, set up Health Monitoring by selecting a Polling Mechanism from the drop-down menu, and enter a Test Request Timeout (in seconds).
11 To save your changes, click Save. The new server is displayed in the RADIUS Servers list.
  Note: The RADIUS server is identified by its Server Alias.
12 To edit an existing server, click the row containing the server. The RADIUS Settings window displays, containing the server's configuration values.
13 To remove a server from the list, select the check box next to the server, and then click Delete Selected. You cannot remove a server that is used by any VNS.

Configuring the Global MAC Address Format for Use with the RADIUS Servers

To configure the Global MAC Address Format for use with the RADIUS servers:

1 From the top menu, click VNS.
2 In the left pane, click Global, then Authentication.
3 In the MAC Address area, select the MAC Address Format from the drop-down list.
4 Click Save to save your changes.

Configuring Advanced RADIUS Server Settings

1 From the top menu, click VNS.
2 In the left pane, click Global > Authentication.
3 In the MAC Address area, click Advanced.

Figure 130: Advanced RADIUS Server Settings

4 Configure the following parameters:
Table 73: Advanced RADIUS Settings

Include Service-Type attribute in Client Access Request messages
    Select if the client RADIUS Access Request message includes the "Service-Type" attribute. If included, the attribute is set to "Framed" by default.

Set Service Type to Login
    If selected, the RADIUS "Service-Type" attribute of the client Access Request is set to "Login" (instead of "Framed").
    Note: RADIUS-based controller administrative access also sets the Service-Type attribute to "Login". Therefore, if you enable Service Type Login here, RADIUS-based administrative access is not allowed (and vice versa).

Delay for Client Message for Topology Change
    Defines a delay during client authentication when switching from one topology to another. This is relevant for Captive Portal authentication. The delay gives the client time to be assigned an IP address for the new topology before browser redirection. Set the delay in seconds.

How should multiple RADIUS servers be used?
    Specifies the authentication behavior of RADIUS servers on server failure. Select an authentication or accounting option. The selection applies to all WLAN Services and to all sites on the EWC.
    - Primary-Backup. Select a primary failover server to have control over which server provides redundancy. When you select Primary-Backup, the RADIUS server assigned to the site or WLAN Service is the primary for the WLAN Service. All other RADIUS servers assigned to the WLAN Service are backups for the primary and continue to be selected in a round-robin approach. For controllers in an availability pair, the Primary and Backup servers must be synchronized (enable "Synchronize System Configuration" in Availability setup) if the WLAN Services are synchronized. If the primary server has failed, resulting in a backup server being used for authentication, the controller periodically sends a "Health Check" to the primary server to see if it has recovered. If the primary server has recovered, the controller starts using the primary server for all new authentications. All authentications in progress continue to use the backup server.
    - Round-Robin. The server is selected on a round-robin basis starting at the top of the list of approved servers. The first server is used until it fails, and that pattern continues down the list. When the last server fails, the first server is used again.

Use MAC-Based Authentication MAC address format for user authentication and accounting via RADIUS
    Allows the administrator to override the default colon-separated MAC address format (for example 00:11:22:33:44:55) with the Global Authentication MAC Address format for the following attributes:
    - Calling-Station-Id attribute of the RADIUS packet
    - Called-Station-Id attribute (if Called-Station-Id is not overridden by the Zone name)
    - AP BSSID MAC in one of the vendor attributes
    - User-Name attribute
    Note: This setting is enabled for new deployments. You must manually enable this setting for upgraded deployments.

Override 802.1x Authentication Called-Station-Id format with XX-XX-XX-XX-XX-XX:SSID
    Allows the administrator to override the Called-Station-Id attribute format for 802.1x authentication with the format XX-XX-XX-XX-XX-XX:SSID. This setting is disabled by default. When you select this option, the Called-Station-Id conforms to the format specified in RFC 3580 (IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines). If the RADIUS server processes this attribute, it has to support this format.
    Note: This setting overrides the setting "Use MAC-Based Authentication MAC address format for user authentication and accounting via RADIUS".

RADIUS Accounting
    Enabling RADIUS accounting activates RADIUS accounting only in WLAN Services specifically configured to perform it. Disabling RADIUS accounting overrides the RADIUS accounting settings of individual WLAN Services.

Defer sending the accounting start request until the client's IP address is known
    If selected, the client RADIUS Accounting-Request "start" is not sent to the RADIUS server until the client IP address is known. By default, this option is not selected and the "start" is sent as soon as the client is authenticated.

5 Click Close to close the Advanced Settings dialog.
6 Click Save to save your changes.

Changing the Display Time of the Notice Web Page

You can modify the amount of time that the Notice web page displays if a topology change occurs during authentication. Currently this is supported for Internal Captive Portal, Guest Portal, and Guest Splash. Take the following steps:

1 From the top menu, click VNS.
2 In the left pane, click Global, then Authentication.
3 In the MAC Address area, click Advanced.
4 In the Delay for Client Message for Topology Change field, specify the number of seconds the web page is displayed to the client when the topology changes as a result of a role change. The web page indicates that authentication was successful and that the user must close all browser windows and then restart the browser for access to the network.
5 Click Close.
6 Click Save to save your changes.

Configuring RADIUS Attribute for Hybrid Role Mode

Hybrid Role mode (RFC 3580 Mapping mode) enables the wireless controller to separately assign different roles or topologies depending on a mobile station's location. The following modes of operation are available:

- RADIUS Filter-ID attribute: the controller uses the topology assigned by the role and ignores the VLAN tunnel ID.
- RADIUS Tunnel-Private-Group-ID attribute: the controller selects a role for the station based on the VLAN tunnel ID and ignores the filter ID. When selected, a mapping table maps each VLAN ID to a role.
- Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes: the controller uses both the role identified in the filter ID and the topology associated with the VLAN tunnel ID.

Note: The selected mode of operation applies to all WLAN Services on the controller.

Defining RFC 3580 Mapping Mode for VNS Global Settings

To define RFC 3580 for VNS global settings:

1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, click Global > Authentication.
3 Click the RFC 3580 (ACCESS-ACCEPT) Options tab.

Figure 131: Authentication Settings

4 Select RADIUS Filter-ID attribute to assign both role and topology when the controller receives a RADIUS ACCESS-ACCEPT message. To save your changes, click Save.
5 Select RADIUS Tunnel-Private-Group-ID attribute to assign both role and topology (based on the VLAN ID to Role Mapping table selection) when the controller receives a RADIUS ACCESS-ACCEPT message. In the VLAN ID Role Mapping table, select an existing VLAN ID and Role. Click New to create a new mapping entry. In the Add VLAN Role dialog, enter a VLAN ID, and select a Role from the drop-down list. Click Add. To save your changes, click Save.
6 Select Both RADIUS Filter-ID and Tunnel-Private-Group-ID attributes to identify the role to assign to the station and the topology to assign to the station (based on the VLAN ID to Role Mapping table selection) when the controller receives a RADIUS ACCESS-ACCEPT message. In the VLAN ID Role Mapping table, select an existing VLAN ID and Role. Click New to create a new mapping entry. In the Add VLAN Role dialog, enter a VLAN ID, and select a Role from the drop-down list. Click Add. To save your changes, click Save.

Dynamic Authorization Service (DAS) Support

DAS helps secure your network by forcing the disconnection of a mobile device from your network. Typically, you would want to disconnect any unwelcome or unauthorized mobile device. The disconnect message defined in RFC 3576 (since superseded by RFC 5176) is enforced by the DAS support. If an unauthorized mobile device is detected on the network, the DAS client sends a disconnect packet, forcing the mobile device off the network. Your DAS client can be an integration with ExtremeControl or another third-party application, including RADIUS applications. For more information, see NAC Integration with the Wireless WLAN on page 24.
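The following is an added example, not code from the ExtremeWireless guide or from Extreme. It shows the two RADIUS attribute behaviours described above: how the Table 73 MAC-format and Service-Type settings shape a client Access-Request (including the RFC 3580 Called-Station-Id form), and how the three Hybrid Role (RFC 3580 mapping) modes turn an Access-Accept into a (role, topology) decision, including the RFC 2868 tag octet that often precedes the Tunnel-Private-Group-ID value. Attribute numbers and Service-Type values are from RFC 2865 and RFC 2868; the MAC rendering styles, the setting names, the role names and the VLAN table are this example's own constructions, since the guide does not list the drop-down values.

```python
"""Added example (not from the ExtremeWireless guide): Access-Request attribute
formatting under the Advanced RADIUS settings, and Hybrid Role mode decisions.
Attribute numbers are RFC 2865/2868; MAC styles, setting keys, roles and the
VLAN table are constructed for this example."""

import re

FILTER_ID, TUNNEL_PRIVATE_GROUP_ID = 11, 81      # RFC 2865 / RFC 2868 attribute types
SERVICE_TYPE_LOGIN, SERVICE_TYPE_FRAMED = 1, 2   # RFC 2865 Service-Type values

# Assumed rendering styles for the "MAC Address Format" setting; the guide
# does not list the drop-down values, so these are this example's own names.
MAC_STYLES = {"colon": ("{:02x}", ":"), "dash": ("{:02X}", "-"), "plain": ("{:02x}", "")}


def format_mac(mac, style):
    """Render a MAC in the given style, accepting any common input separator."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    cell, sep = MAC_STYLES[style]
    return sep.join(cell.format(int(digits[i:i + 2], 16)) for i in range(0, 12, 2))


def rfc3580_called_station_id(bssid, ssid):
    """RFC 3580 form 'XX-XX-XX-XX-XX-XX:SSID': upper-case, dash-separated BSSID."""
    return f"{format_mac(bssid, 'dash')}:{ssid}"


def access_request_attrs(client_mac, bssid, ssid, s):
    """Attributes the controller would send for a client under settings s
    (keys are this example's names for the Table 73 check boxes)."""
    style = s["mac_format"] if s["use_mac_format"] else "colon"   # colon is the default
    attrs = {"Calling-Station-Id": format_mac(client_mac, style)}
    if s["override_called_station_id_rfc3580"]:   # takes precedence over the MAC format
        attrs["Called-Station-Id"] = rfc3580_called_station_id(bssid, ssid)
    else:
        attrs["Called-Station-Id"] = format_mac(bssid, style)
    if s["mac_based_auth"]:                       # MAC authentication: User-Name is the MAC
        attrs["User-Name"] = format_mac(client_mac, style)
    if s["include_service_type"]:
        attrs["Service-Type"] = SERVICE_TYPE_LOGIN if s["service_type_login"] else SERVICE_TYPE_FRAMED
    return attrs


def admin_access_conflict(s):
    """Table 73 note: client Service-Type Login and RADIUS-based controller
    admin access (which also uses Login) cannot both be enabled."""
    return bool(s["service_type_login"] and s["radius_admin_access"])


def tunnel_private_group_id_vlan(value):
    """Decode Tunnel-Private-Group-ID: drop the RFC 2868 tag octet (0x00-0x1F)
    when present, then parse the VLAN number. None for anything unparseable."""
    if value and value[0] <= 0x1F:
        value = value[1:]
    try:
        return int(value.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        return None


def assign_role_and_topology(accept, mode, roles, vlan_role_map):
    """Apply the Hybrid Role mode to Access-Accept attributes {type: bytes}.
    roles: {role_name: topology_name}; vlan_role_map: {vlan_id: role_name}.
    Returns (role, topology), or None when the result is not a valid role so
    the caller can apply the Default Role's Invalid Role Action."""
    raw = accept.get(FILTER_ID)
    filter_role = raw.decode("ascii", "replace") if raw else None
    vlan = tunnel_private_group_id_vlan(accept.get(TUNNEL_PRIVATE_GROUP_ID, b""))
    vlan_role = vlan_role_map.get(vlan)
    if mode == "filter-id":                     # role from Filter-Id; VLAN ignored
        role, topology = filter_role, roles.get(filter_role)
    elif mode == "tunnel-private-group-id":     # role from the VLAN table; Filter-Id ignored
        role, topology = vlan_role, roles.get(vlan_role)
    elif mode == "both":                        # role from Filter-Id, topology via the VLAN table
        role, topology = filter_role, roles.get(vlan_role)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return None if role not in roles or topology is None else (role, topology)
```

A RADIUS server that matches on Called-Station-Id must be told which form to expect: with the RFC 3580 override the attribute carries the SSID, otherwise only the BSSID in the global MAC format. A Filter-Id naming a role the controller does not have, or a VLAN missing from the mapping table, returns None here, which is the case the Default Role's Invalid Role Action (Apply VNS Default Role, Allow All, or Deny All) decides.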
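The DAS exchange described above, as an added example that is not part of the guide and not Extreme's code. It follows the disconnect message as RFC 3576/5176 defines it: a DAS client (for example a NAC server) sends a Disconnect-Request, the controller side verifies the Request Authenticator with the shared secret, ignores an identical request repeated inside the Replay Interval, and answers with a Disconnect-ACK or a Disconnect-NAK carrying an Error-Cause. The shared secret, the session table and the MAC addresses are constructed test data; the UDP socket handling is omitted so the logic runs offline.

```python
"""Added example (not from the ExtremeWireless guide): RFC 5176 Disconnect-Request
handling with authenticator verification and a replay window. Secret, sessions
and addresses are constructed test data."""

import hashlib
import hmac
import struct
import time

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42   # RFC 5176 codes
CALLING_STATION_ID, ERROR_CAUSE = 31, 101                          # attribute types
SESSION_CONTEXT_NOT_FOUND = 503                                    # Error-Cause value
DAS_PORT = 3799                                                    # default port from the guide


def encode_attrs(attrs):
    """attrs: list of (type, bytes or int) -> RADIUS attribute byte string."""
    out = b""
    for t, v in attrs:
        v = struct.pack("!I", v) if isinstance(v, int) else v
        out += struct.pack("!BB", t, len(v) + 2) + v
    return out


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def build_disconnect_request(identifier, attrs, secret):
    """Request Authenticator = MD5(Code|ID|Length|16 zero octets|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    auth = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + auth + body


def build_response(code, identifier, request_auth, attrs, secret):
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_request(packet, secret):
    """Return (identifier, request_auth, attrs); raise ValueError if not authentic."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        raise ValueError("bad code or length")
    auth, body = packet[4:20], packet[20:]
    expected = hashlib.md5(packet[:4] + bytes(16) + body + secret).digest()
    if not hmac.compare_digest(auth, expected):
        raise ValueError("authenticator mismatch")
    return identifier, auth, decode_attrs(body)


def verify_response(response, request_auth, secret):
    """DAS client side: check the Response Authenticator before trusting an ACK/NAK."""
    expected = hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


class DasServer:
    """Controller-side DAS listener state: shared secret, live sessions, replay cache."""

    def __init__(self, secret, sessions, replay_interval=300):
        self.secret, self.sessions = secret, dict(sessions)   # {Calling-Station-Id: user}
        self.replay_interval = replay_interval                 # guide default: 300 seconds
        self.seen = {}                                         # (id, authenticator) -> time

    def handle(self, packet, now=None):
        """Return (response or None, disconnected MAC or None)."""
        now = time.monotonic() if now is None else now
        try:
            identifier, auth, attrs = verify_request(packet, self.secret)
        except ValueError:
            return None, None             # RFC 5176: silently discard unauthenticated requests
        self.seen = {k: t for k, t in self.seen.items() if now - t < self.replay_interval}
        if (identifier, auth) in self.seen:
            return None, None             # identical message inside the Replay Interval
        self.seen[(identifier, auth)] = now
        mac = next((v.decode("ascii", "replace") for t, v in attrs if t == CALLING_STATION_ID), None)
        if mac in self.sessions:
            del self.sessions[mac]        # force the station off the network
            return build_response(DISCONNECT_ACK, identifier, auth, [], self.secret), mac
        nak_attrs = [(ERROR_CAUSE, SESSION_CONTEXT_NOT_FOUND)]
        return build_response(DISCONNECT_NAK, identifier, auth, nak_attrs, self.secret), None
```

The replay cache only suppresses a duplicate of a request the controller has already accepted; a forged request is rejected earlier by the authenticator check, which is why the secret shared with the DAS client, not the Replay Interval, is what keeps an attacker on the management network from disconnecting legitimate stations.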
DAS support is available on all physical interfaces of the controller, and by default DAS listens on the standard-specified UDP port 3799.

Configuring Dynamic Authorization Server Support

To configure Dynamic Authorization Server support:

1 From the top menu, click VNS.
2 In the left pane, click Global > DAS.

Figure 132: Global DAS Settings

3 In the Port box, type the UDP port you want DAS to monitor. By default, DAS is configured for the standard-specified UDP port 3799. It is unlikely this port value needs to be revised.
4 In the Replay Interval box, type how long you want DAS to ignore repeated identical messages. By default, DAS is configured for 300 seconds. This time buffer helps defend against replay attacks on the network. The interval only suppresses duplicates of a request already received; the authenticity of a disconnect request rests on the RADIUS shared secret, as defined in RFC 3576.
5 To save your changes, click Save.

Defining Wireless QoS Global Settings

Defining the wireless QoS global settings includes the following:
- Configuring QoS Admission Control Thresholds on page 403
- Configuring QoS Flexible Client Access on page 404

Configuring QoS Admission Control Thresholds

To define Admission Control Thresholds for VNS Global Settings:

1 From the top menu, click VNS.
2 In the left pane, click Global > Wireless QoS.

Figure 133: Wireless QoS Settings

3 In the Admission Control Thresholds area, define the thresholds for the following:
- Max Voice (VO) BW for roaming streams: the maximum allowed overall bandwidth on the new AP when a client with an active voice stream roams to a new AP and requests admission for the voice stream.
- Max Voice (VO) BW for new streams: the maximum allowed overall bandwidth on an AP when an already associated client requests admission for a new voice stream.
- Max Video (VI) BW for roaming streams: the maximum allowed overall bandwidth on the new AP when a client with an active video stream roams to a new AP and requests admission for the video stream.
- Max Video (VI) BW for new streams: the maximum allowed overall bandwidth on an AP when an already associated client requests admission for a new video stream.
- Max Best Effort (BE) BW for roaming streams
- Max Best Effort (BE) BW for new streams
- Max Background (BK) BW for roaming streams: the maximum allowed background bandwidth on an AP for roaming streams.
- Max Background (BK) BW for new streams: the maximum allowed background bandwidth on an AP for new streams.
These global QoS settings apply to all APs that serve QoS-enabled VNSs with admission control.
4 To save your changes, click Save.

Related Links
Configuring Airtime Fairness: Reservation Mode on page 406
Legacy Airtime Fairness: AP37xx on page 407

Configuring QoS Flexible Client Access

This feature allows you to adjust the client access role in multiple steps between packet fairness and airtime fairness.

To define flexible client access for VNS global settings:

1 Go to VNS.
2 In the left pane, click Global > Wireless QoS.

Figure 134: Wireless QoS Settings

3 Depending on your AP model, do one of the following:
- If configuring an AP37xx, select a role from the Fairness Policy drop-down list.
  Note: TSPEC must be disabled when using Flexible Client Access.
- If configuring an AP38xx or AP39xx using Reservation Mode, click Configure. The Airtime Reservation Configuration dialog displays.

Related Links
Configuring Airtime Fairness: Reservation Mode on page 406
Legacy Airtime Fairness: AP37xx on page 407

Configuring Airtime Fairness: Reservation Mode

With Airtime Reservation, you reserve a percentage of air time for clients associated to a WLAN. The Airtime Reservation algorithm monitors the downlink traffic from all clients. When congestion starts, the reservation algorithm guarantees that these clients have access to the air for the configured amount of time. If clients do not request to transmit, the reserved airtime is consumed by other clients.

Note: Airtime Reservation Mode is supported by AP38xx and AP39xx models. The legacy Flexible Client Access feature continues to support AP37xx models. Configuring Airtime Reservation Mode may cause the AP to reboot.

1 Go to VNS > Global > Wireless QoS.
2 Click Configure. The Airtime Reservation Configuration dialog displays.

Figure 135: Airtime Reservation Configuration Dialog

3 Select the percentage of airtime for each WLAN. Airtime Reservation configuration rules:
- Four WLAN services associated with a controller can be configured with Airtime Reservation.
- The total Airtime Reservation of the four WLAN services is limited to 80 percent of the total. The remaining 20 percent of the total time is reserved for the other WLAN services.
- If a WLAN service with Airtime Reservation is associated to a radio, the QCA ATF module is turned on, and the AP restarts in order to load the ATF module. The number of clients supported by QCA ATF is 50.
- If the radio does not have a WLAN service with Airtime Reservation associated, the QCA ATF module is turned off.
- When configured, the Airtime Fairness percentage displays on the WLAN Assignment page for the AP.
- When Mesh and WDS are configured, the first WLAN gets 20 percent of the available channel airtime. The other clients on the radio channel get the remaining airtime. This takes co-channel interference into account: if there is 50 percent interference, WLAN1 gets 20 percent of the available 50 percent.

Related Links
Configuring QoS Flexible Client Access on page 404
Legacy Airtime Fairness: AP37xx on page 407

Legacy Airtime Fairness: AP37xx

This topic outlines the legacy Airtime Fairness behaviour that is supported by AP37xx. Airtime Fairness Reservation Mode is supported by AP38xx and AP39xx models. Legacy Airtime Fairness is described as follows:
- Packet fairness is the default 802.11 access role. Each WLAN participant gets the same (equal) opportunity to send packets. All WLAN clients show the same throughput, regardless of their PHY rate.
- Airtime fairness gives each WLAN participant the same (equal) time access. WLAN clients' throughput is proportional to their PHY rate.

Note: Flexible Client Access may not work if Global Admission Controls for Voice and Video (Advanced QoS settings) are enabled.

Related Links
Configuring Airtime Fairness: Reservation Mode on page 406
Configuring QoS Flexible Client Access on page 404

Working with Bandwidth Control Profiles

Bandwidth control limits the amount of bidirectional traffic from a mobile device. A bandwidth control profile provides a generic definition for the limit applied to certain wireless clients' traffic. A bandwidth control profile is assigned on a per-role basis. A bandwidth control profile is not applied to multicast traffic.

A bandwidth control profile consists of the following parameters:
- Profile Name: the name assigned to a profile.
- Committed Information Rate (CIR): the rate at which the network supports data transfer under normal operations. It is measured in kilobits per second (Kbps).

The bandwidth control profiles you define on the Global Settings screen are displayed as available choices in the Bandwidth Control Profiles list on the Classes of Service screen.

To create a bandwidth control profile:

1 From the top menu, click VNS.
2 In the left pane, click Global > Bandwidth Control.

Figure 136: Global Bandwidth Control Profiles

3 Provide a Profile Name for the bandwidth control profile.
4 Provide the Average Rate (CIR) value for the bandwidth control profile.
5 Click Add Profile. The profile is created and displayed in the Bandwidth Control Profiles list.
6 Create additional bandwidth control profiles, if applicable.
7 Click Save.

Configuring the Global Default Policy

The controller ships with a Global Default Policy that can be configured. The Global Default Policy specifies:
- A topology to use when a VNS is created using a role that does not specify a topology. The default assigned topology is named Bridged at AP untagged.
- A set of filters.

Configuring the Topology and Rate Profiles

To configure the topology and rate profiles:

1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, click Global > Default Role.
3 Select the VLAN & Class of Service tab.
4 In the Default Action area, select a VLAN using one of the following methods:
- Select an existing VLAN from the drop-down list.
- Select an existing VLAN from the drop-down list, then click Edit. The Edit Topology window displays, showing the current values for the selected topology.
- Click New. The New Topology window displays.

Figure 137: Default Role Settings

Edit or create the selected topology as described in Configuring a Basic Data Port Topology on page 266.
5 Select an Invalid Role Action from one of the following:
- Apply VNS Default Role
- Allow All traffic
- Deny All traffic
6 Click Save.

Configuring the Filters

To configure the filters:

1 Click the Policy Rules tab. The Rules tab displays, allowing you to create policy rules that are applied by the controller when the default non-authentication role does not specify filters.

Figure 138: Default Role Settings

2 To add a rule, click Add. For more information, see Policy Rules on page 288.
3 To configure custom AP filters, select AP Filtering and Custom AP Rules, then click the Custom AP rules tab. For more information, see Defining Policy Rules for Wireless APs on page 298.

Related Links
Understanding the Filter Rule Definition Dialog on page 302
L7 Configuration on page 307

Configuring Egress Filtering Mode

The controller can be configured to support Policy Manager's Egress Role mode. Egress Role refers to taking the ingress filters assigned to a port, exchanging the source and destination addresses with each other in each role rule, and applying the result to the traffic egressing the port.

The ExtremeWireless solution applies egress filtering mode to WLAN services. When egress filtering is enabled, any role that is applied to a station on the WLAN service has its outbound filters replaced with rules in which the source and destination addresses of the inbound filters are swapped.

The same role can be assigned to stations on WLAN services that have egress filtering mode enabled and on WLAN services that have it disabled. For stations that are on WLAN services with egress filtering mode enabled, the role's outbound filters are replaced by ones derived from the inbound policy rules. For stations that are on WLAN services with egress filtering disabled, the outbound filters of the role are applied as defined. In other words, the same role can be applied in two different ways at the same time, based on the egress filter mode settings of the WLAN services it is used with.

The global Egress Filtering Mode setting overrides the individual WLAN service Egress Filtering Mode setting.
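The rule rewriting described above, as an added example that is not part of the guide and not Extreme's code. It derives a role's effective outbound rules by swapping the source and destination (address and port) of each inbound rule, resolves the global versus per-WLAN-service mode the same way the text describes, and evaluates two return-direction packets against a constructed role so the two interpretations of the same role can be compared. The rule fields, the mode names, the first-match evaluation order with a deny default, and the sample role and packets are this example's own assumptions, not the controller's internal representation.

```python
"""Added example (not from the ExtremeWireless guide): how "Apply In rules to
Out direction traffic" derives outbound filters from a role's inbound rules,
and why one role can behave two ways at once under the "Use WLAN Service"
global mode. Rule fields, mode names, evaluation order and the sample role
and packets are constructed for this example."""

import ipaddress


def rule(action, src, dst, proto="any", sport=None, dport=None):
    """A policy rule; None for a port means 'any'. src/dst are CIDR strings."""
    return {"action": action, "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "sport": sport, "dport": dport}


def swap(r):
    """Egress Role mode: exchange source and destination address, and the ports with them."""
    return {**r, "src": r["dst"], "dst": r["src"], "sport": r["dport"], "dport": r["sport"]}


def effective_out_rules(role, wlan_mode, global_mode="use-wlan"):
    """Outbound rules actually enforced for a station on one WLAN service.
    global_mode: "use-wlan" (default), "explicit-out" or "apply-in-to-out";
    wlan_mode is the WLAN service's own setting and is consulted only under "use-wlan"."""
    mode = wlan_mode if global_mode == "use-wlan" else global_mode
    if mode == "apply-in-to-out":
        return [swap(r) for r in role["in"]]     # explicit Out rules are ignored
    if mode == "explicit-out":
        return role["out"]
    raise ValueError(f"unknown egress filtering mode {mode!r}")


def matches(r, pkt):
    return (ipaddress.ip_address(pkt["src"]) in r["src"]
            and ipaddress.ip_address(pkt["dst"]) in r["dst"]
            and r["proto"] in ("any", pkt["proto"])
            and r["sport"] in (None, pkt.get("sport"))
            and r["dport"] in (None, pkt.get("dport")))


def decide(rules, pkt, default="deny"):
    """First matching rule wins; unmatched traffic falls to the default (assumed deny)."""
    for r in rules:
        if matches(r, pkt):
            return r["action"]
    return default


# Constructed role: the station may only reach the intranet web tier, but the
# Out direction was left wide open on the assumption that only replies come back.
ROLE = {
    "in": [rule("allow", "0.0.0.0/0", "10.0.0.0/8", "tcp", dport=443),
           rule("deny", "0.0.0.0/0", "0.0.0.0/0")],
    "out": [rule("allow", "0.0.0.0/0", "0.0.0.0/0")],
}

# Two constructed packets heading toward the station (Out direction): a reply
# from the web tier, and an unsolicited SSH probe from another subnet.
REPLY = {"src": "10.1.2.3", "dst": "172.16.5.9", "proto": "tcp", "sport": 443, "dport": 51000}
PROBE = {"src": "192.168.1.9", "dst": "172.16.5.9", "proto": "tcp", "sport": 40000, "dport": 22}


def outcomes(role, wlan_mode, global_mode="use-wlan"):
    """(decision for REPLY, decision for PROBE) under the given mode combination."""
    rules = effective_out_rules(role, wlan_mode, global_mode)
    return decide(rules, REPLY), decide(rules, PROBE)
```

With the WLAN service set to enforce the explicitly defined Out rules, both packets reach the station; with "Apply In rules to Out direction traffic", only the web-tier reply does, because the swapped deny-all now guards the Out direction too. Under the default "Use WLAN Service" global setting the role gives both answers at once on two differently configured WLAN services, which is the behaviour the text warns about; a global "apply-in-to-out" setting removes that ambiguity by overriding every WLAN service.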
By default, the global setting is set to Use WLAN. In this mode, egress filtering can be enabled for some WLAN services and not others. Set the Egress Filtering Mode setting from the Advanced configuration dialog of each WLAN service.

Changing the global setting does not alter each individual WLAN egress filtering mode setting, although the global setting can override the individual setting. Changing the global setting does not alter the outbound policy rules of each role. Each role's policy rules are stored on the controller as they were entered. Changing the global egress filtering mode flag does, however, affect how a role's rules are interpreted when they are applied.

Rule-Based Redirection

Rule-based redirection requires explicit enablement. For new installations, Rule-based Redirection is enabled by default. For upgrades from releases prior to v10.11, ExtremeWireless preserves the previous captive portal redirection method of triggering the redirect off denied HTTP/HTTPS for non-authenticated roles. For more information, see Rule-Based Redirection on page 289.

Note: The option to disable Rule-based Redirection is available for backward compatibility only.

Figure 139: Enabling Rule-based Redirection

Related Links
Configuring the In/Out Rules for WLAN Services Settings on page 412
Rule-Based Redirection on page 289

Configuring the In/Out Rules for WLAN Services Settings

To configure the Egress Filtering Mode:

1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, click Global > Filtering Mode. The Egress Filtering Mode Configuration screen displays.

Figure 140: Egress Filtering Mode

3 Select an egress filtering mode:
- All WLAN Services enforce explicitly defined Out rules: all WLAN services enforce outbound filters on egress traffic exactly as they are defined in the role.
- All WLAN Services apply In policy rules to Out direction traffic: on all WLAN services, the outbound policy rules that are explicitly defined in the role are overridden by a set of rules created by copying each inbound role rule and swapping the source and destination address roles in the rule.
- Use WLAN Service setting: each role's rules are interpreted in accordance with the Egress Filtering Mode setting of each WLAN Service on which the role is applied. In this mode, a role's rules can be interpreted in two different ways at the same time, if the role is used simultaneously on a WLAN service that has Enforce explicitly defined Out rules enabled and on a WLAN service that has Apply In rules to Out direction traffic enabled.

Note: The Use WLAN Service setting is recommended. If you are using Policy Manager, configure each WLAN Service's Egress filtering option directly from Policy Manager. Enabling Egress Filtering on a WLAN Service port in Policy Manager is equivalent to setting Apply In rules to Out direction traffic in the WLAN Services Advanced dialog.

4 Select Rule-based Redirection to enable redirection based on configured policy rules after a packet is denied. For more information, see Rule-Based Redirection on page 289.

Upgrade considerations for the default Rule-based Redirection setting. This setting is enabled for the following installation scenarios:
- New installations of ExtremeWireless v10.11 or later
- Upgrades from ExtremeWireless v10.11 or later
- Factory resets of ExtremeWireless v10.11 or later
When upgrading from a previous version of ExtremeWireless, this check box is cleared, and Rule-based Redirection is disabled.

Related Links
Configuring Egress Filtering Mode on page 410
Rule-Based Redirection on page 289
Managing Redirection URLs on page 421

Using the Sync Summary

The Sync Summary screen provides an overview of the synchronization status of paired controllers. The screen is divided into five sections: Virtual Networks, WLAN services, Roles, Classes of Service, and Topologies. Each section lists the name of the corresponding configuration object, its synchronization mode, and the status of the last synchronization attempt.

If Synchronization of an object is not enabled, the Status field contains a Synchronize Now button, which performs a single synchronization of the object, pushing the object from the local controller to the peer.

If Synchronization of an object is enabled, the Status field can have the following values:
- Synchronized
- Not Synchronized
- Failed
- Conflict (with a button called Resolve)

The Synchronize System Configuration check box acts as a global synchronization flag. When it is disabled, synchronization is not performed in the background. When it is enabled, only the objects that have Sync enabled are synchronized.

An object may have a synchronization state of Conflict if it was updated on both controllers in the availability pair while the availability link was down. In such a case, the Resolve button lets you choose which version of the object should be taken, local or remote. Note that controllers do not compare the actual configuration when they declare a conflict: the fact that the object was updated on both controllers in the availability pair is by itself what triggers the Conflict state, so two identical edits still need to be resolved by hand.

Using NAC Integration

NAC Integration provides the ability to forward DHCP traffic from a controller to a configured NAC server. When a controller is configured to be a topology's DHCP server, or a relay for a topology, and this feature is enabled, traffic is forwarded to the NAC server.

The NAC Integration Options screen provides a list of NAC servers that will accept DHCP messages from the controller. A maximum of three addresses can be entered, and only one address can be entered for each NAC Server. To stop DHCP forwarding, all configured NAC servers need to be deleted from the list. The screen lists the NAC Server, NAC Name and IP Address, and provides the ability to add a new server or delete an existing entry.

Figure 141: NAC Integration Settings

Adding a New NAC Server Destination

1 From the top menu, click VNS.
2 In the left pane, click Global > NAC Integration.
3 Click New. The NAC DHCP Receiver Address dialog appears.
4 For NAC Server Name, enter a name for the NAC Server. This is an optional step, but it helps to identify a specific server.
5 For Address for DHCP Traffic, enter the IPv4 address for DHCP Traffic.
6 Click OK.

Using Client Login

When a client uses a device that provides autologin capabilities, an attempt is made to detect whether the device needs to authenticate to a captive portal to gain network access via the controller. If the device determines that captive portal authentication is required, a login dialog is displayed. After logging in, access is granted and the browser window closes. This autologin behavior is incompatible with deployments that need to direct all wireless users to a specific web page after the login completes. The Client Autologin feature provides configuration options to control autologin behavior.

Figure 142: Global Client Autologin

Selecting a Client Autologin Option

1 From the top menu, click VNS.
2 In the left pane, click Global > Client Autologin. The Client Autologin Handling screen displays.
3 Select one of the following options:
- Hide the captive portal from Autologin detector: the controller spoofs the detection server's response, creating the impression that there is no captive portal. This is the default option.
- Redirect detection messages to the Captive Portal: the client detects the captive portal and prompts the user to log in.
- Drop detection messages: the controller ignores the connection request and drops the client.
4 Click Save to save the desired option.

Using Topology Group Algorithm

Tunneled station traffic is forwarded from the AP to the controller as if the groups were plain topologies. The controller provides minimum support to use only tunneled topology groups (B@AC, routed). The controller runs the Topology Group Algorithm and does not forward the mapping table to the AP.

Go to VNS > Global > Topology Group Algorithm.

Figure 143: Topology Group Algorithm

The following algorithms are available for selecting a member topology from a Topology Group:
MAC-Based: This algorithm always assigns a client to the same topology within the topology group. Round Robin: The list is considered ordered; start at the top of the list. The next assignment is the next topology on the list; wrap around at the bottom. Random Selected: Random number selected from a uniform distribution mod the number of topologies in the topology group. Least Used: Assign a topology in the topology group with the least number of stations assigned to it at the moment of assignment. ExtremeWireless V10.41.06 User Guide 418 Conguring a VNS Using Netow/MirrorN Use Netow to forward packet information. Integration with ExtremeAnalytics no longer requires Netow/MirrorN. See ExtremeAnalytics Support with Enhanced IPFIX Records on page 419 for more information. D Figure 144: Netow/MirrorN The following conguration items are supported:
Netow Export-Destination IP Address: Congure the ExtremeAnalytics engine IP to receive Netow records. Netow Export Interval: Congure the Netow sending interval for same ow. The default value is 60. It will support from 30 to 360 seconds. Mirror rst N: Congure the MirrorN rst N packets. It is a global setting per controller and all raft Congure the mirror port on the controller. The default value is None. The other l2 ports can only be selected when it is not referred elsewhere (lag, topologies). APs (per link). Default setting is 15. Traffic Mirror L2 Port:
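As an added example (not Extreme Networks code), the four Topology Group selection algorithms from the Using Topology Group Algorithm section above, modelled in Python so their behaviour can be compared on the same set of stations. The digest used for MAC-Based selection, the list-order tie-break for Least Used, and the sample topology names and MAC addresses are assumptions, not documented controller behaviour.

```python
"""Topology Group member selection modelled on the four algorithms in the
ExtremeWireless guide: MAC-Based, Round Robin, Random Selected, Least Used.
Added example, not Extreme Networks code; see the assumptions in comments."""
import hashlib
import random
from collections import Counter


def normalize_mac(mac: str) -> str:
    """Reduce 'AA:BB:CC:DD:EE:FF', 'aa-bb-..' or 'aabb.ccdd.eeff' to 12 hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


class TopologyGroup:
    """An ordered list of member topologies plus the live station count per member."""

    ALGORITHMS = ("mac-based", "round-robin", "random", "least-used")

    def __init__(self, members, seed=None):
        if not members:
            raise ValueError("a topology group needs at least one member topology")
        self.members = list(members)       # order matters for Round Robin
        self.stations = Counter()          # topology name -> stations currently assigned
        self._rr_next = 0                  # Round Robin cursor, wraps at the bottom
        self._rng = random.Random(seed)    # seed only makes a demo run reproducible

    # MAC-Based: the same client always lands on the same topology. A stable
    # digest of the normalized MAC, modulo the group size, gives that property;
    # the controller's actual mapping function is an assumption here.
    def _mac_based(self, mac):
        digest = hashlib.sha256(normalize_mac(mac).encode()).digest()
        return self.members[int.from_bytes(digest[:4], "big") % len(self.members)]

    # Round Robin: next topology on the ordered list, wrapping around at the bottom.
    def _round_robin(self, mac):
        chosen = self.members[self._rr_next]
        self._rr_next = (self._rr_next + 1) % len(self.members)
        return chosen

    # Random Selected: uniform random number mod the number of member topologies.
    def _random_selected(self, mac):
        return self.members[self._rng.getrandbits(32) % len(self.members)]

    # Least Used: fewest stations at the moment of assignment; ties go to the
    # earlier list entry (assumption, the guide does not specify a tie-break).
    def _least_used(self, mac):
        return min(self.members, key=lambda m: self.stations[m])

    def assign(self, mac, algorithm):
        """Pick a member topology for station `mac` and record the assignment."""
        picker = {
            "mac-based": self._mac_based,
            "round-robin": self._round_robin,
            "random": self._random_selected,
            "least-used": self._least_used,
        }[algorithm]
        chosen = picker(mac)
        self.stations[chosen] += 1
        return chosen

    def release(self, topology):
        """A station left: decrement the live count so Least Used sees it."""
        if self.stations[topology] <= 0:
            raise ValueError(f"no stations assigned to {topology!r}")
        self.stations[topology] -= 1


def demo():
    """Constructed sample run: three member topologies, four stations, each algorithm."""
    members = ["Topo-VLAN10", "Topo-VLAN20", "Topo-VLAN30"]        # constructed names
    macs = ["00:11:22:33:44:55", "00:11:22:33:44:56",              # constructed MACs
            "00:11:22:33:44:57", "00:11:22:33:44:58"]
    result = {}
    for algorithm in TopologyGroup.ALGORITHMS:
        group = TopologyGroup(members, seed=1)
        result[algorithm] = [group.assign(m, algorithm) for m in macs]
    return result


if __name__ == "__main__":
    for algorithm, picks in demo().items():
        print(f"{algorithm:12s} {picks}")
```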
ExtremeAnalytics Support with Enhanced IPFIX Records

ExtremeWireless leverages and integrates with ExtremeAnalytics for decoding, detection, collection of metadata, and scrutinization of Layer 7 data. The solution functions by first enabling WLAN Services on the wireless controller to forward packets to the ExtremeAnalytics engine. This feature requires ExtremeAnalytics 7.0.8 or later.

Depending on your topology, the controller and the AP can inspect the flow, generate the application ID and round trip time (RTT), and format the IPFIX record. With B@AP, the AP sends the IPFIX record to the controller via a WASSP tunnel and then the controller exports the record to ExtremeAnalytics. With B@AC, the controller exports the IPFIX record to ExtremeAnalytics directly.

The IPFIX packets provide all the standard information found in a Netflow v9 packet with enhanced IPFIX parameters. The standard packet includes source and destination IP addresses, ports, protocol, and packet counter information. The enhanced IPFIX records include the application group ID, display ID, the DNS and TCP round trip times (RTT), and flow metadata (which is part of the URL to help classify the flow). The enhanced IPFIX records that the controller sends release the dedicated MirrorN port and reduce the ExtremeAnalytics CPU resources previously used to identify the application.

IPFIX record templates are supported for IPv4 and IPv6. Upgrades retain NETFLOW configuration, delivering enhanced records. Netflow with IPFIX reporting is disabled by default.

Live Signature Update

ExtremeWireless supports Live Signature Update to synchronize standard application signatures with ExtremeAnalytics. Through the use of Live Signature Update, the ExtremeWireless controller and its connected APs receive standard signature updates and custom signatures from ExtremeAnalytics. ExtremeAnalytics users download the updated signature list to ExtremeWireless through the CLI. Once downloaded, the signatures are available for configuration in role filters using L7 Application Rules, and the new signatures are automatically propagated to all attached APs. Both standard and custom signatures are updated.

When configuring applications from ExtremeAnalytics, you can define a custom application and custom group. When configuring applications from ExtremeWireless, you can define a custom application specifying a pre-configured ExtremeAnalytics group. The following is the maximum number of custom signatures that can be supported simultaneously:
- ExtremeAnalytics: 512 signatures
- ExtremeWireless: 64 signatures

During a configuration import, if ExtremeWireless encounters a filter with a group or application name that is not recognized, ExtremeWireless converts the group to the predefined Unknown Apps group and the application name to Undefined. A log file is generated to alert the administrator. The original group and application name are lost. A new signature set is applied to the group and the application is redefined.

The latest downloaded signature files are saved in permanent storage on both the controller and the AP and remain intact after software upgrades and system restarts.

CLI Command: copy signature (<server> <user> <dir> <file> [ftp <ftp_password> | scp <scp password>]) | show

For more information about the ExtremeWireless CLI, see the CLI Guide.

Note: Live Signature Update is supported when using the following software and AP models:
- ExtremeWireless v10.41 on-premise with the following AP models: AP3805, AP3825, and AP39xx models. This feature does not support APs connected to ExtremeCloud.
- ExtremeAnalytics v8.1 or later (it can be ported to the v8.0.x branch earlier) with ExtremeAnalytics and the appropriate licenses.

Related Links
- Deleted Signature Support on page 421
- L7 Configuration on page 307
- Including Custom Apps on page 313
- Configuring Policy Rules on page 298
- Allowing for Restricted Sets of Applications and Resources on page 311

Deleted Signature Support

If a signature that is used in an L7 Application Rule is deleted by Live Signature Update, ExtremeWireless does not delete the filter, but displays the ID of the application and the group instead of the text names; see Figure 145. The display of the ID number indicates that the signature has been deleted. You can delete the filter rule or reconfigure the rule with a different signature. Application filters that employ deleted signatures will not match any network traffic, and the filter is treated as NULL. If the deleted signature is included again through a signature update, the ExtremeWireless user interface automatically replaces the ID numbers with text names.

Figure 145: L7 Application Filter Rule with Deleted Signature

Related Links
- Live Signature Update on page 420

Managing Redirection URLs

Configure a list of redirection URLs from the Redirection URL dialog. You can add and delete a URL.

Note: To display the Redirection URL option, enable Rule-based Redirection under Filtering Mode. For more information, see Configuring the In/Out Rules for WLAN Services Settings on page 412.

The URL list can contain up to 255 proper URLs, consisting of Fully-Qualified Domain Name (FQDN) addresses and IPv4 addresses. Duplicate entries are not permitted, and you must ensure that network traffic is accessible to the required IP addresses.
The name of the WLAN Service that these entries are created for is displayed on the user interface and on the command line interface. SNMP also displays the URLs when queried through the Policy Profile MIB. External Captive Portal URLs are not required, but when they exist, they are automatically added to the list.

Note: You cannot configure Captive Portal Redirection using IPv6 classifiers. While you can HTTP to IPv6 websites, you cannot apply Captive Portal redirection to HTTP[S] over IPv6.

For URL specifications, see Adding a Redirection URL on page 422.

Related Links
- Configuring the In/Out Rules for WLAN Services Settings on page 412
- Adding a Redirection URL on page 422
- Deleting a Redirection URL on page 423

Adding a Redirection URL
1 There are two ways to add a redirection URL:
- From the Redirection URL list: go to VNS > Global > Redirection URL and click Add.
- From the VLAN & Class of Service tab: go to VNS > Roles > VLAN & Class of Service. Beside the Redirection URL field, click New.
The Redirection URL dialog displays.
2 Enter the URL for redirection.

Redirection destinations have the following specifications:
- Only one redirection destination per role.
- The redirection destination is configurable and is comprised of one of the following items:
  - The IP address and port of the destination server. In this case, the redirection is driven by the HTTP Get query from the redirected request.
  - A complete URL. In this case, the redirection is driven by the HTTP Get query that the administrator specifies. Using the controller interface, you can augment the Get query with the following parameters:
    - Session identifier or token for the station of the redirected traffic
    - Address and port of the controller that is performing the redirection
    - Destination URL of the redirection
- The default redirection destination is 'Own WLAN'.

Note: The default Redirection destination is 'Own WLAN'.

Related Links
- Managing Redirection URLs on page 421

Modifying a Redirection URL

To modify a redirection URL, navigate to VNS > Global > Redirection URL, and click Edit.

Note: Changes made to an existing redirection URL affect all roles using that redirection URL.

Deleting a Redirection URL

Note: To display the Redirection URL option, enable Rule-based Redirection under Filtering Mode. For more information, see Configuring the In/Out Rules for WLAN Services Settings on page 412.

To delete a redirection URL:
1 Navigate to VNS > Global > Redirection URL.
2 Select the URL in the list to delete, and click Delete Selected.

Note: URLs that are in use cannot be deleted from the list.

Methods for Configuring a VNS

To configure a VNS, you can use one of the following methods:
- Manual configuration: Allows you to create a new VNS by first configuring the topology, role, and WLAN services and then configuring any remaining individual VNS tabs that are necessary to complete the process.
- Wizard configuration: The VNS wizard helps create and configure a new VNS by prompting you for a minimum amount of configuration information. The VNS is created using minimum parameters. The remaining parameters are automatically assigned in accordance with best practice standards. After the VNS wizard completes the VNS creation process, you can then edit or revise any of the VNS configuration to suit your network needs.

When configuring a VNS, you can navigate between the various VNS tabs and define your configuration without having to save your changes on each individual tab. After your VNS configuration is complete, click Save on any VNS tab to save your completed VNS configuration.

Note: If you navigate away from the VNS configuration tabs without saving your VNS changes, your VNS configuration changes will be lost.

Manually Creating a VNS

Advanced configuration allows administrators to create a new VNS once the topology, role, and WLAN services required by the VNS parameters are available. The topology, role and WLAN services can be created in advance or at the time of VNS configuration. When you create a new VNS, additional tabs are displayed depending on the selections made in the Core box of the main VNS configuration tab. When configuring a VNS, you can navigate between the various VNS tabs and define your configuration without having to save your changes on each individual tab. After your VNS configuration is complete, click Save on any VNS tab to save your complete VNS configuration.

Note: If you navigate away from the VNS Configuration tabs without saving your VNS changes, your VNS configuration changes will be lost.

The following procedure lists the steps necessary to create a VNS in advanced mode. Each step references a section in this document that describes the full details. Follow the links provided to go directly to the appropriate sections.

Creating a VNS Manually

To create a VNS manually:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, expand the Virtual Networks pane and select an existing VNS to edit, or click New.
3 Enter a name for the VNS.
4 Select an existing WLAN Service for the VNS, or create a new WLAN Service, or edit an existing one. For more information, see Configuring a Basic WLAN Service on page 319.
5 Configure the Default Roles for the VNS. Select existing roles, or create new roles, or edit existing ones. For more information, see Configuring a VNS on page 390.

Figure 146: VNS Settings

6 Configure the Status parameters for the VNS:
- Synchronize: Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable this feature.
- Enabled: Check to enable the VNS.
7 Click Save to save your changes.

Also, as with creating a new VNS, you can:
- Configure a topology for the VNS
- Configure a role for the VNS
- Configure WLAN services for the VNS
- Configure additional roles for the VNS

Creating a VNS Using the Wizard

The VNS wizard helps create and configure a new VNS by prompting you for a minimum amount of configuration information during the sequential configuration process. After the VNS wizard completes the VNS creation process, you can then continue to configure or revise any of the VNS configuration to suit your network needs.

When using the VNS wizard to create a new VNS, you can create the following types of VNSs:
- NAC: SSID-based, NAC gateway-compatible VNS. The controller integrates with an Extreme Networks NAC Controller to provide authentication, assessment, remediation and access control for mobile users. For more information, see Creating a NAC VNS Using the VNS Wizard on page 426.
- Voice: Voice-specific VNS that can support various wireless telephones, including optiPoint, Spectralink, Vocera, and Mobile Connect - Nokia. For more information, see Creating a Voice VNS Using the VNS Wizard on page 428.
- Data: Data-specific VNS that can be configured to use either SSID or AAA authentication. For more information, see Creating a Data VNS Using the VNS Wizard on page 436.
- Captive Portal: A VNS that employs a Captive Portal page, which requires mobile users to provide login credentials when prompted to access network services. In addition, use the VNS wizard to configure a GuestPortal VNS using the Captive Portal option. For more information, see Creating a Captive Portal VNS Using the VNS Wizard on page 446.

The VNS type dictates the configuration information that is required during the VNS creation process.

Creating a NAC VNS Using the VNS Wizard

The ExtremeWireless controller integrates with an Extreme Networks NAC controller to provide authentication, assessment, remediation and access control for mobile users. For more information, see NAC Integration with the Wireless WLAN on page 24.

Use the VNS wizard to configure a NAC gateway-compatible VNS by defining the following essential parameters:
- VNS Name: The name that will be assigned to the VNS and SSID.
- IP Address: The IP address of the ExtremeWireless controller's interface on the VLAN.
- Mask: The subnet mask for the IP address to separate the network portion from the host portion of the address.
- VLAN ID: ID number of the VLAN to which the ExtremeWireless controller is bridged for the VNS.
- Port: Physical L2 port to which the configured VLAN is attached.
- RADIUS server: IP address of the NAC controller.
- Redirection URL: The URL that points to the NAC controller's web server.

The VNS wizard creates a Bridge Traffic Locally at EWC VNS. This VNS has the crucial attributes SSID Network Assignment Type, MAC-based external captive portal authentication and WPA-PSK encryption that make it compatible with the NAC controller. The remaining VNS parameters are defined automatically according to best practice standards.

To configure a NAC VNS using the VNS wizard:
1 From the top menu, click VNS.
2 In the left pane, click New > START VNS WIZARD.
3 In the Name box, type a name for the NAC SSID-based VNS.
4 In the Category drop-down list, click NAC VNS, and then click Next.

Table 74: NAC-compatible VNS Page - Fields and Buttons
- IP Address: Type the IP address of the ExtremeWireless Appliance's interface on the VLAN.
- Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
- Interface: From the drop-down list, select the physical port that provides the access to the VLAN.
- VLAN ID: Type the VLAN tag to which the ExtremeWireless Appliance will be bridged for the VNS.
- NAS: From the drop-down list, click the interface/port through which the NAC gateway will communicate with the ExtremeWireless Appliance. The IP address in this field will be used as the NAS IP RADIUS attribute when communicating with the NAC gateway.
- NAC Server:
  - Server Alias: Type the name or IP address of the NAC server.
  - Hostname/IP: Type the NAC server's FQDN (fully qualified domain name) or IP address.
  - Shared Secret: Type the password that will be used to validate the connection between the ExtremeWireless Appliance and the NAC server. To proofread your shared secret key, click Unmask. The password is displayed. Note: You should always proofread your Shared Secret key to avoid any problems later when the wireless appliance attempts to communicate with the NAC controller.
- NAC web server IP: Type the NAC web server IP address.

5 To save your changes, click Finish. The VNS wizard creates an SSID-based NAC controller-compatible VNS, and displays the configuration summary.
6 To close the VNS wizard, click Close. If applicable, you can continue to configure or edit the new VNS by clicking the individual VNS configuration tabs.
Creating a Voice VNS Using the VNS Wizard

Use the VNS wizard to create a voice-specific VNS that can support various wireless telephones, including optiPoint, Spectralink, Vocera, and Mobile Connect - Nokia. When you use the VNS wizard to create a voice-specific VNS, you optimize the voice VNS to support one wireless telephone vendor. If the voice VNS needs to be optimized for more than one wireless phone vendor, use the advanced method to create the voice-specific VNS. For more information, see Enabling and Disabling a VNS on page 485.

When you create a new voice VNS using the VNS wizard, you configure the VNS in the following stages:
- Basic settings
- Authentication settings, if applicable
- DHCP settings
- Privacy settings
- Radio assignment settings
- Summary

To configure a Voice VNS using the VNS Wizard:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, expand the New pane, then click START VNS WIZARD. The VNS Creation Wizard screen displays.
3 In the Name box, type a name for the voice VNS.
4 In the Category drop-down list, click Voice.
5 Click Next. The Basic Settings screen displays.

Creating a Voice VNS Using the VNS Wizard - Basic Settings Screen

The Basic Settings screen displays:

Table 75: Voice VNS Basic Settings Page - Fields and Buttons
- Enabled: By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
- Synchronize: By default, the Synchronize check box for the new VNS is disabled.
- Name: Identifies the name of the VNS.
- Category: Identifies the VNS category.
- SSID: Identifies the SSID assigned to the VNS.
- Type: Click the wireless phone you want to support for the new voice VNS you are creating.
- Mode: Click the VNS Mode you want to assign:
  - Routed is a VNS type where user traffic is tunneled to the controller.
  - Bridge Traffic Locally at EWC is a VNS type that has associated with it a Topology with a mode of Bridge Traffic Locally at EWC. User traffic is tunneled to the controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding controller interface must match the correct VLAN.

Routed Voice VNS
- Gateway: Type the controller's own IP address of the topology associated with that VNS. This IP address is also the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host.)
- Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
- Gateway/SVP: If the voice VNS is to support Spectralink wireless phones, type the IP address of the SpectraLink Voice Protocol (SVP) gateway.
- Vocera Server: If the voice VNS is to support Vocera wireless phones, type the IP address of the Vocera server.
- PBX Server: If the voice VNS is to support either WL2 or Mobile Connect - Nokia wireless phones, type the PBX IP address.
- Enable Authentication: If applicable, select this check box to enable authentication for the new voice VNS.
- Enable DHCP: By default, this option is selected.

Bridge Traffic Locally - Voice VNS
- Interface: Click the physical interface that provides the access to the VLAN.
- Interface IP: Type the IP address of the controller's interface on the VLAN.
- Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
- VLAN ID: Type the VLAN tag to which the controller will be bridged for the VNS.
- Gateway/SVP: If the voice VNS is to support Spectralink wireless phones, type the IP address of the SpectraLink Voice Protocol (SVP) gateway.
- Vocera Server: If the voice VNS is to support Vocera wireless phones, type the IP address of the Vocera server.
- PBX Server: If the voice VNS is to support either WL2 or Mobile Connect - Nokia wireless phones, type the PBX IP address.
- Enable Authentication: If applicable, select this check box to enable authentication for the new voice VNS.
- Enable DHCP: If applicable, select this check box to enable DHCP authentication for the new voice VNS.

Click Next. The Authentication screen displays.

Creating a Voice VNS Using the VNS Wizard - Authentication Settings Screen

The Authentication screen displays:

Table 76: Voice VNS Authorization Page - Fields and Buttons
- Radius Server: Click the RADIUS server you want to assign to the new voice VNS, or click Add New Server and then do the following:
- Server Alias: Type a name you want to assign to the new RADIUS server.
- Hostname/IP: Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
- Shared Secret: Type the password that will be used to validate the connection between the controller and the RADIUS server.
- Mask/Unmask: Click to display or hide your shared secret key.
- Roles: Select the authentication role options for the RADIUS server:
  - MAC-based Authentication: Select to enable the RADIUS server to perform MAC-based authentication on the voice VNS.
  - If applicable, and the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam.

Click Next. The DHCP screen displays.

Creating a Voice VNS Using the VNS Wizard - DHCP Screen

The DHCP screen displays:

Table 77: Voice VNS DHCP Page - Fields and Buttons
- DHCP Option: From the drop-down list, click one of the following:
  - Use DHCP Relay: Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server. The DHCP server must be configured to match the VNS settings. In particular, for a Routed VNS the DHCP server must identify the controller's interface IP as the default gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.)
  - Local DHCP Server: If applicable, edit the local DHCP server settings.
- DHCP Servers: Type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS.
- DNS Servers: Type the IP address of the Domain Name Servers to be used.
- WINS: Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).

Click Next. The Privacy screen displays.

Creating a Voice VNS Using the VNS Wizard - Privacy Screen

The Privacy screen displays:
1 Most options on this screen are view-only, but you can do the following:
- Pre-shared key: Type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key.
- Mask/Unmask: Click to display or hide your shared secret key.
2 Click Next. The Radio Assignment screen displays.

Creating a Voice VNS Using the VNS Wizard - Radio Assignment Screen

The Radio Assignment screen displays:

Table 78: Voice VNS Radio Assignment Page - Fields and Buttons
- AP Default Settings (Radio 1 / Radio 2): Select the radios of the AP default settings profile that you want to broadcast the voice VNS.
- AP Selection / Select APs: Select the group of APs that will broadcast the voice VNS:
  - all radios: Click to assign all of the APs' radios.
  - radio 1: Click to assign only the APs' Radio 1.
  - radio 2: Click to assign only the APs' Radio 2.
  - local APs - all radios: Click to assign only the local APs.
  - local APs - radio 1: Click to assign only the local APs' Radio 1.
  - local APs - radio 2: Click to assign only the local APs' Radio 2.
  - foreign APs - all radios: Click to assign only the foreign APs.
  - foreign APs - radio 1: Click to assign only the foreign APs' Radio 1.
  - foreign APs - radio 2: Click to assign only the foreign APs' Radio 2.
- WMM (Wi-Fi Multimedia): If enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic.

Click Next. The Summary screen displays.

Creating a Voice VNS Using the VNS Wizard - Summary Screen

The Summary screen displays:
1 Confirm your voice VNS configuration. To revise your configuration, click Back.
2 To create your VNS, click Finish, and then click Close.
3 If applicable, you can continue to configure or edit the new VNS by clicking the individual VNS configuration tabs.

Creating a Data VNS Using the VNS Wizard

Use the VNS wizard to create a data-specific VNS that can be configured to use either SSID or AAA authentication. When you create a new data VNS using the VNS wizard, you configure the VNS in the following stages:
- Basic settings
- Authentication settings
- DHCP settings
- Filter settings
- Privacy settings
- Radio assignment settings
- Summary

To configure a data VNS using the VNS wizard:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, expand the New pane, then click START VNS WIZARD. The VNS Creation Wizard screen displays.
3 In the Name box, type a name for the data VNS.
4 In the Category drop-down list, click Data.
5 Click Next. The Basic Settings screen displays.

Creating a Data VNS Using the VNS Wizard - Basic Settings Screen

The Basic Settings screen displays:

Table 79: Data VNS Basic Settings Page - Fields and Buttons
- Enabled: By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
- Synchronize: By default, the Synchronize check box for the new VNS is disabled.
- Name: Identifies the name of the VNS.
- Category: Identifies the VNS category.
- SSID: Identifies the SSID assigned to the VNS.
- Authentication Mode: Click the type of network assignment for the VNS. There are two options for network assignment, Disabled or 802.1x.
- Mode: Click the VNS mode you want to assign:
  - Routed is a VNS type where user traffic is tunneled to the controller.
  - Bridge Traffic Locally at AP is a VNS type where user traffic is directly bridged to a VLAN at the AP network point of access (switch port).
  - Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding controller interface must match the correct VLAN.

Routed Data VNS
- Gateway: Type the controller's own IP address of the topology associated with that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host.)
- Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
- Enable Authentication: This option is enabled by default if the Type is 802.1x.
- Enable DHCP: By default, this option is enabled for a routed data VNS.

Bridged Traffic Locally @ AP Data VNS
- Tagged: Select if you want to assign this VNS to a specific VLAN.
- VLAN ID: Type the VLAN tag to which the controller will be bridged for the data VNS.
- Untagged: Select if you want this VNS to be untagged. This option is selected by default.
- Enable Authentication: If applicable, select this check box to enable authentication for the new data VNS. This option is enabled by default if the Type is 802.1x.

Bridge Traffic Locally at EWC Data VNS
- Interface: Click the physical port that provides the access to the VLAN.
- Interface IP address: Type the IP address of the controller's interface on the VLAN.
- Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
- VLAN ID: Type the VLAN tag to which the controller will be bridged for the VNS.
- Enable Authentication: If applicable, select this check box to enable authentication for the new data VNS. This option is enabled by default if the Type is 802.1x.
- Enable DHCP: If applicable, select this check box to enable DHCP authentication for the new data VNS.

Click Next. The Authentication screen displays.

Creating a Data VNS Using the VNS Wizard - Authentication Screen

The Authentication screen displays:

Table 80: Data VNS Authentication Page - Fields and Buttons
- Radius Server: Click the RADIUS server you want to assign to the new data VNS, or click Add New Server and then do the following:
- Server Alias: Type a name you want to assign to the new RADIUS server.
- Hostname/IP: Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
- Shared Secret: Type the password that will be used to validate the connection between the controller and the RADIUS server.
- Mask/Unmask: Click to display or hide your shared secret key.
- Roles: Select the authentication role options for the RADIUS server:
  - MAC-based Authentication: Select to enable the RADIUS server to perform MAC-based authentication on the data VNS.
  - If applicable, and the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam.

Click Next. The DHCP screen displays.

Creating a Data VNS Using the VNS Wizard - DHCP Screen

If DHCP was enabled previously, the DHCP screen displays:

Table 81: Data VNS DHCP Page - Fields and Buttons
- DHCP Option: In the DHCP Option drop-down list, click one of the following:
Use DHCP Relay Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure. DHCP Servers If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server.The DHCP server must be congured to match the VNS settings. In particular for a Routed VNS, the DHCP server must identify the controller's interface IP as the default Gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.) D settings. DNS Server WINS Click Next. The Filtering screen displays. Creating a Data VNS Using the VNS Wizard - Filtering Screen The FFiltering screen displays:
Type the IP Address of the Domain Name Servers to be used. Local DHCP Server If applicable, edit the local DHCP server Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS). raft ExtremeWireless V10.41.06 User Guide 441 Conguring a VNS D 1 In the Filter ID drop-down list, click one of the following:
Default Controls access if there is no matching lter ID for a user. Exception Protects access to the controllers own interfaces, including the VNSs own interface. VNS exception lters are applied to user traffic intended for the controller's own interface point on the VNS. These lters are applied after the user's specic VNS state assigned lters raft 2 In the Filter table, select the Allow or Deny option buttons for each lter if applicable, and then select the Enable check box accordingly. 3 Click Next. The Prviacy screen displays. The PPrivacy screen displays:
Creating a Data VNS Using the VNS Wizard - Privacy Screen ExtremeWireless V10.41.06 User Guide 442 Conguring a VNS D Table 82: Data VNS Privacy Page - Fields and Buttons FField/Button Description Select to congure static keys. Then enter:
WEP Key Index Click the WEP encryption key index: 1, 2, 3, or 4. raft Select an Input Method:
Input Hex type the WEP key input in the WEP Key box. The key Specifying the WEP key index is supported only for AP37XX wireless APs. Select to allow the dynamic key WEP mechanism to change the key for each user and each session. and decrypting in the WEP Key String box. The WEP Key box is automatically lled by the corresponding Hex code. Input String type the secret WEP key string used for encrypting WEP Key Length Click the WEP encryption key length: 64 bit, is generated automatically based on the input. 128 bit, or 152 bit. Static Keys (WEP) Dynamic Keys ExtremeWireless V10.41.06 User Guide 443 Conguring a VNS Table 82: Data VNS Privacy Page - Fields and Buttons (continued) FField/Button Description WPA Select to congure Wi-Fi Protected Access (WPA v1 and WPA v2), a security solution that adds authentication to enhanced WEP encryption and key management. To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-
down list, select one of the following encryption types:
Auto The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). TKIP only The AP will advertise TKIP as an available encryption protocol for WPAv1. It will not advertise CCMP. D WPA-PSK To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-
down list, click one of the following encryption types:
Auto The AP advertises both TKIP and CCMP (counter mode with cipher block chaining message authentication code protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard). raft AES only The AP advertises CCMP as an available encryption protocol. It will not advertise TKIP. To enable re-keying after a time interval, select Broadcast re-key interval, then type the time interval after which the broadcast encryption key is changed automatically. The default is 3600. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs. In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key. Mask/Unmask Click to display or hide your shared secret key. Click Next. The Radio Assignment screen displays. Creating a Data VNS Using the VNS Wizard - Radio Assignment Screen The RRadio Assignment screen displays:
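The Privacy screen above (Table 82, and the same WEP and WPA-PSK fields on the Captive Portal privacy screens, Tables 87 and 92) takes a WEP key as hex or as a string and, for WPA-PSK, a passphrase from which a 256-bit key is generated. The following Python is an added example, not code from the ExtremeWireless guide or from Extreme Networks, showing what those inputs turn into. It assumes the 256-bit key is the IEEE 802.11i pairwise master key (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, 4096 iterations, 32 bytes), that an "Input String" WEP key is the raw ASCII bytes of the string, and that the 64/128/152-bit WEP lengths offered by the GUI hold 5, 13 and 16 secret-key bytes (the remaining 24 bits being the per-frame IV). The function names and the sample values are the example's own, except for the IEEE test vector noted in the code.

```python
"""Added example (not ExtremeWireless code): what the Privacy screen's key fields become.

Assumptions, labelled here and in comments: the WPA-PSK 256-bit key is the IEEE 802.11i
pairwise master key, PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, 4096
iterations, 32 bytes; an "Input String" WEP key is the raw ASCII bytes of the string;
the GUI's 64/128/152-bit WEP lengths hold 5/13/16 secret-key bytes, the remaining
24 bits being the per-frame IV. Sample values are constructed except the IEEE vector.
"""
import binascii
import hashlib

# WEP key length as offered by the GUI -> bytes of secret key material (assumption above)
WEP_SECRET_BYTES = {64: 5, 128: 13, 152: 16}


def wep_key_from_string(key_string: str, key_length_bits: int) -> str:
    """Hex code the WEP Key box is filled with for an 'Input String' key."""
    if key_length_bits not in WEP_SECRET_BYTES:
        raise ValueError("WEP key length must be 64, 128 or 152 bits")
    need = WEP_SECRET_BYTES[key_length_bits]
    raw = key_string.encode("ascii")  # assumption: the string's bytes are used as-is
    if len(raw) != need:
        raise ValueError(f"{key_length_bits}-bit WEP needs a {need}-character string, got {len(raw)}")
    return binascii.hexlify(raw).decode("ascii")


def wep_key_from_hex(key_hex: str, key_length_bits: int) -> bytes:
    """Validate an 'Input Hex' key against the selected length and return its bytes."""
    if key_length_bits not in WEP_SECRET_BYTES:
        raise ValueError("WEP key length must be 64, 128 or 152 bits")
    need = WEP_SECRET_BYTES[key_length_bits]
    try:
        raw = binascii.unhexlify(key_hex)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("WEP key must be an even number of hex digits") from exc
    if len(raw) != need:
        raise ValueError(f"{key_length_bits}-bit WEP needs {2 * need} hex digits, got {len(key_hex)}")
    return raw


def wpa_psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit key (PMK) from a WPA-PSK passphrase and the SSID (IEEE 802.11i).

    Every station that knows the passphrase derives the same PMK for this SSID, so the
    passphrase is the only secret standing between an outsider and every client on the VNS.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the derived key, convenient for comparing with supplicant debug output."""
    return wpa_psk_to_pmk(passphrase, ssid).hex()


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print(pmk_hex("password", "IEEE"))
    # Constructed sample: a 5-character string entered for a 64-bit WEP key
    print(wep_key_from_string("abcde", 64))
```

Two things the derivation makes visible that the table does not: the PMK depends only on the passphrase and the SSID, so it changes only when one of those changes, while the Broadcast re-key interval rotates just the group key used for broadcast and multicast frames; and a short WEP string key is exactly as short as it looks, since the "corresponding Hex code" is a byte-for-byte transcription rather than a derived key.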
Creating a Data VNS Using the VNS Wizard - Radio Assignment Screen

The Radio Assignment screen displays:

Table 83: Data VNS Radio Assignment Page - Fields and Buttons
Field/Button: Description
  AP Default Settings - Radio 1 / Radio 2: Select the radios of the AP default settings profile that you want to broadcast the data VNS.
  AP Selection - Select APs: Select the group of APs that will broadcast the data VNS:
    all radios: Click to assign all of the AP's radios.
    radio 1: Click to assign only the AP's Radio 1.
    radio 2: Click to assign only the AP's Radio 2.
    local APs - all radios: Click to assign only the local APs.
    local APs - radio 1: Click to assign only the local APs' Radio 1.
    local APs - radio 2: Click to assign only the local APs' Radio 2.
    foreign APs - all radios: Click to assign only the foreign APs.
    foreign APs - radio 1: Click to assign only the foreign APs' Radio 1.
    foreign APs - radio 2: Click to assign only the foreign APs' Radio 2.
  WMM (Wi-Fi Multimedia): If enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic.

Click Next. The Summary screen displays.

Creating a Data VNS Using the VNS Wizard - Summary Screen

The Summary screen displays:

1 Confirm your data VNS configuration. To revise your configuration, click Back.
2 To create your VNS, click Finish, and then click Close. The data VNS is created and saved.
3 If applicable, you can continue to configure or edit the new VNS by clicking the individual VNS configuration tabs.

If the controller is configured to be part of an availability pair, you can choose to synchronize the VNS on the secondary controller. See Availability and Session Availability on page 537 for more information.

Creating a Captive Portal VNS Using the VNS Wizard

Use the VNS wizard to create a Captive Portal VNS. A Captive Portal VNS employs an authentication method that uses a Web redirection which directs a mobile user's Web session to an authentication server. Typically, the mobile user must provide their credentials (user ID, password) to be authenticated. You can create the following types of Captive Portal VNSs:
  Internal Captive Portal: The controller's own Captive Portal authentication page, configured as an editable form, is used to request user credentials. The redirection triggers the locally stored authentication page where the mobile user must provide the appropriate credentials, which are then checked against what is listed in the configured RADIUS server.
  External Captive Portal: An entity outside of the controller is responsible for handling the mobile user authentication process, presenting the credentials request forms and performing user authentication procedures. The external Web server location must be explicitly listed as an allowed destination in the non-authenticated filter.
  Firewall Friendly External Captive Portal: A Firewall Friendly External Captive Portal VNS provides wireless connections to any device on the secure side (behind the Firewall).
  GuestPortal: A GuestPortal VNS provides wireless device users with temporary guest network services.

When you create a new captive portal VNS using the VNS wizard, you configure the VNS in the following stages:
  Basic settings
  Authentication settings
  DHCP settings
  Filter settings
  Privacy settings
  Radio assignment settings
  Summary review

Related Links
  Creating an Internal Captive Portal VNS on page 447
  Creating an External Captive Portal VNS on page 456
  Creating a Firewall Friendly External Captive Portal VNS on page 467
  Creating a GuestPortal VNS on page 477

Creating an Internal Captive Portal VNS

To configure an Internal Captive Portal VNS using the VNS Wizard:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, expand the New pane, then click START VNS WIZARD. The VNS Creation Wizard screen displays.
3 In the Name box, type a name for the Captive Portal VNS.
4 In the Category drop-down list, click Captive Portal.
5 Click Next. The Basic Settings screen displays.

Creating an Internal Captive Portal VNS - Basic Settings Screen

The Basic Settings screen displays:

Table 84: Captive Portal Basic Settings Page - Fields and Buttons
Field/Button: Description
  Enabled: By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
  Name: Identifies the name of the VNS.
  Category: Identifies the VNS category.
  SSID: Identifies the SSID assigned to the VNS.
  Authentication Mode: Click Internal Captive Portal.
  Mode: Click the VNS Mode you want to assign:
    Routed is a VNS type where user traffic is tunneled to the controller.
    Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding controller interface must match the correct VLAN.

Routed Internal Captive Portal
  Gateway: Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host.)
  Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
  Message: Type a brief message that will be displayed above the Login button that greets the mobile device user.
  Enable Authentication: By default, this option is selected if the VNS Type is Internal Captive Portal, which enables authentication for the new Captive Portal VNS.
  Enable DHCP: By default, this option is selected if the VNS Type is Internal Captive Portal, which enables DHCP authentication for the new Captive Portal VNS.

Bridge Traffic Locally - Voice VNS
  Interface: Click the physical interface that provides the access to the VLAN.
  Interface IP address: Type the IP address of the controller's interface on the VLAN.
  Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
  VLAN ID: Type the VLAN tag to which the controller will be bridged for the VNS.
  Message: Type a brief message that will be displayed above the Login button that greets the mobile device user.
  Enable Authentication: By default, this option is selected if the VNS Type is Internal Captive Portal, which enables authentication for the new Captive Portal VNS.
  Enable DHCP: If applicable, select this check box to enable DHCP authentication for the new Captive Portal VNS.

Click Next. The Authentication screen displays.

Creating an Internal Captive Portal VNS - Authentication Screen

The Authentication screen displays:

Table 85: Captive Portal Authentication Page - Fields and Buttons
Field/Button: Description
  Radius Server: Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following:
  Server Alias: Type a name you want to assign to the new RADIUS server.
  Hostname/IP: Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
  Shared Secret: Type the password that will be used to validate the connection between the controller and the RADIUS server.
  Mask/Unmask: Click to display or hide your shared secret key.
  Roles: Select the authentication role options for the RADIUS server:
    Authentication: By default, this option is selected if the VNS Type is Internal Captive Portal, which enables the RADIUS server to perform authentication on the Captive Portal VNS.
    MAC-based Authentication: Select to enable the RADIUS server to perform MAC-based authentication on the Captive Portal VNS. If the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam, if applicable.
    Accounting: Select to enable the RADIUS server to perform accounting on the Captive Portal VNS.

Click Next. The DHCP screen displays.

Creating an Internal Captive Portal VNS - DHCP Screen

The DHCP screen displays:

Table 86: Captive Portal DHCP Page - Fields and Buttons
Field/Button: Description
  DHCP Option: In the DHCP Option drop-down list, click one of the following:
    Use DHCP Relay: Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
    Local DHCP Server: If applicable, edit the local DHCP server settings.
  DHCP Servers: If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server. The DHCP server must be configured to match the VNS settings. In particular, for a Routed VNS the DHCP server must identify the controller's interface IP as the default gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.)
  DNS Server: Type the IP address of the Domain Name Servers to be used.
  WINS: Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).

Click Next. The Filtering screen displays.

Creating an Internal Captive Portal VNS - Filtering Screen

The Filtering screen displays:

1 In the Filter ID drop-down list, click one of the following:
    Default: Controls access if there is no matching filter ID for a user.
    Exception: Protects access to the controller's own interfaces, including the VNS's own interface. VNS exception filters are applied to user traffic intended for the ExtremeWireless Controller's own interface point on the VNS. These filters are applied after the user's specific VNS state assigned filters.
    Non-Authenticated: Controls network access and is also used to direct mobile users to a Captive Portal web page for login.
2 In the Filter table, select the Allow or Deny option buttons for each filter if applicable, and then select the Enable check box accordingly.
3 Click Next. The Privacy screen displays.

Creating an Internal Captive Portal VNS - Privacy Screen

The Privacy screen displays:

Table 87: Captive Portal Privacy Page - Fields and Buttons
Field/Button: Description
  None: Select if you do not want to assign any privacy mechanism.
  Static Keys (WEP): Select to configure static keys. Then enter:
    WEP Key Index: Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs.
    WEP Key Length: Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit.
    Select an Input Method:
      Input Hex: Type the WEP key input in the WEP Key box. The key is generated automatically based on the input.
      Input String: Type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically filled by the corresponding Hex code.
  WPA-PSK: Select to use a Pre-Shared Key (PSK), or shared secret, for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office.
    To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-down list, select one of the following encryption types:
      Auto: The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
      TKIP only: The AP will advertise TKIP as an available encryption protocol for WPAv1. It will not advertise CCMP.
    To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-down list, click one of the following encryption types:
      Auto: The AP advertises both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
      AES only: The AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
    To enable re-keying after a time interval, select Broadcast re-key interval. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically. If this check box is not selected, the Broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications.
    To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs.
    In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key.
  Mask/Unmask: Click to display or hide your shared secret key.

Click Next. The Radio Assignment screen displays.

Creating an Internal Captive Portal VNS - Radio Assignment Screen

The Radio Assignment screen displays:

Table 88: Captive Portal Radio Assignment Page - Fields and Buttons
Field/Button: Description
  AP Default Settings - Radio 1 / Radio 2: Select the radios of the AP default settings profile that you want to broadcast the Captive Portal VNS.
  AP Selection - Select APs: Select the group of APs that will broadcast the Captive Portal VNS:
    all radios: Click to assign all of the AP's radios.
    radio 1: Click to assign only the AP's Radio 1.
    radio 2: Click to assign only the AP's Radio 2.
    local APs - all radios: Click to assign only the local APs.
    local APs - radio 1: Click to assign only the local APs' Radio 1.
    local APs - radio 2: Click to assign only the local APs' Radio 2.
    foreign APs - all radios: Click to assign only the foreign APs.
    foreign APs - radio 1: Click to assign only the foreign APs' Radio 1.
    foreign APs - radio 2: Click to assign only the foreign APs' Radio 2.
  WMM (Wi-Fi Multimedia): If enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic.

Click Next. The Summary screen displays.

Creating an Internal Captive Portal VNS - Summary Screen

The Summary screen displays:

1 Confirm your data VNS configuration. To revise your configuration, click Back.
2 To create your VNS, click Finish, and then click Close.
3 If applicable, you can continue to configure or edit the new VNS by clicking the individual VNS configuration tabs.

Creating an External Captive Portal VNS

To configure an external Captive Portal VNS using the VNS wizard:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, expand the New pane, then click START VNS WIZARD. The VNS Creation Wizard screen displays.
3 In the Name box, type a name for the Captive Portal VNS.
4 In the Category drop-down list, click Captive Portal.
5 Click Next. The Basic Settings screen displays.

Creating an External Captive Portal VNS - Basic Settings Screen

The Basic Settings screen displays:

Table 89: External Captive Portal Basic Settings Page - Fields and Buttons
Field/Button: Description
  Enabled: By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
  Synchronize: Enable automatic synchronization with its availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this VNS is part of an availability pair, Extreme Networks recommends that you enable this feature.
  Name: Identifies the name of the VNS.
  Category: Identifies the VNS category.
  SSID: Identifies the SSID assigned to the VNS.
  Authentication Mode: Click External Captive Portal.
  Mode: Click the VNS Mode you want to assign:
    Routed is a VNS type where user traffic is tunneled to the controller.
    Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding controller interface must match the correct VLAN.

Routed External Captive Portal
  Gateway: Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host.)
  Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
  EWC Connection: Click the controller IP address. Also type the port of the controller in the accompanying box. If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and filtering.
  Redirection URL: Type the URL to which the wireless device user will be directed after authentication.
  Shared Secret: Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server.
  Enable Authentication: By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS.
  Enable DHCP: By default, this option is selected if the VNS Type is External Captive Portal, which enables DHCP services for the new Captive Portal VNS.

EWC External Captive Portal VNS
  Interface: Click the physical interface that provides the access to the VLAN.
  Interface IP address: Type the IP address of the controller's interface on the VLAN.
  Mask: Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
  VLAN ID: Type the VLAN tag to which the controller will be bridged for the VNS.
  EWC Connection: Click the controller IP address. Also type the port of the controller in the accompanying box. If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and filtering.
  Redirection URL: Type the URL to which the wireless device user will be directed after authentication.
  Shared Secret: Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server.
  Enable Authentication: By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS.
  Enable DHCP: If applicable, select this check box to enable DHCP authentication for the new Captive Portal VNS.

Click Next. The Authentication screen displays.

Creating an External Captive Portal VNS - Authentication Screen

The VNS wizard displays the appropriate configuration screens, depending on your selection of the Enable Authentication and Enable DHCP check boxes.

Table 90: External Captive Portal Authentication Page - Fields and Buttons
Field/Button: Description
  Radius Server: Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following:
  Server Alias: Type a name you want to assign to the new RADIUS server.
  Hostname/IP: Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
  Shared Secret: Type the password that will be used to validate the connection between the controller and the RADIUS server.
  Mask/Unmask: Click to display or hide your shared secret key.
  Roles: Select the authentication role options for the RADIUS server:
    Authentication: By default, this option is selected if the VNS Type is External Captive Portal, which enables the RADIUS server to perform authentication on the Captive Portal VNS.
    MAC-based Authentication: Select to enable the RADIUS server to perform MAC-based authentication on the Captive Portal VNS. If the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam, if applicable.
    Accounting: Select to enable the RADIUS server to perform accounting on the Captive Portal VNS.

Click Next. The DHCP screen displays.

Creating an External Captive Portal VNS - DHCP Screen

The DHCP screen displays:

Table 91: External Captive Portal DHCP Page - Fields and Buttons
Field/Button: Description
  DHCP Option: In the DHCP Option drop-down list, click one of the following:
    Use DHCP Relay: Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
    Local DHCP Server: If applicable, edit the local DHCP server settings.
  DHCP Servers: If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server. The DHCP server must be configured to match the VNS settings. In particular, for a Routed VNS the DHCP server must identify the controller's interface IP as the default gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.)
  DNS Server: Type the IP address of the Domain Name Servers to be used.
  WINS: Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).

Click Next. The Filtering screen displays.

Creating an External Captive Portal VNS - Filtering Screen

The Filtering screen displays:

1 In the Filter ID drop-down list, click one of the following:
    Default: Controls access if there is no matching filter ID for a user.
    Exception: Protects access to the controller's own interfaces, including the VNS's own interface. VNS exception filters are applied to user traffic intended for the controller's own interface point on the VNS. These filters are applied after the user's specific VNS state assigned filters.
    Non-Authenticated: Controls network access and is also used to direct mobile users to a Captive Portal Web page for login.
2 In the Filter table, select the Allow or Deny option buttons for each filter if applicable, and then select the Enable check box accordingly.
3 Click Next. The Privacy screen displays.
Table 92: External Captive Portal Privacy Page - Fields and Buttons

Field/Button | Description
None | Select if you do not want to assign any privacy mechanism.
Static Keys (WEP) | Select to configure static keys. Then enter:
  WEP Key Index: Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs.
  WEP Key Length: Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit.
  Select an Input Method:
    Input Hex: type the WEP key input in the WEP Key box. The key is generated automatically based on the input.
    Input String: type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically filled by the corresponding Hex code.
WPA-PSK | Select to use a Pre-Shared Key (PSK), or shared secret, for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office.
  To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-down list, select one of the following encryption types:
    Auto: The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
    TKIP only: The AP will advertise TKIP as an available encryption protocol for WPAv1. It will not advertise CCMP.
    AES only: The AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
  To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-down list, click one of the following encryption types:
    Auto: The AP advertises both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
  To enable re-keying after a time interval, select Broadcast re-key interval. If this check box is not selected, the broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically.
  To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs.
  In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key.
Mask/Unmask | Click to display or hide your shared secret key.

Click Next. The Radio Assignment screen displays.

Creating an External Captive Portal VNS - Radio Assignment Screen

The Radio Assignment screen displays:
Table 93: External Captive Portal Radio Assignment Page - Fields and Buttons

Field/Button | Description
AP Default Settings: Radio 1 / Radio 2 | Select the radios of the AP default settings profile that you want to broadcast the Captive Portal VNS.
AP Selection: Select APs | Select the group of APs that will broadcast the Captive Portal VNS:
  all radios: Click to assign all of the APs' radios.
  radio 1: Click to assign only the APs' Radio 1.
  radio 2: Click to assign only the APs' Radio 2.
  local APs - all radios: Click to assign only the local APs.
  local APs - radio 1: Click to assign only the local APs' Radio 1.
  local APs - radio 2: Click to assign only the local APs' Radio 2.
  foreign APs - all radios: Click to assign only the foreign APs.
  foreign APs - radio 1: Click to assign only the foreign APs' Radio 1.
  foreign APs - radio 2: Click to assign only the foreign APs' Radio 2.
WMM | WMM (Wi-Fi Multimedia), if enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic.

Click Next. The Summary screen displays.

Creating an External Captive Portal VNS - Summary Screen

The Summary screen displays:

1 Confirm your VNS configuration. To revise your configuration, click Back.
2 To create your VNS, click Finish, and then click Close.
3 If applicable, you can continue to configure or edit the new VNS by clicking the individual VNS configuration tabs.

Creating a Firewall Friendly External Captive Portal VNS

To configure a Firewall Friendly External Captive Portal VNS using the VNS wizard:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, click New, then click START VNS WIZARD. The VNS Creation Wizard displays.
3 In the Name box, type a name for the Firewall Friendly Captive Portal VNS.
4 In the Category drop-down list, click Captive Portal.
5 Click Next. The Basic Settings screen displays.

Creating a Firewall Friendly External Captive Portal VNS - Basic Settings Screen

The Basic Settings screen displays:

Table 94: Firewall Friendly External Captive Portal Basic Settings Page - Fields and Buttons

Field/Button | Description
Enabled | By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
Name | Identifies the name of the VNS.
Category | Identifies the VNS category.
SSID | Identifies the SSID assigned to the VNS.
Authentication Mode | Click External Captive Portal.
Mode | Click the VNS Mode you want to assign:
  Routed is a VNS type where user traffic is tunneled to the controller.
  Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding controller interface must match the correct VLAN.

Routed mode fields:
Gateway | Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host.)
Mask | Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
Redirection URL | Type the URL to which the wireless device user will be directed after authentication.
Shared Secret | Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server.
Enable Authentication | By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS.
Enable DHCP | By default, this option is selected if the VNS Type is External Captive Portal, which enables DHCP services for the new Captive Portal VNS.

Bridge Traffic Locally at EWC mode fields:
Interface | Click the physical interface that provides the access to the VLAN.
Interface IP address | Type the IP address of the controller's interface on the VLAN.
Mask | Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
VLAN ID | Type the VLAN tag to which the controller will be bridged for the VNS.
EWC Connection | Click the controller IP address. Also type the port of the controller in the accompanying box. If there is an authentication server configured for this VNS, the external Captive Portal page on the external authentication server will send the request back to the controller to allow the controller to continue with the RADIUS authentication and filtering.
Redirection URL | Type the URL to which the wireless device user will be directed after authentication.
Shared Secret | Type the password that is common to both the controller and the external Web server if you want to encrypt the information passed between the controller and the external Web server.
Enable Authentication | By default, this option is selected if the VNS Type is External Captive Portal, which enables authentication for the new Captive Portal VNS.
Enable DHCP | If applicable, select this check box to enable DHCP for the new Captive Portal VNS.

Click Next. The Authentication screen displays.

Creating a Firewall Friendly External Captive Portal VNS - Authentication Screen

The VNS wizard displays the appropriate configuration screens, depending on your selection of the Enable Authentication and Enable DHCP check boxes.
Table 95: Firewall Friendly External Captive Portal Authentication Page - Fields and Buttons

Field/Button | Description
Radius Server | Click the RADIUS server you want to assign to the new Captive Portal VNS, or click Add New Server and then do the following:
Server Alias | Type a name you want to assign to the new RADIUS server.
Hostname/IP | Type either the RADIUS server's FQDN (fully qualified domain name) or IP address.
Shared Secret | Type the password that will be used to validate the connection between the controller and the RADIUS server.
Mask/Unmask | Click to display or hide your shared secret key.
Roles | Select the authentication role options for the RADIUS server:
  Authentication: By default, this option is selected if the VNS Type is External Captive Portal, which enables the RADIUS server to perform authentication on the Captive Portal VNS.
  MAC-based Authentication: Select to enable the RADIUS server to perform MAC-based authentication on the Captive Portal VNS. If the MAC-based authentication option is enabled, select to enable MAC-based authorization on roam, if applicable.
  Accounting: Select to enable the RADIUS server to perform accounting on the Captive Portal VNS.

Click Next. The DHCP screen displays.

Creating a Firewall Friendly External Captive Portal VNS - DHCP Screen

The DHCP screen displays:
Table 96: External Captive Portal DHCP Page - Fields and Buttons

Field/Button | Description
DHCP Option | In the DHCP Option drop-down list, click one of the following:
  Use DHCP Relay: Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
  Local DHCP Server: If applicable, edit the local DHCP server settings.
DHCP Servers | If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server. The DHCP server must be configured to match the VNS settings. In particular, for a Routed VNS, the DHCP server must identify the controller's interface IP as the default gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.)
DNS Server | Type the IP address of the Domain Name Servers to be used.
WINS | Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).

Click Next. The Filtering screen displays.

Creating a Firewall Friendly External Captive Portal VNS - Filtering Screen

The Filtering screen displays:

1 In the Filter ID drop-down list, click one of the following:
  Default: Controls access if there is no matching filter ID for a user.
  Exception: Protects access to the controller's own interfaces, including the VNS's own interface. VNS exception filters are applied to user traffic intended for the controller's own interface point on the VNS. These filters are applied after the user's specific VNS state assigned filters.
  Non-Authenticated: Controls network access and is also used to direct mobile users to a Captive Portal Web page for login.
2 In the Filter table, select the Allow or Deny option buttons for each filter if applicable, and then select the Enable check box accordingly.
3 Click Next. The Privacy screen displays.

Creating a Firewall Friendly External Captive Portal VNS - Privacy Screen

The Privacy screen displays:
Table 97: External Captive Portal Privacy Page - Fields and Buttons

Field/Button | Description
None | Select if you do not want to assign any privacy mechanism.
Static Keys (WEP) | Select to configure static keys. Then enter:
  WEP Key Index: Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs.
  WEP Key Length: Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit.
  Select an Input Method:
    Input Hex: type the WEP key input in the WEP Key box. The key is generated automatically based on the input.
    Input String: type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically filled by the corresponding Hex code.
WPA-PSK | Select to use a Pre-Shared Key (PSK), or shared secret, for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office.
  To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-down list, select one of the following encryption types:
    Auto: The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
    TKIP only: The AP will advertise TKIP as an available encryption protocol for WPAv1. It will not advertise CCMP.
    AES only: The AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
  To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-down list, click one of the following encryption types:
    Auto: The AP advertises both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
  To enable re-keying after a time interval, select Broadcast re-key interval. If this check box is not selected, the broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically.
  To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs.
  In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key.
Mask/Unmask | Click to display or hide your shared secret key.

Click Next. The Radio Assignment screen displays.

Creating a Firewall Friendly External Captive Portal VNS - Radio Assignment Screen

The Radio Assignment screen displays:
Table 98: External Captive Portal Radio Assignment Page - Fields and Buttons

Field/Button | Description
AP Default Settings: Radio 1 / Radio 2 | Select the radios of the AP default settings profile that you want to broadcast the Captive Portal VNS.
AP Selection: Select APs | Select the group of APs that will broadcast the Captive Portal VNS:
  all radios: Click to assign all of the APs' radios.
  radio 1: Click to assign only the APs' Radio 1.
  radio 2: Click to assign only the APs' Radio 2.
  local APs - all radios: Click to assign only the local APs.
  local APs - radio 1: Click to assign only the local APs' Radio 1.
  local APs - radio 2: Click to assign only the local APs' Radio 2.
  foreign APs - all radios: Click to assign only the foreign APs.
  foreign APs - radio 1: Click to assign only the foreign APs' Radio 1.
  foreign APs - radio 2: Click to assign only the foreign APs' Radio 2.
WMM | WMM (Wi-Fi Multimedia), if enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic.

Click Next. The Summary screen displays.

Creating a Firewall Friendly External Captive Portal VNS - Summary Screen

The Summary screen displays:

1 Confirm your VNS configuration. To revise your configuration, click Back.
2 To create your VNS, click Finish, and then click Close.

Creating a GuestPortal VNS

A GuestPortal provides wireless device users with temporary guest network services. A GuestPortal is serviced by a GuestPortal-dedicated VNS. A controller is allowed only one GuestPortal-dedicated VNS at a time.

GuestPortal user accounts are administered by a GuestPortal manager. A GuestPortal manager is a login group. GuestPortal managers must have their accounts created for them on the controller. For more information, see Working with GuestPortal Administration on page 690.

The GuestPortal VNS is a Captive Portal authentication-based VNS that uses a database on the controller for managing user accounts. The database is administered through a simple, user-friendly graphic user interface that can be used by non-technical staff. The GuestPortal VNS can be a Routed or a Bridge Traffic Locally at the EWC VNS, with SSID-based network assignment.

The GuestPortal VNS is a simplified VNS. It does not support the following:
  RADIUS authentication or accounting
  MAC-based authorization
  Child VNS support

The GuestPortal VNS can be created as a new VNS or can be configured from an already existing VNS. When you create a new VNS using the VNS wizard, you configure the VNS in the following stages:
  Basic settings
  DHCP settings
  Filter settings
  Privacy settings
  Radio assignment settings
  Summary

A GuestPortal account ticket is a print-ready form that displays the guest account information, system requirements, and instructions on how to log on to the guest account. For more information, see Working with the Guest Portal Ticket Page on page 700.

The GuestPortal VNS can be created as a new VNS or can be configured from an already existing VNS. Use the following high-level description to set up a GuestPortal on your system:

1 Create a GuestPortal VNS.
2 Configure the GuestPortal ticket.
3 Configure availability, if applicable. Availability maintains service availability in the event of a controller outage. For more information, see Availability and Session Availability on page 537.
4 Create GuestPortal manager and user accounts. For more information, see Working with GuestPortal Administration on page 690.
5 Manage your guest accounts and GuestPortal logs. For more information, see the Extreme Networks ExtremeWireless Maintenance Guide.

Creating a GuestPortal VNS from an Existing VNS

The GuestPortal VNS can be created as a new VNS or can be configured from an already existing VNS. A controller is allowed only one GuestPortal-dedicated VNS at a time.

To create a GuestPortal VNS from an already existing VNS:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, select and expand the Virtual Networks pane.
3 Click on the VNS you want to configure as a GuestPortal VNS. The VNS configuration window Core tab is displayed.
4 Select a preconfigured WLAN Service and click Edit, or press New to create a new WLAN Service.
5 In the Edit WLAN Service window, click the Auth & Acct tab.
6 In the Authentication Mode drop-down list, click GuestPortal.
7 To save your changes, click Save.

Creating a New GuestPortal VNS Using the VNS Wizard

To create a new GuestPortal VNS using the VNS Wizard:

1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, expand the New pane, and then click START VNS WIZARD. The VNS Creation Wizard displays.
3 In the Name box, type a name for the GuestPortal VNS.
4 In the Category drop-down list, click Captive Portal.
5 Click Next. The Basic Settings screen displays.

Creating a New GuestPortal VNS Using the VNS Wizard - Basic Settings Screen

The Basic Settings screen displays:

Table 99: Guest Portal Basic Settings Page - Fields and Buttons

Field/Button | Description
Enabled | By default, the Enabled check box for the new VNS is enabled. A VNS must be enabled for it to be able to provide service for mobile user traffic.
Synchronize | By default, the Synchronize check box for the new VNS is disabled.
Name | Identifies the name of the VNS.
Category | Identifies the VNS category.
SSID | Identifies the SSID assigned to the VNS.
Authentication Mode | Click Guest Portal.
Mode | Click the VNS Mode you want to assign:
  Routed is a VNS type where user traffic is tunneled to the controller.
  Bridge Traffic Locally at EWC is a VNS type where user traffic is tunneled to the controller and is directly bridged at the controller to a specific VLAN. With this VNS type, mobile users become a natural extension of a VLAN subnet. For each Bridge Traffic Locally at EWC VNS that is created, a VLAN needs to be specified. In addition, the network port on which the VLAN is assigned must be configured on the switch, and the corresponding controller interface must match the correct VLAN.

Routed mode fields:
Gateway | Type the controller's own IP address in that VNS. This IP address is the default gateway for the VNS. The controller advertises this address to the wireless devices when they sign on. For routed VNSs, it corresponds to the IP address that is communicated to mobile users (in the VNS) as the default gateway for the VNS subnet. (Mobile users target the controller's interface in their effort to route packets to an external host.)
Mask | Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).

Bridge Traffic Locally at EWC mode fields:
Interface | Click the physical interface that provides the access to the VLAN.
Interface IP address | Type the IP address of the controller's interface on the VLAN.
Mask | Type the appropriate subnet mask for this IP address to separate the network portion from the host portion of the address (typically 255.255.255.0).
VLAN ID | Type the VLAN to which the controller will be bridged for the VNS. Then, select either Untagged or Tagged.
Enable DHCP | If applicable, select this check box to enable DHCP.

Click Next. The DHCP screen displays.

Creating a New GuestPortal VNS Using the VNS Wizard - DHCP Screen

The DHCP screen displays:
Table 100: Guest Portal DHCP Page - Fields and Buttons

Field/Button | Description
DHCP Option | In the DHCP Option drop-down list, click one of the following:
  Use DHCP Relay: Using DHCP relay forces the controller to forward DHCP requests to an external DHCP server on the enterprise network. DHCP relay bypasses the local DHCP server for the controller and allows the enterprise to manage IP address allocation to a VNS from its existing infrastructure.
  Local DHCP Server: If applicable, edit the local DHCP server settings.
DHCP Servers | If Use DHCP Relay was selected, type the IP address of the DHCP server to which DHCP discover and request messages will be forwarded for clients on this VNS. The controller does not handle DHCP requests from users, but instead forwards the requests to the indicated DHCP server. The DHCP server must be configured to match the VNS settings. In particular, for a Routed VNS, the DHCP server must identify the controller's interface IP as the default gateway (router) for the subnet. (Users intending to reach devices outside of the subnet will forward the packets to the default gateway (controller) for delivery upstream.)
DNS Server | Type the IP address of the Domain Name Servers to be used.
WINS | Type the IP address if the DHCP server uses Windows Internet Naming Service (WINS).

Click Next. The Filtering screen displays.

Creating a New GuestPortal VNS Using the VNS Wizard - Filtering Screen

The Filtering screen displays:

1 Configure the VNS filtering settings:
  a In the Filter ID drop-down list, click one of the following:
    Authenticated: Controls network access after the user has been authenticated.
    Non-authenticated: Controls network access and directs users to a Captive Portal Web page for login.
2 In the Filter table, select the Enable check box for the desired filters, then select the Allow or Deny option buttons for each filter as needed.
3 At the bottom of the Filter list, select Allow or Deny for All Other Traffic.
4 Click Next. The Privacy screen displays.

Creating a New GuestPortal VNS Using the VNS Wizard - Radio Assignment Screen

The Radio Assignment screen displays:
Table 101: Guest Portal Radio Assignment Page - Fields and Buttons

Field/Button | Description
AP Default Settings: Radio 1 / Radio 2 | Select the radios of the AP default settings profile that you want to broadcast the Captive Portal VNS.
AP Selection: Select APs | Select the group of APs that will broadcast the Captive Portal VNS:
  all radios: Click to assign all of the APs' radios.
  radio 1: Click to assign only the APs' Radio 1.
  radio 2: Click to assign only the APs' Radio 2.
  local APs - all radios: Click to assign only the local APs.
  local APs - radio 1: Click to assign only the local APs' Radio 1.
  local APs - radio 2: Click to assign only the local APs' Radio 2.
  foreign APs - all radios: Click to assign only the foreign APs.
  foreign APs - radio 1: Click to assign only the foreign APs' Radio 1.
  foreign APs - radio 2: Click to assign only the foreign APs' Radio 2.
WMM | WMM (Wi-Fi Multimedia), if enabled on an individual VNS, provides multimedia enhancements that improve the user experience for audio, video, and voice applications. WMM is part of the 802.11e standard for QoS. If enabled, the AP will accept WMM client associations, and will classify and prioritize the outbound traffic for all WMM clients. WMM clients will also classify and prioritize the inbound traffic.

Click Next. The Summary screen displays.

Creating a New GuestPortal VNS Using the VNS Wizard - Privacy Screen

The Privacy screen displays:

Table 102: Guest Portal Privacy Page - Fields and Buttons

Field/Button | Description
None | Select if you do not want to assign any privacy mechanism.
Static Keys (WEP) | Select to configure static keys. Then enter:
  WEP Key Index: Click the WEP encryption key index: 1, 2, 3, or 4. Specifying the WEP key index is supported only for AP37XX wireless APs.
  WEP Key Length: Click the WEP encryption key length: 64 bit, 128 bit, or 152 bit.
  Select an Input Method:
    Input Hex: type the WEP key input in the WEP Key box. The key is generated automatically based on the input.
    Input String: type the secret WEP key string used for encrypting and decrypting in the WEP Key String box. The WEP Key box is automatically filled by the corresponding Hex code.
WPA-PSK | Select to use a Pre-Shared Key (PSK), or shared secret, for authentication. WPA-PSK (Wi-Fi Protected Access Pre-Shared Key) is a security solution that adds authentication to enhanced WEP encryption and key management. WPA-PSK mode does not require an authentication server. It is suitable for home or small office.
  To enable WPA v1 encryption, select WPA v.1. In the Encryption drop-down list, select one of the following encryption types:
    Auto: The AP will advertise both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) for WPAv1. CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
    TKIP only: The AP will advertise TKIP as an available encryption protocol for WPAv1. It will not advertise CCMP.
    AES only: The AP advertises CCMP as an available encryption protocol. It will not advertise TKIP.
  To enable WPA v2 encryption, select WPA v.2. In the Encryption drop-down list, click one of the following encryption types:
    Auto: The AP advertises both TKIP and CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol). CCMP is an IEEE 802.11i encryption protocol that uses the encryption cipher AES (Advanced Encryption Standard).
  To enable re-keying after a time interval, select Broadcast re-key interval. If this check box is not selected, the broadcast encryption key is never changed and the AP will always use the same broadcast key for Broadcast/Multicast transmissions. This will reduce the level of security for wireless communications. In the Broadcast re-key interval box, type the time interval after which the broadcast encryption key is changed automatically.
  To enable the group key power save retry, select Group Key Power Save Retry. The group key power save retry is supported only for AP37XX wireless APs.
  In the Pre-shared key box, type the shared secret key to be used between the wireless device and AP. The shared secret key is used to generate the 256-bit key.
Mask/Unmask | Click to display or hide your shared secret key.

Click Next. The Radio Assignment screen displays.

Creating a New GuestPortal VNS Using the VNS Wizard - Summary Screen

The Summary screen displays:
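Before the Summary step, a review aid for the Privacy page choices described in Tables 92, 97 and 102 above. This is an added example, not code from the guide or from Extreme Networks: it models the Privacy page fields as the wizard presents them (None, Static Keys (WEP), WPA-PSK with WPA v.1 / WPA v.2 and Auto / TKIP only / AES only, Broadcast re-key interval) and reports the combinations the guide itself describes as weaker, such as leaving the broadcast re-key interval cleared. The PMK derivation implements the standard WPA-PSK passphrase mapping from IEEE 802.11i (PBKDF2-HMAC-SHA1 over the SSID, 4096 iterations, 256-bit output); the guide only says the shared secret "is used to generate the 256-bit key", so it is an assumption that the controller follows the standard mapping, and the `PrivacySettings` class and its field names are constructed for this example.

```python
"""Added audit example for the VNS Privacy page settings (not part of the guide)."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PrivacySettings:
    """One VNS Privacy page, named after the wizard's controls (constructed model)."""
    mechanism: str                                   # "None", "WEP" or "WPA-PSK"
    wpa_version: Optional[str] = None                # "WPA v.1" or "WPA v.2" (WPA-PSK only)
    encryption: Optional[str] = None                 # "Auto", "TKIP only" or "AES only"
    broadcast_rekey_interval: Optional[int] = None   # seconds; None = check box cleared
    wep_key_length: Optional[int] = None             # 64, 128 or 152 (WEP only)


def audit_privacy(cfg: PrivacySettings) -> List[str]:
    """Return the findings a reviewer would raise for this Privacy page (empty = none)."""
    findings: List[str] = []
    if cfg.mechanism == "None":
        findings.append("no privacy mechanism: traffic on this VNS is sent in the clear")
    elif cfg.mechanism == "WEP":
        findings.append(f"static WEP keys ({cfg.wep_key_length}-bit) selected; "
                        "WEP is a legacy option, prefer WPA-PSK with AES only")
    elif cfg.mechanism == "WPA-PSK":
        if cfg.wpa_version == "WPA v.1":
            findings.append("WPA v.1 selected; prefer WPA v.2 (802.11i CCMP/AES)")
        if cfg.encryption in ("Auto", "TKIP only"):
            # Auto advertises TKIP alongside CCMP, so a client may still negotiate TKIP.
            findings.append(f"encryption '{cfg.encryption}' advertises TKIP; "
                            "select 'AES only' so clients cannot negotiate TKIP")
        if cfg.broadcast_rekey_interval is None:
            # The guide: with the check box cleared the broadcast key is never changed.
            findings.append("Broadcast re-key interval not selected: the broadcast key "
                            "is never changed, which the guide notes reduces security")
    else:
        findings.append(f"unknown privacy mechanism '{cfg.mechanism}'")
    return findings


def derive_wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Standard WPA-PSK passphrase-to-PMK mapping (IEEE 802.11i): a 256-bit key.

    Assumption: the controller applies this standard mapping to the value typed
    in the Pre-shared key box; the guide does not spell the algorithm out.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


if __name__ == "__main__":
    # Constructed sample pages: one weak, one as a reviewer would want it.
    weak = PrivacySettings(mechanism="WPA-PSK", wpa_version="WPA v.1", encryption="Auto")
    strong = PrivacySettings(mechanism="WPA-PSK", wpa_version="WPA v.2",
                             encryption="AES only", broadcast_rekey_interval=3600)
    for name, page in (("weak", weak), ("strong", strong)):
        print(name, audit_privacy(page) or ["no findings"])
    # Constructed SSID and passphrase, not values from the guide.
    print(derive_wpa_psk("correct horse battery", "ConstructedSSID").hex())
```

The `audit_privacy` checks are deliberately limited to what the Privacy page lets an administrator choose; the PMK derivation is there to make concrete that the 256-bit key is a deterministic function of the typed shared secret and the SSID, which is why the quality of that secret matters on a VNS with no authentication server.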
D raft 1 Conrm your VNS conguration. To revise your conguration, click Back. 2 To create your VNS, click Finish, and then click Close. If the controller is congured to be part of an availability pair, you can chose to synchronize the VNS on the secondary controller. 3 If applicable, you can continue to congure or edit the new VNS by clicking the individual VNS conguration tabs. Enabling and Disabling a VNS By default, when a new VNS is created, the VNS is added to the system as an enabled VNS. A VNS can be enabled or disabled. Disabling a VNS provides the ability to temporarily stop wireless service on a VNS. The disabled VNS conguration remains in the database for future use. The controller can support the following VNSs:
ExtremeWireless V10.41.06 User Guide 485 Conguring a VNS Table 103: ExtremeWireless Appliance Active and Dened VNS Support PPlatform Dened VNSs Active VNSs C5110 C5210 C5215 C4110 C25 C35 V2110 (Small) 128 128 128 64 16 16 16 256 256 256 128 32 32 32 128 256 Renaming a VNS V2110 (Medium) 64 V2110 (Large) D From the top menu, click VNS. To enable or disable a VNS:
128 To rename a VNS:
1 2 In the left pane, expand the Virtual Networks pane and select the VNS to enable or disable. 3 On the CCore tab, in the Status box, select or de-select the Enable check box. 4 Click Save. The VNS is enabled or disabled accordingly. raft From the top menu, click VNS. 1 2 In the left pane expand the VVirtual Networks pane, then select the VNS you want to rename. 3 On the CCore tab, in the VNS Name eld, enter the new name. 4 Click Save. The VNS is renamed. You can delete a VNS that is no longer necessary. To delete a VNS:
From the top menu, click VNS. 1 2 In the left pane expand the VVirtual Networks pane, then select the VNS you want to rename. 3 On the CCore tab, click the Delete button. A pop-up window prompts you to conrm you want to Deleting a VNS delete the VNS. Click OK. 4 Click Save. The VNS is deleted. ExtremeWireless V10.41.06 User Guide 486 9 Conguring Classes of Service CClasses of Service Overview Conguring Classes of Service CoS Rule Classication Priority and ToS/DSCP Marking Rate Limiting The CoS denes actions to be taken when rate limits are exceeded. Classes of Service Overview D In general, CoS (Class of Service) refers to a set of attributes that dene the importance of a frame while it is forwarded through the network relative to other packets, and to the maximum throughput per time unit that a station or port assigned to a specic role is permitted. For more information on conguring roles, see Conguring Default VLAN and Class of Service for a Role on page 284. All incoming packets may follow these steps to determine a CoS:
• Classification - identifies the first matching rule that defines a CoS.
• Marking - modifies the L2 802.1p and/or L3 ToS based on the CoS definition.
• Rate limiting (drop) is set.
• Transmit queue assignment.

The CoS feature is a configuration entity containing QoS Marking (802.1p and ToS/DSCP), Inbound/Outbound Rate Limiting and Transmit Queue Assignments. The CoS ToS marking capability allows for NAC-based redirection to different captive portals on the same WLAN (Wireless Local Area Network) Service. The supported CoS attributes are enforced on the controller (data plane) and on the APs.

Configuring Classes of Service

To configure Classes of Service:
1 From the top menu, click VNS.
2 In the left pane, click Classes of Service. The Class of Service configuration page displays. By default, the General tab displays. Table 104 describes the fields and buttons on the General tab.
3 In the left pane, click the name of the Class of Service that you want to edit. Alternately, click the New button to create a new CoS.

Note
"No CoS" means that the traffic to which it is assigned will not be remarked, the controller software will decide the appropriate transmit queue, and no rate limits will be applied on traffic traveling to or from the station to which the CoS is applied. The "No CoS" CoS is predefined and cannot be removed.

Table 104: General Tab - Fields and Buttons
Field/Button: Description

Core
  Name: Enter a name to assign to this class of service.
Marking
  Use Legacy Priority Override defined in the WLAN Service: Priority override allows you to define and force the traffic to a desired priority level. Priority override can be used with any combination. You can configure the service class and the DSCP values. Select this check box to use the Priority Override defined in the WLAN as in previous releases. For more information, see Configuring the Priority Override on page 370.
  802.1p Priority: Select this check box to define how the Layer 2 priority of the packet will be marked. From the drop-down list, select Priority 0 to Priority 7. For more information, see Priority and ToS/DSCP Marking on page 491.
    Note: This selection is not available if Legacy Priority Override is checked.
  ToS/DSCP Marking: Select this check box to define how the Layer 3 ToS/DSCP will be marked. Enter a hexadecimal value in the 0x (DSCP:) field, or click the Select button to open the ToS/DSCP Configuration dialog. For more information, see Configuring ToS/DSCP Marking on page 491.
    Note: This selection is not available if Legacy Priority Override is checked.
  Mask: 0x: Displays the hexadecimal mask to use for the ToS/DSCP value. For example, if the mask is 0xF0, then only the four most significant bits of the ToS of the received packets are marked. So, if the received ToS is 0x33 and the ToS marking is set to 0x2A, then the resulting ToS is 0x22.
Rate Limiting
  Inbound Rate Limit: Select this check box, and then select an inbound rate limit from the drop-down list or click the New button to create a new inbound rate limit profile. To edit an existing inbound rate limit profile, select the profile from the drop-down list and then click the Edit button. For more information, see Rate Limiting on page 492.
  Outbound Rate Limit: Select this check box, and then select an outbound rate limit from the drop-down list or click the New button to create a new outbound rate limit profile. To edit an existing outbound rate limit profile, select the profile from the drop-down list and then click the Edit button. For more information, see Rate Limiting on page 492.
Transmit Queue Assignment
  Transmit Queue: Select this check box, and select a Transmit Queue from the drop-down list. The Transmit Queue assignment is an override to the default TXQ assignment specified in the 802.1p priority, but without remarking the actual 802.1p field.

CoS Rule Classification

Classification is the process of finding the first matching rule that defines a CoS for an incoming packet. The order of classification is as follows:
1 Use the CoS assigned by the first role rule matched by the packet that explicitly assigns a CoS.
2 If no CoS is found, use the default CoS of the Role.
3 If still no CoS is found, use the default CoS of the WLAN (for the non-auth role).

For inbound traffic, classification is done at the AP (if AP Filtering is enabled); otherwise it is done at the controller. For outbound traffic, classification is always done at the controller.

The rule that assigns authorization (Access Control) may not be the same rule that assigns the CoS. Therefore, up to two passes are made through the policy rules for each packet. The first pass looks for authorization (allow, deny). If the first pass results in the packet being allowed, a second pass classifies the packet and assigns the CoS.

The number of rules reported to Policy Manager is limited to the number of rules allowed on the controller. On the controller, a single rule can contain different classification types, whereas for Policy Manager this rule may be split into several rules. For example, if a rule defines an IP source address and also a ToS value, then this rule would be split into an IP type and a ToS type. Rules exceeding the limit after splitting will be dropped.

Priority and ToS/DSCP Marking

After packets are classified, they are assigned a final User Priority (UP) value. The Priority and ToS/DSCP Marking bits to be applied to the packet are taken from the CoS; if they are not set, the received value (ToS/DSCP) is used. ToS/DSCP Marking rewrites the Layer 3 Type of Service (ToS) byte.

Configuring ToS/DSCP Marking

To configure ToS/DSCP marking:
1 From the Class of Service General tab, click ToS/DSCP Marking.
2 Click the Select button. The ToS/DSCP Configuration dialog displays.
Note
Select either Type of Service (ToS) or Diffserv Codepoint (DSCP) from this dialog. You cannot configure both types.
3 If you select Type of Service (ToS):
  a Select a Precedence value from the drop-down list.
  b Select a specific ToS from the following list:
    • Delay Sensitive
    • High Throughput
    • High Reliability
    • Explicit Congestion Notification
4 If you select Diffserv Codepoint (DSCP):
  • Choose a Well-known Value, or
  • Enter a Raw Binary Value
5 Close the Configuration dialog.

The logic used to find the final User Priority (UP) depends on the CoS, the received UP, or the final ToS/DSCP value. These are the steps followed to determine the final UP:
1 Use the UP markings defined in the CoS (directly or via Legacy UP override).
2 If still no UP, use the UP from the received packet.
3 If still no UP, use the DSCP marking defined in the CoS and map it to a UP with the WLAN's DSCP-to-UP mapping table.
4 If still no UP, use the received DSCP value and map it to a UP with the WLAN's DSCP-to-UP mapping table.

Rate Limiting

The Inbound and Outbound Rate Limit is enforced on a per-station basis, whether the rate limit is assigned to a rule, a role or a WLAN. Each station has its own set of counters that are used to monitor its wireless network utilization. Traffic from other stations never counts against a station's rate limits.

Controllers support up to 128 system-wide rate profiles when managed from the controller. Each role can use a maximum of 9 inbound rate profiles and 9 outbound rate profiles. For each direction there can be one rate profile assigned by the role's default CoS and 8 other rate profiles assigned by the role's rules. There is no limit to how many rules allow CoS assignments as long as there are never more than 8 + 8 rate profiles assigned by Classes of Service.

If two or more rules in the same role assign the same named rate profile to a station's packets, then those rules "share" the rate profile. In Figure 147, a role's rules assign both HTTP and FTP traffic to the same rate limiter. The sum of the amounts of HTTP and FTP traffic determines whether the rate limit is being exceeded. Each station gets its own set of rate limiters, so the HTTP and FTP traffic of other stations never gets counted against a station's own rate profile limits.

Figure 147: Rate Limiter Example
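The two-pass classification (authorization first, CoS second) and the per-station, name-shared rate profiles described in this chapter, modelled as an added Python example; this is not the controller's code. The rule names, CoS names, the "bulk-1M" and "voice-256k" profiles, the byte budgets and the default-allow behaviour when no access-control rule matches are constructed assumptions.

```python
# Added example (not the controller's code): a model of the two-pass CoS
# classification and the per-station, name-shared rate profiles described in
# the Classes of Service chapter. Rule, CoS and profile names are constructed.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

Packet = Dict[str, object]  # constructed fields: "station", "proto", "dport"


@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]
    action: Optional[str] = None  # "allow" / "deny", or None if the rule only sets CoS
    cos: Optional[str] = None     # named CoS assigned by the rule, if any


@dataclass
class CoS:
    name: str
    inbound_profile: Optional[str] = None   # rate profile name (shared by name)
    outbound_profile: Optional[str] = None


@dataclass
class Role:
    name: str
    rules: List[Rule]
    default_cos: Optional[str] = None


def classify(pkt: Packet, role: Role, wlan_default_cos: str,
             default_action: str = "allow") -> Tuple[bool, Optional[str]]:
    """Pass 1: the first matching rule carrying an access-control action decides
    allow/deny (default_action if none matches; the guide does not state the
    default, so it is a parameter here). Pass 2, only for allowed packets: the
    first matching rule that explicitly assigns a CoS wins, then the role's
    default CoS, then the WLAN's default CoS."""
    action = default_action
    for rule in role.rules:
        if rule.action is not None and rule.match(pkt):
            action = rule.action
            break
    if action != "allow":
        return False, None
    for rule in role.rules:
        if rule.cos is not None and rule.match(pkt):
            return True, rule.cos
    return True, role.default_cos or wlan_default_cos


def rule_profiles(role: Role, cos_table: Dict[str, CoS], direction: str) -> Set[str]:
    """Distinct rate profiles pulled in by a role's rules (not its default CoS)."""
    attr = "inbound_profile" if direction == "inbound" else "outbound_profile"
    names: Set[str] = set()
    for rule in role.rules:
        profile = getattr(cos_table[rule.cos], attr) if rule.cos in cos_table else None
        if profile:
            names.add(profile)
    return names


def exceeds_rule_profile_limit(role: Role, cos_table: Dict[str, CoS], direction: str) -> bool:
    # Per direction: one profile from the default CoS plus at most 8 from rules.
    return len(rule_profiles(role, cos_table, direction)) > 8


class StationRateLimiters:
    """Per-station counters keyed by (station, profile name). Rules that name
    the same profile share one counter, so HTTP and FTP bytes are summed; other
    stations never count against this station's profile."""
    def __init__(self, limits: Dict[str, int]):
        self.limits = limits          # profile name -> byte budget per interval
        self.used: Dict[Tuple[str, str], int] = {}

    def account(self, station: str, profile: str, nbytes: int) -> bool:
        key = (station, profile)
        self.used[key] = self.used.get(key, 0) + nbytes
        return self.used[key] > self.limits[profile]   # True = over limit (drop)


# Constructed configuration mirroring Figure 147: the HTTP and FTP rules in one
# role assign the same CoS, whose inbound profile is "bulk-1M".
COS_TABLE = {
    "bulk": CoS("bulk", inbound_profile="bulk-1M"),
    "voice": CoS("voice", inbound_profile="voice-256k"),
}
WAREHOUSE_ROLE = Role("warehouse", rules=[
    Rule("deny-telnet", lambda p: p["dport"] == 23, action="deny"),
    Rule("allow-all", lambda p: True, action="allow"),
    Rule("http-bulk", lambda p: p["dport"] == 80, cos="bulk"),
    Rule("ftp-bulk", lambda p: p["dport"] == 21, cos="bulk"),
], default_cos="voice")


def demo() -> dict:
    """Station A's HTTP + FTP share one 1 MB budget and exceed it together;
    station B's HTTP is counted separately and stays under the limit."""
    limiters = StationRateLimiters({"bulk-1M": 1_000_000, "voice-256k": 256_000})
    results: dict = {}
    for station, dport, nbytes in [("sta-A", 80, 600_000), ("sta-A", 21, 600_000),
                                   ("sta-B", 80, 600_000), ("sta-B", 443, 1_000)]:
        pkt = {"station": station, "proto": "tcp", "dport": dport}
        allowed, cos = classify(pkt, WAREHOUSE_ROLE, wlan_default_cos="No CoS")
        cos_entry = COS_TABLE.get(cos) if (allowed and cos) else None
        profile = cos_entry.inbound_profile if cos_entry else None
        over = limiters.account(station, profile, nbytes) if profile else False
        results[(station, dport)] = (cos, over)
    results["telnet"] = classify({"station": "sta-A", "proto": "tcp", "dport": 23},
                                 WAREHOUSE_ROLE, "No CoS")
    return results
```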
10 Configuring Sites

VNS Sites Overview
Configuring Sites
Recommended Deployment Guidelines
Radius Configuration
Selecting AP Assignments
Selecting WLAN Assignments

VNS Sites Overview

A Site is a mechanism for grouping APs and refers to specific Roles, CoS (Class of Service) and RADIUS servers that are grouped to form a single configuration. Sites allow for deployments where the authentication server is local, and provide the ability to associate a new 802.1x client and to allow 802.1x clients to roam with Fast Roaming when the AP's home controller is unreachable.

When configuring a Site profile, two additional tabs are included:
• An AP Assignments tab provides a list of APs that can be assigned to a specific Site. Once an AP is assigned, the controller preloads the APs with the server configuration used by the Site.
• A WLAN (Wireless Local Area Network) Assignments tab lists available WLAN Services and specific radio assignments. WLAN Services can be assigned in the same way as AP Load Groups (see Configuring Co-Located APs in Load Balance Groups on page 213).

Topology groups for sites are not supported. You can add a WLAN or Role to a site if it does not use a topology group. You can change the configuration of a WLAN, Role, and VNS to use a topology group, but if the WLAN, Role, or VNS is part of the Site configuration, the Site configuration will become invalid. At that point, you must remove the topology group related configuration from the site configuration.

The number of sites supported on each controller model is equal to the number of APs supported. For more information, see Table 4 on page 30.

Configuring Sites

A site can also use any Bridged at AP, Bridged at Controller, or Routed Topology defined in the controller. Once an AP is assigned to a site, the controller will preload the AP with the Topologies, Roles, CoS and RADIUS server configuration used by the site. The AP will then be able to use these configuration items even when the controller is unreachable.

An AP that is part of a site that has local RADIUS client services enabled will use its own RADIUS client to do the following:
• Perform all MAC-based authentication for all stations associated with it on any of the WLAN Services assigned to it.
• Perform all RADIUS server interactions for 802.1x authentications for all stations associated with it on any 802.1x WLAN Service assigned to it.
• Perform all user authentication for all stations associated with it on any of the FF-ECP WLAN Services requiring user authentication.

Recommended Deployment Guidelines

The Sites feature introduces new and complex interactions between hardware and software components. Sites are recommended for customers who have an AP-to-controller link (in a normal deployment) which they expect will be disconnected for long periods of time, but who still expect to give service to users.

Note
For best performance and maintainability, do not use the Sites feature if the AP-to-controller link is normally connected.

The following guidelines are recommended to configure a secure and easy-to-maintain Site:
• Use 802.1x and WPA2 Enterprise authentication and privacy.
• Do not use MAC-based authentication (MBA) unless absolutely required.
• Do not use more than 32 policy rules within a single AP filter.
• Do not configure a Site's AP Session Availability function without an AP-to-controller link.
• Do not configure the following features in a Sites configuration, since they rely on a consistent AP-to-controller link:
  • Tunneled/Routed topologies
  • RADIUS accounting
  • Captive Portal

Defining Roles, CoS, and RADIUS Servers for Local RADIUS Authentication

1 From the top menu, click VNS.
2 In the left pane, click Sites. The Sites screen displays.
3 In the left pane, click the name of the Site that you want to edit, or click the New button to create a new Site. The Site configuration page displays. By default, the Configuration tab displays. Table 105 describes the fields and buttons on the Configuration tab.

Table 105: Configuration Tab - Fields and Buttons
Field/Button: Description

Site Name: Enter a name to assign to this Site. The name is unique among Sites on the controller. AP load group names and Site names are part of the same name space, so a load group and a Site cannot have the same name.
Local Radius Authentication: Select this check box to choose a local RADIUS Server for login credentials and authentication.
Default DNS Server: This field is used to resolve RADIUS server names to IP addresses if necessary.
Roles to download to member APs: Select the roles that will be applied to APs with this specific Site configuration. Physical topologies and third-party AP enabled topologies cannot be assigned to a Site.
CoS to download to member APs: Displays the Class of Service that will be applied to APs with this specific Site configuration.
RADIUS Server used: Displays the list of available RADIUS servers used for this Site (for more information, see Radius Configuration on page 499). The RADIUS servers assigned to a Site override the list of RADIUS servers in the WLAN Service definition for APs that are part of the Site.
Status: Synchronize: (unknown)
Synchronize: Select this check box to enable automatic synchronization with an availability peer. Refer to Using the Sync Summary on page 414 for information about viewing synchronization status. If this Site is part of an availability pair, Extreme Networks recommends that you enable this feature.
Advanced Button
  Secure Tunnel: This feature, when enabled, provides encryption, authentication, and key management between the AP and/or controllers. Select the desired Secure Tunnel mode from the drop-down list:
    • Disabled: Secure Tunnel is turned off and no traffic is encrypted. All SFTP/SSH/TFTP traffic works normally.
    • Encrypt control traffic between AP & Controller: An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control traffic is encrypted. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
    • Encrypt control and data traffic between AP & Controller: This mode only benefits routed/bridged@AP Controller Topologies. An IPSEC tunnel is established from the AP to the controller and all SFTP/SSH/TFTP/WASSP control and data traffic is encrypted. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
    • Debug mode: An IPSEC tunnel is established from the AP to the controller, no traffic is encrypted, and all SFTP/SSH/TFTP traffic works normally. The AP skips the registration and authentication phases and, when this mode is selected, the Secure Tunnel Lifetime feature can be configured.
    Note: This option is not available for AP3805 models.
    Note: Changing the Secure Tunnel mode will automatically disconnect and reconnect the AP.
  Secure Tunnel Lifetime: When Secure Tunnel is enabled, enter the interval (in hours) at which the keys of the IPSEC tunnel are renegotiated. This only applies if both the AP and the controller are running V8.31 or newer.
    Note: Changing the Secure Tunnel Lifetime setting will not cause any AP disruption.
  Encrypt control traffic between APs: Select this check box to provide encryption, authentication, and key management between APs and/or controllers.
  Band Preference: Select this check box to enable APs to become members of both this Site and a load group at the same time.
  Load Control: Select the following parameters for each radio assigned to this Site:
    • Enable: Select this check box to enable Radio Load Control (RLC) for the individual radios (Radio 1 and Radio 2) associated with this Site.
    • Max. # of Clients: Enter the maximum number of clients for Radio 1 and Radio 2. The default limit is 60. The valid range is 5 to 60.
    • Strict Limit: Select this check box to enable a strict limit on the number of clients allowed on a specific radio, based on the max # of clients allowed. Limits can be enforced separately for Radio 1 and Radio 2.
  RADIUS Authentication: Replace Called Station ID with Zone: Select this check box to allow the RADIUS client to send the AP Zone as the Called-Station ID instead of the radio MAC address. This feature can be enabled regardless of whether the Site is using centrally located or local RADIUS servers.

Radius Configuration

A single Site definition can be configured with one or two RADIUS servers. The RADIUS servers assigned to a Site can only be selected from the list of servers displayed on the RADIUS Configuration dialog.

To select site RADIUS servers:
1 From the Configuration tab, under RADIUS Server used, click Configure. The RADIUS Configuration dialog displays.
2 Select a RADIUS server from the list of available servers and click the right-arrow button. The server will be moved under the RADIUS Servers used list.
3 Click the Move Up or Move Down buttons to change the order of the RADIUS Servers used.
4 Click the Advanced button. The RADIUS Advanced Configuration dialog appears.
5 The following values can be edited:
  • NAS Identifier: Click the check box to use the name of the existing VNS server, or enter an alternate name in the box provided.
  • NAS IP Address: Click the check box to use the existing IP address of the VNS server, or enter an alternate IP address in the box provided.
  • Auth. type: Select an authorization protocol from the drop-down list (PAP, CHAP, MS-CHAP, or MS-CHAP2).
  • Password: To override the default password (see VNS Global Settings on page 392) for MBA - MAC Based authorization only. Select Mask to display the password, and select Unmask to hide the entry.
6 Click Close.

Selecting AP Assignments

To select AP assignments:
1 Go to VNS > Sites.
2 Select a site and click the AP Assignments tab.
3 Select the APs to apply to the Site configuration.

Selecting WLAN Assignments

To select WLAN Assignments:
conguration. 4 Click Save. 1 Go to VNS > Sites. 2 Select a site and click the WWLAN Assignments tab. 3 Select Radio assignments (Radio 1 and Radio 2) for specic WLANs that will be applied to this Site raf ExtremeWireless V10.41.06 User Guide 501 11 Working with a Mesh Network AAbout Mesh Simple Mesh Conguration Wireless Repeater Conguration Wireless Bridge Conguration Examples of Deployment Mesh WLAN Services Key Features of Mesh Deploying the Mesh System Changing the Pre-shared Key in a Mesh WLAN Service D About Mesh A Mesh deployment is ideally suited for locations where installing Ethernet cabling is too expensive, or physically impossible. Mesh networks enable you to expand the wireless network by interconnecting the wireless APs through wireless links in addition to the traditional method of interconnecting wireless APs via a wired network. In a Mesh deployment, each node not only captures and disseminates its own data, but it also serves as a relay for other nodes, that is, it collaborates to propagate the data in the network. raft The Mesh network can be deployed in three congurations:
Simple Mesh Conguration Wireless Repeater Conguration Wireless Bridge Conguration In a typical Mesh conguration, the APs are connected to the distribution system via an Ethernet network, which provides connectivity to the ExtremeWireless Appliance. Simple Mesh Conguration However, when an AP is installed in a remote location and cant be wired to the distribution system, an intermediate AP is connected to the distribution system via the Ethernet link. This intermediate AP forwards and receives the user traffic from the remote AP over a radio link. The intermediate AP that is connected to the distribution system via the Ethernet network is called Mesh portal, and the AP that is remotely located is called the Mesh AP. Figure 148 illustrates the Simple Mesh conguration:
ExtremeWireless V10.41.06 User Guide 502 Working with a Mesh Network D Figure 148: Simple Mesh Conguration Wireless Repeater Conguration In Wireless Repeater conguration, a Mesh AP is installed between the Mesh Portal and the destination Mesh AP. The Mesh AP relays the user traffic between the Mesh Portal and the destination Mesh AP. This increases the WLAN (Wireless Local Area Network) range. Figure 149 illustrates the Wireless Repeater conguration:
raft ExtremeWireless V10.41.06 User Guide 503 Working with a Mesh Network D Figure 149: Wireless Repeater Conguration NNote You should restrict the number of repeater hops in a Wireless Repeater conguration to three for optimum performance. raft In Wireless Bridge conguration, the traffic between two APs that are connected to two separate wired LAN segments is bridged via Mesh link. You may also install a Mesh AP between the two Wireless APs connected to two separate LAN segments. Wireless Bridge Conguration Figure 150: Wireless Bridge Conguration When you are conguring the Wireless Bridge conguration, you must specify on the user interface that the Mesh AP is connected to the wired LAN. ExtremeWireless V10.41.06 User Guide 504 Working with a Mesh Network Examples of Deployment The following illustration depicts a few examples of Mesh deployment. D Figure 151: Examples of Mesh Deployment Mesh WLAN Services In a traditional WLAN deployment, each radio of the AP can interact with the client devices on a maximum of eight networks. In Mesh deployment, one of the radios of every Mesh AP establishes a Mesh link on an exclusive WLAN Service. The Mesh AP is therefore limited to seven network WLAN Services on the Mesh radio. The other radio can interact with the client-devices on a maximum of eight WLAN Services. raft The WLAN Service on which the APs establish the Mesh link is called the Mesh WLAN Service. A Mesh can be setup either by using either a single Mesh WLAN Service or multiple Mesh WLAN Services. The following gures illustrate the point. In Figure 152 on page 506:
The rectangular enclosure denotes an office building. The four wireless APs Minoru, Yosemite, Bjorn and Lancaster are within the connes of the building and are connected to the wired network. The space around the office building is a warehouse. The solid arrows point towards Current Parents. The dotted arrows point towards Alternative Parents. ExtremeWireless V10.41.06 User Guide 505 Working with a Mesh Network Mesh Setup with a Single Mesh WLAN Service D Figure 152: Deployment Example Deploying the Mesh for the above example using a single Mesh WLAN Service results in the following structure shown in Figure 153. The tree will operate as a single Mesh entity. It will have a single Mesh SSID and a single pre-shared key for Mesh links. This tree will have multiple roots. For more information, see Multi-Root Mesh Topology on page 511. raft ExtremeWireless V10.41.06 User Guide 506 Working with a Mesh Network ftFigure 153: Mesh Setup with a Single Mesh WLAN Service Mesh Setup with Multiple Mesh WLAN Services You can also deploy the same Mesh in Figure 152 on page 506 using two Mesh WLAN Services. The Two Mesh WLAN Services will create two independent Mesh trees. Both the trees will operate on separate SSIDs and use separate pre-shared keys. ExtremeWireless V10.41.06 User Guide 507 Working with a Mesh Network Figure 154: Mesh Setup with Multiple Mesh WLAN Services ExtremeWireless V10.41.06 User Guide 5508 Working with a Mesh Network Key Features of Mesh Some key features of Mesh are:
Self-Healing Network on page 509 Tree-like Topology on page 509 Radio Channels on page 510 Multi-Root Mesh Topology on page 511 Figure 156 on page 511 Self-Healing Network Tree-like Topology Data in a Mesh network propagates along a path, by hopping from node to node until the destination is reached. To ensure that all its paths' availability, the Mesh network allows for continuous connections and reconguration around broken or blocked paths, referred to as self-healing. The self-healing capability enables a routing based network to operate when one node breaks down or a connection goes bad. D The APs in Mesh conguration can be regarded as nodes, and these nodes form a tree-like structure. The tree builds in a top down manner with the Mesh Portal being the tree root, and the Mesh AP being the tree leaves. The nodes in the tree-structure have a parent-child relationship. The Mesh AP dynamically selects the best parent for connecting to the Mesh portal. A Mesh AP can have the role of both parent and child at the same time and the APs role can change dynamically. raft Figure 155 on page 510 illustrates the parent-child relationship between the nodes in a Mesh topology. Mesh Portal is the parent of Mesh AP 1. Mesh AP 1 is the child of Mesh Portal. Mesh AP 1 is the parent of Mesh AP 2. Mesh AP 2 is the child of Mesh AP 1. Mesh AP 2 is the parent of the following Wireless APs:
Mesh AP 5 Mesh AP 4 Mesh AP 3 All the three Mesh APs are the children of Mesh AP 2. ExtremeWireless V10.41.06 User Guide 5509 Working with a Mesh Network aftFigure 155: Parent-Child Relationship Between Wireless APs in Mesh Conguration NNote If an AP is congured to serve as a scanner in Radar, it cannot be used in a Mesh tree. For more information, see Working with ExtremeWireless Radar on page 563. Note It is recommended that you limit the number of APs participating in a Mesh tree to 50. This limit guarantees decent performance in most typical situations. Radio Channels All APs in a mesh deployment must have Mesh congured on the same radio. On the backhaul radio, the following settings must be set the same way for all APs in the Mesh:
Radio mode ExtremeWireless V10.41.06 User Guide 510 Working with a Mesh Network Minimum Basic Rate Multi-Root Mesh Topology A Mesh topology can have multiple Mesh Portals. Figure 156 illustrates the multiple-root Mesh topology. aft Figure 156: Multiple-Root Mesh Topology Link Security The Mesh link is encrypted using Advance Encryption Standard (AES). NNote The keys for AES are congured prior to deploying the Repeater or Mesh APs. Deploying the Mesh System Before you start conguring the Mesh APs, you must ensure the following:
The APs that are part of the wired WLAN are connected to the wired network. ExtremeWireless V10.41.06 User Guide 511 Working with a Mesh Network The wired APs that will serve as the Mesh Portal of the proposed Mesh topology are operating normally. The WLAN is operating normally. Planning the Mesh Topology You may sketch the proposed WLAN topology on er before you start the Mesh deployment process. You should clearly identify the following in the sketch:
- Mesh APs with their names
- Radios that you will choose to link the APs

Provisioning the Mesh Wireless AP

This step is of crucial importance and involves connecting the Mesh APs to the enterprise network via the Ethernet link. This is done to enable the Mesh APs to connect to the wireless controller so that they can derive their Mesh configuration. The Mesh AP's configuration includes the pre-shared key, its role, the preferred parent name and the backup parent name.

Note: The provisioning of Mesh APs must be done before they are deployed at the target location. If the APs are not provisioned, they will not work at their target location.

Mesh Deployment Overview

The following is the high-level overview of the Mesh deployment process:

1 Connecting the Mesh APs to the enterprise network via the Ethernet network to enable them to discover and register themselves with the wireless controller. For more information, see Discovery and Registration on page 120.
2 Disconnecting the Mesh APs from the enterprise network after they have discovered and registered with the wireless controller.
3 Creating a Mesh VNS.
4 Assigning roles, parents and backup parents to the Mesh wireless APs.
5 Assigning the Mesh APs' radios to the network VNSs.
6 Connecting the Mesh APs to the enterprise network via the Ethernet link for provisioning. For more information, see Provisioning the Mesh Wireless AP on page 512.
7 Disconnecting the Mesh APs from the enterprise network and moving them to the target location.

Note: During the Mesh deployment process, the Mesh APs are connected to the enterprise network on two occasions: first to enable them to discover and register with the wireless controller, and then a second time to enable them to obtain their provisioning from the wireless controller.

ExtremeWireless V10.41.06 User Guide 512 Working with a Mesh Network

Connecting the Mesh APs to the Network for Discovery and Registration

Connect each Mesh wireless AP to the enterprise network to enable it to discover and register itself with the wireless controller.

Note: Before you connect the Mesh APs to the enterprise network for discovery and registration, you must ensure that the Security mode property of the wireless controller is defined according to your security needs. The Security mode property dictates how the wireless controller behaves when registering new and unknown devices. For more information, see Wireless AP Registration on page 123. If the Security mode is set to Allow only approved Wireless APs to connect (this is also known as secure mode), you must manually approve the Mesh APs after they are connected to the network for discovery and registration. For more information, see New Button -- Adding and Registering a Wireless AP on page 131.

Depending upon the number of Ethernet ports available, you may connect one or more Mesh wireless APs at a time, or you may connect all of them together. Once a Mesh wireless AP has discovered and registered itself with the wireless controller, disconnect it from the enterprise network.

Configuring the Mesh Wireless APs Through the Controller

Configuring the Mesh wireless APs involves the following steps:

1 Creating a Mesh WLAN Service.
2 Defining the SSID name and the pre-shared key.

For ease of understanding, the Mesh configuration process is explained with an example. Figure 157 on page 514 depicts a site with the following features:
- An office building, denoted by a rectangular enclosure.
- Four APs, Ardal, Arthur, Athens and Auberon, are within the confines of the building and are connected to the wired network.
- The space around the building is the warehouse.
- The solid arrows point toward Current Parents.
- The dotted arrows point toward Alternative Parents.

Figure 157: Mesh Deployment

Note: With the single Mesh VNS, the tree structure for the Mesh deployment will be as depicted on the bottom right of Figure 157. You can also implement the same deployment using four Mesh VNSs, one for each set of APs in the four corners of the building. Each set of APs will form an isolated topology and will operate using a separate SSID and a separate pre-shared key. For more information, see Figure 151 on page 505.

To configure the Mesh wireless APs through the controller:

Before configuring Mesh, be sure that the following conditions are met:
- Energy Save is set to Off
- Beacon Interval is set to 100 msec
- AP names are 32 characters or less, for statistics display purposes
- ATPC and DCS are both disabled

If possible, follow these guidelines for the backhaul radio to achieve a balance of stability, throughput, and latency:
- Use a 5.2 GHz band for backhaul
- Select a non-DFS channel for the Mesh Portal
- Use a 40 MHz Channel Width and Short guard interval
- Disable Aggregate MSDUs
- Enable Aggregate MPDUs
- Enable ADDBA support
- Configure the settings on the Radio configuration page the same for all APs in the Mesh
- Set the Poll Timeout to be at least 60 seconds

1 From the top menu, click VNS.
2 In the left pane, expand the WLAN Services pane and select a Mesh service to edit, or click the New button.
3 Enter a name for the service in the Name field.
4 The SSID field is automatically filled in with the name, but you can change it if desired.
5 For Service Type, select Mesh.
6 To save your changes, click Save. The WLAN configuration window is re-displayed to show additional configuration fields.
7 In the Mesh Pre-shared Key box, type the key.

Note: The pre-shared key must be 8 to 63 characters long. The Mesh APs use this pre-shared key to establish a Mesh link between them.

Note: Changing the pre-shared key after the Mesh is deployed can be a lengthy process. For more information, see Changing the Pre-shared Key in a Mesh WLAN Service on page 517.

8 Assign a backhaul radio.

Note: After you save the configuration, you cannot change the backhaul radio. Please configure this setting wisely.

9 To save your changes, click Save.

Note: The Mesh Bridge feature on the user interface relates to Mesh Bridge configuration. When you are configuring the Mesh Bridge topology, you must select Mesh Bridge for the Mesh AP that is connected to the wired network. For more information, see Wireless Bridge Configuration on page 504.
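The conditions and backhaul guidelines listed above are easy to check before the Mesh APs leave the bench. The following is an added example for this page, not code from the ExtremeWireless guide or product: it checks a set of AP records against those conditions and against the 8-to-63-character pre-shared key rule from step 7. The record layout (the dictionary keys below) is an assumption made for the example; the controller exposes these settings only in its web interface, and the sample APs reuse the names from Figure 157.

```python
"""Pre-deployment check of Mesh AP settings against the guide's conditions.

Added example; not ExtremeWireless code. The dictionary layout is assumed for
the example. Values checked are the guide's: Energy Save off, Beacon Interval
100 msec, AP names of 32 characters or less, ATPC and DCS disabled, Poll
Timeout of at least 60 seconds, 5.2 GHz backhaul, non-DFS channel on the Mesh
Portal, 40 MHz width with short guard interval, Aggregate MSDUs off,
Aggregate MPDUs and ADDBA on, identical radio settings on every Mesh AP, and
a pre-shared key of 8 to 63 characters.
"""
from typing import Dict, List

# Radio settings that must be identical on every AP in the Mesh.
RADIO_PROFILE_KEYS = ("band", "channel_width_mhz", "short_guard_interval",
                      "aggregate_msdu", "aggregate_mpdu", "addba")


def mesh_ap(name: str, radio: Dict = None, **overrides) -> Dict:
    """Constructed AP record that satisfies every guideline; overrides break it."""
    ap = {
        "name": name,
        "energy_save": False,
        "beacon_interval_msec": 100,
        "atpc": False,
        "dcs": False,
        "poll_timeout_sec": 60,
        "mesh_portal": False,          # True for the AP bridging to the wired network
        "backhaul_radio": {
            "band": "5.2GHz",
            "dfs_channel": False,
            "channel_width_mhz": 40,
            "short_guard_interval": True,
            "aggregate_msdu": False,
            "aggregate_mpdu": True,
            "addba": True,
        },
    }
    ap.update(overrides)
    if radio:
        ap["backhaul_radio"].update(radio)
    return ap


def check_pre_shared_key(psk: str) -> List[str]:
    """The Mesh pre-shared key must be 8 to 63 characters long."""
    if 8 <= len(psk) <= 63:
        return []
    return [f"pre-shared key is {len(psk)} characters; must be 8 to 63"]


def check_ap(ap: Dict) -> List[str]:
    """Findings for one AP; an empty list means the AP meets the guidelines."""
    name, radio, out = ap["name"], ap["backhaul_radio"], []
    if len(name) > 32:
        out.append(f"{name}: AP name exceeds 32 characters (statistics display)")
    if ap["energy_save"]:
        out.append(f"{name}: Energy Save must be Off")
    if ap["beacon_interval_msec"] != 100:
        out.append(f"{name}: Beacon Interval must be 100 msec")
    if ap["atpc"] or ap["dcs"]:
        out.append(f"{name}: ATPC and DCS must both be disabled")
    if ap["poll_timeout_sec"] < 60:
        out.append(f"{name}: Poll Timeout must be at least 60 seconds")
    if radio["band"] != "5.2GHz":
        out.append(f"{name}: backhaul should use the 5.2 GHz band")
    if ap["mesh_portal"] and radio["dfs_channel"]:
        out.append(f"{name}: Mesh Portal should use a non-DFS channel")
    if radio["channel_width_mhz"] != 40 or not radio["short_guard_interval"]:
        out.append(f"{name}: use 40 MHz channel width and short guard interval")
    if radio["aggregate_msdu"] or not radio["aggregate_mpdu"] or not radio["addba"]:
        out.append(f"{name}: disable Aggregate MSDUs, enable Aggregate MPDUs and ADDBA")
    return out


def check_mesh(psk: str, aps: List[Dict]) -> List[str]:
    """Whole-Mesh check: key length, every AP, and matching radio profiles."""
    findings = check_pre_shared_key(psk)
    for ap in aps:
        findings.extend(check_ap(ap))
    profiles = {tuple(ap["backhaul_radio"][k] for k in RADIO_PROFILE_KEYS) for ap in aps}
    if len(profiles) > 1:
        findings.append("backhaul radio settings differ between Mesh APs; they must match")
    return findings


# Constructed sample site using the AP names from Figure 157.
GOOD_APS = [mesh_ap("Ardal", mesh_portal=True), mesh_ap("Arthur"),
            mesh_ap("Athens"), mesh_ap("Auberon")]
BAD_APS = [
    mesh_ap("Ardal", mesh_portal=True, energy_save=True),
    mesh_ap("Arthur-west-warehouse-mezzanine-backhaul", poll_timeout_sec=30),
    mesh_ap("Athens", radio={"band": "2.4GHz"}),
    mesh_ap("Auberon"),
]

if __name__ == "__main__":
    for line in check_mesh("short", BAD_APS):
        print(line)
```

Run against BAD_APS with a five-character key, the check reports six findings: the short key, Energy Save left on, an AP name over 32 characters, a 30-second Poll Timeout, a 2.4 GHz backhaul, and the resulting mismatch between radio profiles; GOOD_APS with a valid key reports nothing.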
Connecting the Mesh Wireless APs to the Enterprise Network for Provisioning

You must connect the Mesh wireless APs to the enterprise network once more to enable them to obtain their configuration from the wireless controller. The configuration includes the pre-shared key, the AP's role, preferred parent and backup parent. For more information, see Provisioning the Mesh Wireless AP on page 512.

Warning: If you skip this step, the Mesh APs will not work at their target location.

Moving the Mesh Wireless APs to the Target Location

Note: If you change any of the following radio properties of a Mesh AP, the Mesh AP will reject the change: disabling the radio on which the Mesh link is established, lowering the Tx Power of a radio on which the Mesh link is established, or changing the country.

1 Disconnect the Mesh APs from the enterprise network, and move them to the target location.
2 Install the Mesh APs at the target location.
3 Connect the APs to a power source. The discovery and registration processes are initiated.

Changing the Pre-shared Key in a Mesh WLAN Service

To change the pre-shared key in a Mesh WLAN Service:

1 Create a new Mesh WLAN Service with a new pre-shared key.
2 Assign the RF of the APs from the old Mesh to the new Mesh WLAN Service.
3 Wait at least 30 seconds to ensure that all APs got the configuration, then disable the old Mesh WLAN Service.
4 Check the Mesh Statistics report page to ensure that all the Mesh APs have connected to the wireless controller via the new Mesh VNS. For more information, see Viewing Statistics for APs on page 627.
5 Delete the old Mesh WLAN Service. For more information, see Deleting a VNS on page 486.
12 Working with a Wireless Distribution System

About WDS
Simple WDS Configuration
Wireless Repeater Configuration
Wireless Bridge Configuration
Examples of Deployment
WDS WLAN Services
Key Features of WDS
Deploying the WDS System
Changing the Pre-shared Key in a WDS WLAN Service

About WDS

The Wireless Distribution System (WDS) enables you to expand the wireless network by interconnecting the wireless APs through wireless links, in addition to the traditional method of interconnecting APs via a wired network. A WDS deployment is ideally suited for locations where installing Ethernet cabling is too expensive or physically impossible.

The WDS can be deployed in three configurations:
- Simple WDS Configuration
- Wireless Repeater Configuration
- Wireless Bridge Configuration

Simple WDS Configuration

In a typical WDS configuration, the wireless APs are connected to the distribution system via an Ethernet network, which provides connectivity to the wireless controller. However, when an AP is installed in a remote location and can't be wired to the distribution system, an intermediate AP is connected to the distribution system via the Ethernet link. This intermediate AP forwards and receives the user traffic from the remote AP over a radio link. The intermediate AP that is connected to the distribution system via the Ethernet network is called the Root AP, and the AP that is remotely located is called the Satellite AP. Figure 158 illustrates the Simple WDS configuration:
Figure 158: Simple WDS Configuration

Wireless Repeater Configuration

In the Wireless Repeater configuration, a Repeater wireless AP is installed between the Root AP and the Satellite AP. The Repeater AP relays the user traffic between the Root AP and the Satellite AP. This increases the WLAN (Wireless Local Area Network) range. Figure 159 illustrates the Wireless Repeater configuration:
Figure 159: Wireless Repeater Configuration

Note: You should restrict the number of repeater hops in a Wireless Repeater configuration to three for optimum performance.

Wireless Bridge Configuration

In the Wireless Bridge configuration, the traffic between two wireless APs that are connected to two separate wired LAN segments is bridged via a WDS link. You may also install a Repeater AP between the two APs connected to the two separate LAN segments.

Figure 160: Wireless Bridge Configuration

When you are configuring the Wireless Bridge configuration, you must specify on the user interface that the Satellite AP is connected to the wired LAN.

Examples of Deployment

The illustration in Examples of Deployment on page 521 depicts a few examples of WDS deployment.

Figure 161: Examples of WDS Deployment

WDS WLAN Services

In a traditional WLAN deployment, each radio of the wireless AP can interact with the client devices on a maximum of eight networks. In a WDS deployment, one of the radios of every WDS AP establishes a WDS link on an exclusive WLAN Service. The WLAN Service on which the APs establish the WDS link is called the WDS WLAN Service. The WDS AP is therefore limited to seven network WLAN Services on the WDS radio. The other radio can interact with the client devices on a maximum of eight WLAN Services.

Note: The Root wireless AP and the Repeater APs can also be configured to interact with the client devices. For more information, see Assigning the Satellite Wireless APs' Radios to the Network WLAN Services on page 535.

A WDS can be set up using either a single WDS WLAN Service or multiple WDS WLAN Services. The following figures illustrate the point. Figure 162 on page 522 shows:

- The rectangular enclosure denotes an office building.
- The four wireless APs Minoru, Yosemite, Bjorn and Lancaster are within the confines of the building and are connected to the wired network.
- The space around the office building is a warehouse.
- The solid arrows point towards Preferred Parents.
- The dotted arrows point towards Backup Parents.

Figure 162: Deployment Example

WDS Setup with a Single WDS WLAN Service

Deploying the WDS for the above example using a single WDS WLAN Service results in the following structure. The tree will operate as a single WDS entity. It will have a single WDS SSID and a single pre-shared key for WDS links. This tree will have multiple roots. For more information, see Multi-Root WDS Topology on page 527.

Figure 163: WDS Setup with a Single WDS WLAN Service

WDS Setup with Multiple WDS WLAN Services

You can also deploy the same WDS using two WDS WLAN Services. The two WDS WLAN Services will create two independent WDS trees. Both trees will operate on separate SSIDs and use separate pre-shared keys.

Figure 164: WDS Setup with Multiple WDS WLAN Services

Key Features of WDS

Some key features of WDS are:
- Tree-like Topology on page 525
- Radio Channels on page 527
- Multi-Root WDS Topology on page 527
- Figure 166 on page 527
- Link Security on page 528

Tree-like Topology

The wireless APs in a WDS configuration can be regarded as nodes, and these nodes form a tree-like structure. The tree builds in a top-down manner, with the Root AP being the tree root and the Satellite APs being the tree leaves.

The nodes in the tree structure have a parent-child relationship. The AP that provides the WDS service to the other APs in the downstream direction is a parent. The APs that establish a link with the AP in the upstream direction for WDS service are children.

Note: If a parent AP fails or stops acting as a parent, the children APs will attempt to discover their backup parents. If the backup parents are not defined, the children APs will be left stranded.

The following figure illustrates the parent-child relationship between the nodes in a WDS topology. In Figure 165 on page 526:
- Root Wireless AP is the parent of Repeater Wireless AP 1.
- Repeater Wireless AP 1 is the child of Root Wireless AP.
- Repeater Wireless AP 1 is the parent of Repeater Wireless AP 2.
- Repeater Wireless AP 2 is the child of Repeater Wireless AP 1.
- Repeater Wireless AP 2 is the parent of the following Wireless APs:
  - Satellite Wireless AP 1
  - Satellite Wireless AP 2
  - Satellite Wireless AP 3
- All three Satellite APs are the children of Repeater Wireless AP 2.

Figure 165: Parent-Child Relationship Between Wireless APs in WDS Configuration

The WDS system enables you to configure the AP's role (parent, child or both) from the wireless controller's interface. If the WDS AP will be serving as both a parent and a child in a given topology, its role is configured as both.

Note: It is recommended that you limit the number of APs participating in a WDS tree to 8. This limit guarantees decent performance in most typical situations.

Note: If an AP is configured to serve as a scanner in Radar, it cannot be used in a WDS tree. For more information, see Working with ExtremeWireless Radar on page 563.

Radio Channels

The radio channel on which the child AP operates is determined by the parent AP. An AP may connect to its parent AP and children APs on the same radio, or on different radios. Similarly, an AP can have two children operating on two different radios.

Note: When an AP is connecting to its parent AP and children APs on the same radio, it uses the same channel for both connections.

Multi-Root WDS Topology

A WDS topology can have multiple Root wireless APs. Figure 166 illustrates the multiple-root WDS topology.

Figure 166: Multiple-root WDS Topology

Automatic Discovery of Parent and Backup Parent Wireless APs

The children wireless APs, including the Repeater wireless APs and the Satellite wireless APs, scan for their respective parents at startup. You can manually configure a parent and backup parent for the children APs, or you can enable the children APs to automatically select the best parent out of all of the available APs.
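The parent-child rules above (Root APs have no parents, a child without a backup parent is stranded when its parent fails, a parent must hold the Parent or Both role, a tree of 8 APs or fewer, repeater hops kept to three or fewer, several Root APs allowed) can be checked on the sketched topology before any role is entered on the controller. The following is an added example for this page, not a controller feature or code from the guide. The WdsAp record and both sample topologies are constructed for the example; the first reuses the AP names of Figure 165 with a second Root AP added so that every child has a backup parent, the second deliberately contains the mistakes the notes warn about.

```python
"""Check a planned WDS tree against the parent-child rules in this chapter.

Added example; not ExtremeWireless code. The WdsAp layout is assumed for the
example. Rules applied are the guide's: Root APs have no parents; a child
needs a Preferred Parent and is stranded without a Backup Parent; a parent
must hold the Parent or Both role; keep a WDS tree to 8 APs or fewer and
repeater hops to three or fewer; a topology may have several Root APs.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class WdsAp:
    name: str
    role: str                  # "parent" (Root), "child" (Satellite) or "both" (Repeater)
    preferred_parent: Optional[str] = None
    backup_parent: Optional[str] = None


def path_to_root(name: str, by_name: Dict[str, WdsAp]) -> Optional[List[str]]:
    """Follow Preferred Parents upward to a Root AP; None if the chain breaks or loops."""
    path, seen = [name], {name}
    while by_name[path[-1]].role != "parent":
        nxt = by_name[path[-1]].preferred_parent
        if nxt is None or nxt not in by_name or nxt in seen:
            return None
        seen.add(nxt)
        path.append(nxt)
    return path


def validate_wds(aps: List[WdsAp]) -> List[str]:
    """Return one finding per rule violation; an empty list means the plan is consistent."""
    by_name = {ap.name: ap for ap in aps}
    findings: List[str] = []
    for ap in aps:
        if ap.role == "parent":
            if ap.preferred_parent or ap.backup_parent:
                findings.append(f"{ap.name}: a Root AP has no parents; leave Preferred and Backup Parent blank")
            continue
        if ap.role not in ("child", "both"):
            findings.append(f"{ap.name}: unknown role {ap.role!r}")
            continue
        if ap.preferred_parent is None:
            findings.append(f"{ap.name}: a child needs a Preferred Parent")
        if ap.backup_parent is None:
            findings.append(f"{ap.name}: no Backup Parent; stranded if {ap.preferred_parent} fails")
        for label, parent in (("Preferred", ap.preferred_parent), ("Backup", ap.backup_parent)):
            if parent is None:
                continue
            target = by_name.get(parent)
            if target is None:
                findings.append(f"{ap.name}: {label} Parent {parent} is not in the topology")
            elif target.role not in ("parent", "both"):
                findings.append(f"{ap.name}: {label} Parent {parent} must have the Parent or Both role")
    # Tree size per Root AP and repeater depth along each Preferred Parent chain.
    tree_size: Dict[str, int] = {}
    for ap in aps:
        path = path_to_root(ap.name, by_name)
        if path is None:
            if ap.preferred_parent in by_name:   # the break or loop is further up the chain
                findings.append(f"{ap.name}: Preferred Parent chain does not reach a Root AP")
            continue
        root = path[-1]
        tree_size[root] = tree_size.get(root, 0) + 1
        repeaters = sum(1 for n in path[1:-1] if by_name[n].role == "both")
        if repeaters > 3:
            findings.append(f"{ap.name}: {repeaters} repeater hops to {root}; keep to three or fewer")
    for root, size in tree_size.items():
        if size > 8:
            findings.append(f"{root}: {size} APs in this tree; the guide recommends 8 or fewer")
    return findings


# Constructed topology after Figure 165 (Root -> Repeater 1 -> Repeater 2 -> three
# Satellites), with a second Root AP added so every child has a Backup Parent.
GOOD_TOPOLOGY = [
    WdsAp("Root Wireless AP", "parent"),
    WdsAp("Root Wireless AP 2", "parent"),
    WdsAp("Repeater Wireless AP 1", "both", "Root Wireless AP", "Root Wireless AP 2"),
    WdsAp("Repeater Wireless AP 2", "both", "Repeater Wireless AP 1", "Root Wireless AP 2"),
    WdsAp("Satellite Wireless AP 1", "child", "Repeater Wireless AP 2", "Repeater Wireless AP 1"),
    WdsAp("Satellite Wireless AP 2", "child", "Repeater Wireless AP 2", "Repeater Wireless AP 1"),
    WdsAp("Satellite Wireless AP 3", "child", "Repeater Wireless AP 2", "Repeater Wireless AP 1"),
]

# Constructed plan containing the mistakes the notes warn about.
BAD_TOPOLOGY = [
    WdsAp("Root 1", "parent", preferred_parent="Root 2"),   # a Root AP given a parent
    WdsAp("Root 2", "parent"),
    WdsAp("Repeater 1", "both", "Root 1"),                   # no Backup Parent: stranded
    WdsAp("Satellite 1", "child", "Satellite 2", "Root 2"),  # parent holds the Child role
    WdsAp("Satellite 2", "child", "Repeater 9", "Root 2"),   # parent not in the topology
    WdsAp("Repeater 3", "both", "Repeater 4", "Root 2"),     # these two point at each other
    WdsAp("Repeater 4", "both", "Repeater 3", "Root 2"),     # and never reach a Root AP
]

if __name__ == "__main__":
    for line in validate_wds(BAD_TOPOLOGY):
        print(line)
```

For GOOD_TOPOLOGY the validator returns nothing: the satellites sit two repeater hops from the root and the tree holds six APs. BAD_TOPOLOGY yields seven findings, one per deliberate mistake plus a chain finding for each AP whose Preferred Parent path never reaches a Root AP.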
If you choose automatic parent AP selection, a child AP selects a parent AP based on its received signal strength and the number of hops to the Root AP. After a parent AP and backup parent AP are selected, the wireless controller will first try to negotiate a WDS link with the parent wireless controller. If the WDS link negotiation is unsuccessful, the wireless controller will try to negotiate a link with the backup parent.

Link Security

The WDS link is encrypted using the Advanced Encryption Standard (AES).

Note: The keys for AES are configured prior to deploying the Repeater or Satellite APs.

Deploying the WDS System

Planning the WDS Topology

Before you start configuring the WDS wireless APs, you must ensure the following:

- The wireless APs that are part of the wired WLAN are connected to the wired network.
- The wired wireless APs that will serve as the Root AP/Root APs of the proposed WDS topology are operating normally.
- The WLAN is operating normally.

You may sketch the proposed WLAN topology on paper before you start the WDS deployment process. You should clearly identify the following in the sketch:
- WDS wireless APs with their names
- Parent-child relationships between wireless APs
- Radios that you will choose to link the wireless APs' parents and children

Provisioning the WDS APs

This step is of crucial importance and involves connecting the WDS wireless APs to the enterprise network via the Ethernet link. This is done to enable the WDS APs to connect to the wireless AP controller so that they can derive their WDS configuration. The WDS AP's configuration includes the pre-shared key, its role, the preferred parent name and the backup parent name.

Note: The provisioning of WDS APs must be done before they are deployed at the target location. If the APs are not provisioned, they will not work at their target location.

WDS Deployment Overview

The following is the high-level overview of the WDS deployment process:
1 Connecting the WDS wireless APs to the enterprise network via the Ethernet network to enable them to discover and register themselves with the wireless controller. For more information, see Discovery and Registration on page 120.
2 Disconnecting the WDS APs from the enterprise network after they have discovered and registered with the wireless controller.
3 Creating a WDS VNS.
4 Assigning roles, parents and backup parents to the WDS APs.
5 Assigning the Satellite APs' radios to the network VNSs.
6 Connecting the WDS APs to the enterprise network via the Ethernet link for provisioning. For more information, see Provisioning the WDS APs on page 528.
7 Disconnecting the WDS APs from the enterprise network and moving them to the target location.

Note: During the WDS deployment process, the WDS APs are connected to the enterprise network on two occasions: first to enable them to discover and register with the wireless controller, and then a second time to enable them to obtain their provisioning from the wireless controller.

Connecting the WDS Wireless APs to the Enterprise Network for Discovery and Registration

Connect each WDS wireless AP to the enterprise network to enable it to discover and register itself with the wireless controller.

Note: Before you connect the WDS APs to the enterprise network for discovery and registration, you must ensure that the Security mode property of the wireless controller is defined according to your security needs. The Security mode property dictates how the wireless controller behaves when registering new and unknown devices. For more information, see Wireless AP Registration on page 123. If the Security mode is set to Allow only approved APs to connect (this is also known as secure mode), you must manually approve the WDS APs after they are connected to the network for discovery and registration. For more information, see New Button -- Adding and Registering a Wireless AP on page 131.

Depending upon the number of Ethernet ports available, you may connect one or more WDS APs at a time, or you may connect all of them together. Once a WDS AP has discovered and registered itself with the wireless controller, disconnect it from the enterprise network.

Configuring the WDS Wireless APs Through the Wireless Controller

Note: You must identify and mark the Preferred Parents, Backup Parents and the Child APs in the proposed WDS topology before starting the configuration process.

Configuring the WDS wireless APs involves the following steps:
- Creating a WDS WLAN Service.
- Defining the SSID name and the pre-shared key.
- Assigning roles, parents and backup parents to the WDS APs.

For ease of understanding, the WDS configuration process is explained with an example. The following figure depicts a site with the following features:
- An office building, denoted by a rectangular enclosure.
- Four APs, Ardal, Arthur, Athens and Auberon, are within the confines of the building and are connected to the wired network.
- The space around the building is the warehouse.
- The solid arrows point toward Preferred Parents.
- The dotted arrows point toward Backup Parents.

Figure 167: WDS Deployment

Note: With the single WDS VNS, the tree structure for the WDS deployment will be as depicted on the bottom right of the figure above. You can also implement the same deployment using four WDS VNSs, one for each set of APs in the four corners of the building. Each set of APs will form an isolated topology and will operate using a separate SSID and a separate pre-shared key. For more information, see Figure 161 on page 521.

To configure the WDS wireless APs through the wireless controller:
1 From the top menu, click VNS.
2 In the left pane, expand the WLAN Services pane and select a WDS service to edit, or click the New button.
3 Enter a name for the service in the Name field.
4 The SSID field is automatically filled in with the name, but you can change it if desired.
5 For Service Type, select WDS.
6 To save your changes, click Save. The WLAN configuration window displays again to show additional configuration fields.
7 To improve security for WDS links and reduce inadvertent user associations to the WDS SSID, check the Suppress SSID check box. (This option is available after you save the WDS type WLAN Service.) When this option is checked:
   - The SSID name is not included in the SSID IE field.
   - The child AP inspects the beacon for proprietary information that identifies the service.
8 In the WDS Pre-shared Key box, type the key.

Note: The pre-shared key must be 8 to 63 characters long. The WDS APs use this pre-shared key to establish a WDS link between them.

Note: Changing the pre-shared key after the WDS is deployed can be a lengthy process. For more information, see Changing the Pre-shared Key in a WDS WLAN Service on page 536.

9 Assign the roles, preferred parents and backup parents to the AP Radios.

Note: The roles parent, child, and both are assigned to the Radios of the APs. An AP may connect to its parent wireless AP and children APs on the same Radio, or on a different Radio. Similarly, an AP can have two children operating on two different Radios. The Radio on which the child AP operates is determined by the parent AP. If the AP will be serving both as parent and child, you must select both as its role.

10 To configure the WDS with a single WDS VNS, you must assign the roles, preferred parents and backup parents to the APs according to Table 106.

Table 106: Wireless APs and Their Roles

ExtremeWireless AP | Radio b/g | Radio a | Preferred Parent    | Backup Parent
Ardal              | Parent    | Parent  | See the note below. | See the note below.
Arthur             | Parent    | Parent  | See the note below. | See the note below.
Athens             | Parent    | Parent  | See the note below. | See the note below.
Auberon            | Parent    | Parent  | See the note below. | See the note below.
Bawdy              |           |         |                     |
Bern               |           |         |                     |
Barend             |           |         |                     |
Barett             |           |         |                     |
Osborn             |           |         |                     |
Oscar              |           |         |                     |
Orson              |           |         |                     |
Oswald             |           |         |                     |

Remaining cell values for the eight rows above (row order not recoverable): radio roles Child (twelve cells) and Both (four cells); parent columns Auberon, Auberon, Athens, Athens, Bawdy, Arthur, Arthur, Arthur, Ardal, Ardal, Ardal, Bern, Barend, Barett, Athens, Auberon.

Note: Since the Root APs Ardal, Arthur, Athens and Auberon are the highest entities in the tree structure, they do not have parents. Therefore, the Preferred Parent and Backup Parent drop-down lists of the Root APs do not display any AP. You must leave these two fields blank.

Note: You must first assign the parent role to the APs that will serve as the parents. Unless this is done, the Parent APs will not be displayed in the Preferred Parent and Backup Parent drop-down lists of other APs.

Note: The WDS Bridge feature on the user interface relates to WDS Bridge configuration. When you are configuring the WDS Bridge topology, you must select WDS Bridge for the Satellite AP that is connected to the wired network. For more information, see Wireless Bridge Configuration on page 520.

11 To assign the roles, preferred parent and backup parent:
   a From the radio b/g drop-down list of the Root APs Ardal, Arthur, Athens and Auberon, click Parent.
   b From the radio a drop-down list of the Root APs Ardal, Arthur, Athens and Auberon, click Parent.
   c From the radio a and radio b/g drop-down lists of the other APs, click the roles according to Table 106 on page 533.
   d From the Preferred Parent drop-down list of the other APs, click the parents according to Table 106 on page 533.
   e From the Backup Parent drop-down list of the other APs, click the backup parents according to Table 106 on page 533.

Figure 168: Wireless AP Services

12 Click Save to save your changes.

Assigning the Satellite Wireless APs' Radios to the Network WLAN Services

You must assign the Satellite wireless APs' radios to the network WLAN Services.

Note: Network WLAN Services are the typical WLAN Services on which the APs service the client devices: Routed, Bridge Traffic Locally at EWC, and Bridge Traffic Locally at AP. For more information, see VNS Global Settings on page 392.

To assign the Satellite wireless APs' radios to the Network WLAN Service:
1 From the top menu, click VNS.
2 In the left pane, expand the WLAN Services pane and select a network WDS service to edit.
3 In the Wireless APs list, select the radios of the Satellite APs Osborn, Oscar, Orson and Oswald.

Note: If you want the Root AP and the Repeater APs to service the client devices, you must select their radios in addition to the radios of the Satellite APs.

4 To save your changes, click Save.
5 Log out from the wireless controller.

Connecting the WDS Wireless APs to the Enterprise Network for Provisioning

You must connect the WDS wireless APs to the enterprise network once more to enable them to obtain their configuration from the wireless controller. The configuration includes the pre-shared key, the AP's role, preferred parent and backup parent. For more information, see Provisioning the WDS APs on page 528.

Warning: If you skip this step, the WDS wireless APs will not work at their target location.

Moving the WDS Wireless APs to the Target Location

Note: If you change any of the following configuration parameters of a WDS AP, the WDS AP will reject the change: reassigning the WDS AP's role from Child to None, reassigning the WDS AP's role from Both to Parent, and changing the Preferred Parent of the WDS AP. However, the wireless controller will display your changes, as these changes will be saved in the database. To enable the WDS AP to obtain your changes, you must remove it from the WDS location and then connect it to the wireless controller via the wired network.

Note: If you change any of the following radio properties of a WDS AP, the WDS AP will reject the change: disabling the radio on which the WDS link is established, lowering the Tx Power of a radio on which the WDS link is established, or changing the country.

1 Disconnect the WDS wireless APs from the enterprise network, and move them to the target location.
2 Install the WDS APs at the target location.
3 Connect the APs to a power source. The discovery and registration processes are initiated.

Changing the Pre-shared Key in a WDS WLAN Service

To change the pre-shared key in a WDS WLAN Service:

1 Create a new WDS WLAN Service with a new pre-shared key.
2 Assign the RF of the APs from the old WDS to the new WDS WLAN Service.
3 Check the WDS AP Statistics report page to ensure that all the WDS APs have connected to the wireless controller via the new WDS VNS. For more information, see Viewing Statistics for APs on page 627.
4 Delete the old WDS WLAN Service. For more information, see Deleting a VNS on page 486.

13 Availability and Session Availability

Availability
Session Availability
Viewing SLP Activity

Availability

The Extreme Networks ExtremeWireless Software system provides the availability feature to maintain service availability in the event of a controller outage.

Note: During the failover event, the maximum number of failover APs the secondary controller can accommodate is equal to the maximum number of APs supported by the hardware platform.

Wireless APs that attempt to connect to the secondary controller during a failover event are assigned to the WLAN (Wireless Local Area Network) Service that is defined in the system's default AP configuration, provided the administrator has not assigned the failover APs to one or more VNSs. If a system default AP configuration does not exist for the controller (and the administrator has not assigned the failover APs to any WLAN Service), the APs will not be assigned to any WLAN Service during the failover.

A controller will not accept a connection by a foreign AP if the controller believes its availability partner controller is in service. Also, the default AP configuration assignment is only applicable to new APs that fail over to the backup controller. Any AP that has previously failed over and is already known to the backup system will receive the configuration already present on that system.
For more information, see Configuring the Default Wireless AP Settings on page 134.

During the failover event, when the AP connects to the secondary controller, the users are disassociated from the AP. Consequently, the users must log on again and be authenticated on the secondary controller before the wireless service is restored.

Note: If you want the mobile user's session to be maintained, you must use the session availability feature, which enables the primary controller's APs to fail over to the secondary controller fast enough to maintain the session availability (user session). For more information, see Session Availability on page 545.

The availability feature provides APs with a list of local active interfaces for the active controller as well as the active interfaces for the backup controller. The list is sorted by top-down priority. If the connection with an active controller link is lost (poll failure), the AP automatically scans (pings) all addresses in its availability interface list. The AP then connects to the highest priority interface that responds to its probe.

Events and Actions in Availability

If one of the controllers in a pair fails, the communication between the two controllers stops. This triggers a failover condition and a critical message is displayed in the information log of the secondary controller.

After an AP on the failed controller loses its connection, it will try to connect to all enabled interfaces on both controllers without rebooting. If the AP is not successful, it will begin the discovery process. If the AP is not successful in connecting to the controller after five minutes of attempting, the AP will reboot if there is no Bridge traffic locally at the AP topology associated to it.
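The AP-side behaviour just described (probe every address in the availability interface list, then connect to the highest-priority interface that answers) and the Poll Timeout rule stated under Availability Prerequisites later in this chapter (1.5 to 2 times the Detect link failure value, with 15 and 10 seconds recommended) are modelled below. This is an added example for this page, not ExtremeWireless controller or AP code; the interface addresses and the probe results are constructed for the example.

```python
"""Model of an AP choosing its failover interface, plus the Poll Timeout rule.

Added example; not ExtremeWireless code. From the guide: the AP holds an
availability interface list (active controller's interfaces, then the backup
controller's, sorted top-down by priority), probes every address after a poll
failure and connects to the highest-priority interface that answers; Poll
Timeout should be 1.5 to 2 times Detect link failure (15 s and 10 s
recommended), because a larger ratio leaves APs polling the failed primary
after the secondary is ready. Addresses and probe results are constructed.
"""
from typing import Dict, List, Optional


def select_failover_interface(interface_list: List[str],
                              probe_ok: Dict[str, bool]) -> Optional[str]:
    """Highest-priority interface whose probe answered; None if nothing answered.

    interface_list is already in top-down priority order. The AP probes every
    address first and then picks among the responders, as the guide describes.
    """
    responders = {addr for addr in interface_list if probe_ok.get(addr, False)}
    for addr in interface_list:
        if addr in responders:
            return addr
    return None


def check_failover_timers(poll_timeout_sec: float,
                          detect_link_failure_sec: float) -> List[str]:
    """Apply the 1.5x to 2x rule; an empty list means the pair is inside the window."""
    if detect_link_failure_sec <= 0:
        return ["Detect link failure must be a positive number of seconds"]
    ratio = poll_timeout_sec / detect_link_failure_sec
    if ratio > 2.0:
        return [f"Poll Timeout {poll_timeout_sec}s is {ratio:.1f}x Detect link failure "
                f"{detect_link_failure_sec}s; APs keep polling the failed primary after the "
                "secondary is ready, delaying failover (guide: 1.5x to 2x, e.g. 15 s / 10 s)"]
    if ratio < 1.5:
        return [f"Poll Timeout {poll_timeout_sec}s is {ratio:.1f}x Detect link failure "
                f"{detect_link_failure_sec}s; below the 1.5x to 2x window the guide specifies"]
    return []


# Constructed availability interface list: primary controller interfaces first,
# then the backup controller's, each group in priority order.
PRIMARY_IFACES = ["10.10.1.1", "10.10.2.1"]
BACKUP_IFACES = ["10.10.1.2", "10.10.2.2"]
AVAILABILITY_LIST = PRIMARY_IFACES + BACKUP_IFACES

# Constructed probe results for three situations after a poll failure.
PRIMARY_LOST = {"10.10.1.1": False, "10.10.2.1": False, "10.10.1.2": True, "10.10.2.2": True}
ONE_BACKUP_PORT = {"10.10.1.1": False, "10.10.2.1": False, "10.10.1.2": False, "10.10.2.2": True}
NOTHING_ANSWERS = {addr: False for addr in AVAILABILITY_LIST}

if __name__ == "__main__":
    print(select_failover_interface(AVAILABILITY_LIST, PRIMARY_LOST))
    for line in check_failover_timers(30, 10):
        print(line)
```

With the primary down, the AP lands on the backup controller's first interface; if only the backup's second interface answers, it lands there. When nothing answers the function returns None, which is the point at which the guide says the AP begins the discovery process and, after five minutes without success, reboots unless a Bridge traffic locally at the AP topology is assigned to it. The timer check flags a 30 s / 10 s pair as the delayed-failover case the prerequisites describe and accepts the recommended 15 s / 10 s.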
All mobile users' sessions using the failover AP will terminate, except those associated to a Bridge traffic locally at the AP topology, and only if the Maintain client sessions in event of poll failure option is enabled on the AP Properties tab or AP Default Settings screen.

When the APs connect to the second controller, they are either assigned to the VNS that is defined in the system's default AP configuration or manually configured by the administrator. The mobile users log on again and are authenticated on the second controller.

When the failed controller recovers, each controller in the pair goes back to normal mode. They exchange information, including the latest lists of registered APs. The administrator must release the APs manually on the second controller so that they may re-register with their home controller. Foreign APs can now all be released at once by using the Approve as Foreign button on the Access Approval screen to select all foreign APs, and then clicking Release.

To support the availability feature during a failover event, you need to do the following:
1 Monitor the critical messages for the failover mode message in the information log of the remaining controller (in the Logs & Traces section of the Wireless Assistant).
2 After recovery, on the controller that did not fail, select the foreign APs, and then click Release on the Access Approval screen.

Availability Prerequisites

Before you configure availability, you must do the following:

- Choose the primary and secondary controllers.
- Verify the network accessibility for the UDP connection between the two controllers. The availability link is established as a UDP session on port 13911.
- Set up a DHCP (Dynamic Host Configuration Protocol) server for AP subnets to support Option 78 for SLP, so that it points to the IP addresses of the physical interfaces on both controllers.
- Ensure that the Poll Timeout value on the AP Properties tab Advanced dialog is set to 1.5 to 2 times the Detect link failure value on the Controller > Availability screen. For more information, see AP Properties Tab - Advanced Settings on page 164.

If the Poll Timeout value is more than 1.5 to 2 times the Detect link failure value, the APs' failover will be unnecessarily delayed, because the APs will continue polling the primary controller even though the secondary controller is ready to accept them as failover APs. To achieve ideal availability behavior, set the Poll Timeout value for all APs to 15 seconds, and the Detect link failure value on the Controller > Availability screen to 10 seconds.

Configuring Availability Using the Availability Wizard

The availability wizard allows you to create an availability pair from one of the controllers that will be in the availability pair. When creating the availability pair, you also have the option to synchronize VNS definitions and GuestPortal user accounts between the paired controllers.

To configure availability using the availability wizard:
Configuring Availability Using the Availability Wizard
To configure availability using the availability wizard:
1 From the top menu, click Controller.
2 In the left pane, click Administration > Availability.
3 In the Availability Wizard section, click Start. The Availability Pair Wizard screen displays.
4 In the Connection Details section, do the following:
- Select Port: Select the port and IP address of the primary controller that is to be used to establish the availability link.
- Peer Controller IP: Type the IP address of the peer (secondary) controller.
- User: Type the login user name of an account that has full administrative privileges on the peer controller.
- Password: Type the login password used with the user ID to log in to the peer controller.
- Enable Fast Failover: Select this check box to enable Fast Failover for the availability pair.
5 In the Synchronize Options section, do the following:
- Synchronize System Configuration: Select this check box to push the configured Routed and Bridge Traffic Locally at Controller VNS definitions from the primary controller to the peer controller. WDS and 3rd Party AP VNS definitions are ignored and not synchronized.
Note: Synchronizing the VNS definitions will delete and replace existing VNS definitions on the peer controller.
- Synchronize Guest Portal Accounts: Select this check box to push GuestPortal user accounts to the peer controller.
6 Click Next.
7 If you are synchronizing topology definitions, the Topology Definitions screen displays. Do the following:
a In the Synchronization Settings section, complete the topology properties that are missing. Any topology that did not already exist on the peer controller will have missing properties on the Topology Definitions screen. The fields configured are the actual parameter values that are configured at the remote controller for the topologies chosen for synchronization. Some of these parameters are:
Interface IP address, Netmask, L2 port, VLAN (Virtual LAN) ID, DHCP range, etc.
b Click Finish.
8 If you are not synchronizing topology definitions, the availability wizard completes the configuration.
9 Click Close.
This operation marks the desired topologies for synchronization. The two controllers exchange information and the configuration is applied to the remote controller. On the local controller, the Enable Synchronization of System Configuration option becomes selected. This can be double checked by navigating to VNS > Global > Sync Summary. This tab also lists all topologies, roles, WLAN Services and VNSes with their synchronization status (on or off). The Sync status for any of these elements can also be changed from this tab. All these configurable elements have a Synchronize check box (on their main/general configuration tab) that allows for individual control and selection of availability from the main element configuration page.
Configuring Availability Manually
When configuring availability manually, you configure each controller separately.
1 On the wireless controller Availability screen, set up the controller in Paired Mode.
2 On the VNS configuration window, define a VNS (through topology, WLAN service, role and VNS configuration) on each controller with the same SSID. The IP addresses must be unique. For more information, see Manually Creating a VNS on page 423. A controller VLAN Bridged topology can permit two controllers to share the same subnet. This setup provides support for mobility users in a VLAN Bridged VNS.
3 On both controllers, on the AP Registration screen, select the Security Mode Allow only approved APs to connect option so that no more APs can register unless they are approved by the administrator.
4 On each controller, on the AP configuration Access Approval screen, check the status of the APs and approve any APs that should be connected to that controller. System AP defaults can be used to assign a group of VNSs to the foreign APs:
- If the APs are not yet known to the system, the AP will initially be configured according to the AP default settings. To ensure a better transition in availability, Extreme Networks recommends that the AP default settings match the desired assignment for failover APs.
- AP assignment to WLAN Services according to the AP default settings can be overwritten by manually modifying the AP assignment (for example, select and assign each WLAN service that the AP should connect to).
- If specific foreign APs have been assigned to a WLAN service, those specific foreign AP assignments are used.
Alternate Method to Setting Up a Wireless AP
An alternate method to setting up Wireless APs for Availability mode includes:
1 Add each AP manually to each controller.
2 On the AP Properties screen, click Add Wireless AP.
3 Define the AP, and then click Add Wireless AP.
Manually defined APs will inherit the default AP configuration settings.
Caution: If two wireless controllers are paired and one has the Allow All option set for AP registration, all APs will register with that wireless controller.
Setting the Primary or Secondary Wireless Controllers for Availability
To set the primary or secondary controllers for availability:
1 From the top menu, click Controller.
2 In the left pane, click Administration > Availability. The Wireless Controller Configuration screen displays.
3 To enable availability, select the Paired option.
4 Do one of the following:
- For a primary controller, in the Wireless IP Address box, type the IP address of the data interface of the secondary controller. This IP address must be on a routable subnet between the two controllers.
- For a secondary controller, in the Wireless IP Address box, type the IP address of the Management port or data interface of the primary controller.
5 Set this controller as the primary or secondary connection point:
- To set this controller as the primary connection point, select the Current Wireless is primary connect point check box.
- To set this controller as the secondary connection point, clear the Current Wireless is primary connect point check box.
If the Current Wireless is primary connect point check box is selected, the controller sends the connection request. If it is cleared, the controller waits for a connection request. Confirm that one controller has this check box selected and the other has it cleared; improper configuration of this option results in an incorrect network configuration.
6 On both the primary and secondary controllers, type the Detect link failure value.
Note: Ensure that the Detect link failure value on both controllers is identical.
7 On both the primary and secondary controllers, select the Synchronize GuestPortal Guest Users option to synchronize GuestPortal guest accounts between the controllers.
8 From the top menu, click AP.
9 In the left pane, click Global Settings > AP Registration. To set the security mode for the controller, select one of the following options:
- Allow all wireless APs to connect: If the controller does not recognize the serial number, it sends a default configuration to the AP. If the controller recognizes the serial number, it sends the specific configuration (port and binding key) set for that AP.
- Allow only approved wireless APs to connect: If the controller does not recognize the serial number, the AP is placed in pending mode and the administrator must approve it manually. If the controller recognizes the serial number, it sends the configuration for that AP.
Note: During the initial setup of the network, it is recommended that you select the Allow all Wireless APs to connect option. This option is the most efficient way to get a large number of APs registered with the controller. Once the initial setup is complete, reset the security mode to the Allow only approved Wireless APs to connect option, which ensures that no unapproved APs are allowed to connect. For more information, see Configuring Wireless AP Properties on page 156.
10 To save your changes, click Save.
Note: When two controllers have been paired as described above, each controller's registered APs appear as foreign on the other controller in the list of available APs when configuring a VNS topology.
11 Verify that availability is configured correctly.
Verifying Availability
To verify that availability is configured correctly:
1 From the top menu of either of the two controllers, click Reports.
2 From the Reports and Displays menu, click AP Availability. The Wireless Availability Report is displayed.
3 Check the statement at the top of the screen. If the statement reads Availability link is up, the availability feature is configured correctly. If the statement reads Availability link is down, check the configuration error logs. For more information on logs, see the Extreme Networks ExtremeWireless Maintenance Guide.
Session Availability
Session availability enables wireless APs to switch over to a standby (secondary) wireless controller fast enough to maintain the mobile user's session in the following scenarios:
- The primary wireless controller fails (see Figure 169).
Figure 169: AP Fail Over When Primary Controller Fails
- The wireless AP's network connectivity to the primary controller fails (see Figure 170).
Figure 170: AP Fail Over When Connectivity to Primary Fails
The secondary controller does not have to detect its link failure with the primary controller for session availability to kick in. If the AP loses five consecutive polls to the primary controller, whether because of a controller outage or a connectivity failure, it fails over to the secondary controller fast enough to maintain the user session.
In session availability mode (Figure 171), the APs connect to both the primary and secondary controllers. Connectivity to the primary controller is via the active tunnel; connectivity to the secondary controller is via the backup tunnel.
Figure 171: Session Availability Mode
The following is the traffic flow of the topology illustrated in Figure 171:
- The AP establishes the active tunnel to connect to the primary controller.
- The controller sends the configuration to the AP. This configuration also contains the port information of the secondary controller.
- On the basis of the secondary controller's port information, the AP connects to the secondary controller via the backup tunnel.
- After the connection is established via the backup tunnel, the secondary controller sends the backup configuration to the wireless AP.
- The AP receives the backup configuration and stores it in its memory to use when failing over to the secondary controller. All this while, the AP is connected to the primary controller via the active tunnel.
Session availability applies only to the following topologies:
- Bridge Traffic Locally at Controller
- Bridge Traffic Locally at AP
Events and Actions in Session Availability
In the event of a primary controller outage, or a network connectivity failure to the primary controller, the wireless AP:
- Sends a tunnel-active-req request message to the secondary controller. The secondary controller accepts the request by sending the tunnel-activate-response message.
- Applies the backup configuration and starts sending the data. The client device's authentication state is not preserved during failover.
When the fast failover takes place, a critical message is displayed in the information log of the secondary controller.
Note: In session availability, the maximum number of failover APs that the secondary controller can accommodate is equal to the maximum number of APs supported by the hardware platform.
When the failed controller recovers, each controller in the pair goes back to normal mode. They exchange information that includes the latest lists of registered APs. The administrator must release the APs manually on the second controller so that they can re-register with their home controller. Foreign APs can all be released at once by using the Approve as Foreign button on the Access Approval screen to select all foreign APs, and then clicking Release. After the APs are released, they establish the active tunnel to their home controller and the backup tunnel to the secondary controller.
To support the availability feature during a failover event, administrators need to do the following:
1 Monitor the critical messages for the failover mode message in the information log of the secondary controller (in the Logs & Traces section of the Wireless Assistant).
2 After recovery, on the secondary controller, select the foreign APs, and then click Release on the Access Approval screen.
In session availability, mobile user devices retain their IP address. In addition, the mobile user device does not have to re-associate after the failover. These characteristics ensure that the failover is achieved within 5 seconds, which is fast enough to maintain the mobile user's session. Session availability is supported when fast failover is enabled and when Synchronize System Configuration is selected. For more information, see Configuring Fast Failover and Enabling Session Availability on page 548.
Note: In session availability, the fast failover is achieved within 5 seconds only if there is at least one client device (mobile unit) associated to the AP. In the absence of any client device, the AP takes more time to fail over, since there is no user session to preserve.
Enabling Session Availability
The authentication state is not preserved during fast failover. If a WLAN Service requires authentication, the client device must re-authenticate. In that case, session availability is not guaranteed, because authentication may require additional time during which the user session may be disrupted. Session availability is not supported in a WLAN Service that uses Captive Portal (CP) authentication. Session availability does not support user-specific filters, as these filters are not shared between the primary and secondary controller.
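The rules in the Availability and Session Availability sections above interact (legacy availability versus fast failover, the topology, whether the WLAN authenticates, Captive Portal, user-specific filters), and the practical question before a maintenance window is "which SSIDs actually keep their clients". The function below encodes those stated rules so an SSID inventory can be reviewed in one pass. It is an added example, not code from this guide or from Extreme Networks; the WLAN records and the verdict names are constructed for illustration.

```python
"""What a client session keeps when the controller pair fails over.

Added example; not Extreme Networks code. It encodes the behaviour stated
in this chapter: legacy availability terminates sessions except traffic
bridged at the AP with the maintain-sessions option; session availability
keeps the client's IP and association but not its authentication state;
Captive Portal WLANs, Routed topologies and user-specific filters are
outside what session availability covers. WLAN records are constructed.
"""
from dataclasses import dataclass

BRIDGE_AT_AP = "Bridge Traffic Locally at AP"
BRIDGE_AT_CONTROLLER = "Bridge Traffic Locally at Controller"
ROUTED = "Routed"
SESSION_AVAILABILITY_TOPOLOGIES = {BRIDGE_AT_AP, BRIDGE_AT_CONTROLLER}


@dataclass
class Wlan:
    ssid: str
    topology: str
    requires_auth: bool                     # e.g. 802.1X against RADIUS
    captive_portal: bool = False
    maintain_client_sessions: bool = False  # AP option for poll-failure events
    user_specific_filters: bool = False


@dataclass
class PairSettings:
    fast_failover: bool
    sync_system_config: bool

    @property
    def session_availability(self):
        # Session availability needs fast failover and system config sync.
        return self.fast_failover and self.sync_system_config


def failover_impact(wlan, pair):
    """Return (verdict, notes) for one WLAN.

    verdict is one of: terminated, kept_at_ap, preserved,
    preserved_needs_reauth, unsupported.
    """
    notes = []
    if not pair.session_availability:
        if wlan.topology == BRIDGE_AT_AP and wlan.maintain_client_sessions:
            notes.append("traffic keeps flowing at the AP; session not terminated")
            return "kept_at_ap", notes
        notes.append("session ends; the user logs on again on the second controller")
        return "terminated", notes
    if wlan.topology not in SESSION_AVAILABILITY_TOPOLOGIES:
        notes.append(f"session availability applies only to bridged topologies, not {wlan.topology}")
        return "unsupported", notes
    if wlan.captive_portal:
        notes.append("Captive Portal authentication is not supported by session availability")
        return "unsupported", notes
    notes.append("client keeps its IP address and does not re-associate")
    if wlan.user_specific_filters:
        notes.append("user-specific filters are not shared with the secondary controller")
    if wlan.requires_auth:
        notes.append("authentication state is not preserved; re-authentication may disrupt the session")
        return "preserved_needs_reauth", notes
    return "preserved", notes


def failover_plan(wlans, pair):
    """Map every SSID to its verdict so the impact of a failover can be reviewed."""
    return {w.ssid: failover_impact(w, pair)[0] for w in wlans}


# Constructed inventory.
WLANS = [
    Wlan("corp-8021x", BRIDGE_AT_CONTROLLER, requires_auth=True),
    Wlan("iot-psk", BRIDGE_AT_AP, requires_auth=False, maintain_client_sessions=True),
    Wlan("guest-portal", BRIDGE_AT_CONTROLLER, requires_auth=False, captive_portal=True),
    Wlan("lab-routed", ROUTED, requires_auth=False),
]

if __name__ == "__main__":
    for name, settings in (("legacy", PairSettings(False, False)),
                           ("session availability", PairSettings(True, True))):
        print(name, failover_plan(WLANS, settings))
```

Running it against the sample inventory shows the point the text makes in prose: enabling fast failover helps the PSK and bridged SSIDs, while an 802.1X SSID still depends on how quickly the RADIUS round trip completes, and a Captive Portal or Routed SSID gains nothing.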
Configuring Fast Failover and Enabling Session Availability
Before you configure the fast failover feature, ensure the following:
- The primary and secondary controllers are properly configured in availability mode. For more information, see Availability on page 537.
- The pair of controllers in availability mode is formed by one of the following combinations:
  - C5110 and C5110
  - C5210 and C5210
  - C5215 and C5215
  - C4110 and C4110
  - C5110 and C4110
  - V2110 and V2110 (using the same V2110 profile: two V2110 Small, two V2110 Medium, or two V2110 Large)
  - C25 and C25
  - C35 and C35
- Both the primary and secondary controllers are running the most recent Extreme Networks ExtremeWireless software.
- Both the primary and secondary controllers have equivalent upstream access to the servers on which they depend. For example, both controllers must have access to the same RADIUS and DHCP servers.
- The deployment is designed in such a way that the service provided by the APs is not dependent on which controller the APs associate with. For example, the fast failover feature does not support a deployment in which the two controllers in availability mode are connected via a WAN link.
- A network connection exists between the two controllers.
- The APs are operating in availability mode.
Note: The fast failover feature works optimally in fast networks (preferably switched networks).
- Time on all the network elements (both controllers in the availability pair, APs, DHCP and RADIUS servers, etc.) is synchronized. For more information, see Configuring Network Time on page 89.
- The users (client devices) that use DHCP must obtain their addresses from a DHCP server that is external to the controller.
To configure Fast Failover and enable Session Availability:
1 Log on to both the primary and secondary controllers.
2 From the top menu of the primary controller, click Controller.
3 In the left pane, click Administration > Availability.
4 Under Controller Availability Settings, select Paired.
5 Select the Fast Failover check box.
6 Type the appropriate value in the Detect link failure box.
The Detect link failure field specifies the period within which the system detects link failure after the link has failed. For fast failover configuration, this parameter is tied closely to the Poll Timeout parameter on the AP Properties tab Advanced dialog. The Poll Timeout field specifies the period for which the wireless AP waits before re-attempting to establish a link when its polling to the primary controller fails. For the fast failover feature to work within 5 seconds, the Poll Timeout value should be 1.5 to 2 times the Detect link failure value. For example, if you have set the Detect link failure value to 2 seconds, the Poll Timeout value should be set to 3 or 4 seconds.
7 In the Synchronization Option area, select Synchronize System Configuration. This is a global parameter that enables synchronization of VNS configuration components (topology, role, WLAN Service, VNS) on both controllers paired for availability and/or fast failover. For more information about synchronization, see Using the Sync Summary on page 414.
8 Click Save.
9 Set the APs' Poll Timeout value for fast failover.
a From the top menu of the primary controller, click AP.
b Select the check box for one or more APs.
c Click Actions > Multi Edit. The Multi Edit dialog displays.
d In the Poll Timeout field, enter the poll timeout value in seconds.
e Click Apply.
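Several of the constraints in this procedure and in the Availability Prerequisites earlier in the chapter are simple enough to check mechanically before the pair is put into service: the Poll Timeout window of 1.5 to 2 times Detect link failure, identical Detect link failure and fast failover settings on both controllers, exactly one primary connect point, the Allow All caution, and the supported platform combinations. The checker below is an added example that encodes those stated rules; it is not Extreme Networks code, and the dict layout, field names and sample controllers are constructed for illustration rather than taken from any controller export format.

```python
"""Consistency checks for an ExtremeWireless availability pair.

Added example; not Extreme Networks code. It encodes the rules stated in
this chapter (Poll Timeout vs. Detect link failure, identical settings on
both controllers, one primary connect point, the Allow All caution and the
supported fast-failover platform pairs). The dict layout and the sample
controllers are constructed for illustration.
"""

# Platform pairs the guide lists as supported for fast failover. V2110
# pairs must use the same profile, so the profile is part of the model name.
FAST_FAILOVER_PAIRS = {
    frozenset(["C5110"]), frozenset(["C5210"]), frozenset(["C5215"]),
    frozenset(["C4110"]), frozenset(["C5110", "C4110"]),
    frozenset(["C25"]), frozenset(["C35"]),
    frozenset(["V2110 Small"]), frozenset(["V2110 Medium"]), frozenset(["V2110 Large"]),
}


def check_poll_timeout(poll_timeout, detect_link_failure):
    """Classify an AP Poll Timeout against the 1.5x to 2x window.

    Above the window the AP keeps polling a primary that the pair has
    already declared down, so failover is needlessly delayed.
    """
    if poll_timeout < 1.5 * detect_link_failure:
        return "too_low"
    if poll_timeout > 2 * detect_link_failure:
        return "too_high"
    return "ok"


def check_pair(primary, secondary, aps):
    """Return a list of findings; an empty list means no rule is violated."""
    findings = []
    pair = (primary, secondary)
    for c in pair:
        if not c["paired"]:
            findings.append(f"{c['name']}: availability is not set to Paired")
        # Caution from the guide: an Allow All side captures every AP.
        if c["ap_registration"] == "allow_all":
            findings.append(f"{c['name']}: AP registration is Allow All, all APs will register here")
    # The primary connect point sends the UDP 13911 connection request; the
    # other controller waits for it. Both or neither is a misconfiguration.
    initiators = [c["name"] for c in pair if c["primary_connect_point"]]
    if len(initiators) != 1:
        findings.append(f"exactly one primary connect point expected, found {initiators}")
    if primary["peer_ip"] != secondary["ip"] or secondary["peer_ip"] != primary["ip"]:
        findings.append("Wireless IP Address on each controller must be the other controller's address")
    if primary["detect_link_failure"] != secondary["detect_link_failure"]:
        findings.append("Detect link failure differs between the controllers")
    if primary["fast_failover"] != secondary["fast_failover"]:
        findings.append("fast failover must be configured identically on both controllers")
    if primary["fast_failover"] or secondary["fast_failover"]:
        models = frozenset([primary["model"], secondary["model"]])
        if models not in FAST_FAILOVER_PAIRS:
            findings.append(f"{sorted(models)} is not a supported fast failover combination")
        if not (primary["sync_system_config"] and secondary["sync_system_config"]):
            findings.append("Synchronize System Configuration is required for session availability")
    for ap in aps:
        verdict = check_poll_timeout(ap["poll_timeout"], primary["detect_link_failure"])
        if verdict != "ok":
            findings.append(f"AP {ap['serial']}: Poll Timeout {ap['poll_timeout']}s is {verdict} "
                            f"for Detect link failure {primary['detect_link_failure']}s")
    return findings


# Constructed sample: a C5210 pair set up for fast failover (2 s / 3-4 s).
PRIMARY = {"name": "ewc-a", "model": "C5210", "ip": "10.10.1.11", "peer_ip": "10.10.1.12",
           "paired": True, "primary_connect_point": True, "detect_link_failure": 2,
           "fast_failover": True, "sync_system_config": True, "ap_registration": "approved_only"}
SECONDARY = {"name": "ewc-b", "model": "C5210", "ip": "10.10.1.12", "peer_ip": "10.10.1.11",
             "paired": True, "primary_connect_point": False, "detect_link_failure": 2,
             "fast_failover": True, "sync_system_config": True, "ap_registration": "approved_only"}
APS = [{"serial": "AP-0001", "poll_timeout": 3}, {"serial": "AP-0002", "poll_timeout": 4}]

if __name__ == "__main__":
    for line in check_pair(PRIMARY, SECONDARY, APS) or ["no findings"]:
        print(line)
```

The same checker accepts the legacy recommendation of 15 s Poll Timeout with 10 s Detect link failure, and flags an AP left at 15 s after the pair has been moved to the 2 s fast failover setting, which is the mismatch the Multi Edit step above exists to fix.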
Note: The fast failover configuration must be identical on both the primary and secondary controllers. Logs are generated if the configuration is not identical. For more information, see the ExtremeWireless Maintenance Guide.
After you have configured fast failover, you can verify session availability to preserve the user session during the failover.
Verifying Session Availability
To have session availability, you must ensure the following:
- The primary and secondary wireless controllers are properly configured in availability mode. For more information, see Availability on page 537.
- The fast failover feature is properly configured. For more information, see Configuring Fast Failover and Enabling Session Availability on page 548.
Note: If you haven't configured the fast failover feature, the Enable Session Availability check box is not displayed.
- Time on all the network elements (both wireless controllers in the availability pair, APs, DHCP and RADIUS servers, etc.) is synchronized. For more information, see Configuring Network Time on page 89.
- Both wireless controllers in fast failover mode must be running the most recent wireless controller software release.
- If you are using the Bridge Traffic Locally at Controller topology, you must select None from the DHCP Option drop-down menu.
- The Bridge Traffic Locally at Controller topology must be mapped to the same VLAN on both the primary and secondary wireless controllers.
To verify that the session availability feature is configured correctly:
1 From the top menu of either of the two controllers, click Reports.
2 From the Reports and Displays menu, click Wireless AP Availability. The Wireless Availability Report is displayed.
3 Check the statement at the top of the screen. If the statement reads Availability link is up, the availability feature is configured correctly. If the statement reads Availability link is down, check the configuration errors in the logs. For more information on logs, see the Extreme Networks ExtremeWireless Maintenance Guide.
Verify Synchronization
To verify that all elements have been synchronized correctly, navigate to the VNS tab on both the primary and secondary controllers, and confirm that the topologies, WLAN services, roles and desired VNSs are displayed as [synchronized]. You can verify this by selecting the appropriate tabs and then inspecting the Synchronized flags, or by navigating to VNS > Global > Sync Summary.
Configuration synchronization:
- VNS configuration related synchronization is supported with legacy or fast failover availability configuration as long as an availability link is established.
- Synchronization for VNS, WLAN Services, Roles, Topologies, and Rate Limit Profiles can be enabled or disabled individually.
- VNS, WLAN Service, Role, Topology, and Rate Limit Profile configuration is dynamically synchronized when synchronization is enabled individually between a pair of controllers.
MU session synchronization:
- MU session synchronization is supported only when fast failover is configured between the two controllers.
- If mobility is disabled, MU sessions with Bridge Traffic Locally at AP, Bridge Traffic Locally at Controller, and Routed topologies are all synchronized between a pair of controllers.
- If mobility is enabled, an MU session with a Routed topology is not synchronized.
Viewing SLP Activity
In normal operations, the primary controller registers as an SLP service called ac_manager. The controller service directs the APs to the appropriate controller. During an outage, if the remaining controller is the secondary controller, it registers as the SLP service ru_manager.
To view SLP activity:
1 From the top menu, click AP.
2 In the left pane, click Global Settings > AP Registration.
3 To confirm SLP registration, click View SLP Registration. A screen displays the results of the diagnostic slpdump tool, confirming SLP registration.
14 Configuring Mobility
Mobility Overview
Mobility Domain Topologies
Configuring a Mobility Domain
Mobility Overview
The ExtremeWireless system allows up to 12 controllers on a network to discover each other and exchange information about a client session. This technique enables a wireless device user to roam seamlessly between different APs on different controllers.
The solution introduces the concept of a mobility manager: one controller on the network is designated as the mobility manager and all others are designated as mobility agents. The wireless device keeps the IP address and the service assignments it received from its home controller, the controller that it first connected to. The WLAN (Wireless Local Area Network) Service on each controller must have the same SSID and RF privacy parameter settings.
You have two options for choosing the mobility manager:
- Rely on SLP with DHCP (Dynamic Host Configuration Protocol) Option 78.
- Define, at the agent, the IP address of the mobility manager. By explicitly defining the IP address, the agent and the mobility manager are able to find each other directly without using the SLP discovery mechanisms. Direct IP definition is recommended to provide tighter control of the registration steps for multi-domain installations.
The controller designated as the mobility manager:
- Is explicitly identified as the manager for a specific mobility domain. Agents connect to this manager to establish a mobility domain.
- Uses SLP, if this method is preferred, to register itself with the SLP Directory Agent as Extreme NetworksNet.
- Defines, at the agent, the IP address of the mobility manager, which allows for the bypass of SLP. Agents directly find and attempt to register with the mobility manager.
- Defines the registration behavior for a multi-controller mobility domain set:
  - Open mode: A new agent is automatically able to register itself with the mobility manager and immediately becomes part of the mobility domain.
  - Secure mode: The mobility manager does not allow a new agent to automatically register. Instead, the connection with the new agent is placed in a pending state until the administrator approves the new device.
- Listens for connection attempts from mobility agents.
- Establishes connections and, when it receives a connection attempt from an agent, sends a message to the mobility agent specifying the heartbeat interval and the mobility manager's IP address.
- Sends regular heartbeat messages containing wireless device session changes and agent changes to the mobility agents and waits for a returned update message.
- Establishes a connection to an optional backup mobility manager that can be configured to back up the primary mobility manager.
The controller designated as a mobility agent does the following:
- Uses SLP or a statically configured IP address to locate the mobility manager. Defining the IP address of the mobility manager at the agent allows for the bypass of SLP; agents directly find and attempt to register with the mobility manager.
- Attempts to establish a TCP/IP connection with the mobility manager.
- Connects to an optional backup mobility manager that can be configured to back up the primary mobility manager.
- Sends updates, in response to the heartbeat message, on the wireless device users and the data tunnels to the mobility manager.
If a controller configured as the mobility manager is lost, with a backup mobility manager configured, the following occurs:
- If enabled, the controller establishes a connection to the optional backup mobility manager.
- When a failure occurs, the backup manager becomes the primary manager and control tunnels are re-negotiated. The data tunnels are not affected.
- When the primary manager comes back online, the backup manager detects the higher priority manager and switches back to agent (passive) mode.
If a controller configured as the mobility manager is lost, without a backup mobility manager, the following occurs:
- Agent to agent connections remain active.
- The mobility agents continue to operate based on the mobility information last coordinated before the manager link was lost.
- The mobility location list remains relatively unaffected by the controller failure. Only entries associated with the failed controller are cleared from the registration list, and users that have roamed from the manager controller to other agents are terminated and required to re-register as local users with the agent where they are currently located.
- The data link between active controllers remains active after the loss of a mobility manager.
- Mobility agents continue to use the last set of mobility location lists to service known users.
- Existing users remain in the mobility scenario, and if the users are known to the mobility domain, they continue to be able to roam between connected controllers.
- New users become local at the attaching controller. Roaming to another controller resets the session.
The mobility network that includes all the wireless controllers and the APs is called the Mobility Domain.
Note: The mobility feature is not backward compatible. This means that all the controllers in the mobility domain must be running the most recent controller software release.
Mobility Domain Topologies
You can configure a mobility domain in the following scenarios:
- Mobility domain without availability
- Mobility domain with availability
- Mobility domain with session availability
Note: When configuring a mobility domain with availability or session availability, synchronize time on all the wireless controllers that are part of your mobility domain. For more information, see Configuring Network Time on page 89.
Figure 172: Mobility Domain with Fast Failover and Session Availability Features
The user's home session is with Controller 1. When the user roams from wireless AP 1 to wireless AP 2, the user establishes a home session with Controller 2. When the user roams, AP 1 receives a notification that the user has roamed away, following which it marks the user session as inactive. Consequently, no statistics are sent to Controller 1 for that user. In response to the heartbeat message from the mobility manager (Controller 3), Controller 2 sends updates that the user has a new home on Controller 2. Upon receiving the updates, the mobility manager updates its own tables.
Note: The mobility manager's heartbeat time is configurable. If you are configuring a mobility domain with session availability, configure the heartbeat time as one second to enable the mobility manager to update its tables quickly.
If a failover takes place, and the user is still associated with AP 1:
- AP 1 fails over and establishes an active session with Controller 2.
- In response to the heartbeat message from the mobility manager (Controller 3), Controller 2 sends updates to the mobility manager on the failover AP and its user.
If a failover takes place, and the user has roamed to wireless AP 2:
- As part of roaming, the user's home session moves from Controller 1 to Controller 2.
- AP 1 establishes an active session with Controller 2.
- AP 2 is not impacted by the failover.
Configuring a Mobility Domain
When configuring a mobility domain with availability or session availability, synchronize time on all the wireless controllers that are part of your mobility domain. For more information, see Configuring Network Time on page 89.
Designating a Mobility Manager
To designate a mobility manager:
1 From the top menu, click Controller.
2 In the left pane, click Services > Mobility Manager.
3 To enable mobility for this controller, select the Mobility check box. The controller mobility options are displayed.
4 Select the This Wireless Controller is a Mobility Manager option. The mobility manager options are displayed.
5 In the Port drop-down list, select the interface on the controller to be used for the mobility manager process. Ensure that the selected interface's IP address is routable on the network.
6 In the Heartbeat field, type the time interval (in seconds) at which the mobility manager sends a Heartbeat message to a mobility agent.
Note: When the mobility domain is configured for fast failover and session availability, configure the mobility manager's heartbeat time as one second.
7 In the SLP Registration drop-down list, select whether to enable or disable SLP registration.
8 In the Permission list, approve the agent IP addresses that are in pending state by selecting the agent and clicking Approve. New agents are only added to the domain if they are approved.
- To add a controller to the mobility domain, type the agent IP address in the box, and then click Add. This can only be done from the primary manager.
- To assign a backup manager, select a controller from the Permission List, and click Backup mgr.
- To delete a controller, click the controller in the list, and then click Delete. This can only be done from the primary manager.
9 Select the Security Mode option:
- Allow all mobility agents to connect: All mobility agents can connect to the mobility manager.
- Allow only approved mobility agents to connect: Only approved mobility agents can connect to the mobility manager.
10 Click Save.
Note: If you set up one wireless controller on the network as a mobility manager, all other controllers must be set up as mobility agents.
Designating a Mobility Agent
To designate a mobility agent:
1 From the top menu, click Controller.
2 In the left pane, click Services > Mobility Manager.
3 Select the Mobility check box. The controller mobility options are displayed.
Designating a Mobility Agent ExtremeWireless V10.41.06 User Guide 559 Conguring Mobility 4 Select the This Wireless Controller is a Mobility Agent option. The mobility agent options are displayed. D process. Ensure that the port selected is routable on the network. 6 From the Discovery Method drop-down list, select one of the following:
5 From the Port drop-down list, select the port on the controller to be used for the mobility agent 7 In the Mobility Manager Address box, type the IP address for the designated mobility manager. The Backup Manager Address box displays the IP address of the backup controller. SLPD Service Location Protocol Daemon, a background process acting as an SLP server, provides the functionality of the Directory Agent and Service Agent for SLP. Use SLP to locate the area mobility manager controller. Static Conguration You must provide the IP address of the mobility manager manually. Dening a static conguration for a mobility manager IP address bypasses SLP discovery. raft For information about viewing mobility manager displays, see Viewing Mobility Reports on page 650. 8 Click Save. ExtremeWireless V10.41.06 User Guide 5560 15 Working with Third-party APs DDening Authentication by Captive Portal for the Third-party AP WLAN Service Dening the Third-party APs List Dening Policy Rules for the Third-party APs Service, click the Auth & Acct tab. External Authentication on page 349. 1 On the WWLAN conguration window for the third-party WLAN (Wireless Local Area Network) Dening Authentication by Captive Portal for the Third-party AP WLAN Service D 802.1x Authentication is not supported directly by the wireless controller. However, this type of authentication can be supported by the actual third-party AP. All other options for authentication are supported at the controller. 2 In the Authentication Mode drop-down list, click Internal or External, and then click Congure. 3 Dene the Captive Portal conguration as described in Conguring Captive Portal for Internal or raft In the WLAN Services panel, select the third-party WLAN Service. 1 2 In the IP Address eld, type the IP address of a third-party AP. 3 In the Wired MAC Address eld, type the MAC address of the AP. 4 Click Add to add the AP to the list. 5 Repeat for all third-party APs to be assigned to this WLAN Service. 
Defining Policy Rules for the Third-party APs
1 Because the third-party APs are mapped to a physical topology, you must define the Exception filters on the physical topology, using the Exception Filters tab. For more information, see Exception Filtering on page 278.
2 Define policy rules that allow access to other services and protocols on the network such as HTTP, FTP, and SNMP (Simple Network Management Protocol).
3 On the Multicast Filters tab, select Enable Multicast Support and configure the multicast groups whose traffic is allowed to be forwarded to and from the VNS using this topology. For more information, see Multicast Filtering on page 281.
In addition, modify the following functions on the third-party AP:
- Disable the AP's DHCP (Dynamic Host Configuration Protocol) server, so that the IP address assignment for any wireless device on the AP is from the DHCP server at the controller with VNS information.
- Disable the third-party AP's layer-3 IP routing capability and set the access point to work as a layer-2 bridge.
The following are the differences between third-party APs and APs on the Extreme Networks ExtremeWireless system:
- A third-party AP exchanges data with the controller's data port using standard IP over Ethernet protocol. The third-party access points do not support the tunnelling protocol for encapsulation.
- For third-party APs, the VNS is mapped to the physical data port and this is the default gateway for mobile units supported by the third-party access points.
- A controller cannot directly control or manage the configuration of a third-party access point.
- Third-party APs are required to broadcast an SSID unique to their segment. This SSID cannot be used by any other VNS.
- Roaming from third-party APs to wireless APs and vice versa is not supported.

16 Working with ExtremeWireless Radar
Radar Overview
Radar Components
Radar License Requirements
Enabling the Analysis Engine
Radar Scan Profiles
AirDefense Profile
Viewing Existing Radar Profiles
Adding a New Radar Profile
Configuring an In-Service Scan Profile
Configuring a Guardian Scan Profile
Assigning an AP to a Profile
Viewing the List of Assigned APs
Maintaining the Radar List of APs
Working with Radar Reports

Radar is a set of advanced, intelligent features for managing the wireless environment. Radar includes advanced features for:
- Device location tracking
- Wireless-Intrusion-Detection and Wireless-Intrusion-Prevention (WIDS-WIPS)
- Advanced load balancing capability

Radar Overview
Radar provides a basic solution for discovering unauthorized devices within the wireless coverage area. Radar performs basic RF network analysis to identify unmanaged APs and personal ad-hoc networks. The Radar feature set includes intrusion detection, prevention and interference detection.
All APs can provide WIDS and traffic forwarding functionality simultaneously and, if configured to do so, will apply countermeasures to detected wireless intrusions.
All APs (except 3705) can be placed in Guardian mode. In this mode, the AP dedicates both radios to intrusion detection and prevention functions. Guardians are capable of detecting and mitigating attacks on wireless channels that are not being used for traffic forwarding by the authorized network.
When controllers are configured in an availability pair, the Radar feature operates in High Availability mode, allowing Radar to retain its configuration, historical, and runtime data in the case of an availability pair controller failure. In High Availability mode, the configuration and runtime data on both controllers is synchronized.

Radar Components
Figure 173 illustrates the major components of Radar.
Figure 173: Radar System Components

Analysis Engine Overview
Radar requires that one controller host the Analysis Engine, and a data collector application is installed on each controller. The data collector receives and manages the RF scan messages sent by each AP. The data collector forwards to the Analysis Engine lists of all connected wireless APs, third-party APs and RF scan information collected from participating APs.
The Analysis Engine processes the scan data from the data collectors through algorithms that make decisions about whether any of the detected APs or clients are threats or are running in an unsecure environment (for example, in ad-hoc mode).
APs must be part of a Radar scan profile to participate in WIDS-WIPS activity. A scan profile is a collection of WIDS-WIPS configuration options that can be assigned to appropriate APs. The actual configuration options depend on whether the profile is an In-Service or Guardian scan profile.
The Analysis Engine relies on a database of connected devices on the Extreme Networks ExtremeWireless system. The database is basically a compiled list of all APs and clients connected to the controller. The Analysis Engine compares the data from the data collector with the database of known devices.
For more information on enabling the Analysis Engine, see Enabling the Analysis Engine on page 565.

Radar Functionality on the Controller
The Analysis Engine can run on a standalone controller or on a High Availability pair. The controller's Analysis Engine works only with local data collectors and with the data collectors of the controller's availability partner.

Radar Functionality on the Wireless AP
An AP can be assigned to only one scan profile and only needs to be added to a profile if it is to be used for scanning. APs run a radio frequency (RF) scanning task. The APs scan for threats and perform countermeasures while simultaneously providing full traffic forwarding services, including the application of roles.
Note: When you enable countermeasures, the countermeasures apply to threats on channels that receive forwarded traffic.

AP Limitations
All APs, except 3705, support the Guardian mode profile. In Guardian mode, the APs rapidly sweep across multiple channels. This allows for threat detection on channels that are being used by APs that are not authorized to provide service. However, the more channels the AP has to defend concurrently, the less thoroughly it can defend any one channel. The AP will only defend a channel if an actual threat is detected on that channel, and if the Analysis Engine on the controller is able to distribute responsibility for dealing with concurrent active threats among multiple APs.
Note: If an AP is part of a WDS/Mesh link, you cannot configure it to act as a Guardian AP or In-Service profile AP in Radar.

Radar License Requirements
Radar functionality is controlled by capacity licenses installed on the controller and activated as an option key. For more information on the Option Key, see Applying Product License Keys on page 47.
Any AP assigned to an In-Service scan profile counts as 1 against the licensed Radar capacity. The base capacity for all controllers is 2, and any capacity increment can be installed on any controller. The maximum number of APs that can be licensed for Radar is twice the platform limit for local APs. Once the maximum number of APs is reached, no new licenses can be installed. The Radar capacity is twice the platform system AP limit for Cloud Provider and Subscription license types.

Enabling the Analysis Engine
Before using WIPS (Wireless Intrusion Prevention System), you must enable and define the Analysis and Data Collector Engines. If using In-Service scan profiles, only the controller itself and its availability pair report to the Analysis Engine. For more information, see Configuring an In-Service Scan Profile on page 574.
To enable the Analysis Engine:
1 From the top menu, click WIPS. The Configuration > Engine Settings screen displays.
2 If not already selected, select Security Analysis Engine and click Save.
Figure 174: Radar Engine Settings

Radar Scan Profiles
Radar scan profiles provide the ability to organize scans for rogue activity based on a specific set of parameters such as radio assignments and desired channels. APs can be selected from a list of Assigned APs, or a new AP can be added to the scan profile. An AP can only belong to one scan profile.
Radar provides In-Service and Guardian scan profiles. Any AP can use the In-Service scan profile. All APs, except 3705, can use the Guardian scan profile.
The AP39xx support the AirDefense profile. This profile integrates the AP39xx with the AirDefense Services Platform, offering an alternative to the Guardian Scan Profile.
Related Links
Configuring an In-Service Scan Profile on page 574
Configuring a Guardian Scan Profile on page 577
Configuring an AirDefense Profile on page 568

In-Service Scan Profiles
In-Service scan profiles work with any AP type and include the following:
- A set of countermeasures that lists possible prevention options to counter specific types of threats.
- Support for automatic blacklisting, which automatically removes network access from devices performing certain types of wireless attacks. The administrator can configure the length of time that a device remains on the blacklist.
Related Links
In-Service Scan Profile Prevention Settings on page 575
Blacklisted Clients on page 598

Guardian Scan Profiles
Guardian scan profiles work with all AP types (except AP3705) and include the following:
- A set of countermeasures that lists possible prevention options to counter specific types of threats. For more information, see In-Service Scan Profile Prevention Settings on page 575.
- Support for automatic blacklisting, which allows the administrator to list which MAC addresses should be allowed or denied on the network. For more information, see Blacklisted Clients on page 598. Addresses added to the blacklist manually are there until they are manually removed. If blacklisting clients is enabled, you can set the maximum amount of time a device can be blacklisted.
- An AP operating in Guardian mode does not bridge traffic and instead devotes all of the AP's resources to threat detection and countermeasures.
- An AP assigned to a Guardian scan profile stops providing any services (WLAN (Wireless Local Area Network) service, load groups, site) immediately.
- An AP is added to a Guardian scan mode in its entirety. There is no option to dedicate one radio to scanning and the other to forwarding.
- A list of all possible channels that the Guardian AP could scan. Each channel has a check box which, when checked, enables scanning by any AP in the group.
Related Links
AirDefense Profile on page 567

AirDefense Profile
The AP integrates with the AirDefense Service Platform (ADSP), offering an additional profile option that allows the AP to function as an AirDefense sensor or to act as a sensor and retain the ability to forward traffic. When the AP is configured with an AirDefense dedicated sensor profile, the functionality of the AP is controlled by the ADSP server. When the AP is configured with an AirDefense Radio Share profile, it continues to forward traffic while sending packets to an ADSP server.
In dedicated sensor mode, the AP operates independently from the controller while the controller continues to see the AP and display the AP Role as a dedicated AirDefense sensor. In its role as a dedicated sensor, the AP does not report statistics to the controller. However, the WASSP tunnel is maintained to allow future reconfiguration.
In Radio Share mode, both radios on the AP operate as both a sensor and a traffic forwarder. The controller configuration indicates whether the radios gather all packet traffic or packet traffic for only APs registered with ADSP. With Radio Share, you also have the option to scan neighboring channels in addition to the operating channel.
AP39xx supports AirDefense profiles.
Related Links
Configuring an AirDefense Profile on page 568

Configuring an AirDefense Profile
Configure an AirDefense profile that allows the AP to function as an AirDefense dedicated sensor or as a Radio Share profile.
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 Select AirDefense Profiles.
4 From the AirDefense Profiles screen, click New.
5 Select the Profile type. Valid values are:
- Dedicated: The radio is a dedicated ADSP sensor, controlled by the ADSP server.
- Radio Share: The radios are both ADSP sensors and they forward traffic to the controller.
Figure 175: AirDefense Profile Dedicated Configuration
Figure 176: AirDefense Profile Radio Share Configuration
6 On the Configuration tab, configure the following parameters:

Table 107: AirDefense Profile Configuration Settings
Field: Description
Name: Scan profile name.
AirDefense Servers: The IP address of the AirDefense servers. Provide the FQDN or IPv4 string, maximum 255 characters.
Radio Share
Off Channel Scanning: Enable Off Channel Scanning. Allow the radio to perform periodic scanning on neighboring channels in addition to the operating channel. Note: Providing service on the operating channel has priority over scanning neighboring channels.
Radio Mode: Radio mode for packet transfer. Valid values are:
- Off. When the radio mode is set to Off, the Radio Share capability is disabled, regardless of the selected Profile type.
- Inline. The AP reports to the ADSP server only its own traffic and multicast / broadcast traffic such as beacons and probe requests. Inline mode has minimal impact on AP performance, because the AP reports to the ADSP server only traffic that it processes.
- Promiscuous. The AP receives all packets seen on its operating channel and forwards them to the ADSP server. Promiscuous mode loads the AP resources, because the AP processes traffic intended for all neighboring APs. In high-density wireless deployments, use dedicated sensors instead of Radio Share in Promiscuous mode. Note: Set the AP to Promiscuous mode when the AP is required to perform Termination.
Related Links
AirDefense Profile on page 567
Configuring an In-Service Scan Profile on page 574
Configuring a Guardian Scan Profile on page 577

Viewing Existing Radar Profiles
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Profiles. The Radar Profiles screen displays.
Figure 177: In-Service Profiles

Table 108: Scan Profiles - Fields and Buttons
Field/Button: Description
Name: The name of the scan profile.
Profile: In-Service or Guardian.
Security Scan: Indicates whether the profile enables security scanning on APs assigned to the profile. One icon indicates that the scan profile enables security scanning; the other indicates that the scan profile does not enable security scanning.
Interference Scan: Interference classification compares patterns in RF interference to known interference patterns to help identify the source of the interference. One icon indicates that interference scan classification is enabled on specific APs assigned to the profile; the other indicates that it is not enabled.
Status: Enabled indicates that the scan profile is enabled (that is, the APs assigned to the profile are scanning in accordance with the profile). Scan profiles are Enabled if either security scanning or interference scanning is enabled. Disabled indicates that the scan profile is disabled. A disabled profile means the profile is defined but any APs assigned to the profile are not performing scans.
New: Click to create a new scan profile (see Adding a New Radar Profile on page 573).
Delete Selected: Click to delete the selected scan profile.

Adding a New Radar Profile
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 Select Radar Profiles.
4 From the Radar Profiles screen, click New.
5 In the Add Radar Profile dialog, select the profile type:
- Guardian
- In-Service
Figure 178: Add Radar Profile
For information about configuring the profile, see:
- Configuring an AirDefense Profile on page 568
- Configuring a Guardian Scan Profile on page 577
- Configuring an In-Service Scan Profile on page 574

Configuring an In-Service Scan Profile
Configure the following for an In-Service scan profile:
- Detection Settings
- Prevention Settings
- List of Assigned APs
Related Links
Assigning an AP to a Profile on page 581
Viewing the List of Assigned APs on page 581

In-Service Scan Profile Detection Settings
Note: Once an In-Service scan profile is created, the Detection tab appears.
Select the Detection tab.
Figure 179: Detection Settings
From the Core pane, type a unique name for the scan profile and configure the following detection options:
- Scan for security threats. For more information, see Security Threats on page 594.
- Rogue AP detection. Select this option to detect rogue APs serving open SSIDs (for example, an AP attached to an Ethernet wall jack that is running an open SSID). If a rogue AP is detected, countermeasures can optionally be applied to prevent any station from using this rogue AP.
  - Listener port: Enter the UDP port for rogue AP detection.
- Classify sources of interference. Interference classification compares patterns in RF interference to known interference patterns to help identify the source of the interference. All APs based on the AP371x, AP38xx, and AP39xx architecture are capable of performing interference classification.
Click Save.

In-Service Scan Profile Prevention Settings
Radar provides multiple countermeasures which can be enabled in an In-Service scan profile. The level of prevention for the profile depends on the countermeasures selected. For more information on the Radar threat categories for which countermeasures can be applied, see Radar Scan Profiles on page 566.
When Radar WIDS-WIPS is enabled, all detected threats are reported when they start and when they stop. The reports are available in the controller's event logs and can be streamed off the controller using SNMP (Simple Network Management Protocol) and syslog. These event reports are always generated regardless of which other countermeasures are enabled. For more information on these reports, see Working with Radar Reports on page 593.
Related Links
Selecting Countermeasures on page 576

Selecting Countermeasures
Countermeasures mitigate the impact of a security threat:
- Sending standard 802.11 deauthentication frames to prevent stations from associating to threat devices.
- Rate limiting flooded frames. This can prevent floods from propagating through the AP to the wired network.
- Blacklisting attacking devices to prevent them from gaining access to the network.
Countermeasures are enabled on a per-scan-profile basis. Some scan profiles can have countermeasures enabled while others cannot.
To select a specific countermeasure:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Profiles.
4 Select an In-Service scan profile and click the Prevention tab.
Figure 180: Prevention Settings

Table 109: Prevention Tab - Fields and Buttons
Field/Button: Description
Countermeasures
Prevent authorized stations from roaming to external honeypot APs: An external honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising a popular SSID, such as an SSID advertised by a coffee shop or an airport.
Prevent authorized stations from roaming to friendly APs: Friendly APs are APs that are not part of the authorized wireless network, but they operate in the vicinity of the authorized wireless network.
Prevent any station from using an internal honeypot AP: An internal honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising an SSID belonging to the authorized network.
Prevent any station from using a rogue AP: A rogue AP is an unauthorized AP connected to the authorized wired network.
Prevent any station from using a spoofed AP: A spoofed AP is an AP that is not part of the authorized network but is advertising a BSSID (MAC address) that belongs to an authorized AP on the authorized network.
Prevent any station from using an ad hoc mode device: Deauthentication messages are used to prevent devices from using an ad hoc mode device.
Drop frames in a controlled fashion during a flood attack: Prevents some types of Denial of Service (DoS) attack from affecting the authorized network instead of just the target AP, for example by rate limiting the flooded frames.
Remove network access from clients originating DoS and password-cracking attacks: Prevents propagation of the DoS attack from the AP to the authorized network. Many types of DoS attack involve deluging an AP with a large volume of messages of one or two specific types. When this option is enabled, the AP will apply rate limits to the specific type of frame that is being deluged. The selected clients for this countermeasure are denied access to the network for the amount of time that is specified in "Remove network access from violating clients for a period of time."
Remove network access from violating clients for a period of time: Enter a numeric value in seconds.
New: Click to create a new scan profile. For more information, see Adding a New Radar Profile on page 573.
Delete: Click to delete the selected scan profile.
Save: Click to save changes.

Configuring a Guardian Scan Profile
Configure the following for a Guardian scan profile:
- Detection Settings
- Prevention Settings
- List of Assigned APs
Related Links
Guardian Scan Profile Detection Settings on page 578
Guardian Scan Profile Prevention Settings on page 579
Selecting Countermeasures on page 579
Assigning an AP to a Profile on page 581
Viewing the List of Assigned APs on page 581

Guardian Scan Profile Detection Settings
Note: Once a new Guardian Scan Profile is created, the Detection tab appears.
Figure 181: Detection Settings
1 In the Name box, type a unique name for this scan profile. Select from the following detection options:
- Scan for security threats. For more information, see Security Threats on page 594.
- Classify sources of interference. Interference classification compares patterns in RF interference to known interference patterns to help identify the source of the interference. All APs based on the AP371x, AP38xx, and AP39xx architecture are capable of performing interference classification.
2 Under Channels to Monitor:
- Click the 2.4 GHz tab and select channels to be monitored within this band for the scan profile.
- Click the 5 GHz tab and select channels to be monitored within this band for the scan profile.

Guardian Scan Profile Prevention Settings
Radar provides multiple countermeasures which can be enabled in a Guardian scan profile. The level of prevention for the profile depends on the countermeasures selected. For more information on the Radar threat categories for which countermeasures can be applied, see Radar Scan Profiles on page 566.
When Radar WIDS-WIPS is enabled, all detected threats are reported when they start and when they stop. The reports are available in the controller's event logs and can be streamed off the controller using SNMP and syslog. These event reports are always generated regardless of which other countermeasures are enabled. For more information on these reports, see Working with Radar Reports on page 593.

Selecting Countermeasures
Countermeasures mitigate the impact of a security threat. Three main countermeasures are used by the Guardian APs:
- Sending standard 802.11 deauthentication frames to prevent stations from associating to threat devices.
- Rate limiting flooded frames. This can prevent floods from propagating through the AP to the wired network.
- Blacklisting attacking devices to prevent them from gaining access to the wireless network.
Countermeasures are enabled on a per-scan-profile basis. Some scan profiles can have countermeasures enabled while others cannot.
To select a specific countermeasure:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Profiles.
4 Select a Guardian scan profile and click the Prevention tab.
Figure 182: Prevention Settings
5 Select the desired prevention method.
6 Select the number of channels per radio to defend concurrently. The number of defended channels can be between 1 and 4.

Table 110: Prevention Tab - Fields and Buttons
Field/Button: Description
Countermeasures
Prevent authorized stations from roaming to external honeypot APs: An external honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising a popular SSID, such as an SSID advertised by a coffee shop or an airport.
Prevent authorized stations from roaming to friendly APs: Friendly APs are APs that are not part of the authorized wireless network, but they operate in the vicinity of the authorized wireless network.
Prevent any station from using an internal honeypot AP: An internal honeypot is an AP that is attempting to make itself a man-in-the-middle by advertising an SSID belonging to the authorized wireless network.
Prevent any station from using a rogue AP: A rogue AP is an unauthorized AP connected to the authorized wired or wireless network.
Prevent any station from using a spoofed AP: A spoofed AP is an AP that is not part of the authorized network but is advertising a BSSID (MAC address) that belongs to an authorized AP on the authorized network.
Drop frames in a controlled fashion during a flood attack: Prevents some types of Denial of Service (DoS) attack from affecting the authorized network instead of just the target AP, for example by rate limiting the flooded frames.
Prevent any station from using an ad hoc mode device: Deauthentication messages are used to prevent devices from using an ad hoc mode device.
Remove network access from clients originating DoS and password-cracking attacks: Prevents propagation of the DoS attack from the AP to the authorized network. Many types of DoS attack involve deluging an AP with a large volume of messages of one or two specific types. When this option is enabled, the AP will apply rate limits to the specific type of frame that is being deluged. The selected clients for this countermeasure are denied access to the network for the amount of time that is specified in "Remove network access from violating clients for a period of time."
Remove network access from violating clients for a period of time: Enter a numeric value in seconds.
Defense Options
Maximum number of channels per radio to defend concurrently: Click the slider to select the number of channels desired.
New: Click to create a new Guardian scan profile. For more information, see Adding a New Radar Profile on page 573.
Delete: Click to delete the selected Guardian scan profile.
Save: Click to save changes.

Assigning an AP to a Profile
To assign an AP to a scan profile:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Profiles or AirDefense Profiles.
4 Select a profile, and click the Assigned APs tab.
5 Select an AP from the list of Assigned APs and click Save.
Related Links
Viewing the List of Assigned APs on page 581

Viewing the List of Assigned APs
The list of Assigned APs is a list of all APs reported by the data collectors. Assigned APs automatically appear once a profile is created. The APs in the list of Assigned APs are available to any profile. However, an AP can only be assigned to one profile.
To view the list of APs assigned to a profile, click the Assigned APs tab.

Table 111: Assigned APs Tab - Fields and Buttons
Field/Button: Description
Wireless APs: Identifies the wireless APs assigned to the profile. May include the AP name or serial number.
Controller (Radar Profiles): Identifies the controller associated with the wireless AP. An IP address indicates a remote data collector. Local Controller indicates a controller local to the AP. Applies to Radar Profiles only.
Assignment (Guardian AP): Indicates if the Guardian AP is assigned to a Site, Load Group, or WLAN Service.
Search: To search for a profile in the list, enter the full name of a scan profile and press Enter.
Select All: Select all APs in the list.
Deselect All: Clear the selection of all APs in the list.
Save: Click to save changes.
Related Links
Assigning an AP to a Profile on page 581
Configuring an AirDefense Profile on page 568
Configuring an In-Service Scan Profile on page 574
Configuring a Guardian Scan Profile on page 577

Maintaining the Radar List of APs
Wireless Intrusion Prevention System (WIPS) provides a list of APs organized in categories based on the scan results of the Analysis Engine. WIPS will try to assign each discovered AP to one of these categories. If it can't find a specific category for the AP, it will assign it to the Uncategorized APs category. Uncategorized APs require manual classification. To get the best protection from WIPS, classify uncategorized APs as soon as possible. You can manually assign APs from one category to another using WIPS. For more information, see Reclassifying APs on page 592.
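As an added illustration (not ExtremeWireless code, and not a description of the Analysis Engine's actual heuristics), the following Python model shows how a WIDS engine can compare an RF scan report from a data collector against the database of known devices, place each AP in one of the categories the guide lists (Authorized, Friendly, Prohibited, Uncategorized), name the threat type using the Prevention tab definitions, and decide whether an enabled countermeasure acts on it or only an event is reported. The spoofed-AP heuristic (an authorized BSSID heard on a channel the real AP does not operate on), the popular-SSID list, and all BSSIDs and SSIDs are constructed assumptions.

```python
"""Constructed model of a WIDS analysis step (added example, not ExtremeWireless code)."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class AuthorizedAP:
    """An AP the controller manages: BSSID, advertised SSID and operating channel."""
    bssid: str
    ssid: str
    channel: int


@dataclass(frozen=True)
class Observation:
    """One AP entry from an RF scan report forwarded by a data collector."""
    bssid: str
    ssid: str
    channel: int
    ad_hoc: bool = False              # beacon advertised an ad-hoc (IBSS) network
    on_authorized_wire: bool = False  # its traffic was also seen on the authorized wired LAN


@dataclass
class DeviceDatabase:
    authorized: dict    # bssid -> AuthorizedAP
    friendly: set       # BSSIDs an administrator classified as Friendly
    prohibited: set     # BSSIDs manually added as Prohibited (for example stolen APs)
    popular_ssids: set  # hotspot SSIDs used to spot external honeypots (constructed assumption)


# Threat name -> countermeasure option from the Prevention tab (Tables 109 and 110).
COUNTERMEASURE = {
    "external honeypot": "Prevent authorized stations from roaming to external honeypot APs",
    "internal honeypot": "Prevent any station from using an internal honeypot AP",
    "rogue AP": "Prevent any station from using a rogue AP",
    "spoofed AP": "Prevent any station from using a spoofed AP",
    "ad hoc mode device": "Prevent any station from using an ad hoc mode device",
}


def classify(obs: Observation, db: DeviceDatabase) -> Tuple[str, Optional[str]]:
    """Return (category, threat); threat is None when the AP is benign or unknown."""
    bssid = obs.bssid.lower()
    if bssid in db.prohibited:
        return "Prohibited", "prohibited AP"
    if bssid in db.authorized:
        # Simplified spoof heuristic (assumption): an authorized BSSID heard on a channel
        # the real AP is not operating on is treated as a spoofed AP.
        if obs.channel != db.authorized[bssid].channel:
            return "Uncategorized", "spoofed AP"
        return "Authorized", None
    if bssid in db.friendly:
        return "Friendly", None
    if obs.ad_hoc:
        return "Uncategorized", "ad hoc mode device"
    if obs.on_authorized_wire:
        return "Uncategorized", "rogue AP"
    if obs.ssid in {ap.ssid for ap in db.authorized.values()}:
        return "Uncategorized", "internal honeypot"
    if obs.ssid in db.popular_ssids:
        return "Uncategorized", "external honeypot"
    return "Uncategorized", None  # left for manual classification by the administrator


def plan(scan, db: DeviceDatabase, enabled_countermeasures: set) -> list:
    """Per observation: threat events are always reported; stations are deauthenticated
    only when the matching countermeasure is enabled in the scan profile."""
    decisions = []
    for obs in scan:
        category, threat = classify(obs, db)
        if threat is None:
            action = None
        elif COUNTERMEASURE.get(threat) in enabled_countermeasures:
            action = "report event and deauthenticate stations"
        else:
            action = "report event only"
        decisions.append((obs.bssid, category, threat, action))
    return decisions


# Constructed sample data: one managed AP, one friendly neighbour, one prohibited BSSID.
DB = DeviceDatabase(
    authorized={"00:11:22:33:44:01": AuthorizedAP("00:11:22:33:44:01", "Corp-Secure", 36)},
    friendly={"00:11:22:33:44:ee"},
    prohibited={"00:11:22:33:44:ff"},
    popular_ssids={"Free Airport WiFi", "CoffeeShop"},
)
SCAN = [
    Observation("00:11:22:33:44:01", "Corp-Secure", 36),                       # the managed AP itself
    Observation("00:11:22:33:44:01", "Corp-Secure", 6),                        # same BSSID, wrong channel
    Observation("aa:bb:cc:dd:ee:01", "Corp-Secure", 11),                       # unknown AP, our SSID
    Observation("aa:bb:cc:dd:ee:02", "Free Airport WiFi", 1),                  # popular hotspot SSID
    Observation("aa:bb:cc:dd:ee:03", "Lab-Open", 1, on_authorized_wire=True),  # bridged to our wired LAN
    Observation("aa:bb:cc:dd:ee:04", "phone-adhoc", 6, ad_hoc=True),           # ad-hoc network
    Observation("00:11:22:33:44:ee", "NeighborCorp", 44),                      # classified Friendly
    Observation("00:11:22:33:44:ff", "Corp-Secure", 36),                       # prohibited (stolen) AP
    Observation("aa:bb:cc:dd:ee:05", "Guest-Net-7", 149),                      # matches nothing
]

if __name__ == "__main__":
    enabled = {COUNTERMEASURE["rogue AP"], COUNTERMEASURE["spoofed AP"]}
    for row in plan(SCAN, DB, enabled):
        print(row)
```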
Maintaining the Radar List of APs

AP Categories

APs belong to one of the following categories when they are added to the Analysis Engine database:
Scanning APs - This is the subset of authorized APs configured to provide WIDS-WIPS services.
Friendly APs - These are APs that are not part of the authorized network, but they operate in the vicinity of the authorized network. Friendly APs are operated by a neighboring enterprise for their own use. Authorized APs can prevent authorized devices from using friendly APs.
Uncategorized APs - APs discovered by scanning APs that do not fall into any other category. Uncategorized APs require manual classification. To get the best protection from WIPS, classify uncategorized APs as soon as possible.
Authorized APs - APs that can be used by devices authorized to use the network. APs can be added to the list automatically (for example, if the APs are active on the current host or the host's availability partner) or manually.
Prohibited APs - These are APs that have been manually added to the Radar database so that the Radar WIDS-WIPS system will detect them and, if so configured, protect against them. An example of manually prohibited APs might be APs that were stolen from the authorized network and could now be used to generate a security breach.

Viewing the List of Scanning APs

1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Maintenance. The Scanning APs screen displays.

Figure 183: Scanning APs

Table 112: Scanning APs - Fields and Buttons
Wireless Controllers - Displays the name of the wireless controllers reporting to the Analysis Engine on this host. Can be the IP address of another controller or "Local Controller", which represents the controller hosting this instance of the Analysis Engine.
Wireless APs - Name: name of the access point. Serial: serial number of the access point. Profile Name: describes the scan profile; the shield icon indicates a Guardian scan profile. Licensed: a check mark indicates that the AP is licensed.

Viewing the List of Friendly APs

The Friendly APs page allows you to manage the list of APs that are considered to be operating legitimately in the vicinity but to which authorized devices should not roam. A Friendly AP has to be added to the list manually, or an Uncategorized AP has to be manually reclassified as Friendly. To view a list of Friendly APs:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Maintenance > Friendly APs.

Table 113: Friendly APs Screen - Fields and Buttons
MAC Address - Specifies the MAC address of the Friendly AP.
SSID - Unique identifier attached to the header of packets sent over a wireless local-area network (WLAN) from the Friendly AP.
Description - Specifies a brief description of the Friendly AP.
Manufacturer - Lists the AP manufacturer.
Categorize Selected APs as - APs categorized as Friendly APs can be reclassified as authorized or as threats. For more information, see Reclassifying APs on page 592.
New - Click to create a new Friendly AP. For more information, see Adding Friendly APs on page 585.
Delete Selected - Select an AP from the list of Friendly APs, and click to delete it from the list.

Adding Friendly APs

To add a Friendly AP:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 Click Maintenance > Friendly APs.
4 Click New.

Figure 184: New Friendly AP

5 Configure the following parameters:
MAC Address - Specifies the MAC address of the Friendly AP.
SSID - Specifies the SSID of the Friendly AP.
Description - Specifies a brief description of the Friendly AP.
6 Click Save. The new access point is displayed in the Friendly APs list.

Modifying Friendly APs

To modify a Friendly AP:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 Click Maintenance > Friendly APs.
4 In the Friendly APs list, double-click the access point you want to modify.
5 Modify the access point fields as required and click Save.
Note
The MAC Address field cannot be modified.

Figure 185: Modify Friendly AP

Viewing the List of Uncategorized APs

Uncategorized APs are APs that have been discovered but do not fall into any other category. To view a list of Uncategorized APs:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Maintenance > Uncategorized APs.

Figure 186: Uncategorized APs

Table 114: Uncategorized APs Screen - Fields and Buttons
MAC Address - Specifies the MAC address of the uncategorized AP.
SSID - Unique identifier attached to the header of packets sent over a wireless local-area network (WLAN) from the uncategorized AP.
Manufacturer - Lists the AP manufacturer.
Categorize Selected APs as - Uncategorized APs can be reclassified as authorized, friendly, or prohibited. For more information, see Reclassifying APs on page 592.

4 Click Export to download the list of Uncategorized APs in .xml format.

Viewing the List of Authorized APs

The list of Authorized APs includes the APs that an authorized device is permitted to associate with. APs can be added to the list automatically (for example, if the AP is active on the current host or its availability partner) or manually.

Re-categorize an AP as Authorized to protect it from an unwanted countermeasure: for example, when a non-authorized AP with a problematic SSID (an External Honeypot) is in the vicinity of the authorized network and you want to exclude that AP from an undesired counter attack. To view a list of Authorized APs:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Maintenance > Authorized APs.

Figure 187: Authorized APs

Table 115: Authorized APs Screen - Fields and Buttons
MAC Address - Specifies the MAC address of the authorized AP.
Description - Specifies a brief description of the authorized AP.
Manufacturer - Lists the AP manufacturer.
Categorize Selected APs as - Authorized APs can be reclassified as friendly APs. For more information, see Reclassifying APs on page 592.
New - Click to create a new authorized AP. For more information, see Adding Authorized APs on page 589.
Delete Selected - Select an AP from the list of authorized APs, and click to delete it from the list.

Adding Authorized APs

You do not have to manually add APs to the authorized AP list. The controllers create the list automatically. However, sometimes you may need to do this manually:
An AP of a controller that is not sending information to the Analysis Engine is included on the Scanning APs screen, and devices should be able to roam between that AP and the APs of the controllers managed by the Analysis Engine.
When a foreign AP (External or Internal Honeypot, or Rogue AP) is added to the list of Authorized APs, accidental countermeasures against that AP are prevented.
You have a third-party AP that your authorized devices should be allowed to use even though the AP is not managed by a controller.

To add an Authorized AP:
1 To add access points manually to the Authorized APs list, from the Authorized APs screen, click New. The Authorized APs dialog displays.
2 In the Authorized APs dialog, type the following:
MAC Address - Specifies the MAC address of the AP.
Description - Specifies a brief description of the AP.
3 Click Save. The new access point is displayed in the authorized APs list.

Viewing the List of Prohibited APs

The list of Prohibited APs contains APs that you have manually added to the Radar database so that the Radar WIDS-WIPS system will detect them and, if so configured, protect against them. Manually add an AP to the list of Prohibited APs when a non-authorized AP is a threat but cannot be detected by the existing threat criteria. To view a list of Prohibited APs:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Maintenance > Prohibited APs.

Figure 188: Prohibited APs

Table 116: Prohibited APs Screen - Fields and Buttons
MAC Address - Specifies the MAC address of the prohibited AP.
Category - Threat category.
Description - Specifies a brief description of the prohibited AP.
Manufacturer - Lists the AP manufacturer.
Categorize Selected APs as - Prohibited APs can be reclassified as friendly APs. For more information, see Reclassifying APs on page 592.
New - Click to create a new prohibited AP. For more information, see Adding Prohibited APs on page 591.
Delete Selected - Select APs from the list of prohibited APs, and click to delete them from the list.

Adding Prohibited APs

To add a Prohibited AP:
1 To add access points manually to the Prohibited APs list, from the Prohibited APs screen, click New. The Prohibited APs dialog displays.
2 For MAC Address, specify the MAC address of the Prohibited AP.
3 For Description, enter a brief description of the AP.
4 For Action, select from the following options:
Report presence only - When the MAC address of the prohibited AP is detected by an authorized scanning AP, the prohibited AP's presence is reported in an event message. This in turn results in the MAC being included in the Radar threat reports. Radar takes no countermeasures against the device with this MAC address.
Treat like an internal honeypot AP - The device with the MAC address is considered to be as harmful as an Internal Honeypot, that is, an AP advertising an SSID that belongs to (impersonates) the authorized network. If countermeasures are enabled, no devices are allowed to associate to this MAC address, including devices of other neighboring enterprises.
Treat like an external honeypot - The device with the entered MAC address is considered to be as harmful as an External Honeypot, that is, an AP advertising a popular SSID. Authorized devices are prohibited from roaming to the device with this MAC address. Unauthorized devices and unrecognized devices are allowed to roam to it.
5 Click Save. The new access point is displayed in the Prohibited APs list.

For information about reclassifying an existing AP to Prohibited, see Reclassifying an AP as a Threat.

Reclassifying APs

You can manually assign APs from one category to another depending on the AP's current classification. Categorize selected APs directly from their current category list. For example, APs on the Friendly and Uncategorized lists can be reclassified as Authorized.

To reclassify an AP:
1 From the top menu, click WIPS.
2 If not already selected, select Security Analysis Engine and click Save.
3 In the left pane, click Radar Maintenance and select one of the AP lists. An AP can be reclassified depending on its current classification. See Table 117.

Table 117: AP Classifications
Current AP Category - Possible Reclassification
Friendly - Authorized, Prohibited
Uncategorized - Authorized, Friendly, Prohibited
Authorized - Friendly
Prohibited - Friendly

4 Select one or more APs from the list and choose an available classification from Categorize Selected APs as.
5 Click OK to reclassify the selected APs.

Reclassifying an AP as a Threat

Friendly and Uncategorized APs can be reclassified as a threat.
1 From the Friendly or Uncategorized AP list, select one or more APs and click Prohibited. The Reclassify APs dialog displays.

Figure 189: Reclassify an AP as a Threat

2 Select a threat classification from the list displayed.
3 Click Save.

Related Links
Viewing the List of Friendly APs on page 584
Viewing the List of Uncategorized APs on page 587

Working with Radar Reports

The Analysis Engine receives reports of threats from multiple APs. Different APs can report the same threat incident at the same time, so the Analysis Engine needs a way to decide which reports are actually reports of the same threat. It takes a number of factors into account when making this decision. Location is an important attribute used to decide whether two different reports are actually for the same threat.

To view Radar AP reports and statistics:
1 From the top menu, click Reports.
2 In the left pane, click Radar.

Figure 190: Radar Reports

3 Click the desired report:
Active Threats on page 595
Active Countermeasures on page 597
Blacklisted Clients on page 598
Radar APs Denied by License on page 599
Collection Engine Status on page 599
WLAN Security Report on page 600
Threat Summary on page 601
Threat History on page 603

Security Threats

The Radar reports provide information about security threats. Threat APs are APs that have been detected performing one or more types of attack on the authorized network.

Each AP defined on the controller has a text location attribute that can be set using the controller's GUI, CLI, and SNMP agent. By default the location attribute is empty for all APs. It is strongly recommended that you set the location attribute of each AP. The attribute should be set so that APs at the same location have exactly the same location attribute. For example, all the APs on the 3rd floor of a building could have the same location, such as "Boston/123 4th street/3rd floor". The controller's multi-edit page provides a convenient way to assign groups of APs to the same location.

The types of threat recognized by the Radar WIDS-WIPS system include:
Ad Hoc Device - A device in ad hoc mode can participate in direct device-to-device wireless networks. Devices in ad hoc mode are a security threat because they are prone to leaking information stored on file system shares and to bridging into the authorized network.
Cracking - This refers to attempts to crack a password or network passphrase (such as a WPA-PSK). The Chop-Chop attack on WPA-PSK and WEP is an example of an active password cracking attack.
Denial of Service (DoS) attacks - DoS attacks.
External Honeypot - An AP that is attempting to make itself a man-in-the-middle by advertising a popular SSID, such as an SSID advertised by a coffee shop or an airport.
Interference Source - A device that is generating a radio signal that interferes with the operation of the wireless network. An example of an interference source is a microwave oven, which can interfere with 2.4 GHz transmissions.
Internal Honeypot - An AP that is attempting to make itself a man-in-the-middle by advertising an SSID belonging to the authorized network.
Performance - Performance issues pertain to overload conditions that cause a service impact. Performance issues are not necessarily security issues, but many types of attack do generate performance issues.
Prohibited Device - A MAC address or BSSID is detected that matches an address entered manually into the Radar database.
Rogue AP - A rogue AP is an unauthorized AP connected to the authorized wired or wireless network.
Spoofed AP - An AP that is not part of the authorized network is advertising a BSSID (MAC address) that belongs to an authorized AP on the authorized network.
Surveillance - A device or application that is probing for information about the presence of a network and the services it offers.

Note
Surveillance can be passive (purely listening) or active (the surveyor sends messages to speed up the process of surveillance). It is only possible to detect active surveillance. Netstumbler and Wellenreiter are examples of active surveillance tools.

Active Threats

The Active Threats report lists all currently detected threats. Active threats are devices that are being detected performing attacks on the authorized network. Threat APs are APs that have been detected performing one or more types of attack on the authorized network. The report only lists currently active threats, not historic threats. For more information, see Threat History on page 603.

Viewing Active Threats Scan Results

1 From the top menu, click Reports.
2 In the left pane, click Radar.
3 Click Active Threats.

Figure 191: Active Threats Report

Table 118: Active Threats Report - Fields and Buttons
Detected Active At - Date and time that the threat was identified.
Threat MAC Address - MAC address of the threat device.
Threat Category - Type of threat. For more information, see Security Threats on page 594.
Countermeasures Applied - Indicates if a countermeasure has been applied.
Location - AP Name - Name of the threat AP.
Location - RSS - Threat AP Received Signal Strength (displayed in dBm).
Additional Details - Details of the threat including frequency, SSID, and Rogue Threats. Rogue threat details are accessed by clicking the three dots (...) that display in the column. The following parameters display in the Rogue Details dialog:
Sent MAC address - Source MAC address of the test packet sent over the wireless side.
Received MAC address - Source MAC address of the test packet as received on the wired side.
Sent IP address - Source IP address of the test packet sent over the wireless side. This IP address is automatically assigned via DHCP (Dynamic Host Configuration Protocol); the DHCP exchange goes through the Rogue AP.
Received IP address - Source IP address of the test packet as received on the wired side.
TTL difference - TTL (Time-To-Live or hop limit) difference between the TTL of the sent wireless test packet and the TTL of the test packet received on the wired side. For example, if the TTL of the sent wireless test packet is 64 and the TTL of the received packet is 62, then the TTL difference is 2, indicating that the packet went through 2 hops.
Learned gateway - Wireless gateway IP address as specified by the DHCP server (the DHCP exchange goes through the Rogue AP).

Note
When the Threat Report is based on MAC address, the SSID and encryption type associated with the threat can be determined. This information is not preserved after an upgrade, and historical data is aged every 30 days regardless of upgrade.

Modifying the Page's Refresh Rate:
1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied.
2 To add a specific threat to the list of Friendly APs, select the threat and click Add to Friendly List.
3 To refresh the page, click Refresh.
4 To export a copy of the report in XML format, click Export.
5 To close the report window, click Close.

Active Countermeasures

The Active Countermeasures report lists each AP currently taking countermeasures. The list also contains the type of attack being countered, when the counter attack started, which channel is being defended, the type of countermeasure in use and, when appropriate, the identifiers of the target of the attack.

Viewing Active Countermeasures Scan Results

1 From the top menu, click Reports.
2 In the left pane, click Radar. The Available Radar Reports screen displays.
3 Click Active Countermeasures. The Active Countermeasures Report screen displays.

Table 119: Active Countermeasures Report - Fields and Buttons
AP Name - Name of the AP taking countermeasures.
AP Serial Number - Serial number of the AP.
Threat Category - For more information, see Active Threats on page 595.
Countermeasure - Indicates the type of countermeasure applied.
Threat MAC Address - MAC address of the device being countered.
Started At - Date and time that the threat was identified.

Modifying the Page's Refresh Rate:
1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied.
2 To refresh the page, click Refresh.
3 To export a copy of the report in XML format, click Export.
4 To close the report window, click Close.

Blacklisted Clients

The Blacklisted Clients report lists all devices that are currently on the blacklist (or removed from the whitelist, if the list is in whitelist mode) because of the application of countermeasures to an attack. Clients automatically added to the Blacklist are removed automatically after the configured interval passes. Station addresses manually added to the Blacklist (or manually removed from the Whitelist) do not appear in this report.

Viewing Blacklisted Clients Scan Results

1 From the top menu, click Reports.
2 In the left pane, click Radar.
3 Click Blacklisted Clients. The Blacklisted Clients Report screen displays.

Table 120: Blacklisted Clients Report - Fields and Buttons
Blacklisted Address - MAC address of the blacklisted device.
Blacklisting Started at - Date and time when the device was added to the blacklist.
Blacklisting Ends at - Date and time when the device will be removed from the blacklist.
Reason - Reason for blacklisting the device.

To modify the page's refresh rate:
1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied.
2 To refresh the page, click Refresh.
3 To export a copy of the report in XML format, click Export.
4 To close the report window, click Close.

Radar APs Denied by License

The Radar APs Denied by License report lists all currently unlicensed APs.

Viewing Radar APs Denied by License Results

1 From the top menu, click Reports.
2 In the left pane, click Radar.
3 Click Radar APs Denied by License. The Radar APs Denied by License screen displays.

Table 121: Radar APs Denied by License Report - Fields and Buttons
Assigned APs - Identifies the name of the assigned Radar APs denied by license.
Scan Profile - Identifies the associated scan profile of the assigned AP.

Collection Engine Status

You can view a report on the connection status between the Analysis Engine and the remote data collector engine on each controller. To view the collection engine status:
1 From the top menu, click Reports.
2 In the left pane, under Radar, click Collection Engine Status.

Ensure that the Data Collector is running on the remote controller. If no box is displayed, the Analysis Engine is not attempting to connect with that Data Collector Engine. Each box displays the IP address of a Data Collector engine. The status of the Data Collector engine is indicated by one of the following colors:
Green - The Analysis Engine has a connection with the Data Collector on that controller.
Yellow - The Analysis Engine has connected to the Data Collector but has not synchronized with it.
Red - The Analysis Engine is aware of the Data Collector and is attempting to connect.

Note
If the box is displayed red and remains red, ensure your IP address is correctly set up to point to an active controller. If the box remains yellow, ensure the Data Collector is running on the remote controller.

1 To modify the page's refresh rate, type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply. The new refresh rate is applied.
2 To refresh the page, click Refresh.
3 To close the report window, click Close.

WLAN Security Report

The WLAN Security Report creates a PDF identifying security-related problems in the configuration of the wireless controller's WLAN Services. The report identifies issues and provides guidance for their resolution. The report can be printed or saved locally.

Viewing WLAN Security Report Scan Results

1 From the top menu, click Reports.
2 In the left pane, click Radar.
3 Click WLAN Security Report.

Figure 192: WLAN Security Report

Threat Summary

The Threat Summary report includes both Active and Historical Threats displayed in the form of pie chart graphs. A device can be counted more than once if it is the source of more than one threat. Each threat category is highlighted using a different color to quickly identify specific threats.

Viewing the Threat Summary

1 From the top menu, click Reports.
2 In the left pane, click Radar.
3 Click Threat Summary. The Threat Summary screen is displayed.

Table 122: Threat Summary Report - Fields and Buttons
Threat Category - List of possible threat categories that are displayed on the summary report. For more information, see Security Threats on page 594.
Active Threats - Total number of active threats identified for each threat category.
Historical Threats - Total number of threats that are no longer active but have been retained on the list for historical tracking purposes. Threats are identified for each threat category.

Modifying the Page's Refresh Rate

1 Type a time (in seconds) in the Refresh every __ seconds box at the top of the screen and click Apply.
2 To refresh the page, click Refresh.
3 To export a copy of the report in XML format, click Export.
4 To close the report window, click Close.

Threat History

Viewing the Threat History

1 From the top menu, click Reports.
2 In the left pane, click Radar.
3 Click Threat History. The Threat History screen displays.

Table 123: Historical Threat Report - Fields and Buttons
Last Reported - Date and time when the threat was most recently reported.
First Detected - Date and time that the threat was identified.
Threat MAC Address - MAC address of the device.
Threat Category - Type of threat. For more information, see Active Threats on page 595.
Currently Active - Current status of the threat.
Location - AP Name - Name of the threat AP.
Location - RSS - Threat AP Received Signal Strength (displayed in dBm).
Additional Details - Detailed information on the specific threat. When the Threat Report is based on MAC address, the SSID and encryption type associated with the threat can be determined. This information is not preserved after an upgrade, and historical data is aged every 30 days regardless of upgrade.

4 To export a copy of the report in XML format, click Export.
5 To close the report window, click Close.
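The two pieces of analysis-engine logic described in this chapter, as an added Python example (not ExtremeWireless code, and not the controller's XML export): first, the merging described under Working with Radar Reports, where several scanning APs report the same incident and the AP location attribute decides which reports are one threat; second, the wired test behind the Rogue Details dialog, where a test packet sent over the suspect AP is matched against what arrives on the wired side and the TTL difference gives the hop count. The record layouts, field names, MAC/IP values and sample reports are assumptions constructed for this example.

```python
"""Added example, not ExtremeWireless code: merging threat reports that
several scanning APs raise for the same incident, keyed on the threat MAC,
threat category and the reporting AP's location attribute, and evaluating
the Rogue AP wired test whose fields appear in the Rogue Details dialog.
Record layouts, field names and sample data are assumptions made here."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ThreatReport:
    reporting_ap: str     # scanning AP that observed the threat
    location: str         # that AP's location attribute, e.g. "Boston/123 4th street/3rd floor"
    threat_mac: str
    category: str         # e.g. "External Honeypot", "Rogue AP"
    rss_dbm: int          # signal strength of the threat as seen by reporting_ap
    detected_at: int      # epoch seconds


@dataclass
class ActiveThreat:
    threat_mac: str
    category: str
    location: str
    first_detected: int
    rss_dbm: int          # strongest RSS among the merged reports ("Location - RSS")
    ap_name: str          # AP that reported that RSS ("Location - AP Name")
    reporting_aps: list = field(default_factory=list)


def merge_reports(reports):
    """Collapse reports into one entry per (MAC, category, location).
    APs with different location attributes produce separate entries, which
    is why the guide recommends identical attributes for co-located APs."""
    threats = {}
    for r in reports:
        key = (r.threat_mac.lower(), r.category, r.location)
        t = threats.get(key)
        if t is None:
            threats[key] = ActiveThreat(r.threat_mac.lower(), r.category, r.location,
                                        r.detected_at, r.rss_dbm, r.reporting_ap,
                                        [r.reporting_ap])
            continue
        t.first_detected = min(t.first_detected, r.detected_at)
        t.reporting_aps.append(r.reporting_ap)
        if r.rss_dbm > t.rss_dbm:          # the closer AP supplies the location fields
            t.rss_dbm, t.ap_name = r.rss_dbm, r.reporting_ap
    return sorted(threats.values(), key=lambda t: (t.first_detected, t.threat_mac))


@dataclass(frozen=True)
class TestPacket:
    src_mac: str
    src_ip: str
    ttl: int
    marker: bytes         # unique payload so the wired capture can be matched to the probe


def evaluate_rogue_wired_test(sent, received_on_wire, learned_gateway):
    """Match the probe sent through the suspect AP against packets captured on
    the wired network.  A match means the AP bridges into the wired network;
    the TTL difference is the hop count (64 sent, 62 received -> 2 hops).
    Returns None when the probe never appeared on the wire."""
    for rx in received_on_wire:
        if rx.marker != sent.marker:
            continue
        return {
            "sent_mac": sent.src_mac,
            "sent_ip": sent.src_ip,
            "received_mac": rx.src_mac,
            "received_ip": rx.src_ip,
            "ttl_difference": sent.ttl - rx.ttl,
            "learned_gateway": learned_gateway,
            # assumption: a rewritten source MAC/IP means the rogue routes or
            # NATs the probe rather than bridging it at layer 2
            "address_rewritten": rx.src_mac != sent.src_mac or rx.src_ip != sent.src_ip,
        }
    return None


# Constructed sample data: two 3rd-floor APs and one 5th-floor AP see the same
# honeypot MAC; one 3rd-floor AP also sees a rogue AP.
SAMPLE_REPORTS = [
    ThreatReport("AP3917-3F-East", "Boston/123 4th street/3rd floor",
                 "AA:BB:CC:DD:EE:01", "External Honeypot", -61, 1700000000),
    ThreatReport("AP3917-3F-West", "Boston/123 4th street/3rd floor",
                 "aa:bb:cc:dd:ee:01", "External Honeypot", -47, 1700000010),
    ThreatReport("AP3917-5F-North", "Boston/123 4th street/5th floor",
                 "aa:bb:cc:dd:ee:01", "External Honeypot", -70, 1699999990),
    ThreatReport("AP3917-3F-East", "Boston/123 4th street/3rd floor",
                 "aa:bb:cc:dd:ee:02", "Rogue AP", -55, 1700000100),
]

SENT_PROBE = TestPacket("02:00:5e:00:53:01", "192.0.2.77", 64, b"radar-probe-7f3a")
WIRED_CAPTURE = [
    TestPacket("00:00:5e:00:53:10", "198.51.100.9", 60, b"unrelated-traffic"),
    TestPacket("02:00:5e:00:53:01", "192.0.2.77", 62, b"radar-probe-7f3a"),
]


def active_threats():
    return merge_reports(SAMPLE_REPORTS)


def rogue_details():
    return evaluate_rogue_wired_test(SENT_PROBE, WIRED_CAPTURE, "192.0.2.1")


if __name__ == "__main__":
    for t in active_threats():
        print(t.threat_mac, t.category, t.location, t.ap_name, t.rss_dbm, t.reporting_aps)
    print(rogue_details())
```

Running the block yields two Active Threats entries for the honeypot MAC (one per floor, because the 5th-floor AP carries a different location attribute) plus the rogue, and a Rogue Details record with a TTL difference of 2. If the 5th-floor AP had been given the 3rd-floor location string by mistake, the three honeypot reports would collapse into one entry, which is the practical consequence of the location-attribute recommendation above.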
17 Working with Location Engine

Location Engine Overview
Location Engine on the Controller
Deploying APs for Location Aware Services
Configuring the Location Engine
ExtremeLocation Support

Location Engine Overview

Station location tracking is one of the advanced ExtremeWireless Radar features designed for managing a wireless environment and its resources. The Location Engine works in conjunction with Extreme Management Center maps to define specific floor plan areas for Location Aware Services.

The Location Engine determines location based on the Received Signal Strength (RSS) of the client stations as measured at the AP. The location algorithm uses RF fingerprinting based on a path loss model and determines location by triangulating the RSS reported from one or more APs. Estimating location using readings from multiple APs provides a more accurate location estimate. Estimating location using RSS from a single AP is sufficient only to determine the location of the client in terms of proximity to the associated AP; the client location is then indicated on the map as a circle around the AP. Estimation using multiple RSS readings offers a pinpoint location estimate of the client; the client location is indicated as a pin, in the most probable position, on the map. The colors displayed around the pin indicate the level of confidence that the client is physically located there.

The Location Engine can be configured to track on-demand users, associated users, and unassociated users:
An on-demand user is a client that is manually added to a preferred list of clients. Space is guaranteed for on-demand users in the Location Engine table. An on-demand user can be either an associated user, such as an employee, or an unassociated user, such as a rogue client that can be tracked as a possible network threat. The Location Engine tracks the location of multiple clients simultaneously and returns position relative to the floor plan.
An associated user is an authenticated client. An associated user joins the SSID provided by the AP by simply associating to the open or protected SSID. The Location Engine can track location for every associated client, up to the controller limit of associated clients.
An unassociated user is a client that is not authenticated but is in the designated area. The Location Engine can track these clients.

No additional license is required to use the Location Engine functionality in the controller. However, to draw maps and to visualize location tracking, Extreme Management Center is required, which comes with its own licensing requirements.

Location Solution Architecture

The ExtremeWireless controller is at the center of the Location Aware Services solution. The Location Engine collects RSS readings from APs and displays location data using Extreme Management Center maps or other third-party applications. The following diagram illustrates the solution architecture.

Figure 193: Components of Location Aware Services Solution

Dynamic Filtering

Dynamic filtering is a primary use case for Location Aware Services. This feature controls client access based on location. Customers can use Location Aware Services in schools and hospitals to define access parameters within a designated area. This functionality, combined with the role assignment from Network Access Control (NAC), makes it possible to implement dynamic filtering based on the client location.
Network access rights (access to servers or applications) can depend on the client location, inside or outside the defined area. Role assignment is accomplished dynamically by the controller and NAC as the client moves within the floor plan.

Bulk Reporting

The Location Engine can export bulk reporting data for use in third-party applications. For example, use Location Engine data to determine traffic flow in large venues and for time-of-use analytics. The controller's bulk reporting data includes the location of the client, the serial number of the associated AP, the name of the floor plan, and more. Third-party location client applications can synchronize their floor maps directly from the controller (either on demand or on a scheduled basis using the controller CLI). Although it is possible to access the Location Engine data directly using a CLI session, most users will choose to access location data using Extreme Management Center maps or a third-party location client application.

Location Engine on the Controller

The Location Engine tracks the location of multiple clients simultaneously and returns position relative to the floor plan. The following are components of the Location Engine:
Heat Map. The Location Engine generates a heat map of each AP on a user-provided floor plan. The Location Engine analyzes the floor plan and considers the presence and material of structures or obstacles, such as walls, when calculating the predictive coverage map. Extreme Management Center is required to define the floor plan. Be sure to include the presence of walls and obstacles when defining the floor plan. For information about defining a floor plan, see the Extreme Management Center User Guide.

Localization algorithms. Location Engine algorithms scan all APs that report the client and select RSS readings from three or more APs that are most likely to provide the best location estimates. Using the selected RSS readings, the location is triangulated and returned as Cartesian coordinates relative to the floor plan.

Notification. Location is reported immediately on a real-time stream and as a notification on the event stream (syslog). The controller tracks the client location and can determine when a client is inside a predefined area. You can define up to 16 areas of interest per floor map using Extreme Management Center. The Location Engine offers a Track Area Change feature that, when enabled, triggers a notification each time a client moves from one area to another. The notification events can be used for improved radio resource management such as Network Access Control (NAC). For information about how to enable Track Area Change, see Configuring the Location Engine on page 609.

Simultaneous updates. The Location Engine simultaneously updates the location of tracked clients. It can track the number of clients that can be supported by the controller. If the controller is part of an availability pair, it can also track the clients supported by the availability partner, and the Location Engine is not restricted by floor size.

Client location is presented in Extreme Management Center. Figure 194 illustrates a blue pin placed on the most probable position of the client.
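The localization and Track Area Change behaviour described in the component list above, as an added worked example (not code from the ExtremeWireless guide or from Extreme Networks): readings weaker than -75 dBm are dropped, at least three APs are required, the position comes back as floor-plan coordinates, and a move between two of the up-to-16 areas produces exactly one notification. The log-distance path-loss model, the least-squares solver, the AP positions, the polygon areas and the client MAC are assumptions constructed for the example; the guide does not publish the controller's actual algorithm.

```python
"""Added example: client localization under the guide's constraints plus a
Track Area Change check. Not the controller's code; model and data constructed."""
import math
from dataclasses import dataclass

RSS_THRESHOLD_DBM = -75.0   # guide: only readings stronger than -75 dBm are used
MIN_APS = 3                 # guide: three or more APs are needed for an estimate
MAX_AREAS = 16              # guide: up to 16 areas of interest per floor map
RSS_AT_1M_DBM = -40.0       # assumed path-loss parameters (not from the guide)
PATH_LOSS_EXPONENT = 2.0


@dataclass(frozen=True)
class Reading:
    ap: str          # reporting AP
    x: float         # AP position on the floor plan, in metres
    y: float
    rss_dbm: float   # client RSS as seen by this AP


def rss_to_distance(rss_dbm):
    """Assumed log-distance model RSS = RSS_AT_1M - 10*n*log10(d), inverted."""
    return 10 ** ((RSS_AT_1M_DBM - rss_dbm) / (10 * PATH_LOSS_EXPONENT))


def simulate_rss(ap_xy, client_xy):
    """Inverse of rss_to_distance; used only to construct sample readings."""
    d = max(math.dist(ap_xy, client_xy), 1.0)
    return RSS_AT_1M_DBM - 10 * PATH_LOSS_EXPONENT * math.log10(d)


def usable_readings(readings):
    """Apply the -75 dBm cut-off: weaker readings never enter the estimate."""
    return [r for r in readings if r.rss_dbm > RSS_THRESHOLD_DBM]


def locate(readings):
    """Return (x, y) on the floor plan, or None when fewer than MIN_APS usable
    readings exist or the APs are collinear (no unique 2-D fix). Subtracting the
    first AP's range circle from each other circle gives equations linear in x
    and y, solved here by 2x2 least squares (assumed method)."""
    usable = usable_readings(readings)
    if len(usable) < MIN_APS:
        return None
    x0, y0, d0 = usable[0].x, usable[0].y, rss_to_distance(usable[0].rss_dbm)
    a11 = a12 = a22 = b1 = b2 = 0.0
    for r in usable[1:]:
        di = rss_to_distance(r.rss_dbm)
        ax, ay = 2 * (r.x - x0), 2 * (r.y - y0)
        bi = d0 ** 2 - di ** 2 + r.x ** 2 - x0 ** 2 + r.y ** 2 - y0 ** 2
        a11, a12, a22 = a11 + ax * ax, a12 + ax * ay, a22 + ay * ay   # A^T A
        b1, b2 = b1 + ax * bi, b2 + ay * bi                          # A^T b
    det = a11 * a22 - a12 * a12
    if abs(det) < 1e-9:
        return None
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a12 * b1) / det)


def point_in_polygon(point, polygon):
    """Ray-casting test; polygon is the vertex list of a closed area."""
    x, y = point
    inside = False
    for i, (x1, y1) in enumerate(polygon):
        x2, y2 = polygon[(i + 1) % len(polygon)]
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside


def area_of(point, areas):
    """Name of the area containing point, or None. areas: {name: polygon}."""
    if len(areas) > MAX_AREAS:
        raise ValueError(f"at most {MAX_AREAS} areas per floor map")
    return next((n for n, poly in areas.items() if point_in_polygon(point, poly)), None)


class AreaChangeTracker:
    """Track Area Change: one notification each time a client changes area."""

    def __init__(self, areas):
        self.areas = areas
        self.last = {}   # client MAC -> area name (None = outside every area)

    def update(self, mac, readings):
        point = locate(readings)
        if point is None:
            return None   # no fix, nothing to compare against
        new_area = area_of(point, self.areas)
        first_seen = mac not in self.last
        old_area = self.last.get(mac)
        self.last[mac] = new_area
        if first_seen or new_area == old_area:
            return None
        return {"mac": mac, "from": old_area, "to": new_area, "position": point}


# Constructed floor plan: APs at the corners (the guide's recommended placement)
# plus one distant AP whose reading falls below the -75 dBm cut-off in the samples.
SAMPLE_APS = {"ap-1": (0.0, 0.0), "ap-2": (20.0, 0.0), "ap-3": (20.0, 20.0),
              "ap-4": (0.0, 20.0), "ap-far": (60.0, 60.0)}
SAMPLE_AREAS = {"lobby": [(0, 0), (10, 0), (10, 20), (0, 20)],
                "lab": [(10, 0), (20, 0), (20, 20), (10, 20)]}


def readings_for(client_xy, aps=SAMPLE_APS):
    """Constructed readings for a client at client_xy, one per AP."""
    return [Reading(n, x, y, simulate_rss((x, y), client_xy)) for n, (x, y) in aps.items()]
```

Feeding `readings_for((5, 10))`, `((15, 10))`, `((15, 12))` and `((30, 5))` to one `AreaChangeTracker` yields a notification only for the lobby-to-lab move and for leaving the lab; the distant AP is discarded by the threshold each time.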
The map is colored according to the expected probability of the client position. Black is the most likely and yellow is the least likely position.

Figure 194: Extreme Management Center Floor Plan

Deploying APs for Location Aware Services

Deploying APs for location tracking requires additional consideration above the standard AP deployment guidelines for coverage and capacity. The following are best practices for AP deployment:

Minimum Received RSS. No less than three APs should be detecting and reporting the RSS of any client station. Only RSS readings stronger than -75 dBm are used by the Location Engine.

Use the same AP model for the entire floor plan, so that the RSS readings in that area will have less variation.

Design your floor plan with the APs installed at the corners of the floor plan, along the perimeter of the location area. (An area is considered a closed polygon.) Do not cluster APs in the center of the location area. The following illustration shows a recommended AP placement.

Figure 195: Recommended AP Placement

The maximum distance between APs depends on environmental factors such as the presence of walls and structures, but as a rule of thumb, in a location aware deployment, place the APs 10 to 20 meters apart.

Install APs at the same height on the wall, and do not install APs behind walls or ceilings.

Install APs away from metal structures like poles or racks, because metal can affect the radiated pattern.

When location accuracy is paramount, augment your in-service deployment with Guardian APs. Guardian APs scan multiple channels, whereas in-service APs operate on a single channel. Therefore, Guardian APs are capable of registering readings from more clients than in-service APs. Guardian APs also increase the number of triangulation points. The Guardian mitigates the problem of non-probing clients and is capable of sensing a client based on its data packets. For more information, see Configuring an AP as a Guardian on page 221.

Configuring the Location Engine

Location Engine configuration involves defining environmental factors in the floor plan, location targets, area change notification, and client targets. The following information is provided to help you configure the Location Engine:
Enabling the Location Engine on page 609
Location Batch Reporting on page 611
Creating a New Destination URL on page 613
Creating a New On-Demand User on page 613
Downloading a Floor File on page 614
Uploading a Floor File on page 616
Deleting a Floor File on page 618

Enabling the Location Engine

1 From the top menu, click WIPS.
2 In the left pane, click Location Engine. The Location Engine Settings screen displays.
3 To enable or disable the Location Engine, select or clear the Location Engine check box.

Table 124: Location Engine Settings Dialog - Fields and Buttons

Field/Button: Description

Environment Settings
Default AP Height (cm): Enter the height of the AP based on its location on the wall.
Default Environmental Model: Select a mode that best matches the environment identified by the floor plan. Choose one of the following modes from the drop-down list:
   Indoor open space (halls, auditoriums)
   Office Environment with light divisions (cubicles)
   Office Environment with dry wall divisions
   Office Environment with hard divisions (brick)
   Interior Walls (need to be defined in the floor plan)

Clients
   None: Locator does not collect or triangulate RSS readings. Locator tracks active sessions only.
   All: Locates all active users and all non-associated users (MAC) around deployed APs located within the signal range. RSS readings from non-associated users are included in the Location Engine table.
   Note: The Location Engine table is shared between all tracked users. This table does not increase in size and does not reserve space for associated users. Once the number of tracked users exceeds the limit, additional users will not be added to the table. Users remain in the table until they time out. Users designated as On-Demand are guaranteed space in the Location Engine table.

Track Area Change: The controller tracks the client location and can determine when a client is inside a predefined area. Select Track Area Change to trigger a notification when a client moves from one area to another. Use the notification events to improve radio resource management such as Network Access Control (NAC).

On-Demand Users: Displays a list of known MAC addresses present in the area, for example, a list of employees. On-demand users are guaranteed space in the Location Engine table.
Add: Click to create a new on-demand user. For more information, see Creating a New On-Demand User on page 613.
Delete Selected: Click to delete the selected on-demand user.
Advanced: Click to open the Advanced dialog, which lists available floor plans. From the Advanced dialog, you can upload and download floor plans. For more information, see Downloading a Floor File on page 614.
Save: Click to save changes.

Location Batch Reporting

When the Location Engine is enabled and configured to publish locations, it posts location data in XML format to a given location. The location data is pushed to up to five given destinations periodically within the given time interval. Batch reporting continues until Location Batch Reporting is disabled, the Location Engine is disabled, or the controller is powered off.

In location-based applications and user traffic analytics, integrating partners often require more detail than simply the location of a MAC address. The client reporting option allows users to generate a report with details from the MU-Table. The AP reporting option provides AP details that give a third-party App server context for the AP location.

To generate a report:
1 From the top menu, click WIPS.
2 In the left pane, click Location Engine.
3 To enable or disable Location Batch Reporting, in the left pane, select Location Batch Reporting, then select the Location Batch Reporting check box.
4 To enable or disable Client Reporting, in the left pane, select Location Batch Reporting, then select the Clients Detail Reporting check box.
5 To enable or disable AP Detail Reporting, in the left pane, select Location Batch Reporting, then select the AP Detail Reporting check box.

Figure 196: Reporting Options

The following details are provided with the AP Detail Reporting option:
name
serial
hostname
ipAddress
macAddress
iotMacAddress
iotRadioMode
iotProtocol
iBeaconProperties
   iBeaconUUID
   iBeaconMajor
   iBeaconMinor

Note: The IoT data is provided when the IoT port is enabled and provisioned. IoT is enabled by default for supported APs.

Table 125: Reporting Fields and Buttons

Field/Button: Description
Report all station locations every (X) minutes: Select a time (in minutes) for station reporting from the drop-down list.
Dimension Unit: Select a dimension unit, from the drop-down list, for measuring location destinations. (Displayed for Location Batch Reporting only.)
Login: Login ID of the destination URL.
Password: Password of the destination URL.
Destination URL: List of destination URLs.
Add: Click to create a new Destination URL. For more information, see Creating a New Destination URL on page 613.
Delete Selected: Click to delete the selected Destination.
Save: Click to save changes.

Creating a New Destination URL

1 From the top menu, click WIPS.
2 In the left pane, click Location Engine > Location Batch Reporting and select either Location Batch Reporting or Client Detail Reporting.
3 Click Add. The Destination URL dialog displays.
4 Enter a user ID and password for the destination URL.
5 Enter a URL for the new destination.
6 Click OK.

Creating a New On-Demand User

1 From the top menu, click WIPS.
2 In the left pane, click Location Engine. The Location Engine Settings screen displays.
3 Click Add. The On-demand User dialog displays.
4 Enter a MAC Address for the new on-demand user.
5 Click OK.

Extreme Management Center Floor Files

Generate floor files using Extreme Management Center. Floor files have the file type .fxml. Once .fxml files are generated locally, they automatically display on the Location Engine Settings Advanced dialog.
It is possible to download .fxml files from a server, but it is most common to generate the file locally using Extreme Management Center.

Related Links
Downloading a Floor File on page 614
Uploading a Floor File on page 616
Deleting a Floor File on page 618

Downloading a Floor File

The Download button is always enabled. All information about the floor plan is contained in the file being downloaded, including unique identifiers for the floor plan.

1 From the top menu, click WIPS.
2 In the left pane, click Location Engine. The Location Engine Settings screen displays.
3 Click Advanced. The Advanced dialog displays.
4 Click Download. The Download and Import Floor Plan File dialog displays.

Table 126: Download and Import Floor File Dialog - Fields and Buttons

Field/Button: Description
Protocol: Select the transfer protocol from one of the following:
   FTP
   SCP
Server: IP address of the server containing the floor file.
User ID: Required ID to access the server.
Password: Password required for access to the server.
Confirm: Enter the password for confirmation.
Directory: Location of the floor file on the selected server.
Filename: File name of the floor plan file on the selected server.

5 Click Download to import the floor plan, or click Close to cancel the import.

Related Links
Extreme Management Center Floor Files on page 614
Uploading a Floor File on page 616
Deleting a Floor File on page 618

Uploading a Floor File

The Upload Selected button is enabled when a row within the list of floor plans is highlighted.

1 From the top menu, click WIPS.
2 In the left pane, click Location Engine. The Location Engine Settings screen displays.
3 Click Advanced. The Advanced dialog displays.
4 Select a floor file from the list of floor files.
5 Click Upload Selected. The Upload Floor Plan File dialog displays.

Table 127: Upload Floor Plan File Dialog - Fields and Buttons

Field/Button: Description
Protocol: Select the transfer protocol from one of the following:
   FTP
   SCP
Server: IP address of the server where the file will be exported.
User ID: Required ID to access the server.
Password: Password required for access to the server.
Confirm: Enter the password for confirmation.
Directory: Location of the floor file directory on the destination server.
Filename: File name of the floor plan file on the destination server.

6 Click Upload to export the floor plan, or click Close to cancel the export.

Related Links
Extreme Management Center Floor Files on page 614
Downloading a Floor File on page 614
Deleting a Floor File on page 618

Deleting a Floor File

1 From the top menu, click WIPS.
2 In the left pane, click Location Engine. The Location Engine Settings screen displays.
3 Click Advanced. The Advanced dialog displays.
4 Select a floor file from the list of floor files. Only one floor file can be deleted at a time.
5 Click Delete Selected to delete the floor file from the list. Click OK to confirm the delete operation.
6 Click Close.

Related Links
Extreme Management Center Floor Files on page 614
Downloading a Floor File on page 614
Uploading a Floor File on page 616

ExtremeLocation Support

ExtremeWireless supports integration with ExtremeLocation for on-premise controller and ExtremeCloud deployments using AP39xx.

ExtremeLocation is a premier location tracking and analytics solution by Extreme Networks. Using HTTPS with self-signed certificates, an AP opens WebSocket connections to the ExtremeLocation Server and reports RSS signal strength readings based on the ExtremeLocation configuration. An ExtremeLocation user associates the Tenant ID and Site information with the AP MAC address over the AP WebSocket.

The AP can be the RSS source for both the Location Engine (integrated with Extreme Management Center) and ExtremeLocation at the same time. RSS information travels both through the WASSP tunnel to the controller and through the WebSocket to ExtremeLocation. The AP operates as the ExtremeLocation client in both modes: as an in-service AP (while providing service to the associated users, it collects RSS on the same channel) and as a Guardian AP (it scans multiple channels and provides RSS on the channels scanned). Channels and dwell time are defined in the Guardian Group configuration.

Related Links
Configuring ExtremeLocation on page 619

Configuring ExtremeLocation

To configure ExtremeLocation support for ExtremeWireless, do the following:

1 Go to WIPS > Location Engine > ExtremeLocation.
2 Check Report to ExtremeLocation.

Figure 197: ExtremeLocation Configuration

3 Configure the following parameters:

Table 128: ExtremeLocation Configuration Parameters

Field: Description
Server Address: The IP address or FQDN (fully-qualified domain name) of the LocationEngine Server.
Minimum RSS Reporting: RSS threshold for reporting location data. Valid values are -90 to -70 dBm.
Report every number of seconds: Reporting interval in seconds.

4 Select one or more APs to assign for ExtremeLocation support. Use the search field to find a specific AP in the list. AP39xx models are supported.
5 Click Save.

Related Links
ExtremeLocation Support on page 619

18 Working with Reports and Statistics

Application Visibility and Device ID
Viewing AP Reports and Statistics
Available Client Reports
Viewing Role Filter Statistics
Viewing Topology Reports
Viewing Mobility Reports
Viewing Controller Status Information
Viewing Routing Protocol Reports
Viewing RADIUS Reports
Call Detail Records (CDRs)

This chapter describes the various reports and statistics available in the Wireless system, including:
Viewing AP Reports and Statistics
Viewing Active Clients
Viewing Role Filter Statistics
Viewing Topology Reports
Viewing Mobility Reports
Viewing Controller Status Information
Viewing Routing Protocol Reports
Call Detail Records (CDRs)

Application Visibility and Device Identification

With ExtremeWireless, you can identify devices and applications on the wireless network. From the dashboard and the Active Client report, you can view:
IPv4 and IPv6 Addresses
Host Name
Operating System
Device Type
Top 5 Application Groups by Throughput (2-minute interval)
Top 5 current Application Groups by Bytes, from session start
Throughput chart for an application group
Average TCP Round Trip Time
Average DNS Round Trip Time

Figure 198: Application Visibility by WLAN

Figure 199: Application Visibility by Client

Related Links
Application Visibility on page 623
Device Identification on page 625
Enabling Application Visibility with Device Identification on page 626
Displaying Client Details on page 643
Wireless Assistant Home Screen on page 34

Application Visibility

With the ability to gather application analytics, you can engineer wireless traffic to support company policies, preserve bandwidth, identify critical applications, assign higher priority and QoS values, and enhance network security. Application Visibility and Application Enforcement make it possible to block restricted web content and to block or limit peer-to-peer protocols to preserve network bandwidth.

With ExtremeWireless, you can view the top 5 application groups by WLAN (Wireless Local Area Network) from the controller Home dashboard and the top 5 application groups for each client from the Client Details report. The Applications by WLAN pie chart displays the top 5 application groups running on that WLAN. ExtremeWireless cycles through the active WLAN Services displaying statistics. To view detailed statistics, enable Application Visibility during the WLAN configuration; then, on the Home dashboard, click the displayed pie chart under Applications by WLAN. Or, click Enable Application Visibility from the Home dashboard.
The controller and AP capture statistics for 31 pre-selected application groups. The top 5 application groups are displayed based on bytes and throughput over the last two-minute measuring period. The stats for each WLAN display for 30 seconds on a continuous cycle. Historical statistical data is available from ExtremeCloud and Extreme Application Analytics.

Note: For application enforcement, you must enable Application Visibility in the WLAN configuration.

To manage wireless traffic in support of company policies, define Layer 7 filter rules from the Filter Rule Definition dialog. Layer 7 represents the application layer of the OSI communication model. Define policy rules with access control actions for specific applications or groups of applications. Application visibility supports standard Extreme Application Analytics signatures. You can also configure up to 64 extended web application signatures.

Related Links
L7 Configuration on page 307
Device Identification on page 625
Wireless Assistant Home Screen on page 34
Enabling Application Visibility with Device Identification on page 626
Application Visibility and Device ID on page 621

Application Control for Tunneled Traffic

To classify a flow, the DPI engine must examine both client and server packets. The controller enforces policy for downstream traffic and the AP enforces policy for upstream traffic. For tunneled traffic, the DPI engine must examine the packets at the controller. Enforce this by clearing the AP Filtering check box on the Policy Rules tab.

Figure 200: Configuring Policy Rules for Downstream Traffic at the Controller

Device Identification

ExtremeWireless can identify the device type and operating system used by clients associated with an ExtremeWireless AP. Gathering this information in a site deployment furthers mobile user statistical reporting on the controller or Cloud.
This feature is supported on the ExtremeWireless AP38xx and AP39xx series APs. This discovery is implemented on the AP through deep packet inspection of DHCP (Dynamic Host Configuration Protocol) and HTTP packets. Regardless of how the traffic is bridged, at the controller or routed, fingerprinting is handled on the AP. This approach offers a consistent implementation that does not require a large processing load. The AP fingerprints the same messages as Extreme Access Control.

The precision of the client's identity improves over time. Each DHCP fingerprint has an assigned weight in the XML file. HTTP fingerprints are assigned a greater weight than DHCP fingerprints. The AP tracks the weight of a client's fingerprint. If a client is identified with a fingerprint that has a greater weight than what was previously stored in the database, the new device identity and weight value are updated in the database.

Device ID is based on a DHCP database. The database is defined by an XML file that is built into both the AP and controller image. The XML file can be updated each time the image file is updated.

The AP reports device identity changes to the controller and to the Cloud. This information is available to the user through the ExtremeWireless dashboard and through the controller reporting system. The client device type is included in all data streams where client parameters are included. For instance, this information is available to the ExtremeWireless Location Engine and to Extreme Management Center.

Related Links
Application Visibility and Device ID on page 621
Wireless Assistant Home Screen on page 34
Displaying Client Details on page 643

Enabling Application Visibility with Device Identification

To view statistics on the applications and devices associated with a specific WLAN Service, configure the WLAN Service with Application Visibility enabled.
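The weight-based identity update described in the Device Identification section above, as an added example (not code from the guide or from Extreme Networks): a stored identity is replaced only by a fingerprint of strictly greater weight, so HTTP evidence overrides a DHCP match and a later, weaker DHCP match never regresses the stored identity. The XML layout, the DHCP option 55 parameter lists used as DHCP fingerprints, the User-Agent substrings, the weights and the client MAC are constructed assumptions; the real database built into the AP and controller image is not published in the guide.

```python
"""Added example of the Device Identification weight rule. Not Extreme's code:
the XML layout, fingerprints, weights and MAC below are constructed assumptions."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed fingerprint database. The guide says the real one is an XML file
# built into the AP and controller image; element and attribute names are assumed.
FINGERPRINT_XML = """
<fingerprints>
  <dhcp weight="10" params="1,3,6,15,119,252" device="Generic laptop" os="Unknown"/>
  <dhcp weight="30" params="1,121,3,6,15,119,252" device="Apple Mac" os="macOS"/>
  <http weight="50" ua="Mac OS X" device="Apple Mac" os="macOS"/>
  <http weight="50" ua="Android" device="Android phone" os="Android"/>
</fingerprints>
"""


@dataclass(frozen=True)
class Identity:
    device: str
    os: str
    weight: int


class DeviceIdDatabase:
    """Fingerprint matching plus the per-client weight tracking the AP performs."""

    def __init__(self, xml_text):
        root = ET.fromstring(xml_text.strip())
        # DHCP fingerprint key: the client's option 55 parameter request list (assumed)
        self.dhcp = {e.get("params"): self._identity(e) for e in root.findall("dhcp")}
        # HTTP fingerprint key: a User-Agent substring (assumed)
        self.http = [(e.get("ua"), self._identity(e)) for e in root.findall("http")]
        self.clients = {}   # client MAC -> Identity currently stored

    @staticmethod
    def _identity(elem):
        return Identity(elem.get("device"), elem.get("os"), int(elem.get("weight")))

    def match_dhcp(self, param_request_list):
        key = ",".join(str(p) for p in param_request_list)
        return self.dhcp.get(key)

    def match_http(self, user_agent):
        hits = [ident for needle, ident in self.http if needle in user_agent]
        return max(hits, key=lambda i: i.weight, default=None)

    def observe(self, mac, fingerprint):
        """Guide's rule: store the new identity only when its weight is greater
        than the stored one. Returns True when the identity changed, which is
        the event the AP reports to the controller."""
        if fingerprint is None:
            return False
        current = self.clients.get(mac)
        if current is not None and fingerprint.weight <= current.weight:
            return False
        self.clients[mac] = fingerprint
        return True

    def identity_of(self, mac):
        return self.clients.get(mac)


if __name__ == "__main__":
    db = DeviceIdDatabase(FINGERPRINT_XML)
    mac = "aa:bb:cc:dd:ee:02"   # constructed client MAC
    print(db.observe(mac, db.match_dhcp([1, 121, 3, 6, 15, 119, 252])), db.identity_of(mac))
    print(db.observe(mac, db.match_http("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15)")), db.identity_of(mac))
    print(db.observe(mac, db.match_dhcp([1, 3, 6, 15, 119, 252])), db.identity_of(mac))
```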
You can enable visibility from the WLAN Services configuration screen or temporarily enable visibility from the Home screen dashboard. To enable Application Visibility from the WLAN Service:
1 Go to VNS > WLAN Services and select a WLAN Service or click New.

Figure 201: Application Visibility Check Box Option

2 Check the App Visibility option and click Save.

Note: You can enable Application Visibility from the Home dashboard for WLAN Services that do not have this configuration option enabled.

Related Links
Application Visibility on page 623
Device Identification on page 625
Wireless Assistant Home Screen on page 34

Viewing AP Reports and Statistics

To view AP reports:
From the top menu, click Reports.

Viewing Statistics for APs

Several displays are snapshots of activity at that point in time on available APs:
Active APs
Wired Ethernet Statistics
Wireless Statistics
Admission Control Statistics
Mesh Statistics
Wireless Load Groups
AP Availability
AP Inventory
Channel Inspector
AP Performance by Radio
AP Performance by SSID and Radio
AP Accessibility
AP Dashboard. See AP Dashboard on page 157.

The statistics displayed are those defined in the 802.11 MIB, in the IEEE 802.11 standard.

Viewing Active Wireless APs

Statistics in the Active Wireless APs report are expressed with respect to the AP. For example, Packets Sent indicates the packets the AP has sent to a client and Packets Recd indicates the packets the AP has received from a client.

1 From the top menu, click Reports.
2 Click the Active APs display option. The Active Wireless APs display opens in a new browser window.

Figure 202: Active Wireless APs Report

Note: The IoT column indicates the IoT status for an AP. Valid values are:
Off. The iBeacon application is not running.
iBeacon. The iBeacon application is running.
N/A. IoT is not supported on this AP. Only AP39xx models support IoT.

Viewing Wired Ethernet Statistics:
1 From the top menu, click Reports. The Available AP Reports screen displays.
2 Click the Wired Ethernet Statistics display option. The Wired Ethernet Statistics by Wireless APs display opens in a new browser window.
3 In the left pane, click a registered AP to display its information.

Viewing Wireless Statistics:

1 From the top menu, click Reports.
2 Click the Wireless Statistics display option. The Wireless Statistics by Wireless APs display opens in a new browser window.
3 In the Wireless Statistics by Wireless APs display, click a registered AP to display its information.
4 Click the appropriate tab to display information for each Radio on the AP.

Viewing Admission Control Statistics by Wireless AP:

1 From the top menu, click Reports.
2 Click the Admission Control Statistics display option. The Admission Control Statistics by Wireless AP display opens in a new browser window.
3 In the Admission Control Statistics by Wireless AP display, click a registered AP to display its information.
4 The Admission Control Statistics by Wireless AP display lists the TSPEC statistics associated with this AP:
AC: Access class where TSPEC is applied
Direction: Inbound, Outbound or Bidirectional
MDR: Mean Data Rate
NMS: Nominal Packet Size
SBA: Surplus Bandwidth (ratio)

The following statistics are of measured traffic:
Rate: Rate in 30 second intervals (inbound and outbound)
Violation: Number of bits in excess in the last 30 seconds (inbound and outbound)

Viewing Mesh VNS Wireless AP Statistics:
1 From the top menu, click Reports.
2 From the Available AP Reports screen, click Mesh Statistics. The Mesh Statistics display opens in a new browser window.

The Rx RSS value on the Mesh Statistics display represents the received signal strength (in dBm).

Viewing Load Balance Group Statistics

The Active Wireless Load Groups report lists all load groups and, for the selected load group, all active AP radios. The Active Wireless Load Groups report opens in a new browser window. Reports display differently when reporting on client balance load groups and radio preference load groups.

To view the active wireless load groups report:
1 From the top menu, click Reports.
2 Click the Wireless Load Groups report.

About Radio Preference/Load Control Statistics

The statistics reported for each radio preference load balance group are:
Members: The number of AP members

The statistics reported for each member of the load balance group are:
AP: AP name
Band Preference
   Status: The operational status: enabled or disabled
   Probes Declined: The number of probes declined
   Auth/Assoc Requests Declined: The number of authentications or associations declined
Load Control
   Radio 1
      Status: The operational status: enabled or disabled
      Rejected: The number of clients declined at the first association attempt
   Radio 2
      Status: The operational status: enabled or disabled
      Rejected: The number of clients declined at the first association attempt
      Returned: The number of clients declined at the second association attempt

Load balance group statistics are reported on the foreign controller when APs fail over with load groups from a different controller, indicated with an (F) following the load group name.

About Client Balancing Statistics Reports

In a client balancing/load control statistics report, the statistics reported for each client balancing load balance group are:
Members: Number of radio members
Clients: Total number of clients for all radio members
Average Load: Average load for the group

The reported average load may not be correct in a failover situation. If some APs in the load balance group fail over to the foreign controller, those APs will report to the foreign controller. The member APs will continue to use the member count for the whole group, but the member count displayed on the controller will be for only those APs that are reporting. Since the member count reported on the controller is not the complete set, the average will not be consistent with what the APs are using for the state determination.

The statistics reported for each member of the load balance group are:
AP: AP name
Radio: Radio number
Load: Load value (number of clients currently associated with the AP)
State: Load state
Probes Declined
Auth/Assoc Requests Declined
Rebalance Event: Clients removed because of an over-loaded state

The report identifies SIAPP sub-groupings and provides separate group statistics for each sub-group. When the load group includes sub-groups, Average Load, in red, is the average of the entire group. The average for each sub-group is also reported. The sub-group average is reported in red when group membership changes and not all members have been updated with the new member count.

Load balance group statistics are reported on the foreign controller when APs fail over with load groups from a different controller, indicated with an (F) following the load group name.

Viewing Wireless AP Availability

In session availability, the Wireless Availability report displays the state of both tunnels, the active tunnel and the backup tunnel, on both the primary and secondary wireless controllers.

In the report, each AP is represented by a box. The label, Foreign or Local, indicates whether the AP is local or foreign on the controller. The color in the upper pane of the box represents the state of the tunnel that is established to the current controller. The report uses a Color Legend to indicate the tunnel state:
Green: AP has established an active tunnel.
Blue: AP has established a backup tunnel.
Red: AP is not connected.

Note: The current controller is the one on which the AP Availability report is viewed.

The color in the lower pane of the box represents the state of the tunnel that is established with the other controller. For ease of understanding, take the example of the following scenario:
Controller1 and Controller2 are paired in session availability.
A Wireless AP has established an active tunnel to Controller1.
The same AP has established a backup tunnel to Controller2.

If you open the Wireless AP Availability report on Controller2, the report will appear as follows:
In the above example, the circled AP has established a backup tunnel to the foreign (secondary) controller, and an active tunnel to the local (primary) controller.

AP Inventory Reports

To view reports:
1 From the top menu, click Reports.
2 In the Available AP Reports list, click the report you want to view.

Note: All AP Inventory reports open in a new browser window.

Note: If you open only automatically refreshed reports, the Web management session timer will not be updated or reset. Your session will eventually time out.

The following is an example of the Wireless AP Inventory report:
Table 129 lists the column names and abbreviations found in the AP Inventory report:
Table 129: AP Inventory Report Columns

Wireless AP (Serial): Includes AP type, AP name, serial number, and role (including role type).
Topology: Ethernet port and associated IP address of the interface on the controller through which the AP communicates.
HW: Hardware version of the AP.
SW: Software version executing on the AP.
Country: Country in which the AP is deployed.
Antennas: Antennas used.
Power Status: Indicates ports on the AP39xx with low power status. Feature available for AP39xx only.
Sec. Tunnel: Secure tunnel mode.
Cert.: AP certification (enabled or disabled).
SSH: SSH access (enabled or disabled).
Mcast Assembly: Multicast Assembly (enabled or disabled).
LBS: Location-based service (enabled or disabled).
BD: Broadcast disassociation (enabled or disabled).
Persistence: Enabled or disabled.
P/To: Poll timeout. If polling is enabled, a numeric value.
P/I: Poll interval. If polling is enabled, a numeric value.
Wired MAC: The physical address of the AP's wired Ethernet interface.
Description: As defined on the AP Properties screen.
Rdo: Radios: 1 or 2.
Ra: 802.11a radio. The data entry for an AP indicates whether the a radio is on or off.
Rb: 802.11b protocol enabled. Possible values are on or off.
Rg: 802.11g protocol enabled. Possible values are on or off.
Rn: 802.11n protocol enabled. Possible values are on or off.
DP: DTIM period.
BP: Beacon Period.
RT: RTS Threshold.
FT: Fragmentation Threshold.
Req Ch: Last requested channel.
Ch: Current channel.
Tx: Tx power level.
Aj: Auto Tx Power Ctrl Adjust when ATPC is enabled.
TxMn: Minimum Tx power, in decibels.
TxMx: Maximum Tx power, in decibels.
ATT: Attenuation for APs that support professional antenna installation.
Dom: RF domain.
MnBR: Minimum Basic Rate (for more information, see the Wireless AP radio configuration tabs).
Pmb: Preamble (long, short).
PM: Protection Mode.
PR: Protection Rate.
PT: Protection Type.
VNS Name: MAC: Also called BSSID, this is the MAC address of a (virtual) wireless interface on which the AP serves a BSS/VNS. There could be 8 per radio.
11n Channel Width: 20MHz, 40MHz, or auto.
11n Guard Interval: If 11n Channel Width is 40MHz, long or short.
11n Channel Bonding: Enabled only if 11n Channel Width is 40MHz.
11n Protection Mode: Protects high throughput transmissions on primary channels from non-11n APs and clients. Enabled or disabled.
Failure Maintn.: Maintain MU sessions on the Wireless AP when the AP loses the connection to the controller.
Assn: Assignment (address assignment method).
IP Address: Wireless AP's IP address if statically configured (same as the Static Values button on the AP Static Configuration screen).
Netmask: If the AP's IP address is configured statically, the net mask that is statically configured for the AP.
Gateway: If the AP's IP address is configured statically, the IP address of the gateway router that the AP will use.
MTU Interface: MTU Interface (enabled or disabled).
MTU Tunnel: MTU Tunnel value.
TLS: 802.1x EAP-TLS authentication configuration.
PEAP: 802.1x PEAP authentication configuration.
EWC Search List: The list of IP addresses that the AP is configured to try to connect to in the event that the current connection to the controller is lost.
IoT MAC: MAC address of the IoT hardware.
Mode: Indicates the image type for the IoT hardware. Valid values are: Bluetooth or Thread. Bluetooth is the default.
Power: Indicates the received RSSI for the beacon application. Currently fixed. Valid values are: Min. -127dBm, Max. 127dBm, Default -45dBm.
Interval: The advertising interval for the beacon application. Valid values are: Min (100ms) and Max (10240ms). The default value is Min (100ms).

Available for Export Only:

Major: Identifies a subset of beacons within the larger set. This value could represent a venue specific attribute, such as a specific store or wing in a building. Valid values are 0 to 65635.
Minor: Identifies an individual beacon. Used to more precisely pinpoint beacon location. This value complements the UUID and Major values to provide more granular identification of a specific location, such as a particular shelf, doorway, or item. Valid values are 0 to 65635.
UUID: Identifier used to differentiate a large group of related beacons. A company can have a network of beacons with the same UUID.
Location of AP XY: Map coordinates. Used in conjunction with a site map. (Top left corner of the map is considered 0,0.)

Channel Inspector Report

The Channel Inspector Report enhances Automatic Channel Selection (ACS) on the controller by providing an audit trail of selected channels and presenting a history of channel selection. The channel data generated from ACS populates the report, or you can initiate a channel scan on-demand from the user interface. The report is generated from the last channel scan. The date and time of the last channel scan appear on the report.

Related Links
Viewing the Channel Inspector Report on page 637
Running Auto Channel Select (ACS) on page 638
Running a Background Scan on page 638
Channel Inspector Report Fields on page 638

Viewing the Channel Inspector Report

To view the Channel Inspector Report:

1 From the top menu, click Reports.
2 Select Channel Inspector.
3 Select the Radio 1 tab or the Radio 2 tab to see details for the different radios.

Running Auto Channel Select (ACS)

ACS provides an easy way to optimize channel arrangement based on the current situation in the field. An optimal solution is provided only if ACS is triggered on all APs in a deployment, or on all APs placed in a distinct area such as a floor. ACS forces the channel width selection of the involved APs to Auto width. The ACS algorithm selects the optimal channel width for all the selected APs and places each AP on the best channel available in its area. Use the Channel Inspector Report to visualize why the AP was placed on the selected channel.

To initiate ACS from the Channel Inspector Report, click Auto Channel Select. To verify channel assignment without making changes, see Running a Background Scan on page 638.

Related Links
Channel Inspector Report Fields on page 638
Dynamic Radio Management (DRM) on page 174

Running a Background Scan

Background scan extends the usefulness of the Automatic Channel Scan (ACS) feature. It is a reporting tool that helps you verify and understand channel assignments. Where ACS will disrupt service and result in a persistent channel assignment, the on-demand background scan runs without disrupting service. To verify channel assignments and review channel details without having to run a full ACS, run an on-demand background scan.

From the Channel Inspector Report, click On-Demand Background Scan. The background scan does not change channel assignments; it simply provides details about the current assignments. Run the background scan on each radio separately. To change channel assignments, you must run ACS.

Related Links
Channel Inspector Report Fields on page 638

Channel Inspector Report Fields

Table 130: Channel Inspector Report Fields

Operating Channel: Indicates the operating channel of the AP. This is not necessarily the highest ranked channel. For best performance, you want the highest ranked channel to be the operating channel.
Last Scan: Date and time of the last background scan.
Refresh: Auto refresh ensures that the most recent scan data is presented. Enable or disable auto refresh at the top of the report. 30 seconds is the default auto refresh value. If auto refresh is disabled, click the Refresh button to manually refresh the display.
Auto Channel Select: Initiates Auto Channel Selection (ACS). ACS will disrupt service and result in a persistent channel assignment. Use this option to reassign the channels. The ACS scan will disrupt network activity.
On-Demand Background Scan: The background scan does not change channel assignments; it simply provides details about the current assignments. Run the background scan on each radio separately. To change channel assignments, you must run ACS.
Ranking: Indicates the best operating channel based on a 5-star ranking. This ranking is relative to the channels that are available.
Frequency: Radio Frequency channels with the beacon channel (primary) denoted with brackets. The following is an 80MHz channel example showing [5220] as the beacon channel: 44: (5180 5200 [5220] 5240).
Noise: Channel noise measured in Decibel-milliwatts (dBm).
Channel Details: Click the details link to display the following channel details:

Interference Type: Describes the channel interference in relation to the operating channel. Possible values are:
- Co-Channel. All the APs on the same channel as the target AP are competing. Using Distributed Control Function (DCF), collisions are avoided because the APs know to avoid each other; however, the more traffic on the channel, the greater the chance of collisions. Throughput slows but all packets get through.
- Adjacent. APs on adjacent channels are close enough to interfere, but not close enough to know they are interfering. They do not have the benefit of DCF.
- Overlapping. Applicable for 40MHz and 80MHz channels only. The 20MHz channel is designated as the primary and the other channels are designated as extension channels (secondary). If the primary channel of one AP is the same as the extension channel of another AP, it is considered overlapping. Overlapping is the worst type of interference.
Frequency: Radio Frequency channels with the beacon channel (primary) denoted with brackets. The following is an 80MHz channel example showing [5220] as the beacon channel: 44: (5180 5200 [5220] 5240). Example notation: Co-Channel 20 44: (5220) indicates that there is co-channel interference on the beacon channel 5220.
RSS: Received signal strength value.
BSSID: Basic Service Set Identifier. Identifies the AP.
SSID: Service Set Identifier. Identifies the network.
AP Name: Name of the AP provided at network setup.

AP Performance by Radio Report

1 From the top menu, click Reports.
2 Click the AP Performance by Radio display option. The AP Performance by Radio display opens in a new browser window.

AP Performance by SSID and Radio Report

1 From the top menu, click Reports.
2 Click the AP Performance by SSID and Radio display option. The AP Performance by SSID and Radio display opens in a new browser window.

AP Accessibility Report

1 From the top menu, click Reports. The Available AP Reports screen displays.
2 Click the AP Accessibility Report display option. The AP Accessibility Report display opens in a new browser window.

Available Client Reports

ExtremeWireless offers reports to view data related to the network clients. View reports in any of the following ways:

By AP: Displays a list of available APs in the left pane. Select an AP to view a list of connected clients.
By VNS: Displays a list of configured VNS. Select a VNS to view a list of connected clients.
All Active Clients: Displays a list of all active clients.

Each report displays the number of connected users, broken down into a count of active users, authenticated users, and non-authenticated users.

Related Links
Viewing All Clients on page 642
Displaying Client Details on page 643
Client Search Facility on page 645
Viewing Client MAC and OUI on page 646

Viewing All Clients

View a list of all clients and take action on one or more clients in the list. You can also export the list of clients to an XML file.

1 From the top menu, click Reports > Clients > All Active Clients.

Figure 203: All Active Client Report

Note: Clients supporting 802.11W Protected Management Frame (PMF) display a W in the client Protocol field.

2 Use the Search facility to find a specific client. For more information, see Client Search Facility on page 645.
3 To take action on one or more clients, select the check box for the client and click one of the action buttons:
- Add to Blacklist. Add the selected wireless device's MAC address to a blacklist of wireless clients that will not be allowed to associate with the AP.
- Disassociate. Cut the connection with a particular wireless device.
- Show OUI. The Organizationally Unique Identifier (OUI) is a 24-bit number that uniquely identifies the client vendor or manufacturer.
- Export. Export selected clients to an XML file. The system prompts you to open or save the XML file.
4 To view client details, click the client row (not the check box). For more information, see Displaying Client Details on page 643.

Displaying Client Details

Display client details to determine client activity and usage of network resources. From the All Clients report, you can display the following information for each client:

- IPv4 and IPv6 Addresses
- Host Name
- Operating System
- Device Type
- Top 5 Application Groups by Throughput (2-minute interval)
- Top 5 current Application Groups by Bytes, from session start
- Throughput chart for an application group
- Average TCP Round Trip Time
- Average DNS Round Trip Time

1 Go to Reports > Clients. The All Clients report appears.
2 Click on a client row (not the check box). The Detailed Information dialog for the client appears.

Figure 204: Client Detailed Information

Figure 205: Camera as a Client

Related Links
Application Visibility and Device ID on page 621
AP3916ic (Integrated Camera) on page 104

Client Search Facility

On the All Active Clients report, search for any part of the client string. When viewing the Clients by AP report or the Clients by VNS report, search the client report for a specific client by one of the following criteria:

- user name
- MAC Address
- IP Address
- OUI (Organizationally Unique Identifier)

Results: Clients that match the search criteria appear. Select one or more clients and apply actions to the selected clients.

Viewing Client MAC and OUI

Take the following steps to view the MAC address and OUI for selected clients. The Organizationally Unique Identifier (OUI) is a 24-bit number that uniquely identifies the client vendor or manufacturer.

1 From the top menu, click Reports > Clients.
2 Select the check box next to a client row and click Show OUI. The Client MAC and OUI Full Name for the selected client display.

Figure 206: Show OUI dialog

Viewing Role Filter Statistics

1 From the top menu, click Reports.
2 In the left pane, click Filter Statistics. The Available Filter Statistics Reports screen displays.
3 Under Available Filter Statistics Reports, click Role Filter Statistics. The Role Filter Statistics display opens in a new browser window.

Statistics are expressed in respect to the AP. Therefore, Packets Allowed indicates the packets the AP has received from a client and Packets Denied indicates the packets the AP has rejected. A client is displayed as soon as the client connects (or after a refresh of the screen). The client disappears as soon as it times out.

4 Under Available Filter Statistics Reports, click Topology Filter Statistics. The Topology Filter Statistics display opens in a new browser window.

Statistics are expressed in respect to the AP. Therefore, Packets Allowed indicates the packets the AP has received from a client and Packets Denied indicates the packets the AP has rejected. A client is displayed as soon as the client connects (or after a refresh of the screen). The client disappears as soon as it times out.
Viewing Topology Reports

Topology Statistics: Displays statistics for total sent and received packets, octets, multicast packets, and broadcast packets.
Wired Topology Statistics: Displays statistics for each topology including total packets sent and received.
EWC Port Statistics: Displays port statistics for active Topologies including current status and totals for frames, octets, multicast frames and broadcast frames sent and received.
DHCP Leases: Displays statistics to help determine if you have sufficient DHCP addresses for your needs and whether the lease times are too long.

1 From the top menu, click Reports.
2 In the left pane, click Topology. The Available Topology Reports screen displays.
3 Under Available Topology Reports, click Topology Statistics. The Topology Statistics display opens in a new browser window.
4 Under Available Topology Reports, click Wired Topology Statistics. The Wired Topology Statistics display opens in a new browser window.
5 Under Available Topology Reports, click EWC Port Statistics. The Port Statistics display opens in a new browser window.

Statistics are expressed in respect to the AP. Therefore, Frames Sent indicates packets sent to the AP from a client and Frames Received indicates the packets received from the AP.

6 Under Available Topology Reports, click DHCP Leases. The DHCP Leases display opens in a new browser window.

Abandoned leases should rarely be seen. The presence of one or more abandoned leases indicates that another DHCP server may be operating on the same subnet, resulting in IP address conflicts. The server abandons the use of any address it thinks is being managed by another DHCP server. The report applies only to the DHCP server hosted on the local controller.
The report is empty if DHCP is not enabled on any of the controller's topologies. Otherwise, for each of the controller's topologies the report provides a summary table of the address range, number of excluded addresses and total addresses available, a pie chart showing the proportion of addresses that are free, in use or abandoned, and a graph that shows how many leases will become available at different times assuming that no more leases are handed out by the server from this instant.

The lease expiry graph indicates the proportion of available leases that will be available now, 1 hour, 4 hours, 1 day, 1 week, 50 and 90 days from now, assuming that the server never hands out another lease. If the network serves a relatively small number of users, who are in fact the same users day in and day out, then you should use longer lease times, meaning that this graph should not show 100% address availability until farther to the right in the graph. If you have a high turnover of users (such as a university classroom that has a different set of people every hour) then you should use shorter lease times (achieving 100% availability more towards the left in the graph). If you find that you are running out of addresses, you should use the line graph to decide if you can afford to shorten lease times to make leases available sooner, as opposed to creating a new, bigger subnet to handle more users concurrently.

Viewing Mobility Reports

The Mobility Domain is a virtual combination of Wireless LAN Controllers (WLCs) grouped for the purpose of roaming. The controller group consists of a Mobility Manager, Mobility Agents, and a Backup Mobility Manager. The Mobility Domain preserves information about user sessions, allowing users to roam through the use of identity-based networking. A Mobility Domain can also provide network flexibility and scalability.

When a controller has been configured as a mobility manager, additional displays appear as options in the left pane:
Primary Manager Mobility Tunnel Matrix: Displays a cross-connection view of the state of inter-controller tunnels, as well as relative loading for user distribution across the mobility domain.
Client Location in Mobility Zone: Displays the active wireless clients and their status.
Backup Manager Mobility Tunnel Matrix: Displays a cross-connection view of the state of inter-controller tunnels, as well as relative loading for user distribution across the mobility domain.
Remotable VNS: Displays the active wireless clients and their status.

Note: There are four possible reports available from the Available Mobility Reports page depending on the configuration of the controller. If the controller does not have mobility enabled, it will just include the Remotable VNS report.

To view Mobility Manager reports:
1 From the top menu, click Reports.
2 In the left pane, click Mobility.
3 Click the appropriate mobility manager report:
- Client Location in Mobility Zone
- Backup Manager Mobility Tunnel Matrix
- Remotable VNS
- Primary Manager Mobility Tunnel Matrix

The colored status indicates the following:
Green: The mobility manager is in communication with an agent and the data tunnel has been successfully established.
Yellow: The mobility manager is in communication with an agent but the data tunnel is not yet successfully established.
Red: The mobility manager is not in communication with an agent and there is no data tunnel.

Client Location in Mobility Zone

This report displays the active wireless clients and their status.

Figure 207: Client Location in Mobility Zone Report

You can do the following:
- Sort this display by home or foreign controller.
- Search for a client by MAC address, user name, or IP address, typing the search criteria in the box.
- Define the refresh rates for this display.
- Export this information as a .xml file.

Primary/Backup Manager Mobility Tunnel Matrix

This report displays a cross-connection view of the state of inter-controller tunnels, as well as relative loading for user distribution across the mobility domain. The following report illustrates a mobility setup with three controllers:

- Mobility Manager (M) (10.105.0.5)
- Mobility Agent/Backup Manager (BM) (10.105.0.9)
- Mobility Agent (10.105.0.7)

In the following illustration, there is one client on the Primary Manager (M) and 0 clients on the other controllers. As the client moves through the Mobility group, the number of clients will change from 0 to 1 depending on which tunnel the client moves through. This report graphically displays the number of data tunnels, the number of active mobility clients, and the number of clients on each controller. Downed tunnels are represented in brown. No tunnels: 0 indicates that all tunnels are up.

Figure 208: Primary/Backup Manager Mobility Tunnel Matrix

This report provides the following information:
- Provides a connectivity matrix of mobility state.
- Provides a view of:
  - Tunnel state
  - Tunnel Uptime
  - Number of clients roamed (Mobility loading)
  - Local controller loading
  - Mobility membership list

If a tunnel between controllers is reported down, it is highlighted in red. If only a control tunnel is present, it is highlighted in yellow. If data and control tunnels are fully established, it is highlighted in green.

The Active Clients by VNS report for the controller on which the user is home (home controller) will display the known user characteristics (IP, statistics, etc.). On the foreign controller, the Clients by VNS report does not show users that have roamed from other controllers, since the users remain associated with the home controller's VNS. A controller is only removed from the mobility matrix if an administrator explicitly removes it from the Mobility permission list. If the link between controllers is down, or the controller is down, the corresponding matrix connections are identified in red. The Active Clients by AP report on each controller will show the loading of both local and foreign users (users roamed from other controllers) that are taking resources on the AP.

Note: Although you can set the screen refresh period to less than 30 seconds, the screen will not be refreshed quicker than every 30 seconds. The screen will be refreshed according to the value you set only if you set the value above 30 seconds.

Remotable VNS

This report displays the active wireless clients and their status.

Figure 209: Remotable VNS Report

You can do the following:
- Sort this display by home or foreign controller.
- Search for a client by MAC address, user name, or IP address, typing the search criteria in the box.
- Define the refresh rates for this display.
- Export this information as an .xml file.

Viewing Controller Status Information

External Connection Statistics: Displays connection information including security level.
System Information: Displays system information including memory usage and CPU and board temperatures.
Manufacturing Information: Displays manufacturing information including the card serial number and CPU type and frequency.

Viewing External Connection Statistics

To view external connection statistics:
1 From the top menu, click Reports.
2 In the left pane, click Controller Status. The Available Controller Status Reports screen displays.
3 Click the External Connection Statistics option. The External Connection Statistics display opens in a new browser window.

Viewing System Information

To view system information:
1 From the top menu, click Reports.
2 In the left pane, click Controller Status. The Available Controller Status Reports screen displays.
3 Click the System Information display option. The System Information display opens in a new browser window.

Viewing Manufacturing Information

To view manufacturing information:
1 From the top menu, click Reports.
2 In the left pane, click Controller Status. The Available Controller Status Reports screen displays.
3 Click the Manufacturing Information display option. The Manufacturing Information display opens in a new browser window.

Viewing Routing Protocol Reports

The following reports are available in the Extreme Networks ExtremeWireless system:

Forwarding Table: Displays the defined routes, whether static or OSPF (Open Shortest Path First), and their current status.
OSPF Neighbor: Displays the current neighbors for OSPF (routers that have interfaces to a common network).
OSPF Linkstate: Displays the Link State Advertisements (LSAs) received by the currently running OSPF process. The LSAs describe the local state of a router or network, including the state of the router's interfaces and adjacencies.

Viewing Forwarding Table

To view the forwarding table:
1 From the top menu, click Reports.
2 In the left pane, click Routing Protocols. The Available Routing Protocols Reports screen displays.
3 Click the Forwarding Table option. The Forwarding Table displays in a new browser window.

Note: If you open only automatically refreshed reports, the Web management session timer will not be updated or reset. Your session will eventually time out.

Viewing OSPF Neighbor Table

To view the OSPF neighbor table:
1 From the top menu, click Reports.
2 In the left pane, click Routing Protocols.
3 Click the OSPF Neighbor option. The OSPF Neighbor table displays in a new browser window.

Viewing OSPF Linkstate Table

To view the OSPF Linkstate table:
1 From the top menu, click Reports. The Available AP Reports screen displays.
2 In the left pane, click Routing Protocols.
3 Click the OSPF Linkstate option. The OSPF Linkstate table displays in a new browser window.

Saving Report In XML

To export and save a report in XML:

1 On the report screen, click Export. A Windows File Download dialog is displayed.
2 Click Save. A Windows Save As dialog is displayed.
3 Browse to the location where you want to save the exported XML data file, and in the File name box enter an appropriate name for the file.
4 Click Save. The XML data file is saved in the specified location.

Note: If your default XML viewer is Internet Explorer or Netscape, clicking Open will open the exported data on your display screen. You must right-click to go back to the export display. The XML data file will not be saved to your local drive.

Viewing RADIUS Reports

The following RADIUS reports are available in the Extreme Networks ExtremeWireless system:
RADIUS Statistics by VNS: Displays a list of VNS along with the number of Requests and their status (Failed or Rejected).
Access-Reject Reply-Message: Displays the current list of messages along with an active count of all messages.

1 From the top menu, click Reports.
2 In the left pane, click RADIUS. The Available RADIUS Reports screen displays.
3 Click the RADIUS Statistics by VNS option. The report displays in a new browser window.
4 To view the Access-Reject Messages, in the left pane, click the Access-Reject Messages option.
5 Click Save. A Save As dialog is displayed.

Call Detail Records (CDRs)

You can configure the wireless controller to generate Call Detail Records (CDRs), which contain usage information about each wireless session per VNS. For more information on how to configure the controller to generate CDRs, refer to Defining Accounting Methods for a WLAN Service on page 336.

CDRs are located in a CDR directory on the controller. To access the CDR file, you must first back up the file on the local drive, and then upload it to a remote server. After the CDR file is uploaded to a remote server, you can work with the file to view CDRs or import the records into a reporting tool. You can back up and upload the file to the remote server either via the Wireless Assistant (GUI) or the CLI.

CDR File Naming Convention

CDRs are written to a file on the controller. The filename is based on the creation time of the CDR file and has the following format: YYYYMMDDhhmmss.<ext>
YYYY: Four digit year
MM: Two digit month, padded with a leading zero if the month number is less than 10
DD: Two digit day of the month, padded with a leading zero if the day number is less than 10
hh: Two digit hour, padded with a leading zero if the hour number is less than 10
mm: Two digit minute, padded with a leading zero if the minute number is less than 10
ss: Two digit second, padded with a leading zero if the second number is less than 10
<ext>: File extension, either .work or .dat

CDR File Types

Two types of CDR files exist in the CDR directory on the controller:

.work: The active file that is being updated by the accounting system. The file is closed and renamed with the .dat extension when it attains its maximum size (16 MB) or it has been open for the maximum allowed duration (12 hours). You can back up and copy the .work file from the controller to a remote server.
.dat: The inactive file that contains the archived account records. You can back up and copy the .dat file from the controller to a remote server.

Note: The CDR directory on the controller only has two files, a .work file and a .dat file. When the .work file attains its maximum size of 16 MB, or it has been open for 12 hours, it is saved as a .dat file. This new .dat file overwrites the existing .dat file. If you want to copy the existing .dat file, you must do so before it is overwritten by the new .dat file.

CDR File Format

A CDR file contains a sequence of CDR records. The file is a standard ASCII text file. Records are separated by a sequence of dashes followed by a line break. The individual fields of a record are reported one per line, in "field=value" format. The following table describes the records that are displayed in a CDR file.

Note: Most of the CDR records are typical RADIUS server attributes. For more information, refer to the user manual of your RADIUS server.

Table 131: CDR Records and Their Description

User-Name: The name of the user who was authenticated.
Acct-Session-ID: A unique CDR ID.
Acct-Interim-Interval: The number of seconds between interim accounting updates.
Filter-ID: The name of the filter list for the user.
Indicates whether this Accounting-Request marks the beginning of the user service (Start) or the end (Stop).
The maximum number of seconds of service to be provided to the user before termination of the session. This field is copied from the access-accept message sent by the RADIUS server during authentication.
Indicates how the user was authenticated, whether by RADIUS (AAA), Local (Internal CP) or Remote (External CP). The field displays one of the following values:
                            1  AAA authentication
                            2  Internal CP authentication
                            3  External CP authentication
  Acct-Delay-Time         Indicates how many seconds the client has been trying to send this record; it can be subtracted from the time of arrival on the server to find the approximate time of the event generating this Accounting-Request.
  Framed-IP-Address       Indicates the address to be configured for the user.
  Connect-Info            This field is sent from the NAS to indicate the nature of the user's connection: 802.11b for radio b/g or 802.11a for radio a.
  NAS-Port-Type           Indicates that the RADIUS NAS Port Type is Wireless 802.11.
  Called-Station-ID       The Wireless AP's MAC address.
  Calling-Station-ID      The client's MAC address.
  Extreme Networks-AP-Serial   The AP's serial number.
  Extreme Networks-AP-Name     The AP's name.
  Extreme Networks-VNS-Name    The VNS name on which the session took place.
  Extreme Networks-SSID        The SSID name on which the session took place.
  Acct-Session-Time       The number of seconds the user has received the service.
  Acct-Output-Packets     The number of packets that were sent to the port in the course of delivering this service to a framed user.
  Acct-Input-Packets      The number of packets that were received from the port over the course of this service being provided to a framed user.
  Acct-Output-Octets      The number of octets that were sent to the port in the course of delivering the service.
  Acct-Input-Octets       The number of octets that were received from the port over the course of the service.
  Authenticated_time      Indicates the time at which the client was authenticated. The time is in the format Date hh:mm:ss, for example April 21 2008 14:50:24.
  Acct-Terminate-Cause    Indicates how the session was terminated. The field displays one of the following values:
                            1   User Request
                            4   Idle Timeout
                            5   Session Timeout
                            6   Admin Reset
                            11  NAS Reboot
                            16  Callback
                            17  User Error
  Disassociation_time     Indicates the time at which the client was disassociated from the AP. The time is in the format Date hh:mm:ss, for example April 21 2008 14:57:20.

The next section, Viewing CDRs, gives a high-level overview of how to view CDRs.
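To make the file layout concrete, here is an added example in Python (not from the guide and not Extreme Networks code) that parses CDR files in the format described above: it decodes the YYYYMMDDhhmmss.<ext> filename, flags a .work file that has reached the 16 MB or 12-hour rotation limit, splits records on the dash separator line, maps the numeric Acct-Authentic and Acct-Terminate-Cause codes from Table 131 to their names, and cross-checks Acct-Session-Time of a Stop record against its Authenticated_time and Disassociation_time stamps. The two-record sample file is constructed for the example, and the five-second tolerance in the consistency check is an assumption.

```python
"""Parse CDR files in the layout described above (added example, not vendor code).
Assumes the documented format: ASCII text, one "field=value" per line, records
separated by a line of dashes, filenames YYYYMMDDhhmmss.work / .dat, and the
Acct-Authentic and Acct-Terminate-Cause code tables from Table 131."""
import re
from datetime import datetime

# Code tables copied from the CDR record descriptions in Table 131.
ACCT_AUTHENTIC = {1: "AAA", 2: "Internal CP", 3: "External CP"}
TERMINATE_CAUSE = {1: "User Request", 4: "Idle Timeout", 5: "Session Timeout",
                   6: "Admin Reset", 11: "NAS Reboot", 16: "Callback", 17: "User Error"}

MAX_WORK_BYTES = 16 * 1024 * 1024   # .work becomes .dat at 16 MB ...
MAX_WORK_SECONDS = 12 * 3600        # ... or after being open for 12 hours
FILENAME_RE = re.compile(r"^(\d{14})\.(work|dat)$")
TIME_FMT = "%B %d %Y %H:%M:%S"      # "April 21 2008 14:50:24"

def parse_cdr_filename(name):
    """Return (creation datetime, extension) for a CDR filename."""
    m = FILENAME_RE.match(name)
    if not m:
        raise ValueError(f"not a CDR filename: {name!r}")
    return datetime.strptime(m.group(1), "%Y%m%d%H%M%S"), m.group(2)

def work_file_due_for_rotation(name, size_bytes, now):
    """True when the .work file `name` has reached the size or age limit."""
    opened_at, ext = parse_cdr_filename(name)
    if ext != "work":
        return False
    age = (now - opened_at).total_seconds()
    return size_bytes >= MAX_WORK_BYTES or age >= MAX_WORK_SECONDS

def parse_cdr_file(text):
    """Split a CDR file into a list of {field: value} dicts, one per record."""
    records = []
    for chunk in re.split(r"^-+$", text, flags=re.MULTILINE):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition("=")
            if sep:                      # skip blank or malformed lines
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def decode_record(rec):
    """Replace numeric Acct-Authentic / Acct-Terminate-Cause codes with names."""
    out = dict(rec)
    for field, table in (("Acct-Authentic", ACCT_AUTHENTIC),
                         ("Acct-Terminate-Cause", TERMINATE_CAUSE)):
        if out.get(field, "").isdigit():
            out[field] = table.get(int(out[field]), f"unknown({out[field]})")
    return out

def session_time_consistent(rec, tolerance=5):
    """Stop records only: does Acct-Session-Time match the two timestamps?
    Returns None for other records; the tolerance in seconds is an assumption."""
    if rec.get("Acct-Status-Type") != "Stop":
        return None
    start = datetime.strptime(rec["Authenticated_time"], TIME_FMT)
    end = datetime.strptime(rec["Disassociation_time"], TIME_FMT)
    elapsed = (end - start).total_seconds()
    return abs(elapsed - int(rec["Acct-Session-Time"])) <= tolerance

def terminate_cause_counts(records):
    """Count Stop records per decoded termination cause."""
    counts = {}
    for rec in records:
        if rec.get("Acct-Status-Type") == "Stop":
            cause = decode_record(rec).get("Acct-Terminate-Cause", "missing")
            counts[cause] = counts.get(cause, 0) + 1
    return counts

# Constructed two-record sample; not captured from a real controller.
SAMPLE_CDR = """\
User-Name=alice
Acct-Status-Type=Stop
Acct-Authentic=1
Acct-Session-Time=416
Acct-Terminate-Cause=1
Authenticated_time=April 21 2008 14:50:24
Disassociation_time=April 21 2008 14:57:20
--------------------
User-Name=bob
Acct-Status-Type=Stop
Acct-Authentic=2
Acct-Session-Time=1700
Acct-Terminate-Cause=6
Authenticated_time=April 21 2008 15:00:00
Disassociation_time=April 21 2008 15:30:00
--------------------
"""

if __name__ == "__main__":
    recs = parse_cdr_file(SAMPLE_CDR)
    for rec in recs:
        print(decode_record(rec)["User-Name"], session_time_consistent(rec))
    print(terminate_cause_counts(recs))
```

In the sample, alice's record is internally consistent (416 seconds between authentication and disassociation), while bob's Acct-Session-Time disagrees with its timestamps by 100 seconds, which is the kind of discrepancy worth flagging before records are fed into a billing or reporting tool.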
Viewing CDRs

1 Back up the CDR files on the local drive of the controller.
2 Copy the CDR files from the controller to the remote server.
3 Unzip the file.
4 Download the CDR files from the remote server to view CDRs.

Note: You cannot access the CDR files directly from the CDR directory. When you back up CDRs, both the .work and .dat files are zipped into a single .zip file. This .zip file is uploaded to the remote server. You can unzip this file on the remote server to extract the .work and .dat files.

You can back up and upload the files to the remote server either via the Wireless Assistant (GUI) or the CLI. This section describes how to back up and copy the CDR files to a remote server via the Wireless Assistant (GUI). For more information on how to copy the CDR file to the remote server via the CLI, refer to the Extreme Networks ExtremeWireless CLI Reference Guide.

Backing Up and Copying CDR Files to a Remote Server

To back up and copy the CDR files to a remote server:

1 From the top menu, click Controller.
2 In the left pane, click Administration > Software Maintenance.
3 Click the Backup tab.
4 From the Select what to backup drop-down menu, click CDRs only, and then click Backup Now. The following window displays the backup status.
5 To close the window, click Close. The backed up file is displayed in the Available Backups box.
6 To upload a backup to a remote server, in the Copy Selected Backup > to section, select Remote, then do the following:

   Note: The .work and .dat files are zipped into a single file.

   Protocol   Select the file transfer protocol you want to use to upload the backup file, SCP or FTP.
   Server     Type the IP address of the server where the backup will be stored.
              Note: The Server Address field supports both IPv4 and IPv6 addresses.
   User ID    Type the user ID to log in to the server.
   Password   The password to log in to the server.
   Confirm    Re-type the password to confirm it.
   Directory  The directory to which you want to upload the CDR file.
   Filename   Select the zipped CDR file name.

7 To upload a backup to Flash, in the Copy Selected Backup > to section, select Flash, then do the following:

   Filename   Select the zipped CDR file name.

8 In the Copy Selected Backup to section, click Copy. The .zip file is uploaded to the server.
9 Unzip the file. The two CDR files, .work and .dat, are visible on the server.
10 To view CDRs, download the files.

Figure 210: Sample .dat File

19 Performing System Administration

Performing Wireless AP Client Management
Defining Wireless Assistant Administrators and Login Groups

Related Links
Backup and restore the controller database. For more information, see the ExtremeWireless Maintenance Guide.

Performing Wireless AP Client Management

There are times when, for business, service, or security reasons, you want to cut the connection with a particular wireless device. You can view all the associated wireless devices, by MAC address, on a selected AP and do the following:
- Disassociate a selected wireless device from its AP. Take this action from the All Clients Report. See Viewing All Clients on page 642.
- Add a selected wireless device's MAC address to a blacklist of wireless clients that will not be allowed to associate with the AP. For more information, see Adding Clients to a Blacklist on page 669.

Related Links
Viewing All Clients on page 642
Adding Clients to a Blacklist on page 669

Adding Clients to a Blacklist

To create a client blacklist:

1 Go to AP.
2 In the left pane, click Global > Whitelist/Blacklist.
3 Do one of the following:
   - Type the client MAC Address or OUI Prefix and click Add.
   - Click Select OUI/IABs, and search for a client OUI/IAB by company name. The Organizationally Unique Identifier (OUI) is a 24-bit number that uniquely identifies the client vendor or manufacturer. (Search by company name.) An Individual Address Block (IAB) is a block of identifiers that uniquely identifies the assignee of the IAB. The purpose of the IAB is to allow organizations to purchase smaller blocks of identifiers.

   Figure 211: Searching OUI/IAB by Company Name

4 Select one or more items to add to the blacklist and click OK.
5 To remove clients from the list, select one or more clients on the list and click Remove Selected.

Figure 212: Example List

Related Links
Viewing Client MAC and OUI on page 646
Viewing All Clients on page 642

Managing an IoT Whitelist

Create a whitelist of approved nodes for the Thread Network. The IoT whitelist applies to all APs that are configured for Thread Gateway and associated with the controller.

If your whitelist is empty, all sensors with the default password THREAD have access to the Thread Network. Once you configure at least one node on the whitelist, network access is limited to only the nodes configured on the whitelist.

Note: Once a whitelist is configured, only nodes configured on the whitelist gain access to the Thread Network.

1 Go to AP > Global > Whitelist - IoT. A list of approved nodes is displayed.
2 To add a node to the whitelist, click the plus sign and provide the EUI (Extended Unique Identifier) and shared password for the node.
3 To delete a node from the whitelist, select a node and click the minus sign.

Figure 213: Whitelist - IoT

Related Links
Whitelist Node Parameters on page 672

Whitelist Node Parameters

Create a whitelist of approved nodes for the Thread Network. The IoT whitelist applies to all APs that are configured for Thread Gateway and associated with the controller. Use the long EUI for each sensor and the pre-shared password. The short EUI is not used. Currently, the whitelist can comprise a maximum of 32 nodes.

Table 132: Node Parameters

  Field     Description
  EUI       Extended Unique Identifier for each sensor node, determined by the sensor manufacturer.
  Password  Pre-shared password. Sensor passwords are created when the sensor is commissioned, outside of ExtremeWireless. The default password is THREAD.

Related Links
Managing an IoT Whitelist on page 671
IoT Thread Gateway on page 196

Defining Wireless Assistant Administrators and Login Groups

You can define the login user names and passwords for administrators that have access to the Wireless Assistant. You can also assign them to a login group as full administrators, read-only administrators, or GuestPortal managers. For each user added, you can define and modify a user ID and password.

  Full administrators       Users assigned to this login group have full administrator access rights on the controller, including the GuestPortal user accounts. Full administrators can manage all aspects of the controller, including GuestPortal user accounts.
  Read-only administrators  Users assigned to this login group have read-only access rights on the controller.
  GuestPortal managers      Users assigned to this login group can only manage GuestPortal user accounts. Any user who logs on to the controller and is assigned to this group can only access the GuestPortal Guest Administration page of the Wireless Assistant.

Note: Passwords can include the following characters: A-Z a-z 0-9 ~!@#$%^&*()_+|-=\{}[];<>?,. Passwords cannot include the following characters: / ` ' " : or a space.

To add a controller administrator to a login group:
1 From the top menu, click Controller.
2 From the left pane, click Administration > Login Management. The following screen appears:
3 In the Group drop-down list, click one of the following:

   Full Administrator       Users assigned to this login group have full administrator access rights on the controller. Full administrators can manage GuestPortal user accounts.
   Read-only Administrator  Users assigned to this login group have read-only access rights on the controller. Read-only administrators have read access to the GuestPortal user accounts.
   GuestPortal Manager      Users assigned to this login group can only manage GuestPortal user accounts. Any user who logs on to the controller and is assigned to this group can only access the GuestPortal Guest Administration page of the Wireless Assistant. For more information, see Performing System Administration on page 669.

4 In the User ID box, type the user ID for the new user. A user ID can only be used once, in only one category.
5 In the Password box, type the password for the new user.
6 In the Confirm Password box, re-type the password.
7 Click Add User. The new user is added to the appropriate login group list.

Related Links
Modifying Admin Password on page 675
Removing Administrator on page 675

Modifying Admin Password

To modify a controller administrator password:

1 Go to Controller.
2 In the left pane, click Administration > Login Management.
3 Click the user whose password you want to modify.
4 In the Password box, type the new password for the user.
5 Under Confirm Password, re-type the new password.
6 To change the password, click Change Password.

Removing Administrator

To remove a controller administrator:

1 Go to Controller.
2 In the left pane, click Administration > Login Management. The Login Management tab is displayed.
3 Click the user you want to remove.
4 Click Remove user. The user is removed from the list.

20 Logs, Traces, Audits and DHCP Messages

ExtremeWireless Appliance Messages
Working with Logs
Viewing Wireless AP Traces
Viewing Audit Messages
Viewing the DHCP Messages
Viewing the NTP Messages
Viewing Software Upgrade Messages
Viewing Configuration Restore/Import Messages

ExtremeWireless Appliance Messages

The ExtremeWireless Appliance generates four types of messages:
- Logs (including alarms): Messages that are triggered by events.
- Traces: Messages that display activity by component, for system debugging, troubleshooting, and internal monitoring of software.

   Caution: In order for the Debug Info option on the Wireless AP Traces screen to return trace messages, this option must be enabled while Wireless AP debug commands are running. To do so, you need to run a Wireless AP CLI command to turn on a specific Wireless AP debug. Once the CLI command is run, select the Debug Info option, and then click Retrieve Traces. For more information, see the Extreme Networks ExtremeWireless CLI Reference Guide. Because Wireless AP debugging can affect the normal operation of Wireless AP service, enabling debugging is not recommended unless specific instructions are provided.

- Audits: Messages that record administrative changes made to the system.
- DHCP: Messages that record DHCP (Dynamic Host Configuration Protocol) service events.

Working with Logs

The log messages contain the time of the event, severity, source component, and any details generated by the source component. Log messages are divided into three groups:

- Controller logs
- Wireless AP logs
- Login logs

Log Severity Levels

Log messages are classified at four levels of severity:

- Information (the activity of normal operation)
- Minor (alarm)
- Major (alarm)
- Critical (alarm)

The alarm messages (minor, major or critical log messages) are triggered by activities that meet certain conditions that should be known and dealt with. The following are examples of events on the wireless controller that generate an alarm message:

- Reboot due to failure
- Software upgrade failure on the wireless controller
- Software upgrade failure on the wireless AP
- Detection of rogue access point activity without valid ID
- Availability configuration not identical on the primary and secondary wireless controller

If SNMP (Simple Network Management Protocol) is enabled on the wireless controller, alarm conditions will trigger an SNMP trap. An SNMP trap is an event notification sent by the managed agent (a network device) to the management system to identify the occurrence of conditions.

Note: The log statements "Low water mark level was reached" and "Incoming message dropped, because of the rate limiting mechanism" indicate that there is a burst of log messages coming to the event server and the processing speed is slower than the incoming rate of log messages. These messages do not indicate that the system is impaired in any way.

Viewing the Wireless Controller Logs

To view wireless controller logs:

1 From the top menu, click Logs.
2 Click EWC: Events and the severity level. The log screen displays and the events are displayed in chronological order.
3 To sort the events by Timestamp, Type, or Component, click the appropriate column heading.
4 To filter the events by severity (Critical, Major, Minor, Info, and All), click the appropriate log severity.
5 To refresh the log screen, click Refresh.
6 To export the log screen, click Export. The File Download dialog is displayed.
7 Do one of the following:
   - To open the log file, click Open.
   - To save the log file, click Save, and then navigate to the directory location where you want to save the file. Click Save.

Note: The component Langley is the term for the inter-process messaging infrastructure on the wireless controller.

Viewing Wireless Controller Station Logs

To view wireless controller station logs:

1 From the top menu, click Logs.
2 Click EWC: Station Events. The Station Events screen displays and the events are displayed in chronological order.

   Note: Station log generation is controlled by the "Report station events on controller" check box on the Controller > Logs > Logs Configuration page.

   The table is sortable on all columns (ascending and descending). If you close this log window and open it again within the same GUI session, it remembers your previous column sorting option, and it supports multi-column sorting.

3 To sort by multiple columns, click the first column, hold down the [Shift] key, and then click the next column. As many columns as you wish can be added to the sort.
4 Click a MAC address in the Station MAC Address column to see up-to-date details about that station.
5 Click the Search box and enter text. The information is filtered automatically as you type, and only lines which match this text in any column (on all pages) are displayed.
6 Click Refresh to refresh the log. This log does not refresh automatically (the same as the other logs).
7 To export the Station log screen, click Export. The File Download dialog is displayed. Do one of the following:
   - To open the log file, click Open.
   - To save the log file, click Save, and then navigate to the directory location where you want to save the file. Click Save.
8 Click Close to close this log window.

Viewing Wireless AP Logs

To view wireless AP logs:
1 From the top menu, click Logs.
2 Click AP: Logs. The Wireless AP Log screen displays and the events are displayed in chronological order.
3 In the Wireless AP list, click a Wireless AP to view the log events for that particular Wireless AP.
4 To sort the events by EWC time or Sev (Severity), click the appropriate column heading.
5 To filter the events by severity (Critical, Major, Minor, Information, and All), click the appropriate log severity.
6 To refresh the log screen, click Refresh.
7 To export the logs, click Export. The File Download dialog is displayed.
8 Do one of the following:
   - To open the log file, click Open.
   - To save the log file, click Save, and then navigate to the directory location where you want to save the file. Click Save.

Viewing Login Logs

To view administrator login logs:

1 From the top menu, click Logs.
2 Click Login. The Login screen displays and the login events are displayed in chronological order.
3 To refresh the Login screen, click Refresh.

Working with GuestPortal Login Logs

To view GuestPortal login logs:

1 From the top menu, click Logs.
2 Click Login. The Login screen displays and the login events are displayed in chronological order.
3 Click GuestPortal. The GuestPortal login events are displayed in chronological order.
4 To export the GuestPortal log information, click Export. The File Download dialog is displayed.
5 Do one of the following:
   - To open the log file, click Open.
   - To save the log file, click Save, and then navigate to the directory location where you want to save the file. Click Save.

Working with a Tech Support File

1 To generate a Tech Support file, click Logs from the top menu. The Logs & Traces screen displays.
2 Ensure that EWC: Events is selected.
3 Click the Tech Support button at the bottom of the page. The Generate Tech Support File screen displays.
4 Select the parameters for the tech support file:

   Wireless Controller
   Wireless AP
   Logs
   All
   No Stats   If Wireless AP is selected, select this check box to include or exclude Wireless AP statistics in the tech support file.

5 Click Generate New Tech Support File. A warning message is displayed informing you that this operation may temporarily affect system performance.
6 Click OK to continue. The tech support file generation status is displayed.
7 When the file generation has completed, click Close.
8 To download the last generated Tech Support file, click Logs from the top menu. The Logs & Traces screen displays.
9 Ensure that the EWC tab is selected.
10 Click the Tech Support button at the bottom of the page. The Generate Tech Support File screen displays.
11 Click Download Last Tech Support File. The File Download dialog is displayed.
12 Click Save. The Save As window is displayed.
13 Navigate to the location where you want to save the generated tech support file, and then click Save.
14 To delete a Tech Support file, click Logs from the top menu. The Logs & Traces screen displays.
15 Ensure that the EWC tab is selected.
16 Click the Tech Support button at the bottom of the page. The Generate Tech Support File screen displays.
17 Click List All Tech Support Files.
18 In the drop-down list, click the tech support file you want to delete. The tech support file is deleted.
19 Click Close.

Viewing Wireless AP Traces

To view wireless AP traces:
1 From the top menu, click Logs.
2 Click AP: Traces. The Wireless AP Trace screen displays.
3 In the Wireless AP list, click the Wireless AP whose trace messages you want to view.
4 Click Retrieve Traces. Depending on the browser, the File Download dialog appears.
5 Click Save and navigate to the location on your computer where you want to save the Wireless AP trace report. The file is saved as a .tar file.
6 To view the file, unpack the .tar file.

Viewing Audit Messages

To view Audit messages:

1 From the top menu, click Logs.
2 Click Audit: UI. The Audit screen displays and the events are displayed in chronological order.
3 To sort the events by Timestamp, User, Section, or Page, click the appropriate column heading.
4 To refresh the audit screen, click Refresh.
5 To export the audit screen, click Export. The File Download dialog is displayed.
6 Do one of the following:
   - To open the audit file, click Open.
   - To save the audit file, click Save, and then navigate to the directory location where you want to save the file. Click Save.

Viewing the DHCP Messages

To view DHCP messages:

1 From the top menu, click Logs. The Logs & Traces screen displays.
2 Click Service: DHCP. The DHCP Message screen displays and the events are displayed in chronological order.
3 To sort the events by timestamp, click Timestamp.
4 To refresh the DHCP message screen, click Refresh.

Viewing the NTP Messages

To view NTP messages:

1 From the top menu, click Logs. The Logs & Traces screen displays.
2 Click Service: NTP. The NTP Message screen displays and the events are displayed in chronological order.
3 To sort the events by timestamp, click Timestamp.
4 To refresh the NTP message screen, click Refresh.

Viewing Software Upgrade Messages

The S/W Upgrade tab displays the most recent upgrade actions, either success or failure, and the operating system patch history. Some examples of the upgrade actions that can be displayed are:
- FTP failure during backup of system image
- Configuration reset failure
- Configuration export failure
- Configuration import details

To view software upgrade messages:

1 From the top menu, click Logs. The Logs & Traces screen displays.
2 Click the S/W Upgrade tab. The S/W Upgrade message screen displays.
3 Do the following:
   - To view software upgrade messages, click Detail.
   - To view the operating system history, click History.
4 To refresh the screen, click Refresh.
5 To export the software upgrade messages or operating system history, click Export. The File Download dialog is displayed.
6 Do one of the following:
   - To open the file, click Open.
   - To save the file, click Save, and then navigate to the directory location where you want to save the file. Click Save.

Viewing Configuration Restore/Import Messages

The Restore/Import tab displays the most recent configuration restore/import results.

To view Restore/Import messages:

1 From the top menu, click Logs. The Logs & Traces screen displays.
2 Click the Restore/Import tab. The restore/import message screen displays.
3 To refresh the restore/import message screen, click Refresh.
4 To export the restore/import message screen, click Export. The File Download dialog is displayed.
5 Do one of the following:
   - To open the file, click Open.
   - To save the file, click Save, and then navigate to the directory location where you want to save the file. Click Save.

21 Working with GuestPortal Administration

About GuestPortals
Adding New Guest Accounts
Enabling or Disabling Guest Accounts
Editing Guest Accounts
Removing Guest Accounts
Importing and Exporting a Guest File
Viewing and Printing a GuestPortal Account Ticket
Working with the Guest Portal Ticket Page
Configuring Guest Password Patterns
Configuring Web Session Timeouts

About GuestPortals

A GuestPortal provides wireless device users with temporary guest network services. A GuestPortal is serviced by a GuestPortal-dedicated VNS. The GuestPortal-dedicated VNS is configured by an administrator with full administrator access rights. For more information, see Creating a GuestPortal VNS on page 477.

A GuestPortal administrator is assigned to the GuestPortal Manager login group and can only create and manage guest user accounts; a GuestPortal administrator cannot access any other area of the Wireless Assistant. For more information, see Defining Wireless Assistant Administrators and Login Groups on page 673.

From the GuestPortal Guest Administration page of the Wireless Assistant, you can add, edit, configure, and import and export guest accounts.

Adding New Guest Accounts

To add a new guest account:

1 Do one of the following:
   - If you have GuestPortal Manager rights, log onto the controller.
   - If you have full administrator rights:
     - From the top menu, click VNS. The Virtual Network Configuration screen displays.
     - In the left pane, expand the WLAN Services pane and click the dedicated WLAN (Wireless Local Area Network) Service that provides the temporary guest network services. The WLAN Services configuration window for that service displays.
     - Click the Auth & Acct tab. Make sure the Mode is set to Guest Splash and then click Configure. The Configuration page displays.
     - In the Guest Splash section, click Manage Guest Users. The Guest Splash Administration screen displays.

   Note: You have three minutes to add new guest user accounts. If that time expires, close the Guest Splash Administration screen and click Manage Guest Users again. You can also increase the Start date time to be within three minutes of the current network time.

2 In the Account Management section, click Add Guest Account. The Add Guest User screen displays.
3 To enable the new guest account, select the Enabled check box. For more information, see Enabling or Disabling Guest Accounts on page 693.
4 In the Credentials section, do the following:

   User Name    Type a user name for the person who will use this guest account.
   User ID      Type a user ID for the person who will use this guest account. The default user ID can be edited.
   Password     Type a password for the person who will use this guest account. The default password can be edited. Toggle between Mask/Unmask to hide or see the password.
   Description  Type a brief description for the new guest account.

5 In the Account Settings section, do the following:

   Start date        Specify the start date and time for the new guest account.
   Account lifetime  Specify the account lifetime, in days, for the new guest account. The default value 0 specifies no limit to the account lifetime. Only a user with administrative privileges can change the value of the Account lifetime.

6 In the Session Settings section, do the following:

   Session lifetime  Specify a session lifetime, in hours, for the new guest account. The default value 0 specifies no limit to the session lifetime. The session lifetime is the allowed cumulative total in hours spent on the network during the account lifetime.
   Start Time        Specify a start time for the session for the new guest account.
   End Time          Specify an end time for the session for the new guest account.

7 To save your changes, click OK.

Enabling or Disabling Guest Accounts

A guest account must be enabled in order for a wireless device user to use the guest account to obtain guest network services. When a guest account is disabled, it remains in the database. A disabled guest account cannot provide access to the network. To enable or disable guest accounts, follow the steps below.
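The account settings above interact in ways that are easy to get wrong when auditing guest access (the Enabled flag, the Start date, an Account lifetime in days where 0 means unlimited, a Session lifetime that is a cumulative allowance in hours where 0 again means unlimited, and a session Start Time and End Time). The following added example in Python (not from the guide and not Extreme Networks code) evaluates those rules for a guest account built from the values an administrator would type into the Add Guest User form. It assumes the Start Time and End Time form a daily window, that the hours already consumed are supplied from accounting data (the "Hours used" key is not a form field), and the sample form values are constructed.

```python
"""Evaluate guest-account settings from the Add Guest User form (added example, not vendor code).
Models only the settings the guide describes: Enabled, Start date, Account lifetime
(days, 0 = no limit), Session lifetime (cumulative hours, 0 = no limit) and a session
Start Time / End Time, which this example treats as a daily window (assumption)."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass
class GuestAccount:
    user_id: str
    enabled: bool
    start_date: datetime
    account_lifetime_days: int      # 0 = no limit
    session_lifetime_hours: float   # cumulative allowance, 0 = no limit
    hours_used: float               # time already spent on the network (from accounting; assumption)
    session_start: time
    session_end: time


def guest_account_from_form(form):
    """Build a GuestAccount from the string values typed into the form fields."""
    return GuestAccount(
        user_id=form["User ID"],
        enabled=form.get("Enabled", "no").lower() in ("yes", "true", "1", "on"),
        start_date=datetime.fromisoformat(form["Start date"]),
        account_lifetime_days=int(form.get("Account lifetime", "0")),
        session_lifetime_hours=float(form.get("Session lifetime", "0")),
        hours_used=float(form.get("Hours used", "0")),   # not a form field; supplied by accounting
        session_start=time.fromisoformat(form.get("Start Time", "00:00")),
        session_end=time.fromisoformat(form.get("End Time", "23:59:59")),
    )


def in_session_window(t, start, end):
    """Daily window check; a window that ends before it starts wraps past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def account_valid_at(acct, now):
    """Return (allowed, reason) for a session attempt at `now` (datetime or ISO string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not acct.enabled:
        return False, "account disabled"
    if now < acct.start_date:
        return False, "before start date"
    if acct.account_lifetime_days:
        expiry = acct.start_date + timedelta(days=acct.account_lifetime_days)
        if now >= expiry:
            return False, "account lifetime expired"
    if acct.session_lifetime_hours and acct.hours_used >= acct.session_lifetime_hours:
        return False, "session lifetime exhausted"
    if not in_session_window(now.time(), acct.session_start, acct.session_end):
        return False, "outside session window"
    return True, "ok"


def remaining_hours(acct):
    """Hours of cumulative session time left, or None when unlimited."""
    if not acct.session_lifetime_hours:
        return None
    return max(0.0, acct.session_lifetime_hours - acct.hours_used)


# Constructed sample form values: a seven-day account with a four-hour allowance.
SAMPLE_FORM = {
    "User ID": "guest01", "Enabled": "yes", "Start date": "2024-03-01 09:00:00",
    "Account lifetime": "7", "Session lifetime": "4",
    "Start Time": "08:00", "End Time": "18:00",
}

if __name__ == "__main__":
    acct = guest_account_from_form(SAMPLE_FORM)
    for when in ("2024-03-02 10:00:00", "2024-03-02 19:00:00", "2024-03-09 10:00:00"):
        print(when, account_valid_at(acct, when))
```

The checks are ordered so that the cheapest and most decisive conditions (disabled, not yet started, expired) are reported first; the "0 means unlimited" convention is handled by testing the lifetime values for truthiness before comparing against them, which is the step most often missed when these rules are reimplemented in a provisioning script.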
1 Do one of the following:
   - If you have GuestPortal Manager rights, log onto the controller.
   - If you have full administrator rights:
     - From the top menu, click VNS. The Virtual Network Configuration screen displays.
     - In the left pane, expand the WLAN Services pane and click the dedicated WLAN Service that provides the temporary guest network services. The WLAN Services configuration window for that service displays.
     - Click the Auth & Acct tab, and then click Configure. The Settings screen displays.
     - In the Guest Splash section, click Manage Guest Users. The Guest Splash Administration screen displays.
2 In the guest account list, select the check box next to the user name of the guest account that you want to enable or disable.
3 In the Account Enable/Disable section, click Enable Selected Accounts or Disable Selected Accounts accordingly. A dialog is displayed requesting you to confirm your selection.
4 Click OK. A confirmation message is displayed in the Guest Splash Administration screen footer.

Editing Guest Accounts

An already existing guest account can be edited.

To edit a guest account:

1 Do one of the following:
   - If you have GuestPortal Manager rights, log onto the controller.
   - If you have full administrator rights:
     - From the top menu, click VNS.
     - In the left pane, expand the WLAN Services pane and click the dedicated WLAN Service that provides the temporary guest network services. The WLAN Services configuration window for that service displays.
     - Click the Auth & Acct tab, and then click Configure. The Settings screen displays.
     - In the Guest Splash section, click Manage Guest Users. The Guest Splash Administration screen displays.
2 In the guest account list, select the check box next to the user name of the guest account that you want to edit.
3 In the Account Management section, click Edit Selected Accounts.
4 Edit the guest account accordingly. For more information on guest account properties, see Adding New Guest Accounts on page 690.
5 To save your changes, click OK. A confirmation message is displayed in the Guest Splash Administration screen footer.

Removing Guest Accounts

An already existing guest account can be removed from the database.

1 To remove a guest account, do one of the following:
   - If you have GuestPortal Manager rights, log onto the controller.
   - If you have full administrator rights:
     - From the top menu, click VNS. The Virtual Network Configuration screen displays.
     - In the left pane, expand the WLAN Services pane and click the dedicated WLAN Service that provides the temporary guest network services. The WLAN Services configuration window for that service displays.
     - Click the Auth & Acct tab, and then click Configure. The Settings screen displays.
     - In the Guest Splash section, click Manage Guest Users. The Guest Splash Administration screen displays.
2 In the guest account list, select the check box next to the user name of the guest account that you want to remove.
3 In the Account Management section, click Remove Selected Accounts. A dialog is displayed requesting you to confirm your removal.
4 Click OK. A confirmation message is displayed in the Guest Splash Administration screen footer.

Importing and Exporting a Guest File

To help administrators manage large numbers of guest accounts, you can import and export .csv
(comma separated value) guest les for the controller. The following describes the column values of the .csv guest le. ExtremeWireless V10.41.06 User Guide 695 Working with GuestPortal Administration Table 133: Guest Account Import and Export .csv File Values CColumn Value A B C D E F G User ID User name Password Description Account activation date Account lifetime, measured in days Session lifetime, measured in hours Is the account enabled (1) or disabled (0) H L I J Time of day, start time D Time of day, duration K Is the guest user account synchronized on a secondary controller in an availability pair, yes (1) no (0) Total session used time, measured in seconds. A user session starts when the guest user is authenticated, and ends when the guest user is disassociated. raft ExtremeWireless V10.41.06 User Guide 696 Working with GuestPortal Administration 1 To export a guest le, do one of the following:
If you have GuestPortal Manager rights, log onto the controller. If you have full administrator rights:
From the top menu, click VNS. The VVirtual Network Conguration screen displays. In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. In the Guest Splash section, click Manage Guest Users. The GGuest Splash Administration screen displays. D raft 2 In the File Management section, click Export Guest File. A FFile Download dialog is displayed. 3 Click Save. The SSave As dialog is displayed. 4 Name the guest le, and then navigate to the location where you want to save the le. By default, the exported guest le is named exportguest.csv. 5 Click Save. The FFile Download dialog is displayed as the le is exported. 6 Click Close. A conrmation message is displayed in the GGuest Splash Administration screen footer. ExtremeWireless V10.41.06 User Guide 697 Working with GuestPortal Administration 7 To import a guest le, do one of the following:
If you have Guest Splash Manager rights, log onto the controller. If you have full administrator rights:
From the top menu, click VNS. The VVirtual Network Conguration screen displays. In the left pane, expand the WWLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WWLAN Services conguration window for that service displays. Click the AAuth & Acct tab, and then click Congure. The SSettings screen displays. In the GGuest Splash section, click Manage Guest Users. The GGuestPortal Guest Administration screen displays. D raft 8 In the File Management section, click Import Guest File. The IImport Guest File dialog is displayed. 9 Click Browse to navigate to the location of the .csv guest le that you want to import, and then click The le is imported and a conrmation message is displayed in the IImport Guest File dialog. Open. 10 Click Import. 11 Click Close. Viewing and Printing a GuestPortal Account Ticket You can view and print a GuestPortal account ticket from the GGuestPortal Guest Administration screen. A GuestPortal account ticket is a print-ready form that displays the guest account information, system requirements, and instructions on how to log on to the guest account. The controller is shipped with a default template for the GuestPortal account ticket. The template is an html page that is augmented with system placeholders that display information about the user. ExtremeWireless V10.41.06 User Guide 698 Working with GuestPortal Administration You can also upload a custom GuestPortal ticket template for the controller. To upload a custom GuestPortal ticket template you need full administrator access rights on the controller. The lename of a custom GuestPortal ticket template must be .html. For more information, see Working with the Guest Portal Ticket Page on page 700. To view and print a GuestPortal account ticket:
1 Do one of the following:
   If you have GuestPortal Manager rights, log onto the controller.
   If you have full administrator rights:
      From the top menu, click VNS. The Virtual Network Configuration screen displays.
      In the left pane, expand the WLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WLAN Services configuration window for that service displays.
      Click the Auth & Acct tab, and then click Configure. The Settings screen displays.
      In the GuestPortal section, click Manage Guest Users. The GuestPortal Guest Administration screen displays.
2 In the guest account list, select the check box next to the user name of the guest account whose ticket you want to print, and then click Print Ticket for Selected Account. The GuestPortal ticket is displayed.
3 Click Print. The Print dialog is displayed.
4 Click Print.

Note: The default GuestPortal ticket page uses placeholder tags. For more information, see Default GuestPortal Ticket Page on page 706.

Working with the Guest Portal Ticket Page

You can work with the guest account ticket page from the Settings screen. A guest account ticket is a print-ready form that displays the guest account information, system requirements, and instructions on how to log on to the guest account.

From the GuestPortal ticket page, you can activate a GuestPortal ticket page, upload a customized GuestPortal ticket page to the controller, and delete a customized GuestPortal ticket page. To work with the GuestPortal account ticket page, you need full administrator rights.

Note: The default GuestPortal ticket page cannot be deleted.

Related Links
Working with a Custom GuestPortal Ticket Page on page 701
Activating a GuestPortal Ticket Page on page 701
Uploading a Custom GuestPortal Ticket Page on page 701
Deleting a Custom GuestPortal Ticket Page on page 701
Example Ticket Page on page 706

Working with a Custom GuestPortal Ticket Page

A customized GuestPortal ticket page can be uploaded to the controller. When designing your customized GuestPortal ticket page, be sure to use the guest account information placeholder tags that are depicted in the default GuestPortal ticket page. For more information, see Default GuestPortal Ticket Page on page 706.

Activating a GuestPortal Ticket Page

To activate a GuestPortal ticket page:
1 From the top menu, click VNS.
2 In the left pane, expand the WLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WLAN Services configuration window for that service displays.
3 Click the Auth & Acct tab, and then click Configure. The Settings screen displays.
4 In the GuestPortal section, click Configure Ticket Page. The Ticket Settings dialog is displayed.
5 In the Active Template list, click the GuestPortal ticket page you want to activate, and then click Apply. This list includes all GuestPortal ticket pages that have been uploaded to the controller.

Uploading a Custom GuestPortal Ticket Page

To upload a custom GuestPortal ticket page:
1 On the Ticket Settings dialog, click Browse. The Choose file dialog is displayed.
2 Navigate to the .html GuestPortal ticket page file that you want to upload to the controller, and then click Open. The file name is displayed in the Upload Template box.
3 Click Apply. The file is uploaded to the controller. The Active Template list includes all GuestPortal ticket pages that have been uploaded to the controller.

Deleting a Custom GuestPortal Ticket Page

To delete a custom GuestPortal ticket page:
1 On the Ticket Settings dialog, in the Active Template list, click the GuestPortal ticket page you want to delete, and then click Delete. A dialog prompts you to confirm you want to delete the GuestPortal ticket page.
2 To delete the file, click OK, and then click Apply.

Configuring Guest Password Patterns

This feature makes it easier for system administrators to create password patterns that the Wireless Assistant will use to auto generate guest passwords. You can specify a predefined pattern or you can create a customized pattern. You must have full administrative rights to generate password patterns.

Select from the following password patterns:
   Completely Random Sequence
   Two Words
   Phone number
   Postal Code
   Custom Pattern

The generator offers three character sets: Latin (ASCII), Cyrillic, and Greek.

Related Links
To Configure a Guest Password Pattern on page 702

To Configure a Guest Password Pattern

To generate a password pattern:
1 From the top menu, click VNS. The Virtual Network Configuration screen displays.
2 In the left pane, expand the WLAN Services pane, click the dedicated WLAN Service that provides the temporary guest network services. The WLAN Services configuration window for that service displays.
3 Click the Auth & Acct tab, and then click Configure. The Settings screen displays.
4 In the GuestPortal section, click Configure Password Generator. The Configure Password Generator screen displays.

To generate a custom password pattern:

Note: You can only type characters that are represented on the keypad. Entries in the Pattern field are editable.

1 From the Pattern pane, select Custom.
2 Select the character set and minimum password length.
3 Use the keypad to enter the pattern characters or type the pattern in the Pattern field. The Clear key on the keypad clears the full pattern. The Clear Entry key on the keypad clears the last entered character.
4 The password pattern displays in the Pattern field. Copy and paste this pattern into the Add Guest User dialog. For more information, see Adding New Guest Accounts on page 690.
5 Click Close to close the dialog and save the password pattern.
6 Click Cancel to close the dialog without saving the password pattern.

Configuring Web Session Timeouts

You can configure the time period to allow web sessions to remain inactive before timing out.

To configure web session timeouts:
1 From the top menu, click Controller. The Wireless Controller Configuration screen displays.
2 In the left pane, click Administration > Web Settings. The Wireless Controller Web Management Settings screen displays.
3 In the Web Session Timeout box, type the time period to allow the web session to remain inactive before it times out. This can be entered as hours:minutes, or as minutes. The range is 1 minute to 168 hours.
4 In the GuestPortal Manager Web Session Timeout box, type the time period to allow the GuestPortal web session to remain inactive before it times out. This can be entered as hours:minutes, or as minutes. The range is 1 minute to 168 hours.

Note: Screens that auto-refresh will time out unless a manual action takes place prior to the end of the timeout period.

5 To save your settings, click Save.

A Regulatory Information

ExtremeWireless APs 37XX, 38XX, and 39XX

Warning: Warnings identify essential information. Ignoring a warning can lead to problems with the application.

Note: For technical specifications and certification information for a specific Outdoor AP refer to the appropriate AP Installation Guide.

Configuration of the ExtremeWireless AP frequencies and power output are controlled by the regional software license and proper selection of the country during initial installation and set-up. Customers are allowed to select only the proper country from their licensed regulatory domain related to that customer's geographic location, performing the set-up of access points in accordance with local laws and regulations. The ExtremeWireless AP must not be operated until configured with the correct country setting or it may be in violation of the local laws and regulations.

Warning: Changes or modifications made to the APs which are not expressly approved by Extreme Networks could void the user's authority to operate the equipment. Only authorized Extreme Networks service personnel are permitted to service the system. Procedures that must be performed only by Extreme Networks personnel are clearly identified in the respective AP guide.

Note: The APs are in compliance with the European Directive 2002/95/EC on the restriction of the use of certain hazardous substances (RoHS) in electrical and electronic equipment.

For regulatory information for the ExtremeWireless AP models 37xx, 38xx, and 39XX refer to the appropriate AP Installation Guide.

B Default GuestPortal Ticket Page

Example Ticket Page

This section provides an example ticket page with an explanation of each placeholder variable and example HTML source code.

Example Ticket Page

Placeholders Used in the Default GuestPortal Ticket Page

Table 134: Default GuestPortal Ticket Page Template Placeholders
Placeholder tag  Description
!GuestName  Guest Name
!GuestComment  Guest Comment
!TimeOfDayStart  Time-of-day start
!TimeOfDayDuration  Time-of-day session duration
!SessionLifeTime  Maximum session time
!UserID  User ID for the guest
!Password  Password for the guest
!SSID  SSID to connect to
!AccountActivationTime  Account available time
!AccountLifeTime  Account life time

Default GuestPortal Ticket Page Source Code

Note: The GuestPortal account information placeholders used in the html code are preceded by the ! character.
<HTML>
<HEAD>
<title></title>
<meta content="text/html;charset=utf-8" http-equiv="Content-Type"/>
</HEAD>
<body style="text-align:center">
<table cellspacing="0" cellpadding="0" border="0" align="center" width="790">
<tr>
<td style="background-color:gray;color:white;font-weight:bold;font-size:30;padding:5px" align="center" width="790">GuestPortal</td>
</tr>
</table>
<table cellspacing="5" cellpadding="0" border="0" style="margin:0 auto">
<tr>
<td align="right"><b>Guest Name:</b></td>
<td align="left">!GuestName</td>
</tr>
<tr>
<td align="right"><b>User ID:</b></td>
<td align="left">!UserID</td>
</tr>
<tr>
<td align="right"><b>Password:</b></td>
<td align="left">!Password</td>
</tr>
<tr>
<td align="right"><b>Account Start:</b></td>
<td align="left">!AccountActivationTime</td>
</tr>
<tr>
<td align="right"><b>Duration:</b></td>
<td align="left">!AccountLifeTime</td>
</tr>
<tr>
<td align="right"><b>Valid Daily Login Time:</b></td>
<td align="left">!TimeOfDayStart -- !TimeOfDayDuration</td>
</tr>
<tr>
<td align="right"><b>Comment:</b></td>
<td align="left">!GuestComment</td>
</tr>
</table>
<div style="width:790px;margin:0 auto;text-align:left">
<b>System Requirements:</b>
<hr width=790 size=2 noshade>
<div style="padding-left:30px">
<ul>
<li>A laptop with WLAN capabilities (802.11a/b/g). This functionality can be either embedded into your device or via a PCMCIA card.
<li>Web browser software. You can use any standard Internet browser (ie, Internet Explorer, Netscape, etc).
</ul>
</div>
</div>
<div style="width:790px;margin:10px auto;text-align:left">
<b>Instructions:</b>
<hr width=790 size=2 noshade>
<div style="padding-left:30px;">
<ul>
<li>Enable your wireless device to connect to the '!SSID' SSID.
<li>Once connected, launch your Internet browser and you will be redirected to the Guest Access webpage.
<li>Enter the user ID and password supplied above. By logging into the network, you are accepting the terms and conditions below.
<li>You're connected!
</ul>
</div>
</div>
</body>
</HTML>
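Two pieces of this chapter are data formats an administrator handles directly: the twelve-column guest .csv file of Table 133, and the !Placeholder tags of Table 134 that the ticket template above is filled from. The following is an added example (not Extreme Networks code and not the controller's implementation) that checks an export file before it is re-imported and fills a ticket template from one of its rows. The mapping from csv columns to placeholder tags, the date and time value formats, and every value in the sample file are assumptions made for the example; the guide only states the column order and the tag names. The point of the rendering half is that guest names and comments are free text typed by an administrator or imported from a file, so they are HTML-escaped before being placed into the ticket page.

```python
# Added example (not Extreme Networks code): validate a guest .csv file laid out
# as in Table 133 and render a ticket template by substituting the !Placeholder
# tags of Table 134. The csv-column-to-placeholder mapping and the date/time
# value formats are assumptions; the guide does not state them.
import csv
import html
import io
import re

# Column order A..L from Table 133.
GUEST_COLUMNS = [
    "user_id",                  # A
    "user_name",                # B
    "password",                 # C
    "description",              # D
    "account_activation_date",  # E
    "account_lifetime_days",    # F
    "session_lifetime_hours",   # G, 0 means no limit
    "enabled",                  # H, 1 enabled / 0 disabled
    "time_of_day_start",        # I
    "time_of_day_duration",     # J
    "synchronized",             # K, 1 yes / 0 no
    "total_session_used_secs",  # L
]

# Constructed sample export; every value is made up for the example.
SAMPLE_CSV = (
    "1001,Alice Guest,sFz3-kq9T,Visitor from partner,2024-05-01,3,0,1,08:00,10:00,0,5400\n"
    "1002,Bob <script>alert(1)</script>,p@ss,Contractor,2024-05-01,30,4,1,09:00,08:00,1,0\n"
    "1003,Carol,hunter2,Expired,2024-01-01,1,2,0,08:00,10:00,0,120\n"
)


def parse_guest_csv(text):
    """Return (rows, errors). Rows that fail the column checks are reported in
    errors and left out of rows, so a malformed file is caught before import."""
    rows, errors = [], []
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue
        if len(fields) != len(GUEST_COLUMNS):
            errors.append(f"line {lineno}: expected {len(GUEST_COLUMNS)} columns, got {len(fields)}")
            continue
        row = dict(zip(GUEST_COLUMNS, fields))
        bad = [c for c in ("enabled", "synchronized") if row[c] not in ("0", "1")]
        bad += [c for c in ("account_lifetime_days", "session_lifetime_hours",
                            "total_session_used_secs") if not row[c].isdigit()]
        if bad:
            errors.append(f"line {lineno}: invalid value in {', '.join(bad)}")
            continue
        rows.append(row)
    return rows, errors


def unlimited_enabled_accounts(rows):
    """Enabled accounts whose session lifetime is 0 (the guide's 'no limit'
    value), listed so an administrator can confirm them before import."""
    return [r["user_id"] for r in rows
            if r["enabled"] == "1" and r["session_lifetime_hours"] == "0"]


# Assumed mapping from Table 134 placeholder tags to csv columns. !SSID is a
# property of the WLAN service, not of the account, so it is passed separately.
PLACEHOLDER_COLUMNS = {
    "!GuestName": "user_name",
    "!GuestComment": "description",
    "!TimeOfDayStart": "time_of_day_start",
    "!TimeOfDayDuration": "time_of_day_duration",
    "!SessionLifeTime": "session_lifetime_hours",
    "!UserID": "user_id",
    "!Password": "password",
    "!AccountActivationTime": "account_activation_date",
    "!AccountLifeTime": "account_lifetime_days",
}
# Longest tags first so that no tag is cut short by a shorter one that prefixes it.
TAG_RE = re.compile("|".join(
    re.escape(t) for t in sorted(list(PLACEHOLDER_COLUMNS) + ["!SSID"], key=len, reverse=True)))

# Shortened stand-in for the default template shown above.
MINI_TEMPLATE = (
    "<td>!GuestName</td><td>!UserID</td><td>!Password</td>"
    "<td>!TimeOfDayStart -- !TimeOfDayDuration</td><td>'!SSID'</td>"
)


def render_ticket(template, row, ssid):
    """Substitute every placeholder, HTML-escaping the value so that markup in
    a guest name or comment is printed as text rather than rendered."""
    values = {tag: row[col] for tag, col in PLACEHOLDER_COLUMNS.items()}
    values["!SSID"] = ssid
    return TAG_RE.sub(lambda m: html.escape(values[m.group(0)], quote=True), template)


if __name__ == "__main__":
    rows, errors = parse_guest_csv(SAMPLE_CSV)
    print("errors:", errors)
    print("enabled accounts with unlimited session lifetime:", unlimited_enabled_accounts(rows))
    print(render_ticket(MINI_TEMPLATE, rows[1], "Guest-WiFi"))
```

The csv half rejects rows with the wrong column count or with flag and lifetime fields outside the values Table 133 defines, and it reports enabled accounts whose session lifetime is the unlimited value 0 so they can be reviewed; the exported file also carries column C, the password, in clear text, which is a reason to treat exportguest.csv as sensitive wherever it is stored. The rendering half is the escaping step a custom ticket page design should get for any placeholder whose value is free text.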
D raft ExtremeWireless V10.41.06 User Guide 7708 Glossary AACL An Access Control List is a mechanism for ltering packets at the hardware level. Packets can be classied by characteristics such as the source or destination MAC, IP address, IP type, or QoS queue. Once classied, the packets can be forwarded, counted, queued, or dropped. ad hoc mode An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an AP. ARP Basic Service Set is a wireless topology consisting of one access point connected to a wired network and a set of wireless devices. Also called an infrastructure network. See also IBSS (Independent Basic Service Set). Address Resolution Protocol is part of the TCP/IP suite used to dynamically associate a device's physical address (MAC address) with its logical address (IP address). The system broadcasts an ARP request, containing the IP address, and the device with that IP address sends back its MAC address so that traffic can be transmitted. D Asynchronous Transmission Mode is a start/stop transmission in which each character is preceded by a start signal and followed by one or more stop signals. A variable time interval can exist between characters. ATM is the preferred technology for the transfer of images. raft Challenge-Handshake Authentication Protocol is one of the two main authentication protocols used to verify a user's name and password for PPP Internet connections. CHAP is more secure because it performs a three-way handshake during the initial link establishment between the home and remote machines. It can also repeat the authentication anytime after the link has been established. Chalet is a web-based user interface for setting up and viewing information about a switch, removing the need to enter common commands individually in the CLI. Command Line Interface. The CLI provides an environment to issue commands to monitor and manage switches and wireless appliances. 
ATM BSS Chalet CHAP CLI CoS Class of Service species the service level for the classied traffic type. Data Center Connect DCC, formerly known as DCM (Data Center Manager), is a data center fabric management and automation tool that improves the efficiency of managing a large virtual and physical network. DCC provides an integrated view of the server, storage, and networking operations, removing the need to use multiple tools and management systems. DCC automates VM assignment, allocates appropriate ExtremeWireless V10.41.06 User Guide 709 Glossary network resources, and applies individual policies to various data objects in the switching fabric
(reducing VM sprawl). Learn more about DCC at http://www.extremenetworks.com/product/data-
center-connect/. DDHCP Dynamic Host Conguration Protocol allows network administrators to centrally manage and automate the assignment of IP addresses on the corporate network. DHCP sends a new IP address when a computer is plugged into a different place in the network. The protocol supports static or dynamic IP addresses and can dynamically recongure networks in which there are more computers than there are available IP addresses. DoS attack DSSS Denial of Service attacks occur when a critical network or computing resource is overwhelmed so that legitimate requests for service cannot succeed. In its simplest form, a DoS attack is indistinguishable from normal heavy traffic. ExtremeXOS software has congurable parameters that allow you to defeat DoS attacks. D Direct-Sequence Spread Spectrum is a transmission technology used in Local Area Wireless Network
(LAWN) transmissions where a data signal at the sending station is combined with a higher data rate bit sequence, or chipping code, that divides the user data according to a spreading ratio. The chipping code is a redundant bit pattern for each bit that is transmitted, which increases the signal's resistance to interference. If one or more bits in the pattern are damaged during transmission, the original data can be recovered due to the redundancy of the transmission. (Compare with FHSS (Frequency-Hopping Spread Spectrum).) raft IEEE 802.1x species how EAP should be encapsulated in LAN frames. In wireless communications using EAP, a user requests connection to a WLAN through an access point, which then requests the identity of the user and transmits that identity to an authentication server such as RADIUS The server asks the access point for proof of identity, which the access point gets from the user and then sends back to the server to complete the authentication. EAP-TLS Extensible Authentication Protocol - Transport Layer Security. A general protocol for authentication that also supports multiple authentication methods, such as token cards, Kerberos, one-
time passwords, certicates, public key authentication and smart cards. EAP-TLS provides for certicate-based and mutual authentication of the client and the network. It relies on client-side and server-side certicates to perform authentication and can be used to dynamically generate user-based and session-based WEP keys. EAP-TLS/EAP-TTLS EAP-TTLS (Tunneled Transport Layer Security) is an extension of EAP-TLS to provide certicate-based, mutual authentication of the client and network through an encrypted tunnel, as well as to generate dynamic, per-user, per-session WEP keys. Unlike EAP-TLS, EAP-TTLS requires only server-side certicates.
(See also PEAP (Protected Extensible Authentication Protocol).) ESRP Extreme Standby Router Protocol is an Extreme Networks-proprietary protocol that provides redundant Layer 2 and routing services to users. ExtremeWireless V10.41.06 User Guide 710 Glossary EExtreme Access Control EAC, formerly NAC, featuring both physical and virtual appliances, is a pre- and post-connect solution for wired and wireless LAN and VPN users. Using Identity and Access appliances and/or Identity and Access Virtual Appliance with the XMC (Extreme Management Center) software, you can ensure only the right users have access to the right information from the right place at the right time. EAC is tightly integrated with the Intrusion Prevention System (IPS) and Security Information and Event Manager
(SIEM) to deliver best-in-class post-connect access control. Learn more about EAC at http://
www.extremenetworks.com/product/extreme-access-control/. Extreme Application Analytics Extreme Management Center EAA, formerly Purview, is a network powered application analytics and optimization solution that captures and analyzes context-based application traffic to deliver meaningful intelligence about applications, users, locations, and devices. EAA provides data to show how applications are being used. This can be used to better understand customer behavior on the network, identify the level of user engagement, and assure business application delivery to optimize the user experience. The software also provides visibility into network and application performance allowing IT to pinpoint and resolve performance issues in the infrastructure whether they are caused by the network, application, or server. Learn more about EAA at http://www.extremenetworks.com/product/extremeanalytics/. D Extreme Management Center (Extreme Management Center), formerly Netsight, is a web-based control interface that provides centralized visibility into your network. Extreme Management Center reaches beyond ports, VLANs, and SSIDs and provides detailed control of individual users, applications, and protocols. When coupled with wireless and Identity & Access Management products, Extreme Management Center becomes the central location for monitoring and managing all the components in the infrastructure. Learn more about Extreme Management Center at http://
www.extremenetworks.com/product/management-center/. raft ExtremeCloud is a cloud-based network management Software as a Service (SaaS) tool. ExtremeCloud allows you to manage users, wired and wireless devices, and applications on corporate and guest networks. You can control the user experience with smarter edges including managing QoS, call admission control, secure access policies, rate limiting, multicast, ltering, and traffic forwarding, all from an intuitive web interface. Learn more about ExtremeCloud at http://www.extremenetworks.com/
product/extremecloud/. ExtremeSwitching is the family of products comprising different switch types: MModular (X8 and 8000 series [formerly BlackDiamond] and S and K series switches); SStackable (X-series and A, B, C, and 7100 series switches); SStandalone (SSA, X430, and D, 200, 800, and ISW series); and MMobile Backhaul (E4G). Learn more about ExtremeSwitching at http://www.extremenetworks.com/products/switching-
routing/. ExtremeSwitching ExtremeCloud ExtremeWireless ExtremeWireless products and solutions offer high-density WiFi access, connecting your organization with employees, partners, and customers everywhere they go. The family of wireless products and solutions includes APs, wireless appliances, and software. Learn more about ExtremeWireless at http://
www.extremenetworks.com/products/wireless/. ExtremeWireless V10.41.06 User Guide 711 Glossary EExtremeXOS ExtremeXOS, a modular switch operating system, is designed from the ground up to meet the needs of large cloud and private data centers, service providers, converged enterprise edge networks, and everything in between. Based on a resilient architecture and protocols, ExtremeXOS supports network virtualization and standards-based SDN capabilities like VXLAN gateway, OpenFlow, and OpenStack Cloud orchestration. ExtremeXOS also supports comprehensive role-based policy. Learn more about ExtremeXOS at http://www.extremenetworks.com/product/extremexos-network-operating-system/. FHSS Frequency-Hopping Spread Spectrum is a transmission technology used in Local Area Wireless Network (LAWN) transmissions where the data signal is modulated with a narrowband carrier signal that 'hops' in a random but predictable sequence from frequency to frequency as a function of time over a wide band of frequencies. This technique reduces interference. If synchronized properly, a single logical channel is maintained. (Compare with DSSS (Direct-Sequence Spread Spectrum).) D An IBSS is the 802.11 term for an ad hoc network. See ad hoc mode. IBSS ICMP Internet Control Message Protocol is the part of the TCP/IP protocol that allows generation of error messages, test packets, and operating messages. For example, the ping command allows you to send ICMP echo messages to a remote IP device to test for connectivity. ICMP also supports traceroute, which identies intermediate hops between a given source and destination. Hosts use Internet Group Management Protocol to inform local routers of their membership in multicast groups. Multicasting allows one computer on the Internet to send content to multiple other computers that have identied themselves as interested in receiving the originating computer's content. 
When all hosts leave a group, the router no longer forwards packets that arrive for the multicast group. raft A Link Aggregation Group is the logical high-bandwidth link that results from grouping multiple network links in link aggregation (or load sharing). You can congure static LAGs or dynamic LAGs
ExtremeWireless V10.41.06 User Guide 712 Glossary

LAG
... (using the LACP).

LLDP
Link Layer Discovery Protocol conforms to IEEE 802.1ab and is a neighbor discovery protocol. Each LLDP-enabled device transmits information to its neighbors, including chassis and port identification, system name and description, VLAN names, and other selected networking information. The protocol also specifies timing intervals in order to ensure that current information is being transmitted and received.

MD5
Message-Digest algorithm is a hash function that is commonly used to generate a 128-bit hash value. It was designed by Ron Rivest in 1991. MD5 is officially defined in RFC 1321 - The MD5 Message-Digest Algorithm.

MIC
Message Integrity Check (or Code), also called Michael, is part of WPA and TKIP. The MIC is an additional 8-byte code inserted before the standard 4-byte ICV that standard WEP appends to the 802.11 message. This greatly increases the difficulty of carrying out forgery attacks. Both integrity check mechanisms are calculated by the receiver and compared against the values sent by the sender in the frame. If the values match, there is assurance that the message has not been tampered with.

netmask
A netmask is a string of 0s and 1s that mask, or screen out, the network part of an IP address, so that only the host computer part of the address remains. A frequently used netmask is 255.255.255.0, used for a Class C subnet (one with up to 255 host computers). The ".0" in the netmask allows the specific host computer address to be visible.

OSPF
An interior gateway routing protocol for TCP/IP networks, Open Shortest Path First uses a link state routing algorithm that calculates routes for packets based on a number of factors, including least hops, speed of transmission lines, and congestion delays. You can also configure certain cost metrics for the algorithm. OSPF features include least-cost routing, ECMP routing, and load balancing. Although OSPF requires CPU power and memory space, it results in smaller, less frequent router table updates throughout the network. This protocol is more efficient and scalable than vector-distance routing protocols.

PEAP
Protected Extensible Authentication Protocol is an IETF draft standard to authenticate wireless LAN clients without requiring them to have certificates. In PEAP authentication, first the user authenticates the authentication server, then the authentication server authenticates the user. If the first phase is successful, the user is then authenticated over the SSL tunnel created in phase one using EAP-Generic Token Card (EAP-GTC) or Microsoft Challenge Handshake Authentication Protocol Version 2 (MSCHAP V2). (See also EAP-TLS/EAP-TTLS.)

PoE
The Power over Ethernet standard (IEEE 802.3af) defines how power can be provided to network devices over existing Ethernet connections, eliminating the need for additional external power supplies.

SNMP
Simple Network Management Protocol is a standard that uses a common software agent to remotely monitor and set network configuration and runtime parameters. SNMP operates in a multivendor environment, and the agent uses MIBs, which define what information is available from any manageable network device. You can also set traps using SNMP, which send notifications of network events to the system log.

SSL
Secure Socket Layer is a protocol for transmitting private documents using the Internet. SSL works by using a public key to encrypt data that is transferred over the SSL connection. SSL uses the public-and-private key encryption system, which includes the use of a digital certificate. SSL is used for other applications than SSH, for example, OpenFlow.

syslog
A protocol used for the transmission of event notification messages across networks, originally developed on the University of California Berkeley Software Distribution (BSD) TCP/IP system implementations, and now embedded in many other operating systems and networked devices. A device generates messages, a relay receives and forwards the messages, and a collector (a syslog server) receives the messages without relaying them. syslog uses UDP as its underlying transport layer mechanism. The UDP port that has been assigned to syslog is 514. (RFC 3164)

VLAN
The term VLAN is used to refer to a collection of devices that communicate as if they are on the same physical LAN. Any set of ports (including all ports on the switch) is considered a VLAN. LAN segments are not restricted by the hardware that physically connects them. The segments are defined by flexible user groups you create with the CLI.

WLAN
Wireless Local Area Network.
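The compute-and-compare mechanism described in the MIC entry, as an added example that is not code from the ExtremeWireless guide: a Python implementation of the Michael MIC used by TKIP (IEEE 802.11i), with the sender appending the 8-byte code and the receiver recomputing and comparing it. The all-zero key with an empty message is the standard's first published test vector; the other key and payload below are constructed sample values.

```python
"""Michael MIC (IEEE 802.11i, TKIP): computed by the sender, verified by the receiver.

Added example, not code from the ExtremeWireless user guide. The algorithm is the
standard Michael MIC; the sample key and frame payload in main() are constructed.
"""
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _rotl(v: int, n: int) -> int:
    """Rotate a 32-bit word left by n bits."""
    return ((v << n) | (v >> (32 - n))) & MASK32


def _rotr(v: int, n: int) -> int:
    """Rotate a 32-bit word right by n bits."""
    return ((v >> n) | (v << (32 - n))) & MASK32


def _xswap(v: int) -> int:
    """Swap the two bytes inside each 16-bit half of the word."""
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)


def _block(l: int, r: int) -> "tuple[int, int]":
    """The Michael block function b(L, R) from the standard."""
    r ^= _rotl(l, 17)
    l = (l + r) & MASK32
    r ^= _xswap(l)
    l = (l + r) & MASK32
    r ^= _rotl(l, 3)
    l = (l + r) & MASK32
    r ^= _rotr(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael_mic(key: bytes, message: bytes) -> bytes:
    """Return the 8-byte Michael MIC of message under the 8-byte key."""
    if len(key) != 8:
        raise ValueError("Michael key must be 8 bytes")
    l, r = struct.unpack("<II", key)
    # Padding: one 0x5a byte, then 4 to 7 zero bytes, so that the padded
    # length is a multiple of 4 and the final 32-bit word is always zero.
    zeros = 4 + (-(len(message) + 5) % 4)
    padded = message + b"\x5a" + b"\x00" * zeros
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)


def append_mic(key: bytes, payload: bytes) -> bytes:
    """Sender side: place the MIC after the payload (in a real TKIP frame the
    4-byte WEP ICV follows the MIC, as the glossary entry describes)."""
    return payload + michael_mic(key, payload)


def verify_frame(key: bytes, frame: bytes) -> bool:
    """Receiver side: recompute the MIC over the payload and compare it with
    the received value in constant time. True only when the values match."""
    if len(frame) < 8:
        return False
    payload, received = frame[:-8], frame[-8:]
    return hmac.compare_digest(michael_mic(key, payload), received)


def tamper_demo(key: bytes, payload: bytes) -> "tuple[bool, bool]":
    """Build a frame, verify it, then flip one payload bit and verify again.
    Returns (result for the intact frame, result for the modified frame)."""
    frame = append_mic(key, payload)
    flipped = bytes([frame[0] ^ 0x01]) + frame[1:]
    return verify_frame(key, frame), verify_frame(key, flipped)


if __name__ == "__main__":
    # Constructed sample key and payload (not values from the guide).
    key = bytes.fromhex("0123456789abcdef")
    payload = b"constructed 802.11 data payload"
    print(michael_mic(bytes(8), b"").hex())  # 82925c1ca1d130b8 (802.11i test vector)
    print(tamper_demo(key, payload))  # (True, False)
```

Michael is deliberately lightweight and TKIP pairs it with countermeasures on MIC failures, so the block illustrates the compute-and-compare mechanism rather than a MIC to adopt in new designs.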
User Manual-AP3917e (Users Manual, 718.51 KiB)
Installing the ExtremeWireless AP3917i/e Access Point

Overview of the AP3917i/e

The AP3917 is an IP67 rated Access Point with 802.11ac dual band 2:2 radios. The AP3917 is easy to install, lightweight, and is available in an internal (AP3917i) and external (AP3917e) antenna model. Each model includes 802.11 radios, an IoT radio, and a GPS radio. The AP3917 comes in two models: AP3917i and AP3917e. In this document, the functionality, features, and procedures apply to both models where AP3917i/e is used.

Note: The AP3917i/e requires a minimum base firmware of 10.41.

The AP3917i/e model has the following features:
- Radios: 2 radios (2.4 GHz and 5 GHz); 1 IoT/BLE/802.15.4 radio (2.4 GHz)
- Console Port: RJ45
- One RJ45, 10/100/1000 Ethernet port (GE1) with PoE
- One RJ45, 10/100/1000 Mb Ethernet port (GE2)
- LEDs: 4 (see Figure 1)
- One Reset button
- Power: PoE 802.3af or 802.3at
- GPS Receiver (will be supported via a future firmware release)
- Antennas:
  - IP67 connectors on all ports
  - AP3917i - 5 internal antennas (four band-locked antennas and one BLE antenna). The polarization on one antenna of each radio can be configured by the installer.
  - AP3917e - 5 external antennas (four single-band antennas and one BLE antenna)
- Temperature: -40 to 70 °C ambient temperature
- Enclosure: Cast aluminum base and PC cover

Figure 1 shows the AP3917i; Figure 2 shows the AP3917e.

Figure 1 Top and Side Views of AP3917i
1 IoT/BLE Radio
2 Radio - 5 GHz
3 Radio - 2.4 GHz
4 Status
5 GE1 (PoE IN)
6 GE2
7 Console/Reset
8 Vent

Figure 2 Top and Side Views of AP3917e
1 IoT/BLE Radio
2 Radio - 5 GHz
3 Radio - 2.4 GHz
4 Status
5 GE1 (PoE IN)
6 GE2
7 Console/Reset
8 2.4 G - Antenna 1 and 2
9 Vent
10 5 G - Antenna 1
11 BLE/802.15.4 Antenna
12 5 G - Antenna 2

LEDs on the Front of the AP

Both Radio LEDs are green when the radios are on and unlit when they are off. The blue LED indicates the IoT status. For detailed installation information about the AP3917i/e, see the ExtremeWireless AP3917i/e Installation Guide.

Table 1 shows ways to power the AP3917i/e.

Table 1 Powering the AP3917i/e

| Power Source | Description |
|---|---|
| Power over Ethernet (PoE) | Power is provided through the RJ45 Ethernet port (GE1 port). |

Verifying the AP3917i/e Box Contents

Verify the contents of the box and ensure that the following items are available:

Table 2 Contents of the AP3917i/e Box

| Quantity | Item |
|---|---|
| 1 | AP3917i/e Quick Reference Guide |
| 1 | Cloud Quick Start Card |

The following hardware is included:

| Quantity | Item |
|---|---|
| 1 | M4 screw assembly with star washer |
| 1 | Ring terminal |

Mounting and Connecting the AP

Electrical Hazard: Only qualified personnel should perform installation procedures.

Use these instructions as guidelines for mounting and connecting the AP3917i/e easily and safely. The AP3917i/e mounting brackets are sold separately. For more information about installing the optional bracket and the adapter, see the ExtremeWireless AP3917i/e Installation Guide. For installation videos of the AP, see www.extremenetworks.com/support/.

Mounting the AP3917i/e

The installation of the AP3917i/e should be performed by a professional installer to ensure proper operation and compliance with local safety guidelines. The access point can be mounted to a wall, girder, ceiling, pole or vehicle using the appropriate bracket.

Positioning the AP for Installation

Mount the AP so that the glands are on the side of the AP closest to the ground, and not above the plastic cover. You must provide a 3-inch drip loop on all cables.

Note: Do not remove the dust cap until you need to install the BLE/IoT antennas.

Attach the Ground Wire

Use the M4 ground screw assembly, with the star washer, to attach the ground wire's ring terminal to the back of the AP. The wire should be as close to the AP bottom as possible. Tighten the screw to a torque of 13.0-13.5 in-lbs.

Note: Attach the H bracket after attaching the ground wire to the AP. Once the screw is tightened to torque, tighten the ground screws and attach the LAN cable.

Mounting the AP3917i/e to a Wall

Note: The H type Mounting Bracket (WS-MBO-H01) is sold as a separate accessory (ordering part #30519).

1 Using the mounting bracket as a guide, mark the location for the mounting screws. The wall bracket provides eight attachment holes. Use four (one in each corner). Place the bracket and mark the four hole centers.
2 Drill four holes into the wall as follows:
  - For installing the AP on a masonry wall, use a 5/16 in diameter bit.
  - For other materials, use the appropriate drill for the screws being used.
3 For masonry installations, drill at least 1/8 in (3 mm) past the depth of the screw, or bolt, being used, and place four anchor assemblies into the holes.
4 Attach the AP to the H bracket:
  a Use 4 M4 screw assemblies to attach the AP to the H bracket on the side that does not have the PEM stand-offs.
  b Tighten the four screws to a torque of 13.0-13.5 in-lbs.

Figure 3 Attaching the H Bracket to the AP

5 Secure the anchors to the wall, then secure the bracket to the anchors.
6 If using #10 screws, tighten them to a torque of 25 in-lbs. If using screws, tighten them to 45 in-lbs.

Figure 4 AP3917i/AP3917e Wall Mount H Bracket

Mounting the AP3917i/e to a Pole

Note: The Pole Mounting Bracket (WS-MBO-POLE01) is sold as a separate accessory (ordering part #30520).

1 Determine the diameter of the pole.

| Pole Diameter | Cable Clamp Size |
|---|---|
| <= 2.5 in (63.5 mm) | Use small cable clamp. |
| 5-7 in (178 mm) | Use large cable clamp. |

For other pole diameters, provide your own stainless steel cable clamp. The band must be 12.7 mm (1/2 in) wide.

2 Attach the AP to the Pole Mount bracket using four M4 screws. Tighten the four screws to a torque of 13.0-13.5 in-lbs.

Figure 5 Attaching a Pole Bracket to the AP

3 Attach the cable clamp to the pole bracket. Open the cable clamp by turning a flat-bladed screwdriver counterclockwise. Then, insert the non-clamp end into the pole bracket through the holes.

Note: It is easier to install both clamps before attaching to the pole.

4 Put the metal band around the pole and insert it into the clamp. Turn the clamp screw clockwise, tightening the band around the pole.

Figure 6 AP with Mounting Bracket, Vertical Pole

Mounting the AP3917i/e to a Wall/Pole using the WS-MBO-ART01 2 Axis Extension Arm

You can mount the AP3917i/e to a wall or a pole using a 10 in extension arm (WS-MBO-ART01, ordering part #30514). For mounting and installation instructions, refer to the ExtremeWireless AP3917i/e Installation Guide.

Installing External Antennas

1 Professionally install the external antennas intended for area coverage. For information about antenna selection and installation, refer to the External Antenna Site Preparation and Installation Guide.
2 Attach the external antenna cables to the Standard Polarity Type-N connectors on the AP3917i/e.

Connecting a Power Source to the AP3917i/e

If you need to power the AP3917i/e, you can do so by using the GE1 port on the AP. The power LED on the front face of the AP illuminates when the device is connected to a power source. Refer to the ExtremeWireless AP3917i/e Installation Guide for information.

LAN/Console Connections

The AP3917i/e has one LAN (Ethernet) port and a Console port. Refer to Figure 1 for the location of these ports. During administration and maintenance through the LAN or Console, the AP must still have a power connection through either an Ethernet PoE cable or a DC power supply.

Professional Installation Instruction

Installation personnel: This product is designed for a specific application and needs to be installed by qualified personnel with knowledge of RF and the related rules. The general user shall not attempt to install the product or change its settings.

Installation location: The product shall be installed at a location where the radiating antenna can be kept 20 cm for AP3917i and 35 cm for AP3917e (FCC) and 20 cm for AP3917i and 42 cm for AP3917e (ISED) from nearby persons in normal operating conditions to meet regulatory RF exposure requirements.

External antenna: Use only the antennas which have been approved by the applicant. Non-approved antenna(s) may produce unwanted spurious or excessive RF transmitting power which may lead to a violation of the FCC/ISED limit and is prohibited.

Installation procedure: Please refer to the user's manual for the details.

Warning: Please carefully select the installation position and make sure that the final output power does not exceed the limit set forth in the relevant rules. Violation of the rule could lead to serious federal penalties.

Instructions d'installation professionnelle (French text, translated)

Installation: This product is intended for a specific use and must be installed by qualified personnel who master radio frequencies and the related rules. The installation and settings must not be modified by the end user.

Installation location: In normal use, in order to meet the regulatory requirements on radio-frequency exposure, this product must be installed so as to maintain a distance of 20 cm for AP3917i and 35 cm for AP3917e (FCC) and 20 cm for AP3917i and 42 cm for AP3917e (ISED) between the transmitting antenna and persons.

External antenna: Use only antennas approved by the manufacturer. Using other antennas may lead to an essential or non-essential radiation level exceeding the limits defined by FCC/ISED, which is prohibited.

Installation procedure: Consult the user manual.

Warning: Choose the installation position carefully and ensure that the output power does not exceed the limits in force. Violating this rule may lead to serious federal penalties.

Regulatory and Compliance Information

Safety Guidelines

This section contains notices that are intended to protect your personal safety and prevent damage to the equipment.

Qualified Personnel:
Electrical Hazard: Only qualified personnel should perform installation procedures. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems, and circuits in accordance with established safety practices and standards. A qualified person understands the requirements and risks involved with installing electrical equipment in accordance with national codes.

Federal Communications Commission (FCC) Notice

This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.

Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules.

Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm for AP3917i and 35 cm for AP3917e between the radiator and your body.

Industry Canada Notice

This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna type listed below with the maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device.

(French text, translated) This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna types listed below with the maximum permissible gain. Antenna types not included in this list, whose gain is greater than the maximum gain indicated, are strictly prohibited for operation of the transmitter.

This device complies with ISED's licence-exempt RSSs. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

(French text, translated) This device complies with ISED's licence-exempt RSSs. Operation is authorized subject to the following two conditions: (1) the device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Caution:
1 The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;
2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and
3 Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices.

Avertissement (French text, translated):
1 Devices operating in the 5150-5250 MHz band are reserved for indoor use only, to reduce the risk of harmful interference to co-channel mobile satellite systems;
2 The maximum permitted antenna gain (for devices using the 5725-5850 MHz band) must comply with the e.i.r.p. limit specified for point-to-point and non-point-to-point operation, as applicable;
3 In addition, users should also be advised that high-power radar users are designated as primary users (i.e. they have priority) for the 5650-5850 MHz bands and that these radars could cause interference and/or damage to LE-LAN devices.

Warning: IC Radiation Exposure Statement: This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm for AP3917i and 42 cm for AP3917e between the radiator and your body.

Warning (French text, translated): Radiation exposure statement: This equipment complies with the ISED radiation exposure limits set forth for an uncontrolled environment. This equipment must be installed and operated with a minimum distance of 20 cm for AP3917i and 42 cm for AP3917e between the radiation source and your body.

4.9G Antenna for Item 6 and Item 11 will be secondary primary permanent fixed operations use only.

European Waste Electrical and Electronic Equipment (WEEE) Notice

In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):
1 The symbol above indicates that separate collection of electrical and electronic equipment is required.
2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately.
3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment.
4 It is the user's responsibility to utilize the available collection system to ensure WEEE is properly treated.

For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland).

Hazardous Substances

This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment.

Declaration of Conformity in Languages of the European Community

| Language | Declaration (non-English entries translated) |
|---|---|
| English | Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. |
| Finnish | Manufacturer Extreme Networks hereby declares that the Radio LAN device type equipment complies with the essential requirements and other relevant provisions of Directive 1999/5/EC. |
| Dutch | Extreme Networks hereby declares that the Radio LAN device apparatus is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. |
| Dutch | Extreme Networks hereby declares that this Radio LAN device satisfies the essential requirements and the other relevant provisions of Directive 1999/5/EC. |
| French | Extreme Networks hereby declares that the Radio LAN device apparatus complies with the essential requirements and other relevant provisions of Directive 1999/5/EC. |
| French | Extreme Networks hereby declares that this Radio LAN device complies with the essential requirements and the other provisions of Directive 1999/5/EC that apply to it. |
| Swedish | Extreme Networks hereby certifies that this Radio LAN device is in conformity with the essential characteristic requirements and other relevant provisions set out in Directive 1999/5/EC. |
| Danish | The undersigned Extreme Networks hereby declares that the following equipment, Radio LAN device, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC. |
| German | Extreme Networks hereby declares the conformity of the "WLAN Wireless Controller or Access Points" with the essential requirements and other relevant provisions of Directive 1999/5/EC. |
| Greek | Extreme Networks Radio LAN device 1999/5/ |
| Icelandic | Extreme Networks hereby declares that this equipment, Radio LAN device, fulfils all the basic requirements made in EU R&TTE Directive 1999/5/EC. |
| Italian | Extreme Networks hereby declares that this Radio LAN device complies with the essential requirements and other relevant provisions established by Directive 1999/5/EC. |
| Spanish | Extreme Networks hereby declares that the Radio LAN device complies with the essential requirements and any other applicable or enforceable provisions of Directive 1999/5/EC. |
| Portuguese | Extreme Networks declares that this Radio LAN device complies with the essential requirements and other provisions of Directive 1999/5/EC. |
| Malti | Hereby, Extreme Networks declares that this Radio LAN device conforms with the essential requirements and other relevant provisions in Directive 1999/5/EC. |

ExtremeWireless(TM) Access Points Quick Reference

P/N 31050 WS-AP3917i-FCC
P/N 31051 WS-AP3917i-ROW
P/N 31055 WS-AP3917e-FCC
P/N 31056 WS-AP3917e-ROW

Notice

Copyright 2017 Extreme Networks, Inc. All Rights Reserved.

Legal Notices

Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks

Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:
www.extremenetworks.com/company/legal/trademarks/

Documentation & Support

For product support, including documentation, visit:
www.extremenetworks.com/support/

P/N 9035165-03
User Manual-AP3917e R1 (Users Manual, 230.56 KiB)
Reorient or relocate the receiving antenna. Connect the equipment into an outlet on a circuit different from that to Increase the separation between the equipment and receiver. which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment. This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules. Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with minimum distance 20 cm for AP3917i and 35 cm for AP3917e between the radiator & your body. Industry Canada Notice This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna type listed below with maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device. Le prsent metteur radio (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) a t approuv par ISED pour fonctionner avec les types d'antenne numrs ci-dessous et ayant un gain admissible maximal. Les types d'antenne non inclus dans cette liste, et dont le gain est suprieur au gain maximal indiqu, sont strictement interdits pour l'exploitation de l'metteur. This device complies with ISEDs licence-exempt RSSs. 
Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. Le prsent appareil est conforme aux CNR d ISED applicables aux appareils radio exempts de licence. Lexploitation est autorise aux deux conditions suivantes : (1) le dispositif ne doit pas produire de brouillage prjudiciable, et
(2) ce dispositif doit accepter tout brouillage reu, y compris un brouillage susceptible de provoquer un fonctionnement indsirable. Caution :
1 The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;
2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and 3 Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices. Avertissement:
1 les dispositifs fonctionnant dans la bande 5150-5250 MHz sont rservs uniquement pour une utilisation lintrieur afin de rduire les risques de brouillage prjudiciable aux systmes de satellites mobiles utilisant les mmes canaux;
4.9G Antenna for Item 6 and Item 11 will be secondary primary permanent fixed operations use only. European Waste Electrical and Electronic Equipment
(WEEE) Notice In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):
1 The symbol above indicates that separate collection of electrical and electronic equipment is required. 2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately. 3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment. 4 It is the users responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland). Hazardous Substances This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment. Declaration of Conformity in Languages of the European Community English Finnish Dutch Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Valmistaja Extreme Networks vakuuttaa tten ett Radio LAN device tyyppinen laite on direktiivin 1999/5/EY oleellisten vaatimusten ja sit koskevien direktiivin muiden ehtojen mukainen. Hierbij verklaart Extreme Networks dat het toestel Radio LAN device in overeenstemming is met de essentile eisen en de andere relevante bepalingen van richtlijn 1999/5/EG. Bij deze verklaart Extreme Networks dat deze Radio LAN device voldoet aan de essentile eisen en aan de overige relevante bepalingen van Richtlijn 1999/5/EC. French Par la prsente Extreme Networks dclare que l'appareil Radio LAN device est conforme aux exigences essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE. 
Swedish Danish German Greek Icelandic Italian Spanish Portuguese Malti Par la prsente, Extreme Networks dclare que ce Radio LAN device est conforme aux exigences essentielles et aux autres dispositions de la directive 1999/5/CE qui lui sont applicables. Hrmed intygar Extreme Networks att denna Radio LAN device str I verensstmmelse med de vsentliga egenskapskrav och vriga relevanta bestmmelser som framgr av direktiv 1999/5/EG. Undertegnede Extreme Networks erklrer herved, at flgende udstyr Radio LAN device overholder de vsentlige krav og vrige relevante krav i direktiv 1999/5/EF. Hiermit erklrt Extreme Networks die bereinstimmung des "WLAN Wireless Controller bzw. Access Points" mit den grundlegenden Anforderungen und den anderen relevanten Festlegungen der Richtlinie 1999/5/EG.
Extreme Networks Radio LAN device
1999/5/
. Extreme Networks lysir her med yfir a thessi bunadur, Radio LAN device, uppfyllir allar grunnkrofur, sem gerdar eru i R&TTE tilskipun ESB nr 1999/5/EC. Con la presente Extreme Networks dichiara che questo Radio LAN device conforme ai requisiti essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE. Por medio de la presente Extreme Networks declara que el Radio LAN device cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. Extreme Networks declara que este Radio LAN device est conforme com os requisitos essenciais e outras disposies da Directiva 1999/5/
CE. Hawnhekk, Extreme Networks, jiddikjara li dan Radio LAN device jikkonforma mal-htigijiet essenzjali u ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC. ExtremeWirelessTM Access Points Quick Reference P/N 31050 WS-AP3917i-FCC P/N 31051 WS-AP3917i-ROW P/N 31055 WS-AP3917e-FCC P/N 31056 WS-AP3917e-ROW Notice Copyright 2017 Extreme Networks, Inc. All Rights Reserved. Legal Notices Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice. Trademarks Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:
www.extremenetworks.com/company/legal/trademarks/
Documentation & Support For product support, including documentation, visit:
www.extremenetworks.com/support/
P/N 9035165-04
User Manual-AP7662 | Users Manual | 769.21 KiB
Installing the ExtremeWiNG AP7662i/AP7662 Access Point

Overview of the AP7662i/AP7662
The AP7662 is an IP67-rated Access Point with 802.11ac dual-band 2:2 radios. The AP7662 is easy to install, lightweight, and is available in an internal (AP7662i) and an external (AP7662) antenna model. Each model includes 802.11 radios, an IoT radio, and a GPS radio. The AP7662 comes in two models: AP7662i and AP7662. In this document, the functionality, features and procedures apply to both models where AP7662i/AP7662 is used.
Note: The AP7662i/AP7662 requires a minimum base firmware of WiNG 5.9.1.
The AP7662i/AP7662 model has the following features:
- Radios: 2 radios (2.4 GHz and 5 GHz); 1 IoT/BLE/802.15.4 radio (2.4 GHz)
- Console Port: RJ45
- One RJ45 10/100/1000 Ethernet port (GE1) with PoE
- One RJ45 10/100/1000 Mb Ethernet port (GE2)
- LEDs: 4 (see Figure 1)
- One Reset button
- Power: PoE 802.3af or 802.3at
- GPS Receiver (will be supported via a future firmware release)
- Antennas: IP67 connectors on all ports. AP7662i: five internal antennas (four band-locked antennas and one BLE antenna). AP7662: five external antennas (four single-band antennas and one BLE antenna).
- Temperature: -40 °C to 70 °C ambient temperature
- Enclosure: cast aluminum base and top
In Figure 1, the top image shows the AP7662i. Figure 2 shows the top and side views of the AP7662.
Figure 1 Top and Side Views of AP7662i. Callouts: 1 IoT/BLE Radio; 2 Radio - 5 GHz; 3 Radio - 2.4 GHz; 4 Status; 5 GE1 (PoE IN); 6 GE2; 7 Console/Reset; 8 Vent.
Figure 2 Top and Side Views of AP7662. Callouts: 1 IoT/BLE Radio; 2 Radio - 5 GHz; 3 Radio - 2.4 GHz; 4 Status; 5 GE1 (PoE IN); 6 GE2; 7 Console/Reset; 8 2.4 G - Antenna 1 and 2; 9 Vent; 10 5 G - Antenna 1; 11 BLE/802.15.4 Antenna; 12 5 G - Antenna 2.

LEDs on the Front of the AP
Amber LEDs indicate the 5 GHz Wi-Fi radio, green LEDs indicate the 2.4 GHz Wi-Fi radio, and the blue LED indicates the IoT radio. The Status LED is ON only during bootup. For detailed installation information about the AP7662i/AP7662, see the ExtremeWireless AP7662i/AP7662 Installation Guide.
Table 1 shows ways to power the AP7662i/AP7662.
Table 1 Powering the AP7662i/AP7662
Power Source | Description
Power over Ethernet (PoE) | Power is provided through the RJ45 Ethernet port (GE1 port).

Verifying the AP7662i/AP7662 Box Contents
Verify the contents of the box and ensure that the following items are available:
Table 2 Contents of the AP7662i/AP7662 Box
Quantity | Item
1 | AP7662i/AP7662 Quick Reference Guide
1 | Cloud Quick Start Card
The following hardware is included:
1 | M4 screw assembly with star washer
1 | Ring terminal

Mounting and Connecting the AP
Electrical Hazard: Only qualified personnel should perform installation procedures.
Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The AP7662i/AP7662 mounting brackets are sold separately. For more information about installing the optional bracket and the adapter, see the ExtremeWireless AP7662i/AP7662 Installation Guide. For installation videos of the AP, see www.extremenetworks.com/support/

Mounting the AP7662i/AP7662
Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The installation of the AP7662i/AP7662 should be performed by a professional installer to ensure proper operation and compliance with local safety guidelines. Attach the AP7662i/AP7662 to a surface that can support the AP and in an environment it can withstand. It can be mounted to a wall, girder, ceiling, or pole, and the surface material can be concrete, brick, wood, metal, or plastic.

Positioning the AP for Installation
Mount the AP so that the glands are on the side of the AP closest to the ground, and not above the plastic cover. You must provide a 3-inch drip loop on all cables.
Note: Do not remove the dust cap until you need to install the BLE/IoT antennas.

Attach the Ground Wire
Use the M4 ground screw assembly, with the star washer, to attach the ground wire's ring terminal to the back of the AP. The wire should be as close to the bottom of the AP as possible. Tighten the screw to a torque of 13.0-13.5 in-lbs.
Note: Attach the H bracket after attaching the ground wire to the AP. Tighten the screws to the specified torque and attach the LAN cable.

Mounting the AP7662i/AP7662 to a Wall
Note: The H type Mounting Bracket (WS-MBO-H01) is sold as a separate accessory (ordering part #30519).
1 Using the mounting bracket as a guide, mark the location for the mounting screws. The wall bracket provides eight attachment holes. Use four (one in each corner). Place the bracket and mark the four hole centers.
2 Drill four holes into the wall as follows: for installing the AP on a masonry wall, use a 5/16 in diameter bit; for other materials, use the appropriate drill for the screws being used.
3 For masonry installations, drill at least 1/8 in (3 mm) past the depth of the screw, or bolt, being used, and place four anchor assemblies into the holes.
4 Attach the AP to the H Bracket:
a Use four M4 screw assemblies to attach the AP to the H bracket on the side that does not have the PEM stand-offs.
b Tighten the four screws to a torque of 13.0-13.5 in-lbs.
Figure 3 Attaching the H Bracket to the AP
5 Secure the anchors to the wall, then secure the bracket to the anchors.
6 If using #10 screws, tighten them to a torque of 25 in-lbs. If using screws, tighten them to 45 in-lbs.
Figure 4 AP7662i and AP7662 Wall Mount H Bracket

Mounting the AP7662i/AP7662 to a Pole
Note: The Pole Mounting Bracket (WS-MBO-POLE01) is sold as a separate accessory (ordering part #30520).
1 Determine the diameter of the pole.
Pole Diameter | Cable Clamp Size
<= 2.5 in (63.5 mm) | Use small cable clamp.
5 - 7 in (178 mm) | Use large cable clamp.
For other pole diameters, provide your own stainless steel cable clamp. The band must be 12.7 mm (1/2 in) wide.
2 Attach the AP to the Pole Mount bracket using four M4 screws. Tighten the four screws to a torque of 13.0-13.5 in-lbs.
Figure 5 Attaching a Pole Bracket to the AP
3 Attach the cable clamp to the pole bracket. Open the cable clamp by turning a flat-bladed screwdriver counterclockwise. Then insert the non-clamp end into the pole bracket through the holes.
Note: It is easier to install both clamps before attaching to the pole.
4 Put the metal band around the pole and insert it into the clamp. Turn the clamp screw clockwise, tightening the band around the pole.
Figure 6 AP with Mounting Bracket, Vertical Pole

Mounting the AP7662i/AP7662 to a Wall/Pole using the WS-MBO-ART01 2-Axis Extension Arm
You can mount the AP7662i/AP7662 to a wall or a pole using a 10 in extension arm (WS-MBO-ART01, ordering part #30514). For mounting and installation instructions, refer to the ExtremeWireless AP7662i/AP7662 Installation Guide.

Installing External Antennas
1 Have the external antennas intended for area coverage installed professionally. For information about antenna selection and installation, refer to the External Antenna Site Preparation and Installation Guide.
2 Attach the external antenna cables to the Standard Polarity Type-N connectors on the AP7662i/AP7662.

Connecting a Power Supply to the AP7662i/AP7662
The AP7662i/AP7662 is powered by using the GE1 port on the AP. The power LED on the front face of the AP illuminates when the device is powered on. Refer to the ExtremeWireless AP7662i/AP7662 Installation Guide for more information.

LAN/Console Connections
The AP7662i/AP7662 has two LAN (Ethernet) ports and a Console port. Refer to Figure 1 and Figure 2 for the location of these ports. During administration and maintenance through the LAN or Console, the AP must still have a power connection through either an Ethernet PoE cable or a DC power supply.

Professional Installation Instruction
Installation personnel: This product is designed for a specific application and must be installed by qualified personnel with knowledge of RF and the related rules. The general user shall not attempt to install the product or change its settings.
Installation location: The product shall be installed at a location where the radiating antenna can be kept 20 cm for the AP7662i and 35 cm for the AP7662 (FCC), and 20 cm for the AP7662i and 42 cm for the AP7662 (ISED), from nearby persons under normal operating conditions, to meet regulatory RF exposure requirements.
External antenna: Use only antennas that have been approved by the applicant. Non-approved antennas may produce unwanted spurious emissions or excessive RF transmit power, which may violate FCC/ISED limits and is prohibited.
Installation procedure: Refer to the user's manual for details.
Warning: Carefully select the installation position and make sure that the final output power does not exceed the limit set forth in the relevant rules. Violation of the rules could lead to serious federal penalties.

Instructions d'installation professionnelle (French text, translated)
Installation: This product is intended for a specific use and must be installed by qualified personnel familiar with radio frequencies and the applicable rules. The installation and settings must not be modified by the end user.
Installation location: In normal use, to meet the regulatory RF exposure requirements, this product must be installed so as to keep a distance of 20 cm for the AP7662i and 35 cm for the AP7662 (FCC), and 20 cm for the AP7662i and 42 cm for the AP7662 (ISED), between the transmitting antenna and persons.
External antenna: Use only antennas approved by the manufacturer. Using other antennas can lead to essential or non-essential radiation levels exceeding the limits defined by ISED, which is prohibited.
Installation procedure: Consult the user manual.
Warning: Choose the installation position carefully and make sure that the output power does not exceed the limits in force. Violation of this rule can lead to serious federal penalties.

Regulatory and Compliance Information

Safety Guidelines
This section contains notices that are intended to protect your personal safety and prevent damage to the equipment.
Qualified Personnel:
Electrical Hazard: Only qualified personnel should perform installation procedures. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems, and circuits in accordance with established safety practices and standards. A qualified person understands the requirements and risks involved with installing electrical equipment in accordance with national codes.

Federal Communications Commission (FCC) Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
- Reorient or relocate the receiving antenna.
- Increase the separation between the equipment and receiver.
- Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
- Consult the dealer or an experienced radio/TV technician for help.
Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules.
Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm for the AP7662i and 35 cm for the AP7662 between the radiator and your body.

Industry Canada Notice
This device complies with ISED's licence-exempt RSSs. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. (The same statement follows in French.)
Caution:
1 The device for operation in the band 5150-5250 MHz is only for indoor use, to reduce the potential for harmful interference to co-channel mobile satellite systems;
2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and
3 Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices.
Avertissement (French text, translated):
1 Devices operating in the 5150-5250 MHz band are reserved for indoor use only, to reduce the risk of harmful interference to mobile satellite systems using the same channels;
2 The maximum permitted antenna gain (for devices using the 5725-5850 MHz band) must comply with the e.i.r.p. limit specified for point-to-point and non-point-to-point operation, as applicable;
3 Users should also be advised that high-power radar users are designated primary users (i.e. they have priority) of the 5650-5850 MHz bands and that these radars could cause interference and/or damage to LE-LAN devices.
Warning: IC Radiation Exposure Statement: This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm for the AP7662i and 42 cm for the AP7662 between the radiator and your body.
Warning (French text, translated): Radiation exposure statement: This equipment complies with the ISED radiation exposure limits established for an uncontrolled environment. This equipment must be installed and operated with a minimum distance of 20 cm for the AP7662i and 42 cm for the AP7662 between the radiation source and your body.
This radio transmitter (IC: 4141B-AP3917E / Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna types listed below with the maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device. (The same statement follows in French.)
4.9G antenna for Item 6 and Item 11 will be for secondary primary permanent fixed operations use only.

European Waste Electrical and Electronic Equipment (WEEE) Notice
In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):
1 The symbol above indicates that separate collection of electrical and electronic equipment is required.
2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately.
3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment.
4 It is the user's responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland).

Hazardous Substances
This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment.

Declaration of Conformity in Languages of the European Community
English: Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
The same declaration is given in Finnish, Dutch (two wordings), French (two wordings), Swedish, Danish, German (where the product is named "WLAN Wireless Controller bzw. Access Points", i.e. WLAN wireless controller or access points), Greek, Icelandic, Italian, Spanish, Portuguese and Maltese.

ExtremeWiNG™ Access Points Quick Reference
P/N 37121 AP-7662-680B30-US
P/N 37122 AP-7662-680B30-WR
P/N 37123 AP-7662-680B40-US
P/N 37124 AP-7662-680B40-WR
Notice: Copyright 2017 Extreme Networks, Inc. All Rights Reserved.
Legal Notices: Extreme Networks, Inc., on behalf of or through its wholly-owned subsidiary, Enterasys Networks, Inc., reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.
Trademarks: Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information on Extreme Networks trademarks, please see:
www.extremenetworks.com/company/legal/trademarks/
Documentation & Support For product support, including documentation, visit:
www.extremenetworks.com/support/
P/N 9035167-02
1 2 3 4 | User Manual-AP7662 R1 | Users Manual | 246.13 KiB |
Installing the ExtremeWiNG AP7662i/AP7662 Access Point

Overview of the AP7662i/AP7662

The AP7662 is an IP67 rated Access Point with 802.11ac dual band 2:2 radios. The AP7662 is easy to install, lightweight, and is available in an internal (AP7662i) and an external (AP7662) antenna model. Each model includes 802.11 radios, an IoT radio, and a GPS radio. The AP7662 comes in two models: AP7662i and AP7662. In this document, the functionality, features, and procedures apply to both models wherever AP7662i/AP7662 is written.

Note: The AP7662i/AP7662 requires a minimum base firmware of WiNG 5.9.1.

The AP7662i/AP7662 model has the following features:
Radios: 2 radios (2.4GHz and 5GHz); 1 IoT/BLE/802.15.4 Radio (2.4 GHz)
Console Port: RJ45
One RJ45, 10/100/1000 Ethernet Port (GE1) with PoE
One RJ45, 10/100/1000Mb Ethernet port (GE2)
LEDs: 4 (see Figure 1)
One Reset button
Power: PoE 802.3af or 802.3at
GPS Receiver (will be supported via a future firmware release)
Antennas: IP67 connectors on all ports
  AP7662i - Five internal antennas (four band locked antennas and one BLE antenna)
  AP7662 - Five external antennas (four single band antennas and one BLE antenna)
Temperature:
  AP3917i -40C to +65C (-40F to 149F) without solar radiation; -40C to +55C (-40F to 131F) with solar radiation
  AP3917e -40C to +65C (-40F to 149F) without solar radiation; -40C to +55C (-40F to 131F) with solar radiation
Enclosure: Cast Aluminum base and Top

In Figure 1, the top image shows the AP7662i. Figure 2 shows the top and side views of the AP7662.

Figure 1 Top and Side Views of AP7662i
1 IoT/BLE Radio
2 Radio - 5 GHz
3 Radio - 2.4 GHz
4 Status
5 GE1 (PoE IN)
6 GE2
7 Console/Reset
8 Vent

Figure 2 Top and Side Views of AP7662
1 IoT/BLE Radio
2 Radio - 5 GHz
3 Radio - 2.4 GHz
4 Status
5 GE1 (PoE IN)
6 GE2
7 Console/Reset
8 2.4 G - Antenna 1 and 2
9 Vent
10 5G - Antenna 1
11 BLE/802.15.4 Antenna
12 5 G - Antenna 2

LEDs on the Front of the AP
Amber LEDs indicate the 5 GHz Wi-Fi Radio, Green LEDs indicate the 2.4 GHz Wi-Fi Radio, and the Blue LED indicates the IoT Radio. The Status LED is ON only during bootup. For detailed installation information about the AP7662i/AP7662, see the ExtremeWireless AP7662i/AP7662 Installation Guide.

Table 1 shows the ways to power the AP7662i/AP7662.

Table 1 Powering the AP7662i/AP7662
Power Source | Description
Power over Ethernet (PoE) | Power is provided through the RJ45 Ethernet port (GE1 port).

Verifying the AP7662i/AP7662 Box Contents
Verify the contents of the box and ensure that the following items are available:

Table 2 Contents of the AP7662i/AP7662 Box (Quantity / Item)
AP7662i/AP7662
Quick Reference Guide
Cloud Quick Start Card
The following hardware is included:
1 M4 screw assembly with star washer
1 Ring terminal

Mounting and Connecting the AP
Electrical Hazard: Only qualified personnel should perform installation procedures.
Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The AP7662i/AP7662 mounting brackets are sold separately. For more information about installing the optional bracket and the adapter, see the ExtremeWireless AP7662i/AP7662 Installation Guide. For installation videos of the AP, see www.extremenetworks.com/support/

Mounting the AP7662i/AP7662
Use these instructions as guidelines for mounting and connecting the AP7662i/AP7662 easily and safely. The installation of the AP7662i/AP7662 should be performed by a professional installer to ensure proper operation and compliance with local safety guidelines. Attach the AP7662i/AP7662 to a surface that can support the AP and in an environment it can withstand. It can be mounted to a wall, girder, ceiling, or pole, and the surface material can be concrete, brick, wood, metal, or plastic.

Positioning the AP for Installation
Mount the AP so that the glands are on the side of the AP closest to the ground, and not above the plastic cover. You must provide a 3-inch drip loop on all cables.
Note: Do not remove the dust cap until you need to install the BLE/IoT antennas.

Attach the Ground Wire
Use the M4 ground screw assembly, with the star washer, to attach the ground wire's ring terminal to the back of the AP. The wire should be as close to the AP bottom as possible. Tighten the screw to a torque of 13.0-13.5 in-lbs.
Note: Attach the H bracket after attaching the ground wire to the AP. Tighten the screws to the specified torque and attach the LAN cable.

Mounting the AP7662i/AP7662 to a Wall
Note: The H type Mounting Bracket (WS-MBO-H01) is sold as a separate accessory (ordering part #30519).
1 Using the mounting bracket as a guide, mark the location for the mounting screws. The wall bracket provides eight attachment holes. Use four (one in each corner). Place the bracket and mark the four hole centers.
2 Drill four holes into the wall as follows: for installing the AP on a masonry wall, use a 5/16 diameter bit; for other materials, use the appropriate drill for the screws being used.
3 For masonry installations, drill at least 1/8 (3mm) past the depth of the screw, or bolt, being used, and place four anchor assemblies into the holes.
4 Attach the AP to the H Bracket:
  a Use four M4 screw assemblies to attach the AP to the H bracket on the side that does not have the PEM stand-offs.
  b Tighten the four screws to a torque of 13.0-13.5 in-lbs.
Figure 3 Attaching the H Bracket to the AP
5 Secure the anchors to the wall, then secure the bracket to the anchors.
6 If using #10 screws, tighten them to a torque of 25 in-lbs. If using screws, tighten them to 45 in-lbs.
Figure 4 AP7662i and AP7662 Wall Mount H Bracket

Mounting the AP7662i/AP7662 to a Pole
Note: The Pole Mounting Bracket (WS-MBO-POLE01) is sold as a separate accessory (ordering part #30520).
1 Determine the diameter of the pole.
Pole Diameter | Cable Clamp Size
<= 2.5 (63.5mm) | Use small cable clamp.
5 - 7 (178mm) | Use large cable clamp.
For other pole diameters, provide your own stainless steel cable clamp. The band must be (12.7mm) wide.
2 Attach the AP to the Pole Mount bracket using 4 M4 screws. Tighten the four screws to a torque of 13.0-13.5 in-lbs.
Figure 5 Attaching a Pole Bracket to the AP
3 Attach the cable clamp to the pole bracket. Open the cable clamp by turning a flat bladed screwdriver counterclockwise. Then, insert the non-clamp end into the pole bracket through the holes.
Note: It is easier to install both clamps before attaching to the pole.
4 Put the metal band around the pole and insert it into the clamp. Turn the clamp screw clockwise, tightening the band around the pole.
Figure 6 AP with Mounting Bracket, Vertical Pole

Mounting the AP7662i/AP7662 to a Wall/Pole using the WS-MBO-ART01 2 Axis Extension Arm
You can mount the AP7662i/AP7662 to a wall or a pole using a 10 extension arm (WS-MBO-ART01, ordering part #30514). For mounting and installation instructions, refer to the ExtremeWireless AP7662i/AP7662 Installation Guide.

Installing External Antennas
1 Professionally install the external antennas intended for area coverage. For information about antenna selection and installation, refer to the External Antenna Site Preparation and Installation Guide.
2 Attach the external antenna cables to the Standard Polarity Type-N connectors on the AP7662i/AP7662.

Connecting a Power Supply to the AP7662i/AP7662
If you need to power the AP7662i/AP7662, you can do so by using the GE1 port on the AP. The power LED on the front face of the AP illuminates when the device is powered on. Refer to the ExtremeWireless AP7662i/AP7662 Installation Guide for more information.

LAN/Console Connections
The AP7662i/AP7662 has two LAN (Ethernet) ports and a Console port. Refer to Figure 1 and Figure 2 for the location of these ports. During administration and maintenance through the LAN or Console, the AP must still have a power connection through either an Ethernet PoE cable or a DC power supply.

Professional Installation Instruction
Installation personnel: This product is designed for a specific application and needs to be installed by qualified personnel who have RF and related rule knowledge. The general user shall not attempt to install or change the settings.
Installation location: The product shall be installed at a location where the radiating antenna can be kept 20 cm for AP7662i and 35 cm for AP7662 (FCC) and 20 cm for AP7662i and 42 cm for AP7662 (ISED) from nearby persons in normal operating conditions to meet the regulatory RF exposure requirement.
External antenna: Use only the antennas which have been approved by the applicant. Non-approved antennas may produce unwanted spurious or excessive RF transmitting power, which may lead to a violation of the FCC/ISED limit and is prohibited.
Installation procedure: Please refer to the user's manual for details.
Warning: Please carefully select the installation position and make sure that the final output power does not exceed the limit set forth in the relevant rules. Violation of the rule could lead to serious federal penalty.

Professional Installation Instructions (French version, translated)
Installation: This product is intended for a specific use and must be installed by qualified personnel with knowledge of radio frequencies and the related rules. The installation and settings must not be modified by the end user.
Installation location: In normal use, in order to meet the regulatory requirements concerning RF exposure, this product must be installed so as to maintain a distance of 20 cm for AP7662i and 35 cm for AP7662 (FCC) and 20 cm for AP7662i and 42 cm for AP7662 (ISED) between the transmitting antenna and persons.
External antenna: Use only the antennas approved by the manufacturer. Use of other antennas may lead to a level of essential or non-essential radiation exceeding the limits defined by ISED, which is prohibited.
Installation procedure: Consult the user manual.
Warning: Choose the installation position carefully and ensure that the output power does not exceed the limits in force. Violation of this rule may lead to serious federal penalties.
Regulatory and Compliance Information

Safety Guidelines
This section contains notices that are intended to protect your personal safety and prevent damage to the equipment.

Qualified Personnel:
Electrical Hazard: Only qualified personnel should perform installation procedures. Within the context of the safety notes in this documentation, qualified persons are defined as persons who are authorized to commission, ground and label devices, systems, and circuits in accordance with established safety practices and standards. A qualified person understands the requirements and risks involved with installing electrical equipment in accordance with national codes.

Federal Communications Commission (FCC) Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.

Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void the user's authority to operate this equipment.

This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. This device meets all the other requirements specified in Part 15E, Section 15.407 of the FCC Rules.

Warning: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm for AP7662i and 35 cm for AP7662 between the radiator and your body.

Industry Canada Notice
This device complies with ISED's licence-exempt RSSs. Operation is subject to the following two conditions: (1) This device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.
(French version, translated) This device complies with the applicable ISED licence-exempt RSSs. Operation is authorised under the following two conditions: (1) the device must not produce harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

Caution:
1 The device for operation in the band 5150-5250 MHz is only for indoor use to reduce the potential for harmful interference to co-channel mobile satellite systems;
2 The maximum antenna gain permitted for devices in the band 5725-5850 MHz shall be such that the equipment still complies with the e.i.r.p. limits specified for point-to-point and non-point-to-point operation as appropriate; and
3 Users should also be advised that high-power radars are allocated as primary users (i.e. priority users) of the bands 5650-5850 MHz and that these radars could cause interference and/or damage to LE-LAN devices.

Warning (French version, translated):
1 Devices operating in the 5150-5250 MHz band are reserved for indoor use only, to reduce the risk of harmful interference to mobile satellite systems using the same channels;
2 The maximum permitted antenna gain (for devices using the 5725-5850 MHz band) must comply with the e.i.r.p. limit specified for point-to-point and non-point-to-point operation, as applicable;
3 In addition, users should also be advised that high-power radar users are designated as primary users (i.e. they have priority) for the 5650-5850 MHz bands and that these radars could cause interference and/or damage to LE-LAN devices.

Warning: IC Radiation Exposure Statement: This equipment complies with ISED radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 cm for AP7662i and 42 cm for AP7662 between the radiator and your body.
Warning: Radiation Exposure Statement (French version, translated): This equipment complies with the ISED radiation exposure limits established for an uncontrolled environment. This equipment must be installed and operated with a minimum distance of 20 cm for AP7662i and 42 cm for AP7662 between the radiation source and your body.

This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna types listed below with the maximum permissible gain indicated. Antenna types not included in this list, having a gain greater than the maximum gain indicated for that type, are strictly prohibited for use with this device.
(French version, translated) This radio transmitter (IC: 4141B-AP3917E/ Model: AP3917e & AP7662) has been approved by ISED to operate with the antenna types listed below and having the maximum permissible gain. Antenna types not included in this list, and whose gain is greater than the maximum gain indicated, are strictly prohibited for operation of the transmitter.
4.9G Antenna for Item 6 and Item 11 will be secondary primary permanent fixed operations use only.

European Waste Electrical and Electronic Equipment (WEEE) Notice
In accordance with Directive 2012/19/EU of the European Parliament on waste electrical and electronic equipment (WEEE):
1 The symbol above indicates that separate collection of electrical and electronic equipment is required.
2 When this product has reached the end of its serviceable life, it cannot be disposed of as unsorted municipal waste. It must be collected and treated separately.
3 It has been determined by the European Parliament that there are potential negative effects on the environment and human health as a result of the presence of hazardous substances in electrical and electronic equipment.
4 It is the user's responsibility to utilize the available collection system to ensure WEEE is properly treated. For information about the available collection system, please contact Extreme Customer Support at +353 61 705500 (Ireland).

Hazardous Substances
This product complies with the requirements of Directive 2011/65/EU of the European Parliament and of the Council of 8 June 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment.

ExtremeWiNG™ Access Points Quick Reference
P/N 37121 AP-7662-680B30-US
P/N 37122 AP-7662-680B30-WR
P/N 37123 AP-7662-680B40-US
P/N 37124 AP-7662-680B40-WR
P/N 9035167-04

Declaration of Conformity in Languages of the European Community
(English) Hereby, Extreme Networks, declares that this Radio LAN device is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC.
(Finnish) The manufacturer Extreme Networks hereby declares that equipment of the Radio LAN device type complies with the essential requirements of Directive 1999/5/EC and the other relevant conditions of the directive.
(Dutch) Extreme Networks hereby declares that the Radio LAN device equipment is in compliance with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
(Dutch, second version) Extreme Networks hereby declares that this Radio LAN device meets the essential requirements and the other relevant provisions of Directive 1999/5/EC.
(French) Extreme Networks hereby declares that the Radio LAN device apparatus complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
(French, second version) Extreme Networks hereby declares that this Radio LAN device complies with the essential requirements and the other provisions of Directive 1999/5/EC that apply to it.
(Swedish) Extreme Networks hereby certifies that this Radio LAN device is in compliance with the essential characteristic requirements and other relevant provisions set out in Directive 1999/5/EC.
(Danish) The undersigned Extreme Networks hereby declares that the following equipment, Radio LAN device, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.
(German) Extreme Networks hereby declares the conformity of the "WLAN Wireless Controller bzw. Access Points" with the essential requirements and the other relevant provisions of Directive 1999/5/EC.
Extreme Networks Radio LAN device
1999/5/
(Icelandic) Extreme Networks hereby declares that this equipment, Radio LAN device, meets all the essential requirements laid down in EU R&TTE Directive No. 1999/5/EC.
(Italian) Extreme Networks hereby declares that this Radio LAN device complies with the essential requirements and other relevant provisions established by Directive 1999/5/EC.
(Spanish) Extreme Networks hereby declares that the Radio LAN device complies with the essential requirements and any other applicable or mandatory provisions of Directive 1999/5/EC.
(Portuguese) Extreme Networks declares that this Radio LAN device complies with the essential requirements and other provisions of Directive 1999/5/EC.
(Maltese) Hereby, Extreme Networks declares that this Radio LAN device complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
1 2 3 4 | WiNG 5.9.1 CLI Reference Guide Part 1 | Users Manual | 5.50 MiB |
WiNG 5.9.1 Access Point, Wireless Controller and Service Platform CLI Reference Guide
Published September 2017
9035205

Copyright 2017 Extreme Networks, Inc. All Rights Reserved.

Legal Notices
Extreme Networks, Inc. reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks
Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information about Extreme Networks trademarks, go to:
www.extremenetworks.com/company/legal/trademarks/
Support For product support, including documentation, visit: www.extremenetworks.com/support/
Contents

ABOUT THIS GUIDE

Chapter 1, INTRODUCTION
1.1 CLI Overview 1-2
1.2 Getting Context Sensitive Help 1-7
1.3 Using the No Command 1-9
1.3.1 Basic Conventions 1-9
1.4 Using CLI Editing Features and Shortcuts 1-9
1.4.1 Moving the Cursor on the Command Line 1-10
1.4.2 Completing a Partial Command Name 1-10
1.4.3 Command Output Pagination 1-11
1.5 Using CLI to Create Profiles and Enable Remote Administration 1-11
1.5.1 Creating Profiles 1-12
1.5.2 Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface 1-13
1.5.3 Enabling Remote Administration 1-14

Chapter 2, USER EXEC MODE COMMANDS
2.1 User Exec Commands 2-2
2.1.1 captive-portal-page-upload 2-4
2.1.2 change-passwd 2-8
2.1.3 clear 2-9
2.1.4 clock 2-20
2.1.5 cluster 2-21
2.1.6 connect 2-22
2.1.7 create-cluster 2-23
2.1.8 crypto 2-24
2.1.9 crypto-cmp-cert-update 2-33
2.1.10 database 2-34
2.1.11 database-backup 2-38
2.1.12 database-restore 2-40
2.1.13 device-upgrade 2-41
2.1.14 disable 2-49
2.1.15 enable 2-50
2.1.16 file-sync 2-51
2.1.17 join-cluster 2-54
2.1.18 l2tpv3 2-56
2.1.19 logging 2-58
2.1.20 mint 2-60
2.1.21 no 2-62
2.1.22 on 2-64
2.1.23 opendns 2-65
2.1.24 page 2-67
2.1.25 ping 2-68
2.1.26 ping6 2-70
2.1.27 ssh 2-71
2.1.28 telnet 2-72
2.1.29 terminal 2-73
2.1.30 time-it 2-74
2.1.31 traceroute 2-75
2.1.32 traceroute6 2-76
2.1.33 virtual-machine 2-77
2.1.34 watch 2-83
2.1.35 exit 2-84

Chapter 3, PRIVILEGED EXEC MODE COMMANDS
3.1 Privileged Exec Mode Commands 3-3
3.1.1 archive 3-6
3.1.2 boot 3-8
3.1.3 captive-portal-page-upload 3-9
3.1.4 cd 3-13
3.1.5 change-passwd 3-14
3.1.6 clear 3-15
3.1.7 clock 3-28
3.1.8 cluster 3-29
3.1.9 configure 3-30
3.1.10 connect 3-31
3.1.11 copy 3-32
3.1.12 cpe 3-33
3.1.13 create-cluster 3-35
3.1.14 crypto 3-37
3.1.15 crypto-cmp-cert-update 3-46
3.1.16 database 3-47
3.1.17 database-backup 3-50
3.1.18 database-restore 3-52
3.1.19 delete
................................................................................................................................................................................................................3-53 3.1.20 device-upgrade ...........................................................................................................................................................................................3-54 3.1.21 diff ..................................................................................................................................................................................................................... 3-60 3.1.22 dir ........................................................................................................................................................................................................................3-61 3.1.23 disable ..............................................................................................................................................................................................................3-62 3.1.24 edit ....................................................................................................................................................................................................................3-63 3.1.25 enable ..............................................................................................................................................................................................................3-64 3.1.26 erase .................................................................................................................................................................................................................3-65 3.1.27 ex3500 
............................................................................................................................................................................................................3-67 3.1.28 factory-reset .................................................................................................................................................................................................3-75 3.1.29 file-sync ...........................................................................................................................................................................................................3-79 3.1.30 halt ....................................................................................................................................................................................................................3-82 3.1.31 join-cluster ......................................................................................................................................................................................................3-83 3.1.32 l2tpv3 ...............................................................................................................................................................................................................3-85 3.1.33 logging .............................................................................................................................................................................................................3-87 3.1.34 mint ...................................................................................................................................................................................................................3-89 3.1.35 mkdir 
.................................................................................................................................................................................................................3-91 3.1.36 more .................................................................................................................................................................................................................3-92 3.1.37 no .......................................................................................................................................................................................................................3-93 3.1.38 on .......................................................................................................................................................................................................................3-95 3.1.39 opendns ..........................................................................................................................................................................................................3-96 3.1.40 page ...............................................................................................................................................................................................................3-100 3.1.41 ping ................................................................................................................................................................................................................... 3-101 3.1.42 ping6 .............................................................................................................................................................................................................. 
3-103 3.1.43 pwd .................................................................................................................................................................................................................3-104 3.1.44 re-elect .......................................................................................................................................................................................................... 3-105 3.1.45 reload .............................................................................................................................................................................................................3-106 3.1.46 rename .............................................................................................................................................................................................................3-111 3.1.47 rmdir .................................................................................................................................................................................................................3-112 Access Point, Wireless Controller and Service Platform CLI Reference Guide ii Contents 3.1.48 self .....................................................................................................................................................................................................................3-113 3.1.49 ssh .................................................................................................................................................................................................................... 
3-114 3.1.50 t5 .......................................................................................................................................................................................................................3-115 3.1.51 telnet .................................................................................................................................................................................................................3-117 3.1.52 terminal ...........................................................................................................................................................................................................3-118 3.1.53 time-it ............................................................................................................................................................................................................. 3-119 3.1.54 traceroute .................................................................................................................................................................................................... 3-120 3.1.55 traceroute6 ....................................................................................................................................................................................................3-121 3.1.56 upgrade ..........................................................................................................................................................................................................3-122 3.1.57 upgrade-abort ............................................................................................................................................................................................ 
3-126 3.1.58 virtual-machine ...........................................................................................................................................................................................3-127 3.1.59 watch ..............................................................................................................................................................................................................3-133 3.1.60 exit .................................................................................................................................................................................................................. 3-134 3.1.61 raid ....................................................................................................................................................................................................................3-135 Chapter 4, GLOBAL CONFIGURATION COMMANDS 4.1 Global Configuration Commands .........................................................................................................................................................................4-4 4.1.1 aaa-policy ............................................................................................................................................................................................................ 4-9 4.1.2 alias .......................................................................................................................................................................................................................4-11 4.1.3 aaa-tacacs-policy ......................................................................................................................................................................................... 
4-20 4.1.4 ap6521 ................................................................................................................................................................................................................4-22 4.1.5 ap6522 ...............................................................................................................................................................................................................4-23 4.1.6 ap6532 ...............................................................................................................................................................................................................4-24 4.1.7 ap6562 ...............................................................................................................................................................................................................4-25 4.1.8 ap71xx ................................................................................................................................................................................................................4-26 4.1.9 ap7502 ...............................................................................................................................................................................................................4-27 4.1.10 ap7522 .............................................................................................................................................................................................................4-28 4.1.11 ap7532 ...............................................................................................................................................................................................................4-29 4.1.12 ap7562 
............................................................................................................................................................................................................. 4-30 4.1.13 ap7602 ..............................................................................................................................................................................................................4-31 4.1.14 ap7612 ...............................................................................................................................................................................................................4-32 4.1.15 ap7622 ..............................................................................................................................................................................................................4-33 4.1.16 ap7632 ............................................................................................................................................................................................................ 
4-34 4.1.17 ap7662 ..............................................................................................................................................................................................................4-35 4.1.18 ap81xx ...............................................................................................................................................................................................................4-36 4.1.19 ap82xx ..............................................................................................................................................................................................................4-37 4.1.20 ap8432 ............................................................................................................................................................................................................4-38 4.1.21 ap8533 ..............................................................................................................................................................................................................4-39 4.1.22 application .................................................................................................................................................................................................... 4-40 4.1.23 application-group ...................................................................................................................................................................................... 
4-48 4.1.24 application-policy .......................................................................................................................................................................................4-55 4.1.25 association-acl-policy ...............................................................................................................................................................................4-78 4.1.26 auto-provisioning-policy .........................................................................................................................................................................4-79 4.1.27 bgp .....................................................................................................................................................................................................................4-81 4.1.28 bonjour-gateway-discovery-policy .....................................................................................................................................................4-83 4.1.29 bonjour-gw-forwarding-policy ............................................................................................................................................................ 
4-90 4.1.30 bonjour-gw-query-forwarding-policy ...............................................................................................................................................4-92 4.1.31 captive portal ................................................................................................................................................................................................4-93 4.1.32 clear ................................................................................................................................................................................................................4-146 4.1.33 client-identity ............................................................................................................................................................................................. 4-147 4.1.34 client-identity-group ............................................................................................................................................................................... 4-156 4.1.35 clone ...............................................................................................................................................................................................................4-164 4.1.36 crypto-cmp-policy ................................................................................................................................................................................... 
4-165 Access Point, Wireless Controller and Service Platform CLI Reference Guide iii Contents 4.1.37 customize .....................................................................................................................................................................................................4-166 4.1.38 database-client-policy ............................................................................................................................................................................ 4-177 4.1.39 database-policy .........................................................................................................................................................................................4-184 4.1.40 device ............................................................................................................................................................................................................ 4-192 4.1.41 device-categorization ..............................................................................................................................................................................4-194 4.1.42 dhcp-server-policy ................................................................................................................................................................................. 
4-200 4.1.43 dhcpv6-server-policy ..............................................................................................................................................................................4-201 4.1.44 dns-whitelist ..............................................................................................................................................................................................4-203 4.1.45 end .................................................................................................................................................................................................................4-208 4.1.46 event-system-policy ..............................................................................................................................................................................4-209 4.1.47 ex3500 ......................................................................................................................................................................................................... 4-226 4.1.48 ex3500-management-policy .............................................................................................................................................................. 4-233 4.1.49 ex3500-qos-class-map-policy ...........................................................................................................................................................4-254 4.1.50 ex3500-qos-policy-map ...................................................................................................................................................................... 4-262 4.1.51 ex3524 ........................................................................................................................................................................................................... 
4-277 4.1.52 ex3548 .......................................................................................................................................................................................................... 4-279 4.1.53 firewall-policy ............................................................................................................................................................................................4-280 4.1.54 global-association-list ............................................................................................................................................................................ 4-282 4.1.55 guest-management ................................................................................................................................................................................ 4-285 4.1.56 host ................................................................................................................................................................................................................ 
4-297 4.1.57 inline-password-encryption ................................................................................................................................................................4-298 4.1.58 ip .....................................................................................................................................................................................................................4-299 4.1.59 ipv6 .................................................................................................................................................................................................................4-301 4.1.60 ipv6-router-advertisement-policy ...................................................................................................................................................4-302 4.1.61 l2tpv3 .............................................................................................................................................................................................................4-320 4.1.62 mac ................................................................................................................................................................................................................ 4-322 4.1.63 management-policy ............................................................................................................................................................................... 4-323 4.1.64 meshpoint ................................................................................................................................................................................................... 4-325 4.1.65 meshpoint-qos-policy ............................................................................................................................................................................ 
4-327 4.1.66 mint-policy ................................................................................................................................................................................................. 4-328 4.1.67 nac-list .......................................................................................................................................................................................................... 4-329 4.1.68 no ................................................................................................................................................................................................................... 4-335 4.1.69 nsight-policy ..............................................................................................................................................................................................4-339 4.1.70 passpoint-policy ......................................................................................................................................................................................4-350 4.1.71 password-encryption .............................................................................................................................................................................. 4-352 4.1.72 profile ............................................................................................................................................................................................................ 4-353 4.1.73 radio-qos-policy ....................................................................................................................................................................................... 4-357 4.1.74 radius-group .............................................................................................................................................................................................. 
4-358
    4.1.75 radius-server-policy  4-359
    4.1.76 radius-user-pool-policy  4-361
    4.1.77 rename  4-362
    4.1.78 replace  4-364
    4.1.79 rf-domain  4-366
    4.1.80 rfs6000  4-403
    4.1.81 rfs4000  4-404
    4.1.82 nx5500  4-405
    4.1.83 nx75xx  4-406
    4.1.84 nx9000  4-407
    4.1.85 roaming-assist-policy  4-408
    4.1.86 role-policy  4-410
    4.1.87 route-map  4-411
    4.1.88 routing-policy  4-412
    4.1.89 rtl-server-policy  4-413
    4.1.90 schedule-policy  4-419
Access Point, Wireless Controller and Service Platform CLI Reference Guide iv Contents
    4.1.91 self  4-426
    4.1.92 sensor-policy  4-427
    4.1.93 smart-rf-policy  4-436
    4.1.94 t5  4-438
    4.1.95 web-filter-policy  4-440
    4.1.96 wips-policy  4-451
    4.1.97 wlan  4-452
    4.1.98 wlan-qos-policy  4-549
    4.1.99 url-filter  4-551
    4.1.100 url-list  4-565
    4.1.101 vx9000  4-571

Chapter 5, COMMON COMMANDS
  5.1 Common Commands  5-2
    5.1.1 clrscr  5-3
    5.1.2 commit  5-4
    5.1.3 exit  5-5
    5.1.4 help  5-6
    5.1.5 no  5-9
    5.1.6 revert  5-12
    5.1.7 service  5-13
    5.1.8 show  5-58
    5.1.9 write  5-60

Chapter 6, SHOW COMMANDS
  6.1 show commands  6-2
    6.1.1 show  6-5
    6.1.2 adoption  6-10
    6.1.3 bluetooth  6-14
    6.1.4 boot  6-16
    6.1.5 bonjour  6-17
    6.1.6 captive-portal  6-18
    6.1.7 captive-portal-page-upload  6-20
    6.1.8 cdp  6-22
    6.1.9 classify-url  6-24
    6.1.10 clock  6-25
    6.1.11 cluster  6-26
    6.1.12 cmp-factory-certs  6-28
    6.1.13 commands  6-29
    6.1.14 context  6-30
    6.1.15 critical-resources  6-31
    6.1.16 crypto  6-32
    6.1.17 database  6-35
    6.1.18 device-upgrade  6-37
    6.1.19 dot1x  6-39
    6.1.20 dpi  6-41
    6.1.21 eguest  6-44
    6.1.22 environmental-sensor  6-45
    6.1.23 event-history  6-48
    6.1.24 event-system-policy  6-49
    6.1.25 ex3500  6-50
    6.1.26 extdev  6-53
    6.1.27 file-sync  6-54
    6.1.28 firewall  6-56
    6.1.29 global  6-60
    6.1.30 gre  6-62
    6.1.31 guest-registration  6-63
    6.1.32 interface  6-71
    6.1.33 ip  6-75
    6.1.34 ip-access-list  6-82
    6.1.35 ipv6  6-84
    6.1.36 ipv6-access-list  6-88
    6.1.37 l2tpv3  6-89
    6.1.38 lacp  6-92
    6.1.39 ldap-agent  6-95
    6.1.40 licenses  6-96
    6.1.41 lldp  6-99
    6.1.42 logging  6-100
    6.1.43 mac-access-list  6-101
    6.1.44 mac-address-table  6-102
    6.1.45 mac-auth  6-103
    6.1.46 mac-auth-clients  6-105
    6.1.47 mint  6-107
    6.1.48 nsight  6-111
    6.1.49 ntp  6-112
    6.1.50 password-encryption  6-114
    6.1.51 pppoe-client  6-115
    6.1.52 privilege  6-116
    6.1.53 radius  6-117
    6.1.54 reload  6-119
    6.1.55 rf-domain-manager  6-120
    6.1.56 role  6-121
    6.1.57 route-maps  6-122
    6.1.58 rtls  6-123
    6.1.59 running-config  6-125
    6.1.60 session-changes  6-132
    6.1.61 session-config  6-133
    6.1.62 sessions  6-134
    6.1.63 site-config-diff  6-135
    6.1.64 smart-rf  6-136
    6.1.65 spanning-tree  6-140
    6.1.66 startup-config  6-142
    6.1.67 t5  6-143
    6.1.68 terminal  6-151
    6.1.69 timezone  6-152
    6.1.70 traffic-shape  6-153
    6.1.71 upgrade-status  6-155
    6.1.72 version  6-156
    6.1.73 vrrp  6-157
    6.1.74 web-filter  6-159
    6.1.75 what  6-161
    6.1.76 wireless  6-162
    6.1.77 wwan  6-185
    6.1.78 virtual-machine  6-186
    6.1.79 raid  6-189

Chapter 7, PROFILES
  7.1 Profile Config Commands  7-7
    7.1.1 adopter-auto-provisioning-policy-lookup  7-11
    7.1.2 adoption  7-13
    7.1.3 alias  7-15
    7.1.4 application-policy  7-22
    7.1.5 area  7-24
    7.1.6 arp  7-25
    7.1.7 auto-learn  7-27
    7.1.8 autogen-uniqueid  7-28
    7.1.9 autoinstall  7-30
    7.1.10 bridge  7-31
    7.1.11 captive-portal  7-62
    7.1.12 cdp  7-63
    7.1.13 cluster  7-64
    7.1.14 configuration-persistence  7-67
    7.1.15 controller  7-68
    7.1.16 critical-resource  7-72
    7.1.17 crypto  7-80
    7.1.18 database  7-143
    7.1.19 device-onboard  7-144
    7.1.20 device-upgrade  7-145
    7.1.21 diag  7-147
    7.1.22 dot1x  7-148
    7.1.23 dpi  7-150
    7.1.24 dscp-mapping  7-153
    7.1.25 eguest-server (VX9000 only)  7-154
    7.1.26 eguest-server (NOC Only)  7-155
    7.1.27 email-notification  7-156
    7.1.28 enforce-version  7-158
    7.1.29 environmental-sensor  7-159
    7.1.30 events  7-161
    7.1.31 export  7-162
    7.1.32 file-sync  7-163
    7.1.33 floor  7-164
    7.1.34 gre  7-165
    7.1.35 http-analyze  7-177
    7.1.36 interface  7-180
    7.1.37 ip  7-348
    7.1.38 ipv6  7-358
    7.1.39 l2tpv3  7-362
    7.1.40 l3e-lite-table  7-364
    7.1.41 led  7-365
    7.1.42 led-timeout  7-366
    7.1.43 legacy-auto-downgrade  7-368
    7.1.44 legacy-auto-update  7-369
    7.1.45 lldp  7-370
    7.1.46 load-balancing  7-372
    7.1.47 logging  7-377
    7.1.48 mac-address-table  7-379
    7.1.49 mac-auth  7-381
    7.1.50 management-server  7-384
    7.1.51 memory-profile  7-385
    7.1.52 meshpoint-device  7-386
    7.1.53 meshpoint-monitor-interval  7-388
    7.1.54 min-misconfiguration-recovery-time  7-389
    7.1.55 mint  7-390
    7.1.56 misconfiguration-recovery-time  7-397
    7.1.57 neighbor-inactivity-timeout  7-398
    7.1.58 neighbor-info-interval  7-399
    7.1.59 no  7-400
    7.1.60 noc  7-402
    7.1.61 nsight  7-403
    7.1.62 ntp  7-408
    7.1.63 otls
7-411 7.1.64 offline-duration .......................................................................................................................................................................................... 7-414 7.1.65 power-config .............................................................................................................................................................................................. 7-415 7.1.66 preferred-controller-group ................................................................................................................................................................... 7-417 7.1.67 preferred-tunnel-controller .................................................................................................................................................................. 7-418 7.1.68 radius ............................................................................................................................................................................................................. 7-419 7.1.69 rf-domain-manager ................................................................................................................................................................................7-420 7.1.70 router ............................................................................................................................................................................................................. 7-421 7.1.71 spanning-tree .............................................................................................................................................................................................. 7-423 7.1.72 traffic-class-mapping ............................................................................................................................................................................. 
7-426 7.1.73 traffic-shape ............................................................................................................................................................................................... 7-428 7.1.74 trustpoint (profile-config-mode) ......................................................................................................................................................7-434 7.1.75 tunnel-controller ....................................................................................................................................................................................... 7-436 7.1.76 use .................................................................................................................................................................................................................. 7-437 7.1.77 vrrp .................................................................................................................................................................................................................7-443 7.1.78 vrrp-state-check ....................................................................................................................................................................................... 7-447 7.1.79 virtual-controller .......................................................................................................................................................................................7-448 7.1.80 wep-shared-key-auth ............................................................................................................................................................................7-450 7.1.81 service ............................................................................................................................................................................................................. 
7-451 7.1.82 zone ............................................................................................................................................................................................................... 7-456 7.2 Device Config Commands .................................................................................................................................................................................. 7-457 7.2.1 adoption-site ................................................................................................................................................................................................7-464 7.2.2 area .................................................................................................................................................................................................................. 7-465 7.2.3 channel-list ...................................................................................................................................................................................................7-466 7.2.4 contact ........................................................................................................................................................................................................... 
7-467 7.2.5 country-code ...............................................................................................................................................................................................7-468 7.2.6 floor .................................................................................................................................................................................................................7-469 7.2.7 geo-coordinates .........................................................................................................................................................................................7-470 7.2.8 hostname ....................................................................................................................................................................................................... 7-471 7.2.9 lacp .................................................................................................................................................................................................................. 7-472 7.2.10 layout-coordinates .................................................................................................................................................................................. 7-473 7.2.11 license ............................................................................................................................................................................................................ 7-474 7.2.12 location ......................................................................................................................................................................................................... 7-477 7.2.13 mac-name ................................................................................................................................................................................................... 
7-478 7.2.14 no .................................................................................................................................................................................................................... 7-479 7.2.15 nsight ............................................................................................................................................................................................................7-480 7.2.16 override-wlan ............................................................................................................................................................................................7-484 7.2.17 remove-override .......................................................................................................................................................................................7-486 7.2.18 rsa-key .......................................................................................................................................................................................................... 7-488 7.2.19 sensor-server .............................................................................................................................................................................................7-489 7.2.20 timezone .....................................................................................................................................................................................................7-490 7.2.21 trustpoint (device-config-mode) ....................................................................................................................................................... 7-491 7.2.22 raid ................................................................................................................................................................................................................ 
7-493 Access Point, Wireless Controller and Service Platform CLI Reference Guide viii Contents 7.3 T5 Profile Config Commands ............................................................................................................................................................................7-494 7.3.1 cpe .................................................................................................................................................................................................................... 7-495 7.3.2 interface ......................................................................................................................................................................................................... 7-497 7.3.3 ip .......................................................................................................................................................................................................................7-499 7.3.4 no .....................................................................................................................................................................................................................7-500 7.3.5 ntp ..................................................................................................................................................................................................................... 7-501 7.3.6 override-wlan .............................................................................................................................................................................................. 7-502 7.3.7 t5 ....................................................................................................................................................................................................................... 
7-503 7.3.8 t5-logging .....................................................................................................................................................................................................7-504 7.3.9 use ...................................................................................................................................................................................................................7-505 7.4 EX3524 & EX3548 Profile/Device Config Commands ............................................................................................................................7-506 7.4.1 interface ......................................................................................................................................................................................................... 7-507 7.4.2 ip ........................................................................................................................................................................................................................7-527 7.4.3 power ............................................................................................................................................................................................................. 7-528 7.4.4 upgrade ......................................................................................................................................................................................................... 7-529 7.4.5 use ................................................................................................................................................................................................................... 
7-530 7.4.6 no .......................................................................................................................................................................................................................7-531 Chapter 8, AAA-POLICY 8.1 aaa-policy ....................................................................................................................................................................................................................... 8-3 8.1.1 accounting ........................................................................................................................................................................................................... 8-4 8.1.2 attribute ............................................................................................................................................................................................................... 8-8 8.1.3 authentication ...................................................................................................................................................................................................8-11 8.1.4 health-check .....................................................................................................................................................................................................8-16 8.1.5 mac-address-format .....................................................................................................................................................................................8-17 8.1.6 no ..........................................................................................................................................................................................................................8-19 8.1.7 proxy-attribute 
................................................................................................................................................................................................8-21 8.1.8 server-pooling-mode ...................................................................................................................................................................................8-22 8.1.9 use .......................................................................................................................................................................................................................8-23 Chapter 9, AUTO-PROVISIONING-POLICY 9.1 auto-provisioning-policy .......................................................................................................................................................................................... 9-4 9.1.1 adopt ..................................................................................................................................................................................................................... 9-5 9.1.2 auto-create-rfd-template .......................................................................................................................................................................... 
9-10 9.1.3 default-adoption .............................................................................................................................................................................................9-12 9.1.4 deny .....................................................................................................................................................................................................................9-13 9.1.5 evaluate-always ..............................................................................................................................................................................................9-16 9.1.6 redirect ...............................................................................................................................................................................................................9-17 9.1.7 upgrade ..............................................................................................................................................................................................................9-21 9.1.8 no .........................................................................................................................................................................................................................9-24 Chapter 10, ASSOCIATION-ACL-POLICY 10.1 association-acl-policy .............................................................................................................................................................................................10-2 10.1.1 deny .....................................................................................................................................................................................................................10-3 10.1.2 no 
.........................................................................................................................................................................................................................10-5 10.1.3 permit ............................................................................................................................................................................................................... 10-6 Chapter 11, ACCESS-LIST 11.1 ip-access-list ..................................................................................................................................................................................................................11-4 11.1.1 deny ....................................................................................................................................................................................................................... 11-5 11.1.2 disable .................................................................................................................................................................................................................11-17 Access Point, Wireless Controller and Service Platform CLI Reference Guide ix Contents 11.1.3 insert .................................................................................................................................................................................................................. 
11-20 11.1.4 no .........................................................................................................................................................................................................................11-22 11.1.5 permit .................................................................................................................................................................................................................11-23 11.2 mac-access-list ......................................................................................................................................................................................................... 11-34 11.2.1 deny ....................................................................................................................................................................................................................11-35 11.2.2 disable ...............................................................................................................................................................................................................11-38 11.2.3 ex3500 ............................................................................................................................................................................................................11-40 11.2.4 insert ................................................................................................................................................................................................................ 11-43 11.2.5 no ....................................................................................................................................................................................................................... 
11-45 11.2.6 permit .............................................................................................................................................................................................................. 11-46 11.3 ipv6-access-list ......................................................................................................................................................................................................... 11-49 11.3.1 deny ................................................................................................................................................................................................................... 11-50 11.3.2 no ....................................................................................................................................................................................................................... 11-56 11.3.3 permit ................................................................................................................................................................................................................11-57 11.4 ip-snmp-access-list ................................................................................................................................................................................................ 11-63 11.4.1 deny ................................................................................................................................................................................................................... 11-64 11.4.2 permit .............................................................................................................................................................................................................. 
11-65 11.4.3 no ....................................................................................................................................................................................................................... 11-66 11.5 ex3500-ext-access-list ......................................................................................................................................................................................... 11-67 11.5.1 deny ................................................................................................................................................................................................................... 11-68 11.5.2 permit .................................................................................................................................................................................................................11-71 11.5.3 no ....................................................................................................................................................................................................................... 11-74 11.6 ex3500-std-access-list ..........................................................................................................................................................................................11-75 11.6.1 deny ................................................................................................................................................................................................................... 
11-76 11.6.2 permit ...............................................................................................................................................................................................................11-77 11.6.3 no ........................................................................................................................................................................................................................11-78 Chapter 12, DHCP-SERVER-POLICY 12.1 dhcp-server-policy ................................................................................................................................................................................................... 12-3 12.1.1 bootp ...................................................................................................................................................................................................................12-4 12.1.2 dhcp-class ........................................................................................................................................................................................................12-5 12.1.3 dhcp-pool .........................................................................................................................................................................................................12-11 12.1.4 dhcp-server .................................................................................................................................................................................................. 12-56 12.1.5 no ...................................................................................................................................................................................................................... 
12-58
12.1.6 option ... 12-59
12.1.7 ping ... 12-60
12.2 dhcpv6-server-policy ... 12-61
12.2.1 dhcpv6-pool ... 12-62
12.2.2 option ... 12-73
12.2.3 restrict-vendor-options ... 12-75
12.2.4 server-preference ... 12-76
12.2.5 no ... 12-77

Chapter 13, FIREWALL-POLICY
13.1 firewall-policy ... 13-3
13.1.1 acl-logging ... 13-4
13.1.2 alg ... 13-5
13.1.3 clamp ... 13-7
13.1.4 dhcp-offer-convert ... 13-8
13.1.5 dns-snoop ... 13-9
13.1.6 firewall ... 13-10
13.1.7 flow ... 13-11

Access Point, Wireless Controller and Service Platform CLI Reference Guide x Contents

13.1.8 ip ... 13-13
13.1.9 ip-mac ... 13-20
13.1.10 ipv6 ... 13-22
13.1.11 ipv6-mac ... 13-26
13.1.12 logging ... 13-28
13.1.13 no ... 13-30
13.1.14 proxy-arp ... 13-32
13.1.15 proxy-nd ... 13-33
13.1.16 stateful-packet-inspection-12 ... 13-34
13.1.17 storm-control ... 13-35
13.1.18 virtual-defragmentation ... 13-37

Chapter 14, MINT-POLICY
14.1 mint-policy ... 14-2
14.1.1 level ... 14-3
14.1.2 lsp ... 14-4
14.1.3 mtu ... 14-5
14.1.4 router ... 14-6
14.1.5 udp ... 14-7
14.1.6 no ... 14-8

Chapter 15, MANAGEMENT-POLICY
15.1 management-policy ... 15-3
15.1.1 aaa-login ... 15-5
15.1.2 allowed-locations ... 15-7
15.1.3 banner ... 15-9
15.1.4 ftp ... 15-10
15.1.5 http ... 15-12
15.1.6 https ... 15-13
15.1.7 idle-session-timeout ... 15-15
15.1.8 ipv6 ... 15-16
15.1.9 no ... 15-18
15.1.10 passwd-entry ... 15-20
15.1.11 privilege-mode-password ... 15-22
15.1.12 rest-server ... 15-24
15.1.13 restrict-access ... 15-25
15.1.14 snmp-server ... 15-28
15.1.15 ssh ... 15-33
15.1.16 t5 ... 15-34
15.1.17 telnet ... 15-36
15.1.18 user ... 15-37
15.1.19 service ... 15-41

Chapter 16, RADIUS-POLICY
16.1 radius-group ... 16-2
16.1.1 guest ... 16-4
16.1.2 policy ... 16-5
16.1.3 rate-limit ... 16-9
16.1.4 no ... 16-10
16.2 radius-server-policy ... 16-12
16.2.1 authentication ... 16-14
16.2.2 bypass ... 16-16
16.2.3 chase-referral ... 16-17
16.2.4 crl-check ... 16-18
16.2.5 ldap-agent ... 16-19
16.2.6 ldap-group-verification ... 16-21
16.2.7 ldap-server ... 16-22
16.2.8 local ... 16-25
16.2.9 nas ... 16-26
16.2.10 no ... 16-28
16.2.11 proxy ... 16-30
16.2.12 session-resumption ... 16-32
16.2.13 termination ... 16-33
16.2.14 use ... 16-34
16.3 radius-user-pool-policy ... 16-35
16.3.1 duration ... 16-36
16.3.2 user ... 16-37
16.3.3 no ... 16-40

Chapter 17, RADIO-QOS-POLICY
17.1 radio-qos-policy ... 17-4
17.1.1 accelerated-multicast ... 17-5
17.1.2 admission-control ... 17-6
17.1.3 no ... 17-10
17.1.4 smart-aggregation ... 17-12
17.1.5 service ... 17-14
17.1.6 wmm ... 17-16

Chapter 18, ROLE-POLICY
18.1 role-policy ... 18-2
18.1.1 default-role ... 18-3
18.1.2 ldap-deadperiod ... 18-5
18.1.3 ldap-query ... 18-6
18.1.4 ldap-server ... 18-7
18.1.5 ldap-timeout ... 18-9
18.1.6 no ... 18-10
18.1.7 user-role ... 18-11

Chapter 19, SMART-RF-POLICY
19.1 smart-rf-policy ... 19-3
19.1.1 area ... 19-4
19.1.2 assignable-power ... 19-5
19.1.3 avoidance-time ... 19-6
19.1.4 channel-list ... 19-8
19.1.5 channel-width ... 19-9
19.1.6 coverage-hole-recovery ... 19-11
19.1.7 enable ... 19-13
19.1.8 group-by ... 19-14
19.1.9 interference-recovery ... 19-15
19.1.10 neighbor-recovery ... 19-17
19.1.11 no ... 19-19
19.1.12 sensitivity ... 19-21
19.1.13 smart-ocs-monitoring ... 19-23

Chapter 20, WIPS-POLICY
20.1 wips-policy ... 20-4
20.1.1 ap-detection ... 20-5
20.1.2 enable ... 20-7
20.1.3 event ... 20-8
20.1.4 history-throttle-duration ... 20-12
20.1.5 interference-event ... 20-13
20.1.6 no ... 20-14
20.1.7 signature ... 20-16
20.1.8 use ... 20-33

Chapter 21, WLAN-QOS-POLICY
21.1 wlan-qos-policy ... 21-2
21.1.1 accelerated-multicast ... 21-3
21.1.2 classification ... 21-5
21.1.3 multicast-mask ... 21-7
21.1.4 no ... 21-8
21.1.5 qos ... 21-9
21.1.6 rate-limit ... 21-10
21.1.7 svp-prioritization ... 21-13
21.1.8 voice-prioritization ... 21-14
21.1.9 wmm ... 21-15

Chapter 22, L2TPV3-POLICY
22.1 l2tpv3-policy-commands ... 22-3
22.1.1 cookie-size ... 22-5
22.1.2 failover-delay ... 22-6
22.1.3 force-l2-path-recovery ... 22-7
22.1.4 hello-interval ... 22-8
22.1.5 no ... 22-9
22.1.6 reconnect-attempts ... 22-10
22.1.7 reconnect-interval ... 22-11
22.1.8 retry-attempts ... 22-12
22.1.9 retry-interval ... 22-13
22.1.10 rx-window-size ... 22-14
22.1.11 tx-window-size ... 22-15
22.2 l2tpv3-tunnel-commands ... 22-16
22.2.1 establishment-criteria ... 22-17
22.2.2 fast-failover ... 22-19
22.2.3 hostname ... 22-20
22.2.4 local-ip-address ... 22-21
22.2.5 mtu ... 22-22
22.2.6 no ... 22-23
22.2.7 peer ... 22-24
22.2.8 router-id ... 22-28
22.2.9 session ... 22-29
22.2.10 use ... 22-31
22.3 l2tpv3-manual-session-commands ... 22-32
22.3.1 local-cookie ... 22-34
22.3.2 local-ip-address ... 22-35
22.3.3 local-session-id ... 22-36
22.3.4 mtu ... 22-37
22.3.5 no ... 22-38
22.3.6 peer ... 22-39
22.3.7 remote-cookie ... 22-40
22.3.8 remote-session-id ... 22-41
22.3.9 traffic-source ... 22-42

Chapter 23, ROUTER-MODE COMMANDS
23.1 router-mode ... 23-2
23.1.1 area ... 23-3
23.1.2 auto-cost ... 23-12
23.1.3 default-information ... 23-13
23.1.4 ip ... 23-14
23.1.5 network ... 23-15
23.1.6 ospf ... 23-16
23.1.7 passive ... 23-17
23.1.8 redistribute ... 23-18
23.1.9 route-limit ... 23-19
23.1.10 router-id ... 23-21
23.1.11 no ... 23-22

Chapter 24, ROUTING-POLICY
24.1 routing-policy-commands ... 24-2
24.1.1 apply-to-local-packets ... 24-3
24.1.2 logging ... 24-4
24.1.3 route-map
......................................................................................................................................................................................................24-5 24.1.4 route-map-mode ........................................................................................................................................................................................24-8 24.1.5 use ................................................................................................................................................................................................................... 24-18 24.1.6 no .................................................................................................................................................................................................................... 24-19 Chapter 25, AAA-TACACS-POLICY 25.1 aaa-tacacs-policy ....................................................................................................................................................................................................25-2 25.1.1 accounting ......................................................................................................................................................................................................25-3 25.1.2 authentication ..............................................................................................................................................................................................25-6 25.1.3 authorization .................................................................................................................................................................................................25-9 25.1.4 no 
......................................................................................................................................................................................................................25-12 Chapter 26, MESHPOINT 26.1 meshpoint-config-instance .................................................................................................................................................................................26-2 26.1.1 allowed-vlans .................................................................................................................................................................................................26-4 26.1.2 beacon-format .............................................................................................................................................................................................26-5 26.1.3 control-vlan ...................................................................................................................................................................................................26-6 26.1.4 data-rates ......................................................................................................................................................................................................26-7 26.1.5 description .................................................................................................................................................................................................... 26-11 26.1.6 force ............................................................................................................................................................................................................... 26-12 26.1.7 meshid ........................................................................................................................................................................................................... 
26-13 26.1.8 neighbor ....................................................................................................................................................................................................... 26-14 26.1.9 no ..................................................................................................................................................................................................................... 26-15 26.1.10 root ............................................................................................................................................................................................................... 26-17 Access Point, Wireless Controller and Service Platform CLI Reference Guide xiv Contents 26.1.11 security-mode ............................................................................................................................................................................................ 26-19 26.1.12 service .........................................................................................................................................................................................................26-20 26.1.13 shutdown .................................................................................................................................................................................................... 26-21 26.1.14 use ................................................................................................................................................................................................................ 26-22 26.1.15 wpa2 ............................................................................................................................................................................................................ 
26-23 26.2 meshpoint-qos-policy-config-instance ...................................................................................................................................................... 26-26 26.2.1 accelerated-multicast ............................................................................................................................................................................ 26-27 26.2.2 no ................................................................................................................................................................................................................... 26-29 26.2.3 rate-limit .....................................................................................................................................................................................................26-30 26.3 meshpoint-device-config-instance .............................................................................................................................................................. 26-34 26.3.1 meshpoint-device .................................................................................................................................................................................... 26-35 26.3.2 meshpoint-device-commands .......................................................................................................................................................... 26-37 Chapter 27, PASSPOINT POLICY 27.1 passpoint-policy ...................................................................................................................................................................................................... 27-2 27.1.1 3gpp ................................................................................................................................................................................................................... 
27-3 27.1.2 access-network-type .................................................................................................................................................................................27-4 27.1.3 connection-capability ................................................................................................................................................................................27-5 27.1.4 domain-name ............................................................................................................................................................................................... 27-7 27.1.5 hessid ...............................................................................................................................................................................................................27-8 27.1.6 internet ............................................................................................................................................................................................................27-9 27.1.7 ip-address-type ......................................................................................................................................................................................... 27-10 27.1.8 nai-realm ........................................................................................................................................................................................................27-12 27.1.9 net-auth-type ..............................................................................................................................................................................................27-18 27.1.10 no ................................................................................................................................................................................................................... 
27-19 27.1.11 operator ....................................................................................................................................................................................................... 27-20 27.1.12 osu ...................................................................................................................................................................................................................27-21 27.1.13 roam-consortium ......................................................................................................................................................................................27-31 27.1.14 venue ............................................................................................................................................................................................................27-32 27.1.15 wan-metrics .............................................................................................................................................................................................. 
27-36 Chapter 28, BORDER GATEWAY PROTOCOL 28.1 bgp-ip-prefix-list-config commands ...............................................................................................................................................................28-2 28.1.1 deny ...................................................................................................................................................................................................................28-4 28.1.2 permit ..............................................................................................................................................................................................................28-5 28.1.3 no .......................................................................................................................................................................................................................28-6 28.2 bgp-ip-access-list-config commands ............................................................................................................................................................28-7 28.2.1 deny ..................................................................................................................................................................................................................28-8 28.2.2 permit .............................................................................................................................................................................................................28-9 28.2.3 no ....................................................................................................................................................................................................................28-10 28.3 bgp-as-path-list-config commands 
...............................................................................................................................................................28-11 28.3.1 deny ................................................................................................................................................................................................................ 28-12 28.3.2 permit ........................................................................................................................................................................................................... 28-13 28.3.3 no .................................................................................................................................................................................................................... 28-14 28.4 bgp-community-list-config commands ..................................................................................................................................................... 28-15 28.4.1 deny .................................................................................................................................................................................................................28-17 28.4.2 permit ........................................................................................................................................................................................................... 28-19 28.4.3 no ................................................................................................................................................................................................................... 28-21 28.5 bgp-extcommunity-list-config commands .............................................................................................................................................. 
28-22 28.5.1 deny ............................................................................................................................................................................................................... 28-23 28.5.2 permit .......................................................................................................................................................................................................... 28-25 28.5.3 no ................................................................................................................................................................................................................... 28-27 Access Point, Wireless Controller and Service Platform CLI Reference Guide xv Contents 28.6 bgp-route-map-config commands ............................................................................................................................................................. 28-28 28.6.1 description ..................................................................................................................................................................................................28-30 28.6.2 match ............................................................................................................................................................................................................ 28-31 28.6.3 no ................................................................................................................................................................................................................... 28-34 28.6.4 set ................................................................................................................................................................................................................. 
28-35 28.7 bgp-router-config commands ....................................................................................................................................................................... 28-39 28.7.1 aggregate-address ................................................................................................................................................................................... 28-41 28.7.2 asn ................................................................................................................................................................................................................. 28-42 28.7.3 bgp ................................................................................................................................................................................................................ 28-43 28.7.4 bgp-route-limit ........................................................................................................................................................................................28-48 28.7.5 distance .......................................................................................................................................................................................................28-49 28.7.6 ip ....................................................................................................................................................................................................................28-50 28.7.7 network ........................................................................................................................................................................................................ 28-51 28.7.8 no ................................................................................................................................................................................................................... 
28-52 28.7.9 route-redistribute ................................................................................................................................................................................... 28-53 28.7.10 timers ......................................................................................................................................................................................................... 28-55 28.8 bgp-neighbor-config commands ................................................................................................................................................................. 28-56 28.8.1 activate ......................................................................................................................................................................................................... 28-59 28.8.2 advertisement-interval .........................................................................................................................................................................28-60 28.8.3 allowas-in .................................................................................................................................................................................................... 28-61 28.8.4 attribute-unchanged ............................................................................................................................................................................. 28-62 28.8.5 capability .................................................................................................................................................................................................... 
28-63 28.8.6 default-originate .....................................................................................................................................................................................28-64 28.8.7 description ................................................................................................................................................................................................. 28-65 28.8.8 disable-connected-check ....................................................................................................................................................................28-66 28.8.9 dont-capability-negotiate ................................................................................................................................................................... 28-67 28.8.10 ebgp-multihop ....................................................................................................................................................................................... 28-68 28.8.11 enforce-multihop ....................................................................................................................................................................................28-69 28.8.12 local-as .......................................................................................................................................................................................................28-70 28.8.13 maximum-prefix ......................................................................................................................................................................................28-71 28.8.14 next-hop-self .......................................................................................................................................................................................... 
28-72 28.8.15 no ................................................................................................................................................................................................................. 28-73 28.8.16 override-capability ............................................................................................................................................................................... 28-74 28.8.17 passive ....................................................................................................................................................................................................... 28-75 28.8.18 password .................................................................................................................................................................................................. 28-76 28.8.19 peer-group ................................................................................................................................................................................................28-77 28.8.20 port ............................................................................................................................................................................................................ 28-78 28.8.21 remote-as ................................................................................................................................................................................................. 28-79 28.8.22 remove-private-as ...............................................................................................................................................................................28-80 28.8.23 route-server-client ................................................................................................................................................................................ 
28-81 28.8.24 send-community .................................................................................................................................................................................. 28-82 28.8.25 shutdown ................................................................................................................................................................................................. 28-83 28.8.26 soft-reconfiguration ............................................................................................................................................................................28-84 28.8.27 strict-capability-match ....................................................................................................................................................................... 28-85 28.8.28 timers ........................................................................................................................................................................................................ 28-86 28.8.29 unsuppress-map ................................................................................................................................................................................... 28-88 28.8.30 update-source ....................................................................................................................................................................................... 28-89 28.8.31 use ...............................................................................................................................................................................................................28-90 28.8.32 weight ........................................................................................................................................................................................................ 
Access Point, Wireless Controller and Service Platform CLI Reference Guide - Contents

Chapter 29, CRYPTO-CMP-POLICY
29.1 crypto-cmp-policy-instance 29-2
29.1.1 ca-server 29-3
29.1.2 cert-key-size 29-5
29.1.3 cert-renewal-timeout 29-6
29.1.4 cross-cert-validate 29-7
29.1.5 subjectAltName 29-8
29.1.6 trustpoint 29-9
29.1.7 use 29-11
29.1.8 no 29-12
29.2 other-cmp-related-commands 29-13
29.2.1 use 29-14
29.2.2 show 29-15

Chapter 30, ROAMING ASSIST POLICY
30.1 roaming-assist-policy-instance 30-2
30.1.1 action 30-3
30.1.2 aggressiveness 30-4
30.1.3 detection-threshold 30-5
30.1.4 disassoc-time 30-6
30.1.5 handoff-count 30-7
30.1.6 handoff-threshold 30-8
30.1.7 monitoring-interval 30-9
30.1.8 sampling-interval 30-10
30.1.9 no 30-11

Appendix A, CONTROLLER MANAGED WLAN USE CASE
A.1 Creating a First Controller Managed WLAN A-1
A.1.1 Assumptions A-1
A.1.2 Design A-2
A.1.3 Using the Command Line Interface to Configure the WLAN A-2

Appendix B, PUBLICLY AVAILABLE SOFTWARE
B.1 General Information B-1
B.2 Open Source Software Used B-2
B.3 OSS Licenses B-15
B.3.1 Apache License, Version 2.0 B-15
B.3.2 The BSD License B-17
B.3.3 Creative Commons Attribution-ShareAlike License, version 3.0 B-18
B.3.4 DropBear License B-23
B.3.5 GNU General Public License, version 2 B-25
B.3.6 GNU GENERAL PUBLIC LICENSE B-26
B.3.7 GNU Lesser General Public License 2.1 B-30
B.3.8 CC0 1.0 Universal B-37
B.3.9 GNU General Public License, version 3 B-39
B.3.10 ISC License B-48
B.3.11 GNU Lesser General Public License, version 3.0 B-48
B.3.12 GNU General Public License 2.0 B-51
B.3.13 GNU Lesser General Public License, version 2.0 B-57
B.3.14 GNU Lesser General Public License, version 2.1 B-63
B.3.15 GNU LESSER GENERAL PUBLIC LICENSE B-65
B.3.16 MIT License B-69
B.3.17 Mozilla Public License, version 2 B-70
B.3.18 The Open LDAP Public License B-74
B.3.19 OpenSSL License B-75
B.3.20 WU-FTPD Software License B-76
B.3.21 zlib License B-77
B.3.22 Python License, Version 2 (Python-2.0) B-78
B.3.23 BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 B-78
B.3.24 CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1) B-79
B.3.25 CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 B-80
B.3.26 Zope Public License (ZPL) Version 2.0 B-81
B.3.27 Zope Public License (ZPL) Version 2.1 B-82

ABOUT THIS GUIDE

This manual supports the following wireless controllers, service platforms, and access points:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8122, AP8132, AP8163, AP8232, AP8432, AP8533

NOTE: In this document AP8122, AP8132, and AP8163 are collectively referred to as AP81XX.

CAUTION: To configure a WE access point, use the WE UI exclusively; do not use the command line interface (CLI) along with it. Similarly, when using the CLI to configure a WE access point, do not use the WE UI along with it.

A simplified version of the WiNG operating system user interface (UI) is available on the following access point and service platform models:

AP6521E, AP6522E, AP6562E, AP7502E, AP7522E, AP7532E, AP7562E, AP7602, AP7612, AP7632, AP7662
NX5500E, NX7510E, and VX9000E

This new WiNG Express (WE) UI simplifies configuration and monitoring of small access point deployments by limiting monitoring, analytics, and configuration capabilities. The WE UI is designed for single-site access point deployments of no more than 24 access points of the same model.

This section is organized into the following topics:
Document Conventions
Notational Conventions
End-User Software License Agreement

Document Conventions

The following conventions are used in this document to draw your attention to important information:
NOTE: Indicates tips or special requirements.

CAUTION: Indicates conditions that can cause equipment damage or data loss.

WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.

Switch Note: Indicates caveats unique to a RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, or NX9600 model controller.

Notational Conventions

The following notational conventions are used in this document:
• Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.
• Bullets (•) indicate:
  - lists of alternatives
  - lists of required steps that are not necessarily sequential
  - action items
• Sequential lists (those describing step-by-step procedures) appear as numbered lists.

Understanding Command Syntax
<variable>

Variables are described with a short description enclosed within a < and a > pair. For example, the command nx9500-6C8809>show interface ge 1 is documented as:

    show interface ge <1-2>

where:
• show is the command; it displays information
• interface is the keyword; it represents the interface type
• <1-2> is the variable; it represents the ge interface index value
|

The pipe symbol. This is used to separate the variables/keywords in a list. For example, the command nx9500-6C8809>show ..... is documented as:

    show [adoption|bluetooth|bonjour|boot|......]

where:
• show is the command; it displays information
• [adoption|bluetooth|bonjour|boot|.......] indicates the different keywords that can be combined with the show command. However, only one of the above options can be used at a time:

    show adoption ...
    show bluetooth ...
    show bonjour ...

[ ]

Of the different keywords and variables listed inside a [ & ] pair, only one can be used. Each choice in the list is separated with a | (pipe) symbol. For example, the command nx9500-6C8809#clear ... is documented as:

    clear [arp-cache|bonjour|cdp|counters|crypto|event-history|firewall|gre|ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp]

where:
• clear is the command
• [arp-cache|bonjour|cdp|counters|crypto|event-history|firewall|gre|ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp] indicates that these keywords are available for this command. However, only one can be used at a time.
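The notation this section documents (<variable>, the | separator, [ ] alternatives, and the { } optional and ( ) recursive groups described with it) is regular enough to check mechanically, which is useful when reviewing a configuration script or a change ticket before it is applied to a controller. The following matcher is an added example written for this guide, not code from the guide or from the WiNG product: it parses a syntax line written exactly as the guide writes it and reports whether a typed command conforms, returning the variable values it captured. It assumes that a <low-high> variable must be an integer in that range, that a ( ) group needs at least one member and accepts each member at most once, and that whitespace separates tokens; the commands and device names used below are taken from the guide's own examples or constructed for illustration.

```python
import re

# Added example, not part of the CLI reference guide.  Node kinds:
#   ('kw', text)   keyword, must be typed exactly as written
#   ('var', name)  <variable>; a "<1-2>" style name is a numeric range
#   ('alt', seqs)  [a|b|c]   exactly one alternative
#   ('opt', seq)   {...}     may be omitted
#   ('set', seqs)  (a,b,c)   any order, each at most once, at least one (assumption)
# A "seq" is a list of nodes.


def parse_pattern(text):
    """Parse a syntax line written in the guide's notation into a node sequence."""
    pos = 0

    def parse_seq(stop):
        nonlocal pos
        seq = []
        while pos < len(text) and text[pos] not in stop:
            c = text[pos]
            if c.isspace():
                pos += 1
            elif c == '<':
                end = text.index('>', pos)
                seq.append(('var', text[pos + 1:end]))
                pos = end + 1
            elif c in '[(':
                closer, sep = (']', '|') if c == '[' else (')', ',')
                pos += 1
                parts = [parse_seq(sep + closer)]
                while text[pos] == sep:
                    pos += 1
                    parts.append(parse_seq(sep + closer))
                pos += 1                      # consume the closing bracket
                seq.append(('alt' if c == '[' else 'set', parts))
            elif c == '{':
                pos += 1
                inner = parse_seq('}')
                pos += 1
                seq.append(('opt', inner))
            else:
                m = re.match(r'[^\s<\[\]{}()|,]+', text[pos:])
                if not m:
                    raise ValueError("malformed pattern at %r" % text[pos:])
                seq.append(('kw', m.group(0)))
                pos += len(m.group(0))
        return seq

    return parse_seq('')


def _var_ok(name, token):
    """A '<low-high>' variable accepts only an integer in that range; others accept any token."""
    m = re.fullmatch(r'(\d+)-(\d+)', name)
    if m:
        return token.isdigit() and int(m.group(1)) <= int(token) <= int(m.group(2))
    return True


def _match_seq(seq, tokens, i, caps):
    """Yield (next_index, captures) for every way `seq` can consume tokens from position i."""
    if not seq:
        yield i, caps
        return
    for j, c in _match_node(seq[0], tokens, i, caps):
        yield from _match_seq(seq[1:], tokens, j, c)


def _match_node(node, tokens, i, caps):
    kind, data = node
    if kind == 'kw':
        if i < len(tokens) and tokens[i] == data:
            yield i + 1, caps
    elif kind == 'var':
        if i < len(tokens) and _var_ok(data, tokens[i]):
            yield i + 1, {**caps, data: tokens[i]}
    elif kind == 'alt':
        for alt in data:                               # exactly one alternative
            yield from _match_seq(alt, tokens, i, caps)
    elif kind == 'opt':
        yield i, caps                                  # optional part omitted
        yield from _match_seq(data, tokens, i, caps)   # optional part present
    else:                                              # 'set'
        yield from _match_set(data, tokens, i, caps, ())


def _match_set(parts, tokens, i, caps, used):
    """Members of a ( ) group in any order, each at most once, at least one present."""
    if used:
        yield i, caps
    for k, part in enumerate(parts):
        if k in used:
            continue
        for j, c in _match_seq(part, tokens, i, caps):
            yield from _match_set(parts, tokens, j, c, used + (k,))


def match_command(pattern, command):
    """Return the captured variables if `command` conforms to `pattern`, else None."""
    seq = parse_pattern(pattern)
    tokens = command.split()
    for j, caps in _match_seq(seq, tokens, 0, {}):
        if j == len(tokens):                           # the whole command must be consumed
            return caps
    return None


if __name__ == "__main__":
    # Commands from the guide's examples; "ap7632-1" is a constructed device name.
    print(match_command("show interface ge <1-2>", "show interface ge 1"))
    print(match_command("show adoption info {on <DEVICE-NAME>}", "show adoption info on ap7632-1"))
    print(match_command("show [adoption|bluetooth|bonjour|boot]", "show adoption bluetooth"))
```

`match_command` returns an empty dictionary for a conforming command that carries no variables and `None` for a non-conforming one, so a script that pre-checks a batch of CLI lines can distinguish "valid but nothing captured" from "rejected". Backtracking through the generators is what makes the ( ) group order-independent; the search is exponential in the number of group members, which is fine for the handful of members a real syntax line has.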
{ }

Any command/keyword/variable or a combination of them inside a { & } pair is optional. All optional commands follow the same conventions as listed above. However, they are displayed italicized. For example, the command nx9500-6C8809>show adoption .... is documented as:

    show adoption info {on <DEVICE-NAME>}

where:
• show adoption info is the command. It can be used on its own:

    show adoption info

  or extended as:

    show adoption info {on <DEVICE-NAME>}

• {on <DEVICE-NAME>} is the keyword, which is optional.

command / keyword

The first word is always a command. Keywords are words that must be entered as is. Commands and keywords are mandatory. For example, the command nx9500-6C8809>show wireless is documented as:

    show wireless

where:
• show is the command
• wireless is the keyword

( )

Any command/keyword/variable or a combination of them inside a ( & ) pair is recursive. All recursive commands can be listed in any order, and each can be used once along with the rest of the commands. For example, the command crypto pki export request generate-rsa-key test autogen-subject-name ... is documented as:

    nx9500-6C8809#crypto pki export request generate-rsa-key test autogen-subject-name (<URL>,email <EMAIL>,fqdn <FQDN>,ip-address <IP>)

where:
• crypto pki export request generate-rsa-key <RSA-KEYPAIR-NAME> autogen-subject-name is the command
• <RSA-KEYPAIR-NAME> is the RSA keypair name (in this example, the keypair name is test), and is a variable
• (<URL>,email <EMAIL>,fqdn <FQDN>,ip-address <IP>) is the set of recursive parameters (separated by commas) that can be used in any order.

End-User Software License Agreement

This document is an agreement (Agreement) between You, the end user, and Extreme Networks, Inc., on behalf of itself and its Affiliates (Extreme) that sets forth your rights and obligations with respect to the Licensed Materials. BY INSTALLING SOFTWARE AND/OR THE LICENSE KEY FOR THE SOFTWARE
(License Key) (collectively, Licensed Software), IF APPLICABLE, COPYING, OR OTHERWISE USING THE LICENSED SOFTWARE AND/OR ANY OF THE LICENSED MATERIALS UNDER THIS AGREEMENT, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE(S) AND THE LIMITATION(S) OF WARRANTY AND DISCLAIMER(S)/LIMITATION(S) OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE LICENSE KEY (IF APPLICABLE) TO EXTREME OR YOUR DEALER, IF ANY, OR DO NOT USE THE LICENSED SOFTWARE AND/OR LICENSED MATERIALS AND CONTACT EXTREME OR YOUR DEALER WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT TO ARRANGE FOR A REFUND. IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT EXTREME, Attn: LegalTeam@extremenetworks.com. 1 DEFINITIONS. Affiliates means any person, partnership, corporation, limited liability company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. Server Application means the software application associated to software authorized for installation (per License Key, if applicable) on one or more of Your servers as further defined in the Ordering Documentation. Client Application shall refer to the application to access the Server Application. Network Device for purposes of this Agreement shall mean a physical computer device, appliance, appliance component, controller, wireless access point, or virtual appliance as further described within the applicable product documentation, which includes the Order Documentation. Licensed Materials means the Licensed Software (including the Server Application and Client Application), Network Device (if applicable), Firmware, media embodying software, and the accompanying documentation. Concurrent User shall refer to any of Your individual employees who You provide access to the Server Application at any one time. 
Firmware refers to any software program or code embedded in chips or other media. Standalone software is software licensed for use independent of any hardware purchase as identified in the Ordering Documentation. Licensed Software collectively refers to the software, including Standalone software, Firmware, Server Application, Client Application or other application licensed with conditional use parameters as defined in the Ordering Documentation. Ordering Documentation shall mean the applicable price quotation, corresponding purchase order, relevant invoice, order acknowledgement, and accompanying documentation or specifications for the products and services purchased, acquired or licensed hereunder from Extreme either directly or indirectly. 2 TERM. This Agreement is effective from the date on which You accept the terms and conditions of this Agreement via click-through, commence using the products and services or upon delivery of the License Key if applicable, and shall be effective until terminated. In the case of Licensed Materials offered on a subscription basis, the term of licensed use shall be as defined within Your Ordering Documentation. 3 GRANT OF LICENSE. Extreme will grant You a non-transferable, non-sublicensable, non-exclusive license to use the Licensed Materials and the accompanying documentation for Your own business purposes subject to the terms and conditions of this Agreement, applicable licensing restrictions, and any term, user server networking device, field of use, or other restrictions as set forth in Your Ordering Documentation. If the Licensed Materials are being licensed on a subscription and/or capacity basis, the applicable term and/or capacity limit of the license shall be specified in Your Ordering Documentation. You may install and use the Licensed Materials as permitted by the license type purchased as described below in License Types. 
The license type purchased is specified on the invoice issued to You by Extreme or Your dealer, if any. YOU MAY NOT USE, COPY, OR MODIFY THE LICENSED MATERIALS, IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT. 4 LICENSE TYPES. Single User, Single Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials as bundled with a single Network Device as identified by a unique serial number for the applicable Term, if and as specified in Your Ordering Documentation, or any replacement for that network device for that same Term, for internal use only. A separate license, under a separate License Agreement, is required for any other network device on which You or another individual, employee or other third party intend to use the Licensed Materials. A separate license under a separate License Agreement is also required if You wish to use a Client license (as described below). Single User, Multiple Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials with a defined amount of Network Devices as defined in the Ordering Documentation. Client. Under the terms of the Client license, the license granted to You by Extreme will authorize You to install the License Key for the Licensed Materials on your server and allow the specific number of Concurrent Users as ordered by you and is set forth in Your Ordering Documentation. A separate license is required for each additional Concurrent User. Standalone. Software or other Licensed Materials licensed to You for use independent of any Network Device. Subscription.
Licensed Materials, and inclusive Software, Network Device or related appliance updates and maintenance services, licensed to You for use during a subscription period as defined in Your applicable Ordering Documentation. Capacity. Under the terms of this license, the license granted to You by Extreme authorizes You to use the Licensed Materials up to the amount of capacity or usage as defined in the Ordering Documentation. 5 AUDIT RIGHTS. You agree that Extreme may audit Your use of the Licensed Materials for compliance with these terms and Your License Type at any time, upon reasonable notice. In the event that such audit reveals any use of the Licensed Materials by You other than in full compliance with the license granted and the terms of this Agreement, Extreme reserves the right to charge You for all reasonable expenses related to such audit in addition to any other liabilities and overages applicable as a result of such non-compliance, including but not limited to additional fees for Concurrent Users, excess capacity or usage over and above those specifically granted to You. From time to time, the Licensed Materials may upload information about the Licensed Materials and the associated usage to Extreme. This is to verify the Licensed Materials are being used in accordance with a valid license and/or entitlement. By using the Licensed Materials, you consent to the transmission of this information. 6 RESTRICTION AGAINST COPYING OR MODIFYING LICENSED MATERIALS. Except as expressly permitted in this Agreement, You may not copy or otherwise reproduce the Licensed Materials. In no event does the limited copying or reproduction permitted under this Agreement include the right to decompile, disassemble, electronically transfer, or reverse engineer the Licensed Materials, including the Licensed Software, or to translate the Licensed Materials into another computer language. 
The media embodying the Licensed Materials may be copied by You, in whole or in part, into printed or machine readable form, in sufficient numbers only for backup or archival purposes, or to replace a worn or defective copy. However, You agree not to have more than two (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Extreme's prior written consent, and in no event shall You operate more copies of the Licensed Software than the specific licenses granted to You. You may not copy or reproduce the documentation. You agree to maintain appropriate records of the location of the original media and all copies of the Licensed Software, in whole or in part, made by You. Any portion of the Licensed Software included in any such modular work shall be used only on a single computer for internal purposes and shall remain subject to all the terms and conditions of this Agreement. You agree to include any copyright or other proprietary notice set forth on the label of the media embodying the Licensed Software on any copy of the Licensed Software in any form, in whole or in part, or on any modification of the Licensed Software or any such modular work containing the Licensed Software or any part thereof. 7 TITLE AND PROPRIETARY RIGHTS a The Licensed Materials are copyrighted works and are the sole and exclusive property of Extreme, any company or a division thereof which Extreme controls or is controlled by, or which may result from the merger or consolidation with Extreme (its Affiliates), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights.
You shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion thereof, to any other party. b You further acknowledge that in the event of a breach of this Agreement, Extreme shall suffer severe and irreparable damages for which monetary compensation alone will be inadequate. You therefore agree that in the event of a breach of this Agreement, Extreme shall be entitled to monetary damages and its reasonable attorneys' fees and costs in enforcing this Agreement, as well as injunctive relief to restrain such breach, in addition to any other remedies available to Extreme. 8 PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your employees and agents may have access to private or confidential information owned or controlled by Extreme relating to the Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or agents under this Agreement or in contemplation hereof shall be and shall remain Extreme's exclusive property, and You shall use all commercially reasonable efforts to keep, and have your employees and agents keep, any and all such information and data confidential, and shall not copy, publish, or disclose it to others, without Extreme's prior written approval, and shall return such information and data to Extreme at its request. Nothing herein shall limit your use or dissemination of information not actually derived from Extreme or of information which has been or subsequently is made public by Extreme, or a third party having authority to do so.
You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Extreme or its employees, except for purposes specifically related to your use of the Licensed Materials on a single computer as expressly provided in this Agreement, without the prior written consent of Extreme. You acknowledge that the Licensed Materials contain valuable confidential information and trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Extreme or its Affiliates and/or its/their software suppliers. 9 MAINTENANCE AND UPDATES. Except as otherwise defined below, updates and certain maintenance and support services, if any, shall be provided to You pursuant to the terms of an Extreme Service and Maintenance Agreement, if Extreme and You enter into such an agreement. Except as specifically set forth in such agreement, Extreme shall not be under any obligation to provide updates, modifications, or enhancements, or maintenance and support services for the Licensed Materials to You. If you have purchased Licensed Materials on a subscription basis then the applicable service terms for Your Licensed Materials are as provided in Your Ordering Documentation. Extreme will perform the maintenance and updates in a timely and professional manner, during the Term of Your subscription, using qualified and experienced personnel. You will cooperate in good faith with Extreme in the performance of the support services including, but not limited to, providing Extreme with: (a) access to the Extreme Licensed Materials (and related systems); and (b) reasonably requested assistance and information.
Further information about the applicable maintenance and updates terms can be found on Extreme's website at http://www.extremenetworks.com/company/legal/terms-of-support 10 DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this Agreement, including a failure to pay any sums due to Extreme, or in the event that you become insolvent or seek protection, voluntarily or involuntarily, under any bankruptcy law, Extreme may, in addition to any other remedies it may have under law, terminate the License and any other agreements between Extreme and You. a Immediately after any termination of the Agreement, Your licensed subscription term, or if You have for any reason discontinued use of Licensed Materials, You shall return to Extreme the original and any copies of the Licensed Materials and remove the Licensed Materials, including any Licensed Software, from any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned to Extreme. b Sections 1, 7, 8, 10, 11, 12, 13, 14 and 15 shall survive termination of this Agreement for any reason. 11 EXPORT REQUIREMENTS. You are advised that the Licensed Materials, including the Licensed Software, are of United States origin and subject to United States Export Administration Regulations; diversion contrary to United States law and regulation is prohibited.
You agree not to directly or indirectly export, import or transmit the Licensed Materials, including the Licensed Software to any country, end user or for any Use that is prohibited by applicable United States regulation or statute (including but not limited to those countries embargoed from time to time by the United States government); or contrary to the laws or regulations of any other governmental entity that has jurisdiction over such export, import, transmission or Use. 12 UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private expense; (ii) contain restricted computer software submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Extreme and/or its suppliers. For Department of Defense units, the Licensed Materials are considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein. 13 LIMITED WARRANTY AND LIMITATION OF LIABILITY. Extreme warrants to You that (a) the initially-shipped version of the Licensed Materials will materially conform to the Documentation; and (b) the media on which the Licensed Software is recorded will be free from material defects for a period of ninety (90) days from the date of delivery to You or such other minimum period required under applicable law. Extreme does not warrant that Your use of the Licensed Materials will be error-free or uninterrupted. NEITHER EXTREME NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED "AS IS". THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. IN NO EVENT WILL EXTREME OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED MATERIALS, TO ANY PARTY EVEN IF EXTREME OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL EXTREME OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS. Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited warranty gives You specific legal rights, and You may also have other rights which vary from state to state. 14 JURISDICTION.
The rights and obligations of the parties to this Agreement shall be governed and construed in accordance with the laws and in the State and Federal courts of the State of California, without regard to its rules with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. None of the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.

15 FREE AND OPEN SOURCE SOFTWARE. Portions of the Software (Open Source Software) provided to you may be subject to a license that permits you to modify these portions and redistribute the modifications (an Open Source License). Your use, modification and redistribution of the Open Source Software are governed by the terms and conditions of the applicable Open Source License. More details regarding the Open Source Software and the applicable Open Source Licenses are available at www.extremenetworks.com/services/SoftwareLicensing.aspx. Some of the Open Source software may be subject to the GNU General Public License v.x (GPL) or the Lesser General Public Library (LGPL), copies of which are provided with the Licensed Materials and are further available for review at www.extremenetworks.com/services/SoftwareLicensing.aspx, or upon request as directed herein. In accordance with the terms of the GPL and LGPL, you may request a copy of the relevant source code. See the Software Licensing web site for additional details. This offer is valid for up to three years from the date of original download of the software.

16 GENERAL.

a This Agreement is the entire agreement between Extreme and You regarding the Licensed Materials, and all prior agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and canceled.

b This Agreement may not be changed or amended except in writing signed by both parties hereto.
c You represent that You have full right and/or authorization to enter into this Agreement.

d This Agreement shall not be assignable by You without the express written consent of Extreme. The rights of Extreme and Your obligations under this Agreement shall inure to the benefit of Extreme assignees, licensors, and licensees.

e Section headings are for convenience only and shall not be considered in the interpretation of this Agreement.

f The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall nevertheless be binding on and enforceable by and between the parties hereto.

g Extreme's waiver of any right shall not constitute waiver of that right in future. This Agreement constitutes the entire understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations, statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall supersede this Agreement.

h Should You have any questions regarding this Agreement, You may contact Extreme at the address set forth below. Any notice or other communication to be sent to Extreme must be mailed by certified mail to the following address:
Extreme Networks, Inc.
16480 Via Del
San Jose, CA 95119
United States
Tel: +1 408-579-2800
Toll-free: +1 888-257-3000

1 INTRODUCTION

This chapter describes the commands available within a device's Command Line Interface (CLI) structure. CLI is available for wireless controllers, access points (APs), and service platforms. Access the CLI by using:
- A terminal emulation program running on a computer connected to the serial port on the device (access point, wireless controller, and service platform).
- A Telnet session through Secure Shell (SSH) over a network.

Configuration for connecting to a Controller using a terminal emulator

If connecting through the serial port, use the following settings to configure your terminal emulator:

Bits Per Second   19200 (for AP8533, AP8432, AP7662, AP7632, AP7622, AP7612, AP7602, AP7502, AP7522, AP7532, AP7562, AP6521, AP6522, AP6532, AP6562 model access points, set this value to 115200)
Data Bits         8
Parity            None
Stop Bit          1
Flow Control      None

When a CLI session is established, complete the following:

login as: <username>
administrator's login password: <password>
User Credentials

Use the following credentials when logging into a device for the first time:

User Name   Password
admin       admin123

When logging into the CLI for the first time, you are prompted to change the password.

Examples in this reference guide

Examples used in this reference guide are generic to each supported wireless controller, service platform, and AP model. Commands that are not common are identified using the notation "Supported in the following platforms:". For an example, see below:

Supported in the following platforms:
- Wireless Controller RFS6000

The above example indicates the command is only available for an RFS6000 model wireless controller.

This chapter is organized into the following sections:
- CLI Overview
- Getting Context Sensitive Help
- Using the No Command
- Using CLI Editing Features and Shortcuts
- Using CLI to Create Profiles and Enable Remote Administration

1.1 CLI Overview

The CLI is used for configuring, monitoring, and maintaining the network. The user interface allows you to execute commands on supported wireless controllers, service platforms, and APs, using either a serial console or a remote access method.

This chapter describes basic CLI features. Topics covered include an introduction to command modes, navigation and editing features, help features and command history.

The CLI is segregated into different command modes. Each mode has its own set of commands for configuration, maintenance, and monitoring. The commands available at any given time depend on the mode you are in, and to a lesser extent, the particular model used. Enter a question mark (?) at the system prompt to view a list of commands available for each command mode/instance.

Use specific commands to navigate from one command mode to another. The standard order is: USER EXEC mode, PRIV EXEC mode and GLOBAL CONFIG mode.

Command Modes

Figure 1-1 Hierarchy of User Modes

A session generally begins in the USER EXEC mode (one of the two access levels of the EXEC mode). For security, only a limited subset of EXEC commands are available in the USER EXEC mode. This level is reserved for tasks that do not change the device's (wireless controller, service platform, or AP) configuration.

rfs6000-6DB5D4>

The system prompt signifies the device name and the last three bytes of the device MAC address.

To access commands, enter the PRIV EXEC mode (the second access level for the EXEC mode). Once in the PRIV EXEC mode, enter any EXEC command. The PRIV EXEC mode is a superset of the USER EXEC mode.

rfs6000-6DB5D4>enable
rfs6000-6DB5D4#

Most of the USER EXEC mode commands are one-time commands and are not saved across device reboots. Save the command by executing the commit command. For example, the show command displays the current configuration and the clear command clears the interface.

Access the GLOBAL CONFIG mode from the PRIV EXEC mode. In the GLOBAL CONFIG mode, enter commands that set general system characteristics. Configuration modes allow you to change the running configuration. If you save the configuration later, these commands are stored across device reboots.

Access a variety of protocol specific (or feature-specific) modes from the global configuration mode. The CLI hierarchy requires you to access specific configuration modes only through the global configuration mode.

rfs6000-6DB5D4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-6DB5D4(config)#

You can also access sub-modes from the global configuration mode. Configuration sub-modes define specific features within the context of a configuration mode.

rfs6000-6DB5D4(config)#aaa-policy test
rfs6000-6DB5D4(config-aaa-policy-test)#
The following table summarizes available CLI commands:

Table 1.1 Controller CLI Modes and Commands

User Exec Mode:
captive-portal-page-upload, change-passwd, clear, clock, cluster, commit, connect, create-cluster, crypto, crypto-cmp-cert-update, database, database-backup, database-restore, debug, device-upgrade, disable, enable, file-sync, help, join-cluster, l2tpv3, logging, mint, no, on, opendns, page, ping, ping6, revert, service, show, ssh, telnet, terminal, time-it, traceroute, traceroute6, virtual-machine (supported only on NX9500, NX9600, and VX9000), watch, write, clrscr, exit

Priv Exec Mode:
archive, boot, captive-portal-page-upload, cd, change-passwd, clear, clock, cluster, commit, configure, connect, copy, cpe (RFS4000, RFS6000, NX9500, NX9600, VX9000), create-cluster, crypto, crypto-cmp-cert-update, database, database-backup, database-restore, debug, delete, device-upgrade, diff, dir, disable, edit, enable, erase, ex3500, factory-reset, file-sync, halt, help, join-cluster, l2tpv3, logging, mint, mkdir, more, no, on, opendns, page, ping, ping6, pwd, raid (supported only on NX9500 and NX7530), re-elect, reload, remote-debug, rename, revert, rmdir, self, service, show, ssh, t5 (supported only on RFS4000, RFS6000, NX9500, NX9600, and VX9000), telnet, terminal, time-it, traceroute, traceroute6, upgrade, upgrade-abort, virtual-machine (supported only on NX9500, NX9600, and VX9000), watch, write, clrscr, exit

Global Configuration Mode:
aaa-policy, aaa-tacacs-policy, alias, ap6521, ap6522, ap6532, ap6562, ap7161, ap7502, ap7522, ap7532, ap7562, ap7602, ap7612, ap7622, ap7632, ap7662, ap81xx (ap8122, ap8132, ap8163), ap8232, ap8432, ap8533, application, application-group, application-policy, association-acl-policy, auto-provisioning-policy, bgp, bonjour-gw-discovery-policy, bonjour-gw-forwarding-policy, bonjour-gw-query-forwarding-policy, captive-portal, clear, client-identity, client-identity-group, clone, crypto-cmp-policy, customize, database-client-policy (supported only on VX9000), database-policy (supported only on NX9500, NX9600, and VX9000), device, device-categorization, dhcp-server-policy, dhcp6-server-policy, dns-whitelist, event-system-policy, ex3500, ex3500-management-policy, ex3500-qos-class-map-policy, ex3500-qos-policy-map, ex3524, ex3548, firewall-policy, global-association-list, guest-management, help, host, igmp-snoop-policy (this command has been deprecated; IGMP snooping is now configurable under the profile/device configuration mode, see ip), inline-password-encryption, ip, ipv6, ipv6-router-advertisement-policy, l2tpv3, mac, management-policy, meshpoint, meshpoint-qos-policy, mint-policy, nac-list, no, nsight-policy, nx5500 (supported only on NX9500, NX9600, VX9000), nx75xx (supported only on NX9500, NX9600, VX9000), nx9000 (supported only on NX9500, NX9600, VX9000), nx9600 (supported only on NX9600), passpoint-policy, password-encryption, profile, radio-qos-policy, radius-group, radius-server-policy, radius-user-pool-policy, rename, replace, rf-domain, rfs4000, rfs6000, roaming-assist-policy, role-policy, route-map, routing-policy, rtl-server-policy, schedule-policy, self, sensor-policy, smart-rf-policy, t5 (supported only on RFS4000, RFS6000, NX9500, NX9600, VX9000), url-filter (supported only on NX9500, NX9600, VX9000), url-list (supported only on NX9500, NX9600, VX9000), vx9000 (supported only on NX9500, NX9600, VX9000), web-filter-policy, wips-policy, wlan, wlan-qos-policy, write, clrscr, commit, do, end, exit, revert, service, show

1.2 Getting Context Sensitive Help

Enter a question mark (?) at the system prompt to display a list of commands available for each mode. Obtain a list of arguments and keywords for any command using the CLI context-sensitive help.

Use the following commands to obtain help specific to a command mode, command name, keyword or argument:
Command                                  Description
(prompt)#help                            Displays a brief description of the help system
(prompt)#abbreviated-command-entry?      Lists commands in the current mode that begin with a particular character string
(prompt)#abbreviated-command-entry[TAB]  Completes a partial command name
(prompt)#?                               Lists all commands available in the command mode
(prompt)#command ?                       Lists the available syntax options (arguments and keywords) for the command
(prompt)#command keyword ?               Lists the next available syntax option for the command

NOTE: The system prompt varies depending on the configuration mode.

NOTE: Enter Ctrl + V to use ? as a regular character and not as a character used for displaying context sensitive help. This is required when the user has to enter a URL that ends with a ?.

NOTE: The escape character used throughout the CLI is \. To enter a "\", use "\\" instead.

When using context-sensitive help, the space (or lack of a space) before the question mark (?) is significant. To obtain a list of commands that begin with a particular sequence, enter the characters followed by a question mark (?). Do not include a space. This form of help is called word help, because it completes a word.

rfs6000-6DB5D4#service?
service  Service Commands
rfs6000-6DB5D4#service

Enter a question mark (?) (in place of a keyword or argument) to list keywords or arguments. Include a space before the ?. This form of help is called command syntax help. It shows the keywords or arguments available based on the command/keyword and argument already entered.

rfs6000-6DB5D4#service ?
  block-adopter-config-update       Block configuration updates from the
  bluetooth                         Bluetooth service commands
  clear                             Clear adoption history
  cli-tables-skin                   Choose a formatting layout/skin for CLI tabular outputs (EXPERIMENTAL-Applies only to certain commands)
  cluster                           Cluster Protocol
  copy                              Copy files or directories
  delete                            Delete sessions
  delete-offline-aps                Delete Access Points that are configured but offline
  force-send-config                 Resend configuration to the device
  force-update-vm-stats             Force VM statistics to be pushed up to the NOC
  load-balancing                    Wireless load-balancing service commands
  load-ssh-authorized-keys          Load Ssh authorized keys
  locator                           Enable leds flashing on the device
  mint                              MiNT protocol
  pktcap                            Start packet capture
  pm                                Process Monitor
  radio                             Radio parameters
  radius                            Radius test
  request-full-config-from-adopter  Request full configuration from the adopter
  set                               Set global options
  show                              Show running system information
  signal                            Send a signal to a process
  smart-rf                          Smart-RF Management Commands
  snmp                              Snmp
  ssm                               Command related to ssm
  start-shell                       Provide shell access
  syslog                            Syslog service
  trace                             Trace a process for system calls and signals
  troubleshoot                      Troubleshooting
  wireless                          Wireless commands
rfs6000-6DB5D4#
It is possible to abbreviate commands and keywords, as long as the abbreviation is unique. For example, configure terminal can be abbreviated as config t. Since the abbreviated command is unique, the controller accepts the abbreviation and executes the command.

Enter the help command (available in any command mode) to provide the following description:

rfs6000-6DB5D4>help
When using the CLI, help is provided at the command line when typing '?'.
If no help is available, the help content will be empty. Backup until
entering a '?' shows the help content.
There are two styles of help provided:
1. Full help. Available when entering a command argument (e.g. 'show ?').
   This will describe each possible argument.
2. Partial help. Available when an abbreviated argument is entered. This
   will display which arguments match the input (e.g. 'show ve?').
rfs6000-6DB5D4>
1.3 Using the No Command

Almost every command has a no form. Use no to disable a feature or function or return it to its default. Use the command without the no keyword to re-enable a disabled feature.

1.3.1 Basic Conventions

Keep the following conventions in mind while working within the CLI structure:

- Use ? at the end of a command to display the sub-modes (keywords) associated with the command. Type the first few characters of the required sub-mode and press the tab key to auto-fill. Continue using ? until you reach the last sub-mode.
- Pre-defined CLI commands and keywords are case-insensitive: cfg = Cfg = CFG. However (for clarity), CLI commands and keywords are displayed (in this guide) using mixed case. For example, apPolicy, trapHosts, channelInfo. Enter commands in uppercase, lowercase, or mixed case. Only passwords are case sensitive.

1.4 Using CLI Editing Features and Shortcuts

A variety of shortcuts and edit features are available. The following sections describe these features:
- Moving the Cursor on the Command Line
- Completing a Partial Command Name
- Command Output Pagination

1.4.1 Moving the Cursor on the Command Line

The following table shows the key combinations or sequences to move the command line cursor. Ctrl defines the control key, which must be pressed simultaneously with its associated letter key. Esc means the escape key (which must be pressed first), followed by its associated letter key. Keys are not case sensitive. Specific letters are used to provide an easy way of remembering their functions.

Table 1.2 Keystrokes Details

Function Summary    Keystrokes             Function Details
Back character      Left Arrow or Ctrl-B   Moves the cursor one character to the left. When entering a command that extends beyond a single line, press the Left Arrow or Ctrl-B keys repeatedly to move back to the system prompt.
Forward character   Right Arrow or Ctrl-F  Moves the cursor one character to the right
Back word           Esc-B                  Moves the cursor back one word
Forward word        Esc-F                  Moves the cursor forward one word
Beginning of line   Ctrl-A                 Moves the cursor to the beginning of the command line
End of line         Ctrl-E                 Moves the cursor to the end of the command line
                    Ctrl-D                 Deletes the current character
                    Ctrl-U                 Deletes text up to cursor
                    Ctrl-K                 Deletes from the cursor to end of the line
                    Ctrl-P                 Obtains the prior command from memory
                    Ctrl-N                 Obtains the next command from memory
                    Esc-C                  Converts the letter at the cursor to uppercase
                    Esc-L                  Converts the letter at the cursor to lowercase
                    Esc-D                  Deletes the remainder of a word
                    Ctrl-W                 Deletes the word up to the cursor
                    Ctrl-Z                 Returns to the root prompt
                    Ctrl-T                 Transposes the character to the left of the cursor with the character located at the cursor
                    Ctrl-L                 Clears the screen

1.4.2 Completing a Partial Command Name

If you cannot remember a command name (or if you want to reduce the amount of typing you have to perform), enter the first few letters of a command, then press the Tab key. The command line parser completes the command if the string entered is unique to the command mode. If your keyboard does not have a Tab key, press Ctrl-L.

The CLI recognizes a command once you have entered enough characters to make the command unique. If you enter conf within the privileged EXEC mode, the CLI associates the entry with the configure command, since only the configure command begins with conf.

In the following example, the CLI recognizes a unique string in the privileged EXEC mode when the Tab key is pressed:
rfs6000-6DB5D4#conf[TAB]
rfs6000-6DB5D4#configure

When using the command completion feature, the CLI displays the full command name. The command is not executed until the [Return] or [Enter] key is pressed. Modify the command if the full command was not what you intended in the abbreviation. If entering a set of characters (indicating more than one command), the system lists all commands beginning with that set of characters.

Enter a question mark (?) to obtain a list of commands beginning with a particular set of characters. Do not leave a space between the last letter and the question mark (?). In the following example, all commands, available in the current context, starting with the characters co are listed:

rfs6000-6DB5D4#co?
  commit     Commit all changes made in this session
  configure  Enter configuration mode
  connect    Open a console connection to a remote device
  copy       Copy from one file to another
rfs6000-6DB5D4#
NOTE: The characters entered before the question mark are reprinted to the screen to complete the command entry.

1.4.3 Command Output Pagination

Output often extends beyond the visible screen length. For cases where output continues beyond the screen, the output is paused and a

--More--

prompt displays at the bottom of the screen. To resume the output, press the [Enter] key to scroll down one line or press the Spacebar to display the next full screen of output.

1.5 Using CLI to Create Profiles and Enable Remote Administration

The following sections describe the following essential procedures:

- Creating Profiles
- Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface
- Enabling Remote Administration

1.5.1 Creating Profiles

Profiles are a template representation of configuration. The system has:

- a default profile for each of the following devices:
  - RFS4000, RFS6000
- a default profile for each of the following service platforms:
  - NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
- a default profile for each of the following access points:
  - AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

You can modify a default profile. In the following example, an IP address is assigned to the management port on the default RFS6000 profile.

rfs6000-6DB5D4(config)#profile rfs6000 default-rfs6000
rfs6000-6DB5D4(config-profile-default-rfs6000)#interface me1
rfs6000-6DB5D4(config-profile-default-rfs6000-if-me1)#ip address 172.16.10.2/24
rfs6000-6DB5D4(config-profile-default-rfs6000-if-me1)#commit
rfs6000-6DB5D4(config-profile-default-rfs6000)#exit
rfs6000-6DB5D4(config)#
The following command displays a default AP7562 profile configuration:

rfs6000-6DB5D4(config-profile-default-ap7562)#show context
profile ap7562 default-ap7562
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface radio1
  placement outdoor
 interface radio2
  placement outdoor
 interface ge1
 interface ge2
 interface vlan1
  ip address dhcp
  ip address zeroconf secondary
  ip dhcp client request options all
--More--
rfs6000-6DB5D4(config-profile-default-ap7562)#
1.5.2 Changing the default profile by creating vlan 150 and mapping to ge3 Physical interface

Log on to the controller in config mode and follow the procedure below:

rfs6000-6DB5D4(config-profile-default-rfs6000)#interface vlan 150
rfs6000-6DB5D4(config-profile-default-rfs6000-if-vlan150)#ip address 192.168.150.20/24
rfs6000-6DB5D4(config-profile-default-rfs6000-if-vlan150)#exit
rfs6000-6DB5D4(config-profile-default-rfs6000)#interface ge 3
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#switchport access vlan 150
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#commit write
Please Wait .
[OK]
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#show interface vlan 150
Interface vlan150 is UP
  Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-81-74-2D
  Index: 6, Metric: 1, MTU: 1500
  IP-Address: 192.168.150.20/24
    input packets 0, bytes 0, dropped 0, multicast packets 0
    input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
    output packets 2, bytes 140, dropped 0
    output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
    collisions 0
  IPv6 mode is disabled
rfs6000-6DB5D4(config-profile-default-rfs6000-if-ge3)#
1.5.2.1 Viewing Configured APs

To view previously configured APs, enter the following command:

rfs6000-6DB5D4>show wireless ap configured
--------------------------------------------------------------------------------
IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
--------------------------------------------------------------------------------
1    ap7532-80C2AC  84-24-8D-80-C2-AC  default-ap7532  TechPubs   00-15-70-81-74-2D
2    ap8132-74B45C  B4-C7-99-74-B4-5C  default-ap81xx  TechPubs   00-15-70-81-74-2D
3    ap7522-8330A4  84-24-8D-83-30-A4  default-ap7522  default    00-15-70-81-74-2D
4    ap8132-711728  B4-C7-99-71-17-28  default-ap81xx  TechPubs   00-15-70-81-74-2D
5    ap8533-9A12DB  74-67-F7-9A-12-DB  default-ap8533  default    un-adopted
6    ap7562-84A224  84-24-8D-84-A2-24  default-ap7562  TechPubs   00-15-70-81-74-2D
--------------------------------------------------------------------------------
rfs6000-6DB5D4>
1.5.3 Enabling Remote Administration

A terminal server may function in remote administration mode if either the terminal services role is not installed on the machine or the client used to invoke the session has enabled the admin controller.

- A terminal emulation program running on a computer connected to the serial port on the controller. The serial port is located on the front of the controller.
- A Telnet session through a Secure Shell (SSH) over a network. The Telnet session may or may not use SSH depending on how the controller is configured. It is recommended you use SSH for remote administration tasks.

This section is organized into the following subsections:

- Configuring Telnet for Management Access
- Configuring SSH for Management Access

1.5.3.1 Configuring Telnet for Management Access

To enable Telnet for management access, use the serial console to log in to the device and perform the following:

1 The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC mode). Access the PRIV EXEC mode from the USER EXEC mode.

rfs6000-6DB5D4>en
rfs6000-6DB5D4#

2 Access the GLOBAL CONFIG mode from the PRIV EXEC mode.

rfs6000-6DB5D4>en
rfs6000-6DB5D4#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-6DB5D4(config)#

3 Go to default-management-policy mode.

rfs6000-6DB5D4(config)#management-policy ?
  MANAGEMENT  Name of the management policy to be configured (will be created if it does not exist)
rfs6000-6DB5D4(config)#management-policy default
rfs6000-6DB5D4(config-management-policy-default)#

4 Enter Telnet and the port number at the command prompt. Note, the port number is optional. If you do not specify the port, the system, by default, assigns port 23 for Telnet. Commit your changes. Telnet is enabled.

rfs6000-6DB5D4(config-management-policy-default)#telnet
rfs6000-6DB5D4(config-management-policy-default)#commit write
rfs6000-6DB5D4(config-management-policy-default)#end
rfs6000-6DB5D4#exit

5 Connect to the controller through Telnet using its configured IP address. If logging in for the first time, use the following credentials:

User Name   Password
admin       admin123

At the first-time login instance, you will be prompted to change the password. Set a new password.

6 On subsequent logins, to change the password, access the default management-policy configuration mode and enter the username, new password, role, and access details.

rfs6000-6DB5D4(config-management-policy-default)#user testuser password test@123 role helpdesk access all
rfs6000-6DB5D4(config-management-policy-default)#commit
rfs6000-6DB5D4(config-management-policy-default)#show context
management-policy default
 telnet
 http server
 https server
 no ftp
 ssh
 user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all
 user testuser password 1 32472f01757293a181738674bdf068ffe0b777ce145524fc669278820ab582c0 role helpdesk access all
 snmp-server community 2 uktRccdr9eLoByF5PCSuFAAAAAeB78WhgTbSKDi96msyUiW+ rw
 snmp-server community 2 Ne+R15zlwEdhybKxfbd6JwAAAAZzvrLGzU/xWXgwFtwF5JdD ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 WUTBNiUi7tL4ZbU2I7Eh/QAAAAiDhBZTln0UIu+y/W6E/0tR
 snmp-server user snmpmanager v3 encrypted des auth md5 2 9Fva4fYV1WL4ZbU2I7Eh/QAAAAjdvbWANBNw+We/xHkH9kLi
 no https use-secure-ciphers-only
rfs6000-6DB5D4(config-management-policy-default)#

7 Log on to the Telnet console and provide the user details configured in the previous step to access the controller.

rfs6000 release 5.9.1.0-015D
rfs6000-6DB5D4 login: testuser
Password:
Welcome to CLI
Starting CLI...
rfs6000-6DB5D4>
1.5.3.2 Configuring SSH for Management Access Enabling Remote Administration By default, SSH is enabled from the factory settings on the controller. The controller requires an IP address and login credentials. To enable SSH access on a device, login through the serial console and perform the following:
1 The session, by default, opens in the USER EXEC mode (one of the two access levels of the EXEC mode). Access the PRIV EXEC mode from the USER EXEC mode.
   rfs6000-6DB5D4>en
   rfs6000-6DB5D4#
2 Access the GLOBAL CONFIG mode from the PRIV EXEC mode.
   rfs6000-6DB5D4#configure terminal
   Enter configuration commands, one per line. End with CNTL/Z.
   rfs6000-6DB5D4(config)#
3 Go to the default management-policy mode.
   rfs6000-6DB5D4(config)#management-policy ?
     MANAGEMENT  Name of the management policy to be configured (will be created if it does not exist)
   rfs6000-6DB5D4(config)#management-policy default
   rfs6000-6DB5D4(config-management-policy-default)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 1 - 15 INTRODUCTION
4 Enter ssh at the command prompt to enable SSH management access, then commit and write the change.
   rfs6000-6DB5D4(config-management-policy-default)#ssh
   rfs6000-6DB5D4(config-management-policy-default)#commit write
   rfs6000-6DB5D4(config-management-policy-default)#end
   rfs6000-6DB5D4#exit
5 Connect to the controller through SSH using its configured IP address. If logging in for the first time, use the following credentials:
   User Name: admin
   Password:  admin123
   At the first login you are prompted to change the password. Set a new password; the factory default is public knowledge and must not stay in service.
6 On subsequent logins, to add a user or change a user's password, access the default management-policy configuration mode and enter the username, new password, role, and access details. The password is typed in the clear but stored in hashed form, as the password 1 <digest> lines in the output show.
   rfs6000-6DB5D4(config-management-policy-default)#user testuser password test@123 role helpdesk access all
   rfs6000-6DB5D4(config-management-policy-default)#commit
   rfs6000-6DB5D4(config-management-policy-default)#show context
   management-policy default
    telnet
    http server
    https server
    no ftp
    ssh
    user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all
    user testuser password 1 32472f01757293a181738674bdf068ffe0b777ce145524fc669278820ab582c0 role helpdesk access all
    snmp-server community 2 uktRccdr9eLoByF5PCSuFAAAAAeB78WhgTbSKDi96msyUiW+ rw
    snmp-server community 2 Ne+R15zlwEdhybKxfbd6JwAAAAZzvrLGzU/xWXgwFtwF5JdD ro
    snmp-server user snmptrap v3 encrypted des auth md5 2 WUTBNiUi7tL4ZbU2I7Eh/QAAAAiDhBZTln0UIu+y/W6E/0tR
    snmp-server user snmpmanager v3 encrypted des auth md5 2 9Fva4fYV1WL4ZbU2I7Eh/QAAAAjdvbWANBNw+We/xHkH9kLi
    no https use-secure-ciphers-only
   rfs6000-6DB5D4(config-management-policy-default)#
   Note that this sample policy still has telnet and the plain HTTP server enabled, still permits weak HTTPS cipher suites (no https use-secure-ciphers-only), carries a read-write SNMPv2c community, and defines its SNMPv3 users with DES privacy and MD5 authentication. Once SSH access is confirmed, disable telnet and http server with the no form of the same keywords (as no ftp is shown here) and review the SNMP settings.
7 Log on to the SSH console and provide the user details configured in the previous step to access the controller.
   rfs6000 release 5.9.1.0-015D
   rfs6000-6DB5D4 login: testuser
   Password:
   Welcome to CLI
   Starting CLI...
   rfs6000-6DB5D4>
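The show context output in step 6 is exactly what a first-login hardening pass should inspect. The following Python is an added example, not code from the guide or from Extreme Networks: it parses a management-policy dump of that shape and reports the management-plane weaknesses visible in it (cleartext admin protocols, weak HTTPS ciphers, a read-write SNMPv2c community, SNMPv3 users on DES/MD5, the factory-default account name, and a missing ssh line). The suggested fix lines reuse the no <keyword> negation convention seen in the dump (no ftp); the exact remediation commands, the severity ratings and the hardened variant used for comparison are this editor's assumptions, not guide text.

```python
"""Offline audit of a WiNG management-policy dump (show context output).

Added example; not from the CLI Reference Guide. Fix strings assume the
'no <keyword>' negation convention visible in the dump itself.
"""
import re
from dataclasses import dataclass

# Sample input: the management-policy dump from the first-login walkthrough
# (the hash and community material is the guide's own sample data).
SAMPLE_CONTEXT = """\
management-policy default
 telnet
 http server
 https server
 no ftp
 ssh
 user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all
 user testuser password 1 32472f01757293a181738674bdf068ffe0b777ce145524fc669278820ab582c0 role helpdesk access all
 snmp-server community 2 uktRccdr9eLoByF5PCSuFAAAAAeB78WhgTbSKDi96msyUiW+ rw
 snmp-server community 2 Ne+R15zlwEdhybKxfbd6JwAAAAZzvrLGzU/xWXgwFtwF5JdD ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 WUTBNiUi7tL4ZbU2I7Eh/QAAAAiDhBZTln0UIu+y/W6E/0tR
 snmp-server user snmpmanager v3 encrypted des auth md5 2 9Fva4fYV1WL4ZbU2I7Eh/QAAAAjdvbWANBNw+We/xHkH9kLi
 no https use-secure-ciphers-only
"""


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (editor's rating, an assumption)
    line: str       # offending config line, whitespace stripped
    reason: str
    fix: str        # suggested management-policy line (assumed CLI form)


# Exact-match lines and their verdicts. The fix commands are assumptions
# built from the 'no' negation convention; they are not quoted from the guide.
FIXED_RULES = {
    "telnet": ("high", "telnet carries logins in cleartext", "no telnet"),
    "http server": ("high", "plain HTTP management exposes session credentials", "no http server"),
    "no https use-secure-ciphers-only": ("medium", "HTTPS server accepts weak cipher suites",
                                         "https use-secure-ciphers-only"),
}
USER_RE = re.compile(r"^user (\S+) password \d+ \S+ role (\S+) access (\S+)$")
RW_COMMUNITY_RE = re.compile(r"^snmp-server community \S+ \S+ rw$")
V3_WEAK_RE = re.compile(r"^snmp-server user (\S+) v3 encrypted des auth md5\b")


def audit_management_policy(context: str) -> list:
    """Return the findings for one 'show context' management-policy dump."""
    lines = [ln.strip() for ln in context.splitlines() if ln.strip()]
    findings = []
    ssh_enabled = False
    for line in lines:
        if line == "ssh":
            ssh_enabled = True
            continue
        if line in FIXED_RULES:
            sev, reason, fix = FIXED_RULES[line]
            findings.append(Finding(sev, line, reason, fix))
            continue
        if RW_COMMUNITY_RE.match(line):
            findings.append(Finding("high", line,
                                    "read-write SNMPv2c community: full config access behind a shared secret",
                                    "remove the rw community and use an SNMPv3 user instead"))
            continue
        m = V3_WEAK_RE.match(line)
        if m:
            findings.append(Finding("medium", line,
                                    f"SNMPv3 user {m.group(1)} uses DES privacy and MD5 authentication",
                                    f"re-create {m.group(1)} with AES privacy and SHA authentication"))
            continue
        m = USER_RE.match(line)
        if m and m.group(1) == "admin":
            findings.append(Finding("info", line, "factory-default account name 'admin' is still present",
                                    "add a uniquely named superuser, then restrict or remove admin"))
    if not ssh_enabled:
        findings.append(Finding("high", "(no ssh line)", "SSH management access is not enabled", "ssh"))
    return findings


def summarize(findings) -> dict:
    """Count findings per severity, e.g. {'high': 3, 'medium': 3, 'info': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit_management_policy(SAMPLE_CONTEXT):
        print(f"[{f.severity:6}] {f.line}\n         {f.reason}\n         fix: {f.fix}")
```

Run it against a dump captured with show context to get a prioritized list; re-run after applying the fixes to confirm that only accepted items remain.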
2 USER EXEC MODE COMMANDS
Logging in to the wireless controller places you within the USER EXEC command mode. Typically, a login requires a user name and password. You have three login attempts before the connection attempt is refused. USER EXEC commands (available at the user level) are a subset of the commands available at the privileged level. In general, USER EXEC commands allow you to connect to remote devices, perform basic tests, and list system information. To list available USER EXEC commands, use ? at the command prompt. The USER EXEC prompt consists of the device host name followed by an angle bracket (>).
<DEVICE>>?
Command commands:
  captive-portal-page-upload  Captive portal internal and advanced page upload
  change-passwd               Change password
  clear                       Clear
  clock                       Configure software system clock
  cluster                     Cluster commands
  commit                      Commit all changes made in this session
  connect                     Open a console connection to a remote device
  create-cluster              Create a cluster
  crypto                      Encryption related commands
  crypto-cmp-cert-update      Update the cmp certs
  database                    Database
  database-backup             Backup database
  database-restore            Restore database
  debug                       Debugging functions
  device-upgrade              Device firmware upgrade
  disable                     Turn off privileged mode command
  enable                      Turn on privileged mode command
  file-sync                   File sync between controller and adoptees
  help                        Description of the interactive help system
  join-cluster                Join the cluster
  l2tpv3                      L2tpv3 protocol
  logging                     Modify message logging facilities
  mint                        MiNT protocol
  no                          Negate a command or set its defaults
  on                          On RF-Domain
  opendns                     OpenDNS configuration
  page                        Toggle paging
  ping                        Send ICMP echo messages
  ping6                       Send ICMPv6 echo messages
  revert                      Revert changes
  service                     Service Commands
  show                        Show running system information
  ssh                         Open an ssh connection
  telnet                      Open a telnet connection
  terminal                    Set terminal line parameters
  time-it                     Check how long a particular command took between request and completion of response
  traceroute                  Trace route to destination
  traceroute6                 Trace route to destination(IPv6)
  virtual-machine             Virtual Machine
  watch                       Repeat the specific CLI command at a periodic interval
  write                       Write running configuration to memory or terminal
  clrscr                      Clears the display screen
  exit                        Exit from the CLI
<DEVICE>>
2.1 User Exec Commands
The following table summarizes the User Exec Mode commands:
Table 2.1 User Exec Mode Commands
Command: Description (Reference)
captive-portal-page-upload: Uploads captive portal advanced pages to adopted access points (page 2-4)
change-passwd: Changes the password of the logged-in user (page 2-8)
clear: Clears parameters, cache entries, table entries, and similar entries (page 2-9)
clock: Configures the system clock (page 2-20)
cluster: Accesses the cluster context (page 2-21)
connect: Establishes a console connection to a remote device (page 2-22)
create-cluster: Creates a new cluster on a specified device (page 2-23)
crypto: Enables encryption and configures encryption related parameters (page 2-24)
crypto-cmp-cert-update: Triggers a CMP certificate update on a specified device or devices (page 2-33)
database: Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight) (page 2-34)
database-backup: Backs up the captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server (page 2-38)
database-restore: Restores a previously exported database (captive-portal and/or NSight). Previously exported databases (backed up to a specified FTP or SFTP server) are restored to the original database. (page 2-40)
device-upgrade: Configures device firmware upgrade settings (page 2-41)
disable: Turns off (disables) the privileged mode command set (page 2-49)
enable: Turns on (enables) the privileged mode command set (page 2-50)
file-sync: Configures parameters enabling syncing of PKCS#12 and wireless-bridge certificates between the staging-controller and adopted access points (page 2-51)
join-cluster: Adds a device (access point, wireless controller, or service platform) to an existing cluster of devices (page 2-54)
l2tpv3: Establishes or brings down Layer 2 Tunneling Protocol Version 3 (L2TPv3) tunnels (page 2-56)
logging: Modifies message logging facilities (page 2-58)
mint: Configures MiNT protocol (page 2-60)
no: Negates a command or sets its default (page 2-62)
on: Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show (page 2-64)
opendns: Connects to the OpenDNS site using OpenDNS registered credentials (username, password) or an OpenDNS API token to fetch the OpenDNS device_id. This command is a part of the process that integrates access points, controllers, and service platforms with OpenDNS. (page 2-65)
page: Toggles a device's (access point, wireless controller, or service platform) paging function (page 2-67)
ping: Sends ICMP echo messages to a user-specified location (page 2-68)
ping6: Sends ICMPv6 echo messages to a user-specified IPv6 address (page 2-70)
ssh: Opens an SSH connection between two network devices (page 2-71)
telnet: Opens a Telnet session (page 2-72)
terminal: Sets the length and width of the terminal window (page 2-73)
time-it: Verifies the time taken by a particular command between request and response (page 2-74)
traceroute: Traces the route to its defined destination (page 2-75)
traceroute6: Traces the route to a specified IPv6 destination (page 2-76)
virtual-machine: Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller (page 2-77)
watch: Repeats a specific CLI command at a periodic interval (page 2-83)
NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
NOTE: The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an underscore (_) character.
2.1.1 captive-portal-page-upload
Uploads captive portal advanced pages to adopted access points. Use this command to provide access points with specific captive portal configurations, so that they can successfully provision login, welcome, and condition pages to clients attempting to access the wireless network using the captive portal.
NOTE: Ensure that the captive portal pages uploaded are *.tar files.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|load-file]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>
Parameters
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
  captive-portal-page-upload <CAPTIVE-PORTAL-NAME>  Uploads advanced pages of the captive portal identified by the <CAPTIVE-PORTAL-NAME> parameter
    <CAPTIVE-PORTAL-NAME>  Specify the captive portal's name (should be existing and configured).
  <MAC/HOSTNAME>  Uploads to a specified AP. Specify the AP's MAC address or hostname.
  all  Uploads to all APs
  upload-time <TIME>  Optional. Schedules an AP upload time
    <TIME>  Specify the upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local system's time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device.
  To view a list of uploaded captive portal files, execute the show > captive-portal-page-upload > list-files <CAPTIVE-PORTAL-NAME> command.
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}
  captive-portal-page-upload <CAPTIVE-PORTAL-NAME>  Uploads advanced pages of the captive portal identified by the <CAPTIVE-PORTAL-NAME> parameter
    <CAPTIVE-PORTAL-NAME>  Specify the captive portal name (should be existing and configured).
  rf-domain [<DOMAIN-NAME>|all]  Uploads to all APs within a specified RF Domain or all RF Domains
    <DOMAIN-NAME>  Uploads to APs within a specified RF Domain. Specify the RF Domain name.
    all  Uploads to APs across all RF Domains
  from-controller  Optional. Uploads captive-portal pages to APs via the controller to which the APs are adopted
  upload-time <TIME>  Optional. Schedules an AP upload time
    <TIME>  Specify the upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local system's time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device.
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
  cancel-upload  Cancels a scheduled AP upload. Select one of the following options:
    <MAC/HOSTNAME>  Cancels the scheduled upload to a specified AP. Specify the AP's MAC address or hostname.
    all  Cancels all scheduled AP uploads
    on rf-domain [<DOMAIN-NAME>|all]  Cancels all scheduled uploads to APs within a specified RF Domain or all RF Domains
      <DOMAIN-NAME>  Cancels scheduled uploads to APs within a specified RF Domain. Specify the RF Domain name.
      all  Cancels scheduled uploads across all RF Domains
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
  delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>  Deletes a specified captive portal's uploaded Web page files. Identifies the captive portal and the Web pages to delete.
    <CAPTIVE-PORTAL-NAME>  Specify the captive portal name.
    <FILE-NAME>  Specify the file name. The specified internal captive portal page is deleted.
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>
  load-file <CAPTIVE-PORTAL-NAME> <URL>  Loads captive-portal advanced pages. Specify the captive portal name and location. The captive portal should be existing and configured.
    <URL>  Specifies the location of the captive-portal Web pages. Use one of the following formats to specify the location:
      IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        http://<hostname|IP>[:port]/path/file
        cf:/path/file
        usb<n>:/path/file
      IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        http://<hostname|[IPv6]>[:port]/path/file
    Note: The captive portal pages are downloaded to the controller from the location specified here. After downloading, use the captive-portal-page-upload > <CAPTIVE-PORTAL-NAME> > <DEVICE-OR-DOMAIN-NAME> command to upload these pages to APs. The ftp and sftp forms carry the password on the command line, and the tftp and http forms fetch the archive with no authentication or integrity check, so pull page archives only from a server you control: whatever is in the archive is served to every client that reaches the captive portal.
Example
ap6562-B1A214>captive-portal-page-upload load-file captive_portal_test tftp://89.89.89.17/pages_new_only.tar
ap6562-B1A214>
ap6562-B1A214>show captive-portal-page-upload load-image-status
Download of captive_portal_test advanced page file is complete
ap6562-B1A214>
ap6562-B1A214>captive-portal-page-upload captive_portal_test all
--------------------------------------------------------------------------------
CONTROLLER         STATUS   MESSAGE
--------------------------------------------------------------------------------
FC-0A-81-B1-A2-14  Success  Added 6 APs to upload queue
--------------------------------------------------------------------------------
ap6562-B1A214>
ap6562-B1A214>show captive-portal-page-upload status
Number of APs currently being uploaded : 1
Number of APs waiting in queue to be uploaded : 0
---------------------------------------------------------------------------------------
AP             STATE        UPLOAD TIME  PROGRESS  RETRIES  LAST UPLOAD ERROR  UPLOADED BY
---------------------------------------------------------------------------------------
ap6562-B1A738  downloading  immediate    100       0        -                  None
---------------------------------------------------------------------------------------
ap6562-B1A214>
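The <URL> forms accepted by load-file decide how much trust the page archive gets on the way in. The following Python is an added example, not part of the guide: it parses every URL form listed for load-file (including the bracketed IPv6 host and the cf:/ and usb<n>:/ local forms), rejects forms the syntax table does not allow, and reports what each transport exposes. The risk wording is this editor's assessment, and the sample URLs other than the guide's own tftp://89.89.89.17/pages_new_only.tar are constructed.

```python
"""Parse the load-file URL forms of captive-portal-page-upload and report
transport exposure. Added example; not from the CLI Reference Guide."""
import re
from urllib.parse import urlsplit

REMOTE_SCHEMES = {"tftp", "ftp", "sftp", "http"}
# Local-media forms from the syntax table: cf:/path/file and usb<n>:/path/file
LOCAL_URL_RE = re.compile(r"^(cf|usb\d+):/(.+)$")

RISK_UNAUTHENTICATED = "no authentication or integrity protection: the archive is trusted as fetched"
RISK_CLEARTEXT = "credentials and archive travel in cleartext"
RISK_INLINE_PASSWORD = "password embedded in the command line (terminal history, logs)"
RISK_LOCAL_MEDIA = "local media: verify where the archive came from"


def parse_transfer_url(url: str) -> dict:
    """Split a load-file URL into scheme/host/port/path/user/password plus a
    list of transport risks. Raises ValueError for forms the table does not list."""
    local = LOCAL_URL_RE.match(url)
    if local:
        return {"scheme": local.group(1), "host": None, "port": None,
                "path": "/" + local.group(2), "user": None, "password": None,
                "risks": [RISK_LOCAL_MEDIA]}
    parts = urlsplit(url)          # handles user:pass@ and [IPv6] host forms
    if parts.scheme not in REMOTE_SCHEMES:
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if not parts.hostname or parts.path in ("", "/"):
        raise ValueError("host and /path/file are required")
    risks = []
    if parts.scheme in ("tftp", "http"):
        risks.append(RISK_UNAUTHENTICATED)
    if parts.scheme == "ftp":
        risks.append(RISK_CLEARTEXT)
    if parts.scheme in ("ftp", "sftp"):
        if not (parts.username and parts.password):
            raise ValueError(f"{parts.scheme} form requires <user>:<passwd>@")
        risks.append(RISK_INLINE_PASSWORD)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": parts.port,
            "path": parts.path, "user": parts.username, "password": parts.password,
            "risks": risks}


if __name__ == "__main__":
    for sample in ("tftp://89.89.89.17/pages_new_only.tar",            # from the guide's example
                   "ftp://ops:s3cret@10.0.0.5:2121/pages/new.tar",     # constructed
                   "sftp://ops:s3cret@[2001:db8::1]/pages/new.tar",    # constructed
                   "usb1:/pages/new.tar"):                             # constructed
        info = parse_transfer_url(sample)
        print(sample, "->", info["scheme"], info["host"], info["path"])
        for risk in info["risks"]:
            print("   !", risk)
```

Of the listed transports only sftp authenticates the server, and even it leaves the password in the command line; staging the archive on local media (cf: or usb) after checking it out of band avoids both problems.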
2.1.2 change-passwd
Changes the password of the logged-in user. When this command is executed without any parameters, the password can be changed interactively.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>
Parameters
change-passwd {<OLD-PASSWORD>} <NEW-PASSWORD>
  <OLD-PASSWORD>  Optional. Specify the existing password.
  <NEW-PASSWORD>  Specify the new password.
  Note: The password can also be changed interactively. To do so, press [Enter] after the command. Interactive entry also keeps the new password off the command line.
Usage Guidelines
A password must be from 1 - 64 characters in length. The change applies to the running configuration only; as the example shows, it must be written to memory to survive a reload.
Example
rfs6000-81742D>change-passwd
Enter old password:
Enter new password:
Password for user 'admin' changed successfully
Please write this password change to memory(write memory) to be persistent.
rfs6000-81742D#write memory
OK
rfs6000-81742D>
2.1.3 clear
Clears parameters, cache entries, table entries, and other similar entries. The clear command is available for specific commands only. The information cleared, using this command, depends on the mode where the clear command is executed.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
NOTE: When using the clear command, refer to the interface details provided in the interface section.
Syntax
clear [arp-cache|bonjour|cdp|counters|crypto|eguest|event-history|gre|ip|ipv6|lacp|lldp|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp]
clear arp-cache {on <DEVICE-NAME>}
clear bonjour cache {on <DEVICE-NAME>}
clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
clear counters [ap|radio|wireless-client]
clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-X>}|wireless-client {<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}
clear crypto [ike|ipsec] sa
clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
clear crypto ipsec sa {on <DEVICE-NAME>}
clear eguest registration statistics
clear event-history
clear gre stats {on <DEVICE-NAME>}
clear ip [bgp|dhcp|ospf]
clear ip bgp [<IP>|all|external|process]
clear ip bgp [<IP>|all|external] {in|on|out|soft}
clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
clear ip bgp process {on <DEVICE-NAME>}
clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
clear ip ospf process {on <DEVICE-NAME>}
clear ipv6 neighbor-cache {on <DEVICE-NAME>}
clear lacp [<1-4> counters|counters]
clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table {interface [<IF-NAME>|ge <1-2>|port-channel <1-2>|vmif <1-8>]} {on <DEVICE-NAME>}
clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}
clear mint mlcp history {on <DEVICE-NAME>}
clear role ldap-stats {on <DEVICE-NAME>}
clear rtls [aeroscout|ekahau]
clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}
clear spanning-tree detected-protocols {interface|on}
clear spanning-tree detected-protocols {on <DEVICE-NAME>}
clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}
clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}
clear vrrp [error-stats|stats] {on <DEVICE-NAME>}
Parameters
clear arp-cache {on <DEVICE-NAME>}
  arp-cache  Clears Address Resolution Protocol (ARP) cache entries on a device. This protocol matches layer 3 IP addresses to layer 2 MAC addresses.
  on <DEVICE-NAME>  Optional. Clears ARP cache entries on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear bonjour cache {on <DEVICE-NAME>}
  bonjour cache  Clears all Bonjour cached statistics. Once cleared, the system has to re-discover available Bonjour services.
  on <DEVICE-NAME>  Optional. Clears all Bonjour cached statistics on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
  cdp  Clears Cisco Discovery Protocol (CDP) table entries
  lldp  Clears Link Layer Discovery Protocol (LLDP) table entries
  neighbors  Clears CDP or LLDP neighbor table entries based on the option selected in the preceding step
  on <DEVICE-NAME>  Optional. Clears CDP or LLDP neighbor table entries on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear counters [ap {<MAC>}|radio {<MAC/DEVICE-NAME>} {<1-X>}|wireless-client {<MAC>}] {(on <DEVICE-OR-DOMAIN-NAME>)}
  counters  Clears counters based on the parameters passed. The options are: AP, radio, and wireless clients.
  ap <MAC>  Clears counters for all APs or a specified AP
    <MAC>  Optional. Specify the AP's MAC address. If no MAC address is specified, all AP counters are cleared.
  radio <MAC/DEVICE-NAME> <1-X>  Clears radio interface counters on a specified device or on all devices
    <MAC/DEVICE-NAME>  Optional. Specify the device's hostname or MAC address. Optionally, append the radio interface number to the radio ID using one of the following formats: AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX (where RX is the interface number).
    <1-X>  Optional. Identifies the radio interface by its index. Specify the radio interface index if it is not given as part of the radio ID. The number of radio interfaces available varies with the access point type. If no device name or MAC address is specified, all radio interface counters are cleared.
  wireless-client <MAC>  Clears counters for all wireless clients or a specified wireless client
    <MAC>  Optional. Specify the wireless client's MAC address. If no MAC address is specified, all wireless client counters are cleared.
  on <DEVICE-OR-DOMAIN-NAME>  Optional, and common to all of the above keywords. Clears AP, radio, or wireless client counters on a specified device or RF Domain
    <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.
clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
  crypto  Clears the encryption module's cached statistics
  ike sa [<IP>|all]  Clears Internet Key Exchange (IKE) security associations (SAs)
    <IP>  Clears IKE SA entries for the peer identified by the <IP> keyword
    all  Clears IKE SA entries for all peers
  on <DEVICE-NAME>  Optional. Clears IKE SA entries, for a specified peer or all peers, on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear crypto ipsec sa {on <DEVICE-NAME>}
  crypto  Clears the encryption module's cached statistics
  ipsec sa  Clears Internet Protocol Security (IPSec) database SAs
  on <DEVICE-NAME>  Optional. Clears IPSec SA entries on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear eguest registration statistics
  eguest registration statistics  Clears EGuest registration server counters. When cleared, EGuest registration details are deleted, and the show > eguest > registration > statistics command output is null. This command is applicable only on the NX9500, NX9600, and VX9000 model service platforms.
clear event-history
  event-history  Clears event history cache entries. This discards the device's local record of events, so export or review the history before clearing it during an investigation.
clear gre stats {on <DEVICE-NAME>}
  gre stats  Clears GRE tunnel statistics
  on <DEVICE-NAME>  Optional. Clears GRE tunnel statistics on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
  ip bgp [<IP>|all|external]  Clears on-going BGP sessions based on the option selected
    <IP>  Clears the BGP session with the peer identified by the <IP> keyword. Specify the BGP peer's IP address.
    all  Clears all BGP peer sessions
    external  Clears external BGP (eBGP) peer sessions
    This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms. Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after on-going BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce loss of route updates during the process, use the soft option. Soft reconfiguration stores inbound/outbound route updates to be processed later and updated to the routing table. This requires high memory usage.
  in  Optional. Clears inbound route updates
  prefix-filter  Optional. Clears the existing Outbound Route Filtering (ORF) prefix-list
  on <DEVICE-NAME>  Optional. Clears route updates on a specified device
    <DEVICE-NAME>  Specify the name of the AP or service platform.
clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
  ip bgp [<IP>|all|external]  Clears on-going BGP sessions based on the option selected. <IP>, all, and external are as above; the platform and soft-reconfiguration notes above also apply.
  out  Optional. Clears outbound route updates. Optionally specify the device on which to execute this command. The following keyword is recursive and optional.
  on <DEVICE-NAME>  Optional. Clears BGP sessions on a specified device
    <DEVICE-NAME>  Specify the name of the AP or service platform.
clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
  ip bgp [<IP>|all|external]  Clears on-going BGP sessions based on the option selected. <IP>, all, and external are as above; the platform and soft-reconfiguration notes above also apply.
  soft {in|out}  Optional. Initiates soft reconfiguration of route updates for the specified IP address
    in  Optional. Enables soft reconfiguration of inbound route updates
    out  Optional. Enables soft reconfiguration of outbound route updates
  on <DEVICE-NAME>  Optional. Initiates soft reconfiguration of inbound/outbound route updates on a specified device
    <DEVICE-NAME>  Specify the name of the AP or service platform.
clear ip bgp process {on <DEVICE-NAME>}
  ip bgp process  Clears all running BGP processes. This command is applicable only to the RFS4000, RFS6000, NX9500, NX9600, and VX9000 platforms.
  on <DEVICE-NAME>  Optional. Clears all BGP processes on a specified device
    <DEVICE-NAME>  Specify the name of the AP or service platform.
clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
  ip dhcp bindings  Clears a Dynamic Host Configuration Protocol (DHCP) server's IP address binding entries (DHCP connections and server bindings)
    <IP>  Clears specific address binding entries. Specify the IP address to clear binding entries.
    all  Clears all address binding entries
  on <DEVICE-NAME>  Optional. Clears a specified address binding or all address bindings on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear ip ospf process {on <DEVICE-NAME>}
  ip ospf process  Clears an already enabled Open Shortest Path First (OSPF) process and restarts the process. OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighboring routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.
  on <DEVICE-NAME>  Optional. Clears the OSPF process on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear ipv6 neighbor-cache {on <DEVICE-NAME>}
  ipv6 neighbor-cache  Clears IPv6 neighbor cache entries
  on <DEVICE-NAME>  Optional. Clears IPv6 neighbor cache entries on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear lacp [<1-4> counters|counters]
  lacp [<1-4> counters|counters]  Clears Link Aggregation Control Protocol (LACP) counters for a specified port-channel group or all configured port-channel groups
    <1-4> counters  Clears LACP counters for a specified port-channel. Specify the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. The NX9500 series service platforms support only two (2) port-channels; the other model service platforms support four (4) port-channels.
    counters  Clears LACP counters for all configured port-channels on the device
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
  mac-address-table  Clears MAC address forwarding table data based on the parameters passed. Use this command to clear the following: all or specified MAC addresses from the system, all MAC addresses on a specified interface, all MAC addresses on a specified VLAN, or the authentication state of a MAC address.
  address <MAC>  Optional. Clears a specified MAC address from the MAC address table.
    <MAC>  Specify the MAC address in one of the following formats: AA-BB-CC-DD-EE-FF or AA:BB:CC:DD:EE:FF or AABB.CCDD.EEFF. If executed without specifying any MAC address(es), all MAC addresses are removed from the MAC address table.
  vlan <1-4094>  Optional. Clears all MAC addresses for a specified VLAN
    <1-4094>  Specify the VLAN ID from 1 - 4094.
  on <DEVICE-NAME>  Optional. Clears a single MAC entry or all MAC entries, for the specified VLAN, on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear mac-address-table {interface [<IF-NAME>|ge <1-X>|port-channel <1-X>]} {on <DEVICE-NAME>}
  mac-address-table  Clears MAC address forwarding table data based on the parameters passed (see the description above).
  interface  Clears all MAC addresses for the selected interface. Use the options available to specify the interface.
    <IF-NAME>  Clears the MAC address forwarding table for the specified layer 2 interface (Ethernet port). Specify the layer 2 interface name.
    ge <1-X>  Clears the MAC address forwarding table for the specified GigabitEthernet interface. Specify the GigabitEthernet interface index from 1 - X. The number of GE interfaces supported varies for different device types.
    port-channel <1-X>  Clears the MAC address forwarding table for the specified port-channel interface. Specify the port-channel interface index from 1 - X. The number of port-channel interfaces supported varies for different device types.
  on <DEVICE-NAME>  Optional. Clears the MAC address forwarding table, for the selected interface, on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}
  mac-address-table mac-auth-state address <MAC> vlan <1-4094>  Clears MAC addresses learned from a particular VLAN when WLAN MAC authentication and captive-portal fallback is enabled. Access points/controllers provide WLAN access to clients whose MAC address has been learned and stored in their MAC address tables. Use this command to clear a specified MAC address from the MAC address table. Once cleared, the client has to re-authenticate, and is provided access only on successful authentication. Clear the entry after removing a client's MAC address from the authentication source so that the removal takes effect immediately rather than at the client's next re-authentication.
    <MAC>  Specify the MAC address to clear.
    vlan <1-4094>  Specify the VLAN interface from 1 - 4094. In the AP/controller's MAC address table, the specified MAC address is cleared on the specified VLAN interface.
  on <DEVICE-NAME>  Optional. Clears the specified MAC address on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform. If a device is not specified, the system clears the MAC address on all devices.
clear mint mlcp history {on <DEVICE-NAME>}
  mint                 Clears MiNT related information
    mlcp history       Clears MiNT Link Creation Protocol (MLCP) client history
  on <DEVICE-NAME>     Optional. Clears MLCP client history on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

clear role ldap-stats {on <DEVICE-NAME>}

  role ldap-stats      Clears Lightweight Directory Access Protocol (LDAP) server statistics
  on <DEVICE-NAME>     Optional. Clears LDAP server statistics on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}

  rtls                 Clears Real Time Location Service (RTLS) statistics
    aeroscout          Clears RTLS Aeroscout statistics
    ekahau             Clears RTLS Ekahau statistics
  <MAC/DEVICE-NAME>    Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified AP, wireless controller, or service platform. Specify the AP's MAC address or hostname. This keyword is common to the aeroscout and ekahau parameters.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified device. This keyword is common to the aeroscout, ekahau, and <MAC/DEVICE-NAME> parameters.
    <DEVICE-OR-DOMAIN-NAME>
                       Specify the name of the AP, wireless controller, service platform, or RF Domain.

clear spanning-tree detected-protocols {on <DEVICE-NAME>}
  spanning-tree detected-protocols
                       Clears spanning tree entries on an interface, and restarts protocol migration
  on <DEVICE-NAME>     Optional. Clears spanning tree entries on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]} {on <DEVICE-NAME>}

  spanning-tree detected-protocols
                       Clears spanning tree entries on an interface and restarts protocol migration
  interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|up1|vlan <1-4094>|wwan1]
                       Optional. Clears spanning tree entries on different interfaces
    <INTERFACE-NAME>   Clears detected spanning tree entries on a specified interface. Specify the interface name.
    ge <1-X>           Clears detected spanning tree entries for the selected GigabitEthernet interface. Select the GigabitEthernet interface index from 1 - X.
    me1                Clears FastEthernet interface spanning tree entries
    port-channel <1-X> Clears detected spanning tree entries for the selected port channel interface. Select the port channel index from 1 - X. The number of port-channel interfaces supported varies for different device types.
    pppoe1             Clears detected spanning tree entries for the Point-to-Point Protocol over Ethernet (PPPoE) interface
    up1                Clears detected spanning tree entries for the WAN Ethernet interface
    vlan <1-4094>      Clears detected spanning tree entries for the selected VLAN interface. Select a Switch Virtual Interface (SVI) VLAN ID from 1 - 4094.
    wwan1              Clears detected spanning tree entries for the wireless WAN interface
  on <DEVICE-NAME>     Optional. Clears spanning tree entries on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

clear traffic-shape statistics class <1-4> {(on <DEVICE-NAME>)}
  traffic-shape statistics
                       Clears traffic shaping statistics
    class <1-4>        Clears traffic shaping statistics for a specific traffic class. Specify the traffic class from 1 - 4.
                       Note: If the traffic class is not specified, the system clears all traffic shaping statistics.
  on <DEVICE-NAME>     Optional. Clears traffic shaping statistics for the specified traffic class on a specified device
    <DEVICE-NAME>      Specify the name of the access point, wireless controller, or service platform.
                       Note: For more information on configuring traffic-shape, see traffic-shape.

clear vrrp [error-stats|stats] {on <DEVICE-NAME>}

  vrrp                 Clears a device's Virtual Router Redundancy Protocol (VRRP) statistics. VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router from this pool and assigns it the virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the new master and the virtual IP address is mapped to it.
    error-stats        Clears global error statistics
    stats              Clears VRRP related statistics
  The following keywords are common to the error-stats and stats parameters:
  on <DEVICE-NAME>     Optional. Clears VRRP statistics on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

Example
rfs4000-229D58>clear event-history
rfs4000-229D58>clear spanning-tree detected-protocols interface port-channel 1
rfs4000-229D58>clear spanning-tree detected-protocols interface ge 1
rfs4000-229D58>show lldp neighbors
-------------------------
Chassis ID: 00-23-68-88-0D-A7
System Name: rfs4000-880DA7
Platform: RFS-4011-11110-US, Version 5.8.6.0-008B
Capabilities: Bridge WLAN Access Point Router
Enabled Capabilities: Bridge WLAN Access Point Router
Local Interface: ge5, Port ID (outgoing port): ge5
TTL: 176 sec
Management Addresses: 192.168.13.8,192.168.0.1,1.2.3.4
rfs4000-229D58>
rfs4000-229D58>clear lldp neighbors
rfs4000-229D58>show lldp neighbors
rfs4000-229D58>show cdp neighbors
--------------------------------------------------------------------------------
Device ID             Platform              Local Intrfce   Port ID   Duplex
--------------------------------------------------------------------------------
rfs4000-880DA7        RFS-4011-11110-US     ge1             ge1       full
rfs6000-434CAA        RFS6000               ge1             ge1       full
ap7131-139B34         AP7131N               ge1             ge1       full
--------------------------------------------------------------------------------
rfs4000-229D58>
rfs4000-229D58>clear cdp neighbors
rfs4000-229D58>show cdp neighbors
--------------------------------------------------------------------------------
Device ID             Platform              Local Intrfce   Port ID   Duplex
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
rfs4000-229D58>
rfs4000-229D58>clear role ldap-stats
rfs4000-229D58>show role ldap-stats
No ROLE LDAP statistics found.
rfs4000-229D58>
rfs4000-229D58>show mac-address-table
--------------------------------------------------------
BRIDGE  VLAN  PORT  MAC                STATE
--------------------------------------------------------
1       1     ge5   00-02-B3-28-D1-55  forward
1       1     ge5   00-0F-8F-19-BA-4C  forward
1       1     ge5   B4-C7-99-5C-FA-8E  forward
1       1     ge5   00-23-68-0F-43-D8  forward
1       1     ge5   00-15-70-38-06-49  forward
1       1     ge5   00-23-68-13-9B-34  forward
1       1     ge5   B4-C7-99-58-72-58  forward
1       1     ge5   00-15-70-81-74-2D  forward
--------------------------------------------------------
Total number of MACs displayed: 8
rfs4000-229D58>
rfs4000-229D58>clear mac-address-table address 00-02-B3-28-D1-55
rfs4000-229D58>show mac-address-table
--------------------------------------------------------
BRIDGE  VLAN  PORT  MAC                STATE
--------------------------------------------------------
1       1     ge5   00-0F-8F-19-BA-4C  forward
1       1     ge5   B4-C7-99-5C-FA-8E  forward
1       1     ge5   00-23-68-0F-43-D8  forward
1       1     ge5   00-15-70-38-06-49  forward
1       1     ge5   00-23-68-13-9B-34  forward
1       1     ge5   B4-C7-99-58-72-58  forward
1       1     ge5   00-15-70-81-74-2D  forward
--------------------------------------------------------
Total number of MACs displayed: 7
rfs4000-229D58>
2.1.4 clock
User Exec Commands

Sets a device's system clock. By default all WiNG devices are shipped with the time zone and time format set to UTC and 24-hour clock respectively. If a device's clock is set without also setting the time zone, the time is displayed relative to Coordinated Universal Time (UTC). To display time in the local time zone format, in the device's configuration mode, use the timezone command. You can also set the time zone at the RF Domain level. When configured as an RF Domain setting, it applies to all devices within the domain. Configuring the local time zone prior to setting the clock is recommended. For more information on configuring the RF Domain time zone, see timezone.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

Parameters
clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

  clock set            Sets a device's software system clock
    <HH:MM:SS>         Sets the current time (in military format: hours, minutes, and seconds)
                       Note: By default, the WiNG software displays time in the 24-hour clock format. This setting cannot be changed.
    <1-31>             Sets the numerical day of the month
    <MONTH>            Sets the month of the year (Jan to Dec)
    <1993-2035>        Sets a valid four digit year from 1993 - 2035
  on <DEVICE-NAME>     Optional. Sets the clock on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

Example
The following commands set the time zone and clock for the logged device:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#timezone America/Los_Angeles
nx9500-6C8809>clock set 11:24:30 21 Jan 2017
nx9500-6C8809>show clock
2017-01-21 12:14:14 PDT
nx9500-6C8809>

Note: if the clock is set without resetting the time zone, the time displays as UTC time, as shown in the following example:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#no timezone
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#commit
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show clock
2017-01-21 19:15:55 UTC
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
2.1.5 cluster
User Exec Commands

Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member. Commands executed under this context are executed on all members of the cluster.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cluster start-election

Parameters
cluster start-election

  start-election       Starts a new cluster master election

Example
nx9500-6C8809>cluster start-election
nx9500-6C8809>

Related Commands
  create-cluster       Creates a new cluster on the specified device
  join-cluster         Adds a wireless controller or service platform, as a member, to an existing cluster of controllers

2.1.6 connect
User Exec Commands

Begins a console connection to a remote device using the remote device's MiNT ID or name.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Parameters
connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

  mint-id <MINT-ID>    Connects to the remote system using its MiNT ID
    <MINT-ID>          Specify the remote device's MiNT ID.
  <REMOTE-DEVICE-NAME> Connects to the remote system using its name. Specify the remote device's name.

Example
rfs6000-81742D>show mint lsp-db
9 LSPs in LSP-db of 19.6D.B5.D4:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 8 adjacencies, seqnum 1294555
LSP 19.6D.B5.D4 at level 1, hostname "rfs6000-81742D", 8 adjacencies, seqnum 1915724
LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 8 adjacencies, seqnum 1468229
LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 8 adjacencies, seqnum 649244
LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 8 adjacencies, seqnum 202821
LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 8 adjacencies, seqnum 380340
LSP 68.88.0D.A7 at level 1, hostname "rfs4000-880DA7", 8 adjacencies, seqnum 1494523
LSP 68.99.BB.7C at level 1, hostname "ap7131-99BB7C", 8 adjacencies, seqnum 831532
rfs6000-81742D>
rfs6000-81742D>connect mint-id 19.6C.88.09
Entering character mode
Escape character is '^]'.

NX9500 release 5.9.1.0-012D
nx9500-6C8809 login:
2.1.7 create-cluster
User Exec Commands

Creates a new device cluster with the specified name and assigns it an IP address and routing level.

A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by a profile configuration. Within the cluster, members discover and establish connections to other members and provide wireless network self-healing support in the event of a member's failure. A cluster's load is typically distributed evenly amongst its members. An administrator needs to define how often the profile is load balanced for radio distribution, as radios can come and go and members join and exit the cluster.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

Parameters
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

  create-cluster       Creates a cluster
    name <CLUSTER-NAME>
                       Configures the cluster name. Specify a cluster name unique to its configuration or profile support requirements. The name cannot exceed 64 characters.
    ip <IP>            Specifies the device's IP address used for cluster creation. Specify the device's IP address in the A.B.C.D format.
    level [1|2]        Optional. Configures the cluster's routing level
      1                Configures level 1 (local) routing
      2                Configures level 2 (inter-site) routing

Example
rfs6000-81742D>create-cluster name TechPubs ip 192.168.13.23 level 1
... creating cluster
... committing the changes
... saving the changes Please Wait .
[OK]
rfs6000-81742D>
rfs6000-81742D>show context session-config include-factory | include cluster name TechPubs
cluster name TechPubs
rfs6000-81742D>

Related Commands
  cluster              Initiates cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
  join-cluster         Adds a device, as a member, to an existing cluster of devices

2.1.8 crypto
User Exec Commands

Enables digital certificate configuration and RSA Keypair management. Digital certificates are issued by CAs and contain user or device specific information, such as name, public key, IP address, serial number, company name, etc. Use this command to generate, delete, export, or import encrypted RSA Keypairs and to generate a Certificate Signing Request (CSR). This command also enables trustpoint configuration. Trustpoints contain the CA's identity and configuration parameters.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto [key|pki]

crypto key [export|generate|import|zeroize]
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|on|passphrase}
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|on|passphrase}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

crypto pki [authenticate|export|generate|import|zeroize]
crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on <DEVICE-NAME>)}
crypto pki export [request|trustpoint]
crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki import [certificate|crl|trustpoint]
crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}
crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}
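The device side of the certificate workflow above is: authenticate a trustpoint (fetch the CA certificate), export a CSR built from an RSA Keypair and a subject name, then import the signed certificate and, later, the CA's CRL. The other half happens on the CA. The script below is an added example, not WiNG code and not part of this guide; it runs on an administrator's workstation with the openssl CLI and plays that CA half: it builds a private CA, stands in for an AP by producing a CSR with the six subject-name fields listed in the syntax (<COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT>), signs it, revokes it, publishes a CRL, and then shows why "crypto pki import crl" matters: the revoked certificate still passes a plain chain check, and is only rejected once the CRL is consulted. The working directory, the CA name lab-ca, the file names and every subject value are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not WiNG code): the CA side of the guide's "crypto pki"
# exchange, driven with the openssl CLI on an admin workstation.
#   ca.crt     what a device fetches with "crypto pki authenticate"
#   device.csr what "crypto pki export request ... subject-name" would send
#   device.crt what "crypto pki import certificate" fetches back
#   ca.crl     what "crypto pki import crl" fetches
# Assumed: WORK directory, CA name lab-ca, all subject values.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/ca.cnf"

# Minimal config for "openssl req" and "openssl ca", with absolute paths.
# The policy lists exactly the six attributes a WiNG subject-name CSR
# carries; a CSR with any other attribute is refused by the CA.
write_config() {
    cat > "$CFG" <<EOF
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca ]
default_ca = lab_ca
[ lab_ca ]
new_certs_dir    = $WORK
database         = $WORK/index.txt
serial           = $WORK/serial
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = lab_policy
[ lab_policy ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
EOF
    : > "$WORK/index.txt"; echo 01 > "$WORK/serial"
}

make_ca() {
    write_config
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -config "$CFG" -x509 -new -sha256 -days 365 \
        -key "$WORK/ca.key" -subj "/CN=lab-ca/O=TechPubs" \
        -out "$WORK/ca.crt" 2>/dev/null
}

# Simulated device side, fields in the guide's order:
# <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT>
make_device_csr() {
    openssl req -config "$CFG" -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/device.key" \
        -subj "/CN=ap7532-80C2AC/C=US/ST=California/L=SanJose/O=TechPubs/OU=Wireless" \
        -out "$WORK/device.csr" 2>/dev/null
}

sign_device_csr() {
    openssl ca -config "$CFG" -batch -notext \
        -in "$WORK/device.csr" -out "$WORK/device.crt" 2>/dev/null
}

revoke_and_publish_crl() {
    openssl ca -config "$CFG" -revoke "$WORK/device.crt" 2>/dev/null
    openssl ca -config "$CFG" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

# Chain check only: what a peer that never imported the CRL can do.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" 2>/dev/null | grep -q ': OK$'
}

# Chain check plus revocation: what a peer that imported the CRL does.
verify_cert_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        "$1" 2>/dev/null | grep -q ': OK$'
}

# Subject CN the CA actually issued, to compare with what was requested.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline |
        sed -n 's/^ *CN=//p'
}

pki_demo() {
    make_ca && make_device_csr && sign_device_csr
    echo "issued to CN=$(cert_cn "$WORK/device.crt")"
    verify_cert "$WORK/device.crt" && echo "fresh cert: OK"
    revoke_and_publish_crl
    verify_cert "$WORK/device.crt" && echo "revoked cert, no CRL: still OK"
    verify_cert_with_crl "$WORK/device.crt" || echo "revoked cert, with CRL: rejected"
}

# Run the whole flow with: sh pki_ca_demo.sh run
if [ "${1:-}" = "run" ]; then pki_demo; fi
```

The last two lines of pki_demo are the point: revocation is invisible to anything that only holds ca.crt, so a trustpoint that was authenticated once and never refreshed with "crypto pki import crl" keeps accepting a certificate the CA has withdrawn. The same script's ca.crt and ca.crl are the files a device would fetch from the <URL> given to "crypto pki authenticate" and "crypto pki import crl".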
Parameters
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

  key                  Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
    export rsa         Exports an existing RSA Keypair to a specified destination
    <RSA-KEYPAIR-NAME> Specify the RSA Keypair name.
    <EXPORT-TO-URL>    Specify the RSA Keypair destination address. Both IPv4 and IPv6 address formats are supported. After specifying the destination address (where the RSA Keypair is exported to), configure one of the following parameters: background or passphrase.
    background         Optional. Performs the export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
    passphrase <KEY-PASSPHRASE>
                       Optional. Encrypts the RSA Keypair with a passphrase before exporting. Without this option the private key is written to the destination unencrypted.
      <KEY-PASSPHRASE> Specify a passphrase to encrypt the RSA Keypair.
      background       Optional. Performs the export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
  The following parameter is recursive and common to all of the above parameters:
  on <DEVICE-NAME>     Optional. Performs the export operation on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
  key                  Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
    generate rsa       Generates a new RSA Keypair
    <RSA-KEYPAIR-NAME> Specify the RSA Keypair name.
    [2048|4096]        Sets the size of the RSA key in bits. The options are 2048 bits and 4096 bits. The default size is 2048 bits. After specifying the key size, optionally specify the device (access point or controller) to generate the key on.
  on <DEVICE-NAME>     Optional. Generates the new RSA Keypair on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

  key                  Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
    import rsa         Imports an RSA Keypair from a specified source
    <RSA-KEYPAIR-NAME> Specify the RSA Keypair name.
    <IMPORT-FROM-URL>  Specify the RSA Keypair source address. Both IPv4 and IPv6 address formats are supported. After specifying the source address (where the RSA Keypair is imported from), configure one of the following parameters: background or passphrase.
    background         Optional. Performs the import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
    passphrase <KEY-PASSPHRASE>
                       Optional. Decrypts the RSA Keypair after importing
      <KEY-PASSPHRASE> Specify the passphrase to decrypt the RSA Keypair.
      background       Optional. Performs the import operation in the background. After specifying the passphrase, optionally specify the device (access point, controller, or service platform) to perform the import on.
  The following parameter is recursive and common to the background and passphrase keywords:
  on <DEVICE-NAME>     Optional. Performs the import operation on a specific device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}
  key                  Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
    zeroize rsa        Deletes a specified RSA Keypair
    <RSA-KEYPAIR-NAME> Specify the RSA Keypair name.
                       Note: All device certificates associated with this key will also be deleted.
    force              Optional. Forces deletion of all certificates associated with the specified RSA Keypair. Optionally specify a device on which to force certificate deletion.
  The following parameter is recursive and optional:
  on <DEVICE-NAME>     Optional. Deletes all certificates associated with the RSA Keypair on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

crypto pki authenticate <TRUSTPOINT-NAME> <URL> {background} {(on <DEVICE-NAME>)}
  pki                  Enables Public Key Infrastructure (PKI) management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated Certificate Authority (CA) certificates.
    authenticate       Authenticates a trustpoint and imports the corresponding CA certificate
    <TRUSTPOINT-NAME>  Specify the trustpoint name.
    <URL>              Specify the CA's location. Both IPv4 and IPv6 address formats are supported.
                       Note: The CA certificate is imported from the specified location.
    background         Optional. Performs authentication in the background. If selecting this option, you can optionally specify the device (access point, controller, or service platform) to perform the authentication on.
  The following parameter is recursive and optional:
  on <DEVICE-NAME>     Optional. Performs authentication on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

  pki                  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
    export request     Exports a CSR to the CA for a digital identity certificate. The CSR contains the applicant's details and the RSA Keypair's public key.
    [generate-rsa-key|use-rsa-key]
                       Generates a new RSA Keypair or uses an existing RSA Keypair
      generate-rsa-key Generates a new RSA Keypair for digital authentication
      use-rsa-key      Uses an existing RSA Keypair for digital authentication
    <RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
    autogen-subject-name
                       Auto generates the subject name from configuration parameters. The subject name identifies the certificate.
    <EXPORT-TO-URL>    Specify the CA's location. Both IPv4 and IPv6 address formats are supported.
                       Note: The CSR is exported to the specified location.
    email <SEND-TO-EMAIL>
                       Exports the CSR to a specified e-mail address
      <SEND-TO-EMAIL>  Specify the CA's e-mail address.
    fqdn <FQDN>        Exports the CSR to a specified Fully Qualified Domain Name (FQDN)
      <FQDN>           Specify the CA's FQDN.
    ip-address <IP>    Exports the CSR to a specified device or system
      <IP>             Specify the CA's IP address.

crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

  pki                  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
    export request     Exports a CSR to the CA for a digital identity certificate. The CSR contains the applicant's details and the RSA Keypair's public key.
    [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key]
                       Generates a new RSA Keypair or uses an existing RSA Keypair
      generate-rsa-key Generates a new RSA Keypair for digital authentication
      short [generate-rsa-key|use-rsa-key]
                       Generates and exports a shorter version of the CSR
        generate-rsa-key
                       Generates a new RSA Keypair for digital authentication. If generating a new RSA Keypair, specify a name for it.
        use-rsa-key    Uses an existing RSA Keypair for digital authentication. If using an existing RSA Keypair, specify its name.
      use-rsa-key      Uses an existing RSA Keypair for digital authentication
    <RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
    subject-name <COMMON-NAME>
                       Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
      <COMMON-NAME>    Specify the common name used in the requested certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length).
    <COUNTRY>          Sets the deployment country code (2 character ISO code)
    <STATE>            Sets the state name (2 to 64 characters in length)
    <CITY>             Sets the city name (2 to 64 characters in length)
    <ORGANIZATION>     Sets the organization name (2 to 64 characters in length)
    <ORGANIZATION-UNIT>
                       Sets the organization unit (2 to 64 characters in length)
    <EXPORT-TO-URL>    Specify the CA's location. Both IPv4 and IPv6 address formats are supported. The CSR is exported to the specified location.
    email <SEND-TO-EMAIL>
                       Exports the CSR to a specified e-mail address
      <SEND-TO-EMAIL>  Specify the CA's e-mail address.
    fqdn <FQDN>        Exports the CSR to a specified FQDN
      <FQDN>           Specify the CA's FQDN.
    ip-address <IP>    Exports the CSR to a specified device or system
      <IP>             Specify the CA's IP address.

crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
  pki                  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
    export trustpoint  Exports a trustpoint along with its CA certificate, Certificate Revocation List (CRL), server certificate, and private key
    <TRUSTPOINT-NAME>  Specify the trustpoint name (should be authenticated).
    <EXPORT-TO-URL>    Specify the destination address. Both IPv4 and IPv6 address formats are supported. The trustpoint is exported to the address specified here.
    background         Optional. Performs the export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
    passphrase <KEY-PASSPHRASE>
                       Optional. Encrypts the key with a passphrase before exporting. Because the export includes the trustpoint's private key, omitting the passphrase writes that key to the destination unencrypted.
      <KEY-PASSPHRASE> Specify the passphrase to encrypt the trustpoint.
      background       Optional. Performs the export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
  The following parameter is recursive and common to the background and passphrase keywords:
  on <DEVICE-NAME>     Optional. Performs the export operation on a specified device
    <DEVICE-NAME>      Specify the name of the AP, wireless controller, or service platform.

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
  pki                  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
    generate           Generates a certificate and a trustpoint
    self-signed        Generates a self-signed certificate and a trustpoint
    <TRUSTPOINT-NAME>  Specify a name for the certificate and its trustpoint.
    [generate-rsa-key|use-rsa-key]
                       Generates a new RSA Keypair, or uses an existing RSA Keypair
      generate-rsa-key Generates a new RSA Keypair for digital authentication
      use-rsa-key      Uses an existing RSA Keypair for digital authentication
    <RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
    autogen-subject-name
                       Auto generates the subject name from the configuration parameters. The subject name helps to identify the certificate.
    email <SEND-TO-EMAIL>
                       Optional. Exports the self-signed certificate to a specified e-mail address
      <SEND-TO-EMAIL>  Specify the e-mail address.
    fqdn <FQDN>        Optional. Exports the self-signed certificate to a specified FQDN
      <FQDN>           Specify the FQDN.
    ip-address <IP>    Optional. Exports the self-signed certificate to a specified device or system
      <IP>             Specify the device's IP address.
    on <DEVICE-NAME>   Optional. Performs the operation on a specified device
      <DEVICE-NAME>    Specify the name of the AP, wireless controller, or service platform.

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
  pki                  Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
    generate self-signed
                       Generates a self-signed certificate and a trustpoint
    <TRUSTPOINT-NAME>  Specify a name for the certificate and its trustpoint.
    [generate-rsa-key|use-rsa-key]
                       Generates a new RSA Keypair, or uses an existing RSA Keypair
      generate-rsa-key Generates a new RSA Keypair for digital authentication
      use-rsa-key      Uses an existing RSA Keypair for digital authentication
    <RSA-KEYPAIR-NAME> If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
    subject-name <COMMON-NAME>
                       Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
      <COMMON-NAME>    Specify the common name used with this certificate. The name should enable you to identify the certificate easily and must be 2 to 64 characters in length.
    <COUNTRY>          Sets the deployment country code (2 character ISO code)
    <STATE>            Sets the state name (2 to 64 characters in length)
    <CITY>             Sets the city name (2 to 64 characters in length)
    <ORGANIZATION>     Sets the organization name (2 to 64 characters in length)
    <ORGANIZATION-UNIT>
                       Sets the organization unit (2 to 64 characters in length)
    email <SEND-TO-EMAIL>
                       Optional. Exports the self-signed certificate to a specified e-mail address
      <SEND-TO-EMAIL>  Specify the e-mail address.
    fqdn <FQDN>        Optional. Exports the self-signed certificate to a specified FQDN
      <FQDN>           Specify the FQDN.
    ip-address <IP>    Optional. Exports the self-signed certificate to a specified device or system
      <IP>             Specify the device's IP address.
    on <DEVICE-NAME>   Optional. Performs the operation on a specified device
      <DEVICE-NAME>    Specify the name of the AP, wireless controller, or service platform.

crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}
pki import
[certificate|crl]
<TRUSTPOINT-NAME>
Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Imports certificates, Certificate Revocation List (CRL), or a trustpoint to the selected device Imports a signed server certificate or CRL certificate Imports signed server certificate crl Imports CRL
<TRUSTPOINT-NAME> Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL> Specify the signed server certificate or CRL source address. Both IPv4 and IPv6 address formats are supported. The server certificate or the CRL (based on the parameter passed in the preceding step) is imported from the location specified here. Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 30 USER EXEC MODE COMMANDS background on <DEVICE-NAME>
Optional. Performs import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on. The following parameter is recursive and optional:
on <DEVICE-NAME> Optional. Performs import operation on a specified device
<DEVICE-NAME> Specify the name of the AP, wireless controller, or service plat-
form. crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL>
  {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
pki import trustpoint
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Imports certificates, a CRL, or a trustpoint to the selected device. Imports a trustpoint and its associated CA certificate, server certificate, and private key.
<TRUSTPOINT-NAME>
    Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL>
    Specify the trustpoint source address. Both IPv4 and IPv6 address formats are supported.
background
    Optional. Performs the import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE> {background}
    Optional. Decrypts the trustpoint with a passphrase after importing.
    <KEY-PASSPHRASE>  Specify the passphrase. After specifying the passphrase, optionally specify the device to perform the import on.
    background  Optional. Performs the import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on.
on <DEVICE-NAME>
    The following parameter is recursive and optional:
    on <DEVICE-NAME>  Optional. Performs the import operation on a specified device.
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}
pki zeroize trustpoint
    Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates. Deletes a trustpoint and its associated CA certificate, server certificate, and private key.
<TRUSTPOINT-NAME>
    Specify the trustpoint name (should be authenticated).
del-key
    Optional. Deletes the private key associated with the server certificate. Optionally specify the device to perform the deletion on.
on <DEVICE-NAME>
    The following parameter is recursive and optional:
    on <DEVICE-NAME>  Optional. Deletes the trustpoint on a specified device.
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
Usage Guidelines
The system supports both IPv4 and IPv6 address formats. Provide source and destination locations using any one of the following options:
IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file
IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
http://<hostname|[IPv6]>[:port]/path/file
Example
rfs6000-81742D>crypto key generate rsa key 1025
RSA Keypair successfully generated
rfs6000-81742D>

rfs6000-81742D>crypto key import rsa test123 url passphrase word background
RSA key import operation is started in background
rfs6000-81742D>

rfs6000-81742DE>crypto pki generate self-signed word generate-rsa-key word autogen-subject-name fqdn word
Successfully generated self-signed certificate
rfs6000-81742D>

rfs6000-81742D>crypto pki zeroize trustpoint word del-key
Successfully removed the trustpoint and associated certificates
%Warning: Applications associated with the trustpoint will start using default-trustpoint
rfs6000-81742D>

rfs6000-81742D>crypto pki authenticate word url background
Import of CA certificate started in background
rfs6000-81742D>

rfs6000-81742D>crypto pki import trustpoint word url passphrase word
Import operation started in background
rfs6000-81742D>
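The URL grammar in the Usage Guidelines above is the same one the database keyfile, database-backup and database-restore commands later in this section accept. As an added example (not part of the guide), the following Python parses that grammar and returns the findings a reviewer of a change window would raise: cleartext transports (tftp, ftp, http) and credentials embedded in the URL, with a separate finding when the payload is secret material such as a trustpoint import (which carries the private key) or a database keyfile. The function names and the sample addresses other than the guide's own 1.1.1.111 are my own.

```python
"""Parse the transfer-URL forms listed in the WiNG CLI guide and rate them.

Added example, not part of the guide. Grammar covered (from the Usage
Guidelines): tftp|ftp|sftp|http://[<user>[:<passwd>]@]<host|[IPv6]>[:port]/path
and the local forms cf:/path and usb<n>:/path. Function names are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Remote schemes the guide accepts, mapped to whether the transport encrypts
# the payload in transit. Only sftp does; tftp, ftp and http move bytes in clear.
REMOTE_SCHEMES = {"tftp": False, "ftp": False, "http": False, "sftp": True}

_REMOTE_RE = re.compile(
    r"^(?P<scheme>tftp|ftp|sftp|http)://"
    r"(?:(?P<user>[^:@/\[\]]+)(?::(?P<passwd>[^@/]*))?@)?"   # optional user[:passwd]@
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/\[\]@]+)"              # hostname, IPv4, or [IPv6]
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/.*)$"
)
_LOCAL_RE = re.compile(r"^(?:cf|usb(?P<slot>\d+)):(?P<path>/.*)$")


@dataclass
class TransferURL:
    scheme: str                 # tftp, ftp, sftp, http, cf or usb
    path: str
    host: Optional[str] = None  # None for the local cf:/ and usb<n>:/ forms
    port: Optional[int] = None
    user: Optional[str] = None
    passwd: Optional[str] = None
    usb_slot: Optional[int] = None

    @property
    def is_local(self) -> bool:
        return self.host is None

    @property
    def encrypted_in_transit(self) -> bool:
        # Local media never leave the device; otherwise defer to the scheme table.
        return self.is_local or REMOTE_SCHEMES[self.scheme]


def parse_transfer_url(url: str) -> TransferURL:
    """Split a guide-style transfer URL into its parts; raise ValueError otherwise."""
    m = _LOCAL_RE.match(url)
    if m:
        slot = m.group("slot")
        return TransferURL(scheme="usb" if slot is not None else "cf",
                           path=m.group("path"),
                           usb_slot=int(slot) if slot is not None else None)
    m = _REMOTE_RE.match(url)
    if not m:
        raise ValueError("not a WiNG transfer URL: %r" % url)
    host = m.group("host")
    if host.startswith("["):            # bracketed IPv6 literal: keep the address only
        host = host[1:-1]
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port <= 65535:
        raise ValueError("port out of range in %r" % url)
    return TransferURL(scheme=m.group("scheme"), path=m.group("path"), host=host,
                       port=port, user=m.group("user"), passwd=m.group("passwd"))


def transfer_findings(url: str, carries_secret: bool = False) -> List[str]:
    """Return review findings for moving a file via this URL, in a fixed order.

    carries_secret is True for material whose disclosure defeats authentication:
    a trustpoint import (bundles the private key) or a database keyfile.
    """
    u = parse_transfer_url(url)
    findings: List[str] = []
    if u.is_local:
        return findings                  # cf:/ and usb<n>:/ never cross the network
    if u.passwd is not None:
        # The password sits in the command line: CLI history, logs, shoulder view.
        findings.append("credentials-in-url")
    if not u.encrypted_in_transit:
        findings.append("cleartext-transport")
        if carries_secret:
            findings.append("secret-over-cleartext")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, modelled on the forms in the guide's examples.
    for sample, secret in [("ftp://1.1.1.111/db-key", True),            # keyfile export
                           ("sftp://backup@10.0.0.5/keys/db-key", True),
                           ("tftp://[2001:db8::10]/images/ap.img", False)]:
        print(sample, "->", transfer_findings(sample, secret) or ["ok"])
```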
Related Commands
no    Removes server certificates, trustpoints and their associated certificates

2.1.9 crypto-cmp-cert-update
Triggers a Certificate Management Protocol (CMP) certificate update on a specified device or devices.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}
Parameters
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}
crypto-cmp-cert-update
    Triggers a CMP certificate update on a specified device or devices.
<TRUSTPOINT-NAME>
    Specify the target trustpoint name. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. Use the crypto-cmp-policy context mode to configure the trustpoint.
on <DEVICE-NAME>
    Optional. Initiates a CMP certificate update and response on a specified device or devices. Specify the name of the AP, wireless controller, or service platform. Multiple devices can be provided as a comma separated list.
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
Example
rfs4000-229D58>crypto-cmp-cert-update test on B4-C7-99-71-17-28
CMP Cert update success
rfs4000-229D58>
2.1.10 database
Enables automatic repairing (vacuuming) and dropping of captive-portal and NSight databases.
If enforcing authenticated access to the database, use this command to generate the keyfile. Every keyfile has a set of associated users, each having a username and password. Access to the database is allowed only if the user credentials entered during database login are valid. For more information on enabling database authentication, see Enabling Database Authentication.
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
database [drop|keyfile|repair]
database drop [all|captive-portal|nsight]
database repair {on <DEVICE-NAME>}
database keyfile [export|generate|import|zeroize]
database keyfile generate
database keyfile [export|import] <URL>
database keyfile zeroize
Parameters
database drop [all|captive-portal|nsight]
database drop [all|captive-portal|nsight]
    Drops (deletes) all or a specified database. Execute the command on the database host.
    all             Drops all databases, captive portal and NSight
    captive-portal  Drops the captive-portal database
    nsight          Drops the NSight database
database repair {on <DEVICE-NAME>}
database repair
    Enables automatic repairing of all databases. Repairing (vacuuming) a database refers to the process of finding and reclaiming space left over from previous DELETE statements. Execute the command on the database host.
on <DEVICE-NAME>
    Optional. Specifies the name of the database host. When specified, databases on the specified host are periodically checked to identify and remove obsolete data documents.
    <DEVICE-NAME>  Specify the name of the access point, wireless controller, or service platform.
    Note: If no device is specified, the system repairs all databases.
database keyfile generate
database keyfile [generate|zeroize]
    Enables database keyfile management. This command is part of a set of configurations required to enforce database authentication. Use this command to generate database keyfiles. After generating the keyfile, create the username and password combination required to access the database. For information on creating database users, see service. For information on enabling database authentication, see Enabling Database Authentication.
    generate  Generates the keyfile. In case of a replica-set deployment, execute the command on the primary database host. Once generated, export the keyfile to a specified location from where it is imported on to the replica-set hosts.
database keyfile [export|import] <URL>
database keyfile [export|import]
    Enables database keyfile management. This command is part of a set of configurations required to enforce database authentication. Use this command to exchange keyfiles between replica set members.
    export  Exports the keyfile to a specified location on an FTP/SFTP/TFTP server. Execute the command on the database host on which the keyfile has been generated.
    import  Imports the keyfile from a specified location. Execute the command on the replica set members.
    The following parameter is common to both of the above keywords:
<URL>
    Specify the location to/from where the keyfile is to be exported/imported. Use one of the following options to specify the keyfile location:
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    tftp://<hostname|IP>[:port]/path/file
database keyfile zeroize
database keyfile zeroize
    Enables database keyfile management. Use this command to delete keyfiles.
    zeroize  Deletes an existing keyfile.
Example
nx9500-6C8809>database repair on nx9500-6C8809
nx9500-6C8809>

nx9500-6C8809>database keyfile generate
Database keyfile successfully generated
nx9500-6C8809>

nx9500-6C8809>database keyfile zeroize
Database keyfile successfully removed
nx9500-6C8809>

vx9000-1A1809>database keyfile generate
Database keyfile successfully generated
vx9000-1A1809>

vx9000-1A1809>database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
vx9000-1A1809>

vx9000-D031F2>database keyfile import ftp://1.1.1.111/db-key
Database keyfile successfully imported
vx9000-D031F2>

Example: Enabling Database Authentication
Follow the steps below to enable database authentication.
1 On the primary database host,
  a Generate the database keyfile.
    Primary-DB-HOST>database keyfile generate
    Database keyfile successfully generated
    Primary-DB-HOST>
  b Use the show > database > keyfile command to view the generated keyfile.
  c Export the keyfile to an external location. This is required only in case of a database replica-set deployment.
    Primary-DB-HOST>database keyfile export ftp://1.1.1.111/db-key
    Database keyfile successfully exported
    Primary-DB-HOST>
  d Create the users that are allowed access to the database.
    Primary-DB-HOST#service database authentication create-user username techpubs password techPubs@123
    Database user [techpubs] created.
    Primary-DB-HOST#
  e View the database user account created.
    Primary-DB-HOST#show database users
    --------------------------------
    DATABASE USER
    --------------------------------
    techpubs
    --------------------------------
    Primary-DB-HOST#
2 On the replica set host, import the keyfile from the location specified in Step 1 c.
    Secondary-DB-HOST#database keyfile import ftp://1.1.1.111/db-key
3 In the database-policy context (used on the NSight/EGuest database hosts),
  a Enable authentication.
    Primary-DB-HOST(config-database-policy-techpubs)#authentication
  b Configure the user accounts created in Step 1 d.
    Primary-DB-HOST(config-database-policy-techpubs)#authentication username techpubs password S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
    Primary-DB-HOST(config-database-policy-techpubs)#show context
    database-policy techpubs
     authentication
     authentication username techpubs password 2 S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
     replica-set member nx7500-A02B91 arbiter
     replica-set member vx9000-1A1809 priority 1
     replica-set member vx9000-D031F2 priority 20
    Primary-DB-HOST(config-database-policy-techpubs)#
4 In the database-client-policy context (used on the NSight/EGuest server host). Note: this configuration is required only if the NSight/EGuest server and database are hosted on separate hosts.
  a Configure the user credentials created in Step 1 d.
    NOC-Controller(config-database-client-policy-techpubs)#authentication username techpubs password S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
  b View the configuration.
    NOC-Controller(config-database-client-policy-techpubs)#show context
    database-client-policy techpubs
     authentication username techpubs password 2 S540QFZz9LzSOdX1ZJEqDgAAAAy3b7GtyO4Z/Ih2ruxnOYnr
    NOC-Controller(config-database-client-policy-techpubs)#
Related Commands
database-backup         Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server
database-restore        Restores a previously exported database [captive-portal and/or NSight]
database-policy         Documents database-policy configuration commands. Use this option to enable the database.
database-client-policy  Documents database-client-policy configuration commands. Use this option to configure the database host details (IP address or hostname). If enforcing database authentication, use it to configure the users having database access. Once configured, use the policy in the NSight/EGuest server's device config context.
service                 Documents the database user account configuration details

2.1.11 database-backup
Backs up captive-portal and/or NSight database to a specified location and file on an FTP, SFTP, or TFTP server. Execute this command on the database host.
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
database-backup database [captive-portal|nsight|nsight-placement-info] <URL>
database-backup database [captive-portal|nsight] <URL>
database-backup database nsight-placement-info <URL>
Parameters
database-backup database [captive-portal|nsight] <URL>
database-backup database [captive-portal|nsight]
    Backs up the captive portal and/or NSight database to a specified location. Select the database to back up:
    captive-portal  Backs up the captive portal database
    nsight          Backs up the NSight database
    After specifying the database type, configure the destination location.
<URL>
    Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
database-backup database nsight-placement-info <URL>
database-backup database nsight-placement-info
    Backs up the NSight access point placement related details to a specified location.
<URL>
    Specify the URL in one of the following formats:
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    tftp://<hostname|IP>[:port]/path/file.tar.gz
Example
NS-DB-nx9510-6C87EF>database-backup database nsight tftp://192.168.9.50/testbckup
NS-DB-nx9510-6C87EF>show database backup-status
Last Database Backup Status : In_Progress(Starting tftp transfer.)
Last Database Backup Time : 2017-04-17 12:48:05
NS-DB-nx9510-6C87EF>show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time : Mon Apr 17 12:48:08 IST 2017
NS-DB-nx9510-6C87EF>Apr 17 12:48:17 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight successful
NS-DB-nx9510-6C87EF#

NS-DB-nx9510-6C87EF>database-backup database nsight-placement-info tftp://192.168.9.50/plmentinfo
NS-DB-nx9510-6C87EF>show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time : Mon Apr 17 12:48:48 IST 2017
NS-DB-nx9510-6C87EF>Apr 17 12:49:03 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight-placement-info successful
NS-DB-nx9510-6C87EF>
Related Commands
database          Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and/or NSight)
database-restore  Restores a previously exported (backed up) database (captive-portal and/or NSight)
2.1.12 database-restore
Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored from the backed-up location to the original database.
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
database-restore database [captive-portal|nsight] <URL>
Parameters
database-restore database [captive-portal|nsight] <URL>
database-restore database [captive-portal|nsight]
    Restores a previously exported (backed up) captive-portal and/or NSight database. Specify the database type:
    captive-portal  Restores the captive portal database
    nsight          Restores the NSight database
    After specifying the database type, configure the location and file name from where the files are restored.
<URL>
    Configures the backup location. The database is restored from the specified location. Specify the location URL in one of the following formats:
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
    tftp://<hostname|IP>[:port]/path/file.tar.gz
Example
nx9500-6C8809>database-restore database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz
Related Commands
database         Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight)
database-backup  Backs up captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server

2.1.13 device-upgrade
Enables firmware upgrade on an adopted device or a set of adopted devices (access points, wireless controllers, and service platforms). In a hierarchically managed (HM) network, this command enables centralized device upgrades across the network. The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and the site controllers constitute the second tier of the hierarchy. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy.
NOTE: Hierarchical management allows the NOC controller to upgrade controllers and access points that are directly or indirectly adopted to it. However, ensure that the NOC controller is loaded with the correct firmware version.
Use the device-upgrade command to schedule firmware upgrades across adopted devices within the network. Devices are upgraded based on their device names, MAC addresses, or RF Domain.
NOTE: If the persist-images option is selected, the RF Domain manager retains the old firmware image, or else deletes it. For more information on enabling device upgrade on profiles and devices (including the persist-images option), see device-upgrade.
NOTE: A NOC controller's capacity is equal to, or higher than, that of a site controller. The following devices can be deployed at NOC and sites:
NOC controller: NX95XX (NX9500 and NX9510), NX9600, VX9000
Site controller: RFS4000, RFS6000, NX5500, or NX95XX
NOTE: Standalone devices have to be manually upgraded.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
device-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|
  ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
  nx5500|nx75xx|nx9000|nx9600|vx9000|cancel-upgrade|load-image|rf-domain]
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
  {no-reboot|reboot-time <TIME>}}
device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME>
  {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|
  ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|
  nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME>
  {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|
  ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|
  ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]
device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|
  ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
  nx5500|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}
device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>]
  [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|
  ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|
  nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|no-reboot|reboot-time <TIME>|
  staggered-reboot|upgrade-time <TIME>)}
Parameters
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME>
  {no-reboot|reboot-time <TIME>}}
<MAC/HOSTNAME>
    Upgrades firmware on the device identified by the <MAC/HOSTNAME> keyword.
    <MAC/HOSTNAME>  Specify the device's MAC address or hostname.
no-reboot
    Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
reboot-time <TIME>
    Optional. Schedules an automatic reboot after a successful upgrade.
    <TIME>  Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
    Optional. Schedules an automatic device firmware upgrade on a specified day and time.
    <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
    no-reboot           Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
    reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME>
  {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
all
    Upgrades firmware on all devices.
force
    Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot
    Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
reboot-time <TIME>
    Optional. Schedules an automatic reboot after a successful upgrade.
    <TIME>  Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
    Optional. Schedules an automatic device firmware upgrade on all devices on a specified day and time.
    <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
    no-reboot           Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
    reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
staggered-reboot
    This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time) without network impact.
device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|
  ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
  nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|
  upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade <DEVICE-TYPE> all
    Upgrades firmware on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000. After selecting the device type, schedule an automatic upgrade and/or an automatic reboot.
force
    Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
no-reboot
    Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
reboot-time <TIME>
    Optional. Schedules an automatic reboot after a successful upgrade.
    <TIME>  Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
    Optional. Schedules an automatic firmware upgrade on all devices of the specified type on a specified day and time.
    <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. The following actions can be performed after a scheduled upgrade:
    no-reboot           Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
    reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
staggered-reboot
    This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time) without network impact.
device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|
  ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|
  ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|
  on rf-domain [<RF-DOMAIN-NAME>|all]]
cancel-upgrade
    Cancels a scheduled firmware upgrade based on the parameters passed. This command provides the following options to cancel scheduled firmware upgrades:
    Cancels upgrade on specific device(s). The devices are identified by their MAC addresses or hostnames.
    Cancels upgrade on all devices within the network.
    Cancels upgrade on all devices of a specific type. Specify the device type.
    Cancels upgrade on specific device(s) or all device(s) within a specific RF Domain or all RF Domains. Specify the RF Domain name.
cancel-upgrade [<MAC/HOSTNAME>|all]
    Cancels a scheduled firmware upgrade on a specified device or on all devices.
    <MAC/HOSTNAME>  Cancels a scheduled upgrade on the device identified by the <MAC/HOSTNAME> keyword. Specify the device's MAC address or hostname.
    all             Cancels the scheduled upgrade on all devices.
cancel-upgrade <DEVICE-TYPE> all
    Cancels the scheduled firmware upgrade on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
cancel-upgrade on rf-domain [<RF-DOMAIN-NAME>|all]
    Cancels the scheduled firmware upgrade on all devices in a specified RF Domain or all RF Domains.
    <RF-DOMAIN-NAME>  Cancels the scheduled device upgrade on all devices in a specified RF Domain. Specify the RF Domain name.
    all               Cancels the scheduled device upgrade on all devices across all RF Domains.
device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|
ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|
rfs4000|rfs6000|nx500|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-
NAME>}
load-image <DEVICE-TYPE> <IMAGE-URL>
  Loads a device firmware image from a specified location. Use this command to specify the device type and the location of the corresponding image file.
  <DEVICE-TYPE>  Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
  <IMAGE-URL>    After specifying the device type, provide the location of the device firmware image in one of the following formats:
    IPv4 URLs:
      tftp://<hostname|IP>[:port]/path/file
      ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      http://<hostname|IP>[:port]/path/file
      cf:/path/file
      usb<n>:/path/file
Access Point, Wireless Controller and Service Platform CLI Reference Guide 2 - 44 USER EXEC MODE COMMANDS
    IPv6 URLs:
      tftp://<hostname|[IPv6]>[:port]/path/file
      ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
      sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
      http://<hostname|[IPv6]>[:port]/path/file

load-image <DEVICE-TYPE> on <DEVICE-OR-DOMAIN-NAME>
  Loads the image of the specified device type from the device named here rather than from a URL. For an RF Domain, the image available on the RF Domain manager is loaded.
  <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.

device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}

rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>]
  Upgrades firmware on devices in a specified RF Domain or in all RF Domains. Devices within an RF Domain are upgraded through the RF Domain manager.
  <RF-DOMAIN-NAME>        Upgrades the devices in the named RF Domain. Specify the RF Domain name.
  all                     Upgrades devices across all RF Domains.
  containing <WORD>       Filters RF Domains by name. RF Domains whose names contain the sub-string <WORD> are selected, and the devices in those RF Domains are upgraded.
  filter location <WORD>  Filters devices by location. All devices whose location matches <WORD> are upgraded.

<DEVICE-TYPE>
  After specifying the RF Domain, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000. After specifying the RF Domain and the device type, configure one of the following actions: force the devices to upgrade, or initiate the upgrade through the adopting controller.

<MAC/HOSTNAME>
  Optional. Identifies specific devices to upgrade. Specify the device's MAC address or hostname. The device must be within the specified RF Domain and of the specified device type. After identifying the devices, configure one of the following actions: force the devices to upgrade, or initiate the upgrade through the adopting controller.
  Note: If no MAC address or hostname is specified, all devices of the selected type are upgraded.

force
  Optional. Forces the upgrade of the selected device(s). The devices are upgraded even if they already run the same firmware version as the upgrading access point, wireless controller, or service platform. When forcing an upgrade, optionally specify one of the following: no-reboot, reboot-time, or upgrade-time.

from-controller
  Optional. Upgrades the device through its adopting controller rather than through the RF Domain manager. When upgrading through the adopting controller, optionally specify one of the following: no-reboot, reboot-time, or upgrade-time.

no-reboot {staggered-reboot}
  Optional. Disables the automatic reboot after a successful upgrade (the device must be restarted manually).

reboot-time <TIME> {staggered-reboot}
  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.

staggered-reboot
  Optional. Reboots the upgraded devices one at a time, to limit network impact. This keyword is common to all of the options above.

upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
  Optional. Schedules an automatic firmware upgrade.
  <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format. For a scheduled upgrade, the following can also be configured:
  no-reboot           Optional. Disables the automatic reboot after a successful upgrade (the device must be restarted manually).
  reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.

Example
nx9500-6C8809>show adoption status
--------------------------------------------------------------------------------------------------------
DEVICE-NAME      VERSION        CFG-STAT    MSGS  ADOPTED-BY      LAST-ADOPTION      UPTIME
--------------------------------------------------------------------------------------------------------
rfs6000-81742D   5.9.1.0-012D   configured  No    nx9500-6C8809   2 days 12:23:52    13 days 22:32:38
t5-ED7C6C        5.4.2.0-010R   configured  No    nx9500-6C8809   13 days 22:47:46   16 days 22:33:25
--------------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809>
nx9500-6C8809>show device-upgrade versions
--------------------------------------------------------------------------------
CONTROLLER       DEVICE-TYPE   VERSION
--------------------------------------------------------------------------------
nx9500-6C8809    ap621         5.9.0.0-014D
nx9500-6C8809    ap622         5.9.1.0-012D
nx9500-6C8809    ap650         5.9.1.0-012D
nx9500-6C8809    ap6511        none
nx9500-6C8809    ap6521        5.9.0.0-014D
nx9500-6C8809    ap6522        5.9.1.0-012D
nx9500-6C8809    ap6532        5.9.1.0-012D
nx9500-6C8809    ap6562        5.9.1.0-012D
nx9500-6C8809    ap71xx        5.9.1.0-012D
nx9500-6C8809    ap7502        5.9.1.0-012D
nx9500-6C8809    ap7522        5.9.1.0-012D
nx9500-6C8809    ap7532        5.9.1.0-012D
nx9500-6C8809    ap7562        5.9.1.0-012D
nx9500-6C8809    ap7602        5.9.1.0-012D
nx9500-6C8809    ap7612        5.9.1.0-012D
nx9500-6C8809    ap7622        5.9.1.0-012D
nx9500-6C8809    ap7632        5.9.1.0-012D
nx9500-6C8809    ap7662        5.9.1.0-012D
nx9500-6C8809    ap81xx        5.9.1.0-012D
nx9500-6C8809    ap82xx        5.9.1.0-012D
nx9500-6C8809    ap8432        5.9.1.0-012D
nx9500-6C8809    ap8533        5.9.1.0-012D
nx9500-6C8809    nx45xx        none
nx9500-6C8809    nx5500        none
nx9500-6C8809    nx65xx        none
nx9500-6C8809    nx75xx        none
nx9500-6C8809    nx9000        none
nx9500-6C8809    rfs4000       5.9.1.0-012D
nx9500-6C8809    rfs6000       5.9.1.0-012D
nx9500-6C8809    rfs7000       5.9.0.0-010D
nx9500-6C8809    vx9000        none
--------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W591/RFS6000-LEAN-5.9.1.0-015D.img
--------------------------------------------------------------------------------
CONTROLLER          STATUS    MESSAGE
--------------------------------------------------------------------------------
nx9500-6C8809       Success   Successfully initiated load image
--------------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show device-upgrade load-image-status
Download of rfs6000 firmware file is complete
nx9500-6C8809#
nx9500-6C8809>show device-upgrade versions
--------------------------------------------------------------------------------
CONTROLLER       DEVICE-TYPE   VERSION
--------------------------------------------------------------------------------
nx9500-6C8809    ap621         5.9.0.0-014D
nx9500-6C8809    ap622         5.9.1.0-012D
nx9500-6C8809    ap650         5.9.1.0-012D
nx9500-6C8809    ap6511        none
nx9500-6C8809    ap6521        5.9.0.0-014D
nx9500-6C8809    ap6522        5.9.1.0-012D
nx9500-6C8809    ap6532        5.9.1.0-012D
nx9500-6C8809    ap6562        5.9.1.0-012D
nx9500-6C8809    ap71xx        5.9.1.0-012D
nx9500-6C8809    ap7502        5.9.1.0-012D
nx9500-6C8809    ap7522        5.9.1.0-012D
nx9500-6C8809    ap7532        5.9.1.0-012D
nx9500-6C8809    ap7562        5.9.1.0-012D
nx9500-6C8809    ap7602        5.9.1.0-012D
nx9500-6C8809    ap7612        5.9.1.0-012D
nx9500-6C8809    ap7622        5.9.1.0-012D
nx9500-6C8809    ap7632        5.9.1.0-012D
nx9500-6C8809    ap7662        5.9.1.0-012D
nx9500-6C8809    ap81xx        5.9.1.0-012D
nx9500-6C8809    ap82xx        5.9.1.0-012D
nx9500-6C8809    ap8432        5.9.1.0-012D
nx9500-6C8809    ap8533        5.9.1.0-012D
nx9500-6C8809    nx45xx        none
nx9500-6C8809    nx5500        none
nx9500-6C8809    nx65xx        none
nx9500-6C8809    nx75xx        none
nx9500-6C8809    nx9000        none
nx9500-6C8809    rfs4000       5.9.1.0-012D
nx9500-6C8809    rfs6000       5.9.1.0-015D
nx9500-6C8809    rfs7000       5.9.0.0-010D
nx9500-6C8809    vx9000        none
--------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809>device-upgrade rfs6000-81742D
--------------------------------------------------------------------------------
CONTROLLER          STATUS    MESSAGE
--------------------------------------------------------------------------------
B4-C7-99-6C-88-09   Success   Queued 1 devices to upgrade
--------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809>show device-upgrade status
Number of devices currently being upgraded        : 1
Number of devices waiting in queue to be upgraded : 0
Number of devices currently being rebooted        : 0
Number of devices waiting in queue to be rebooted : 0
Number of devices failed upgrade                  : 0
--------------------------------------------------------------------------------------------------------------
DEVICE           STATE        UPGRADE TIME  REBOOT TIME  PROGRESS  RETRIES  LAST UPDATE ERROR  UPGRADED BY
--------------------------------------------------------------------------------------------------------------
rfs6000-81742D   downloading  immediate     immediate    17        0        -                  nx9500-6C8809
--------------------------------------------------------------------------------------------------------------
nx9500-6C8809>
nx9500-6C8809>show adoption status
-----------------------------------------------------------------------------------------------------------
DEVICE-NAME      VERSION        CFG-STAT          MSGS  ADOPTED-BY      LAST-ADOPTION      UPTIME
-----------------------------------------------------------------------------------------------------------
rfs6000-81742D   5.9.1.0-015D   version-mismatch  No    nx9500-6C8809   0 days 00:00:42    0 days 00:03:33
t5-ED7C6C        5.4.2.0-010R   configured        No    nx9500-6C8809   13 days 23:09:38   16 days 22:55:17
-----------------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809>
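The image-location formats accepted by device-upgrade load-image (and the identical list accepted by file-sync load-file below) include transports that give the controller no way to authenticate the server it downloads from, and two forms that carry an account password on the command line. The following Python script is an added example, not code from this guide or from Extreme Networks: it parses a location string against the grammar listed above and reports the points a security engineer would review before running the command. The ftp URL is the one from the example above; the sftp and cf: inputs, including their host, account name and paths, are constructed for the example.

```python
"""Review a WiNG image/certificate location string before using it on a controller.

Added example, not part of the CLI Reference Guide. It reproduces the location
forms the guide lists (tftp, ftp, sftp, http, cf:, usb<n>:) and flags cleartext
transports and embedded credentials.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Remote forms: scheme://[user:passwd@]host[:port]/path/file
# host is a hostname, a dotted IPv4 address, or a bracketed IPv6 address.
_REMOTE = re.compile(
    r"^(?P<scheme>tftp|ftp|sftp|http)://"
    r"(?:(?P<user>[^:@/]+):(?P<passwd>[^@/]*)@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^:/\[\]]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/.*)$"
)
# Local forms: the controller's compact flash or a numbered USB device.
_LOCAL = re.compile(r"^(?P<scheme>cf|usb\d+):(?P<path>/.*)$")

# Transports that move the file in cleartext and do not authenticate the server.
CLEARTEXT = {"tftp", "ftp", "http"}


@dataclass
class Location:
    scheme: str
    path: str
    host: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    passwd: Optional[str] = None
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings


def parse_location(url: str) -> Location:
    """Parse one location string; raise ValueError if it matches no listed form."""
    m = _LOCAL.match(url)
    if m:
        return Location(scheme=m["scheme"], path=m["path"])
    m = _REMOTE.match(url)
    if not m:
        raise ValueError(f"not a location form listed in the guide: {url!r}")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    loc = Location(scheme=m["scheme"], path=m["path"], host=m["host"], port=port,
                   user=m["user"], passwd=m["passwd"])
    if m["user"] is not None and loc.scheme not in ("ftp", "sftp"):
        # The guide lists user:passwd only for the ftp and sftp forms.
        raise ValueError(f"{loc.scheme} form does not take user:passwd")
    return loc


def review_location(url: str) -> Location:
    """Parse a location and attach the points to raise before using it."""
    loc = parse_location(url)
    if loc.scheme in CLEARTEXT:
        loc.findings.append(
            f"{loc.scheme}: image travels in cleartext and the server is not "
            "authenticated; verify the image checksum out of band or use sftp")
    if loc.passwd:
        loc.findings.append(
            "password is embedded in the command line and will appear in CLI "
            "history and session captures; use a dedicated, least-privilege "
            "download account")
    return loc


if __name__ == "__main__":
    # First input is the guide's own example; the others are constructed
    # (host, account and paths are illustrative, not real servers).
    for u in ("ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W591/RFS6000-LEAN-5.9.1.0-015D.img",
              "sftp://upgrader:s3cret@[2001:db8::10]:2222/images/ap7532.img",
              "cf:/images/ap7532.img"):
        loc = review_location(u)
        print(u, "->", "OK" if loc.ok else "; ".join(loc.findings))
```

Run it over the URL before pasting a load-image or load-file command into a controller. The same checks apply to the URL argument of file-sync load-file, where the payload is a trustpoint containing a private key rather than a firmware image.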
2.1.14 disable
This command can be executed in the Priv Exec Mode only. When executed, the command turns off (disables) the privileged mode command set and returns to the User Exec Mode. The prompt changes from rfs6000-81742D# to rfs6000-81742D>.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
disable
Parameters
None
Example
rfs6000-81742D#disable
rfs6000-81742D>

2.1.15 enable
Turns on (enables) the privileged mode command set. The prompt changes from rfs6000-81742D> to rfs6000-81742D#. This command has no effect in the Privileged Exec mode.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
enable
Parameters
None
Example
rfs6000-81742D>enable
rfs6000-81742D#
2.1.16 file-sync
Syncs a trustpoint and/or an EAP-TLS X.509 (PKCS#12) certificate between the staging controller and its adopted access points. When enabling file syncing, consider the following points:
  The X.509 certificate needs synchronization only if the access point is configured to use EAP-TLS authentication.
  Execute the command on the controller adopting the access points.
  Ensure that the X.509 certificate file is installed on the controller.
  A synced trustpoint carries the private key along with the certificates, so every access point it is synced to holds a copy of that key. Sync it only to the access points that need it.
  Syncing of the trustpoint/wireless-bridge certificate can be automated. To automate file syncing, in the controller's device/profile configuration mode, execute the following command: file-sync [auto|count <1-20>]. For more information, see file-sync.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
file-sync [cancel|load-file|trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
file-sync load-file [trustpoint|wireless-bridge]
file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>
file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}
Parameters

file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
  Cancels a scheduled file synchronization.
  trustpoint       Cancels the scheduled trustpoint synchronization on a specified AP, on all APs, or on the APs within a specified RF Domain.
  wireless-bridge  Cancels the scheduled wireless-bridge certificate synchronization on a specified AP, on all APs, or on the APs within a specified RF Domain.
  <DEVICE-NAME>    Cancels the scheduled trustpoint/certificate synchronization on a specified AP. Specify the AP's hostname or MAC address.
  all              Cancels the scheduled trustpoint/certificate synchronization on all APs.
  rf-domain [<DOMAIN-NAME>|all]  Cancels the scheduled trustpoint/certificate synchronization on all APs in a specified RF Domain or in all RF Domains.
    <DOMAIN-NAME>  Cancels the scheduled trustpoint/certificate synchronization on all APs within the named RF Domain. Specify the RF Domain's name.
    all            Cancels the scheduled trustpoint/certificate synchronization on all RF Domains.

file-sync load-file [trustpoint|wireless-bridge] <URL>
  Loads the following files on to the staging controller:
  trustpoint       Loads the trustpoint, including the CA certificate, server certificate and private key.
  wireless-bridge  Loads the wireless-bridge certificate to the staging controller.
  Use this command to load the certificate to the controller before scheduling or initiating a certificate synchronization.
  <URL>  Provide the trustpoint/certificate location in one of the following formats:
    tftp://<hostname|IP>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    http://<hostname|IP>[:port]/path/file
    cf:/path/file
    usb<n>:/path/file
    Note: Both IPv4 and IPv6 address types are supported.

file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}
  Configures file-syncing parameters.
  trustpoint <TRUSTPOINT-NAME>  Syncs a specified trustpoint between the controller and its adopted APs.
    <TRUSTPOINT-NAME>  Specify the trustpoint name.
  wireless-bridge  Syncs the wireless-bridge certificate between the controller and its adopted APs.
  After specifying the file to be synced, configure the following file-sync parameters:
  <DEVICE-NAME>  Syncs the trustpoint/certificate with a specified AP. Specify the AP's hostname or MAC address.
  all            Syncs the trustpoint/certificate with all APs.
  rf-domain [<DOMAIN-NAME>|all]  Syncs the trustpoint/certificate with all APs in a specified RF Domain or in all RF Domains.
    <DOMAIN-NAME>    Syncs with the APs within the named RF Domain. Specify the RF Domain's name.
    all              Syncs with the APs across all RF Domains.
    from-controller  Optional. Loads the certificate to the APs from the adopting controller rather than from the RF Domain manager.
  After specifying the access points, optionally specify the following. Both keywords are recursive and apply to all of the parameters above:
  reset-radio         Optional. Resets the radio after file synchronization. Reset the radio when the certificate is renewed without any change to the bridge EAP username and bridge EAP password.
  upload-time <TIME>  Optional. Schedules the certificate upload at a specified time.
    <TIME>  Specify the time in the MM/DD/YYYY-HH:MM or HH:MM format. If no time is configured, the process is initiated as soon as the command is executed.

Example
rfs6000-81742D>file-sync wireless-bridge ap7131-11E6C4 upload-time 06/01/2017-12:30
--------------------------------------------------------------------------------
CONTROLLER          STATUS    MESSAGE
--------------------------------------------------------------------------------
B4-C7-99-6D-CD-4B   Success   Queued 1 APs to upload
--------------------------------------------------------------------------------
rfs6000-81742D>
The following command uploads the certificate to all access points:
rfs6000-81742D>file-sync wireless-bridge all upload-time 06/01/2017-23:42

2.1.17 join-cluster
Adds a device (access point, wireless controller, or service platform), as a member, to an existing cluster of devices. Assign a static IP address to the device before adding it to a cluster. Note that a cluster can only be formed of devices of the same model type.
Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
join-cluster <IP> user <USERNAME> password <WORD> {level|mode}
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}
Parameters
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}
  Adds an access point, wireless controller, or service platform to an existing cluster.
  <IP>             Specify the IP address of the existing cluster member to connect to.
  user <USERNAME>  Specify a user account with super user privileges on the new cluster member.
  password <WORD>  Specify the password for the account specified in the user parameter. The password is entered in cleartext on the command line.
  level [1|2]      Optional. Configures the routing level.
    1  Configures level 1 routing.
    2  Configures level 2 routing.
  mode [active|standby]  Optional. Configures the cluster mode.
    active   Configures this cluster member as active.
    standby  Configures this cluster member in standby mode.
Usage Guidelines
To add a device to an existing cluster:
  Configure a static IP address on the device (access point, wireless controller, or service platform).
  Provide the username and password of a superuser, network admin, system admin, or operator account.
  After adding the device to the cluster, execute the write memory command to ensure the configuration persists across reboots.
Example
rfs4000-880DA7>join-cluster 192.168.13.15 user admin password superuser level 1 mode standby
... connecting to 192.168.13.15
... applying cluster configuration
... committing the changes
... saving the changes
[OK]
rfs4000-880DA7>
rfs4000-880DA7>show context
!
! Configuration of RFS4000 version 5.9.1.0-012D
!
!
version 2.5
!
!
................................................................................
interface vlan1
 ip address 192.168.13.15/24
 no ipv6 enable
 no ipv6 request-dhcpv6-options
cluster name TechPubs
cluster mode standby
cluster member ip 192.168.13.15
logging on
logging console warnings
logging buffered warnings
!
!
end
rfs4000-880DA7>
Related Commands
  cluster         Initiates the cluster context. The cluster context enables centralized management and configuration of all cluster members from any one member.
  create-cluster  Creates a new cluster on a specified device.

2.1.18 l2tpv3
Establishes and/or brings down a Layer 2 Tunnel Protocol Version 3 (L2TPv3) tunnel.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
l2tpv3 tunnel [<TUNNEL-NAME>|all]
l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}
Parameters

l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
  Establishes or brings down an L2TPv3 tunnel.
  <TUNNEL-NAME>     Specifies the tunnel to establish or bring down.
  down              Brings down the specified tunnel.
  up                Establishes the specified tunnel.
  on <DEVICE-NAME>  Optional. Establishes or brings down the tunnel on a specified device.
    <DEVICE-NAME>   Specify the name of the AP, wireless controller, or service platform.

l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}
  Establishes or brings down a specified session inside an L2TPv3 tunnel.
  <TUNNEL-NAME>           Specify the tunnel name.
  session <SESSION-NAME>  Identifies a specific session.
    <SESSION-NAME>        Specify the session name.
  down                    Brings down the session identified by the <SESSION-NAME> keyword.
  up                      Establishes the session identified by the <SESSION-NAME> keyword.
  on <DEVICE-NAME>        Optional. Establishes or brings down the tunnel session on a specified device.
    <DEVICE-NAME>         Specify the name of the AP, wireless controller, or service platform.

l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}
  Establishes or brings down all L2TPv3 tunnels.
  down              Brings down all tunnels.
  up                Establishes all tunnels.
  on <DEVICE-NAME>  Optional. Establishes or brings down all tunnels on a specified device.
    <DEVICE-NAME>   Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D>l2tpv3 tunnel Tunnel1 session Tunnel1Session1 up on rfs6000-81742D
NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY.

2.1.19 logging
Modifies message logging settings.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings}
Parameters
logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings}
  monitor  Sets the terminal line's logging level. The logging severity level can be set from 0 - 7. The system uses the default settings if no logging severity level is specified.
  <0-7>    Optional. Specify the logging severity level from 0-7. The levels and their meanings are as follows:
    emergencies    Optional. System is unusable (severity=0)
    alerts         Optional. Immediate action needed (severity=1)
    critical       Optional. Critical conditions (severity=2)
    errors         Optional. Error conditions (severity=3)
    warnings       Optional. Warning conditions (severity=4)
    notifications  Optional. Normal but significant conditions (severity=5)
    informational  Optional. Informational messages (severity=6)
    debugging      Optional. Debugging messages (severity=7)
  Note: Before configuring the message logging level, ensure the logging module is enabled. To enable message logging, in the device's configuration mode, execute the logging > on command. Message logging can also be enabled on a profile; all devices using the profile will then have message logging enabled.
Example
rfs6000-81742D(config-device-00-15-70-81-74-2D)#logging on
rfs6000-81742D>logging monitor debugging
rfs6000-81742D>show logging
Logging module: enabled
Aggregation time: disabled
Console logging: level warnings
Monitor logging: level debugging
Buffered logging: level warnings
Syslog logging: level warnings
Facility: local7
Log Buffer (69317 bytes):
Apr 04 11:53:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
Apr 04 11:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
--More--
rfs6000-81742D>
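The severity numbers listed under logging monitor are the same ones the log buffer lines carry in their %FACILITY-SEVERITY-MNEMONIC tag, which is what makes the buffer usable for offline triage. The following Python script is an added example, not code from this guide or from Extreme Networks: it parses show logging buffer lines in the layout shown above, keeps the ones a terminal set to a given logging monitor level would display (lower numbers are more severe, so the filter keeps severity at or below the threshold), and counts repeats. The two FAN_UNDERSPEED lines are the ones shown in the example output; the other sample lines are constructed for this example and their facility and mnemonic names are placeholders, not real WiNG messages.

```python
"""Filter WiNG log buffer lines by the severity scale `logging monitor` uses.

Added example, not part of the CLI Reference Guide. Parses lines in the
`MMM DD HH:MM:SS YYYY: %FACILITY-SEV-MNEMONIC: text` layout of `show logging`.
"""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, List, NamedTuple, Union

# Keyword -> numeric severity, as listed under `logging monitor`.
SEVERITY: Dict[str, int] = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<text>.*)$"
)


class LogEvent(NamedTuple):
    when: datetime
    facility: str
    severity: int
    mnemonic: str
    text: str


def parse_line(line: str) -> LogEvent:
    """Parse one log buffer line; raise ValueError on anything else (e.g. '--More--')."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    when = datetime.strptime(m["ts"], "%b %d %H:%M:%S %Y")
    return LogEvent(when, m["facility"], int(m["sev"]), m["mnemonic"], m["text"])


def level_of(level: Union[int, str]) -> int:
    """Accept either the keyword or the number, as the CLI does."""
    if isinstance(level, int):
        if not 0 <= level <= 7:
            raise ValueError("severity must be 0-7")
        return level
    return SEVERITY[level]


def at_or_above(lines: Iterable[str], level: Union[int, str] = "warnings") -> List[LogEvent]:
    """Return the events a terminal set to `logging monitor <level>` would show.

    Lower numbers are more severe, so an event is kept when severity <= threshold.
    Lines that are not log events (pager prompts, separators) are skipped.
    """
    threshold = level_of(level)
    events = []
    for line in lines:
        try:
            ev = parse_line(line)
        except ValueError:
            continue
        if ev.severity <= threshold:
            events.append(ev)
    return events


def count_by_mnemonic(events: Iterable[LogEvent]) -> Counter:
    """Collapse repeats, such as a fan alarm re-raised every ten minutes."""
    return Counter(f"%{e.facility}-{e.severity}-{e.mnemonic}" for e in events)


# The first two lines are the ones shown in the guide's `show logging` output;
# the remaining lines are constructed for this example with placeholder names.
SAMPLE_BUFFER = """\
Apr 04 11:53:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
Apr 04 11:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
Apr 04 11:40:00 2017: %EXAMPLE-1-CONSTRUCTED_ALERT: constructed alert-level sample line
Apr 04 11:39:00 2017: %EXAMPLE-7-CONSTRUCTED_DEBUG: constructed debug-level sample line
--More--
""".splitlines()


if __name__ == "__main__":
    for keyword in ("warnings", "debugging"):
        shown = at_or_above(SAMPLE_BUFFER, keyword)
        print(f"logging monitor {keyword}: {len(shown)} of {len(SAMPLE_BUFFER)} lines shown")
    print(count_by_mnemonic(at_or_above(SAMPLE_BUFFER, "warnings")))
```

Paste the buffer captured from show logging (after paging through --More--) into SAMPLE_BUFFER, or read it from a file, to get the same severity cut that the terminal applies, plus a count of how often each message repeats.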
Related Commands
  no  Resets the terminal line's logging level.

2.1.20 mint
Uses the MiNT protocol to perform a ping and traceroute to a remote device.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
mint [ping|traceroute]
mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}
mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>)}
Parameters

mint ping <MINT-ID> {(count <1-10000>|size <1-64000>|timeout <1-10>)}
  Sends a MiNT echo message to a specified destination.
  <MINT-ID>        Specify the destination device's MiNT ID.
  count <1-10000>  Optional. Sets the number of pings sent to the MiNT destination. Specify a value from 1 - 10000. The default is 3.
  size <1-64000>   Optional. Sets the MiNT payload size in bytes. Specify a value from 1 - 64000 bytes. The default is 64 bytes.
  timeout <1-10>   Optional. Sets the response timeout in seconds. Specify a value from 1 - 10 seconds. The default is 1 second.

mint traceroute <MINT-ID> {(destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>)}
  Prints the route packets take to a device.
  <MINT-ID>                   Specify the destination device's MiNT ID.
  destination-port <1-65535>  Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port. Specify a value from 1 - 65535. The default port is 45.
  max-hops <1-255>            Optional. Sets the maximum number of hops a traceroute packet traverses in the forward direction. Specify a value from 1 - 255. The default is 30.
  source-port <1-65535>       Optional. Sets the ECMP source port. Specify a value from 1 - 65535. The default port is 45.
  timeout <1-255>             Optional. Sets the minimum response time period in seconds. Specify a value from 1 - 255 seconds. The default is 30 seconds.
Example
rfs6000-81742D>mint ping 19.6C.88.09
MiNT ping 19.6C.88.09 with 64 bytes of data.
Response from 19.6C.88.09: id=1 time=0.219 ms
Response from 19.6C.88.09: id=2 time=0.145 ms
Response from 19.6C.88.09: id=3 time=0.127 ms
--- 19.6C.88.09 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.127/0.164/0.219 ms
rfs6000-81742D>

2.1.21 no
Use the no command to revert a command or to set parameters to their default. This command turns off an enabled feature or reverts settings to their defaults.
NOTE: The sub-set of commands available under no changes with the context in which it is executed.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [adoption|captive-portal|crypto|debug|logging|page|service|terminal|virtual-machine|wireless]
no adoption {on <DEVICE-OR-DOMAIN-NAME>}
NOTE: The no > adoption command resets the adoption state of a specified device (and of all devices adopted to it) or of the devices within a specified RF Domain. When executed without specifying a device or RF Domain, the command resets the adoption state of the logged-in device and of all devices, if any, adopted to it.
no captive-portal client [captive-portal <CAPTIVE-PORTAL-NAME>|mac <MAC>] {on <DEVICE-OR-DOMAIN-NAME>}
no crypto pki [server|trustpoint]
no crypto pki [server|trustpoint] <TRUSTPOINT-NAME> {del-key {on <DEVICE-NAME>}|on <DEVICE-NAME>}
no logging monitor
no page
no service [block-adopter-config-update|locator|snmp|ssm|wireless]
no service snmp sysoid wing5
no service block-adopter-config-update
no service ssm trace pattern {<WORD>} {on <DEVICE-NAME>}
no service wireless [trace pattern {<WORD>} {on <DEVICE-NAME>}|unsanctioned ap air-terminate <BSSID> {on <DOMAIN-NAME>}]
no service locator {on <DEVICE-NAME>}
no terminal [length|width]
no virtual-machine assign-usb-ports {on <DEVICE-NAME>}
no wireless client [all|<MAC>]
no wireless client all {filter|on}
no wireless client all {filter [wlan <WLAN-NAME>]}
no wireless client all {on <DEVICE-OR-DOMAIN-NAME>} {filter [wlan <WLAN-NAME>]}
no wireless client mac <MAC> {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
no <PARAMETERS>
  Resets or reverts settings based on the parameters passed.
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.
Example
rfs4000-880DA7>no adoption
rfs4000-880DA7>no page

2.1.22 on
Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
on rf-domain [<RF-DOMAIN-NAME>|all]
Parameters
on rf-domain [<RF-DOMAIN-NAME>|all]
  on rf-domain [<RF-DOMAIN-NAME>|all]  Enters the RF Domain context based on the parameter specified
    <RF-DOMAIN-NAME>  Specify the RF Domain name. Enters the specified RF Domain context.
    all  Specifies all RF Domains.
Example
nx9500-6C8809>on rf-domain TechPubs
nx9500-6C8809(TechPubs)>?
on RF-Domain Mode commands:
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  service  Service Commands
  show     Show running system information
nx9500-6C8809(TechPubs)>
nx9500-6C8809(rf-domain-all)>?
on RF-Domain Mode commands:
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  service  Service Commands
  show     Show running system information
nx9500-6C8809(rf-domain-all)>
2.1.23 opendns
User Exec Commands
Fetches the OpenDNS device_id from the OpenDNS site. Use this command to fetch the OpenDNS device_id. Once fetched, apply the device_id to WLANs that are to be OpenDNS enabled.
OpenDNS is a free DNS service that enables swift Web navigation without frequent outages. It is a reliable DNS service that provides the following services: DNS query resolution, Web-filtering, protection against virus and malware attacks, performance enhancement, etc.
This command is part of a set of configurations that are required to integrate WiNG devices with OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or service platform) are redirected to the OpenDNS resolvers (208.67.220.220 or 208.67.222.222), which act as proxy DNS servers. For more information on integrating WiNG devices with the OpenDNS site, see Enabling OpenDNS Support.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
opendns [APIToken|username]
opendns APIToken <OPENDNS-APITOKEN>
opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
Note: as per the current implementation, either of the above commands can be used to fetch the device_id from the OpenDNS site.
Parameters
opendns APIToken <OPENDNS-APITOKEN>
  opendns APIToken <OPENDNS-APITOKEN>  Fetches the device_id from the OpenDNS site using the OpenDNS API token. Configures the OpenDNS APIToken. This is the token provided to you by Cisco at the time of subscribing to the OpenDNS service.
    <OPENDNS-APITOKEN>  Provide the OpenDNS API token (should be a valid token). For every valid OpenDNS API token provided, a device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.
opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
  opendns username <USERNAME>  Fetches the device_id from the OpenDNS site using the OpenDNS credentials. Configures the OpenDNS user name. This is your OpenDNS email ID provided by Cisco at the time of subscribing to the OpenDNS service.
    <USERNAME>  Provide the OpenDNS user name (should be a valid OpenDNS username).
  password <OPENDNS-PSWD>  Configures the password associated with the user name specified in the previous step
    <OPENDNS-PSWD>  Provide the OpenDNS password (should be a valid OpenDNS password).
  label <LABEL>  Configures the network label. This is the label (the user-friendly name) of your network, and should be the same as the label (name) configured on the OpenDNS portal.
    <LABEL>  Specify your network label. For every set of user name, password, and label passed, only one unique device_id is returned. Apply this device_id to WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.
Usage Guidelines
Use your OpenDNS credentials to log on to the opendns.org site and use the labels, edit settings, and customize content filtering options to configure Web filtering settings.
Example
ap7161-E6D512>opendns username bob@examplecompany.com password opendns label company_name
Connecting to OpenDNS server...
device_id = 0014AADF8EDC6C59
ap7161-E6D512>
nx9600-7F3C7F>opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
device_id = 001480fe36dcb245
nx9600-7F3C7F>
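The guide states only that an OpenDNS-enabled WLAN appends 31 bytes of device-id data after the end of each DNS packet, which is something a network monitor can check for. The following is an added example (not from the guide or from WiNG) that parses the standard DNS wire format and reports whatever bytes follow the message; the names queried and the contents of the 31-byte trailer are constructed, since the guide gives only the trailer's length.

```python
"""Detect DNS packets that carry a trailing 31-byte OpenDNS device-id blob.

Added example, not WiNG code. The DNS parsing follows RFC 1035 (header,
questions, resource records, name compression). The trailer layout is an
assumption: the guide only says 31 bytes representing the device_id are
appended at the end of the DNS packet.
"""
import struct

DEVICE_ID_TRAILER_LEN = 31  # the guide's figure: 31 extra bytes at the end


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length == 0:                    # root label ends the name
            return off + 1
        if (length & 0xC0) == 0xC0:        # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def dns_message_length(buf: bytes) -> int:
    """Length of the well-formed DNS message at the start of buf."""
    if len(buf) < 12:
        raise ValueError("short header")
    qd, an, ns, ar = struct.unpack("!HHHH", buf[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(buf, off) + 4     # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = _skip_name(buf, off)
        if off + 10 > len(buf):
            raise ValueError("truncated resource record")
        rdlen = struct.unpack("!H", buf[off + 8:off + 10])[0]
        off += 10 + rdlen                  # TYPE, CLASS, TTL, RDLENGTH, RDATA
    if off > len(buf):
        raise ValueError("truncated message")
    return off


def trailing_bytes(buf: bytes) -> bytes:
    """Bytes left after the parsed DNS message (empty for a plain packet)."""
    return buf[dns_message_length(buf):]


def has_opendns_device_id_trailer(buf: bytes) -> bool:
    """True when exactly 31 bytes follow the DNS message, as the guide describes."""
    return len(trailing_bytes(buf)) == DEVICE_ID_TRAILER_LEN


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal A/IN query: 12-byte header with QDCOUNT=1 plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


# Constructed samples. The trailer content is an assumption: the device_id
# from the guide's example, padded to the documented 31-byte length.
PLAIN_QUERY = build_query("www.example.com")
TAGGED_QUERY = PLAIN_QUERY + b"0014AADF8EDC6C59".ljust(DEVICE_ID_TRAILER_LEN, b"\x00")

if __name__ == "__main__":
    for label, pkt in (("plain", PLAIN_QUERY), ("tagged", TAGGED_QUERY)):
        print(label, len(pkt), "bytes; trailer", len(trailing_bytes(pkt)),
              "bytes; opendns-tagged:", has_opendns_device_id_trailer(pkt))
```

Run the same check over captured packets from an OpenDNS-enabled WLAN to confirm the 31-byte tag is present only on traffic that should carry it.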
2.1.24 page
User Exec Commands
Toggles a device's paging function. When executed, this command enables the display of CLI command outputs page by page, instead of running the entire output at once.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
page
Parameters
None
Example
rfs4000-880DA7>page
rfs4000-880DA7>
Related Commands
  no  Disables device paging

2.1.25 ping
User Exec Commands
Sends Internet Control Message Protocol (ICMP) echo messages to a user-specified location
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}
Parameters
ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}
  <IP/HOSTNAME>  Specify the destination IP address or hostname. When entered without any parameters, this command prompts for an IP address or a hostname.
  count <1-10000>  Optional. Sets the pings to the specified destination
    <1-10000>  Specify a value from 1 - 10000. The default is 5.
  dont-fragment {count|size}  Optional. Sets the dont fragment bit in the ping packet. Packets with the dont-fragment bit specified are not fragmented. When a packet with the dont-fragment bit specified exceeds the specified maximum transmission unit (MTU) value, an error message is sent from the device trying to fragment it.
    count <1-10000>  Optional. Sets the pings to the specified destination from 1 - 10000. The default is 5.
    size <1-64000>  Optional. Sets the ping payload size from 1 - 64000 bytes. The default is 100 bytes.
  size <1-64000>  Optional. Sets the ping payload size in bytes
    <1-64000>  Specify the ping payload size from 1 - 64000. The default is 100 bytes.
  source [<IP>|pppoe|vlan <1-4094>|wwan]  Optional. Sets the source address or interface name. This is the source of the ICMP packet to the specified destination.
    <IP>  Specifies the source IP address
    pppoe  Selects the PPP over Ethernet interface
    vlan <1-4094>  Selects the VLAN interface from 1 - 4094
    wwan  Selects the wireless WAN interface
Example
rfs6000-81742D>ping 192.168.13.13 count 4
PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data.
108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.291 ms
108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.243 ms
108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.239 ms
108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.232 ms
--- 192.168.13.13 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 0.232/0.251/0.291/0.025 ms
rfs6000-81742D>
rfs6000-81742D>ping 10.233.89.182 source vlan 1
PING 10.233.89.182 (10.233.89.182) from 192.168.13.24 vlan1: 100(128) bytes of data.
From 192.168.13.2 icmp_seq=1 Packet filtered
From 192.168.13.2 icmp_seq=2 Packet filtered
From 192.168.13.2 icmp_seq=3 Packet filtered
From 192.168.13.2 icmp_seq=4 Packet filtered
From 192.168.13.2 icmp_seq=5 Packet filtered
--- 10.233.89.182 ping statistics ---
5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3997ms
rfs6000-81742D>
2.1.26 ping6
User Exec Commands
Sends ICMPv6 echo messages to a user-specified IPv6 address
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}
Parameters
ping6 <IPv6/HOSTNAME> {<INTF-NAME>} {(count <1-10000>|size <1-64000>)}
  <IPv6/HOSTNAME>  Specify the destination IPv6 address or hostname.
  <INTF-NAME>  Specify the interface name for the link local/broadcast address
  count <1-10000>  Optional. Sets the pings to the specified IPv6 destination
    <1-10000>  Specify a value from 1 - 10000. The default is 5.
  size <1-64000>  Optional. Sets the IPv6 ping payload size in bytes
    <1-64000>  Specify the ping payload size from 1 - 64000. The default is 100 bytes.
Usage Guidelines
To configure a device's IPv6 address, in the VLAN interface configuration mode, use the ipv6 > address <IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 > enable command to enable IPv6. For more information, see ipv6.
Example
rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#show ipv6 interface brief
--------------------------------------------------------------------------------
INTERFACE  IPV6 MODE  IPV6-ADDRESS/MASK             TYPE              STATUS  PROTOCOL
--------------------------------------------------------------------------------
vlan1      True       fe80::223:68ff:fe88:da7/64    Link-Local        UP      up
vlan1      True       2001:10:10:10:10:10:10:1/64   Global-Permanent  UP      up
vlan2      False      UNASSIGNED                    None              UP      up
--------------------------------------------------------------------------------
rfs4000-1B3596(config-device-00-23-68-1B-35-96-if-ge4)#
rfs4000-229D58>ping6 2001:10:10:10:10:10:10:1 count 6
PING 2001:10:10:10:10:10:10:1(2001:10:10:10:10:10:10:1) 100 data bytes
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=1 ttl=64 time=0.401 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=2 ttl=64 time=0.311 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=3 ttl=64 time=0.300 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=4 ttl=64 time=0.309 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=5 ttl=64 time=0.299 ms
108 bytes from 2001:10:10:10:10:10:10:1: icmp_seq=6 ttl=64 time=0.313 ms
--- 2001:10:10:10:10:10:10:1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 6999ms
rtt min/avg/max/mdev = 0.299/0.318/0.401/0.031 ms
rfs4000-229D58>
2.1.27 ssh
User Exec Commands
Opens a Secure Shell (SSH) connection between two network devices
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}
Parameters
ssh <IP/HOSTNAME> <USER-NAME> {<INF-NAME/LINK-LOCAL-ADD>}
  <IP/HOSTNAME>  Specify the remote system's IP address or hostname.
  <USER-NAME>  Specify the name of the user requesting the SSH connection with the remote system.
  <INF-NAME/LINK-LOCAL-ADD>  Optional. Specify the interface's name or link local address.
Example
nx9500-6C8809>ssh 192.168.13.24 admin
admin@192.168.13.24's password:
rfs6000-81742D>
2.1.28 telnet
User Exec Commands
Opens a Telnet session between two network devices
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}
Parameters
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}
  <IP/HOSTNAME>  Configures the destination remote system's IP (IPv4 or IPv6) address or hostname. The Telnet session is established between the connecting system and the remote system.
    <IP/HOSTNAME>  Specify the remote system's IPv4 or IPv6 address or hostname.
  <TCP-PORT>  Optional. Specify the Transmission Control Protocol (TCP) port number.
  <INTF-NAME>  Optional. Specify the interface name for the link local address.
Example
nx9500-6C8809#telnet 192.168.13.10
Entering character mode
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login:
2.1.29 terminal
User Exec Commands
Sets the length and width of the CLI display window on a terminal
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
terminal [length|width] <0-512>
Parameters
terminal [length|width] <0-512>
  length <0-512>  Sets the number of lines displayed on the terminal window
    <0-512>  Specify a value from 0 - 512.
  width <0-512>  Sets the width (the number of characters displayed in one line) of the terminal window
    <0-512>  Specify a value from 0 - 512.
Example
rfs6000-81742D>terminal length 150
rfs6000-81742D>terminal width 215
rfs6000-81742D>show terminal
Terminal Type: xterm
Length: 150 Width: 215
rfs6000-81742D>
Related Commands
  no  Resets the width or length of the terminal window

2.1.30 time-it
User Exec Commands
Verifies the time taken by a particular command between request and response
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
time-it <COMMAND>
Parameters
time-it <COMMAND>
  time-it <COMMAND>  Verifies the time taken by a particular command to execute and provide a result
    <COMMAND>  Specify the command.
Example
rfs6000-81742D>time-it enable
That took 0.00 seconds..
rfs6000-81742D#
2.1.31 traceroute
User Exec Commands
Traces the route to a defined destination
Use --help or -h to display a complete list of parameters for the traceroute command
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
traceroute <LINE>
Parameters
traceroute <LINE>
  traceroute <LINE>  Traces the route to a destination IP address or hostname
    <LINE>  Specify the destination IP address or hostname.
Example
rfs6000-81742D>traceroute --help
BusyBox v1.14.4 () multi-call binary
Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] HOST [data size]
Options:
-F Set the don't fragment bit
-I Use ICMP ECHO instead of UDP datagrams
-l Display the ttl value of the returned packet
-d Set SO_DEBUG options to socket
-n Print hop addresses numerically rather than symbolically
-r Bypass the normal routing tables and send directly to a host
-v Verbose
-m max_ttl Max time-to-live (max number of hops)
-p port# Base UDP port number used in probes
(default is 33434)
-q nqueries Number of probes per 'ttl' (default 3)
-s src_addr IP address to use as the source address
-t tos Type-of-service in probe packets (default 0)
-w wait Time in seconds to wait for a response
(default 3 sec)
-g Loose source route gateway (8 max)
rfs6000-81742D>
rfs6000-81742D>traceroute 192.168.13.13
traceroute to 192.168.13.13 (192.168.13.13), 30 hops max, 38 byte packets
 1  192.168.13.13 (192.168.13.13)  1.150 ms  0.261 ms  0.214 ms
rfs6000-81742D>
2.1.32 traceroute6
User Exec Commands
Traces the route to a specified IPv6 destination
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
traceroute6 <LINE>
Parameters
traceroute6 <LINE>
  traceroute6 <LINE>  Traces the route to a destination IPv6 address or hostname
    <LINE>  Specify the destination IPv6 address or hostname.
Example
rfs6000-81742D>traceroute6 2001:10:10:10:10:10:10:1
traceroute to 2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1) from 2001:10:10:10:10:10:10:2, 30 hops max, 16 byte packets
 1  2001:10:10:10:10:10:10:1 (2001:10:10:10:10:10:10:1)  6.054 ms  0.448 ms  0.555 ms
rfs6000-81742D>
2.1.33 virtual-machine
User Exec Commands
Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
virtual-machine [assign-usb-ports|export|install|restart|set|start|stop|uninstall]
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}
virtual-machine install [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]
virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]
virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
The following virtual-machine commands are supported only on the VX9000 platform:
virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-group]
virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>
virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>
Parameters
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
  assign-usb-ports team-vowlan  Assigns USB ports to TEAM-VoWLAN on a specified device
  on <DEVICE-NAME>  Optional. Specify the device name.
  Note: Use the no > virtual-machine > assign-usb-ports command to reassign the port to WiNG.
  Note: The TEAM-RLS VM cannot be installed when USB ports are assigned to TEAM-VoWLAN.
virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}
  virtual-machine export  Exports an existing VM image and settings. Use this command to export the VM to another <NX54XX> or <NX65XX> device in the same domain.
    <VM-NAME>  Specify the VM name.
    <FILE>  Specify the location and name of the source file (VM image). The VM image is retrieved and exported from the specified location.
    <URL>  Specify the destination location. This is the location to which the VM image is copied. Use one of the following formats to provide the destination path:
      tftp://<hostname|IP>[:port]/path/file
      ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      http://<hostname|IP>[:port]/path/file
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.
  Note: The VM should be in a stop state during the export process.
  Note: If the destination is a device, the image is copied to a predefined location (VM archive).
virtual-machine install [<VM-NAME>|adsp|team-centro|team-rls|team-vowlan] {on <DEVICE-NAME>}
  virtual-machine install  Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. Select one of the following options:
    <VM-NAME>  Installs a VM having the name specified by the <VM-NAME> keyword.
    adsp  Installs ADSP
    team-centro  Installs the VM TEAM-Centro image
    team-rls  Installs the VM TEAM-RLS image
    team-vowlan  Installs the VM TEAM-VoWLAN image
  Specify the device on which to install the VM.
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.
virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
  virtual-machine set  Configures the VM settings
  autostart  Specifies whether to autostart the VM on system reboot
    ignore  Enables autostart on each system reboot
    start  Disables autostart
  memory  Defines the VM memory size
    <512-8192>  Specify the VM memory from 512 - 8192 MB. The default is 1024 MB.
  vcpus  Specifies the number of VCPUs for this VM
    <1-4>  Specify the number of VCPUs from 1 - 4.
  vif-count  Configures or resets the VM's VIFs
    <0-2>  Specify the VIF number from 0 - 2.
  vif-mac  Configures the MAC address of the selected virtual network interface
    <1-2>  Select the VIF
    <1-8>  Specify the MAC index for the selected VIF
    <MAC>  Specify the customized MAC address for the selected VIF in the AA-BB-CC-DD-EE-FF format.
  Each VM has a maximum of two network interfaces (indexed 1 and 2, referred to as VIFs). By default, each VIF is automatically assigned a MAC from the range allocated for that device. However, you can use the set keyword to specify the MAC from within the allocated range. Each of these VIFs is mapped to a layer 2 port in the dataplane (referred to as a VMIF). These VMIFs are standard L2 ports on the DP bridge, supporting all VLAN and ACL commands. The WiNG software supports up to a maximum of 8 VMIFs. By default, a VM's interface is always mapped to VMIF1. You can map a VIF to any of the 8 VMIFs. Use the vif-to-vmif command to map a VIF to a VMIF on the DP bridge.
  vif-to-vmif  Maps the virtual interface (1 or 2) to the selected VMIF interface. Specify the VMIF interface index from 1 - 8.
  WiNG provides a dataplane bridge for external network connectivity for VMs. VM interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enable remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of the twelve ports for <NX9500> on the dataplane bridge. This mapping determines the destination for service platform routing. By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1, by default, is an untagged port providing access to VLAN 1, to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as to configure specific firewall and QoS rules.
  vnc  Disables/enables the VNC port option for an existing VM. When enabled, provides remote access to VGA through the noVNC client.
    disable  Disables the VNC port
    enable  Enables the VNC port
  After configuring the VM settings, identify the VM to apply the settings to.
    <VM-NAME>  Applies these settings to the VM identified by the <VM-NAME> keyword. Specify the VM name.
    adsp  Applies these settings to the ADSP VM
    team-urc  Applies these settings to the VM TEAM-URC
    team-rls  Applies these settings to the VM TEAM-RLS
    team-vowlan  Applies these settings to the VM TEAM-VoWLAN
virtual-machine start [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
  virtual-machine start  Starts the VM, based on the parameters passed. Select one of the following options:
    <VM-NAME>  Starts the VM identified by the <VM-NAME> keyword. Specify the VM name.
    adsp  Starts the ADSP VM
    team-urc  Starts the VM TEAM-URC
    team-rls  Starts the VM TEAM-RLS
    team-vowlan  Starts the VM TEAM-VoWLAN
  The following keywords are common to all of the above parameters:
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.
virtual-machine stop [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
  virtual-machine stop  Stops the VM, based on the parameters passed. Select one of the following options:
    <VM-NAME>  Stops the VM identified by the <VM-NAME> keyword. Specify the VM name.
    adsp  Stops the ADSP VM
    team-urc  Stops the VM TEAM-URC
    team-rls  Stops the VM TEAM-RLS
    team-vowlan  Stops the VM TEAM-VoWLAN
  The following keywords are common to all of the above parameters:
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.
  Note: The option hard forces the selected VM to shut down.
virtual-machine uninstall [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
  virtual-machine uninstall  Uninstalls the specified VM
    <VM-NAME>  Uninstalls the VM identified by the <VM-NAME> keyword. Specify the VM name.
    adsp  Uninstalls the ADSP VM
    team-urc  Uninstalls the VM TEAM-URC
    team-rls  Uninstalls the VM TEAM-RLS
    team-vowlan  Uninstalls the VM TEAM-VoWLAN
  The following keywords are common to all of the above parameters:
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.
  Note: This command releases the VM's resources, such as memory, VCPUs, VNC port, and disk space, and removes the RF Domain reference from the system.
virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>
  virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>  Enables provisioning of logical volume-groups on the VX9000 platform. Logical volume-groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. However, volume-groups can be provisioned only on a new VX9000 installation and cannot be added to an existing VX9000 installation.
  Note: The logical volume-group is supported only on a VX9000 running the WiNG 5.9.1 image.
  add-drive  Adds a new block-device to the VM. Note, currently a maximum of 3 (three) block devices can be added. To add a new drive, first halt the VM. In the Hypervisor, add a new storage disk to the VM and restart the VM. Once the VM comes up, use this command to add the new drive. To identify the new drive, execute the show > virtual-machine > volume-group > status command.
  resize-drive  Resizes a drive in the VM's volume group. To increase the size of a drive in the volume-group, first halt the VM. In the Hypervisor, increase the size of the existing secondary storage drive and restart the VM. Once the VM comes up, use this command to resize the drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command.
  The following keyword is common to all of the above parameters:
    <BLOCK-DEVICE-LABEL>  Specify the block-device label to be added or resized, depending on the action being performed.
virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
  virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>  Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
  replace-drive  Replaces an existing block-device with a new block-device in a volume-group. To replace a drive in the volume-group, first halt the VM. In the Hypervisor, add the new drive and restart the VM. Once the VM comes up, use this command to replace an existing drive with the new drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command.
    <BLOCK-DEVICE-LABEL>  Specify the block-device label to be replaced.
    <NEW-BLOCK-DEVICE-LABEL>  Specify the replacement block-device label.
virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>
  virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>  Enables provisioning of VMs as logical volume-groups on the VX9000 platform. Logical volume-group VMs are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
  resize-volume-group  Adds drive space to an existing block-device in the volume-group
    <BLOCK-DEVICE-LABEL>  Specify the block-device label to which additional drive space is to be provided
Example
The following examples show the VM installation process:
Installation media: USB
<DEVICE>#virtual-machine install <VM-NAME> type iso disk-size 8 install-media usb1://vms/win7.iso autostart start memory 512 vcpus 3 vif-count 2 vnc enable
Installation media: pre-installed disk image
<DEVICE>#virtual-machine install <VM-NAME> type disk install-media flash:/vms/win7_disk.img autostart start memory 512 vcpus 3 vif-count 2 vnc enable on <DEVICE-NAME>
In the preceding example, the command is executed on the device identified by the <DEVICE-NAME> keyword. In such a scenario, the disk-size is ignored if specified. The VM has the install media as its first boot device.
Installation media: VM archive
<DEVICE>#virtual-machine install type vm-archive install-media flash:/vms/<VM-NAME> vcpus 3
In the preceding example, the default configuration attached to the VM archive overrides any parameters specified.
Exporting an installed VM:
<DEVICE>#virtual-machine export <VM-NAME> <URL> on <DEVICE-NAME>
In the preceding example, the command copies the VM archive on to the URL (the VM should be in a stop state).
<exsw6>>virtual-machine install team-urc
Virtual Machine install team-urc command successfully sent.
<exsw6>>
vx9000-DE6F97>virtual-machine volume-group add-drive sdb
vx9000-DE6F97>show virtual-machine volume-group status
-----------------------------------------
Logical Volume: lv1
-----------------------------------------
STATUS : available
SIZE : 81.89 GiB
VOLUME GROUP : vg0
PHYSICAL VOLUMES :
sda10 : 73.90 GiB
sdc1 : 8.00 GiB
AVAILABLE DISKS :
sdb : size: 8590MB
-----------------------------------------
* indicates a drive that must be resized
-----------------------------------------
vx9000-DE6F97>
2.1.34 watch
User Exec Commands
Repeats the specified CLI command at periodic intervals
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
watch <1-3600> <LINE>
Parameters
watch <1-3600> <LINE>
watch Repeats a CLI command at a specified interval (in seconds)
<1-3600> Select an interval from 1 - 3600 sec. Pressing CTRL-Z halts execution of the command.
<LINE> Specify the CLI command.
Example
rfs6000-81742D>watch 40 ping 192.168.13.13
PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data.
108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.335 ms
108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.217 ms
108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.209 ms
108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.202 ms
108 bytes from 192.168.13.13: icmp_seq=5 ttl=64 time=0.235 ms
--- 192.168.13.13 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3999ms
rtt min/avg/max/mdev = 0.202/0.239/0.335/0.051 ms
rfs6000-81742D>
2.1.35 exit
User Exec Commands
Ends the current CLI session and closes the session window. For more information, see exit.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
exit
Parameters
None
Example
rfs6000-81742D>exit
3 PRIVILEGED EXEC MODE COMMANDS
Most PRIV EXEC commands set operating parameters. Privileged-level access should be password protected to prevent unauthorized use. The PRIV EXEC command set includes the commands contained within the USER EXEC mode. The PRIV EXEC mode also provides access to configuration modes and includes advanced testing commands.
NOTE: To password-protect the Privilege mode, in the Management Policy, configure the privilege-mode-password. For more information, see privilege-mode-password.
The PRIV EXEC mode prompt consists of the hostname of the device followed by a pound sign (#). To access the PRIV EXEC mode, enter the following at the prompt:
<DEVICE>>enable
<DEVICE>#
The PRIV EXEC mode is often referred to as the enable mode, because the enable command is used to enter the mode. There is no provision to configure a password to get direct access to PRIV EXEC (enable) mode.
<DEVICE>#?
Privileged command commands:
  archive                     Manage archive files
  boot                        Boot commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cd                          Change current directory
  change-passwd               Change password
  clear                       Clear
  clock                       Configure software system clock
  cluster                     Cluster commands
  commit                      Commit all changes made in this session
  configure                   Enter configuration mode
  connect                     Open a console connection to a remote device
  copy                        Copy contents of one dir to another
  cpe                         T5 CPE configuration
  create-cluster              Create a cluster
  crypto                      Encryption related commands
  crypto-cmp-cert-update      Update the cmp certs
  database                    Database
  database-backup             Backup database
  database-restore            Restore database
  debug                       Debugging functions
  delete                      Deletes specified file from the system
  device-upgrade              Device firmware upgrade
  diff                        Display differences between two files
  dir                         List files on a filesystem
  disable                     Turn off privileged mode command
  edit                        Edit a text file
  enable                      Turn on privileged mode command
  erase                       Erase a filesystem
  ex3500                      EX3500 commands
  factory-reset               Delete startup configuration on device(s), reload the device(s) and remove configuration entry from the controller
  file-sync                   File sync between controller and adoptees
  format                      Format file system
  halt                        Halt the system
  help                        Description of the interactive help system
  join-cluster                Join the cluster
  l2tpv3                      L2tpv3 protocol
  logging                     Modify message logging facilities
  mint                        MiNT protocol
  mkdir                       Create a directory
  more                        Display the contents of a file
  no                          Negate a command or set its defaults
  on                          On RF-Domain
  opendns                     Opendns username/password configuration
  page                        Toggle paging
  ping                        Send ICMP echo messages
  ping6                       Send ICMPv6 echo messages
  pwd                         Display current directory
  raid                        RAID operations
  re-elect                    Perform re-election
  reload                      Halt and perform a warm reboot
  remote-debug                Troubleshoot remote system(s)
  rename                      Rename a file
  revert                      Revert changes
  rmdir                       Delete a directory
  self                        Config context of the device currently logged into
  service                     Service Commands
  show                        Show running system information
  ssh                         Open an ssh connection
  t5                          T5 commands
  telnet                      Open a telnet connection
  terminal                    Set terminal line parameters
  time-it                     Check how long a particular command took between request and completion of response
  traceroute                  Trace route to destination
  traceroute6                 Trace route to destination(IPv6)
  upgrade                     Upgrade software image
  upgrade-abort               Abort an ongoing upgrade
  virtual-machine             Virtual Machine
  watch                       Repeat the specific CLI command at a periodic interval
  write                       Write running configuration to memory or terminal
  clrscr                      Clears the display screen
  exit                        Exit from the CLI
<DEVICE>#
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character.
3.1 Privileged Exec Mode Commands
The following table summarizes the PRIV EXEC Mode commands:
Table 3.1 Privileged Exec Commands
Command - Description (Reference)
archive - Manages file archive operations (page 3-6)
boot - Specifies the boot partition (primary or secondary). The device uses the image stored in the specified partition to boot. (page 3-8)
captive-portal-page-upload - Uploads captive portal advanced pages to adopted access points (page 3-9)
cd - Changes the current directory (page 3-13)
change-passwd - Changes the password of a logged user (page 3-14)
clear - Clears parameters, cache entries, table entries, and other similar entries (page 3-15)
clock - Configures the system clock (page 3-28)
cluster - Initiates a cluster context (page 3-29)
configure - Enters the global configuration mode (page 3-30)
connect - Begins a console connection to a remote device (page 3-31)
copy - Copies a file from any location to the wireless controller, service platform, or access point (page 3-32)
cpe - Enables adopted T5 Customer Premises Equipment (CPE) device(s) management. Use this command to perform the following operations on the CPEs: boot, reload, upgrade. This command is specific to the RFS4000, RFS6000, and NX9500 devices. (page 3-33)
create-cluster - Creates a new cluster on a specified device (page 3-35)
crypto - Enables encryption (page 3-37)
crypto-cmp-cert-update - Triggers a CMP certificate update on a specified device or devices (page 3-46)
database - Enables automatic repairing (vacuuming) and dropping of databases (Captive-portal and NSight) (page 3-47)
database-backup - Backs up the captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server (page 3-50)
database-restore - Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored to the original database. (page 3-52)
delete - Deletes a specified file from the system (page 3-53)
device-upgrade - Configures device firmware upgrade parameters (page 3-54)
diff - Displays the differences between two files (page 3-60)
dir - Displays the list of files on a file system (page 3-61)
disable - Disables the privileged mode command set (page 3-62)
edit - Enables text file editing (page 3-63)
enable - Turns on (enables) the privileged mode command set (page 3-64)
erase - Erases a file system (page 3-65)
ex3500 - Enables EX3500 switch firmware management. Use this command to perform the following operations: boot, copy, delete, and IP related configurations. (page 3-67)
factory-reset - Erases the startup configuration on a specified device or on all devices within a specified RF Domain (page 3-75)
file-sync - Configures parameters enabling syncing of PKCS#12 and wireless-bridge certificates between the staging-controller and adopted access points (page 3-79)
halt - Halts a device (access point, wireless controller, or service platform) (page 3-82)
join-cluster - Adds a device (access point, wireless controller, or service platform), as cluster member, to an existing cluster of devices (page 3-83)
l2tpv3 - Establishes or brings down Layer 2 Tunneling Protocol Version 3 (L2TPV3) tunnels (page 3-85)
logging - Modifies message logging parameters (page 3-87)
mint - Configures MiNT protocols (page 3-89)
mkdir - Creates a new directory in the file system (page 3-91)
more - Displays the contents of a file (page 3-92)
no - Reverts a command or sets values to their default (page 3-93)
on - Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, show (page 3-95)
opendns - Connects to the OpenDNS site using OpenDNS registered credentials (username, password) OR an OpenDNS API token to fetch the OpenDNS device_id. This command is a part of the process integrating access points, controllers, and service platforms with OpenDNS. (page 3-96)
page - Toggles a device's (access point, wireless controller, or service platform) paging function (page 3-100)
ping - Sends ICMP echo messages to a user-specified location (page 3-101)
ping6 - Sends ICMPv6 echo messages to a user-specified location (page 3-103)
pwd - Displays the current directory (page 3-104)
re-elect - Re-elects the tunnel controller (wireless controller, service platform, or access point) (page 3-105)
reload - Halts a device (wireless controller, service platform, or access point) and performs a warm reboot (page 3-106)
rename - Renames a file in the existing file system (page 3-111)
rmdir - Deletes an existing directory from the file system (page 3-112)
self - Displays the configuration context of the device (page 3-113)
ssh - Connects to another device using a secure shell (page 3-114)
t5 - Executes the following operations on a T5 device: copy, rename, delete, and write. This command is specific to the RFS4000, RFS6000, NX9500 devices. (page 3-115)
telnet - Opens a Telnet session (page 3-117)
terminal - Sets the length and width of the terminal window (page 3-118)
time-it - Verifies the time taken by a particular command between request and response (page 3-119)
traceroute - Traces the route to a defined destination (page 3-120)
traceroute6 - Traces the route to a defined IPv6 destination (page 3-121)
upgrade - Upgrades the logged device's software image (page 3-122)
upgrade-abort - Aborts an ongoing software image upgrade (page 3-126)
virtual-machine - Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller (page 3-127)
watch - Repeats a specified CLI command at a periodic interval (page 3-133)
raid - Enables RAID management. This command is specific to the NX7530, NX9500, and NX9510 service platforms. (page 3-135)
NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.
NOTE: The input parameter <HOSTNAME>, if used in syntaxes across this chapter, cannot include an underscore (_) character.
3.1.1 archive
Privileged Exec Mode Commands
Manages file archive operations
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
archive tar /table [<FILE>|<URL>]
archive tar /create [<FILE>|<URL>] <FILE>
archive tar /xtract [<FILE>|<URL>] <DIR>
Parameters
archive tar /table [<FILE>|<URL>]
tar Manipulates (creates, lists, or extracts) a tar file
/table Lists the files in a tar file
<FILE> Defines a tar filename
<URL> Sets the tar file URL
archive tar /create [<FILE>|<URL>] <FILE>
tar Manipulates (creates, lists, or extracts) a tar file
/create Creates a tar file
<FILE> Defines the tar filename
<URL> Sets the tar file URL
archive tar /xtract [<FILE>|<URL>] <DIR>
tar Manipulates (creates, lists, or extracts) a tar file
/xtract Extracts content from a tar file
<FILE> Defines the tar filename
<URL> Sets the tar file URL
<DIR> Specify a directory name. When used with /create, dir is the source directory for the tar file. When used with /xtract, dir is the destination directory into which the contents of the tar file are extracted.
Example
The following example shows how to create a tar archive of the folder flash:/log/:
nx9500-6C8809#dir flash:/
Directory of flash:/
-rw-     62937 Tue Nov 24 16:00:06 2015 run-config-backup.txt
drwx           Mon Apr  3 12:40:23 2017 crashinfo
drwx           Wed Mar 22 13:58:28 2017 upgrade
drwx           Mon Sep 28 09:48:33 2015 tmptpd
drwx           Wed Apr  5 11:20:11 2017 log
drwx           Thu Mar 30 15:07:54 2017 archived_logs
drwx           Tue May 24 22:23:54 2016 cache
drwx           Thu Feb 19 08:53:45 2015 floorplans
-rw-  42018304 Tue Sep 27 10:19:24 2016 in.tar
drwx           Tue Jan 17 10:02:01 2017 hotspot
nx9500-6C8809#
nx9500-6C8809#archive tar /create flash:/in.tar flash:/log/
log/nsightd.log.1
log/nsight_reportd.log
log/messages.1.log
log/martdb.log
log/reportd.log.2
log/adopts.log.2
log/mongod.log.2
log/dpd2.log
log/nsight_server.log
log/mart_websock_server.log
log/nuxi/
log/nuxi/beanyaml.log
log/nuxi/statsreqresp.1.log
log/nuxi/hadoop.log.2014-08-03
log/nuxi/puts.log
log/nuxi/copy2w.log
log/nuxi/obj2yaml.log
log/nuxi/infl.log
--More--
nx9500-6C8809#
nx9500-6C8809#dir flash:/
Directory of flash:/
-rw-     62937 Tue Nov 24 16:00:06 2015 run-config-backup.txt
drwx           Thu Sep 22 00:12:07 2016 crashinfo
drwx           Sat Sep 17 05:14:43 2016 upgrade
drwx           Mon Sep 28 09:48:33 2015 tmptpd
drwx           Tue Sep 27 09:59:12 2016 log
drwx           Mon Sep 26 09:58:54 2016 archived_logs
drwx           Tue May 24 22:23:54 2016 cache
drwx           Thu Feb 19 08:53:45 2015 floorplans
-rw-  42018304 Tue Sep 27 10:19:24 2016 in.tar
drwx           Mon Sep 15 03:40:02 2014 hotspot
nx9500-6C8809#
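The /xtract form unpacks whatever the archive holds into <DIR>, so a tar file is worth inspecting before it is copied to the device or extracted there; the same applies to the *.tar page bundles that captive-portal-page-upload expects later in this chapter. The script below is an added example, not WiNG or Extreme Networks code: the device's own extraction rules are not documented here, so it applies the conservative checks a reviewer would want met (regular files and directories only, relative paths, no member able to climb out of the destination directory) and runs them over two constructed in-memory bundles.

```python
"""Pre-flight checks for a tar bundle before 'archive tar /create' or
'archive tar /xtract <FILE> <DIR>'.

Added example, not WiNG or Extreme Networks code. The rules are assumptions
(the device's own extraction behaviour is not documented):
  * only regular files and directories are allowed (no symlinks/hardlinks)
  * every member path must be relative
  * no member may escape the destination directory through '..'
"""
import io
import posixpath
import tarfile
from typing import List, Sequence, Tuple, Union

Problem = Tuple[str, str]   # (member name, reason)


def is_unsafe_path(name: str) -> bool:
    """True if unpacking 'name' under <DIR> could land outside <DIR>."""
    if not name or name.startswith("\\") or posixpath.isabs(name):
        return True
    parts = posixpath.normpath(name).split("/")
    return ".." in parts


def check_bundle(data: bytes) -> List[Problem]:
    """Return one (name, reason) entry per offending member; [] means clean."""
    problems: List[Problem] = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:   # header walk only; nothing is extracted
            if is_unsafe_path(member.name):
                problems.append((member.name, "path escapes destination directory"))
            elif member.issym() or member.islnk():
                problems.append((member.name, "link members are not allowed"))
            elif not (member.isfile() or member.isdir()):
                problems.append((member.name, "unsupported member type"))
    return problems


def bundle_is_safe(data: bytes) -> bool:
    return not check_bundle(data)


# (name, payload): bytes = regular file, None = directory, "link:<target>" = symlink
Entry = Tuple[str, Union[bytes, None, str]]


def build_bundle(entries: Sequence[Entry]) -> bytes:
    """Construct an in-memory .tar.gz from (name, payload) pairs (sample input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, payload in entries:
            info = tarfile.TarInfo(name)
            if payload is None:
                info.type = tarfile.DIRTYPE
                tar.addfile(info)
            elif isinstance(payload, str):
                info.type = tarfile.SYMTYPE
                info.linkname = payload[len("link:"):]
                tar.addfile(info)
            else:
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample bundles; names echo the flash:/log/ listing above.
GOOD_BUNDLE = build_bundle([
    ("log/", None),
    ("log/messages.1.log", b"constructed log line\n"),
    ("log/nuxi/", None),
    ("log/nuxi/puts.log", b"constructed log line\n"),
])
BAD_BUNDLE = build_bundle([
    ("log/ok.log", b"fine\n"),
    ("../outside.txt", b"relative path that climbs out of <DIR>\n"),
    ("/absolute.txt", b"absolute path\n"),
    ("log/link", "link:/outside"),
])

if __name__ == "__main__":
    for label, data in (("good", GOOD_BUNDLE), ("bad", BAD_BUNDLE)):
        print(label, "->", check_bundle(data) or "clean")
```

check_bundle only walks the headers, so it can be run on the archive on the management host before the copy to flash:/ and never writes anything to disk.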
3.1.2 boot
Privileged Exec Mode Commands
Specifies the image used after reboot
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
boot system [primary|secondary] {on <DEVICE-NAME>}
Parameters
boot system [primary|secondary] {on <DEVICE-NAME>}
system Specifies the image used after a device reboot
[primary|secondary] primary Uses the primary image after reboot. secondary Uses the secondary image after reboot.
on <DEVICE-NAME> Optional. Specifies the primary or secondary image location on a specified device. <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE      BUILD DATE           INSTALL DATE         VERSION
--------------------------------------------------------------------------------
Primary    03/26/2017 01:48:56  03/30/2017 15:02:18  5.9.0.0-012D
Secondary  03/17/2017 13:13:38  03/22/2017 13:36:50  5.9.0.0-010D
--------------------------------------------------------------------------------
Current Boot      : Primary
Next Boot         : Primary
Software Fallback : Enabled
VM support        : Not present
nx9500-6C8809#
nx9500-6C8809#boot system secondary
Updated system boot partition
nx9500-6C8809#
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE      BUILD DATE           INSTALL DATE         VERSION
--------------------------------------------------------------------------------
Primary    03/26/2017 01:48:56  03/30/2017 15:02:18  5.9.0.0-012D
Secondary  03/17/2017 13:13:38  03/22/2017 13:36:50  5.9.0.0-010D
--------------------------------------------------------------------------------
Current Boot      : Primary
Next Boot         : Secondary
Software Fallback : Enabled
VM support        : Not present
nx9500-6C8809#
3.1.3 captive-portal-page-upload
Privileged Exec Mode Commands
Uploads captive portal advanced pages to connected access points. Use this command to provide connected access points with specific captive portal configurations so they can successfully provision login, welcome, and condition pages to requesting clients attempting to access the wireless network using the captive portal.
NOTE: Ensure that the captive portal pages to be uploaded are *.tar files.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
captive-portal-page-upload [<CAPTIVE-PORTAL-NAME>|cancel-upload|delete-file|load-file]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all|rf-domain]
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>
Parameters
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> [<MAC/HOSTNAME>|all] {upload-time <TIME>}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> Uploads the advanced pages specified by the <CAPTIVE-PORTAL-NAME> parameter. <CAPTIVE-PORTAL-NAME> Specify the captive portal name (should be existing and configured).
<MAC/HOSTNAME> Uploads to a specified AP. <MAC/HOSTNAME> Specify the AP's MAC address or hostname.
all Uploads to all APs
upload-time <TIME> Optional. Schedules an upload time. <TIME> Specify the upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local system's time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device. To view a list of uploaded captive portal files, execute the show > captive-portal-page-upload > list-files <CAPTIVE-PORTAL-NAME> command.
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> rf-domain [<DOMAIN-NAME>|all] {from-controller} {(upload-time <TIME>)}
captive-portal-page-upload <CAPTIVE-PORTAL-NAME> Uploads the advanced pages specified by the <CAPTIVE-PORTAL-NAME> parameter. <CAPTIVE-PORTAL-NAME> Specify the captive portal name (should be existing and configured).
rf-domain [<DOMAIN-NAME>|all] Uploads to all APs within a specified RF Domain or all RF Domains. <DOMAIN-NAME> Uploads to APs within a specified RF Domain. Specify the RF Domain name. all Uploads to APs across all RF Domains.
from-controller Optional. Uploads to APs from the adopted device
upload-time <TIME> Optional. Schedules an AP upload. <TIME> Specify the upload time in the MM/DD/YYYY-HH:MM or HH:MM format. The scheduled upload time is your local system's time. It is not the access point, controller, service platform, or virtual controller time and it is not synched with the device.
captive-portal-page-upload cancel-upload [<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]]
captive-portal-page-upload cancel-upload Cancels a scheduled AP upload
[<MAC/HOSTNAME>|all|on rf-domain [<DOMAIN-NAME>|all]] Select one of the following options: <MAC/HOSTNAME> Cancels a scheduled upload to a specified AP. Specify the AP MAC address or hostname. all Cancels all scheduled AP uploads. on rf-domain Cancels all scheduled uploads within a specified RF Domain or all RF Domains. <DOMAIN-NAME> Cancels scheduled uploads within a specified RF Domain. Specify the RF Domain name. all Cancels scheduled uploads across all RF Domains.
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME>
captive-portal-page-upload delete-file <CAPTIVE-PORTAL-NAME> <FILE-NAME> Deletes the uploaded internal page files of the captive portal identified by the <CAPTIVE-PORTAL-NAME> keyword. <CAPTIVE-PORTAL-NAME> Specify the captive portal's name. <FILE-NAME> Specify the file name. The specified internal captive portal page is deleted.
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>
captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL> Loads captive-portal advanced pages. Specify the captive portal name (should be existing and configured) and location.
<URL> Specifies the location of the captive-portal's advanced pages. Use one of the following formats:
IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file
IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
http://<hostname|[IPv6]>[:port]/path/file
Note: The captive portal pages are downloaded to the controller from the location specified here. After downloading, use the captive-portal-page-upload > <CAPTIVE-PORTAL-NAME> > <DEVICE-OR-DOMAIN-NAME> command to upload these pages to APs.
Example
ap6562-B1A214#captive-portal-page-upload load-file captive_portal_test tftp://89.89.89.17/pages_new_only.tar
ap6562-B1A214#
ap6562-B1A214#show captive-portal-page-upload load-image-status
Download of captive_portal_test advanced page file is complete
ap6562-B1A214#
ap6562-B1A214#captive-portal-page-upload captive_portal_test all
--------------------------------------------------------------------------------
CONTROLLER         STATUS   MESSAGE
--------------------------------------------------------------------------------
FC-0A-81-B1-A2-14  Success  Added 6 APs to upload queue
--------------------------------------------------------------------------------
ap6562-B1A214#
ap6562-B1A214#show captive-portal-page-upload status
Number of APs currently being uploaded : 1
Number of APs waiting in queue to be uploaded : 0
---------------------------------------------------------------------------------------
AP             STATE        UPLOAD TIME  PROGRESS  RETRIES  LAST UPLOAD ERROR  UPLOADED BY
---------------------------------------------------------------------------------------
ap6562-B1A738  downloading  immediate    100       0        -                  None
---------------------------------------------------------------------------------------
ap6562-B1A214#
The following example lists captive portal CP-BW uploaded files:
nx7500-7F2C13#show captive-portal-page-upload list-files CP-BW
--------------------------------------------------------------------------------
NAME            SIZE  LAST MODIFIED
--------------------------------------------------------------------------------
CP-BW-1.tar.gz  6133  2017-05-16 10:38:40
CP-BW.tar.gz    3370  2017-05-16 10:45:44
--------------------------------------------------------------------------------
nx7500-7F2C13#
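Provisioning scripts that generate load-file commands should validate the <URL> argument against the documented formats before the command reaches the device. The parser below is an added example, not WiNG or Extreme Networks code: it accepts exactly the forms listed above (tftp, ftp, sftp and http with an IPv4 address, hostname or bracketed IPv6 address, plus the local cf:/ and usb<n>:/ forms), rejects anything else, and reports whether the URL embeds a username and password, since the ftp and sftp forms carry those credentials in the command line itself. The sample URLs in the block are constructed; the scheme rules are taken from the format list above and nothing else is assumed about the device.

```python
"""Validate a WiNG file-transfer URL of the forms documented for
'captive-portal-page-upload load-file <CAPTIVE-PORTAL-NAME> <URL>'.

Added example, not WiNG or Extreme Networks code. Accepted forms (from the
format list in the command reference):
  tftp://host[:port]/path/file          http://host[:port]/path/file
  ftp://user:passwd@host[:port]/path/file
  sftp://user:passwd@host[:port]/path/file
  cf:/path/file                         usb<n>:/path/file
where host is a hostname, an IPv4 address or a bracketed IPv6 address.
"""
import re
from typing import Optional, TypedDict
from urllib.parse import urlsplit

REMOTE_WITH_CREDS = {"ftp", "sftp"}   # documented as <user>:<passwd>@host
REMOTE_NO_CREDS = {"tftp", "http"}    # documented without credentials
LOCAL_SCHEME = re.compile(r"^(cf|usb\d+)$")


class WingUrl(TypedDict):
    scheme: str
    host: Optional[str]
    port: Optional[int]
    path: str
    has_credentials: bool


def _require_file_path(path: str, url: str) -> None:
    """The documented forms always end in /path/file: absolute, not a directory."""
    if not path.startswith("/") or path.endswith("/") or "/../" in path + "/":
        raise ValueError(f"URL must end in /path/file: {url!r}")


def parse_wing_url(url: str) -> WingUrl:
    """Return the URL's components, or raise ValueError if it is not a documented form."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if not scheme:
        raise ValueError(f"missing scheme: {url!r}")

    if LOCAL_SCHEME.match(scheme):
        if parts.netloc:   # cf:/ and usb<n>:/ take a plain path, never a host
            raise ValueError(f"{scheme}: URLs take a plain /path/file, not a host")
        _require_file_path(parts.path, url)
        return WingUrl(scheme=scheme, host=None, port=None,
                       path=parts.path, has_credentials=False)

    if scheme not in REMOTE_WITH_CREDS | REMOTE_NO_CREDS:
        raise ValueError(f"unsupported scheme {scheme!r} in {url!r}")
    try:
        host, port = parts.hostname, parts.port   # .port raises on a non-numeric port
    except ValueError as exc:
        raise ValueError(f"invalid port in {url!r}") from exc
    if not host:
        raise ValueError(f"missing host in {url!r}")
    has_creds = parts.username is not None
    if scheme in REMOTE_WITH_CREDS and (not parts.username or parts.password is None):
        raise ValueError(f"{scheme}:// requires <user>:<passwd>@ in the documented form")
    if scheme in REMOTE_NO_CREDS and has_creds:
        raise ValueError(f"{scheme}:// URLs do not carry credentials")
    _require_file_path(parts.path, url)
    return WingUrl(scheme=scheme, host=host, port=port,
                   path=parts.path, has_credentials=has_creds)


if __name__ == "__main__":
    # Constructed sample inputs; only the first echoes the example above.
    for sample in ("tftp://89.89.89.17/pages_new_only.tar",
                   "sftp://admin:s3cret@[2001:db8::10]:2222/pages/cp.tar",
                   "usb1:/pages/cp.tar",
                   "ftp://10.0.0.1/cp.tar"):
        try:
            print(sample, "->", parse_wing_url(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

A result with has_credentials set is the cue to review where the command is logged or echoed (CLI history, automation logs) before it is used, since the password is part of the URL string.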
3.1.4 cd
Privileged Exec Mode Commands
Changes the current directory
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
cd {<DIR>}
Parameters
cd {<DIR>}
<DIR> Optional. Changes the current directory to the directory identified by the <DIR> keyword. If a directory name is not provided, the system displays the current directory.
Example
rfs6000-81742D#cd flash:/log/
rfs6000-81742D#pwd
flash:/log/
rfs6000-81742D#
3.1.5 change-passwd
Privileged Exec Mode Commands
Changes the password of a logged user. When this command is executed without any parameters, the password can be changed interactively.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
change-passwd <OLD-PASSWORD> <NEW-PASSWORD>
Parameters
change-passwd <OLD-PASSWORD> <NEW-PASSWORD>
<OLD-PASSWORD> Specify the password to be changed.
<NEW-PASSWORD> Specify the new password.
Note: The password can also be changed interactively. To do so, press [Enter] after the command.
Usage Guidelines
A password must be from 1 - 64 characters in length.
Example
rfs6000-81742D#change-passwd
Enter old password:
Enter new password:
Password for user 'admin' changed successfully
Please write this password change to memory(write memory) to be persistent.
rfs6000-81742D#write memory
OK
rfs6000-81742D#
3.1.6 clear
Privileged Exec Mode Commands
Clears parameters, cache entries, table entries, and other entries. The clear command is available for specific commands only. The information cleared using this command varies depending on the mode where the clear command is executed.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
NOTE: When using the clear command, refer to the interface details provided in interface.
Syntax
clear [arp-cache|bonjour|cdp|counters|crypto|eguest|event-history|firewall|gre|ip|ipv6|l2tpv3-stats|lacp|license|lldp|logging|mac-address-table|mint|role|rtls|spanning-tree|traffic-shape|vrrp]
clear arp-cache {on <DEVICE-NAME>}
clear bonjour cache {on <DEVICE-NAME>}
clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
clear counters [all|ap|bridge|interface|radio|router|thread|wireless-client]
clear counters [all|bridge|router|thread]
clear counters [ap|wireless-client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
clear counters interface [<INTERFACE-NAME>|all|ge <1-X>|me1|port-channel <1-X>|
pppoe1|vlan <1-4094>|wwan1|xge <1-4>]
clear counters radio {<MAC/HOSTNAME>|on}
clear counters radio {<MAC/HOSTNAME> <1-X>} {(on <DEVICE-OR-DOMAIN-NAME>)}
clear crypto [ike|ipsec]
clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
clear crypto ipsec sa {on <DEVICE-NAME>}
clear eguest registration statistics
clear event-history
clear firewall [dhcp snoop-table|dos stats|flows [ipv4|ipv6]|neighbors snoop-table] {on <DEVICE-NAME>}
clear gre stats {on <DEVICE-NAME>}
clear ip [bgp|dhcp|ospf]
clear ip bgp [<IP>|all|external|process]
clear ip bgp [<IP>|all|external] {in|on|out|soft}
clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
clear ip bgp process {on <DEVICE-NAME>}
clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
clear ip ospf process {on <DEVICE-NAME>}
clear ipv6 neighbor-cache {on <DEVICE-NAME>}
clear lacp [<1-4> counters|counters]
clear l2tpv3-stats tunnel <L2TPV3-TUNNEL-NAME> {session <SESSION-NAME>} {(on <DEVICE-NAME>)}
clear license [borrowed|lent]
clear license borrowed {on <DEVICE-NAME>}
clear license lent to <DEVICE-NAME> {on <DEVICE-NAME>}
clear logging {on <DEVICE-NAME>}
clear mac-address-table {address|interface|mac-auth-state|vlan} {on <DEVICE-NAME>}
clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}
clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
clear mac-address-table interface [<IF-NAME>|ge <1-X>|port-channel <1-X>|t1e1 <1-4> <1-1>|up <1-X>|xge <1-4>] {on <DEVICE-NAME>}
clear mint mlcp history {on <DEVICE-NAME>}
clear role ldap-stats {on <DEVICE-NAME>}
clear rtls [aeroscout|ekahau]
clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}
clear spanning-tree detected-protocols {interface|on <DEVICE-NAME>}
clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-x>|me1|port-channel <1-x>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]} {on <DEVICE-NAME>}
clear traffic-shape statistics {class <1-4>} {(on <DEVICE-NAME>)}
clear vrrp [error-stats|stats] {on <DEVICE-NAME>}
The following clear command is specific to the NX95XX series service platforms:
clear logging analytics {on <DEVICE-NAME>}
Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 16 PRIVILEGED EXEC MODE COMMANDS

Parameters

clear arp-cache {on <DEVICE-NAME>}
  arp-cache             Clears Address Resolution Protocol (ARP) cache entries on a device. ARP maps layer 3 IP addresses to layer 2 MAC addresses.
  on <DEVICE-NAME>      Optional. Clears ARP cache entries on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear bonjour cache {on <DEVICE-NAME>}
  bonjour cache         Clears all Bonjour cached statistics. Once cleared, the system has to re-discover available Bonjour services.
  on <DEVICE-NAME>      Optional. Clears all Bonjour cached statistics on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear [cdp|lldp] neighbors {on <DEVICE-NAME>}
  cdp                   Clears Cisco Discovery Protocol (CDP) table entries.
  lldp                  Clears Link Layer Discovery Protocol (LLDP) neighbor table entries.
  neighbors             Clears CDP or LLDP neighbor table entries, depending on the option selected in the preceding step.
  on <DEVICE-NAME>      Optional. Clears CDP or LLDP neighbor table entries on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear counters [all|bridge|router|thread]
  counters              Clears counters on a system.
  all                   Clears all counters irrespective of the interface type.
  bridge                Clears bridge counters.
  router                Clears router counters.
  thread                Clears per-thread counters.

clear counters [ap|wireless-client] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  counters              Clears counters on a system.
  ap                    Clears access point wireless counters.
  wireless-client       Clears wireless client counters.
  The following keyword is common to the ap and wireless-client parameters:
  <MAC>                 Optional. Clears the counters of the AP or wireless client identified by the <MAC> keyword. Specify the MAC address of the AP or wireless client. If no MAC address is specified, the system clears all AP or wireless client counters.
  The following keyword is recursive and is applicable to the <MAC> parameter:
  on <DEVICE-OR-DOMAIN-NAME>  Optional. Clears AP or wireless client counters on a specified device or RF Domain.
                        <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. If no MAC address is specified, the system clears all AP or wireless client counters on the specified AP, wireless controller, service platform, or RF Domain.

clear counters interface [<INTERFACE-NAME>|all|ge <1-X>|me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]
  counters interface    Clears interface counters for a specified interface.
  <INTERFACE-NAME>      Clears the counters of a specified interface. Specify the interface name.
  all                   Clears all interface counters.
  ge <1-X>              Clears GigabitEthernet interface counters. Specify the GigabitEthernet interface index from 1 - X.
  me1                   Clears FastEthernet interface counters.
  port-channel <1-X>    Clears port-channel interface counters. Specify the port-channel interface index from 1 - X. Note: The number of port-channel interfaces supported varies by device type. For example, the RFS4000 supports 3 port-channels.
  pppoe1                Clears Point-to-Point Protocol over Ethernet (PPPoE) interface counters.
  vlan <1-4094>         Clears VLAN interface counters. Specify the Switch Virtual Interface (SVI) VLAN ID from 1 - 4094.
  wwan1                 Clears wireless WAN interface counters.
  xge <1-4>             Clears TenGigabitEthernet interface counters. Specify the TenGigabitEthernet interface index from 1 - 4.

clear counters radio {<MAC/HOSTNAME> <1-X>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  counters radio        Clears wireless radio counters.
  <MAC/HOSTNAME>        Optional. Clears the counters of the radio identified by the <MAC/HOSTNAME> keyword. Specify the hostname or MAC address. Optionally, append the interface number to form the radio ID, in the form AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX.
  <1-X>                 Optional. Specify the radio index (if not specified as part of the radio ID). The maximum number of radios supported varies with the access point type. If no MAC address or radio index is specified, the system clears all radio counters.
  The following keyword is recursive and is applicable to the <MAC/HOSTNAME> parameter:
  on <DEVICE-OR-DOMAIN-NAME>  Optional. Clears radio counters on a specified device or RF Domain. If no MAC address is specified, the system clears all radio counters on the specified AP, wireless controller, service platform, or RF Domain.
                        <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

clear crypto ike sa [<IP>|all] {on <DEVICE-NAME>}
  crypto                Clears the encryption module database.
  ike sa [<IP>|all]     Clears Internet Key Exchange (IKE) security associations (SAs).
                        <IP> Clears the IKE SAs for a specific peer.
                        all Clears the IKE SAs for all peers.
  on <DEVICE-NAME>      Optional. Clears IKE SA entries, for the specified peer or for all peers, on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear crypto ipsec sa {on <DEVICE-NAME>}
  crypto                Clears the encryption module database.
  ipsec sa              Clears Internet Protocol Security (IPsec) database SAs.
  on <DEVICE-NAME>      Optional. Clears IPsec SA entries on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear eguest registration statistics
  eguest registration statistics  Clears EGuest registration server counters. Once cleared, the EGuest registration details are deleted and the show > eguest > registration > statistics command output is empty. This command is applicable only to the NX95XX, NX9600, and VX9000 platforms.

clear event-history
  event-history         Clears event history cache entries. The event history is the device's own record of logins, logouts and system events (see show event-history in the Example below); capture it before clearing if it may be needed for an investigation, because the clear is not reversible.

clear firewall [dhcp snoop-table|dos stats|flows [ipv4|ipv6]|neighbors snoop-table] {on <DEVICE-NAME>}
  firewall              Clears firewall event entries.
  dhcp snoop-table      Clears DHCP snoop table entries.
  dos stats             Clears denial of service (DoS) statistics.
  flows [ipv4|ipv6]     Clears established IPv4 or IPv6 firewall sessions.
  neighbors snoop-table Clears IPv6 neighbor snoop-table entries.
  The following keyword is common to the dhcp, dos, and flows parameters:
  on <DEVICE-NAME>      Optional. Clears DHCP snoop table entries, DoS statistics, or established firewall sessions on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear gre stats {on <DEVICE-NAME>}
  gre stats             Clears GRE tunnel statistics.
  on <DEVICE-NAME>      Optional. Clears GRE tunnel statistics on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear ip bgp [<IP>|all|external] {in prefix-filter} {on <DEVICE-NAME>}
  ip bgp [<IP>|all|external]  Clears BGP routing table information, based on the option selected. This command is applicable only to the RFS4000, RFS6000, NX95XX, and NX9600 series platforms. After a change in routing policy, the BGP routing table entries must be cleared for the new policy to take effect.
                        <IP> Clears the BGP peer identified by the <IP> keyword. Specify the BGP peer's IP address.
                        all Clears route updates received from all BGP peers.
                        external Clears route updates received from external BGP peers.
  in                    Optional. Clears soft-reconfiguration inbound route updates.
  prefix-filter         Optional. Clears the existing Outbound Route Filtering (ORF) prefix-list.
  on <DEVICE-NAME>      Optional. Clears soft-reconfiguration inbound route updates on a specified device.
                        <DEVICE-NAME> Specify the name of the AP or service platform.

clear ip bgp [<IP>|all|external] {out} {(on <DEVICE-NAME>)}
  ip bgp [<IP>|all|external]  Clears BGP routing table information, based on the option selected. This command is applicable only to the RFS4000, RFS6000, and NX95XX series platforms. After a change in routing policy, the BGP routing table entries must be cleared for the new policy to take effect.
                        <IP> Clears the BGP peer identified by the <IP> keyword. Specify the BGP peer's IP address.
                        all Clears route updates received from all BGP peers.
                        external Clears route updates received from external BGP peers.
  out                   Optional. Clears soft-reconfiguration outbound route updates.
  The following keyword is recursive and optional:
  on <DEVICE-NAME>      Optional. Clears BGP sessions on a specified device.
                        <DEVICE-NAME> Specify the name of the AP or service platform.

clear ip bgp [<IP>|all|external] {soft {in|out}} {on <DEVICE-NAME>}
  ip bgp [<IP>|all|external]  Clears BGP routing table information, based on the option selected. This command is applicable only to the RFS4000, RFS6000, and NX95XX series platforms. After a change in routing policy, the BGP routing table entries must be cleared for the new policy to take effect.
                        <IP> Clears the BGP peer identified by the <IP> keyword. Specify the BGP peer's IP address.
                        all Clears route updates received from all BGP peers.
                        external Clears route updates received from external BGP peers.
  soft {in|out}         Optional. Enables soft reconfiguration of route updates for the selected peer(s). This option allows routing tables to be rebuilt without tearing down BGP sessions.
                        in Optional. Enables soft reconfiguration of inbound route updates.
                        out Optional. Enables soft reconfiguration of outbound route updates.
                        Modifications made to BGP settings (BGP access lists, weight, distance, route-maps, versions, routing policy, etc.) take effect only after the ongoing BGP sessions are cleared. The clear > ip > bgp command clears BGP sessions. To reduce the loss of route updates during the process, use the soft option. Soft reconfiguration stores inbound/outbound route updates, which are processed later and applied to the routing table. This increases memory usage.
  on <DEVICE-NAME>      Optional. Clears soft-reconfiguration inbound/outbound route updates on a specified device.
                        <DEVICE-NAME> Specify the name of the AP or service platform.

clear ip bgp process {on <DEVICE-NAME>}
  ip bgp process        Clears all running BGP processes. This command is applicable only to the RFS4000, RFS6000, NX95XX, and NX9600 platforms.
  on <DEVICE-NAME>      Optional. Clears all BGP processes on a specified device.
                        <DEVICE-NAME> Specify the name of the AP or service platform.

clear ip dhcp bindings [<IP>|all] {on <DEVICE-NAME>}
  ip dhcp bindings      Clears a Dynamic Host Configuration Protocol (DHCP) server's IP address binding entries.
  <IP>                  Clears a specific address binding entry. Specify the IP address whose binding entry is to be cleared.
  all                   Clears all address binding entries.
  on <DEVICE-NAME>      Optional. Clears the specified address binding, or all address bindings, on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear ip ospf process {on <DEVICE-NAME>}
  ip ospf process       Clears an already enabled Open Shortest Path First (OSPF) process and restarts it. OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), such as an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet layer, which makes routing decisions based solely on the destination IP address found in each IP packet.
  on <DEVICE-NAME>      Optional. Clears the OSPF process on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear ipv6 neighbor-cache {on <DEVICE-NAME>}
  ipv6 neighbor-cache   Clears IPv6 neighbor cache entries.
  on <DEVICE-NAME>      Optional. Clears IPv6 neighbor cache entries on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear lacp [<1-4> counters|counters]
  lacp                  Clears Link Aggregation Control Protocol (LACP) counters for a specified port-channel group, or for all configured port-channel groups.
  <1-4> counters        Clears LACP counters for a specified port-channel. Specify the port-channel index from 1 - 4. Note: LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. The NX9500 series service platforms support only two (2) port-channels; the other model service platforms support four (4) port-channels.
  counters              Clears LACP counters for all configured port-channels on the device.

clear l2tpv3-stats tunnel <L2TPV3-TUNNEL-NAME> {session <SESSION-NAME>} {(on <DEVICE-NAME>)}
  l2tpv3-stats tunnel <L2TPV3-TUNNEL-NAME>  Clears L2TPv3 tunnel session statistics for all sessions associated with the specified L2TPv3 tunnel.
                        <L2TPV3-TUNNEL-NAME> Specify the L2TPv3 tunnel name.
  session <SESSION-NAME>  Optional. Clears only the L2TPv3 tunnel session identified by the <SESSION-NAME> keyword.
                        <SESSION-NAME> Specify the session name.
  The following parameter is recursive and optional:
  on <DEVICE-NAME>      Optional. Specifies the device running the L2TPv3 tunnel session.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. If no optional parameters are specified, the system clears all L2TPv3 tunnel session statistics.

clear license borrowed {on <DEVICE-NAME>}
  license borrowed      Releases or revokes all licenses borrowed by a site controller.
  on <DEVICE-NAME>      Optional. Specifies the borrowing controller's name.
                        <DEVICE-NAME> Specify the wireless controller's name. If no device name is specified, the system clears all borrowed licenses on the logged-in device.

clear license lent to <DEVICE-NAME> {on <DEVICE-NAME>}
  license lent to <DEVICE-NAME>  The NOC controller releases or revokes all licenses loaned to a site controller. Specifies the borrowing controller's name.
                        <DEVICE-NAME> Specify the controller's name.
  on <DEVICE-NAME>      Optional. Specifies the controller's name.
                        <DEVICE-NAME> Specify the wireless controller's name. If no device name is specified, the system clears all loaned licenses on the logged-in device.

clear mac-address-table {address <MAC>|vlan <1-4094>} {on <DEVICE-NAME>}
  mac-address-table     Clears the MAC address forwarding table.
  address <MAC>         Optional. Clears a specified MAC address from the MAC address table.
                        <MAC> Specify the MAC address in one of the following formats: AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF, or AABB.CCDD.EEFF.
  vlan <1-4094>         Optional. Clears all MAC addresses for a specified VLAN.
                        <1-4094> Specify the VLAN ID from 1 - 4094.
  on <DEVICE-NAME>      Optional. Clears a single entry, or all MAC entries for the specified VLAN, in the MAC address forwarding table on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear mac-address-table interface [<IF-NAME>|ge <1-X>|port-channel <1-X>|t1e1 <1-4> <1-1>|up <1-X>|xge <1-4>] {on <DEVICE-NAME>}
  mac-address-table interface  Clears the MAC address forwarding table. Clears all MAC addresses for the selected interface. Use the options available to specify the interface.
  <IF-NAME>             Clears the MAC address forwarding table for the specified layer 2 interface (Ethernet port). Specify the layer 2 interface name.
  ge <1-X>              Clears the MAC address forwarding table for the specified GigabitEthernet interface. Specify the GigabitEthernet interface index from 1 - X.
  port-channel <1-X>    Clears the MAC address forwarding table for the specified port-channel interface. Specify the port-channel interface index from 1 - X.
  up <1-X>              Clears the MAC address forwarding table for the WAN Ethernet interface. The number of WAN Ethernet interfaces supported varies between devices. The RFS4000 and RFS6000 support 1 WAN Ethernet interface.
  xge <1-4>             Clears the MAC address forwarding table for the specified TenGigabitEthernet interface. Specify the TenGigabitEthernet interface index from 1 - 4.
  on <DEVICE-NAME>      Optional. Clears the MAC address forwarding table, for the selected interface, on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear mac-address-table mac-auth-state address <MAC> vlan <1-4094> {on <DEVICE-NAME>}
  mac-address-table mac-auth-state address <MAC> vlan <1-4094>  Clears MAC addresses learned on a particular VLAN when WLAN MAC authentication with captive-portal fallback is enabled. Access points and controllers grant WLAN access to clients whose MAC addresses have been learned and stored in their MAC address tables. Use this command to clear a specified MAC address from the MAC address table. Once cleared, the client has to re-authenticate, and is granted access only on successful authentication.
                        <MAC> Specify the MAC address to clear.
                        vlan <1-4094> Specify the VLAN interface from 1 - 4094. The specified MAC address is cleared on the specified VLAN interface in the AP's or controller's MAC address table.
  on <DEVICE-NAME>      Optional. Clears the specified MAC address on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform. If no device is specified, the system clears the MAC address from the MAC address tables of all devices.

clear mint mlcp history {on <DEVICE-NAME>}
  mint                  Clears MiNT related information.
  mlcp history          Clears MiNT Link Creation Protocol (MLCP) client history.
  on <DEVICE-NAME>      Optional. Clears MLCP client history on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear role ldap-stats {on <DEVICE-NAME>}
  role ldap-stats       Clears role-based Lightweight Directory Access Protocol (LDAP) server statistics.
  on <DEVICE-NAME>      Optional. Clears role-based LDAP server statistics on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear rtls [aeroscout|ekahau] {<MAC/DEVICE-NAME> {on <DEVICE-OR-DOMAIN-NAME>}|on <DEVICE-OR-DOMAIN-NAME>}
  rtls                  Clears Real Time Location Service (RTLS) statistics.
  aeroscout             Clears RTLS Aeroscout statistics.
  ekahau                Clears RTLS Ekahau statistics.
  The following keywords are common to the aeroscout and ekahau parameters:
  <MAC/DEVICE-NAME>     Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified AP, wireless controller, or service platform. Specify the AP's MAC address or hostname.
  on <DEVICE-OR-DOMAIN-NAME>  Optional. Clears Aeroscout or Ekahau RTLS statistics on a specified device or RF Domain.
                        <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

clear spanning-tree detected-protocols {on <DEVICE-NAME>}
  spanning-tree detected-protocols  Clears the spanning tree protocols detected on an interface and restarts protocol migration.
  on <DEVICE-NAME>      Optional. Clears detected spanning tree protocols on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear spanning-tree detected-protocols {interface [<INTERFACE-NAME>|ge <1-X>|me1|port-channel <1-X>|pppoe1|vlan <1-4094>|wwan1|xge <1-4>]} {on <DEVICE-NAME>}
  spanning-tree detected-protocols  Clears the spanning tree protocols detected on an interface and restarts protocol migration.
  interface             Optional. Clears detected spanning tree entries on the selected interface.
                        <INTERFACE-NAME> Clears detected spanning tree entries on a specified interface. Specify the interface name.
                        ge <1-X> Clears detected spanning tree entries for the selected GigabitEthernet interface. Select the GigabitEthernet interface index from 1 - X.
                        me1 Clears FastEthernet interface spanning tree entries.
                        port-channel <1-X> Clears detected spanning tree entries for the selected port-channel interface. Select the port-channel index from 1 - X. The number of port-channel interfaces supported varies by device type. For example, the RFS4000 supports 3 port-channels.
                        pppoe1 Clears detected spanning tree entries for the PPPoE interface.
                        vlan <1-4094> Clears detected spanning tree entries for the selected VLAN interface. Select an SVI VLAN ID from 1 - 4094.
                        wwan1 Clears detected spanning tree entries for the wireless WAN interface.
                        xge <1-4> Clears detected spanning tree entries for the selected TenGigabitEthernet interface. Specify the TenGigabitEthernet interface index from 1 - 4.
  on <DEVICE-NAME>      Optional. Clears detected spanning tree protocol entries on a selected device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

clear traffic-shape statistics {class <1-4>} {(on <DEVICE-NAME>)}
  traffic-shape statistics  Clears traffic shaping statistics.
  class <1-4>           Optional. Clears traffic shaping statistics for a specific traffic class.
                        <1-4> Specify the traffic class from 1 - 4. Note: If the traffic class is not specified, the system clears all traffic shaping statistics.
  on <DEVICE-NAME>      Optional. Clears traffic shaping statistics for the specified traffic class on a specified device.
                        <DEVICE-NAME> Specify the name of the access point, wireless controller, or service platform. Note: For more information on configuring traffic-shape, see interface.

clear vrrp [error-stats|stats] {on <DEVICE-NAME>}
  vrrp                  Clears Virtual Router Redundancy Protocol (VRRP) statistics for a device.
  error-stats {on <DEVICE-NAME>}  Clears VRRP global error statistics.
                        on <DEVICE-NAME> Optional. Clears VRRP global error statistics on a selected device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
  stats {on <DEVICE-NAME>}  Clears VRRP related statistics.
                        on <DEVICE-NAME> Optional. Clears VRRP related statistics on a selected device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example

rfs4000-229D58#clear crypto ike sa all
rfs4000-229D58#show crypto ike sa
-----------------------------------------------------------------------------------------
IDX   PEER   VERSION   ENCR ALGO   HASH ALGO   DH GROUP   IKE STATE
-----------------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------
Total IKE SAs: 0
rfs4000-229D58#
rfs6000-81742D#clear spanning-tree detected-protocols interface port-channel 1
rfs6000-81742D#clear ip dhcp bindings 172.16.10.9
rfs6000-81742D#clear cdp neighbors

rfs4000-229D58#clear spanning-tree detected-protocols interface ge 1
rfs4000-229D58#clear lldp neighbors

rfs6000-81742D#show event-history
EVENT HISTORY REPORT Generated on '2017-04-04 13:49:57 IST' by 'admin'
2017-04-04 13:37:31 rfs6000-81742D SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-04-04 13:15:19 rfs6000-81742D SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.13.10'
2017-04-04 13:09:47 rfs6000-81742D LICMGR LIC_AP_AAP_DEPLETED Depleted AP/AAP license count: 1
2017-04-04 13:09:47 rfs6000-81742D LICMGR LIC_AP_AAP_DEPLETED Depleted AP/AAP license count: 1
--More--
rfs6000-81742D#

rfs6000-81742D#clear event-history
rfs6000-81742D#show event-history
EVENT HISTORY REPORT Generated on '2017-04-04 13:51:27 IST' by 'admin'
rfs6000-81742D#
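Because clear event-history discards the only on-box record of who logged in and from where, the report is worth parsing and keeping before the clear. The following is an added example, not code from this guide or from Extreme Networks: it assumes only the line layout visible in the report above (timestamp, device hostname, module, event name, free-text message with quoted user/privilege/from attributes). The sample report is constructed from the lines shown on this page, and the review rules in flag_events() are this example's own choice, not anything the platform defines.

```python
"""Parse WiNG 'show event-history' output before 'clear event-history' wipes it.

Added example; not code from the CLI guide or from Extreme Networks. Assumed
line layout (from the guide's own example output):
  <YYYY-MM-DD HH:MM:SS> <device> <module> <event> <free-text message>
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample: the report shown on the page, with the pager marker and
# the trailing prompt kept so the parser has to skip them.
SAMPLE_REPORT = """\
EVENT HISTORY REPORT Generated on '2017-04-04 13:49:57 IST' by 'admin'
2017-04-04 13:37:31 rfs6000-81742D SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-04-04 13:15:19 rfs6000-81742D SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.13.10'
2017-04-04 13:09:47 rfs6000-81742D LICMGR LIC_AP_AAP_DEPLETED Depleted AP/AAP license count: 1
2017-04-04 13:09:47 rfs6000-81742D LICMGR LIC_AP_AAP_DEPLETED Depleted AP/AAP license count: 1
--More--
rfs6000-81742D#
"""

# One event line; everything after the event name is free text.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) (?P<module>\S+) (?P<event>\S+) (?P<msg>.*)$"
)
# Quoted attributes inside the message, e.g. user 'admin' ... from 'ssh'.
FIELD_RE = re.compile(r"\b(user|privilege|from) '([^']*)'")


@dataclass
class Event:
    ts: datetime
    device: str
    module: str
    event: str
    msg: str
    fields: Dict[str, str]  # user / privilege / from, when present


def parse_event_history(text: str) -> List[Event]:
    """Return the event lines of a report in the order printed (newest first).

    Header, '--More--' pager and prompt lines are skipped rather than treated
    as errors, because real captures always carry them."""
    events = []
    for raw in text.splitlines():
        m = EVENT_RE.match(raw.strip())
        if not m:
            continue
        events.append(Event(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            device=m["device"], module=m["module"], event=m["event"],
            msg=m["msg"], fields=dict(FIELD_RE.findall(m["msg"])),
        ))
    return events


def flag_events(events: List[Event]) -> List[Tuple[Event, str]]:
    """This example's own review rules: every superuser login with its source,
    and every LICMGR depletion event. Returns (event, reason) pairs."""
    flagged = []
    for ev in events:
        if ev.event == "LOGIN" and ev.fields.get("privilege") == "superuser":
            flagged.append((ev, "superuser login from " + ev.fields.get("from", "?")))
        elif ev.module == "LICMGR" and ev.event.endswith("_DEPLETED"):
            flagged.append((ev, "license pool depleted: " + ev.msg))
    return flagged


if __name__ == "__main__":
    for ev, reason in flag_events(parse_event_history(SAMPLE_REPORT)):
        print(ev.ts.isoformat(), ev.device, reason)
```

Feed it the captured output of show event-history (paged output included) and archive both the raw capture and the parsed events; only then run clear event-history.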
rfs6000-81742D#show mac-address-table
--------------------------------------------------------
BRIDGE   VLAN   PORT   MAC                 STATE
--------------------------------------------------------
1        1      up1    00-02-B3-28-D1-55   forward
1        1      up1    00-0F-8F-19-BA-4C   forward
1        1      up1    84-24-8D-80-C2-AC   forward
1        1      up1    84-24-8D-80-BF-34   forward
1        1      up1    1C-7E-E5-18-FA-67   forward
1        1      up1    84-24-8D-83-30-A4   forward
1        1      up1    B4-C7-99-DD-31-C8   forward
1        1      up1    B4-C7-99-6C-88-09   forward
1        1      up1    00-18-71-D0-1B-F3   forward
1        1      up1    B4-C7-99-71-17-28   forward
1        1      up1    FC-0A-81-42-93-6C   forward
1        1      up1    B4-C7-99-6D-CD-4B   forward
1        1      up1    84-24-8D-84-A2-24   forward
1        1      up1    3C-CE-73-F4-47-83   forward
1        1      up1    B4-C7-99-74-B4-5C   forward
--------------------------------------------------------
Total number of MACs displayed: 15
rfs6000-81742D#
rfs6000-81742D#clear mac-address-table address 3C-CE-73-F4-47-83 on rfs6000-81742D
rfs6000-81742D#show mac-address-table
--------------------------------------------------------
BRIDGE   VLAN   PORT   MAC                 STATE
--------------------------------------------------------
1        1      up1    00-02-B3-28-D1-55   forward
1        1      up1    00-0F-8F-19-BA-4C   forward
1        1      up1    84-24-8D-80-C2-AC   forward
1        1      up1    84-24-8D-80-BF-34   forward
1        1      up1    1C-7E-E5-18-FA-67   forward
1        1      up1    84-24-8D-83-30-A4   forward
1        1      up1    B4-C7-99-DD-31-C8   forward
1        1      up1    B4-C7-99-6C-88-09   forward
1        1      up1    00-18-71-D0-1B-F3   forward
1        1      up1    B4-C7-99-71-17-28   forward
1        1      up1    FC-0A-81-42-93-6C   forward
1        1      up1    B4-C7-99-6D-CD-4B   forward
1        1      up1    84-24-8D-84-A2-24   forward
1        1      up1    B4-C7-99-74-B4-5C   forward
--------------------------------------------------------
Total number of MACs displayed: 14
rfs6000-81742D#
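The before/after tables above are the check that matters when a MAC entry is cleared (for mac-auth-state entries, that the client really has been forced back to authentication): the cleared address must be gone and nothing else may have changed. The following is an added example, not code from this guide or from Extreme Networks. It parses two captures of show mac-address-table in the column layout shown above, accepts a MAC in any of the three formats the clear mac-address-table address command takes, and reports whether the clear did exactly what was asked. The two captures are constructed, shortened versions of the tables on this page.

```python
"""Diff two 'show mac-address-table' captures around a 'clear mac-address-table'.

Added example; not code from the CLI guide or from Extreme Networks. Assumes
the column layout shown in the guide: BRIDGE VLAN PORT MAC STATE, dashed
separator lines, and a 'Total number of MACs displayed: N' trailer.
"""
import re
from typing import Dict, NamedTuple, Set, Tuple

# Constructed captures: a 4-entry subset of the page's 15-entry table, before
# and after 'clear mac-address-table address 3C-CE-73-F4-47-83'.
BEFORE = """\
rfs6000-81742D#show mac-address-table
--------------------------------------------------------
BRIDGE   VLAN   PORT   MAC                 STATE
--------------------------------------------------------
1        1      up1    00-02-B3-28-D1-55   forward
1        1      up1    00-0F-8F-19-BA-4C   forward
1        1      up1    3C-CE-73-F4-47-83   forward
1        1      up1    B4-C7-99-74-B4-5C   forward
--------------------------------------------------------
Total number of MACs displayed: 4
rfs6000-81742D#
"""
AFTER = """\
rfs6000-81742D#show mac-address-table
--------------------------------------------------------
BRIDGE   VLAN   PORT   MAC                 STATE
--------------------------------------------------------
1        1      up1    00-02-B3-28-D1-55   forward
1        1      up1    00-0F-8F-19-BA-4C   forward
1        1      up1    B4-C7-99-74-B4-5C   forward
--------------------------------------------------------
Total number of MACs displayed: 3
rfs6000-81742D#
"""


class MacEntry(NamedTuple):
    bridge: int
    vlan: int
    port: str
    mac: str    # canonical AA-BB-CC-DD-EE-FF
    state: str


ROW_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\S+)\s+([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})\s+(\S+)$")
TOTAL_RE = re.compile(r"^Total number of MACs displayed:\s+(\d+)$")


def normalize_mac(mac: str) -> str:
    """Canonical form for the three formats the CLI accepts:
    AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF and AABB.CCDD.EEFF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).upper()
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> Dict[str, MacEntry]:
    """Return entries keyed by canonical MAC. The trailer count is checked
    against what was parsed, so a truncated or paged capture is rejected
    instead of silently passing as 'entry gone'."""
    entries: Dict[str, MacEntry] = {}
    total = None
    for line in text.splitlines():
        line = line.strip()
        m = ROW_RE.match(line)
        if m:
            e = MacEntry(int(m[1]), int(m[2]), m[3], normalize_mac(m[4]), m[5])
            entries[e.mac] = e
            continue
        t = TOTAL_RE.match(line)
        if t:
            total = int(t[1])
    if total is not None and total != len(entries):
        raise ValueError("trailer says %d entries, parsed %d" % (total, len(entries)))
    return entries


def diff_tables(before: Dict[str, MacEntry], after: Dict[str, MacEntry]) -> Tuple[Set[str], Set[str]]:
    """(removed, added) MAC sets between two captures."""
    return set(before) - set(after), set(after) - set(before)


def verify_clear(before_text: str, after_text: str, cleared_mac: str) -> bool:
    """True only if the cleared MAC is gone and no other entry changed."""
    removed, added = diff_tables(parse_mac_table(before_text), parse_mac_table(after_text))
    return removed == {normalize_mac(cleared_mac)} and not added


if __name__ == "__main__":
    print("clear verified:", verify_clear(BEFORE, AFTER, "3c:ce:73:f4:47:83"))
```

Run it against the two captures taken either side of the clear; a False result with the address still present usually means the station re-sent traffic and was relearned on the same port, which is what you should expect to see if the client can reach the network without re-authenticating.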
3.1.7 clock

Sets a device's system clock.

By default all WiNG devices are shipped with the time zone set to UTC and the time format set to the 24-hour clock. If a device's clock is set without resetting the time zone, the time is displayed relative to Coordinated Universal Time (UTC). To display time in the local time zone, use the timezone command in the device's configuration mode to reset the time zone. You can also reset the time zone at the RF Domain level; when configured as an RF Domain setting, it applies to all devices within the domain. Configuring the local time zone before setting the clock is recommended. For more information on configuring the RF Domain time zone, see timezone.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}

Parameters

clock set <HH:MM:SS> <1-31> <MONTH> <1993-2035> {on <DEVICE-NAME>}
  clock set             Sets a device's system clock.
  <HH:MM:SS>            Sets the current time (in 24-hour format: hours, minutes and seconds). Note: By default the WiNG software displays time in the 24-hour clock format. This setting cannot be changed.
  <1-31>                Sets the numerical day of the month.
  <MONTH>               Sets the month of the year, from Jan - Dec.
  <1993-2035>           Sets a valid four-digit year from 1993 - 2035.
  on <DEVICE-NAME>      Optional. Sets the clock on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example

The following commands set the time zone and clock for the logged-in device:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#timezone America/Los_Angeles
nx9500-6C8809#clock set 00:25:10 16 Jan 2017
nx9500-6C8809#show clock
2017-01-16 03:31:16 IST
nx9500-6C8809#
3.1.8 cluster

Initiates the cluster context. The cluster context provides centralized management, so that all cluster members can be configured from any one member. Commands executed under this context are executed on all members of the cluster.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

cluster start-election

Parameters

cluster start-election
  start-election        Starts a new cluster master election.

Example

rfs4000-880DA7#cluster start-election
rfs4000-880DA7#

Related Commands
  create-cluster        Creates a new cluster on a specified device.
  join-cluster          Adds a controller, as a cluster member, to an existing cluster of devices.

3.1.9 configure

Enters configuration mode. Use this command to enter the current device's configuration mode, or to enable configuration from the terminal.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

configure {self|terminal}

Parameters

configure {self|terminal}
  self                  Optional. Enters the current device's configuration mode.
  terminal              Optional. Enables configuration from the terminal.

Example

rfs6000-81742D#configure self
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-81742D(config-device-00-15-70-81-74-2D)#

rfs6000-81742D#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-81742D(config)#
3.1.10 connect

Begins a console connection to a remote device, using the remote device's MiNT ID or name. As the example shows, the remote device still presents its own login prompt; reaching it over MiNT does not bypass its authentication.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]

Parameters

connect [mint-id <MINT-ID>|<REMOTE-DEVICE-NAME>]
  mint-id <MINT-ID>     Connects to a remote system using its MiNT ID.
                        <MINT-ID> Specify the remote device's MiNT ID.
  <REMOTE-DEVICE-NAME>  Connects to a remote system using its name.
                        <REMOTE-DEVICE-NAME> Specify the remote device's name.

Example

nx9500-6C8809#show mint lsp-db
9 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 8 adjacencies, seqnum 1294552
LSP 19.6D.B5.D4 at level 1, hostname "rfs6000-81742D", 8 adjacencies, seqnum 1915721
LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 8 adjacencies, seqnum 1468227
LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 8 adjacencies, seqnum 649241
LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 8 adjacencies, seqnum 202818
LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 8 adjacencies, seqnum 380337
LSP 68.88.0D.A7 at level 1, hostname "rfs4000-880DA7", 8 adjacencies, seqnum 1494520
LSP 68.99.BB.7C at level 1, hostname "ap7131-99BB7C", 8 adjacencies, seqnum 831529
nx9500-6C8809#

nx9500-6C8809#connect mint-id ?
  MINT-ID  MiNT ID of device to connect to
nx9500-6C8809#connect mint-id 19.6D.B5.D4
Entering character mode
Escape character is '^]'.
RFS6000 release 5.9.0.0-012D
rfs6000-81742D login: admin
Password:
rfs6000-81742D>
Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 31 PRIVILEGED EXEC MODE COMMANDS

3.1.11 copy
Privileged Exec Mode Commands

Copies a file (config, log, txt, etc.) from any location to the access point, wireless controller, or service platform, and vice versa.

NOTE: Copying a new config file to an existing running-config file merges it with the existing running-config file on the wireless controller. Both the existing running-config and the new config file are applied as the current running-config. Because the copy is a merge, any setting present in the running-config but absent from the new file (for example, an enabled management service) stays in effect; the new file must carry an explicit "no" line to remove it. Copying a new config file to a start-up config file replaces the existing start-up config file with the parameters of the new file. It is better to erase the existing start-up config file and then copy the new config file to the startup config.

Supported in the following platforms:
Access Points           AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]

Parameters
copy [<SOURCE-FILE>|<SOURCE-URL>] [<DESTINATION-FILE>|<DESTINATION-URL>]

<SOURCE-FILE>          Specify the source file to copy.
<SOURCE-URL>           Specify the source file's location (URL).
<DESTINATION-FILE>     Specify the destination file to copy to.
<DESTINATION-URL>      Specify the destination file's location (URL).

tftp, ftp and http move the file (and any credentials embedded in the URL) in cleartext; use sftp when the file is a configuration, key or trustpoint.

Example
Transferring file snmpd.log to remote TFTP server.
rfs6000-81742D#copy flash:/log/snmpd.log tftp://10.233.89.183:/snmpd.log

Accessing running-config file from remote TFTP server into switch running-config.
rfs6000-81742D#copy tftp://10.233.89.183:/running-config running-config

3.1.12 cpe
Privileged Exec Mode Commands

Enables a WiNG controller to perform certain operations on Customer Premises Equipment (CPEs) through an adopted T5 controller.

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use a Digital Subscriber Line (DSL) as their high speed Internet access mechanism using the CPE's physical wallplate connection and phone jack.

Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cpe [boot|reload|upgrade]

cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}
cpe [reload|upgrade <IMAGE-LOCATION>] cpe [<1-24>|all] {on <T5-DEVICE-NAME>}
NOTE: These commands can also be executed on the T5 profile and device context. For more information, see T5 Profile Config Commands.

Parameters
cpe boot system cpe [<1-24>|all] [primary|secondary] {on <T5-DEVICE-NAME>}

cpe boot system             Changes the image used by a CPE to boot. When reloading, the CPE uses the specified image.
cpe [<1-24>|all]            Identifies the CPE(s) on which this change is implemented
  <1-24>                    Reloads only those CPEs whose IDs have been specified. Specify the ID from 1 - 24.
  all                       Reloads all CPEs
[primary|secondary]         Select the next boot image
  primary                   Uses the primary image when reloading
  secondary                 Uses the secondary image when reloading
on <T5-DEVICE-NAME>         Optional. Performs this operation on a specified T5 device
  <T5-DEVICE-NAME>          Specify the T5 device's hostname.

cpe [reload|upgrade <IMAGE-LOCATION>] cpe [<1-24>|all] {on <T5-DEVICE-NAME>}

cpe [reload|upgrade <IMAGE-LOCATION>]   Performs the following operations on CPEs
  reload                    Reloads the device
  upgrade <IMAGE-LOCATION>  Upgrades the device
    <IMAGE-LOCATION>        Specify the location of the firmware image. Both IPv4 and IPv6 addresses are supported. Use one of the following options to provide the location:
      IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        http://<hostname|IP>[:port]/path/file
        cf:/path/file
        usb<n>:/path/file
      IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        http://<hostname|[IPv6]>[:port]/path/file
cpe [<1-24>|all]            Note: After specifying the operation to perform, identify the device(s). Identifies the CPE(s) on which the operation is performed
  <1-24>                    Configures the CPE's ID from 1 - 24
  all                       Configures all CPEs
on <T5-DEVICE-NAME>         Optional. Performs this operation on a specified T5 device
  <T5-DEVICE-NAME>          Specify the T5 device's hostname.

Example
nx9500-6C8809#show t5 cpe boot on t5-ED7C6C
----------------------------------------------------------------------------------------------------
DEVICE   PRIMARY VERSION   SECONDARY VERSION   NEXT BOOT   UPGRADE STATUS   UPGRADE PROGRESS %
----------------------------------------------------------------------------------------------------
cpe1     5.4.2.0-010R      5.4.2.0-006B        primary     none             0
cpe2     5.4.2.0-010R      5.4.2.0-006B        primary     none             0
----------------------------------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#cpe boot system cpe 1 secondary on t5-ED7C6C
Updated T5 CPE system boot partition
nx9500-6C8809#

3.1.13 create-cluster
Privileged Exec Mode Commands

Creates a new device cluster, with the specified name, and assigns it an IP address and routing level.

A cluster (or redundancy group) is a set of controllers or service platforms (nodes) uniquely defined by a profile configuration. Within the cluster, members discover and establish connections to other members and provide wireless network self-healing support in the event of a member's failure. A cluster's load is typically distributed evenly amongst its members. An administrator needs to define how often the profile is load balanced for radio distribution, as radios can come and go and members join and exit the cluster.

Supported in the following platforms:
Access Points           AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

Parameters
create-cluster name <CLUSTER-NAME> ip <IP> {level [1|2]}

create-cluster              Creates a cluster
name <CLUSTER-NAME>         Configures the cluster name
  <CLUSTER-NAME>            Specify a cluster name. Define a name for the cluster that is unique to its configuration or profile support requirements. The name cannot exceed 64 characters.
ip <IP>                     Specifies the device's IP address used for cluster creation
  <IP>                      Specify the device's IP address in the A.B.C.D format.
level [1|2]                 Optional. Configures the routing level for this cluster
  1                         Configures level 1 (local) routing
  2                         Configures level 2 (inter-site) routing

Example
rfs4000-229D58#create-cluster name TechPubs ip 192.168.13.8 level 2
... creating cluster
... committing the changes
... saving the changes Please Wait .
[OK]
rfs4000-229D58#
rfs4000-229D58#show cluster configuration
Cluster Configuration Information
  Name                         : TechPubsLAN
  Configured Mode              : Active
  Master Priority              : 128
  Force configured state       : Disabled
  Force configured state delay : 5 minutes
  Handle STP                   : Disabled
  Radius Counter DB Sync Time  : 5 minutes
rfs4000-229D58#
rfs4000-229D58#show context
!
! Configuration of RFS4000 version 5.9.1.0-012D
!
!
version 2.5
!
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 alg sip
!
!
mint-policy global-default
 router packet priority 6
!
radio-qos-policy default
!
!
management-policy default
 telnet
 http server
 https server
 no ftp
--More--
rfs4000-229D58#
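The show context output above lists a management-policy with telnet, http server and https server all enabled. The note under copy (3.1.11) states that copying a config file onto running-config merges it with what is already running, whereas copying onto startup-config replaces it. The script below is an added example, not from this guide or from the WiNG software: it models that difference for the stanza format shown by show context (unindented header, indented settings, a "no" prefix to negate one). The merge and replace rules it implements are an assumption for illustration, and the three config texts are constructed.

```python
"""Merge vs replace when copying a config onto running-config vs startup-config.

Added example, not from the CLI Reference Guide or WiNG. It models the copy
note's semantics for the stanza format shown by `show context`: an unindented
stanza header, indented settings, and a `no ` prefix to negate one. The merge
and replace rules below are an illustrative assumption, not WiNG's code.
"""
from collections import OrderedDict

# Constructed sample: the running config, carrying the management-policy the
# guide's `show context` output shows (telnet and http left enabled).
RUNNING_CONFIG = """\
!
firewall-policy default
 no ip dos tcp-sequence-past-window
 alg sip
!
management-policy default
 telnet
 http server
 https server
 no ftp
!
"""

# Constructed sample: a "hardening" file that only lists the services wanted.
# Nothing in it says `no telnet` or `no http server`.
NEW_CONFIG_IMPLICIT = """\
!
management-policy default
 https server
 no ftp
!
"""

# Constructed sample: the same intent with the removals spelled out.
NEW_CONFIG_EXPLICIT = """\
!
management-policy default
 no telnet
 no http server
 https server
 no ftp
!
"""


def parse_config(text):
    """Return {stanza header: {setting key: enabled}}.

    The key is the setting with any leading `no ` stripped, so `telnet` and
    `no telnet` map to the same key with opposite values.
    """
    stanzas = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if raw[0] not in " \t":            # unindented: a stanza header
            current = line
            stanzas.setdefault(current, OrderedDict())
        elif current is None:
            raise ValueError("setting outside any stanza: %r" % raw)
        elif line.startswith("no "):
            stanzas[current][line[3:]] = False
        else:
            stanzas[current][line] = True
    return stanzas


def merge(running, new):
    """copy ... running-config: both files stay in effect. A setting named in
    `new` overrides the running value; anything `new` is silent about survives."""
    merged = OrderedDict((k, OrderedDict(v)) for k, v in running.items())
    for stanza, settings in new.items():
        merged.setdefault(stanza, OrderedDict()).update(settings)
    return merged


def replace(running, new):
    """copy ... startup-config: only the new file counts."""
    return OrderedDict((k, OrderedDict(v)) for k, v in new.items())


def enabled_services(config, stanza="management-policy default"):
    """Settings left enabled in one stanza, in config order."""
    return [k for k, on in config.get(stanza, {}).items() if on]


if __name__ == "__main__":
    running = parse_config(RUNNING_CONFIG)
    for label, text in (("implicit", NEW_CONFIG_IMPLICIT),
                        ("explicit", NEW_CONFIG_EXPLICIT)):
        new = parse_config(text)
        print("%-8s merge   -> %s" % (label, enabled_services(merge(running, new))))
        print("%-8s replace -> %s" % (label, enabled_services(replace(running, new))))
```

With the implicit file, merge still reports telnet and http server enabled: a hardening file that only lists the wanted services never turns the unwanted ones off on a merge. Either carry the explicit "no" lines, or follow the guide's advice to erase the startup-config and copy the new file there, where replace semantics apply.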
Related Commands
cluster         Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
join-cluster    Adds a wireless controller, access point, or service platform, as a cluster member, to an existing cluster of devices

3.1.14 crypto
Privileged Exec Mode Commands

Enables digital certificate configuration and RSA Keypair management. Digital certificates are issued by CAs and contain user or device specific information, such as name, public key, IP address, serial number, company name, etc. Use this command to generate, delete, export, or import encrypted RSA Keypairs and generate a Certificate Signing Request (CSR). This command also enables trustpoint configuration. Trustpoints contain the CA's identity and configuration parameters.

Supported in the following platforms:
Access Points           AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto [key|pki]
crypto key [export|generate|import|zeroize]
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|on|passphrase}
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|on|passphrase}
crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

crypto pki [authenticate|export|generate|import|zeroize]
crypto pki authenticate <TRUSTPOINT-NAME> <LOCATION-URL> {background} {(on <DEVICE-NAME>)}
crypto pki export [request|trustpoint]
crypto pki export request [generate-rsa-key|short|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)
crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> [autogen-subject-name|subject-name]
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}
crypto pki import [certificate|crl|trustpoint]
crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}
crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}
crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}
Parameters
crypto key export rsa <RSA-KEYPAIR-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key                             Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
export rsa <RSA-KEYPAIR-NAME>   Exports an existing RSA Keypair to a specified destination
  <RSA-KEYPAIR-NAME>            Specify the RSA Keypair name.
<EXPORT-TO-URL>                 Specify the RSA Keypair destination address. Both IPv4 and IPv6 address formats are supported. After specifying the destination address (where the RSA Keypair is exported), configure one of the following parameters: background or passphrase.
background                      Optional. Performs the export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
passphrase <KEY-PASSPHRASE>     Optional. Encrypts the RSA Keypair before exporting. Without this option the private key is written out unencrypted and is only as protected as the transport and the destination host; tftp, ftp and http carry it in cleartext.
  <KEY-PASSPHRASE>              Specify a passphrase to encrypt the RSA Keypair.
  background                    Optional. Performs the export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
The following parameter is recursive and common to all of the above parameters:
on <DEVICE-NAME>                Optional. Performs the export operation on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto key generate rsa <RSA-KEYPAIR-NAME> [2048|4096] {on <DEVICE-NAME>}

key                             Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
generate rsa <RSA-KEYPAIR-NAME> [2048|4096]   Generates a new RSA Keypair
  <RSA-KEYPAIR-NAME>            Specify the RSA Keypair name.
  [2048|4096]                   Sets the size of the RSA key in bits. The options are 2048 bits and 4096 bits. The default size is 2048 bits. After specifying the key size, optionally specify the device (access point or controller) to generate the key on.
on <DEVICE-NAME>                Optional. Generates the new RSA Keypair on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto key import rsa <RSA-KEYPAIR-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

key                             Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
import rsa <RSA-KEYPAIR-NAME>   Imports an RSA Keypair from a specified source
  <RSA-KEYPAIR-NAME>            Specify the RSA Keypair name.
<IMPORT-FROM-URL>               Specify the RSA Keypair source address. Both IPv4 and IPv6 address formats are supported. After specifying the source address (where the RSA Keypair is imported from), configure one of the following parameters: background or passphrase.
background                      Optional. Performs the import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE>     Optional. Decrypts the RSA Keypair after importing
  <KEY-PASSPHRASE>              Specify the passphrase to decrypt the RSA Keypair.
  background                    Optional. Performs the import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on.
The following parameter is recursive and common to the background and passphrase keywords:
on <DEVICE-NAME>                Optional. Performs the import operation on a specific device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto key zeroize rsa <RSA-KEYPAIR-NAME> {force} {(on <DEVICE-NAME>)}

key                             Enables RSA Keypair management. Use this command to export, import, generate, or delete an RSA key.
zeroize rsa <RSA-KEYPAIR-NAME>  Deletes a specified RSA Keypair
  <RSA-KEYPAIR-NAME>            Specify the RSA Keypair name. Note: All device certificates associated with this key will also be deleted.
force                           Optional. Forces deletion of all certificates associated with the specified RSA Keypair. Optionally specify a device on which to force certificate deletion.
The following parameter is recursive and optional:
on <DEVICE-NAME>                Optional. Deletes all certificates associated with the RSA Keypair on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto pki authenticate <TRUSTPOINT-NAME> <URL> {background} {(on <DEVICE-NAME>)}

pki                             Enables Public Key Infrastructure (PKI) management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated Certificate Authority (CA) certificates.
authenticate <TRUSTPOINT-NAME>  Authenticates a trustpoint and imports the corresponding CA certificate
  <TRUSTPOINT-NAME>             Specify the trustpoint name.
<URL>                           Specify the CA's location. Both IPv4 and IPv6 address formats are supported. Note: The CA certificate is imported from the specified location and becomes the trust anchor for this trustpoint; fetch it over sftp, or verify its fingerprint out of band when using tftp, ftp or http.
background                      Optional. Performs authentication in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the authentication on.
The following parameter is recursive and optional:
on <DEVICE-NAME>                Optional. Performs authentication on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto pki export request [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request                  Exports a CSR to the CA for a digital identity certificate. The CSR contains the applicant's details and the RSA Keypair's public key.
[generate-rsa-key|use-rsa-key]  Generates a new RSA Keypair or uses an existing RSA Keypair
  generate-rsa-key              Generates a new RSA Keypair for digital authentication
  use-rsa-key                   Uses an existing RSA Keypair for digital authentication
<RSA-KEYPAIR-NAME>              If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name            Auto generates the subject name from configuration parameters. The subject name identifies the certificate.
<EXPORT-TO-URL>                 Specify the CA's location. Both IPv4 and IPv6 address formats are supported. Note: The CSR is exported to the specified location.
email <SEND-TO-EMAIL>           Exports the CSR to a specified e-mail address
  <SEND-TO-EMAIL>               Specify the CA's e-mail address.
fqdn <FQDN>                     Exports the CSR to a specified Fully Qualified Domain Name (FQDN)
  <FQDN>                        Specify the CA's FQDN.
ip-address <IP>                 Exports the CSR to a specified device or system
  <IP>                          Specify the CA's IP address.

crypto pki export request [generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> (<EXPORT-TO-URL>,email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>)

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export request                  Exports a CSR to the CA for a digital identity certificate. The CSR contains the applicant's details and the RSA Keypair's public key.
[generate-rsa-key|short [generate-rsa-key|use-rsa-key]|use-rsa-key]   Generates a new RSA Keypair or uses an existing RSA Keypair
  generate-rsa-key              Generates a new RSA Keypair for digital authentication
  short [generate-rsa-key|use-rsa-key]   Generates and exports a shorter version of the CSR
    generate-rsa-key            Generates a new RSA Keypair for digital authentication. If generating a new RSA Keypair, specify a name for it.
    use-rsa-key                 Uses an existing RSA Keypair for digital authentication. If using an existing RSA Keypair, specify its name.
  use-rsa-key                   Uses an existing RSA Keypair for digital authentication
<RSA-KEYPAIR-NAME>              If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME>      Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
  <COMMON-NAME>                 Specify the common name used with the CA certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length).
<COUNTRY>                       Sets the deployment country code (2 character ISO code)
<STATE>                         Sets the state name (2 to 64 characters in length)
<CITY>                          Sets the city name (2 to 64 characters in length)
<ORGANIZATION>                  Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT>             Sets the organization unit (2 to 64 characters in length)
<EXPORT-TO-URL>                 Specify the CA's location. Both IPv4 and IPv6 address formats are supported. The CSR is exported to the specified location.
email <SEND-TO-EMAIL>           Exports the CSR to a specified e-mail address
  <SEND-TO-EMAIL>               Specify the CA's e-mail address.
fqdn <FQDN>                     Exports the CSR to a specified FQDN
  <FQDN>                        Specify the CA's FQDN.
ip-address <IP>                 Exports the CSR to a specified device or system
  <IP>                          Specify the CA's IP address.

crypto pki export trustpoint <TRUSTPOINT-NAME> <EXPORT-TO-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
export trustpoint <TRUSTPOINT-NAME>   Exports a trustpoint along with the CA certificate, Certificate Revocation List (CRL), server certificate, and private key
  <TRUSTPOINT-NAME>             Specify the trustpoint name (should be authenticated).
<EXPORT-TO-URL>                 Specify the destination address. Both IPv4 and IPv6 address formats are supported. The trustpoint is exported to the address specified here.
background                      Optional. Performs the export operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the export on.
passphrase <KEY-PASSPHRASE>     Optional. Encrypts the key with a passphrase before exporting. Because the export carries the private key, use this option, and a non-cleartext transport such as sftp, whenever the destination is reached over the network.
  <KEY-PASSPHRASE>              Specify the passphrase to encrypt the trustpoint.
  background                    Optional. Performs the export operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the export on.
The following parameter is recursive and common to the background and passphrase keywords:
on <DEVICE-NAME>                Optional. Performs the export operation on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> autogen-subject-name {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate                        Generates a certificate and a trustpoint
self-signed <TRUSTPOINT-NAME>   Generates a self-signed certificate and a trustpoint
  <TRUSTPOINT-NAME>             Specify a name for the certificate and its trustpoint.
[generate-rsa-key|use-rsa-key]  Generates a new RSA Keypair, or uses an existing RSA Keypair
  generate-rsa-key              Generates a new RSA Keypair for digital authentication
  use-rsa-key                   Uses an existing RSA Keypair for digital authentication
<RSA-KEYPAIR-NAME>              If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
autogen-subject-name            Auto generates the subject name from the configuration parameters. The subject name helps to identify the certificate.
email <SEND-TO-EMAIL>           Optional. Exports the self-signed certificate to a specified e-mail address
  <SEND-TO-EMAIL>               Specify the e-mail address.
fqdn <FQDN>                     Optional. Exports the self-signed certificate to a specified FQDN
  <FQDN>                        Specify the FQDN.
ip-address <IP>                 Optional. Exports the self-signed certificate to a specified device or system
  <IP>                          Specify the device's IP address.
on <DEVICE-NAME>                Optional. Performs this operation on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto pki generate self-signed <TRUSTPOINT-NAME> [generate-rsa-key|use-rsa-key] <RSA-KEYPAIR-NAME> subject-name <COMMON-NAME> <COUNTRY> <STATE> <CITY> <ORGANIZATION> <ORGANIZATION-UNIT> {(email <SEND-TO-EMAIL>,fqdn <FQDN>,ip-address <IP>,on <DEVICE-NAME>)}

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated certificates.
generate self-signed <TRUSTPOINT-NAME>   Generates a self-signed certificate and a trustpoint
  <TRUSTPOINT-NAME>             Specify a name for the certificate and its trustpoint.
[generate-rsa-key|use-rsa-key]  Generates a new RSA Keypair, or uses an existing RSA Keypair
  generate-rsa-key              Generates a new RSA Keypair for digital authentication
  use-rsa-key                   Uses an existing RSA Keypair for digital authentication
<RSA-KEYPAIR-NAME>              If generating a new RSA Keypair, specify a name for it. If using an existing RSA Keypair, specify its name.
subject-name <COMMON-NAME>      Configures a subject name, defined by the <COMMON-NAME> keyword, to identify the certificate
  <COMMON-NAME>                 Specify the common name used with this certificate. The name should enable you to identify the certificate easily (2 to 64 characters in length).
<COUNTRY>                       Sets the deployment country code (2 character ISO code)
<STATE>                         Sets the state name (2 to 64 characters in length)
<CITY>                          Sets the city name (2 to 64 characters in length)
<ORGANIZATION>                  Sets the organization name (2 to 64 characters in length)
<ORGANIZATION-UNIT>             Sets the organization unit (2 to 64 characters in length)
email <SEND-TO-EMAIL>           Optional. Exports the self-signed certificate to a specified e-mail address
  <SEND-TO-EMAIL>               Specify the e-mail address.
fqdn <FQDN>                     Optional. Exports the self-signed certificate to a specified FQDN
  <FQDN>                        Specify the FQDN.
ip-address <IP>                 Optional. Exports the self-signed certificate to a specified device or system
  <IP>                          Specify the device's IP address.
on <DEVICE-NAME>                Optional. Performs this operation on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto pki import [certificate|crl] <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background} {(on <DEVICE-NAME>)}

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import                          Imports certificates, a Certificate Revocation List (CRL), or a trustpoint to the selected device
[certificate|crl]               Imports a signed server certificate or a CRL
  certificate                   Imports a signed server certificate
  crl                           Imports a CRL
<TRUSTPOINT-NAME>               Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL>               Specify the signed server certificate or CRL source address. Both IPv4 and IPv6 address formats are supported. The server certificate or the CRL (based on the parameter passed in the preceding step) is imported from the location specified here.
background                      Optional. Performs the import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
The following parameter is recursive and optional:
on <DEVICE-NAME>                Optional. Performs the import operation on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto pki import trustpoint <TRUSTPOINT-NAME> <IMPORT-FROM-URL> {background|passphrase <KEY-PASSPHRASE> background} {(on <DEVICE-NAME>)}

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
import                          Imports certificates, a CRL, or a trustpoint to the selected device
trustpoint <TRUSTPOINT-NAME>    Imports a trustpoint and its associated CA certificate, server certificate, and private key
  <TRUSTPOINT-NAME>             Specify the trustpoint name (should be authenticated).
<IMPORT-FROM-URL>               Specify the trustpoint source address. Both IPv4 and IPv6 address formats are supported.
background                      Optional. Performs the import operation in the background. If selecting this option, you can optionally specify the device (access point or controller) to perform the import on.
passphrase <KEY-PASSPHRASE>     Optional. Decrypts the trustpoint with a passphrase after importing
  <KEY-PASSPHRASE>              Specify the passphrase. After specifying the passphrase, optionally specify the device to perform the import on.
  background                    Optional. Performs the import operation in the background. After specifying the passphrase, optionally specify the device (access point or controller) to perform the import on.
The following parameter is recursive and optional:
on <DEVICE-NAME>                Optional. Performs the import operation on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

crypto pki zeroize trustpoint <TRUSTPOINT-NAME> {del-key} {(on <DEVICE-NAME>)}

pki                             Enables PKI management. Use this command to authenticate, export, generate, or delete a trustpoint and its associated CA certificates.
zeroize trustpoint <TRUSTPOINT-NAME>   Deletes a trustpoint and its associated CA certificate, server certificate, and private key
  <TRUSTPOINT-NAME>             Specify the trustpoint name (should be authenticated).
del-key                         Optional. Deletes the private key associated with the server certificate. Optionally specify the device to perform the deletion on.
The following parameter is recursive and optional:
on <DEVICE-NAME>                Optional. Deletes the trustpoint on a specified device
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

Usage Guidelines
The system supports both IPv4 and IPv6 address formats. Provide source and destination locations using any one of the following options:

IPv4 URLs:
tftp://<hostname|IP>[:port]/path/file
ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
sftp://<user>@<hostname|IP>[:port]/path/file
http://<hostname|IP>[:port]/path/file
cf:/path/file
usb<n>:/path/file

IPv6 URLs:
tftp://<hostname|[IPv6]>[:port]/path/file
ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
http://<hostname|[IPv6]>[:port]/path/file

tftp, ftp and http transfer the file, and any credentials placed in the URL, in cleartext; use sftp when the file is an RSA Keypair or a trustpoint.
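Every transfer command in this chapter (copy, cpe upgrade, crypto key import and export, crypto pki import and export) accepts the location forms listed above. The parser below is an added example, not part of the guide or of the WiNG software: it implements that grammar, including the bracketed IPv6 host, an empty port as in the guide's own tftp://10.233.89.183:/snmpd.log, and the cf:/ and usb<n>:/ local forms, and it flags the two things worth catching before key material is moved: a cleartext scheme, and a password carried in the URL, where it lands in command history and logs. Which schemes count as cleartext is general networking knowledge rather than a statement from the guide; the sample URLs other than the guide's own are constructed.

```python
"""Parser for the file-location URL forms accepted by WiNG transfer commands.

Added example, not from the CLI Reference Guide or WiNG. It implements the URL
grammar the guide lists (tftp/ftp/sftp/http with optional user, password, port
and bracketed IPv6 host, plus the local cf:/ and usb<n>:/ forms) and flags a
cleartext transport or a password embedded in the URL. The cleartext
classification is general knowledge, not something the guide states.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CLEARTEXT_SCHEMES = {"tftp", "ftp", "http"}
NETWORK_SCHEMES = CLEARTEXT_SCHEMES | {"sftp"}

_NET_RE = re.compile(
    r"""^(?P<scheme>[a-z]+)://
        (?:(?P<user>[^:@/\[\]]+)(?::(?P<passwd>[^@/]*))?@)?   # user[:passwd]@
        (?:\[(?P<v6>[0-9A-Fa-f:.]+)\]|(?P<host>[^:/\[\]]+))     # [IPv6] or host
        (?::(?P<port>\d*))?                                    # [:port], may be empty
        (?P<path>/.*)?$""",
    re.VERBOSE,
)
_LOCAL_RE = re.compile(r"^(?P<scheme>cf|usb\d+):(?P<path>/.*)$")


@dataclass
class TransferURL:
    scheme: str
    path: str
    host: Optional[str] = None
    port: Optional[int] = None
    user: Optional[str] = None
    passwd: Optional[str] = None
    ipv6: bool = False
    warnings: List[str] = field(default_factory=list)


def parse_transfer_url(url: str) -> TransferURL:
    """Parse one location URL; raise ValueError for anything outside the grammar."""
    m = _LOCAL_RE.match(url)
    if m:
        return TransferURL(scheme=m["scheme"], path=m["path"])

    m = _NET_RE.match(url)
    if not m or m["scheme"] not in NETWORK_SCHEMES:
        raise ValueError("not a supported WiNG location URL: %r" % url)

    port = int(m["port"]) if m["port"] else None   # "host:/file" carries no port
    if port is not None and not 1 <= port <= 65535:
        raise ValueError("port out of range in %r" % url)

    u = TransferURL(
        scheme=m["scheme"],
        path=m["path"] or "/",
        host=m["v6"] or m["host"],
        port=port,
        user=m["user"],
        passwd=m["passwd"],
        ipv6=m["v6"] is not None,
    )
    if u.scheme in CLEARTEXT_SCHEMES:
        u.warnings.append("%s is a cleartext transport" % u.scheme)
    if u.passwd is not None:
        u.warnings.append("password embedded in URL; it will appear in CLI history and logs")
    if u.scheme == "tftp" and u.user is not None:
        u.warnings.append("tftp has no authentication; user and password are ignored")
    return u


if __name__ == "__main__":
    samples = (
        "tftp://10.233.89.183:/snmpd.log",                        # from the guide's copy example
        "sftp://backup:hunter2@[2001:db8::10]:2222/keys/ap.pem",  # constructed
        "usb1:/images/AP7562.img",                                # constructed
    )
    for sample in samples:
        u = parse_transfer_url(sample)
        print(sample, "->", u.scheme, u.host, u.port, u.path, u.warnings)
```

The guide lists the IPv4 sftp form without a password and the IPv6 form with one; the parser accepts both, and in either case a password in the URL is reported so that an operator can fall back to the interactive prompt or a key-based sftp account instead.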
Example
rfs6000-81742D#crypto key generate rsa key 1025
RSA Keypair successfully generated
rfs6000-81742D#

rfs6000-81742D#crypto key import rsa test123 url passphrase word background
RSA key import operation is started in background
rfs6000-81742D#

rfs6000-81742D#crypto pki generate self-signed word generate-rsa-key word autogen-subject-name fqdn word
Successfully generated self-signed certificate
rfs6000-81742D#

rfs6000-81742D#crypto pki zeroize trustpoint word del-key
Successfully removed the trustpoint and associated certificates
%Warning: Applications associated with the trustpoint will start using default-trustpoint
rfs6000-81742D#

rfs6000-81742D#crypto pki authenticate word url background
Import of CA certificate started in background
rfs6000-81742D#

rfs6000-81742D#crypto pki import trustpoint word url passphrase word
Import operation started in background
rfs6000-81742D#
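crypto pki export trustpoint writes the CA certificate, CRL, server certificate and private key to the destination, and encrypts the key only when passphrase is given. The checker below is an added example, not from the guide or from WiNG. It assumes the export is a concatenation of PEM blocks (the guide does not describe the file layout, so that is an assumption) and reports whether any private key in the bundle is unencrypted, distinguishing a PKCS#8 ENCRYPTED PRIVATE KEY block from a legacy PEM block carrying Proc-Type and DEK-Info headers. The two sample bundles are constructed with placeholder bodies and contain no real key material.

```python
"""Audit an exported trustpoint bundle before it leaves a controlled host.

Added example, not from the CLI Reference Guide or WiNG. `crypto pki export
trustpoint` writes the CA certificate, CRL, server certificate and private key,
and encrypts the key only when `passphrase` is given. This checker assumes the
export is a concatenation of PEM blocks (the guide does not describe the file
layout) and reports any private key that is not encrypted.
"""
import re

_BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)
PRIVATE_KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
                      "ENCRYPTED PRIVATE KEY"}


def pem_blocks(bundle):
    """Split a PEM bundle into dicts of label, RFC 1421 headers and base64 body."""
    blocks = []
    for m in _BLOCK_RE.finditer(bundle):
        lines = m["body"].splitlines()
        headers = {}
        # Legacy (PKCS#1) encrypted keys carry "Proc-Type: 4,ENCRYPTED" and
        # "DEK-Info: ..." lines, then a blank line, then the payload. Base64
        # never contains ':', so a ':' marks a header line.
        while lines and ":" in lines[0]:
            name, _, value = lines.pop(0).partition(":")
            headers[name.strip()] = value.strip()
        if lines and not lines[0].strip():
            lines.pop(0)
        blocks.append({"label": m["label"], "headers": headers,
                       "body": "".join(l.strip() for l in lines)})
    return blocks


def key_is_encrypted(block):
    """PKCS#8 'ENCRYPTED PRIVATE KEY', or a legacy block with Proc-Type ENCRYPTED."""
    if block["label"] == "ENCRYPTED PRIVATE KEY":
        return True
    return block["headers"].get("Proc-Type", "").endswith("ENCRYPTED")


def audit_bundle(bundle):
    """Inventory the bundle and say whether it is safe to move over the network."""
    blocks = pem_blocks(bundle)
    labels = [b["label"] for b in blocks]
    keys = [b for b in blocks if b["label"] in PRIVATE_KEY_LABELS]
    plaintext = [b["label"] for b in keys if not key_is_encrypted(b)]
    return {
        "labels": labels,
        "has_ca_and_server_cert": labels.count("CERTIFICATE") >= 2,
        "has_crl": "X509 CRL" in labels,
        "private_keys": len(keys),
        "plaintext_private_keys": plaintext,
        # A trustpoint export without its key is incomplete; one with a
        # plaintext key must not cross tftp/ftp/http or sit on a shared host.
        "safe_to_ship": bool(keys) and not plaintext,
    }


# Constructed placeholder body: not base64 of anything real and not a key.
_FAKE_BODY = "MIIBPLACEHOLDERNOTAREALKEY000000000000000000000000000000000000\n"

# Constructed: what an export WITHOUT `passphrase` would look like.
PLAINTEXT_EXPORT = (
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_BODY + "-----END CERTIFICATE-----\n"
    "-----BEGIN X509 CRL-----\n" + _FAKE_BODY + "-----END X509 CRL-----\n"
    "-----BEGIN CERTIFICATE-----\n" + _FAKE_BODY + "-----END CERTIFICATE-----\n"
    "-----BEGIN RSA PRIVATE KEY-----\n" + _FAKE_BODY + "-----END RSA PRIVATE KEY-----\n"
)

# Constructed: the same bundle with the key exported under a passphrase, using
# the legacy PEM encryption headers.
ENCRYPTED_EXPORT = PLAINTEXT_EXPORT.replace(
    "-----BEGIN RSA PRIVATE KEY-----\n",
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n",
)

if __name__ == "__main__":
    for name, bundle in (("plaintext", PLAINTEXT_EXPORT), ("encrypted", ENCRYPTED_EXPORT)):
        print(name, audit_bundle(bundle))
```

Run it against a real export after the file has reached the sftp host: a result with a non-empty plaintext_private_keys list means the export was done without passphrase and the trustpoint's key should be treated as exposed wherever that file has been.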
Related Commands
no    Removes server certificates, trustpoints and their associated certificates

3.1.15 crypto-cmp-cert-update
Privileged Exec Mode Commands

Triggers a Certificate Management Protocol (CMP) certificate update on a specified device or devices.

Supported in the following platforms:
Access Points           AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

Parameters
crypto-cmp-cert-update <TRUSTPOINT-NAME> {on <DEVICE-NAME>}

crypto-cmp-cert-update <TRUSTPOINT-NAME>   Triggers a CMP certificate update on a specified device or devices
  <TRUSTPOINT-NAME>             Specify the target trustpoint name. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. Use the crypto-cmp-policy context to configure the trustpoint.
on <DEVICE-NAME>                Optional. Triggers a CMP certificate update and response on a specified device or devices. Multiple devices can be provided as a comma separated list.
  <DEVICE-NAME>                 Specify the name of the AP, wireless controller, or service platform.

Example
rfs4000-229D58#crypto-cmp-cert-update test on B4-C7-99-71-17-28
CMP Cert update success
rfs4000-229D58#
3.1.16 database
Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight). Vacuuming a database refers to the process of finding and reclaiming space left over from previous DELETE statements. If enforcing authenticated access to the database, use this command to generate the keyfile. Every keyfile has a set of associated users, each having a username and password. Database access is granted only if the keyfile and the user credentials entered during database login match.
NOTE: For information on enabling database authentication, see Enabling Database Authentication.
Supported in the following platforms:
  Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
database [drop|keyfile|repair]
database drop [all|captive-portal|nsight]
database repair {on <DEVICE-NAME>}
database keyfile [export|generate|import|zeroize]
database keyfile generate
database keyfile [export|import] <URL>
database keyfile zeroize
Parameters
database drop [all|captive-portal|nsight]
  database drop [all|captive-portal|nsight]
      Drops (deletes) all or a specified database. Execute the command on the database host.
      all             Drops all databases, captive portal and NSight.
      captive-portal  Drops the captive-portal database only.
      nsight          Drops the NSight database only.
database repair {on <DEVICE-NAME>}
  database repair on <DEVICE-NAME>
      Enables automatic repairing of all databases. Execute the command on the database host.
      on <DEVICE-NAME>  Optional. Specifies the name of the access point, wireless controller, or service platform hosting the database. When specified, databases on the specified device are periodically checked to identify and remove obsolete data documents.
          <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform. If no device is specified, the system repairs all databases.
database keyfile [generate|zeroize]
  database keyfile [generate|zeroize]
      Enables management of database keyfiles. This command is part of a series of configurations required to enforce authentication on the database. Use this command to generate keyfiles associated with the database. After generating the keyfile, create the users having database access. For information on creating database users, see service.
      generate  Generates the keyfile. Execute the command on the primary database host.
      zeroize   Deletes a keyfile.
database keyfile [export|import] <URL>
  database keyfile [export|import] <URL>
      Enables database keyfile management. This command is part of a series of configurations required to enforce database authentication. Use this command to exchange keyfiles between replica set members.
      export  Exports the keyfile to a specified location on an FTP/SFTP/TFTP server. Execute the command on the primary database host.
      import  Imports the keyfile from a specified location. Execute the command on the replica set members.
      The following parameter is common to both of the above keywords:
      <URL>  Specify the location to/from which the keyfile is exported/imported. Use one of the following options:
          ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
          sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
          tftp://<hostname|IP>[:port]/path/file
database keyfile zeroize
  database keyfile zeroize
      Enables the management of database keyfiles.
      zeroize  Deletes an existing keyfile.
Example
nx9500-6C8809#database repair on nx9500-6C8809
nx9500-6C8809#
nx9500-6C8809#database keyfile generate
Database keyfile successfully generated
nx9500-6C8809#
nx9500-6C8809#database keyfile zeroize
Database keyfile successfully removed
nx9500-6C8809#
vx9000-1A1809#database keyfile generate
Database keyfile successfully generated
vx9000-1A1809#
vx9000-1A1809#database keyfile export ftp://1.1.1.111/db-key
Database keyfile successfully exported
vx9000-1A1809#
vx9000-D031F2#database keyfile import ftp://1.1.1.111/db-key
Database keyfile successfully imported
vx9000-D031F2#
Related Commands
  database-backup   Backs up the captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server
  database-restore  Restores a previously exported database [captive-portal and/or NSight]
3.1.17 database-backup
Backs up the captive-portal/NSight database to a specified location and file on an FTP or SFTP server.
Supported in the following platforms:
  Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
database-backup database [captive-portal|nsight|nsight-placement-info] <URL>
database-backup database [captive-portal|nsight] <URL>
database-backup database nsight-placement-info <URL>
Parameters
database-backup database [captive-portal|nsight] <URL>
  database-backup database [captive-portal|nsight] <URL>
      Backs up the captive portal and/or NSight database to a specified location. Select the database to back up:
      captive-portal  Backs up the captive portal database.
      nsight          Backs up the NSight database.
      After specifying the database type, configure the destination location.
  <URL>
      Configures the destination location. The database is backed up at the specified location. Specify the location URL in one of the following formats:
          ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
          sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
database-backup database nsight-placement-info <URL>
  database-backup database nsight-placement-info <URL>
      Backs up the NSight access point placement related details to a specified location.
  <URL>
      Specify the URL in one of the following formats:
          ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
          sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
          tftp://<hostname|IP>[:port]/path/file.tar.gz
Example
NS-DB-nx9510-6C87EF#database-backup database nsight tftp://192.168.9.50/testbckup
NS-DB-nx9510-6C87EF#show database backup-status
Last Database Backup Status : In_Progress(Starting tftp transfer.)
Last Database Backup Time : 2017-04-17 12:48:05
NS-DB-nx9510-6C87EF#show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time : Mon Apr 17 12:48:08 T 2017
NS-DB-nx9510-6C87EF#Apr 17 12:48:17 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight successful
NS-DB-nx9510-6C87EF#
NS-DB-nx9510-6C87EF#database-backup database nsight-placement-info tftp://192.168.9.50/plmentinfo
NS-DB-nx9510-6C87EF#show database backup-status
Last Database Backup Status : Successful
Last Database Backup Time : Mon Apr 17 12:48:48 IST 2017
NS-DB-nx9510-6C87EF#Apr 17 12:49:03 2017: NS-DB-nx9510-6C87EF : %DATABASE-6-OPERATION_COMPLETE: backup for database nsight-placement-info successful
NS-DB-nx9510-6C87EF#
Related Commands
  database          Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight)
  database-restore  Restores a previously exported (backed up) database [captive-portal and/or NSight]
3.1.18 database-restore
Restores a previously exported database [captive-portal and/or NSight]. Previously exported databases (backed up to a specified FTP or SFTP server) are restored from the backed-up location to the original database.
Supported in the following platforms:
  Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
database-restore database [captive-portal|nsight] <URL>
Parameters
database-restore database [captive-portal|nsight] <URL>
  database-restore database [captive-portal|nsight] <URL>
      Restores a previously exported (backed up) captive-portal and/or NSight database. Specify the database type:
      captive-portal  Restores the captive portal database.
      nsight          Restores the NSight database.
      After specifying the database type, configure the location and file name from which the files are restored.
  <URL>
      Configures the location from which the database is restored. Specify the location URL in one of the following formats:
          ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
          sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
Example
nx9500-6C8809#database-restore database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz
Related Commands
  database         Enables automatic repairing (vacuuming) and dropping of databases (captive-portal and NSight)
  database-backup  Backs up the captive-portal and/or NSight database to a specified location and file on an FTP or SFTP server

3.1.19 delete
Deletes a specified file from the device's file system.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
delete [/force <FILE>|/recursive <FILE>|<FILE>]
Parameters
delete [/force <FILE>|/recursive <FILE>|<FILE>]
  /force <FILE>      Forces deletion without a prompt.
  /recursive <FILE>  Performs a recursive delete.
  <FILE>             Specifies the file name. Deletes the file specified by the <FILE> parameter.
Example
rfs6000-81742D#delete flash:/out.tar flash:/out.tar.gz
Delete flash:/out.tar [y/n]? y
Delete flash:/out.tar.gz [y/n]? y
rfs6000-81742D#delete /force flash:/tmp.txt
rfs6000-81742D#
rfs6000-81742D#delete /recursive flash:/backup/
Delete flash:/backup//fileMgmt_350_180B.core [y/n]? y
Delete flash:/backup//fileMgmt_350_18212X.core_bk [y/n]? n
Delete flash:/backup//imish_1087_18381X.core.gz [y/n]? n
rfs6000-81742D#
3.1.20 device-upgrade
Enables firmware upgrade on an adopted device or a set of adopted devices (access points, wireless controllers, and service platforms).
NOTE: A NOC controller's capacity is equal to, or higher than, that of a site controller. The following devices can be deployed at NOC and sites:
  NOC controller: NX95XX (NX9500 and NX9510), NX9600
  Site controller: RFS4000, RFS6000, NX5500, NX75XX, or NX95XX
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
device-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|cancel-upgrade|load-image|rf-domain]
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}
device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx75xx|nx9000|nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]
device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}
device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|no-reboot|from-controller|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}
Parameters
device-upgrade <MAC/HOSTNAME> {no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}}
  <MAC/HOSTNAME>
      Upgrades firmware on the device identified by the <MAC/HOSTNAME> keyword.
      <MAC/HOSTNAME>  Specify the device's MAC address or hostname.
  no-reboot
      Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
  reboot-time <TIME>
      Optional. Schedules an automatic reboot after a successful upgrade.
      <TIME>  Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
  upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
      Optional. Schedules an automatic device firmware upgrade on a specified day and time.
      <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format.
      The following actions can be performed after a scheduled upgrade:
      no-reboot           Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
      reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
device-upgrade all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
  all
      Upgrades firmware on all devices.
  force
      Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
  no-reboot
      Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
  reboot-time <TIME>
      Optional. Schedules an automatic reboot after a successful upgrade.
      <TIME>  Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
  upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
      Optional. Schedules an automatic device firmware upgrade on all devices on a specified day and time.
      <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format.
      The following actions can be performed after a scheduled upgrade:
      no-reboot           Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
      reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
  staggered-reboot
      This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time), without network impact.
device-upgrade [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] all {force|no-reboot|reboot-time <TIME>|upgrade-time <TIME> {no-reboot|reboot-time <TIME>}} {(staggered-reboot)}
  device-upgrade <DEVICE-TYPE> all
      Upgrades firmware on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After selecting the device type, schedule an automatic upgrade and/or an automatic reboot.
  force
      Optional. Select this option to force upgrade on the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
  no-reboot
      Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
  reboot-time <TIME>
      Optional. Schedules an automatic reboot after a successful upgrade.
      <TIME>  Optional. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
  upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
      Optional. Schedules an automatic firmware upgrade on all devices of the specified type, on a specified day and time.
      <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format.
      The following actions can be performed after a scheduled upgrade:
      no-reboot           Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
      reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
  staggered-reboot
      This keyword is recursive and common to all of the above. Optional. Enables staggered device reboot (one at a time), without network impact.
device-upgrade cancel-upgrade [<MAC/HOSTNAME>|all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000|on rf-domain [<RF-DOMAIN-NAME>|all]]
  cancel-upgrade
      Cancels a scheduled firmware upgrade based on the parameters passed. This command provides the following options to cancel scheduled firmware upgrades:
      Cancels the upgrade on specific device(s). The devices are identified by their MAC addresses or hostnames.
      Cancels the upgrade on all devices within the network.
      Cancels the upgrade on all devices of a specific type. Specify the device type.
      Cancels the upgrade on a specific device or all devices within a specific RF Domain or all RF Domains. Specify the RF Domain name.
  cancel-upgrade [<MAC/HOSTNAME>|all]
      Cancels a scheduled firmware upgrade on a specified device or on all devices.
      <MAC/HOSTNAME>  Cancels a scheduled upgrade on the device identified by the <MAC/HOSTNAME> keyword. Specify the device's MAC address or hostname.
      all             Cancels the scheduled upgrade on all devices.
  cancel-upgrade <DEVICE-TYPE> all
      Cancels the scheduled firmware upgrade on all devices of a specific type. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX9500, NX9600, and VX9000.
  cancel-upgrade on rf-domain [<RF-DOMAIN-NAME>|all]
      Cancels the scheduled firmware upgrade on all devices in a specified RF Domain or all RF Domains.
      <RF-DOMAIN-NAME>  Cancels the scheduled device upgrade on all devices in a specified RF Domain. Specify the RF Domain name.
      all               Cancels the scheduled device upgrade on all devices across all RF Domains.
device-upgrade load-image [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {<IMAGE-URL>|on <DEVICE-OR-DOMAIN-NAME>}
  load-image <DEVICE-TYPE>
      Loads a device firmware image from a specified location. Select the device type and provide the location of the required device firmware image.
      <DEVICE-TYPE>  Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the device type, provide the location of the required device firmware image.
  <IMAGE-URL>
      Specify the device's firmware image location in one of the following formats:
      IPv4 URLs:
          tftp://<hostname|IP>[:port]/path/file
          ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
          sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
          http://<hostname|IP>[:port]/path/file
          cf:/path/file
          usb<n>:/path/file
      IPv6 URLs:
          tftp://<hostname|[IPv6]>[:port]/path/file
          ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
          sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
          http://<hostname|[IPv6]>[:port]/path/file
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Specifies the name of a device or RF Domain. The image of the specified device type is loaded from the device specified here. In the case of an RF Domain, the image available on the RF Domain manager is loaded.
      <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.
device-upgrade rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>] [all|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000] {(<MAC/HOSTNAME>|force|from-controller|no-reboot|reboot-time <TIME>|staggered-reboot|upgrade-time <TIME>)}
  rf-domain [<RF-DOMAIN-NAME>|all|containing <WORD>|filter location <WORD>]
      Upgrades firmware on devices in a specified RF Domain or all RF Domains. Devices within an RF Domain are upgraded through the RF Domain manager.
      <RF-DOMAIN-NAME>        Upgrades devices in the RF Domain identified by the <RF-DOMAIN-NAME> keyword. Specify the RF Domain name.
      all                     Upgrades devices across all RF Domains.
      containing <WORD>       Filters RF Domains by their names. RF Domains with names containing the sub-string identified by the <WORD> keyword are filtered. Devices on the filtered RF Domains are upgraded.
      filter location <WORD>  Filters devices by their location. All devices with a location matching the <WORD> keyword are upgraded.
  <DEVICE-TYPE>
      After specifying the RF Domain, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the RF Domain and the device type, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller.
  <MAC/HOSTNAME>
      Optional. Use this option to identify specific devices to upgrade. Specify the device's MAC address or hostname. The device should be within the specified RF Domain and of the specified device type. After identifying the devices to upgrade, configure any one of the following actions: force devices to upgrade, or initiate an upgrade through the adopting controller. Note: If no MAC address or hostname is specified, all devices of the type selected are upgraded.
  force
      Optional. Select this option to force upgrade for the selected device(s). When selected, the devices are upgraded even if they have the same firmware as the upgrading access point, wireless controller, or service platform. If forcing a device upgrade, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
  from-controller
      Optional. Upgrades a device through the adopted device. If initiating an upgrade through the adopting controller, optionally specify any one of the following options: no-reboot, reboot-time, upgrade-time, or staggered-reboot.
  no-reboot {staggered-reboot}
      Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
  reboot-time <TIME> {staggered-reboot}
      Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
  staggered-reboot
      This keyword is common to all of the above. Optional. Enables staggered reboot (one at a time), without network impact.
  upgrade-time <TIME> {no-reboot|reboot-time <TIME>}
      Optional. Schedules an automatic firmware upgrade.
      <TIME>  Specify the upgrade time in the MM/DD/YYYY-HH:MM or HH:MM format.
      After a scheduled upgrade, the following actions can be performed:
      no-reboot           Optional. Disables automatic reboot after a successful upgrade (the device must be manually restarted).
      reboot-time <TIME>  Optional. Schedules an automatic reboot after a successful upgrade. Specify the reboot time in the MM/DD/YYYY-HH:MM or HH:MM format.
Example
nx9500-6C8809#show device-upgrade history on TechPubs
-------------------------------------------------------------------------------------------------
Device           RESULT  TIME                 RETRIES  UPGRADED-BY     LAST-UPDATE-ERROR
-------------------------------------------------------------------------------------------------
rfs6000-81742D   done    2017-07-20 14:16:49  0        nx9500-6C8809   -
rfs6000-81742D   done    2017-07-06 15:19:23  0        nx9500-6C8809   -
rfs6000-81742D   done    2017-07-06 15:15:37  0        nx9500-6C8809   -
--More--
nx9500-6C8809#
nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.168.13.17/RFS6000-LEAN-5.9.1.0-017D.img
--------------------------------------------------------------------------------
CONTROLLER       STATUS   MESSAGE
--------------------------------------------------------------------------------
nx9500-6C8809    Success  Successfully initiated load image
--------------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show device-upgrade load-image-status
Download of rfs6000 firmware file is 50 percent complete
nx9500-6C8809#
nx9500-6C8809#device-upgrade rfs6000-81742D
--------------------------------------------------------------------------------
CONTROLLER           STATUS   MESSAGE
--------------------------------------------------------------------------------
B4-C7-99-6C-88-09    Success  Queued 1 devices to upgrade
--------------------------------------------------------------------------------
nx9500-6C8809#show device-upgrade status
Number of devices currently being upgraded         : 0
Number of devices waiting in queue to be upgraded  : 1
Number of devices currently being rebooted         : 0
Number of devices waiting in queue to be rebooted  : 0
Number of devices failed upgrade                   : 0
---------------------------------------------------------------------------------------------------------
DEVICE           STATE    UPGRADE TIME  REBOOT TIME  PROGRESS  RETRIES  LAST UPDATE ERROR  UPGRADED BY
---------------------------------------------------------------------------------------------------------
rfs6000-81742D   waiting  immediate     immediate    0         0        -                  nx9500-6C8809
---------------------------------------------------------------------------------------------------------
nx9500-6C8809#
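The transfer URL formats given above for database keyfile export/import, database-backup/restore and device-upgrade load-image, and the <TIME> format for upgrade-time/reboot-time, checked by an added Python helper. This is example code written for this page, not the guide's or the WiNG firmware's own; the vet_transfer findings and the redacted() form are this example's own conventions, and the URLs it is exercised with are taken from the examples above or constructed.

```python
"""Added example (not from the guide or WiNG firmware): parse and vet the
file-transfer URLs and <TIME> values the commands above accept, so a change
reviewer can check a planned 'database keyfile export', 'database-backup',
'database-restore' or 'device-upgrade' command before it is typed in."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

ENCRYPTED = {"sftp"}             # the only listed transport that protects the payload
CRED_SCHEMES = {"ftp", "sftp"}   # the guide shows <user>:<passwd>@ for these only

# Network forms: scheme://[user:passwd@]<hostname|IP|[IPv6]>[:port]/path
_NET = re.compile(
    r"^(?P<scheme>ftp|sftp|tftp|http)://"
    r"(?:(?P<user>[^:@/]+):(?P<passwd>[^@/]*)@)?"
    r"(?P<host>\[[0-9A-Fa-f:.]+\]|[^\[\]:/@]+)"
    r"(?::(?P<port>\d{1,5}))?"
    r"(?P<path>/.+)$"
)
# Local media forms (device-upgrade load-image only): cf:/path, usb<n>:/path
_LOCAL = re.compile(r"^(?P<scheme>cf|usb\d+):(?P<path>/.+)$")


@dataclass
class TransferUrl:
    scheme: str
    host: Optional[str]          # None for cf:/usb<n>: local media
    port: Optional[int]
    path: str
    user: Optional[str]
    passwd: Optional[str]

    @property
    def encrypted(self) -> bool:
        return self.scheme in ENCRYPTED

    def redacted(self) -> str:
        """Form safe for a ticket or log: the password is never echoed."""
        if self.host is None:
            return f"{self.scheme}:{self.path}"
        auth = f"{self.user}:***@" if self.user is not None else ""
        port = f":{self.port}" if self.port is not None else ""
        return f"{self.scheme}://{auth}{self.host}{port}{self.path}"


def parse_url(url: str) -> TransferUrl:
    """Accept exactly the URL shapes printed in the guide; ValueError otherwise."""
    m = _LOCAL.match(url)
    if m:
        return TransferUrl(m["scheme"], None, None, m["path"], None, None)
    m = _NET.match(url)
    if not m:
        raise ValueError(f"not a WiNG transfer URL: {url!r}")
    if m["scheme"] not in CRED_SCHEMES and m["user"] is not None:
        raise ValueError(f"{m['scheme']} URLs take no <user>:<passwd>@ in the guide")
    port = int(m["port"]) if m["port"] else None
    if port is not None and not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return TransferUrl(m["scheme"], m["host"], port, m["path"], m["user"], m["passwd"])


def vet_transfer(url: str, expect_tarball: bool = False) -> List[str]:
    """Findings a reviewer would raise for a keyfile or database transfer.
    expect_tarball=True applies the /path/file.tar.gz name the backup/restore
    syntax shows; keyfile export/import and load-image take any file name."""
    u = parse_url(url)
    findings: List[str] = []
    if u.host is None:
        findings.append("local media is not a valid target for a database or keyfile transfer")
        return findings
    if not u.encrypted:
        findings.append(f"{u.scheme} carries the file and any login in cleartext; prefer sftp")
    if u.scheme in CRED_SCHEMES and u.user is None:
        findings.append(f"{u.scheme} URL has no <user>:<passwd>@ as the guide's format shows")
    if u.user == "anonymous":
        findings.append("anonymous login: anyone who can reach the server can fetch the file")
    if expect_tarball and not u.path.endswith(".tar.gz"):
        findings.append("database-backup/restore URLs end in /path/file.tar.gz")
    return findings


def parse_schedule_time(text: str):
    """<TIME> for upgrade-time/reboot-time: MM/DD/YYYY-HH:MM or HH:MM.
    Returns (date or None, time); date is None for the bare HH:MM form."""
    if re.fullmatch(r"\d{2}/\d{2}/\d{4}-\d{2}:\d{2}", text):
        dt = datetime.strptime(text, "%m/%d/%Y-%H:%M")
        return dt.date(), dt.time()
    if re.fullmatch(r"\d{2}:\d{2}", text):
        return None, datetime.strptime(text, "%H:%M").time()
    raise ValueError(f"<TIME> must be MM/DD/YYYY-HH:MM or HH:MM, got {text!r}")
```

Run against the URLs in the examples above, vet_transfer flags the ftp keyfile export (cleartext, no login in the URL), the anonymous ftp restore and the tftp backup (cleartext, no .tar.gz name), while an sftp URL with a named login passes clean.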
3.1.21 diff
Displays the differences between two files on a device's file system or at a particular URL.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
diff [<FILE>|<URL>] [<FILE>|<URL>]
Parameters
diff [<FILE>|<URL>] [<FILE>|<URL>]
  <FILE>  The first <FILE> is the source file for the diff command. The second <FILE> is used for comparison.
  <URL>   The first <URL> is the source file's URL. The second <URL> is the second file's URL.
Example
nx9500-6C8809#diff startup-config running-config
--- startup-config
+++ running-config
@@ -1,12 +1,10 @@
+!### show running-config
!
! Configuration of NX9500 version 5.9.1.0-012D
!
!
version 2.5
!
-password-encryption-version 1.0
-inline-password-encryption
-password-encryption-key secret 2 776f9d6d5bb08fac753394d779cbc5a200000020a4ca26def55d4d77952308cd5e3afc66c06581bb 1e5af6d6b033fd664c363522
!
client-identity-group default load default-fingerprints
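Review bot: The three removed lines (`password-encryption-version 1.0`, `inline-password-encryption` and `password-encryption-key secret 2 ...`) are present in startup-config only, so the running configuration no longer carries the password-encryption settings the saved configuration relies on; confirm that dropping them was intended before the running configuration is written back over startup-config, since the next save would make that weaker state persistent. The only added line, `!### show running-config`, is a comment and changes nothing.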
@@ -35,13 +33,13 @@
!
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
!
-alias encrypted-string $READ 2 LKSXiTieTV5hybKxfbd6JwAAAAZ/lakoqHh/ZfyHLJWzluTH
+alias encrypted-string $READ 2 1og6ZeMyEVJhybKxfbd6JwAAAAahnGq6RaJb70CEIbVpTYre
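Review bot: The `alias encrypted-string $READ` ciphertext differs between the two files while the alias name and the `2` encryption marker are unchanged, and the first hunk shows the password-encryption-key present only in startup-config; verify which key each value was produced under, and that the running-config value still resolves on the device, before saving, otherwise the saved alias may not be usable after a reload.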
--More--
nx9500-6C8809#
3.1.22 dir
Lists files on a device's file system.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
dir {/all|/recursive|<DIR>|all-filesystems}
Parameters
dir {/all|/recursive|<DIR>|all-filesystems}
  /all             Optional. Lists all files.
  /recursive       Optional. Lists files recursively.
  <DIR>            Optional. Lists files in the named file path.
  all-filesystems  Optional. Lists files on all file systems.
Example
nx9500-6C8809#dir flash:/
Directory of flash:/
  -rw-      62937  Tue Nov 24 16:00:06 2015  run-config-backup.txt
  drwx             Tue Nov 29 09:48:42 2016  crashinfo
  drwx             Sat Sep 17 05:14:43 2016  upgrade
  drwx             Mon Sep 28 09:48:33 2015  tmptpd
  drwx             Wed Feb 15 11:53:07 2017  log
  drwx             Wed Feb 15 11:02:55 2017  archived_logs
  drwx             Tue May 24 22:23:54 2016  cache
  drwx             Thu Feb 19 08:53:45 2015  floorplans
  -rw-   42018304  Tue Sep 27 10:19:24 2016  in.tar
  drwx             Tue Jan 17 10:02:01 2017  hotspot
nx9500-6C8809#
nx9500-6C8809#dir all-filesystems
Directory of flash:/
  -rw-      62937  Tue Nov 24 16:00:06 2015  run-config-backup.txt
  drwx             Tue Nov 29 09:48:42 2016  crashinfo
  drwx             Sat Sep 17 05:14:43 2016  upgrade
  drwx             Mon Sep 28 09:48:33 2015  tmptpd
  drwx             Wed Feb 15 11:53:07 2017  log
  drwx             Wed Feb 15 11:02:55 2017  archived_logs
  drwx             Tue May 24 22:23:54 2016  cache
  drwx             Thu Feb 19 08:53:45 2015  floorplans
  -rw-   42018304  Tue Sep 27 10:19:24 2016  in.tar
  drwx             Tue Jan 17 10:02:01 2017  hotspot
Directory of nvram:/
  lrwx         29  Tue Oct 27 16:22:21 2015  sensor_default_scan
--More--
nx9500-6C8809#
3.1.23 disable
Turns off (disables) the privileged mode command set. This command returns to the User Executable mode.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
disable
Parameters
None
Example
rfs6000-81742D#disable
rfs6000-81742D>

3.1.24 edit
Edits a text file on the device's file system.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
edit <FILE>
Parameters
edit <FILE>
  <FILE>  Specify the name of the file to modify.
Example
rfs4000-880DA7#edit startup-config
GNU nano 1.2.4                        File: startup-config
!
! Configuration of RFS4000 version 5.9.1.0-015D
!
!
version 2.5
!
password-encryption-version 1.0 inline-password-encryption no password-encryption-key
!
client-identity-group default load default-fingerprints
!
ip snmp-access-list default permit any
!
firewall-policy default no ip dos tcp-sequence-past-window
!
[ Read 400 lines ]
^G Get Help ^O WriteOut ^R Read File ^Y Prev Page ^K Cut Text ^C Cur Pos
^X Exit ^J Justify ^W Where Is ^V Next Page ^U UnCut Txt ^T To Spell Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 63 PRIVILEGED EXEC MODE COMMANDS 3.1.25 enable Privileged Exec Mode Commands Turns on (enables) the privileged mode command set. This command does not do anything in the Privilege Executable mode. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax enable Parameters None Example rfs6000-81742D#enable rfs6000-81742D#
3.1.26 erase
Privileged Exec Mode Commands
Erases a device's (wireless controller, access point, or service platform) file system. Erases the content of the specified storage device. Also erases the startup configuration to restore the device to its default.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
erase [flash:|nvram:|startup-config|usb1:|usb2:|usb3:|usb4:]
erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]
erase startup-config {<HOSTNAME/MAC>|on <DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}}
Parameters
erase [flash:|nvram:|usb1:|usb2:|usb3:|usb4:]
  flash:           Erases everything in the device's flash: file system
  nvram:           Erases everything in the device's nvram: file system
  startup-config   Erases the device's startup configuration file. The startup configuration file is used to configure the device when it reboots.
  usb1:            Erases everything in the device's usb1: file system
  usb2:            Erases everything in the device's usb2: file system
  usb3:            Erases everything in the device's usb3: file system
  usb4:            Erases everything in the device's usb4: file system
erase startup-config {<HOSTNAME/MAC>|on <DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}}
  startup-config
    Erases the startup configuration file on a specified device or on devices in a specified RF Domain. The specified device(s) are reloaded after the startup configuration file is erased. Use the <HOSTNAME/MAC> or on <DOMAIN-NAME> options to identify the device or RF Domain respectively. Once executed, the configuration file, for the targeted device or for all device(s) in the targeted RF Domain, is also erased from the adopting controller's configuration file. The device(s) are automatically reloaded once the startup configuration file has been erased.
  <HOSTNAME/MAC>
    Optional. Erases the startup configuration file on the device identified by the <HOSTNAME/MAC> keyword. Specify the device's hostname or MAC address.
  on <DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
    Optional. Erases the startup configuration file on all devices or on specified device(s) in a specified RF Domain.
    <DOMAIN-NAME> Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:
    containing <SUB-STRING> Optional. Executes the command on all devices containing a specified sub-string in their hostname.
      <SUB-STRING> Specify the sub-string to match. The startup configuration file is erased on all devices whose hostname contains the sub-string specified here.
    exclude-controllers Optional. Executes the command on all devices excluding controllers. The startup configuration file is erased on all devices except controllers.
    exclude-rf-domain-manager Optional. Executes the command on all devices excluding RF Domain managers. The startup configuration file is erased on all devices except RF Domain managers.
    filter <DEVICE-TYPE> Optional. Executes the command on all devices of a specified type.
      <DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8532, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup configuration file is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the startup configuration file on all AP6521s within the RF Domain is erased.
Example
nx9500-6C8809#erase ?
  cf:              Erase everything in cf:
  flash:           Erase everything in flash:
  nvram:           Erase everything in nvram:
  startup-config   Reset configuration to factory default
  usb1:            Erase everything in usb1:
  usb2:            Erase everything in usb2:
nx9500-6C8809#
3.1.27 ex3500
Privileged Exec Mode Commands
Enables EX3500 switch firmware management. Use this command to perform the following operations: boot, copy, delete, and IP-related configurations.
The copy keyword provides multiple copy options. It allows you to upload or download code images or configuration files between the switch's flash memory and an FTP/TFTP server. When you save the system code or configuration settings to a file on an FTP/TFTP server, that file can later be downloaded to the switch to restore system operation. The success of the file transfer depends on the accessibility of the FTP/TFTP server and the quality of the network connection.
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600
Syntax
ex3500 [adoptd|boot|copy|delete|ip]
ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>
ex3500 boot system <1-1> (config|opcode) <FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [file|ftp|running-config|startup-config|tftp|unit]
ex3500 copy file file <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] [add-to-running-config|file|https-certificate|public-key|running-config|startup-config]
ex3500 copy [ftp|tftp] add-to-running-config <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] file <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] https-certificate <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] public-key <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy [ftp|tftp] [running-config|startup-config] <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-CONFIG-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 copy running-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME> <PASSWORD> <DEST-FILE-NAME>|startup-config|tftp <TFTP-SERVER-IP> <DEST-FILE-NAME>] on <EX3500-DEVICE-NAME>
ex3500 copy startup-config [file <DEST-FILE-NAME>|ftp <FTP-SERVER-IP> <USER-NAME> <PASSWORD> <DEST-FILE-NAME>|running-config|tftp <TFTP-SERVER-IP> <DEST-FILE-NAME>] on <EX3500-DEVICE-NAME>
ex3500 copy unit file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
ex3500 delete [file|public-key]
ex3500 delete file [name <FILE-NAME>|unit <1-1> name <FILE-NAME>] on <EX3500-DEVICE-NAME>
ex3500 delete public-key <USER-NAME> [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh [crypto|save]
ex3500 ip ssh crypto host-key generates [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh crypto zeroize [dsa|rsa] on <EX3500-DEVICE-NAME>
ex3500 ip ssh save host-key on <EX3500-DEVICE-NAME>
Parameters
ex3500 adoptd upgrade <URL> on <EX3500-DEVICE-NAME>
  ex3500 adoptd upgrade
    Upgrades an adopted EX3500 switch.
    Note: After an upgrade, reboot the EX3500 switch to initiate the new image. To view an EX3500's current image version, use the show > version > on <EX3500-DEVICE-NAME> command.
  <URL>
    Specifies the location and image file name in the following format: tftp://<IP>[/path]/file
  on <EX3500-DEVICE-NAME>
    Executes the command on a specified EX3500 switch.
    <EX3500-DEVICE-NAME> Specify the EX3500 switch's hostname.

ex3500 boot system <1-1> (config|opcode) <FILE-NAME> on <EX3500-DEVICE-NAME>
  ex3500 boot system
    Boots an EX3500 switch using a specified configuration file.
  <1-1>
    Identifies the EX3500 unit by its ID number. Specify the EX3500 ID from 1 - 1.
    Note: As of now only one (1) EX3500 unit can be managed through a NOC controller. The following keywords are recursive:
  (config|opcode) <FILE-NAME>
    Specifies the image file to use for booting. The options are:
    config   Uses the configuration file to boot the switch
    opcode   Uses the Operation Code (opcode), which is the runtime code, to boot the switch. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device.
    The following parameter is common to the config and opcode keywords:
    <FILE-NAME> Specify the configuration/runtime-code file name.
  on <EX3500-DEVICE-NAME>
    Reloads a specified EX3500 switch.
    <EX3500-DEVICE-NAME> Specify the EX3500 switch's hostname. You can also specify its MAC address.

ex3500 copy file file <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
  ex3500 copy
    Copies a configuration file to another file.
  file
    Copies a specified file (this is the source configuration file).
  file <SOURCE-FILE-NAME> <DEST-FILE-NAME>
    Copies the specified source file to a specified file (this is the destination configuration file).
    <SOURCE-FILE-NAME> Specify the source configuration file's name.
    <DEST-FILE-NAME> Specify the destination configuration file's name. When specifying the destination file name, keep in mind the following points:
      - It should not contain slashes (\ or /),
      - It should not exceed 32 characters for files on the switch, or 127 characters for files on the server.
  on <EX3500-DEVICE-NAME>
    Copies the file to a specified EX3500 switch.
    <EX3500-DEVICE-NAME> Specify the EX3500 switch's hostname. The specified source file is copied to the specified destination file on the EX3500 identified here.
ex3500 copy [ftp|tftp] add-to-running-config <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-FILE-NAME> on <EX3500-DEVICE-NAME>
  ex3500 copy [ftp|tftp]
    Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc. This command also allows you to add a remote system's running configuration to the current system configuration.
  add-to-running-config
    Adds a remote system's running configuration to the current system.
  <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
    Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
    <FTP/TFTP-SERVER-IP> Specify the FTP or TFTP server's IP address in the A.B.C.D format.
    <USER-NAME> If using an FTP server, specify the FTP server's user name (should be an authorized user).
    <PASSWORD> Specify the password applicable for the above specified FTP server user name.
  <SOURCE-FILE-NAME>
    After specifying the server details, specify the name of the running configuration file.
    <SOURCE-FILE-NAME> Specify the source file's name.
  on <EX3500-DEVICE-NAME>
    Copies the file to a specified EX3500 switch.
    <EX3500-DEVICE-NAME> Specify the EX3500 switch's hostname. The specified source file is copied to the specified destination file on the EX3500 identified here.

ex3500 copy [ftp|tftp] file <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
  ex3500 copy [ftp|tftp]
    Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.
  file
    Copies to a specified file system.
  <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
    Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
    <FTP/TFTP-SERVER-IP> Specify the FTP or TFTP server's IP address in the A.B.C.D format.
    <USER-NAME> If using an FTP server, specify the FTP server's user name (should be an authorized user).
    <PASSWORD> Specify the password applicable for the above specified FTP server user name.
  [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME>
    After specifying the server details, select the file type and specify the source and destination file names.
    [1|2] Select the file type from 1 - 2.
      1 Copies the EX3500 configuration file.
      2 Copies the opcode, which is the runtime code. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device.
    <SOURCE-FILE-NAME> Specify the source file's name.
    <DEST-FILE-NAME> Specify the destination file's name.
  on <EX3500-DEVICE-NAME>
    Copies the file to a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname. The specified source file is copied to the specified destination file on the EX3500 identified here.

ex3500 copy [ftp|tftp] https-certificate <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD> on <EX3500-DEVICE-NAME>
  ex3500 copy [ftp|tftp]
    Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.
  https-certificate
    Copies the HTTPS secure site certificate from the FTP or TFTP server to the switch.
  <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
    Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
    <FTP/TFTP-SERVER-IP> Specify the FTP or TFTP server's IP address in the A.B.C.D format.
    <USER-NAME> If using an FTP server, specify the FTP server's user name (should be an authorized user).
    <PASSWORD> Specify the password applicable for the above specified FTP server user name.
  <SOURCE-CERT-FILE-NAME> <SOURCE-PVT-KEY-FILE-NAME> <PVT-PASS-WORD>
    After identifying the FTP or TFTP server, specify the following:
    <SOURCE-CERT-FILE-NAME> Specify the source HTTPS secure site certificate file name.
    <SOURCE-PVT-KEY-FILE-NAME> Specify the source private-key file name.
    <PVT-PASS-WORD> Specify the private password.
  on <EX3500-DEVICE-NAME>
    Copies the file to a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 copy [ftp|tftp] public-key <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> [1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME> on <EX3500-DEVICE-NAME>
  ex3500 copy [ftp|tftp]
    Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.
  public-key
    Copies the SSH public key from the FTP or TFTP server to the switch.
  <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
    Configures the FTP or TFTP server details (depending on the option selected in the previous step), such as IP address and user credentials. This is the device running the FTP/TFTP server.
    <FTP/TFTP-SERVER-IP> Specify the FTP or TFTP server's IP address in the A.B.C.D format.
    <USER-NAME> If using an FTP server, specify the FTP server's user name (should be an authorized user).
    <PASSWORD> Specify the password applicable for the above specified FTP server user name.
  [1|2] <SOURCE-PUB-KEY-FILE-NAME> <USER-NAME>
    After identifying the FTP or TFTP server, specify the following:
    [1|2] Configures the SSH public key type as RSA or DSA.
      1 Configures the public key type as RSA
      2 Configures the public key type as DSA
    <SOURCE-PUB-KEY-FILE-NAME> Specifies the source public key file name.
    <USER-NAME> Specifies the public key's user name.
  on <EX3500-DEVICE-NAME>
    Copies the public key to a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 copy [ftp|tftp] [running-config|startup-config] <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
  ex3500 copy [ftp|tftp]
    Copies files from an FTP or TFTP server. This command allows you to copy the following types of files: HTTPS certificate, running configuration, startup configuration, public key, etc.
  [running-config|startup-config]
    Copies the running or startup configuration file to one of the following destinations: file system, FTP server, or TFTP server. The running configuration file can be copied to the startup configuration file and vice versa.
  <FTP/TFTP-SERVER-IP> <USER-NAME> <PASSWORD>
    If copying to an FTP/TFTP server, configure the following parameters:
    <FTP/TFTP-SERVER-IP> Specify the FTP or TFTP server's IP address in the A.B.C.D format.
    <USER-NAME> If using an FTP server, specify the FTP server's user name (should be an authorized user).
    <PASSWORD> Specify the password applicable for the above specified FTP server user name.
  <DEST-FILE-NAME>
    Configures the destination file name. The running or startup configuration file is copied to the specified destination file.
    <DEST-FILE-NAME> Specify the destination file name. You can also copy the running configuration file to the startup configuration file and vice versa.
  on <EX3500-DEVICE-NAME>
    Copies the running or startup configuration file on to a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 copy unit file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME> on <EX3500-DEVICE-NAME>
  ex3500 copy unit
    Copies from an EX3500 switch.
  file <1-1> [1|2] <SOURCE-FILE-NAME> <DEST-FILE-NAME>
    Copies the file system from the EX3500 switch identified by the unit number.
    <1-1> Specify the unit number from 1 - 1.
    [1|2] Select the file type from 1 - 2.
      1 Copies the selected unit's configuration file.
      2 Copies the selected unit's opcode, which is the runtime code. The opcode is like an operating system that enables the WiNG software to communicate with the EX3500 device.
    <SOURCE-FILE-NAME> Configures the source file name. Specify the source file name. You can copy the running configuration file to the startup configuration file and vice versa.
    <DEST-FILE-NAME> Configures the destination file name. The running or startup configuration file is copied to the specified file. Specify the destination file name. You can copy the running configuration file to the startup configuration file and vice versa.
  on <EX3500-DEVICE-NAME>
    Copies the running or startup configuration file on to a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 delete file [name <FILE-NAME>|unit <1-1> name <FILE-NAME>] on <EX3500-DEVICE-NAME>
  ex3500 delete file
    Deletes a file or image on a specified EX3500 device.
  name <FILE-NAME>
    Specifies the file to delete. The specified file is deleted.
    <FILE-NAME> Specify the file name.
  unit <1-1>
    Identifies the unit in the stackable system on which the file is located.
    <1-1> Select the unit from 1 - 1.
  name <FILE-NAME>
    After identifying the unit, specify the file to delete. The specified file is deleted.
    <FILE-NAME> Specify the file name.
  on <EX3500-DEVICE-NAME>
    Executes the command on a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 delete public-key <USER-NAME> [dsa|rsa] on <EX3500-DEVICE-NAME>
  ex3500 delete public-key
    Deletes a specified user's public key.
  <USER-NAME>
    Specify the SSH user's name.
  [dsa|rsa]
    dsa   Deletes the specified user's DSA (version 2) key
    rsa   Deletes the specified user's RSA (version 1) key
  on <EX3500-DEVICE-NAME>
    Executes the command on a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 ip ssh crypto host-key generates [dsa|rsa] on <EX3500-DEVICE-NAME>
  ex3500 ip ssh crypto host-key generates
    Generates the host-key pair (public and private). This host key is used by the SSH server to negotiate a session key and encryption method with the client trying to connect to it.
  [dsa|rsa]
    dsa   Generates a DSA (version 2) key type
    rsa   Generates an RSA (version 1) key type
    Note: RSA Version 1 is used only for SSHv1.5 clients, whereas DSA Version 2 is used only for SSHv2 clients.
    Note: The generated host-key pair is stored in volatile memory (i.e. RAM). To save the host-key pair in flash memory, use the ex3500 > ip > ssh > save > host-key command.
  on <EX3500-DEVICE-NAME>
    Executes the command on a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 ip ssh crypto zeroize [dsa|rsa] on <EX3500-DEVICE-NAME>
  ex3500 ip ssh crypto zeroize [dsa|rsa]
    Removes the host-key (DSA and RSA) from volatile memory (i.e. RAM).
  on <EX3500-DEVICE-NAME>
    Executes the command on a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.

ex3500 ip ssh save host-key on <EX3500-DEVICE-NAME>
  ex3500 ip ssh save host-key
    Saves the host-key (DSA and RSA) to flash memory.
  on <EX3500-DEVICE-NAME>
    Executes the command on a specified EX3500 device.
    <EX3500-DEVICE-NAME> Specify the EX3500 device's hostname.
Usage Guidelines
When using the ex3500 command and its parameters, keep in mind the following:
Destination file names should not:
- Contain slashes (\ or /),
- Exceed 32 characters for files on the switch, or 127 characters for files on the server.
The FTP server's default user name is set as anonymous.
The Boot ROM and Loader cannot be uploaded or downloaded from the FTP/TFTP server. Follow the instructions provided in the release notes for new firmware, or contact your distributor for help.
The Factory_Default_Config.cfg can be used as the source to copy from, but cannot be used as the destination.
Although the switch supports only two operation code files, the maximum number of user-defined configuration files supported is 16.
Example
nx9500-6C8809#ex3500 adopted upgrade tftp://192.168.0.99/ex3500-adopted-5.8.5.0.img on ex3524-ED5EAC
Flash programming started
Flash programming completed
Successful
nx9500-6C8809#
nx9500-6C8809#ex3500 copy tftp file 10.2.0.100 1 m360.bix m360.bix on ex3524-ED5EAC
\Write to FLASH Programming.
-Write to FLASH finish.
Success.
nx9500-6C8809#
nx9500-6C8809#ex3500 copy tftp startup-config 10.2.0.99 startup.01 startup on ex3524-ED5EAC
TFTP server ip address: 10.1.0.99
Flash programming started.
Flash programming completed.
Success.
nx9500-6C8809#
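The destination file-name rules and the tftp://<IP>[/path]/file image location format stated above are worth checking before an automation script hands ex3500 copy or ex3500 adoptd upgrade arguments to a controller: a rejected command in the middle of a firmware rollout is harder to recover from than a rejected argument. The following Python is an added example, not code from the CLI guide or from WiNG. It takes the 32/127 character limits, the slash rule, the Factory_Default_Config.cfg restriction and the two-opcode/16-configuration limits exactly as the Usage Guidelines state them; treating the <IP> in the upgrade URL as an IPv4 address in A.B.C.D form is an assumption borrowed from the format the guide gives for FTP/TFTP server addresses, and the function and constant names are this example's own.

```python
"""Pre-flight checks for ex3500 copy / adoptd upgrade arguments.

Added example, not code from the CLI guide or from WiNG. Limits and rules come
from the ex3500 Usage Guidelines; function and constant names are this example's own.
"""
import ipaddress
from typing import List
from urllib.parse import urlparse

MAX_SWITCH_NAME = 32                          # destination file stored on the switch
MAX_SERVER_NAME = 127                         # destination file stored on the FTP/TFTP server
SOURCE_ONLY = "Factory_Default_Config.cfg"    # may be copied from, never copied to
MAX_CONFIG_FILES = 16                         # user-defined configuration files the switch holds
MAX_OPCODE_FILES = 2                          # operation code (runtime) files the switch holds


def check_dest_file_name(name: str, on_server: bool = False) -> List[str]:
    """Return the rule violations for a destination file name (empty list = acceptable)."""
    problems = []
    if not name:
        problems.append("empty file name")
    if "/" in name or "\\" in name:
        problems.append("contains a slash")
    limit = MAX_SERVER_NAME if on_server else MAX_SWITCH_NAME
    if len(name) > limit:
        problems.append(f"longer than {limit} characters")
    if name == SOURCE_ONLY:
        problems.append(f"{SOURCE_ONLY} may be a source but not a destination")
    return problems


def check_upgrade_url(url: str) -> List[str]:
    """Validate a tftp://<IP>[/path]/file location for ex3500 adoptd upgrade.

    Requiring a literal IPv4 host is an assumption (the guide's A.B.C.D format
    for server addresses); the scheme and trailing file name follow the guide.
    """
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "tftp":
        problems.append(f"scheme must be tftp, got {parsed.scheme!r}")
    try:
        ipaddress.IPv4Address(parsed.hostname or "")
    except ValueError:
        problems.append("host must be a literal IPv4 address in A.B.C.D form")
    if not parsed.path.rsplit("/", 1)[-1]:
        problems.append("URL does not end in a file name")
    return problems


def can_store(file_type: int, config_files: int, opcode_files: int) -> bool:
    """Whether the switch has room for one more file of the given ex3500 copy [1|2] type.

    file_type 1 = configuration file, 2 = opcode (runtime code). The counts are the
    files of each kind already stored on the switch.
    """
    if file_type == 1:
        return config_files < MAX_CONFIG_FILES
    if file_type == 2:
        return opcode_files < MAX_OPCODE_FILES
    raise ValueError("file type must be 1 (config) or 2 (opcode)")


if __name__ == "__main__":
    # Constructed inputs: the guide's own example URL and a name with a slash in it.
    print(check_upgrade_url("tftp://192.168.0.99/ex3500-adopted-5.8.5.0.img"))
    print(check_dest_file_name("backup/startup"))
```

Run the checks on the switch-side name and the server-side name separately, since the two limits differ; an empty result list means the argument satisfies every rule the guide states.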
3.1.28 factory-reset
Privileged Exec Mode Commands
Erases the startup configuration on a specified device or on all devices within a specified RF Domain.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
factory-reset [<HOSTNAME/MAC>|config-all|config-device-only|on <RF-DOMAIN-NAME>]
factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}
factory-reset on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
factory-reset [config-all|config-device-only] [<HOSTNAME/MAC> {<HOSTNAME/MAC>}|on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}]
Parameters factory-reset <HOSTNAME/MAC> {<HOSTNAME/MAC>}
factory-reset
<HOSTNAME/MAC>
{<HOSTNAME/
MAC>}
Erases startup configuration and reloads device(s) based on the parameters passed For more information on the actions performed by this command, see Actions performed by the factory-reset command. Erases startup configuration and reloads the device identified by the <HOSTNAME/
MAC> keyword. Specify the devices hostname or MAC address.
<HOSTNAME/MAC> Optional. You can optionally specify multiple space-separated devices. factory-reset on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-
controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
factory-reset on <RF-DOMAIN-
NAME>
{containing
<SUB-STRING>|
exclude-controllers|
exclude-rf-domain-
manager|
filter <DEVICE-
TYPE>]}
Erases startup configuration and reloads device(s) based on the parameters passed For more information on the actions performed by this command, see Actions performed by the factory-reset command. Erases startup configuration and reloads all devices or specified device(s) within a specified RF Domain identified by the <RF-DOMAIN-NAME> keyword
<RF-DOMAIN-NAME> Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:
containing <SUB-STRING> Optional. Executes the command on all devices con-
taining a specified sub-string in their hostname
<SUB-STRING> Specify the sub-string to match. Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 75 PRIVILEGED EXEC MODE COMMANDS exclude-controllers Optional. Executes the command on all devices excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller. exclude-rf-domain-manager Optional. Executes the command on all devices ex-
cluding RF Domain managers. Use this option when executing the command on the NOC, site controller, or RF Domain manager. filter <DEVICE-TYPE> Optional. Executes the command on all devices of a speci-
fied type
<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup con-
figuration is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the command is executed on all AP6521s within the specified RF Domain. factory-reset [config-all|config-device-only] [<HOSTNAME/MAC> {<HOSTNAME/
MAC>}|on <RF-DOMAIN-NAME> {containing <SUB-STRING>|exclude-controllers|exclude-
rf-domain-manager|filter <DEVICE-TYPE>}]
factory-reset
[config-all|
config-device-only]
Erases startup configuration and reloads device(s) based on the parameters passed For more information on the actions performed by this command, see Actions performed by the factory-reset command. Erases startup configuration and reloads only controller-adopted devices or the controller as well as its adopted devices config-all Erases startup configuration on the controller and all devices adopted by it config-device-only Erases startup configuration only on the devices adopted by the controller
<HOSTNAME/MAC>
{<HOSTNAME/
MAC>}
This parameter is common to the config-all and config-device-only keywords:
<HOSTNAME/MAC> Erases startup configuration and reloads the device identified by the <HOSTNAME/MAC> keyword. Specify the devices hostname or MAC address.
<HOSTNAME/MAC> Optional. You can optionally specify multiple space-separated devices. The following parameters are common to the config-all and config-device-only keywords:
on <RF-DOMAIN-NAME> Erases startup configuration and reloads all devices or specified device(s) within a specified RF Domain
<RF-DOMAIN-NAME> Specify the RF Domain name. After specifying the RF Do-
main, optionally use the filters provided to identify specific device(s) within the RF Do-
main. If none of the filters are used, the command is executed on all devices within the RF Domain. These filters are:
containing <SUB-STRING> Optional. Executes the command on all devices con-
taining a specified sub-string in their hostname
<SUB-STRING> Specify the sub-string to match. exclude-controllers Optional. Executes the command on all devices excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller. Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 3 - 76 PRIVILEGED EXEC MODE COMMANDS on <RF-DOMAIN-
NAME>
{containing
<SUB-STRING>|
exclude-controllers|
exclude-rf-domain-
manager|
filter <DEVICE-
TYPE>]}
exclude-rf-domain-manager Optional. Executes the command on all devices excluding RF Domain managers. Use this option when executing the command on the NOC, Site controller, or RF Domain manager. filter <DEVICE-TYPE> Optional. Executes the command on all devices of a spec-
ified type
<DEVICE-TYPE> Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The startup configuration is erased on all devices of the type specified here. For example, if AP6521 is the device-type specified, the command is executed on all AP6521s within the specified RF Domain. Usage Guidelines Actions performed by the factory-reset command. The action taken by this command depends on the parameters passed. For the factory-reset [<DEVICE-NAME>|on <RF-DOMAIN-NAME>] options, the command:
- Erases the startup configuration on the target device, or on all devices in the target RF Domain.
- Erases the device configuration entries from the controller's configuration for the target device, or for all devices in the target RF Domain.
- Reloads the target device, or all devices in the target RF Domain.

For the factory-reset config-all [<DEVICE-NAME>|on <RF-DOMAIN-NAME>] options, the command:

- Erases the startup configuration on the target device, or on all devices in the target RF Domain.
- Erases the device configuration entries from the controller's configuration for the target device, or for all devices in the target RF Domain.

For the factory-reset config-device-only [<DEVICE-NAME>|on <RF-DOMAIN-NAME>] options, the command:

- Erases the startup configuration on the target device, or on all devices in the target RF Domain.

Example

nx7500-7F3609#factory-reset config-all ap6522-5A873C
In progress ....
Erased startup-config - success 1 fail 0
Successful device deletion - total 1
nx7500-7F3609#
rfs6000-18072B#factory-reset B4-C7-99-5A-87-3C
In progress ....
Erased startup-config and initiated reload - success 1 fail 0
Successful device deletion - total 1
rfs6000-18072B#
The following example displays the access points in the RF Domain rfd1:

nx7500-7F3609#show wireless ap on rfd1
---------------------------------------------------------------------------------------
MODE : radio modes - W = WLAN, S=Sensor, ' ' (Space) = radio not present
---------------------------------------------------------------------------------------
AP-NAME          AP-LOCATION  RF-DOMAIN  AP-MAC             #RADIOS  MODE  #CLIENT  IPv4     IPv6
---------------------------------------------------------------------------------------
ap7131-1180FC                 rfd1       00-23-68-11-80-FC  2        W-W   0        0.0.0.0  ::
ap6522-551648                 rfd1       B4-C7-99-55-16-48  2        W-W   0        0.0.0.0  ::
ap8232-7F0DF8                 rfd1       FC-0A-81-7F-0D-F8  2        W-W   0        0.0.0.0  ::
---------------------------------------------------------------------------------------
Total number of APs displayed: 3
nx7500-7F3609#

Note, the factory-reset command executed on an RF Domain with the exclude-rf-domain-manager option erases the startup configuration on all devices other than the RF Domain manager.

nx7500-7F3609#factory-reset config-device-only on rfd1 exclude-rf-domain-manager
In progress ....
Erased startup-config -
ap7131-1180FC: OK
ap6522-551648: OK
nx7500-7F3609#

nx7500-7F3609#factory-reset on rfd2
In progress ....
Erased startup-config and initiated reload -
ap650-A6566C: OK,Reload scheduled in 60 seconds...
ap4532-34505C: OK,Reload scheduled in 60 seconds...
ap650-345000: OK,Reload scheduled in 60 seconds...
Successful device deletion - total 3
nx7500-7F3609#
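The scope options above decide which devices lose their startup configuration, and `show wireless ap on <RF-DOMAIN-NAME>` is the natural place to check the list first. The following is an added example, not code from the guide or from WiNG: it parses that table and applies the containing, exclude-controllers, exclude-rf-domain-manager and filter options as the parameter table describes them, so the blast radius can be reviewed before the command is run. Its assumptions are stated in the docstring: hostnames keep the default model-plus-MAC form (so the device type can be read from the name), containing matches the hostname, and the RF Domain manager's name is supplied by the operator because `show wireless ap` does not mark it.

```python
"""Preview which devices a WiNG `factory-reset ... on <RF-DOMAIN-NAME>` would hit.

Added example, not from the CLI Reference Guide. It parses the `show wireless ap on
<RF-DOMAIN-NAME>` table and applies the containing / exclude-controllers /
exclude-rf-domain-manager / filter <DEVICE-TYPE> options as the parameter table
describes them. Assumptions: hostnames keep the default <model>-<MAC suffix> form
(so the device type can be read from the name); `containing` matches the hostname;
the RF Domain manager's name is passed in explicitly since the table does not show it.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}")

# Constructed sample, copied from the `show wireless ap on rfd1` output in the guide.
SAMPLE_SHOW_OUTPUT = """\
nx7500-7F3609#show wireless ap on rfd1
--------------------------------------------------------------------------------
MODE : radio modes - W = WLAN, S=Sensor, ' ' (Space) = radio not present
--------------------------------------------------------------------------------
AP-NAME        AP-LOCATION  RF-DOMAIN  AP-MAC             #RADIOS  MODE  #CLIENT  IPv4     IPv6
--------------------------------------------------------------------------------
ap7131-1180FC               rfd1       00-23-68-11-80-FC  2        W-W   0        0.0.0.0  ::
ap6522-551648               rfd1       B4-C7-99-55-16-48  2        W-W   0        0.0.0.0  ::
ap8232-7F0DF8               rfd1       FC-0A-81-7F-0D-F8  2        W-W   0        0.0.0.0  ::
--------------------------------------------------------------------------------
Total number of APs displayed: 3
"""


@dataclass(frozen=True)
class Device:
    name: str
    dtype: str          # e.g. AP6522, the form `filter <DEVICE-TYPE>` takes
    domain: str
    mac: str
    is_controller: bool = False


def model_of(hostname: str) -> str:
    """Default WiNG hostnames are <model>-<MAC suffix>; the model is the device type."""
    return hostname.split("-", 1)[0].upper()


def parse_show_wireless_ap(text: str) -> list[Device]:
    """Pull (name, RF Domain, MAC) out of each data row; header and rule lines carry no MAC."""
    devices = []
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if not m:
            continue
        before = line[: m.start()].split()
        if len(before) < 2:
            continue
        name, domain = before[0], before[-1]        # AP-LOCATION, when present, sits in between
        devices.append(Device(name, model_of(name), domain, m.group().upper()))
    return devices


def factory_reset_targets(inventory, domain, *, rf_domain_manager=None, containing=None,
                          exclude_controllers=False, exclude_rf_domain_manager=False,
                          device_type=None) -> list[str]:
    """Names of the devices `factory-reset on <domain> [options]` would act on."""
    if exclude_rf_domain_manager and rf_domain_manager is None:
        # Refuse to guess: without the manager's name the option would protect nothing.
        raise ValueError("exclude-rf-domain-manager needs the RF Domain manager's name")
    targets = [d for d in inventory if d.domain == domain]
    if containing is not None:
        targets = [d for d in targets if containing in d.name]
    if exclude_controllers:
        targets = [d for d in targets if not d.is_controller]
    if exclude_rf_domain_manager:
        targets = [d for d in targets if d.name != rf_domain_manager]
    if device_type is not None:
        targets = [d for d in targets if d.dtype == device_type.upper()]
    return [d.name for d in targets]


def build_inventory() -> list[Device]:
    """APs from the sample table plus the adopting controller (a constructed entry)."""
    inv = parse_show_wireless_ap(SAMPLE_SHOW_OUTPUT)
    inv.append(Device("nx7500-7F3609", "NX7500", "rfd1", "00-00-5E-00-53-01", is_controller=True))
    return inv


if __name__ == "__main__":
    inv = build_inventory()
    # Mirrors the guide's example run: the manager (assumed to be ap8232-7F0DF8) is spared.
    print(factory_reset_targets(inv, "rfd1", rf_domain_manager="ap8232-7F0DF8",
                                exclude_controllers=True, exclude_rf_domain_manager=True))
```

The refusal in factory_reset_targets is deliberate: an exclude option whose protected device is unknown is worse than no option, because the operator believes the manager is safe when nothing is actually excluded.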
3.1.29 file-sync
Privileged Exec Mode Commands

Syncs a trustpoint and/or an EAP-TLS X.509 (PKCS#12) certificate between the staging controller and its adopted access points. When enabling file syncing, consider the following points:

- The X.509 certificate needs synchronization only if the access point is configured to use EAP-TLS authentication.
- Execute the command on the controller adopting the access points.
- Ensure that the X.509 certificate file is installed on the controller.
- Syncing of the trustpoint/wireless-bridge certificate can be automated. To automate file syncing, in the controller's device/profile configuration mode, execute the following command: file-sync [auto|count <1-20>]. For more information, see file-sync.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

file-sync [cancel|load-file|trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge]
file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]
file-sync load-file [trustpoint|wireless-bridge]
file-sync load-file [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] <URL>
file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}
Parameters

file-sync cancel [trustpoint|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all]]

file-sync cancel
    Cancels a scheduled file synchronization.
trustpoint
    Cancels a scheduled trustpoint synchronization on a specified AP, all APs, or the APs within a specified RF Domain.
wireless-bridge
    Cancels a scheduled wireless-bridge certificate synchronization on a specified AP, all APs, or the APs within a specified RF Domain.
<DEVICE-NAME>
    Cancels the scheduled trustpoint/certificate synchronization on a specified AP. Specify the AP's hostname or MAC address.
all
    Cancels the scheduled trustpoint/certificate synchronization on all APs.
rf-domain [<DOMAIN-NAME>|all]
    Cancels the scheduled trustpoint/certificate synchronization on all APs in a specified RF Domain or in all RF Domains.
    <DOMAIN-NAME> - Cancels the scheduled trustpoint/certificate synchronization on all APs within a specified RF Domain. Specify the RF Domain's name.
    all - Cancels the scheduled trustpoint/certificate synchronization on all RF Domains.

file-sync load-file [trustpoint|wireless-bridge] <URL>
file-sync load-file [trustpoint|wireless-bridge] <URL>
    Loads one of the following files on to the staging controller. Use this command to load the certificate to the controller before scheduling or initiating a certificate synchronization.
trustpoint
    Loads the trustpoint, including the CA certificate, server certificate and private key.
wireless-bridge
    Loads the wireless-bridge certificate to the staging controller.
<URL>
    Provide the trustpoint/certificate location using one of the following formats:
    tftp://<hostname|IP>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    http://<hostname|IP>[:port]/path/file
    cf:/path/file
    usb<n>:/path/file
    Note: Both IPv4 and IPv6 address types are supported.
    Note: tftp, ftp and http transfer the file, and ftp also the login, in cleartext. Since a trustpoint includes the private key, fetch it over sftp or from local cf:/usb<n>: storage. The ftp and sftp forms put the password on the command line.

file-sync [trustpoint <TRUSTPOINT-NAME>|wireless-bridge] [<DEVICE-NAME>|all|rf-domain [<DOMAIN-NAME>|all] {from-controller}] {reset-radio|upload-time <TIME>}
file-sync
    Configures the file-syncing parameters.
trustpoint <TRUSTPOINT-NAME>
    Syncs a specified trustpoint between the controller and its adopted APs.
    <TRUSTPOINT-NAME> - Specify the trustpoint name.
wireless-bridge
    Syncs the wireless-bridge certificate between the controller and its adopted APs.

After specifying the file to be synced, configure the following file-sync parameters:

<DEVICE-NAME>
    Syncs the trustpoint/certificate with a specified AP. Specify the AP's hostname or MAC address.
all
    Syncs the trustpoint/certificate with all APs.
rf-domain [<DOMAIN-NAME>|all] {from-controller}
    Syncs the trustpoint/certificate with all APs in a specified RF Domain or in all RF Domains.
    <DOMAIN-NAME> - Select to sync with the APs within a specified RF Domain. Specify the RF Domain's name.
    all - Select to sync with the APs across all RF Domains.
    from-controller - Optional. Loads the certificate to the APs from the adopting controller, not from the RF Domain manager.

After specifying the access points, optionally specify reset-radio and upload-time. Both keywords are recursive and applicable to all of the above parameters.

reset-radio
    Optional. Resets the radio after file synchronization. Reset the radio when the certificate is renewed without any change to the bridge EAP username and bridge EAP password.
upload-time <TIME>
    Optional. Schedules the certificate upload at a specified time.
    <TIME> - Specify the time in the MM/DD/YYYY-HH:MM or HH:MM format. If no time is configured, the process is initiated as soon as the command is executed.

Example

rfs6000-81742D#file-sync wireless-bridge ap7131-11E6C4 upload-time 06/01/2017-12:30
--------------------------------------------------------------------------------
CONTROLLER STATUS MESSAGE
--------------------------------------------------------------------------------
B4-C7-99-6D-CD-4B Success Queued 1 APs to upload
--------------------------------------------------------------------------------
rfs6000-81742D#
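The <URL> formats for file-sync load-file embed the fetch credentials in the URL, and three of the schemes are cleartext. The following is an added example, not code from the guide or from WiNG, with checks of its own: it validates a location against those formats, produces a password-redacted form for change records, and warns when a trustpoint (which includes the private key) would travel over tftp, ftp or http. The sample hosts, users and paths are constructed.

```python
"""Check a `file-sync load-file [trustpoint <NAME>|wireless-bridge] <URL>` location.

Added example, not from the CLI Reference Guide. It validates a URL against the <URL>
formats the guide lists (tftp, ftp, sftp, http, cf:, usb<n>:), picks out embedded
credentials, produces a password-redacted form, and warns when a trustpoint (which
bundles the private key) would be fetched over a cleartext transport. The warnings are
this example's own checks; the guide does not describe the CLI doing any of this.
"""
from __future__ import annotations
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

CLEARTEXT_SCHEMES = {"tftp", "ftp", "http"}   # file (and for ftp the login) travel unencrypted
CRED_SCHEMES = {"ftp", "sftp"}                # the guide's forms carry <user>:<passwd>@
LOCAL_SCHEME_RE = re.compile(r"^(cf|usb[0-9]+)$")


@dataclass(frozen=True)
class Location:
    scheme: str
    host: str | None       # None for cf:/ and usb<n>:/ locations
    port: int | None
    path: str
    user: str | None
    has_password: bool

    @property
    def cleartext(self) -> bool:
        return self.scheme in CLEARTEXT_SCHEMES

    def redacted(self) -> str:
        """The same location with the password replaced, safe to paste into a ticket."""
        if self.host is None:
            return f"{self.scheme}:{self.path}"
        host = f"[{self.host}]" if ":" in self.host else self.host   # IPv6 literal
        port = f":{self.port}" if self.port is not None else ""
        cred = ""
        if self.user is not None:
            cred = f"{self.user}:***@" if self.has_password else f"{self.user}@"
        return f"{self.scheme}://{cred}{host}{port}{self.path}"


def parse_location(url: str) -> Location:
    """Accept only the forms the <URL> parameter documents; reject anything else."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if LOCAL_SCHEME_RE.match(scheme):
        if parts.netloc or not parts.path.startswith("/"):
            raise ValueError(f"expected {scheme}:/path/file")
        return Location(scheme, None, None, parts.path, None, False)
    if scheme not in CLEARTEXT_SCHEMES | {"sftp"}:
        raise ValueError(f"unsupported scheme {scheme!r}")
    if not parts.hostname or not parts.path:
        raise ValueError("network locations need <hostname|IP> and /path/file")
    if scheme in CRED_SCHEMES and (parts.username is None or parts.password is None):
        raise ValueError(f"{scheme}:// locations need <user>:<passwd>@")
    return Location(scheme, parts.hostname, parts.port, parts.path,
                    parts.username, parts.password is not None)


def check_load_file(target: str, url: str) -> tuple[str, list[str]]:
    """Return the redacted command line and any warnings for `file-sync load-file`.

    target is "trustpoint <TRUSTPOINT-NAME>" or "wireless-bridge", as in the syntax.
    """
    loc = parse_location(url)
    warnings = []
    if target.startswith("trustpoint") and loc.cleartext:
        warnings.append(f"trustpoint (CA cert, server cert and private key) fetched over cleartext {loc.scheme}")
    if loc.scheme == "ftp":
        warnings.append("ftp sends the <user>:<passwd> login in cleartext")
    return f"file-sync load-file {target} {loc.redacted()}", warnings


if __name__ == "__main__":
    # Constructed sample locations (documentation addresses, made-up user and paths).
    for target, url in [("trustpoint ap-eap-tls", "ftp://bob:s3cret@192.0.2.10/certs/ap-eap-tls.p12"),
                        ("wireless-bridge", "sftp://bob:s3cret@[2001:db8::1]:2222/certs/bridge.p12"),
                        ("wireless-bridge", "usb1:/certs/bridge.p12")]:
        cmd, warn = check_load_file(target, url)
        print(cmd, *["  ! " + w for w in warn], sep="\n")
```

The redacted form is what should go into a change ticket or runbook; the original URL, with the password, should only ever exist on the command line of the controller itself.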
The following command uploads the certificate to all access points:

rfs6000-81742D#file-sync wireless-bridge all upload-time 06/01/2017-23:42

3.1.30 halt
Privileged Exec Mode Commands

Stops (halts) a device (access point, wireless controller, or service platform). Once halted, the system must be restarted manually. This command stops the device immediately; no indication or notification is provided while the device shuts down.

Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

halt {force} {(on <DEVICE-NAME>)}

Parameters

halt {force} {(on <DEVICE-NAME>)}

halt
    Halts a device.
force
    Optional. Forces the device to halt, ignoring in-progress operations such as firmware upgrades, downloads, and unsaved configuration changes. Unsaved changes are lost; run write memory first if they are wanted. The on <DEVICE-NAME> keyword below is recursive and also applies to force.
on <DEVICE-NAME>
    Optional. Specifies the name of the device to be halted.
    <DEVICE-NAME> - Enter the name of the AP, wireless controller, or service platform. If the device name is not specified, the logged-in device is halted.

Example

nx9500-6C8809#halt on rfs6000-81742D
nx9500-6C8809#
3.1.31 join-cluster
Privileged Exec Mode Commands

Adds a device (wireless controller or service platform) as a cluster member to an existing cluster of devices. Assign a static IP address to the device before adding it to a cluster. Note, a cluster can only be formed of devices of the same model type.

Supported in the following platforms:

- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

join-cluster <IP> user <USERNAME> password <WORD> {level|mode}
join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}

Parameters

join-cluster <IP> user <USERNAME> password <WORD> {level [1|2]|mode [active|standby]}

join-cluster
    Adds a wireless controller or service platform to an existing cluster.
<IP>
    Specify the cluster member's IP address.
user <USERNAME>
    Specify a user account with superuser privileges on the cluster member.
password <WORD>
    Specify the password for the account specified in the user parameter.
level [1|2]
    Optional. Configures the routing level.
    1 - Configures level 1 routing.
    2 - Configures level 2 routing.
mode [active|standby]
    Optional. Configures the cluster mode.
    active - Configures the cluster mode as active.
    standby - Configures the cluster mode as standby.

Usage Guidelines

To add a device to an existing cluster:

- Configure a static IP address on the device (wireless controller or service platform).
- Provide the username and password of a superuser, network admin, system admin, or operator account.
- After adding the device to a cluster, execute the write memory command to ensure the configuration persists across reboots.

Example

rfs6000-81742D#join-cluster 192.168.13.16 user admin password superuser level 1 mode standby
... connecting to 192.168.13.16
... applying cluster configuration
... committing the changes
... saving the changes
[OK]
rfs6000-81742D#
rfs6000-81742D#show context
!
! Configuration of RFS6000 version 5.9.1.0-012D
!
!
version 2.5
!
!
................................................................................
interface ge1
 switchport mode access
 switchport access vlan 1
interface vlan1
 ip address 192.168.13.16/24
 ip dhcp client request options all
 no ipv6 enable
 no ipv6 request-dhcpv6-options
cluster name TechPubs
cluster mode standby
cluster member ip 192.168.13.16 level 1
logging on
logging console warnings
logging buffered warnings
!
!
end
rfs6000-81742D#

Related Commands

cluster
    Initiates the cluster context. The cluster context provides centralized management to configure all cluster members from any one member.
create-cluster
    Creates a new cluster on a specified device.

3.1.32 l2tpv3
Privileged Exec Mode Commands

Establishes or brings down an L2TPv3 tunnel.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

l2tpv3 tunnel [<TUNNEL-NAME>|all]
l2tpv3 tunnel <TUNNEL-NAME> [down|session|up]
l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}
l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}
Parameters

l2tpv3 tunnel <TUNNEL-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel <TUNNEL-NAME> [down|up]
    Establishes or brings down an L2TPv3 tunnel.
    <TUNNEL-NAME> - Specify the tunnel name.
    down - Brings down the specified tunnel.
    up - Establishes the specified tunnel.
on <DEVICE-NAME>
    Optional. Establishes or brings down the tunnel on a specified device.
    <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

l2tpv3 tunnel <TUNNEL-NAME> session <SESSION-NAME> [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel <TUNNEL-NAME>
    Establishes or brings down an L2TPv3 tunnel.
    <TUNNEL-NAME> - Specify the tunnel name.
session <SESSION-NAME> [down|up]
    Establishes or brings down a session in the specified tunnel.
    <SESSION-NAME> - Specify the session name.
    down - Brings down the specified tunnel session.
    up - Establishes the specified tunnel session.
on <DEVICE-NAME>
    Optional. Establishes or brings down the tunnel session on a specified device.
    <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

l2tpv3 tunnel all [down|up] {on <DEVICE-NAME>}

l2tpv3 tunnel all [down|up]
    Establishes or brings down all L2TPv3 tunnels.
    down - Brings down all tunnels.
    up - Establishes all tunnels.
on <DEVICE-NAME>
    Optional. Establishes or brings down all tunnels on a specified device.
    <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example

rfs6000-81742D#l2tpv3 tunnel Tunnel1 session Tunnel1Session1 up on rfs6000-81742D

NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY.

3.1.33 logging
Privileged Exec Mode Commands

Modifies message logging settings.

Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|warnings|notifications}

Parameters

logging monitor {<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings}

monitor
    Sets the terminal lines logging level. The logging severity level can be set from 0 - 7. The system applies the default settings if no logging severity level is specified.
<0-7>
    Optional. Enter the logging severity level from 0 - 7. The levels, from most to least severe, are:
    emergencies - Optional. System is unusable (severity=0)
    alerts - Optional. Immediate action needed (severity=1)
    critical - Optional. Critical conditions (severity=2)
    errors - Optional. Error conditions (severity=3)
    warnings - Optional. Warning conditions (severity=4)
    notifications - Optional. Normal but significant conditions (severity=5)
    informational - Optional. Informational messages (severity=6)
    debugging - Optional. Debugging messages (severity=7)
    Note: Ensure that the logging module is enabled before configuring the message logging level. To enable message logging, in the device's configuration mode, execute the logging > on command. Message logging can also be enabled on a profile.

Example

rfs6000-81742D(config-device-00-15-70-81-74-2D)#logging on
rfs6000-81742D#logging monitor debugging
rfs6000-81742D#show logging
Logging module: enabled
Aggregation time: disabled
Console logging: level warnings
Monitor logging: disabled
Buffered logging: level warnings
Syslog logging: level warnings
Facility: local7
Log Buffer (70096 bytes):
Apr 04 12:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
Apr 04 12:33:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
--More--
rfs6000-81742D#
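The severity table above and the log lines in the show logging output use the syslog convention in which a smaller number is more severe, and the level keyword given to logging monitor is a threshold. The following is an added example, not code from the guide or from WiNG: it parses the %FACILITY-SEV-MNEMONIC: message format and keeps the lines a given logging monitor level would admit. It assumes the usual syslog reading, that a level N admits severity N and anything more severe; two of its sample lines are copied from the guide's output and the rest are constructed.

```python
"""Filter WiNG log lines the way a `logging monitor <level>` threshold would.

Added example, not from the CLI Reference Guide. It parses the `%FACILITY-SEV-MNEMONIC:`
message format seen in `show logging` and in the archived startup logs, maps the level
keywords of `logging monitor` to numeric severities, and keeps the messages a given level
admits. Assumption: the usual syslog convention applies, i.e. a threshold of N admits
messages of severity N and anything more severe (smaller number).
"""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"%(?P<facility>[A-Z0-9]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$"
)


@dataclass(frozen=True)
class LogEntry:
    ts: str
    facility: str
    severity: int
    mnemonic: str
    msg: str


def resolve_level(level: str) -> int:
    """Accept either a keyword (`warnings`) or a digit (`4`), as `logging monitor` does."""
    if level.isdigit() and 0 <= int(level) <= 7:
        return int(level)
    try:
        return LEVELS[level.lower()]
    except KeyError:
        raise ValueError(f"unknown logging level {level!r}") from None


def parse_line(line: str) -> LogEntry | None:
    """One parsed entry per message line; pager prompts and continuation lines give None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(m["ts"], m["facility"], int(m["sev"]), m["mnemonic"], m["msg"])


def admitted(lines, level: str) -> list[LogEntry]:
    """Entries a terminal would show with `logging monitor <level>` in effect."""
    threshold = resolve_level(level)
    return [e for e in map(parse_line, lines) if e is not None and e.severity <= threshold]


def mnemonic_counts(lines) -> Counter:
    """Quick triage view: how often each message type appears in a buffer."""
    return Counter(e.mnemonic for e in map(parse_line, lines) if e is not None)


# The first two lines are copied from the guide's output; the EXAMPLE-* lines are
# constructed for this example and do not come from a real device.
SAMPLE_LOG = [
    'Apr 04 12:43:02 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM',
    'May 30 05:37:43 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/logd"',
    'Apr 04 12:44:10 2017: %EXAMPLE-2-CONSTRUCTED: constructed critical message',
    'Apr 04 12:44:11 2017: %EXAMPLE-7-CONSTRUCTED: constructed debugging message',
    '--More--',
]

if __name__ == "__main__":
    for level in ("warnings", "7"):
        print(f"logging monitor {level}:")
        for e in admitted(SAMPLE_LOG, level):
            print(f"  sev={e.severity} {e.facility}-{e.mnemonic}: {e.msg}")
```

Run against a full show logging buffer, the same filter shows what a monitor session at a given level would have displayed, which is useful when deciding whether a terminal level of debugging is needed or would just flood the session.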
Related Commands

no
    Resets the terminal lines logging level.

3.1.34 mint
Privileged Exec Mode Commands

Uses the MiNT protocol to perform a ping and traceroute to a remote device.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, V X9000

Syntax

mint [ping|traceroute]
mint ping <MINT-ID> {count <1-10000>|size <1-64000>|timeout <1-10>}
mint traceroute <MINT-ID> {destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>}
Parameters

mint ping <MINT-ID> {count <1-10000>|size <1-64000>|timeout <1-10>}

ping <MINT-ID>
    Sends a MiNT echo message to a specified destination.
    <MINT-ID> - Specify the destination device's MiNT ID.
count <1-10000>
    Optional. Sets the number of pings sent to the MiNT destination.
    <1-10000> - Specify a value from 1 - 10000. The default is 3.
size <1-64000>
    Optional. Sets the MiNT payload size in bytes.
    <1-64000> - Specify a value from 1 - 64000 bytes. The default is 64 bytes.
timeout <1-10>
    Optional. Sets the response timeout in seconds.
    <1-10> - Specify a value from 1 - 10 seconds. The default is 1 second.

mint traceroute <MINT-ID> {destination-port <1-65535>|max-hops <1-255>|source-port <1-65535>|timeout <1-255>}

traceroute <MINT-ID>
    Prints the route packets trace to a device.
    <MINT-ID> - Specify the destination device's MiNT ID.
destination-port <1-65535>
    Optional. Sets the Equal-cost Multi-path (ECMP) routing destination port.
    <1-65535> - Specify a value from 1 - 65535. The default port is 45.
max-hops <1-255>
    Optional. Sets the maximum number of hops a traceroute packet traverses in the forward direction.
    <1-255> - Specify a value from 1 - 255. The default is 30.
source-port <1-65535>
    Optional. Sets the ECMP source port.
    <1-65535> - Specify a value from 1 - 65535. The default port is 45.
timeout <1-255>
    Optional. Sets the minimum response time period.
    <1-255> - Specify a value from 1 - 255 seconds. The default is 30 seconds.

Example

rfs4000-229D58#mint ping 68.88.0D.A7
MiNT ping 68.88.0D.A7 with 64 bytes of data.
Response from 68.88.0D.A7: id=1 time=0.364 ms
Response from 68.88.0D.A7: id=2 time=0.333 ms
Response from 68.88.0D.A7: id=3 time=0.368 ms
--- 68.88.0D.A7 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.333/0.355/0.368 ms
rfs4000-229D58#
3.1.35 mkdir
Privileged Exec Mode Commands

Creates a new directory in the file system.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

mkdir <DIR>

Parameters

mkdir <DIR>

<DIR>
    Specify a directory name. Note: The directory specified by the <DIR> parameter is created within the file system.

Example

rfs4000-880DA7#dir
Directory of flash:/.

drwx Tue Sep 27 06:25:15 2016 log
drwx Sat Jan  1 05:30:08 2000 configs
drwx Sat Jan  1 05:30:08 2000 cache
drwx Wed Nov  4 16:12:15 2015 crashinfo
drwx Mon Sep 26 10:45:03 2016 archived_logs
drwx Sat Jan  1 05:30:08 2000 upgrade
drwx Sat Jan  1 05:30:23 2000 hotspot
drwx Sat Jan  1 05:30:08 2000 floorplans
drwx Sat Jan  1 05:30:08 2000 tmptpd
rfs4000-880DA7#

rfs4000-880DA7#mkdir test
rfs4000-880DA7#dir
Directory of flash:/.

drwx Tue Sep 27 06:25:15 2016 log
drwx Tue Sep 27 15:20:01 2016 test
drwx Sat Jan  1 05:30:08 2000 configs
drwx Sat Jan  1 05:30:08 2000 cache
drwx Wed Nov  4 16:12:15 2015 crashinfo
drwx Mon Sep 26 10:45:03 2016 archived_logs
drwx Sat Jan  1 05:30:08 2000 upgrade
drwx Sat Jan  1 05:30:23 2000 hotspot
drwx Sat Jan  1 05:30:08 2000 floorplans
drwx Sat Jan  1 05:30:08 2000 tmptpd
rfs4000-880DA7#
3.1.36 more
Privileged Exec Mode Commands

Displays files on the device's file system. This command navigates to and displays a specific file in the device's file system; provide the complete path to the file: more <file>. The more command also displays the startup configuration file.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

more <FILE>

Parameters

more <FILE>

<FILE>
    Specify the file name and location.

Example

rfs4000-880DA7#more flash:/archived_logs/startup.5.log
00-07-42-05-30-17
May 30 05:37:43 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/logd"
May 30 05:37:43 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/isDiag"
May 30 05:37:48 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/rim"
May 30 05:37:51 2017: %DIAG-4-FAN_UNDERSPEED: Fan fan 1 under speed: 0 RPM is under limit 2000 RPM
May 30 05:38:18 2017: %PM-6-PROCSTART: Starting process "/etc/init.d/cfgd"
May 30 05:38:19 2017: %KERN-6-INFO: up1 { no link }.
May 30 05:38:19 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/nsm"
May 30 05:38:21 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/mstp"
May 30 05:38:21 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/hsd"
May 30 05:38:22 2017: %PM-6-PROCSTART: Starting process "/etc/init.d/dpd2.init"
May 30 05:38:22 2017: %PM-6-PROCSTART: Starting process "/usr/sbin/ssm"
--More--
rfs4000-880DA7#
3.1.37 no
Privileged Exec Mode Commands

Use the no command to revert a command or a set of parameters to their default. This command is useful to turn off an enabled feature or to revert to default settings. The no commands have their own set of parameters that can be reset. These parameters depend on the context in which the command is being used.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [adoption|captive-portal|cpe|crypto|debug|logging|page|raid|service|terminal|upgrade|virtual-machine|wireless]
no adoption {on <DEVICE-OR-DOMAIN-NAME>}
NOTE: The no > adoption command resets the adoption state of a specified device (and of all devices adopted to it) or of the devices within a specified RF Domain. When executed without specifying a device or RF Domain, the command resets the adoption state of the logged-in device and of all devices, if any, adopted to it.

no captive-portal client [captive-portal <CAPTIVE-PORTAL-NAME>|mac <MAC>] {on <DEVICE-OR-DOMAIN-NAME>}
no crypto pki [server|trustpoint]
no crypto pki [server|trustpoint] <TRUSTPOINT-NAME> {del-key {on <DEVICE-NAME>}|on <DEVICE-NAME>}
no logging monitor
no page
no service [block-adopter-config-update|locator|snmp|ssm|wireless]
no service block-adopter-config-update
no service locator {on <DEVICE-NAME>}
no service snmp sysoid wing5
no service ssm trace pattern {<WORD>} {(on <DEVICE-NAME>)}
no service wireless [trace pattern {<WORD>} {(on <DEVICE-NAME>)}|unsanctioned ap air-terminate <BSSID> {on <DOMAIN-NAME>}]
no terminal [length|width]
no upgrade <PATCH-NAME> {on <DEVICE-NAME>}
no wireless client [all|<MAC>]
no wireless client all {filter|on}
no wireless client all {filter [wlan <WLAN-NAME>]}
no wireless client all {on <DEVICE-OR-DOMAIN-NAME>} {filter [wlan <WLAN-NAME>]}
no wireless client mac <MAC> {on <DEVICE-OR-DOMAIN-NAME>}
The following command is available only on the NX95XX series service platforms:
no cpe led cpe [<1-24>|all] {on <T5-DEVICE-NAME>}
no virtual-machine assign-usb-ports {on <DEVICE-NAME>}
no raid locate

Parameters

no <PARAMETERS>

no <PARAMETERS>
    Resets or reverts settings based on the parameters passed.

Usage Guidelines

The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example

rfs4000-229D58#no adoption
rfs4000-229D58#

rfs6000-81742D#no page
rfs6000-81742D#
3.1.38 on
Privileged Exec Mode Commands

Executes the following commands in the RF Domain context: clrscr, do, end, exit, help, service, and show.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

on rf-domain [<RF-DOMAIN-NAME>|all]

Parameters

on rf-domain [<RF-DOMAIN-NAME>|all]

on rf-domain [<RF-DOMAIN-NAME>|all]
    Enters the RF Domain context based on the parameter specified.
    <RF-DOMAIN-NAME> - Specify the RF Domain name. Enters the specified RF Domain context.
    all - Specifies all RF Domains.

Example

nx9500-6C8809#on rf-domain TechPubs
nx9500-6C8809(TechPubs)#
nx9500-6C8809(TechPubs)#?
on RF-Domain Mode commands:
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  service  Service Commands
  show     Show running system information
nx9500-6C8809(TechPubs)#?
nx9500-6C8809(TechPubs)#show adoption timeline on TechPubs/ap7562-84A224
--------------------------------------------------------------------------------
-----
AP-NAME RF-DOMAIN LAST-ADOPTION-TIMESTAMP ADOPTED-SINCE
--------------------------------------------------------------------------------
-----
nx9500-6C8809    TechPubs   2016-09-09 00:00:14   7 days 05:19:49
rfs4000-880DA7   TechPubs   2016-09-08 23:59:57   7 days 05:20:06
rfs6000-81742D   TechPubs   2016-09-08 05:52:04   7 days 23:27:58
--------------------------------------------------------------------------------
-----
Total number of devices displayed: 3
nx9500-6C8809(TechPubs)#

3.1.39 opendns
Privileged Exec Mode Commands

Fetches the OpenDNS device_id from the OpenDNS site. Use this command to fetch the OpenDNS device_id. Once fetched, apply the device_id to the WLANs that are to be OpenDNS enabled.

OpenDNS is a cloud DNS service that provides DNS query resolution, Web filtering, protection against virus and malware attacks, and performance enhancement. This command is part of the set of configurations required to integrate WiNG devices with OpenDNS. When integrated, DNS queries going out of the WiNG device (access point, controller, or service platform) are redirected to the OpenDNS resolvers (208.67.220.220 or 208.67.222.222), which act as proxy DNS servers. For more information on enabling OpenDNS support, see Enabling OpenDNS Support.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

opendns [APIToken|username]
opendns APIToken <OPENDNS-APITOKEN>
opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>

Note, you can use either of the above commands to fetch the device_id from the OpenDNS site.

Parameters

opendns APIToken <OPENDNS-APITOKEN>
opendns APIToken <OPENDNS-APITOKEN>
    Fetches the device_id from the OpenDNS site using the OpenDNS API token. This is the token provided to you by Cisco when subscribing to the OpenDNS service. Treat it as a credential: it is typed in cleartext on the command line.
    <OPENDNS-APITOKEN> - Provide the OpenDNS API token (must be a valid token). For every valid OpenDNS API token provided, a device_id is returned. Apply this device_id to the WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.

opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
opendns username <USERNAME>
    Fetches the device_id from the OpenDNS site using the OpenDNS credentials. Configures the OpenDNS user name. This is the OpenDNS email ID registered with Cisco when subscribing to the OpenDNS service.
    <USERNAME> - Provide the OpenDNS user name (must be a valid OpenDNS username).
password <OPENDNS-PSWD>
    Configures the password associated with the user name specified above.
    <OPENDNS-PSWD> - Provide the OpenDNS password (must be a valid OpenDNS password).
label <LABEL>
    Configures the network label. This is the label (user-friendly name) of your network, and should be the same as the label (name) configured on the OpenDNS portal.
    <LABEL> - Specify your network label. For every set of username, password, and label passed, only one unique device_id is returned. Apply this device_id to the WLANs that are to be OpenDNS enabled. Once applied, DNS queries originating from associating clients are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. For information on configuring the device_id in the WLAN context, see opendns.

Example

ap7131-E6D512#opendns username bob@examplecompany.com password opendns label company_name
Connecting to OpenDNS server...
device_id = 0014AADF8EDC6C59
ap7131-E6D512#

nx9600-7F3C7F#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
device_id = 001480fe36dcb245
nx9600-7F3C7F#
Example: Enabling OpenDNS Support

The following example shows how to enable OpenDNS support:

1 Fetch the OpenDNS device_id from the OpenDNS site.
  a In the User/Privilege executable mode, execute one of the following commands:
    nx9500-6C874D#opendns APIToken <OPENDNS-APITOKEN>
    nx9500-6C8809#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
    device_id = 001480fe36dcb245
    nx9500-6C8809#
    OR
    nx9500-6C8809#opendns username <USERNAME> password <OPENDNS-PSWD> label <LABEL>
    Note, the OpenDNS API token and/or user account credentials are provided by the OpenDNS service provider when subscribing to the OpenDNS service.
  b Apply the device_id fetched in step 1 to the WLAN.
    nx9500-6C8809(config-wlan-opendns)#opendns device-id <OPENDNS-DEVICE-ID>
    nx9500-6C8809(config-wlan-opendns)#opendns device-id 001480fe36dcb245
    nx9500-6C8809(config-wlan-opendns)#show context
    wlan opendns
     ssid opendns
     bridging-mode local
     encryption-type none
     authentication-type none
     opendns device-id 001480fe36dcb245
    nx9500-6C8809(config-wlan-opendns)#
  Once applied, DNS queries originating from wireless clients associating with the WLAN are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet.
2 Configure a DHCP server policy, and set the DHCP pool's DNS server configuration to point to the OpenDNS servers.
    nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#dns-server 208.67.222.222
    Note, you can configure any one of the following OpenDNS servers: 208.67.222.222 OR 208.67.222.220
    nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#show context
    dhcp-pool opendnsPool
     dns-server 208.67.222.222
    nx9500-6C8809(config-dhcp-policy-opendns-pool-opendnsPool)#
3 Apply the DHCP server policy configured in step 2 on the access point, controller, or service platform.
    nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#use dhcp-server-policy opendns
    nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include use
    use profile default-nx9000
    use rf-domain TechPubs
    use database-policy default
    use nsight-policy noc
    use dhcp-server-policy opendns
    use auto-provisioning-policy TechPubs
    nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
  When configured, DNS queries are forwarded by the access point, controller, or service platform to the specified OpenDNS resolver.
4 Configure an IP Access Control List with the following permit and deny rules:
    nx9500-6C8809(config-ip-acl-OpenDNS)#permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
    nx9500-6C8809(config-ip-acl-OpenDNS)#deny udp any any eq dns rule-precedence 10 rule-description "block all DNS queries"
    nx9500-6C8809(config-ip-acl-OpenDNS)#permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
    nx9500-6C8809(config-ip-acl-OpenDNS)#show context
    ip access-list OpenDNS
     permit udp any host 208.67.222.222 eq dns rule-precedence 1 rule-description "allow dns queries only to OpenDNS"
     deny udp any any eq dns rule-precedence 10 rule-description "block all dns queries"
     permit ip any any rule-precedence 100 rule-description "allow all other ip packets"
    nx9500-6C8809(config-ip-acl-OpenDNS)#
  When configured and applied in the WLAN context, the IP ACL prevents wireless clients from adding their own DNS servers to bypass the Web filtering and network policies enforced by OpenDNS.
5 Apply the IP ACL configured in step 4 in the WLAN context.
    nx9500-6C8809(config-wlan-opendns)#use ip-access-list out OpenDNS
    nx9500-6C8809(config-wlan-opendns)#show context
    wlan opendns
     ssid opendns
     vlan 1
     bridging-mode local
     encryption-type none
     authentication-type none
     use ip-access-list in OpenDNS
     use ip-access-list out OpenDNS
     opendns device-id 0014AADF8EDC6C59
    nx9500-6C8809(config-wlan-opendns)#
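As an added example (not code from the guide or from WiNG), the following Python script verifies the two effects of the procedure above from a captured client DNS query: it parses the DNS message to find where it ends, reports how many bytes trail it (the guide states the WLAN appends 31 bytes carrying the device ID, but does not document their contents, so only the length is checked), confirms the destination is one of the two OpenDNS resolvers the guide lists, and evaluates the three ACL rules from step 4 in rule-precedence order. The sample query, the trailer bytes and the packet tuples are constructed inputs.

```python
"""Check captured DNS queries against the OpenDNS WLAN policy from the guide.

Constructed example: a UDP payload is parsed as a DNS message, trailing bytes
after the message are counted, and the step 4 ACL is evaluated in precedence
order. The 31-byte trailer below is a placeholder; its real contents are not
documented in the guide, only its length.
"""
import struct

OPENDNS_TRAILER_LEN = 31                       # length stated in the guide
OPENDNS_RESOLVERS = {"208.67.222.222", "208.67.222.220"}  # resolvers listed in step 2

# Step 4 ACL as (rule-precedence, action, protocol, destination host or None, port or None).
OPENDNS_ACL = [
    (1, "permit", "udp", "208.67.222.222", 53),   # allow dns queries only to OpenDNS
    (10, "deny", "udp", None, 53),                # block all other UDP dns queries
    (100, "permit", "ip", None, None),            # allow all other ip packets
]


def _skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past the DNS name at off (handles compression pointers)."""
    while True:
        if off >= len(buf):
            raise ValueError("truncated name")
        length = buf[off]
        if length == 0:                 # root label terminates the name
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def dns_message_length(payload: bytes) -> int:
    """Length of the DNS message proper (header plus all four sections)."""
    if len(payload) < 12:
        raise ValueError("short DNS header")
    qd, an, ns, ar = struct.unpack("!HHHH", payload[4:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(payload, off) + 4        # QTYPE + QCLASS
    for _ in range(an + ns + ar):                 # resource records, incl. EDNS0 OPT
        off = _skip_name(payload, off) + 8        # TYPE, CLASS, TTL
        if off + 2 > len(payload):
            raise ValueError("truncated resource record")
        rdlen = struct.unpack("!H", payload[off:off + 2])[0]
        off += 2 + rdlen
    if off > len(payload):
        raise ValueError("truncated DNS message")
    return off


def classify_query(dst_ip: str, payload: bytes) -> dict:
    """Report the trailer length and whether the query fits the OpenDNS policy."""
    trailer = len(payload) - dns_message_length(payload)
    return {
        "trailer_bytes": trailer,
        "device_id_tagged": trailer == OPENDNS_TRAILER_LEN,
        "to_opendns": dst_ip in OPENDNS_RESOLVERS,
    }


def acl_decision(proto: str, dst_ip: str, dport: int) -> str:
    """First matching rule wins, lowest rule-precedence first; implicit deny at the end."""
    for _, action, r_proto, r_dst, r_port in sorted(OPENDNS_ACL, key=lambda r: r[0]):
        if r_proto != "ip" and r_proto != proto:
            continue
        if r_dst is not None and r_dst != dst_ip:
            continue
        if r_port is not None and r_port != dport:
            continue
        return action
    return "deny"


def build_query(name: str, txid: int = 0x1234, edns: bool = False) -> bytes:
    """Constructed sample input: a minimal A query, optionally with an EDNS0 OPT record."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    msg = header + labels + b"\x00" + struct.pack("!HH", 1, 1)
    if edns:
        msg += b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0)   # OPT RR, empty RDATA
    return msg


if __name__ == "__main__":
    tagged = build_query("www.example.com") + b"\x00" * OPENDNS_TRAILER_LEN  # placeholder trailer
    print(classify_query("208.67.222.222", tagged))
    print(classify_query("8.8.8.8", build_query("www.example.com", edns=True)))
    for pkt in (("udp", "208.67.222.222", 53), ("udp", "8.8.8.8", 53), ("tcp", "8.8.8.8", 53)):
        print(pkt, "->", acl_decision(*pkt))
```

Evaluating the rules this way also makes one property of the step 4 ACL visible: both DNS rules match UDP only, so a query carried over TCP port 53 falls through to the "permit ip any any" rule.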
  When applied to the WLAN, only the DNS queries directed to the OpenDNS server are forwarded. All other DNS queries are dropped.

3.1.40 page
Privileged Exec Mode Commands

Toggles controller paging. Enabling this command displays the CLI command output page by page, instead of running the entire output at once.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  page

Parameters
  None

Example
  rfs6000-81742D#page
  rfs6000-81742D#

Related Commands
  no   Disables controller paging

3.1.41 ping
Privileged Exec Mode Commands

Sends Internet Control Message Protocol (ICMP) echo messages to a user-specified location

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}

Parameters
  ping <IP/HOSTNAME> {count <1-10000>|dont-fragment {count|size}|size <1-64000>|source [<IP>|pppoe|vlan <1-4094>|wwan]}

  <IP/HOSTNAME>                Specify the destination IP address or hostname to ping. When entered without any parameters, this command prompts for an IP address or a hostname.
  count <1-10000>              Optional. Sets the pings to the specified destination
    <1-10000>                  Specify a value from 1 - 10000. The default is 5.
  dont-fragment {count|size}   Optional. Sets the dont-fragment bit in the ping packet. Packets with the dont-fragment bit specified are not fragmented. When a packet with the dont-fragment bit specified exceeds the specified Maximum Transmission Unit (MTU) value, an error message is sent from the device trying to fragment it.
    count <1-10000>            Sets the pings to the specified destination from 1 - 10000. The default is 5.
    size <1-64000>             Sets the ping payload size from 1 - 64000 bytes. The default is 100 bytes.
  size <1-64000>               Optional. Sets the ping packet size in bytes
    <1-64000>                  Specify the ping payload size from 1 - 64000 bytes. The default is 100 bytes.
  source [<IP>|pppoe|vlan <1-4094>|wwan]   Optional. Sets the source address or interface name. This is the source of the ICMP packet to the specified destination.
    <IP>                       Specifies the source IP address
    pppoe                      Selects the PPP over Ethernet interface
    vlan <1-4094>              Selects the VLAN interface from 1 - 4094
    wwan                       Selects the wireless WAN interface

Example
  rfs6000-81742D#ping 192.168.13.13 count 4
  PING 192.168.13.13 (192.168.13.13) 100(128) bytes of data.
  108 bytes from 192.168.13.13: icmp_seq=1 ttl=64 time=0.356 ms
  108 bytes from 192.168.13.13: icmp_seq=2 ttl=64 time=0.211 ms
  108 bytes from 192.168.13.13: icmp_seq=3 ttl=64 time=0.199 ms
  108 bytes from 192.168.13.13: icmp_seq=4 ttl=64 time=0.215 ms

  --- 192.168.13.13 ping statistics ---
  4 packets transmitted, 4 received, 0% packet loss, time 2999ms
  rtt min/avg/max/mdev = 0.199/0.245/0.356/0.065 ms
  rfs6000-81742D#

  rfs6000-81742D#ping 10.233.89.182 source vlan 1
  PING 10.233.89.182 (10.233.89.182) from 192.168.13.24 vlan1: 100(128) bytes of data.
  From 192.168.13.2 icmp_seq=1 Packet filtered
  From 192.168.13.2 icmp_seq=2 Packet filtered
  From 192.168.13.2 icmp_seq=3 Packet filtered
  From 192.168.13.2 icmp_seq=4 Packet filtered
  From 192.168.13.2 icmp_seq=5 Packet filtered

  --- 10.233.89.182 ping statistics ---
  5 packets transmitted, 0 received, +5 errors, 100% packet loss, time 3997ms
  rfs6000-81742D#
3.1.42 ping6
Privileged Exec Mode Commands

Sends ICMPv6 echo messages to a user-specified IPv6 address

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ping6 <IPv6/HOSTNAME> {<INTF-NAME>|count <1-10000>|size <1-64000>}

Parameters
  ping6 <IPv6/HOSTNAME> {<INTF-NAME>|count <1-10000>|size <1-64000>}

  <IPv6/HOSTNAME>    Specify the destination IPv6 address or hostname.
  <INTF-NAME>        Optional. Specify the interface name for a link local/broadcast address
  count <1-10000>    Optional. Sets the pings to the specified IPv6 destination
    <1-10000>        Specify a value from 1 - 10000. The default is 5.
  size <1-64000>     Optional. Sets the IPv6 ping payload size in bytes
    <1-64000>        Specify the ping payload size from 1 - 64000. The default is 100 bytes.

Usage Guidelines
  To configure a device's IPv6 address, in the VLAN interface configuration mode, use the ipv6 > address <IPv6-ADDRESS> command. After configuring the IPv6 address, use the ipv6 > enable command to enable IPv6. For more information, see ipv6.

Example
  rfs4000-880DA7#ping6 2001:10:10:10:10:10:10:2 count 6 size 200
  PING 2001:10:10:10:10:10:10:2(2001:10:10:10:10:10:10:2) 200 data bytes
  208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=1 ttl=64 time=0.509 ms
  208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=2 ttl=64 time=0.323 ms
  208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=3 ttl=64 time=0.318 ms
  208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=4 ttl=64 time=0.317 ms
  208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=5 ttl=64 time=0.314 ms
  208 bytes from 2001:10:10:10:10:10:10:2: icmp_seq=6 ttl=64 time=0.318 ms

  --- 2001:10:10:10:10:10:10:2 ping statistics ---
  6 packets transmitted, 6 received, 0% packet loss, time 4999ms
  rtt min/avg/max/mdev = 0.314/0.349/0.509/0.075 ms
  rfs4000-880DA7#
3.1.43 pwd
Privileged Exec Mode Commands

Displays the full path of the present working directory, similar to the UNIX pwd command

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  pwd

Parameters
  None

Example
  rfs4000-229D58#pwd
  flash:/
  rfs4000-229D58#

  rfs4000-229D58#dir
  Directory of flash:/.
    drwx  Mon Feb  8 17:37:21 2016  log
    drwx  Sat Jan  1 05:30:08 2000  configs
    drwx  Sat Jan  1 05:30:08 2000  cache
    drwx  Thu Nov 12 17:55:02 2015  crashinfo
    drwx  Mon Feb  8 17:34:21 2016  archived_logs
    drwx  Sat Jan  1 05:30:08 2000  upgrade
    drwx  Sat Jan  1 05:30:23 2000  hotspot
    drwx  Sat Jan  1 05:30:08 2000  floorplans
    drwx  Sat Jan  1 05:30:08 2000  tmptpd
  rfs4000-229D58#
3.1.44 re-elect
Privileged Exec Mode Commands

Re-elects the tunnel controller (wireless controller or service platform)

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}

Parameters
  re-elect tunnel-controller {<WORD> {on <DEVICE-NAME>}|on <DEVICE-NAME>}

  re-elect tunnel-controller   Re-elects the tunnel controller
  <WORD> {on <DEVICE-NAME>}    Optional. Re-elects the tunnel controller on all devices whose preferred tunnel controller name matches <WORD>
  on <DEVICE-NAME>             Optional. Re-elects the tunnel controller on a specified device
    <DEVICE-NAME>              Specify the name of the AP, wireless controller, or service platform.

Example
  rfs4000-880DA7#re-elect tunnel-controller
  OK
  rfs4000-880DA7#
3.1.45 reload
Privileged Exec Mode Commands

Halts a device or devices and performs a warm reboot

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  reload {<DEVICE-MAC-OR-HOSTNAME>|at|cancel|force|in|on|staggered}
  reload {(<DEVICE-MAC-OR-HOSTNAME>)}
  reload {at <TIME> <1-31> <MONTH> <1993-2035> {on <DEVICE-OR-DOMAIN-NAME>}}
  reload {cancel} {on <DEVICE-OR-DOMAIN-NAME>}
  reload {force} {(<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>|staggered)}
  reload {force} {(<DEVICE-MAC-OR-HOSTNAME>)}
  reload {force} {on <DOMAIN-NAME> {staggered}|staggered {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
  reload {in <1-999>} {list|on}
  reload {in <1-999>} {list {<LINE>|all}|on <DEVICE-OR-DOMAIN-NAME>}
  reload {in <1-999>} {on <DEVICE-OR-DOMAIN-NAME>}
  reload {on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
  reload {staggered} {(<DEVICE-MAC-OR-HOSTNAME>)|on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

Parameters
  reload {(<DEVICE-MAC-OR-HOSTNAME>)}

  reload                       Initiates device(s) reload and configures associated parameters
  <DEVICE-MAC-OR-HOSTNAME>     The following keyword is recursive and allows you to specify multiple devices:
    <DEVICE-MAC-OR-HOSTNAME>   Optional. Reloads the specified device(s), identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device's hostname or MAC address. If no device is specified, the system reloads the logged device.

  reload {at <TIME> <1-31> <MONTH> <1993-2035> {on <DEVICE-OR-DOMAIN-NAME>}}

  reload                       Initiates device(s) reload and configures associated parameters
  at                           Optional. Schedules a reload at a specified time and day. Use the following keywords to specify the time and day: <TIME>, <1-31>, <MONTH>, and <1993-2035>.
  <TIME>                       Specifies the time in the HH:MM:SS format
  <1-31>                       Specifies the day of the month from 1 - 31
  <MONTH>                      Specifies the month from Jan - Dec
  <1993-2035>                  Specifies the year from 1993 - 2035. It should be a valid 4 digit year.
  on <DEVICE-OR-DOMAIN-NAME>   Optional. Performs the reload at the scheduled time, on a specified device or all devices within a specified RF Domain
    <DEVICE-OR-DOMAIN-NAME>    Specify the name of the AP, wireless controller, service platform, or RF Domain. When a RF Domain name is provided, all devices within the specified RF Domain are reloaded at the scheduled time. If no device is specified, the reload is scheduled on the logged device.

  reload {cancel} {on <DEVICE-OR-DOMAIN-NAME>}

  reload                       Cancels pending/scheduled reloads of device(s)
  cancel                       Optional. Cancels all pending reloads
  on <DEVICE-OR-DOMAIN-NAME>   Optional. Cancels reloads pending on a specified device or all devices within a specified RF Domain
    <DEVICE-OR-DOMAIN-NAME>    Specify the name of the AP, wireless controller, service platform, or RF Domain. If no device is specified, the system cancels reloads pending on the logged device.

  reload {force} {(<DEVICE-MAC-OR-HOSTNAME>)}

  reload                       Initiates device(s) reload and configures associated parameters
  force                        Optional. Forces device(s) to reload, while ignoring conditions like upgrade in progress, unsaved changes, etc. Use the options provided to force a reload on a specified device or all devices in a RF Domain. This keyword is recursive and allows you to specify multiple devices.
  <DEVICE-MAC-OR-HOSTNAME>     Optional. Forces a reload on a specified device identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device's hostname or MAC address. When executed, the specified device(s) are forced to halt and a warm reboot is performed. If no device is specified, the system forcefully reloads the logged device.

  reload {force} {on <DOMAIN-NAME> {staggered}|staggered {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

  reload                       Initiates device(s) reload and configures associated parameters
  force                        Optional. Forces device(s) to reload, while ignoring conditions like upgrade in progress, unsaved changes, etc. Use the options provided to force a reload on a specified device or all devices in a RF Domain.
  on <DOMAIN-NAME>             Optional. Forces a reload on all devices in a RF Domain
    <DOMAIN-NAME>              Optional. Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are forced to halt and a warm reboot is performed.
  staggered                    Optional. Enables staggered reload of devices (one at a time) without network impact. Use this option when rebooting multiple devices within an RF Domain. When executed, all devices within the specified RF Domain are forced to halt and reboot in a staggered manner.
  staggered {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
                               Optional. Enables staggered reload of devices (one at a time) without network impact
    <DEVICE-MAC-OR-HOSTNAME>   Optional. Forces a reload on the specified device(s) identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device's hostname or MAC address. This is a recursive keyword that allows you to specify multiple devices. When executed, the specified device(s) are forced to halt and a warm reboot is performed.
    on <DOMAIN-NAME>           Optional. Forces a reload on all devices in a RF Domain. Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are forced to halt and a warm reboot is performed. If no device or RF Domain is specified, the system forcefully reloads the logged device.
                               When forcefully reloading devices in a RF Domain, you can use the following options to filter specific devices or device types:
    containing <WORD>          Optional. Filters out devices containing a specified sub-string in their hostnames
      <WORD>                   Optional. Provide the sub-string to match. All devices having hostnames containing the provided sub-string are filtered and forcefully reloaded.
    exclude-controllers        Optional. Excludes all controllers in the specified RF Domain from the reload process
    exclude-rf-domain-manager  Optional. Excludes the RF Domain manager from the reload process
    filter <DEVICE-TYPE>       Optional. Filters devices by the device type specified. Select the type of device. All devices of the specified type within the specified RF Domain are forcefully reloaded.
      <DEVICE-TYPE>            Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5.

  reload {in <1-999>} {list {<LINE>|all}|on <DEVICE-OR-DOMAIN-NAME>}

  reload                       Initiates device(s) reload and configures associated parameters
  in <1-999>                   Optional. Performs a reload after a specified time period
    <1-999>                    Specify the time from 1 - 999 minutes
  list {<LINE>|all}            Optional. Reloads all adopted devices or specified devices
    <LINE>                     Optional. Reloads the listed devices. List all devices (to be reloaded) separated by a space.
    all                        Optional. Reloads all devices adopted by this controller
  on <DEVICE-OR-DOMAIN-NAME>   Optional. Reloads a specified device or all devices within a specified RF Domain
    <DEVICE-OR-DOMAIN-NAME>    Specify the name of the AP, wireless controller, service platform, or RF Domain.

  reload {on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

  reload                       Initiates device(s) reload and configures associated parameters
  on <DOMAIN-NAME>             Optional. Enables reload of all devices in a RF Domain
    <DOMAIN-NAME>              Specify the name of the RF Domain. When executed, all devices within the specified RF Domain are immediately halted and a warm reboot is performed. If no RF Domain is specified, the system reloads the logged device.
  {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
                               When reloading devices in a RF Domain, you can use the following options to filter specific devices or device types:
    containing <WORD>          Optional. Filters out devices containing a specified sub-string in their hostnames.
      <WORD>                   Optional. Provide the sub-string to match. All devices having hostnames containing the provided sub-string are filtered and forcefully reloaded.
    exclude-controllers        Optional. Excludes all controllers in the specified RF Domain from the reload process
    exclude-rf-domain-manager  Optional. Excludes the RF Domain manager from the reload process
    filter <DEVICE-TYPE>       Optional. Filters devices by the device type specified. Select the type of device to reload. All devices of the specified type within the specified RF Domain are forcefully reloaded.
      <DEVICE-TYPE>            Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5. All devices of the type specified are reloaded.

  reload {staggered} {(<DEVICE-MAC-OR-HOSTNAME>)|on <DOMAIN-NAME>} {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}

  reload                       Initiates device(s) reload and configures associated parameters
  staggered                    Optional. Enables staggered reload of devices (one at a time) without network impact
  {<DEVICE-MAC-OR-HOSTNAME>|on <DOMAIN-NAME>}
                               Use one of the following options to specify a single device, multiple devices, or a RF Domain
    <DEVICE-MAC-OR-HOSTNAME>   Optional. Performs a staggered reload on the specified device(s) identified by the <DEVICE-MAC-OR-HOSTNAME> keyword. Specify the device's hostname or MAC address. This is a recursive keyword that allows you to specify multiple devices. When executed, the specified device(s) are halted and a warm reboot is performed. Multiple devices are halted and rebooted one at a time without impacting network functioning.
    <DOMAIN-NAME>              Optional. Performs a staggered reload of all devices in a RF Domain. Specify the name of the RF Domain. When executed, devices in the specified RF Domain are halted and rebooted one at a time without impacting network functioning. Use the additional filter options to filter devices in the specified RF Domain. If no device or RF Domain is specified, the system reloads the logged device.
  {containing <WORD>|exclude-controllers|exclude-rf-domain-manager|filter <DEVICE-TYPE>}
                               When reloading devices in a RF Domain, you can use the following options to filter specific devices or device types:
    containing <WORD>          Optional. Filters out devices containing a specified sub-string in their hostnames.
      <WORD>                   Optional. Provide the sub-string to match. All devices having hostnames containing the provided sub-string are filtered and reloaded.
    exclude-controllers        Optional. Excludes all controllers in the specified RF Domain from the reload process
    exclude-rf-domain-manager  Optional. Excludes the RF Domain manager from the reload process
    filter <DEVICE-TYPE>       Optional. Filters devices by the device type specified. Select the type of device. All devices of the specified type within the specified RF Domain are reloaded.
      <DEVICE-TYPE>            Select the type of device to reload. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000, t5.

Example
  rfs7000-6DCD4B#reload at 12:30:00 31 Mar 2015 on rfs6000-81742D
  Reload scheduled at 2015-03-31 12:30:00 UTC ...
  rfs7000-6DCD4B#

  rfs7000-6DCD4B#reload cancel on rfs6000-81742D
  Scheduled reload cancelled.
  rfs7000-6DCD4B#

  The following example schedules a reload on all non-controller devices in the RF Domain default:
  rfs7000-6DCD4B#reload on default exclude-controllers
  ap8132-711728: OK
  rfs7000-6DCD4B#
3.1.46 rename
Privileged Exec Mode Commands

Renames a file in the device's file system

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  rename <OLD-FILE-NAME> <NEW-FILE-NAME>

Parameters
  rename <OLD-FILE-NAME> <NEW-FILE-NAME>

  <OLD-FILE-NAME>   Specify the file to rename.
  <NEW-FILE-NAME>   Specify the new file name.

Example
  rfs4000-880DA7#dir
  Directory of flash:/.
    drwx  Wed Sep 14 13:54:10 2016  log
    drwx  Sat Jan  1 05:30:08 2000  configs
    drwx  Sat Jan  1 05:30:08 2000  cache
    drwx  Wed Nov  4 16:12:15 2015  crashinfo
    drwx  Fri Sep 16 05:26:37 2016  testdir
    drwx  Thu Sep  8 04:09:30 2016  archived_logs
    drwx  Sat Jan  1 05:30:08 2000  upgrade
    drwx  Sat Jan  1 05:30:23 2000  hotspot
    drwx  Sat Jan  1 05:30:08 2000  floorplans
    drwx  Sat Jan  1 05:30:08 2000  tmptpd
  rfs4000-880DA7#

  rfs4000-880DA7#rename flash:/testdir/ Final
  rfs4000-880DA7#

  rfs4000-880DA7#dir
  Directory of flash:/.
    drwx  Wed Sep 14 13:54:10 2016  log
    drwx  Sat Jan  1 05:30:08 2000  configs
    drwx  Fri Sep 16 05:26:37 2016  Final
    drwx  Sat Jan  1 05:30:08 2000  cache
    drwx  Wed Nov  4 16:12:15 2015  crashinfo
    drwx  Thu Sep  8 04:09:30 2016  archived_logs
    drwx  Sat Jan  1 05:30:08 2000  upgrade
    drwx  Sat Jan  1 05:30:23 2000  hotspot
    drwx  Sat Jan  1 05:30:08 2000  floorplans
    drwx  Sat Jan  1 05:30:08 2000  tmptpd
  rfs4000-880DA7#
3.1.47 rmdir
Privileged Exec Mode Commands

Deletes an existing directory from the file system (only empty directories can be removed)

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  rmdir <DIR>

Parameters
  rmdir <DIR>

  rmdir <DIR>   Specifies the directory name
                Note: The directory, specified by the <DIR> parameter, is removed from the file system.

Example
  rfs4000-880DA7#dir
  Directory of flash:/.
    drwx  Wed Sep 14 13:54:10 2016  log
    drwx  Sat Jan  1 05:30:08 2000  configs
    drwx  Fri Sep 16 05:26:37 2016  Final
    drwx  Sat Jan  1 05:30:08 2000  cache
    drwx  Wed Nov  4 16:12:15 2015  crashinfo
    drwx  Thu Sep  8 04:09:30 2016  archived_logs
    drwx  Sat Jan  1 05:30:08 2000  upgrade
    drwx  Sat Jan  1 05:30:23 2000  hotspot
    drwx  Sat Jan  1 05:30:08 2000  floorplans
    drwx  Sat Jan  1 05:30:08 2000  tmptpd
  rfs4000-880DA7#

  rfs4000-880DA7#rmdir Final
  rfs4000-880DA7#

  rfs4000-880DA7#dir
  Directory of flash:/.
    drwx  Wed Sep 14 13:54:10 2016  log
    drwx  Sat Jan  1 05:30:08 2000  configs
    drwx  Sat Jan  1 05:30:08 2000  cache
    drwx  Wed Nov  4 16:12:15 2015  crashinfo
    drwx  Thu Sep  8 04:09:30 2016  archived_logs
    drwx  Sat Jan  1 05:30:08 2000  upgrade
    drwx  Sat Jan  1 05:30:23 2000  hotspot
    drwx  Sat Jan  1 05:30:08 2000  floorplans
    drwx  Sat Jan  1 05:30:08 2000  tmptpd
  rfs4000-880DA7#
3.1.48 self
Privileged Exec Mode Commands

Enters the logged device's configuration context

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  self

Parameters
  None

Example
  rfs6000-81742D#self
  Enter configuration commands, one per line. End with CNTL/Z.
  rfs6000-81742D(config-device-00-15-70-81-74-2D)#
3.1.49 ssh
Privileged Exec Mode Commands

Opens a Secure Shell (SSH) connection between two network devices

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ssh <IP/HOSTNAME> <USERNAME> {<INF-NAME/LINK-LOCAL-ADD>}

Parameters
  ssh <IP/HOSTNAME> <USERNAME> {<INF-NAME/LINK-LOCAL-ADD>}

  <IP/HOSTNAME>               Specify the remote system's IP address or hostname.
  <USERNAME>                  Specify the name of the user requesting the SSH connection.
  <INF-NAME/LINK-LOCAL-ADD>   Optional. Specify the interface's name or link local address.

Usage Guidelines
  To exit the other device's context, use the command that is relevant to that device.

Example
  nx9500-6C8809#ssh 192.168.13.16 admin
  admin@192.168.13.16's password:
  rfs6000-81742D>
3.1.50 t5
Privileged Exec Mode Commands

Executes the following operations on a T5 device through the WiNG controller:
  copy, rename, and delete files on the T5 device's file system
  write the running configuration to the T5 device's memory

The T5 switch is a means of providing cost-effective, high-speed, wall-to-wall coverage across a building. The T5 switch leverages the in-building telephone lines to extend Ethernet and Wireless LAN networks without additional expenditure on re-wiring. This setup is ideally suited for hotels, providing high-speed Wi-Fi coverage to guest rooms. The entire setup consists of the DSL T5 switch, TW-510 Ethernet wallplates, and TW-511 wireless wallplate access points. Replacing the phone jack plate in a room with the TW-511 delivers 802.11 a/b/g/n and extends wireless connectivity to that room and the neighboring rooms. These TW-511 wallplates (also referred to as the CPEs) are connected to the T5 switch over the DSL interface using a phone block. The T5 switch is adopted and managed through a WiNG controller. The connection between the T5 and WiNG switches is over a WebSocket.

NOTE: For more information on other T5 CPE related commands, see cpe.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}

Parameters
  t5 [copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>|delete <FILE-NAME>|rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>|write memory] {on <T5-DEVICE-NAME>}

  copy <SOURCE-FILE-NAME> <DEST-FILE-NAME>     Copies a file to an external server
    <SOURCE-FILE-NAME>       Specify the source file name.
    <DEST-FILE-NAME>         Specify the destination file name. The content from the source file is copied to the destination file. The source or destination files can be local or remote FTP or TFTP files. The source file can also be a pre-defined keyword. At least one of the files should be a local file. Use this command to copy the startup and/or running configurations to an external server.
  delete <FILE-NAME>         Deletes files on the T5 device's file system
    <FILE-NAME>              Specify the file name. The specified file is deleted.
  rename <SOURCE-FILE-NAME> <DEST-FILE-NAME>   Renames a file on the T5 device's file system
    <SOURCE-FILE-NAME>       Specify the source file name
    <DEST-FILE-NAME>         Specify the new file name. The source file is renamed to the input provided here.
  write memory               Writes the running configuration to an adopted T5 device's memory
    memory                   Writes the running configuration to the T5 device's non-volatile (NV) memory.
  on <T5-DEVICE-NAME>        Optional. Executes these operations on a specified T5 device
    <T5-DEVICE-NAME>         Specify the T5 device's hostname.

Example
  nx9500-6C8809#t5 write memory on t5-ED7C6C
  Success
  nx9500-6C8809#
3.1.51 telnet
Privileged Exec Mode Commands

Opens a Telnet session between two network devices. Telnet carries the login credentials and the whole session in cleartext; where the remote device supports it, use ssh instead.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

Parameters
telnet <IP/HOSTNAME> {<TCP-PORT>} {<INTF-NAME>}

<IP/HOSTNAME>  Specify the remote system's IPv4 or IPv6 address or hostname. The Telnet session is established between the connecting system and the remote system.
<TCP-PORT>     Optional. Specify the Transmission Control Protocol (TCP) port.
<INTF-NAME>    Optional. Specify the interface name for the link-local address.

Usage Guidelines
To exit the other device's context, use the command relevant to that device.

Example
nx9500-6C8809#telnet 192.168.13.22
Entering character mode
Escape character is '^]'.
AP7131 release 5.9.0.0-012D
ap7131-11E6C4 login: admin
Password:
ap7131-11E6C4>
3.1.52 terminal
Privileged Exec Mode Commands

Sets the number of characters per line, and the number of lines displayed, within the terminal window

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
terminal [length|width] <0-512>

Parameters
terminal [length|width] <0-512>

length <0-512>  Sets the number of lines displayed on the terminal window. Specify a value from 0 - 512.
width <0-512>   Sets the width, or number of characters, displayed on the terminal window. Specify a value from 0 - 512.

Example
rfs6000-81742D#terminal length 150
rfs6000-81742D#terminal width 215
rfs6000-81742D#show terminal
Terminal Type: xterm
Length: 150 Width: 215
rfs6000-81742D#
Related Commands
no  Resets the width of the terminal window or the number of lines displayed on a terminal window

3.1.53 time-it
Privileged Exec Mode Commands

Measures the time taken by a particular command between request and response

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
time-it <COMMAND>

Parameters
time-it <COMMAND>

time-it <COMMAND>  Measures the time taken by a particular command to execute and return a result.
  <COMMAND>  Specify the command name.

Example
rfs6000-81742D#time-it config terminal
Enter configuration commands, one per line. End with CNTL/Z.
That took 0.00 seconds..
rfs6000-81742D(config)#
3.1.54 traceroute
Privileged Exec Mode Commands

Traces the route to a defined destination. Use --help or -h to display a complete list of parameters for the traceroute command.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
traceroute <WORD>

Parameters
traceroute <WORD>

<WORD>  Traces the route to an IP address or hostname. Specify the IPv4 address or hostname.

Example
nx9500-6C8809#traceroute 192.168.13.16
traceroute to 192.168.13.16 (192.168.13.16), 30 hops max, 46 byte packets
 1  192.168.13.16 (192.168.13.16)  0.479 ms  0.207 ms  0.199 ms
nx9500-6C8809#
3.1.55 traceroute6
Privileged Exec Mode Commands

Traces the route to a specified IPv6 destination

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
traceroute6 <WORD>

Parameters
traceroute6 <WORD>

traceroute6 <WORD>  Traces the route to an IPv6 address or hostname.
  <WORD>  Specify the IPv6 address or hostname.

Example
rfs4000-880DA7#traceroute6 2001:10:10:10:10:10:10:2
traceroute to 2001:10:10:10:10:10:10:2 (2001:10:10:10:10:10:10:2) from 2001:10:10:10:10:10:10:1, 30 hops max, 16 byte packets
 1  2001:10:10:10:10:10:10:2 (2001:10:10:10:10:10:10:2)  0.622 ms  0.497 ms  0.531 ms
rfs4000-880DA7#
3.1.56 upgrade
Privileged Exec Mode Commands

Upgrades a device's software image

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
upgrade [<FILE>|<URL>|dhcp-vendor-options]
upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}
upgrade dhcp-vendor-options {<DEVICE-NAME>|on <RF-DOMAIN-NAME>}
upgrade dhcp-vendor-options {<DEVICE-NAME>} {<DEVICE-NAME>}
upgrade dhcp-vendor-options {on <RF-DOMAIN-NAME>} {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-managers|filter <DEVICE-TYPE>}

Parameters
upgrade [<FILE>|<URL>] {background|on <DEVICE-NAME>|on <RF-DOMAIN-NAME>}

<FILE>  Specify the target firmware image location in one of the following formats:
  cf:/path/file
  usb1:/path/file
  usb2:/path/file
  usb<n>:/path/file
<URL>  Specify the target firmware image location. Use one of the following formats:
  IPv4 URLs:
  tftp://<hostname|IP>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  http://<hostname|IP>[:port]/path/file
  cf:/path/file
  usb<n>:/path/file
  IPv6 URLs:
  tftp://<hostname|[IPv6]>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
  http://<hostname|[IPv6]>[:port]/path/file
  Of these transports only sftp protects the image and the credentials in transit; tftp, ftp and http carry both in cleartext. The <user>:<passwd> pair embedded in the URL is visible on the command line and in the CLI history, so use a dedicated read-only account for image downloads.
background  Optional. Performs the upgrade in the background
on <DEVICE-NAME>  Optional. Upgrades the software image on a specified remote device
  <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.
on <RF-DOMAIN-NAME>  Optional. Upgrades the software image on all devices within a specified RF Domain
  <RF-DOMAIN-NAME>  Specify the name of the RF Domain.

upgrade dhcp-vendor-options {<DEVICE-NAME>} {<DEVICE-NAME>}

dhcp-vendor-options  Uses DHCP vendor options to upgrade device(s). Because the upgrade source is learned from vendor options supplied by the DHCP server, and DHCP is unauthenticated, use this form only on networks where the DHCP server is trusted.
  <DEVICE-NAME>  Optional. Uses DHCP vendor options to upgrade a specified device. Specify the name of the AP, wireless controller, or service platform.
  {<DEVICE-NAME>}  Optional. You can specify multiple comma-separated device names/MAC addresses to upgrade.

upgrade dhcp-vendor-options {on <RF-DOMAIN-NAME>} {containing <SUB-STRING>|exclude-controllers|exclude-rf-domain-managers|filter <DEVICE-TYPE>}

dhcp-vendor-options  Uses DHCP vendor options to upgrade device(s)
on <RF-DOMAIN-NAME>  Optional. Uses DHCP vendor options to upgrade all devices, or specified device(s), within the RF Domain identified by the <RF-DOMAIN-NAME> keyword
  <RF-DOMAIN-NAME>  Specify the RF Domain name. After specifying the RF Domain, optionally use the filters provided to identify specific device(s) within the RF Domain. If none of the filters are used, all devices within the RF Domain are upgraded. These filters are:
  containing <SUB-STRING>  Optional. Upgrades all devices, within the specified RF Domain, whose hostname contains the specified sub-string
    <SUB-STRING>  Specify the sub-string to match.
  exclude-controllers  Optional. Upgrades all devices, within the specified RF Domain, excluding controllers. Since only a NOC controller is capable of adopting other controllers, use this option when executing the command on a NOC controller.
  exclude-rf-domain-managers  Optional. Upgrades all devices, within the specified RF Domain, excluding RF Domain managers. Use this option when executing the command on the NOC, Site controller, or RF Domain manager.
  filter <DEVICE-TYPE>  Optional. Executes the command on all devices, within the specified RF Domain, of a specified type
    <DEVICE-TYPE>  Specify the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. Upgrades all devices of the type specified here. For example, if AP6521 is the device type specified, all AP6521s within the specified RF Domain are upgraded.

Example
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
         IMAGE   BUILD DATE            INSTALL DATE          VERSION
--------------------------------------------------------------------------------
       Primary   02/05/2017 14:33:58   02/11/2017 12:27:53   5.9.0.0-024D
     Secondary   02/01/2017 21:36:24   02/03/2017 12:05:48   5.8.6.0-007B
--------------------------------------------------------------------------------
Current Boot      : Secondary
Next Boot         : Primary
Software Fallback : Enabled
VM support        : Not present
nx9500-6C8809#

nx9500-6C8809#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/NX9500.img
Running from partition /dev/sda7
Validating image file header
Removing other partition
Making file system
Extracting files (this may take some time)..........................................
Control C disabled
Version of firmware update file is 5.9.0.0-026D
Removing unneeded files from flash:/crashinfo directory
Removing unneeded files from flash:/var2/log directory
Creating LILO files
Running LILO
Successful
nx9500-6C8809#

nx9500-6C8809#show boot
--------------------------------------------------------------------------------
         IMAGE   BUILD DATE            INSTALL DATE          VERSION
--------------------------------------------------------------------------------
       Primary   05/01/2017 12:03:13   05/10/2017 10:12:53   5.9.0.0-026D
     Secondary   05/01/2017 19:30:21   05/02/2017 10:05:48   5.9.0.0-007B
--------------------------------------------------------------------------------
Current Boot      : Secondary
Next Boot         : Primary
Software Fallback : Enabled
VM support        : Not present
nx9500-6C8809#

After upgrading, the device has to be reloaded to boot using the new image. Before reloading, confirm with show boot that the expected version is in the partition listed as Next Boot, and with show upgrade-status that the last upgrade completed successfully.

nx7500-7F3609#upgrade tftp://192.168.0.50/RFS6000-5.9.0.-012D.img rfs6000-6DCBB3
--------------------------------------------------------------------------------
 DEVICE           STATUS    MESSAGE
--------------------------------------------------------------------------------
 rfs6000-6DCBB3   Success   None
--------------------------------------------------------------------------------
nx7500-7F3609#show upgrade-status
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : 2017-03-26 10:31:12
nx7500-7F3609#

The following example shows the upgrade status in detail:
nx7500-7F3609#show upgrade detail
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : 2017-03-26 10:31:12
-----------------------------------------------
Running from partition /dev/sda7
var2 is 2 percent full
/tmp is 2 percent full
Free Memory 15258044 kB
FWU invoked via Linux shell
Validating image file header
Removing other partition
Making file system
Extracting files (this may take some time).
Control C disabled
Version of firmware update file is 5.9.0.-012D
Creating LILO files
Running LILO
Successful
nx7500-7F3609#

nx7500-7F3609#show upgrade on rfs6000-6DCBB3
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : 2017-03-26 10:31:12
nx7500-7F3609#
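The upgrade workflow above fetches the image over whatever transport the URL names and reports the outcome through show boot and show upgrade-status. The following Python script is an added example, not part of this guide or of the WiNG software: it checks a staged image against a SHA-256 digest obtained out of band before the image is placed on the download server, and afterwards parses show boot and show upgrade-status output (constructed here to match the layouts shown above) to confirm that the expected version sits in the Next Boot partition, that software fallback is still enabled, and that the upgrade reported success. The image bytes and the expected version strings are sample values.

```python
"""Verify a WiNG firmware upgrade before and after the 'upgrade' command.

Added example, not part of the CLI reference or of WiNG. The two CLI
outputs below are constructed to match the layouts shown in the manual;
the image bytes are a stand-in for a real firmware file.
"""
import hashlib
import re

# Constructed sample of 'show boot' after the upgrade example above.
SHOW_BOOT = """\
--------------------------------------------------------------------------------
         IMAGE   BUILD DATE            INSTALL DATE          VERSION
--------------------------------------------------------------------------------
       Primary   05/01/2017 12:03:13   05/10/2017 10:12:53   5.9.0.0-026D
     Secondary   05/01/2017 19:30:21   05/02/2017 10:05:48   5.9.0.0-007B
--------------------------------------------------------------------------------
Current Boot      : Secondary
Next Boot         : Primary
Software Fallback : Enabled
VM support        : Not present
"""

# Constructed sample of 'show upgrade-status'.
SHOW_UPGRADE_STATUS = """\
Last Image Upgrade Status : Successful
Last Image Upgrade Time   : 2017-03-26 10:31:12
"""

# One partition row: name, build date/time, install date/time, version.
PARTITION_RE = re.compile(
    r"^\s*(Primary|Secondary)\s+(\S+ \S+)\s+(\S+ \S+)\s+(\S+)\s*$", re.M)
# 'Key : Value' trailer lines (also the whole of 'show upgrade-status').
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.+?)\s*$", re.M)


def parse_kv(text):
    """Return the 'Key : Value' lines of a CLI output as a dict."""
    return {key.strip(): value for key, value in FIELD_RE.findall(text)}


def parse_show_boot(text):
    """Return (partitions, fields) from 'show boot' output."""
    partitions = {
        name: {"build": build, "install": install, "version": version}
        for name, build, install, version in PARTITION_RE.findall(text)
    }
    return partitions, parse_kv(text)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_image_hash(image_bytes, expected_sha256):
    """True only if the staged image matches the digest obtained out of band."""
    return sha256_hex(image_bytes) == expected_sha256.strip().lower()


def upgrade_landed(boot_text, status_text, expected_version):
    """Return (ok, problems) for a completed upgrade.

    ok is True only when the upgrade reported success, the partition named
    as Next Boot carries expected_version, and software fallback is enabled.
    """
    partitions, fields = parse_show_boot(boot_text)
    status = parse_kv(status_text)
    problems = []
    if status.get("Last Image Upgrade Status") != "Successful":
        problems.append(f"upgrade status: {status.get('Last Image Upgrade Status')}")
    next_boot = fields.get("Next Boot")
    if next_boot not in partitions:
        problems.append(f"next-boot partition {next_boot!r} not listed")
    elif partitions[next_boot]["version"] != expected_version:
        problems.append(f"next-boot partition {next_boot} holds "
                        f"{partitions[next_boot]['version']}, expected {expected_version}")
    if fields.get("Software Fallback") != "Enabled":
        problems.append("Software Fallback is not Enabled")
    return (not problems), problems


if __name__ == "__main__":
    image = b"stand-in for NX9500.img"          # constructed, not a real image
    published = sha256_hex(image)               # would come from the vendor
    print("image digest ok:", verify_image_hash(image, published))
    ok, problems = upgrade_landed(SHOW_BOOT, SHOW_UPGRADE_STATUS, "5.9.0.0-026D")
    print("upgrade landed:", ok, problems)
```

Run the digest check on the workstation that stages the image, and the post-upgrade check against the captured output of show boot and show upgrade-status before issuing the reload.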
Related Commands
no  Removes a patch installed on a specified device

3.1.57 upgrade-abort
Privileged Exec Mode Commands

Aborts an ongoing software image upgrade

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
upgrade-abort {on <DEVICE-OR-DOMAIN-NAME>}

upgrade-abort  Aborts an ongoing software image upgrade
on <DEVICE-OR-DOMAIN-NAME>  Optional. Aborts an ongoing software image upgrade on a specified device or domain
  <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
An upgrade in progress on rfs4000-229D58 is aborted from rfs6000-81701D; the upgrade session on rfs4000-229D58 then ends with an error.

rfs4000-229D58#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/RFS4000-5.9.0.0-012D.img
Running from partition /dev/mtdblock6
Validating image file header
Making file system
Extracting files (this may take some time)..................

rfs6000-81701D#upgrade-abort on rfs4000-229D58

rfs4000-229D58#upgrade ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/RFS4000-5.9.0.0-012D.img
Running from partition /dev/mtdblock6
Validating image file header
Making file system
Extracting files (this may take some time)..................
Update error: Aborted
rfs4000-229D58#
3.1.58 virtual-machine
Privileged Exec Mode Commands

Installs, configures, and monitors the status of virtual machines (VMs) installed on a WiNG controller

Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000

Syntax
virtual-machine [assign-usb-ports|export|install|restart|set|start|stop|uninstall]
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}
virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}
virtual-machine install [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}
virtual-machine restart [<VM-NAME>|hard|team-urc|team-rls|team-vowlan]
virtual-machine set [autostart|memory|vcpus|vif-count|vif-mac|vif-to-vmif|vnc]
virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

The following virtual-machine commands are supported only on the VX9000 platform:
virtual-machine volume-group [add-drive|replace-drive|resize-drive|resize-volume-group]
virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>
virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>
virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>

Parameters
virtual-machine assign-usb-ports team-vowlan {on <DEVICE-NAME>}

assign-usb-ports team-vowlan  Assigns USB ports to TEAM-VoWLAN on a specified device
on <DEVICE-NAME>  Optional. Specify the device name.
Note: Use no > virtual-machine > assign-usb-ports to reassign the ports to WiNG.
Note: The TEAM-RLS VM cannot be installed while USB ports are assigned to TEAM-VoWLAN.

virtual-machine export <VM-NAME> [<FILE>|<URL>] {on <DEVICE-NAME>}

virtual-machine export  Exports an existing VM image and settings. Use this command to export the VM to another NX54XX or NX65XX device in the same domain.
<VM-NAME>  Specify the VM name.
<FILE>  Specify the location and name of the source file (VM image). The VM image is retrieved and exported from the specified location.
<URL>  Specify the destination location. This is the location to which the VM image is copied. Use one of the following formats to provide the destination path:
  tftp://<hostname|IP>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  http://<hostname|IP>[:port]/path/file
on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
  <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.
Note: The VM should be in the stop state during the export process.
Note: If the destination is a device, the image is copied to a predefined location (VM archive).

virtual-machine install [<VM-NAME>|adsp|team-centro|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine install  Installs the VM. The install command internally creates a VM template, consisting of the specified parameters, and starts the installation process. Select one of the following options:
  <VM-NAME>  Installs a VM having the name specified by the <VM-NAME> keyword.
  adsp  Installs ADSP
  team-centro  Installs the VM TEAM-Centro image
  team-rls  Installs the VM TEAM-RLS image
  team-vowlan  Installs the VM TEAM-VoWLAN image
on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
  <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.

virtual-machine set [autostart [ignore|start]|memory <512-8192>|vcpus <1-4>|vif-count <0-2>|vif-mac <VIF-INDEX> <MAC-INDEX>|vif-to-vmif <VIF-INDEX> <VMIF-INDEX>|vnc [disable|enable]] [<VM-NAME>|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine set  Configures the VM settings
  autostart  Specifies whether to autostart the VM on system reboot
    ignore  Does not autostart the VM on system reboot
    start  Autostarts the VM on each system reboot
  memory  Defines the VM memory size
    <512-8192>  Specify the VM memory from 512 - 8192 MB. The default is 1024 MB.
  vcpus  Specifies the number of VCPUs for this VM
    <1-4>  Specify the number of VCPUs from 1 - 4.
  vif-count  Configures or resets the number of VIFs on the VM
    <0-2>  Specify the VIF count from 0 - 2.
  vif-mac  Configures the MAC address of the selected virtual network interface
    <1-2>  Select the VIF
    <1-8>  Specify the MAC index for the selected VIF
    <MAC>  Specify the customized MAC address for the selected VIF in the AA-BB-CC-DD-EE-FF format.
    Each VM has a maximum of two network interfaces (indexed 1 and 2, referred to as VIFs). By default, each VIF is automatically assigned a MAC from the range allocated for that device; you can use the set keyword to specify the MAC from within the allocated range. Each VIF is mapped to a layer 2 port in the dataplane (referred to as a VMIF). These VMIFs are standard L2 ports on the DP bridge, supporting all VLAN and ACL commands. The WiNG software supports up to a maximum of 8 VMIFs. By default, a VM's interface is always mapped to VMIF1. You can map a VIF to any of the 8 VMIFs; use the vif-to-vmif command to map a VIF to a VMIF on the DP bridge.
  vif-to-vmif  Maps the virtual interface (1 or 2) to the selected VMIF interface. Specify the VMIF interface index from 1 - 8.
    WiNG provides a dataplane bridge for external network connectivity for VMs. VM interfaces define which IP address is associated with each VLAN ID the service platform is connected to, and enable remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of the twelve ports for NX9500 on the dataplane bridge. This mapping determines the destination for service platform routing. By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1, by default, is an untagged port providing access to VLAN 1, to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as configure specific firewall and QoS rules. Because an unmapped VIF lands on VMIF1, and therefore untagged on VLAN 1, map each VIF deliberately and apply the VLAN and ACL configuration the VM needs before starting it.
  vnc  Disables/enables the VNC port for an existing VM. When enabled, provides remote access to the VM's VGA console through the noVNC client. Leave VNC disabled unless console access is needed; an enabled VNC port is an additional remote entry point to the VM.
    disable  Disables the VNC port
    enable  Enables the VNC port
After configuring the VM settings, identify the VM to which the settings apply:
  <VM-NAME>  Applies these settings to the VM identified by the <VM-NAME> keyword. Specify the VM name.
  adsp  Applies these settings to the ADSP VM
  team-urc  Applies these settings to the VM TEAM-URC
  team-rls  Applies these settings to the VM TEAM-RLS
  team-vowlan  Applies these settings to the VM TEAM-VoWLAN

virtual-machine start [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine start  Starts the VM, based on the parameters passed. Select one of the following options:
  <VM-NAME>  Starts the VM identified by the <VM-NAME> keyword. Specify the VM name.
  adsp  Starts the ADSP VM
  team-urc  Starts the VM TEAM-URC
  team-rls  Starts the VM TEAM-RLS
  team-vowlan  Starts the VM TEAM-VoWLAN
The following keywords are common to all of the above parameters:
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.

virtual-machine stop [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine stop  Stops the VM, based on the parameters passed. Select one of the following options:
  <VM-NAME>  Stops the VM identified by the <VM-NAME> keyword. Specify the VM name.
  adsp  Stops the ADSP VM
  team-urc  Stops the VM TEAM-URC
  team-rls  Stops the VM TEAM-RLS
  team-vowlan  Stops the VM TEAM-VoWLAN
  hard  Forces the selected VM to shut down.
The following keywords are common to all of the above parameters:
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.

virtual-machine uninstall [<VM-NAME>|adsp|team-urc|team-rls|team-vowlan] {on <DEVICE-NAME>}

virtual-machine uninstall  Uninstalls the specified VM
  <VM-NAME>  Uninstalls the VM identified by the <VM-NAME> keyword. Specify the VM name.
  adsp  Uninstalls the ADSP VM
  team-urc  Uninstalls the VM TEAM-URC
  team-rls  Uninstalls the VM TEAM-RLS
  team-vowlan  Uninstalls the VM TEAM-VoWLAN
The following keywords are common to all of the above parameters:
  on <DEVICE-NAME>  Optional. Executes the command on a specified device or devices
    <DEVICE-NAME>  Specify the service platform name. In case of multiple devices, list the device names separated by commas.
Note: This command releases the VM's resources, such as memory, VCPUs, VNC port, and disk space, and removes the RF Domain reference from the system.

virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>

virtual-machine volume-group [add-drive|resize-drive] <BLOCK-DEVICE-LABEL>  Enables provisioning of logical volume groups on the VX9000 platform. Logical volume groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives. Volume groups can be provisioned only on a new VX9000 installation and cannot be added to an existing VX9000 installation.
Note: The logical volume group is supported only on a VX9000 running the WiNG 5.9.1 image.
  add-drive  Adds a new block device to the VM. Currently a maximum of 3 (three) block devices can be added. To add a new drive, first halt the VM. In the hypervisor, add a new storage disk to the VM and restart the VM. Once the VM comes up, use this command to add the new drive. To identify the new drive, execute the show > virtual-machine > volume-group > status command.
  resize-drive  Resizes a drive in the VM's volume group. To increase the size of a drive in the volume group, first halt the VM. In the hypervisor, increase the size of the existing secondary storage drive and restart the VM. Once the VM comes up, use this command to resize the drive. To identify the drive with the additional free space, execute the show > virtual-machine > volume-group > status command.
The following keyword is common to both of the above parameters:
  <BLOCK-DEVICE-LABEL>  Specify the block device label to be added or resized, depending on the action being performed.

virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>

virtual-machine volume-group replace-drive <BLOCK-DEVICE-LABEL> <NEW-BLOCK-DEVICE-LABEL>  Enables provisioning of logical volume groups on the VX9000 platform. Logical volume groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
  replace-drive  Replaces an existing block device with a new block device in a volume group. To replace a drive in the volume group, first halt the VM. In the hypervisor, add the new drive and restart the VM. Once the VM comes up, use this command to replace an existing drive with the new drive. To identify the new drive, execute the show > virtual-machine > volume-group > status command.
  <BLOCK-DEVICE-LABEL>  Specify the block device label to be replaced.
  <NEW-BLOCK-DEVICE-LABEL>  Specify the replacement block device label.

virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>

virtual-machine volume-group resize-volume-group <BLOCK-DEVICE-LABEL>  Enables provisioning of logical volume groups on the VX9000 platform. Logical volume groups are created on the primary storage device, allowing the database storage to be expanded to include additional storage drives.
  resize-volume-group  Adds drive space to an existing block device in the volume group
  <BLOCK-DEVICE-LABEL>  Specify the block device label to which additional drive space is to be provided.

Example
The following examples show the VM installation process:

Installation media: USB
<DEVICE>#virtual-machine install <VM-NAME> type iso disk-size 8 install-media usb1://vms/win7.iso autostart start memory 512 vcpus 3 vif-count 2 vnc enable

Installation media: pre-installed disk image
<DEVICE>#virtual-machine install <VM-NAME> type disk install-media flash:/vms/win7_disk.img autostart start memory 512 vcpus 3 vif-count 2 vnc enable on <DEVICE-NAME>
In the preceding example, the command is executed on the device identified by the <DEVICE-NAME> keyword. In this scenario, the disk-size is ignored if specified. The VM has the install media as its first boot device.

Installation media: VM archive
<DEVICE>#virtual-machine install type vm-archive install-media flash:/vms/<VM-NAME> vcpus 3
In the preceding example, the default configuration attached to the VM archive overrides any parameters specified.

Exporting an installed VM:
<DEVICE>#virtual-machine export <VM-NAME> <URL> on <DEVICE-NAME>
In the preceding example, the command copies the VM archive to the URL (the VM should be in the stop state).

nx9500-6C8809#virtual-machine install team-urc
Virtual Machine install team-urc command successfully sent.
nx9500-6C8809#

vx9000-DE6F97#virtual-machine volume-group add-drive sdb
vx9000-DE6F97#show virtual-machine volume-group status
-----------------------------------------
Logical Volume: lv1
-----------------------------------------
STATUS           : available
SIZE             : 81.89 GiB
VOLUME GROUP     : vg0
PHYSICAL VOLUMES :
  sda10 : 73.90 GiB
  sdc1  : 8.00 GiB
AVAILABLE DISKS  :
  sdb : size: 8590MB
-----------------------------------------
* indicates a drive that must be resized
-----------------------------------------
vx9000-DE6F97#
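The set options above have fixed ranges, and a VIF that is not explicitly mapped lands on VMIF1, untagged on VLAN 1. The following Python module is an added example, not part of this guide or of the WiNG software: it builds the virtual-machine set command lines for one VM from a range-checked specification, so a bad value is rejected before it reaches the controller, and it lists the settings a reviewer would question (VNC enabled, VIFs left on the default VMIF1). The VM name guest-vm, the device name nx9500-6C8809 and the MAC address are constructed for the example.

```python
"""Build and review 'virtual-machine set' command lines for one WiNG VM.

Added example, not part of the CLI reference or of WiNG. It encodes the
ranges documented above (memory 512-8192 MB, vcpus 1-4, vif-count 0-2,
VIF index 1-2, MAC index 1-8, VMIF index 1-8, MAC as AA-BB-CC-DD-EE-FF).
The VM name, device name and MAC address in the demo are constructed.
"""
import re

MAC_RE = re.compile(r"^[0-9A-F]{2}(?:-[0-9A-F]{2}){5}$")


def _check_range(name, value, lo, hi):
    """Reject anything outside the documented <lo-hi> range."""
    if not isinstance(value, int) or isinstance(value, bool) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer from {lo} to {hi}, got {value!r}")


def _format_mac(mac):
    """Accept a MAC index (1-8) or a custom MAC in AA-BB-CC-DD-EE-FF form."""
    if isinstance(mac, int):
        _check_range("mac index", mac, 1, 8)
        return str(mac)
    mac = str(mac).upper().replace(":", "-")
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC must be in AA-BB-CC-DD-EE-FF form, got {mac!r}")
    return mac


def vm_set_commands(vm, *, autostart=None, memory=None, vcpus=None,
                    vif_count=None, vif_mac=None, vif_to_vmif=None,
                    vnc=None, on=None):
    """Return the 'virtual-machine set ...' lines for the VM named vm.

    vif_mac maps VIF index -> MAC index or custom MAC; vif_to_vmif maps
    VIF index -> VMIF index. 'on <DEVICE-NAME>' is appended when on is given.
    """
    target = f" {vm}" + (f" on {on}" if on else "")
    cmds = []
    if autostart is not None:
        if autostart not in ("start", "ignore"):
            raise ValueError("autostart must be 'start' or 'ignore'")
        cmds.append(f"virtual-machine set autostart {autostart}{target}")
    if memory is not None:
        _check_range("memory", memory, 512, 8192)
        cmds.append(f"virtual-machine set memory {memory}{target}")
    if vcpus is not None:
        _check_range("vcpus", vcpus, 1, 4)
        cmds.append(f"virtual-machine set vcpus {vcpus}{target}")
    if vif_count is not None:
        _check_range("vif-count", vif_count, 0, 2)
        cmds.append(f"virtual-machine set vif-count {vif_count}{target}")
    for vif, mac in sorted((vif_mac or {}).items()):
        _check_range("vif index", vif, 1, 2)
        cmds.append(f"virtual-machine set vif-mac {vif} {_format_mac(mac)}{target}")
    for vif, vmif in sorted((vif_to_vmif or {}).items()):
        _check_range("vif index", vif, 1, 2)
        _check_range("vmif index", vmif, 1, 8)
        if vif_count is not None and vif > vif_count:
            raise ValueError(f"VIF {vif} does not exist with vif-count {vif_count}")
        cmds.append(f"virtual-machine set vif-to-vmif {vif} {vmif}{target}")
    if vnc is not None:
        cmds.append(f"virtual-machine set vnc {'enable' if vnc else 'disable'}{target}")
    return cmds


def review_vm_settings(vif_count=0, vif_to_vmif=None, vnc=False):
    """Return the warnings a reviewer would raise on these settings."""
    warnings = []
    mapped = vif_to_vmif or {}
    for vif in range(1, (vif_count or 0) + 1):
        if vif not in mapped:
            warnings.append(f"VIF {vif} is not mapped and will use VMIF1 "
                            "(untagged, VLAN 1); map it with vif-to-vmif")
    if vnc:
        warnings.append("VNC is enabled: the VM console is reachable over "
                        "the network; disable it once installation is done")
    return warnings


if __name__ == "__main__":
    spec = dict(autostart="start", memory=2048, vcpus=2, vif_count=2,
                vif_mac={1: "aa:bb:cc:dd:ee:01"}, vif_to_vmif={1: 3}, vnc=True)
    for line in vm_set_commands("guest-vm", on="nx9500-6C8809", **spec):
        print(line)
    for warning in review_vm_settings(2, spec["vif_to_vmif"], spec["vnc"]):
        print("WARNING:", warning)
```

The generator emits one command per setting in the order the Parameters table lists them, so the output can be pasted into the privileged exec prompt as-is; run the review first and clear its warnings before the VM is started.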
3.1.59 watch
Privileged Exec Mode Commands

Repeats a specified CLI command at periodic intervals

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
watch <1-3600> <LINE>

Parameters
watch <1-3600> <LINE>

watch <1-3600>  Repeats a CLI command at a specified interval. Select an interval from 1 - 3600 seconds. Pressing CTRL-Z halts execution of the command.
<LINE>  Specify the CLI command to repeat.

Example
rfs6000-81742D#watch 1 show clock
rfs6000-81742D#
3.1.60 exit
Privileged Exec Mode Commands

Ends the current CLI session and closes the session window. For more information, see exit.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
exit

Parameters
None

Example
rfs6000-81742D#exit

3.1.61 raid
Privileged Exec Mode Commands

Enables Redundant Array of Independent Disks (RAID) management.

RAID is a group of one or more independent, physical drives, referred to as an array or drive group. These physically independent drives are linked together and appear as a single storage unit or multiple virtual drives. Replacing a single, large drive system with an array improves performance (input and output processes are faster) and increases fault tolerance within the data storage system.

In an array, the drives can be organized in different ways, resulting in different RAID types. Each RAID type is identified by a number, which determines the RAID level. The common RAID levels are 0, 00, 1, 5, 6, 50 and 60.

The WiNG MegaRAID implementation supports RAID-1, which provides data mirroring, but does not support data parity. RAID-1 consists of a two-drive array, where the data is simultaneously written on both drives, ensuring total data redundancy. In case of a drive failure, the information on the other drive is used to rebuild the failed drive.

An array is said to be degraded when one of its drives has failed. A degraded array continues to function and can be rebooted using the one remaining functional drive. When a drive fails, the chassis sounds an alarm (if enabled), and the CLI prompt changes to RAID degraded. The failed drive is automatically replaced with a hot spare (provided a spare is installed). The spare is used to re-build the array.

Use this command to:
- Verify the current array status
- Start and monitor array consistency checks
- Retrieve the date and time of the last consistency check
- Shut down drives before physically removing them
- Install new drives
- Assign drives as hot spares
- Identify a degraded drive
- Deactivate an alarm (triggered when a drive is removed from the array)

Supported in the following platforms:
Service Platforms: NX7530, NX9500, NX9510

NOTE: RAID controller drive arrays are available within NX7530 and NX95XX series service platforms (NX9500 and NX9510 models) only. However, they can be administrated on behalf of a NX9500 profile by a different model service platform or controller.

The NX9500 service platform includes a single Intel MegaRAID controller, configured to provide a single virtual drive. This virtual drive is of the RAID-1 type, and has a maximum of two physical drives. In addition to these two drives, there are three hot spares, which are used in case of a primary drive failure.

Syntax
raid [check|install|locate|remove|silence|spare]
raid [check|silence]
raid [install|locate|remove|spare] drive <0-4>

Parameters
raid [check|silence]

check     Starts a consistency check on the RAID array. Use the show > raid command to view consistency check status. A consistency check verifies the data stored in the array. When regularly executed, it helps protect against data corruption, and ensures data redundancy. Consistency checks also warn of potential disk failures.
silence   Deactivates an alarm. When enabled, an audible alarm is triggered when a drive in the array fails. The silence command deactivates the alarm (sound).
          Note: To enable the RAID alarm, in the device configuration mode, use the raid > alarm > enable command. A NX9500 profile can also have the RAID alarm feature activated. For more information on enabling the RAID alarm, see raid.

raid [install|locate|remove|spare] drive <0-4>

install drive <0-4>   Installs a new drive, inserted in one of the available slots, in the array. Specify the drive number. Drives 0 and 1 are the array drives. Drives 2, 3, and 4 are the hot spare drives. You can include the new drive in a degraded array, or enable it as a hot spare. If the array is in a degraded state, the re-build process is triggered and the new drive is used to repair the degraded array.
locate drive <0-4>    Enables LEDs to blink on a specified drive. Specify the drive number. Blinking LEDs enable you to correctly locate a drive.
remove drive <0-4>    Removes (shuts down) a disk from the array, before it is physically removed from its slot. Specify the drive number containing the disk. Use this command also to remove a hot spare.
spare drive <0-4>     Converts an unused drive into a hot spare. Specify the drive number.

Example
nx9500-6C874D#raid install drive 0
Error: Input Error: Drive 0 is already member of array, can't be added
nx9500-6C874D#
4 GLOBAL CONFIGURATION COMMANDS

This chapter summarizes the global-configuration commands in the CLI command structure. The term global indicates characteristics or features affecting the system as a whole. Use the Global Configuration Mode to configure the system globally, or enter specific configuration modes to configure specific elements (such as interfaces or protocols). Use the configure terminal command (under PRIV EXEC) to enter the global configuration mode.

The following example describes the process of entering the global configuration mode from the PRIV EXEC mode:

<DEVICE>#configure terminal
<DEVICE>(config)#

NOTE: The system prompt changes to indicate you are now in the global configuration mode. The prompt consists of the device host name followed by (config) and a pound sign (#). Commands entered in the global configuration mode update the running configuration file as soon as they are entered. However, these changes are not saved in the startup configuration file until a commit write memory command is issued.

<DEVICE>(config)#?
Global configuration commands:
  aaa-policy                          Configure a authentication/accounting/authorization policy
  aaa-tacacs-policy                   Configure an authentication/accounting/authorization TACACS policy
  alias                               Alias
  ap621                               AP621 access point
  ap622                               AP622 access point
  ap650                               AP650 access point
  ap6511                              AP6511 access point
  ap6521                              AP6521 access point
  ap6522                              AP6522 access point
  ap6532                              AP6532 access point
  ap6562                              AP6562 access point
  ap71xx                              AP71XX access point
  ap7502                              AP7502 access point
  ap7522                              AP7522 access point
  ap7532                              AP7532 access point
  ap7562                              AP7562 access point
  ap7602                              AP7602 access point
  ap7612                              AP7612 access point
  ap7622                              AP7622 access point
  ap7632                              AP7632 access point
  ap7662                              AP7662 access point
  ap81xx                              AP81XX access point
  ap82xx                              AP82XX access point
  ap8432                              AP8432 access point
  ap8533                              AP8533 access point
  application                         Configure an application
  application-group                   Configure an application-group
  application-policy                  Configure an application policy
  association-acl-policy              Configure an association acl policy
  auto-provisioning-policy            Configure an auto-provisioning policy
  bgp                                 BGP Configuration
  bonjour-gw-discovery-policy         Bonjour Gateway discovery policy
  bonjour-gw-forwarding-policy        Bonjour Gateway forwarding policy
  bonjour-gw-query-forwarding-policy  Bonjour Gateway Query forwarding policy
  captive-portal                      Configure a captive portal
  clear                               Clear
  client-identity                     Client identity (DHCP Device Fingerprinting)
  client-identity-group               Client identity group (DHCP Fingerprint Database)
  clone                               Clone configuration object
  crypto-cmp-policy                   CMP policy
  customize                           Customize the output of summary cli commands
  database-client-policy              Configure database client policy
  database-policy                     Configure database policy
  device                              Configuration on multiple devices
  device-categorization               Configure a device categorization object
  dhcp-server-policy                  DHCP server policy
  dhcpv6-server-policy                DHCPv6 server related configuration
  dns-whitelist                       Configure a whitelist
  event-system-policy                 Configure a event system policy
  ex3500                              Ex3500 device
  ex3500-management-policy            Configure a ex3500 management policy
  ex3500-qos-class-map-policy         Configure a ex3500 qos class-map policy
  ex3500-qos-policy-map               Configure a ex3500 qos policy-map
  ex3524                              EX3524 wireless controller
  ex3548                              EX3548 wireless controller
  firewall-policy                     Configure firewall policy
  global-association-list             Configure a global association list
  guest-management                    Configure a guest management policy
  help                                Description of the interactive help system
  host                                Enter the configuration context of a device by specifying its hostname
  igmp-snoop-policy                   Create igmp snoop policy
  inline-password-encryption          Store encryption key in the startup configuration file
  ip                                  Internet Protocol (IP)
  ipv6                                Internet Protocol version 6 (IPv6)
  ipv6-router-advertisement-policy    IPv6 Router Advertisement related configuration
  l2tpv3                              L2tpv3 tunnel protocol
  mac                                 MAC configuration
  management-policy                   Configure a management policy
  meshpoint                           Create a new MESHPOINT or enter MESHPOINT configuration context for one or more MESHPOINTs
  meshpoint-qos-policy                Configure a meshpoint quality-of-service policy
  mint-policy                         Configure the global mint policy
  nac-list                            Configure a network access control list
  no
  nsight-policy                       Configure a Nsight policy
  nx45xx                              NX45XX integrated services platform
  nx5500                              NX5500 wireless controller
  nx65xx                              NX65XX integrated services platform
  nx75xx                              NX75XX wireless controller
  nx9000                              NX9000 wireless controller
  passpoint-policy                    Configure a passpoint policy
  password-encryption                 Encrypt passwords in configuration
  profile                             Profile related commands - if no parameters are given, all profiles are selected
  radio-qos-policy                    Configure a radio quality-of-service policy
  radius-group                        Configure radius user group parameters
  radius-server-policy                Create device onboard radius policy
  radius-user-pool-policy             Configure Radius User Pool
  rename                              Clone configuration object
  replace                             Replace configuration object
  rf-domain                           Create a RF Domain or enter rf-domain context for one or more rf-domains
  rfs4000                             RFS4000 wireless controller
  rfs6000                             RFS6000 wireless controller
  rfs7000                             RFS7000 wireless controller
  roaming-assist-policy               Configure a roaming-assist policy
  role-policy                         Role based firewall policy
  route-map                           Dynamic routing route map Configuration
  routing-policy                      Policy Based Routing Configuration
  rtl-server-policy                   Configure a rtl server policy
  schedule-policy                     Configure a schedule policy
  self                                Config context of the device currently logged into
  sensor-policy                       Configure a sensor policy
  smart-rf-policy                     Configure a Smart-RF policy
  t5                                  T5 DSL switch
  url-filter                          Configure a url filter
  url-list                            Configure a URL list
  vx9000                              VX9000 wireless controller
  web-filter-policy                   Configure a web filter policy
  wips-policy                         Configure a wips policy
  wlan                                Create a new WLAN or enter WLAN configuration context for one or more WLANs
  wlan-qos-policy                     Configure a wlan quality-of-service policy
  write                               Write running configuration to memory or terminal
  clrscr                              Clears the display screen
  commit                              Commit all changes made in this session
  do                                  Run commands from Exec mode
  end                                 End current mode and change to EXEC mode
  exit                                End current mode and down to previous mode
  revert                              Revert changes
  service                             Service Commands
  show                                Show running system information
<DEVICE>(config)#
4.1 Global Configuration Commands
GLOBAL CONFIGURATION COMMANDS

The following table summarizes Global Configuration mode commands:

Table 4.1 Global Config Commands

aaa-policy (page 4-9)
    Creates an AAA policy and enters its configuration mode. This policy enables administrators to define access control within the network.
aaa-tacacs-policy (page 4-20)
    Creates an AAA-TACACS policy and enters its configuration mode. This policy provides access control to network devices such as routers, network access servers, and other computing devices through centralized servers.
alias (page 4-11)
    Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed-string, etc.
ap6521 (page 4-22)
    Adds an AP6521 to the network
ap6522 (page 4-23)
    Adds an AP6522 to the network
ap6532 (page 4-24)
    Adds an AP6532 to the network
ap6562 (page 4-25)
    Adds an AP6562 to the network
ap71xx (page 4-26)
    Adds an AP7161 to the network
ap7502 (page 4-27)
    Adds an AP7502 to the network
ap7522 (page 4-28)
    Adds an AP7522 to the network
ap7532 (page 4-29)
    Adds an AP7532 to the network
ap7562 (page 4-30)
    Adds an AP7562 to the network
ap7602 (page 4-31)
    Adds an AP7602 to the network
ap7612 (page 4-32)
    Adds an AP7612 to the network
ap7622 (page 4-33)
    Adds an AP7622 to the network
ap7632 (page 4-34)
    Adds an AP7632 to the network
ap7662 (page 4-35)
    Adds an AP7662 to the network
ap81xx (page 4-36)
    Adds an AP81XX to the network
ap82xx (page 4-37)
    Adds an AP82XX to the network
ap8432 (page 4-38)
    Adds an AP8432 to the network
ap8533 (page 4-39)
    Adds an AP8533 to the network
application (page 4-40)
    Creates an application definition and enters its configuration mode. This command allows you to create a customized application detection definition.
application-group (page 4-48)
    Creates an application group and enters its configuration mode
application-policy (page 4-55)
    Creates an application policy and enters its configuration mode. This policy defines the actions executed on recognized HTTP (e.g. Facebook), enterprise (e.g. Webex) and peer-to-peer (e.g. gaming) applications or application-categories.
association-acl-policy (page 4-78)
    Creates an association ACL policy and enters its configuration mode. This policy restricts access by specifying a client MAC address or range of addresses to either include or exclude from WLAN connectivity.
auto-provisioning-policy (page 4-79)
    Creates an auto provisioning policy and enters its configuration mode. This policy defines the process by which an access point discovers controllers and associates with one.
bgp (page 4-81)
    Configures Border Gateway Protocol (BGP) settings
bonjour-gw-discovery-policy (page 4-84)
    Creates a Bonjour GW Discovery policy and enters its configuration mode. This policy configures the VLANs on which Bonjour services are located.
bonjour-gw-forwarding-policy (page 4-90)
    Configures a Bonjour GW Forwarding policy and enters its configuration mode. This policy enables the discovery of services on VLANs not visible to the device running the Bonjour Gateway.
bonjour-gw-query-forwarding-policy (page 4-92)
    Creates a Bonjour GW Query Forwarding policy and enters its configuration mode. This policy enables Bonjour query forwarding across multiple VLANs.
captive-portal (page 4-93)
    Creates a captive portal and enters its configuration mode
clear (page 4-146)
    Clears the event history
client-identity (page 4-147)
    Creates a client identity definition and enters its configuration mode. This feature enables client identification through DHCP device fingerprinting.
client-identity-group (page 4-156)
    Creates a new client identity group and enters its configuration mode
clone (page 4-164)
    Clones a specified configuration object
crypto-cmp-policy (page 4-165)
    Creates a crypto Certificate Management Protocol (CMP) policy and enters its configuration mode. CMP is an Internet protocol designed to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network.
customize (page 4-166)
    Customizes the CLI command summary output
database-client-policy (page 4-177)
    Creates a database client policy and enters its configuration mode. The database client policy configures the IP address or hostname of the VX9000 hosting the captive-portal/NSight database. Use this option when deploying a split NSight/EGuest deployment.
database-policy (page 4-184)
    Creates a database policy and enters its configuration mode. This policy enables the database, and also configures the database replica set.
device (page 4-192)
    Specifies configuration on multiple devices
device-categorization (page 4-194)
    Creates a device categorization list and enters its configuration mode. The list categorizes devices as sanctioned or neighboring. Categorization of devices enables quick identification and blocking of unsanctioned devices in the network.
dhcp-server-policy (page 4-200)
    Creates a DHCP server policy and enters its configuration mode. This policy allows hosts on an IP network to request and be assigned IP addresses and discover information about the network.
dhcpv6-server-policy (page 4-201)
    Creates a DHCPv6 server policy and enters its configuration mode. This policy configures hosts with IPv6 addresses, IP prefixes and other configuration attributes required on an IPv6 network.
dns-whitelist (page 4-203)
    Creates a DNS whitelist and enters its configuration mode. A DNS whitelist is used with a captive portal to provide access services to requesting wireless clients.
event-system-policy (page 4-209)
    Creates an Event system policy and enters its configuration mode. This policy enables administrators to create notification mechanisms using one, some, or all of the SNMP, syslog, controller forwarding, or email notification options available to the controller or service platform.
ex3500 (page 4-227)
    Creates an EX3500 time range list and enters its configuration mode
ex3500-management-policy (page 4-233)
    Creates an EX3500 management policy and enters its configuration mode. This policy controls access to the EX3500 switch from management stations using SNMP.
ex3500-qos-class-map-policy (page 4-254)
    Creates an EX3500 QoS class map policy and enters its configuration mode. The QoS policy map assigns priority to mission critical EX3500 switch data traffic, prevents EX3500 switch bandwidth congestion, and prevents packet drops.
ex3500-qos-policy-map (page 4-262)
    Creates an EX3500 QoS policy map and enters its configuration mode. This policy defines rules that filter traffic exchanged between the EX3500 switch and its connected devices.
ex3524 (page 4-277)
    Adds an EX3524 switch to the network
ex3548 (page 4-279)
    Adds an EX3548 switch to the network
firewall-policy (page 4-280)
    Creates a firewall policy and enters its configuration mode. This policy configures safeguards against denial of service (DoS) attacks and packet storms. It also configures firewall parameters, such as logging, application layer gateway, TCP protocol checks, state flow checks, etc.
global-association-list (page 4-282)
    Creates a global list of client MAC addresses
guest-management (page 4-286)
    Creates a guest management policy and enters its configuration mode. This policy redirects guest users to a registration portal, upon association to a captive portal Service Set Identifier (SSID).
host (page 4-297)
    Sets the system's network name
inline-password-encryption (page 4-298)
    Stores the encryption key in the startup configuration file
ip (page 4-299)
    Creates an IP access control list (ACL) and/or a Simple Network Management Protocol (SNMP) ACL, and enters its configuration mode
ipv6 (page 4-301)
    Creates an IPv6 ACL and enters its configuration mode
ipv6-router-advertisement-policy (page 4-302)
    Creates an IPv6 router advertisement (RA) policy and enters its configuration mode
l2tpv3 (page 4-320)
    Creates a Layer 2 Tunneling Protocol Version 3 (L2TPV3) tunnel policy and enters its configuration mode. This policy defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes.
mac (page 4-322)
    Configures MAC access lists (goes to the MAC ACL mode)
management-policy (page 4-323)
    Creates a management policy and enters its configuration context. This policy configures services that run on a device, such as welcome messages, banners, etc.
meshpoint (page 4-325)
    Creates a meshpoint and enters its configuration mode
meshpoint-qos-policy (page 4-327)
    Creates a meshpoint quality of service (QoS) policy and enters its configuration mode
mint-policy (page 4-328)
    Creates a MiNT security policy and enters its configuration mode
nac-list (page 4-329)
    Creates a network ACL and enters its configuration mode
no (page 4-335)
    Negates a command or sets its default
nsight-policy (page 4-339)
    Creates an NSight policy and enters its configuration mode
passpoint-policy (page 4-350)
    Creates a new passpoint policy and enters its configuration mode
password-encryption (page 4-352)
    Enables password encryption
profile (page 4-353)
    Creates a device profile and enters its configuration mode
radio-qos-policy (page 4-357)
    Creates a radio qos policy and enters its configuration mode
radius-group (page 4-358)
    Creates a RADIUS group and enters its configuration mode
radius-server-policy (page 4-359)
    Creates a RADIUS server policy and enters its configuration mode
radius-user-pool-policy (page 4-361)
    Creates a RADIUS user pool policy and enters its configuration mode
rename (page 4-362)
    Renames an existing top-level object (TLO)
replace (page 4-364)
    Selects an existing device by its MAC address or hostname and replaces it with a new device having a different MAC address
rf-domain (page 4-366)
    Creates an RF Domain and enters its configuration mode
rfs4000 (page 4-404)
    Adds an RFS4000 to the network
rfs6000 (page 4-403)
    Adds an RFS6000 to the network
nx5500 (page 4-405)
    Adds an NX5500 to the network
nx75xx (page 4-406)
    Adds an NX75XX to the network
nx9000 (page 4-407)
    Adds an NX9500 or NX9510 to the network
roaming-assist-policy (page 4-408)
    Configures a roaming assist policy and enters its configuration mode. This policy enables access points to assist wireless clients in making roaming decisions, such as which access point to connect to, etc.
role-policy (page 4-410)
    Creates a role policy and enters its configuration mode
route-map (page 4-411)
    Creates a dynamic BGP route map and enters its configuration mode
routing-policy (page 4-412)
    Creates a routing policy and enters its configuration mode
rtl-server-policy (page 4-413)
    Creates an RTL server policy and enters its configuration mode. The RTL server policy provides the exact location (URL) at which the Euclid server can be reached.
schedule-policy (page 4-419)
    Creates a schedule policy and enters its configuration mode
self (page 4-426)
    Displays a logged device's configuration context
sensor-policy (page 4-427)
    Creates a sensor policy and enters its configuration mode
smart-rf-policy (page 4-436)
    Creates a Smart RF policy and enters its configuration mode
t5 (page 4-438)
    Configures a t5 wireless controller. This command is applicable only on the RFS4000, RFS6000, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, and VX9000 platforms.
web-filter-policy (page 4-440)
    Creates a Web Filtering policy and enters its configuration mode
wips-policy (page 4-451)
    Creates a WIPS policy and enters its configuration mode
wlan (page 4-452)
    Creates a Wireless Local Area Network (WLAN) and enters its configuration mode
wlan-qos-policy (page 4-549)
    Creates a WLAN QoS policy and enters its configuration mode
url-filter (page 4-551)
    Creates a URL filter and enters its configuration mode. URL filtering is a licensed feature.
url-list (page 4-565)
    Creates a URL list and enters its configuration mode.
vx9000 (page 4-571)
    Configures a Virtual WLAN Controller (V-WLC) in a virtual machine (VM) environment

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character.

4.1.1 aaa-policy
Global Configuration Commands

Configures an Authentication, Accounting, and Authorization (AAA) policy. Network administrators can use an AAA policy to define access control within the network. A controller, service platform, or access point can interoperate with external RADIUS and LDAP servers (AAA Servers) to provide an additional user database and authentication resource. Each WLAN can maintain its own unique AAA configuration. Up to six servers can be configured for providing AAA services.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
aaa-policy <AAA-POLICY-NAME>

Parameters
aaa-policy <AAA-POLICY-NAME>

<AAA-POLICY-NAME>   Specify the AAA policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#aaa-policy test
rfs6000-81742D(config-aaa-policy-test)#?
AAA Policy Mode commands:
  accounting           Configure accounting parameters
  attribute            Configure RADIUS attributes in access and accounting requests
  authentication       Configure authentication parameters
  health-check         Configure server health-check parameters
  mac-address-format   Configure the format in which the MAC address must be filled in the Radius-Request frames
  no                   Negate a command or set its defaults
  proxy-attribute      Configure radius attribute behavior when proxying through controller or rf-domain-manager
  server-pooling-mode  Configure the method of selecting a server from the pool of configured AAA servers
  use                  Set setting to use
  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
rfs6000-81742D(config-aaa-policy-test)#

Related Commands
no   Removes an existing AAA policy

NOTE: For more information on the AAA policy commands, see Chapter 8, AAA-POLICY.

4.1.2 alias
Global Configuration Commands

Configures the following types of aliases: network, VLAN, host, string, network-service, etc. Aliases are objects having a unique name and content that is determined by the alias type (network, VLAN, and network-service).

A typical large enterprise network consists of multiple sites (RF Domains) having similar configuration parameters with few elements that vary, such as networks or network ranges, hosts having different IP addresses, and VLAN IDs or URLs. These elements can be defined as aliases (object oriented wireless firewalls) and used across sites by applying overrides to the object definition. Using aliases results in a configuration that is easier to understand and maintain.

Multiple instances of an alias (same type and same name) can be defined at any of the following levels: global, RF Domain, profile, or device. An alias defined globally functions as a top-level-object (TLO). An alias defined on a device is applicable to that device only. An alias defined on a profile applies to every device using the profile. Similarly, aliases defined at the RF Domain level apply to all devices within that domain. Aliases defined at any given level can be overridden at any of the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

The different alias types supported are:
address-range alias
    Maps a user-friendly name to a range of IP addresses. An address-range alias can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location's network range is 172.16.13.20 through 172.16.13.110, the remote location's ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.

host alias
    Maps a user-friendly name to a specific host (identified by its IP address, for example 192.168.10.23). A host alias can be utilized at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location's local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.

network alias
    Maps a user-friendly name to a network. A network alias can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location's network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit their local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.

network-group alias
    Maps a user-friendly name to a single or a range of addresses of devices, hosts, and network configurations. Network configurations are complete networks in the form 192.168.10.0/24 or IP address ranges in the form 192.168.10.10-192.168.10.20. A network-group alias can contain a maximum of eight (8) host entries, eight (8) network entries, and eight (8) IP address-range entries. A maximum of 32 network-group alias entries can be created. A network-group alias can be used in IP firewall rules to substitute hosts, subnets, and IP address ranges.

network-service alias
    Maps a user-friendly name to service protocols and ports. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network-service alias. When used with an ACL, the network-service alias defines the service-specific components of the ACL rule. Overrides can be applied to the service alias, at the device level, without modifying the ACL. Application of overrides to the service alias allows an ACL to be used across sites. Use a network-service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node.

number alias
    Maps a user-friendly name to a number.

vlan alias
    Maps a user-friendly name to a VLAN ID. A VLAN alias can be used at different deployments. For example, if a named VLAN is defined as 10 for the central network, and the VLAN is set at 26 at a remote location, the VLAN can be overridden at the deployment location with an alias. At the remote deployment location, the network is functional with a VLAN ID of 26, but utilizes the name defined at the centrally managed network. A new VLAN need not be created specifically for the remote deployment.

string alias
    Maps a user-friendly name to a specific string (for example, an RF Domain name). A string alias can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.

encrypted-string alias
    Maps a user-friendly name to a string value. The string value of this alias is encrypted when "password-encryption" is enabled. Encrypted-string aliases can be used for string configuration parameters that are encrypted by the "password-encryption" feature.

hashed-string alias
    Maps a user-friendly name to a hashed-string value. Hashed-string aliases can be used for string configuration parameters that are hashed, such as passwords.

Supported in the following platforms:
Access Points
    AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]

    alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
    alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
    alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
    alias host <HOST-ALIAS-NAME> <HOST-IP>
    alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
    alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
    alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
    alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
    alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
    alias number <NUMBER-ALIAS-NAME> <0-4294967295>
    alias string <STRING-ALIAS-NAME> <LINE>
    alias vlan <VLAN-ALIAS-NAME> <1-4094>
Parameters

alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

    address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
        Creates an address-range alias, defining a range of IP addresses.
        <ADDRESS-RANGE-ALIAS-NAME>  Specify the address-range alias name. The alias name should begin with $.
        <STARTING-IP> to <ENDING-IP>  Associates a range of IP addresses with this address-range alias.
            <STARTING-IP>  Specify the first IP address in the range.
            to <ENDING-IP>  Specify the last IP address in the range.

alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

    encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
        Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.
        <ENCRYPTED-STRING-ALIAS-NAME>  Specify the encrypted-string alias name. The alias name should begin with $.
        [0|2] <LINE>  Configures the value associated with the alias name specified in the previous step. Note: if password-encryption is enabled, in the show > running-config output this clear text is displayed as an encrypted string, as shown below:

            nx9500-6C8809(config)#show running-config
            !...............................
            alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
            !
            --More--
            nx9500-6C8809

        In the above show > running-config output, the 2 displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not clear text. However, if password-encryption is disabled, the clear text is displayed as is:

            nx9500-6C8809(config)#show running-config
            !...............................
            !
            alias encrypted-string $enString 0 test11223344
            !
            --More--
            nx9500-6C8809

        For more information on enabling password-encryption, see password-encryption.

alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

    hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
        Creates an alias for a hashed string. Use this alias for configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see .
        <HASHED-STRING-ALIAS-NAME>  Specify the hashed-string alias name. The alias name should begin with $.
        <LINE>  Configures the hashed-string value associated with this alias.

            nx9500-6C8809(config)#show running-config
            !
            alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
            !
            alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
            --More--
            nx9500-6C8809

        In the above show > running-config output, the 1 displayed before the hashed-string alias value indicates that the displayed text is hashed and not clear text.
alias host <HOST-ALIAS-NAME> <HOST-IP>

    host <HOST-ALIAS-NAME> <HOST-IP>
        Creates a host alias, defining a single network host.
        <HOST-ALIAS-NAME>  Specify the host alias name. The alias name should begin with $. Associates the network host's IP address with this host alias. For example, alias host $HOST 1.1.1.100. In this example, the host alias name is $HOST and the host IP address it is mapped to is 1.1.1.100.
        <HOST-IP>  Specify the network host's IP address.

alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

    network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
        Creates a network alias, defining a single network address.
        <NETWORK-ALIAS-NAME>  Specify the network alias name. The alias name should begin with $. Associates a single network with this network alias. For example, alias network $NET 1.1.1.0/24. In this example, the network alias name is $NET and the network it is mapped to is 1.1.1.0/24.
        <NETWORK-ADDRESS/MASK>  Specify the network's address and mask.
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]

    network-group <NETWORK-GROUP-ALIAS-NAME>
        Creates a network-group alias.
        <NETWORK-GROUP-ALIAS-NAME>  Specify the network-group alias name. The alias name should begin with $. Network-group aliases are used in ACLs to define the network-specific components. ACLs using aliases can be used across sites by re-defining the network-group alias elements at the device or profile level. After specifying the name, specify one of the following: a range of IP addresses, host addresses, or a range of network addresses.
    address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}
        Associates a range of IP addresses with this network-group alias.
        <STARTING-IP>  Specify the first IP address in the range.
        to <ENDING-IP>  Specify the last IP address in the range.
        {<STARTING-IP> to <ENDING-IP>}  Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.
    host <HOST-IP> {<HOST-IP>}
        Associates a single host or multiple hosts with this network-group alias.
        <HOST-IP>  Specify the host's IP address.
        {<HOST-IP>}  Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.
    network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}
        Associates a single network or multiple networks with this network-group alias.
        <NETWORK-ADDRESS/MASK>  Specify the network's address and mask.
        {<NETWORK-ADDRESS/MASK>}  Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.

alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}

    alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp]
        Configures an alias that specifies available network services and the corresponding source and destination software ports.
        <NETWORK-SERVICE-ALIAS-NAME>  Specify a network-service alias name. The alias name should begin with $. Network-service aliases are used in ACLs to define the service-specific components. ACLs using aliases can be used across sites by re-defining the network-service alias elements at the device or profile level.
        Use one of the following options to associate an Internet protocol with this network-service alias:
        <0-254>  Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of the IPv6 header. For example, the User Datagram Protocol's (UDP) designated number is 17.
        <WORD>  Identifies the protocol by its name. Specify the protocol name.
        eigrp  Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number is 88.
        gre  Selects Generic Routing Encapsulation (GRE). The protocol number is 47.
        igmp  Selects Internet Group Management Protocol (IGMP). The protocol number is 2.
        igp  Selects Interior Gateway Protocol (IGP). The protocol number is 9.
        ospf  Selects Open Shortest Path First (OSPF). The protocol number is 89.
        vrrp  Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112.
    {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
        After specifying the protocol, you may configure a destination port for this service. These keywords are recursive: you can configure multiple protocols and associate multiple destination and source ports.
        <1-65535>  Optional. Configures a destination port number from 1 - 65535.
        <WORD>  Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22.
        bgp  Optional. Configures the default Border Gateway Protocol (BGP) services port (179).
        dns  Optional. Configures the default Domain Name System (DNS) services port (53).
        ftp  Optional. Configures the default File Transfer Protocol (FTP) control services port (21).
        ftp-data  Optional. Configures the default FTP data services port (20).
        gopher  Optional. Configures the default gopher services port (70).
        https  Optional. Configures the default HTTPS services port (443).
        ldap  Optional. Configures the default Lightweight Directory Access Protocol (LDAP) services port (389).
        nntp  Optional. Configures the default Newsgroup (NNTP) services port (119).
        ntp  Optional. Configures the default Network Time Protocol (NTP) services port (123).
        pop3  Optional. Configures the default Post Office Protocol (POP3) services port (110).
        proto  Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step.
        sip  Optional. Configures the default Session Initiation Protocol (SIP) services port (5060).
        smtp  Optional. Configures the default Simple Mail Transfer Protocol (SMTP) services port (25).
        sourceport [<1-65535>|<WORD>]  Optional. After specifying the destination port, you may specify a single source port or a range of source ports.
            <1-65535>  Specify the source port from 1 - 65535.
            <WORD>  Specify the source port range, for example 1-10.
        ssh  Optional. Configures the default SSH services port (22).
        telnet  Optional. Configures the default Telnet services port (23).
        tftp  Optional. Configures the default Trivial File Transfer Protocol (TFTP) services port (69).

alias number <NUMBER-ALIAS-NAME> <0-4294967295>
    alias number <NUMBER-ALIAS-NAME> <0-4294967295>
        Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, alias number $NUMBER 100. The number alias name is $NUMBER, the value assigned is 100, and the value referenced by alias $NUMBER, wherever used, is 100.
        <NUMBER-ALIAS-NAME>  Specify the number alias name. The alias name should begin with $.
        <0-4294967295>  Specify the number, from 0 - 4294967295, assigned to the number alias created.

alias string <STRING-ALIAS-NAME> <LINE>

    alias string <STRING-ALIAS-NAME> <LINE>
        Creates a string alias identified by the <STRING-ALIAS-NAME> keyword.
        <STRING-ALIAS-NAME>  Specify the string alias name. The alias name should begin with $.
        <LINE>  Specify the string value associated with the specified <STRING-ALIAS-NAME> keyword. String aliases map a name to an arbitrary string value. For example, alias string $DOMAIN test.example_company.com. The string alias name is $DOMAIN, the value assigned is test.example_company.com (a domain name), and the value referenced by alias $DOMAIN, wherever used, is test.example_company.com. You can also use a string alias to configure the Bonjour Service instance name. Once configured, use the string alias in the Bonjour Gateway Discovery Policy context to specify the Bonjour service instance name to be used as the match criteria. For more information, see allow-service.

alias vlan <VLAN-ALIAS-NAME> <1-4094>

    alias vlan <VLAN-ALIAS-NAME> <1-4094>
        Creates a VLAN alias identified by the <VLAN-ALIAS-NAME> keyword.
        <VLAN-ALIAS-NAME>  Specify the VLAN alias name. The alias name should begin with $.
        <1-4094>  Maps the VLAN alias to a VLAN ID. Specify the VLAN ID from 1 - 4094.

Example

    rfs4000-229D58(config)#alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
    rfs4000-229D58(config)#alias network $NetworkAlias 192.168.13.0/24
    rfs4000-229D58(config)#alias host $HostAlias 192.168.13.100
    rfs4000-229D58(config)#alias vlan $VlanAlias 1
    rfs4000-229D58(config)#alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
    rfs4000-229D58(config)#alias network-service $NetServAlias proto igmp
    rfs4000-229D58(config)#show running-config | include alias
    alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 to 192.168.13.25
    alias network $NetworkAlias 192.168.13.0/24
    alias host $HostAlias 192.168.13.10
    alias address-range $AddRangeAlias 192.168.13.2 to 192.168.13.10
    alias network-service $NetServAlias proto igmp
    alias vlan $VlanAlias 1
    rfs4000-229D58(config)#
    nx9500-6C8809(config)#alias number $NUMBER 100
    nx9500-6C8809(config)#show context include-factory | include alias
    alias string $DOMAIN test.examplecompany.com
    alias string $DOMAIN2 test.example_company.com
    alias number $NUMBER 100
    alias string $SN B4C7996C8809
    nx9500-6C8809(config)#
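The network-group limits stated above (8 hosts, 8 networks, 8 address ranges per alias, 32 aliases) and the device-level override that lets one ACL serve several sites, worked through as an added Python example that is not part of the CLI reference. The first `$NetGrAlias` line is the one printed in the `show running-config | include alias` output above; the remaining config lines, the `$Servers` alias and the site override are constructed.

```python
"""Parse `alias network-group ...` lines as printed by
`show running-config | include alias`, enforce the limits the guide
states, and resolve which addresses an ACL that references the alias
actually covers at a given site. Added example, not the product's code."""
import ipaddress
from dataclasses import dataclass, field

MAX_ENTRIES_PER_KIND = 8   # hosts, networks and address ranges, each (per the guide)
MAX_NETWORK_GROUPS = 32    # network-group aliases per configuration (per the guide)


@dataclass
class NetworkGroup:
    name: str
    hosts: list = field(default_factory=list)     # IPv4Address
    networks: list = field(default_factory=list)  # IPv4Network
    ranges: list = field(default_factory=list)    # (low, high) IPv4Address pairs

    def contains(self, ip):
        """True if `ip` would match a firewall rule that uses this alias."""
        addr = ipaddress.ip_address(ip)
        return (addr in self.hosts
                or any(addr in net for net in self.networks)
                or any(lo <= addr <= hi for lo, hi in self.ranges))


def _add_entries(group, kind, values):
    """Append one command's entries to `group` and re-check the per-kind cap."""
    if kind == "host":
        group.hosts += [ipaddress.ip_address(v) for v in values]
    elif kind == "network":
        group.networks += [ipaddress.ip_network(v, strict=False) for v in values]
    elif kind == "address-range":
        # values arrive as repeated triples: START to END
        if len(values) % 3 or any(values[i] != "to" for i in range(1, len(values), 3)):
            raise ValueError(f"{group.name}: malformed address-range")
        for i in range(0, len(values), 3):
            lo, hi = ipaddress.ip_address(values[i]), ipaddress.ip_address(values[i + 2])
            if lo > hi:
                raise ValueError(f"{group.name}: range {lo}-{hi} is reversed")
            group.ranges.append((lo, hi))
    else:
        raise ValueError(f"{group.name}: unknown entry kind {kind!r}")
    for label, entries in (("host", group.hosts), ("network", group.networks),
                           ("address-range", group.ranges)):
        if len(entries) > MAX_ENTRIES_PER_KIND:
            raise ValueError(f"{group.name}: more than {MAX_ENTRIES_PER_KIND} {label} entries")


def load_network_groups(config_text):
    """Return {alias name: NetworkGroup} for every network-group line.
    Other alias kinds are ignored; several lines may extend the same
    alias, which is how one alias holds both hosts and networks."""
    groups = {}
    for raw in config_text.splitlines():
        tokens = raw.split()
        if tokens[:2] != ["alias", "network-group"]:
            continue
        if len(tokens) < 5:
            raise ValueError(f"incomplete line: {raw.strip()}")
        name, kind, values = tokens[2], tokens[3], tokens[4:]
        if not name.startswith("$"):
            raise ValueError(f"alias name must begin with $: {name}")
        group = groups.setdefault(name, NetworkGroup(name))
        _add_entries(group, kind, values)
        if len(groups) > MAX_NETWORK_GROUPS:
            raise ValueError(f"more than {MAX_NETWORK_GROUPS} network-group aliases")
    return groups


def effective_group(central, site_overrides, name):
    """The alias an ACL on the site's device actually sees: the
    device/profile-level override if one exists, else the central one."""
    if name in site_overrides:
        return site_overrides[name]
    return central[name]


# Constructed sample: the first line is the one the guide prints for
# $NetGrAlias; the rest are made up for this example.
CENTRAL_CONFIG = """\
alias network-group $NetGrAlias address-range 192.168.13.7 to 192.168.13.9 192.168.13.20 to 192.168.13.25
alias network-group $NetGrAlias host 192.168.13.100
alias network-group $Servers network 10.10.0.0/24 10.10.1.0/24
alias vlan $VlanAlias 1
"""
# Constructed override for a remote site, as it would be set at device or profile level
SITE_CONFIG = "alias network-group $NetGrAlias address-range 172.16.5.10 to 172.16.5.20\n"

if __name__ == "__main__":
    central = load_network_groups(CENTRAL_CONFIG)
    site = load_network_groups(SITE_CONFIG)
    for ip in ("192.168.13.8", "172.16.5.15"):
        print(ip, "central:", central["$NetGrAlias"].contains(ip),
              "site:", effective_group(central, site, "$NetGrAlias").contains(ip))
```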
The following examples show encrypted-string alias configuration:

    nx9500-6C8809(config)#alias encrypted-string $WRITE 0 private
    nx9500-6C8809(config)#alias encrypted-string $READ 0 public
    nx9500-6C8809(config)#show context | include alias
    alias vlan $BLR-01 1
    alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
    alias encrypted-string $READ 0 public
    alias encrypted-string $WRITE 0 private
    nx9500-6C8809(config)#

The following example shows the encrypted-string aliases, configured in the previous example, used in the management-policy:

    nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $WRITE rw
    nx9500-6C8809(config-management-policy-default)#snmp-server community 0 $READ ro
    nx9500-6C8809(config-management-policy-default)#show context
    management-policy default
     no telnet
     no http server
     https server
     rest-server
     ssh
     user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
     snmp-server community 0 $WRITE rw
     snmp-server community 0 $READ ro
     snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
     snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
     t5 snmp-server community public ro 192.168.0.1
     t5 snmp-server community private rw 192.168.0.1
    nx9500-6C8809(config-management-policy-default)#

The following example shows hashed-string alias configuration:

    nx9500-6C8809(config)#alias hashed-string $PriMode Test12345
    nx9500-6C8809(config)#show context | include alias
    alias vlan $BLR-01 1
    alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
    alias encrypted-string $READ 0 public
    alias encrypted-string $WRITE 0 private
    alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
    nx9500-6C8809(config)#

The following example shows the hashed-string alias, configured in the previous example, used in the management-policy:

    nx9500-6C8809(config-management-policy-default)#show context
    management-policy default
     https server
     rest-server
     ssh
     user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
     snmp-server community 0 $WRITE rw
     snmp-server community 0 $READ ro
     snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
     snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
     t5 snmp-server community public ro 192.168.0.1
     t5 snmp-server community private rw 192.168.0.1
     privilege-mode-password $PriMode
    nx9500-6C8809(config-management-policy-default)#
Related Commands

    no    Removes an existing network, VLAN, service, string, etc. alias

4.1.3 aaa-tacacs-policy

Configures an AAA Terminal Access Controller Access-Control System+ (TACACS) policy. TACACS+ is a protocol created by Cisco Systems which provides access control to network devices such as routers, network access servers and other networked computing devices through one or more centralized servers. TACACS provides separate authentication, authorization, and accounting services running on different servers. TACACS controls user access to devices and network resources while providing separate accounting, authentication, and authorization services. Some of the services provided by TACACS are:
    Authorizing each command with the TACACS+ server before execution.
    Accounting each session's logon and log off events.
    Authenticating each user with the TACACS+ server before enabling access to network resources.

Supported in the following platforms:
Access Points
    AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>

Parameters

    aaa-tacacs-policy <AAA-TACACS-POLICY-NAME>
        <AAA-TACACS-POLICY-NAME>  Specify the AAA-TACACS policy name. If the policy does not exist, it is created.

Example

    rfs6000-81742D(config)#aaa-tacacs-policy testpolicy
    rfs6000-81742D(config-aaa-tacacs-policy-testpolicy)#?
    AAA TACACS Policy Mode commands:
      accounting      Configure accounting parameters
      authentication  Configure authentication parameters
      authorization   Configure authorization parameters
      no              Negate a command or set its defaults

      clrscr          Clears the display screen
      commit          Commit all changes made in this session
      do              Run commands from Exec mode
      end             End current mode and change to EXEC mode
      exit            End current mode and down to previous mode
      help            Description of the interactive help system
      revert          Revert changes
      service         Service Commands
      show            Show running system information
      write           Write running configuration to memory or terminal

    rfs6000-81742D(config-aaa-tacacs-policy-testpolicy)#

Related Commands

    no    Removes an existing AAA TACACS policy

NOTE: For more information on the AAA-TACACS policy commands, see Chapter 25, AAA-TACACS-POLICY.

4.1.4 ap6521

Adds an AP6521 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP6521
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap6521 <MAC>

Parameters

    ap6521 <MAC>
        <MAC>  Specify the AP6521's MAC address.

Example

    nx9500-6C8809(config)#ap6521 FC-0A-81-42-93-6C
    nx9500-6C8809(config-device-FC-0A-81-42-93-6C)#show context
    ap6521 FC-0A-81-42-93-6C
     use profile default-ap6521
     use rf-domain default
     hostname ap6521-42936C
    nx9500-6C8809(config-device-FC-0A-81-42-93-6C)#

    nx9500-6C8809(config)#show wireless ap configured
    -----------------------------------------------------------------------------------
    IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
    -----------------------------------------------------------------------------------
    1    ap6521-42936C  FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
    -----------------------------------------------------------------------------------
    nx9500-6C8809(config)#

Related Commands

    no    Removes an AP6521 from the network

4.1.5 ap6522

Adds an AP6522 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP6522
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap6522 <MAC>

Parameters

    ap6522 <MAC>
        <MAC>  Specify the AP6522's MAC address.

Example

    nx9500-6C8809(config)#ap6522 B4-C7-99-58-72-58
    nx9500-6C8809(config-device-B4-C7-99-58-72-58)#show context
    ap6522 B4-C7-99-58-72-58
     use profile default-ap6522
     use rf-domain default
     hostname ap6522-587258
    nx9500-6C8809(config-device-B4-C7-99-58-72-58)#

    nx9500-6C8809(config)#show wireless ap configured
    -----------------------------------------------------------------------------------
    IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
    -----------------------------------------------------------------------------------
    1    ap6521-42936C  FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
    2    ap6522-587258  B4-C7-99-58-72-58  default-ap6522  default    B4-C7-99-6C-88-09
    -----------------------------------------------------------------------------------
    nx9500-6C8809(config)#

Related Commands

    no    Removes an AP6522 from the network

4.1.6 ap6532

Adds an AP6532 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP6532
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap6532 <MAC>

Parameters

    ap6532 <MAC>
        <MAC>  Specify the AP6532's MAC address.

Example

    nx9500-6C8809(config)#ap6532 00-23-68-31-16-59
    nx9500-6C8809(config-device-B4-C7-99-58-72-58)#show context
    ap6532 00-23-68-31-16-59
     use profile default-ap6532
     use rf-domain default
     hostname ap6532-311659
    nx9500-6C8809(config-device-00-23-68-31-16-59)#

    nx9500-6C8809(config)#show wireless ap configured
    -----------------------------------------------------------------------------------
    IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
    -----------------------------------------------------------------------------------
    1    ap6521-42936C  FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
    2    ap6522-587258  B4-C7-99-58-72-58  default-ap6522  default    B4-C7-99-6C-88-09
    3    ap6532-311659  00-23-68-31-16-59  default-ap6532  default    B4-C7-99-6C-88-09
    -----------------------------------------------------------------------------------
    nx9500-6C8809(config)#

Related Commands

    no    Removes an AP6532 from the network

4.1.7 ap6562

Adds an AP6562 to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP6562
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap6562 <MAC>

Parameters

    ap6562 <MAC>
        <MAC>  Specify the AP6562's MAC address.

Example

    nx9500-6C8809(config)#ap6562 00-23-09-0E-12-60
    nx9500-6C8809(config-device-00-23-09-0E-12-60)#show context
    ap6562 00-23-09-0E-12-60
     use profile default-ap6562
     use rf-domain default
     hostname ap6562-0E1260
    nx9500-6C8809(config-device-00-23-09-0E-12-60)#

    nx9500-6C8809(config)#show wireless ap configured
    -----------------------------------------------------------------------------------
    IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
    -----------------------------------------------------------------------------------
    1    ap6521-42936C  FC-0A-81-42-93-6C  default-ap6521  default    B4-C7-99-6C-88-09
    2    ap6522-587258  B4-C7-99-58-72-58  default-ap6522  default    B4-C7-99-6C-88-09
    3    ap6532-311659  00-23-68-31-16-59  default-ap6532  default    B4-C7-99-6C-88-09
    4    ap6562-0E1260  00-23-09-0E-12-60  default-ap6562  default    B4-C7-99-6C-88-09
    -----------------------------------------------------------------------------------
    nx9500-6C8809(config)#

Related Commands

    no    Removes an AP6562 from the network

4.1.8 ap71xx

Adds an AP7161 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP7161
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap71xx <MAC>

Parameters

    ap71xx <MAC>
        <MAC>  Specify the AP7161's MAC address.

Example

    nx9500-6C8809(config)#ap71xx 00-23-68-11-E6-C4
    nx9500-6C8809(config-device-00-23-68-11-E6-C4)#show context
    ap71xx 00-23-68-11-E6-C4
     use profile default-ap71xx
     use rf-domain TechPubs
     hostname ap71xx-11E6C4
     no staging-config-learnt
     ip default-gateway 192.168.13.2
     interface vlan1
      ip address 192.168.13.23/24
     use auto-provisioning-policy TecPubs
     no auto-learn staging-config
     adopter-auto-provisioning-policy-lookup evaluate-always
    nx9500-6C8809(config-device-00-23-68-11-E6-C4)#

    nx9500-6C8809(config)#show wireless ap configured
    --------------------------------------------------------------------------------------
    IDX  NAME            MAC                PROFILE          RF-DOMAIN  ADOPTED-BY
    --------------------------------------------------------------------------------------
    1    ap71xx-11E6C4   00-23-68-11-E6-C4  default-ap71xx   TechPubs   un-adopted
    2    ap7532-80C2AC   84-24-8D-80-C2-AC  default-ap7532   TechPubs   B4-C7-99-6C-88-09
    3    ap7131-9C63D4   00-23-68-9C-63-D4  default-ap71xx   default    un-adopted
    4    t5-ED7C6C       B4-C7-99-ED-7C-6C  default-t5       TechPubs   B4-C7-99-6C-88-09
    5    rfs4000-880DA7  00-23-68-88-0D-A7  default-rfs4000  TechPubs   B4-C7-99-6C-88-09
    6    ap7131-99BB7C   00-23-68-99-BB-7C  default-ap71xx   TechPubs   B4-C7-99-6C-88-09
    --------------------------------------------------------------------------------------
    nx9500-6C8809(config)#

Related Commands

    no    Removes an AP7161 from the network

4.1.9 ap7502

Adds an AP7502 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP7502
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap7502 <MAC>

Parameters

    ap7502 <MAC>
        <MAC>  Specify the AP7502's MAC address.

Example

    rfs6000-81742D(config)#ap7502 00-23-68-99-BF-A8
    rfs6000-81742D(config-device-00-23-68-99-BF-A8)#

Related Commands

    no    Removes an AP7502 from the network

4.1.10 ap7522

Adds an AP7522 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP7522
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap7522 <MAC>

Parameters

    ap7522 <MAC>
        <MAC>  Specify the AP7522's MAC address.

Example

    rfs6000-81742D(config)#ap7522 00-23-09-0E-12-63
    rfs6000-81742D(config-device-00-23-09-0E-12-63)#

Related Commands

    no    Removes an AP7522 from the network

4.1.11 ap7532

Adds an AP7532 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP7532
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap7532 <MAC>

Parameters

    ap7532 <MAC>
        <MAC>  Specify the AP7532's MAC address.

Example

    rfs6000-81742D(config)#ap7532 00-23-09-0E-12-71
    rfs6000-81742D(config-device-00-23-09-0E-12-71)#

Related Commands

    no    Removes an AP7532 from the network

4.1.12 ap7562

Adds an AP7562 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP7562
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap7562 <MAC>

Parameters

    ap7562 <MAC>
        <MAC>  Specify the AP7562's MAC address.

Example

    rfs6000-81742D(config)#ap7562 84-24-8D-80-C2-AC
    rfs6000-81742D(config-device-84-24-8D-80-C2-AC)#

Related Commands

    no    Removes an AP7562 from the network

4.1.13 ap7602

Adds an AP7602 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP7602
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap7602 <MAC>

Parameters

    ap7602 <MAC>
        <MAC>  Specify the AP7602's MAC address.

Example

    nx9500-6C8809(config)#ap7602 11-2C-3b-01-aa-23
    nx9500-6C8809(config-device-11-2C-3B-01-AA-23)#show context
    ap7602 11-2C-3B-01-AA-23
     use profile default-ap7602
     use rf-domain default
     hostname ap7602-01AA23
    nx9500-6C8809(config-device-11-2C-3B-01-AA-23)#

Related Commands

    no    Removes an AP7602 from the network

4.1.14 ap7612

Adds an AP7612 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point
    AP7612
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

    ap7612 <MAC>

Parameters

    ap7612 <MAC>
        <MAC>  Specify the AP7612's MAC address.

Example

    nx9500-6C8809(config)#ap7612 10-1c-AB-11-0E-20
    nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#show context
    ap7612 10-1C-AB-11-0E-20
     use profile default-ap7612
     use rf-domain default
     hostname ap7612-110E20
    nx9500-6C8809(config-device-10-1c-AB-11-0E-20)#

Related Commands

    no    Removes an AP7612 from the network

4.1.15 ap7622

Adds an AP7622 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
Access Point AP7622 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ap7622 <MAC>
Parameters ap7622 <MAC>
<MAC>
Example Specify the AP7622s MAC address. nx9500-6C8809(config-device-01-11-CD-21-0B-13)#show con ap7622 01-11-CD-21-0B-13 use profile default-ap7622 use rf-domain default hostname ap7622-210B13 nx9500-6C8809(config-device-01-11-CD-21-0B-13)#
Related Commands
  no   Removes an AP7622 from the network

4.1.16 ap7632

Adds an AP7632 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
  Access Point: AP7632
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ap7632 <MAC>

Parameters
  ap7632 <MAC>
  <MAC>   Specify the AP7632's MAC address.

Example
  nx9500-6C8809(config)#ap7632 23-12-A1-F0-12-02
  nx9500-6C8809(config-device-23-12-A1-F0-12-02)#show context
  ap7632 23-12-A1-F0-12-02
   use profile default-ap7632
   use rf-domain default
   hostname ap7632-F01202
  nx9500-6C8809(config-device-23-12-A1-F0-12-02)#
Related Commands
  no   Removes an AP7632 from the network

4.1.17 ap7662

Adds an AP7662 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
  Access Point: AP7662
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ap7662 <MAC>

Parameters
  ap7662 <MAC>
  <MAC>   Specify the AP7662's MAC address.

Example
  nx9500-6C8809(config)#ap7662 20-12-bd-4C-31-5F
  nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#show context
  ap7662 20-12-BD-4C-31-5F
   use profile default-ap7662
   use rf-domain default
   hostname ap7662-4C315F
  nx9500-6C8809(config-device-20-12-BD-4C-31-5F)#
Related Commands
  no   Removes an AP7662 from the network

4.1.18 ap81xx

Adds an AP81XX series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
  Access Point: AP81XX
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ap81xx <MAC>

Parameters
  ap81xx <MAC>
  <MAC>   Specify the AP81XX's MAC address.

Example
  rfs6000-81742D#ap81xx B4-C7-99-71-17-28
  rfs6000-81742D(config-device-B4-C7-99-71-17-28)#show context
  ap8132 B4-C7-99-71-17-28
   use profile default-ap81xx
   use rf-domain default
   hostname ap8132-711728
   license AAP DEFAULT-LICENSE
  rfs6000-81742D(config-device-B4-C7-99-71-17-28)#

  rfs6000-81742D(config)#show wireless ap configured
  ---------------------------------------------------------------------------------------
  IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
  ---------------------------------------------------------------------------------------
  1    ap8132-711728  B4-C7-99-71-17-28  default-ap81xx  default    00-15-70-81-74-2D
  ---------------------------------------------------------------------------------------
  rfs6000-81742D(config)#
Related Commands
  no   Removes an AP81XX from the network

4.1.19 ap82xx

Adds an AP82XX series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ap82xx <MAC>

Parameters
  ap82xx <MAC>
  <MAC>   Specify the AP82XX's MAC address.

Example
  rfs6000-81742D(config-device-00-23-68-14-77-48)
  rfs6000-81742D(config-device-00-23-68-14-77-48)#show context
  ap82xx 00-23-68-14-77-48
   use profile default-ap82xx
   use rf-domain default
   hostname ap8232-147748
  rfs6000-81742D(config-device-00-23-68-14-77-48)#

  rfs6000-81742D(config)#show wireless ap configured
  ---------------------------------------------------------------------------------------
  IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
  ---------------------------------------------------------------------------------------
  1    ap6511-08456A  5C-0E-8B-08-45-6A  default-ap6511  default    un-adopted
  2    ap8232-147748  00-23-68-14-77-48  default-ap82xx  default    un-adopted
  ---------------------------------------------------------------------------------------
  rfs6000-81742D(config)#
Related Commands
  no   Removes an AP82XX from the network

4.1.20 ap8432

Adds an AP8432 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
  Access Point: AP8432
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ap8432 <MAC>

Parameters
  ap8432 <MAC>
  <MAC>   Specify the AP8432's MAC address.

Example
  nx9500-6C8809(config)#ap8432 84-24-8D-80-C2-AC
  nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#show context
  ap8432 84-24-8D-80-C2-AC
   use profile default-ap8432
   use rf-domain default
   hostname ap8432-80C2AC
  nx9500-6C8809(config-device-84-24-8D-80-C2-AC)#

  nx9500-6C8809(config)#show wireless ap configured
  ---------------------------------------------------------------------------------------
  IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
  ---------------------------------------------------------------------------------------
  1    ap8432-80C2AC  84-24-8D-80-C2-AC  default-ap8432  default    un-adopted
  ---------------------------------------------------------------------------------------
  nx9500-6C8809(config)#
Related Commands
  no   Removes an AP8432 from the network

4.1.21 ap8533

Adds an AP8533 series to the network. If a profile for the AP is not available, a new profile is created.

Supported in the following platforms:
  Access Point: AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ap8533 <MAC>

Parameters
  ap8533 <MAC>
  <MAC>   Specify the AP8533's MAC address.

Example
  nx9500-6C8809(config)#ap8533 B4-C7-99-74-B4-5C
  nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#show context
  ap8533 B4-C7-99-74-B4-5C
   use profile default-ap8533
   use rf-domain default
   hostname ap8533-74B45C
  nx9500-6C8809(config-device-B4-C7-99-74-B4-5C)#

  nx9500-6C8809(config)#show wireless ap configured
  ---------------------------------------------------------------------------------------
  IDX  NAME           MAC                PROFILE         RF-DOMAIN  ADOPTED-BY
  ---------------------------------------------------------------------------------------
  1    ap8533-74B45C  B4-C7-99-74-B4-5C  default-ap8533  default    un-adopted
  ---------------------------------------------------------------------------------------
  nx9500-6C8809(config)#
Related Commands
  no   Removes an AP8533 from the network

4.1.22 application

The following table lists the commands that enable you to enter the Application definition configuration mode:

Table 4.2 Application-Policy Config Command Description
  Command                           Description                                                                 Reference
  application                       Creates a new application definition and enters its configuration mode.    page 4-41
                                    This command allows you to create a customized application detection
                                    definition.
  application-config-mode commands  Summarizes application definition configuration mode commands              page 4-42

4.1.22.1 application

Creates a new application definition and enters its configuration mode

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  application <APPLICATION-NAME>

Parameters
  application <APPLICATION-NAME>
  application <APPLICATION-NAME>   Creates a new application definition and enters its configuration mode
  <APPLICATION-NAME>               Specify the name of the new application definition. It is created if it does not already exist in the system.

Example
  nx9500-6C8809(config)#application Bing
  nx9500-6C8809(config-application-Bing)#?
  Application Mode commands:
    app-category  Set application category (default is custom)
    description   Add application description
    https         Secure HTTP
    no            Negate a command or set its defaults
    use           Set setting to use

    clrscr        Clears the display screen
    commit        Commit all changes made in this session
    do            Run commands from Exec mode
    end           End current mode and change to EXEC mode
    exit          End current mode and down to previous mode
    help          Description of the interactive help system
    revert        Revert changes
    service       Service Commands
    show          Show running system information
    write         Write running configuration to memory or terminal

  nx9500-6C8809(config-application-Bing)#
Related Commands
  no   Deletes an existing application definition

4.1.22.2 application-config-mode commands

The following table summarizes Application definition configuration mode commands:

Table 4.3 Application-Config-Mode Commands
  Command       Description                                                                                Reference
  app-category  Configures the category for this application definition                                    page 4-43
  description   Configures a description for this application definition                                   page 4-44
  https         Configures the HTTPS common-name attribute value for this application category's server    page 4-45
                certificate. Applicable only to applications using the HTTPS protocol.
  use           Associates a network-service alias or a URL list with this application definition.        page 4-46
                Applicable to applications using protocols other than HTTPS.
  no            Removes or resets this application definition's configured settings                        page 4-47

4.1.22.2.1 app-category

Configures the category for this application definition

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  app-category <APP-CATEGORY-NAME>

Parameters
  app-category <APP-CATEGORY-NAME>
  app-category <APP-CATEGORY-NAME>   Select the category best suited for this application definition. There are twenty three categories. These are: business, conference, custom, database, filetransfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and Web. The default setting is custom. Use this option to categorize your internal custom applications, so that they do not appear as unknown traffic.

Example
  nx9500-6C8809(config-application-Bing)#app-category [TAB]
  business  conference  custom  database  filetransfer  gaming  generic  im  mail  mobile  network\ management  other  p2p  remote_control  sharehosting  social\ networking  streaming  tunnel  voip  web
  nx9500-6C8809(config-application-Bing)#

  nx9500-6C8809(config-application-Bing)#app-category streaming
  nx9500-6C8809(config-application-Bing)#show context
  application Bing
   app-category streaming
  nx9500-6C8809(config-application-Bing)#
Related Commands
  no   Resets the application category to the default (custom)

4.1.22.2.2 description

Configures a description for this application definition

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  description <WORD>

Parameters
  description <WORD>
  description <WORD>   Configures a description for this application
  <WORD>               Specify a description not exceeding 80 characters in length. Enter the descriptive text within double quotes.

Example
  nx9500-6C8809(config-application-Bing)#description "Bing is Microsoft's Web search engine"
  nx9500-6C8809(config-application-Bing)#show context
  application Bing
   description "Bing is Microsoft's Web search engine"
   app-category streaming
  nx9500-6C8809(config-application-Bing)#
Related Commands
  no   Removes the description configured for this application

4.1.22.2.3 https

Configures the HTTPS parameter type, the attribute type, the match criteria for the HTTPS server name, and the server name attribute (64 characters maximum) used in the HTTPS server message exchange

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  https server-cert common-name [contains|ends-with] <WORD>

Parameters
  https server-cert common-name [contains|ends-with] <WORD>
  https server-cert      Configures the HTTPS parameter type as server certificate
  common-name            Configures the HTTPS attribute match criteria as common name. This is the only option applicable when the HTTPS parameter type is set to server-cert. Use one of the following options to provide the common-name attribute value used as the match criteria:
  [contains|ends-with]   contains    Filters applications whose common-name attribute contains the string specified here
                         ends-with   Filters applications whose common-name attribute ends with the string specified here
  <WORD>                 Specify the string to match (should not exceed 64 characters).

Example
  nx9500-6C8809(config-application-Bing)#https server-cert common-name exact bing.com
  nx9500-6C8809(config-application-Bing)#show context
  application Bing
   description "Bing is Microsoft's web search engine"
   app-category streaming
   https server-cert common-name exact bing.com
  nx9500-6C8809(config-application-Bing)#
Related Commands
  no   Removes the HTTPS common-name attribute value configured with this application category

4.1.22.2.4 use

Associates a network-service alias or a URL list with this application definition. For applications using protocols other than HTTPS, use this command to define the protocols, ports, and/or URL host name to match.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

Parameters
  use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]
  use                                            Configures this application definition to use a network-service alias or a URL list
  network-service <NETWORK-SERVICE-ALIAS-NAME>   Associates a network-service alias with this application definition
                                                 <NETWORK-SERVICE-ALIAS-NAME>  Specify the network-service alias name (it should already exist and be configured). The network-service alias should specify the protocols and ports to match.
  url-list <URL-LIST-NAME>                       Associates a URL list with this application definition. URL lists are used for whitelisting and blacklisting Web application URLs, to keep them from being launched and consuming bandwidth within the WiNG managed network.
                                                 <URL-LIST-NAME>  Specify the URL list name (it should already exist and be configured). The URL list should specify the HTTP URL host names to match.

Example
  nx9500-6C8809(config-application-Bing)#use url-list Bing
  nx9500-6C8809(config-application-Bing)#show context
  application Bing
   description "Bing is Microsoft's web search engine"
   app-category streaming
   use url-list Bing
   https server-cert common-name exact bing.com
  nx9500-6C8809(config-application-Bing)#
Related Commands
  no   Removes the network-service alias or the URL list associated with this application definition

4.1.22.2.5 no

Removes or resets this application definition's configured settings

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [app-category|description|https|use]
  no [app-category|description]
  no https server-cert common-name [contains|ends-with] <WORD>
  no use [network-service <NETWORK-SERVICE-ALIAS-NAME>|url-list <URL-LIST-NAME>]

Parameters
  no <PARAMETERS>
  no <PARAMETERS>   Removes or resets this application definition's configured settings based on the parameters passed

Example
  The following example displays the application definition Bing parameters before the no commands are executed:
  nx9500-6C8809(config-application-Bing)#show context
  application Bing
   description "Bing is Microsoft's web search engine"
   app-category streaming
   use url-list Bing
   https server-cert common-name exact bing.com
  nx9500-6C8809(config-application-Bing)#

  nx9500-6C8809(config-application-Bing)#no description
  nx9500-6C8809(config-application-Bing)#no https server-cert common-name exact bing.com

  The following example displays the application definition Bing parameters after the no commands are executed:
  nx9500-6C8809(config-application-Bing)#show context
  application Bing
   app-category streaming
   use url-list Bing
  nx9500-6C8809(config-application-Bing)#
4.1.23 application-group

The following table lists the commands that enable you to create a new application group and enter its configuration mode:

Table 4.4 Application-Group Config Command Description
  Command                          Description                                                         Reference
  application-group                Creates a new application group and enters its configuration mode   page 4-49
  application-group-mode commands  Summarizes application group configuration mode commands            page 4-50

4.1.23.1 application-group

An application group is a collection of system-provided and/or user-defined applications. It is a subset of the total number of supported applications. There are a total of 299 system-provided applications.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  application-group <APPLICATION-GROUP-NAME>

Parameters
  application-group <APPLICATION-GROUP-NAME>
  application-group <APPLICATION-GROUP-NAME>   Creates an application group and enters its configuration mode
  <APPLICATION-GROUP-NAME>                     Specify the application group name. If an application group with the specified name does not exist, it is created. The name should not exceed 32 characters in length.

Example
  nx9500-6C8809(config)#application-group amazon
  nx9500-6C8809(config-app-group-amazon)#?
  Application Group Mode commands:
    application  Add application to group
    description  Add application-group description
    no           Negate a command or set its defaults

    clrscr       Clears the display screen
    commit       Commit all changes made in this session
    do           Run commands from Exec mode
    end          End current mode and change to EXEC mode
    exit         End current mode and down to previous mode
    help         Description of the interactive help system
    revert       Revert changes
    service      Service Commands
    show         Show running system information
    write        Write running configuration to memory or terminal

  nx9500-6C8809(config-app-group-amazon)#
Related Commands
  no   Removes an existing application group

4.1.23.2 application-group-mode commands

The following table summarizes the application group configuration mode commands:

Table 4.5 Application-Group-Config-Mode Commands
  Command      Description                                                                               Reference
  application  Adds an application to this application group                                             page 4-51
  description  Configures a description for this application group                                       page 4-53
  no           Removes this application group's configured parameters (application and/or description)   page 4-54

4.1.23.2.1 application

Adds an application to this application group. You can add a system-provided or user-defined application.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  application <APPLICATION-NAME>

Parameters
  application <APPLICATION-NAME>
  application <APPLICATION-NAME>   Configures the application to be added to this application group
  <APPLICATION-NAME>               Provide the application name (it should be available as an option in the system). A maximum of eight (8) applications can be added to a group. If the desired application is not available as an option, use the application command to add it. To view all applications available in the system, use [TAB], as shown in the following example.

Example
  nx9500-6C8809(config-app-group-test)#application [TAB]
  Display all 299 possibilities? (y or n)
  1-clickshare-com  1-upload-com  1-upload-to  10upload-com
  --More--
  nx9500-6C8809(config-app-group-test)#

  Select the desired application from the list displayed, as shown in the following examples:
  nx9500-6C8809(config-app-group-amazon)#application amazon [TAB]
  amazon-prime-music  amazon-prime-video  amazon_cloud  amazon_shop
  nx9500-6C8809(config-app-group-amazon)#

  nx9500-6C8809(config-app-group-amazon)#application amazon-prime-music
  nx9500-6C8809(config-app-group-amazon)#application amazon-prime-video
  nx9500-6C8809(config-app-group-amazon)#application amazon_cloud
  nx9500-6C8809(config-app-group-amazon)#application amazon_shop
  nx9500-6C8809(config-app-group-amazon)#show context
  application-group amazon
   application amazon-prime-music
   application amazon-prime-video
   application amazon_cloud
   application amazon_shop
  nx9500-6C8809(config-app-group-amazon)#

  Note that the system returns an error message if the application entered is not listed, as shown in the following example:
  nx9500-6C8809(config-app-group-test)#application bing
  % Error: application 'bing' is not defined
  nx9500-6C8809(config-app-group-test)#
Related Commands
  no   Removes a specified application from this application group

4.1.23.2.2 description

Configures a description for this application group

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  description <WORD>

Parameters
  description <WORD>
  description <WORD>   Configures a description for this application group that uniquely differentiates it from other existing application groups
  <WORD>               Provide a description not exceeding 80 characters in length.

Example
  nx9500-6C8809(config-app-group-amazon)#description This application-group lists all Amazon applications.
  nx9500-6C8809(config-app-group-amazon)#show context
  application-group amazon
   description This application-group lists all Amazon applications.
   application amazon-prime-music
   application amazon-prime-video
   application amazon_cloud
   application amazon_shop
  nx9500-6C8809(config-app-group-amazon)#
Related Commands
  no   Removes the description configured for this application group

4.1.23.2.3 no

Removes this application group's configured parameters (application and/or description)

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [application <APPLICATION-NAME>|description]

Parameters
  no [application <APPLICATION-NAME>|description]
  no <PARAMETERS>   Removes an application associated with this group, and/or removes this group's description

Example
  The following example displays the application-group amazon configuration before the execution of the no commands:
  nx9500-6C8809(config-app-group-amazon)#show context
  application-group amazon
   description "This application-group lists all Amazon applications."
   application amazon-prime-music
   application amazon-prime-video
   application amazon_cloud
   application amazon_shop
  nx9500-6C8809(config-app-group-amazon)#

  nx9500-6C8809(config-app-group-amazon)#no application amazon_cloud
  nx9500-6C8809(config-app-group-amazon)#no description

  The following example displays the application-group amazon configuration after the execution of the no commands:
  nx9500-6C8809(config-app-group-amazon)#show context
  application-group amazon
   application amazon-prime-music
   application amazon-prime-video
   application amazon_shop
  nx9500-6C8809(config-app-group-amazon)#
4.1.24 application-policy

The following table lists the commands that enable you to enter the Application policy configuration mode:

Table 4.6 Application-Policy Config Command Description
  Command                           Description                                                        Reference
  application-policy                Creates an application policy and enters its configuration mode    page 4-56
  application-policy-mode commands  Summarizes the application policy configuration mode commands     page 4-58

4.1.24.1 application-policy

When an application is recognized and classified by the WiNG application recognition engine, administrator-defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized applications (for example, Facebook) or application categories (for example, social-networking). The following are the rules/actions that can be applied in an application policy:

  Allow       Allow packets for a specific application or application category
  Deny        Deny packets for a specific application or application category
  Mark        Mark packets with a DSCP/802.1p value for a specific application or application category
  Rate-limit  Rate limit packets from specific application types

For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when you want to deny packets for a category but allow a few applications in the same category to proceed. In such cases, add an allow rule for those applications with a higher precedence than the deny rule for the category. Mark actions mark packets for a recognized application or category with DSCP/802.1p values used for QoS. Rate-limits create a rate-limiter applied to packets recognized for an application or category. An ingress rate, an egress rate, or both can be specified for the rate-limiter; both are not required. Mark and rate-limit are the only two actions that can be combined for an application or category. All other combinations are invalid.

Once created and configured, apply the application policy at the following levels within the network to enforce application assurance:

  RADIUS CoA usage  In the device/profile configuration mode, use the application-policy > radius > <APPLICATION-POLICY-NAME> command to apply the policy to every user successfully authenticated by the RADIUS server.
  User role         In the role-policy-user-role configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy to all users assigned to the role.
  WLAN              In the WLAN configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy to all users accessing the WLAN.
  Bridge VLAN       In the bridge VLAN configuration mode, use the use > application-policy <APPLICATION-POLICY-NAME> command to apply the policy to the traffic corresponding to the bridged VLAN.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  application-policy <APPLICATION-POLICY-NAME>

Parameters
  application-policy <APPLICATION-POLICY-NAME>
  application-policy <APPLICATION-POLICY-NAME>   Specify the application policy name. If an application policy with the specified name does not exist, it is created. The name should not exceed 32 characters in length.

Example
  nx9500-6C8809(config)#application-policy TestAppliPolicy
  nx9500-6C8809(config-app-policy-TestAppliPolicy)#?
  Application Policy Mode commands:
    allow             Allow packets
    deny              Deny packets
    description       Application policy description
    enforcement-time  Configure policy enforcement based on time
    logging           Application recognition logging
    mark              Mark packets
    no                Negate a command or set its defaults
    rate-limit        Rate-limit packets

    clrscr            Clears the display screen
    commit            Commit all changes made in this session
    do                Run commands from Exec mode
    end               End current mode and change to EXEC mode
    exit              End current mode and down to previous mode
    help              Description of the interactive help system
    revert            Revert changes
    service           Service Commands
    show              Show running system information
    write             Write running configuration to memory or terminal

  nx9500-6C8809(config-app-policy-TestAppliPolicy)#
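The precedence and action-combination rules described for application policies above, modelled in Python. This is an added example, not code from the guide or from WiNG; the application-to-category table is constructed for the example, and treating a lower precedence number as the winning rule is an assumption, since the guide only says that precedence resolves conflicts between applications and categories.

```python
"""Toy model of WiNG application-policy rule resolution (added example).

Encodes what the guide states: the default action is allow, deny is exclusive,
mark and rate-limit are the only two actions that may be combined on one
target, and precedence decides between conflicting allow/deny rules, such as an
allow for one application overriding a deny for its whole category.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed application -> app-category table. The real DPI engine supplies
# this classification; these entries are made up for the example (the guide's
# own custom 'Bing' definition is given the category 'streaming').
APP_CATEGORY = {
    "facebook": "social networking",
    "twitter": "social networking",
    "skype": "voip",
    "youtube": "streaming",
    "bing": "streaming",
}

# The only action sets the guide allows on a single application or category.
VALID_COMBINATIONS = ({"allow"}, {"deny"}, {"mark"}, {"rate-limit"}, {"mark", "rate-limit"})


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" | "deny" | "mark" | "rate-limit"
    target_kind: str       # "application" | "app-category"
    target: str            # application name, category name, or "all"
    precedence: int        # <1-256>, as in the allow syntax on this page
    dscp: Optional[int] = None          # mark action
    ingress_kbps: Optional[int] = None  # rate-limit action
    egress_kbps: Optional[int] = None   # rate-limit action


def validate(rules):
    """Raise ValueError for rule sets the guide calls invalid."""
    actions_by_target = {}
    for r in rules:
        if not 1 <= r.precedence <= 256:
            raise ValueError(f"precedence {r.precedence} is outside <1-256>")
        if r.action == "rate-limit" and r.ingress_kbps is None and r.egress_kbps is None:
            raise ValueError("a rate-limit rule needs an ingress or an egress rate")
        actions_by_target.setdefault((r.target_kind, r.target), set()).add(r.action)
    for key, actions in actions_by_target.items():
        if actions not in VALID_COMBINATIONS:
            raise ValueError(f"invalid action combination {sorted(actions)} on {key}")


def is_valid(rules):
    try:
        validate(rules)
    except ValueError:
        return False
    return True


def matching_rules(rules, application):
    """Rules whose match criteria cover this application: its own name, its
    category, or the 'all' category."""
    category = APP_CATEGORY[application]
    return [
        r for r in rules
        if (r.target_kind == "application" and r.target == application)
        or (r.target_kind == "app-category" and r.target in (category, "all"))
    ]


def _winner(hits, actions):
    """Among matching rules with one of `actions`, pick the one that applies.
    Assumption: a lower precedence number wins (the guide does not say)."""
    candidates = [r for r in hits if r.action in actions]
    return min(candidates, key=lambda r: r.precedence) if candidates else None


def evaluate(rules, application):
    """Return the verdict the policy produces for one recognised application."""
    validate(rules)
    hits = matching_rules(rules, application)
    verdict = {"access": "allow", "dscp": None, "ingress_kbps": None, "egress_kbps": None}
    access = _winner(hits, {"allow", "deny"})
    if access is not None:
        verdict["access"] = access.action
    if verdict["access"] == "deny":
        return verdict  # deny is exclusive: no marking or rate limiting applies
    mark = _winner(hits, {"mark"})
    if mark is not None:
        verdict["dscp"] = mark.dscp
    limit = _winner(hits, {"rate-limit"})
    if limit is not None:
        verdict["ingress_kbps"] = limit.ingress_kbps
        verdict["egress_kbps"] = limit.egress_kbps
    return verdict


# Constructed policy following the guide's advice: deny a whole category, but
# allow one application in it with a higher precedence than the deny.
SAMPLE_POLICY = [
    Rule("deny", "app-category", "social networking", precedence=20),
    Rule("allow", "application", "facebook", precedence=10),
    Rule("mark", "app-category", "voip", precedence=30, dscp=46),
    Rule("rate-limit", "app-category", "streaming", precedence=40, egress_kbps=2000),
]

if __name__ == "__main__":
    for app in APP_CATEGORY:
        print(app, evaluate(SAMPLE_POLICY, app))
```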
Related Commands
  no   Removes an existing application policy

4.1.24.2 application-policy-mode commands

The following table summarizes Application policy configuration mode commands:

Table 4.7 Application-Policy-Mode Commands
  Command           Description                                                                                  Reference
  allow             Creates an allow rule and configures the match criteria based on which packets are           page 4-59
                    filtered and the allow access action applied
  deny              Creates a deny rule and configures the match criteria based on which packets are             page 4-62
                    filtered and the deny access action applied
  description       Configures a brief description for this application policy that enables you to              page 4-65
                    differentiate it from other application policies
  enforcement-time  Configures an enforcement time period in days and hours for this application policy.       page 4-66
                    The policy is enforced only during the specified time period.
  logging           Enables logging of application recognition hits made by the DPI engine. It also sets        page 4-68
                    the logging level.
  mark              Creates a mark rule and configures the match criteria based on which packets are            page 4-70
                    filtered and marked with an 802.1p priority value or a Differentiated Services Code
                    Point (DSCP) code
  rate-limit        Creates a rate-limit rule and configures the match criteria based on which incoming and     page 4-73
                    outgoing packets are filtered and the configured rate limits applied
  no                Removes or resets this application policy's settings                                        page 4-76

4.1.24.2.1 allow

Creates an allow rule and configures the match criteria based on which packets are filtered and the allow access action applied

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
        schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters
  allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
        schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

  allow
      Creates an allow rule and configures the match criteria. The options are app-category and application.

  app-category [<APP-CATEGORY-NAME>|all]
      Uses the application category as the match criteria.
      <APP-CATEGORY-NAME>  Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet's app-category is matched with the value specified here. In case of a match, the system forwards the packet; otherwise it drops it.
      all  The system forwards all packets irrespective of the application category.

  application <APPLICATION-NAME>
      Uses the application name as the match criteria.
      <APPLICATION-NAME>  Specify the application name. Each packet's application is matched with the application name specified here. In case of a match, the system forwards the packet. The WiNG database provides approximately 381 canned applications. In addition to these, the database also includes custom-made applications. These are application definitions created using the application command.

  schedule <SCHEDULE-POLICY-NAME>
      Schedules an enforcement time for this allow rule by associating a schedule policy with it. Use this parameter to apply a rule-specific enforcement time.
      schedule <SCHEDULE-POLICY-NAME>  Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy's enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of all).
      <SCHEDULE-POLICY-NAME>  Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. In case no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

  precedence <1-256>
      Assigns a precedence value for this allow rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, and rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule. Let us consider the application youtube belonging to the app-category streaming. The action required is: allow youtube packets and deny all other applications belonging to the app-category streaming. The rules can be defined as:
          #allow application youtube precedence 1
          #deny app-category streaming precedence 2
      The following configuration is incorrect:
          #deny app-category streaming precedence 1
          #allow application youtube precedence 2
      Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule. The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.

Example
The following example shows how to view all built-in, system-provided applications:
  nx9500-6C8809(config-app-policy-test)#allow application [TAB]
  Display all 366 possibilities? (y or n)
  1-clickshare-com  1-upload-com  1-upload-to  10upload-com  123upload-pl  139pan-com  163pan-com  1clickshare-net  1fichier-com  1kxun  2channel  2gis  2shared-com  360mobile  4fastfile-com  4share-ws  Dota\ 2  EA\ Origin
  --More--
  nx9500-6C8809(config-app-policy-test)#

The following examples show two allow rules, allowing access to all packets belonging to the application category business and the application Bing:
  nx9500-6C8809(config-app-policy-Bing)#allow application Bi [TAB]
  Bing  BitTorrent  BitTorrent_encrypted  BitTorrent_plain  BitTorrent_uTP  BitTorrent_uTP_encrypted
  nx9500-6C8809(config-app-policy-Bing)#

Note: Bing is not one of the WiNG built-in database applications. It is a customized application created using the application command.

  nx9500-6C8809(config-app-policy-Bing)#allow application Bing precedence 1
  nx9500-6C8809(config-app-policy-Bing)#allow app-category [TAB]
  all  antivirus\ update  audio  business  conference  custom  database  filetransfer  gaming  generic  im  mail  mobile  network\ management  other  p2p  remote_control  social\ networking  standard  streaming  tunnel  video  voip  web
  nx9500-6C8809(config-app-policy-Bing)#
  nx9500-6C8809(config-app-policy-Bing)#allow app-category business precedence 2
  nx9500-6C8809(config-app-policy-Bing)#show context
  application-policy Bing
   allow application Bing precedence 1
   allow app-category business precedence 2
  nx9500-6C8809(config-app-policy-Bing)#

The following example shows an application policy 'SocialNet' having an allow rule with an associated schedule policy named 'FaceBook':
  nx9500-6C8809(config-app-policy-SocialNet)#allow application facebook schedule Facebook precedence 1
  nx9500-6C8809(config-app-policy-SocialNet)#show context
  application-policy SocialNet
   description "This application policy relates to Social Networking sites."
   allow application facebook schedule FaceBook precedence 1
  nx9500-6C8809(config-app-policy-SocialNet)#

The schedule policy FaceBook configuration is as follows. As per this policy, the above allow rule will apply to all FaceBook packets every Friday between 13:00 and 18:00 hours.
  nx9500-6C8809(config-schedule-policy-FaceBook)#show context
  schedule-policy FaceBook
   description "Allows FaceBook traffic on Fridays."
   time-rule days friday start-time 13:00 end-time 18:00
  nx9500-6C8809(config-schedule-policy-FaceBook)#
Related Commands
  no    Removes this allow rule from the application policy

4.1.24.2.2 deny
application-policy-mode commands

Creates a deny rule and configures the match criteria based on which packets are filtered and the deny access action applied.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
       schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters
  deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
       schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

  deny
      Creates a deny rule and configures the match criteria. The options are app-category and application.

  app-category [<APP-CATEGORY-NAME>|all]
      Uses the application category as the match criteria.
      <APP-CATEGORY-NAME>  Specify the application category name. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet's app-category is matched with the value specified here. In case of a match, the system drops the packet.
      all  The system drops all packets irrespective of the application category.

  application <APPLICATION-NAME>
      Uses the application name as the match criteria.
      <APPLICATION-NAME>  Specify the application name. Each packet's application is matched with the application name specified here. In case of a match, the system drops the packet. There are approximately 381 canned applications in the database. In addition to these, the database also includes custom-made applications. These are application definitions created using the application command.

  schedule <SCHEDULE-POLICY-NAME>
      Schedules an enforcement time for this deny rule by associating a schedule policy with it. Use this parameter to apply a rule-specific enforcement time.
      schedule <SCHEDULE-POLICY-NAME>  Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy's enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of all).
      <SCHEDULE-POLICY-NAME>  Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. In case no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

  precedence <1-256>
      Assigns a precedence value for this deny rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, and rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule. Let us consider the application youtube belonging to the app-category streaming. The action required is: allow youtube packets and deny all other applications belonging to the app-category streaming. The rules can be defined as:
          #allow application youtube precedence 1
          #deny app-category streaming precedence 2
      The following configuration is incorrect:
          #deny app-category streaming precedence 1
          #allow application youtube precedence 2
      Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule. The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.

Example
The following example shows one deny rule, denying access to all packets belonging to the application category social\ networking:
  nx9500-6C8809(config-app-policy-Bing)#deny app-category social\ networking precedence 3
  nx9500-6C8809(config-app-policy-Bing)#show context
  application-policy Bing
   allow application Bing precedence 1
   allow app-category business precedence 2
   deny app-category "social networking" precedence 3
  nx9500-6C8809(config-app-policy-Bing)#

The following example displays the schedule policy DenyS-N settings. The time-rule defined in the policy is all weekdays from 9:30 AM to 11:30 PM.
  nx9500-6C8809(config-schedule-policy-DenyS-N)#show context
  schedule-policy DenyS-N
   description "Denies all social Networking sites on weekdays."
   time-rule days weekdays start-time 09:30 end-time 23:30
  nx9500-6C8809(config-schedule-policy-DenyS-N)#

The following example displays the schedule policy FaceBook settings. The time-rule defined in the policy is Friday from 1:00 PM to 6:00 PM.
  nx9500-6C8809(config-schedule-policy-FaceBook)#show context
  schedule-policy FaceBook
   description "Allows FaceBook traffic on Fridays."
   time-rule days friday start-time 13:00 end-time 18:00
  nx9500-6C8809(config-schedule-policy-FaceBook)#

The following example shows an application policy SocialNet defining an allow and a deny rule. The two rules have different enforcement times, defined by their respective schedule policies (DenyS-N and FaceBook). As per these two schedule policy settings, this application policy:
  - Denies all social\ networking sites on weekdays (barring Fridays between 1:00 PM and 6:00 PM) from 9:30 AM to 11:30 PM.
  - On Fridays, between 1:00 PM and 6:00 PM, denies all social\ networking sites except Facebook.
  nx9500-6C8809(config-app-policy-SocialNet)#show context
  application-policy SocialNet
   description "This application policy relates to Social Networking sites."
   allow application facebook schedule FaceBook precedence 1
   deny app-category "social networking" schedule DenyS-N precedence 2
  nx9500-6C8809(config-app-policy-SocialNet)#
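The two behaviours this entry and the allow entry describe, first-match by precedence (so a deny on a category placed before an allow on one of its applications silently wins) and a scheduled rule that never fires because its schedule policy falls outside the application policy's enforcement-time, can be checked with a small model before a policy is pushed to a controller. The following Python is an added example written for this guide's text, not WiNG code; it assumes, which the manual does not state, that traffic outside the enforcement window or matched by no allow/deny rule is forwarded. It replays the youtube/streaming ordering example and the SocialNet policy with its FaceBook and DenyS-N schedule policies, and flags a rule scheduled for Fridays inside a policy enforced only on Mondays.

```python
# Constructed model of WiNG application-policy rule evaluation (added example, not WiNG code).
# Assumptions the manual does not state: traffic outside the policy's enforcement-time, and
# traffic that no allow/deny rule matches, is forwarded.
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

DAY_NAMES = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
DAY_GROUPS = {"all": frozenset(DAY_NAMES), "weekdays": frozenset(DAY_NAMES[:5]),
              "weekends": frozenset(DAY_NAMES[5:])}


def parse_days(word: str) -> frozenset:
    """Map a 'days' keyword (sunday..saturday|all|weekdays|weekends) to a set of day names."""
    if word in DAY_GROUPS:
        return DAY_GROUPS[word]
    if word in DAY_NAMES:
        return frozenset([word])
    raise ValueError("unknown days keyword: " + word)


@dataclass(frozen=True)
class TimeRule:
    """'days X start-time HH:MM end-time HH:MM': the shape of enforcement-time and of a time-rule."""
    days: frozenset
    start: time = time(0, 0)
    end: time = time(23, 59)

    def active(self, at: datetime) -> bool:
        return DAY_NAMES[at.weekday()] in self.days and self.start <= at.time() <= self.end

    def is_subset_of(self, other: "TimeRule") -> bool:
        """True when every moment this rule covers is also covered by 'other'."""
        return self.days <= other.days and other.start <= self.start and self.end <= other.end


ALWAYS = TimeRule(DAY_GROUPS["all"])  # the default enforcement-time setting ('all')


@dataclass(frozen=True)
class Rule:
    action: str                          # allow | deny | mark | rate-limit
    match_kind: str                      # application | app-category
    match_value: str                     # name, or "all" for app-category
    precedence: int                      # 1-256; lower values are evaluated first
    schedule: Optional[TimeRule] = None  # the associated schedule policy's time-rule, if any

    def matches(self, application: str, category: str) -> bool:
        if self.match_kind == "application":
            return self.match_value == application
        return self.match_value in ("all", category)


class ApplicationPolicy:
    def __init__(self, name: str, enforcement: TimeRule = ALWAYS):
        self.name, self.enforcement, self.rules = name, enforcement, []

    def conflicts(self, rule: Rule) -> bool:
        """True if the target already carries an action that cannot be combined with rule.action
        (only mark and rate-limit may coexist for one application or category)."""
        return any((old.match_kind, old.match_value) == (rule.match_kind, rule.match_value)
                   and {old.action, rule.action} != {"mark", "rate-limit"} for old in self.rules)

    def add_rule(self, rule: Rule) -> None:
        if not 1 <= rule.precedence <= 256 or self.conflicts(rule):
            raise ValueError(f"cannot add {rule.action} rule for {rule.match_value}")
        self.rules.append(rule)

    def rules_that_never_hit(self) -> list:
        """Scheduled rules whose time-rule is not a subset of the policy's enforcement-time."""
        return [r for r in self.rules
                if r.schedule is not None and not r.schedule.is_subset_of(self.enforcement)]

    def decide(self, application: str, category: str, when: str) -> tuple:
        """(verdict, actions) for one packet at ISO time 'when': the first matching allow or deny
        by precedence sets the verdict; mark/rate-limit hits met on the way are collected."""
        at, actions = datetime.fromisoformat(when), []
        if not self.enforcement.active(at):
            return "allow", actions
        for rule in sorted(self.rules, key=lambda r: r.precedence):
            if not rule.matches(application, category):
                continue
            if rule.schedule is not None and not rule.schedule.active(at):
                continue
            if rule.action in ("allow", "deny"):
                return rule.action, actions
            actions.append(rule.action)
        return "allow", actions


def youtube_demo(order: str) -> str:
    """The manual's youtube/streaming example in 'correct' or 'incorrect' rule order (a Monday, noon)."""
    policy = ApplicationPolicy("Streaming")
    first, second = (1, 2) if order == "correct" else (2, 1)
    policy.add_rule(Rule("allow", "application", "youtube", first))
    policy.add_rule(Rule("deny", "app-category", "streaming", second))
    return policy.decide("youtube", "streaming", "2023-06-05T12:00")[0]


def socialnet_policy() -> ApplicationPolicy:
    """The manual's SocialNet policy with its schedule policies FaceBook and DenyS-N."""
    policy = ApplicationPolicy("SocialNet")
    policy.add_rule(Rule("allow", "application", "facebook", 1,
                         TimeRule(parse_days("friday"), time(13, 0), time(18, 0))))
    policy.add_rule(Rule("deny", "app-category", "social networking", 2,
                         TimeRule(parse_days("weekdays"), time(9, 30), time(23, 30))))
    return policy
```

youtube_demo("correct") returns "allow" and youtube_demo("incorrect") returns "deny", which is exactly the ordering mistake the text warns about; socialnet_policy().decide(...) gives "allow" for facebook on a Friday afternoon and "deny" on a Monday morning, and rules_that_never_hit() is the check to run whenever a schedule policy is attached to a rule in a policy whose enforcement-time is not the default.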
Related Commands
  no    Removes this deny rule from the application policy

4.1.24.2.3 description
application-policy-mode commands

Configures a brief description for this application policy that enables you to differentiate it from other application policies.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  description <LINE>

Parameters
  description <LINE>

  description <LINE>
      Configures this application policy's description.
      <LINE>  Specify a brief description not exceeding 80 characters in length.

Example
  nx9500-6C8809(config-app-policy-Bing)#description "This application policy allows Bing search engine packets"
  nx9500-6C8809(config-app-policy-Bing)#show context
  application-policy Bing
   description "This application policy allows Bing search engine packets"
   allow application Bing precedence 1
   allow app-category business precedence 2
   deny app-category "social networking" precedence 3
  nx9500-6C8809(config-app-policy-Bing)#
Related Commands
  no    Removes this application policy's description

4.1.24.2.4 enforcement-time
application-policy-mode commands

Configures an enforcement time period in days and hours for this application policy. The enforcement time is applicable only to those rules, within the application policy, that do not have a schedule policy associated. By default an application policy is enforced on all days.

NOTE: Schedule policies are a means of enforcing allow/deny/mark/rate-limit rules at different time periods. If no schedule policy is applied, all rules within an application policy are enforced at the time specified using this enforcement-time command. For more information on configuring a schedule policy, see schedule-policy.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]
                   {start-time <HH:MM> end-time <HH:MM>}

Parameters
  enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]
                   {start-time <HH:MM> end-time <HH:MM>}

  enforcement-time days
      Enforces this application policy only on the days specified here.
      sunday     Enforces the policy only on Sundays
      monday     Enforces the policy only on Mondays
      tuesday    Enforces the policy only on Tuesdays
      wednesday  Enforces the policy only on Wednesdays
      thursday   Enforces the policy only on Thursdays
      friday     Enforces the policy only on Fridays
      saturday   Enforces the policy only on Saturdays
      all        Enforces the policy on all days. This is the default setting.
      weekends   Enforces the policy only on weekends
      weekdays   Enforces the policy only on weekdays
      In case no enforcement time is specified, the application policy is enforced on all days (i.e., always active). If using schedule policies with the allow/deny/mark/rate-limit rules, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of all).

  start-time <HH:MM> end-time <HH:MM>
      Optional. Configures this application policy's enforcement period.
      start-time  Configures the start time. This is the time at which the application policy enforcement begins.
      end-time    Configures the end time. This is the time at which the application policy enforcement ends.
      <HH:MM>     Specify the start and end time in the HH:MM format.

Example
  nx9500-6C8809(config-app-policy-Bing)#enforcement-time days weekdays start-time 10:30 end-time 20:00
  nx9500-6C8809(config-app-policy-Bing)#show context
  application-policy Bing
   description "This application policy allows Bing search engine packets"
   enforcement-time days weekdays start-time 10:30 end-time 20:00
   allow application Bing precedence 1
   allow app-category business precedence 2
   deny app-category "social networking" precedence 3
  nx9500-6C8809(config-app-policy-Bing)#
Related Commands
  no    Removes this application policy's enforcement period

4.1.24.2.5 logging
application-policy-mode commands

Enables DPI application recognition logging. It also sets the logging level. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as Netflix, Twitter, Facebook, etc.) and extract metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  logging [level|on]
  logging on
  logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

Parameters
  logging on

  logging on
      Enables logging of application recognition hits made by the DPI engine. This option is disabled by default.

  logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

  logging level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
      Sets the logging level for application recognition hits made by the DPI engine. This option is disabled by default.
      <0-7>          Sets the message logging severity level on a scale of 0 - 7
      emergencies    Severity level 0: System is unusable
      alerts         Severity level 1: Requires immediate action
      critical       Severity level 2: Critical conditions
      errors         Severity level 3: Error conditions
      warnings       Severity level 4: Warning conditions
      notifications  Severity level 5: Normal but significant conditions (this is the default setting)
      informational  Severity level 6: Informational messages
      debugging      Severity level 7: Debugging messages

Example
  nx9500-6C8809(config-app-policy-Bing)#logging level critical
  nx9500-6C8809(config-app-policy-Bing)#show context
  application-policy Bing
   description "This application policy allows Bing search engine packets"
   enforcement-time days weekdays start-time 12:30 end-time 20:00
   allow application Bing precedence 1
   allow app-category business precedence 2
   deny app-category "social networking" precedence 3
   logging level critical
  nx9500-6C8809(config-app-policy-Bing)#
Related Commands
  no    Resets the logging level to the default (notifications). The no > logging > on command disables DPI logging.

4.1.24.2.6 mark
application-policy-mode commands

Creates a mark rule and configures the match criteria based on which packets are marked. Marks packets, matching a specified set of application categories or applications/protocols, with an 802.1p priority level or a Differentiated Services Code Point (DSCP) type of service (ToS) code. Marking packets is a means of identifying them for specific actions, and is used to provide different levels of service to different traffic types.

Supported in the following platforms:
  Access Points: AP7522, AP7532
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
       [8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

Parameters
  mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>]
       [8021p <0-7>|dscp <0-63>] schedule <SCHEDULE-POLICY-NAME> (precedence <1-256>)

  mark
      Creates a mark rule and configures the match criteria. When applied, the rule marks packets matching the criteria configured here with an 802.1p priority value or DSCP code. The match criteria options are app-category and application.

  app-category [<APP-CATEGORY-NAME>|all]
      Uses the application category as the match criteria.
      <APP-CATEGORY-NAME>  Specify the application category. The options are: antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\ networking, standard, streaming, tunnel, video, voip, and web. Each packet's app-category is matched with the value specified here. In case of a match, the system marks the packet.
      all  The system marks all packets irrespective of the application category.

  application <APPLICATION-NAME>
      Uses the application name as the match criteria.
      <APPLICATION-NAME>  Specify the application name. Each packet's application is matched with the application name specified here. In case of a match, the system marks the packet. The WiNG database provides approximately 381 canned applications. In addition to these, the database includes custom-made applications. These are application definitions created using the application command.

  8021p <0-7>
      Marks packets matching the specified criteria with an 802.1p priority value.
      <0-7>  Specify a value from 0 - 7. The IEEE 802.1p signaling standard enables marking of layer 2 network traffic. Layer 2 network devices (such as switches) using 802.1p standards group traffic into classes based on their 802.1p priority value, which is appended to the packet's MAC header. In case of traffic congestion, packets with higher priority get precedence over lower priority packets and are forwarded first.

  dscp <0-63>
      Marks packets matching the specified criteria with a DSCP ToS code.
      <0-63>  Specify a value from 0 - 63. DSCP marks layer 3 network traffic. Layer 3 network devices (such as routers) using DSCP mark each layer 3 packet with a six-bit DSCP code, which is appended to the packet's IP header. Each DSCP code is assigned a corresponding level of service, enabling packet prioritization.

  schedule <SCHEDULE-POLICY-NAME>
      Schedules an enforcement time for this mark rule by associating a schedule policy with it. Use this parameter to apply a rule-specific enforcement time.
      schedule <SCHEDULE-POLICY-NAME>  Associates a schedule policy with the rule. When associated, the rule is enforced only on the days and time configured in the schedule policy. Without the association of a schedule policy, all rules within an application policy are enforced concurrently (defined by the application-policy > enforcement-time command). If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy's enforcement time. In other words, the application policy should be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of all).
      <SCHEDULE-POLICY-NAME>  Specify the policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. In case no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.

  precedence <1-256>
      Assigns a precedence value for this mark rule. The precedence value differentiates between rules applicable to applications and the application categories to which they belong. The allow, deny, mark, and rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule. Let us consider the application youtube belonging to the app-category streaming. The action required is: allow youtube packets and deny all other applications belonging to the app-category streaming. The rules can be defined as:
          #allow application youtube precedence 1
          #deny app-category streaming precedence 2
      The following configuration is incorrect:
          #deny app-category streaming precedence 1
          #allow application youtube precedence 2
      Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule. The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category type.

Example
  nx9500-6C8809(config-app-policy-Bing)#mark app-category video dscp 9 precedence 4
  nx9500-6C8809(config-app-policy-Bing)#mark application facetime dscp 10 precedence 5
  nx9500-6C8809(config-app-policy-Bing)#show context
  application-policy Bing
   description "This application policy allows Bing search engine packets"
   enforcement-time days weekdays start-time 12:30 end-time 20:00
   allow application Bing precedence 1
   allow app-category business precedence 2
   deny app-category "social networking" precedence 3
   mark app-category video dscp 9 precedence 4
   mark application facetime dscp 10 precedence 5
   logging level critical
  nx9500-6C8809(config-app-policy-Bing)#
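What the 8021p and dscp parameters actually change in a packet is small but easy to get wrong: DSCP is the upper six bits of the IPv4 ToS byte (the low two bits are ECN and must be preserved), and any rewrite of that byte invalidates the IPv4 header checksum, while the 802.1p priority is the top three bits of a VLAN tag's TCI field. The following Python is an added example, not WiNG code, that performs both markings on a constructed 20-byte IPv4 header (documentation addresses 192.0.2.1 and 198.51.100.7, chosen for the example) and recomputes the checksum, with the same range checks the command enforces.

```python
# Added example (not WiNG code): what a mark rule does to packet headers.
import struct


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """Rewrite the 6-bit DSCP of an IPv4 packet, keep the 2 ECN bits, and fix the header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("dscp must be 0-63")
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)  # DSCP is the upper six bits of the ToS byte
    hdr[10:12] = b"\x00\x00"                # zero the checksum field before recomputing it
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2


def mark_8021p(tci: int, pcp: int) -> int:
    """Set the 3-bit 802.1p priority (PCP) in a VLAN tag's TCI, keeping DEI and the 12-bit VLAN ID."""
    if not 0 <= pcp <= 7:
        raise ValueError("8021p priority must be 0-7")
    return (pcp << 13) | (tci & 0x1FFF)


def pcp_of(tci: int) -> int:
    return tci >> 13


def sample_ipv4_packet(tos: int = 0x03) -> bytes:
    """Constructed 20-byte IPv4 header, 192.0.2.1 -> 198.51.100.7, UDP, ECN bits set, valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0x1234, 0, 64, 17, 0,
                                bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)
```

mark_dscp(sample_ipv4_packet(), 9) reproduces the "mark app-category video dscp 9" rule above on one header: the ToS byte becomes 0x27 (DSCP 9 with the original ECN bits intact), and ipv4_checksum() over the rewritten header returns 0 again, which is the check a receiver applies. mark_8021p(0x0064, 5) tags VLAN 100 with priority 5.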
Related Commands no Removes this mark rule from the application policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 72 GLOBAL CONFIGURATION COMMANDS 4.1.24.2.7 rate-limit application-policy-mode commands Creates a rate-limit rule and configures the match criteria Supported in the following platforms:
Access Points AP7522, AP7532 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-
NAME>] ([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule
<SCHEDULE-POLICY-NAME> (precedence <1-256>) Parameters rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-
NAME>] ([egress|ingress]) rate <50-1000000> max-burst-size <2-1024> schedule
<SCHEDULE-POLICY-NAME> (precedence <1-256>) rate-limit app-category
[<APP-CATEGORY-
NAME>|all]
application
<APPLICATION-
NAME>
[egress|ingress]
rate <50-1000000>
Creates a rate-limit rule and configures the match criteria. When applied, the rule applies a rate-limit to packets that match the criteria configured here. These packets could be incoming, outgoing, or both. The match criteria options are: app-category and application. Uses application category as the match criteria
<APP-CATEGORY-NAME> Specify the application category. The options are:
antivirus\ update, audio, business, conference, custom, database, file transfer, gaming, generic, im, mail, mobile, network\ management, other, p2p, remote_control, social\
networking, standard, streaming, tunnel, video, voip, and web. Each packets app-
category is matched with the value specified here. In case of a match, the system rate-
limits the packet. all The system rate-limits all packets irrespective of the application category. Uses application name as the match criteria
<APPLICATION-NAME> Specify the application name. Each packets application is matched with the application name specified here. In case of a match, the system rate-
limits the packet. The egress and ingress parameters are recursive and can be used to rate limit either incoming, outgoing, or both incoming and outgoing traffic. egress Selects the traffic type as outgoing ingress Selects the traffic type as outgoing After selecting the traffic type (incoming/outgoing) configure the rate and maximum burst size. The following parameters are common to the egress and ingress keywords:
rate Configures the rate limit, in Kbps, for both incoming and outgoing packets
<50-1000000> Specify the rate limit from 50 - 1000000 Kbps. max-burst-size The following parameters are common to the egress and ingress keywords:
max-burst-size Configures the maximum burst size, in Kbytes, for both incoming and outgoing packets
<2-1024> Specify the maximum burst size from 2 - 1024 Kbytes. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 73 GLOBAL CONFIGURATION COMMANDS schedule
<SCHEDULE-
POLICY-NAME>
schedule <SCHEDULE-POLICY-NAME>
    Schedules an enforcement time for this rate-limit rule by associating a schedule policy with it. Use this parameter to apply a rule-specific enforcement time.
    When associated, the rule is enforced only on the days and times configured in the schedule policy. Without a schedule policy, all rules within an application policy are enforced concurrently (as defined by the application-policy > enforcement-time command).
    If scheduling a rule, ensure that the time configured in the schedule policy is a subset of the application policy's enforcement time. In other words, the application policy must be active when the rule is being enforced. For example, if the application policy is enforced on Mondays from 10:00 to 22:00 hours and the schedule policy time-rule is set for Fridays, then this rule will never be hit. When enforcing rules at different times, the best practice is to keep the application policy active at all times (i.e., retain the default enforcement-time setting of all).
    <SCHEDULE-POLICY-NAME>    Specify the schedule policy name (should be existing and configured). After applying a schedule policy, specify a precedence for the rule. If no schedule policy is applied, the rule is enforced as per the enforcement-time configured in the application policy. For more information, see enforcement-time.
precedence <1-256>
    Assigns a precedence value for this rule. The precedence value differentiates between rules applicable to applications and the application categories they belong to.
    The allow, deny, mark and rate-limit options are mutually exclusive. In other words, in an application policy, for a specific application or application category, you can create either an allow rule, or a deny rule, or a mark and rate-limit rule.
    Consider the application youtube, belonging to app-category streaming. The action required is: allow youtube packets and deny all other applications belonging to app-category streaming. The rules can be defined as:
        #allow application youtube precedence 1
        #deny app-category streaming precedence 2
    The following configuration is incorrect:
        #deny app-category streaming precedence 1
        #allow application youtube precedence 2
    Once the deny app-category streaming precedence 1 rule is hit, all streaming packets, including youtube, are dropped. Consequently, there are no packets left to apply the subsequent allow rule to.
    The mark and rate-limit rules are the only two actions that can be combined for a specific application or application category.
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 74 GLOBAL CONFIGURATION COMMANDS
Example
    nx9500-6C8809(config-app-policy-Bing)#rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
    nx9500-6C8809(config-app-policy-Bing)#show context
    application-policy Bing
     description "This application policy allows Bing search engine packets"
     enforcement-time days weekdays start-time 12:30 end-time 20:00
     allow application Bing precedence 1
     allow app-category business precedence 2
     deny app-category "social networking" precedence 3
     mark app-category video dscp 9 precedence 4
     mark application facetime dscp 10 precedence 5
     rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
     logging level critical
    nx9500-6C8809(config-app-policy-Bing)#
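The precedence and mutual-exclusion rules described above are easy to get wrong in a long policy, so the following Python model, an added example that is not code from this CLI reference or from the WiNG software, walks a rule set in precedence order and flags the two misconfigurations the text warns about: an allow rule that is shadowed by an earlier category deny, and a schedule policy whose window falls outside the application policy's enforcement-time. The names AppPolicy, Rule, Window, evaluate, shadowed and schedule_warnings are the example's own, the application-to-category catalog is constructed, and the assumption that mark and rate-limit hits do not end the walk while the first allow or deny hit is final is the example's reading of the text, not a documented product behaviour.

```python
"""Model of WiNG application-policy rule evaluation (added example, not the
product's code). Rules are walked in precedence order; the first allow or
deny hit is final, while mark and rate-limit hits accumulate (assumption).
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# Day keywords as the enforcement-time command spells them.
ALL_DAYS = ("monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday")
DAY_GROUPS = {"all": set(ALL_DAYS), "weekdays": set(ALL_DAYS[:5]), "weekends": set(ALL_DAYS[5:])}


def expand_days(keyword: str) -> set[str]:
    """Map a days keyword (monday, weekdays, all, ...) to a set of day names."""
    return set(DAY_GROUPS.get(keyword, {keyword}))


def minutes(hhmm: str) -> int:
    """'12:30' -> 750 minutes past midnight."""
    hours, mins = hhmm.split(":")
    return int(hours) * 60 + int(mins)


@dataclass(frozen=True)
class Window:
    """Enforcement window: days keyword plus start/end time (HH:MM)."""
    days: str = "all"
    start: str = "00:00"
    end: str = "23:59"

    def contains(self, other: Window) -> bool:
        """True if `other` is a subset of this window, in days and in time of day."""
        return (expand_days(other.days) <= expand_days(self.days)
                and minutes(self.start) <= minutes(other.start)
                and minutes(other.end) <= minutes(self.end))


@dataclass(frozen=True)
class Rule:
    action: str                         # allow | deny | mark | rate-limit
    match: str                          # application | app-category
    name: str                           # application or category name
    precedence: int                     # 1-256, lower is evaluated first
    schedule: Optional[Window] = None   # schedule policy attached to the rule, if any


@dataclass
class AppPolicy:
    enforcement: Window
    rules: list[Rule] = field(default_factory=list)

    def ordered(self) -> list[Rule]:
        return sorted(self.rules, key=lambda r: r.precedence)

    def schedule_warnings(self) -> list[str]:
        """Rules whose schedule lies outside the policy's enforcement-time can never hit."""
        return [f"precedence {r.precedence}: schedule outside enforcement-time"
                for r in self.ordered()
                if r.schedule is not None and not self.enforcement.contains(r.schedule)]

    def evaluate(self, application: str, category: str) -> dict:
        """Walk the rules for one flow identified by application and app-category."""
        result = {"verdict": None, "decided_by": None, "actions": [], "hit": []}
        for r in self.ordered():
            if not ((r.match == "application" and r.name == application)
                    or (r.match == "app-category" and r.name == category)):
                continue
            result["hit"].append(r.precedence)
            if r.action in ("allow", "deny"):
                result["verdict"], result["decided_by"] = r.action, r.precedence
                break                                # allow/deny is final for this flow
            result["actions"].append(r.action)       # mark / rate-limit: keep walking
        return result

    def shadowed(self, catalog: dict[str, str]) -> list[Rule]:
        """Allow/deny rules that no flow in `catalog` (application -> category) can reach,
        because an earlier allow/deny already decides every flow they would match."""
        out = []
        for r in self.ordered():
            if r.action not in ("allow", "deny"):
                continue
            flows = [(app, cat) for app, cat in catalog.items()
                     if (r.match == "application" and app == r.name)
                     or (r.match == "app-category" and cat == r.name)]
            if flows and all(self.evaluate(app, cat)["decided_by"] != r.precedence
                             for app, cat in flows):
                out.append(r)
        return out


if __name__ == "__main__":
    # Constructed catalog; the misordered policy is the one the guide calls incorrect.
    catalog = {"youtube": "streaming", "netflix": "streaming"}
    wrong = AppPolicy(Window(), [Rule("deny", "app-category", "streaming", 1),
                                 Rule("allow", "application", "youtube", 2)])
    print(wrong.evaluate("youtube", "streaming"))           # verdict: deny, decided_by: 1
    print([r.precedence for r in wrong.shadowed(catalog)])  # [2]
```

Running the module prints the youtube flow being decided by the precedence-1 deny and reports the precedence-2 allow as unreachable; swapping the two precedence values makes `shadowed` return an empty list. The schedule check is the same subset test the text asks you to perform by hand: a Friday schedule on a policy enforced only on Mondays is reported, a Monday 12:00 to 14:00 window inside a Monday 10:00 to 22:00 enforcement-time is not.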
Related Commands
    no    Removes this rate-limit rule from the application policy

4.1.24.2.8 no
application-policy-mode commands
Removes or resets this application policy's settings
Supported in the following platforms:
    Access Points: AP7522, AP7532
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    no [allow|deny|description|enforcement-time|logging|mark|rate-limit]
    no allow [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <1-256>
    no deny [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <1-256>
    no description
    no enforcement-time days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]
    no logging [level|on]
    no mark [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <1-256>
    no rate-limit [app-category [<APP-CATEGORY-NAME>|all]|application <APPLICATION-NAME>] precedence <0-256>
Parameters
    no <PARAMETERS>
    no <PARAMETERS>    Removes or resets this application policy's settings based on the parameters passed
Example
The following example shows the application policy Bing settings before the no commands are executed:
    nx9500-6C8809(config-app-policy-Bing)#show context
    application-policy Bing
     description "This application policy allows Bing search engine packets"
     enforcement-time days weekdays start-time 12:30 end-time 20:00
     allow application Bing precedence 1
     allow app-category business precedence 2
     deny app-category "social networking" precedence 3
     mark app-category video dscp 9 precedence 4
     mark application facetime dscp 10 precedence 5
     rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
     logging level critical
    nx9500-6C8809(config-app-policy-Bing)#
    nx9500-6C8809(config-app-policy-Bing)#no allow app-category business precedence 2
    nx9500-6C8809(config-app-policy-Bing)#no deny app-category social\ networking precedence 3
The following example shows the application policy Bing settings after the no commands are executed:
    nx9500-6C8809(config-app-policy-Bing)#show context
    application-policy Bing
     description "This application policy allows Bing search engine packets"
     enforcement-time days weekdays start-time 12:30 end-time 20:00
     allow application Bing precedence 1
     mark app-category video dscp 9 precedence 4
     mark application facetime dscp 10 precedence 5
     rate-limit application BGP ingress rate 100 max-burst-size 25 egress rate 50 max-burst-size 25 precedence 6
     logging level critical
    nx9500-6C8809(config-app-policy-Bing)#
4.1.25 association-acl-policy
Global Configuration Commands
Configures an association ACL policy. This policy defines a list of devices allowed or denied access to the network.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>
Parameters
    association-acl-policy <ASSOCIATION-ACL-POLICY-NAME>
    <ASSOCIATION-ACL-POLICY-NAME>    Specify the association ACL policy name. If the policy does not exist, it is created.
Example
    rfs6000-81742D(config)#association-acl-policy test
    rfs6000-81742D(config-assoc-acl-test)#?
    Association ACL Mode commands:
      deny     Specify MAC addresses to be denied
      no       Negate a command or set its defaults
      permit   Specify MAC addresses to be permitted
      clrscr   Clears the display screen
      commit   Commit all changes made in this session
      do       Run commands from Exec mode
      end      End current mode and change to EXEC mode
      exit     End current mode and down to previous mode
      help     Description of the interactive help system
      revert   Revert changes
      service  Service Commands
      show     Show running system information
      write    Write running configuration to memory or terminal
    rfs6000-81742D(config-assoc-acl-test)#
Related Commands
    no    Resets values or disables commands
NOTE: For more information on the association-acl-policy, see Chapter 10, ASSOCIATION-ACL-POLICY.

4.1.26 auto-provisioning-policy
Global Configuration Commands
Configures an auto provisioning policy. This policy configures the automatic provisioning of device adoption. The policy configures how an AP is adopted based on its type.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>
Parameters
    auto-provisioning-policy <AUTO-PROVISIONING-POLICY-NAME>
    <AUTO-PROVISIONING-POLICY-NAME>    Specify the auto provisioning policy name. If the policy does not exist, it is created.
Example
    rfs6000-81742D(config)#auto-provisioning-policy test
    rfs6000-81742D(config-auto-provisioning-policy-test)#?
    Auto-Provisioning Policy Mode commands:
      adopt                     Add rule for device adoption
      auto-create-rfd-template  When RF Domain specified by the matching rule template does not exist create new RF Domain automatically
      default-adoption          Adopt devices even when no matching rules are found. Assign default profile and default rf-domain
      deny                      Add rule to deny device adoption
      evaluate-always           Set the flag to evaluate the policy everytime, regardless of previous adoption status
      no                        Negate a command or set its defaults
      redirect                  Add rule to redirect device adoption
      upgrade                   Add rule for device upgrade
      clrscr                    Clears the display screen
      commit                    Commit all changes made in this session
      do                        Run commands from Exec mode
      end                       End current mode and change to EXEC mode
      exit                      End current mode and down to previous mode
      help                      Description of the interactive help system
      revert                    Revert changes
      service                   Service Commands
      show                      Show running system information
      write                     Write running configuration to memory or terminal
    rfs6000-81742D(config-auto-provisioning-policy-test)#
Related Commands
    no    Removes an existing Auto Provisioning policy
NOTE: For more information on the auto-provisioning-policy, see Chapter 9, AUTO-PROVISIONING-POLICY.

4.1.27 bgp
Global Configuration Commands
Configures Border Gateway Protocol (BGP) settings.
BGP is an inter-ISP routing protocol which establishes routing between Internet Service Providers (ISPs). ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators.
The primary role of a BGP system is to exchange network reachability information with other BGP peers. This information includes the ASs that the reachability information traverses, which is sufficient to build a graph of AS connectivity from which routing decisions can be made and rules enforced.
An AS is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. An AS uses inter-AS routing to route packets to other ASs. To an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of the destinations reachable through it.
Routing information exchanged through BGP supports only destination-based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet).
BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgment, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed).
Supported in the following platforms:
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list] <LIST-NAME>
Parameters
    bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-list] <LIST-NAME>
    as-path-list <LIST-NAME>       Creates an AS path list and enters its configuration mode. <LIST-NAME> Provide the AS-PATH-LIST name.
    community-list <LIST-NAME>     Creates a community list and enters its configuration mode. <LIST-NAME> Provide the COMMUNITY-LIST name.
    extcommunity-list <LIST-NAME>  Creates an extended community list and enters its configuration mode. <LIST-NAME> Provide the EXTCOMMUNITY-LIST name.
    ip-access-list <LIST-NAME>     Creates a BGP IP access list and enters its configuration mode. <LIST-NAME> Provide the BGP IP-ACCESS-LIST name.
    ip-prefix-list <LIST-NAME>     Creates a BGP IP prefix list and enters its configuration mode. <LIST-NAME> Provide the BGP IP-PREFIX-LIST name.
Example
    nx9500-6C8809(config)#bgp ?
      as-path-list       BGP AS path list Configuration
      community-list     Add a community list entry
      extcommunity-list  Add a extended community list entry (EXPERIMENTAL)
      ip-access-list     Add an access list entry
      ip-prefix-list     Build a prefix list
    nx9500-6C8809(config)#
    nx9500-6C8809(config)#bgp as-path-list AS-TEST-PATH
    nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#?
    BGP AS Path List Mode commands:
      deny     Specify packets to reject
      no       Negate a command or set its defaults
      permit   Specify packets to forward
      clrscr   Clears the display screen
      commit   Commit all changes made in this session
      do       Run commands from Exec mode
      end      End current mode and change to EXEC mode
      exit     End current mode and down to previous mode
      help     Description of the interactive help system
      revert   Revert changes
      service  Service Commands
      show     Show running system information
      write    Write running configuration to memory or terminal
    nx9500-6C8809(config-bgp-as-path-list-AS-TEST-PATH)#
Related Commands
    no    Modifies BGP settings, based on the parameters passed
NOTE: For more information on configuring BGP Top-Level Objects (TLOs), see Chapter 28, BORDER GATEWAY PROTOCOL.

4.1.28 bonjour-gateway-discovery-policy
Global Configuration Commands
The following table lists the commands that allow you to create a Bonjour Gateway Discovery Policy:
Table 4.8 Bonjour-Gateway-Discovery Config Commands
    Command                                         Description                                                                   Reference
    bonjour-gw-discovery-policy                     Creates a Bonjour Gateway Discovery policy and enters its configuration mode  page 4-84
    bonjour-gateway-discovery-policy-mode commands  Summarizes Bonjour Gateway Discovery policy configuration mode commands       page 4-86

4.1.28.1 bonjour-gw-discovery-policy
bonjour-gateway-discovery-policy
Bonjour is Apple's zero-configuration networking (Zeroconf) implementation. Bonjour enables automatic IP address assignment, name-to-address resolution, and service discovery without having to configure a DHCP server, DNS server, or directory server. When configured and applied on a WLAN, the Bonjour Gateway Discovery policy queries for and locates Bonjour devices (printers, computers, file-sharing servers, etc.) and the services these computers provide over a local network.
Bonjour works only within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.
Use this command to configure a Bonjour GW Discovery policy. The policy defines a list of services clients can discover across subnets. A maximum of 8 (eight) policies can be created on access points, wireless controllers, or service platforms. When configured and applied, this feature enables discovery of Bonjour services on local and/or tunneled VLANs.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    bonjour-gw-discovery-policy <POLICY-NAME>
Parameters
    bonjour-gw-discovery-policy <POLICY-NAME>
    <POLICY-NAME>    Specify the Bonjour GW Discovery policy name. If the policy does not exist, it is created.
In the Bonjour GW Discovery policy configuration mode, use the allow-service keyword to configure the services that the Bonjour gateway is allowed to discover. A maximum of 16 (sixteen) service rules can be created. Optionally, you can restrict this facility to users on specific VLANs. To do so, specify the VLAN IDs.
Execute the bonjour-gw-forwarding-policy command to enable forwarding of Bonjour service responses across VLANs.
To associate a Bonjour GW Discovery policy with a WLAN, in the WLAN configuration mode, execute the following command: use > bonjour-gw-discovery-policy > <POLICY-NAME>. For more information, see use.
To associate a Bonjour GW Discovery policy with a VLAN, in the interface VLAN configuration mode, execute the following command: use > bonjour-gw-discovery-policy > <POLICY-NAME>. For more information, see use.
To associate a Bonjour GW Discovery policy with a user role, in the role-policy > user-role configuration mode, execute the following command: use > bonjour-gw-discovery-policy > <POLICY-NAME>. For more information, see use.
Example
    rfs6000-81742D(config)#bonjour-gw-discovery-policy TestPolicy
    rfs6000-81742D(config-bonjour-gw-discovery-policy-TestPolicy)#?
    commands:
      allow-service  Allow Bonjour Service on local or tunneled vlan,Optionally VLAN IDs can be given so service will be discovered for those vlan only
      no             Negate a command or set its defaults
      clrscr         Clears the display screen
      commit         Commit all changes made in this session
      do             Run commands from Exec mode
      end            End current mode and change to EXEC mode
      exit           End current mode and down to previous mode
      help           Description of the interactive help system
      revert         Revert changes
      service        Service Commands
      show           Show running system information
      write          Write running configuration to memory or terminal
    rfs6000-81742D(config-bonjour-gw-discovery-policy-TestPolicy)#
Related Commands
    no    Removes an existing Bonjour GW Discovery policy

4.1.28.2 bonjour-gateway-discovery-policy-mode commands
bonjour-gateway-discovery-policy
The following table summarizes the Bonjour Gateway Discovery Policy configuration mode commands:
Table 4.9 Bonjour-Gateway-Discovery-Policy-Mode Commands
    Command        Description                                                                                                                              Reference
    allow-service  Configures the Bonjour services that can be discovered on local or tunneled VLANs. It configures the local VLANs on which these services can be found.  page 4-87
    no             Removes or modifies the Bonjour Gateway Discovery policy settings                                                                        page 4-89

4.1.28.2.1 allow-service
bonjour-gateway-discovery-policy-mode commands
Enables discovery of Bonjour devices and the services they provide on local or tunneled VLANs
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    allow-service <BONJOUR-SERVICE-NAME> [local|tunneled]
    allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>} ({service-vlans <WORD>})
    allow-service <BONJOUR-SERVICE-NAME> tunneled {instance-name contains <WORD>}
Parameters
    allow-service <BONJOUR-SERVICE-NAME> local {instance-name contains <WORD>} ({service-vlans <WORD>})
    allow-service <BONJOUR-SERVICE-NAME>
        Configures the services that can be discovered by the Bonjour gateway, and the VLANs on which the selected services can be discovered.
        <BONJOUR-SERVICE-NAME>    You can either select the Bonjour service from a set of system-provided, pre-defined Apple services, or use an existing alias to define a service not available in the predefined list. The predefined Apple services available are: Afp, AirPlay, AirPort, AirPrint, AirTunes, AppleTimeMachine, Chromecast, Daap, HomeSharing, Printer, and Scanner. Use the <WORD> keyword to define a service not included in the system-provided, pre-defined list. Ensure this device is registered with the Multicast DNS Responder (mDNSResponder).
    local
        Select to enable the discovery of the selected Bonjour services on the local VLAN.
    instance-name contains <WORD>
        Optional. Specifies the selected Bonjour service's instance name. When specified, the Bonjour service discovery queries contain the instance name of the service to be discovered. This option is especially useful in large, distributed enterprise networks. Use it to create different instances of a Bonjour service for the different organizations or departments (VLANs) within your network. Creating instances allows you to advertise specific service instances for a specific set of VLANs, instead of advertising top-level Bonjour services to all allocated VLANs.
        contains <WORD>    Specify the instance name. You can either directly specify the string value to be used as the match criterion, or use a string alias (for example, $BONJOUR-STRING) to identify the string to match. If using a string alias, ensure that it exists and is configured. For information on configuring a string alias, see alias.
    service-vlans <WORD>
        Optional. Configures a VLAN or a list of VLANs on which the selected service is discoverable. When specified, Bonjour discovery queries are delivered to all clients on the specified VLANs. Applicable only if enabling Bonjour service discovery on local VLANs.

    allow-service <BONJOUR-SERVICE-NAME> tunneled {instance-name contains <WORD>}
    allow-service <BONJOUR-SERVICE-NAME>
        Configures the services that can be discovered by the Bonjour gateway, and the VLANs on which the selected services can be discovered.
        <BONJOUR-SERVICE-NAME>    You can either select the Bonjour service from a set of system-provided, pre-defined Apple services, or use an existing alias to define a service not available in the predefined list. The predefined Apple services available are: Afp, AirPlay, AirPort, AirPrint, AirTunes, AppleTimeMachine, Chromecast, Daap, HomeSharing, Printer, and Scanner. Use the <WORD> keyword to define a service not included in the system-provided, pre-defined list.
    tunneled
        Select to enable the discovery of the selected Bonjour services on tunneled VLANs.
    instance-name contains <WORD>
        Optional. Adds a Bonjour service instance name. If you have a large enterprise network, use this option to create different Bonjour service instances for the different organizations or departments (VLANs) within your network. Creating instances allows you to advertise specific service instances for a specific set of VLANs, instead of advertising top-level Bonjour services to all allocated VLANs.
        contains <WORD>    Specify the sub-string to match. You can either directly specify the string value to be used as the match criterion, or use a string alias (for example, $BONJOUR-STRING) to identify the string to match. If using a string alias, ensure that it exists and is configured. For information on configuring aliases, see alias.
Example
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Afp local
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#allow-service Printer local instance-name contains $Bonjour_Service service-vlans 1,2
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
    bonjour-gw-discovery-policy test
     allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
     allow-service Afp local
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
The following example configures the string alias named $Bonjour_Service:
    nx9500-6C8809(config)#alias string $Bonjour_Service admin
    nx9500-6C8809(config)#commit
    nx9500-6C8809(config)#show context include-factory | include alias string
    alias string $Bonjour_Service admin
    nx9500-6C8809(config)#
Related Commands
    no    Removes or modifies this Bonjour Gateway Discovery policy's settings

4.1.28.2.2 no
bonjour-gateway-discovery-policy-mode commands
Removes or modifies the Bonjour Gateway Discovery policy settings
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}
Parameters
    no allow-service <BONJOUR-SERVICE-NAME> [local|tunneled] {service-vlans <WORD>}
    no <parameters>    Removes allow-service rules in the selected Bonjour GW Discovery policy, based on the parameters passed
Example
The following example shows the Bonjour GW Discovery policy test settings before the no command is executed:
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
    bonjour-gw-discovery-policy test
     allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
     allow-service Afp local
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test1)#no allow-service Afp local
The following example shows the Bonjour GW Discovery policy test settings after the no command was executed:
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#show context
    bonjour-gw-discovery-policy test
     allow-service Printer local service-vlans 1-2 instance-name contains $Bonjour_Service
    nx9500-6C8809(config-bonjour-gw-discovery-policy-test)#
4.1.29 bonjour-gw-forwarding-policy
Global Configuration Commands
Configures a Bonjour GW Forwarding policy. When configured and applied on the controller, the policy defines the service VLANs (the VLANs on which Bonjour services are running) and the client VLANs where clients are present. All Bonjour responses from service VLANs are forwarded to client VLANs. A maximum of 2 (two) policies can be created on a wireless controller or service platform, and only 1 (one) policy can be created on an access point.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    bonjour-gw-forwarding-policy <POLICY-NAME>
Parameters
    bonjour-gw-forwarding-policy <POLICY-NAME>
    <POLICY-NAME>    Specify the Bonjour GW Forwarding policy name. If the policy does not exist, it is created.
To receive Bonjour service responses from specific VLANs, specify the VLAN IDs. In the Bonjour GW Forwarding policy configuration mode, provide the list of VLAN IDs from which Bonjour responses can be received (format: 10-20, 25, 30-35), and then specify the list of client VLANs that can access Bonjour services.
Execute the bonjour-gw-discovery-policy command to define the Bonjour services allowed on local and tunneled VLANs.
To associate a Bonjour GW Forwarding policy with a device or profile, in the profile/device configuration mode, execute the use > bonjour-gw-forwarding-policy > <POLICY-NAME> command. For more information, see use.
Example
    rfs6000-81742D(config)#bonjour-gw-forwarding-policy TestPolicy
    rfs6000-81742D(config-bonjour-gw-forwarding-policy-TestPolicy)#?
    commands:
      forward-bonjour-response  Forwards bonjour service response across vlans
      no                        Negate a command or set its defaults
      clrscr                    Clears the display screen
      commit                    Commit all changes made in this session
      do                        Run commands from Exec mode
      end                       End current mode and change to EXEC mode
      exit                      End current mode and down to previous mode
      help                      Description of the interactive help system
      revert                    Revert changes
      service                   Service Commands
      show                      Show running system information
      write                     Write running configuration to memory or terminal
    rfs6000-81742D(config-bonjour-gw-forwarding-policy-TestPolicy)#
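The allow-service rules of a Bonjour GW Discovery policy (4.1.28.2.1) and the VLAN-list format the Bonjour GW Forwarding policy accepts (10-20, 25, 30-35) both lend themselves to a check before a configuration is committed. The following Python linter is an added example, not code from this CLI reference or from the WiNG software: it parses allow-service lines in the syntax shown under 4.1.28.2.1, applies the limits the guide states (16 service rules per policy, a predefined Apple service name or a configured alias, service-vlans only with local discovery) and expands VLAN lists into sets of IDs. The function names, the constructed SAMPLE_POLICY and the 1 to 4094 VLAN bound are the example's own assumptions.

```python
"""Lint Bonjour GW Discovery allow-service rules and parse VLAN lists.
Added example, not code from the CLI reference or the WiNG software."""
from __future__ import annotations

import re

# Predefined Apple services the allow-service command accepts (from the guide).
PREDEFINED_SERVICES = {"Afp", "AirPlay", "AirPort", "AirPrint", "AirTunes", "AppleTimeMachine",
                       "Chromecast", "Daap", "HomeSharing", "Printer", "Scanner"}
MAX_SERVICE_RULES = 16            # per discovery policy (from the guide)
VLAN_MIN, VLAN_MAX = 1, 4094      # assumption: ordinary 802.1Q VLAN ID range


def parse_vlan_list(text: str) -> set[int]:
    """Expand a list in the guide's format, e.g. '10-20, 25, 30-35', to a set of VLAN IDs."""
    vlans: set[int] = set()
    for part in re.split(r"\s*,\s*", text.strip()):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part)
        if not m:
            raise ValueError(f"bad VLAN entry {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN range out of order or out of bounds: {part!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_allow_service(line: str) -> dict:
    """Parse 'allow-service <NAME> local|tunneled {service-vlans <LIST>} {instance-name contains <WORD>}'."""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "allow-service" or tok[2] not in ("local", "tunneled"):
        raise ValueError(f"not an allow-service rule: {line!r}")
    rule = {"service": tok[1], "scope": tok[2], "vlans": None, "instance": None}
    i = 3
    while i < len(tok):
        if tok[i] == "service-vlans" and i + 1 < len(tok):
            rule["vlans"] = tok[i + 1]
            i += 2
        elif tok[i] == "instance-name" and i + 2 < len(tok) and tok[i + 1] == "contains":
            rule["instance"] = tok[i + 2]
            i += 3
        else:
            raise ValueError(f"unexpected token {tok[i]!r} in {line!r}")
    return rule


def lint_policy(lines: list[str], known_aliases: set[str]) -> list[str]:
    """Return findings for one discovery policy body, one allow-service rule per line."""
    rules = [parse_allow_service(l) for l in lines if l.strip()]
    findings = []
    if len(rules) > MAX_SERVICE_RULES:
        findings.append(f"{len(rules)} service rules exceed the limit of {MAX_SERVICE_RULES}")
    for r in rules:
        svc = r["service"]
        # A service name must be predefined or a configured $alias.
        if svc not in PREDEFINED_SERVICES and not (svc.startswith("$") and svc in known_aliases):
            findings.append(f"{svc}: not a predefined Apple service and no alias configured")
        if r["vlans"] is not None:
            if r["scope"] != "local":   # service-vlans is documented for local discovery only
                findings.append(f"{svc}: service-vlans applies only to local discovery")
            try:
                parse_vlan_list(r["vlans"])
            except ValueError as exc:
                findings.append(f"{svc}: {exc}")
        inst = r["instance"]
        if inst and inst.startswith("$") and inst not in known_aliases:
            findings.append(f"{svc}: string alias {inst} is not configured")
    return findings


# Constructed sample policy body; the last two rules are deliberately wrong.
SAMPLE_POLICY = [
    "allow-service Afp local",
    "allow-service Printer local service-vlans 1,2 instance-name contains $Bonjour_Service",
    "allow-service AirPlay tunneled service-vlans 10-20",
    "allow-service $Custom local service-vlans 40-30",
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY, known_aliases={"$Bonjour_Service"}):
        print(finding)
```

Run against SAMPLE_POLICY with $Bonjour_Service configured, the linter reports the tunneled AirPlay rule carrying service-vlans, the unknown $Custom service and its reversed VLAN range, and accepts the two rules that mirror the guide's own example; parse_vlan_list is reusable for the forwarding policy's from-VLAN and client-VLAN lists.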
Related Commands
    no    Removes an existing Bonjour GW Forwarding policy

4.1.30 bonjour-gw-query-forwarding-policy
Global Configuration Commands
Configures a Bonjour GW Query Forwarding policy and enters its configuration mode. When created and applied, this policy enables forwarding of Bonjour queries across VLANs.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
    bonjour-gw-query-forwarding-policy <POLICY-NAME>
Parameters
    bonjour-gw-query-forwarding-policy <POLICY-NAME>
    <POLICY-NAME>    Specify the Bonjour GW Query Forwarding policy name. If the policy does not exist, it is created.
In the Bonjour GW Query Forwarding policy configuration mode, specify the from and to VLAN(s). The from-vlans option configures the VLAN(s) that are the source of the Bonjour queries. The to-vlans option configures the destination VLAN(s) that can access the Bonjour queries.
To associate a Bonjour GW Query Forwarding policy with a device or profile, in the profile/device configuration mode, execute the use > bonjour-gw-query-forwarding-policy > <POLICY-NAME> command. For more information, see use.
Example
    rfs6000-81742D(config)#bonjour-gw-query-forwarding-policy TestPolicy
    rfs6000-81742D(config-bonjour-gw-query-forwarding-policy-test)#?
    (config-bonjour-gw-query-forwarding-policy) commands:
      forward-bonjour-query  Forwards bonjour query across vlans
      no                     Negate a command or set its defaults
      clrscr                 Clears the display screen
      commit                 Commit all changes made in this session
      do                     Run commands from Exec mode
      end                    End current mode and change to EXEC mode
      exit                   End current mode and down to previous mode
      help                   Description of the interactive help system
      revert                 Revert changes
      service                Service Commands
      show                   Show running system information
      write                  Write running configuration to memory or terminal
    rfs6000-81742D(config-bonjour-gw-query-forwarding-policy-test)#
Related Commands no Removes an existing Bonjour GW Query Forwarding policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 92 GLOBAL CONFIGURATION COMMANDS 4.1.31 captive portal Global Configuration Commands The following table lists the commands that enable you to create a new captive portal policy and enter its configuration mode:
Table 4.10 Captive-Portal Config Commands Description Creates a new captive portal and enters its configuration mode Summarizes captive portal configuration commands Reference page 4-94 page 4-96 Command captive-portal captive-portal-
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 93 GLOBAL CONFIGURATION COMMANDS

4.1.31.1 captive-portal

Configures a captive portal policy and enters its configuration mode. Once created and configured, use the captive portal policy in the WLAN context, and in the device/profile contexts of the access point or controller hosting the captive portal server.

A captive portal provides secure access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to access the wireless network. Once logged into the captive portal, additional Acknowledgment, Agreement, Welcome, No Service, and Fail pages give the administrator options to customize the screen flow and user appearance.

Captive portals are recommended for providing guests or visitors authenticated access to network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption.

Authentication for captive portal access requests is performed using a username and password pair, authenticated by an integrated RADIUS server. Authentication for private network access is conducted either locally on the requesting wireless client, or centrally at a data center.

Captive portals use a Web provisioning tool to create guest user accounts directly on the controller, service platform, or access point. The connection medium defined for the Web connection is either HTTP or HTTPS. Both HTTP and HTTPS use a request and response procedure to disseminate information to and from requesting wireless clients.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal <CAPTIVE-PORTAL-NAME>

Parameters
captive-portal <CAPTIVE-PORTAL-NAME>
  <CAPTIVE-PORTAL-NAME>  Specify the captive portal name. If a captive portal with the specified name does not exist, it is created.

Example
rfs6000-81742D(config)#captive-portal test
rfs6000-81742D(config-captive-portal-test)#?
Captive Portal Mode commands:
  access-time                  Allowed access time for the client. Used when there is no session time in radius response
  access-type                  Access type of this captive portal
  accounting                   Configure how accounting records are created for this captive portal policy
  bypass                       Bypass captive portal
  connection-mode              Connection mode for this captive portal
  custom-auth                  Custom user information
  data-limit                   Enforce data limit for clients
  inactivity-timeout           Inactivity timeout in seconds. If a frame is not received from client for this amount of time, then current session will be removed
  ipv6                         Internet Protocol version 6 (IPv6)
  localization                 Configure the FQDN address to get the localization parameters for the client
  logout-fqdn                  Configure the FQDN address to logout the session from client
  no                           Negate a command or set its defaults
  oauth                        OAuth 2.0 authentication configuration
  php-helper                   Configure the captive portal to use a server for help with php
  post-authentication-vlan     Configure post authentication vlan for captive portal users
  radius-vlan-assignment       Enable radius vlan assignment for captive portal users
  redirection                  Configure connection redirection parameters
  report-loyalty-application   Report customer loyalty application presence in clients
  server                       Configure captive portal server parameters
  simultaneous-users           Particular username can only be used by a certain number of MAC addresses at a time
  terms-agreement              User needs to agree for terms and conditions
  use                          Set setting to use
  webpage                      Configure captive portal webpage parameters
  webpage-auto-upload          Enable automatic upload of internal and advanced webpages
  webpage-location             The location of the webpages to be used for authentication. These pages can either be hosted on the system or on an external web server.
  welcome-back                 Welcome back page settings

  clrscr                       Clears the display screen
  commit                       Commit all changes made in this session
  do                           Run commands from Exec mode
  end                          End current mode and change to EXEC mode
  exit                         End current mode and down to previous mode
  help                         Description of the interactive help system
  revert                       Revert changes
  service                      Service Commands
  show                         Show running system information
  write                        Write running configuration to memory or terminal

rfs6000-81742D(config-captive-portal-test)#
Related Commands
no  Removes an existing captive portal

4.1.31.2 captive-portal-mode commands

The following table summarizes captive portal configuration mode commands:

Table 4.11 Captive-Portal-Mode Commands

Command  Description  Reference
access-time  Defines a client's access time. It is used when no session time is defined in the RADIUS response.  page 4-98
access-type  Configures a captive portal's access type  page 4-99
accounting  Enables a captive portal's accounting records  page 4-100
bypass  Enables bypassing of captive portal detection requests from wireless clients  page 4-102
connection-mode  Configures a captive portal's connection mode  page 4-103
custom-auth  Configures custom user information  page 4-104
data-limit  Enforces data limit on captive portal clients  page 4-105
inactivity-timeout  Defines an inactivity timeout in seconds  page 4-106
ipv6  Configures the IPv6 address of the internal captive portal server  page 4-107
localization  Configures an FQDN address string that enables the client to receive localization parameters. This command also allows the configuration of a response message.  page 4-108
logout-fqdn  Clears the logout FQDN address  page 4-110
no  Reverts the selected captive portal's settings to default  page 4-111
oauth  Enables OAuth-based authentication support on the captive portal. When enabled, OAuth allows captive-portal users to sign in to guest WLANs using their Facebook or Google credentials.  page 4-113
php-helper  Configures a PHP helper to serve the captive portal's PHP splash pages to guest users using social media to log in to the captive portal.  page 4-115
post-authentication-vlan  Assigns a post authentication RADIUS VLAN for this captive portal's users  page 4-117
radius-vlan-assignment  Assigns a RADIUS VLAN for this captive portal  page 4-118
redirection  Enables redirection of client connections to specified destination ports  page 4-119
report-loyalty-application  Enables detection of captive portal clients' loyalty application presence and stores this information in the captive portal's user database  page 4-120
server  Configures the captive portal server settings  page 4-121
simultaneous-users  Specifies a username used by a MAC address pool  page 4-123
terms-agreement  Enforces the user to agree to terms and conditions (included in login page) for captive portal access  page 4-124
use  Associates an AAA policy and a DNS whitelist with a captive portal  page 4-125
webpage  Configures captive portal Web page settings  page 4-127
webpage-auto-upload  Enables automatic upload of advanced Web pages on a captive portal  page 4-135
webpage-location  Specifies the location of Web pages used for captive portal authentication  page 4-136
welcome-back  Enables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins  page 4-137
configuring device registration with dynamic VLAN assignment  Documents configuration details required to enable device registration with dynamic VLAN assignment in a multi-vendor environment  page 4-139
configuring WeChat Wi-Fi hotspot support in WiNG captive portal  Documents configuration details required to support the WeChat WiFi hotspot, so that WeChat users, on their first connect to a WiNG access point, can automatically authenticate with the WeChat server through an intermediate server  page 4-141
configuring ExtremeGuest captive-portal  Documents the basic configurations required to deploy an ExtremeGuest setup  page 4-143

4.1.31.2.1 access-time (captive-portal-mode commands)

Defines the permitted access time for a client. It is used when no session time is defined in the RADIUS response.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
access-time <10-10080>

Parameters
access-time <10-10080>
  access-time <10-10080>  Defines the duration wireless clients are allowed access to the Internet using this captive portal policy.
  <10-10080>  Specify a value from 10 - 10080 minutes. The default is 1440 minutes.

Example
rfs6000-81742D(config-captive-portal-test)#access-time 35
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Reverts to the default permitted access time (1440 minutes)

4.1.31.2.2 access-type

Defines the captive portal's access type. The authentication scheme configured here is applied to wireless clients using this captive portal.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
access-type [custom-auth-radius|logging|no-auth|radius|registration]

Parameters
access-type [custom-auth-radius|logging|no-auth|radius|registration]
  custom-auth-radius  Specifies the custom user information used for authentication (RADIUS lookup of given information, such as name, e-mail address, telephone, etc.). When configured, accessing clients are required to provide a 1-32 character lookup data string used to authenticate their credentials. When selecting this option, use the custom-auth command to configure the required user information.
  logging  Provides users access without authentication. The system logs access details of users allowed access.
  no-auth  Defines no authentication required for a guest (the guest is redirected to the welcome message). Provides users access to the captive portal without authentication.
  radius  Enables RADIUS authentication for wireless clients. Provides captive portal access to successfully authenticated users only. This is the default setting.
  registration  Enables captive portal clients to self-register in the captive portal's database. When configured, a requesting client's user credentials require authentication locally or through social media credential exchange and validation. If enabled, use the webpage > internal > registration > field command to customize the registration page. If not customized, the default, built-in registration Web page is displayed.

Example
rfs6000-81742D(config-captive-portal-test)#access-type logging
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Removes the captive portal access type or reverts to default (radius)

4.1.31.2.3 accounting

Enables support for accounting messages for this captive portal. When enabled, accounting for clients entering and exiting the captive portal is initiated. Accounting is the method of collecting and sending security server information for billing, auditing, and reporting user data. This data includes information such as start and stop times, executed commands (such as PPP), number of packets and number of bytes transmitted, etc. Accounting enables tracking of captive portal services consumed by clients.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accounting [radius|syslog]
accounting radius
accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

Parameters
accounting radius
  radius  Enables support for RADIUS accounting messages. When enabled, this option uses an external RADIUS resource for AAA accounting. This option is disabled by default.

accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}
  syslog host <IP/HOSTNAME>  Enables support for syslog accounting messages. When enabled, data relating to wireless client usage of remote access services is logged on the specified external syslog resource. This information assists in differentiating between local and remote users. Remote user information can be archived to an external location for periodic network and user administration. This option is disabled by default.
    host <IP/HOSTNAME>  Specifies the destination where accounting messages are sent. Specify the destination's IP address or hostname.
  port <1-65535>  Optional. Specifies the syslog server's listener port.
    <1-65535>  Specify the UDP port from 1 - 65535. The default is 514.
  proxy-mode [none|through-controller|through-rf-domain-manager]  Optional. Specifies the mode of proxying the syslog server.
    none  Accounting messages are sent directly to the syslog server.
    through-controller  Accounting messages are sent through the controller configuring the device.
    through-rf-domain-manager  Accounting messages are sent through the local RF Domain manager.

Example
rfs6000-81742D(config-captive-portal-test)#accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Disables accounting records for this captive portal

4.1.31.2.4 bypass

Enables bypassing of captive portal detection requests from wireless clients. Certain devices, such as Apple iOS devices, send Captive Network Assistant (CNA) requests to detect the existence of captive portals. When enabled, the bypass option does not allow CNA requests to be redirected to the captive portal pages.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bypass captive-portal-detection

Parameters
bypass captive-portal-detection
  bypass captive-portal-detection  Bypasses captive portal detection requests

Example
rfs4000-229D58(config-captive-portal-test)#bypass captive-portal-detection
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 bypass captive-portal-detection
rfs4000-229D58(config-captive-portal-test)#

Related Commands
no  Disables bypassing of captive portal detection requests

4.1.31.2.5 connection-mode

Configures a captive portal's mode of connection to the Web server. HTTP uses a plain, unsecured connection for user requests. HTTPS uses an encrypted connection to support user requests. Both HTTP and HTTPS use the same Uniform Resource Identifier (URI), so controller and client resources can be identified. However, the use of HTTPS is recommended, as it affords controller and client transmissions some measure of data protection HTTP cannot provide.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
connection-mode [http|https]

Parameters
connection-mode [http|https]
  http  Sets HTTP as the default connection mode. This is the default setting.
  https  Sets HTTPS as the default connection mode. HTTPS is a more secure version of HTTP, and uses encryption while sending and receiving requests.

Example
rfs6000-81742D(config-captive-portal-test)#connection-mode https
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 connection-mode https
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Removes this captive portal's connection mode

4.1.31.2.6 custom-auth

Configures custom user information.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
custom-auth info <LINE>

Parameters
custom-auth info <LINE>
  info <LINE>  Configures information used for RADIUS lookup when the custom-auth RADIUS access type is configured.
    <LINE>  Guest data needs to be provided. Specify the name, e-mail address, and telephone number of the user.

Example
rfs6000-81742D(config-captive-portal-test)#custom-auth info bob bob@examplecompany.com
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Removes custom user information configured with this captive portal

4.1.31.2.7 data-limit

Enforces data transfer limits on captive portal clients. This feature enables the tracking and logging of user usage. Users exceeding the allowed bandwidth are restricted from the captive portal.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
data-limit <1-102400> {action [log-and-disconnect|log-only]}

Parameters
data-limit <1-102400> {action [log-and-disconnect|log-only]}
  data-limit <1-102400>  Sets a captive portal client's data transfer limit in megabytes. This limit is applicable for both upstream and downstream data transfer.
    <1-102400>  Specify a value from 1 - 102400 MB.
  action [log-and-disconnect|log-only]  Optional. Specifies the action taken when a client exceeds the configured data limit. The options are:
    log-and-disconnect  When selected, an entry is added to the log file any time a captive portal client exceeds the data limit, and the client is disconnected.
    log-only  When selected, an entry is added to the log file any time a captive portal client exceeds the data limit. The client, however, remains connected to the captive portal. This is the default setting.

Example
rfs6000-81742D(config-captive-portal-test)#data-limit 200 action log-and-disconnect
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 data-limit 200 action log-and-disconnect
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Removes data limit enforcement for captive portal clients

4.1.31.2.8 inactivity-timeout

Defines the inactivity timeout in seconds. If a frame is not received from a client for the specified interval, the current session is terminated.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
inactivity-timeout <60-86400>

Parameters
inactivity-timeout <60-86400>
  <60-86400>  Defines the interval for which a captive portal session is kept alive without receiving a frame from the client. The session is automatically terminated once this interval is over. Specify a value from 60 - 86400 seconds. The default is 10 minutes or 600 seconds.

Example
rfs6000-81742D(config-captive-portal-test)#inactivity-timeout 750
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Removes the client inactivity-timeout configured with this captive portal

4.1.31.2.9 ipv6

Configures the IPv6 address of the internal captive portal server (running in centralized mode). If using centralized server mode, use this option to define the IPv6 address of the controller, service platform, or access point hosting the captive portal. For information on configuring the server mode, see server.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 server host <IPv6>

Parameters
ipv6 server host <IPv6>
  ipv6 server host <IPv6>  Configures the IPv6 address of the internal captive portal server.
    <IPv6>  Specify the captive portal server's global IPv6 address.

Example
rfs6000-81742D(config-captive-portal-test2)#ipv6 server host 2001:10:10:10:6d:33:fa:8b
rfs6000-81742D(config-captive-portal-test2)#show context
captive-portal test2
 access-type OAuth
 ipv6 server host 2001:10:10:10:6d:33:fa:8b
 OAuth client-id Google TechPubs.printer.google.com
rfs6000-81742D(config-captive-portal-test2)#

Related Commands
no  Removes the captive portal server's IPv6 address

4.1.31.2.10 localization

Configures an FQDN address string that enables the client to receive localization parameters. Use this option to add a URL to trigger a one-time redirect on demand. The defined URL is triggered from a mobile application to derive location information from the wireless network, so an application can be localized to a particular store or region.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
localization [fqdn <WORD>|response <WORD>]

Parameters
localization [fqdn <WORD>|response <WORD>]
  localization  Configures an FQDN address string that enables the client to receive localization parameters. This command also allows the configuration of a response message.
  fqdn <WORD>  Configures the FQDN address string, which is used to obtain localization parameters for the captive portal's client.
    <WORD>  Specify the FQDN address string. For example, local.guestaccess.com
  response <WORD>  Configures a message, which is sent back to the client in response to the client's localization HTTP requests.
    <WORD>  Specify the response message (should not exceed 512 characters in length). The following built-in query tags can be included in the response message:
      'WING_TAG_CLIENT_IP' - Captive portal client IPv4 address
      'WING_TAG_CLIENT_MAC' - Captive portal client MAC address
      'WING_TAG_WLAN_SSID' - Captive portal client WLAN SSID
      'WING_TAG_AP_MAC' - Captive portal client AP MAC address
      'WING_TAG_AP_NAME' - Captive portal client AP name
      'WING_TAG_RF_DOMAIN' - Captive portal client RF Domain
      'WING_TAG_USERNAME' - Captive portal authentication username
      'WING_TAG_USERTYPE' - Captive portal usertype (new/return/refresh)
    Example:
      <local><site>WING_TAG_RF_DOMAIN</site><ap>WING_TAG_AP_NAME</ap></local>

Example
nx9500-6C8809(config-captive-portal-test)#localization fqdn local.guestaccess.com
nx9500-6C8809(config-captive-portal-test)#localization response <local><site>SJExtreme</site><ap>ap8132-74B45C</ap><user>Bob</user><local>
nx9500-6C8809(config-captive-portal-TechPubsNew)#show context
captive-portal TechPubsNew
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
 localization fqdn local.guestaccess.com
 localization response <local><site>SJExtreme</site><ap>ap8132-74B45C</ap><user>Bob</user><local>
nx9500-6C8809(config-captive-portal-TechPubsNew)#
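The response string above is a template: the portal substitutes each WING_TAG_* with the client's values before answering the localization request. The following added example (not code from the guide or from WiNG) models that substitution, validates a template against the documented tag names and the 512-character limit, and renders it for one client; the ClientSession fields and sample values are constructed for illustration.

```python
"""Render a WiNG-style captive-portal localization response for one client.

Added example, not code from the CLI Reference Guide or from WiNG. The tag
names, the usertype values (new/return/refresh) and the 512-character limit
on the configured response string are those documented for
`localization response <WORD>`; ClientSession and its sample values are
constructed here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Substitution tags the guide documents for the localization response.
SUPPORTED_TAGS = {
    "WING_TAG_CLIENT_IP", "WING_TAG_CLIENT_MAC", "WING_TAG_WLAN_SSID",
    "WING_TAG_AP_MAC", "WING_TAG_AP_NAME", "WING_TAG_RF_DOMAIN",
    "WING_TAG_USERNAME", "WING_TAG_USERTYPE",
}
USER_TYPES = {"new", "return", "refresh"}
MAX_RESPONSE_LEN = 512          # documented limit on the configured string
_TAG_RE = re.compile(r"WING_TAG_[A-Z_]+")   # greedy: matches a whole tag name


@dataclass(frozen=True)
class ClientSession:
    """Per-client values the portal knows when the client hits the FQDN (constructed)."""
    client_ip: str
    client_mac: str
    wlan_ssid: str
    ap_mac: str
    ap_name: str
    rf_domain: str
    username: str
    usertype: str   # new / return / refresh

    def tag_values(self) -> Dict[str, str]:
        if self.usertype not in USER_TYPES:
            raise ValueError(f"usertype must be one of {sorted(USER_TYPES)}")
        return {
            "WING_TAG_CLIENT_IP": self.client_ip,
            "WING_TAG_CLIENT_MAC": self.client_mac,
            "WING_TAG_WLAN_SSID": self.wlan_ssid,
            "WING_TAG_AP_MAC": self.ap_mac,
            "WING_TAG_AP_NAME": self.ap_name,
            "WING_TAG_RF_DOMAIN": self.rf_domain,
            "WING_TAG_USERNAME": self.username,
            "WING_TAG_USERTYPE": self.usertype,
        }


def validate_template(template: str) -> List[str]:
    """Return the problems to fix before committing the response string."""
    problems = []
    if len(template) > MAX_RESPONSE_LEN:
        problems.append(f"response is {len(template)} chars; limit is {MAX_RESPONSE_LEN}")
    # A misspelled tag would be sent to the client verbatim, so reject it here.
    for tag in sorted(set(_TAG_RE.findall(template))):
        if tag not in SUPPORTED_TAGS:
            problems.append(f"unknown tag {tag}")
    return problems


def render_response(template: str, session: ClientSession) -> str:
    """Substitute every documented WING_TAG_* with the client's value."""
    problems = validate_template(template)
    if problems:
        raise ValueError("; ".join(problems))
    values = session.tag_values()
    return _TAG_RE.sub(lambda m: values[m.group(0)], template)


# Constructed sample: the tag form of the response string shown in the guide,
# plus a client that would produce the guide's rendered output.
SAMPLE_TEMPLATE = ("<local><site>WING_TAG_RF_DOMAIN</site><ap>WING_TAG_AP_NAME</ap>"
                   "<user>WING_TAG_USERNAME</user></local>")
SAMPLE_SESSION = ClientSession(
    client_ip="10.1.1.25", client_mac="00:11:22:33:44:55", wlan_ssid="Guest",
    ap_mac="aa:bb:cc:dd:ee:ff", ap_name="ap8132-74B45C", rf_domain="SJExtreme",
    username="Bob", usertype="return",
)

if __name__ == "__main__":
    print(render_response(SAMPLE_TEMPLATE, SAMPLE_SESSION))
```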
Related Commands
no  Removes the FQDN address string and response message configured on a captive portal for localization

4.1.31.2.11 logout-fqdn

Configures the Fully Qualified Domain Name (FQDN) address used to log the session out from the client.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logout-fqdn <WORD>

Parameters
logout-fqdn <WORD>
  logout-fqdn <WORD>  Configures the FQDN address used to log out.
    <WORD>  Provide the FQDN address (for example, logout.guestaccess.com).

Example
rfs6000-81742D(config-captive-portal-test)#logout-fqdn logout.testuser.com
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 logout-fqdn logout.testuser.com
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no  Clears the logout FQDN address

4.1.31.2.12 no

The no command reverts the selected captive portal's settings or resets settings to default.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [access-time|access-type|accounting|bypass|connection-mode|custom-auth|data-limit|inactivity-timeout|ipv6|localization|logout-fqdn|oauth|php-helper|post-authentication-vlan|radius-vlan-assignment|redirection|report-loyalty-application|server|simultaneous-users|terms-agreement|use|webpage|webpage-auto-upload|webpage-location|welcome-back]

no [access-time|access-type|connection-mode|data-limit|inactivity-timeout|logout-fqdn|post-authentication-vlan|radius-vlan-assignment|report-loyalty-application|simultaneous-users|terms-agreement|webpage-auto-upload|webpage-location]
no accounting [radius|syslog]
no bypass captive-portal-detection
no custom-auth info
no ipv6 server host
no localization [fqdn|response]
no oauth {client-id}
no php-helper
no redirection ports
no server host
no server mode {centralized-controller [hosting-vlan-interface]}
no use [aaa-policy|dns-whitelist]
no webpage external [acknowledgement|agreement|fail|login {post}|no-service|registration|welcome]
no webpage internal [acknowledgement|agreement|fail|login|no-service|org-name|org-signature|registration|welcome]
no webpage internal [org-name|org-signature]
no webpage internal [acknowledgment|agreement|fail|login|no-service] [body-background-color|body-font-color|description|footer|header|main-logo|org-background-color|org-font-color|small-logo|title]
no webpage internal registration [body-background-color|body-font-color|description|field|footer|header|main-logo|org-background-color|org-font-color|small-logo|title]
no webpage internal registration field [age-range|city|country|custom <FIELD-NAME>|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip] {enable}
no webpage internal welcome [body-background-color|body-font-color|description|footer|header|main-logo|org-background-color|org-font-color|small-logo|title|use-external-success-url]
no welcome-back pass-through

Parameters
no <PARAMETERS>
  no <PARAMETERS>  Removes or resets this captive portal's settings, based on the parameters passed.

Example
The following example shows the captive portal test settings before the no commands are executed:
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-type logging
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 accounting syslog host 172.16.10.13 port 1
rfs6000-81742D(config-captive-portal-test)#
rfs6000-81742D(config-captive-portal-test)#no accounting syslog
rfs6000-81742D(config-captive-portal-test)#no access-type

The following example shows the captive portal test settings after the no commands are executed:
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
rfs6000-81742D(config-captive-portal-test)#
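Because `no` silently falls back to defaults (access-type radius, connection-mode http, log-only data-limit action, no accounting), a `show context captive-portal` dump is worth auditing before it is pushed. The following added example (not code from the guide or from WiNG) parses such a dump and applies the ranges, defaults and keyword meanings documented in the access-time through inactivity-timeout sections above; the severity labels and the sample dumps are constructed here.

```python
"""Audit a `show context captive-portal <NAME>` dump against captive-portal-mode
command semantics.

Added example, not code from the CLI Reference Guide or from WiNG. Ranges and
defaults (access-time 10-10080 min, default 1440; inactivity-timeout 60-86400 s,
default 600; data-limit 1-102400 MB, default action log-only; connection-mode
default http; access-type default radius; syslog port 1-65535) are the ones the
guide documents. Severity labels and the sample dumps are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

RANGES = {                       # documented numeric ranges
    "access-time": (10, 10080),
    "inactivity-timeout": (60, 86400),
    "data-limit": (1, 102400),
}
DEFAULTS = {                     # value in effect when the command is absent
    "access-type": "radius",
    "connection-mode": "http",
    "access-time": "1440",
    "inactivity-timeout": "600",
}


def parse_context(dump: str) -> Tuple[str, Dict[str, List[str]]]:
    """Return (policy name, {command: [argument strings]}).

    First non-blank line must be `captive-portal <NAME>`; each later line is one
    configured command with leading indentation dropped. Repeated commands
    (several `webpage ...` lines, say) are kept in order.
    """
    lines = [ln.strip() for ln in dump.splitlines() if ln.strip()]
    head = lines[0].split()
    if len(head) != 2 or head[0] != "captive-portal":
        raise ValueError(f"not a captive-portal context: {lines[0]!r}")
    commands: Dict[str, List[str]] = {}
    for ln in lines[1:]:
        cmd, _, args = ln.partition(" ")
        commands.setdefault(cmd, []).append(args)
    return head[1], commands


def effective(cmds: Dict[str, List[str]], cmd: str) -> Optional[str]:
    """First configured value of cmd, or its documented default when absent."""
    return cmds[cmd][0] if cmd in cmds else DEFAULTS.get(cmd)


def audit(dump: str) -> List[str]:
    """Return findings as 'LEVEL command: reason'; an empty list means clean."""
    _name, cmds = parse_context(dump)
    findings: List[str] = []

    # Transport: http is the default, so an absent connection-mode means http.
    if effective(cmds, "connection-mode") == "http":
        findings.append("HIGH connection-mode: http (default) is unencrypted; set https")

    # Authentication scheme: logging and no-auth admit clients without credentials.
    atype = effective(cmds, "access-type")
    if atype in ("logging", "no-auth"):
        findings.append(f"HIGH access-type: {atype} grants access without authentication")
    if atype == "custom-auth-radius" and "custom-auth" not in cmds:
        findings.append("MEDIUM access-type: custom-auth-radius set but no custom-auth info configured")

    # Audit trail: without accounting there is no record of portal usage.
    if "accounting" not in cmds:
        findings.append("MEDIUM accounting: not configured; no RADIUS or syslog accounting records")
    for args in cmds.get("accounting", []):
        m = re.search(r"\bport (\d+)", args)
        if m and not 1 <= int(m.group(1)) <= 65535:
            findings.append(f"LOW accounting: syslog port {m.group(1)} outside 1-65535")

    # Numeric limits: catch hand-edited values the CLI itself would reject.
    for cmd, (lo, hi) in RANGES.items():
        for args in cmds.get(cmd, []):
            value = args.split()[0]
            if not value.isdigit() or not lo <= int(value) <= hi:
                findings.append(f"LOW {cmd}: {value} outside {lo}-{hi}")

    # data-limit without `action log-and-disconnect` only logs (the default).
    for args in cmds.get("data-limit", []):
        if "log-and-disconnect" not in args:
            findings.append("LOW data-limit: action is log-only (default); limit is logged, not enforced")
    return findings


# Constructed dumps modelled on the before/after output shown above.
BEFORE_NO = """\
captive-portal test
 access-type logging
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 accounting syslog host 172.16.10.13 port 1
"""
AFTER_NO = """\
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
"""

if __name__ == "__main__":
    for label, dump in (("before", BEFORE_NO), ("after", AFTER_NO)):
        print(label, audit(dump) or ["clean"])
```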
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 112 GLOBAL CONFIGURATION COMMANDS

4.1.31.2.13 oauth
captive-portal-mode commands

Enables OAuth-driven Google and/or Facebook authentication on captive portals that use internal Web pages. To enable Google and Facebook captive-portal authentication:

• Enforce captive-portal authentication on the WLAN to which wireless clients associate. For information, see captive-portal-enforcement.
• Set the captive-portal Web page location to internal. For more information, see webpage-location.
• Register your captive portal individually on the Google/Facebook APIs and generate a client-id and client-secret. The client-ids retrieved during registration are the IDs for the WiNG application running on the access point/controller. The WiNG application uses these client-ids to access the Google and Facebook Auth APIs and authenticate the guest client on behalf of the user.

If enabling OAuth-driven Google and/or Facebook authentication on the captive portal, use this command to configure the Google/Facebook client-ids. Once enabled, the captive portal landing page, displayed in the client's browser, provides the Facebook and Google login buttons.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
oauth
oauth client-id [facebook|google] <WORD>

Parameters
oauth

oauth
    Execute this command without the associated keywords to enable OAuth on this captive portal. If enabling OAuth, ensure the captive-portal Web page location is configured as advanced or external.

oauth client-id [facebook|google] <WORD>

oauth client-id [facebook|google] <WORD>
    Configures the client-ids retrieved from the Google and Facebook API manager portals during registration.
    facebook  Configures the Facebook API client-id (a 15-digit entity).
    google    Configures the Google API client-id (a 12-digit number).
    <WORD>    Provide the Facebook/Google client-id. If the captive-portal Web page location is advanced or external and you are enabling OAuth support, you need not configure the client-id. In such a scenario, the client-id is configured through the EGuest server UI and not the WiNG CLI.

Example
nx7500-6DCD39(config-captive-portal-test2)#OAuth
nx7500-6DCD39(config-captive-portal-test2)#OAuth client-id Google xxxxxxxxxxxx.apps.googleusercontent.com Facebook yyyyyyyyyyyyyyy
nx7500-6DCD39(config-captive-portal-test2)#show context
captive-portal test2
 server host guest.social.com
 oauth
 oauth client-id Google xxxxxxxxxxxx.apps.googleusercontent.com Facebook yyyyyyyyyyyyyyy
nx7500-6DCD39(config-captive-portal-test)#

In the above example:
• xxxxxxxxxxxx - the 12-digit numeric part of your Google client-id.
• yyyyyyyyyyyyyyy - the 15-digit Facebook client-id.

Related Commands
no    Removes all OAuth client identities configured for this captive portal

4.1.31.2.14 php-helper
captive-portal-mode commands

Configures a PHP helper to serve the PHP splash pages to guest users logging in to the captive portal using social-media credentials. Configure a PHP helper only if the following criteria are fulfilled:
• OAuth-based authentication is enabled on the captive portal.
• The captive-portal server mode is self.
• The access point hosting the captive-portal server has low memory space (for example, the AP6511, AP6521, AP6522, AP6532, and AP7502 model access points).
• A hotspot server hosting the captive-portal PHP splash pages is up and running.

The WiNG software introduces HybridAuth support on captive portals. HybridAuth is an open-source, social sign-on PHP library. In addition to Google and Facebook, it allows a variety of third-party social authentications, such as LinkedIn, Twitter, Live, Yahoo, OpenID, etc. However, HybridAuth uses space-consuming PHP splash pages that cannot be loaded on access points with low memory space. These access points can only serve the initial landing page, where guests clicking on a social login button are redirected by the php-helper to a PHP page hosted on the PHP helper.

To create PHP splash pages, use the splash template configuration tool available on the ExtremeGuest (EGuest) dashboard. Upload the generated tar to both the hotspot server and the php-helper. Note, the EGuest dashboard can be launched from the WiNG controller (NX9500/NX9600/VX9000) enabled as the EGuest server. For more information on enabling the EGuest server, see eguest-server (VX9000 only). For more information on configuring an EGuest captive portal, see configuring ExtremeGuest captive-portal.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
php-helper [controller|domain-manager]
php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4096>
php-helper domain-manager <IP/HOSTNAME>

Parameters
php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4094>

php-helper controller <IP/HOSTNAME> hosting-vlan-interface <0-4096>
    Configures the php-helper parameters.
    controller
        Configures the controller adopting the captive-portal access point as the php-helper.
        <IP/HOSTNAME>  Specify the adopting controller's IP address or host name.
    hosting-vlan-interface <0-4096>
        Optional. Configures the VLAN on which the php-helper is reachable.
        <0-4096>  Specify the VLAN hosting the php-helper from 0 - 4096.

php-helper domain-manager <IP/HOSTNAME>

php-helper domain-manager <IP/HOSTNAME>
    Configures the php-helper parameters.
    domain-manager
        Configures the captive-portal access point's RF Domain manager as the php-helper.
        <IP/HOSTNAME>  Specify the RF Domain manager's IP address or host name.

Example
To enable php-helper, configure the following parameters in the captive-portal context:
ap6532-3163A4(config-captive-portal-php-helper)#oauth
ap6532-3163A4(config-captive-portal-php-helper)#php-helper controller nx9500-6C8809
ap6532-3163A4(config-captive-portal-php-helper)#server mode self
ap6532-3163A4(config-captive-portal-php-helper)#server host cpsocial.extreme.com

Note, when configuring the server, specify the server's hostname and not the IP address, because some social media do not allow an IP address as a redirect URI.

ap6532-3163A4(config-captive-portal-php-helper)#show running-config captive-portal php-helper
captive-portal php-helper
 server host cpsocial.extreme.com
 php-helper controller nx9500-6C8809
 oauth
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder
--More--
ap6532-3163A4(config-captive-portal-php-helper)#

Related Commands
no    Removes the PHP helper configuration

4.1.31.2.15 post-authentication-vlan
captive-portal-mode commands

Configures the VLAN that is assigned to this captive portal's users upon successful authentication.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]

Parameters
post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]

post-authentication-vlan [<1-4096>|<VLAN-ALIAS>]
    Configures the post authentication VLAN. The VLAN specified here is assigned to this captive portal's users after they have authenticated and logged on to the network. Provide the VLAN ID, or use an existing VLAN alias to identify the post authentication VLAN.
    <1-4096>      Specify the VLAN's number from 1 - 4096.
    <VLAN-ALIAS>  Specify the VLAN alias (should be existing and configured). VLAN alias names begin with a $.

Example
rfs4000-229D58(config-captive-portal-test)#post-authentication-vlan 1
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 post-authentication-vlan 1
rfs4000-229D58(config-captive-portal-test)#

Related Commands
no                       Removes the post authentication RADIUS VLAN assigned to this captive portal's users
radius-vlan-assignment   Enables assignment of a RADIUS VLAN for this captive portal

4.1.31.2.16 radius-vlan-assignment
captive-portal-mode commands

Enables assignment of a RADIUS VLAN for this captive portal. When enabled, if the RADIUS server, as part of the authentication process, returns a client's VLAN-ID in a RADIUS access-accept packet, all client traffic is forwarded on the post authentication VLAN. If disabled, the RADIUS server's VLAN assignment is ignored and the VLAN configuration defined within the WLAN configuration is used instead. This feature is disabled by default.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radius-vlan-assignment

Parameters
None

Example
rfs4000-229D58(config-captive-portal-test)#radius-vlan-assignment
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 post-authentication-vlan 1
 radius-vlan-assignment
rfs4000-229D58(config-captive-portal-test)#

Related Commands
no                         Disables assignment of a RADIUS VLAN for this captive portal
post-authentication-vlan   Assigns a post authentication RADIUS VLAN for this captive portal's users

4.1.31.2.17 redirection
captive-portal-mode commands

Configures a list of destination ports (separated by commas, or using a dash for a range) that are taken into consideration when redirecting client connections.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
redirection ports <LIST-OF-PORTS>

Parameters
redirection ports <LIST-OF-PORTS>

ports <LIST-OF-PORTS>
    Configures the destination ports considered for redirecting client connections. A maximum of 16 ports can be specified in a comma-separated list. Standard ports 80 and 443 are always considered for client connections regardless of what is entered by the administrator.

Example
rfs4000-229D58(config-captive-portal-test)#redirection ports 1,2,3
rfs4000-229D58(config-captive-portal-test)#show context
captive-portal test
 redirection ports 1-3
rfs4000-229D58(config-captive-portal-test)#
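The <LIST-OF-PORTS> handling described above, worked through in Python as an added example (this is not WiNG code and not from the guide): it parses the comma-and-dash list, applies the 16-entry limit, adds the always-redirected ports 80 and 443, and renders the stored form the way the show context output above does ("1,2,3" becomes "1-3"). Whether a range such as 8000-8080 counts as one entry or as many towards the limit of 16 is not stated in the guide; the example counts it as one entry, which is an assumption.

```python
"""Parse and normalize a WiNG-style captive-portal redirection port list.

Added example, not WiNG code. Behaviour taken from the guide: comma-separated
entries, a dash for a range, at most 16 ports, and ports 80 and 443 always
redirected. Assumption: a range counts as a single entry towards the limit.
"""
from typing import List, Set, Tuple

MAX_ENTRIES = 16               # guide: "A maximum of 16 ports can be specified"
ALWAYS_REDIRECTED = {80, 443}  # guide: 80 and 443 are always considered


def parse_port_list(spec: str) -> Set[int]:
    """Turn "1,2,3,8000-8080" into a set of port numbers.

    Raises ValueError for an empty list, too many entries, a non-numeric
    token, a reversed range, or a port outside 1-65535.
    """
    entries = [e.strip() for e in spec.split(",") if e.strip()]
    if not entries:
        raise ValueError("empty port list")
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"{len(entries)} entries exceed the limit of {MAX_ENTRIES}")
    ports: Set[int] = set()
    for entry in entries:
        if "-" in entry:
            lo_s, hi_s = entry.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)      # int() raises ValueError on junk
        else:
            lo = hi = int(entry)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"bad port or range: {entry!r}")
        ports.update(range(lo, hi + 1))
    return ports


def is_valid_port_list(spec: str) -> bool:
    """True when parse_port_list() accepts the administrator's entry."""
    try:
        parse_port_list(spec)
        return True
    except ValueError:
        return False


def to_ranges(ports: Set[int]) -> List[Tuple[int, int]]:
    """Collapse a set of ports into sorted (low, high) runs of consecutive ports."""
    runs: List[Tuple[int, int]] = []
    for p in sorted(ports):
        if runs and runs[-1][1] == p - 1:
            runs[-1] = (runs[-1][0], p)
        else:
            runs.append((p, p))
    return runs


def render(ports: Set[int]) -> str:
    """Render runs the way the guide's show context output does ("1-3", "80")."""
    return ",".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in to_ranges(ports))


def normalize_port_list(spec: str) -> str:
    """The form the configuration stores for a given administrator entry."""
    return render(parse_port_list(spec))


def effective_ports(spec: str) -> Set[int]:
    """Ports actually considered for redirection: the list plus 80 and 443."""
    return parse_port_list(spec) | ALWAYS_REDIRECTED


if __name__ == "__main__":
    print(normalize_port_list("1,2,3"))                # 1-3, as in the guide's example
    print(render(effective_ports("1,2,3")))            # 1-3,80,443
    print(normalize_port_list("8080,8000-8001,8002"))  # 8000-8002,8080
```

The difference between normalize_port_list() and effective_ports() is the point to keep in mind when reading a show context dump: the stored list never shows 80 and 443, but the device redirects them regardless.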
Related Commands
no    Disables redirection of client connections

4.1.31.2.18 report-loyalty-application
captive-portal-mode commands

Enables detection of a captive portal client's usage of a selected (preferred) loyalty application.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
report-loyalty-application {custom-app <APPLICATION-NAME>}

Parameters
report-loyalty-application {custom-app <APPLICATION-NAME>}

report-loyalty-application {custom-app <APPLICATION-NAME>}
    Reports a captive portal client's loyalty application presence and stores this information in the captive portal's user database. The client's loyalty application detection occurs on the access point to which the client is associated. Retail administrators can use this information to assess whether patrons' loyalty application usage is as per expectation within specific retail environments. This option is disabled by default.
    custom-app <APPLICATION-NAME>
        Optional. Uses a custom application definition as match criteria.
        <APPLICATION-NAME>  Specify the custom application name (should be existing and configured). Ensure that the application specified is available and configured. If not, create an application definition. For more information, see application. If no custom application definition is specified, the system uses localization to detect application presence.

Example
nx9500-6C8809(config-captive-portal-test)#report-loyalty-application custom-app AntiVirus
nx9500-6C8809(config-captive-portal-test)#show context include-factory | include report-loyalty-application
 report-loyalty-application custom-app AntiVirus
nx9500-6C8809(config-captive-portal-test)#

Related Commands
no    Disables detection of customer-loyalty application presence

4.1.31.2.19 server
captive-portal-mode commands

Configures captive portal server parameters, such as the hostname, IP address, and mode of operation. This is the captive-portal server hosting the captive portal Web pages.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
server [host|mode]
server host <IP/HOSTNAME>
server mode [centralized|centralized-controller {hosting-vlan-interface <0-4096>}|self]

Parameters
server host <IP/HOSTNAME>

host <IP/HOSTNAME>
    Configures the internal captive portal server (wireless controller, access point, service platform).
    <IP/HOSTNAME>  Specify the IPv4/IPv6 address or hostname of the captive portal server. For centralized-controller mode, the server host should be a virtual hostname and not an IP address. If enabling OAuth (social-media login) on the captive portal, configure the server's hostname and not the IP address, because some social media do not allow an IP address as the redirect-uri. For more information, see oauth and php-helper.

server mode [centralized|centralized-controller {hosting-vlan-interface <0-4096>}|self]

mode
    Configures the captive portal server mode. This parameter identifies the device that will capture and redirect a wireless user's Web browser session to a landing page where the user has to provide login credentials in order to access the managed network. The WiNG captive portal implementation is very flexible and allows captive portal services to reside anywhere within the WiNG managed network. For example, the capture and redirection can be performed directly by the access points at the edge of the network, centrally on the controllers or service platforms managing the access points, or on a dedicated wireless controller deployed within an isolated network.
    centralized
        Select this option if capture and redirection is provided by a designated wireless controller/service platform on the network, defined using an IPv4/IPv6 address or hostname. This dedicated device can either be managing the dependent/independent access points or be a dedicated device deployed over the intermediate network. Ensure the IPv4 address or hostname of the WiNG wireless controller performing the capture and redirection is defined in the captive portal policy, and also that the wireless controller is reachable via MINT.
    centralized-controller {hosting-vlan-interface <0-4096>}
        Select this option if capture and redirection is on a cluster of wireless controllers/service platforms managing dependent/independent access points when redundancy is required. The capture and redirection is provided by one of the controllers in the cluster that is operating as the designated forwarder for the tunneled VLAN. The cluster can be configured as active/active or active/standby as required. If using this option, ensure a non-resolvable virtual hostname is defined in the captive portal policy which is shared between the controllers in the cluster.
        hosting-vlan-interface <0-4096>
            Optional. Configures the VLAN where the client can reach the captive-portal server. This option is available only for the centralized-controller mode.
            <0-4096>  Specify the VLAN number (0 implies the controller is available on the client's VLAN).
    self
        Select this option if capture and redirection is provided by the access point that is servicing the captive portal enabled Wireless LAN. This is the default setting. When enabled, each remote access point servicing the captive portal enabled WLAN performs the captive portal capture and redirection internally. The WLAN users are mapped to a locally bridged VLAN for which each access point has a Switched Virtual Interface (SVI) defined. The SVI can either have a static or dynamic (DHCP) IPv4 address assigned. The capture, redirection, and presentation of the captive portal pages are performed using the SVI on each access point the wireless device is associated to.

Example
rfs6000-81742D(config-captive-portal-test)#server host 172.16.10.9
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no    Resets or disables captive portal host and mode settings

4.1.31.2.20 simultaneous-users
captive-portal-mode commands

Specifies the number of users (client MAC addresses) that can simultaneously log on to the captive portal. This option is disabled by default.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
simultaneous-users <1-8192>

Parameters
simultaneous-users <1-8192>

simultaneous-users <1-8192>
    Specifies the number of MAC addresses that can simultaneously access the captive portal.
    <1-8192>  Select a number from 1 - 8192.

Example
rfs6000-81742D(config-captive-portal-test)#simultaneous-users 5
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no    Resets or disables captive portal commands

4.1.31.2.21 terms-agreement
captive-portal-mode commands

Enforces the user to agree to terms and conditions (included in the login page) for captive portal access. This feature is disabled by default.

When enabled, the system enforces a previously registered user to re-confirm the terms of agreement on successive log-ins only if the interval between the last log-out and the current log-in exceeds the agreement-refresh timeout configured in the WLAN context. For more information on configuring the agreement-refresh timeout value, see registration. For example:
If the agreement-refresh timeout is set at 20 minutes, the following two possibilities can arise:
• The interval between logging out and re-logging exceeds 20 minutes, in which case the user is served the Terms of Agreement page on successful authentication.
• The interval between logging out and re-logging is less than 20 minutes, in which case the user is provided direct Internet access.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
terms-agreement

Parameters
None

Example
rfs6000-81742D(config-captive-portal-test)#terms-agreement
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
 terms-agreement
rfs6000-81742D(config-captive-portal-test)#

Related Commands
no    Resets or disables captive portal commands

4.1.31.2.22 use
captive-portal-mode commands

Configures a AAA policy and DNS whitelist with this captive portal policy. AAA policies are used to configure authentication and accounting servers for this captive portal. DNS whitelists restrict users to a set of configurable domains on the Internet. For more information on AAA policies, see AAA-POLICY. For more information on DNS whitelists, see dns-whitelist.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]

Parameters
use [aaa-policy <AAA-POLICY-NAME>|dns-whitelist <DNS-WHITELIST-NAME>]

aaa-policy <AAA-POLICY-NAME>
    Associates a AAA policy with this captive portal. AAA policies validate user credentials and provide captive portal access to the network.
    <AAA-POLICY-NAME>  Specify the AAA policy name.
dns-whitelist <DNS-WHITELIST-NAME>
    Associates a DNS whitelist to use with this captive portal. A DNS whitelist defines a set of allowed destination IP addresses. DNS whitelists restrict captive portal access.
    <DNS-WHITELIST-NAME>  Specify the DNS whitelist name. To effectively host captive portal pages on an external Web server, the IP address of the destination Web server(s) should be added to the DNS whitelist.

Example
rfs6000-81742D(config-captive-portal-test)#use aaa-policy test
rfs6000-81742D(config-captive-portal-test)#use dns-whitelist test
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
 terms-agreement
 use aaa-policy test
 use dns-whitelist test
rfs6000-81742D(config-captive-portal-test)#
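The configuration rules stated in the oauth, php-helper, server and use sections of this chapter (a hostname rather than an IP address for server host when OAuth is enabled; a php-helper only together with OAuth and server mode self; a DNS whitelist when the Web pages are hosted externally) collected into a small audit script. This is an added example in Python, not WiNG code or anything from the guide; it reads a captive-portal block in the one-setting-per-line form the show context examples print, and the two sample blocks it ships with are constructed.

```python
"""Audit a WiNG captive-portal policy block for the pitfalls this chapter calls out.

Added example, not WiNG code or from the guide. Input is a "captive-portal <name>"
block in the form the guide's "show context" examples print (one setting per
line). Checks, each traceable to the chapter text:
  * oauth enabled    -> "server host" must be a hostname, not an IP address
                        (some social-media providers reject an IP redirect URI);
  * php-helper       -> only meaningful with oauth enabled and "server mode self";
  * webpage external -> a DNS whitelist must be in use so unauthenticated
                        clients can reach the external Web server.
The sample blocks at the bottom are constructed for this example.
"""
import ipaddress
from typing import Dict, List


def parse_captive_portal(text: str) -> Dict[str, List[List[str]]]:
    """Map each setting keyword to the list of argument vectors found for it."""
    settings: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("captive-portal "):
            continue                       # blank line or the block header
        tokens = line.split()
        settings.setdefault(tokens[0], []).append(tokens[1:])
    return settings


def is_ip_address(value: str) -> bool:
    """True for an IPv4 or IPv6 literal, False for a hostname."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _server_setting(cfg: Dict[str, List[List[str]]], key: str, default=None):
    """Value of 'server <key> <value>' if present, else the default."""
    for args in cfg.get("server", []):
        if len(args) >= 2 and args[0] == key:
            return args[1]
    return default


def audit(text: str) -> List[str]:
    """Return one finding per violated rule; an empty list means the block passed."""
    cfg = parse_captive_portal(text)
    findings: List[str] = []

    oauth_enabled = "oauth" in cfg
    host = _server_setting(cfg, "host")
    mode = _server_setting(cfg, "mode", "self")   # guide: self is the default mode

    if oauth_enabled:
        if host is None:
            findings.append("oauth is enabled but no 'server host' is configured")
        elif is_ip_address(host):
            findings.append(f"oauth is enabled but 'server host {host}' is an IP address; use a hostname")

    if "php-helper" in cfg:
        if not oauth_enabled:
            findings.append("php-helper is configured but oauth is not enabled")
        if mode != "self":
            findings.append(f"php-helper is configured but server mode is '{mode}', not 'self'")

    external_pages = any(args and args[0] == "external" for args in cfg.get("webpage", []))
    dns_whitelist = any(args and args[0] == "dns-whitelist" for args in cfg.get("use", []))
    if external_pages and not dns_whitelist:
        findings.append("external webpages are configured but no 'use dns-whitelist' is set")

    return findings


# Constructed sample blocks (not from the guide).
SAMPLE_OK = """\
captive-portal social
 server host cpsocial.example.net
 server mode self
 php-helper controller nx9500-6C8809
 oauth
 use aaa-policy guest
"""

SAMPLE_BAD = """\
captive-portal guest
 server host 172.16.10.9
 server mode centralized
 php-helper controller nx9500-6C8809
 oauth
 webpage external login http://cportal.example.net/login.html
 use aaa-policy guest
"""

if __name__ == "__main__":
    for name, block in (("social", SAMPLE_OK), ("guest", SAMPLE_BAD)):
        print(name, audit(block) or ["ok"])
```

Feed it the text between "captive-portal <name>" and the next prompt in a show context or show running-config dump; each finding names the setting to correct and the rule from this chapter it comes from.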
Related Commands
no              Removes a DNS whitelist or a AAA policy from the captive portal
dns-whitelist   Configures a DNS whitelist
aaa-policy      Configures a AAA policy

4.1.31.2.23 webpage
captive-portal-mode commands

Use this command to define the appearance and flow of the Web pages that requesting clients encounter when accessing a controller, service platform, or access point managed captive portal. Define whether the Web pages are maintained locally or externally to the managing device, as well as the messages displayed to requesting clients.

Configures the Web pages displayed when interacting with a captive portal. These pages are:
• acknowledgment  This page displays details for the user to acknowledge.
• agreement       This page displays Terms and Conditions that a user accepts before being allowed access to the captive portal.
• fail            This page is displayed when the user is not authenticated.
• login           This page is displayed when the user connects to the captive portal. It fetches login credentials from the user.
• no-service      This page is displayed when a captive portal user is unable to access the captive portal due to unavailability of critical services.
• registration    This page is displayed when users are redirected to a Web page where they have to register in the captive portal's database.
• welcome         This page is displayed to welcome an authenticated user to the captive portal.

These Web pages, which interact with captive portal users, can be located either on the controller or at an external location.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
webpage [external|internal]
webpage external [acknowledgment|agreement|fail|login {post}|no-service|registration|welcome] <URL>
webpage internal [acknowledgment|agreement|fail|login|no-service|org-name|org-signature|registration|welcome]
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [description|footer|header|title] <CONTENT>
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [body-background-color|body-font-color|org-background-color|org-font-color] <WORD>
webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [main-logo use-as-banner|small-logo] <URL>
webpage internal registration field [age-range|city|country|custom|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip] type [checkbox|date|dropdown-menu|e-address|number|radio-button|text] enable {label <LINE>|mandatory|title <LINE>|placeholder <LINE>}
webpage internal welcome use-external-success-url
webpage internal [org-name|org-signature] <LINE>
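The external <URL> form above can carry WING_TAG_* query tags (listed under the <URL> parameter in the table that follows), which the device substitutes with the client's IP address, MAC address, SSID and so on before redirecting the browser. What follows is an added Python example, not WiNG code and not from the guide: expand_tags() models that substitution, and parse_and_validate() is the check the external Web server hosting the page should run on the query string it receives, since every value arrives through the client's browser and can be altered or replayed before it reaches the server. The query-parameter names (client_ip, ap_mac, ssid), the percent-encoding of substituted values, the accepted MAC formats and the sample values are all assumptions or constructed for the example.

```python
"""Expand WING_TAG_* query tags and validate them on the receiving Web server.

Added example, not WiNG code. expand_tags() models the substitution the guide
describes for an external webpage <URL> (the tag names are the guide's; percent-
encoding of the substituted values is an assumption). parse_and_validate() is
the check an external portal should run on the query string it receives: every
value arrives via the client's browser, so it is validated, not trusted.
The parameter names (client_ip, ap_mac, ssid) and sample values are constructed.
"""
import ipaddress
import re
from typing import Dict
from urllib.parse import parse_qs, quote, urlsplit

TAG_RE = re.compile(r"WING_TAG_[A-Z_]+")
# The MAC format of the substituted value is not stated in the guide; accept
# the common colon- and hyphen-separated forms (assumption).
MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")

# Template in the shape of the guide's example URL (cportal.com is the guide's host).
TEMPLATE = ("http://cportal.com/policy/login.html"
            "?client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC&ssid=WING_TAG_WLAN_SSID")

# Constructed sample of the per-client values the device would substitute.
SAMPLE_VALUES = {
    "WING_TAG_CLIENT_IP": "10.1.2.3",
    "WING_TAG_AP_MAC": "00-11-22-33-44-55",
    "WING_TAG_WLAN_SSID": "Guest WiFi",
}


def expand_tags(template: str, values: Dict[str, str]) -> str:
    """Replace each WING_TAG_* token with its (percent-encoded) value.

    A tag with no value is left untouched so the receiving side can detect it.
    """
    return TAG_RE.sub(
        lambda m: quote(values[m.group(0)], safe="") if m.group(0) in values else m.group(0),
        template,
    )


def parse_and_validate(url: str) -> Dict[str, str]:
    """Server-side check of the redirect query string; raises ValueError if anything is off."""
    fields = parse_qs(urlsplit(url).query, keep_blank_values=True, strict_parsing=True)
    clean: Dict[str, str] = {}
    for key, vals in fields.items():
        if len(vals) != 1:
            raise ValueError(f"parameter {key!r} supplied more than once")
        if TAG_RE.fullmatch(vals[0]):
            raise ValueError(f"parameter {key!r} was not substituted: {vals[0]}")
        clean[key] = vals[0]
    if "client_ip" in clean:
        ipaddress.ip_address(clean["client_ip"])   # ValueError unless a literal IP
    for mac_field in ("client_mac", "ap_mac"):
        if mac_field in clean and not MAC_RE.fullmatch(clean[mac_field]):
            raise ValueError(f"{mac_field} is not a MAC address: {clean[mac_field]!r}")
    if "ssid" in clean and not 1 <= len(clean["ssid"].encode()) <= 32:
        raise ValueError("ssid must be 1-32 bytes")   # 802.11 SSID length limit
    return clean


def is_valid_redirect(url: str) -> bool:
    """Convenience wrapper: True when parse_and_validate() accepts the URL."""
    try:
        parse_and_validate(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    url = expand_tags(TEMPLATE, SAMPLE_VALUES)
    print(url)
    print(parse_and_validate(url))
    print(is_valid_redirect(expand_tags(TEMPLATE, {})))   # False: tags left unexpanded
```

The unsubstituted-tag check matters in practice: if a tag is misspelled in the configured URL, the external page receives the literal string WING_TAG_... and would otherwise store it as if it were a client address.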
Parameters
webpage external [acknowledgment|agreement|fail|login {post}|no-service|registration|welcome] <URL>

external
    Indicates the Web pages being served are hosted on an external (to the captive portal) server resource.
    acknowledgment
        Indicates the page is displayed for user acknowledgment of details. Users are redirected to this page to acknowledge information provided.
    agreement
        Indicates the page is displayed for Terms & Conditions. The agreement page provides conditions that must be agreed to before captive portal access is permitted.
    fail
        Indicates the page is displayed for login failure. The fail page asserts the authentication attempt has failed, the user is not allowed to access the Internet (using this captive portal) and must provide the correct login information again to access the Internet.
    login {post}
        Indicates the page is displayed for getting user credentials. This page is displayed by default. The login page prompts the user for a username and password to access the captive portal and proceed to either the agreement page (if used) or the welcome page.
        post  Optional. Redirects users to post externally during authentication.
    no-service
        Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The no-service page asserts the captive portal service is temporarily unavailable due to technical reasons. Once the services become available, the captive portal user is automatically connected back to the services available through the captive portal. The possible scenarios are:
        • The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated
        • The external captive portal server is not reachable
        • The connectivity between the adopted AP and controller is lost
        • The external DHCP server is not reachable
        To provide this service, enable the following:
        • External captive portal server monitoring
        • AAA server monitoring. This enables detection of RADIUS server failure.
        • External DHCP server monitoring
        For more information on enabling these critical resource monitors, see service.
    registration
        Indicates the page is displayed when users are redirected to a Web page where they have to register in the captive portal's database. Guest users are redirected to an internally (or) externally hosted registration page (registration.html) upon association to a captive portal SSID, where previously not-registered guest users can register.
    welcome
        Indicates the page is displayed after a user has been successfully authenticated. The welcome page asserts a user has logged in successfully and can access the captive portal.
    <URL>
        This parameter is common to all of the above mentioned Web pages, and specifies the Web page URL. The Web page is retrieved and served from the specified external location. The URL can include the following query tags:
        • 'WING_TAG_CLIENT_IP' - Captive portal client IPv4 address
        • 'WING_TAG_CLIENT_MAC' - Captive portal client MAC address
        • 'WING_TAG_WLAN_SSID' - Captive portal client WLAN SSID
        • 'WING_TAG_AP_MAC' - Captive portal client AP MAC address
        • 'WING_TAG_AP_NAME' - Captive portal client AP name
        • 'WING_TAG_RF_DOMAIN' - Captive portal client RF Domain
        • 'WING_TAG_CP_SERVER' - Captive portal server address
        • 'WING_TAG_USERNAME' - Captive portal authentication username
        Example: http://cportal.com/policy/login.html?client_ip=WING_TAG_CLIENT_IP&ap_mac=WING_TAG_AP_MAC
        Use the '&' or '?' character to separate field-value pairs. Enter 'ctrl-v' followed by '?' to configure the query string.

webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [description|footer|header|title] <CONTENT>
internal
    Indicates the Web pages are hosted on an internal server resource. This is the default setting.
    acknowledgment
        Indicates the Web page is displayed for users to acknowledge the information provided.
    agreement
        Indicates the page is displayed for Terms & Conditions.
    fail
        Indicates the page is displayed for login failure.
    login
        Indicates the page is displayed for entering user credentials.
    no-service
        Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The possible scenarios are:
        • The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated
        • The external captive portal server is not reachable
        • The connectivity between the adopted AP and controller is lost
        • The external DHCP server is not reachable
        To provide this service, enable the following:
        • External captive portal server monitoring
        • AAA server monitoring. This enables detection of RADIUS server failure.
        • External DHCP server monitoring
        • AP to controller connectivity monitoring
        For more information on enabling these critical resource monitors, see service.
    registration
        Indicates the page is displayed when users are redirected to a Web page where they have to register in the captive portal's database. Guest users are redirected to an internally (or) externally hosted registration page (registration.html) upon association to a captive portal SSID, where previously not-registered guest users can register.
    welcome
        Indicates the page is displayed after a user has been successfully authenticated.
    description
        Indicates the content is the description portion of each of the following internal Web pages: acknowledgment, agreement, fail, login, no-service, and welcome.
    footer
        Indicates the content is the footer portion of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome. The footer portion contains the signature of the organization that hosts the captive portal.
    header
        Indicates the content is the header portion of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome. The header portion contains the heading information for each of these pages.
    title
        Indicates the content is the title of each of the following internal Web pages: acknowledgment, agreement, fail, no-service, and welcome. The title for each of these pages is configured here.
    The following keyword is common to all of the above internal Web page options:
    <CONTENT>
        Specify the content displayed for each of the different components of the internal Web page. Enter up to 900 characters for the description and 256 characters each for the header, footer, and title.

webpage internal [acknowledgment|agreement|fail|login|no-service|registration|welcome] [main-logo use-as-banner|small-logo] <URL>
internal
    Indicates the Web pages are hosted on an internal server resource.
    agreement
        Indicates the page is displayed for Terms & Conditions.
    acknowledgment
        Indicates the Web page is displayed for users to acknowledge the information provided.
    fail
        Indicates the page is displayed for login failure.
    login
        Indicates the page is displayed for user credentials.
    no-service
        Indicates the page is displayed when certain critical services are unavailable and the user fails to access the captive portal. The possible scenarios are:
        • The RADIUS server (on-board or external) is not reachable and the user cannot be authenticated
        • The external captive portal server is not reachable
        • The connectivity between the adopted AP and controller is lost
        • The external DHCP server is not reachable
        To provide this service, enable the following:
        • External captive portal server monitoring
        • AAA server monitoring. This enables detection of RADIUS server failure.
        • External DHCP server monitoring
        • AP to controller connectivity monitoring
        For more information on enabling these critical resource monitors, see wlan.
    registration
        Indicates the page displayed is the registration page to which users are redirected in order to register in the captive portal's database. Guest users are redirected to an internally (or) externally hosted registration page (registration.html) upon association to a captive portal SSID, where previously not-registered guest users can register.
    welcome
        Indicates the page is displayed after a user has been successfully authenticated.
    The following keyword is common to all of the above internal Web page options:
    main-logo
        Indicates the main logo displayed in the header of each Web page.
        use-as-banner  Uses the image specified here as the Web page banner, in place of the logo and organization name.
    The following keyword is common to all of the above internal Web page options:
    small-logo
        Indicates the logo image displayed in the footer of each Web page, and constitutes the organization's signature.
    <URL>
        This parameter is common to the main-logo and small-logo keywords and provides the complete URL from which the main-logo and small-logo files are loaded and subsequently cached on the system. Specify the location and name of the main-logo and the small-logo image files.

webpage internal registration field [age-range|city|country|custom|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|
zip] type [checkbox|date|dropdown-menu|e-address|number|radio-button|text] enable
{label <LINE>|mandatory|title <LINE>|placeholder <LINE>}
  internal
    Indicates the Web pages are hosted on an internal server resource
  registration
    Allows you to customize the user registration page. Select this option if the captive portal's access-type is set to registration. Use the field and type options to define the input fields (for example, age-range, city, email, etc.) and the field type (for example, text, checkbox, dropdown-menu, radio-button, etc.).
    Guest users are redirected to an internally (or) externally hosted registration page (registration.html) upon association to a captive portal SSID, where previously not-registered guest users can register. If the registration Web page is not customized, the built-in, default registration page is displayed to the client.
  field [age-range|city|country|custom <WORD>|disclaimer|dob|email|gender|member|mobile|name|optout|street|via-email|via-sms|zip]
    Configures the captive portal's registration page fields. Following are the available fields and the field type(s) for each:
    age-range       Creates the age-range input field (enabled by default and included in the built-in registration page)
      dropdown-menu   Configures the age-range field as a drop-down menu
      radio-button    Configures the age-range field as a radio button menu
    city            Creates the postal address: city name input field (enabled by default and included in the built-in registration page)
      text            Configures the city field as only alpha-numeric and special characters input field
    country         Creates the postal address: country name input field (disabled by default)
      text            Configures the country field as only alpha-numeric and special characters input field
    custom <WORD>   Creates a customized field (as per your requirement). Use the custom option to create a field not included in the built-in list.
      <WORD>          Provide a name for the field. On the registration page, the field is displayed under the name specified here.
    disclaimer      Creates the client's disclaimer-confirmation input field (disabled by default)
      checkbox        Configures the disclaimer field as a check box
    dob             Creates the client's date of birth (DoB) input field (disabled by default)
      date            Configures the DoB field as only date-format input field
      dropdown-menu   Configures the DoB field as a drop-down menu
      text            Configures the DoB field as only alpha-numeric and special characters input field
    email           Creates the e-mail address input field (enabled by default and included in the built-in registration page)
      e-address       Configures the e-mail field as only e-mail address format input field
    gender          Creates the client's gender input field (disabled by default)
      dropdown-menu   Configures the gender field as a drop-down menu
      radio-button    Configures the gender field as a radio button menu
    member          Creates the client's loyalty or captive-portal membership card number input field (disabled by default)
      number          Configures the member field as only-numeric characters input field
      text            Configures the member field as only alpha-numeric and special characters input field
    mobile          Creates the mobile number input field (enabled by default and included in the built-in registration page)
      number          Configures the mobile field as only-numeric characters input field
      text            Configures the mobile field as only alpha-numeric and special characters input field
    name            Creates the client name input field (enabled by default and included in the built-in registration page)
      text            Configures the name field as only alpha-numeric and special characters input field
    optout          Creates an input field that enables clients to opt out from registering
      checkbox        Configures the optout field as a check box
    street          Creates the postal address: street name/number input field (enabled by default and included in the built-in registration page)
      text            Configures the street field as only alpha-numeric and special characters input field
    via-email       Creates the client's preferred mode of communication as e-mail input field (enabled by default and included in the built-in registration page)
      checkbox        Configures the via-email field as a check box
    via-sms         Creates the client's preferred mode of communication as SMS input field (enabled by default and included in the built-in registration page)
      checkbox        Configures the via-sms field as a check box
    zip             Creates the postal address: zip input field (enabled by default and included in the built-in registration page)
      number          Configures the zip field as only-numeric characters input field
      text            Configures the zip field as only alpha-numeric and special characters input field
  type [checkbox|date|dropdown-menu|e-address|number|radio-button|text]
    After specifying the field, configure the field type. The options displayed depend on the field selected in the previous step. These options are: checkbox, date, dropdown-menu, e-address, number, radio-button, and text.
    checkbox        Configures the field as a check box
    date            Configures the field as only date-format input field
    dropdown-menu   Configures the field as a drop-down menu
    e-address       Configures the field as an e-mail address input field
    number          Configures the field as only-numeric characters input field
    radio-button    Configures the field as a radio button
    text            Configures the field as only alpha-numeric and special characters input field
    Some of the fields can have more than one field type option. For example, the field zip can either be a numerical field or a text field. Select the one best suited for your captive portal.
  enable
    Enables the field. When enabled, the field is displayed on the registration page. After enabling the field, optionally configure the following parameters:
    label <LINE>        Optional. Configures the field's label
    mandatory           Optional. Makes the field mandatory
    title <LINE>        Optional. Configures the comma-separated list of items to include in the drop-down menu.
    placeholder <LINE>  Optional. Configures a string, not exceeding 300 characters, that is displayed within the field. If not configured, the field remains blank.

webpage internal welcome use-external-success-url

  internal                  Indicates the Web pages are hosted on an internal server resource
  welcome                   Indicates the page is displayed after a user has been successfully authenticated
  use-external-success-url  When configured, redirects the user, on successful authentication, to an externally hosted success URL from the locally-hosted landing page. Use the webpage > external > welcome > <URL> command to specify the location of the Welcome page.

webpage internal [org-name|org-signature] <LINE>

  internal        Indicates the Web pages are hosted on an internal server resource
  org-name        Specifies the company's name, included on Web pages along with the main image
  org-signature   Specifies the company's signature information, included at the bottom of Web pages along with a small image
  <LINE>          Specify the company's name or signature depending on the option selected.

Example
rfs6000-81701D(config-captive-portal-guest)#webpage external welcome http://192.168.9.46/welcome.html
rfs6000-81701D(config-captive-portal-guest)#show context
captive-portal guest
 webpage external welcome http://192.168.9.46/welcome.html
rfs6000-81701D(config-captive-portal-guest)#

nx9500-6C8809(config-captive-portal-register)#webpage internal registration field age-range type dropdown-menu enable mandatory title 10-20,20-30,30-40,50-60,60-70
nx9500-6C8809(config-captive-portal-register)#show context include-factory | include age-range
 webpage internal registration field age-range type dropdown-menu enable mandatory label "Age Range" title "10-20,20-30,30-40,50-60,60-70"
nx9500-6C8809(config-captive-portal-register)#
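The field/type table above is easy to get wrong by hand (each field accepts only a few type keywords, and a placeholder is capped at 300 characters). As an added example, not code from Extreme or from this guide, the following Python encodes that table, builds validated `webpage internal registration field ...` lines, and re-validates lines copied from `show context`. The FIELD_TYPES table is transcribed from the parameter description; the type set accepted for `custom` and the double-quote handling for <LINE> values are assumptions, since the page documents neither.

```python
import shlex

# Field -> permitted type keywords, transcribed from the parameter table above.
# The "custom" entry is an assumption: the table lists no types for it, so every
# documented type keyword is accepted there.
FIELD_TYPES = {
    "age-range": {"dropdown-menu", "radio-button"},
    "city": {"text"}, "country": {"text"}, "name": {"text"}, "street": {"text"},
    "custom": {"checkbox", "date", "dropdown-menu", "e-address", "number", "radio-button", "text"},
    "disclaimer": {"checkbox"}, "optout": {"checkbox"},
    "via-email": {"checkbox"}, "via-sms": {"checkbox"},
    "dob": {"date", "dropdown-menu", "text"},
    "email": {"e-address"},
    "gender": {"dropdown-menu", "radio-button"},
    "member": {"number", "text"}, "mobile": {"number", "text"}, "zip": {"number", "text"},
}
PLACEHOLDER_MAX = 300  # documented limit for the placeholder string
OPTIONS = ("label", "title", "placeholder")  # keywords that take a <LINE> value


def is_valid_combination(field, ftype):
    """True when `field` may be configured with type `ftype` per the table."""
    return ftype in FIELD_TYPES.get(field, set())


def _quote(value):
    """Wrap a <LINE> value in double quotes as `show context` prints it. Embedded
    quotes are rejected because the CLI's escaping rules are not documented (assumption)."""
    if '"' in value:
        raise ValueError("double quotes are not supported inside a <LINE> value")
    return '"%s"' % value


def registration_field_command(field, ftype, *, custom_name=None, mandatory=False,
                               label=None, title=None, placeholder=None):
    """Return one validated `webpage internal registration field ...` line."""
    if field not in FIELD_TYPES:
        raise ValueError("unknown registration field: %s" % field)
    if not is_valid_combination(field, ftype):
        raise ValueError("field %s cannot be of type %s (allowed: %s)"
                         % (field, ftype, ", ".join(sorted(FIELD_TYPES[field]))))
    if (field == "custom") != (custom_name is not None):
        raise ValueError("custom_name is required for, and only for, the custom field")
    if placeholder is not None and len(placeholder) > PLACEHOLDER_MAX:
        raise ValueError("placeholder exceeds %d characters" % PLACEHOLDER_MAX)
    parts = ["webpage internal registration field", field]
    if custom_name is not None:
        parts.append(custom_name)
    parts += ["type", ftype, "enable"]
    if mandatory:  # optional keywords in the order the `show context` examples above print them
        parts.append("mandatory")
    for key, value in zip(OPTIONS, (label, title, placeholder)):
        if value is not None:
            parts += [key, _quote(value)]
    return " ".join(parts)


def normalize(line):
    """Parse an existing command line (e.g. from `show context`), re-validate it
    against the table and return it in canonical form."""
    tok = shlex.split(line)
    if tok[:4] != ["webpage", "internal", "registration", "field"]:
        raise ValueError("not a registration field command: %s" % line)
    field, i, custom_name = tok[4], 5, None
    if field == "custom":
        custom_name, i = tok[i], i + 1
    if tok[i:i + 1] != ["type"] or tok[i + 2:i + 3] != ["enable"]:
        raise ValueError("expected `type <type> enable`: %s" % line)
    ftype, i, opts = tok[i + 1], i + 3, {"mandatory": False}
    while i < len(tok):
        if tok[i] == "mandatory":
            opts["mandatory"], i = True, i + 1
        elif tok[i] in OPTIONS and i + 1 < len(tok):
            opts[tok[i]], i = tok[i + 1], i + 2
        else:
            raise ValueError("unexpected token %r in: %s" % (tok[i], line))
    return registration_field_command(field, ftype, custom_name=custom_name, **opts)
```

Running `normalize()` over every `webpage internal registration field` line of a policy's `show context` output is a cheap way to confirm that a hand-edited or scripted registration page only uses documented field/type pairs before it is pushed to access points.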
In the following examples, the background and font colors have been customized for the captive portal's login page. Similar customizations can be applied to the acknowledgement, agreement, fail, welcome, no-service, and registration captive portal pages.
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login body-background-color #E7F0EB
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login body-font-color #EF68A7
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login org-background-color #EFE4E9
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal login org-font-color #BA4A21
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#show context
captive-portal cap-enhanced-policy
 webpage internal login org-background-color #EFE4E9
 webpage internal login org-font-color #BA4A21
 webpage internal login body-background-color #E7F0EB
 webpage internal login body-font-color #EF68A7
rfs6000-81701D(config-captive-portal-ca-enhanced-policy)#
The following examples configure a scenario where a successfully authenticated user is redirected to an externally hosted Welcome page from the internal landing page.
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage external welcome http://192.168.13.10/WelcomePage.html
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#webpage internal welcome use-external-success-url
rfs6000-81701D(config-captive-portal-cap-enhanced-policy)#show context
captive-portal cap-enhanced-policy
 webpage external welcome http://192.168.13.10/WelcomePage.html
 webpage internal acknowledgement org-background-color #33ff88
 webpage internal acknowledgement org-font-color #bb6622
 webpage internal acknowledgement body-background-color #22aa11
 webpage internal acknowledgement body-font-color #bb6622
 webpage internal welcome use-external-success-url
rfs6000-81701D(config-captive-portal-ca-enhanced-policy)#
Related Commands
  no   Resets or disables captive portal configurations

4.1.31.2.24 webpage-auto-upload
captive-portal-mode commands
Enables automatic upload of advanced Web pages to requesting clients on association. Enable this option if the webpage-location is selected as advanced. For more information, see webpage-location.
If this feature is enabled, access points request Web pages from the controller during adoption. If the controller has a different set of Web pages than the ones existing on the access points, the controller distributes the Web pages uploaded on it to the access points.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
webpage-auto-upload
Parameters
None
Example
rfs6000-81742D(config-captive-portal-test)#webpage-auto-upload
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 webpage-auto-upload
 logout-fqdn logout.testuser.com
rfs6000-81742D(config-captive-portal-test)#
Related Commands
  no                Disables automatic upload of advanced Web pages on a captive portal
  webpage           Configures Web pages displayed when interacting with a captive portal
  webpage-location  Specifies the location of the Web pages used for authentication

4.1.31.2.25 webpage-location
captive-portal-mode commands
Specifies the location of the Web pages used for authentication. These pages can either be hosted on the system or on an external Web server.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
webpage-location [advanced|external|internal]
Parameters
webpage-location [advanced|external|internal]
  advanced   Uses Web pages for login, welcome, failure, and terms created and stored on the controller. Select advanced to use a custom-developed directory full of Web page content that can be copied in and out of the controller, service platform, or access point. If selecting advanced, enable the webpage-auto-upload option to automatically launch the advanced pages to requesting clients upon association. For more information, see webpage-auto-upload.
  external   Uses Web pages for login, welcome, failure, and terms located on an external server. Provide the URL for each of these pages.
  internal   Uses Web pages for login, welcome, and failure that are automatically generated
Example
rfs6000-81742D(config-captive-portal-test)#webpage-location external
rfs6000-81742D(config-captive-portal-test)#show context
captive-portal test
 access-time 35
 custom-auth info bob bob@examplecompany.com
 connection-mode https
 inactivity-timeout 750
 server host 172.16.10.9
 simultaneous-users 5
 terms-agreement
 webpage-location external
 use aaa-policy test
rfs6000-81742D(config-captive-portal-test)#
Related Commands
  no                   Resets or disables captive portal Web page settings
  webpage              Configures a captive portal's Web page (acknowledgment, agreement, login, welcome, fail, no-service, and terms) settings
  webpage-auto-upload  Enables an automatic upload of advanced Web pages on a captive portal

4.1.31.2.26 welcome-back
captive-portal-mode commands
Enables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins.
When enabled, a registered captive-portal guest user, on subsequent logins, is served the Acknowledgement page only if:
- The agreement-refresh option is enabled for device-based (device and device-OTP) registration, and
- The interval between logout and login is less than the agreement-refresh timeout configured in the WLAN context.
If this interval exceeds the agreement-refresh timeout, the user is served the Agreement page. For more information on configuring the agreement-refresh timeout value, see registration.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
welcome-back pass-through
Parameters
welcome-back pass-through
  welcome-back  Enables display of the Acknowledgement page to an already registered user on subsequent captive-portal log-ins, provided the interval between logout and login is less than the agreement-refresh timeout
  pass-through  Provides the user direct Internet access, from the Welcome-back page, without any user action
Example
nx9500-6C8809(config-captive-portal-test)#show context
captive-portal test
 welcome-back pass-through
 webpage internal registration field city type text enable label "City" placeholder "Enter City"
 webpage internal registration field street type text enable label "Address" placeholder "123 Any Street"
 webpage internal registration field name type text enable label "Full Name" placeholder "Enter First Name, Last Name"
 webpage internal registration field zip type number enable label "Zip" placeholder "Zip"
 webpage internal registration field via-sms type checkbox enable title "SMS Preferred"
 webpage internal registration field mobile type number enable label "Mobile" placeholder "Mobile Number with Country code"
 webpage internal registration field age-range type dropdown-menu enable label "Age Range" title "Age Range"
 webpage internal registration field email type e-address enable mandatory label "Email" placeholder "you@domain.com"
 webpage internal registration field via-email type checkbox enable title "Email Preferred"
nx9500-6C8809(config-captive-portal-test)#
Related Commands
  no   Disables the provision of direct Internet access to once-registered, captive-portal guest users on subsequent log-ins

4.1.31.2.27 configuring device registration with dynamic VLAN assignment
captive-portal-mode commands
This section provides the configurations required to enable device registration with dynamic VLAN assignment in a multi-vendor environment.
1 Create vendor-specific RADIUS user groups and assign an allowed VLAN to each group, as shown in the following examples:
nx9500-6C8809(config)#radius-group Apple
nx9500-6C8809(config-radius-group-Apple)#policy vlan 200
nx9500-6C8809(config)#radius-group Samsung
nx9500-6C8809(config-radius-group-Samsung)#policy vlan 100
nx9500-6C8809(config)#radius-group Devices
nx9500-6C8809(config-radius-group-Devices)#policy vlan 1
Note, if necessary, configure the session-time for each of the RADIUS groups configured above. This is the duration for which a RADIUS group client's session remains active after successful authentication. Upon expiration, the RADIUS session is terminated. Use the policy > session-time > <5-144000> command to specify the session-time.
2 Create a RADIUS user pool, add users to the pool, and assign the users to the vendor-specific user groups, as shown in the following examples:
nx9500-6C8809(config)#radius-user-pool-policy Vendor-Devices
nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user Samsung password 0 samsung group Samsung
nx9500-6C8809(config-radius-user-pool-Vendor-Devices)#user test password 0 test123 group Apple
3 Create a RADIUS server policy, and associate the RADIUS groups and user pool created in steps 1 and 2 respectively, as shown in the following examples:
nx9500-6C8809(config)#radius-server-policy Guest-Radius
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-user-pool-policy Vendor-Devices
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Samsung
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Sony
nx9500-6C8809(config-radius-server-policy-Guest-Radius)#use radius-group Apple
4 Create an AAA Policy, on the controller, and configure the authentication server as self, as shown in the following example:
nx9500-6C8809(config)#aaa-policy OnBoard-NX
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#authentication server 1 onboard controller
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#show context
aaa-policy OnBoard-NX
 authentication server 1 onboard self
nx9500-6C8809(config-aaa-policy-OnBoard-NX)#
5 Create a captive-portal, point it to the captive-portal server, enable RADIUS VLAN assignment, and associate the AAA policy, as shown in the following examples:
nx9500-6C8809(config)#captive-portal DeviceRegistration
nx9500-6C8809(config-captive-portal-DeviceRegistration)#server host captive.extremenoc.com
nx9500-6C8809(config-captive-portal-DeviceRegistration)#radius-vlan-assignment
nx9500-6C8809(config-captive-portal-DeviceRegistration)#use aaa-policy OnBoard-NX
nx9500-6C8809(config-captive-portal-DeviceRegistration)#access-type radius
6 Configure a WLAN and enable RADIUS VLAN assignment, as shown in the following examples:
nx9500-6C8809(config)#wlan CP-OnBoarding
nx9500-6C8809(config-wlan-CP-OnBoarding)#ssid CP-OnBoarding
nx9500-6C8809(config-wlan-CP-OnBoarding)#radius vlan-assignment
nx9500-6C8809(config-wlan-CP-OnBoarding)#use aaa-policy OnBoard-NX
nx9500-6C8809(config-wlan-CP-OnBoarding)#use captive-portal DeviceRegistration
nx9500-6C8809(config-wlan-CP-OnBoarding)#captive-portal-enforcement fall-back
nx9500-6C8809(config-wlan-CP-OnBoarding)#registration device group-name Devices expiry-time 4320
nx9500-6C8809(config-wlan-CP-OnBoarding)#authentication-type mac
7 Create an access point profile, associate the RADIUS server policy and captive-portal policy to it, and also assign the WLAN to the AP radio, as shown in the following examples:
nx9500-6C8809(config-profile-SITE-10)#use radius-server-policy Guest-Radius
nx9500-6C8809(config-profile-SITE-10)#use captive-portal server DeviceRegistration
nx9500-6C8809(config-profile-SITE-10-if-radio2)#wlan CP-OnBoarding bss 1 primary
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport mode trunk
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk native vlan 90
nx9500-6C8809(config-profile-SITE-10-if-ge1)#switchport trunk allowed vlan 1,90,1000-1002
nx9500-6C8809(config-profile-SITE-10-if-ge1)#no switchport trunk native tagged
8 Use the access point profile in the access point's device context.
Related Commands
  radius-server-policy     Documents RADIUS server policy configuration commands
  radius-group             Documents RADIUS group policy configuration commands
  radius-user-pool-policy  Documents RADIUS user policy configuration commands
  aaa-policy               Documents AAA policy configuration commands
  captive portal           Documents captive-portal configuration commands
  wlan                     Documents WLAN configuration commands
  Profile Config Commands  Documents profile configuration commands
  guest-registration       Documents the show > guest-registration command and outputs. Use this command to view guest registration statistics once device-registration is enabled.

4.1.31.2.28 configuring WeChat Wi-Fi hotspot support in WiNG captive portal
captive-portal-mode commands
WeChat is a popular messaging app used in China with more than 500 million installations. WeChat's Wi-Fi hotspot solution allows businesses to provide Internet access to their customers. The WiNG captive portal can be configured to incorporate the WeChat Wi-Fi hotspot, so that WeChat users, on their first connection to a WiNG access point, can automatically authenticate with the WeChat server through an intermediate server.
This section provides an example that shows the configurations required on the WiNG portal to enable the WeChat Wi-Fi hotspot.
1 Create an AAA policy re-directing the WiNG captive portal user to WeChat's AAA server for authentication, as shown in the following example:
nx9500-6C8809(config)#aaa-policy cloud2
nx9500-6C8809(config-aaa-policy-cloud2)#authentication server 1 host cloud2.synchroweb.com secret 0 firmware
nx9500-6C8809(config-aaa-policy-cloud2)#show context
aaa-policy cloud2
 authentication server 1 host cloud2.synchroweb.com secret 0 firmware
nx9500-6C8809(config-aaa-policy-cloud2)#
Note, Synchroweb is an independent software vendor (ISV), whose third-party software is being used as the intermediate server. The AAA server and RADIUS accounting server configured in the AAA policy must be as per the specification provided by the ISV.
2 Create a DNS whitelist, whitelisting WeChat's server name in order to initiate RADIUS authentication. The qq.com domain name is where the WeChat server can be reached.
nx9500-6C8809(config)#dns-whitelist wxWL
nx9500-6C8809(config-dns-whitelist-wxWL)#permit cloud2.synchroweb.com
nx9500-6C8809(config-dns-whitelist-wxWL)#permit qq.com suffix
nx9500-6C8809(config-dns-whitelist-wxWL)#show context
dns-whitelist wxWL
 permit qq.com suffix
 permit cloud2.synchroweb.com
nx9500-6C8809(config-dns-whitelist-wxWL)#
3 Create a captive portal and associate the AAA policy and DNS whitelist created in steps 1 and 2, as shown in the following example:
nx9500-6C8809(config)#captive-portal wxCP
nx9500-6C8809(config-captive-portal-wxCP)#use aaa-policy cloud2
nx9500-6C8809(config-captive-portal-wxCP)#use dns-whitelist wxWL
4 Configure the following captive portal parameters:
nx9500-6C8809(config)#captive-portal wxCP
nx9500-6C8809(config-captive-portal-wxCP)#access-time 10
nx9500-6C8809(config-captive-portal-wxCP)#server host guest.extreme.com
nx9500-6C8809(config-captive-portal-wxCP)#webpage-location external
nx9500-6C8809(config-captive-portal-wxCP)#webpage external login http://cloud2.synchroweb.com/wechat.nx/index.phpc=WING_TAG_CLIENT_MAC
nx9500-6C8809(config-captive-portal-wxCP)#show context
captive-portal wxCP
 access-time 10
 server host guest.extreme.com
 webpage-location external
 webpage external login http://cloud2.synchroweb.com/wechat.nx/index.phpc=WING_TAG_CLIENT_MAC
 use aaa-policy cloud2
 use dns-whitelist wxWL
--More--
nx9500-6C8809(config-captive-portal-wxCP)#
Note, the login URL configured here must be as per the specifications provided by the ISV.
Note, the access-type remains unchanged (i.e., radius, which is the default setting). The access-time is set to a minimum value (10 minutes in this example) in order to avoid the default value of 24 hours being applied, in case the RADIUS response does not contain the session-timeout attribute.
5 Create a WLAN and associate the captive portal created in step 3:
nx9500-6C8809(config)#wlan wxOpen
nx9500-6C8809(config-wlan-wxOpen)#ssid wxOpen
nx9500-6C8809(config-wlan-wxOpen)#vlan 200
nx9500-6C8809(config-wlan-wxOpen)#use captive-portal wxCP
nx9500-6C8809(config-wlan-wxOpen)#captive-portal-enforcement
nx9500-6C8809(config-wlan-wxOpen)#show context
wlan wxOpen
 ssid wxOpen
 vlan 200
 bridging-mode local
 encryption-type none
 authentication-type none
 use captive-portal wxCP
 captive-portal-enforcement
nx9500-6C8809(config-wlan-wxOpen)#
Note, the modes of authentication and encryption remain unchanged (i.e., none, which is the default setting for both parameters). Ensure captive-portal-enforcement is enabled on the WLAN.
Related Commands
  AAA-POLICY      Documents AAA policy configuration mode commands
  dns-whitelist   Documents DNS whitelist configuration mode commands
  captive portal  Documents captive portal configuration mode commands
  wlan            Documents WLAN configuration mode commands

4.1.31.2.29 configuring ExtremeGuest captive-portal
captive-portal-mode commands
This section documents the basic configurations required to deploy an ExtremeGuest (EGuest) setup. A typical EGuest deployment consists of the EGuest server, the EGuest captive-portal database, and the NOC adopting the access points. The EGuest server and database can be hosted only on the VX9000 platform. In the following example, the EGuest server and database are hosted on the same device.
1 On the EGuest server/database host:
  a Enable the EGuest daemon. When enabled, the EGuest server is up and running.
    EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#eguest-server
  b Apply a database-policy to enable the EGuest database.
    EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#use database-policy default
  c Configure the NTP server. This is to ensure time synchronization across replica-set members (this is mandatory in replica-set deployments and should be configured either on the replica-set member's device or profile context).
    EG-Server-DB(config-device-02-EE-1A-7E-AE-5B)#ntp server time.nist.govt
2 On the NOC:
  a Create an AAA policy with the following configurations:
- Configure the EGuest server (configured in Step 1) as the authentication and accounting RADIUS server. NOC(config-aaa-policy-EguestAAA)#authentication server 1 host EG-Server secret 0 extreme123 NOC(config-aaa-policy-EguestAAA)#accounting server 1 host EG-Server secret 0 extreme123
- Configure the proxy-mode as through-controller. When configured, all requests to the server are proxied through the NOC. NOC(config-aaa-policy-EguestAAA)#authentication server 1 proxy-mode through-
controller NOC(config-aaa-policy-EguestAAA)#accounting server 1 proxy-mode through-
controller NOC(config-aaa-policy-EguestAAA)#show context aaa-policy EguestAAA accounting server 1 host EG-OnBServer secret 0 extreme123 accounting server 1 proxy-mode through-controller authentication server 1 host EG-Server secret 0 extreme123 authentication server 1 proxy-mode through-controller NOC(config-aaa-policy-EguestAAA)#
b Create a DNS whitelist. Note, DNS whitelist configuration is required only if enabling OAuth on the EGuest captive-portal. When created and used on the EGuest captive-portal, the DNS whitelist renders social plugin buttons on the client prior to successful captive portal authentication.
- Configure the following permit rules:
NOC(config-dns-whitelist-EguestDNS)#permit fbstatic-a.akamaihd.net NOC(config-dns-whitelist-EguestDNS)#permit connect facebook.net NOC(config-dns-whitelist-EguestDNS)#permit facebook.com suffix NOC(config-dns-whitelist-EguestDNS)#permit fbcdn.net suffix Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 143 GLOBAL CONFIGURATION COMMANDS NOC(config-dns-whitelist-EguestDNS)#permit googleapis.com suffix NOC(config-dns-whitelist-EguestDNS)#permit google.com suffix NOC(config-dns-whitelist-EguestDNS)#permit googleusercontent.com suffix NOC(config-dns-whitelist-EguestDNS)#permit linkedin.com suffix NOC(config-dns-whitelist-EguestDNS)#permit static.licdn.com NOC(config-dns-whitelist-EguestDNS)#permit twitter.com suffix NOC(config-dns-whitelist-EguestDNS)#permit twimg.com suffix NOC(config-dns-whitelist-EguestDNS)#permit instagramstatic-a.akamaihd.net NOC(config-dns-whitelist-EguestDNS)#permit instagram.com suffix NOC(config-dns-whitelist-EguestDNS)#permit ssl.gstatic.com NOC(config-dns-whitelist-EguestDNS)#permit extremenetworks.com suffix NOC(config-dns-whitelist-EguestDNS)#permit local.extreme.com c Create a captive-portal with the following configurations:
- Specify the captive-portal server.
NOC(config-captive-portal-EguestCP)#server host guest.extreme.com
- Use the AAA policy created in Step 2 a.
NOC(config-captive-portal-EguestCP)#use aaa-policy EguestAAA
- Enable social-media authentication. This setting is optional.
NOC(config-captive-portal-EguestCP)#oauth
- Use the DNS whitelist created in Step 2 b. Note: the DNS whitelist is required only if enabling OAuth on the captive-portal.
NOC(config-captive-portal-EguestCP)#use dns-whitelist EguestDNS
- Configure the webpage-location as advanced. Note: webpage-location should be advanced if using pages created with EGuest splash templates.
NOC(config-captive-portal-EguestCP)#webpage-location advanced
d Create a WLAN policy with the following configurations:
- Enable MAC authentication.
NOC(config-wlan-EguestWLAN)#authentication-type mac
- Use the AAA policy created in Step 2 a.
NOC(config-wlan-EguestWLAN)#use aaa-policy EguestAAA
-- When used, access points/controllers forward registration requests to the EGuest server specified in the AAA policy. However, ensure that the registration > external > follow-aaa option is configured on the WLAN. See below.
NOC(config-wlan-EguestWLAN)#registration external follow-aaa
-- This enables the use of the Authentication and Accounting servers specified in the AAA policy applied on the WLAN.
- Use the captive-portal created in Step 2 c.
NOC(config-wlan-EguestWLAN)#use captive-portal EguestCP
- Enable captive-portal enforcement with fall-back.
NOC(config-wlan-EguestWLAN)#captive-portal-enforcement fall-back
- Configure the following guest registration parameters:
NOC(config-wlan-EguestWLAN)#registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
-- This is the RADIUS group assigned to registered users post authentication.
NOC(config-wlan-EguestWLAN)#show context
wlan EguestWLAN
 ssid _EXTREME-GUEST-NRF2017
 vlan 1
 bridging-mode local
 encryption-type none
 authentication-type mac
 no answer-broadcast-probes
 no client-client-communication
 wireless-client hold-time 300
 use aaa-policy EguestAAA
 use captive-portal EguestCP
 captive-portal-enforcement fall-back
 registration device group-name Eguest expiry-time 4320 agreement-refresh 1440
 registration external follow-aaa
 mac-authentication cached-credentials
NOC(config-wlan-EguestWLAN)#
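The DNS whitelist from Step 2 b mixes exact host entries (permit static.licdn.com) with suffix entries (permit facebook.com suffix), and every name it permits is reachable by a client before captive-portal authentication. The Python below is an added illustration of that distinction, not WiNG code. The page does not define how a suffix entry is compared, so the matcher assumes that an entry without suffix matches only that exact host and that a suffix entry matches the domain itself and any subdomain, compared on whole DNS labels; the rule list it parses is a constructed subset of the EguestDNS whitelist.

```python
"""Exact-host versus suffix rules of a captive-portal DNS whitelist.

Added example, not WiNG code. Assumed semantics (the page does not state them):
`permit <host>` matches only that host, `permit <host> suffix` matches the host
and any subdomain of it, with the comparison made on whole DNS labels.
"""


def normalise(name: str) -> str:
    """Lower-case and drop a trailing dot so 'Facebook.COM.' compares equal to 'facebook.com'."""
    return name.rstrip(".").lower()


def parse_whitelist(cli_lines):
    """Turn `permit <host> [suffix]` CLI lines into (host, is_suffix) rules; other lines are skipped."""
    rules = []
    for line in cli_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "permit":
            continue
        rules.append((normalise(parts[1]), len(parts) > 2 and parts[2] == "suffix"))
    return rules


def whitelist_allows(rules, fqdn: str) -> bool:
    """True if the whitelist would let an unauthenticated client resolve `fqdn`."""
    name = normalise(fqdn)
    for host, is_suffix in rules:
        if name == host:
            return True
        # Label boundary: "www.facebook.com" passes, "notfacebook.com" must not.
        if is_suffix and name.endswith("." + host):
            return True
    return False


# Constructed subset of the EguestDNS whitelist shown in Step 2 b.
EGUEST_DNS = parse_whitelist([
    "permit facebook.com suffix",
    "permit static.licdn.com",
    "permit local.extreme.com",
])
```

The label-boundary check is the detail worth confirming when reviewing a whitelist: a suffix entry compared as a plain string suffix would also pass unrelated names that happen to end in the same characters, which widens the pre-authentication hole the whitelist deliberately opens.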
e In the NOC's self context, configure the EGuest server.
NOC(config-device-74-67-F7-5C-64-4A)#eguest-server host 1 EG-Server https
3 In the Access Point's device or profile context:
a Use the captive-portal configured in Step 2 c.
Eguest-AP(config-device-74-67-F7-5C-64-4A)#use captive-portal EguestCP
4 To view EGuest registration status and statistics, on the EGuest server, use the following commands:
EG-Server-DB#show eguest registration statistics
EG-Server-DB#show eguest registration status
5 To clear EGuest registration statistics, on the EGuest server, use the following command:
EG-Server-DB#clear eguest registration statistics
Related Commands
eguest-server (VX9000 only)  Documents the eguest-server command. When used in the EGuest server's device/profile context, without the host option, it enables the EGuest daemon. When used on the NOC along with the host option, it points to the EGuest server.
AAA-POLICY  Documents AAA policy configuration commands
dns-whitelist  Documents DNS-whitelist configuration commands
captive portal  Documents captive-portal configuration commands
wlan  Documents WLAN configuration commands
eguest  Documents the show > eguest command outputs

4.1.32 clear (Global Configuration Commands)
Clears parameters, cache entries, table entries, and other similar entries. The clear command is available for specific commands only. The information cleared using this command varies depending on the mode where it is executed.
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
clear event-history
Parameters
clear event-history
event-history  Clears the event history file
Example
rfs4000-880DA7(config)#show event-history
EVENT HISTORY REPORT Generated on '2017-06-09 14:23:31 IST' by 'admin'
2017-06-09 14:16:28 rfs4000-880DA7 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-09 14:06:21 rfs4000-880DA7 DEVICE OFFLINE Device B4-C7-99-71-17-28(ap8132-711728) is offline, last seen:10 minutes ago on switchport ap7522-8330A4:ge1
2017-06-09 13:46:15 rfs4000-880DA7 SYSTEM CONFIG_REVISION Configuration revision updated to 10 from 9
2017-06-09 13:36:12 rfs4000-880DA7 SYSTEM CONFIG_REVISION Configuration revision updated to 9 from 8
2017-06-09 13:26:09 rfs4000-880DA7 SYSTEM CONFIG_COMMIT Configuration commit by user 'cfgd' (site apply config diff) from '127.0.0.1'
2017-06-09 13:16:06 rfs4000-880DA7 DEVICE UNADOPTED Device('ap8132-711728'/'ap81xx'/B4-C7-99-71-17-28) at rf-domain:'TechPubs' unadopted. Radios: Count=2, Bss: B4-C7-99-78-53-10|B4-C7-99-78-53-70|
2017-06-09 13:10:047 ap8132-711728 SYSTEM WARM_START System Warm Start Reason : Upgrade done, reloading... (user: system @ rfs4000-880DA7) Timestamp: Nov 04 11:32:27 2016
2017-06-09 13:06:03 rfs4000-880DA7 DEVICE DEVICE_UPGRADE_REBOOT DEVICEUPGRADE: ap81xx mac B4-C7-99-71-17-28 Device upgrade rebooting
--More--
rfs4000-880DA7(config)#
rfs4000-880DA7(config)#clear event-history
rfs4000-880DA7(config)#show event-history
EVENT HISTORY REPORT Generated on '2017-06-09 14:27:05 IST' by 'admin'
rfs4000-880DA7(config)#
4.1.33 client-identity (Global Configuration Commands)
With an increase in Bring Your Own Device (BYOD) corporate networks, there is a parallel increase in the number of possible attack scenarios within the network. BYOD devices are inherently unsafe, as the organization's security mechanisms do not extend to these personal devices deployed in the corporate wireless network. Organizations can protect their network by limiting how and what these BYODs can access on and through the corporate network.
Device fingerprinting assists administrators by controlling how BYOD devices access a corporate wireless domain. Device fingerprinting uses DHCP options sent by the client in request or discover packets to derive a unique signature specific to a device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify the devices and assign permissions and restrictions on each device class.
The following table summarizes the commands available for creating and configuring a set of new client identity parameters:
Table 4.12 Client-Identity-Config Commands
Command | Description | Reference
---|---|---
client-identity | Creates a new client identity and enters its configuration mode | page 4-148
client-identity-mode commands | Invokes the client identity policy configuration mode commands | page 4-150
client-identity-group | Creates a new client identity group and enters its configuration mode | page 4-156
4.1.33.1 client-identity (client-identity)
Creates a new client identity and enters its configuration mode.
A client identity is a set of unique fingerprints used to identify a class of devices. This information is used to configure permissions and access rules for the identified class of devices in the network.
The client-identity feature enables device fingerprinting. Device fingerprinting is a technique of collecting, analyzing, and identifying traffic patterns originating from remote computing devices. When enabled, device fingerprinting helps to identify a wireless client's device type. There are two methods of fingerprinting devices: active and passive.
Active fingerprinting is based on the fact that traffic patterns vary with device type. It involves sending requests (HTTP, etc.) to devices (clients) and analyzing their responses to determine the device type. For example, an invalid request is sent to a device, and its error response is analyzed to identify the device type. Since active device fingerprinting involves sending packets, the probability of the network getting flooded is very high, especially when many devices are being fingerprinted simultaneously.
Passive fingerprinting involves monitoring devices to check for known traffic patterns specific to devices based on the protocol, driver implementation, etc. This method accurately classifies a client's TCP/IP configuration, OS fingerprints, wireless settings, etc. No packets are sent to the device. Some of the commonly used protocols for passive device fingerprinting are TCP, DHCP, HTTP, etc.
This feature implements DHCP device fingerprinting, which relies on specific information sent by a wireless client when acquiring an IP address and other configuration information from a DHCP server. The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices. For example, Apple devices have a different signature than Android devices. This unique signature can then be used to classify the devices and assign permissions and restrictions on each device class.
The WiNG software provides a set of built-in device fingerprints that load by default and identify client device types. Use the service > show > client-identity-defaults command to view the default client identity fingerprints.
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
client-identity <CLIENT-IDENTITY-NAME>
Parameters
client-identity <CLIENT-IDENTITY-NAME>
client-identity <CLIENT-IDENTITY-NAME>  Creates a new client identity policy and enters its configuration mode
  <CLIENT-IDENTITY-NAME>  Specify a client identity policy name. If the client identity policy does not exist, it is created.
Usage Guidelines
The following points should be considered when configuring the client identity (device fingerprinting) feature:
- Ensure that DHCP is enforced on the WLANs. For more information on enforcing DHCP on WLANs, see enforce-dhcp.
- Successful identification of different device types depends on the uniqueness of the configured fingerprints. DHCP fingerprinting identifies clients based on the patterns (fingerprints) in the DHCP discover and request messages sent by clients. If different operating systems have the same fingerprints, it will be difficult to identify the device type.
- When associating client identities with a role policy, ensure that the profile/device under which the role policy is being used also has an associated client identity group (containing all the client identities used by the role policy).
Example
rfs4000-229D58(config)#client-identity test
rfs4000-229D58(config-client-identity-test)#?
Client Identity Mode commands:
  dhcp                     Add a DHCP option based match criteria
  dhcp-match-message-type  Specify DHCP message type to match
  no                       Negate a command or set its defaults

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

rfs4000-229D58(config-client-identity-test)#
Use the service > show > client-identity-defaults command to view the default, built-in, system-provided client identity fingerprints:
nx9500-6C8809#service show client-identity-defaults
client-identity Android-2-1
 dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1
client-identity Android-2-2
 dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
client-identity Android-2-3
 dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
 dhcp 1 message-type request option-codes exact hexstring 353d32393c37
 dhcp 2 message-type request option-codes exact hexstring 353d3236393c37
 dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37
--More--
nx9500-6C8809#
4.1.33.2 client-identity-mode commands (client-identity)
The following table summarizes client identity configuration mode commands:
Table 4.13 Client-Identity-Mode Commands
Command | Description | Reference
---|---|---
dhcp | Configures the DHCP option match criteria for device fingerprinting | page 4-151
dhcp-match-message-type | Configures the DHCP message type for device fingerprinting | page 4-154
no | Removes the DHCP option (used for client identification) configurations | page 4-155

4.1.33.2.1 dhcp (client-identity-mode commands)
Configures the DHCP option match criteria (signature) for the discover and request message types received from wireless clients.
When accessing a network, DHCP discover and request messages are passed between wireless clients and the DHCP server. These messages contain DHCP options and option values that differ from device to device and are based on the DHCP implementation in the device's operating system (OS). Options and option values contained in a client's messages are parsed and compared against the configured DHCP option values to identify the device. Once a device type is identified, the wireless client database is updated with the discovered device type.
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
dhcp <1-16> message-type [discover|request] [option|option-codes]
dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes] [contains|exact|starts-with] [ascii|hexstring] <WORD>
Parameters
dhcp <1-16> message-type [discover|request] [option <1-254>|option-codes] [contains|exact|starts-with] [ascii|hexstring] <WORD>
dhcp <1-16>  Adds a DHCP option match criteria signature
  <1-16>  Specify an index for this DHCP match criteria from 1 - 16. A maximum of 16 match criteria can be configured.
message-type [discover|request]  Specifies the message type to which this DHCP match criteria is applicable
  discover  Applies this match criteria to DHCP discover messages only. Indicates that the fingerprint is checked only against DHCP discover messages received from any device.
  request  Applies this match criteria to DHCP request messages only. Indicates that the fingerprint is checked only against DHCP request messages received from any device. It is recommended to configure client-identity with request messages, because clients rarely send discover messages.
  If the message type is not specified, the fingerprint is checked against all message types (DHCP request and DHCP discover).
The following keywords are common to the discover and request message types:
option <1-254>  Configures a DHCP option value, which is used as the match criteria
  <1-254>  Configures a code for this DHCP option from 1 - 254 (except option 53)
option-codes  Matches criteria based on the DHCP option codes contained in the client's discover/request messages. Devices pass options in their DHCP discover/request messages as option codes, option types, and option value sets. These option codes are extracted and matched against the configured DHCP option codes and a fingerprint is derived. This derived fingerprint is used to identify the device.
The following keywords are common to the option and option-codes parameters:
contains  Specifies that the DHCP options received in the client's discover/request messages contain the configured option code string
exact  Specifies that the DHCP options received in the client's discover/request messages are an exact match with the configured option code string
starts-with  Specifies that the DHCP options received in the client's discover/request messages start with the configured option code string
The following keywords are common to the contains, exact, and starts-with parameters:
ascii <WORD>  Configures the DHCP option in ASCII format
  <WORD>  Specify the DHCP option ASCII value to match.
hexstring <WORD>  Configures the DHCP option in hexadecimal format
  <WORD>  Specify the DHCP option hexstring value to match.
Usage Guidelines
The following DHCP options are useful for identifying different device types:
- Option 55: Used by a DHCP client to request values for specific configuration parameters. It is a list of DHCP option codes and can be in the client's order of preference. The client-configured list of DHCP options is parsed into a hex string.
- Option 60: Vendor class identifier. Used to identify the vendor and functionality of a DHCP client (some devices do not set the value of this field).
Though it is possible to use any option to configure a device fingerprint, using a combination of one or more of the preceding options to define a device is recommended.
Example
rfs4000-229D58(config-client-identity-test)#dhcp 1 message-type request option 60 exact ascii MSFT\5.0
rfs4000-229D58(config-client-identity-test)#dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
rfs4000-229D58(config-client-identity-test)#
Related Commands
no  Removes a DHCP option signature (match criteria)

4.1.33.2.2 dhcp-match-message-type (client-identity-mode commands)
Configures the DHCP message type to match.
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
dhcp-match-message-type [all|any|discover|request]
Parameters
dhcp-match-message-type [all|any|discover|request]
dhcp-match-message-type [all|any|discover|request]  Specifies the DHCP message type to consider for matching
  all  Matches all message types: discover and request. Indicates that the fingerprint is checked against both the DHCP request and the DHCP discover message.
  any  Matches any message type: discover or request. Indicates that the fingerprint is checked against either the DHCP request or the DHCP discover message.
  discover  Matches discover messages only. A client matches the client identity only if the discover message sent by the client matches. Values configured for request messages are ignored.
  request  Matches request messages only. A client matches the client identity only if the request message sent by the client matches. Values configured for discover messages are ignored.
Example
rfs4000-229D58(config-client-identity-test)#dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
 dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#
Related Commands
no  Removes the DHCP message type to match

4.1.33.2.3 no (client-identity-mode commands)
Removes the DHCP option match criteria configurations.
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [dhcp <1-16>|dhcp-match-message-type]
Parameters
no [dhcp <1-16>|dhcp-match-message-type]
dhcp <1-16>  Removes the DHCP option match criteria rule identified by the <1-16> keyword
  <1-16>  Specify the DHCP option match criteria rule index
dhcp-match-message-type  Removes the DHCP message type to match
Example
The following example shows the client identity test settings before the no commands are executed:
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
 dhcp-match-message-type all
rfs4000-229D58(config-client-identity-test)#
The following example shows the client identity test settings after the no commands are executed:
rfs4000-229D58(config-client-identity-test)#no dhcp 2
rfs4000-229D58(config-client-identity-test)#no dhcp-match-message-type
rfs4000-229D58(config-client-identity-test)#show context
client-identity test
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
rfs4000-229D58(config-client-identity-test)#
Related Commands
dhcp  Configures the DHCP option match criteria for device fingerprinting
dhcp-match-message-type  Configures the DHCP message type for device fingerprinting

4.1.34 client-identity-group (client-identity)
The following table summarizes commands available to enter the client identity group configuration mode:
Table 4.14 Client-Identity-Group Config Commands
Command | Description | Reference
---|---|---
client-identity-group | Creates a new client identity group and enters its configuration mode | page 4-157
client-identity-group-mode commands | Invokes the client identity group configuration mode commands | page 4-158
client-identity | Creates a new client identity policy and enters its configuration mode | page 4-147

4.1.34.1 client-identity-group (client-identity-group)
Configures a new client identity group.
A client identity group is a collection of client identities. Each client identity included in a client identity group is assigned a precedence value that indicates the priority of that identity during device fingerprinting.
Device fingerprinting relies on specific information sent by a wireless client when acquiring an IP address and other configuration information from a DHCP server. The feature uses the DHCP options sent by the wireless client in the DHCP request or discover packets to derive a unique signature specific to the class of devices. For example, Apple devices have a different signature than Android devices. This unique signature can then be used to classify the devices and assign permissions and restrictions on each device class.
A client identity group can be attached to a profile or device, enabling device fingerprinting on them.
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
Parameters
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
client-identity-group <CLIENT-IDENTITY-GROUP-NAME>  Creates a new client identity group and enters its configuration mode
  <CLIENT-IDENTITY-GROUP-NAME>  Specify a client identity group name. If the group does not exist, it is created.
Example
rfs4000-229D58(config)#client-identity-group test
rfs4000-229D58(config-client-identity-group-test)#
Client Identity group Mode commands:
  client-identity  Client identity (DHCP Device Fingerprinting)
  load             Load Client identity Fingerprints
  no               Negate a command or set its defaults

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

rfs4000-229D58(config-client-identity-group-test)#
4.1.34.2 client-identity-group-mode commands (client-identity-group)
The following table summarizes client identity group configuration mode commands:
Table 4.15 Client-Identity-Group-Mode Commands
Command | Description | Reference
---|---|---
client-identity | Associates an existing and configured client identity (device fingerprint) with this client identity group | page 4-159
load | Loads default (system-provided) client identity fingerprints | page 4-161
no | Removes the client identity associated with this client identity group | page 4-155

4.1.34.2.1 client-identity (client-identity-group-mode commands)
Associates an existing and configured client identity (device fingerprint) with this client identity group.
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
Parameters
client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
client-identity <CLIENT-IDENTITY-NAME>  Associates a client identity with this group
  <CLIENT-IDENTITY-NAME>  Specify a client identity name (it should already exist and be configured)
precedence <1-10000>  Determines the order in which the client identity is used
  <1-10000>  Specify this client identity's precedence from 1 - 10000. The client identity rule is applied based on its precedence value: the lower the value, the higher the precedence. Therefore, a client identity with precedence 5 gets precedence over a client identity with precedence 20.
Example
The following example shows two client identities created and configured:
rfs4000-229D58(config)#show context
!
! Configuration of RFS4000 version 5.9.1.0-029R
!
!
version 2.5
!
!
client-identity TestClientIdentity
 dhcp 1 message-type request option-codes exact hexstring 5e4d36780b3a7f
!
client-identity test
 dhcp 2 message-type discover option 2 exact hexstring 012456c22c44
 dhcp 1 message-type request option 60 exact ascii MSFT5.0
 dhcp-match-message-type all
!
client-identity-group ClientIdentityGroup
 client-identity TestClientIdentity precedence 1
!
client-identity-group test
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
--More--
rfs4000-229D58(config)#
The following example associates client identity test with the client identity group test:
rfs4000-229D58(config-client-identity-group-test)#client-identity test precedence 1
The following example shows the client identity group test with two associated client identities having precedence 1 and 2:
rfs4000-229D58(config-client-identity-group-test)#client-identity TestClientIdentity precedence 2
rfs4000-229D58(config-client-identity-group-test)#show context
client-identity-group test
 client-identity test precedence 1
 client-identity TestClientIdentity precedence 2
rfs4000-229D58(config-client-identity-group-test)#
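The dhcp command in 4.1.33.2.1 and the precedence parameter of this command together describe how a client is classified: option values and the sequence of option codes are extracted from the client's DHCP discover or request message, compared with contains, exact or starts-with rules given in ascii or hexstring form, and, among the identities of the group that match, the one with the lowest precedence value wins. The Python below is an added example that re-implements that flow for illustration; it is not WiNG code. The DHCP message, the dhcpcd-generic and Windows-MSFT identities and the precedence values are constructed; Android-2-1 reuses the option 55 and option 60 rules from the page's default fingerprints (the CLI writes the space in dhcpcd\ 4.0.1 escaped, the code uses the plain string). The page does not state how several dhcp entries of one identity combine, so the code assumes that every entry configured for the observed message type must match.

```python
"""DHCP device-fingerprint matching in the style of WiNG client-identity rules.
Added example, not WiNG code: parses a constructed DHCP options field, derives the
per-option values and the option-codes sequence the CLI matches on, and picks an
identity from a group by precedence."""
from __future__ import annotations

from dataclasses import dataclass

DHCP_MAGIC = b"\x63\x82\x53\x63"           # RFC 2132 magic cookie preceding the options
MSG_TYPES = {1: "discover", 3: "request"}  # option 53 values handled by this example


def parse_dhcp_options(payload: bytes) -> tuple[list[int], dict[int, bytes]]:
    """Return (option codes in wire order, {code: value}); `payload` starts at the cookie."""
    if not payload.startswith(DHCP_MAGIC):
        raise ValueError("missing DHCP magic cookie")
    codes: list[int] = []
    values: dict[int, bytes] = {}
    i = len(DHCP_MAGIC)
    while i < len(payload):
        code = payload[i]
        if code == 0:                             # pad byte, no length field
            i += 1
            continue
        if code == 255 or i + 1 >= len(payload):  # end marker, or truncated length
            break
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:                  # value runs past the end: stop, don't raise
            break
        codes.append(code)
        values.setdefault(code, value)            # first occurrence of a repeated option wins
        i += 2 + length
    return codes, values


@dataclass
class DhcpRule:
    """One `dhcp <idx> message-type <t> [option N|option-codes] <match> <fmt> <WORD>` line."""
    message_type: str      # "discover" or "request"
    option: int | None     # None stands for option-codes
    match: str             # contains | exact | starts-with
    fmt: str               # ascii | hexstring
    word: str

    def matches(self, codes: list[int], values: dict[int, bytes]) -> bool:
        got = bytes(codes) if self.option is None else values.get(self.option)
        if got is None:
            return False
        want = bytes.fromhex(self.word) if self.fmt == "hexstring" else self.word.encode()
        if self.match == "exact":
            return got == want
        if self.match == "starts-with":
            return got.startswith(want)
        if self.match == "contains":
            return want in got
        raise ValueError(f"unknown match type {self.match!r}")


@dataclass
class ClientIdentity:
    name: str
    rules: list[DhcpRule]

    def matches(self, msg_type: str, codes: list[int], values: dict[int, bytes]) -> bool:
        # Assumption (the page does not say): every rule configured for the observed
        # message type must match, and at least one such rule must exist.
        relevant = [r for r in self.rules if r.message_type == msg_type]
        return bool(relevant) and all(r.matches(codes, values) for r in relevant)


def identify(group: list[tuple[ClientIdentity, int]], payload: bytes) -> str | None:
    """Name of the first matching identity when the group is walked by ascending precedence."""
    codes, values = parse_dhcp_options(payload)
    mt = values.get(53)
    msg_type = MSG_TYPES.get(mt[0]) if mt else None
    if msg_type is None:
        return None
    for ident, _precedence in sorted(group, key=lambda pair: pair[1]):
        if ident.matches(msg_type, codes, values):
            return ident.name
    return None


def build_options(*opts: tuple[int, bytes]) -> bytes:
    """Encode (code, value) pairs as a DHCP options field; used to construct test input."""
    return DHCP_MAGIC + b"".join(bytes([c, len(v)]) + v for c, v in opts) + b"\xff"


# Constructed DHCP request; option order 53,61,50,57,60,55 encodes to the option-codes
# hexstring 353d32393c37 that the page's built-in Android identities use.
ANDROID_REQUEST = build_options(
    (53, b"\x03"), (61, b"\x01\x00\x11\x22\x33\x44\x55"), (50, b"\xc0\xa8\x01\x64"),
    (57, b"\x05\xdc"), (60, b"dhcpcd 4.0.1"), (55, bytes.fromhex("0103061c21333a3b79")),
)
# Android-2-1 copies the page's default fingerprint; the other two identities are constructed.
ANDROID_2_1 = ClientIdentity("Android-2-1", [
    DhcpRule("request", 55, "exact", "hexstring", "0103061c21333a3b79"),
    DhcpRule("request", 60, "exact", "ascii", "dhcpcd 4.0.1"),
])
DHCPCD_GENERIC = ClientIdentity("dhcpcd-generic", [
    DhcpRule("request", 60, "starts-with", "ascii", "dhcpcd"),
    DhcpRule("request", None, "starts-with", "hexstring", "353d"),  # options 53 then 61
])
WINDOWS_MSFT = ClientIdentity("Windows-MSFT", [DhcpRule("request", 60, "exact", "ascii", "MSFT 5.0")])
# Lower precedence value wins, so the specific Android identity outranks the generic one.
GROUP = [(DHCPCD_GENERIC, 20), (ANDROID_2_1, 5), (WINDOWS_MSFT, 1)]
```

Walking the group by ascending precedence value is what makes Android-2-1 win over dhcpcd-generic even though both match the same request; swapping their precedence values swaps the result, which is the behaviour to verify whenever a role policy depends on a fingerprint. The parser stops on a truncated option rather than raising, so a malformed message simply produces no match instead of disturbing the classifier.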
Related Commands
no  Removes the client identity associated with the client identity group

4.1.34.2.2 load (client-identity-group-mode commands)
Loads default (built-in, system-provided) client identity fingerprints. This option is enabled by default. The WiNG software provides some built-in client identity fingerprints that are automatically loaded when the client identity group is applied to a device (either directly or through the profile).
Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
load default-fingerprints
Parameters
load default-fingerprints
load default-fingerprints  Loads client identity default fingerprints. This option is enabled by default.
Example
The auto-load default fingerprints option is enabled by default, as shown in the following example:
nx9500-6C8809(config-client-identity-group-test)#show context
client-identity-group test
 load default-fingerprints
nx9500-6C8809(config-client-identity-group-test)#
In scenarios where only customized client identities are to be applied, use the no > load > default-fingerprints command to disable auto-loading of default device fingerprints.
nx9500-6C8809(config-client-identity-group-test)#no load default-fingerprints
nx9500-6C8809(config-client-identity-group-test)#show context
client-identity-group test
 no load default-fingerprints
nx9500-6C8809(config-client-identity-group-test)#
Use the service > show > client-identity-defaults command to view the default client identity fingerprints:
nx9500-6C8809#service show client-identity-defaults
client-identity Android-2-1
 dhcp 1 message-type request option 55 exact hexstring 0103061c21333a3b79
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.1
client-identity Android-2-2
 dhcp 1 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
client-identity Android-2-3
 dhcp 3 message-type request option 55 exact hexstring 01792103061c333a3b
 dhcp 6 message-type request option 60 exact ascii dhcpcd\ 4.0.15
 dhcp 1 message-type request option-codes exact hexstring 353d32393c37
 dhcp 2 message-type request option-codes exact hexstring 353d3236393c37
 dhcp 10 message-type request option-codes exact hexstring 353d3236393c0c37
--More--
nx9500-6C8809#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 161 GLOBAL CONFIGURATION COMMANDS

Related Commands
  no    Disables automatic loading of default client identity fingerprints

4.1.34.2.3 no
client-identity-group-mode commands

Negates a client-identity-group configuration command: disassociates a client identity from the client identity group, or disables automatic loading of the default client identity fingerprints

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [client-identity|load]
  no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
  no load default-fingerprints

Parameters
  no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>

  no client-identity <CLIENT-IDENTITY-NAME> precedence <1-10000>
    Disassociates the specified client identity from this client identity group
    <CLIENT-IDENTITY-NAME>  Specify the client identity name.
    precedence <1-10000>    Specify the precedence value (1 - 10000) assigned to the client identity named above. Client identity rules are applied in order of precedence value: the lower the value, the higher the precedence. A client identity with precedence 5 therefore takes precedence over one with precedence 20.

  no load default-fingerprints

  no load default-fingerprints
    Disables automatic loading of the built-in, system-provided client identity fingerprints

Example
rfs4000-229D58(config-client-identity-group-test)#show context
client-identity-group test
 client-identity test precedence 1
rfs4000-229D58(config-client-identity-group-test)#
rfs4000-229D58(config-client-identity-group-test)#no client-identity test
rfs4000-229D58(config)#
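The following is an added illustration, not code from the WiNG guide or from Extreme Networks, of what the fingerprint lines printed by service > show > client-identity-defaults actually test, and of how the group precedence rule above selects among several matching identities. It parses a raw DHCP message, reproduces the three Android-2-x identities from the output above as data, and applies the rule that the matching identity with the lowest precedence value wins. The page does not state how several rules inside one identity combine, nor what group precedence the defaults carry, so this example assumes that rules of one identity testing the same attribute are alternatives while different attributes must all match, implements only the exact match type shown, assigns its own precedence values, and constructs its own sample packets.

```python
"""DHCP device fingerprinting, illustrated (added example, not WiNG code).

Assumptions not stated on the page: rules of one identity that test the same
attribute are alternatives, rules on different attributes must all hold, and
only the 'exact' match type is implemented.
"""
from __future__ import annotations
from dataclasses import dataclass

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_REQUEST = 3  # option 53 (message type) value for 'request'


def parse_dhcp_options(packet: bytes) -> dict[int, bytes]:
    """Return {code: value} for a raw BOOTP/DHCP message, in wire order.

    Wire order matters: the 'option-codes' fingerprint is the list of option
    codes exactly as the client sent them. PAD (0) is skipped, END (255) stops.
    """
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options: dict[int, bytes] = {}
    i = 240
    while i < len(packet) and packet[i] != 255:
        code = packet[i]
        if code == 0:
            i += 1
            continue
        if i + 2 > len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return options


@dataclass(frozen=True)
class Rule:
    """One 'dhcp <n> message-type request ... exact ...' line of an identity."""
    attribute: str        # "option" or "option-codes"
    option: int | None    # option number when attribute == "option"
    kind: str             # "hexstring" or "ascii"
    value: str

    def matches(self, opts: dict[int, bytes]) -> bool:
        if opts.get(53) != bytes([DHCP_REQUEST]):        # message-type request
            return False
        observed = bytes(opts.keys()) if self.attribute == "option-codes" else opts.get(self.option)
        if observed is None:
            return False
        expected = bytes.fromhex(self.value) if self.kind == "hexstring" else self.value.encode()
        return observed == expected


@dataclass(frozen=True)
class Identity:
    name: str
    rules: tuple[Rule, ...]

    def matches(self, opts: dict[int, bytes]) -> bool:
        # Assumed combination: same attribute -> any rule; different attributes -> all.
        groups: dict[tuple[str, int | None], list[Rule]] = {}
        for r in self.rules:
            groups.setdefault((r.attribute, r.option), []).append(r)
        return all(any(r.matches(opts) for r in rs) for rs in groups.values())


def classify(group: list[tuple[int, Identity]], packet: bytes) -> str | None:
    """Apply a client identity group: lowest precedence value among matches wins."""
    opts = parse_dhcp_options(packet)
    hits = [(prec, ident.name) for prec, ident in group if ident.matches(opts)]
    return min(hits)[1] if hits else None


# The three defaults printed by 'service show client-identity-defaults' above.
ANDROID_2_1 = Identity("Android-2-1", (
    Rule("option", 55, "hexstring", "0103061c21333a3b79"),
    Rule("option", 60, "ascii", "dhcpcd 4.0.1")))
ANDROID_2_2 = Identity("Android-2-2", (
    Rule("option", 55, "hexstring", "01792103061c333a3b"),
    Rule("option", 60, "ascii", "dhcpcd 4.0.15")))
ANDROID_2_3 = Identity("Android-2-3", (
    Rule("option", 55, "hexstring", "01792103061c333a3b"),
    Rule("option", 60, "ascii", "dhcpcd 4.0.15"),
    Rule("option-codes", None, "hexstring", "353d32393c37"),
    Rule("option-codes", None, "hexstring", "353d3236393c37"),
    Rule("option-codes", None, "hexstring", "353d3236393c0c37")))
# Group membership and precedence values are this example's own choice.
GROUP = [(30, ANDROID_2_1), (20, ANDROID_2_2), (5, ANDROID_2_3)]


def build_dhcp_request(mac: bytes, options: list[tuple[int, bytes]]) -> bytes:
    """Constructed BOOTREQUEST carrying the given options in the given order."""
    hdr = bytearray(240)
    hdr[0], hdr[1], hdr[2] = 1, 1, 6      # op=BOOTREQUEST, htype=Ethernet, hlen=6
    hdr[28:34] = mac                        # chaddr
    hdr[236:240] = MAGIC_COOKIE
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return bytes(hdr) + body + b"\xff"


ANDROID_OPTIONS = [                          # codes 53,61,50,57,60,55 = 353d32393c37
    (53, bytes([DHCP_REQUEST])),
    (61, bytes.fromhex("010200aa000001")),
    (50, bytes([10, 0, 0, 23])),
    (57, (576).to_bytes(2, "big")),
    (60, b"dhcpcd 4.0.15"),
    (55, bytes.fromhex("01792103061c333a3b")),
]
ANDROID_PKT = build_dhcp_request(bytes.fromhex("0200aa000001"), ANDROID_OPTIONS)
# Identical options from another MAC: any client can replay this fingerprint.
SPOOFED_PKT = build_dhcp_request(bytes.fromhex("0200bb000002"), ANDROID_OPTIONS)
# A constructed request whose option 55 list matches none of the three identities.
OTHER_PKT = build_dhcp_request(bytes.fromhex("0200cc000003"), [
    (53, bytes([DHCP_REQUEST])),
    (55, bytes.fromhex("010f03062c2e2f1f2179f92b")),
    (60, b"constructed-vendor-class")])

if __name__ == "__main__":
    for label, pkt in ("android", ANDROID_PKT), ("spoofed", SPOOFED_PKT), ("other", OTHER_PKT):
        print(label, "->", classify(GROUP, pkt))
```

Both Android-2-2 and Android-2-3 match the constructed Android request; the group's precedence values (5 beats 20) decide that Android-2-3 is reported. The spoofed request shows the caveat a practitioner wants here: every field a fingerprint tests (option 55 order, option 60 text, the option-code list) is written by the client, so a client identity is a classification hint for visibility and policy defaults, not an authentication result. Role or VLAN decisions that must resist a hostile client need 802.1X or another authenticated control, with client identity at most as a secondary input.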
Related Commands
  client-identity   Associates an existing and configured client identity (device fingerprint) with this client identity group
  load              Loads the default (built-in, system-provided) client identity fingerprints. This option is enabled by default.

4.1.35 clone
Global Configuration Commands

Creates a replica of an existing object or device. The configuration of the new object or device is an exact copy of the existing object or device configuration. Use this command to copy an existing configuration and then modify only the required parameters.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  clone [TLO|device]
  clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>
  clone device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>

Parameters
  clone TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>

  TLO <EXISTING-OBJECT-NAME> <NEW-OBJECT-NAME>
    Creates a new top-level object (TLO) by cloning an existing one. TLO stands for the object type keyword (for example rf_domain, as in the example below). The new object has the same configuration as the cloned object.
    <EXISTING-OBJECT-NAME>  Specify the name of the existing object (the object to be cloned)
    <NEW-OBJECT-NAME>       Provide the new object's name. Enter clone and press Tab to list the object types available for cloning.

  clone device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>

  device <EXISTING-DEVICE-MAC/NAME> <NEW-DEVICE-MAC>
    Configures a new device based on an existing device's configuration
    <EXISTING-DEVICE-MAC/NAME>  Specify the existing device's name or MAC address (the device to be cloned)
    <NEW-DEVICE-MAC>            Provide the new device's MAC address. Enter clone > device and press Tab to list the devices available for cloning.

Example
nx9500-6C8809(config)#clone rf_domain TechPubs Cloned_TechPubs2
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-008B
!
!
version 2.5
!
................................................................................
rf-domain TechPubs
 location SanJose
 timezone America/Los_Angeles
 country-code us
!
rf-domain Cloned_TechPubs2
 location SanJose
--More--
nx9500-6C8809(config)#
4.1.36 crypto-cmp-policy
Global Configuration Commands

Creates a crypto Certificate Management Protocol (CMP) policy and enters its configuration mode

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

Parameters
  crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

  <CRYPTO-CMP-POLICY-NAME>
    Specify the crypto CMP policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#crypto-cmp-policy CMP
nx9500-6C8809(config-cmp-policy-CMP)#?
CMP Policy Mode commands:
  ca-server             CMP CA Server configuration commands
  cert-key-size         Set key size for certificate request
  cert-renewal-timeout  Trigger a cert renewal request on timeout
  cross-cert-validate   Validate cross-cert using factory-cert
  no                    Negate a command or set its defaults
  subjectAltName        Configure subjectAltName value
  trustpoint            Trustpoint for CMP
  use                   Set setting to use

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal

nx9500-6C8809(config-cmp-policy-CMP)#
Related Commands
  no    Resets values or disables commands

NOTE: For more information on the crypto CMP policy, see Chapter 29, CRYPTO-CMP-POLICY.

4.1.37 customize
Global Configuration Commands

Customizes the output of the summary CLI commands. Use this command to define the data displayed as a result of various show commands.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  customize [cdp-lldp-info-column-width|hostname-column-width|show-adoption-status|
   show-wireless-client|show-wireless-client-stats|show-wireless-client-stats-rf|
   show-wireless-meshpoint|show-wireless-meshpoint-accelerated-multicast|
   show-wireless-meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|
   show-wireless-mint-client|show-wireless-mint-client-stats|show-wireless-mint-client-stats-rf|
   show-wireless-mint-portal|show-wireless-mint-portal-stats|show-wireless-mint-portal-stats-rf|
   show-wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf]

  customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>

  customize show-adoption-status (adopted-by,ap-name <1-64>,cdp-lldp-info,config-status,
   last-adoption,msgs,uptime,version)

  customize show-wireless-client (ap-name <1-64>,auth,client-identity <1-32>,bss,enc,
   hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>,radio-id,
   radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan)

  customize show-wireless-client-stats (hostname <1-64>,mac,rx-bytes,rx-errors,rx-packets,
   rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

  customize show-wireless-client-stats-rf (average-retry-number,error-rate,hostname <1-64>,
   mac,noise,q-index,rx-rate,signal,snr,tx-rate)

  customize show-wireless-meshpoint-accelerated-multicast (ap-hostname,group-addr,mesh-name,
   neighbor-hostname,neighbor-ifid,radio-alias,radio-id,radio-mac,subscriptions)

  customize show-wireless-meshpoint (ap-mac,cfg-as-root,hops,hostname <1-64>,interface-ids,
   is-root,mesh-name <1-64>,mpid,next-hop-hostname <1-64>,next-hop-ifid,next-hop-use-time,
   path-metric,root-bound-time,root-hostname <1-64>,root-mpid)

  customize show-wireless-meshpoint-neighbor-stats (ap-hostname <1-64>,neighbor-hostname <1-64>,
   neighbor-ifid,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,
   tx-packets,tx-throughput)

  customize show-wireless-meshpoint-neighbor-stats-rf (ap-hostname <1-64>,average-retry-number,
   error-rate,neighbor-hostname <1-64>,neighbor-ifid,noise,q-index,rx-rate,signal,snr,t-index,
   tx-rate)

  customize show-wireless-mint-client (client-alias <1-64>,client-bss,portal-alias <1-64>,
   portal-bss,up-time)

  customize show-wireless-mint-client-stats (client-alias <1-64>,portal-alias <1-64>,portal-bss,
   rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,
   tx-throughput)

  customize show-wireless-mint-client-stats-rf (average-retry-number,client-alias <1-64>,
   error-rate,noise,portal-alias <1-64>,portal-bss,q-index,rx-rate,signal,snr,tx-rate)

  customize show-wireless-mint-portal (client-alias <1-64>,client-bss,portal-alias <1-64>,
   portal-bss,up-time)

  customize show-wireless-mint-portal-stats (client-alias <1-64>,client-bss,portal-alias <1-64>,
   rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,
   tx-throughput)

  customize show-wireless-mint-portal-stats-rf (average-retry-number,client-alias <1-64>,
   client-bss,error-rate,noise,portal-alias <1-64>,q-index,rx-rate,signal,snr,tx-rate)

  customize show-wireless-radio (adopt-to,ap-name <1-64>,channel,location <1-64>,num-clients,
   power,radio-alias <3-67>,radio-id,radio-mac,rf-mode,state)

  customize show-wireless-radio-stats (radio-alias <3-67>,radio-id,radio-mac,rx-bytes,rx-errors,
   rx-packets,rx-throughput,tx-bytes,tx-dropped,tx-packets,tx-throughput)

  customize show-wireless-radio-stats-rf (average-retry-number,error-rate,noise,q-index,
   radio-alias <3-67>,radio-id,radio-mac,rx-rate,signal,snr,t-index,tx-rate)

Parameters
  customize [cdp-lldp-info-column-width|hostname-column-width] <1-64>
  hostname-column-width <1-64>
    Configures the default width of the hostname column in all show command outputs
    <1-64>  Sets the hostname column width from 1 - 64 characters
  cdp-lldp-info-column-width <1-64>
    Configures the column width in the show > cdp/lldp > [neighbor|report] command output
    <1-64>  Sets the column width from 1 - 64 characters

  customize show-adoption-status (adopted-by,ap-name <1-64>,cdp-lldp-info,config-status,last-adoption,msgs,uptime,version)

  show-adoption-status
    Configures the information displayed in the show > adoption > status command output. Select the columns (information) displayed from the following options: adopted-by, ap-name, cdp-lldp-info, config-status, last-adoption, msgs, uptime, and version. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Device-Name, Version, Config-Status, MSGS, Adopted-By, Last-Adoption, and Uptime.
    Wherever available, you can optionally use the <1-64> parameter to set the column width.

  customize show-wireless-client (ap-name <1-64>,auth,client-identity <1-32>,bss,enc,hostname <1-64>,ip,last-active,location <1-64>,mac,radio-alias <3-67>,radio-id,radio-type,role <1-32>,state,username <1-64>,vendor,vlan,wlan)

  show-wireless-client
    Customizes the show > wireless > client command output. The columns displayed by default are: MAC, IPv4, Vendor, Radio-ID, WLAN, VLAN, and State.
  ap-name <1-64>
    Includes the ap-name column, which displays the name of the AP with which this client associates
    <1-64>  Sets the ap-name column width from 1 - 64 characters
  auth
    Includes the auth column, which displays the authorization protocol used by the wireless client
  bss
    Includes the BSS column, which displays the BSS ID the wireless client is associated with
  client-identity <1-32>
    Includes the client-identity (device type) column, which displays details gathered by the DHCP device fingerprinting feature (when enabled). For more information, see client-identity.
    <1-32>  Sets the client-identity column width from 1 - 32 characters
  enc
    Includes the enc column, which displays the encryption suite used by the wireless client
  hostname <1-64>
    Includes the hostname column, which displays the wireless client's hostname
    <1-64>  Sets the hostname column width from 1 - 64 characters
  ip
    Includes the IP column, which displays the wireless client's current IP address
  last-active
    Includes the last-active column, which displays the time of last activity seen from the wireless client
  location <1-64>
    Includes the location column, which displays the location of the client's associated access point
    <1-64>  Sets the location column width from 1 - 64 characters
  mac
    Includes the MAC column, which displays the wireless client's MAC address
  radio-alias <3-67>
    Includes the radio-alias column, which displays the radio alias with the AP's hostname and radio interface number in the HOSTNAME:RX format
    <3-67>  Sets the radio-alias column width from 3 - 67 characters
  radio-id
    Includes the radio-id column, which displays the radio ID with the AP's MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format
  radio-type
    Includes the radio-type column, which displays the wireless client's radio type
  role <1-32>
    Includes the role column, which displays the client's role
    <1-32>  Sets the role column width from 1 - 32 characters
  state
    Includes the state column, which displays the wireless client's current availability state
  username <1-64>
    Includes the username column, which displays the wireless client's username
    <1-64>  Sets the username column width from 1 - 64 characters
  vendor
    Includes the vendor column, which displays the wireless client's vendor ID
  vlan
    Includes the VLAN column, which displays the wireless client's assigned VLAN
  wlan
    Includes the WLAN column, which displays the wireless client's assigned WLAN

  customize show-wireless-client-stats (hostname <1-64>,mac,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

  show-wireless-client-stats
    Customizes the show > wireless > client > statistics command output. The columns displayed by default are: MAC, Tx bytes, Rx bytes, Tx pkts, Rx pkts, Tx bps, Rx bps, T-Index, and Dropped pkts.
  hostname <1-64>
    Includes the hostname column, which displays the wireless client's hostname
    <1-64>  Sets the hostname column width from 1 - 64 characters
  mac
    Includes the MAC column, which displays the wireless client's MAC address
  rx-bytes
    Includes the rx-bytes column, which displays the total number of bytes received by the wireless client
  rx-errors
    Includes the rx-errors column, which displays the total number of errors received by the wireless client
  rx-packets
    Includes the rx-packets column, which displays the total number of packets received by the wireless client
  rx-throughput
    Includes the rx-throughput column, which displays the receive throughput at the wireless client
  t-index
    Includes the t-index column, which displays the traffic utilization index at the particular wireless client
  tx-bytes
    Includes the tx-bytes column, which displays the total number of bytes transmitted by the wireless client
  tx-dropped
    Includes the tx-dropped column, which displays the total number of packets dropped by the wireless client
  tx-packets
    Includes the tx-packets column, which displays the total number of packets transmitted by the wireless client
  tx-throughput
    Includes the tx-throughput column, which displays the transmission throughput at the wireless client

  customize show-wireless-client-stats-rf (average-retry-number,error-rate,hostname <1-64>,mac,noise,q-index,rx-rate,signal,snr,tx-rate)

  show-wireless-client-stats-rf
    Customizes the show > wireless > client > statistics > rf command output. The columns displayed by default are: MAC, Signal (dBm), Noise (dBm), SNR (dB), TX Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
  average-retry-number
    Includes the average-retry-number column, which displays the average number of retransmissions made per packet
  error-rate
    Includes the error-rate column, which displays the rate of error for the wireless client
  hostname <1-64>
    Includes the hostname column, which displays the wireless client's hostname
    <1-64>  Sets the hostname column width from 1 - 64 characters
  mac
    Includes the MAC column, which displays the wireless client's MAC address
  noise
    Includes the noise column, which displays the noise (in dBm) as detected by the wireless client
  q-index
    Includes the q-index column, which displays the RF quality index. Higher values indicate better RF quality.
  rx-rate
    Includes the rx-rate column, which displays the receive rate at the particular wireless client
  signal
    Includes the signal column, which displays the signal strength (in dBm) at the particular wireless client
  snr
    Includes the snr column, which displays the signal to noise ratio (SNR) (in dB) at the particular wireless client
  tx-rate
    Includes the tx-rate column, which displays the packet transmission rate at the particular wireless client

  customize show-wireless-meshpoint-accelerated-multicast (ap-hostname,group-addr,mesh-name,neighbor-hostname,neighbor-ifid,radio-alias,radio-id,radio-mac,subscriptions)

  show-wireless-meshpoint-accelerated-multicast
    Configures the information displayed in the show > wireless > meshpoint > accelerated multicast command output. Select the columns (information) displayed from the following options: ap-hostname, group-addr, mesh-name, neighbor-hostname, neighbor-ifid, radio-alias, radio-id, radio-mac, subscriptions. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Mesh, Radio, Neighbor-IFID, Neighbor-Hostname, Group-MAC, and Subscriptions.

  customize show-wireless-meshpoint (ap-mac,cfg-as-root,hops,hostname <1-64>,interface-ids,is-root,mesh-name <1-64>,mpid,next-hop-hostname <1-64>,next-hop-ifid,next-hop-use-time,path-metric,root-bound-time,root-hostname <1-64>,root-mpid)

  show-wireless-meshpoint
    Customizes the show > wireless > meshpoint command output. The columns displayed by default are: Mesh, Hostname, Hops, Is-Root, Config-As-Root, Root-Hostname, Root-Bound-Time, Path-Metric, Next-Hop-Hostname, and Next-Hop-Use-Time.
  ap-mac
    Includes the ap-mac column, which displays the AP's MAC address in the AA-BB-CC-DD-EE-FF format. Applicable only in case of non-controller meshpoints
  cfg-as-root
    Includes the cfg-as-root column, which displays the configured root state of the meshpoint
  hops
    Includes the hops column, which displays the number of hops to the root for this meshpoint
  hostname <1-64>
    Includes the hostname column, which displays the AP's hostname. Applicable only in case of non-wireless controller meshpoints
    <1-64>  Sets the hostname column width from 1 - 64 characters
  interface-ids
    Includes the interface-ids column, which displays the interface identifiers (interfaces used by this meshpoint)
  is-root
    Includes the is-root column, which displays the current root state of the meshpoint
  mesh-name <1-64>
    Includes the mesh-name column, which displays the meshpoint's name
    <1-64>  Sets the mesh-name column width from 1 - 64 characters
  mpid
    Includes the mpid column, which displays the meshpoint identifier in the AA-BB-CC-DD-EE-FF format
  next-hop-hostname <1-64>
    Includes the next-hop-hostname column, which displays the next-hop AP's name (the AP next in the path to the bound root)
    <1-64>  Sets the next-hop-hostname column width from 1 - 64 characters
  next-hop-ifid
    Includes the next-hop-ifid column, which displays the next-hop interface identifier in the AA-BB-CC-DD-EE-FF format
  next-hop-use-time
    Includes the next-hop-use-time column, which displays the time since this meshpoint started using this next hop
  root-bound-time
    Includes the root-bound-time column, which displays the time since this meshpoint has been bound to the current root
  root-hostname <1-64>
    Includes the root-hostname column, which displays the hostname of the root AP to which this meshpoint is bound
    <1-64>  Sets the root-hostname column width from 1 - 64 characters
  root-mpid
    Includes the root-mpid column, which displays the bound root meshpoint identifier in the AA-BB-CC-DD-EE-FF format

  customize show-wireless-meshpoint-neighbor-stats (ap-hostname <1-64>,neighbor-hostname <1-64>,neighbor-ifid,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

  show-wireless-meshpoint-neighbor-stats
    Customizes the show > wireless > meshpoint > neighbor > statistics command output. The columns displayed by default are: AP Hostname, Neighbor-IFID, Tx bytes, Rx bytes, Tx pkts, Rx pkts, Tx (bps), Rx (bps), T-Index (%), and Dropped pkts.
  ap-hostname <1-64>
    Includes the AP hostname column, which displays the name of the AP reporting a neighbor
    <1-64>  Sets the AP hostname column width from 1 - 64 characters
  neighbor-hostname <1-64>
    Includes the neighbor-hostname column, which displays the reported neighbor's hostname
    <1-64>  Sets the neighbor-hostname column width from 1 - 64 characters
  neighbor-ifid
    Includes the neighbor-ifid column, which displays the neighbor's interface ID
  rx-bytes
    Includes the rx-bytes column, which displays the total bytes received
  rx-errors
    Includes the rx-errors column, which displays the total errors received
  rx-packets
    Includes the rx-packets column, which displays the number of packets received
  rx-throughput
    Includes the rx-throughput column, which displays the neighbor's receive throughput
  t-index
    Includes the t-index column, which displays the traffic utilization index at the neighbor end
  tx-bytes
    Includes the tx-bytes column, which displays the total bytes transmitted
  tx-dropped
    Includes the tx-dropped column, which displays the total bytes dropped
  tx-packets
    Includes the tx-packets column, which displays the number of packets transmitted
  tx-throughput
    Includes the tx-throughput column, which displays the neighbor's transmit throughput

  customize show-wireless-meshpoint-neighbor-stats-rf (ap-hostname <1-64>,average-retry-number,error-rate,neighbor-hostname <1-64>,neighbor-ifid,noise,q-index,rx-rate,signal,snr,t-index,tx-rate)

  show-wireless-meshpoint-neighbor-stats-rf
    Customizes the show > wireless > meshpoint > neighbor > statistics > rf command output. The columns displayed by default are: AP Hostname, Neighbor-IFID, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
  ap-hostname <1-64>
    Includes the AP hostname column, which displays the name of the AP reporting a neighbor
    <1-64>  Sets the AP hostname column width from 1 - 64 characters
  average-retry-number
    Includes the average-retry-number column, which displays the average number of retransmissions made per packet
  error-rate
    Includes the error-rate column, which displays the error rate
  neighbor-hostname <1-64>
    Includes the neighbor-hostname column, which displays the reported neighbor's hostname
    <1-64>  Sets the neighbor-hostname column width from 1 - 64 characters
  neighbor-ifid
    Includes the neighbor-ifid column, which displays the neighbor's interface ID
  noise
    Includes the noise column, which displays the noise level in dBm
  q-index
    Includes the q-index column, which displays the RF quality index
  rx-rate
    Includes the rx-rate column, which displays the receive rate
  signal
    Includes the signal column, which displays the signal strength in dBm
  snr
    Includes the snr column, which displays the signal-to-noise ratio
  t-index
    Includes the t-index column, which displays the traffic utilization index
  tx-rate
    Includes the tx-rate column, which displays the transmission rate

  customize show-wireless-mint-client (client-alias <1-64>,client-bss,portal-alias <1-64>,portal-bss,up-time)

  show-wireless-mint-client
    Configures the information displayed in the show > wireless > mint > client command output. Select the columns (information) displayed from the following options: client-alias, client-bss, portal-alias, portal-bss, and up-time. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Portal, Portal-Radio-MAC, Client, Client-Radio-MAC, and Up-Time.

  customize show-wireless-mint-client-stats (client-alias <1-64>,portal-alias <1-64>,portal-bss,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

  show-wireless-mint-client-stats
    Configures the information displayed in the show > wireless > mint > client > statistics command output. Select the columns (information) displayed from the following options: client-alias, portal-alias, portal-bss, rx-bytes, rx-errors, rx-packets, rx-throughput, t-index, tx-bytes, tx-dropped, tx-packets, tx-throughput. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Portal, Portal-Radio-MAC, Client, Tx bytes, Rx bytes, Tx pkts, Rx pkts, Tx (bps), Rx (bps), T-Index (%), and Dropped pkts.
    Wherever available, you can optionally use the <1-64> parameter to set the column width.

  customize show-wireless-mint-client-stats-rf (average-retry-number,client-alias <1-64>,error-rate,noise,portal-alias <1-64>,portal-bss,q-index,rx-rate,signal,snr,tx-rate)

  show-wireless-mint-client-stats-rf
    Configures the information displayed in the show > wireless > mint > client > statistics > rf command output. Select the columns (information) displayed from the following options: average-retry-number, client-alias, error-rate, noise, portal-alias, portal-bss, q-index, rx-rate, signal, snr, and tx-rate. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: MAC, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
    Wherever available, you can optionally use the <1-64> parameter to set the column width.

  customize show-wireless-mint-portal (client-alias <1-64>,client-bss,portal-alias <1-64>,portal-bss,up-time)

  show-wireless-mint-portal
    Configures the information displayed in the show > wireless > mint > portal command output. Select the columns (information) displayed from the following options: client-alias, client-bss, portal-alias, portal-bss, and up-time. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Client, Client-Radio-MAC, Portal, Portal-Radio-MAC, and Up-Time.
    Wherever available, you can optionally use the <1-64> parameter to set the column width.

  customize show-wireless-mint-portal-stats (client-alias <1-64>,client-bss,portal-alias <1-64>,rx-bytes,rx-errors,rx-packets,rx-throughput,t-index,tx-bytes,tx-dropped,tx-packets,tx-throughput)

  show-wireless-mint-portal-stats
    Configures the information displayed in the show > wireless > mint > portal > statistics command output. Select the columns (information) displayed from the following options: client-alias, client-bss, portal-alias, rx-bytes, rx-errors, rx-packets, rx-throughput, t-index, tx-bytes, tx-dropped, tx-packets, tx-throughput. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Client, Client-Radio-MAC, Portal, Tx bytes, Rx bytes, Tx pkts, Rx pkts, Tx (bps), Rx (bps), T-Index (%), and Dropped pkts.
    Wherever available, you can optionally use the <1-64> parameter to set the column width.

  customize show-wireless-mint-portal-stats-rf (average-retry-number,client-alias <1-64>,client-bss,error-rate,noise,portal-alias <1-64>,q-index,rx-rate,signal,snr,tx-rate)

  show-wireless-mint-portal-stats-rf
    Configures the information displayed in the show > wireless > mint > portal > statistics > rf command output. Select the columns (information) displayed from the following options: average-retry-number, client-alias, client-bss, error-rate, noise, portal-alias, q-index, rx-rate, signal, snr, tx-rate. These are recursive parameters and you can select multiple options at a time.
    The columns displayed by default are: Client, Client-Radio-MAC, Portal, Signal (dBm), Noise (dBm), SNR (dB), Tx-Rate (Mbps), Rx-Rate (Mbps), Retry Avg, Errors (pps), and Q-Index (%).
    Wherever available, you can optionally use the <1-64> parameter to set the column width.

  customize show-wireless-radio (adopt-to,ap-name <1-64>,channel,location <1-64>,num-clients,power,radio-alias <3-67>,radio-id,radio-mac,rf-mode,state)

  show-wireless-radio
    Customizes the show > wireless > radio command output
  adopt-to
    Includes the adopt-to column, which displays information about the wireless controller adopting this AP
  ap-name <1-64>
    Includes the ap-name column, which displays information about the AP this radio belongs to
    <1-64>  Sets the ap-name column width from 1 - 64 characters
  channel
    Includes the channel column, which displays the configured and current channel for this radio
  location <1-64>
    Includes the location column, which displays the location of the AP this radio belongs to
    <1-64>  Sets the location column width from 1 - 64 characters
  num-clients
    Includes the num-clients column, which displays the number of clients associated with this radio
  power
    Includes the power column, which displays the radio's configured and current transmit power
  radio-alias <3-67>
    Includes the radio-alias column, which displays the radio's alias (combination of the AP's hostname and radio interface number in the HOSTNAME:RX format)
    <3-67>  Sets the radio-alias column width from 3 - 67 characters
  radio-id
    Includes the radio-id column, which displays the radio's ID (combination of the AP's MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format)
  radio-mac
    Includes the radio-mac column, which displays the radio's base MAC address
  rf-mode
    Includes the rf-mode column, which displays the radio's operating mode. The radio mode can be 2.4 GHz, 5.0 GHz, or sensor.
  state
    Includes the state column, which displays the radio's current operational state

  customize show-wireless-radio-stats (radio-alias <3-67>,radio-id,radio-mac,rx-bytes,rx-errors,rx-packets,rx-throughput,tx-bytes,tx-dropped,tx-packets,tx-throughput)

  show-wireless-radio-stats
    Customizes the show > wireless > radio > statistics command output
  radio-alias <3-67>
    Includes the radio-alias column, which displays the radio's alias (combination of the AP's hostname and radio interface number in the HOSTNAME:RX format)
    <3-67>  Sets the radio-alias column width from 3 - 67 characters
  radio-id
    Includes the radio-id column, which displays the radio's ID (combination of the AP's MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format)
  radio-mac
    Includes the radio-mac column, which displays the radio's base MAC address
  rx-bytes
    Includes the rx-bytes column, which displays the total number of bytes received by the radio
  rx-errors
    Includes the rx-errors column, which displays the total number of errors received by the radio
  rx-packets
    Includes the rx-packets column, which displays the total number of packets received by the radio
  rx-throughput
    Includes the rx-throughput column, which displays the receive throughput at the radio
  tx-bytes
    Includes the tx-bytes column, which displays the total number of bytes transmitted by the radio
  tx-dropped
    Includes the tx-dropped column, which displays the total number of packets dropped by the radio
  tx-packets
    Includes the tx-packets column, which displays the total number of packets transmitted by the radio
  tx-throughput
    Includes the tx-throughput column, which displays the transmission throughput at the radio

  customize show-wireless-radio-stats-rf (average-retry-number,error-rate,noise,q-index,radio-alias <3-67>,radio-id,radio-mac,rx-rate,signal,snr,t-index,tx-rate)

  show-wireless-radio-stats-rf
    Customizes the show > wireless > radio > statistics > rf command output
  average-retry-number
    Includes the average-retry-number column, which displays the average number of retransmissions per packet
  error-rate
    Includes the error-rate column, which displays the rate of error for the radio
  noise
    Includes the noise column, which displays the noise detected by the radio
  q-index
    Includes the q-index column, which displays the RF quality index. Higher values indicate better RF quality.
  radio-alias <3-67>
    Includes the radio-alias column, which displays the radio's alias (combination of the AP's hostname and radio interface number in the HOSTNAME:RX format)
    <3-67>  Sets the radio-alias column width from 3 - 67 characters
  radio-id
    Includes the radio-id column, which displays the radio's ID (combination of the AP's MAC address and radio interface number in the AA-BB-CC-DD-EE-FF:RX format)
  radio-mac
    Includes the radio-mac column, which displays the radio's base MAC address
  rx-rate
    Includes the rx-rate column, which displays the receive rate at the particular radio
  signal
    Includes the signal column, which displays the signal strength at the particular radio
  snr
    Includes the snr column, which displays the signal-to-noise ratio at the particular radio
  t-index
    Includes the t-index column, which displays the traffic utilization index at the particular radio
  tx-rate
    Includes the tx-rate column, which displays the packet transmission rate at the particular radio

Example
The following example shows the show > adoption > status command output before the output is customized:
rfs6000-81742D#show adoption status
Adopted by:

Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time          : 4 days 22:38:32 ago

Adopted Devices:
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME      VERSION          CFG-STAT      MSGS   ADOPTED-BY        LAST-ADOPTION      UPTIME
---------------------------------------------------------------------------------------------------------------
ap7532-A2A56C    5.9.0.0-010D     *configured   No     rfs6000-81742D    4 days 22:25:56    4 days 22:31:23
---------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 1
rfs6000-81742D#
rfs6000-81742D(config)#customize show-adoption-status adopted-by ap-name config-status last-adoption
rfs6000-81742D(config)#commit

The following example shows the show > adoption > status command output after customizing the output:
rfs6000-81742D#show adoption status
Adopted by:

Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time

Adopted Devices:
------------------------------------------------------------------------
ADOPTED-BY          DEVICE-NAME        CFG-STAT        LAST-ADOPTION
------------------------------------------------------------------------
rfs6000-81742D      ap7532-A2A56C      *configured     4 days 22:25:56
------------------------------------------------------------------------
Total number of devices displayed: 1
rfs6000-81742D(config)#
Use the no > customize > show-adoption-status command to revert back to the default format.

rfs6000-81742D(config)#no customize show-adoption-status
rfs6000-81742D(config)#commit
rfs6000-81742D#show adoption status
Adopted by:

Type          : nx9000
System Name   : nx9500-6C8809
MAC address   : B4-C7-99-6C-88-09
MiNT address  : 19.6C.88.09
Time          : 4 days 22:38:32 ago

Adopted Devices:
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME      VERSION          CFG-STAT      MSGS   ADOPTED-BY        LAST-ADOPTION      UPTIME
---------------------------------------------------------------------------------------------------------------
ap7532-A2A56C    5.9.0.0-010D     *configured   No     rfs6000-81742D    4 days 22:25:56    4 days 22:31:23
---------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 1
rfs6000-81742D#
Related Commands
no                          Restores custom CLI settings to default
wireless (show commands)    Displays wireless configuration and other information

4.1.38 database-client-policy
Global Configuration Commands

The following table summarizes the config database client policy commands:

Table 4.16 Database-Client-Policy Config Commands
  database-client-policy
      Creates a database-client policy and enters its configuration mode (page 4-178)
  database-client-policy-mode commands
      Summarizes the database client policy mode commands (page 4-180)

4.1.38.1 database-client-policy
database-client-policy

Creates a database-client-policy and enters its configuration mode.

The database-client-policy configures the IP address or hostname of the database host, and is used in the NSight/EGuest server's device context. However, the database-client-policy is required only in a split deployment, where the server and database are hosted on separate boxes. In such a scenario, the database-client-policy enables the server to identify the database host.

If enforcing database authentication, configure the username and password required to access the database on the database-client-policy. For more information on enabling database authentication, see database.

Supported in the following platforms:
Service Platforms   NX9500, NX9600, VX9000

Syntax
database-client-policy <DATABASE-CLIENT-POLICY-NAME>

Parameters
database-client-policy <DATABASE-CLIENT-POLICY-NAME>

database-client-policy <DATABASE-CLIENT-POLICY-NAME>
    Specify the database-client-policy name. If the policy does not exist, it is created. Once created and configured, use this policy in the NSight/EGuest server's device context.

Example
vx9000-34B78B(config)#database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#?
Database Client Policy Mode commands:
  authentication    Database authentication
  database-server   Add database server
  no                Negate a command or set its defaults

  clrscr            Clears the display screen
  commit            Commit all changes made in this session
  do                Run commands from Exec mode
  end               End current mode and change to EXEC mode
  exit              End current mode and down to previous mode
  help              Description of the interactive help system
  revert            Revert changes
  service           Service Commands
  show              Show running system information
  write             Write running configuration to memory or terminal

vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
To set up a database/server environment, with the database and the server hosted on separate hosts:

1 On the database host, use the database policy. This brings up the database server.

2 On the NSight/EGuest server, create the database-client-policy, and configure the database host's IP address or hostname.

vx9000-34B78B(config)#database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
 database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#

3 Use this database-client-policy in the NSight/EGuest server's device configuration context. Once applied, the server posts details to the database specified in the policy.

vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#use database-client-policy DBClientPolicy
vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#show context include-factory | include database-client-policy
 use database-client-policy DBClientPolicy
vx9000-34B78B(config-device-00-0C-29-34-B7-8B)#
Related Commands
no
    Removes an existing database-client-policy
database-policy
    Documents database policy configuration commands. If enforcing authenticated database access, use this command to enable authentication on the database and configure the username and password.
nsight-policy
    Documents NSight policy configuration commands. The NSight policy is a tool which, when created and applied at the RF Domain level, allows the RF Domain manager to send statistics (polled from devices within the RF Domain) to the NOC. The NOC, when enabled as the NSight server, stores this data in a locally or externally hosted database.
use (profile/device context)
    Uses a database-client-policy in the VX9000's device or profile context
database
    Drops or repairs a database. Also provides database keyfile management capabilities. If enforcing authenticated access to the database, use this command to generate, export, import, and zeroise the keyfile.

4.1.38.2 database-client-policy-mode commands
database-client-policy

The following table summarizes database-client-policy configuration mode commands:

Table 4.17 Database-Client-Policy-Config-Mode Commands
  authentication
      Configures the captive-portal/NSight database users (page 4-181)
  database-server
      Configures the database host's IP address or hostname. Use this command to configure the IP address or hostname of the VM hosting the database. (page 4-182)
  no
      Removes the database host's IP/hostname configuration (page 4-183)

4.1.38.2.1 authentication
database-client-policy-mode commands

Configures the database's username and password

Supported in the following platforms:
Service Platforms   NX9500, NX9600, VX9000

Syntax
authentication username <USER-NAME> password <PASSWORD>

Parameters
authentication username <USER-NAME> password <PASSWORD>

authentication username <USER-NAME> password <PASSWORD>
    Configures the username and password required to access the database. Note, the username and password specified here should be the same as those already created on the database host. For more information on creating database users, see service.
    username <USER-NAME>   Configures the user name
    password <PASSWORD>    Configures the password for the username specified above. However, ensure database authentication is enabled in the database-policy. For more information on database-policy, see database-policy. For more information on enabling database authentication, see database.

Example
vx9000-65672(config-database-client-policy-DBClientPolicy)#authentication username extreme password 2 test@12345
vx9000-656725#show running-config database-client-policy replica-set
database-client-policy replica-set
 database-server 13.13.13.3
 database-server 14.14.14.2
 authentication username extreme password 2 q4cUyedmA4BFsn1kg/xjCQAAAAliMbdrXKblQbsyrwMGdVzv
vx9000-656725#
Related Commands
no    Removes an existing database username and password

4.1.38.2.2 database-server
database-client-policy-mode commands

Configures the IPv4/IPv6 address or hostname of the VM hosting the database

Supported in the following platforms:
Service Platforms   VX9000

Syntax
database-server [<IP>|<HOSTNAME>|<IPv6>]

Parameters
database-server [<IP>|<HOSTNAME>|<IPv6>]

database-server [<IP>|<HOSTNAME>|<IPv6>]
    Identifies the database host using one of the following options:
    <IP>         Specifies the host's IPv4 address
    <HOSTNAME>   Specifies the host's hostname
    <IPv6>       Specifies the host's IPv6 address

Example
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
 database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
Related Commands
no    Removes the database server's (the VM hosting the database) IP/hostname configuration

4.1.38.2.3 no
database-client-policy-mode commands

Removes the database host's IP/hostname configuration

Supported in the following platforms:
Service Platforms   VX9000

Syntax
no [authentication|database-server]
no authentication username <USER-NAME>
no database-server [<IP>|<HOST-NAME>|<IPv6>]

Parameters
no [authentication|database-server]

no database-server
    Removes the database VM's IPv4/IPv6 address or hostname associated with this database client policy. Also removes database user details.

Example
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
 database-server 192.168.13.10
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#no database-server
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#show context
database-client-policy DBClientPolicy
vx9000-34B78B(config-database-client-policy-DBClientPolicy)#
4.1.39 database-policy
Global Configuration Commands

The following table summarizes the config database policy commands:

Table 4.18 Database-Policy Config Commands
  database-policy
      Creates a database policy and enters its configuration mode (page 4-185)
  database-policy-mode commands
      Lists database policy configuration mode commands (page 4-186)

4.1.39.1 database-policy
database-policy

Creates a database-policy and enters its configuration mode. After creating the database-policy, use it on the database host. This enables the database. If deploying a database replica-set, use this command to define the replica set configurations.

To enforce database authentication, enable authentication on the database-policy, and configure the username and password required to access the database. Note, this command is part of a set of configurations that are required to enable authentication. For more information on the entire set of configurations, see database.

Supported in the following platforms:
Service Platforms   NX9500, NX9510, VX9000

Syntax
database-policy <DATABASE-POLICY-NAME>

Parameters
database-policy <DATABASE-POLICY-NAME>

database-policy <DATABASE-POLICY-NAME>
    Specify the database policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config-database-policy-test)#?
Database Policy Mode commands:
  authentication   Database authentication
  no               Negate a command or set its defaults
  replica-set      Replica Set
  shutdown         Disable database server

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

nx9500-6C8809(config-database-policy-test)#
Related Commands
no    Removes an existing database policy

4.1.39.2 database-policy-mode commands
database-policy

The following table summarizes database-policy configuration mode commands:

Table 4.19 Database-Policy-Config-Mode Commands
  authentication
      Enables database authentication and configures the username and password required to access the database (page 4-187)
  replica-set
      Adds a member to a database replica set (page 4-188)
  shutdown
      Shuts down the database server (page 4-190)
  no
      Removes a member from the database replica set (page 4-191)

4.1.39.2.1 authentication
database-policy-mode commands

Enables database authentication. When enabled and applied on the database host, this policy enforces authenticated access to the database. This command also configures the username and password required to access the database.

Supported in the following platforms:
Service Platforms   NX9500, NX9600, VX9000

Syntax
authentication
authentication username <USER-NAME> password <PASSWORD>

Parameters
authentication

authentication
    Enables database authentication on this database-policy. When executed without the associated keywords, the command enables authentication on the database host using the policy. Execute the command along with the username and password inputs to configure the user credentials required for accessing the database.

authentication username <USER-NAME> password <PASSWORD>

authentication username <USER-NAME> password <PASSWORD>
    Configures the username and password required to access the database. Note, the username and password specified here should be the same as those already created on the database host. For more information, see service.
    username <USER-NAME>   Configures the database username
    password <PASSWORD>    Configures the password for the username specified above
    Users using these credentials are allowed database access. In case of a split NSight/EGuest deployment, ensure that the database-client-policy running on the NSight/EGuest server has the same user details configured. For information on creating a database-client-policy, see database-client-policy. For more information on enabling database authentication, see database.

Example
nx9500-6C8809(config-database-policy-test)#authentication
nx9500-6C8809(config-database-policy-test)#no shutdown
nx9500-6C8809(config-database-policy-test)#authentication username user1 password uesr@123
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 authentication
 authentication username user1 password 2 f20/dTjYiMnR/tqbGFaO5gAAAAjL/xo8clisk1TZjimo128t
nx9500-6C8809(config-database-policy-test)#
Related Commands
no    Disables database authentication, and removes the username and password configuration.

4.1.39.2.2 replica-set
database-policy-mode commands

Adds a member to a database replica set. A replica-set is a group of devices (replica-set members) running the database instances that maintain the same data set. Replica sets provide redundancy and high availability and are the basis for all production deployments.

The replica set usually consists of: an arbiter, a primary member, and one or more secondary members. The primary member and the secondary member(s) maintain replicas of the data set.

Before deploying a replica set, ensure that each replica-set member:
  has the DB instances installed, and
  is able to communicate with every other member in the set.

After ensuring the above,
  create a database policy (with identical replica-set configuration) on each of the member devices, and
  use the database policy in the member devices' configuration mode.

These member devices elect a primary member, which begins accepting client-write operations. The remaining devices in the replica-set, with the exception of the arbiter, are designated as secondary members.

Supported in the following platforms:
Service Platforms   NX9500, NX9600, VX9000, NX7500, NX5500

Syntax
replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}

Parameters
replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}

replica-set member [<IP>|<FQDN>] {arbiter|priority <0-255>}
    Adds a member to the database replica set. To identify the member, use one of the following options:
    <IP>     Specify the member's IP address.
    <FQDN>   Specify the member's Fully Qualified Domain Name (FQDN).
    After specifying the IP address or FQDN, specify the following:
    arbiter            Optional. Select to configure the member as the arbiter.
    priority <0-255>   Optional. Configures the priority of a non-arbiter member of the replica set
        <0-255>   Specify the priority from 0 - 255. This value determines the member's position within the replica set as primary or secondary. It also helps in electing the fall-back primary member in the eventuality of the current primary member being unreachable.
    A replica set should have at least three members. The maximum number of members can go up to fifty (50). However, configuring a three-member replica set is recommended. Replica sets should have an odd number of members. In case of an even-numbered replica set, add an arbiter to make the member count odd. This ensures that at least one member gets a majority vote in the primary-member election.

Example
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.14 arbiter
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.12 priority 2
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.14 arbiter
 replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#
Related Commands
no    Removes a member from the database replica set

4.1.39.2.3 shutdown
database-policy-mode commands

Shuts down the database server. The factory default is set as no shutdown.

Supported in the following platforms:
Service Platforms   NX9500, NX9600, VX9000, NX7500, NX5500

Syntax
shutdown

Parameters
None

Example
nx9500-6C8809(config-database-policy-test)#shutdown
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 shutdown
nx9500-6C8809(config-database-policy-test)#

Related Commands
no    Enables the database server

4.1.39.2.4 no
database-policy-mode commands

Removes or reverts the database policy settings to default values

Supported in the following platforms:
Service Platforms   NX9500, NX9600, VX9000, NX7500, NX5500

Syntax
no [authentication|replica-set|shutdown]
no authentication {username <USER-NAME>}
no replica-set member [<IP>|<FQDN>]
no shutdown

Parameters
no <PARAMETERS>

no <PARAMETERS>
    Removes a member from the database replica set, or brings up a database server that is down. Also disables database authentication and removes user

Example
The following example shows a three-member replica set:

nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.14 arbiter
 replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#

In the following example the arbiter is removed, leaving the replica set with only two members:

nx9500-6C8809(config-database-policy-test)#no replica-set member 192.168.13.14
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.16 priority 1
nx9500-6C8809(config-database-policy-test)#

Since a replica set must have at least three members, another member must be added to this replica set. This member may or may not be an arbiter.

nx9500-6C8809(config-database-policy-test)#replica-set member 192.168.13.8 priority 3
nx9500-6C8809(config-database-policy-test)#show context
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.16 priority 1
 replica-set member 192.168.13.8 priority 3
nx9500-6C8809(config-database-policy-test)#
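The member-count rules given under replica-set (at least three, at most fifty, an odd number, an arbiter to break an even count) and the remove-then-add sequence in the no example above are easy to get wrong when the same policy has to be typed on every member. The following Python, added here and not part of the guide or of the WiNG software, parses the replica-set lines from a database-policy's show context output, checks them against those documented rules, and renders the identical lines to enter on each member; the sample output is constructed from the three-member example above, and treating a host that appears twice as an error is this example's own assumption.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Limits stated in the replica-set command description.
MIN_MEMBERS = 3
MAX_MEMBERS = 50
PRIORITY_RANGE = range(0, 256)

# One "replica-set member ..." line as printed by "show context" in database-policy mode.
MEMBER_RE = re.compile(
    r"^\s*replica-set member (?P<host>\S+)"
    r"(?:\s+(?:(?P<arbiter>arbiter)|priority\s+(?P<prio>\d+)))?\s*$"
)

# Constructed sample: the three-member set shown in the 'no' example.
SAMPLE_SHOW_CONTEXT = """\
database-policy test
 replica-set member 192.168.13.12 priority 2
 replica-set member 192.168.13.14 arbiter
 replica-set member 192.168.13.16 priority 1
"""


@dataclass(frozen=True)
class Member:
    host: str                       # IP address or FQDN
    arbiter: bool = False
    priority: Optional[int] = None  # only non-arbiter members carry a priority


def parse_replica_set(show_context: str) -> List[Member]:
    """Collect the replica-set members from 'show context' output of a database-policy."""
    members = []
    for line in show_context.splitlines():
        m = MEMBER_RE.match(line)
        if m is None:
            continue
        prio = int(m.group("prio")) if m.group("prio") is not None else None
        members.append(Member(m.group("host"), m.group("arbiter") is not None, prio))
    return members


def check_replica_set(members: List[Member]) -> List[str]:
    """Return the documented rules this member list violates (empty list = acceptable)."""
    findings = []
    n = len(members)
    hosts = [m.host for m in members]
    dups = sorted({h for h in hosts if hosts.count(h) > 1})
    if dups:
        # Assumption: a host appears once, since 'no replica-set member <IP>' keys on it.
        findings.append("duplicate member host(s): " + ", ".join(dups))
    if n < MIN_MEMBERS:
        findings.append(f"only {n} member(s); a replica set needs at least {MIN_MEMBERS}")
    if n > MAX_MEMBERS:
        findings.append(f"{n} members exceeds the maximum of {MAX_MEMBERS}")
    if n % 2 == 0:
        findings.append(f"even member count ({n}); add an arbiter to make it odd")
    if members and all(m.arbiter for m in members):
        # Only primary and secondary members hold replicas of the data set.
        findings.append("no data-bearing member; every member is an arbiter")
    for m in members:
        if not m.arbiter and m.priority is not None and m.priority not in PRIORITY_RANGE:
            findings.append(f"{m.host}: priority {m.priority} is outside 0-255")
    return findings


def cli_lines(members: List[Member]) -> List[str]:
    """Render the identical replica-set lines to enter in the database-policy on every member."""
    lines = []
    for m in members:
        if m.arbiter:
            lines.append(f"replica-set member {m.host} arbiter")
        elif m.priority is None:
            lines.append(f"replica-set member {m.host}")
        else:
            lines.append(f"replica-set member {m.host} priority {m.priority}")
    return lines


if __name__ == "__main__":
    current = parse_replica_set(SAMPLE_SHOW_CONTEXT)
    print("current set:", check_replica_set(current) or "ok")
    # Removing the arbiter (the 'no replica-set member 192.168.13.14' step) leaves two members.
    without_arbiter = [m for m in current if m.host != "192.168.13.14"]
    for finding in check_replica_set(without_arbiter):
        print("after removal:", finding)
    # Adding 192.168.13.8 priority 3, as in the last step, restores a valid odd-sized set.
    repaired = without_arbiter + [Member("192.168.13.8", priority=3)]
    print("repaired set:", check_replica_set(repaired) or "ok")
    print("\n".join(cli_lines(repaired)))
```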
4.1.40 device
Global Configuration Commands

Enables simultaneous configuration of multiple devices

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
device {containing|filter}
device {containing <STRING>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}
device {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

Parameters
device {containing <STRING>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

device
    Enters a device's configuration mode. Use this command to simultaneously configure devices having similar configuration.
containing <STRING>
    Optional. Configures the string to search for in the devices' hostnames. All devices having hostnames containing the string specified here are filtered, and can be configured simultaneously.
    <STRING>   Specify the string to search for in the devices' hostnames.
filter type <DEVICE-TYPE>
    Optional. Filters out a specific device type. After specifying the hostname string, select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, EX3524, EX3548, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, t5, and VX9000 (V-WLC). The t5 option is applicable only on the NX7500, NX7510, NX7520, NX7530, NX95XX, NX9500, NX9510, and NX9600 platforms. The VX9000 option is applicable only to the NX9500, NX9510, and NX9600 platforms.

device {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|t5|vx9000]}

device
    Configures a basic device profile
filter type <DEVICE-TYPE>
    Optional. Filters out a specific device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, EX3524, EX3548, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, t5, and VX9000 (V-WLC). The t5 option is applicable only on the NX7500, NX7510, NX7520, NX7530, NX95XX, NX9500, NX9510, and NX9600 platforms. The VX9000 option is applicable only to the NX9500, NX9510, and NX9600 platforms.

Example
rfs6000-81742D(config)#device filter type ap7532
rfs6000-81742D(config-device-{'type': 'ap7532'})#
Related Commands
no    Removes multiple devices from the network

4.1.41 device-categorization
Global Configuration Commands

Categorizes devices as sanctioned or neighboring. Categorization of devices enables quick identification and blocking of unsanctioned devices in the network.

The following table summarizes the device categorization mode commands:

Table 4.20 Device-Categorization Config Command
  device-categorization
      Creates a device categorization list and enters its configuration mode (page 4-195)
  device-categorization-mode commands
      Summarizes device categorization list configuration mode commands (page 4-196)

4.1.41.1 device-categorization
device-categorization

Configures a device categorization list

Proper classification and categorization of devices (access points, clients, etc.) helps suppress unnecessary unauthorized access point alarms, allowing network administrators to focus on alarms on devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization.

Authorized access points and clients are generally known to you and conform with your organization's security policies. Unauthorized devices are those detected as interoperating within the network, but are not approved. These devices should be filtered to avoid jeopardizing the data within a managed network.

Use this command to apply the neighboring and sanctioned (approved) filters on peer devices operating within a wireless controller or access point's radio coverage area. Detected client MAC addresses can also be filtered based on their classification.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>

Parameters
device-categorization <DEVICE-CATEGORIZATION-LIST-NAME>

<DEVICE-CATEGORIZATION-LIST-NAME>
    Specify the device categorization list name. If a list with the same name does not exist, it is created.

Example
rfs6000-81742D(config)#device-categorization rfs6000
rfs6000-81742D(config-device-categorization-rfs6000)#?
Device Category Mode commands:
  mark-device   Add a device
  no            Negate a command or set its defaults

  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal

rfs6000-81742D(config-device-categorization-rfs6000)#
Related Commands no Removes an existing device categorization list Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 195 GLOBAL CONFIGURATION COMMANDS 4.1.41.2 device-categorization-mode commands device-categorization The following table summarizes device categorization configuration mode commands:
Table 4.21 Device-Categorization-Mode Commands Command mark-device no Description Adds a device to the device categorization list Removes a device from the device categorization list Reference page 4-197 page 4-199 Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 196 GLOBAL CONFIGURATION COMMANDS 4.1.41.2.1 mark-device device-categorization-mode commands Adds a device to the device categorization list as sanctioned or neighboring. Devices are further classified as AP or client. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax mark-device <1-1000> [sanctioned|neighboring] [ap|client]
mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac
<MAC>}}
mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}
Parameters

mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac <MAC>}}

<1-1000>                    Configures the device categorization entry index number
sanctioned                  Marks a device as sanctioned. A sanctioned device is authorized to use network resources.
neighboring                 Marks a device as neighboring. A neighboring device is a neighbor in the same network as this device.
ap {mac <MAC>|ssid <SSID>}  Marks a specified AP as sanctioned or neighboring based on its MAC address or SSID
                            mac <MAC>    Optional. Specify the AP's MAC address.
                            ssid <SSID>  Optional. Specify the AP's SSID. After specifying the SSID, you can optionally specify its MAC address.
                            All APs are marked if no specific MAC address or SSID is provided.
mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}

<1-1000>            Configures the device categorization entry index number
sanctioned          Marks the wireless client as sanctioned. A sanctioned device is authorized to use network resources.
neighboring         Marks the wireless client as neighboring. A neighboring device is a neighbor in the same network as this device.
client {mac <MAC>}  Marks a specified wireless client as sanctioned or neighboring based on its MAC address
                    mac <MAC>  Optional. Specify the wireless client's MAC address.

Example

rfs6000-81742D(config-device-categorization-rfs6000)#mark-device 1 sanctioned ap mac 11-22-33-44-55-66
rfs6000-81742D(config-device-categorization-rfs6000)#show context
device-categorization rfs6000
 mark-device 1 sanctioned ap mac 11-22-33-44-55-66
rfs6000-81742D(config-device-categorization-rfs6000)#
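The categorization list only has value if something compares it against what is actually on the air. The following Python is an added example (not from the CLI Reference Guide or the WiNG product): it parses the `show context` output of a device-categorization list and reports observed APs that match no sanctioned or neighboring entry. The extra entries in the sample, the colon-separated MAC format of the scan records, and the matching precedence are this example's assumptions.

```python
"""Added example, not from the CLI Reference Guide: audit observed access points
against a device-categorization list captured with `show context`.

Assumptions not stated on the page: the `show context` text is pasted verbatim
from the CLI, and the observed-AP records come from a separate scan tool that
may report colon-separated MAC addresses.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Constructed sample: the page's show-context output, extended with a
# neighboring AP marked by SSID plus MAC and a sanctioned client (hypothetical).
SHOW_CONTEXT = """\
device-categorization rfs6000
 mark-device 1 sanctioned ap mac 11-22-33-44-55-66
 mark-device 2 neighboring ap ssid GuestNet mac AA-BB-CC-DD-EE-01
 mark-device 3 sanctioned client mac 00-11-22-33-44-55
"""

# mark-device <1-1000> [sanctioned|neighboring] [ap|client] {ssid <SSID>} {mac <MAC>}
MARK_RE = re.compile(
    r"^\s*mark-device\s+(?P<index>\d+)\s+(?P<category>sanctioned|neighboring)\s+"
    r"(?P<kind>ap|client)(?:\s+ssid\s+(?P<ssid>\S+))?(?:\s+mac\s+(?P<mac>\S+))?\s*$"
)


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 11-22-33-44-55-66 equals 11:22:33:44:55:66."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


@dataclass(frozen=True)
class MarkEntry:
    index: int
    category: str            # "sanctioned" or "neighboring"
    kind: str                # "ap" or "client"
    mac: Optional[str]       # normalized, or None when the entry has no MAC
    ssid: Optional[str]      # AP entries only


def parse_show_context(text: str) -> list[MarkEntry]:
    """Extract mark-device entries; lines that are not mark-device are ignored."""
    entries = []
    for line in text.splitlines():
        m = MARK_RE.match(line)
        if m is None:
            continue
        index = int(m["index"])
        if not 1 <= index <= 1000:          # the page's <1-1000> range
            raise ValueError(f"index out of range in {line.strip()!r}")
        entries.append(MarkEntry(
            index=index,
            category=m["category"],
            kind=m["kind"],
            mac=normalize_mac(m["mac"]) if m["mac"] else None,
            ssid=m["ssid"],
        ))
    return entries


def categorize(entries: Iterable[MarkEntry], kind: str, mac: str,
               ssid: Optional[str] = None) -> Optional[str]:
    """Return "sanctioned", "neighboring" or None for one observed device.

    Matching precedence is this example's assumption: an entry naming the MAC
    (and, if present, the SSID) wins; then an SSID-only AP entry; then an
    entry with neither MAC nor SSID, which the page says marks all APs.
    """
    mac = normalize_mac(mac)
    entries = list(entries)
    for e in entries:
        if e.kind == kind and e.mac == mac and e.ssid in (None, ssid):
            return e.category
    for e in entries:
        if e.kind == kind == "ap" and e.mac is None and ssid is not None and e.ssid == ssid:
            return e.category
    for e in entries:
        if e.kind == kind and e.mac is None and e.ssid is None:
            return e.category
    return None


def uncategorized_aps(entries: Iterable[MarkEntry],
                      observed: Iterable[tuple[str, str]]) -> list[tuple[str, str]]:
    """Observed (mac, ssid) pairs that match no entry: the ones worth a closer look."""
    entries = list(entries)
    return [(mac, ssid) for mac, ssid in observed
            if categorize(entries, "ap", mac, ssid) is None]
```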
Related Commands

no    Removes an entry from the device categorization list

4.1.41.2.2 no

Removes a device from the device categorization list

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no mark-device <1-1000> [neighboring|sanctioned] [ap|client]
no mark-device <1-1000> [sanctioned|neighboring] client {mac <MAC>}
no mark-device <1-1000> [sanctioned|neighboring] ap {mac <MAC>|ssid <SSID> {mac <MAC>}}
Parameters

no <PARAMETERS>

no <PARAMETERS>    Removes a mark-device (AP or wireless client) entry from this device categorization list

Example

The following example shows the device categorization list rfs6000 settings before the no command is executed:

rfs6000-81742D(config-device-categorization-rfs6000)#show context
device-categorization rfs6000
 mark-device 1 sanctioned ap mac 11-22-33-44-55-66
rfs6000-81742D(config-device-categorization-rfs6000)#

rfs6000-81742D(config-device-categorization-rfs6000)#no mark-device 1 sanctioned ap mac 11-22-33-44-55-66

The following example shows the device categorization list rfs6000 settings after the no command is executed:

rfs6000-81742D(config-device-categorization-rfs6000)#show context
device-categorization rfs6000
rfs6000-81742D(config-device-categorization-rfs6000)#
Related Commands

mark-device    Adds a device to a list of sanctioned or neighboring devices

4.1.42 dhcp-server-policy

Configures DHCPv4 server policy parameters, such as class, address range, and options. A new policy is created if it does not exist.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

dhcp-server-policy <DHCP-SERVER-POLICY-NAME>

Parameters

dhcp-server-policy <DHCP-SERVER-POLICY-NAME>

<DHCP-SERVER-POLICY-NAME>    Specify the DHCPv4 server policy name. If the policy does not exist, it is created.

Example

rfs6000-81742D(config)#dhcp-server-policy test
rfs6000-81742D(config-dhcp-policy-test)#?
DHCP policy Mode commands:
  bootp        BOOTP specific configuration
  dhcp-class   Configure DHCP class (for address allocation using DHCP user-class options)
  dhcp-pool    Configure DHCP server address pool
  dhcp-server  Activating dhcp server based on criteria
  no           Negate a command or set its defaults
  option       Define DHCP server option
  ping         Specify ping parameters used by DHCP Server

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

rfs6000-81742D(config-dhcp-policy-test)#
Related Commands

no    Removes an existing DHCP server policy

NOTE: For more information on DHCP policy, see Chapter 12, DHCP-SERVER-POLICY.

4.1.43 dhcpv6-server-policy

Creates a DHCPv6 server policy and enters its configuration mode.

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes, or other configuration attributes required on an IPv6 network. DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature manages non-duplicate addresses in the correct prefix based on the network where the host is connected. Assigned addresses can be from one or multiple pools. Additional options, such as the default domain and DNS name-server address, can be passed back to the client. Address pools can be assigned for use on a specific interface or on multiple interfaces, or the server can automatically find the appropriate pool.

When configured and applied to a device, the DHCPv6 server policy enables the device to function as a stateless DHCPv6 server.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>

Parameters

dhcpv6-server-policy <DHCPv6-SERVER-POLICY-NAME>

<DHCPv6-SERVER-POLICY-NAME>    Specify the DHCPv6 server policy name. If the policy does not exist, it is created.

Example

rfs6000-81742D(config-dhcpv6-server-policy-test)#?
DHCPv6 server policy Mode commands:
  dhcpv6-pool              Configure DHCPV6 server address pool
  no                       Negate a command or set its defaults
  option                   Define DHCPv6 server option
  restrict-vendor-options  Restrict vendor specific options to be sent in server reply
  server-preference        Server preference value sent in the reply, by the server to client

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

rfs6000-81742D(config-dhcpv6-server-policy-test)#
Related Commands

no    Removes an existing DHCPv6 server policy

NOTE: For more information on DHCP policy, see Chapter 12, DHCP-SERVER-POLICY.

4.1.44 dns-whitelist

Configures a DNS whitelist. A DNS whitelist is a list of domains allowed access to the network.

The following table lists DNS Whitelist configuration mode commands:

Table 4.22 DNS-Whitelist Config Commands

Command                      Description                                                  Reference
dns-whitelist                Creates a DNS whitelist and enters its configuration mode    page 4-204
dns-whitelist-mode commands  Summarizes DNS whitelist configuration mode commands         page 4-205

4.1.44.1 dns-whitelist

Configures a DNS whitelist. A DNS whitelist is a list of allowed DNS destination IP addresses pre-approved to access a controller, service platform, or access point managed captive portal.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

dns-whitelist <DNS-WHITELIST-NAME>

Parameters

dns-whitelist <DNS-WHITELIST-NAME>

<DNS-WHITELIST-NAME>    Specify the DNS whitelist name. If the whitelist does not exist, it is created.

Example

rfs6000-81742D(config)#dns-whitelist test
rfs6000-81742D(config-dns-whitelist-test)#?
DNS Whitelist Mode commands:
  no       Negate a command or set its defaults
  permit   Match a host

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81742D(config-dns-whitelist-test)#
Related Commands

no    Removes an existing DNS Whitelist

4.1.44.2 dns-whitelist-mode commands

The following table summarizes DNS Whitelist configuration mode commands:

Table 4.23 DNS-Whitelist-Mode Commands

Command  Description                                                                            Reference
permit   Permits a host, existing on a DNS whitelist, access to the network or captive portal   page 4-206
no       Negates a command or reverts to default                                                page 4-207

4.1.44.2.1 permit

A whitelist is a list of host names and IP addresses permitted access to the network or captive portal. This command adds a host or destination IP address to the DNS whitelist.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

permit <IPv4/IPv6/HOSTNAME> {suffix}

Parameters

permit <IPv4/IPv6/HOSTNAME> {suffix}

<IPv4/IPv6/HOSTNAME>    Adds a device to the DNS whitelist
                        <IPv4/IPv6/HOSTNAME>  Provide a hostname or numerical IPv4 or IPv6 address for each destination IP address or host included in the whitelist. A maximum of 256 entries can be made.
suffix                  Optional. Matches any hostname or domain name including the specified name as suffix

Example

rfs6000-81742D(config-dns-whitelist-test)#permit example_company.com suffix
rfs6000-81742D(config-dns-whitelist-test)#show context
dns-whitelist test
 permit example_company.com suffix
rfs6000-81742D(config-dns-whitelist-test)#
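Because a captive-portal whitelist decides which destinations unauthenticated clients may reach, the exact matching rule for `suffix` matters. The following Python is an added example (not from the CLI Reference Guide or the WiNG product) that parses a `show context dns-whitelist` capture and evaluates destinations against it, enforcing the 256-entry limit the page states. It assumes the storage format shown, case-insensitive hostname comparison, and that `suffix` matches only on a DNS label boundary; the page does not specify these, and the two extra entries in the sample are constructed.

```python
"""Added example, not from the CLI Reference Guide: evaluate a captive-portal
DNS whitelist captured with `show context dns-whitelist <name>`.

Assumptions not stated on the page: entries are stored one per line as
`permit <IPv4/IPv6/HOSTNAME> [suffix]`, hostnames compare case-insensitively,
and a `suffix` entry matches on DNS label boundaries, so example_company.com
covers www.example_company.com but not notexample_company.com.
"""
import ipaddress
from typing import NamedTuple, Optional, Union

MAX_ENTRIES = 256   # the page: "A maximum of 256 entries can be made"

# Constructed sample: the page's example entry plus two more (hypothetical).
SHOW_CONTEXT = """\
dns-whitelist test
 permit example_company.com suffix
 permit login.portal.example
 permit 192.0.2.10
"""

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class Permit(NamedTuple):
    host: Optional[str]      # normalized hostname, or None for an IP entry
    ip: Optional[IPAddress]  # parsed address, or None for a hostname entry
    suffix: bool             # True when the `suffix` keyword is present


def _to_ip(text: str) -> Optional[IPAddress]:
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def parse_whitelist(text: str) -> list[Permit]:
    """Parse `permit` lines; anything else (the list header, prompts) is skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] != "permit":
            continue
        target, flags = parts[1], parts[2:]
        if flags not in ([], ["suffix"]):
            raise ValueError(f"unexpected tokens in {raw.strip()!r}")
        ip = _to_ip(target)
        if ip is not None:
            # suffix has no meaning for an address literal; record it but never use it
            entries.append(Permit(host=None, ip=ip, suffix=bool(flags)))
        else:
            entries.append(Permit(host=target.lower().rstrip("."), ip=None, suffix=bool(flags)))
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"whitelist exceeds {MAX_ENTRIES} entries")
    return entries


def is_permitted(entries: list[Permit], destination: str) -> bool:
    """True if the destination (hostname or IP literal) is covered by an entry."""
    dest = destination.lower().rstrip(".")
    dest_ip = _to_ip(dest)
    for e in entries:
        if e.ip is not None:
            if dest_ip is not None and dest_ip == e.ip:
                return True
        elif dest_ip is None:
            if dest == e.host:
                return True
            # label-boundary suffix match: require a dot before the permitted name
            if e.suffix and dest.endswith("." + e.host):
                return True
    return False
```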
Related Commands

no    Removes a DNS whitelist entry

4.1.44.2.2 no

Removes a specified host or IP address from the DNS whitelist, and prevents it from accessing network resources

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no permit <IPv4/IPv6/HOSTNAME>

Parameters

no permit <IPv4/IPv6/HOSTNAME>

<IPv4/IPv6/HOSTNAME>    Removes a device from the DNS whitelist (identifies the device by its IP address or hostname)
                        <IPv4/IPv6/HOSTNAME>  Specify the device's IPv4/IPv6 address or hostname.

Example

rfs6000-81742D(config-dns-whitelist-test)#show context
dns-whitelist test
 permit example_company.com suffix
rfs6000-81742D(config-dns-whitelist-test)#
rfs6000-81742D(config-dns-whitelist-test)#no permit example_company.com
rfs6000-81742D(config-dns-whitelist-test)#show context
dns-whitelist test
rfs6000-81742D(config-dns-whitelist-test)#
Related Commands

permit    Adds a device to the DNS whitelist

4.1.45 end

Ends and exits the current mode and moves to the PRIV EXEC mode. The prompt changes to the PRIV EXEC mode.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

end

Parameters

None

Example

rfs4000-229D58(config)#end
rfs4000-229D58#
4.1.46 event-system-policy

The following table lists event system configuration mode commands:

Table 4.24 Event-System-Policy Config Commands

Command                            Description                                                         Reference
event-system-policy                Creates an event system policy and enters its configuration mode    page 4-210
event-system-policy-mode commands  Summarizes event system policy configuration mode commands          page 4-211

4.1.46.1 event-system-policy

Configures a system-wide event handling policy.

Event system policies enable administrators to create notification mechanisms using one, some, or all of the SNMP, syslog, controller forwarding, or email notification options available to the controller or service platform. Each listed event can have customized notification settings defined and saved as part of an event policy. Thus, policies can be configured and administered in respect to specific sets of client association, authentication or encryption, and performance events. Once policies are defined, they can be mapped to device profiles strategically as the likelihood of an event applies to particular devices.

To view the configuration details of an existing event system policy, use the show > event-system-policy command.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

event-system-policy <EVENT-SYSTEM-POLICY-NAME>

Parameters

event-system-policy <EVENT-SYSTEM-POLICY-NAME>

<EVENT-SYSTEM-POLICY-NAME>    Specify the event system policy name. If the policy does not exist, it is created.

Example

rfs6000-81701D(config)#event-system-policy event-testpolicy
rfs6000-81701D(config-event-system-policy-event-testpolicy)#?
Event System Policy Mode commands:
  event    Configure an event
  no       Negate a command or set its defaults

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81701D(config-event-system-policy-event-testpolicy)#
Related Commands

no    Removes an event system policy

4.1.46.2 event-system-policy-mode commands

The following table summarizes event system policy configuration mode commands:

Table 4.25 Event-System-Policy Mode Commands

Command  Description                               Reference
event    Configures an event                       page 4-212
no       Negates a command or reverts to default   page 4-225

4.1.46.2.1 event

Configures an event and sets the action performed when the event happens

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog) [default|on|off]

The event types are:

rfs6000-81742D(config-event-system-policy-testpolicy)#event ?
  aaa             AAA/Radius module
  adapt           Adaptivity Module
  adopt-service   Adoption Service
  adv-wips        Adv-wips module
  ap              Access Point module
  bt              Bluetooth
  captive-portal  Captive Portal
  cdp             Cisco Discovery Protocol
  certmgr         Certificate Manager (Not valid for NCAP/MCN)
  cfgd            Cfgd module
  cluster         Cluster module
  crm             Critical Resource Monitoring
  database        Database Services
  device          Device module
  dhcpsvr         DHCP Configuration Daemon
  diag            Diag module
  dot11           802.11 management module
  dot1x           802.1X Authentication
  fwu             Firmware update module
  isdn            Isdn module
  l2gre           Layer 2 GRE Tunnel
  l2tpv3          Layer 2 Tunneling Protocol Version 3
  licmgr          License module
  lldp            Link Layer Discovery Protocol
  mesh            Mesh module
  mgmt            Management Services
  nsm             Network Services Module
  pm              Process-monitor module
  radconf         Radius Configuration Daemon
  rasst           Roaming-Assist module
  radio           Radio module
  smrt            Smart-rf module
  smtpnot         Smtpnot module
  system          System module
  test            Test module
  vrrp            Virtual Router Redundancy Protocol
  webf            Webf module
  wips            Wireless IPS module
rfs6000-81742D(config-event-system-policy-testpolicy)#
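An event system policy is only as useful as the events it actually forwards, so it is worth checking a policy against a baseline rather than reading it by eye. The following Python is an added example (not from the CLI Reference Guide or the WiNG product): it validates `event` lines against the grammar and event-type list shown above and reports baseline events that do not reach syslog. It assumes each stored `event` line carries one destination and one action, which the page's syntax allows but does not confirm; the baseline selection and the sample policy are this example's own.

```python
"""Added example, not from the CLI Reference Guide: lint an event-system-policy
against the `event` command grammar shown on this page and against a baseline
of events that should reach syslog.

Assumptions not stated on the page: each `event` line in the stored policy
carries one destination and one action (`event <TYPE> <NAME> <destination>
<default|on|off>`), one line per setting. The baseline below is this
example's own choice, not a vendor recommendation.
"""
# Event types from the `event ?` listing on this page.
EVENT_TYPES = frozenset("""aaa adapt adopt-service adv-wips ap bt captive-portal cdp
certmgr cfgd cluster crm database device dhcpsvr diag dot11 dot1x fwu isdn l2gre
l2tpv3 licmgr lldp mesh mgmt nsm pm radconf rasst radio smrt smtpnot system test
vrrp webf wips""".split())
DESTINATIONS = frozenset({"email", "forward-to-switch", "snmp", "syslog"})
ACTIONS = frozenset({"default", "on", "off"})

# Events a defender would normally want in the central log (names taken from
# the <event-name> tables on this page; the selection is this example's).
SYSLOG_BASELINE = {
    ("certmgr", "cert-expiry"),
    ("mgmt", "log-key-deleted"),
    ("mgmt", "log-trustpoint-deleted"),
    ("dot1x", "dot1x-failed"),
    ("dot11", "tkip-mic-failure"),
    ("captive-portal", "auth-failed"),
    ("cluster", "state-change"),
}

# Constructed sample policy: one baseline event is explicitly off, one is
# missing, and two lines are malformed.
POLICY_TEXT = """\
event-system-policy event-testpolicy
 event certmgr cert-expiry syslog on
 event mgmt log-key-deleted syslog on
 event mgmt log-trustpoint-deleted syslog on
 event dot1x dot1x-failed syslog off
 event dot11 tkip-mic-failure snmp on
 event dot11 tkip-mic-failure syslog on
 event captive-portal auth-failed syslog on
 event bogus-module some-event syslog on
 event cluster state-change pager on
"""


def parse_event_line(line: str) -> tuple[str, str, str, str]:
    """Return (type, name, destination, action) or raise ValueError."""
    parts = line.split()
    if len(parts) != 5 or parts[0] != "event":
        raise ValueError(f"not an event command: {line.strip()!r}")
    _, etype, ename, dest, action = parts
    if etype not in EVENT_TYPES:
        raise ValueError(f"unknown event type {etype!r}")
    if dest not in DESTINATIONS:
        raise ValueError(f"unknown destination {dest!r}")
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    return etype, ename, dest, action


def lint_policy(text: str, baseline=frozenset(SYSLOG_BASELINE)):
    """Return (invalid_lines, not_on_syslog).

    not_on_syslog lists baseline events whose syslog setting is absent, 'off',
    or left at 'default'; only an explicit 'on' counts as confirmed.
    """
    invalid, syslog_state = [], {}
    for raw in text.splitlines():
        if not raw.strip().startswith("event "):
            continue          # policy header and other lines
        try:
            etype, ename, dest, action = parse_event_line(raw)
        except ValueError as exc:
            invalid.append(str(exc))
            continue
        if dest == "syslog":
            syslog_state[(etype, ename)] = action
    not_on_syslog = sorted(ev for ev in baseline if syslog_state.get(ev) != "on")
    return invalid, not_on_syslog
```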
NOTE: The parameter values for <EVENT-TYPE> and <EVENT-NAME> are summarized in the table under the Parameters section.

Parameters

event <EVENT-TYPE> <EVENT-NAME> (email,forward-to-switch,snmp,syslog) [default|on|off]

<event-type>    <event-name>

aaa             Enables and configures logging of the following authentication, authorization, and accounting related events:
                radius-discon-msg           RADIUS disconnection
                radius-session-expired      RADIUS session expired
                radius-session-not-started  RADIUS session not started
                radius-vlan-update          RADIUS VLAN update

adapt           Enables and configures logging of the following adaptivity module related events:
                adaptivity-change  Event adaptivity change
                adaptivity-rehome  Event adaptivity rehome

adopt-services  Enables and configures the logging of adopted services related events

adv-wips        Enables and configures the logging of advanced WIPS related events

ap              Enables and configures logging of the following AP related events:
                adopted                Event AP adopted
                adopted-to-controller  Event AP adopted to wireless controller
                ap-adopted             Event access port adopted
                ap-autoup-done         Event AP autoup done
                ap-autoup-fail         Event AP autoup fail
                ap-autoup-needed       Event AP autoup needed
                ap-autoup-no-need      Event AP autoup not needed
                ap-autoup-reboot       Event AP autoup reboot
                ap-autoup-timeout      Event AP autoup timeout
                ap-autoup-ver          Event AP autoup version
                ap-reset-detected      Event access port reset detected
                ap-reset-request       Event access port user requested reset
                ap-timeout             Event access port timed out
                ap-unadopted           Event access port unadopted
                image-parse-failure    Event image parse failure message
                legacy-auto-update     Event legacy auto update
                no-image-file          Event no image file
                offline                Event AP detected as offline
                online                 Event offline AP detected as online
                reset                  Event AP reset
                sw-conn-lost           Event software connection with AP lost
                unadopted              Event AP unadopted

bt              Enables and configures logging of the following Bluetooth related events:
                bt-started        Event bluetooth (bt) started
                bt-state-change   Event bt state change

captive-portal  Enables and configures logging of the following captive portal (hotspot) related events:
                allow-access        Event client allowed access
                auth-failed         Event client authentication failed
                auth-success        Event client authentication success
                client-disconnect   Event client disconnected
                client-removed      Event client removed
                data-limit-exceed   Event client data limit exceed
                flex-log-access     Event flexible log access granted to client
                inactivity-timeout  Event client time-out due to inactivity
                page-cre-failed     Event captive portal page creation failure
                purge-client        Event client purged
                session-timeout     Event client's session timeout
                vlan-switch         Event client switched VLAN

cdp             Enables and configures logging of the following Cisco Discovery Protocol (CDP) related event:
                duplex-mismatch  Event duplex mismatch detected between CDP neighbors

certmgr         Enables and configures logging of the following certificate manager related events (not applicable to AP6511 and AP6521 model access points):
                ca-cert-actions-failure   Event CA certificate actions failure
                ca-cert-actions-success   Event CA certificate actions success
                ca-key-actions-failure    Event CA key actions failure
                ca-key-actions-success    Event CA key actions success
                cert-expiry               Event certificate expiry
                crl-actions-failure       Event Certificate Revocation List (CRL) actions failure
                crl-actions-success       Event CRL actions success
                csr-export-failure        Event CSR export failure
                csr-export-success        Event CSR export success
                delete-trustpoint-action  Event delete trustpoint action
                export-trustpoint         Event trustpoint exported
                import-trustpoint         Event trustpoint imported
                rsa-key-actions-failure   Event RSA key actions failure
                rsa-key-actions-success   Event RSA key actions success
                svr-cert-actions-success  Event server certificate actions success
                svr-cert-actions-failure  Event server certificate actions failure
certmgr-lite    Enables and configures logging of certificate manager (lite version) related event messages (applicable only to AP6521 and AP6511 model access points)

cfgd            Enables and configures logging of the following configuration daemon module related events:
                acl-attached-altered  Event Access List (ACL) attached altered
                acl-rule-altered      Event ACL rule altered

cluster         Enables and configures logging of the following cluster module related events:
                cmaster-cfg-update-fail  Event cluster master config update failed
                max-exceeded             Event maximum cluster count exceeded
                state-change             Event cluster state change (active/inactive)
                state-change-active      Event cluster state change to active
                state-change-inactive    Event cluster state change to inactive
                state-retain-active      Event cluster state retained as active

crm             Enables and configures logging of the following Critical Resource Monitoring (CRM) related events:
                critical-resource-down  Event critical resource goes down
                critical-resource-up    Event critical resource comes up

device          Enables and configures the logging of device module related events

database        Enables and configures logging of the following error conditions in the captive-portal/NSight database:
                database-election-fail      Event primary database node selection failure. Requires manual intervention to select primary database node.
                database-exception          Event database may need to be dropped and device restarted
                database-low-disk-space     Event database low disk space
                Database-new-state          Event database state change
                database-op-failure         Event database failure
                database-set-name-mismatch  Event replica-set not enabled on host
                database-storage-mismatch   Event database mismatch. All database files must be removed.
                operation-complete          Event database operation completed successfully
                operation-failed            Event database operation failure

dhcpsvr         Enables and configures logging of the following DHCP server related events:
                dhcp-start        Event DHCP server started
                dhcpsvr-stop      Event DHCP server stopped
                relay-iface-no-ip Event no IP address on DHCP relay interface
                relay-no-iface    Event no interface for DHCP relay
                relay-start       Event relay agent started
                relay-stop        Event DHCP relay agent stopped
diag            Enables and configures logging of the following diagnostics module related events:
                autogen-tech-sprt           Event autogen technical support
                buf-usage                   Event buffer usage
                cpu-load                    Event CPU load
                cpu-usage-too-high          Event CPU usage high
                cpu-usage-too-high-recover  Event recovery from high CPU usage
                disk-usage                  Event disk usage
                elapsed-time                Event elapsed time
                fan-underspeed              Event fan underspeed
                fd-count                    Event forward count
                free-flash-disk             Event free flash disk
                free-flash-inodes           Event free flash inodes
                free-nvram-disk             Event free nvram disk
                free-nvram-inodes           Event free nvram inodes
                free-ram                    Event free ram
                free-ram-disk               Event free ram disk
                free-ram-inodes             Event free ram inodes
                head-cache-usage            Event head cache usage
                high-temp                   Event high temp
                ip-dest-usage               Event ip destination usage
                led-identify                Event led identify
                low-temp                    Event low temp
                mem-usage-too-high          Event memory usage high
                mem-usage-too-high-recover  Event recovery from high memory usage
                new-led-state               Event new led state
                over-temp                   Event over temp
                over-voltage                Event over voltage
                poe-init-fail               Event PoE init fail
                poe-power-level             Event PoE power level
                poe-read-fail               Event PoE read fail
                poe-state-change            Event PoE state change
                pwrsply-fail                Event failure of power supply
                raid-degraded               Event Redundant Array of Independent Disks (RAID) degraded
                raid-error                  Event RAID error
                ram-usage                   Event ram usage
                under-voltage               Event under voltage
                wd-reset-sys                Event wd reset system
                wd-state-change             Event wd state change
dot11           Enables and configures logging of the following 802.11 management module related events:
                client-assoc-ignored        Wireless client association ignored event
                client-associated           Wireless client associated event
                client-denied-assoc         Event client denied association
                client-disassociated        Wireless client disassociated
                country-code                Event country code applied
                country-code-error          Event country code error
                eap-cached-keys             Event Extensible Authentication Protocol (EAP) cached keys
                eap-client-timeout          Event EAP client timeout
                eap-failed                  Event EAP failed
                eap-opp-cached-keys         Event EAP opp cached keys
                eap-preauth-client-timeout  Event EAP pre-authentication client timeout
                eap-preauth-failed          Event EAP pre-authentication failed
                eap-preauth-server-timeout  Event EAP pre-authentication server timeout
                eap-preauth-success         Event EAP pre-authentication success
                eap-server-timeout          Event EAP server timeout
                eap-success                 Event EAP success
                ft-roam-success             Event client fast BSS transition
                gal-rx-request              Event GAL request received event
                gal-tx-response             Event response sent to GAL request
                gal-validate-failed         Event GAL validation failed
                gal-validate-req            Event GAL validation request
                gal-validate-success        Event GAL validation success
                kerberos-client-success     Event client Kerberos authentication success
                kerberos-wlan-failed        Event WLAN Kerberos authentication failed
                kerberos-wlan-success       Event WLAN Kerberos authentication success
                kerberos-wlan-timeout       Event Kerberos authentication timed out
                move-operation-success      Event move operation success
                neighbor-denied-assoc       Event neighbor denied association
                tkip-cntrmeas-end           Event TKIP countermeasures ended
                tkip-cntrmeas-start         Event TKIP countermeasures initiated
                tkip-mic-fail-report        Event TKIP MIC failure report
                tkip-mic-failure            Event TKIP MIC check failed
                voice-call-completed        Event voice call completed
                voice-call-established      Event voice call established
                voice-call-failed           Event voice call failed
                wlan-time-access-disable    Event WLAN disabled by time-based-access
                wlan-time-access-enable     Event WLAN re-enabled by time-based-access
                wpa-wpa2-failed             Event WPA-WPA2 failed
                wpa-wpa2-key-rotn           Event WPA-WPA2 key rotation
                wpa-wpa2-success            Event WPA-WPA2 success

dot1x           Enables and configures logging of the following 802.1X authentication related events:
                dot1x-failed   Event EAP authentication failure
                dot1x-success  Event dot1x success

fwu             Enables and configures logging of the following firmware update (fwu) related events:
                fwuaborted              Event fwu aborted
                fwubadconfig            Event fwu aborted due to bad config
                fwucorruptedfile        Event fwu aborted due to corrupted file
                fwucouldntgetfile       Event fwu aborted because the system could not get file
                fwudone                 Event fwu done
                fwufileundef            Event fwu aborted due to file undefined
                fwunoneed               Event fwu no need
                fwuprodmismatch         Event fwu aborted due to product mismatch
                fwuserverundef          Event fwu aborted due to server undefined
                fwuserverunreachable    Event fwu aborted due to server unreachable
                fwusignmismatch         Event fwu aborted due to signature mismatch
                fwusyserr               Event fwu aborted due to system error
                fwuunsupportedhw        Event fwu aborted due to unsupported hardware
                fwuunsupportedmodelnum  Event fwu aborted due to unsupported FIPS model number
                fwuvermismatch          Event fwu aborted due to version mismatch

isdn            Enables and configures logging of the following Integrated Services Digital Network (ISDN) module related events:
                isdn-alert    Event ISDN alert
                isdn-crit     Event ISDN critical
                isdn-debug    Event ISDN debug
                isdn-emerg    Event ISDN emergency
                isdn-err      Event ISDN error
                isdn-info     Event ISDN info
                isdn-notice   Event ISDN notice
                isdn-warning  Event ISDN warning

l2gre           Enables and configures logging of the following Layer 2 GRE (L2GRE) tunnel related events:
                l2gre-tunnel-down      Event L2GRE tunnel down
                l2gre-tunnel-failover  Event L2GRE tunnel failover
                l2gre-tunnel-up        Event L2GRE tunnel up
GLOBAL CONFIGURATION COMMANDS
l2tpv3  Enables and configures logging of the following L2TPv3 related events:
  l2tpv3-tunnel-down  Event L2TPv3 tunnel down
  l2tpv3-tunnel-up  Event L2TPv3 tunnel up
licmgr  Enables and configures logging of the following license manager module related events:
  lic-installed-count  Event total number of licenses installed
  lic-installed-default  Event default license installation
  lic-installed  Event license installed
  lic-invalid  Event license installation failed
  lic-removed  Event license removed
lldp  Enables and configures logging of the following Link Layer Discovery Protocol (LLDP) related events:
  lldp-loop-detected  Event layer 2 switching loop
  lldp-loop-recovery  Event recovery from layer 2 switching loop
mgmt  Enables and configures logging of the following management services module related events:
  log-http-init  Event Web server started
  log-http-local-start  Event Web server started in local mode
  log-http-start  Event Web server started in external mode
  log-https-start  Event secure Web server started
  log-https-wait  Event waiting for Web server to start
  log-key-deleted  Event RSA key associated with SSH is deleted
  log-key-restored  Event RSA key associated with SSH is added
  log-trustpoint-deleted  Event trustpoint associated with HTTPS is deleted
mesh  Enables and configures logging of the following mesh module related events:
  mesh-link-down  Event mesh link down
  mesh-link-up  Event mesh link up
  meshpoint-down  Event meshpoint down
  meshpoint-loop-prevent-off  Event meshpoint loop prevent off
  meshpoint-loop-prevent-on  Event meshpoint loop prevent on
  meshpoint-path-change  Event meshpoint path change
  meshpoint-root-change  Event meshpoint root change
  meshpoint-up  Event meshpoint up
nsm  Enables and configures logging of the following Network Service Module (NSM) related events:
  dhcpc-err  Event DHCP certification error
  dhcpdefrt  Event DHCP defrt
  dhcpip  Event DHCP IP
  dhcpipchg  Event DHCP IP change
  dhcpipnoadd  Event DHCP IP overlaps static IP address
  dhcplsexp  Event DHCP lease expiry
  dhcpnak  Event DHCP server returned DHCP NAK response
  dhcpnodefrt  Event interface no default route
  if-failback  Event interface failback message
  if-failover  Event interface failover message
  ifdown  Event interface down message
  ifipcfg  Event interface IP config message
  ifup  Event interface up message
  nsm-ntp  Event translate host name message
  ntp-start  Event NTP server start message
  ntp-stop  Event NTP server stop message
pm  Enables and configures logging of the following process monitor module related events:
  procid  Event proc ID generated
  procmaxrstrt  Event proc max restart
  procnoresp  Event proc no response
  procrstrt  Event proc restart
  procstart  Event proc start
  procstop  Event proc stop
  procsysrstrt  Event proc system restart
  startupcomplete  Event startup complete
radconf  Enables and configures logging of the following RADIUS configuration daemon related events:
  could-not-stop-radius  Event could not stop RADIUS server
  radiusdstart  Event RADIUS server started
  radiusdstop  Event RADIUS server stopped
radio  Enables and configures logging of the following radio module related events:
  acs-scan-complete  Event ACS scan completed
  acs-scan-started  Event ACS scan started
  cb-associated  Event client-bridge access point associates with an infrastructure access point
  cb-roam  Event client-bridge access point roams from one infrastructure access point to another
  cb-wired-client-added  Event wired client is added to the client-bridge
  cb-wired-client-removed  Event wired client is removed from the client-bridge
  channel-country-mismatch  Event channel and country of operation mismatch
  radar-det-info  Event radar detected radar info
  radar-detected  Event radar detected
  radar-scan-completed  Event radar scan completed
  radar-scan-started  Event radar scan started
  radio-antenna-error  Event invalid antenna type on this radio
  radio-antenna-setting  Event antenna type setting on this radio
  radio-state-change  Event radio state change
  resume-home-channel  Event resume home channel
rasst  Enables and configures logging of roaming assist module related events
smrt  Enables and configures logging of the following SMART RF module related events:
  calibration-done  Event calibration done
  calibration-started  Event calibration started
  channel-change  Event channel change
  config-cleared  Event configuration cleared
  cov-hole-recovery  Event coverage hole recovery
  cov-hole-recovery-done  Event coverage hole recovery done
  interference-recovery  Event interference recovery
  neighbor-recovery  Event neighbor recovery
  power-adjustment  Event power adjustment
  root-recovery  Event meshpoint root recovery
smtpnot  Enables and configures logging of the following SMTP module related events:
  cfg  Event cfg
  cfginc  Event cfg inc
  net  Event net
  proto  Event proto
  smtpauth  Event SMTP authentication
  smtperr  Event SMTP error
  smtpinfo  Event SMTP information
system  Enables and configures logging of the following system module related events:
  clock-reset  Event clock reset
  cold-start  Event cold start
  config-commit  Event configuration commit
  config-revision  Event config-revision done
  devup-rfd-fail  Event device-upgrade failed on rf-domain manager managed devices
  guest-user-exp  Event guest user purging
  http-err  Event Web server failed to start
  login  Event user successfully logged in
  login-fail  Event login fail. Occurs when user authentication fails.
  login-fail-access  Event login fail access. Occurs in case of an access violation.
  login-fail-bad-role  Event login fail bad role. Occurs when a user logs on with an invalid role.
  login-lockout  Event user account locked out. Occurs when a user account is locked because the maximum number of failed login attempts threshold was exceeded. Configure this event notification only if the max-fail and lockout-time parameters have been configured in the management-policy context. For more information, see passwd-entry.
  login-unlocked  Event user account unlocked. Occurs when a locked user account is re-activated. Enable this event notification only if the max-fail and lockout-time parameters have been configured in the management-policy context. For more information, see passwd-entry.
  logout  Event user logout
  maat-light  Event action on Research in Motion (RIM) radio(s) from the Maat light module
  panic  Event panic
  periodic-heart-beat  Event periodic heart beat
  procstop  Event proc stop
  server-unreachable  Event server unreachable
  system-autoup-disable  Event system autoup disable
  system-autoup-enable  Event system autoup enable
  t5-config-error  Event t5 config error
  ui-user-auth-fail  Event user authentication fail
  ui-user-auth-success  Event user authentication success
  warm-start  Event warm start
  warm-start-recover  Event recovery from warm start
test  Enables and configures logging of the following test module related events:
  testalert  Event test alert
  testargs  Event test arguments
  testcrit  Event test critical
  testdebug  Event test debug
  testemerg  Event test emergency
  testerr  Event test error
  testinfo  Event test information
  testnotice  Event test notice
  testwarn  Event test warning
vrrp  Enables and configures logging of the following Virtual Router Redundancy Protocol (VRRP) related events:
  vrrp-monitor-change  Event VRRP monitor link state change
  vrrp-state-change  Event VRRP state transition
  vrrp-vip-subnet-mismatch  Event VRRP IP not overlapping with an interface address
webf  Enables and configures logging of the following Web Filtering (webf) module related events:
  malform-url-request  Event malformed URL request
  no-parent-engine  Event no session to URL classification server
  srvr-connect-fail  Event URL classification server unreachable
  url-blocked  Event URL blocked
  webf-lic-acquired  Event webf license acquired
  webf-lic-missing  Event webf license missing
  webf-lic-revoked  Event webf license revoked
wips  Enables and configures logging of the following Wireless IPS module related events:
  air-termination-active  Event air termination active
  air-termination-ended  Event air termination ended
  air-termination-inactive  Event air termination inactive
  air-termination-initiated  Event air termination initiated
  rogue-ap-active  Event rogue AP active
  rogue-ap-inactive  Event rogue AP inactive
  unsanctioned-ap-active  Event unsanctioned AP active
  unsanctioned-ap-inactive  Event unsanctioned AP inactive
  unsanctioned-ap-status-change  Event unsanctioned AP changed state
  wips-client-blacklisted  Event WIPS client blacklisted
  wips-client-rem-blacklist  Event WIPS client removed from blacklist
  wips-event  Event WIPS event triggered
email  Sends e-mail notifications to a pre-configured e-mail ID
forward-to-switch  Forwards the messages to an external server
snmp  Logs an SNMP event
syslog  Logs an event to syslog
default  Performs the default action for the event
off  Switches the event off; when the event happens, no action is performed
on  Switches the event on; when the event happens, the configured action is taken
Example
rfs4000-229D58(config-event-system-policy-event-testpolicy)#event aaa radius-discon-msg email on forward-to-switch default snmp default syslog default
rfs4000-229D58(config-event-system-policy-event-testpolicy)#
rfs4000-229D58(config-event-system-policy-testpolicy)#show context
event-system-policy test
 event aaa radius-discon-msg email on
rfs4000-229D58(config-event-system-policy-testpolicy)#
nx9500-6C8809(config-event-system-policy-test)#event database database-exception syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#event database operation-failed syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#show context include-factory | grep operation-failed
 event database operation-failed syslog default snmp default forward-to-switch default email default
nx9500-6C8809(config-event-system-policy-test)#
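The event/action lines shown by show context lend themselves to a configuration audit. As an added example that is not part of this guide, the following Python parses an event-system-policy as printed by show context and reports security-relevant events (login failures and lockouts, SSH key and HTTPS trustpoint deletion, rogue and unsanctioned APs, WIPS blacklisting) whose syslog action is off or left at the factory default; the sample policy text and the choice of events to check are this example's own.

```python
"""Audit a WiNG event-system-policy (`show context` output) for security-relevant
events whose notification action is switched off or left at the factory default.

Added example, not from the CLI reference. Event types, event names and actions
are the ones documented on this page; the sample policy text is constructed and
the set of events treated as security relevant is this example's own choice.
"""
import re

ACTIONS = ("email", "forward-to-switch", "snmp", "syslog")
STATES = ("default", "on", "off")

# Events from this page that a defender normally wants delivered to a syslog collector.
SECURITY_EVENTS = {
    ("system", "login-fail"), ("system", "login-fail-access"),
    ("system", "login-fail-bad-role"), ("system", "login-lockout"),
    ("mgmt", "log-key-deleted"), ("mgmt", "log-trustpoint-deleted"),
    ("wips", "rogue-ap-active"), ("wips", "unsanctioned-ap-active"),
    ("wips", "wips-client-blacklisted"),
}

# " event <type> <name> [<action> <state>]..." as printed inside a policy block
EVENT_RE = re.compile(r"^\s*event\s+(\S+)\s+(\S+)(.*)$")


def parse_event_policy(text):
    """Return {(event_type, event_name): {action: state}} for every event line."""
    policy = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue            # policy header, prompts, blank lines
        etype, ename, rest = m.group(1), m.group(2), m.group(3).split()
        if len(rest) % 2:
            raise ValueError(f"dangling action token: {line.strip()}")
        actions = {}
        for action, state in zip(rest[0::2], rest[1::2]):
            if action not in ACTIONS or state not in STATES:
                raise ValueError(f"unexpected pair {action!r} {state!r}: {line.strip()}")
            actions[action] = state
        policy[(etype, ename)] = actions
    return policy


def audit(policy, required=SECURITY_EVENTS, via="syslog"):
    """Return (kind, (type, name), detail) findings.

    'disabled': the `via` action is explicitly off.
    'not-configured': the event is absent from `show context`, so `via` inherits
    the factory default, which only `show context include-factory` reveals.
    """
    findings = []
    for key in sorted(required):
        actions = policy.get(key)
        if actions is None:
            findings.append(("not-configured", key,
                             f"{via} inherits factory default; verify with "
                             "show context include-factory"))
        elif actions.get(via) == "off":
            findings.append(("disabled", key, f"{via} explicitly off"))
    return findings


# Constructed sample in the format `show context` prints for this policy type.
SAMPLE = """event-system-policy audit-demo
 event aaa radius-discon-msg email on forward-to-switch default snmp default syslog default
 event system login-fail syslog off snmp default
 event system login-lockout syslog on email on
 event wips rogue-ap-active syslog default
"""

if __name__ == "__main__":
    for kind, (etype, ename), detail in audit(parse_event_policy(SAMPLE)):
        print(f"{kind:15} event {etype} {ename}: {detail}")
```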
Related Commands
no  Resets or disables event monitoring

4.1.46.2.2 no (event-system-policy-mode commands)
Negates an event monitoring configuration
Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no event <EVENT-TYPE> <EVENT-NAME> [email|forward-to-switch|snmp|syslog] [default|on|off]
Parameters
no <PARAMETERS>
no <PARAMETERS>  Removes event monitoring and message forwarding activity based on the parameters passed. The system stops monitoring the network for the occurrence of the specified event, and no notification is sent if the event occurs.
Example
rfs4000-229D58(config-event-system-policy-TestPolicy)#event ap adopted syslog default
rfs4000-229D58(config-event-system-policy-TestPolicy)#no event ap adopted syslog
Related Commands
event  Configures the action taken for each event

4.1.47 ex3500 (Global Configuration Commands)
The following table lists EX3500 time-range configuration mode commands. It also provides links to other EX3500 related configuration modes:
Table 4.26 EX3500-Time-Range-List Config Command
Command  Description  Reference
ex3500  Creates an EX3500 time range list and enters its configuration mode  page 4-227
ex3500-time-range-config-mode commands  Summarizes EX3500 time range list configuration mode commands  page 4-228
ex3500-management-policy  Creates an EX3500 management policy and enters its configuration mode  page 4-233
ex3500-qos-class-map-policy  Creates an EX3500 QoS class map policy and enters its configuration mode  page 4-254
ex3500-qos-policy-map  Creates an EX3500 QoS policy map and enters its configuration mode  page 4-262
ex3524  Adds an EX3524 switch to the network  page 4-277
ex3548  Adds an EX3548 switch to the network  page 4-279

4.1.47.1 ex3500 (ex3500)
Creates an EX3500 time range list and enters its configuration mode.
An EX3500 time range list consists of a set of periodic and absolute time range rules. Periodic time ranges recur at specified periods, such as daily, weekly, on weekends, on weekdays, or on a specific day of the week (for example, every Monday). Absolute time ranges are not periodic and do not recur; they consist of a range of days during a particular period whose start and end days and times are fixed.
The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000BASE-T ports and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity. An EX3500 series switch can be adopted by, and managed through, a WiNG NOC controller.
The EX3500 time range values configured here are used in EX3500 MAC ACL firewall rules that filter an EX3500's incoming and outgoing traffic. For more information on creating EX3500 MAC ACL rules, see ex3500 and access-group.
Supported in the following platforms:
  Service Platforms  NX7500, NX9500
Syntax
ex3500 time-range <TIME-RANGE-NAME>
Parameters
ex3500 time-range <TIME-RANGE-NAME>
ex3500 time-range <TIME-RANGE-NAME>  Configures an EX3500 time range list and enters its configuration mode
  <TIME-RANGE-NAME>  Enter a name for this EX3500 time range. If the time range does not exist, it is created.
Example
nx9500-6C8809(config)#ex3500 time-range EX3500_TimeRange_02
nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#?
EX3500 Time Range Configuration commands:
  absolute  Absolute time and date
  no  Negate a command or set its defaults
  periodic  Periodic time and date
  clrscr  Clears the display screen
  commit  Commit all changes made in this session
  do  Run commands from Exec mode
  end  End current mode and change to EXEC mode
  exit  End current mode and down to previous mode
  help  Description of the interactive help system
  revert  Revert changes
  service  Service Commands
  show  Show running system information
  write  Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-time-range-EX3500_TimeRange_02)#
Related Commands
no  Removes this EX3500 time range list

4.1.47.2 ex3500-time-range-config-mode commands (ex3500)
The following table summarizes EX3500 time-range configuration mode commands:
Table 4.27 EX3500-Time-Range-Mode Commands
Command  Description  Reference
absolute  Configures an absolute time range rule for this EX3500 time range list  page 4-229
periodic  Configures a periodic time range rule for this EX3500 time range list  page 4-230
no  Removes this EX3500 time range list's settings  page 4-232

4.1.47.2.1 absolute (ex3500-time-range-config-mode commands)
Configures an absolute time range rule for this EX3500 time range list.
Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period.
Supported in the following platforms:
  Service Platforms  NX7500, NX9500
Syntax
absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31> <MONTH> <2013-2037>}
Parameters
absolute start <0-23> <0-59> <1-31> <MONTH> <2013-2037> {end <0-23> <0-59> <1-31> <MONTH> <2013-2037>}
absolute  Configures an absolute time range rule's settings
start <0-23> <0-59> <1-31> <MONTH> <2013-2037>  Configures the start day and time settings
  <0-23>  Specify the start hour from 0 - 23.
  <0-59>  Specify the start minute from 0 - 59. For example, if the values provided are 12 hours and 30 minutes, the start time is 12:30 A.M. on the specified day.
  <1-31>  Specify the day of the month from 1 - 31 on which the time range starts.
  <MONTH>  Specify the month. The options are: April, August, December, February, January, July, June, March, May, November, October, September.
  <2013-2037>  Specify the year from 2013 - 2037.
end <0-23> <0-59> <1-31> <MONTH> <2013-2037>  Optional. Configures the end day and time settings
  <0-23>  Specify the end hour from 0 - 23.
  <0-59>  Specify the end minute from 0 - 59.
  <1-31>  Specify the day of the month from 1 - 31 on which the time range ends.
  <MONTH>  Specify the month. The options are: April, August, December, February, January, July, June, March, May, November, October, September.
  <2013-2037>  Specify the year from 2013 - 2037.
Example
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#
Related Commands
no  Removes this absolute time range rule from the EX3500 time range list

4.1.47.2.2 periodic (ex3500-time-range-config-mode commands)
Configures a periodic time range rule for this EX3500 time range list.
Periodic time ranges recur with a configured periodicity, such as daily, weekly, on weekends, on weekdays, or on a specific day of the week (for example, every Sunday).
Supported in the following platforms:
  Service Platforms  NX7500, NX9500
Syntax
periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence <1-7>
Parameters
periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> rule-precedence <1-7>
periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59>  Configures this periodic time range's start day. The options are: daily, Friday, Monday, Saturday, Sunday, Thursday, Tuesday, Wednesday, weekdays, weekend. After specifying the start day, specify the start time in hours (24-hour format) and minutes.
  <0-23>  Specify the start hour from 0 - 23.
  <0-59>  Specify the start minute from 0 - 59. For example, if the values provided are 12 hours and 30 minutes, the start time is 12:30 A.M. on the specified day.
to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend]  Configures this periodic time range's end day. This is the day on which the time range ends. The options available change depending on the start day configured. The options are:
  <0-23> <0-59>  Select this option to end the time range on the same day it starts. Specify the end hour from 0 - 23 and the end minute from 0 - 59.
  daily  Select this option if the time range starts and ends every day at a specified time
  friday  Select this option if the time range ends on Fridays
  monday  Select this option if the time range ends on Mondays
  saturday  Select this option if the time range ends on Saturdays
  sunday  Select this option if the time range ends on Sundays
  thursday  Select this option if the time range ends on Thursdays
  tuesday  Select this option if the time range ends on Tuesdays
  wednesday  Select this option if the time range ends on Wednesdays
  weekdays  Select this option if the time range ends on weekdays
  weekend  Select this option if the time range ends on weekends
  If the time range does not end on the same day, select the end day and then specify the end time; otherwise, just specify the end time. After specifying the end day, specify the end time in hours (24-hour format) and minutes.
<0-23> <0-59>  Configures the end time
  <0-23>  Specify the end hour from 0 - 23.
  <0-59>  Specify the end minute from 0 - 59. For time ranges starting and ending on the same day, ensure that the end time (hours and minutes) is not earlier than the specified start time.
rule-precedence <1-7>  Configures a precedence value for this periodic time range rule. Rules with lower precedence values have higher priority and are applied first.
  <1-7>  Specify a precedence value from 1 - 7.
Example
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#periodic daily 1 10 to daily 23 10 rule-precedence 1
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 periodic daily 1 10 to daily 23 10 rule-precedence 1
 absolute start 1 0 1 june 2017 end 1 0 30 june 2018
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#
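Because a time range gates which EX3500 MAC ACL rules are in force, it is useful to be able to test a rule set offline. As an added example that is not part of this guide, the following Python parses the absolute and periodic rule lines shown by show context and decides whether a timestamp falls inside the time range, honoring rule-precedence. The combination semantics, the week wrap-around handling and the sample rules are this example's assumptions; the guide does not define how the rules combine.

```python
"""Evaluate EX3500 time-range rules (the `absolute ...` and `periodic ...` lines that
`show context` prints) against a timestamp.

Added example, not from the CLI reference. Assumed semantics, since the page does
not define them: the absolute window (if any) AND at least one periodic rule must
cover the instant; the lowest rule-precedence value wins among matching periodic
rules; a single-day to single-day rule may wrap past Sunday night.
"""
from datetime import datetime

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
GROUPS = {"daily": set(range(7)), "weekdays": set(range(5)), "weekend": {5, 6}}
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MIN_PER_DAY = 24 * 60


def _day_set(token):
    return GROUPS[token] if token in GROUPS else {DAYS.index(token)}


def _abs_stamp(tok):
    """'HH MM DD month YYYY' tokens -> datetime, enforcing the page's value ranges."""
    hour, minute, day, year = int(tok[0]), int(tok[1]), int(tok[2]), int(tok[4])
    if not (0 <= hour <= 23 and 0 <= minute <= 59 and 2013 <= year <= 2037):
        raise ValueError(f"value out of range in absolute rule: {' '.join(tok)}")
    return datetime(year, MONTHS.index(tok[3].lower()) + 1, day, hour, minute)


def parse_time_range(text):
    """Return {"absolute": (start, end or None), "periodic": [rule, ...]}."""
    tr = {"absolute": None, "periodic": []}
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] == ["absolute", "start"]:
            start = _abs_stamp(tok[2:7])
            end = _abs_stamp(tok[8:13]) if tok[7:8] == ["end"] else None
            if end is not None and end < start:
                raise ValueError("absolute end precedes start")
            tr["absolute"] = (start, end)
        elif tok[:1] == ["periodic"]:
            # periodic <start-day> HH MM to [<end-day>] HH MM rule-precedence N
            if len(tok) not in (9, 10) or tok[4] != "to" or tok[-2] != "rule-precedence":
                raise ValueError(f"malformed periodic rule: {line.strip()}")
            same_day = len(tok) == 9                       # end carries no day token
            end_hm = tok[5:7] if same_day else tok[6:8]
            rule = {"start_days": _day_set(tok[1]),
                    "start": int(tok[2]) * 60 + int(tok[3]),
                    "end_day": None if same_day else tok[5],
                    "end": int(end_hm[0]) * 60 + int(end_hm[1]),
                    "precedence": int(tok[-1]), "text": line.strip()}
            if not 1 <= rule["precedence"] <= 7:
                raise ValueError("rule-precedence must be 1 - 7")
            if same_day and rule["end"] < rule["start"]:   # constraint stated on the page
                raise ValueError("same-day rule ends before it starts")
            tr["periodic"].append(rule)
    return tr


def _matches(rule, when):
    wd, now = when.weekday(), when.hour * 60 + when.minute
    if rule["end_day"] is None:                            # same-day form
        return wd in rule["start_days"] and rule["start"] <= now <= rule["end"]
    end_days = _day_set(rule["end_day"])
    if rule["start_days"] == end_days == GROUPS["daily"]:
        if rule["start"] <= rule["end"]:
            return rule["start"] <= now <= rule["end"]
        return now >= rule["start"] or now <= rule["end"]  # crosses midnight
    if len(rule["start_days"]) == len(end_days) == 1:
        s = next(iter(rule["start_days"])) * MIN_PER_DAY + rule["start"]
        e = next(iter(end_days)) * MIN_PER_DAY + rule["end"]
        n = wd * MIN_PER_DAY + now
        return s <= n <= e if s <= e else (n >= s or n <= e)  # wraps past Sunday
    raise NotImplementedError(f"group-to-group rule not modelled: {rule['text']}")


def _as_dt(when):
    return datetime.fromisoformat(when) if isinstance(when, str) else when


def active_rule(tr, when):
    """Lowest rule-precedence periodic rule covering `when`, or None."""
    when = _as_dt(when)
    for rule in sorted(tr["periodic"], key=lambda r: r["precedence"]):
        if _matches(rule, when):
            return rule
    return None


def is_active(tr, when):
    """True when `when` lies in the absolute window (if configured) and, if
    periodic rules exist, at least one of them covers it."""
    when = _as_dt(when)
    if tr["absolute"] is not None:
        start, end = tr["absolute"]
        if when < start or (end is not None and when > end):
            return False
    return not tr["periodic"] or active_rule(tr, when) is not None


# Constructed `show context` output using the rule forms documented on this page.
SAMPLE = """ex3500 time-range EX3500-TimeRange-01
 periodic daily 1 10 to daily 23 10 rule-precedence 1
 periodic friday 18 0 to monday 6 0 rule-precedence 2
 absolute start 1 0 1 june 2017 end 1 0 30 june 2018
"""
```

Timestamps may be passed as datetime objects or ISO strings such as "2017-07-08T23:30"; group-to-group rules (for example weekdays to weekend) are deliberately rejected rather than guessed.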
Related Commands
no  Removes this periodic time range rule from the EX3500 time range list

4.1.47.2.3 no (ex3500-time-range-config-mode commands)
Removes this EX3500 time range list's settings
Supported in the following platforms:
  Service Platforms  NX7500, NX9500
Syntax
no [absolute|periodic]
no absolute
no periodic [daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend] <0-23> <0-59> to [<0-23> <0-59>|daily|friday|monday|saturday|sunday|thursday|tuesday|wednesday|weekdays|weekend]
Parameters
no <PARAMETERS>
no <PARAMETERS>  Removes this EX3500 time range list's settings based on the parameters passed
Example
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 periodic daily 1 10 to daily 23 10 rule-precedence 1
 absolute start 1 0 1 june 2015 end 1 0 30 june 2016
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#no periodic daily 1 10 to daily 23 10 rule-precedence 1
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#show context
ex3500 time-range EX3500-TimeRange-01
 absolute start 1 0 1 june 2015 end 1 0 30 june 2016
nx9500-6C8809(config-ex3500-time-range-EX3500-TimeRange-01)#

4.1.48 ex3500-management-policy (Global Configuration Commands)
The following table lists EX3500 management policy configuration mode commands:
Table 4.28 EX3500-Management-Policy Config Command
Command  Description  Reference
ex3500-management-policy  Creates an EX3500 management policy and enters its configuration mode  page 4-234
ex3500-management-policy config commands  Summarizes EX3500 management policy configuration mode commands  page 4-236
ex3500  Creates an EX3500 time range list and enters its configuration mode  page 4-226
ex3500-qos-class-map-policy  Creates an EX3500 QoS class map policy and enters its configuration mode  page 4-254
ex3500-qos-policy-map  Creates an EX3500 QoS policy map and enters its configuration mode  page 4-262
ex3524  Adds an EX3524 switch to the network  page 4-277
ex3548  Adds an EX3548 switch to the network  page 4-279

4.1.48.1 ex3500-management-policy (ex3500-management-policy)
Creates an EX3500 management policy and enters its configuration mode. Once configured and applied on an EX3500 switch, the management policy controls access to the switch from management stations using SNMP. The EX3500 management policy is applied either:
  - individually on an adopted EX3500 series switch (in the device configuration mode), or
  - to an EX3524 and/or EX3548 profile, which is then applied to an adopted EX3500 series switch.
EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000BASE-T ports and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch uses an embedded HTTP Web agent and CLI which, although different from those of the WiNG operating system, provide WiNG controllers with PoE and port management resources.
Going forward, NX9500 and NX7500 WiNG managed series service platforms and WiNG VMs can discover, adopt, and partially manage EX3500 series Ethernet switches without modifying the proprietary operating system running on the EX3500 switches. The WiNG service platforms use standardized WiNG interfaces to push configuration files to the EX3500 switches, and maintain a translation layer, understood by the EX3500 switch, for statistics retrieval. WiNG can partially manage an EX3500 without using DHCP option 193, provided the EX3500 is directly configured with the IPv4 addresses of potential WiNG adopters. To identify the potential WiNG adopter, in the EX3500's device configuration mode specify the adopter's IPv4 address using the controller > host > <IP-ADDRESS> command. WiNG service platforms leave the proprietary operating system running on the EX3500 switches unmodified and partially manage them through standardized WiNG interfaces, using a translation layer to communicate with the EX3500.
Supported in the following platforms:
  Service Platforms  NX7500, NX9500
Syntax
ex3500-management-policy <POLICY-NAME>
Parameters
ex3500-management-policy <POLICY-NAME>
<POLICY-NAME>  Specify the EX3500 management policy name. If the policy does not exist, it is created.
Example
nx9500-6C8809(config)#ex3500-management-policy test
nx9500-6C8809(config-ex3500-management-policy-test)#?
EX3500_Management Mode commands:
  enable  Modifies enable password parameters
  http  Hyper Text Terminal Protocol (HTTP)
  memory  Memory utilization
  no  Negate a command or set its defaults
  process-cpu  Process-cpu utilization
  snmp-server  Enable SNMP server configuration
  ssh  Secure Shell server connections
  username  Login TACACS server port
  clrscr  Clears the display screen
  commit  Commit all changes made in this session
  do  Run commands from Exec mode
  end  End current mode and change to EXEC mode
  exit  End current mode and down to previous mode
  help  Description of the interactive help system
  revert  Revert changes
  service  Service Commands
  show  Show running system information
  write  Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
no  Removes this EX3500 management policy

4.1.48.2 ex3500-management-policy config commands (ex3500-management-policy)
The following table summarizes EX3500 management policy configuration mode commands:
Table 4.29 EX3500-Management-Policy Config Mode Commands
Command  Description  Reference
enable  Configures an executive password for this EX3500 management policy  page 4-237
http  Configures the HTTP server settings used to authenticate HTTP connections to an EX3500 switch  page 4-239
memory  Configures the EX3500's memory utilization rising (upper) and falling (lower) threshold values  page 4-240
process-cpu  Configures the EX3500's CPU (processor) utilization rising (upper) and falling (lower) threshold values  page 4-241
snmp-server  Configures Simple Network Management Protocol (SNMP) server settings. Once configured and applied on an EX3500 switch, the management policy controls access to the switch from management stations using SNMP.  page 4-242
ssh  Configures the SSH server settings used to authenticate Secure Shell (SSH) connections to an EX3500 switch  page 4-249
username  Configures an EX3500 switch user's settings  page 4-251
no  Removes or reverts this EX3500 management policy's settings  page 4-252

4.1.48.2.1 enable (ex3500-management-policy config commands)
Configures an executive password for this EX3500 management policy.
Each EX3500 management policy can have a unique executive password with its own privilege level assigned. Use these passwords where specific EX3500 management sessions require priority over others.
Supported in the following platforms:
  Service Platforms  NX7500, NX9500
Syntax
enable password [0|7|level]
enable password [0|7] <PASSWORD>
enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]
Parameters
enable password [0|7] <PASSWORD>
enable password [0|7] <PASSWORD>  Creates a new executive password for this EX3500 management policy. The password can be in clear text or encrypted.
  0  Configures a clear text password using ASCII characters (1 - 32 characters long)
  7  Configures an encrypted password using HEX characters (32 characters long)
  <PASSWORD>  Specify the password.
enable password level <0-15> [0 <PASSWORD>|7 <PASSWORD>]
enable password level <0-15>  Creates a new executive password for this EX3500 management policy and sets its privilege level
  <0-15>  Specify the privilege level for this executive password from 0 - 15. Lower values have higher priority, which slots and prioritizes executive passwords and EX3500 management sessions.
[0|7] <PASSWORD>  After setting the privilege level, configure the password, which can be in clear text or encrypted
  0  Configures a clear text password using ASCII characters (1 - 32 characters long)
  7  Configures an encrypted password using HEX characters (32 characters long)
  <PASSWORD>  Specify the password.
Example
nx9500-6C8809(config-ex3500-management-policy-test)#enable password level 3 7 12345678901020304050607080929291
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
no  Removes an executive password from this EX3500 management policy

4.1.48.2.2 http (ex3500-management-policy config commands)
Configures the HTTP server settings used to authenticate HTTP connections to an EX3500 switch.
Management access to an EX3500 switch can be enabled or disabled as required using separate interfaces and protocols (HTTP, SSH). Disabling unused and insecure interfaces and unused management services can dramatically reduce the attack footprint and free resources within an EX3500 management policy.
Supported in the following platforms:
  Service Platforms  NX7500, NX9500
Syntax
http [port <1-65535>|secure-port <1-65535>|secure-server|server]
Parameters
http [port <1-65535>|secure-port <1-65535>|secure-server|server]
http  Configures the following HTTP settings: port, secure-port, secure-server, and server
port <1-65535>  Configures the HTTP port number. This is the port used to connect to the HTTP server.
  <1-65535>  Specify a value from 1 - 65535. The default port is 80.
secure-port <1-65535>  Enables secure HTTP connections over a designated secure port. Ensure that the HTTP secure server is enabled before specifying the secure-server port.
  <1-65535>  Specify the secure HTTP server port from 1 - 65535. The default port is 443.
secure-server  Enables the HTTP secure server. This option is disabled by default.
server  Enables the HTTP server. This option is enabled by default. Consequently, HTTP management access is allowed by default.
Example
nx9500-6C8809(config-ex3500-management-policy-test)#http secure-server
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
no  Reverts to the default HTTP server settings (HTTP server enabled, HTTP port 80)

4.1.48.2.3 memory (ex3500-management-policy config commands)
Configures the EX3500's memory utilization rising (upper) and falling (lower) threshold values. Once configured, the system sends a notification when the memory utilization exceeds the specified rising limit or falls below the specified falling limit.
By customizing an EX3500's upper and lower memory and CPU utilization thresholds, you can avoid over-utilization of the EX3500's processor capacity when sharing network resources with an NX series service platform or a WiNG VM.
Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
memory [falling-threshold|rising-threshold] <1-100>

Parameters
memory [falling-threshold|rising-threshold] <1-100>

  memory
      Configures the EX3500's memory utilization rising and falling threshold values. The system generates a notification when either of these limits is exceeded.
  falling-threshold <1-100>
      Configures the falling threshold for the EX3500's memory utilization.
      <1-100> Specify the falling threshold as a percentage from 1 - 100. The default is 70%.
  rising-threshold <1-100>
      Configures the rising threshold for the EX3500's memory utilization.
      <1-100> Specify the rising threshold as a percentage from 1 - 100. The default is 90%.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#memory falling-threshold 50
nx9500-6C8809(config-ex3500-management-policy-test)#memory rising-threshold 95
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
 memory falling-threshold 50
 memory rising-threshold 95
nx9500-6C8809(config-ex3500-management-policy-test)#

Related Commands
  no    Reverts the memory utilization's falling-threshold and/or rising-threshold to 70% and 90% respectively

4.1.48.2.4 process-cpu
ex3500-management-policy config commands

Configures the EX3500's CPU (processor) utilization rising (upper) and falling (lower) threshold values. Once configured, the system sends a notification when the CPU utilization exceeds the specified rising limit or falls below the specified falling limit. By customizing an EX3500's memory and CPU utilization upper and lower thresholds, you can avoid over-utilization of the EX3500's processor capacity when sharing network resources with an NX series service platform or a WiNG VM.

Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
process-cpu [falling-threshold|rising-threshold] <1-100>

Parameters
process-cpu [falling-threshold|rising-threshold] <1-100>

  process-cpu
      Configures the EX3500's CPU utilization rising and falling threshold values. The system generates a notification when either of these limits is exceeded.
  falling-threshold <1-100>
      Configures the falling threshold for the EX3500's CPU utilization.
      <1-100> Specify the falling threshold as a percentage from 1 - 100. The default is 70%.
  rising-threshold <1-100>
      Configures the rising threshold for the EX3500's CPU utilization.
      <1-100> Specify the rising threshold as a percentage from 1 - 100. The default is 90%.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu falling-threshold 60
nx9500-6C8809(config-ex3500-management-policy-test)#process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server notify-filter 1 remote 127.0.0.1
 memory falling-threshold 50
 memory rising-threshold 95
 process-cpu falling-threshold 60
 process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#
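Both memory and process-cpu take a rising and a falling threshold rather than a single limit. The Python block below is an added illustration, not code from this guide or from WiNG, of how such a pair behaves on a series of utilization samples. It assumes the usual RMON-style reading, which the guide does not spell out: a rising notification fires when utilization exceeds the rising threshold and is re-armed only after utilization drops below the falling threshold, which itself fires the falling notification. The sample values are constructed; the thresholds are the guide's defaults of 90% and 70%.

```python
"""Rising/falling utilization thresholds with hysteresis (added example)."""
from typing import List, Tuple

Event = Tuple[int, str]  # (sample index, "rising" or "falling")

# Constructed utilization samples in percent, paired with the guide's default thresholds
SAMPLES: List[int] = [40, 60, 92, 96, 85, 75, 65, 45, 93]
RISING_DEFAULT, FALLING_DEFAULT = 90, 70


def threshold_events(samples: List[int], rising: int, falling: int) -> List[Event]:
    """Notifications under the assumed hysteresis semantics.

    A rising event fires when a sample exceeds `rising`; the rising side then
    stays silent until a sample falls below `falling`, which fires a falling
    event and re-arms it. Utilization is assumed to start in the normal band.
    """
    if not (1 <= falling < rising <= 100):
        raise ValueError("need 1 <= falling-threshold < rising-threshold <= 100")
    rising_armed = True
    events: List[Event] = []
    for i, util in enumerate(samples):
        if not 0 <= util <= 100:
            raise ValueError(f"sample {i}: {util} is not a percentage")
        if rising_armed and util > rising:
            events.append((i, "rising"))
            rising_armed = False
        elif not rising_armed and util < falling:
            events.append((i, "falling"))
            rising_armed = True
    return events


def single_limit_events(samples: List[int], rising: int, falling: int) -> List[Event]:
    """Contrast case: a stateless check reports every sample outside the band."""
    return [(i, "rising" if u > rising else "falling")
            for i, u in enumerate(samples) if u > rising or u < falling]


if __name__ == "__main__":
    print(threshold_events(SAMPLES, RISING_DEFAULT, FALLING_DEFAULT))
    print(len(single_limit_events(SAMPLES, RISING_DEFAULT, FALLING_DEFAULT)),
          "notifications without hysteresis")
```

On the constructed series the hysteresis model produces three notifications (rising at sample 2, falling at sample 6, rising at sample 8) where a single-limit check would produce seven, which is the flapping the two-threshold design is meant to suppress.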
Related Commands
  no    Reverts the CPU utilization's falling-threshold and/or rising-threshold to 70% and 90% respectively

4.1.48.2.5 snmp-server
ex3500-management-policy config commands

Configures Simple Network Management Protocol (SNMP) server settings. Once configured and applied on an EX3500 switch, the management policy controls access to the switch from management stations using SNMP.

SNMP is an application layer protocol that facilitates the exchange of management information between the management stations and a managed EX3500 switch. SNMP-enabled devices listen on port 162 (by default) for SNMP packets from the management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string is used to gather statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system's performance and other parameters.

Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
snmp-server {community|contact|enable|engine-id|group|host|location|notify-filter|user|view}
snmp-server {community <STRING> {ro|rw}}
snmp-server {contact <NAME>}
snmp-server {enable traps {authentication|link-up-down}}
snmp-server {engine-id [local <WORD>|remote <IP> <WORD>]}
snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]] {notify <WORD>|read <WORD>|write <WORD>}}
snmp-server {host <IP> [<STRING>|inform]}
snmp-server {host <IP> <STRING> version [v1|v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}
snmp-server {host <IP> inform [retry <0-255>|timeout <0-2147483647>] <STRING> version [v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}
snmp-server {location <WORD>}
snmp-server {notify-filter <WORD> remote <IP>}
snmp-server {user <USER-NAME> <GROUP-NAME> [remote-host|v1|v2c|v3]}
snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3 [auth|encrypted auth] [md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}}
snmp-server {user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]}
snmp-server {view <VIEW-NAME> <OID-TREE-STRING> [excluded|included]}
Parameters
snmp-server {community <STRING> {ro|rw}}

  snmp-server
      Configures SNMP-server related settings.
  community <STRING> {ro|rw}
      Optional. Configures an SNMP community access string used to authorize management access by clients using SNMP v1, v2c, or v3.
      <STRING> Specify the SNMP community access string (should not exceed 32 characters). After specifying the string, optionally specify the access type associated with it.
      ro  Optional. Provides read-only access with this SNMP community string. Allows authorized clients to only retrieve Management Information Base (MIB) objects. This is the default setting.
      rw  Optional. Provides read-write access with this SNMP community string. Allows authorized clients to retrieve as well as modify MIB objects.
      You can configure a maximum of five (5) community strings per EX3500 management policy.

snmp-server {contact <NAME>}
  snmp-server
      Configures SNMP-server related settings.
  contact <NAME>
      Optional. Configures the system's contact information.
      <NAME> Specify the contact person's name (should not exceed 255 characters).

snmp-server {enable traps {authentication|link-up-down}}

  snmp-server
      Configures SNMP-server related settings.
  enable traps {authentication|link-up-down}
      Optional. Enables the EX3500 switch to send the following SNMP traps or notifications:
      authentication  Optional. Enables the SNMP authentication trap. This option is disabled by default.
      link-up-down    Optional. Enables the SNMP link up and link down traps. This option is disabled by default.
      If the command is executed without either of the above trap options, the system enables both authentication and link-up-down traps. If enabling SNMP traps, use the snmp-server > host command to specify the host(s) receiving the SNMP notifications.

snmp-server {engine-id [local <WORD>|remote <IP> <WORD>]}
  snmp-server
      Configures SNMP-server related settings.
  engine-id
      Optional. Configures an identification string for the SNMPv3 engine. The SNMP engine is an independent SNMP agent residing either on the logged switch or on a remote device. It prevents message replay, delay, and redirection. In SNMPv3, the engine ID in combination with user passwords generates the security keys that are used for SNMPv3 packet authentication and encryption.
  local <WORD>
      Configures the SNMP engine on the logged switch.
      <WORD> Specify the hexadecimal engine ID string identifying the SNMP engine (should be 9 - 64 characters in length).
  remote <IP> <WORD>
      Configures a remote device as the SNMP engine.
      <IP> Specify the remote device's IP address.
      <WORD> Specify the hexadecimal engine ID string identifying the SNMP engine (should be 9 - 64 characters in length).
      Configure the remote engine ID when using SNMPv3 informs. The remote ID configured here is used to generate the security digest for authentication and encryption of packets exchanged between the switch and the remote host user. SNMP passwords are localized using the engine ID of the authoritative agent. For informs, the authoritative SNMP agent is the remote agent. You therefore need to configure the remote agent's SNMP engine ID before you can send proxy requests or informs to it.

snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]] {notify <WORD>|read <WORD>|write <WORD>}}
  snmp-server
      Configures SNMP-server related settings.
  group <GROUP-NAME>
      Optional. Configures an SNMP user group, mapping SNMP users to SNMP views.
      <GROUP-NAME> Specify the SNMP group name (should not exceed 32 characters).
  [v1|v2c|v3 [auth|noauth|priv]]
      Configures the SNMP version used for authentication by this user group.
      v1   Configures the SNMP version as v1.
      v2c  Configures the SNMP version as v2c.
      v3   Configures the SNMP version as v3. If using SNMP v3, specify the authentication and encryption levels.
           auth    Uses SNMP v3 with authentication and no privacy
           noauth  Uses SNMP v3 with no authentication and no privacy
           priv    Uses SNMP v3 with authentication and privacy
  notify <WORD>
      Optional. Configures the notification view string.
      <WORD> Specify the string (should not exceed 32 characters).
  read <WORD>
      Optional. Configures the read view string.
      <WORD> Specify the string (should not exceed 32 characters).
  write <WORD>
      Optional. Configures the write view string.
      <WORD> Specify the string (should not exceed 32 characters).

snmp-server {host <IP> <STRING> version [v1|v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}
  snmp-server
      Configures SNMP-server related settings.
  host <IP>
      Optional. Configures the host(s) receiving the SNMP notifications. At least one SNMP server host should be configured in order to configure the switch to send notifications.
      <IP> Specify the SNMP host's IP address.
      You can configure a maximum of five (5) SNMP trap recipients per EX3500 management policy. Ensure that SNMP trap notification is enabled.
  <STRING>
      Configures the SNMP community string. You can configure the SNMP community string here, or else use the string configured using the snmp-server > community <STRING> > {ro|rw} command. It is recommended that you configure the SNMP community string prior to configuring the SNMP host.
      <STRING> Specify the community string. The string configured here is sent in the SNMP traps to the SNMPv1 or SNMPv2c hosts.
  version [v1|v2c|v3 [auth|noauth|priv]]
      Configures the SNMP version used.
      v1   Configures the SNMP version as 1. This is the default setting.
      v2c  Configures the SNMP version as 2c.
      v3   Configures the SNMP version as 3. If using SNMPv3, specify the authentication and encryption levels.
           auth    Uses SNMP v3 with authentication and no privacy
           noauth  Uses SNMP v3 with no authentication and no privacy
           priv    Uses SNMP v3 with authentication and privacy
  udp-port <1-65535>
      Optional. After specifying the SNMP version, optionally specify the host UDP port.
      <1-65535> Specify the UDP port. The default is 162.

snmp-server {host <IP> inform [retry <0-255>|timeout <0-2147483647>] <STRING> version [v2c|v3 [auth|noauth|priv]] {udp-port <1-65535>}}
  snmp-server
      Configures SNMP-server related settings.
  host <IP>
      Optional. Configures the host(s) receiving the SNMP notifications.
      <IP> Specify the SNMP host's IP address.
      You can configure a maximum of five (5) SNMP trap recipients per EX3500 management policy. Ensure that SNMP trap notification is enabled.
  inform [retry <0-255>|timeout <0-2147483647>]
      Enables sending of SNMP notifications as inform messages, and configures inform message settings.
      retry <0-255>  Configures the maximum number of attempts made to re-send an inform message in case the specified SNMP host does not acknowledge receipt.
                     <0-255> Specify a value from 0 - 255. The default is 3.
      timeout <0-2147483647>  Configures the interval, in seconds, to wait for an acknowledgment from the SNMP host before re-sending an inform message.
                     <0-2147483647> Specify a value from 0 - 2147483647 seconds. The default is 1500 seconds.
      Inform messages are more reliable than trap messages since they include a request for acknowledgement of receipt. Using inform messages to communicate critical information is good practice. However, since inform messages are retained in memory until a response is received, they consume more memory and may also cause traffic congestion. Take these facts into consideration when configuring the notification format.
  <STRING>
      Configures the SNMP community string. You can configure the SNMP community string here, or else use the string configured using the snmp-server > community <STRING> > {ro|rw} command. It is recommended that you configure the SNMP community string prior to configuring the SNMP host.
      <STRING> Specify the community string. The string configured here is sent in the SNMP inform messages to the SNMPv2c or SNMPv3 hosts.
  version [v2c|v3 [auth|noauth|priv]]
      Configures the SNMP version used.
      v2c  Configures the SNMP version as v2c.
      v3   Configures the SNMP version as v3. If using SNMP v3, specify the authentication and encryption levels.
           auth    Uses SNMP v3 with authentication and no privacy
           noauth  Uses SNMP v3 with no authentication and no privacy
           priv    Uses SNMP v3 with authentication and privacy
      SNMP inform messages are not supported on SNMP v1.
  udp-port <1-65535>
      Optional. After specifying the SNMP version, optionally specify the host UDP port.
      <1-65535> Specify the UDP port. The default is 162.

snmp-server {location <WORD>}
  snmp-server
      Configures SNMP-server related settings.
  location <WORD>
      Optional. Configures the EX3500's location string.
      <WORD> Specify the location (should not exceed 255 characters).

snmp-server {notify-filter <WORD> remote <IP>}

  snmp-server
      Configures SNMP-server related settings.
  notify-filter <WORD>
      Optional. Modifies the SNMP server's notify filter.
      <WORD> Specify the SNMP notify-filter name.
  remote <IP>
      Optional. Configures the remote host's IP address.
      <IP> Specify the IP address in the A.B.C.D format.

snmp-server {user <USER-NAME> <GROUP-NAME> remote <IP> v3 {auth|encrypted auth} [md5|sha] <WORD> {priv [3des|aes128|aes192|aes256|des56] <WORD>}}
  snmp-server
      Configures SNMP-server related settings.
  user <USER-NAME> <GROUP-NAME>
      Optional. Configures the name of the SNMP user (connecting to the SNMP agent) and adds the user to an existing SNMP group. It also specifies the SNMP version type used. In case of SNMP version 3, this command also configures the remote host's IP address and the authentication type used.
      <USER-NAME> Specify the user's name (should not exceed 32 characters).
      <GROUP-NAME> Specify the SNMP group name to which this user is assigned.
  remote <IP> v3
      Configures the remote host on which the SNMPv3 engine is running.
      <IP> Specify the remote host's IP address. This option is available only for the SNMPv3 engine. After configuring the remote host, optionally configure the authentication type and the corresponding authentication password used.
  {auth|encrypted auth}
      Optional. Configures authentication and encryption settings.
      auth       Specifies the authentication type used and configures the authentication password.
      encrypted  Enables encryption. When enabled, all communications between the user and the SNMP engine are encrypted. After enabling encryption, specify the authentication type and configure the authentication password.
  [md5|sha] <WORD>
      The following parameters are common to the auth and encrypted keywords:
      md5  Uses MD5 to authenticate the user
      sha  Uses SHA to authenticate the user
      The following parameter is common to the md5 and sha keywords:
      <WORD> Specify the authentication password. If the encrypted option is not being used, enter an 8 - 40 character ASCII password. In case of an encrypted password, enter a 32-character HEX password.
  priv [3des|aes128|aes192|aes256|des56] <WORD>
      Optional. Uses SNMPv3 with privacy. Select one of the privacy options: 3des, aes128, aes192, aes256, des56.
      <WORD> Configures the privacy password. If the encrypted option is not being used, enter an 8 - 40 character ASCII password. The encrypted password should be 32 HEX characters.

snmp-server {user <USER-NAME> <GROUP-NAME> [v1|v2c|v3]}
  snmp-server
      Configures SNMP-server related settings.
  user <USER-NAME> <GROUP-NAME>
      Optional. Configures the name of the SNMP user (connecting to the SNMP agent) and adds the user to an existing SNMP group. It also specifies the SNMP version type used. In case of SNMPv3, this command also configures the authentication type used and enables encryption.
      <USER-NAME> Specify the user's name (should not exceed 32 characters).
      <GROUP-NAME> Specify the SNMP group name to which this user is assigned.
  [v1|v2c|v3]
      After specifying the group name, specify the SNMP version used. The options are SNMP version v1, SNMP version 2c, and SNMP version 3. If using SNMP version 3, optionally specify the authentication type and the corresponding authentication password used. See the previous table for SNMPv3 authentication and encryption configuration details.

snmp-server {view <VIEW-NAME> <OID-TREE-STRING> [excluded|included]}
  snmp-server
      Configures SNMP-server related settings.
  view <VIEW-NAME>
      Optional. Creates an SNMP view. SNMP views are used to control user access to the MIB.
      <VIEW-NAME> Provide a name for this SNMP view (should not exceed 32 characters).
  <OID-TREE-STRING> [excluded|included]
      Configures the object identifier (OID) of a branch within the MIB tree.
      excluded  Specifies an excluded view
      included  Specifies an included view

Example
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server enable traps
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server host 1.2.3.4 inform retry 2 test version 3 auth udp-port 180
nx9500-6C8809(config-ex3500-management-policy-test)#snmp-server engine-id local 1234567890
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server enable traps authentication
 snmp-server notify-filter 3 remote 1.2.3.4
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server notify-filter 2 remote 192.168.13.10
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server engine-id local 1234567890
 memory falling-threshold 50
 memory rising-threshold 95
 process-cpu falling-threshold 60
 process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#
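The engine-id parameter above notes that SNMPv3 security keys are derived from the user password together with the engine ID of the authoritative agent, which is why the remote engine ID has to be configured before informs sent to that agent can be authenticated. The Python block below is an added illustration, not code from this guide or from WiNG, that works that derivation through with the standard RFC 3414 password-to-key algorithm: the password is repeated to fill 1,048,576 bytes and hashed to give Ku, and Ku is then localized to one engine as H(Ku || snmpEngineID || Ku). The mapping of the CLI keywords md5 and sha to MD5 and SHA-1 is assumed; whether the EX3500 stores its 32-character encrypted form in exactly this way is not stated in the guide and is not claimed here. The engine ID 1234567890 is the one from the example above; the second engine ID and the maplesyrup password are the test vector from RFC 3414 Appendix A.3.

```python
"""RFC 3414 password-to-key derivation and snmpEngineID localization.

Added example: shows why an SNMPv3 key is tied to one engine ID.
"""
import hashlib

EXPANSION_LENGTH = 1_048_576  # RFC 3414 A.2: length of the repeated-password stream hashed for Ku

# CLI authentication keywords mapped to hashlib algorithm names (assumed mapping)
AUTH_ALGOS = {"md5": "md5", "sha": "sha1"}


def password_to_ku(password: bytes, auth: str) -> bytes:
    """Return Ku, the engine-independent key derived from the password."""
    if not password:
        raise ValueError("password must not be empty")
    algo = AUTH_ALGOS[auth]
    stream = (password * (EXPANSION_LENGTH // len(password) + 1))[:EXPANSION_LENGTH]
    return hashlib.new(algo, stream).digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """Return Kul = H(Ku || snmpEngineID || Ku), usable only with that engine."""
    if not 5 <= len(engine_id) <= 32:  # SnmpEngineID octet length per RFC 3411
        raise ValueError("snmpEngineID must be 5 to 32 octets")
    return hashlib.new(AUTH_ALGOS[auth], ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, auth: str) -> str:
    """Derive the localized key from a CLI-style hexadecimal engine ID string."""
    engine_id = bytes.fromhex(engine_id_hex)
    ku = password_to_ku(password.encode("utf-8"), auth)
    return localize_key(ku, engine_id, auth).hex()


if __name__ == "__main__":
    # The same password localizes to different keys on the local engine
    # (engine-id local 1234567890, from the example above) and on a remote
    # engine (RFC 3414 test ID 000000000000000000000002), so the remote
    # engine ID must be known before informs sent to it can be authenticated.
    for eid in ("1234567890", "000000000000000000000002"):
        print(eid, localized_key_hex("maplesyrup", eid, "sha"))
```

With the RFC 3414 inputs (password maplesyrup, engine ID 000000000000000000000002) the MD5 path yields Ku 9faf3283884e92834ebc9847d8edd963 and Kul 526f5eed9fcce26f8964c2930787d82b, the published vectors, and changing only the engine ID changes Kul entirely.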
Related Commands
  no    Removes SNMP server related settings or reverts them to default

4.1.48.2.6 ssh
ex3500-management-policy config commands

Configures the SSH server settings used to authenticate Secure Shell (SSH) connections to an EX3500 switch.

Management access to an EX3500 switch can be enabled/disabled as required using separate interfaces and protocols (HTTP, SSH). Disabling unused and insecure interfaces and unused management services can dramatically reduce the attack footprint and free resources within an EX3500 management policy.

Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-120>]

Parameters
ssh [authentication-retries <1-5>|server|server-key size <512-1024>|timeout <1-120>]

  ssh
      Enables SSH management access to an EX3500 switch. This option is disabled by default. Use this command to configure SSH access settings.
  authentication-retries <1-5>
      Configures the maximum number of retries made to connect to the SSH server resource.
      <1-5> Specify a value from 1 - 5. The default setting is 3.
  server
      Enables the SSH server connection.
  server-key size <512-1024>
      Configures the SSH server key size.
      <512-1024> Specify the SSH server key size from 512 - 1,024. The default length is 768.
  timeout <1-120>
      Configures the SSH server resource inactivity timeout value in seconds. When the specified time is exceeded, the SSH server resource becomes unreachable and must be re-authenticated.
      <1-120> Specify a value from 1 - 120 seconds. The default is 120 seconds.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#ssh authentication-retries 4
nx9500-6C8809(config-ex3500-management-policy-test)#ssh timeout 90
nx9500-6C8809(config-ex3500-management-policy-test)#ssh server-key size 600
nx9500-6C8809(config-ex3500-management-policy-test)#ssh server
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 snmp-server enable traps authentication
--More--
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
  no    Disables SSH management access to an EX3500 switch

4.1.48.2.7 username
ex3500-management-policy config commands

Configures an EX3500 switch user's settings.

The EX3500 switch user details are stored in a local database on the NX9500, NX7500, or WiNG VM. You can configure multiple users, each having a unique name, access level, and password.

Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]

Parameters
username <USER-NAME> [access-level <0-15>|nopassword|password [0|7] <PASSWORD>]

  username <USER-NAME>
      Configures an EX3500 switch user's settings.
      <USER-NAME> Specify the user name (should not exceed 32 characters).
  access-level <0-15>
      Configures the access level for this user. This value determines the access priority of each user requesting access and interoperability with the EX3500 switch.
      <0-15> Specify the access level from 0 - 15. The default is 0.
  nopassword
      Allows the user to log in without a password.
  password [0|7] <PASSWORD>
      Configures the password for this user.
      0  Configures a plain text password
      7  Configures an encrypted password (should be 32 characters in length)
      <PASSWORD> Specify the password.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#username user1 access-level 5
nx9500-6C8809(config-ex3500-management-policy-test)#username user1 password 0 user1@1234
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 snmp-server enable traps authentication
 snmp-server notify-filter 3 remote 1.2.3.4
 snmp-server notify-filter 1 remote 127.0.0.1
--More--
nx9500-6C8809(config-ex3500-management-policy-test)#
Related Commands
  no    Removes this EX3500 switch user's settings

4.1.48.2.8 no
ex3500-management-policy config commands

Removes or reverts this EX3500 management policy's settings.

Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
no [enable|http|memory|process-cpu|snmp-server|ssh|username]
no enable password {level <0-15>}
no http [port|secure-port|secure-server|server]
no memory [falling-threshold|rising-threshold]
no process-cpu [falling-threshold|rising-threshold]
no snmp-server {community|contact|enable|engine-id|group|host|location|notify-filter|user|view}
no snmp-server {community <STRING>}
no snmp-server {contact}
no snmp-server {enable traps {authentication|link-up-down}}
no snmp-server {engine-id [local|remote <IP>]}
no snmp-server {group <GROUP-NAME> [v1|v2c|v3 [auth|noauth|priv]]}
no snmp-server {host <IP>}
no snmp-server {location}
no snmp-server {notify-filter <WORD> remote <IP>}
no snmp-server {user <USER-NAME> [v1|v2c|v3]}
no snmp-server {user <USER-NAME> <GROUP-NAME> remote-host <IP> v3}
no snmp-server {view <VIEW-NAME> {<OID-TREE-STRING>}}
no ssh [authentication-retries|server|server-key size <512-1024>|timeout]
no username

Parameters
no <PARAMETERS>

  no <PARAMETERS>
      Removes this EX3500 management policy's settings based on the parameters passed.

Example
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 snmp-server enable traps authentication
 snmp-server notify-filter 3 remote 1.2.3.4
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server notify-filter 2 remote 192.168.13.10
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server engine-id local 1234567890
 memory falling-threshold 50
 memory rising-threshold 95
 process-cpu falling-threshold 60
 process-cpu rising-threshold 80
nx9500-6C8809(config-ex3500-management-policy-test)#
nx9500-6C8809(config-ex3500-management-policy-test)#no http secure-server
nx9500-6C8809(config-ex3500-management-policy-test)#no memory falling-threshold
nx9500-6C8809(config-ex3500-management-policy-test)#no process-cpu rising-threshold
nx9500-6C8809(config-ex3500-management-policy-test)#no snmp-server notify-filter 3 remote 1.2.3.4
nx9500-6C8809(config-ex3500-management-policy-test)#show context
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 snmp-server enable traps authentication
 snmp-server notify-filter 1 remote 127.0.0.1
 snmp-server notify-filter 2 remote 192.168.13.10
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server engine-id local 1234567890
 memory rising-threshold 95
 process-cpu falling-threshold 60
nx9500-6C8809(config-ex3500-management-policy-test)#
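Several of the management policy commands above carry a default or an option that widens management exposure: the HTTP server is enabled by default, SNMPv1 and v2c hosts receive a community string, the SNMPv3 noauth and auth levels omit authentication or privacy, a user can be given nopassword or a type 0 plain text password, and ssh server-key size is capped at 1,024 bits. The Python script below is an added example, not code from this guide or from WiNG, that reads a show context dump of an ex3500-management-policy and reports those settings. The sample is the show context output shown in this section plus one assumed line, username guest nopassword, added for illustration; the line layout of show context is assumed from the examples, so run the script against your own captured output.

```python
"""Audit an ex3500-management-policy 'show context' dump for weak management
settings. Added example: the checks reflect the defaults and ranges stated in
this guide; the 'show context' line format is assumed from its examples."""
import re
from typing import Dict, List

# Constructed sample: the 'show context' output from this section, plus one
# assumed 'username guest nopassword' line that is not in the guide.
SAMPLE_CONTEXT = """\
ex3500-management-policy test
 ssh server
 ssh authentication-retries 4
 ssh timeout 90
 ssh server-key size 600
 http secure-server
 enable password level 3 7 12345678901020304050607080929291
 username user1 access-level 5
 username user1 password 7 5c4786c1e52f913d38168ce89154a079
 username guest nopassword
 snmp-server enable traps authentication
 snmp-server host 1.2.3.4 inform timeout 1500 retry 2 test version 3 auth udp-port 180
 snmp-server host 192.168.13.10 snmpteststring version 1 udp-port 170
 snmp-server engine-id local 1234567890
 memory falling-threshold 50
 memory rising-threshold 95
 process-cpu falling-threshold 60
 process-cpu rising-threshold 80
"""

SSH_MAX_KEY_SIZE = 1024  # upper bound of 'ssh server-key size' per this guide


def _thresholds(lines: List[str]) -> Dict[str, Dict[str, int]]:
    """Collect memory/process-cpu thresholds, starting from the guide's 70/90 defaults."""
    seen = {"memory": {"falling": 70, "rising": 90},
            "process-cpu": {"falling": 70, "rising": 90}}
    for ln in lines:
        m = re.match(r"(memory|process-cpu) (falling|rising)-threshold (\d+)$", ln)
        if m:
            seen[m.group(1)][m.group(2)] = int(m.group(3))
    return seen


def audit_policy(context: str) -> List[str]:
    """Return one finding string per weak or inconsistent management setting."""
    lines = [ln.strip() for ln in context.splitlines() if ln.strip()]
    findings: List[str] = []

    # The HTTP server is enabled by default, so only an explicit 'no http server' disables it.
    if "no http server" not in lines:
        findings.append("http: plain HTTP management is enabled (default); "
                        "disable it with 'no http server' once 'http secure-server' is on")
    if "http secure-server" not in lines:
        findings.append("http: HTTPS management is not enabled; add 'http secure-server'")

    for ln in lines:
        m = re.match(r"snmp-server host (\S+) .*\bversion (v?\w+)(?: (auth|noauth|priv))?", ln)
        if m:
            ip, ver, level = m.group(1), m.group(2).lstrip("v"), m.group(3)
            if ver in ("1", "2c"):
                findings.append(f"snmp host {ip}: SNMP v{ver} carries the community string "
                                "in cleartext; use version 3 with priv")
            elif level == "noauth":
                findings.append(f"snmp host {ip}: SNMPv3 noauth gives neither authentication nor encryption")
            elif level == "auth":
                findings.append(f"snmp host {ip}: SNMPv3 auth authenticates but does not encrypt; consider priv")
            continue
        m = re.match(r"snmp-server community (\S+) rw$", ln)
        if m:
            findings.append(f"snmp community '{m.group(1)}': read-write string allows MIB modification")
            continue
        m = re.match(r"username (\S+) nopassword$", ln)
        if m:
            findings.append(f"user {m.group(1)}: login permitted without a password")
            continue
        m = re.match(r"username (\S+) password 0 ", ln)
        if m:
            findings.append(f"user {m.group(1)}: password given in plain text (type 0)")
            continue
        m = re.match(r"ssh server-key size (\d+)$", ln)
        if m and int(m.group(1)) < SSH_MAX_KEY_SIZE:
            findings.append(f"ssh: server key size {m.group(1)} is below the "
                            f"{SSH_MAX_KEY_SIZE}-bit maximum this policy allows")

    for resource, th in _thresholds(lines).items():
        if th["falling"] >= th["rising"]:
            findings.append(f"{resource}: falling-threshold {th['falling']} must be below "
                            f"rising-threshold {th['rising']}")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_CONTEXT):
        print("-", finding)
```

On the sample the script reports five findings: the default plain HTTP server, the v1 trap host, the v3 auth-only inform host, the passwordless user and the 600-bit SSH key; the thresholds pass because each falling value is below its rising value.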
4.1.49 ex3500-qos-class-map-policy
Global Configuration Commands

The following table lists EX3500 QoS class map policy configuration mode commands:

Table 4.30 EX3500-QoS-Class-Map Config Command

Command                                      Description                                                               Reference
ex3500-qos-class-map-policy                  Creates an EX3500 QoS class map policy and enters its configuration mode  page 4-255
ex3500-qos-class-map-policy config commands  Summarizes EX3500 QoS class map policy configuration mode commands        page 4-256
ex3500-qos-policy-map                        Creates an EX3500 QoS policy map and enters its configuration mode        page 4-262
ex3500                                       Creates an EX3500 time range list and enters its configuration mode       page 4-226
ex3500-management-policy                     Creates an EX3500 management policy and enters its configuration mode     page 4-233
ex3524                                       Adds a EX3524 switch to the network                                       page 4-277
ex3548                                       Adds a EX3548 switch to the network                                       page 4-279

4.1.49.1 ex3500-qos-class-map-policy
ex3500-qos-class-map-policy

Creates an EX3500 Quality of Service (QoS) class map policy and enters its configuration mode.

A QoS class map policy contains a set of Differentiated Services (DiffServ) classification criteria that are used to classify incoming traffic into different categories and provide differentiated service based on this classification. Each policy defines a set of match criteria rules that use objects such as access lists, IP precedence or DSCP values, and VLANs. When configured and applied, the policy classifies traffic based on layer 2, layer 3, or layer 4 information contained in each incoming packet.

Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
ex3500-qos-class-map-policy <POLICY-NAME>

Parameters
ex3500-qos-class-map-policy <POLICY-NAME>

  <POLICY-NAME>
      Specify the EX3500 QoS class map policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#ex3500-qos-class-map-policy dscp
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#?
EX3500_Qos_class_map Mode commands:
  description  Class-map description
  match        Defines the match criteria to classify traffic
  no           Negate a command or set its defaults
  rename       Redefines the name of class-map

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Related Commands
  no    Removes an existing EX3500 QoS class map policy

4.1.49.2 ex3500-qos-class-map-policy config commands
ex3500-qos-class-map-policy

The following table summarizes EX3500 QoS class map policy configuration mode commands:
Table 4.31 EX3500-Management-Policy Commands

Command      Description                                                                       Reference
description  Configures a description for this EX3500 QoS class map policy                     page 4-257
match        Configures match criteria rules used to classify traffic                          page 4-258
rename       Renames an existing EX3500 QoS class map object                                   page 4-260
no           Removes this EX3500 QoS class map policy's description and match criteria         page 4-261

4.1.49.2.1 description
ex3500-qos-class-map-policy config commands

Configures this EX3500 QoS class map policy's description.

Supported in the following platforms:
Service Platforms NX7500, NX9500

Syntax
description <LINE>

Parameters
description <LINE>

  description <LINE>
      Configures this EX3500 QoS class map policy's description.
      <LINE> Enter a description that allows you to differentiate this policy from other policies with similar configuration (should not exceed 64 characters).

Example
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#description "Matches packets marked for DSCP service 3"
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
 description "Matches packets marked for DSCP service 3"
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#

Related Commands
  no    Removes this EX3500 QoS class map policy's description

4.1.49.2.2 match
ex3500-qos-class-map-policy config commands

Configures match criteria rules used to classify traffic.

Access lists, IP precedence, DSCP values, or VLANs are commonly used to classify traffic. Access lists select traffic based on layer 2, layer 3, or layer 4 information contained in each packet.

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]

Parameters
  match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]

  match
    Configures the match criteria. The options are: access-list, cos, ip, ipv6, vlan. Incoming packets matching the specified criteria are included in this QoS class map.

  access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>
    Uses access lists to provide the match criteria. You can use any one of the following ACL types to classify traffic:
      ex3500-ext-access-list   Uses an IPv4 EX3500 extended ACL
      ex3500-std-access-list   Uses an IPv4 EX3500 standard ACL
      mac-acl                  Uses a MAC EX3500 ACL
    The following keyword is common to all of the above ACL types:
      <ACL-NAME>   Specify the ACL name (should be existing and configured).

  cos <0-7>
    Configures the class of service (CoS) value used to apply user priority. CoS is a form of QoS applicable only to layer 2 Ethernet frames. It uses 3 bits (8 values) of the 802.1Q tag to differentiate and shape network traffic.
      <0-7>   Specify the CoS value from 0 - 7. Following are the 8 traffic classes based on the CoS value:
        000 (0) - Routine
        001 (1) - Priority
        010 (2) - Immediate
        011 (3) - Flash
        100 (4) - Flash Override
        101 (5) - Critical
        110 (6) - Internetwork Control
        111 (7) - Network Control

  ip [dscp <0-63>|precedence <0-7>]
    Configures the IPv4 DSCP value to match and/or the IP precedence value to match.
      dscp <0-63>   Specify the DSCP value from 0 - 63. Use this option to specify the type of service (ToS) field values included in the IP header. The ToS field exists between the header length and the total length fields. The DSCP constitutes the first 6 bits of the ToS field.
      precedence <0-7>   Configures the IP precedence to match. Following are the 8 traffic classes based on the IP precedence values:
        000 (0) - Routine
        001 (1) - Priority
        010 (2) - Immediate
        011 (3) - Flash
        100 (4) - Flash Override
        101 (5) - Critical
        110 (6) - Internetwork Control
        111 (7) - Network Control

  ipv6 dscp <0-63>
    Configures the IPv6 DSCP value to match
      <0-63>   Specify the DSCP value from 0 - 63.

  vlan <1-4094>
    Configures the VLAN to match
      <1-4094>   Specify the VLAN ID.

Usage Guidelines
When configuring match entries, take into consideration the following points:
  Deny rules included in an ACL (associated with an EX3500 QoS class map policy) are ignored whenever an incoming packet matches the ACL.
  A class map policy cannot include both an IP ACL or IP precedence rule and a VLAN rule.
  A class map policy containing a MAC ACL or VLAN rule cannot include either an IP ACL or an IP precedence rule.
  A class map policy can include a maximum of 16 match entries.

Example
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
 description "Matches packets marked for DSCP service 3"
 match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
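The fields the match command classifies on (CoS bits of the 802.1Q tag, VLAN ID, the DSCP and precedence bits of the IPv4 ToS byte, IPv6 DSCP), extracted from a raw frame and checked against a class map, as an added example that is not WiNG or EX3500 code. The frame is constructed, the Fields/ClassMap names are mine, the 16-entry limit and the VLAN versus IP precedence restriction follow the usage guidelines above, and it assumes a packet is classified when any one entry matches, which the page does not specify.

```python
"""Extracts the EX3500 match fields (CoS, VLAN, IPv4 DSCP/precedence, IPv6 DSCP) from a frame."""
import struct
from dataclasses import dataclass
from typing import Optional

ETHERTYPE_VLAN, ETHERTYPE_IPV4, ETHERTYPE_IPV6 = 0x8100, 0x0800, 0x86DD
MAX_MATCH_ENTRIES = 16          # usage guideline: at most 16 match entries per class map
MATCH_RANGES = {                # value ranges exactly as the match syntax gives them
    "cos": (0, 7), "vlan": (1, 4094), "ip dscp": (0, 63),
    "ip precedence": (0, 7), "ipv6 dscp": (0, 63),
}


@dataclass
class Fields:
    """Classification fields found in a frame; None when the relevant header is absent."""
    cos: Optional[int] = None
    vlan: Optional[int] = None
    ip_dscp: Optional[int] = None
    ip_precedence: Optional[int] = None
    ipv6_dscp: Optional[int] = None


def parse_frame(frame: bytes) -> Fields:
    """Walk Ethernet -> optional 802.1Q tag -> IPv4/IPv6 and pull out the match fields."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    f = Fields()
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (tci,) = struct.unpack("!H", frame[14:16])
        f.cos = tci >> 13            # PCP: the 3 CoS bits (8 values) of the 802.1Q tag
        f.vlan = tci & 0x0FFF        # VID: the low 12 bits
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype == ETHERTYPE_IPV4:
        if len(frame) < offset + 2:
            raise ValueError("truncated IPv4 header")
        tos = frame[offset + 1]      # ToS byte, between header length and total length
        f.ip_dscp = tos >> 2         # DSCP is the first 6 bits of ToS
        f.ip_precedence = tos >> 5   # IP precedence is the first 3 bits
    elif ethertype == ETHERTYPE_IPV6:
        if len(frame) < offset + 4:
            raise ValueError("truncated IPv6 header")
        (first_word,) = struct.unpack("!I", frame[offset:offset + 4])
        f.ipv6_dscp = ((first_word >> 20) & 0xFF) >> 2   # traffic class, then its DSCP bits
    return f


class ClassMap:
    """An EX3500 QoS class map: a name plus up to 16 (kind, value) match entries."""

    def __init__(self, name: str):
        self.name, self.entries = name, []

    def match(self, kind: str, value: int) -> None:
        """Add one match entry, enforcing the usage guidelines on the page."""
        if kind not in MATCH_RANGES:
            raise ValueError(f"unknown match criterion {kind!r}")
        lo, hi = MATCH_RANGES[kind]
        if not lo <= value <= hi:
            raise ValueError(f"{kind} value {value} outside {lo}-{hi}")
        if len(self.entries) >= MAX_MATCH_ENTRIES:
            raise ValueError("a class map can include at most 16 match entries")
        kinds = {k for k, _ in self.entries} | {kind}
        if "vlan" in kinds and "ip precedence" in kinds:   # stated restriction
            raise ValueError("a VLAN rule and an IP precedence rule cannot share a class map")
        self.entries.append((kind, value))

    def classifies(self, fields: Fields) -> bool:
        """Assumption: any one matching entry classifies the packet (the page does not
        state whether several entries are ANDed or ORed)."""
        return any(getattr(fields, kind.replace(" ", "_")) == value
                   for kind, value in self.entries)


def build_ipv4_frame(dscp: int, vlan: Optional[int] = None, cos: int = 0) -> bytes:
    """Constructed sample frame (not captured traffic): Ethernet, optional 802.1Q tag, IPv4."""
    eth = bytes.fromhex("001122334455" "66778899aabb")
    if vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, (cos << 13) | vlan)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    # Minimal 20-byte IPv4 header; only the ToS byte matters for classification.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip


if __name__ == "__main__":
    dscp_map = ClassMap("dscp")
    dscp_map.match("ip dscp", 3)           # mirrors 'match ip dscp 3' above
    for d in (3, 46):
        fields = parse_frame(build_ipv4_frame(dscp=d, vlan=100, cos=5))
        print(fields, "->", dscp_map.classifies(fields))
```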
nx9500-6C8809(config-ex3500-qos-class-map-policy-test2)#match ip precedence 1

Related Commands
  no    Removes match criteria rules configured for this EX3500 QoS class map policy

4.1.49.2.3 rename
ex3500-qos-class-map-policy config commands

Renames an existing EX3500 QoS class map policy

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>

Parameters
  rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>

  rename <EX3500-QOS-CLASS-MAP-POLICY-NAME> <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>
    Renames an existing EX3500 QoS class map
      <EX3500-QOS-CLASS-MAP-POLICY-NAME>       Enter the EX3500 QoS class map's current name.
      <NEW-EX3500-QOS-CLASS-MAP-POLICY-NAME>   Enter the new name.

Example
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]
dscp     test     test2
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename test2 IP_Precedence
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#rename [TAB]
dscp     IP_Precedence     test
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
4.1.49.2.4 no
ex3500-qos-class-map-policy config commands

Removes this EX3500 QoS class map policy's description and match criteria

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  no [description|match]

  no description
  no match [access-list [ex3500-ext-access-list|ex3500-std-access-list|mac-acl] <ACL-NAME>|cos <0-7>|ip [dscp <0-63>|precedence <0-7>]|ipv6 dscp <0-63>|vlan <1-4094>]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>   Removes the EX3500 QoS class map policy's settings based on the parameters passed

Example
The following example shows the EX3500 QoS class map policy test settings before the no commands are executed:
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy dscp
 description "Matches packets marked for DSCP service 3"
 match ip dscp 3
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no description
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#no match ip dscp
The following example shows the EX3500 QoS class map policy test settings after the no commands are executed:
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#show context
ex3500-qos-class-map-policy test
nx9500-6C8809(config-ex3500-qos-class-map-policy-dscp)#
4.1.50 ex3500-qos-policy-map
Global Configuration Commands

The following table lists EX3500 QoS policy map configuration mode commands:

Table 4.32 EX3500-QoS-Policy-Map Config Command
  Command                                 Description                                                      Reference
  ex3500-qos-policy-map                   Creates an EX3500 policy map and enters its configuration mode   page 4-263
  ex3500-qos-policy-map config commands   Summarizes EX3500 QoS policy map configuration mode commands     page 4-264

4.1.50.1 ex3500-qos-policy-map
ex3500-qos-policy-map

Creates an EX3500 policy map and enters its configuration mode

An EX3500 policy map contains one or more EX3500 QoS class map traffic classifications (existing and configured) and can be attached to multiple interfaces. Create an EX3500 policy map, and then use the class parameter to configure policies for traffic that matches the criteria defined in the EX3500 QoS class map policy. For more information, see match.

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>

Parameters
  ex3500-qos-policy-map <EX3500-QOS-POLICY-MAP-NAME>

  <EX3500-QOS-POLICY-MAP-NAME>   Specify the EX3500 policy map's name

Example
nx9500-6C8809(config)#ex3500-qos-policy-map testPolicyMap
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#?
EX3500_Qos_policy_map Mode commands:
  class            Defines a traffic classification for the policy
  description      Policy-map description
  no               Negate a command or set its defaults
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#

Related Commands
  no    Removes an existing EX3500 QoS policy map

4.1.50.2 ex3500-qos-policy-map config commands
ex3500-qos-policy-map

The following table summarizes EX3500 QoS policy map configuration mode commands:
Table 4.33 EX3500-QoS-Policy-Map Commands
  Command       Description                                                                                                                                              Reference
  class         Creates a policy map class and enters its configuration mode                                                                                             page 4-265
  description   Configures this EX3500 QoS policy map's description                                                                                                      page 4-275
  no            Removes this EX3500 QoS policy map's settings. Use this keyword to remove or modify the description and to remove the QoS traffic classification created.   page 4-276

4.1.50.2.1 class
ex3500-qos-policy-map config commands

Creates a policy map class and enters its configuration mode. The policy map class is a traffic classification upon which a policy can act.

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  class <EX3500-QoS-CLASS-MAP-POLICY-NAME>

Parameters
  class <EX3500-QoS-CLASS-MAP-POLICY-NAME>

  <EX3500-QoS-CLASS-MAP-POLICY-NAME>   Specify the EX3500 QoS class map policy's name (should be existing and configured)

Example
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap)#class dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#?
commands:
  no               Negate a command or set its defaults
  police           Defines a policer for classified traffic
  set              Classify IP traffic
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#

Related Commands
  no                      Removes this policy map class association
  ex3500-qos-policy-map   EX3500 QoS policy map configuration mode commands

4.1.50.2.2 ex3500-qos-policy-map-class-config commands
class

The following table summarizes the policy map class configuration mode commands:

Table 4.34 EX3500-Policy-Map-Class Config Command
  Command   Description                                                                                              Reference
  police    Configures an enforcer for classified traffic                                                            page 4-267
  set       Sets class of service (CoS) value, per-hop behavior (PHB) value, and IP DSCP value in matching packets   page 4-272
  no        Removes this traffic classification's settings                                                           page 4-274

4.1.50.2.3 police
ex3500-qos-policy-map-class-config commands

Configures an enforcer for classified traffic

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  police [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-color-blind]

  police flow <0-1000000> <0-16000000> conform-action transmit violate-action [<0-63>|drop]
  police [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]
  police [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-1000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]

Parameters
  police flow <0-1000000> <0-16000000> conform-action transmit violate-action [<0-63>|drop]

  police
    Configures an enforcer for classified traffic

  flow <0-1000000> <0-16000000>
    Configures an enforcer for classified traffic based on the metered flow rate
      <0-1000000>    Configures the committed information rate (CIR) from 0 - 1000000 kilobits per second.
      <0-16000000>   Configures the committed burst size (BC) from 0 - 16000000 bytes.
    Policing is based on a token bucket, where bucket depth (i.e., the maximum burst before the bucket overflows) is specified by the committed-burst field, and the average rate at which tokens are added to the bucket is specified by the committed-rate option. Note that the token bucket functions similarly to that described in RFC 2697 and RFC 2698. The behavior of the meter is specified in terms of one token bucket (C), the rate at which the tokens are incremented (CIR) and the maximum size of the token bucket (BC). The token bucket C is initially full, that is, the token count Tc(0) = BC. Thereafter, the token count Tc is updated CIR times per second as follows:
      If Tc is less than BC, Tc is incremented by one, else Tc is not incremented.
    When a packet of size B bytes arrives at time t, the following happens:
      If Tc(t) - B >= 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else the packet is red and Tc is not decremented.

  conform-action transmit
    Configures the action applied when packets fall within the specified CIR and BC limits
      transmit   Transmits packets falling within the specified CIR and BC limits. This is subject to there being enough tokens to service the packet, in which case the packet is set green.

  violate-action [<0-63>|drop]
    Configures the action applied when packets violate the specified CIR and BC limits
      <0-63>   Applies a new DSCP value. Select the DSCP value from 0 - 63.
      drop     Drops packets violating the specified CIR and BC limits

  police [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]

  police
    Configures an enforcer for classified traffic

  [srtcm-color-aware|srtcm-color-blind] <0-1000000> <0-16000000> <0-16000000>
    Configures an enforcer for classified traffic based on single rate three color meter (srTCM) mode. The srTCM as defined in RFC 2697 meters a traffic stream and processes its packets according to three traffic parameters: Committed Information Rate (CIR), Committed Burst Size (BC), and Excess Burst Size (BE).
      srtcm-color-blind   Single rate three color meter in color-blind mode
      srtcm-color-aware   Single rate three color meter in color-aware mode
    The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
      <0-1000000>    Configures the CIR from 0 - 1000000 kilobits per second.
      <0-16000000>   Configures the BC from 0 - 1600000 bytes.
      <0-16000000>   Configures the BE from 0 - 1600000 bytes.
    The behavior of the meter is specified in terms of its mode and two token buckets, C and E, which both share the common rate CIR. The maximum size of the token bucket C is BC and the maximum size of the token bucket E is BE. The token buckets C and E are initially full, that is, the token count Tc(0) = BC and the token count Te(0) = BE. Thereafter, the token counts Tc and Te are updated CIR times per second as follows:
      If Tc is less than BC, Tc is incremented by one, else if Te is less than BE, Te is incremented by one, else neither Tc nor Te is incremented.
    When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-blind mode:
      If Tc(t) - B >= 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else if Te(t) - B >= 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented.
    When a packet of size B bytes arrives at time t, the following happens if srTCM is configured to operate in color-aware mode:
      If the packet has been pre-colored as green and Tc(t) - B >= 0, the packet is green and Tc is decremented by B down to the minimum value of 0, else if the packet has been pre-colored as yellow or green and Te(t) - B >= 0, the packet is yellow and Te is decremented by B down to the minimum value of 0, else the packet is red and neither Tc nor Te is decremented.
    The metering policy guarantees a deterministic behavior where the volume of green packets is never smaller than what has been determined by the CIR and BC, that is, tokens of a given color are always spent on packets of that color. Refer to RFC 2697 for more information on other aspects of srTCM.

  conform-action transmit
    Configures the action applied when packet rates fall within the specified CIR and BC limits
      transmit   Transmits packets falling within the specified CIR and BC limits

  exceed-action [<0-63>|drop]
    Configures the action applied when packet rates exceed the specified CIR and BC limits
      <0-63>   Applies a new DSCP value. Select the DSCP value from 0 - 63.
      drop     Drops packets exceeding the specified CIR and BC limits

  violate-action [<0-63>|drop]
    Configures the action applied when packet rates exceed the specified BE limit
      <0-63>   Applies a new DSCP value. Select the DSCP value from 0 - 63.
      drop     Drops packets exceeding the specified BE limit

  police [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-1000000> <0-16000000> conform-action transmit exceed-action [<0-63>|drop] violate-action [<0-63>|drop]

  police
    Configures an enforcer for classified traffic

  [trtcm-color-aware|trtcm-color-blind] <0-1000000> <0-16000000> <0-1000000> <0-16000000>
    Configures an enforcer for classified traffic based on two rate three color meter (trTCM) mode. The trTCM as defined in RFC 2698 meters a traffic stream and processes its packets based on two rates, Committed Information Rate (CIR) and Peak Information Rate (PIR), and their associated burst sizes, Committed Burst Size (BC) and Peak Burst Size (BP).
      trtcm-color-blind   Two rate three color meter in color-blind mode
      trtcm-color-aware   Two rate three color meter in color-aware mode
      <0-1000000>    Configures the CIR from 0 - 1000000 kilobits per second
      <0-16000000>   Configures the BC from 0 - 1600000 bytes.
      <0-1000000>    Configures the PIR from 0 - 1000000 kilobits per second
      <0-16000000>   Configures the BP from 0 - 1600000 bytes
    The meter operates in one of two modes. In the color-blind mode, the meter assumes that the packet stream is uncolored. In color-aware mode the meter assumes that some preceding entity has pre-colored the incoming packet stream so that each packet is either green, yellow, or red. The marker (re)colors an IP packet according to the results of the meter. The color is coded in the DS field [RFC 2474] of the packet.
    The behavior of the meter is specified in terms of its mode and two token buckets, P and C, which are based on the rates PIR and CIR, respectively. The maximum size of the token bucket P is BP and the maximum size of the token bucket C is BC. The token buckets P and C are initially (at time 0) full, that is, the token count Tp(0) = BP and the token count Tc(0) = BC. Thereafter, the token count Tp is incremented by one PIR times per second up to BP and the token count Tc is incremented by one CIR times per second up to BC.
    When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-blind mode:
      If Tp(t) - B < 0, the packet is red, else if Tc(t) - B < 0, the packet is yellow and Tp is decremented by B, else the packet is green and both Tp and Tc are decremented by B.
    When a packet of size B bytes arrives at time t, the following happens if trTCM is configured to operate in color-aware mode:
      If the packet has been pre-colored as red or if Tp(t) - B < 0, the packet is red, else if the packet has been pre-colored as yellow or if Tc(t) - B < 0, the packet is yellow and Tp is decremented by B, else the packet is green and both Tp and Tc are decremented by B.
    The trTCM can be used to mark an IP packet stream in a service, where different, decreasing levels of assurances (either absolute or relative) are given to packets which are green, yellow, or red. Refer to RFC 2698 for more information on other aspects of trTCM.

  conform-action transmit
    Configures the action applied when packet rates fall within the specified CIR and BP limits
      transmit   Transmits packets falling within the specified CIR and BC limits

  exceed-action [<0-63>|drop]
    Configures the action applied when packet rates exceed the specified CIR limit, but are within the specified PIR limit
      <0-63>   Applies a new DSCP value. Select the DSCP value from 0 - 63.
      drop     Drops packets exceeding the specified CIR and BC limit

  violate-action [<0-63>|drop]
    Configures the action applied when packet rates exceed the specified PIR limit
      <0-63>   Applies a new DSCP value. Select the DSCP value from 0 - 63.
      drop     Drops packets exceeding the specified BE limit
Usage Guidelines
When configuring the traffic class enforcer parameters, take into consideration the following factors:
  You can configure up to 200 enforcers/policers (i.e., class maps) for ingress ports.
  The committed-rate cannot exceed the configured interface speed, and the committed-burst cannot exceed 16 Mbytes.

Example
The following example uses the police trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 Kbps, the peak burst size to 6000, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate.
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
 police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
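The srTCM and trTCM token-bucket rules described under the police parameters, carried through in code and fed the page's trtcm-color-blind example, as an added example that is not WiNG or EX3500 code. It assumes CIR/PIR given in kbps are converted to bytes per second (1 kbps = 125 bytes/s) because the buckets are sized in bytes, that buckets refill continuously from elapsed time rather than one token per tick, and a constructed packet trace; the police() and run_trace() helpers and their result tuples are my naming, not the CLI's.

```python
"""srTCM (RFC 2697) and trTCM (RFC 2698) meters as the police command describes them."""
GREEN, YELLOW, RED = "green", "yellow", "red"
BYTES_PER_KBPS = 125.0   # assumption: CIR/PIR are in kbps, bucket sizes in bytes


class Bucket:
    """One token bucket: `size` is BC/BE/BP in bytes, `rate` is tokens (bytes) per second."""

    def __init__(self, size, rate_kbps):
        self.size, self.rate = float(size), rate_kbps * BYTES_PER_KBPS
        self.tokens = self.size            # buckets start full: Tc(0) = BC, etc.

    def refill(self, elapsed):
        # Assumption: continuous refill from elapsed seconds instead of one token per tick.
        self.tokens = min(self.size, self.tokens + self.rate * elapsed)

    def fits(self, b):
        return self.tokens - b >= 0

    def take(self, b):
        self.tokens = max(0.0, self.tokens - b)


class SrTCM:
    """Single rate three color meter: buckets C (size BC) and E (size BE) share rate CIR."""

    def __init__(self, cir_kbps, bc, be, color_aware=False):
        self.c, self.e = Bucket(bc, cir_kbps), Bucket(be, cir_kbps)
        self.color_aware, self.last = color_aware, 0.0

    def _refill(self, t):
        # Tokens fill C while Tc < BC; only the surplus spills into E.
        total, self.last = self.c.rate * (t - self.last), t
        to_c = min(total, self.c.size - self.c.tokens)
        self.c.tokens += to_c
        self.e.tokens = min(self.e.size, self.e.tokens + total - to_c)

    def meter(self, t, size, precolor=None):
        """Color a packet of `size` bytes arriving at time t (seconds); precolor matters in color-aware mode."""
        self._refill(t)
        aware = self.color_aware
        if (not aware or precolor == GREEN) and self.c.fits(size):
            self.c.take(size)
            return GREEN
        if (not aware or precolor in (GREEN, YELLOW)) and self.e.fits(size):
            self.e.take(size)
            return YELLOW
        return RED


class TrTCM:
    """Two rate three color meter: bucket P (rate PIR, size BP) and bucket C (rate CIR, size BC)."""

    def __init__(self, cir_kbps, bc, pir_kbps, bp, color_aware=False):
        self.c, self.p = Bucket(bc, cir_kbps), Bucket(bp, pir_kbps)
        self.color_aware, self.last = color_aware, 0.0

    def meter(self, t, size, precolor=None):
        elapsed, self.last = t - self.last, t
        self.p.refill(elapsed)
        self.c.refill(elapsed)
        aware = self.color_aware
        if (aware and precolor == RED) or not self.p.fits(size):
            return RED                     # over PIR/BP: red, nothing is debited
        if (aware and precolor == YELLOW) or not self.c.fits(size):
            self.p.take(size)              # within PIR but over CIR/BC: yellow
            return YELLOW
        self.p.take(size)
        self.c.take(size)
        return GREEN


def police(color, exceed_action, violate_action):
    """conform-action is always transmit; exceed/violate are 'drop' or a DSCP 0-63 to remark with."""
    if color == GREEN:
        return ("transmit", None)
    action = exceed_action if color == YELLOW else violate_action
    if action == "drop":
        return ("drop", None)
    if not 0 <= int(action) <= 63:
        raise ValueError("remark value must be a DSCP 0-63")
    return ("remark", int(action))


def run_trace(meter, packets, exceed_action, violate_action):
    """Meter a trace of (time_s, size_bytes[, precolor]) tuples and police each packet."""
    out = []
    for pkt in packets:
        t, size, precolor = pkt[0], pkt[1], (pkt[2] if len(pkt) > 2 else None)
        color = meter.meter(t, size, precolor)
        out.append((color,) + police(color, exceed_action, violate_action))
    return out


if __name__ == "__main__":
    # Page example (police trtcm-color-blind 100000 4000 100000 6000 ... exceed-action 0
    # violate-action drop) fed a constructed burst of 1500-byte packets, then one 1 ms later.
    burst = [(0.0, 1500)] * 5 + [(0.001, 1500)]
    for result in run_trace(TrTCM(100000, 4000, 100000, 6000), burst, "0", "drop"):
        print(result)
```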
Related Commands
  no    Removes the traffic enforcer settings

4.1.50.2.4 set
ex3500-qos-policy-map-class-config commands

Sets class of service (CoS) value, per-hop behavior (PHB) value, and IP DSCP value in matching packets

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  set [cos <0-7>|ip dscp <0-63>|phb <0-7>]

Parameters
  set [cos <0-7>|ip dscp <0-63>|phb <0-7>]

  set
    Sets the match criteria used to identify and classify traffic into different classes. The match criteria options are: CoS, IP DSCP, and PHB values.

  cos <0-7>
    Configures the CoS value for a matching packet (as specified by the match command) in the packet's VLAN tag
      <0-7>   Specify a value from 0 - 7. The CoS is modified to the value specified here.

  ip dscp <0-63>
    Modifies the IP DSCP value in a matching packet (as specified by the match command)
      <0-63>   Specify a value from 0 - 63. The DSCP value is modified to the value specified here.

  phb <0-7>
    Configures a PHB value for matching packets
      <0-7>   Specify a value from 0 - 7. The PHB label is composed of five bits, three bits for per-hop behavior, and two bits for the color scheme used to control queue congestion. A packet is marked green, yellow, or red as per the following:
        green if it does not exceed the CIR and BC limits,
        yellow if it exceeds the CIR and BC limits, but not the BE limit, and
        red otherwise.

Example
The following example uses the set > phb command to classify the service that incoming packets will receive, and then uses the police > trtcm-color-blind command to limit the average bandwidth to 100,000 Kbps, the committed burst rate to 4000 bytes, the peak information rate to 1,000,000 Kbps, the peak burst size to 6000 bytes, to remark any packets exceeding the committed burst size, and to drop any packets exceeding the peak information rate.
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#set phb 3
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#police trtcm-color-blind 100000 4000 1000000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#show context
class test2
 set phb 3
 police trtcm-color-blind 100000 4000 100000 6000 conform-action transmit exceed-action 0 violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-test2)#

The following example uses the set > ip dscp command to classify the service that incoming packets will receive, and then uses the police > flow command to limit the average bandwidth to 100,000 Kbps, the burst rate to 4000 bytes, and configure the response to drop any violating packets:
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#set ip dscp 3
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
 set ip dscp 3
 police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
Related Commands
  no    Removes CoS value, PHB value, or IP DSCP value from this traffic class

4.1.50.2.5 no
ex3500-qos-policy-map-class-config commands

Removes this traffic classification's settings

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  no [police|set]

  no police [flow|srtcm-color-aware|srtcm-color-blind|trtcm-color-aware|trtcm-color-blind]
  no set [cos|ip dscp|phb]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>   Removes this traffic class's settings based on the parameters passed

Example
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
 set ip dscp 3
 police flow 100000 4000 conform-action transmit violate-action drop
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no set ip dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#no police flow
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#show context
class dscp
nx9500-6C8809(config-ex3500-qos-policy-map-testPolicyMap-pmap-class-dscp)#
4.1.50.2.6 description
ex3500-qos-policy-map config commands

Configures this EX3500 QoS policy map's description

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  description <LINE>

Parameters
  description <LINE>

  description <LINE>   Configures this EX3500 QoS policy map's description
  <LINE>               Enter a description that allows you to differentiate it from other policies with similar configuration (should not exceed 64 characters)

Example
nx9500-6C8809(config-ex3500-qos-policy-map-test)#description "This is a test EX3500 QoS Policy Map"
nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
 description "This is a test EX3500 QoS Policy Map"
 class test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#
Related Commands
  no    Removes this EX3500 QoS policy map's description

4.1.50.2.7 no
ex3500-qos-policy-map config commands

Removes this EX3500 QoS policy map's settings. Use this keyword to remove the description and to remove the QoS traffic classification created.

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  no [class <EX3500-QoS-POLICY-MAP-NAME>|description]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>   Removes this EX3500 QoS policy map's settings based on the parameters passed

Example
The following example shows the EX3500 QoS policy map test settings before the no commands are executed:
nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
 description "This is a test EX3500 QoS Policy Map"
 class test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#
nx9500-6C8809(config-ex3500-qos-policy-map-test)#no description
nx9500-6C8809(config-ex3500-qos-policy-map-test)#no class test
The following example shows the EX3500 QoS policy map test settings after the no commands are executed:
nx9500-6C8809(config-ex3500-qos-policy-map-test)#show context
ex3500-qos-policy-map test
nx9500-6C8809(config-ex3500-qos-policy-map-test)#
4.1.51 ex3524
Global Configuration Commands

Adds an EX3524 switch to the network

The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity.

To enable layer 3 adoption of the logged EX3524 switch to a NOC controller, navigate to the EX3524 switch's device configuration mode and execute the following command: controller > host > <IP/HOSTNAME>.

EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch utilizes an embedded HTTP Web agent and CLI, which, in spite of being different from that of the WiNG operating system, provides WiNG controllers PoE and port management resources. Going forward, NX9500 and NX7500 WiNG managed series service platforms and WiNG VMs can discover, adopt, and partially manage EX3500 series Ethernet switches without modifying the proprietary operating system running on the EX3500 switches. The WiNG service platforms utilize standardized WiNG interfaces to push configuration files to the EX3500 switches, and maintain a translation layer, understood by the EX3500 switch, for statistics retrieval.

Supported in the following platforms:
  Service Platforms NX7500, NX9500

Syntax
  ex3524 <DEVICE-EX3524-MAC>

Parameters
  ex3524 <DEVICE-EX3524-MAC>

  <DEVICE-EX3524-MAC>   Specifies the MAC address of an EX3524 switch

Example
nx9500-6C8809(config)#ex3524 A1-C4-33-6D-66-07
nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#?
EX35xx Device Mode commands:
  hostname         Set system's network name
  interface        Select an interface to configure
  ip               Internet Protocol (IP)
  no               Negate a command or set its defaults
  power            EX3500 Power over Ethernet Command
  remove-override  Remove configuration item override from the device (so profile value takes effect)
  upgrade          Configures upgrade option for ex3500 system
  use              Set setting to use
  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
nx9500-6C8809(config-device-A1-C4-33-6D-66-07)#
Related Commands
no   Removes an EX3524 switch from the network

4.1.52 ex3548
Global Configuration Commands

Adds an EX3548 switch to the network.

The EX3500 series switch is a Gigabit Ethernet layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity.

Supported in the following platforms:
Service Platforms: NX7500, NX9500

Syntax
ex3548 <DEVICE-EX3548-MAC>

Parameters
ex3548 <DEVICE-EX3548-MAC>

<DEVICE-EX3548-MAC>   Specifies the MAC address of an EX3548 switch

Example
nx9500-6C8809(config)#ex3548 22-65-78-09-12-35
nx9500-6C8809(config-device-22-65-78-09-12-35)#?
EX35xx Device Mode commands:
  hostname          Set system's network name
  interface         Select an interface to configure
  ip                Internet Protocol (IP)
  no                Negate a command or set its defaults
  power             EX3500 Power over Ethernet Command
  remove-override   Remove configuration item override from the device (so profile value takes effect)
  upgrade           Configures upgrade option for ex3500 system
  use               Set setting to use

  clrscr            Clears the display screen
  commit            Commit all changes made in this session
  do                Run commands from Exec mode
  end               End current mode and change to EXEC mode
  exit              End current mode and down to previous mode
  help              Description of the interactive help system
  revert            Revert changes
  service           Service Commands
  show              Show running system information
  write             Write running configuration to memory or terminal

nx9500-6C8809(config-device-22-65-78-09-12-35)#
Related Commands
no   Removes an EX3548 switch from the network

4.1.53 firewall-policy
Global Configuration Commands

Configures a firewall policy. This policy defines a set of rules for managing network traffic and prevents unauthorized access to the network behind the firewall.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
firewall-policy <FIREWALL-POLICY-NAME>

Parameters
firewall-policy <FIREWALL-POLICY-NAME>

<FIREWALL-POLICY-NAME>   Specify the firewall policy name. If a firewall policy does not exist, it is created.

Example
rfs6000-81742D(config)#firewall-policy test
rfs6000-81742D(config-fw-policy-test)#?
Firewall policy Mode commands:
  acl-logging                     Log on flow creating traffic
  alg                             Enable ALG
  clamp                           Clamp value
  dhcp-offer-convert              Enable conversion of broadcast dhcp offers to unicast
  dns-snoop                       DNS Snooping
  firewall                        Wireless firewall
  flow                            Firewall flow
  ip                              Internet Protocol (IP)
  ip-mac                          Action based on ip-mac table
  ipv6                            Internet Protocol version 6 (IPv6)
  ipv6-mac                        Action based on ipv6-mac table
  logging                         Firewall enhanced logging
  no                              Negate a command or set its defaults
  proxy-arp                       Enable generation of ARP responses on behalf of another device
  proxy-nd                        Enable generation of ND responses (for IPv6) on behalf of another device
  stateful-packet-inspection-l2   Enable stateful packet inspection in layer2 firewall
  storm-control                   Storm-control
  virtual-defragmentation         Enable virtual defragmentation for IPv4 packets (recommended for proper functioning of firewall)

  clrscr                          Clears the display screen
  commit                          Commit all changes made in this session
  do                              Run commands from Exec mode
  end                             End current mode and change to EXEC mode
  exit                            End current mode and down to previous mode
  help                            Description of the interactive help system
  revert                          Revert changes
  service                         Service Commands
  show                            Show running system information
  write                           Write running configuration to memory or terminal

rfs6000-81742D(config-fw-policy-test)#
Related Commands
no   Removes an existing firewall policy

NOTE: For more information on Firewall policy, see Chapter 13, FIREWALL-POLICY.

4.1.54 global-association-list
Global Configuration Commands

Configures a global list of client MAC addresses. Based on the deny or permit rules specified, clients are either allowed or denied access to the managed network.

The global association list serves the same purpose as an Association Access Control List (ACL). However, the Association ACL allows only a limited number of entries (a few thousand), which does not meet the requirements of a large deployment. This gap is filled by the global association list, which is much larger (tens of thousands of entries). Both lists co-exist in the system. When an access request comes in, the association ACL is looked up first; if the requesting MAC address is listed in one of the deny ACLs, the association is denied. If the requesting client is permitted access, or if none of the ACLs list the client's MAC address, the global association list is checked. Once authenticated, the client's credentials are cached on the access point, and subsequent requests are not referred to the controller. An entry in an AP's credential cache means a pass in the global association list.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
global-association-list <GLOBAL-ASSOC-LIST-NAME>

Parameters
global-association-list <GLOBAL-ASSOC-LIST-NAME>

<GLOBAL-ASSOC-LIST-NAME>   Specify the global association list name. If a list with the same name does not exist, it is created.
                           Map this global association list to a device (controller) or a controller profile. Once associated, the controller applies this association list to requests received from all adopted APs. For more information, see use.
                           The global association list can also be mapped to a WLAN. The usage of global access lists is controlled on a per-WLAN basis. For more information, see association-list.

Example
rfs4000-229D58(config)#global-association-list my-clients
rfs4000-229D58(config-global-assoc-list-my-clients)#?
Global Association List Mode commands:
  default-action   Configure the default action when the client MAC does not match any rule
  deny             Specify MAC addresses to be denied
  no               Negate a command or set its defaults
  permit           Specify MAC addresses to be permitted

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal

rfs4000-229D58(config-global-assoc-list-my-clients)#
To enable global-association-list controlled client association, execute the following commands:

1 Create a global association list, and configure it as shown in the following example:

rfs4000-229D58(config)#global-association-list vtt-list
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 01-22-33-44-55-66 description sample
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 40-B8-9A-39-F1-27 description acer
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 42-B8-9A-39-F1-27 description ami
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit 6C-40-08-B2-80-6C description mac
rfs4000-880DA7(config-global-assoc-list-vtt-list)#permit E0-98-61-34-11-47 description my_mobile
rfs4000-880DA7(config-global-assoc-list-vtt-list)#show context
global-association-list vtt-list
 default-action deny
 permit 01-22-33-44-55-66 description sample
 permit 40-B8-9A-39-F1-27 description acer
 permit 42-B8-9A-39-F1-27 description ami
 permit 6C-40-08-B2-80-6C description mac
 permit E0-98-61-34-11-47 description my_mobile
rfs4000-880DA7(config-global-assoc-list-vtt-list)#

2 Attach this global association list to the profile or device context of the access point or controller, as shown in the following examples:

3 On the access point's profile context:

Note: Ensure that the global association list is associated with the profile being applied on the access point.

rfs4000-880DA7(config-profile-testAP6522)#use global-association-list server vtt-list
rfs4000-880DA7(config-profile-testAP6522)#show context include-factory | include global-association-list
 service global-association-list blacklist-interval 60
 use global-association-list server vtt-list
rfs4000-880DA7(config-profile-testAP6522)#

4 On the access point's device context:

ap6522(config-device-B4-C7-99-EA-DF-2C)#use global-association-list server vtt-list
ap6522(config-device-B4-C7-99-EA-DF-2C)#show context include-factory | include global-association-list
 use global-association-list server vtt-list
ap6522(config-device-B4-C7-99-EA-DF-2C)#

5 On the controller's device context:

rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#use global-association-list server vtt-list
rfs4000-880DA7(config-device-00-23-68-88-0D-A7)#show context include-factory | include global-association-list
 use global-association-list server vtt-list
ap6522(config-device-B4-C7-99-EA-DF-2C)#

6 Attach this global association list with the WLAN, as shown in the following example:

rfs4000-880DA7(config-wlan-GLAssList)#association-list global vtt-list
rfs4000-880DA7(config-wlan-GLAssList)#show context include-factory | include association-list
 association-list global vtt-list
rfs4000-880DA7(config-wlan-GLAssList)#
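The lookup order described for the global association list (association ACL first, a deny there is final, otherwise the global list with its default-action, and a credential-cache hit standing in for a global-list pass) is easy to get wrong when reasoning about which clients a deployment admits. The following is an added worked model of that order, not WiNG code; it builds the vtt-list from the example above and adds one constructed association-ACL deny entry to show precedence. The assumption that a cached client never overrides an ACL deny is this model's, not something the guide states.

```python
"""Model of WiNG's client association decision as the guide describes it.
Constructed illustration; the cache and ACL precedence details are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical WiNG form (AA-BB-CC-DD-EE-FF) so lookups do not depend on
    whether the client identifier arrived with colons, hyphens or lower case."""
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12 or any(ch not in "0123456789ABCDEF" for ch in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class GlobalAssociationList:
    """Mirrors config-global-assoc-list mode: permit/deny entries with a
    description, plus default-action for MACs that match no rule."""
    name: str
    default_action: str = "deny"
    permits: Dict[str, str] = field(default_factory=dict)
    denies: Dict[str, str] = field(default_factory=dict)

    def permit(self, mac: str, description: str = "") -> None:
        self.permits[normalize_mac(mac)] = description

    def deny(self, mac: str, description: str = "") -> None:
        self.denies[normalize_mac(mac)] = description

    def lookup(self, mac: str) -> str:
        mac = normalize_mac(mac)
        if mac in self.denies:
            return "deny"
        if mac in self.permits:
            return "permit"
        return self.default_action


@dataclass
class AssociationAcl:
    """The per-WLAN association ACL (a few thousand entries at most)."""
    permits: Set[str] = field(default_factory=set)
    denies: Set[str] = field(default_factory=set)

    def lookup(self, mac: str) -> Optional[str]:
        mac = normalize_mac(mac)
        if mac in self.denies:
            return "deny"
        if mac in self.permits:
            return "permit"
        return None  # not listed: the global list decides


def decide_association(mac: str, acl: AssociationAcl,
                       glist: GlobalAssociationList,
                       credential_cache: Set[str]) -> Tuple[str, str]:
    """Return (verdict, source). An ACL deny is final; an ACL permit or no ACL
    entry hands over to the global list; a cached client skips the global list
    (assumption: the cache does not override an ACL deny)."""
    mac = normalize_mac(mac)
    if acl.lookup(mac) == "deny":
        return "deny", "association-acl"
    if mac in credential_cache:
        return "permit", "credential-cache"
    verdict = glist.lookup(mac)
    if verdict == "permit":
        credential_cache.add(mac)  # later requests are not referred to the controller
    return verdict, f"global-association-list {glist.name}"


def sample_setup() -> Tuple[AssociationAcl, GlobalAssociationList]:
    """The vtt-list from the guide's example plus a constructed ACL deny."""
    glist = GlobalAssociationList("vtt-list", default_action="deny")
    for mac, desc in [("01-22-33-44-55-66", "sample"), ("40-B8-9A-39-F1-27", "acer"),
                      ("42-B8-9A-39-F1-27", "ami"), ("6C-40-08-B2-80-6C", "mac"),
                      ("E0-98-61-34-11-47", "my_mobile")]:
        glist.permit(mac, desc)
    acl = AssociationAcl(denies={"E0-98-61-34-11-47"})  # constructed: ACL deny wins
    return acl, glist


if __name__ == "__main__":
    acl, glist = sample_setup()
    cache: Set[str] = set()
    for client in ["40:b8:9a:39:f1:27", "40-B8-9A-39-F1-27",
                   "00-11-22-33-44-55", "E0-98-61-34-11-47"]:
        print(client, decide_association(client, acl, glist, cache))
```

Running the model shows the two behaviours worth remembering when auditing such a deployment: a MAC that is globally permitted is still refused if a WLAN's association ACL denies it, and once a client has passed, the AP's credential cache answers for it without consulting the controller again.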
4.1.55 guest-management
Global Configuration Commands

The following table summarizes the guest management policy configuration mode commands:

Table 4.35 Guest-Management Policy Config Command
Command                          Description                                                           Reference
guest-management                 Creates a guest management policy and enters its configuration mode   page 4-286
guest-management-mode commands   Summarizes guest management policy configuration mode commands        page 4-287

4.1.55.1 guest-management
guest-management

Configures a guest management policy that redirects guest users to a registration portal upon association to a captive portal. Guest users are redirected to an internally or externally hosted registration page (registration.html) where previously unregistered guest users can register. The internally hosted captive portal registration page can be customized based on business requirements.

Use the guest management policy commands to configure parameters such as the e-mail host and SMS gateway, along with the credentials required for sending the pass code to the guest via e-mail and SMS.

You can configure up to 32 different guest management policies. Each guest management policy allows you to configure the SMS gateway, SMS message body, e-mail SMTP server, e-mail subject contents, and e-mail message body. Although multiple guest management policies may exist at any point in time, only one guest management policy can be active per device.

Guest registration is supported only on the NX95XX and NX7500 series service platforms. However, the number of user identity entries supported on each varies: 2 million and 1 million user-identity entries for the NX95XX and NX75XX model service platforms respectively.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest-management <POLICY-NAME>

Parameters
guest-management <POLICY-NAME>

<POLICY-NAME>   Specify the guest management policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#guest-management guest
nx9500-6C8809(config-guest-management-guest)#?
Guest Management Mode commands:
  email                   Email guest-notification configuration
  guest-database-backup   Configure guest-database-backup parameters
  guest-database-export   Configure guest-database-export parameters
  no                      Negate a command or set its defaults
  sms                     SMS guest-notification configuration
  sms-over-smtp           Sms-over-smtp configuration to email sms gateway address

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  do                      Run commands from Exec mode
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

nx9500-6C8809(config-guest-management-guest)#
Related Commands
no   Removes an existing guest management policy

4.1.55.2 guest-management-mode commands
guest-management

The following table summarizes guest management policy configuration mode commands:

Table 4.36 Guest-Management-Policy-Config-Mode Commands
Command                 Description                                                                                    Reference
email                   Configures guest user e-mail notification settings                                             page 4-288
guest-database-backup   Enables periodic backup of the captive portal's guest registration user database               page 4-290
guest-database-export   Schedules an export of the Guest Management User database to a specified external server       page 4-291
sms                     Configures guest user SMS notification settings                                                page 4-292
sms-over-smtp           Configures an e-mail host server along with sender credentials and the recipient's gateway     page 4-294
                        e-mail address to which the message is e-mailed. The gateway server converts the e-mail into
                        SMS and forwards the message to the guest user's mobile device.
no                      Removes this guest management policy's settings                                                page 4-296

4.1.55.2.1 email
guest-management-mode commands

Configures guest user e-mail notification settings. When configured, guest users can register themselves with their e-mail credentials as the primary key for authentication. The captive portal system provides the pass code for their registration. Guest users need to use their registered e-mail, mobile, or member ID and the received pass code for subsequent logins to the captive portal. This option is disabled by default.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
email [host|message|subject]
email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD>
email message <LINE>
email subject <LINE>

Parameters
email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD>

email host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>]
  Configures guest user e-mail notification settings. Configures the SMTP server's IP address or hostname used for guest management e-mail traffic, guest user credential validation, and pass code reception. Optionally you can use an existing host alias to identify the SMTP server host.
  <IP/HOSTNAME>       Specify the SMTP server's IPv4 address or hostname.
  <HOST-ALIAS-NAME>   Specify the host alias name (should be existing and configured). Consider providing the host as an alias. A host alias is a configuration item that maps the alias to a hostname. Once created, it can be used across different configuration modes. Wherever used, the alias is replaced by the associated hostname.

sender <EMAIL-ADDRESS>
  Configures the sender's name for the guest user receiving the pass code required for registering their guest e-mail credentials using SMTP.
  <EMAIL-SENDER>      Specify the sender's name (should not exceed 100 characters).

security [none|ssl|starttls]
  Configures the encryption protocol used by the SMTP server when communicating the pass code.
  none       No encryption used. Use if no additional user authentication is needed beyond the required username and password combination.
  ssl        Uses SSL encryption. This is the default setting.
  starttls   Uses STARTTLS encryption.

username <USER-NAME>
  Configures a username unique to this SMS guest management configuration. After configuring the username, specify the associated password. Ensure that the password is correctly provided to receive the pass code required for registering guest user credentials with SMS.
  <USER-NAME>   Specify the username (should not exceed 100 characters).

password <PASSWORD>
  Configures the password associated with the specified SMTP user name.
  <PASSWORD>    Specify the password (should not exceed 63 characters).

email message <LINE>

email message <LINE>
  Configures guest user e-mail notification content. Configures the content of the e-mail sent to the guest user notifying the pass code (should not exceed 1024 characters).
  <LINE>   Specify the message content. When entering the message, use the following tags:
           GM-NAME for the guest user's name
           GM_PASSCODE for the pass code
           CR-NL to enter a new line
           For example: Dear GM_NAME, CR-NL your internet access pass code is GM_PASSCODE. CR-NL Use this for internet access.

email subject <LINE>

email subject <LINE>
  Configures guest user e-mail notification subject line. Configures the subject line of the e-mail sent to the guest user notifying the pass code (should not exceed 100 characters).
  <LINE>   Specify the subject line content. When entering the subject line, use the following tag:
           GM-NAME for the guest user's name
           For example: GM_NAME, your internet access code

Example
nx9500-6C8809(config-guest-management-test)#email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123
nx9500-6C8809(config-guest-management-test)#

nx9500-6C8809(config-guest-management-test2)#email message Dear GM_Guest2, CR-NL Your internet access passcode is GM_Guest2. CR-NL Use this for internet access.
nx9500-6C8809(config-guest-management-test2)#email subject GM_Guest2 Your internet access code
nx9500-6C8809(config-guest-management-test2)#show context
guest-management test2
 email subject GM_Guest2 Your internet access code
 email message Dear GM_Guest2, CR-NL Your internet access passcode is GM_Guest2. CR-NL Use this for internet access.
nx9500-6C8809(config-guest-management-test2)#
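Two things in the show context output above deserve a routine check on any controller carrying guest management: the security keyword on each SMTP host line (none sends the SMTP login and the pass code e-mails unencrypted, whereas ssl is the documented default) and the fact that the SMTP and SMS gateway passwords are displayed in cleartext, so running-config backups and captured show context output are as sensitive as the credentials themselves. The following is an added audit helper, not WiNG code, that parses show context text laid out one statement per line (the sample text is constructed) and reports those two conditions.

```python
"""Parse and audit the show context output of a guest-management policy.
Added illustration, not WiNG code; SAMPLE_SHOW_CONTEXT is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed show context output, one statement per line as the CLI prints it
SAMPLE_SHOW_CONTEXT = """\
guest-management test
 email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123
 sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell
 sms-over-smtp host smtp.example.net sender bob@extremenetworks.com security none username bob password bob@123 recipient john@extremenetworks.com
 sms message Dear guest1, Your passcode for internet access is GM-guest1
"""


def parse_guest_management(text: str) -> Tuple[Optional[str], List[Dict[str, str]]]:
    """Return the policy name and one dict per 'host' statement ('email host',
    'sms host' or 'sms-over-smtp host' followed by keyword/value pairs).
    message and subject statements carry free text and are skipped."""
    policy = None
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[0] == "guest-management" and len(tokens) == 2:
            policy = tokens[1]
            continue
        if len(tokens) < 3 or tokens[1] != "host":
            continue
        entry = {"kind": tokens[0], "host": tokens[2]}
        rest = tokens[3:]
        entry.update(zip(rest[0::2], rest[1::2]))  # keyword value keyword value ...
        entries.append(entry)
    return policy, entries


def audit_guest_management(policy: Optional[str], entries: List[Dict[str, str]]) -> List[str]:
    """One finding per weak or sensitive setting found in the parsed policy."""
    findings = []
    for e in entries:
        where = f"guest-management {policy}: {e['kind']} host {e['host']}"
        # only the two SMTP-based transports carry the security keyword
        if e["kind"] in ("email", "sms-over-smtp") and e.get("security") == "none":
            findings.append(f"{where}: security none, SMTP login and pass code e-mails are sent unencrypted")
        if "password" in e:
            findings.append(f"{where}: password stored in cleartext in the running configuration")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_management(*parse_guest_management(SAMPLE_SHOW_CONTEXT)):
        print(finding)
```

The parser relies only on the statement shape visible in the guide's examples (the transport keyword, host, then keyword/value pairs); any extra pairs such as api-id or recipient are kept in the entry dict, so the audit can be extended without touching the parser.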
Related Commands
no   Removes the e-mail settings used to send notification mails to the guest user

4.1.55.2.2 guest-database-backup
guest-management-mode commands

Enables periodic backup of a captive portal's guest registration user database. This option is enabled by default.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest-database-backup enable {<TIME>}

Parameters
guest-database-backup enable {<TIME>}

guest-database-backup enable <TIME>
  Enables periodic backup of a captive portal's guest registration user database. This command also allows you to configure the time at which the system starts backing up the database. The default backup-start time is 00:00 (midnight every day).
  <TIME>   Optional. Resets the periodic database backup-start time to a user-defined value in the HH:MM format. When specified, the system starts periodic backup of the database, every day, at the specified time.

Example
nx9500-6C8809(config-guest-management-test)#guest-database-backup enable 12:30
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 guest-database-backup enable 12:30
nx9500-6C8809(config-guest-management-test)#
Related Commands
no   Disables periodic backup of a captive portal's guest registration user database

4.1.55.2.3 guest-database-export
guest-management-mode commands

Schedules an export of the Guest Management user database to a specified external server. This option is enabled by default.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest-database-export <TIME> frequency <1-168> url-directory <URL> {(format [csv|json]|last-visit-within <1-168>)}

Parameters
guest-database-export <TIME> frequency <1-168> url-directory <URL> {(format [csv|json]|last-visit-within <1-168>)}

guest-database-export <TIME>
  Schedules an export of the Guest Management User collection to an external server.
  <TIME>   Configures the start time of the export operation in the HH:MM format.

frequency <1-168>
  Configures the user collection export frequency in hours.
  <1-168>   Configures the frequency from 1 - 168 hours. If the frequency is set at 3 hours, the user database is exported once every 3 hours. The default is 4 hours.

url-directory <URL>
  Configures the external server's URL and the directory to which the collection is exported.
  <URL>   Specify the external server's URL.

format [csv|json]
  Optional. Configures the file format.
  csv    Exports the collection to the specified location in CSV format. This is the default setting.
  json   Exports the collection to the specified location in JSON format.

last-visit-within <1-168>
  Configures a filter that selects guest users who have last visited within a specified period of time.
  <1-168>   Specify a time period from 1 - 168 hours. If, for example, the last-visit-within value is set at 2 hours, then only the guest user collections of the last two hours are exported. The default is 4 hours.

Example
nx9500-6C8809(config-guest-management-gm1)#guest-database-export 10:30 frequency 6 url-directory ftp://admin:xxxxxx@192.168.13.10/dbe_dir format json last-visit-within 168
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 guest-database-export 12:30 frequency 20 url-directory ftp://admin:xxxxxx@192.168.13.10/dbe_dir format json last-visit-within 168
nx9500-6C8809(config-guest-management-test)#
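The export parameters interact in a way the table only states in words: last-visit-within selects which guest records leave the controller at each run, format decides how they are serialized, and the url-directory (credentials included, as the example's ftp://admin:...@ URL shows) is stored in the running configuration. The following is an added model of those parameters, not WiNG code; the guest record fields and the sample records are constructed, since the page does not document the export schema, and the URL warnings are this example's own checks.

```python
"""Model of guest-database-export: range validation, the last-visit-within
filter, csv/json serialization, and a check of the url-directory value.
Added illustration, not WiNG code; record fields and sample data are constructed."""
import csv
import io
import json
from datetime import datetime, timedelta
from urllib.parse import urlsplit

HOUR_RANGE = range(1, 169)       # <1-168> in the syntax line
DEFAULT_FREQUENCY = 4            # hours, per the parameter table
DEFAULT_LAST_VISIT_WITHIN = 4    # hours, per the parameter table

NOW = datetime(2018, 3, 1, 12, 30)  # constructed "current time" for the run

# Constructed guest registration records (the field names are assumptions)
SAMPLE_GUESTS = [
    {"name": "alice", "email": "alice@example.net", "mobile": "+15550100",
     "last_visit": NOW - timedelta(hours=1)},
    {"name": "bob", "email": "bob@example.net", "mobile": "+15550101",
     "last_visit": NOW - timedelta(hours=5)},
    {"name": "carol", "email": "carol@example.net", "mobile": "+15550102",
     "last_visit": NOW - timedelta(hours=100)},
]


def parse_export_args(time_hhmm, frequency=DEFAULT_FREQUENCY, fmt="csv",
                      last_visit_within=DEFAULT_LAST_VISIT_WITHIN):
    """Validate the values the way the syntax line constrains them."""
    start = datetime.strptime(time_hhmm, "%H:%M").time()  # raises on bad HH:MM
    if frequency not in HOUR_RANGE or last_visit_within not in HOUR_RANGE:
        raise ValueError("frequency and last-visit-within must be 1-168 hours")
    if fmt not in ("csv", "json"):
        raise ValueError("format must be csv or json")
    return {"start": start, "frequency": frequency, "format": fmt,
            "last_visit_within": last_visit_within}


def select_for_export(guests, now, last_visit_within):
    """Keep only guests whose last visit falls inside the last-visit-within window."""
    cutoff = now - timedelta(hours=last_visit_within)
    return [g for g in guests if g["last_visit"] >= cutoff]


def serialize(records, fmt):
    """Render the selected records in the configured format."""
    rows = [dict(r, last_visit=r["last_visit"].isoformat()) for r in records]
    if fmt == "json":
        return json.dumps(rows, indent=1)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["name", "email", "mobile", "last_visit"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


def url_directory_warnings(url):
    """The url-directory value is kept verbatim in the running configuration,
    so embedded credentials and cleartext schemes are worth flagging."""
    parts = urlsplit(url)
    warnings = []
    if parts.username or parts.password:
        warnings.append("credentials embedded in url-directory appear in show context output")
    if parts.scheme in ("ftp", "http"):
        warnings.append(f"{parts.scheme} transfers the exported guest database in cleartext")
    return warnings


def run_export(guests, now, time_hhmm, frequency, url, fmt, last_visit_within):
    """One export run: validate, filter, serialize, and report URL concerns."""
    args = parse_export_args(time_hhmm, frequency, fmt, last_visit_within)
    selected = select_for_export(guests, now, args["last_visit_within"])
    return serialize(selected, args["format"]), url_directory_warnings(url)


if __name__ == "__main__":
    text, warnings = run_export(SAMPLE_GUESTS, NOW, "10:30", 6,
                                "ftp://admin:xxxxxx@192.168.13.10/dbe_dir", "json", 6)
    print(text)
    print("\n".join(warnings))
```

With the defaults (4-hour frequency and a 4-hour last-visit-within window) each run covers exactly the interval since the previous one; setting last-visit-within larger than frequency, as in the example's 168 hours with a 6-hour frequency, re-exports the same records repeatedly, which matters when the destination directory is reviewed for personal data retention.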
Related Commands
no   Reverts the guest database export parameters to default

4.1.55.2.4 sms
guest-management-mode commands

Configures guest user SMS notification settings. When configured, guest users can register themselves with their e-mail or mobile device ID as the primary key for authentication. The captive portal provides the pass code for registration. Guest users use their registered e-mail or mobile device ID and the received pass code for subsequent logins to the captive portal.

NOTE: When using SMS, ensure that the WLAN's mode of authentication is set to none and the mode of registration is set to user. In other words, captive portal authentication must always enforce guest registration.

SMS is similar to MAC address-based self registration, but in addition the captive portal sends an SMS message, containing an access code, to the user's mobile phone number provided at the time of registration. The captive portal verifies the code, returns the Welcome page and provides access. This allows the administrator to verify the phone number provided, which can be traced back to a specific individual should the need arise.

The default gateway used with SMS is Clickatell. A pass code can be sent with SMS to the guest user directly using Clickatell, or the pass code can be sent via e-mail to the SMS Clickatell gateway server, and Clickatell sends the pass code SMS to the guest user.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sms [host|message]
sms host clickatell username <USER-NAME> password <PASSWORD> api-id <ID> user-agent <PYCLICKATELL> {source-number <WORD>}
sms message <LINE>

Parameters
sms host clickatell username <USER-NAME> password <PASSWORD> api-id <ID> user-agent <PYCLICKATELL> {source-number <WORD>}

sms host clickatell
  Configures guest user SMS notification settings. By default, clickatell is the host SMS gateway server resource. Upon receiving the pass code e-mail, the SMS gateway sends the actual notification pass code SMS to the guest user.

username <USER-NAME>
  Configures a username unique to this SMS guest management configuration. After configuring the username, specify the associated password. Ensure that the password is correctly provided to receive the pass code required for registering guest user credentials with SMS.
  <USER-NAME>   Specify the username (should not exceed 32 characters).

password <PASSWORD>
  Configures the password associated with the specified username.
  <PASSWORD>    Specify the password (should not exceed 63 characters).

api-id <ID>
  Set a 32 character maximum API ID.
  <API-ID>      Specify the API ID (should not exceed 32 characters).

user-agent <PYCLICKATELL>
  Since the SMS service provider by default is Clickatell, set the user agent name to pyclickatell. The user-agent value ensures the Clickatell SMS gateway server and its related credentials, needed for sending the pass code to guest users, are configured.

source-number <WORD>
  Optional. Configures the long-address or the from-number associated with this Clickatell user account.
  <WORD>        Specify the source number (should not exceed 32 characters).

sms message <LINE>

sms message <LINE>
  Configures guest user SMS notification content. Configures the content of the SMS sent to the guest user notifying the pass code (should not exceed 1024 characters).
  <LINE>   Specify the message content. When entering the message, use the following tags:
           GM-NAME for the guest user's name
           GM_PASSCODE for the pass code
           For example: Dear GM_NAME, your internet access pass code is GM_PASSCODE.

Example
nx9500-6C8809(config-guest-management-test)#sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell
nx9500-6C8809(config-guest-management-test)#sms message Dear guest1, Your passcode for internet access is GM-guest1
nx9500-6C8809(config-guest-management-test)#show context
guest-management test
 email host 192.168.13.10 sender bob@extremenetworks.com security ssl username guest1 password guest1@123
 sms host clickatell username guest1 password guest1@123 api-id test user-agent pyclickatell
 sms message Dear guest1, Your passcode for internet access is GM-guest1
nx9500-6C8809(config-guest-management-test)#
Related Commands
no   Removes the SMS settings used to send SMS to the guest user

4.1.55.2.5 sms-over-smtp
guest-management-mode commands

Configures an e-mail host server (for example: smtp.gmail.com) along with sender related credentials and the recipient gateway e-mail address to which the message is e-mailed. The gateway server converts the e-mail into SMS and sends the message to the guest user's mobile device.

When sending an e-mail, the e-mail client interacts with an SMTP server to handle the content transmission. The SMTP server on the host may have conversations with other SMTP servers to deliver the e-mail.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sms-over-smtp [host|message|subject]
sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient <EMAIL-ADDRESS>
sms-over-smtp message <LINE>
sms-over-smtp subject <LINE>

Parameters
sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>] sender <EMAIL-ADDRESS> security [none|ssl|starttls] username <USER-NAME> password <PASSWORD> recipient <EMAIL-ADDRESS>

sms-over-smtp host [<IP/HOSTNAME>|<HOST-ALIAS-NAME>]
  Configures guest user SMS over SMTP notification settings. Configures the SMS gateway server resource's IPv4 address or hostname used for guest management SMS over SMTP traffic, guest user credential validation and pass code reception. Optionally you can use an existing host alias to identify the SMS gateway server resource.
  <IP/HOSTNAME>       Specify the SMTP gateway server resource's IP address or hostname.
  <HOST-ALIAS-NAME>   Specify the host alias name (should be existing and configured). Consider providing the host as an alias. A host alias is a configuration item that maps the alias to a hostname. Once created, it can be used across different configuration modes. Wherever used, the alias is replaced by the associated hostname.

sender <EMAIL-ADDRESS>
  Configures the sender's e-mail address. The sender here is the guest user receiving the pass code. Guest users require this pass code for registering their guest e-mail credentials using SMTP.
  <EMAIL-ADDRESS>     Specify the e-mail address (should not exceed 64 characters).

security [none|ssl|starttls]
  Configures the encryption protocol used by the SMTP server when communicating the pass code.
  none       No encryption used. Use if no additional user authentication is needed beyond the required username and password combination.
  ssl        Uses SSL encryption. This is the default setting.
  starttls   Uses STARTTLS encryption.

username <USER-NAME>
  Configures a username unique to this SMTP guest management configuration. After configuring the username, specify the associated password. Ensure that the correct password is provided to receive the pass code required for registering guest user credentials with SMTP.
  <USER-NAME>   Specify the username (should not exceed 64 characters).

password <PASSWORD>
  Configures the password associated with the specified SMTP user name.
  <PASSWORD>    Specify the password (should not exceed 64 characters).

recipient <EMAIL-ADDRESS>
  Configures the e-mail recipient's e-mail address.
  <EMAIL-ADDRESS>   Specify the recipient's e-mail address (should not exceed 64 characters in length).

sms-over-smtp message <LINE>

sms-over-smtp message <LINE>
  Configures guest user SMS over SMTP notification message content. Configures the content of the SMS over SMTP sent to the guest user notifying the pass code (should not exceed 1024 characters).
  <LINE>   Specify the message content. When entering the message, use the following tags:
           GM-NAME for the guest user's name
           GM_PASSCODE for the pass code
           CR-NL to enter a new line
           For example: Dear GM_NAME, CR-NL your internet access pass code is GM_PASSCODE. CR-NL Use this access code for internet access.

sms-over-smtp subject <LINE>

sms-over-smtp subject <LINE>
  Configures guest user e-mail notification subject line content. Configures the subject line of the SMS over SMTP sent to the guest user notifying the pass code (should not exceed 100 characters).
  <LINE>   Specify the subject line content. When entering the subject line, use the following tag:
           GM-NAME for the guest user's name
           For example: GM_NAME, your internet access code

Example
nx9500-6C8809(config-guest-management-test3)#sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
 sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com
nx9500-6C8809(config-guest-management-test3)#
Related Commands
no  Removes the SMS over SMTP settings used to send SMS to the guest user
4.1.55.2.6 no
guest-management-mode commands
Removes this guest management policy's settings
Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [email|guest-database-backup|guest-database-export|sms|sms-over-smtp]
no email [host|message|subject]
no guest-database-backup enable
no guest-database-export
no gmd report-generation enable
no sms [host|message]
no sms-over-smtp [host|message|subject]
Parameters
no <PARAMETERS>
no <PARAMETERS>  Removes this guest management policy's settings based on the parameters passed
Example
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
 sms-over-smtp host test sender bob@extremenetworks.com security ssl username bob password bob@123 recipient john@extremenetworks.com
nx9500-6C8809(config-guest-management-test3)#
nx9500-6C8809(config-guest-management-test)#no sms-over-smtp host
nx9500-6C8809(config-guest-management-test3)#show context
guest-management test3
nx9500-6C8809(config-guest-management-test3)#
4.1.56 host
Global Configuration Commands
Enters the configuration context of a remote device using its hostname
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
host <DEVICE-NAME>
Parameters
host <DEVICE-NAME>
<DEVICE-NAME>  Specify the device's hostname. All discovered devices are displayed when Tab is pressed to auto-complete this command.
Example
rfs4000-229D58(config)#host rfs4000-229D58
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
4.1.57 inline-password-encryption
Global Configuration Commands
Stores the encryption key in the startup configuration file
By default, the encryption key is not stored in the startup-config file. Use the inline-password-encryption command to move the encrypted key to the startup-config file. This command uses the master key to encrypt the password, then moves it to the startup-config file.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
inline-password-encryption
Parameters
None
Usage Guidelines
When the configuration file is imported to a different device, it first decrypts the encryption key using the default key and then decrypts the rest of the configuration using the administrator-configured encryption key.
Example
The following command uses the specified password as the encryption key and stores it outside of startup-config:
rfs6000-81742D(config)#password-encryption secret 2 12345678
rfs6000-81742D(config)#commit write memory
The following command moves the same password to the startup-config and encrypts it with the master key:
rfs6000-81742D(config)#inline-password-encryption
Related Commands
no  Disables storing of the encryption key in the startup configuration file
password-encryption  Enables password encryption
4.1.58 ip
Global Configuration Commands
Creates an IP access control list (ACL) and/or an SNMP IP ACL
Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ip [access-list|snmp-access-list]
ip access-list <IP-ACL-NAME>
ip snmp-access-list <IP-SNMP-ACL-NAME>
Parameters
ip access-list <IP-ACL-NAME>
access-list <IP-ACL-NAME>  Creates an IP ACL and enters its configuration mode
  <IP-ACL-NAME>  Specify the ACL name. If the access list does not exist, it is created.
ip snmp-access-list <IP-SNMP-ACL-NAME>
snmp-access-list <IP-SNMP-ACL-NAME>  Creates an SNMP IP ACL and enters its configuration mode. An SNMP IP ACL is an access control mechanism that uses a combination of an IP ACL and an SNMP community string. SNMP performs network management functions using a data structure called a Management Information Base (MIB). SNMP is widely implemented but not very secure, since it uses only plain-text community strings for accessing controller or service platform configuration files. Use SNMP ACLs (firewalls) to help reduce SNMP's vulnerabilities, as SNMP traffic can be easily exploited to produce a denial of service (DoS).
  <IP-SNMP-ACL-NAME>  Specify the SNMP IP ACL name. If the access list does not exist, it is created. After creating the SNMP ACL, define the deny/permit rules based on the network and/or host IP addresses. Once created and configured, link this SNMP IP ACL with an SNMP community string. To link the SNMP community string with the SNMP IP ACL, in the management-policy-config-mode, use the following command: snmp-server > community <COMMUNITY-STRING> > [ro|rw] > ip-snmp-access-list <IP-SNMP-ACL-NAME>.
Example
rfs6000-81742D(config)#ip access-list test
rfs6000-81742D(config-ip-acl-test)#?
ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-ip-acl-test)#
rfs6000-81742D(config)#ip snmp-access-list SNMPAcl
rfs6000-81742D(config-ip-snmp-acl-SNMPAcl)#?
SNMP ACL Configuration commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-81742D(config-ip-snmp-acl-SNMPAcl)#
Related Commands
no  Removes an IP access control list
NOTE: For more information on access control lists, see Chapter 11, ACCESS-LIST.
4.1.59 ipv6
Global Configuration Commands
Creates an IPv6 ACL
An IPv6 ACL defines a set of rules that filter IPv6 packets flowing through a port or interface. Each rule specifies the action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ipv6 access-list <IPv6-ACL-NAME>
Parameters
ipv6 access-list <IPv6-ACL-NAME>
access-list <IPv6-ACL-NAME>  Configures an IPv6 access list and enters its configuration mode
  <IPv6-ACL-NAME>  Specify the IPv6 ACL name. If the access list does not exist, it is created.
Example
rfs4000-229D58(config)#ipv6 access-list IPv6ACLTest
rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#?
IPv6 Access Control Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs4000-229D58(config-ipv6-acl-IPv6ACLTest)#
Related Commands
no  Removes an IPv6 access control list
NOTE: For more information on access control lists, see Chapter 11, ACCESS-LIST.
4.1.60 ipv6-router-advertisement-policy
Global Configuration Commands
The following table lists the IPv6 router advertisement (RA) policy configuration commands:
Table 4.37 IPv6-Router-Advertisement-Policy-Config Commands
Command  Description  Reference
ipv6-router-advertisement-policy  Creates a new IPv6 RA policy and enters its configuration mode  page 4-303
ipv6-router-advertisement-policy-mode commands  Summarizes the IPv6 RA policy configuration mode commands  page 4-305
4.1.60.1 ipv6-router-advertisement-policy
ipv6-router-advertisement-policy
Creates an IPv6 RA policy and enters its configuration mode
An IPv6 router advertisement policy allows routers to advertise their presence in response to solicitation messages. After receiving a neighbor solicitation message, the destination node sends an advertisement message, which includes the link layer address of the source node. After receiving the advertisement, the destination device replies with a neighbor advertisement message on the local link. After the source receives the advertisement it can communicate with other devices. Advertisement messages are also sent to indicate a change in the link layer address of a node on the local link. With such a change, the multicast address becomes the destination address for advertisement messages.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ipv6-router-advertisement-policy <POLICY-NAME>
Parameters
ipv6-router-advertisement-policy <POLICY-NAME>
ipv6-router-advertisement-policy <POLICY-NAME>  Specify an IPv6 RA policy name. If the policy does not exist, it is created.
Example
rfs4000-229D58(config)#ipv6-router-advertisement-policy test
rfs4000-229D58(config-ipv6-radv-policy-test)#?
IPv6 Router Advertisement Policy Mode commands:
  advertise                        Option to advertise in router advertisement
  assist-neighbor-discovery        Send the Source Link Layer address option in Router Advertisement to assist in neighbor discovery
  check-ra-consistency             Check if the parameters advertised by other routers on the link are in conflict with those configured on this router. Conflicts are logged.
  dns-server                       DNS Server
  domain-name                      Configure domain-name
  managed-config-flag              Set the managed-address-configuration flag in Router Advertisements. When set, it indicates that the addresses are available via DHCPv6
  nd-reachable-time                Time that a node assumes a neighbor is reachable after having received a reachability confirmation
  no                               Negate a command or set its defaults
  ns-interval                      Time between retransmitted Neighbor Solicitation messages
  other-config-flag                Set the other-configuration flag in Router Advertisements. When set, it indicates that other configuration information is available via DHCPv6.
  ra                               Router Advertisements
  router-lifetime                  Lifetime associated with the default router
  router-preference                Preference of this router over other routers
  unicast-solicited-advertisement  Unicast the solicited Router Advertisements
  clrscr                           Clears the display screen
  commit                           Commit all changes made in this session
  do                               Run commands from Exec mode
  end                              End current mode and change to EXEC mode
  exit                             End current mode and down to previous mode
  help                             Description of the interactive help system
  revert                           Revert changes
  service                          Service Commands
  show                             Show running system information
  write                            Write running configuration to memory or terminal
rfs4000-229D58(config-ipv6-radv-policy-test)#
Related Commands
no  Removes the specified IPv6 RA policy
4.1.60.2 ipv6-router-advertisement-policy-mode commands
ipv6-router-advertisement-policy
The following table summarizes the IPv6 router advertisement policy configuration commands:
Table 4.38 IPv6-Router-Advertisement-Policy-Config-Mode Commands
Command  Description  Reference
advertise  Enables advertisement of IPv6 maximum transmission unit (MTU) and hop-count value in RAs  page 4-306
assist-neighbor-discovery  Enables advertisement of the source link layer address in RAs  page 4-307
check-ra-consistency  Enables checking of consistency in RA values advertised by this router with those advertised by other routers, if any, on the same link  page 4-308
dns-server  Configures the DNS server's IPv6 address and lifetime advertised in RAs  page 4-309
domain-name  Configures the domain name search label advertised in RAs  page 4-310
managed-config-flag  Sets the managed address configuration flag in RAs  page 4-311
nd-reachable-time  Enables advertisement of neighbor reachable time in RAs  page 4-312
no  Removes or reverts router advertisement policy settings  page 4-313
ns-interval  Configures the interval between two successive retransmitted neighbor solicitation (NS) messages  page 4-314
other-config-flag  Sets the other-configuration flag in RAs  page 4-315
ra  Configures RA related parameters, such as the interval between two unsolicited successive RAs  page 4-316
router-lifetime  Configures the default router's lifetime, in seconds, advertised in RAs  page 4-317
router-preference  Configures the router preference field value advertised in RAs  page 4-318
unicast-solicited-advertisement  Enables unicasting of solicited RAs  page 4-319
4.1.60.2.1 advertise
ipv6-router-advertisement-policy-mode commands
Enables advertisement of IPv6 MTU and hop-count value in RAs
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
advertise [hop-limit|mtu]
Parameters
advertise [hop-limit|mtu]
advertise [hop-limit|mtu]  Enables advertisement of the IPv6 MTU and hop-count value in RAs. Both these features are disabled by default.
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#advertise hop-limit
rfs6000-81742D(config-ipv6-radv-policy-test)#advertise mtu
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no  Disables advertisement of IPv6 MTU and hop-count value in RAs
4.1.60.2.2 assist-neighbor-discovery
ipv6-router-advertisement-policy-mode commands
Enables advertisement of the source link layer address in RAs to facilitate neighbor discovery. This feature is enabled by default.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
assist-neighbor-discovery
Parameters
None
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#assist-neighbor-discovery
Related Commands
no  Disables the advertisement of the source link layer address in RAs
4.1.60.2.3 check-ra-consistency
ipv6-router-advertisement-policy-mode commands
Enables checking of consistency in RA values advertised by this router with those advertised by other routers, if any, on the same link. If the values advertised are inconsistent, a conflict is logged.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
check-ra-consistency
Parameters
None
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#check-ra-consistency
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 check-ra-consistency
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no  Disables comparison of interface-specific parameters advertised by other routers, within the link, with those advertised by this router
4.1.60.2.4 dns-server
ipv6-router-advertisement-policy-mode commands
Configures the DNS server's IPv6 address and lifetime. The configured values are advertised in RAs.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}
Parameters
dns-server <IPv6> {lifetime [<4-3600>|expired|infinite]}
dns-server <IPv6>  Configures the DNS server's IPv6 address. Enables the use of a DNS server to resolve host names to IPv6 addresses. When an IPv6 host is configured with the address of a DNS server, the host sends DNS name queries to the server for resolution.
  <IPv6>  Specify the DNS server's address. This address is advertised in RAs. A maximum of four (4) entries can be made per policy.
lifetime [<4-3600>|expired|infinite]  Optional. Configures the lifetime of the DNS server identified by the <IPv6> parameter
  <4-3600>  Configures a lifetime in seconds. Specify a value from 4 - 3600 seconds. The default is 600 seconds.
  expired  Advertises that this DNS server's lifetime has expired and it should not be used
  infinite  Advertises that this DNS server's lifetime is infinite
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#dns-server 2002::2 lifetime 3000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no  Removes the DNS server settings advertised in RAs. Once removed, these values are not advertised in RAs.
4.1.60.2.5 domain-name
ipv6-router-advertisement-policy-mode commands
Configures the domain name search label advertised in RAs
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}
Parameters
domain-name <WORD> {lifetime [<4-3600>|expired|infinite]}
domain-name <WORD>  Configures the domain name search label advertised in RAs. Enter a fully qualified domain name (FQDN), which is an unambiguous domain name available in a router advertisement resource. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com.
  <WORD>  Specify the domain name search label. A maximum of four (4) entries can be made per policy.
lifetime [<4-3600>|expired|infinite]  Optional. Configures the domain name search label's lifetime
  <4-3600>  Configures a lifetime in seconds. Specify a value from 4 - 3600 seconds. The default is 600 seconds.
  expired  Advertises that this domain name search label's lifetime has expired and it should not be used
  infinite  Advertises that this domain name search label's lifetime is infinite
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no  Removes the domain name settings advertised in RAs. Once removed, these values are not advertised in RAs.
4.1.60.2.6 managed-config-flag
ipv6-router-advertisement-policy-mode commands
Sets the managed address configuration flag in RAs. When set, it indicates that IPv6 addresses are available through DHCPv6. This feature is disabled by default.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
managed-config-flag
Parameters
None
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#managed-config-flag
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no  Removes the managed address configuration flag advertised in RAs
4.1.60.2.7 nd-reachable-time
ipv6-router-advertisement-policy-mode commands
Enables advertisement of the neighbor discovery reachable time in RAs. This feature is disabled by default.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
nd-reachable-time [<5000-3600000>|global]
Parameters
nd-reachable-time [<5000-3600000>|global]
nd-reachable-time [<5000-3600000>|global]  Configures the interval, in milliseconds, for which a node assumes a neighbor is reachable after receiving a reachability confirmation from the neighbor. Therefore, a neighbor is reachable, after being discovered, for the period specified here. This value is advertised in RAs. Use one of the following options:
  <5000-3600000>  Configures an interface-specific value. Specify a value from 5000 - 3600000 milliseconds. The default is 5000 milliseconds.
  global  Advertises the neighbor reachable time configured for the system. This is the value configured in the device configuration mode. For more information, see use.
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#nd-reachable-time 6000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 nd-reachable-time 6000
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no  Disables advertisement of neighbor reachable time in RAs
4.1.60.2.8 no
ipv6-router-advertisement-policy-mode commands
Removes or reverts router advertisement policy settings. Use the no command to remove or revert the interface-specific parameters that are advertised by the link router.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [advertise [hop-limit|mtu]|assist-neighbor-discovery|check-ra-consistency|dns-server <IPv6>|domain-name <WORD>|managed-config-flag|nd-reachable-time|ns-interval|other-config-flag|ra [interval|suppress]|router-lifetime|unicast-solicited-advertisement]
Parameters
no <PARAMETERS>
no <PARAMETERS>  Removes or reverts this IPv6 router advertisement policy's settings based on the parameters passed
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 nd-reachable-time global
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
rfs6000-81742D(config-ipv6-radv-policy-test)#no managed-config-flag
rfs6000-81742D(config-ipv6-radv-policy-test)#no nd-reachable-time
rfs6000-81742D(config-ipv6-radv-policy-test)#no check-ra-consistency
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 advertise mtu
 advertise hop-limit
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
4.1.60.2.9 ns-interval
ipv6-router-advertisement-policy-mode commands
Configures the neighbor solicitation (NS) retransmit timer value advertised in RAs. This is the interval between two successive NS messages. When specified, it enables the sending of the specified value in RAs. This feature is disabled by default.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ns-interval [<1000-3600000>|global]
Parameters
ns-interval [<1000-3600000>|global]
ns-interval [<1000-3600000>|global]  Configures the NS interval advertised in RAs. Use one of the following options:
  <1000-3600000>  Specify a value from 1000 - 3600000 milliseconds. The default is 1000 milliseconds.
  global  Advertises the NS interval configured for the system. This is configured on the device in the device configuration mode. For more information, see ipv6.
Example
rfs6000-81742D(config-ipv6-radv-policy-test)#ns-interval 3000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 managed-config-flag
 nd-reachable-time global
 ns-interval 3000
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no  Disables advertisement of the NS interval in RAs
4.1.60.2.10 other-config-flag
ipv6-router-advertisement-policy-mode commands
Sets the other-configuration flag in RAs. When set, it indicates that other configuration details, such as DNS-related information, are available through DHCPv6. This feature is enabled by default.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax other-config-flag Parameters None Example rfs6000-81742D(config-ipv6-radv-policy-test)#other-config-flag Related Commands no Removes the other-config-flag advertised on RAs Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 315 GLOBAL CONFIGURATION COMMANDS 4.1.60.2.11 ra ipv6-router-advertisement-policy-mode commands Configures RA related parameters, such as the interval between two unsolicited successive RAs. It also allows suppression of RAs. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax ra [interval <3-1800>|suppress]
Parameters ra [interval <3-1800>|suppress]
interval <3-1800>
suppress Configures the interval, in seconds, between two unsolicited successive RAs
<3-1800> Specify a value from 3 - 1800 seconds. The default is 300 seconds. The router-lifetime should be at least three times the specified router interval. Enables the suppression of RAs. When enabled, the transmission of RAs in IPv6 packets is suppressed. This option is disabled by default. The no > ra > suppress command enables the sending of RAs. Example rfs6000-81742D(config-ipv6-radv-policy-test)#ra interval 200 rfs6000-81742D(config-ipv6-radv-policy-test)#ra suppress rfs6000-81742D(config-ipv6-radv-policy-test)#show context ipv6-router-advertisement-policy test ra suppress ra interval 200 managed-config-flag nd-reachable-time global advertise mtu advertise hop-limit check-ra-consistency dns-server 2002::2 lifetime 3000 domain-name TechPubs lifetime infinite rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no    Removes the RA interval, and enables the sending of RAs

4.1.60.2.12 router-lifetime
ipv6-router-advertisement-policy-mode commands

Configures the default router's lifetime, in seconds, advertised in RAs

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
router-lifetime <0-9000>

Parameters
router-lifetime <0-9000>

router-lifetime <0-9000>    Configures the default router's lifetime
                            <0-9000>    Specify a value from 0 - 9000 seconds. The default value is 1500 seconds. A value of 0 indicates that this router is not the default router.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#router-lifetime 2000
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no    Removes the default router's lifetime

4.1.60.2.13 router-preference
ipv6-router-advertisement-policy-mode commands

Configures the router preference field value advertised in RAs. The options are high, medium, and low. Hosts use this value to prioritize and select the default router when multiple routers are discovered on the link.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
router-preference [high|medium|low]

Parameters
router-preference [high|medium|low]

router-preference [high|medium|low]    Sets this router's preference, over other routers on the link, to be the default router. The options are high, low, and medium. The default value is medium. Take the following points into consideration when configuring router preference:
                                       For a router to be selected as a default router, its router-lifetime must not be 0.
                                       To enable default router selection using the router information contained in RAs, configure default router selection on that interface.

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#router-preference high
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 router-preference high
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
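The ra, router-lifetime and router-preference settings above interact: the guide says the router lifetime should be at least three times the RA interval, that a router advertising lifetime 0 is never chosen as default router (so its preference is irrelevant), and that ra suppress stops this device from advertising at all. The following Python script is an added example, not code from this guide or from the vendor: it parses an ipv6-router-advertisement-policy block in the form that show context prints above and reports settings that break those rules. The sample block is constructed from the guide's own example, the defaults (300 s interval, 1500 s lifetime, medium preference) are the ones stated in the parameter tables, and the function names and finding strings are this example's own.

```python
"""Lint a WiNG ipv6-router-advertisement-policy block as printed by 'show context'.

Added example, not code from the CLI reference guide or the vendor. It assumes
the block is plain text with one keyword per line, as in the guide's examples.
"""
import re

RA_INTERVAL_DEFAULT = 300       # seconds, default of 'ra interval'
ROUTER_LIFETIME_DEFAULT = 1500  # seconds, default of 'router-lifetime'
ROUTER_PREF_DEFAULT = "medium"  # default of 'router-preference'

# Constructed sample: the context the guide prints after 'router-preference high'
SAMPLE_CONTEXT = """\
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 router-preference high
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
"""


def parse_policy(context: str) -> dict:
    """Return the RA settings that affect default-router selection."""
    policy = {
        "name": None,
        "ra_interval": RA_INTERVAL_DEFAULT,
        "ra_suppress": False,
        "router_lifetime": ROUTER_LIFETIME_DEFAULT,
        "router_preference": ROUTER_PREF_DEFAULT,
        "unicast_solicited": False,
    }
    for raw in context.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"ipv6-router-advertisement-policy (\S+)", line):
            policy["name"] = m.group(1)
        elif m := re.fullmatch(r"ra interval (\d+)", line):
            policy["ra_interval"] = int(m.group(1))
        elif line == "ra suppress":
            policy["ra_suppress"] = True
        elif m := re.fullmatch(r"router-lifetime (\d+)", line):
            policy["router_lifetime"] = int(m.group(1))
        elif m := re.fullmatch(r"router-preference (high|medium|low)", line):
            policy["router_preference"] = m.group(1)
        elif line == "unicast-solicited-advertisement":
            policy["unicast_solicited"] = True
    return policy


def lint_policy(policy: dict) -> list:
    """Apply the range and consistency rules the guide states for these commands."""
    findings = []
    interval, lifetime = policy["ra_interval"], policy["router_lifetime"]
    if not 3 <= interval <= 1800:
        findings.append(f"ra interval {interval} outside 3-1800")
    if not 0 <= lifetime <= 9000:
        findings.append(f"router-lifetime {lifetime} outside 0-9000")
    # Guide: router lifetime should be at least three times the RA interval;
    # a smaller lifetime lets hosts drop the default route when RAs are lost.
    if lifetime != 0 and lifetime < 3 * interval:
        findings.append(f"router-lifetime {lifetime} < 3 * ra interval {interval}")
    # Guide: lifetime 0 means "not a default router", so preference has no effect.
    if lifetime == 0 and policy["router_preference"] != ROUTER_PREF_DEFAULT:
        findings.append("router-preference is ignored while router-lifetime is 0")
    if policy["ra_suppress"]:
        findings.append("ra suppress is set: this device sends no RAs at all")
    return findings


if __name__ == "__main__":
    policy = parse_policy(SAMPLE_CONTEXT)
    for finding in lint_policy(policy):
        print(f"{policy['name']}: {finding}")
```

Run against the guide's example block the script reports only the active ra suppress; feed it a block with, say, ra interval 1000 and the default lifetime and it flags the lifetime as too short for the interval.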
4.1.60.2.14 unicast-solicited-advertisement
ipv6-router-advertisement-policy-mode commands

Enables unicasting of solicited RAs. This feature is disabled by default.

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
unicast-solicited-advertisement

Parameters
None

Example
rfs6000-81742D(config-ipv6-radv-policy-test)#unicast-solicited-advertisement
rfs6000-81742D(config-ipv6-radv-policy-test)#show context
ipv6-router-advertisement-policy test
 ra suppress
 ra interval 200
 unicast-solicited-advertisement
 managed-config-flag
 nd-reachable-time global
 router-lifetime 2000
 advertise mtu
 advertise hop-limit
 router-preference high
 check-ra-consistency
 dns-server 2002::2 lifetime 3000
 domain-name TechPubs lifetime infinite
rfs6000-81742D(config-ipv6-radv-policy-test)#
Related Commands
no    Disables unicasting of solicited RAs

4.1.61 l2tpv3
Global Configuration Commands

Configures a Layer 2 Tunnel Protocol Version 3 (L2TPv3) tunnel policy, used to create one or more L2TPv3 tunnels.

The L2TPv3 policy defines the control and encapsulation parameters needed for tunneling layer 2 frames between two IP nodes. This policy enables creation of L2TPv3 tunnels for transporting Ethernet frames between bridge VLANs and physical GE ports. L2TPv3 tunnels can be created to devices from any vendor that supports the L2TPv3 protocol. Note that L2TPv3 itself neither encrypts nor authenticates the tunneled frames; the cookie configured with cookie-size only lets the receiver reject data messages that do not carry the session's cookie, so a tunnel that crosses an untrusted network needs separate protection (for example an IPsec transport between the endpoints).

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
l2tpv3 policy <L2TPV3-POLICY-NAME>

Parameters
l2tpv3 policy <L2TPV3-POLICY-NAME>

l2tpv3 policy <L2TPV3-POLICY-NAME>    Configures an L2TPv3 tunnel policy
                                      <L2TPV3-POLICY-NAME>    Specify a policy name. The policy is created if it does not exist. To modify an existing L2TPv3 policy, specify its name.

Example
rfs6000-81742D(config)#l2tpv3 policy L2TPV3Policy1
rfs6000-81742D(config-l2tpv3-policy-L2TPV3Policy1)#?
L2tpv3 Policy Mode commands:
  cookie-size             Size of the cookie field present in each l2tpv3 data message
  failover-delay          Time interval for re-establishing the tunnel after the failover (RF-Domain manager/VRRP-master/Cluster-master failover)
  force-l2-path-recovery  Enables force learning of servers, gateways etc., behind the l2tpv3 tunnel when the tunnel is established
  hello-interval          Configure the time interval (in seconds) between l2tpv3 Hello keep-alive messages exchanged in l2tpv3 control connection
  no                      Negate a command or set its defaults
  reconnect-attempts      Maximum number of attempts to reestablish the tunnel.
  reconnect-interval      Time interval between the successive attempts to reestablish the l2tpv3 tunnel
  retry-attempts          Configure the maximum number of retransmissions for signaling message
  retry-interval          Time interval (in seconds) before the initiating a retransmission of any l2tpv3 signaling message
  rx-window-size          Number of signaling messages that can be received without sending the acknowledgement
  tx-window-size          Number of signaling messages that can be sent without receiving the acknowledgement

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-81742D(config-l2tpv3-policy-L2TPV3Policy1)#
Related Commands
no             Removes an existing L2TPv3 tunnel policy
mint-policy    Configures the global MiNT policy

NOTE: For more information on the L2TPv3 tunnel configuration mode and commands, see Chapter 22, L2TPV3-POLICY.

4.1.62 mac
Global Configuration Commands

Configures a MAC ACL

Access lists define access permissions to the network using a set of rules. Each rule specifies an action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac access-list <MAC-ACL-NAME>

Parameters
mac access-list <MAC-ACL-NAME>

access-list <MAC-ACL-NAME>    Configures a MAC access control list
                              <MAC-ACL-NAME>    Specify the MAC ACL name. If the access control list does not exist, it is created.

Example
rfs6000-81742D(config)#mac access-list test
rfs6000-81742D(config-mac-acl-test)#?
MAC Extended ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81742D(config-mac-acl-test)#
Related Commands
no    Removes a MAC access control list

NOTE: For more information on MAC access control lists, see Chapter 11, ACCESS-LIST.

4.1.63 management-policy
Global Configuration Commands

Configures a management policy. Management policies include the management services that run on a device (SSH, HTTPS, Telnet, FTP, HTTP, SNMP and the REST server), welcome messages, banners, login lockout, and management access restrictions. Of the services listed in this mode, telnet, ftp and http carry credentials and configuration in cleartext; a hardened policy enables only ssh and https, sets passwd-retry so that repeated login failures lock the account, and uses restrict-access to limit the hosts allowed to reach the management plane.

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
management-policy <MANAGEMENT-POLICY-NAME>
Parameters
management-policy <MANAGEMENT-POLICY-NAME>

<MANAGEMENT-POLICY-NAME>    Specify the management policy name. If the policy does not exist, it is created.

Example
<DEVICE>(config)#management-policy test
<DEVICE>(config-management-policy-test)#?
Management Mode commands:
  aaa-login                Set authentication for logins
  allowed-locations        Add allowed locations
  banner                   Define a login banner
  ftp                      Enable FTP server
  http                     Hyper Text Terminal Protocol (HTTP)
  https                    Secure HTTP
  idle-session-timeout     Configure idle timeout for a configuration session (GUI or CLI)
  ipv6                     IPv6 Protocol
  no                       Negate a command or set its defaults
  passwd-retry             Lockout user if too many consecutive login failures
  privilege-mode-password  Set the password for entering CLI privilege mode
  rest-server              Enable rest server for device on-boarding functionality
  restrict-access          Restrict management access to the device
  snmp-server              SNMP
  ssh                      Enable ssh
  t5                       T5 configuration
  telnet                   Enable telnet
  user                     Add a user account

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

<DEVICE>(config-management-policy-test)#
Related Commands
no    Removes an existing management policy

NOTE: For more information on Management policy configuration, see Chapter 15, MANAGEMENT-POLICY.

4.1.64 meshpoint
Global Configuration Commands

Creates a new meshpoint and enters its configuration mode. Use this command to select and configure existing meshpoints.

Supported in the following platforms:

Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
meshpoint [<MESHPOINT-NAME>|containing <WORD>]
Parameters
meshpoint [<MESHPOINT-NAME>|containing <WORD>]

<MESHPOINT-NAME>     Specify the meshpoint name. If the meshpoint does not exist, it is created.
containing <WORD>    Selects existing meshpoints containing the sub-string <WORD> in their names

Example
rfs6000-81742D(config)#meshpoint TestMeshpoint
rfs6000-81742D(config-meshpoint-TestMeshpoint)#?
Mesh Point Mode commands:
  allowed-vlans  Set the allowed VLANs
  beacon-format  The beacon format of this meshpoint
  control-vlan   VLAN for meshpoint control traffic
  data-rates     Specify the 802.11 rates to be supported on this meshpoint
  description    Configure a description of the usage of this meshpoint
  force          Force suboptimal paths
  meshid         Configure the Service Set Identifier for this meshpoint
  neighbor       Configure neighbor specific parameters
  no             Negate a command or set its defaults
  root           Set this meshpoint as root
  security-mode  The security mode of this meshpoint
  shutdown       Shutdown this meshpoint
  use            Set setting to use
  wpa2           Modify ccmp wpa2 related parameters

  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal

rfs6000-81742D(config-meshpoint-TestMeshpoint)#
Related Commands
no    Removes an existing meshpoint

NOTE: For more information on Meshpoint configuration, see Chapter 26, MESHPOINT.

4.1.65 meshpoint-qos-policy
Global Configuration Commands

Configures a set of parameters that defines the meshpoint quality of service (QoS) policy

Supported in the following platforms:

Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>
Parameters
meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>

<MESHPOINT-QOS-POLICY-NAME>    Specify the meshpoint QoS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#meshpoint-qos-policy TestMeshpointQoS
rfs6000-81742D(config-meshpoint-qos-TestMeshpointQoS)#?
Mesh Point QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address and forwarding QoS classification
  no                     Negate a command or set its defaults
  rate-limit             Configure traffic rate-limiting parameters on a per-meshpoint/per-neighbor basis

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs6000-81742D(config-meshpoint-qos-TestMeshpointQoS)#
Related Commands
no    Removes an existing meshpoint QoS policy

NOTE: For more information on Meshpoint QoS policy configuration, see Chapter 26, MESHPOINT.

4.1.66 mint-policy
Global Configuration Commands

Configures the global MiNT policy

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mint-policy global-default

Parameters
mint-policy global-default

global-default    Configures the global default MiNT policy

Example
rfs6000-81742D(config)#mint-policy global-default
rfs6000-81742D(config-mint-policy-global-default)#?
Mint Policy Mode commands:
  level    Mint routing level
  lsp      LSP
  mtu      Configure the global Mint MTU
  no       Negate a command or set its defaults
  router   Mint router
  udp      Configure mint UDP/IP encapsulation

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81742D(config-mint-policy-global-default)#
Related Commands
no    Removes an existing MiNT policy

NOTE: For more information on MiNT policy configuration, see Chapter 14, MINT-POLICY.

4.1.67 nac-list
Global Configuration Commands

A Network Access Control (NAC) list configures the devices subject to NAC enforcement on a network, identified by their MAC addresses. Because a client can present any MAC address it chooses, a NAC list is an inventory control, not an authentication mechanism; it decides which clients are put through enforcement, it does not prove who they are.

The following table lists NAC list configuration mode commands:

Table 4.39 NAC-List Config Command

Command                    Description                                                  Reference
nac-list                   Creates a NAC list and enters its configuration mode         page 4-330
nac-list-mode commands     Summarizes NAC list configuration mode commands              page 4-331

4.1.67.1 nac-list
nac-list

Configures a NAC list that manages access to the network

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nac-list <NAC-LIST-NAME>
Parameters
nac-list <NAC-LIST-NAME>

<NAC-LIST-NAME>    Specify the NAC list name. If the NAC list does not exist, it is created.

Example
rfs6000-81742D(config)#nac-list test
rfs6000-81742D(config-nac-list-test)#?
NAC List Mode commands:
  exclude  Specify MAC addresses to be excluded from the NAC enforcement list
  include  Specify MAC addresses to be included in the NAC enforcement list
  no       Negate a command or set its defaults

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81742D(config-nac-list-test)#
Related Commands
no    Removes a NAC list

4.1.67.2 nac-list-mode commands
nac-list

The following table summarizes NAC list configuration mode commands:

Table 4.40 NAC-List-Mode Commands

Command    Description                                                        Reference
exclude    Specifies the MAC addresses excluded from the NAC enforcement list  page 4-332
include    Specifies the MAC addresses included in the NAC enforcement list    page 4-333
no         Cancels an exclude or include NAC list rule                         page 4-334

4.1.67.2.1 exclude
nac-list-mode commands

Specifies the MAC addresses excluded from the NAC enforcement list

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]
Parameters
exclude <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

<START-MAC>          Specifies a range of MAC addresses, or a single MAC address, to exclude from the NAC enforcement list
                     <START-MAC>    Specify the first MAC address in the range. Use this parameter alone to specify a single MAC address.
<END-MAC>            Specifies the last MAC address in the range (optional if a single MAC is added to the list)
                     <END-MAC>    Specify the last MAC address in the range.
precedence <1-1000>  Sets the rule precedence. Exclude entries are checked in the order of their rule precedence.
                     <1-1000>    Specify a value from 1 - 1000.

Example
rfs6000-81742D(config-nac-list-test)#exclude 00-40-96-B0-BA-2A precedence 1
rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 exclude 00-40-96-B0-BA-2A 00-40-96-B0-BA-2A precedence 1
rfs6000-81742D(config-nac-list-test)#
4.1.67.2.2 include
nac-list-mode commands

Specifies the MAC addresses included in the NAC enforcement list

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]
Parameters
include <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

<START-MAC>          Specifies a range of MAC addresses, or a single MAC address, to include in the NAC enforcement list
                     <START-MAC>    Specify the first MAC address in the range. Use this parameter alone to specify a single MAC address.
<END-MAC>            Specifies the last MAC address in the range (optional if a single MAC is added to the list)
                     <END-MAC>    Specify the last MAC address in the range.
precedence <1-1000>  Sets the rule precedence. Include entries are checked in the order of their rule precedence.
                     <1-1000>    Specify a value from 1 - 1000.

Example
rfs6000-81742D(config-nac-list-test)#include 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 exclude 00-40-96-B0-BA-2A 00-40-96-B0-BA-2A precedence 1
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#
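The exclude and include commands above each take a single MAC or a start/end range plus a precedence, and the guide states that entries are checked in precedence order. The following Python script is an added example, not code from this guide or from the vendor: it parses a nac-list block in the form show context prints above, orders the rules by precedence, and reports which rule a given client MAC hits. The sample block is constructed from the guide's exclude and include examples plus one range rule of this example's own; the first-matching-rule semantics, the acceptance of colon- and dot-separated MAC formats, and the tolerance for a reversed range are assumptions made for illustration, not behaviour the guide documents.

```python
"""Evaluate a WiNG nac-list block as printed by 'show context'.

Added example, not code from the CLI reference guide or the vendor. It assumes
one rule per line in the form
    exclude|include <START-MAC> <END-MAC> precedence <1-1000>
and that the first rule (in precedence order) whose range covers a MAC decides.
"""
import re

MAC_RE = r"([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})"
RULE_RE = re.compile(rf"^(exclude|include)\s+{MAC_RE}\s+{MAC_RE}\s+precedence\s+(\d+)$")

# Constructed sample: the guide's exclude and include examples plus an OUI-wide range
SAMPLE_CONTEXT = """\
nac-list test
 exclude 00-40-96-B0-BA-2A 00-40-96-B0-BA-2A precedence 1
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
 include 00-15-70-00-00-00 00-15-70-FF-FF-FF precedence 10
"""


def mac_to_int(mac: str) -> int:
    """Accept AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF or AABB.CCDD.EEFF; return the 48-bit value."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def parse_nac_list(context: str) -> list:
    """Return (precedence, action, low, high) tuples sorted by precedence."""
    rules = []
    for raw in context.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # the 'nac-list <name>' header and anything unrecognised
        action, start, end, prec = m.groups()
        prec = int(prec)
        if not 1 <= prec <= 1000:
            raise ValueError(f"precedence {prec} outside 1-1000")
        # Tolerate a reversed range (assumption): normalise to low <= high.
        low, high = sorted((mac_to_int(start), mac_to_int(end)))
        rules.append((prec, action, low, high))
    rules.sort()  # guide: entries are checked in the order of their precedence
    return rules


def nac_action(rules: list, mac: str) -> str:
    """Return 'exclude', 'include' or 'unlisted' from the first rule whose range covers mac."""
    value = mac_to_int(mac)
    for _prec, action, low, high in rules:
        if low <= value <= high:
            return action
    return "unlisted"


if __name__ == "__main__":
    rules = parse_nac_list(SAMPLE_CONTEXT)
    for client in ("00-40-96-B0-BA-2A", "00-15-70-38-06-49", "00:15:70:AA:BB:CC", "00-15-71-00-00-00"):
        print(f"{client} -> {nac_action(rules, client)}")
```

The single-address rules compile to ranges whose start and end are equal, which is exactly how the device echoes them back in show context; the lower-numbered single-host include at precedence 2 is hit before the OUI-wide range at precedence 10 even though both cover that address.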
4.1.67.2.3 no
nac-list-mode commands

Cancels an exclude or include NAC list rule

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [exclude|include]
no [exclude|include] <START-MAC> [<END-MAC> precedence <1-1000>|precedence <1-1000>]

Parameters
no <PARAMETERS>

no <PARAMETERS>    Removes or reverts this NAC list's settings based on the parameters passed

Example
The following example shows the NAC list test settings before the no command is executed:

rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 exclude 00-40-96-B0-BA-2A 00-40-96-B0-BA-2A precedence 1
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#

rfs6000-81742D(config-nac-list-test)#no exclude 00-40-96-B0-BA-2A precedence 1

The following example shows the NAC list test settings after the no command is executed:

rfs6000-81742D(config-nac-list-test)#show context
nac-list test
 include 00-15-70-38-06-49 00-15-70-38-06-49 precedence 2
rfs6000-81742D(config-nac-list-test)#
Related Commands
exclude    Specifies MAC addresses excluded from the NAC enforcement list
include    Specifies MAC addresses included in the NAC enforcement list

4.1.68 no
Global Configuration Commands

Negates a command, or reverts configured settings to their default

Supported in the following platforms:

Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [aaa-policy|aaa-tacacs-policy|alias|ap6521|ap6522|ap6532|ap6562|ap71xx|
ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|
ap8432|ap8533|nx5500|nx75xx|nx9000|nx9600|application|application-group|
application-policy|association-acl-policy|auto-provisioning-policy|bgp|bonjour-
gw-discovery-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-
policy|captive-portal|client-identity|client-identity-group|crypto-cmp-policy|
customize|database-policy|device|device-categorization|dhcp-server-policy|
dhcpv6-server-policy|dns-whitelist|event-system-policy|ex3500|
ex3500-management-policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|
ex3524|ex3548|firewall-policy|global-association-list|guest-management|
igmp-snoop-policy|inline-password-encryption|ip|ipv6|ipv6-router-advertisement-
policy|l2tpv3|mac|management-policy|meshpoint|meshpoint-qos-policy|nac-list|
nsight-policy|passpoint-policy|password-encryption|profile|radio-qos-policy|
radius-group|radius-server-policy|radius-user-pool-policy|rf-domain|rfs4000|
rfs6000|roaming-assist-policy|role-policy|route-map|routing-policy|
rtl-server-policy|schedule-policy|t5|sensor-policy|smart-rf-policy|url-filter|
url-list|vx9000|web-filter-policy|wips-policy|wlan|wlan-qos-policy|service]
no alias [address-range <ADDRESS-RANGE-ALIAS-NAME>|host <HOST-ALIAS-NAME>|network
<NETWORK-ALIAS-NAME>|network-group <NETWORK-GROUP-ALIAS-NAME> [address-
range|host|network]|network-service <NETWORK-SERVICE-ALIAS-NAME>|number <NUMBER-
ALIAS-NAME>|string <STRING-ALIAS-NAME>|vlan <VLAN-ALIAS-NAME>]
no [aaa-policy|aaa-tacacs-policy|application-policy|auto-provisioning-policy|
auto-provisioning-policy|bonjour-gw-discovery-policy|bonjour-gw-forwarding-
policy|bonjour-gw-query-forwarding-policy|database-policy|captive-portal|
crypto-cmp-policy|device-categorization|dhcp-server-policy|dhcpv6-server-policy|
dns-whitelist|event-system-policy|ex3500|ex3500-management-policy|ex3500-qos-
class-map-policy|ex3500-qos-policy|firewall-policy|global-association-list|
guest-management|igmp-snoop-policy|inline-password-encryption|ip|ipv6|
ipv6-router-advertisement-policy|l2tpv3|mac|management-policy|meshpoint|
meshpoint-qos-policy|nac-list|nsight-policy|passpoint-policy|radio-qos-policy|
radius-group|radius-server-policy|radius-user-pool-policy|roaming-assist-policy|
role-policy|routing-policy|rtl-server-policy|schedule-policy|sensor-policy|
smart-rf-policy|web-filter-policy|wips-policy|wlan-qos-policy] <POLICY-NAME>
no application <APPLICATION-NAME>
no application-group <APPLICATION-GROUP-NAME>
no [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|
ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|
rfs6000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000] <MAC>
no client-identity <CLIENT-IDENTITY-NAME>
no client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
no device {containing <WORD>} {(filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|
ap7502|ap7522|ap7532|ap7562|ap81xx|ap82xx|ap8432|ap8533|ex3524|ex3548|rfs4000|
rfs6000|t5|nx5500|nx75xx|nx9000|nx9600|vx9000])}
no customize [hostname-column-width|show-wireless-client|show-wireless-client-
stats|show-wireless-client-stats-rf|show-wireless-meshpoint|show-wireless-
meshpoint-neighbor-stats|show-wireless-meshpoint-neighbor-stats-rf|show-
wireless-radio|show-wireless-radio-stats|show-wireless-radio-stats-rf]
no password-encryption secret 2 <OLD-PASSPHRASE>
no profile {ap6521|ap6522|ap6532|ap71xx|ap7502|ap7522|ap7532|ap7562|ap81xx|
ap82xx|ap8432|ap8533|ex3524|ex3548|containing|filter|rfs4000|rfs6000|nx5500|
nx75xx|nx9000|nx9600|t5|vx9000} <PROFILE-NAME>
no wlan [<WLAN-NAME>|all|containing <WLAN-NAME-SUBSTRING>]
no service set [command-history|reboot-history|upgrade-history] {on <DEVICE-NAME>}
The following no commands are specific to the RFS4000, RFS6000, and NX95XX platforms:
no t5 <T5-DEVICE-MAC>
The following no commands are specific to the RFS4000, RFS6000, and NX95XX platforms:
no bgp [as-path-list|community-list|extcommunity-list|ip-access-list|ip-prefix-
list] <LIST-NAME>
The following no commands are specific to the NX95XX series service platforms:
no route-map <ROUTE-MAP-NAME>
The following no commands are specific to the AP6522, AP6532, AP7161, AP7502, AP7522, AP7532, AP8132, RFS4000, RFS6000 platforms:
no url-filter <URL-FILTER-NAME>
no url-list <URL-LIST-NAME>
no web-filter-name <WEB-FILTER-NAME>
The following no command is specific to the VX9000 virtual machine platform:
no database-client-policy <POLICY-NAME>
Parameters
no <PARAMETERS>

no <PARAMETERS>    Removes or resets settings, configurable in the global configuration mode, based on the parameters passed

Example
<DEVICE>(config)#no ?
  aaa-policy                          Delete a aaa policy
  aaa-tacacs-policy                   Delete a aaa tacacs policy
  alias                               Alias
  ap650                               Delete an AP650 access point
  ap6511                              Delete an AP6511 access point
  ap6521                              Delete an AP6521 access point
  ap6522                              Delete an AP6522 access point
  ap6532                              Delete an AP6532 access point
  ap6562                              Delete an AP6562 access point
  ap71xx                              Delete an AP7161 access point
  ap7502                              Delete an AP7502 access point
  ap7522                              Delete an AP7522 access point
  ap7532                              Delete an AP7532 access point
  ap7562                              Delete an AP7562 access point
  ap7602                              Delete an AP7602 access point
  ap7612                              Delete an AP7612 access point
  ap7622                              Delete an AP7622 access point
  ap7632                              Delete an AP7632 access point
  ap7662                              Delete an AP7662 access point
  ap81xx                              Delete an AP81XX access point
  ap82xx                              Delete an AP82XX access point
  ap8432                              Delete an AP8432 access point
  ap8533                              Delete an AP8533 access point
  application                         Delete an application
  application-group                   Delete an application-group
  application-policy                  Delete an application policy
  association-acl-policy              Delete an association-acl policy
  auto-provisioning-policy            Delete an auto-provisioning policy
  bgp                                 BGP Configuration
  bonjour-gw-discovery-policy         Disable Bonjour Gateway discovery policy
  bonjour-gw-forwarding-policy        Disable Bonjour Gateway Forwarding policy
  bonjour-gw-query-forwarding-policy  Disable Bonjour Gateway Query Forwarding policy
  captive-portal                      Delete a captive portal
  client-identity                     Client identity (DHCP Device Fingerprinting)
  client-identity-group               Client identity group (DHCP Fingerprint Database)
  crypto-cmp-policy                   CMP policy
  customize                           Restore the custom cli commands to default
  database-client-policy              Configure database policy
  database-policy                     Configure database policy
  device                              Delete multiple devices
  device-categorization               Delete device categorization object
  dhcp-server-policy                  DHCP server policy
  dhcpv6-server-policy                DHCPv6 server related configuration
  dns-whitelist                       Delete a whitelist object
  event-system-policy                 Delete a event system policy
  ex3500                              EX3500 device
  ex3500-management-policy            Delete a ex3500 management policy
  ex3500-qos-class-map-policy         Delete a ex3500 qos class-map policy
  ex3500-qos-policy-map               Delete a ex3500 qos policy-map
  ex3524                              Delete an EX3524 wireless controller
  ex3548                              Delete an EX3548 wireless controller
  firewall-policy                     Configure firewall policy
  global-association-list             Delete a global association list
  guest-management                    Delete a guest management policy
  igmp-snoop-policy                   Remove device onboard igmp snoop policy
  inline-password-encryption          Disable storing encryption key in the startup configuration file
  ip                                  Internet Protocol (IP)
  ipv6                                Internet Protocol version 6 (IPv6)
  ipv6-router-advertisement-policy    IPv6 Router Advertisement related configuration
  l2tpv3                              Negate a command or set its defaults
  mac                                 MAC configuration
  management-policy                   Delete a management policy
  meshpoint                           Delete a meshpoint object
  meshpoint-qos-policy                Delete a mesh point QoS configuration policy
  nac-list                            Delete an network access control list
  nsight-policy                       Delete a nsight policy
  nx5500                              Delete an NX5500 wireless controller
  nx75xx                              Delete an NX75XX wireless controller
  nx9000                              Delete an NX9000 wireless controller
  passpoint-policy                    Delete a passpoint configuration policy
  password-encryption                 Disable password encryption in configuration
  profile                             Delete a profile and all its associated configuration
  radio-qos-policy                    Delete a radio QoS configuration policy
  radius-group                        Local radius server group configuration
  radius-server-policy                Remove device onboard radius policy
  radius-user-pool-policy             Configure Radius User Pool
  rf-domain                           Delete one or more RF-domains and all their associated configurations
  rfs4000                             Delete an RFS4000 wireless controller
  rfs6000                             Delete an RFS6000 wireless controller
  roaming-assist-policy               Delete a roaming-assist policy
  role-policy                         Role based firewall policy
  route-map                           Dynamic routing route map Configuration
  routing-policy                      Policy Based Routing Configuration
  rtl-server-policy                   Delete a rtl server policy
  schedule-policy                     Delete a schedule policy
  sensor-policy                       Delete a sensor policy
  smart-rf-policy                     Delete a smart-rf-policy
  t5                                  Delete an T5 wireless controller
  url-filter                          Delete a url filter
  url-list                            Delete a URL list
  vx9000                              Delete an VX9000 wireless controller
  web-filter-policy                   Delete a web filter policy
  wips-policy                         Delete a wips policy
  wlan                                Delete a wlan object
  wlan-qos-policy                     Delete a wireless lan QoS configuration policy
  service                             Service Commands
<DEVICE>(config)#
4.1.69 nsight-policy
Global Configuration Commands

The following table lists NSight policy configuration mode commands:

Table 4.41 NSight-Policy Config Command

  Command                 Description                                                   Reference
  nsight-policy           Creates an NSight policy and enters its configuration mode    page 4-340
  nsight-policy commands  Summarizes NSight policy configuration mode commands          page 4-342

4.1.69.1 nsight-policy
nsight-policy

Creates an NSight policy and enters its configuration mode.

The NSight policy is an advanced management, analytics, reporting, and troubleshooting tool which, when created and applied at the RF Domain level, allows the RF Domain manager to send statistics (polled from devices within the RF Domain) to the NOC. The NOC, when enabled as the NSight server, stores this data in a locally or externally hosted database. This large, complex data set is collated and presented on an NSight Dashboard that can be launched from the NSight-enabled NOC. For large networks, enabling NSight removes the inadequacies of the existing data collection, presentation, and analytics framework. It simplifies network monitoring, troubleshooting, and reporting.

NOTE: NSight is a licensed feature, and can be enabled only on the application of an NSight license in the NSight server's self mode.

The NSight features include:
- Network statistic and event visualization - Simplified and unified network views based on defined user roles
- Custom dashboards - Live network health information in real time to optimally assist network administrators
- Live troubleshooting tools - Packet capture, wireless debug logs, TCP/IP ping and traceroute
- Interactive floor maps with timeline views - Visualize and identify potential issues and problem areas
- Real-time trend analysis - Simplify network growth planning
- Exceptionally responsive interface - Any information the admin needs is three or fewer clicks away

The WiNG NSight implementation consists of the following components:

- An NSight server
- A database. This database consists of AP statistics gathered by RF Domain managers.
- An NSight UI portal
- An NSight client hosted on the RF Domain manager, which periodically gathers statistics from APs and forwards them to the NSight server.
- Event history. Event details for all APs adopted by the NOC. These are events received by the Cfgd every 30 seconds and sent to the MART server. Each event consists of the RF Domain name, wireless client MAC if applicable, AP MAC, event mnemonic, event timestamp, and the event string itself.

Supported in the following platforms:

  Service Platforms  NX7500, NX9500, NX9510, NX9600, VX9000

Syntax
  nsight-policy <NSIGHT-POLICY-NAME>
Parameters
  nsight-policy <NSIGHT-POLICY-NAME>

  <NSIGHT-POLICY-NAME>  Specify the NSight policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#nsight-policy test
nx9500-6C8809(config-nsight-policy-test)#?
Nsight Policy Mode commands:
  enable              Enable this Nsight policy
  event-history-size  Size of the event history collection
  history-ttl         Time to live for historical data
  no                  Negate a command or set its defaults
  nsight-server       Enable Nsight server functionality
  server              Configure Nsight server

  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal

nx9500-6C8809(config-nsight-policy-test)#
Related Commands
  no  Removes an existing NSight policy

4.1.69.2 nsight-policy commands
nsight-policy

The following table summarizes NSight policy configuration mode commands:

Table 4.42 NSight-Policy-Config Mode Commands

  Command             Description                                                                                      Reference
  enable              Enables this NSight policy                                                                       page 4-343
  event-history-size  Converts and sizes the NSight event history collection to a capped collection                    page 4-344
  history-ttl         Configures the time-to-live (TTL), in days, for historical data related to clients and devices   page 4-345
  nsight-server       Enables NSight server functionality and configures the SMTP report delivery settings             page 4-346
  server              Configures the NSight server host. This configuration is used by the NSight client to identify
                      the NSight server host.                                                                          page 4-348
  no                  Removes this NSight policy's settings                                                            page 4-349

4.1.69.2.1 enable
nsight-policy commands

Enables this NSight policy. The default setting is enabled.

Supported in the following platforms:
  Service Platforms  NX9500, NX9510, NX9600, VX9000

Syntax
  enable

Parameters
  None

Example
nx9510-6C8A5C(config-nsight-policy-test2)#enable

Related Commands
  no  Disables this NSight policy

4.1.69.2.2 event-history-size
nsight-policy commands

Converts and sizes the NSight event history collection to a capped collection. The conversion occurs when upgrading. Use this command to define the NSight event history collection's size and prevent its unbounded growth. Note, resizing the collection results in the collection contents being dropped.

Supported in the following platforms:

  Service Platforms  NX9500, NX9510, NX9600, VX9000

Syntax
  event-history-size [high|low|medium]

Parameters
  event-history-size [high|low|medium]

  event-history-size [high|low|medium]  Defines the size of the NSight event history collection. The options are:
    high    Sets the size at approximately 10 M events
    low     Sets the size at approximately 500 K events. This is the default setting.
    medium  Sets the size at approximately 5 M events

Example
nx9500-6C8809(config-nsight-policy-test)#event-history-size medium
nx9500-6C8809(config-nsight-policy-test)#show context
nsight-policy test
 event-history-size medium
nx9500-6C8809(config-nsight-policy-test)#

Related Commands
  no  Reverts the NSight event history collection size to default (5 M)

4.1.69.2.3 history-ttl
nsight-policy commands

Configures the time-to-live (TTL), in days, for historical data related to clients, devices, and guest users. This is the duration for which clients, devices, or guest user related data is retained in the NSight database.

Supported in the following platforms:
  Service Platforms  NX9500, NX9510, NX9600, VX9000

Syntax
  history-ttl [clients|devices|guest-clients]
  history-ttl [clients|devices] <1-3650>
  history-ttl guest-clients <8-48>

Parameters
  history-ttl [clients|devices] <1-3650>

  history-ttl [clients|devices] <1-3650>  Configures the TTL for historical data related to clients and devices
    clients   Configures the TTL for wireless clients related historical data
    devices   Configures the TTL for devices (adopted access points or site controllers) related historical data
    The following is common to both the clients and devices keywords:
    <1-3650>  Specify a value from 1 - 3650 days. The default for both (clients and devices) is 180 days.

  history-ttl guest-clients <8-48>

  history-ttl guest-clients <8-48>  Configures the TTL for historical data related to clients and devices
    guest-clients  Configures the TTL for guest-client related historical data
    <8-48>         Specify a value from 8 - 48 hours. The default is 8 hours.

Example
nx9500-6C8809(config-nsight-policy-test)#history-ttl clients 250
nx9500-6C8809(config-nsight-policy-test)#show context
nsight-policy test
 history-ttl clients 250
nx9500-6C8809(config-nsight-policy-test)#

Related Commands
  no  Reverts the NSight clients or devices TTL duration to default (180 days)

4.1.69.2.4 nsight-server
nsight-policy commands

Enables NSight server functionality and configures the SMTP report delivery settings.

Supported in the following platforms:
  Service Platforms  NX9500, NX9510, NX9600, VX9000

Syntax
  nsight-server {smtp-report-delivery|standalone}
  nsight-server {smtp-report-delivery host <WORD> sender <EMAIL-ADD> [port <1-65535>|security [none|ssl|starttls]|username <USER-NAME> password [0|2|<WORD>]]}
  nsight-server {standalone}

Parameters
  nsight-server {smtp-report-delivery host <WORD> sender <EMAIL-ADD> [port <1-65535>|security [none|ssl|starttls]|username <USER-NAME> password [0|2|<WORD>]]}

  nsight-server                 Enables NSight server functionality on the host using this NSight policy
  smtp-report-delivery          Optional. Configures SMTP report delivery settings
  host <WORD>                   Configures the SMTP server host
    <WORD>                      Specify the SMTP server host's IP address or hostname.
  sender <EMAIL-ADD>            Optional. Configures the SMTP sender's e-mail address
    <EMAIL-ADD>                 Specify the sender's e-mail address.
  port <1-65535>                Optional. Configures the SMTP server port
    <1-65535>                   Specify the port from 1 - 65535.
  security [none|ssl|starttls]  Optional. Configures the encryption protocol used by the SMTP server. The options are:
    none                        Uses no encryption
    ssl                         Uses SSL encryption
    starttls                    Uses STARTTLS encryption
  username <USER-NAME>          Optional. Configures the SMTP username
    <USER-NAME>                 Specify the user name
  password [0|2|<WORD>]         Configures the password associated with the above configured user
    0                           Configures a clear text password
    2                           Configures an encrypted password
    <WORD>                      Enter the password.

  nsight-server {standalone}

  nsight-server  Enables NSight server functionality on the host using this NSight policy
  standalone     Optional. Configures NSight server as standalone. Use this option in the split NSight deployment scenario where the NSight server and database are hosted on separate hosts.

Example
nx9510-6C8A5C(config-nsight-policy-test2)#nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#

Related Commands
  no  Disables NSight server functionality on this NSight policy

4.1.69.2.5 server
nsight-policy commands

Configures the NSight server host. This configuration is used by the NSight client to identify the NSight server host.

Supported in the following platforms:
  Service Platforms  NX9500, NX9510, NX9600, VX9000

Syntax
  server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}

Parameters
  server host [<IP>|<HOSTNAME>|<X:X::X:X>] {http|https}

  server host [<IP>|<HOSTNAME>|<X:X::X:X>]  Configures the NSight server host's address. Use one of the following options to identify the NSight server host:
    <IP>        Configures the NSight server's IPv4 address
    <HOSTNAME>  Configures the NSight server's hostname
    <X:X::X:X>  Configures the NSight server's IPv6 address
  {http|https}  Optional. Configures the protocol used to communicate with the NSight server
    http        Optional. Uses HTTP to communicate
    https       Optional. Uses HTTPS to communicate (this is the default setting)

Example
nx9510-6C8A5C(config-nsight-policy-test2)#server host 172.22.0.153 http
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
 server host 172.22.0.153 http
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#

Related Commands
  no  Removes NSight server host settings from this NSight policy

4.1.69.2.6 no
nsight-policy commands

Removes NSight policy settings.

Supported in the following platforms:
  Service Platforms  NX9500, NX9510, NX9600, VX9000

Syntax
  no [enable|event-history-size|history-ttl [clients|devices|guest-clients]|nsight-server {smtp-report-delivery}|server host [<IP>|<HOSTNAME>|<X:X::X:X>]]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>  Removes NSight policy settings based on the parameters passed

Example
The following example shows the NSight policy test2 settings before the no command is executed:
nx9510-6C8A5C(config-nsight-policy-test2)#show context
nsight-policy test2
 server host 172.22.0.153 http
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#

nx9510-6C8A5C(config-nsight-policy-test2)#no server host 172.22.0.153

The following example shows the NSight policy test2 settings after the no command is executed:
nx9500-6C8809(config-nsight-policy-test2)#show context
nsight-policy test2
 nsight-server
nx9510-6C8A5C(config-nsight-policy-test2)#

4.1.70 passpoint-policy
Global Configuration Commands

Creates a new passpoint policy and enters its configuration mode.

The passpoint policy implements the Hotspot 2.0 Wi-Fi Alliance standard, enabling interoperability between clients, infrastructure, and operators. It makes a portion of the IEEE 802.11u standard mandatory and adds Hotspot 2.0 extensions that allow clients to query a network before actually attempting to join it. The passpoint policy allows a single Hotspot 2.0 configuration, or a set of them, to be global and referenced by the devices that use it. It is mapped to a WLAN. However, only primary WLANs on a BSSID will have their passpoint policy configuration used.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  passpoint-policy <POLICY-NAME>

Parameters
  passpoint-policy <POLICY-NAME>

  passpoint-policy <POLICY-NAME>  Specify the passpoint policy name. If a passpoint policy does not exist, it is created.

Example
rfs4000-229D58(config)#passpoint-policy test
rfs4000-229D58(config-passpoint-policy-test)#?
Passpoint Policy Mode commands:
  3gpp                   Configure a 3gpp plmn (public land mobile network) id
  access-network-type    Set the access network type for the passpoint
  connection-capability  Configure the connection capability for the passpoint
  domain-name            Add a domain-name for the passpoint
  hessid                 Set a homogeneous ESSID value for the passpoint
  internet               Advertise the passopint having internet access
  ip-address-type        Configure the advertised ip-address-type
  nai-realm              Configure a NAI realm for the passpoint
  net-auth-type          Add a network authentication type to the passpoint
  no                     Negate a command or set its defaults
  operator               Add configuration related to the operator of the passpoint
  osu                    Online signup
  roam-consortium        Add a roam consortium for the passpoint
  venue                  Set the venue parameters of the passpoint
  wan-metrics            Set the wan-metrics of the passpoint

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
  no  Removes an existing passpoint policy

NOTE: For more information on passpoint policy, see Chapter 27, PASSPOINT POLICY.

4.1.71 password-encryption
Global Configuration Commands

Enables password encryption and configures the passphrase used to encrypt passwords. When enabled, passwords configured within the system are not displayed as clear text.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  password-encryption secret 2 <LINE>

Parameters
  password-encryption secret 2 <LINE>

  secret 2 <LINE>  Encrypts passwords with a secret phrase
    2       Specifies the encryption type as either SHA256 or AES256
    <LINE>  Specify the encryption passphrase.

Example
nx9500-6C8809(config)#password-encryption secret 2 test@123

To confirm if password encryption is enabled, execute the following command:
nx9500-6C8809(config)#show password-encryption status
Password encryption is enabled
nx9500-6C8809(config)#

The following example shows the privilege-mode-password as encrypted text. Note, the digit 1 preceding the password implies that the displayed text is the encrypted password and not clear text.
nx9500-6C8809(config-management-policy-test)#show context include-factory | include privilege-mode-password
privilege-mode-password 1 bc28e4d82bb11fa75a3c56346441d48f50f19c47184e2575a59a6a5d18e63925
nx9500-6C8809(config-management-policy-test)#
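As an added example (not from the guide, and not a WiNG tool), the following Python audit scans a configuration dump written in the command syntax documented in the nsight-policy and password-encryption sections above and flags the weak choices those commands allow: an NSight `server host ... http`, SMTP report delivery with `security none`, a type-0 (clear text) password, and a missing `password-encryption secret 2` line. The sample configuration, hostnames and credentials are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the configuration text, 0 for config-wide
    check: str     # short identifier of the check that fired
    message: str


# Constructed sample, written in the syntax the guide documents. It is not a
# real device dump; the hostnames and the clear-text password are made up.
SAMPLE_CONFIG = """\
password-encryption secret 2 test@123
nsight-policy test2
 server host 172.22.0.153 http
 nsight-server smtp-report-delivery host smtp.example.test sender noc@example.test port 25 security none username noc password 0 Sup3rSecret
 event-history-size medium
 history-ttl clients 250
management-policy test
 privilege-mode-password 1 bc28e4d82bb11fa75a3c56346441d48f50f19c47184e2575a59a6a5d18e63925
"""

# Patterns mirror the syntax lines in the guide; leading whitespace is the
# nesting the CLI prints for settings inside a policy block.
RE_PWD_ENC = re.compile(r"^\s*password-encryption secret 2 \S+")
RE_SERVER_HTTP = re.compile(r"^\s*server host \S+ http\s*$")
RE_SMTP = re.compile(r"^\s*nsight-server smtp-report-delivery\b(?P<opts>.*)$")
RE_SECURITY_NONE = re.compile(r"\bsecurity none\b")
# "password 0 <WORD>" is the guide's clear-text form; type 2 is encrypted.
RE_CLEAR_PASSWORD = re.compile(r"\bpassword 0 \S+")


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per weak setting found, in configuration order."""
    findings: List[Finding] = []
    encryption_enabled = False
    for n, line in enumerate(text.splitlines(), start=1):
        if RE_PWD_ENC.match(line):
            encryption_enabled = True
            continue
        if RE_SERVER_HTTP.match(line):
            findings.append(Finding(n, "nsight-http",
                "NSight client reaches the server over HTTP; the default is HTTPS"))
        smtp = RE_SMTP.match(line)
        if smtp and RE_SECURITY_NONE.search(smtp.group("opts")):
            findings.append(Finding(n, "smtp-no-tls",
                "SMTP report delivery uses security none; use starttls or ssl"))
        if RE_CLEAR_PASSWORD.search(line):
            findings.append(Finding(n, "clear-text-password",
                "password stored as type 0 (clear text); store it as type 2"))
    if not encryption_enabled:
        findings.append(Finding(0, "no-password-encryption",
            "password-encryption secret 2 <LINE> is not set; passwords display as clear text"))
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: [{f.check}] {f.message}")
```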
Related Commands
  no  Disables password encryption

4.1.72 profile
Global Configuration Commands

Configures profile related commands. If no parameters are given, all profiles are selected.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|containing|filter|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000}
  profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000} <DEVICE-PROFILE-NAME>
  profile {containing <DEVICE-PROFILE-NAME>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx75xx|nx9000|vx9000]}
  profile {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

Parameters
  profile {anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000} <DEVICE-PROFILE-NAME>

  profile <DEVICE-TYPE> <DEVICE-PROFILE-NAME>  Configures device profile commands. If no device profile is specified, the system configures all device profiles.
    <DEVICE-TYPE>          Optional. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. After specifying the device type, specify the profile name.
    <DEVICE-PROFILE-NAME>  Specify the profile name. Select anyap to configure a profile applicable to any access point. The NX9600 profile option is only available on an NX9600 device.

  profile {containing <DEVICE-PROFILE-NAME>} {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

  profile containing <DEVICE-PROFILE-NAME>  Configures device profile commands
    containing             Optional. Configures profiles that contain a specified sub-string in the hostname
    <DEVICE-PROFILE-NAME>  Specify a substring in the profile name to filter profiles.
  filter type  Optional. An additional filter used to configure a specific type of device profile. If no device type is specified, the system configures all device profiles.
    type  Filters profiles by the device type. Select a device type from the following options: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The NX9600 profile option is only available on an NX9600 device.

  profile {filter type [ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600|vx9000]}

  profile filter type  Configures device profile commands
    filter type  Optional. An additional filter used to configure a specific type of device profile. If no device type is specified, the system configures all device profiles.
    type         Filters profiles by the device type. Select a device type from the following options: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. The NX9600 profile option is only available on an NX9600 device.

Example
<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#?
Profile Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning policy when adopted by another controller
  adoption                                 Adoption configuration
  alias                                    Alias
  application-policy                       Application Policy configuration
  area                                     Set name of area where the system is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bluetooth-detection                      Detect Bluetooth devices using the Bluetooth USB module - there will be interference on 2.4 Ghz radio in wlan mode
  bridge                                   Ethernet bridge
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  cluster                                  Cluster configuration
  configuration-persistence                Enable persistence of configuration across reloads (startup config file)
  controller                               WLAN controller configuration
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  database                                 Database command
  device-onboard                           Device-onboarding configuration
  device-upgrade                           Device firmware upgrade
  diag                                     Diagnosis of packets
  dot1x                                    802.1X
  dpi                                      Enable Deep-Packet-Inspection (Application Assurance)
  dscp-mapping                             Configure IP DSCP to 802.1p priority mapping for untagged frames
  eguest-server                            Enable EGuest Server functionality
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and adoptees
  floor                                    Set the floor within a area where the system is located
  gre                                      GRE protocol
  http-analyze                             Specify HTTP-Analysis configuration
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  led                                      Turn LEDs on/off on the device
  led-timeout                              Configure the time for the led to turn off after the last radio state change
  legacy-auto-downgrade                    Enable device firmware to auto downgrade when other legacy devices are detected
  legacy-auto-update                       Auto upgrade of legacy devices
  lldp                                     Link Layer Discovery Protocol
  load-balancing                           Configure load balancing parameter
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  management-server                        Configure management server address
  memory-profile                           Memory profile to be used on the device
  meshpoint-device                         Configure meshpoint device parameters
  meshpoint-monitor-interval               Configure meshpoint monitoring interval
  min-misconfiguration-recovery-time       Check controller connectivity after configuration is received
  mint                                     MiNT protocol
  misconfiguration-recovery-time           Check controller connectivity after configuration is received
  neighbor-inactivity-timeout              Configure neighbor inactivity timeout
  neighbor-info-interval                   Configure neighbor information exchange interval
  no                                       Negate a command or set its defaults
  noc                                      Configure the noc related setting
  nsight                                   NSight
  ntp                                      Ntp server WORD
  offline-duration                         Set duration for which a device remains unadopted before it generates offline event
  otls                                     Omnitrail Location Server
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system will prefer for tunneling extended vlan traffic
  radius                                   Configure device-level radius authentication parameters
  raid                                     RAID
  remove-override                          Remove configuration item override from the device (so profile value takes effect)
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  slot                                     PCI expansion Slot
  spanning-tree                            Spanning tree
  traffic-class-mapping                    Configure IPv6 traffic class to 802.1p priority mapping for untagged frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  vrrp-state-check                         Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP
  wep-shared-key-auth                      Enable support for 802.11 WEP shared key authentication
  zone                                     Configure Zone name

  clrscr                                   Clears the display screen
  commit                                   Commit all changes made in this session
  do                                       Run commands from Exec mode
  end                                      End current mode and change to EXEC mode
  exit                                     End current mode and down to previous mode
  help                                     Description of the interactive help system
  revert                                   Revert changes
  service                                  Service Commands
  show                                     Show running system information
  write                                    Write running configuration to memory or terminal

<DEVICE>(config-profile-<PROFILE-NAME>)#
Related Commands
  no  Removes a profile and its associated configurations

NOTE: For more information on profiles and how to configure profiles, see Chapter 7, PROFILES.

4.1.73 radio-qos-policy
Global Configuration Commands

Configures a radio quality-of-service (QoS) policy.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  radio-qos-policy <RADIO-QOS-POLICY-NAME>

Parameters
  radio-qos-policy <RADIO-QOS-POLICY-NAME>

  <RADIO-QOS-POLICY-NAME>  Specify the radio QoS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#radio-qos-policy test
rfs6000-81742D(config-radio-qos-test)#?
Radio QoS Mode commands:
  accelerated-multicast  Configure multicast streams for acceleration
  admission-control      Configure admission-control on this radio for one or more access categories
  no                     Negate a command or set its defaults
  smart-aggregation      Configure smart aggregation parameters
  wmm                    Configure 802.11e/Wireless MultiMedia parameters

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs6000-81742D(config-radio-qos-test)#

Related Commands
  no  Removes an existing Radio QoS policy

NOTE: For more information on radio qos policy, see Chapter 17, RADIO-QOS-POLICY.

4.1.74 radius-group
Global Configuration Commands

Configures RADIUS user group parameters.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  radius-group <RADIUS-GROUP-NAME>

Parameters
  radius-group <RADIUS-GROUP-NAME>

  <RADIUS-GROUP-NAME>  Specify a RADIUS user group name. The name should not exceed 64 characters. If the RADIUS user group does not exist, it is created.

Example
rfs6000-81742D(config)#radius-group testgroup
rfs6000-81742D(config-radius-group-testgroup)#?
Radius user group configuration commands:
  guest       Make this group a Guest group
  no          Negate a command or set its defaults
  policy      Radius group access policy configuration
  rate-limit  Set rate limit for group

  clrscr      Clears the display screen
  commit      Commit all changes made in this session
  do          Run commands from Exec mode
  end         End current mode and change to EXEC mode
  exit        End current mode and down to previous mode
  help        Description of the interactive help system
  revert      Revert changes
  service     Service Commands
  show        Show running system information
  write       Write running configuration to memory or terminal

rfs6000-81742D(config-radius-group-testgroup)#

Related Commands
  no  Removes an existing RADIUS group

NOTE: For more information on RADIUS user group commands, see Chapter 16, RADIUS-POLICY.

4.1.75 radius-server-policy
Global Configuration Commands

Creates an onboard device RADIUS policy.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax radius-server-policy <RADIUS-SERVER-POLICY-NAME>
Parameters radius-server-policy <RADIUS-SERVER-POLICY-NAME>
<RADIUS-SERVER-
POLICY-NAME>
Specify the RADIUS server policy name. If the policy does not exist, it is created. Example rfs6000-81742D(config)#radius-server-policy testpolicy rfs6000-81742D(config-radius-server-policy-testpolicy)#?
Radius Configuration commands:
authentication Radius authentication bypass Bypass Certificate Revocation List( CRL ) check chase-referral Enable chasing referrals from LDAP server crl-check Enable Certificate Revocation List( CRL ) check ldap-agent LDAP Agent configuration parameters ldap-group-verification Enable LDAP Group Verification setting ldap-server LDAP server parameters local RADIUS local realm nas RADIUS client no Negate a command or set its defaults proxy RADIUS proxy server session-resumption Enable session resumption/fast reauthentication by using cached attributes termination Enable Eap termination for proxy requests use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal rfs6000-81742D(config-radius-server-policy-testpolicy)#
Related Commands
no Removes an existing RADIUS server policy
NOTE: For more information on RADIUS server policy commands, see Chapter 16, RADIUS-POLICY.
4.1.76 radius-user-pool-policy
Global Configuration Commands
Configures a RADIUS user pool
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
radius-user-pool-policy <RADIUS-USER-POOL-POLICY-NAME>
Parameters
radius-user-pool-policy <RADIUS-USER-POOL-POLICY-NAME>
<RADIUS-USER-POOL-POLICY-NAME>  Specify the RADIUS user pool policy name. If the policy does not exist, it is created.
Example
rfs6000-81742D(config)#radius-user-pool-policy testpool
rfs6000-81742D(config-radius-user-pool-testpool)#?
Radius User Pool Mode commands:
  duration  Set a guest user's access duration
  no        Negate a command or set its defaults
  user      Radius user configuration
  clrscr    Clears the display screen
  commit    Commit all changes made in this session
  do        Run commands from Exec mode
  end       End current mode and change to EXEC mode
  exit      End current mode and down to previous mode
  help      Description of the interactive help system
  revert    Revert changes
  service   Service Commands
  show      Show running system information
  write     Write running configuration to memory or terminal
rfs6000-81742D(config-radius-user-pool-testpool)#
Related Commands
no Removes an existing RADIUS user pool
NOTE: For more information on RADIUS user pool policy commands, see Chapter 16, RADIUS-POLICY.
4.1.77 rename
Global Configuration Commands
Renames an existing TLO (top level object)
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
rename tlo <TLO-NAME> <NEW-TLO-NAME>
Parameters
rename tlo <TLO-NAME> <NEW-TLO-NAME>
rename tlo  Renames an existing TLO object. Here tlo stands for the top level object type keyword (for example ip_acl); enter rename and press Tab to list the available types.
<TLO-NAME>  Specify the TLO's name. This is the TLO that is to be renamed.
<NEW-TLO-NAME>  Specify the new name for this TLO.
Example
The following example shows the top level objects available for renaming:
Enter rename and press Tab to list the top level objects available for renaming.
nx9500-6C8809(config)#rename
aaa_policy aaa_tacacs_policy address_range_alias aif_policy ap300 app_group app_policy application assoc_acl auto_provisioning_policy bgp_as_path_list bgp_community_list bgp_extcommunity_list bgp_ip_access_list bgp_ip_prefix_list bonjour_gw_discovery_policy bonjour_gw_forwarding_policy bonjour_gw_query_forwarding_policy bridging_policy captive_portal centro_policy client_identity client_identity_group content_cache_policy content_filter_policy crypto_cmp_policy database_client_policy database_policy device_categorization dhcp_server_policy dhcpv6_server_policy dns_whitelist dr_route_map encrypted_string_alias event_system_policy ex3500_ext_ip_acl ex3500_management_policy ex3500_qos_class_map_policy ex3500_qos_policy_map ex3500_std_ip_acl ex3500_time_range firewall_policy global_assoc_list guest_management hashed_string_alias host_alias ip_acl ip_snmp_acl ipv6_acl ipv6_radv_policy l2tpv3_policy mac_acl management_policy meshpoint meshpoint_qos mint_policy mint_security_policy nac_list
--More--
nx9500-6C8809(config)#
The following example first clones the existing IP access list BROADCAST-MULTICAST-CONTROL, and then renames the clone:
nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
nx9500-6C8809(config)#
nx9500-6C8809(config)#clone ip_acl BROADCAST-MULTICAST-CONTROL Test_IP_CLONED
nx9500-6C8809(config)#commit
nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
ip access-list Test_IP_CLONED
nx9500-6C8809(config)#
nx9500-6C8809(config)#rename ip_acl Test_IP_CLONED Test_IP_RENAMED
nx9500-6C8809(config)#commit
nx9500-6C8809(config)#
nx9500-6C8809(config)#show context include-factory | include ip access-list
ip access-list BROADCAST-MULTICAST-CONTROL
ip access-list Test_IP_RENAMED
nx9500-6C8809(config)#
Related Commands
clone Creates a replica of an existing TLO or device
4.1.78 replace
Global Configuration Commands
Selects an existing device by its MAC address or hostname and replaces it with a new device having a different MAC address. Internally, a new device is created with the new MAC address. The old device's configuration is copied to the new device, and the old device is then removed from the controller's configuration (i.e., the old device's configuration is no longer staged on the controller).
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>
Parameters
replace device [<MAC-ADDRESS>|<HOSTNAME>] <NEW-MAC-ADDRESS>
replace device [<MAC-ADDRESS>|<HOSTNAME>]  Replaces an existing device with a new device, such that the old device's configuration is copied on to the new device. The device to replace is identified by its MAC address or hostname:
  <MAC-ADDRESS>  Identifies the device to replace by its MAC address. Specify the device's existing MAC address.
  <HOSTNAME>  Identifies the device to replace by its hostname. Specify the device's hostname.
<NEW-MAC-ADDRESS>  Specifies the new device's MAC address. Both the new and old devices should be of the same model type.
Example
rfs4000-882A17(config)#replace device ap7131-4BF364 ?
  AA-BB-CC-DD-EE-FF  New device MAC address
rfs4000-882A17(config)#replace device ap7131-4BF364 00-15-0F-BB-98-30
The following example shows an existing AP7502 (MAC: DD-AA-BB-88-12-43) configuration staged on a VX9000 controller:
VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#show context
ap7502 DD-AA-BB-88-12-43
 use profile default-ap7502
 use rf-domain default
 hostname ap7502-881243
 interface radio1
  wlan theMOZART bss 1 primary
 interface radio2
  wlan theMOZART bss 1 primary
 interface ge1
  switchport mode access
  switchport access vlan 1
 controller host 12.12.12.2
VX9000-NOC-DE9D(config-device-DD-AA-BB-88-12-43)#
The following example shows AP7502 (MAC: DD-AA-BB-88-12-43) replaced by another AP7502 having MAC address 11-22-33-44-55-66:
VX9000-NOC-DE9D(config)#replace device DD-AA-BB-88-12-43 11-22-33-44-55-66
VX9000-NOC-DE9D(config)#ap7502 11-22-33-44-55-66
VX9000-NOC-DE9D(config-device-11-22-33-44-55-66)#show context
ap7502 11-22-33-44-55-66
 use profile default-ap7502
 use rf-domain default
 hostname ap7502-881243
 interface radio1
  wlan theMOZART bss 1 primary
 interface radio2
  wlan theMOZART bss 1 primary
 interface ge1
  switchport mode access
  switchport access vlan 1
 controller host 12.12.12.2
VX9000-NOC-DE9D(config-device-11-22-33-44-55-66)#
Note that the new AP7502 device has the same configuration as the old AP7502 device. The hostname remains the same. Consequently, objects that refer to this hostname need not be updated. For example, a hostname alias identifying this particular device, and TLOs using this alias, such as IP/MAC ACLs, remain unchanged. Confirm the copied configuration with show context on the new device, as above, and remember that the old MAC address no longer has a staged configuration on the controller.
4.1.79 rf-domain
Global Configuration Commands
An RF Domain groups devices that can logically belong to one network. The following table lists the RF Domain configuration mode commands:
Table 4.43 RF-Domain Config Commands
Command                  Description                                                      Reference
rf-domain                Creates an RF Domain policy and enters its configuration mode    page 4-367
rf-domain-mode commands  Invokes RF Domain configuration mode commands                    page 4-369
4.1.79.1 rf-domain
rf-domain
Creates an RF Domain or enters the RF Domain configuration context for one or more RF Domains. If the RF Domain does not exist, it is created.
The configuration of controllers (wireless controllers, service platforms, and access points) comprises RF Domains that define regulatory, location, and other relevant policies. At least one default RF Domain is assigned to each controller. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as a floor, building, or site. Each RF Domain contains policies that set the Smart RF or WIPS configuration.
RF Domains also enable administrators to override WLAN SSID name and VLAN assignments. This enables the deployment of a global WLAN across multiple sites, with unique SSID name or VLAN assignments for the groups of access points servicing the global WLAN. This WLAN override eliminates the need to define and manage a large number of individual WLANs and profiles.
A controller's configuration contains:
A default RF Domain - Each controller utilizes a default RF Domain. Access points are assigned to this default RF Domain as they are discovered by the controller. A default RF Domain can be used for single-site and multi-site deployments.
  Single-site deployment - The default RF Domain can be used for single-site deployments, where regional, regulatory, and RF policies are common between devices.
  Multi-site deployment - A default RF Domain can omit configuration parameters to prevent regulatory configuration from automatically being inherited by devices as they are discovered. This is desirable in multi-site deployments with devices spanning multiple countries. Omitting specific configuration parameters eliminates the risk of an incorrect country code being automatically assigned to a device.
A user-defined RF Domain - Created by administrators. A user-defined RF Domain can be assigned to multiple devices manually or automatically.
  Manually assigned - Use the CLI or UI to manually assign a user-defined RF Domain to controllers and service platforms.
  Automatically assigned - Use an AP provisioning policy to automatically assign specific RF Domains to access points based on the access point's model, serial number, VLAN, DHCP option, and IP address or MAC address. Automatic RF Domain assignments are useful in large deployments, as they enable plug-n-play access point deployments by automatically applying RF Domains to remote access points. For more information on auto provisioning policy, see AUTO-PROVISIONING-POLICY.
Configure and deploy user-defined RF Domains for single or multiple sites where devices require unique regulatory and regional configurations, or unique Smart RF and WIPS policies. User-defined RF Domains can be used to:
  Assign unique Smart RF or WIPS policies to access points deployed on different floors or buildings within a site.
  Assign unique regional or regulatory configurations to devices deployed in different states or countries.
  Assign unique WLAN SSIDs and/or VLAN IDs to sites assigned a common WLAN without having to define individual WLANs for each site.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}
Parameters
rf-domain {<RF-DOMAIN-NAME>|containing <RF-DOMAIN-NAME>}
rf-domain  Creates a new RF Domain or enters its configuration context
  <RF-DOMAIN-NAME>  Optional. Specify the RF Domain name (should not exceed 32 characters and should represent the intended purpose). Once created, the name cannot be edited.
  containing <RF-DOMAIN-NAME>  Optional. Enters the configuration context of the existing RF Domains whose names contain the specified sub-string. Specify a sub-string of the RF Domain name.
Example
rfs6000-81742D(config)#rf-domain rfs6000
rfs6000-81742D(config-rf-domain-rfs6000)#?
RF Domain Mode commands:
  alias               Alias
  channel-list        Configure channel list to be advertised to wireless clients
  contact             Configure the contact
  control-vlan        VLAN for control traffic on this RF Domain
  controller-managed  RF Domain manager for this domain will be an adopting controller
  country-code        Configure the country of operation
  geo-coordinates     Configure geo coordinates for this device
  layout              Configure layout
  location            Configure the location
  location-server     LSENSE server configuration
  mac-name            Configure MAC address to name mappings
  no                  Negate a command or set its defaults
  nsight-sensor       Enable sensor for Nsight
  override-smartrf    Configured RF Domain level overrides for smart-rf
  override-wlan       Configure RF Domain level overrides for wlan
  sensor-server       AirDefense sensor server configuration
  stats               Configure the stats related setting
  timezone            Configure the timezone
  tree-node           Configure tree node under which this rf-domain appears
  use                 Set setting to use
  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal
rfs6000-81742D(config-rf-domain-rfs6000)#
4.1.79.2 rf-domain-mode commands
rf-domain
This section describes the default commands under RF Domain. The following table summarizes RF Domain configuration commands:
Table 4.44 RF-Domain-Mode Commands
Command             Description   Reference
alias               Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed-string, etc. at the RF Domain level   page 4-370
channel-list        Configures the channel list advertised by radios   page 4-377
contact             Configures the network administrator's contact information (needed in case of any problems impacting the RF Domain)   page 4-378
control-vlan        Configures the VLAN for control traffic on an RF Domain   page 4-379
controller-managed  Configures the adopting controller or service platform as this RF Domain's manager   page 4-380
country-code        Configures the country of operation   page 4-381
geo-coordinates     Configures the longitude and latitude of the RF Domain in order to fix its exact geographical location on a map   page 4-382
layout              Configures layout information   page 4-383
location            Configures the physical location of an RF Domain   page 4-385
location-server     Configures an LSENSE server on the selected RF Domain. This command is supported only on the NX95XX series service platforms.   page 4-386
mac-name            Maps MAC addresses to names   page 4-387
no                  Negates a command or reverts configured settings to their default   page 4-388
override-smart-rf   Configures RF Domain level overrides for Smart RF   page 4-390
override-wlan       Configures RF Domain level overrides for a WLAN   page 4-391
sensor-server       Configures an AirDefense sensor server on this RF Domain   page 4-394
stats               Configures stats related settings on this RF Domain. These settings define how RF Domain statistics are updated.   page 4-396
timezone            Configures an RF Domain's geographic time zone   page 4-397
tree-node           Configures the hierarchical (tree-node) structure under which this RF Domain appears   page 4-399
use                 Enables the use of a specified Smart RF and/or WIPS policy   page 4-401
4.1.79.2.1 alias
rf-domain-mode commands
Configures network, VLAN, host, string, network-service, etc. aliases at the RF Domain level. For information on aliases, see alias.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
alias hashed-string <HASHED-STRING-ALIAS-NAME> 1 <LINE>
alias host <HOST-ALIAS-NAME> <HOST-IP>
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias string <STRING-ALIAS-NAME> <LINE>
alias vlan <VLAN-ALIAS-NAME> <1-4094>
Parameters
alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
address-range <ADDRESS-RANGE-ALIAS-NAME>  Creates a new address-range alias for this RF Domain, or associates an existing address-range alias with this RF Domain. An address-range alias maps a name to a range of IP addresses.
  <ADDRESS-RANGE-ALIAS-NAME>  Specify the address range alias name. Alias names should begin with $.
<STARTING-IP> to <ENDING-IP>  Associates a range of IP addresses with this address range alias
  <STARTING-IP>  Specify the first IP address in the range.
  to <ENDING-IP>  Specify the last IP address in the range.
Aliases defined at any given level can be overridden at the next lower level. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
encrypted-string <ENCRYPTED-STRING-ALIAS-NAME>  Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when password-encryption is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.
  <ENCRYPTED-STRING-ALIAS-NAME>  Specify the encrypted-string alias name. Alias names should begin with $.
[0|2] <LINE>  Configures the value associated with the alias name specified in the previous step. If password-encryption is enabled, the show > running-config output displays this clear text as an encrypted string, as shown below:
nx9500-6C8809(config)#show running-config
!...............................
alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
!
--More--
nx9500-6C8809
In the above output, the 2 displayed before the encrypted-string alias value indicates that the displayed text is encrypted, not clear text. If password-encryption is disabled, the clear text is displayed as is, with the indicator 0:
nx9500-6C8809(config)#show running-config
!...............................
!
alias encrypted-string $enString 0 test11223344
!
--More--
nx9500-6C8809
Anyone who can view or export the running configuration can read a value stored with indicator 0, so enable password-encryption before such aliases are used for secrets. For more information on enabling password-encryption, see password-encryption.
alias hashed-string <HASHED-STRING-ALIAS-NAME> 1 <LINE>
hashed-string <HASHED-STRING-ALIAS-NAME>  Creates an alias for a hashed string. Use this alias for configuration values that are stored as hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-password.
  <HASHED-STRING-ALIAS-NAME>  Specify the hashed-string alias name. Alias names should begin with $.
<LINE>  Configures the hashed-string value associated with this alias.
nx9500-6C8809(config)#show running-config
!
alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
!
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
--More--
nx9500-6C8809
In the above show > running-config output, the 1 displayed before the hashed-string alias value indicates that the displayed text is hashed, not clear text.
alias host <HOST-ALIAS-NAME> <HOST-IP>
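The indicator digit makes a configuration dump easy to audit. The following Python is an added example, not part of the reference guide or the WiNG firmware: it parses running-config text of the shape shown above and reports encrypted-string aliases stored with indicator 0 (clear text), which is what a reviewer checks before a configuration is copied off the device. The sample text is constructed from the lines above; the check that a hashed value is 64 hex digits is an assumption taken from the example hash, not a documented rule, and is only there to catch values that were line-wrapped when the output was copied.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the shape of WiNG "show running-config" output, assembled from the
# lines shown above. Not captured from a real device.
SAMPLE_RUNNING_CONFIG = """\
!
alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
!
alias encrypted-string $enString 0 test11223344
!
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
!
alias string $DOMAIN test.example_company.com
"""

# Indicator that precedes the stored value: 0 = clear text, 1 = hashed, 2 = encrypted.
# The value group tolerates embedded spaces so that a line-wrapped hash is still parsed.
ALIAS_RE = re.compile(
    r"^\s*alias\s+(encrypted-string|hashed-string)\s+(\$\S+)\s+([012])\s+(.*\S)\s*$"
)


@dataclass(frozen=True)
class SecretAlias:
    kind: str      # "encrypted-string" or "hashed-string"
    name: str      # alias name, begins with $
    encoding: int  # 0 clear text, 1 hashed, 2 encrypted
    value: str


def parse_secret_aliases(config_text: str) -> list[SecretAlias]:
    """Return every encrypted-string / hashed-string alias line found in the config text."""
    found = []
    for line in config_text.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            found.append(SecretAlias(m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return found


def find_cleartext_secrets(config_text: str) -> list[str]:
    """Names of encrypted-string aliases whose value is stored as clear text (indicator 0)."""
    return [a.name for a in parse_secret_aliases(config_text)
            if a.kind == "encrypted-string" and a.encoding == 0]


def audit(config_text: str) -> list[str]:
    """Human-readable findings for one configuration dump."""
    findings = []
    for a in parse_secret_aliases(config_text):
        if a.kind == "encrypted-string" and a.encoding == 0:
            findings.append(f"{a.name}: clear-text value in running-config; enable password-encryption")
        elif a.kind == "hashed-string" and a.encoding != 1:
            findings.append(f"{a.name}: hashed-string alias without the hashed (1) indicator")
        elif a.kind == "hashed-string" and not re.fullmatch(r"[0-9a-f]{64}", a.value):
            # Assumption: the example hash above is 64 hex digits; anything else is most
            # likely a value that was wrapped when the config was copied.
            findings.append(f"{a.name}: hash is not 64 hex digits; check for a wrapped value")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG):
        print(finding)
```

Run it against a saved show running-config capture; an empty findings list means every encrypted-string alias carries indicator 2 and every hashed-string alias carries indicator 1 with an intact hash.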
host <HOST-ALIAS-NAME>  Creates a host alias for this RF Domain, or associates an existing host alias with this RF Domain. A host alias maps a name to a single network host.
  <HOST-ALIAS-NAME>  Specify the host alias name. Alias names should begin with $.
<HOST-IP>  Associates the network host's IP address with this host alias. Specify the network host's IP address.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
network <NETWORK-ALIAS-NAME>  Creates a network alias for this RF Domain, or associates an existing network alias with this RF Domain. A network alias maps a name to a single network address.
  <NETWORK-ALIAS-NAME>  Specify the network alias name. Alias names should begin with $.
<NETWORK-ADDRESS/MASK>  Associates a single network with this network alias. Specify the network's address and mask.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
network-group <NETWORK-GROUP-ALIAS-NAME>  Creates a network-group alias for this RF Domain, or associates an existing network-group alias with this RF Domain.
  <NETWORK-GROUP-ALIAS-NAME>  Specify the network-group alias name. Alias names should begin with $. After specifying the name, specify one of the following: a range of IP addresses, host addresses, or network addresses.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}  Associates a range of IP addresses with this network-group alias
  <STARTING-IP>  Specify the first IP address in the range.
  to <ENDING-IP>  Specify the last IP address in the range.
  {<STARTING-IP> to <ENDING-IP>}  Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.
host <HOST-IP> {<HOST-IP>}  Associates a single host or multiple hosts with this network-group alias
  <HOST-IP>  Specify the host's IP address.
  {<HOST-IP>}  Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.
network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}  Associates a single network or multiple networks with this network-group alias
  <NETWORK-ADDRESS/MASK>  Specify the network's address and mask.
  {<NETWORK-ADDRESS/MASK>}  Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.
alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
alias network-service <NETWORK-SERVICE-ALIAS-NAME>  Creates a network-service alias for this RF Domain, or associates an existing network-service alias with this RF Domain. A network-service alias maps a name to network services and the corresponding source and destination ports.
  <NETWORK-SERVICE-ALIAS-NAME>  Specify a network-service alias name. Alias names should begin with $.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp]  Use one of the following options to associate an Internet protocol with this network-service alias:
  <0-254>  Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of the IPv6 header. For example, the User Datagram Protocol (UDP) is protocol number 17.
  <WORD>  Identifies the protocol by its name. Specify the protocol name.
  eigrp  Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number is 88.
  gre  Selects Generic Routing Encapsulation (GRE). The protocol number is 47.
  igmp  Selects Internet Group Management Protocol (IGMP). The protocol number is 2.
  igp  Selects Interior Gateway Protocol (IGP). The protocol number is 9.
  ospf  Selects Open Shortest Path First (OSPF). The protocol number is 89.
  vrrp  Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112.
{(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}  After specifying the protocol, you may configure a destination port for this service. These keywords are recursive: you can configure multiple protocols and associate multiple destination and source ports.
  <1-65535>  Optional. Configures a destination port number from 1 - 65535
  <WORD>  Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22.
  bgp  Optional. Configures the default Border Gateway Protocol (BGP) service port (179)
  dns  Optional. Configures the default Domain Name System (DNS) service port (53)
  ftp  Optional. Configures the default File Transfer Protocol (FTP) control service port (21)
  ftp-data  Optional. Configures the default FTP data service port (20)
  gopher  Optional. Configures the default gopher service port (70)
  https  Optional. Configures the default HTTPS service port (443)
  ldap  Optional. Configures the default Lightweight Directory Access Protocol (LDAP) service port (389)
  nntp  Optional. Configures the default Newsgroup (NNTP) service port (119)
  ntp  Optional. Configures the default Network Time Protocol (NTP) service port (123)
  pop3  Optional. Configures the default Post Office Protocol (POP3) service port (110)
  proto  Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step.
  sip  Optional. Configures the default Session Initiation Protocol (SIP) service port (5060)
  smtp  Optional. Configures the default Simple Mail Transfer Protocol (SMTP) service port (25)
  sourceport [<1-65535>|<WORD>]  Optional. After specifying the destination port, you may specify a single source port or a range of source ports.
    <1-65535>  Specify the source port from 1 - 65535.
    <WORD>  Specify the source port range, for example 1-10.
  ssh  Optional. Configures the default SSH service port (22)
  telnet  Optional. Configures the default Telnet service port (23)
  tftp  Optional. Configures the default Trivial File Transfer Protocol (TFTP) service port (69)
  www  Optional. Configures the default HTTP service port (80)
alias number <NUMBER-ALIAS-NAME> <0-4294967295>
alias number <NUMBER-ALIAS-NAME>  Creates a new number alias, or applies an existing number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example, alias number $NUMBER 100: the number alias name is $NUMBER, the value assigned is 100, and the value referenced by $NUMBER, wherever it is used, is 100.
  <NUMBER-ALIAS-NAME>  Specify the number alias name.
<0-4294967295>  Specify the number, from 0 - 4294967295, assigned to the number alias.
alias string <STRING-ALIAS-NAME> <LINE>
alias string <STRING-ALIAS-NAME>  Creates a string alias for this RF Domain, or associates an existing string alias with this RF Domain. String aliases map a name to an arbitrary string value. For example, alias string $DOMAIN test.example_company.com: the string alias name is $DOMAIN and the string value it is mapped to is test.example_company.com, a domain name.
  <STRING-ALIAS-NAME>  Specify the string alias name. Alias names should begin with $.
<LINE>  Specify the string value.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
alias vlan <VLAN-ALIAS-NAME> <1-4094>
alias vlan <VLAN-ALIAS-NAME>  Creates a VLAN alias for this RF Domain, or associates an existing VLAN alias with this RF Domain. A VLAN alias maps a name to a VLAN ID.
  <VLAN-ALIAS-NAME>  Specify the VLAN alias name. Alias names should begin with $.
<1-4094>  Maps the VLAN alias to a VLAN ID. Specify the VLAN ID from 1 - 4094.
Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
Example
rfs4000-229D58(config)#show context
!
! Configuration of RFS4000 version 5.9.1.0-008B
!
!
version 2.5
!
!
alias network-group $TestNetGrpAlias network 192.168.13.0/24 192.168.16.0/24
alias network-group $TestNetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
!
alias network $TestNetworkAlias 192.168.13.0/24
!
alias host $TestHostAlias 192.168.13.10
!
alias address-range $TestAddRanAlias 192.168.13.10 to 192.168.13.13
!
alias network-service $NetworkServAlias proto udp
!
alias network-service $kerberos proto tcp 749 750 80 proto udp 68 sourceport 67
!
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 375 GLOBAL CONFIGURATION COMMANDS
alias vlan $TestVLANAlias 1
--More--
rfs4000-229D58(config)#
In the following examples, the global aliases $kerberos and $TestVLANAlias are associated with the RF Domain test and overrides applied:
rfs4000-229D58(config-rf-domain-test)#alias network-service $kerberos proto tcp 749 750 80
rfs4000-229D58(config-rf-domain-test)#alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
 no country-code
 alias network-service $kerberos proto tcp 749 750 80
 alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#

nx9500-6C8809(config-rf-domain-test)#alias string $test example_company.com
nx9500-6C8809(config-rf-domain-test)#show context
rf-domain test
 no country-code
 alias string $test example_company.com
nx9500-6C8809(config-rf-domain-test)#

Example 1:
In the following example, the network-group alias $test is configured to include hosts 192.168.1.10 and 192.168.1.11, networks 192.168.2.0/24 and 192.168.3.0/24, and address-range 192.168.4.10 to 192.168.4.20.
rfs4000-229D58(config)#alias network-group $test host 192.168.1.10 192.168.1.11
rfs4000-229D58(config)#alias network-group $test network 192.168.2.0/24 192.168.3.0/24
rfs4000-229D58(config)#alias network-group $test address-range 192.168.4.10 to 192.168.4.20
Associate this network-group alias $test with the RF Domain test and override the host element of the alias:
rfs4000-229D58(config-rf-domain-test)#alias network-group $test host 192.168.10.10
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
 no country-code
 alias network-service $kerberos proto tcp 749 750 80
 alias network-group $test host 192.168.10.10
 alias network-group $test network 192.168.2.0/24 192.168.3.0/24
 alias network-group $test address-range 192.168.4.10 to 192.168.4.20
 alias vlan $TestVLANAlias 10
rfs4000-229D58(config-rf-domain-test)#
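The override rules described in this section (global aliases redefined at RF Domain, profile or device level with the most specific level winning, and a network-group alias whose host element is overridden while its network and address-range elements are inherited) can be modelled to check what a device will actually resolve before the config is committed. The Python below is an added example, not code from the guide or from WiNG; the AliasStore class, the level names and the guide_example() values (taken from Example 1) are this example's own.

```python
"""Added example (not from the WiNG CLI guide): a model of WiNG alias
override semantics. Scalar aliases (vlan, number, string, ...) resolve to
the most specific definition; network-group aliases merge element by element."""
from dataclasses import dataclass, field

# Precedence from least to most specific, as the guide describes it:
# a device-level override beats profile, RF Domain and global definitions.
LEVELS = ("global", "rf-domain", "profile", "device")
GROUP_ELEMENTS = ("host", "network", "address-range")


def _chain(level):
    """Levels from global up to and including `level`, least specific first."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    return LEVELS[: LEVELS.index(level) + 1]


def _check_name(name):
    if not name.startswith("$"):
        raise ValueError("alias names must begin with $")


@dataclass
class AliasStore:
    # Scalar aliases: {level: {alias_name: (alias_type, value)}}
    scalars: dict = field(default_factory=lambda: {lv: {} for lv in LEVELS})
    # network-group aliases: {level: {alias_name: {element: [values]}}}
    groups: dict = field(default_factory=lambda: {lv: {} for lv in LEVELS})

    def define(self, level, alias_type, name, value):
        """alias <alias_type> <name> <value>, entered at `level`."""
        _chain(level)
        _check_name(name)
        self.scalars[level][name] = (alias_type, value)

    def define_group(self, level, name, element, values):
        """alias network-group <name> <element> <values...>, entered at `level`."""
        _chain(level)
        _check_name(name)
        if element not in GROUP_ELEMENTS:
            raise ValueError(f"unknown network-group element {element!r}")
        self.groups[level].setdefault(name, {})[element] = list(values)

    def _lookup(self, name, level):
        # Walk from `level` back towards global; the first definition wins.
        for lv in reversed(_chain(level)):
            if name in self.scalars[lv]:
                return self.scalars[lv][name]
        raise KeyError(f"alias {name} is not defined at or above {level!r}")

    def resolve(self, name, level="device"):
        """Effective value of a scalar alias as seen from `level`."""
        return self._lookup(name, level)[1]

    def resolve_group(self, name, level="device"):
        """Effective network-group alias as seen from `level`: elements are
        merged from global towards `level`, so a lower level replaces only
        the element(s) it redefined and inherits the rest."""
        merged = {}
        for lv in _chain(level):
            merged.update(self.groups[lv].get(name, {}))
        if not merged:
            raise KeyError(f"network-group alias {name} is not defined at or above {level!r}")
        return merged

    def context_lines(self, level):
        """Effective alias configuration at `level`, rendered in the style of
        the guide's `show context` output."""
        lines = []
        group_names = {n for lv in _chain(level) for n in self.groups[lv]}
        for name in sorted(group_names):
            for element, values in self.resolve_group(name, level).items():
                if element == "address-range":
                    text = " ".join(f"{lo} to {hi}" for lo, hi in values)
                else:
                    text = " ".join(values)
                lines.append(f"alias network-group {name} {element} {text}")
        scalar_names = {n for lv in _chain(level) for n in self.scalars[lv]}
        for name in sorted(scalar_names):
            alias_type, value = self._lookup(name, level)
            lines.append(f"alias {alias_type} {name} {value}")
        return lines


def guide_example():
    """Reproduce the guide's Example 1 plus the $TestVLANAlias override."""
    store = AliasStore()
    store.define("global", "vlan", "$TestVLANAlias", 1)
    store.define_group("global", "$test", "host", ["192.168.1.10", "192.168.1.11"])
    store.define_group("global", "$test", "network", ["192.168.2.0/24", "192.168.3.0/24"])
    store.define_group("global", "$test", "address-range", [("192.168.4.10", "192.168.4.20")])
    # RF Domain "test": redefine the VLAN alias and only the host element.
    store.define("rf-domain", "vlan", "$TestVLANAlias", 10)
    store.define_group("rf-domain", "$test", "host", ["192.168.10.10"])
    return store
```

Running `guide_example().context_lines("rf-domain")` yields the four alias lines of the show context output above; adding a device-level `define` shows the device value taking precedence over the RF Domain one.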
In Example 1 above, the host element of the network-group alias $test has been overridden, but the network and address-range elements have been retained as is.

Related Commands
no   Removes a network, network-group, network-service, VLAN, or string alias from this RF Domain

4.1.79.2.2 channel-list
rf-domain-mode commands

Configures the channel list advertised by radios. This command also enables a dynamic update of a channel list.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
channel-list [2.4GHz|5GHz|dynamic]
channel-list dynamic
channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

Parameters
channel-list dynamic
  dynamic   Enables a dynamic update of a channel list

channel-list [2.4GHz|5GHz] <CHANNEL-LIST>
  2.4GHz <CHANNEL-LIST>   Configures the channel list advertised by radios operating in the 2.4 GHz mode
    <CHANNEL-LIST>   Specify the list of channels separated by commas or hyphens.
  5GHz <CHANNEL-LIST>   Configures the channel list advertised by radios operating in the 5.0 GHz mode
    <CHANNEL-LIST>   Specify the list of channels separated by commas or hyphens.

Example
rfs6000-81742D(config-rf-domain-default)#channel-list 2.4GHz 1-10
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 no country-code
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
rfs6000-81742D(config-rf-domain-default)#
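The example above shows the device accepting a hyphenated range (1-10) and echoing it back fully expanded in show context (1,2,...,10). The Python below is an added example, not code from the guide or from WiNG: it parses the comma/hyphen <CHANNEL-LIST> form, renders the expanded form, and compresses it back. The per-band channel tables and the treatment of hyphen ranges on 5 GHz are assumptions of this example, not rules stated by the guide.

```python
"""Added example (not from the WiNG CLI guide): parser for the <CHANNEL-LIST>
argument of `channel-list [2.4GHz|5GHz]`."""
import re

# Constructed sample tables, used only to reject channels that cannot exist
# in a band at all (e.g. channel 15 in 2.4 GHz). Not the device's own table;
# which channels are legal also depends on the configured country-code.
KNOWN_CHANNELS = {
    "2.4GHz": set(range(1, 15)),
    "5GHz": {36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120,
             124, 128, 132, 136, 140, 144, 149, 153, 157, 161, 165},
}
_TOKEN = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_channel_list(spec, band):
    """Expand a comma/hyphen channel specification into a sorted list.

    Assumption (not stated by the guide): a hyphenated range such as 36-48 on
    5 GHz yields only the channel numbers that exist in that band (36,40,44,48),
    whereas an explicitly listed channel that does not exist is an error."""
    if band not in KNOWN_CHANNELS:
        raise ValueError(f"unknown band {band!r}; expected 2.4GHz or 5GHz")
    valid = KNOWN_CHANNELS[band]
    channels = set()
    for token in spec.split(","):
        token = token.strip()
        m = _TOKEN.match(token)
        if not m:
            raise ValueError(f"malformed channel token {token!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range {token!r}")
        if m.group(2) is None and lo not in valid:
            raise ValueError(f"channel {lo} is not a {band} channel")
        chosen = {ch for ch in range(lo, hi + 1) if ch in valid}
        if not chosen:
            raise ValueError(f"range {token!r} contains no {band} channel")
        channels |= chosen
    return sorted(channels)


def render_context(channels):
    """Render as `show context` does: fully expanded, comma-separated."""
    return ",".join(str(ch) for ch in channels)


def compress(channels):
    """Collapse runs of consecutive channel numbers back into the hyphen form
    accepted on input (1,2,3,6,11 -> 1-3,6,11)."""
    out, run = [], []
    for ch in sorted(set(channels)) + [None]:
        if run and (ch is None or ch != run[-1] + 1):
            out.append(str(run[0]) if len(run) == 1 else f"{run[0]}-{run[-1]}")
            run = []
        if ch is not None:
            run.append(ch)
    return ",".join(out)
```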
Related Commands
no   Removes the list of channels configured on the selected RF Domain for 2.4 GHz and 5.0 GHz bands. Also disables dynamic update of a channel list.

4.1.79.2.3 contact
rf-domain-mode commands

Configures the network administrator's contact details. The network administrator is responsible for addressing problems impacting the network.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
contact <WORD>

Parameters
contact <WORD>   Specify contact details, such as name and number.

Example
rfs6000-81742D(config-rf-domain-default)#contact Bob+14082778691
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 no country-code
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
rfs6000-81742D(config-rf-domain-default)#
Related Commands
no   Removes the network administrator's contact details

4.1.79.2.4 control-vlan
rf-domain-mode commands

Configures the VLAN designated for traffic control in this RF Domain.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters
control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]   Specify the VLAN ID from 1 - 4094. Alternately, use a VLAN alias to identify the control VLAN. If using a VLAN alias, ensure that the alias exists and is configured.

Example
rfs6000-81742D(config-rf-domain-default)#control-vlan 1
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 no country-code
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#
Related Commands
no   Disables the VLAN designated for controlling RF Domain traffic

4.1.79.2.5 controller-managed
rf-domain-mode commands

Configures the adopting controller (wireless controller, access point, or service platform) as this RF Domain's manager. In other words, the RF Domain is controller managed, and the managing controller is the device managing the RF Domain.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
controller-managed

Parameters
None

Example
rfs4000-229D58(config-rf-domain-test)#controller-managed
rfs4000-229D58(config-rf-domain-test)#commit
rfs4000-229D58(config-rf-domain-test)#show context
rf-domain test
 country-code in
 controller-managed
 network-alias techPubs host 192.168.13.8
 network-alias techPubs address-range 192.168.13.10 to 192.168.13.15
 service-alias testing index 10 proto 9 destination-port range 21 21
rfs4000-229D58(config-rf-domain-test)#
Related Commands
no   Removes the adopting controller or service platform as this RF Domain's manager

4.1.79.2.6 country-code
rf-domain-mode commands

Configures an RF Domain's country of operation. Since devices transmit on specific channels unique to the country of operation, it is essential to configure the country code correctly or risk illegal operation.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
country-code <WORD>

Parameters
country-code <WORD>   Configures the RF Domain's country of operation
  <WORD>   Specify the two (2) letter ISO-3166 country code.

Example
rfs6000-81742D(config-rf-domain-default)#country-code ?
  WORD   The 2 letter ISO-3166 country code
  ae     United Arab Emirates
  ag     Antigua and Barbuda
  ai     Anguilla
  al     Albania
  an     Dutch Antilles
  ar     Argentina
  at     Austria
  au     Australia
  ba     Bosnia-Herzegovina
  bb     Barbados
  bd     Bangladesh
  be     Belgium
  bf     Burkina Faso
--More--
rfs6000-81742D(config-rf-domain-default)#
rfs6000-81742D(config-rf-domain-default)#country-code us
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#
Related Commands
no   Removes or resets this RF Domain's configured country of operation

4.1.79.2.7 geo-coordinates
rf-domain-mode commands

Configures the longitude and latitude of the RF Domain in order to fix its exact geographical location on a map. Use this command to define the geographical area where a common set of device configurations are deployed and managed by this RF Domain policy.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>

Parameters
geo-coordinates <-90.0000-90.0000> <-180.0000-180.0000>   Configures the geo-coordinates of this RF Domain
  <-90.0000-90.0000>   Specify the latitude from -90.0000 - 90.0000.
  <-180.0000-180.0000>   Specify the longitude from -180.0000 - 180.0000.

Example
nx9500-6C8809(config-rf-domain-TechPubs)#geo-coordinates 12.971599 77.594563
nx9500-6C8809(config-rf-domain-TechPubs)#show context
rf-domain TechPubs
 location Bangalore
 geo-coordinates 12.9716 77.5946
 timezone Asia/Calcutta
 country-code in
 use database-policy default
 use nsight-policy AP-rfd
 control-vlan 1
 controller-managed
 use license WEBF
nx9500-6C8809(config-rf-domain-TechPubs)#
Related Commands
no   Removes or resets this RF Domain's configured geo-coordinates

4.1.79.2.8 layout
rf-domain-mode commands

Configures the RF Domain layout in terms of area, floor, and location on a map. It allows users to place APs across the deployment map. A maximum of 256 layouts is permitted.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
layout [area|description|floor|map-location] {(area|description|floor|map-location)}
layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}

Parameters
layout [area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters]] {(area <AREA-NAME>|description <LINE>|floor <FLOOR-NAME> {<1-4094>}|map-location <URL> units [feet|meters])}
  layout   Configures the RF Domain's layout in terms of area, floor, and location on a map. These are recursive parameters and you can configure one or all of them.
  area <AREA-NAME>   Configures the RF Domain's layout in terms of the area of location
    <AREA-NAME>   Specify the area name. After configuring the RF Domain's area of functioning, optionally specify the floor name (and number), description, and/or the location on map.
  description <LINE>   Configures a description for this RF Domain
    <LINE>   Specify a description that enables you to identify the RF Domain. For a multi-worded string, use double quotes.
  floor <FLOOR-NAME> <1-4094>   Configures the RF Domain's layout in terms of the floor name and number
    <FLOOR-NAME>   Specify the floor name.
    <1-4094>   Optional. Specifies the floor number from 1 - 4094. The default floor number is 1. After configuring the RF Domain's floor name (and number), optionally specify the area name, description, and/or the location on map.
  map-location <URL> units [feet|meters]   Configures the location of the RF Domain on the map
    <URL>   Specify the URL to configure the map location.
    units [feet|meters]   Configures the map units. The options are: feet or meters.
      feet   Configures the map units in terms of feet
      meters   Configures the map units in terms of meters
    After configuring the location of the RF Domain on the map, optionally specify the area name, floor name (and number), and/or description.

Example
rfs6000-81742D(config-rf-domain-default)#layout map-location www.firstfloor.com units meters area HamiltonAve floor Floor1
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 layout area HamiltonAve floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#
Related Commands
no   Removes the RF Domain layout details

4.1.79.2.9 location
rf-domain-mode commands

Configures the RF Domain's physical location name. The location could be as specific as the building name or floor number, or it could be generic and include an entire site. The location defines the physical area where a set of devices with common configurations are deployed and managed by an RF Domain policy.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
location <WORD>

Parameters
location <WORD>   Configures the RF Domain location by specifying the area or building name
  <WORD>   Specify the location.

Example
rfs6000-81742D(config-rf-domain-default)#location SanJose
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 location SanJose
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 layout area HamiltonAve floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#
Related Commands
no   Removes the RF Domain location

4.1.79.2.10 location-server
rf-domain-mode commands

Configures the L-Sense server's IP address or hostname on the selected RF Domain. When configured, the AP7522, AP7532, AP7562, AP8432 and AP8533 model access points within the RF Domain extract and forward client-location related data to the specified L-Sense server. L-Sense is a highly scalable indoor locationing platform that gathers location-related analytics, such as visitor trends, peak and off-peak times, dwell time, heat-maps, etc., to give entrepreneurs deeper visibility at a venue. To enable the location tracking system, the L-Sense server should be up and running and the RF Domain sensor configuration should point to the L-Sense server.
Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
location-server 1 ip <LSENSE-SERVER-IP/HOSTNAME> {port [443|<1-65535>]}

Parameters
location-server 1 ip <LSENSE-SERVER-IP/HOSTNAME> {port [443|<1-65535>]}
  location-server   Configures the L-Sense server parameters
  1   Sets the server ID as 1. As of now only one L-Sense server can be configured.
  ip <LSENSE-SERVER-IP/HOSTNAME>   Specify the server's IPv4 address/hostname. This is the L-Sense server designated to receive RSSI scan data from a WiNG dedicated sensor.
  port [443|<1-65535>]   Optional. Configures the port where the L-Sense server is reachable. The options are:
    443   Configures port 443. This is the default setting.
    <1-65535>   Alternately, specify a port as the L-Sense server port from 1 - 65535.

Example
nx9500-6C8809(config-rf-domain-test)#location-server 1 ip 192.168.13.20 port 200
nx9500-6C8809(config-rf-domain-test)#show context
rf-domain test
 no country-code
 location-server 1 ip 192.168.13.20 port 200
nx9500-6C8809(config-rf-domain-test)#
Related Commands
no   Removes the L-Sense server configuration

4.1.79.2.11 mac-name
rf-domain-mode commands

Configures a relevant name for each MAC address. Use this command to associate client names with specific connected client MAC addresses for improved client management.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-name <MAC> <NAME>

Parameters
mac-name <MAC> <NAME>   Assigns a user-friendly name to a client connected to this RF Domain's member access points, to assist in its easy recognition
  <MAC>   Specify the MAC address.
  <NAME>   Specify the client name for the specified MAC address. The name specified here will be used in events and statistics.

Example
rfs6000-81742D(config-rf-domain-default)#mac-name 11-22-33-44-55-66 TestDevice
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 location SanJose
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 mac-name 11-22-33-44-55-66 TestDevice
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#
Related Commands
no   Removes the MAC address to name mapping

4.1.79.2.12 no
rf-domain-mode commands

Negates a command or reverts configured settings to their default. When used in the config RF Domain mode, the no command negates or reverts RF Domain settings.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [alias|channel-list|contact|control-vlan|controller-managed|country-code|geo-coordinates|layout|location|location-server|mac-name|nsight-sensor|override-smartrf|override-wlan|sensor-server|stats|timezone|tree-node|use]
no [adoption-mode|channel-list [2.4GHz|5GHz|dynamic]|contact|control-vlan|controller-managed|country-code|location|location-server 1|mac-name <MAC>|nsight-sensor|sensor-server <1-3>|stats update-interval|timezone|tree-node]
no alias [address-range|host|network|network-group [address-range|host|network]|network-service|number|string|vlan] <ALIAS-NAME>
no layout {(area <AREA-NAME>|floor <FLOOR-NAME>)}
no override-smartrf channel-list [2.4GHz|5GHz]
no override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool [<1-4094>|all]|wep128 [key <1-3>|transmit-key]|wpa-wpa2-psk]
no use [database-policy|license|nsight-policy|smart-rf-policy|wips-policy]

Parameters
no <PARAMETERS>   Removes or reverts this RF Domain's settings based on the parameters passed

Example
The following example shows the default RF Domain settings before the no commands are executed:
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 location SanJose
 contact Bob+14082778691
 country-code us
 channel-list 2.4GHz 1,2,3,4,5,6,7,8,9,10
 mac-name 11-22-33-44-55-66 TestDevice
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
 control-vlan 1
rfs6000-81742D(config-rf-domain-default)#
rfs6000-81742D(config-rf-domain-default)#no channel-list 2.4GHz 1-10
rfs6000-81742D(config-rf-domain-default)#no mac-name 11-22-33-44-55-66
rfs6000-81742D(config-rf-domain-default)#no location
rfs6000-81742D(config-rf-domain-default)#no control-vlan
The following example shows the default RF Domain settings after the no commands are executed:
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#
4.1.79.2.13 override-smart-rf
rf-domain-mode commands

Enables dynamic channel switching for Smart RF radios. This command allows you to configure an override list of channels that Smart RF can use for channel compensations on 2.4 GHz and 5.0 GHz radios.
When a radio fails or is faulty, a Smart RF policy provides automatic recovery by instructing neighboring access points to increase their transmit power to compensate for the coverage loss. Once correct access point placement has been established, Smart RF can optionally be leveraged for automatic detector radio selection. Smart RF uses detector radios to monitor RF events and can ensure availability of adequate detector coverage.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
override-smartrf channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

Parameters
override-smartrf channel-list [2.4GHz|5GHz] <CHANNEL-LIST>
  override-smartrf   Enables dynamic channel switching for Smart RF radios
  channel-list   Configures a list of channels for 2.4 GHz and 5.0 GHz Smart RF radios
  2.4GHz <CHANNEL-LIST>   Selects the 2.4 GHz Smart RF radio channels
    <CHANNEL-LIST>   Specify a list of channels separated by commas.
  5GHz <CHANNEL-LIST>   Selects the 5.0 GHz Smart RF radio channels
    <CHANNEL-LIST>   Specify a list of channels separated by commas.

Example
rfs6000-81742D(config-rf-domain-default)#override-smartrf channel-list 2.4GHz 1,2,3
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 override-smartrf channel-list 2.4GHz 1,2,3
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#
Related Commands
no   Removes the override-smartrf list of channels configured for 2.4 GHz and 5.0 GHz radios

4.1.79.2.14 override-wlan
rf-domain-mode commands

Configures RF Domain level overrides for a WLAN.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
override-wlan <WLAN-NAME> [shutdown|ssid|template|vlan-pool|wep128|wpa-wpa2-psk]
override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-pool <1-4094> {limit <0-8192>}]
override-wlan <WLAN-NAME> wpa-wpa2-psk [0 <WORD>|2 <WORD>]
override-wlan <WLAN-NAME> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]

Parameters
override-wlan <WLAN-NAME> [shutdown|ssid <SSID>|template <TEMPLATE-NAME>|vlan-pool <1-4094> {limit <0-8192>}]
  <WLAN-NAME>   Configures the WLAN name. If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLAN's coverage area. After creating the WLAN, configure its override parameters.
  shutdown   Shuts down WLAN operation on all mapped radios
  ssid <SSID>   Configures an override SSID associated with this WLAN
    <SSID>   Specify the SSID (should not exceed 32 characters in length). Each WLAN provides associated wireless clients with an SSID. This has limitations, because it requires wireless clients to associate with different SSIDs to obtain QoS and security policies. However, a WiNG-managed RF Domain can have WLANs assigned and advertise a single SSID, and yet allow users to inherit different QoS or security policies.
  template <TEMPLATE-NAME>   Configures a template name for this RF Domain
    <TEMPLATE-NAME>   Specify the template name (should not exceed 32 characters in length).
  vlan-pool <1-4094> {limit <0-8192>}   Configures the override VLANs available to this WLAN
    <1-4094>   Specify the VLAN ID from 1 - 4094.
    limit <0-8192>   Optional. Sets a limit to the number of users on this VLAN from 0 - 8192. The default is 0.
    Controllers and service platforms allow the mapping of a WLAN to more than one VLAN. Wireless clients associating with a WLAN are assigned VLANs, from the pool representative of the WLAN, in a way that ensures proper load balancing across VLANs. Clients are tracked per VLAN, and assigned to the least used/loaded VLAN. Client VLAN usage is tracked on a per-WLAN basis. The maximum allowed client limit is 8192 per VLAN.

override-wlan <WLAN-NAME> wpa-wpa2-psk [0 <WORD>|2 <WORD>]
  <WLAN-NAME>   Configures the WLAN name. If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLAN's coverage area. After creating the WLAN, configure its override parameters.
  wpa-wpa2-psk <PASSPHRASE>   Overrides a WLAN's existing WPA-WPA2 pre-shared key or passphrase at the RF Domain level. WPA2 is a newer 802.11i standard that provides wireless security that is stronger than Wi-Fi Protected Access (WPA) and WEP.
    <PASSPHRASE>   Specify a WPA-WPA2 key or passphrase. It is an alphanumeric string of 8 to 64 ASCII characters or 64 HEX characters as the primary string, which both the transmitting and receiving authenticators must share in this new override PSK. The alphanumeric string allows character spaces. The string is converted to a numeric value. This passphrase saves you from having to enter the 256-bit key each time keys are generated.

override-wlan <WLAN-NAME> wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]
  <WLAN-NAME>   Configures the WLAN name. If applying RF Domain level overrides to an existing WLAN, specify its name. If creating a new WLAN, specify a name not exceeding 32 characters and representing the WLAN's coverage area. After creating the WLAN, configure its override parameters.
  wep128   Overrides a WLAN's existing WEP128 keys at the RF Domain level (not the profile level). WEP128 uses a 104-bit key, which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP may be all a small-business user needs for the simple encryption of wireless data on the WLAN. However, networks that require more security are at risk from a WEP flaw. WEP is only recommended if there are client devices incapable of using higher forms of security. The existing 802.11 standard alone offers administrators no effective method to update keys.
  key <1-4> hex [0 <WORD>|2 <WORD>]   Configures the WEP128 key. A total of four keys can be configured.
    <1-4>   Select the key index from 1 - 4.
    hex   Configures a hexadecimal key
    0 <WORD>   Configures a clear text key
    2 <WORD>   Configures an encrypted key
    The following parameter is common to both clear-text and encrypted key options:
    <WORD>   Specify the WEP128/Keyguard key (should not exceed 26 hexadecimal characters in length).
  transmit-key <1-4>   Configures transmit WEP/Keyguard key settings
    <1-4>   Transmit the key identified by the key index specified here. Specify the index from 1 - 4.

Example
rfs6000-81742D(config-rf-domain-default)#override-wlan test vlan-pool 2 limit 20
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#
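Because an RF Domain override silently replaces a WLAN's security settings (PSK, WEP keys) for every AP in the domain, it is worth checking such lines against the constraints this section states before they are committed. The Python below is an added example, not code from the guide or from WiNG: it enforces only the limits given above (names up to 32 characters, VLAN 1-4094, limit 0-8192, PSK of 8-64 ASCII or 64 hex characters, WEP128 keys of at most 26 hex characters, key and transmit-key indexes 1-4) and flags any WEP128 override, since the guide itself calls WEP flawed. The audit_rf_domain() helper and SAMPLE_CONTEXT are constructed for this example.

```python
"""Added example (not from the WiNG CLI guide): pre-commit checks for the
override-wlan forms documented in this section."""
import re
import shlex

_HEX = re.compile(r"^[0-9a-fA-F]+$")


def _in_range(text, lo, hi):
    return text.isdigit() and lo <= int(text) <= hi


def audit_override_wlan(line):
    """Return [(severity, message), ...] for one override-wlan command line;
    an empty list means every documented constraint was satisfied."""
    try:
        tok = shlex.split(line)  # honours a "quoted passphrase with spaces"
    except ValueError as exc:
        return [("error", f"unbalanced quotes: {exc}")]
    if len(tok) < 3 or tok[0] != "override-wlan":
        return [("error", "not an override-wlan command")]
    wlan, sub, args = tok[1], tok[2], tok[3:]
    findings = []
    if len(wlan) > 32:
        findings.append(("error", f"WLAN name {wlan!r} exceeds 32 characters"))

    if sub == "wpa-wpa2-psk":
        if len(args) != 2 or args[0] not in ("0", "2"):
            findings.append(("error", "usage: wpa-wpa2-psk [0 <WORD>|2 <WORD>]"))
        elif args[0] == "0":  # clear-text form: apply the guide's length rule
            key = args[1]
            ok = (len(key) == 64 and _HEX.match(key)) or (key.isascii() and 8 <= len(key) <= 64)
            if not ok:
                findings.append(("error", "PSK must be 8-64 ASCII characters or 64 hex characters"))
        # "2 <WORD>" is the encrypted form; the guide documents no format for it.
    elif sub == "wep128":
        findings.append(("warning", f"WLAN {wlan}: WEP128 override; the guide recommends "
                                    "WEP only for clients unable to use stronger security"))
        if args[:1] == ["transmit-key"]:
            if len(args) != 2 or not _in_range(args[1], 1, 4):
                findings.append(("error", "transmit-key index must be 1-4"))
        elif args[:1] == ["key"] and len(args) == 5 and args[2] == "hex" and args[3] in ("0", "2"):
            if not _in_range(args[1], 1, 4):
                findings.append(("error", "WEP key index must be 1-4"))
            if args[3] == "0" and not (_HEX.match(args[4]) and len(args[4]) <= 26):
                findings.append(("error", "clear-text WEP128 key must be at most 26 hex characters"))
        else:
            findings.append(("error", "usage: wep128 [key <1-4> hex [0 <WORD>|2 <WORD>]|transmit-key <1-4>]"))
    elif sub == "vlan-pool":
        if not args or not _in_range(args[0], 1, 4094):
            findings.append(("error", "vlan-pool VLAN ID must be 1-4094"))
        if len(args) > 1 and (args[1] != "limit" or len(args) != 3 or not _in_range(args[2], 0, 8192)):
            findings.append(("error", "vlan-pool limit must be 0-8192"))
    elif sub in ("ssid", "template"):
        if len(args) != 1 or len(args[0]) > 32:
            findings.append(("error", f"{sub} takes one value of at most 32 characters"))
    elif sub != "shutdown":
        findings.append(("error", f"unknown override-wlan keyword {sub!r}"))
    return findings


# Constructed show-context style dump (not device output); the PSK and WEP
# values are deliberately invalid or weak so that the audit has something to report.
SAMPLE_CONTEXT = """\
rf-domain default
 contact Bob+14082778691
 country-code us
 override-wlan test vlan-pool 2 limit 20
 override-wlan legacy wep128 key 1 hex 0 0123456789abcdef0123456789
 override-wlan legacy wep128 transmit-key 1
 override-wlan guest wpa-wpa2-psk 0 short
"""


def audit_rf_domain(text):
    """Audit every override-wlan line in a show-context dump.
    Returns {line: findings} for the lines that produced at least one finding."""
    report = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("override-wlan"):
            findings = audit_override_wlan(line)
            if findings:
                report[line] = findings
    return report
```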
Related Commands
no   Resets the override WLAN settings to their default

4.1.79.2.15 sensor-server
rf-domain-mode commands

Configures an AirDefense sensor server on this RF Domain. Sensor servers allow network administrators to monitor and download data from multiple sensors at remote locations using Ethernet TCP/IP or serial communications. This enables administrators to respond quickly to interference and coverage problems.
The Wireless Intrusion Protection System (WIPS) protects the controller managed network, wireless clients and access point radio traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgement of a threat.
In addition to dedicated AirDefense sensors, an access point radio can function as a sensor and upload information to a dedicated WIPS server (external to the controller). Unique WIPS server configurations can be used by RF Domains to ensure a WIPS server configuration is available to support the unique data protection needs of individual RF Domains.
WIPS is not supported on a WLAN basis; rather, sensor functionality is supported on the access point radio(s) available to each controller managed WLAN. When an access point radio is functioning as a WIPS sensor, it is able to scan in sensor mode across all legal channels within the 2.4 and 5.0 GHz bands.
Sensor support requires an AirDefense WIPS server on the network. Sensor functionality is not provided by the access point alone. The access point works in conjunction with a dedicated WIPS server.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

Parameters
sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}
  sensor-server <1-3>   Configures an AirDefense sensor server's parameters
    <1-3>   Select the server ID from 1 - 3. The server with the lowest defined ID is reached first. The default is 1.
  ip <IP/HOSTNAME>   Configures the (non DNS) IPv4 address of the sensor server
    <IP/HOSTNAME>   Specify the sensor server's IPv4 address or hostname.
  port [443|<1-65535>]   Optional. Configures the sensor server port. The options are:
    443   Configures port 443, the default port used by the AirDefense server. This is the default setting.
    <1-65535>   Allows you to select a WIPS/AirDefense sensor server port from 1 - 65535.

Example
rfs6000-81742D(config-rf-domain-default)#sensor-server 2 ip 172.16.10.3 port 443
rfs6000-81742D(config-rf-domain-default)#show context
rf-domain default
 contact Bob+14082778691
 country-code us
 sensor-server 2 ip 172.16.10.3
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
rfs6000-81742D(config-rf-domain-default)#
Related Commands
  no    Disables AirDefense sensor server parameters

4.1.79.2.16 stats
rf-domain-mode commands

Configures stats settings that define how RF Domain statistics are updated.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  stats update-interval
  stats update-interval [<5-300>|auto]
Parameters
  stats update-interval [<5-300>|auto]

  stats update-interval
      Configures stats related settings on this RF Domain
  [<5-300>|auto]
      Configures the interval at which RF Domain statistics are updated. The options are:
      <5-300>  Specify an update interval from 5 - 300 seconds.
      auto     The RF Domain manager automatically adjusts the update interval based on the load. This is the default setting.

Example
  rfs6000-81742D(config-rf-domain-default)#stats update-interval 200
  rfs6000-81742D(config-rf-domain-default)#show context
  rf-domain default
   contact Bob+14082778691
   stats update-interval 200
   country-code us
   sensor-server 2 ip 172.16.10.3
   override-smartrf channel-list 2.4GHz 1,2,3
   override-wlan test vlan-pool 2 limit 20
   layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
  rfs6000-81742D(config-rf-domain-default)#
Related Commands
  no    Resets stats related settings

4.1.79.2.17 timezone
rf-domain-mode commands

Configures the RF Domain's geographic time zone. By default all WiNG devices are shipped with the time zone and time format set to Universal Time Coordinated (UTC) and 24-hour clock respectively. If the time zone is not reset, all devices within the RF Domain will display time relative to UTC (Greenwich Time). Resetting the time zone is recommended, especially for RF Domains deployed across different geographical locations.

The time zone can either be set on a specific device or on an RF Domain. When configured as an RF Domain setting, it applies to all devices within the domain. For more information on configuring the time zone on a device, see timezone.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  timezone <TIMEZONE>

Parameters
  timezone <TIMEZONE>

  timezone <TIMEZONE>
      Specify the RF Domain's time zone. The configured time zone will apply to all devices within the selected RF Domain.

Example
  rfs6000-81742D(config-rf-domain-default)#timezone America/Los_Angeles
  rfs6000-81742D(config-rf-domain-default)#show context
  rf-domain default
   contact Bob+14082778691
   timezone America/Los_Angeles
   stats update-interval 200
   country-code us
   sensor-server 2 ip 172.16.10.3
   override-smartrf channel-list 2.4GHz 1,2,3
   override-wlan test vlan-pool 2 limit 20
   layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
  rfs6000-81742D(config-rf-domain-default)#
The built-in WiNG time zones are:
  nx9500-6C8809(config-rf-domain-test)#timezone <TAB>
  Africa/   Asia/   Atlantic/   Australia/   CET   CST6CDT   EET   EST5EDT   Etc/   Europe/   MST7MDT   Pacific/
  PST8PDT   US/   America/
  nx9500-6C8809(config-rf-domain-test)#

Each of these time zones is further differentiated into sub time zones, as shown in the following example:
  nx9500-6C8809(config-rf-domain-test)#timezone Africa/
  Africa/Cairo   Africa/Casablanca   Africa/Harare   Africa/Johannesburg   Africa/Lagos   Africa/Nairobi
  nx9500-6C8809(config-rf-domain-test)#
Related Commands
  no    Removes an RF Domain's time zone

4.1.79.2.18 tree-node
rf-domain-mode commands

Configures the hierarchical (tree-node) structure under which this RF Domain is located.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  tree-node [campus|city|country|region] {(campus|city|country|region)}
Parameters
  tree-node [campus|city|country|region] {(campus|city|country|region)}

  tree-node
      Configures the hierarchical tree structure defining the RF Domain's location. The tree node hierarchy can be configured in any order, but will always appear as: country > region > city > campus. Further, a higher node, such as country, cannot be defined under a lower node, such as region. An RF Domain can be placed under any one of the tree nodes. An RF Domain at the country level may have all four nodes defined, whereas an RF Domain restricted to a campus cannot have the country, city, and region nodes. At least one of these four nodes must be defined. This feature is disabled by default.
  campus     Configures the campus name for this RF Domain
  city       Configures the city for this RF Domain
  country    Configures the country for this RF Domain
  region     Configures the region for this RF Domain

Usage Guidelines
  The following points need to be taken into consideration when creating the tree-node structure:
  - Adding a country first is a good idea since region, city, and campus can all be added as sub-nodes in the tree structure. However, the selected country is an invalid tree node until an RF Domain is mapped.
  - A city and campus can be added in the tree structure as sub-nodes under a region. An RF Domain can be mapped anywhere down the hierarchy for a region and not just directly under a country. For example, a region can have a city, a campus, and one RF Domain mapped.
  - Only a campus can be added as a sub-node under a city. The city is an invalid tree node until an RF Domain is mapped somewhere within the directory tree.
  - A campus is the last node in the hierarchy before an RF Domain, and it is not valid unless it has an RF Domain mapped.
  - After creating the tree structure, do a commit and save for the tree configuration to take effect and persist across reboots.

Example
  rfs4000-229D58(config-rf-domain-test)#tree-node campus EcoSpace City Bangalore country India region South
  rfs4000-229D58(config-rf-domain-test)#
  rfs4000-229D58(config-rf-domain-test)#show context
  rf-domain test
   country-code in
   tree-node country India region South city Bangalore campus EcoSpace
  rfs4000-229D58(config-rf-domain-test)#
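The ordering rule above, as an added example that is not code from the guide or from WiNG: a Python helper that accepts the tree-node keywords in any order and renders the line the way show context lists it (country > region > city > campus), rejecting an empty, odd or repeated node list. Treating keywords case-insensitively is an assumption drawn from the example, where "City" is stored as "city".

```python
"""Normalise WiNG ``tree-node`` arguments into the order 'show context' uses.

Added example; not code from the CLI reference guide. It implements the rule
stated above: keywords may be typed in any order but the stored form is
always country > region > city > campus, and at least one node is required.
Case-insensitive keywords are an assumption based on the guide's example.
"""

# Highest to lowest level of the location hierarchy.
HIERARCHY = ("country", "region", "city", "campus")


def parse_tree_node(args):
    """Turn ['campus', 'EcoSpace', 'country', 'India', ...] into {level: name}.

    Raises ValueError on an odd token count, an unknown keyword, a repeated
    keyword, or an empty node list.
    """
    tokens = list(args)
    if len(tokens) % 2:
        raise ValueError("tree-node expects keyword/value pairs")
    nodes = {}
    for keyword, name in zip(tokens[0::2], tokens[1::2]):
        level = keyword.lower()
        if level not in HIERARCHY:
            raise ValueError(f"unknown tree-node keyword {keyword!r}")
        if level in nodes:
            raise ValueError(f"tree-node keyword {keyword!r} given twice")
        nodes[level] = name
    if not nodes:
        raise ValueError("at least one of country/region/city/campus is required")
    return nodes


def is_valid_tree_node(args):
    """True when the argument list would be accepted by parse_tree_node."""
    try:
        parse_tree_node(args)
    except ValueError:
        return False
    return True


def canonical_tree_node(args):
    """Render the line exactly as 'show context' lists it (country first)."""
    nodes = parse_tree_node(args)
    parts = ["tree-node"]
    for level in HIERARCHY:
        if level in nodes:
            parts.extend([level, nodes[level]])
    return " ".join(parts)


def placement_level(args):
    """Lowest defined node, i.e. the node the RF Domain is placed under."""
    nodes = parse_tree_node(args)
    return [level for level in HIERARCHY if level in nodes][-1]


def parse_tree_node_line(line):
    """Parse a 'tree-node ...' line as typed at the CLI or shown by show context."""
    tokens = line.split()
    if not tokens or tokens[0] != "tree-node":
        raise ValueError("not a tree-node line")
    return parse_tree_node(tokens[1:])


if __name__ == "__main__":
    # The command from the example above, typed with the nodes out of order.
    typed = ["campus", "EcoSpace", "City", "Bangalore", "country", "India", "region", "South"]
    print(canonical_tree_node(typed))   # country India region South city Bangalore campus EcoSpace
    print(placement_level(typed))       # campus
```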
Related Commands
  no    Removes the RF Domain's tree-node configuration

4.1.79.2.19 use
rf-domain-mode commands

Associates the following with an RF Domain: database policy, NSight policy, sensor policy, Smart RF policy, WIPS policy, RTL server policy, and Web filtering license.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use [database-policy|license|nsight-policy|rtl-server-policy|sensor-policy|smart-rf-policy|wips-policy]

  use [database-policy <DATABASE-POLICY-NAME>|license <WEB-FILTERING-LICENSE>|
       nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-POLICY-NAME>|
       sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|
       wips-policy <WIPS-POLICY-NAME>]

Parameters
  use [database-policy <DATABASE-POLICY-NAME>|license <WEB-FILTERING-LICENSE>|
       nsight-policy <NSIGHT-POLICY-NAME>|rtl-server-policy <RTL-SERVER-POLICY-NAME>|
       sensor-policy <SENSOR-POLICY-NAME>|smart-rf-policy <SMART-RF-POLICY-NAME>|
       wips-policy <WIPS-POLICY-NAME>]
  use
      Associates the following policies with the RF Domain: database policy, NSight policy, sensor policy, Smart RF policy, WIPS policy. It also applies a Web filtering license to the selected RF Domain.
  database-policy <DATABASE-POLICY-NAME>
      Associates a database policy with the selected RF Domain
      <DATABASE-POLICY-NAME>  Specify the database policy name (should be existing and configured).
  license <WEB-FILTERING-LICENSE>
      Obtains the specified Web filtering license from the adopting controller
      <WEB-FILTERING-LICENSE>  Specify the WEBF license name.
  nsight-policy <NSIGHT-POLICY-NAME>
      Associates an NSight policy with this RF Domain
      <NSIGHT-POLICY-NAME>  Specify the NSight policy name (should be existing and configured). When applied, it enables the RF Domain manager to gather statistical data from access points within the domain and forward it to the NOC running the NSight server. For information on configuring an NSight policy, see nsight-policy.
  rtl-server-policy <RTL-SERVER-POLICY-NAME>
      Associates a Real Time Locationing (RTL) server policy with the selected RF Domain
      <RTL-SERVER-POLICY-NAME>  Specify the RTL server policy name (should be existing and configured).
  sensor-policy <SENSOR-POLICY-NAME>
      Associates a sensor policy with the selected RF Domain
      <SENSOR-POLICY-NAME>  Specify the sensor policy name (should be existing and configured).
  smart-rf-policy <SMART-RF-POLICY-NAME>
      Associates a Smart RF policy. When associated, the Smart RF policy provides automatic recovery from coverage loss (due to a failed or faulty radio) by instructing neighboring access points to increase their transmit power. Once correct access point placement has been established, Smart RF can optionally be leveraged for automatic detector radio selection. Smart RF uses detector radios to monitor RF events to ensure availability of adequate detector coverage.
      <SMART-RF-POLICY-NAME>  Specify the Smart RF policy name (should be existing and configured). For more information on configuring a Smart RF policy, see SMART-RF-POLICY.
  wips-policy <WIPS-POLICY-NAME>
      Associates a WIPS policy. A WIPS policy provides protection against wireless threats and acts as a key layer of security complementing wireless VPNs, encryption and authentication. A WIPS policy uses a dedicated sensor for actively detecting and locating rogue AP devices. After detection, WIPS uses mitigation techniques to block the devices by manual termination, air lockdown, or port suppression.
      <WIPS-POLICY-NAME>  Specify the WIPS policy name (should be existing and configured). For more information on configuring a WIPS policy, see WIPS-POLICY.

Example
  rfs6000-81742D(config-rf-domain-default)#use smart-rf-policy Smart-RF1
  rfs6000-81742D(config-rf-domain-default)#use wips-policy WIPS1
  rfs6000-81742D(config-rf-domain-default)#show context
  rf-domain default
   contact Bob+14082778691
   timezone America/Los_Angeles
   stats update-interval 200
   country-code us
   use smart-rf-policy Smart-RF1
   use wips-policy WIPS1
   sensor-server 2 ip 172.16.10.3
   override-smartrf channel-list 2.4GHz 1,2,3
   override-wlan test vlan-pool 2 limit 20
   layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
  rfs6000-81742D(config-rf-domain-default)#
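Added example, not code from the guide or from WiNG: a Python parser for the rf-domain block of show context output, covering the sensor-server, stats update-interval, timezone and use commands documented above. It fills in the defaults those sections state when a line is absent (sensor-server port 443, stats update-interval auto, time zone UTC), orders sensor servers by ID since the lowest ID is reached first, and reports values outside the documented ranges. The sample context is the one from the use example above; the hypothetical second context in the usage test is constructed.

```python
"""Parse the rf-domain block of WiNG 'show context' output.

Added example; not code from the CLI reference guide. Defaults applied when a
line is absent follow the guide: sensor-server port 443, stats
update-interval auto, time zone UTC.
"""
import re

# Sample input: the rf-domain context shown in the 'use' example above.
SAMPLE_CONTEXT = """\
rf-domain default
 contact Bob+14082778691
 timezone America/Los_Angeles
 stats update-interval 200
 country-code us
 use smart-rf-policy Smart-RF1
 use wips-policy WIPS1
 sensor-server 2 ip 172.16.10.3
 override-smartrf channel-list 2.4GHz 1,2,3
 override-wlan test vlan-pool 2 limit 20
 layout area Ecospace floor Floor1 map-location www.firstfloor.com units meters
"""

# sensor-server <1-3> ip <IP/HOSTNAME> {port <1-65535>}; 'show context' omits
# the port when it is the default 443 (as in the example above).
SENSOR_RE = re.compile(r"^sensor-server (\d+) ip (\S+)(?: port (\d+))?$")


def parse_rf_domain_context(text):
    """Return a dict describing the RF Domain, with documented defaults filled in."""
    ctx = {
        "name": None,
        "timezone": "UTC",                 # guide: devices ship set to UTC
        "stats_update_interval": "auto",   # guide: auto is the default
        "sensor_servers": [],
        "use": {},                         # policy type -> policy name
        "other": [],                       # lines this parser does not model
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("rf-domain "):
            ctx["name"] = line.split(None, 1)[1]
            continue
        m = SENSOR_RE.match(line)
        if m:
            sid, host, port = m.groups()
            ctx["sensor_servers"].append(
                {"id": int(sid), "ip": host, "port": int(port) if port else 443})
            continue
        if line.startswith("timezone "):
            ctx["timezone"] = line.split(None, 1)[1]
            continue
        if line.startswith("stats update-interval "):
            value = line.split()[2]
            ctx["stats_update_interval"] = value if value == "auto" else int(value)
            continue
        parts = line.split()
        if parts[0] == "use" and len(parts) == 3:
            ctx["use"][parts[1]] = parts[2]
            continue
        ctx["other"].append(line)
    # The server with the lowest defined ID is reached first.
    ctx["sensor_servers"].sort(key=lambda s: s["id"])
    return ctx


def sensor_server_order(ctx):
    """host:port of each sensor server in the order the RF Domain reaches them."""
    return [f'{s["ip"]}:{s["port"]}' for s in ctx["sensor_servers"]]


def review(ctx):
    """Observations a reviewer would want, each derived from a rule in the guide."""
    notes = []
    if ctx["timezone"] == "UTC":
        notes.append("timezone not set: devices in this RF Domain display time relative to UTC")
    for s in ctx["sensor_servers"]:
        if not 1 <= s["id"] <= 3:
            notes.append(f"sensor-server id {s['id']} is outside the valid range 1-3")
        if s["port"] != 443:
            notes.append(f"sensor-server {s['id']} uses non-default port {s['port']}")
    interval = ctx["stats_update_interval"]
    if interval != "auto" and not 5 <= interval <= 300:
        notes.append(f"stats update-interval {interval} is outside the valid range 5-300")
    return notes


if __name__ == "__main__":
    parsed = parse_rf_domain_context(SAMPLE_CONTEXT)
    print(parsed["name"], parsed["timezone"], sensor_server_order(parsed))
    for note in review(parsed):
        print("-", note)
```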
Related Commands
  no                 Resets profiles used with this RF Domain
  sensor-server      Configures an AirDefense sensor server on this RF Domain
  wips-policy        Configures a WIPS policy
  smart-rf-policy    Configures a Smart RF policy

4.1.80 rfs6000
Global Configuration Commands

Adds an RFS6000 wireless controller to the network.

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  rfs6000 <DEVICE-RFS6000-MAC>

Parameters
  rfs6000 <DEVICE-RFS6000-MAC>

  <DEVICE-RFS6000-MAC>    Specify the RFS6000's MAC address.

Example
  rfs6000-81742D(config)#rfs6000 11-20-30-40-50-61
  rfs6000-81742D(config-device-11-20-30-40-50-61)#
Related Commands
  no    Removes an RFS6000 wireless controller from the network

4.1.81 rfs4000
Global Configuration Commands

Adds an RFS4000 wireless controller to the network.

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  rfs4000 <DEVICE-RFS4000-MAC>

Parameters
  rfs4000 <DEVICE-RFS4000-MAC>

  <DEVICE-RFS4000-MAC>    Specify the RFS4000's MAC address.

Example
  rfs6000-81742D(config)#rfs4000 10-20-30-40-50-60
  rfs6000-81742D(config-device-10-20-30-40-50-60)#
Related Commands
  no    Removes an RFS4000 wireless controller from the network

4.1.82 nx5500
Global Configuration Commands

Adds an integrated NX5500 series service platform to the network. If a profile for this service platform is not available, a new profile is created.

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  nx5500 <DEVICE-NX5500-MAC>

Parameters
  nx5500 <DEVICE-NX5500-MAC>

  <DEVICE-NX5500-MAC>    Specifies the MAC address of an NX5500 series service platform.

Example
  nx9500-6C8809(config)#nx5500 B4-C7-02-3C-FA-6E
  nx9500-6C8809(config-device-B4-C7-02-3C-FA-6E)#
Related Commands
  no    Removes an NX5500 series service platform from the network

4.1.83 nx75xx
Global Configuration Commands

Adds an integrated NX75XX series service platform to the network. If a profile for the service platform is not available, a new profile is created.

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: In this guide, NX7500, NX7510, NX7520, and NX7530 are collectively represented as an NX75XX series service platform.

Syntax
  nx75xx <DEVICE-NX75XX-MAC>

Parameters
  nx75xx <DEVICE-NX75XX-MAC>

  <DEVICE-NX75XX-MAC>    Specifies the MAC address of an NX75XX series service platform.

Example
  nx9500-6C8809(config)#nx75xx B4-C9-81-6C-FA-7C
  nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#show context
  nx75xx B4-C9-81-6C-FA-7C
   use profile default-nx75xx
   use rf-domain default
   hostname nx75xx-6CFA7C
  nx9500-6C8809(config-device-B4-C9-81-6C-FA-7C)#
  nx75xx-6CFA7C>show adoption status
  Adopted by:
  Type         : nx9000
  System Name  : nx9500-6C8809
  MAC address  : B4-C7-99-6C-88-09
  MiNT address : 19.6C.88.09
  Time         : 1 days 01:57:50 ago

  Adopted Devices:
  ---------------------------------------------------------------------------------------
  DEVICE-NAME    VERSION       CFG-STAT    MSGS   ADOPTED-BY      LAST-ADOPTION     UPTIME
  ---------------------------------------------------------------------------------------
  ap7131-11E6C4  5.8.6.0-008B  configured  No     nx75xx-6CFA7C   1 days 01:49:44   1 days 01:59:34
  ---------------------------------------------------------------------------------------
  Total number of devices displayed: 1
  nx75xx-6CFA7C>
Related Commands
  no    Removes an NX75XX series service platform from the network

4.1.84 nx9000
Global Configuration Commands

Adds an NX95XX series service platform to the network.

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  nx9000 <DEVICE-NX95XX-MAC>

Parameters
  nx9000 <DEVICE-NX95XX-MAC>

  <DEVICE-NX95XX-MAC>    Specifies the MAC address of an NX95XX series service platform.

Example
  nx9500-6C8809(config)#nx9000 B4-C7-89-7C-81-08
  nx9500-6C8809(config-device-B4-C7-89-7C-81-08)#
Related Commands
  no    Removes an NX95XX series service platform from the network

4.1.85 roaming-assist-policy
Global Configuration Commands

Configures a roaming assist policy that enables access points to assist wireless clients in making roaming decisions, such as which access point to connect to.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  roaming-assist-policy <POLICY-NAME>

Parameters
  roaming-assist-policy <POLICY-NAME>

  <POLICY-NAME>    Specify the roaming assist policy name. If the policy does not exist, it is created.

Example
  rfs6000-81742D(config)#roaming-assist-policy testPolicy
  rfs6000-81742D(config-roaming-assist-policy-testPolicy)#?
  Roaming Assist Mode commands:
    action               Configure action - action is either to log / deauth
    aggressiveness       Configure the roaming aggressiveness for a wireless client
    detection-threshold  Configure the detection threshold - when exceeded, client monitoring starts
    disassoc-time        Configure the disassociation time - time after which a disassociation is sent
    handoff-count        Configure the handoff count - number of times client can exceed handoff threshold
    handoff-threshold    Configure the handoff threshold - when exceeds an action is taken.
    monitoring-interval  Configure the monitoring interval - interval at which client monitoring occurs
    no                   Negate a command or set its defaults
    sampling-interval    Configure the sampling interval - interval at which client rssi values are checked

    clrscr               Clears the display screen
    commit               Commit all changes made in this session
    end                  End current mode and change to EXEC mode
    exit                 End current mode and down to previous mode
    help                 Description of the interactive help system
    revert               Revert changes
    service              Service Commands
    show                 Show running system information
    write                Write running configuration to memory or terminal

  rfs6000-81742D(config-roaming-assist-policy-testPolicy)#
Related Commands
  no    Removes an existing roaming assist policy

NOTE: For more information on roaming assist policy commands, see Chapter 30, ROAMING ASSIST POLICY.

4.1.86 role-policy
Global Configuration Commands

Configures a role-based firewall policy.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  role-policy <ROLE-POLICY-NAME>

Parameters
  role-policy <ROLE-POLICY-NAME>

  <ROLE-POLICY-NAME>    Specify the role policy name. If the policy does not exist, it is created.

Example
  rfs6000-81742D(config)#role-policy role1
  rfs6000-81742D(config-role-policy-role1)#?
  Role Policy Mode commands:
    default-role     Configuration for Wireless Clients not matching any role
    ldap-deadperiod  Ldap dead period interval
    ldap-query       Set the ldap query mode
    ldap-server      Add a ldap server
    ldap-timeout     Ldap query timeout interval
    no               Negate a command or set its defaults
    user-role        Create a role

    clrscr           Clears the display screen
    commit           Commit all changes made in this session
    do               Run commands from Exec mode
    end              End current mode and change to EXEC mode
    exit             End current mode and down to previous mode
    help             Description of the interactive help system
    revert           Revert changes
    service          Service Commands
    show             Show running system information
    write            Write running configuration to memory or terminal

  rfs6000-81742D(config-role-policy-role1)#
Related Commands
  no    Removes an existing role policy

NOTE: For more information on role policy commands, see Chapter 18, ROLE-POLICY.

4.1.87 route-map
Global Configuration Commands

Creates a dynamic BGP route map and enters its configuration mode. BGP route maps are used by network administrators to define rules controlling the redistribution of routes between routers and routing processes. These route maps are also used to control and modify routing information.

Supported in the following platforms:
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9600, VX9000

Syntax
  route-map <ROUTE-MAP-NAME>

Parameters
  route-map <ROUTE-MAP-NAME>

  route-map <ROUTE-MAP-NAME>    Creates a new BGP route map and enters its configuration mode

Example
  nx9500-6C8809(config)#route-map test
  nx9500-6C8809(config-dr-route-map-test)#?
  Route Map Mode commands:
    deny     Add a deny route map rule to deny set operations
    no       Negate a command or set its defaults
    permit   Add a permit route map rule to permit set operations

    clrscr   Clears the display screen
    commit   Commit all changes made in this session
    do       Run commands from Exec mode
    end      End current mode and change to EXEC mode
    exit     End current mode and down to previous mode
    help     Description of the interactive help system
    revert   Revert changes
    service  Service Commands
    show     Show running system information
    write    Write running configuration to memory or terminal

  nx9500-6C8809(config-dr-route-map-test)#
Related Commands
  no    Removes an existing dynamic BGP route map

NOTE: For more information on BGP route maps, see Chapter 28, BORDER GATEWAY PROTOCOL.

4.1.88 routing-policy
Global Configuration Commands

Configures a routing policy.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  routing-policy <ROUTING-POLICY-NAME>

Parameters
  routing-policy <ROUTING-POLICY-NAME>

  <ROUTING-POLICY-NAME>    Specify the routing policy name. If the policy does not exist, it is created.

Example
  rfs6000-81742D(config)#routing-policy TestRoutingPolicy
  rfs6000-81742D(config-routing-policy-TestRoutingPolicy)#?
  Routing Policy Mode commands:
    apply-to-local-packets  Use Policy Based Routing for packets generated by the device
    logging                 Enable logging for this Route Map
    no                      Negate a command or set its defaults
    route-map               Create a Route Map
    use                     Set setting to use

    clrscr                  Clears the display screen
    commit                  Commit all changes made in this session
    do                      Run commands from Exec mode
    end                     End current mode and change to EXEC mode
    exit                    End current mode and down to previous mode
    help                    Description of the interactive help system
    revert                  Revert changes
    service                 Service Commands
    show                    Show running system information
    write                   Write running configuration to memory or terminal

  rfs6000-81742D(config-routing-policy-TestRoutingPolicy)#
Related Commands
  no    Removes an existing routing policy

NOTE: For more information on routing policy commands, see Chapter 24, ROUTING-POLICY.

4.1.89 rtl-server-policy
Global Configuration Commands

The following table lists the Real Time Locationing (RTL) server policy configuration commands:
Table 4.45 RTL-Server-Policy Config Command
  Command                          Description                                                        Reference
  rtl-server-policy                Configures an RTL server policy and enters its configuration mode  page 4-414
  rtl-server-policy-mode commands  Summarizes RTL server policy configuration mode commands           page 4-416

4.1.89.1 rtl-server-policy
rtl-server-policy

Creates an RTL server policy and enters its configuration mode. When configured and applied on an access point (AP7522, AP7532, AP8432, AP8533), this policy enables the sending of RSSI feeds from the access point to a third-party Euclid server. The RTL server policy provides the exact location (URL) of the Euclid server. The RSSI feeds sent are as per the sensor-policy configured and applied on the access point. Therefore, ensure that a sensor-policy, with the rssi-interval-duration specified, exists, is configured, and is applied on the access points.

To initiate RSSI feed posts to the Euclid locationing server, use the RTL server policy in the:
  - AP's device/profile context, or
  - AP's RF Domain context.

Supported in the following platforms:
  Access Points         AP7522, AP7532, AP8432, AP8533
  Wireless Controllers  RFS4000
  Service Platforms     NX9500, NX9510, NX9600, VX9000

Syntax
  rtl-server-policy <RTL-POLICY-NAME>

Parameters
  rtl-server-policy <RTL-POLICY-NAME>

  <RTL-SERVER-POLICY-NAME>    Specify the RTL server policy name. If an RTL server policy with the specified name does not exist, it is created.

Example
  nx9500-6C8809(config)#rtl-server-policy test
  nx9500-6C8809(config-rtl-server-policy-test)#?
  RTL Server Policy Mode commands:
    no       Negate a command or set its defaults
    url      Configure the url to send the real time RSSI feed to

    clrscr   Clears the display screen
    commit   Commit all changes made in this session
    do       Run commands from Exec mode
    end      End current mode and change to EXEC mode
    exit     End current mode and down to previous mode
    help     Description of the interactive help system
    revert   Revert changes
    service  Service Commands
    show     Show running system information
    write    Write running configuration to memory or terminal

  nx9500-6C8809(config-rtl-server-policy-test)#
Related Commands
  no
      Removes an existing RTL server policy
  use (profile/device configuration mode command)
      Documents the use command in a device's profile or device configuration context. Use this option to associate this RTL server policy with an access point's profile or device.
  use (RF Domain configuration mode command)
      Documents the use command in the RF Domain configuration context. Use this option to associate this RTL server policy with an RF Domain. When associated, the policy is applied to all access points within the RF Domain.

4.1.89.2 rtl-server-policy-mode commands
rtl-server-policy

The following table summarizes the RTL server policy configuration mode commands:

Table 4.46 RTL-Server-Policy Mode Commands
  Command  Description                                          Reference
  url      Configures the third-party Euclid RTL server's URL   page 4-417
  no       Removes the Euclid RTL server's URL configuration    page 4-418

4.1.89.2.1 url
rtl-server-policy-mode commands

Configures the third-party Euclid RTL server's exact location. This is the URL at which the server can be reached.

Supported in the following platforms:
  Access Points         AP7522, AP7532, AP8432, AP8533
  Wireless Controllers  RFS4000
  Service Platforms     NX9500, NX9510, NX9600, VX9000

Syntax
  url <URL>

Parameters
  url <URL>

  url <URL>
      Configures the Euclid server's URL
      <URL>  Specify the URL.

Example
  nx9500-6C8809(config-rtl-server-policy-test)#url https://testrtlsever.com
  nx9500-6C8809(config-rtl-server-policy-test)#show context
  rtl-server-policy test
   url https://testrtlsever.com
  nx9500-6C8809(config-rtl-server-policy-test)#
Related Commands
  no    Removes the Euclid server's configured URL

4.1.89.2.2 no
rtl-server-policy-mode commands

Removes the Euclid locationing server's URL configuration.

Supported in the following platforms:
  Access Points         AP7522, AP7532, AP8432, AP8533
  Wireless Controllers  RFS4000
  Service Platforms     NX9500, NX9510, NX9600, VX9000

Syntax
  no url

Parameters
  no url

  no url    Removes the Euclid server's URL

Example
  The following example displays the RTL server policy 'test' settings before the no command is executed:
  nx9500-6C8809(config-rtl-server-policy-test)#show context
  rtl-server-policy test
   url https://testrtlsever.com
  nx9500-6C8809(config-rtl-server-policy-test)#
  nx9500-6C8809(config-rtl-server-policy-test)#no url

  The following example displays the RTL server policy 'test' settings after the no command is executed:
  nx9500-6C8809(config-rtl-server-policy-test)#show context
  rtl-server-policy test
  nx9500-6C8809(config-rtl-server-policy-test)#
4.1.90 schedule-policy
Global Configuration Commands

The following table summarizes the config schedule policy commands:

Table 4.47 Schedule-Policy Config Commands
  Command                        Description                                               Reference
  schedule-policy                Creates a schedule policy and enters its configuration mode  page 4-420
  schedule-policy-mode commands  Lists schedule policy configuration mode commands         page 4-421

4.1.90.1 schedule-policy
schedule-policy

Creates a schedule policy and enters its configuration mode. A schedule policy strategically enforces application filter policy rules during administrator assigned intervals.

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  schedule-policy <SCHEDULE-POLICY-NAME>

Parameters
  schedule-policy <SCHEDULE-POLICY-NAME>

  schedule-policy <SCHEDULE-POLICY-NAME>
      Specify the schedule policy name. If the policy does not exist, it is created. The name should not exceed 32 characters in length.

Example
  nx9500-6C8809(config)#schedule-policy test
  nx9500-6C8809(config-schedule-policy-test)#?
  Schedule Policy Mode commands:
    description  Schedule policy description
    no           Negate a command or set its defaults
    time-rule    Configure a time rule

    clrscr       Clears the display screen
    commit       Commit all changes made in this session
    do           Run commands from Exec mode
    end          End current mode and change to EXEC mode
    exit         End current mode and down to previous mode
    help         Description of the interactive help system
    revert       Revert changes
    service      Service Commands
    show         Show running system information
    write        Write running configuration to memory or terminal

  nx9500-6C8809(config-schedule-policy-test)#
Related Commands no Removes an existing schedule policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 420 GLOBAL CONFIGURATION COMMANDS 4.1.90.2 schedule-policy-mode commands schedule-policy The following table summarizes schedule-policy configuration mode commands:
Table 4.48 Schedule-Policy-Config-Mode Commands

Command       Description                                                                                                                          Reference
description   Configures a description for this schedule policy that differentiates it from other policies with similar time rule configurations   page 4-422
time-rule     Configures a time rule specifying the days and optionally the start and end times                                                    page 4-423
no            Removes the selected schedule policy's settings                                                                                      page 4-425

4.1.90.2.1 description
schedule-policy-mode commands

Configures a description for this schedule policy that differentiates it from other policies with similar time rule configurations.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description <WORD>

Parameters
description <WORD>

<WORD>   Enter a description not exceeding 80 characters in length. The description should uniquely identify the policy from other policies with similar configuration.

Example
nx9500-6C8809(config-schedule-policy-test)#description "Denies social networking sites on weekdays."
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
 description "Denies social networking sites on weekdays."
nx9500-6C8809(config-schedule-policy-test)#

Related Commands
no   Removes this schedule policy's description

4.1.90.2.2 time-rule
schedule-policy-mode commands

Configures a time rule specifying the days and optionally the start and end times. When applied to an application-policy rule, the schedule policy defines the enforcement time of the rule. For more information, see application-policy.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}

Parameters
time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start-time <HH:MM> [end-time <HH:MM>]}

time-rule   Configures a time rule in days, hours and minutes. A schedule policy can have more than one time rule, provided their enforcement periods do not overlap. For example, the following two time rules are invalid together because their periods overlap: weekdays, start-time 9:30 am, end-time 11:30 pm; and all, start-time 12:00 am, end-time 12:00 pm.
days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]   Specifies the days on which the time rule is applicable
  sunday      Applicable on Sundays only
  monday      Applicable on Mondays only
  tuesday     Applicable on Tuesdays only
  wednesday   Applicable on Wednesdays only
  thursday    Applicable on Thursdays only
  friday      Applicable on Fridays only
  saturday    Applicable on Saturdays only
  weekends    Applicable on weekends only
  weekdays    Applicable on weekdays only
  all         Applicable on all days
  After specifying the days of enforcement, specify the following:
start-time <HH:MM>   Optional. Specifies the enforcement start time in hours and minutes, in the HH:MM format. If no start time is specified, the time rule is enforced on the specified days at all times.
end-time <HH:MM>     Specifies the enforcement end time in hours and minutes, in the HH:MM format.

Example
nx9500-6C8809(config-schedule-policy-test)#time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
 description "Denies social networking sites on weekdays."
 time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#
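The overlap rule above is easy to get wrong by hand once a policy carries several rules with the day groups (weekdays, weekends, all) expanded. The following Python script is an added example, not code from the CLI reference or from WiNG: it parses time-rule lines in the documented syntax, expands the day keywords, and reports every pair of rules whose enforcement periods intersect on some day. Its assumptions, which the reference does not state, are that a missing start-time means the whole day, a missing end-time means until midnight, an end-time at or before the start-time is rejected, and two rules conflict only when they share a day and their minute ranges intersect.

```python
"""Overlap check for WiNG schedule-policy time rules.

Added example; not code from the CLI reference or from WiNG. It models
the documented rule that a schedule policy may carry several time rules
only if their enforcement periods do not overlap. Assumptions made here:
no start-time means the whole day, no end-time means until midnight, an
end-time at or before the start-time is rejected, and two rules conflict
when they share a day and their minute ranges intersect.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional, Tuple

DAY_NAMES = ("sunday", "monday", "tuesday", "wednesday",
             "thursday", "friday", "saturday")
DAY_GROUPS = {
    "all": set(DAY_NAMES),
    "weekdays": set(DAY_NAMES[1:6]),
    "weekends": {"saturday", "sunday"},
}
MINUTES_PER_DAY = 24 * 60


def expand_days(keyword: str) -> set:
    """Map a `days` keyword (single day, weekdays, weekends, all) to day names."""
    kw = keyword.lower()
    if kw in DAY_GROUPS:
        return set(DAY_GROUPS[kw])
    if kw in DAY_NAMES:
        return {kw}
    raise ValueError(f"unknown days keyword: {keyword!r}")


def to_minutes(hhmm: str) -> int:
    """Convert HH:MM (24-hour) to minutes since midnight, rejecting bad values."""
    hours, minutes = hhmm.split(":")
    h, m = int(hours), int(minutes)
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"time out of range: {hhmm!r}")
    return h * 60 + m


@dataclass(frozen=True)
class TimeRule:
    days: str
    start_time: Optional[str] = None
    end_time: Optional[str] = None

    def windows(self) -> Dict[str, Tuple[int, int]]:
        """Per-day half-open [start, end) minute windows this rule enforces."""
        if self.start_time is None:
            if self.end_time is not None:
                raise ValueError("end-time requires start-time")
            lo, hi = 0, MINUTES_PER_DAY          # whole day (documented)
        else:
            lo = to_minutes(self.start_time)
            hi = to_minutes(self.end_time) if self.end_time else MINUTES_PER_DAY
            if hi <= lo:                          # assumption: no wrap past midnight
                raise ValueError(f"end-time must be after start-time: {self}")
        return {day: (lo, hi) for day in expand_days(self.days)}


def parse_time_rule(line: str) -> TimeRule:
    """Parse one `time-rule days <DAYS> [start-time HH:MM [end-time HH:MM]]` line."""
    tokens = line.split()
    if tokens[:2] != ["time-rule", "days"] or len(tokens) < 3:
        raise ValueError(f"not a time-rule line: {line!r}")
    fields = {"days": tokens[2]}
    rest = tokens[3:]
    if len(rest) % 2:
        raise ValueError(f"dangling keyword in {line!r}")
    for key, value in zip(rest[::2], rest[1::2]):
        if key not in ("start-time", "end-time"):
            raise ValueError(f"unexpected keyword {key!r} in {line!r}")
        fields[key.replace("-", "_")] = value
    return TimeRule(**fields)


def find_conflicts(rules: List[TimeRule]) -> List[Tuple[TimeRule, TimeRule]]:
    """Return every pair of rules whose windows overlap on at least one day."""
    conflicts = []
    for a, b in combinations(rules, 2):
        wa, wb = a.windows(), b.windows()
        for day in wa.keys() & wb.keys():
            (lo_a, hi_a), (lo_b, hi_b) = wa[day], wb[day]
            if lo_a < hi_b and lo_b < hi_a:       # the two intervals intersect
                conflicts.append((a, b))
                break
    return conflicts


if __name__ == "__main__":
    # The pair the reference calls invalid: weekdays 9:30 am - 11:30 pm
    # overlaps all-days 12:00 am - 12:00 pm on every weekday morning.
    invalid = [
        parse_time_rule("time-rule days weekdays start-time 09:30 end-time 23:30"),
        parse_time_rule("time-rule days all start-time 00:00 end-time 12:00"),
    ]
    # A valid policy: a window on weekdays, all day on weekends.
    valid = [
        parse_time_rule("time-rule days weekdays start-time 10:00 end-time 23:30"),
        parse_time_rule("time-rule days weekends"),
    ]
    for label, rules in (("invalid", invalid), ("valid", valid)):
        print(label, "->", len(find_conflicts(rules)), "conflicting pair(s)")
```

Because the windows are half-open, a rule ending at 12:00 and one starting at 12:00 on the same day are reported as compatible; if the device treats a shared boundary minute as an overlap, change the comparison to `<=`.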
Related Commands
no   Removes the time-rule from the schedule policy

4.1.90.2.3 no
schedule-policy-mode commands

Removes the selected schedule policy's settings.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [description|time-rule]
no description
no time-rule days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays]

Parameters
no <PARAMETERS>

no <PARAMETERS>   Removes the schedule policy's settings based on the parameters passed

Example
The following example displays the schedule policy test settings before the no commands have been executed:
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
 description "Denies social networking sites on weekdays."
 time-rule days weekdays start-time 10:00 end-time 23:30
nx9500-6C8809(config-schedule-policy-test)#

The following example displays the schedule policy test settings after the no commands have been executed:
nx9500-6C8809(config-schedule-policy-test)#no description
nx9500-6C8809(config-schedule-policy-test)#no time-rule days weekdays
nx9500-6C8809(config-schedule-policy-test)#show context
schedule-policy test
nx9500-6C8809(config-schedule-policy-test)#

4.1.91 self
Global Configuration Commands

Displays the logged device's configuration context, entering the device configuration mode of the device you are logged on to.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
self

Parameters
None

Example
rfs6000-81742D(config)#self
rfs6000-81742D(config-device-00-15-70-37-FA-BE)#
4.1.92 sensor-policy
Global Configuration Commands

The following table summarizes the config sensor policy commands:

Table 4.49 Sensor-Policy Config Commands

Command                       Description                                                 Reference
sensor-policy                 Creates a sensor policy and enters its configuration mode   page 4-428
sensor-policy-mode commands   Lists sensor policy configuration mode commands             page 4-430

4.1.92.1 sensor-policy
sensor-policy

In addition to WIPS support, sensor functionality has been added for the Extreme Networks MPact locationing system. The MPact system for Wi-Fi locationing includes WiNG controllers and access points functioning as sensors. Within the MPact architecture, sensors scan for RSSI data on an administrator-defined interval and send it to a dedicated MPact server resource, as opposed to an ADSP server. The MPact server collects the RSSI data from WiNG sensor devices and calculates the location of Wi-Fi devices for MPact administrators.

Use this command to configure a policy defining the mode of scanning, the channels to scan (when scan-mode is set to custom-scan), and the RSSI interval. For the sensor policy to take effect, use the policy either in the access point's RF Domain context or in the access point's device context.

NOTE: If a dedicated sensor is utilized with WIPS for rogue detection, any sensor policy used is discarded and not utilized by the sensor. To avoid this situation, use ADSP channel settings exclusively to configure the sensor and not the WiNG interface.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
sensor-policy <SENSOR-POLICY-NAME>

Parameters
sensor-policy <SENSOR-POLICY-NAME>

<SENSOR-POLICY-NAME>   Specify the sensor policy name. If a sensor policy with the specified name does not exist, it is created. The name should not exceed 32 characters in length. No character spaces are permitted within the name. Define a name unique to the policy's channel and scan mode configuration to help differentiate it from other policies.

Usage Guidelines: ADSP WIPS/MPact
Access point radios functioning as sensors, along with AirDefense WIPS servers, protect networks from attacks and unauthorized access. These access point sensors scan legal channels and (based on the WIPS policy settings) identify events that are potential threats to the managed network. These events are reported to the AirDefense WIPS server, which determines the action taken. With the introduction of the MPact platform, the data collected by access point radios functioning as sensors is also used by the MPact server to provide real-time locationing services.

Example
nx9500-6C8809(config)#sensor-policy test
nx9500-6C8809(config-sensor-policy-test)#?
Sensor Policy Mode commands:
  custom-scan              Channel configuration in Custom Scan channels
  no                       Negate a command or set its defaults
  rssi-interval-duration   Configure the periodicity of sending RSSI info from sensor to server
  scan-mode                Configure the Scan mode

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no   Removes an existing sensor policy

4.1.92.2 sensor-policy-mode commands
sensor-policy

The following table summarizes sensor-policy configuration mode commands:
Table 4.50 Sensor-Policy-Config-Mode Commands

Command                  Description                                                                                                                                       Reference
custom-scan              Configures the channel scanning settings when the scan-mode is set to custom-scan                                                                 page 4-431
rssi-interval-duration   Configures the interval at which dedicated sensors scan channels for RSSI assessments and send the collected data to a specified MPact server resource   page 4-433
scan-mode                Configures the mode of scanning used by dedicated sensors (access point radios)                                                                   page 4-434
no                       Removes or reverts to default a sensor policy's settings                                                                                          page 4-435

4.1.92.2.1 custom-scan
sensor-policy-mode commands

Configures the channel scanning settings when the scan-mode is set to custom-scan.

NOTE: If the mode of scanning is set to Custom-Scan, use this command to configure the channels to be scanned. To set the mode of scanning to custom-scan, use the scan-mode > Custom-Scan command. For more information, see scan-mode.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
custom-scan channel-frequency <CHANNEL-FREQUENCY> width [20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>

Parameters
custom-scan channel-frequency <CHANNEL-FREQUENCY> width [20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz] scan-weight <SCAN-WEIGHT>

custom-scan   Configures the custom-scan channel frequency, channel width, and scan weight
channel-frequency <CHANNEL-FREQUENCY>   Configures the channel frequency. A list of unique channels in the 2.4, 4.9, 5 and 6 GHz bands can be collectively or individually enabled for customized channel scans and RSSI reporting.
  <CHANNEL-FREQUENCY>   Specify a single channel frequency, or multiple comma-separated channel frequencies.
width [20MHz|40MHz-Both|40MHz-Lower|40MHz-Upper|80MHz]   Configures the channel width. When custom channels are selected for RSSI scans, each selected channel can have its own width defined. Numerous channels have their width fixed at 20 MHz; 802.11a radios support 20 and 40 MHz channel widths.
  20MHz         Sets the channel width as 20 MHz
  40MHz-Both    Sets the channel width as 40 MHz-Both
  40MHz-Lower   Sets the channel width as 40 MHz-Lower
  40MHz-Upper   Sets the channel width as 40 MHz-Upper
  80MHz         Sets the channel width as 80 MHz
scan-weight <SCAN-WEIGHT>   Configures the scan weight (scanning duration) for each of the selected channels. Each selected channel can have its weight prioritized with respect to the amount of time a scan is permitted within the defined RSSI scan interval.
  <SCAN-WEIGHT>   Specify the scan weightage given to each selected channel.

Example
nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no   Removes channels from the channels-to-scan list when scan-mode is set to Custom-Scan

4.1.92.2.2 rssi-interval-duration
sensor-policy-mode commands

Configures the interval, in seconds, at which dedicated sensors scan channels for RSSI assessments and send the RSSI data obtained to a specified server resource.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rssi-interval-duration <1-60>

Parameters
rssi-interval-duration <1-60>

rssi-interval-duration   Configures the RSSI interval duration in seconds. This is the interval at which the sensor scans channels for RSSI data and forwards the data to a dedicated server resource. The server calculates real-time locations of Wi-Fi devices based on this data.
  <1-60>   Specify the RSSI interval duration from 1 - 60 seconds. The default is 1 second. The channels scanned for RSSI assessment depend on the scan-mode selected. For more information, see scan-mode and custom-scan. Ensure that the server's IP address or hostname has been configured in the access point sensor's RF Domain context.

Example
nx9500-6C8809(config-sensor-policy-test)#rssi-interval-duration 30
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no   Resets the interval at which RSSI data is collected and sent by the sensor to the MPact server host to default (1 second)

4.1.92.2.3 scan-mode
sensor-policy-mode commands

Configures the mode of scanning used by dedicated sensors (access point radios).

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
scan-mode [Channel-Lock|Custom-Scan|Default-Scan]
scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>
scan-mode [Custom-Scan|Default-Scan]

Parameters
scan-mode Channel-Lock lock-frequency <LOCK-FREQUENCY>

scan-mode   Configures the mode of scanning used by the sensors to scan system-defined or user-defined channels for RSSI assessments. The options are: Channel-Lock, Custom-Scan, and Default-Scan.
Channel-Lock lock-frequency <LOCK-FREQUENCY>   Configures the mode of scanning as Channel-Lock. Locks scanning for RSSI data to the single channel identified by the <LOCK-FREQUENCY> parameter.
  <LOCK-FREQUENCY>   Specify the channel frequency in MHz. When specified, the sensor scans only this channel.

scan-mode [Custom-Scan|Default-Scan]

scan-mode      Configures the mode of scanning used by the sensor. The options are: Channel-Lock, Custom-Scan, and Default-Scan.
Custom-Scan    Configures the mode of scanning as Custom-Scan. Select this option to restrict scanning to user-defined channels. If selecting this option, use the custom-scan > channel-frequency command to configure the channels scanned by the dedicated sensor. For more information, see custom-scan.
Default-Scan   Configures the mode of scanning as Default-Scan. This is the default setting. The system has a fixed, built-in list of channels that are scanned, hard coded in a spread pattern of 1, 6, 11, 36, 40, 44, and 48. When selected, the dedicated sensor scans only these default channels.

Example
nx9500-6C8809(config-sensor-policy-test)#scan-mode Custom-Scan
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

Related Commands
no   Reverts the scan-mode to default (Default-Scan)

4.1.92.2.4 no
sensor-policy-mode commands

Removes or reverts to default a sensor policy's settings.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [custom-scan|rssi-interval-duration|scan-mode]
no custom-scan channel-frequency <CHANNEL-FREQUENCY-LIST>
no rssi-interval-duration
no scan-mode

Parameters
no <PARAMETERS>

no <PARAMETERS>   Removes or reverts to default a sensor policy's settings based on the parameters passed

Example
The following example shows the sensor-policy test settings before the no commands are executed:
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Custom-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

The scan-mode is reverted to the default setting of Default-Scan, as shown in the following output:
nx9500-6C8809(config-sensor-policy-test)#no scan-mode
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Default-Scan
 custom-scan channel-frequency 2412 width 20MHz scan-weight 1000
 custom-scan channel-frequency 2417 width 20MHz scan-weight 1000
nx9500-6C8809(config-sensor-policy-test)#

The custom-scan channels are then removed from the channels-to-scan list:
nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2412
nx9500-6C8809(config-sensor-policy-test)#no custom-scan channel-frequency 2417
nx9500-6C8809(config-sensor-policy-test)#show context
sensor-policy test
 rssi-interval-duration 30
 scan-mode Default-Scan
nx9500-6C8809(config-sensor-policy-test)#

4.1.93 smart-rf-policy
Global Configuration Commands

Configures a Smart RF policy.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
smart-rf-policy <SMART-RF-POLICY-NAME>

Parameters
smart-rf-policy <SMART-RF-POLICY-NAME>

<SMART-RF-POLICY-NAME>   Specify the Smart RF policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#smart-rf-policy test
rfs6000-81742D(config-smart-rf-policy-test)#?
Smart RF Mode commands:
  area                     Specify channel list/ power for an area
  assignable-power         Specify the assignable power during power-assignment
  avoidance-time           Time to avoid a channel once dfs/adaptivity avoidance is necessary
  channel-list             Select channel list for smart-rf
  channel-width            Select channel width for smart-rf
  coverage-hole-recovery   Recover from coverage hole
  enable                   Enable this smart-rf policy
  group-by                 Configure grouping parameters
  interference-recovery    Recover issues due to excessive noise and interference
  neighbor-recovery        Recover issues due to faulty neighbor radios
  no                       Negate a command or set its defaults
  sensitivity              Configure smart-rf sensitivity (Modifies various other smart-rf configuration items)
  smart-ocs-monitoring     Smart off channel scanning

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal
rfs6000-81742D(config-smart-rf-policy-test)#

Related Commands
no   Removes an existing Smart RF policy

NOTE: For more information on Smart RF policy commands, see Chapter 19, SMART-RF-POLICY.

4.1.94 t5
Global Configuration Commands

Invokes the configuration mode of a T5 wireless controller.

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in the T5's management within a WiNG supported subnet populated by both types of devices.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
t5 <T5-DEVICE-MAC>

Parameters
t5 <T5-DEVICE-MAC>

t5 <T5-DEVICE-MAC>   Specify the T5 device's MAC address. The system enters the identified device's configuration mode.

The Customer Premises Equipment (CPE) devices are the T5 controller managed radio devices using the IPX operating system. These CPEs use a Digital Subscriber Line (DSL) as their high-speed Internet access mechanism, through the CPE's physical wallplate connection and phone jack. After logging on to the T5 device, use the cpe keyword and configure the following mandatory settings:
  vlan       Set a VLAN from 1 - 4,094 used as a virtual interface for connections between the T5 controller and its managed CPE devices.
  start ip   Set a starting IP address used in a range of addresses available to T5 controller connecting CPE devices.
  end ip     Set an end IP address used in a range of addresses available to T5 controller connecting CPE devices.

Example
rfs6000-81742D(config)#t5 B4:C7:99:ED:5C:2C
rfs6000-81742D(config-device-B4:C7:99:ED:5C:2C)#?
T5 Device Mode commands:
  adsp-sensor-server   Configure WIPS server
  bridge               Sets MAC address expiration time in the bridge address table
  clock                Configure clock options
  cpe                  T5 CPE configuration
  hostname             Set system's network name
  interface            Select an interface to configure
  ip                   Internet Protocol (IP)
  no                   Negate a command or set its defaults
  ntp                  Configure NTP
  override-wlan        Configure RF Domain level overrides for wlan
  password             T5 password configuration
  qos                  QOS settings
  radius-server        Radius server settings
  t5                   T5 configuration
  t5-logging           Modify message logging facilities
  use                  Set setting to use

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
rfs6000-81742D(config-device-B4:C7:99:ED:5C:2C)#

Related Commands
no   Removes the T5 wireless controller identified by the device's MAC address

4.1.95 web-filter-policy
Global Configuration Commands

The following table lists commands that enable you to enter the Web Filter policy configuration mode:
Table 4.51 Commands Creating a Web-Filter-Policy

Command                                  Description                                                         Reference
web-filter-policy                        Creates a new Web Filter policy and enters its configuration mode   page 4-441
web-filter-policy-config-mode commands   Summarizes the Web Filter policy configuration mode commands        page 4-443

4.1.95.1 web-filter-policy
web-filter-policy

Creates a Web Filtering policy and enters its configuration mode. This policy defines rules managing the local classification database and the cached data. When configured and applied, this policy also enables caching of URL classification records in a local database in a controller-based, hierarchically managed (HM) deployment. Use this option to specify the classification server details, the size of the local database, the time for which records are cached in the database, the action taken when the classification server is unavailable, and so on. Note that server-unreachable and uncategorized-url both default to pass: unless they are set explicitly, a request is allowed through when the classification server cannot be reached or cannot classify the URL, so the filter fails open. The Web filter policy is applied at the profile or device level. For more information on URL filtering, see url-filter.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
web-filter-policy <WEB-FILTER-POLICY-NAME>

Parameters
web-filter-policy <WEB-FILTER-POLICY-NAME>

<WEB-FILTER-POLICY-NAME>   Specify the Web filter policy name. If the policy does not exist, it is created.

Example
nx9500-6C8809(config)#web-filter-policy test
nx9500-6C8809(config-web-filter-policy-test)#?
Content Filter Mode commands:
  cache-max-recs        Configure the maximum number of records in local cache
  cache-save-interval   Configure the time a record is saved in local cache
  logging               Select logging method
  no                    Negate a command or set its defaults
  server-host           Configure URL classification server if it is not the adopted controller
  server-unreachable    Permission to access website when classification server is unreachable (default is pass)
  uncategorized-url     Permission to website when server fails to classify the URL request (default is pass)

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no   Removes an existing Web filter policy

4.1.95.2 web-filter-policy-config-mode commands
web-filter-policy

The following table summarizes Web Filter policy configuration mode commands:
Table 4.52 Web-Filter-Policy-Config-Mode Commands

Command               Description                                                                                                                    Reference
cache-max-recs        Configures the maximum number of records (URLs and Web pages) cached in the local database                                     page 4-444
cache-save-interval   Configures the maximum time period for which a record (URL and Web page classification entry) is cached in the local database   page 4-445
logging               Configures the method used to log Web filtering events                                                                         page 4-446
no                    Reverts the selected Web Filter policy settings to default                                                                     page 4-447
server-host           Configures the URL classification server in case it is not the adopted controller                                              page 4-448
server-unreachable    Configures the action taken in case the classification server is unreachable                                                   page 4-449
uncategorized-url     Configures the action taken in case the classification server fails to classify a URL/Website                                  page 4-450

4.1.95.2.1 cache-max-recs
web-filter-policy-config-mode commands

Configures the maximum number of records (URL and Web page classification entries) cached in the local database.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cache-max-recs <1-1000000>

Parameters
cache-max-recs <1-1000000>

<1-1000000>   Specify the maximum number of records cached in the local database, from 1 - 1000000. When configuring this value, take into consideration the type of device using the Web Filter policy. The usable range and the default depend on the device type:
  NX95XX          <1-1000000>   (default is 100000)
  NX75XX          <1-100000>    (default is 10000)
  RFS Switches    <1-10000>     (default is 1000)
  Access Points   <1-1500>      (default is 500)

Example
nx9500-6C8809(config-web-filter-policy-test)#cache-max-recs 9000
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
nx9500-6C8809(config-web-filter-policy-test)#
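A Web filter policy is defined once but may be applied to profiles on very different hardware, so a cache-max-recs value that is fine on an NX9500 is out of range for an access point, and a policy that never sets server-unreachable or uncategorized-url silently relies on the documented default of pass. The following Python script is an added example, not code from the CLI reference or from WiNG: it parses web-filter-policy blocks out of show context or running-config text and reports, per device class, values outside the ranges listed above and policies that depend on the fail-open defaults. The block layout it assumes (a web-filter-policy <NAME> line followed by indented settings, blocks optionally separated by "!") mirrors the show context examples on this page but is an assumption; the sample dump is constructed here, and the fail-open check only tests whether the setting is present, since the argument values for server-unreachable and uncategorized-url are documented elsewhere.

```python
"""Audit web-filter-policy blocks in WiNG `show context` / running-config text.

Added example; not code from the CLI reference or from WiNG. It parses
`web-filter-policy <NAME>` blocks (heading line, then indented settings;
this layout is an assumption based on the page's show context examples)
and checks each against the per-device-class cache-max-recs ranges and
defaults, the cache-save-interval range, and whether the policy relies
on the documented fail-open defaults for server-unreachable and
uncategorized-url. The sample dump below is constructed.
"""
import re
from typing import Dict, List

# (ceiling, default) for cache-max-recs per device class, from the
# cache-max-recs parameter table.
CACHE_MAX_RECS = {
    "NX95XX": (1_000_000, 100_000),
    "NX75XX": (100_000, 10_000),
    "RFS": (10_000, 1_000),
    "AP": (1_500, 500),
}
CACHE_SAVE_INTERVAL = (1, 86_400)      # seconds; documented default is 60
# Settings whose documented default lets the request through when unset.
FAIL_OPEN_DEFAULTS = {"server-unreachable": "pass", "uncategorized-url": "pass"}

POLICY_HEADER = re.compile(r"^web-filter-policy (\S+)\s*$")


def parse_web_filter_policies(text: str) -> Dict[str, Dict[str, str]]:
    """Return {policy_name: {setting: argument}} for each web-filter-policy block."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("!"):            # block separator (assumption)
            current = None
            continue
        header = POLICY_HEADER.match(raw)
        if header:
            current = policies.setdefault(header.group(1), {})
            continue
        if raw[0].isspace() and current is not None:
            key, _, arg = raw.strip().partition(" ")
            current[key] = arg             # last occurrence wins, as on the CLI
        else:
            current = None                 # some other top-level block begins
    return policies


def audit_policy(name: str, settings: Dict[str, str], device_class: str) -> List[str]:
    """Findings for one policy as it would apply on `device_class` hardware."""
    findings: List[str] = []
    ceiling, default = CACHE_MAX_RECS[device_class]
    recs = settings.get("cache-max-recs")
    if recs is not None and not 1 <= int(recs) <= ceiling:
        findings.append(f"{name}: cache-max-recs {recs} outside 1-{ceiling} "
                        f"for {device_class} (default {default})")
    interval = settings.get("cache-save-interval")
    lo, hi = CACHE_SAVE_INTERVAL
    if interval is not None and not lo <= int(interval) <= hi:
        findings.append(f"{name}: cache-save-interval {interval} outside {lo}-{hi}")
    for key, default_action in FAIL_OPEN_DEFAULTS.items():
        if key not in settings:
            findings.append(f"{name}: {key} not set, inherits default "
                            f"'{default_action}' (filter fails open)")
    return findings


def audit(text: str, device_class: str) -> List[str]:
    """Parse `text` and audit every policy in it for `device_class`."""
    findings: List[str] = []
    for name, settings in parse_web_filter_policies(text).items():
        findings.extend(audit_policy(name, settings, device_class))
    return findings


# Constructed sample in the layout of the page's show context output.
SAMPLE_DUMP = """\
web-filter-policy test
 cache-max-recs 9000
 cache-save-interval 1000
 logging logfile
!
web-filter-policy branch
 cache-max-recs 200000
!
"""

if __name__ == "__main__":
    for device_class in ("NX95XX", "AP"):
        print(f"== {device_class} ==")
        for line in audit(SAMPLE_DUMP, device_class):
            print(" ", line)
```

Run it against the output of show running-config captured from the controller that holds the policies, once per device class the policies are applied to; the cache-max-recs finding is the one that changes between classes.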
Related Commands
no   Reverts the maximum number of stored records to default. See the parameter table for the default values of the different device types.

4.1.95.2.2 cache-save-interval
web-filter-policy-config-mode commands

Configures the maximum time period, in seconds, for which a record (URL and Web page classification entry) is cached in the local database. Once the specified time has expired, the record is removed from the cache.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cache-save-interval <1-86400>

Parameters
cache-save-interval <1-86400>

<1-86400>   Specify the maximum time period, in seconds, for which a record is cached in the local database, from 1 - 86400 seconds. The default is 60 seconds.

Example
nx9500-6C8809(config-web-filter-policy-test)#cache-save-interval 1000
nx9500-6C8809(config-web-filter-policy-test)#show context
web-filter-policy test
 cache-max-recs 9000
 cache-save-interval 1000
nx9500-6C8809(config-web-filter-policy-test)#

Related Commands
no   Reverts the maximum time period for which a record (URL and Web page classification entry) is cached in the local database to default (60 seconds)

4.1.95.2.3 logging
web-filter-policy-config-mode commands

Configures the method used to log Web filtering events.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax logging [logfile|syslog]
Parameters logging [logfile|syslog]
logging
[logfile|syslog]
Selects the method used to log Web filtering events. The options are:
logfile Logs to a file. syslog Logs to the syslog server. This is the default setting. Example nx9500-6C8809(config-web-filter-policy-test)#logging logfile nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test logging logfile nx9500-6C8809(config-web-filter-policy-test)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 446 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.4 no web-filter-policy-config-mode commands Reverts the selected Web Filter policy settings to default, based on the parameters passed Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [cache-max-recs|cache-save-interval|server-host|server-unreachable|
uncategorized-url]
Parameters no <PARAMETERS>
no <PARAMETERS>
Reverts the selected Web Filter policy settings to default, based on the parameters passed. Specify the parameters to revert back to default value. Example The following example shows the Web Filter policy test settings before the no command is executed:
nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 uncategorized-url block server-unreachable block server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#
nx9500-6C8809(config-web-filter-policy-test)#no cache-max-recs nx9500-6C8809(config-web-filter-policy-test)#no server-unreachable nx9500-6C8809(config-web-filter-policy-test)#no uncategorized-url The following example shows the Web Filter policy test settings after the no command has been executed:
nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-save-interval 1000 server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 447 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.5 server-host web-filter-policy-config-mode commands Configures the URL classification server in case it is not the adopted controller Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id
<SERVER-MiNT-ID>]
Parameters server-host [host-name <SERVER-HOST-NAME>|ip-address <SERVER-IPv4>|mint-id
<SERVER-MiNT-ID>]
server-host
[host-name
<SERVER-HOST-
NAME>|
ip-address
<SERVER-IPv4>|
mint-id
<SERVER-MiNT-ID>]
Use one of the following options to identify the URL classification server:
host-name <SERVER-HOST-NAME> Identifies the classification server by its hostname. ip-address <SERVER-IPv4> Identifies the classification server by its IP address. mint-id <SERVER-MiNT-ID> Identifies the classification server by its MiNT ID. Example nx9500-6C8809(config-web-filter-policy-test)#server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#
Related Commands no Removes the URL classification servers configured details, such as hostname, ip-address, or MiNT ID. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 448 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.6 server-unreachable web-filter-policy-config-mode commands Configures the action taken in case the classification server is unreachable. Based on the value configured the an end users request for a URL/Website is either blocked or passed. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax server-unreachable [block|pass]
Parameters server-unreachable [block|pass]
server-unreachable
[block|pass]
Configures the action taken in case the classification server is unreachable. The options are:
block Denies access to the requested URL/Website pass Allows access to the requested URL/Website. This is the default value. Example nx9500-6C8809(config-web-filter-policy-test)#server-unreachable block nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 server-unreachable block server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#
Related Commands no Reverts the action taken in case the classification server is unreachable to default
(pass) Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 449 GLOBAL CONFIGURATION COMMANDS 4.1.95.2.7 uncategorized-url web-filter-policy-config-mode commands Configures the action taken in case the classification server fails to classify a URL/Website. Based on the value configured the an end users request for a non-classified URL/Website is either blocked or passed. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax uncategorized-url [block|pass]
Parameters uncategorized-url [block|pass]
uncategorized-url
[block|pass]
Configures the action taken in case the classification server fails to classify a URL/
Website. The options are:
block Denies access to the requested non-classified URL/Website pass Allows access to the requested non-classified URL/Website. This is the default value. Example nx9500-6C8809(config-web-filter-policy-test)#uncategorized-url block nx9500-6C8809(config-web-filter-policy-test)#show context web-filter-policy test cache-max-recs 9000 cache-save-interval 1000 uncategorized-url block server-unreachable block server-host ip-address 192.168.13.13 nx9500-6C8809(config-web-filter-policy-test)#
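The four settings documented above (cache-max-recs, cache-save-interval, server-unreachable and uncategorized-url) act together on every URL request, and the two action defaults fail open. The Python model below is an added illustration, not code from the WiNG software or this guide: it drives a default policy and a fail-closed policy through a classification-server outage and shows that, once a cached verdict ages past cache-save-interval, even a known-bad URL falls back to the server-unreachable action. The cache structure, the oldest-first eviction, caching of uncategorized answers, the classify callback, the category names and the sample URLs are all assumptions; the page states what the settings mean, not how the device implements them.

```python
import time
from collections import OrderedDict
from typing import Callable, Optional, Tuple


class ServerUnreachable(Exception):
    """Raised by the classify callback when the classification server cannot be reached."""


class WebFilterPolicy:
    """Model of one web-filter-policy (illustration, not the device implementation).

    A bounded, time-limited local cache sits in front of the classification server;
    the two fail-mode actions decide what happens when the server cannot answer.
    """

    def __init__(self, cache_max_recs=500, cache_save_interval=60,
                 server_unreachable="pass", uncategorized_url="pass",
                 blocked_categories=frozenset({"malware"})):
        for action in (server_unreachable, uncategorized_url):
            if action not in ("block", "pass"):
                raise ValueError("action must be 'block' or 'pass'")
        self.cache_max_recs = cache_max_recs            # Access Point default from the table above
        self.cache_save_interval = cache_save_interval  # seconds a record stays cached
        self.server_unreachable = server_unreachable    # page default: pass (fail open)
        self.uncategorized_url = uncategorized_url      # page default: pass (fail open)
        self.blocked_categories = blocked_categories    # assumed category names
        # url -> (category or None, time cached); insertion order doubles as age
        self._cache: "OrderedDict[str, Tuple[Optional[str], float]]" = OrderedDict()

    def _lookup(self, url: str, now: float):
        entry = self._cache.get(url)
        if entry is None:
            return None
        if now - entry[1] >= self.cache_save_interval:  # record aged out (cache-save-interval)
            del self._cache[url]
            return None
        return entry

    def _store(self, url: str, category: Optional[str], now: float) -> None:
        self._cache[url] = (category, now)
        self._cache.move_to_end(url)
        while len(self._cache) > self.cache_max_recs:   # enforce cache-max-recs
            self._cache.popitem(last=False)             # assumption: the oldest record is evicted

    def decide(self, url: str, classify: Callable[[str], Optional[str]],
               now: Optional[float] = None) -> Tuple[str, str]:
        """Return (action, reason) for a client request to url.

        classify(url) returns a category string, None when the server cannot
        categorize the URL, or raises ServerUnreachable.
        """
        now = time.time() if now is None else now
        entry = self._lookup(url, now)
        if entry is None:
            try:
                category = classify(url)
            except ServerUnreachable:
                return self.server_unreachable, "server-unreachable"
            self._store(url, category, now)   # assumption: uncategorized answers are cached too
        else:
            category = entry[0]
        if category is None:
            return self.uncategorized_url, "uncategorized-url"
        return ("block" if category in self.blocked_categories else "pass"), category


def simulate():
    """Run a default (fail-open) and a hardened (fail-closed) policy through an outage.

    The classification table and the URLs are constructed for this example.
    """
    table = {"http://news.example/": "news", "http://evil.example/": "malware"}
    state = {"down": False}

    def classify(url):
        if state["down"]:
            raise ServerUnreachable()
        return table.get(url)   # None for URLs the server has never categorized

    policies = {
        "default": WebFilterPolicy(),
        "hardened": WebFilterPolicy(server_unreachable="block", uncategorized_url="block"),
    }
    results = {}
    for name, policy in policies.items():
        state["down"] = False
        r = {
            "known_bad": policy.decide("http://evil.example/", classify, now=0),
            "unknown": policy.decide("http://unknown.example/", classify, now=0),
        }
        state["down"] = True   # classification server goes away
        r["bad_cached"] = policy.decide("http://evil.example/", classify, now=30)   # still cached
        r["bad_expired"] = policy.decide("http://evil.example/", classify, now=90)  # record aged out
        r["new_url"] = policy.decide("http://other.example/", classify, now=30)
        results[name] = r
    return results


if __name__ == "__main__":
    for name, r in simulate().items():
        print(name, r)
```

The default policy passes the expired known-bad URL and every new URL during the outage; the hardened one blocks them. A short cache-save-interval therefore shortens the window in which a fail-open policy still enforces anything once the server is gone.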
Related Commands
no  Reverts the action taken in case the classification server fails to classify a URL/Website to its default (pass).

4.1.96 wips-policy
Global Configuration Commands

Configures a WIPS policy.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wips-policy <WIPS-POLICY-NAME>

Parameters
wips-policy <WIPS-POLICY-NAME>

<WIPS-POLICY-NAME>  Specify the WIPS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#wips-policy test
rfs6000-81742D(config-wips-policy-test)#?
Wips Policy Mode commands:
  ap-detection               Rogue AP detection
  enable                     Enable this wips policy
  event                      Configure an event
  history-throttle-duration  Configure the duration for which event duplicates are not stored in history
  interference-event         Specify events which will contribute to smart-rf wifi interference calculations
  no                         Negate a command or set its defaults
  signature                  Signature to configure
  use                        Set setting to use

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81742D(config-wips-policy-test)#

Related Commands
no  Removes an existing WIPS policy.

NOTE: For more information on WIPS policy commands, see Chapter 20, WIPS-POLICY.

4.1.97 wlan
Global Configuration Commands

Configures a Wireless Local Area Network (WLAN).

The following table lists WLAN configuration mode commands:

Table 4.53 WLAN-Policy Config Commands
Command  Description  Reference
wlan  Creates a new wireless LAN and enters its configuration mode  page 4-453
wlan-mode commands  Summarizes WLAN configuration mode commands  page 4-457

4.1.97.1 wlan
wlan

Configures a WLAN and enters its configuration mode. Use this command to modify an existing WLAN's settings.

A WLAN is a data-communications system that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or Orthogonal Frequency Division Multiplexing (OFDM) modulation based technology. WLANs do not require lining up devices for line-of-sight transmission, and are thus desirable for wireless networking. Roaming users can be handed off from one access point to another, as in a cellular phone system. WLANs can therefore be configured around the needs of specific user groups, even when they are not in physical proximity. WLANs can provide an abundance of services, including data communications (allowing mobile devices to access applications), e-mail, file, and print services or even specialty applications (such as guest access control and asset tracking).

Each WLAN configuration contains encryption, authentication and QoS policies and conditions for user connections. Connected access point radios transmit periodic beacons for each BSS. A beacon advertises the SSID, security requirements and supported data rates of the wireless network to enable clients to locate and connect to the WLAN.

WLANs are mapped to radios on each access point. A WLAN can be advertised from a single access point radio or can span multiple access points and radios. WLAN configurations can be defined to provide service to specific areas of a site. For example, a guest access WLAN may only be mapped to a 2.4 GHz radio in a lobby or conference room providing limited coverage, while a data WLAN is mapped to all 2.4 GHz and 5.0 GHz radios at the branch site to provide complete coverage.

The maximum number of WLANs supported by different devices is as follows:
RFS4000 and RFS6000 wireless controllers  32 WLANs
NX95XX series service platforms  1000 WLANs
Access Points  16 WLANs

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wlan {<WLAN-NAME>|containing <WLAN-NAME>}

Parameters
wlan {<WLAN-NAME>|containing <WLAN-NAME>}

<WLAN-NAME>  Optional. Configures a new WLAN. Specify the WLAN name. The WLAN name could be a logical representation of its coverage area (for example, engineering, marketing, etc.). The name cannot exceed 32 characters.
containing <WLAN-NAME>  Optional. Configures an existing WLAN's settings. Specify a sub-string of the WLAN name. Use this parameter to filter WLANs; it selects and enters the configuration mode of one or more WLANs at once.

Example
rfs6000-81742D(config)#wlan 1
rfs6000-81742D(config-wlan-1)#?
Wireless LAN Mode commands:
  accounting                             Configure how accounting records are created for this wlan
  acl                                    Actions taken based on ACL configuration [packet drop being one of them]
  answer-broadcast-probes                Include this wlan when responding to probe requests that do not specify an SSID
  assoc-response                         Association response threshold
  association-list                       Configure the association list for the wlan
  authentication-type                    The authentication type of this WLAN
  bridging-mode                          Configure how packets to/from this wlan are bridged
  broadcast-dhcp                         Configure broadcast DHCP packet handling
  broadcast-ssid                         Advertise the SSID of the WLAN in beacons
  captive-portal-enforcement             Enable captive-portal enforcement on the wlan
  client-access                          Enable client-access (normal data operations) on this wlan
  client-client-communication            Allow switching of frames from one wireless client to another on this wlan
  client-load-balancing                  Configure load balancing of clients on this wlan
  controller-assisted-mobility           Enable controller assisted mobility to determine wireless clients' VLAN assignment
  data-rates                             Specify the 802.11 rates to be supported on this wlan
  description                            Configure a description of the usage of this wlan
  downstream-group-addressed-forwarding  Enable downstream group addressed forwarding of packets
  dpi                                    Deep-Packet-Inspection (Application Assurance)
  dynamic-vlan-assignment                Dynamic VLAN assignment configuration
  eap-types                              Configure client access based on eap-type used for authentication
  encryption-type                        Configure the encryption to use on this wlan
  enforce-dhcp                           Drop packets from Wireless Clients with static IP address
  fast-bss-transition                    Configure support for 802.11r Fast BSS Transition
  http-analyze                           Enable HTTP URL analysis on the wlan
  ip                                     Internet Protocol (IP)
  ipv6                                   Internet Protocol version 6 (IPv6)
  kerberos                               Configure kerberos authentication parameters
  mac-authentication                     Configure mac-authentication related parameters
  no                                     Negate a command or set its defaults
  nsight                                 Nsight Server
  opendns                                OpenDNS related config for this wlan
  protected-mgmt-frames                  Protected Management Frames (IEEE 802.11w) related configuration (DEMO FEATURE)
  proxy-arp-mode                         Configure handling of ARP requests with proxy-arp is enabled
  proxy-nd-mode                          Configure handling of IPv6 ND requests with proxy-nd is enabled
  qos-map                                Support the 802.11u QoS map element and frame
  radio-resource-measurement             Configure support for 802.11k Radio Resource Measurement
  radius                                 Configure RADIUS related parameters
  registration                           Enable dynamic registration of device (or) user
  relay-agent                            Configure dhcp relay agent info
  shutdown                               Shutdown this wlan
  ssid                                   Configure the Service Set Identifier for this WLAN
  t5-client-isolation                    Isolate traffic among clients
  t5-security                            Configure encryption and authentication
  time-based-access                      Configure client access based on time
  use                                    Set setting to use
  vlan                                   Configure the vlan where traffic from this wlan is mapped
  vlan-pool-member                       Add a member vlan to the pool of vlans for the wlan (Note: configuration of a vlan-pool overrides the 'vlan' configuration)
  wep128                                 Configure WEP128 parameters
  wep64                                  Configure WEP64 parameters
  wing-extensions                        Enable support for WiNG-Specific extensions to 802.11
  wireless-client                        Configure wireless-client specific parameters
  wpa-wpa2                               Modify tkip-ccmp (wpa/wpa2) related parameters

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-81742D(config-wlan-1)#

The following example shows how to use the containing keyword to enter the configuration mode of an existing WLAN:
rfs6000-81742D(config)#wlan containing wlan1
rfs6000-81742D(config-wlan-{'containing': 'wlan1'})#
4.1.97.2 wlan-mode commands
wlan

This section documents the WLAN configuration mode commands in detail. Use the (config) instance to configure WLAN related parameters. To navigate to this instance, use the following command:
<DEVICE>(config)#wlan <WLAN-NAME>

The following table summarizes WLAN configuration mode commands:

Table 4.54 WLAN-Mode Commands
Command  Description  Reference
accounting  Defines a WLAN accounting configuration  page 4-460
acl  Defines the actions based on an ACL rule configuration  page 4-462
answer-broadcast-probes  Allows a WLAN to respond to probes for broadcast ESS  page 4-464
assoc-response  Configures a minimum receive signal strength indication (RSSI) value, below which the WLAN does not send a response to a client's association request  page 4-465
association-list  Attaches an existing global association list to a WLAN  page 4-466
authentication-type  Sets a WLAN's authentication type  page 4-467
bridging-mode  Configures how packets to/from this WLAN are bridged  page 4-469
broadcast-dhcp  Configures broadcast DHCP packet handling  page 4-470
broadcast-ssid  Advertises a WLAN's SSID in beacons  page 4-471
captive-portal-enforcement  Configures a WLAN's captive portal enforcement  page 4-472
client-access  Enables WLAN client access (normal data operations)  page 4-473
client-client-communication  Allows the switching of frames from one wireless client to another on a WLAN  page 4-474
client-load-balancing  Enables load balancing of WLAN clients  page 4-475
controller-assisted-mobility  Enables controller assisted mobility to determine wireless clients' VLAN assignment  page 4-477
data-rates  Specifies the 802.11 rates supported on the WLAN  page 4-478
description  Sets a WLAN's description  page 4-481
downstream-group-addressed-forwarding  Enables forwarding of downstream packets addressed to a group  page 4-482
dpi  Enables extraction of metadata flows on the WLAN  page 4-483
dynamic-vlan-assignment  Configures dynamic VLAN assignment on this WLAN  page 4-485
eap-types  Configures client access based on eap-type used for authentication  page 4-486
encryption-type  Sets a WLAN's encryption type  page 4-488
enforce-dhcp  Drops packets from clients with a static IP address  page 4-489
fast-bss-transition  Configures support for 802.11r fast BSS transition on a WLAN  page 4-490
http-analyze  Enables HTTP URL analysis on the WLAN  page 4-491
ip  Configures IPv4 settings on this WLAN  page 4-493
ipv6  Configures IPv6 settings on this WLAN  page 4-494
kerberos  Configures Kerberos authentication parameters  page 4-495
mac-authentication  Configures MAC authentication parameters  page 4-497
no  Negates a command or reverts settings to their default  page 4-498
nsight  Enables retention of guest client history in the NSight database  page 4-502
opendns  Configures the device ID, which is embedded in each DNS query packet going out from an access point, wireless controller, or service platform to the OpenDNS server  page 4-503
protected-mgmt-frames  Enables and configures the WLAN's frame protection mode and security association  page 4-505
proxy-arp-mode  Enables the proxy ARP mode for ARP requests  page 4-507
proxy-nd-mode  Configures the proxy ND mode for this WLAN's member clients as either strict or dynamic  page 4-508
qos-map  Enables support for 802.11u QoS map element and frames  page 4-509
radio-resource-measurement  Enables support for 802.11k radio resource measurement  page 4-510
radius  Configures RADIUS parameters  page 4-511
registration  Configures settings enabling dynamic registration of devices. Use this command to specify the mode of registration and to configure corresponding parameters.  page 4-513
relay-agent  Enables support for the DHCP relay agent information (option 82) feature on this WLAN  page 4-516
shutdown  Auto shuts down a WLAN  page 4-518
ssid  Configures a WLAN's SSID  page 4-520
t5-client-isolation  Disallows clients connecting to the WLAN to communicate with one another  page 4-521
t5-security  Configures T5 PowerBroadband security settings  page 4-522
time-based-access  Configures time-based client access  page 4-524
use  Defines WLAN mode configuration settings  page 4-525
vlan  Sets VLAN assignment for a WLAN  page 4-529
vlan-pool-member  Adds a member VLAN to the pool of VLANs for a WLAN  page 4-530
wep128  Configures WEP128 parameters  page 4-532
wep64  Configures WEP64 parameters  page 4-534
wing-extensions  Enables support for WiNG specific extensions to 802.11  page 4-536
wireless-client  Configures the transmit power for wireless clients' transmissions  page 4-539
wpa-wpa2  Modifies TKIP and CCMP (WPA/WPA2) related parameters  page 4-542
service  Invokes service commands applicable in the WLAN configuration mode  page 4-545

4.1.97.2.1 accounting
wlan-mode commands

Defines the WLAN's accounting configuration.

Accounting is the method of collecting user data, such as start and stop times, executed commands (for example, PPP), number of packets and number of bytes received and transmitted. This data is sent to the security server for billing, auditing, and reporting purposes. Accounting enables wireless network administrators to track the services and network resources accessed and consumed by users. When enabled, this feature allows the network access server to report and log user activity to a RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA policies.

Accounting can be enabled and applied to access point, wireless controller, or service platform managed WLANs. Once enabled, it uniquely logs accounting events specific to the managed WLAN. Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and how to best accommodate each. Remote user information can be archived to a location outside of the access point for periodic network and user permission administration.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accounting [radius|syslog|wait-client-ip]
accounting [radius|wait-client-ip]
accounting syslog [host|mac-address-format]
accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}
accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper]

Parameters
accounting [radius|wait-client-ip]

radius  Enables support for WLAN RADIUS accounting messages. This option is disabled by default. When enabled, the WLAN uses an external RADIUS resource for accounting. Use the use > aaa-policy > <AAA-POLICY-NAME> command to associate an appropriate AAA policy with this WLAN. The AAA policy must already exist and should define the accounting, authentication, and authorization parameters.
wait-client-ip  Enables waiting for the client's IP address before commencing the accounting procedure.

accounting syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

syslog  Enables support for WLAN syslog accounting messages in standard syslog format (RFC 3164). This option is disabled by default.
host <IP/HOSTNAME>  Configures a syslog destination hostname or IP address for accounting records. Specify the IP address or name of the destination host.
port <1-65535>  Optional. Configures the syslog server's UDP port (this port is used to connect to the server). Specify the port from 1 to 65535. The default port is 514.
proxy-mode [none|through-controller|through-rf-domain-manager]  Optional. Configures the request proxying mode:
  none  Requests are sent directly to the server from the device.
  through-controller  Proxies requests through the controller (access point, wireless controller, or service platform) configuring the device.
  through-rf-domain-manager  Proxies requests through the local RF Domain manager.

This command offers no transport protection for the records (only host, port and proxy-mode can be set) and RFC 3164 syslog is sent as plain UDP, so carry accounting records over a management network path you trust.

accounting syslog mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper]

syslog  Enables support for WLAN syslog accounting messages.
mac-address-format  Configures the MAC address format used in syslog messages:
  middle-hyphen  Configures the MAC address format with a middle hyphen (AABBCC-DDEEFF).
  no-delim  Configures the MAC address format without delimiters (AABBCCDDEEFF).
  pair-colon  Configures the MAC address format with pair-colon delimiters (AA:BB:CC:DD:EE:FF).
  pair-hyphen  Configures the MAC address format with pair-hyphen delimiters (AA-BB-CC-DD-EE-FF). This is the default setting.
  quad-dot  Configures the MAC address format with quad-dot delimiters (AABB.CCDD.EEFF).
case [lower|upper]  This keyword is common to all of the formats above and specifies the MAC address case:
  lower  The MAC address is written in lower case (for example, aa-bb-cc-dd-ee-ff).
  upper  The MAC address is written in upper case (for example, AA-BB-CC-DD-EE-FF).

Example
rfs6000-81742D(config-wlan-test)#accounting syslog host 172.16.10.4 port 2 proxy-mode none
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 accounting syslog host 172.16.10.4 port 2
rfs6000-81742D(config-wlan-test)#
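Accounting records reach the collector as RFC 3164 syslog with the client MAC written in whichever mac-address-format and case the WLAN was configured with, so an ingest path has to normalize MACs before it can correlate records from different WLANs or controllers. The Python below is an added illustration, not part of the WiNG product or of this guide: it implements the five mac-address-format options and their inverse, parses the RFC 3164 header (PRI, timestamp, hostname) and counts events per client regardless of format. The body of a WiNG accounting record is not documented on this page; the sample lines are constructed, and only their header layout follows the RFC.

```python
import re
from typing import Dict, List

# The five mac-address-format options of "accounting syslog", applied to 12 hex digits.
MAC_FORMATS = {
    "middle-hyphen": lambda h: f"{h[:6]}-{h[6:]}",                               # AABBCC-DDEEFF
    "no-delim":      lambda h: h,                                                 # AABBCCDDEEFF
    "pair-colon":    lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),     # AA:BB:CC:DD:EE:FF
    "pair-hyphen":   lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),     # AA-BB-CC-DD-EE-FF (default)
    "quad-dot":      lambda h: ".".join(h[i:i + 4] for i in range(0, 12, 4)),     # AABB.CCDD.EEFF
}

# Matches a MAC written in any of the five formats, in either case.
MAC_RE = re.compile(
    r"(?<![0-9A-Za-z])(?:"
    r"[0-9A-Fa-f]{12}"
    r"|[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6}"
    r"|(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
    r")(?![0-9A-Za-z])"
)

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME MSG (day of month is space padded).
RFC3164_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$",
    re.S,
)


def normalize_mac(text: str) -> str:
    """Reduce a MAC in any of the five formats to 12 lower-case hex digits."""
    digits = re.sub(r"[-:.]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits.lower()


def format_mac(mac: str, mac_address_format: str = "pair-hyphen", case: str = "upper") -> str:
    """Render a MAC the way the given mac-address-format and case settings would."""
    if mac_address_format not in MAC_FORMATS:
        raise ValueError(f"unknown mac-address-format {mac_address_format!r}")
    if case not in ("lower", "upper"):
        raise ValueError("case must be 'lower' or 'upper'")
    out = MAC_FORMATS[mac_address_format](normalize_mac(mac))
    return out.upper() if case == "upper" else out


def parse_syslog_line(line: str) -> Dict[str, object]:
    """Split an RFC 3164 line into facility, severity, timestamp, host and message,
    and return every MAC found in the message already normalized."""
    m = RFC3164_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an RFC 3164 line: {line!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)   # PRI = facility * 8 + severity
    return {
        "facility": facility,
        "severity": severity,
        "timestamp": m["ts"],
        "host": m["host"],
        "message": m["msg"],
        "macs": [normalize_mac(x) for x in MAC_RE.findall(m["msg"])],
    }


# Constructed sample records: the header follows RFC 3164, the body is invented for
# this example and is not the WiNG accounting record layout.
SAMPLE_LINES = [
    "<134>Mar  3 10:15:02 rfs6000-81742D accounting: wlan=test client=AA-BB-CC-DD-EE-FF event=start",
    "<134>Mar  3 10:20:45 rfs6000-81742D accounting: wlan=test client=aabb.ccdd.eeff event=stop",
    "<134>Mar  3 10:21:00 rfs6000-81742D accounting: wlan=test client=AABBCCDDEEFF event=start",
]


def clients_seen(lines: List[str]) -> Dict[str, int]:
    """Count accounting events per client, whatever MAC format the sender used."""
    counts: Dict[str, int] = {}
    for line in lines:
        for mac in parse_syslog_line(line)["macs"]:
            counts[mac] = counts.get(mac, 0) + 1
    return counts


if __name__ == "__main__":
    print(clients_seen(SAMPLE_LINES))   # the three records collapse onto one client
```

PRI 134 decodes to facility 16 (local0) and severity 6 (informational); whatever the device actually sends, decode PRI at the collector rather than assuming it, and key correlation on the normalized MAC.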
Related Commands
no  Disables sending of accounting messages to the RADIUS server, disables syslog accounting, or disables waiting for the client's IP address before sending accounting messages.

4.1.97.2.2 acl
wlan-mode commands

Defines the actions taken based on an ACL rule configuration.

Use the use > ip-access-list <IP-ACCESS-LIST-NAME> command to associate an ACL with the WLAN. The ACL rule is determined by the associated ACL's configuration.

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as a mechanism allowing and denying data traffic according to administrator-defined rules. For an overview of firewalls, see FIREWALL-POLICY.

WLANs use firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is critical, since filtering stops after the first match.

IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Additionally, administrators can filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic. Keep in mind that IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|disassociate}

Parameters
acl exceed-rate wireless-client-denied-traffic <0-1000000> {blacklist <0-86400>|disassociate}

acl  Sets the action taken based on an ACL rule configuration (for example, drop a packet).
exceed-rate  The action is taken when the rate exceeds a specified value.
wireless-client-denied-traffic <0-1000000>  Sets the action taken against a wireless client when the rate of traffic denied to it exceeds the specified value. Specify the allowed rate threshold of disallowed traffic in packets/sec, from 0 to 1000000. If enabled, this option allows an associated client exceeding the configured storm-traffic threshold to be either disassociated or blacklisted, depending on the action selected. This option is disabled by default.
blacklist <0-86400>  Optional. Blacklists the offending wireless client for the specified time interval, in seconds. Configure the blacklist duration from 0 to 86400 seconds. Offending clients can re-authenticate once the configured blacklist duration has elapsed.
disassociate  Optional. Disassociates the offending wireless client.

Example
rfs6000-81742D(config-wlan-test)#acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#
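The exceed-rate action is a per-client threshold with two possible responses, and the difference between them (disassociate lets the client straight back in; blacklist holds it off for a timed interval) is easiest to see by replaying a packet sequence. The Python below is an added illustration, not part of the WiNG software or this guide. It counts ACL-denied packets per client MAC in fixed one-second windows; the page does not say how the device measures the rate, so the fixed window, the treatment of a 0 threshold (any denied packet trips it) and the constructed packet timings are assumptions.

```python
from typing import Dict, List, Tuple


class DeniedTrafficMonitor:
    """Model of 'acl exceed-rate wireless-client-denied-traffic <rate> {blacklist <secs>|disassociate}'.

    Illustration only. Assumption: the rate is counted as ACL-denied packets per
    client within fixed one-second windows; the device's real measurement is not
    documented on this page.
    """

    def __init__(self, threshold_pps: int, action: str = "disassociate",
                 blacklist_secs: int = 0):
        if not 0 <= threshold_pps <= 1000000:
            raise ValueError("threshold must be 0-1000000 packets/sec")
        if action not in ("disassociate", "blacklist"):
            raise ValueError("action must be 'disassociate' or 'blacklist'")
        if not 0 <= blacklist_secs <= 86400:
            raise ValueError("blacklist duration must be 0-86400 seconds")
        self.threshold = threshold_pps
        self.action = action
        self.blacklist_secs = blacklist_secs
        self._window: Dict[str, Tuple[int, int]] = {}   # mac -> (window second, denied count)
        self._blacklist: Dict[str, float] = {}          # mac -> time the blacklist expires
        self.events: List[Tuple[float, str, str]] = []  # (time, mac, action) audit log

    def is_blacklisted(self, mac: str, now: float) -> bool:
        expiry = self._blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:                 # duration elapsed: the client may re-authenticate
            del self._blacklist[mac]
            return False
        return True

    def on_denied_packet(self, mac: str, now: float) -> str:
        """Account one ACL-denied packet from mac at time now.

        Returns 'none' (under threshold), 'disassociate' or 'blacklist' (threshold
        just exceeded) or 'blacklisted' (client already blacklisted, packet dropped).
        """
        if self.is_blacklisted(mac, now):
            return "blacklisted"
        second = int(now)
        start, count = self._window.get(mac, (second, 0))
        if start != second:               # a new one-second window starts
            start, count = second, 0
        count += 1
        self._window[mac] = (start, count)
        if count <= self.threshold:       # rate not exceeded (0 means any denied packet trips it)
            return "none"
        del self._window[mac]             # the client is removed; counting restarts if it returns
        if self.action == "blacklist":
            self._blacklist[mac] = now + self.blacklist_secs
        self.events.append((now, mac, self.action))
        return self.action


def replay(monitor: DeniedTrafficMonitor, packets: List[Tuple[float, str]]) -> List[str]:
    """Feed (time, mac) denied packets to the monitor and collect the action for each."""
    return [monitor.on_denied_packet(mac, t) for t, mac in packets]


# Constructed traffic: one client sends 25 denied packets within a second (a storm),
# a second client sends two.
STORM = [(100.0 + i / 100, "aa-bb-cc-dd-ee-ff") for i in range(25)] + \
        [(100.5, "11-22-33-44-55-66"), (100.6, "11-22-33-44-55-66")]


if __name__ == "__main__":
    mon = DeniedTrafficMonitor(20, "blacklist", 60)
    print(replay(mon, STORM))
    print(mon.events)
```

With a threshold of 20 and disassociate, the 21st denied packet triggers the action and the 22nd starts a fresh count, so a client that reassociates immediately can keep tripping the rule once a second; blacklist with a duration is what actually suppresses the client for a while.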
Related Commands
no                                    Removes the action (de-authenticate or blacklist) to be taken when an associated client exceeds the thresholds configured for storm traffic

4.1.97.2.3 answer-broadcast-probes
wlan-mode commands
Allows the WLAN to respond to probe requests that do not specify an SSID. These probes are for broadcast ESS. This feature is enabled by default.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
answer-broadcast-probes
Parameters
None
Example
rfs6000-81742D(config-wlan-1)#answer-broadcast-probes
rfs6000-81742D(config-wlan-1)#

Related Commands
no                                    Does not allow this WLAN to respond to probe requests that do not specify an SSID

4.1.97.2.4 assoc-response
wlan-mode commands
Configures the deny-threshold and rssi-threshold values. These threshold values are considered when responding to a client's association/authentication request.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]
Parameters
assoc-response [deny-threshold <1-12>|rssi-threshold <-100--40>]

assoc-response                        Configures the association response thresholds
deny-threshold <1-12>                 Configures the number of times an association/authentication request from a client is ignored if the RSSI is less than the configured RSSI threshold. This option is disabled by default.
                                      <1-12> Specify the deny-threshold from 1 - 12.
rssi-threshold <-100--40>             Configures an association response RSSI threshold value. If the RSSI is below the configured threshold value, the client's association/authentication request is ignored. This option is disabled by default.
                                      <-100--40> Specify a value from -100 - -40 dBm.

Example
nx9500-6C8809(config-wlan-test)#assoc-response rssi-threshold -60
nx9500-6C8809(config-wlan-test)#assoc-response deny-threshold 4
nx9500-6C8809(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type none
 assoc-response rssi-threshold -60
 assoc-response deny-threshold 4
 registration user group-name guest expiry-time 2000 agreement-refresh 14400
nx9500-6C8809(config-wlan-test)#
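How the two thresholds interact, as an added example rather than WiNG code. It replays constructed association requests (client MAC, RSSI in dBm) against the guide's example values (rssi-threshold -60, deny-threshold 4): a request below the RSSI threshold is ignored, but only deny-threshold times per client, after which the client is answered. Resetting a client's counter once it has been answered is an assumption of this model; the guide does not say when the count restarts.

```python
"""Model of the 'assoc-response rssi-threshold / deny-threshold' behaviour.

Added illustration, not WiNG code. Replays constructed association requests
and records which ones the radio would ignore and which it would answer.
"""
from collections import defaultdict


def check_thresholds(rssi_threshold_dbm, deny_threshold):
    """Validate the CLI ranges: rssi-threshold <-100--40>, deny-threshold <1-12>."""
    if not -100 <= rssi_threshold_dbm <= -40:
        raise ValueError("rssi-threshold must be -100 to -40 dBm")
    if not 1 <= deny_threshold <= 12:
        raise ValueError("deny-threshold must be 1 to 12")


def respond(rssi_threshold_dbm, deny_threshold, requests):
    """Return a list of (mac, rssi, decision) for each request, in order.

    A request whose RSSI is below rssi-threshold is ignored, up to deny-threshold
    times per client; after that the client is answered, so a persistently weak
    client is steered away but not locked out. Resetting the per-client counter
    after an answered request is this model's assumption.
    """
    check_thresholds(rssi_threshold_dbm, deny_threshold)
    ignored = defaultdict(int)   # per-client count of consecutive ignored requests
    decisions = []
    for mac, rssi in requests:
        if rssi < rssi_threshold_dbm and ignored[mac] < deny_threshold:
            ignored[mac] += 1
            decisions.append((mac, rssi, "ignored"))
        else:
            ignored[mac] = 0
            decisions.append((mac, rssi, "answered"))
    return decisions


def ignored_count(decisions):
    """Number of requests the radio did not respond to."""
    return sum(1 for _, _, d in decisions if d == "ignored")


# Constructed sample: one client far from the AP retrying, one close client.
SAMPLE_REQUESTS = [
    ("aa:bb:cc:00:00:01", -72),
    ("aa:bb:cc:00:00:02", -48),
    ("aa:bb:cc:00:00:01", -71),
    ("aa:bb:cc:00:00:01", -70),
    ("aa:bb:cc:00:00:01", -69),
    ("aa:bb:cc:00:00:01", -68),
]

if __name__ == "__main__":
    for row in respond(-60, 4, SAMPLE_REQUESTS):   # the guide's example values
        print(row)
```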
Related Commands
no                                    Removes the configured deny-threshold and rssi-threshold values

4.1.97.2.5 association-list
wlan-mode commands
Attaches an existing global association list with this WLAN. For more information on global association lists, see global-association-list.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
association-list global <GLOBAL-ASSO-LIST-NAME>
Parameters
association-list global <GLOBAL-ASSO-LIST-NAME>

association-list global <GLOBAL-ASSO-LIST-NAME>
                                      Attaches an existing global association list with this WLAN
                                      <GLOBAL-ASSO-LIST-NAME> Specify the global association list name (should be existing and configured).

Example
rfs4000-229D58(config-wlan-test)#association-list global my-clients
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 association-list global my-clients
rfs4000-229D58(config-wlan-test)#

Related Commands
no                                    Removes the global association list's association with this WLAN

4.1.97.2.6 authentication-type
wlan-mode commands
Sets the WLAN's authentication type
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]
Parameters
authentication-type [eap|eap-mac|eap-psk|kerberos|mac|none]

authentication-type                   Configures a WLAN's authentication type. The authentication types are: EAP, EAP-MAC, EAP-PSK, Kerberos, MAC, and none.
eap                                   Configures EAP authentication (802.1X). EAP is the de-facto standard authentication method used to provide secure authenticated access to controller managed WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over controller managed WLANs. The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An access point passes EAP packets from the client to an authentication server on the wired side of the access point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client's identity. If using EAP authentication, ensure that an AAA policy is mapped to the WLAN.
eap-mac                               Configures EAP or MAC authentication depending on client. (This setting is valid only with the None encryption type.) EAP-MAC is useful in a hotspot environment, as some clients support EAP and an administrator may want to authenticate based on just the MAC address of the device.
eap-psk                               Configures EAP authentication or pre-shared keys depending on client. (This setting is only valid with Temporal Key Integrity Protocol (TKIP) or Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption types.) When using PSK with EAP, the controller sends a packet requesting a secure link using a pre-shared key. The controller and authenticating device must use the same authenticating algorithm and pass code during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. If using eap-psk authentication, ensure that an AAA policy is mapped to the WLAN.
kerberos                              Configures Kerberos authentication (encryption will change to WEP128 if it is not already WEP128 or Keyguard). Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection. Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity. Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s).
mac                                   Configures MAC authentication (RADIUS lookup of MAC address). MAC is a device level authentication method used to augment other security schemes when legacy devices are deployed using static WEP. MAC authentication can be used for device level authentication by permitting WLAN access based on device MAC address. MAC authentication is typically used to augment WLAN security options that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK). MAC authentication can also be used to assign VLAN memberships, Firewall policies and time and date restrictions. MAC authentication can only identify devices, not users. If using mac authentication, ensure that an AAA policy is mapped to the WLAN.
none                                  No authentication is used or the client uses pre-shared keys. This is the default value.

Example
rfs6000-81742D(config-wlan-test)#authentication-type eap
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#
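Checking WLAN blocks for the two cautions this section repeats: an AAA policy must be mapped for eap, eap-psk and mac authentication, and authentication-type none together with encryption-type none is an open WLAN that should at least enforce a captive portal. This is an added example, not WiNG code: it parses 'show context' output in the indented form the guide's examples show. The 'test' WLAN in the sample is the one from the example above; the 'guest' and 'corp' WLANs, the 'encryption-type ccmp' line and the 'use aaa-policy <name>' line it looks for are assumptions constructed for the sample.

```python
"""Audit WLAN blocks from 'show context' output for weak authentication settings.

Added example, not WiNG code. Parses the indented 'wlan <name>' blocks and flags
an open WLAN without captive-portal-enforcement and an EAP/MAC WLAN with no AAA
policy mapped. The 'use aaa-policy <name>' line is assumed to be how a mapped
AAA policy appears in a WLAN block.
"""
import re

# Constructed sample: 'test' follows the guide's example, 'guest' and 'corp' are invented.
SAMPLE_SHOW_CONTEXT = """\
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
wlan guest
 ssid guest
 bridging-mode local
 encryption-type none
 authentication-type none
wlan corp
 ssid corp
 bridging-mode local
 encryption-type ccmp
 authentication-type eap
 use aaa-policy corp-radius
"""

# authentication types for which the guide says an AAA policy must be mapped
NEEDS_AAA = {"eap", "eap-mac", "eap-psk", "mac"}


def parse_wlans(text):
    """Return {wlan_name: [config lines without the leading space]}."""
    wlans, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^wlan (\S+)\s*$", line)
        if m:
            current = m.group(1)
            wlans[current] = []
        elif current is not None and line.startswith(" "):
            wlans[current].append(line.strip())
    return wlans


def setting(lines, keyword):
    """Value after a keyword, e.g. setting(lines, 'authentication-type') -> 'eap'."""
    for line in lines:
        if line.startswith(keyword + " "):
            return line[len(keyword) + 1:]
    return None


def audit(text):
    """Return [(wlan_name, finding)] for every WLAN that fails a check."""
    findings = []
    for name, lines in parse_wlans(text).items():
        auth = setting(lines, "authentication-type") or "none"   # none is the default
        enc = setting(lines, "encryption-type") or "none"
        captive = any(l.startswith("captive-portal-enforcement") for l in lines)
        aaa = setting(lines, "use aaa-policy")
        if auth == "none" and enc == "none" and not captive:
            findings.append((name, "open WLAN without captive-portal-enforcement"))
        if auth in NEEDS_AAA and aaa is None:
            findings.append((name, f"authentication-type {auth} but no AAA policy mapped"))
    return findings


if __name__ == "__main__":
    for wlan, finding in audit(SAMPLE_SHOW_CONTEXT):
        print(f"{wlan}: {finding}")
```

Run against the saved output of 'show context' from the wlan mode (or of a full running configuration), the script reports each WLAN whose block triggers a check; the 'test' WLAN above is flagged because the example enables eap without mapping a policy.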
Related Commands
no                                    Resets the authentication mode used with this WLAN to default (none/pre-shared keys)

4.1.97.2.7 bridging-mode
wlan-mode commands
Configures how packets are bridged to and from a WLAN. Use this command to define which VLANs are bridged, and how local VLANs are bridged between the wired and wireless sides of the network.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
bridging-mode [local|tunnel]
Parameters
bridging-mode [local|tunnel]

bridging-mode                         Configures how packets are bridged to and from a WLAN. The options are local and tunnel.
local                                 Bridges packets between the WLAN and local ethernet ports. This is the default mode.
tunnel                                Tunnels packets to other devices (typically a wireless controller or service platform)

Example
rfs6000-81742D(config-wlan-test)#bridging-mode local
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
rfs6000-81742D(config-wlan-test)#

4.1.97.2.8 broadcast-dhcp
wlan-mode commands
Configures broadcast DHCP packet handling parameters
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
broadcast-dhcp validate-offer
Parameters
broadcast-dhcp validate-offer

validate-offer                        Enables validation of the broadcast DHCP packet destination (a wireless client associated to the radio) before forwarding over the air. This option is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no                                    Disables validation of the broadcast DHCP packet destination (a wireless client associated to the radio) before forwarding over the air

4.1.97.2.9 broadcast-ssid
wlan-mode commands
Advertises the WLAN SSID in beacons. If a hacker tries to isolate and hack an SSID from a client, the SSID will display since the ESSID is in the beacon. This feature is enabled by default.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
broadcast-ssid
Parameters
None
Example
rfs6000-81742D(config-wlan-1)#broadcast-ssid
rfs6000-81742D(config-wlan-1)#

Related Commands
no                                    Disables the broadcasting of the WLAN's SSID in beacons

4.1.97.2.10 captive-portal-enforcement
wlan-mode commands
Configures captive portal enforcement on this WLAN. When enabled, provides successfully authenticated guests temporary and restricted access to the network. If enforcing captive-portal authentication, specify the captive-portal policy to use. For more information, see use.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
captive-portal-enforcement {fall-back}
Parameters
captive-portal-enforcement {fall-back}

captive-portal-enforcement            Enables captive portal enforcement on a WLAN. This option is disabled by default.
fall-back                             Optional. Enforces captive portal validation if WLAN authentication fails (applicable to EAP or MAC authentication only)

Example
rfs6000-81742D(config-wlan-test)#captive-portal-enforcement fall-back
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no                                    Disables captive portal enforcement

4.1.97.2.11 client-access
wlan-mode commands
Enables WLAN client access (for normal data operations)
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
client-access
Parameters
None
Example
rfs6000-81742D(config-wlan-1)#client-access
rfs6000-81742D(config-wlan-1)#

Related Commands
no                                    Disables WLAN client access

4.1.97.2.12 client-client-communication
wlan-mode commands
Allows frame switching from one client to another on a WLAN. This option is enabled by default. It allows clients to exchange packets with other clients. It does not necessarily prevent clients on other WLANs from sending packets to this WLAN, but as long as this setting is also disabled on that WLAN, clients are not permitted to interoperate.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
client-client-communication
Parameters
None
Example
rfs6000-81742D(config-wlan-1)#client-client-communication
rfs6000-81742D(config-wlan-1)#

Related Commands
no                                    Disables frame switching from one client to another on a WLAN

4.1.97.2.13 client-load-balancing
wlan-mode commands
Enforces client load balancing on a WLAN's access point radios. AP6522, AP6532, AP6562, AP81XX, and AP82XX models can support 256 clients per access point. AP6511 and AP6521 models can support up to 128 clients per access point. When enforced, loads are balanced by ignoring association and probe requests. Probe and association requests are not responded to, forcing a client to associate with another access point radio. This feature is disabled by default.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
client-load-balancing {allow-single-band-clients|band-discovery-intvl|capability-ageout-time|max-probe-req|probe-req-intvl}
client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>}
client-load-balancing {max-probe-req|probe-req-intvl} [2.4ghz|5ghz] <0-10000>
Parameters
client-load-balancing {allow-single-band-clients [2.4ghz|5ghz]|band-discovery-intvl <0-10000>|capability-ageout-time <0-10000>}

client-load-balancing                 Configures client load balancing on a WLAN
allow-single-band-clients [2.4ghz|5ghz]
                                      Optional. Allows single band clients to associate even during load balancing
                                      2.4ghz Enables load balancing across 2.4 GHz channels
                                      5ghz Enables load balancing across 5.0 GHz channels
                                      This option is enabled by default for 2.4 and 5.0 GHz radios.
band-discovery-intvl <0-10000>        Optional. Configures the interval to discover a client's band capability before connection
                                      <0-10000> Specify a value from 0 - 10000 seconds. The default is 10 seconds.
capability-ageout-time <0-10000>      Optional. Configures a client's capability ageout interval. This is the time for which a client's capabilities are retained in the device's internal table. Once this time is exceeded, the client's capabilities are aged out.
                                      <0-10000> Specify a value from 0 - 10000 seconds. The default is 3600 seconds.

client-load-balancing {max-probe-req|probe-req-intvl} [2.4ghz|5ghz] <0-10000>

client-load-balancing                 Configures WLAN client load balancing
max-probe-req [2.4ghz|5ghz] <0-10000>
                                      Optional. Configures client probe request interval limits for device association
                                      2.4ghz Configures maximum client probe requests on 2.4 GHz radios
                                      5ghz Configures maximum client probe requests on 5.0 GHz radios
                                      <0-10000> Specify a client probe request threshold from 0 - 10000. The default for both 2.4 and 5.0 GHz radios is 60.
probe-req-intvl [2.4ghz|5ghz] <0-10000>
                                      Optional. Configures client probe request interval limits for device association
                                      2.4ghz Configures the client probe request interval on 2.4 GHz radios
                                      5ghz Configures the client probe request interval on 5.0 GHz radios
                                      <0-10000> Specify a value from 0 - 10000. The default for both 2.4 and 5.0 GHz radios is 10 seconds.

Example
rfs6000-81742D(config-wlan-test)#client-load-balancing band-discovery-intvl 2
rfs6000-81742D(config-wlan-test)#client-load-balancing probe-req-intvl 5ghz 5
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#
Related Commands
no                                    Disables client load balancing on a WLAN's access point radios

4.1.97.2.14 controller-assisted-mobility
wlan-mode commands
Enables controller or service platform assisted mobility to determine a wireless client's VLAN assignment. When enabled, a controller or service platform's mobility database is used to assist in roaming between RF Domains. This option is disabled by default.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
controller-assisted-mobility
Parameters
None
Example
rfs4000-229D58(config-wlan-test)#controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#

Related Commands
no                                    Disables controller or service platform assisted mobility to determine a wireless client's VLAN assignment

4.1.97.2.15 data-rates
wlan-mode commands
Specifies the 802.11 rates supported on a WLAN
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
data-rates [2.4GHz|5GHz]
data-rates 2.4GHz [b-only|bg|bgn|custom|default|g-only|gn]
data-rates 2.4GHz custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]
data-rates 5GHz [a-only|an|custom|default]
data-rates 5GHz custom [12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs2s|mcs3s]
Parameters
data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]

data-rates                            Specifies the 802.11 rates supported when mapped to a 2.4 GHz radio
b-only                                Uses rates that support only 11b clients
bg                                    Uses rates that support both 11b and 11g clients
bgn                                   Uses rates that support 11b, 11g and 11n clients
default                               Uses the default rates configured for a 2.4 GHz radio
g-only                                Uses rates that support operation in 11g only
gn                                    Uses rates that support 11g and 11n clients

data-rates 5GHz [a-only|an|default]

data-rates                            Specifies the 802.11 rates supported when mapped to a 5.0 GHz radio
a-only                                Uses rates that support operation in 11a only
an                                    Uses rates that support 11a and 11n clients
default                               Uses the default rates configured for a 5.0 GHz radio

data-rates [2.4GHz|5GHz] custom [1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|basic-mcs-1s|mcs-1s|mcs-2s|mcs-3s]

data-rates [2.4GHz|5GHz]              Specifies the 802.11 rates supported when mapped to a 2.4 GHz or 5.0 GHz radio
custom 1,11,2,5.5 [12,18,24,36,48,54,6,9,basic-1,basic-11,basic-12,basic-18,basic-2,basic-36,basic-48,basic-5.5,basic-54,basic-6,basic-9,basic-mcs-1s,mcs-1s,mcs2s,mcs-3s]
                                      Configures a data rates list by specifying each rate individually. Use the 'basic-' prefix before a rate to indicate it is used as a basic rate (for example, 'data-rates custom basic-1 basic-2 5.5 11'). The data rates for the 2.4 GHz and 5.0 GHz channels are the same with a few exceptions. The 2.4 GHz channel has a few extra data rates: 1, 11, 2, and 5.5.
                                      The following data rates are specific to the 2.4 GHz channel:
                                        1              1-Mbps
                                        11             11-Mbps
                                        2              2-Mbps
                                        5.5            5.5-Mbps
                                      The following data rates are common to both the 2.4 GHz and 5.0 GHz channels:
                                        12             12-Mbps
                                        18             18-Mbps
                                        24             24-Mbps
                                        36             36-Mbps
                                        48             48-Mbps
                                        54             54-Mbps
                                        6              6-Mbps
                                        9              9-Mbps
                                        basic-1        basic 1-Mbps
                                        basic-11       basic 11-Mbps
                                        basic-12       basic 12-Mbps
                                        basic-18       basic 18-Mbps
                                        basic-2        basic 2-Mbps
                                        basic-36       basic 36-Mbps
                                        basic-48       basic 48-Mbps
                                        basic-5.5      basic 5.5-Mbps
                                        basic-54       basic 54-Mbps
                                        basic-6        basic 6-Mbps
                                        basic-9        basic 9-Mbps
                                        basic-mcs-1s   Modulation and coding scheme data rates for 1 spatial stream
                                        mcs-1s         Applicable to 1-spatial stream data rates
                                        mcs-2s         Applicable to 2-spatial stream data rates
                                        mcs-3s         Applicable to 3-spatial stream data rates

Example
rfs6000-81742D(config-wlan-test)#data-rates 2.4GHz gn
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#
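A parser for the custom rate list described above, added here as an example and not taken from WiNG. It splits a 'data-rates <band> custom ...' token list into basic and supported rates, accepts only the tokens the guide lists for the band (following the prose rule that 1, 2, 5.5 and 11 exist on 2.4 GHz only), and rejects a list with no basic rate. That last rule, and the helper that reports whether a 2.4 GHz list leaves out all four 11b-only rates, are this example's assumptions rather than statements from the guide.

```python
"""Parse and validate a 'data-rates <band> custom ...' rate list.

Added example, not WiNG code. Separates basic- rates from supported rates,
rejects tokens the guide does not list for the band, and rejects lists with
no basic rate (that requirement is this example's assumption).
"""

LEGACY_24_ONLY = {"1", "2", "5.5", "11"}                        # 2.4 GHz only, per the guide
LEGACY_COMMON = {"6", "9", "12", "18", "24", "36", "48", "54"}  # both bands
MCS = {"mcs-1s", "mcs-2s", "mcs-3s"}


def allowed_tokens(band):
    """Tokens accepted for 'data-rates <band> custom', including their basic- forms."""
    legacy = LEGACY_COMMON | (LEGACY_24_ONLY if band == "2.4GHz" else set())
    basics = {"basic-" + r for r in legacy} | {"basic-mcs-1s"}
    return legacy | basics | MCS


def rate_key(rate):
    """Sort numeric rates numerically and MCS tokens after them."""
    try:
        return (0, float(rate))
    except ValueError:
        return (1, rate)


def parse_custom_rates(band, tokens):
    """Return (basic_rates, supported_rates) as sorted lists of rate strings.

    Raises ValueError on an unknown band, a token not valid for the band, or a
    list with no basic rate. A basic-X token makes X both basic and supported.
    """
    if band not in ("2.4GHz", "5GHz"):
        raise ValueError("band must be 2.4GHz or 5GHz")
    ok = allowed_tokens(band)
    basic, supported = set(), set()
    for tok in tokens:
        if tok not in ok:
            raise ValueError(f"{tok} is not a valid {band} rate token")
        if tok.startswith("basic-"):
            rate = tok[len("basic-"):]
            basic.add(rate)
            supported.add(rate)
        else:
            supported.add(tok)
    if not basic:
        raise ValueError("at least one basic- rate is required")
    return sorted(basic, key=rate_key), sorted(supported, key=rate_key)


def is_valid_custom_rates(band, tokens):
    """True when parse_custom_rates accepts the list."""
    try:
        parse_custom_rates(band, tokens)
        return True
    except ValueError:
        return False


def drops_legacy_rates(band, tokens):
    """True when a 2.4 GHz list leaves out every 11b-only rate (1, 2, 5.5, 11)."""
    _, supported = parse_custom_rates(band, tokens)
    return band == "2.4GHz" and not (set(supported) & LEGACY_24_ONLY)


if __name__ == "__main__":
    # the guide's own example: data-rates custom basic-1 basic-2 5.5 11
    print(parse_custom_rates("2.4GHz", ["basic-1", "basic-2", "5.5", "11"]))
```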
Related Commands
no                                    Resets the 802.11 data rates supported on a WLAN for the 2.4 GHz or 5.0 GHz radios

4.1.97.2.16 description
wlan-mode commands
Defines the WLAN description
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
description <LINE>
Parameters
description <LINE>

<LINE>                                Specify a WLAN description. The WLAN's description should help differentiate it from others with similar configurations. The description should not exceed 64 characters.

Example
rfs6000-81742D(config-wlan-test)#description TestWLAN
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type none
 authentication-type eap
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 captive-portal-enforcement fall-back
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 broadcast-dhcp validate-offer
rfs6000-81742D(config-wlan-test)#

Related Commands
no                                    Removes a WLAN's configured description

4.1.97.2.17 downstream-group-addressed-forwarding
wlan-mode commands
Enables forwarding of downstream broadcast/multicast (BC/MC) packets to a group on this WLAN. This feature is enabled by default.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
downstream-group-addressed-forwarding
Parameters
None
Example
rfs4000-229D58(config-wlan-test)#downstream-group-addressed-forwarding
rfs4000-229D58(config-wlan-test)#

Related Commands
no                                    Disables forwarding of downstream BC/MC packets to a group on this WLAN

4.1.97.2.18 dpi
wlan-mode commands
Enables DPI on this WLAN. When enabled, all traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction. DPI is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as Netflix, Twitter, Facebook, etc.) and extract metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
dpi metadata [http|ssl|tcp-rtt|voice-video]
Parameters
dpi metadata [http|ssl|tcp-rtt|voice-video]

dpi metadata [http|ssl|tcp-rtt|voice-video]
                                      Enables extraction of the following metadata flows:
http                                  Extracts HTTP flows. When enabled, administrators can track HTTP Websites accessed by both internal and guest clients and visualize HTTP data usage, hits, active time and total clients on the NSight applications dashboard. This setting is disabled by default.
ssl                                   Extracts SSL flows. When enabled, administrators can track SSL Websites accessed by both internal and guest clients and visualize SSL data usage, hits, active time and total clients on the NSight applications dashboard. This setting is disabled by default.
tcp-rtt                               Extracts Round Trip Time (RTT) information from Transmission Control Protocol (TCP) flows. However, this TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server is up and NSight analytics data collection is enabled.
voice-video                           Extracts voice and video flows. When enabled, voice and video calls can be tracked by extracting parameters, such as packets transferred and lost, jitter, and application name. Most enterprise VoIP applications like FaceTime, Skype for Business and VoIP terminals can be monitored for call quality and visualized on the NSight dashboard in a manner similar to HTTP and SSL. Call quality and metrics can only be determined from calls established unencrypted. This setting is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#dpi metadata http
rfs6000-81742D(config-wlan-test)#dpi metadata ssl
rfs6000-81742D(config-wlan-test)#dpi metadata voice-video
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 dpi metadata voice-video
 dpi metadata http
 dpi metadata ssl
rfs6000-81742D(config-wlan-test)#

Related Commands
no                                    Disables extraction of metadata flows on the WLAN

4.1.97.2.19 dynamic-vlan-assignment
wlan-mode commands
Enables dynamic VLAN assignment on this WLAN, and adds or removes VLANs for the selected WLAN. Configure this feature to allow an override to the WLAN configuration. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS Access-Accept packet, and this feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the VLAN-ID returned by the RADIUS server is ignored and the WLAN's VLAN configuration is used. For more information, see vlan. This option is disabled by default.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
dynamic-vlan-assignment allowed-vlans <VLAN-ID>
Parameters
dynamic-vlan-assignment allowed-vlans <VLAN-ID>

dynamic-vlan-assignment               Enables dynamic VLAN assignment and configures a list of VLAN IDs or VLAN aliases allowed access to the WLAN
allowed-vlans <VLAN-ID>               Specify the list of VLAN IDs or the VLAN alias names. For example, 10-20, 25, 30-35, $guest. For information on VLAN aliases, see alias.

Example
rfs4000-229D58(config-wlan-test)#dynamic-vlan-assignment allowed-vlans 10-20
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 dynamic-vlan-assignment allowed-vlans 10-20
rfs4000-229D58(config-wlan-test)#
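The assignment decision this command controls, as an added example that is not WiNG code. It parses an allowed-VLAN list in the form the guide shows ('10-20, 25, 30-35, $guest'), resolves $aliases through a constructed alias table, and decides which VLAN a client lands on when the RADIUS Access-Accept carries a VLAN-ID. The guide describes the enabled and disabled cases; treating a returned VLAN-ID outside the allowed list as not honoured, so the client stays on the WLAN's own VLAN, is this example's assumption, as is the 1-4094 range check on list entries.

```python
"""Model of 'dynamic-vlan-assignment allowed-vlans <VLAN-ID>' decisions.

Added example, not WiNG code. Parses the allowed-VLAN list, resolves aliases
through a constructed table, and picks the VLAN for an authenticated client.
"""
import re

# Constructed alias table standing in for VLAN alias definitions on the device.
VLAN_ALIASES = {"$guest": 40}


def parse_allowed_vlans(spec, aliases=VLAN_ALIASES):
    """'10-20, 25, 30-35, $guest' -> {10, ..., 20, 25, 30, ..., 35, 40}.

    Items are single IDs, inclusive ranges, or $alias names. IDs are checked
    against the 802.1Q range 1-4094 (this check is the example's assumption).
    """
    allowed = set()
    for item in re.split(r"[,\s]+", spec.strip()):
        if not item:
            continue
        if item.startswith("$"):
            if item not in aliases:
                raise ValueError(f"unknown VLAN alias {item}")
            allowed.add(aliases[item])
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad VLAN item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range {item} outside 1-4094")
        allowed.update(range(lo, hi + 1))
    return allowed


def assign_vlan(wlan_vlan, dynamic_enabled, allowed_spec, radius_vlan):
    """Return (vlan, reason) for a client after authentication.

    wlan_vlan       the WLAN's own VLAN configuration
    dynamic_enabled whether dynamic-vlan-assignment is configured on the WLAN
    allowed_spec    the allowed-vlans list as typed on the CLI
    radius_vlan     VLAN-ID from the RADIUS Access-Accept, or None if absent
    """
    if not dynamic_enabled or radius_vlan is None:
        return wlan_vlan, "wlan-vlan"              # feature off or nothing returned
    if radius_vlan in parse_allowed_vlans(allowed_spec):
        return radius_vlan, "radius-vlan"          # override honoured
    return wlan_vlan, "radius-vlan-not-allowed"    # assumption: fall back to the WLAN VLAN


if __name__ == "__main__":
    print(assign_vlan(1, True, "10-20", 15))        # the guide's example list
    print(assign_vlan(1, True, "10-20, 25, 30-35, $guest", 40))
```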
Related Commands
no                                    Disables dynamic VLAN assignment on this WLAN

4.1.97.2.20 eap-types
wlan-mode commands
Configures client access based on the EAP type used
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|tls|ttls)}
Parameters
eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls] {(aka|all|fast|peap|sim|tls|ttls)}

eap-types [allow|deny] [aka|all|fast|peap|sim|tls|ttls]
                                      Configures a list of allowed or denied EAP types
allow                                 Configures a list of EAP types allowed for WLAN client authentication
deny                                  Configures a list of EAP types not allowed for WLAN client authentication
                                      The following EAP types are common to the allow and deny keywords:
aka                                   Configures EAP Authentication and Key Agreement (AKA) and EAP-AKA' (AKA Prime). EAP-AKA is one of the methods in the EAP authentication framework. It uses the Universal Mobile Telecommunications System (UMTS) and Universal Subscriber Identity Module (USIM) for client authentication and key distribution.
all                                   Allows or denies usage of all EAP types on the WLAN. This is the default setting.
fast                                  Configures EAP Flexible Authentication via Secure Tunneling (FAST). EAP-FAST establishes a Transport Layer Security (TLS) tunnel, to verify client credentials, using Protected Access Credentials (PAC).
peap                                  Configures Protected Extensible Authentication Protocol (PEAP). PEAP or Protected EAP uses an encrypted and authenticated TLS tunnel to encapsulate EAP.
sim                                   Configures EAP Subscriber Identity Module (SIM). EAP-SIM uses the Global System for Mobile Communications (GSM) SIM for client authentication and key distribution.
tls                                   Configures EAP Transport Layer Security (TLS). EAP-TLS is an EAP authentication method that uses PKI to communicate with a RADIUS server or any other authentication server.
ttls                                  Configures Tunneled Transport Layer Security (TTLS). EAP-TTLS is an extension of TLS. Unlike TLS, TTLS does not require every client to generate and install a CA-
aka Configures EAP Authentication and Key Agreement (AKA) and EAP-AKA (AKA Prime). EAP-AKA is one of the methods in the EAP authentication framework. It uses Universal Mobile Telecommunications System (UMTS) and Universal Subscriber Identity Module (USIM) for client authentication and key distribution. all Allows or denies usage of all EAP types on the WLAN. This is the default setting. fast Configures EAP Flexible Authentication via Secure Tunneling (FAST). EAP-FAST establishes a Transport Layer Security (TLS) tunnel, to verify client credentials, using Protected Access Credentials (PAC). peap Configures Protected Extensible Authentication Protocol (PEAP). PEAP or Protected EAP uses encrypted and authenticated TLS tunnel to encapsulate EAP. sim Configures EAP Subscriber Identity Module (SIM). EAP-SIM uses Global System for Mobile Communications (GSMC) SIM for client authentication and key distribution. tls Configures EAP Transport Layer Security (TLS). EAP-TLS is an EAP authentication method that uses PKI to communicate with a RADIUS server or any other authentication server. ttls Configures Tunneled Transport Layer Security (TTLS). EAP-TTLS is an extension of TLS. Unlike TLS, TTLS does not require every client to generate and install a CA-
signed certificate. These options are recursive, and more than one EAP type can be selected. The selected options are added to the allowed or denied EAP types list. Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 486 GLOBAL CONFIGURATION COMMANDS Example rfs6000-81742D(config-wlan-test)#eap-types allow fast sim tls rfs6000-81742D(config-wlan-test)#show context wlan test ssid test bridging-mode tunnel encryption-type none authentication-type none eap-types allow fast sim tls rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Reverts to the default setting - eap-types allow all

4.1.97.2.21 encryption-type
wlan-mode commands

Sets a WLAN's encryption type

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|wep128-keyguard|wep64]

Parameters
  encryption-type [ccmp|keyguard|none|tkip-ccmp|wep128|wep128-keyguard|wep64]

  encryption-type   Configures the WLAN's data encryption parameters
    ccmp              Configures Advanced Encryption Standard (AES) Counter Mode CBC-MAC Protocol (AES-CCM/CCMP)
    keyguard          Configures Keyguard-MCM (Mobile Computing Mode)
    none              No encryption used. This is the default setting.
    tkip-ccmp         Configures the TKIP and AES-CCM/CCMP encryption modes
    wep128            Configures WEP with 128 bit keys
    wep128-keyguard   Configures WEP128 as well as Keyguard-MCM encryption modes
    wep64             Configures WEP with 64 bit keys. A WEP64 configuration is insecure when two WLANs are mapped to the same VLAN, and one uses no encryption while the other uses WEP.

Example
  rfs6000-81742D(config-wlan-test)#encryption-type tkip-ccmp
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   description TestWLAN
   ssid test
   bridging-mode local
   encryption-type tkip-ccmp
   authentication-type eap
   accounting syslog host 172.16.10.4 port 2
   data-rates 2.4GHz gn
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   captive-portal-enforcement fall-back
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   broadcast-dhcp validate-offer
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Resets the WLAN's encryption type to the default (none)

4.1.97.2.22 enforce-dhcp
wlan-mode commands

Enables dropping of packets from clients with a static IP address. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  enforce-dhcp

Parameters
  None

Example
  rfs6000-81742D(config-wlan-test)#enforce-dhcp
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   description TestWLAN
   ssid test
   bridging-mode local
   encryption-type tkip-ccmp
   authentication-type eap
   accounting syslog host 172.16.10.4 port 2
   data-rates 2.4GHz gn
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   captive-portal-enforcement fall-back
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   enforce-dhcp
   broadcast-dhcp validate-offer
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Disables dropping of packets from clients with a static IP address

4.1.97.2.23 fast-bss-transition
wlan-mode commands

Enables support for 802.11r Fast-BSS Transition (FT) on the selected WLAN. This feature is disabled by default.

802.11r is an attempt to undo the burden that security and QoS added to the handoff process, and restore it to the original four-message exchange. The central application for the 802.11r standard is VoIP using mobile phones within wireless Internet networks. 802.11r FT redefines the security key negotiation protocol, allowing parallel processing of negotiation and requests for wireless resources. Enabling the FT standard provides wireless clients a fast, secure and seamless transfer from one base station to another, ensuring continuous connectivity.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  fast-bss-transition {over-ds}

Parameters
  fast-bss-transition {over-ds}

  fast-bss-transition   Enables 802.11r FT support on this WLAN
  over-ds               Optional. Enables 802.11r client roaming over the Distribution System (DS). When enabled, all client communication with the target AP is via the current AP. This communication, carried in FT action frames, is first sent by the client to the current AP, then forwarded to the target AP through the controller.

Example
  rfs6000-81742D(config-wlan-test)#fast-bss-transition
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   vlan 1
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   fast-bss-transition
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Disables support for 802.11r Fast-BSS Transition (FT) on a WLAN

4.1.97.2.24 http-analyze
wlan-mode commands

Enables HTTP URL analysis on the WLAN

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  http-analyze [filter|syslog]
  http-analyze filter [images|post|query-string]
  http-analyze syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

Parameters
  http-analyze filter [images|post|query-string]

  filter         Filters URLs, based on the parameters set, before forwarding them
  images         Filters out URLs referring to images (does not forward URLs requesting images)
  post           Filters out URLs requesting POST (does not forward POST requests). This option is disabled by default.
  query-string   Removes query strings from URLs before forwarding them (forwards requests and no data). This option is disabled by default.

  http-analyze syslog host <IP/HOSTNAME> {port <1-65535>} {proxy-mode [none|through-controller|through-rf-domain-manager]}

  syslog                Forwards client and URL information to a syslog server
  host <IP/HOSTNAME>    Specify the syslog server's IP address or hostname
  port <1-65535>        Optional. Specifies the UDP port used to connect to the syslog server, from 1 - 65535
  proxy-mode [none|through-controller|through-rf-domain-manager]   Optional. Specifies whether the request is proxied through another device
    none                        Requests are sent directly to the syslog server from the device
    through-controller          Proxies requests to the syslog server through the controller configuring the device
    through-rf-domain-manager   Proxies requests to the syslog server through the local RF Domain manager

Example
  rfs4000-229D58(config-wlan-test)#http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
  rfs4000-229D58(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
  rfs4000-229D58(config-wlan-test)#
Related Commands
  no   Disables HTTP URL analysis on the WLAN

4.1.97.2.25 ip
wlan-mode commands

Configures Internet Protocol (IP) settings

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ip [arp|dhcp]
  ip arp [header-mismatch-validation|trust]
  ip dhcp trust

Parameters
  ip arp [header-mismatch-validation|trust]

  ip arp                       Configures the IP settings for ARP packets
  header-mismatch-validation   Verifies a mismatch of the source MAC address in the ARP and Ethernet headers. This option is enabled by default.
  trust                        Sets ARP responses as trusted for a WLAN/range. This option is disabled by default.

  ip dhcp trust

  ip dhcp trust   Configures the IP settings for DHCP packets. Sets DHCP responses as trusted for a WLAN/range. This option is disabled by default.

Example
  rfs6000-81742D(config-wlan-test)#ip dhcp trust
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   description TestWLAN
   ssid test
   bridging-mode local
   encryption-type tkip-ccmp
   authentication-type eap
   accounting syslog host 172.16.10.4 port 2
   data-rates 2.4GHz gn
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   captive-portal-enforcement fall-back
   ip dhcp trust
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   enforce-dhcp
   broadcast-dhcp validate-offer
   http-analyze controller
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Resets IP ARP or DHCP trust parameters to default. ARP trust is disabled, ARP mismatch verification is enabled, or DHCP trust is disabled.

4.1.97.2.26 ipv6
wlan-mode commands

Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this WLAN

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ipv6 [dhcpv6|nd]
  ipv6 dhcpv6 trust
  ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters
  ipv6 dhcpv6 trust

  ipv6 dhcpv6 trust   Enables the DHCPv6 trust state for DHCPv6 responses on this WLAN. When enabled, all DHCPv6 responses received on this WLAN are trusted and forwarded. This option is disabled by default.

  ipv6 nd [header-mismatch-validation|raguard|trust]

  ipv6 nd                      Sets the IPv6 ND settings for this WLAN
  header-mismatch-validation   Checks for a mismatch of the source MAC address in the ICMPv6 ND message and the Ethernet header (link layer option). This option is enabled by default.
  raguard                      Allows redirection of router advertisements (RAs) and ICMPv6 packets originating on this WLAN. This option is disabled by default.
  trust                        Enables the trust state for ND requests received on this WLAN. When enabled, all ND requests on an IPv6 firewall, on this WLAN, are trusted. This option is disabled by default.

Example
  rfs6000-81742D(config-wlan-test)#ipv6 dhcpv6 trust
  rfs6000-81742D(config-wlan-test)#ipv6 nd trust
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   vlan 1
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   ipv6 dhcpv6 trust
   ipv6 nd trust
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Resets IPv6 ND or DHCPv6 trust parameters to default. ND request trust is disabled, ND header mismatch verification is enabled, ND RA and ICMPv6 redirection is disabled, or DHCPv6 trust is disabled.

4.1.97.2.27 kerberos
wlan-mode commands

Configures Kerberos authentication parameters on a WLAN

Kerberos (designed and developed by MIT) provides strong authentication for client/server applications using secret-key cryptography. Using Kerberos, a client must prove its identity to a server (and vice versa) across an insecure network connection. Once a client and server use Kerberos to validate their identity, they encrypt all communications to assure privacy and data integrity.

Kerberos can only be used on the access point with 802.11b clients. Kerberos uses Network Time Protocol (NTP) for synchronizing the clocks of its Key Distribution Center (KDC) server(s).

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  kerberos [password|realm|server]
  kerberos password [0 <LINE>|2 <LINE>|<LINE>]
  kerberos realm <REALM>
  kerberos server [primary|secondary|timeout]
  kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}
  kerberos server timeout <1-60>

Parameters
  kerberos   Configures a WLAN's Kerberos authentication parameters. The parameters are: password, realm, and server.

  kerberos password [0 <LINE>|2 <LINE>|<LINE>]

  password   Configures a Kerberos KDC server password. The password should not exceed 127 characters. The password options are:
    0 <LINE>   Configures a clear text password
    2 <LINE>   Configures an encrypted password
    <LINE>     Specify the password.

  kerberos realm <REALM>

  realm <REALM>   Configures a Kerberos KDC server realm. The REALM should not exceed 127 characters.

  kerberos server [primary|secondary] host <IP/HOSTNAME> {port <1-65535>}

  server [primary|secondary]   Configures the primary and secondary KDC server parameters
    primary     Configures the primary KDC server parameters
    secondary   Configures the secondary KDC server parameters
  host <IP/HOSTNAME>   Sets the primary or secondary KDC server address
    <IP/HOSTNAME>   Specify the IP address or name of the KDC server.
  port <1-65535>   Optional. Configures the UDP port used to connect to the KDC server
    <1-65535>   Specify the port from 1 - 65535. The default is 88.

  kerberos server timeout <1-60>

  server timeout <1-60>   Modifies the Kerberos KDC server's timeout parameters
    <1-60>   Specifies the wait time for a response from the Kerberos KDC server before retrying. Specify a value from 1 - 60 seconds.

Example
  rfs6000-81742D(config-wlan-test)#kerberos server timeout 12
  rfs6000-81742D(config-wlan-test)#kerberos server primary host 172.16.10.2 port 88
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   description TestWLAN
   ssid test
   bridging-mode local
   encryption-type tkip-ccmp
   authentication-type eap
   kerberos server timeout 12
   kerberos server primary host 172.16.10.2
   accounting syslog host 172.16.10.4 port 2
   data-rates 2.4GHz gn
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   captive-portal-enforcement fall-back
   ip dhcp trust
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   enforce-dhcp
   broadcast-dhcp validate-offer
   http-analyze controller
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Removes Kerberos authentication related parameters on a WLAN

4.1.97.2.28 mac-authentication
wlan-mode commands

Enables MAC authentication. When enabled, the system uses cached credentials (RADIUS server lookups are skipped) to authenticate clients.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mac-authentication [cached-credentials|enforce-always]

Parameters
  mac-authentication [cached-credentials|enforce-always]

  mac-authentication   Enables MAC authentication on this WLAN and configures related parameters
  cached-credentials   Uses cached credentials to skip RADIUS lookups. This option is disabled by default.
  enforce-always       Enforces MAC authentication on this WLAN. When enabled, MAC authentication is enforced each time a client logs in, even when the authentication type specified (using the authentication-type command) is not MAC authentication. This option is disabled by default.

Example
  rfs4000-229D58(config-wlan-test)#mac-authentication cached-credentials
  rfs4000-229D58(config-wlan-test)#
Related Commands
  no   Disables MAC authentication related parameters: disables use of cached credentials to skip RADIUS lookups, or disables enforcement of MAC authentication on this WLAN.

4.1.97.2.29 no
wlan-mode commands

Negates WLAN mode commands and reverts values to their default

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [accounting|acl|answer-broadcast-probes|assoc-response|association-list|authentication-type|
      broadcast-dhcp|broadcast-ssid|captive-portal-enforcement|client-access|
      client-client-communication|client-load-balancing|controller-assisted-mobility|data-rates|
      description|downstream-group-addressed-forwarding|dpi|dynamic-vlan-assignment|eap-types|
      encryption-type|enforce-dhcp|fast-bss-transition|http-analyze|ip|ipv6|kerberos|
      mac-authentication|nsight|opendns|protected-mgmt-frames|proxy-arp-mode|proxy-nd-mode|
      qos-map|radio-resource-measurement|radius|registration|relay-agent|shutdown|ssid|
      t5-client-isolation|t5-security|time-based-access|use|vlan|vlan-pool-member|wep128|wep64|
      wing-extensions|wireless-client|wpa-wpa2|service]
  no accounting [radius|syslog|wait-client-ip]
  no acl exceed-rate wireless-client-denied-traffic
  no [answer-broadcast-probes|association-list global|authentication-type|
      broadcast-dhcp validate-offer|broadcast-ssid|captive-portal-enforcement|client-access|
      client-client-communication|client-load-balancing allow-single-band-clients|
      controller-assisted-mobility|data-rates [2.4GHz|5GHz]|description|
      downstream-group-addressed-forwarding|dynamic-vlan-assignment allowed-vlans|eap-types|
      encryption-type|enforce-dhcp|fast-bss-transition over-ds|opendns device-id|
      protected-mgmt-frames {sa-query}|proxy-arp-mode|proxy-nd-mode|qos-map|ssid|
      t5-client-isolation|t5-security|vlan]
  no assoc-response [deny-threshold|rssi-threshold]
  no http-analyze {filter|syslog}
  no http-analyze {filter [images|post|query-string]}
  no ip [arp|dhcp]
  no ip arp [header-mismatch-validation|trust]
  no ip dhcp trust
  no dpi metadata [http|ssl|voice-video]
  no ipv6 [dhcpv6|nd]
  no ipv6 dhcpv6 trust
  no ipv6 nd [header-mismatch-validation|raguard|trust]
  no kerberos [password|realm|server]
  no kerberos server [primary host|secondary host|timeout]
  no mac-authentication [cached-credentials|enforce-always]
  no nsight client-history
  no radio-resource-measurement {channel-report|neighbor-report {hybrid}}
  no radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]
  no registration {external}
  no relay-agent [dhcp-option82|dhcpv6-ldra]
  no shutdown {on-critical-resource|on-meshpoint-loss|on-primary-port-link-loss|on-unadoption}
  no time-based-access days [all|friday|monday|saturday|sunday|thursday|tuesday|wednesday|
      weekdays|weekends]
  no use [aaa-policy|association-acl-policy|bonjour-gw-discovery-policy|captive-portal|
      ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|roaming-assist-policy|
      url-filter|wlan-qos-policy]
  no vlan-pool-member [<1-4095>|<VLAN-ALIAS-NAME>]
  no [wep128|wep64] [key {1-4}|transmit-key]
  no wing-extension [move-command|smart-scan|wing-load-information|wmm-load-information]
  no wireless-client [count-per-radio|cred-cache-ageout|hold-time|inactivity-timeout|
      max-firewall-sessions|reauthentication|roam-notification|t5-inactivity-timeout|tx-power|
      vlan-cache-ageout]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>   Removes or reverts this WLAN's settings based on the parameters passed

Usage Guidelines
  The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
  rfs6000-81742D(config-wlan-test)#no ?
    accounting                              Configure how accounting records are created for this wlan
    acl                                     Actions taken based on ACL configuration [ packet drop being one of them]
    answer-broadcast-probes                 Do not Include this wlan when responding to probe requests that do not specify an SSID
    assoc-response                          Association response threshold
    association-list                        Configure the association list for the wlan
    authentication-type                     Reset the authentication to use on this wlan to default (none/Pre-shared keys)
    broadcast-dhcp                          Configure broadcast DHCP packet handling
    broadcast-ssid                          Do not advertise the SSID of the WLAN in beacons
    captive-portal-enforcement              Configure how captive-portal is enforced on the wlan
    client-access                           Disallow client access on this wlan (no data operations)
    client-client-communication             Disallow switching of frames from one wireless client to another on this wlan
    client-load-balancing                   Disable load-balancing of clients on this wlan
    controller-assisted-mobility            Disable configure assisted mobility
    data-rates                              Reset data rate configuration to default
    description                             Reset the description of the wlan
    downstream-group-addressed-forwarding   Disable downstream group addressed forwarding of packets
    dpi                                     Deep-Packet-Inspection (Application Assurance)
    dynamic-vlan-assignment                 Dynamic VLAN assignment configuration
    eap-types                               Allow all EAP types on this wlan
    encryption-type                         Reset the encryption to use on this wlan to default (none)
    enforce-dhcp                            Drop packets from Wireless Clients with static IP address
    fast-bss-transition                     Disable support for 802.11r Fast BSS Transition
    http-analyze                            Enable HTTP URL analysis on the wlan
    ip                                      Internet Protocol (IP)
    ipv6                                    Internet Protocol version 6 (IPv6)
    kerberos                                Configure kerberos authentication parameters
    mac-authentication                      Configure mac-authentication related parameters
    nsight                                  Nsight Server
    opendns                                 OpenDNS related config for this wlan
    protected-mgmt-frames                   Disable support for Protected Management Frames (IEEE 802.11w)
    proxy-arp-mode                          Configure handling of ARP requests with proxy-arp is enabled
    proxy-nd-mode                           Configure handling of IPv6 ND requests with proxy-nd is enabled
    qos-map                                 Disable the 802.11u QoS map element and frame
    radio-resource-measurement              Disable support for 802.11k Radio Resource Measurement
    radius                                  Configure RADIUS related parameters
    registration                            Dynamic registration of device (or) user
    relay-agent                             Configure dhcp relay agent info
    shutdown                                Enable the use of this wlan
    ssid                                    Configure ssid
    t5-client-isolation                     Do not Isolate traffic among clients
    t5-security                             Configure encryption and authentication
    time-based-access                       Reset time-based-access parameters to default
    use                                     Set setting to use
    vlan                                    Map the default vlan (vlan-id 1) to the wlan
    vlan-pool-member                        Delete a mapped vlan from this wlan
    wep128                                  Reset WEP128 parameters
    wep64                                   Reset WEP64 parameters
    wing-extensions                         Disable support for WiNG-Specific extensions to 802.11
    wireless-client                         Configure wireless-client specific parameters
    wpa-wpa2                                Modify tkip-ccmp (wpa/wpa2) related parameters
    service                                 Service to monitor to show no-service page to user
  rfs6000-81742D(config-wlan-test)#
  The test settings before execution of the no command:

  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   description TestWLAN
   ssid test
   bridging-mode local
   encryption-type tkip-ccmp
   authentication-type eap
   kerberos server timeout 12
   kerberos server primary host 172.16.10.2
   accounting syslog host 172.16.10.4 port 2
   data-rates 2.4GHz gn
   wing-extensions wmm-load-information
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   captive-portal-enforcement fall-back
   ip dhcp trust
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   enforce-dhcp
   broadcast-dhcp validate-offer
   http-analyze controller
  rfs6000-81742D(config-wlan-test)#

  rfs6000-81742D(config-wlan-test)#no accounting syslog
  rfs6000-81742D(config-wlan-test)#no description
  rfs6000-81742D(config-wlan-test)#no authentication-type
  rfs6000-81742D(config-wlan-test)#no encryption-type
  rfs6000-81742D(config-wlan-test)#no enforce-dhcp
  rfs6000-81742D(config-wlan-test)#no kerberos server primary host
  rfs6000-81742D(config-wlan-test)#no kerberos server timeout
  rfs6000-81742D(config-wlan-test)#no data-rates 2.4GHz
  rfs6000-81742D(config-wlan-test)#no ip dhcp trust
  rfs6000-81742D(config-wlan-test)#no captive-portal-enforcement

  The test settings after the execution of the no command:

  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode local
   encryption-type none
   authentication-type none
   wing-extensions wmm-load-information
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   broadcast-dhcp validate-offer
   http-analyze controller
  rfs6000-81742D(config-wlan-test)#
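As an added example (not part of this guide and not WiNG code), the following Python script parses show context WLAN listings of the kind shown above and reports the settings this chapter describes as no encryption, legacy WEP/Keyguard, or default-off protections: encryption-type none/WEP/Keyguard (including the WEP64 note about sharing a VLAN with an unencrypted WLAN), a missing enforce-dhcp, any ip/ipv6 trust state turned on, and an EAP WLAN left at the default eap-types allow all. The sample listing is constructed for the example and the finding names are the example's own.

```python
"""Audit WiNG 'show context' WLAN output for the settings this section covers."""
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the show context listings in this guide
# (not captured from a real device).
SAMPLE_CONTEXT = """\
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type wep64
 authentication-type eap
 eap-types allow all
 ip dhcp trust
 ipv6 nd trust
 http-analyze syslog host 192.168.13.10 port 21 proxy-mode through-controller
wlan guest
 ssid guest
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 enforce-dhcp
 no nsight client-history
"""

# Encryption types the guide describes as no encryption or as legacy WEP/Keyguard.
WEAK_ENCRYPTION = {"none", "wep64", "wep128", "keyguard", "wep128-keyguard"}


def parse_wlans(text: str) -> Dict[str, List[str]]:
    """Split show context output into {wlan-name: [indented setting lines]}."""
    wlans: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):
            # Top-level line: only 'wlan <name>' opens a block we audit.
            match = re.match(r"wlan\s+(\S+)$", raw)
            current = match.group(1) if match else None
            if current is not None:
                wlans[current] = []
            continue
        if current is not None:
            wlans[current].append(raw.strip())
    return wlans


def value_of(lines: List[str], key: str) -> Optional[str]:
    """Argument text of the first line starting with `key`, or None if absent."""
    for line in lines:
        if line == key:
            return ""
        if line.startswith(key + " "):
            return line[len(key) + 1:]
    return None


def encryption_of(lines: List[str]) -> str:
    return value_of(lines, "encryption-type") or "none"  # none is the default


def vlan_of(lines: List[str]) -> int:
    """WLAN-to-VLAN mapping; the 'no vlan' help text names vlan-id 1 as default."""
    for line in lines:
        match = re.fullmatch(r"vlan\s+(\d+)", line)
        if match:
            return int(match.group(1))
    return 1


def audit_wlan(lines: List[str]) -> List[str]:
    findings: List[str] = []
    enc = encryption_of(lines)
    if enc in WEAK_ENCRYPTION:
        findings.append(f"weak-encryption:{enc}")
    if "enforce-dhcp" not in lines:  # off by default: static-IP clients pass
        findings.append("enforce-dhcp-missing")
    for trust in ("ip arp trust", "ip dhcp trust", "ipv6 dhcpv6 trust", "ipv6 nd trust"):
        if trust in lines:  # all four trust states are off by default
            findings.append(trust.replace(" ", "-"))
    if value_of(lines, "authentication-type") == "eap":
        eap = value_of(lines, "eap-types")
        if eap is None or eap == "allow all":  # 'eap-types allow all' is the default
            findings.append("eap-types-unrestricted")
    return findings


def audit_context(text: str) -> Dict[str, List[str]]:
    wlans = parse_wlans(text)
    report = {name: audit_wlan(lines) for name, lines in wlans.items()}
    # Cross-WLAN check from the wep64 description: WEP64 is insecure when an
    # unencrypted WLAN is mapped to the same VLAN.
    for name, lines in wlans.items():
        if encryption_of(lines) != "wep64":
            continue
        for other, other_lines in wlans.items():
            if (other != name and encryption_of(other_lines) == "none"
                    and vlan_of(other_lines) == vlan_of(lines)):
                report[name].append(f"wep64-shares-vlan-with-unencrypted:{other}")
    return report
```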
4.1.97.2.30 nsight
wlan-mode commands

Enables retention of client history

A typical NSight-server enabled, guest access environment may be visited by thousands of unique clients on a daily basis. Some of these guest clients are not regular visitors, accessing the network infrequently. However, by default, historical data of all guest clients, irrespective of their network access frequency, is retained by the NSight server for up to 180 days. This results in the database containing thousands if not millions of unique MAC addresses of infrequent guest clients. To address this potential problem it is recommended to disable client-history retention on a guest WLAN, and use the nsight-policy context to configure a separate timer (8 hours by default) specifying the guest client data lifespan in the database.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  nsight client-history

Parameters
  nsight client-history

  nsight client-history   Enables retention of client history in the database. This option is enabled by default.

Example
  On a WLAN, the client-history option is enabled by default. When enabled, all client history (including guest clients) is retained in the NSight server database for 180 days. To disable this option, execute the no > nsight > client-history command. When disabled, guest client history is retained only for 8 hours, which is the default setting defined by the NSight policy applied on the access point (through which the guest client accesses the WLAN) or the access point's RF Domain. However, the default historical data retention duration for regular clients and devices (access points and controllers) remains unchanged (180 days) as per the NSight policy settings.

  nx9500-6C8809(config-wlan-test3)#no nsight client-history
  nx9500-6C8809(config-wlan-test3)#show context
  wlan test3
   ssid test3
   bridging-mode local
   encryption-type none
   authentication-type none
   no nsight client-history
  nx9500-6C8809(config-wlan-test3)#

  Use the NSight policy context to define separate client-history retention times for regular clients, devices, and guest clients. For more information, see nsight-policy.

Related Commands
  no   Disables client-history retention in the NSight database

4.1.97.2.31 opendns
wlan-mode commands

Configures the pre-fetched OpenDNS device_id. Once configured, all DNS queries originating from wireless clients associating with the WLAN are appended with an additional 31 bytes of data (representing the device ID) at the end of the DNS packet. The device ID is a sixteen (16) character hex string representing a 64 bit unsigned integer and is fetched from the OpenDNS site.

This command is part of a series of configurations that are required to integrate WiNG access points, wireless controllers, and service platforms with OpenDNS. When all the parameters have been configured, DNS queries from wireless clients associating with the WLAN are redirected to OpenDNS (208.67.220.220 OR 208.67.222.222). These OpenDNS resolvers act as proxy DNS servers that provide additional functionalities, such as Web filtering, reporting, and performance enhancement. For more information on the entire configuration, see opendns.

This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  opendns device-id <DEVICE-ID>

Parameters
  opendns device-id <DEVICE-ID>
  opendns device-id <DEVICE-ID>   Configures the device ID to embed in DNS queries sent to OpenDNS
    <DEVICE-ID>   Specify the device ID.

Example
The following command fetches the device_id from the OpenDNS site.
  ap7131-E6D512#opendns ApiToken 9110B39543DEB2ECA1F473AE03E8899C00019073
  device_id = 0014AADF8EDC6C59
  ap7131-E6D512#

Use this device_id in the WLAN configuration context.
  ap7131-E6D512(config)#wlan opendns
  ap7131-E6D512(config-wlan-opendns)#opendns device-id 0014AADF8EDC6C59
  ap7131-E6D512(config-wlan-opendns)#commit
  ap7131-E6D512(config-wlan-opendns)#show context
  wlan opendns
   ssid opendns
   vlan 1
   bridging-mode local
   encryption-type none
   authentication-type none
   opendns device-id 0014AADF8EDC6C59
  ap7131-E6D512(config-wlan-opendns)#
Related Commands
  no   Removes the device ID configured to be embedded in the DNS queries originating from the WiNG devices

4.1.97.2.32 protected-mgmt-frames
wlan-mode commands

Configures the WLAN's frame protection mode and security association (SA) query parameters.

802.11w provides protection for both unicast management frames and broadcast/multicast management frames. The robust management frames are action, disassociation, and deauthentication frames. The standard provides one security protocol, CCMP, for protection of unicast robust management frames. The protected management frames (PMF) protocol applies only to robust management frames after establishment of the RSNA PTK. Robust management frame protection is achieved by using CCMP for unicast management frames, the broadcast/multicast integrity protocol (BIP) for broadcast/multicast management frames, and the SA query protocol for protection against (re)association attacks.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]

Parameters
  protected-mgmt-frames [mandatory|optional|sa-query [attempts <1-10>|timeout <100-1000>]]
  protected-mgmt-frames   Enables and configures the WLAN's frame protection mode and SA query parameters. Use this command to specify whether management frames are continually or optionally protected. Frame protection mode is disabled by default.
    mandatory   Enforces protected management frames (PMF) on this WLAN (management frames are continually protected)
    optional    Provides PMF only for those clients that support PMF (management frames are optionally protected)
    sa-query [attempts <1-10>|timeout <100-1000>]   Configures the following SA query parameters:
      attempts <1-10>      Configures the number of SA query attempts, from 1 - 10. The default is 5.
      timeout <100-1000>   Configures the interval, in milliseconds, used to time out association requests that exceed the defined interval. Specify a value from 100 - 1000 milliseconds. The default is 201 milliseconds.

Example
  rfs6000-81742D(config-wlan-test)#protected-mgmt-frames mandatory
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   protected-mgmt-frames mandatory
  rfs6000-81742D(config-wlan-test)#
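The SA query parameters above are easiest to understand by walking through the procedure they govern. The following Python simulation is an added example, not code from the guide or from WiNG: it models the AP side of the 802.11w SA query for a WLAN with protected-mgmt-frames mandatory, using the guide's defaults (5 attempts, 201 ms), and shows why an unprotected (re)association request for an already-associated client cannot tear the session down unless the genuine client has really gone silent. The responds_at_attempt parameter, standing in for the real client's SA Query Response, is an assumption of the simulation.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# WiNG CLI defaults quoted in the guide: sa-query attempts 5, timeout 201 ms.
DEFAULT_ATTEMPTS = 5
DEFAULT_TIMEOUT_MS = 201


@dataclass
class SAQueryConfig:
    attempts: int = DEFAULT_ATTEMPTS
    timeout_ms: int = DEFAULT_TIMEOUT_MS

    def __post_init__(self) -> None:
        # Same ranges the CLI accepts: attempts <1-10>, timeout <100-1000>.
        if not 1 <= self.attempts <= 10:
            raise ValueError("sa-query attempts must be 1-10")
        if not 100 <= self.timeout_ms <= 1000:
            raise ValueError("sa-query timeout must be 100-1000 ms")


@dataclass
class Outcome:
    kept: bool                          # True if the existing association survives
    queries_sent: int                   # SA Query Request frames the AP transmitted
    elapsed_ms: int                     # time spent waiting before a decision
    log: List[str] = field(default_factory=list)


def handle_reassociation(
    cfg: SAQueryConfig,
    client_mac: str,
    associated: Set[str],
    responds_at_attempt: Optional[int],
) -> Outcome:
    """Simulate the AP side of the 802.11w SA query procedure.

    An unprotected (re)association request arrives for `client_mac`.
    If the client is not associated there is nothing to protect: accept it.
    If it is associated under PMF, the AP does NOT drop the session; it
    sends SA Query Requests instead.  `responds_at_attempt` (an assumption
    of this simulation) models the genuine client: None means it never
    answers (it really is gone), k means it answers the k-th query.
    """
    out = Outcome(kept=True, queries_sent=0, elapsed_ms=0)
    if client_mac not in associated:
        out.log.append("client not associated: normal association accepted")
        return out

    # 802.11w: the request is rejected temporarily (association comeback) and
    # the SA query starts; the existing association is left untouched meanwhile.
    out.log.append("request for PMF-protected client: comeback sent, SA query started")
    for attempt in range(1, cfg.attempts + 1):
        out.queries_sent += 1
        out.log.append(f"SA Query Request #{attempt}")
        if responds_at_attempt is not None and attempt >= responds_at_attempt:
            out.log.append("SA Query Response received: association kept")
            return out
        out.elapsed_ms += cfg.timeout_ms
        out.log.append(f"no response within {cfg.timeout_ms} ms")

    # Every attempt timed out: the genuine client is gone, so the stale
    # association is removed and a fresh association may proceed.
    associated.discard(client_mac)
    out.kept = False
    out.log.append(
        f"{cfg.attempts} attempts timed out after {out.elapsed_ms} ms: association dropped"
    )
    return out


if __name__ == "__main__":
    cfg = SAQueryConfig()
    clients = {"aa:bb:cc:dd:ee:01"}
    for line in handle_reassociation(cfg, "aa:bb:cc:dd:ee:01", clients, None).log:
        print(line)
```

With the defaults, a client that never answers costs the AP 5 x 201 ms before the association is released; a client that answers the first query keeps its session with no delay.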
Related Commands
  no   Disables enforcement of protected management frames on this WLAN, and reverts the protected management frames sa-query timeout and attempts to 201 milliseconds and 5 respectively.

4.1.97.2.33 proxy-arp-mode
wlan-mode commands

Enables proxy ARP mode for handling ARP requests.

Proxy ARP is the technique used to answer ARP requests intended for another system. By answering as if it were that system, the access point accepts responsibility for routing packets to the actual destination.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  proxy-arp-mode [dynamic|strict]

Parameters
  proxy-arp-mode [dynamic|strict]
  proxy-arp-mode   Enables proxy ARP mode for handling ARP requests. The options available are dynamic and strict.
    dynamic   Forwards to the wireless side those ARP requests for which a response could not be proxied. This is the default setting.
    strict    Does not forward ARP requests to the wireless side

Example
  rfs6000-81742D(config-wlan-test)#proxy-arp-mode strict
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode local
   encryption-type none
   authentication-type none
   protected-mgmt-frames mandatory
   wing-extensions wmm-load-information
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   proxy-arp-mode strict
   broadcast-dhcp validate-offer
   http-analyze controller
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Reverts the proxy ARP mode to the default (dynamic)

4.1.97.2.34 proxy-nd-mode
wlan-mode commands

Configures the proxy ND mode for this WLAN's member clients as either strict or dynamic.

ND proxy is used in IPv6 to provide reachability by allowing a client to act as proxy. Proxy certificate signing can be done either dynamically (requiring exchanges of identity and authorization information) or statically when the network topology is defined.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  proxy-nd-mode [dynamic|strict]

Parameters
  proxy-nd-mode [dynamic|strict]
  proxy-nd-mode [dynamic|strict]   Configures the proxy ND mode for this WLAN's member clients. The options are dynamic and strict.
    dynamic   Forwards to the wireless side those ND requests for which a response could not be proxied. This is the default value.
    strict    Does not forward ND requests to the wireless side

Example
  rfs6000-81742D(config-wlan-test)#proxy-nd-mode strict
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   wpa-wpa2 server-only-authentication
   proxy-nd-mode strict
   opendns device-id 44-55-66
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Reverts the proxy ND mode to the default (dynamic)

4.1.97.2.35 qos-map
wlan-mode commands

Enables support for the 802.11u QoS map element and frames.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  qos-map

Parameters
  None

Example
  rfs6000-81742D(config-wlan-test)#qos-map
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   qos-map
   wpa-wpa2 server-only-authentication
   proxy-nd-mode strict
   opendns device-id 44-55-66
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Disables support for the 802.11u QoS map element and frames

4.1.97.2.36 radio-resource-measurement
wlan-mode commands

Enables support for 802.11k radio resource measurement capabilities (IEEE 802.11k) on this WLAN.

802.11k improves how traffic is distributed. In a WLAN, devices normally connect to the access point with the strongest signal. Depending on the number and location of clients, this arrangement can lead to excessive demand on one access point and under-utilization of others, resulting in degradation of overall network performance. With 802.11k, if the access point with the strongest signal is loaded to its capacity, a client connects to an under-utilized access point. Even if the signal is weaker, the overall throughput is greater since it is an efficient use of the network's resources.

This feature is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  radio-resource-measurement {channel-report|neighbor-report {hybrid}}

Parameters
  radio-resource-measurement {channel-report|neighbor-report {hybrid}}
  radio-resource-measurement   Enables support for 802.11k radio resource measurement capabilities
    channel-report             Optional. Includes the channel-report element in beacons and probe responses
    neighbor-report {hybrid}   Optional. Enables responding to neighbor-report requests
      hybrid                   Optional. Uses the hybrid model of smart-rf neighbors and roaming frequency to neighbors

Example
  rfs4000-229D58(config-wlan-test)#radio-resource-measurement
  rfs4000-229D58(config-wlan-test)#show context
  wlan test
   ssid test
   vlan 1
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   radio-resource-measurement
   controller-assisted-mobility
  rfs4000-229D58(config-wlan-test)#
Related Commands
  no   Disables support for 802.11k radio resource measurement capabilities (IEEE 802.11k) on this WLAN

4.1.97.2.37 radius
wlan-mode commands

Configures RADIUS related parameters.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  radius [dynamic-authorization|nas-identifier|nas-port-id|vlan-assignment]
  radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|vlan-assignment]

Parameters
  radius [dynamic-authorization|nas-identifier <NAS-ID>|nas-port-id <NAS-PORT-ID>|vlan-assignment]
  dynamic-authorization   Enables support for disconnect and change of authorization messages (RFC 5176). When enabled, this option extends the RADIUS protocol to support unsolicited messages from the RADIUS server. These messages allow administrators to issue change of authorization (CoA) messages, which affect session authorization, or disconnect messages (DM), which terminate a session immediately. This option is disabled by default.
  nas-identifier <NAS-ID>   Configures the network access server (NAS) identifier attribute, a value that identifies the access point or controller where the RADIUS messages originate. The value specified here is included in the RADIUS NAS-Identifier field for WLAN authentication and accounting packets.
    <NAS-ID>   Specify the NAS identifier attribute (should not exceed 256 characters in length).
  nas-port-id <NAS-PORT-ID>   Configures the NAS port ID attribute, a value that identifies the port from where the RADIUS messages originate.
    <NAS-PORT-ID>   Specify the NAS port ID attribute (should not exceed 256 characters in length). The profile database on the RADIUS server consists of user profiles for each connected NAS port. Each profile is matched to a username representing a physical port. When authorizing users, the server queries the user profile database using a username representative of the physical NAS port making the connection. Set the numeric port value from 0 - 4294967295.
  vlan-assignment   Configures the VLAN assignment of a WLAN. RADIUS VLAN assignment is disabled by default. When enabled, this option assigns clients to the VLANs specified by the RADIUS server, overriding the WLAN configuration. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS access-accept packet, and this feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the VLAN-ID returned by the RADIUS server is ignored and the VLAN specified using the vlan/vlan-pool-member options (in the WLAN config mode) is used. If both RADIUS VLAN assignment and the post-authentication VLAN options are enabled, RADIUS VLAN assignment takes priority over the post-authentication VLAN configuration.

Example
  rfs6000-81742D(config-wlan-test)#radius vlan-assignment
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode local
   encryption-type none
   authentication-type none
   protected-mgmt-frames mandatory
   radius vlan-assignment
   wing-extensions wmm-load-information
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
  --More--
  rfs6000-81742D(config-wlan-test)#
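Every Example in these wlan-mode sections ends with a show context listing: a wlan <name> line followed by one indented setting per line, with an explicitly disabled default shown as no <setting>. As an added example (not from the guide or from WiNG), the Python below parses a listing in that format and reports the settings covered on these pages that a configuration review should look at first: open encryption and authentication, frame protection that is absent or only optional, no nsight client-history, radius vlan-assignment, and an opendns device-id that is not the 16-character hex string the guide specifies. The sample listing is constructed; its encryption-type ccmp line is assumed so that the PMF check applies.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of the guide's `show context` listings.
# The encryption-type ccmp line is assumed (the guide's listings all use none).
SAMPLE_SHOW_CONTEXT = """\
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid test
 bridging-mode tunnel
 encryption-type ccmp
 authentication-type none
 protected-mgmt-frames optional
 radius vlan-assignment
 no nsight client-history
 proxy-nd-mode strict
 opendns device-id 44-55-66
rfs6000-81742D(config-wlan-test)#
"""

# Guide: the OpenDNS device ID is a 16-character hex string (64-bit unsigned).
DEVICE_ID_RE = re.compile(r"^[0-9A-Fa-f]{16}$")
# WiNG prompt such as rfs6000-81742D(config-wlan-test)#, with or without a command.
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#")

Finding = Tuple[str, str]  # (severity, message)


def parse_wlan_context(text: str) -> Tuple[Optional[str], List[Tuple[str, ...]]]:
    """Return (wlan name, setting lines as token tuples).

    Prompts and the --More-- pager marker are skipped.  `no <setting>` lines
    keep their leading 'no' so an explicitly disabled default can be told
    apart from a setting that is simply absent.
    """
    name: Optional[str] = None
    settings: List[Tuple[str, ...]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--") or PROMPT_RE.match(line):
            continue
        tokens = tuple(line.split())
        if tokens[0] == "wlan" and len(tokens) == 2:
            name = tokens[1]
            continue
        settings.append(tokens)
    return name, settings


def audit_wlan(text: str) -> List[Finding]:
    """Flag the settings from these wlan-mode sections that deserve review."""
    name, settings = parse_wlan_context(text)
    wlan = name or "<unnamed>"
    first: Dict[str, Tuple[str, ...]] = {}          # first line per leading keyword
    for tok in settings:
        first.setdefault(tok[0], tok)
    disabled = {" ".join(t[1:]) for t in settings if t[0] == "no"}
    two_word = {" ".join(t[:2]) for t in settings}

    findings: List[Finding] = []
    enc = first.get("encryption-type", ("", "?"))[1]
    auth = first.get("authentication-type", ("", "?"))[1]
    if enc == "none" and auth == "none":
        findings.append(("high", f"{wlan}: open WLAN (encryption-type none, authentication-type none)"))
    elif enc == "none":
        findings.append(("high", f"{wlan}: client traffic is unencrypted (encryption-type none)"))

    # Per the guide, PMF applies to robust management frames only once an RSNA
    # PTK exists, so the check is meaningful only for an encrypted WLAN.
    pmf = first.get("protected-mgmt-frames")
    if enc != "none":
        if pmf is None:
            findings.append(("medium", f"{wlan}: protected-mgmt-frames not configured (disabled by default)"))
        elif len(pmf) > 1 and pmf[1] == "optional":
            findings.append(("low", f"{wlan}: protected-mgmt-frames optional; only mandatory enforces PMF"))

    if "nsight client-history" in disabled:
        findings.append(("low", f"{wlan}: client history disabled; guest history kept only 8 hours"))

    if "radius vlan-assignment" in two_word:
        findings.append(("info", f"{wlan}: VLAN returned by RADIUS overrides the WLAN VLAN"))

    dev = first.get("opendns")
    if dev and len(dev) == 3 and dev[1] == "device-id" and not DEVICE_ID_RE.match(dev[2]):
        findings.append(("medium", f"{wlan}: opendns device-id {dev[2]!r} is not a 16-character hex string"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_wlan(SAMPLE_SHOW_CONTEXT):
        print(f"[{severity}] {message}")
```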
Related Commands
  no   Disables support for disconnect and change of authorization messages. Disables the use of VLAN information received in RADIUS server responses, instead using the VLAN provided in the WLAN configuration. Removes the configured NAS identifier and NAS port identifier.

4.1.97.2.38 registration
wlan-mode commands

Configures settings enabling dynamic registration and validation of devices by their MAC addresses. When configured, this option registers a device's MAC address, and allows direct access to a previously registered device.

This command also configures the external guest registration and validation server details. If using an external server to perform guest registration, authentication and accounting, use this command to configure the external server's IP address/hostname. When configured, access points and controllers forward guest registration requests to the specified registration server. In case of an EGuest deployment, this external resource should point to the EGuest registration server.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  registration [device|device-OTP|external|user]
  registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {agreement-refresh <0-144000>|expiry-time <1-43800>}
  registration external [follow-aaa|host]
  registration external follow-aaa {send-mode [http|https|udp]}
  registration external host <IP/HOSTNAME> {proxy-mode|send-mode}
  registration external host <IP/HOSTNAME> {proxy-mode [none|through-controller|through-rf-domain-manager|through-centralized-controller]|send-mode [http|https|udp]}

Parameters
  registration external follow-aaa {send-mode [http|https|udp]}
  registration   Enables dynamic guest-user registration and validation. This option is disabled by default.
  external       Specifies that the guest registration is handled by an external resource. Access points/controllers send registration requests to the external registration server.
  follow-aaa     Uses an AAA policy to point to the guest registration, authentication, and accounting server. When used, guest registration is handled by the RADIUS server specified in the AAA policy used in the WLAN context. In case of an EGuest deployment, the RADIUS authentication and accounting server configuration in the AAA policy should point to the EGuest server. The use of the follow-aaa option is recommended in EGuest replica-set deployments. For more information on enabling the EGuest server, see eguest-server (VX9000 only). For more information on configuring an EGuest deployment, see configuring ExtremeGuest captive-portal.
  send-mode [http|https|udp]   Optional. Specifies the protocol used to forward registration requests to the external AAA policy servers. The options are:
    https   Sends registration requests as HTTPS packets
    http    Sends registration requests as HTTP packets
    udp     Sends registration requests as UDP packets, using UDP port 12322. This is the default setting.

  registration external host <IP/HOSTNAME> {proxy-mode [none|through-controller|through-rf-domain-manager|through-centralized-controller]|send-mode [http|https|udp]}
  registration   Configures dynamic guest registration and validation parameters. This option is disabled by default.
  external       Specifies that the guest registration is handled by an external resource. Access points/controllers send registration requests to the external registration server.
  host <IP/HOSTNAME>   Specifies the external registration server's IP address or hostname. When configured, access points/controllers forward guest registration requests to the external registration server specified here.
  proxy-mode {none|through-controller|through-rf-domain-manager|through-centralized-controller}   Optional. Specifies the proxy mode. If a proxy is needed for the connection, specify the proxy mode as through-controller or through-rf-domain-manager. If no proxy is needed, select none.
    none                             Optional. Requests are sent directly to the controller from the requesting device
    through-controller               Optional. Requests are proxied through the controller configuring the device
    through-rf-domain-manager        Optional. Requests are proxied through the local RF Domain manager
    through-centralized-controller   Optional. Requests are proxied through one of the controllers in a cluster that is operating as the designated forwarder. Select this option if capture and redirection is on a cluster of wireless controllers/service platforms managing dependent/independent access points when redundancy is required.
  After specifying the proxy-mode, optionally specify the protocol used to send the requests to the external registration server host.
  send-mode [http|https|udp]   Optional. Specifies the communication protocol used. The options are:
    https   Sends registration requests as HTTPS packets
    http    Sends registration requests as HTTP packets
    udp     Sends registration requests as UDP packets, using UDP port 12322. This is the default setting.

  registration [device|device-OTP|user] group-name <RAD-GROUP-NAME> {agreement-refresh <0-144000>|expiry-time <1-43800>}
  registration   Configures dynamic guest registration and validation parameters. This option is disabled by default.
  [device|device-OTP|user]   Configures the mode used to register guest users of this WLAN. Options include device, external, user, and device-OTP.
    device-OTP   Registers a device by its MAC address. During registration, the user, using the registered device, has to provide the e-mail address, mobile number, or member ID, and the one-time passcode (OTP) sent to the registered e-mail ID or mobile number to complete registration. On subsequent logins, the user has to enter the OTP. If the MAC address of the device attempting login and the OTP combination matches, the user is allowed access. If using this option, set the WLAN authentication type as MAC authentication.
    device       Registers a device by its MAC address. On subsequent logins, already registered MAC addresses are allowed access. If using this option, set the WLAN authentication type as MAC authentication.
    user         Registers guest users using one of the following options: e-mail address, mobile number, or member ID.
    If using any one of the above modes of registration, specify the RADIUS group to which the registered device or user is to be assigned post authentication.
  group-name <RAD-GROUP-NAME>   Configures the RADIUS group name to which registered users are associated. When left blank, users are not associated with a RADIUS group.
    <RAD-GROUP-NAME>   Specify the RADIUS group name (should not exceed 64 characters).
  expiry-time <1-43800>   Optional. Configures the amount of time, in hours, before registered addresses expire and must be re-entered.
    <1-43800>   Specify a value from 1 - 43800 hours. The default is 1500 hours.
  agreement-refresh <0-144000>   Optional. Sets the time, in minutes, after which an inactive user has to refresh the WLAN's terms of agreement. For example, if the agreement refresh period is set to 1440 minutes, a user who has been inactive for more than 1440 minutes (1 day) is served the agreement page, and is allowed access only after refreshing the terms of agreement.
    <0-144000>   Specify a value from 0 - 144000 minutes. The default is 0 minutes.

Example
  nx9500-6C8809(config-wlan-test)#registration user group-name guest agreement-refresh 14400 expiry-time 2000
  nx9500-6C8809(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode local
   encryption-type none
   authentication-type none
   registration user group-name guest expiry-time 2000 agreement-refresh 14400
  nx9500-6C8809(config-wlan-test)#
Related Commands
  no   Disables dynamic user registration and removes associated configurations. Also disables forwarding of user information to an external device.

4.1.97.2.39 relay-agent
wlan-mode commands

Enables support for the DHCP/DHCPv6 relay agent information (option 82 and DHCPv6-LDRA) feature on this WLAN. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  relay-agent [dhcp-option82|dhcpv6-ldra]

Parameters
  relay-agent [dhcp-option82|dhcpv6-ldra]
  relay-agent   Enables support for the following DHCP and DHCPv6 options: option 82 and Lightweight DHCPv6 Relay Agent (LDRA) respectively. When enabled, this feature allows the DHCP/DHCPv6 relay agent to insert the relay agent information option (option 82, LDRA) in client requests forwarded to the DHCP/DHCPv6 server. This information provides the following:
    circuit ID suboption   Provides the SNMP port interface index
    remote ID              Provides the controller's MAC address
    dhcp-option82   Enables DHCP option 82. DHCP option 82 provides client physical attachment information. This option is disabled by default.
    dhcpv6-ldra     Enables the DHCPv6 relay agent. The LDRA feature allows DHCPv6 messages to be transmitted on existing networks that do not currently support IPv6 or DHCPv6. This option is disabled by default.

Example
  rfs4000-229D58(config-wlan-test)#relay-agent dhcp-option82
  rfs4000-229D58(config-wlan-test)#show context
  wlan test
   ssid test
   vlan 1
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   radio-resource-measurement
   relay-agent dhcp-option82
   controller-assisted-mobility
  rfs4000-229D58(config-wlan-test)#

  rfs6000-81701D(config-wlan-test)#relay-agent dhcpv6-ldra
  rfs6000-81701D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode tunnel
   encryption-type none
   authentication-type none
   relay-agent dhcpv6-ldra
  rfs6000-81701D(config-wlan-test)#
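As an added example (not from the guide or from WiNG), the Python below decodes the DHCP option 82 (relay agent information) TLV that the relay agent inserts, splitting it into the circuit ID (sub-option 1, which the guide says carries the SNMP port interface index) and the remote ID (sub-option 2, the controller's MAC address), so a DHCP server or log collector can check the attachment point a request claims. The sample option bytes are constructed, and the encodings assumed for the two sub-options (a 4-byte big-endian ifIndex and a 6-byte MAC) are labelled in the code.

```python
import struct
from typing import Dict, Optional

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_RELAY_AGENT_INFO = 82                  # RFC 3046 Relay Agent Information
SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID = 1, 2


def parse_dhcp_options(options: bytes) -> Dict[int, bytes]:
    """Walk the DHCP options field (magic cookie first) as code/len/value.

    PAD (0) has no length byte; END (255) stops the walk.  A truncated option
    or a missing END raises ValueError instead of being silently accepted.
    """
    if options[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out: Dict[int, bytes] = {}
    i = 4
    while i < len(options):
        code = options[i]
        if code == OPT_END:
            return out
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"option {code} has no length byte")
        length = options[i + 1]
        value = options[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} truncated")
        out[code] = value
        i += 2 + length
    raise ValueError("options not terminated by END")


def parse_relay_agent_info(value: bytes) -> Dict[int, bytes]:
    """Split option 82 into its sub-options (same TLV shape, no END marker)."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 1 >= len(value):
            raise ValueError("sub-option has no length byte")
        code, length = value[i], value[i + 1]
        data = value[i + 2 : i + 2 + length]
        if len(data) != length:
            raise ValueError(f"sub-option {code} truncated")
        subs[code] = data
        i += 2 + length
    return subs


def describe_attachment(options: bytes) -> Optional[Dict[str, object]]:
    """Return the relay-inserted attachment info, or None if option 82 is absent.

    Encodings assumed for this example: circuit ID = 4-byte big-endian SNMP
    ifIndex, remote ID = 6-byte MAC.  Other lengths are reported as raw hex.
    """
    opts = parse_dhcp_options(options)
    if OPT_RELAY_AGENT_INFO not in opts:
        return None
    subs = parse_relay_agent_info(opts[OPT_RELAY_AGENT_INFO])
    info: Dict[str, object] = {}
    cid = subs.get(SUBOPT_CIRCUIT_ID)
    if cid is not None:
        info["if_index"] = struct.unpack("!I", cid)[0] if len(cid) == 4 else cid.hex()
    rid = subs.get(SUBOPT_REMOTE_ID)
    if rid is not None:
        info["remote_mac"] = ":".join(f"{b:02x}" for b in rid) if len(rid) == 6 else rid.hex()
    return info


# Constructed sample: DHCP message type DISCOVER (option 53 = 1), then option 82
# carrying circuit ID ifIndex 1025 and remote ID 02:81:74:2d:00:01, then END.
SAMPLE_OPTIONS = (
    DHCP_MAGIC_COOKIE
    + bytes([53, 1, 1])
    + bytes([82, 14,
             1, 4, 0x00, 0x00, 0x04, 0x01,
             2, 6, 0x02, 0x81, 0x74, 0x2d, 0x00, 0x01])
    + bytes([255])
)

if __name__ == "__main__":
    print(describe_attachment(SAMPLE_OPTIONS))
```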
Related Commands
  no   Disables support for the DHCP/DHCPv6 relay agent information (option 82 and DHCPv6-LDRA) feature on this WLAN

4.1.97.2.40 shutdown
wlan-mode commands

Auto shuts down a WLAN.

The auto shutdown mechanism helps regulate the availability of a WLAN based on an administrator-defined access period. Use this feature to shut down a WLAN on specific days and hours and restrict periods when the WLAN traffic is either not desired or cannot be properly administered. The normal practice is to shut down WLANs when there are no users on the network, such as after hours, weekends or holidays. This allows administrators more time to manage mission-critical tasks, since the WLAN's availability is automated.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-link-loss|on-unadoption}

Parameters
  shutdown {on-critical-resource <CR-NAME>|on-meshpoint-loss|on-primary-port-link-loss|on-unadoption}
  shutdown   Auto shuts down the WLAN when specified events occur. Disabled by default.
    on-critical-resource <CR-NAME>   Optional. Auto shuts down the WLAN when a critical resource failure occurs. Disabled by default.
      <CR-NAME>   Specifies the name of the critical resource being monitored for this WLAN.
    on-meshpoint-loss           Optional. Auto shuts down the WLAN when the root meshpoint link fails (is unreachable). Disabled by default.
    on-primary-port-link-loss   Optional. Auto shuts down the WLAN when a device loses its primary Ethernet port (ge1/up1) link. Disabled by default.
    on-unadoption               Optional. Auto shuts down the WLAN when an adopted device becomes unadopted. Disabled by default.

Usage Guidelines
If the shutdown on-meshpoint-loss feature is enabled, the WLAN status changes only if the meshpoint and the WLAN are mapped to the same VLAN. If the meshpoint is mapped to VLAN 1 and the WLAN is mapped to VLAN 2, then the WLAN status does not change on loss of the meshpoint.

Example
  rfs6000-81742D(config-wlan-test)#shutdown on-unadoption
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode local
   encryption-type none
   authentication-type none
   protected-mgmt-frames mandatory
   radius vlan-assignment
   wing-extensions wmm-load-information
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   proxy-arp-mode strict
   broadcast-dhcp validate-offer
   shutdown on-unadoption
   http-analyze controller
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Disables auto shutdown of the WLAN. Use the optional keywords provided to disable auto shutdown of the WLAN upon critical resource failure, when meshpoint links fail, when the primary Ethernet port (ge1/up1) loses link, or when the WLAN gets unadopted.

4.1.97.2.41 ssid
wlan-mode commands

Configures a WLAN's SSID.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ssid <SSID>

Parameters
  ssid <SSID>
  <SSID>   Specify the WLAN's SSID. The WLAN SSID is case sensitive and alphanumeric. Its length should not exceed 32 characters.

Example
  rfs6000-81742D(config-wlan-test)#ssid testWLAN1
  rfs6000-81742D(config-wlan-test)#show context
  wlan test
   ssid testWLAN1
   bridging-mode local
   encryption-type none
   authentication-type none
   protected-mgmt-frames mandatory
   radius vlan-assignment
   wing-extensions wmm-load-information
   client-load-balancing probe-req-intvl 5ghz 5
   client-load-balancing band-discovery-intvl 2
   acl exceed-rate wireless-client-denied-traffic 20 disassociate
   proxy-arp-mode strict
   broadcast-dhcp validate-offer
   shutdown on-unadoption
   http-analyze controller
  rfs6000-81742D(config-wlan-test)#
Related Commands
  no   Removes the WLAN's SSID

4.1.97.2.42 t5-client-isolation
wlan-mode commands

Disallows clients connecting to the WLAN from communicating with one another. This setting applies exclusively to CPE devices managed by a T5 controller and is disabled by default.

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism, using the CPE's physical wallplate connection and phone jack.

NOTE: This setting is applicable only when this WLAN supports T5 controllers and their connected CPEs.

Supported in the following platforms:
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  t5-client-isolation

Parameters
  None

Example
  nx9500-6C8809(config-wlan-test)#t5-client-isolation
  nx9500-6C8809(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode local
   encryption-type none
   authentication-type none
   t5-client-isolation
  nx9500-6C8809(config-wlan-test)#
Related Commands
  no   Allows clients connecting to the WLAN to communicate with one another

4.1.97.2.43 t5-security
wlan-mode commands

Configures T5 PowerBroadband security settings.

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism, using the CPE's physical wallplate connection and phone jack.

NOTE: This setting is applicable only when this WLAN supports T5 controllers and their connected CPEs.

Supported in the following platforms:
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  t5-security [static-wep|wpa-enterprise|wpa-personal]
  t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase <STRING>]
  t5-security [wpa-enterprise|wpa-personal] encryption-type [ccmp|tkip|tkip-ccmp] version [mixed|wpa|wpa2]

Parameters
  t5-security static-wep encryption-type [wep128|wep64] [hex <STRING>|passphrase <STRING>]
  t5-security static-wep   Configures the T5 WLAN security type as static-wep
  encryption-type [wep128|wep64]   Applies one of the following encryption algorithms to the T5 support WLAN configuration: WEP64 or WEP128
  hex <STRING>   Configures the hex password (used to derive the security key)
    <STRING>   Specify the hex password (should be within the 10 - 26 character range).
  passphrase <STRING>   Configures the passphrase shared by both transmitting and receiving authenticators
    <STRING>   Specify the passphrase. It can be either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters. The alphanumeric string allows character spaces. This string is converted to a numeric value. Configuring a passphrase saves you the need to create a 256-bit key each time keys are generated.

  t5-security [wpa-enterprise|wpa-personal] encryption-type [ccmp|tkip|tkip-ccmp] version [mixed|wpa|wpa2]
  t5-security [wpa-enterprise|wpa-personal]   Configures the T5 WLAN security type as wpa-enterprise or wpa-personal
  The following parameters are common to the wpa-enterprise and wpa-personal keywords:
  encryption-type [ccmp|tkip|tkip-ccmp]   Applies one of the following encryption algorithms to the T5 support WLAN configuration: CCMP, TKIP, or TKIP-CCMP
  version [mixed|wpa|wpa2]   Applies one of the following encryption schemes to the T5 support WLAN configuration: WPA, WPA2, or mixed

Example
  nx9500-6C8809(config-wlan-test)#t5-security wpa-enterprise encryption-type ccmp version wpa
  nx9500-6C8809(config-wlan-test)#show context
  wlan test
   ssid test
   bridging-mode local
   encryption-type none
   authentication-type none
   t5-security wpa-enterprise encryption-type ccmp version wpa
   t5-client-isolation
  nx9500-6C8809(config-wlan-test)#
Related Commands
no  Removes the configured T5 PowerBroadband security settings

4.1.97.2.44 time-based-access
wlan-mode commands

Configures time-based client access to network resources. Administrators use this feature to restrict WLAN access for wireless clients to fixed days and times. Enforcement relies on the clock of the controller or access point, so keep the devices time-synchronised.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]

Parameters
time-based-access days [sunday|monday|tuesday|wednesday|thursday|friday|saturday|all|weekends|weekdays] {start <START-TIME>} [end <END-TIME>]

  days <option>
      Specifies the day or days on which clients can access the WLAN
      sunday     Allows access on Sundays only
      monday     Allows access on Mondays only
      tuesday    Allows access on Tuesdays only
      wednesday  Allows access on Wednesdays only
      thursday   Allows access on Thursdays only
      friday     Allows access on Fridays only
      saturday   Allows access on Saturdays only
      weekends   Allows access on weekends only
      weekdays   Allows access on weekdays only
      all        Allows access on all days
  start <START-TIME>
      Optional. Specifies the access start time in hours and minutes (HH:MM)
  end <END-TIME>
      Specifies the access end time in hours and minutes (HH:MM)

Example
rfs6000-81742D(config-wlan-test)#time-based-access days weekdays start 10:00 end 16:30
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
--More--
rfs6000-81742D(config-wlan-test)#
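The day keywords and HH:MM window above are easy to misread (weekdays versus weekends, an optional start), so the following is an added example, not code from the WiNG CLI reference, that parses a `time-based-access` line in the syntax shown and decides whether a client may be on the WLAN at a given moment. The boundary handling is an assumption: a missing start is taken as 00:00, both boundaries are inclusive to the minute, and windows that cross midnight are rejected because the guide gives no semantics for them.

```python
"""Model of WiNG `time-based-access` window evaluation (added example)."""
import re
from datetime import datetime, time

# Day keywords from the CLI syntax mapped to datetime.weekday() values
# (Monday = 0 ... Sunday = 6).
_DAY_SETS = {
    "monday": {0}, "tuesday": {1}, "wednesday": {2}, "thursday": {3},
    "friday": {4}, "saturday": {5}, "sunday": {6},
    "weekdays": {0, 1, 2, 3, 4},
    "weekends": {5, 6},
    "all": set(range(7)),
}

_LINE_RE = re.compile(
    r"^\s*time-based-access\s+days\s+(?P<days>\S+)"
    r"(?:\s+start\s+(?P<start>\d{1,2}:\d{2}))?"
    r"\s+end\s+(?P<end>\d{1,2}:\d{2})\s*$"
)


def _hhmm(text):
    hours, minutes = text.split(":")
    return time(int(hours), int(minutes))


def parse_time_based_access(line):
    """Return (allowed_weekdays, start, end) for one config line.

    Assumption: `start` is optional in the CLI syntax, and a missing start
    means the window opens at 00:00.
    """
    m = _LINE_RE.match(line)
    if not m:
        raise ValueError("not a time-based-access line: %r" % line)
    days = m.group("days").lower()
    if days not in _DAY_SETS:
        raise ValueError("unknown day keyword: %r" % days)
    start = _hhmm(m.group("start")) if m.group("start") else time(0, 0)
    end = _hhmm(m.group("end"))
    if end <= start:
        # Assumption: windows do not cross midnight; reject rather than guess.
        raise ValueError("end must be later than start")
    return _DAY_SETS[days], start, end


def access_allowed(line, when):
    """True if `when` (a datetime) falls inside the configured window.

    Assumption: both boundaries are inclusive to the minute.
    """
    days, start, end = parse_time_based_access(line)
    return when.weekday() in days and start <= when.time() <= end


def access_allowed_at(line, timestamp):
    """Convenience wrapper taking 'YYYY-MM-DD HH:MM' as a string."""
    return access_allowed(line, datetime.strptime(timestamp, "%Y-%m-%d %H:%M"))


# Constructed sample: the guide's own example line.
SAMPLE = "time-based-access days weekdays start 10:00 end 16:30"

if __name__ == "__main__":
    # 2024-03-06 is a Wednesday, 2024-03-09 a Saturday.
    for ts in ("2024-03-06 09:59", "2024-03-06 10:00",
               "2024-03-06 16:31", "2024-03-09 12:00"):
        print(ts, access_allowed_at(SAMPLE, ts))
```

Feeding the guide's example line through it shows that a weekday request at 09:59 is refused, 10:00 and 16:30 are accepted, 16:31 is refused, and a Saturday request is refused regardless of time.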
Related Commands
no  Removes the configured time-based-access settings

4.1.97.2.45 use
wlan-mode commands

Associates an existing policy with a WLAN: an AAA policy, application policy, association ACL policy, Bonjour gateway discovery policy, captive portal, IP, IPv6 or MAC access list, passpoint policy, roaming assist policy, URL filter, or WLAN QoS policy. The referenced policy must already exist and be configured.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [aaa-policy|application-policy|association-acl-policy|bonjour-gw-discovery-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|passpoint-policy|roaming-assist-policy|url-filter|wlan-qos-policy]
use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>
Parameters
use [aaa-policy <AAA-POLICY-NAME>|application-policy <POLICY-NAME>|association-acl-policy <ASSOCIATION-POLICY-NAME>|bonjour-gw-discovery-policy <POLICY-NAME>|captive-portal <CAPTIVE-PORTAL-NAME>|passpoint-policy <PASSPOINT-POLICY-NAME>|roaming-assist-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>|wlan-qos-policy <WLAN-QOS-POLICY-NAME>]

  aaa-policy <AAA-POLICY-NAME>
      Uses an existing AAA policy with the WLAN
      <AAA-POLICY-NAME>  Specify the AAA policy name.
  application-policy <POLICY-NAME>
      Uses an existing application policy with the WLAN. An application policy defines the actions performed on a packet when it matches a specified set of pre-defined applications or application categories. For more information, see application-policy.
      <POLICY-NAME>  Specify the policy name.
  association-acl-policy <ASSOCIATION-POLICY-NAME>
      Uses an existing association ACL policy with the WLAN
      <ASSOCIATION-POLICY-NAME>  Specify the association ACL policy name.
  bonjour-gw-discovery-policy <POLICY-NAME>
      Uses an existing Bonjour GW Discovery policy with the WLAN. When associated, the policy defines the list of services clients can discover across subnets. Bonjour enables zero-configuration discovery of services such as printers, scanners and file-sharing servers on a LAN. Bonjour only works within a single broadcast domain; with a special DNS configuration it can be extended to find services across broadcast domains.
      <POLICY-NAME>  Specify the Bonjour GW Discovery policy name (must already exist and be configured). For more information, see bonjour-gw-discovery-policy.
  captive-portal <CAPTIVE-PORTAL-NAME>
      Specifies the captive-portal policy to use when enforcing captive-portal authentication on this WLAN
      <CAPTIVE-PORTAL-NAME>  Specify the captive-portal policy name (must already exist and be configured).
  passpoint-policy <PASSPOINT-POLICY-NAME>
      Associates a passpoint policy (Hotspot 2.0 configuration) with this WLAN. Because the configuration is applied to the radio per BSS, only the Hotspot 2.0 configuration of the primary WLAN on a BSSID is used. Incoming Hotspot 2.0 GAS/ANQP requests from clients are identified by their destination MAC address and handled by the passpoint policy of the primary WLAN on that BSS. Define one passpoint policy for every WLAN configured.
      <PASSPOINT-POLICY-NAME>  Specify the Hotspot 2.0 policy name. For more information, see passpoint-policy.
  roaming-assist-policy <POLICY-NAME>
      Associates an existing roaming assist policy with this WLAN
      <POLICY-NAME>  Specify the roaming assist policy name. For more information, see roaming-assist-policy.
  url-filter <URL-FILTER-NAME>
      Associates an existing URL filter with this WLAN
      <URL-FILTER-NAME>  Specify the URL filter name. For more information on configuring a URL list, see url-list.
  wlan-qos-policy <WLAN-QOS-POLICY-NAME>
      Uses an existing WLAN QoS policy with the WLAN
      <WLAN-QOS-POLICY-NAME>  Specify the WLAN QoS policy name.
use ip-access-list [in|out] <IP-ACCESS-LIST-NAME>

  ip-access-list [in|out] <IP-ACCESS-LIST-NAME>
      Specifies the IP access list applied to incoming or outgoing packets
      in   Applies the IP ACL to incoming packets
      out  Applies the IP ACL to outgoing packets
      <IP-ACCESS-LIST-NAME>  Specify the IP access list name.

use ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>

  ipv6-access-list [in|out] <IPv6-ACCESS-LIST-NAME>
      Specifies the IPv6 access list applied to incoming or outgoing packets
      in   Applies the IPv6 ACL to incoming packets
      out  Applies the IPv6 ACL to outgoing packets
      <IPv6-ACCESS-LIST-NAME>  Specify the IPv6 access list name.

use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>

  mac-access-list [in|out] <MAC-ACCESS-LIST-NAME>
      Specifies the MAC access list applied to incoming or outgoing packets
      in   Applies the MAC ACL to incoming packets
      out  Applies the MAC ACL to outgoing packets
      <MAC-ACCESS-LIST-NAME>  Specify the MAC access list name.

Usage Guidelines
IP and MAC ACLs act as firewalls within a WLAN. WLANs use ACLs to filter or mark packets based on the WLAN from which they arrive, as opposed to filtering packets on layer 2 ports.

An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies a set of conditions (rules) and the action taken on a match: permit, deny, or mark. A packet that matches an ACE's conditions is therefore forwarded, dropped, or marked. The order of entries is critical, since evaluation stops at the first match; a broad permit placed above a narrower deny makes that deny unreachable.

IP ACLs contain deny and permit rules that match source and destination IP addresses; each rule has an assigned precedence. MAC ACLs filter layer 2 traffic using source and destination MAC addresses, with the same permit, deny, or mark result for WLAN packet traffic. IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.
Example
rfs6000-81742D(config-wlan-test)#use aaa-policy test
rfs6000-81742D(config-wlan-test)#use association-acl-policy test
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
 use association-acl-policy test
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
rfs6000-81742D(config-wlan-test)#

rfs6000-81742D(config-wlan-ipad_clients)#use bonjour-gw-discovery-policy generic
rfs6000-81742D(config-wlan-ipad_clients)#show context
wlan ipad_clients
 ssid ipad_clients
 vlan 41
 bridging-mode local
 encryption-type none
 authentication-type none
 use bonjour-gw-discovery-policy generic
rfs6000-81742D(config-wlan-ipad_clients)#
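The first-match rule in the usage guidelines is where WLAN ACLs most often go wrong. The following is an added example, not WiNG's own code: a small model of an ordered ACL whose entries carry a permit, deny or mark action and whose evaluation stops at the first matching entry, plus a check that reports entries an earlier, broader entry makes unreachable. The rule and packet formats (CIDR source and destination, optional protocol and destination port) and the implicit deny when nothing matches are simplifying assumptions; WiNG's actual ACE grammar is documented under ip-access-list, not here.

```python
"""First-match ACL evaluation as described for WLAN IP/MAC ACLs (added example)."""
from ipaddress import ip_address, ip_network


class Ace:
    """One Access Control Entry: match conditions plus an action."""

    def __init__(self, action, src, dst, proto=None, dport=None, mark=None):
        if action not in ("permit", "deny", "mark"):
            raise ValueError("action must be permit, deny or mark")
        self.action, self.mark = action, mark
        self.src, self.dst = ip_network(src), ip_network(dst)
        self.proto, self.dport = proto, dport

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in self.src
                and ip_address(pkt["dst"]) in self.dst
                and (self.proto is None or pkt.get("proto") == self.proto)
                and (self.dport is None or pkt.get("dport") == self.dport))


def evaluate(acl, pkt, default="deny"):
    """Return (action, index of the matching ACE or None).

    Evaluation stops at the first match. Assumption: an ACL with no
    matching entry denies (the usual implicit deny); the guide does not
    state WiNG's default here.
    """
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return default, None


def shadowed_entries(acl):
    """Indexes of ACEs that can never match because an earlier ACE with no
    extra conditions already covers their source and destination."""
    out = []
    for i, ace in enumerate(acl):
        for earlier in acl[:i]:
            if (earlier.proto is None and earlier.dport is None
                    and ace.src.subnet_of(earlier.src)
                    and ace.dst.subnet_of(earlier.dst)):
                out.append(i)
                break
    return out


# Constructed sample for a guest WLAN: keep clients away from the
# management network 10.0.0.0/24, mark DNS, allow everything else.
GUEST_OK = [
    Ace("deny", "0.0.0.0/0", "10.0.0.0/24"),                      # narrow deny first
    Ace("mark", "0.0.0.0/0", "0.0.0.0/0", proto="udp", dport=53, mark="dscp 0"),
    Ace("permit", "0.0.0.0/0", "0.0.0.0/0"),                      # broad permit last
]
# Same entries, misordered: the broad permit now hides the deny and the mark.
GUEST_BROKEN = [GUEST_OK[2], GUEST_OK[0], GUEST_OK[1]]

if __name__ == "__main__":
    pkt = {"src": "192.168.50.20", "dst": "10.0.0.5", "proto": "tcp", "dport": 22}
    print("ordered   :", evaluate(GUEST_OK, pkt))
    print("misordered:", evaluate(GUEST_BROKEN, pkt))
    print("shadowed in misordered ACL:", shadowed_entries(GUEST_BROKEN))
```

With the entries in the intended order an SSH attempt from a guest client to 10.0.0.5 hits the deny at index 0; with the permit moved to the top the same packet is permitted at index 0 and both remaining entries are reported as shadowed, which is exactly the misconfiguration the first-match rule produces.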
Related Commands
no  Removes the following policies associated with a WLAN: aaa-policy, application-policy, association-acl-policy, bonjour-gw-discovery-policy, captive-portal, ip-access-list, ipv6-access-list, mac-access-list, passpoint-policy, roaming-assist-policy, url-filter, or wlan-qos-policy.

4.1.97.2.46 vlan
wlan-mode commands

Sets the VLAN to which traffic from a WLAN is mapped

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters
vlan [<1-4094>|<VLAN-ALIAS-NAME>]

  <1-4094>
      Sets the WLAN's VLAN ID. This command starts a new VLAN assignment for the WLAN index; all prior VLAN settings are erased. Use this command to assign a single VLAN to the WLAN, which is a more typical deployment than a VLAN pool.
  <VLAN-ALIAS-NAME>
      Assigns a VLAN alias to the WLAN. The VLAN alias must already exist and be configured. A VLAN alias maps a name to a VLAN ID. When applied to ports (for example GE ports) in trunk mode, a VLAN alias denies or permits traffic on the port to and from the VLANs specified in the alias. For more information on aliases, see alias.

Example
rfs6000-81742D(config-wlan-test)#vlan 4
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan 4
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
 use association-acl-policy test
 acl exceed-rate wireless-client-denied-traffic 20 disassociate
 proxy-arp-mode strict
 broadcast-dhcp validate-offer
 shutdown on-unadoption
 http-analyze controller
rfs6000-81742D(config-wlan-test)#
Related Commands
no  Removes the WLAN's default VLAN mapping

4.1.97.2.47 vlan-pool-member
wlan-mode commands

Adds a member VLAN to a WLAN's VLAN pool. Use this option to define the VLANs available to this WLAN and, optionally, the number of wireless clients each VLAN supports.

NOTE: Configuring a VLAN pool overrides the 'vlan' configuration.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
vlan-pool-member <WORD> {limit <0-8192>}

Parameters
vlan-pool-member <WORD> {limit <0-8192>}

  vlan-pool-member <WORD>
      Adds a member VLAN to the WLAN's VLAN pool. Since users belonging to separate VLANs can share the same WLAN, it is not necessary to create a new WLAN for every VLAN in the network.
      <WORD>  Defines the VLANs available to this WLAN: a single VLAN ID, a list of VLAN IDs (for example, 1,3,7), or a range (for example, 1-10).
  limit <0-8192>
      Optional. Caps the number of clients placed on each VLAN; it has no practical effect when the client count stays well within the VLAN's DHCP pool.
      <0-8192>  Specifies the number of users allowed.

Example
rfs6000-81742D(config-wlan-test)#vlan-pool-member 1-10 limit 1
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
--More--
rfs6000-81742D(config-wlan-test)#
Related Commands
no  Removes the list of VLANs mapped to a WLAN

4.1.97.2.48 wep128
wlan-mode commands

Configures WEP128 parameters. WEP is cryptographically broken and is retained only for legacy clients; where any other option is available, configure WPA2 with CCMP instead.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wep128 [key|keys-from-passkey|transmit-key]
wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
wep128 keys-from-passkey <WORD>
wep128 transmit-key <1-4>

Parameters
wep128 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]

  wep128
      Configures WEP128 parameters: key, keys-from-passkey, and transmit-key
  key <1-4>
      Configures pre-shared keys
      <1-4>  Selects the key index, from 1 - 4 (a maximum of four keys).
  ascii [0 <WORD>|2 <WORD>|<WORD>]
      Sets the key as ASCII characters (13 characters for WEP128)
      0 <WORD>  Configures a clear text key
      2 <WORD>  Configures an encrypted key
      <WORD>    The key: 13 ASCII characters, converted to hex
  hex [0 <WORD>|2 <WORD>|<WORD>]
      Sets the key as hexadecimal characters (26 characters for WEP128)
      0 <WORD>  Configures a clear text key
      2 <WORD>  Configures an encrypted key
      <WORD>    The key: 26 hexadecimal characters

wep128 keys-from-passkey <WORD>

  keys-from-passkey <WORD>
      Specifies a passphrase from which the four keys are derived
      <WORD>  Specify a passphrase from 4 - 32 characters.

wep128 transmit-key <1-4>

  transmit-key <1-4>
      Configures the key index used for transmission from an AP to a wireless client or service platform
      <1-4>  Specify a key index from 1 - 4.

Example
rfs6000-81742D(config-wlan-test)#wep128 keys-from-passkey example@123
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
 wep128 key 2 hex 0 2b3fb36924b22dffe98c86c315
 wep128 key 3 hex 0 1ebf3394431700194762ebd5b2
 wep128 key 4 hex 0 e3de75be311bd787aeac5e4e8b
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
--More--
rfs6000-81742D(config-wlan-test)#

Keys derived from a passkey are stored in the clear-text (0) form and, as the output above shows, are printed in full by show context, so anyone who can read the running configuration can read the keys.
Related Commands
no  Resets the WEP128 PSK and transmission keys to factory-default values

4.1.97.2.49 wep64
wlan-mode commands

Configures WEP64 parameters. As with WEP128, WEP is cryptographically broken and should be configured only for legacy clients that support nothing better.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wep64 [key|keys-from-passkey|transmit-key]
wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]
wep64 keys-from-passkey <WORD>
wep64 transmit-key <1-4>

Parameters
wep64 key <1-4> [ascii|hex] [0 <WORD>|2 <WORD>|<WORD>]

  wep64
      Configures WEP64 parameters: key, keys-from-passkey, and transmit-key
  key <1-4>
      Configures pre-shared keys
      <1-4>  Selects the key index, from 1 - 4 (a maximum of four keys).
  ascii [0 <WORD>|2 <WORD>|<WORD>]
      Sets the key as ASCII characters (5 characters for WEP64, 13 for WEP128)
      0 <WORD>  Configures a clear text key
      2 <WORD>  Configures an encrypted key
      <WORD>    The key: 5 ASCII characters for WEP64 (13 for WEP128), converted to hex
  hex [0 <WORD>|2 <WORD>|<WORD>]
      Sets the key as hexadecimal characters (10 characters for WEP64, 26 for WEP128)
      0 <WORD>  Configures a clear text key
      2 <WORD>  Configures an encrypted key
      <WORD>    The key: 10 hex characters for WEP64 (26 for WEP128)

wep64 keys-from-passkey <WORD>

  keys-from-passkey <WORD>
      Specifies a passphrase from which the four keys are derived
      <WORD>  Specify a passphrase from 4 - 32 characters.

wep64 transmit-key <1-4>

  transmit-key <1-4>
      Configures the key index used for transmission from an AP to a wireless client or service platform
      <1-4>  Specify a key index from 1 - 4.

Example
rfs6000-81742D(config-wlan-test)#wep64 key 1 ascii test1
rfs6000-81742D(config-wlan-test)#wep64 transmit-key 1
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 wep64 key 1 hex 0 7465737431
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
 client-load-balancing band-discovery-intvl 2
 use aaa-policy test
--More--
rfs6000-81742D(config-wlan-test)#

The ASCII key test1 is stored as its hex encoding 7465737431, still in the clear-text (0) form, so it is as readable in show context as the WEP128 keys in the previous section.
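The show context output in the wep128 and wep64 sections, together with the t5-security entry earlier in this chapter, shows everything an auditor needs to spot a WLAN that is still running legacy security. The following is an added example, not code from the WiNG CLI reference: it walks a `wlan <name>` block in the one-statement-per-line form show context prints and reports the settings this chapter documents as legacy or weak (open encryption, wep64/wep128 keys, TKIP, a T5 WLAN pinned to version wpa, WEP keys kept in the clear-text 0 form, and protected-mgmt-frames not set to mandatory). The sample block, the finding texts and the severities are this example's own; the guide assigns none.

```python
"""Weak-security audit of a WiNG `show context` WLAN block (added example)."""
import re

# Constructed sample modelled on the guide's WLAN `test` after the wep64 and
# wep128 examples, plus the t5-security line from the t5-security example.
SAMPLE_CONTEXT = """\
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 protected-mgmt-frames mandatory
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
 t5-security wpa-enterprise encryption-type ccmp version wpa
 radius vlan-assignment
--More--
"""

_WEP_KEY_RE = re.compile(r"(wep64|wep128) key (\d) (ascii|hex) (?:(0|2) )?(\S+)$")


def parse_wlans(text):
    """Return {wlan_name: [statement, ...]} from show-context output.

    Statements inside a `wlan` block are indented by one space; the pager's
    --More-- marker is skipped.
    """
    wlans, current = {}, None
    for raw in text.splitlines():
        if raw.startswith("wlan "):
            current = raw.split(None, 1)[1].strip()
            wlans[current] = []
        elif raw.strip() == "--More--":
            continue
        elif current is not None and raw.startswith(" "):
            wlans[current].append(raw.strip())
        else:
            current = None  # left the wlan block
    return wlans


def audit_wlan(statements):
    """Return a list of (severity, finding) tuples for one WLAN."""
    findings = []
    for s in statements:
        if s == "encryption-type none":
            findings.append(("high", "encryption-type none: traffic is unencrypted"))
        elif s.startswith("encryption-type") and "tkip" in s:
            findings.append(("medium", "%s: TKIP is deprecated, use ccmp" % s))
        m = _WEP_KEY_RE.match(s)
        if m:
            kind, idx, form = m.group(1), m.group(2), m.group(4) or "0"
            findings.append(("high", "%s key %s: WEP is broken, migrate to WPA2/CCMP" % (kind, idx)))
            if form == "0":
                findings.append(("medium", "%s key %s stored clear-text (form 0), readable in show context" % (kind, idx)))
        if s.startswith("t5-security static-wep"):
            findings.append(("high", "t5-security static-wep: WEP on T5 CPEs"))
        if s.startswith("t5-security") and s.endswith("version wpa"):
            findings.append(("medium", "t5-security version wpa: prefer version wpa2"))
        if s.startswith("t5-security") and "encryption-type tkip" in s:
            findings.append(("medium", "t5-security uses TKIP: prefer ccmp"))
    if "protected-mgmt-frames mandatory" not in statements:
        findings.append(("low", "protected-mgmt-frames not mandatory"))
    return findings


def audit(text):
    """Audit every WLAN block in a show-context capture."""
    return {name: audit_wlan(stmts) for name, stmts in parse_wlans(text).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONTEXT).items():
        print("wlan", name)
        for severity, message in findings:
            print("  [%s] %s" % (severity, message))
```

Run against the sample it reports the open encryption type, one high and one medium finding per WEP key, and the T5 WLAN's version wpa; a block with encryption-type ccmp and no WEP lines yields only the low finding about management frame protection, which is the baseline an audited WLAN should reach.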
Related Commands
no  Resets the WEP64 PSK and transmission keys to factory-default values

4.1.97.2.50 wing-extensions
wlan-mode commands

Enables support for WiNG-specific client extensions to the IEEE 802.11 WLAN standards that can increase client roaming reliability and handshake speed

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wing-extensions [ap-attributes-information {include-hostname}|coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}|ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|smart-scan|wing-load-information|wmm-load-information]

Parameters
wing-extensions [ap-attributes-information {include-hostname}|coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}|ft-over-ds-aggregate|move-command|scan-assist {channel-info-interval <6-9>}|smart-scan|wing-load-information|wmm-load-information]

  wing-extensions
      Enables support for inclusion of WiNG-specific client extensions in radio transmissions
  ap-attributes-information {include-hostname}
      Enables support for the AP attributes information element (IE). The AP attributes IE is vendor-specific and, when enabled, is added to beacons and probe responses. Inclusion of the AP attributes IE allows Extreme Networks terminals to:
      - Recognize Extreme APs
      - Determine whether the AP supports PAN BU features, irrespective of whether these features are enabled
      The AP attributes IE is not added to beacons and probe responses by default.
      include-hostname  Optional. When enabled, includes the AP's hostname, as a sub-element, in the AP attributes IE. Beacons and probe responses are unauthenticated and readable by any listener, so an included hostname is effectively public.
  coverage-hole-detection {11k-clients|offset <5-20>|threshold <-80--60>}
      Enables coverage hole detection (CHD) and configures CHD parameters. When enabled, allows clients (MUs) to inform an access point when they experience a coverage hole. A coverage hole is an area of poor wireless coverage not supported by a WiNG managed access point radio. Enable radio resource measurement before enabling CHD; see radio-resource-measurement. CHD is disabled by default. After enabling CHD, optionally configure the following parameters:
      11k-clients  Optional. Provides coverage hole detection to 802.11k-only-capable clients. This is a reduced set of coverage hole detection capabilities (standard 11k messages and behaviors). This option is disabled by default.
      offset <5-20>  Optional. Configures the offset added to the threshold to obtain the access point's signal strength (as seen by the client) considered adequate.
          <5-20>  Specify the offset value from 5 - 20. The default is 5.
      threshold <-80--60>  Optional. Configures the access point's signal strength threshold. When radio resource measurement and coverage hole detection are enabled, this is the AP signal strength (as seen by the client) below which the client reports a coverage hole incident.
          <-80--60>  Specify the threshold from -80 - -60 dBm. The default is -70 dBm.
  ft-over-ds-aggregate
      Enables fast-transition (FT) aggregation of action frames. When enabled, increases roaming speed by eliminating separate key exchange handshake frames with potential roam candidates: the client completes an initial FT over distribution system (DS) handshake with multiple roam candidates (up to 6) at once, instead of sending a separate FT over DS handshake to each. Fast transition must be enabled. This option is disabled by default.
  move-command
      Enables use of Hyper Fast Secure Roaming (HFSR) for clients on this WLAN. This feature applies only to certain client devices. This option is disabled by default.
  scan-assist {channel-info-interval <6-9>}
      Enables support for scanning assist. When enabled, allows faster roams on Dynamic Frequency Selection (DFS) channels by eliminating passive scans; clients get channel information directly from possible roam candidates. This option is disabled by default.
      channel-info-interval <6-9>  Optional. Configures the interval at which channel information is periodically retrieved from potential roam candidates without requesting scan assist.
          <6-9>  Specify the interval from 6 - 9 seconds. When enabled, the default is 8 seconds.
  smart-scan
      Enables a smart scan that refines a client's channel scans to just a few channels as opposed to all available channels. This option is disabled by default.
  wing-load-information
      Enables support for the WiNG load information element (Element ID 173) with legacy Symbol Technologies clients, making them optimally interoperable with the latest Extreme Networks access points. This option is enabled by default.
  wmm-load-information
      Enables support for the WiNG Wi-Fi MultiMedia (WMM) load information element in radio transmissions with legacy clients. This option is disabled by default.

Example
rfs6000-81742D(config-wlan-test)#wing-extensions wmm-load-information
rfs6000-81742D(config-wlan-test)#show context
wlan test
 description TestWLAN
 ssid test
 bridging-mode local
 encryption-type tkip-ccmp
 authentication-type eap
 kerberos server timeout 12
 kerberos server primary host 172.16.10.2
 accounting syslog host 172.16.10.4 port 2
 data-rates 2.4GHz gn
 wing-extensions wmm-load-information
 client-load-balancing probe-req-intvl 5ghz 5
--More--
rfs6000-81742D(config-wlan-test)#
Related Commands
no  Disables support for WiNG-specific client extensions to the IEEE 802.11 WLAN standards. Use the keywords provided to disable a specific wing-extension.

4.1.97.2.51 wireless-client
wlan-mode commands

Configures wireless client parameters for the WLAN: per-radio client limits, credential and VLAN cache ageout, hold and inactivity timeouts, firewall session limits, periodic reauthentication, the transmit power indicated to clients, and when roam notifications are sent

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
wireless-client [count-per-radio|cred-cache-ageout|hold-time|inactivity-timeout|max-firewall-sessions|reauthentication|roam-notification|t5-inactivity-timeout|tx-power|vlan-cache-ageout]
wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|vlan-cache-ageout <60-86400>]
wireless-client roam-notification [after-association|after-data-ready|auto]

Parameters
wireless-client [count-per-radio <0-256>|cred-cache-ageout <60-86400>|hold-time <1-86400>|inactivity-timeout <60-86400>|max-firewall-sessions <10-10000>|reauthentication <30-86400>|t5-inactivity-timeout <60-86400>|tx-power <0-20>|vlan-cache-ageout <60-86400>]

  count-per-radio <0-256>
      Configures the maximum number of clients allowed on this WLAN per radio
      <0-256>  Specify a value from 0 - 256.
  cred-cache-ageout <60-86400>
      Configures the timeout period for which client credentials are cached across associations
      <60-86400>  Specify a value from 60 - 86400 seconds.
  hold-time <1-86400>
      Configures the time period for which wireless client state information is cached after roaming
      <1-86400>  Specify a value from 1 - 86400 seconds.
  inactivity-timeout <60-86400>
      Configures an inactivity timeout period in seconds. If no frame is received from a wireless client for this period, the client is disassociated.
      <60-86400>  Specify a value from 60 - 86400 seconds.
  max-firewall-sessions <10-10000>
      Configures the maximum number of firewall sessions allowed per client on the WLAN
      <10-10000>  Specify the maximum number of firewall sessions allowed, from 10 - 10000.
  reauthentication <30-86400>
      Configures periodic reauthentication of associated clients
      <30-86400>  Specify the client reauthentication interval from 30 - 86400 seconds.
  t5-inactivity-timeout <60-86400>
      Configures an inactivity timeout, in seconds, for T5 devices. When configured, a T5 device is disassociated if the time elapsed since the last frame received from it exceeds this value.
      <60-86400>  Specify a value from 60 - 86400 seconds. The default is 60 seconds.
  tx-power <0-20>
      Configures the transmit power indicated to clients
      <0-20>  Specify a value from 0 - 20 dBm.
  vlan-cache-ageout <60-86400>
      Configures the timeout period for which client VLAN information is cached across associations
      <60-86400>  Specify a value from 60 - 86400 seconds.

wireless-client roam-notification [after-association|after-data-ready|auto]

  roam-notification
      Configures when a roam notification is transmitted
      after-association  Transmits a roam notification after a client has associated
      after-data-ready   Transmits a roam notification after a client is data-ready (after completion of authentication, handshakes, etc.)
      auto               Transmits a roam notification upon client association if the client is known to have authenticated to the network

Example
rfs6000-81742D(config-wlan-test)#wireless-client cred-cache-ageout 65
rfs6000-81742D(config-wlan-test)#wireless-client hold-time 200
rfs6000-81742D(config-wlan-test)#wireless-client max-firewall-sessions 100
rfs6000-81742D(config-wlan-test)#wireless-client reauthentication 35
rfs6000-81742D(config-wlan-test)#wireless-client tx-power 12
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client hold-time 200
 wireless-client cred-cache-ageout 65
 wireless-client max-firewall-sessions 100
 protected-mgmt-frames mandatory
 wireless-client reauthentication 35
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
 wep128 key 2 hex 0 2b3fb36924b22dffe98c86c315
 wep128 key 3 hex 0 1ebf3394431700194762ebd5b2
 wep128 key 4 hex 0 e3de75be311bd787aeac5e4e8b
 radius vlan-assignment
 time-based-access days weekdays start 10:00 end 16:30
 wing-extensions wmm-load-information
 wireless-client tx-power 12
 client-load-balancing probe-req-intvl 5ghz 5
--More--
rfs6000-81742D(config-wlan-test)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 4 - 540 GLOBAL CONFIGURATION COMMANDS

Related Commands
no  Removes or reverts to default configured wireless client related parameters

4.1.97.2.52 wpa-wpa2
wlan-mode commands
Modifies TKIP-CCMP (WPA/WPA2) related parameters
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
wpa-wpa2 [exclude-wpa2-tkip|handshake|key-rotation|opp-pmk-caching|pmk-caching|
preauthentication|server-only-authentication|psk|tkip-countermeasures|
use-sha256-akm]
wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|
server-only-authentication|use-sha256-akm]
wpa-wpa2 handshake [attempts|init-wait|priority|timeout]
wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority [high|normal]|
timeout <10-5000> {10-5000}]
wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]
wpa-wpa2 tkip-countermeasures holdtime <0-65535>
Parameters
wpa-wpa2 [exclude-wpa2-tkip|opp-pmk-caching|pmk-caching|preauthentication|
server-only-authentication|use-sha256-akm]
wpa-wpa2                    Modifies TKIP-CCMP (WPA/WPA2) related parameters
exclude-wpa2-tkip           Excludes the Wi-Fi Protected Access II (WPA2) version of TKIP. It supports the WPA version of TKIP only. This option is disabled by default.
opp-pmk-caching             Uses opportunistic key caching (the same Pairwise Master Key (PMK) across APs, for fast roaming with EAP/802.1X). This option is enabled by default.
pmk-caching                 Uses cached pairwise master keys (fast roaming with EAP/802.1X). This option is enabled by default.
preauthentication           Uses pre-authentication mode (WPA2 fast roaming)
server-only-authentication  Uses the online sign-up server-only-authenticated encryption network (OSEN). This option is disabled by default.
use-sha256-akm              Uses the SHA-256 authentication and key management (AKM) suite. This option is disabled by default.

wpa-wpa2 handshake [attempts <1-5>|init-wait <5-1000000>|priority
[high|normal]|timeout <10-5000> {10-5000}]
wpa-wpa2                    Modifies TKIP-CCMP (WPA/WPA2) related parameters
handshake                   Configures WPA/WPA2 handshake parameters
attempts <1-5>              Configures the total number of times a message is transmitted towards a non-responsive client
                            <1-5> Specify a value from 1 - 5. The default is 2.
init-wait <5-1000000>       Configures a minimum wait-time period, in microseconds, before the first handshake message is transmitted from the AP. This option is disabled by default.
                            <5-1000000> Specify a value from 5 - 1000000 microseconds.
priority [high|normal]      Configures the relative priority of handshake messages compared to other data traffic
                            high    Treats handshake messages as high priority packets on a radio. This is the default setting.
                            normal  Treats handshake messages as normal priority packets on a radio
timeout <10-5000> {10-5000} Configures the timeout period, in milliseconds, for a handshake message to retire. Once this period is exceeded, the handshake message is retired.
                            <10-5000> Specify a value from 10 - 5000 milliseconds. The default is 500 milliseconds.
                            {10-5000} Optional. Configures a different timeout between the second and third attempts
wpa-wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa-wpa2                    Modifies TKIP-CCMP (WPA/WPA2) related parameters
key-rotation                Configures parameters related to periodic rotation of encryption keys. The periodic key rotation parameters are broadcast, multicast, and unicast traffic.
broadcast <30-86400>        Configures the periodic rotation of keys used for broadcast and multicast traffic. This parameter specifies the interval, in seconds, at which keys are rotated. This option is disabled by default.
                            <30-86400> Specify a value from 30 - 86400 seconds.
unicast <30-86400>          Configures a periodic interval for the rotation of keys used for unicast traffic. This option is disabled by default.
                            <30-86400> Specify a value from 30 - 86400 seconds.

wpa-wpa2 psk [0 <LINE>|2 <LINE>|<LINE>]
wpa-wpa2                    Modifies TKIP-CCMP (WPA/WPA2) related parameters
psk                         Configures a pre-shared key. The key options are: 0, 2, and LINE
0 <LINE>                    Configures a clear text key
2 <LINE>                    Configures an encrypted key
<LINE>                      Enter the pre-shared key either as a passphrase of 8 - 63 characters, or as a 64 character (256-bit) hexadecimal value

wpa-wpa2 tkip-countermeasures holdtime <0-65535>
wpa-wpa2                    Modifies TKIP-CCMP (WPA/WPA2) parameters
tkip-countermeasures        Configures a hold time period for implementation of TKIP countermeasures
holdtime <0-65535>          Configures the amount of time a WLAN is disabled when TKIP countermeasures are invoked
                            <0-65535> Specify a value from 0 - 65535 seconds. The default is 60 seconds.

Example
rfs6000-81742D(config-wlan-test)#wpa-wpa2 tkip-countermeasures hold-time 2
rfs6000-81742D(config-wlan-test)#show context
wlan test
 ssid testWLAN1
 vlan-pool-member 1 limit 1
 vlan-pool-member 2 limit 1
 vlan-pool-member 3 limit 1
 vlan-pool-member 4 limit 1
 vlan-pool-member 5 limit 1
 vlan-pool-member 6 limit 1
 vlan-pool-member 7 limit 1
 vlan-pool-member 8 limit 1
 vlan-pool-member 9 limit 1
 vlan-pool-member 10 limit 1
 bridging-mode local
 encryption-type none
 authentication-type none
 wireless-client hold-time 200
 wireless-client cred-cache-ageout 65
 wireless-client max-firewall-sessions 100
 protected-mgmt-frames mandatory
 wireless-client reauthentication 35
 wpa-wpa2 tkip-countermeasures hold-time 2
 wep64 key 1 hex 0 7465737431
 wep128 key 1 hex 0 25f6e7ed9718918a87a75acc75
--More--
rfs6000-81742D(config-wlan-test)#
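The <LINE> argument of wpa-wpa2 psk is either a human-readable passphrase or the 256-bit key itself, and the two are not interchangeable in the way the table might suggest. The Python below is an added example, not code from this guide or from WiNG: it applies the IEEE 802.11i derivation (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes) to a passphrase, uses a 64-hex-digit value as the Pairwise Master Key (PMK) directly, and enforces the 8 - 63 character / 64 hex digit rule the CLI states. The SSID and key values are constructed; the pair "password"/"IEEE" is the published 802.11i Annex H test vector.

```python
# Added example: how the <LINE> argument of "wpa-wpa2 psk" becomes the 256-bit
# Pairwise Master Key (PMK).  Not from the WiNG CLI Reference Guide or from
# WiNG; it follows IEEE 802.11i (PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds).
import hashlib
import re

HEX64 = re.compile(r"^[0-9a-fA-F]{64}$")


def validate_psk_line(line: str) -> str:
    """Return 'hex' or 'passphrase' for an acceptable <LINE>, else raise ValueError.

    Mirrors the two forms the CLI accepts: an 8 - 63 character passphrase or a
    64 character (256-bit) hexadecimal value.
    """
    if HEX64.match(line):
        return "hex"
    if 8 <= len(line) <= 63 and all(32 <= ord(c) <= 126 for c in line):
        return "passphrase"
    raise ValueError("PSK must be an 8-63 character passphrase or 64 hex digits")


def derive_pmk(line: str, ssid: str) -> bytes:
    """Return the 32-byte PMK the AP and client will share on WLAN `ssid`.

    A hex <LINE> is the PMK itself; a passphrase is expanded with
    PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), so the same
    passphrase yields a different PMK on every SSID.
    """
    if validate_psk_line(line) == "hex":
        return bytes.fromhex(line)
    return hashlib.pbkdf2_hmac("sha1", line.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_as_hex_line(line: str, ssid: str) -> str:
    """The 64-hex <LINE> equivalent to `line` on `ssid`.

    Useful when a configuration must not carry the human-readable passphrase:
    "wpa-wpa2 psk 0 <hex>" produces the same PMK without revealing the
    passphrase.  The hex value is still the PMK, so the configuration (and any
    backup of it) must be treated as a secret.
    """
    return derive_pmk(line, ssid).hex()


if __name__ == "__main__":
    # Constructed inputs; this pair is the IEEE 802.11i Annex H test vector.
    print(derive_pmk("password", "IEEE").hex())
    print(psk_as_hex_line("password", "IEEE"))
```

Two practical consequences follow from the derivation. First, the 0 (clear text) form leaves whatever was typed visible in show context, and a 64-hex value is no safer there than a passphrase, because it is the PMK. Second, PBKDF2 with 4096 rounds is what an offline dictionary attack against a captured 4-way handshake has to grind through per guess, which is cheap on modern hardware; passphrase length and randomness, not the key format, decide whether a PSK WLAN resists that attack.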
Related Commands
no  Removes or reverts to default TKIP-CCMP (WPA/WPA2) related parameters

4.1.97.2.53 service
wlan-mode commands
Invokes service commands applicable in the WLAN configuration mode
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
service [allow-ht-only|allow-open-passpoint|client-load-balancing|cred-cache|
eap-mac-mode|eap-mac-multicopy|eap-mac-multikeys|eap-throttle|
enforce-pmkid-validation|key-index|monitor|radio-crypto|reauthentication|
session-timeout|tx-deauth-on-roam-detection|unresponsive-client|wpa-wpa2|show]
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|
clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-
validation|radio-crypto|reauthentication seamless|session-timeout mac|
tx-deauth-on-roam-detection|show cli]
service eap-mac-mode [mac-always|normal]
service eap-throttle <0-254>
service key-index eap-wep-unicast <1-4>
service monitor [aaa-server|adoption|captive-portal|dhcp|dns]
service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|
timeout <1-60>]
service wpa-wpa2 exclude-ccmp
Parameters
service [allow-ht-only|allow-open-passpoint|cred-cache [clear-on-4way-timeout|
clear-on-disconnect]|eap-mac-multicopy|eap-mac-multikeys|enforce-pmkid-
validation|radio-crypto|reauthentication seamless|session-timeout mac|tx-deauth-
on-roam-detection|show cli]
allow-ht-only               Only allows clients capable of High Throughput (802.11n) data rates to associate. This option is disabled by default.
allow-open-passpoint        Enables non-WPA2 security for passpoint WLANs. This option is disabled by default.
                            For more information on passpoint policy and configuration, see PASSPOINT POLICY.
cred-cache [clear-on-4way-timeout|clear-on-disconnect]
                            Clears the credential cache based on the parameter passed
                            clear-on-4way-timeout  Clears cached client credentials after the 4-way handshake with a client has timed out. This option is enabled by default.
                            clear-on-disconnect    Clears cached client credentials after the client has disconnected from the network. This option is disabled by default.
eap-mac-multicopy           Enables sending of multiple copies of broadcast and unicast messages. This option is disabled by default.
eap-mac-multikeys           Enables configuration of different key indices for MAC authentication. This option is disabled by default.
enforce-pmkid-validation    Validates the pairwise master key identifier (PMKID) contained in a client's association request against the one present in the wpa-wpa2 handshake. This option is enabled by default.
                            This functionality is based on the Proactive Key Caching (PKC) extension of the IEEE 802.11i standard. Whenever a wireless client successfully authenticates with an AP it receives a pairwise master key (PMK). PKC allows clients to cache this PMK and reuse it for future re-authentications with the same AP. The PMK is unique for every client and is identified by the PMKID. The PMKID is a keyed hash of the PMK over a fixed string, the AP's MAC address and the station's MAC address.
radio-crypto                Uses radio hardware for encryption and decryption. This is applicable only for devices using Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption mode. This option is enabled by default.
reauthentication seamless   Enables seamless EAP client reauthentication without disconnecting the client after the session has timed out. This option is enabled by default.
session-timeout mac         Enables reauthentication of MAC authenticated clients without disconnecting the client after the session has timed out. This option is enabled by default.
tx-deauth-on-roam-detection Transmits a deauthentication on the air while disassociating a client because its roam is detected on the wired side. This option is disabled by default.
show cli                    Displays the CLI tree of the current mode. When used in the WLAN mode, this command displays the WLAN CLI structure.

service eap-mac-mode [mac-always|normal]
eap-mac-mode                Configures the EAP and/or MAC authentication mode used with this WLAN. This option is enabled by default.
mac-always                  Enables both EAP and MAC authentication. MAC authentication is performed first, followed by EAP authentication. Clients are granted access based on the EAP authentication result. If a client does not have EAP, the MAC authentication result is used to grant access.
normal                      Grants client access if the client clears either EAP or MAC authentication. This is the default setting.

service eap-throttle <0-254>
eap-throttle <0-254>        Enables EAP request throttling. Use this command to specify the maximum number of parallel EAP sessions allowed on this WLAN. Once this specified value is exceeded, all incoming EAP session requests are throttled. This option is enabled by default.
                            <0-254> Specify a value from 0 - 254. The default value is 0.

service key-index eap-wep-unicast <1-4>
key-index eap-wep-unicast <1-4>
                            Configures an index with each key during EAP authentication with WEP. This option is enabled by default.
                            <1-4> Select an index from 1 - 4. The default value is 1.

service wpa-wpa2 exclude-ccmp
wpa-wpa2 exclude-ccmp       Configures exclusion of CCMP requests when the authentication mode is set to tkip-ccmp. When enabled, it provides compatibility for client devices not compliant with tkip-ccmp. This option is disabled by default.

service monitor [aaa-server|adoption vlan <1-4094>|captive-portal external-server]
monitor                     Enables critical resource monitoring. In a WLAN, service monitoring enables regular monitoring of external AAA servers, captive portal servers, access point adoption, DHCP and DNS servers. When enabled, it allows administrators to notify users of a service's availability and make resource substitutions in case of unavailability of a service.
aaa-server                  Enables external AAA server failure monitoring. When enabled, monitors an external RADIUS server resource's AAA activity and ensures its adoption and availability. This feature is disabled by default.
adoption vlan <1-4094>      Enables adoption failure monitoring on an adopted AP. Also configures an adoption failover VLAN. This feature is disabled by default.
                            vlan <1-4094> Specify the VLAN on which clients are placed when the connectivity between the AAP and the controller is lost. Configure a DHCP pool and gateway for the failover VLAN. Ensure the DHCP server is running on the AP. Also ensure that the DHCP pool is configured with a short lease time.
                            When this feature is enabled on a WLAN, it allows adopted APs to monitor their connectivity with the controller. If and when this connectivity is lost, all new clients are placed in the configured adoption failover VLAN. They are served an IP by the DHCP server running on the AP. In this situation, if a client tries to access a Web URL, the AP redirects the client to a page stating that the service is down. When the AAP's link to the switch is restored, clients are placed back in the WLAN's configured VLAN, and are served an IP from the corresponding configured DHCP server (external or on the AP/controller).
captive-portal external-server
                            Enables external captive portal server failure monitoring. When enabled, monitors externally hosted captive portal activity, and user access to the controller or service platform managed network. This feature is disabled by default.
                            When enabled, this feature enables APs to display the no-service page to an externally located captive portal's user when the captive portal's server is not reachable.

service monitor [dhcp|dns] crm <RESOURCE-NAME> vlan <1-4094>
monitor                     Enables DHCP and/or DNS server monitoring on this WLAN.
dhcp                        Enables monitoring of a specified DHCP server. When the connection to the DHCP server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default. Use the crm keyword to specify the DHCP server to monitor.
dns                         Enables monitoring of a specified DNS server. When the connection to the DNS server is lost, captive portal users automatically migrate to a pre-defined VLAN. The feature is disabled by default. Use the crm keyword to specify the DNS server to monitor.
crm <RESOURCE-NAME>         This keyword is common to the dhcp and dns parameters. Identifies the DHCP and/or DNS server to monitor.
                            <RESOURCE-NAME> Specify the name of the DHCP or DNS server. Once enabled, the CRM server monitors the DHCP/DNS server and updates its status as up or down depending on the availability of the resource. When either of these resources is down, the wireless client is mapped to the failover VLAN and served the no-service page through the access point.
vlan <1-4094>               This keyword is common to the dhcp and dns parameters. After specifying the DHCP/DNS server resource, specify the failover VLAN.
                            <1-4094> Configures the failover VLAN from 1 - 4094. When the DHCP server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DHCP server configured that provides a pool of IP addresses with a lease time less than the main DHCP server. When the DNS server resource becomes unavailable, the device falls back to the VLAN defined here. This VLAN has a DNS server configured that provides DNS address resolution until the main DNS server becomes available.

service unresponsive-client [attempts <1-1000>|ps-detect {threshold <1-1000>}|
timeout <1-60>]
unresponsive-client         Configures handling of unresponsive clients
attempts <1-1000>           Configures the maximum number of successive packets that failed transmission
                            <1-1000> Specify a value from 1 - 1000. The default is 7.
ps-detect {threshold <1-1000>}
                            Enables the detection of power-save mode clients whose PS state has not been updated on the AP. This option is enabled by default.
                            threshold Optional. Configures the threshold at which power-save client detection is triggered
                            <1-1000> Configures the number of successive unacknowledged packets before power-save detection is triggered. Specify a value from 1 - 1000. The default is 3.
timeout <1-60>              Configures the interval, in seconds, for successive packets not acknowledged by the client
                            <1-60> Specify a value from 1 - 60 seconds. The default is 3 seconds.

Example
rfs4000-229D58(config-wlan-test)#service allow-ht-only
rfs4000-229D58(config-wlan-test)#service monitor aaa-server
rfs4000-229D58(config-wlan-test)#show context
wlan test
 ssid test
 vlan 1
 bridging-mode tunnel
 encryption-type none
 authentication-type none
 service monitor aaa-server
 service allow-ht-only
 controller-assisted-mobility
rfs4000-229D58(config-wlan-test)#
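The enforce-pmkid-validation description above says what is compared but not how the PMKID is formed or where it travels. The Python below is an added example, not code from this guide or from WiNG, that computes the PMKID exactly as IEEE 802.11-2012 defines it (the first 128 bits of HMAC-SHA-1 over "PMK Name" || AP MAC || station MAC, keyed with the PMK; HMAC-SHA-256 when a SHA-256 AKM such as the one selected by wpa-wpa2 use-sha256-akm is in use), parses the PMKID list out of the RSN element a client sends in its (re)association request, and performs the check an AP does before accepting a cached PMK. The PMK, both MAC addresses and the RSN element are constructed for the example; the PMK value is the 802.11i Annex H test-vector key for passphrase "password" on SSID "IEEE".

```python
# Added example of what "service enforce-pmkid-validation" checks.  Not from
# the WiNG CLI Reference Guide or from WiNG; the formulas follow
# IEEE 802.11-2012 11.6.1.3 and the RSN element layout in 8.4.2.27.
import hashlib
import hmac

# Constructed inputs: the 802.11i Annex H test-vector PMK and two made-up MACs.
PMK = bytes.fromhex("f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e")
AP_MAC = bytes.fromhex("02aabbcc0001")    # AA: authenticator address (AP BSSID)
STA_MAC = bytes.fromhex("02ddeeff0002")   # SPA: supplicant address (client)


def pmkid(pmk: bytes, aa: bytes, spa: bytes, sha256_akm: bool = False) -> bytes:
    """PMKID = Truncate-128(HMAC(PMK, "PMK Name" || AA || SPA)).

    SHA-1 for the classic 802.1X/PSK AKMs, SHA-256 for the SHA-256 AKMs.
    """
    if len(aa) != 6 or len(spa) != 6:
        raise ValueError("MAC addresses must be 6 bytes")
    digest = hashlib.sha256 if sha256_akm else hashlib.sha1
    return hmac.new(pmk, b"PMK Name" + aa + spa, digest).digest()[:16]


def parse_rsn_pmkid_list(rsn_ie: bytes) -> list:
    """Return the PMKIDs carried in an RSN element body (without the IE tag/len).

    Layout: version(2) | group cipher(4) | pairwise count(2) | pairwise(4*n) |
    AKM count(2) | AKMs(4*m) | RSN capabilities(2) | PMKID count(2) | PMKIDs(16*k).
    Counts are little-endian and the trailing fields are optional.
    """
    pos = 2 + 4
    n = int.from_bytes(rsn_ie[pos:pos + 2], "little"); pos += 2 + 4 * n
    m = int.from_bytes(rsn_ie[pos:pos + 2], "little"); pos += 2 + 4 * m
    pos += 2                                    # RSN capabilities
    if pos + 2 > len(rsn_ie):
        return []                               # no PMKID count present
    k = int.from_bytes(rsn_ie[pos:pos + 2], "little"); pos += 2
    return [rsn_ie[pos + 16 * i: pos + 16 * (i + 1)] for i in range(k)]


def validate_assoc_pmkid(rsn_ie: bytes, cached_pmk: bytes, aa: bytes, spa: bytes,
                         sha256_akm: bool = False) -> bool:
    """Accept the cached PMK only if a PMKID the client offered equals the one
    derived from that PMK for this AP/station pair.  Constant-time compare so a
    wrong PMKID cannot be distinguished from a right one by timing."""
    expected = pmkid(cached_pmk, aa, spa, sha256_akm)
    return any(hmac.compare_digest(p, expected) for p in parse_rsn_pmkid_list(rsn_ie))


def build_rsn_ie(pmkids: list) -> bytes:
    """Constructed minimal RSN element body: WPA2 CCMP/CCMP, AKM PSK, plus PMKIDs."""
    ccmp = bytes.fromhex("000fac04")
    akm_psk = bytes.fromhex("000fac02")
    body = (1).to_bytes(2, "little") + ccmp                 # version, group cipher
    body += (1).to_bytes(2, "little") + ccmp                # one pairwise suite
    body += (1).to_bytes(2, "little") + akm_psk             # one AKM suite
    body += (0).to_bytes(2, "little")                       # RSN capabilities
    body += len(pmkids).to_bytes(2, "little") + b"".join(pmkids)
    return body


if __name__ == "__main__":
    ie = build_rsn_ie([pmkid(PMK, AP_MAC, STA_MAC)])
    print("PMKID:", pmkid(PMK, AP_MAC, STA_MAC).hex())
    print("valid:", validate_assoc_pmkid(ie, PMK, AP_MAC, STA_MAC))
```

One caveat worth keeping in mind when reading the table: for a PSK WLAN the PMKID is a function of the PMK and two MAC addresses only, no nonces, and the AP sends it in message 1 of the 4-way handshake. Validation therefore protects the roaming path against a client presenting a PMKID that does not belong to it; it does nothing against an attacker who records a PMKID off the air and brute-forces weak passphrases offline, which is the same passphrase-strength problem noted under wpa-wpa2 psk.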
Related Commands
no  Removes or reverts to default WLAN settings configured using the service command

4.1.98 wlan-qos-policy
Global Configuration Commands
Configures a WLAN QoS policy
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
wlan-qos-policy <WLAN-QOS-POLICY-NAME>
Parameters
wlan-qos-policy <WLAN-QOS-POLICY-NAME>
<WLAN-QOS-POLICY-NAME>      Specify the WLAN QoS policy name. If the policy does not exist, it is created.

Example
rfs6000-81742D(config)#wlan-qos-policy test
rfs6000-81742D(config-wlan-qos-test)#?
WLAN QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address and forwarding QoS classification
  classification         Select how traffic on this WLAN must be classified (relative prioritization on the radio)
  multicast-mask         Egress multicast mask (frames that match bypass the PSP queue. This permits intercom mode operation without delay even in the presence of PSP clients)
  no                     Negate a command or set its defaults
  qos                    Quality of service
  rate-limit             Configure traffic rate-limiting parameters on a per-wlan/per-client basis
  svp-prioritization     Enable spectralink voice protocol support on this wlan
  voice-prioritization   Prioritize voice client over other client (for non-WMM clients)
  wmm                    Configure 802.11e/Wireless MultiMedia parameters

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal

rfs6000-81742D(config-wlan-qos-test)#
Related Commands
no  Removes an existing WLAN QoS Policy

NOTE: For more information on WLAN QoS policy commands, see Chapter 21, WLAN-QOS-POLICY.

4.1.99 url-filter
Global Configuration Commands
The following table lists the commands that allow you to enter the URL filter configuration mode:

Table 4.55 Commands Creating a URL Filter
Command                          Description                                                 Reference
url-filter                       Creates a new URL filter and enters its configuration mode  page 4-552
url-filter-config-mode commands  Summarizes the URL filter configuration mode commands       page 4-555

4.1.99.1 url-filter
url-filter
Creates a new URL filter (Web filter) and enters its configuration mode.

URL filtering is a licensed feature. When applied to a WiNG device, the license allows you to enable URL filtering on the device and to create and apply a URL filter defining the banned and/or allowed URLs. When enabled, the URL filter is applied to all user-initiated URL requests to determine if the requested URL is banned or allowed. Only if allowed is the user's request (in the form of an HTTP request packet) forwarded to the Web server.

URL filters can be applied at any of the following points: the user's application (browser/email reader), the network's gateway, the Internet service provider's (ISP) end, and also on a Web portal. For wireless clients, the WLAN infrastructure is the best place to implement these filters.

A URL filter is a set of whitelist and/or blacklist rules. The whitelist allows access only to those Websites and URLs specified in it. All other Websites and URLs, apart from those specified in the whitelist, are banned. On the other hand, the blacklist bans all Websites and URLs specified in it. All other Websites and URLs, apart from those specified in the blacklist, are allowed.

To simplify URL filter configuration, Websites have been classified into pre-defined category-types and categories. The system provides 12 category-types and 64 categories. To further simplify configuration, these 12 category-types have been grouped into five (5) pre-defined levels. (See the Usage Guidelines section for the list of category-types, categories, and levels.)

The actual classification of URLs (on the basis of the pre-defined factors mentioned above) is done by the classification server. A local database also helps by caching URL records for a user-defined time period. The classification server host is specified in the Web filter policy. The Web filter policy also defines the URL database parameters. For more information, see web-filter-policy.

The WiNG software also allows you to create URL lists. Each URL list contains a list of user-defined URLs. Use the URL list in a URL filter (whitelist or blacklist rule) to identify the URLs to ban or allow. For example, a URL list named SocialNetworking is created listing the following three sites: Facebook, Twitter, and LinkedIn. When applied to a URL filter's blacklist these three sites are banned. Whereas, when applied to a whitelist, only these three sites are allowed. For more information on configuring a URL list, see url-list.

NOTE: URL filtering is a licensed feature. Procure and install the license in the device configuration mode. For more information, see license.

Supported in the following platforms:
Access Points: AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
url-filter <URL-FILTER-NAME>
Parameters
url-filter <URL-FILTER-NAME>
<URL-FILTER-NAME>           Creates a new URL filter and enters its configuration mode. Specify the URL filter name. If the filter does not exist, it is created.

Usage Guidelines
The 12 pre-defined category-types and the categories within each:
 1  Adult Content              Alcohol & Tobacco, Dating & Personals, Gambling, Nudity, Pornography/Sexually Explicit, Sex Education, Weapons
 2  Business                   Web-based Email
 3  Communication              Chat, Instant Messaging
 4  Entertainment              Streaming Media & Downloads
 5  File Sharing and Backup    Download Sites
 6  Gaming                     Games
 7  News Sports and General    Arts, Business, Computer & Technology, Education, Entertainment, Fashion & Beauty, Finance, Forum & Newsgroups, General, Government, Greeting Card, Health & Medicine, Information Security, Job Search, Leisure & Recreation, Network Errors, News, Non-Profits & NGO, Personal Sites, Politics, Private IP Addresses, Real Estate, Religion, Restaurants & Dining, Search Engine & Portals, Shopping, Sports, Transportation, Translators, Travel
 8  Peer-to-Peer (P2P)         Peer to Peer
 9  Questionable/Unethical     Child Abuse Images, Cults, Hacking, Hate & Intolerance, Illegal Drug, Illegal Sharing, Illegal Software, School Cheating, Tasteless, Violence
10  Security Risk              Advertisement & Pop-ups, Anonymizers, Botnets, Compromised, Criminal Activity, Malware, Parked Domains, Phishing & Fraud, Spam Sites
11  Social and Photo Sharing   Social Networking
12  Software Update            N/A

The five (5) pre-defined levels; each level blocks everything the level before it blocks plus the category-types listed:
 1  Basic         Blocks sites/URLs categorized as Security Risk
 2  Low           Blocks sites/URLs categorized as Adult Content + Basic
 3  Medium        Blocks sites/URLs categorized as File Sharing and Backup, P2P, Questionable/Unethical + Low
 4  Medium High   Blocks sites/URLs categorized as Gaming + Medium
 5  High          Blocks sites/URLs categorized as Communication, Entertainment, Social and Photo Sharing + Medium High

Example
nx9500-6C8809(config-url-filter-test)#?
URL Filter Mode commands:
  blacklist    Block access to URL
  blockpage    Configure blocking page parameters
  description  Url filter description
  no           Negate a command or set its defaults
  whitelist    Allow access to URL

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

nx9500-6C8809(config-url-filter-test)#
4.1.99.2 url-filter-config-mode commands
url-filter
The following table summarizes URL filter configuration mode commands:

Table 4.56 URL-Filter-Config-Mode Commands
Command      Description                                                                                                                        Reference
blacklist    Creates a blacklist rule defining a list of banned Websites and URLs                                                               page 4-556
blockpage    Configures the parameters that retrieve the page or content displayed by the client's browser when a requested URL is blocked and cannot be viewed   page 4-559
description  Configures an appropriate description for this URL filter                                                                          page 4-561
no           Removes this URL filter's configured parameters                                                                                    page 4-562
whitelist    Creates a whitelist rule defining a list of Websites and URLs allowed access by clients                                             page 4-563

4.1.99.2.1 blacklist
url-filter-config-mode commands
Creates a blacklist rule. A blacklist is a list of Websites and URLs denied access by clients. Clients requesting blacklisted URLs are presented with a page displaying the Web page blocked message. Parameters relating to this page are configured using the blockpage option.

URL filtering is based on the classification of Websites into pre-defined category-types. Some of the category-types are further divided into multiple categories. Currently available are 12 built-in category-types and 64 categories. These built-in category-types and categories cannot be modified. Use the available options to identify the URL category-types and categories to include in the blacklist.

In addition to identifying URLs by the categories and category-types they are classified into, the system also provides five (5) levels of Web filtering (basic, high, low, medium, and medium-high). Each level identifies a specific set of URL categories to blacklist. For more information on category-types, categories, and URL filtering levels, see url-filter.

Supported in the following platforms:
Access Points: AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
blacklist [category-type|level|url-list]
blacklist category-type [adult-content|all|business|communication|entertainment|
file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|
social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
blacklist level [basic|high|low|medium|medium-high] precedence <1-500>
{description <LINE>}
blacklist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}
Parameters
blacklist category-type [adult-content|all|business|communication|
entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|
security-risk|social-photo-sharing|software-updates] precedence <1-500>
{description <LINE>}
blacklist category-type <SELECT-CATEGORY-TYPE>
                            Selects the category-type to blacklist. A category is a pre-defined URL list available in the WiNG software. Categories are based on an external database, and cannot be modified or removed. Custom categories can be created with a URL list and added to the database. Websites have been classified into the following 12 category-types:
                            adult-content, business, communication, entertainment, file-sharing-backup, gaming, news-sports-general, p2p, questionable, security-risk, social-photo-sharing, and software-updates
                            Select all to blacklist all category-types. Some of the category-types are further classified into categories. For example, the adult-content category-type is differentiated into the following categories:
                            alcohol-tobacco, dating-personals, gambling, nudity, pornography-sexually-explicit, sex-education, and weapons. The system blocks all categories (URLs falling within their limits) within the selected category-type.
precedence <1-500>          Configures the precedence value for this blacklist rule. Rules are applied in increasing order of their precedence value. Therefore, rules with lower precedence values are applied first.
description <LINE>          Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule.

blacklist level [basic|high|low|medium|medium-high] precedence <1-500>
{description <LINE>}
blacklist level [basic|high|low|medium|medium-high]
                            Configures the Web filtering level as basic, high, low, medium, or medium-high. Each of these filter levels is pre-configured to use a set of category-types, and this mapping cannot be modified.
precedence <1-500>          Configures the precedence value for this blacklist rule. Rules are applied in increasing order of their precedence value. Therefore, rules with lower precedence values are applied first.
description <LINE>          Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule.

blacklist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}
blacklist url-list <URL-LIST-NAME>
                            Associates a URL list with this URL filter. When associated with a blacklist rule, all URLs listed in the specified URL list are blacklisted. URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories. For more information on configuring a URL list, see url-list.
                            <URL-LIST-NAME> Enter the URL list name (it should already exist and be configured)
precedence <1-500>          Configures the precedence value for this blacklist rule. Rules are applied in increasing order of their precedence value. Therefore, rules with lower precedence values are applied first.
description <LINE>          Optional. Configures a description (not exceeding 80 characters) for this blacklist rule. Enter a description that allows you to identify the purpose of the rule.

Example
rfs6000-81742D(config-url-filter-test)#blacklist level medium-high precedence 10
rfs6000-81742D(config-url-filter-test)#blacklist category-type adult-content category alcohol-tobacco precedence 1
rfs6000-81742D(config-url-filter-test)#blacklist category-type security-risk category botnets precedence 3
rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 blacklist level medium-high precedence 10
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
rfs6000-81742D(config-url-filter-test)#
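The precedence rules above are easiest to reason about by running them. The Python below is an added example, not code from this guide or from WiNG, that models a URL filter as an ordered rule set: blacklist and whitelist rules carry a precedence value, are evaluated lowest value first, and the first rule that matches decides (first-match is an assumption; the page only says lower precedence values are applied first). It uses the level-to-category-type mapping from the url-filter Usage Guidelines and a constructed in-memory host-to-category-type table in place of the classification server; the url-lists, hosts and the AllowedChat exception are likewise constructed. The rule set reproduces the CLI example on this page and adds a whitelisted url-list at a lower precedence value than the level rule, which is the usual way to carve an exception out of a broad level block.

```python
# Added example: evaluation order of URL filter whitelist/blacklist rules.
# Not from the WiNG CLI Reference Guide or from WiNG.  Assumptions: rules are
# tried in increasing precedence value and the first match decides; an
# unmatched URL is allowed unless a catch-all "category-type all" blacklist
# is present (that is how a "whitelist only" filter is modelled here).
from dataclasses import dataclass
from urllib.parse import urlsplit

# Level -> category-types, as listed under url-filter Usage Guidelines.
LEVELS = {
    "basic": {"security-risk"},
    "low": {"security-risk", "adult-content"},
}
LEVELS["medium"] = LEVELS["low"] | {"file-sharing-backup", "p2p", "questionable"}
LEVELS["medium-high"] = LEVELS["medium"] | {"gaming"}
LEVELS["high"] = LEVELS["medium-high"] | {"communication", "entertainment",
                                          "social-photo-sharing"}

# Constructed stand-in for the classification server: host -> category-type.
CLASSIFICATION = {
    "casino.example": "adult-content",
    "games.example": "gaming",
    "cnc.example": "security-risk",
    "chat.example": "communication",
    "intranet.example": "business",
}

# Constructed url-lists, as they would be created with the url-list command.
URL_LISTS = {
    "SocialNetworking": ["facebook.com", "twitter.com", "linkedin.com"],
    "AllowedChat": ["chat.example"],
}


@dataclass(order=True)
class Rule:
    precedence: int       # 1-500; lower values are applied first
    action: str           # "whitelist" or "blacklist"
    kind: str             # "category-type", "level" or "url-list"
    value: str


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def host_in_list(host: str, entries: list) -> bool:
    """Exact or parent-domain match: 'www.facebook.com' matches 'facebook.com',
    'notfacebook.com' does not.  A plain substring test would get both wrong."""
    return any(host == e or host.endswith("." + e) for e in entries)


def rule_matches(rule: Rule, host: str) -> bool:
    cat = CLASSIFICATION.get(host)            # None when unclassified
    if rule.kind == "url-list":
        return host_in_list(host, URL_LISTS.get(rule.value, []))
    if rule.kind == "category-type":
        return rule.value == "all" or cat == rule.value
    if rule.kind == "level":
        return cat in LEVELS[rule.value]
    raise ValueError(f"unknown rule kind {rule.kind}")


def evaluate(rules: list, url: str) -> str:
    """Return 'allow' or 'block'; the first matching rule in precedence order wins."""
    host = host_of(url)
    for rule in sorted(rules):
        if rule_matches(rule, host):
            return "allow" if rule.action == "whitelist" else "block"
    return "allow"


# The CLI example on this page plus one exception: AllowedChat is whitelisted
# at precedence 5, so it is decided before the medium-high level rule at 10
# even though that level would block the communication category-type.
FILTER_TEST = [
    Rule(1, "blacklist", "category-type", "adult-content"),
    Rule(3, "blacklist", "category-type", "security-risk"),
    Rule(5, "whitelist", "url-list", "AllowedChat"),
    Rule(10, "blacklist", "level", "medium-high"),
    Rule(20, "blacklist", "url-list", "SocialNetworking"),
]

if __name__ == "__main__":
    for u in ("http://casino.example/play", "https://chat.example/room",
              "https://www.facebook.com/", "https://notfacebook.com/"):
        print(u, "->", evaluate(FILTER_TEST, u))
```

The two points the model makes concrete: an exception must sit at a lower precedence value than the rule it overrides, or the broad rule fires first and the whitelist is never consulted; and url-list matching has to be on host boundaries, since a substring match would let notfacebook.com through a facebook.com block and, worse, block any host that merely contains a listed name.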
Related Commands
no  Removes a blacklist rule from this URL filter. Specify the category-type, category, and precedence to identify the blacklist rule. The identified rule is removed from the URL filter.

4.1.99.2.2 blockpage
url-filter-config-mode commands
Configures the parameters that retrieve the page or content displayed by the client's browser when a requested URL is blocked and cannot be viewed.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
blockpage [external|internal|path]
blockpage path [external|internal]
blockpage external url <URL>
blockpage internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title] <LINE/IMAGE-URL>
Parameters
blockpage path [external|internal]
Specifies whether the page displayed to the client when a requested URL is blocked is hosted externally or internally.
external  Indicates the page displayed is hosted on an external Web server. If selecting this option, use the blockpage > external > url <URL> command to provide the path to the external Web server hosting the page.
internal  Indicates the page displayed is hosted internally. This is the default setting. If selecting this option, use the blockpage > internal > <SELECT-PAGE-TYPE> > <LINE/IMAGE-URL> command to define the page configuration.

blockpage external url <URL>
Configures the URL of the external Web server hosting the page (displayed to the client when a requested URL is blocked).
url <URL>  Specify the URL of the Web server and the blocking page name. Valid URLs should begin with http:// or https://. The URL can contain query strings. Use the '&' or '?' character to separate field-value pairs. Enter 'ctrl-v' followed by '?' to configure query strings.

blockpage internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title] <LINE/IMAGE-URL>
Configures the internally hosted blocking page parameters, such as the content displayed, page footer and header, organization (the organization enforcing the Web page blocking) details (name, signature, and logo), and page title.
content  Configures the text (message) displayed on the blocking page
footer  Configures the text displayed as the blocking page footer
header  Configures the text displayed as the blocking page header
org-name  Configures the organization's name displayed on the blocking page
org-signature  Configures the organization's signature displayed on the blocking page
title  Configures the title of the blocking page
main-logo  Configures the location of the main logo (the organization's large logo)
small-logo  Configures the location of the small logo (the organization's small logo)
The following keyword is common to all of the above parameters:
<LINE/IMAGE-URL>  Specify the location of the logo (main and small) image file. The image is retrieved and displayed from the location configured here. If you are using this option to provide text content, such as the organization name, footer, header, etc., enter a text string not exceeding 255 characters in length.

Example
rfs6000-81742D(config-url-filter-test)#blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 blacklist level medium-high precedence 10
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#
Related Commands
no  Removes the blocking page configurations

4.1.99.2.3 description
url-filter-config-mode commands
Configures a description for this URL filter. Provide a description that enables you to identify the purpose of this URL filter.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
description <LINE>
Parameters
description <LINE>
Enter an appropriate description for this URL filter. The description should identify the URL filter's purpose and should not exceed 80 characters in length.
Example
rfs6000-81742D(config-url-filter-test)#description Blacklists sites inappropriate for children and are security risks.
rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#
Related Commands
no  Removes this URL filter's description

4.1.99.2.4 no
url-filter-config-mode commands
Use the no command to remove this URL filter's configured parameters.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [blacklist|blockpage|description|whitelist]
no blacklist [category-type|level|url-list]
no blacklist [category-type <SELECT-CATEGORY-TYPE>|level <SELECT-LEVEL>|url-list <URL-LIST-NAME>] precedence <1-500>
no blockpage [external|internal [content|footer|header|main-logo|org-name|org-signature|small-logo|title]|path]
no description
no whitelist [category-type|url-list]
no whitelist [category-type <SELECT-CATEGORY-TYPE>|url-list <URL-LIST-NAME>] precedence <1-500>
Parameters
no <PARAMETERS>
Removes this URL filter's configured parameters based on the values passed here.
Example
The following example displays the URL filter test settings before the no command is executed:
rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 whitelist category-type communication category chat precedence 7
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#
rfs6000-81742D(config-url-filter-test)#no description
rfs6000-81742D(config-url-filter-test)#no blacklist category-type adult-content category alcohol-tobacco precedence 1
rfs6000-81742D(config-url-filter-test)#no whitelist category-type communication category chat precedence 7
The following example displays the URL filter test settings after the no command is executed:
rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 blacklist level medium-high precedence 10
 blacklist category-type security-risk category botnets precedence 3
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#
4.1.99.2.5 whitelist
url-filter-config-mode commands
Creates a whitelist rule. A whitelist is a list of Websites and URLs that clients are allowed to access. URL filtering is based on the classification of Websites into pre-defined category-types. Some of the category-types are further divided into multiple categories. Currently available are 12 built-in category types and 64 categories. These built-in category-types and categories cannot be modified. Use the available options to identify the category-types and categories to include in the whitelist.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
whitelist [category-type|url-list]
whitelist category-type [adult-content|all|business|communication|entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}
whitelist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}
Parameters
whitelist category-type [adult-content|all|business|communication|entertainment|file-sharing-backup|gaming|news-sports-general|p2p|questionable|security-risk|social-photo-sharing|software-updates] precedence <1-500> {description <LINE>}

whitelist category-type <SELECT-CATEGORY-TYPE> precedence <1-500>
Selects the category-type to add to this whitelist. A category is a pre-defined URL list available in the WiNG software. Categories are based on an external database, and cannot be modified or removed. Custom categories can be created with the URL List and added to the database. Websites have been classified into the following 12 category types: adult-content, business, communication, entertainment, file-sharing-backup, gaming, news-sports-general, p2p, questionable, security-risk, social-photo-sharing, and software-updates. Select all to whitelist all category-types. Some of the category-types are further classified into categories. For example, the adult-content category-type is differentiated into the following categories: alcohol-tobacco, dating-personals, gambling, nudity, pornography-sexually-explicit, sex-education, and weapons. The system allows all categories (URLs falling within their limits) within the selected category-type.
precedence <1-500>
Configures the precedence value for this whitelist rule. Rules are applied in increasing order of precedence, so rules with a lower precedence value are applied first.
description <LINE>
Optional. Configures a description (not exceeding 80 characters) for this whitelist rule. Enter a description that allows you to identify the purpose of the rule.

whitelist url-list <URL-LIST-NAME> precedence <1-500> {description <LINE>}
whitelist url-list <URL-LIST-NAME> precedence <1-500>
Associates a URL list with this URL filter. When associated with a whitelist rule, all URLs listed in the specified URL list are allowed access. URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories. For more information on configuring a URL list, see url-list.
<URL-LIST-NAME>  Enter the URL list name (the list should already exist and be configured).
precedence <1-500>
Configures the precedence value for this whitelist rule. Rules are applied in increasing order of precedence, so rules with a lower precedence value are applied first.
description <LINE>
Optional. Configures a description (not exceeding 80 characters) for this whitelist rule. Enter a description that allows you to identify the purpose of the rule.

Example
rfs6000-81742D(config-url-filter-test)#whitelist category-type communication category chat precedence 7
rfs6000-81742D(config-url-filter-test)#show context
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 whitelist category-type communication category chat precedence 7
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
rfs6000-81742D(config-url-filter-test)#
Related Commands
no  Removes a whitelist rule from this URL filter. Specify the category-type, category, and precedence to identify the whitelist rule. The identified rule is removed from the URL filter.

4.1.100 url-list
Global Configuration Commands
The following table lists the commands that allow you to enter the URL list configuration mode:
Table 4.57 Commands Creating a URL List
Command                        Description                                                Reference
url-list                       Creates a new URL list and enters its configuration mode  page 4-566
url-list-config-mode commands  Summarizes the URL list configuration mode commands       page 4-567

4.1.100.1 url-list
url-list
Creates a URL list and enters its configuration mode. URL lists are a means of categorizing URLs on the basis of various criteria, such as frequently used, not permitted, etc. A URL list is used in URL filters to identify whitelisted/blacklisted URLs. Web requests are blocked or approved based on URL filter whitelist/blacklist rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
url-list <URL-LIST-NAME>
Parameters
url-list <URL-LIST-NAME>
<URL-LIST-NAME>  Specify the URL list name. The URL list is created if another list with the same name does not exist.
Example
nx9500-6C8809(config)#url-list URLlist1
nx9500-6C8809(config-url-list-URLlist1)#?
URL List Mode commands:
  description  Description of the category
  no           Negate a command or set its defaults
  url          Add a URL entry

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

nx9500-6C8809(config-url-list-URLlist1)#
nx9500-6C8809(config-url-list-URLlist1)#url http://www.example_company.com depth 10
nx9500-6C8809(config-url-list-test)#show context
url-list test
 url http://www.example_company.com depth 10
nx9500-6C8809(config-url-list-URLlist1)#
4.1.100.2 url-list-config-mode commands
url-list
The following table summarizes URL list configuration mode commands:
Table 4.58 URL-List-Config-Mode Commands
Command      Description                                  Reference
description  Configures a description for this URL list  page 4-568
url          Adds URL entries to this URL list            page 4-569
no           Removes this URL list's settings             page 4-570

4.1.100.2.1 description
url-list-config-mode commands
Configures a description for this URL list. The description should be unique and enable you to identify the type of URLs listed in the URL list.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
description <LINE>
Parameters
description <LINE>
Provide a unique description for this URL list (should not exceed 500 characters in length).
Example
nx9500-6C8809(config-url-list-test)#description This URL list contains social media URLs
nx9500-6C8809(config-url-list-test)#show context
url-list test
 description This URL list contains social media URLs
nx9500-6C8809(config-url-list-test)#
Related Commands
no  Removes this URL list's description

4.1.100.2.2 url
url-list-config-mode commands
Adds URL entries to this URL list.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
url <WORD> {depth <1-10>}
Parameters
url <WORD> {depth <1-10>}
Adds a URL entry.
<WORD>  Specify the URL to add.
depth  Optional. Sets the number of levels to be cached. Since Web sites have different parameters to uniquely identify specific content, the same content may be stored on multiple origin servers. Smart caching uses subsets of these parameters to recognize that the content is the same and serves it from cache.
<1-10>  Specify the depth from 1 - 10.
Example
nx9500-6C8809(config-url-list-test)#url http://www.facebook.com
nx9500-6C8809(config-url-list-test)#show context
url-list test
 description This URL list contains social communication URLS
 url https://www.facebook.com depth 5
nx9500-6C8809(config-url-list-test)#
Related Commands
no  Removes a URL entry from this URL list

4.1.100.2.3 no
url-list-config-mode commands
Removes this URL list's settings.
Supported in the following platforms:
Access Points AP6522, AP6532, AP7131, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [description|url]
no description
no url <WORD>
Parameters
no <PARAMETERS>
Removes this URL list's settings based on the parameters passed.
Example
The following example displays the URL list test settings before the no command is executed:
nx9500-6C8809(config-url-list-test)#show context
url-list test
 description This URL list contains social communication URLS
 url https://www.facebook.com depth 5
nx9500-6C8809(config-url-list-test)#
nx9500-6C8809(config-url-list-test)#no url www.facebook.com
The following example displays the URL list test settings after the no command is executed:
nx9500-6C8809(config-url-list-test)#show context
url-list test
 description This URL list contains social communication URLS
nx9500-6C8809(config-url-list-test)#
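The url-filter rules above (blacklist, whitelist, level, url-list, each with a precedence) and the url-list entries in this section are easier to audit off-box. The following is an added example, not code from the guide or from Extreme Networks: it parses `show context` output for a url-filter and a url-list, flags rules that share a precedence value, and traces which rule decides a request. It assumes first-match evaluation in increasing precedence order, a default of allow when nothing matches, subdomain matching for url-list hosts, and a constructed URL-to-category table and level mapping (the built-in mapping is not published in the guide); the `social` url-list and the rule that references it are constructed too.

```python
"""
Added example (not code from the WiNG CLI Reference Guide or from Extreme Networks):
parse `show context` output of a url-filter and a url-list, audit the rules, and work
out which rule decides a client request.
Assumptions not stated by the guide: rules are tried in increasing precedence value and
the first match decides; an unmatched request is allowed; a url-list entry also covers
subdomains; the URL -> category table and the filter-level mapping are constructed
placeholders (the real built-in mapping is not published in the guide).
"""
import re
from urllib.parse import urlparse

# Constructed sample output modelled on the guide's show context examples; the
# "blacklist url-list social" rule and the url-list named "social" are added here.
URL_FILTER_CONTEXT = """\
url-filter test
 description "Blacklists sites inappropriate for children and are security risks."
 blacklist level medium-high precedence 10
 whitelist category-type communication category chat precedence 7
 blacklist url-list social precedence 5
 blacklist category-type security-risk category botnets precedence 3
 blacklist category-type adult-content category alcohol-tobacco precedence 1
 blockpage internal content "The requested Web page is blocked and cannot be displayed for viewing"
"""

URL_LIST_CONTEXT = """\
url-list social
 description This URL list contains social communication URLS
 url https://www.facebook.com depth 5
"""

# Placeholder classification data (constructed, not the built-in database).
CATEGORY_OF = {
    "chat.example.net": ("communication", "chat"),
    "bad.example.org": ("security-risk", "botnets"),
    "gamble.example.net": ("questionable", None),
    "news.example.com": ("news-sports-general", None),
}
LEVEL_BLOCKS = {"medium-high": {"adult-content", "security-risk", "questionable"}}

RULE_RE = re.compile(
    r"^\s*(?P<action>blacklist|whitelist)\s+"
    r"(?:category-type\s+(?P<ctype>\S+)(?:\s+category\s+(?P<cat>\S+))?"
    r"|url-list\s+(?P<ulist>\S+)"
    r"|level\s+(?P<level>\S+))"
    r"\s+precedence\s+(?P<prec>\d+)"
)


def parse_url_filter(text):
    """Return the blacklist/whitelist rules of a url-filter context, lowest precedence first."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rule = m.groupdict()
            rule["prec"] = int(rule["prec"])
            rules.append(rule)
    return sorted(rules, key=lambda r: r["prec"])


def parse_url_list(text):
    """Return the set of hosts named by `url` entries in a url-list context."""
    hosts = set()
    for line in text.splitlines():
        m = re.match(r"^\s*url\s+(\S+)", line)
        if m:
            # Entries may be full URLs (https://host) or bare hosts, as in `no url www.facebook.com`.
            hosts.add(urlparse(m.group(1)).hostname or m.group(1))
    return hosts


def duplicate_precedences(rules):
    """Audit check: precedence values shared by several rules, whose relative order is then unclear."""
    counts = {}
    for r in rules:
        counts[r["prec"]] = counts.get(r["prec"], 0) + 1
    return {p for p, n in counts.items() if n > 1}


def host_in_list(host, hosts):
    # Assumption: a list entry covers the host itself and its subdomains.
    return any(host == h or host.endswith("." + h) for h in hosts)


def classify(url, rules, url_lists, category_of=CATEGORY_OF, level_blocks=LEVEL_BLOCKS):
    """Return ("block"|"allow", precedence of the deciding rule, or None if no rule matched)."""
    host = urlparse(url).hostname or ""
    ctype, cat = category_of.get(host, (None, None))
    for r in rules:  # lowest precedence value first; assumption: first match decides
        if r["ulist"] is not None:
            hit = host_in_list(host, url_lists.get(r["ulist"], set()))
        elif r["ctype"] is not None:
            hit = (r["ctype"] == "all" or r["ctype"] == ctype) and (r["cat"] is None or r["cat"] == cat)
        else:
            hit = ctype in level_blocks.get(r["level"], set())
        if hit:
            return ("block" if r["action"] == "blacklist" else "allow", r["prec"])
    return ("allow", None)  # assumption: default allow when nothing matches


if __name__ == "__main__":
    rules, lists = parse_url_filter(URL_FILTER_CONTEXT), {"social": parse_url_list(URL_LIST_CONTEXT)}
    print(classify("https://www.facebook.com/home", rules, lists), duplicate_precedences(rules))
```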
4.1.101 vx9000
Global Configuration Commands
Configures a Virtual WLAN Controller (V-WLC) in a virtual machine (VM) environment. A V-WLC can be deployed on shared, third-party server hardware, thereby reducing the overhead costs of procuring and maintaining dedicated appliances. The external, third-party hardware needs to have a hypervisor installed, such as VMware, Xen, VirtualBox, KVM, Amazon EC2 or Hyper-V, enabling it to communicate with the V-WLC software. The V-WLC controls and manages access points and other controllers (at the NOC or as a site-controller) in the network. The traffic between the access points and the V-WLC is carried over the layer-3 MINT protocol. V-WLC is a licensed feature, and the WiNG software provides the following two new licenses:
VX  When installed, this license activates the VM controller instance and enables the V-WLC to trigger the adoption process, allowing access points to adopt to the V-WLC. The adoption capacity of the V-WLC is determined by the number of licenses installed on it.
VX-DEMO  This is a 60 day trial license. This license also activates the VM controller instance and enables the V-WLC to adopt access points, but the access point adoption capacity is limited to 16. Having installed this license on a device, the only other license that you can install on it is the VX license. All existing installed licenses will continue to work as before. Since this license has a limited validity period, ensure that the system clocks of the license generating tool and the device are in sync, preferably through NTP.
To install the VX or VX-DEMO license on an existing V-WLC instance, use the license command. For more information, see the examples provided in this section.
Supported in the following platforms:
Service Platforms NX9500, NX9510, NX9600
Syntax
vx9000 <MAC>
Parameters
vx9000 <MAC>
Configures a V-WLC and enters its configuration mode. The V-WLC configuration is the same as that of a normal controller.
Example
nx9500-6C8809(config)#vx9000 11-22-33-44-55-66
nx9500-6C8809(config-device-11-22-33-44-55-66)#?
Device Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning policy when adopted by another controller
  adoption                            Adoption configuration
  adoption-site                       Set system's adoption site
  adoption-mode                       Configure the adoption mode for the access-points in this RF-Domain
  alias                               Alias
  application-policy                  Application Poicy configuration
  area                                Set name of area where the system is located
  arp                                 Address Resolution Protocol (ARP)
  auto-learn                          Auto learning
  autogen-uniqueid                    Autogenerate a unique id
  autoinstall                         Autoinstall settings
  bluetooth-detection                 Detect Bluetooth devices using the Bluetooth USB module - there will be interference on 2.4 Ghz radio in wlan mode
  bridge                              Ethernet bridge
  captive-portal                      Captive portal
  cdp                                 Cisco Discovery Protocol
  channel-list                        Configure channel list to be advertised to wireless clients
  cluster                             Cluster configuration
  configuration-persistence           Enable persistence of configuration across reloads (startup configfile)
  contact                             Configure the contact
  controller                          WLAN controller configuration
  country-code                        Configure the country of operation
  critical-resource                   Critical Resource
  crypto                              Encryption related commands
  database                            Database command
  device-upgrade                      Device firmware upgrade
  dot1x                               802.1X
  dpi                                 Enable Deep-Packet-Inspection (Application Assurance)
  dscp-mapping                        Configure IP DSCP to 802.1p priority mapping for untagged frames
  email-notification                  Email notification configuration
  enforce-version                     Check the firmware versions of devices before interoperating
  environmental-sensor                Environmental Sensors Configuration
  events                              System event messages
  export                              Export a file
  file-sync                           File sync between controller and adoptees
  floor                               Set the floor within a area where the system is located
  geo-coordinates                     Configure geo coordinates for this device
  gre                                 GRE protocol
  hostname                            Set system's network name
  http-analyze                        Specify HTTP-Analysis configuration
  interface                           Select an interface to configure
  ip                                  Internet Protocol (IP)
  ipv6                                Internet Protocol version 6 (IPv6)
  l2tpv3                              L2tpv3 protocol
  l3e-lite-table                      L3e lite Table
  layout-coordinates                  Configure layout coordinates for this device
  led                                 Turn LEDs on/off on the device
  led-timeout                         Configure the time for the led to turn off after the last radio state change
  legacy-auto-downgrade               Enable device firmware to auto downgrade when other legacy devices are detected
  legacy-auto-update                  Auto upgrade of legacy devices
  license                             License management command
  lldp                                Link Layer Discovery Protocol
  load-balancing                      Configure load balancing parameter
  location                            Configure the location
  logging                             Modify message logging facilities
  mac-address-table                   MAC Address Table
  mac-auth                            802.1X
  mac-name                            Configure MAC address to name mappings
  management-server                   Configure management server address
  memory-profile                      Memory profile to be used on the device
  meshpoint-device                    Configure meshpoint device parameters
  meshpoint-monitor-interval          Configure meshpoint monitoring interval
  min-misconfiguration-recovery-time  Check controller connectivity after configuration is received
  mint                                MiNT protocol
  mirror                              Mirroring
  misconfiguration-recovery-time      Check controller connectivity after configuration is received
  mpact-server                        MPACT server configuration
  neighbor-inactivity-timeout         Configure neighbor inactivity timeout
  neighbor-info-interval              Configure neighbor information exchange interval
  no                                  Negate a command or set its defaults
  noc                                 Configure the noc related setting
  nsight                              NSight
  ntp                                 Ntp server WORD
  offline-duration                    Set duration for which a device remains unadopted before it generates offline event
  override                            Override a command
  override-wlan                       Configure RF Domain level overrides for wlan
  power-config                        Configure power mode
  preferred-controller-group          Controller group this system will prefer for adoption
  preferred-tunnel-controller         Tunnel Controller Name this system will prefer for tunneling extended vlan traffic
  radius                              Configure device-level radius authentication parameters
  raid                                RAID
  remove-override                     Remove configuration item override from the device (so profile value takes effect)
  rf-domain-manager                   RF Domain Manager
  router                              Dynamic routing
  rsa-key                             Assign a RSA key to a service
  sensor-server                       AirDefense sensor server configuration
  slot                                PCI expansion Slot
  spanning-tree                       Spanning tree
  timezone                            Configure the timezone
  traffic-class-mapping               Configure IPv6 traffic class to 802.1p priority mapping for untagged frames
  trustpoint                          Assign a trustpoint to a service
  tunnel-controller                   Tunnel Controller group this controller belongs to
  use                                 Set setting to use
  vrrp                                VRRP configuration
  vrrp-state-check                    Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP
  wep-shared-key-auth                 Enable support for 802.11 WEP shared key authentication

  clrscr                              Clears the display screen
  commit                              Commit all changes made in this session
  do                                  Run commands from Exec mode
  end                                 End current mode and change to EXEC mode
  exit                                End current mode and down to previous mode
  help                                Description of the interactive help system
  revert                              Revert changes
  service                             Service Commands
  show                                Show running system information
  write                               Write running configuration to memory or terminal

nx9500-6C8809(config-device-11-22-33-44-55-66)#
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#license ?
  WORD  Feature name (AP/AAP/ADSEC/HTANLT/VX) for which license is to be added
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#license vx 80ee9649eddc94b48b5a35d7eaf8e73b376a51649291714d04c84769b0fc4b3766816878d2739c24
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#com wr
Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_COMMIT: Configuration commit by user 'root' (mapsh) from 'Console'
Jan 16 13:48:11 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 9 from 8
Jan 16 13:48:12 2014: vx-0099CC : %LICMGR-6-LIC_INSTALLED: VX license installed
[OK]
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#Jan 16 13:48:12 2014: vx-0099CC : %SYSTEM-6-CONFIG_REVISION: Configuration revision updated to 10 from 9
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#sh licenses
Serial Number : 000C290099CCC0A80001
WARNING: Recommended minimum system resource requirements not met for the current license pack or cluster configs. Please check user guide and reconfigure the system
Device Licenses:
  AP-LICENSE         String :
                     Value  : 10240
  AAP-LICENSE        String :
                     Value  : 10240
  ADVANCED-SECURITY  String : DEFAULT-ADV-SEC-LICENSE
  VX-LICENSE         String : 80ee9649eddc94b48b5a35d7eaf8e73b376a51649291714d04c84769b0fc4b3766816878d2739c24
Cluster Licenses:
  AP-LICENSE         Value : 10240  Used : 0
  AAP-LICENSE        Value : 10240  Used : 0
  Cluster MAX AP Capacity:
                     Value : 10240  Used : 0
Active Members:
---------------------------------------------------------------------------------------------------
MEMBER             SERIAL                LIC TYPE  VALUE  BORROWED  TOTAL  NO.APS  NO.AAPS
---------------------------------------------------------------------------------------------------
00-0C-29-00-99-CC  000C290099CCC0A80001  AP        10240  0         10240  0       0
00-0C-29-00-99-CC  000C290099CCC0A80001  AAP       10240  0         10240  -       -
---------------------------------------------------------------------------------------------------
vx-0099CC(config-device-00-0C-29-00-99-CC)~*#
Related Commands
no  Removes a VX9000 wireless controller

5 COMMON COMMANDS
This chapter describes the CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes. The PRIV EXEC command set contains commands available within the USER EXEC mode. Some commands can be entered in either mode. Commands entered in either the USER EXEC or PRIV EXEC mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered in either mode.

5.1 Common Commands
The following table summarizes commands common to the User Exec, Priv Exec, and Global Config modes:
Table 5.1 Commands Common to Controller CLI Modes
Command  Description                                                                             Reference
clrscr   Clears the display screen                                                              page 5-3
commit   Commits (saves) changes made in the current session                                    page 5-4
exit     Ends and exits the current mode and moves to the PRIV EXEC mode                        page 5-5
help     Displays the interactive help system                                                   page 5-6
no       Negates a command or reverts values to their default settings                          page 5-9
revert   Reverts changes to their last saved configuration                                      page 5-12
service  Invokes service commands to troubleshoot or debug (config-if) instance configurations  page 5-13
show     Displays running system information                                                    page 5-58
write    Writes the system's running configuration to memory or to the terminal                page 5-60
NOTE: The input parameter <HOSTNAME> cannot include an underscore character. In other words, a device's hostname cannot contain an underscore.

5.1.1 clrscr
Common Commands
Clears the screen and refreshes the prompt, irrespective of the mode.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
clrscr
Parameters
None
Example
The terminal window or screen before the clrscr command is executed:
rfs4000-229D58#device-upgrade ?
  DEVICE-NAME     Name/MAC address of device
  all             Upgrade all devices
  ap650           Upgrade AP650 Device
  ap6511          Upgrade AP6511 Device
  ap6521          Upgrade AP6521 Device
  ap6522          Upgrade AP6522 Device
  ap6532          Upgrade AP6532 Device
  ap6562          Upgrade AP6562 Device
  ap71xx          Upgrade AP7161 Device
  ap7502          Upgrade AP7502 Device
  ap7522          Upgrade AP7522 Device
  ap7532          Upgrade AP7532 Device
  ap7562          Upgrade AP7562 Device
  ap81xx          Upgrade AP81XX Device
  ap82xx          Upgrade AP82XX Device
  ap8432          Upgrade AP8432 Device
  ap8533          Upgrade AP8533 Device
  cancel-upgrade  Cancel upgrading the device
  load-image      Load the device images to controller for device-upgrades
  rf-domain       Upgrade all devices belonging to an RF Domain
  rfs4000         Upgrade RFS4000 Device
rfs4000-229D58#
The terminal window or screen after the clrscr command is executed:
rfs4000-229D58#
5.1.2 commit

Commits changes made in the active session. Use the commit command to save and invoke settings entered during the current transaction.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
commit {write}{memory}

Parameters
commit {write}{memory}

write
    Optional. Commits changes made in the current session
memory
    Optional. Writes to memory. This option ensures current changes persist across reboots.

Example
nx9500-6C8809#commit write memory
[OK]
nx9500-6C8809#
5.1.3 exit

The exit command works differently in the User Exec, Priv Exec, and Global Config modes. In the Global Config mode, it ends the current mode and moves to the previous mode, which is Priv Exec mode. The prompt changes from (config)# to #. When used in the Priv Exec and User Exec modes, the exit command ends the current session, and the connection to the terminal device is terminated. If the current session has changes that have not been committed, the system prompts you to either commit or revert before terminating the session.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
exit

Parameters
None

Example
nx9500-6C8809(config)#exit
nx9500-6C8809#
5.1.4 help

Describes the interactive help system. Use this command to access the advanced help feature. Use ? at any time at the command prompt to access the help topic. Two kinds of help are provided:

Full help is available when ready to enter a command argument.
Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (for example, 'show ve?').

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
help {search}
help {search <WORD>} {detailed|only-show|skip-no|skip-show}

Parameters
help {search <WORD>} {detailed|only-show|skip-no|skip-show}

search <WORD>
    Optional. Searches for CLI commands related to a specified target term
    <WORD>  Specify a target term (for example, a feature or a configuration parameter). After specifying the term, select one of the following options: detailed, only-show, skip-no, or skip-show. The system displays information based on the option selected.
detailed
    Optional. Searches and displays help strings in addition to mode and commands
only-show
    Optional. Displays only show commands. Does not display configuration commands
skip-no
    Optional. Displays only configuration commands. Does not display no commands
skip-show
    Optional. Displays only configuration commands. Does not display show commands

Example
nx9500-6C8809>help search crypto detailed
found more than 64 references, showing the first 64
Context : Command
Command : clear crypto ike sa (A.B.C.D|all)(|on DEVICE-NAME)
\ Clear
\ Encryption Module
\ IKE SA
\ Flush IKE SAs
\ Flush IKE SAs for a given peer
\ Flush all IKE SA
\ On AP/Controller
\ AP/Controller name
: clear crypto ipsec sa(|on DEVICE-NAME)
\ Clear
\ Encryption Module
\ IPSec database
\ Flush IPSec SAs
\ On AP/Controller
\ AP/Controller name
: crypto key export rsa WORD URL (passphrase WORD|) (background|) ...
\ Encryption related commands
--More--
nx9500-6C8809>
nx9500-6C8809>help search crypto only-show
Context : Command
Command : show crypto cmp request status(|on DEVICE-NAME)
: show crypto ike sa (version 1|version 2|)(peer A.B.C.D|) (detail...
: show crypto ipsec sa (peer A.B.C.D|) (detail|) (|on DEVICE-NAME...
: show crypto key rsa (|public-key-detail) (|on DEVICE-NAME)
: show crypto pki trustpoints (WORD|all|)(|on DEVICE-NAME)
nx9500-6C8809>
nx9500-6C8809>help search service skip-show
found more than 64 references, showing the first 64
Context : Command
Command : service block-adopter-config-update
: service clear adoption history(|on DEVICE-NAME)
: service clear captive-portal-page-upload history (|(on DOMAIN-NA...
: service clear command-history(|on DEVICE-NAME)
: service clear device-upgrade history (|on DOMAIN-NAME)
: service clear noc statistics
: service clear reboot-history(|on DEVICE-NAME)
: service clear unsanctioned aps (|on DEVICE-OR-DOMAIN-NAME)
: service clear upgrade-history(|on DEVICE-NAME)
: service clear web-filter cache(|on DEVICE-NAME)
: service clear wireless ap statistics (|(AA-BB-CC-DD-EE-FF)) (|on...
: service clear wireless client statistics (|AA-BB-CC-DD-EE-FF) (|...
: service clear wireless controller-mobility-database
: service clear wireless dns-cache(|on DEVICE-OR-DOMAIN-NAME)
: service clear wireless radio statistics (|(DEVICE-NAME (|<1-3>))...
: service clear wireless wlan statistics (|WLAN) (|on DEVICE-OR-DO...
: service clear xpath requests (|<1-100000>)
: service show block-adopter-config-update
: service show captive-portal servers(|on DEVICE-NAME)
: service show captive-portal user-cache(|on DEVICE-NAME)
: service show cli
--More--
nx9500-6C8809>
nx9500-6C8809>help search mint only-show
Found 25 references for "mint"
Context : Command
Command : show debugging mint (|on DEVICE-OR-DOMAIN-NAME)
: show mint config(|on DEVICE-NAME)
: show mint dis (|details)(|on DEVICE-NAME)
: show mint id(|on DEVICE-NAME)
: show mint info(|on DEVICE-NAME)
: show mint known-adopters(|on DEVICE-NAME)
: show mint links (|details)(|on DEVICE-NAME)
: show mint lsp
: show mint lsp-db (|details AA.BB.CC.DD)(|on DEVICE-NAME)
: show mint mlcp history(|on DEVICE-NAME)
: show mint mlcp(|on DEVICE-NAME)
: show mint neighbors (|details)(|on DEVICE-NAME)
: show mint route(|on DEVICE-NAME)
: show mint stats(|on DEVICE-NAME)
: show mint tunnel-controller (|details)(|on DEVICE-NAME)
: show mint tunneled-vlans(|on DEVICE-NAME)
: show wireless mint client (|on DEVICE-OR-DOMAIN-NAME)
: show wireless mint client portal-candidates(|(DEVICE-NAME (|<1-3...
: show wireless mint client statistics (|on DEVICE-OR-DOMAIN-NAME)...
: show wireless mint client statistics rf (|on DEVICE-OR-DOMAIN-NA...
: show wireless mint detail (|(DEVICE-NAME (|<1-3>))) (|(filter {|...
: show wireless mint links (|on DEVICE-OR-DOMAIN-NAME)
: show wireless mint portal (|on DEVICE-OR-DOMAIN-NAME)
: show wireless mint portal statistics (|on DEVICE-OR-DOMAIN-NAME)...
: show wireless mint portal statistics rf (|on DEVICE-OR-DOMAIN-NA...
nx9500-6C8809>
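The help search listings above follow one layout: an optional reference-count line, a "Context : Command" header, a first "Command : ..." line, further ": ..." lines, and (with the detailed option) "\ ..." help strings attached to the command just listed, with "--More--" and the echoed prompt as noise. The parser below is an added example, not code from the guide or the product; it assumes only that layout, and the sample output it is fed is constructed from the crypto examples above. Turning the listing into structured records is useful when reviewing which commands a given mode exposes, for instance separating read-only show commands from the rest the way only-show and skip-show do on the device.

```python
"""Parser for the output of the WiNG 'help search <WORD> ...' command.

Added example, not code from the CLI reference guide. It assumes only the
layout visible in the examples above: an optional 'found ...' summary line, a
'Context : Command' header, one 'Command : <syntax>' line, further ': <syntax>'
lines, and '\\ <help string>' lines (printed by the 'detailed' option) that
belong to the command just listed. '--More--' and the device prompt are noise.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the 'help search crypto detailed' output above.
SAMPLE_OUTPUT = """\
nx9500-6C8809>help search crypto detailed
found more than 64 references, showing the first 64
Context : Command
Command : clear crypto ike sa (A.B.C.D|all)(|on DEVICE-NAME)
\\ Clear
\\ Encryption Module
\\ IKE SA
: clear crypto ipsec sa(|on DEVICE-NAME)
\\ Clear
\\ Encryption Module
: show crypto key rsa (|public-key-detail) (|on DEVICE-NAME)
\\ Show running system information
--More--
nx9500-6C8809>
"""


@dataclass
class HelpEntry:
    context: str
    command: str
    help_strings: list = field(default_factory=list)


PROMPT_RE = re.compile(r"^[\w-]+[>#]")            # nx9500-6C8809> or nx9500-6C8809#
CONTEXT_RE = re.compile(r"^Context\s*:\s*(.+)$")
COMMAND_RE = re.compile(r"^(?:Command\s*)?:\s*(.+?)\s*$")


def is_truncated(text: str) -> bool:
    """True when the device stopped short of the full result set."""
    return "--More--" in text or "found more than" in text.lower()


def parse_help_search(text: str) -> list:
    entries = []
    context = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "--More--" or PROMPT_RE.match(line):
            continue                      # pager marker / echoed prompt
        if line.lower().startswith("found"):
            continue                      # reference-count summary line
        m = CONTEXT_RE.match(line)
        if m:
            context = m.group(1).strip()
            continue
        if line.startswith("\\"):         # help string for the last command
            if entries:
                entries[-1].help_strings.append(line[1:].strip())
            continue
        m = COMMAND_RE.match(line)
        if m:
            entries.append(HelpEntry(context, m.group(1)))
    return entries


def split_show_and_other(entries) -> dict:
    """Separate read-only 'show' commands from everything else, the same
    distinction 'only-show' and 'skip-show' make on the device."""
    show = [e.command for e in entries if e.command.startswith("show ")]
    other = [e.command for e in entries if not e.command.startswith("show ")]
    return {"show": show, "other": other}


if __name__ == "__main__":
    found = parse_help_search(SAMPLE_OUTPUT)
    for e in found:
        print(e.command, "--", "; ".join(e.help_strings))
    print("truncated:", is_truncated(SAMPLE_OUTPUT))
```

Because the device caps a search at 64 references, is_truncated() tells the caller that a captured listing is not a complete inventory; narrow the search term or use the filter options before drawing conclusions from it.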
5.1.5 no

Negates a command or sets its default. Though the no command is common to the User Exec, Priv Exec, and Global Config modes, it negates a different set of commands in each mode.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no <PARAMETERS>

Parameters
no <PARAMETERS>

no <PARAMETERS>
    The no command is common across all configuration modes and sub-modes. It resets or reverts settings based on the mode in which it is executed. For example, when executed in the AAA policy configuration mode, it allows you to reset or revert specific AAA policy settings. Similarly, when executed in the global configuration mode, it only resets or reverts settings configured in the global configuration mode.

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
Global Config mode: No command options
rfs6000-81742D(config)##no ?
  aaa-policy                          Delete a aaa policy
  aaa-tacacs-policy                   Delete a aaa tacacs policy
  alias                               Alias
  ap621                               Delete an AP621 access point
  ap622                               Delete an AP622 access point
  ap650                               Delete an AP650 access point
  ap6511                              Delete an AP6511 access point
  ap6521                              Delete an AP6521 access point
  ap6522                              Delete an AP6522 access point
  ap6532                              Delete an AP6532 access point
  ap6562                              Delete an AP6562 access point
  ap71xx                              Delete an AP71XX access point
  ap7502                              Delete an AP7502 access point
  ap7522                              Delete an AP7522 access point
  ap7532                              Delete an AP7532 access point
  ap7562                              Delete an AP7562 access point
  ap81xx                              Delete an AP81XX access point
  ap82xx                              Delete an AP82XX access point
  ap8432                              Delete an AP8432 access point
  ap8533                              Delete an AP8533 access point
  application                         Delete an application
  application-group                   Delete an application-group
  application-policy                  Delete an application policy
  association-acl-policy              Delete an association-acl policy
  auto-provisioning-policy            Delete an auto-provisioning policy
  bgp                                 BGP Configuration
  bonjour-gw-discovery-policy         Disable Bonjour Gateway discovery policy
  bonjour-gw-forwarding-policy        Disable Bonjour Gateway Forwarding policy
  bonjour-gw-query-forwarding-policy  Disable Bonjour Gateway Query Forwarding policy
  captive-portal                      Delete a captive portal
  client-identity                     Client identity (DHCP Device Fingerprinting)
  client-identity-group               Client identity group (DHCP Fingerprint Database)
  crypto-cmp-policy                   CMP policy
  customize                           Restore the custom cli commands to default
  device                              Delete multiple devices
  device-categorization               Delete device categorization object
  dhcp-server-policy                  DHCP server policy
  dhcpv6-server-policy                DHCPv6 server related configuration
  dns-whitelist                       Delete a whitelist object
  event-system-policy                 Delete a event system policy
  ex3500                              Ex3500 device
  ex3500-management-policy            Delete a ex3500 management policy
  ex3500-qos-class-map-policy         Delete a ex3500 qos class-map policy
  ex3500-qos-policy-map               Delete a ex3500 qos policy-map
  ex3524                              Delete an EX3524 wireless controller
  ex3548                              Delete an EX3548 wireless controller
  firewall-policy                     Configure firewall policy
  global-association-list             Delete a global association list
  igmp-snoop-policy                   Remove device onboard igmp snoop policy
  inline-password-encryption          Disable storing encryption key in the startup configuration file
  ip                                  Internet Protocol (IP)
  ipv6                                Internet Protocol version 6 (IPv6)
  ipv6-router-advertisement-policy    IPv6 Router Advertisement related configuration
  l2tpv3                              Negate a command or set its defaults
  mac                                 MAC configuration
  management-policy                   Delete a management policy
  meshpoint                           Delete a meshpoint object
  meshpoint-qos-policy                Delete a mesh point QoS configuration policy
  nac-list                            Delete an network access control list
  nsight-policy                       Delete a nsight policy
  passpoint-policy                    Delete a passpoint configuration policy
  password-encryption                 Disable password encryption in configuration
  profile                             Delete a profile and all its associated configuration
  radio-qos-policy                    Delete a radio QoS configuration policy
  radius-group                        Local radius server group configuration
  radius-server-policy                Remove device onboard radius policy
  radius-user-pool-policy             Configure Radius User Pool
  rf-domain                           Delete one or more RF-domains and all their associated configurations
  rfs4000                             Delete an RFS4000 wireless controller
  rfs6000                             Delete an RFS6000 wireless controller
  roaming-assist-policy               Delete a roaming-assist policy
  role-policy                         Role based firewall policy
  route-map                           Dynamic routing route map Configuration
  routing-policy                      Policy Based Routing Configuratino
  rtl-server-policy                   Delete a rtl server policy
  schedule-policy                     Delete a schedule policy
  sensor-policy                       Delete a sensor policy
  smart-rf-policy                     Delete a smart-rf-policy
  t5                                  Delete an T5 DSL switch
  url-filter                          Delete a url filter
  url-list                            Delete a URL list
  web-filter-policy                   Delete a web filter policy
  wips-policy                         Delete a wips policy
  wlan                                Delete a wlan object
  wlan-qos-policy                     Delete a wireless lan QoS configuration policy
  service                             Service Commands
rfs6000-81742D(config)#
Priv Exec mode: No command options
rfs6000-81742D#no ?
  adoption        Reset adoption state of the device (& all devices adopted to it)
  captive-portal  Captive portal commands
  cpe             T5 CPE configuration
  crypto          Encryption related commands
  debug           Debugging functions
  logging         Modify message logging facilities
  page            Toggle paging
  service         Service Commands
  terminal        Set terminal line parameters
  upgrade         Remove a patch
  wireless        Wireless Configuration/Statistics commands
rfs6000-81742D#
User Exec mode: No command options
rfs6000-81742D>no ?
  adoption        Reset adoption state of the device (& all devices adopted to it)
  captive-portal  Captive portal commands
  crypto          Encryption related commands
  debug           Debugging functions
  logging         Modify message logging facilities
  page            Toggle paging
  service         Service Commands
  terminal        Set terminal line parameters
  wireless        Wireless Configuration/Statistics commands
rfs6000-81742D>
5.1.6 revert

Reverts changes made in the current session to their last saved configuration.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
revert

Parameters
None

Example
nx9500-6C8809>revert
nx9500-6C8809>
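The commit (5.1.2), exit (5.1.3) and revert (5.1.6) descriptions together define a small transaction model: edits in the current session are invisible until commit, commit alone does not survive a reboot unless write memory is added, revert drops uncommitted edits, and exit from Priv or User Exec refuses to end a session that still has uncommitted changes. The model below is an added example, not code from the guide or the product; it assumes three configuration stores (the session's candidate edits, the committed running configuration, and the startup configuration that commit write memory persists), and the setting names and values used in demo() are constructed. The point it makes for anyone hardening these devices is the one the guide states for the memory option: a change that was committed but never written is silently gone after the next reboot.

```python
"""Model of the transaction semantics described for commit (5.1.2), exit (5.1.3)
and revert (5.1.6). Added example, not code from the guide or the product.
It assumes three configuration stores: the session's uncommitted edits
(candidate), the committed running configuration, and the startup
configuration that 'commit write memory' persists across reboots. The
keys/values used in demo() are constructed.
"""


class UncommittedChanges(Exception):
    """Raised when exit is attempted with changes neither committed nor reverted."""


class CliSession:
    def __init__(self, startup=None):
        self.startup = dict(startup or {})   # survives a reboot
        self.running = dict(self.startup)    # committed, currently active
        self.candidate = dict(self.running)  # edits made in this session
        self.mode = "priv-exec"
        self.closed = False

    @property
    def prompt(self) -> str:
        return "(config)#" if self.mode == "global-config" else "#"

    @property
    def dirty(self) -> bool:
        return self.candidate != self.running

    def configure(self):
        self.mode = "global-config"

    def set(self, key, value):
        self.candidate[key] = value

    def commit(self, write_memory=False) -> str:
        """commit applies the session's edits; 'commit write memory' also
        writes them to the startup configuration."""
        self.running = dict(self.candidate)
        if write_memory:
            self.startup = dict(self.running)
        return "[OK]"

    def revert(self):
        """Discard uncommitted edits, back to the last committed state."""
        self.candidate = dict(self.running)

    def exit(self) -> str:
        if self.mode == "global-config":
            self.mode = "priv-exec"          # (config)# -> #, session stays open
            return self.prompt
        if self.dirty:                       # Priv/User Exec: commit or revert first
            raise UncommittedChanges("commit or revert before exiting")
        self.closed = True
        return "closed"

    def reboot(self):
        """Only what was written to memory comes back after a reboot."""
        self.running = dict(self.startup)
        self.candidate = dict(self.running)
        self.mode = "priv-exec"


def demo() -> tuple:
    """Returns (exit_blocked_while_dirty, lost_after_plain_commit,
    kept_after_commit_write_memory)."""
    s = CliSession({"hostname": "nx9500-6C8809"})
    s.configure()
    s.set("password-encryption", "enabled")  # constructed setting
    s.exit()                                 # back to '#', edit still pending
    try:
        s.exit()                             # refused: uncommitted changes
        blocked = False
    except UncommittedChanges:
        blocked = True
    s.commit()                               # active now, but not persisted
    s.reboot()
    lost = "password-encryption" not in s.running
    s.configure()
    s.set("password-encryption", "enabled")
    s.exit()
    s.commit(write_memory=True)
    s.reboot()
    kept = s.running.get("password-encryption") == "enabled"
    return blocked, lost, kept


if __name__ == "__main__":
    print(demo())
```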
5.1.7 service

Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode. The User Exec mode and Priv Exec mode commands provide the same functionality with a few minor differences. The Global Config service command sets the size of history files. It also enables viewing the current mode's CLI tree. This section consists of the following sub-sections:

Syntax (User Exec Mode)
Syntax (Privilege Exec Mode)
Syntax (Privilege Exec Mode: NX9500 and NX9510)

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax (User Exec Mode)
service [block-adopter-config-update|clear|cli-tables-skin|cluster|database|delete-offline-aps|force-send-config|force-update-vm-stats|guest-registration|load-balancing|load-ssh-authorized-keys|locator|nsight|radio|radius|request-full-config-from-adopter|set|show|smart-rf|ssm|snmp|syslog|wireless]
service [block-adopter-config-update|request-full-config-from-adopter]
service clear [adoption|captive-portal-page-upload|command-history|device-upgrade|diag|dpi|file-sync|noc|reboot-history|unsanctioned|upgrade-history|virtual-machine-history|web-filter|wireless|xpath]
service clear adoption history {on <DEVICE-NAME>}
service clear device-upgrade history {on <DOMAIN-NAME>}
service clear dpi [all|app|app-category] stats {on <DEVICE-OR-DOMAIN-NAME>}
service clear diag pkts
service clear file-sync history {on <DOMAIN-NAME>}
service clear captive-portal-page-upload history {on <DOMAIN-NAME>}
service clear [command-history|reboot-history|upgrade-history|virtual-machine-history] {on <DEVICE-NAME>}
service clear noc statistics
service clear unsanctioned aps {on <DEVICE-OR-DOMAIN-NAME>}
service clear web-filter cache {on <DEVICE-NAME>}
service clear wireless [ap|client|controller-mobility-database|dns-cache|radio|wlan]
service clear wireless controller-mobility-database
service clear wireless [ap|client] statistics {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service clear wireless dns-cache {(on <DEVICE-OR-DOMAIN-NAME>)}
service clear wireless radio statistics {<MAC/HOSTNAME>} {<1-3>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service clear wireless wlan statistics {<WLAN-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service clear xpath requests {<1-100000>}
service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8] {grid}
service cluster force [active|configured-state|standby]
service database [authentication|start-shell]
service database authentication [create-user|delete-user]
service database authentication create-user username <USER-NAME> password <PASSWORD>
service database authentication delete-user username <USER-NAME>
Note: the other service > database command options are documented later in this section, under Syntax (Privilege Exec Mode).
service database start-shell
service delete-offline-aps [all|offline-for]
service delete-offline-aps offline-for days <0-999> {time <TIME>}
service force-send-config {on <DEVICE-OR-DOMAIN-NAME>}
service force-update-vm-stats {on <DEVICE-NAME>}
service guest-registration [backup|delete|export|import]
service guest-registration backup [delete|restore]
service guest-registration delete [all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|mac <MAC>|mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|otp-incomplete-for days <1-999>|social [facebook|google]|wlan <WLAN-NAME>]
service guest-registration export format [csv|json] <DEST-URL> {(rfdomain <DOMAIN-NAME>|time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]|wlan <WLAN-NAME>)}
service guest-registration import format <JSON> <SOURCE-URL>
service load-balancing clear-client-capability [<MAC>|all] {on <DEVICE-NAME>}
service load-ssh-authorized-keys <PUBLIC-KEY> {on <DEVICE-NAME>}
service locator {<1-60>} {(on <DEVICE-NAME>)}
service nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]
service radio <1-3> [adaptivity|channel-switch|dfs]
service radio <1-3> adaptivity
service radio <1-3> channel-switch <36-196> [160|20|40|80]
service radio <1-3> dfs simulator-radar [extension|primary]
service radius test [<IP>|<HOSTNAME>] [<WORD>|port]
service radius test [<IP>|<HOSTNAME>] <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}
service radius test [<IP>|<HOSTNAME>] port <1024-65535> <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}
service set validation-mode [full|partial] {on <DEVICE-NAME>}
service show [block-adopter-config-update|captive-portal|cli|client-identity-defaults|command-history|configuration-revision|crash-info|dhcp-lease|diag|fast-switching|fib|fib6|guest-registration|info|ip-access-list|mac-vendor|mem|mint|noc|nsight|pm|process|reboot-history|rf-domain-manager|sites|snmp|ssh-authorized-keys|startup-log|sysinfo|top|upgrade-history|virtual-machine-history|watch-dog|wireless|xpath-history]
service show block-adopter-config-update
service show captive-portal [log-internal|servers|user-cache]
service show captive-portal log-internal
service show captive-portal [servers|user-cache] {on <DEVICE-NAME>}
service show [cli|client-identity-defaults|configuration-revision|mac-vendor <OUI/MAC>|noc diag|snmp session|xpath-history]
service show [command-history|crash-info|info|mem|process|reboot-history|startup-log|ssh-authorized-keys|sysinfo|top|upgrade-history|watchdog] {on <DEVICE-NAME>}
service show ip-access-list wlan <WLAN-NAME> status {detail} {on <DEVICE-OR-DOMAIN-NAME>}
service show dhcp-lease {<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
service show diag [fds|led-status|pkts|psu|stats]
service show diag [fds|pkts]
service show diag [led-status|psu|stats] {on <DEVICE-NAME>}
service show fast-switching {on <DEVICE-NAME>}
service show [fib|fib6] {table-id <0-255>}
service show guest-registration [export-status|import-status|restore-status]
service show mint [adopted-devices {on <DEVICE-NAME>}|ports]
service show pm {history} {(on <DEVICE-NAME>)}
service show rf-domain-manager [diag|info] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service show sites
service show virtual-machine-history {on <DEVICE-NAME>}
service show wireless [aaa-stats|adaptivity-status|client|config-internal|credential-cache|dns-cache|log-internal|meshpoint|neighbors|radar-status|radio-internal|reference|stats-client|vlan-usage]
service show wireless [aaa-stats|adaptivity-status|credential-cache|dns-cache|radar-status|vlan-usage] {on <DEVICE-NAME>}
service show wireless [config-internal|log-internal|neighbors]
service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service show wireless radio-internal [radio1|radio2] <LINE>
service show wireless reference [channels|frame|handshake|mcs-rates|reason-codes|status-codes]
service show wireless stats-client diag {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
service smart-rf [clear-config|clear-history|clear-interfering-aps|save-config]
service smart-rf clear-config {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
service smart-rf [clear-history|clear-interfering-aps|save-config] {on <DOMAIN-NAME>}
service snmp sysoid wing5
service ssm [dump-core-snapshot|trace]
service ssm trace pattern <WORD> {on <DEVICE-NAME>}
service syslog test {level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]} {(on <DEVICE-NAME>)}
service wireless [client|dump-core-snapshot|meshpoint|qos|trace|unsanctioned|wips]
service wireless client [beacon-request|quiet-element|trigger-bss-transition|trigger-wnm]
service wireless client beacon-request <MAC> mode [active|passive|table] ssid [<SSID>|any] channel-report [<CHANNEL-LIST>|none] {on <DEVICE-NAME>}
service wireless client quiet-element [start|stop]
service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535>} {url <URL>} {on <DEVICE-OR-DOMAIN-NAME>}
service wireless client trigger-wnm mac <MAC> type [deauth-imminent|subscription-remediation] {uri <WORD>}
service wireless dump-core-snapshot
service wireless meshpoint zl <MESHPOINT-NAME> [on <DEVICE-NAME>] {<ARGS>|timeout <1-65535>}
service wireless qos delete-tspec <MAC> tid <0-7>
service wireless trace pattern <WORD> {on <DEVICE-NAME>}
service wireless unsanctioned ap air-terminate <MAC> {on <DOMAIN-NAME>}
service wireless wips [clear-client-blacklist|clear-event-history|dump-managed-config]
service wireless wips clear-client-blacklist [all|mac <MAC>]
service wireless wips clear-event-history {on <DEVICE-OR-DOMAIN-NAME>}
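The syntax lines above all use the same notation: [a|b] is a required choice, {x} or {a|b} is optional, (...) groups, and <NAME> stands for a value the operator supplies, with <n-m> meaning an integer in that range. The matcher below is an added example, not code from the guide or the product, and the notation's reading just given is an assumption, as are its value checks: <MAC> is taken in the AA-BB-CC-DD-EE-FF form the guide uses, and <HOSTNAME> and <DEVICE-NAME> may not contain an underscore (the NOTE under Table 5.1 states this for hostnames; treating a device name as its hostname is an assumption). It parses a syntax line into a small tree and checks whether a typed command is one of its valid expansions, which is the kind of check worth running over a change script before it reaches a device.

```python
"""Matcher for the [a|b] / {x} / (...) / <NAME> syntax notation used in the
service syntax lines above. Added example, not code from the guide or the
product; the notation's reading and the value checks below are assumptions.
"""
import re

SYN_TOKEN = re.compile(r"<[^>]+>|[\[\]{}()|]|[^\s\[\]{}()|<>]+")
RANGE_RE = re.compile(r"^(\d+)-(\d+)$")
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5}$")
NO_UNDERSCORE = {"HOSTNAME", "DEVICE-NAME"}   # assumption: device name == hostname


def parse_syntax(syntax: str):
    """Build a small AST: ('lit', w) | ('var', name) | ('alt', [seq..]) | ('opt', [seq..])."""
    toks = SYN_TOKEN.findall(syntax)
    pos = 0

    def alternatives(closer):
        nonlocal pos
        alts = [[]]
        while pos < len(toks) and toks[pos] != closer:
            if toks[pos] == "|":
                alts.append([])
                pos += 1
            else:
                alts[-1].append(item())
        pos += 1                      # consume the closer (harmless at end of input)
        return alts

    def item():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "[":
            return ("alt", alternatives("]"))   # required: exactly one branch
        if tok == "{":
            return ("opt", alternatives("}"))   # optional: one branch or nothing
        if tok == "(":
            return ("alt", alternatives(")"))   # parentheses only group
        if tok.startswith("<"):
            return ("var", tok[1:-1])
        return ("lit", tok)

    return ("alt", alternatives(None))


def value_ok(name: str, token: str) -> bool:
    """Does `token` satisfy placeholder <name>? (Checks are assumptions, see above.)"""
    m = RANGE_RE.match(name)
    if m:
        return token.isdigit() and int(m[1]) <= int(token) <= int(m[2])
    for kind in name.split("/"):      # '<MAC/HOSTNAME>' accepts either form
        if kind == "MAC":
            if MAC_RE.match(token):
                return True
        elif kind in NO_UNDERSCORE:
            if "_" not in token:
                return True
        elif token:
            return True
    return False


def ends(node, tokens, pos) -> set:
    """All positions at which `node` can finish matching, starting at `pos`."""
    kind, val = node
    if kind == "lit":
        return {pos + 1} if pos < len(tokens) and tokens[pos] == val else set()
    if kind == "var":
        return {pos + 1} if pos < len(tokens) and value_ok(val, tokens[pos]) else set()
    out = {pos} if kind == "opt" else set()
    for seq in val:
        cur = {pos}
        for child in seq:
            cur = set().union(*(ends(child, tokens, p) for p in cur)) if cur else set()
        out |= cur
    return out


def matches(syntax: str, command: str) -> bool:
    """True if the typed command is one valid expansion of the syntax line."""
    tokens = command.split()
    return len(tokens) in ends(parse_syntax(syntax), tokens, 0)


if __name__ == "__main__":
    line = "service clear adoption history {on <DEVICE-NAME>}"
    for cmd in ("service clear adoption history on ap7532-1",
                "service clear adoption history on ap_7532"):
        print(cmd, "->", matches(line, cmd))
```

Returning the set of all end positions instead of the first match is what lets the optional groups overlap without explicit backtracking: for {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>} the token "on" is a legal device name as well as a keyword, and both readings are kept until the length check at the end decides.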
Parameters (User Exec Mode)

service [block-adopter-config-update|request-full-config-from-adopter]

block-adopter-config-update
    Blocks the configuration updates sent from the NOC server
request-full-config-from-adopter
    Configures a request for full configuration updates from the adopter device
    In a hierarchically managed (HM) network, devices are deployed in two levels. The first level consists of the Network Operations Center (NOC) controllers. The second level consists of the site controllers that can be grouped to form clusters. The NOC controllers adopt and manage the site controllers. Access points within the network are adopted and managed by the site controllers. The adopted devices (access points and site controllers) are referred to as the adoptee. The devices adopting the adoptee are the adopters.

service clear adoption history {on <DEVICE-NAME>}

clear adoption history
    Clears adoption history on this device and its adopted access points
on <DEVICE-NAME>
    Optional. Clears adoption history on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.

service clear device-upgrade history {on <DOMAIN-NAME>}

clear device-upgrade history
    Clears device upgrade history
on <DOMAIN-NAME>
    Optional. Clears all firmware upgrade history in a specified RF Domain
    <DOMAIN-NAME>  Specify the RF Domain name.

service clear diag pkts

clear diag pkts
    Clears the looped packets queue logged by the dataplane. The dataplane logs up to 16 looped packets at a time in a separate queue, which has to be manually cleared to make space for new packet logging. For more information on viewing logged looped packet information, execute the service > show > diag > pkts command.

service clear dpi [all|app|app-category] stats {on <DEVICE-OR-DOMAIN-NAME>}
clear dpi [all|app|app-category] stats
    Clears Deep Packet Inspection (DPI) statistics. When enabled, DPI allows application and/or application category recognition. The DPI statistics are maintained by the system for every hit registered by the DPI engine. Use the following filter options to clear all or specific DPI statistics:
    all           Clears all DPI related (application and app-category) statistics
    app           Clears only application related statistics
    app-category  Clears only app-category related statistics
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Clears DPI statistics based on the parameters passed on a specified device or RF Domain
    <DEVICE-OR-DOMAIN-NAME>  Specify the name of the access point, controller, service platform, or RF Domain.

service clear file-sync history {on <DOMAIN-NAME>}

clear file-sync history
    Clears client-bridge certificate synchronization statistics. When an AP6522/AP6562 access point is configured as a client bridge, the EAP-TLS X.509 (PKCS#12) certificate is synchronized between the staging-controller and adoptee AP6522/AP6562 client-bridge access points. This command allows you to clear client-bridge certificate synchronization statistics.
on <DOMAIN-NAME>
    Optional. Clears file synchronization history on all devices within a specified RF Domain
    <DOMAIN-NAME>  Specify the RF Domain name.

service clear captive-portal-page-upload history {on <DOMAIN-NAME>}

clear captive-portal-page-upload history
    Clears captive portal page upload history
on <DOMAIN-NAME>
    Optional. Clears captive portal page upload history on a specified RF Domain
    <DOMAIN-NAME>  Specify the RF Domain name.

service clear [command-history|reboot-history|upgrade-history|virtual-machine-history] {on <DEVICE-NAME>}
clear [command-history|reboot-history|upgrade-history]
    Clears command history, reboot history, or device upgrade history
clear virtual-machine-history
    Clears virtual-machine history on the logged device or a specified device. This command is applicable only on the NX9500 and NX9510 series service platforms.
on <DEVICE-NAME>
    Optional. Clears history on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform. When executing the clear virtual-machine-history command, provide the name of the service platform running the VMs.

service clear noc statistics

clear noc statistics
    Clears Network Operations Center (NOC) applicable statistics counters

service clear unsanctioned aps {on <DEVICE-OR-DOMAIN-NAME>}

clear unsanctioned aps
    Clears the unsanctioned APs list
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Clears the unsanctioned APs list on a specified device or RF Domain
    <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.

service clear wireless [ap|client] statistics {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
clear wireless [ap|client] statistics
    Clears wireless statistics counters based on the parameters passed
    ap statistics      Clears applicable AP statistics counters
    client statistics  Clears applicable wireless client statistics counters
    The following keywords are common to the ap and client parameters:
<MAC>
    Optional. Clears statistics counters for a specified AP or client. Specify the AP/client MAC address.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Clears AP/client statistics counters on a specified device or RF Domain.
    <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.

service clear wireless controller-mobility-database

clear wireless controller-mobility-database
    Clears the controller assisted mobility database

service clear web-filter cache {on <DEVICE-NAME>}

clear web-filter cache
    Clears the cache used for Web filtering
on <DEVICE-NAME>
    Optional. Clears the Web filtering cache on a specified device
    <DEVICE-NAME>  Specify the name of the AP, wireless controller, or service platform.

service clear wireless radio statistics {<MAC/HOSTNAME>} {<1-3>} {(on <DEVICE-OR-DOMAIN-NAME>)}
clear wireless radio statistics
    Clears applicable wireless radio statistics counters
<MAC/HOSTNAME>
    Optional. Specify the MAC address or hostname of the radio, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.
<1-3>
    Optional. Specify the radio interface index, if not specified as part of the radio ID.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. This is a recursive parameter, which clears wireless radio statistics on a specified device or RF Domain. Specify the name of the device.
    <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.

service clear wireless wlan statistics {<WLAN-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
clear wireless wlan statistics
    Clears WLAN statistics counters
<WLAN-NAME>
    Optional. Clears statistics counters on a specified WLAN. Specify the WLAN name.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. This is a recursive parameter, which clears WLAN statistics on a specified device or RF Domain. Specify the name of the device.
    <DEVICE-OR-DOMAIN-NAME>  Specify the name of the AP, wireless controller, service platform, or RF Domain.

service clear xpath requests {<1-100000>}

clear xpath requests
    Clears XPATH related information; clears pending XPATH get requests
<1-100000>
    Optional. Specifies the session number (cookie from show sessions)
    <1-100000>  Specify the session number from 1 - 100000.
    Note: Omits clearing the current session's pending XPATH get requests.

service cli-tables-skin [ansi|hashes|minimal|none|percent|stars|thick|thin|utf-8] {grid}
cli-tables-skin
[ansi|hashes|minimal|
none|percent|stars|
thick|thin|uf-8]
Selects a formatting layout or skin for CLI tabular outputs ansi Uses ANSI characters for borders hashes Uses hashes (#) for borders minimal Uses one horizontal line between title and data rows none Displays space separated items with no decoration percent Uses the percent sign (%) for borders stars Uses asterisks (*) for borders thick Uses thick lines for borders Contd.. Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 19 COMMON COMMANDS grid thin Uses thin lines for borders utf-8 Uses UTF-8 characters for borders Optional. Uses a complete grid instead of just title lines service cluster force [active|configured-state|standby]
  cluster force
      Enables cluster protocol management. Forces action commands on a cluster (active, configured-state, and standby).
  active
      Changes the cluster run status to active
  configured-state
      Restores a cluster to the configured state
  standby
      Changes the cluster run status to standby

service database authentication create-user username <USER-NAME> password <PASSWORD>
  database authentication create-user
      Performs database related actions. This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
      Creates users having access rights to the database. Execute this command on the database host. However, before creating users on the database, generate the database keyfile. For more information on generating the keyfile, see database.
  username <USER-NAME>
      Configures the database username
  password <PASSWORD>
      Configures a password for the username specified above
      In the database-policy, ensure that authentication is enabled and a username and password are configured. The database-client-policy should also have the same username and password configured. For more information on database-policy and database-client-policy, see database-policy and database-client-policy.

service database authentication delete-user username <USER-NAME>
  database authentication delete-user
      Performs database related actions. This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
      Deletes the username required for access rights to the captive-portal/NSight database
  username <USER-NAME>
      Deletes the username identified by the <USER-NAME> keyword. Once deleted, the database cannot be accessed using the specified combination of username and password.

service database start-shell
  database start-shell
      Performs database related actions. This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
      Starts the database shell

service delete-offline-aps all
  delete-offline-aps all
      Deletes all off-line access points

service delete-offline-aps offline-for days <0-999> {time <TIME>}
  delete-offline-aps
      Deletes off-line access points for a specified interval
  days <0-999>
      Deletes off-line access points for a specified number of days
      <0-999> Specify the number of off-line days from 0 - 999.
  time <TIME>
      Optional. Deletes off-line access points for a specified time
      <TIME> Specify the time in HH:MM:SS format.

service force-send-config {on <DEVICE-OR-DOMAIN-NAME>}
  force-send-config
      Resends configuration to device(s)
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Resends configuration to a specified device or all devices in a specified RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

service force-update-vm-stats {on <DEVICE-NAME>}
  force-update-vm-stats
      Forcefully pushes VM statistics on to the NOC
  on <DEVICE-NAME>
      Optional. Executes the command on a specified device
      <DEVICE-NAME> Specify the name of the device.

service guest-registration backup [delete|restore]
  guest-registration backup [delete|restore]
      Deletes or restores all guest registration backup snapshots based on the parameter passed
      delete  Deletes all guest registration backup snapshots
      restore Restores all guest registration backup snapshots
      Note: To view the status of the restore process, use the service > show > guest-registration > restore-status command.

service guest-registration delete [all|email <EMAIL-ADD>|group <RAD-GROUP-NAME>|mac <MAC>|mobile <MOBILE-NUMBER>|name <CLIENT-FULL-NAME>|non-social|offline-for days <1-999>|wlan <WLAN-NAME>|otp-incomplete-for days <1-999>|social [facebook|google]]
  guest-registration delete
      Deletes a specified user or all user records from the guest-registration database. To delete a specific user, use one of the following options as an identification parameter: email, group, mac, mobile number, name, offline-for, wlan, otp-incomplete-for, or social.
      Following are the user filtering options. The user identified by one of the following parameters is deleted from the guest-registration database.
  email <EMAIL-ADD>
      Identifies the user by e-mail address
      <EMAIL-ADD> Provide the user's e-mail address.
  mac <MAC>
      Identifies the user by MAC address
      <MAC> Provide the user's MAC address.
  group <RAD-GROUP-NAME>
      Identifies users by their RADIUS group association
      <RAD-GROUP-NAME> Specify the RADIUS group name.
  mobile <MOBILE-NUMBER>
      Identifies the user by the registered mobile number
      <MOBILE-NUMBER> Provide the user's mobile number.
  name <CLIENT-FULL-NAME>
      Identifies the user by the registered full name
      <CLIENT-FULL-NAME> Provide the user's full name.
  non-social
      Identifies users that have not registered through social authentication
  offline-for days <1-999>
      Filters users who have not accessed the network for a specified number of days
      days <1-999> Specify the number of days from 1 - 999.
  wlan <WLAN-NAME>
      Identifies users accessing a specified WLAN
      <WLAN-NAME> Specify the WLAN name.
  otp-incomplete-for days <1-999>
      Identifies records of users that have not used their one-time password (OTP) to complete registration within a specified number of days
      days <1-999> Specify the number of days from 1 - 999.
  social [facebook|google]
      Identifies users using either Facebook or Google credentials to access the network
      facebook Identifies users using Facebook authentication
      google   Identifies users using Google authentication

service guest-registration export format [csv|json] <DEST-URL> {(rfdomain <DOMAIN-NAME>|time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]|wlan <WLAN-NAME>)}
  guest-registration export
      Exports guest registration user data files in the Comma-Separated Values (CSV) or JavaScript Object Notation (JSON) format. Use the rfdomain, wlan, and time options to filter users for a specified RF Domain, WLAN, and/or time period. These are recursive parameters and you can apply all or any of these three filters.
  format [csv|json]
      Specifies the file format. The options are:
      csv  Exports user data files in the CSV format
      json Exports user data files in the JSON format
  <DEST-URL>
      Configures the destination URL. The files are exported to the specified location. Both IPv4 and IPv6 address formats are supported.
      IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
  rfdomain <DOMAIN-NAME>
      Optional. Filters user data based on RF Domain name. Only the filtered data are exported.
      <DOMAIN-NAME> Specify the RF Domain name.
  wlan <WLAN-NAME>
      Optional. Filters user data based on WLAN name. Only the filtered data are exported.
      <WLAN-NAME> Specify the WLAN name.
  time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
      Optional. Filters user data for a specified time period. Only the filtered data are exported.
      1-Day   Filters and exports the previous day's data
      1-Month Filters and exports the previous month's data
      1-Week  Filters and exports the previous week's data
      2-Hours Filters and exports the last 2 hours' data
      30-Mins Filters and exports the last 30 minutes' data
      5-Hours Filters and exports the last 5 hours' data
      all     Exports the entire database

service guest-registration import format json <SOURCE-URL>
  guest-registration import
      Imports user data from a specified location
  format json
      Specifies the file format
      json Imports user data files in the JSON format
  <SOURCE-URL>
      Configures the source URL. The files are imported from the specified location. Both IPv4 and IPv6 address formats are supported.
      IPv4 URLs:
        tftp://<hostname|IP>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      IPv6 URLs:
        tftp://<hostname|[IPv6]>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file

service load-balancing clear-client-capability [<MAC>|all] {on <DEVICE-NAME>}
  load-balancing clear-client-capability
      Enables wireless load balancing by clearing client capability records
  [<MAC>|all]
      Clears a specified client's or all clients' capability records
      <MAC> Clears capability records of a specified client. Specify the client's MAC address in the AA-BB-CC-DD-EE-FF format.
      all   Clears the capability records of all clients
  on <DEVICE-NAME>
      Optional. Clears client capability records on a specified device
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service load-ssh-authorized-keys <PUBLIC-KEY> {on <DEVICE-NAME>}
  load-ssh-authorized-keys
      Loads an SSH public (client) key on a device
  <PUBLIC-KEY>
      Enter the public key. The public key should be in the OpenSSH rsa/dsa format.
  on <DEVICE-NAME>
      Optional. Loads the specified public key on a specified device
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service locator {<1-60>} {(on <DEVICE-NAME>)}
  locator
      Enables LEDs
  <1-60>
      Sets the LED flashing time from 1 - 60 seconds. The following keyword is recursive and common to the <1-60> parameter:
  on <DEVICE-NAME>
      Optional. Enables LEDs on a specified device
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service nsight clear-offline [all|offline-for days <0-999> {time <TIME>}]
  nsight clear-offline
      Clears NSight data received from offline controllers, based on the parameters passed. Select one of the following options:
  all
      Clears NSight data received from all offline controllers
  offline-for days <0-999> {time <TIME>}
      Clears NSight data received from controllers that have been offline for a specified time period
      days <0-999> Specifies the number of days controllers have been offline
        <0-999> Specify the number of days from 0 - 999 days. Select 0 to identify controllers offline less than 24 hours.
      time <TIME> Optional. Specifies the total time for which controllers have been offline
        <TIME> Specify the time in HH:MM:SS format.
      Note: This command is applicable only to the NX95XX, NX9600, and VX9000 platforms.

service radio <1-3> adaptivity
  radio <1-3>
      Configures radio parameters
      <1-3> Specify the radio index from 1 - 3.
  adaptivity
      Simulates the presence of interference on the current channel

service radio <1-3> channel-switch <36-196> [160|20|40|80|80-80]
  radio <1-3>
      Configures radio parameters
      <1-3> Specify the radio index from 1 - 3.
  channel-switch <36-196>
      Enables channel switching
      <36-196> Specifies the channel to switch to, from 36 - 196.
  [160|20|40|80|80-80]
      Specifies the bandwidth for the above specified channel. Select the appropriate option.

service radio <1-3> dfs simulate-radar [extension|primary]
  radio <1-3>
      Configures radio parameters
      <1-3> Specify the radio index from 1 - 3.
  dfs
      Enables Dynamic Frequency Selection (DFS)
  simulate-radar [extension|primary]
      Simulates the presence of a radar on a channel. Select the channel type from the following options:
      extension Simulates a radar on the radio's current extension channel
      primary   Simulates a radar on the radio's current primary channel

service radius test [<IP>|<HOSTNAME>] <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}
  radius test
      Tests a RADIUS server's account. This command sends an access-request packet to the RADIUS server. Use this command to confirm time and data/bandwidth parameters for valid wireless clients.
      test Tests the RADIUS server's account with user provided parameters
  [<IP>|<HOSTNAME>]
      Sets the RADIUS server's IP address or hostname
      <IP>       Specifies the RADIUS server's IP address
      <HOSTNAME> Specifies the RADIUS server's hostname
  <WORD>
      Specify the RADIUS server's shared secret.
  <USERNAME>
      Specify the username for authentication.
  <PASSWORD>
      Specify the password.
  wlan <WLAN-NAME>
      Optional. Tests the RADIUS server on the local WLAN. Specify the local WLAN name.
  ssid <SSID>
      Specify the local RADIUS server's SSID.
  on <DEVICE-NAME>
      Optional. This is a recursive parameter also applicable to the WLAN parameter. Performs tests on a specified device
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service radius test [<IP>|<HOSTNAME>] port <1024-65535> <WORD> <USERNAME> <PASSWORD> {wlan <WLAN-NAME> ssid <SSID>} {(on <DEVICE-NAME>)}
  radius test
      Tests a RADIUS server's account. This command sends an access-request packet to the RADIUS server. Use this command to confirm time and data/bandwidth parameters for valid wireless clients.
      test Tests the RADIUS server's account with user provided parameters
  [<IP>|<HOSTNAME>]
      Sets the IP address or hostname of the RADIUS server
      <IP>       Specify the RADIUS server's IP address.
      <HOSTNAME> Specify the RADIUS server's hostname.
  port <1024-65535>
      Specify the RADIUS server port from 1024 - 65535. The default port is 1812.
  <WORD>
      Specify the RADIUS server's shared secret.
  <USERNAME>
      Specify the username for authentication.
  <PASSWORD>
      Specify the password.
  wlan <WLAN-NAME>
      Optional. Tests the RADIUS server on the local WLAN. Specify the local WLAN name.
  ssid <SSID>
      Specify the RADIUS server's SSID.
  on <DEVICE-NAME>
      Optional. This is a recursive parameter also applicable to the WLAN parameter. Performs tests on a specified device
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service set validation-mode [full|partial] {on <DEVICE-NAME>}
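The access-request exchange that service radius test performs, modelled in Python per RFC 2865 as an added example (not code from this guide or from WiNG): the shared secret (<WORD>) both hides the User-Password attribute and authenticates the server's reply, so a wrong secret produces an unverifiable response rather than a clean rejection. The sample secret, username, password and NAS identifier are constructed.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and the attribute types used here (RFC 2865).
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def _attr(attr_type, value):
    # Attribute = Type (1 byte) | Length (1 byte, counts the 2-byte header) | Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, then XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    blocks = max(1, -(-len(password) // 16))          # ceiling, at least one block
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; only a peer holding the same shared secret can do this."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_id, authenticator=None):
    """Return (packet, request_authenticator). The authenticator must be fresh and
    unpredictable per request: it is the IV for the password and the nonce for the reply."""
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(packet):
    """Split a RADIUS packet into (code, identifier, authenticator, {attr_type: value})."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS length field does not match packet")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, ident, packet[4:20], attrs


def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    """Client side: accept the reply only if it was computed with our secret for our request."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def demo(secret=b"example-shared-secret"):
    """Whole exchange with constructed values: build the request, let a 'server' decode
    it and answer, then check the answer with the right secret and with a wrong one."""
    req, req_auth = build_access_request(7, secret, b"guest01", b"s3cret!", b"ap-constructed")
    code, ident, auth, attrs = parse_packet(req)
    password_seen_by_server = reveal_password(attrs[ATTR_USER_PASSWORD], secret, auth)
    accept = build_response(ACCESS_ACCEPT, ident, auth, secret)
    return (code, password_seen_by_server,
            verify_response(accept, req_auth, secret),
            verify_response(accept, req_auth, b"wrong-secret"))
```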
  set validation-mode
      Sets the validation mode for running configuration validation
  [full|partial]
      Sets the validation mode
      full    Performs a full configuration validation
      partial Performs a partial configuration validation
  on <DEVICE-NAME>
      Optional. Performs full or partial configuration validation on a specified device
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show block-adopter-config-update
  show block-adopter-config-update
      Displays running system statistics based on the parameters passed. Displays NOC configuration blocking status.

service show captive-portal log-internal
  show captive-portal log-internal
      Displays running system statistics based on the parameters passed. Displays captive portal information. Displays recent captive portal debug logs (information and above severity level).

service show captive-portal [servers|user-cache] {on <DEVICE-NAME>}
  show captive-portal
      Displays running system statistics based on the parameters passed. Displays captive portal information.
  servers
      Displays server information for active captive portals
  user-cache
      Displays cached user details for a captive portal
  on <DEVICE-NAME>
      Optional. Displays server information or cached user details on a specified device
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show [cli|client-identity-defaults|configuration-revision|mac-user-import-status|mac-vendor <OUI/MAC>|noc diag|snmp session|xpath-history]
  show
      Displays running system statistics based on the parameters passed
  cli
      Displays the CLI tree of the current mode
  client-identity-defaults
      Displays default client-identities and their configuration
  configuration-revision
      Displays the current configuration revision number
  mac-user-import-status
      Displays the status of a file import initiated by a MAC-user
  mac-vendor <OUI/MAC>
      Displays the vendor name for a specified MAC address or the Organizationally Unique Identifier (OUI) part of the MAC address
      <OUI/MAC> Specify the MAC address or its OUI. The first six digits of the MAC address are the OUI. Use the AABBCC or AA-BB-CC format to provide the OUI.
  noc diag
      Displays NOC diagnostic details
  snmp session
      Displays SNMP session details
  xpath-history
      Displays XPath history

service show [command-history|crash-info|info|mem|process|reboot-history|startup-log|ssh-authorized-keys|sysinfo|top|upgrade-history|watchdog] {on <DEVICE-NAME>}
  show
      Displays running system statistics based on the parameters passed
  command-history
      Displays command history (lists all commands executed)
  crash-info
      Displays information about core, panic, and AP dump files
  info
      Displays a snapshot of available support information
  mem
      Displays a system's current memory usage (displays the total memory and available memory)
  process
      Displays active system process information (displays all processes currently running on the system)
  reboot-history
      Displays the device's reboot history
  startup-log
      Displays the device's startup log
  ssh-authorized-keys
      Displays all devices (device hostnames) that have SSH authorized keys loaded
  sysinfo
      Displays the system's memory usage information
  top
      Displays system resource information
  upgrade-history
      Displays the device's upgrade history (displays details, such as date, time, and status of the upgrade, old version, new version, etc.)
  watchdog
      Displays the device's watchdog status
  The following keywords are common to all of the above:
  on <DEVICE-NAME>
      Optional. Displays information for a specified device. If no device is specified, the system displays information for the logged device(s).
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show ip-access-list wlan <WLAN-NAME> status {detail} {on <DEVICE-OR-DOMAIN-NAME>}
  show ip-access-list
      Displays the status of IP Access Control List (ACL) to WLAN mappings on a specified device or all devices within a specified RF Domain. This command also displays whether IP ACLs are properly applied in the dataplane.
  wlan <WLAN-NAME>
      Specifies the WLAN for which the IP ACL to WLAN mapping status is required
      <WLAN-NAME> Specify the WLAN name.
  status
      Displays only failed IP ACL to WLAN mapping details
  detail
      Optional. Displays all (failed as well as successful) IP ACL to WLAN mapping status
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Specifies the device name or the RF Domain name.
      <DEVICE-OR-DOMAIN-NAME> Specify the device name or the RF Domain. When specified, the system displays IP ACL to WLAN mapping status on the specified device or all devices within the specified RF Domain.

service show dhcp-lease {<INTERFACE-NAME>|on|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
  show dhcp-lease
      Displays running system statistics based on the parameters passed. Displays DHCP lease information received from the server.
  <INTERFACE-NAME>
      Optional. Displays DHCP lease information for a specified router interface
      <INTERFACE-NAME> Specify the router interface name.
  on
      Optional. Displays DHCP lease information for a specified device
  pppoe1
      Optional. Displays DHCP lease information for a PPP over Ethernet interface
  vlan <1-4094>
      Optional. Displays DHCP lease information for a VLAN interface
      <1-4094> Specify a VLAN index from 1 - 4094.
  wwan1
      Optional. Displays DHCP lease information for a Wireless WAN interface
  The following keywords are common to all of the above:
  on <DEVICE-NAME>
      Optional. Displays DHCP lease information for a specified device. If no device is specified, the system displays information for the logged device.
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show diag [fds|pkts]
  show diag
      Displays diagnostic statistics, such as LED status, fan speed, sensor temperature, open file descriptors, looped packets, etc.
  fds
      Displays the number of file descriptors (fds) opened by key processes, such as the CFGD. When executed, the command displays only the file name and FD.
  pkts
      Displays details of looped packets captured by the dataplane and pushed to a separate queue. These queued packets are written to a log file (named loop_pkt_info.log) available in the /var2/log/ directory. Use the service > start-shell command and enter the path cat /var2/log/ to view whether the loop_pkt_info.log file exists. However, looped packet logging has to be enabled in the profile/device context. For more information, see diag. The dataplane can log up to 16 looped packets at a time. Once the queue is full, no new loop packet is logged until the existing queue is cleared. To clear the logged looped packet queue, execute the service > clear > diag > pkts command. Following are the loop codes and the corresponding loop reasons:
      (5) - "pkt looping in dataplane"
      (51) - "loop in packet path"
      (367) - "wispe encapsulation loop"
      (432) - "mcx loop prevention"
      (532) - "Port loop detected"
      (536) - "packet loop detected by wireless bridge"
      (41) - "IPv4 TTL exceeded"
      (493) - "IPv6 TTL exceeded"
      (540) - "mint TTL exceeded"
service show diag [led-status|psu|stats] {(on <DEVICE-NAME>)}
  show diag
      Displays running system statistics based on the parameters passed. Displays diagnostic statistics, such as LED status, fan speed, and sensor temperature.
  led-status
      Displays LED state variables and the current state
  psu
      Displays power supply information
  stats
      Displays fan speed and sensor temperature statistics
  on <DEVICE-NAME>
      Optional. Displays diagnostic statistics for a specified device. If no device is specified, the system displays information for the logged device.
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show guest-registration [export-status|import-status|restore-status]
  show guest-registration
      Displays running system statistics based on the parameters passed. Displays the status of the guest-registration database snapshot related processes (export, import, and restore).
      Note: To export, import, or restore a guest-registration database, use the service > guest-registration > [backup|export|import] command.
  export-status
      Displays the status of the latest export process initiated
  import-status
      Displays the status of the latest import process initiated
  restore-status
      Displays the status of the latest restore process initiated

service show fast-switching {on <DEVICE-NAME>}
  show fast-switching
      Displays running system statistics based on the parameters passed. Displays the fast switching state (enabled or disabled).
  on <DEVICE-NAME>
      Optional. Displays the fast switching state for a specified device. If no device is specified, the system displays information for the logged device.
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show [fib|fib6] {table-id <0-255>}
  show
      Displays running system statistics based on the parameters passed
  fib
      Displays entries in the Forwarding Information Base (FIB)
  fib6
      Displays FIB IPv6 static routing entries. The WiNG software allows the IPv6 FIB to maintain only IPv6 static and interface routes. The FIB is a collection of routing entries. A route entry consists of an IPv6 network (which can also be a host) address, the prefix length for the network (for IPv6 routes this is between 0 - 128), and the next hop's (gateway's) IPv6 address. Since a destination can be reached through multiple next hops, you can configure multiple routes to the same destination with multiple next hops.
  table-id <0-255>
      Optional. Displays FIB information maintained by the system based on the table ID
      <0-255> Specify the table ID from 0 - 255.

service show mint [adopted-devices {on <DEVICE-NAME>}|ports]
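The route-entry structure described for fib6 above (network or host address, prefix length 0 - 128, one or more next hops), as an added Python example that is not WiNG code: a small IPv6 FIB with longest-prefix-match lookup that also covers the host-route and interface-route cases the text mentions. The prefixes and gateway addresses in the test are constructed.

```python
import ipaddress
from collections import defaultdict
from typing import Optional


class Fib6:
    """One IPv6 forwarding table: prefix -> set of next hops (None marks an interface route).
    Keeping one Fib6 per table-id is left to the caller."""

    def __init__(self):
        self._routes = defaultdict(set)

    def add_route(self, prefix: str, next_hop: Optional[str] = None) -> None:
        """Add a static route (gateway given) or an interface/connected route (no gateway).
        strict=True rejects host bits set under the mask; a prefix length outside 0-128
        or a malformed address raises ValueError, mirroring the 0-128 bound in the text."""
        net = ipaddress.IPv6Network(prefix, strict=True)
        gateway = ipaddress.IPv6Address(next_hop) if next_hop is not None else None
        self._routes[net].add(gateway)

    def lookup(self, dst: str):
        """Longest-prefix match: (matching prefix, sorted next hops), or None if no route covers dst.
        A /128 host route wins over any covering network route; ::/0 catches everything else."""
        addr = ipaddress.IPv6Address(dst)
        best = None
        for net in self._routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        if best is None:
            return None
        return str(best), self._hops(best)

    def _hops(self, net):
        # Several next hops for one destination are kept side by side, as the text describes.
        return sorted("connected" if gw is None else str(gw) for gw in self._routes[net])

    def entries(self):
        """Rows in the shape of a FIB listing: (network address, prefix length, next hops),
        most specific prefix first."""
        ordered = sorted(self._routes, key=lambda n: (-n.prefixlen, int(n.network_address)))
        return [(str(n.network_address), n.prefixlen, self._hops(n)) for n in ordered]
```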
  show mint
      Displays running system statistics based on the parameters passed. Displays MiNT protocol details.
  adopted-devices
      Displays adopted devices status in dpd2
  on <DEVICE-NAME>
      Optional. Displays MiNT protocol details for a specified device. If no device is specified, the system displays information for the logged device.
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
  ports
      Displays MiNT ports used by various services and features

service show pm {history} {(on <DEVICE-NAME>)}
  show pm
      Displays running system statistics based on the parameters passed. Displays the Process Monitor (PM) controlled process details.
  history
      Optional. Displays process change history (the time at which the change was implemented, and the events that triggered the change)
  on <DEVICE-NAME>
      Optional. Displays process change history for a specified device. If no device is specified, the system displays information for the logged device.
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show rf-domain-manager [diag|info] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  show rf-domain-manager
      Displays running system statistics based on the parameters passed. Displays RF Domain manager information.
  diag
      Displays RF Domain manager related diagnostics statistics
  info
      Displays RF Domain manager related information
  <MAC/HOSTNAME>
      The following keyword is common to the diag and info parameters:
      Optional. Specify the MAC address or hostname of the RF Domain manager.
  on <DEVICE-OR-DOMAIN-NAME>
      The following keyword is common to the diag and info parameters:
      Optional. Displays diagnostics statistics on a specified device or domain
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

service show sites
  show sites
      Displays running system statistics based on the parameters passed. Displays NOC sites related information.

service show virtual-machine-history {on <DEVICE-NAME>}
  show virtual-machine-history
      Displays virtual machine history based on the parameters passed. This command is applicable only to the NX9500 and NX9510 series service platforms. It is also available in the Privilege Executable Mode of these devices.
  on <DEVICE-NAME>
      Optional. Displays virtual machine history on a specified device. If no device is specified, the system displays information for the logged device.
      <DEVICE-NAME> Specify the name of the service platform.

service show wireless [aaa-stats|adaptivity-status|credential-cache|dns-cache|radar-status|vlan-usage] {on <DEVICE-NAME>}
  show wireless
      Displays running system statistics based on the parameters passed. Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN assignment, etc.).
  aaa-stats
      Displays AAA policy statistics
  adaptivity-status
      Displays the current list of channels (with interference levels exceeding the configured threshold, resulting in adaptivity kicking in) and the time when adaptivity kicked in on a device
  credential-cache
      Displays clients' cached credentials statistics (VLAN, keys, etc.)
  dns-cache
      Displays the cache of resolved names of servers related to wireless networking
  radar-status
      Displays radar discovery status. This option displays the following information:
      Whether a radar has been discovered by the AP
      The time of discovery
  vlan-usage
      Displays VLAN statistics across WLANs
  The following keywords are common to all of the above:
  on <DEVICE-NAME>
      Optional. Displays running system statistics on a specified device. If no device is specified, the system displays information for the logged device.
      <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show wireless [config-internal|log-internal|neighbors]
  show wireless
      Displays running system statistics based on the parameters passed. Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.).
  config-internal
      Displays internal configuration parameters
  log-internal
      Displays recent internal wireless debug logs (info and above severity)
  neighbors
      Displays neighboring device statistics for roaming and flow migration

service show wireless [client|meshpoint neighbor] proc [info|stats] {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  show wireless
      Displays running system statistics based on the parameters passed. Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.).
  client
      Displays WLAN client statistics
  meshpoint neighbor
      Displays meshpoint related proc entries
  proc
      The following keyword is common to the client and meshpoint neighbor parameters:
      Displays dataplane proc entries based on the parameter selected
      Note: These proc entries provide statistics on each wireless client on the WLAN.
      Note: For the meshpoint parameter, it displays proc entries about neighbors.
  info
      This parameter is common to the client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain
  stats
      This parameter is common to the client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain
  <MAC>
      This parameter is common to the client and meshpoint neighbor parameters. Displays information for a specified device (wireless client or neighbor) or RF Domain
  on <DEVICE-OR-DOMAIN-NAME>
      Displays information for a specified device (wireless client or neighbor) or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

service show wireless radio-internal [radio1|radio2] <LINE>
  show wireless radio-internal
      Displays running system statistics based on the parameters passed. Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.). Displays radio internal debug logs. Select the radio from the following options:
  [radio1|radio2]
      radio1 Selects radio 1
      radio2 Selects radio 2
  <LINE>
      Specify the radio internal debug command to enable.

service show wireless reference [channels|frame|handshake|mcs-rates|reason-codes|status-codes]
  show wireless reference
      Displays running system statistics based on the parameters passed. Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.). Displays look-up reference information related to standards, protocols, etc.
  channels
      Displays 802.11 channel information
  frame
      Displays the 802.11 frame structure
  handshake
      Displays a flow diagram of 802.11 handshakes
  mcs-rates
      Displays MCS rate information
  reason-codes
      Displays 802.11 reason codes (for deauthentication, disassociation, etc.)
  status-codes
      Displays 802.11 status codes (for association response)

service show wireless stats-client diag {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless stats-client
<MAC/HOSTNAME>
on <DEVICE-OR-
DOMAIN-NAME>
Displays running system statistics based on the parameters passed Displays WLAN statistics (WLAN AAA policy, configuration parameters, VLAN usage, etc.) Displays managed AP statistics Optional. Specify the MAC address or hostname of the AP. Optional. Displays statistics on a specified AP, or all APs on a specified domain.
<DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain. service smart-rf clear-config {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 32 COMMON COMMANDS
  smart-rf
      Enables Smart RF management
  clear-config
      Clears the WLAN Smart RF configuration on a specified device or on all devices
  <MAC>
      Optional. Clears the WLAN Smart RF configuration on a device identified by its MAC address. Specify the device's MAC address in the AA-BB-CC-DD-EE-FF format.
  <DEVICE-NAME>
      Optional. Clears the WLAN Smart RF configuration on a device identified by its hostname. Specify the device's hostname.
  on <DOMAIN-NAME>
      Optional. Clears the WLAN Smart RF configuration on all devices in a specified RF Domain
  <DOMAIN-NAME>
      Specify the RF Domain name.

service smart-rf [clear-history|clear-interfering-aps|save-config] {on <DOMAIN-NAME>}
  smart-rf
      Enables Smart RF management
  clear-history
      Clears the WLAN Smart RF history on all devices
  clear-interfering-aps
      Clears the Smart RF list of interfering APs
  save-config
      Saves the Smart RF configuration on all devices, and also saves the history on the RF Domain Manager
  on <DOMAIN-NAME>
      Optional. Performs the selected action on all devices in a specified RF Domain
  <DOMAIN-NAME>
      Specify the RF Domain name.

service snmp sysoid wing5
  snmp sysoid wing5
      Configures a new sysObjectID (sysoid) in the MIB for devices running WiNG 5.X. When configured, the device's SNMP agent returns the WiNG 5.X sysoid. Hardware running the WiNG 4.X and WiNG 5.X images has different sysoids; for example, the sysoid of an RFS4000 running the WiNG 4.X image differs from that of an RFS4000 running the WiNG 5.X image. This command applies only to the RFS4000 and RFS6000 platforms, since these are the platforms that run both WiNG 4.X and WiNG 5.X images. The WiNG 4.X sysoids are:
        RFS4000  1.3.6.1.4.1.388.18
        RFS6000  1.3.6.1.4.1.388.16
      The WiNG 5.X sysoids are:
        RFS4000  1.3.6.1.4.1.388.50.1.1.35
        RFS6000  1.3.6.1.4.1.388.50.1.1.36

service ssm dump-core-snapshot
  ssm dump-core-snapshot
      Triggers a debug core dump of the SSM module

service syslog test {level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]} {(on <DEVICE-NAME>)}
  syslog test
      Sends a test message to the syslog server to confirm server availability
  level
      Optional. Sets the logging level of the test message. If the syslog server is unreachable, an event is logged at the logging level defined. If no severity level is specified, the system uses the default setting.
  <0-7>
      Optional. Specify the logging severity level from 0 - 7. The levels and their meanings are as follows:
        emergencies    System is unusable (severity=0)
        alerts         Immediate action needed (severity=1)
        critical       Critical conditions (severity=2)
        errors         Error conditions (severity=3)
        warnings       Warning conditions (severity=4). This is the default setting.
        notifications  Normal but significant conditions (severity=5)
        informational  Informational messages (severity=6)
        debugging      Debugging messages (severity=7)
  on <DEVICE-NAME>
      Optional. Executes the command on a specified device
  <DEVICE-NAME>
      Specify the name of the AP, wireless controller, or service platform.

service ssm trace pattern <WORD> {on <DEVICE-NAME>}
  ssm trace
      Displays the SSM module trace based on the parameters passed
  pattern <WORD>
      Configures the pattern to match
  <WORD>
      Specify the pattern to match.
  on <DEVICE-NAME>
      Optional. Displays the SSM module trace on a specified device
  <DEVICE-NAME>
      Specify the name of the AP, wireless controller, or service platform.

service wireless client beacon-request <MAC> mode [active|passive|table] ssid [<SSID>|any] channel-report [<CHANNEL-LIST>|none] {on <DEVICE-NAME>}
  wireless client beacon-request <MAC>
      Sends beacon measurement requests (802.11k radio measurement) to a wireless client. Specify the wireless client's MAC address.
  mode [active|passive|table]
      Specifies the beacon measurement mode. The following modes are available:
        active   Requests beacon measurements in the active mode
        passive  Requests beacon measurements in the passive mode
        table    Requests beacon measurements in the table mode
  ssid [<SSID>|any]
      Specifies whether the measurements are to be made for a specified SSID or for any SSID
        <SSID>  Requests beacon measurements for a specified SSID
        any     Requests beacon measurements for any SSID
  channel-report [<CHANNEL-LIST>|none]
      Configures the channel report in the request. The request can include a list of channels or can apply to all channels.
        <CHANNEL-LIST>  The request includes a list of channels. The client sends beacon measurements only for the channels included in the request.
        none            The request applies to all channels
  on <DEVICE-NAME>
      Optional. Sends the requests from a specified device
  <DEVICE-NAME>
      Specify the name of the AP, wireless controller, or service platform.

service wireless client quiet-element [start|stop]
  wireless client quiet-element
      Controls the quiet-element information in beacons sent to wireless clients
  start
      Enables the quiet-element information in beacons sent to wireless clients. This is the interval for which all wireless clients are to remain quiet.
  stop
      Disables the quiet-element information in beacons sent to wireless clients. Once disabled, this information is no longer included in beacons.

service wireless client trigger-bss-transition mac <MAC> {timeout <0-65535>} {url <URL>} {on <DEVICE-OR-DOMAIN-NAME>}
  wireless client trigger-bss-transition mac <MAC>
      Sends an 802.11v Wireless Network Management (WNM) BSS Transition Management Request to a client. Specify the wireless client's MAC address. The request tells the client that it is about to be disassociated from its current BSS, so target only clients you intend to move.
  timeout <0-65535>
      Optional. Specifies the time remaining for this client before the BSS transition is initiated; on completion of the specified period, the BSS transition is triggered.
  <0-65535>
      Specify a time from 0 - 65535 seconds.
  url <URL>
      Optional. Specifies the session termination URL
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Sends the request from a specified device
  <DEVICE-OR-DOMAIN-NAME>
      Specify the name of the AP, wireless controller, service platform, or RF Domain.

service wireless client trigger-wnm mac <MAC> type [deauth-imminent|subscription-remediation] {uri <WORD>}
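What the trigger-bss-transition entry above puts on the air is a WNM action frame; the following is an added example (not code from the guide or from WiNG) that builds and decodes that frame body according to the field layout of IEEE 802.11-2012, clause 8.5.14.9. The guide does not say how the CLI's timeout in seconds is mapped onto the frame's 16-bit Disassociation Timer, so the example takes the raw field value; the dialog token, validity interval and session URL are constructed for the example. The WNM notification frames sent by trigger-wnm (deauth-imminent, subscription-remediation) are a different WNM action and are not modelled here. Two security points the decoder makes visible: a request carrying the Disassociation Imminent or ESS Disassociation Imminent flag is an eviction, and unless the client enforces 802.11w management frame protection any station that spoofs the AP's address can send one, so an unsolicited request of this shape is worth alerting on in a wireless IDS.

```python
"""802.11v BSS Transition Management Request body: build, parse, classify.

Added example; not from the CLI guide or from WiNG. Field layout per
IEEE 802.11-2012 8.5.14.9. Sample values (dialog token, timer, URL) are
constructed; the timer is used as the raw 16-bit field value.
"""
import struct

CATEGORY_WNM = 10                      # Action frame category: WNM
ACTION_BSS_TRANSITION_REQUEST = 7      # WNM action: BSS Transition Management Request

# Request Mode bit flags
MODE_PREFERRED_CANDIDATE_LIST = 0x01
MODE_ABRIDGED = 0x02
MODE_DISASSOC_IMMINENT = 0x04
MODE_BSS_TERMINATION_INCLUDED = 0x08
MODE_ESS_DISASSOC_IMMINENT = 0x10      # when set, a Session Information URL follows

SUBELEM_BSS_TERMINATION_DURATION = 4   # subelement ID; body is TSF (8) + minutes (2)


def build_request(dialog_token, disassoc_timer, validity_interval, *,
                  disassoc_imminent=False, session_url=None,
                  bss_termination=None, candidates=b""):
    """Return the action-frame body (category byte onwards) as bytes."""
    if not 0 <= disassoc_timer <= 0xFFFF:
        raise ValueError("disassoc_timer must fit in 16 bits")
    mode = 0
    if candidates:
        mode |= MODE_PREFERRED_CANDIDATE_LIST
    if disassoc_imminent:
        mode |= MODE_DISASSOC_IMMINENT
    if bss_termination is not None:
        mode |= MODE_BSS_TERMINATION_INCLUDED
    if session_url is not None:
        mode |= MODE_ESS_DISASSOC_IMMINENT
    # Fixed part: Category, Action, Dialog Token, Request Mode,
    # Disassociation Timer (LE16), Validity Interval.
    body = struct.pack("<BBBBHB", CATEGORY_WNM, ACTION_BSS_TRANSITION_REQUEST,
                       dialog_token, mode, disassoc_timer, validity_interval)
    if bss_termination is not None:
        tsf, minutes = bss_termination
        body += struct.pack("<BBQH", SUBELEM_BSS_TERMINATION_DURATION, 10, tsf, minutes)
    if session_url is not None:
        url = session_url.encode("utf-8")
        if len(url) > 255:
            raise ValueError("session URL longer than the 1-byte length field allows")
        body += struct.pack("<B", len(url)) + url
    return body + candidates        # optional Neighbor Report elements, passed through raw


def parse_request(body):
    """Decode a body produced by build_request (or sniffed off the air)."""
    if len(body) < 7:
        raise ValueError("truncated fixed part")
    category, action, dialog_token, mode, disassoc_timer, validity = \
        struct.unpack("<BBBBHB", body[:7])
    if category != CATEGORY_WNM or action != ACTION_BSS_TRANSITION_REQUEST:
        raise ValueError("not a BSS Transition Management Request")
    pos = 7
    bss_termination = None
    if mode & MODE_BSS_TERMINATION_INCLUDED:
        if len(body) < pos + 12:
            raise ValueError("truncated BSS Termination Duration subelement")
        sub_id, sub_len, tsf, minutes = struct.unpack("<BBQH", body[pos:pos + 12])
        if sub_id != SUBELEM_BSS_TERMINATION_DURATION or sub_len != 10:
            raise ValueError("malformed BSS Termination Duration subelement")
        bss_termination = (tsf, minutes)
        pos += 12
    session_url = None
    if mode & MODE_ESS_DISASSOC_IMMINENT:
        if pos >= len(body):
            raise ValueError("missing session URL length")
        n = body[pos]
        raw = body[pos + 1:pos + 1 + n]
        if len(raw) != n:
            raise ValueError("truncated session URL")
        session_url = raw.decode("utf-8", errors="replace")
        pos += 1 + n
    return {"dialog_token": dialog_token, "mode": mode,
            "disassoc_timer": disassoc_timer, "validity_interval": validity,
            "bss_termination": bss_termination, "session_url": session_url,
            "candidates": body[pos:]}


def is_eviction(parsed):
    """True if the request announces that the client will be disassociated."""
    return bool(parsed["mode"] & (MODE_DISASSOC_IMMINENT | MODE_ESS_DISASSOC_IMMINENT))


if __name__ == "__main__":
    frame = build_request(7, 100, 200, disassoc_imminent=True,
                          session_url="https://portal.example/logout")   # constructed
    print(frame.hex())
    print(parse_request(frame), is_eviction(parse_request(frame)))
```

parse_request is deliberately strict (it rejects a truncated subelement or URL rather than guessing), because a WIDS that decodes management frames from untrusted stations must not be crashed or misled by malformed input.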
  wireless client trigger-wnm mac <MAC>
      Sends a WNM notification (action frame) to a wireless client. Specify the wireless client's MAC address.
  type [deauth-imminent|subscription-remediation]
      Configures the WNM notification type
        deauth-imminent           Sends a de-authentication imminent frame
        subscription-remediation  Sends a subscription remediation needed frame
  uri <WORD>
      Optional. Specifies the uniform resource identifier (URI) carried in the notification

service wireless dump-core-snapshot
  wireless dump-core-snapshot
      Triggers a debug core dump of the wireless module

service wireless meshpoint zl <MESHPOINT-NAME> [on <DEVICE-NAME>] {<ARGS>|timeout <1-65535>}
  wireless meshpoint zl <MESHPOINT-NAME>
      Triggers a zonal-level debug of a specified meshpoint's modules. Specify the meshpoint name.
  on <DEVICE-NAME>
      Triggers the zonal-level debug of the specified meshpoint's modules on a specified device
  <DEVICE-NAME>
      Specify the name of the device (AP, wireless controller, or service platform)
  <ARGS>
      Optional. Specifies the zonal arguments. These identify the meshpoint modules to debug by the zonal and sub-zonal arguments passed here. Also specify the debug level from 0 - 7. See the Examples section at the end of this topic for more information.
  timeout <1-65535>
      Optional. Specifies a timeout value from 1 - 65535 seconds. When specified, meshpoint logs are debugged for the time specified here.

service wireless qos delete-tspec <MAC> tid <0-7>
  wireless qos delete-tspec <MAC>
      Sends a delete TSPEC request to a wireless client. Specify the MAC address of the wireless client.
  tid <0-7>
      Deletes the TSPEC identified by the Traffic Identifier (TID)
  <0-7>
      Select the TID from 0 - 7.

service wireless trace pattern <WORD> {on <DEVICE-NAME>}
  wireless trace
      Displays the wireless module trace based on the parameters passed
  pattern <WORD>
      Configures the pattern to match
  <WORD>
      Specify the pattern to match.
  on <DEVICE-NAME>
      Optional. Displays the wireless module trace on a specified device
  <DEVICE-NAME>
      Specify the name of the AP, wireless controller, or service platform.

service wireless unsanctioned ap air-terminate <MAC> {on <DOMAIN-NAME>}
  wireless unsanctioned ap air-terminate
      Enables over-the-air termination of an unsanctioned access point
  <MAC>
      Configures the unsanctioned access point's BSSID (MAC address). Termination disrupts the clients of that BSSID, so confirm from the WIPS event history that the BSSID really is unsanctioned, and not a neighbouring network you are not authorised to interfere with, before running this.
  on <DOMAIN-NAME>
      Optional. Specifies the RF Domain of the access point
  <DOMAIN-NAME>
      Specify the name of the RF Domain.

service wireless wips clear-client-blacklist [all|mac <MAC>]
  wireless wips
      Enables management of WIPS parameters
  clear-client-blacklist [all|mac <MAC>]
      Removes a specified client or all clients from the blacklist
        all        Removes all clients from the blacklist
        mac <MAC>  Removes a specified client from the blacklist
  <MAC>
      Specify the wireless client's MAC address.

service wireless wips clear-event-history {on <DEVICE-OR-DOMAIN-NAME>}
  wireless wips clear-event-history
      Clears the WIPS event history. The event history is the record an investigation relies on; review or collect it before clearing.
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Clears the event history on a specified device or RF Domain
  <DEVICE-OR-DOMAIN-NAME>
      Specify the name of the AP, wireless controller, service platform, or RF Domain.

Syntax (Privilege Exec Mode)

NOTE: The service command of the Privilege Exec Mode is the same as the service command in the User Exec Mode, with a few additions that are documented in this section. For the syntax and parameters of the other commands, refer to the Syntax (User Exec Mode) and Parameters (User Exec Mode) sections of this chapter.

service
service [block-adopter-config-updates|clear|cli-tables-skin|cluster|copy|database|delete|delete-offline-aps|force-send-config|force-update-vm-stats|guest-registration|load-balancing|locator|mint|pktcap|pm|radio|radius|request-full-config-from-adopter|restore|set|show|signal|smart-rf|snmp|ssm|start-shell|syslog|trace|wireless]
service clear crash-info {on <DEVICE-NAME>}
service copy [stats-report|tech-support]
service copy stats-report [global|rf-domain <DOMAIN-NAME>] (<FILE>|<URL>)
service copy tech-support [<FILE>|<URL>]
service database [authentication|compact|drop|maintenance-mode|primary-stepdown|remove-all-files|replica-set|server|start-shell]
service database authentication [create-user|delete-user]
service database authentication create-user username <USER-NAME> password <PASSWORD>
service database authentication delete-user username <USER-NAME>
service database compact [all|captive-portal|nsight]
service database drop [captive-portal|nsight] collection <COLLECTION-NAME>
service database [maintenance-mode|primary-stepdown|remove-all-files|start-shell]
service database replica-set [add|delete]
service database replica-set add member [<IP>|<FQDN>] [arbiter|priority <0-255>]
service database replica-set delete member [<IP>|<FQDN>]
service database server [restart|start|stop]
service delete sessions <SESSION-COOKIES>
service mint [clear|debug-log|expire|flood]
service mint [clear [lsp-db|mlcp]|debug-log [flash-and-syslog|flash-only]|expire [lsp|spf]|flood [csnp|lsp]]
service pktcap on [bridge|deny|drop|ext-vlan|interface|radio|rim|router|vpn|wireless]
service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
service pktcap on interface [<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
service pktcap on radio [<1-1024>|all] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,promiscuous,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
service pm stop {on <DEVICE-NAME>}
service restore analytics-support [<FILE>|<URL>]
service show last-passwd
service signal [abort <PROCESS-NAME>|kill <PROCESS-NAME>]
service start-shell
service trace <PROCESS-NAME> {summary}
Parameters (Privilege Exec Mode)

service copy tech-support [<FILE>|<URL>]
  copy tech-support
      Copies extensive system information used for troubleshooting. The bundle is sensitive internal state: tftp and ftp transfer it, and for ftp also the credentials in the URL, in cleartext, so prefer sftp.
  <FILE>
      Specify the location to copy the file to, using the following format:
        usbX:/path/file
  <URL>
      Specify the URL to copy the file to. Both IPv4 and IPv6 address formats are supported.
        tftp://<hostname|IPv4/IPv6>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file

service copy stats-report [global|rf-domain <DOMAIN-NAME>] (<FILE>|<URL>)
  copy stats-report
      Copies extensive statistical data useful for troubleshooting
  [global|rf-domain <DOMAIN-NAME>]
      Identifies the RF Domain whose statistical data is copied
        global                   Copies extensive statistical data of all configured RF Domains
        rf-domain <DOMAIN-NAME>  Copies extensive statistical data of a specified RF Domain. Specify the domain name.
  <FILE>
      Specify the location to copy the file to, using the following format:
        usbX:/path/file
  <URL>
      Specify the URL to copy the file to. Both IPv4 and IPv6 address formats are supported.
        tftp://<hostname|IPv4/IPv6>[:port]/path/file
        ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
        sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file

service clear crash-info {on <DEVICE-NAME>}
  clear crash-info
      Clears all crash files. These crash files are the core, panic, and AP dump files; they are the primary evidence for a crash investigation, so collect them before clearing.
  on <DEVICE-NAME>
      Optional. Clears crash files on a specified device.
  <DEVICE-NAME>
      Specify the name of the AP, wireless controller, or service platform.

service database authentication create-user username <USER-NAME> password <PASSWORD>
  database
      Performs captive-portal/NSight database related actions. This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  authentication create-user username <USER-NAME> password <PASSWORD>
      Creates the username and password required to access the database. Execute this command on the database host. Before creating users, generate the database keyfile on the database; for more information on generating the keyfile, see database.
        username <USER-NAME>  Configures a database username
        password <PASSWORD>   Configures a password for the username created above. The password is typed on the command line in cleartext, so use a dedicated secret rather than an administrator password.
      In the database-policy context, enable authentication and configure this username and password. The database-client-policy must also have the same user credentials configured. For more information on database-policy and database-client-policy, see database-policy and database-client-policy.

service database authentication delete-user username <USER-NAME>
  database
      Performs database related actions. This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  authentication delete-user username <USER-NAME>
      Deletes an existing user having access rights to the database
        username <USER-NAME>  Identifies the user to delete by username
  <USER-NAME>
      Specify the user name. Once deleted, the database cannot be accessed using the specified combination of username and password.

service database compact [all|captive-portal|nsight]
  database
      Performs database related actions. Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  compact [all|captive-portal|nsight]
      Compacts collections within the database. Each database (captive-portal and NSight) contains one or more collections, where each collection is a set of records. Use this command to compact all collections within a database.
        all             Compacts collections within all databases (captive-portal and NSight) being maintained
        captive-portal  Compacts all collections within the captive portal database only
        nsight          Compacts all collections within the NSight database only

service database drop [captive-portal|nsight] collection <COLLECTION-NAME>
  database
      Performs database related actions. Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  drop [captive-portal|nsight]
      Drops the specified collection from the selected database. Select the database type and specify the collection.
        captive-portal  Drops a captive portal database collection
        nsight          Drops an NSight database collection
      The following keyword is common to both the captive-portal and NSight databases:
  collection <COLLECTION-NAME>
      Drops the collection identified by the <COLLECTION-NAME> parameter. Dropping a collection discards all of its records.
  <COLLECTION-NAME>
      Specify the collection name.

service database [maintenance-mode|primary-stepdown|remove-all-files|start-shell]
  database
      Performs database related actions. Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  maintenance-mode
      Places the database server in maintenance mode
  primary-stepdown
      Requests the primary member of the replica set to step down. For more information on replica sets and their creation, see database-policy.
  remove-all-files
      Removes all database-server related files (captive-portal and NSight). Use in a scenario where complete removal of all database related files is necessary, such as when downgrading to the 5.8.1 or 5.8.0 version. Extreme caution is recommended when using this command.
  start-shell
      Starts the database shell

service database replica-set add member [<IP>|<FQDN>] [arbiter|priority <0-255>]
  database
      Performs database related actions. Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  replica-set add member [<IP>|<FQDN>]
      Adds a member to the database replica set. A replica set is a group of devices running database instances that maintain the same data set. Replica sets provide redundancy and high availability, and are the basis for all production deployments. A replica set can contain a maximum of fifty (50) members, with each member (with the exception of the arbiter) hosting an instance of the database. For more information on creating replica sets, see database-policy.
        <IP>    Identifies the member by its IP address. Specify the member's IP address.
        <FQDN>  Identifies the member by its Fully Qualified Domain Name (FQDN). Specify the member's FQDN.
      Note: Ensure that the identified members have the database instance running prior to being added to the replica set.
  [arbiter|priority <0-255>]
      After identifying the new member, optionally specify whether the member is the arbiter. If it is not the arbiter, specify the member's priority value.
        arbiter           Identifies the new member as the arbiter. The arbiter does not maintain a data set; it is added to the replica set to facilitate the election of the fall-back primary member, providing the one extra vote required in the election of the primary member.
        priority <0-255>  Identifies the new member as not being the arbiter and configures its priority value.
  <0-255>
      Specify the priority value from 0 - 255. Not applicable to the arbiter. The priority value determines the member's position within the replica set as primary or secondary. It also helps in electing the fall-back primary member in the event of the current primary member becoming unreachable. All identified members should have the database instances running prior to being added to the replica set.

service database replica-set delete member [<IP>|<FQDN>]
  database
      Performs database related actions. Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  replica-set delete member [<IP>|<FQDN>]
      Deletes a member from an existing database replica set. For each database a single three-member replica set can be created and maintained. For more information on creating replica sets, see database-policy.
        <IP>    Identifies the member by its IP address. Specify the member's IP address.
        <FQDN>  Identifies the member by its FQDN. Specify the member's FQDN.

service database server [restart|start|stop]
  database
      Performs database related actions. Note: This command is supported only on the NX95XX, NX9600, and VX9000 platforms.
  server [restart|start|stop]
      Performs the following actions on the database server:
        restart  Restarts the server
        start    Starts the server
        stop     Stops the server

service delete sessions <SESSION-COOKIES>
  delete sessions
      Deletes session cookies
  <SESSION-COOKIES>
      Provide a list of cookies to delete.

service mint [clear [lsp-db|mlcp]|debug-log [flash-and-syslog|flash-only]|expire [lsp|spf]|flood [csnp|lsp]]
  mint
      Enables MiNT protocol management (clears the LSP database, enables debug logging, etc.)
  clear [lsp-db|mlcp]
      Clears the LSP database or the MiNT Link Control Protocol (MLCP) links
        lsp-db  Clears the MiNT Label Switched Path (LSP) database
        mlcp    Clears MLCP links
  debug-log [flash-and-syslog|flash-only]
      Enables debug message logging
        flash-and-syslog  Logs debug messages to the flash and syslog files
        flash-only        Logs debug messages to the flash file only
  expire [lsp|spf]
      Forces expiration of LSPs and recalculation of Shortest Path First (SPF)
        lsp  Forces expiration of LSPs
        spf  Forces recalculation of SPF
  flood [csnp|lsp]
      Floods control packets
        csnp  Floods our Complete Sequence Number Packets (CSNPs)
        lsp   Floods our LSPs

service pm stop {on <DEVICE-NAME>}
  pm stop
      Stops the Process Monitor (PM) from monitoring all daemons
  on <DEVICE-NAME>
      Optional. Stops the PM on a specified device
  <DEVICE-NAME>
      Specify the name of the AP, wireless controller, or service platform.

service pktcap on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
  pktcap
      Captures data packets crossing a specified location
  on [bridge|deny|drop|ext-vlan|rim|router|vpn|wireless]
      Defines the packet capture location
        bridge    Captures packets transiting through the Ethernet bridge
        deny      Captures packets denied by an Access Control List (ACL)
        drop      Captures packets at the drop locations
        ext-vlan  Captures packets forwarded to or from an extended VLAN
        rim       Captures packets at the Radio Interface Module (RIM)
        router    Captures packets transiting through the IP router
        vpn       Captures packets forwarded to or from a VPN link
        wireless  Captures packets forwarded to or from a wireless device
  acl-name <ACL>
      Optional. Specify the ACL whose name is matched for the 'deny' location
  count <1-1000000>
      Optional. Limits the number of packets captured. Specify a value from 1 - 1000000.
  direction [any|inbound|outbound]
      Optional. Selects the packet direction with respect to the device. The direction can be set as any, inbound, or outbound.
  filter [<LINE>|arp|capwap|cdp|dot11|dropreason|dst|ether|failed|host|icmp|icmp6|igmp|ip|ipv6|l2|l3|l4|lldp|mint|net|not|port|priority|radio|rssi|src|stp|tcp|tcp6|udp|udp6|vlan|wlan]
      Optional. Filters packets based on the option selected (must be used as the last option). The filter options are:
        <LINE>      User-defined packet capture filter
        arp         Matches ARP packets
        capwap      Matches CAPWAP packets
        cdp         Matches CDP packets
        dot11       Matches 802.11 packets
        dropreason  Matches the packet drop reason
        dst         Matches the IP destination
        ether       Matches Ethernet packets
        failed      Matches failed 802.11 transmitted frames
        host        Matches a host address
        icmp        Matches ICMP packets
        icmp6       Matches ICMPv6 packets
        igmp        Matches IGMP packets
        ip          Matches IPv4 packets
        ipv6        Matches IPv6 packets
        l2          Matches the L2 header
        l3          Matches the L3 header
        l4          Matches the L4 header
        lldp        Matches LLDP packets
        mint        Matches MiNT packets
        net         Matches IP addresses in a subnet
        not         Filters out any packet that matches the criterion that follows (for example, 'not tcp' excludes all TCP packets)
        port        Matches a TCP or UDP port
        priority    Matches the packet priority
        radio       Matches a radio
        rssi        Matches the Received Signal Strength Indication (RSSI) of received radio signals
        src         Matches the IP source
        stp         Matches STP packets
        tcp         Matches TCP packets
        tcp6        Matches TCP over IPv6 packets
        udp         Matches UDP packets
        udp6        Matches UDP over IPv6 packets
        vlan        Matches a VLAN
        wlan        Matches a WLAN
  hex
      Optional. Provides a hexadecimal dump of the captured packets
  rate <1-100>
      Optional. Specifies the packet capture rate. Specify a value from 1 - 100 seconds.
  snap <1-2048>
      Optional. Limits the captured data length (snap length). Specify a value from 1 - 2048 bytes.
  tcpdump
      Optional. Decodes the capture in tcpdump format, for analysing network behaviour, performance, and infrastructure, and the applications that generate or receive traffic.
  verbose
      Optional. Displays the full packet body
  write [file|url|tzsp <IP/TZSP-HOSTNAME>]
      Writes the captured packets to a specified destination. Captures contain whatever cleartext the traffic carries, so treat the destination as sensitive.
        FILE  Specify the location of the capture file:
                flash:/path/file
                usbX:/path/file
                nvram:startup-config
        URL   Specify the URL to write the capture to. Both IPv4 and IPv6 address formats are supported.
                tftp://<hostname|IPv4/IPv6>[:port]/path/file
                ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
                sftp://<user>@<hostname|IPv4/IPv6>[:port]/path/file
        tzsp  Tazman Sniffer Protocol (TZSP) host. Specify the TZSP host's IP address or hostname. TZSP streams the frames over UDP with no encryption or authentication, so use it only across a network you control.

service pktcap on radio [<1-1024>|all] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,promiscuous,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
  pktcap on radio
      Captures data packets on a radio (802.11)
  <1-1024>
      Captures data packets on a specified radio. Specify the radio index from 1 - 1024.
  all
      Captures data packets on all radios
  acl-name <ACL>
      Optional. Specify the ACL whose name is matched for the 'deny' location
  count <1-1000000>
      Optional. Sets the number of packets to capture. Specify a value from 1 - 1000000.
  direction [any|inbound|outbound]
      Optional. Selects the packet direction with respect to the device. The direction can be set as any, inbound, or outbound.
  filter <LINE>
      Optional. Filters packets based on the option selected (must be used as the last option). Define a packet capture filter or select any one of the filter options listed for the bridge/deny/drop form of this command.
  hex
      Optional. Provides a hexadecimal dump of the captured packets
  promiscuous
      Optional. Captures in promiscuous mode
  rate <1-100>
      Optional. Specifies the packet capture rate. Specify a value from 1 - 100 seconds.
  snap <1-2048>
      Optional. Limits the captured data length (snap length). Specify a value from 1 - 2048 bytes.
  tcpdump
      Optional. Decodes the capture in tcpdump format
  verbose
      Optional. Provides verbose output
  write [file|url|tzsp <IP/TZSP-HOSTNAME>]
      Writes the captured packets to a specified destination:
        FILE  flash:/path/file, usbX:/path/file, or nvram:startup-config
        URL   Specify the URL to write the capture to. Both IPv4 and IPv6 address formats are supported.
                tftp://<hostname|IPv4/IPv6>[:port]/path/file
                ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
                sftp://<user>@<hostname|IPv4/IPv6>[:port]/path/file
        tzsp  The TZSP host. Specify the TZSP host's IP address or hostname.

service pktcap on interface [<INTERFACE>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>] {(acl-name <ACL>,count <1-1000000>,direction [any|inbound|outbound],filter <LINE>,hex,rate <1-100>,snap <1-2048>,tcpdump,verbose,write [file|url|tzsp <IP/TZSP-HOSTNAME>])}
  pktcap on interface
      Captures data packets at a specified interface
  [<INTERFACE>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>]
      Specify the capture location. The options are:
        <INTERFACE>         Specify the interface name.
        ge <1-4>            Selects a GigabitEthernet interface index from 1 - 4
        me1                 Selects the FastEthernet interface
        port-channel <1-2>  Selects a port-channel interface index from 1 - 2
        vlan <1-4094>       Selects a VLAN ID from 1 - 4094
  acl-name <ACL>
      Optional. Specify the ACL whose name is matched for the 'deny' location
  count <1-1000000>
      Optional. Sets the number of packets to capture. Specify a value from 1 - 1000000.
  direction [any|inbound|outbound]
      Optional. Selects the packet direction with respect to the device. The direction can be set as any, inbound, or outbound.
  filter <LINE>
      Optional. Filters packets based on the option selected (must be used as the last option). Define a packet capture filter or select any one of the filter options listed for the bridge/deny/drop form of this command.
  hex
      Optional. Provides a hexadecimal dump of the captured packets
  rate <1-100>
      Optional. Specifies the packet capture rate. Specify a value from 1 - 100 seconds.
  snap <1-2048>
      Optional. Limits the captured data length (snap length). Specify a value from 1 - 2048 bytes.
  tcpdump
      Optional. Decodes the capture in tcpdump format
  verbose
      Optional. Provides verbose output
  write [file|url|tzsp <IP/TZSP-HOSTNAME>]
      Writes the captured packets to a specified destination:
        FILE  flash:/path/file, usbX:/path/file, or nvram:startup-config
        URL   Specify the URL to write the capture to. Both IPv4 and IPv6 address formats are supported.
                tftp://<hostname|IPv4/IPv6>[:port]/path/file
                ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file
                sftp://<user>@<hostname|IPv4/IPv6>[:port]/path/file
        tzsp  The TZSP host. Specify the TZSP host's IP address or hostname.

service show last-passwd
  show last-passwd
      Displays the last password used to enter the shell. Treat the output as a secret: it is the credential for shell access.

service signal [abort <PROCESS-NAME>|kill <PROCESS-NAME>]
  signal
      Sends a signal to a process
  abort <PROCESS-NAME>
      Sends an abort signal to a process, forcing it to dump core
  <PROCESS-NAME>
      Specify the process name.
  kill <PROCESS-NAME>
      Sends a kill signal to a process, forcing it to terminate without a core
  <PROCESS-NAME>
      Specify the process name.

service start-shell
  start-shell
      Provides shell access. Actions taken in the shell are not mediated by the CLI's command set, so restrict this to supervised troubleshooting and record the session.

service trace <PROCESS-NAME> {summary}
  trace <PROCESS-NAME>
      Traces a process for system calls and signals. Specify the process name.
  summary
      Optional. Generates a summary report for the specified process

Syntax (Privilege Exec Mode: NX9500 and NX9510)

The following service commands are specific to the NX9500 and NX9510 series service platforms:

service
service copy analytics-support [<FILE>|<URL>]
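Before the NX9500-specific parameters, an added example for the `write tzsp` option of the three `service pktcap` entries in the Privilege Exec parameters above. It is not code from the guide or from WiNG: it decodes TZSP datagrams on the collector side, following the protocol's published layout (1-byte version, 1-byte type, 16-bit encapsulation, tagged fields ending with tag 0x01, then the raw frame), so you can see exactly what leaves the AP unencrypted. The UDP port, the tag names and the sample datagram (one ARP request with made-up addresses) are this example's assumptions; the guide only names the host. The strictness of the parser is the point for a collector that listens for unauthenticated UDP: a malformed datagram is rejected rather than partially decoded.

```python
"""Decode TZSP datagrams as emitted by `service pktcap ... write tzsp <host>`.

Added example; not part of the CLI guide or of WiNG. The TZSP layout follows
the protocol's published header format; the UDP port, the tag-name table and
the sample datagram (constructed addresses) are this example's assumptions.
"""
import socket
import struct

TZSP_PORT = 37008          # UDP port TZSP collectors conventionally listen on
TZSP_VERSION = 1

ENCAP_ETHERNET = 0x0001    # encapsulated frame is an Ethernet frame
ENCAP_IEEE80211 = 0x0012   # encapsulated frame is an 802.11 frame

TAG_PADDING = 0x00         # single byte, no length field
TAG_END = 0x01             # single byte, no length field; the frame follows
TAG_NAMES = {
    0x0A: "raw_rssi", 0x0B: "snr", 0x0C: "data_rate", 0x0D: "timestamp",
    0x0F: "contention_free", 0x10: "decrypted", 0x11: "fcs_error",
    0x12: "rx_channel", 0x28: "packet_count", 0x29: "rx_frame_length",
    0x3C: "wlan_radio_hdr_serial",
}


class TzspError(ValueError):
    """Raised for datagrams that do not follow the TZSP layout."""


def parse_tzsp(datagram):
    """Return {'type', 'encapsulation', 'tags', 'frame'} or raise TzspError."""
    if len(datagram) < 4:
        raise TzspError("shorter than the 4-byte TZSP header")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise TzspError(f"unsupported TZSP version {version}")
    tags, pos = {}, 4
    while True:                                  # tagged fields until TAG_END
        if pos >= len(datagram):
            raise TzspError("tag list not terminated by TAG_END")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise TzspError("tag without length byte")
        length = datagram[pos]
        pos += 1
        value = datagram[pos:pos + length]
        if len(value) != length:
            raise TzspError("truncated tag value")
        pos += length
        tags[TAG_NAMES.get(tag, f"tag_0x{tag:02x}")] = value
    return {"type": msg_type, "encapsulation": encap, "tags": tags,
            "frame": datagram[pos:]}


def is_well_formed(datagram):
    try:
        parse_tzsp(datagram)
        return True
    except TzspError:
        return False


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_summary(frame):
    """(dst, src, ethertype) of an Ethernet-encapsulated frame."""
    if len(frame) < 14:
        raise TzspError("Ethernet frame shorter than its 14-byte header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return _mac(dst), _mac(src), ethertype


def receive(count, bind_addr="0.0.0.0"):
    """Yield (sender_ip, decoded) for `count` datagrams on UDP 37008.
    Needs an AP pointed at this host; not exercised offline. Anyone who can
    reach this port can inject datagrams, so bind it to the management
    network and check the sender against the expected AP addresses."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, TZSP_PORT))
        for _ in range(count):
            data, (sender, _port) = sock.recvfrom(65535)
            yield sender, parse_tzsp(data)


# Constructed sample: one ARP request inside an Ethernet-encapsulated datagram.
SAMPLE_FRAME = (
    b"\xff\xff\xff\xff\xff\xff"            # dst: broadcast
    b"\x00\x11\x22\x33\x44\x55"            # src: made-up station
    b"\x08\x06"                            # EtherType ARP
    b"\x00\x01\x08\x00\x06\x04\x00\x01"    # ARP: Ethernet/IPv4, hlen 6, plen 4, request
    b"\x00\x11\x22\x33\x44\x55"            # sender MAC
    b"\xc0\xa8\x01\x0a"                    # sender IP 192.168.1.10
    b"\x00\x00\x00\x00\x00\x00"            # target MAC
    b"\xc0\xa8\x01\x01"                    # target IP 192.168.1.1
)
SAMPLE_DATAGRAM = (
    b"\x01"                                # version 1
    b"\x00"                                # type 0: received packet
    b"\x00\x01"                            # encapsulation: Ethernet
    b"\x0a\x01\xc4"                        # tag raw_rssi, length 1, value 0xC4
    b"\x00"                                # padding
    b"\x01"                                # end of tags
    + SAMPLE_FRAME
)

if __name__ == "__main__":
    decoded = parse_tzsp(SAMPLE_DATAGRAM)
    print(hex(decoded["encapsulation"]), decoded["tags"],
          ethernet_summary(decoded["frame"]))
```

For radio captures the encapsulation value is 0x0012 and the frame starts with the 802.11 MAC header rather than an Ethernet header; ethernet_summary applies only to the Ethernet case.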
Parameters (Privilege Exec Mode: NX9500 and NX9510) service copy analytics-support [<FILE>|<URL>]
copy analytics-
support
<FILE>
Enables copying of analytics information to a specified. Use one of the following options to specify the file:
This information is useful to troubleshoot issues by the Technical Support team. Specify the file name and location using one of the following formats:
usb1:/path/file usb2:/path/file Access Point, Wireless Controller and Service Platform CLI Reference Guide 5 - 46 COMMON COMMANDS
<URL>
Usage Guidelines Specify the location URL to copy file. Both IPv4 and IPv6 formats are supported. tftp://<hostname|IPv4/IPv6>[:port]/path/file ftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]/path/file sftp://<user>:<passwd>@<hostname|IPv4/IPv6>[:port]>/path/file The NX9500 and NX9510 model service platforms (NOC) provide granular and robust analytic reporting for a RFS4000 or RFS6000 device managed network. The data analyzed is collected at intervals specified by the administrator. To enable data analytics, procure and apply a separate hot spare analytics license at the NOC. The license restricts the number of access point streams processed at the NOC or forwarded to partner systems for further processing. The analytics feature can be turned on at select APs by enabling them in configuration. This way the customer can enable analytics on a select set of APs and not the entire system as long as the number of APs on which it is enabled is less than or equal to the total number of AP analytics licenses available at the NOC controller. In an NOC managed network, the analytics engine parses and processes Smart RF events as they are received. The analytics engine parses the new channel and power information from the Smart RF event, as opposed to retrieving the event from the devices themselves. Syntax (Global Config Mode) service service [set|show cli]
service set [command-history <10-300>|upgrade-history <10-100>|reboot-history <10-100>|virtual-machine-history <10-200>] {on <DEVICE-NAME>}
service show cli

Parameters (Global Config Mode)
service set [command-history <10-300>|upgrade-history <10-100>|reboot-history <10-100>|virtual-machine-history <10-200>] {on <DEVICE-NAME>}
set
    Sets the size of history files
command-history <10-300>
    Sets the size of the command history file
    <10-300> Specify a value from 10 - 300. The default is 200.
upgrade-history <10-100>
    Sets the size of the upgrade history file
    <10-100> Specify a value from 10 - 100. The default is 50.
reboot-history <10-100>
    Sets the size of the reboot history file
    <10-100> Specify a value from 10 - 100. The default is 50.
virtual-machine-history <10-200>
    Sets the size of the virtual-machine history file
    <10-200> Specify a value from 10 - 200. The default is 100.
    This command is applicable only to the NX9500 and NX9510 series service platforms. Use the no > service > set > virtual-machine-history > {on <DEVICE-NAME>} command to revert the history file size to 100.
on <DEVICE-NAME>
    Optional. Sets the size of history files on a specified device
    <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

service show cli
show cli
    Displays running system configuration details
    cli Displays the CLI tree of the current mode

Example
rfs6000-81742D>service show cli
Command mode:
+-do
+-help [help]
+-search
+-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-show
+-commands [show commands]
+-adoption
+-log
+-adoptee [show adoption log adoptee(|on DEVICE-NAME)]
+-on
+-DEVICE-NAME [show adoption log adoptee(|on DEVICE-NAME)]
+-adopter [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)]
+-mac
+-AA-BB-CC-DD-EE-FF [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)]
+-on
+-DEVICE-NAME [show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)]
--More--
rfs6000-81742D>
rfs6000-81742D#service signal abort testprocess
Sending an abort signal to testprocess
rfs6000-81742D#
nx9500-6C8809*#service show crash-info
--------------------------------------------------------------------------------
CRASH FILE SIZE LAST MODIFIED
--------------------------------------------------------------------------------
cfgd.log_NX9500_5.9.0.0-014D.error.1 8369 Tue Apr 12 03:54:54 2017
--------------------------------------------------------------------------------
nx9500-6C8809*#
rfs6000-81742D#service show command-history
Configured size of command history is 200
Date & Time              User    Location           Command
=====================================================================
Apr 12 09:31:41 2017     admin   192.168.13.10 22   rf-domain test
Apr 11 03:00:56 2017     admin   192.168.13.10 93   reload force
Apr 11 03:00:35 2017     admin   192.168.13.10 93   write memory
Apr 11 03:00:31 2017     admin   192.168.13.10 93   commit
Apr 11 03:00:24 2017     admin   192.168.13.10 93   no cluster name
Apr 10 21:29:50 2017     admin   192.168.13.10 93   commit
Apr 10 21:29:48 2017     admin   192.168.13.10 93   use rf-domain TechPubs
Apr 10 21:29:44 2017     admin   192.168.13.10 93   self
Apr 10 21:29:40 2017     admin   192.168.13.10 93   write memory
Apr 10 21:29:34 2017     admin   192.168.13.10 93   commit
Apr 10 21:29:27 2017     admin   192.168.13.10 93   use license WEBF
Apr 10 21:29:27 2017     admin   192.168.13.10 93   controller-managed
Apr 10 21:29:27 2017     admin   192.168.13.10 93   control-vlan 1
--More--
rfs6000-81742D#
rfs6000-81742D#service show diag stats
fan 1 (fan 1) current speed: 0 min_speed: 2000 hysteresis: 250
fan 2 (fan 2) current speed: 10320 min_speed: 2000 hysteresis: 250
fan 3 (fan 3) current speed: 10620 min_speed: 2000 hysteresis: 250
fan 4 (fan 4) current speed: 10740 min_speed: 2000 hysteresis: 250
Sensor 1 (upwind of CPU) Temperature 31.0 C
Sensor 2 (CPU die) Temperature 47.0 C
Sensor 3 (left side) Temperature 37.0 C
Sensor 4 (by FPGA) Temperature 31.0 C
Sensor 5 (front right) Temperature 30.0 C
Sensor 6 (front left) Temperature 31.0 C
rfs6000-81742D#
rfs6000-81742D#service show info
7.7M out of 8.0M available for logs.
32.9M out of 34.0M available for history.
20.4M out of 84.0M available for crashinfo.
List of Files:
adopts.log         1.7K   Apr 12 11:20
anald.log          1.1K   Apr 12 11:20
cfgd.log           48.8K  Apr 12 12:35
dpd2.log           40.1K  Apr 12 12:07
messages.log       22.4K  Apr 12 12:27
startup.log        6.0K   Apr 11 09:08
upgrade.log        60.9K  Apr 12 11:40
vlan-usage.log     0      Apr 12 12:18
command.history    10.5K  Apr 12 09:31
reboot.history     1.1K   Apr 11 09:07
ugrade.history     116    Apr 11 09:05
Please export these files or delete them for more space.
rfs6000-81742D#
rfs6000-81742D#service show mac-vendor B4-C7-99-6C-88-09
B4-C7-99 : Extreme Networks
rfs6000-81742D#
nx9500-6C8809>service show upgrade-history
Configured size of upgrade history is 50
Date & Time              Old Version    New Version    Status
=====================================================================
Apr 11 07:57:33 2017     5.9.0.0-012D   5.9.0.0-014D   Successful
Mar 30 15:00:48 2017     5.9.0.0-010D   5.9.0.0-012D   Successful
Mar 22 13:35:20 2017     5.9.0.0-009D   5.9.0.0-010D   Successful
Mar 22 11:54:25 2017     5.8.6.0-010R   5.9.0.0-009D   Successful
Feb 21 08:40:22 2017     5.8.6.0-009R   5.8.6.0-010R   Successful
Feb 21 08:22:45 2017     5.8.6.0-009R   5.8.6.0-009R   Failure in openssl. Verification failure.
Feb 15 10:55:00 2017     5.8.6.0-007B   5.8.6.0-009R   Successful
Feb 15 10:45:40 2017     5.8.6.0-007B   5.8.6.0-008B   Successful
Feb 15 10:45:07 2017     5.8.6.0-007B   5.8.6.0-007B   Unable to get update file. ftpget:
unexpected server response to RETR: 550 LatestBuilds/W586/NX9000.img: The system cannot find the file specified.
Feb 11 12:26:20 2017     5.8.6.0-007B   5.8.6.0-008B   Successful
Feb 11 12:21:04 2017     5.8.6.0-007B   5.8.6.0-008B   Successful
Feb 11 12:20:34 2017     5.8.6.0-007B   5.8.6.0-007B   Unable to get update file. ftpget:
bad address '1921.68.13.10'
--More--
nx9500-6C8809>
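A parser for the upgrade-history output above, added here as an example and not part of the CLI reference. It takes the row layout shown (timestamp, old version, new version, then a free-form status that may wrap onto continuation lines) from a constructed sample and separates the attempts that never completed into image verification failures and transfer failures; the verification failure is the entry worth chasing, because the image was fetched but did not pass the signature check, which is either a corrupt download or a tampered file.

```python
"""Parse 'service show upgrade-history' output and flag upgrades that did not
complete, separating image verification failures from transfer failures.

Added example; not code from the CLI reference. Assumes the row layout shown
on this page: a 'Mon DD HH:MM:SS YYYY' timestamp, old version, new version,
then a free-form status that may wrap onto continuation lines.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the output above (not a real device capture).
SAMPLE = """\
Configured size of upgrade history is 50
Date & Time              Old Version    New Version    Status
=====================================================================
Apr 11 07:57:33 2017     5.9.0.0-012D   5.9.0.0-014D   Successful
Feb 21 08:40:22 2017     5.8.6.0-009R   5.8.6.0-010R   Successful
Feb 21 08:22:45 2017     5.8.6.0-009R   5.8.6.0-009R   Failure in openssl. Verification failure.
Feb 15 10:45:07 2017     5.8.6.0-007B   5.8.6.0-007B   Unable to get update file. ftpget:
unexpected server response to RETR: 550 LatestBuilds/W586/NX9000.img: The system cannot find the file specified.
Feb 11 12:20:34 2017     5.8.6.0-007B   5.8.6.0-007B   Unable to get update file. ftpget:
bad address '1921.68.13.10'
--More--
"""

# One history row: timestamp, old version, new version, rest of line is status.
ROW_RE = re.compile(
    r"^(?P<when>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<old>\S+)\s+(?P<new>\S+)\s+(?P<status>.+)$"
)


@dataclass
class UpgradeEvent:
    when: str
    old: str
    new: str
    status: str

    @property
    def ok(self) -> bool:
        return self.status.strip() == "Successful"

    @property
    def verification_failure(self) -> bool:
        # The image was fetched but did not pass the signature check. Unlike a
        # transfer error this deserves follow-up: corrupt or tampered image.
        return "Verification failure" in self.status

    @property
    def transfer_failure(self) -> bool:
        return "Unable to get update file" in self.status


def parse_upgrade_history(text: str) -> list[UpgradeEvent]:
    events: list[UpgradeEvent] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            events.append(UpgradeEvent(**m.groupdict()))
        elif events and line.strip() and not line.startswith(("--More", "=")):
            # Not a new row: the status of the previous row wrapped onto this line.
            events[-1].status += " " + line.strip()
    return events


def review(events: list[UpgradeEvent]) -> tuple[list[UpgradeEvent], list[UpgradeEvent], list[UpgradeEvent]]:
    """Split events into (all failed, verification failures, transfer failures)."""
    failed = [e for e in events if not e.ok]
    return (failed,
            [e for e in failed if e.verification_failure],
            [e for e in failed if e.transfer_failure])


if __name__ == "__main__":
    failed, verify, transfer = review(parse_upgrade_history(SAMPLE))
    for e in failed:
        kind = "VERIFY" if e.verification_failure else "TRANSFER" if e.transfer_failure else "OTHER"
        print(f"{e.when}  {e.old} -> {e.new}  [{kind}] {e.status}")
```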
rfs6000-81742D#service show wireless reference reason-codes
CODE DESCRIPTION
0    Success
1    Unspecified Reason
2    Previous authentication no longer valid
3    Deauth because sending STA is leaving IBSS or ESS
4    Disassoc due to inactivity
5    Disassoc because AP is unable to handle all currently assoc STA
6    Class 2 frame received from non-authenticated STA
7    Class 3 frame received from nonassociated STA
8    Disassoc because STA is leaving BSS
9    STA requesting association is not authentication with corresponding STA
10   Disassoc because info in the power capability elem is unacceptable
--More--
rfs6000-81742D#
rfs6000-81742D#service show wireless reference status-codes
CODE DESCRIPTION
0    Successful
1    Unspecified failure
2-9  Reserved
10   Cannot support all requested capabilities in the Capability Information field
11   Reassociation denied due to inability to confirm that association exists
12   Association denied due to reason outside the scope of this standard
13   Responding STA does not support the specified authentication algorithm
14   Received an auth frame with authentication transaction seq number out of expected sequence
15   Authentication rejected because of challenge failure
--More--
rfs6000-81742D#
nx9500-6C8809>service show wireless config-internal
! Startup-Config-Playback Completed: Yes
no debug wireless
country-code in
nx9500-6C8809>
nx9500-6C8809>service show wireless log-internal
08:16:45.901: wlan:Starting credcache checkup/sync (credcache.c:1536)
07:56:41.900: wlan:Starting credcache checkup/sync (credcache.c:1536)
07:36:40.899: wlan:Starting credcache checkup/sync (credcache.c:1536)
07:16:32.898: wlan:Starting credcache checkup/sync (credcache.c:1536)
06:56:31.898: wlan:Starting credcache checkup/sync (credcache.c:1536)
06:36:24.897: wlan:Starting credcache checkup/sync (credcache.c:1536)
06:16:22.897: wlan:Starting credcache checkup/sync (credcache.c:1536)
05:56:18.896: wlan:Starting credcache checkup/sync (credcache.c:1536)
05:16:09.895: wlan:Starting credcache checkup/sync (credcache.c:1536)
04:56:01.894: wlan:Starting credcache checkup/sync (credcache.c:1536)
04:35:58.893: wlan:Starting credcache checkup/sync (credcache.c:1536)
04:34:41.63: config:commit done in cfgd (config.c:5382)
04:15:55.893: wlan:Starting credcache checkup/sync (credcache.c:1536)
03:55:54.891: wlan:Starting credcache checkup/sync (credcache.c:1536)
03:20:30.397: config:commit done in cfgd (config.c:5382)
03:19:50.188: config:commit done in cfgd (config.c:5382)
--More--
nx9500-6C8809>
nx9500-6C8809#service show xpath-history
********************************************************************************************************************************************
* DATE&TIME                 * USER                     * XPATH                                                                   * DURATION(MS)*
********************************************************************************************************************************************
* Wed Apr 12 12:45:28 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0 *
* Wed Apr 12 12:45:24 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0 *
* Wed Apr 12 12:45:13 2017 * system @ rfs6000-81742D * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0 *
* Wed Apr 12 12:45:02 2017 * system * wing-stats/device/B4-C7-99-6C-88-09/_internal/feature_license_request * 0 *
--More--
nx9500-6C8809#
The following example shows the service > show > virtual-machine-history output on an NX9500 service platform:
nx9500-6C874D>service show virtual-machine-history
Configured size of virtual machine history is 100
Date & Time              Virtual Machine    Event
=====================================================
Jan 16 05:39:46 2017     Domain-0           autostart
Jan 10 03:47:09 2017     Domain-0           autostart
Jan 02 05:53:48 2017     Domain-0           autostart
Dec 27 10:52:59 2016     Domain-0           autostart
Oct 14 05:56:14 2016     Domain-0           autostart
Oct 14 03:01:48 2016     Domain-0           autostart
Oct 12 04:11:52 2016     Domain-0           autostart
Sep 30 04:41:08 2016     Domain-0           autostart
--More--
nx9500-6C874D>
rfs4000-229D58#service show fib6
-------------------------------------------------------------------------------
Route Table ID : 254
::1/128      Next Hop: ::       Interface: lo     Route Type: ROUTE_TYPE_CONNECT  Route Status: ROUTE_STATUS_KERNEL   Metric: 0    Distance: 0
fe80::/64    Next Hop: ::       Interface: vlan2  Route Type: ROUTE_TYPE_CONNECT  Route Status: ROUTE_STATUS_KERNEL   Metric: 256  Distance: 0
2001::/64    Next Hop: 2001::6  Interface:        Route Type: ROUTE_TYPE_STATIC   Route Status: ROUTE_STATUS_PENDING  Metric: 256  Distance: 1
rfs4000-229D58#
Examples for the service > wireless > meshpoint command. The following example displays meshpoint modules:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C
       | SUBZONE
       | 0     1     2     3     4     5     6     7
-------+-----------------------------------------
ZONE   |
2-LLC  | GEN   TX    RX    BEA   TXF
       | 0     0     0     0     0
3-ND   | GEN   TX    RX    NBR   LQM   LSA
       | 0     0     0     0     0     0
4-ORL  | GEN
       | 0
5-LQ   | GEN   TX    RX    HEL   PRO
       | 0     0     0     0     0
6-PS   | GEN
       | 0
7-RS   | GEN   ROOT  NBR   REC
       | 0     0     0     0
8-IA   | GEN
       | 0
11-MGT | GEN   SET   GET
       | 0     0     0
13-LSA | GEN   RX    TX    R0    LMST  LSUP  LKEY  KEY
       | 0     0     0     0     0     0     0     0
14-ACS | GEN   SCAN  TRIG
       | 0     0     0
15-EAP | GEN
       | 0
16-L2P | GEN
       | 0
ROOT1-ap81xx-71174C#

In the preceding example:
- The meshpoint name is mesh_root.
- The device on which the command is executed is ROOT1-ap81xx-71174C.
- The vertical ZONE column lists the meshpoint modules. For example, 3-ND represents the Neighbor Discovery module.
- The SUBZONE columns 0 to 7 represent the available processes for each zonal module.
- Debugging is disabled for all modules of the mesh_root meshpoint. A value of 0 (zero) represents debugging disabled.

To enable meshpoint module debugging, specify the module number and the process number separated by a period (.), and then specify the debugging level from 0 - 7.
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 3.2 7

In the preceding command:
- The meshpoint module number provided is 3 (ND).
- The process number provided is 2 (RX - received signals from neighbors).
- The debugging level provided is 7 (highest level - warning).
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C
       | SUBZONE
       | 0     1     2     3     4     5     6     7
-------+-----------------------------------------
ZONE   |
2-LLC  | GEN   TX    RX    BEA   TXF
       | 0     0     0     0     0
3-ND   | GEN   TX    RX    NBR   LQM   LSA
       | 0     0     7(D)  0     0     0
4-ORL  | GEN
       | 0
5-LQ   | GEN   TX    RX    HEL   PRO
       | 0     0     0     0     0
6-PS   | GEN
       | 0
7-RS   | GEN   ROOT  NBR   REC
       | 0     0     0     0
8-IA   | GEN
       | 0
11-MGT | GEN   SET   GET
       | 0     0     0
13-LSA | GEN   RX    TX    R0    LMST  LSUP  LKEY  KEY
       | 0     0     0     0     0     0     0     0
14-ACS | GEN   SCAN  TRIG
       | 0     0     0
15-EAP | GEN
       | 0
16-L2P | GEN
       | 0
ROOT1-ap81xx-71174C#
In the preceding example, level 7 debugging has been enabled only for the ND module's received signals (RX) process. Debugging for all other modules and processes remains disabled.

To disable debugging for all modules, specify 0 (zero) in the command. For example:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 0

To enable debugging for all modules, specify the debugging level number. For example:
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C 5
ROOT1-ap81xx-71174C#service wireless meshpoint zl mesh_root on ROOT1-ap81xx-71174C
       | SUBZONE
       | 0     1     2     3     4     5     6     7
-------+-----------------------------------------
ZONE   |
2-LLC  | GEN   TX    RX    BEA   TXF
       | 5(N)  5(N)  5(N)  5(N)  5(N)
3-ND   | GEN   TX    RX    NBR   LQM   LSA
       | 5(N)  5(N)  5(N)  5(N)  5(N)  5(N)
4-ORL  | GEN
       | 5(N)
5-LQ   | GEN   TX    RX    HEL   PRO
       | 5(N)  5(N)  5(N)  5(N)  5(N)
6-PS   | GEN
       | 5(N)
7-RS   | GEN   ROOT  NBR   REC
       | 5(N)  5(N)  5(N)  5(N)
8-IA   | GEN
       | 5(N)
11-MGT | GEN   SET   GET
       | 5(N)  5(N)  5(N)
13-LSA | GEN   RX    TX    R0    LMST  LSUP  LKEY  KEY
       | 5(N)  5(N)  5(N)  5(N)  5(N)  5(N)  5(N)  5(N)
14-ACS | GEN   SCAN  TRIG
       | 5(N)  5(N)  5(N)
15-EAP | GEN
       | 5(N)
16-L2P | GEN
       | 5(N)
ROOT1-ap81xx-71174C#
rfs4000-1BE644#service show ssh-authorized-keys
'extreme@extreme-quadcore'
rfs4000-1BE644#
rfs4000-1BE644#service load-ssh-autorized-keys "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPERY9aTibRYlFMnERTYP2iyylJ00YElxjUElY7Zm9Ky2yeSmg15UKerJ+IP161Gdm0AoEfXyeheRntK+Z6NWHa341RWJ0UrQMcp7hSEE5jbDpLKJOuEoW22Ag45BZzMV7EnM7lHowboNsQhSzX5uBBlVViWlBxBqDroX4BcuB/CFugezHTt95UQ2ZRUfHvePS6jQdOArf1alwk0Slcsz4HNSl5KDutJ4VY+6vRvlf5Gy/3GNehMwNsmsRKK4UVKV5RpuuKIjkbZE+goPFAKYVPNmZngjaOyDfvNGE7JIwmYlti/AId6tv2zAbM4qSomWAgUOO0hkXS9m4m74FnHPr extreme@extreme-quadcore"
Successfully added the ssh key
rfs4000-1BE644#
rfs4000-1BE644#no service load-ssh-autorized-keys rfs4000-1BE644
Successfully removed the ssh key
rfs4000-1BE644#
nx9500-6C8809#service show diag fds
Process     open fds
cfgd        86
nx9500-6C8809#
nx9500-6C8809#service show diag pkts
Date: 11-4-2016, Time: 8:41:08.501033, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-80-C2-AC > 10-01-00-D2-68-99 at 64 bytes
Date: 11-4-2016, Time: 8:41:08.707631, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-80-C2-AC > 10-01-00-D2-68-99 at 64 bytes
Date: 11-4-2016, Time: 8:41:08.830963, Len: 64, 802.3, Proto: 0x8783, Vlan: 1, Priority: 0, Ingress: ge1, vlan1
Loop reason: Unknown(540)
TRUNCATED BB-7C-4D-83-30-A4 > 10-01-00-42-68-99 at 64 bytes
--More--
nx9500-6C8809#
nx9500-6C8809#service clear diag pkts
nx9500-6C8809#service show diag pkts
nx9500-6C8809#
nx9500-6C8809#service show diag psu
PSU1 (upper):
status unplugged
PSU2 (lower):
status normal
nx9500-6C8809#
The following examples show the purging of users from the guest-registration database:
nx7500-112233#service guest-registration delete ?
  all                 Delete all users
  email               Email address
  group               Group
  mac                 MAC address
  mobile              Mobile phone number
  name                Full name
  offline-for         Specify minimum amount of time offline
  otp-incomplete-for  Specify minimum amount of time registration with one-time-passcode incomplete
  social              Social site used to log in
  wlan                Wireless LAN
nx7500-112233#

Purges users belonging to a specified RADIUS group:
nx7500-112233#service guest-registration delete group mac_reg_gr1
delete user status: delete users matching a group will take time, please wait
nx7500-112233#

Purges users who log in with social-site (Facebook or Google) credentials:
nx7500-112233#service guest-registration delete social facebook
delete user status: delete users matching a social category will take time, please wait
nx7500-112233#

Purges users inactive for a specified time period:
nx7500-112233#service guest-registration delete offline-for days 5
delete user status: Deleting users offline for minimum 5 days. This will take time, please wait
nx7500-112233#

Purges users who have failed to complete registration using the one-time-passcode (OTP) within a specified time period:
nx7500-112233#service guest-registration delete otp-incomplete-for days 5
delete user status: Deleting registration with one-time-passcode incomplete for minimum 5 days. This will take time, please wait
nx7500-112233#
The following example displays the IP ACL to WLAN mapping summary on the TechPubs RF Domain:
nx9500-6C8809#service show ip-access-list wlan TechPubs status
Reporting Device: ap7131-99BB7C - success
Reporting Device: ap7532-80C2AC - success
Reporting Device: ap7562-84A224 - success
Reporting Device: nx9500-6C8809 - success
Reporting Device: ap8132-74B45C - success
Total reporting devices: 5
nx9500-6C8809#

Consider an RF Domain (named guest-domain) with 3 APs adopted to a controller. The CLI output of the service > show > ip-access-list command in this setup varies between scenarios, as shown in the following examples:

Scenario 1: Executing the command on a device (access point).
AP01#service show ip-access-list wlan status
Reporting Device: AP01 - fail
WLAN: XPO-Guest-PSK
use ip-access-list in guest_access_inbound : fail
Total reporting devices: 1
AP01#
AP01#service show ip-access-list wlan status detail
================================================================================
Reporting Device: AP01
--------------------------------------------------------------------------------
WLAN: XPO-Guest-PSK
use ip-access-list in guest_access_inbound : fail
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in default : success
use ip-access-list out default : success
--------------------------------------------------------------------------------
Total reporting devices: 1
AP01#

Scenario 2: IP ACL to WLAN mapping is successful for all APs in a specified RF Domain.
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - success
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
SW01#

Scenario 3: IP ACL has failed in the dataplane for unknown reasons.
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - fail
WLAN: XPO-Guest-PSK
use ip-access-list in guest_access_inbound : fail
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
SW01#service show ip-access-list wlan status detail on guest-domain
================================================================================
Reporting Device: AP01
--------------------------------------------------------------------------------
WLAN: XPO-Guest-PSK
use ip-access-list in guest_access_inbound : fail
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP02
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP03
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
Total reporting devices: 3
SW01#
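A parser for the status and detail outputs shown in these scenarios, added here as an example and not part of the CLI reference. It reads the 'Reporting Device', 'WLAN' and 'use ip-access-list' lines, derives a device's verdict in the detail layout (which prints no '- success/fail' suffix), treats the 'Timed out waiting for remote device' line of Scenario 4 below as unreachable, and lists every device whose ACL-to-WLAN mapping is not confirmed, since a WLAN whose inbound ACL failed to install in the dataplane is passing unfiltered traffic. The sample is constructed from the page's names (XPO-Guest-PSK, guest_access_inbound, BC-MC-CONTROL).

```python
"""Parse 'service show ip-access-list wlan status [detail]' output and list
the devices whose IP ACL to WLAN mapping is not confirmed in the dataplane.

Added example; not code from the CLI reference. It relies only on the line
shapes shown in the scenarios on this page.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample in the 'detail' layout: one unreachable AP, one AP with a
# failed inbound ACL on the guest WLAN, one healthy AP.
SAMPLE = """\
================================================================================
Reporting Device: AP01 Timed out waiting for remote device: xpath=wing-stats/device/00-23-68-0B-86-38/firewall/ip_acl_intf_status/wlan[mac='*']
================================================================================
Reporting Device: AP02
--------------------------------------------------------------------------------
WLAN: XPO-Guest-PSK
use ip-access-list in guest_access_inbound : fail
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP03
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
Total reporting devices: 3
"""

DEVICE_RE = re.compile(r"^Reporting Device: (?P<dev>\S+)(?: - (?P<status>\w+))?(?P<rest>.*)$")
WLAN_RE = re.compile(r"^WLAN: (?P<wlan>\S+)$")
ACL_RE = re.compile(r"^use ip-access-list (?P<dir>in|out) (?P<acl>\S+) : (?P<result>\w+)$")
TOTAL_RE = re.compile(r"^Total reporting devices: (?P<n>\d+)$")


@dataclass
class AclBinding:
    device: str
    wlan: str
    direction: str  # "in" or "out"
    acl: str
    result: str     # "success" or "fail"


@dataclass
class AclStatusReport:
    status: dict[str, str] = field(default_factory=dict)  # device -> success | fail | unreachable
    bindings: list[AclBinding] = field(default_factory=list)
    total: int | None = None


def parse_acl_status(text: str) -> AclStatusReport:
    report = AclStatusReport()
    device = wlan = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DEVICE_RE.match(line):
            device, wlan = m["dev"], None
            if m["status"]:                    # summary layout prints the verdict inline
                report.status[device] = m["status"]
            elif "Timed out" in m["rest"]:     # detail layout, device never answered
                report.status[device] = "unreachable"
            else:                              # detail layout: derive from its bindings
                report.status[device] = "success"
        elif (m := WLAN_RE.match(line)) and device:
            wlan = m["wlan"]
        elif (m := ACL_RE.match(line)) and device and wlan:
            binding = AclBinding(device, wlan, m["dir"], m["acl"], m["result"])
            report.bindings.append(binding)
            if binding.result != "success":
                report.status[device] = "fail"
        elif m := TOTAL_RE.match(line):
            report.total = int(m["n"])
    return report


def failed_bindings(report: AclStatusReport) -> list[AclBinding]:
    return [b for b in report.bindings if b.result != "success"]


def unconfirmed(report: AclStatusReport) -> dict[str, str]:
    """Devices whose ACL enforcement cannot be taken as established.

    'fail' means the ACL was not installed in the dataplane, so that WLAN's
    traffic is not filtered by it; 'unreachable' means nobody could check.
    A device count below 'Total reporting devices' is reported as well.
    """
    out = {d: s for d, s in report.status.items() if s != "success"}
    if report.total is not None and len(report.status) < report.total:
        out["<missing>"] = f"{report.total - len(report.status)} device(s) returned no status"
    return out
```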
Scenario 4: An AP in the RF Domain is unreachable or does not support this functionality.
SW01#service show ip-access-list wlan status on guest-domain
Reporting Device: AP01 - unreachable
Reporting Device: AP02 - success
Reporting Device: AP03 - success
Total reporting devices: 3
SW01#
SW01#service show ip-access-list wlan status detail on guest-domain
================================================================================
Reporting Device: AP01 Timed out waiting for remote device: xpath=wing-stats/device/00-23-68-0B-86-38/firewall/ip_acl_intf_status/wlan[mac='*']
================================================================================
Reporting Device: AP02
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
================================================================================
Reporting Device: AP03
--------------------------------------------------------------------------------
WLAN: PartnerNet
use ip-access-list in guest_access_inbound : success
use ip-access-list out BC-MC-CONTROL : success
--------------------------------------------------------------------------------
Total reporting devices: 3

5.1.8 show
Common Commands

Displays specified system component settings. There are a number of ways to invoke the show command:
- When invoked without any arguments, it displays information about the current context. If the current context contains instances, the show command (usually) displays a list of these instances.
- When invoked with the display parameter, it displays information about that component.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show <PARAMETERS>

Parameters
show <PARAMETERS>
show <PARAMETERS>
    The show command displays configuration details based on the configuration mode in which the command is executed and the parameters passed. For example, when executed in the AAA policy configuration mode, it displays the logged AAA policy's current settings. The example below shows the configuration details that can be viewed in the Privilege Exec mode.

Example
nx9500-6C8809#show ?
adoption                     Adoption related information
bluetooth                    Bluetooth Configuration/Statistics commands
bonjour                      Bonjour Gateway related commands
boot                         Display boot configuration.
captive-portal               Captive portal commands
captive-portal-page-upload   Captive portal internal and advanced page upload
cdp                          Cisco Discovery Protocol
classify-url                 Query the category of an URL
clock                        Display system clock
cluster                      Cluster Protocol
cmp-factory-certs            Display the CMP certificate status
commands                     Show command lists
context                      Information about current context
critical-resources           Critical Resources
crypto                       Encryption related commands
database                     Database
debug                        Debugging functions
debugging                    Debugging functions
device-upgrade               Device Upgrade
dot1x                        802.1X
dpi                          Deep Packet Inspection
eguest                       Registration EGuest process
environmental-sensor         Display Environmental Sensor Module status
event-history                Display event history
event-system-policy          Display event system policy
ex3500                       EX3500 device details
extdev                       External device (T5, Ex3500..)
file                         Display filesystem information
file-sync                    File sync between controller and adoptees
firewall                     Wireless Firewall
global                       Global-level information
gre                          Show l2gre tunnel info
guest-notification-config    Show guest-notification information
guest-registration           Guest registration commands
interface                    Interface Configuration/Statistics commands
ip                           Internet Protocol (IP)
ip-access-list               IP ACL
ipv6                         Internet Protocol version 6 (IPv6)
ipv6-access-list             IPV6 ACL
l2tpv3                       L2TPv3 information
lacp                         LACP commands
ldap-agent                   LDAP Agent Configuration
licenses                     Show installed licenses and usage
lldp                         Link Layer Discovery Protocol
logging                      Show logging information
mac-access-list              MAC ACL
mac-address-table            Display MAC address table
mac-auth                     MAC authentication
mac-auth-clients             MAC authenticated clients
mint                         MiNT protocol
mirroring                    Show mirroring sessions
nsight                       Nsight Server Module
ntp                          Network time protocol
password-encryption          Pasword encryption
pppoe-client                 PPP Over Ethernet client
privilege                    Show current privilege level
radius                       RADIUS statistics commands
raid                         Show RAID status
reload                       Scheduled reload information
remote-debug                 Show details of remote debug sessions
rf-domain-manager            Show RF Domain Manager selection details
role                         Role based firewall
route-maps                   Display Route Map Statistics
rtls                         RTLS Statistics
running-config               Current operating configuration
session-changes              Configuration changes made in this session
session-config               This session configuration
sessions                     Display sessions
site-config-diff             Difference between site configuration on the NOC and actual site configuration
slot                         Expansion slots stats
smart-rf                     Smart-RF Management Commands
spanning-tree                Display spanning tree information
startup-config               Startup configuration
t5                           Display T5 inventory information
terminal                     Display terminal configuration parameters
timezone                     The timezone
traffic-shape                Display traffic shaping
upgrade-status               Display last image upgrade status
version                      Display software & hardware version
virtual-machine              Virtual Machine
vrrp                         VRRP protocol
web-filter                   Web filter
what                         Perform global search
wireless                     Wireless commands
wwan                         Display wireless WAN Status
nx9500-6C8809#
NOTE: For more information on the show command, see Chapter 6, SHOW COMMANDS.

5.1.9 write
Common Commands

Writes the system running configuration to memory or terminal.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
write [memory|terminal]

Parameters
write [memory|terminal]
memory
    Writes to the non-volatile (NV) memory
terminal
    Writes to the terminal

Example
nx9500-6C8809>write memory
[OK]
nx9500-6C8809>
6 SHOW COMMANDS

Show commands display configuration settings or statistical information. Use these commands to view the current running configuration as well as the start-up configuration. The show command also displays the current context's configuration.

This chapter describes the show CLI commands used in the USER EXEC, PRIV EXEC, and GLOBAL CONFIG modes. Commands entered in either USER EXEC mode or PRIV EXEC mode are referred to as EXEC mode commands. If a user or privilege is not specified, the referenced command can be entered in either mode. This chapter also describes the show commands in the GLOBAL CONFIG mode. The commands can be entered in all three modes, except commands like file, IP access list statistics, MAC access list statistics, and upgrade statistics, which cannot be entered in the USER EXEC mode.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

6.1 show commands
The following table summarizes show commands:
Table 6.1 Show Commands
Command                      Description
show                         Displays settings for the specified system component
adoption                     Displays information related to adoption
bluetooth                    Displays Bluetooth radio statistics for RF Domain member access points
boot                         Displays a device boot configuration
bonjour                      Displays the configured Bonjour services available on local and remote sites
captive-portal               Displays WLAN hotspot functions
captive-portal-page-upload   Displays captive portal page related information
cdp                          Displays a Cisco Discovery Protocol (CDP) neighbor table
classify-url                 Queries a specified global data center or a pre-configured classification server for the category of a specified URL
clock                        Displays the software system clock
cluster                      Displays cluster commands
cmp-factory-certs            Displays factory installed CMP certificates
commands                     Displays command list
context                      Displays information about the current context
critical-resources           Displays critical resource information
crypto                       Displays encryption mode information
database                     Displays database-related statistics and status
device-upgrade               Displays device firmware upgrade information for devices adopted by a wireless controller or access point
dot1x                        Displays dot1x information on interfaces
dpi                          Displays statistics for all configured and canned applications
eguest                       Displays EGuest server status and EGuest registration statistics
environmental-sensor         Displays environmental sensors historical data (applicable only to AP8132)
event-history                Displays event history
event-system-policy          Displays event system policy configuration information
ex3500                       Displays EX3500-related statistical data
extdev                       Displays external device (T5 or EX3500) configuration error history
file-sync                    Displays file synchronization settings and status on a controller. The file-sync command syncs the trustpoint/wireless-bridge certificate between the staging-controller and its adopted access points
firewall                     Displays wireless firewall information
global                       Displays global information for network devices based on the parameters passed
gre                          Displays GRE tunnel related information
guest-registration           Displays guest registration statistics based on the option and time entered
interface                    Displays interface status
ip                           Displays IP related information
ip-access-list               Displays IP access list statistics
ipv6                         Displays IPv6 related information
ipv6-access-list             Displays IPv6 access list statistics
l2tpv3                       Displays Layer 2 Tunnel Protocol Version 3 (L2TPV3) information
lacp                         Displays Link Aggregation Control Protocol (LACP) related information
ldap-agent                   Displays an LDAP agent's join status (join status to a LDAP server domain)
licenses                     Displays installed licenses and usage information
lldp                         Displays Link Layer Discovery Protocol (LLDP) information
logging                      Displays logging information
mac-access-list              Displays MAC access list statistics
mac-address-table            Displays MAC address table entries
mac-auth                     Displays details of wired ports that have MAC address-based authentication enabled
mac-auth-clients             Displays MAC-authenticated clients based on the parameters passed
mint                         Displays MiNT protocol configuration commands
nsight                       Displays NSight module related statistics and also displays the database server status (reachable or not)
ntp                          Displays Network Time Protocol (NTP) information
password-encryption          Displays password encryption status
pppoe-client                 Displays Point to Point Protocol over Ethernet (PPPoE) client information
privilege                    Displays current privilege level information
radius                       Displays the amount of access time consumed and the access time remaining for all guest users configured on a RADIUS server
reload                       Displays scheduled reload information
rf-domain-manager            Displays RF Domain manager selection details
role                         Displays role-based firewall information
route-maps                   Displays route map statistics
rtls                         Displays Real Time Location Service (RTLS) statistics of access points
running-config               Displays configuration file contents
session-changes              Displays configuration changes made in this session
session-config               Displays a list of currently active open sessions on the device
sessions                     Displays CLI sessions
site-config-diff             Displays the difference between the site configuration available on the NOC and the actual site configuration
smart-rf                     Displays Smart RF management commands
spanning-tree                Displays spanning tree information
startup-config               Displays the complete startup configuration script on the console
t5                           Displays adopted T5 controller details. This command is applicable only on the RFS4000, RFS6000, NX9500, NX9510, and VX9000.
terminal                     Displays terminal configuration parameters
timezone                     Displays timezone information for the system and managed devices
traffic-shape                Displays traffic-shaping related configuration details and statistics
upgrade-status               Displays image upgrade status
version                      Displays a device's software and hardware version
vrrp                         Displays Virtual Router Redundancy Protocol (VRRP) details
web-filter                   Displays the pre-configured, in-built Web filter options available. These options are: category (URL category), category-types, filter-level, etc. This command also displays Web filter statistics and status.
what                         Displays details of a specified search phrase
wireless                     Displays wireless configuration parameters
wwan                         Displays the wireless WAN status
virtual-machine              Displays the virtual-machine (VM) configuration, logs, and statistics
raid                         Displays Redundant Array of Independent Disks (RAID) related information, such as array status, consistency check status, and RAID log.
manager role route-maps rtls running-config session-changes Displays configuration changes made in this session session-config sessions site-config-diff Displays a list of currently active open sessions on the device Displays CLI sessions Displays the difference between site configuration available on NOC and the actual site configuration Displays Smart RF management commands Displays spanning tree information Displays complete startup configuration script on the console Displays adopted T5 controller details. This command is applicable only on the RFS4000, RFS6000, NX9500, NX9510, and VX9000. Displays terminal configuration parameters Displays timezone information for the system and managed devices Displays traffic-shaping related configuration details and statistics Displays image upgrade status Displays a devices software and hardware version Displays Virtual Router Redundancy Protocol (VRRP) protocol details Displays pre-configured, in-built Web filter options available. These options are: category (URL category), category-types, filter-level, etc. This command also displays Web filter statistics and status. Displays details of a specified search phrase Displays wireless configuration parameters Displays the wireless WAN status what wireless wwan virtual-machine Displays the virtual-machine (VM) configuration, logs, and statistics raid Displays Redundant Array of Independent Disks (RAID) related information, such as array status, consistency check status, and RAID log. 
smart-rf spanning-tree startup-config t5 terminal timezone traffic-shape upgrade-status version vrrp web-filter Reference page 6-120 page 6-121 page 6-122 page 6-123 page 6-125 page 6-132 page 6-133 page 6-134 page 6-135 page 6-136 page 6-140 page 6-142 page 6-143 page 6-151 page 6-152 page 6-153 page 6-155 page 6-156 page 6-157 page 6-159 page 6-161 page 6-162 page 6-185 page 6-186 page 6-189 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 4 SHOW COMMANDS 6.1.1 show show commands The show command displays following information:
A devices current configuration A devices start-up configuration A devices current context configuration, such as profiles and policies Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show <PARAMETERS>
Parameters show <PARAMATERS>
show <PARAMETERS>
The show command displays configuration details based on the configuration mode, in which the command is executed, and the parameters passed. For example, when executed in the AAA policy configuration mode, it displays the logged AAA policys current settings. The examples below show the configuration parameters that can be viewed in the User Executable, Priv Executable, and Global Configurable modes. Example The following examples list the show commands in the User Exec, Priv Exec, and Global Config modes:
GLOBAL CONFIG Mode

<DEVICE>(config)#show ?
  adoption                    Adoption related information
  bluetooth                   Bluetooth Configuration/Statistics commands
  bonjour                     Bonjour Gateway related commands
  boot                        Display boot configuration.
  captive-portal              Captive portal commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cdp                         Cisco Discovery Protocol
  classify-url                Query the category of an URL
  clock                       Display system clock
  cluster                     Cluster Protocol
  cmp-factory-certs           Display the CMP certificate status
  commands                    Show command lists
  context                     Information about current context
  critical-resources          Critical Resources
  crypto                      Encryption related commands
  database                    Database
  debug                       Debugging functions
  debugging                   Debugging functions
  device-upgrade              Device Upgrade
  dot1x                       802.1X
  dpi                         Deep Packet Inspection
  eguest                      ExtremeGuest
  environmental-sensor        Display Environmental Sensor Module status
  event-history               Display event history
  event-system-policy         Display event system policy
  ex3500                      EX3500 device details
  extdev                      External device (T5, Ex3500..)
  file                        Display filesystem information
  file-sync                   File sync between controller and adoptees
  firewall                    Wireless Firewall
  global                      Global-level information
  gre                         Show l2gre tunnel info
  guest-notification-config   Show guest-notification information
  guest-registration          Guest registration commands
  interface                   Interface Configuration/Statistics commands
  ip                          Internet Protocol (IP)
  ip-access-list              IP ACL
  ipv6                        Internet Protocol version 6 (IPv6)
  ipv6-access-list            IPV6 ACL
  l2tpv3                      L2TPv3 information
  lacp                        LACP commands
  ldap-agent                  LDAP Agent Configuration
  licenses                    Show installed licenses and usage
  lldp                        Link Layer Discovery Protocol
  logging                     Show logging information
  mac-access-list             MAC ACL
  mac-address-table           Display MAC address table
  mac-auth                    MAC authentication
  mac-auth-clients            MAC authenticated clients
  mint                        MiNT protocol
  mirroring                   Show mirroring sessions
  nsight                      Nsight Server Module
  ntp                         Network time protocol
  password-encryption         Pasword encryption
  pppoe-client                PPP Over Ethernet client
  privilege                   Show current privilege level
  radius                      RADIUS statistics commands
  raid                        Show RAID status
  reload                      Scheduled reload information
  remote-debug                Show details of remote debug sessions
  rf-domain-manager           Show RF Domain Manager selection details
  role                        Role based firewall
  route-maps                  Display Route Map Statistics
  rtls                        RTLS Statistics
  running-config              Current operating configuration
  session-changes             Configuration changes made in this session
  session-config              This session configuration
  sessions                    Display sessions
  site-config-diff            Difference between site configuration on the NOC and actual site configuration
  slot                        Expansion slots stats
  smart-rf                    Smart-RF Management Commands
  spanning-tree               Display spanning tree information
  startup-config              Startup configuration
  t5                          Display T5 inventory information
  terminal                    Display terminal configuration parameters
  timezone                    The timezone
  traffic-shape               Display traffic shaping
  upgrade-status              Display last image upgrade status
  version                     Display software & hardware version
  virtual-machine             Virtual Machine
  vrrp                        VRRP protocol
  web-filter                  Web filter
  what                        Perform global search
  wireless                    Wireless commands
  wwan                        Display wireless WAN Status
<DEVICE>(config)#

rfs6000-81742D(config)#show clock
2017-04-06 15:49:10 IST
rfs6000-81742D(config)#
PRIVILEGE EXEC Mode

<DEVICE>#show ?
  adoption                    Adoption related information
  bluetooth                   Bluetooth Configuration/Statistics commands
  bonjour                     Bonjour Gateway related commands
  boot                        Display boot configuration.
  captive-portal              Captive portal commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cdp                         Cisco Discovery Protocol
  classify-url                Query the category of an URL
  clock                       Display system clock
  cluster                     Cluster Protocol
  cmp-factory-certs           Display the CMP certificate status
  commands                    Show command lists
  context                     Information about current context
  critical-resources          Critical Resources
  crypto                      Encryption related commands
  database                    Database
  debug                       Debugging functions
  debugging                   Debugging functions
  device-upgrade              Device Upgrade
  dot1x                       802.1X
  dpi                         Deep Packet Inspection
  eguest                      ExtremeGuest
  environmental-sensor        Display Environmental Sensor Module status
  event-history               Display event history
  event-system-policy         Display event system policy
  ex3500                      EX3500 device details
  extdev                      External device (T5, Ex3500..)
  file                        Display filesystem information
  file-sync                   File sync between controller and adoptees
  firewall                    Wireless Firewall
  global                      Global-level information
  gre                         Show l2gre tunnel info
  guest-notification-config   Show guest-notification information
  guest-registration          Guest registration commands
  interface                   Interface Configuration/Statistics commands
  ip                          Internet Protocol (IP)
  ip-access-list              IP ACL
  ipv6                        Internet Protocol version 6 (IPv6)
  ipv6-access-list            IPV6 ACL
  l2tpv3                      L2TPv3 information
  lacp                        LACP commands
  ldap-agent                  LDAP Agent Configuration
  licenses                    Show installed licenses and usage
  lldp                        Link Layer Discovery Protocol
  logging                     Show logging information
  mac-access-list             MAC ACL
  mac-address-table           Display MAC address table
  mac-auth                    MAC authentication
  mac-auth-clients            MAC authenticated clients
  mint                        MiNT protocol
  mirroring                   Show mirroring sessions
  nsight                      Nsight Server Module
  ntp                         Network time protocol
  password-encryption         Pasword encryption
  pppoe-client                PPP Over Ethernet client
  privilege                   Show current privilege level
  radius                      RADIUS statistics commands
  raid                        Show RAID status
  reload                      Scheduled reload information
  remote-debug                Show details of remote debug sessions
  rf-domain-manager           Show RF Domain Manager selection details
  role                        Role based firewall
  route-maps                  Display Route Map Statistics
  rtls                        RTLS Statistics
  running-config              Current operating configuration
  session-changes             Configuration changes made in this session
  session-config              This session configuration
  sessions                    Display sessions
  site-config-diff            Difference between site configuration on the NOC and actual site configuration
  slot                        Expansion slots stats
  smart-rf                    Smart-RF Management Commands
  spanning-tree               Display spanning tree information
  startup-config              Startup configuration
  t5                          Display T5 inventory information
  terminal                    Display terminal configuration parameters
  timezone                    The timezone
  traffic-shape               Display traffic shaping
  upgrade-status              Display last image upgrade status
  version                     Display software & hardware version
  virtual-machine             Virtual Machine
  vrrp                        VRRP protocol
  web-filter                  Web filter
  what                        Perform global search
  wireless                    Wireless commands
  wwan                        Display wireless WAN Status
<DEVICE>#

rfs6000-81742D#show terminal
Terminal Type: xterm
Length: 24
Width: 80
rfs6000-81742D#
USER EXEC Mode

<DEVICE>>show ?
  adoption                    Adoption related information
  bluetooth                   Bluetooth Configuration/Statistics commands
  bonjour                     Bonjour Gateway related commands
  boot                        Display boot configuration.
  captive-portal              Captive portal commands
  captive-portal-page-upload  Captive portal internal and advanced page upload
  cdp                         Cisco Discovery Protocol
  classify-url                Query the category of an URL
  clock                       Display system clock
  cluster                     Cluster Protocol
  cmp-factory-certs           Display the CMP certificate status
  commands                    Show command lists
  context                     Information about current context
  critical-resources          Critical Resources
  crypto                      Encryption related commands
  database                    Database
  debug                       Debugging functions
  debugging                   Debugging functions
  device-upgrade              Device Upgrade
  dot1x                       802.1X
  dpi                         Deep Packet Inspection
  eguest                      ExtremeGuest
  environmental-sensor        Display Environmental Sensor Module status
  event-history               Display event history
  event-system-policy         Display event system policy
  ex3500                      EX3500 device details
  extdev                      External device (T5, Ex3500..)
  file-sync                   File sync between controller and adoptees
  firewall                    Wireless Firewall
  global                      Global-level information
  gre                         Show l2gre tunnel info
  guest-notification-config   Show guest-notification information
  guest-registration          Guest registration commands
  interface                   Interface Configuration/Statistics commands
  ip                          Internet Protocol (IP)
  ipv6                        Internet Protocol version 6 (IPv6)
  lacp                        LACP commands
  licenses                    Show installed licenses and usage
  lldp                        Link Layer Discovery Protocol
  logging                     Show logging information
  mac-address-table           Display MAC address table
  mac-auth                    MAC authentication
  mac-auth-clients            MAC authenticated clients
  mint                        MiNT protocol
  mirroring                   Show mirroring sessions
  nsight                      Nsight Server Module
  ntp                         Network time protocol
  password-encryption         Pasword encryption
  pppoe-client                PPP Over Ethernet client
  privilege                   Show current privilege level
  radius                      RADIUS statistics commands
  raid                        Show RAID status
  rf-domain-manager           Show RF Domain Manager selection details
  role                        Role based firewall
  route-maps                  Display Route Map Statistics
  rtls                        RTLS Statistics
  running-config              Current operating configuration
  session-changes             Configuration changes made in this session
  session-config              This session configuration
  sessions                    Display sessions
  site-config-diff            Difference between site configuration on the NOC and actual site configuration
  slot                        Expansion slots stats
  smart-rf                    Smart-RF Management Commands
  spanning-tree               Display spanning tree information
  startup-config              Startup configuration
  t5                          Display T5 inventory information
  terminal                    Display terminal configuration parameters
  timezone                    The timezone
  traffic-shape               Display traffic shaping
  version                     Display software & hardware version
  virtual-machine             Virtual Machine
  vrrp                        VRRP protocol
  web-filter                  Web filter
  what                        Perform global search
  wireless                    Wireless commands
  wwan                        Display wireless WAN Status
<DEVICE>>

nx9500-6C8809(config)#show wireless ap configured
---------------------------------------------------------------------------------------
IDX  NAME            MAC                PROFILE          RF-DOMAIN  ADOPTED-BY
---------------------------------------------------------------------------------------
1    ap7532-80C2AC   84-24-8D-80-C2-AC  default-ap7532   TechPubs   B4-C7-99-6C-88-09
2    ap8132-711728   B4-C7-99-71-17-28  default-ap81xx   TechPubs   B4-C7-99-6D-B5-D4
3    t5-ED7C6C       B4-C7-99-ED-7C-6C  default-t5       TechPubs   B4-C7-99-6C-88-09
4    rfs4000-880DA7  00-23-68-88-0D-A7  default-rfs4000  TechPubs   B4-C7-99-6C-88-09
5    ap7131-99BB7C   00-23-68-99-BB-7C  default-ap71xx   TechPubs   B4-C7-99-6C-88-09
--More--
nx9500-6C8809(config)#
6.1.2 adoption (show commands)

Displays adoption related information, and is common to the User Exec, Priv Exec, and Global Config modes.

In a hierarchically managed (HM) network, devices are deployed in two levels. The first level consists of the Network Operations Center (NOC) controllers. The second level consists of the site controllers, which can be grouped to form clusters. The NOC controllers adopt and manage the site controllers. Access points within the network are adopted and managed by the site controllers.

Use this command to confirm whether a device is an adoptee or an adopter. This command also allows you to determine the devices adopted by an adopter device.

NOTE: A NOC controller's capacity is equal to or higher than a site controller's capacity. The following devices can be deployed at the NOC and at sites:
• NOC controller: RFS6000, NX65XX, NX9500, NX9510, or NX9600.
• Site controller: RFS6000 or RFS4000.

Supported in the following platforms:
• Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
• Wireless Controllers: RFS4000, RFS6000
• Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show adoption [config-errors|controllers|history|info|log|offline|pending|status|timeline]

show adoption offline
show adoption config-errors <DEVICE-NAME>
show adoption log [adoptee|adopter {<MAC>}] {on <DEVICE-NAME>}
show adoption [controllers {include-ipv6}|history|info|pending|status {summary}|timeline] {on <DEVICE-NAME>}

Parameters
show adoption offline

  adoption
      Displays adoption related information. It also displays configuration errors.
  offline
      Displays the non-adopted status of the logged device and its adopted access points

show adoption config-errors <DEVICE-NAME>

  adoption
      Displays adoption related information. It also displays configuration errors.
  config-errors <DEVICE-NAME>
      Displays configuration errors for a specified adopted device
      <DEVICE-NAME>
          Specify the name of the AP, wireless controller, or service platform.

show adoption log [adoptee|adopter {<MAC>}] {on <DEVICE-NAME>}

  adoption
      Displays adoption related information. It also displays configuration errors.
  log [adoptee|adopter {MAC}] {on <DEVICE-NAME>}
      Displays adoption logs for the specified device. If no device name is specified, the system displays logs for the logged device.
      adoptee
          Displays adoption logs for adoptee devices (APs, wireless controllers, and service platforms). To view logs for a specified adoptee, specify the device's name. If no device name is specified, the system displays logs for the logged device. If the logged device is not an adoptee, the system states that the device is a controller. For example: "2013-01-19 22:00:13:MLCP_TAG_CLUSTER_MASTER not present and this device is a controller. Ignoring"
          on <DEVICE-NAME>
              Optional. Displays adoptee status and details for the device identified by the <DEVICE-NAME> keyword
              <DEVICE-NAME>
                  Specify the device's name.
      adopter
          Displays adoption logs for adopter devices (APs, wireless controllers, and service platforms). To view logs for a specified adopter, specify the device's name. If no device name is specified, the system displays logs for the logged device.
          <MAC>
              Optional. Filters adopters by the adoptee device's MAC address. Specify the adoptee device's MAC address. The system displays logs for the device that has adopted the device identified by the <MAC> keyword.
          on <DEVICE-NAME>
              Optional. Displays adopter status and details for the device identified by the <DEVICE-NAME> keyword.
              <DEVICE-NAME>
                  Specify the adopter device's name.

A wireless controller or service platform cannot be configured as an adoptee and an adopter simultaneously. In other words, an adopted wireless controller or service platform cannot be configured to adopt another device, and vice versa.

show adoption [history|controllers {include-ipv6}|info|pending|status {summary}|timeline] {on <DEVICE-NAME>}

  adoption
      Displays adoption related information. It also displays configuration errors.
  controllers {include-ipv6}
      Displays information about adopted controllers. This is applicable in a hierarchically managed network, where site controllers are adopted by the NOC controllers.
      include-ipv6
          Optional. Displays the controller's IPv6 address, if assigned, in the output
  history
      Displays the adoption history of the logged device and its adopted access points
  info
      Displays adopted device information
  pending
      Displays information for devices pending adoption
  status {summary}
      Displays adoption status for the logged device. When executed without the on <DEVICE-NAME> parameter, this command displays detailed information on all devices adopted by the device on which the command is executed.
      summary
          Optional. Displays a summary of all devices adopted by the logged device.
  timeline
      Displays the logged device's adoption timeline. It also shows the adoption time of the logged device's adopted APs. To view the adoption timeline of a specific device, use the on <device-name> option to specify the device.

The following keywords are common to all of the above parameters:

  on <DEVICE-NAME>
      Optional. Displays a device's adoption information, based on the parameter passed.
      <DEVICE-NAME>
          Specify the name of the AP, wireless controller, or service platform.

Usage Guidelines
In a device's Global Config mode, use the customize > show-adoption-status command to customize the show > adoption > status command output. The following columns can be added to the output:

nx9500-6C8809(config)#customize show-adoption-status ?
  adopted-by     Device name to which the AP is adopted
  ap-name        Host-name of the adopted AP
  cdp-lldp-info  Cdp/lldp info of the Adopted AP
  config-status  Configuration status of the adopted AP
  last-adoption  Last known adoption time
  msgs           Messages status
  uptime         Uptime of the adopted AP
  version        Current version of the adopted AP
nx9500-6C8809(config)#

For more information on the customize command, see customize.

Example
The following example displays details of the:
• device to which the logged device (rfs6000-81742D) is adopted, and
• devices adopted by the logged device (ap7532-A2A4B0, ap7532-80C2AC, ap7562-84A224, etc.).

rfs6000-81742D(config)#show adoption status
Adopted by:
Type         : nx9000
System Name  : nx9500-6C8809
MAC address  : B4-C7-99-6C-88-09
MiNT address : 19.6C.88.09
Time         : 7 days 01:02:34 ago

Adopted Devices:
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME        VERSION       CFG-STAT    MSGS  ADOPTED-BY      LAST-ADOPTION    UPTIME
---------------------------------------------------------------------------------------------------------------
ap7532-A2A4B0      5.9.1.0-012D  configured  No    rfs6000-81742D  0 days 23:42:11  0 days 23:46:12
Snap004...ssPoint  5.9.1.0-012D  configured  No    rfs6000-81742D  1 days 00:25:33  1 days 02:30:57
ap7532-80C2AC      5.9.1.0-012D  error       Yes   rfs6000-81742D  1 days 00:10:00  1 days 00:11:40
ap7562-84A224      5.9.1.0-012D  configured  No    rfs6000-81742D  1 days 00:23:12  1 days 02:13:48
--More--
rfs6000-81742D(config)#
nx9500-6C8809#show adoption info
----------------------------------------------------------------------------------------------------
HOST-NAME        MAC                TYPE     MODEL             SERIAL-NUMBER
----------------------------------------------------------------------------------------------------
rfs6000-81742D   00-15-70-81-74-2D  rfs6000  RFS-6010-1000-WR  7295520400121
t5-ED7C6C        B4-C7-99-ED-7C-6C  t5       TS-0524-WR        14213522400004
----------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809#

nx9500-6C8809#show adoption status
---------------------------------------------------------------------------------------------------------------
DEVICE-NAME     VERSION       CFG-STAT    MSGS  ADOPTED-BY     LAST-ADOPTION    UPTIME
---------------------------------------------------------------------------------------------------------------
rfs6000-81742D  5.9.1.0-012D  configured  No    nx9500-6C8809  7 days 01:06:02  7 days 01:08:45
t5-ED7C6C       5.4.2.0-010R  configured  No    nx9500-6C8809  7 days 01:22:09  114 days 04:37:10
----------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 2
nx9500-6C8809#

nx9500-6C8809#show adoption offline
---------------------------------------------------------------------------------------
MAC                HOST-NAME      TYPE    RF-DOMAIN  TIME OFFLINE  CONNECTED-TO
---------------------------------------------------------------------------------------
00-23-68-11-E6-C4  ap71xx-11E6C4  ap71xx  TechPubs   unknown       None
00-23-68-9C-63-D4  ap7131-9C63D4  ap71xx  default    unknown       None
5C-0E-8B-A6-57-80  ap650-A65780   ap650   default    unknown       None
5C-0E-8B-A6-ED-14  ap650-A6ED14   ap650   default    unknown       None
84-24-8D-16-01-C4  ap7532-1601C4  ap7532  default    unknown       None
B4-C7-99-4B-F3-64  ap7131-4BF364  ap71xx  default    unknown       None
---------------------------------------------------------------------------------------
Total number of devices displayed: 6
nx9500-6C8809#

rfs6000-81742D#show adoption log adoptee on ap7532-80C2AC
2017-04-05 10:19:56:Received OK from cfgd, adoption complete to 70.81.74.2D
2017-04-05 10:19:56:Waiting for cfgd OK, adopter should be 70.81.74.2D
2017-04-05 10:19:56:Adoption state change: 'Connecting to adopter' to 'Waiting for Adoption OK'
2017-04-05 10:19:56:Adoption state change: 'Adoption failed' to 'Connecting to adopter'
2017-04-05 10:19:56:Try to adopt to 70.81.74.2D (cluster master 70.81.74.2D in adopters)
2017-04-05 10:19:27:Ignoring MLCP Offer, vlan_state MLCP_DONE != MLCP_DISCOVERING / MLCP_STP_WAITING
--More--
rfs6000-81742D#

nx9500-6C8809#show adoption controllers include-ipv6
------------------------------------------------------------------------------------------------------------------------------------
NAME            RF-DOMAIN  MAC                MINT-ID      IP             IPV6  ADOPTED-BY
------------------------------------------------------------------------------------------------------------------------------------
rfs6000-81742D  TechPubs   00-15-70-81-74-2D  70.81.74.2D  192.168.13.24  ::    nx9500-6C8809
------------------------------------------------------------------------------------------------------------------------------------
Total number of devices displayed: 1
nx9500-6C8809#
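An operator usually wants the Adopted Devices table above turned into an alert list rather than read by eye. The following Python is an added example, not code from the guide or from Extreme: it parses the fixed-column `show adoption status` output (the sample is transcribed from the example above, pager prompt included) and flags adoptees whose CFG-STAT is not `configured`, that have MSGS pending, that run an unexpected version, or whose LAST-ADOPTION is much shorter than their UPTIME (the AP was re-adopted long after it booted, so it lost and regained adoption without a reboot). The one-hour re-adoption threshold is an assumption.

```python
"""Audit the 'Adopted Devices' table printed by 'show adoption status'.

Added example, not part of the CLI reference. It parses the fixed-column
table the guide shows and flags adoptees that need attention: CFG-STAT
other than 'configured', pending MSGS, an unexpected version, or an AP
whose LAST-ADOPTION is much shorter than its UPTIME (re-adopted long
after booting, i.e. adoption was lost and regained without a reboot).
"""
import re
from dataclasses import dataclass

# Output transcribed from the guide's example on rfs6000-81742D. The
# 'Adopted by:' block and the '--More--' pager prompt are kept on purpose:
# a parser fed from captured terminal sessions has to skip them.
SAMPLE = """\
rfs6000-81742D(config)#show adoption status
Adopted by:
Type         : nx9000
System Name  : nx9500-6C8809
MAC address  : B4-C7-99-6C-88-09
MiNT address : 19.6C.88.09
Time         : 7 days 01:02:34 ago

Adopted Devices:
--------------------------------------------------------------------------------------------------------
DEVICE-NAME        VERSION       CFG-STAT    MSGS  ADOPTED-BY      LAST-ADOPTION    UPTIME
--------------------------------------------------------------------------------------------------------
ap7532-A2A4B0      5.9.1.0-012D  configured  No    rfs6000-81742D  0 days 23:42:11  0 days 23:46:12
Snap004...ssPoint  5.9.1.0-012D  configured  No    rfs6000-81742D  1 days 00:25:33  1 days 02:30:57
ap7532-80C2AC      5.9.1.0-012D  error       Yes   rfs6000-81742D  1 days 00:10:00  1 days 00:11:40
ap7562-84A224      5.9.1.0-012D  configured  No    rfs6000-81742D  1 days 00:23:12  1 days 02:13:48
--More--
rfs6000-81742D(config)#
"""

DURATION = r"\d+ days \d\d:\d\d:\d\d"          # 'N days HH:MM:SS' as printed
DURATION_RE = re.compile(r"(\d+) days (\d\d):(\d\d):(\d\d)")
# One data row. The header line never matches because MSGS must be Yes/No.
ROW_RE = re.compile(
    rf"^(?P<name>\S+)\s+(?P<version>\S+)\s+(?P<cfg>\S+)\s+(?P<msgs>Yes|No)\s+"
    rf"(?P<adopter>\S+)\s+(?P<last>{DURATION})\s+(?P<uptime>{DURATION})$"
)


@dataclass
class Adoptee:
    name: str
    version: str
    cfg_stat: str
    msgs_pending: bool
    adopted_by: str
    last_adoption_s: int   # seconds since the adopter last adopted it
    uptime_s: int          # seconds since the adoptee booted


def parse_duration(text):
    """Convert 'N days HH:MM:SS' into seconds."""
    m = DURATION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a WiNG duration: {text!r}")
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def parse_adoption_status(output):
    """Return the Adoptee rows found in 'show adoption status' output."""
    rows = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m is None:
            continue  # dashes, headers, the 'Adopted by:' block, prompts
        rows.append(Adoptee(
            name=m["name"], version=m["version"], cfg_stat=m["cfg"],
            msgs_pending=(m["msgs"] == "Yes"), adopted_by=m["adopter"],
            last_adoption_s=parse_duration(m["last"]),
            uptime_s=parse_duration(m["uptime"]),
        ))
    return rows


def audit(adoptees, expected_version=None, readopt_gap_s=3600):
    """Return (device, reason) pairs. The one-hour gap is an assumed threshold."""
    findings = []
    for a in adoptees:
        if a.cfg_stat != "configured":
            findings.append((a.name, f"config status is '{a.cfg_stat}'"))
        if a.msgs_pending:
            findings.append((a.name, "adopter has messages pending for this device"))
        if expected_version and a.version != expected_version:
            findings.append((a.name, f"runs {a.version}, expected {expected_version}"))
        gap = a.uptime_s - a.last_adoption_s
        if gap > readopt_gap_s:
            findings.append((a.name, f"re-adopted {gap} s after boot"))
    return findings


if __name__ == "__main__":
    for device, reason in audit(parse_adoption_status(SAMPLE), "5.9.1.0-012D"):
        print(f"{device}: {reason}")
```

Run against the sample it reports ap7532-80C2AC twice (config error, messages pending) and the two APs whose adoption is about two hours younger than their uptime.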
6.1.3 bluetooth (show commands)

Displays Bluetooth radio statistics for RF Domain member access points.

AP8432 and AP8533 model access points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP8432 and AP8533 models support both Bluetooth classic and Bluetooth low energy (BLE) technology. These platforms use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.

NOTE: AP8132 model access points support an external USB Bluetooth radio providing ADSP Bluetooth classic sensing functionality only, not the BLE beaconing functionality available for the AP8432 and AP8533 model access points described in this section.

AP8432 and AP8533 model access points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The access point's Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets periodically. These advertisement packets are short and sent on Bluetooth advertising channels that conform to the already-established iBeacon and Eddystone-URL standards.

Supported in the following platforms:
• Access Points: AP8432, AP8533

Syntax
show bluetooth radio {detail|on}

show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac <BT-RADIO-MAC>}} {(on <DEVICE-OR-DOMAIN-NAME>)}

Parameters
show bluetooth radio {detail {<DEVICE-NAME> <1-1>|filter bluetooth-radio-mac <BT-RADIO-MAC>}} {(on <DEVICE-OR-DOMAIN-NAME>)}

  bluetooth radio
      Displays Bluetooth radio utilization statistics based on the parameters passed
  detail <DEVICE-NAME> <1-1>
      Optional. Displays detailed Bluetooth radio utilization statistics. Optionally, to view detailed information for a specific access point's Bluetooth radio, specify the access point's and the radio's MAC addresses.
      <DEVICE-NAME> <1-1>
          Optional. Specify the access point's hostname or MAC address.
          <1-1>
              Specify the Bluetooth radio interface index number from 1 - 1. As of now only one Bluetooth radio interface is supported. The interface index number is appended to the AP's hostname or MAC address in the following format: ap8533-06FBE1:B1 OR 74-67-F7-06-FB-E1:B1
      The following information is displayed:
      • access point's hostname as its network identifier
      • access point's alias. If an alias has been defined for the access point, it's listed here. The alias value is expressed in the form <hostname>:B<Bluetooth_radio_number>. If the access point has an administrator assigned hostname, it is used in place of the access point's default hostname.
      • access point's factory encoded MAC address
      • access point and Bluetooth radio's administrator assigned area of deployment (the AP's geographical location)
      • Bluetooth radio's state (on/off)
      • Bluetooth radio's reason for inactivity (in case the radio is off)
      • Bluetooth radio's factory encoded MAC address, serving as this device's hardware identifier on the network
      • Bluetooth radio's functional mode: bt-sensor or le-beacon
      • Bluetooth radio's beacon period
      • Bluetooth radio's beacon type
      • descriptive text on any error that's preventing the Bluetooth radio from operating
  filter bluetooth-radio-mac <BT-RADIO-MAC>
      Optional. Specifies additional filters to get table values. Filters data based on the Bluetooth radio's MAC address.
      <BT-RADIO-MAC>
          Specify the Bluetooth radio's MAC address. The system only displays statistics related to the specified Bluetooth radio.

The following keywords are recursive and common to all of the above.

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays Bluetooth radio statistics on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME>
          Specify the name of the device or RF Domain. If the device name is explicitly given, the results display data for the specified AP only. If the RF Domain is explicitly given, the results display data for all APs within the specified RF Domain. If no device/RF Domain is specified, the results include data for all Bluetooth radios within the controller's RF Domain. If the controller is in the on rf-domain all mode, the results include data for all Bluetooth radios for all APs in each domain known to the controller.

Example
nx9500-6C8809(config)#show bluetooth radio on ap8533-06F808
-----------------------------------------------------------------------------
BLUETOOTH RADIO     RADIO MAC          MODES       STATE
-----------------------------------------------------------------------------
ap8533-06F808:B1    74-67-F7-08-A3-B0  BLE-Beacon  On
-----------------------------------------------------------------------------
Total number of Bluetooth radios displayed: 0
nx9500-6C8809(config)#

nx9500-6C8809(config)#show bluetooth radio detail 74-67-F7-06-F8-08 1
Radio: 74-67-F7-06-F8-08:B1, alias ap8533-06F808:B1
STATE         : Off [shutdown in cfg]
PHY INFO      : MAC: 74-67-F7-08-A3-B0
ACCESS POINT  : Name: ap8533-06F808 Location: default Placement: Indoor
ENABLED MODES : BLE-Beacon
BEACON TYPES  : Eddystone-URL
BEACON PERIOD : 1000ms
Last error    :
nx9500-6C8809(config)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 15 SHOW COMMANDS

6.1.4 boot
show commands

Displays a device's boot configuration. Use this command to view the primary and secondary image details, such as Build Date, Install Date, and Version. This command also displays the current boot and next boot information.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show boot {on <DEVICE-NAME>}

Parameters
show boot {on <DEVICE-NAME>}

boot                 Displays primary and secondary image boot configuration details (build date, install date, version, and the image used to boot the current session)
on <DEVICE-NAME>     Optional. Displays a specified device's boot configuration
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
                     Note: Use the on <DEVICE-NAME> option to view a remote device's boot configuration.

Example
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE      BUILD DATE            INSTALL DATE          VERSION
--------------------------------------------------------------------------------
Primary    05/31/2017 22:24:22   06/02/2017 14:22:51   5.9.0.0-029R
Secondary  05/27/2017 01:00:26   05/30/2017 10:35:55   5.9.0.0-028B
--------------------------------------------------------------------------------
Current Boot      : Primary
Next Boot         : Primary
Software Fallback : Enabled
VM support        : Not present
nx9500-6C8809#

nx9500-6C8809#show boot on TechPubs/rfs6000-6DB5D4
--------------------------------------------------------------------------------
IMAGE      BUILD DATE            INSTALL DATE          VERSION
--------------------------------------------------------------------------------
Primary    05/31/2017 22:24:22   06/02/2017 14:22:51   5.9.0.0-029R
Secondary  05/27/2017 01:00:26   05/30/2017 10:35:55   5.9.0.0-028B
--------------------------------------------------------------------------------
Current Boot      : Primary
Next Boot         : Primary
Software Fallback : Enabled
VM support        : Not present
nx9500-6C8809#
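Added example (not from this guide): a Python parser for the show boot output above that extracts the image table and the Current Boot, Next Boot and Software Fallback fields, then checks the device against a firmware baseline such as a patch-compliance job would. The sample session text and the baseline version strings are constructed; the version ordering assumes the release-build format (for example 5.9.0.0-029R) shown in the output.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the 'show boot' output in the guide (not a real capture).
SAMPLE_SHOW_BOOT = """\
nx9500-6C8809#show boot
--------------------------------------------------------------------------------
IMAGE      BUILD DATE            INSTALL DATE          VERSION
--------------------------------------------------------------------------------
Primary    05/31/2017 22:24:22   06/02/2017 14:22:51   5.9.0.0-029R
Secondary  05/27/2017 01:00:26   05/30/2017 10:35:55   5.9.0.0-028B
--------------------------------------------------------------------------------
Current Boot      : Primary
Next Boot         : Primary
Software Fallback : Enabled
VM support        : Not present
nx9500-6C8809#
"""

# One image row: IMAGE, BUILD DATE, INSTALL DATE, VERSION (dates are MM/DD/YYYY HH:MM:SS).
_TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"
IMAGE_RE = re.compile(rf"^(Primary|Secondary)\s+({_TS})\s+({_TS})\s+(\S+)\s*$")
# The 'key : value' lines printed below the image table.
FIELD_RE = re.compile(r"^(Current Boot|Next Boot|Software Fallback|VM support)\s*:\s*(.+?)\s*$")


@dataclass
class BootInfo:
    device: str = ""                              # hostname taken from the CLI prompt
    images: dict = field(default_factory=dict)   # image name -> version string
    current_boot: str = ""
    next_boot: str = ""
    fallback: str = ""


def parse_show_boot(text: str) -> BootInfo:
    """Parse one 'show boot' session (prompt, table and trailing fields) into a BootInfo."""
    info = BootInfo()
    for line in text.splitlines():
        if not info.device and line.endswith("#show boot"):
            info.device = line[: -len("#show boot")]
            continue
        m = IMAGE_RE.match(line)
        if m:
            info.images[m.group(1)] = m.group(4)
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Current Boot":
                info.current_boot = value
            elif key == "Next Boot":
                info.next_boot = value
            elif key == "Software Fallback":
                info.fallback = value
    return info


def version_key(version: str) -> tuple:
    """'5.9.0.0-029R' -> (5, 9, 0, 0, 29, 'R'), so that versions compare numerically."""
    release, _, build = version.partition("-")
    m = re.fullmatch(r"(\d+)([A-Za-z]*)", build)
    build_num, build_tag = (int(m.group(1)), m.group(2)) if m else (0, build)
    return tuple(int(p) for p in release.split(".")) + (build_num, build_tag)


def check_boot(info: BootInfo, baseline: str) -> list:
    """Findings for a device whose next boot image should run at least 'baseline'."""
    findings = []
    next_version = info.images.get(info.next_boot)
    if next_version is None:
        findings.append(f"next boot image '{info.next_boot}' not present in image table")
    elif version_key(next_version) < version_key(baseline):
        findings.append(f"next boot image runs {next_version}, below baseline {baseline}")
    if info.next_boot != info.current_boot:
        findings.append(f"reboot will switch from {info.current_boot} to {info.next_boot}")
    if info.fallback.lower() != "enabled":
        findings.append("software fallback is not enabled")
    return findings


if __name__ == "__main__":
    parsed = parse_show_boot(SAMPLE_SHOW_BOOT)
    for finding in check_boot(parsed, "5.9.1.0-015D") or ["no findings"]:
        print(f"{parsed.device}: {finding}")
```

Feed it the output of show boot on <DEVICE-NAME> for each managed device to find units whose next-boot image lags the approved release.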
6.1.5 bonjour
show commands

Displays the configured Bonjour services available on local and remote sites.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show bonjour services {on <DEVICE-NAME>}

Parameters
show bonjour services {on <DEVICE-NAME>}

bonjour services     Displays the configured Bonjour services available on local and remote sites
on <DEVICE-NAME>     Optional. Displays Bonjour services available on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D#show bonjour services on ap7131-11E6C4
--------------------------------------------------------------------------------------------------------------------------------------
SERVICE_NAME                      INSTANCE_NAME                                   IP:PORT              VLAN-ID  VLAN_TYPE  EXPIRY
--------------------------------------------------------------------------------------------------------------------------------------
_pdl-datastream._tcp.local        Brother MFC-8510DN._pdl-datastream._tcp.local   172.110.0.146:9100   110      Local      Tue Sep 12 02:07:44 2017
_universal._sub._ipp._tcp.local   Brother MFC-8510DN._ipp._tcp.local              172.110.0.146:631    110      Local      Tue Sep 12 02:36:13 2017
_ipp._tcp.local                   Brother MFC-8510DN._ipp._tcp.local              172.110.0.146:631    110      Local      Tue Sep 12 02:36:13 2017
--------------------------------------------------------------------------------------------------------------------------------------
rfs6000-81742D#
6.1.6 captive-portal
show commands

Displays WLAN captive portal information. Use this command to view a configured captive portal's client information.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics} {(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|ip [<IPv4>|not <IPv4>]|ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not [pending|success]]|vlan [<VLAN-ID>|not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-NAME>]])}

Parameters
show captive-portal sessions {include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics} {(filter [captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]|ip [<IPv4>|not <IPv4>]|ipv6 [<IPv6>|not <IPv6>]|state [pending|success|not [pending|success]]|vlan [<VLAN-ID>|not <VLAN-ID>]|wlan [<WLAN-NAME>|not <WLAN-NAME>]])}

captive-portal sessions          Displays active captive portal client session details
include-ipv6                     Optional. Includes the IPv6 address (if known) of captive portal clients. By default the system only displays IPv4 addresses; the include-ipv6 parameter adds the IPv6 address (if known) of each client.
statistics                       Optional. Displays statistical information regarding client sessions
on <DEVICE-OR-DOMAIN-NAME>       Optional. Displays active captive portal session details on a specified device or RF Domain.
                                 <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.
                                 This parameter is recursive and can be used with any of the above parameters to define additional filters.
filter                           Optional. Defines additional filters. Use one of the following options: captive-portal, ip, ipv6, state, vlan, or wlan.
captive-portal [<CAPTIVE-PORTAL>|not <CAPTIVE-PORTAL>]
                                 Optional. Displays captive portal client and client session information, based on the captive portal name passed
                                 <CAPTIVE-PORTAL> Specify the captive portal name. Displays client details for the specified captive portal.
                                 not <CAPTIVE-PORTAL> Inverts the match selection. Displays client details for all captive portals other than the specified captive portal.
ip [<IPv4>|not <IPv4>]           Optional. Displays captive portal client/client session information, based on the IPv4 address passed
                                 <IPv4> Specify the client's IPv4 address. Displays information of the client identified by the <IPv4> parameter.
                                 not <IPv4> Inverts the match selection. Displays client details for all clients other than the one identified by the <IPv4> parameter.
ipv6 [<IPv6>|not <IPv6>]         Optional. Displays captive portal client/client session information, based on the IPv6 address passed. This filter option is available only with the include-ipv6 keyword.
                                 <IPv6> Specify the client's IPv6 address. Displays information of the client identified by the <IPv6> parameter.
                                 not <IPv6> Inverts the match selection. Displays client details for all clients other than the one identified by the <IPv6> parameter.
state [pending|success|not [pending|success]]
                                 Optional. Filters clients/client sessions based on the client's authentication state
                                 pending Displays information of clients redirected for authentication
                                 success Displays information of successfully authenticated clients
                                 not [pending|success] Inverts the match selection:
                                   pending Displays information of successfully authenticated clients (opposite of pending authentication)
                                   success Displays information of clients redirected for authentication (opposite of successful authentication)
vlan [<VLAN-ID>|not <VLAN-ID>]   Optional. Displays captive portal client/client session information based on the VLAN ID passed
                                 <VLAN-ID> Specify the VLAN ID. Displays client details for the specified VLAN.
                                 not <VLAN-ID> Inverts the match selection. Displays client details for all VLANs other than the one identified by the <VLAN-ID> parameter.
wlan [<WLAN-NAME>|not <WLAN-NAME>]
                                 Optional. Displays captive portal client/client session information based on the WLAN name passed
                                 <WLAN-NAME> Specify the WLAN name. Displays client details for the specified WLAN.
                                 not <WLAN-NAME> Inverts the match selection. Displays client details for all WLANs other than the one identified by the <WLAN-NAME> parameter.

Example
rfs4000-229D58#show captive-portal sessions
=======================================================================================
CLIENT             IPv4          CAPTIVE-PORTAL  WLAN/PORT           VLAN  STATE    SESSION TIME
---------------------------------------------------------------------------------------
00-26-55-F4-5F-79  192.168.3.99  cappo           rfs4000-229D58:ge2  400   Success  23:58:35
=======================================================================================
Total number of captive portal sessions displayed: 1
rfs4000-229D58#
6.1.7 captive-portal-page-upload
show commands

Displays captive portal page information, such as upload history, upload status, and page file download status.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show captive-portal-page-upload [history|list-files|load-image-status|status]
show captive-portal-page-upload load-image-status
show captive-portal-page-upload history {on <RF-DOMAIN-NAME>}
show captive-portal-page-upload status {on [<RF-DOMAIN-NAME>|<RF-DOMAIN-MANAGER>]}
show captive-portal-page-upload list-files <CAPTIVE-PORTAL-NAME>

Parameters
show captive-portal-page-upload load-image-status

load-image-status               Displays captive portal advanced page file download status on the logged device

show captive-portal-page-upload history {on <RF-DOMAIN-NAME>}

history {on <RF-DOMAIN-NAME>}   Displays captive portal page upload history
                                on <RF-DOMAIN-NAME> Optional. Displays captive portal page upload history within a specified RF Domain. Specify the RF Domain name.

show captive-portal-page-upload status {on [<RF-DOMAIN-NAME>|<RF-DOMAIN-MANAGER>]}

status {on <RF-DOMAIN-NAME>|on <RF-DOMAIN-MANAGER>}
                                Displays captive portal page upload status
                                on <RF-DOMAIN-NAME> Optional. Displays captive portal page upload status within a specified RF Domain. Specify the RF Domain name.
                                on <RF-DOMAIN-MANAGER> Optional. Displays captive portal page upload status for a specified RF Domain Manager. Specify the RF Domain Manager name.

show captive-portal-page-upload list-files <CAPTIVE-PORTAL-NAME>

list-files <CAPTIVE-PORTAL-NAME>
                                Displays a list of all captive portal Web page files (internal and advanced page files) uploaded for a specified captive portal
                                <CAPTIVE-PORTAL-NAME> Specify the captive portal name.

Example
nx7500-7F2C13#captive-portal-page-upload CP-BW all
--------------------------------------------------------------------------------
CONTROLLER          STATUS    MESSAGE
--------------------------------------------------------------------------------
84-24-8D-7F-2C-13   Success   Added 1 APs to upload queue
--------------------------------------------------------------------------------
nx7500-7F2C13#

nx7500-7F2C13#show captive-portal-page-upload load-file-status
Download of CP-BW page file is complete
nx7500-7F2C13#

nx7500-7F2C13#show captive-portal-page-upload list-files CP-BW
--------------------------------------------------------------------------------
NAME             SIZE   LAST MODIFIED
--------------------------------------------------------------------------------
CP-BW-1.tar.gz   6133   2016-05-16 10:38:40
CP-BW.tar.gz     3370   2016-05-16 10:45:44
--------------------------------------------------------------------------------
nx7500-7F2C13#
6.1.8 cdp
show commands

Displays the Cisco Discovery Protocol (CDP) neighbor table.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}

Parameters
show cdp [neighbors|report] {detail {on <DEVICE-NAME>}|on <DEVICE-NAME>}

cdp [neighbors|report]       Displays the CDP neighbors table or the aggregated CDP neighbors table
detail {on <DEVICE-NAME>}    Optional. Displays the detailed CDP neighbors table or aggregated CDP neighbors table
                             on <DEVICE-NAME> Optional. Displays table details on a specified device
                             <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
on <DEVICE-NAME>             Optional. Displays table details on a specified device
                             <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example
The following example shows the detailed CDP neighbors table:

nx9500-6C8809#show cdp neighbors detail
-------------------------
Device ID: ap8132-74B45C
Entry address(es):
  IP Address: 192.168.13.26
Platform: AP-8132-66040-WR, Capabilities: Router Switch
Interface: ge1, Port ID (outgoing port): ge1
Hold Time: 165 sec
advertisement version: 2
Native VLAN: 1
Duplex: full
Version :
5.8.6.0-008B
-------------------------
Device ID: ap7532-80C2AC
Entry address(es):
  IP Address: 192.168.13.28
Platform: AP-7532-67040-WR, Capabilities: Router Switch
Interface: ge1, Port ID (outgoing port): ge1
Hold Time: 169 sec
--More--
nx9500-6C8809#

The following example shows the non-detailed CDP neighbors table:

rfs6000-81742D#show cdp neighbors
--------------------------------------------------------------------------------
Device ID        Platform            Local Interface   Port ID   Duplex
--------------------------------------------------------------------------------
nx9500-6C8809    NX-9500-100R0-WR    ge2               ge1       full
rfs6000-81742D   RFS-6010-1000-WR    ge2               ge1       full
rfs4000-880DA7   RFS-4011-11110-US   ge2               ge1       full
ap6521-42936C    AP-6521E-60020-WR   ge2               ge1       full
--------------------------------------------------------------------------------
rfs6000-81742D#
6.1.9 classify-url
show commands

Displays a specified URL's category. Use this command to query the category of a specific URL. The query is sent to a configured classification server. This option is available only if a valid URL filter license is available.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]

Parameters
show classify-url [<URL-TO-QUERY>|datacenter <URL-TO-QUERY>]

classify-url                  Queries the category of a specified URL
<URL-TO-QUERY>                Specify the URL to query. The query is sent to the configured classification server.
datacenter <URL-TO-QUERY>     The query is sent to a global classification datacenter
                              <URL-TO-QUERY> Specify the URL to query.

Example
nx9500-6C8809#show classify-url www.google.com
Categories: search-engines-portals, Custom Categories:
nx9500-6C8809#

nx9500-6C8809#show classify-url www.ndtv.com
Categories: news, Custom Categories: list1,
nx9500-6C8809#
6.1.10 clock
show commands

Displays a selected system's clock.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show clock {on <DEVICE-NAME>}

Parameters
show clock {on <DEVICE-NAME>}

clock                Displays a system's clock
on <DEVICE-NAME>     Optional. Displays the system clock on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
rfs6000-81742D#show clock
2017-04-06 15:50:42 IST
rfs6000-81742D#
6.1.11 cluster
show commands

Displays cluster information (cluster configuration parameters, members, status, etc.).

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show cluster [configuration|history|members|status]
show cluster [configuration|history {on <DEVICE-NAME>}|members {detail}|status]

Parameters
show cluster [configuration|history {on <DEVICE-NAME>}|members {detail}|status]

cluster                      Displays cluster information
configuration                Displays cluster configuration details
history {on <DEVICE-NAME>}   Displays cluster history status
                             <DEVICE-NAME> Optional. Specify the controller or access point name. If the device name is not specified, the system displays all cluster history.
members {detail}             Displays cluster members configured on the logged device
                             detail Optional. Displays detailed information of known cluster members
status                       Displays cluster status

Example
rfs6000-380649(config)#show cluster configuration
Cluster Configuration Information
 Name                         : SiteConRFS6k
 Configured Mode              : Active
 Master Priority              : 128
 Force configured state       : Disabled
 Force configured state delay : 5 minutes
 Handle STP                   : Disabled
 Radius Counter DB Sync Time  : 5 minutes
rfs6000-380649(config)#

rfs6000-380649(config)#show cluster members detail
---------------------------------------------------------------------------------------
ID           MAC                MODE     AP COUNT   AAP COUNT   AP LICENSE   AAP LICENSE   VERSION
---------------------------------------------------------------------------------------
70.38.06.49  00-15-70-38-06-49  Active   0          1           0            0             5.8.6.0-008B
70.81.74.2D  00-15-70-81-74-2D  Active   0          0           1            0             5.8.6.0-008B
---------------------------------------------------------------------------------------
rfs6000-380649(config)#

rfs6000-380649(config)#show cluster status
Cluster Runtime Information
 Protocol version             : 1
 Cluster operational state    : active
 AP license                   : 1
 AAP license                  : 0
 AP count                     : 0
 AAP count                    : 1
 Max AP adoption capacity     : 256
 Number of connected member(s): 1
rfs6000-380649(config)#
6.1.12 cmp-factory-certs
show commands

Displays factory installed CMP certificates.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show cmp-factory-certs {all}

Parameters
show cmp-factory-certs {all}

cmp-factory-certs {all}   Displays factory installed CMP certificates on the logged device. Optionally use the all keyword to view certificate details.

Example
nx9500-6C8809>show cmp-factory-certs
No CMP factory certificate exist
nx9500-6C8809>
6.1.13 commands
show commands

Displays the commands available for the current mode.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show commands

Parameters
None

Example
rfs4000-880DA7(config)#show commands
help
help search WORD (|detailed|only-show|skip-show|skip-no)
show commands
show adoption log adoptee(|on DEVICE-NAME)
show adoption log adopter (|mac AA-BB-CC-DD-EE-FF)(|on DEVICE-NAME)
show adoption info (|on DEVICE-NAME)
show adoption status (|on DEVICE-NAME)
show adoption status summary (|on DEVICE-NAME)
show adoption config-errors DEVICE-NAME
show adoption offline
show adoption pending (|on DEVICE-NAME)
show adoption history (|on DEVICE-NAME)
show adoption timeline (|on DEVICE-NAME)
show adoption controllers (|on DEVICE-NAME)
show adoption controllers include-ipv6(|on DEVICE-NAME)
show debugging (|on DEVICE-OR-DOMAIN-NAME)
show debugging cfgd(|on DEVICE-NAME)
show debugging fib(|on DEVICE-NAME)
show debugging adoption (|on DEVICE-OR-DOMAIN-NAME)
show debugging wireless (|on DEVICE-OR-DOMAIN-NAME)
show debugging snmp (|on DEVICE-NAME)
show debugging ssm (|on DEVICE-NAME)
show debugging voice (|on DEVICE-OR-DOMAIN-NAME)
--More--
rfs4000-880DA7(config)#
6.1.14 context
show commands

Displays the current context details.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show context {include-factory|session-config {include-factory}}

Parameters
show context {include-factory|session-config {include-factory}}

include-factory                    Optional. Includes factory defaults
session-config {include-factory}   Optional. Displays running system information in the current context
                                   include-factory Optional. Includes factory defaults

Example
rfs4000-880DA7(config)#show context
!
! Configuration of RFS4000 version 5.9.1.0-015D
!
!
version 2.5
!
!
client-identity-group default
 load default-fingerprints
!
ip snmp-access-list default permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
radio-qos-policy default
!
auto-provisioning-policy 4K
!
--More--
rfs4000-880DA7(config)#
6.1.15 critical-resources
show commands

Displays critical resource information. Critical resources are resources vital to the network.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show critical-resources {on <DEVICE-NAME>}

Parameters
show critical-resources {on <DEVICE-NAME>}

critical-resources   Displays critical resource information
on <DEVICE-NAME>     Optional. Displays critical resource information on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example
rfs4000-229D58(config)#show critical-resources
--------------------------------------------------------------------------
CRITICAL RESOURCE IP   VLAN   PING-MODE   STATE
--------------------------------------------------------------------------
172.168.1.103          1      arp-icmp    up
--------------------------------------------------------------------------
rfs4000-229D58(config)#
6.1.16 crypto
show commands

Displays encryption mode information.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show crypto [cmp|ike|ipsec|key|pki]
show crypto cmp request status
show crypto ike sa {detail|on|peer|version}
show crypto ike sa {detail|peer <IP>} {on <DEVICE-NAME>}
show crypto ike sa {version [1|2]} {peer <IP>} {(on <DEVICE-NAME>)}
show crypto ipsec sa {detail|on|peer}
show crypto ipsec sa {detail} {on <DEVICE-NAME>}
show crypto ipsec sa {peer <IP>} {detail} {(on <DEVICE-NAME>)}
show crypto key rsa {on|public-key-detail}
show crypto key rsa {public-key-detail} {(on <DEVICE-NAME>)}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all|on}
show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {(on <DEVICE-NAME>)}

Parameters
show crypto cmp request status

crypto cmp request status   Displays the current status of in-progress certificate management protocol (CMP) requests. For more information, see CRYPTO-CMP-POLICY.

show crypto ike sa {detail|peer <IP>} {on <DEVICE-NAME>}

crypto ike sa        Displays Internet Key Exchange (IKE) security association (SA) statistics
detail               Displays detailed IKE SA statistics
peer <IP>            Optional. Displays IKE SA statistics for a specified peer
                     <IP> Specify the peer's IP address in the A.B.C.D format
on <DEVICE-NAME>     Optional. Displays IKE SA statistics on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show crypto ike sa {version [1|2]} {peer <IP>} {(on <DEVICE-NAME>)}

crypto ike sa        Displays IKE SA details
version [1|2]        Optional. Displays IKE SA version statistics
                     1 Displays IKEv1 statistics
                     2 Displays IKEv2 statistics
peer <IP>            Optional. Displays IKE SA version statistics for a specified peer
                     <IP> Specify the peer's IP address in the A.B.C.D format
                     The following keyword is recursive and common to the peer ip parameter:
on <DEVICE-NAME>     Optional. Displays IKE SA statistics on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show crypto ipsec sa {detail} {on <DEVICE-NAME>}

crypto ipsec sa      Displays Internet Protocol Security (IPSec) SA statistics. IPSec authenticates and encrypts each IP packet in a communication session.
detail               Optional. Displays detailed IPSec SA statistics
on <DEVICE-NAME>     Optional. Displays IPSec SAs on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show crypto ipsec sa {peer <IP>} {detail} {(on <DEVICE-NAME>)}

crypto ipsec sa      Displays IPSec SA statistics. IPSec authenticates and encrypts each IP packet in a communication session.
peer <IP>            Optional. Displays IPSec SA statistics for a specified peer
                     <IP> Specify the peer's IP address in the A.B.C.D format.
                     detail Displays detailed IPSec SA statistics for the specified peer
                     The following keyword is recursive:
on <DEVICE-NAME>     Optional. Displays IPSec SAs on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show crypto key rsa {public-key-detail} {(on <DEVICE-NAME>)}

crypto key rsa       Displays RSA public keys
public-key-detail    Optional. Displays the public key in the Privacy-Enhanced Mail (PEM) format
                     The following keyword is recursive:
on <DEVICE-NAME>     Optional. Displays the public key on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {(on <DEVICE-NAME>)}

crypto pki           Displays PKI related information
trustpoints          Displays WLAN trustpoints. This command displays all trustpoints, including CMP-generated trustpoints.
<TRUSTPOINT-NAME>    Optional. Displays a specified trustpoint's details. Specify the trustpoint name.
all                  Optional. Displays details of all trustpoints
                     The following keyword is recursive and common to the trustpoint-name and all parameters:
on <DEVICE-NAME>     Optional. Displays trustpoints configured on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809(config)#show crypto key rsa public-key-detail
RSA key name: ting
Key-length: 2048
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLj11yR38+/mcInGRlrw
3DaasuTJhKsWg7kcSVkM7RLd/Wq/mPZEsqwFLnvFIm4rVIke+mVdWBqV4oGE1TUm
Z4YqKtzlANSAG7EZREr3MXEIHd49NHYeK8U+1EAmHN9F21XCxTO+yRMngKDJeHfz
Za2/64PdBsnRlV4nqCGMGHbbaaCwGe5X0a
RSA key name: default_rsa_key
Key-length: 2048
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3hyJDk9aMk97X3PhoyMb
6nufFLFUkpF9YwSqO2fNyp9SutqpoML/VAMHHotmaa6SsxPURF8mC66bT7De32r7
wwPd7pIWwALTscwCzd3CrB1jY8s2OQ7ZHGCH6MLau+LeoNPE0c+uH3tNLloTAvSG
xtUAHfwFa4rM6vlzs/ejJ4InnboI8i4uIA
nx9500-6C8809(config)#

nx9500-6C8809(config)#show crypto key rsa
--------------------------------------------------------------------------------
#   KEY NAME          KEY LENGTH
--------------------------------------------------------------------------------
1   ting              2048
2   default_rsa_key   2048
--------------------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show crypto pki trustpoints all
Trustpoint Name: default-trustpoint (self signed)
-------------------------------------------------------------------------------
CRL present: no
Server Certificate details:
  Key used: default_rsa_key
  Serial Number: 051d
  Subject Name:
  /CN=NX9500-B4-C7-99-6C-88-09
  Issuer Name:
  /CN=NX9500-B4-C7-99-6C-88-09
  Valid From : Thu Dec 5 04:15:59 2013 UTC
  Valid Until: Sun Dec 3 04:15:59 2023 UTC
nx9500-6C8809(config)#

nx9500-6C8809>show crypto cmp request status
CMP Request Status: ir-req-reset
nx9500-6C8809>
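Added example (not from this guide): Python that parses the show crypto key rsa table and the show crypto pki trustpoints all output above and reports what a certificate-hygiene review of a controller would flag: self-signed trustpoints, CA-issued trustpoints with no CRL loaded, RSA keys below a minimum length, and certificates expired or close to expiry as of a given date. The sample text is constructed from the outputs shown above; the legacy_key entry and the vpn-ca trustpoint are invented so that the checks have something to report.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed samples modelled on the guide's outputs. 'legacy_key' and the
# 'vpn-ca' trustpoint are invented so that the checks below have something to flag.
SAMPLE_KEY_TABLE = """\
#   KEY NAME          KEY LENGTH
--------------------------------------------------------------------------------
1   ting              2048
2   default_rsa_key   2048
3   legacy_key        1024
"""

SAMPLE_TRUSTPOINTS = """\
Trustpoint Name: default-trustpoint (self signed)
-------------------------------------------------------------------------------
CRL present: no
Server Certificate details:
  Key used: default_rsa_key
  Serial Number: 051d
  Subject Name:
  /CN=NX9500-B4-C7-99-6C-88-09
  Issuer Name:
  /CN=NX9500-B4-C7-99-6C-88-09
  Valid From : Thu Dec  5 04:15:59 2013 UTC
  Valid Until: Sun Dec  3 04:15:59 2023 UTC
Trustpoint Name: vpn-ca
-------------------------------------------------------------------------------
CRL present: yes
Server Certificate details:
  Key used: legacy_key
  Valid From : Mon Jan  2 00:00:00 2023 UTC
  Valid Until: Fri Jan  2 00:00:00 2026 UTC
"""


@dataclass
class Trustpoint:
    name: str
    self_signed: bool = False
    crl_present: bool = False
    key_used: str = ""
    valid_until: datetime = None


def parse_key_lengths(text: str) -> dict:
    """Rows of the 'show crypto key rsa' table -> {key name: key length in bits}."""
    rows = (re.match(r"^\s*\d+\s+(\S+)\s+(\d+)\s*$", ln) for ln in text.splitlines())
    return {m.group(1): int(m.group(2)) for m in rows if m}


def _parse_ctime(s: str) -> datetime:
    # 'Sun Dec  3 04:15:59 2023 UTC': collapse the padding before single-digit days first.
    return datetime.strptime(" ".join(s.split()), "%a %b %d %H:%M:%S %Y UTC").replace(tzinfo=timezone.utc)


def parse_trustpoints(text: str) -> list:
    """'show crypto pki trustpoints all' output -> one Trustpoint per 'Trustpoint Name:' block."""
    records = []
    for line in text.splitlines():
        m = re.match(r"^Trustpoint Name:\s*(\S+)(.*)$", line)
        if m:
            records.append(Trustpoint(name=m.group(1), self_signed="self signed" in m.group(2)))
            continue
        if not records:
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        tp = records[-1]
        if key == "CRL present":
            tp.crl_present = value.lower() == "yes"
        elif key == "Key used":
            tp.key_used = value
        elif key == "Valid Until":
            tp.valid_until = _parse_ctime(value)
    return records


def audit(trustpoints: list, key_lengths: dict, as_of: str, warn_days: int = 90, min_bits: int = 2048) -> list:
    """(trustpoint name, issue) pairs; 'as_of' is the review date as YYYY-MM-DD (UTC)."""
    now = datetime.fromisoformat(as_of).replace(tzinfo=timezone.utc)
    issues = []
    for tp in trustpoints:
        if tp.self_signed:
            issues.append((tp.name, "self-signed certificate"))
        elif not tp.crl_present:
            issues.append((tp.name, "no CRL loaded for CA-issued certificate"))
        bits = key_lengths.get(tp.key_used)
        if bits is None:
            issues.append((tp.name, f"key '{tp.key_used}' not in RSA key table"))
        elif bits < min_bits:
            issues.append((tp.name, f"RSA key '{tp.key_used}' is {bits} bits (< {min_bits})"))
        if tp.valid_until is None:
            issues.append((tp.name, "validity period not found"))
        elif tp.valid_until <= now:
            issues.append((tp.name, f"expired on {tp.valid_until:%Y-%m-%d}"))
        elif tp.valid_until - now <= timedelta(days=warn_days):
            issues.append((tp.name, f"expires in {(tp.valid_until - now).days} days"))
    return issues
```

Run it over the output collected with the on <DEVICE-NAME> form from each controller to keep the self-signed default-trustpoint and any short keys from silently serving management or captive portal traffic.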
6.1.17 database
show commands

Displays database-related statistics and status.

Supported in the following platforms:
Service Platforms: NX9500, NX9510, VX9000

Syntax
show database [backup-status|keyfile|restore-status|statistics|status|users] {on <DEVICE-NAME>}

Parameters
show database [backup-status|keyfile|restore-status|statistics|status|users] {on <DEVICE-NAME>}

database             Displays all configured database-related statistics and status
backup-status        Displays the last database backup status
keyfile              Displays the keyfiles generated on the database host to enable authenticated database access
restore-status       Displays the last database restore status
statistics           Displays database-related statistics, such as the name of the database (NSight or captive portal), data size, storage size, free disk space available, etc.
status               Displays database status, such as online time
users                Displays the database users created. These are the users that can access the databases.
on <DEVICE-NAME>     Optional. Displays database-related information on a specified device
                     <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example
vx9000-D031F2(config)#show database backup-status detail
Last Database Backup Status : Failed(Error in ftp: 1)
Last Database Backup Time   : 2017-04-11 08:03:10
-----------------------------------------------
Starting backup of mart ...
connected to: 127.0.0.1
2015-05-20T14:02:46.340+0530 DATABASE: mart to dump/mart
2015-05-20T14:02:46.341+0530 mart.system.indexes to dump/mart/system.indexes.bson
2015-05-20T14:02:46.341+0530 61 documents
2015-05-20T14:02:46.341+0530 mart.wlan_info to dump/mart/wlan_info.bson
2015-05-20T14:02:46.341+0530 5 documents
2015-05-20T14:02:46.342+0530 Metadata for mart.wlan_info to dump/mart/wlan_info.metadata.json
2015-05-20T14:02:46.342+0530 mart.rf_domain_info to dump/mart/rf_domain_info.bson
2015-05-20T14:02:46.342+0530 21 documents
2015-05-20T14:02:46.342+0530 Metadata for mart.rf_domain_info to dump/mart/rf_domain_info.metadata.json
--More--
vx9000-D031F2(config)#
vx9000-D031F2(config)#show database status
--------------------------------------------------------------------------------
MEMBER       STATE       ONLINE TIME
--------------------------------------------------------------------------------
localhost    PRIMARY     2 days 3 hours 45 min 24 sec
--------------------------------------------------------------------------------
Authentication: Disabled
Authentication User: None
--------------------------------------------------------------------------------
[*] indicates this device.
vx9000-D031F2(config)#

vx9000-D031F2(config)#show database statistics
--------------------------------------------------------------------------------
DATABASE         STORAGE SIZE   DATA SIZE   INDEX SIZE   DISK FREE
--------------------------------------------------------------------------------
admin            32k            335         48k          594.5G
captive-portal   4k             0           24k          594.5G
nsightcache      96k            2.0k        264k         594.5G
nsight           26.1M          136.6M      18.9M        594.5G
--------------------------------------------------------------------------------
vx9000-D031F2(config)#
nx9500-6C8809#show database keyfile
nx9500-6C8809#
6.1.18 device-upgrade show commands

Displays firmware upgrade information for devices adopted by a wireless controller or access point.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show device-upgrade [history|load-image-status|status|versions]
show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|versions {on <DEVICE-OR-DOMAIN-NAME>}]
show device-upgrade status {on [<DOMAIN-NAME>|rf-domain-manager]|summary {on <DOMAIN-NAME>}}

Parameters
show device-upgrade [history {on <DOMAIN-NAME>}|load-image-status|versions {on <DEVICE-OR-DOMAIN-NAME>}]

device-upgrade
    Displays device upgrade information based on the parameters passed.
history {on <DOMAIN-NAME>}
    Displays device upgrade history.
    on <DOMAIN-NAME> - Optional. Displays upgrade history for all devices within a specified RF Domain. Specify the RF Domain name.
load-image-status
    Displays firmware image loading status. The output displays the <DEVICE> image loading status in percentage. For example:
    #show device-upgrade load-image-status
    Download of ap81xx firmware file is 47 percent complete
versions {on <DEVICE-OR-DOMAIN-NAME>}
    Displays firmware image versions.
    on <DEVICE-OR-DOMAIN-NAME> - Optional. Displays firmware image versions loaded on a specified device or RF Domain. Specify the name of the AP, wireless controller, service platform, or RF Domain.

show device-upgrade status {on [<DOMAIN-NAME>|rf-domain-manager]|summary {on <DOMAIN-NAME>}}

device-upgrade
    Displays device upgrade information based on the parameters passed.
status
    Displays in-progress device upgrade status.
    on [<DOMAIN-NAME>|rf-domain-manager] - Optional. Displays the in-progress upgrade status of all devices within a specified RF Domain, or of all devices upgraded by the RF Domain manager. Use this option to view the upgrade status of multiple devices.
        <DOMAIN-NAME> - Specify the RF Domain name.
        rf-domain-manager - Select to view devices upgraded by the RF Domain manager.
summary {on <DOMAIN-NAME>}
    Displays a summary of in-progress upgrade processes.
    on <DOMAIN-NAME> - Optional. Displays in-progress upgrade processes within a specified RF Domain. Specify the RF Domain name.

Example
nx9500-6C8809#device-upgrade load-image rfs6000 ftp://anonymous:anonymous@192.168.13.10/LatestBuilds/W59/RFS6000-LEAN.img
nx9500-6C8809#show device-upgrade load-image-status
Download of rfs6000 firmware file is complete
nx9500-6C8809#
nx9500-6C8809#show device-upgrade status
Number of devices currently being upgraded        : 0
Number of devices waiting in queue to be upgraded : 1
Number of devices currently being rebooted        : 0
Number of devices waiting in queue to be rebooted : 0
Number of devices failed upgrade                  : 0
---------------------------------------------------------------------------------------------------------
DEVICE            STATE     UPGRADE TIME   REBOOT TIME   PROGRESS   RETRIES   LAST UPDATE ERROR   UPGRADED BY
---------------------------------------------------------------------------------------------------------
rfs6000-81742D    waiting   immediate      immediate     0          0         -                   nx9500-6C8809
---------------------------------------------------------------------------------------------------------
nx9500-6C8809#
6.1.19 dot1x show commands

Displays dot1x information on interfaces.

Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting dot1x allow automatic provisioning and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a dot1x-enabled device automatically connects and authenticates without needing a manual login. A dot1x-enabled device can be configured as one of the following:
- supplicants only: devices seeking network access
- authenticators only: devices authenticating the supplicants, or
- supplicants as well as authenticators

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: Dot1x supplicant configuration is supported on the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000
Service Platforms: NX5500, NX7500

NOTE: Dot1x authenticator configuration is supported on the following platforms:
Access Points: AP6521, AP6522, AP6562, AP7161, AP7502, AP81XX
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500

Syntax
show dot1x {all|interface|on}
show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}
show dot1x {interface [<INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]} {on <DEVICE-NAME>}

Parameters
show dot1x {all {on <DEVICE-NAME>}|on <DEVICE-NAME>}

dot1x all {on <DEVICE-NAME>}
    Optional. Displays dot1x information for all interfaces.
    on <DEVICE-NAME> - Optional. Displays dot1x information for all interfaces on a specified device.
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.
dot1x {on <DEVICE-NAME>}
    Optional. Displays dot1x information for interfaces on a specified device.
    <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

show dot1x {interface [<INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]} {on <DEVICE-NAME>}

dot1x interface
    Optional. Displays dot1x information for a specified interface or interface type.
<INTERFACE-NAME>
    Displays dot1x information for the layer 2 (Ethernet port) interface specified by the <INTERFACE-NAME> parameter.
ge <1-4>
    Displays dot1x information for a specified GigabitEthernet interface.
    <1-4> - Select the interface index from 1 - 4.
port-channel <1-2>
    Displays dot1x information for a specified port channel interface.
    <1-2> - Select the interface index from 1 - 2.

The following keywords are common to all of the above parameters:
on <DEVICE-NAME>
    Optional. Displays dot1x interface information on a specified device.
    <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D#show dot1x all
802.1X information
------------------------------
SysAuthControl     : disabled
Guest-Vlan         : disabled
AAA-Policy         : none
Holdtime           : 60
802.1X information for interface GE1
--------------------------------------
Supplicant MAC N/A
Auth SM State      : FORCE AUTHORIZED
Bend SM State      : REQUEST
Port Status        : AUTHORIZED
Host Mode          : SINGLE
Auth Vlan          : None
Guest Vlan         : None
802.1X information for interface GE2
--------------------------------------
Supplicant MAC N/A
Auth SM State      : FORCE AUTHORIZED
Bend SM State      : REQUEST
Port Status        : AUTHORIZED
--More--
rfs6000-81742D#
rfs6000-81742D#show dot1x interface ge 1
802.1X information for interface GE1
--------------------------------------
Supplicant MAC N/A
Auth SM State      : FORCE AUTHORIZED
Bend SM State      : REQUEST
Port Status        : AUTHORIZED
Host Mode          : SINGLE
Auth Vlan          : None
Guest Vlan         : None
rfs6000-81742D#
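An added example, not code from the guide or from the WiNG software: this Python script parses `show dot1x all` output in the shape shown above and flags ports whose AUTHORIZED status comes from the FORCE AUTHORIZED state rather than from a completed authentication, as well as a disabled SysAuthControl. The GE3 block and its MAC address are constructed to show what an authenticated port looks like by comparison.

```python
import re

# Constructed sample in the shape of the `show dot1x all` output above.
# GE1 and GE2 mirror the guide's example; GE3 is constructed (not in the
# guide) to show a port where a supplicant actually authenticated.
SAMPLE_DOT1X_ALL = """\
802.1X information
------------------------------
SysAuthControl : disabled
Guest-Vlan : disabled
AAA-Policy : none
Holdtime : 60
802.1X information for interface GE1
--------------------------------------
Supplicant MAC N/A
Auth SM State : FORCE AUTHORIZED
Bend SM State : REQUEST
Port Status : AUTHORIZED
Host Mode : SINGLE
Auth Vlan : None
Guest Vlan : None
802.1X information for interface GE2
--------------------------------------
Supplicant MAC N/A
Auth SM State : FORCE AUTHORIZED
Bend SM State : REQUEST
Port Status : AUTHORIZED
802.1X information for interface GE3
--------------------------------------
Supplicant MAC 00-11-22-33-44-55
Auth SM State : AUTHENTICATED
Bend SM State : IDLE
Port Status : AUTHORIZED
"""

IFACE_RE = re.compile(r"^802\.1X information for interface (\S+)$")


def parse_dot1x_all(text):
    """Return (global_settings, {interface: fields}) from `show dot1x all` output.

    Lines before the first 'for interface' header are global settings; the
    'Supplicant MAC' line has no colon in the device output, so it is split
    by prefix rather than on ':'.
    """
    global_settings, interfaces = {}, {}
    current = global_settings
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("-") or line == "802.1X information":
            continue
        m = IFACE_RE.match(line)
        if m:
            current = interfaces.setdefault(m.group(1), {})
            continue
        if line.startswith("Supplicant MAC"):
            current["Supplicant MAC"] = line[len("Supplicant MAC"):].strip()
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return global_settings, interfaces


def audit_dot1x(global_settings, interfaces):
    """Flag ports that are open without any supplicant having authenticated.

    In 802.1X a port in the FORCE AUTHORIZED state is authorized
    unconditionally, so 'Port Status : AUTHORIZED' on its own does not mean
    a client passed authentication. A disabled SysAuthControl means the
    authenticator function is off for the whole device.
    """
    findings = []
    if global_settings.get("SysAuthControl", "").lower() != "enabled":
        findings.append("SysAuthControl is not enabled: 802.1X is not enforced on any port")
    for name, fields in interfaces.items():
        if (fields.get("Port Status") == "AUTHORIZED"
                and fields.get("Auth SM State") == "FORCE AUTHORIZED"):
            findings.append(f"{name}: AUTHORIZED via FORCE AUTHORIZED, no supplicant authenticated")
    return findings


if __name__ == "__main__":
    settings, ifaces = parse_dot1x_all(SAMPLE_DOT1X_ALL)
    for finding in audit_dot1x(settings, ifaces):
        print(finding)
```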
6.1.20 dpi show commands

Displays Deep Packet Inspection (DPI) statistics for all configured and canned applications.

DPI is an advanced packet analysis technique that analyzes packet and packet content headers to determine the nature of network traffic. When DPI is enabled, packets of all flows are subjected to DPI to get accurate results. DPI identifies applications (such as Netflix, Twitter, Facebook, etc.) and also extracts metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

NOTE: The show > dpi command returns results only if executed on a device that supports DPI and has DPI logging enabled. DPI logging can be enabled either on the device or on the profile applied to the device. For more information, see dpi.

Supported in the following platforms:
Access Points: AP7522, AP7532, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show dpi [app|app-category|application|application-policy|per-category]
show dpi app wireless-clients stats <MAC> {on <DEVICE-OR-DOMAIN-NAME>}
show dpi [app|app-category] stats [<APPLICATION/APP-CATEGORY-NAME>|all] {on <DEVICE-OR-DOMAIN-NAME>}
show dpi application-policy stats <APPLICATION-POLICY-NAME> {on <DEVICE-OR-DOMAIN-NAME>}
show dpi application brief
show dpi per-category stats <APP-CATEGORIES> [bytes-in|bytes-out|total-bytes] {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
show dpi app wireless-clients stats <MAC> {on <DEVICE-OR-DOMAIN-NAME>}

dpi app wireless-clients stats <MAC>
    Displays application-related statistics for all or a specified wireless client.
    <MAC> - Displays statistics for a specified wireless client. Specify the client's MAC address.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays statistical data on a specified device or RF Domain.
    <DEVICE-OR-DOMAIN-NAME> - Specify the name of the access point, wireless controller, service platform, or RF Domain.

show dpi [app|app-category] stats [<APPLICATION/APP-CATEGORY-NAME>|all] {on <DEVICE-OR-DOMAIN-NAME>}

dpi [app|app-category] stats
    Displays statistics for an application or application category.
    app - Displays statistics for a specified application or all applications.
    app-category - Displays statistics for a specified application category or all categories.
    Note: The applications are the RF Domain member allowed applications whose data (bytes) are passing through the WiNG managed network. The application categories are existing WiNG or user-defined application groups (video, streaming, mobile, audio, etc.) that assist administrators in permitting or denying the forwarding of application data.
[<APPLICATION/APP-CATEGORY-NAME>|all]
    This parameter is common to the app and app-category keywords.
    <APPLICATION/APP-CATEGORY-NAME> - Displays statistics for a specified application or application category, depending on the option selected in the previous step. Specify the application name or application category name.
    all - Displays statistics for all applications or application categories, depending on the option selected in the previous step.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays statistical data on a specified device or RF Domain.
    <DEVICE-OR-DOMAIN-NAME> - Specify the name of the access point, wireless controller, service platform, or RF Domain.

show dpi application-policy stats <APPLICATION-POLICY-NAME> {on <DEVICE-OR-DOMAIN-NAME>}

dpi application-policy stats
    Displays statistics for an existing application policy.
<APPLICATION-POLICY-NAME>
    Displays statistics for a specified application policy. Specify the application-policy name.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays application-policy related statistical data on a specified device or RF Domain.
    <DEVICE-OR-DOMAIN-NAME> - Specify the name of the access point, wireless controller, service platform, or RF Domain.

show dpi application brief

dpi application brief
    Displays a brief summary of applications, their status, and configuration.

show dpi per-category stats <APP-CATEGORIES> [bytes-in|bytes-out|total-bytes] {on <DEVICE-OR-DOMAIN-NAME>}

dpi per-category stats
    Displays statistics for the top ten applications based on the application category and the sort ID specified. The sort ID options are: bytes-in, bytes-out, or total-bytes.
<APP-CATEGORIES>
    Specify the application category name. The system displays statistics for the top ten applications in this category.
[bytes-in|bytes-out|total-bytes]
    Filters and displays statistical data for the top ten utilized applications in respect to the following:
    bytes-in - Displays total data bytes uploaded through the controller managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
    bytes-out - Displays total data bytes downloaded through the controller managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
    total-bytes - Displays total data bytes (uploaded and downloaded) through the controller managed network. These are only the administrator allowed applications approved for proliferation within the managed network.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays statistical data on a specified device or RF Domain.
    <DEVICE-OR-DOMAIN-NAME> - Specify the name of the access point, wireless controller, service platform, or RF Domain.

Example
nx9500-6C8809>show dpi application brief
1-clickshare-com
  This application recognizes DirectDownloadLink 1-clickshare traffic
  Application Category : filetransfer
  Predefined Application : Yes
1-upload-com
  This application recognizes DirectDownloadLink 1-upload-com traffic
  Application Category : filetransfer
  Predefined Application : Yes
1-upload-to
  This application recognizes DirectDownloadLink 1-upload-to traffic
  Application Category : filetransfer
  Predefined Application : Yes
10upload-com
  This application recognizes DirectDownloadLink 10upload-com traffic
  Application Category : filetransfer
  Predefined Application : Yes
123upload-pl
  This application recognizes DirectDownloadLink 123upload-pl traffic
--More--
nx9500-6C8809>
6.1.21 eguest show commands

Displays EGuest server status and EGuest registration statistics.

Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000

Syntax
show eguest [registration statistics|status]

Parameters
show eguest [registration statistics|status]

registration statistics
    Displays the EGuest registration statistics.
status
    Displays the current status of EGuest servers.

Example
vx-eguest-primary#show eguest status
-----------------------------------
pid     process
-----------------------------------
2521    gmd
2529    regserver
2539    acct_server
2569    guest_manager
2636    acct_server
2642    acct_server
2643    acct_server
2649    acct_server
2655    acct_server
2708    acct_server-helper
2770    guest_manager
2776    guest_manager
2777    guest_manager
2783    guest_manager
3628    gmd
3630    gmd
3631    gmd
3632    gmd
3633    gmd
3634    gmd
5729    radiusd
-----------------------------------
Database server is local
Database server is reachable
vx-eguest-primary#
vx-eguest-primary#show eguest registration statistics
msg_received    - number of registration messages received
user_try_to_add - number of database add attempts
user_added      - number of messages succesfully added to db
user_failed     - number of messages failed adding to db
------------------------------------------------------------------------
msg_received    user_try_to_add    user_added    user_failed
------------------------------------------------------------------------
189             11                 11            0
vx-eguest-primary#
6.1.22 environmental-sensor show commands

Displays data recorded by the environmental sensor. The environmental sensor has to be enabled and configured in order to collect data related to humidity, light, motion, and temperature.

NOTE: The environmental sensor is supported only on an AP8132. When executed on any controller (other than an AP8132), the show > environmental-sensor > <parameters> command displays environmental-sensor details for adopted AP8132s (if any).

Supported in the following platforms:
Access Points: AP8132

Syntax
show environmental-sensor [history|humidity|light|motion|summary|temperature|version]
show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}
show environmental-sensor [humidity|light|motion|summary|temperature|version]

Parameters
show environmental-sensor history {<1-HOUR>|<20-MINUTE>|<24-HOUR>}

environmental-sensor history
    Displays environmental sensor history once in every hour, 20 minutes, or 24 hours. History includes the humidity, light, motion, and temperature data recorded by the sensor at the specified time interval.
    1-hour - Optional. Displays environmental sensor history once in every 1 (one) hour.
    20-minute - Optional. Displays environmental sensor history once in every 20 minutes.
    24-hour - Optional. Displays environmental sensor history once in every 24 hours.

show environmental-sensor [humidity|light|motion|summary|temperature|version]

environmental-sensor
    Displays environmental sensor recorded data, based on the parameters passed. The system displays the specified recorded data.
    humidity - Displays the minimum, average, and maximum humidity recorded.
    light - Displays the minimum, average, and maximum light recorded.
    motion - Displays the minimum, average, and maximum motion recorded.
    temperature - Displays the minimum, average, and maximum temperature recorded.
    version - Displays the hardware and firmware versions.
    summary - Displays a summary of the data recorded at the following intervals: 20 minutes, 1 hour, and 24 hours.

Example
ap8132-711728#show environmental-sensor summary
Maat Device uptime: 0 days 15:25:11
ERROR: Maat device is offline!
threshold polling-interval: 5
historical data polled 0 times per 2-minutes interval since Maat online
motion-sensor: Enabled(Demo)
  current value: 0 detected
  -------------------------------
       motion detected
  -------------------------------
  20-minute    0
  1-hour       0
  6-hour       0
  24-hour      0
temperature-sensor: Enabled(Demo)
  current value: -40.00 deg. C
  -------------------------------
       min/average/max
  -------------------------------
  20-minute    0/0/0
  1-hour       0/0/0
  6-hour       0/0/0
  24-hour      0/0/0
light-sensor: Enabled
  threshold-high:+400.00 threshold-low:+200.00 holdtime:11
  action radio-shutdown: radio-1 and radio-2
  light-on:1 light-on/off event sent:0/0
  current value: 0.00 lux
  -------------------------------
       min/average/max
  -------------------------------
  20-minute    0/0/0
  1-hour       0/0/0
  6-hour       0/0/0
  24-hour      0/0/0
humidity-sensor: Enabled(Demo)
  current value: 0.00 %
  -------------------------------
       min/average/max
  -------------------------------
  20-minute    0/0/0
  1-hour       0/0/0
  6-hour       0/0/0
  24-hour      0/0/0
ap8132-711728#
ap8132-711634#show env-sensor history
Current Time: 2015-06-20 14:08:01 UTC
-------------------------------------------------------------------------------
Sample-Interval    Motion    Temperature    Light     Humidity
                             (deg. C)       (lux)     (%)
                   ----------- min/average/max ------------
-------------------------------------------------------------------------------
20-minute          1         64/65/66       77/80     58/60/61
1-hour             24        63/67/70       75/81     57/59/61
6-hour             128       60/62/69       71/79     52/56/71
24-hour            188       54/58/70       15/45     49/57/73
ap8132-711634#
ap8132-711634#show env-sensor history 20-min
---------------------------------------------------------------------------------
timestamp                  Motion    Temperature    Light    Humidity
---------------------------------------------------------------------------------
2015-11-20 13:51:35 UTC    0         66             79       59
2015-11-20 13:53:35 UTC    0         66             79       59
2015-11-20 13:55:35 UTC    0         65             79       58
2015-11-20 13:57:35 UTC    1         66             80       59
2015-11-20 13:59:35 UTC    0         66             79       59
2015-11-20 14:02:35 UTC    0         65             79       60
2015-11-20 14:03:35 UTC    0         64             79       60
2015-11-20 14:05:35 UTC    2         66             80       60
2015-11-20 14:07:35 UTC    0         66             80       61
2015-11-20 14:09:35 UTC    0         66             80       61
ap8132-711634#
ap8132-711634#show env-sensor history 1-hr
---------------------------------------------------------------------------------
timestamp                  Motion    Temperature    Light    Humidity
---------------------------------------------------------------------------------
2015-11-20 13:51:35 UTC    0         66             79       59
2015-11-20 13:53:35 UTC    0         66             79       59
2015-11-20 13:55:35 UTC    0         65             79       58
2015-11-20 13:57:35 UTC    1         66             80       59
2015-11-20 13:59:35 UTC    0         66             79       59
2015-11-20 14:01:35 UTC    0         65             79       60
2015-11-20 14:03:35 UTC    0         64             79       60
2015-11-20 14:05:35 UTC    2         66             80       60
2015-11-20 14:07:35 UTC    0         66             80       61
2015-11-20 14:09:35 UTC    0         66             80       61
2015-11-20 14:42:35 UTC    0         65             81       60
2015-11-20 14:43:35 UTC    0         64             80       59
2015-11-20 14:45:35 UTC    3         66             80       60
ap8132-711634#
<DEVICE-NAME>#show env-sensor history 24-hr
---------------------------------------------------------------------------------
timestamp                  Motion    Temperature    Light    Humidity
---------------------------------------------------------------------------------
2015-11-20 10:10:20 UTC    27        66             80       60
2015-11-20 10:30:20 UTC    17        66             80       60
2015-11-20 10:50:20 UTC    17        66             81       60
2015-11-20 11:10:20 UTC    25        66             81       60
2015-11-20 11:30:20 UTC    24        66             81       60
2015-11-20 11:50:20 UTC    26        66             81       60
2015-11-21 08:10:20 UTC    9         65             80       59
2015-11-21 08:30:20 UTC    7         65             80       59
2015-11-21 08:50:20 UTC    12        65             80       60
2015-11-21 09:10:20 UTC    10        65             80       60
2015-11-21 09:30:20 UTC    15        65             80       60
2015-11-21 09:50:20 UTC    19        66             80       60
<DEVICE-NAME>#
6.1.23 event-history show commands

Displays the event history report.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show event-history {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
show event-history {on <DEVICE-OR-DOMAIN-NAME>}

event-history
    Displays the event history report.
on <DEVICE-OR-DOMAIN-NAME>
    Optional. Displays the event history report on a device or RF Domain.
    <DEVICE-OR-DOMAIN-NAME> - Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
nx9500-6C8809#show event-history
Generated on '2016-09-21 05:19:55 UTC' by 'admin'
2017-06-06 10:40:19 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-06 10:38:36 nx9500-6C8809 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.214'
2017-06-06 10:27:34 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-06 10:27:34 nx9500-6C8809 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.214'
2016-09-20 23:52:49 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2016-09-20 05:39:01 nx9500-6C8809 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.165'
2016-09-20 05:08:54 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
--More--
nx9500-6C8809#
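An added example, not code from the guide or from the WiNG software: this Python script parses `show event-history` output in the shape shown above and reports superuser sessions that occur outside business hours or come from addresses outside the management network. The business-hours window, the 192.168.100.0/24 management prefix, and the two sample lines with 03:1x timestamps and the 10.20.30.40 address are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample in the shape of the `show event-history` output above.
# The two 03:1x lines are constructed (not in the guide) to give the checks
# below something to flag; the rest mirror the guide's example.
SAMPLE_EVENT_HISTORY = """\
Generated on '2016-09-21 05:19:55 UTC' by 'admin'
2017-06-06 10:40:19 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-06 10:38:36 nx9500-6C8809 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.214'
2017-06-06 03:12:07 nx9500-6C8809 SYSTEM LOGIN Successfully logged in user 'admin' with privilege 'superuser' from 'ssh'
2017-06-06 03:11:40 nx9500-6C8809 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '10.20.30.40'
2016-09-20 05:39:01 nx9500-6C8809 SYSTEM LOGOUT Logged out user 'admin' with privilege 'superuser' from '192.168.100.165'
--More--
"""

# <date> <time> <device> <module> <event> <free-text message>
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) (?P<module>\S+) (?P<event>\S+) (?P<msg>.*)$"
)
# The session fields inside LOGIN/LOGOUT messages.
SESSION_RE = re.compile(
    r"user '(?P<user>[^']*)' with privilege '(?P<priv>[^']*)' from '(?P<src>[^']*)'"
)


@dataclass
class Event:
    ts: datetime
    device: str
    module: str
    event: str
    user: str = ""
    privilege: str = ""
    source: str = ""  # an IP address on LOGOUT lines, a transport such as 'ssh' on LOGIN lines


def parse_event_history(text: str) -> list[Event]:
    """Parse `show event-history` output; the 'Generated on' header and the
    --More-- pager line do not match LINE_RE and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = Event(
            ts=datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
            device=m["device"], module=m["module"], event=m["event"],
        )
        s = SESSION_RE.search(m["msg"])
        if s:
            ev.user, ev.privilege, ev.source = s["user"], s["priv"], s["src"]
        events.append(ev)
    return events


def audit_sessions(events, allowed_nets, start=time(8, 0), end=time(18, 0)):
    """Return findings for superuser sessions outside [start, end] or from
    addresses outside allowed_nets (both thresholds are example assumptions)."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for ev in events:
        if ev.event not in ("LOGIN", "LOGOUT"):
            continue
        if ev.privilege == "superuser" and not (start <= ev.ts.time() <= end):
            findings.append(f"{ev.ts} {ev.event} by '{ev.user}' outside business hours")
        try:
            addr = ipaddress.ip_address(ev.source)
        except ValueError:
            continue  # LOGIN lines carry the transport ('ssh'), not an address
        if not any(addr in n for n in nets):
            findings.append(f"{ev.ts} {ev.event} by '{ev.user}' from unexpected address {addr}")
    return findings


if __name__ == "__main__":
    for finding in audit_sessions(parse_event_history(SAMPLE_EVENT_HISTORY),
                                  ["192.168.100.0/24"]):
        print(finding)
```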
6.1.24 event-system-policy show commands

Displays detailed event system policy configuration.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>

Parameters
show event-system-policy [config|detail] <EVENT-SYSTEM-POLICY-NAME>

event-system-policy
    Displays event system policy configuration.
config
    Displays configuration for a specified policy.
detail
    Displays detailed configuration for a specified policy.
<EVENT-SYSTEM-POLICY-NAME>
    Specify the event system policy name.

Example
rfs6000-81742D(config)#show event-system-policy config testpolicy
--------------------------------------------------------------------------
MODULE    EVENT                SYSLOG    SNMP    FORWARD    EMAIL
--------------------------------------------------------------------------
aaa       radius-discon-msg    on        on      on         default
--------------------------------------------------------------------------
rfs6000-81742D(config)#
6.1.25 ex3500 show commands

Displays EX3500-related statistical data.

Supported in the following platforms:
Service Platforms: NX7500, NX9500

Syntax
show ex3500 [dir|interfaces|system|upgrade|version|whichboot]
show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>} {on <EX3500-DEVICE-NAME>}
show ex3500 interfaces counters [ether-like stats|ethernet <1-1> <1-52>|ext-if-table stats|if-table stats|portUtil stats|rmon stats] {on <EX3500-DEVICE-NAME>}
show ex3500 [system|upgrade|version|whichboot] {on <EX3500-DEVICE-NAME>}

Parameters
show ex3500 dir {boot-rom|config|on|opcode} {<FILE-NAME>} {on <EX3500-DEVICE-NAME>}

ex3500 dir
    Displays EX3500 directory information based on the option selected. The options are: boot-rom, config, opcode.
    Note: If none of the specified options is selected, all EX3500 system-related information is displayed.
boot-rom
    Optional. Displays only the Boot-ROM information.
config
    Optional. Displays only the configuration file.
opcode
    Optional. Displays only the run-time operation code.
<FILE-NAME>
    Displays the contents of a specified file identified by the <FILE-NAME> keyword. This is the name of a configuration file or code image.
on <EX3500-DEVICE-NAME>
    Optional. Executes the command on a specified EX3500 device.
    <DEVICE-NAME> - Specify the device's name.

show ex3500 interfaces counters [ether-like stats|ethernet <1-1> <1-52>|ext-if-table stats|if-table stats|portUtil stats|rmon stats] {on <EX3500-DEVICE-NAME>}

ex3500 interfaces counters
    Displays EX3500 interface counter information based on the option selected. The options are: ether-like, ethernet, ext-if-table, if-table, portUtil, rmon.
ether-like stats
    Displays Management Information Base (MIB) object statistics for Ethernet-like interfaces.
ethernet <1-1> <1-52>
    Displays the Ethernet port statistics based on the unit identifier and port number selected.
    <1-1> - Specify the EX3500 unit's identifier from 1 - 1.
    <1-52> - Specify the port number from 1 - 52. This range varies for the EX3524 (1-28) and EX3548 (1-52) devices.
    Note: This option displays the following for the selected Ethernet interface: extended interface table stats, interface table stats, port utilization information, and remote monitoring stats.
ext-if-table stats
    Displays only the extended interface table statistics.
if-table stats
    Displays only the interface table statistics.
portUtil stats
    Displays only the port utilization information.
rmon stats
    Displays only remote monitoring (RMON) statistics.
on <EX3500-DEVICE-NAME>
    Optional. Executes the command on a specified EX3500 device.
    <DEVICE-NAME> - Specify the device's name.

show ex3500 [system|upgrade|version|whichboot] {on <EX3500-DEVICE-NAME>}

ex3500
    Displays the following information for a specified EX3500 device or all EX3500 devices in the managed network.
system
    Displays EX3500 system information, such as device description, OID string, up time, name, location, contact, MAC address, etc. Some of this information (for example, the system name) is configurable and, if not configured, is left blank.
upgrade
    Displays the opcode upgrade configuration settings.
version
    Displays hardware and software version information for an EX3500 system.
whichboot
    Displays boot information.
on <EX3500-DEVICE-NAME>
    Optional. Executes the command on a specified EX3500 device.
    <DEVICE-NAME> - Specify the device's name.

Example
nx9500-6C8809#show ex3500 interfaces counters ethernet 1 17
Ethernet 1/ 17
===== IF table Stats =====
2166458 Octets Input
14734059 Octets Output
14707 Unicast Input
19806 Unicast Output
0 Discard Input
0 Discard Output
0 Error Input
0 Error Output
0 Unknown Protocols Input
0 QLen Output
===== Extended Iftable Stats =====
23 Multi-cast Input
5525 Multi-cast Output
170 Broadcast Input
11 Broadcast Output
===== Ether-like Stats =====
0 Alignment Errors
0 FCS Errors
0 Single Collision Frames
0 Multiple Collision Frames
0 SQE Test Errors
0 Deferred Transmissions
0 Late Collisions
0 Excessive Collisions
0 Internal Mac Transmit Errors
0 Internal Mac Receive Errors
0 Frames Too Long
0 Carrier Sense Errors
0 Symbol Errors
0 Pause Frames Input
0 Pause Frames Output
===== RMON Stats =====
0 Drop Events
16900558 Octets
40243 Packets
170 Broadcast PKTS
23 Multi-cast PKTS
0 Undersize PKTS
0 Oversize PKTS
0 Fragments
0 Jabbers
0 CRC Align Errors
0 Collisions
21065 Packet Size <= 64 Octets
3805 Packet Size 65 to 127 Octets
2448 Packet Size 128 to 255 Octets
797 Packet Size 256 to 511 Octets
2941 Packet Size 512 to 1023 Octets
9187 Packet Size 1024 to 1518 Octets
===== Port Utilization (recent 300 seconds) =====
0 Octets Input in kbits per second
0 Packets Input per second
0.00 % Input Utilization
0 Octets Output in kbits per second
0 Packets Output per second
0.00 % Output Utilization
nx9500-6C8809#
6.1.26 extdev show commands

Displays external device (T5 or EX3500) configuration error history.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510

Syntax
show extdev error history {on <T5/EX3500-DEVICE-NAME>}

Parameters
show extdev error history {on <T5/EX3500-DEVICE-NAME>}

extdev error history
    Displays external device error history. This command applies only to the external devices T5 and EX3500 series switches. Use this command to view the configuration error history for all or a specified external device adopted and managed by a WiNG NX9500 series service platform.
on <T5/EX3500-DEVICE-NAME>
    Optional. Displays configuration error history on a specified T5 or EX3500 device.
    <T5/EX3500-DEVICE-NAME> - Specify the name of the device.

Example
nx9500-6C8809#show extdev error history on t5-ED5EAC
%% No History for this device
nx9500-6C8809#
6.1.27 file-sync show commands

Displays file synchronization settings and status on a controller

The file-sync command syncs the wireless-bridge certificate and trustpoint between the staging controller and its adopted access points. The show > file-sync command displays information related to this process.

Supported in the following platforms:
  Wireless Controllers   RFS4000, RFS6000
  Service Platforms      NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
show file-sync [configuration|history|load-file-status|status] {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
show file-sync [configuration|history|load-file-status|status] {on <DEVICE-OR-DOMAIN-NAME>}

  file-sync                    Displays the following file-synchronization (trustpoint and wireless-bridge certificate) related information: configuration, history, load-file-status, and status
  configuration                Displays the following file-synchronization configuration details:
                                 - Whether automatic file syncing is enabled or disabled. The default setting is disabled. The X.509 certificate needs synchronization only if the access point's radio2 is configured to use EAP-TLS authentication, in which case the PKCS#12 certificate needs to be pushed on AP adoption. To enable automatic file syncing, in the controller's device/profile configuration mode, execute the file-sync > auto command. For more information, see file-sync.
                                 - The number of access points to which the certificate can be simultaneously uploaded. The default is 10. To modify the number of simultaneous uploads, in the controller's device/profile configuration mode, execute the file-sync > count <1-20> command. For more information, see file-sync.
                                 - The details of a scheduled certificate upload, if any, such as the time and date of the upload. To schedule a certificate upload, use the file-sync > wireless-certificate command. For more information, see file-sync.
  history                      Displays file synchronization history. Use this option to view statistical data relating to wireless-bridge certificate synchronization between the staging controller and its access points. When executed, a list of all certificate transfers made to the APs is displayed, with the latest transfer listed at the top.
  load-file-status             Displays the status of the file upload to the controller. Use this option to view the status of an in-progress certificate upload. For more information on initiating a PKCS#12 certificate upload, see file-sync.
  status                       Displays the status of the file synchronization between the controller and its adopted access points
  on <DEVICE-OR-DOMAIN-NAME>   Optional. Displays file synchronization settings and status on a specified device or RF Domain
                                 <DEVICE-OR-DOMAIN-NAME>   Specify the name of the controller, service platform, or RF Domain.

Example
nx9500-6C8809#show file-sync configuration
File Sync Configuration Information
  Auto                            : Disabled
  Simultaneous Upload Count       : 128
  Wireless Bridge Cert Load Time  : Thu May 29 23:23:35 2015
nx9500-6C8809#

nx9500-6C8809#show file-sync load-file-status
Download of wireless_bridge certificate is complete
nx9500-6C8809#

nx9500-6C8809#show file-sync history
-------------------------------------------------------------------------------------
  AP                RESULT   TIME                  RETRIES   SYNCED-BY           LAST-SYNC-ERROR
-------------------------------------------------------------------------------------
  AP6522-491220     done     2015-05-27 01:37:32             B4-C7-99-6C-88-09   -
  ME733ANACBMOT21   done     2015-05-27 02:02:51   0         B4-C7-99-6C-88-09   -
nx9500-6C8809#
6.1.28 firewall show commands

Displays wireless firewall information, such as Dynamic Host Configuration Protocol (DHCP) snoop table entries, denial of service (DoS) statistics, active session summaries, etc.

Supported in the following platforms:
  Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers   RFS4000, RFS6000
  Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show firewall [dhcp|dos|flows|neighbors]

show firewall dhcp snoop-table {on <DEVICE-NAME>}
show firewall dos stats {on <DEVICE-NAME>}
show firewall flows {filter|management|on|stats|wireless-client}
show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}
show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|wireless-client <MAC>|on <DEVICE-NAME>}
show firewall neighbors snoop-table {on <DEVICE-NAME>}

Parameters
show firewall dhcp snoop-table {on <DEVICE-NAME>}
show firewall dos stats {on <DEVICE-NAME>}

  firewall            Displays wireless firewall information
  dhcp snoop-table    Displays DHCP snoop table entries. DHCP snooping acts as a firewall between non-trusted hosts and the DHCP server. Snoop table entries contain the MAC address, IP address, lease time, binding type, and interface information of non-trusted interfaces.
  dos stats           Displays denial of service (DoS) attack statistics: the attack type, its detection count, and the time of its last occurrence

  The following keyword is common to the DHCP snoop table and DoS stats parameters:
  on <DEVICE-NAME>    Optional. Displays snoop table entries, or DoS stats, on a specified device
                        <DEVICE-NAME>   Specify the name of the AP, wireless controller, or service platform.

show firewall flows {filter} {(dir|dst port <1-65535>|ether|flow-type|icmp|icmpv6|igmp|ip|ipv6|max-idle|min-bytes|min-idle|min-pkts|not|port|src|tcp|udp)}

  firewall flows            Displays wireless firewall flows
  filter                    Optional. Defines additional firewall flow filter parameters
  dir [wired-wired|wired-wireless|wireless-wired|wireless-wireless]
                            Optional. Matches the packet flow direction
                              wired-wired         Wired to wired flows
                              wired-wireless      Wired to wireless flows
                              wireless-wired      Wireless to wired flows
                              wireless-wireless   Wireless to wireless flows
  dst port <1-65535>        Optional. Matches the destination port with the specified port
                              port <1-65535>      Specifies the destination port number from 1 - 65535
  ether [dst <MAC>|host <MAC>|src <MAC>|vlan <1-4094>]
                            Optional. Displays Ethernet filter options
                              dst <MAC>           Matches only the destination MAC address
                              host <MAC>          Matches flows containing the specified MAC address (as source or destination)
                              src <MAC>           Matches only the source MAC address
                              vlan <1-4094>       Matches the VLAN number of the traffic with the specified value. Specify a value from 1 - 4094.
  flow-type [bridged|natted|routed|wired|wireless]
                            Optional. Matches the traffic flow type
                              bridged             Bridged flows
                              natted              NATed flows
                              routed              Routed flows
                              wired               Flows belonging to wired hosts
                              wireless            Flows containing a mobile unit
  icmp {code|type}          Optional. Matches flows with the specified Internet Control Message Protocol (ICMP) version 4 code and type
                              code                Optional. Matches flows with the specified ICMPv4 code
                              type                Optional. Matches flows with the specified ICMPv4 type
  icmpv6 {code|type}        Optional. Matches flows with the specified ICMP version 6 code and type
                              code                Optional. Matches flows with the specified ICMPv6 code
                              type                Optional. Matches flows with the specified ICMPv6 type
  igmp                      Optional. Matches Internet Group Management Protocol (IGMP) flows
  ip [dst <IP>|host <IP>|proto <0-254>|src <IP>]
                            Optional. Filters firewall flows based on the IPv4 parameters passed
                              dst <IP>            Matches the destination IPv4 address
                              host <IP>           Matches flows containing the specified IPv4 address (as source or destination)
                              proto <0-254>       Matches the IP protocol number with the specified number
                              src <IP>            Matches the source IPv4 address
  ipv6 [dst <IPv6>|host <IPv6>|proto <0-254>|src <IPv6>]
                            Optional. Filters firewall flows based on the IPv6 parameters passed
                              dst <IPv6>          Matches the destination IPv6 address
                              host <IPv6>         Matches flows containing the specified IPv6 address (as source or destination)
                              proto <0-254>       Matches the IPv6 next-header protocol number with the specified number
                              src <IPv6>          Matches the source IPv6 address
  max-idle <1-4294967295>   Optional. Matches flows that have been idle for at most the specified duration. Specify a max-idle value from 1 - 4294967295.
  min-bytes <1-4294967295>  Optional. Matches flows with at least the specified number of bytes. Specify a min-bytes value from 1 - 4294967295 bytes.
  min-idle <1-4294967295>   Optional. Matches flows that have been idle for at least the specified duration. Specify a min-idle value from 1 - 4294967295.
  min-pkts <1-4294967295>   Optional. Matches flows with at least the specified number of packets. Specify a min-pkts value from 1 - 4294967295 packets.
  not                       Optional. Negates the filter expression that follows it
  port <1-65535>            Optional. Matches either the source or the destination port. Specify a port from 1 - 65535.
  src <1-65535>             Optional. Matches only the source port with the specified port. Specify a port from 1 - 65535.
  tcp                       Optional. Matches TCP flows
  udp                       Optional. Matches UDP flows

show firewall flows {management {on <DEVICE-NAME>}|stats {on <DEVICE-NAME>}|wireless-client <MAC>|on <DEVICE-NAME>}

  firewall flows            Displays wireless firewall flows
  management {on <DEVICE-NAME>}
                            Optional. Displays management traffic firewall flows (sessions terminating on the device itself, such as SSH or HTTPS to the controller)
                              on <DEVICE-NAME>    Optional. Displays management firewall flows on a specified device
                              <DEVICE-NAME>       Specify the name of the AP, wireless controller, or service platform.
  stats {on <DEVICE-NAME>}  Optional. Displays an active session summary
                              on <DEVICE-NAME>    Optional. Displays the active session summary of a specified device
                              <DEVICE-NAME>       Specify the name of the AP, wireless controller, or service platform.
  wireless-client <MAC>     Optional. Displays the firewall flows of a specified wireless client
                              <MAC>               Specify the MAC address of the wireless client.
  on <DEVICE-NAME>          Optional. Displays all firewall flows on a specified device
                              <DEVICE-NAME>       Specify the name of the AP, wireless controller, or service platform.

show firewall neighbors snoop-table {on <DEVICE-NAME>}

  firewall neighbors snoop-table
                            Displays IPv6 neighbors snoop table entries
  on <DEVICE-NAME>          Optional. Displays IPv6 neighbors snoop table entries on a specified device
                              <DEVICE-NAME>       Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D(config)#show firewall dhcp snoop-table
Snoop Binding <192.168.13.24, 00-15-70-81-74-2D, Vlan 1>
  Type switch-SVI, Touched 427779 seconds ago
-------------------------------------------------------------------------------
rfs6000-81742D(config)#
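The snoop table is only useful if someone reads it, and what a defender wants from it is not the listing but the anomalies: one IP address bound to more than one MAC on the same VLAN (a spoofed or duplicated address behind a non-trusted port), and client bindings that have not been touched for longer than any lease should live. The following Python is an added example written for this guide, not Extreme or WiNG code. Its sample output is constructed after the format shown in the example above: only the switch-SVI binding comes from the page; the two further bindings and the binding type name `dhcp` are assumptions made for the demonstration.

```python
"""Sanity checks over `show firewall dhcp snoop-table` output.

Added example for this guide, not Extreme/WiNG code. SAMPLE_OUTPUT is
constructed after the format shown on the page: only the switch-SVI binding
is taken from the page; the two `dhcp` bindings and the binding type name
`dhcp` are assumptions made for the demonstration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

BINDING_RE = re.compile(
    r"Snoop Binding <(?P<ip>\d{1,3}(?:\.\d{1,3}){3}),\s*"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}),\s*Vlan (?P<vlan>\d+)>"
)
DETAIL_RE = re.compile(r"Type (?P<kind>[\w-]+),\s*Touched (?P<age>\d+) seconds ago")

SAMPLE_OUTPUT = """\
Snoop Binding <192.168.13.24, 00-15-70-81-74-2D, Vlan 1>
  Type switch-SVI, Touched 427779 seconds ago
-------------------------------------------------------------------------------
Snoop Binding <192.168.13.50, 00-11-22-33-44-55, Vlan 1>
  Type dhcp, Touched 900000 seconds ago
-------------------------------------------------------------------------------
Snoop Binding <192.168.13.50, AA-BB-CC-DD-EE-FF, Vlan 1>
  Type dhcp, Touched 5 seconds ago
-------------------------------------------------------------------------------
"""


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    kind: str   # binding type as printed by the device, e.g. switch-SVI
    age: int    # seconds since the binding was last touched


def parse_snoop_table(text):
    """Pair each 'Snoop Binding <...>' line with the 'Type ..., Touched ...' line after it."""
    bindings = []
    pending = None
    for line in text.splitlines():
        m = BINDING_RE.search(line)
        if m:
            pending = (m["ip"], m["mac"].upper(), int(m["vlan"]))
            continue
        d = DETAIL_RE.search(line)
        if d and pending is not None:
            ip, mac, vlan = pending
            bindings.append(Binding(ip, mac, vlan, d["kind"], int(d["age"])))
            pending = None
    return bindings


def find_ip_conflicts(bindings):
    """Same IP bound to more than one MAC on one VLAN: a spoofed or duplicated address."""
    macs = defaultdict(set)
    for b in bindings:
        macs[(b.vlan, b.ip)].add(b.mac)
    return {key: sorted(ms) for key, ms in macs.items() if len(ms) > 1}


def find_stale(bindings, max_age_seconds):
    """Client bindings untouched for longer than a lease should live; the SVI entry is excluded."""
    return [b for b in bindings if b.kind != "switch-SVI" and b.age > max_age_seconds]


if __name__ == "__main__":
    table = parse_snoop_table(SAMPLE_OUTPUT)
    for (vlan, ip), macs in find_ip_conflicts(table).items():
        print(f"vlan {vlan}: {ip} is bound to {len(macs)} MACs: {', '.join(macs)}")
    for b in find_stale(table, max_age_seconds=7 * 24 * 3600):
        print(f"stale binding {b.ip} {b.mac} vlan {b.vlan} ({b.age}s untouched)")
```

Feed it the text captured from `show firewall dhcp snoop-table on <DEVICE-NAME>` for each AP rather than only the controller: the bindings that matter live on the non-trusted edge, and the conflict check is per VLAN, so the same IP on two different VLANs is deliberately not reported.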
rfs6000-81742D(config)#show firewall dos stats
--------------------------------------------------------------------------------
  ATTACK TYPE                 COUNT      LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr               0          Never
  multicast-icmpv6            0          Never
  icmp-router-solicit         0          Never
  tcp-xmas-scan               0          Never
  ascend                      0          Never
  twinge                      0          Never
  tcp-post-syn                0          Never
  land                        0          Never
  broadcast-multicast-icmp    0          Never
  ftp-bounce                  0          Never
  spoof                       0          Never
  source-route                0          Never
  tcp-null-scan               0          Never
  tcp-fin-scan                0          Never
  ipv6-hop-limit-zero         0          Never
  tcp-bad-sequence            97         0 days 02:24:32 ago
  fraggle                     0          Never
  router-advt                 0          Never
  snork                       0          Never
  raguard                     0          Never
--More--
rfs6000-81742D(config)#
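The counters above are cumulative since boot, so an absolute value such as the 97 tcp-bad-sequence hits says little on its own; what is worth alerting on is the increase between two polls, together with how recently the last hit was seen. The following Python is an added example written for this guide, not Extreme or WiNG code. POLL_1 is modelled on the output above, trimmed to a few rows; POLL_2 is a constructed later poll of the same device, included only to show how the comparison behaves.

```python
"""Delta monitoring of `show firewall dos stats` counters.

Added example for this guide, not Extreme/WiNG code. POLL_1 is modelled on
the output shown on the page (trimmed to a few rows); POLL_2 is a constructed
later poll of the same device used to demonstrate the comparison.
"""
import re

ROW_RE = re.compile(
    r"^\s*(?P<name>[a-z0-9][a-z0-9-]*)\s+(?P<count>\d+)\s+"
    r"(?P<last>Never|\d+ days \d{2}:\d{2}:\d{2} ago)\s*$"
)
AGE_RE = re.compile(r"(\d+) days (\d{2}):(\d{2}):(\d{2}) ago")

POLL_1 = """\
--------------------------------------------------------------------------------
  ATTACK TYPE                 COUNT      LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr               0          Never
  tcp-xmas-scan               0          Never
  tcp-bad-sequence            97         0 days 02:24:32 ago
  land                        0          Never
"""

POLL_2 = """\
--------------------------------------------------------------------------------
  ATTACK TYPE                 COUNT      LAST OCCURENCE
--------------------------------------------------------------------------------
  udp-short-hdr               0          Never
  tcp-xmas-scan               3          0 days 00:01:05 ago
  tcp-bad-sequence            140        0 days 00:00:10 ago
  land                        0          Never
"""


def age_seconds(last):
    """'Never' -> None, '0 days 02:24:32 ago' -> 8672."""
    if last == "Never":
        return None
    days, h, m, s = (int(x) for x in AGE_RE.match(last).groups())
    return days * 86400 + h * 3600 + m * 60 + s


def parse_dos_stats(text):
    """Map attack type -> (count, seconds since last occurrence or None).

    The header, separator and --More-- lines never match ROW_RE, so they are skipped.
    """
    stats = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            stats[m["name"]] = (int(m["count"]), age_seconds(m["last"]))
    return stats


def rising_counters(previous, current):
    """Attack types whose count grew between two polls, largest increase first.

    Returns (name, increase, seconds_since_last). A type missing from the
    previous poll is treated as having started at zero.
    """
    alerts = []
    for name, (count, age) in current.items():
        before = previous.get(name, (0, None))[0]
        if count > before:
            alerts.append((name, count - before, age))
    return sorted(alerts, key=lambda a: -a[1])


if __name__ == "__main__":
    for name, delta, age in rising_counters(parse_dos_stats(POLL_1), parse_dos_stats(POLL_2)):
        print(f"{name}: +{delta} since last poll, last seen {age}s ago")
```

Keep the previous poll per device (the counters reset on reboot, so a count lower than the stored one means the baseline must be replaced, not that an attack stopped) and treat a rising tcp-bad-sequence counter on a management VLAN differently from the same rise on a guest WLAN.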
rfs6000-81742D(config)#show firewall flows management
========== Flow# 1 Summary ==========
Forward:
  IPv4 Vlan 1, TCP 192.168.13.10 port 1646 > 192.168.13.24 port 22
  00-02-B3-28-D1-55 > 00-15-70-81-74-2D, ingress port up1
  Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-2D)
  1170 packets, 99960 bytes, last packet 0 seconds ago
Reverse:
  IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 192.168.13.10 port 1646
  00-15-70-81-74-2D > 00-02-B3-28-D1-55, ingress port local
  Egress port: up1, Egress interface: vlan1, Next hop: 192.168.13.10 (00-02-B3-28-D1-55)
  873 packets, 98797 bytes, last packet 0 seconds ago
TCP state: Established
Flow times out in 1 hour 30 minutes
rfs6000-81742D(config)#

rfs6000-81742D(config)#show firewall flows stats
Active Flows        2
TCP/IPv4 flows      2
UDP/IPv4 flows      0
DHCP/IPv4 flows     0
ICMP/IPv4 flows     0
IPsec/IPv4 flows    0
TCP/IPv6 flows      0
UDP/IPv6 flows      0
DHCP/IPv6 flows     0
ICMP/IPv6 flows     0
IPsec/IPv6 flows    0
L3/Unknown flows    0
rfs6000-81742D(config)#
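The management flow listing above is the controller's own view of who is logged into it: the Forward leg of Flow# 1 is an SSH session (destination port 22) from 192.168.13.10. Reviewing that listing against the addresses that are supposed to reach the management plane is a quick, repeatable check. The following Python is an added example written for this guide, not Extreme or WiNG code. Flow# 1 in its sample reproduces the session shown above; Flow# 2, the 10.9.8.7 client, the allowed management network 192.168.13.0/24 and the management port list are assumptions made for the demonstration.

```python
"""Audit `show firewall flows management` for sessions from unexpected sources.

Added example for this guide, not Extreme/WiNG code. Flow# 1 in SAMPLE_OUTPUT
reproduces the session shown on the page; Flow# 2, the 10.9.8.7 client, the
allowed network 192.168.13.0/24 and the port list are assumptions.
"""
import ipaddress
import re

FLOW_HDR_RE = re.compile(r"=+ Flow# (?P<id>\d+) Summary =+")
TUPLE_RE = re.compile(
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+) port (?P<sport>\d+) > (?P<dst>[\d.]+) port (?P<dport>\d+)"
)
STATE_RE = re.compile(r"TCP state: (?P<state>\w+)")

SAMPLE_OUTPUT = """\
========== Flow# 1 Summary ==========
Forward:
  IPv4 Vlan 1, TCP 192.168.13.10 port 1646 > 192.168.13.24 port 22
  00-02-B3-28-D1-55 > 00-15-70-81-74-2D, ingress port up1
  Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-2D)
  1170 packets, 99960 bytes, last packet 0 seconds ago
Reverse:
  IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 192.168.13.10 port 1646
  00-15-70-81-74-2D > 00-02-B3-28-D1-55, ingress port local
  Egress port: up1, Egress interface: vlan1, Next hop: 192.168.13.10 (00-02-B3-28-D1-55)
  873 packets, 98797 bytes, last packet 0 seconds ago
TCP state: Established
Flow times out in 1 hour 30 minutes
========== Flow# 2 Summary ==========
Forward:
  IPv4 Vlan 1, TCP 10.9.8.7 port 51022 > 192.168.13.24 port 22
  00-AA-BB-CC-DD-EE > 00-15-70-81-74-2D, ingress port up1
  Egress port: <local>, Egress interface: vlan1, Next hop: <local> (00-15-70-81-74-2D)
  12 packets, 1808 bytes, last packet 3 seconds ago
Reverse:
  IPv4 Vlan 1, TCP 192.168.13.24 port 22 > 10.9.8.7 port 51022
  00-15-70-81-74-2D > 00-AA-BB-CC-DD-EE, ingress port local
  Egress port: up1, Egress interface: vlan1, Next hop: 10.9.8.7 (00-AA-BB-CC-DD-EE)
  9 packets, 1340 bytes, last packet 3 seconds ago
TCP state: Established
Flow times out in 1 hour 30 minutes
"""


def parse_management_flows(text):
    """One dict per flow: id, proto, src, sport, dst, dport from the Forward leg, plus TCP state."""
    flows = []
    current = None
    in_forward = False
    for line in text.splitlines():
        hdr = FLOW_HDR_RE.search(line)
        if hdr:
            current = {"id": int(hdr["id"]), "state": None}
            flows.append(current)
            in_forward = False
            continue
        if current is None:
            continue
        if line.startswith("Forward:"):
            in_forward = True
            continue
        if line.startswith("Reverse:"):
            in_forward = False
            continue
        tup = TUPLE_RE.search(line)
        if tup and in_forward and "src" not in current:   # client -> device direction only
            current.update(proto=tup["proto"], src=tup["src"], sport=int(tup["sport"]),
                           dst=tup["dst"], dport=int(tup["dport"]))
            continue
        st = STATE_RE.search(line)
        if st:
            current["state"] = st["state"]
    return flows


def unexpected_sessions(flows, allowed_sources, management_ports=(22, 443)):
    """Flows to a management port whose client address lies outside every allowed network."""
    nets = [ipaddress.ip_network(n) for n in allowed_sources]
    unexpected = []
    for f in flows:
        if f.get("dport") not in management_ports:
            continue
        src = ipaddress.ip_address(f["src"])
        if not any(src in net for net in nets):
            unexpected.append(f)
    return unexpected


if __name__ == "__main__":
    flows = parse_management_flows(SAMPLE_OUTPUT)
    for f in unexpected_sessions(flows, ["192.168.13.0/24"]):
        print(f"flow {f['id']}: {f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} ({f['state']})")
```

The check deliberately uses the Forward leg only, since that is the leg whose source is the client; the Reverse leg always has the device as its source and would otherwise mask the real origin.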
6.1.29 global show commands

Displays global information for network devices based on the parameters passed

Supported in the following platforms:
  Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers   RFS4000, RFS6000
  Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show global [device-list|domain]

show global device-list {filter {offline|online|rf-domain}}
show global device-list {filter {offline|online}}
show global device-list {filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]}
show global domain managers

Parameters
show global device-list {filter {offline|online}}

  global device-list        Displays global information for all network devices. Use the following keywords to specify additional filters: offline, online, and rf-domain.
  filter {offline|online}   Optional. Specifies additional filters
                              offline   Optional. Displays global information for offline devices only
                              online    Optional. Displays global information for online devices only

show global device-list {filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]}

  global device-list        Displays global information for all network devices. Use the following keywords to specify additional filters: offline, online, and rf-domain.
  filter rf-domain [<DOMAIN-NAME>|not <DOMAIN-NAME>]
                            Optional. Specifies additional filters
                              rf-domain           Optional. Displays global information for all devices in a specified RF Domain
                              <DOMAIN-NAME>       Optional. Displays information on all devices within the domain identified by the <DOMAIN-NAME> keyword
                              not <DOMAIN-NAME>   Optional. Displays information on all devices in domains not matching the <DOMAIN-NAME> keyword

show global domain managers

  global domain managers    Displays global information for all RF Domains and managers in the network

Example
rfs6000-81742D(config)#show global device-list filter rf-domain TechPubs
--------------------------------------------------------------------------------------------------------------
  MAC                 HOST-NAME        TYPE      CLUSTER        RF-DOMAIN   ADOPTED-BY          ONLINE
--------------------------------------------------------------------------------------------------------------
  00-15-70-81-74-2D   rfs6000-81742D   rfs6000   SiteConRFS6k   TechPubs    B4-C7-99-6C-88-09   online
--------------------------------------------------------------------------------------------------------------
Total number of clients displayed: 1
rfs6000-81742D(config)#

rfs6000-81742D(config)#show global domain managers
-----------------------------------------------------------------------------------------------------
  RF-DOMAIN   MANAGER             HOST-NAME        APS   CLIENTS
-----------------------------------------------------------------------------------------------------
  default     ? rf-domain manager 00-15-70-38-03-E7 not in configuration
  TechPubs    00-15-70-81-74-2D   rfs6000-81742D   0     0
-----------------------------------------------------------------------------------------------------
Total number of RF-domain displayed: 2
rfs6000-81742D(config)#
6.1.30 gre show commands

Displays layer 2 Generic Routing Encapsulation (GRE) tunnel traffic flow information

GRE is one of the available tunneling mechanisms; it uses IP as the transport protocol and can carry many different passenger protocols. The tunnels behave as virtual point-to-point links whose two endpoints are identified by the tunnel source and tunnel destination addresses configured at each end.

Supported in the following platforms:
  Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers   RFS4000, RFS6000
  Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show gre info {detail} {(on <DEVICE-NAME>)}

Parameters
show gre info {detail} {(on <DEVICE-NAME>)}

  gre info            Displays GRE tunnel information
  detail              Optional. Displays GRE tunnel information in detail, such as the tunnel state, the IP address of the remote-end peer device, the session ID of an operational tunnel, the total number of packets received and transmitted through the tunnel, and the number of packets dropped during tunneled exchanges between the access point and the peer at the remote end of the tunnel
  on <DEVICE-NAME>    Optional. Executes the command on a specified device
                        <DEVICE-NAME>   Specify the name of the access point, controller, or service platform.

Example
rfs6000-81742D#show gre info
Gre Tunnel info:
Tunnel info not found
rfs6000-81742D#
6.1.31 guest-registration show commands

Displays information on the performance of clients using guest access permissions to obtain network resources within the WiNG network. The reporting timeline can be adjusted as needed, as can the RF Domain(s) and WLAN(s) used to filter and report guest client statistics.

Supported in the following platforms:
  Service Platforms      NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
show guest-registration [age-range|backup-snapshots|browsers|client|devices|gender|loyalty-app-status|notification-status|os|social|user-trends|visitors] {on <DEVICE-NAME>}

show guest-registration backup-snapshots
show guest-registration [age-range|browsers|devices|gender|os|user-trends|visitors] time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
show guest-registration client [email|mac|member|mobile|name|time]
show guest-registration client [email <EMAIL-ADDRESS>|mac <MAC>|member <MEMBER-ID>|mobile <MOBILE-NUMBER>|name <NAME>]
show guest-registration client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|30-Secs|5-Mins] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
show guest-registration loyalty-app-status time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}
show guest-registration notification-status
show guest-registration social time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(facebook|rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>|google)}

Parameters
show guest-registration backup-snapshots

  guest-registration      Displays guest registration statistics based on the parameters passed
  backup-snapshots        Displays a list of periodically backed up snapshots of the database. By default, the system maintains a snapshot of the database on a daily basis.
                          Note: Use the service > guest-registration > backup [delete|restore] command to delete these snapshots and to restore deleted snapshots. For more information, see service.

show guest-registration [age-range|browsers|devices|gender|os|user-trends|visitors] time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}

  guest-registration      Displays guest registration statistics based on the parameters and time entered. Optionally, use the rfdomain and/or wlan keywords to view guest registration statistics for a specified RF Domain and/or WLAN.
  age-range               Displays the age ranges of guest users logged in within a selected time period
  browsers                Displays the browsers used by guest users logged in within a selected time period
  devices                 Displays the device types used by guest users logged in within a selected time period
  gender                  Displays the gender of guest users logged in within a selected time period
  os                      Displays the operating system (OS) of devices logged in within a selected time period
  user-trends             Displays guest user login trends for a selected time period. It displays statistical data such as the number of new users, the number of return users, and the total number of users.
  visitors                Displays the type of visitors logged in within a selected time period
  time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
                          Displays guest registration statistics for a specified time period. The statistics displayed depend on the option selected in the previous step. Specify the time period using one of the following options:
                            1-Day      Displays the previous day's statistics
                            1-Month    Displays the previous month's statistics
                            1-Week     Displays the previous week's statistics
                            2-Hours    Displays the last 2 hours' statistics
                            30-Mins    Displays the last 30 minutes' statistics
                            5-Hours    Displays the last 5 hours' statistics
                            all        Displays statistics from the day the database was created
  {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
                          Use the following options as additional filters:
                            rfdomain <DOMAIN-NAME>   Optional. Displays guest registration statistics for a specified RF Domain.
                                                       <DOMAIN-NAME>   Specify the RF Domain name.
                            wlan <WLAN-NAME>         Optional. Displays guest registration statistics for a specified WLAN.
                                                       <WLAN-NAME>     Specify the WLAN name.

show guest-registration client [email <EMAIL-ADDRESS>|mac <MAC>|member <MEMBER-ID>|mobile <MOBILE-NUMBER>|name <NAME>]

  guest-registration      Displays guest registration statistics based on the parameters entered
  client                  Displays statistical data for a specific client. Use the email, mac, member, mobile, or name keyword to provide the match criteria.
  email <EMAIL-ADDRESS>   Displays statistical data for the client whose e-mail address matches the <EMAIL-ADDRESS> parameter
                            <EMAIL-ADDRESS>   Specify the client's e-mail address.
  mac <MAC>               Displays statistical data for the client whose MAC address matches the <MAC> parameter
                            <MAC>             Specify the client's MAC address.
  member <MEMBER-ID>      Displays statistical data for the client whose member ID matches the <MEMBER-ID> parameter
                            <MEMBER-ID>       Specify the client's member ID.
  mobile <MOBILE-NUMBER>  Displays statistical data for the client whose mobile number matches the <MOBILE-NUMBER> parameter
                            <MOBILE-NUMBER>   Specify the client's mobile number.
  name <NAME>             Displays statistical data for the client whose name matches the <NAME> parameter
                            <NAME>            Specify the client's name.

show guest-registration client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|30-Secs|5-Mins] {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}

  guest-registration      Displays guest registration statistics based on the parameters and time entered. Optionally, use the rfdomain and/or wlan keywords to view guest registration statistics for a specified RF Domain and/or WLAN.
  client time [1-Hour|10-Mins|15-Mins|2-Mins|30-Mins|30-Secs|5-Mins]
                          Displays statistical data for all clients logged in within the specified time period. Use one of the following options to specify the time period:
                            30-Secs    Displays clients logged in within the last 30 seconds
                            2-Mins     Displays clients logged in within the last 2 minutes
                            5-Mins     Displays clients logged in within the last 5 minutes
                            10-Mins    Displays clients logged in within the last 10 minutes
                            15-Mins    Displays clients logged in within the last 15 minutes
                            30-Mins    Displays clients logged in within the last 30 minutes
                            1-Hour     Displays clients logged in within the last hour
  {(rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>)}
                          Use the following options as additional filters:
                            rfdomain <DOMAIN-NAME>   Optional. Displays guest registration statistics for a specified RF Domain.
                                                       <DOMAIN-NAME>   Specify the RF Domain name.
                            wlan <WLAN-NAME>         Optional. Displays guest registration statistics for a specified WLAN.
                                                       <WLAN-NAME>     Specify the WLAN name.

show guest-registration loyalty-app-status time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}

  guest-registration      Displays guest registration statistics based on the parameters and time entered
  loyalty-app-status      Displays captive portal clients' Loyalty Application analytics, such as the number of guest clients with loyalty application detection enabled associating with the captive portal's access point during a specified time period. Loyalty application detection occurs on the access point to which the guest client is associated, allowing a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal. For more information on enabling loyalty application detection on a captive portal, see report-loyalty-application.
  time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
                          Specifies the time period, using one of the following options:
                            1-Day      Displays the previous day's captive portal clients' Loyalty Application analytics
                            1-Month    Displays the previous month's captive portal clients' Loyalty Application analytics
                            1-Week     Displays the previous week's captive portal clients' Loyalty Application analytics
                            2-Hours    Displays the last 2 hours' captive portal clients' Loyalty Application analytics
                            30-Mins    Displays the last 30 minutes' captive portal clients' Loyalty Application analytics
                            5-Hours    Displays the last 5 hours' captive portal clients' Loyalty Application analytics
                            all        Displays the entire Loyalty Application analytics, from the day the database was created
  {rfdomain <RF-DOMAIN-NAME>|wlan <WLAN-NAME>}
                          Optional. Specifies the RF Domain and/or WLAN for which to view the analytics
                            rfdomain <RF-DOMAIN-NAME>   Displays Loyalty App analytics for a specified RF Domain
                                                          <RF-DOMAIN-NAME>   Specify the RF Domain name.
                            wlan <WLAN-NAME>            Displays Loyalty App analytics for a specified WLAN
                                                          <WLAN-NAME>        Specify the WLAN name.

show guest-registration notification-status

  guest-registration      Displays guest registration statistics based on the parameters entered
  notification-status     Displays the guest registration notification status

show guest-registration social time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all] {(facebook|rfdomain <DOMAIN-NAME>|wlan <WLAN-NAME>|google)}

  guest-registration      Displays guest registration statistics based on the parameters and time entered
  social                  Displays the social sites used by guests to register. Optionally, use the rfdomain and/or wlan keywords to view the social sites used by guests of a specified RF Domain and/or WLAN.
  time [1-Day|1-Month|1-Week|2-Hours|30-Mins|5-Hours|all]
                          Displays social site statistics for a specified time period. Use one of the following time options:
                            1-Day      Displays the previous day's statistics
                            1-Month    Displays the previous month's statistics
                            1-Week     Displays the previous week's statistics
                            2-Hours    Displays the last 2 hours' statistics
                            30-Mins    Displays the last 30 minutes' statistics
                            5-Hours    Displays the last 5 hours' statistics
                            all        Displays the entire database
  facebook                Displays guest users using Facebook to log in
  rfdomain <DOMAIN-NAME>  Displays guest users for a specific RF Domain
                            <DOMAIN-NAME>   Specify the RF Domain name.
  wlan <WLAN-NAME>        Displays guest users for a specific WLAN
                            <WLAN-NAME>     Specify the WLAN name.
  google                  Displays guest users using Google to log in

Example
nx9500-6C8809#show guest-registration age-range time all
Timeline: all
---------------------------------
AGE RANGE COUNT
---------------------------------
less_than_18 0 ( 0%) 18_to_24 1 ( 20%) 25_to_34 0 ( 0%) 35_to_44 1 ( 20%) 45_to_54 1 ( 20%) 55_to_64 2 ( 40%) greater_than_64 0 ( 0%)
---------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration browsers time 1-Day rfdomain Test-rfdomain-
10RF Domain: Test-rfdomain-10 Timeline: 1-Day
-----------------------------------
BROWSER COUNT
-----------------------------------
Safari 1 ( 50%) Chrome 1 ( 50%) nx9500-6C8809#
nx9500-6C8809#show guest-registration devices time 30-Mins wlan Test-ssid-9 WLAN: Test-ssid-9 Timeline: 30-Mins
-------------------------------
DEVICE COUNT
-------------------------------
Windows PC 1 (100%) nx9500-6C8809#
nx9500-6C8809#show guest-registration gender time all wlan Test-ssid-10 rfdomain Test-rfdomain-10 RF Domain: Test-rfdomain-10 WLAN: Test-ssid-10 Timeline: all
---------------------------------------------
GENDER COUNT
---------------------------------------------
Male 1 ( 50%) Female 1 ( 50%) Other 0 ( 0%) nx9500-6C8809#
nx9500-6C8809#show guest-registration gender time all wlan Test-ssid-10 rfdomain Test-rfdomain-9
%% No guests registered for specified inputs. nx9500-6C8809#
nx9500-6C8809#show guest-registration os time 1-Day Timeline: 1-Day
-------------------------------
OS COUNT
-------------------------------
Windows 7 3 ( 30%) Apple iOS 3 ( 30%) Macintosh 3 ( 30%) Windows 8 1 ( 10%) nx9500-6C8809#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 67 SHOW COMMANDS nx9500-6C8809#show guest-registration social time 30-Mins Timeline: 30-Mins
---------------------------------------------
SOCIAL ONLINE TOTAL
---------------------------------------------
google 1 (100%) 1 ( 10%) Local 0 ( 0%) 9 ( 90%) nx9500-6C8809#
nx9500-6C8809#show guest-registration user-trends time all Timeline: all
----------------------------------------------------------------------------
SAMPLE RANGE NEW USERS RETURN USERS TOTAL
----------------------------------------------------------------------------
2014-2-16 - 2014-4-17 0 ( 0%) 0 ( 0%) 0 2014-4-17 - 2014-6-16 0 ( 0%) 0 ( 0%) 0 2014-6-16 - 2014-8-15 0 ( 0%) 0 ( 0%) 0 2014-8-15 - 2014-10-14 0 ( 0%) 0 ( 0%) 0 2014-10-14 - 2014-12-13 0 ( 0%) 0 ( 0%) 0 2014-12-13 - 2015-2-11 10 (100%) 0 ( 0%) 10
----------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration user-trends time 1-Day Timeline: 1-Day
----------------------------------------------------------------------------
SAMPLE RANGE NEW USERS RETURN USERS TOTAL
----------------------------------------------------------------------------
23:16 - 3:16 0 ( 0%) 0 ( 0%) 0 3:16 - 7:16 0 ( 0%) 0 ( 0%) 0 7:16 - 11:16 0 ( 0%) 0 ( 0%) 0 11:16 - 15:16 0 ( 0%) 0 ( 0%) 0 15:16 - 19:16 0 ( 0%) 0 ( 0%) 0 19:16 - 23:16 0 ( 0%) 0 ( 0%) 0
----------------------------------------------------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration visitors time 30-Mins Timeline: 30-Mins
-----------------------------------
VISITORS COUNT
-----------------------------------
New Users 7 ( 70%) Return Users 3 ( 30%) nx9500-6C8809#
nx9500-6C8809#show guest-registration client time 30-Mins email Guest_9@abc.com
-----------------------------------
ATTRIBUTE VALUE
-----------------------------------
city Brooklyn wlan Test-ssid-10 name Guest_9 zip 11204 mobile 9131373709 gender female llogintime 2015-01-20 19:11:14.001000 mobileok on devtype Windows PC createtime 2015-01-20 18:27:14.001000 email Guest_9@abc.com mac 10-00-00-10-00-09 reg_type otp rfd Test-rfdomain-10 Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 68 SHOW COMMANDS agerange <18 group mac_reg_gr1 mid 1234100009 os Windows 7 exptime 2015-11-16 19:21:14.001000 browser Safari
-----------------------------------
nx9500-6C8809#
nx9500-6C8809#show guest-registration client time 30-Mins rfdomain Test-rfdomain-8
-----------------------------------
ATTRIBUTE VALUE
-----------------------------------
loggedin yes wlan Test-ssid-8 name Guest_1 locale en_US llogintime 2015-01-20 19:15:14 devtype Macintosh exptime 2015-11-16 19:21:14 lname Guest_100000 source google mac 10-00-00-10-00-01 email Guest_1@abc.com id 657669862939196 reg_type device fname Test-Guest_1 rfd Test-rfdomain-8 agerange 35-44 timezone 7 profilePic https://www.google.com/user_id/657669862939196/
os Macintosh createtime 2015-01-20 18:45:14 group mac_reg_gr1 browser Chrome
-----------------------------------
city Santa Cruz group mac_reg_gr1 name Guest_2 zip 95062 mobile 3700870747 mid 1234100001 llogintime 2015-01-20 19:18:14 mobileok on devtype Apple iPad exptime 2015-11-16 19:21:14 createtime 2015-01-20 19:11:14 mac 10-00-00-10-00-02 reg_type otp rfd Test-rfdomain-8 agerange 55-64 wlan Test-ssid-8 os Apple iOS email Guest_2@abc.com browser Chrome
-----------------------------------
city                      Los Angeles
group                     mac_reg_gr1
name                      Guest_5
zip                       90001
mobile                    9129618672
mid                       1234100005
llogintime                2015-01-20 19:20:14
devtype                   Macintosh
exptime                   2015-11-16 19:21:14
createtime                2015-01-20 19:05:14
mac                       10-00-00-10-00-05
reg_type                  device
rfd                       Test-rfdomain-8
agerange                  18-24
wlan                      Test-ssid-8
os                        Macintosh
email                     Guest_5@abc.com
browser                   Chrome
-----------------------------------
nx9500-6C8809#
nx7500-112233#show guest-registration loyalty-app-status time all
Timeline: all
---------------------------------------------
LOYALTY APP STATUS COUNT
---------------------------------------------
Loyalty App Users         491 ( 49%)
Others                    510 ( 51%)
nx7500-112233#
6.1.32 interface show commands
Displays configured system interfaces and their status
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show interface {<INTERFACE-NAME>|brief|counters|ge|me1|port-channel|pppoe1|switchport|vlan|wwan1}
show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-2>|pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}
Parameters
show interface {<INTERFACE-NAME>|brief|counters|ge <1-4>|me1|port-channel <1-2>|pppoe1|switchport|vlan <1-4094>|wwan1} {on <DEVICE-NAME>}
interface                 Displays system interface status based on the parameters passed
<INTERFACE-NAME>          Optional. Displays the status of the interface specified by the <INTERFACE-NAME> parameter. Specify the interface name.
brief                     Optional. Displays a brief summary of the interface status and configuration
counters                  Optional. Displays interface Tx or Rx counters
ge <1-4>                  Optional. Displays Gigabit Ethernet interface status and configuration
                          <1-4> Select the Gigabit Ethernet interface index from 1 - 4.
me1                       Optional. Displays Fast Ethernet interface status and configuration
port-channel <1-2>        Optional. Displays port channel interface status and configuration
                          <1-2> Specify the port channel index from 1 - 2.
pppoe1                    Optional. Displays PPP over Ethernet interface status and configuration
switchport                Optional. Displays layer 2 interface status
vlan <1-4094>             Optional. Displays VLAN interface status and configuration
                          <1-4094> Specify the Switch Virtual Interface (SVI) VLAN ID from 1 - 4094.
wwan1                     Optional. Displays Wireless WAN interface status, configuration, and counters
The following keywords are common to all of the above interfaces:
on <DEVICE-NAME>          Optional. Displays interface related information on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
The following interfaces are available on an RFS6000 controller:
rfs6000-81742D(config)#show interface ?
  WORD          Interface name
  brief         Brief summary of interface status and configuration
  counters      Interface tx/rx counters
  ge            GigabitEthernet interface
  me1           FastEthernet interface
  on            On AP/Controller
  port-channel  Port-Channel interface
  pppoe1        PPP Over Ethernet interface
  switchport    Status of Layer2 interfaces
  up1           WAN Ethernet interface
  vlan          Switch VLAN interface
  wwan1         Wireless WAN interface
| Output modifiers
> Output redirection
>> Output redirection appending
<cr>
rfs6000-81742D(config)#
rfs6000-81742D(config)#show interface switchport
---------------------------------------------------------------------------------------
INTERFACE           STATUS    MODE      VLAN(S)
---------------------------------------------------------------------------------------
ge1                 DOWN      access    1
ge2                 DOWN      access    1
ge3                 DOWN      access    1
ge4                 DOWN      access    1
ge5                 DOWN      access    1
ge6                 DOWN      access    1
ge7                 DOWN      access    1
ge8                 DOWN      access    1
up1                 UP        access    1
--More--
rfs6000-81742D(config)#
rfs6000-81742D(config)#show interface ge 1
Interface ge1 is DOWN
  Hardware-type: ethernet, Mode: Layer 2, Address: 00-15-70-81-74-2E
  Index: 2001, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational n/a, Maximum 1G
  Duplex: Admin Auto, Operational n/a
  Active-medium: n/a
  Switchport settings: access, access-vlan: 1
  Input packets 0, bytes 0, dropped 0
  Received 0 unicasts, 0 broadcasts, 0 multicasts
  Input errors 0, runts 0, giants 0
  CRC 0, frame 0, fragment 0, jabber 0
  Output packets 0, bytes 0, dropped 0
  Sent 0 unicasts, 0 broadcasts, 0 multicasts
  Output errors 0, collisions 0, late collisions 0
  Excessive collisions 0
rfs6000-81742D(config)#
rfs6000-81742D(config)#show interface counters
--------------------------------------------------------------------------------------------------------------
INTF          MAC                 RX-PKTS     RX-BYTES     RX-DROP    TX-PKTS     TX-BYTES     TX-DROP
--------------------------------------------------------------------------------------------------------------
me1           00-15-70-81-74-36   0           0            0          0           0            0
vlan1         00-15-70-81-74-2D   1578154     279596323    0          82096       14710688     0
ge1           00-15-70-81-74-2E   0           0            0          0           0            0
ge2           00-15-70-81-74-2F   0           0            0          0           0            0
ge3           00-15-70-81-74-30   0           0            0          0           0            0
ge4           00-15-70-81-74-31   0           0            0          0           0            0
ge5           00-15-70-81-74-32   0           0            0          0           0            0
ge6           00-15-70-81-74-33   0           0            0          0           0            0
--More--
rfs6000-81742D(config)#
rfs6000-81742D(config)#show interface vlan 1
Interface vlan1 is UP
  Hardware-type: vlan, Mode: Layer 3, Address: 00-15-70-81-74-2D
  Index: 5, Metric: 1, MTU: 1500
  IP-Address: 192.168.13.24/24
  input packets 1578392, bytes 279625825, dropped 0, multicast packets 0
  input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
  output packets 82159, bytes 14717966, dropped 0
  output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
  collisions 0
  IPv6 mode is disabled
rfs6000-81742D(config)#
nx9500-6C8809(config)#show interface switchport
---------------------------------------------------------------------------------------
INTERFACE           STATUS    MODE      VLAN(S)
---------------------------------------------------------------------------------------
ge1                 UP        access    1
ge2                 DOWN      access    1
---------------------------------------------------------------------------------------
A '*' next to the VLAN ID indicates the native vlan for that trunk port
nx9500-6C8809(config)#
nx9500-6C8809(config)#show interface vlan 1
Interface vlan1 is UP
  Hardware-type: vlan, Mode: Layer 3, Address: B4-C7-99-6C-88-09
  Index: 5, Metric: 1, MTU: 1500
  IP-Address: 192.168.13.13/24
  input packets 4623946, bytes 568905032, dropped 0, multicast packets 0
  input errors 0, length 0, overrun 0, CRC 0, frame 0, fifo 0, missed 0
  output packets 458235, bytes 90317187, dropped 0
  output errors 0, aborted 0, carrier 0, fifo 0, heartbeat 0, window 0
  collisions 0
  IPv6 mode is disabled
nx9500-6C8809(config)#
nx9500-6C8809(config)#show interface ge 1
Interface ge1 is UP
  Hardware-type: ethernet, Mode: Layer 2, Address: 00-1E-67-4B-BF-BC
  Index: 2001, Metric: 1, MTU: 1500
  Speed: Admin Auto, Operational 1G, Maximum 1G
  Duplex: Admin Auto, Operational Full
  Active-medium: n/a
  Input packets 2326745, bytes 348775278, dropped 0
  Received 2326745 unicasts, 4367 broadcasts, 1219173 multicasts
  Input errors 0, runts 0, giants 0
  CRC 0, frame 0, fragment 0, jabber 0
  Output packets 1080901, bytes 244595966, dropped 0
  Sent 1080901 unicasts, 392 broadcasts, 132573 multicasts
  Output errors 0, collisions 0, late collisions 0
  Excessive collisions 0
nx9500-6C8809(config)#
nx9500-6C8809(config)#show interface counters
--------------------------------------------------------------------------------------------------------------
INTF          MAC                 RX-PKTS     RX-BYTES     RX-DROP    TX-PKTS     TX-BYTES     TX-DROP
--------------------------------------------------------------------------------------------------------------
vlan1         B4-C7-99-6C-88-09   2571193     341672167    0          625888      90924957     0
ge1           00-1E-67-4B-BF-BC   2326629     348759017    0          1080855     244588229    0
ge2           00-1E-67-4B-BF-BD   0           0            0          0           0            0
port..nel1    00-1E-67-4B-BF-BC   2326631     348759243    0          1080857     244588673    0
--------------------------------------------------------------------------------------------------------------
nx9500-6C8809(config)#
6.1.33 ip show commands
Displays IP related information
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show ip [arp|bgp|ddns|default-gateways|dhcp|dhcp-vendor-options|domain-name|extcommunity-list|igmp|interface|name-server|nat|ospf|route|routing]
show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}
show ip bgp {<IP>|<IP/M>|community|community-list|filter-list|neighbors|on|paths|
prefix-list|regexp|route-map|state|summary}
show ip ddns bindings {on <DEVICE-NAME>}
show ip dhcp [binding|networks|status]
show ip dhcp binding {manual} {(on <DEVICE-NAME>)}
show ip dhcp [networks|status] {on <DEVICE-NAME>}
show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|routing]
{on <DEVICE-NAME>}
show ip extcommunity-list [<1-500>|<NAME>]
show ip igmp snooping [mrouter|querier|vlan]
show ip igmp snooping [mrouter|querier] vlan <1-4095> {on <DEVICE-NAME>}
show ip igmp snooping vlan <1-4095> {<IP>} {(on <DEVICE-NAME>)}
show ip interface {<INTERFACE-NAME>|brief|on}
show ip interface {<INTERFACE-NAME>|brief} {(on <DEVICE-NAME>)}
show ip nat translations verbose {on <DEVICE-NAME>}
show ip route {<INTERFACE-NAME>|ge|me1|on|port-channel|pppoe1|vlan|wwan1}
show ip route {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>|
pppoe1|wwan1} {(on <DEVICE-NAME>)}
show ip ospf {border-router|interface|neighbor|on|route|state}
show ip ospf {border-router|neighbor|route|on|state} {on <DEVICE-NAME>}
show ip ospf {interface} {vlan|on}
show ip ospf {interface} {vlan <1-4094>} {(on <DEVICE-NAME>)}
NOTE: The show ip ospf command is also available under the profile and device modes.
Parameters
show ip arp {<VLAN-NAME>} {(on <DEVICE-NAME>)}
ip arp                    Displays Address Resolution Protocol (ARP) mappings
<VLAN-NAME>               Optional. Displays ARP mapping on a specified VLAN. Specify the VLAN name.
The following keyword is recursive and common to the vlan-name parameter:
on <DEVICE-NAME>          Optional. Displays ARP configuration details on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip bgp {<IP>|<IP/M>|community|community-list|filter-list|neighbors|on|paths|prefix-list|regexp|route-map|state|summary}
ip bgp                    Displays BGP routing table statistics based on the match criteria specified here. Routes matching the specified criteria are filtered. Use the available options to filter the information displayed. This command is applicable to the RFS4000, RFS6000, NX9XXX model devices.
<IP>                      Optional. Filters routes matching the specified IP address
<IP/M>                    Optional. Filters routes matching the specified network
community                 Optional. Filters routes based on the community attribute specified. The options are:
                          AA:NN         Filters routes based on the community number (AA: is the autonomous system number (ASN), NN: is the community number within the specified ASN)
                          local-as      Filters routes carrying the local-as attribute (these routes are not sent outside the local AS)
                          no-advertise  Filters routes carrying the no-advertise attribute (these routes are not advertised to any peers)
                          no-export     Filters routes carrying the no-export attribute (these routes are not exported to the next AS)
community-list            Optional. Displays routes that are members of communities included in the specified BGP community-list
                          <1-500> Specify the community-list number.
                          <WORD> Specify the community-list name.
filter-list               Optional. Filters routes having an AS-path matching the specified AS-path access list. Specify the AS-path ACL name.
neighbors                 Optional. Displays BGP neighbor details. Specify the IP address to view a specific neighbor's details. Use one of the following options to filter information:
                          advertised-routes  Displays route information for routes advertised to the selected neighbor device
                          received-routes    Displays route information for routes received from the selected neighbor device
                          routes             Displays the route information for routes learned from the selected neighbor device
                          If no neighbor IP address is specified, the system displays all neighbor-related routes on the logged device.
on <DEVICE-NAME>          Optional. Displays BGP routing table statistics on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
paths                     Optional. Displays BGP path details
prefix-list <PREFIX-LIST-NAME>  Optional. Displays routes conforming to the specified prefix-list
                          <PREFIX-LIST-NAME> Specify the prefix list name.
regexp <LINE>             Optional. Displays routes matching the specified AS path regular expression
                          <LINE> Specify the regular expression.
route-map <ROUTE-MAP-NAME>  Optional. Displays routes matching the specified route map
                          <ROUTE-MAP-NAME> Specify the route map name.
show ip ddns bindings {on <DEVICE-NAME>}
ip ddns                   Displays Dynamic Domain Name Server (DDNS) configuration details
bindings                  Displays DDNS address bindings
on <DEVICE-NAME>          Optional. Displays address bindings on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip dhcp [networks|status] {on <DEVICE-NAME>}
ip dhcp                   Displays DHCP server related details, such as network and status
networks                  Displays DHCP server network details
status                    Displays DHCP server status
The following keyword is common to all of the above parameters:
on <DEVICE-NAME>          Optional. Displays server status and network details on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip dhcp binding {manual} {(on <DEVICE-NAME>)}
ip dhcp                   Displays the DHCP server configuration details
binding                   Displays DHCP address bindings
manual                    Optional. Displays static DHCP address bindings
The following keyword is recursive and common to the manual parameter:
on <DEVICE-NAME>          Optional. Displays DHCP address bindings on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip extcommunity-list [<1-500>|<NAME>]
ip extcommunity-list [<1-500>|<NAME>]   Displays the specified extended community list details
                          <1-500> Specify the extended community number from 1 - 500.
                          <NAME> Specify the extended community name.
                          This command is applicable to the RFS4000, RFS6000, NX95XX model devices.
show ip [default-gateways|dhcp-vendor-options|domain-name|name-server|routing] {on <DEVICE-NAME>}
ip default-gateways       Displays all learnt default gateways
ip dhcp-vendor-options    Displays DHCP option 43 parameters received from the DHCP server. This output includes the interface from which the option was learned.
ip domain-name            Displays the DNS default domain
ip name-server            Displays the DNS name server details
ip routing                Displays routing status
The following keywords are common to all of the above parameters:
on <DEVICE-NAME>          Optional. Displays IP related information, based on the parameters passed, on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip igmp snooping [mrouter|querier] vlan <1-4095> {on <DEVICE-NAME>}
ip igmp snooping          Displays the IGMP snooping configuration
mrouter                   Displays the IGMP snooping multicast router (mrouter) configuration
querier                   Displays the IGMP snooping multicast querier configuration
vlan <1-4095>             Displays the IGMP snooping multicast router configuration for a VLAN
                          <1-4095> Specify the VLAN ID from 1 - 4095.
on <DEVICE-NAME>          Optional. Displays the IGMP snooping mrouter configuration on a specified device
                          <DEVICE-NAME> Specify the name of the AP or wireless controller.
show ip igmp snooping vlan <1-4095> {<IP>} {(on <DEVICE-NAME>)}
ip igmp snooping          Displays the IGMP snooping configuration
vlan <1-4095>             Displays the VLAN IGMP snooping configuration
                          <1-4095> Specify the VLAN ID from 1 - 4095.
<IP>                      Optional. Specifies the multicast group IP address
The following keyword is recursive and common to the ip parameter:
on <DEVICE-NAME>          Optional. Displays configuration details on a specified device
                          <DEVICE-NAME> Specify the name of the AP or wireless controller.
show ip interface {<INTERFACE-NAME>|brief} {(on <DEVICE-NAME>)}
ip interface              Displays the administrative and operational status of all layer 3 interfaces or of a specified layer 3 interface
<INTERFACE-NAME>          Optional. Displays a specified interface's status. Specify the interface name.
brief                     Optional. Displays a brief summary of all interface status and configuration
The following keyword is recursive and common to the interface-name and brief parameters:
on <DEVICE-NAME>          Optional. Displays interface status and summary, based on the parameters passed, on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip nat translations verbose {on <DEVICE-NAME>}
ip nat                    Displays Network Address Translation (NAT) translations
translations verbose      Displays detailed NAT translations
on <DEVICE-NAME>          Optional. Displays NAT translations on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip route {<INTERFACE-NAME>|ge <1-4>|me1|port-channel <1-2>|vlan <1-4094>|pppoe1|wwan1} {(on <DEVICE-NAME>)}
ip route                  Displays route table details. The route tables use flags to distinguish between routes. The different flags are:
                          C  Connected
                          G  Gateway
                          O  OSPF route
                          S  Static route
                          Note: Flags S and O identify static learned routes and dynamic learned routes respectively.
<INTERFACE-NAME>          Optional. Displays route table details for a specified interface. Specify the interface name.
ge <1-4>                  Optional. Displays GigabitEthernet interface route table details
                          <1-4> Specify the GigabitEthernet interface index from 1 - 4.
me1                       Optional. Displays FastEthernet interface route table details
port-channel <1-2>        Optional. Displays port channel interface route table details. Specify the port channel index from 1 - 2.
vlan <1-4094>             Optional. Displays VLAN interface route table details. Select the VLAN interface ID from 1 - 4094.
pppoe1                    Optional. Displays Point-to-Point Protocol over Ethernet (PPPoE) interface route table details
wwan1                     Optional. Displays Wireless WAN route table details
The following keywords are recursive and common to all of the above parameters:
on <DEVICE-NAME>          Displays route table details, based on the parameters passed, on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ip ospf {border-router|interface|neighbor|route|on|state} {on <DEVICE-NAME>}
ip ospf                   Displays overall OSPF information
border-router             Optional. Displays details of all the border routers connected
interface {on|vlan <1-4094>}   Optional. Displays details of all the interfaces with OSPF enabled
                          on <DEVICE-NAME> Optional. Displays specified device details
                          <DEVICE-NAME> Specify the name of the AP or wireless controller.
                          vlan <1-4094> Displays VLAN interface details
neighbor                  Optional. Displays an OSPF neighbors list
route                     Optional. Displays OSPF routes information
on <DEVICE-NAME>          Optional. Displays overall OSPF information on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
state                     Optional. Displays an OSPF process state
The following keywords are recursive and common to all of the above parameters:
on <DEVICE-NAME>          Optional. Displays overall OSPF information, based on the parameters passed, on a specified device
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D(config)#show ip arp
--------------------------------------------------------------------------------
IP MAC INTERFACE TYPE
--------------------------------------------------------------------------------
192.168.13.10        00-02-B3-28-D1-55    vlan1        dynamic
192.168.13.13        B4-C7-99-6C-88-09    vlan1        dynamic
192.168.13.2         00-0F-8F-19-BA-4C    vlan1        dynamic
--------------------------------------------------------------------------------
rfs6000-81742D(config)#
rfs6000-81742D(config)#show ip interface brief
-------------------------------------------------------------------------------
INTERFACE IP-ADDRESS/MASK TYPE STATUS PROTOCOL
-------------------------------------------------------------------------------
me1            unassigned           n/a        UP        down
vlan1          192.168.13.24/24     primary    UP        up
-------------------------------------------------------------------------------
rfs6000-81742D(config)#
rfs6000-81742D(config)#show ip route
--------------------------------------------------------------------------------
DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE
--------------------------------------------------------------------------------
default            192.168.13.2     S      vlan1      0       1
192.168.13.0/24    0.0.0.0          C      vlan1      0       0
--------------------------------------------------------------------------------
Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static
Gateway: N - Normalized Gateway Address
rfs6000-81742D(config)#
rfs6000-81701D(config)#show ip route port-channel 1
--------------------------------------------------------------------------------
DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE
--------------------------------------------------------------------------------
192.168.0.0/24     direct           C      me1        0       0
172.18.0.0/24      direct           C      vlan1      0       0
10.2.0.0/24        172.18.0.1       S      vlan1      0       1
default            192.168.13.2     S      vlan192    0       1
192.168.13.0/24    direct           C      vlan192    0       0
--------------------------------------------------------------------------------
Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static
Gateway: N - Normalized Gateway Address
rfs6000-81701D(config)#
nx9500-6C8809(config)#show ip routing on rfs6000-81742D
IP routing is enabled.
nx9500-6C8809(config)#
nx9500-6C8809(config)#show ip dhcp status
State of DHCP server: not-running
nx9500-6C8809(config)#
rfs6000-81701D(config)#show ip ospf state
Maximum number of OSPF routes allowed: 9216
Number of OSPF routes received: 0
Ignore-count allowed: 5, current ingore-count: 0
Ignore-time 60 seconds, reset-time 360 seconds
Current OSPF process state: Running
rfs6000-81701D(config)#
rfs6000-81742D(config)#show ip route on ap7532-A2A56C
--------------------------------------------------------------------------------
DESTINATION GATEWAY FLAGS INTERFACE METRIC DISTANCE
--------------------------------------------------------------------------------
169.254.0.0/16     0.0.0.0          C      vlan1      0       0
default            192.168.9.2      CG     vlan1      0       1
192.168.9.0/24     0.0.0.0          C      vlan1      0       0
--------------------------------------------------------------------------------
Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static
Gateway: N - Normalized Gateway Address
rfs6000-81742D(config)#
rfs6000-81742D(config)#show ip dhcp-vendor-options
--------------------------------------------------------------------------------
ITEM VALUE INTERFACE
--------------------------------------------------------------------------------
Server Info                 n/a        vlan1
Firmware Image File         n/a        vlan1
Config File                 n/a        vlan1
Legacy Adoption Info        n/a        n/a
AP Adoption Info            n/a        n/a
Controller Adoption Info    n/a        n/a
--------------------------------------------------------------------------------
rfs6000-81742D(config)#
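The check below is an added example, not code from the CLI Reference Guide or from WiNG. It parses a show ip route table in the layout shown in the examples above (connected routes carry the gateway "direct" or "0.0.0.0", as they do in the output), decodes the flag letters the ip route parameter description lists, and reports any static or learned route whose next-hop does not fall inside a connected network on the same interface. The table it reads is constructed for the example, not captured from a device.

```python
"""Find next-hops in a WiNG 'show ip route' table that no connected route covers."""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

# Flag letters as listed in the guide's ip route description and the Flags legend.
FLAG_NAMES = {"C": "Connected", "G": "Gateway", "O": "OSPF", "B": "BGP", "S": "Static"}

# Constructed sample in the layout of the guide's show ip route output (not a device capture).
SAMPLE_TABLE = """\
--------------------------------------------------------------------------------
DESTINATION        GATEWAY          FLAGS  INTERFACE  METRIC  DISTANCE
--------------------------------------------------------------------------------
192.168.0.0/24     direct           C      me1        0       0
172.18.0.0/24      direct           C      vlan1      0       0
10.2.0.0/24        172.18.0.1       S      vlan1      0       1
10.3.0.0/24        172.19.0.1       S      vlan1      0       1
default            192.168.13.2     S      vlan192    0       1
192.168.13.0/24    0.0.0.0          C      vlan192    0       0
--------------------------------------------------------------------------------
Flags: C - Connected G - Gateway O - OSPF B - BGP S - Static
"""


class Route(NamedTuple):
    destination: str                           # "default" or a prefix
    gateway: Optional[ipaddress.IPv4Address]   # None for connected routes
    flags: str
    interface: str
    metric: int
    distance: int

    def flag_names(self) -> List[str]:
        """Expand the flag letters ("CG" -> Connected, Gateway)."""
        return [FLAG_NAMES.get(f, "?") for f in self.flags]


def parse_route_table(text: str) -> List[Route]:
    """Parse the body rows; the header, rule lines and the Flags legend are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] == "DESTINATION":
            continue
        dest, gw, flags, intf, metric, distance = parts
        if not (metric.isdigit() and distance.isdigit()):
            continue
        # The guide shows connected routes with gateway "direct" or "0.0.0.0".
        gateway = None if gw in ("direct", "0.0.0.0") else ipaddress.IPv4Address(gw)
        routes.append(Route(dest, gateway, flags, intf, int(metric), int(distance)))
    return routes


def unreachable_next_hops(routes: List[Route]) -> List[Route]:
    """Return routes whose gateway lies in no connected network on their interface."""
    connected: Dict[str, List[ipaddress.IPv4Network]] = {}
    for r in routes:
        if "C" in r.flags and r.gateway is None and r.destination != "default":
            connected.setdefault(r.interface, []).append(ipaddress.IPv4Network(r.destination))
    bad = []
    for r in routes:
        if r.gateway is None:
            continue
        if not any(r.gateway in net for net in connected.get(r.interface, [])):
            bad.append(r)
    return bad


if __name__ == "__main__":
    table = parse_route_table(SAMPLE_TABLE)
    for r in unreachable_next_hops(table):
        print(f"{r.destination} via {r.gateway} on {r.interface} "
              f"({', '.join(r.flag_names())}): next-hop not in a connected network")
```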
6.1.34 ip-access-list show commands
Displays IP access list statistics
NOTE: This command is not available in the USER EXEC Mode.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail|on}
show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}
Parameters
show ip-access-list stats {<IP-ACCESS-LIST-NAME>|detail <IP-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}
ip-access-list stats      Displays IP access list statistics
<IP-ACCESS-LIST-NAME>     Optional. Displays statistics for a specified IP access list. Specify the IP access list name.
detail <IP-ACCESS-LIST-NAME>   Optional. Displays detailed statistics for a specified IP access list. Specify the IP access list name.
The following keyword is recursive and common to the IP-ACCESS-LIST-NAME and detail parameters:
on <DEVICE-NAME>          Optional. Displays all or a specified IP access list statistics on a specified device.
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D(config)#show ip-access-list stats
IP Access-list: # Restrict Management ACL #
  permit tcp any any eq ftp rule-precedence 1 Hitcount: 0
  permit tcp any any eq www rule-precedence 2 Hitcount: 4
  permit tcp any any eq ssh rule-precedence 3 Hitcount: 448
  permit tcp any any eq https rule-precedence 4 Hitcount: 0
  permit udp any any eq snmp rule-precedence 5 Hitcount: 0
  permit tcp any any eq telnet rule-precedence 6 Hitcount: 4
rfs6000-81742D(config)#
The following example displays the auto-tunnel-acl IP ACL configuration:
rfs4000-229D58(config)#ip access-list auto-tunnel-acl
rfs4000-229D58(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
 permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
 permit ip host 200.200.200.99 any rule-precedence 3
rfs4000-229D58(config-ip-acl-auto-tunnel-acl)#
The following example displays the statistics for the auto-tunnel-acl ACL:
rfs4000-229D58#show ip-access-list stats
IP Access-list: auto-tunnel-acl
  permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2 Hitcount: 0
  permit ip host 200.200.200.99 any rule-precedence 3 Hitcount: 0
rfs4000-229D58#
nx9500-6C8809#show ip-access-list stats scaleacl | i 125
  permit ip host 125.1.1.1 any rule-precedence 125 Hitcount: 893 Hardware Hitcount: 3120
  permit ip host 125.2.1.1 any rule-precedence 346 Hitcount: 0 Hardware Hitcount: 0
nx9500-6C8809#
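The parser below is an added example, not code from the CLI Reference Guide or from WiNG. It reads show ip-access-list stats output in the two forms shown above (the plain Hitcount form and the form with a Hardware Hitcount on the NX9500) and reports which permit rules for unencrypted management services are actually accumulating hits, which is the question the hit counters in the Restrict Management ACL example answer. The sample output is constructed in the shape of the guide's examples, not captured from a device.

```python
"""Audit WiNG 'show ip-access-list stats' output for cleartext management permits in use."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the shape of the guide's examples (not captured from a device).
SAMPLE_OUTPUT = """\
IP Access-list: # Restrict Management ACL #
  permit tcp any any eq ftp rule-precedence 1 Hitcount: 0
  permit tcp any any eq www rule-precedence 2 Hitcount: 4
  permit tcp any any eq ssh rule-precedence 3 Hitcount: 448
  permit tcp any any eq https rule-precedence 4 Hitcount: 0
  permit udp any any eq snmp rule-precedence 5 Hitcount: 0
  permit tcp any any eq telnet rule-precedence 6 Hitcount: 4
IP Access-list: scaleacl
  permit ip host 125.1.1.1 any rule-precedence 125 Hitcount: 893 Hardware Hitcount: 3120
  deny ip host 125.2.1.1 any rule-precedence 346 Hitcount: 0 Hardware Hitcount: 0
"""

# Services that carry credentials or configuration unencrypted (snmp here means v1/v2c).
CLEARTEXT_SERVICES = {"ftp", "www", "telnet", "snmp"}

ACL_RE = re.compile(r"^IP Access-list:\s+(?P<name>.+?)\s*$")
# One rule line: '<action> <match> rule-precedence <n> Hitcount: <n> [Hardware Hitcount: <n>]'
RULE_RE = re.compile(
    r"^\s*(?P<action>permit|deny)\s+(?P<match>.+?)\s+rule-precedence\s+(?P<prec>\d+)"
    r"\s+Hitcount:\s+(?P<hits>\d+)(?:\s+Hardware Hitcount:\s+(?P<hw>\d+))?\s*$"
)


@dataclass
class Rule:
    action: str
    match: str                # e.g. "tcp any any eq ssh"
    precedence: int
    hits: int                 # software hit counter
    hw_hits: Optional[int]    # hardware counter, only on platforms that report one

    @property
    def service(self) -> Optional[str]:
        """The service name after 'eq', if the rule matches a single port."""
        m = re.search(r"\beq\s+(\S+)", self.match)
        return m.group(1) if m else None

    @property
    def total_hits(self) -> int:
        return self.hits + (self.hw_hits or 0)


@dataclass
class Acl:
    name: str
    rules: List[Rule] = field(default_factory=list)


def parse_acl_stats(text: str) -> List[Acl]:
    """Parse the command output into ACLs; prompts and unrelated lines are skipped."""
    acls: List[Acl] = []
    for line in text.splitlines():
        m = ACL_RE.match(line)
        if m:
            acls.append(Acl(m.group("name")))
            continue
        m = RULE_RE.match(line)
        if m and acls:
            hw = m.group("hw")
            acls[-1].rules.append(Rule(
                action=m.group("action"), match=m.group("match"),
                precedence=int(m.group("prec")), hits=int(m.group("hits")),
                hw_hits=int(hw) if hw is not None else None,
            ))
    return acls


def cleartext_permits_in_use(acls: List[Acl]) -> List[Tuple[str, str, int]]:
    """(acl name, service, hits) for every permit of a cleartext service with hits > 0."""
    found = []
    for acl in acls:
        for r in acl.rules:
            if r.action == "permit" and r.service in CLEARTEXT_SERVICES and r.total_hits > 0:
                found.append((acl.name, r.service, r.total_hits))
    return found


if __name__ == "__main__":
    for acl_name, svc, hits in cleartext_permits_in_use(parse_acl_stats(SAMPLE_OUTPUT)):
        print(f"{acl_name}: {svc} permitted and used ({hits} hits)")
```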
6.1.35 ipv6 show commands
Displays IPv6 related information
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show ipv6 [default-gateways|delegated-prefix|dhcp|hop-limit|interface|mld|name-server|neighbors|route]
show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server] {on <DEVICE-
NAME>}
show ipv6 dhcp [client received-options|relay status|status] {on <DEVICE-NAME>}
show ipv6 interface {<IF-NAME>|brief} {(on <DEVICE-NAME>)}
show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-4095>]
{on <DEVICE-NAME>}
show ipv6 neighbors <VLAN-NAME> {(on <DEVICE-NAME>)}
show ipv6 route {<IF-NAME>|ge <1-X>|me1|port-channel <1-2>|pppoe1|serial <1-4>|t1e1 <1-4> <1-1>|up|vlan <1-4095>|wwan1|xge} {(on <DEVICE-NAME>)}
Parameters
show ipv6 [default-gateways|delegated-prefix|hop-limit|name-server] {on <DEVICE-NAME>}
ipv6                      Displays IPv6 related information
default-gateways          Displays all learnt default gateways
delegated-prefix          Displays prefix delegation information
hop-limit                 Displays the configured IPv6 hop count value
name-server               Displays DNS name servers
on <DEVICE-NAME>          This parameter is common to all of the above keywords. Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ipv6 dhcp [client received-options|relay status|status] {on <DEVICE-NAME>}
ipv6                      Displays IPv6 related information
dhcp                      Displays DHCPv6 related information
client received-options   Displays DHCP options received from clients
relay status              Displays the DHCPv6 relay agent's running status
status                    Displays the DHCPv6 stateless server daemon's status. If the DHCPv6 server is up and running, it also displays interface names.
on <DEVICE-NAME>          This parameter is common to all of the above keywords. Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ipv6 interface {<IF-NAME>|brief} {(on <DEVICE-NAME>)}
ipv6                      Displays IPv6 related information
interface {<IF-NAME>|brief}   Displays IPv6 status and configuration on a specified interface
<IF-NAME>                 Optional. Specify the interface name.
brief                     Optional. Displays a brief summary of IPv6 status and configuration on the specified interface
on <DEVICE-NAME>          This parameter is common to all of the above keywords. Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ipv6 mld snooping [mrouter vlan <1-4095>|querier vlan <1-4095>|vlan <1-4095>] {on <DEVICE-NAME>}
ipv6                      Displays IPv6 related information
mld snooping              Displays Multicast Listener Discovery Protocol (MLD) snooping related information
mrouter vlan <1-4095>     Displays IPv6 multicast router information on the specified VLAN
querier vlan <1-4095>     Displays IPv6 multicast querier information on the specified VLAN
vlan <1-4095>             Displays MLD snooping related information on the specified VLAN
on <DEVICE-NAME>          This parameter is common to all of the above keywords. Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ipv6 neighbors <VLAN-NAME> {(on <DEVICE-NAME>)}
ipv6                      Displays IPv6 related information
neighbors <VLAN-NAME>     Displays IPv6 neighbors on the specified VLAN
on <DEVICE-NAME>          Optional. Displays IPv6 neighbors on a specified device (access point, wireless controller, or service platform)
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
show ipv6 route {<IF-NAME>|ge <1-X>|me1|port-channel <1-2>|pppoe1|serial <1-4>|t1e1 <1-4> <1-1>|up|vlan <1-4095>|wwan1|xge} {(on <DEVICE-NAME>)}
ipv6                      Displays IPv6 related information
route                     Displays IPv6 route table
<IF-NAME>                 Optional. Displays IPv6 route table for the interface identified by the <IF-NAME> keyword
ge <1-X>                  Optional. Displays IPv6 route table for the selected GigabitEthernet interface
me1                       Optional. Displays IPv6 route table for the FastEthernet interface
port-channel <1-2>        Optional. Displays IPv6 route table for the selected port-channel interface
pppoe1                    Optional. Displays IPv6 route table for the PPP over Ethernet interface
vlan <1-4095>             Optional. Displays IPv6 route table for the selected VLAN interface
up                        Optional. Displays IPv6 route table for the WAN Ethernet interface
wwan1                     Optional. Displays IPv6 route table for the wireless WAN interface
xge <1-4>                 Optional. Displays IPv6 route table for the selected TenGigabitEthernet interface. Applicable only for the NX9500 and NX9510 service platforms.
on <DEVICE-NAME>          This parameter is common to all of the above keywords. Optional. Displays the specified information on a device (access point, wireless controller, or service platform)
                          <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D(config)#show ipv6 dhcp client received-options
DHCPv6 Client received options:
Interface:
None Server Identifier:
None Client Identifier:
None DNS Servers:
None Domain Name:
None Sip Servers:
None Sip Domain Name:
None Refresh Time:
None Server Preference:
None Vendor Options:
None rfs6000-81742D(config)#
rfs4000-229D58(config)#show ipv6 route
--------------------------------------------------------------------------------
DESTINATION        GATEWAY        FLAGS    INTERFACE
--------------------------------------------------------------------------------
2000:abcd::/64     fe80::300:1    S        vlan300
default            fe80::11:1     R        vlan11
4444:1111::/64     direct         C        vlan1
--------------------------------------------------------------------------------
Flags: C - Connected G - Gateway S - Static R - IPv6-RA
rfs4000-229D58(config)#
rfs4000-229D58#show ipv6 default-gateways
--------------------------------------------------------------------------------
Source: IPv6-RA Gateway-address : fe80::100:1 Preference: medium Status : not-monitored Insatlled : NO Interface : vlan100 Remaining Lifetime: 1471 sec
--------------------------------------------------------------------------------
Source: IPv6-RA Gateway-address : fe80::1:2 Preference: low Status : not-monitored Insatlled : NO Interface : vlan1 Remaining Lifetime: 1488 sec
--------------------------------------------------------------------------------
Source: Static-Route Gateway-address : fe80::2000:1 Preference: NA Status : unreachable Insatlled : NO Interface : vlan2000 Remaining Lifetime: forever
--------------------------------------------------------------------------------
Source: IPv6-RA Gateway-address : fe80::11:1 Preference: high Status : reachable Insatlled : YES Interface : vlan11 Remaining Lifetime: 1471 sec
--------------------------------------------------------------------------------
rfs4000-229D58#
6.1.36 ipv6-access-list show commands
Displays IPv6 access list statistics
NOTE: This command is not available in the USER EXEC Mode.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}
Parameters
show ipv6-access-list stats <IPv6-ACCESS-LIST-NAME> {(on <DEVICE-NAME>)}
  ipv6-access-list stats      Displays IPv6 access list statistics
  <IPv6-ACCESS-LIST-NAME>     Optional. Displays statistics for a specified IPv6 access list. Specify the IPv6 access list name. If the IPv6 ACL name is not provided, the system displays statistics for all ACLs configured and applied.
  on <DEVICE-NAME>            Optional. Displays all or a specified IPv6 access list statistics on a specified device
                              <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D#show ipv6-access-list stats
IPV6 Access-list: test
  deny ipv6 any any rule-precedence 20   Hitcount: 4
rfs6000-81742D#
6.1.37 l2tpv3 show commands
Displays Layer 2 Tunnel Protocol Version 3 (L2TPV3) session information
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
NOTE: This command is not available in the USER EXEC mode.
Syntax
l2tpv3 {on|tunnel|tunnel-summary}
l2tpv3 {on <DEVICE-NAME>}
l2tpv3 {tunnel <L2TPV3-TUNNEL-NAME>} {session <L2TPV3-SESSION-NAME>} {(on <DEVICE-NAME>)}
l2tpv3 {tunnel-summary} {down|on|up}
l2tpv3 {tunnel-summary} {on <DEVICE-NAME>}
l2tpv3 {tunnel-summary} {down|up} {on <DEVICE-NAME>}
Parameters
l2tpv3 {on <DEVICE-NAME>}
  l2tpv3                Displays L2TPv3 tunnel and session details or summary
  on <DEVICE-NAME>      Optional. Displays L2TPv3 information on a specified access point or wireless controller
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

l2tpv3 {tunnel <L2TPV3-TUNNEL-NAME>} {session <L2TPV3-SESSION-NAME>} {(on <DEVICE-NAME>)}
  l2tpv3                          Displays L2TPv3 tunnel and session details or summary
  tunnel <L2TPV3-TUNNEL-NAME>     Optional. Displays information on a specified L2TPv3 tunnel
                                  <L2TPV3-TUNNEL-NAME> Specify the L2TPv3 tunnel name.
  session <L2TPV3-SESSION-NAME>   Optional. Displays information on a specified L2TPv3 tunnel session
                                  <L2TPV3-SESSION-NAME> Specify the session name.
                                  The following keyword is recursive and common to the session <L2TPV3-SESSION-NAME> parameter:
  on <DEVICE-NAME>                Optional. Displays L2TPv3 tunnel and session details, based on the parameters passed, on a specified device.
                                  <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

l2tpv3 {tunnel-summary} {on <DEVICE-NAME>}
  l2tpv3                Displays L2TPv3 tunnel and session details or summary. For an L2TPv3 tunnel over Auto IPSec, the tunnel status is displayed as: Established (secured by ipsec)
  tunnel-summary        Optional. Displays L2TPv3 tunnel summary
  on <DEVICE-NAME>      Optional. Displays L2TPv3 tunnel summary on a specified device
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

l2tpv3 {tunnel-summary} {down|up} {on <DEVICE-NAME>}
  l2tpv3                Displays L2TPv3 tunnel and session details or summary
  tunnel-summary        Optional. Displays L2TPv3 tunnel summary, based on the parameters passed
  down                  Optional. Displays a summary of un-established tunnels
  up                    Optional. Displays a summary of established tunnels
                        The following keyword is common to the down and up parameters:
  on <DEVICE-NAME>      Optional. Displays the summary, for un-established or established tunnels, on a specified device
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
ap7131-11E6C4#show l2tpv3 tunnel-summary
---------------------------------------------------------------------------------------
Sl No  Tunnel Name   Tunnel State                     Estd/Total Sessions  Encapsulation Protocol
---------------------------------------------------------------------------------------
1      testTunnel    Established (secured by ipsec)   1/1                  IP
Total Number of Tunnels 1
ap7131-11E6C4#

ap7131-11E6C4#show l2tpv3
-------------------------------------------------------------------------------
Tunnel Name : testTunnel
Control connection id : 2238970979
Peer Address : 30.1.1.1
Local Address : 30.1.1.30
Encapsulation Protocol : IP
MTU : 1460
Peer Host Name : rfss
Peer Vendor Name : Example Company
Peer Control Connection ID : 322606389
Tunnel State : Established (secured by ipsec)
Establishment Criteria : always
Sequence number of the next msg to the peer : 29
Expected sequence number of the next msg from the peer :42
Sequence number of the next msg expected by the peer : 29
Retransmission count : 0
Reconnection count : 0
Uptime : 0 days 1 hours 2 minutes 47 seconds
-------------------------------------------------------------------------------
Session Name : session1
VLANs : 30
Pseudo Wire Type : Ethernet_VLAN
Serial number for the session : 6
Local Session ID : 129538998
Remote Session ID : 8151374
Size of local cookie (0, 4 or 8 bytes) : 0
First word of local cookie : 0
Second word of local cookie : 0
Size of remote cookie (0, 4 or 8 bytes) : 0
First word of remote cookie : 0
Second word of remote cookie : 0
Session state : Established
Remote End ID : 444
Trunk Session : 1
Native VLAN tagged : Enabled
Native VLAN ID : 0
Number of packets received : 0
Number of bytes received : 0
Number of packets sent : 0
Number of bytes sent : 0
Number of packets dropped : 0
ap7131-11E6C4#
6.1.38 lacp show commands
Displays Link Aggregation Control Protocol (LACP) related information
NOTE: For more information on enabling dynamic LACP, see lacp, lacp-channel-group, and lacp.
Supported in the following platforms:
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show lacp [<1-4>|counters|details|sys-id]
show lacp <1-4> ([counters|details])
show lacp sys-id
Parameters
show lacp <1-4> ([counters|details])
  show lacp <1-4>   Shows the LACP related information for a specified port-channel or for all port-channels using LACP
                    <1-4> Select the port-channel index number from 1 - 4. Note, LACP is supported only on the NX5500, NX7500, and NX9500 model service platforms. However, the NX9500 series service platforms support only two (2) port-channels, whereas the other model service platforms support four (4) port-channels. If the port-channel index number is not specified, the system displays LACP counters and details for all port-channels configured on the device.
  counters          Shows LACP counters for LACP-enabled port-channels. When passed without the <1-4> keyword, the system displays LACP counters for all configured port-channels. However, if the port-channel index number is specified, the system displays LACP counters only for the specified port-channel.
  details           Shows details for LACP-enabled port-channels. When passed without the <1-4> keyword, the system displays LACP details for all configured port-channels. However, if the port-channel index number is specified, the system displays LACP details only for the specified port-channel.

show lacp sys-id
  show lacp         Shows the LACP related information for all LACP-enabled port-channels
  sys-id            Shows the LACP system identifier and priority. This is the identifier assigned to the LACP peers (devices).
Example
NOC-controller#show interface port-channel 1
Interface port-channel1 is UP
Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C8
Index: 2018, Metric: 1, MTU: 1500
Speed: Admin Auto, Operational 20G, Maximum 20G
Duplex: Admin Auto, Operational Full
Active-medium: n/a
Channel-members: xge1 xge2
Switchport settings: trunk, access-vlan: n/a
Input packets 5121052, bytes 807510883, dropped 0
Received 5121052 unicasts, 0 broadcasts, 516544 multicasts
Input errors 0, runts 0, giants 0
CRC 0, frame 0, fragment 0, jabber 0
Output packets 4804420, bytes 1053174746, dropped 0
Sent 4804420 unicasts, 0 broadcasts, 0 multicasts
Output errors 0, collisions 0, late collisions 0
Excessive collisions 0
NOC-controller#

NOC-controller#show interface port-channel 4
Interface port-channel4 is UP
Hardware-type: aggregate, Mode: Layer 2, Address: 84-24-8D-7F-35-C4
Index: 2016, Metric: 1, MTU: 1500
Speed: Admin Auto, Operational 4G, Maximum 4G
Duplex: Admin Auto, Operational Full
Active-medium: n/a
Channel-members: ge2 ge3 ge4 ge5
Switchport settings: trunk, access-vlan: n/a
Input packets 5848499493, bytes 8772550780653, dropped 0
Received 5848499493 unicasts, 0 broadcasts, 120167 multicasts
Input errors 0, runts 0, giants 0
CRC 0, frame 0, fragment 0, jabber 0
Output packets 362245, bytes 33129264, dropped 0
Sent 362245 unicasts, 0 broadcasts, 0 multicasts
Output errors 0, collisions 0, late collisions 0
Excessive collisions 0
NOC-controller#

NOC-controller#show lacp counters
Port-Channel  Interface  LACPDU          Marker        Packet error
                         Sent    Recv    Sent   Recv   Sent   Recv
pc1           xge1       11548   12479   0      0      0      0
pc1           xge2       11550   12469   0      0      0      0
pc4           ge2        14081   14041   0      0      0      0
pc4           ge3        15877   15874   0      0      0      0
pc4           ge4        15875   15874   0      0      0      0
pc4           ge5        14064   14052   0      0      0      0
NOC-controller#

NOC-controller#show lacp details
Port-Channel pc1 Interface xge1:
Actor admin port key : 1
Actor oper port key : 1
Actor port priority : 32768
Actor port number : 2011
Actor admin port state : ActiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted
Actor oper port state : ActiveLACP LongTimeout Aggregatable IN_SYNC Collecting Distributing
Partner admin system ID : 32768, 00-00-00-00-00-00
Partner oper system ID : 32768, 44-03-A7-BF-00-00
Partner admin key : 0
Partner oper key : 1
Partner admin port priority : 0
Partner oper port priority : 32768
Partner admin port number : 0
Partner oper port number : 286
Partner admin port state : PassiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted
Partner oper port state : ActiveLACP LongTimeout Aggregatable IN_SYNC Collecting Distributing
Receive machine state : Current
Periodic transmission machine state : Slow periodic
Mux machine state : Collecting/Distributing
Port-Channel pc1 Interface xge2:
Actor admin port key : 1
Actor oper port key : 1
Actor port priority : 32768
Actor port number : 2012
Actor admin port state : ActiveLACP LongTimeout Aggregatable OUT_OF_SYNC Defaulted
--More--
NOC-controller#
6.1.39 ldap-agent show commands
Displays an LDAP agent's join status (join status to an LDAP server domain)
Use this command when LDAP is specified as the external resource (as opposed to local RADIUS resources) used to validate PEAP-MS-CHAP v2 authentication requests. In that case, user credentials and password information need to be made available locally to successfully connect to the external LDAP server. Up to two LDAP agents (primary and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2 authentication requests.
NOTE: This command is not available in the USER EXEC Mode.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show ldap-agent join-status {on <DEVICE-NAME>}
Parameters
show ldap-agent join-status {on <DEVICE-NAME>}
  ldap-agent            Displays LDAP agent related configuration
  join-status           Displays whether the LDAP agent has successfully joined an LDAP server's domain
  on <DEVICE-NAME>      Optional. Displays whether the LDAP agent has successfully joined a specified LDAP server's domain.
                        <DEVICE-NAME> Specify the name of the device running the LDAP server (access point, wireless controller, or service platform).
Example
rfs6000-81701D#show ldap-agent join-status
Primary LDAP Server's agent join-status : Joined domain TEST.
Secondary LDAP Server's agent join-status : Not Configured
rfs6000-81701D#
6.1.40 licenses show commands
Displays installed licenses and usage information
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show licenses {borrowed|lent}
Parameters
show licenses {borrowed|lent}
  licenses              Displays installed licenses and usage information
  borrowed              Optional. Displays information on licenses borrowed
  lent                  Optional. Displays information on licenses lent
Usage Guidelines
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC and the site controllers constitute the first and second tiers of the hierarchy respectively. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy. The site controllers may or may not be grouped to form clusters. At the time of adoption, access points and adaptive access points are provided a license by the adopting controller. These license packs can be installed on both the NOC and site controllers. When an AP/AAP is adopted by a controller, the controller pushes a license on to the device. At this point the various possible scenarios are:
- AP/AAP license packs installed on the NOC controller only. The NOC controller provides the site controllers with the AP licenses, ensuring that per platform limits are not exceeded.
- AP/AAP license packs installed on the NOC and site controllers. The site controller uses its installed licenses and, in case of a shortage, the site controller borrows additional licenses from the NOC. If the NOC controller is unable to allocate sufficient licenses, the site controller unadopts some of the AP/AAPs.
- AP/AAP license packs installed on one controller within a cluster. The site controller shares its installed and borrowed licenses with other cluster controllers.
Example
rfs4000-229D58#show licenses
Serial Number : 9184521800027
Device Licenses:
  AP-LICENSE
    String   : DEFAULT-6AP-LICENSE
    Value    : 6
    Borrowed : 0
    Total    : 6
    Used     : 0
  AAP-LICENSE
    String   :
    Value    : 0
    Borrowed : 0
    Total    : 0
    Used     : 0
  ADVANCED-SECURITY
    String   : DEFAULT-ADV-SEC-LICENSE
rfs4000-229D58#
The following example shows the show > licenses command output on a NOC controller:
nx9500-6C8809#show licenses
Serial Number : B4C7996C8809
Device Licenses:
  AP-LICENSE
    String : 
    Value  : 0
    Lent   : 0
    Total  : 0
    Used   : 0
  AAP-LICENSE
    String : 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
    Value  : 10250
    Lent   : 0
    Total  : 10250
    Used   : 7
  HOTSPOT-ANALYTICS
    String : 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
Total Licenses Including Licenses in Adopted Controllers:
  AP-LICENSE
    Value : 14
    Used  : 1
  AAP-LICENSE
    Value : 10250
    Used  : 7
nx9500-6C8809#
In the following example, the VALIDITY(HRS) column specifies the validity period, in days and hours, of a lent license. On a NOC controller, a VALIDITY(HRS) value of current implies that the site controller is currently adopted. A numerical VALIDITY(HRS) value, on the other hand, indicates the days and hours the lent license remains valid for a site controller that is not reachable.
nx9500-6C8809#show licenses lent
------------------------------------------------------------------------------------------------------------
MAC                HOST-NAME       TYPE  LENT  BORROWER-MAC       BORROWER-HOST-NAME  VALIDITY
------------------------------------------------------------------------------------------------------------
B4-C7-99-6C-88-09  nx9500-6C8809   AAP   5     00-15-70-81-74-2D  rfs6000-81742D      current
B4-C7-99-6C-88-09  nx9500-6C8809   AAP   9     B4-C7-99-6D-CD-4B  rfs7000-6DCD4B      97 days, 21 hours
------------------------------------------------------------------------------------------------------------
nx9500-6C8809#
rfs4000-881E4B#show licenses borrowed
-----------------------------------------------------------------------------
MAC                HOST-NAME       TYPE  BORROWED  VALIDITY
-----------------------------------------------------------------------------
00-15-70-37-FD-89  rfs7000-37FD89  AAP   2         99 days, 23 hours
00-15-70-81-70-1D  rfs6000-81701D  AP    1         99 days, 23 hours
-----------------------------------------------------------------------------
rfs4000-881E4B#
The following examples show the show > licenses output on the devices participating in the process:
nx9500-6C8809>show licenses lent
------------------------------------------------------------------------------------------------------------
MAC                HOST-NAME       TYPE  LENT  BORROWER-MAC       BORROWER-HOST-NAME  VALIDITY
------------------------------------------------------------------------------------------------------------
B4-C7-99-6C-88-09  nx9500-6C8809   AAP   1     00-15-70-81-74-2D  rfs6000-81742D      current
B4-C7-99-6C-88-09  nx9500-6C8809   AAP   9     B4-C7-99-6D-CD-4B  rfs7000-6DCD4B      99 days, 23 hours
------------------------------------------------------------------------------------------------------------
nx9500-6C8809>

rfs6000-81742D(config)#show licenses borrowed
-----------------------------------------------------------------------------
MAC                HOST-NAME       TYPE  BORROWED  VALIDITY
-----------------------------------------------------------------------------
B4-C7-99-6C-88-09  nx9500-6C8809   AAP   1         current
-----------------------------------------------------------------------------
rfs6000-81742D(config)#
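The three adoption scenarios in the usage guidelines above (installed packs used first, the shortfall borrowed from the NOC, unadoption when the NOC cannot cover it, and pooled licenses within a cluster) are easier to reason about as a small model. The following is an added illustration, not WiNG code; the integer license counts, the single license type, the hypothetical controller names, and the `platform_limit` field standing in for the "per platform limits" the NOC respects are all assumptions of the example rather than values from this guide.

```python
"""Added illustration (not WiNG code): a model of the NOC / site-controller
license borrowing scenarios described in the `show licenses` usage guidelines.

Assumed, not stated on the page: licenses are plain integer counts of one
type, each adopted AP/AAP consumes exactly one, and `platform_limit` stands
in for the per-platform adoption limit the NOC must not let a site exceed."""

from dataclasses import dataclass, field


@dataclass
class SiteController:
    name: str
    installed: int            # licenses from packs installed on this controller
    platform_limit: int       # assumed per-platform adoption ceiling
    borrowed: int = 0         # licenses currently lent to it by the NOC
    adopted: int = 0          # APs/AAPs currently adopted

    @property
    def total(self) -> int:
        """Licenses usable right now, never above the platform limit."""
        return min(self.installed + self.borrowed, self.platform_limit)

    @property
    def borrow_headroom(self) -> int:
        """How many more licenses lending could add before the limit bites."""
        return max(0, self.platform_limit - self.installed - self.borrowed)


@dataclass
class NocController:
    name: str
    installed: int
    lent: dict = field(default_factory=dict)   # borrower name -> licenses lent

    @property
    def free(self) -> int:
        return self.installed - sum(self.lent.values())

    def lend(self, site: SiteController, wanted: int) -> int:
        """Lend up to `wanted`, bounded by the NOC's free pool and the site's limit."""
        granted = min(wanted, self.free, site.borrow_headroom)
        if granted > 0:
            self.lent[site.name] = self.lent.get(site.name, 0) + granted
            site.borrowed += granted
        return granted


def adopt(site: SiteController, noc: NocController, count: int) -> dict:
    """Site controller adopts `count` devices: installed licenses first, then a
    loan from the NOC for the shortfall; whatever stays unlicensed is unadopted."""
    shortfall = max(0, site.adopted + count - site.total)
    borrowed_now = noc.lend(site, shortfall) if shortfall else 0
    licensed = min(count, site.total - site.adopted)
    site.adopted += licensed
    return {"adopted": licensed, "borrowed": borrowed_now, "unadopted": count - licensed}


def cluster_free(members) -> int:
    """Within a cluster, installed and borrowed licenses are shared, so the
    free count is pooled across the member controllers."""
    return sum(m.total - m.adopted for m in members)


def lent_report(noc: NocController) -> list:
    """Rows in the spirit of `show licenses lent`: (lender, borrower, count)."""
    return [(noc.name, borrower, n) for borrower, n in sorted(noc.lent.items())]


if __name__ == "__main__":
    # Constructed values, not taken from the guide's example output.
    noc = NocController("noc-example", installed=10)
    site = SiteController("site-example", installed=6, platform_limit=12)
    print(adopt(site, noc, 9))     # {'adopted': 9, 'borrowed': 3, 'unadopted': 0}
    print(adopt(site, noc, 10))    # {'adopted': 3, 'borrowed': 3, 'unadopted': 7}
    print(lent_report(noc))        # [('noc-example', 'site-example', 6)]
```

The second `adopt` call shows the unadoption case: the site has nine devices on nine licenses, asks for ten more, and can only borrow three before hitting its assumed platform limit, so seven devices stay unadopted even though the NOC still has licenses free. The `lent_report` rows are the quantities the `show licenses lent` output above reports per borrower.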
6.1.41 lldp show commands
Displays Link Layer Discovery Protocol (LLDP) information
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show lldp [neighbors|report]
show lldp neighbors {on <DEVICE-NAME>}
show lldp report {detail|on}
show lldp report {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}
Parameters
show lldp neighbors {on <DEVICE-NAME>}
  lldp                  Displays an LLDP neighbors table or aggregated LLDP neighbors table
  neighbors             Displays an LLDP neighbors table
  on <DEVICE-NAME>      Optional. Displays an LLDP neighbors table on a specified device
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show lldp report {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}
  lldp                          Displays an LLDP neighbors table or aggregated LLDP neighbors table
  report                        Displays an aggregated LLDP neighbors table
  detail                        Optional. Displays a detailed aggregated LLDP neighbors table
                                Note: If the on keyword is used without the detail keyword, the system displays an LLDP neighbors table summary on the specified device or RF Domain.
                                The following keyword is recursive and common to the report detail parameter:
  on <DEVICE-OR-DOMAIN-NAME>    Displays an aggregated LLDP neighbors table on a specified device or RF Domain
                                <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.
Example
nx9500-6C8809#show lldp neighbors
-------------------------
Chassis ID: 00-18-71-D0-0B-00
System Name: TechPubs-ProCurve-Switch
Platform: ProCurve J8697A Switch 5406zl, revision K.12.1X, ROM K.11.03 (/sw/code/build/btm(sw_esp1))
Capabilities: Bridge Router
Enabled Capabilities: Bridge
Local Interface: ge1, Port ID(Port Description) (outgoing port): 5(A5)
TTL: 113 sec
Management Addresses: 192.168.13.40
nx9500-6C8809#
6.1.42 logging show commands
Displays the network's activity log
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show logging {on <DEVICE-NAME>}
Parameters
show logging {on <DEVICE-NAME>}
  logging               Displays logging information on a specified device
  on <DEVICE-NAME>      Optional. Executes the command on a specified device.
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
nx9500-6C8809#show logging
Logging module: enabled
Aggregation time: disabled
Console logging: level debugging
Monitor logging: disabled
Buffered logging: level warnings
Syslog logging: level warnings
Facility: local7
Log Buffer (1666269 bytes):
May 14 05:30:23 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:30:13 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-6DB5D4:ge1
May 14 05:20:16 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:19:43 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-380649:ge1
--More--
nx9500-6C8809#
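The log buffer lines above follow a fixed shape (timestamp, reporting host, then a %FACILITY-SEVERITY-MNEMONIC tag and free text), which makes them easy to feed into monitoring. The following parser is an added example, not part of the WiNG guide or product: the four sample lines are copied from the example output above, while the regular expressions, the `LogEvent` record and the two summary checks (repeat counts per tag, and the switchports an offline device was last seen on) are this example's own reading of that format.

```python
"""Added example (not WiNG code): parse the log-buffer lines printed by
`show logging` and run two simple checks over them. The sample lines are the
page's own example output; the line patterns are this example's assumption
about the format, derived from those lines."""

import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple

# Copied from the guide's `show logging` example (pager residue such as
# "--More--" and the prompt are deliberately included to show they are skipped).
SAMPLE_LOG = """\
May 14 05:30:23 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:30:13 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-6DB5D4:ge1
May 14 05:20:16 2015: nx9500-6C8809 : %DIAG-4-PWRSPLY_FAIL: Power supply failure, no longer redundant
May 14 05:19:43 2015: nx9500-6C8809 : %DEVICE-4-OFFLINE: Device B4-C7-99-74-B4-5C(ap8132-74B45C) is offline, last seen:10 minutes ago on switchport rfs6000-380649:ge1
--More--
nx9500-6C8809#
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<host>\S+) : "
    r"%(?P<facility>[A-Z0-9]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z0-9_]+): "
    r"(?P<message>.*)$"
)

# Free-text layout of the DEVICE-4-OFFLINE message, as seen in the sample.
OFFLINE_RE = re.compile(
    r"Device (?P<mac>(?:[0-9A-F]{2}-){5}[0-9A-F]{2})\((?P<name>[^)]+)\) is offline, "
    r"last seen:(?P<seen>.+?) on switchport (?P<port>\S+)$"
)


class LogEvent(NamedTuple):
    when: datetime
    host: str
    facility: str
    severity: int
    mnemonic: str
    message: str


def parse_log(text: str) -> list:
    """Turn log-buffer text into LogEvent records, skipping non-log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S %Y")
        events.append(LogEvent(ts, m["host"], m["facility"], int(m["severity"]),
                               m["mnemonic"], m["message"]))
    return events


def count_tags(events) -> Counter:
    """Occurrences of each FACILITY-SEVERITY-MNEMONIC tag."""
    return Counter(f"{e.facility}-{e.severity}-{e.mnemonic}" for e in events)


def offline_ports(events) -> dict:
    """Map each offline device MAC to the distinct switchports it was last seen on."""
    ports = defaultdict(list)
    for e in events:
        if e.mnemonic != "OFFLINE":
            continue
        m = OFFLINE_RE.match(e.message)
        if m and m["port"] not in ports[m["mac"]]:
            ports[m["mac"]].append(m["port"])
    return dict(ports)


def repeated_warnings(events, threshold: int = 2) -> list:
    """Tags of severity 4 or more urgent that recur at least `threshold` times."""
    return sorted(tag for tag, n in count_tags(events).items()
                  if n >= threshold and int(tag.split("-")[1]) <= 4)
```

On the sample, `offline_ports` surfaces that the same AP (B4-C7-99-74-B4-5C) was reported last seen on two different switchports within ten minutes, which is the kind of detail worth a second look when triaging device-offline noise, and `repeated_warnings` lists both the power-supply and the offline tags because each appears twice.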
6.1.43 mac-access-list show commands
Displays MAC access list statistics
NOTE: This command is not present in USER EXEC mode.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show mac-access-list stats {<MAC-ACCESS-LIST-NAME>|on}
show mac-access-list stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}
Parameters
show mac-access-list stats {<MAC-ACCESS-LIST-NAME>} {(on <DEVICE-NAME>)}
  mac-access-list stats       Displays MAC access list statistics
  <MAC-ACCESS-LIST-NAME>      Optional. Displays statistics for a specified MAC access list. Specify the MAC access list name.
                              Note: The system displays all configured ACL statistics if no ACL name is specified.
  on <DEVICE-NAME>            Optional. Displays all or a specified MAC access list statistics on a specified device
                              <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
nx9500-6C8809#show mac-access-list stats scalemacacl | i 311
permit D0-67-E5-3F-C0-00 FF-FF-FF-FF-F0-00 host 00-1E-EC-F2-0A-76 rule-precedence 311   Hitcount: 0   Hardware Hitcount: 0
nx9500-6C8809#
6.1.44 mac-address-table show commands
Displays MAC address table entries
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show mac-address-table {on <DEVICE-NAME>}
Parameters
show mac-address-table {on <DEVICE-NAME>}
  mac-address-table     Displays MAC address table entries
  on <DEVICE-NAME>      Optional. Displays MAC address table entries on a specified device
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D(config)#show mac-address-table
--------------------------------------------------------
BRIDGE  VLAN  PORT  MAC                STATE
--------------------------------------------------------
1       1     up1   00-02-B3-28-D1-55  forward
1       1     up1   00-0F-8F-19-BA-4C  forward
1       1     up1   84-24-8D-80-C2-AC  forward
1       1     up1   84-24-8D-80-BF-34  forward
1       1     up1   1C-7E-E5-18-FA-67  forward
1       1     up1   84-24-8D-83-30-A4  forward
1       1     up1   B4-C7-99-DD-31-C8  forward
1       1     up1   B4-C7-99-6C-88-09  forward
1       1     up1   00-18-71-D0-1B-F3  forward
1       1     up1   B4-C7-99-71-17-28  forward
1       1     up1   FC-0A-81-42-93-6C  forward
1       1     up1   B4-C7-99-6D-CD-4B  forward
1       1     up1   84-24-8D-84-A2-24  forward
1       1     up1   3C-CE-73-F4-47-83  forward
1       1     up1   B4-C7-99-74-B4-5C  forward
--------------------------------------------------------
Total number of MACs displayed: 15
rfs6000-81742D(config)#
6.1.45 mac-auth show commands
Displays details of wired ports that have MAC address authentication enabled
Use this command to view MAC authentication configuration and authentication state. The command displays the current authentication state of the wired host, the authorization state of the Ge1 port, and the wired host's MAC address. The port status displays as Authorized if the wired host has successfully authenticated and Not Authorized if the wired host has not authenticated or has failed MAC authentication. For more information on enabling MAC address authentication on a wired port, see mac-auth.
Supported in the following platforms:
  Access Points: AP6511
  Wireless Controllers: RFS4000, RFS6000
Syntax
show mac-auth {all|interface|on}
show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1 <1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}
Parameters
show mac-auth {all|interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1 <1-4>|up <1-2>|xge <1-4>]} {(on <DEVICE-NAME>)}
  mac-auth              Displays MAC authentication related information for all interfaces or a specified interface
  all                   Optional. Displays MAC authentication related information for all interfaces
  interface [<INTERFACE-NAME>|ge <1-5>|port-channel <1-3>|t1e1 <1-4>|up <1-2>|xge <1-4>]
                        Optional. Displays MAC authentication related information for a specified interface. Specify the interface using one of the following options:
                          <INTERFACE-NAME>     Selects the interface identified by the <INTERFACE-NAME> keyword
                          ge <1-5>             Selects the GigabitEthernet interface identified by the index number
                          port-channel <1-3>   Selects the port channel interface identified by the index number
                          t1e1 <1-4>           Selects the layer 2 interface (Ethernet port)
                          up <1-2>             Selects the WAN Ethernet interface identified by the index number
                          xge <1-4>            Selects the TenGigabitEthernet interface identified by the index number
                        The following keywords are common to the all and interface parameters:
  on <DEVICE-NAME>      Optional. Displays MAC authentication related information on a specified device
                        <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.
                        Note: When the on keyword is used exclusively, without the all and interface options, the system displays MAC authentication related information for the interfaces configured on the specified device.
Example
rfs4000-229D58(config)#show mac-auth all
AAA-Policy is none
Mac Auth info for interface GE1
-----------------------------------
Mac Auth Enabled
Mac Auth Not Authorized
Mac Auth info for interface GE2
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
Mac Auth info for interface GE3
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
Mac Auth info for interface GE4
-----------------------------------
Mac Auth Disabled
Mac Auth Authorized
Mac Auth info for interface GE5
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
Mac Auth info for interface UP1
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
rfs4000-229D58(config)#
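Reading the `show mac-auth all` output by eye across many ports is error-prone, and the two conditions an auditor cares about (wired ports with MAC authentication not enabled at all, and enabled ports whose host is Not Authorized) are easy to miss. The following parser is an added example, not part of the WiNG guide or product: the sample text is the example output above, and the line patterns it keys on, the `PortAuth` record and the two check functions are this example's own construction.

```python
"""Added example (not WiNG code): parse `show mac-auth all` output into
per-port records and report the ports an auditor would want to review.
The sample is the guide's own example output; the line patterns are this
example's assumption about the format, derived from that output."""

import re
from typing import NamedTuple

# Copied from the guide's `show mac-auth all` example.
SAMPLE_OUTPUT = """\
rfs4000-229D58(config)#show mac-auth all
AAA-Policy is none
Mac Auth info for interface GE1
-----------------------------------
Mac Auth Enabled
Mac Auth Not Authorized
Mac Auth info for interface GE2
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
Mac Auth info for interface GE3
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
Mac Auth info for interface GE4
-----------------------------------
Mac Auth Disabled
Mac Auth Authorized
Mac Auth info for interface GE5
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
Mac Auth info for interface UP1
-----------------------------------
Mac Auth Disabled
Mac Auth Not Authorized
rfs4000-229D58(config)#
"""

IFACE_RE = re.compile(r"^Mac Auth info for interface (\S+)$")
# "Not Authorized" is listed before "Authorized" so the alternation prefers it.
STATE_RE = re.compile(r"Mac Auth (Enabled|Disabled|Not Authorized|Authorized)")


class PortAuth(NamedTuple):
    interface: str
    enabled: bool       # MAC authentication is configured on the port
    authorized: bool    # the wired host has successfully authenticated


def parse_mac_auth(text: str):
    """Return (aaa_policy, [PortAuth, ...]) in the order the ports are printed."""
    aaa_policy = None
    ports = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("AAA-Policy is "):
            aaa_policy = line[len("AAA-Policy is "):]
            continue
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ports[current] = {"enabled": False, "authorized": False}
            continue
        if current is None:
            continue
        # Tolerate both states landing on one line: collect every token present.
        for state in STATE_RE.findall(line):
            if state in ("Enabled", "Disabled"):
                ports[current]["enabled"] = state == "Enabled"
            else:
                ports[current]["authorized"] = state == "Authorized"
    return aaa_policy, [PortAuth(i, v["enabled"], v["authorized"]) for i, v in ports.items()]


def ports_without_mac_auth(ports) -> list:
    """Wired ports where MAC authentication is not enabled."""
    return [p.interface for p in ports if not p.enabled]


def ports_awaiting_authorization(ports) -> list:
    """Ports with MAC authentication enabled whose host is Not Authorized
    (not yet authenticated, or failed MAC authentication)."""
    return [p.interface for p in ports if p.enabled and not p.authorized]
```

On the sample, only GE1 has MAC authentication enabled, and its host is still Not Authorized; the remaining five ports are reported by `ports_without_mac_auth`, and the AAA policy value (`none` here) is returned alongside the port list so it can be checked in the same pass.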
6.1.46 mac-auth-clients
show commands
Displays MAC authenticated clients

Supported in the following platforms:
  Access Points: AP6511
  Wireless Controllers: RFS4000, RFS6000

Syntax
  show mac-auth-clients [all|interface]
  show mac-auth-clients all {on <DEVICE-NAME>}
  show mac-auth-clients interface {<INF-NAME>|ge <1-X>|port-channel <1-2>|xge <1-4>} {on <DEVICE-NAME>}

Parameters
  show mac-auth-clients all {on <DEVICE-NAME>}
    mac-auth-clients - Displays MAC authenticated clients based on the parameters passed. The options are: all and interface.
    all - Displays MAC authenticated clients for all interfaces
    on <DEVICE-NAME> - Optional. Displays MAC authenticated clients for all interfaces on a specified device
      <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

  show mac-auth-clients interface {<INF-NAME>|ge <1-X>|port-channel <1-2>|xge <1-4>} {on <DEVICE-NAME>}
    mac-auth-clients - Displays MAC authenticated clients based on the parameters passed. The options are: all and interface.
    interface - Displays MAC authenticated clients for the specified interface. Select the interface type from the following options:
      <INF-NAME> - Optional. Displays MAC authenticated clients for the interface identified by the <INF-NAME> keyword. Specify the layer 2 (Ethernet port) interface name.
      ge <1-X> - Optional. Displays MAC authenticated clients for the selected GigabitEthernet interface. Specify the GE interface index from 1 - X. The upper bound varies by device type.
      port-channel <1-2> - Optional. Displays MAC authenticated clients for the selected port channel interface. Specify the port channel interface index from 1 - 2.
      xge <1-4> - Optional. Displays MAC authenticated clients for the selected TenGigabitEthernet interface. Specify the interface index from 1 - 4.
    on <DEVICE-NAME> - Optional. Displays MAC authenticated clients for the specified interface on a specified device
      <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example
  nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show mac-auth-clients interface ge 1
  -----------------------------------------------
  MAC                 STATE           INTERFACE
  -----------------------------------------------
  -----------------------------------------------
  Total number of MACs displayed: 0
  nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
6.1.47 mint
show commands
Displays MiNT protocol related statistics

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show mint [config|dis|id|info|known-adopters|links|lsp|lsp-db|mlcp|neighbors|route|stats|tunnel-controller|tunneled-vlans]
  show mint [config|id|info|known-adopters|route|stats|tunneled-vlans] {on <DEVICE-NAME>}
  show mint [dis|links|neighbors|tunnel-controller] {details} {(on <DEVICE-NAME>)}
  show mint lsp
  show mint lsp-db {details <MINT-ADDRESS>} {(on <DEVICE-NAME>)}
  show mint mlcp {history} {(on <DEVICE-NAME>)}

Parameters
  show mint [config|id|info|known-adopters|route|stats|tunneled-vlans] {on <DEVICE-NAME>}
    mint - Displays MiNT protocol information based on the parameters passed
    config - Displays MiNT configuration
    id - Displays the local MiNT ID
    info - Displays MiNT status
    known-adopters - Displays known, possible, or reachable adopters
    route - Displays MiNT route table details
    stats - Displays MiNT related statistics
    tunneled-vlans - Displays MiNT tunneled VLAN details
    The following keywords are common to all of the above parameters:
      on <DEVICE-NAME> - Optional. Displays MiNT protocol details on a specified device
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

  show mint [dis|links|neighbors|tunnel-controller] {details} {(on <DEVICE-NAME>)}
    mint - Displays MiNT protocol information based on the parameters passed
    dis - Displays MiNT network Designated Intermediate Systems (DISes) and Ethernet Virtualization Interconnects (EVISes)
    links - Displays MiNT networking link details
    neighbors - Displays adjacent MiNT peer details
    tunnel-controller - Displays details of MiNT VLAN network tunnel wireless controllers for extended VLAN load balancing
    The following keywords are common to the dis, links, neighbors, and tunnel-controller parameters:
      details - Optional. Displays detailed MiNT information
      on <DEVICE-NAME> - Optional. This is a recursive parameter, which displays MiNT information on a specified device.
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

  show mint lsp
    mint - Displays MiNT protocol information based on the parameters passed
    lsp - Displays this device's own MiNT link state packet (LSP): the adjacencies, priorities and adoption state it advertises to its peers

  show mint lsp-db {details <MINT-ADDRESS>} {(on <DEVICE-NAME>)}
    mint - Displays MiNT protocol information based on the parameters passed
    lsp-db - Displays MiNT LSP database entries
    details <MINT-ADDRESS> - Optional. Displays detailed MiNT LSP database entries
      <MINT-ADDRESS> - Specify the MiNT address in the AA.BB.CC.DD format.
    The following keyword is recursive and common to the details parameter:
      on <DEVICE-NAME> - Optional. Displays MiNT LSP database entries on a specified device
        <DEVICE-NAME> - Specify the name of the AP or wireless controller

  show mint mlcp {history} {(on <DEVICE-NAME>)}
    mint - Displays MiNT protocol information based on the parameters passed
    mlcp - Displays IPv4 and IPv6 MiNT Link Creation Protocol (MLCP) status. The output also shows the hello-interval and hold-time default values for both IP and VLAN links.
    history - Optional. Displays MLCP client history
    The following keyword is recursive and common to the history parameter:
      on <DEVICE-NAME> - Optional. Displays MLCP client history on a specified device
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example
  nx9500-6C8809#show mint stats
  9 Level-1 neighbors
  Level-1 LSP DB size 26 LSPs (4 KB)
  Last Level-1 SPFs took 0.000s
  Level-1 SPF (re)calculated 818 times.
  26 Level-1 paths.
  0 Level-2 neighbors
  Level-2 LSP DB size 0 LSPs (0 KB)
  Last Level-2 SPFs took 0.000s
  Level-2 SPF (re)calculated 0 times.
  0 Level-2 paths.
  nx9500-6C8809#

  nx9500-6C8809#show mint lsp
  id 19.6C.88.09, level 1, 9 adjacencies, 0 extended-vlans
  seqnum 1476782, expires in 29 minutes, republish in 1362 seconds
  161 bytes, can-adopt: True, adopted-by: 00.00.00.00, dis-priority 5, Level-2-gateway: False
  hostname "nx9500-6C8809"
  cluster id "TechPubs"
  rf-domain "TechPubs", priority vector: 0x60dc0000
  adjacent to 4D.83.30.A4, cost 10
  adjacent to 4D.84.A2.24, cost 10
  adjacent to 19.74.B4.5C, cost 10
  adjacent to 19.6D.CD.4B, cost 10
  adjacent to 19.DD.31.C8, cost 10
  adjacent to 4D.80.C2.AC, cost 10
  adjacent to 4D.80.BF.34, cost 10
  adjacent to 19.71.17.28, cost 10
  adjacent to 70.81.74.2D, cost 10
  nx9500-6C8809#

  nx9500-6C8809#show mint lsp-db
  26 LSPs in LSP-db of 19.6C.88.09:
  LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 9 adjacencies, seqnum 1476782
  LSP 19.6C.8A.49 at level 1, hostname "nx9500-6C8A49pp", 9 adjacencies, seqnum 67397
  LSP 19.6D.CD.4B at level 1, hostname "rfs7000-6DCD4B", 9 adjacencies, seqnum 1143297
  LSP 19.71.17.28 at level 1, hostname "ap8132-711728", 9 adjacencies, seqnum 837272
  LSP 19.72.D4.F4 at level 1, hostname "ap650-72D4F4", 2 adjacencies, seqnum 107768
  LSP 19.72.D5.44 at level 1, hostname "ap4600-72D544", 9 adjacencies, seqnum 10889
  LSP 19.72.E6.C4 at level 1, hostname "ap6532-72E6C4", 2 adjacencies, seqnum 109985
  LSP 19.74.B4.5C at level 1, hostname "ap8132-74B45C", 9 adjacencies, seqnum 1659590
  LSP 19.DD.31.C8 at level 1, hostname "rfs4000-DD31C8", 25 adjacencies, seqnum 1787045
  LSP 1A.7C.D5.A4 at level 1, hostname "ap8222-7CD5A4", 9 adjacencies, seqnum 440488
  LSP 1A.7E.79.E8 at level 1, hostname "ap8122-7E79E8", 9 adjacencies, seqnum 100282
  LSP 1A.B1.9C.40 at level 1, hostname "ap7131-B19C40", 9 adjacencies, seqnum 95001
  LSP 4D.80.BF.34 at level 1, hostname "Rajeev-AP", 9 adjacencies, seqnum 232516
  LSP 4D.80.C2.AC at level 1, hostname "ap7532-80C2AC", 9 adjacencies, seqnum 842369
  LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 9 adjacencies, seqnum 478482
  LSP 4D.84.A2.24 at level 1, hostname "ap7562-84A224", 9 adjacencies, seqnum 562219
  LSP 4D.8A.15.C8 at level 1, hostname "AP1", 1 adjacencies, seqnum 92687
  LSP 68.88.10.D1 at level 1, hostname "rfs4000-8810D1", 9 adjacencies, seqnum 115580
  LSP 70.38.03.E7 at level 1, hostname "rfs7000-3803E7", 9 adjacencies, seqnum 947279
  LSP 70.81.74.2D at level 1, hostname "rfs6000-81742D", 9 adjacencies, seqnum 487287
  LSP 75.A2.A4.90 at level 1, hostname "ap7532-A2A490", 4 adjacencies, seqnum 181692
  LSP 75.A2.A4.B0 at level 1, hostname "ap7532-A2A4B0", 4 adjacencies, seqnum 180804
  LSP 75.A2.A5.54 at level 1, hostname "ap7532-A2A554", 4 adjacencies, seqnum 156084
  LSP 75.A2.A5.6C at level 1, hostname "Snap004-AceessPoint", 4 adjacencies, seqnum 169181
  LSP 75.D1.AA.7A at level 1, hostname "ap7622-D1AA7A", 9 adjacencies, seqnum 5471
  LSP 75.D1.B2.68 at level 1, hostname "ap7602-D1B268", 9 adjacencies, seqnum 6054
  nx9500-6C8809#

  nx9500-6C8809#show mint route
  Destination : Next-Hop(s)
  4D.84.A2.24 : 4D.84.A2.24 via vlan-1
  1A.7C.D5.A4 : 19.DD.31.C8 via vlan-1
  68.88.10.D1 : 19.DD.31.C8 via vlan-1
  19.72.E6.C4 : 19.DD.31.C8 via vlan-1
  75.A2.A5.54 : 19.DD.31.C8 via vlan-1
  1A.B1.9C.40 : 19.DD.31.C8 via vlan-1
  70.81.74.2D : 70.81.74.2D via vlan-1
  19.6C.8A.49 : 19.DD.31.C8 via vlan-1
  19.74.B4.5C : 19.74.B4.5C via vlan-1
  19.6D.CD.4B : 19.6D.CD.4B via vlan-1
  19.72.D5.44 : 19.DD.31.C8 via vlan-1
  75.D1.AA.7A : 19.DD.31.C8 via vlan-1
  75.A2.A4.B0 : 19.DD.31.C8 via vlan-1
  19.71.17.28 : 19.71.17.28 via vlan-1
  70.38.03.E7 : 19.DD.31.C8 via vlan-1
  4D.80.C2.AC : 4D.80.C2.AC via vlan-1
  19.6C.88.09 : 19.6C.88.09 via self
  75.A2.A4.90 : 19.DD.31.C8 via vlan-1
  1A.7E.79.E8 : 19.DD.31.C8 via vlan-1
  19.DD.31.C8 : 19.DD.31.C8 via vlan-1
  75.A2.A5.6C : 19.DD.31.C8 via vlan-1
  19.72.D4.F4 : 19.DD.31.C8 via vlan-1
  4D.83.30.A4 : 4D.83.30.A4 via vlan-1
  4D.80.BF.34 : 4D.80.BF.34 via vlan-1
  4D.8A.15.C8 : 19.DD.31.C8 via vlan-1
  75.D1.B2.68 : 19.DD.31.C8 via vlan-1
  nx9500-6C8809#

  nx9500-6C8809#show mint known-adopters
  19.6C.8A.49
  nx9500-6C8809#

  nx9500-6C8809#show mint config
  Base priority 5
  DIS priority 5
  Control priority 220
  UDP/IP Mint encapsulation port 24576
  Global Mint MTU 1500
  nx9500-6C8809#

  ap7532-15E6E4#show mint mlcp
  MLCP VLAN state: MLCP_DONE
  Potential VLAN links: 1
  All VLANs were scanned 2 times
  Link created on VLAN 1
  MLCP IP state: MLCP_DISCOVERING
  Potential L3 Links:
  192.168.1.43
  MCLP IP Hello Interval: 15s(default), Adjacency hold time: 46s(default)
  MCLP VLAN Hello Interval: 4s(default), Adjacency hold time: 13s(default)
  ap7532-15E6E4#
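Every entry in the LSP database is a device participating in the MiNT control plane, so the database doubles as an inventory of who can exchange adoption and tunnelling state with this controller. The script below is an added example, not code from the guide or from the vendor. It parses show mint lsp-db lines (an abridged copy of the guide's output is embedded) and reports peers that are missing from a hypothetical allow-list of expected MiNT IDs, plus peers whose hostname no longer follows the factory pattern. That pattern (<model>-<last three bytes of the MiNT ID>, as in 19.6C.88.09 and nx9500-6C8809) is inferred from the guide's output and is an assumption of the script; a renamed device such as "Rajeev-AP" or "AP1" is not a finding in itself, only a record to reconcile against the inventory by hand.

```python
import re

# Abridged from the `show mint lsp-db` output printed in the guide (added example).
SAMPLE_LSP_DB = """\
26 LSPs in LSP-db of 19.6C.88.09:
LSP 19.6C.88.09 at level 1, hostname "nx9500-6C8809", 9 adjacencies, seqnum 1476782
LSP 19.6D.CD.4B at level 1, hostname "rfs7000-6DCD4B", 9 adjacencies, seqnum 1143297
LSP 19.DD.31.C8 at level 1, hostname "rfs4000-DD31C8", 25 adjacencies, seqnum 1787045
LSP 4D.80.BF.34 at level 1, hostname "Rajeev-AP", 9 adjacencies, seqnum 232516
LSP 4D.83.30.A4 at level 1, hostname "ap7522-8330A4", 9 adjacencies, seqnum 478482
LSP 4D.8A.15.C8 at level 1, hostname "AP1", 1 adjacencies, seqnum 92687
LSP 75.A2.A5.6C at level 1, hostname "Snap004-AceessPoint", 4 adjacencies, seqnum 169181
LSP 75.D1.B2.68 at level 1, hostname "ap7602-D1B268", 9 adjacencies, seqnum 6054
"""

# Hypothetical site inventory (constructed; not from the guide). 4D.8A.15.C8 is
# deliberately left out to show how an unexpected control-plane peer is reported.
KNOWN_MINT_IDS = {
    "19.6C.88.09", "19.6D.CD.4B", "19.DD.31.C8", "4D.80.BF.34",
    "4D.83.30.A4", "75.A2.A5.6C", "75.D1.B2.68",
}

LSP_RE = re.compile(
    r'^LSP (?P<id>[0-9A-F]{2}(?:\.[0-9A-F]{2}){3}) at level (?P<level>\d+), '
    r'hostname "(?P<host>[^"]*)", (?P<adj>\d+) adjacencies, seqnum (?P<seq>\d+)$'
)


def parse_lsp_db(text):
    """Return one dict per LSP line: id, level, host, adj, seq (header lines are skipped)."""
    peers = []
    for raw in text.splitlines():
        m = LSP_RE.match(raw.strip())
        if m:
            d = m.groupdict()
            for key in ("level", "adj", "seq"):
                d[key] = int(d[key])
            peers.append(d)
    return peers


def has_factory_hostname(peer):
    """True when the hostname ends in the last three bytes of the MiNT ID.

    Assumption: factory hostnames are <model>-<bytes 2..4 of the MiNT ID>,
    e.g. 19.6C.88.09 -> nx9500-6C8809, as every unrenamed device in the
    guide's output shows.
    """
    suffix = "".join(peer["id"].split(".")[1:])
    return peer["host"].upper().endswith("-" + suffix)


def audit_lsp_db(text, known_ids):
    """Inventory check: unknown control-plane peers and renamed devices."""
    peers = parse_lsp_db(text)
    return {
        "peers": len(peers),
        "unknown": [p["id"] for p in peers if p["id"] not in known_ids],
        "renamed": [(p["id"], p["host"]) for p in peers if not has_factory_hostname(p)],
    }


if __name__ == "__main__":
    report = audit_lsp_db(SAMPLE_LSP_DB, KNOWN_MINT_IDS)
    print(f"{report['peers']} peers in LSP database")
    for mint_id in report["unknown"]:
        print(f"UNKNOWN peer {mint_id}: not in inventory, investigate")
    for mint_id, host in report["renamed"]:
        print(f"renamed peer {mint_id} ({host}): confirm against inventory")
```

The same parse works on show mint lsp-db on <DEVICE-NAME> output collected from several controllers; diffing the resulting peer sets between controllers, or between runs, surfaces devices that joined the MiNT domain without an accompanying change record.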
6.1.48 nsight
show commands
Displays NSight related information, including the database server status (reachable or not)

Supported in the following platforms:
  Service Platforms: NX9500, NX9510, NX9600, VX9000

Syntax
  show nsight status

Parameters
  show nsight status
    nsight status - Displays the NSight module related status, such as:
      NSight is enabled or not on the device
      NSight report and aggregation daemon is running or not
      NSight alarm daemon is running or not
      NSight server daemon is running or not
      Database server is reachable or not

Example
  nx9500-6C8809(config)#show nsight status
  Nsight is enabled
  Nsight report and aggregation daemon is running
  Nsight alarm daemon is running
  Nsight server daemon is running
  Database server is local
  Database server is reachable
  nx9500-6C8809(config)#
6.1.49 ntp
show commands
Displays Network Time Protocol (NTP) information. NTP enables clock synchronization within a network.

In the example below the device has no usable time source: both configured servers show REACH 0 and reference clock INIT, the local stratum is 16 and the Leap field reports the clock as unsynchronized. Until that is corrected, log timestamps, certificate validity checks and the time-limited guest accounts described under radius all run on an untrusted clock.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show ntp [associations|status]
  show ntp [associations {detail} {on <DEVICE-NAME>}|status {on <DEVICE-NAME>}]

Parameters
  show ntp [associations {detail} {on <DEVICE-NAME>}|status {on <DEVICE-NAME>}]
    ntp associations - Displays existing NTP associations. The interaction between the controller or service platform and an SNTP server constitutes an association. SNTP associations are of two kinds:
      - peer associations, where a controller or service platform synchronizes to another system or allows another system to synchronize to it
      - server associations, where only the controller or service platform synchronizes to the SNTP resource, not the other way around
      detail - Optional. Displays detailed NTP associations
      on <DEVICE-NAME> - Optional. Displays NTP associations on a specified device
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.
      Note: If the on keyword is used without the detail keyword, the system displays a summary of existing NTP associations on the specified device or RF Domain.
    ntp status - Displays the performance (status) information relative to the NTP association status. Use this command to view the access point, controller, or service platform's current NTP resource.
      on <DEVICE-NAME> - Optional. Displays NTP association status on a specified device
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example
  nx9500-6C8809#show ntp associations
  -----------------------------------------------------------------------------------------------------------
  STATUS  NTP SERVER IP ADDR  REF CLOCK IP ADDR  STRATUM  WHEN  POLL  REACH  DELAY  OFFSET  DISPERSION
  -----------------------------------------------------------------------------------------------------------
  ~       12.12.12.12         INIT               16       -     1024  0      0.0    0.0     15937.5
  ~       11.11.11.11         INIT               16       -     1024  0      0.0    0.0     15937.5
  -----------------------------------------------------------------------------------------------------------
  STATUS Notation: * master (synced), # master (unsynced), + selected, - candidate, ~ configured
  nx9500-6C8809#

  nx9500-6C8809#show ntp status
  --------------------------------------------------------------------------------
  ITEM              VALUE
  --------------------------------------------------------------------------------
  Leap              Clock is unsynchronized
  Stratum           16
  Reference         INIT
  Frequency         0.0000 Hz
  Precision         2^-20
  Reference time    00000000.00000000 (Feb 07 11:58:16 UTC 2036)
  Clock Offset      0.000 msec
  Root delay        0.000 msec
  Root Dispersion   0.000 msec
  --------------------------------------------------------------------------------
  nx9500-6C8809#
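A clock check is cheap to automate and belongs in the same health script as the other show commands. The following is an added example, not code from the guide or from the vendor: it parses the two outputs above (embedded as printed in the guide) together with a constructed healthy counterpart, and returns the list of problems found. Two assumptions are the script's own: the REACH column is read as the octal reachability register that ntpq uses, and the OFFSET column is treated as milliseconds.

```python
import re

STATUS_FLAGS = {"*": "master (synced)", "#": "master (unsynced)", "+": "selected",
                "-": "candidate", "~": "configured"}

# Outputs printed in the guide (added example).
ASSOC_UNSYNCED = """\
STATUS  NTP SERVER IP ADDR  REF CLOCK IP ADDR  STRATUM  WHEN  POLL  REACH  DELAY  OFFSET  DISPERSION
~       12.12.12.12         INIT               16       -     1024  0      0.0    0.0     15937.5
~       11.11.11.11         INIT               16       -     1024  0      0.0    0.0     15937.5
STATUS Notation: * master (synced), # master (unsynced), + selected, - candidate, ~ configured
"""
STATUS_UNSYNCED = """\
Leap              Clock is unsynchronized
Stratum           16
Reference         INIT
Reference time    00000000.00000000 (Feb 07 11:58:16 UTC 2036)
"""

# Constructed healthy counterpart (not from the guide).
ASSOC_SYNCED = """\
*       10.0.0.5            192.168.0.1        2        34    64    377    1.2    -0.3    4.5
"""
STATUS_SYNCED = """\
Leap              Clock is synchronized
Stratum           3
Reference         10.0.0.5
"""

# Longer keys first so "Reference time" is not swallowed by "Reference".
STATUS_KEY_RE = re.compile(
    r"^(Reference time|Root Dispersion|Root delay|Clock Offset|Leap|Stratum|Reference|Frequency|Precision)\s+(.*)$"
)


def parse_ntp_status(text):
    """Map the ITEM column of `show ntp status` to its VALUE column."""
    items = {}
    for raw in text.splitlines():
        m = STATUS_KEY_RE.match(raw.strip())
        if m:
            items[m.group(1)] = m.group(2).strip()
    return items


def parse_ntp_associations(text):
    """One dict per peer row of `show ntp associations`; headers and rules are skipped."""
    rows = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) != 10 or parts[0] not in STATUS_FLAGS:
            continue
        rows.append({
            "flag": parts[0], "server": parts[1], "refclock": parts[2],
            "stratum": int(parts[3]), "when": parts[4], "poll": int(parts[5]),
            "reach": int(parts[6], 8),        # assumption: ntpq-style octal shift register
            "delay": float(parts[7]), "offset": float(parts[8]),  # assumption: milliseconds
            "dispersion": float(parts[9]),
        })
    return rows


def ntp_problems(status_text, assoc_text, max_abs_offset_ms=500.0):
    """Return human-readable problems; an empty list means the clock is usable."""
    status = parse_ntp_status(status_text)
    peers = parse_ntp_associations(assoc_text)
    problems = []
    if status.get("Stratum") == "16" or "unsynchronized" in status.get("Leap", ""):
        problems.append("local clock unsynchronized (stratum 16 / reference INIT)")
    if not any(p["flag"] == "*" for p in peers):
        problems.append(f"no synced master among {len(peers)} configured peer(s)")
    for p in peers:
        if p["reach"] == 0:
            problems.append(f"{p['server']}: no responses received (REACH 0)")
        elif abs(p["offset"]) > max_abs_offset_ms:
            problems.append(f"{p['server']}: offset {p['offset']} ms exceeds {max_abs_offset_ms} ms")
    return problems


if __name__ == "__main__":
    for label, st, assoc in (("guide output", STATUS_UNSYNCED, ASSOC_UNSYNCED),
                             ("constructed healthy output", STATUS_SYNCED, ASSOC_SYNCED)):
        print(label, "->", ntp_problems(st, assoc) or "OK")
```

Against the guide's output the check reports four problems (unsynchronized clock, no master, and both servers unreachable); against the constructed healthy output it reports none.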
6.1.50 password-encryption
show commands
Displays password encryption status (enabled/disabled)

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show password-encryption status

Parameters
  show password-encryption status
    password-encryption status - Displays password encryption status (enabled/disabled)

Example
  rfs6000-81742D(config)#show password-encryption status
  Password encryption is enabled
  rfs6000-81742D(config)#
6.1.51 pppoe-client
show commands
Displays Point-to-Point Protocol over Ethernet (PPPoE) client information

Use this command to view PPPoE statistics derived from access to high-speed data and broadband networks. PPPoE uses the standard encryption, authentication, and compression methods specified by the PPPoE protocol. PPPoE enables point-to-point connections to an ISP over an existing Ethernet interface.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show pppoe-client [configuration|status] {on <DEVICE-NAME>}

Parameters
  show pppoe-client [configuration|status] {on <DEVICE-NAME>}
    pppoe-client - Displays PPPoE client information (configuration and status)
    configuration - Displays detailed PPPoE client configuration
    status - Displays detailed PPPoE client status
    The following keywords are common to the configuration and status parameters:
      on <DEVICE-NAME> - Optional. Displays detailed PPPoE client status or configuration on a specified device
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example
  nx9500-6C8809#show pppoe-client configuration
  PPPoE Client Configuration:
  +-------------------------------------------
  | Mode         : Disabled
  | Service Name :
  | Auth Type    : pap
  | Username     :
  | Password     : fJx5O+5duPjaOaPuXmtLDQAAAAAmvgEXcQ1+eUK4ByHK4aRi
  | Idle Time    : 600
  | Keepalive    : Disabled
  | Local n/w    : vlan1
  | Static IP    : __wing_internal_not_set__
  | MTU          : 1492
  +-------------------------------------------
  nx9500-6C8809#

The Password field shows the stored PPPoE credential in its encrypted form (see password-encryption). This is reversible encryption, not a hash: the device must recover the cleartext to authenticate to the ISP, so treat this output, and any configuration export that contains such values, as sensitive. The hide-encrypted-values keyword of show running-config suppresses these values in configuration output.
6.1.52 privilege
show commands
Displays the current user's privilege level on the device

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show privilege

Parameters
  None

Example
  rfs6000-81742D(config)#show privilege
  Current user privilege: superuser
  rfs6000-81742D(config)#
6.1.53 radius
show commands
Displays the amount of access time consumed and the amount of access time remaining for all guest users configured on a RADIUS server

Every captive portal guest user can access the captive portal for a specified duration. This results in the following three scenarios:
  Scenario 1: Access duration not specified (in this case the default of 1440 minutes is applied)
  Scenario 2: Access duration is specified and is greater than 0
  Scenario 3: Access duration is specified and equals 0 (in this case the guest user has unlimited access)
In all three scenarios the access time consumed is the duration for which the guest user has been logged in. The access time remaining varies and is calculated as follows:
  Scenarios 1 & 2: the lesser of the following two values: the difference between the configured access duration and the time consumed, and the time until user account expiration
  Scenario 3: the time until user account expiration

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show radius [guest-users|server]
  show radius guest-users {brief|<GUEST-USER-NAME>}
  show radius server

Parameters
  show radius guest-users {brief|<GUEST-USER-NAME>}
    radius guest-users - Displays the RADIUS server's guest user access details: the total time for which the user has been logged in, and the amount of access time remaining.
      brief - Displays the total number of guest users provided RADIUS access
      <GUEST-USER-NAME> - Optional. Provide the name of the guest user whose access details are to be viewed. If no name is provided, the system displays details of all guest users who have successfully logged in at least once.
    Use this command in the captive-portal context to view time and data statistics for guest users with bandwidth-based or time-based vouchers configured. In that case the system displays the following information: data configured, data remaining, configured and current bandwidths (for both downlink and uplink), time configured, and time remaining. If a bandwidth-based voucher is not applicable to a guest user, the data configured and data remaining values are displayed as unlimited and the bandwidth columns are blank. If a time-based voucher is not applicable to a guest user, the only value displayed is the time remaining (which is the time till the expiration of the guest user's account).
    Note: For more information on configuring bandwidth-based and time-based vouchers, see user.

  show radius server
    radius server - Displays RADIUS server related statistical data

Example
  rfs4000-229D58#show radius guest-users
  TIME (min:sec)
  USED    REMAINING   GUEST USER
  0:00    9:00        time9
  0:00    5:00        time5
  0:00    15:00       time15
  0:00    305416:35   notime
  2:31    7:29        time10
  rfs4000-229D58#

The following example shows a RADIUS user pool with guest users having bandwidth-based, time-based, bandwidth and time based, and no bandwidth or time based vouchers. Note that show context prints each guest user's password in the clear (password 0 <PASSWORD>), so handle this output as you would any credential store:
  rfs4000-229D58(config-captive-portal-wdws)#show context
  radius-user-pool-policy wdws
   user time_and_data password 0 both group wdws guest expiry-time 12:00 expiry-date 12/31/2015 access-duration 8000 data-limit 500 committed-downlink 3000 committed-uplink 2000 reduced-downlink 1000 reduce4
   user neither password 0 nine group wdws guest expiry-time 12:00 expiry-date 12/31/2015
   user data_only password 0 data group wdws guest expiry-time 12:00 expiry-date 12/31/2015 data-limit 125 committed-downlink 1000 committed-uplink 800 reduced-downlink 500 reduced-uplink 400
  rfs4000-229D58(config-captive-portal-wdws)#

The following example shows the captive portal access details for the users in the above RADIUS user pool:
  rfs4000-229D58(config-captive-portal-wdws)#show radius guest-users
                 TIME (DD:HH:MM:SS)          DATA (kilobytes)        BANDWIDTH (kbps)
  GUEST USER     CONFIGURED   REMAINING      CONFIGURED  REMAINING   CFGD DN  CURR DN  CFGD UP  CURR UP
  time_and_data  5:13:20:00   5:12:00:50     512000      433727      3000     0        2000     0
  neither        till expiry  221:19:44:54   unlimited   unlimited
  data_only      till expiry  221:19:44:54   128000      127587      1000     0        800      0
  time_only      3:11:20:00   3:11:19:47     unlimited   unlimited
  Current time: 17:15:07
  rfs4000-229D58(config-captive-portal-wdws)#
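The three scenarios above, carried through in code, as an added example that is not part of the guide or the vendor's software. The function follows the text as stated (no access-duration means the 1440-minute default; 0 means unlimited, bounded only by account expiry; otherwise the lesser of the remaining budget and the time to expiry). Two details are inferred from the guide's tables rather than stated in it and are assumptions here: data-limit is configured in MB and displayed in kilobytes (500 becomes 512000, 125 becomes 128000), and the DD:HH:MM:SS column formats 8000 minutes as 5:13:20:00. Note also that the voucher table shows "till expiry" for the user neither, who has no access-duration configured, whereas the scenario text says the default applies; the row builder below prints "till expiry" only for an explicit access-duration of 0.

```python
from datetime import datetime

DEFAULT_ACCESS_MINUTES = 1440  # scenario 1 default stated in the guide


def remaining_access_seconds(consumed_s, secs_to_expiry, access_duration_min=None):
    """Access time remaining, following the three scenarios in the guide.

    access_duration_min is None -> scenario 1 (1440-minute default applies)
    access_duration_min > 0     -> scenario 2
    access_duration_min == 0    -> scenario 3 (unlimited, bounded only by expiry)
    """
    secs_to_expiry = max(int(secs_to_expiry), 0)
    if access_duration_min is None:
        access_duration_min = DEFAULT_ACCESS_MINUTES
    if access_duration_min == 0:
        return secs_to_expiry
    budget_left = access_duration_min * 60 - int(consumed_s)
    return max(min(budget_left, secs_to_expiry), 0)


def parse_expiry(expiry_date, expiry_time):
    """expiry-date is MM/DD/YYYY and expiry-time HH:MM, as in the user pool output."""
    return datetime.strptime(f"{expiry_date} {expiry_time}", "%m/%d/%Y %H:%M")


def seconds_to_expiry(now, expiry_date, expiry_time):
    return int((parse_expiry(expiry_date, expiry_time) - now).total_seconds())


def fmt_dd_hh_mm_ss(seconds):
    """Format like the TIME (DD:HH:MM:SS) column, e.g. 8000 minutes -> 5:13:20:00."""
    d, rem = divmod(int(seconds), 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    return f"{d}:{h:02d}:{m:02d}:{s:02d}"


def data_limit_kb(megabytes):
    """Assumption: data-limit is configured in MB and shown in KB (500 -> 512000)."""
    return megabytes * 1024


def guest_row(name, consumed_s, secs_to_expiry, access_duration_min=None,
              data_limit_mb=None, data_used_kb=0):
    """Build one row of the voucher-style `show radius guest-users` table."""
    if access_duration_min == 0:
        time_configured = "till expiry"
    else:
        time_configured = fmt_dd_hh_mm_ss((access_duration_min or DEFAULT_ACCESS_MINUTES) * 60)
    row = {
        "user": name,
        "time_configured": time_configured,
        "time_remaining": fmt_dd_hh_mm_ss(
            remaining_access_seconds(consumed_s, secs_to_expiry, access_duration_min)),
    }
    if data_limit_mb is None:
        row["data_configured"] = row["data_remaining"] = "unlimited"
    else:
        row["data_configured"] = data_limit_kb(data_limit_mb)
        row["data_remaining"] = max(data_limit_kb(data_limit_mb) - data_used_kb, 0)
    return row


if __name__ == "__main__":
    # Constructed inputs: time_and_data from the guide's user pool, logged in for
    # 1h19m10s with 78273 KB used, and an account expiring far in the future.
    far_future = 10**8
    print(guest_row("time_and_data", 4750, far_future, 8000, 500, 78273))
    print(guest_row("data_only", 0, far_future, 0, 125, 413))
    print(guest_row("unlimited_user", 600, 3000, 0))
```

With those inputs the first row reproduces the guide's time_and_data line (5:13:20:00 configured, 5:12:00:50 remaining, 512000 KB configured, 433727 KB remaining), and the last row shows scenario 3 collapsing to the time until expiry.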
6.1.54 reload
show commands
Displays scheduled reload information for a specific device

NOTE: This command is not present in the USER EXEC mode.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show reload {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
  show reload {on <DEVICE-OR-DOMAIN-NAME>}
    reload - Displays scheduled reload information for a specified device
    on <DEVICE-OR-DOMAIN-NAME> - Optional. Displays scheduled reload information on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> - Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
  rfs6000-81742D(config)#show reload
  No reload is scheduled.
  rfs6000-81742D(config)#
6.1.55 rf-domain-manager
show commands
Displays RF Domain manager selection details

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
  show rf-domain-manager {on <DEVICE-OR-DOMAIN-NAME>}
    rf-domain-manager - Displays RF Domain manager selection details
    on <DEVICE-OR-DOMAIN-NAME> - Optional. Displays RF Domain manager selection details on a specified device or domain
      <DEVICE-OR-DOMAIN-NAME> - Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
  nx9500-6C8809#show rf-domain-manager
  RF Domain TechPubs
  RF Domain Manager:
    ID: 19.6C.88.09
    Controller Managed
  Device under query:
    Priority: 220
    Has IP MiNT links
    Has wired MiNT links
  nx9500-6C8809#
6.1.56 role
show commands
Displays role based firewall information

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show role [ldap-stats|wireless-clients]
  show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}

Parameters
  show role [ldap-stats|wireless-clients] {on <DEVICE-NAME>}
    role ldap-stats - Displays LDAP server status and statistics
    role wireless-clients - Displays clients associated with roles
    The following parameters are common to the ldap-stats and wireless-clients keywords:
      on <DEVICE-NAME> - Optional. Displays the selected role information on a specified device
        <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example
  nx9500-6C8809(config)#show role wireless-clients
  No ROLE statistics found.
  nx9500-6C8809(config)#
6.1.57 route-maps
show commands
Displays route map statistics for defined device routes

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show route-maps {on <DEVICE-NAME>}

Parameters
  show route-maps {on <DEVICE-NAME>}
    route-maps - Displays configured route map statistics for all defined routes. For more information on route maps, see route-map.
    on <DEVICE-NAME> - Optional. Displays route map statistics on a specified device
      <DEVICE-NAME> - Specify the name of the AP, wireless controller, or service platform.

Example
  nx9500-6C8809(config)#show route-maps
  nx9500-6C8809(config)#
6.1.58 rtls
show commands
Displays Real Time Location Service (RTLS) statistics for access points contributing locationing information

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}

Parameters
  show rtls [aeroscout|ekahau|omnitrail] {<MAC/HOSTNAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
    rtls - Displays access point RTLS statistics
    aeroscout - Displays access point Aeroscout statistics
    ekahau - Displays access point Ekahau statistics
    omnitrail - Displays access point Omnitrail statistics
    <MAC/HOSTNAME> - Optional. Displays Aeroscout, Ekahau, or Omnitrail statistics for a specified access point. Specify the MAC address or hostname of the access point.
    The following keyword is recursive and common to the aeroscout, ekahau, and omnitrail parameters:
      on <DEVICE-OR-DOMAIN-NAME> - Optional. Displays Aeroscout, Ekahau, or Omnitrail statistics on a specified device or domain.
        <DEVICE-OR-DOMAIN-NAME> - Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
  rfs4000-229D58(config)#show rtls aeroscout
  Aeroscout Engine IP: 0.0.0.0 Port: 0
  Send Count : 0
  Recv Count : 0
  Tag Reports : 0
  Nacks : 0
  Acks : 0
  Lbs : 0
  AP Status : 0
  AP Notif : 0
  Send Err : 0
  Errmsg Count : 0
  Total number of APs displayed: 1
  rfs4000-229D58(config)#

  ap8533-84A224#show rtls omnitrail
  Engine IP: 157.235.90.41 Control Port: 8890
  Otls 2.4 GHz Engine status: CONNECTED
  Otls 5 GHz Engine status: CONNECTED
  Data Port configured for forwarding 2.4GHz Radio detected beacons: 8888
  Data Port configured for forwarding 5GHz Radio detected beacons: 8889
  Heart beats sent for 2.4GHz Port : 1
  Heart beats sent for 5GHz Port : 0
  Beacon tags received on 2.4GHz Radio and forwarded: 6883
  Beacon tags received on 5GHz Radio and forwarded: 0
  Beacon tags received on Sensor Radio (2.4GHz Band) and forwarded: 5187
  Beacon tags received on Sensor Radio (5Ghz Band) and forwarded: 0
  Total number of APs displayed: 1
  ap8533-84A224#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 124 SHOW COMMANDS 6.1.59 running-config show commands Displays configuration files (where all configured MAC and IP access lists are applied to an interface) Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax show running-config {aaa-policy|application|application-group|
application-policy|association-acl-policy|auto-provisioning-policy|
captive-portal-policy|device|database-client-policy|database-policy|device|
device-overrides|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-
policy|ex3500-qos-class-map-policy|ex3500-qos-policy-map|exclude-devices|
firewall-policy|flag-unwritten-changes|guest-management-policy|hide-encrypted-
values|include-factory|interface|ip-access-list|ipv6-access-list|mac-access-
list|management-policy|meshpoint|nsight-policy|profile|radio-qos-policy|
rf-domain|roaming-assist-policy|rtl-server-policy|schedule-policy|smart-rf-
policy|url-filter|url-list|web-filter-policy|wlan|wlan-qos-policy}
show running-config {aaa-policy|application-policy|association-acl-policy|auto-
provisioning-policy|captive-portal-policy|database-client-policy|database-
policy|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-policy|ex3500-
qos-class-map-policy|ex3500-qos-policy-map|guest-management-policy|firewall-
policy|management-policy|nsight-policy|radio-qos-policy|roaming-assist-policy|
rtl-server-policy|schedule-policy|smart-rf-policy|web-filter-policy|wlan-qos-
policy} <POLICY-NAME> {include-factory}
show running-config {flag-unwritten-changes}
show running-config {application <APPLICATION-NAME>|application-group
<APPLICATION-GROUP-NAME>}
show running-config exclude-devices
show running-config {device [<MAC>|self]} {include-factory}
show running-config {device-overrides {brief}}
show running-config {hide-encrypted-values {exclude-devices|include-factory}}
show running-config {include-factory}
show running-config {interface} {<INTERFACE-NAME>|ge|include-factory|me|port-
channel|pppoe1|vlan|wwan1}
show running-config {interface} {<INTERFACE-NAME>|ge <1-4>|include-
factory|me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {include-factory}
show running-config {ip-access-list <IP-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-
ACCESS-LIST-NAME>|mac-access-list <MAC-ACCESS-LIST-NAME>} {include-factory}
show running-config {meshpoint <MESHPOINT-NAME>} {include-factory}
show running-config {profile [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|
ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|
ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600] <PROFILE-NAME>}
{include-factory}
show running-config {rf-domain <DOMAIN-NAME>} {include-factory}
show running-config {wlan <WLAN-NAME>} {include-factory}
show running-config url-filter <URL-FILTER-NAME>
show running-config url-list <URL-LIST-NAME> {include-factory}
Parameters
show running-config {flag-unwritten-changes}
running-config flag-unwritten-changes   Flags unsaved changes in the show > running-config command output. Optionally use the flag-unwritten-changes keyword to view changes that have been committed but not saved in the startup configuration. When used, all unsaved changes are marked with a === marker, as shown in the following show > running-config > flag-unwritten-changes output:
nx9500-6C8809(config)#show running-config flag-unwritten-changes
!
! Configuration of NX9500 version 5.9.1.0-017D
!
!
version 2.5
!
!
client-identity-group default load default-fingerprints
!
client-identity-group test2 load default-fingerprints
!
===alias encrypted-string $WRITE 2 o5gA2zqj/q/REWi8rTa7vQAAAAh4yA1YNBjqTVf4mMBsGA4i
!
===alias encrypted-string $enAlias2 2 JI4lPuMaCdMMx7rfBeyIAwAAAAoZ6tR1FfTlFXWvSicTMVZc
!
--More--
nx9500-6C8809(config)#
Execute the write > memory command to save these changes.
show running-config {aaa-policy|application-policy|association-acl-policy|
auto-provisioning-policy|captive-portal-policy|database-client-policy|database-
policy|dhcp-server-policy|dhcpv6-server-policy|ex3500-management-policy|ex3500-
qos-class-map-policy|ex3500-qos-policy-map|guest-management-policy|firewall-
policy|management-policy|nsight-policy|radio-qos-policy|roaming-assist-policy|
rtl-server-policy|schedule-policy|smart-rf-policy|web-filter-policy|wlan-qos-
policy} <POLICY-NAME> {include-factory}
running-config                Displays current running configuration. Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. For example, to view a policy and its configuration, specify the policy type and provide the policy name. Note: If the command is executed without a keyword, the system displays the entire running configuration.
<POLICY-TYPE>                 Optional. Select the policy type, for example, aaa-policy, auto-provisioning-policy, captive-portal-policy, etc., and then specify the policy name. The system displays the selected policy's configuration.
<POLICY-NAME>                 Specify the name of the policy (should be existing and configured).
The following keyword is common to all policies:
include-factory               Optional. Includes factory defaults
show running-config {application <APPLICATION-NAME>|application-group
<APPLICATION-GROUP-NAME>}
running-config                Displays current running configuration. Optionally, execute the command along with one of the associated keywords to view the running configuration for that top-level object. If the command is executed without a keyword, the system displays the entire running configuration.
application <APPLICATION-NAME>   Displays an application's configuration. The application can be system-provided or user-defined.
  <APPLICATION-NAME>          Specify the application name (should be existing).
application-group <APPLICATION-GROUP-NAME>   Displays an application-group's configuration
  <APPLICATION-GROUP-NAME>    Specify the application-group name (should be existing and configured).
show running-config {device [<MAC>|self]} {include-factory}
running-config                Displays current running configuration
device [<MAC>|self]           Optional. Displays device configuration
  <MAC>                       Displays a specified device's configuration. Specify the MAC address of the device.
  self                        Displays the logged device's configuration
The following keyword is common to the <MAC> and self parameters:
include-factory               Optional. Displays factory defaults
show running-config {hide-encrypted-values {exclude-devices|include-factory}}
running-config                Displays current running configuration
hide-encrypted-values         Optional. Replaces all encrypted passwords with the standard characters ****** in the show > running-config output
  exclude-devices             Optional. Excludes devices from the running configuration displayed
  include-factory             Optional. Includes factory default values in the running configuration displayed
show running-config {device-overrides {brief}}
running-config                Displays current running configuration
device-overrides              Optional. Displays overrides applied at the device's configuration
  brief                       Optional. Displays a brief summary of device overrides
show running-config {exclude-devices}
running-config                Displays current running configuration
exclude-devices               Optional. Excludes device configuration details from the running configuration displayed
show running-config {include-factory}
running-config                Displays current running configuration
include-factory               Optional. Includes factory defaults
show running-config {interface} {<INTERFACE-NAME>|ge <1-4>|include-factory|
me1|port-channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {include-factory}
running-config                Displays current running configuration
interface                     Optional. Displays interface configuration
  <INTERFACE-NAME>            Optional. Displays a specified interface's configuration. Specify the interface name.
  ge <1-4>                    Optional. Displays GigabitEthernet interface configuration
    <1-4>                     Specify the GigabitEthernet interface index from 1 - 4.
  me1                         Optional. Displays FastEthernet interface configuration
  port-channel <1-2>          Optional. Displays port channel interface configuration
    <1-2>                     Specify the port channel interface index from 1 - 2.
  pppoe1                      Optional. Displays PPP over Ethernet interface configuration
  vlan <1-4094>               Displays VLAN interface configuration
    <1-4094>                  Specify the VLAN interface number from 1 - 4094.
  wwan1                       Optional. Displays Wireless WAN interface configuration
The following keyword is common to all interfaces:
include-factory               Optional. Includes factory defaults
show running-config {ip-access-list <IP-ACCESS-LIST-NAME>|ipv6-access-list
<IPv6-ACCESS-LIST-NAME>|mac-access-list <MAC-ACCESS-LIST-NAME>} {include-factory}
running-config                Displays current running configuration. Optionally, you can execute the command along with one of the associated keywords to view the running configuration for that top-level object. To view an access-list and its configuration, specify the ACL type and provide the ACL name. Note: If the command is executed without a keyword, the system displays the entire running configuration.
<ACL-TYPE>                    Optional. Select the ACL type, for example, ip-access-list, ipv6-access-list, or mac-access-list, and then specify the ACL name. The system displays the selected ACL's configuration.
<IP/IPv6/MAC-ACL-NAME>        Specify the name of the ACL (should be existing and configured).
The following keyword is common to the ip-access-list and mac-access-list parameters:
include-factory               Optional. Includes factory defaults
show running-config {meshpoint <MESHPOINT-NAME>} {include-factory}
running-config                Displays current running configuration
meshpoint <MESHPOINT-NAME>    Optional. Displays meshpoint configuration
  <MESHPOINT-NAME>            Specify the meshpoint name
include-factory               Optional. Includes factory defaults along with running configuration details
show running-config {profile [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|
ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|
ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600] <PROFILE-NAME>}
{include-factory}
running-config                Displays current running configuration
profile <DEVICE-TYPE> <PROFILE-NAME>   Optional. Displays current configuration for a specified profile. Select the device type, and then specify the profile name.
  <DEVICE-TYPE>               Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, and VX9000. Note: Select the anyap option to view the running configuration of any type of device.
  <PROFILE-NAME>              Specify the profile name for the selected <DEVICE-TYPE>.
include-factory               Optional. This parameter is common to all profiles. When selected, it includes factory defaults in the output.
show running-config {rf-domain <DOMAIN-NAME>} {include-factory}
running-config                Displays current running configuration
rf-domain <DOMAIN-NAME>       Optional. Displays current configuration for an RF Domain
  <DOMAIN-NAME>               Displays current configuration for a specified RF Domain. Specify the RF Domain name.
include-factory               Optional. Includes factory defaults
show running-config {wlan <WLAN-NAME>} {include-factory}
running-config                Displays current running configuration
wlan <WLAN-NAME>              Optional. Displays current configuration for a WLAN
  <WLAN-NAME>                 Displays current configuration for a specified WLAN. Specify the WLAN name.
include-factory               Optional. Includes factory defaults
show running-config url-filter <URL-FILTER-NAME>
running-config                Displays current running configuration
url-filter <URL-FILTER-NAME>  Optional. Displays current configuration for the URL filter identified by the <URL-FILTER-NAME> keyword
  <URL-FILTER-NAME>           Specify the URL filter's name.
show running-config url-list <URL-LIST-NAME> {include-factory}
running-config                Displays current running configuration
url-list <URL-LIST-NAME>      Optional. Displays current configuration for the URL list identified by the <URL-LIST-NAME> keyword
  <URL-LIST-NAME>             Specify the URL list's name.
include-factory               Optional. Includes factory defaults
Example
rfs6000-81742D#show running-config device self
!
version 2.5
!
!
ip snmp-access-list default
 permit any
!
firewall-policy default
 no ip dos tcp-sequence-past-window
!
!
mint-policy global-default
!
!
management-policy default
 no telnet
 no http server
 https server
 no ftp
 ssh
 user admin password 1 fd07f19c6caf46e5b7963a802d422a708ad39a24906e04667c8642299c8462f1 role superuser access all
--More--
rfs6000-81742D#
rfs6000-81742D#show running-config profile ap81xx default-ap81xx
profile ap81xx default-ap81xx
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface radio3
 interface ge1
--More--
rfs6000-81742D#
nx9500-6C8809#show running-config url-filter URL_FILTER_Shopping include-factory
url-filter URL_FILTER_Shopping
 no description
 blacklist category-type p2p precedence 20 description description
 blacklist category-type news-sports-general category shopping precedence 10 description description
 blockpage path internal
 blockpage internal org-name Your Organization Name
 blockpage internal org-signature Your Organization Name, All Rights Reserved.
 blockpage internal title This URL may have been filtered.
 blockpage internal header The requested URL could not be retrieved.
 blockpage internal footer If you have any questions please contact your IT department.
 blockpage internal content The site you have attempted to reach may be considered inappropriate for access.
 no blockpage internal main-logo
 no blockpage internal small-logo
 no blockpage external
nx9500-6C8809#
nx9500-6C8809#show running-config url-list AllowedShopping
url-list AllowedShopping
 url ebay.com depth 10
 url amazon.com depth 10
nx9500-6C8809#
nx9500-6C8809#show running-config application Bing
application Bing
 app-category streaming
 use url-list Bing
nx9500-6C8809#
nx9500-6C8809#sho running-config application-group amazon
application-group amazon
 application amazon_cloud
 application amazon_shop
 application amazon-prime-music
 application amazon-prime-video
nx9500-6C8809#
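Three things in this section matter when running-config output leaves the device: the === marker that flag-unwritten-changes prints in front of committed-but-unsaved statements, the password hashes and encrypted-string blobs that hide-encrypted-values replaces with ******, and the management-policy block that decides whether cleartext services (telnet, http server, ftp) are enabled. The following Python script is an added example, not part of the CLI reference, that processes captured output offline: it lists the unsaved statements, redacts the secret fields the way hide-encrypted-values does, and reports cleartext management services per policy. The sample configuration is constructed in the shape of the outputs above; the hash and blob values are placeholders.

```python
import re

# Constructed sample in the shape of the 'show running-config flag-unwritten-changes'
# and 'show running-config device self' outputs above. The '===' marker is what the
# CLI prints for unsaved changes; the hash and encrypted-string blob are placeholders.
SAMPLE_RUNNING_CONFIG = """\
!
! Configuration of NX9500 version 5.9.1.0-017D
!
version 2.5
!
===alias encrypted-string $enAlias2 2 PLACEHOLDERBLOBPLACEHOLDER
!
management-policy default
 no telnet
 http server
 https server
 no ftp
 ssh
 user admin password 1 0000000000000000000000000000000000000000000000000000000000000000 role superuser access all
!
"""

UNSAVED_MARK = "==="
# Statements that carry secret material: 'password <type> <hash>' on a 'user'
# line, and 'encrypted-string <alias> <type> <blob>'.
SECRET_PATTERNS = [
    re.compile(r"(\bpassword \d+ )(\S+)"),
    re.compile(r"(\bencrypted-string \S+ \d+ )(\S+)"),
]
# Management services that carry credentials in cleartext on the wire.
CLEARTEXT_SERVICES = ("telnet", "http server", "ftp")


def unsaved_lines(config_text):
    """Return the statements flag-unwritten-changes marked with '==='
    (committed but not yet written to the startup configuration)."""
    return [line[len(UNSAVED_MARK):] for line in config_text.splitlines()
            if line.startswith(UNSAVED_MARK)]


def redact_secrets(config_text):
    """Replace password hashes and encrypted-string blobs with '******',
    the same shape the hide-encrypted-values keyword produces."""
    out = []
    for line in config_text.splitlines():
        for pat in SECRET_PATTERNS:
            line = pat.sub(r"\g<1>******", line)
        out.append(line)
    return "\n".join(out) + "\n"


def audit_management_policies(config_text):
    """Map each management-policy name to the cleartext services it leaves
    enabled. A service counts as enabled when its bare statement appears in
    the block (e.g. 'http server'); 'no <service>' means disabled."""
    findings = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("management-policy "):
            current = line.split(None, 1)[1]
            findings[current] = []
        elif line == "!":
            current = None          # '!' closes the block
        elif current is not None:
            for svc in CLEARTEXT_SERVICES:
                if line == svc:
                    findings[current].append(svc)
    return findings


if __name__ == "__main__":
    print("unsaved:", unsaved_lines(SAMPLE_RUNNING_CONFIG))
    print(redact_secrets(SAMPLE_RUNNING_CONFIG))
    print("cleartext services:", audit_management_policies(SAMPLE_RUNNING_CONFIG))
```

Redacting locally is a fallback for captures that were taken without hide-encrypted-values; when the capture is still to be made, pass the keyword on the device so the secret fields never leave it.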
6.1.60 session-changes
show commands
Displays configuration changes made in the current session
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show session-changes
Parameters
None
Example
rfs6000-81742D(config)#show session-changes
No changes in this session
rfs6000-81742D(config)#
6.1.61 session-config
show commands
Lists active open sessions on a device
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show session-config {exclude-devices|include-factory}
Parameters
show session-config {exclude-devices|include-factory}
session-config                Displays current session configuration
  exclude-devices             Optional. Excludes device configuration details from the output
  include-factory             Optional. Includes factory defaults
Example
nx9500-6C8809(config)#show session-config
!
! Configuration of NX9500 version 5.9.1.0-017D
!
!
version 2.5
!
!
client-identity-group default load default-fingerprints
!
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
mac access-list PERMIT-ARP-AND-IPv4
 permit any any type ip rule-precedence 10 rule-description "permit all IPv4 tra
--More--
nx9500-6C8809(config)#
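The ip access-list in the session-config output above is evaluated in rule-precedence order, lowest value first, so the final permit ip any any at precedence 100 only sees traffic that no earlier rule matched, and the TCP permit at precedence 10 fires before the multicast and broadcast denies. The following Python script is an added example, not part of the CLI reference, that parses rules in the printed form, sorts them by precedence and reports which rule a given flow hits, which is the check a reviewer wants before trusting that a deny is actually reachable. The rule text is a constructed copy of the list above; the dhcpc service name is resolved to the standard DHCP client port 68.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the BROADCAST-MULTICAST-CONTROL rules as printed in the
# 'show session-config' output above, one statement per line.
SAMPLE_ACL = """\
ip access-list BROADCAST-MULTICAST-CONTROL
 permit tcp any any rule-precedence 10 rule-description "permit all TCP traffic"
 permit udp any eq 67 any eq dhcpc rule-precedence 11 rule-description "permit DHCP replies"
 deny udp any range 137 138 any range 137 138 rule-precedence 20 rule-description "deny windows netbios"
 deny ip any 224.0.0.0/4 rule-precedence 21 rule-description "deny IP multicast"
 deny ip any host 255.255.255.255 rule-precedence 22 rule-description "deny IP local broadcast"
 permit ip any any rule-precedence 100 rule-description "permit all IP traffic"
!
"""

# Service names used by the sample; dhcpc is the standard DHCP client port.
SERVICE_PORTS = {"dhcpc": 68, "dhcps": 67}


@dataclass
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Optional[tuple]     # (low, high) or None when the rule has no port match
    dst: ipaddress.IPv4Network
    dport: Optional[tuple]
    precedence: int
    description: str


def _port(tok):
    return int(tok) if tok.isdigit() else SERVICE_PORTS[tok]


def _parse_net(tokens, i):
    """Consume one address spec (any | host A.B.C.D | A.B.C.D/N) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(tokens[i], strict=False), i + 1


def _parse_ports(tokens, i):
    """Consume an optional 'eq X' or 'range A B' at tokens[i]."""
    if i < len(tokens) and tokens[i] == "eq":
        p = _port(tokens[i + 1])
        return (p, p), i + 2
    if i < len(tokens) and tokens[i] == "range":
        return (_port(tokens[i + 1]), _port(tokens[i + 2])), i + 3
    return None, i


def parse_rule(line):
    t = shlex.split(line)            # keeps the quoted description as one token
    action, proto = t[0], t[1]
    src, i = _parse_net(t, 2)
    sport, i = _parse_ports(t, i)
    dst, i = _parse_net(t, i)
    dport, i = _parse_ports(t, i)
    prec = int(t[t.index("rule-precedence") + 1])
    desc = t[t.index("rule-description") + 1]
    return Rule(action, proto, src, sport, dst, dport, prec, desc)


def parse_acl(text):
    """Return (name, rules sorted by rule-precedence) for one ip access-list."""
    name, rules = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list "):
            name = line.split()[2]
        elif line.startswith(("permit ", "deny ")):
            rules.append(parse_rule(line))
    return name, sorted(rules, key=lambda r: r.precedence)


def _in_range(port, rng):
    return rng is None or rng[0] <= port <= rng[1]


def first_match(rules, proto, src, sport, dst, dport):
    """Return the first rule (lowest precedence value) the flow matches, or None.
    A rule whose protocol is 'ip' matches any transport protocol."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto not in ("ip", proto):
            continue
        if s in r.src and d in r.dst and _in_range(sport, r.sport) and _in_range(dport, r.dport):
            return r
    return None


if __name__ == "__main__":
    name, rules = parse_acl(SAMPLE_ACL)
    for flow in [("udp", "10.0.0.5", 137, "10.0.0.255", 137),
                 ("udp", "10.0.0.5", 5000, "224.0.0.251", 5353),
                 ("tcp", "10.0.0.5", 5000, "224.0.0.251", 80)]:
        r = first_match(rules, *flow)
        print(name, flow, "->", r.action, r.precedence, r.description)
```

The last flow in the usage block shows the ordering effect: TCP towards a multicast address is permitted by the precedence-10 rule before the precedence-21 multicast deny is ever consulted, so the denies in this list only govern UDP and other non-TCP traffic.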
6.1.62 sessions
show commands
Displays CLI sessions initiated on a device
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show sessions all {on <DEVICE-NAME>}
Parameters
show sessions all {on <DEVICE-NAME>}
sessions                      Displays CLI sessions initiated on a device
  all                         Displays all sessions including internal CLI sessions on a specified device
  on <DEVICE-NAME>            Optional. This is a recurring keyword and is common to the all parameter.
    <DEVICE-NAME>             Specify the name of the AP, wireless controller, or service platform.
Example
nx9500-6C8809#show sessions
INDEX  COOKIE  NAME    START TIME           FROM            ROLE
1      2       snmp    2017-06-02 14:31:23  127.0.0.1       superuser
2      3       snmp2   2017-06-02 14:31:23  127.0.0.1       superuser
3      18      admin   2017-06-06 10:38:36  192.168.13.17   superuser
nx9500-6C8809#
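The show sessions table above is the quickest place to see who holds a superuser session on a controller and from where; the loopback rows are the device's own internal sessions (snmp here) and the remaining rows are interactive logins. The following Python script is an added example, not part of the CLI reference, that parses the table and flags sessions whose source address is neither loopback nor inside an allowed management network. The sample rows are constructed in the shape of the output above, and the allowed network passed in the usage is an assumption for the example.

```python
import ipaddress
import re

# Constructed sample in the shape of the 'show sessions' output above; the
# extra fourth row and its addresses are illustrative, not from a live device.
SAMPLE_SESSIONS = """\
INDEX  COOKIE  NAME    START TIME           FROM            ROLE
1      2       snmp    2017-06-02 14:31:23  127.0.0.1       superuser
2      3       snmp2   2017-06-02 14:31:23  127.0.0.1       superuser
3      18      admin   2017-06-06 10:38:36  192.168.13.17   superuser
4      21      helpdesk 2017-06-06 11:02:10 203.0.113.9     monitor
"""

# One table row: index, cookie, name, 'YYYY-MM-DD HH:MM:SS', source, role.
ROW_RE = re.compile(
    r"^\s*(?P<index>\d+)\s+(?P<cookie>\d+)\s+(?P<name>\S+)\s+"
    r"(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?P<src>\S+)\s+(?P<role>\S+)\s*$"
)


def parse_sessions(text):
    """Parse the tabular 'show sessions' output into a list of dicts;
    the header line and prompt lines do not match ROW_RE and are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            row["index"] = int(row["index"])
            row["cookie"] = int(row["cookie"])
            rows.append(row)
    return rows


def unexpected_sessions(sessions, allowed_networks):
    """Return sessions whose source is neither loopback (the device's own
    internal sessions) nor inside one of the allowed management networks
    (a list of CIDR strings)."""
    allowed = [ipaddress.ip_network(n) for n in allowed_networks]
    flagged = []
    for s in sessions:
        src = ipaddress.ip_address(s["src"])
        if src.is_loopback or any(src in net for net in allowed):
            continue
        flagged.append(s)
    return flagged


def superuser_sources(sessions):
    """Set of non-loopback source addresses currently holding a superuser session."""
    return {s["src"] for s in sessions
            if s["role"] == "superuser"
            and not ipaddress.ip_address(s["src"]).is_loopback}


if __name__ == "__main__":
    rows = parse_sessions(SAMPLE_SESSIONS)
    # Assumed management network for the example.
    for s in unexpected_sessions(rows, ["192.168.13.0/24"]):
        print("unexpected session:", s["index"], s["name"], s["src"], s["role"], s["start"])
    print("superuser sources:", sorted(superuser_sources(rows)))
```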
6.1.63 site-config-diff
show commands
Displays the difference between the site configuration available on the NOC and the configuration at a site.
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first and the site controllers constitute the second tier of the hierarchy. The site controllers may or may not be grouped to form clusters. The site controllers in turn adopt and manage access points that form the third tier of the hierarchy.
NOC controllers possess default site configuration details. Overrides applied at the site level result in a mismatch between the configuration at the site and the default site configuration available on the NOC controller. Use this command to view this difference.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show site-config-diff <SITE-NAME>
Parameters
show site-config-diff <SITE-NAME>
site-config-diff <SITE-NAME>  Displays the configuration difference for the specified site
  <SITE-NAME>                 Specify the site name.
Example
nx9500-6C874D#show site-config-diff 5C-0E-8B-18-06-F4
---- Config diff for switch 5C-0E-8B-18-06-F4 ----
rfs6000 5C-0E-8B-18-06-F4
 interface pppoe1
  no shutdown
nx9500-6C874D#
6.1.64 smart-rf
show commands
Displays Self-Monitoring At Run Time (Smart RF) statistical history to assess adjustments made to device configurations to compensate for detected coverage holes or device failures
When invoked by an administrator, Smart RF instructs access point radios to change to a specific channel and begin beaconing using the maximum available transmit power. Within a well-planned deployment, any RF Domain member access point radio should be reachable by at least one other radio. Smart RF records signals received from its neighbors as well as signals from external, un-managed radios. AP-to-AP distance is recorded in terms of signal attenuation. The information from external radios is used during channel assignment to minimize interference.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show smart-rf [ap|channel-distribution|history|history-timeline|interfering-ap|
interfering-neighbors|radio]
show smart-rf ap {<MAC>|<DEVICE-NAME>|activity|energy|neighbors|on <DOMAIN-NAME>}
show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}
show smart-rf ap {activity|energy|neighbors} [<MAC>|<DEVICE-NAME>] {(on <DOMAIN-
NAME>)}
show smart-rf [channel-distribution|history|history-timeline] {on <DOMAIN-NAME>}
show smart-rf radio {<MAC>|activity|all-11an|all-11bgn|channel|energy|neighbors|
on <DOMAIN-NAME>}
show smart-rf radio {<MAC>|all-11an|all-11bgn|energy <MAC>} {on <DOMAIN-NAME>}
show smart-rf radio {activity|neighbors} {<MAC>|all-11an|all-11bgn} {on <DOMAIN-
NAME>}
show smart-rf interfering-ap {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
show smart-rf interfering-neighbors {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>|
threshold <50-100>}
Parameters
show smart-rf ap {<MAC>|<DEVICE-NAME>} {on <DOMAIN-NAME>}
smart-rf                      Displays Smart RF related information
ap                            Displays access point related Smart RF information
  <MAC>                       Optional. Uses MAC addresses to identify access points. Displays all access points, if no MAC address is specified.
  <DEVICE-NAME>               Optional. Uses an administrator defined name to identify an access point
  on <DOMAIN-NAME>            Optional. Displays access point details on a specified RF Domain
    <DOMAIN-NAME>             Specify the domain name.
show smart-rf ap {activity|energy|neighbors} [<MAC>|<DEVICE-NAME>] {(on <DOMAIN-NAME>)}
smart-rf                      Displays Smart RF related information
ap                            Displays AP related Smart RF information
  activity                    Optional. Displays Smart RF activity related information. Use this option to view the following:
                              Time-period: Lists the frequency Smart RF activity is trended for the RF Domain. Trending periods include the current hour, last 24 hours, or the last seven days. Comparing Smart RF adjustments versus the last seven days enables an administrator to assess whether periods of interference and poor performance were relegated to just specific periods.
                              Power changes: Displays the number of Smart RF initiated power level changes needed for RF Domain member devices during each of the three trending periods. Determine whether power compensations were relegated to known device outages or if compensations were consistent over the course of a day or week.
                              Channel changes: Lists the number of Smart RF initiated channel changes needed for RF Domain member devices during each of the three trending periods. Determine if channel adjustments were relegated to known device count increases or decreases over the course of a day or week.
                              Coverage changes: Displays the number of Smart RF initiated coverage changes needed for RF Domain member devices during each of the three trending periods. Determine if coverage changes were relegated to known device failures or known periods of interference over the course of a day or week.
  energy                      Optional. Displays AP energy for a specified AP or all APs. Use this option to view an RF Domain member access point's operating channels, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing access points.
  neighbors                   Optional. Displays AP neighbors. Use this option to view attributes of neighbor radio resources available for Smart RF radio compensations for other RF Domain member device radios.
The following keywords are common to all of the above parameters:
  <MAC>                       Displays all of the above mentioned information for a specified AP, identified by its MAC address. Specify the AP's MAC address.
  <DEVICE-NAME>               Displays all of the above mentioned information for a specified AP, identified by its hostname. Specify the AP's hostname.
  on <DOMAIN-NAME>            Optional. Displays access point details on a specified RF Domain
    <DOMAIN-NAME>             Specify the domain name.
show smart-rf [channel-distribution|history|history-timeline] {on <DOMAIN-NAME>}
smart-rf                      Displays Smart RF related information
channel-distribution          Displays Smart RF channel distribution information. This provides an overview of how RF Domain member devices are utilizing different channels to optimally support connected devices and avoid congestion and interference with neighboring devices. Assess whether the channel spectrum is being effectively utilized and whether channel changes are warranted to improve RF Domain member device performance.
history                       Displays Smart RF calibration history. Use this option to view description and types of Smart RF events impacting RF Domain member devices.
history-timeline              Displays extended Smart RF calibration history on an hourly or daily timeline. Use this option to view the time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain.
The following keyword is common to all of the above parameters:
on <DOMAIN-NAME>              Optional. Displays Smart RF configuration, based on the parameters passed, on a specified RF Domain
  <DOMAIN-NAME>               Specify the RF Domain name.
show smart-rf radio {<MAC>|all-11an|all-11bgn|energy <MAC>} {on <DOMAIN-NAME>}
smart-rf                      Displays Smart RF related information
radio                         Displays radio related commands
  <MAC>                       Optional. Displays details of a specified radio. Specify the radio's MAC address in the AA-BB-CC-DD-EE-FF format.
  all-11an                    Optional. Displays all 11a radios currently in the configuration
  all-11bgn                   Optional. Displays all 11bg radios currently in the configuration
  energy {<MAC>}              Optional. Displays radio energy. Use this option to view an RF Domain member access point radio's operating channel, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios.
    <MAC>                     Optional. Specify the radio's MAC address in the AA-BB-CC-DD-EE-FF format.
The following keyword is common to all of the above parameters:
on <DOMAIN-NAME>              Optional. Displays radio details on a specified RF Domain
  <DOMAIN-NAME>               Specify the RF Domain name.
show smart-rf radio {activity|neighbors} {<MAC>|all-11an|all-11bgn} {on <DOMAIN-NAME>}
smart-rf                      Displays Smart RF related information
radio                         Displays Smart RF radio related commands
  activity                    Optional. Displays changes related to radio power, number of radio channels, or coverage holes. Use additional filters to view specific details.
    <MAC>                     Optional. Displays radio activity for a specified radio. Specify the radio's MAC address.
    all-11an                  Optional. Displays radio activity of all 11a radios in the configuration
    all-11bgn                 Optional. Displays radio activity of all 11bg radios in the configuration
  on <DOMAIN-NAME>            Optional. Displays radio activity of all radios within a specified RF Domain
    <DOMAIN-NAME>             Specify the RF Domain name.
show smart-rf interfering-ap {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>}
smart-rf                      Displays Smart RF related information
interfering-ap                Displays interfering access points (requiring potential isolation) information
  <MAC>                       Optional. Displays information of a specified interfering access point. Specify the access point's MAC address. Note: Considers all APs if this parameter is omitted
  <DEVICE-NAME>               Optional. Displays interfering access point information on a specified device. Specify the device name. Note: Considers all APs if this parameter is omitted
  on <DOMAIN-NAME>            Optional. Displays all interfering access point information within a specified RF Domain
    <DOMAIN-NAME>             Specify the RF Domain name.
show smart-rf interfering-neighbors {<MAC>|<DEVICE-NAME>|on <DOMAIN-NAME>|threshold <50-100>}
smart-rf                      Displays Smart RF related information
interfering-neighbors         Displays interfering neighboring access point information
  <MAC>                       Optional. Displays interfering neighboring access point information for a specified access point. Specify the access point's MAC address. Considers all APs if this parameter is omitted
  <DEVICE-NAME>               Optional. Displays all interfering neighboring access point information on a specified device. Specify the device name. Considers all APs if this parameter is omitted
  threshold <50-100>          Optional. Specifies the maximum attenuation threshold of interfering neighbors.
    <50-100>                  Specify a value from 50 - 100 dB. Attenuation is a measure of the reduction of signal strength during transmission. Attenuation is the opposite of amplification, and is normal when a signal is sent from one point to another. If the signal attenuates too much, it becomes unintelligible. Attenuation is measured in decibels.
  on <DOMAIN-NAME>            Optional. Displays radio activity of all radios within a specified RF Domain
    <DOMAIN-NAME>             Specify the RF Domain name.
Example
rfs6000-81742D(config)#show smart-rf calibration-status
No calibration currently in progress
rfs6000-81742D(config)#
rfs6000-81742D(config)#show smart-rf history
---------------------------------------------------------------------------------------
TIME                     EVENT                    DESCRIPTION
---------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------
Total number of history entries displayed: 0
rfs6000-81742D(config)#
6.1.65 spanning-tree
show commands
Displays spanning tree utilization information
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
show spanning-tree mst {configuration|detail|instance|on <DEVICE-NAME>}
show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}
show spanning-tree mst {detail} {interface|on}
show spanning-tree mst {detail} interface {<INTERFACE-NAME>|ge <1-4>|me1|port-
channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
show spanning-tree mst {instance <1-15>} {interface <INTERFACE-NAME>} {(on
<DEVICE-NAME>)}
Parameters
show spanning-tree mst {configuration} {(on <DEVICE-NAME>)}
spanning-tree                 Displays spanning tree utilization information
mst                           Displays Multiple Spanning Tree (MST) related information
  configuration               Optional. Displays MST configuration
  on <DEVICE-NAME>            Optional. Displays MST configuration on a specified device
    <DEVICE-NAME>             Specify the name of the AP or wireless controller. Note: If the on keyword is used without any of the other options, the system displays a summary of spanning tree utilization information on the specified device.
show spanning-tree mst {detail} interface {<INTERFACE-NAME>|ge <1-4>|me1|port-
channel <1-2>|pppoe1|vlan <1-4094>|wwan1} {(on <DEVICE-NAME>)}
spanning-tree                 Displays spanning tree information
mst                           Displays MST configuration
  detail                      Optional. Displays detailed MST configuration, based on the parameters passed
  interface                   Displays detailed MST configuration for a specified interface
    <INTERFACE>               Displays detailed MST configuration for a specified interface. Specify the interface name.
    ge <1-4>                  Displays GigabitEthernet interface MST configuration
      <1-4>                   Select the GigabitEthernet interface index from 1 - 4.
    me1                       Displays FastEthernet interface MST configuration
    port-channel <1-2>        Displays port channel interface MST configuration
      <1-2>                   Select the port channel interface index from 1 - 2.
    pppoe1                    Displays PPP over Ethernet interface MST configuration
    vlan <1-4094>             Displays VLAN interface MST configuration
      <1-4094>                Select the SVI VLAN ID from 1 - 4094.
    wwan1                     Displays Wireless WAN interface MST configuration
The following keyword is common to all interfaces:
  on <DEVICE-NAME>            Optional. Displays detailed MST configuration on a specified device
    <DEVICE-NAME>             Specify the name of the AP, wireless controller, or service platform.
show spanning-tree mst {instance <1-15>} {interface <INTERFACE-NAME>} {(on <DEVICE-NAME>)}
spanning-tree                 Displays spanning tree information
mst                           Displays MST configuration. Use additional filters to view specific details.
  instance <1-15>             Optional. Displays information for a particular MST instance
    <1-15>                    Specify the instance ID from 1 - 15.
  interface <INTERFACE-NAME>  Optional. Displays MST configuration for a specific interface instance.
    <INTERFACE-NAME>          Displays MST configuration for a specified interface. Specify the interface name.
  on <DEVICE-NAME>            Optional. Displays MST configuration on a specified device
    <DEVICE-NAME>             Specify the name of the AP, wireless controller, or service platform.
Example
rfs6000-81742D#show spanning-tree mst configuration
%%
% MSTP Configuration Information for bridge 1 :
%%------------------------------------------------------
% Format Id : 0
% Name : My Name
% Revision Level : 0
% Digest : 0xac36177f50283cd4b83821d8ab26de62
%%------------------------------------------------------
rfs6000-81742D#
rfs6000-81742D#show spanning-tree mst detail interface ge 1
% Bridge up - Spanning Tree Disabled
% CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 32768
% Forward Delay 15 - Hello Time 2 - Max Age 20 - Max hops 20
% 1: CIST Root Id 800000157081742e
% 1: CIST Reg Root Id 800000157081742e
% 1: CIST Bridge Id 800000157081742e
% portfast bpdu-filter disabled
% portfast bpdu-guard disabled
% portfast portfast errdisable timeout disabled
% portfast errdisable timeout interval 300 sec
% cisco interoperability not configured - Current cisco interoperability off
% ge1: Port 2001 - Id 87d1 - Role Disabled - State Forwarding
% ge1: Designated External Path Cost 0 - Internal Path Cost 0
%
--More--
rfs6000-81742D#
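The detail output above carries the facts an auditor checks after a wiring change: whether spanning tree is running at all, whether this bridge is its own CIST root and at what priority, and whether forwarding ports have BPDU guard. The following script is an added example written for this page, not code from the guide or from Extreme Networks; it parses the ge 1 output shown above (embedded as a constructed sample), decodes the 16-hex-digit bridge ID into priority and MAC, and reports the conditions a reviewer would raise. The finding texts are the editor's reading of standard 802.1D behaviour, not WiNG documentation.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the 'show spanning-tree mst detail interface ge 1' output
# shown above, copied verbatim. Only ge1 appears because the page's listing
# stops at --More--.
SAMPLE_MST_DETAIL = """\
% Bridge up - Spanning Tree Disabled
% CIST Root Path Cost 0 - CIST Root Port 0 - CIST Bridge Priority 32768
% Forward Delay 15 - Hello Time 2 - Max Age 20 - Max hops 20
% 1: CIST Root Id 800000157081742e
% 1: CIST Reg Root Id 800000157081742e
% 1: CIST Bridge Id 800000157081742e
% portfast bpdu-filter disabled
% portfast bpdu-guard disabled
% portfast portfast errdisable timeout disabled
% portfast errdisable timeout interval 300 sec
% cisco interoperability not configured - Current cisco interoperability off
% ge1: Port 2001 - Id 87d1 - Role Disabled - State Forwarding
% ge1: Designated External Path Cost 0 - Internal Path Cost 0
"""

PORT_RE = re.compile(r"^(\S+): Port (\d+) - Id (\w+) - Role (\w+) - State (\w+)$")


@dataclass
class MstReport:
    stp_enabled: bool = False
    root_id: str = ""
    bridge_id: str = ""
    bpdu_guard: str = "unknown"
    bpdu_filter: str = "unknown"
    ports: dict[str, dict[str, str]] = field(default_factory=dict)


def decode_bridge_id(bridge_id: str) -> tuple[int, str]:
    """Split a 16-hex-digit 802.1D bridge ID into (priority, MAC address)."""
    raw = int(bridge_id, 16)
    priority = raw >> 48                       # top 16 bits
    mac = raw & ((1 << 48) - 1)                # low 48 bits
    mac_str = "-".join(f"{(mac >> (8 * i)) & 0xFF:02X}" for i in reversed(range(6)))
    return priority, mac_str


def parse_mst_detail(text: str) -> MstReport:
    """Parse the '%'-prefixed lines of 'show spanning-tree mst detail'."""
    report = MstReport()
    for raw_line in text.splitlines():
        line = raw_line.lstrip("% ").strip()
        if m := re.search(r"Spanning Tree (Enabled|Disabled)", line):
            report.stp_enabled = m.group(1) == "Enabled"
        elif m := re.search(r"\bCIST Root Id ([0-9a-fA-F]{16})", line):
            report.root_id = m.group(1).lower()
        elif m := re.search(r"\bCIST Bridge Id ([0-9a-fA-F]{16})", line):
            report.bridge_id = m.group(1).lower()
        elif m := re.search(r"portfast bpdu-guard (enabled|disabled)", line):
            report.bpdu_guard = m.group(1)
        elif m := re.search(r"portfast bpdu-filter (enabled|disabled)", line):
            report.bpdu_filter = m.group(1)
        elif m := PORT_RE.match(line):
            name, port, port_id, role, state = m.groups()
            report.ports[name] = {"port": port, "id": port_id, "role": role, "state": state}
    return report


def audit(report: MstReport) -> list[str]:
    """Findings a reviewer would raise against this bridge and its ports."""
    findings: list[str] = []
    if not report.stp_enabled:
        findings.append("spanning tree is disabled on the bridge: BPDUs are not processed "
                        "and a wired loop on any port is not detected")
    if report.stp_enabled and report.root_id == report.bridge_id:
        priority, mac = decode_bridge_id(report.bridge_id)
        if priority >= 32768:
            findings.append(f"bridge {mac} is CIST root at default priority {priority}: "
                            "a neighbour advertising a lower bridge ID wins root election")
    if report.bpdu_filter == "enabled":
        findings.append("bpdu-filter is enabled: BPDUs are dropped on portfast ports, "
                        "so a switch plugged into an edge port is never seen")
    for name, port in report.ports.items():
        if port["state"] == "Forwarding" and report.bpdu_guard != "enabled":
            findings.append(f"{name}: forwarding with bpdu-guard {report.bpdu_guard}; "
                            "a rogue switch attached here will not be err-disabled")
    return findings


if __name__ == "__main__":
    rep = parse_mst_detail(SAMPLE_MST_DETAIL)
    print("STP enabled:", rep.stp_enabled, "| root:", decode_bridge_id(rep.root_id))
    for finding in audit(rep):
        print("FINDING:", finding)
```

Run against a full listing (everything after the --More-- prompt, or the output of `show spanning-tree mst detail` for each interface) the port loop reports every forwarding port, not just ge1.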
6.1.66 startup-config
show commands

Displays the complete startup configuration script

Note: The startup configuration includes credential material, such as the password-encryption-key line in the example below. Treat captured output as sensitive and redact it before sharing.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show startup-config {include-factory}

Parameters
show startup-config {include-factory}

startup-config         Displays the startup configuration script
include-factory        Optional. Includes factory defaults in the output

Example
nx9500-6C8809#show startup-config
!
! Configuration of NX9500 version 5.9.1.0-017D
!
!
version 2.5
!
password-encryption-version 1.0
inline-password-encryption
password-encryption-key secret 2 2cd258b63fa0e16a753394d779cbc5a20000002065d2c29edf373ed42131fa410426d5cb8b0296ffea49331cb72e122e421acc9c
!
client-identity-group default load default-fingerprints
!
client-identity-group test2 load default-fingerprints
!
alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
!
alias network $NetworkAlias 192.168.13.0/24
!
--More--
nx9500-6C8809#
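Startup configurations get pasted into tickets and chat, so a practitioner wants a pass that finds and strips credential values before the export leaves the box. The script below is an added example written for this page, not code from the guide or from Extreme Networks. It takes the `<keyword> <level> <value>` shape that the `password-encryption-key secret 2 <hex>` line above exhibits and generalises it: the keyword list (secret, password, psk), the reading of level 0 as cleartext, and the `wlan guest` / `wpa-wpa2 psk 0 ...` lines appended to the constructed sample are assumptions about WiNG syntax and must be checked against your own exports.

```python
from __future__ import annotations

import re

# Constructed sample, modelled on the 'show startup-config' excerpt above. The
# wlan/psk lines at the end are an ASSUMED WiNG form added to show a cleartext
# credential; they are not from the page.
SAMPLE_STARTUP_CONFIG = """\
!
! Configuration of NX9500 version 5.9.1.0-017D
!
version 2.5
!
password-encryption-version 1.0
inline-password-encryption
password-encryption-key secret 2 2cd258b63fa0e16a753394d779cbc5a20000002065d2c29edf373ed42131fa410426d5cb8b0296ffea49331cb72e122e421acc9c
!
client-identity-group default load default-fingerprints
!
alias network $NetworkAlias 192.168.13.0/24
!
wlan guest
 wpa-wpa2 psk 0 CorpGuest2017
!
"""

# '<keyword> <level> <value>' is the shape the page shows for
# 'password-encryption-key secret 2 <hex>'. The keyword list and the reading of
# level 0 as cleartext are ASSUMPTIONS; verify them against your own exports.
# The leading \b keeps 'password-encryption-version 1.0' from matching, since
# the keyword there is followed by '-' rather than whitespace.
SECRET_RE = re.compile(r"\b(?P<kw>secret|password|psk)\s+(?P<level>\d)\s+(?P<val>\S+)")
CLEARTEXT_LEVEL = "0"
REDACTED = "<REDACTED>"


def find_secrets(config: str) -> list[dict]:
    """One record per credential-bearing line: line number, keyword, encoding
    level, whether the value is cleartext, and the line's leading config word."""
    found = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = SECRET_RE.search(line)
        if m:
            found.append({
                "line": lineno,
                "keyword": m.group("kw"),
                "level": m.group("level"),
                "plaintext": m.group("level") == CLEARTEXT_LEVEL,
                "context": line.strip().split()[0],
            })
    return found


def redact(config: str) -> str:
    """Replace every credential value with a placeholder, leaving the rest of
    each line intact so the redacted config still diffs cleanly."""
    return "\n".join(
        SECRET_RE.sub(lambda m: f"{m.group('kw')} {m.group('level')} {REDACTED}", line)
        for line in config.splitlines()
    ) + "\n"


if __name__ == "__main__":
    for rec in find_secrets(SAMPLE_STARTUP_CONFIG):
        flag = "CLEARTEXT" if rec["plaintext"] else "encrypted"
        print(f"line {rec['line']}: {rec['context']} ({rec['keyword']} level {rec['level']}, {flag})")
    print(redact(SAMPLE_STARTUP_CONFIG))
```

Feed it the saved output of `show startup-config` (or `show running-config`); any record with `plaintext` set is the one to fix on the device, not just in the export.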
6.1.67 t5
show commands

Displays adopted T5 controller statistics

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX9500, NX9510, NX9600, VX9000

NOTE: This command is applicable only on WiNG controllers with adopted and managed T5 controllers.

Syntax
show t5 [boot|clock|cpe|interface|mac|system|temperature|uptime|version|wireless] {on <T5-DEVICE-NAME>}
show t5 [boot|clock|system|temperature|uptime|version] {on <T5-DEVICE-NAME>}
show t5 cpe [address|boot|ether port status|led|reset|system|uptime|version] {on <T5-DEVICE-NAME>}
show t5 interface [dsl|fe|ge|radio]
show t5 interface [dsl|fe|ge] [counter|description|errors|status|utilization] {on <T5-DEVICE-NAME>}
show t5 interface dsl custom [avg|dses|dsses|peak|uses|usses] {on <T5-DEVICE-NAME>}
show t5 interface radio [stats|status|wlan-map] {on <T5-DEVICE-NAME>}
show t5 mac table [filter name [dsl <1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>] {on <T5-DEVICE-NAME>}]
show t5 wireless [client|wlan]
show t5 wireless client {filter name [association-status|authentication-status|bss|mac-address|retry-percentage|rssi-value]} {on <T5-DEVICE-NAME>}
show t5 wireless wlan counters [qos|rate|size] {on <T5-DEVICE-NAME>}

Parameters

show t5 [boot|clock|system|temperature|uptime|version] {on <T5-DEVICE-NAME>}

t5                     Displays adopted T5 controller statistics
boot                   Displays the T5 device's boot details. Use this option to view the primary and secondary image files available for booting.
clock                  Displays the T5 controller's system time, as reported by the controller itself or by its remote NTP time resource
system                 Displays the T5 controller's system information, which includes its hostname, MAC address, RF Domain, system clock and uptime
temperature            Displays the T5 controller's current temperature
uptime                 Displays the T5 controller's uptime (the time it has been actively deployed and operational)
version                Displays the T5 controller's primary and secondary firmware images
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

show t5 cpe [address|boot|ether port status|led|reset|system|uptime|version] {on <T5-DEVICE-NAME>}

t5                     Displays adopted T5 controller statistics
cpe                    Displays the T5 controller managed Customer Premises Equipment (CPE) statistics, based on the parameters passed. Use this command to verify each CPE's address credentials and whether it is currently disconnected or ready to support a radio coverage area. The options are:
  address              Displays each linked CPE's current IP address, used as its network identifier
  boot                 Displays the primary and secondary firmware versions available to each CPE, along with the status of the most recent upgrade operation
  ether port status    Displays Ethernet port status
  led                  Displays whether the CPEs currently have their LEDs enabled or disabled. In places like hospitals, it is not uncommon for access points to be operational with their LEDs off, so as not to disturb patients.
  reset                Displays the number of times a CPE has been reset
  system               Displays device hardware and SKU information for each CPE. Use this information to assess whether a controller is managing the correct CPE devices out of the total number of CPEs available.
  uptime               Displays the time each CPE device has been actively deployed and operational
  version              Displays the application and boot versions used by the CPE devices
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

show t5 interface [dsl|fe|ge] [counter|description|errors|status|utilization] {on <T5-DEVICE-NAME>}

t5                     Displays adopted T5 controller statistics
interface [dsl|fe|ge|radio]
                       Displays T5 interface-related statistics, based on the interface selected. The options are:
  dsl                  Displays Digital Subscriber Line (DSL) interface related information
  fe                   Displays Fast Ethernet (FE) interface related information
  ge                   Displays Gigabit Ethernet (GE) interface related information
[counter|description|errors|status|utilization]
                       The system displays the following information for the DSL, GE and FE ports:
  counter              Displays the following:
                       - Number of octets (bytes) received and transmitted on this port
                       - Number of data packets received and transmitted on this port
                       - Number of flow control (layer 2) packets received and transmitted on this port
  description          Displays the following:
                       - The selected port's name
                       - The numeric index assignable to each port
                       - The 64 character maximum, unique, administrator-assigned description of each port
  errors               Displays the following DSL interface related errors:
                       - The name of the DSL used by each T5 controller connected CPE device
                       - The number of FECs detected in the downstream direction. Forward Error Correction (FEC), or channel coding, is used for controlling errors over unreliable or noisy communication channels.
                       - The number of CPE DSL coding violations (badly coded packets) detected in the downstream direction
                       - The number of FECs detected in the upstream direction
                       - The number of CPE DSL coding violations (badly coded packets) detected in the upstream direction
  status               Displays the following:
                       - The selected port's name
                       - Whether the port is currently up or down as a T5 controller transmit and receive resource
                       - The port's current speed in MB
                       - Whether pause packet utilization is currently off or on for the selected port
                       - Whether each listed port is enabled or disabled by the administrator
  utilization          Displays the following:
                       - The selected port's name
                       - The port's receive and transmit data rates (in Kbps)
                       - The port's receive and transmit packet rates (in packets per second)
                       - Each port's receive and transmit utilization as a percentage of the total bandwidth available
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

show t5 interface dsl custom [avg|dses|dsses|peak|uses|usses] {on <T5-DEVICE-NAME>}

t5                     Displays adopted T5 controller statistics
interface dsl          Selects a T5 controller's DSL interface. A T5 controller runs its own operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in the T5's management within a WiNG supported subnet populated by both types of devices. The CPEs are the radio devices managed by the T5 controller. These CPEs use a DSL as their high speed Internet access mechanism, through the CPE's physical wallplate connection and phone jack.
custom [avg|dses|dsses|peak|uses|usses]
                       Displays the following custom CPE DSL data:
  avg                  Each DSL's average response time in microseconds
  dses                 The number of seconds downstream DSL transmissions were negatively impacted by code violations
  dsses                The number of seconds downstream DSL transmissions were severely negatively impacted by code violations
  peak                 Each DSL's maximum (best to date since the screen was refreshed) response time in microseconds
  uses                 The number of seconds upstream DSL transmissions were negatively impacted by code violations
  usses                The number of seconds upstream DSL transmissions were severely negatively impacted by code violations
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

show t5 interface radio [stats|status|wlan-map] {on <T5-DEVICE-NAME>}

t5                     Displays adopted T5 controller statistics
interface radio [stats|status|wlan-map]
                       Displays the following radio interface related information:
  stats                Displays T5 radio interface statistics. Use this option to view the following for each CPE radio:
                       name        The administrator assigned name of each listed CPE radio, used as its unique identifier
                       Rx (Kbps)   The listed CPE radio's receive data rate (in Kbps). Use this information to assess RF activity versus other T5 managed CPE radios in the same radio coverage area.
                       Rx Octets   The number of octets (bytes) received with no errors by the listed T5 controller managed CPE radio
                       Rx Packets  The number of data packets received by the listed T5 managed CPE radio since this screen was last refreshed
                       Tx (Kbps)   The listed CPE radio's transmit data rate (in Kbps). Use this information to assess RF activity versus other T5 managed CPE radios in the same radio coverage area.
                       Tx Octets   The number of octets (bytes) transmitted with no errors by the listed T5 controller managed CPE radio
                       Tx Packets  The number of data packets transmitted by the listed T5 managed CPE radio since this screen was last refreshed
  status               Displays T5 radio interface status information:
                       name                The administrator assigned name of each listed CPE radio, used as its unique identifier
                       Operational status  The radio interface's operational status (enabled/disabled)
                       mac                 The T5 radio interface's MAC address
                       transmit power      The T5 radio interface's transmit power
                       Channel             The T5 radio interface's channel of operation
  wlan-map             Displays WLAN map membership data for T5 controller managed CPE radio devices:
                       name                The administrator assigned name of each listed CPE radio, used as its unique identifier
                       status              Whether a CPE radio is currently enabled or disabled as a radio resource for the WLAN(s) it has been mapped to
                       wlan-radio-mapping  The managed WLAN(s) each listed radio has been mapped to
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

show t5 mac table [filter name [dsl <1-24>|ge <1-2>|vlan <1-4094>|wlan <1-24>] {on <T5-DEVICE-NAME>}]

t5                     Displays adopted T5 controller statistics
mac table              Displays the T5 MAC address table. The T5 MAC table is a dynamic list of MAC addresses learned by the T5 controller over its Ethernet interfaces. Use this information to identify devices and the interfaces on which they can be found. Use the following additional filters to filter on the basis of a DSL, GE, VLAN or WLAN interface:
  dsl <1-24>           Filters information on the basis of the selected DSL port
  ge <1-2>             Filters information on the basis of the selected GE port
  vlan <1-4094>        Filters information on the basis of the selected VLAN
  wlan <1-24>          Filters information on the basis of the selected CPE
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

show t5 wireless client {filter name [association-status|authentication-status|bss|mac-address|retry-percentage|rssi-value]} {on <T5-DEVICE-NAME>}

t5                     Displays adopted T5 controller statistics
wireless client        Displays the T5 wireless client related statistics: read-only device information for wireless clients associated with the selected T5 controller and its connected CPE device radios. Use this information to assess if configuration changes are required to improve client performance. Use the additional filters to view specific client-related information. The options are:
                       association-status, authentication-status, bss, mac-address, retry-percentage, rssi-value
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

show t5 wireless wlan counters [qos|rate|size] {on <T5-DEVICE-NAME>}

t5                     Displays adopted T5 controller statistics
wireless wlan counters [qos|rate|size]
                       Displays the following T5 controller WLAN traffic counter statistics:
  qos                  T5 controller WLAN QoS utilization. Displays the number of background (low priority) and best-effort packets received and transmitted on each listed T5 controller managed WLAN.
  rate                 Displays the T5 controller's WLAN data rate statistics: the number of data packets received and transmitted in the WLAN that have been relegated to a 1 Mbps data rate, and the number of data packets received and transmitted by T5 controller connected devices at 54 Mbps
  size                 Displays the number of data packets received and transmitted, in each listed WLAN, greater than 1024 bytes
on <T5-DEVICE-NAME>    Optional. Executes the command on a specified T5 device
  <T5-DEVICE-NAME>     Specify the T5 device's hostname. An error message is displayed if no T5 device name is specified.

Example
The following examples are for show commands executed on the t5-ED7C6C controller adopted by the nx9500-6C8809 wireless controller:

nx9500-6C8809(config)#show t5 boot on t5-ED7C6C
Primary Version: 5.4.2.0-010R
Secondary Version: 5.4.2.0-006B
Next Boot: Primary
Upgrade Status: none
Upgrade Progress %: 0
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 version on t5-ED7C6C
Bootloader Version: 5.4.2.0-010R
Application Version: 5.4.2.0-010R
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 system on t5-ED7C6C
Serial Number 14213522400004
SKU TS-0524-WR
Hardware Rev 5
Mac Address B4-C7-99-ED-7C-6C
Description 24-port PowerBroadband VDSL2 Switch
Version 5.4.2.0-010R
Contact NULL
Name t5-ED7C6C
Location NULL
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 clock on t5-ED7C6C
Time 6-6-2017 17:14:30 UTC
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 interface ge counter on t5-ED7C6C
-----------------------------------------------------------------------------------------------------------------------
INTERFACE  RECEIVE OCTETS  RECEIVE PACKETS  RECEIVE PAUSE PKTS  TRANSMIT OCTETS  TRANSMIT PACKETS  TRANSMIT PAUSE PKTS
-----------------------------------------------------------------------------------------------------------------------
ge1        711128918       89636040         0                   2558110037       133720283         0
ge2        2515775064      133311355        0                   3422167586       78735853          0
-----------------------------------------------------------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 uptime on t5-ED7C6C
Up Time 0 days 1 day, 3:19:43
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 temperature on t5-ED7C6C
============ Temperature ============
--------------------------------------------------------------------
INDEX  CURRENT (C)  FANS @ FULL SPEED (C)  FANS @ VARIABLE SPEED (C)
--------------------------------------------------------------------
1      39           70                     60
--------------------------------------------------------------------
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 cpe address on t5-ED7C6C
--------------------------------------------------------------------------------
DEVICE  STATUS        IP ADDRESS     MAC ADDRESS
--------------------------------------------------------------------------------
cpe1    ready         192.168.13.32  00-C0-23-69-80-CD
cpe2    ready         192.168.13.33  74-6F-F7-40-16-62
cpe3    disconnected  0.0.0.0        00-00-00-00-00-00
cpe4    disconnected  0.0.0.0        00-00-00-00-00-00
cpe5    disconnected  0.0.0.0        00-00-00-00-00-00
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 cpe led on t5-ED7C6C
---------------------------------------------------------------------------------------
DEVICE  LED STATUS
-----------------------------------------------------------------------------------
cpe1    enable
cpe2    enable
cpe3    enable
cpe4    enable
cpe5    enable
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show t5 mac table filter name vlan 1 on t5-ED7C6C
---------------------------------------------------------------------------------------
T5-MAC             VLAN  ADDRESS            INTERFACE  VENDOR
---------------------------------------------------------------------------------------
B4-C7-99-ED-7C-6C  1     00-02-B3-28-D1-55  ge1        Intel Corp
B4-C7-99-ED-7C-6C  1     00-1E-67-4B-BF-BD  ge1        Intel Corp
B4-C7-99-ED-7C-6C  1     00-23-68-11-E6-C4  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-23-68-88-0D-A7  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-23-68-99-BB-7C  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-A0-F8-68-D5-70  ge1        Extreme Tech
B4-C7-99-ED-7C-6C  1     00-C0-23-69-80-CD  dsl1       00-C0-23
B4-C7-99-ED-7C-6C  1     1C-7E-E5-18-FA-67  ge1        D-Link Corp
B4-C7-99-ED-7C-6C  1     3C-CE-73-F4-47-83  ge1        Cisco Systems
B4-C7-99-ED-7C-6C  1     74-6F-F7-40-16-62  dsl2       Wistron Corp
--More--
nx9500-6C8809(config)#
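The `show t5 cpe address` and `show t5 mac table` outputs above describe the same devices from two sides: the CPE table says which MAC is registered on each CPE, and the MAC table says on which interface the T5 actually learned each MAC. Cross-checking them catches a MAC that moves between interfaces and a device on a DSL port that is not the registered CPE. The script below is an added example written for this page, not code from the guide or from Extreme Networks. The first ten MAC-table rows and the five CPE rows are copied from the output above; the last two MAC-table rows are constructed anomalies. It assumes that dsl<N> carries cpe<N>, which is what the sample shows (dsl1 = cpe1, dsl2 = cpe2) but which the guide does not state.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed samples: the cpe address rows and the first ten MAC-table rows
# are copied from the 'show t5 ...' output above. The last two MAC-table rows
# are ADDED anomalies: a MAC on dsl1 that is not the registered cpe1, and
# cpe2's MAC also learned on ge1.
SAMPLE_CPE_ADDRESS = """\
--------------------------------------------------------------------------------
DEVICE STATUS IP ADDRESS MAC ADDRESS
--------------------------------------------------------------------------------
cpe1 ready 192.168.13.32 00-C0-23-69-80-CD
cpe2 ready 192.168.13.33 74-6F-F7-40-16-62
cpe3 disconnected 0.0.0.0 00-00-00-00-00-00
cpe4 disconnected 0.0.0.0 00-00-00-00-00-00
cpe5 disconnected 0.0.0.0 00-00-00-00-00-00
"""

SAMPLE_MAC_TABLE = """\
--------------------------------------------------------------------------------
T5-MAC VLAN ADDRESS INTERFACE VENDOR
--------------------------------------------------------------------------------
B4-C7-99-ED-7C-6C 1 00-02-B3-28-D1-55 ge1 Intel Corp
B4-C7-99-ED-7C-6C 1 00-1E-67-4B-BF-BD ge1 Intel Corp
B4-C7-99-ED-7C-6C 1 00-23-68-11-E6-C4 ge1 Extreme Tech
B4-C7-99-ED-7C-6C 1 00-23-68-88-0D-A7 ge1 Extreme Tech
B4-C7-99-ED-7C-6C 1 00-23-68-99-BB-7C ge1 Extreme Tech
B4-C7-99-ED-7C-6C 1 00-A0-F8-68-D5-70 ge1 Extreme Tech
B4-C7-99-ED-7C-6C 1 00-C0-23-69-80-CD dsl1 00-C0-23
B4-C7-99-ED-7C-6C 1 1C-7E-E5-18-FA-67 ge1 D-Link Corp
B4-C7-99-ED-7C-6C 1 3C-CE-73-F4-47-83 ge1 Cisco Systems
B4-C7-99-ED-7C-6C 1 74-6F-F7-40-16-62 dsl2 Wistron Corp
B4-C7-99-ED-7C-6C 1 DE-AD-BE-EF-00-01 dsl1 DE-AD-BE
B4-C7-99-ED-7C-6C 1 74-6F-F7-40-16-62 ge1 Wistron Corp
"""

MAC = r"[0-9A-F]{2}(?:-[0-9A-F]{2}){5}"
CPE_RE = re.compile(rf"^(cpe\d+)\s+(\w+)\s+(\S+)\s+({MAC})$")
MAC_ROW_RE = re.compile(rf"^({MAC})\s+(\d+)\s+({MAC})\s+(\S+)\s+(.*)$")


def parse_cpe_address(text: str) -> dict[str, dict[str, str]]:
    """Rows of 'show t5 cpe address' keyed by CPE name; headers and rules are skipped."""
    cpes = {}
    for line in text.splitlines():
        m = CPE_RE.match(line.strip())
        if m:
            name, status, ip, mac = m.groups()
            cpes[name] = {"status": status, "ip": ip, "mac": mac}
    return cpes


def parse_mac_table(text: str) -> list[dict[str, str]]:
    """Rows of 'show t5 mac table' as dicts; the vendor column may contain spaces."""
    rows = []
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line.strip())
        if m:
            t5_mac, vlan, addr, iface, vendor = m.groups()
            rows.append({"t5": t5_mac, "vlan": vlan, "mac": addr,
                         "iface": iface, "vendor": vendor.strip()})
    return rows


def audit(cpes: dict, rows: list[dict]) -> list[str]:
    findings = []
    # 1. A MAC learned on more than one interface: a moved device, a loop, or spoofing.
    seen = defaultdict(set)
    for r in rows:
        seen[r["mac"]].add(r["iface"])
    for mac, ifaces in sorted(seen.items()):
        if len(ifaces) > 1:
            findings.append(f"{mac} learned on multiple interfaces: {', '.join(sorted(ifaces))}")
    # 2. ASSUMPTION: dsl<N> carries cpe<N>, as the sample shows. Any other MAC on
    #    a DSL port is a device that is not the registered CPE.
    for r in rows:
        if r["iface"].startswith("dsl"):
            cpe = cpes.get("cpe" + r["iface"][3:])
            expected = cpe["mac"] if cpe else None
            if r["mac"] != expected:
                findings.append(f"{r['mac']} on {r['iface']} is not the registered CPE MAC ({expected})")
    # 3. A CPE reported ready whose MAC the T5 has not learned at all.
    learned = {r["mac"] for r in rows}
    for name, cpe in sorted(cpes.items()):
        if cpe["status"] == "ready" and cpe["mac"] not in learned:
            findings.append(f"{name} is ready but {cpe['mac']} is absent from the MAC table")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_cpe_address(SAMPLE_CPE_ADDRESS), parse_mac_table(SAMPLE_MAC_TABLE)):
        print("FINDING:", finding)
```

Because the MAC table is dynamic, run the check on a fresh capture and on the unfiltered table (the example above is filtered to VLAN 1), otherwise an address learned in another VLAN shows up as absent.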
6.1.68 terminal
show commands

Displays terminal configuration parameters

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show terminal

Parameters
None

Example
rfs6000-81742D(config)#show terminal
Terminal Type: xterm
Length: 24 Width: 200
rfs6000-81742D(config)#

6.1.69 timezone
show commands

Displays a device's timezone

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show timezone

Parameters
None

Example
rfs6000-81742D(config)#show timezone
Timezone is America/Los_Angeles
rfs6000-81742D(config)#
6.1.70 traffic-shape
show commands

Displays traffic-shaping related configuration details and statistics

Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. It controls traffic leaving an interface so that its flow matches the speed of the remote target's interface and conforms to the applied policies. Traffic can be shaped to meet downstream requirements and to eliminate network congestion when data rates are in conflict. Traffic shaping can be applied to specific applications or to application categories. When application and ACL rules conflict, ACL rules take precedence for the traffic shaping class. Within traffic shaping, a rule for a specific application takes precedence over a rule for its application category.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530

Syntax
show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-NAME>}

Parameters
show traffic-shape [priority-map|statistics {class <1-4>}|status] {on <DEVICE-NAME>}

traffic-shape          Displays traffic-shaping related configuration details and statistics
priority-map           Displays the traffic shaper queue priority map. There are 8 queues (0 - 7), and traffic is queued in each based on the incoming packet's 802.1p marking.
statistics {class <1-4>}
                       Displays traffic-shaping related statistics for all traffic shaper classes or for a selected class
  class <1-4>          Optional. Specify the traffic class from 1 - 4. The system displays traffic shaping statistics for the selected class. If no class is specified, the system displays statistics for all classes.
status                 Displays the controller or service platform's traffic shaping status (whether running or not)
on <DEVICE-NAME>       Optional. Displays traffic-shaping related configuration details and statistics on a specified device
  <DEVICE-NAME>        Specify the name of the AP, wireless controller, or service platform.

Example
ap7532-DEB9B0#show traffic-shape priority-map
----------------------------------------
DOT1P-PRIORITY    TX-SHAPER-PRIORITY
----------------------------------------
0                 2
1                 0
2                 1
3                 3
4                 4
5                 5
6                 6
7                 7
----------------------------------------
ap7532-DEB9B0#

ap7532-DEB9B0#show traffic-shape status
State of Traffic shaper: running
ap7532-DEB9B0#

ap7532-DEB9B0#show traffic-shape statistics
Traffic shaper class : 1
Class 1 is not configured:
Traffic shaper class : 3
Class 3 is not configured:
Traffic shaper class : 2
Rate: 1500 Kbps
---------------------------------------------------------------------------------------
PRIORITY  PKTS-SENT   PKTS-DELAYED  PKTS-DROPPED  CURRENT-QUEUE-LEN  CURRENT-LATENCY(IN USECS)
---------------------------------------------------------------------------------------
1         0           0             0             0                  0
0         0           0             0             0                  0
3         0           0             0             0                  0
2         152153035   151924251     1508343       11                 33447
5         0           0             0             0                  0
4         0           0             0             0                  0
7         0           0             0             0                  0
6         0           0             0             0                  0
---------------------------------------------------------------------------------------
Traffic shaper class : 4
Class 4 is not configured:
ap7532-DEB9B0#
6.1.71 upgrade-status
show commands

Displays the last image upgrade status

NOTE: This command is not available in the USER EXEC Mode.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show upgrade-status {detail|on}
show upgrade-status {detail} {(on <DEVICE-NAME>)}

Parameters
show upgrade-status {detail} {(on <DEVICE-NAME>)}

upgrade-status         Displays the last image upgrade status and log
detail                 Optional. Displays the last image upgrade status in detail
The following keyword is recursive and common to the detail parameter:
on <DEVICE-NAME>       Optional. Displays the last image upgrade status on a specified device
  <DEVICE-NAME>        Specify the name of the AP, wireless controller, or service platform.
                       Note: If the on keyword is used without the detail keyword, the system displays a summary of the upgrade status and log on the specified device.

Example
nx9500-6C8809#show upgrade-status
Last Image Upgrade Status :In_Progress(17 percent completed)
Last Image Upgrade Time : 2017-02-11 12:26:29
nx9500-6C8809#

nx9500-6C8809#show upgrade-status detail
Last Image Upgrade Status : Successful
Last Image Upgrade Time : 2017-06-02 14:22:51
-----------------------------------------------
Running from partition /dev/sda8
var2 is 1 percent full
/tmp is 4 percent full
Free Memory 33357504 kB
FWU invoked via Linux shell
Validating image file header
Removing other partition
Tue May 30 10:43:36 IST 2017
debug: cmdline -C /boot/lilo.conf -R 5.9.0.0-028B -P fix
LILO version 22.6-CCB, Copyright (C) 1992-1998 Werner Almesberger
--More--
nx9500-6C8809#
6.1.72 version
show commands

Displays a device's software and hardware version

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show version {on <DEVICE-NAME>}

Parameters
show version {on <DEVICE-NAME>}

version                Displays software and hardware versions on all devices or on a specified device
on <DEVICE-NAME>       Optional. Displays software and hardware versions on a specified device
  <DEVICE-NAME>        Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C8809#show version
NX9500 version 5.9.0.0-029R
Copyright (c) 2004-2017 Extreme Networks, Inc. All rights reserved.
Booted from primary
nx9500-6C8809 uptime is 3 days, 20 hours 49 minutes
CPU is Intel(R) Xeon(R) CPU E5645 @ 2.40GHz, No. of CPUs 24
Base ethernet MAC address is B4-C7-99-6C-88-09
System serial number is B4C7996C8809
Model number is NX-9500-100R0-WR
nx9500-6C8809#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 156 SHOW COMMANDS

6.1.73 vrrp show commands
Displays the following Virtual Router Redundancy Protocol (VRRP) related statistics: configuration errors, and router redundancy information in brief and in detail. VRRP configuration errors include mismatched authentication credentials, invalid packet checksums, invalid packet types, invalid virtual router IDs, TTL errors, packet length errors and non-matching VRRP versions.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show vrrp [brief|details|error-stats|stats]
show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}
show vrrp error-stats {on <DEVICE-NAME>}

Parameters
show vrrp [brief|details|stats] {<1-255>} {(on <DEVICE-NAME>)}
  vrrp                 Displays VRRP related statistics in brief or in detail, depending on the option selected
  brief                Displays virtual router information in brief
  details              Displays virtual router information in detail
  stats                Displays virtual router statistics
  <1-255>              Optional. Common to brief, details and stats. Displays information for a specified virtual router. Specify the router's ID from 1 - 255.
  on <DEVICE-NAME>     Optional. Common to the <1-255> parameter. Displays the specified router's information on a specified device
                       <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show vrrp error-stats {on <DEVICE-NAME>}
  vrrp                 Displays VRRP related statistics
  error-stats          Displays global error statistics
  on <DEVICE-NAME>     Optional. Displays global error statistics on a specified device
                       <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

Example
rfs6000-81742D(config)#show vrrp error-stats
Last protocol error reason: none
IP TTL errors: 0
Version mismatch: 0
Packet Length error: 0
Checksum error: 0
Invalid virtual router id: 0
Authentication mismatch: 0
Invalid packet type: 0
rfs6000-81742D(config)#

rfs6000-81742D(config)#show vrrp details
VRRP Group 1:
  version 2
  interface none
  configured priority 1
  advertisement interval 1 sec
  preempt enable, preempt-delay 0
  virtual mac address 00-00-5E-00-01-01
  sync group disable
rfs6000-81742D(config)#
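The error counters above correspond one-to-one with the receive-side validation that RFC 3768 prescribes for a VRRPv2 advertisement. The following Python is an added example, not WiNG code: it builds VRRPv2 advertisements, runs those checks in RFC order on each received packet, and tallies the results in the layout of show vrrp error-stats. It assumes that "Invalid virtual router id" means a VRID not configured on the receiving device, that authentication is compared as a simple-text type/password pair, and that the sample packets, local VRID and password are constructed here for the demonstration.

```python
"""Classify received VRRPv2 advertisements into the error buckets that
`show vrrp error-stats` reports. Added example; not WiNG code."""
import struct

VRRP_VERSION = 2            # RFC 3768
TYPE_ADVERTISEMENT = 1      # the only packet type defined for VRRPv2
VRRP_TTL = 255              # advertisements must arrive with IP TTL 255
HEADER_LEN, AUTH_LEN = 8, 8
ERROR_LABELS = ("IP TTL errors", "Version mismatch", "Packet Length error",
                "Checksum error", "Invalid virtual router id",
                "Authentication mismatch", "Invalid packet type")


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, addrs, auth_type=0, auth_data=b"",
                        adver_int=1, version=VRRP_VERSION,
                        ptype=TYPE_ADVERTISEMENT) -> bytes:
    """Construct a VRRPv2 advertisement (constructed test input only)."""
    hdr = struct.pack("!BBBBBBH", (version << 4) | ptype, vrid, priority,
                      len(addrs), auth_type, adver_int, 0)
    body = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    pkt = hdr + body + auth_data.ljust(AUTH_LEN, b"\x00")[:AUTH_LEN]
    return pkt[:6] + struct.pack("!H", internet_checksum(pkt)) + pkt[8:]


def classify(ttl: int, pkt: bytes, local_vrid: int, local_auth: tuple) -> str:
    """Return the error-stats label this packet would increment, or 'none'.

    Checks follow the receive-side order of RFC 3768 section 7.1, so the
    first failing test is the one counted. 'Invalid virtual router id' is
    taken (assumption) to mean a VRID not configured on this device."""
    if ttl != VRRP_TTL:
        return "IP TTL errors"
    if len(pkt) < HEADER_LEN:
        return "Packet Length error"
    version, ptype = pkt[0] >> 4, pkt[0] & 0x0F
    if version != VRRP_VERSION:
        return "Version mismatch"
    if ptype != TYPE_ADVERTISEMENT:
        return "Invalid packet type"
    vrid, count, auth_type = pkt[1], pkt[3], pkt[4]
    if len(pkt) != HEADER_LEN + 4 * count + AUTH_LEN:
        return "Packet Length error"
    if internet_checksum(pkt) != 0:      # a valid message sums to zero
        return "Checksum error"
    if not 1 <= vrid <= 255 or vrid != local_vrid:
        return "Invalid virtual router id"
    if (auth_type, pkt[-AUTH_LEN:].rstrip(b"\x00")) != local_auth:
        return "Authentication mismatch"
    return "none"


def error_stats(observed, local_vrid, local_auth):
    """Tally classify() results in the layout of `show vrrp error-stats`."""
    stats = {label: 0 for label in ERROR_LABELS}
    last = "none"
    for ttl, pkt in observed:
        label = classify(ttl, pkt, local_vrid, local_auth)
        if label != "none":
            stats[label] += 1
            last = label
    return last, stats


# Constructed sample: one good advertisement and one of each fault class
LOCAL_VRID, LOCAL_AUTH = 1, (1, b"secret")
GOOD = build_advertisement(1, 100, ["10.0.0.1"], 1, b"secret")
SAMPLE = [
    (255, GOOD),
    (64, GOOD),                                            # TTL rewritten in transit
    (255, build_advertisement(1, 100, ["10.0.0.1"], 1, b"secret", version=3)),
    (255, build_advertisement(1, 100, ["10.0.0.1"], 1, b"secret", ptype=2)),
    (255, GOOD[:-3]),                                      # truncated on the wire
    (255, GOOD[:6] + bytes([GOOD[6] ^ 0x55]) + GOOD[7:]),  # corrupted checksum
    (255, build_advertisement(7, 100, ["10.0.0.1"], 1, b"secret")),
    (255, build_advertisement(1, 100, ["10.0.0.1"], 1, b"wrong")),
]

if __name__ == "__main__":
    last, stats = error_stats(SAMPLE, LOCAL_VRID, LOCAL_AUTH)
    print("Last protocol error reason:", last)
    for label in ERROR_LABELS:
        print(f"{label}: {stats[label]}")
```

Because the checks short-circuit in order, a packet with several faults only ever increments one counter, which is why a rising "IP TTL errors" count on a controller is worth chasing before anything else: a TTL below 255 usually means a router sits between the VRRP peers, and every other check is skipped for those packets.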
6.1.74 web-filter show commands
Displays Web filtering related information.

Use this command to view information on Web requests for content and whether the requests were blocked or approved based on the URL filter settings defined for the selected controller or service platform. A URL filter is comprised of several filter rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. A blacklist allows all sites except the categories and URL lists defined in the blacklist.

Supported in the following platforms:
Access Points: AP6522, AP6532, AP7161, AP7502, AP7522, AP7532, AP7562, AP8132
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show web-filter [category|category-type|config|filter-level [basic|high|low|medium|medium-high]|statistics {on <DEVICE-NAME>}|status {on <DEVICE-NAME>}]

Parameters
show web-filter [category|category-type|config|filter-level [basic|high|low|medium|medium-high]|statistics {on <DEVICE-NAME>}|status {on <DEVICE-NAME>}]
  web-filter           Displays existing and configured Web filter details
  category             Displays the Web filter categories. A category is a pre-defined URL list available in the WiNG software.
  category-type        Displays the Web filter category types. This is a pre-configured list of categories and sub-categories into which commonly accessed URLs have been classified.
  config               Displays all existing Web filters and their configuration details
  filter-level [basic|high|low|medium|medium-high]
                       Displays the category types for the selected filter level. Each filter level is pre-configured to use a set of category types. You cannot change the categories in the category types used by these pre-configured filter-level settings, nor can you add, modify, or remove the category types mapped to a filter-level setting. The options are:
                       basic        Displays all category types configured for the basic filter level
                       high         Displays all category types configured for the high filter level
                       low          Displays all category types configured for the low filter level
                       medium       Displays all category types configured for the medium filter level
                       medium-high  Displays all category types configured for the medium-high filter level
  statistics {on <DEVICE-NAME>}
                       Displays Web filter statistics on a specified device
                       on <DEVICE-NAME> Optional. Specifies the device name
                       <DEVICE-NAME> Specify the name of the AP, controller, or service platform.
                       Note: Web filtering is a licensed feature; the system can display Web filtering statistics only when Web filtering is enforced.
  status {on <DEVICE-NAME>}
                       Displays Web filter status on a specified device
                       on <DEVICE-NAME> Optional. Specifies the device name
                       <DEVICE-NAME> Specify the name of the AP, controller, or service platform.
                       Note: Web filtering is a licensed feature; the system can display Web filtering status only when Web filtering is enforced.

Example
nx9500-6C8809(config)#show web-filter category
advertisement-popups  Sites that provide advertising graphics or other ad content files such as banners and pop-ups.
alcohol-tobacco       Sites that promote or sell alcohol- or tobacco-related products or services.
anonymizers           Sites and proxies that act as an intermediary for surfing to other websites in an anonymous fashion, whether to circumvent web filtering or for other reasons.
arts                  Sites with artistic content or relating to artistic institutions such as theaters, museums, galleries, dance companies, photography, and digital graphic resources.
botnets               Sites that use bots (zombies) including command-and-control sites.
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show web-filter config
URL filters configured for this device are:
WebFilter_ShoppingSites
  Blacklisted categories: shopping,
  Whitelisted categories: <AllowedShopping>,
nx9500-6C8809(config)#
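The WebFilter_ShoppingSites example above blacklists a whole category while whitelisting a custom URL list, which only works if the two rule types are evaluated in a defined order. The following Python is an added example, not WiNG code: it evaluates a URL filter built from blacklist and whitelist rules against requested URLs and tallies approved and blocked requests as show web-filter statistics does. The category database, the stand-in host for the <AllowedShopping> list, the sample requests and the precedence (whitelist before blacklist, explicit URL list before category, blacklist-style default allow unless the filter is marked whitelist-only) are all assumptions made here.

```python
"""Evaluate a URL filter made of blacklist and whitelist rules and count
approved/blocked requests. Added example, not WiNG code; the category
database and the precedence rules are assumptions."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed stand-in for the built-in category list (`show web-filter
# category`): host suffix -> category name.
CATEGORY_DB = {
    "shop.example.com": "shopping",
    "deals.example.net": "shopping",
    "proxy.example.org": "anonymizers",
    "news.example.com": "news",
}


def host_of(url: str) -> str:
    """Normalise the host part of a URL (what the rules match on)."""
    host = urlsplit(url if "://" in url else "http://" + url).hostname or ""
    return host.lower().rstrip(".")


def in_url_list(host: str, entries) -> bool:
    """True if host equals an entry or is a subdomain of one."""
    return any(host == e or host.endswith("." + e) for e in entries)


def categorize(host: str):
    """Most specific suffix match in CATEGORY_DB, or None if unclassified."""
    labels = host.split(".")
    for i in range(len(labels)):
        cat = CATEGORY_DB.get(".".join(labels[i:]))
        if cat:
            return cat
    return None


@dataclass
class UrlFilter:
    name: str
    blacklist_categories: set = field(default_factory=set)
    blacklist_urls: set = field(default_factory=set)     # explicit hosts
    whitelist_categories: set = field(default_factory=set)
    whitelist_urls: set = field(default_factory=set)     # e.g. <AllowedShopping>
    default_allow: bool = True   # False models a whitelist-only filter

    def evaluate(self, url: str):
        """Return (action, reason). Assumed precedence: whitelist entries win
        over blacklist entries, explicit URL lists win over categories."""
        host = host_of(url)
        cat = categorize(host)
        if in_url_list(host, self.whitelist_urls):
            return "approved", f"whitelist url-list: {host}"
        if cat in self.whitelist_categories:
            return "approved", f"whitelist category: {cat}"
        if in_url_list(host, self.blacklist_urls):
            return "blocked", f"blacklist url-list: {host}"
        if cat in self.blacklist_categories:
            return "blocked", f"blacklist category: {cat}"
        if self.default_allow:
            return "approved", "no rule matched (blacklist default)"
        return "blocked", "no rule matched (whitelist default)"

    def statistics(self, urls):
        """Approved/blocked totals, as `show web-filter statistics` reports."""
        stats = {"approved": 0, "blocked": 0}
        for url in urls:
            stats[self.evaluate(url)[0]] += 1
        return stats


# Mirrors the `show web-filter config` example: shopping is blacklisted while
# the <AllowedShopping> URL list (stand-in host: shop.example.com) is whitelisted.
SHOPPING_FILTER = UrlFilter(
    name="WebFilter_ShoppingSites",
    blacklist_categories={"shopping"},
    whitelist_urls={"shop.example.com"},
)

REQUESTS = [   # constructed sample traffic
    "https://shop.example.com/cart",
    "https://www.shop.example.com/",
    "http://deals.example.net/today",
    "http://NOTSHOP.example.com/",
    "https://news.example.com/",
]

if __name__ == "__main__":
    for url in REQUESTS:
        print(url, *SHOPPING_FILTER.evaluate(url))
    print(SHOPPING_FILTER.statistics(REQUESTS))
```

Two details matter in practice: URL-list matching is done on label boundaries, so notshop.example.com does not inherit the shop.example.com exemption; and the category lookup walks from the most specific suffix outward, so a.b.deals.example.net is still classified as shopping and blocked.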
6.1.75 what show commands
Displays details of a specified search phrase (performs a global search)

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
show what [contain|is] <WORD> {on <DEVICE-OR-DOMAIN-NAME>}
  contain <WORD>               Searches all items that contain the specified word
                               <WORD> Specify a word to search for (for example, a MAC address, hostname, etc.).
  is <WORD>                    Searches for an exact match
                               <WORD> Specify a word to search for (for example, a MAC address, hostname, etc.).
  on <DEVICE-OR-DOMAIN-NAME>   Optional. Performs the global search on a specified device or RF Domain
                               <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

Example
rfs4000-229D58#show what contain default
--------------------------------------------------------------------------------------------------------------------------------------------------------
NO.  CATEGORY           MATCHED NAME/VALUE                   OTHER KEY INFO (1) NAME/VALUE  OTHER KEY INFO (2) NAME/VALUE  OTHER KEY INFO (3) NAME/VALUE
--------------------------------------------------------------------------------------------------------------------------------------------------------
1    device-cfg         https-trustpoint default-trustpoint  type rfs4000                   mac 00-23-68-22-9D-58          rf_domain_name default
2    firewall_policy    __obj_name__ default                 name default
3    management_policy  __obj_name__ default                 name default                   https True                     idle_session_timeout 30
     qos_policy         name  control_vlan  beacon_format
--More--
rfs4000-229D58#
6.1.76 wireless show commands
Displays wireless configuration parameters

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show wireless [ap|bridge|client|coverage-hole-incidents|meshpoint|mint|mobility-database|radio|regulatory|rf-domain|sensor-server|unsanctioned|wips|wlan]
show wireless ap {configured|detail|load-balancing|on <DEVICE-NAME>}
show wireless ap {configured}
show wireless ap {detail} {<MAC/HOST-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless ap {load-balancing} {client-capability|events|neighbors} {(on <DEVICE-NAME>)}
show wireless bridge {candidate-ap|certificate|config|hosts|on|statistics}
show wireless bridge {candidate-ap} {<MAC/HOSTNAME> {<1-3>}} {(filter radio-mac <RADIO-MAC>)} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless bridge {certificate} status {on <DEVICE-NAME>}
show wireless bridge {config}
show wireless bridge {hosts} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless bridge {statistics} {rf|traffic} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {association-history|detail|filter|include-ipv6|on <DEVICE-OR-DOMAIN-NAME>|statistics|tspec}
show wireless client {association-history <MAC>} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {filter [ip|on|state|wlan]}
show wireless client {filter} {ip [<IP>|not <IP>]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {state [data-ready|not [data-ready|roaming]|roaming]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {filter} {wlan [<WLAN-NAME>|not <WLAN-NAME>]} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless client {include-ipv6} {detail|on|filter}
show wireless client {include-ipv6} {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {include-ipv6} {filter {ip|ipv6|state|wlan}}
show wireless client {statistics} {detail|on|rf|window-data}
show wireless client {statistics} {detail <MAC>|rf|window-data <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless client {tspec <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless coverage-hole-incidents [detail|on|summary]
show wireless coverage-hole-incidents {detail} {filter [ap <MAC/HOSTNAME>|client-mac <MAC>]|summary} {(on <DOMAIN-NAME>)}
show wireless meshpoint {config|detail|multicast|neighbor|on|path|proxy|root|security|statistics|tree|usage-mappings}
show wireless meshpoint {config} {filter [device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>]}
show wireless meshpoint {detail} {<MESHPOINT-NAME>}
show wireless meshpoint {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {multicast|path|proxy|root|security|statistics} [<MESHPOINT-NAME>|detail] {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {neighbor} [<MESHPOINT-NAME>|detail|statistics {rf}] {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {tree} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless meshpoint {usage-mappings}
show wireless mobility-database {on <DEVICE-NAME>}
show wireless mint [client|detail|links|portal]
show wireless mint [client|detail] {portal-candidates {<DEVICE-NAME>|filter <RADIO-MAC>}|statistics} (on <DEVICE-OR-DOMAIN-NAME>)
show wireless mint links {on <DEVICE-OR-DOMAIN-NAME>}
show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}
show wireless radio {detail|on <DEVICE-OR-DOMAIN-NAME>|statistics|tspec|wlan-map}
show wireless radio {detail} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>}
show wireless radio {detail} {<DEVICE-NAME> {<1-3>|filter|on}}
show wireless radio {detail} {filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless radio {statistics} {detail|on|rf|window-data}
show wireless radio {statistics} {on <DEVICE-OR-DOMAIN-NAME>|rf {on <DEVICE-OR-DOMAIN-NAME>}}
show wireless radio {statistics} {detail|window-data} {<DEVICE-NAME>} {<1-3>|filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless radio {tspec} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>|option}
show wireless radio {wlan-map} {on <DEVICE-OR-DOMAIN-NAME>}
show wireless regulatory [channel-info <WORD>|country-code <WORD>|device-type]
show wireless regulatory device-type [ap6521|ap6522|ap6532|ap6562|ap7131|ap7161|ap7181|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap8132|ap8163|ap82xx|ap8432|ap8533|rfs4000] <WORD>
show wireless rf-domain statistics {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless sensor-server {on <DEVICE-OR-DOMAIN-NAME>}
show wireless unsanctioned aps {detail|statistics} {(on <DEVICE-OR-DOMAIN-NAME>)}
show wireless wips [client-blacklist|event-history] {on <DEVICE-OR-DOMAIN-NAME>}
show wireless wlan {config|detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-mappings|statistics|usage-mappings}
show wireless wlan {detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-mappings|usage-mappings}
show wireless wlan {config filter {device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>}}
show wireless wlan statistics {<WLAN>|detail|traffic} {on <DEVICE-OR-DOMAIN-NAME>}
Parameters
show wireless ap {configured}
  wireless             Displays wireless configuration parameters
  ap                   Displays managed access point information
  configured           Optional. Displays configured AP information, such as name, MAC address, profile, RF Domain, and adoption status

show wireless ap {detail} {<MAC/HOST-NAME>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless             Displays wireless configuration parameters
  ap                   Displays managed access point information
  detail               Optional. Displays detailed information for all APs or a specified AP
                       <MAC/HOST-NAME> Optional. Displays information for a specified AP. Specify the AP's MAC address or hostname.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the detail <MAC/HOST-NAME> parameter. Displays information on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless ap {load-balancing} {client-capability|events|neighbors} {(on <DEVICE-NAME>)}
  wireless             Displays wireless configuration parameters
  ap                   Displays managed access point information
  load-balancing       Optional. Displays load balancing status. Use the additional filters to view specific details.
                       client-capability  Optional. Displays client band capability
                       events             Optional. Displays client events
                       neighbors          Optional. Displays neighboring clients
  on <DEVICE-NAME>     Optional. Common to the client-capability, events, and neighbors parameters. Displays load balancing information, based on the parameters passed, on a specified device
                       <DEVICE-NAME> Specify the name of the AP, wireless controller, or service platform.

show wireless bridge {candidate-ap} {<MAC/HOSTNAME> {<1-3>}} {(filter radio-mac <RADIO-MAC>)} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless             Displays wireless configuration statistics
  bridge candidate-ap  Optional. Displays information about the candidate infrastructure access points as well as the infrastructure access point that the client-bridge radio has selected
                       Note: When enabled, the client-bridge radio scans its defined channels to locate the best candidate access point servicing the infrastructure WLAN.
  <MAC/HOSTNAME>       Optional. Specify the client-bridge access point's hostname or MAC address. Optionally append the radio interface number to identify the client-bridge radio in the form AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX.
  <1-3>                Optional. Radio interface index, if not specified as part of the mesh ID. This parameter is recursive and common to all of the above options.
  filter radio-mac <RADIO-MAC>
                       Optional. Provides an additional filter to identify the radio by its MAC address
                       <RADIO-MAC> Specify the radio's MAC address. This parameter is recursive and common to all of the above options.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Executes the command on a specified device or on the devices within a specified RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the AP, controller, service platform, or RF Domain name.

show wireless bridge {certificate} status {on <DEVICE-NAME>}
  wireless             Displays wireless configuration statistics
  bridge certificate status
                       Optional. Displays all client bridges in the configuration and the status of their PKCS#12 certificates
  on <DEVICE-NAME>     Optional. Executes the command on a specified device
                       <DEVICE-NAME> Specify the AP, controller, or service platform name.

show wireless bridge {config}
  wireless             Displays wireless configuration statistics
  bridge config        Optional. Displays all client bridges in the configuration. The output displays each configured client bridge's hostname, MAC address, profile, RF Domain, SSID, band, encryption, authentication, and EAP username.

show wireless bridge {hosts} {on <DEVICE-OR-DOMAIN-NAME>}
  wireless             Displays wireless configuration statistics
  bridge hosts         Optional. Displays the client bridge host information. The output displays each configured client bridge's host MAC address, bridge MAC address, IPv4 address, bridging status, and activity.
                       Note: The HOST MAC column displays the real MAC addresses of the wired hosts, while the BRIDGE MAC column displays the translated MAC addresses. The BRIDGE MAC column is based on the radio 2 base MAC address and increments by 1 for each wired host connected to the client bridge's Ge1 port.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Executes the command on a specified device or on the devices within a specified RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the AP, controller, service platform, or RF Domain name.

show wireless bridge {statistics} {rf|traffic} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless             Displays wireless configuration statistics
  bridge statistics    Optional. Displays the client-bridge related statistics
                       rf       Optional. Displays the client-bridge related RF statistics. The output displays the signal, noise, SNR, TX/RX rates, retries, and errors.
                       traffic  Optional. Displays the client-bridge related traffic statistics. The output displays TX/RX bytes, TX/RX packets, TX/RX bits/second, and dropped packets.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Executes the command on a specified device or on the devices within a specified RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the AP, controller, service platform, or RF Domain name.

show wireless client {association-history <MAC>} {on <DEVICE-OR-DOMAIN-NAME>}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  association-history <MAC>
                       Optional. Displays the association history for a specified client
                       <MAC> Specify the MAC address of the client.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Displays the association history on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  detail <MAC>         Optional. Displays detailed wireless client information
                       <MAC> Optional. Displays detailed information for a specified wireless client. Specify the MAC address of the client.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the detail <MAC> parameter. Displays detailed information on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {filter} {ip [<IP>|not <IP>]} {on <DEVICE-OR-DOMAIN-NAME>}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  filter ip [<IP>|not <IP>]
                       Optional. Uses IP addresses to filter wireless clients
                       <IP>      Selects clients whose IP address matches the <IP> parameter
                       not <IP>  Inverts the match selection
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the <IP> and not <IP> parameters. Displays the selected wireless client information on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {filter} {state [data-ready|not [data-ready|roaming]|roaming]} {on <DEVICE-OR-DOMAIN-NAME>}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  filter state [data-ready|not [data-ready|roaming]|roaming]
                       Optional. Filters clients based on their state
                       data-ready                Selects wireless clients in the data-ready state
                       not [data-ready|roaming]  Inverts the match selection, selecting the clients that are not in the specified state
                       roaming                   Selects roaming clients
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the data-ready, not, and roaming parameters. Displays the selected client details on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {filter} {wlan [<WLAN-NAME>|not <WLAN-NAME>]} {on <DEVICE-OR-DOMAIN-NAME>}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  filter wlan [<WLAN-NAME>|not <WLAN-NAME>]
                       Optional. Filters clients on a specified WLAN
                       <WLAN-NAME>      Specify the WLAN name.
                       not <WLAN-NAME>  Inverts the match selection
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the <WLAN-NAME> and not <WLAN-NAME> parameters. Filters clients on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {statistics} {detail <MAC>|rf|window-data <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  statistics           Optional. Displays detailed client statistics. Use the additional filters to view specific details.
                       detail <MAC>       Optional. Displays detailed client statistics
                                          <MAC> Optional. Displays detailed statistics for a specified client. Specify the client's MAC address.
                       rf                 Optional. Displays detailed client RF statistics on a specified device or RF Domain
                       window-data <MAC>  Optional. Displays historical data for a specified client
                                          <MAC> Optional. Specify the client's MAC address.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the detail <MAC>, rf, and window-data <MAC> parameters. Displays client statistics, based on the parameters passed, on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {tspec} {<MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  tspec <MAC>          Optional. Displays detailed traffic specification (TSPEC) information for all clients or a specified client
                       <MAC> Optional. Displays detailed TSPEC information for a specified client. Specify the MAC address of the client.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the tspec <MAC> parameter. Displays detailed TSPEC information for wireless clients on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {include-ipv6} {detail <MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless             Displays wireless configuration parameters
  client               Displays client information based on the parameters passed
  include-ipv6         Includes the IPv6 address (if known) of wireless clients
  detail <MAC>         Optional. Displays detailed wireless client information
                       <MAC> Optional. Displays detailed information for a specified wireless client. Specify the MAC address of the client.
  on <DEVICE-OR-DOMAIN-NAME>
                       Optional. Common to the detail <MAC> parameter. Displays detailed information on a specified device or RF Domain
                       <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless client {include-ipv6} {filter {ip|ipv6|state|wlan}}
  wireless             Displays wireless configuration parameters
  client               Displays wireless client information based on the parameters passed
  include-ipv6         Optional. Includes the IPv6 address (if known) of wireless clients. By default the system displays only the IPv4 address of clients; the include-ipv6 parameter adds the known IPv6 address of each client.
  filter               Optional. Defines additional filters. Use one of the following options to filter clients: ip, ipv6, state, and wlan
                       ip [<IPv4>|not <IPv4>]    Optional. Displays wireless client information based on the IPv4 address passed
                                                 <IPv4>      Displays the information of the client identified by the <IPv4> parameter
                                                 not <IPv4>  Inverts the match selection
                       ipv6 [<IPv6>|not <IPv6>]  Optional. Displays wireless client information based on the IPv6 address passed
                                                 <IPv6>      Displays the information of the client identified by the <IPv6> parameter
                                                 not <IPv6>  Inverts the match selection
                       state [data-ready|not [data-ready|roaming]|roaming]
                                                 Optional. Filters wireless client information based on the client's state
                                                 data-ready                Displays the information of wireless clients in the data-ready state
                                                 not [data-ready|roaming]  Inverts the match selection, displaying the clients that are not in the specified state
                                                 roaming                   Displays the information of roaming clients
                       wlan [<WLAN-NAME>|not <WLAN-NAME>]
                                                 Optional. Displays wireless client information based on the WLAN name passed
                                                 <WLAN-NAME>      Specify the WLAN name.
                                                 not <WLAN-NAME>  Inverts the match selection

show wireless coverage-hole-incidents {detail} {filter [ap <MAC/HOSTNAME>|client-mac <MAC>]|summary} {(on <DOMAIN-NAME>)}
wireless coverage-hole-incidents detail filters
[ap <MAC/HOSTNAME>|
client-mac <MAC>]
summary on <DOMAIN-NAME>
Displays wireless configuration parameters. Use this option to view coverage-hole related incidents encountered by wireless clients and reported to associated access points. Displays coverage-hole related statistics Optional. Displays detailed coverage-hole related statistics filters Optional. Displays detailed coverage-hole related statistics on a per access point or wireless-client basis ap <MAC/HOSTNAME> Displays detailed coverage-hole related statistics for a specified access point
<MAC/HOSTNAME> Specify the access points device name or MAC ad-
dress. client-mac <MAC> Displays detailed coverage-hole related statistics encoun-
tered by a specified wireless client
<MAC> Specify the wireless clients MAC address Note: If the command is executed without any parameters being included, the system displays all coverage-hole related statistics. Optional. Displays a summary of coverage-hole related statistics This parameter is recursive and is common to the detail and summary keywords:
on <DOMAIN-NAME> Optional. Displays detailed or summary coverage-hole related statistics on a specified RF Domain
<DOMAIN-NAME> Specify the domain name. Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 169 SHOW COMMANDS show wireless meshpoint {config} {filter [device <DEVICE-NAME>|rf-domain
<DOMAIN-NAME>]}
wireless meshpoint config filters
[device <DEVICE-
NAME>|rf-domain
<DOMAIN-NAME>]
Displays wireless configuration parameters. Use this option to view detailed statistics on each Mesh-capable client available within controllers adopted access points radio coverage area. A mesh network is where one where each node is able to communicate with other nodes and maintain more then one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes. Displays meshpoint related information Optional. Displays all meshpoint configuration Optional. Provides additional filter options, such as device name and RF Domain name. device <DEVICE-NAME> Displays meshpoints applied to a specified device
<DEVICE-NAME> Specify the device name. rf-domain <DOMAIN-NAME> Displays meshpoints applied to a specified RF Domain
<DOMAIN-NAME> Specify the domain name. show wireless meshpoint {detail} {<MESHPOINT-NAME>}
wireless meshpoint detail
<MESHPOINT-NAME>
Displays wireless configuration parameters Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controllers adopted access points radio coverage area. A mesh network is where one where each node is able to communicate with other nodes and maintain more then one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes. Optional. Displays detailed information for all meshpoints or a specified meshpoint
<MESHPOINT-NAME> Optional. Displays detailed information for a specified meshpoint. Specify the meshpoint name. show wireless meshpoint {multicast|path|proxy|root|security|statistics}
[<MESHPOINT-NAME>|detail] {on <DEVICE-OR-DOMAIN-NAME>}
wireless Displays wireless configuration parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 170 SHOW COMMANDS meshpoint multicast path proxy root security statistics
[<MESHPOINT-NAME>|
detail]
on <DEVICE-OR-
DOMAIN-NAME>
Displays meshpoint related information. Use this option to view detailed statistics on each Mesh-capable client available within controllers adopted access points radio coverage area. A mesh network is where one where each node is able to communicate with other nodes and maintain more then one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another either directly or indirectly through intermediate nodes. Optional. Displays meshpoint multicast information Optional. Displays meshpoint path information Optional. Displays meshpoint proxy information Optional. Displays meshpoint root information Optional. Displays meshpoint security information Optional. Displays meshpoint statistics The following keywords are common to all of the above parameters:
  <MESHPOINT-NAME>
      Displays meshpoint related information for a specified meshpoint. Specify the meshpoint name.
  detail
      Displays detailed multicast information for all meshpoints

  The following keyword is common to all of the above parameters:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays detailed multicast information on a specified device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless meshpoint {neighbor} [<MESHPOINT-NAME>|detail|statistics {rf}] {on <DEVICE-OR-DOMAIN-NAME>}

  wireless
      Displays wireless configuration parameters
  meshpoint
      Displays meshpoint related information. Use this option to view detailed statistics on each mesh-capable client available within the radio coverage area of the controller's adopted access points. A mesh network is one in which each node is able to communicate with other nodes and maintain more than one path to the other mesh nodes within the mesh network. A mesh network provides robust, reliable and redundant connectivity to all the members of the mesh network. When one member of the mesh network becomes unavailable, the other mesh nodes are still able to communicate with one another, either directly or indirectly through intermediate nodes.
  neighbor
      Optional. Displays meshpoint neighbor information, based on the parameters passed. Select one of the following parameters to view neighbor related information:
  <MESHPOINT-NAME>
      Displays detailed multicast information for a specified meshpoint. Specify the meshpoint name.
  detail
      Displays detailed multicast information for all meshpoints
  statistics
      Displays neighbor related statistics
  rf
      Optional. Displays RF related statistics for neighbors

Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 171 SHOW COMMANDS

  The following keyword is common to all of the above parameters:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays meshpoint neighbor information, based on the parameters passed, on a specified device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless meshpoint {tree} {on <DEVICE-OR-DOMAIN-NAME>}
  wireless
      Displays wireless configuration parameters
  meshpoint
      Displays meshpoint related information
      Note: The show > wireless > meshpoint > tree command can be executed only from a wireless controller.
  tree
      Optional. Displays meshpoint network tree
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays meshpoint network tree on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Optional. Specify the name of the AP, wireless controller, service platform, or RF Domain

show wireless meshpoint {usage-mappings|on <DEVICE-OR-DOMAIN-NAME>}

  wireless
      Displays wireless configuration parameters
  meshpoint
      Displays meshpoint related information
  usage-mappings
      Optional. Lists all devices and profiles using the meshpoint
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays the meshpoint applied to a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Optional. Specify the name of the AP, wireless controller, service platform, or RF Domain

show wireless mobility-database {on <DEVICE-NAME>}
  wireless
      Displays wireless configuration parameters
  mobility-database
      Displays controller-assisted mobility database

  The following keyword is recursive and common to the filter <RADIO-MAC> parameter:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays detailed radio operation status for all or a specified radio on a specified device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless mint [client|detail] {portal-candidates {<DEVICE-NAME>|filter <RADIO-MAC>}|statistics} (on <DEVICE-OR-DOMAIN-NAME>)

  wireless
      Displays wireless configuration parameters
  mint
      Displays radio MiNT-mesh related statistics
  client
      Displays MiNT-mesh client related information. Use the client option to view detailed statistics on each mesh-capable client available within the selected access point's radio coverage area.
  detail
      Displays detailed MiNT-mesh related information
  portal-candidates
      Displays detailed information about portal candidates for a MiNT-mesh. Mesh points connected to an external network and forwarding traffic in and out are mesh portals. Mesh points must find paths to a portal to access the Internet. When multiple portals exist, the mesh point must select one. Use the additional filter option to view specific portal candidate details.
  statistics
      This option is common to the client and detail keywords. Displays MiNT-mesh client statistical data
  on <DEVICE-OR-DOMAIN-NAME>
      This option is common to the client and detail keywords. Displays MiNT-mesh client related information on a specific device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the access point, controller, or RF Domain name.

show wireless mint links {on <DEVICE-OR-DOMAIN-NAME>}

  wireless
      Displays wireless configuration parameters
  mint
      Displays radio MiNT-mesh related statistics
  links
      Displays MiNT-mesh links related information. MiNT links are automatically created between controllers and access points during adoption using MLCP (MiNT Link Creation Protocol). They can also be manually created between a controller and an access point, or between access points. MiNT links are manually created between controllers while configuring a cluster. Level 2 (remote) MiNT links are controller-aware links and require an IP network for communication. Level 2 MiNT links at access points are intended for remote adaptive AP deployment and management from a NOC. With Level 2 MiNT links, access points are aware only of the controllers and not of other access points. Level 2 MiNT links also provide partitioning between access points deployed at various remote sites.
  on <DEVICE-OR-DOMAIN-NAME>
      Displays MiNT-mesh links on a specific device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the access point, controller, or RF Domain name.

show wireless mint portal statistics {on <DEVICE-OR-DOMAIN-NAME>}
  wireless
      Displays wireless configuration parameters
  mint
      Displays radio MiNT-mesh related statistics
  portal
      Displays legacy clients on the MiNT-mesh portal
  on <DEVICE-OR-DOMAIN-NAME>
      Displays legacy clients on the MiNT-mesh portal on a specific device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the access point, controller, or RF Domain name.

show wireless radio {detail} {<DEVICE-NAME> {<1-3>|filter|on}}

  wireless
      Displays wireless configuration parameters
  radio
      Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radio's RF Mode displays as:
        2.4GHz-wlan  If it is configured to provide 2.4 GHz WLAN service
        5GHz-wlan    If it is configured to provide 5.0 GHz WLAN service
        bridge       If it is configured to provide client-bridge operation
  detail
      Optional. Displays detailed radio operation status
  <DEVICE-NAME>
      Optional. Displays detailed information for a specified radio. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.
  <1-3>
      Optional. Specify the radio interface index from 1 - 3 (if not specified as part of the radio ID)
  filter
      Optional. Provides additional filters
      <RADIO-MAC> Optional. Filters based on the radio MAC address
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless radio {detail} {filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless
      Displays wireless configuration parameters
  radio
      Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radio's RF Mode displays as:
        2.4GHz-wlan  If it is configured to provide 2.4 GHz WLAN service
        5GHz-wlan    If it is configured to provide 5.0 GHz WLAN service
        bridge       If it is configured to provide client-bridge operation
  detail
      Optional. Displays detailed radio operation status
  filter
      Optional. Provides additional filter options
      <RADIO-MAC> Uses the MAC address to filter radios

  The following keyword is recursive and common to the filter <RADIO-MAC> parameter:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays detailed radio operation status for all or a specified radio on a specified device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless radio {statistics} {on <DEVICE-OR-DOMAIN-NAME>|rf {on <DEVICE-OR-DOMAIN-NAME>}}

  wireless
      Displays wireless configuration parameters
  radio
      Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and SNR. This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radio's RF Mode displays as:
        2.4GHz-wlan  If it is configured to provide 2.4 GHz WLAN service
        5GHz-wlan    If it is configured to provide 5.0 GHz WLAN service
        bridge       If it is configured to provide client-bridge operation
  statistics
      Optional. Displays radio traffic and RF statistics
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays traffic and RF related statistics on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.
  rf {on <DEVICE-OR-DOMAIN-NAME>}
      Optional. Displays RF statistics on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless radio {statistics} {detail|window-data} {<DEVICE-NAME>} {<1-3>|filter <RADIO-MAC>} {(on <DEVICE-OR-DOMAIN-NAME>)}
  wireless
      Displays wireless configuration parameters
  radio
      Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and SNR. This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radio's RF Mode displays as:
        2.4GHz-wlan  If it is configured to provide 2.4 GHz WLAN service
        5GHz-wlan    If it is configured to provide 5.0 GHz WLAN service
        bridge       If it is configured to provide client-bridge operation
  statistics
      Optional. Displays radio traffic and RF statistics. Use additional filters to view specific details. The options are:
  detail
      Displays detailed traffic and RF statistics of all radios
  window-data
      Displays historical data over a time window

  The following keywords are common to the detail and window-data parameters:

  <DEVICE-NAME>
      Optional. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.
  <1-3>
      Optional. Specify the radio interface index from 1 - 3, if not specified as part of the radio ID using the preceding parameter.
  filter
      Optional. Provides additional filters
      <RADIO-MAC> Optional. Filters based on the radio MAC address
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless radio {tspec} {<DEVICE-NAME>|filter|on <DEVICE-OR-DOMAIN-NAME>|option}

  wireless
      Displays wireless configuration parameters
  radio
      Displays radio operation status and other related information. Use this option to view radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR). This data is reported to the managing controller or service platform from connected access point radios and should be refreshed periodically. A radio's RF Mode displays as:
        2.4GHz-wlan  If it is configured to provide 2.4 GHz WLAN service
        5GHz-wlan    If it is configured to provide 5.0 GHz WLAN service
        bridge       If it is configured to provide client-bridge operation
  tspec
      Optional. Displays TSPEC information on a radio
  <DEVICE-NAME>
      Optional. Specify the MAC address or hostname, or append the interface number to form the radio ID in the AA-BB-CC-DD-EE-FF:RX or HOSTNAME:RX format.
  filter
      Optional. Provides additional filters
      <RADIO-MAC> Optional. Filters based on the radio MAC address
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. After specifying the radio MAC address, further refine the search by specifying a device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless regulatory [channel-info <WORD>|country-code <WORD>]
  wireless
      Displays wireless configuration parameters
  regulatory
      Displays wireless regulatory information
  channel-info <WORD>
      Displays channel information
      <WORD> Specify the channel number.
  country-code <WORD>
      Displays country code to country name information
      <WORD> Specify the two letter ISO-3166 country code.

show wireless regulatory device-type [ap6521|ap6522|ap6532|ap6562|ap7131|ap7161|ap7181|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap8132|ap8163|ap82xx|ap8432|ap8533|rfs4000] <WORD>

  wireless
      Displays wireless configuration parameters
  regulatory
      Displays wireless regulatory information
  device-type <DEVICE-TYPE>
      Displays wireless regulatory information based on the device type selected. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8132, AP8163, AP8232, AP8432, AP8533 and RFS4000. After specifying the device type, specify the country code.
      <WORD> Specify the two letter ISO-3166 country code.

show wireless rf-domain statistics {detail} {(on <DEVICE-OR-DOMAIN-NAME>)}

  wireless
      Displays wireless configuration parameters
  rf-domain statistics
      Displays RF Domain statistics
  detail
      Optional. Displays detailed RF Domain statistics

  The following keyword is recursive and common to the detail parameter:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays RF Domain statistics on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless sensor-server {on <DEVICE-OR-DOMAIN-NAME>}
  wireless
      Displays wireless configuration parameters
  sensor-server
      Displays AirDefense sensor server configuration details
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays AirDefense sensor server configuration on a specified device or RF Domain

show wireless unsanctioned aps {detailed|statistics} {(on <DEVICE-OR-DOMAIN-NAME>)}

  wireless
      Displays wireless configuration parameters
  unsanctioned aps
      Displays unauthorized APs. Use additional filters to view specific details.
  detailed
      Optional. Displays detailed unauthorized AP information
  statistics
      Optional. Displays channel statistics

  The following keyword is common to the detailed and statistics parameters:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Specify the name of the AP, wireless controller, service platform, or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless wips [client-blacklist|event-history] {on <DEVICE-OR-DOMAIN-NAME>}

  wireless
      Displays wireless configuration parameters
  wips
      Displays the WIPS details
  client-blacklist
      Displays blacklisted clients
  event-history
      Displays event history

  The following keyword is common to the client-blacklist and event-history parameters:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays the WIPS details on a specified device or RF Domain.
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

show wireless wlan {detail <WLAN>|on <DEVICE-OR-DOMAIN-NAME>|policy-mappings|usage-mappings}
  wireless
      Displays wireless configuration parameters
  wlan
      Displays WLAN related information based on the parameters passed
  detail <WLAN>
      Optional. Displays WLAN configuration
      <WLAN> Specify the WLAN name.
  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays WLAN configuration on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.
  policy-mappings
      Optional. Displays WLAN policy mappings
  usage-mappings
      Optional. Lists all devices and profiles using the WLAN

show wireless wlan {config filter {device <DEVICE-NAME>|rf-domain <DOMAIN-NAME>}}

  wireless
      Displays wireless configuration parameters
  wlan
      Displays WLAN related information based on the parameters passed
  config filter
      Optional. Filters WLAN information based on the device name or RF Domain
  device <DEVICE-NAME>
      Optional. Filters WLAN information based on the device name
      <DEVICE-NAME> Specify the device name.
  rf-domain <DOMAIN-NAME>
      Optional. Filters WLAN information based on the RF Domain
      <DOMAIN-NAME> Specify the RF Domain name.

show wireless wlan {statistics {<WLAN>|detail} {(on <DEVICE-OR-DOMAIN-NAME>)}}

  wireless
      Displays wireless configuration parameters
  wlan
      Displays WLAN related information based on the parameters passed
  statistics
      Optional. Displays WLAN statistics. Use additional filters to view specific details
  <WLAN>
      Optional. Displays WLAN statistics. Specify the WLAN name.
  detail
      Optional. Displays detailed WLAN statistics

  The following keyword is common to the <WLAN> and detail parameters:

  on <DEVICE-OR-DOMAIN-NAME>
      Optional. Displays WLAN statistics on a specified device or RF Domain
      <DEVICE-OR-DOMAIN-NAME> Specify the name of the AP, wireless controller, service platform, or RF Domain.

Usage Guidelines

The customize command enables you to customize the show > wireless command output.

rfs6000-81742D(config)#customize ?
  cdp-lldp-info-column-width                      Customize cdp-lldp-info column width
  hostname-column-width                           Customize hostname column width
  show-adoption-offline                           Customize the output of (show adoption offline) command
  show-adoption-status                            Customize the output of (show adoption status) command
  show-wireless-bridge                            Customize the output of (show wireless bridge) command
  show-wireless-bridge-hosts                      Customize the output of (show wireless bridge hosts) command
  show-wireless-bridge-stats                      Customize the output of (show wireless bridge stats) command
  show-wireless-bridge-stats-rf                   Customize the output of (show wireless bridge stats rf) command
  show-wireless-bridge-stats-traffic              Customize the output of (show wireless bridge stats) command
  show-wireless-client                            Customize the output of (show wireless client) command
  show-wireless-client-stats                      Customize the output of (show wireless client stats) command
  show-wireless-client-stats-rf                   Customize the output of (show wireless client stats rf)
  show-wireless-legacy-mesh-client-stats          Customize the output of (show wireless mint client stats) command
  show-wireless-meshpoint                         Customize the output of (show wireless meshpoint) command
  show-wireless-meshpoint-accelerated-multicast   Customize the output of (show wireless meshpoint accelerated-multicast) command
  show-wireless-meshpoint-neighbor-stats          Customize the output of (show wireless meshpoint neighbor stats) command
  show-wireless-meshpoint-neighbor-stats-rf       Customize the output of (show wireless meshpoint neighbor stats rf) command
  show-wireless-mint-client                       Customize the output of (show wireless mint client)
  show-wireless-mint-client-stats                 Customize the output of (show wireless mint client stats) command
  show-wireless-mint-client-stats-rf              Customize the output of (show wireless mint client stats rf) command
  show-wireless-mint-portal                       Customize the output of (show wireless mint portal)
  show-wireless-mint-portal-stats                 Customize the output of (show wireless mint portal stats) command
  show-wireless-mint-portal-stats-rf              Customize the output of (show wireless mint portal stats rf) command
  show-wireless-radio                             Customize the output of (show wireless radio) command
  show-wireless-radio-stats                       Customize the output of (show wireless radio stats) command
  show-wireless-radio-stats-rf                    Customize the output of (show wireless radio stats rf) command
rfs6000-81742D(config)#
The default setting for the show > wireless > client command is as follows:

rfs6000-81742D(config)#show wireless client
--------------------------------------------------------------------------------
MAC  IPv4  VENDOR  RADIO-ID  WLAN  VLAN  STATE
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total number of wireless clients displayed: 0
rfs6000-81742D(config)#

The above output can be customized, using the customize > show-wireless-client command, as follows:

rfs6000-81742D(config)#customize show-wireless-client mac ip vendor vlan radio-id state wlan location radio-alias radio-type
rfs6000-81742D(config)#commit
rfs6000-81742D(config)#show wireless client
--------------------------------------------------------------------------------
MAC  IP  VENDOR  VLAN  RADIO-ID  STATE  WLAN  AP-LOCATION  RADIO  RADIO-TYPE
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Total number of wireless clients displayed: 0
rfs6000-81742D(config)#
Example

nx9500-6C8809(config)#show wireless wlan config
--------------------------------------------------------------------------------
NAME  ENABLE  SSID  ENCRYPTION  AUTHENTICATION  VLAN  BRIDGING MODE
--------------------------------------------------------------------------------
test  Y       test  wep64       none            1     local
--------------------------------------------------------------------------------
nx9500-6C8809(config)#
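The WLAN shown above ("test", wep64 encryption, no authentication) is exactly what an audit of this output should catch. The following Python is an added example, not code from the guide or from the WiNG product: it parses the `show wireless wlan config` table layout shown above (using a constructed sample that embeds the guide's row plus two invented ones) and reports WLANs whose ENCRYPTION or AUTHENTICATION values fall into a weak set; that set, and the reading of "none" authentication beside a real cipher as PSK, are the reviewer's own assumptions.

```python
"""Audit 'show wireless wlan config' output for weak WLAN security settings.

Added example for this guide's table layout; it is not code from the guide or
from the WiNG product. Column order follows the example output:
NAME ENABLE SSID ENCRYPTION AUTHENTICATION VLAN BRIDGING MODE
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample output: the first data row is the guide's own example
# (WLAN "test", wep64, no authentication); the other two rows are invented.
SAMPLE_OUTPUT = """\
nx9500-6C8809(config)#show wireless wlan config
--------------------------------------------------------------------------------
NAME ENABLE SSID ENCRYPTION AUTHENTICATION VLAN BRIDGING MODE
--------------------------------------------------------------------------------
test Y test wep64 none 1 local
corp Y Corp Wi-Fi ccmp eap 20 local
guest N guest none none 30 tunnel
--------------------------------------------------------------------------------
nx9500-6C8809(config)#
"""

# Reviewer's classification (an assumption, not taken from the guide): ciphers
# that no longer protect a production WLAN. WEP and KeyGuard are broken, and
# tkip-ccmp still admits TKIP clients.
WEAK_ENCRYPTION = {"none", "wep64", "wep128", "keyguard", "tkip-ccmp"}
COLUMN_COUNT = 7  # "BRIDGING MODE" is a single column despite the space


@dataclass
class WlanRow:
    name: str
    enabled: bool
    ssid: str
    encryption: str
    authentication: str
    vlan: int
    bridging_mode: str


def parse_wlan_config(output: str) -> List[WlanRow]:
    """Return the data rows of a 'show wireless wlan config' table.

    The table is framed by three dashed separator lines: prompt, separator,
    header, separator, data rows, separator, prompt. Only lines between the
    second and third separator are data.
    """
    rows: List[WlanRow] = []
    separators_seen = 0
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        if set(line) == {"-"}:
            separators_seen += 1
            continue
        if separators_seen != 2:
            continue  # prompt lines and the header are not data
        fields = line.split()
        if len(fields) < COLUMN_COUNT:
            raise ValueError(f"row has fewer than {COLUMN_COUNT} columns: {line!r}")
        # NAME and ENABLE are fixed at the left, the last four columns at the
        # right; whatever remains in between is the SSID, which may contain spaces.
        encryption, authentication, vlan, mode = fields[-4:]
        rows.append(
            WlanRow(
                name=fields[0],
                enabled=fields[1].upper() == "Y",
                ssid=" ".join(fields[2:-4]),
                encryption=encryption.lower(),
                authentication=authentication.lower(),
                vlan=int(vlan),
                bridging_mode=mode,
            )
        )
    return rows


def find_weak_wlans(rows: List[WlanRow], include_disabled: bool = False) -> List[Tuple[str, List[str]]]:
    """Return (WLAN name, reasons) for WLANs whose settings need attention."""
    findings = []
    for row in rows:
        if not row.enabled and not include_disabled:
            continue
        reasons = []
        if row.encryption in WEAK_ENCRYPTION:
            reasons.append(f"weak or absent encryption: {row.encryption}")
        # Assumption: in this table "none" authentication beside a real cipher
        # means a pre-shared key, so only no cipher plus no authentication is
        # treated as an open WLAN.
        if row.encryption == "none" and row.authentication == "none":
            reasons.append("open WLAN: no encryption and no authentication")
        if reasons:
            findings.append((row.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in find_weak_wlans(parse_wlan_config(SAMPLE_OUTPUT), include_disabled=True):
        print(f"{name}: " + "; ".join(reasons))
```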
nx9500-6C8809(config)#show wireless wips client-blacklist
No wireless clients blacklisted
nx9500-6C8809(config)#

rfs6000-81742D#show wireless regulatory channel-info 36
Center frequency for channel 36 is 5180MHz
rfs6000-81742D#

nx9500-6C8809(config)#show wireless regulatory country-code
--------------------------------------------------------------------------------
ISO CODE  NAME
--------------------------------------------------------------------------------
gt        Guatemala
co        Colombia
cn        China
cm        Cameroon
cl        Chile
--More--
nx9500-6C8809(config)#

nx9500-6C8809(config)#show wireless regulatory device-type ap7502 us
----------------------------------------------------------------------------------------------------
#  Channel Set  Power(mW)  Power (dBm)  Placement       DFS           CAC(mins)  TPC
----------------------------------------------------------------------------------------------------
1  1-11         4000       36           Indoor/Outdoor  NA            NA         NA
2  36-48        4000       36           Indoor/Outdoor  Not Required  0          Not Required
3  52-64        500        27           Indoor/Outdoor  Required      1          Not Required
4  52-64        1000       30           Indoor/Outdoor  Required      1          Required
5  100-140      500        27           Indoor/Outdoor  Required      1          Not Required
6  100-140      1000       30           Indoor/Outdoor  Required      1          Required
7  149-165      4000       36           Indoor/Outdoor  Not Required  0          Not Required
----------------------------------------------------------------------------------------------------
nx9500-6C8809(config)#
rfs6000-81742D#show wire ap detail
AP: 84-24-8D-84-A2-24
 AP Name            : ap7562-84A224
 Location           : Bangalore
 RF-Domain          : TechPubs
 Type               : ap7562
 Model              : AP-7562-67040-US
 IP                 : 192.168.13.29
 IPv6               : ::
 Num of radios      : 2
 Num of clients     : 0
 Last Smart-RF time : not done
 Stats update mode  : auto
 Stats interval     : 30
 Radio Modes        :
   radio-1 : wlan
   radio-2 : wlan
 Country-code       : not-set
 Site-Survivable    : True
 Last error         : in [India] not supported on hardware model AP-7562-67040-US
 Fault Detected     : False
 Power management information for ap7562:
--More--
rfs6000-81742D#

nx9500-6C8809#show wireless ap load-balancing on rfs6000-81742D
Column Name Reference:
 Ap-Ld          : Load of the AP as reported by it.
 Avg-Ld         : Average AP load in the AP's neighborhood.
 2.4g-Ld        : 2.4GHz band load in the AP's neighborhood.
 5g-Ld          : 5GHz band load in the AP's neighborhood.
 Ap-2.4g-Ch-Ld  : Load in the AP's 2.4GHz channel in its neighborhood.
 Avg-2.4g-Ch-Ld : Average load of a 2.4GHz channel in AP's neighborhood.
 Ap-5g-Ch-Ld    : Load in the AP's 5GHz channel in its neighborhood.
 Avg-5g-Ch-Ld   : Average load of a 5GHz channel in AP's neighborhood.
 Allow-2.4g-Req : AP responds to client requests on 2.4ghz radio
 Allow-5g-Req   : AP responds to client requests on 5ghz radio
--------------------------------------------------------------------------------------------------------------------------------
No.  Ap-Name         Ap-Load  Avg-Load  2.4g-Load  5g-Load  Band-Ratio  Cfgd-Band-Ratio  Ap-2.4g-Ch-Ld  Ap-5g-Ch-Ld  Avg-2.4g-Ch-Ld  Avg-5g-Ch-Ld  Allow-2.4g-Req  Allow-5g-Req
--------------------------------------------------------------------------------------------------------------------------------
1    rfs6000-81742D  0%       0%        0%         0%       0:0         0:1              182%           240%         0%              70%           yes             yes
--------------------------------------------------------------------------------------------------------------------------------
nx9500-6C8809#
nx9600-7F5124#show wireless meshpoint tree on PTP-AP
In progress .......
1:PTP-Radio2 [7 MPs(2 roots, 5 bound)]
|-ap7562-84A484-ROOT1
| |-ap7562-84A2CC-VMM
| |-ap7532-80C28C-NR
| |-ap7532-82CCA4-NR
| |-ap7562-84A22C-NR2
| |-ap7532-160114
|-ap7562-84A280-ROOT2
Total number of meshes displayed: 1
nx9600-7F5124#
ap6532-000001#show wireless meshpoint multicast detail
Multicast Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
--------------------------------------------------------------------------------
Group-Addr         Subscriber Name  Subscriber MPID    Timeout (mSecs)
--------------------------------------------------------------------------------
01-00-5E-01-01-01  ap6532-000001    00-23-68-2E-64-B2  N/A
--------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#

ap6532-000001#show wireless meshpoint neighbor detail
Neighbors @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
---------------------------------------------------------------------------------------------------------------------------------------
Neighbor Name  Neighbor MPID.IFID  Root Name  Root MPID  RMet  Hops  Type  Interface  Auth-State  Resourced  Rank  LQ%  LMet  Age
---------------------------------------------------------------------------------------------------------------------------------------
5C-0E-8B-21-76-22.5C-0E-8B-21-74-40  00-23-68-2E-97-60  115  1  Fixed  00-23-68-00-00-01:R2  Enabled  Yes  0  97  87  20
00-23-68-30-F7-82.00-23-68-30-F8-F0  00-23-68-2E-97-60  99   1  Fixed  00-23-68-00-00-01:R2  Init     Yes  0  97  86  30
00-23-68-30-F7-82.00-23-68-30-F7-82  00-23-68-2E-97-60  99   1  Fixed  00-23-68-00-00-01:R1  Enabled  Yes  0  96  94  0
5C-0E-8B-21-76-22.5C-0E-8B-21-76-22  00-23-68-2E-97-60  115  1  Fixed  00-23-68-00-00-01:R1  Enabled  Yes  0  96  93  30
00-23-68-2E-AB-50.00-23-68-2E-AB-50  00-23-68-2E-AB-50  0    0  Root   00-23-68-00-00-01:R2  Enabled  Yes  7  96  87  40
00-23-68-2E-97-60.00-23-68-2E-97-60  00-23-68-2E-97-60  0    0  Root   00-23-68-00-00-01:R2  Enabled  Yes  8  94  90  10
---------------------------------------------------------------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#

ap6532-000001#show wireless meshpoint proxy detail
Proxies @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
--------------------------------------------------------------------------------
Destination Addr   Owner Name     Owner MPID         Persist    VLAN  Age
--------------------------------------------------------------------------------
00-23-68-00-00-01  ap6532-000001  00-23-68-2E-64-B2  Permanent  101   180654310
00-1E-E5-A6-66-E2  ap6532-000001  00-23-68-2E-64-B2  Untimed    103   231920
--------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#

ap6532-000001#show wireless meshpoint multicast mesh1
Multicast Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
--------------------------------------------------------------------------------
Group-Addr         Subscriber Name  Subscriber MPID    Timeout (mSecs)
--------------------------------------------------------------------------------
01-00-5E-01-01-01  ap6532-000001    00-23-68-2E-64-B2  -1
--------------------------------------------------------------------------------
Total number of meshpoint displayed: 1
ap6532-000001#

ap6532-000001#show wireless meshpoint path detail
Paths @00-23-68-00-00-01 (ap6532-000001), mesh1 [00-23-68-2E-64-B2]
-----------------------------------------------------------------------------------------------------------------------------
Destination Name  Destination Addr  Next Hop Name  Next Hop IFID  State  Hops  Type  Binding  Metric  Timeout  Path-Timeout  Sequence  MiNT ID
-----------------------------------------------------------------------------------------------------------------------------
00-23-68-2E-AB-50  00-23-68-2E-AB-50  Valid  1  Root  Bound    89  8730  0  23847  68.31.19.58
00-23-68-2E-97-60  00-23-68-2E-97-60  Valid  1  Root  Unbound  92  5200  0  3481   68.31.1A.80
-----------------------------------------------------------------------------------------------------------------------------
ap6532-000001#
rfs4000-22A24E#show wireless client
--------------------------------------------------------------------------------
Report start on RF-Domain: qs1
MAC  IP  VENDOR  RADIO-ID  WLAN  VLAN  STATE
--------------------------------------------------------------------------------
Report end on RF-Domain: qs1
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Report start on RF-Domain: Store-1
MAC                IP        VENDOR     RADIO-ID              WLAN        VLAN  STATE
--------------------------------------------------------------------------------
00-01-02-03-04-10  2.3.4.16  3Com Corp  00-01-02-03-04-00:R1  sim-wlan-1  1     Data-Ready
00-01-02-03-05-10  2.3.5.16  3Com Corp  00-01-02-03-04-00:R2  sim-wlan-1  1     Data-Ready
Report end on RF-Domain: Store-1
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Report start on RF-Domain: default
database not available
Report end on RF-Domain: default
--------------------------------------------------------------------------------
Total number of clients displayed: 2
rfs4000-22A24E#
The following examples show client-bridge related information:

NX9500(config)#show adoption status
---------------------------------------------------------------------------------------------
DEVICE-NAME    VERSION        CFG-STAT    MSGS  ADOPTED-BY  LAST-ADOPTION    UPTIME
---------------------------------------------------------------------------------------------
ap6562-167598  5.9.1.0-017DB  configured  No    NX9500      0 days 00:01:59  0 days 00:03:22
---------------------------------------------------------------------------------------------
Total number of devices displayed: 1
NX9500(config)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 6 - 183 SHOW COMMANDS

NX9500(config)#show wireless bridge on ap6562-167598
-------------------------------------------------------------------------------------------------------------
LOCAL RADIO       LOCAL BSSID        SELECTED AP        RF-BAND  CHANNEL  STATE     UP TIME          ACTIVITY
                                                                                                     (sec ago)
-------------------------------------------------------------------------------------------------------------
ap6562-167598:R2  FC-0A-81-16-69-50  B4-C7-99-CA-A1-F0  5GHz     104      Selected  0 days 00:01:55  00:00:00
-------------------------------------------------------------------------------------------------------------
Total number of radios displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge config
--------------------------------------------------------------------------------------------------------------------------------------------
IDX  NAME           MAC                PROFILE         RF-DOMAIN  SSID    BAND         ENCRYPTION  AUTHENTICATION  EAP-USERNAME
--------------------------------------------------------------------------------------------------------------------------------------------
1    ap6562-167598  FC-0A-81-16-75-98  default-ap6562  default    inf_ap  2.4GHz/5GHz  ccmp        eap             hoabeo
--------------------------------------------------------------------------------------------------------------------------------------------
NX9500(config)#

NX9500(config)#show wireless bridge hosts
-----------------------------------------------------------------------------
HOST MAC           BRIDGE MAC         IP            BRIDGING STATUS  ACTIVITY
                                                                     (sec ago)
-----------------------------------------------------------------------------
FC-0A-81-16-75-98  FC-0A-81-16-69-50  172.16.34.55  UP               00:00:00
-----------------------------------------------------------------------------
Total number of hosts displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge statistics
---------------------------------------------------------------------------------------
LOCAL RADIO       CONNECTED AP       SIGNAL  SNR  TX-RATE  RX-RATE  Tx   Rx   RETRY
                                     (dbm)   db   (Mbps)   (Mbps)   bps  bps  AVG
---------------------------------------------------------------------------------------
ap6562-167598:R2  B4-C7-99-CA-A1-F0  -52     50   53       36       1 k  3 k  10
---------------------------------------------------------------------------------------
Total number of radios displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge candidate-ap on ap6562-167598
Client Bridge Candidate APs:
AP-MAC             BAND   CHANNEL  SIGNAL(dbm)  STATUS
B4-C7-99-CA-A1-F0  5 GHz  104      -39          selected
Total number of candidates displayed: 1
NX9500(config)#

NX9500(config)#show wireless bridge certificate status on ap6562-167598
Certificate Last Updated Status: Thu Jul 23 11:41:40 2017
NX9500(config)#
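The "show wireless bridge config" table is where the security posture of a client-bridge uplink (encryption and authentication type) is visible at a glance. The following added example, which is not part of the guide, parses that table layout and flags any bridge that is not using ccmp encryption with eap authentication; the second row (ap6562-ABCDEF) and the allowed-value policy are constructed assumptions, not output or settings from the guide.

```python
from typing import Dict, List, Optional, Set

# Constructed sample in the layout of "show wireless bridge config" above.
# Row 1 is the guide's own row; row 2 is a constructed row with weaker settings
# and an empty EAP-USERNAME column, to exercise the optional last column.
SAMPLE_OUTPUT = """\
NX9500(config)#show wireless bridge config
-----------------------------------------------------------------------------------------------------------------
IDX  NAME           MAC                PROFILE         RF-DOMAIN  SSID    BAND         ENCRYPTION  AUTHENTICATION  EAP-USERNAME
-----------------------------------------------------------------------------------------------------------------
1    ap6562-167598  FC-0A-81-16-75-98  default-ap6562  default    inf_ap  2.4GHz/5GHz  ccmp        eap             hoabeo
2    ap6562-ABCDEF  00-11-22-33-44-55  default-ap6562  default    guest   2.4GHz       none        none
-----------------------------------------------------------------------------------------------------------------
NX9500(config)#
"""

# Column order exactly as printed by the command; EAP-USERNAME may be blank.
COLUMNS = ["IDX", "NAME", "MAC", "PROFILE", "RF-DOMAIN", "SSID", "BAND",
           "ENCRYPTION", "AUTHENTICATION", "EAP-USERNAME"]

# Assumed baseline: bridge uplinks must use CCMP encryption and EAP authentication.
DEFAULT_POLICY: Dict[str, Set[str]] = {"ENCRYPTION": {"ccmp"}, "AUTHENTICATION": {"eap"}}


def parse_bridge_config(text: str) -> List[Dict[str, str]]:
    """Return one dict per client-bridge row, keyed by the column names."""
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows start with a numeric IDX and carry at least the 9 mandatory columns;
        # prompts, separators and the header line are skipped.
        if not fields or not fields[0].isdigit() or len(fields) < 9:
            continue
        if len(fields) == 9:
            fields.append("")  # EAP-USERNAME is blank when authentication is not eap
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def audit_bridges(rows: List[Dict[str, str]],
                  policy: Optional[Dict[str, Set[str]]] = None) -> List[str]:
    """Compare each bridge row against the allowed-value policy and list deviations."""
    policy = DEFAULT_POLICY if policy is None else policy
    findings: List[str] = []
    for r in rows:
        for col, allowed in policy.items():
            if r[col].lower() not in allowed:
                findings.append(f"{r['NAME']} ({r['MAC']}): {col} is '{r[col]}', "
                                f"expected one of {sorted(allowed)}")
        # An eap bridge with no username cannot authenticate to the upstream WLAN.
        if r["AUTHENTICATION"].lower() == "eap" and not r["EAP-USERNAME"]:
            findings.append(f"{r['NAME']} ({r['MAC']}): eap authentication without an EAP username")
    return findings


if __name__ == "__main__":
    for finding in audit_bridges(parse_bridge_config(SAMPLE_OUTPUT)):
        print(finding)
```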
6.1.77 wwan show commands

Displays wireless WAN status.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}

Parameters
show wwan [configuration|status] {on <DEVICE-OR-DOMAIN-NAME>}

wwan                          Displays wireless WAN configuration and status details
configuration                 Displays wireless WAN configuration information
status                        Displays wireless WAN status information
                              The following keyword is common to the configuration and status parameters:
on <DEVICE-OR-DOMAIN-NAME>    Optional. Displays configuration or status details on a specified device or RF Domain
  <DEVICE-OR-DOMAIN-NAME>     Specify the AP, wireless controller, service platform, or RF Domain name.

Example
rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan configuration
>>> WWAN Configuration:
+-------------------------------------------
| Access Port Name : isp.cingular
| User Name : testuser
| Cryptomap : map1
+-------------------------------------------
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
rfs4000-229D58(config-device-00-23-68-22-9D-58)#show wwan status
>>> WWAN Status:
+-------------------------------------------
| State : ACTIVE
| DNS1 : 209.183.54.151
| DNS2 : 209.183.54.151
+-------------------------------------------
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
6.1.78 virtual-machine show commands

Displays the virtual-machine (VM) configuration, logs, and statistics.

Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
show virtual-machine [configuration|debugging|export|statistics]
show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|team-vowlan} {(on <DEVICE-NAME>)}
show virtual-machine debugging {level|on}
show virtual-machine debugging {level [debug|error|info|warning]} {on <DEVICE-NAME>}
show virtual-machine export <VM-NAME> {on <DEVICE-NAME>}
show virtual-machine [configuration|statistics] {<VM-NAME>|adsp|team-cmt} {(on <DEVICE-NAME>)}

Parameters
show virtual-machine [configuration|statistics] {<VM-NAME>|team-urc|team-rls|team-vowlan} {(on <DEVICE-NAME>)}

virtual-machine               Displays the following VM-related information: configuration or statistics
configuration                 Displays detailed VM configuration
statistics                    Displays VM statistics
                              The following keywords are common to the configuration and statistics parameters:
[<VM-NAME>|team-urc|team-rls|team-vowlan]
  <VM-NAME>                   Optional. Displays VM configuration or statistics for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name.
  team-urc                    Optional. Displays TEAM-URC (IP-PBX) VM configuration/statistics
  team-rls                    Optional. Displays TEAM-RLS (Radio Link Server) VM configuration/statistics
  team-vowlan                 Optional. Displays TEAM-VoWLAN (Voice over WLAN) VM configuration/statistics
on <DEVICE-NAME>              Optional. Specifies the name of the device on which the command is executed
  <DEVICE-NAME>               Specify the name of the service platform.

show virtual-machine [configuration|statistics] {<VM-NAME>|adsp|team-cmt} {(on <DEVICE-NAME>)}

virtual-machine               Displays the following VM-related information: configuration or statistics
configuration                 Displays detailed VM configuration
statistics                    Displays VM statistics
                              The following keywords are common to the configuration and statistics parameters:
[<VM-NAME>|adsp|team-cmt]
  <VM-NAME>                   Optional. Displays VM configuration or statistics for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name.
  adsp                        Optional. Displays Air-Defense Services Platform (ADSP) VM configuration/statistics
  team-cmt                    Optional. Displays TEAM-CMT VM configuration/statistics
                              These keywords are specific to the NX9500 and NX9510 service platforms.
on <DEVICE-NAME>              Optional. Specifies the name of the device on which the command is executed
  <DEVICE-NAME>               Specify the name of the service platform.

show virtual-machine debugging {level [debug|error|info|warning]} {on <DEVICE-NAME>}

virtual-machine               Displays the following VM-related information: configuration or statistics
debugging                     Displays VM logs
level [debug|error|info|warning]
                              Optional. Displays VM logs based on the level selected. The available options are:
  debug                       Displays VM logs of level debug and above
  error                       Displays VM logs of level error
  info                        Displays VM logs of level info and above
  warning                     Displays VM logs of level warning and above
                              The NX9500 and NX9510 series service platforms display ADSP and TEAM-CMT VM debugging logs.
on <DEVICE-NAME>              Optional. Specifies the name of the device on which the command is executed
  <DEVICE-NAME>               Specify the name of the service platform.

show virtual-machine export <VM-NAME> {on <DEVICE-NAME>}

virtual-machine               Displays the following VM-related information: configuration or statistics
export                        Displays VM configuration export related information
  <VM-NAME>                   Displays VM configuration export related information for the virtual machine identified by the <VM-NAME> keyword. Specify the VM name.
                              The NX9500 and NX9510 series service platforms display ADSP and TEAM-CMT VM configuration export information.
on <DEVICE-NAME>              Optional. Specifies the name of the device on which the command is executed
  <DEVICE-NAME>               Specify the name of the service platform.

Example
nx9500-6C874D#show virtual-machine statistics
--------------------------------------------------------------------------------
NAME      STATE   VCPUS  MEM (MB)  BRIDGE-IF  IP
--------------------------------------------------------------------------------
WiNG      -       -      18432     -          -
adsp      Halted  -      -         unknown    -
team-cmt  Halted  -      -         unknown    -
--------------------------------------------------------------------------------
nx9500-6C874D#

nx9500-6C874D#show virtual-machine configuration
--------------------------------------------------------------------------------
NAME      AUTOSTART  MEMORY(MB)  VCPUS
--------------------------------------------------------------------------------
WiNG      -          18432       -
adsp      ignore     12000       12
team-cmt  ignore     1024        1
--------------------------------------------------------------------------------
nx9500-6C874D#

nx9500-6C874D>show virtual-machine statistics adsp
VM name: adsp
Base Version   : unknown
Install Status : not_installed
nx9500-6C874D>
6.1.79 raid show commands

Displays Redundant Array of Independent Disks (RAID) related information, such as array status, consistency check status, and RAID log. Use this command to assess the RAID array's drive utilization and whether the drives are currently online. Since there is only one RAID array controller reporting status to the service platform, it is important to know whether other drive slots house hot spare drives as additional resources should one of the dedicated drives fail. This command also displays whether a physical slot within the RAID array has a drive installed, and whether that drive is currently online.

Supported in the following platforms:
Service Platforms: NX9500

Syntax
show raid {on <DEVICE-NAME>}

Parameters
show raid {on <DEVICE-NAME>}

raid                  Displays the RAID array status and statistics
on <DEVICE-NAME>      Optional. Displays RAID status and statistics on a specified device
  <DEVICE-NAME>       Specify the name of the AP, wireless controller, or service platform.

Example
nx9500-6C874D(config)#show raid
Logical drive info:
  Size 930 GB, State optimal
  Alarm enabled
  Last check: Sat Aug 10 02:56:54 2013
  Last check result: ending
Physical drive info:
  Drive 0: online
  Drive 1: online
  Drive 2: not-installed
  Drive 3: not-installed
  Drive 4: not-installed
nx9500-6C874D(config)#
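The description above stresses checking the array state, which slots hold drives, and whether a hot spare exists. The following added example, not part of the guide, parses the "show raid" output layout shown above into operator findings (array not optimal, failed drive, too few drives online, alarm disabled, no spare); the failure-state words and the severity thresholds are assumptions, since the guide only documents the "online" and "not-installed" states.

```python
import re
from typing import Dict, List

# Constructed sample in the layout of the "show raid" example above
# (two drives online, three empty slots, array optimal).
SAMPLE_RAID = """\
nx9500-6C874D(config)#show raid
Logical drive info:
  Size 930 GB, State optimal
  Alarm enabled
  Last check: Sat Aug 10 02:56:54 2013
  Last check result: ending
Physical drive info:
  Drive 0: online
  Drive 1: online
  Drive 2: not-installed
  Drive 3: not-installed
  Drive 4: not-installed
nx9500-6C874D(config)#
"""

# The guide documents "online" and "not-installed"; these failure words are
# assumed, and any other unknown state is reported for manual review.
FAILED_STATES = {"offline", "failed", "degraded", "rebuilding"}

PATTERNS = {
    "size_state": re.compile(r"Size (\S+ \S+), State (\S+)"),
    "alarm": re.compile(r"Alarm (\S+)"),
    "last_check_result": re.compile(r"Last check result: (.+)"),
    "last_check": re.compile(r"Last check: (.+)"),
    "drive": re.compile(r"Drive (\d+): (\S+)"),
}


def parse_show_raid(text: str) -> Dict[str, object]:
    """Extract logical-drive fields and per-slot drive states from show raid output."""
    info: Dict[str, object] = {"drives": {}}
    drives: Dict[int, str] = info["drives"]  # type: ignore[assignment]
    for raw in text.splitlines():
        line = raw.strip()
        if m := PATTERNS["size_state"].match(line):
            info["size"], info["state"] = m.group(1), m.group(2).lower()
        elif m := PATTERNS["alarm"].match(line):
            info["alarm"] = m.group(1).lower()
        elif m := PATTERNS["last_check_result"].match(line):
            info["last_check_result"] = m.group(1).strip()
        elif m := PATTERNS["last_check"].match(line):
            info["last_check"] = m.group(1).strip()
        elif m := PATTERNS["drive"].match(line):
            drives[int(m.group(1))] = m.group(2).lower()
    return info


def raid_findings(info: Dict[str, object], min_online: int = 2) -> List[str]:
    """Turn parsed show raid output into findings an operator would act on."""
    findings: List[str] = []
    drives: Dict[int, str] = info["drives"]  # type: ignore[assignment]
    if info.get("state") != "optimal":
        findings.append(f"CRITICAL: logical drive state is '{info.get('state')}', not optimal")
    for slot in sorted(drives):
        state = drives[slot]
        if state in FAILED_STATES:
            findings.append(f"CRITICAL: drive {slot} is {state}")
        elif state not in ("online", "not-installed"):
            findings.append(f"REVIEW: drive {slot} reports state '{state}' (possible hot spare or fault)")
    online = [s for s, st in drives.items() if st == "online"]
    empty = sorted(s for s, st in drives.items() if st == "not-installed")
    if len(online) < min_online:
        findings.append(f"WARNING: only {len(online)} drive(s) online, expected at least {min_online}")
    if info.get("alarm") != "enabled":
        findings.append("WARNING: RAID alarm is not enabled, so a drive fault will not be signalled")
    # Every slot is either online or empty: nothing is standing by as a hot spare.
    if empty and len(online) + len(empty) == len(drives):
        findings.append(f"INFO: no hot spare present; empty slots {empty} can hold one")
    return findings


if __name__ == "__main__":
    for finding in raid_findings(parse_show_raid(SAMPLE_RAID)):
        print(finding)
```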
7 PROFILES

Profiles enable administrators to assign a common set of configuration parameters, policies, and WLANs to service platforms, controllers, and access points across a large, multi-segment site. The configuration parameters within a profile are based on the hardware model the profile was created to support. The service platforms, wireless controllers, and access points support both default and user-defined profiles. Each default and user-defined profile contains policies and configurations that are applied to devices assigned to the profile. Changes made to these configurations are automatically inherited by the devices. The central benefit of a profile is its ability to update devices collectively without having to modify individual device configurations.

Default profiles are system maintained and are automatically applied to service platforms and wireless controllers. The default AP profile is automatically applied to an AP (discovered by a wireless controller or service platform), unless an AP auto-provisioning policy is defined specifically to assign APs to a user-defined profile. After adoption, changes made to a profile's parameters are reflected across all devices using the profile. Default profiles are ideal for single-site deployments where service platforms, wireless controllers, and access points share a common configuration.

User-defined profiles, on the other hand, are manually created for each supported service platform, wireless controller, and access point model. User-defined profiles are recommended for larger deployments using centralized controllers and service platforms, where groups of devices on different floors, buildings or sites share a common configuration. These user-defined profiles can be assigned manually or automatically through an auto-provisioning policy. An auto-provisioning policy provides the means to assign profiles to access points based on model, serial number, VLAN ID, DHCP options, IP address (subnet) and MAC address. For more information, see AUTO-PROVISIONING-POLICY.

Each default and user-defined profile contains policies and configuration parameters. A user-defined profile can be created for each of the following device types:

AP6521     Adds an AP6521 access point profile
AP6522     Adds an AP6522 access point profile
AP6532     Adds an AP6532 access point profile
AP6562     Adds an AP6562 access point profile
AP7161     Adds an AP7161 access point profile
AP7502     Adds an AP7502 access point profile
AP7522     Adds an AP7522 access point profile
AP7532     Adds an AP7532 access point profile
AP7562     Adds an AP7562 access point profile
AP7602     Adds an AP7602 access point profile
AP7612     Adds an AP7612 access point profile
AP7622     Adds an AP7622 access point profile
AP7632     Adds an AP7632 access point profile
AP7662     Adds an AP7662 access point profile
AP81XX     Adds an AP81XX access point profile supporting the AP8132 and AP8163 models
AP8232     Adds an AP8232 access point profile
AP8432     Adds an AP8432 access point profile
AP8533     Adds an AP8533 access point profile
EX3524     Adds an EX3524 wireless controller profile
EX3548     Adds an EX3548 wireless controller profile
RFS4000    Adds an RFS4000 wireless controller profile
RFS6000    Adds an RFS6000 wireless controller profile
NX5500     Adds an NX5500 wireless controller profile
NX7500     Adds an NX75XX series service platform profile supporting the NX7510, NX7520, and NX7530 models
NX9000     Adds an NX95XX series service platform profile supporting the NX9500 and NX9510 models
NX9600     Adds an NX96XX series service platform profile supporting the NX9600 and NX9610 models. Supported only on an NX96XX model device.
VX9000     Adds a VX9000 wireless controller profile
T5         Adds a T5 controller profile

NOTE: A T5 profile can be created only on the following platforms: RFS4000, RFS6000, NX9500, NX9510, and NX9600.

Although profiles assign a common set of configuration parameters across devices, individual devices can still be assigned unique configuration parameters that follow the flat configuration model. As individual device updates are made, these devices no longer share the profile-based configuration they originally supported. Therefore, changes made to a profile are not automatically inherited by devices that have had their configuration customized. These devices require careful administration, as they cannot be tracked as profile members. Their customized configurations overwrite their profile configurations until the profile is re-applied.

NOTE: The commands present under Profiles are also available under the Device mode. The additional commands specific to the Device mode are listed separately.

This chapter is organized into the following topics:
Profile Config Commands
Device Config Commands
T5 Profile Config Commands
EX3524 & EX3548 Profile/Device Config Commands

To view the list of device profiles supported, use the following command:
<DEVICE>(config)#profile ?
  anyap       Any access point profile
  ap650       AP650 access point profile
  ap6511      AP6511 access point profile
  ap6521      AP6521 access point profile
  ap6522      AP6522 access point profile
  ap6532      AP6532 access point profile
  ap6562      AP6562 access point profile
  ap71xx      AP7161 access point profile
  ap7502      AP7502 access point profile
  ap7522      AP7522 access point profile
  ap7532      AP7532 access point profile
  ap7562      AP7562 access point profile
  ap81xx      AP81XX access point profile
  ap82xx      AP8232 access point profile
  ap8432      AP8432 access point profile
  ap8533      AP8533 access point profile
  containing  Specify profiles that contain a sub-string in the profile name
  ex3524      EX3524 wireless controller profile
  ex3548      EX3548 wireless controller profile
  filter      Specify additional selection filter
  nx5500      NX5500 wireless controller profile
  nx75xx      NX75XX wireless controller profile
  nx9000      NX9000 wireless controller profile
  nx9600      NX9600 wireless controller profile
  rfs4000     RFS4000 wireless controller profile
  rfs6000     RFS6000 wireless controller profile
  rfs7000     RFS7000 wireless controller profile
  t5          T5 wireless controller profile
  vx9000      VX9000 wireless controller profile
<DEVICE>(config)#

rfs6000-37FABE(config)#profile rfs6000 default-rfs6000
rfs6000-37FABE(config-profile-default-rfs6000)#

rfs6000-37FABE(config)#profile ap71xx default-ap71xx
rfs6000-37FABE(config-profile-default-ap71xx)#

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#

<DEVICE>(config-profile-<PROFILE-NAME>)#?
Profile Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning policy when adopted by another controller
  adoption                                 Adoption configuration
  adoption-mode                            Configure the adoption mode for the access-points in this RF-Domain
  alias                                    Alias
  application-policy                       Application Policy configuration
  area                                     Set name of area where the system is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bridge                                   Ethernet bridge
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  cluster                                  Cluster configuration
  configuration-persistence                Enable persistence of configuration across reloads (startup config file)
  controller                               WLAN controller configuration
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  database                                 Database command
  device-onboard                           Device-onboarding configuration
  device-upgrade                           Device firmware upgrade
  diag                                     Diagnosis of packets
  dot1x                                    802.1X
  dpi                                      Enable Deep-Packet-Inspection (Application Assurance)
  dscp-mapping                             Configure IP DSCP to 802.1p priority mapping for untagged frames
  eguest-server                            Enable ExtremeGuest Server functionality
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and adoptees
  floor                                    Set the floor within an area where the system is located
  gre                                      GRE protocol
  http-analyze                             Specify HTTP-Analysis configuration
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  led                                      Turn LEDs on/off on the device
  led-timeout                              Configure the time for the led to turn off after the last radio state change
  legacy-auto-downgrade                    Enable device firmware to auto downgrade when other legacy devices are detected
  legacy-auto-update                       Auto upgrade of legacy devices
  lldp                                     Link Layer Discovery Protocol
  load-balancing                           Configure load balancing parameter
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  management-server                        Configure management server address
  memory-profile                           Memory profile to be used on the device
  meshpoint-device                         Configure meshpoint device parameters
  meshpoint-monitor-interval               Configure meshpoint monitoring interval
  min-misconfiguration-recovery-time       Time interval to check controller connectivity after configuration is received
  mint                                     MiNT protocol
  misconfiguration-recovery-time           Check controller connectivity after configuration is received
  neighbor-inactivity-timeout              Configure neighbor inactivity timeout
  neighbor-info-interval                   Configure neighbor information exchange interval
  no                                       Negate a command or set its defaults
  noc                                      Configure the noc related setting
  nsight                                   NSight
  ntp                                      Ntp server
  offline-duration                         Set duration for which a device remains unadopted before it generates offline event
  otls                                     Omnitrail Location Server
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system will prefer for tunneling extended vlan traffic
  radius                                   Configure device-level radius authentication parameters
  raid                                     RAID
  remote-debug                             Configure remote debug parameters
  remove-override                          Remove configuration item override from the device (so profile value takes effect)
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  slot                                     PCI expansion Slot
  spanning-tree                            Spanning tree
  traffic-class-mapping                    Configure IPv6 traffic class to 802.1p priority mapping for untagged frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  vrrp-state-check                         Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP
  wep-shared-key-auth                      Enable support for 802.11 WEP shared key authentication
  zone                                     Configure Zone name

  clrscr                                   Clears the display screen
  commit                                   Commit all changes made in this session
  do                                       Run commands from Exec mode
  end                                      End current mode and change to EXEC mode
  exit                                     End current mode and down to previous mode
  help                                     Description of the interactive help system
  revert                                   Revert changes
  service                                  Service Commands
  show                                     Show running system information
  write                                    Write running configuration to memory or terminal
<DEVICE>(config-profile-<PROFILE-NAME>)#
<DEVICE>(config-profile-<T5-PROFILE-NAME>)#?
T5 Profile Mode commands:
  cpe            T5 CPE configuration
  interface      Select an interface to configure
  ip             Internet Protocol (IP)
  no             Negate a command or set its defaults
  ntp            Configure NTP
  override-wlan  Configure RF Domain level overrides for wlan
  t5             T5 configuration
  t5-logging     Modify message logging facilities
  use            Set setting to use

  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal
<DEVICE>(config-profile-<T5-PROFILE-NAME>)#
<DEVICE>(config-profile-<EX3524/EX3548-PROFILE-NAME>)#?
EX3500 Profile Mode commands:
  interface  Select an interface to configure
  ip         Internet Protocol (IP)
  no         Negate a command or set its defaults
  power      Ex3500 Power over Ethernet Command
  upgrade    Configures upgrade option for ex3500 system
  use        Set setting to use

  clrscr     Clears the display screen
  commit     Commit all changes made in this session
  do         Run commands from Exec mode
  end        End current mode and change to EXEC mode
  exit       End current mode and down to previous mode
  help       Description of the interactive help system
  revert     Revert changes
  service    Service Commands
  show       Show running system information
  write      Write running configuration to memory or terminal
<DEVICE>(config-profile-<EX3524/EX3548-PROFILE-NAME>)#
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

7.1 Profile Config Commands

The following table summarizes profile configuration mode commands (command, description, reference page):

adopter-auto-provisioning-policy-lookup  Enables the use of a centralized auto provisioning policy on this profile (page 7-11)
adoption                      Configures a minimum and maximum delay time in the initiation of the device adoption process (page 7-13)
alias                         Creates various types of aliases, such as network, VLAN, network-group, network-service, encrypted-string, hashed-string, etc. at the profile level (page 7-15)
application-policy            Associates a RADIUS server provided application policy with this profile. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane. (page 7-22)
area                          Sets the system's area of location (the area name) (page 7-24)
arp                           Configures static address resolution protocol (page 7-25)
auto-learn                    Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a device's host name via DHCP options. (page 7-27)
autogen-uniqueid              Auto-generates a unique local ID for devices using this profile. When executed in the device configuration mode, this command generates a unique ID for the logged device. (page 7-28)
autoinstall                   Configures the automatic install feature (page 7-30)
bridge                        Configures bridge specific parameters (page 7-31)
captive-portal                Configures captive portal advanced Web page upload on a device profile (page 7-62)
cdp                           Enables Cisco Discovery Protocol (CDP) on a device (page 7-63)
cluster                       Configures a cluster name (page 7-64)
configuration-persistence     Enables persistence of configuration across reloads (page 7-67)
controller                    Configures a wireless controller or service platform (page 7-68)
critical-resource             Monitors resources that are critical to the health of the service platform, wireless controller, or access point managed network. These critical resources are identified by their configured IP addresses. (page 7-72)
crypto                        Configures data encryption related protocols and settings (page 7-80)
database                      Backs up captive-portal and/or NSight database to a specified location and file and configures a low-disk-space threshold value (page 7-143)
device-onboard                Configures the logo image file name and title displayed on the EGuest device-onboarding portal. This is the portal a vendor-admin user uses to onboard devices. (page 7-144)
device-upgrade                Configures device firmware upgrade settings on this profile (page 7-145)
diag                          Enables looped packet logging (page 7-147)
dot1x                         Configures 802.1x standard authentication controls (page 7-148)
dpi                           Enables Deep Packet Inspection (DPI) on this profile (page 7-150)
dscp-mapping                  Configures an IP DSCP to 802.1p priority mapping for untagged frames (page 7-153)
eguest-server (VX9000 only)   Enables the EGuest daemon when executed without the host option (page 7-154)
eguest-server (NOC only)      Points to the EGuest server, when executed along with the host option (page 7-155)
email-notification            Configures e-mail notification settings (page 7-156)
enforce-version               Enables checking of a device's firmware version before attempting adoption or clustering (page 7-158)
environmental-sensor          Configures the environmental sensor settings on this profile (applicable to AP8132 model access point only) (page 7-159)
events                        Enables system event logging and message generation. This command also configures event message forwarding settings. (page 7-161)
export                        Enables export of startup.log file after every boot (page 7-162)
file-sync                     Configures parameters enabling synching of trustpoint and/or wireless-bridge certificate between the staging-controller and adopted access point (page 7-163)
floor                         Sets the floor name where the system is located (page 7-164)
gre                           Enables Generic Routing Encapsulation (GRE) tunneling on this profile (page 7-165)
http-analyze                  Configures HTTP analysis settings (page 7-177)
interface                     Configures an interface (VLAN, radio, GE, etc.) (page 7-180)
ip                            Configures IPv4 components (page 7-348)
ipv6                          Configures IPv6 components (page 7-358)
l2tpv3                        Defines the Layer 2 Tunnel Protocol (L2TP) protocol for tunneling layer 2 payloads using Virtual Private Networks (VPNs) (page 7-362)
l3e-lite-table                Configures L3e Lite Table with this profile (page 7-364)
led                           Turns device LEDs on or off (page 7-365)
led-timeout                   Configures LED-timeout timer. This command is specific to the NX95XX series service platforms. (page 7-366)
legacy-auto-downgrade         Auto downgrades a legacy device firmware (page 7-368)
legacy-auto-update            Auto upgrades a legacy device firmware (page 7-369)
lldp                          Configures Link Layer Discovery Protocol (LLDP) (page 7-370)
load-balancing                Configures load balancing parameters (page 7-372)
logging                       Modifies message logging settings (page 7-377)
mac-address-table             Configures the MAC address table (page 7-379)
mac-auth                      Enables 802.1x user authentication protocol on this profile (page 7-381)
management-server             Configures a management server with this profile (page 7-384)
memory-profile                Configures the memory profile used on the device (page 7-385)
meshpoint-device              Configures meshpoint device parameters (page 7-386)
meshpoint-monitor-interval    Configures meshpoint monitoring interval (page 7-388)
min-misconfiguration-recovery-time  Configures the minimum device connectivity verification time (page 7-389)
mint                          Configures MiNT protocol settings (page 7-390)
misconfiguration-recovery-time  Verifies device connectivity after a configuration is received (page 7-397)
neighbor-inactivity-timeout   Configures neighbor inactivity timeout (page 7-398)
neighbor-info-interval        Configures neighbor information exchange interval (page 7-399)
no                            Removes or reverts settings to their default. The no command, when used in the profile configuration mode, removes the selected profile's settings or reverts them to their default. (page 7-400)
noc                           Configures NOC settings (page 7-402)
nsight                        Configures NSight database related parameters (page 7-403)
ntp                           Configures NTP server settings (page 7-408)
otls                          Configures support for detection and forwarding of OmniTrail beacon tags (page 7-411)
offline-duration              Sets the duration, in minutes, for which a device remains un-adopted before it generates an offline event (page 7-414)
power-config                  Configures the power mode (page 7-415)
preferred-controller-group    Specifies the wireless controller or service platform group preferred for adoption (page 7-417)
preferred-tunnel-controller   Configures the tunnel wireless controller or service platform preferred by the system to tunnel extended VLAN traffic (page 7-418)
radius                        Configures device-level RADIUS authentication parameters (page 7-419)
raid                          Enables alarm on the array. This command is supported only on the NX9500 and NX9510 series service platform profile/device config modes. (page 7-493)
rf-domain-manager             Enables devices using this profile to be elected as RF Domain manager. Also sets the priority value for devices using this profile in the RF Domain manager election process. (page 7-420)
router                        Configures dynamic router protocol settings (page 7-421)
spanning-tree                 Configures spanning tree related settings (page 7-423)
traffic-class-mapping         Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p priority (page 7-426)
traffic-shape                 Enables traffic shaping and configures traffic shaping parameters (page 7-428)
trustpoint (profile-config-mode)  Configures the trustpoint assigned for validating a CMP auth Operator (page 7-434)
tunnel-controller             Configures the name of tunneled WLAN (extended VLAN) wireless controller or service platform (page 7-436)
use                           Uses pre-configured policies with this profile (page 7-437)
vrrp                          Configures Virtual Router Redundancy Protocol (VRRP) group settings (page 7-443)
vrrp-state-check              Publishes interface via OSPF or BGP based on VRRP status (page 7-447)
virtual-controller            Enables an access point as a virtual-controller (VC) or dynamic virtual controller (DVC). Note, DVC is supported only on the AP7522, AP7532, and AP7562 model access points. (page 7-448)
wep-shared-key-auth           Enables support for 802.11 WEP shared key authentication (page 7-450)
service                       Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode. (page 7-451)
zone                          Configures the zone for devices using this profile. The zone can also be configured on the device's self context. (page 7-456)

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

7.1.1 adopter-auto-provisioning-policy-lookup

Enables the use of a centralized auto provisioning policy on this profile. When enabled, the auto-provisioning policy applied on the NOC takes precedence over the one applied at the site controller level. Optionally, use the evaluate-always option to set a flag that runs the centralized auto-provisioning policy every time a device (access point/controller) is adopted; the device's previous adoption status is not taken into consideration. This command is also applicable in the device configuration context.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax adopter-auto-provisioning-policy-lookup {evaluate-always}
Parameters
  adopter-auto-provisioning-policy-lookup {evaluate-always}

  adopter-auto-provisioning-policy-lookup   Enables the use of a centralized auto-provisioning policy on this profile or device
  evaluate-always                           Optional. Sets a flag to run the centralized auto-provisioning policy every time a device (access point/controller) is adopted.

Example
  rfs6000-81742D(config-profile-default-rfs6000)#adopter-auto-provisioning-policy-lookup evaluate-always
  rfs6000-81742D(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   crypto remote-vpn-client
   interface me1
   interface up1
   interface ge1
   interface ge2
   interface ge3
   interface ge4
   interface ge5
   interface ge6
   interface ge7
   interface ge8
   interface wwan1
   interface pppoe1
   use firewall-policy default
   logging on
   service pm sys-restart
   adopter-auto-provisioning-policy-lookup
   router ospf
   router bgp
  rfs6000-81742D(config-profile-default-rfs6000)#
Related Commands
  no   Disables the application of the centralized auto-provisioning policy on this profile or device

7.1.2 adoption
Profile Config Commands

Configures a minimum and maximum delay time in the initiation of the device adoption process. When configured, devices do not attempt adoption immediately on coming up. The process is initiated after the lapse of a specified period of time (configured using this command as the start-delay minimum time). Once configured and applied, this setting applies to all devices using this profile. This option is also available in the device-configuration mode.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  adoption start-delay min <0-30> max <0-30>

Parameters
  adoption start-delay min <0-30> max <0-30>
  start-delay min <0-30> max <0-30>   Delays the start of the device adoption process
    min <0-30>   Configures the minimum time to lapse before a device attempts adoption. Specify a value from 0 - 30 seconds. A device, on coming up, attempts adoption only after the lapse of the time specified here. The default is 5 seconds.
    max <0-30>   Configures the maximum time to lapse before a device attempts adoption. Specify a value from 0 - 30 seconds. The default is 20 seconds.

Example
  rfs6000-81742D(config-profile-default-rfs6000)#adoption start-delay min 10 max 30
  rfs6000-81742D(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   crypto remote-vpn-client
   interface me1
   interface up1
   interface ge1
   interface ge2
   interface ge3
   interface ge4
   interface ge5
   interface ge6
   interface ge7
   interface ge8
   interface wwan1
   interface pppoe1
   use firewall-policy default
   logging on
   service pm sys-restart
   adopter-auto-provisioning-policy-lookup
   router ospf
   router bgp
   adoption start-delay min 10 max 30
  rfs6000-81742D(config-profile-default-rfs6000)#
Related Commands
  no   Removes the configured minimum start-delay value. When removed, devices attempt adoption immediately on coming up.

7.1.3 alias
Profile Config Commands

Configures network, VLAN, and service aliases. The aliases defined on this profile apply to all devices using this profile. Aliases can also be defined at the device level.

NOTE: You can apply overrides to aliases at the device level. Overrides applied at the device level take precedence. For more information on aliases, see alias.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  alias [address-range|encrypted-string|hashed-string|host|network|network-group|network-service|number|string|vlan]
  alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>
  alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>
  alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>
  alias host <HOST-ALIAS-NAME> <HOST-IP>
  alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>
  alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range|host|network]
  alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
  alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport|ssh|telnet|tftp|www)}
  alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
  alias number <NUMBER-ALIAS-NAME> <0-4294967295>
  alias string <STRING-ALIAS-NAME> <LINE>
  alias vlan <VLAN-ALIAS-NAME> <1-4094>
Parameters
  alias address-range <ADDRESS-RANGE-ALIAS-NAME> <STARTING-IP> to <ENDING-IP>

  address-range <ADDRESS-RANGE-ALIAS-NAME>
    Creates a new address-range alias for this profile, or associates an existing address-range alias with this profile. An address-range alias maps a name to a range of IP addresses. Use this option to create unique address-range aliases for different deployment scenarios.
    For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location's network range is 172.16.13.20 through 172.16.13.110, the remote location's ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.
    <ADDRESS-RANGE-ALIAS-NAME>   Specify the address-range alias name. Note: the alias name should begin with $.
  <STARTING-IP> to <ENDING-IP>
    Associates a range of IP addresses with this address-range alias
    <STARTING-IP>    Specify the first IP address in the range.
    to <ENDING-IP>   Specify the last IP address in the range.
    Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
  alias encrypted-string <ENCRYPTED-STRING-ALIAS-NAME> [0|2] <LINE>

  encrypted-string <ENCRYPTED-STRING-ALIAS-NAME>
    Creates an alias for an encrypted string. Use this alias for string configuration values that are encrypted when "password-encryption" is enabled. For example, in the management-policy, use it to define the SNMP community string. For more information, see snmp-server.
    <ENCRYPTED-STRING-ALIAS-NAME>   Specify the encrypted-string alias name. The alias name should begin with $.
  [0|2] <LINE>
    Configures the value associated with the alias name specified in the previous step.
    [0|2] <LINE>   Configures the alias value. Note: if password-encryption is enabled, in the show > running-config output this clear text is displayed as an encrypted string, as shown below:

    nx9500-6C8809(config)#show running-config
    !...............................
    alias encrypted-string $enString 2 fABMK2is7UToNiZE3MQXbgAAAAxB0ZIysdqsEJwr6AH/Da//
    !
    --More--
    nx9500-6C8809

    In the above output, the 2 displayed before the encrypted-string alias value indicates that the displayed text is encrypted and not clear text. However, if password-encryption is disabled, the clear text is displayed as is:

    nx9500-6C8809(config)#show running-config
    !...............................
    !
    alias encrypted-string $enString 0 test11223344
    !
    --More--
    nx9500-6C8809

    For more information on enabling password-encryption, see password-encryption.
  alias hashed-string <HASHED-STRING-ALIAS-NAME> <LINE>

  hashed-string <HASHED-STRING-ALIAS-NAME>
    Creates an alias for a hashed string. Use this alias for configuration values that are hashed strings, such as passwords. For example, in the management-policy, use it to define the privilege mode password. For more information, see privilege-mode-password.
    <HASHED-STRING-ALIAS-NAME>   Specify the hashed-string alias name. The alias name should begin with $.
  <LINE>
    Configures the hashed-string value associated with this alias.

    nx9500-6C8809(config)#show running-config
    !
    alias encrypted-string $WRITE 2 sBqVCDAoxs3oByF5PCSuFAAAAAd7HT2+EiT/l/BXm9c4SBDv
    !
    alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
    --More--
    nx9500-6C8809

    In the above show > running-config output, the 1 displayed before the hashed-string alias value indicates that the displayed text is hashed and not clear text.
  alias host <HOST-ALIAS-NAME> <HOST-IP>

  host <HOST-ALIAS-NAME>
    Creates a new host alias for this profile, or associates an existing host alias with this profile. A host alias configuration is for a particular host device's IP address. Use this option to create unique host aliases for different deployment scenarios. For example, if a central network DNS server is set to a static IP address, and a remote location's local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.
    <HOST-ALIAS-NAME>   Specify the host alias name. The alias name should begin with $.
  <HOST-IP>
    Associates the network host's IP address with this host alias
    <HOST-IP>   Specify the network host's IP address.
    Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
  alias network <NETWORK-ALIAS-NAME> <NETWORK-ADDRESS/MASK>

  network <NETWORK-ALIAS-NAME>
    Creates a new network alias for this profile, or associates an existing network alias with this profile. A network alias configuration is utilized for an IP address on a particular network. Use this option to create unique network aliases for different deployment scenarios. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location's network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit its local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.
    <NETWORK-ALIAS-NAME>   Specify the network alias name. The alias name should begin with $.
  <NETWORK-ADDRESS/MASK>
    Associates a single network with this network alias
    <NETWORK-ADDRESS/MASK>   Specify the network's address and mask.
    Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

  alias network-group <NETWORK-GROUP-ALIAS-NAME> [address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}|host <HOST-IP> {<HOST-IP>}|network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}]
  network-group <NETWORK-GROUP-ALIAS-NAME>
    Creates a new network-group alias for this profile, or associates an existing network-group alias with this profile.
    <NETWORK-GROUP-ALIAS-NAME>   Specify the network-group alias name. The alias name should begin with $.
    The network-group aliases are used in ACLs to define the network-specific components. ACLs using aliases can be used across sites by redefining the network-group alias elements at the device or profile level. After specifying the name, specify the following: a range of IP addresses, host addresses, or a range of network addresses.
    Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
  address-range <STARTING-IP> to <ENDING-IP> {<STARTING-IP> to <ENDING-IP>}
    Associates a range of IP addresses with this network-group alias
    <STARTING-IP>    Specify the first IP address in the range.
    to <ENDING-IP>   Specify the last IP address in the range.
    {<STARTING-IP> to <ENDING-IP>}   Optional. Specifies more than one range of IP addresses. A maximum of eight (8) IP address ranges can be configured.
  host <HOST-IP> {<HOST-IP>}
    Associates a single host or multiple hosts with this network-group alias
    <HOST-IP>     Specify the host's IP address.
    {<HOST-IP>}   Optional. Specifies more than one host. A maximum of eight (8) hosts can be configured.
  network <NETWORK-ADDRESS/MASK> {<NETWORK-ADDRESS/MASK>}
    Associates a single network or multiple networks with this network-group alias
    <NETWORK-ADDRESS/MASK>     Specify the network's address and mask.
    {<NETWORK-ADDRESS/MASK>}   Optional. Specifies more than one network. A maximum of eight (8) networks can be configured.

  alias network-service <NETWORK-SERVICE-ALIAS-NAME> proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
  network-service <NETWORK-SERVICE-ALIAS-NAME>
    Creates a new network-service alias for this profile, or associates an existing network-service alias with this profile. A network-service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network-service alias.
    <NETWORK-SERVICE-ALIAS-NAME>   Specify a network-service alias name. The alias name should begin with $.
  proto [<0-254>|<WORD>|eigrp|gre|igmp|igp|ospf|vrrp] {(<1-65535>|<WORD>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|proto|sip|smtp|sourceport [<1-65535>|<WORD>]|ssh|telnet|tftp|www)}
    The network-service aliases are used in ACLs to define the service-specific components. ACLs using aliases can be used across sites by redefining the network-service alias elements at the device or profile level.
    Note: Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
    Use one of the following options to associate an Internet protocol with this network-service alias:
    <0-254>   Identifies the protocol by its number. Specify the protocol number from 0 - 254. This is the number by which the protocol is identified in the Protocol field of the IPv4 header and the Next Header field of the IPv6 header. For example, the User Datagram Protocol's (UDP) designated number is 17.
    <WORD>    Identifies the protocol by its name. Specify the protocol name.
    eigrp     Selects Enhanced Interior Gateway Routing Protocol (EIGRP). The protocol number is 88.
    gre       Selects Generic Routing Encapsulation (GRE). The protocol number is 47.
    igmp      Selects Internet Group Management Protocol (IGMP). The protocol number is 2.
    igp       Selects Interior Gateway Protocol (IGP). The protocol number is 9.
    ospf      Selects Open Shortest Path First (OSPF). The protocol number is 89.
    vrrp      Selects Virtual Router Redundancy Protocol (VRRP). The protocol number is 112.
    After specifying the protocol, you may configure a destination port for this service. These keywords are recursive, and you can configure multiple protocols and associate multiple destination and source ports.
    <1-65535>   Optional. Configures a destination port number from 1 - 65535
    <WORD>      Optional. Identifies the destination port by the service name provided. For example, the secure shell (SSH) service uses TCP port 22.
    bgp         Optional. Configures the default Border Gateway Protocol (BGP) service port (179)
    dns         Optional. Configures the default Domain Name System (DNS) service port (53)
    ftp         Optional. Configures the default File Transfer Protocol (FTP) control service port (21)
    ftp-data    Optional. Configures the default FTP data service port (20)
    gopher      Optional. Configures the default gopher service port (70)
    https       Optional. Configures the default HTTPS service port (443)
    ldap        Optional. Configures the default Lightweight Directory Access Protocol (LDAP) service port (389)
    nntp        Optional. Configures the default Newsgroup (NNTP) service port (119)
    ntp         Optional. Configures the default Network Time Protocol (NTP) service port (123)
    proto       Optional. Use this option to select another Internet protocol in addition to the one selected in the previous step.
    sip         Optional. Configures the default Session Initiation Protocol (SIP) service port (5060)
    sourceport [<1-65535>|<WORD>]   Optional. After specifying the destination port, you may specify a single source port or a range of source ports.
      <1-65535>   Specify the source port from 1 - 65535.
      <WORD>      Specify the source port range, for example 1-10.
    ssh         Optional. Configures the default SSH service port (22)
    telnet      Optional. Configures the default Telnet service port (23)
    tftp        Optional. Configures the default Trivial File Transfer Protocol (TFTP) service port (69)
    www         Optional. Configures the default HTTP service port (80)

  alias number <NUMBER-ALIAS-NAME> <0-4294967295>
  number <NUMBER-ALIAS-NAME>
    Creates a number alias identified by the <NUMBER-ALIAS-NAME> keyword. Number aliases map a name to a numeric value. For example:
      alias number $NUMBER 100
    The number alias name is $NUMBER and the value assigned is 100. The value referenced by alias $NUMBER, wherever used, is 100.
    <NUMBER-ALIAS-NAME>   Specify the number alias name. The alias name should begin with $.
  <0-4294967295>
    Specify the number, from 0 - 4294967295, assigned to the number alias created.

  alias string <STRING-ALIAS-NAME> <LINE>
  string <STRING-ALIAS-NAME>
    Creates a new string alias for this profile, or associates an existing string alias with this profile. String aliases map a name to an arbitrary string value. Use this option to create unique string aliases for different deployment scenarios. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
    <STRING-ALIAS-NAME>   Specify the string alias name. The alias name should begin with $.
  <LINE>
    Specify the string value.
    Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.

  alias vlan <VLAN-ALIAS-NAME> <1-4094>
  vlan <VLAN-ALIAS-NAME>
    Creates a new VLAN alias for this profile, or associates an existing VLAN alias with this profile. A VLAN alias maps a name to a VLAN ID. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. Use this option to create unique VLAN aliases for different deployment scenarios. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network. A new VLAN need not be created specifically at the remote location.
    <VLAN-ALIAS-NAME>   Specify the VLAN alias name. The alias name should begin with $.
  <1-4094>
    Maps the VLAN alias to a VLAN ID
    <1-4094>   Specify the VLAN ID from 1 - 4094.
    Aliases defined at any given level can be overridden at the next lower levels. For example, a global alias can be redefined on a selected set of RF Domains, profiles, or devices. Overrides applied at the device level take precedence.
Example
  The following example shows the global aliases configured. Note the network-service alias $kerberos settings.

  nx9500-6C8809(config)#show running-config | include alias
  alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
  alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
  alias network $NetworkAlias 192.168.13.0/24
  alias host $HostAlias 192.168.13.10
  alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
  alias network-service $kerberos proto tcp 23 22 proto udp 25
  alias vlan $VlanAlias 1
  alias string $AREA Ecospace
  alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
  alias encrypted-string $READ 2 CdO6glQ9w29hybKxfbd6JwAAAAa7lKMBMk9EiDQfFRf9kegO
  alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
  nx9500-6C8809(config)#

  The following example shows the override applied to the network-service alias $kerberos at the profile level:

  nx9500-6C8809(config-profile-testRFS4k)#alias network-service $kerberos proto tcp 88 proto udp 389
  nx9500-6C8809(config-profile-testRFS4k)#

  The following example shows the profile-level override of $kerberos as it appears in the running configuration:

  nx9500-6C8809(config-profile-testRFS4k)#show running-config | include alias
  alias network-group $NetGrpAlias address-range 192.168.13.7 to 192.168.13.16 192.168.13.20 to 192.168.13.25
  alias network-group $NetGrpAlias network 192.168.13.0/24 192.168.16.0/24
  alias network $NetworkAlias 192.168.13.0/24
  alias host $HostAlias 192.168.13.10
  alias address-range $AddRanAlias 192.168.13.10 to 192.168.13.13
  alias network-service $kerberos proto tcp 23 22 proto udp 25
  alias vlan $VlanAlias 1
  alias string $AREA Ecospace
  alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
  alias encrypted-string $READ 2 /Mfbt1Et8XRhybKxfbd6JwAAAAZ9yrIYq7mNl4+gNNiiMIZI
  alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
  alias network-service $kerberos proto tcp 88 proto udp 389
  nx9500-6C8809(config-profile-testRFS4k)#
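The override precedence and the three string alias kinds described above can be checked mechanically from a running-config dump. The following is an added example, not Extreme/WiNG code: it parses alias lines in the format shown in the output above, resolves which definition wins when the same alias name appears at more than one level (assumed order, lowest to highest: global, RF Domain, profile, device, which is how the parameter descriptions present it), decodes network-service aliases into protocol and port lists using the keyword tables from the parameter descriptions, and reports encrypted-string aliases whose stored value carries the 0 prefix, meaning they were written while password-encryption was disabled. The configuration lines are constructed for the example. Note that a 2-prefixed encrypted-string is reversible by the device (it has to recover the SNMP community string to use it), unlike a 1-prefixed hashed-string, so the running-config should be handled as sensitive even when the audit reports nothing.

```python
"""Parse WiNG-style 'alias' configuration lines, resolve the level precedence
the reference describes, and audit encrypted-string aliases for clear-text
storage. Added example modelled on the documented syntax; not WiNG code."""
import re
from collections import OrderedDict

# Protocol keywords and IP protocol numbers from the parameter table
# (tcp/udp are added here as the usual <WORD> protocol names).
PROTO_KEYWORDS = {"tcp": 6, "udp": 17, "eigrp": 88, "gre": 47, "igmp": 2,
                  "igp": 9, "ospf": 89, "vrrp": 112}
# Service keywords and default destination ports from the parameter table
# (pop3 and smtp are listed there without a port; 110 and 25 are their IANA ports).
SERVICE_PORTS = {"bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70,
                 "https": 443, "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110,
                 "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69,
                 "www": 80}
# Assumed precedence, lowest to highest. The reference states that a global
# alias can be redefined on RF Domains, profiles or devices and that the
# device level wins; the relative order of RF Domain and profile is assumed.
LEVELS = ("global", "rf-domain", "profile", "device")

ALIAS_RE = re.compile(r"^\s*alias\s+(\S+)\s+(\S+)\s*(.*)$")


def port_spec(tok):
    """A port number, a range such as '1-10', or a service keyword."""
    if tok in SERVICE_PORTS:
        return SERVICE_PORTS[tok]
    ports = [int(p) for p in tok.split("-", 1)]
    if any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("port outside 1-65535: %r" % tok)
    return ports[0] if len(ports) == 1 else tuple(ports)


def parse_network_service(rest):
    """'proto tcp 23 22 proto udp 25' -> {'tcp': {'dst': [23, 22], 'src': []}, ...}"""
    tokens = rest.split()
    services = OrderedDict()
    i = 0
    while i < len(tokens):
        if tokens[i] != "proto" or i + 1 >= len(tokens):
            raise ValueError("expected 'proto <protocol>' at %r" % tokens[i:])
        proto = tokens[i + 1]
        if proto not in PROTO_KEYWORDS and not (proto.isdigit() and int(proto) <= 254):
            raise ValueError("unknown protocol %r" % proto)
        entry = {"dst": [], "src": []}
        i += 2
        while i < len(tokens) and tokens[i] != "proto":
            if tokens[i] == "sourceport":
                entry["src"].append(port_spec(tokens[i + 1]))
                i += 2
            else:
                entry["dst"].append(port_spec(tokens[i]))
                i += 1
        if len(entry["dst"]) > 2 or len(entry["src"]) > 2:
            raise ValueError("at most 2 destination and 2 source port ranges per protocol")
        services[proto] = entry
    if len(services) > 4:
        raise ValueError("at most 4 protocol entries per network-service alias")
    return services


def parse_alias_line(line):
    """Return (kind, name, value) for an 'alias ...' line, or None for other lines."""
    m = ALIAS_RE.match(line)
    if not m:
        return None
    kind, name, rest = m.groups()
    if not name.startswith("$"):
        raise ValueError("alias name must begin with $: %r" % name)
    if kind == "network-service":
        return kind, name, parse_network_service(rest)
    if kind in ("encrypted-string", "hashed-string"):
        flag, _, text = rest.partition(" ")
        # 2 = stored encrypted, 0 = stored as clear text; 1 = stored as a hash
        return kind, name, {"flag": flag, "value": text}
    return kind, name, rest.split()


def resolve_aliases(config_by_level):
    """Map alias name -> (kind, value, level); higher levels override lower ones."""
    resolved = {}
    for level in LEVELS:
        for line in config_by_level.get(level, ()):
            parsed = parse_alias_line(line)
            if parsed:
                kind, name, value = parsed
                resolved[name] = (kind, value, level)
    return resolved


def clear_text_secrets(resolved):
    """Encrypted-string aliases stored with the 0 prefix, i.e. in clear text."""
    return sorted(name for name, (kind, value, _) in resolved.items()
                  if kind == "encrypted-string" and value["flag"] == "0")


# Constructed configuration, modelled on the running-config output above.
EXAMPLE_CONFIG = {
    "global": [
        "alias network-service $kerberos proto tcp 23 22 proto udp 25",
        "alias host $HostAlias 192.168.13.10",
        "alias vlan $VlanAlias 1",
        "alias encrypted-string $READ 2 CONSTRUCTED-CIPHERTEXT",
        "alias hashed-string $PriMode 1 CONSTRUCTED-HASH",
    ],
    "profile": ["alias network-service $kerberos proto tcp 88 proto udp 389"],
    "device": ["alias vlan $VlanAlias 26",
               "alias encrypted-string $WRITE 0 private"],
}

if __name__ == "__main__":
    resolved = resolve_aliases(EXAMPLE_CONFIG)
    for name, (kind, value, level) in sorted(resolved.items()):
        print("%-12s %-16s %-8s %s" % (name, kind, level, value))
    print("clear-text secrets:", clear_text_secrets(resolved))
```

Run against a real dump, the per-level lists would be filled from the global, RF Domain, profile and device contexts of `show running-config | include alias`; the profile-level `$kerberos` then resolves to tcp 88 / udp 389 exactly as the example output above shows, and any `0`-prefixed encrypted-string is reported for re-entry after password-encryption is enabled.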
Related Commands
  no   Removes the use of the centralized auto-provisioning policy on this profile or device

7.1.4 application-policy
Profile Config Commands

Associates a RADIUS-server-provided application policy with this profile. This command is also applicable to the device configuration mode. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane. An application policy defines the actions executed on recognized HTTP (Facebook), enterprise (Webex), and peer-to-peer (gaming) applications or application categories. The following are the actions that can be applied in an application policy:
  Allow - Allows packets for a specific application and its defined category type (e.g., social networking)
  Deny - Denies (restricts) packets to a specific application and its defined category type
  Mark - Marks recognized packets with a DSCP/802.1p value
  Rate-limit - Rate limits packets from a specific application type
For more information on configuring an application policy, see application-policy.

Supported in the following platforms:
  Access Points: AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  application-policy radius <APP-POLICY-NAME>

Parameters
  application-policy radius <APP-POLICY-NAME>
  application-policy radius <APP-POLICY-NAME>   Associates a RADIUS-server-provided application policy with this profile
    <APP-POLICY-NAME>   Specify the application policy name (it should be existing and configured).

Example
  nx9500-6C8809(config)#show context include-factory | include application-policy
  application-policy Bing
   no use application-policy
   no use application-policy
   no use application-policy
   no use application-policy
   no use application-policy
   no use application-policy
   no use application-policy
   no use application-policy
   no use application-policy
  nx9500-6C8809(config)#

  nx9500-6C8809(config-profile-testNX9500)#application-policy radius Bing
  nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include application-policy
  application-policy radius Bing
  nx9500-6C8809(config-profile-testNX9500)#

  nx9500-6C8809(config-application-Bing)#Show context
  application Bing
   app-category streaming
   use url-list Bing
  nx9500-6C8809(config-application-Bing)#
Related Commands
  no   Removes the RADIUS-server-provided application policy associated with this profile

7.1.5 area
Profile Config Commands

Sets the system's area of location (the physical area of deployment).

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  area <WORD>

Parameters
  area <WORD>

  area <WORD>   Sets the system's area of location
    <WORD>   Specify the area name (should not exceed 64 characters).

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#area Ecospace
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   bridge vlan 1
    ip igmp snooping
    ip igmp snooping querier
   area Ecospace
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   interface me1
   interface ge1
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
  no   Resets the configured area name

7.1.6 arp
Profile Config Commands

Adds a static Address Resolution Protocol (ARP) IP address to the ARP cache.

The ARP protocol maps an IP address to a hardware MAC address recognized on the network. ARP provides the protocol rules for making this correlation and for providing address conversion in both directions. When an incoming packet destined for a host arrives, ARP finds a physical host or MAC address that matches the IP address. ARP looks in its ARP cache and, if it finds the address, provides it so the packet can be converted to the right packet length, formatted, and sent to its destination. If no entry is found for the IP address, ARP broadcasts a request packet in a special format on the LAN to locate a device that recognizes the IP address. A device that recognizes the IP address as its own returns a reply indicating so. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  arp [<IP>|timeout]
  arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-4> <1-1> <1-1>] {dhcp-server|router}
  arp timeout <15-86400>

Parameters
  arp <IP> <MAC> arpa [<L3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1|serial <1-4> <1-1> <1-1>] {dhcp-server|router}
  arp <IP>                Adds a static ARP IPv4 address to the ARP cache
                          <IP> Specify the static IP address.
  <MAC>                   Specify the MAC address associated with the IP and the Switch Virtual Interface (SVI).
  arpa                    Sets the ARP encapsulation type to ARPA
  <L3-INTERFACE-NAME>     Configures a static ARP entry for a specified router interface
                          <L3-INTERFACE-NAME> Specify the router interface name.
  pppoe1                  Configures a static ARP entry for the PPP over Ethernet interface
  vlan <1-4094>           Configures a static ARP entry for a VLAN interface
                          <1-4094> Specify an SVI VLAN ID from 1 - 4094.
  wwan1                   Configures a static ARP entry for the Wireless WAN interface
  {dhcp-server|router}    The following keywords are common to all of the above interface types:
                          dhcp-server Optional. Sets ARP entries for a DHCP server
                          router Optional. Sets ARP entries for a router

  arp timeout <15-86400>
  arp timeout <15-86400>   Sets the ARP entry timeout
    <15-86400>   Sets the ARP entry timeout in seconds. Specify a value from 15 - 86400 seconds. The default is 3600 seconds.

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#arp timeout 2000
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   bridge vlan 1
    bridging-mode isolated-tunnel
    ip igmp snooping
    ip igmp snooping querier
   arp timeout 2000
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   interface me1
   interface ge1
    ip dhcp trust
    qos trust dscp
    qos trust 802.1p
   interface ge2
    ip dhcp trust
  --More--
  rfs6000-37FABE(config-profile-default-rfs7000)#
Related Commands

  no   Removes an entry from the ARP cache

7.1.7 auto-learn

Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a device's host name via DHCP options.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

auto-learn [host-name-via-dhcp <WORD>|staging-config]

Parameters

auto-learn [host-name-via-dhcp <WORD>|staging-config]

  auto-learn [host-name-via-dhcp <WORD>|staging-config]
      Enables auto-learning of:
      host-name-via-dhcp <WORD> A device's host name via a DHCP option.
        <WORD> Provide the optional template with a substitution token, for example 'outdoor-$DHCP[1:3]-ap', where the $DHCP token references the DHCP option value received by the adopting device. The $DHCP token should be present. This option is disabled by default.
      staging-config The network configuration of devices requesting adoption. This option is enabled by default. For dependent access points that are pre-staged prior to deployment, it is recommended that auto-learn staging-config remain enabled, so that the hostname, VLAN and IP addressing configuration is retained upon initial adoption. However, if dependent access points are to be centrally managed and configured, it is recommended that auto-learn staging-config be disabled.

Example

nx9500-6C8809(config-profile-test)#auto-learn staging-config
nx9500-6C8809(config-profile-test)#show context include-factory | include auto-learn
 auto-learn staging-config
 no auto-learn host-name-via-dhcp
nx9500-6C8809(config-profile-test)#
Related Commands

  no   Disables automatic learning of device host names and of the configuration of devices pending adoption

7.1.8 autogen-uniqueid

Auto-generates a unique ID for devices using this profile. When executed in the device configuration mode, this command generates a unique ID for the logged device.

A device's unique ID is a combination of a user-defined string (prefix, suffix, or both) and a substitution token. The WiNG implementation provides two built-in substitution tokens, $SN and $MiNT-ID, that represent the device's serial number and MiNT ID respectively. The values referenced by these substitution tokens are retrieved internally and combined with the user-defined string to auto-generate a unique identity for the device. The general format of this command is <PREFIX><SUBSTITUTION-TOKEN><SUFFIX>. You can provide both a prefix and a suffix, or just one of them. For example, given the following set of inputs:

  user-defined prefix: TestAP6522
  substitution token: $SN

the unique ID is generated using TestAP6522$SN, where $SN is replaced with the device's serial number. When executed on an AP6522 with serial number B4C7996C8809, the command autogen-uniqueid TestAP6522$SN generates the unique ID TestAP6522B4C7996C8809. When configured on an AP6522 profile, all AP6522s using the profile auto-generate a unique ID in which the device's serial number is preceded by the string TestAP6522.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

autogen-uniqueid <WORD>

Parameters

autogen-uniqueid <WORD>

  autogen-uniqueid <WORD>
      Auto-generates a device's unique ID (not exceeding 64 characters in length). The ID generated is a combination of the text provided and the value referenced through the substitution token $SN or $MiNT-ID. Wherever autogen-uniqueid is used, the device's serial number or MiNT ID is referenced, depending on the substitution token used.
      <WORD> Specify the format of the auto-generated unique ID using one of the following substitution tokens:
        $SN - references the SERIAL NUMBER of the device
        $MiNT-ID - references the MiNT ID of the device
      For example, Test-$SN-TechPubs. In this example Test and TechPubs represent the user-defined prefix and suffix respectively, and $SN is the substitution token.

Example

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#autogen-uniqueid Test-$MiNT-ID-TechPubs
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain TechPubs
 hostname nx9500-6C8809
 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
 timezone Asia/Calcutta
 use database-policy default
 use nsight-policy noc
 autogen-uniqueid Test-$MiNT-ID-TechPubs
 ip default-gateway 192.168.13.2
 device-upgrade auto rfs6000 ap81xx ap71xx ap7562 ap7532
 interface ge1
  switchport mode access
  switchport access vlan 1
 interface ge2
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
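The token expansion behind auto-learn host-name-via-dhcp (7.1.7) and autogen-uniqueid (this section), as an added Python example; this is not WiNG code. Where the guide is silent it assumes the following: $DHCP[a:b] selects characters a through b of the DHCP option value (1-based, inclusive); token names are matched case-insensitively, since both $MiNT-ID and $MINT-ID appear in this guide; and a generated ID longer than 64 characters is rejected rather than truncated. The serial number is the one from the AP6522 example above; the MiNT ID and the DHCP option value are constructed.

```python
"""Substitution-token expansion for autogen-uniqueid and auto-learn host-name-via-dhcp.

Added example, not WiNG code. Assumptions: $DHCP[a:b] is a 1-based inclusive
character slice; tokens match case-insensitively; IDs over 64 characters are rejected.
"""
import re

MAX_UNIQUE_ID_LEN = 64

# $SN, $MiNT-ID, and $DHCP with an optional [a:b] slice.
_TOKEN = re.compile(r"\$(SN|MINT-ID|DHCP(?:\[(\d+):(\d+)\])?)", re.IGNORECASE)


def expand_template(template, serial=None, mint_id=None, dhcp_option=None):
    """Replace every substitution token in template with the device's value.

    Raises ValueError if a token references a value the device did not supply,
    or if a $DHCP slice lies outside the received option value.
    """
    def substitute(match):
        token = match.group(1).upper()
        if token == "SN":
            if serial is None:
                raise ValueError("$SN used but no serial number available")
            return serial
        if token == "MINT-ID":
            if mint_id is None:
                raise ValueError("$MiNT-ID used but no MiNT ID available")
            return mint_id
        # $DHCP or $DHCP[a:b]
        if dhcp_option is None:
            raise ValueError("$DHCP used but no DHCP option value received")
        if match.group(2) is None:
            return dhcp_option
        start, end = int(match.group(2)), int(match.group(3))
        if start < 1 or end < start or end > len(dhcp_option):
            raise ValueError("$DHCP slice [%d:%d] outside option value" % (start, end))
        return dhcp_option[start - 1:end]   # 1-based inclusive slice (assumption)

    return _TOKEN.sub(substitute, template)


def autogen_uniqueid(template, serial, mint_id):
    """autogen-uniqueid <WORD>: needs $SN or $MiNT-ID; result capped at 64 characters."""
    if not re.search(r"\$(SN|MINT-ID)\b", template, re.IGNORECASE):
        raise ValueError("autogen-uniqueid template needs $SN or $MiNT-ID")
    uid = expand_template(template, serial=serial, mint_id=mint_id)
    if len(uid) > MAX_UNIQUE_ID_LEN:
        raise ValueError("unique ID exceeds %d characters: %r" % (MAX_UNIQUE_ID_LEN, uid))
    return uid


def dhcp_hostname(template, dhcp_option):
    """auto-learn host-name-via-dhcp <WORD>: the guide says the $DHCP token should be present."""
    if "$DHCP" not in template.upper():
        raise ValueError("host-name-via-dhcp template needs a $DHCP token")
    return expand_template(template, dhcp_option=dhcp_option)


if __name__ == "__main__":
    # Serial number from the guide's AP6522 example; MiNT ID is a constructed value.
    print(autogen_uniqueid("TestAP6522$SN", "B4C7996C8809", "68.88.09"))
    print(autogen_uniqueid("Test-$MiNT-ID-TechPubs", "B4C7996C8809", "68.88.09"))
    # Constructed DHCP option value; the slice keeps characters 1-3.
    print(dhcp_hostname("outdoor-$DHCP[1:3]-ap", "BLD7-Roof"))
```

The explicit checks matter operationally: a template without a device-specific token yields the same "unique" ID on every device using the profile, and an over-long template silently truncated elsewhere would do the same for devices whose serial numbers differ only in the trailing characters.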
Related Commands

  no   When executed in the device configuration mode, removes the device's autogen-uniqueid. When executed in the profile configuration mode, removes the autogen-uniqueid on all devices using the profile.

7.1.9 autoinstall

Automatically installs the firmware image and startup configuration parameters on the selected device.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

autoinstall [configuration|firmware|start-interval <WORD>]

Parameters

autoinstall [configuration|firmware|start-interval <WORD>]

  configuration
      Autoinstalls the startup configuration. Setup parameters are automatically configured on devices using this profile. This option is disabled by default.
  firmware
      Autoinstalls the firmware image. Firmware images are automatically installed on devices using this profile. This option is disabled by default.
  start-interval <WORD>
      Configures the interval between system boot and the start of the autoinstall process (the time, measured from system boot, after which autoinstall should start).
      <WORD> Specify the interval in minutes. The default is 10 minutes. Note: Zero (0) means firmware or startup configuration installation can start at any time.

Example

rfs6000-37FABE(config-profile-default-rfs6000)#autoinstall configuration
rfs6000-37FABE(config-profile-default-rfs6000)#autoinstall firmware
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 arp timeout 2000
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 interface me1
 interface ge1
  ip dhcp trust
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands

  no   Disables the autoinstall settings

7.1.10 bridge

The following table summarizes Ethernet bridge configuration commands:

  bridge - Enables the Ethernet bridge configuration context (page 7-32)
  bridge-vlan-mode commands - Summarizes bridge VLAN configuration mode commands (page 7-35)

7.1.10.1 bridge

Configures VLAN Ethernet bridging parameters. Use this command to configure bridge NAT or bridge VLAN settings.

Configuring bridge Network Address Translation (NAT) parameters allows management of Internet traffic originating at a remote site. In addition to traditional NAT functionality, bridge NAT provides a means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged traffic through the access point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router.

Using bridge NAT, a tunneled VLAN (extended VLAN) is created between the NOC and a remote location. When a remote client needs to access the Internet, Internet traffic is routed to the NOC, and from there routed to the Internet. This increases the access time for the end user on the client. To resolve these latency issues, bridge NAT identifies and segregates traffic heading towards the NOC from traffic heading outwards to the Internet. Traffic towards the NOC is allowed over the secure tunnel. Traffic towards the Internet is switched to a local WAN link with access to the Internet.

A Virtual LAN (VLAN) is a separately administered virtual network within the same physical managed network. VLANs are broadcast domains defined within wireless controllers or service platforms to allow control of broadcast, multicast, unicast, and unknown unicast traffic within a layer 2 device. For example, say several computers are used in conference room X and some in conference room Y. The systems in conference room X can communicate with one another, but not with the systems in conference room Y. A VLAN enables the systems in conference rooms X and Y to communicate with one another even though they are on separate physical subnets. The systems in conference rooms X and Y are managed by the same wireless controller or service platform, but ignore the systems that are not using the same VLAN ID.

Administrators often need to route traffic between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device, which will untag them. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the bridge VLAN forwards the data frame on the appropriate port(s).

VLANs are useful for setting up separate networks to isolate some computers from others, without actually having to have separate cabling and Ethernet switches. Controllers can do this on their own, without the computer or other gear needing to know what VLAN it is on (this is called port-based VLAN, since the VLAN is assigned by the port of the switch). Another common use is to put specialized devices like VoIP phones on a separate network for easier configuration, administration, security, or quality of service.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Note: For more information on the interface types and the devices supporting them, see interface.

Syntax

bridge [nat|vlan]
bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|overload|pool <NAT-POOL-NAME>)]
bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters

bridge nat source list <IP-ACCESS-LIST-NAME> precedence <1-500> interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address|interface|overload|pool <NAT-POOL-NAME>)]

  nat
      Configures bridge NAT parameters.
  source
      Configures NAT source addresses.
  list <IP-ACCESS-LIST-NAME>
      Associates an access control list (ACL) with this bridge NAT policy. The ACL specifies the IP address permit/deny rules applicable to this bridge NAT policy.
      <IP-ACCESS-LIST-NAME> Specify the access list name.
  precedence <1-500>
      Specifies a precedence value for this bridge NAT policy.
  interface [<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1]
      Selects one of the following as the primary interface (between the source and destination points):
      <LAYER3-INTERFACE-NAME> A router interface. Specify the interface name.
      pppoe1 A PPP over Ethernet interface.
      vlan <1-4094> A VLAN interface. Specify the VLAN interface index from 1 - 4094.
      wwan1 A Wireless WAN interface.
  [(address|interface|overload|pool <NAT-POOL-NAME>)]
      The following keywords are recursive and common to all interface types:
      address Configures the interface IP address used for NAT.
      interface Configures the failover interface (default setting).
      overload Enables use of one global address for multiple local addresses (terminates the command).
      pool <NAT-POOL-NAME> Configures the NAT pool used with this bridge NAT policy. Specify the NAT pool name. For more information on configuring a NAT pool, see nat-pool-config-instance.

bridge vlan [<1-4094>|<VLAN-ALIAS-NAME>]

  vlan <1-4094>
      Configures the numerical identifier for the bridge VLAN, assigned when it was initially created.
      <1-4094> Specify a VLAN index from 1 - 4094.
  vlan <VLAN-ALIAS-NAME>
      Configures the VLAN alias (which should already exist and be configured) identifying the bridge VLAN.
      <VLAN-ALIAS-NAME> Specify a VLAN alias name.

Usage Guidelines

Creating customized filter schemes for bridged networks limits the amount of unnecessary traffic processed and distributed by the bridging equipment. If a bridge does not hear Bridge Protocol Data Units (BPDUs) from the root bridge within the interval defined by the max-age (seconds) parameter, it assumes the network has changed and recomputes the spanning-tree topology.

Example

rfs6000-37FABE(config-profile-default-rfs6000)#bridge vlan 1
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#?
Bridge VLAN Mode commands:
  bridging-mode                              Configure how packets on this VLAN are bridged
  captive-portal                             Captive Portal
  captive-portal-enforcement                 Enable captive-portal enforcement on this extended VLAN
  description                                Vlan description
  edge-vlan                                  Enable edge-VLAN mode
  firewall                                   Enable vlan firewall(IPv4)
  http-analyze                               Forward URL and Data to controller
  ip                                         Internet Protocol (IP)
  ipv6                                       Internet Protocol version 6 (IPv6)
  l2-tunnel-broadcast-optimization           Enable broadcast optimization
  l2-tunnel-forward-additional-packet-types  Forward additional packet types not normally forwarded by l2 broadcast optimization
  mac-auth                                   Enable mac-auth for this bridge vlan
  no                                         Negate a command or set its defaults
  stateful-packet-inspection-l2              Enable stateful packet inspection in layer2 firewall
  tunnel                                     Vlan tunneling settings
  tunnel-over-level2                         Tunnel extended VLAN traffic over level 2 MiNT links
  use                                        Set setting to use

  clrscr                                     Clears the display screen
  commit                                     Commit all changes made in this session
  do                                         Run commands from Exec mode
  end                                        End current mode and change to EXEC mode
  exit                                       End current mode and down to previous mode
  help                                       Description of the interactive help system
  revert                                     Revert changes
  service                                    Service Commands
  show                                       Show running system information
  write                                      Write running configuration to memory or terminal

rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#
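How several bridge NAT policies of the form described above combine (ACL, precedence, interface address versus pool, overload), as an added Python model; this is not WiNG code, and it generalises the single-policy syntax to a set of overlapping policies. Where the guide does not state the semantics, the model assumes: policies are tried in ascending precedence order; an ACL is evaluated first-match with an implicit deny; a deny match exempts the packet from that policy only, and evaluation continues with the next policy; a packet no policy permits is bridged unchanged (towards the NOC tunnel); overload allocates one distinct source port per flow on the shared global address; and a pool hands out its addresses round-robin. All addresses and policies are constructed.

```python
"""Bridge NAT policy selection: ACL match, precedence order, overload and pools.

Added example, not WiNG code. Policy-ordering, ACL and port-allocation semantics
are assumptions documented in the lead-in; addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                       # "permit" or "deny"
    network: ipaddress.IPv4Network


def acl_lookup(acl, src):
    """First-match ACL evaluation; None means no entry matched (implicit deny)."""
    for entry in acl:
        if src in entry.network:
            return entry.action
    return None


@dataclass
class NatPolicy:
    precedence: int                   # 1-500 per the syntax above
    acl: list                         # the 'list <IP-ACCESS-LIST-NAME>' rules
    interface: str                    # the 'interface' keyword, e.g. "wwan1"
    pool: list = None                 # 'pool' global addresses; None means the interface address
    overload: bool = False            # 'overload': one global address for many local ones


class BridgeNat:
    def __init__(self, policies, interface_addr):
        self.policies = sorted(policies, key=lambda p: p.precedence)   # assumption: low first
        self.interface_addr = interface_addr     # interface name -> its IPv4 address
        self.port_next = {}                      # global address -> next free source port
        self.pool_rr = {}                        # policy precedence -> round-robin index

    def translate(self, src_ip, src_port):
        """Return ("nat", precedence, global_ip, global_port) or ("bridge",)."""
        src = ipaddress.IPv4Address(src_ip)
        for pol in self.policies:
            if acl_lookup(pol.acl, src) != "permit":   # deny or no match: try next policy
                continue
            if pol.pool is None:
                gip = self.interface_addr[pol.interface]
            else:
                i = self.pool_rr.get(pol.precedence, 0)
                gip = pol.pool[i % len(pol.pool)]
                self.pool_rr[pol.precedence] = i + 1
            if pol.overload:
                gport = self.port_next.get(gip, 1024)  # PAT: unique port per flow
                self.port_next[gip] = gport + 1
            else:
                gport = src_port
            return ("nat", pol.precedence, gip, gport)
        return ("bridge",)                        # no policy: stays on the tunnel


def demo():
    """Constructed policies: management hosts (first /28) stay on the tunnel, the
    rest of the site subnet is overloaded onto wwan1, guests use a two-address pool."""
    site = [AclEntry("deny", ipaddress.IPv4Network("192.168.10.0/28")),
            AclEntry("permit", ipaddress.IPv4Network("192.168.10.0/24"))]
    guest = [AclEntry("permit", ipaddress.IPv4Network("192.168.20.0/24"))]
    nat = BridgeNat(
        [NatPolicy(20, guest, "wwan1", pool=["203.0.113.10", "203.0.113.11"]),
         NatPolicy(10, site, "wwan1", overload=True)],
        {"wwan1": "203.0.113.1"})
    return [nat.translate("192.168.10.5", 40000),   # management host: exempt, bridged
            nat.translate("192.168.10.77", 40001),  # site host: overloaded onto wwan1
            nat.translate("192.168.10.78", 40001),  # second site host: distinct port
            nat.translate("192.168.20.9", 5000),    # guest: first pool address, port kept
            nat.translate("192.168.20.10", 5001),   # guest: second pool address
            nat.translate("10.9.9.9", 1)]           # no policy matches: bridged


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The deny entry is the part worth checking in a real policy: a host the ACL denies is not translated by that policy, so it is either caught by a later, broader policy or bridged to the NOC; which of the two happens depends on precedence, not on the order the policies were typed.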
7.1.10.2 bridge-vlan-mode commands

The following table summarizes bridge VLAN configuration mode commands:

  bridging-mode - Configures how packets on this VLAN are bridged (page 7-36)
  captive-portal - Enables IP packet snooping on wired captive portals, and also configures the subnet to snoop (page 7-38)
  captive-portal-enforcement - Enables auto-enforcement of captive portal rules on this extended VLAN interface (page 7-39)
  description - Configures the VLAN bridge description (page 7-40)
  edge-vlan - Enables edge VLAN mode (page 7-41)
  firewall - Enables the firewall on this bridge VLAN interface (page 7-42)
  http-analyze - Enables the analysis of URLs and data traffic on this bridge VLAN (page 7-43)
  ip - Configures IP components (page 7-44)
  ipv6 - Configures IPv6 components (page 7-47)
  l2-tunnel-broadcast-optimization - Enables broadcast optimization (page 7-50)
  l2-tunnel-forward-additional-packet-types - Enables forwarding of Wireless Network Management Protocol (WNMP) packets across L2 tunnels. These WNMP packets are normally not forwarded if L2 tunnel broadcast optimization is enabled. (page 7-51)
  mac-auth - Enables MAC authentication for extended VLAN and tunneled traffic (page 7-54)
  no - Negates a command or reverts settings to their default (page 7-56)
  stateful-packet-inspection-l2 - Enables stateful packet inspection in the layer 2 firewall (page 7-53)
  tunnel - Enables tunneling of unicast messages to unknown MAC destinations, on the selected VLAN bridge (page 7-57)
  tunnel-over-level2 - Enables extended VLAN traffic over level 2 MiNT links (page 7-59)
  use - Associates a captive portal, an access control list (IP, IPv6, or MAC), and a URL filter with this bridge VLAN (page 7-60)

7.1.10.2.1 bridging-mode

Configures how packets are bridged on the selected VLAN.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

bridging-mode [auto|isolated-tunnel|local|tunnel]

Parameters

bridging-mode [auto|isolated-tunnel|local|tunnel]

  bridging-mode
      Configures the VLAN bridging mode.
  auto
      Automatically selects the bridging mode to match the WLAN, VLAN and bridging mode configurations. When selected, the controller or access point determines the best bridging mode for the VLAN. This is the default setting.
  isolated-tunnel
      Bridges packets between local Ethernet ports and local radios, and passes tunneled packets through without de-tunneling. Select this option for a dedicated tunnel for bridging VLAN traffic.
  local
      Bridges packets normally between local Ethernet ports and local radios (if any). Local mode is typically configured in remote branch offices where traffic on remote private LAN segments needs to be bridged locally. Local mode implies that traffic, wired and wireless, is bridged locally.
  tunnel
      Bridges packets between local Ethernet ports, local radios, and tunnels to other APs, wireless controllers, or service platforms. Select this option to use a shared tunnel for bridging VLAN traffic. In tunnel mode, traffic at the AP is always forwarded through the best path. The APs decide the best path to reach the destination and forward packets accordingly. Setting the VLAN to tunnel mode ensures packets are bridged between local Ethernet ports, any local radios, and tunnels to other APs, wireless controllers, and service platforms.

Usage Guidelines

ACLs can only be used with the tunnel or isolated-tunnel modes. They do not work with the local and auto modes.

Example

rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#bridging-mode isolated-tunnel
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#
Related Commands

  no   Resets the bridging mode to auto

7.1.10.2.2 captive-portal

Enables IP (IPv4 and IPv6) packet snooping on wired captive portals, and also configures the subnet to snoop. When enabled, IP packets received from wired captive portal clients on the specified subnet are snooped to learn the IP to MAC mapping.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}

Parameters

captive-portal [ipv4-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}

  captive-portal [ipv4-snooping|ipv6-snooping]
      Enables snooping of IPv4 or IPv6 packets (based on the option selected) for wired captive portal clients.
  subnet <IPv4/M|IPv6/M>
      Enables IPv4 or IPv6 packet snooping on a specified subnet.
      <IPv4/M|IPv6/M> Specify the subnet address in the A.B.C.D/M or X:X::X:X/M format to identify an IPv4 or IPv6 subnet respectively. When specified, this is the IPv4/IPv6 subnet on which IP packets are snooped.
  excluded-address <IPv4|IPv6>
      Optional. Configures the IPv4 or IPv6 address excluded from snooping within the specified IPv4/IPv6 subnet.
      <IPv4|IPv6> Specify the IPv4 or IPv6 address. Use this parameter to exclude the gateway's address.

Example

nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#captive-portal ip-snooping subnet 192.168.13.0/24 excluded-address 192.168.13.7
nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#show context
 bridge vlan 4
  captive-portal ip-snooping subnet 192.168.13.0/24 excluded-address 192.168.13.7
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile NX9500Test-bridge-vlan-4)#
Related Commands

  no   Disables IP packet snooping on wired captive portals

7.1.10.2.3 captive-portal-enforcement

Enables auto-enforcement of captive portal rules on this extended VLAN interface. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

captive-portal-enforcement {fall-back}

Parameters

captive-portal-enforcement {fall-back}

  captive-portal-enforcement
      Enables auto-enforcement of captive portal access permission rules on data transmitted over this extended VLAN interface. When enforced, wired network users can pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried with the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user is allowed access. Note that a MAC address is not a secret and can be set by any host on the segment, so MAC-based admission should not be relied on as strong authentication.
      A captive portal is an access policy for providing temporary and restricted access using a standard Web browser. Captive portals capture and redirect a wired/wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to access the network.
  fall-back
      Optional. If enabling source MAC authentication for extended VLAN and tunneled traffic on this bridge VLAN, use this option to enforce captive portal authentication as the fall-back mode of authentication in case MAC authentication fails.

Example

nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#show context
 bridge vlan 20
  captive-portal-enforcement
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testAP7602-bridge-vlan-20)#
Related Commands

  no   Disables auto-enforcement of captive portal rules on this extended VLAN interface

7.1.10.2.4 description

Configures this extended VLAN's description.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

description <WORD>

Parameters

description <WORD>

  description <WORD>
      Configures a description for this VLAN bridge.
      <WORD> Enter a description. The description should be unique to the VLAN's specific configuration, to help differentiate it from other VLANs with similar configurations.

Example

rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#description This is a description for the bridged VLAN
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  description "This is a description for the bridged VLAN"
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#
Related Commands

  no   Removes the VLAN's description

7.1.10.2.5 edge-vlan

Enables the edge VLAN mode. In edge VLAN mode, a protected port does not forward traffic to another protected port on the same wireless controller or service platform. This feature is enabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

edge-vlan

Parameters

None

Example

rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#edge-vlan
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands

  no   Disables the edge VLAN mode

7.1.10.2.6 firewall

Enables the IPv4 firewall on this bridge VLAN interface. This feature is enabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

firewall

Parameters

None

Example

rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#firewall
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#

Related Commands

  no   Disables the firewall on this bridge VLAN interface

7.1.10.2.7 http-analyze

Enables the analysis of URLs and data traffic on this bridge VLAN. When enabled, URLs and data are forwarded to the controller running the HTTP analytics engine. Because query strings and POST bodies routinely carry session tokens and credentials, consider the post and query-string filters wherever that data is not strictly needed for analytics.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

http-analyze {filter [images|post|query-string]}

Parameters

http-analyze {filter [images|post|query-string]}

  http-analyze
      Enables URL and HTTP data analysis. Optionally use the filter keyword to filter out specific URLs.
  filter [images|post|query-string]
      Optional. Filters out specific URLs:
      images Filters out URLs referring to images.
      post Filters out URLs referring to POSTs.
      query-string Filters out query strings received from URLs.

Example

rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#http-analyze filter images
rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#show context
 bridge vlan 4
  http-analyze filter images
rfs4000-229D58(config-device 00-23-68-22-9D-58-bridge-vlan-4)#
Related Commands

  no   Disables forwarding of URLs and data to the controller running the HTTP analytics engine

7.1.10.2.8 ip

Configures VLAN bridge IP components.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ip [arp|dhcp|igmp]
ip [arp|dhcp] trust
ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count|mrouter|querier}
ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count <1-7>}
ip igmp snooping {mrouter [interface|learn]}
ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
ip igmp snooping {querier} {address|max-response-time|timer|version}
ip igmp snooping {querier} {address <IP>|max-response-time <1-25>|timer expiry <60-300>|version <1-3>}

Parameters

ip [arp|dhcp] trust

  ip
      Configures the VLAN bridge IP parameters.
  arp trust
      Configures the ARP trust parameter. Trusted ARP packets are used to update the DHCP snoop table, which is used to prevent IP spoofing and ARP cache poisoning attacks. This option is disabled by default. Because trusted ARP responses write into the very table those checks rely on, enable arp trust only on bridge VLANs where every host able to send ARP responses is itself trusted.
      trust Trusts ARP responses on the VLAN bridge.
  dhcp trust
      Configures the DHCP trust parameter. Treats DHCP packets from a DHCP server as trusted and permissible within the access point, wireless controller, or service platform managed network. DHCP packets are used to update the DHCP snoop table, which is used to prevent IP spoofing attacks. This feature is enabled by default.
      trust Trusts DHCP responses on the VLAN bridge.
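The snoop-table behaviour that ip dhcp trust and ip arp trust describe, as an added Python model; this is not WiNG code. It models a DHCP snooping binding table with ARP inspection and, where the guide is silent, assumes: trust is tracked per port; a DHCP server reply arriving on a port without dhcp trust is dropped; an ARP reply on a port without arp trust is permitted only if its sender IP/MAC pair matches a learned binding; and an ARP reply on an arp-trusted port is accepted and written into the table. The packet records are constructed dicts, not captured frames.

```python
"""DHCP snooping binding table with ARP inspection (the 'ip dhcp trust' /
'ip arp trust' behaviour on a bridge VLAN).

Added example, not WiNG code. Per-port trust and the drop rules are assumptions;
the traffic in demo() is constructed.
"""
import ipaddress

LEARNED = "learned"
PERMIT = "permit"
DROP_ROGUE_DHCP = "drop: DHCP server reply on untrusted port"
DROP_NO_BINDING = "drop: no binding for sender IP"
DROP_MAC_MISMATCH = "drop: sender MAC does not match binding (ARP poisoning)"


class SnoopTable:
    def __init__(self, dhcp_trusted_ports, arp_trusted_ports=()):
        self.dhcp_trusted = set(dhcp_trusted_ports)   # ports a real DHCP server sits behind
        self.arp_trusted = set(arp_trusted_ports)     # ports whose ARP replies update the table
        self.bindings = {}                            # (vlan, ip) -> mac

    def on_dhcp_ack(self, pkt):
        """Server-to-client DHCPACK: learn (vlan, yiaddr) -> chaddr if the server side is trusted."""
        if pkt["port"] not in self.dhcp_trusted:
            return DROP_ROGUE_DHCP
        key = (pkt["vlan"], ipaddress.ip_address(pkt["yiaddr"]))
        self.bindings[key] = pkt["chaddr"].lower()
        return LEARNED

    def on_arp_reply(self, pkt):
        """Inspect an ARP reply's sender pair; an arp-trusted port updates the table instead."""
        key = (pkt["vlan"], ipaddress.ip_address(pkt["sender_ip"]))
        mac = pkt["sender_mac"].lower()
        if pkt["port"] in self.arp_trusted:
            self.bindings[key] = mac
            return LEARNED
        bound = self.bindings.get(key)
        if bound is None:
            return DROP_NO_BINDING
        if bound != mac:
            return DROP_MAC_MISMATCH
        return PERMIT


def demo():
    """Constructed traffic on VLAN 10: uplink ge1 carries the real DHCP server,
    clients sit on radio1; then the same attacker against an arp-trusted uplink."""
    t = SnoopTable(dhcp_trusted_ports=["ge1"])
    ack = {"port": "ge1", "vlan": 10, "yiaddr": "192.168.10.50", "chaddr": "00:11:22:33:44:55"}
    rogue = dict(ack, port="radio1", yiaddr="192.168.10.51", chaddr="de:ad:be:ef:00:02")
    good_arp = {"port": "radio1", "vlan": 10,
                "sender_ip": "192.168.10.50", "sender_mac": "00:11:22:33:44:55"}
    poison = dict(good_arp, sender_mac="de:ad:be:ef:00:01")   # claims .50 with another MAC
    unknown = dict(good_arp, sender_ip="192.168.10.51")       # .51 was never leased
    verdicts = [t.on_dhcp_ack(ack), t.on_dhcp_ack(rogue), t.on_arp_reply(good_arp),
                t.on_arp_reply(poison), t.on_arp_reply(unknown)]

    # With arp trust on ge1, a reply seen there seeds the table; the client-side
    # poisoning attempt is still caught because radio1 is not arp-trusted.
    t2 = SnoopTable(dhcp_trusted_ports=["ge1"], arp_trusted_ports=["ge1"])
    verdicts.append(t2.on_arp_reply(dict(good_arp, port="ge1")))
    verdicts.append(t2.on_arp_reply(poison))
    return verdicts


if __name__ == "__main__":
    for v in demo():
        print(v)
```

The last two verdicts show why the arp trust default is off: had radio1 been arp-trusted, the poisoned reply would have overwritten the .50 binding instead of being dropped.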
ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count <1-7>}

  ip
      Configures the VLAN bridge IP parameters.
  igmp snooping
      Configures Internet Group Management Protocol (IGMP) snooping parameters. IGMP snooping is enabled by default. IGMP establishes and maintains multicast group memberships for interested members. Multicast snooping allows a networked device to listen to IGMP network traffic and forward multicast packets only to the radios on which interested hosts are connected. The device also maintains a map of the links that require multicast streams, thereby reducing unnecessary flooding of the network with multicast traffic.
  fast-leave
      Optional. Enables fast leave processing. When enabled, layer 2 LAN interfaces are removed from the IGMP snooping forwarding table entry without first sending IGMP group-specific queries to the interface. On receiving a group-specific IGMPv2 leave message, IGMP snooping removes the interface from the layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast-leave processing enhances bandwidth management for all hosts on the network. This option is disabled by default. This feature is supported only on the AP7502, AP8232 and AP8533 model access points.
  forward-unknown-multicast
      Optional. Enables forwarding of multicast packets from unregistered multicast groups. If disabled, the unknown multicast forward feature is also disabled for individual VLANs. This option is enabled by default.
  last-member-query-count <1-7>
      Optional. Configures the last member query count, which determines the number of group-specific queries sent before the snoop entry is removed.
      <1-7> Specify the count from 1 - 7. The default value is 2.
  ip             Configures the VLAN bridge IP parameters
  igmp snooping  Configures the IGMP snooping parameters
  mrouter        Optional. Configures the multicast router parameters
  interface <INTERFACE-LIST>  Configures the multicast router interfaces. This option is disabled by default.
                 <INTERFACE-LIST>  Specify a comma-separated list of interface names.
  learn pim-dvmrp  Configures the multicast router learning protocols. This option is disabled by default.
                 pim-dvmrp  Enables Protocol-Independent Multicast (PIM) and Distance-Vector Multicast Routing Protocol (DVMRP) snooping of packets
ip igmp snooping {querier} {address <IP>|max-response-time <1-25>|timer expiry <60-300>|version <1-3>}
  ip             Configures the VLAN bridge IP parameters
  igmp snooping  Configures the IGMP snooping parameters
  querier        Optional. Enables the IGMP querier and configures its parameters. This option is disabled by default. The IGMP snoop querier keeps host memberships alive. It is primarily used in a network that has a multicast streaming server and hosts subscribed to that server, but no IGMP querier present. The access point, wireless controller, or service platform performs the IGMP querier role: it sends periodic IGMP query packets, and interested hosts reply with IGMP report packets. IGMP snooping is only conducted on wireless radios. IGMP multicast packets are not flooded on wired ports; IGMP membership is also learned on wired ports, and multicast traffic is forwarded on a wired port only if membership is present there. The access point, wireless controller, or service platform forwards multicast packets only to radios present in the snooping table. IGMP reports from wired ports are forwarded to the multicast router ports. If no reports are received from a radio, it is removed from the snooping table and stops receiving multicast packets.
  address <IP>   Optional. Configures the IGMP querier source IP address. This address is used as the default VLAN querier IP address.
                 <IP>  Specify the IGMP querier source IP address.
  max-response-time <1-25>  Optional. Configures the IGMP querier maximum response time. This option is disabled by default.
                 <1-25>  Specify the maximum response time from 1 - 25 seconds.
  timer expiry <60-300>  Optional. Configures the IGMP querier expiry time. The value specified is used as the timeout interval for other querier resources. This option is disabled by default.
                 expiry    Configures the IGMP querier timeout
                 <60-300>  Specify the IGMP querier timeout from 60 - 300 seconds.
  version <1-3>  Optional. Configures the IGMP version. This option is disabled by default.
                 <1-3>  Specify the IGMP version. The versions are 1 - 3.
Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip arp trust
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip dhcp trust
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping mrouter interface ge1 ge2
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping mrouter learn pim-dvmrp
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier max-response-time 24
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier timer expiry 100
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#ip igmp snooping querier version 2
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  description This is a description for the bridged VLAN
  ip arp trust
  ip dhcp trust
  ip igmp snooping
  ip igmp snooping querier
  ip igmp snooping querier version 2
  ip igmp snooping querier max-response-time 24
  ip igmp snooping querier timer expiry 100
  ip igmp snooping mrouter interface ge2 ge1
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#
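The two protections configured by the ip command above, a DHCP snoop table fed by trusted DHCP (and, optionally, trusted ARP) and consulted to reject ARP cache poisoning and IP spoofing, plus IGMP snooping with mrouter ports, fast-leave and last-member-query-count, can be pictured as one per-VLAN decision function. The following is an added Python model written for this page; it is not WiNG code. The frame dictionaries, the port names (ge1, ge2, radio1, radio2) and the addresses are constructed, and the exact rules for populating and consulting the snoop table are a simplified reading of the parameter descriptions above, not the product's implementation.

```python
from dataclasses import dataclass, field


@dataclass
class BridgeVlan:
    """Simplified bridge VLAN with the ip arp/dhcp trust and igmp snooping settings.

    Added model, not WiNG code. `snoop` maps a leased IP to the MAC that received
    it; `groups` maps a multicast group to the ports on which members reported.
    """
    ports: set
    dhcp_trust: bool = True                  # ip dhcp trust (enabled by default)
    arp_trust: bool = False                  # ip arp trust (disabled by default)
    igmp_snooping: bool = True               # ip igmp snooping (enabled by default)
    forward_unknown_multicast: bool = True   # enabled by default
    fast_leave: bool = False                 # disabled by default
    last_member_query_count: int = 2         # default 2
    mrouter_ports: set = field(default_factory=set)  # ip igmp snooping mrouter interface
    snoop: dict = field(default_factory=dict)        # ip -> mac (DHCP snoop table)
    groups: dict = field(default_factory=dict)       # group -> {ports with members}
    pending: dict = field(default_factory=dict)      # (group, port) -> unanswered queries

    def flood(self, in_port):
        # No unicast MAC table in this model: non-multicast traffic is flooded.
        return self.ports - {in_port}

    def handle(self, frame, in_port):
        """Return ('forward', ports) or ('drop', reason) for one constructed frame."""
        kind = frame["type"]
        if kind == "dhcp_ack":                     # server reply carrying the lease
            if not self.dhcp_trust:
                return "drop", "untrusted DHCP server response"
            self.snoop[frame["yiaddr"]] = frame["chaddr"]
            return "forward", self.flood(in_port)
        if kind == "arp_reply":
            ip, mac = frame["sender_ip"], frame["sender_mac"]
            bound = self.snoop.get(ip)
            if bound is not None and bound != mac:
                return "drop", "ARP cache poisoning attempt"
            if bound is None and self.arp_trust:   # only trusted ARP may add bindings
                self.snoop[ip] = mac
            return "forward", self.flood(in_port)
        if kind == "ip":
            bound = self.snoop.get(frame["src_ip"])
            if bound is not None and bound != frame["src_mac"]:
                return "drop", "IP spoofing attempt"
            return "forward", self.flood(in_port)
        if kind in ("igmp_report", "igmp_leave"):
            if not self.igmp_snooping:
                return "forward", self.flood(in_port)
            group = frame["group"]
            if kind == "igmp_report":
                self.groups.setdefault(group, set()).add(in_port)
                self.pending.pop((group, in_port), None)
            elif in_port not in self.mrouter_ports:   # never prune a learned mrouter port
                if self.fast_leave:
                    self.groups.get(group, set()).discard(in_port)
                else:
                    self.pending[(group, in_port)] = 0  # group-specific queries go out first
            return "forward", self.mrouter_ports - {in_port}
        if kind == "multicast":
            if not self.igmp_snooping:
                return "forward", self.flood(in_port)
            members = self.groups.get(frame["group"], set())
            if members:
                return "forward", (members | self.mrouter_ports) - {in_port}
            if self.forward_unknown_multicast:
                return "forward", self.flood(in_port)
            return "forward", self.mrouter_ports - {in_port}
        return "forward", self.flood(in_port)

    def query_unanswered(self, group, port):
        """One group-specific query to `port` timed out with no report in reply."""
        count = self.pending.get((group, port), 0) + 1
        if count >= self.last_member_query_count:
            self.groups.get(group, set()).discard(port)
            self.pending.pop((group, port), None)
        else:
            self.pending[(group, port)] = count


def demo():
    """Constructed scenario: a lease, a poisoning attempt, a spoof, and IGMP membership."""
    vlan = BridgeVlan(ports={"ge1", "ge2", "radio1", "radio2"}, mrouter_ports={"ge1"})
    out = {}
    # DHCP ACK from the wired server on ge1 leases 10.0.0.5 to the client on radio1
    out["lease"] = vlan.handle({"type": "dhcp_ack", "yiaddr": "10.0.0.5",
                                "chaddr": "aa:aa:aa:aa:aa:01"}, "ge1")
    # a station on radio2 claims 10.0.0.5, first in an ARP reply, then as an IP source
    out["poison"] = vlan.handle({"type": "arp_reply", "sender_ip": "10.0.0.5",
                                 "sender_mac": "bb:bb:bb:bb:bb:02"}, "radio2")
    out["spoof"] = vlan.handle({"type": "ip", "src_ip": "10.0.0.5",
                                "src_mac": "bb:bb:bb:bb:bb:02"}, "radio2")
    out["legit"] = vlan.handle({"type": "ip", "src_ip": "10.0.0.5",
                                "src_mac": "aa:aa:aa:aa:aa:01"}, "radio1")
    # radio1 joins 239.1.1.1; the stream enters from the multicast router on ge1
    vlan.handle({"type": "igmp_report", "group": "239.1.1.1"}, "radio1")
    out["mcast"] = vlan.handle({"type": "multicast", "group": "239.1.1.1"}, "ge1")
    out["unknown"] = vlan.handle({"type": "multicast", "group": "239.9.9.9"}, "ge1")
    # without fast-leave the entry survives until last-member-query-count queries go unanswered
    vlan.handle({"type": "igmp_leave", "group": "239.1.1.1"}, "radio1")
    out["after_leave"] = vlan.handle({"type": "multicast", "group": "239.1.1.1"}, "ge1")
    for _ in range(vlan.last_member_query_count):
        vlan.query_unanswered("239.1.1.1", "radio1")
    out["after_queries"] = vlan.handle({"type": "multicast", "group": "239.1.1.1"}, "ge1")
    return out
```

With the defaults, the ARP reply from radio2 is dropped because 10.0.0.5 is already bound to another MAC by the DHCP ACK, and a reply for an unbound address is forwarded but not learned unless arp trust is on. Turning dhcp trust off in the model makes server replies on the VLAN untrusted, which is the rogue-DHCP case the parameter description is about; turning igmp snooping off collapses every multicast decision to a flood.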
Related Commands
  no  Disables or reverts the VLAN Ethernet bridge parameters
7.1.10.2.9 ipv6
bridge-vlan-mode commands
Configures this VLAN bridge's IPv6 components
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ipv6 [dhcpv6|firewall|mld|nd]
ipv6 dhcpv6 trust
ipv6 firewall
ipv6 mld snooping {forward-unknown-multicast|mrouter|querier}
ipv6 mld snooping {forward-unknown-multicast}
ipv6 mld snooping {mrouter [interface|learn]}
ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
ipv6 mld snooping {querier} {max-response-time|timer|version}
ipv6 mld snooping {querier} {max-response-time <1-25000>|timer expiry <60-300>|version <1-2>}
ipv6 nd raguard
Parameters
ipv6 dhcpv6 trust
  ipv6          Configures the VLAN bridge IPv6 parameters
  dhcpv6 trust  Enables the DHCPv6 trust option. When enabled, all DHCPv6 responses are trusted on this bridge VLAN. This option is enabled by default.
                trust  Trusts DHCPv6 responses on this bridge VLAN
ipv6 firewall
  ipv6      Configures the VLAN bridge IPv6 parameters
  firewall  Enables the IPv6 firewall on this bridge VLAN. This option is enabled by default. Devices using IPv6 addressing require firewall protection specific to IPv6 traffic. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters. Routers respond to such a request with a router advertisement (RA) packet that contains Internet layer configuration parameters.
ipv6 mld snooping {forward-unknown-multicast}
  ipv6          Configures the VLAN bridge IPv6 parameters
  mld snooping  Configures Multicast Listener Discovery Protocol (MLD) snooping parameters. MLD snooping enables an access point, wireless controller, or service platform to examine MLD packets and make forwarding decisions based on their content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and to join multicast groups. MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or access point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to identify the hosts receiving multicast group traffic. The access point, wireless controller, or service platform forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces. This option is enabled by default.
  forward-unknown-multicast  Optional. Enables forwarding of multicast packets from unregistered multicast groups. If disabled, the unknown multicast forward feature is also disabled for individual VLANs. This option is enabled by default.
ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
  ipv6          Configures the VLAN bridge IPv6 parameters
  mld snooping  Configures MLD snooping parameters. This option is enabled by default.
  mrouter       Optional. Configures the multicast router parameters, such as the interfaces and the learning protocol used.
  interface <INTERFACE-LIST>  Configures the multicast router interfaces. This option is disabled by default.
                <INTERFACE-LIST>  Specify a comma-separated list of interface names.
  learn pim-dvmrp  Configures the multicast router learning protocols. This option is disabled by default.
                pim-dvmrp  Enables PIM and DVMRP snooping of packets
ipv6 mld snooping {querier} {max-response-time <1-25000>|timer expiry <60-300>|version <1-2>}
  ipv6          Configures the VLAN bridge IPv6 parameters
  mld snooping  Configures IPv6 MLD snooping parameters
  querier       Optional. Enables and configures the MLD querier parameters. When enabled, the device (access point, wireless controller, or service platform) sends query messages to discover which network devices are members of a given multicast group. This option is disabled by default.
  max-response-time <1-25000>  Optional. Configures the IPv6 MLD querier's maximum response time. This option is disabled by default.
                <1-25000>  Specify the maximum response time from 1 - 25000 milliseconds.
  timer expiry <60-300>  Optional. Configures the IPv6 MLD other querier's timeout. This option is disabled by default.
                <60-300>  Specify the MLD other querier's timeout from 60 - 300 seconds.
  version <1-2>  Optional. Configures the IPv6 MLD querier version. This option is disabled by default.
                <1-2>  Specify the MLD version. The versions are 1 - 2.
ipv6 nd raguard
  ipv6        Configures the VLAN bridge IPv6 parameters
  nd raguard  Allows router advertisement (RA) or ICMPv6 redirects on this VLAN bridge. This option is enabled by default.
Example
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 dhcpv6 trust
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 firewall
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping forward-unknown-multicast
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping mrouter interface ge1 ge2
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping mrouter learn pim-dvmrp
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier max-response-time 20000
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier timer expiry 200
rfs7000-37FABE(config-profile test-bridge-vlan-2)#ipv6 mld snooping querier version 2
rfs7000-37FABE(config-profile test-bridge-vlan-2)#show context
 bridge vlan 2
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
  ipv6 mld snooping mrouter interface ge2 ge1
  ipv6 mld snooping querier version 2
  ipv6 mld snooping querier max-response-time 20000
  ipv6 mld snooping querier timer expiry 200
rfs7000-37FABE(config-profile test-bridge-vlan-2)#
Related Commands
  no  Disables or reverts the VLAN Ethernet bridge IPv6 parameters
7.1.10.2.10 l2-tunnel-broadcast-optimization
bridge-vlan-mode commands
Enables broadcast optimization on this bridge VLAN. L2 tunnel broadcast optimization prevents flooding of ARP packets over the virtual interface. Based on the learned information, ARP packets are filtered at the wireless controller level.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
l2-tunnel-broadcast-optimization
Parameters
None
Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#l2-tunnel-broadcast-optimization
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  description This is a description for the bridged VLAN
  l2-tunnel-broadcast-optimization
  bridging-mode isolated-tunnel
  ip arp trust
  ip dhcp trust
  ip igmp snooping
  ip igmp snooping querier
  ip igmp snooping mrouter interface ge2 ge1
  ip igmp snooping querier version 2
  ip igmp snooping querier max-response-time 24
  ip igmp snooping querier timer expiry 100
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#
Related Commands
  no  Disables L2 tunnel broadcast optimization
7.1.10.2.11 mac-auth
bridge-vlan-mode commands
Enables source MAC authentication for extended VLAN and tunneled traffic (MiNT and L2TPv3) on this bridge VLAN
NOTE: When enabling MAC authentication, ensure that an AAA policy is configured and applied for enforcing MAC authentication.
Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
mac-auth {attempts <1-5>|throttle <0-255>}
Parameters
mac-auth {attempts <1-5>|throttle <0-255>}
  mac-auth          Enables MAC authentication
  attempts <1-5>    Optional. Configures the maximum number of retries allowed for MAC authentication requests.
                    <1-5>  Specify the maximum allowed authentication retries from 1 - 5. The default is 3.
  throttle <0-255>  Optional. Configures the throttle value for MAC authentication requests
                    <0-255>  Specify the MAC authentication request throttle value from 0 - 255. The default is 64.
Usage Guidelines
Applying an AAA Policy for MAC Authentication
To enable MAC authentication:
Create an AAA policy.
nx9500-6C8809(config)#aaa-policy MAC-Auth
Use the AAA policy on the device for MAC authentication.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#mac-auth use aaa-policy MAC-Auth
In the bridge VLAN context, enable MAC authentication.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth
Optionally, configure the following MAC authentication parameters. If not specified, default values are applied.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth attempts 2
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#mac-auth throttle 100
Usage Guidelines
Enabling Fall-back Captive Portal Authentication
To enable fall-back captive-portal authentication on the bridge VLAN:
Apply a captive-portal policy to the bridge VLAN.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#use captive-portal test
Enable captive-portal authentication as the fall-back authentication mode.
nx9500-6C8809(config-device B4-C7-99-6C-88-09-bridge-vlan-20)#captive-portal-enforcement fall-back
Example
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#mac-auth attempts 2
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#mac-auth throttle 80
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#show context
 bridge vlan 20
  mac-auth attempts 2
  mac-auth throttle 80
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9000-bridge-vlan-20)#
Related Commands
  no  Disables MAC authentication for extended VLAN and tunneled traffic on this bridge VLAN
7.1.10.2.12 l2-tunnel-forward-additional-packet-types
bridge-vlan-mode commands
Enables forwarding of Wireless Network Management Protocol (WNMP) packets across L2 tunnels. Normally, when L2 tunnel broadcast optimization is enabled, WNMP packets are not forwarded across the L2 tunnels. Use this option to enable the forwarding of WNMP packets only.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
l2-tunnel-forward-additional-packet-types wnmp
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#l2-tunnel-forward-additional-packet-types wnmp
nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#show context
 bridge vlan 1
  l2-tunnel-broadcast-optimization
  l2-tunnel-forward-additional-packet-types wnmp
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9000-bridge-vlan-1)#
Related Commands
  no  Disables WNMP packet forwarding across L2 tunnels
7.1.10.2.13 no
bridge-vlan-mode commands
Negates a command or reverts settings to their default. The no command, when used in the bridge VLAN mode, negates the VLAN bridge settings or reverts them to their default.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [bridging-mode|captive-portal|captive-portal-enforcement|description|edge-vlan|firewall|http-analyze|ip|ipv6|l2-tunnel-broadcast-optimization|l2-tunnel-forward-additional-packet-types|mac-auth|stateful-packet-inspection-l2|tunnel|tunnel-over-level2|use]
no [bridging-mode|captive-portal-enforcement|description|edge-vlan|firewall|l2-tunnel-broadcast-optimization|l2-tunnel-forward-additional-packet-types|mac-auth|stateful-packet-inspection-l2|tunnel-over-level2]
no captive-portal [ip-snooping|ipv6-snooping] subnet <IPv4/M|IPv6/M> {excluded-address <IPv4|IPv6>}
no http-analyze {filter [images|post|query-string]}
no ip [arp|dhcp|igmp]
no ip [arp|dhcp] trust
no ip igmp snooping {fast-leave|forward-unknown-multicast|last-member-query-count|mrouter|querier}
no ip igmp snooping {forward-unknown-multicast}
no ip igmp snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
no ip igmp snooping {querier} {address|max-response-time|timer expiry|version}
no ipv6 [dhcpv6|firewall|mld|nd]
no ipv6 dhcpv6 trust
no ipv6 firewall
no ipv6 mld snooping {forward-unknown-multicast}
no ipv6 mld snooping {mrouter [interface <INTERFACE-LIST>|learn pim-dvmrp]}
no ipv6 mld snooping {querier} {max-response-time|timer expiry|version}
no ipv6 nd raguard
no tunnel [rate-limit level2|unknown-unicast]
no use [application-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|url-list] tunnel out
Parameters
no <PARAMETERS>
  no <PARAMETERS>  Resets or reverts this bridge VLAN's settings based on the parameters passed
Example
The following example displays bridge VLAN 20 settings before the no commands are executed:
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#no ip igmp snooping
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#no ipv6 mld snooping
The following example displays bridge VLAN 20 settings after the no commands are executed:
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  no ip igmp snooping
  ip igmp snooping querier
  no ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile testNX9500-bridge-vlan-20)#
The following example displays bridge VLAN 20 MAC authentication settings before and after no mac-auth is executed:
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  mac-auth attempts 2
  mac-auth throttle 80
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#no mac-auth
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#show context
 bridge vlan 20
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
  ipv6 mld snooping querier
nx9500-6C8809(config-profile TestProfileNX9500-bridge-vlan-20)#
7.1.10.2.14 stateful-packet-inspection-l2
bridge-vlan-mode commands
Enables stateful packet inspection (SPI) at the layer 2 firewall. SPI, also referred to as dynamic packet filtering, is a security feature that tracks the operating state and characteristics of the network connections traversing it. It distinguishes legitimate packets for different types of connections, and only allows packets matching a known active connection to pass.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
stateful-packet-inspection-l2
Parameters
None
Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#stateful-packet-inspection-l2
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#
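The "only allows packets matching a known active connection" rule above is a connection tracker: sessions are created by traffic leaving the protected side and inbound traffic is admitted only when it matches the reverse of a live session. The following is an added Python model of that behaviour, written for this page; it is not WiNG code and does not reproduce the product's firewall. The packet dictionaries, addresses, ports, the 30-second idle timeout and the rule that a TCP session can only be opened by a SYN are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """5-tuple of one packet; sessions are stored in their outbound orientation."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


class StatefulL2Filter:
    """Connection tracker modelling the SPI behaviour described above.

    Added example, not WiNG code. Sessions are opened only by packets leaving
    the protected side ("out"): a TCP session needs a SYN to open, UDP/ICMP
    open on the first outbound packet. Packets arriving from the tunnel or
    wired side ("in") pass only if they match the reverse of a live session.
    Idle sessions expire; FIN/RST teardown is left out for brevity.
    """

    def __init__(self, idle_timeout=30):
        self.idle_timeout = idle_timeout
        self.sessions = {}          # Flow (outbound orientation) -> last-seen time

    def _expire(self, now):
        for flow in [f for f, t in self.sessions.items() if now - t > self.idle_timeout]:
            del self.sessions[flow]

    def inspect(self, pkt, direction, now):
        """Return 'accept' or 'drop' for one constructed packet dict."""
        self._expire(now)
        flow = Flow(pkt["proto"], pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"])
        if direction == "out":
            opens = pkt["proto"] != "tcp" or pkt.get("flags") == "SYN"
            if flow in self.sessions or opens:
                self.sessions[flow] = now       # create or refresh the session
                return "accept"
            return "drop"                       # stray mid-stream TCP with no session
        initiator = flow.reverse()
        if initiator in self.sessions and pkt.get("flags") != "SYN":
            self.sessions[initiator] = now      # reply traffic keeps the session alive
            return "accept"
        return "drop"                           # unsolicited inbound traffic


def demo():
    """Constructed traffic: one HTTPS session, an inbound probe, expiry, and a DNS exchange."""
    fw = StatefulL2Filter(idle_timeout=30)
    client = {"proto": "tcp", "src_ip": "10.0.0.5", "src_port": 51000,
              "dst_ip": "203.0.113.10", "dst_port": 443}
    server = {"proto": "tcp", "src_ip": "203.0.113.10", "src_port": 443,
              "dst_ip": "10.0.0.5", "dst_port": 51000}
    out = {}
    out["unsolicited"] = fw.inspect(dict(server, flags="SYN,ACK"), "in", now=0)      # no session yet
    out["syn"] = fw.inspect(dict(client, flags="SYN"), "out", now=1)                  # opens the session
    out["synack"] = fw.inspect(dict(server, flags="SYN,ACK"), "in", now=2)           # matches reverse
    out["probe"] = fw.inspect(dict(server, src_port=4444, flags="SYN"), "in", now=3)  # scan of the client
    out["idle"] = fw.inspect(dict(server, flags="ACK"), "in", now=40)                # session expired
    fw.inspect({"proto": "udp", "src_ip": "10.0.0.5", "src_port": 40000,
                "dst_ip": "10.0.0.1", "dst_port": 53}, "out", now=41)
    out["dns_reply"] = fw.inspect({"proto": "udp", "src_ip": "10.0.0.1", "src_port": 53,
                                   "dst_ip": "10.0.0.5", "dst_port": 40000}, "in", now=42)
    return out
```

The point the section makes, that a stateless layer 2 filter would pass the unsolicited SYN/ACK and the port-4444 probe because nothing in the packet itself is malformed, shows up here as the first and fourth results: both are dropped only because no matching session exists.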
Related Commands
  no  Disables stateful packet inspection at the layer 2 firewall
7.1.10.2.15 tunnel
bridge-vlan-mode commands
Enables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
tunnel [rate-limit|unknown-unicast]
tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
tunnel unknown-unicast
Parameters
tunnel rate-limit level2 rate <50-1000000> max-burst-size <2-1024> {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}
  tunnel rate-limit level2  Configures rate-limit parameters (rate and max-burst-size) for tunneled VLAN traffic over level 2 MiNT links
  rate <50-1000000>  Optional. Configures the data rate, in kilobits per second, for incoming and outgoing extended VLAN traffic tunneled over MiNT level 2 links
                <50-1000000>  Specify a value from 50 - 1000000 Kbps. The default is 5000 Kbps.
  max-burst-size <2-1024>  Optional. Configures the maximum burst size
                <2-1024>  Specify the maximum burst size from 2 - 1024 kbytes. The default is 320 kbytes. After specifying the max-burst-size, optionally specify the red-threshold value for the different traffic types. The red-threshold is configured as a percentage of the specified max-burst-size.
  red-threshold  Optional. Configures the random early detection (RED) threshold for the different traffic types
                background   Configures the red-threshold for low priority traffic from 0 - 100. The default is 50% of the specified max-burst-size.
                best-effort  Configures the red-threshold for normal priority traffic from 0 - 100. The default is 50% of the specified max-burst-size.
                video        Configures the red-threshold for video traffic from 0 - 100. The default is 25% of the specified max-burst-size.
                voice        Configures the red-threshold for voice traffic from 0 - 100. The default is 0% of the specified max-burst-size.
tunnel unknown-unicast
  tunnel unknown-unicast  Enables tunneling of unicast packets destined for unknown MAC addresses
Example
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#tunnel unknown-unicast
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#no tunnel unknown-unicast
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#show context
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
  no tunnel unknown-unicast
rfs6000-37FABE(config-profile TestAP81xx-bridge-vlan-1)#
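The rate, max-burst-size and per-class red-threshold parameters above describe a token bucket with random early detection applied per traffic class. The following is an added Python model of those semantics written for this page; it is not WiNG code, and the page does not state how the product evaluates the thresholds. Assumed here: the bucket holds max-burst-size kbytes (taken as 1024-byte units) and refills at rate kbps; each threshold is a percentage of max-burst-size; once the burst already consumed passes a class's threshold, packets of that class are dropped with a probability rising linearly to 1 at a full bucket; and a threshold of 0, the voice default, is read as "no early drop for this class". The packet sizes and the round-robin burst in demo() are constructed.

```python
import random

DEFAULT_RED = {"background": 50, "best-effort": 50, "video": 25, "voice": 0}


class Level2TunnelShaper:
    """Token-bucket model of `tunnel rate-limit level2` with per-class RED thresholds.

    Added example, not WiNG code. The bucket holds max-burst-size kbytes (assumed
    1 kbyte = 1024 bytes) and refills at rate kbps. Each red-threshold is a
    percentage of max-burst-size; once the burst already consumed exceeds a
    class's threshold, that class is dropped with a probability rising linearly
    to 1 at a full bucket. A threshold of 0 (the voice default) is assumed to
    mean no early drop for that class.
    """

    def __init__(self, rate_kbps=5000, max_burst_kbytes=320, red_threshold=None, rng=None):
        self.rate_bytes_per_s = rate_kbps * 1000 / 8
        self.capacity = max_burst_kbytes * 1024
        self.red = dict(DEFAULT_RED, **(red_threshold or {}))
        self.tokens = float(self.capacity)
        self.last = 0.0
        self.rng = rng or random.Random(1)      # seeded so runs are repeatable

    def _refill(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate_bytes_per_s)
        self.last = now

    def drop_probability(self, traffic_class):
        """RED drop probability for a class at the bucket's current fill level."""
        pct = self.red[traffic_class]
        if pct == 0:
            return 0.0
        threshold = self.capacity * pct / 100
        consumed = self.capacity - self.tokens
        if consumed <= threshold:
            return 0.0
        return min(1.0, (consumed - threshold) / (self.capacity - threshold))

    def admit(self, size, traffic_class, now):
        """Return 'forward', 'red-drop' or 'tail-drop' for one packet of `size` bytes."""
        self._refill(now)
        if size > self.tokens:
            return "tail-drop"                  # burst exhausted: no early-drop decision needed
        if self.rng.random() < self.drop_probability(traffic_class):
            return "red-drop"                   # early drop keeps headroom for higher classes
        self.tokens -= size
        return "forward"


def demo(packets_per_class=100, size=1500):
    """Constructed burst: 1500-byte packets round-robin over the four classes at t=0."""
    shaper = Level2TunnelShaper()               # defaults: 5000 kbps, 320 kbytes, 50/50/25/0
    counts = {c: {"forward": 0, "red-drop": 0, "tail-drop": 0} for c in DEFAULT_RED}
    for _ in range(packets_per_class):
        for traffic_class in DEFAULT_RED:
            counts[traffic_class][shaper.admit(size, traffic_class, now=0.0)] += 1
    return counts
```

With the defaults, background and best-effort start being thinned once half the 320-kbyte burst is consumed, video once a quarter is, and voice is only ever tail-dropped once the burst is gone; the bucket refills at 625000 bytes per second, so a 1500-byte packet arriving 10 ms after exhaustion is forwarded again.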
Related Commands
  no  Disables tunneling of unicast messages, to unknown MAC destinations, on the selected VLAN bridge
7.1.10.2.16 tunnel-over-level2
bridge-vlan-mode commands
Enables extended VLAN (tunneled VLAN) traffic over level 2 MiNT links. This option is disabled by default.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
tunnel-over-level2
Parameters
None
Example
rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#tunnel-over-level2
rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#show context
 bridge vlan 1
  description This is a description for the bridged VLAN
  l2-tunnel-broadcast-optimization
  bridging-mode isolated-tunnel
  tunnel-over-level2
  ip arp trust
  ip dhcp trust
  ip igmp snooping
  ip igmp snooping querier
rfs4000-229D58(config-profile testRFS4000-bridge-vlan-1)#
Related Commands
  no  Disables extended VLAN traffic over level 2 MiNT links
7.1.10.2.17 use
bridge-vlan-mode commands
Associates a captive portal, an access control list (IPv4, IPv6, or MAC), an application policy and/or a URL filter with this bridge VLAN
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
use [application-policy|captive-portal|ip-access-list|ipv6-access-list|mac-access-list|url-filter]
use application-policy <APP-POLICY-NAME>
use captive-portal <CAPTIVE-PORTAL-NAME>
use [ip-access-list|ipv6-access-list|mac-access-list] tunnel out <IP/IPv6/MAC-ACCESS-LIST-NAME>
use url-filter <URL-FILTER-NAME>
Parameters
use application-policy <APP-POLICY-NAME>
  use application-policy  Enforces application detection on this VLAN bridge
                <APP-POLICY-NAME>  Specify the application policy name (it should already exist and be configured). For more information on application definitions and application policies, see application and application-policy.
use captive-portal <CAPTIVE-PORTAL-NAME>
  use captive-portal  Applies an existing captive portal configuration to restrict access to the bridge VLAN. A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to access the network. Once logged into the captive portal, additional terms and agreement, welcome, fail, and no-service pages provide the administrator with a number of options on captive portal screen flow and user appearance.
                <CAPTIVE-PORTAL-NAME>  Specify the captive portal name.
use [ip-access-list|ipv6-access-list|mac-access-list] tunnel out <IP/IPv6/MAC-ACCESS-LIST-NAME>
  use               Sets this VLAN bridge policy to use an IPv4/IPv6 access list or a MAC access list
  ip-access-list    Associates a pre-configured IPv4 access list with this VLAN bridge interface
  ipv6-access-list  Associates a pre-configured IPv6 access list with this VLAN bridge interface
  mac-access-list   Associates a pre-configured MAC access list with this VLAN bridge interface
  The following keywords are common to the IPv4/IPv6 access list and MAC access list parameters:
  tunnel            Applies the IPv4/IPv6 access list or MAC access list to all packets going into the tunnel
  out               Applies the IPv4/IPv6 access list or MAC access list to all outgoing packets
                <IP/IPv6/MAC-ACCESS-LIST-NAME>  Specify the IPv4/IPv6 access list or MAC access list name.
use url-filter <URL-FILTER-NAME>
  use url-filter    Sets this VLAN bridge to use a URL filter. This option enforces URL filtering on the VLAN bridge.
                <URL-FILTER-NAME>  Specify the URL filter name. It should already exist and be configured.
Example
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#use mac-access-list tunnel out PERMIT-ARP-AND-IPv4
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#show context
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
  use mac-access-list tunnel out PERMIT-ARP-AND-IPv4
rfs6000-37FABE(config-profile-default-rfs6000-bridge-vlan-1)#
Related Commands
  no  Disables or reverts VLAN Ethernet bridge settings
7.1.11 captive-portal
Profile Config Commands
Configures captive portal advanced Web page uploads on this profile
A captive portal is a means of providing guests temporary and restrictive access to the controller managed wireless network. A captive portal provides secure authenticated controller access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials. Once the user is authenticated and logged into the controller managed network, additional agreement, welcome, and fail pages provide the administrator with options to control the captive portal's screen flow and user appearance.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
captive-portal page-upload count <1-20>
Parameters
captive-portal page-upload count <1-20>
  page-upload   Enables captive portal advanced Web page upload
  count <1-20>  Sets the maximum number of APs to which pages can be uploaded concurrently
                <1-20>  Set a value from 1 - 20. The default is 10.
Example
nx9500-6C8809(config-profile-testNX9500)#captive-portal page-upload count 15
nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include captive-portal
 captive-portal page-upload count 15
 no captive-portal-enforcement
 no captive-portal-enforcement
 no captive-portal-enforcement
 no captive-portal-enforcement
 no captive-portal-enforcement
 no captive-portal-enforcement
 service captive-portal-server connections-per-ip 3
nx9500-6C8809(config-profile-testNX9500)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 62 PROFILES 7.1.12 cdp Profile Config Commands Enables Cisco Discovery Protocol (CDP), a proprietary data link layer network protocol implemented in Cisco networking equipment and used to share network information amongst different vendor wireless devices Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cdp [holdtime|run|timer]
cdp [holdtime <10-1800>|run|timer <5-900>]

Parameters
cdp [holdtime <10-1800>|run|timer <5-900>]

holdtime <10-1800>
    Specifies the holdtime after which transmitted packets are discarded
    <10-1800> Specify a value from 10 - 1800 seconds. The default is 180 seconds.
run
    Enables CDP sniffing and transmit globally. This feature is enabled by default.
timer <5-900>
    Specifies the interval, in seconds, between successive CDP packet transmissions
    <5-900> Specify a value from 5 - 900 seconds. The default is 60 seconds.

Example
rfs6000-37FABE(config profile-default-rfs6000)#cdp run
rfs6000-37FABE(config profile-default-rfs6000)#cdp holdtime 1000
rfs7000-37FABE(config profile-default-rfs6000)#cdp timer 900
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
bridge vlan 1
no edge-vlan
l2-tunnel-broadcast-optimization
.............................................................
qos trust 802.1p
interface pppoe1
use firewall-policy default
cdp holdtime 1000
cdp timer 900
service pm sys-restart
router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Disables CDP on this profile

7.1.13 cluster
Profile Config Commands

Sets the cluster configuration

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cluster [force-configured-state|force-configured-state-delay|handle-stp|master-priority|member|mode|name|radius-counter-db-sync-time]
cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp|master-priority <1-255>]
cluster member [ip|vlan]
cluster member [ip <IP> {level [1|2]}|vlan <1-4094>]
cluster mode [active|standby]
cluster name <CLUSTER-NAME>
cluster radius-counter-db-sync-time <1-1440>

Parameters
cluster [force-configured-state|force-configured-state-delay <3-1800>|handle-stp|master-priority <1-255>]

force-configured-state
    Forces adopted APs to auto revert when a failed wireless controller or service platform (in a cluster) restarts. When an active controller (wireless controller, or service platform) fails, a standby controller in the cluster takes over the APs adopted by the failed active controller. If the failed active controller were to restart, it starts a timer based on the force-configured-state-delay interval specified. At the expiration of this interval, the standby controller releases all adopted APs and goes back to a monitoring mode. If the active controller fails during this interval, the force-configured-state-delay timer is stopped. The timer restarts as soon as the active controller comes back up. This feature is disabled by default.
force-configured-state-delay <3-1800>
    Forces cluster transition to the configured state after a specified interval
    <3-1800> Specify a delay from 3 - 1800 minutes. The default is 5 minutes. This is the interval a standby controller waits before releasing adopted APs when a failed primary controller becomes active again.
handle-stp
    Enables Spanning Tree Protocol (STP) convergence handling. This feature is disabled by default. In layer 2 networks, this protocol is enabled to prevent network looping. If enabled, the network forwards data only after STP convergence. Enabling STP convergence delays the redundancy state machine execution until the STP convergence is completed (the standard protocol value for STP convergence is 50 seconds). Delaying the state machine is important to load balance APs at startup.
master-priority <1-255>
    Configures cluster master priority
    <1-255> Specifies the cluster master election priority. Assign a value from 1 - 255. The higher the value, the higher the precedence. The default is 128. In a cluster environment one device from the cluster is elected as the cluster master. A device's master priority value decides the device's priority to become cluster master.

cluster member [ip <IP> {level [1|2]}|vlan <1-4094>]

member
    Adds a member to the cluster. It also configures the cluster VLAN where members can be reached.
ip <IP> level [1|2]
    Adds the IP address of the new cluster member
    <IP> Specify the IP address.
    level Optional. Configures the routing level for the new member. Select one of the following routing levels:
        1 Level 1, local routing
        2 Level 2, inter-site routing
vlan <1-4094>
    Configures the cluster VLAN where members can be reached
    <1-4094> Specify the VLAN ID from 1 - 4094.

cluster mode [active|standby]

mode [active|standby]
    Configures the cluster member's mode as active or standby
    active Configures cluster mode as active. This is the default setting.
    standby Configures cluster mode as standby
    A member can be in either an Active or Standby mode. All active member controllers can adopt access points. Standby members only adopt access points when an active member has failed or sees an access point not adopted by a controller.

cluster name <CLUSTER-NAME>

name <CLUSTER-NAME>
    Configures the cluster name
    <CLUSTER-NAME> Specify the cluster name.

cluster radius-counter-db-sync-time <1-1440>

radius-counter-db-sync-time <1-1440>
    Configures the interval, in minutes, at which the RADIUS counter database is synchronized with the dedicated NTP server resource.
    <1-1440> Specify a value from 1 - 1440 minutes. The default is 5 minutes. Use the show > cluster > configuration command to view the RADIUS counter DB sync time.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#cluster name cluster1
rfs6000-37FABE(config-profile-default-rfs6000)#cluster member ip 172.16.10.3
rfs6000-37FABE(config-profile-default-rfs6000)#cluster mode active
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
bridge vlan 1
description Vlan1
.......................................................................
cluster name cluster1
cluster member ip 172.16.10.3
cluster member vlan 1
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Removes a cluster member

7.1.14 configuration-persistence
Profile Config Commands

Enables configuration persistence across reloads. This option is enabled by default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
configuration-persistence {auto|secure}

Parameters
configuration-persistence {auto|secure}

auto
    Optional. Assigns the default value based on the device type
secure
    Optional. Ensures that the parts of the file that contain security information are not written during a reload

Example
rfs6000-37FABE(config-profile-default-rfs6000)#configuration-persistence secure
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
bridge vlan 1
no edge-vlan
ip igmp snooping
no ip igmp snooping unknown-multicast-fwd
no ip igmp snooping mrouter learn pim-dvmrp
autoinstall configuration
autoinstall firmware
..........................................................................
cluster name cluster1
cluster member ip 1.2.3.4 level 2
cluster member ip 172.16.10.3
cluster member vlan 4094
cluster handle-stp
cluster force-configured-state holdtime 1000 timer 900
configuration-persistence secure
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Disables automatic write-up of the startup configuration file

7.1.15 controller
Profile Config Commands

Configures the WiNG controller (wireless controller or service platform) adoption settings.

Adoption is the process a controller or service platform uses to discover available access points and/or peer controllers/service platforms, establish an association and provision the adopted device. Adoption settings are configurable and supported within a profile and applied to all devices supported by the profile.

Use this command to add a controller to a pool and group. This command also enables and disables adoption on controllers, and specifies the device types that can be adopted by a controller.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
controller [adopted-devices|adoption|group|hello-interval|vlan|host]
controller adopted-devices [aps {controllers}|controllers {aps}|external-devices|external-devices-monitoring-only]
controller adoption
controller [group <CONTROLLER-GROUP-NAME>|vlan <1-4094>]
controller hello-interval <1-120> adjacency-hold-time <2-600>
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure|level|pool|remote-vpn-client}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure} {gw [<IP>|<HOSTNAME>]}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {level [1|2]|pool <1-2> level [1|2]} {ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}
controller host [<IPv4>|<IPv6>|<HOSTNAME>] {remote-vpn-client}

Parameters
controller adopted-devices [aps {controllers}|controllers {aps}|external-devices|external-devices-monitoring-only]

controller
    Configures the WLAN's controller adoption settings
adopted-devices
    Configures the types of device (AP/controller) this controller can adopt
aps {controllers}
    Enables the adoption of network access points by this controller. This option is enabled by default.
    controllers Optional. Enables the adoption of peer controllers by this controller
    All adopted devices (referred to as adoptees) receive their complete configuration from the adopting controller (referred to as the adopter).
controllers {aps}
    Enables the adoption of peer controllers by this controller
    aps Optional. Enables the adoption of network access points by this controller
    A controller cannot be configured as an adoptee and an adopter simultaneously. In other words, an adopted controller (adoptee) cannot be configured to adopt another controller. Use the no > controller > adopted-devices command to remove this setting.
external-devices
    Enables adoption of external devices by this controller. This option is disabled by default. When enabled, a WiNG controller can adopt and manage T5 controllers and EX3500 switches (using the IPX operating system) within a WiNG managed device subnet. To disable T5 or EX3500 adoption, use the no > controller > external-devices command. This feature is supported only on the RFS4000, NX9500, NX9510, NX9600, and VX9000 platforms.
external-devices-monitoring-only
    Enables only monitoring of external devices by this controller or service platform. This option is disabled by default.

controller adoption

controller adoption
    Enables the adoption of the logged device (wireless controller or service platform) by other controllers. This option is disabled by default. Use the no > controller > adoption command to disable adoption.

controller [group <CONTROLLER-GROUP-NAME>|vlan <1-4094>]

controller
    Configures the WLAN's controller adoption settings
group <CONTROLLER-GROUP-NAME>
    Configures the wireless controller or service platform group
    <CONTROLLER-GROUP-NAME> Specify the wireless controller or service platform group name.
vlan <1-4094>
    Configures the wireless controller or service platform VLAN
    <1-4094> Specify the VLAN ID from 1 - 4094.

controller hello-interval <1-120> adjacency-hold-time <2-600>

controller
    Configures the WLAN's controller settings
hello-interval <1-120>
    Configures the hello-interval in seconds. This is the interval between consecutive hello packets exchanged between the AP and the wireless controller or service platform.
    <1-120> Specify a value from 1 - 120 seconds.
adjacency-hold-time <2-600>
    Configures the adjacency hold time in seconds. This is the time since the last received hello packet after which the adjacency between the wireless controller or service platform and the AP is lost, and the link is re-established.
    <2-600> Specify a value from 2 - 600 seconds.

controller host [<IPv4>|<IPv6>|<HOSTNAME>] {ipsec-secure} {gw [<IP>|<HOSTNAME>]}
controller
    Configures the WLAN's controller adoption settings
host [<IPv4>|<IPv6>|<HOSTNAME>]
    Configures the wireless controller's or service platform's IPv4/IPv6 address or hostname
    <IPv4> Configures the wireless controller's or service platform's IPv4 address
    <IPv6> Configures the wireless controller's or service platform's IPv6 address
    <HOSTNAME> Configures the wireless controller's or service platform's hostname
ipsec-secure {gw [<IP>|<HOSTNAME>]}
    Optional. Enables Internet Protocol Security (IPSec) peer authentication on the connection (link) between the adopting devices. This option is disabled by default.
    gw Optional. Specifies an IPSec gateway other than the wireless controller or service platform
    <IP> Use this option to specify the IPSec gateway's IP address.
    <HOSTNAME> Use this option to specify the IPSec gateway's hostname.
    If the gateway's IP address or hostname is not specified, the system assumes the logged controller is the IPSec gateway.

controller host [<IPv4>|<IPv6>|<HOSTNAME>] {level [1|2]|pool <1-2> level [1|2]} {ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}

controller
    Configures the WLAN's controller adoption settings
host [<IPv4>|<IPv6>|<HOSTNAME>]
    Configures the wireless controller's or service platform's IPv4/IPv6 address or name
    <IPv4> Configures the wireless controller's or service platform's IPv4 address
    <IPv6> Configures the wireless controller's or service platform's IPv6 address
    <HOSTNAME> Configures the wireless controller's or service platform's name
    The following keywords are common to the IP, IPv6, and hostname parameters:
level [1|2]
    Optional. After providing the wireless controller's or service platform's address, optionally select one of the following routing levels:
    1 Optional. Level 1, local routing
    2 Optional. Level 2, inter-site routing
    Note: After specifying the routing level, you can optionally enable IPSec Secure authentication and the remote VPN client.
    The following keywords are common to the IP, IPv6, and hostname parameters:
pool <1-2> level [1|2]
    Optional. Sets the wireless controller's or service platform's pool
    <1-2> Select either 1 or 2 as the pool. The default is 1. After selecting the pool, optionally select one of the following two routing levels:
    1 Optional. Level 1, local routing
    2 Optional. Level 2, inter-site routing
    After specifying the routing level and/or the device's pool, you can optionally specify the following:
{ipsec-secure {gw [<IP>|<HOSTNAME>]}|remote-vpn-client}
    ipsec-secure Optional. Enables IPSec peer authentication on the connection (link) between the adopting devices. This option is disabled by default.
    gw Optional. Specifies an IPSec gateway other than the wireless controller or service platform
    <IP> Use this option to specify the IPSec gateway's IP address.
    <HOSTNAME> Use this option to specify the IPSec gateway's hostname.
    Note: If the gateway's IP address or hostname is not specified, the system assumes the logged controller is the IPSec gateway.
    remote-vpn-client Forces the MiNT link creation protocol (MLCP) to use the remote VPN connection on the controller. The controller uses the remote VPN tunnel for this traffic. If multiple controller hosts are configured, either all the hosts should use remote-vpn-client or none. When enabled, an MLCP connection is not initiated until the remote VPN connection is UP and the virtual IP, DNS server, source route, etc. are installed on the AP.

controller host [<IPv4>|<IPv6>|<HOSTNAME>] {remote-vpn-client}

controller
    Configures the WLAN's controller settings
host [<IPv4>|<IPv6>|<HOSTNAME>]
    Configures the wireless controller's or service platform's IPv4/IPv6 address or hostname
    <IPv4> Configures the wireless controller's or service platform's IPv4 address
    <IPv6> Configures the wireless controller's or service platform's IPv6 address
    <HOSTNAME> Configures the wireless controller's or service platform's name
remote-vpn-client
    Forces MLCP to use the remote VPN connection on the controller. The controller uses the remote VPN tunnel for this traffic. If multiple controller hosts are configured, either all the hosts should use remote-vpn-client or none. When enabled, an MLCP connection is not initiated until the remote VPN connection is UP and the virtual IP, DNS server, source route, etc. are installed on the AP.

Example
rfs6000-37FABE(config-profile-default-rfs6000)controller group test
rfs6000-37FABE(config-profile-default-rfs6000)#controller host 1.2.3.4 pool 2
rfs7000-37FABE(config-profile-default-rfs7000)#show context
profile rfs6000 default-rfs6000
no autoinstall configuration
no autoinstall firmware
crypto isakmp policy default
crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
..........................................................
interface ge4
ip dhcp trust
qos trust dscp
qos trust 802.1p
use firewall-policy default
controller host 1.2.3.4 pool 2
controller group test
service pm sys-restart
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#

rfs4000-229D58(config-profile-testRFS4000)#controller adopted-devices aps controllers
rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
autoinstall configuration
....................................................................
logging on
service pm sys-restart
router ospf
controller adopted-devices aps controllers
rfs4000-229D58(config-profile-testRFS4000)#
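As an added example that is not from the CLI reference guide or from WiNG itself, the following Python script lints profile lines of the kind shown in the show context output above against the ranges and defaults documented for cdp, cluster, configuration-persistence and controller: it flags out-of-range values, controller hosts configured without ipsec-secure (which this section says is off by default), and remote-vpn-client set on some controller hosts but not all. The function name, finding messages and the sample profile (including the address 1.2.3.5) are constructed for this example.

```python
"""Lint WiNG profile lines (as shown by "show context") against the ranges and
defaults this section documents for cdp, cluster, configuration-persistence and
controller. Added example, not part of the CLI reference guide or of WiNG."""
import re
from typing import List, Tuple

# Integer ranges copied from the command syntax on this page. Each regex's capture
# groups are checked, in order, against the listed (low, high) pairs.
RANGE_RULES: List[Tuple[str, List[Tuple[int, int]]]] = [
    (r"^cdp holdtime (\d+)$", [(10, 1800)]),
    (r"^cdp timer (\d+)$", [(5, 900)]),
    (r"^cluster force-configured-state-delay (\d+)$", [(3, 1800)]),
    (r"^cluster master-priority (\d+)$", [(1, 255)]),
    (r"^cluster member vlan (\d+)$", [(1, 4094)]),
    (r"^cluster radius-counter-db-sync-time (\d+)$", [(1, 1440)]),
    (r"^controller vlan (\d+)$", [(1, 4094)]),
    (r"^controller hello-interval (\d+) adjacency-hold-time (\d+)$", [(1, 120), (2, 600)]),
]

CONTROLLER_HOST = re.compile(r"^controller host (\S+)(.*)$")


def lint_profile(text: str) -> List[str]:
    """Return findings (constructed message format) for one profile's configuration."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    findings: List[str] = []

    # 1. Values outside the documented ranges.
    for ln in lines:
        for pattern, ranges in RANGE_RULES:
            match = re.match(pattern, ln)
            if not match:
                continue
            for value, (low, high) in zip(match.groups(), ranges):
                if not low <= int(value) <= high:
                    findings.append(f"range: '{ln}' has {value} outside {low}-{high}")

    # 2. Adoption links. ipsec-secure is disabled by default, and remote-vpn-client
    #    must be used on all controller hosts or on none (both stated in this section).
    hosts = [(m.group(1), m.group(2)) for m in map(CONTROLLER_HOST.match, lines) if m]
    for host, options in hosts:
        if "ipsec-secure" not in options.split():
            findings.append(f"adoption: controller host {host} without ipsec-secure")
    with_vpn = [host for host, options in hosts if "remote-vpn-client" in options.split()]
    if with_vpn and len(with_vpn) != len(hosts):
        findings.append("adoption: remote-vpn-client set on some controller hosts but not all")

    # 3. CDP is enabled by default, so it is running unless the profile turns it off.
    #    Assumption: a disabled CDP appears in the profile as the line "no cdp run".
    if "no cdp run" not in lines:
        findings.append("cdp: enabled (default); advertises device details on the link")

    # 4. configuration-persistence secure keeps security-sensitive parts of the file
    #    from being written during a reload; note when the profile does not set it.
    if "configuration-persistence secure" not in lines:
        findings.append("persistence: configuration-persistence secure not set")

    return findings


# Constructed sample profile, modelled on the "show context" output in this section.
SAMPLE_PROFILE = """
profile rfs6000 default-rfs6000
 bridge vlan 1
 cdp holdtime 1000
 cdp timer 900
 cluster name cluster1
 cluster member ip 172.16.10.3
 cluster member vlan 4094
 cluster master-priority 300
 controller host 1.2.3.4 pool 2
 controller host 1.2.3.5 pool 1 remote-vpn-client
 controller hello-interval 121 adjacency-hold-time 600
 configuration-persistence secure
"""

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```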
Related Commands
no  Disables or reverts settings to their default

7.1.16 critical-resource
Profile Config Commands

Enables monitoring of resources critical to the health of the service platform, wireless controller, or access point managed network. These critical resources are identified by their configured IP addresses. When enabled, the system monitors these devices regularly and logs their status.

Use this command to create a critical resource monitoring (CRM) policy. A critical resource can be a gateway, AAA server, WAN interface, any hardware, or a service on which the stability of the network depends. Monitoring these resources is therefore essential. When enabled, this feature pings critical resources regularly to ascertain their status. If there is a connectivity issue, an event is generated stating that a critical resource is unavailable. By default, there is no enabled critical resource policy; one needs to be created and implemented.

Critical resources can be monitored directly through the interfaces on which they are discovered. For example, a critical resource on the same subnet as an AP8132 access point can be monitored by its IP address. However, a critical resource located on a VLAN must continue to be monitored on that VLAN. Critical resource monitoring can be enabled on service platforms, wireless controllers, and access points through their respective device profiles.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
critical-resource [<CR-NAME>|monitor|retry-count]
critical-resource <CR-NAME> [monitor|monitor-using-flows]
critical-resource <CR-NAME> monitor [direct|via]
critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}
critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|pppoe1|vlan|wwan1]
critical-resource <CR-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}
critical-resource <CR-NAME> monitor-using-flows [all|any] [criteria|dhcp|dns|sync-adoptees]
critical-resource <CR-NAME> monitor-using-flows [all|any] criteria [all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] dhcp vlan <1-4094> {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] dns <IP/HOST-ALIAS-NAME> {dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource <CR-NAME> monitor-using-flows [all|any] sync-adoptees criteria [all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
critical-resource monitor interval <5-86400>
critical-resource retry-count <0-10>
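As an added example that is not part of the guide, the following Python model shows how the all and any keywords described under Parameters below decide when a critical resource event is generated: each poll probes every listed resource, an event is raised once all (or any one) of them is unreachable, and it is cleared when that no longer holds. The class, function and probe results are constructed; treating retry-count as the number of consecutive failed probes tolerated before a resource counts as down is this example's assumption, since the guide's definition of retry-count lies outside this excerpt.

```python
"""Model of a critical-resource monitoring (CRM) policy: added example, not WiNG code."""
from typing import Callable, Dict, List


class CriticalResourcePolicy:
    """One CRM policy with the 'all' or 'any' event rule from this section."""

    def __init__(self, name: str, mode: str, resources: List[str], retry_count: int = 0):
        if mode not in ("all", "any"):
            raise ValueError("mode must be 'all' or 'any'")
        if not 0 <= retry_count <= 10:                  # syntax: retry-count <0-10>
            raise ValueError("retry-count must be between 0 and 10")
        if not 1 <= len(resources) <= 4:                # "Configures up to four IP addresses"
            raise ValueError("a policy monitors between one and four resources")
        self.name = name
        self.mode = mode
        self.retry_count = retry_count
        # Consecutive failed probes per resource (constructed state, not a WiNG field).
        self.failures: Dict[str, int] = {r: 0 for r in resources}
        self.event_active = False

    def resource_down(self, resource: str) -> bool:
        # Assumption: a resource is down once more than retry-count consecutive probes fail.
        return self.failures[resource] > self.retry_count

    def poll(self, probe: Callable[[str], bool]) -> List[str]:
        """Run one monitoring interval and return the events logged in this round."""
        for resource in self.failures:
            self.failures[resource] = 0 if probe(resource) else self.failures[resource] + 1
        down = [r for r in self.failures if self.resource_down(r)]
        if self.mode == "all":
            condition = len(down) == len(self.failures)   # all listed resources unreachable
        else:
            condition = bool(down)                        # any one resource unreachable
        events: List[str] = []
        if condition and not self.event_active:
            self.event_active = True
            events.append(f"critical resource unavailable: {self.name} ({', '.join(down)})")
        elif not condition and self.event_active:
            self.event_active = False
            events.append(f"critical resource restored: {self.name}")
        return events


def simulate(policy: CriticalResourcePolicy, rounds: List[Dict[str, bool]]) -> List[List[str]]:
    """Feed a sequence of constructed probe results (resource -> reachable) to the policy."""
    return [policy.poll(lambda r, reach=reach: reach.get(r, False)) for reach in rounds]


# Constructed scenario: a default gateway and an AAA server (addresses made up for the example).
GATEWAY, AAA = "10.1.1.1", "10.1.1.50"
ROUNDS = [
    {GATEWAY: True, AAA: True},    # round 1: both reachable
    {GATEWAY: False, AAA: True},   # round 2: first gateway miss, within retry-count 1
    {GATEWAY: False, AAA: True},   # round 3: gateway now counts as down
    {GATEWAY: False, AAA: False},  # round 4: first AAA miss
    {GATEWAY: True, AAA: True},    # round 5: everything back
]

if __name__ == "__main__":
    for mode in ("any", "all"):
        policy = CriticalResourcePolicy("crm-core", mode, [GATEWAY, AAA], retry_count=1)
        for i, events in enumerate(simulate(policy, ROUNDS), start=1):
            for event in events:
                print(f"[{mode}] round {i}: {event}")
```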
Parameters
critical-resource <CR-NAME> monitor direct [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only [vlan <1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IF-NAME>|ge <1-4>|port-channel <1-2>]}}

<CR-NAME>
    Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor
    Enables critical resource(s) monitoring
direct [all|any]
    Monitors critical resources using the default routing engine
    all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)
    any Monitors any resource that is going down (generates an event when any one of the specified critical resources is unreachable)
[<IP/HOST-ALIAS-NAME>|sync-adoptees]
    <IP/HOST-ALIAS-NAME> Configures the IP address of the critical resource being monitored (for example, the DHCP or DNS server). Specify the IP address in the A.B.C.D format. You can use a host-alias to identify the critical resource. If using a host-alias, ensure that the host-alias exists and is configured.
    sync-adoptees Syncs adopted access points with the controller. In the standalone AP scenario, where the CRM policy is running on the AP, the AP is notified directly in case a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-adoptees option in order to sync the AP with the controller regarding the latest CRM status.
    The following keywords are common to the all and any parameters:
arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IFNAME>|ge|port-channel]}
    arp-only Optional. Uses ARP to determine if the IP address is reachable (use this option to monitor resources that do not have IP addresses). ARP is used to resolve hardware addresses when only the network layer address is known.
    vlan [<1-4094>|<VLAN-ALIAS-NAME>] Specifies the VLAN ID on which to send the probing ARP requests. Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
    <IP/HOST-ALIAS-NAME> Optional. Limits ARP to a device specified by the <IP> parameter. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias exists and is configured.
    port [<LAYER2-IF-NAME>|ge|port-channel] Optional. Limits ARP to a specified port

critical-resource <CRM-POLICY-NAME> monitor via [<IP/HOST-ALIAS-NAME>|<LAYER3-INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [all|any] [<IP/HOST-ALIAS-NAME>|sync-adoptees] {<IP/HOST-ALIAS-NAME>|arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>] {<IP>|port [<LAYER2-IFNAME>|ge|port-channel]}}
<CR-NAME>
    Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor
    Enables critical resource(s) monitoring
via
    Specifies the interface or next-hop via which the ICMP pings are sent. This does not apply to IP addresses configured for arp-only. For interfaces which learn the default gateway dynamically (like DHCP clients and PPP interfaces), use an interface name for VIA, or use an IP address.
<IP/HOST-ALIAS-NAME>
    Specify the IP address of the next-hop via which the critical resource(s) are monitored. Configures up to four IP addresses for monitoring. All four IP addresses constitute critical resources. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias exists and is configured.
<LAYER3-INTERFACE-NAME>
    Specify the layer 3 interface name (router interface)
pppoe1
    Specifies the PPP over Ethernet interface
vlan [<1-4094>|<VLAN-ALIAS-NAME>]
    Specifies the wireless controller's or service platform's VLAN interface. Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
wwan1
    Specifies the Wireless WAN interface
[all|any]
    Monitors critical resources using the default routing engine
    all Monitors all resources that are going down (generates an event when all specified critical resource IP addresses are unreachable)
    any Monitors any resource that is going down (generates an event when any one of the specified critical resource IP addresses is unreachable)
[<IP/HOST-ALIAS-NAME>|sync-adoptees]
    <IP/HOST-ALIAS-NAME> Configures the IP address of the critical resource being monitored (for example, the DHCP or DNS server). Specify the IP address in the A.B.C.D format. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias exists and is configured.
    sync-adoptees Syncs adopted access points with the controller. In the standalone AP scenario, where the CRM policy is running on the AP, the AP is notified directly in case a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-adoptees option in order to sync the AP with the controller regarding the latest CRM status.
    The following keywords are common to the all and any parameters:
arp-only vlan [<1-4094>|<VLAN-ALIAS-NAME>] {<IP/HOST-ALIAS-NAME>|port [<LAYER2-IFNAME>|ge|port-channel]}
    arp-only Optional. Uses ARP to determine if the IP address is reachable (use this option to monitor resources that do not have IP addresses). ARP is used to resolve hardware addresses when only the network layer address is known.
    vlan [<1-4094>|<VLAN-ALIAS-NAME>] Specifies the VLAN ID on which to send the probing ARP requests. Specify the VLAN ID from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
    <IP/HOST-ALIAS-NAME> Optional. Limits ARP to a device specified by the <IP> parameter. You can use a host-alias to specify the IP address. If using a host-alias, ensure that the host-alias exists and is configured.
    port [<LAYER2-IF-NAME>|ge|port-channel] Optional. Limits ARP to a specified port

critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] criteria [all|cluster-master|rf-domain-manager] (dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
<CR-NAME>
    Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor-using-flows
    Enables critical resource(s) monitoring using message flows for DHCP or DNS (DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network.
[all|any]
    Configures how critical resource event messages are generated. Options include all and any.
    all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)
    any Monitors any resource that is going down (generates an event when any one of the specified critical resources is unreachable)
criteria [all|cluster-master|rf-domain-manager]
    Configures the resource that will monitor critical resources and update the rest of the devices in a group. Options include all, rf-domain-manager, or cluster-master.
    all Configures all devices within a group (cluster or RF Domain) as the monitoring resource
    cluster-master Configures the cluster master as the monitoring resource
    rf-domain-manager Configures the RF Domain manager as the monitoring resource
    The following parameters are recursive and common to the all, cluster-master, and rf-domain-manager keywords:
dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]
    dhcp Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
    vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
dns <IP/HOST-ALIAS-NAME>
    dns Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
    <IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).
{dhcp [vlan <1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
    The dhcp and dns parameters are recursive; you can optionally configure multiple VLANs and critical resource IPv4 addresses (or host alias names).
    dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
    vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
    dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
    <IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).

critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>] {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
<CR-NAME>
    Identifies the critical resource to be monitored. Provide the name of the critical resource.
monitor-using-flows
    Enables critical resource(s) monitoring using message flows for DHCP or DNS (DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network.
[all|any]
    Configures how critical resource event messages are generated. Options include all and any.
    all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable)
    any Monitors any resource that is going down (generates an event when any one of the specified critical resources is unreachable)
dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]
    Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
    vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
{dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
    The following parameters are recursive and optional. Use them to configure multiple VLANs and critical resource IPv4 addresses (or host alias names):
    dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability.
    vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias exists and is configured.
    dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
    <IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (it should exist and be configured).

critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] dns <IP/HOST-ALIAS-NAME> {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/HOST-ALIAS-NAME>}
<CR-NAME>
monitor-using-flows
[all|any]
dns <IP/HOST-ALIAS-
NAME>
{dhcp vlan [<1-4094>|
<VLAN-ALIAS-NAME>|
dns <IP/HOST-ALIAS-
NAME>}
Identifies the critical resource to be monitored. Provide the name of the critical resource. Enables critical resource(s) monitoring using message flows for DHCP or DNS
(DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network. Configures how critical resource event messages are generated. Options include all and any. all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable) Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). The following parameters are recursive and optional. Use them to configure multiple VLANs and critical resource IPv4 addresses (or host alias names):
dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). critical-resource <CRM-POLICY-NAME> monitor-using-flows [all|any] sync-adoptees criteria [all|cluster-master|rf-domain-manager] (dhcp vlan [<1-4094>|<VLAN-ALIAS-
NAME>]|dns <IP/HOST-ALIAS-NAME>) {dhcp vlan [<1-4094>|<VLAN-ALIAS-NAME>]|dns <IP/
HOST-ALIAS-NAME>}
<CR-NAME>
Identifies the critical resource to be monitored. Provide the name of the critical resource. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 77 PROFILES monitor-using-flows
[all|any]
syn-adoptees criteria
[all|cluster-master|
rf-domain-manager]
dhcp vlan [<1-4094>|
<VLAN-ALIAS-NAME>]
dns <IP/HOST-ALIAS-
NAME>
{dhcp vlan {<1-4094>|
<VLAN-ALIAS-NAME>]|
dns <IP/HOST-ALIAS-
NAME>}
Enables critical resource(s) monitoring using message flows for DHCP or DNS
(DHCP Discover, DHCP Offer, etc.) instead of ICMP or ARP packets in order to reduce the amount of traffic on the network. Configures how critical resource event messages are generated. Options include all and any. all Monitors all resources that are going down (generates an event when all specified critical resources are unreachable) any Monitors any resource that is going down (generates an event when any one of the specified critical resource is unreachable) Syncs adopted access points with the controller. In the stand-alone AP scenario, where the CRM policy is running on the AP, the AP is directly intimated in case a critical resource goes down. On the other hand, when an AP is adopted to a controller (running the CRM policy), it is essential to enable the sync-adoptees option in order to sync the AP with the controller regarding the latest CRM status. Configures the resource that will monitor critical resources and update the rest of the devices in a group. Options include all, rf-domain-manager, or cluster-master. all Configures all devices within a group (cluster or RF Domain) as the monitoring resource cluster-master Configures the cluster master as the monitoring resource rf-domain-manager Configures the RF Domain manager as the monitoring resource The following parameters are recursive and common to the all, cluster-master, and rf-domain-manager keywords:
dhcp Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. The following parameters are recursive and common to the all, cluster-master, and rf-domain-manager keywords:
dns Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). The dhcp and dns parameters are recursive and you can optionally configure multiple VLANs and critical resource IPv4 addresses (or host alias names). dhcp Optional. Configures DHCP as the mode of monitoring critical resources. When configured, DHCP message flows (DHCP Discover, DHCP Offer, etc.) are used instead of ICMP or ARP packets to confirm critical resource availability. vlan [<1-4094>|<VLAN-ALIAS-NAME>] Configures the VLAN on which the critical resource(s) is available. Specify the VLAN from 1 - 4094. Alternately, use a vlan-alias to identify the VLAN. If using a vlan-alias, ensure that the alias is existing and configured. Contd... Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 78 PROFILES dns Optional. Configures DNS as the mode of monitoring critical resources. When configured, DNS message flows are used instead of ICMP or ARP packets to confirm critical resource availability.
<IP/HOST-ALIAS-NAME> Configures the IPv4 address or host alias of the critical resource. Specify the IPv4 address or host alias name (should be existing and configured). critical-resource monitor interval <5-86400>
monitor interval
<5-86400>
Configures the critical resource monitoring frequency. This is the interval between two successive pings to the critical resource being monitored.
<5-86400> Specifies the frequency in seconds. Specify the time from 5 - 86400 seconds. The default is 30 seconds. critical-resource retry-count <0-10>
retry-count <0-10>
Configures the maximum number of failed attempts allowed to connect to a critical resource, using DHCP/DNS message flows, before marking it as down
<0-10> Specifies the maximum number of retries from 0 - 10. The default value is 3 attempts. Example nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#critical-resource test monitor direct all 192.168.13.10 arp-only vlan 1 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#critical-resource monitor interval 40 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context rfs6000 B4-C7-99-6D-B5-D4 use profile default-rfs6000 use rf-domain default hostname rfs6000-6DB5D4 license AP 6c781f42a3638757d8849c38268b4ea48e483e2f986ae392ebbcdd6a8f6f309443e93ad3123c3d76 mint mlcp ip ip default-gateway 192.168.13.2 interface vlan1 ip address 192.168.13.16/24 ip dhcp client request options all cluster mode standby cluster member ip 192.168.13.16 level 1 controller host 192.168.13.13 critical-resource monitor interval 40 critical-resource test monitor direct all 192.168.13.10 arp-only vlan 1 nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
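How monitor interval, retry-count and the all/any selector combine is easier to see when run than when read. The following Python model is an added example for this page, not code from the CLI reference or from WiNG. It encodes this editor's reading of the parameters above: a resource is marked down once its consecutive failed probes exceed retry-count (so retry-count 0 marks it down on the first failure), the policy raises one event on each transition of the all/any condition, and worst-case detection time is interval multiplied by retry-count plus one. The probe results are constructed; nothing is sent on the wire.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_RETRY_COUNT = 3   # critical-resource retry-count <0-10>, default 3
DEFAULT_INTERVAL = 30     # critical-resource monitor interval <5-86400>, default 30 s


@dataclass
class Resource:
    name: str
    failures: int = 0     # consecutive failed probes (DHCP/DNS flow or ping)
    down: bool = False


@dataclass
class CriticalResourcePolicy:
    name: str
    mode: str                         # "all" or "any", as in monitor-using-flows [all|any]
    resources: Dict[str, Resource]
    retry_count: int = DEFAULT_RETRY_COUNT
    interval: int = DEFAULT_INTERVAL
    policy_down: bool = False
    events: List[str] = field(default_factory=list)

    def _condition_met(self) -> bool:
        states = [r.down for r in self.resources.values()]
        # all: event only when every resource is unreachable; any: when one is
        return all(states) if self.mode == "all" else any(states)

    def observe(self, name: str, reachable: bool) -> Optional[str]:
        """Feed one probe result for a resource; return the event raised, if any."""
        r = self.resources[name]
        if reachable:
            r.failures, r.down = 0, False
        else:
            r.failures += 1
            # retry-count is the number of failed attempts *allowed* (assumption:
            # the resource goes down on failure number retry_count + 1)
            if r.failures > self.retry_count:
                r.down = True
        met = self._condition_met()
        event = None
        if met and not self.policy_down:
            event = f"{self.name}: critical-resource DOWN ({self.mode})"
        elif not met and self.policy_down:
            event = f"{self.name}: critical-resource UP ({self.mode})"
        self.policy_down = met
        if event:
            self.events.append(event)
        return event

    def seconds_to_detect(self) -> int:
        """Worst case from the last good probe to the down mark."""
        return self.interval * (self.retry_count + 1)


def make_policy(mode: str, names, retry_count=DEFAULT_RETRY_COUNT,
                interval=DEFAULT_INTERVAL) -> CriticalResourcePolicy:
    return CriticalResourcePolicy(name="test", mode=mode,
                                  resources={n: Resource(n) for n in names},
                                  retry_count=retry_count, interval=interval)


def run_scenario(mode: str):
    """Constructed probe sequence: the gateway fails for good, the DNS
    server fails twice, recovers once, then fails for good."""
    policy = make_policy(mode, ["192.168.13.10", "dns"], retry_count=3, interval=40)
    probes = ([("192.168.13.10", False)] * 4
              + [("dns", False)] * 2 + [("dns", True)] + [("dns", False)] * 4)
    return policy, [policy.observe(n, ok) for n, ok in probes]


if __name__ == "__main__":
    for mode in ("any", "all"):
        policy, _ = run_scenario(mode)
        print(mode, policy.events, f"worst-case detection {policy.seconds_to_detect()} s")
```

With any, the event fires on the fourth gateway failure; with all, the single good DNS reply resets that resource's counter, so the event is delayed until the last four DNS failures, which is the behaviour to expect when a flapping resource is part of an all policy.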
7.1.17 crypto

Use the crypto command to define a system-level local ID for Internet Security Association and Key Management Protocol (ISAKMP) negotiation and to enter the ISAKMP policy, ISAKMP client, or ISAKMP peer command set.

The following table summarizes crypto configuration mode commands:

Command                             Description                                                                         Reference
crypto                              Invokes commands used to configure ISAKMP policy, ISAKMP client, and ISAKMP peer    page 7-81
crypto-auto-ipsec-tunnel commands   Creates an auto IPSec VPN tunnel and enters its configuration mode                  page 7-87
crypto-ikev1/ikev2-policy commands  Creates a crypto IKEv1/IKEv2 policy and enters its configuration mode               page 7-94
crypto-ikev1/ikev2-peer commands    Creates an IKEv1/IKEv2 peer and enters its configuration mode                       page 7-103
crypto-map-config-commands          Creates a crypto map and enters its configuration mode                              page 7-111
crypto-remote-vpn-client commands   Creates a remote VPN client and enters its configuration mode                       page 7-136

7.1.17.1 crypto

Use the crypto command to define a system-level local ID for ISAKMP negotiation and enter the ISAKMP policy, ISAKMP client, or ISAKMP peer configuration mode.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used to sort the ordered list).

When a non-secured packet arrives on an interface, the crypto map associated with that interface is processed (in order). If a crypto map entry matches the non-secured traffic, the traffic is discarded.

When a packet is transmitted on an interface, the crypto map associated with that interface is processed. The first crypto map entry that matches the packet is used to secure the packet. If a suitable Security Association (SA) exists, it is used for transmission. Otherwise, IKE is used to establish an SA with the peer. If no SA exists (and the crypto map entry is respond only), the packet is discarded.

When a secured packet arrives on an interface, its Security Parameter Index (SPI) is used to look up an SA. If an SA does not exist (or if the packet fails any of the security checks), it is discarded. If all checks pass, the packet is forwarded normally.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crypto [auto-ipsec-secure|enable-ike-uniqueids|ike-version|ikev1|ikev2|ipsec|load-management|map|pki|plain-text-deny-acl-scope|remote-vpn-client]
crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
crypto ike-version [ikev1-only|ikev2-only]
crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]
crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]
crypto ipsec [df-bit|security-association|transform-set]
crypto ipsec df-bit [clear|copy|set]
crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]
crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
crypto pki import crl <TRUSTPOINT-NAME> <URL> <1-168>
crypto plain-text-deny-acl-scope [global|interface]
crypto remote-vpn-client

Parameters
crypto [auto-ipsec-secure|enable-ike-uniqueids|load-management]
auto-ipsec-secure
    Configures the Auto IPSec Secure parameter settings. For Auto IPSec tunnel configuration commands, see crypto-auto-ipsec-tunnel commands.
enable-ike-uniqueids
    Enables the Internet Key Exchange (IKE) unique ID check. For more information on IKE unique IDs, see remotegw.
load-management
    Configures load management for platforms using software cryptography

crypto ike-version [ikev1-only|ikev2-only]

ike-version [ikev1-only|ikev2-only]
    Selects and starts the IKE daemon
    ikev1-only
        Enables support for IKEv1 tunnels only
    ikev2-only
        Enables support for IKEv2 tunnels only

crypto ikev1 [dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV1-PEER>|policy <IKEV1-POLICY-NAME>|remote-vpn]

ikev1
    Configures the IKE version 1 parameters
dpd-keepalive <10-3600>
    Sets the global Dead Peer Detection (DPD) keepalive interval from 10 - 3600 seconds. This is the interval between successive IKE keepalive messages sent to detect whether a peer is dead or alive. The default is 30 seconds.
dpd-retries <1-100>
    Sets the global DPD retries count from 1 - 100. This is the number of keepalive messages sent to a peer without a reply before the tunnel connection is declared dead. The default is 5.
nat-keepalive <10-3600>
    Sets the global NAT keepalive interval from 10 - 3600 seconds. This is the interval between successive NAT keepalive messages, which keep the NAT mapping for the tunnel open while it is idle. The default is 20 seconds.
peer <IKEV1-PEER>
    Specify the name/identifier of the IKEv1 peer. For IKEv1 peer configuration commands, see crypto-ikev1/ikev2-peer commands.
policy <IKEV1-POLICY-NAME>
    Configures an ISAKMP policy. Specify the name of the policy. The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations. For IKEv1 policy configuration commands, see crypto-ikev1/ikev2-policy commands.
remote-vpn
    Specifies the IKEv1 remote-VPN server configuration (responder only)

crypto ikev2 [cookie-challenge-threshold <1-100>|dpd-keepalive <10-3600>|dpd-retries <1-100>|nat-keepalive <10-3600>|peer <IKEV2-PEER>|policy <IKEV2-POLICY-NAME>|remote-vpn]

ikev2
    Configures the IKE version 2 parameters
cookie-challenge-threshold <1-100>
    Starts the cookie challenge mechanism after the number of half-open IKE SAs exceeds the specified limit. Specify the limit from 1 - 100. The default is 5. The challenge makes an initiator prove it can receive at the source address it claims before the responder commits state, which bounds the half-open SAs a spoofed IKE_SA_INIT flood can create.
dpd-keepalive <10-3600>
    Sets the global DPD keepalive interval from 10 - 3600 seconds. The default is 30 seconds.
dpd-retries <1-100>
    Sets the global DPD retries count from 1 - 100. The default is 5.
nat-keepalive <10-3600>
    Sets the global NAT keepalive interval from 10 - 3600 seconds. The default is 20 seconds.
peer <IKEV2-PEER>
    Specify the name/identifier of the IKEv2 peer
policy <IKEV2-POLICY-NAME>
    Configures an ISAKMP policy. Specify the policy name. The local IKE policy and the peer IKE policy must have matching group settings for successful negotiations.
remote-vpn
    Specifies an IKEv2 remote-VPN server configuration (responder only)

crypto ipsec df-bit [clear|copy|set]
ipsec
    Configures the IPSec policy parameters
df-bit [clear|copy|set]
    Configures Don't Fragment (DF) bit handling for the encapsulating header. The options are:
    clear
        Clears the DF bit in the outer header and ignores it in the inner header
    copy
        Copies the DF bit from the inner header to the outer header. This is the default setting.
    set
        Sets the DF bit in the outer header

crypto ipsec security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

ipsec
    Configures the IPSec policy parameters
security-association
    Configures the IPSec SA parameters
lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
    Defines the IPSec SA lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds; whichever limit is reached first ends the SA. When the SA lifetime ends it is renegotiated as a security measure.
    kilobytes <500-2147483646>
        Specifies a volume-based key duration. Specify a value from 500 - 2147483646 KB. The default is 4608000 KB.
    seconds <120-86400>
        Specifies a time-based key duration. Specify a value from 120 - 86400 seconds. The default is 3600 seconds.
    The security association lifetime can be overridden under crypto maps.

crypto ipsec transform-set <TRANSFORM-SET-TAG> [esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-null] [esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]

ipsec
    Configures the IPSec policy parameters
transform-set <TRANSFORM-SET-TAG>
    Defines the transform set configuration (authentication and encryption) for securing data. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. Specify the transform set name. After specifying the transform set used by the IPSec transport connection, set the encryption method and the authentication scheme used with the transform set. The encryption methods are DES, 3DES, AES, AES-192, AES-256 and null; the authentication schemes are esp-aes-xcbc-mac, esp-md5-hmac, esp-sha-hmac and esp-sha256-hmac. The transform set is assigned to a crypto map using the map's set > transform-set command.
esp-3des
    Configures the ESP transform using the 3DES cipher (168 bits)
esp-aes
    Configures the ESP transform using the Advanced Encryption Standard (AES) cipher
esp-aes-192
    Configures the ESP transform using the AES cipher (192 bits)
esp-aes-256
    Configures the ESP transform using the AES cipher (256 bits). This is the default setting.
esp-des
    Configures the ESP transform using the Data Encryption Standard (DES) cipher (56 bits)
esp-null
    Configures the ESP transform with no encryption
[esp-aes-xcbc-mac|esp-md5-hmac|esp-sha-hmac|esp-sha256-hmac]
    The following keywords are common to all of the above listed transform sets. After specifying the transform set type, configure the authentication scheme that integrity-protects the ESP packets. The options are:
    esp-aes-xcbc-mac
        Configures the ESP transform using AES-XCBC-MAC authentication
    esp-md5-hmac
        Configures the ESP transform using HMAC-MD5 authentication
    esp-sha-hmac
        Configures the ESP transform using HMAC-SHA (SHA-1) authentication. This is the default setting.
    esp-sha256-hmac
        Configures the ESP transform using HMAC-SHA256 authentication
    Note: esp-null provides no confidentiality, and DES, 3DES and HMAC-MD5 are deprecated for IPSec use. For new configurations pair esp-aes-256 (or esp-aes) with esp-sha256-hmac.

crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
map <CRYPTO-MAP-TAG>
    Configures the crypto map, a software configuration entity that selects data flows that require security processing. The crypto map also defines the policy for these data flows. Specify a name for the crypto map. The name should not exceed 32 characters. For crypto map configuration commands, see crypto-map-ipsec-manual-instance.
<1-1000>
    Defines the crypto map entry sequence. Each crypto map uses a list of entries, each entry having a specific sequence number. Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface. Specify a value from 1 - 1000.
ipsec-isakmp {dynamic}
    Configures IPSec with ISAKMP.
    dynamic
        Optional. Configures a dynamic map entry (remote VPN configuration) for XAUTH with mode-config or ipsec-l2tp configuration
ipsec-manual
    Configures IPSec with manual keying. Remote configuration is not allowed for a manual crypto map.

crypto pki import crl <TRUSTPOINT-NAME> <URL> <1-168>

pki
    Configures certificate parameters. A Public Key Infrastructure (PKI) binds public keys to identities through digital certificates issued by certificate authorities.
import
    Imports trustpoint related configuration. A trustpoint includes a private key and server certificate, a certificate authority (CA) certificate, or both.
crl
    Imports a Certificate Revocation List (CRL). A CRL is a list of revoked certificates that are no longer valid. A certificate can be revoked if the CA improperly issued it, or if its private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.
<TRUSTPOINT-NAME>
    Specify the trustpoint name.
<URL>
    Specify the CRL source address in one of the following formats. Both IPv4 and IPv6 address formats are supported.
    tftp://<hostname|IPv4 or IPv6>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]/path/file
    sftp://<user>:<passwd>@<hostname|IPv4 or IPv6>[:port]>/path/file
    http://<hostname|IPv4 or IPv6>[:port]/path/file
    cf:/path/file
    usb<n>:/path/file
    The ftp and sftp forms place the account password in the profile configuration, so treat that profile as a secret. A CRL is signed by its issuing CA, but an on-path attacker against the tftp, ftp or http forms can still substitute an older, validly signed list.
<1-168>
    Sets the refresh interval from 1 - 168 hours. This is the interval after which devices using this profile copy the CRL file from the external server again and associate it with the trustpoint.

crypto plain-text-deny-acl-scope [global|interface]

plain-text-deny-acl-scope
    Configures the scope of the plain text deny ACL, which discards unprotected traffic that a crypto map entry would otherwise have secured
    global
        Applies the plain text deny ACL globally. This is the default setting.
    interface
        Applies the plain text deny ACL to the interface only

crypto remote-vpn-client

remote-vpn-client
    Configures remote VPN client settings. For more information, see crypto-remote-vpn-client commands.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
rfs6000-37FABE(config-profile-default-rfs6000)#crypto map map1 10 ipsec-isakmp dynamic
rfs6000-37FABE(config-profile-default-rfs6000)#crypto plain-text-deny-acl-scope interface
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  tunnel-over-level2
 ip igmp snooping
 ip igmp snooping querier
 no autoinstall configuration
 no autoinstall firmware
 device-upgrade persist-images
 crypto ikev1 dpd-retries 1
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto map map1 10 ipsec-isakmp dynamic
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto plain-text-deny-acl-scope interface
 interface radio1
 interface radio2
 interface up
rfs6000-37FABE(config-profile-default-rfs6000)#
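Reviewing a profile like the one in the show context output above is mostly a review of its algorithm choices. The following Python audit is an added example, not part of the CLI reference or of WiNG. It parses the crypto lines of that output with regular expressions matching the syntax documented in this section; the copy embedded in SAMPLE_CONTEXT is constructed from the output above plus the esp-null transform set configured in the next example, with indentation assumed. It flags weak transform sets, small Diffie-Hellman groups, SHA-1 proposals and aggressive DPD. The severity labels and the remedies are this editor's choices, and the remedy keywords for the isakmp-proposal command are assumed rather than taken from this page.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed from the 'show context' output above; indentation is assumed.
SAMPLE_CONTEXT = """\
profile rfs6000 default-rfs6000
 crypto ikev1 dpd-retries 1
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 esp-aes-256 esp-md5-hmac
 crypto ipsec transform-set tag1 esp-null esp-md5-hmac
 crypto map map1 10 ipsec-isakmp dynamic
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto plain-text-deny-acl-scope interface
"""

# Keyword -> (severity, reason). Keywords not listed are treated as acceptable.
WEAK_ENCRYPTION = {
    "esp-null": ("high", "no confidentiality, payload travels in clear"),
    "esp-des": ("high", "56-bit DES is broken (RFC 8221: MUST NOT)"),
    "esp-3des": ("medium", "3DES has a 64-bit block (RFC 8221: SHOULD NOT)"),
}
WEAK_INTEGRITY = {
    "esp-md5-hmac": ("medium", "HMAC-MD5 is deprecated, use esp-sha256-hmac"),
    "esp-sha-hmac": ("low", "HMAC-SHA1 is legacy, prefer esp-sha256-hmac"),
}
WEAK_DH_GROUPS = {"1": "768-bit MODP", "2": "1024-bit MODP"}

TRANSFORM_RE = re.compile(r"^crypto ipsec transform-set (\S+) (\S+) (\S+)$")
IKE_POLICY_RE = re.compile(r"^crypto (ikev[12]) policy (\S+)$")
PROPOSAL_RE = re.compile(r"^isakmp-proposal (\S+) encryption (\S+) group (\d+) hash (\S+)$")
DPD_RE = re.compile(r"^crypto (ikev[12]) dpd-retries (\d+)$")


@dataclass
class Finding:
    severity: str
    line: str
    reason: str


def audit(context: str) -> List[Finding]:
    """Walk the configuration once and collect findings."""
    findings: List[Finding] = []
    policy = "isakmp"      # the ikev1/ikev2 policy an isakmp-proposal line belongs to
    for raw in context.splitlines():
        line = raw.strip()
        if m := IKE_POLICY_RE.match(line):
            policy = f"{m.group(1)} policy {m.group(2)}"
        elif m := TRANSFORM_RE.match(line):
            tag, enc, auth = m.groups()
            for table, key in ((WEAK_ENCRYPTION, enc), (WEAK_INTEGRITY, auth)):
                if key in table:
                    sev, why = table[key]
                    findings.append(Finding(sev, line, f"transform-set {tag}: {why}"))
        elif m := PROPOSAL_RE.match(line):
            name, enc, group, hsh = m.groups()
            where = f"{policy} proposal {name}"
            if enc in ("des", "3des"):
                findings.append(Finding("high", line, f"{where}: {enc} for IKE, use aes-256"))
            if group in WEAK_DH_GROUPS:
                findings.append(Finding("medium", line,
                    f"{where}: DH group {group} ({WEAK_DH_GROUPS[group]}) is too small, "
                    "use a 2048-bit or larger group"))
            if hsh == "sha":
                findings.append(Finding("low", line, f"{where}: hash sha is SHA-1, prefer a SHA-2 hash"))
        elif m := DPD_RE.match(line):
            ver, retries = m.groups()
            if int(retries) < 3:
                findings.append(Finding("low", line,
                    f"{ver} dpd-retries {retries}: peer declared dead after {retries} "
                    "missed keepalive(s), default is 5"))
    return findings


def worst(findings: List[Finding]) -> str:
    rank = {"high": 3, "medium": 2, "low": 1}
    return max((f.severity for f in findings), key=rank.__getitem__, default="none")


if __name__ == "__main__":
    for f in audit(SAMPLE_CONTEXT):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run against the sample, the esp-null set is the only high finding; the two isakmp-proposal lines each produce a group 2 and a SHA-1 finding, and dpd-retries 1 is reported because one lost keepalive tears the tunnel down.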
rfs6000-37FABE(config-profile-default-rfs6000)#crypto ipsec transform-set tag1 esp-null esp-md5-hmac
rfs6000-37FABE(config-profile-default-rfs6000-transform-set-tag1)#?
Crypto Ipsec Configuration commands:
  mode     Encapsulation mode (transport/tunnel)
  no       Negate a command or set its defaults

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-37FABE(config-profile-default-rfs6000-transform-set-tag1)#
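The crypto map processing rules at the start of this command (ordered entries, plain text deny, first match on transmit, SPI lookup on receipt) read like a decision procedure, and the following Python model is that procedure written out. It is an added example, not code from the CLI reference or from WiNG: entry selectors are reduced to source and destination prefixes, "respond only" is modelled as a per-entry flag, the integrity and replay checks are a constructed boolean on the packet, and the map, SAs and packets are all constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    spi: Optional[int] = None   # set only on ESP-protected packets
    checks_ok: bool = True      # constructed result of integrity/replay checks


@dataclass
class SA:
    spi: int
    peer: str


@dataclass
class CryptoMapEntry:
    seq: int                    # crypto map <CRYPTO-MAP-TAG> <1-1000>
    src: str                    # selector prefixes (simplification)
    dst: str
    peer: str
    respond_only: bool = False  # entry may answer IKE but never initiate it

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


@dataclass
class CryptoMap:
    tag: str
    entries: List[CryptoMapEntry] = field(default_factory=list)

    def first_match(self, pkt: Packet) -> Optional[CryptoMapEntry]:
        # Entries are processed in sequence-number order, lowest first.
        return next((e for e in sorted(self.entries, key=lambda e: e.seq)
                     if e.matches(pkt)), None)


@dataclass
class Interface:
    name: str
    crypto_map: Optional[CryptoMap]
    inbound_sas: Dict[int, SA] = field(default_factory=dict)   # keyed by SPI
    outbound_sas: Dict[str, SA] = field(default_factory=dict)  # keyed by peer


def receive(iface: Interface, pkt: Packet) -> str:
    """Packet arriving on iface, either unprotected or ESP-protected."""
    if pkt.spi is None:
        # Plain text deny: unprotected traffic that a map entry selects is dropped.
        if iface.crypto_map and iface.crypto_map.first_match(pkt):
            return "discard: plain-text traffic matches crypto map"
        return "forward"
    if pkt.spi not in iface.inbound_sas:
        return "discard: no SA for SPI"
    if not pkt.checks_ok:
        return "discard: security checks failed"
    return f"forward: decapsulated with SPI {pkt.spi:#x}"


def transmit(iface: Interface, pkt: Packet) -> str:
    """Packet leaving iface: the first matching entry decides how it is secured."""
    entry = iface.crypto_map.first_match(pkt) if iface.crypto_map else None
    if entry is None:
        return "send in clear"
    sa = iface.outbound_sas.get(entry.peer)
    if sa is not None:
        return f"send via SA {sa.spi:#x} (entry {entry.seq})"
    if entry.respond_only:
        return f"discard: no SA and entry {entry.seq} is respond only"
    return f"initiate IKE with {entry.peer} (entry {entry.seq})"


def demo_interface() -> Interface:
    """Constructed map: a specific /24 entry and a broader respond-only entry."""
    cmap = CryptoMap("map1", [
        CryptoMapEntry(20, "10.1.0.0/16", "10.2.0.0/16", peer="203.0.113.2", respond_only=True),
        CryptoMapEntry(10, "10.1.1.0/24", "10.2.0.0/16", peer="203.0.113.1"),
    ])
    iface = Interface("vlan1", cmap)
    iface.inbound_sas[0x1001] = SA(0x1001, "203.0.113.1")
    iface.outbound_sas["203.0.113.1"] = SA(0x2001, "203.0.113.1")
    return iface


if __name__ == "__main__":
    iface = demo_interface()
    print(transmit(iface, Packet("10.1.1.5", "10.2.3.4")))
    print(transmit(iface, Packet("10.1.7.5", "10.2.3.4")))
    print(receive(iface, Packet("10.1.1.5", "10.2.3.4")))
    print(receive(iface, Packet("203.0.113.1", "192.168.13.16", spi=0x1001)))
```

Entry 10 is listed after entry 20 but is processed first because of its lower sequence number; had the broad /16 entry been given the lower number it would have shadowed the specific one, which is the usual ordering mistake in a multi-peer crypto map.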
Related Commands
no
    Disables or reverts settings to their default

7.1.17.2 crypto-auto-ipsec-tunnel commands

Creates an auto IPSec VPN tunnel and changes the mode to auto-ipsec-secure mode for further configuration.

Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service platforms and associated access points that are within a range of valid IP addresses. You can define which packets are sent within the tunnel, and how they are protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination or associated access point.

Tunnels are sets of SAs between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

The IKE protocol is a key management protocol used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE enables secure communications without time-consuming manual pre-configuration for auto IPSec tunneling.

rfs7000-37FABE(config-profile-default-rfs7000)#crypto auto-ipsec-secure
rfs7000-37FABE(config-profile-default-rfs7000-crypto-auto-ipsec-secure)#?
Crypto Auto IPSEC Tunnel commands:
  groupid       Local/Remote identity and Authentication credentials for Auto IPSec Secure IKE negotiation
  ike-lifetime  Set lifetime for ISAKMP security association
  ikev2         IKEv2 configuration commands
  ip            Internet Protocol config commands
  no            Negate a command or set its defaults
  remotegw      Auto IPSec Secure Remote Peer IKE

  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal

rfs7000-37FABE(config-profile-default-rfs7000-crypto-auto-ipsec-secure)#
The following table summarizes the crypto IPSec auto tunnel configuration mode commands:

Command       Description                                                                                         Reference
groupid       Specifies the identity string used for IKE authentication                                           page 7-88
ip            Enables the controller or service platform to uniquely identify APs and the hosts present in the APs' subnets   page 7-89
ike-lifetime  Configures the IKE SA's key lifetime in seconds                                                     page 7-90
ikev2         Enables the forced re-authentication of IKEv2 peers                                                 page 7-91
rem otegw      Defines the IKE version used for an auto IPSec tunnel using secure gateways                         page 7-92
no            Removes or reverts the crypto auto IPSec tunnel settings                                            page 7-93

7.1.17.2.1 groupid

Specifies the identity string used for IKE authentication

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
groupid <WORD> [psk|rsa]
groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

Parameters
groupid <WORD> [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

<WORD>
    Specify a string not exceeding 64 characters. This is the group identity used for the IKE exchange between auto IPSec secure peers. After providing a group ID, specify the authentication method used to authenticate peers on the auto IPSec secure tunnel. The options are psk and rsa.
psk [0 <WORD>|2 <WORD>|<WORD>]
    Configures a pre-shared key (PSK) as the authentication type for secure peer authentication on the auto IPSec secure tunnel. Because only one group ID is supported and every AP, controller and service platform shares it, a PSK is shared by every peer as well: compromise of any one device's configuration exposes the key for all of them.
    0 <WORD>
        Configures a clear text key
    2 <WORD>
        Configures an encrypted key
    <WORD>
        Specify a string value from 8 - 21 characters.
rsa
    Configures the Rivest-Shamir-Adleman (RSA) key. RSA is an algorithm for public key cryptography. It is the first algorithm known to be suitable for signing, as well as encryption. This is the default setting.

NOTE: Only one group ID is supported on the controller or service platform. All APs, controllers, and service platforms must use the same group ID.

Example
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#groupid testgroup@123 rsa
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
 groupid testgroup@123 rsa
rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#
7.1.17.2.2 ip

Enables the controller to uniquely identify APs and the hosts present in the APs' subnets. This allows the controller to correctly identify the destination host and create a dynamic site-to-site VPN tunnel between the host and the private network behind the controller.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip nat crypto

Parameters
ip nat crypto

ip nat crypto
    Enables unique identification of APs and the hosts present in each AP's subnet. Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two (or more) different routers have the same IP address and the same subnet exists behind these APs. For example, consider two APs (A and B) behind two routers (1 and 2). AP A is behind router 1 and AP B is behind router 2. Both APs have the same IP address (192.168.13.8), and the subnet behind APs A and B is also the same (100.1.1.0/24). In such a scenario the controller cannot uniquely identify the hosts present in either AP's subnet. For more information, see remotegw and crypto.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ip nat crypto
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
 remotegw ike-version ikev2 uniqueid
 ip nat crypto
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#
7.1.17.2.3 ike-lifetime

Configures the IKE SA's key lifetime in seconds. The lifetime defines how long a connection (encryption/authentication keys) should last, from successful key negotiation to expiration. Two peers need not exactly agree on the lifetime, though if they do not, there is some clutter for a superseded connection on the peer defining the lifetime as longer.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ike-lifetime <600-86400>

Parameters
ike-lifetime <600-86400>

ike-lifetime <600-86400>
    Sets the IKE SA's key lifetime in seconds. Specify a value from 600 - 86400 seconds. The default is 8600 seconds.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ike-lifetime 800
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#show context
crypto auto-ipsec-secure
 ike-lifetime 800
rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#
7.1.17.2.4 ikev2
crypto-auto-ipsec-tunnel commands

Enables forced IKEv2 peer re-authentication. This option is disabled by default.

In most IPSec tunnel configurations, the lifetime of IKE SAs between peers is limited. Once the IKE SA key expires it is renegotiated. In such a scenario, the IKEv2 tunnel peers may or may not re-authenticate themselves. When this option is enabled, IKE tunnel peers have to re-authenticate each time the IKE SA is renegotiated.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ikev2 peer reauth

Parameters
  ikev2 peer reauth

  ikev2 peer reauth    Enables IKEv2 peer re-authentication. When enabled, IKE tunnel peers are forced to re-authenticate each time the IKE key is renegotiated.

Example
  rfs4000-229D58(config-profile-testRFS4000-crypto-auto-ipsec-secure)#ikev2 peer reauth

7.1.17.2.5 remotegw
crypto-auto-ipsec-tunnel commands

Defines the IKE version used for auto IPSec tunnel negotiation with an IPSec remote gateway other than the controller.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}

Parameters
  remotegw ike-version [ikev1-aggr|ikev1-main|ikev2] {uniqueid}

  remotegw ike-version    Configures the IKE version used for initiating the auto IPSec tunnel with secure gateways other than the controller.
    ikev1-aggr            Aggressive mode is used by the auto IPSec tunnel initiator to set up the connection.
    ikev1-main            Main mode is used by the auto IPSec tunnel initiator to establish the connection.
    ikev2                 IKEv2 is the preferred method when only wireless controllers/APs are used.
  uniqueid                Optional. This keyword is common to all of the above parameters. Enables the assigning of a unique ID to APs (using this profile) behind a router by prefixing the MAC address to the group ID. Providing a unique ID enables the access point, wireless controller, or service platform to uniquely identify the destination device. This is essential in networks where there are multiple APs behind a router, or when two (or more) APs behind two (or more) different routers have the same IP address.

For example, consider a scenario with two APs (A and B) behind two routers (1 and 2). AP A is behind router 1 and AP B is behind router 2. Both APs have the same IP address (192.168.13.8). In such a scenario, the controller fails to establish an Auto IPSec VPN tunnel to either AP, because it is unable to uniquely identify them. After enabling unique ID assignment, enable the IKE unique ID check. For more information, see crypto.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#remotegw ike-version ikev2 uniqueid
  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
   crypto auto-ipsec-secure
    remotegw ike-version ikev2 uniqueid
  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#
7.1.17.2.6 no
crypto-auto-ipsec-tunnel commands

Removes or resets auto IPSec tunnel settings.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [groupid|ike-lifetime|ikev2 peer reauth|ip nat crypto]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>    Removes or resets auto IPSec tunnel settings based on the parameters passed.

Example
The following example shows the auto IPSec tunnel settings before the no command is executed:
  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
   crypto auto-ipsec-secure
    groupid testpassword@123 rsa
  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#

  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#no groupid

The following example shows the auto IPSec tunnel settings after the no command is executed:
  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#show context
   crypto auto-ipsec-secure
  rfs6000-37FABE(config-profile-default-rfs6000-crypto-auto-ipsec-secure)#
7.1.17.3 crypto-ikev1/ikev2-policy commands
crypto

Defines crypto IKEv1/IKEv2 commands in detail.

IKE is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs and enables secure communications without time-consuming manual pre-configuration.

Use the (config) instance to configure IKEv1/IKEv2 policy configuration commands. To navigate to the IKEv1/IKEv2 policy config instance, use the following commands:

  <DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
  <DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 policy <IKEV1/IKEV2-POLICY-NAME>

  rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev1 policy ikev1-testpolicy
  rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-ikev1-testpolicy)#?
  Crypto IKEv1 Policy Configuration commands:
    dpd-keepalive    Set Dead Peer Detection interval in seconds
    dpd-retries      Set Dead Peer Detection retries count
    isakmp-proposal  Configure ISAKMP Proposals
    lifetime         Set lifetime for ISAKMP security association
    mode             IKEv1 mode (main/aggressive)
    no               Negate a command or set its defaults

    clrscr           Clears the display screen
    commit           Commit all changes made in this session
    end              End current mode and change to EXEC mode
    exit             End current mode and down to previous mode
    help             Description of the interactive help system
    revert           Revert changes
    service          Service Commands
    show             Show running system information
    write            Write running configuration to memory or terminal
  rfs7000-37FABE(config-profile-default-rfs7000-ikev1-policy-ikev1-testpolicy)#

  rfs7000-37FABE(config-profile-test-ikev2-policy-ikev2-testpolicy)#?
  Crypto IKEv2 Policy Configuration commands:
    dpd-keepalive    Set Dead Peer Detection interval in seconds
    isakmp-proposal  Configure ISAKMP Proposals
    lifetime         Set lifetime for ISAKMP security association
    no               Negate a command or set its defaults
    sa-per-acl       Setup single SA for all rules in the ACL (ONLY APPLICABLE FOR SITE-TO-SITE VPN)

    clrscr           Clears the display screen
    commit           Commit all changes made in this session
    do               Run commands from Exec mode
    end              End current mode and change to EXEC mode
    exit             End current mode and down to previous mode
    help             Description of the interactive help system
    revert           Revert changes
    service          Service Commands
    show             Show running system information
    write            Write running configuration to memory or terminal
  rfs7000-37FABE(config-profile-test-ikev2-policy-ikev2-testpolicy)#

NOTE: IKEv2, being an improved version of the original IKEv1 design, is recommended in most deployments. IKEv2 provides enhanced cryptographic mechanisms, NAT and firewall traversal, attack resistance, etc.

The following table summarizes crypto IKEv1/IKEv2 configuration mode commands:

  Command           Description                                                                                   Reference
  dpd-keepalive     Sets the DPD keep-alive packet interval                                                       page 7-96
  dpd-retries       Sets the maximum number of attempts for sending DPD keep-alive packets (IKEv1 policy only)    page 7-97
  isakmp-proposal   Configures ISAKMP proposals                                                                   page 7-98
  lifetime          Specifies how long an IKE SA is valid before it expires                                       page 7-100
  mode              Sets the mode of the tunnels (IKEv1 policy only)                                              page 7-101
  no                Removes or reverts IKEv1/IKEv2 policy settings                                                page 7-102

7.1.17.3.1 dpd-keepalive
crypto-ikev1/ikev2-policy commands

Sets the DPD keep-alive packet interval.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dpd-keepalive <10-3600>

Parameters
  dpd-keepalive <10-3600>

  <10-3600>    Specifies the interval, in seconds, between successive DPD keep-alive packets. The IKE keep-alive message is used to detect a dead peer on the remote end of the IPSec VPN tunnel. Specify the time from 10 - 3600 seconds. The default is 30 seconds.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#dpd-keepalive 11
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-testpolicy)#show context
   crypto ikev1 policy testpolicy
    dpd-keepalive 11
    isakmp-proposal default encryption aes-256 group 2 hash sha
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-testpolicy)#
7.1.17.3.2 dpd-retries
crypto-ikev1/ikev2-policy commands

Sets the maximum number of times DPD keep-alive packets are sent to a peer. Once this value is exceeded without a response from the peer, the VPN tunnel connection is declared dead. This option is available only for the IKEv1 policy.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dpd-retries <1-100>

Parameters
  dpd-retries <1-100>

  <1-100>    Declares a peer dead after the specified number of retries. Specify a value from 1 - 100. The default is 5.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#dpd-retries 10
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
   crypto ikev1 policy testpolicy
    dpd-keepalive 11
    dpd-retries 10
    isakmp-proposal default encryption aes-256 group 2 hash sha
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
7.1.17.3.3 isakmp-proposal
crypto-ikev1/ikev2-policy commands

Configures ISAKMP proposals and their parameters.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [aes-xcbc-mac|md5|sha|sha256]

Parameters
  isakmp-proposal <WORD> encryption [3des|aes|aes-192|aes-256] group [14|2|5] hash [aes-xcbc-mac|md5|sha|sha256]

  <WORD>    Assigns the target peer (tunnel destination) a name of 32 characters maximum, to distinguish it from others with a similar configuration.

  encryption [3des|aes|aes-192|aes-256]    Configures the encryption method used by the tunneled peers to securely inter-operate.
    3des       Configures triple data encryption standard
    aes        Configures AES (128 bit keys)
    aes-192    Configures AES (192 bit keys)
    aes-256    Configures AES (256 bit keys). This is the default setting.

  group [14|2|5]    Specifies the Diffie-Hellman (DH) group identifier used by VPN peers to derive a shared secret without having to transmit it. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14.
    14    Configures DH group 14
    2     Configures DH group 2. This is the default setting.
    5     Configures DH group 5

  hash [aes-xcbc-mac|md5|sha|sha256]    Specifies the hash algorithm used to authenticate data transmitted over the IKE SA. The hash algorithm specified here is used by VPN peers to exchange credential information.
    aes-xcbc-mac    Uses the AES XCBC Auth hash algorithm. This option is applicable only to the IKEv2 policy configuration context.
    md5             Uses the Message Digest 5 (MD5) hash algorithm
    sha             Uses the Secure Hash Authentication (SHA) hash algorithm. This is the default setting.
    sha256          Uses the Secure Hash Standard 2 algorithm

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#isakmp-proposal testproposal encryption aes group 2 hash sha
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
   crypto ikev1 policy testpolicy
    dpd-keepalive 11
    dpd-retries 10
    isakmp-proposal default encryption aes-256 group 2 hash sha
    isakmp-proposal testproposal encryption aes group 2 hash sha
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
7.1.17.3.4 lifetime
crypto-ikev1/ikev2-policy commands

Specifies how long an IKE SA (encryption/authentication keys) is valid. The value specified is the validity period of the IKE SA from successful key negotiation to expiration.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  lifetime <600-86400>

Parameters
  lifetime <600-86400>

  lifetime       Specifies how many seconds an IKE SA lasts before it expires. Set a value from 600 - 86400 seconds.
  <600-86400>    Specify a value from 600 - 86400 seconds. The default is 86400 seconds.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#lifetime 655
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
   crypto ikev1 policy testpolicy
    dpd-keepalive 11
    dpd-retries 10
    lifetime 655
    isakmp-proposal default encryption aes-256 group 2 hash sha
    isakmp-proposal testproposal encryption aes group 2 hash sha
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
7.1.17.3.5 mode
crypto-ikev1/ikev2-policy commands

Configures the IPSec mode of operation for the IKEv1 policy. This option is not available for the IKEv2 policy.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mode [aggressive|main]

Parameters
  mode [aggressive|main]

  mode [aggressive|main]    Sets the mode of the tunnels.
    aggressive    Initiates the aggressive mode
    main          Initiates the main mode

If configuring the IKEv1 IPSec policy, define the IKE mode as either main or aggressive. In aggressive mode, 3 messages are exchanged between the IPSec peers to set up the SA. In main mode, 6 messages are exchanged. The default setting is main.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#mode aggressive
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
   crypto ikev1 policy testpolicy
    dpd-keepalive 11
    dpd-retries 10
    lifetime 655
    isakmp-proposal default encryption aes-256 group 2 hash sha
    isakmp-proposal testproposal encryption aes group 2 hash sha
    mode aggressive
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
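The isakmp-proposal, lifetime, dpd-keepalive, dpd-retries and mode sections above are the settings that decide how strong an IKEv1/IKEv2 policy is. As an added example that is not part of this guide or of the WiNG software, the following Python script parses show context output in the format these sections print and reports the settings a reviewer would question; the configuration text is constructed, and the thresholds (DH group below 14, 3des, md5 and plain sha treated as deprecated) are this example's assumptions, not values from the guide.

```python
"""Audit WiNG-style 'show context' output for questionable IKE policy settings.

Added example, not Extreme/WiNG code. Parses the crypto ikev1/ikev2 policy
syntax documented in this section (isakmp-proposal, mode, lifetime,
dpd-keepalive, dpd-retries) and lists settings worth a second look.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample modelled on the show context output in this section;
# the second IKEv1 proposal deliberately picks the weakest options offered.
SAMPLE_CONTEXT = """\
crypto ikev1 policy testpolicy
 dpd-keepalive 11
 dpd-retries 10
 lifetime 655
 isakmp-proposal default encryption aes-256 group 2 hash sha
 isakmp-proposal testproposal encryption 3des group 2 hash md5
 mode aggressive
crypto ikev2 policy ikev2-testpolicy
 lifetime 86400
 isakmp-proposal strong encryption aes-256 group 14 hash sha256
"""

# Assumed thresholds for this example (not from the guide).
WEAK_ENCRYPTION = {"3des"}
# The bare 'sha' keyword is listed separately from 'sha256' on this page, so
# it denotes SHA-1; SHA-1 and MD5 are both deprecated for new IKE policies.
WEAK_HASH = {"md5", "sha"}
MIN_DH_GROUP = 14               # groups 2 and 5 are below current guidance
LIFETIME_RANGE = (600, 86400)   # documented range of the 'lifetime' command


@dataclass
class Policy:
    version: str                         # "ikev1" or "ikev2"
    name: str
    proposals: List[Dict] = field(default_factory=list)
    mode: str = "main"                   # documented default (IKEv1 only)
    lifetime: int = 86400                # documented default
    dpd_keepalive: int = 30              # documented default
    dpd_retries: int = 5                 # documented default (IKEv1 only)


def parse_context(text: str) -> List[Policy]:
    """Parse the indented policy blocks of a show context dump."""
    policies: List[Policy] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"crypto (ikev1|ikev2) policy (\S+)", line)
        if m:
            cur = Policy(version=m.group(1), name=m.group(2))
            policies.append(cur)
            continue
        if cur is None or not line:
            continue
        m = re.fullmatch(
            r"isakmp-proposal (\S+) encryption (\S+) group (\d+) hash (\S+)", line)
        if m:
            cur.proposals.append({"name": m.group(1), "encryption": m.group(2),
                                  "group": int(m.group(3)), "hash": m.group(4)})
            continue
        m = re.fullmatch(r"(mode|lifetime|dpd-keepalive|dpd-retries) (\S+)", line)
        if m:
            key, val = m.group(1).replace("-", "_"), m.group(2)
            setattr(cur, key, val if key == "mode" else int(val))
    return policies


def audit(policy: Policy) -> List[str]:
    """Return one finding per questionable setting in a single policy."""
    findings: List[str] = []
    for p in policy.proposals:
        tag = f"{policy.version} policy {policy.name}, proposal {p['name']}"
        if p["encryption"] in WEAK_ENCRYPTION:
            findings.append(f"{tag}: encryption {p['encryption']} is deprecated")
        if p["hash"] in WEAK_HASH:
            findings.append(f"{tag}: hash {p['hash']} is deprecated (prefer sha256)")
        if p["group"] < MIN_DH_GROUP:
            findings.append(f"{tag}: DH group {p['group']} is below group {MIN_DH_GROUP}")
    if policy.version == "ikev1" and policy.mode == "aggressive":
        # Aggressive mode finishes in 3 messages, but identities are exchanged
        # before the channel is encrypted; main mode or IKEv2 avoids that.
        findings.append(f"ikev1 policy {policy.name}: aggressive mode in use")
    lo, hi = LIFETIME_RANGE
    if not lo <= policy.lifetime <= hi:
        findings.append(f"{policy.version} policy {policy.name}: "
                        f"lifetime {policy.lifetime} outside {lo}-{hi}")
    return findings


def audit_context(text: str) -> Dict[str, List[str]]:
    """Map each policy name in the dump to its list of findings."""
    return {p.name: audit(p) for p in parse_context(text)}


if __name__ == "__main__":
    for name, found in audit_context(SAMPLE_CONTEXT).items():
        print(f"{name}: {len(found)} finding(s)")
        for f in found:
            print("  -", f)
```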
7.1.17.3.6 no
crypto-ikev1/ikev2-policy commands

Removes or reverts IKEv1/IKEv2 policy settings.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [dpd-keepalive|dpd-retries|isakmp-proposal <WORD>|lifetime|mode]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>    Removes or reverts IKEv1/IKEv2 policy settings based on the parameters passed.

Example
The following example shows the IKEv1 policy settings before the no commands are executed:
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
   crypto ikev1 policy testpolicy
    dpd-keepalive 11
    dpd-retries 10
    lifetime 655
    isakmp-proposal default encryption aes-256 group 2 hash sha
    isakmp-proposal testproposal encryption aes group 2 hash sha
    mode aggressive
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#

  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no mode
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no dpd-keepalive
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#no dpd-retries

The following example shows the IKEv1 policy settings after the no commands are executed:
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#show context
   crypto ikev1 policy testpolicy
    lifetime 655
    isakmp-proposal default encryption aes-256 group 2 hash sha
    isakmp-proposal testproposal encryption aes group 2 hash sha
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-policy-ikev1-testpolicy)#
7.1.17.4 crypto-ikev1/ikev2-peer commands
crypto

Use the (config) instance to configure IKEv1/IKEv2 peer configuration commands. To navigate to the IKEv1/IKEv2 peer config instance, use the following commands:

  <DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
  <DEVICE>(config-profile-<PROFILE-NAME>)#crypto ikev1/ikev2 peer <IKEV1/IKEV2-PEER-NAME>

  rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev1 peer peer1
  rfs7000-37FABE(config-profile-default-rfs7000-ikev1-peer-peer1)#?
  Crypto IKEv1 Peer Configuration commands:
    authentication   Configure Authentication credentials
    ip               Configure peer address/fqdn
    localid          Set local identity
    no               Negate a command or set its defaults
    remoteid         Configure remote peer identity
    use              Set setting to use

    clrscr           Clears the display screen
    commit           Commit all changes made in this session
    end              End current mode and change to EXEC mode
    exit             End current mode and down to previous mode
    help             Description of the interactive help system
    revert           Revert changes
    service          Service Commands
    show             Show running system information
    write            Write running configuration to memory or terminal
  rfs7000-37FABE(config-profile-default-rfs7000-ikev1-peer-peer1)#

  rfs7000-37FABE(config-profile-default-rfs7000)#crypto ikev2 peer peer1
  rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#?
  Crypto IKEv2 Peer Configuration commands:
    authentication   Configure Authentication credentials
    ip               Configure peer address/fqdn
    localid          Set local identity
    no               Negate a command or set its defaults
    remoteid         Configure remote peer identity
    use              Set setting to use

    clrscr           Clears the display screen
    commit           Commit all changes made in this session
    do               Run commands from Exec mode
    end              End current mode and change to EXEC mode
    exit             End current mode and down to previous mode
    help             Description of the interactive help system
    revert           Revert changes
    service          Service Commands
    show             Show running system information
    write            Write running configuration to memory or terminal
  rfs7000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#

The following table summarizes crypto IPSec IKEv1/IKEv2 peer configuration mode commands:

  Command          Description                                                                                  Reference
  authentication   Configures a peer's authentication mode and the pre-shared key                               page 7-105
  ip               Configures the peer's IP address                                                             page 7-106
  localid          Configures a peer's local identity details                                                   page 7-107
  remoteid         Configures a remote peer's identity details                                                  page 7-108
  use              Associates an IKEv1 policy and IKEv2 policy with the IKEv1 and IKEv2 peer respectively       page 7-109
  no               Negates a command or reverts settings to their default. The no command, when used in the ISAKMP policy mode, defaults the ISAKMP protection suite settings.    page 7-110

7.1.17.4.1 authentication
crypto-ikev1/ikev2-peer commands

Configures an IKEv1/IKEv2 peer's authentication mode and the pre-shared key.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  authentication [psk|rsa]
  authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}
  authentication rsa

Parameters
  authentication psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}

  psk [0 <WORD>|2 <WORD>|<WORD>] {local|remote}    Configures the authentication mode as pre-shared key (PSK). The PSK is a string, 8 - 12 characters long. It is shared by both ends of the VPN tunnel connection. If using IKEv2, both a local and a remote string must be specified for handshake validation at both ends (local and remote) of the VPN connection.
    0 <WORD>    Configures a clear text key
    2 <WORD>    Configures an encrypted key
    <WORD>      Configures the pre-shared key
    The following keywords are available only in the IKEv2 peer configuration mode:
    local     Optional. Uses the specified key for local peer authentication only
    remote    Optional. Uses the specified key for remote peer authentication only
    Note: If the peer type is not specified, this string is used for authenticating both local and remote peers.

  authentication rsa

  rsa    Configures the authentication mode as Rivest, Shamir, and Adleman (RSA). This is the default setting (for both IKEv1 and IKEv2). RSA is the first known public-key cryptography algorithm designed for signing and encryption. If configuring the IKEv2 peer, the rsa option allows you to enable authentication at both ends of the VPN connection (local and remote).

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#authentication rsa

  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#authentication psk 0 key@123456
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
   crypto ikev2 peer peer1
    authentication psk 0 key@123456 local
    authentication psk 0 key@123456 remote
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
7.1.17.4.2 ip
crypto-ikev1/ikev2-peer commands

Sets the IP address or Fully Qualified Domain Name (FQDN) of the IPSec VPN peer used in the tunnel setup.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ip [address <IP>|fqdn <WORD>]

Parameters
  ip [address <IP>|fqdn <WORD>]

  address <IP>    Specify the peer device's IP address.
  fqdn <WORD>     Specify the peer device's FQDN hostname.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#ip address 172.16.10.12
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
   crypto ikev1 peer peer1
    ip address 172.16.10.12
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#ip address 192.168.10.6
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
   crypto ikev2 peer peer1
    ip address 192.168.10.6
    authentication psk 0 test@123456 local
    authentication psk 0 test@123456 remote
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
7.1.17.4.3 localid
crypto-ikev1/ikev2-peer commands

Sets an IKEv1/IKEv2 peer's local identity. This local identifier is used with this peer configuration for an IKE exchange with the target VPN IPSec peer.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  localid [address|autogen-uniqueid|dn|email|fqdn|string]
  localid [address <IP>|autogen-uniqueid <WORD>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

Parameters
  localid [address <IP>|autogen-uniqueid <WORD>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

  address <IP>               Configures the peer's IP address. The IP address is used as the local identity.
  autogen-uniqueid <WORD>    Generates a localid using the device's unique identity. The system prefixes the device's unique identity to the string provided here. The device's unique identity must already exist and be configured. For more information on configuring a device's unique identity, see autogen-uniqueid.
    <WORD>    Provide the string.
  dn <WORD>                  Configures the peer's distinguished name (for example, "C=us ST=<state> L=<location> O=<organization> OU=<org unit>"). The maximum length is 128 characters.
  email <WORD>               Configures the peer's e-mail address. The maximum length is 128 characters.
  fqdn <WORD>                Configures the peer's FQDN. The maximum length is 128 characters.
  string <WORD>              Configures the peer's identity string. The maximum length is 128 characters. This is the default setting.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#localid email bob@examplecompany.com
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
   crypto ikev1 peer peer1
    ip address 172.16.10.12
    localid email bob@examplecompany.com
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#
7.1.17.4.4 remoteid
crypto-ikev1/ikev2-peer commands

Configures an IKEv1/IKEv2 peer's remote identity. This remote identifier is used with this peer configuration for an IKE exchange with the target VPN IPSec peer.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

Parameters
  remoteid [address <IP>|dn <WORD>|email <WORD>|fqdn <WORD>|string <WORD>]

  address <IP>     Configures the remote IKEv1/IKEv2 peer's IP address. The IP address is used as the peer's remote identity.
  dn <WORD>        Configures the remote peer's distinguished name. For example, "C=us ST=<state> L=<location> O=<organization> OU=<org unit>". The maximum length is 128 characters.
  email <WORD>     Configures the remote peer's e-mail address. The maximum length is 128 characters.
  fqdn <WORD>      Configures the peer's FQDN. The maximum length is 128 characters.
  string <WORD>    Configures the peer's identity string. The maximum length is 128 characters.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#remoteid dn SanJose
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
   crypto ikev1 peer peer1
    ip address 172.16.10.12
    remoteid dn SanJose
    localid email bob@examplecompany.com
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#remoteid address 157.235.209.63
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
   crypto ikev2 peer peer1
    remoteid address 157.235.209.63
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
7.1.17.4.5 use
crypto-ikev1/ikev2-peer commands

Associates an IKEv1/IKEv2 policy with the IKEv1/IKEv2 peer respectively.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use ikev1-policy <IKEV1-POLICY-NAME>
  use ikev2-policy <IKEV2-POLICY-NAME>

Parameters
  use ikev1-policy <IKEV1-POLICY-NAME>

  use ikev1-policy <IKEV1-POLICY-NAME>    Specify the IKEv1 policy name. The local IKEv1 policy and the peer IKEv1 policy must have matching group settings for successful negotiations.

  use ikev2-policy <IKEV2-POLICY-NAME>

  use ikev2-policy <IKEV2-POLICY-NAME>    Specify the IKEv2 policy name. The local IKEv2 policy and the peer IKEv2 policy must have matching group settings for successful negotiations.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#use ikev1-policy test-ikev1policy
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
   crypto ikev1 peer peer1
    ip address 172.16.10.12
    remoteid dn SanJose
    localid email bob@examplecompany.com
    use ikev1-policy test-ikev1policy
  rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#use ikev2-policy test-ikev2policy
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
   crypto ikev2 peer peer1
    remoteid address 157.235.209.63
    use ikev2-policy test-ikev2policy
  rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 109 PROFILES 7.1.17.4.6 no crypto-ikev1/ikev2-peer commands Removes or reverts IKEv1/IKEv2 peer settings Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [authentication|ip|localid|remoteid|use <IKEv1/IKEv2-POLICY-NAME>]
Parameters no <PARAMETERS>
no <PARAMETERS>
Removes or reverts IKEv1/IKEv2 peer settings based on the parameters passed Example The following example shows the Crypto IKEV1 peer1 settings before the no commands are executed:
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
 ip address 172.16.10.12
 remoteid dn SanJose
 localid email bob@examplecompany.com
 use ikev1-policy test-ikev1policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#no localid
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#no remoteid

The following example shows the Crypto IKEV1 peer1 settings after the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#show context
crypto ikev1 peer peer1
 ip address 172.16.10.12
 use ikev1-policy test-ikev1policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev1-peer-peer1)#
The following example shows the Crypto IKEV2 peer1 settings before the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
 remoteid address 157.235.209.63
 use ikev2-policy test
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#

The following example shows the Crypto IKEV2 peer1 settings after the no commands are executed:

rfs6000-37FABE(config-profile-default-rfs7000-ikev2-peer-peer1)#no use ikev2-policy
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#show context
crypto ikev2 peer peer1
 remoteid address 157.235.209.63
rfs6000-37FABE(config-profile-default-rfs6000-ikev2-peer-peer1)#
7.1.17.5 crypto-map-config-commands
crypto

This section explains crypto map configuration mode commands in detail.

A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map entries: ipsec-manual and ipsec-ike. Each entry is given an index (used to sort the ordered list).

IPSec VPN provides a secure tunnel between two networked peers. Administrators can define which packets are sent within the tunnel, and how they're protected. When a tunneled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Tunnels are sets of SAs between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunneled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

IKE is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration.

Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPSec peer; however, for remote VPN deployments one crypto map is used for all the remote IPSec peers.

Use the (config) instance to enter the crypto map configuration mode. To navigate to the crypto-map configuration instance, use the following commands:
In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> [ipsec-isakmp {dynamic}|ipsec-manual]
There are three different configurations defined for each listed crypto map: site-to-site manual (ipsec-manual), site-to-site auto tunnel (ipsec-isakmp), and remote VPN client (ipsec-isakmp dynamic). With site-to-site deployments, an IPSec tunnel is deployed between two gateways, each at the edge of two different remote networks. With remote VPN, an access point located at a remote branch defines a tunnel with a security gateway. This enables the end points in the branch office to communicate with the destination endpoints (behind the security gateway) in a secure manner.

Each crypto map entry is given an index (used to sort the ordered list).

rfs6000-37FABE(config-profile-default-rfs6000)#crypto map map1 1 ipsec-manual
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#?
Manual Crypto Map Configuration commands:
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)
  mode                  Set the tunnel mode
  no                    Negate a command or set its defaults
  peer                  Set peer
  security-association  Set security association parameters
  session-key           Set security session key parameters
  use                   Set setting to use

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
The following table summarizes crypto map configuration mode commands:

crypto-map auto-vpn-tunnel/remote-vpn-client instance
  Configures an auto site-to-site VPN or remote VPN client
  Reference: page 7-113
crypto-map-ipsec-manual-instance
  Configures a manual site-to-site VPN
  Reference: page 7-127

7.1.17.5.1 crypto-map auto-vpn-tunnel/remote-vpn-client instance
crypto-map-config-commands

To navigate to the auto site-to-site VPN tunnel configuration instance, use the following command:
In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp

rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 1 ipsec-isakmp
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#?
Site to Site Crypto Map Configuration commands:
  ip                    Internet Protocol config commands
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)
  no                    Negate a command or set its defaults
  peer                  Add a remote peer
  pfs                   Specify Perfect Forward Secrecy
  security-association  Security association parameters
  transform-set         Specify IPSec transform to use
  use                   Set setting to use

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
To navigate to the remote VPN client configuration instance, use the following command:

In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp {dynamic}

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-isakmp {dynamic}

rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 2 ipsec-isakmp dynamic
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#?
Dynamic Crypto Map Configuration commands:
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)
  modeconfig            Set the mode config method
  no                    Negate a command or set its defaults
  peer                  Add a remote peer
  pfs                   Specify Perfect Forward Secrecy
  remote-type           Set the remote VPN client type
  security-association  Security association parameters
  transform-set         Specify IPSec transform to use
  use                   Set setting to use

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
The following table lists the IPSec-Auto-VPN/Remote-VPN tunnel configuration commands:

ip
  Enables this setting to utilize IP/Port NAT on the VPN tunnel. This command is applicable only to the site-to-site VPN tunnel.
  Reference: page 7-115
local-endpoint-ip
  Uses the configured IP as local tunnel endpoint address, instead of the interface IP. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
  Reference: page 7-116
modeconfig
  Configures the mode config method (pull or push) associated with the remote VPN client. This command is applicable only to the remote VPN client.
  Reference: page 7-117
peer
  Configures the IKEv1 or IKEv2 peer for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
  Reference: page 7-118
pfs
  Configures the Perfect Forward Secrecy (PFS) for the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
  Reference: page 7-119
remote-type
  Configures the remote VPN client type as either None or XAuth. This command is applicable only to the remote VPN client.
  Reference: page 7-120
security-association
  Defines this automatic VPN tunnel's IPSec SA settings. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
  Reference: page 7-121
transform-set
  Applies a transform set (encryption and hash algorithms) to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
  Reference: page 7-123
use
  Applies an existing and configured IP access list to the VPN tunnel. This command is applicable to the site-to-site VPN tunnel and remote VPN client.
  Reference: page 7-124
no
  Removes or reverts site-to-site VPN tunnel or remote VPN client settings
  Reference: page 7-125

7.1.17.5.2 ip
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Enables this setting to utilize IP/Port NAT on this auto site-to-site VPN tunnel. This option is disabled by default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ip nat crypto

Parameters

ip nat crypto

ip nat crypto
  Enables this setting to utilize IP/Port NAT on the site-to-site VPN tunnel. This setting is disabled by default.

Example

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
7.1.17.5.3 local-endpoint-ip
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Uses the configured IP as local tunnel endpoint address, instead of the interface IP

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

local-endpoint-ip <IP>

Parameters

local-endpoint-ip <IP>

local-endpoint-ip <IP>
  Configures the local VPN tunnel's (site-to-site VPN tunnel or remote VPN client) endpoint IP address
  <IP> Specify the IP address. The specified IP address must be available on the interface.

Example

Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#local-endpoint-ip 192.168.13.10
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 local-endpoint-ip 192.168.13.10
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.4 modeconfig
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures the mode config method (pull or push) associated with the remote VPN client

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

modeconfig [pull|push]

Parameters

modeconfig [pull|push]

modeconfig [pull|push]
  Configures the mode config method associated with a remote VPN client. The options are: pull and push. The mode (pull or push) defines the method used to assign a virtual IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration payload in pull mode. The default setting is push.

Example

Remote VPN client:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#modeconfig pull
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 modeconfig pull
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)

7.1.17.5.5 peer
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures the IKEv1 or IKEv2 peer for the auto site-to-site VPN tunnel or remote VPN client. The peer device can be specified either by its hostname or by its IP address. A maximum of three peers can be configured.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>

Parameters

peer <1-3> [ikev1|ikev2] <IKEv1/IKEv2-PEER-NAME>

peer <1-3>
  Creates a new peer and configures the peer's priority level. Peer 1 is the primary peer, and peer 3 is redundant.
ikev1 <IKEv1-PEER-NAME>
  Configures an IKEv1 peer
  <IKEv1-PEER-NAME> Specify the IKEv1 peer's name.
ikev2 <IKEv2-PEER-NAME>
  Configures an IKEv2 peer
  <IKEv2-PEER-NAME> Specify the IKEv2 peer's name.

Example

Site-to-site tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#peer 1 ikev2 ikev2Peer1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#peer 1 ikev1 RemoteIKEv1Peer1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.6 pfs
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures Perfect Forward Secrecy (PFS) for the auto site-to-site VPN tunnel or remote VPN client.

PFS is a property of the key-establishment protocol used to secure VPN communications: if one encryption key is compromised, only the data encrypted with that specific key is exposed. For PFS to hold, the key used to protect data transmissions must not be used to derive any additional keys. Options include 2, 5 and 14. This option is disabled by default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

pfs [14|2|5]

Parameters

pfs [14|2|5]

pfs [14|2|5]
  Configures PFS
  14 Configures D-H Group14 (2048-bit modp)
  2 Configures D-H Group2 (1024-bit modp)
  5 Configures D-H Group5 (1536-bit modp)

Example

Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#pfs 5
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 pfs 5
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#pfs 14
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.7 remote-type
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Configures the remote VPN client type as either None or XAuth

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

remote-type [none|xauth]

Parameters

remote-type [none|xauth]

remote-type [none|xauth]
  Specify the remote VPN client type
  none Configures the remote VPN client with no XAuth
  xauth Configures the remote VPN client as using XAuth (applicable only for IKEv1). This is the default setting. XAuth (extended authentication) provides additional authentication validation by permitting an edge device to request extended authentication information from an IPSec host. This forces the host to respond with additional authentication credentials. The edge device responds with a failed or passed message.

Example

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
 remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.8 security-association
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Defines the settings of the IPSec SAs created by this auto site-to-site VPN tunnel or remote VPN client

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

security-association [inactivity-timeout|level|lifetime]

security-association [inactivity-timeout <120-86400>|level perhost]

security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters

security-association [inactivity-timeout <120-86400>|level perhost]

inactivity-timeout <120-86400>
  Specifies an inactivity period, in seconds, for this IPSec VPN SA. Once the set value is exceeded, the association is timed out.
  <120-86400> Specify a value from 120 - 86400 seconds. The default is 900 seconds.
level perhost
  Specifies the granularity level for this IPSec VPN SA
  perhost Sets the IPSec VPN SA's granularity to the host level

security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

lifetime [kilobytes <500-2147483646>|seconds <120-86400>]
  Defines the IPSec SA's lifetime (in kilobytes and/or seconds). Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends the security association.
  kilobytes <500-2147483646> Defines volume based key duration. Specify a value from 500 - 2147483646 kilobytes. Select this option to define a connection volume lifetime (in kilobytes) for the duration of the IPSec VPN SA. Once the set volume is exceeded, the association is timed out. This option is disabled by default.
  seconds <120-86400> Defines time based key duration. Specify the time frame from 120 - 86400 seconds. Select this option to define a lifetime (in seconds) for the duration of the IPSec VPN SA. Once the set value is exceeded, the association is timed out. This option is disabled by default.

Example

Site-to-site tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association inactivity-timeout 200
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association level perhost
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#security-association lifetime kilobytes 250000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 security-association level perhost
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 pfs 5
 security-association lifetime kilobytes 250000
 security-association inactivity-timeout 200
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#security-association lifetime seconds 10000
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
 security-association lifetime seconds 10000
 remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.9 transform-set
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Applies a transform set (encryption and hash algorithms) to the site-to-site VPN tunnel or remote VPN client. Each crypto map can be customized with its own data protection and peer authentication schemes.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}

Parameters

transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}

transform-set <TRANSFORM-SET-TAG> {<TRANSFORM-SET-TAG>}
  Applies a transform set. The transform set must already exist and be configured.
  <TRANSFORM-SET-TAG> Specify the transform set's name.
  <TRANSFORM-SET-TAG> Optional. Specify a second transform set. You can provide multiple, space-separated, transform set tags.

Example

Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#transform-set AutoVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 security-association level perhost
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 pfs 5
 security-association lifetime kilobytes 250000
 security-association inactivity-timeout 200
 transform-set AutoVPN
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#transform-set RemoteVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
 security-association lifetime seconds 10000
 transform-set RemoteVPN
 remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.10 use
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Applies an existing and configured IP access list to the auto site-to-site VPN tunnel or remote VPN client. Based on the IP access list's settings, traffic is permitted or denied across the VPN tunnel.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

use ip-access-list <IP-ACCESS-LIST-NAME>

Parameters

use ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list <IP-ACCESS-LIST-NAME>
  Specify the IP access list name.

Example

Site-to-site VPN tunnel:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#use ip-access-list test
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 use ip-access-list test
 security-association level perhost
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 pfs 5
 security-association lifetime kilobytes 250000
 security-association inactivity-timeout 200
 transform-set AutoVPN
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

Remote VPN client:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#use ip-access-list test1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 use ip-access-list test1
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
 security-association lifetime seconds 10000
 transform-set RemoteVPN
 remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
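The auto VPN crypto map settings documented above (peer, pfs, security-association lifetime and inactivity-timeout, transform-set, remote-type and use ip-access-list) are easiest to review from the show context output the guide prints. The following Python script is an added example and is not code from the CLI Reference Guide or from the WiNG product: it parses that output in the form the guide shows it, flags settings a reviewer would want to revisit before committing the profile, and models the security-association rule that whichever configured limit (kilobytes or seconds) is reached first ends the SA, with an idle period at or beyond the inactivity timeout ending it as well. The sample output, the second map named branch with its peer hqPeer, and the helper names parse_crypto_maps, audit and sa_expiry_reason are all constructed for this example.

```python
"""Review WiNG crypto map settings from ``show context`` output.

Added example, not code from the CLI Reference Guide or the WiNG product.
"""
import re

# Constructed sample. The first map is the remote VPN client map from the
# guide's examples; the second (tag "branch", peer "hqPeer") is invented to
# show a map that omits several settings.
SAMPLE_SHOW_CONTEXT = """\
crypto map test 2 ipsec-isakmp dynamic
 use ip-access-list test1
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
 security-association lifetime seconds 10000
 transform-set RemoteVPN
 remote-type none
crypto map branch 5 ipsec-isakmp
 peer 1 ikev2 hqPeer
 pfs 2
 security-association lifetime kilobytes 250000
 security-association inactivity-timeout 200
"""

# Defaults the guide states: inactivity-timeout 900 s, remote-type xauth;
# pfs and lifetimes are disabled unless configured.
DEFAULT_INACTIVITY_TIMEOUT = 900
HEADER = re.compile(r"crypto map (\S+) (\d+) (ipsec-isakmp|ipsec-manual)( dynamic)?$")


def parse_crypto_maps(text):
    """Return one dict per crypto map block; indented lines belong to the block."""
    maps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            m = HEADER.match(line)
            if not m:
                raise ValueError("unexpected line: %r" % line)
            maps.append({
                "tag": m.group(1), "index": int(m.group(2)), "kind": m.group(3),
                "dynamic": m.group(4) is not None, "peers": [], "acl": None,
                "pfs": None, "transform_sets": [], "remote_type": "xauth",
                "lifetime_kb": None, "lifetime_s": None,
                "inactivity_timeout": DEFAULT_INACTIVITY_TIMEOUT,
            })
            continue
        cur, tok = maps[-1], line.split()
        if tok[:2] == ["use", "ip-access-list"]:
            cur["acl"] = tok[2]
        elif tok[0] == "peer":  # peer <1-3> ikev1|ikev2 <NAME>
            cur["peers"].append((int(tok[1]), tok[2], tok[3]))
        elif tok[0] == "pfs":
            cur["pfs"] = int(tok[1])
        elif tok[0] == "transform-set":
            cur["transform_sets"] = tok[1:]
        elif tok[0] == "remote-type":
            cur["remote_type"] = tok[1]
        elif tok[:3] == ["security-association", "lifetime", "kilobytes"]:
            cur["lifetime_kb"] = int(tok[3])
        elif tok[:3] == ["security-association", "lifetime", "seconds"]:
            cur["lifetime_s"] = int(tok[3])
        elif tok[:2] == ["security-association", "inactivity-timeout"]:
            cur["inactivity_timeout"] = int(tok[2])
    return maps


def audit(cmap):
    """Return review findings for one parsed ipsec-isakmp crypto map."""
    findings = []
    if cmap["pfs"] is None:
        findings.append("pfs not set: no fresh Diffie-Hellman exchange for IPSec SA rekeys")
    elif cmap["pfs"] in (2, 5):
        findings.append("pfs %d is a sub-2048-bit MODP group; prefer 14" % cmap["pfs"])
    if not cmap["peers"]:
        findings.append("no peer configured")
    if not cmap["transform_sets"]:
        findings.append("no transform-set applied")
    if cmap["acl"] is None:
        findings.append("no ip-access-list: nothing selects the traffic the tunnel carries")
    if cmap["lifetime_kb"] is None and cmap["lifetime_s"] is None:
        findings.append("no security-association lifetime: SA never rekeys on volume or time")
    if cmap["dynamic"] and cmap["remote_type"] == "none" \
            and any(p[1] == "ikev1" for p in cmap["peers"]):
        findings.append("remote-type none with an IKEv1 peer: XAuth user authentication disabled")
    return findings


def sa_expiry_reason(cmap, kilobytes, age_s, idle_s):
    """Why an SA with these counters has ended, or None while it is still valid."""
    if cmap["lifetime_kb"] is not None and kilobytes >= cmap["lifetime_kb"]:
        return "lifetime kilobytes"
    if cmap["lifetime_s"] is not None and age_s >= cmap["lifetime_s"]:
        return "lifetime seconds"
    if idle_s >= cmap["inactivity_timeout"]:
        return "inactivity-timeout"
    return None


if __name__ == "__main__":
    for cmap in parse_crypto_maps(SAMPLE_SHOW_CONTEXT):
        print("crypto map %s %d:" % (cmap["tag"], cmap["index"]))
        for finding in audit(cmap) or ["no findings"]:
            print("  -", finding)
```

The defaults encoded (inactivity timeout 900 seconds, remote-type xauth, PFS and lifetimes disabled when absent) are the ones the guide states for these commands. Groups 2 and 5 are flagged because the guide lists them as 1024-bit and 1536-bit MODP groups, smaller than the 2048-bit group 14; the remote-type check only fires for IKEv1 peers because the guide notes XAuth applies to IKEv1 only.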
7.1.17.5.11 no
crypto-map auto-vpn-tunnel/remote-vpn-client instance

Removes or reverts the auto site-to-site VPN tunnel or remote VPN client settings

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [ip|local-endpoint-ip|modeconfig|peer|pfs|remote-type|security-association|transform-set|use]

Parameters

no <PARAMETERS>

no <PARAMETERS>
  Removes or resets these auto site-to-site/remote VPN settings based on the parameters passed

Example

The following example shows the IPSec site-to-site VPN tunnel test settings before the no commands are executed:
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 use ip-access-list test
 security-association level perhost
 peer 1 ikev2 ikev2Peer1
 local-endpoint-ip 192.168.13.10
 pfs 5
 security-association lifetime kilobytes 250000
 security-association inactivity-timeout 200
 transform-set AutVPN
 ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no use ip-access-list
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no security-association level perhost
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no ip nat crypto
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no pfs
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#no local-endpoint-ip

The following example shows the IPSec site-to-site VPN tunnel test settings after the no commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#show context
crypto map test 1 ipsec-isakmp
 peer 1 ikev2 ikev2Peer1
 security-association lifetime kilobytes 250000
 security-association inactivity-timeout 200
 transform-set AutoVPN
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#1)#
The following example shows the IPSec remote VPN client test settings before the no commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 use ip-access-list test2
 peer 1 ikev1 RemoteIKEv1Peer1
 local-endpoint-ip 157.235.204.62
 pfs 14
 security-association lifetime seconds 10000
 transform-set RemoteVPN
 remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no use ip-access-list
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no peer 1
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#no transform-set

The following example shows the IPSec remote VPN client test settings after the no commands are executed:

rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#show context
crypto map test 2 ipsec-isakmp dynamic
 local-endpoint-ip 157.235.204.62
 pfs 14
 security-association lifetime seconds 10000
 remote-type none
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#2)#
7.1.17.5.12 crypto-map-ipsec-manual-instance
crypto-map-config-commands

To navigate to the IPSec manual VPN tunnel configuration instance, use the following command:

In the device-config mode:
<DEVICE>(config-device-<DEVICE-MAC>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-manual

In the profile-config mode:
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto map <CRYPTO-MAP-TAG> <1-1000> ipsec-manual

rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto map test 3 ipsec-manual
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#3)#?
Manual Crypto Map Configuration commands:
  local-endpoint-ip     Use this IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)
  mode                  Set the tunnel mode
  no                    Negate a command or set its defaults
  peer                  Set peer
  security-association  Set security association parameters
  session-key           Set security session key parameters
  use                   Set setting to use

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal
rfs4000-229D58(config-device-00-23-68-22-9D-58-cryptomap-test#3)#
The following table summarizes IPSec manual VPN tunnel configuration mode commands:

local-endpoint-ip
  Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)
  Reference: page 7-128
mode
  Sets the tunnel mode
  Reference: page 7-129
peer
  Sets the peer device's IP address
  Reference: page 7-130
security-association
  Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by a crypto map
  Reference: page 7-131
session-key
  Defines encryption and authentication keys for a crypto map
  Reference: page 7-132
use
  Uses the configured IP access list
  Reference: page 7-134
no
  Removes or reverts crypto map IPSec manual settings
  Reference: page 7-135

7.1.17.5.13 local-endpoint-ip
crypto-map-ipsec-manual-instance

Uses the configured IP as local tunnel endpoint address, instead of the interface IP (Advanced Configuration)

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
local-endpoint-ip <IP>

Parameters
local-endpoint-ip <IP>   Uses the configured IP as the local tunnel's endpoint address
  <IP>                   Specify the IP address. The specified IP address must be available on the interface.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#local-endpoint-ip 172.16.10.3

7.1.17.5.14 mode
crypto-map-ipsec-manual-instance
Sets the crypto map tunnel mode
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mode [transport|tunnel]

Parameters
mode [transport|tunnel]   Sets the mode of the tunnel for this crypto map
  transport               Initiates transport mode
  tunnel                  Initiates tunnel mode (default setting)

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#mode transport
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  mode transport
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.5.15 peer
crypto-map-ipsec-manual-instance
Sets the peer device's IP address. This can be set for multiple remote peers. The remote peer can be an IP address.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
peer <IP>

Parameters
peer <IP>   Enter the peer device's IP address. If not configured, the crypto map responds to any peer.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#peer 172.16.10.12
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  peer 172.16.10.12
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.5.16 security-association
crypto-map-ipsec-manual-instance
Defines the lifetime (in kilobytes and/or seconds) of IPSec SAs created by this crypto map
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
security-association lifetime [kilobytes <500-2147483646>|seconds <120-86400>]

Parameters
lifetime [kilobytes <500-2147483646>|seconds <120-86400>]   Values can be entered in both kilobytes and seconds. Whichever limit is reached first ends the security association.
  kilobytes <500-2147483646>   Defines volume based key duration. Specify a value from 500 - 2147483646 bytes.
  seconds <120-86400>          Defines time based key duration. Specify the time frame from 120 - 86400 seconds.

NOTE: This command is not applicable to the ipsec-manual crypto map.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#security-association lifetime seconds 123
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#show context
Command not applicable to this crypto map
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map2#2)#
7.1.17.5.17 session-key
crypto-map-ipsec-manual-instance
Defines encryption and authentication keys for this crypto map
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
session-key [inbound|outbound] [ah|esp] <256-4294967295>
session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] <WORD>
session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]] <WORD> authenticator [md5|sha] <WORD>

Parameters
session-key [inbound|outbound] ah <256-4294967295> [0|2|authenticator [md5|sha]] <WORD>

session-key [inbound|outbound]          Defines the manual inbound and outbound security association key parameters
ah <256-4294967295>                     Configures authentication header (AH) as the security protocol for the security session
  <256-4294967295>                      Sets the SPI for the security association from 256 - 4294967295. The SPI (in combination with the destination IP address and security protocol) identifies the security association.
[0|2|authenticator [md5|sha] <WORD>]    Specifies the key type
  0                                     Sets a clear text key
  2                                     Sets an encrypted key
  authenticator                         Sets AH authenticator details
    md5 <WORD>                          AH with MD5 authentication
    sha <WORD>                          AH with SHA authentication
  <WORD>                                Sets the security association key value. The following key lengths (in hex characters) are required (without leading 0x): AH-MD5: 32, AH-SHA: 40

session-key [inbound|outbound] esp <256-4294967295> [0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]] <WORD> authenticator [md5|sha] <WORD>

session-key [inbound|outbound]          Defines the manual inbound and outbound security association key parameters
esp <256-4294967295>                    Configures Encapsulating Security Payload (ESP) as the security protocol for the security session. This is the default setting.
  <256-4294967295>                      Sets the SPI for the security association from 256 - 4294967295. The SPI (in combination with the destination IP address and security protocol) identifies the security association.
[0|2|cipher [3des|aes|aes-192|aes-256|des|esp-null]]
  0                                     Sets a clear text key
  2                                     Sets an encrypted key
  cipher                                Sets encryption/decryption key details
    3des                                ESP with 3DES encryption
    aes                                 ESP with AES encryption
    aes-192                             ESP with AES-192 encryption
    aes-256                             ESP with AES-256 encryption
    des                                 ESP with DES encryption
    esp-null                            ESP with no encryption
  authenticator                         Specify ESP authenticator details
    md5 <WORD>                          ESP with MD5 authentication
    sha <WORD>                          ESP with SHA authentication
  <WORD>                                Sets the security association key value. The following key lengths (in hex characters) are required (without leading 0x): AH-MD5: 32, AH-SHA: 40

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#session-key inbound esp 273 cipher esp-null authenticator sha 58768979
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  peer 172.16.10.2
  mode transport
  session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.5.18 use
crypto-map-ipsec-manual-instance
Associates an existing IP access list with this crypto map. The ACL protects the VPN traffic.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use ip-access-list <IP-ACCESS-LIST-NAME>

Parameters
ip-access-list <IP-ACCESS-LIST-NAME>   Specify the IP access list name.

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#use ip-access-list test
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  use ip-access-list test
  peer 172.16.10.12
  mode transport
  session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
7.1.17.5.19 no
crypto-map-ipsec-manual-instance
Removes or resets this crypto map's settings
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [local-endpoint-ip|mode|peer|security-association|session-key|use]

Parameters
no <PARAMETERS>   Removes or resets this crypto map's settings based on the parameters passed

Example
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  use ip-access-list test
  peer 172.16.10.12
  mode transport
  session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no use ip-access-list
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no peer
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#no mode
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#show context
 crypto map map1 1 ipsec-manual
  session-key inbound esp 273 0 cipher esp-null authenticator sha 58768979
rfs6000-37FABE(config-profile-default-rfs6000-cryptomap-map1#1)#
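The following audit script is an added example, not code from the guide or from the WiNG devices: it parses a constructed "show context" crypto map block and reports the conditions the ipsec-manual command sections above describe (no peer means the map responds to any peer, no ip-access-list means no ACL selects the protected traffic, key type 0 keeps the key in clear text, esp-null sends authenticated but unencrypted traffic, SPIs must lie in 256-4294967295, and MD5/SHA authenticator keys must be 32/40 hex characters). The DES, 3DES and MD5 weak-algorithm flags and the sample configuration are the editor's, not the guide's.

```python
"""Audit one WiNG ipsec-manual crypto map as printed by 'show context'."""
import re

SPI_MIN, SPI_MAX = 256, 4294967295
# Required authenticator key lengths in hex characters, as the guide states
# them (AH-MD5: 32, AH-SHA: 40); the same table is given for ESP authenticators.
AUTH_KEY_HEX_LEN = {"md5": 32, "sha": 40}
WEAK_CIPHERS = {"des", "3des"}   # editor's assessment, not a statement of the guide
WEAK_AUTHENTICATORS = {"md5"}    # editor's assessment, not a statement of the guide

# Constructed sample modelled on the guide's 'show context' output. The
# outbound entry uses key type 2 (encrypted key), so its stored key values
# are opaque placeholders rather than hex strings.
SAMPLE_CONTEXT = """\
crypto map map1 1 ipsec-manual
 mode transport
 session-key inbound esp 273 0 cipher esp-null authenticator sha 5876897
 session-key outbound esp 274 2 cipher aes-256 ENCBLOB1 authenticator sha ENCBLOB2
"""

SESSION_KEY_RE = re.compile(
    r"session-key (?P<dir>inbound|outbound) (?P<proto>ah|esp) (?P<spi>\d+)"
    r"(?: (?P<ktype>[02]))?"
    r"(?: cipher (?P<cipher>\S+)(?: (?P<ckey>\S+))?)?"
    r"(?: authenticator (?P<auth>md5|sha) (?P<akey>\S+))?$"
)


def parse_crypto_map(text):
    """Parse one ipsec-manual crypto map block into a dict.

    mode defaults to tunnel, and a missing key type is recorded as 0, which is
    what the guide's show context examples display when none was typed.
    """
    cm = {"name": None, "seq": None, "mode": "tunnel", "peer": None,
          "acl": None, "local_endpoint": None, "keys": []}
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"crypto map (\S+) (\d+) ipsec-manual$", line)
        if head:
            cm["name"], cm["seq"] = head.group(1), int(head.group(2))
        elif line.startswith("mode "):
            cm["mode"] = line.split()[1]
        elif line.startswith("peer "):
            cm["peer"] = line.split()[1]
        elif line.startswith("use ip-access-list "):
            cm["acl"] = line.split()[2]
        elif line.startswith("local-endpoint-ip "):
            cm["local_endpoint"] = line.split()[1]
        elif line.startswith("session-key "):
            m = SESSION_KEY_RE.match(line)
            if not m:
                raise ValueError(f"unparsable session-key line: {line}")
            key = m.groupdict()
            key["spi"] = int(key["spi"])
            key["ktype"] = key["ktype"] or "0"
            cm["keys"].append(key)
    return cm


def audit_crypto_map(cm):
    """Return a list of findings for a parsed crypto map (empty = clean)."""
    findings = []
    if cm["peer"] is None:
        findings.append("no peer: the map responds to any peer")
    if cm["acl"] is None:
        findings.append("no ip-access-list: no ACL selects the protected traffic")
    present = {k["dir"] for k in cm["keys"]}
    for direction in ("inbound", "outbound"):
        if direction not in present:
            findings.append(f"no {direction} session-key")
    for k in cm["keys"]:
        tag = f"{k['dir']} spi {k['spi']}"
        if not SPI_MIN <= k["spi"] <= SPI_MAX:
            findings.append(f"{tag}: SPI outside {SPI_MIN}-{SPI_MAX}")
        if k["ktype"] == "0":
            findings.append(f"{tag}: key type 0, key kept in clear text in the configuration")
        if k["proto"] == "esp":
            if k["cipher"] is None:
                findings.append(f"{tag}: esp without a cipher")
            elif k["cipher"] == "esp-null":
                findings.append(f"{tag}: esp-null, traffic is authenticated but not encrypted")
            elif k["cipher"] in WEAK_CIPHERS:
                findings.append(f"{tag}: weak cipher {k['cipher']}")
        if k["auth"] is None:
            findings.append(f"{tag}: no authenticator, packets are not integrity-protected")
        else:
            if k["auth"] in WEAK_AUTHENTICATORS:
                findings.append(f"{tag}: weak authenticator {k['auth']}")
            want = AUTH_KEY_HEX_LEN[k["auth"]]
            # The length rule applies to clear-text (type 0) keys only; a
            # type 2 key is displayed in its encrypted form.
            if k["ktype"] == "0" and not re.fullmatch(r"[0-9a-fA-F]{%d}" % want, k["akey"]):
                findings.append(f"{tag}: {k['auth']} key must be {want} hex characters, "
                                f"got {len(k['akey'])}")
    return findings


def audit_text(text):
    """Convenience wrapper: parse and audit a show context block."""
    return audit_crypto_map(parse_crypto_map(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONTEXT):
        print("FINDING:", finding)
```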
7.1.17.6 crypto-remote-vpn-client commands
crypto
This section documents the IKEv2 remote VPN client configuration settings. Use this command to define the server resources used to secure (authenticate) a remote VPN connection with a target peer.

Use the profile-config instance to configure remote VPN client settings. To navigate to the remote-vpn-client configuration instance, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#crypto remote-vpn-client
<DEVICE>(config-profile-<PROFILE-NAME>-crypto-ikev2-remote-vpn-client)#

NOTE: To configure remote VPN client settings on a device, in the device's configuration mode, use the crypto > remote-vpn-client command. For example:
rfs4000-229D58(config-device-00-23-68-22-9D-58)#crypto remote-vpn-client

NOTE: The following configuration enables an access point to adopt to a controller over the remote VPN link:
On a profile:
rfs4000-229D58(config-profile-testRFS4000)#controller host <HOST-IP> remote-vpn-client
On a device:
rfs4000-229D58(config-00-23-68-22-9D-58)#controller host <HOST-IP> remote-vpn-client

rfs4000-229D58(config)#profile rfs4000 testRFS4000
rfs4000-229D58(config-profile-testRFS4000)#crypto remote-vpn-client
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#?
Crypto IKEV2 Remote Vpn Client Config commands:
  dhcp-peer      Configure parameters for peers received via DHCP option
  no             Negate a command or set its defaults
  peer           Add a remote peer
  shutdown       Disable remote vpn client
  transform-set  Specify IPSec transform to use

  clrscr         Clears the display screen
  commit         Commit all changes made in this session
  do             Run commands from Exec mode
  end            End current mode and change to EXEC mode
  exit           End current mode and down to previous mode
  help           Description of the interactive help system
  revert         Revert changes
  service        Service Commands
  show           Show running system information
  write          Write running configuration to memory or terminal

rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
The following table summarizes crypto remote VPN client configuration mode commands:

Command         Description                                                              Reference
dhcp-peer       Configures the DHCP peer's local ID and authentication settings         page 7-138
peer            Adds a remote IKEv2 peer                                                 page 7-139
shutdown        Disables the remote VPN client                                           page 7-140
transform-set   Associates an existing IPSec transform set with this remote VPN client   page 7-141
no              Removes the remote VPN client settings                                   page 7-142

7.1.17.6.1 dhcp-peer
crypto-remote-vpn-client commands
Configures the DHCP peer's local ID and authentication settings
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-peer [authentication|localid]
dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]
dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]

Parameters
dhcp-peer authentication [psk [0 <WORD>|2 <WORD>|<WORD>]|rsa]

dhcp-peer authentication psk [0 <WORD>|2 <WORD>|<WORD>]   Configures the DHCP peer's authentication type as PSK
  0 <WORD>   Configures a clear text authentication key
  2 <WORD>   Configures an encrypted authentication key
  <WORD>     Provide an 8 - 21 character shared key password for DHCP peer authentication
dhcp-peer authentication rsa   Configures the DHCP peer's authentication type as RSA. This is the default setting.

dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]

dhcp-peer localid [autogen-uniqueid <WORD>|string <WORD>]   Configures the DHCP peer's localid using one of the following options:
  autogen-uniqueid   Generates a localid using the device's unique identity. The system prefixes the device's unique identity to the string provided here. The device's unique identity should be existing and configured. For more information on configuring a device's unique identity, see autogen-uniqueid.
    <WORD>           Provide the string.
  string             Uses the value provided here as the DHCP peer's localid.
    <WORD>           Provide the string.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#dhcp-peer authentication psk 0 @123testing
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  dhcp-peer authentication psk 0 @123testing
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.2 peer
crypto-remote-vpn-client commands
Configures IKEv2 peers and assigns them priorities for utilization with remote VPN client connections. A maximum of three (3) peers can be added to support redundancy.
IKEv2 uses an initial handshake in which VPN peers negotiate cryptographic algorithms, mutually authenticate, and establish a session key, creating an IKE-SA. Additionally, a first IPSec SA is established during the initial SA creation. All IKEv2 messages are request/response pairs. It is the responsibility of the side sending the request to retransmit if it does not receive a timely response.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
peer <1-3> ikev2 <IKEV2-PEER-NAME>

Parameters
peer <1-3>                Adds an IKEv2 peer. You can add a maximum of three (3) peers to achieve redundancy.
  <1-3>                   Specify a priority level for the peer from 1 - 3 (1 = primary, 2 = secondary, and 3 = redundant).
ikev2 <IKEV2-PEER-NAME>   Specify the IKEv2 peer's name. Note: The peer should be existing and configured. To configure an IKEv2 peer, use the crypto > ikev2 > peer > <IKEv2-PEER-NAME> command.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 1 ikev2 ikev2Peer1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#peer 2 ikev2 ikev2Peer2
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  peer 1 ikev2 ikev2Peer1
  peer 2 ikev2 ikev2Peer2
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.3 shutdown
crypto-remote-vpn-client commands
Disables remote-vpn-client on this profile or device. The remote VPN client feature is enabled by default. To enable a disabled remote VPN client, execute the no > shutdown command.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
shutdown

Parameters
None

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#shutdown
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.4 transform-set
crypto-remote-vpn-client commands
Specifies the IPSec transform set to use with this remote VPN client. A transform set is a combination of security protocols, algorithms, and other settings applied to IPSec protected client traffic.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}

Parameters
transform-set <IPSEC-XFORM-TAG> {<IPSEC-XFORM-TAG>}   Associates an IPSec transform set (should be existing and configured) with this remote VPN client. You can optionally associate more than one transform set with this remote VPN client configuration. List the transform set tags separated by a space.
Note: To configure a transform-set, use the crypto > ipsec > transform-set command in the profile or device configuration mode.

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#transform-set TransformSet1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  peer 1 ikev2 ikev2Peer1
  transform-set TransformSet1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.17.6.5 no
crypto-remote-vpn-client commands
Removes the remote VPN client settings
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [dhcp-peer|peer <1-3>|shutdown|transform-set]
no dhcp-peer [authentication|localid]
no peer <1-3>
no shutdown
no transform-set

Parameters
no <PARAMETERS>   Removes or resets this remote VPN client's settings based on the parameters passed

Example
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
  peer 1 ikev2 peer5
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#no peer 1
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#show context
 crypto remote-vpn-client
rfs4000-229D58(config-profile-testRFS4000-crypto-ikev2-remote-vpn-client)#
7.1.18 database
Profile Config Commands
Backs up the captive-portal and/or NSight database to a specified location and file. When applied to devices, this profile enables the backup of the specified database. This command also enables you to configure a low-disk-space threshold value. These parameters can also be configured in the device configuration context of an NX95XX series service platform.
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000

Syntax
database [backup|low-disk-space-threshold]
database backup database [captive-portal|nsight] <URL>
database low-disk-space-threshold <10-50>

Parameters
database backup database [captive-portal|nsight] <URL>

database backup database [captive-portal|nsight] <URL>   Backs up the captive portal and/or NSight database to a specified location and file. Select the database to back up.
  database           Selects the database to back up
    captive-portal   Backs up the captive portal database
    nsight           Backs up the NSight database
  <URL>              After specifying the database type, configure the destination location and file name. The database is backed up at the specified location. Specify the location URL in one of the following formats:
                     ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
                     sftp://<user>:<passwd>@<hostname|IP>[:port]/path/file.tar.gz
                     tftp://<hostname|IP>[:port]/path

database low-disk-space-threshold <10-50>

database low-disk-space-threshold <10-50>   Configures the low disk space threshold for the syslog warning. Once the threshold value configured here is reached, a syslog warning is sent.
  <10-50>   Specify the threshold from 10 - 50. The default is 30.

Example
nx9500-6C8809(config-profile-testNX9500)#database backup database nsight ftp://anonymous:anonymous@192.168.13.10/backups/nsight/nsight.tar.gz

Related Commands
no   Removes database backup configurations

7.1.19 device-onboard
Profile Config Commands
Configures the logo image file name and title displayed on the EGuest device-onboarding portal. The EGuest UI can be accessed only by vendor-admin users.
NOTE: Vendor admin users are configured in the Management policy context. For more information, see user.
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000

Syntax
device-onboard [logo|title] <WORD>

Parameters
device-onboard [logo|title] <WORD>   Configures the logo and page title displayed on the device-onboarding portal
  logo    Specify the logo image file name. Note, the logo image dimensions must not exceed 109 pixels in width and 52 pixels in height.
  title   Specify the UI portal title. Note, the title should not exceed 32 characters in length.
  The following keyword is common to both of the above parameters:
  <WORD>  Specify the logo image file name/page title.

Example
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#device-onboard logo extremenetworks.png
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#device-onboard title EXTREME NETWORKS ONBOARDING UI
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#show context include-factory | include device-onboard
device-onboard title EXTREME NETWORKS ONBOARDING UI
device-onboard logo extremenetworks.png
Split-EG-Server(config-device-00-0C-29-09-3C-CC)#

The following example shows a Management Policy vendor-admin user configuration:
EC-NOC(config-management-policy-EGuest)#show context include-factory | include user
user onboard-user password 1 1d5e9d60425bde727261b66b5e7eb0236058e7aae45225961ce7b872ea238240 role vendor-admin group Samsung,Philips,Nest1,Orbit1
EC-NOC(config-management-policy-EGuest)#

Related Commands
no   Removes the device-onboarding UI portal's logo image file name and title configuration

7.1.20 device-upgrade
Profile Config Commands
Configures device firmware upgrade settings on this profile.
Administrators can customize profiles with unique device configuration file and firmware upgrade support. In a clustered environment, operations performed on one device are propagated to each member of the cluster and then onwards to devices managed by each cluster member. The number of concurrent device upgrades and their start times can be customized to ensure a sufficient number of devices remain in duty while upgrades are administered to others.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
device-upgrade [add-auto|auto|count|persist-images]
device-upgrade add-auto [(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)]
device-upgrade auto {(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)}
device-upgrade count <1-128>
device-upgrade persist-images

Parameters
The device-upgrade command configures parameters for automatic firmware upgrade of adopted devices. Use this command to select the device types and the maximum number of concurrent upgrades.

device-upgrade add-auto [(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)]

device-upgrade add-auto [<DEVICE-TYPE>]   Configures a list of device types for automatic firmware upgrade. This command specifies the types of devices that can be automatically upgraded (if enabled). To enable automatic device firmware upgrade, use the auto command. When enabled, access points, wireless controllers, and service platforms using this profile automatically upgrade firmware on adopted devices that match the specified device types.
  <DEVICE-TYPE>   Specifies the type of devices to be upgraded. Select the device type. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000.
  Note: Multiple device types can be added to the add-auto list.

device-upgrade auto {(ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx75xx|nx9000|nx9600)}

device-upgrade auto <DEVICE-TYPE>   Enables automatic firmware upgrade on specified device types. When used along with the add-auto command, the auto command allows access points, wireless controllers, and service platforms to automatically upgrade firmware on adopted devices matching the specified device types.
  <DEVICE-TYPE>   Optional. Specifies the type of device to be lined up for automatic firmware upgrade. The options are: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, NX9600, VX9000.
  Note: Multiple device types can be added to the auto list.

device-upgrade count <1-128>

device-upgrade count <1-128>   Configures the maximum number of concurrent upgrades possible
  <1-128>   Specify a value from 1 - 128. The default is 10.

device-upgrade persist-images

device-upgrade persist-images   Enables the RF Domain manager to retain the AP firmware image after upgrade, subject to availability of space. This option is enabled by default. This option is enabled for all controller and service platform RF Domain managers with the flash memory capacity to store firmware images for the selected access point models they provision. This feature is disabled for access point RF Domain managers that do not typically have the flash memory capacity needed.

Example
rfs4000-229D58(config-profile-default-rfs4000)#device-upgrade auto ap71xx
rfs4000-229D58(config-profile-default-rfs4000)#show context
profile rfs4000 default-rfs4000
 autoinstall configuration
 autoinstall firmware
 device-upgrade auto ap71xx
 device-upgrade persist-ap-image
 crypto ikev1 policy ikev1-default
 qos trust 802.1p
--More--
rfs4000-229D58(config-profile-default-rfs4000)#

Related Commands
no                               Removes device firmware upgrade settings on this profile
device-upgrade (show commands)   Displays device upgrade details

7.1.21 diag
Profile Config Commands
Enables looped packet logging. When enabled, devices using this profile start logging looped packets to a separate queue. This option is disabled by default. Looped packet logging can also be enabled in the device configuration context.
NOTE: To view logged looped packets, execute the service > show > diag > pkts command. For more information, see service.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
diag pkts

Parameters
diag pkts   Enables looped packet logging

Example
nx9500-6C8809(config-profile-default-nx75xx)#diag pkts
nx9500-6C8809(config-profile-default-nx75xx)#show context include-factory | include diag
diag pkts
nx9500-6C8809(config-profile-default-nx75xx)#

Related Commands
no   Disables looped packet logging

7.1.22 dot1x
Profile Config Commands
Configures 802.1x standard authentication controls.
Dot1x (or 802.1x) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. A dot1x-enabled port can be dynamically enabled or disabled depending on user identity or device connection.
Devices supporting dot1x allow automatic provisioning and connection to the wireless network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to manually log in.
Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.
Dot1x authentication capabilities are supported on the following platforms:
Supported in the following platforms:
Access Points AP6511, AP6521, AP6522, AP6562, AP7161, AP7502, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432 Wireless Controllers RFS4000, RFS6000, NX5500, NX7500 Dot1x supplicant capabilities is supported on the following platforms:
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, NX5500, NX7500 Syntax dot1x [guest-vlan|holdtime|system-auth-control|use]
dot1x holdtime <0-600>
dot1x system-auth-control dot1x guest-vlan supplicant dot1x use aaa-policy <AAA-POLICY-NAME>
Parameters
  dot1x system-auth-control
    system-auth-control    Enables system auth control. Enables dot1x authorization globally for the controller. This feature is disabled by default.

  dot1x holdtime <0-600>
    holdtime <0-600>    Configures a holdtime value. This is the interval after which an authentication attempt is ignored or failed.
      <0-600>    Specify a value from 0 - 600 seconds. A value of 0 indicates no holdtime. The default is 600 seconds (10 minutes). Adding a hold time at startup allows time for the network to converge before receiving or transmitting 802.1x authentication packets.

  dot1x guest-vlan supplicant
    guest-vlan supplicant    Configures guest VLAN and supplicant behavior. This feature is disabled by default. Allows an 802.1x capable supplicant to enter the guest VLAN. When enabled, this is the VLAN that the supplicant's traffic is bridged on.

  dot1x use aaa-policy <AAA-POLICY-NAME>
    use aaa-policy <AAA-POLICY-NAME>    Associates a specified 802.1x AAA policy (for MAC authentication) with this access point profile
      <AAA-POLICY-NAME>    Specify the AAA policy name. Once specified, this AAA policy is utilized for authenticating user requests.

Example
nx9500-6C8809(config-profile-test-nx5500)#dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#dot1x system-auth-control
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto load-management
 crypto remote-vpn-client
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface ge6
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
 router ospf
 router bgp
 dot1x system-auth-control
 dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#
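The port behaviour the dot1x section describes (blocked until authenticated, then source MAC filtered, with a startup holdtime) can be modelled in a few lines. The following is an added example written for this page, not WiNG code; the AAA verdict is passed in as a boolean, the MAC addresses and timestamps are constructed, and reading holdtime as "seconds after startup during which 802.1x packets are ignored" is this example's own assumption.

```python
"""Simplified model of the 802.1X port behaviour described in the dot1x section.

Added example, not WiNG code. A controlled port starts blocked, ignores
authentication attempts while the startup holdtime runs, and after a successful
authentication forwards frames only from the authenticated source MAC (the
source MAC filtering the manual mentions). Reading holdtime as "seconds after
startup during which 802.1x packets are ignored" is this example's assumption.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Dot1xPort:
    """One 802.1X controlled port on a controller or access point."""
    holdtime: int = 600          # seconds; 0 disables the holdtime (manual default 600)
    started_at: float = 0.0      # time at which the device booted
    authenticated_mac: Optional[str] = None
    log: list = field(default_factory=list)

    def in_holdtime(self, now: float) -> bool:
        """True while the network is still assumed to be converging after startup."""
        return self.holdtime > 0 and (now - self.started_at) < self.holdtime

    def authenticate(self, mac: str, aaa_accepts: bool, now: float) -> bool:
        """Handle one authentication attempt from mac.

        aaa_accepts stands in for the verdict of the configured AAA policy
        (accept or reject); this model does not speak RADIUS itself.
        """
        mac = mac.lower()
        if self.in_holdtime(now):
            self.log.append(f"{mac}: attempt ignored during holdtime")
            return False
        if not aaa_accepts:
            self.log.append(f"{mac}: rejected by AAA policy")
            return False
        self.authenticated_mac = mac
        self.log.append(f"{mac}: authenticated, traffic allowed")
        return True

    def forward(self, src_mac: str) -> bool:
        """Source MAC filter: only the authenticated endpoint may send."""
        return self.authenticated_mac is not None and src_mac.lower() == self.authenticated_mac


def demo() -> dict:
    """Walk one port through the states the manual describes; returns each verdict."""
    port = Dot1xPort(holdtime=30, started_at=1000.0)   # constructed values
    client, other = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    results = {}
    results["before_auth"] = port.forward(client)                         # unknown endpoint: blocked
    results["during_holdtime"] = port.authenticate(client, True, 1010.0)  # 10 s after boot: ignored
    results["after_holdtime"] = port.authenticate(client, True, 1040.0)   # 40 s after boot: accepted
    results["authed_traffic"] = port.forward(client)                      # known endpoint: allowed
    results["other_mac"] = port.forward(other)                            # any other source MAC: blocked
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The last verdict is the one that matters operationally: once a supplicant is authenticated, frames arriving on the same port from any other source MAC are still dropped, which is what prevents an unauthenticated device from riding on an authenticated neighbour's port.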
Related Commands
  no    Disables or reverts settings to their default

7.1.23 dpi
Profile Config Commands

Enables Deep Packet Inspection (DPI) on this profile. DPI is an advanced packet analysis technique that analyzes packet headers and packet content to determine the nature of network traffic. When enabled, DPI inspects packets of all flows to identify applications (such as Netflix, Twitter, Facebook, etc.) and extract metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

This command is also available in the device configuration mode.

Supported in the following platforms:
  Access Points      AP7522, AP7532, AP7602, AP7612, AP7622, AP7632, AP7662
  Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  dpi {custom-app|logging|metadata}
  dpi {custom-app <CUSTOM-APP-NAME>}
  dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on]}
  dpi {metadata [http|ssl|tcp-rtt|voice-video]}
  dpi {metadata [http|ssl|voice-video]}
  dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}
Parameters
  dpi {custom-app <CUSTOM-APP-NAME>}
    dpi    Enables DPI on this profile/device context and configures DPI settings. When enabled, all flow traffic is subjected to DPI for detection of applications, application categories, custom applications, and metadata extraction.
    custom-app <CUSTOM-APP-NAME>    Optional. Adds a custom application to this profile
      <CUSTOM-APP-NAME>    Specify the custom application name (should be existing and configured). If no custom application is specified, the system detects the PACE built-in applications.
      Note: For more information on application categories and application detection, see application.

  dpi {logging [level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]|on]}
    dpi    Enables DPI on this profile/device context and configures DPI settings (as described above)
    logging    Optional. Enables DPI logging and sets the logging level
      level    Configures the DPI logging level. Use one of the following options to specify the logging level:
        <0-7>          Logging severity level
        alerts         Immediate action needed (1)
        critical       Critical conditions (2)
        debugging      Debugging messages (7)
        emergencies    System is unusable (0)
        errors         Error conditions (3)
        informational  Informational messages (6)
        notifications  Normal but significant conditions (5). Default setting
        warnings       Warning conditions (4)
        Either specify the logging level index (from 0 - 7) or the description. For example, to log all alerts either enter 1 or alerts.
      on    Enables application detection event logging. DPI logging is disabled by default.

  dpi {metadata [http|ssl|voice-video]}
    dpi    Enables DPI on this profile/device context and configures DPI settings (as described above)
    metadata [http|ssl|voice-video]    Optional. Enables metadata extraction from the following flows:
      http         HTTP flows. This option is disabled by default.
      ssl          SSL flows. This option is disabled by default.
      voice-video  Voice and video classified flows. This option is disabled by default.

  dpi {metadata tcp-rtt {app-group <APPLICATION-GROUP-NAME>}}
    dpi    Enables DPI on this profile/device context and configures DPI settings (as described above)
    metadata tcp-rtt    Optional. Enables Transmission Control Protocol - Round Trip Time (TCP-RTT) metadata collection for application groups. Before executing this command, ensure that you have created at least one application group. Enable this option in the profile/device contexts of the AP7522, AP7532, AP7562, AP8432, AP8533 access point models, as only these APs support TCP-RTT metadata collection.
      app-group <APPLICATION-GROUP-NAME>    Optional. Specifies the customized application-group name containing the applications for which TCP-RTT is to be collected
        <APPLICATION-GROUP-NAME>    Specify the app-group name (should be existing and configured). If not specified, the system collects TCP-RTT metadata for all the customized app-groups created. You can enable TCP-RTT metadata collection on eight (8) application groups at a time. For more information on creating customized application-groups, see application-group.
      The TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server and database are up and NSight analytics data collection is enabled.

Example
nx9500-6C8809(config-profile-testNX9500)#dpi logging on
nx9500-6C8809(config-profile-testNX9500)#dpi logging level 7
nx9500-6C8809(config-profile-testNX9500)#show context
profile nx9000 testNX9500
 bridge vlan 10
  ip igmp snooping
  ip igmp snooping querier
  ipv6 mld snooping
.........................................................
 router bgp
 dpi logging on
 dpi logging level debugging
nx9500-6C8809(config-profile-testNX9500)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#dpi metadata tcp-rtt app-group amazon

Related Commands
  no    Disables DPI (application assurance) on this profile

7.1.24 dscp-mapping
Profile Config Commands

Configures IP Differentiated Services Code Point (DSCP) to 802.1p priority mapping for untagged frames.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dscp-mapping <WORD> priority <0-7>
Parameters
  dscp-mapping <WORD> priority <0-7>
    <WORD>    Specifies the DSCP value of a received IP packet. This could be a single value or a list. For example, 10-20, 25, 30-35.
    priority <0-7>    Specifies the 802.1p priority to use for a packet if untagged. The priority is set on a scale of 0 - 7. The priority values are:
      0  Best effort
      1  Background
      2  Spare
      3  Excellent effort
      4  Controlled load
      5  Video
      6  Voice
      7  Network control
      Note: The specified 802.1p priority value is added as a 3-bit IP precedence value in the Type of Service (ToS) field of the IP header used to set the priority. Up to 64 entries are permitted.

Example
rfs7000-37FABE(config-profile-default-rfs7000)#dscp-mapping 20 priority 7
rfs7000-37FABE(config-profile-default-rfs7000)#show context
profile rfs7000 default-rfs7000
 dscp-mapping 20 priority 7
 no autoinstall configuration
 no autoinstall firmware
 crypto isakmp policy default
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 interface me1
 interface ge1
  ip dhcp trust
  qos trust dscp
rfs7000-37FABE(config-profile-default-rfs7000)#
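The <WORD> argument accepts the list syntax shown above ("10-20, 25, 30-35"), and the note explains that the chosen priority lands in the 3-bit IP precedence field of the ToS byte. The following added example, written for this page and not WiNG code, parses that list form with the documented bounds (DSCP 0-63, priority 0-7), builds the resulting DSCP to 802.1p table, renders it back into dscp-mapping lines, and shows the ToS rewrite the note describes. The ToS helper is this example's reading of the note, and all sample values are constructed.

```python
"""Parser and validator for the dscp-mapping <WORD> priority <0-7> form.

Added example, not WiNG code. Expands the DSCP list syntax the manual shows,
enforces the documented ranges, and builds the DSCP -> 802.1p table. The ToS
helpers reproduce the manual's note that the 802.1p priority is written as the
3-bit IP precedence value (this example's interpretation of that note).
"""
import re

PRIORITY_NAMES = {  # 802.1p priority values as listed in the manual
    0: "Best effort", 1: "Background", 2: "Spare", 3: "Excellent effort",
    4: "Controlled load", 5: "Video", 6: "Voice", 7: "Network control",
}
MAX_ENTRIES = 64  # "Up to 64 entries are permitted" (DSCP itself spans 0-63)


def parse_dscp_list(word: str) -> list:
    """Expand '10-20, 25, 30-35' into the sorted, de-duplicated DSCP values it covers."""
    values = set()
    for item in re.split(r"\s*,\s*", word.strip()):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item)
        if not m:
            raise ValueError(f"bad DSCP item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not (0 <= lo <= hi <= 63):
            raise ValueError(f"DSCP values must be 0-63 with ascending ranges: {item!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def is_valid_dscp_list(word: str) -> bool:
    """True if the CLI would accept this <WORD> argument."""
    try:
        parse_dscp_list(word)
        return True
    except ValueError:
        return False


def apply_mapping(table: dict, word: str, priority: int) -> dict:
    """Apply one dscp-mapping line to a copy of the table; later lines overwrite earlier ones."""
    if priority not in PRIORITY_NAMES:
        raise ValueError("priority must be 0-7")
    new = dict(table)
    for dscp in parse_dscp_list(word):
        new[dscp] = priority
    if len(new) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} DSCP entries")
    return new


def compress_ranges(values) -> str:
    """Inverse of parse_dscp_list: [10..20, 25, 30..35] -> '10-20,25,30-35'."""
    vals = sorted(set(values))
    parts, i = [], 0
    while i < len(vals):
        j = i
        while j + 1 < len(vals) and vals[j + 1] == vals[j] + 1:
            j += 1
        parts.append(str(vals[i]) if i == j else f"{vals[i]}-{vals[j]}")
        i = j + 1
    return ",".join(parts)


def render_config(table: dict) -> list:
    """Emit one dscp-mapping line per priority, the way the table would appear in show context."""
    by_priority = {}
    for dscp, prio in table.items():
        by_priority.setdefault(prio, []).append(dscp)
    return [f"dscp-mapping {compress_ranges(v)} priority {p}" for p, v in sorted(by_priority.items())]


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """ToS byte carrying a DSCP: DSCP occupies the top six bits, ECN the bottom two."""
    return (dscp << 2) | (ecn & 0x3)


def rewrite_precedence(tos: int, priority: int) -> int:
    """Overwrite the 3-bit IP precedence (top three ToS bits) with the 802.1p priority."""
    return (priority << 5) | (tos & 0x1F)


if __name__ == "__main__":
    table = apply_mapping({}, "20", 7)              # the manual's own example line
    table = apply_mapping(table, "10-12, 25", 5)    # constructed second line
    for line in render_config(table):
        print(line)
    print(hex(rewrite_precedence(tos_byte(20), table[20])))
```

With the manual's example (DSCP 20 mapped to priority 7), the ToS byte 0x50 for DSCP 20 becomes 0xF0 after the precedence rewrite, i.e. precedence 7 (network control) in the outer header while the lower ToS bits are left alone.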
Related Commands
  no    Disables or reverts settings to their default

7.1.25 eguest-server (VX9000 only)
Profile Config Commands

Enables the ExtremeGuest (EGuest) server.

The WiNG EGuest solution is an independently installable VM/server that provides integrated guest management and analytics. Use this command to enable the EGuest daemon on the EGuest server.

NOTE: EGuest being a licensed feature, ensure that the EGUEST-DEV license is applied on the EGuest server's self context. For more information, see license.

Supported in the following platforms:
  Service Platforms  VX9000

NOTE: For more information on configuring an EGuest captive-portal deployment, see configuring ExtremeGuest captive-portal.

Syntax
  eguest-server

Parameters
  eguest-server
    eguest-server    Execute this command, without the host option, on the EGuest server. When executed, the EGuest daemon is enabled on the host. The EGuest server can be hosted only on a VX9000 platform.

Example
On the EGuest server, execute the command without the host option to enable the EGuest daemon.
EG-Server(config-device-02-EE-1A-7E-AE-5B)#eguest-server
EG-Server(config-device-02-EE-1A-7E-AE-5B)#show context include-factory | include eguest-server
eguest-server
EG-Server(config-device-02-EE-1A-7E-AE-5B)#
Related Commands
  no    Disables the EGuest server by stopping the EGuest daemon

7.1.26 eguest-server (NOC Only)
Profile Config Commands

Points to the EGuest server when executed along with the host option.

The WiNG EGuest solution is an independently installable VM/server that provides integrated guest management and analytics. Use this command to enable the EGuest daemon on the EGuest server.

NOTE: EGuest being a licensed feature, ensure that the EGUEST-DEV license is applied on the EGuest server's self context. For more information, see license.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: For more information on configuring an EGuest captive-portal deployment, see configuring ExtremeGuest captive-portal.

Syntax
  eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}

Parameters
  eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}
    eguest-server <1-3> host <IPv4/IPv6/HOSTNAME> {http|https}    Configures the EGuest server details in the profile/device context of the NOC (access point/controller). When configured, the NOC posts registration requests and captive-portal related data directly to the specified EGuest server.
      <1-3>    Configures the EGuest server index number. A maximum of three EGuest servers can be configured.
      host <IPv4/IPv6/HOSTNAME>    Configures the EGuest server's IPv4/IPv6 address or hostname.
      {http|https}    Optional. Configures the mode of connection as HTTP or HTTPS. Note: HTTPS is recommended as it uses encryption for transmission and is therefore more secure.

Example
On the NOC, execute along with the host option to point to the EGuest server.
EG-NOC(config-device-74-67-F7-5C-64-4A)#eguest-server 1 host EG-Server https
EG-NOC(config-device-74-67-F7-5C-64-4A)#show context include-factory | include eguest-server
no eguest-server
eguest-server 1 host EG-Server https
EG-NOC(config-device-74-67-F7-5C-64-4A)#
Related Commands
  no    Removes the EGuest server IP address/hostname configuration

7.1.27 email-notification
Profile Config Commands

Configures e-mail notification settings. When a system event occurs, e-mail notifications are sent (provided message logging is enabled) based on the settings configured here. Use this option to configure the outgoing SMTP server settings.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  email-notification [host|recipient]
  email-notification recipient <RECIPIENT-NAME>
  email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [port|security|username]
  email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [(port <1-65535>, security [none|ssl|starttls], username <SMTP-USERNAME> password [2 <WORD>|<WORD>])]
Parameters
  email-notification recipient <RECIPIENT-EMAIL>
    recipient <RECIPIENT-EMAIL>    Defines the recipient's e-mail address. A maximum of 6 (six) e-mail addresses can be configured.
      <RECIPIENT-EMAIL>    Specify the recipient's e-mail address (should not exceed 64 characters in length).

  email-notification host <SMTP-SERVER-IP/HOSTNAME> sender <SENDER-EMAIL> [(port <1-65535>, security [none|ssl|starttls], username <SMTP-USERNAME> password [2 <WORD>|<WORD>])]
    host <SMTP-SERVER-IP/HOSTNAME>    Configures the host SMTP server's IP address or hostname
      <SMTP-SERVER-IP/HOSTNAME>    Specify the SMTP server's IP address or hostname.
    sender <SENDER-EMAIL>    Defines the sender's e-mail address. This is the from address on notification e-mails.
      <SENDER-EMAIL>    Specify the sender's e-mail address (should not exceed 64 characters in length). Use the email-notification > recipient > <EMAIL-ADDRESS> command to configure the recipient's address.
    port <1-65535>    This option is recursive and applicable to the security and username parameters. Configures the SMTP server port. Use this option to configure a non-standard SMTP port on the outgoing SMTP server. The standard SMTP port is 25.
      <1-65535>    Specify the port from 1 - 65535.
    security [none|ssl|starttls]    This option is recursive and applicable to the port and username parameters. Configures the SMTP encryption type used
      none      No encryption used
      ssl       Uses Secure Sockets Layer (SSL) encryption between the SMTP server and the client
      starttls  Uses STARTTLS encryption between the SMTP server and the client
    username <SMTP-USERNAME>    This option is recursive and applicable to the port and security parameters. Configures the SMTP sender's username. Many SMTP servers require users to authenticate with a username and password before sending e-mail through the server.
      <SMTP-USERNAME>    Specify the SMTP username (should not exceed 64 characters in length).
    password [2 <WORD>|<WORD>]    Configures the SMTP server password. Specify the password associated with the username of the sender on the outgoing SMTP server.
      2 <WORD>    Configures an encrypted password
      <WORD>      Specify the password (should not exceed 127 characters in length).

Example
rfs6000-37FABE(config-profile-default-rfs6000)#email-notification recipient test@examplecompany.com
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs7000 default-rfs7000
 dscp-mapping 20 priority 7
 no autoinstall configuration
 no autoinstall firmware
.............................................................
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 use firewall-policy default
 email-notification recipient test@examplecompany.com
 service pm sys-restart
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
  no    Disables or reverts settings to their default

7.1.28 enforce-version
Profile Config Commands

Enables checking of a device's firmware version before attempting adoption or clustering.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  enforce-version [adoption|cluster] [full|major|minor|none|strict]

Parameters
  enforce-version [adoption|cluster] [full|major|minor|none|strict]
    adoption    Verifies firmware versions before adopting. This option is enabled by default.
    cluster     Verifies firmware versions before clustering. This option is enabled by default.
    full        Allows adoption or clustering when the first four octets of the firmware versions match (for example 5.8.6.0)
    major       Allows adoption or clustering when the first two octets of the firmware versions match (for example 5.8)
    minor       Allows adoption or clustering when the first three octets of the firmware versions match (for example 5.8.6)
    none        Allows adoption or clustering between any firmware versions
    strict      Allows adoption or clustering only when firmware versions exactly match (for example 5.8.6.0-008B). This is the default setting for both adoption and cluster options.

Example
nx9500-6C8809(config-profile-test-nx5500)#enforce-version cluster full
nx9500-6C8809(config-profile-test-nx5500)#enforce-version adoption major
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
....................................................
 interface pppoe1
 use firewall-policy default
 enforce-version adoption major
 enforce-version cluster full
 service pm sys-restart
 router ospf
 router bgp
 dot1x system-auth-control
 dot1x use aaa-policy OnBoarding
nx9500-6C8809(config-profile-test-nx5500)#
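The five enforcement levels are a prefix comparison over the dotted version fields, with strict additionally requiring the build tag to agree. The following added example, written for this page and not WiNG code, implements that comparison for version strings of the form the manual shows (5.8.6.0-008B) and wraps it in a small policy object whose defaults match the manual (strict for both adoption and cluster). The version strings used in the usage section are constructed, and the assumption that show context prints only the non-default settings follows the example output above.

```python
"""Firmware-version matching for enforce-version [adoption|cluster] [full|major|minor|none|strict].

Added example, not WiNG code. Parses versions of the form the manual shows
("5.8.6.0-008B": four dotted numeric fields plus an optional build tag) and
decides whether a peer may be adopted or clustered at each enforcement level.
"""
import re

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z]+))?$")

# Number of leading dotted fields that must agree; None means the whole string must match.
FIELDS_REQUIRED = {"none": 0, "major": 2, "minor": 3, "full": 4, "strict": None}


def parse_version(version: str) -> tuple:
    """Split '5.8.6.0-008B' into ((5, 8, 6, 0), '008B'); the build tag may be absent."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version {version!r}")
    fields = tuple(int(x) for x in m.group(1, 2, 3, 4))
    return fields, (m.group(5) or "")


def versions_match(local: str, peer: str, level: str) -> bool:
    """True if the peer's firmware satisfies the given enforcement level against ours."""
    if level not in FIELDS_REQUIRED:
        raise ValueError(f"unknown enforcement level {level!r}")
    local_fields, local_build = parse_version(local)
    peer_fields, peer_build = parse_version(peer)
    n = FIELDS_REQUIRED[level]
    if n is None:  # strict: all four fields and the build tag
        return local_fields == peer_fields and local_build == peer_build
    return local_fields[:n] == peer_fields[:n]


class EnforceVersionPolicy:
    """Per-profile enforce-version settings; both default to strict as the manual states."""

    DEFAULT = "strict"

    def __init__(self, adoption: str = DEFAULT, cluster: str = DEFAULT):
        for level in (adoption, cluster):
            if level not in FIELDS_REQUIRED:
                raise ValueError(f"unknown enforcement level {level!r}")
        self.adoption = adoption
        self.cluster = cluster

    def may_adopt(self, local: str, peer: str) -> bool:
        return versions_match(local, peer, self.adoption)

    def may_cluster(self, local: str, peer: str) -> bool:
        return versions_match(local, peer, self.cluster)

    def config_lines(self) -> list:
        """Lines show context would print; defaults are omitted (assumption based on the example above)."""
        lines = []
        if self.adoption != self.DEFAULT:
            lines.append(f"enforce-version adoption {self.adoption}")
        if self.cluster != self.DEFAULT:
            lines.append(f"enforce-version cluster {self.cluster}")
        return lines


if __name__ == "__main__":
    # Same settings as the manual's example: adoption major, cluster full.
    policy = EnforceVersionPolicy(adoption="major", cluster="full")
    ours, theirs = "5.8.6.0-008B", "5.8.7.1-010A"   # constructed versions
    print("adopt:", policy.may_adopt(ours, theirs))       # 5.8 == 5.8
    print("cluster:", policy.may_cluster(ours, theirs))   # 5.8.6.0 != 5.8.7.1
    print("\n".join(policy.config_lines()))
```

Relaxing the level to none removes the check entirely; the default strict level is the one that refuses to adopt or cluster a device whose build tag differs, which is the setting to keep unless a staged upgrade genuinely needs mixed builds.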
Related Commands
  no    Disables or reverts settings to their default

7.1.29 environmental-sensor
Profile Config Commands

Configures the environmental sensor settings.

An AP8132 sensor module is a USB environmental sensor extension to an AP8132 model access point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the AP8132's radio coverage area.

Supported in the following platforms:
  Access Points  AP8132

Syntax
  environmental-sensor [humidity|light|motion|polling-interval|temperature]
  environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]
  environmental-sensor light {holdtime|radio-shutdown|threshold}
  environmental-sensor light {holdtime <10-201>|radio-shutdown [all|radio-1|radio-2]}
  environmental-sensor light {threshold [high <100-10000>|low <0-1000>]}

Parameters
  environmental-sensor [humidity|motion|polling-interval <1-100>|temperature]
    environmental-sensor    Configures environmental sensor settings on this profile
    humidity    Enables (turns on) humidity sensors. This setting is enabled by default.
    motion      Enables (turns on) motion sensors. This setting is enabled by default.
    polling-interval <1-100>    Configures the polling interval, in seconds, on all sensors. This is the interval after which the sensor module polls its environment to assess the various parameters, such as light intensity.
      <1-100>    Specify a value from 1 - 100 seconds. The default is 5 seconds.
    temperature    Enables (turns on) temperature sensors. This setting is enabled by default.

  environmental-sensor light {holdtime <10-201>|radio-shutdown [all|radio-1|radio-2]}
    environmental-sensor    Configures environmental sensor settings on this profile
    light    Enables (turns on) light sensors and specifies their settings. When enabled, the sensor module polls the environment to determine the light intensity. Based on the reading, the system determines whether the AP8132's deployment location has lights on or off. Light intensity also helps determine whether the access point's deployment location is currently populated with clients.
    holdtime <10-201>    Optional. Configures a holdtime, in seconds, for the light sensor
      <10-201>    Specify a value from 10 - 201 seconds. The default value is 11 seconds.
    radio-shutdown [all|radio1|radio2]    Optional. Shuts down the sensor's radios
      all     Shuts down all radios. This is the default setting.
      radio1  Shuts down radio 1
      radio2  Shuts down radio 2
      AP8132s using this profile have their radios shut down when the radios' power falls below the specified threshold. Use the environmental-sensor > light > threshold > [high|low] command to set the threshold values.

  environmental-sensor light {threshold [high <100-10000>|low <0-1000>]}
    environmental-sensor    Configures environmental sensor settings on this profile
    light    Enables (turns on) light sensors and specifies their settings
    threshold    Optional. Configures the upper and lower thresholds for the amount of light in the environment
      high <100-10000>    Specifies the upper threshold from 100 - 10000 lux. This value determines whether lighting is on in the AP8132's deployment location. The radios are turned off if the average reading value is lower than the value set here. The default is 400 lux. The light sensor triggers an event if the amount of light exceeds the specified value.
      low <0-1000>    Specifies the lower threshold from 0 - 1000 lux. This value determines whether lighting is off in the AP8132's deployment location. The radios are turned on when the average value is higher than the value set here. The default is 200 lux. The light sensor triggers an event if the amount of light drops below the specified value.

Example
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor humidity
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor polling-interval 60
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light radio-shutdown all
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold high 300
rfs4000-229D58(config-profile-testRFS4000)#environmental-sensor light threshold low 100
rfs4000-229D58(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
 bridge vlan 1
  tunnel-over-level2
  ip igmp snooping
  ip igmp snooping querier
 environmental-sensor polling-interval 60
 environmental-sensor light threshold high 300
 environmental-sensor light threshold low 100
 environmental-sensor light radio-shutdown all
 no autoinstall configuration
 no autoinstall firmware
 device-upgrade persist-images
--More--
rfs4000-229D58(config-profile-testRFS4000)#
Related Commands
  no    Removes the environmental sensor's settings

7.1.30 events
Profile Config Commands

Displays system event messages.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  events [forward on|on]

Parameters
  events [forward on|on]
    forward on    Forwards system event messages to the wireless controller, service platform, or cluster members. This feature is enabled by default.
      on    Enables forwarding of system events
    on    Generates system events. This feature is enabled by default.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#events forward on
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
  no    Disables or reverts settings to their default

7.1.31 export
Profile Config Commands

Enables export of the startup.log file after every boot.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  export startup-log [max-retries|retry-interval|url]
  export startup-log [max-retries <2-65535>|retry-interval <30-86400>|url <URL>]

Parameters
  export startup-log [max-retries <2-65535>|retry-interval <30-86400>|url <URL>]
    export startup-log    Enables export of the startup.log file after every boot. This option is disabled by default.
    max-retries <2-65535>    Configures the maximum number of retries in case the export process fails
      <2-65535>    Specify a value from 2 - 65535.
    retry-interval <30-86400>    Configures the interval between two consecutive retries
      <30-86400>    Specify a value from 30 - 86400 seconds.
    url <URL>    Configures the destination URL in one of the following formats:
      tftp://<hostname|IP>[:port]/path/file
      ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
      sftp://<user>@<hostname|IP>[:port]/path/file

Example
nx9500-6C8809(config-profile-test-nx5500)#export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
nx9500-6C8809(config-profile-test-nx5500)#show context
profile nx5500 test-nx5500
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
.......................................................
 interface ge5
 interface ge6
 interface pppoe1
 use firewall-policy default
 export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
 enforce-version adoption major
 enforce-version cluster full
 service pm sys-restart
--More--
nx9500-6C8809(config-profile-test-nx5500)#
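Three of the commands above decide whether management traffic leaves the device encrypted: eguest-server (the manual recommends https), email-notification (security none means no SMTP encryption) and export startup-log (the ftp URL form carries <user>:<passwd> in the URL, and tftp carries neither credentials nor encryption). The following added example, written for this page and not WiNG code, audits show context output offline for those three settings. The configuration it scans is constructed for illustration and the finding texts are this example's own.

```python
"""Offline audit of WiNG show context output for the transport-security settings
documented under eguest-server, email-notification and export startup-log.

Added example, not WiNG code. Only the manual's own statements are applied:
HTTPS is recommended for the EGuest link, `security none` disables SMTP
encryption, and the ftp/tftp URL forms move the log (and, for ftp, the
password embedded in the URL) without encryption. SAMPLE_CONTEXT is constructed.
"""
import re
from urllib.parse import urlsplit

SAMPLE_CONTEXT = """\
profile nx5500 test-nx5500
 eguest-server 1 host EG-Server https
 eguest-server 2 host 10.0.0.9 http
 eguest-server 3 host guest.example.net
 email-notification host smtp.example.net sender noc@example.net port 25 security none username noc password 2 abcd
 email-notification recipient test@examplecompany.com
 export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
"""


def audit_line(line: str) -> list:
    """Return the findings (possibly none) for one configuration line."""
    s = line.strip()
    findings = []
    if s.startswith("no "):
        return findings  # a negated command carries no setting to assess
    m = re.fullmatch(r"eguest-server (\d) host (\S+)(?: (http|https))?", s)
    if m:
        index, host, mode = m.groups()
        if mode != "https":
            findings.append(f"eguest-server {index} ({host}): connection mode is "
                            f"{mode or 'unspecified'}; the manual recommends https")
        return findings
    if s.startswith("email-notification host "):
        m = re.search(r"\bsecurity (none|ssl|starttls)\b", s)
        if m is None:
            findings.append("email-notification host: no security keyword; SMTP encryption mode not configured")
        elif m.group(1) == "none":
            findings.append("email-notification host: security none; SMTP credentials and alerts are sent unencrypted")
        return findings
    if s.startswith("export startup-log "):
        m = re.search(r"\burl (\S+)", s)
        if m:
            url = urlsplit(m.group(1))
            if url.scheme == "tftp":
                findings.append("export startup-log: tftp destination; transfer has no authentication or encryption")
            elif url.scheme == "ftp":
                creds = "with <user>:<passwd> embedded in the URL" if url.password is not None else "without credentials"
                findings.append(f"export startup-log: ftp destination {creds}; the transfer is unencrypted")
    return findings


def audit(context: str) -> list:
    """Audit a whole show context dump and return every finding in order."""
    findings = []
    for line in context.splitlines():
        findings.extend(audit_line(line))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONTEXT):
        print(finding)
```

For the constructed sample the audit reports four lines: the two EGuest servers not using https, the SMTP host configured with security none, and the ftp export URL with anonymous credentials in it; the remaining lines (https EGuest server, recipient address) produce nothing. Running it against real output is a cheap pre-commit check for a profile.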
Related Commands
  no    Disables export of the startup.log file

7.1.32 file-sync
Profile Config Commands

Configures parameters enabling auto syncing of the trustpoint/wireless-bridge certificate between the staging-controller and its adopted access points.

This command is applicable to the access point's profile as well as device configuration modes.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  file-sync [auto|count <1-20>]

Parameters
  file-sync [auto|count <1-20>]
    file-sync    Configures the following file-synching parameters:
    auto    Enables the staging controller to autoinstall the trustpoint/wireless-bridge certificate on an access point when it comes up for the first time and adopts to the controller. Prior to enabling file syncing, ensure that the wireless-bridge certificate is present on the staging controller. To upload the certificate on the controller, in the user or privilege executable modes, execute the following command: file-sync > load-file > <URL>.
    count <1-20>    Configures the maximum number of access points that can be concurrently auto-installed.
      <1-20>    Specify a value from 1 - 20. The default is 10 access points. For the NX95XX service platforms the count range is from 1 - 128.

Example
nx9500-6C8809(config-profile-default-rfs6000)#file-sync auto
nx9500-6C8809(config-profile-default-rfs6000)#file-sync count 8
nx9500-6C8809(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 no autoinstall configuration
 no autoinstall firmware
 no device-upgrade auto
 file-sync count 8
 file-sync auto
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
--More--
nx9500-6C8809(config-profile-default-rfs6000)#
Related Commands
  no    Disables automatic file syncing between the staging-controller and its access points

7.1.33 floor
Profile Config Commands

Sets the floor name where the target device (access point, wireless controller, or service platform using this profile) is physically located. Assigning a building floor name helps in grouping devices within the same general coverage area.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  floor <WORD> {<1-4094>}

Parameters
  floor <WORD> {<1-4094>}
    floor <WORD> {<1-4094>}    Sets the floor name where the target device is located
      <WORD>    Specify the floor name (should not exceed 64 characters in length).
      <1-4094>    Optional. Configures the floor number from 1 - 4094. The default is 1.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#floor fifth
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs7000 default-rfs7000
 bridge vlan 1
  ip igmp snooping
  ip igmp snooping querier
 area Ecospace
 floor fifth
 autoinstall configuration
 autoinstall firmware
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands no Resets the configured floor name and number Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 164 PROFILES 7.1.34 gre Profile Config Commands The following table summarizes commands that allow you to enter the GRE configuration mode:
Command gre gre-config-
instance Description Enables GRE tunneling on a profile/device This command also creates a GRE tunnel and enters its configuration mode. Use this command to modify an existing GRE tunnels settings. Summarizes GRE tunnel configuration mode commands Reference page 7-166 page 7-168 Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 165 PROFILES 7.1.34.1 gre gre Enables Generic Routing Encapsulation (GRE) tunneling on this profile, and creates a new GRE tunnel or modifies an existing GRE tunnel. The GRE protocol allows encapsulation of one protocol over another. It is a tunneling protocol that transports any layer 3 protocol over an IP network. When enabled, a payload packet is first encapsulated in the GRE protocol. The GRE encapsulated payload is then encapsulated in another IP packet before being forwarded to the destination. GRE tunneling can be configured to bridge Ethernet packets between WLANs and a remote WLAN gateway over an IPv4 GRE tunnel. The tunneling of 802.3 packets using GRE is an alternative to MiNT or L2TPv3. Related features like ACLs for extended VLANs are still available using layer 2 tunneling over GRE. Using GRE, access points map one or more VLANs to a tunnel. The remote end point is a user-configured WLAN gateway IP address, with an optional secondary IP address should connectivity to the primary GRE peer be lost. VLAN traffic is expected in both directions in the GRE tunnel. A WLAN mapped to these VLANs can be either open or secure. Secure WLANs require authentication to a remote RADIUS server available within your deployment using standard RADIUS protocols. Access Points can reach both the GRE peer as well as the RADIUS server using IPv4. The WiNG software now supports for both IPv4 or IPv6 tunnel endpoints. However, a tunnel needs to contain either IPv4 or IPv6 formatted device addresses and cannot be mixed. 
With the new IPv6 tunnel implementation, all outbound packets are encapsulated with the GRE header, then the IPv6 header. The header's source IP address is the local IPv6 address of the tunnel interface, and the destination address is the peer address of the tunnel. All inbound packets are de-capsulated by removing the IPv6 and GRE headers before the packet is passed to the IP stack.

NOTE: Only one GRE tunnel can be created for every profile.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  gre tunnel <GRE-TUNNEL-NAME>
Parameters
  gre tunnel <GRE-TUNNEL-NAME>

  gre tunnel <GRE-TUNNEL-NAME>   Creates a new GRE tunnel or modifies an existing GRE tunnel
                                   <GRE-TUNNEL-NAME>  If creating a new tunnel, specify a unique name for it. If modifying an existing tunnel, specify its name.

Example
  rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#?
  GRE Tunnel Mode commands:
    dscp                    Differentiated Services Code Point
    establishment-criteria  Set tunnel establishment criteria
    failover                L2gre tunnel failover
    mtu                     L2GRE tunnel endpoint maximum transmission unit(MTU)
    native                  Native trunking characteristics
    no                      Negate a command or set its defaults
    peer                    L2GRE peer
    tunneled-vlan           VLANs to tunnel

    clrscr                  Clears the display screen
    commit                  Commit all changes made in this session
    do                      Run commands from Exec mode
    end                     End current mode and change to EXEC mode
    exit                    End current mode and down to previous mode
    help                    Description of the interactive help system
    revert                  Revert changes
    service                 Service Commands
    show                    Show running system information
    write                   Write running configuration to memory or terminal

  rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#
  rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#peer 1 ip 192.168.13.8
  rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#peer 2 ip 192.168.13.10
  rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#show context
   gre tunnel testGREtunnel
    peer 1 ip 192.168.13.8
    peer 2 ip 192.168.13.10
  rfs4000-229D58(config-profile testRFS4000-gre-tunnel-testGREtunnel)#

  rfs4000-229D58(config-profile-testRFS4000)#show context
  profile rfs4000 testRFS4000
   bridge vlan 1
    tunnel-over-level2
    ip igmp snooping
    ip igmp snooping querier
  ................................................................................
   use firewall-policy default
   service pm sys-restart
   router ospf
   gre tunnel testGREtunnel
    peer 1 ip 192.168.13.8
    peer 2 ip 192.168.13.10
  rfs4000-229D58(config-profile-testRFS4000)#
Related Commands
  no   Disables GRE tunneling on this profile

7.1.34.2 gre-config-instance (gre)

The following table summarizes GRE tunnel configuration mode commands:

  Command                 Description                                                            Reference
  dscp                    Sets the GRE tunnel's Differentiated Services Code Point (DSCP) /      page 7-169
                          802.1q priority value
  establishment-criteria  Configures the GRE tunnel establishment criteria                       page 7-169
  failover                Enables periodic pinging of the primary gateway to assess its          page 7-171
                          availability, in case it is unreachable
  mtu                     Configures the maximum transmission unit (MTU) for IPv4/IPv6 L2GRE     page 7-172
                          tunnel endpoints
  native                  Configures native trunking settings for this GRE tunnel                page 7-173
  no                      Removes the GRE tunnel settings based on the parameters passed         page 7-174
  peer                    Configures the GRE tunnel's end-point peers                            page 7-175
  tunneled-vlan           Defines the VLAN that connected clients use to route GRE-tunneled      page 7-176
                          traffic within their respective WLANs

7.1.34.2.1 dscp (gre-config-instance)

Sets the GRE tunnel's DSCP / 802.1q priority value, copying it from the encapsulated packets to the outer packet's IPv4 header. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dscp [<0-63>|reflect]

Parameters
  dscp [<0-63>|reflect]

  dscp <0-63>    Specifies the DSCP 802.1q priority value for outer packets from 0 - 63. The default is 1.
  dscp reflect   Copies the DSCP 802.1q value from inner packets

Example
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#dscp 20
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
   gre tunnel testGRETunnel
    dscp 20
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
Related Commands
  no   Removes the GRE tunnel settings based on the parameters passed

7.1.34.2.2 establishment-criteria (gre-config-instance)

Configures the GRE tunnel establishment criteria.

In a multi-controller RF domain, it is always the master node that establishes the tunnel. The tunnel is created only if the tunnel device is designated as one of the following: vrrp-master, cluster-master, or rf-domain-manager.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

Parameters
  establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

  establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
      Configures the GRE tunnel establishment criteria. The options are:
        always                Always automatically establishes the tunnel (default setting). The tunnel device need not be a cluster master, RF Domain manager, or VRRP master to establish the GRE tunnel.
        cluster-master        Establishes the tunnel only if the tunnel device is designated as the cluster master
        rf-domain-manager     Establishes the tunnel only if the tunnel device is designated as the RF Domain manager
        vrrp-master <1-255>   Establishes the tunnel only if the tunnel device is designated as the Virtual Router Redundancy Protocol (VRRP) master
                                <1-255>  Configures the VRRP group ID from 1 - 255. A VRRP group enables the creation of a group of routers as a default gateway for redundancy. Clients can point to the IP address of the VRRP virtual router as their default gateway and utilize a different group member if a master becomes unavailable.

Example
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#establishment-criteria rf-domain-manager
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context
   gre tunnel testGREtunnel
    establishment-criteria rf-domain-manager
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#
7.1.34.2.3 failover (gre-config-instance)

Enables periodic pinging of the primary gateway to assess its availability. When enabled, the system keeps pinging an unreachable gateway for the specified number of retries at the specified interval. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  failover interval <1-250> retry <1-10>

Parameters
  failover interval <1-250> retry <1-10>

  failover interval <1-250>   Specifies the interval, in seconds, between two successive pings to the primary gateway. If the primary gateway is unreachable, the system pings it at the interval specified here.
                                <1-250>  Specify a value from 1 - 250 seconds.
  retry <1-10>                Specifies the maximum number of attempts made to ping the primary gateway before the session is terminated.
                                <1-10>  Specify a value from 1 - 10.

Example
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#failover interval 200 retry 5
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
   gre tunnel testGRETunnel
    dscp 20
    failover interval 200 retry 5
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
Related Commands
  no   Removes the GRE tunnel settings based on the parameters passed

7.1.34.2.4 mtu (gre-config-instance)

Configures the MTU for IPv4/IPv6 L2GRE tunnel endpoints.

The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages larger than the configured MTU are divided into smaller packets before transmission. The larger the MTU, the greater the efficiency, because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU also results in the processing of fewer packets for the same amount of data.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mtu [ipv4 <900-1476>|ipv6 <1236-1456>]

Parameters
  mtu [ipv4 <900-1476>|ipv6 <1236-1456>]

  mtu [ipv4 <900-1476>|ipv6 <1236-1456>]   Configures the MTU for L2GRE tunnel endpoints
      ipv4 <900-1476>    Configures the IPv4 L2GRE tunnel endpoint MTU from 900 - 1476. The default is 1476.
      ipv6 <1236-1456>   Configures the IPv6 L2GRE tunnel endpoint MTU from 1236 - 1456. The default is 1456.

Example
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#mtu ipv4 1200
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#mtu ipv6 1300
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context
   gre tunnel testGREtunnel
    mtu ipv4 1200
    mtu ipv6 1300
    establishment-criteria rf-domain-manager
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#
7.1.34.2.5 native (gre-config-instance)

Configures native trunking settings for this GRE tunnel.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  native [tagged|vlan <1-4094>]

Parameters
  native [tagged|vlan <1-4094>]

  native tagged          Enables native VLAN tagging. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame, identifying to upstream devices the VLAN ID the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12-bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is present in the frame. This feature is disabled by default.
  native vlan <1-4094>   Specifies a numerical VLAN ID (1 - 4094) for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is present in the frame. Additionally, the native VLAN is the VLAN that untagged traffic is directed over when using a port in trunk mode.

Example
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#native tagged
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#native vlan 20
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#show context
   gre tunnel testGREtunnel
    native vlan 20
    native tagged
    mtu ipv4 1200
    mtu ipv6 1300
    establishment-criteria rf-domain-manager
  nx9500-6C8809(config-profile testNX9500-gre-tunnel-testGREtunnel)#
Related Commands
  no   Removes the GRE tunnel settings based on the parameters passed

7.1.34.2.6 no (gre-config-instance)

Removes or resets the GRE tunnel settings based on the parameters passed.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [dscp|establishment-criteria|failover|mtu|native|peer|tunneled-vlan]

  no [dscp|establishment-criteria|failover|tunneled-vlan]
  no mtu [ipv4|ipv6]
  no native [tagged|vlan]
  no peer <1-2>

Parameters
  no <PARAMETERS>

  no <PARAMETERS>   Removes or resets the GRE tunnel's settings based on the parameters passed

Example
The following example shows the GRE tunnel testGRETunnel settings before the no commands are executed:

  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
   gre tunnel testGRETunnel
    peer 1 ip 192.168.13.6
    native vlan 1
    tunneled-vlan 1,10
    native tagged
    dscp 20
    failover interval 200 retry 5
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#

  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no dscp
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no native vlan
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no tunneled-vlan
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#no failover

The following example shows the GRE tunnel testGRETunnel settings after the no commands are executed:

  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
   gre tunnel testGRETunnel
    peer 1 ip 192.168.13.6
    native tagged
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
7.1.34.2.7 peer (gre-config-instance)

Adds the GRE tunnel's end-point peers. A maximum of two peers, representing the tunnel's end points, can be added for each GRE tunnel.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  peer <1-2> ip <IPv4/IPv6>

Parameters
  peer <1-2> ip <IPv4/IPv6>

  peer <1-2> ip <IPv4/IPv6>   Configures the tunnel's end-point peers
      <1-2>          Specify a numeric index for each peer to help differentiate the tunnel end points.
      ip             Specify the IP address (IPv4/IPv6) of the added GRE peer to serve as a network address identifier.
        <IPv4/IPv6>  Specify the peer's IPv4 or IPv6 address.

Example
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#peer 1 ip 192.168.13.6
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
   gre tunnel testGRETunnel
    peer 1 ip 192.168.13.6
    native tagged
    dscp 20
    failover interval 200 retry 5
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
Related Commands
  no   Removes the GRE tunnel settings based on the parameters passed

7.1.34.2.8 tunneled-vlan (gre-config-instance)

Defines the VLAN that connected clients use to route GRE-tunneled traffic within their respective WLANs.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  tunneled-vlan <VLAN-ID>

Parameters
  tunneled-vlan <VLAN-ID>

  tunneled-vlan <VLAN-ID>   Specifies the VLANs associated with this GRE tunnel
      <VLAN-ID>   Specify the VLAN IDs. To specify multiple VLANs, provide a comma-separated list of IDs, for example 1,10,12,16-20.

Example
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#tunneled-vlan 10
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#show context
   gre tunnel testGRETunnel
    peer 1 ip 192.168.13.6
    native vlan 1
    tunneled-vlan 1,10
    native tagged
    dscp 20
    failover interval 200 retry 5
  rfs4000-229D58(config-device 00-23-68-22-9D-58-gre-tunnel-testGRETunnel)#
Related Commands
  no   Removes the GRE tunnel settings based on the parameters passed

7.1.35 http-analyze
Profile Config Commands

Enables forwarding of HTTP request related data to the HTTP analytics engine.

Wireless clients (MUs) connect to APs and route their HTTP requests through the APs. These APs extract and forward HTTP request packets, through MiNT, to the NX series controller. The NX series controller uses a new analytics daemon to cache, format, and forward information to the analytics engine. Currently the analytics daemon is supported only on the NX series service platform. Therefore, all APs must use an NX series service platform as their controller.

In a hierarchically organized network, HTTP analytics data forwarding is a simple and transparent process. The site controllers receive the HTTP data from adopted APs. This data is compressed and forwarded to the Network Operations Center (NOC) controller. There is no need for a separate configuration to enable this feature.

Use this command to configure the mode and interval at which data is sent to the controller and the external analytics engine. This command also configures the external engine's details, such as URL, credentials, etc.

NOTE: The Analytics module helps gather data about customer behavior such as web sites visited, search terms used, mobile device types, and number of new users vs. repeat users. This data provides a better understanding of pricing strategies and promotions being run by competitors.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  http-analyze [compress|external-server|update-interval <1-3600>]

  http-analyze [compress|update-interval <1-3600>]
  http-analyze external-server [password <WORD>|proxy <URL>|update-interval <1-3600>|url <URL>|username <WORD>|validate-server-certificate]

Parameters
  http-analyze [compress|update-interval <1-3600>]

  http-analyze               Configures HTTP analysis related parameters
  compress                   Compresses update files before forwarding them to the controller. This option is disabled by default.
  update-interval <1-3600>   Configures the interval, in seconds, at which buffered packets are pushed to the controller
                               <1-3600>  Specify the interval from 1 - 3600 seconds. The default is 60 seconds.

  http-analyze external-server [password <WORD>|proxy <URL>|update-interval|url|username|validate-server-certificate]

  http-analyze external-server   Configures the external HTTP analytics engine's parameters
  password <WORD>                Configures the external analytics engine's password
                                   <WORD>  Provide the login password. This is the password associated with the user name needed to access the external analytics engine.
  proxy <URL>                    Configures the proxy server's uniform resource locator (URL)
                                   <URL>  Specify the proxy server's URL in the following format: http://username:password@proxy-server:port. For example, http://mot:sym@wwwgate0.mot.com:1080
  update-interval <1-3600>       Configures the interval, in seconds, at which buffered packets are pushed to the external analytics engine
                                   <1-3600>  Specify the interval from 1 - 3600 seconds. The default is 60 seconds.
  url <URL>                      Configures the external analytics engine's IP address or URL
                                   <URL>  Provide the IP address or URL.
  username <WORD>                Configures the user name needed to access the external analytics engine
                                   <WORD>  Provide the user name.
  validate-server-certificate    Validates the external analytics engine's certificate, if it is using HTTPS as the mode of access

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#http-analyze compress
  rfs6000-37FABE(config-profile-default-rfs6000)#http-analyze update-interval 200
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs7000 default-rfs7000
   bridge vlan 1
  .....................................................................
   qos trust 802.1p
   interface pppoe1
   use firewall-policy default
   http-analyze update-interval 200
   http-analyze compress
   service pm sys-restart
   router ospf
  rfs6000-37FABE(config-profile-default-rfs6000)#

  nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server username anonymous
  nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server password anonymous
  nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server validate-server-certificate
  nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server update-interval 100
  nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server url https://192.168.13.10
  nx9500-6C8809(config-profile-test-nx5500)#show context
  profile nx5500 test-nx5500
   no autoinstall configuration
   no autoinstall firmware
  ......................................................
   interface ge5
   interface ge6
   interface pppoe1
   use firewall-policy default
   export startup-log max-retries 10 retry-interval 30 url ftp://anonymous:anonymous@192.168.13.10/log/startup.log
   http-analyze external-server url https://192.168.13.10
   http-analyze external-server username anonymous
   http-analyze external-server password anonymous
   http-analyze external-server update-interval 100
   enforce-version adoption major
   enforce-version cluster full
  --More--
  nx9500-6C8809(config-profile-test-nx5500)#

  nx9500-6C8809(config-profile-test-nx5500)#http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080
  nx9500-6C8809(config-profile-test-nx5500)#show context
  profile nx5500 test-nx5500
   no autoinstall configuration
   no autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
  ...............................................................
   http-analyze external-server url https://192.168.13.10
   http-analyze external-server username anonymous
   http-analyze external-server password anonymous
   http-analyze external-server update-interval 100
   http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080
   enforce-version adoption major
   enforce-version cluster full
   service pm sys-restart
   router ospf
   router bgp
   dot1x system-auth-control
   dot1x use aaa-policy OnBoarding
  nx9500-6C8809(config-profile-test-nx5500)#
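As an added example that is not part of this guide or of the WiNG software, the following Python script audits a profile's show context output against the GRE tunnel constraints stated in 7.1.34 (at most two peers, both of one address family, per-family MTU bounds, failover interval and retry ranges, the comma-and-range VLAN list syntax) and against the http-analyze external-server settings of 7.1.35 that matter to a defender (an HTTPS engine URL configured without validate-server-certificate, a proxy URL carrying a password, a password identical to the user name). The sample configuration text and its indentation layout are constructed for the example.

```python
"""Audit a WiNG profile 'show context' dump against the GRE tunnel limits and
http-analyze options in this chapter. Added example, not WiNG code."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample shaped like 'show context', seeded with one fault per check:
# mixed-family peers, an HTTPS engine URL without certificate validation, a proxy
# URL carrying a password, and a password equal to the user name.
SAMPLE_CONTEXT = """\
profile nx5500 test-nx5500
 gre tunnel testGREtunnel
  peer 1 ip 192.168.13.8
  peer 2 ip 2001:db8::10
  mtu ipv4 1200
  failover interval 200 retry 5
  tunneled-vlan 1,10,12,16-20
 http-analyze external-server url https://192.168.13.10
 http-analyze external-server username anonymous
 http-analyze external-server password anonymous
 http-analyze external-server proxy http://mot:sym@wwwgate0.mot.com:1080
"""
# Accepted MTU ranges, taken from the mtu command syntax in this chapter.
MTU_RANGE = {"ipv4": (900, 1476), "ipv6": (1236, 1456)}


def expand_vlan_list(spec):
    """Expand a tunneled-vlan list such as '1,10,12,16-20' into sorted IDs."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"tunneled-vlan range out of bounds: {part}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def parse_context(text):
    """Split by 'show context' indentation: ({tunnel: [sub-commands]}, [http-analyze words])."""
    tunnels, http_analyze, current = {}, [], None
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip())
        if current and indent > current[1]:
            tunnels[current[0]].append(line)  # still inside the gre tunnel block
            continue
        current, match = None, re.match(r"gre tunnel (\S+)$", line)
        if match:
            current, tunnels[match.group(1)] = (match.group(1), indent), []
        elif line.startswith("http-analyze "):
            http_analyze.append(line.split()[1:])
    return tunnels, http_analyze


def audit_gre_tunnel(name, cmds):
    """Check one GRE tunnel block; returns a list of finding strings."""
    findings, peers = [], {}
    for cmd in cmds:
        w = cmd.split()
        if w[0] == "peer":  # peer <1-2> ip <IPv4/IPv6>
            peers[int(w[1])] = ipaddress.ip_address(w[3])
        elif w[0] == "mtu" and not MTU_RANGE[w[1]][0] <= int(w[2]) <= MTU_RANGE[w[1]][1]:
            findings.append(f"{name}: mtu {w[1]} {w[2]} outside {MTU_RANGE[w[1]]}")
        elif w[0] == "failover" and not (1 <= int(w[2]) <= 250 and 1 <= int(w[4]) <= 10):
            findings.append(f"{name}: failover interval/retry out of range")
        elif w[0] == "tunneled-vlan":
            try:
                expand_vlan_list(w[1])
            except ValueError as exc:
                findings.append(f"{name}: {exc}")
    if any(i not in (1, 2) for i in peers):
        findings.append(f"{name}: peer index must be 1 or 2 (at most two peers)")
    if len({p.version for p in peers.values()}) > 1:
        findings.append(f"{name}: peers mix IPv4 and IPv6 endpoints (not allowed)")
    return findings


def audit_http_analyze(cmds):
    """Flag external-server settings that weaken transport or expose credentials."""
    findings, ext = [], {}
    for w in cmds:
        if len(w) >= 2 and w[0] == "external-server":
            ext[w[1]] = w[2] if len(w) > 2 else True
    scheme = urlsplit(ext.get("url", "")).scheme
    if scheme == "https" and "validate-server-certificate" not in ext:
        findings.append("http-analyze: HTTPS engine URL but server certificate not validated")
    elif scheme == "http":
        findings.append("http-analyze: analytics data and credentials sent over plaintext HTTP")
    if ext.get("proxy") and urlsplit(ext["proxy"]).password:
        findings.append("http-analyze: proxy URL embeds a password in the running config")
    if "password" in ext and ext["password"] == ext.get("username"):
        findings.append("http-analyze: external-server password equals the user name")
    return findings


if __name__ == "__main__":
    tunnels, http_cmds = parse_context(SAMPLE_CONTEXT)
    for f in audit_gre_tunnel("testGREtunnel", tunnels["testGREtunnel"]) + audit_http_analyze(http_cmds):
        print(f)
```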
Related Commands
  no   Disables HTTP analyze settings

7.1.36 interface
Profile Config Commands

The following table summarizes interface configuration commands:

  Command                                  Description                                                          Reference
  interface                                Selects an interface to configure                                    page 7-181
  interface-config-ge-instance             Summarizes Ethernet interface (associated with the wireless          page 7-184
                                           controller or service platform) configuration commands
  interface-config-vlan-instance           Summarizes VLAN interface configuration commands                     page 7-217
  interface-config-port-channel-instance   Summarizes port-channel interface configuration commands             page 7-235
  interface-config-radio-instance          Summarizes radio interface configuration commands (applicable to     page 7-252
                                           devices with built-in radios)
  interface-config-wwan-instance           Summarizes WWAN interface configuration commands                     page 7-327
  interface-config-bluetooth-instance      Summarizes the Bluetooth radio interface configuration commands      page 7-337
                                           (supported only on the AP8432 and AP8533 model access points)

7.1.36.1 interface (interface)

Selects an interface to configure.

A profile's interface configuration can be defined to support separate physical Ethernet configurations, both unique and specific to RFS4000 and RFS6000 controllers and NX7500 and NX95XX series service platforms. Ports vary depending on the platform, but controller or service platform models do have some of the same physical interfaces.

A controller or service platform requires its virtual interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A virtual interface defines which IP address is associated with each VLAN ID the controller or service platform is connected to.

If the profile is configured to support an access point radio, an additional radio interface is available, unique to the access point's radio configuration.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax (Service Platforms)
  interface [<INTERFACE-NAME>|fe <1-4>|ge <1-24>|me1|port-channel <1-4>|pppoe1|radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|wwan1|xge <1-4>]

Syntax (Access Points and Wireless Controllers)
  interface [<INTERFACE-NAME>|bluetooth <1-1>|fe <1-4>|ge <1-8>|me1|port-channel <1-4>|pppoe1|radio [1|2|3]|up1|vlan <1-4094>|wwan1|xge <1-4>]

Parameters
  interface [<INTERFACE-NAME>|bluetooth <1-1>|fe <1-4>|ge <1-8>|me1|port-channel <1-4>|radio [1|2|3]|serial <1-4>|t1e1 <1-4>|up <1-2>|vlan <1-4094>|wwan1|xge <1-4>]

  <INTERFACE-NAME>     Enters the configuration mode of the interface identified by the <INTERFACE-NAME> keyword
  bluetooth <1-1>      Selects the Bluetooth radio interface
                         <1-1>  Specify the Bluetooth radio interface index from 1 - 1. As of now only one Bluetooth radio interface is supported.
                       This interface is applicable only for the AP8432 and AP8533 model access points.
  fe <1-4>             Selects a FastEthernet interface
                         <1-4>  Specify the interface index from 1 - 4.
  ge <1-24>            Selects a GigabitEthernet interface
                         <1-24>  Specify the interface index from 1 - 24 (4 for RFS7000 and 8 for RFS6000).
  me1                  Selects a management interface. Not applicable for RFS4000 model devices. The management interface is applicable only for RFS6000 and RFS7000 model controllers.
  port-channel <1-4>   Selects the port channel interface
                         <1-4>  Specify the interface index from 1 - 4.
  pppoe1               Selects the PPP over Ethernet interface to configure
  radio [1|2|3]        Selects a radio interface
                         1  Selects radio interface 1
                         2  Selects radio interface 2
                         3  Selects radio interface 3
                       The radio interface is not available on wireless controllers or service platforms.
  up1                  Selects the uplink GigabitEthernet interface
  vlan <1-4094>        Selects a VLAN interface
                         <1-4094>  Specify the SVI VLAN ID from 1 - 4094.
  wwan1                Selects a Wireless WAN interface. This interface is applicable only to AP7161, AP81XX, AP8232, RFS4000, RFS6000 model access points and controllers.
  xge <1-4>            Selects a TenGigabitEthernet interface
                         <1-4>  Specify the interface index from 1 - 4.

Usage Guidelines
The ports available on a device vary depending on the model. For example, the following ports are available on RFS4000, RFS6000 and RFS7000 model wireless controllers:
  RFS4000 - ge1, ge2, ge3, ge4, ge5, up1
  RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1

GE ports are RJ-45, supporting 10/100/1000 Mbps. ME ports are available on RFS6000 platforms. ME ports are out-of-band management ports used to manage the controller via CLI or Web UI, even when the other ports on the controller are unreachable.

The ports available on service platforms also vary depending on the model. For example, the following ports are available on NX series service platforms:
  NX7500 - ge1-ge10, xge1-xge2
  NX95XX series - ge1, ge2, xge1-xge4
  EX3500 - ge1-1 to ge1-24
  EX3548 - ge1-1 to ge1-48

GE ports are available on devices such as RFS4000 and RFS6000 controllers. UP ports are available on RFS4000 and RFS6000 platforms. A UP port is used to connect to the backbone network. A UP port supports either RJ-45 or fiber. The UP port is the preferred means to connect to the backbone, as it has a non-blocking 1 Gbps connection, unlike the GE ports.

The following ports are available on access points:
  AP6511 - fe1, fe2, fe3, fe4, up1
  AP6521 - GE1/POE (LAN)
  AP6522 - GE1/POE (LAN)
  AP6532 - GE1/POE
  AP6562 - GE1/POE
  AP7161 - GE1/POE (LAN), GE2 (WAN)
  AP7502 - GE1 (THRU), fe1, fe2, fe3
  AP7522 - GE1/POE (LAN)
  AP7532 - GE1/POE (LAN)
  AP81XX - GE1/POE (LAN), GE2 (WAN)
  AP82XX - GE1/POE (LAN), GE2 (WAN)

NOTE: For a NX7500 model service platform, there are options for either a 2 port or 4 port network management card. Either card can be managed using WiNG. If the 4 port card is used, ports ge7-ge10 are available. If the 2 port card is used, ports xge1-xge2 are available.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#?
  SVI configuration commands:
    crypto               Encryption module
    description          Vlan description
    dhcp                 Dynamic Host Configuration Protocol (DHCP)
    dhcp-relay-incoming  Allow on-board DHCP server to respond to relayed DHCP packets on this interface
    ip                   Interface Internet Protocol config commands
    ipv6                 Internet Protocol version 6 (IPv6)
    no                   Negate a command or set its defaults
    shutdown             Shutdown the selected interface
    use                  Set setting to use

    clrscr               Clears the display screen
    commit               Commit all changes made in this session
    do                   Run commands from Exec mode
    end                  End current mode and change to EXEC mode
    exit                 End current mode and down to previous mode
    help                 Description of the interactive help system
    revert               Revert changes
    service              Service Commands
    show                 Show running system information
    write                Write running configuration to memory or terminal

  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan44)#
Related Commands no Removes the selected interface Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 183 PROFILES 7.1.36.2 interface-config-ge-instance interface This section documents the GigabitEthernet configuration commands. GE port placement and quantity varies depending on the controller, service platform, or access point model. Configure the GE interface either in the devices profile-config context or directly on a device. The following example uses the config-profile-default-rfs7000 instance to configure a GigabitEthernet interface:
nx9500-6C8809(config-profile-testNX9000-if-ge2)#?
Interface configuration commands:
captive-portal-enforcement Enable captive-portal enforcement on this port cdp Cisco Discovery Protocol channel-group Channel group commands description Interface specific description dot1x 802.1X duplex Set duplex to interface ip Internet Protocol (IP) ipv6 Internet Protocol version 6 (IPv6) lacp LACP commands lacp-channel-group LACP channel commands lldp Link Local Discovery Protocol mac-auth Enable mac-auth for this port no Negate a command or set its defaults power PoE Command qos Quality of service remove-override Remove configuration item override from the device (so profile value takes effect) shutdown Shutdown the selected interface spanning-tree Spanning tree commands speed Configure speed switchport Set switching mode characteristics use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal nx9500-6C8809(config-profile-testNX9000-if-ge2)#
The following table summarizes the interface configuration commands:

Command                      Description                                                                                   Reference
captive-portal-enforcement   Enables captive-portal enforcement on this Ethernet port                                      page 7-186
cdp                          Enables Cisco Discovery Protocol (CDP) on this Ethernet port                                  page 7-187
channel-group                Assigns this Ethernet port to a channel group                                                 page 7-188
description                  Configures a description for this Ethernet port                                               page 7-189
dot1x (authenticator)        Configures 802.1X authenticator settings                                                      page 7-190
dot1x (supplicant)           Configures 802.1X supplicant settings                                                         page 7-193
duplex                       Specifies the duplex mode for the interface                                                   page 7-195
ip                           Sets the ARP and DHCP components for this Ethernet port                                       page 7-196
ipv6                         Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this interface              page 7-197
lacp                         Configures the selected GE port's Link Aggregation Control Protocol (LACP) port-priority value  page 7-199
lacp-channel-group           Configures the selected GE port as a member of a port-channel group (also referred to as a LAG)  page 7-200
lldp                         Configures Link Layer Discovery Protocol (LLDP)                                               page 7-202
mac-auth                     Enables MAC-based authentication on this Ethernet port                                        page 7-203
no                           Removes or reverts the selected Ethernet port settings                                        page 7-204
power                        Configures Power over Ethernet (PoE) settings on this interface                               page 7-205
qos                          Enables QoS                                                                                   page 7-206
shutdown                     Disables the selected Ethernet port                                                           page 7-207
spanning-tree                Configures spanning tree parameters                                                           page 7-208
speed                        Specifies the speed on this Ethernet port                                                     page 7-211
switchport                   Sets interface switching mode characteristics                                                 page 7-212
use                          Associates IPv4, IPv6, and/or MAC ACL with the selected Ethernet port                         page 7-215

7.1.36.2.1 captive-portal-enforcement (interface-config-ge-instance)
Enables application of captive portal access permission rules to data transmitted over this specific Ethernet port. This setting is disabled by default.

Captive portal enforcement allows users on the wired network to pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried with the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user can pass traffic through the captive portal.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
captive-portal-enforcement {fall-back}

Parameters
captive-portal-enforcement {fall-back}
  captive-portal-enforcement   Enables captive-portal enforcement on this Ethernet port
  fall-back                    Optional. Enforces captive portal validation only if port authentication fails. When selected, captive portal policies are enforced only when RADIUS authentication of the client MAC address is not successful. If this option is not selected, captive portal policies are enforced regardless of whether the client's MAC address is in the RADIUS server's user database.

Example
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#captive-portal-enforcement
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#show context
 interface ge2
  captive-portal-enforcement
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge2)#

Related Commands
  no   Disables captive-portal enforcement on this interface

7.1.36.2.2 cdp (interface-config-ge-instance)
Enables CDP on the selected GE port.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
cdp [receive|transmit]

Parameters
cdp [receive|transmit]
  receive    Enables CDP packet snooping on this interface. When enabled, the port receives periodic interface updates from a multicast address. This option is enabled by default.
  transmit   Enables CDP packet transmission on this interface. When enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default, so every GE port advertises the device's identity to whatever is attached to it; disable transmission with the no form on ports facing untrusted networks.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#cdp transmit

Related Commands
  no   Disables CDP packet reception or transmission on the selected GE port

7.1.36.2.3 channel-group (interface-config-ge-instance)
Assigns this Ethernet port to a channel group. Ethernet ports can be aggregated to form a channel group. For example, an RFS7000 has four (4) Ethernet ports (1, 2, 3, and 4). These can be aggregated to form a minimum of one and a maximum of two channel groups. A port can be a member of only one channel group at a time.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
channel-group <1-4>

Parameters
channel-group <1-4>
  <1-4>   Specifies a channel group number from 1 - 4. The number of channel groups supported varies with the device type. For example:
            RFS7000   Supports two channel groups
            RFS6000   Supports four channel groups
            RFS4000   Supports three channel groups
            NX5500    Supports three channel groups
            NX75XX    Supports four channel groups
            NX95XX    Supports two channel groups

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no   Removes the channel group to which this port belongs

7.1.36.2.4 description (interface-config-ge-instance)
Configures a description for this Ethernet port.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
description [<LINE>|<WORD>]

Parameters
description [<LINE>|<WORD>]
  <LINE>   Configures the maximum length (number of characters) of the interface description
  <WORD>   Configures a unique description for this interface. The description should not exceed the length specified by the <LINE> parameter.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#description This is GigabitEthernet interface for Royal King
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no   Removes the interface description

7.1.36.2.5 dot1x (authenticator) (interface-config-ge-instance)
Configures 802.1X authenticator settings.

Dot1x (or 802.1X) is an IEEE standard for network authentication. It enables media-level (layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. Dot1x allows port-based access using authentication. A dot1x-enabled port can be dynamically enabled or disabled depending on user identity or device connection.

Devices supporting dot1x allow automatic provisioning and connection to the network without launching a Web browser at login. When within range of a dot1x network, a device automatically connects and authenticates without needing to log in manually.

Before authentication, the endpoint is unknown and its traffic is blocked. Upon authentication, the endpoint is known and its traffic is allowed. The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6562, AP7161, AP7502, AP81XX, AP8232, AP8432
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500

Syntax
dot1x authenticator [guest-vlan|host-mode|max-reauth-req|port-control|reauthenticate|timeout]
dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|reauthenticate|timeout [quiet-period|reauth-period] <1-65535>]

NOTE: The dot1x (802.1X) supplicant settings are documented in the next section.

Parameters
dot1x authenticator [guest-vlan <1-4094>|host-mode [multi-host|single-host]|max-reauth-req <1-10>|port-control [auto|force-authorized|force-unauthorized]|reauthenticate|timeout [quiet-period|reauth-period] <1-65535>]
  dot1x authenticator                   Configures 802.1X authenticator settings
  guest-vlan <1-4094>                   Configures the guest VLAN for this interface. This is the VLAN that traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled. Select the VLAN index from 1 - 4094.
  host-mode [multi-host|single-host]    Configures the host mode for this interface
                                          multi-host    Configures multiple host mode
                                          single-host   Configures single host mode. This is the default setting.
  max-reauth-req <1-10>                 Configures the maximum number of re-authentication retries for the supplicant. This is the maximum number of re-authentication attempts made before this port is moved to unauthorized.
                                          <1-10>   Specify a value from 1 - 10. The default is 2.
  port-control [auto|force-authorized|force-unauthorized]   Configures the port control state
                                          auto                 Configures auto port state. The port stays unauthorized until a supplicant authenticates successfully.
                                          force-authorized     Configures authorized port state. This is the default setting. The port passes traffic without any authentication, so 802.1X is not enforced on a port until port-control is set to auto.
                                          force-unauthorized   Configures unauthorized port state
  reauthenticate                        Enables re-authentication for this port. When enabled, clients are forced to re-authenticate on this port. The setting is disabled by default; until it is enabled, clients are not required to re-authenticate for connection over this port.
  timeout [quiet-period|reauth-period] <1-65535>   Configures timeout settings for this interface
                                          quiet-period    Configures the quiet period timeout in seconds. This is the time the port waits after a failed authentication before it accepts another authentication attempt from the client.
                                          reauth-period   Configures the time after which re-authentication is initiated
                                        The following option is common to the quiet-period and reauth-period keywords:
                                          <1-65535>   Specify a quiet-period or reauth-period from 1 - 65535 seconds.

Example
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator guest-vlan 2
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator host-mode multi-host
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator max-reauth-req 6
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x authenticator reauthenticate
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
 interface ge1
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator reauthenticate
  dot1x authenticator max-reauth-count 6
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#
The following examples show the configuration made on an RFS6000 to enable it as a dot1x authenticator:

1 Configure an AAA policy on the authenticator, and identify the authentication server as onboard (self):
rfs6000-817379(config-aaa-policy-aaa-wireddot1x)#show context
 aaa-policy aaa-wireddot1x
  authentication server 1 onboard controller
rfs6000-817379(config-aaa-policy-aaa-wireddot1x)#
This AAA policy is used in the authenticator's self configuration mode, as shown in the last step.

2 Configure a RADIUS user pool policy on the authenticator:
rfs6000-817379(config-radius-user-pool-wired-dot1x-users)#show con
 radius-user-pool-policy wired-dot1x-users
  user bob password 0 bob1234
rfs6000-817379(config-radius-user-pool-wired-dot1x-users)#
The user name and password configured here must match those of the supplicant. For more information, see the examples provided in the dot1x (supplicant) section. Note that password 0 stores the password in clear text, and it is shown unmasked in show context output, as above.

3 Configure a RADIUS server policy on the authenticator, and associate the RADIUS user pool policy created in the previous step:
rfs6000-817379(config-radius-server-policy-for-wired-dot1x)#show con
 radius-server-policy for-wired-dot1x
  use radius-user-pool-policy wired-dot1x-users
rfs6000-817379(config-radius-server-policy-for-wired-dot1x)#

4 In the authenticator's self configuration mode, associate the RADIUS server policy created in the previous step:
rfs6000-817379(config-device-00-15-70-81-73-79)#use radius-server-policy for-wired-dot1x

5 In the authenticator's interface > ge configuration mode, configure the following parameters. Setting port-control to auto is what actually enforces authentication on the port; the default, force-authorized, passes traffic unauthenticated:
rfs6000-817379(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator host-mode single-host
rfs6000-817379(config-device-00-15-70-81-73-79-if-ge2)#dot1x authenticator port-control auto

6 In the authenticator's self configuration mode, enable 802.1X system-wide and attach the AAA policy created in step 1:
rfs6000-817379(config-device-00-15-70-81-73-79)#dot1x system-auth-control
rfs6000-817379(config-device-00-15-70-81-73-79)#dot1x use aaa-policy aaa-wireddot1x

The following example displays the parameters configured above:
rfs6000-817379(config-device-00-15-70-81-73-79)#show context
 use profile default-rfs6000
 use rf-domain default
 hostname rfs6000-817379
 use radius-server-policy for-wired-dot1x
 interface me1
  ip address 192.168.0.1/24
 interface ge2
  dot1x authenticator host-mode single-host
  dot1x authenticator port-control auto
 interface vlan1
  ip address dhcp
  ip dhcp client request options all
 logging on
 logging console debugging
 dot1x system-auth-control
 dot1x use aaa-policy aaa-wireddot1x
--More--
rfs6000-817379(config-device-00-15-70-81-73-79)#
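The procedure above has two places where a wired 802.1X deployment quietly stays open: a port with authenticator settings whose port-control is still the default force-authorized, and a device where dot1x system-auth-control was never set. It also leaves clear-text credentials (password 0) in the running configuration. The following is an added example, not WiNG or Extreme Networks code, of a script that reads show context output and flags all three. It assumes the one-space-per-level indentation visible in the show context output above; the sample configuration is constructed for the example, and the hex string after password 2 is a dummy stand-in for an encrypted password, not a real value.

```python
"""Audit WiNG 'show context' output for weak wired 802.1X settings.

Added example for this section; it is not WiNG or Extreme Networks code. It assumes
the one-space-per-level indentation seen in the show context output above, and the
sample below is constructed, not captured from a device."""
import re

# Constructed sample modelled on the authenticator procedure above. The hex string
# after "password 2" is a dummy stand-in for an encrypted password, not a real value.
SAMPLE_CONTEXT = """\
radius-user-pool-policy wired-dot1x-users
 user bob password 0 bob1234
 user alice password 2 5f4dcc3b5aa765d61d8327deb882cf99
aaa-policy aaa-wireddot1x
 authentication server 1 onboard controller
hostname rfs6000-817379
use radius-server-policy for-wired-dot1x
interface ge1
 dot1x supplicant username bob password 0 test@123
interface ge2
 dot1x authenticator host-mode single-host
 dot1x authenticator port-control auto
interface ge3
 dot1x authenticator host-mode multi-host
 dot1x authenticator reauthenticate
interface ge4
 description "uplink"
dot1x use aaa-policy aaa-wireddot1x
"""

CLEARTEXT = re.compile(r"\bpassword 0 \S+")
PORT_CONTROL = re.compile(r"dot1x authenticator port-control (\S+)")


def parse_context(text):
    """Return a list of (header, [child lines]) blocks.

    A line at column 0 opens a new block (a top-level device command is a block
    with no children); an indented line belongs to the most recent block."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace():
            if not blocks:
                raise ValueError("indented line with no parent block: %r" % raw)
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return (block header, message) findings for the checks below."""
    blocks = parse_context(text)
    findings = []
    # 'dot1x system-auth-control' must be set at device level for any authenticator port to work.
    system_auth = any(h == "dot1x system-auth-control" for h, _ in blocks)
    for header, children in blocks:
        for line in [header] + children:
            if CLEARTEXT.search(line):
                findings.append((header, "clear-text credential: " +
                                 CLEARTEXT.sub("password 0 <redacted>", line)))
        if not header.startswith("interface "):
            continue
        auth_lines = [c for c in children if c.startswith("dot1x authenticator")]
        if not auth_lines:
            continue
        # An absent port-control line means the documented default, force-authorized.
        port_control = "force-authorized"
        for c in auth_lines:
            m = PORT_CONTROL.match(c)
            if m:
                port_control = m.group(1)
        if port_control == "force-authorized":
            findings.append((header, "802.1X authenticator settings present but port-control is "
                                     "force-authorized (default): traffic passes without authentication"))
        if not system_auth:
            findings.append((header, "802.1X authenticator settings present but "
                                     "'dot1x system-auth-control' is not set on the device"))
    return findings


if __name__ == "__main__":
    for block, message in audit(SAMPLE_CONTEXT):
        print("%-45s %s" % (block, message))
```

Run against the sample it reports the clear-text RADIUS user and supplicant passwords, ge3 as non-enforcing, and ge2 and ge3 as configured on a device where system-auth-control is missing; appending a dot1x system-auth-control line clears the last two. The regex redacts the matched password before it is printed so that the audit output does not itself become a second copy of the credential.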
Related Commands
  no   Disables or reverts interface settings to their default

7.1.36.2.6 dot1x (supplicant) (interface-config-ge-instance)
Configures 802.1X supplicant (client) settings.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000
  Service Platforms: NX5500, NX7500

Syntax
dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]

Parameters
dot1x supplicant username <USERNAME> password [0 <WORD>|2 <WORD>|<WORD>]
  dot1x supplicant                      Configures 802.1X supplicant settings
  username <USERNAME>                   Sets the username for authentication
                                          <USERNAME>   Specify the supplicant's username.
  password [0 <WORD>|2 <WORD>|<WORD>]   Sets the password associated with the supplicant's username. Select any one of the following options:
                                          0 <WORD>   Sets a clear text password
                                          2 <WORD>   Sets an encrypted password
                                          <WORD>     Specify the password.

Example
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#dot1x supplicant username bob password 0 test@123
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
 interface ge1
  dot1x supplicant username bob password 0 test@123
  dot1x authenticator host-mode multi-host
  dot1x authenticator guest-vlan 2
  dot1x authenticator reauthenticate
  dot1x authenticator max-reauth-count 6
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

The following example shows the configuration made on an AP7522 to enable it as a dot1x supplicant:
ap7522-85B19C(config-device-84-24-8D-85-B1-9C-if-ge1)#dot1x supplicant username bob password 0 bob1234
ap7522-85B19C(config-device-84-24-8D-85-B1-9C)#show context
 use profile default-ap7522
 use rf-domain default
 hostname ap7522-85B19C
 no adoption-mode
 interface ge1
  switchport mode access
  switchport access vlan 1
  dot1x supplicant username bob password 0 bob1234
 logging on
 logging console debugging
--More--
ap7522-85B19C(config-device-84-24-8D-85-B1-9C)#

Related Commands
  no   Removes 802.1X supplicant (client) settings

7.1.36.2.7 duplex (interface-config-ge-instance)
Configures the duplex mode (for the flow of packets) on this Ethernet port.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
duplex [auto|half|full]

Parameters
duplex [auto|half|full]
  auto   Enables automatic duplex negotiation on the port. The port detects whether it should run in full or half-duplex mode. This is the default setting.
  half   Sets the port to half-duplex mode. The port communicates in one direction at a time: at any given moment it either sends or receives, not both.
  full   Sets the port to full-duplex mode. The port communicates in both directions simultaneously, sending data while receiving data.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#duplex full
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  duplex full
  dot1x supplicant username Bob password 0 test@123
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no   Reverts to the default (auto)

7.1.36.2.8 ip (interface-config-ge-instance)
Sets the ARP and DHCP components for this Ethernet port.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip [arp|dhcp]
ip [arp [header-mismatch-validation|trust]|dhcp trust]

Parameters
ip [arp [header-mismatch-validation|trust]|dhcp trust]
  arp [header-mismatch-validation|trust]   Configures ARP packet settings
      header-mismatch-validation   Enables matching of the source MAC address in the ARP and Ethernet headers to check for a mismatch. This option is disabled by default.
      trust                        Enables the trust state for ARP responses on this interface. When enabled, ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices within the network. This option is disabled by default.
  dhcp trust   Enables the trust state for DHCP responses on this interface. When enabled, DHCP responses received on this port are trusted and forwarded, so a DHCP server may be connected only to a DHCP-trusted port. This option is enabled by default, which means every GE port forwards DHCP server responses until trust is removed with the no form; remove it on ports that should never face a DHCP server, so that responses from a rogue server attached there are not forwarded.

Example
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#ip dhcp trust
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#ip arp header-mismatch-validation
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
 interface ge1
  description "This is GigabitEthernet interface for Royal King"
  duplex full
  dot1x supplicant username Bob password 0 test@123
  ip dhcp trust
  ip arp header-mismatch-validation
  qos trust dscp
  qos trust 802.1p
  channel-group 1
rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no   Removes the ARP and DHCP components configured for this interface

7.1.36.2.9 ipv6 (interface-config-ge-instance)
Sets the DHCPv6 and ICMPv6 neighbor discovery (ND) components for this interface.

The ICMPv6 ND protocol uses ICMP messages and solicited-node multicast addresses to track neighboring devices on the same local network. These messages are used to discover a neighbor's link layer address and to verify that a neighboring device is reachable. The ICMP messages are neighbor solicitation (NS) and neighbor advertisement (NA) messages. When a destination host receives an NS message from a neighbor, it replies with an NA. The NA contains the following information:
  Source address        The IPv6 address of the device sending the NA
  Destination address   The IPv6 address of the device from which the NS message was received
  Data portion          Includes the link layer address of the device sending the NA

NS messages are also used to verify the reachability of a neighbor whose link layer address is already known. To confirm a neighbor's reachability, a node sends an NS message in which the neighbor's unicast address is specified as the destination address. If the neighbor replies with an NA, it is considered reachable.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 [dhcpv6|nd]
ipv6 dhcpv6 trust
ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters
ipv6 dhcpv6 trust
  ipv6 dhcpv6 trust   Enables the trust state for DHCPv6 responses on this interface. When enabled, all DHCPv6 responses received on this port are trusted and forwarded. This option is enabled by default. A DHCPv6 server can be connected to a DHCPv6-trusted port. As with ip dhcp trust, remove it with the no form on ports that should never face a DHCPv6 server.

ipv6 nd [header-mismatch-validation|raguard|trust]
  ipv6 nd   Configures IPv6 ND settings
    header-mismatch-validation   Enables matching of the source MAC address in the ICMPv6 ND (link layer address option) and Ethernet headers to check for a mismatch. This option is disabled by default.
    raguard                      Allows redirection of router advertisements (RAs) and ICMPv6 packets originating on this interface. When selected, RAs are periodically sent to hosts or sent in response to neighbor solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This option is enabled by default.
    trust                        Enables the trust state for IPv6 ND requests received on this interface. When enabled, IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to the request with a router advertisement packet containing Internet Layer configuration parameters. This option is disabled by default.

Example
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 dhcpv6 trust
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd header-mismatch-validation
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#ipv6 nd trust
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#show context
 interface ge1
  switchport mode access
  switchport access vlan 1
  ipv6 nd trust
  ipv6 nd header-mismatch-validation
  ipv6 dhcpv6 trust
rfs6000-37FABE(config-device-B4-C7-99-6D-CD-4B-if-ge1)#
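Both ip arp header-mismatch-validation and ipv6 nd header-mismatch-validation perform the same comparison: the Ethernet source MAC of a frame against the hardware address the protocol payload claims (the ARP sender hardware address, or the source or target link-layer address option in an ICMPv6 ND message). A spoofed ARP reply or neighbor advertisement typically carries the attacker's MAC in the Ethernet header and the victim's in the payload, which is exactly the mismatch these options catch. The following is an added example, not WiNG code, that reproduces that comparison over raw frames so the check can be tried on a capture offline. The frames it builds are constructed test input, not device captures; checksums and IPv6 addresses are left zero because the comparison does not depend on them.

```python
"""Source-MAC consistency check for ARP and ICMPv6 neighbor discovery frames.

Added example for the 'ip arp header-mismatch-validation' and
'ipv6 nd header-mismatch-validation' options above; it is not WiNG code and
only reproduces the comparison those options describe (Ethernet source MAC
versus the hardware address the ARP or ND payload claims). The frames built
below are constructed test input, not captures."""
import struct

ETH_ARP, ETH_IPV6, IPPROTO_ICMPV6 = 0x0806, 0x86DD, 58
# ICMPv6 ND message type -> fixed header length before the options (RFC 4861):
# 133 RS, 134 RA, 135 NS, 136 NA.
ND_HEADER_LEN = {133: 8, 134: 16, 135: 24, 136: 24}
LLADDR_OPTIONS = {1, 2}  # 1 = source link-layer address, 2 = target link-layer address


def mac(text):
    """'00:15:70:81:73:79' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def check_frame(frame):
    """Return (kind, eth_src, claimed, ok).

    claimed is the link-layer address carried inside ARP or ND, or None when the
    frame carries none (ok is then True, as there is nothing to compare)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    eth_src = bytes(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype == ETH_ARP:
        if len(payload) < 28:
            raise ValueError("truncated ARP packet")
        hlen = payload[4]                  # hardware address length, 6 for Ethernet
        sha = bytes(payload[8:8 + hlen])   # sender hardware address
        return ("arp", eth_src, sha, sha == eth_src)
    if ethertype == ETH_IPV6:
        if len(payload) < 40 or payload[6] != IPPROTO_ICMPV6:
            return ("ipv6", eth_src, None, True)
        icmp = payload[40:]
        hdr_len = ND_HEADER_LEN.get(icmp[0]) if icmp else None
        if hdr_len is None:
            return ("icmpv6", eth_src, None, True)
        claimed, pos = None, hdr_len
        while pos + 2 <= len(icmp):
            otype, olen = icmp[pos], icmp[pos + 1]
            if olen == 0:
                raise ValueError("zero-length ND option")  # RFC 4861: must be discarded
            if otype in LLADDR_OPTIONS and olen == 1:      # 8-byte option carries a 6-byte MAC
                claimed = bytes(icmp[pos + 2:pos + 8])
                break
            pos += olen * 8
        return ("nd", eth_src, claimed, claimed is None or claimed == eth_src)
    return ("other", eth_src, None, True)


def build_arp_request(eth_src, sha, spa=b"\x0a\x00\x00\x01", tpa=b"\x0a\x00\x00\x02"):
    """Broadcast ARP request; sha is the sender hardware address written inside ARP."""
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + sha + spa + bytes(6) + tpa
    return bytes(6 * [0xFF]) + eth_src + struct.pack("!H", ETH_ARP) + arp


def build_ns(eth_src, slla=None, target=bytes(16)):
    """ICMPv6 neighbor solicitation, optionally with a source link-layer address option.
    Checksum and addresses are left zero; check_frame does not verify them."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + target
    if slla is not None:
        icmp += bytes([1, 1]) + slla
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255) + bytes(32)
    return mac("33:33:ff:00:00:01") + eth_src + struct.pack("!H", ETH_IPV6) + ip6 + icmp


if __name__ == "__main__":
    host, attacker = mac("00:15:70:81:73:79"), mac("b4:c7:99:6d:cd:4b")
    for frame in (build_arp_request(host, host), build_arp_request(attacker, host),
                  build_ns(host, host), build_ns(attacker, host), build_ns(host)):
        kind, src, claimed, ok = check_frame(frame)
        print(kind, src.hex(":"), claimed.hex(":") if claimed else "-", "ok" if ok else "MISMATCH")
```

A frame with no link-layer option is reported as consistent rather than suspicious, because there is nothing to compare; a zero-length ND option is rejected outright, since RFC 4861 requires such packets to be discarded and a parser that tolerated it would loop forever.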
Related Commands
  no   Removes or reverts IPv6 settings on this interface

7.1.36.2.10 lacp (interface-config-ge-instance)
Configures the selected GE port's Link Aggregation Control Protocol (LACP) port-priority value. If LACP is enabled and the selected port is a member of a link aggregation group (LAG), use this command to configure the port's priority within the LAG.

As per the IEEE 802.3ad standard, LACP enables aggregation of multiple physical links to form a single logical channel. Each aggregated group of physical links is a LAG. When enabled, LACP dynamically determines whether link aggregation is possible between two peers and automatically configures the aggregation. LACP also allows the switch to dynamically reconfigure the LAGs. The LAG is enabled only when LACP detects that the remote device is also using LACP and is able to join the LAG. Enabling LACP provides automatic recovery in case one or more of the aggregated physical links fail.

NOTE: Use the lacp-channel-group command to configure this port as a LAG member.

Supported in the following platforms:
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
lacp port-priority <1-65535>

Parameters
lacp port-priority <1-65535>
  lacp port-priority <1-65535>   Configures the selected GE port's port-priority value. The port's actual priority within the LAG is determined by the port-priority value specified here together with the port's number. The higher the value, the lower the priority. Use this option to manipulate a port's priority. For example, in a LAG with five physical ports, four active and one standby, raising the standby port's priority (that is, lowering its port-priority value) ensures that if one of the active ports fails, the standby port is included in the LAG during re-negotiation.
                                   <1-65535>   Specify a value from 1 - 65535. The default value is 32768.

Example
nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp port-priority 2
nx9500-6C8809(config-profile-testnx9000-if-ge1)#show context
 interface ge1
  lacp port-priority 2
nx9500-6C8809(config-profile-testnx9000-if-ge1)#
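The ordering rule behind the parameter description above (a lower port-priority value wins, and the port number breaks ties, because the two together form the IEEE 802.3ad port identifier) is easier to see worked through than read. The following is an added illustration, not WiNG code. The cap on the number of active links and the replay of a link failure are modelled assumptions: the page does not say how a WiNG platform sizes the active set, nor whether changing a priority triggers immediate reselection or only takes effect at the next negotiation.

```python
"""Active/standby selection by LACP port identifier.

Added illustration of the ordering rule the lacp port-priority description
above gives (lower port-priority value wins, port number breaks ties); it is
not WiNG code. The cap on active links and the replay of a link failure are
modelled assumptions; the page does not state how a WiNG platform sizes the
active set or whether changing a priority triggers immediate reselection."""
from dataclasses import dataclass

DEFAULT_PORT_PRIORITY = 32768  # default lacp port-priority on the page


@dataclass(frozen=True)
class Port:
    number: int
    priority: int = DEFAULT_PORT_PRIORITY
    up: bool = True


def port_id(port):
    """IEEE 802.3ad port identifier: priority in the high 16 bits, port number low.
    Lower identifiers are preferred, so a lower priority value means a higher priority."""
    if not 1 <= port.priority <= 65535:
        raise ValueError("lacp port-priority must be 1-65535")
    return (port.priority << 16) | port.number


def select(ports, max_active):
    """Return (active, standby) lists of port numbers; links that are down are not candidates."""
    ranked = sorted((p for p in ports if p.up), key=port_id)
    return [p.number for p in ranked[:max_active]], [p.number for p in ranked[max_active:]]


def with_link_down(ports, number):
    """Copy of ports with the given port marked down, as after a link failure."""
    return [Port(p.number, p.priority, False) if p.number == number else p for p in ports]


def with_priority(ports, number, priority):
    """Copy of ports with 'lacp port-priority <priority>' applied to one port."""
    return [Port(p.number, priority, p.up) if p.number == number else p for p in ports]


if __name__ == "__main__":
    lag = [Port(n) for n in range(1, 7)]           # ge1..ge6, all at the default priority
    print("defaults:       ", select(lag, 4))                       # ([1, 2, 3, 4], [5, 6])
    print("ge2 link down:  ", select(with_link_down(lag, 2), 4))    # ([1, 3, 4, 5], [6])
    print("ge6 priority 2: ", select(with_priority(lag, 6, 2), 4))  # ([6, 1, 2, 3], [4, 5])
```

With all six ports at the default value the port number alone decides, so ge5 and ge6 are the standby links and ge5 is the first to be promoted when ge2 fails. Giving ge6 a port-priority of 2 moves it ahead of every default-priority port, which is the "higher the value, lower the priority" rule in action.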
Related Commands
  no   Removes the selected GE port's configured port-priority value

7.1.36.2.11 lacp-channel-group (interface-config-ge-instance)
Configures the selected GE port as a member of a port-channel group (also referred to as a LAG).

As per the IEEE 802.3ad standard, LACP enables the aggregation of multiple physical links (Ethernet ports) to form a single logical channel. When enabled, LACP dynamically determines whether link aggregation is possible and then automatically configures the aggregation. LACP also allows the switch to dynamically reconfigure the LAGs. The LAG is enabled only when LACP detects that the remote device is also using LACP and is able to join the LAG.

NOTE: Successful aggregation of two or more physical links is feasible only if the aggregating physical links are configured identically. To ensure uniformity in configuration across LAG members, implement configuration changes (such as changes in the switching mode, speed, etc.) on the logical port (the port-channel) and not on the physical port. Changes made on the port-channel cascade down to each member of the LAG, thereby retaining uniformity.

Supported in the following platforms:
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
lacp-channel-group <1-4> mode [active|passive]

Parameters
lacp-channel-group <1-4> mode [active|passive]
  lacp-channel-group <1-4>   Associates this GE port with an existing port-channel group
                               <1-4>   Specify a value from 1 - 4. Use the interface > port-channel > <1-4> command to configure a port-channel group. For more information, see interface-config-port-channel-instance.
  mode [active|passive]      After configuring the selected port as a LAG member, specify whether the port is an active or passive member within the group. An active member initiates and participates in LACP negotiations.
                               active    Configures the port as an active member. When set to active, the port always transmits LACPDUs irrespective of the remote device's port mode.
                               passive   Configures the port as a passive member. When set to passive, the port only responds to LACPDUs received from its corresponding active peer port.
                             At least one port within a LAG, on either of the two negotiating peers, should be in active mode. LACP negotiations are not initiated if all LAG member ports are passive. Further, peer-to-peer LACP negotiations are always initiated by the peer with the lower system-priority value. For more information on configuring the system-priority, see lacp.

Example
nx9500-6C8809(config-profile-testnx9000-if-ge1)#lacp-channel-group 2 mode active
nx9500-6C8809(config-profile-testnx9000-if-ge1)#show context
 interface ge1
  lacp-channel-group 2 mode active
  lacp port-priority 2
nx9500-6C8809(config-profile-testnx9000-if-ge1)#
To enable dynamic link aggregation on a device (service platform), execute the following steps:

1 Create a port-channel group on the device. Enter the port-channel configuration mode.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface port-channel 1
  a Set the switching mode to access or trunk as required. In this example, the mode is set to access.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#switchport mode access
  b Specify the VLAN to switch, commit changes and exit.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#switchport access vlan 1
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#commit
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-port-channel1)#exit

2 Enable dynamic link aggregation on the device's physical port. Enter the GE port's configuration mode.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#interface ge 2
  a Enable link aggregation and associate the port with the port-channel group created in step 1.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-ge2)#lacp-channel-group 1 mode active
Note that the mode can be set to passive. However, at least one of the aggregated GE ports in the port-channel group should be active in order to initiate link aggregation negotiations with other LACP-enabled peers.
  b Specify the GE port's priority value.
nx9500-6C8809(config-device-B4-C7-99-6C-88-09-if-ge2)#lacp port-priority 2

Related Commands
  no   Removes the selected GE port's port-channel group membership

7.1.36.2.12 lldp (interface-config-ge-instance)
Configures Link Layer Discovery Protocol (LLDP) parameters on this Ethernet port.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  lldp [receive|transmit]

Parameters
  lldp [receive|transmit]
    receive    Enables LLDP Protocol Data Unit (PDU) snooping. When enabled, the port receives periodic updates from a multicast address informing it about the presence of neighbors. This option is enabled by default.
    transmit   Enables LLDP PDU transmission. When enabled, the port sends periodic interface updates to a multicast address to advertise its presence to neighbors. This option is enabled by default.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#lldp transmit

Related Commands
  no    Disables or reverts interface settings to their default

7.1.36.2.13 mac-auth
interface-config-ge-instance

Enables authentication of MAC addresses on the selected wired port. When enabled, this feature authenticates the MAC address of a device connecting to this interface with a RADIUS server. When successfully authenticated, packets from that source are processed. Since only one MAC address is supported per wired port, packets from all other sources are dropped. For more information on enabling this feature, see mac-auth.

Enable port MAC authentication in conjunction with wired 802.1X settings to configure a MAC authentication AAA policy. This option is also available in the device configuration mode.

Supported in the following platforms:
  Access Points: AP6522, AP6562, AP7161, AP7502, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mac-auth

Parameters
  None

Example
  rfs4000-229D58(config-profile-testRFS4000-if-ge1)#mac-auth
  rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
  interface ge1
   mac-auth
   ip dhcp trust
   qos trust dscp
   qos trust 802.1p
   channel-group 1
  rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

  rfs4000-229D58(config-profile-testRFS4000-if-ge5)#mac-auth
  rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context
  interface ge5
   switchport mode access
   switchport access vlan 1
   dot1x authenticator host-mode single-host
   dot1x authenticator guest-vlan 5
   dot1x authenticator port-control auto
   mac-auth
  rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#

Related Commands
  no    Disables authentication of MAC addresses on the selected wired port

7.1.36.2.14 no
interface-config-ge-instance

Removes or reverts the selected Ethernet port settings.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [captive-portal-enforcement|cdp|channel-group|description|dot1x|duplex|ip|ipv6|lacp|lacp-channel-group|lldp|mac-auth|power|qos|shutdown|spanning-tree|speed|switchport|use]
  no [captive-portal-enforcement|channel-group|description|duplex|mac-auth|shutdown|speed]
  no [cdp|lldp] [receive|transmit]
  no dot1x [authenticator [guest-vlan|host-mode|max-reauth-req|port-control|reauthentication|timeout [quiet-period|reauth-period]]|supplicant]
  no ip [arp [header-mismatch-validation|trust]|dhcp trust]
  no ipv6 [dhcpv6 trust|nd [header-mismatch-validation|raguard|trust]]
  no [lacp port-priority|lacp-channel-group]
  no power {best-effort|limit|priority}
  no qos trust [802.1p|cos|dscp]
  no spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|portfast]
  no switchport [access vlan|mode|trunk native tagged]
  no use [ip-access-list|ipv6-access-list|mac-access-list] in

Parameters
  no <PARAMETERS>
    no <PARAMETERS>   Removes or reverts this Ethernet port's settings based on the parameters passed

Usage Guidelines
  The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#no cdp
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#no duplex

7.1.36.2.15 power
interface-config-ge-instance

Configures Power over Ethernet (PoE) settings on this interface.

When configured, this option allows the selected port to use Power over Ethernet. When enabled, the controller supports 802.3af PoE on each of its GE ports. PoE allows users to monitor port power consumption and configure power usage limits and priorities for each GE port.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000

Syntax
  power {best-effort|limit <0-40>|priority [critical|high|low]}

Parameters
  power {best-effort|limit <0-40>|priority [critical|high|low]}
    power          Configures power related thresholds for this interface
    best-effort    Optional. Enables power when the device is not operating from an 802.3at class 4 power source
    limit <0-40>   Optional. Configures the PoE power limit from 0 - 40 Watts. The default is 30 Watts.
    priority [critical|high|low]
                   Optional. Configures the PoE power priority on this interface. This is the priority assigned to this port versus the power requirements of the other ports available on the controller.
                   critical   Sets PoE priority as critical
                   high       Sets PoE priority as high
                   low        Sets PoE priority as low. This is the default setting.

Example
  rfs4000-229D58(config-profile-testRFS4000-if-ge1)#power limit 30
  rfs4000-229D58(config-profile-testRFS4000-if-ge1)#power priority critical
  rfs4000-229D58(config-profile-testRFS4000-if-ge1)#show context
  interface ge1
   ip dhcp trust
   qos trust dscp
   qos trust 802.1p
   power limit 30
   power priority critical
  rfs4000-229D58(config-profile-testRFS4000-if-ge1)#

Related Commands
  no    Removes PoE settings on this interface

7.1.36.2.16 qos
interface-config-ge-instance

Defines Quality of Service (QoS) settings on this Ethernet port.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  qos trust [802.1p|cos|dscp]

Parameters
  qos trust [802.1p|cos|dscp]
    trust [802.1p|cos|dscp]   Trusts QoS values ingressing on this interface
      802.1p   Trusts 802.1p CoS values ingressing on this interface
      cos      Trusts 802.1p CoS values ingressing on this interface. This option is enabled by default.
      dscp     Trusts IP DSCP QoS values ingressing on this interface. This option is enabled by default.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#qos trust dscp
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#qos trust 802.1p
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
  interface ge1
   description "This is GigabitEthernet interface for Royal King"
   duplex full
   dot1x supplicant username Bob password 0 test@123
   ip dhcp trust
   ip arp header-mismatch-validation
   qos trust dscp
   qos trust 802.1p
   channel-group 1
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no    Removes QoS settings on the selected interface

7.1.36.2.17 shutdown
interface-config-ge-instance

Shuts down (disables) an interface. The interface is administratively enabled unless explicitly disabled using this command.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  shutdown

Parameters
  None

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#shutdown

Related Commands
  no    Disables or reverts interface settings to their default

7.1.36.2.18 spanning-tree
interface-config-ge-instance

Configures spanning tree parameters.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|port-cisco-interoperability|portfast]
  spanning-tree [force-version <0-3>|guard root|portfast]
  spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
  spanning-tree link-type [point-to-point|shared]
  spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
  spanning-tree port-cisco-interoperability [disable|enable]

Parameters
  spanning-tree [force-version <0-3>|guard root|portfast]
    force-version <0-3>   Specifies the spanning tree force version. A version identifier of less than 2 enforces the spanning tree protocol. Select one of the following versions:
                            0   Spanning Tree Protocol (STP)
                            1   Not supported
                            2   Rapid Spanning Tree Protocol (RSTP)
                            3   Multiple Spanning Tree Protocol (MSTP). This is the default setting.
    guard root            Enables Root Guard for the port. Root Guard disables superior Bridge Protocol Data Unit (BPDU) reception and ensures the enabled port is a designated port. If a Root Guard enabled port receives a superior BPDU, it moves to a discarding state (root-inconsistent STP state). This state is equivalent to a listening state, and data is not forwarded across the port. Therefore, enabling guard root enforces the root bridge position. Use the no parameter with this command to disable Root Guard.
    portfast              Enables rapid transitions. Enabling PortFast allows the port to bypass the listening and learning states.

  spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
    bpdufilter [default|disable|enable]   Sets a PortFast BPDU filter for the port. Use the no parameter with this command to revert the port BPDU filter to its default. The spanning tree protocol sends BPDUs from all ports. Enabling the BPDU filter ensures PortFast enabled ports do not transmit or receive BPDUs.
    bpduguard [default|disable|enable]    Enables BPDU guard on a port. Use the no parameter with this command to set BPDU guard to its default. When BPDU guard is set for a bridge, all PortFast-enabled ports that have BPDU guard set to default shut down upon receiving a BPDU. If this occurs, the BPDU is not processed. The port can be brought back either manually (using the no shutdown command), or by configuring the errdisable-timeout to enable the port after a specified interval.

  spanning-tree link-type [point-to-point|shared]
    link-type [point-to-point|shared]   Enables point-to-point or shared link types
      point-to-point   Enables rapid transition. This option indicates the port should be treated as connected to a point-to-point link. A port connected to a controller is a point-to-point link.
      shared           Disables rapid transition. This option indicates the port should be treated as having a shared connection. A port connected to a hub is on a shared link.

  spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
    mst <0-15>              Configures MST on a spanning tree
    cost <1-200000000>      Defines the path cost for a port from 1 - 200000000. The default path cost depends on the speed of the port. The cost helps determine the role of the port in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
    port-priority <0-240>   Defines the port priority for a bridge from 1 - 240. The lower the priority, the greater the likelihood of the port becoming a designated port. Applying a higher value reduces the port's likelihood of becoming a designated port.

  spanning-tree port-cisco-interoperability [disable|enable]
    port-cisco-interoperability   Enables interoperability with Cisco's version of MSTP (which is incompatible with standard MSTP)
      enable    Enables Cisco interoperability
      disable   Disables Cisco interoperability. The default is disabled.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree bpdufilter disable
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree bpduguard enable
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree force-version 1
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree guard root
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#spanning-tree mst 2 port-priority 10
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
  interface ge1
   description "This is GigabitEthernet interface for Royal King"
   duplex full
   spanning-tree bpduguard enable
   spanning-tree bpdufilter disable
   spanning-tree force-version 1
   spanning-tree guard root
   spanning-tree mst 2 port-priority 10
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no    Removes spanning tree settings configured on this interface

7.1.36.2.19 speed
interface-config-ge-instance

Specifies the speed of a FastEthernet (10/100) or GigabitEthernet (10/100/1000) port. This is the speed at which the port can receive and transmit data.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  speed [10|100|1000|auto]

Parameters
  speed [10|100|1000|auto]
    10     Forces 10 Mbps operation
    100    Forces 100 Mbps operation
    1000   Forces 1000 Mbps operation
    auto   The port automatically detects its operational speed based on the port at the other end of the link. Select this option to enable the port to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis.

Usage Guidelines
  Set the interface speed to auto to detect and use the fastest speed available. Speed detection is based on the connected network hardware.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#speed 10
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
  interface ge1
   description "This is GigabitEthernet interface for Royal King"
   speed 10
   duplex full
   spanning-tree bpduguard enable
   spanning-tree bpdufilter disable
   spanning-tree force-version 1
   spanning-tree guard root
   spanning-tree mst 2 port-priority 10
   dot1x supplicant username Bob password 0 test@123
   ip dhcp trust
   ip arp header-mismatch-validation
   qos trust dscp
   qos trust 802.1p
   channel-group 1
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no    Resets speed to default (auto)

7.1.36.2.20 switchport
interface-config-ge-instance

Sets switching mode characteristics for the selected interface.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  switchport [access|mode|trunk]
  switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
  switchport mode [access|trunk]
  switchport trunk [allowed|native]
  switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
  switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

Parameters
  switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
    access vlan [<1-4094>|<VLAN-ALIAS-NAME>]   Sets the VLAN when the interface is in access mode. You can either directly specify the native VLAN ID or use a VLAN alias to identify the native VLAN.
      <1-4094>            Specify the SVI VLAN ID from 1 - 4094.
      <VLAN-ALIAS-NAME>   Specify the VLAN alias name (should be existing and configured).
    An Ethernet port in access mode accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected to be untagged and are mapped to the native VLAN.

  switchport mode [access|trunk]
    mode [access|trunk]   Sets the interface's switching mode to access or trunk (can only be used on physical, layer 2, interfaces)
      access   If access mode is selected, the access VLAN is automatically set to VLAN1. In this mode, only untagged packets in the access VLAN (vlan1) are accepted on this port. All tagged packets are discarded.
      trunk    If trunk mode is selected, tagged VLAN packets are accepted. The native VLAN is automatically set to VLAN1. Untagged packets are placed in the native VLAN by the wireless controller or service platform. Outgoing packets in the native VLAN are sent untagged. The default mode for both ports is trunk.

  switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
    trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]   Sets the trunking mode allowed VLAN characteristics of the port. Use this option to add VLANs that exclusively send packets over the listed port. The options are:
      <VLAN-ID>          Allows a group of VLAN IDs. Specify the VLAN IDs either as a range (55-60) or as a comma-separated list (35, 41, etc.)
      none               Allows no VLANs to transmit or receive through the layer 2 interface
      add <VLAN-ID>      Adds VLANs to the current list
                         <VLAN-ID>   Specify the VLAN IDs either as a range (55-60) or as a comma-separated list (35, 41, etc.)
      remove <VLAN-ID>   Removes VLANs from the current list
                         <VLAN-ID>   Specify the VLAN IDs either as a range (55-60) or as a comma-separated list (35, 41, etc.)
    Allowed VLANs are configured only when the switching mode is set to trunk.

  switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
    trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]   Sets trunking mode characteristics of the switchport and configures the native VLAN ID for the trunk-mode port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
      tagged   Tags the native VLAN. When a frame is tagged, the 12 bit VLAN ID is added to the 802.1Q header, enabling upstream Ethernet devices to know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the trunk port.
      vlan [<1-4094>|<VLAN-ALIAS-NAME>]   Sets the native VLAN for classifying untagged traffic when the interface is in trunking mode.
        <1-4094>            Specify a value from 1 - 4094.
        <VLAN-ALIAS-NAME>   Specify the VLAN alias name used to identify the VLAN. The VLAN alias should be existing and configured.

Usage Guidelines
  Interfaces ge1 - ge4 can be configured in trunk or access mode. An interface configured as trunk allows packets (from the given list of VLANs) to be added to the trunk. An interface configured as access allows packets only from the native VLAN. Use no switchport [access|mode|trunk] to undo switchport configurations.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#switchport trunk native tagged
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#switchport access vlan 1
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
  interface ge1
   description "This is GigabitEthernet interface for Royal King"
   speed 10
   duplex full
   switchport mode access
   switchport access vlan 1
   spanning-tree bpduguard enable
   spanning-tree bpdufilter disable
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#

Related Commands
  no    Disables or reverts interface settings to their default

7.1.36.2.21 use
interface-config-ge-instance

Specifies the IP (IPv4 and IPv6) access list and MAC access list used with this Ethernet port. The associated ACL firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|mac-access-list in <MAC-ACCESS-LIST-NAME>]

Parameters
  use [ip-access-list in <IPv4-ACCESS-LIST-NAME>|ipv6-access-list <IPv6-ACCESS-LIST-NAME>|mac-access-list in <MAC-ACCESS-LIST-NAME>]
    ip-access-list in <IPv4-ACCESS-LIST-NAME>   Associates an IPv4 access list with this Ethernet port. IPv4 is a connectionless protocol for packet-switched networking. IPv4 operates as a best-effort delivery method: it does not guarantee delivery and does not ensure proper sequencing or protect against duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
      in                        Applies the IPv4 ACL on incoming packets
      <IPv4-ACCESS-LIST-NAME>   Specify the IPv4 access list name (it should be existing and configured).
    ipv6-access-list in <IPv6-ACCESS-LIST-NAME>   Associates an IPv6 access list with this Ethernet port. IPv6 is the latest revision of IP, designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
      in                        Applies the IPv6 ACL on incoming packets
      <IPv6-ACCESS-LIST-NAME>   Specify the IPv6 access list name (it should be existing and configured).
    mac-access-list in <MAC-ACCESS-LIST-NAME>   Associates a MAC access list with this Ethernet port. MAC ACLs filter/mark packets based on the MAC address from which they arrive, as opposed to filtering packets on layer 2 ports.
      in                       Applies the MAC ACL on incoming packets
      <MAC-ACCESS-LIST-NAME>   Specify the MAC access list name (it should be existing and configured).

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#use mac-access-list in test
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#use ip-access-list in test
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#show context
  interface ge1
   description "This is GigabitEthernet interface for Royal King"
   speed 10
   duplex full
   switchport mode access
   switchport access vlan 1
   use ip-access-list in test
   use mac-access-list in test
   spanning-tree bpduguard enable
   spanning-tree bpdufilter disable
   spanning-tree force-version 1
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000-if-ge1)#
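The show context output shown in the spanning-tree, switchport and use examples above, together with the lacp-channel-group procedure earlier in this chapter, is a convenient surface for a configuration audit. The following Python script is an added example (not part of this guide or Extreme's code): it parses that output layout and flags settings the guide itself describes as risky or non-functional, namely a trunk port (the default mode) whose native VLAN is not tagged, spanning-tree force-version 1, an LACP group whose members are all passive, and an access port with no ingress ACL; it also treats a dot1x supplicant password stored as type 0 as cleartext, which is an assumption about the 0/2 password forms used in this guide's syntax.

```python
"""Audit WiNG-style 'show context' interface output for risky settings.

Added example, not part of the CLI reference guide or Extreme's code. The
parser assumes the layout shown in the guide's examples: an unindented
'interface geN' header followed by one indented setting per line. The
findings encode statements made in the guide (trunk is the default mode,
native-VLAN frames leave untagged unless 'switchport trunk native tagged',
force-version 1 is unsupported, an all-passive LAG never negotiates) plus
one assumption: that password type '0' denotes a cleartext secret.
"""
import re
from collections import defaultdict

# Constructed sample modeled on the guide's examples (not captured output).
SAMPLE_CONTEXT = """\
interface ge1
 description "This is GigabitEthernet interface for Royal King"
 speed 10
 duplex full
 switchport mode access
 switchport access vlan 1
 use ip-access-list in test
 use mac-access-list in test
 spanning-tree bpduguard enable
 spanning-tree bpdufilter disable
 spanning-tree force-version 1
 dot1x supplicant username Bob password 0 test@123
 lacp-channel-group 2 mode passive
interface ge2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 lacp-channel-group 2 mode passive
interface ge3
 lacp-channel-group 1 mode active
interface ge4
 lacp-channel-group 1 mode passive
"""


def parse_context(text):
    """Return {interface_name: [setting lines]} from show-context output."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--":  # skip blanks and pager residue
            continue
        header = re.match(r"interface\s+(\S+)$", line)
        if header and not raw.startswith(" "):
            current = header.group(1)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def audit(blocks):
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    lag_modes = defaultdict(list)  # channel-group id -> [(iface, mode)]
    for iface, lines in blocks.items():
        joined = "\n".join(lines)
        # Guide: trunk is the default mode; native-VLAN traffic is sent
        # untagged unless 'switchport trunk native tagged' is configured.
        mode_m = re.search(r"^switchport mode (\S+)$", joined, re.M)
        mode = mode_m.group(1) if mode_m else "trunk"
        if mode == "trunk" and "switchport trunk native tagged" not in lines:
            findings.append((iface, "trunk port with untagged native VLAN"))
        # Assumption: password type 0 stores the secret in cleartext.
        if re.search(r"^dot1x supplicant username \S+ password 0 ", joined, re.M):
            findings.append((iface, "dot1x supplicant password stored as type 0 (cleartext)"))
        # Guide: force-version 1 is listed as 'Not supported'.
        if "spanning-tree force-version 1" in lines:
            findings.append((iface, "spanning-tree force-version 1 is not supported"))
        # Access ports face end hosts; note when no 'use ... in' ACL is bound.
        if mode == "access" and not any(l.startswith("use ") and " in " in l for l in lines):
            findings.append((iface, "access port has no ingress ACL applied"))
        lag_m = re.search(r"^lacp-channel-group (\d+) mode (active|passive)$", joined, re.M)
        if lag_m:
            lag_modes[int(lag_m.group(1))].append((iface, lag_m.group(2)))
    # Guide: LACP negotiation is never initiated if every member is passive.
    for group, members in lag_modes.items():
        if all(m == "passive" for _, m in members):
            names = ",".join(i for i, _ in members)
            findings.append((f"port-channel{group}",
                             f"all LAG members ({names}) passive; LACP will not negotiate"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, msg in audit(parse_context(SAMPLE_CONTEXT)):
        print(f"{iface}: {msg}")
```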
Related Commands
  no    Disassociates the IP access list or MAC access list from the interface

7.1.36.3 interface-config-vlan-instance
interface

Use the config-profile-<DEVICE-PROFILE-NAME> mode to configure Ethernet, VLAN and tunnel settings. To switch to this mode, use the following commands:
  <DEVICE>(config-profile-default-<DEVICE-TYPE>)#interface [<INTERFACE-NAME>|fe <1-4>|ge <1-24>|me1|port-channel <1-4>|pppoe1|radio [1|2|3]|up1|vlan <1-4094>|wwan1|xge <1-24>]

The following example uses the config-profile-default-rfs7000 instance to configure a VLAN interface:
  rfs6000-37FABE(config-profile-default-rfs6000)#interface vlan 8
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#?
  SVI configuration commands:
    crypto                Encryption module
    description           Vlan description
    dhcp                  Dynamic Host Configuration Protocol (DHCP)
    dhcp-relay-incoming   Allow on-board DHCP server to respond to relayed DHCP packets on this interface
    ip                    Interface Internet Protocol config commands
    ipv6                  Internet Protocol version 6 (IPv6)
    no                    Negate a command or set its defaults
    shutdown              Shutdown the selected interface
    use                   Set setting to use

    clrscr                Clears the display screen
    commit                Commit all changes made in this session
    do                    Run commands from Exec mode
    end                   End current mode and change to EXEC mode
    exit                  End current mode and down to previous mode
    help                  Description of the interactive help system
    revert                Revert changes
    service               Service Commands
    show                  Show running system information
    write                 Write running configuration to memory or terminal
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

The following table summarizes interface VLAN configuration commands:

  Command               Description                                                                                          Reference
  crypto                Defines the encryption module used with this VLAN interface                                          page 7-218
  description           Defines the VLAN interface description                                                               page 7-219
  dhcp                  Enables inclusion of optional fields (client identifier) in DHCP client requests                     page 7-220
  dhcp-relay-incoming   Allows an onboard DHCP server to respond to relayed DHCP packets on this interface                   page 7-221
  ip                    Configures the VLAN interface's IP settings                                                          page 7-222
  ipv6                  Configures the VLAN interface's IPv6 settings                                                        page 7-225
  no                    Removes or reverts this VLAN interface's settings to default                                         page 7-230
  shutdown              Shuts down this VLAN interface                                                                       page 7-232
  use                   Associates an IP (IPv4 and IPv6) access list, bonjour-gw-discovery policy, and an IPv6-route-advertisement policy with this VLAN interface   page 7-233

7.1.36.3.1 crypto
interface-config-vlan-instance

Associates an existing and configured VPN crypto map with this VLAN interface. Crypto map entries are sets of configuration parameters for encrypting packets that pass through the VPN tunnel. For more information on crypto maps, see crypto-map-config-commands.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  crypto map <CRYPTO-MAP-NAME>

Parameters
  crypto map <CRYPTO-MAP-NAME>
    map <CRYPTO-MAP-NAME>   Attaches a crypto map to the selected VLAN interface. The crypto map should be existing and configured.
      <CRYPTO-MAP-NAME>   Specify the crypto map name.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#crypto map map1
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   crypto map map1
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands
  no    Disables or reverts interface VLAN settings to their default
7.1.36.3.2 description
interface-config-vlan-instance

Defines this VLAN interface's description. Use this command to provide additional information about the VLAN.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  description <WORD>

Parameters
  description <WORD>
    description <WORD>   Configures a description for this VLAN interface (should not exceed 64 characters in length)
      <WORD>   Specify a description unique to the VLAN's specific configuration, to help differentiate it from other VLANs with similar configurations.

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#description This VLAN interface is configured for the Sales Team
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   description "This VLAN interface is configured for the Sales Team"
   crypto map map1
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands
  no    Removes the VLAN interface description

7.1.36.3.3 dhcp
interface-config-vlan-instance

Enables inclusion of optional fields (client identifier) in DHCP client requests. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dhcp client include client-identifier

Parameters
  dhcp client include client-identifier
    dhcp client include client-identifier   Enables inclusion of the client identifier in DHCP client requests

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#dhcp client include client-identifier
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   dhcp client include client-identifier
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands
  no    Disables inclusion of the client identifier in DHCP client requests

7.1.36.3.4 dhcp-relay-incoming
interface-config-vlan-instance

Allows an onboard DHCP server to respond to relayed DHCP packets. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dhcp-relay-incoming

Parameters
  None

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#dhcp-relay-incoming
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   description "This VLAN interface is configured for the Sales Team"
   crypto map map1
   dhcp-relay-incoming
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

Related Commands
  no    Disables or reverts interface VLAN settings to their default

7.1.36.3.5 ip
interface-config-vlan-instance

Configures the VLAN interface's IP settings.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ip [address|dhcp|helper-address|nat|ospf]
  ip helper-address <IP>
  ip address [<IP/M>|<NETWORK-ALIAS-NAME>|dhcp|zeroconf]
  ip address [<IP/M>|<NETWORK-ALIAS-NAME>|zeroconf] {secondary}
  ip address dhcp
  ip dhcp client request options all
  ip nat [inside|outside]
  ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
  ip ospf authentication [message-digest|null|simple-password]
  ip ospf authentication-key simple-password [0 <WORD>|2 <WORD>]
  ip ospf [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>]
  ip ospf message-digest-key key-id <1-255> md5 [0 <WORD>|2 <WORD>]

Parameters
  ip helper-address <IP>
    helper-address <IP>
        Enables forwarding of the DHCP and BOOTP broadcast requests of a set of clients to a server on another network. Configure the helper address on the VLAN interface connected to the clients. The helper address is the unicast address of the BOOTP or DHCP server that should receive the requests. If you have multiple servers, configure one helper address for each server.
        <IP>   Specify the IP address of the DHCP or BOOTP server.

  ip address [<IP/M>|<NETWORK-ALIAS-NAME>|zeroconf] {secondary}
    address
        Sets the VLAN interface's IP address
    <IP/M>
        Specifies the interface IP address and mask in the A.B.C.D/M format
        secondary   Optional. Sets the specified IP address as a secondary address
    <NETWORK-ALIAS-NAME>
        Uses a pre-defined network alias to provide this VLAN interface's IP address. Specify the network alias name.
        secondary   Optional. Sets the network-alias provided IP address as the secondary address
    zeroconf {secondary}
        Uses Zero Configuration Networking (zeroconf) to generate an IP address for this interface. Zeroconf here means IPv4 link-local address auto-configuration (RFC 3927): the interface picks an address in 169.254.0.0/16, checks for conflicts with ARP probes and uses it without any DHCP server. Such an address is reachable only on the local link and is not routed, so zeroconf is normally a fallback or a secondary address for the virtual interface rather than its primary address.
        secondary   Optional. Sets the generated IP address as a secondary address

  ip address dhcp
    address dhcp
        Uses a DHCP client to obtain an IP address for this VLAN interface

  ip dhcp client request options all
    dhcp client request options all
        Configures the DHCP client on this VLAN interface to request all supported DHCP options from the server

  ip nat [inside|outside]
    nat [inside|outside]
        Defines NAT settings for the VLAN interface. NAT is disabled by default.
        inside    Marks this VLAN as an inside (private) interface. Packets leaving the inside network have the source IP address in the IP header replaced by the (public) address of the outside interface.
        outside   Marks this VLAN as an outside (public) interface. Packets passing through the NAT on the way back to the managed LAN are matched against the translation records kept by the NAT engine, and the destination IP address is changed back to the original private IP address so the packet reaches the host on the LAN.

  ip ospf authentication [message-digest|null|simple-password]
    ospf authentication
        Configures the OSPF authentication scheme. Options are message-digest, null, and simple-password.
        message-digest    Configures MD5 based authentication. The key never leaves the router; each OSPF packet carries a key ID, a cryptographic sequence number and an MD5 digest computed over the packet and the key. Prefer this over simple-password wherever the neighbouring routers support it.
        null              No authentication required
        simple-password   Configures simple password based authentication. The password is carried in clear text in the OSPF header of every packet, so anyone able to capture traffic on the segment can read it and inject routes.

  ip ospf authentication-key simple-password [0 <WORD>|2 <WORD>]
    ospf authentication-key simple-password [0 <WORD>|2 <WORD>]
        Configures the OSPF authentication key used with simple-password authentication
        0 <WORD>   Configures the key in clear text
        2 <WORD>   Configures the key in its encrypted form (the form in which the key appears in a saved configuration)

  ip ospf [bandwidth <1-10000000>|cost <1-65535>|priority <0-255>]
    bandwidth <1-10000000>
        Configures the bandwidth for the physical port mapped to this layer 3 interface
        <1-10000000>   Specify the bandwidth from 1 - 10000000.
    cost <1-65535>
        Configures the OSPF cost
        <1-65535>   Specify the OSPF cost value from 1 - 65535.
    priority <0-255>
        Configures the OSPF router priority used in designated router election (0 makes the interface ineligible)
        <0-255>   Specify the OSPF priority value from 0 - 255.

  ip ospf message-digest-key key-id <1-255> md5 [0 <WORD>|2 <WORD>]
    ospf message-digest-key key-id <1-255> md5 [0 <WORD>|2 <WORD>]
        Configures message digest authentication parameters
        key-id <1-255>   Configures the message digest authentication key ID from 1 - 255. The ID is sent in every packet so the receiver can select the matching key; both ends must use the same ID and key.
        md5              Configures the MD5 key
        0 <WORD>         Configures the key in clear text
        2 <WORD>         Configures the key in its encrypted form (the form in which the key appears in a saved configuration)

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip address 10.0.0.1/8
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip nat inside
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip helper-address 172.16.10.3
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#ip dhcp client request options all
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   description "This VLAN interface is configured for the Sales Team"
   ip address 10.0.0.1/8
   ip dhcp client request options all
   ip helper-address 172.16.10.3
   ip nat inside
   crypto map map1
   dhcp-relay-incoming
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
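The difference between the simple-password and message-digest schemes selected with ip ospf authentication is easiest to see in the bytes. The following Python script is an added illustration, not part of this guide or of the WiNG software: it builds a minimal OSPFv2 Hello packet with AuType 1 (simple-password) and AuType 2 (message-digest) following RFC 2328 Appendix D, then shows that the simple password can be read straight out of the header while the MD5 scheme exposes only a key ID, a sequence number and a digest that a receiver recomputes with its own copy of the key. The router ID, area, key and packet contents are constructed sample values.

```python
"""OSPFv2 authentication on the wire (RFC 2328, Appendix D).

Added example, not from the WiNG guide. Builds a minimal Hello packet with
AuType 1 (simple-password) and AuType 2 (message-digest/MD5) so the effect of
`ip ospf authentication` can be inspected byte by byte. All values are
constructed samples.
"""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HDR_LEN = 24          # OSPFv2 packet header, including the 8-byte auth field
OSPF_HELLO = 1


def internet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for AuType 0 and 1."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_hello(autype: int, key: bytes = b"", key_id: int = 1, seq: int = 1) -> bytes:
    """Return a Hello from sample router 10.0.0.1 in area 0.0.0.0."""
    # Hello body: network mask, hello interval, options, router priority,
    # router dead interval, DR, BDR; no neighbours listed.
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 0x02, 1, 40,
                       b"\x00" * 4, b"\x00" * 4)
    length = HDR_LEN + len(body)
    if autype == AUTH_SIMPLE:
        # The password itself sits in the header, zero-padded to 8 bytes.
        auth = key[:8].ljust(8, b"\x00")
    elif autype == AUTH_MD5:
        # reserved(2) | key ID(1) | auth data length(1) | cryptographic sequence(4)
        auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    else:
        auth = b"\x00" * 8
    header = struct.pack("!BBH4s4sHH", 2, OSPF_HELLO, length,
                         bytes([10, 0, 0, 1]), b"\x00" * 4, 0, autype)
    pkt = header + auth + body
    if autype == AUTH_MD5:
        # Checksum stays zero. The digest over packet + zero-padded 16-byte key
        # is appended after the packet and is not counted in the length field.
        digest = hashlib.md5(pkt + key[:16].ljust(16, b"\x00")).digest()
        return pkt + digest
    # Checksum covers the whole packet except the 64-bit authentication field.
    cks = internet_checksum(pkt[:16] + pkt[24:])
    return pkt[:12] + struct.pack("!H", cks) + pkt[14:]


def parse_header(pkt: bytes) -> dict:
    ver, typ, length, rid, aid, cks, autype = struct.unpack("!BBH4s4sHH", pkt[:16])
    return {"version": ver, "type": typ, "length": length, "router_id": rid,
            "area_id": aid, "checksum": cks, "autype": autype, "auth": pkt[16:24]}


def recover_simple_password(pkt: bytes):
    """What a passive sniffer on the segment sees under simple-password."""
    hdr = parse_header(pkt)
    if hdr["autype"] != AUTH_SIMPLE:
        return None
    return hdr["auth"].rstrip(b"\x00")


def verify_md5(pkt: bytes, key: bytes) -> bool:
    """Recompute the trailer digest with the local key (key-ID lookup omitted)."""
    hdr = parse_header(pkt)
    if hdr["autype"] != AUTH_MD5:
        return False
    _, _key_id, auth_len, _seq = struct.unpack("!HBBI", hdr["auth"])
    end = hdr["length"]
    if auth_len != 16 or len(pkt) < end + 16:
        return False
    expected = hashlib.md5(pkt[:end] + key[:16].ljust(16, b"\x00")).digest()
    return hmac.compare_digest(expected, pkt[end:end + 16])


if __name__ == "__main__":
    plain = build_hello(AUTH_SIMPLE, b"s3cret")
    print("simple-password visible on the wire:", recover_simple_password(plain))
    signed = build_hello(AUTH_MD5, b"s3cret", key_id=7, seq=42)
    print("md5 verifies with the right key:", verify_md5(signed, b"s3cret"))
    print("md5 verifies with a wrong key:", verify_md5(signed, b"wrong"))
```

The verifier above only checks the digest; a real OSPF implementation also requires the cryptographic sequence number to be non-decreasing per neighbour, which is what stops a captured packet from being replayed. MD5 is what OSPFv2 offers on these platforms, so key length and key rotation (the key-id field exists for exactly that) are the remaining controls.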
Related Commands
  no    Removes or resets IP settings on this interface

7.1.36.3.6 ipv6
interface-config-vlan-instance

Configures the VLAN interface's IPv6 settings

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|router-advertisements]
  ipv6 accept ra {(no-default-router|no-hop-limit|no-mtu)}
  ipv6 address [<IPv6/M>|autoconfig|eui-64|link-local|prefix-from-provider]
  ipv6 address [<IPv6/M>|autoconfig]
  ipv6 address eui-64 [<IPv6/M>|prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>]
  ipv6 address prefix-from-provider <WORD> <HOST-PORTION/LENGTH>
  ipv6 address link-local <LINK-LOCAL-ADD>
  ipv6 dhcp [client [information|prefix-from-provider <WORD>]|relay destination <DEST-IPv6-ADD>]
  ipv6 [enable|enforce-dad|mtu <1280-1500>|redirects|request-dhcpv6-options]
  ipv6 router-advertisements [prefix <IPv6-PREFIX>|prefix-from-provider <WORD>] {no-autoconfig|off-link|site-prefix <SITE-PREFIX>|valid-lifetime [<30-4294967294>|at|infinite] (preferred-lifetime)}

Parameters
  ipv6 accept ra {(no-default-router|no-hop-limit|no-mtu)}
    ipv6 accept ra
        Enables processing of router advertisements (RAs) received on this VLAN interface. This option is enabled by default. When enabled, the interface configures itself from RAs using the neighbor discovery protocol's ICMPv6 router discovery messages: when first connected to a network it sends a link-local router solicitation multicast request for its configuration parameters, and routers respond with a router advertisement containing the Internet layer configuration parameters. Any host on the link can send an RA, so an interface that accepts RAs will also accept a rogue default router, hop limit or MTU unless the options below, or an IPv6 router advertisement policy (see use), restrict what is taken from them.
        no-default-router   Optional. Excludes routers advertising on this interface from the default router selection process. This option is disabled by default.
        no-hop-limit        Optional. Ignores the hop-count value advertised in RAs on this interface. This option is disabled by default.
        no-mtu              Optional. Ignores the MTU value advertised in RAs on this interface. This option is disabled by default.

  ipv6 address [<IPv6/M>|autoconfig]
    ipv6 address [<IPv6/M>|autoconfig]
        Configures IPv6 address related settings on this VLAN interface
        <IPv6/M>     Specify the non-link-local static IPv6 address and prefix length of the interface in the X:X::X:X/M format.
        autoconfig   Enables stateless auto-configuration of the IPv6 address from the prefixes received in RAs (with the auto-config flag set). This option is enabled by default. Use the no > ipv6 > address > autoconfig command to negate the use of prefixes received in RAs.

  ipv6 address eui-64 [<IPv6/M>|prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>]
    ipv6 address eui-64 <IPv6/M>
        Configures the IPv6 prefix and prefix length used to auto-generate the static IPv6 address of this interface in the modified Extended Unique Identifier (EUI)-64 format. The IEEE's 64-bit EUI-64 format lets a host assign itself a unique 64-bit IPv6 interface identifier without manual configuration or DHCP. On a virtual interface this is done by taking the already unique 48-bit MAC address, inserting ff:fe between its two halves and inverting the universal/local bit, so that it matches the EUI-64 specification. In an EUI-64 IPv6 address the prefix and host portions are each 64 bits long. The configured value is used as the prefix portion of the auto-generated address, and the host portion is derived from the MAC address of the interface. Any bits of the configured value beyond the prefix length M are ignored and replaced by the host portion derived from the MAC address. Because the host portion is derived from the MAC, the resulting address discloses the interface's hardware address (including its vendor OUI) to every remote peer and stays constant across renumbering. For example:
          Prefix portion provided using this command: ipv6 > address > eui-64 > 2004:b055:15:dead::1111/64
          Host portion derived from the interface's MAC address (00-15-70-37-FB-5E): 215:70ff:fe37:fb5e
          Auto-configured IPv6 address using the above prefix and host portions: 2004:b055:15:dead:215:70ff:fe37:fb5e/64
        In this example, the host part ::1111 is ignored and replaced with the modified EUI-64 formatted host address.
    prefix-from-provider <WORD> <IPv6-PREFIX/PREFIX-LENGTH>
        Configures the prefix-from-provider named object and the associated IPv6 prefix and prefix length. This configured value is used as the prefix portion of the auto-generated IPv6 address, and the host portion is derived from the MAC address of the interface.
        <WORD>   Specify the IPv6 prefix-from-provider object's name. This is the IPv6 general prefix (32 character maximum) name provided by the Internet service provider.
        <IPv6-PREFIX/PREFIX-LENGTH>   Specify the IPv6 address subnet and host parts along with the prefix length (site renumbering). For example:
          Prefix portion provided using this command: ipv6 > address > eui-64 > prefix-from-provider > ISP1-prefix > 2002::/64
          Host portion derived from the interface's MAC address (00-15-70-37-FB-5E): 215:70ff:fe37:fb5e
          Auto-configured IPv6 address using the above prefix and host portions: 2002::215:70ff:fe37:fb5e/64

  ipv6 address prefix-from-provider <WORD> <HOST-PORTION/LENGTH>
    ipv6 address prefix-from-provider <WORD> <HOST-PORTION/LENGTH>
        Configures the prefix-from-provider named object and the host portion of the IPv6 interface address. The prefix derived from the specified prefix-from-provider object and the host portion (second parameter) are combined, using the prefix length of the prefix-from-provider object, to generate the interface's IPv6 address.
        <WORD>   Provide the prefix-from-provider object's name. This is the IPv6 general prefix (32 character maximum) name provided by the service provider.
        <HOST-PORTION/LENGTH>   Provide the subnet number, host portion, and prefix length used to form the actual address together with the prefix derived from the prefix-from-provider object identified by <WORD>.

  ipv6 address link-local <LINK-LOCAL-ADD>
    ipv6 address link-local <LINK-LOCAL-ADD>
        Configures the IPv6 link-local address on this interface. The configured value overrides the default link-local address derived from the interface's MAC address. Use the no > ipv6 > address > link-local command to restore the default MAC-derived link-local address. An IPv6 interface must always have a link-local address.

  ipv6 dhcp [client [information|prefix-from-provider <WORD>]|relay destination <DEST-IPv6-ADD>]
    ipv6 dhcp client [information|prefix-from-provider <WORD>]
        Configures DHCPv6 client related settings on this VLAN interface
        information                   Configures a stateless DHCPv6 client on this interface. When enabled, the device can request configuration information (other than addresses, for example DNS servers) from the DHCPv6 server using stateless DHCPv6. This option is disabled by default.
        prefix-from-provider <WORD>   Configures a prefix-delegation client on this interface. Enter the IPv6 general prefix (32 character maximum) name provided by the service provider. This option is disabled by default.
    ipv6 dhcp relay destination <DEST-IPv6-ADD>
        Enables DHCPv6 packet forwarding on this VLAN interface
        destination         Forwards DHCPv6 packets to a specified DHCPv6 server or relay
        <DEST-IPv6-ADD>     Specify the destination address. A DHCPv6 relay agent exchanges messages between a DHCPv6 server and clients that are not on the server's link; the client and the relay agent are on the same link. When a DHCPv6 request is received from the client, the relay agent wraps it in a Relay-forward message and sends it to the specified server address. If no address is specified, the relay agent forwards the message to the DHCPv6 server multicast group. The server answers with a Relay-reply to the relay agent, which unwraps it and sends the response to the client.

  ipv6 [enable|enforce-dad|mtu <1280-1500>|redirects|request-dhcpv6-options]
    ipv6
        Configures IPv6 settings on this VLAN interface
        enable                   Enables IPv6 on this interface. This option is disabled by default.
        enforce-dad              Enforces Duplicate Address Detection (DAD) on wired ports. This option is enabled by default.
        mtu <1280-1500>          Configures the Maximum Transmission Unit (MTU) for IPv6 packets on this interface
                                 <1280-1500>   Specify a value from 1280 - 1500. The default is 1500.
        redirects                Enables sending of ICMPv6 redirect messages on this interface. This option is enabled by default.
        request-dhcpv6-options   Requests options from the DHCPv6 server on this interface. This option is disabled by default.

  ipv6 router-advertisements [prefix <IPv6-PREFIX>|prefix-from-provider <WORD>] {no-autoconfig|off-link|site-prefix <SITE-PREFIX>|valid-lifetime [<30-4294967294>|at|infinite] (preferred-lifetime)}
    ipv6 router-advertisements
        Configures IPv6 RA related settings on this VLAN interface
    prefix <IPv6-PREFIX>
        Configures a static prefix and its related parameters. The configured value is advertised in RAs.
        <IPv6-PREFIX>   Specify the IPv6 prefix.
    prefix-from-provider <WORD>
        Configures a static prefix-from-provider named object and its related parameters on this VLAN interface. The configured value is advertised in RAs.
        <WORD>   Specify the prefix-from-provider named object's name.
    The following optional parameters are common to the general-prefix, prefix, and prefix-from-provider keywords:
    no-autoconfig
        Optional. Clears the autonomous address-configuration flag in the advertised prefix, so hosts do not use the prefix for IPv6 address generation. The flag is set by default; no-autoconfig clears it.
    off-link
        Optional. Clears the on-link flag in the advertised prefix. The on-link flag is set by default; off-link clears it.
    site-prefix <SITE-PREFIX>
        Optional. Configures the subnet (site) prefix
    valid-lifetime [<30-4294967294>|at|infinite] (preferred-lifetime)
        Optional. Configures the valid lifetime of the prefix; preferred-lifetime configures the preferred lifetime of the prefix
        <30-4294967294>   Configures the valid/preferred lifetime in seconds
        at                Configures the expiry time and date of the valid/preferred lifetime
        infinite          Configures the valid/preferred lifetime as infinite

Example
  rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 enable
  rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 accept ra no-mtu
  rfs6000-81742D(config-profile-test-if-vlan4)#ipv6 address eui-64 prefix-from-provider ISP1-prefix 2002::/64
  rfs6000-81742D(config-profile-test-if-vlan4)#show context
  interface vlan4
   ipv6 enable
   ipv6 address eui-64 prefix-from-provider ISP1-prefix 2002::/64
   ipv6 accept ra no-mtu
  rfs6000-81742D(config-profile-test-if-vlan4)#
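The EUI-64 derivation used by ipv6 address eui-64 can be reproduced and checked off the device. The following Python script is an added example, not from this guide or the WiNG software: it computes the modified EUI-64 interface identifier from a MAC address, combines it with a configured prefix while discarding host bits beyond the prefix length (the ::1111 case above), and runs the derivation backwards to recover the MAC address from an address seen on the wire, which is the privacy cost of eui-64 addressing. The MAC address and prefixes are the guide's own example values.

```python
"""Modified EUI-64 interface identifiers (RFC 4291, Appendix A).

Added example, not part of the WiNG guide. Reproduces the guide's eui-64
derivation and the reverse: recovering the MAC from a generated address.
"""
import ipaddress


def modified_eui64_iid(mac: str) -> int:
    """64-bit interface identifier derived from a 48-bit MAC address.

    The MAC is split in two, ff:fe is inserted in the middle, and the
    universal/local bit (bit 0x02 of the first octet) is inverted.
    """
    octets = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    # The first octet occupies bits 63..56 of the identifier, so its 0x02 bit is bit 57.
    return int.from_bytes(eui, "big") ^ (1 << 57)


def eui64_address(prefix_with_len: str, mac: str) -> str:
    """Address the `ipv6 address eui-64 <IPv6/M>` command generates.

    Host bits in the configured value beyond the prefix length are ignored,
    as the guide shows for 2004:b055:15:dead::1111/64.
    """
    net = ipaddress.IPv6Network(prefix_with_len, strict=False)  # strict=False drops host bits
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 interface identifier needs a /64 prefix")
    addr = ipaddress.IPv6Address(int(net.network_address) | modified_eui64_iid(mac))
    return f"{addr}/{net.prefixlen}"


def mac_from_address(address: str):
    """Recover the MAC from an EUI-64 derived address, or None if it is not one.

    Any peer that sees the address learns the hardware address and its vendor
    OUI, and can recognise the host again after the prefix changes.
    """
    iid = (int(ipaddress.IPv6Address(address)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00-15-70-37-FB-5E"
    print(f"interface id: {modified_eui64_iid(mac):016x}")        # 021570fffe37fb5e
    print(eui64_address("2004:b055:15:dead::1111/64", mac))      # 2004:b055:15:dead:215:70ff:fe37:fb5e/64
    print(eui64_address("2002::/64", mac))                       # 2002::215:70ff:fe37:fb5e/64
    print(mac_from_address("2002::215:70ff:fe37:fb5e"))          # 00:15:70:37:fb:5e
```

Running mac_from_address over the source addresses in a flow log is a quick way to find interfaces that are leaking hardware addresses this way; on such interfaces a static <IPv6/M> or a DHCPv6-assigned address avoids the disclosure.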
Related Commands
  no    Removes or resets IPv6 settings on this VLAN interface

7.1.36.3.7 no
interface-config-vlan-instance

Negates a command or reverts to defaults. The no command, when used in the Config Interface VLAN mode, negates VLAN interface settings or reverts them to their default.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [crypto|description|dhcp|dhcp-relay-incoming|ip|ipv6|shutdown|use]
  no dhcp client include client-identifier
  no [crypto map|description|dhcp-relay-incoming|shutdown]
  no ip [address|dhcp|helper-address|nat|ospf]
  no ip [helper-address <IP>|nat]
  no ip address {<IP/M> {secondary}|<NETWORK-ALIAS-NAME> {secondary}|dhcp|zeroconf {secondary}}
  no ip dhcp client request options all
  no ip ospf [authentication|authentication-key|bandwidth|cost|message-digest-key|priority]
  no ipv6 [accept|address|dhcp|enable|enforce-dad|mtu|redirects|request-dhcpv6-options|router-advertisements]
  no ipv6 [accept ra|enable|enforce-dad|mtu|redirects|request-dhcpv6-options]
  no ipv6 address [<IPv6/M>|autoconfig|eui-64|link-local|prefix-from-provider]
  no ipv6 dhcp [client|relay]
  no ipv6 router-advertisements [prefix <WORD>|prefix-from-provider <WORD>]
  no use [bonjour-gw-discovery-policy|ip-access-list in|ipv6-access-list in|ipv6-router-advertisement-policy|url-filter]

Parameters
  no <PARAMETERS>
    no <PARAMETERS>
        Removes or reverts this VLAN interface's settings based on the parameters passed. Note that no crypto map detaches the IPsec crypto map from the interface, so traffic on it is no longer protected by that map, and no use ip-access-list in (or ipv6-access-list in) removes the inbound ACL; confirm the resulting configuration with show context.

Example
The following example shows the VLAN interface settings before the no commands are executed:
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   description "This VLAN interface is configured for the Sales Team"
   ip address 10.0.0.1/8
   ip dhcp client request options all
   ip helper-address 172.16.10.3
   ip nat inside
   crypto map map1
   dhcp-relay-incoming
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#

  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no crypto map
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no description
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no dhcp-relay-incoming
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#no ip dhcp client request options all

The following example shows the VLAN interface settings after the no commands are executed:
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   ip address 10.0.0.1/8
   ip helper-address 172.16.10.3
   ip nat inside
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
7.1.36.3.8 shutdown
interface-config-vlan-instance

Shuts down the selected interface. Use the no shutdown command to enable an interface.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  shutdown

Parameters
  None

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#shutdown
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   ip address 10.0.0.1/8
   ip helper-address 172.16.10.3
   shutdown
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
Related Commands
  no shutdown    Enables the interface

7.1.36.3.9 use
interface-config-vlan-instance

Associates an IP (IPv4 or IPv6) access list, a Bonjour GW discovery policy, an IPv6 router advertisement policy or a URL filter with this VLAN interface

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>]

Parameters
  use [bonjour-gw-discovery-policy <POLICY-NAME>|ip-access-list in <IP-ACL-NAME>|ipv6-access-list in <IPv6-ACL-NAME>|ipv6-router-advertisement-policy <POLICY-NAME>|url-filter <URL-FILTER-NAME>]
    bonjour-gw-discovery-policy <POLICY-NAME>
        Uses an existing Bonjour GW Discovery policy with this VLAN interface. When associated, the Bonjour GW Discovery policy is applied to the Bonjour requests arriving over the VLAN interface. For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.
        <POLICY-NAME>   Specify the Bonjour GW Discovery policy name (the policy must already exist and be configured).
    ip-access-list in <IP-ACCESS-LIST-NAME>
        Uses a specified IPv4 access list with this interface
        in   Applies the IPv4 ACL to incoming packets. Only the inbound direction is available on a VLAN interface; traffic leaving the interface is not filtered by this ACL.
        <IP-ACCESS-LIST-NAME>   Specify the IPv4 access list name.
    ipv6-access-list in <IPv6-ACCESS-LIST-NAME>
        Uses a specified IPv6 access list with this interface
        in   Applies the IPv6 ACL to incoming packets
        <IPv6-ACCESS-LIST-NAME>   Specify the IPv6 access list name.
    ipv6-router-advertisement-policy <POLICY-NAME>
        Uses an existing IPv6 router advertisement policy with this VLAN interface.
        <POLICY-NAME>   Specify the IPv6 router advertisement policy name (the policy must already exist and be configured).
    url-filter <URL-FILTER-NAME>
        Enforces URL filtering on this VLAN interface by associating a URL filter
        <URL-FILTER-NAME>   Specify the URL filter name (the filter must already exist and be configured).

Example
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#use ip-access-list in test
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#show context
  interface vlan8
   ip address 10.0.0.1/8
   use ip-access-list in test
   ip helper-address 172.16.10.3
  rfs6000-37FABE(config-profile-default-rfs6000-if-vlan8)#
Related Commands
  no    Removes the access list, policy or URL filter association from this VLAN interface

7.1.36.4 interface-config-port-channel-instance
interface

Profiles can utilize customized port channel configurations as part of their interface settings. Existing port channel profile configurations can be overridden as they become obsolete for specific device deployments.

The following example uses the config-profile-testNX9000 instance to configure a port-channel interface:

  nx9500-6C8809(config-profile-testNX9000)#interface port-channel 1
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
  Port Channel Mode commands:
    description      Port description
    duplex           Set duplex to interface
    ip               Internet Protocol (IP)
    ipv6             Internet Protocol version 6 (IPv6)
    no               Negate a command or set its defaults
    port-channel     Portchannel commands
    qos              Quality of service
    remove-override  Remove configuration item override from the device (so profile value takes effect)
    shutdown         Shutdown the selected interface
    spanning-tree    Spanning tree commands
    speed            Configure speed
    switchport       Set switching mode characteristics
    use              Set setting to use

    clrscr           Clears the display screen
    commit           Commit all changes made in this session
    do               Run commands from Exec mode
    end              End current mode and change to EXEC mode
    exit             End current mode and down to previous mode
    help             Description of the interactive help system
    revert           Revert changes
    service          Service Commands
    show             Show running system information
    write            Write running configuration to memory or terminal
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

  Commands        Description                                                                                 Reference
  description     Configures a brief description for this port-channel interface                              page 7-236
  duplex          Configures the duplex mode (the data transmission mode) for this port-channel interface     page 7-237
  ip              Configures ARP and DHCP related security parameters on this port-channel interface          page 7-106
  ipv6            Configures IPv6 related parameters on this port-channel interface                           page 7-239
  no              Removes or reverts to default this port-channel interface's settings                        page 7-242
  shutdown        Shuts down this port-channel interface                                                      page 7-244
  spanning-tree   Configures spanning-tree related parameters on this port channel interface                  page 7-245
  speed           Configures the speed at which this port-channel interface receives and transmits data       page 7-248
  switchport      Configures the packet switching parameters for this port-channel interface                  page 7-249
  use             Configures access controls on this port-channel interface                                   page 7-251

7.1.36.4.1 description
interface-config-port-channel-instance

Configures a brief description for this port channel interface

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  description <LINE>

Parameters
  description <LINE>
    description <LINE>
        Configures a description for this port-channel interface that uniquely identifies it from other port channel interfaces
        <LINE>   Provide a description not exceeding 64 characters in length.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#description "This port-channel is for enabling dynamic LACP."
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
  no    Removes this port-channel interface's description

7.1.36.4.2 duplex
interface-config-port-channel-instance

Configures the duplex mode (the data transmission mode) for this port channel interface

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  duplex [auto|half|full]

Parameters
  duplex [auto|half|full]
    duplex [auto|half|full]
        Configures the mode of data transmission as auto, full, or half
        auto   Lets the controller or service platform negotiate the duplex mode with the link partner as port channel performance needs dictate. This is the default setting.
        full   Transmits and receives data on the port channel simultaneously.
        half   Transmits data in one direction at a time: the port channel either sends or receives, never both at once.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#duplex full
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   duplex full
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
  no    Reverts the duplex mode to the default value (auto)

7.1.36.4.3 ip
interface-config-port-channel-instance

Configures ARP and DHCP related security parameters on this port-channel interface

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ip [arp|dhcp]
  ip arp [header-mismatch-validation|trust]
  ip dhcp trust

Parameters
  ip arp [header-mismatch-validation|trust]
    ip arp [header-mismatch-validation|trust]
        Configures ARP related parameters on this port-channel interface
        header-mismatch-validation   Enables a check that the source MAC address in the Ethernet header matches the sender hardware address in the ARP header, and drops ARP packets where the two differ. This option is enabled by default.
        trust   Enables ARP trust on this port channel. If enabled, ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices. This option is disabled by default.
  ip dhcp trust
    ip dhcp trust
        Enables DHCP trust. If enabled, DHCP responses (server-to-client messages) are trusted and forwarded only when they arrive on a DHCP trusted port, so a DHCP server can be connected only to a trusted port. This option is enabled by default. Negate it (no ip dhcp trust) on port channels behind which no DHCP server is expected, so that a rogue server on that side cannot answer clients.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ip arp trust
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   duplex full
   ip arp trust
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
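The two checks described above (ARP header-mismatch validation and DHCP trust) are simple enough to state exactly. The following Python script is an added example, not the guide's or the WiNG software's code: it applies the same two rules to constructed frames. An ARP frame fails header-mismatch validation when the Ethernet source address and the ARP sender hardware address differ, and a BOOTREPLY is forwarded only if it arrived on a port marked DHCP-trusted, which is what keeps a rogue DHCP server on an untrusted port from answering clients. Frame layouts follow RFC 826 (ARP) and RFC 2131 (BOOTP/DHCP header); the MAC and IP addresses are made-up sample values.

```python
"""ARP header-mismatch validation and DHCP trust as per-port filters.

Added example, not part of the WiNG guide. Implements the two checks described
for `ip arp header-mismatch-validation` and `ip dhcp trust` over constructed
Ethernet/ARP frames and BOOTP/DHCP payloads.
"""
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BOOTREQUEST, BOOTREPLY = 1, 2


def build_arp_frame(eth_src: bytes, sha: bytes, spa: bytes, tpa: bytes,
                    op: int = ARP_REPLY, eth_dst: bytes = b"\xff" * 6) -> bytes:
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP packet (RFC 826)."""
    eth = eth_dst + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, op, sha, spa, tha, tpa
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + spa + b"\x00" * 6 + tpa
    return eth + arp


def arp_header_mismatch(frame: bytes) -> bool:
    """True when the Ethernet source MAC and the ARP sender hardware address differ.

    A genuine host fills both fields with its own MAC; a mismatch is what the
    header-mismatch-validation check drops.
    """
    if len(frame) < 14 + 28:
        raise ValueError("frame too short for Ethernet + ARP")
    eth_src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    _htype, _ptype, hlen, _plen, _op = struct.unpack("!HHBBH", frame[14:22])
    sender_hw = frame[22:22 + hlen]
    return sender_hw != eth_src


def build_bootp(op: int, xid: int = 0x1234ABCD) -> bytes:
    """Minimal 236-byte BOOTP/DHCP header (RFC 2131 section 2), no options."""
    # op, htype, hlen, hops, xid, secs, flags, then ciaddr..file zeroed (224 bytes)
    return struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0) + b"\x00" * 224


def dhcp_forward_allowed(payload: bytes, port_trusted: bool) -> bool:
    """`ip dhcp trust` semantics for one DHCP payload received on a port.

    Client messages (BOOTREQUEST) are forwarded from any port; server messages
    (BOOTREPLY) only when the ingress port is trusted, so a DHCP server must sit
    behind a trusted port to be heard at all. Anything else is dropped.
    """
    if len(payload) < 236:
        raise ValueError("payload too short for a BOOTP header")
    op = payload[0]
    if op == BOOTREPLY:
        return port_trusted
    return op == BOOTREQUEST


if __name__ == "__main__":
    gateway_mac = bytes.fromhex("00157037fb5e")     # sample values
    attacker_mac = bytes.fromhex("deadbeef0001")
    ip_gw, ip_victim = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 23])
    honest = build_arp_frame(gateway_mac, gateway_mac, ip_gw, ip_victim)
    spoofed = build_arp_frame(attacker_mac, gateway_mac, ip_gw, ip_victim)
    print("honest reply mismatch:", arp_header_mismatch(honest))    # False
    print("spoofed reply mismatch:", arp_header_mismatch(spoofed))  # True
    print("DHCP offer on untrusted port forwarded:",
          dhcp_forward_allowed(build_bootp(BOOTREPLY), port_trusted=False))  # False
```

A poisoner that puts its own MAC in both the Ethernet and ARP sender fields while claiming the gateway's IP passes the header-mismatch check; that case is what the separate ARP trust setting and rogue-device identification are for, and the two checks are meant to be used together.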
Related Commands
  no    Removes or reverts to default the ARP and DHCP security parameters configured

7.1.36.4.4 ipv6
interface-config-port-channel-instance

Configures IPv6 related parameters on this port-channel interface

Supported in the following platforms:
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ipv6 [dhcpv6|nd]
  ipv6 dhcpv6 trust
  ipv6 nd [header-mismatch-validation|raguard|trust]

Parameters
  ipv6 dhcpv6 trust
    ipv6 dhcpv6 trust
        Enables DHCPv6 trust. If enabled, DHCPv6 responses are trusted and forwarded only when they arrive on a trusted port channel, so a DHCPv6 server can be connected only to a trusted port. This option is enabled by default.
  ipv6 nd [header-mismatch-validation|raguard|trust]
    ipv6 nd [header-mismatch-validation|raguard|trust]
        Configures IPv6 neighbor discovery (ND) parameters
        header-mismatch-validation   Enables a check that the source MAC in the Ethernet header matches the link-layer address option carried in the ND message, and drops ND packets where the two differ. This option is disabled by default.
        raguard   Allows router advertisements and ICMPv6 redirects received on this port channel to be accepted. Router advertisements are periodically sent to hosts or sent in response to solicitation requests, and carry IPv6 prefixes and other subnet and host information. This option is enabled by default. Negate it (no ipv6 nd raguard) on port channels that do not lead to a legitimate router, so that a rogue RA from that side cannot install itself as default router or inject prefixes.
        trust   Marks ND packets received on this port channel as trusted, the IPv6 counterpart of ip arp trust.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd header-mismatch-validation
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#ipv6 nd trust
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   duplex full
   ipv6 nd trust
   ipv6 nd header-mismatch-validation
   ip arp trust
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
  no    Removes or reverts to default the IPv6 related parameters on this port-channel interface

7.1.36.4.5 port-channel
interface-config-port-channel-instance

Configures load balancing parameters on this port-channel interface

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  port-channel load-balance [src-dst-ip|src-dst-mac]

Parameters

  port-channel load-balance [src-dst-ip|src-dst-mac]
    Specifies whether port channel load balancing is conducted using a source/destination IP or a source/destination MAC.
    src-dst-ip   Uses a source/destination IP to conduct client load balancing. This is the default setting.
    src-dst-mac  Uses a source/destination MAC to conduct client load balancing.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#port-channel load-balance src-dst-mac
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   duplex full
   ipv6 nd trust
   ipv6 nd header-mismatch-validation
   ip arp trust
   port-channel load-balance src-dst-mac
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
  no  Removes or reverts to default the client load balancing parameters on this port-channel interface

7.1.36.4.6 qos
interface-config-port-channel-instance

Configures Quality of Service (QoS) related parameters on this port-channel interface

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  qos trust [802.1p|dscp]

Parameters

  qos trust [802.1p|dscp]
    Configures the following QoS related parameters:
    802.1p  Trusts 802.1p class of service (COS) values ingressing on this port channel. This option is enabled by default.
    dscp    Trusts IP DSCP QoS values ingressing on this port channel. This option is enabled by default.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#qos trust dscp
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context

Related Commands
  no  Removes the QoS related parameters configured on this port-channel interface

7.1.36.4.7 no
interface-config-port-channel-instance

Removes or reverts to default this port-channel interface's settings

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no beacon [description|duplex|ip|ipv6|port-channel|qos|shutdown|spanning-tree|speed|switchport|use]

Parameters

  no <PARAMETERS>
    Removes or reverts to default this port-channel interface's settings based on the parameters passed.
    <PARAMETERS>  Specify the parameters.

Example
The following example shows the port-channel interface's settings before the no commands are executed:
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
   description "This port-channel is for enabling dynamic LACP."
   speed 100
   duplex full
   switchport mode trunk
   switchport trunk native vlan 1
   no switchport trunk native tagged
   switchport trunk allowed vlan 1
   use ip-access-list in BROADCAST-MULTICAST-CONTROL
   ipv6 nd trust
   ipv6 nd header-mismatch-validation
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree bpdufilter enable
   spanning-tree mst 1 port-priority 1
   spanning-tree mst 1 cost 20000
   ip arp trust
   port-channel load-balance src-dst-mac
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no duplex
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no ip arp trust
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no ipv6 nd trust
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#no port-channel load-balance

The following example shows the port-channel interface's settings after the no commands are executed:
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   speed 100
   switchport mode trunk
   switchport trunk native vlan 1
   no switchport trunk native tagged
   switchport trunk allowed vlan 1
   use ip-access-list in BROADCAST-MULTICAST-CONTROL
   ipv6 nd header-mismatch-validation
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree bpdufilter enable
   spanning-tree mst 1 port-priority 1
   spanning-tree mst 1 cost 20000
   no qos trust dscp
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
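A port-channel block can be reviewed the same way a reader reviews the before/after output above. The following Python script is an added example, not part of the CLI reference or of WiNG: it parses a `show context` port-channel block, honours the `no ...` lines and the `add`/`remove`/`none` forms of `switchport trunk allowed vlan` documented in this chapter, and reports the trust, BPDU, inbound ACL and trunk settings. The sample text is the "after" output above; the findings are derived from the reference's own descriptions of each setting, and the check names are my own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the 'show context' output printed after the 'no' commands above.
SAMPLE_CONTEXT = """\
interface port-channel1
 description "This port-channel is for enabling dynamic LACP."
 speed 100
 switchport mode trunk
 switchport trunk native vlan 1
 no switchport trunk native tagged
 switchport trunk allowed vlan 1
 use ip-access-list in BROADCAST-MULTICAST-CONTROL
 ipv6 nd header-mismatch-validation
 spanning-tree portfast
 spanning-tree bpduguard enable
 spanning-tree bpdufilter enable
 spanning-tree mst 1 port-priority 1
 spanning-tree mst 1 cost 20000
 no qos trust dscp
"""

VLAN_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_spec(spec: str) -> set[int]:
    """Expand a <VLAN-ID> argument ('55-60', '35, 41', ...) into a set of IDs."""
    vlans: set[int] = set()
    for item in spec.replace(" ", "").split(","):
        m = VLAN_ITEM.match(item)
        if not m:
            raise ValueError(f"bad VLAN item {item!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"VLAN range {item!r} outside 1-4094")
        vlans.update(range(lo, hi + 1))
    return vlans


@dataclass
class PortChannel:
    name: str = ""
    settings: set[str] = field(default_factory=set)    # lines present as-is
    negated: set[str] = field(default_factory=set)     # lines present as 'no ...'
    inbound_acls: dict[str, str] = field(default_factory=dict)  # family -> ACL name
    allowed_vlans: "set[int] | None" = None            # None: no allowed-vlan line seen


def parse_context(text: str) -> PortChannel:
    """Parse one port-channel block, applying add/remove/none forms in order."""
    pc = PortChannel()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("description "):
            continue
        if line.startswith("interface "):
            pc.name = line.split(None, 1)[1]
        elif line.startswith("no "):
            pc.negated.add(line[3:])
        elif m := re.match(r"use (ip|ipv6|mac)-access-list in (\S+)$", line):
            pc.inbound_acls[m.group(1)] = m.group(2)
        elif m := re.match(r"switchport trunk allowed vlan (add |remove )?(.+)$", line):
            op, spec = (m.group(1) or "").strip(), m.group(2).strip()
            current = pc.allowed_vlans or set()
            if spec == "none":
                pc.allowed_vlans = set()
            elif op == "add":
                pc.allowed_vlans = current | parse_vlan_spec(spec)
            elif op == "remove":
                pc.allowed_vlans = current - parse_vlan_spec(spec)
            else:
                pc.allowed_vlans = parse_vlan_spec(spec)
        else:
            pc.settings.add(line)
    return pc


def audit(pc: PortChannel) -> list[str]:
    """Findings based on the behaviour the reference states for each setting."""
    s, findings = pc.settings, []
    if "spanning-tree portfast" in s and "spanning-tree bpduguard enable" not in s:
        findings.append("portfast set without 'spanning-tree bpduguard enable'")
    if "spanning-tree bpdufilter enable" in s:
        findings.append("bpdufilter enable: the port channel sends and receives no BPDUs")
    if not pc.inbound_acls:
        findings.append("no inbound access list bound with 'use ... in'")
    if "switchport mode trunk" in s and pc.allowed_vlans is None:
        findings.append("trunk mode without a 'switchport trunk allowed vlan' list")
    for trust in ("ip arp trust", "ipv6 nd trust", "ipv6 dhcpv6 trust"):
        if trust in s:
            findings.append(f"'{trust}' set: confirm what this port channel connects to")
    if "ipv6 nd header-mismatch-validation" not in s:
        findings.append("ND header/link-layer source MAC mismatch check not enabled")
    for neg in sorted(pc.negated):
        if neg.startswith("qos trust "):
            findings.append(f"'{neg}': ingress {neg.split()[-1]} markings are not trusted")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_context(SAMPLE_CONTEXT)):
        print("-", finding)
```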
7.1.36.4.8 shutdown
interface-config-port-channel-instance

Shuts down this port-channel interface

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  shutdown

Parameters
  None

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#shutdown

Related Commands
  no  Re-enables this port-channel interface

7.1.36.4.9 spanning-tree
interface-config-port-channel-instance

Configures spanning-tree related parameters on this port-channel interface

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  spanning-tree [bpdufilter|bpduguard|force-version|guard|link-type|mst|port-cisco-interoperability|portfast]
  spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
  spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]]
  spanning-tree link-type [point-to-point|shared]
  spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]

Parameters

  spanning-tree [bpdufilter|bpduguard] [default|disable|enable]
    Configures the following BPDU related parameters for this port channel:
    bpdufilter  Configures the BPDU filtering options. The options are:
      default  When selected, the bridge BPDU filter value takes effect. This is the default setting.
      disable  Disables BPDU filtering.
      enable   Enables BPDU filtering. Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs.
    bpduguard   Configures the BPDU guard options. The options are:
      default  When selected, the bridge BPDU guard value takes effect. This is the default setting.
      disable  Disables guarding this port from receiving BPDUs.
      enable   Enables BPDU guarding. Enabling the BPDU guard feature means this port will shut down on receiving a BPDU. Thus, no BPDUs are processed.
    Execute the portfast command to ensure that fast transitions are enabled on this port channel before configuring BPDU filtering and guarding.

  spanning-tree [force-version <0-3>|guard root|portfast|port-cisco-interoperability [disable|enable]]
    Configures the following MSTP related parameters for this port channel:
    force-version <0-3>  Sets the protocol version to either STP (0), Not Supported (1), RSTP (2) or MSTP (3). MSTP is the default setting.
    guard root           Enforces root bridge placement. Setting the guard to root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state. No data is forwarded across the port. Thus, the guard root enforces the root bridge position.
    portfast             Enables fast transitions on this port channel. When enabled, BPDU filtering and guarding can be enforced on this port. Enable the portfast option and then use the bpdufilter and bpduguard options to configure BPDU filtering and guarding parameters. This option is disabled by default.
    port-cisco-interoperability [disable|enable]  Enables or disables interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This option is disabled by default.

  spanning-tree link-type [point-to-point|shared]
    Configures the link type applicable on this port channel. The options are:
    point-to-point  Configures a point-to-point link, which indicates the port should be treated as connected to a point-to-point link. Note, a port connected to the wireless device is a point-to-point link. This is the default setting.
    shared          Configures a shared link, which indicates this port should be treated as having a shared connection. Note, a port connected to a hub is on a shared link.

  spanning-tree mst <0-15> [cost <1-200000000>|port-priority <0-240>]
    Configures the following Multiple Spanning Tree (MST) parameters on this port:
    mst <0-15>             Select the MST instance from 0 - 15.
    cost <1-200000000>     Configures the port cost from 1 - 200000000. The default path cost depends on the user defined port speed. The cost helps determine the role of the port channel in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
    port-priority <0-240>  Configures the port priority from 0 - 240. The lower the priority, the greater the likelihood of the port becoming a designated port.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree portfast
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpdufilter enable
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree bpduguard enable
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree force-version 3
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 cost 20000
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#spanning-tree mst 1 port-priority 1
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   duplex full
   ipv6 nd trust
   ipv6 nd header-mismatch-validation
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree bpdufilter enable
   spanning-tree mst 1 port-priority 1
   spanning-tree mst 1 cost 20000
   ip arp trust
   port-channel load-balance src-dst-mac
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
  no  Removes or reverts to default the spanning-tree related parameters configured on this port channel interface

7.1.36.4.10 speed
interface-config-port-channel-instance

Configures the speed at which this port-channel interface receives and transmits data

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  speed [10|100|1000|auto]

Parameters

  speed [10|100|1000|auto]
    Configures the data receive/transmit speed for this port channel. The options are:
    10    10 Mbps
    100   100 Mbps
    1000  1000 Mbps
    auto  Enables the system to auto select the speed. This is the default setting.
    Select one of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port. The auto option enables the port channel to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#speed 100
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   speed 100
   duplex full
   ipv6 nd trust
   ipv6 nd header-mismatch-validation
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree bpdufilter enable
   spanning-tree mst 1 port-priority 1
   spanning-tree mst 1 cost 20000
   ip arp trust
   port-channel load-balance src-dst-mac
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
  no  Removes or reverts to default the speed at which this port-channel interface receives and transmits data

7.1.36.4.11 switchport
interface-config-port-channel-instance

Configures the VLAN switching parameters for this port-channel interface

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  switchport [access|mode|trunk]
  switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
  switchport mode [access|trunk]
  switchport trunk [allowed|native]
  switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
  switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]

Parameters

  switchport access vlan [<1-4094>|<VLAN-ALIAS-NAME>]
    Configures the VLAN to which this port-channel interface is mapped when the switching mode is set to access.
    <1-4094>           Specify the SVI VLAN ID from 1 - 4094.
    <VLAN-ALIAS-NAME>  Specify the VLAN alias name (should be existing and configured).

  switchport mode [access|trunk]
    Configures the VLAN switching mode over the port channel.
    access  If selected, the port channel accepts packets only from the native VLANs. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. This is the default setting.
    trunk   If selected, the port channel allows packets from a list of VLANs you add to the trunk. A port channel configured as trunk supports multiple 802.1Q tagged VLANs and one native VLAN, which can be tagged or untagged.

  switchport trunk allowed vlan [<VLAN-ID>|add <VLAN-ID>|none|remove <VLAN-ID>]
    If configuring the VLAN switching mode as trunk, use this option to configure the VLANs allowed on this port channel. Add VLANs that exclusively send packets over the port channel. Use this keyword to add/remove the allowed VLANs.
    <VLAN-ID>         Allows a group of VLAN IDs. Specify the VLAN IDs, which can be either a range (55-60) or a comma-separated list (35, 41, etc.).
    none              Allows no VLANs to transmit or receive through the layer 2 interface.
    add <VLAN-ID>     Adds VLANs to the current list.
                      <VLAN-ID>  Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma separated IDs (35, 41, etc.).
    remove <VLAN-ID>  Removes VLANs from the current list.
                      <VLAN-ID>  Specify the VLAN IDs. Can be either a range of VLANs (55-60) or a list of comma separated IDs (35, 41, etc.).
    Allowed VLANs are configured only when the switching mode is set to trunk.

  switchport trunk native [tagged|vlan [<1-4094>|<VLAN-ALIAS-NAME>]]
    If configuring the VLAN switching mode as trunk, use this option to configure the native VLAN ID for the trunk-mode port channel. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
    tagged  Tags the native VLAN. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header, enabling upstream Ethernet devices to know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame.
    vlan [<1-4094>|<VLAN-ALIAS-NAME>]  Sets the native VLAN for classifying untagged traffic when the interface is in trunking mode.
      <1-4094>           Specify a value from 1 - 4094.
      <VLAN-ALIAS-NAME>  Specify the VLAN alias name used to identify the VLANs. The VLAN alias should be existing and configured.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#switchport mode trunk
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   speed 100
   duplex full
   switchport mode trunk
   switchport trunk native vlan 1
   no switchport trunk native tagged
   switchport trunk allowed vlan 1
   ipv6 nd trust
   ipv6 nd header-mismatch-validation
   spanning-tree portfast
   spanning-tree bpduguard enable
   spanning-tree bpdufilter enable
   spanning-tree mst 1 port-priority 1
   spanning-tree mst 1 cost 20000
   ip arp trust
   port-channel load-balance src-dst-mac
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#

Related Commands
  no  Removes the packet switching parameters configured on this port-channel interface

7.1.36.4.12 use
interface-config-port-channel-instance

Configures access controls on this port-channel interface

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>

Parameters

  use [ip-access-list|ipv6-access-list|mac-access-list] in <IP/IPv6/MAC-ACCESS-LIST-NAME>
    Associates an access list controlling the inbound traffic on this port channel.
    ip-access-list    Specify the IPv4 specific firewall rules to apply to this profile's port channel configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
    ipv6-access-list  Specify the IPv6 specific firewall rules to apply to this profile's port channel configuration. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
    mac-access-list   Specify the MAC specific firewall rules to apply to this profile's port channel configuration.
    <IP/IPv6/MAC-ACCESS-LIST-NAME>  Provide the IPv4, IPv6, or MAC access list name based on the option selected. The access list specified should be existing and configured.

Example
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#use ip-access-list in BROADCAST-MULTICAST-CONTROL
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#show context
  interface port-channel1
   description "This port-channel is for enabling dynamic LACP."
   speed 100
   duplex full
   switchport mode trunk
   switchport trunk native vlan 1
   no switchport trunk native tagged
   switchport trunk allowed vlan 1
   use ip-access-list in BROADCAST-MULTICAST-CONTROL
   ipv6 nd trust
   ipv6 nd header-mismatch-validation
   spanning-tree portfast
  --More--
  nx9500-6C8809(config-profile-testNX9000-if-port-channel1)#
Related Commands
  no  Removes the access controls configured on this port-channel interface

7.1.36.5 interface-config-radio-instance
interface

This section documents radio interface configuration parameters applicable only to the access point profiles. The access point radio interface can be radio1, radio2, or radio3. The AP7161 models contain either a single or a dual radio configuration. Newer AP7161N model access points support single, dual, or triple radio configurations.

To enter the AP/RFS4000 profile > radio interface context, use the following commands:
  <DEVICE>(config)#profile <AP-TYPE> <PROFILE-NAME>
  rfs6000-37FABE(config)#profile ap71xx 71xxTestProfile
  rfs6000-37FABE(config-profile-71xxTestProfile)#
  rfs6000-37FABE(config-profile-71xxTestProfile)#interface radio 1
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#?
  Radio Mode commands:
    adaptivity                  Adaptivity
    aeroscout                   Aeroscout Multicast MAC/Enable
    aggregation                 Configure 802.11n aggregation related parameters
    airtime-fairness            Enable fair access to medium for clients based on their usage of airtime
    antenna-diversity           Transmit antenna diversity for non-11n transmit rates
    antenna-downtilt            Enable ADEPT antenna mode
    antenna-elevation           Specifies the antenna elevation gain
    antenna-gain                Specifies the antenna gain of this radio
    antenna-mode                Configure the antenna mode (number of transmit and receive antennas) on the radio
    assoc-response              Configure transmission parameters for Association Response frames
    association-list            Configure the association list for the radio
    beacon                      Configure beacon parameters
    bridge                      Bridge rf-mode related configuration
    channel                     Configure the channel of operation for this radio
    data-rates                  Specify the 802.11 rates to be supported on this radio
    description                 Configure a description for this radio
    dfs-rehome                  Revert to configured home channel once dfs evacuation period expires
    dynamic-chain-selection     Automatic antenna-mode selection (single antenna for non-11n transmit rates)
    ekahau                      Ekahau Multicast MAC/Enable
    extended-range              Configure extended range
    fallback-channel            Configure the channel to be used for falling back in the event of radar being detected on the current operating channel
    guard-interval              Configure the 802.11n guard interval
    ldpc                        Configure support for Low Density Parity Check Code
    lock-rf-mode                Retain user configured rf-mode setting for this radio
    max-clients                 Maximum number of wireless clients allowed to associate subject to AP limit
    mesh                        Configure radio mesh parameters
    meshpoint                   Enable meshpoints on this radio
    mu-mimo                     Enable multi user MIMO on this radio (selected platforms only)
    no                          Negate a command or set its defaults
    non-unicast                 Configure handling of non-unicast frames
    off-channel-scan            Enable off-channel scanning on the radio
    placement                   Configure the location where this radio is operating
    power                       Configure the transmit power of the radio
    preamble-short              Use short preambles on this radio
    probe-response              Configure transmission parameters for Probe Response frames
    radio-resource-measurement  Configure support for 802.11k Radio Resource Measurement
    radio-share-mode            Configure the radio-share mode of operation for this radio
    rate-selection              Default or Opportunistic rate selection
    remove-override             Negate a command or set its defaults
    rf-mode                     Configure the rf-mode of operation for this radio
    rifs                        Configure Reduced Interframe Spacing (RIFS) parameters
    rts-threshold               Configure the RTS threshold
    shutdown                    Shutdown the selected radio interface
    smart-rf                    Configure radio specific smart-rf settings
    sniffer-redirect            Capture packets and redirect to an IP address running a packet capture/analysis tool
    stbc                        Configure Space-Time Block Coding (STBC) parameters
    transmit-beamforming        Enable Transmit Beamforming
    use                         Set setting to use
    wips                        Wireless intrusion prevention related configuration
    wireless-client             Configure wireless client related parameters
    wlan                        Enable wlans on this radio

    clrscr                      Clears the display screen
    commit                      Commit all changes made in this session
    do                          Run commands from Exec mode
    end                         End current mode and change to EXEC mode
    exit                        End current mode and down to previous mode
    help                        Description of the interactive help system
    revert                      Revert changes
    service                     Service Commands
    show                        Show running system information
    write                       Write running configuration to memory or terminal
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
The following table summarizes the radio interface configuration commands:
  adaptivity (page 7-256)
    Configures an adaptivity timeout value, in minutes, for avoidance of channels detected with radar or high levels of interference
  aeroscout (page 7-257)
    Enables Aeroscout multicast packet forwarding
  aggregation (page 7-258)
    Configures 802.11n aggregation parameters
  airtime-fairness (page 7-261)
    Enables fair access for clients based on airtime usage
  antenna-diversity (page 7-262)
    Transmits antenna diversity for non-11n transmit rates
  antenna-downtilt (page 7-263)
    Enables Advanced Element Panel Technology (ADEPT) antenna mode
  antenna-elevation (page 7-264)
    Configures the antenna's elevation gain. This command is applicable only to the AP7562 model access point
  antenna-gain (page 7-266)
    Specifies the antenna gain for the selected radio
  antenna-mode (page 7-267)
    Configures the radio antenna mode
  assoc-response (page 7-268)
    Enables an access point to ignore or respond to an association/authorization request based on the configured Received Signal Strength Index (RSSI) threshold and deny-threshold values
  association-list (page 7-269)
    Associates an existing global association list with this radio interface
  beacon (page 7-270)
    Configures beacon parameters
  bridge (page 7-272)
    Configures client-bridge related parameters, if the selected radio's RF mode is set to bridge
  channel (page 7-278)
    Configures a radio's channel of operation
  data-rates (page 7-280)
    Specifies the 802.11 rates supported on a radio
  description (page 7-284)
    Configures the selected radio's description
  dfs-rehome (page 7-285)
    Reverts to the configured home channel once the Dynamic Frequency Selection (DFS) evacuation period expires
  dynamic-chain-selection (page 7-286)
    Enables automatic antenna mode selection
  ekahau (page 7-287)
    Enables Ekahau multicast packet forwarding
  extended-range (page 7-288)
    Configures extended range
  fallback-channel (page 7-289)
    Configures the channel to which the radio switches in case of radar detection on the current channel
  guard-interval (page 7-290)
    Configures the 802.11n guard interval
  ldpc (page 7-291)
    Enables support for Low Density Parity Check (LDPC) on the radio interface
  lock-rf-mode (page 7-292)
    Retains user configured RF mode settings for the selected radio
  max-clients (page 7-293)
    Configures the maximum number of wireless clients allowed to associate with this radio
  mesh (page 7-294)
    Configures radio mesh parameters
  meshpoint (page 7-296)
    Maps an existing meshpoint to this radio interface
  mu-mimo (page 7-297)
    Enables multi-user multiple input multiple output (MU-MIMO) support on a radio
  no (page 7-298)
    Negates or resets radio interface settings configured on a profile or a device
  non-unicast (page 7-301)
    Configures the handling of non unicast frames on this radio
  off-channel-scan (page 7-303)
    Enables the selected radio's off channel scanning parameters
  placement (page 7-305)
    Defines the selected radio's deployment location
  power (page 7-306)
    Configures the transmit power on this radio
  preamble-short (page 7-307)
    Enables the use of short preamble on this radio
  probe-response (page 7-308)
    Configures transmission parameters for probe response frames
  radio-resource-measurement (page 7-309)
    Enables 802.11k radio resource measurement
  radio-share-mode (page 7-310)
    Configures the mode of operation, for this radio, as radio-share
  rate-selection (page 7-311)
    Sets the rate selection method to standard or opportunistic
  rf-mode (page 7-312)
    Configures the radio's RF mode
  rifs (page 7-314)
    Configures Reduced Interframe Spacing (RIFS) parameters on this radio
  rts-threshold (page 7-315)
    Configures the Request to Send (RTS) threshold value on this radio
  service (page 7-316)
    Enables the dynamic control function. This dynamic function controls the performance of the radio receiver's low noise amplifiers (LNAs).
  shutdown (page 7-317)
    Terminates or shuts down the selected radio interface
  smart-rf (page 7-318)
    Overrides the Smart RF channel width setting on the selected radio interface
  sniffer-redirect (page 7-319)
    Captures and redirects packets to an IP address running a packet capture/analysis tool
  stbc (page 7-321)
    Configures the radio's Space Time Block Coding (STBC) mode
  transmit-beamforming (page 7-322)
    Enables transmit beamforming on the selected radio interface
  use (page 7-323)
    Enables use of an association ACL policy and a radio QoS policy by the selected radio interface
  wips (page 7-324)
    Enables the access point to change its channel of operation in order to terminate rogue devices
  wireless-client (page 7-325)
    Configures wireless client parameters on the selected radio
  wlan (page 7-326)
    Enables a WLAN on the selected radio

7.1.36.5.1 adaptivity
interface-config-radio-instance

Configures an interval, in minutes, for avoiding channels detected with high levels of interference.

As per the European Telecommunications Standards Institute's (ETSI) EN 300 328 V1.8.1 / ETSI EN 301 893 V1.7.1 requirements, access points have to monitor interference levels on operating channels, and stop functioning on channels with interference levels exceeding ETSI-specified threshold values. This command configures the interval for which a channel is avoided on detection of interference, and is applicable only if the channel selection mode is set to ACS, Random, or Fixed.
NOTE: If the channel selection mode is set to Smart, in the Smart-RF policy mode, use the avoidance-time > [adaptivity|dfs] > <30-3600> command to specify the interval for which a channel is avoided on detection of high levels of interference or radar. For more information, see avoidance-time. When configured, this feature ensures recovery by switching the radio to a new operating channel. Once adaptivity is triggered, the evacuated channel becomes inaccessible and is available again only after the adaptivity timeout, specified here, expires. In case of fixed channel, the radio switches back to the original channel of operation after the adaptivity timeout expires. On the other hand, ACS-enabled radios continue operating on the new channel even after the adaptivity timeout period expires. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Syntax adaptivity [recovery|timeout <30-3600>]
Parameters adaptivity [recovery|timeout <30-3600>]
adaptivity recovery timeout
<30-3600>
Configures adaptivity parameters on the radio. These parameters are: recovery and timeout. Enables switching of channels when an access points radio is in the adaptivity mode. In the adaptivity mode, an access point monitors interference on its set channel and stops functioning when the radios defined interference tolerance level is exceeded. When the defined adaptivity timeout is exceeded, the radio resumes functionality on a different channel. This option is enabled by default. Configures an adaptivity timeout
<30-3600> Specify a value from 30 - 3600 minutes. The default is 90 minutes. Example nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#adaptivity timeout 200 nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#show context interface radio1 adaptivity timeout 200 nx4500-5CFA2B(config-profile-testAP7532-if-radio1)#
Related Commands
  no   Removes the configured adaptivity timeout value and disables adaptivity recovery

7.1.36.5.2 aeroscout
interface-config-radio-instance

Enables Aeroscout multicast packet forwarding. This feature is disabled by default.

Supported in the following platforms:
  Access Points: AP6532, AP7502, AP7522

Syntax
  aeroscout [forward ip <IP> port <0-65535>|mac <MAC>]

Parameters
  aeroscout [forward ip <IP> port <0-65535>|mac <MAC>]

  aeroscout
      Enables Aeroscout packet forwarding and configures the packet forwarding parameters.
  forward ip <IP> port <0-65535>
      Configures the following Aeroscout locationing engine details:
      ip          Configures the Aeroscout engine's IP address.
      <IP>        Specify the Aeroscout engine's IP address. When specified, the AP forwards Aeroscout beacons directly to the Aeroscout locationing engine without proxying through the controller or RF Domain manager.
      port        Configures the port on which the Aeroscout engine is reachable.
      <0-65535>   Specify the port number from 0 - 65535.
  mac <MAC>
      Configures the multicast MAC address to which the Aeroscout packets are forwarded.
      <MAC>       Specify the MAC address in the AA-BB-CC-DD-EE-FF format. The default value is 01-0C-CC-00-00-00.

Example
  nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#aeroscout forward ip 10.233.84.206 port 22
  nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#show context
  interface radio2
   aeroscout forward ip 10.233.84.206 port 22
  nx9500-6C8809(config-profile-ProfileTestAP7532-if-radio2)#
Related Commands
  no   Disables Aeroscout packet forwarding

7.1.36.5.3 aggregation
interface-config-radio-instance

Configures 802.11n frame aggregation parameters.

Frame aggregation increases throughput by sending two or more data frames in a single transmission. There are two types of frame aggregation: MAC Service Data Unit (MSDU) aggregation and MAC Protocol Data Unit (MPDU) aggregation. Both modes group several data frames into one large data frame.

Supported in the following platforms:
  Access Points: AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  aggregation [ampdu|amsdu]
  aggregation ampdu [rx-only|tx-only|tx-rx|none|max-aggr-size|min-spacing]
  aggregation ampdu [rx-only|tx-only|tx-rx|none]
  aggregation ampdu max-aggr-size [rx|tx]
  aggregation ampdu max-aggr-size rx [8191|16383|32767|65535]
  aggregation ampdu max-aggr-size tx <2000-65535>
  aggregation ampdu min-spacing [0|1|2|4|8|16|auto]
  aggregation amsdu [rx-only|tx-rx]

Parameters
  aggregation ampdu [rx-only|tx-only|tx-rx|none]

  aggregation
      Configures 802.11n frame aggregation parameters.
  ampdu
      Configures Aggregate MAC Protocol Data Unit (AMPDU) frame aggregation parameters. AMPDU aggregation collects Ethernet frames addressed to a single destination. It wraps each frame in an 802.11n MAC header. This aggregation mode is less efficient, but more reliable in environments with high error rates. It enables the acknowledgement and retransmission of each aggregated data frame individually.
  tx-only
      Supports the transmission of AMPDU aggregated frames only.
  rx-only
      Supports the receipt of AMPDU aggregated frames only.
  tx-rx
      Supports the transmission and receipt of AMPDU aggregated frames (default setting).
  none
      Disables support for AMPDU aggregation.

  aggregation ampdu max-aggr-size rx [8191|16383|32767|65535]

  aggregation ampdu
      See the aggregation and ampdu parameters above.
  max-aggr-size
      Configures AMPDU packet size limits. Configure the packet size limit on packets both transmitted and received.
  rx [8191|16383|32767|65535]
      Configures the maximum limit (in bytes) advertised for received frames.
      8191    Advertises a maximum of 8191 bytes
      16383   Advertises a maximum of 16383 bytes
      32767   Advertises a maximum of 32767 bytes
      65535   Advertises a maximum of 65535 bytes (default setting)

  aggregation ampdu max-aggr-size tx <2000-65535>

  aggregation ampdu max-aggr-size
      See the aggregation, ampdu and max-aggr-size parameters above.
  tx <2000-65535>
      Configures the maximum size (in bytes) for AMPDU aggregated transmitted frames.
      <2000-65535>   Sets the limit from 2000 - 65535 bytes. The default is 65535 bytes.

  aggregation ampdu min-spacing [0|1|2|4|8|16|auto]

  aggregation ampdu
      See the aggregation and ampdu parameters above.
  min-spacing [0|1|2|4|8|16|auto]
      Configures the minimum gap, in microseconds, between AMPDU frames.
      0      Configures the minimum gap as 0 microseconds
      1      Configures the minimum gap as 1 microsecond
      2      Configures the minimum gap as 2 microseconds
      4      Configures the minimum gap as 4 microseconds
      8      Configures the minimum gap as 8 microseconds
      16     Configures the minimum gap as 16 microseconds
      auto   Automatically configures the minimum gap depending on the platform and radio type (default setting)

  aggregation amsdu [rx-only|tx-rx]

  aggregation
      Configures 802.11n frame aggregation parameters.
  amsdu
      Configures Aggregated MAC Service Data Unit (AMSDU) frame aggregation parameters. AMSDU aggregation collects Ethernet frames addressed to a single destination but, unlike AMPDU, it wraps all frames in a single 802.11n frame.
  rx-only
      Supports the receipt of AMSDU aggregated frames only (default setting).
  tx-rx
      Supports the transmission and receipt of AMSDU aggregated frames.

Example
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#aggregation ampdu tx-only
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
  interface radio1
   aggregation ampdu tx-only
   aeroscout forward
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no   Disables 802.11n aggregation parameters

7.1.36.5.4 airtime-fairness
interface-config-radio-instance

Enables fair access to the medium for wireless clients based on their airtime usage (i.e. regardless of whether the client is a high-throughput (802.11n) or legacy client). This option is enabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  airtime-fairness {prefer-ht} {weight <1-10>}

Parameters
  airtime-fairness {prefer-ht} {weight <1-10>}

  airtime-fairness
      Enables fair access to the medium for wireless clients based on their airtime usage.
  prefer-ht
      Optional. Prioritizes high-throughput (802.11n) clients over clients with slower throughput (802.11 a/b/g) and legacy clients.
  weight <1-10>
      Optional. Configures the relative weightage for 11n clients over legacy clients.
      <1-10>   Sets a weightage ratio for 11n clients from 1 - 10.

Example
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#airtime-fairness prefer-ht weight 6
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
  interface radio1
   aggregation ampdu tx-only
   aeroscout forward
   airtime-fairness prefer-ht weight 6
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no   Disables fair access for wireless clients (provides access in round-robin mode)

7.1.36.5.5 antenna-diversity
interface-config-radio-instance

Configures transmit antenna diversity for non-11n transmit rates.

Antenna diversity uses two or more antennas to increase signal quality and strength. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  antenna-diversity

Parameters
  None

Example
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-diversity
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
  interface radio1
   aggregation ampdu tx-only
   aeroscout forward
   antenna-diversity
   airtime-fairness prefer-ht weight 6
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no   Uses a single antenna for non-11n transmit rates

7.1.36.5.6 antenna-downtilt
interface-config-radio-instance

Enables the Advanced Element Panel Technology (ADEPT) antenna mode. The ADEPT mode increases the probability of parallel data paths, enabling multiple spatial data streams. This option is disabled by default.

Supported in the following platforms:
  Access Point: AP7161

NOTE: This feature is not supported on AP6521, AP6522, AP6532, AP6562, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, and AP8533.

Syntax
  antenna-downtilt

Parameters
  None

Example
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-downtilt
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
  interface radio1
   antenna-gain 12.0
   aggregation ampdu tx-only
   aeroscout forward
   antenna-diversity
   airtime-fairness prefer-ht weight 6
   antenna-downtilt
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no   Disables the ADEPT antenna mode

7.1.36.5.7 antenna-elevation
interface-config-radio-instance

Configures an antenna's elevation gain.

Antenna gain is the ratio of an antenna's radiation intensity in a given direction to the intensity produced by a no-loss, isotropic antenna radiating equally in all directions. An antenna's gain along the horizon and at an elevation of 30 degrees may vary. The elevation gain is defined as the maximum antenna gain at 30 to 150 degrees above the horizon. If elevation gain is configured, the transmit (TX) power calculations maximize the allowable TX power for an elevation below 30 degrees.

Access points must conform to the U.S. Federal Communications Commission's (FCC) limitations. The FCC has now stipulated a 21 dBm Effective Isotropic Radiated Power (EIRP) limit for power directed 30 degrees above the horizon. For Extreme Networks-supplied antennas compatible with 5.0 GHz on the AP7562 access point, refer to the Antenna Guide for "Elevation Gain" information. If using a third-party antenna, you must obtain the antenna elevation gain information from the antenna manufacturer.

The elevation gain should be configured if the access point:
  - is deployed outdoors, and
  - is used with a dipole antenna (panel antennas and polarized antennas are for point-to-point use only and are excluded from this requirement), and
  - is transmitting in the 5.15 - 5.25 GHz Unlicensed National Information Infrastructure-1 (UNII-1) band.

Professional installers must complete the following steps to ensure compliance with the FCC rule:

1 Configure the antenna type. For example:
    ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#service antenna-type dipole
2 Configure the antenna peak gain. For example:
    ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#antenna-gain 7.0
3 Configure the antenna placement. For example:
    ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#placement outdoor
4 Configure the antenna elevation gain. For example:
    ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#antenna-elevation 5.0

After the professional installer enters the antenna type, gain, placement, and elevation gain using the CLI as outlined above, the firmware uses this information and hardcoded maximum limits determined during testing (see Annex C in FCC Report #FR4D0448AB) to limit the EIRP below 21 dBm for outdoor use in the UNII-1 band. The antenna information is provided in the Installation Guide and the Antenna Guide.

Supported in the following platforms:
  Access Points: AP7562

Syntax
  antenna-elevation <-30.0-36.0>

NOTE: The antenna elevation gain feature is supported only on the AP7562 model access point.

Parameters
  antenna-elevation <-30.0-36.0>

  antenna-elevation <-30.0-36.0>
      Configures the antenna elevation gain from -30.0 - 36.0 dB. Refer to the antenna specifications for antenna elevation gain information. The default value is 0 dB.

Example
  ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#antenna-elevation 5.0
  ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#show context
  interface radio2
   antenna-elevation 5.0
  ap7562-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio2)#
Related Commands
  no   Resets the antenna elevation gain to the default (0 dB)

7.1.36.5.8 antenna-gain
interface-config-radio-instance

Configures the antenna gain for the selected radio.

Antenna gain is the ability of an antenna to convert power into radio waves and vice versa. The access point or wireless controller's Power Management Antenna Configuration File (PMACF) automatically configures the access point or wireless controller's radio transmit power based on the antenna type, its antenna gain (provided here) and the deployed country's regulatory domain restrictions. Once provided, the access point or wireless controller calculates the power range.

Antenna gain relates the intensity of an antenna in a given direction to the intensity that would be produced ideally by an antenna that radiates equally in all directions (isotropically) and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. It is recommended that only a professional installer set the antenna gain.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  antenna-gain <0.0-15.0>

Parameters
  antenna-gain <0.0-15.0>

  antenna-gain <0.0-15.0>
      Sets the antenna gain from 0.0 - 15.0 dBi. The default is 0.00 dBi.

Example
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-gain 12.0
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
  interface radio1
   antenna-gain 12.0
   aggregation ampdu tx-only
   aeroscout forward
   antenna-diversity
   airtime-fairness prefer-ht weight 6
   antenna-downtilt
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no   Resets the radio's antenna gain parameter

7.1.36.5.9 antenna-mode
interface-config-radio-instance

Configures the antenna mode (the number of transmit and receive antennas) on the access point.

This command sets the number of transmit and receive antennas on the access point. The 1x1 mode is used for transmissions over just the single -A- antenna; 1xALL is used for transmissions over the -A- antenna and all three antennas for receiving. The 2x2 mode is used for transmissions and receipts over two antennas for dual-antenna models. 3x3x3 is used for transmissions and receipts over three antennas for AP81XX models. The default setting is dynamic, based on the access point model deployed and its transmit power settings.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  antenna-mode [1*1|1*ALL|2*2|3*3|default]

Parameters
  antenna-mode [1*1|1*ALL|2*2|3*3|default]

  antenna-mode
      Configures the antenna mode.
  1*1
      Uses only antenna A to receive and transmit.
  1*ALL
      Uses antenna A to transmit and receives on all antennas.
  2*2
      Uses antennas A and C for both transmit and receive.
  3*3
      Uses antennas A, B, and C for both transmit and receive.
  default
      Uses the default antenna settings. This is the default setting.

Usage Guidelines
  To support the STBC feature on an AP7161 profile, the antenna-mode should not be configured to 1*1.

Example
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#antenna-mode 2x2
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
  interface radio1
   antenna-gain 12.0
   aggregation ampdu tx-only
   aeroscout forward
   antenna-mode 2x2
   antenna-diversity
   airtime-fairness prefer-ht weight 6
   antenna-downtilt
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no   Resets the radio antenna mode (the number of transmit and receive antennas) to its default

7.1.36.5.10 assoc-response
interface-config-radio-instance

Configures the parameters determining whether the access point ignores or responds to an association/authorization request.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  assoc-response [deny-threshold <1-12>|rssi-threshold <-128--40>]

Parameters
  assoc-response [deny-threshold <1-12>|rssi-threshold <-128--40>]

  assoc-response
      Configures the following thresholds, based on which the AP ignores or responds to an association/authorization request: deny-threshold and rssi-threshold. Both options are disabled by default.
  deny-threshold <1-12>
      Configures the number of times the AP ignores association/authorization requests if the RSSI is below the configured RSSI threshold value.
      <1-12>   Specify a value from 1 - 12.
      Note: The AP always ignores association/authorization requests when deny-threshold is not specified and rssi-threshold is specified.
  rssi-threshold <-128--40>
      Configures the RSSI threshold. If the RSSI is lower than the threshold configured here, the AP ignores the association/authorization request.
      <-128--40>   Specify the RSSI threshold from -128 - -40 dBi.

Example
  rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#assoc-response rssi-threshold -128
  rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#show context
  interface radio1
   assoc-response rssi-threshold -128
  rfs6000-37FABE(config-profile-71XXTestProfile-if-radio1)#
Related Commands
  no   Removes the RSSI threshold, based on which an association/authorization request is either ignored or responded to

7.1.36.5.11 association-list
interface-config-radio-instance

Associates an existing global association list with this radio interface.

An association ACL is a policy-based access control list (ACL) that either prevents or allows wireless clients from connecting to a managed access point radio. An ACL is a sequential collection of permit and deny rules that apply to incoming and outgoing packets. When a packet is received on an interface, the controller, service platform, or access point compares the fields in the packet against the applied ACLs to verify the packet has the required permissions to be forwarded. If a packet does not meet any of the criteria specified in the ACL, it is dropped.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  association-list global <GLOBAL-ASSOC-LIST-NAME>

Parameters
  association-list global <GLOBAL-ASSOC-LIST-NAME>

  association-list global <GLOBAL-ASSOC-LIST-NAME>
      Associates an existing global association list with this radio interface.

Example
  rfs4000-880DA7(config-profile-test-if-radio1)#association-list global test
  rfs4000-880DA7(config-profile-test-if-radio1)#show context
  interface radio1
   association-list global test
  rfs4000-880DA7(config-profile-test-if-radio1)#
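The following Python, added here as an example and not taken from the guide, models the two client-admission checks that the assoc-response and association-list sections describe: an association ACL (first matching permit or deny rule wins, no match drops the client) followed by the RSSI gate with its deny-threshold counter, and it audits settings parsed from a show context radio block against the documented ranges. Matching ACL rules on a client MAC (or any), the dBm unit, and resetting the ignore counter once a request is answered are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Documented ranges for the assoc-response thresholds.
RSSI_RANGE = (-128, -40)
DENY_RANGE = (1, 12)


@dataclass
class AssociationAcl:
    """Ordered (action, mac) rules: first match wins, no match drops the client.
    Matching on a client MAC or 'any' is an assumption of this example, not from the guide."""
    rules: List[Tuple[str, str]] = field(default_factory=list)

    def permits(self, mac: str) -> bool:
        mac = mac.lower()
        for action, pattern in self.rules:
            if pattern == "any" or pattern.lower() == mac:
                return action == "permit"
        return False  # documented: a packet matching no rule is dropped


@dataclass
class AssocResponsePolicy:
    rssi_threshold: Optional[int] = None   # assumed unit: dBm
    deny_threshold: Optional[int] = None
    ignored: Dict[str, int] = field(default_factory=dict)  # per-client ignore counter

    def audit(self) -> List[str]:
        """Findings based on the documented ranges and the note on deny-threshold."""
        out: List[str] = []
        if self.rssi_threshold is not None and not RSSI_RANGE[0] <= self.rssi_threshold <= RSSI_RANGE[1]:
            out.append(f"rssi-threshold {self.rssi_threshold} outside {RSSI_RANGE}")
        if self.deny_threshold is not None and not DENY_RANGE[0] <= self.deny_threshold <= DENY_RANGE[1]:
            out.append(f"deny-threshold {self.deny_threshold} outside {DENY_RANGE}")
        if self.rssi_threshold is not None and self.deny_threshold is None:
            out.append("rssi-threshold set without deny-threshold: weak-signal clients are ignored indefinitely")
        if self.deny_threshold is not None and self.rssi_threshold is None:
            out.append("deny-threshold set without rssi-threshold: it has no effect")
        return out

    def responds(self, mac: str, rssi: int) -> bool:
        """Decide whether the AP answers one association/authorization request."""
        if self.rssi_threshold is None or rssi >= self.rssi_threshold:
            self.ignored.pop(mac, None)
            return True
        if self.deny_threshold is None:
            return False  # documented: always ignored when only rssi-threshold is set
        count = self.ignored.get(mac, 0)
        if count < self.deny_threshold:
            self.ignored[mac] = count + 1
            return False
        self.ignored.pop(mac, None)  # assumption: the counter resets once answered
        return True


def parse_radio_context(text: str) -> Tuple[Optional[str], AssocResponsePolicy]:
    """Extract association-list and assoc-response settings from a 'show context' radio block."""
    acl_name: Optional[str] = None
    policy = AssocResponsePolicy()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"association-list global (\S+)", line)
        if m:
            acl_name = m.group(1)
            continue
        m = re.fullmatch(r"assoc-response (rssi-threshold|deny-threshold) (-?\d+)", line)
        if m:
            setattr(policy, m.group(1).replace("-", "_"), int(m.group(2)))
    return acl_name, policy


def admit(acl: AssociationAcl, policy: AssocResponsePolicy, mac: str, rssi: int) -> str:
    """Run one request through both checks: 'dropped', 'ignored' or 'accepted'."""
    if not acl.permits(mac):
        return "dropped"
    return "accepted" if policy.responds(mac, rssi) else "ignored"


# Constructed sample, shaped like the 'show context' output in this guide.
SAMPLE_CONTEXT = """\
interface radio1
 association-list global test
 assoc-response rssi-threshold -70
 assoc-response deny-threshold 2
"""

if __name__ == "__main__":
    name, pol = parse_radio_context(SAMPLE_CONTEXT)
    print("acl:", name, "findings:", pol.audit())
    # Constructed ACL: deny one client MAC, permit everything else.
    acl = AssociationAcl([("deny", "00-11-22-33-44-55"), ("permit", "any")])
    requests = [("aa-bb-cc-00-00-01", -80)] * 3 + [("00-11-22-33-44-55", -50)]
    for mac, rssi in requests:
        print(mac, rssi, "->", admit(acl, pol, mac, rssi))
```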
Related Commands
  no   Removes the global association list associated with this radio interface

7.1.36.5.12 beacon
interface-config-radio-instance

Configures radio beacon parameters.

A beacon is a packet broadcast by adopted radios to keep the network synchronized. Included in a beacon is information such as the WLAN service area, the radio address, the broadcast destination addresses, a time stamp, and indicators about traffic and delivery such as a Delivery Traffic Indication Message (DTIM). Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter sensitive.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  beacon [dtim-period|period]
  beacon dtim-period [<1-50>|bss]
  beacon dtim-period [<1-50>|bss <1-16> <1-50>]
  beacon period [50|100|200]

Parameters
  beacon dtim-period [<1-50>|bss <1-16> <1-50>]

  beacon
      Configures radio beacon parameters.
  dtim-period
      Configures the radio DTIM interval. A DTIM is a message that informs wireless clients about the presence of buffered multicast or broadcast data. These are simple data frames that require no acknowledgement, so nodes sometimes miss them. Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve their battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter-sensitive.
  <1-50>
      Configures a single value to use on the radio. Specify a value between 1 and 50.
  bss <1-16> <1-50>
      Configures a separate DTIM for a Basic Service Set (BSS) on this radio interface.
      <1-16>   Sets the BSS number from 1 - 16.
      <1-50>   Sets the BSS DTIM from 1 - 50. The default is 2.

  beacon period [50|100|200]

  period [50|100|200]
      Configures the beacon period (the interval between consecutive radio beacons).
      50    Configures a 50 K-uSec interval between beacons
      100   Configures a 100 K-uSec interval between beacons (default)
      200   Configures a 200 K-uSec interval between beacons

Example
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#beacon dtim-period bss 2 20
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#beacon period 50
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
  interface radio1
   beacon period 50
   beacon dtim-period bss 1 2
   beacon dtim-period bss 2 20
   beacon dtim-period bss 3 2
  --More--
  rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no   Removes the configured beacon parameters

7.1.36.5.13 bridge
interface-config-radio-instance

Configures the client-bridge parameters for radios with rf-mode set to bridge.

When configured as a client bridge, the radio can authenticate and associate to the Wireless LAN (WLAN) hosted on the infrastructure access point. After successfully associating with the infrastructure WLAN, the client-bridge access point switches frames between its bridge radio and the wired/wireless client(s) connected either to its GE port(s) or to the other radio, thereby providing the clients access to the infrastructure WLAN resources.

NOTE: The radio interface configured to form the client bridge will not be able to service wireless clients, as its RF mode is set to bridge and not 2.4 GHz or 5.0 GHz.

Supported in the following platforms:
  Access Points: AP6522, AP6562, AP7522, AP7532, AP7562, AP7602, AP7622

Syntax
  bridge [authentication-type [eap|none]|channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges|eap [password <PASSWORD>|type [peap-mschapv2|tls]|username <USERNAME>]|encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]|interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>|on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]

Parameters
  bridge [authentication-type [eap|none]|channel-dwell-time <50-2000>|channel-list [2.4GHz|5GHz] <LIST>|connect-through-bridges|eap [password <PASSWORD>|type [peap-mschapv2|tls]|username <USERNAME>]|encryption-type [ccmp|none|tkip]|inactivity-timeout <0-864000>|keepalive [frame-type [null-data|wnmp]|interval <0-36000>]|max-clients <1-64>|on-link-loss shutdown-other-radio <1-1800>|on-link-up refresh-vlan-interface|roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]|ssid <SSID>|wpa-wpa2 psk [0|2|<LINE>]]

  bridge
      Configures client-bridge related parameters on the selected radio. Prior to configuring the client-bridge parameters, set the radio's rf-mode to bridge.
  authentication-type [eap|none]
      Configures the authentication method used to authenticate with the infrastructure WLAN. The authentication mode specified here should be the same as that configured on the infrastructure WLAN. The options are:
      eap    Uses EAP authentication (802.1X). If using EAP, use the eap keyword to configure EAP related parameters.
      none   Uses no authentication. This is the default setting.
  channel-dwell-time <50-2000>
      Configures the channel dwell time in milliseconds. This is the time the client-bridge radio dwells on each channel (configured in the channel-list) when scanning for an infrastructure WLAN.
      <50-2000>   Specify a value from 50 - 2000 milliseconds. The default is 150 milliseconds.
  channel-list [2.4GHz|5GHz] <LIST>
      Configures the list of channels the radio scans when scanning for an infrastructure WLAN access point to associate with.
      2.4GHz <LIST>   Configures a list of channels for scanning across all the channels in the 2.4 GHz radio band
      5GHz <LIST>     Configures a list of channels for scanning across all the channels in the 5.0 GHz radio band
      The following parameter is common to both the 2.4 GHz and 5.0 GHz bands:
      <LIST>   Provide the list of channels separated by commas.
  connect-through-bridges
      Enables the client-bridge access point radio to connect to an infrastructure WLAN which already has other client-bridge radios associated with it. The client-bridge access points, in this scenario, are said to be daisy chained together.
  eap [password <PASSWORD>|type [peap-mschapv2|tls]|username <USERNAME>]
      Configures EAP authentication parameters if the authentication mode is set to EAP.
      password [0|2|<PASSWORD>]
          Configures the EAP authentication password to use with the infrastructure WLAN. The password type depends on the EAP authentication type configured:
          PEAP-MSCHAPv2   PEAP password
          TLS             PKCS #12 certificate secret
          Use of EAP-TLS authentication is recommended since it is stronger than PEAP-MSCHAPv2.
          <PASSWORD>   Enter the password.
      type [peap-mschapv2|tls]
          Configures the EAP authentication type as:
          peap-mschapv2   Configures the EAP authentication type as PEAP-MSCHAPv2. This is the default setting.
          tls             Configures the EAP authentication type as TLS.
      username <USERNAME>
          Configures the EAP authentication user name to use with the infrastructure WLAN.
          <USERNAME>   Specify the EAP username.
          PEAP-MSCHAPv2   PEAP username (example: client-bridge)
          TLS             Username in the CN field of the installed PKCS #12 client certificate (example: client-bridge@example.com)
  encryption-type [ccmp|none|tkip]
      Configures the encryption mode. The encryption mode specified here should be the same as that configured on the infrastructure WLAN. The options are:
      ccmp   Uses WPA/WPA2 CCMP encryption
      none   Uses no encryption method. This is the default setting.
      tkip   Uses WPA/WPA2 TKIP encryption
      If using CCMP or TKIP, use the wpa-wpa2 keyword to configure the pre-shared key (PSK).
  inactivity-timeout <0-864000>
      Configures the inactivity timeout for each bridge MAC address. This is the time for which the client-bridge access point waits before deleting a MAC address from which no frame has been received for longer than the time specified here. For example, if the inactivity time is set to 120 seconds and no frames are received from a MAC address for 120 seconds, it is deleted. The default value is 600 seconds.
      <0-864000>   Specify a value from 0 - 864000 seconds. The default is 600 seconds.
  keepalive [frame-type [null-data|wnmp]|interval <0-36000>]
      Configures the keepalive frame type and interval.
      frame-type   Configures the keepalive frame type exchanged between the client-bridge access point and the infrastructure access point/controller. The options are:
          null-data   Transmits 802.11 NULL data frames. This is the default setting.
          wnmp        Transmits Wireless Network Management Protocol (WNMP) multicast packets.
      interval <0-36000>   Configures the interval, in seconds, between two successive keepalive frame transmissions.
          <0-36000>   Specify a value from 0 - 36000 seconds. The default is 300 seconds.
  max-clients <1-64>
      Configures the maximum number of clients that the client-bridge AP can support.
      <1-64>   Specify a value from 1 - 64. The default is 64.
  on-link-loss shutdown-other-radio <1-1800>
      Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points is lost.
      shutdown-other-radio   Enables shutting down of the non-client-bridge radio (the radio to which wireless clients associate) when the link between the client-bridge and infrastructure access points is lost. When enabled, clients associated with the non-client-bridge radio are pushed to search for and associate with other access points having backhaul connectivity. This option is disabled by default.
          <1-1800>   If enabling this option, use this parameter to configure the time, in seconds, for which the non-client-bridge radio is shut down. Specify a value from 1 - 1800 seconds.
  on-link-up refresh-vlan-interface
      Configures the radio-link behaviour when the link between the client-bridge and infrastructure access points comes up.
      refresh-vlan-interface   Enables the SVI to refresh on re-establishing the client-bridge link to the infrastructure access point and, if using a DHCP-assigned IP address, causes a DHCP renew. This option is enabled by default.
  roam-criteria [missed-beacons <1-60>|rssi-threshold <-128--40>]
      Configures the following roaming criteria parameters:
      missed-beacons <1-60>   Configures the missed beacon interval from 1 - 60 seconds. This is the time for which the client-bridge access point waits after missing a beacon from the associated infrastructure access point before roaming to another infrastructure access point. For example, if the missed-beacon time is set to 30 seconds and more than 30 seconds have passed since the last beacon was received from the associated infrastructure access point, the client-bridge access point resumes scanning for another infrastructure access point. The default value is 20 seconds.
          <1-60>   Specify a value from 1 - 60 seconds. The default is 20 seconds.
      rssi-threshold <-128--40>   Configures the minimum signal strength, received from the target AP, for the bridge connection to be maintained before roaming.
          <-128--40>   Specify a value from -128 - -40 dBm. If the RSSI value of signals received from the infrastructure access point falls below the specified value, the client-bridge access point resumes scanning for another infrastructure access point. The default is -75 dBm.
  ssid <SSID>
      Configures the infrastructure WLAN SSID the client bridge connects to.
      <SSID>   Specify the SSID.
  wpa-wpa2 psk [0|2|<LINE>]
      Configures the encryption pre-shared key (PSK) to use with the infrastructure WLAN.
      0        Configures a clear text PSK
      2        Configures an encrypted PSK
      <LINE>   Enter the key.
      Note: Pre-shared keys are valid only when the authentication-type is set to none and the encryption-type is set to tkip or ccmp.
      Note: The PSK should be 8 - 32 characters in length.

Usage Guidelines
  EAP Authentication

  Use the following commands to view the client-bridge configuration:
  1 show > wireless > bridge > config   Shows the current client bridge configuration.
  2 show > wireless > bridge > candidate-ap   Shows the available infrastructure WLAN candidates found during the last scan.
  3 show > wireless > bridge > host   Shows the wired/wireless clients that are being bridged.
  4 show > wireless > bridge > statistics > rf   Shows the client bridge RF statistics.
  5 show > wireless > bridge > statistics > traffic   Shows the client bridge traffic statistics.
  6 show > wireless > bridge > certificate > status   Shows the client bridge authentication certificate status.

Example
  The following examples show the basic parameters that need to be configured on the infrastructure and client-bridge APs in order to enable the client-bridge AP to associate with the infrastructure WLAN. Note that in this example the authentication mode is set to none and the encryption-type is set to ccmp. The authentication and encryption modes used will vary as per requirement.

  1 Configuring the Infrastructure WLAN:
InfrastrNOC(config)#wlan cb-psk
InfrastrNOC(config-wlan-cb-psk)#ssid cb-psk
InfrastrNOC(config-wlan-cb-psk)#encryption-type ccmp
InfrastrNOC(config-wlan-cb-psk)#wpa-wpa2 psk extreme@123
InfrastrNOC(config-wlan-cb-psk)#authentication-type none
InfrastrNOC(config)#show running-config wlan cb-psk
wlan cb-psk
 ssid cb-psk
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 extreme@123
InfrastrNOC(config)#

2 Associating the cb-psk WLAN to the Infrastructure AP's radio.
Infra7131-5F5078(config-device-B4-C7-99-5F-50-78-if-radio2)#wlan cb-psk
Infra7131-5F5078(config-device-B4-C7-99-5F-50-78)#show context
ap71xx B4-C7-99-5F-50-78
 use profile default-ap71xx
 use rf-domain default
 hostname Infra7131-5F5078
 country-code us
 channel-list 5GHz 149,153,157,161,165
 trustpoint radius-ca TP-infra-AP
 trustpoint radius-server TP-infra-AP
 use radius-server-policy cb-rad-srvr
 interface radio2
  rf-mode 5GHz-wlan
  channel smart
  power smart
  data-rates default
  wlan cb-psk bss 1 primary
  no preamble-short
  bridge ssid cb-psk
  bridge encryption-type ccmp
  bridge authentication-type none
  bridge wpa-wpa2 psk 0 extreme@123
 logging on
 logging console debugging
 controller host 192.168.9.31
Infra7131-5F5078(config-device-B4-C7-99-5F-50-78)#
3 Confirming the Infrastructure AP's radio interface status.
Infra7131-5F5078(config)#show wireless radio
----------------------------------------------------------------------------------------------
RADIO                 RADIO-MAC          RF-MODE      STATE  CHANNEL      POWER     #CLIENT
----------------------------------------------------------------------------------------------
Infra7131-5F5078:R1   B4-C7-99-5E-51-40  2.4GHz-wlan  Off    N/A ( smt)   0 (smt)   0
Infra7131-5F5078:R2   B4-C7-99-5E-1A-40  5GHz-wlan    On     165 ( 165)   17 (smt)  2
----------------------------------------------------------------------------------------------
Total number of radios displayed: 2
Infra7131-5F5078(config)#
4 Configuring the client-bridge AP's radio parameters.
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#bridge ssid cb-psk
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#bridge encryption-type ccmp
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#bridge authentication-type none
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#wpa-wpa2 psk extreme@123
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#show context
 interface radio2
  bridge ssid cb-psk
  bridge encryption-type ccmp
  bridge authentication-type none
  bridge wpa-wpa2 psk 0 extreme@123
ap7532-85B274(config-device-84-24-8D-85-B2-74-if-radio2)#

Note, the SSID, encryption-type, and authentication mode are the same as those of the Infrastructure WLAN.

5 Confirming the client-bridge AP's radio interface status.
ap7532-85B274#show wireless radio
----------------------------------------------------------------------------------------------
RADIO                 RADIO-MAC          RF-MODE      STATE  CHANNEL      POWER     #CLIENT
----------------------------------------------------------------------------------------------
ap7532-85B274:R1      84-24-8D-AC-2D-B0  2.4GHz-wlan  Off    N/A ( smt)   0 (smt)   0
ap7532-85B274:R2      84-24-8D-AC-CC-10  bridge       On     165 ( smt)   20 (smt)  0
----------------------------------------------------------------------------------------------
Total number of radios displayed: 2
===================================================
ap7532-85B274(config-device-84-24-8D-85-B2-74)#
6 Viewing the candidate-ap (connected Infrastructure AP) details on the client-bridge AP.
ap7532-85B274(config-device-84-24-8D-85-B2-74)#show wireless bridge candidate-ap 84-24-8D-AC-CC-10
Client Bridge Candidate APs:
AP-MAC             BAND   CHANNEL  SIGNAL(dbm)  STATUS
B4-C7-99-5E-1A-40  5 GHz  165      -21          selected
Total number of candidates displayed: 1
Total number of client bridges displayed: 1
=======================================================
ap7532-85B274(config-device-84-24-8D-85-B2-74)#

7 Viewing the bridge host details on the client-bridge AP.
ap7532-85B274(config-device-84-24-8D-85-B2-74)#show wireless bridge hosts
-----------------------------------------------------------------------------
HOST MAC           BRIDGE MAC         IP          BRIDGING STATUS  ACTIVITY (sec ago)
-----------------------------------------------------------------------------
84-24-8D-85-B2-74  84-24-8D-AC-CC-10  10.1.0.249  UP               00:00:07
-----------------------------------------------------------------------------
Total number of hosts displayed: 1
ap7532-85B274(config-device-84-24-8D-85-B2-74)#
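As an added example that is not part of the guide, the following Python script applies the rules stated in this section (matching SSID, encryption-type and authentication-type on both sides, clear-text versus encrypted PSK, the 8 - 32 character limit, and the authentication/encryption combination a PSK requires) to constructed 'show context' text modelled on the walk-through above; the inputs, function names and report wording are the example's own.

```python
"""Audit a WiNG client-bridge pairing from 'show context' style output.

Added example, not from the CLI Reference Guide; the configuration text is
constructed to mirror the guide's cb-psk walk-through. The checks encode the
guide's own rules: bridge ssid / encryption-type / authentication-type must
match the infrastructure WLAN; 'psk 0' is a clear-text key and 'psk 2' an
encrypted one; a PSK applies only with authentication-type none plus tkip or
ccmp; the PSK must be 8 - 32 characters long.
"""
import re
from dataclasses import dataclass

# Constructed input: the infrastructure WLAN as 'show running-config wlan' prints it.
INFRA_WLAN = """\
wlan cb-psk
 ssid cb-psk
 bridging-mode local
 encryption-type ccmp
 authentication-type none
 wpa-wpa2 psk 0 extreme@123
"""

# Constructed input: the client-bridge radio as 'show context' prints it.
CLIENT_BRIDGE_RADIO = """\
interface radio2
 bridge ssid cb-psk
 bridge encryption-type ccmp
 bridge authentication-type none
 bridge wpa-wpa2 psk 0 extreme@123
"""

# Constructed input with two defects: a different cipher and a too-short clear-text key.
BAD_BRIDGE_RADIO = """\
interface radio2
 bridge ssid cb-psk
 bridge encryption-type tkip
 bridge authentication-type none
 bridge wpa-wpa2 psk 0 short1
"""

_PSK_RE = re.compile(r"^wpa-wpa2 psk(?: ([02]))? (\S+)$")

@dataclass
class WlanSettings:
    ssid: str = ""
    encryption: str = ""
    authentication: str = ""
    psk_mode: str = ""  # "0" clear text, "2" encrypted, "" no PSK configured
    psk: str = ""

def parse_settings(text, keyword_prefix=""):
    """Pull the WLAN-level statements out of one configuration block.

    keyword_prefix is "" for a 'wlan' block and "bridge" for a client-bridge
    radio, whose statements read 'bridge ssid ...'; other lines are skipped.
    """
    settings = WlanSettings()
    for raw in text.splitlines():
        line = raw.strip()
        if keyword_prefix:
            if not line.startswith(keyword_prefix + " "):
                continue
            line = line[len(keyword_prefix) + 1:]
        if line.startswith("ssid "):
            settings.ssid = line.split(None, 1)[1]
        elif line.startswith("encryption-type "):
            settings.encryption = line.split(None, 1)[1]
        elif line.startswith("authentication-type "):
            settings.authentication = line.split(None, 1)[1]
        else:
            m = _PSK_RE.match(line)
            if m:  # a key typed without 0/2 is stored, and displayed, as 'psk 0'
                settings.psk_mode = m.group(1) or "0"
                settings.psk = m.group(2)
    return settings

def audit_pair(infra_text, bridge_text):
    """Return a list of findings; an empty list means the pairing is clean."""
    infra = parse_settings(infra_text)
    bridge = parse_settings(bridge_text, keyword_prefix="bridge")
    findings = []
    for name, a, b in (("ssid", infra.ssid, bridge.ssid),
                       ("encryption-type", infra.encryption, bridge.encryption),
                       ("authentication-type", infra.authentication, bridge.authentication)):
        if a != b:
            findings.append(f"{name} mismatch: infrastructure '{a}' vs client-bridge '{b}'")
    for side, s in (("infrastructure WLAN", infra), ("client-bridge radio", bridge)):
        if not s.psk_mode:
            continue
        if not (s.authentication == "none" and s.encryption in ("tkip", "ccmp")):
            findings.append(f"{side}: PSK set but authentication-type '{s.authentication}'"
                            f" / encryption-type '{s.encryption}' do not use it")
        if s.psk_mode == "0":
            findings.append(f"{side}: PSK stored in clear text (psk 0); re-enter it as 'psk 2'")
            if not 8 <= len(s.psk) <= 32:
                findings.append(f"{side}: PSK length {len(s.psk)} is outside 8 - 32 characters")
    return findings
```

Run audit_pair(INFRA_WLAN, BAD_BRIDGE_RADIO) to see all four finding types; the guide's own example produces only the two clear-text notices, because both sides show 'psk 0'.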
Related Commands
  no  Removes or resets this client-bridge setting.

7.1.36.5.14 channel
interface-config-radio-instance

Configures a radio's channel of operation. Only a trained installation professional should define the radio channel. Select Smart for the radio to scan non-overlapping channels listening for beacons from other access points. After the channels are scanned, the radio selects the channel with the fewest access points. In case of multiple access points on the same channel, it selects the channel with the lowest average power level.

NOTE: Channels with a "w" appended to them are unique to the 40 MHz band. Channels with a "ww" appended to them are 802.11ac specific, appear only when using an AP8232, and are unique to the 80 MHz band.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
channel [smart|acs|random|1|2|3|4|-------]

Parameters
channel [smart|acs|random|1|2|3|4|-------]
  Configures a radio's channel of operation. The options are:
  smart   Uses Smart RF to assign a channel (uses uniform spectrum spreading if Smart RF is not enabled). This is the default setting.
  acs     Uses automatic channel selection (ACS) to assign a channel.
  random  Randomly assigns a channel.
  1       Channel 1 in 20 MHz mode
  2       Channel 2 in 20 MHz mode

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#channel 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  channel 1
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  ........................................................................
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  antenna-mode 2x2
  antenna-diversity
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Resets a radio's channel of operation.

7.1.36.5.15 data-rates
interface-config-radio-instance

Configures the 802.11 data rates on this radio.

This command sets the rate options depending on the 802.11 protocol and the radio band selected. If 2.4 GHz is selected as the radio band, select separate 802.11b, 802.11g and 802.11n rates and define how they are used in combination. If 5.0 GHz is selected as the radio band, select separate 802.11a and 802.11n rates, then define how they are used together.

If dedicating the radio to either 2.4 or 5.0 GHz support, use the custom keyword to set an 802.11n modulation and coding scheme (MCS) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Clients can associate as long as they support the basic MCS (as well as non-11n basic rates).

Data rates are fixed and not user configurable for radios functioning as sensors.

NOTE: Use the rf-mode command to configure a radio's mode of operation.

NOTE: The MCS-1s and MCS-2s options are available for each supported access point. However, the MCS-3s option is only available to the AP8232 model access point, and its ability to provide 3x3x3 MIMO support.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default|custom|mcs]
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]
data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54|mcs-1s|mcs-2s|mcs-3s|basic-1|basic-2|basic-5.5|basic-6|basic-9|basic-11|basic-12|basic-18|basic-24|basic-36|basic-48|basic-54|basic-mcs-1s]
data-rates mcs qam-only

Parameters
data-rates [b-only|g-only|a-only|bg|bgn|gn|an|default]
  Configures the 802.11 data rates on this radio.
  b-only   Supports operation in the 802.11b mode only (applicable for the 2.4 and 4.9 GHz bands)
  g-only   Uses rates that support operation in the 802.11g mode only (applicable for the 2.4 and 4.9 GHz bands)
  a-only   Uses rates that support operation in the 802.11a mode only (applicable for the 5.0 GHz band only)
  bg       Uses rates that support 802.11b and 802.11g wireless clients (applicable for the 2.4 and 4.9 GHz bands)
  bgn      Uses rates that support 802.11b, 802.11g, and 802.11n wireless clients (applicable for the 2.4 and 4.9 GHz bands)
  gn       Uses rates that support 802.11g and 802.11n wireless clients (applicable for the 2.4 and 4.9 GHz bands)
  an       Uses rates that support 802.11a and 802.11n wireless clients (applicable for the 5.0 GHz band only)
  default  Enables the default data rates according to the radio's band of operation

data-rates custom [1|2|5.5|6|9|11|12|18|24|36|48|54|mcs-1s|mcs-2s|mcs-3s|basic-1|basic-2|basic-5.5|basic-6|basic-9|basic-11|basic-12|basic-18|basic-24|basic-36|basic-48|basic-54|basic-mcs-1s]
  Configures a list of data rates by specifying each rate individually. Use the 'basic-' prefix before a rate to indicate it is used as a basic rate (for example, 'data-rates custom basic-1 basic-2 5.5 11').
  1 | 2 | 5.5 | 6 | 9 | 11 | 12 | 18 | 24 | 36 | 48 | 54
           Selects the rate of that value in Mbps (1-Mbps, 2-Mbps, 5.5-Mbps, 6-Mbps, 9-Mbps, 11-Mbps, 12-Mbps, 18-Mbps, 24-Mbps, 36-Mbps, 48-Mbps, 54-Mbps)
  mcs-1s   Applicable to 1-spatial-stream data rates
  mcs-2s   Applicable to 2-spatial-stream data rates
  mcs-3s   Applicable to 3-spatial-stream data rates (supported only on the AP8232 for the MIMO feature)
  basic-1 | basic-2 | basic-5.5 | basic-6 | basic-9 | basic-11 | basic-12 | basic-18 | basic-24 | basic-36 | basic-48 | basic-54
           Selects the rate of that value in Mbps as a basic rate (Basic 1-Mbps, Basic 2-Mbps, Basic 5.5-Mbps, ... Basic 54-Mbps)
  basic-mcs-1s
           Modulation and Coding Scheme data rates for 1 spatial stream
  Note: Refer to the Usage Guidelines (Supported data rates) section for detailed 802.11an and 802.11ac MCS data rates, both with and without the short guard interval (SGI).

data-rates mcs qam-only
  Configures support for MCS QAM data rates only.

Usage Guidelines (Supported data rates)
The following table defines the 802.11n MCS for MCS 1 streams, both with and without SGI:
All rates are in Mbps.

  Index  Streams  20 MHz no SGI  20 MHz with SGI  40 MHz no SGI  40 MHz with SGI
  0      1        6.5            7.2              13.5           15
  1      1        13             14.4             27             30
  2      1        19.5           21.7             40.5           45
  3      1        26             28.9             54             60
  4      1        39             43.4             81             90
  5      1        52             57.8             108            120
  6      1        58.5           65               121.5          135
  7      1        65             72.2             135            150

The following table defines the 802.11n MCS for MCS 2 streams, both with and without SGI:

  Index  Streams  20 MHz no SGI  20 MHz with SGI  40 MHz no SGI  40 MHz with SGI
  0      2        13             14.4             27             30
  1      2        26             28.9             54             60
  2      2        39             43.4             81             90
  3      2        52             57.8             108            120
  4      2        78             86.7             162            180
  5      2        104            115.6            216            240
  6      2        117            130              243            270
  7      2        130            144.4            270            300

The following table defines the 802.11n MCS for MCS 3 streams, both with and without SGI:

  Index  Streams  20 MHz no SGI  20 MHz with SGI  40 MHz no SGI  40 MHz with SGI
  0      3        19.5           21.7             40.5           45
  1      3        39             43.3             81             90
  2      3        58.5           65               121.5          135
  3      3        78             86.7             162            180
  4      3        117            130.7            243            270
  5      3        156            173.3            324            360
  6      3        175.5          195              364.5          405
  7      3        195            216.7            405            450

The following table defines the 802.11ac MCS rates (theoretical throughput for single spatial streams), both with and without SGI:

  MCS Index  20 MHz no SGI  20 MHz with SGI  40 MHz no SGI  40 MHz with SGI  80 MHz no SGI  80 MHz with SGI
  0          6.5            7.2              13.5           15               29.3           32.5
  1          13             14.4             27             30               58.5           65
  2          19.5           21.7             40.5           45               87.8           97.5
  3          26             28.9             54             60               117            130
  4          39             43.3             81             90               175.5          195
  5          52             57.8             108            120              234            260
  6          58.5           65               121.5          135              263.3          292.5
  7          65             72.2             135            150              292.5          325
  8          78             86.7             162            180              351            390
  9          N/A            N/A              180            200              390            433.3

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#data-rates b-only
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  ........................................................
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
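As an added example that is not the guide's own, this Python script reproduces the MCS tables in the Usage Guidelines above from the 802.11n/ac PHY-rate formula, which also makes visible the short-guard-interval gain the guard-interval command (7.1.36.5.22) describes; the function names are the example's own.

```python
"""Reproduce the data-rates Usage Guidelines MCS tables from the 802.11n/ac PHY formula.

Added example, not from the CLI Reference Guide. A PHY rate in Mbps is

    rate = N_sd * N_bpsc * R * N_ss / T_sym

with N_sd data subcarriers (52 / 108 / 234 at 20 / 40 / 80 MHz), N_bpsc bits
per subcarrier (BPSK 1 ... 256-QAM 8), R the coding rate, N_ss spatial streams
and T_sym the symbol time: 4.0 us with the long (800 ns) guard interval or
3.6 us with the short (400 ns) one. The 4.0/3.6 ratio is the 'up to 10%' gain
the guard-interval command describes (11.1% before rounding to table values).
"""
from fractions import Fraction

DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234}                  # N_sd per channel width
SYMBOL_TIME_US = {False: Fraction(4), True: Fraction(36, 10)}  # long GI, short GI

# (bits per subcarrier, coding rate) per MCS index; 8 and 9 exist only in 802.11ac
MCS_MODULATION = [
    (1, Fraction(1, 2)),  # 0  BPSK    1/2
    (2, Fraction(1, 2)),  # 1  QPSK    1/2
    (2, Fraction(3, 4)),  # 2  QPSK    3/4
    (4, Fraction(1, 2)),  # 3  16-QAM  1/2
    (4, Fraction(3, 4)),  # 4  16-QAM  3/4
    (6, Fraction(2, 3)),  # 5  64-QAM  2/3
    (6, Fraction(3, 4)),  # 6  64-QAM  3/4
    (6, Fraction(5, 6)),  # 7  64-QAM  5/6
    (8, Fraction(3, 4)),  # 8  256-QAM 3/4
    (8, Fraction(5, 6)),  # 9  256-QAM 5/6
]

def mcs_rate(index, streams=1, width_mhz=20, short_gi=False):
    """PHY rate in Mbps, rounded to one decimal as the guide's tables are.

    Returns None where the data bits per symbol (N_sd * N_bpsc * R * N_ss) are
    not an integer, which is why 802.11ac MCS 9 is 'N/A' at 20 MHz with one
    stream (52 * 8 * 5/6 = 346.67). The standard excludes a few further
    multi-stream combinations for other reasons; they lie outside these tables.
    """
    bits_per_subcarrier, coding_rate = MCS_MODULATION[index]
    data_bits_per_symbol = DATA_SUBCARRIERS[width_mhz] * bits_per_subcarrier * coding_rate * streams
    if data_bits_per_symbol.denominator != 1:
        return None
    return round(float(data_bits_per_symbol / SYMBOL_TIME_US[short_gi]), 1)

def rate_table(streams, indices, widths=(20, 40)):
    """Rows of (index, [(long GI, short GI) per width]) laid out like the guide's tables."""
    return [(i, [(mcs_rate(i, streams, w, False), mcs_rate(i, streams, w, True)) for w in widths])
            for i in indices]

def short_gi_gain_percent():
    """Rate gain of the short over the long guard interval, before rounding."""
    return round(float(SYMBOL_TIME_US[False] / SYMBOL_TIME_US[True] - 1) * 100, 1)

if __name__ == "__main__":
    for streams in (1, 2, 3):  # the three 802.11n tables
        print(f"802.11n, {streams} stream(s): index  20MHz long/short  40MHz long/short")
        for i, cells in rate_table(streams, range(8)):
            print(f"  {i}  " + "  ".join(f"{lg}/{sg}" for lg, sg in cells))
    print("802.11ac, 1 stream, MCS 0-9 at 20/40/80 MHz (None = N/A):")
    for i, cells in rate_table(1, range(10), widths=(20, 40, 80)):
        print(f"  {i}  " + "  ".join(f"{lg}/{sg}" for lg, sg in cells))
    print(f"short GI gain: {short_gi_gain_percent()} %")
```

Two cells in the 802.11n tables above (43.4 for MCS 4, 1 stream, 20 MHz with SGI, and 130.7 for MCS 4, 3 streams, 20 MHz with SGI) differ from the formula, which gives 43.3 and 130; the 802.11ac table prints 43.3 for the same single-stream cell.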
Related Commands
  no       Resets the 802.11 data rates on a radio.
  rf-mode  Configures the radio's RF mode of operation.

7.1.36.5.16 description
interface-config-radio-instance

Configures the selected radio's description, which helps differentiate it from other radios with similar configurations.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
description <WORD>

Parameters
description <WORD>
  <WORD>  Provide a description for the selected radio (should not exceed 64 characters in length).

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#description "Primary radio to use"
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Removes a radio's description.

7.1.36.5.17 dfs-rehome
interface-config-radio-instance

Reverts to the configured home channel once the Dynamic Frequency Selection (DFS) evacuation period expires.

NOTE: This option is applicable only if the radio's RF mode is set to 5GHz-wlan.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
dfs-rehome {holdtime <30-3600>}

Parameters
dfs-rehome {holdtime <30-3600>}
  Enables the radio to revert to the configured home channel once the DFS evacuation period expires.
  holdtime   Optional. Specifies the duration, in minutes, to stay on the new channel.
  <30-3600>  Specify the holdtime from 30 - 3600 minutes. The default is 90 minutes.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#dfs-rehome holdtime 500
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  dfs-rehome holdtime 500
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Stays on the DFS-elected channel after the evacuation period expires.

7.1.36.5.18 dynamic-chain-selection
interface-config-radio-instance

Enables automatic antenna mode selection. When enabled, the radio can dynamically change the number of transmit chains used (a single chain/antenna is used for frames at non-11n transmit rates). This option is enabled by default.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
dynamic-chain-selection

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#dynamic-chain-selection
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

Related Commands
  no  Uses the configured transmit antenna mode for all clients.

7.1.36.5.19 ekahau
interface-config-radio-instance

Enables Ekahau multicast packet forwarding. When enabled, small, battery-powered Ekahau Wi-Fi tags are attached to tracked assets or to assets carried by people. Ekahau processes locations, rules, messages, and environmental data and turns the information into locationing maps, alerts and reports.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
ekahau [forward ip <IP> port <0-65535>|mac <MAC>]

Parameters
ekahau [forward ip <IP> port <0-65535>|mac <MAC>]
  Enables Ekahau multicast packet forwarding on this radio.
  forward ip <IP> port <0-65535>
    Enables multicast packet forwarding to the Ekahau engine.
    ip <IP>         Configures the IP address of the Ekahau engine in the A.B.C.D format.
    port <0-65535>  Specifies the TaZman Sniffer Protocol (TZSP) port on the Ekahau engine, from 0 - 65535. TZSP is an encapsulation protocol generally used to wrap 802.11 wireless packets.
  mac <MAC>
    Configures the multicast MAC address to which the Ekahau multicast packets are forwarded.
    <MAC>  Specify the MAC address in the AA-BB-CC-DD-EE-FF format.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#ekahau forward ip 172.16.10.1 port 3
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  .................................................
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Uses the default Ekahau multicast MAC address.

7.1.36.5.20 extended-range
interface-config-radio-instance

Enables the extended range capability for the AP7161 model access point. When enabled, these access points can exchange signals with their clients at greater distances without being timed out. This option is disabled by default.

Supported in the following platforms:
  Access Point  AP7161

Syntax
extended-range <1-25>

Parameters
extended-range <1-25>
  <1-25>  Configures the extended range on this radio interface from 1 - 25 kilometers. The default is 2 km on the 2.4 GHz band and 7 km on the 5.0 GHz band.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#extended-range 15
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  extended-range 15
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Resets the extended range to default (7 km for 2.4 GHz and 5 km for 5.0 GHz).

7.1.36.5.21 fallback-channel
interface-config-radio-instance

Configures the channel to which the radio switches in case of radar detection on the current channel.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]

Parameters
fallback-channel [100|100w|100ww|104|104w|104ww|108|108w...............]
  Configures the fallback channel. This is the channel the radio switches to if radar is detected on the radio's current operating channel.
  [100|100w|100ww|...]  Select the fallback channel from the available options.
  Note: Channels with a "w" appended to them are unique to the 40 MHz band. Channels with a "ww" appended to them are 802.11ac specific, appear only when using an AP8232, and are unique to the 80 MHz band.

Example
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#fallback-channel 104

NOTE: This functionality is supported only in the US regulatory domain, and only a non-DFS channel can be configured as a fallback channel.

nx9500-6C8809(config-profile-testAP81XX-if-radio2)#show context
 interface radio2
  fallback-channel 104
nx9500-6C8809(config-profile-testAP81XX-if-radio2)#
Related Commands
  no  Removes the fallback-channel configuration.

7.1.36.5.22 guard-interval
interface-config-radio-instance

Configures the 802.11n guard interval. A guard interval ensures distinct transmissions do not interfere with one another. It provides immunity to propagation delays, echoes and reflections of radio signals. The guard interval is the space between transmitted symbols and eliminates inter-symbol interference (ISI), which occurs when echoes or reflections of one symbol interfere with another. Adding time between transmissions allows echoes and reflections to settle before the next symbol is transmitted. A shorter guard interval results in shorter symbol times, which reduces overhead and increases data rates by up to 10%.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
guard-interval [any|long]

Parameters
guard-interval [any|long]
  Configures the 802.11n guard interval.
  any   Enables the radio to use either the short (400 nsec) or the long (800 nsec) guard interval.
  long  Enables the use of the long guard interval (800 nsec). This is the default setting.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#guard-interval long
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Resets the 802.11n guard interval to default (long: 800 nsec).

7.1.36.5.23 ldpc
interface-config-radio-instance

Enables support for Low Density Parity Check (LDPC) codes on the radio interface. LDPC consists of forward error correcting codes that enable error control in data transmission. This option is disabled by default.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
ldpc

Parameters
None

Example
rfs4000-229D58(config-profile-Test81XX-if-radio1)#ldpc
rfs4000-229D58(config-profile-Test81XX-if-radio1)#show context
 interface radio1
  ldpc
rfs4000-229D58(config-profile-Test81XX-if-radio1)#

Related Commands
  no  Disables LDPC support.

7.1.36.5.24 lock-rf-mode
interface-config-radio-instance

Retains the user-configured RF mode settings for the selected radio. This option is disabled by default.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
lock-rf-mode

Parameters
None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#lock-rf-mode
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Allows Smart RF to change a radio's RF mode settings.

7.1.36.5.25 max-clients
interface-config-radio-instance

Configures the maximum number of wireless clients allowed to associate with this radio.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
max-clients <0-256>

Parameters
max-clients <0-256>
  <0-256>  Configures the maximum number of clients allowed to associate with a radio, subject to the access point's limit. Specify a value from 0 - 256. The default is 256.
  Note: The AP6511 and AP6521 model access points can only support 128 clients.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#max-clients 100
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  ..............................................
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no  Resets the maximum number of wireless clients allowed to associate with a radio.

7.1.36.5.26 mesh
interface-config-radio-instance

Use this command to configure radio mesh parameters. A Wireless Mesh Network (WMN) is a network of radio nodes organized in a mesh topology. It consists of mesh clients, mesh routers, and gateways. Each radio setting can have a unique mesh mode and link configuration. This provides a customizable set of connections to other mesh-supported radios within the same radio coverage area.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533

Syntax
mesh [client|links|portal|preferred-peer|psk]
mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]

Parameters
mesh [client|links <1-6>|portal|preferred-peer <1-6> <MAC>|psk [0 <LINE>|2 <LINE>|<LINE>]]
  Configures radio mesh parameters, such as the maximum number of mesh links, the preferred peer device, client operation, etc.
  client
    Enables operation as a client. Setting the mesh mode to client enables the radio to operate as a mesh client that scans for and connects to mesh portals, or to nodes that are connected to portals.
  links <1-6>
    Configures the maximum number of mesh links a radio attempts to create.
    <1-6>  Sets the maximum number of mesh links from 1 - 6. The default is 6.
  portal
    Enables operation as a portal. Setting the mesh mode to portal turns the radio into a mesh portal. The radio starts beaconing immediately and accepts connections from other mesh nodes; this is typically the node with a connection to the wired network.
  preferred-peer <1-6> <MAC>
    Configures a preferred peer device.
    <1-6>  Configures the priority at which the peer node is added. When connecting to the mesh infrastructure, nodes with lower priority are given precedence over nodes with higher priority.
    <MAC>  Sets the MAC address of the preferred peer device (the Ethernet MAC of an AP, wireless controller, or service platform with onboard radios).
  psk [0 <LINE>|2 <LINE>|<LINE>]
    Configures the pre-shared key. Ensure this key is configured on the access point when staged for mesh, and added to the mesh client and portal access point configurations on the controller or service platform.
    0 <LINE>  Enter a clear-text key.
    2 <LINE>  Enter an encrypted key.
    <LINE>    Enter the pre-shared key. Pre-shared keys should be 8 - 64 characters in length.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#mesh client
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  mesh client
  beacon period 50
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no    Disables mesh mode operation of the selected radio

7.1.36.5.27 meshpoint
interface-config-radio-instance

Maps an existing meshpoint to this radio. Use this command to assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available. If using a dual-radio access point, there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533

Syntax
  meshpoint <MESHPOINT-NAME> {bss <1-16>}

Parameters
  meshpoint <MESHPOINT-NAME> {bss <1-16>}

  meshpoint <MESHPOINT-NAME>  Maps a meshpoint to this radio. Specify the meshpoint name.
  bss <1-16>                  Optional. Specifies the radio's BSS where this meshpoint is mapped
                                <1-16>  Specify the BSS number from 1 - 16.

Example
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#meshpoint test bss 7
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#show context
 interface radio1
  meshpoint test bss 7
rfs6000-37FABE(config-profile-ap71xxTest-radio1)#
Related Commands
  no    Disables meshpoint on the selected radio

7.1.36.5.28 mu-mimo
interface-config-radio-instance

Enables multi-user multiple input multiple output (MU-MIMO) support on the selected radio. When enabled, multiple users are able to simultaneously access the same channel using the spatial degrees of freedom offered by MIMO.

Supported in the following platforms:
  Access Points  AP7532, AP7562, AP81XX, AP8232, AP8432, AP8533

Syntax
  mu-mimo

Parameters
  None

Example
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#mu-mimo
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#show context include-factory | include mu-mimo
 mu-mimo
nx9500-6C8809(config-profile-TestAP81xx-if-radio1)#

ap7532-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio1)#mu-mimo
ap7532-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio1)#show context include-factory | include mu-mimo
 mu-mimo
ap7532-80C2AC(config-device-84-24-8D-80-C2-AC-if-radio1)#
Related Commands
  no    Disables mu-mimo on the selected radio

7.1.36.5.29 no
interface-config-radio-instance

Negates a command or resets settings to their default. When used in the profile/device > radio interface configuration mode, the no command disables or resets radio interface settings.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  no <PARAMETERS>

Parameters
  no <PARAMETERS>

  no <PARAMETERS>  Removes or reverts this radio interface's settings based on the parameters passed

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#no ?
  adaptivity                  Adaptivity
  aeroscout                   Use Default Aeroscout Multicast MAC Address
  aggregation                 Configure 802.11n aggregation related parameters
  airtime-fairness            Disable fair access to medium for clients, provide access in a round-robin mode
  antenna-diversity           Use single antenna for non-11n transmit rates
  antenna-downtilt            Reset ADEPT antenna mode
  antenna-elevation           Reset the antenna elevation of this radio to default
  antenna-gain                Reset the antenna gain of this radio to default
  antenna-mode                Reset the antenna mode (number of transmit and receive antennas) on the radio to its default
  assoc-response              Configure transmission parameters for Association Response frames
  association-list            Configure the association list for the radio
  beacon                      Configure beacon parameters
  bridge                      Bridge rf-mode related configuration
  channel                     Reset the channel of operation of this radio to default
  data-rates                  Reset radio data rate configuration to default
  description                 Reset the description of the radio to its default
  dfs-rehome                  Stay on dfs elected channel after evacuation period expires
  dynamic-chain-selection     Use the configured transmit antenna mode for all clients
  ekahau                      Use Default Ekahau Multicast MAC Address
  extended-range              Reset extended range to default
  fallback-channel            Clear the DFS fallback channel for this radio
  guard-interval              Configure default value of 802.11n guard interval (long: 800nSec)
  ldpc                        Configure support for Low Density Parity Check Code
  lock-rf-mode                Allow smart-rf to change rf-mode setting for this radio
  max-clients                 Maximum number of wireless clients allowed to associate
  mesh                        Disable mesh mode operation of the radio
  meshpoint                   Disable a meshpoint from this radio
  mu-mimo                     Disable multi user MIMO on this radio (selected platforms only)
  non-unicast                 Configure handling of non-unicast frames
  off-channel-scan            Disable off-channel scanning on the radio
  placement                   Reset the placement of the radio to its default
  power                       Reset the transmit power of this radio to default
  preamble-short              Disable the use of short-preamble on this radio
  probe-response              Configure transmission parameters for Probe Response frames
  radio-resource-measurement  Configure support for 802.11k Radio Resource Measurement
  radio-share-mode            Configure the radio-share mode of operation for this radio
  rate-selection              Monotonic rate selection
  rf-mode                     Reset the RF mode of operation for this radio to default (2.4GHz on radio1, 5GHz on radio2, sensor on radio3)
  rifs                        Configure Reduced Interframe Spacing (RIFS) parameters
  rts-threshold               Reset the RTS threshold to its default (65536)
  shutdown                    Re-enable the selected interface
  smart-rf                    Reset smart-rf related configuration to default
  sniffer-redirect            Disable capture and redirection of packets
  stbc                        Configure Space-Time Block Coding (STBC) parameters
  transmit-beamforming        Disable Transmit Beamforming
  use                         Set setting to use
  wips                        Wireless intrusion prevention related configuration
  wireless-client             Configure wireless client related parameters
  wlan                        Disable a wlan from this radio

  service                     Service Commands
rfs6000-37FABE(config-profile-ap71xxTest-if-radio1)#

The following example shows radio interface settings before the no commands are executed:
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  mesh client
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  beacon dtim-period bss 3 5
  beacon dtim-period bss 4 5
  beacon dtim-period bss 5 5
  beacon dtim-period bss 6 5
  beacon dtim-period bss 7 5
  beacon dtim-period bss 8 5
  beacon dtim-period bss 9 5
  beacon dtim-period bss 10 5
  beacon dtim-period bss 11 5
  beacon dtim-period bss 12 5
  beacon dtim-period bss 13 5
  beacon dtim-period bss 14 5
  beacon dtim-period bss 15 5
  beacon dtim-period bss 16 5
  antenna-gain 12.0
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-mode 2x2
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#

rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no channel
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no antenna-gain
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no description
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no antenna-mode
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no beacon dtim-period
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#no beacon period

The following example shows radio interface settings after the no commands are executed:
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  mesh client
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
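The following Python is an added example written for this section, not code from the CLI Reference Guide: it parses `show context` captures of a radio interface, reports which statements the no commands above removed, and checks the mesh entry's rules (links 1-6, preferred-peer priority and MAC, pre-shared key 8-64 characters, and the `psk 0` form meaning the key is stored in clear text). The prompt pattern it matches is an assumption taken from the prompts shown on this page, and the embedded captures are constructed, abbreviated from the before/after output above.

```python
"""Audit helpers for WiNG radio-interface 'show context' captures.

Added example, not code from the CLI Reference Guide: parses the statements
of an 'interface radioN' block, diffs two captures (the before/after output
of the no command example) and checks the mesh entry's rules (links 1-6,
preferred-peer priority 1-6 plus a MAC, psk 8-64 characters, 'psk 0' means
the key is stored in clear text).
"""
import re
from typing import Dict, List, Tuple

# Assumed prompt shape, e.g. rfs6000-37FABE(config-profile-...-if-radio1)#
PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#")
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")
ELIDED = "..."  # stands in for the guide's own '.....' elision lines


def parse_context(text: str) -> Tuple[str, List[str]]:
    """Return (interface, statements); drops prompts and --More--, keeps dot lines as ELIDED."""
    iface, stmts = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "--More--" or PROMPT_RE.match(line):
            continue
        if set(line) == {"."}:
            stmts.append(ELIDED)
        elif line.startswith("interface "):
            iface = line.split(None, 1)[1]
        else:
            stmts.append(line)
    return iface, stmts


def diff_context(before: str, after: str) -> Dict[str, List[str]]:
    """Statements removed and added between two captures, in capture order (elisions ignored)."""
    _, old = parse_context(before)
    _, new = parse_context(after)
    old_set, new_set = set(old), set(new)
    return {
        "removed": [s for s in old if s != ELIDED and s not in new_set],
        "added": [s for s in new if s != ELIDED and s not in old_set],
    }


def check_mesh(stmts: List[str]) -> List[str]:
    """Flag mesh statements that break the rules given in the mesh entry."""
    findings: List[str] = []
    for s in stmts:
        p = s.split()
        if len(p) < 3 or p[0] != "mesh":
            continue  # 'mesh client' / 'mesh portal' carry no value to check
        if p[1] == "links" and not 1 <= int(p[2]) <= 6:
            findings.append(f"{s}: links must be 1-6")
        elif p[1] == "preferred-peer":
            if not 1 <= int(p[2]) <= 6:
                findings.append(f"{s}: priority must be 1-6")
            if len(p) < 4 or not MAC_RE.match(p[3]):
                findings.append(f"{s}: expected an Ethernet MAC address")
        elif p[1] == "psk":
            if p[2] == "2":
                continue  # encrypted form: its length says nothing about the key
            if p[2] == "0":
                findings.append(f"{s}: pre-shared key stored in clear text")
            key = " ".join(p[3:] if p[2] == "0" else p[2:])
            if not 8 <= len(key) <= 64:
                findings.append(f"{s}: key must be 8-64 characters")
    return findings


# Constructed captures, abbreviated from the before/after example above.
BEFORE = """\
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  description "Primary radio to use"
  channel 1
  data-rates b-only
  mesh client
  beacon period 50
  beacon dtim-period bss 1 5
  beacon dtim-period bss 2 2
  ..............................................
  antenna-gain 12.0
  antenna-mode 2x2
  max-clients 100
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
"""
AFTER = """\
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  mesh client
  max-clients 100
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
"""

if __name__ == "__main__":
    print(diff_context(BEFORE, AFTER)["removed"])
    print(check_mesh(["mesh links 7", "mesh psk 0 short"]))
```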
7.1.36.5.30 non-unicast
interface-config-radio-instance

Configures support for forwarding of non-unicast (multicast and broadcast) frames on this radio

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  non-unicast [forwarding|queue|tx-rate]
  non-unicast forwarding [follow-dtim|power-save-aware]
  non-unicast queue [<1-200>|bss]
  non-unicast queue [<1-200>|bss <1-16> <1-200>]
  non-unicast tx-rate [bss <1-16>|dynamic-all|dynamic-basic|highest-basic|lowest-basic]
  non-unicast tx-rate bss <1-16> [dynamic-all|dynamic-basic|highest-basic|lowest-basic]

Parameters
  non-unicast forwarding [follow-dtim|power-save-aware]

  non-unicast forwarding  Enables non-unicast frame forwarding on this radio. Once enabled, select one of the available options to specify whether these frames should always follow DTIM, or only follow DTIM when using power save aware mode.
  follow-dtim             Specifies that frames always wait for the DTIM interval to time out. The DTIM interval is configured using the beacon command. This is the default setting.
  power-save-aware        Enables immediate forwarding of frames only if all associated wireless clients are in the power save mode

  non-unicast queue [<1-200>|bss <1-16> <1-200>]

  non-unicast queue       Enables non-unicast frame forwarding on this radio. Once enabled, specify the number of broadcast packets queued per BSS on this radio. This option is enabled by default. This command also enables you to override the default on a specific BSS.
  <1-200>                 Specify a number from 1 - 200. This value applies to all BSSs. The default is 50 frames per BSS.
  bss <1-16> <1-200>      Overrides the default on a specified BSS
                            <1-16>   Select the BSS number from 1 - 16.
                            <1-200>  Specify the number of broadcast packets queued for the selected BSS from 1 - 200.

  non-unicast tx-rate [bss <1-16>|dynamic-all|dynamic-basic|highest-basic|lowest-basic]

  non-unicast tx-rate     Enables non-unicast frame forwarding on this radio. Once enabled, use one of the available options to configure the rate at which these frames are transmitted.
  bss <1-16>              Overrides the default on a specified BSS
                            <1-16>  Select the BSS number from 1 - 16. The transmit rate selected is applied only to the BSS specified here. The tx-rate options are: dynamic-all, dynamic-basic, highest-basic, lowest-basic.
  dynamic-all             Dynamically selects a rate from all supported rates based on current traffic conditions
  dynamic-basic           Dynamically selects a rate from all supported basic rates based on current traffic conditions
  highest-basic           Uses the highest configured basic rate. This is the default setting.
  lowest-basic            Uses the lowest configured basic rate

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#non-unicast queue bss 2 3
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#non-unicast tx-rate bss 1 dynamic-all
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  mesh client
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
  non-unicast tx-rate bss 13 highest-basic
  non-unicast tx-rate bss 14 highest-basic
  non-unicast tx-rate bss 15 highest-basic
  non-unicast tx-rate bss 16 highest-basic
  non-unicast queue bss 1 50
  non-unicast queue bss 2 3
--More--
  antenna-diversity
  max-clients 100
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no    Resets the handling of non-unicast frames to its default

7.1.36.5.31 off-channel-scan
interface-config-radio-instance

Enables off channel scanning on this radio. This option is disabled by default. Channel scanning uses the access point's resources and is time consuming. Therefore, enable this option only if the radio has the bandwidth to support channel scans without negatively impacting client support.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  off-channel-scan {channel-list|max-multicast|scan-interval|sniffer-redirect}
  off-channel-scan {channel-list [2.4GHz|5GHz]} {<CHANNEL-LIST>}
  off-channel-scan {max-multicast <0-100>|scan-interval <2-100>}
  off-channel-scan {sniffer-redirect tzsp <IP>}

Parameters
  off-channel-scan {channel-list [2.4GHz|5GHz]} {<CHANNEL-LIST>}

  off-channel-scan            Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.
  channel-list [2.4GHz|5GHz]  Optional. Selects the 2.4 GHz or 5 GHz access point radio band. Restricting off channel scans to specific channels frees bandwidth otherwise utilized for scanning across all channels.
                                2.4GHz  Selects the 2.4 GHz band
                                5GHz    Selects the 5.0 GHz band
  <CHANNEL-LIST>              Optional. Specifies a list of 20 MHz, 40 MHz, or 80 MHz channels for the selected band (the channels are separated by commas or hyphens)

  off-channel-scan {max-multicast <0-100>|scan-interval <2-100>}

  off-channel-scan            Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.
  max-multicast <0-100>       Optional. Configures the maximum number of multicast/broadcast messages used to perform OCS
                                <0-100>  Specify a value from 0 - 100. The default is 4.
  scan-interval <2-100>       Optional. Configures the scan interval in DTIMs
                                <2-100>  Specify a value from 2 - 100. The default is 20 DTIMs.

  off-channel-scan {sniffer-redirect tzsp <IP>}

  off-channel-scan            Enables off-channel scanning and configures related parameters. These parameters are optional, and the system configures default settings if no values are specified.
  sniffer-redirect tzsp <IP>  Optional. Captures and redirects packets to a host running a packet capture/analysis tool. Use this command to configure the IP address of the host.
                                tzsp  Encapsulates captured packets in TZSP before redirecting them to the specified host
                                <IP>  Specify the destination device IP address.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#off-channel-scan channel-list 2.4GHz 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
  non-unicast tx-rate bss 13 highest-basic
  non-unicast tx-rate bss 14 highest-basic
  non-unicast tx-rate bss 15 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no    Disables radio off channel scanning

7.1.36.5.32 placement
interface-config-radio-instance

Defines the radio's location (whether the radio is deployed indoors or outdoors). The radio's placement should depend on the country of operation selected and its regulatory domain requirements for radio emissions.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  placement [indoor|outdoor]

Parameters
  placement [indoor|outdoor]

  placement  Defines the radio's location
  indoor     Radio is deployed indoors (uses indoor regulatory rules). This is the default setting.
  outdoor    Radio is deployed outdoors (uses outdoor regulatory rules)

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#placement outdoor
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
  non-unicast tx-rate bss 13 highest-basic
  non-unicast tx-rate bss 14 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no    Resets a radio's deployment location

7.1.36.5.33 power
interface-config-radio-instance

Configures the radio's transmit power setting. The transmit power control (TPC) mechanism automatically reduces the transmission output power used when other networks are within range. Reduced power results in reduced interference issues and increased battery capacity.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  power [<1-30>|smart]

Parameters
  power [<1-30>|smart]

  power   Configures a radio's transmit power
  <1-30>  Configures the transmit power from 1 - 30 dBm (actual power could be lower based on regulatory restrictions). For APs with two or three radios, each radio should be configured with a unique transmit power in respect to its intended client support function.
  smart   Enables Smart RF to determine the optimum transmit power needed. By default, APs use Smart RF to determine transmit power.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#power 12
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no    Resets a radio's transmit power

7.1.36.5.34 preamble-short
interface-config-radio-instance

Enables short preamble on this radio. If using an 802.11bg radio, enable short preamble. Short preambles improve throughput. However, some devices (SpectraLink phones) require long preambles. This option is disabled by default.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533

Syntax
  preamble-short

Parameters
  None

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#preamble-short
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  preamble-short
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
  non-unicast tx-rate bss 2 highest-basic
  non-unicast tx-rate bss 3 highest-basic
  non-unicast tx-rate bss 4 highest-basic
  non-unicast tx-rate bss 5 highest-basic
  non-unicast tx-rate bss 6 highest-basic
  non-unicast tx-rate bss 7 highest-basic
  non-unicast tx-rate bss 8 highest-basic
  non-unicast tx-rate bss 9 highest-basic
  non-unicast tx-rate bss 10 highest-basic
  non-unicast tx-rate bss 11 highest-basic
  non-unicast tx-rate bss 12 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no    Disables the use of short preamble on a radio

7.1.36.5.35 probe-response
interface-config-radio-instance

Configures transmission parameters for probe response frames

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  probe-response [rate|retry|rssi-threshold]
  probe-response retry
  probe-response rate [follow-probe-request|highest-basic|lowest-basic]
  probe-response rssi-threshold <-128--40>

Parameters
  probe-response retry

  probe-response retry  Enables retransmission of probe-response frames if no acknowledgement is received from the client. This option is enabled by default.

  probe-response rate [follow-probe-request|highest-basic|lowest-basic]

  probe-response rate   Configures the rates used for transmission of probe response frames. The tx-rate options available for transmitting probe response frames are: follow-probe-request, highest-basic, lowest-basic.
  follow-probe-request  Transmits probe responses at the same rate as the received request (default setting)
  highest-basic         Uses the highest configured basic rate
  lowest-basic          Uses the lowest configured basic rate

  probe-response rssi-threshold <-128--40>

  probe-response rssi-threshold  Ignores probe requests from a client if the received signal strength is less than the RSSI threshold specified here
                                   <-128--40>  Specify a value from -128 - -40.

Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response rate highest-basic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response retry
nx9500-6C8809(config-profile-testAP7161-if-radio1)#probe-response rssi-threshold -60
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  probe-response rate highest-basic
  probe-response rssi-threshold -60
nx9500-6C8809(config-profile-testAP7161-if-radio1)#
Related Commands
  no    Resets transmission parameters for probe response frames

7.1.36.5.36 radio-resource-measurement
interface-config-radio-instance

Enables 802.11k radio resource measurement. When enabled, the radio station sends channel and neighbor reports. The IEEE 802.11 Task Group k defined a set of specifications regarding radio resource measurements. These specifications specify the radio resources to be measured and the mechanism used to communicate measurement requests and results.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]

Parameters
  radio-resource-measurement [attenuation-threshold <1-199>|max-entries <1-12>]

  radio-resource-measurement     Enables 802.11k radio resource measurement on the radio
  attenuation-threshold <1-199>  Configures the neighbor attenuation threshold, considered when generating channel and neighbor reports
                                   <1-199>  Specify the attenuation threshold from 1 - 199. The default is 90.
  max-entries <1-12>             Configures the maximum number of entries to include in channel and neighbor reports
                                   <1-12>  Specify a value from 1 - 12. The default is 6.

Example
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#radio-resource-measurement max-entries 10
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#show context
 interface radio1
  radio-resource-measurement max-entries 10
  radio-resource-measurement attenuation-threshold 20
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-radio1)#
Related Commands
  no    Disables 802.11k radio resource measurement support

7.1.36.5.37 radio-share-mode
interface-config-radio-instance

Configures the radio's mode of operation as radio share. A radio operating in the radio share mode services clients and also performs sensor functions (defined by the radio's AirDefense Services Platform (ADSP) licenses and profiles).

NOTE: The sensor capabilities of the radio are restricted to the channel and WLANs defined on the radio.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533

Syntax
  radio-share-mode [inline|off|promiscuous]

Parameters
  radio-share-mode [inline|off|promiscuous]

  radio-share-mode  Enables sharing of packets, switched by this radio, with the WIPS sensor module. There are two radio-share modes: inline and promiscuous.
  inline            Enables sharing of all WLAN packets (matching the BSSID of the radio) serviced by the radio with the WIPS sensor module.
  off               Disables radio share (no packets are shared with the WIPS sensor module)
  promiscuous       Enables the promiscuous radio share mode. In this mode the radio is configured to receive all packets on the channel, irrespective of whether the destination address is the radio or not, and shares these packets with the WIPS sensor module for analysis (i.e. without filtering based on BSSID).

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#radio-share-mode promiscuous
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  power 12
  data-rates b-only
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  preamble-short
  guard-interval long
  .........................................................
  non-unicast queue bss 16 50
  antenna-diversity
  max-clients 100
  radio-share-mode promiscuous
  airtime-fairness prefer-ht weight 6
  lock-rf-mode
  extended-range 15
  antenna-downtilt
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
  no    Resets the radio share mode for this radio to its default

7.1.36.5.38 rate-selection
interface-config-radio-instance

Sets the data-rate selection mode to standard or opportunistic

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  rate-selection [opportunistic|standard]

Parameters
  rate-selection [opportunistic|standard]

  rate-selection  Sets the rate selection mode to standard or opportunistic
  standard        Configures the monotonic rate selection mode. This is the default setting.
  opportunistic   Configures the opportunistic radio link adaptation (ORLA) rate selection mode. The ORLA algorithm is designed to select data rates that provide the best throughput. Instead of using local conditions to decide whether a data rate is acceptable or not, ORLA pro-actively probes other rates to determine if greater throughput is available. If these other rates do provide improved throughput, ORLA intelligently adjusts its selection tables to favour higher performance. ORLA provides improvements both on the client side of a mesh network as well as in the backhaul capabilities.
                  Note: The ORLA rate selection mode is supported only on the AP7161 and AP8163 model access points.

Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
 interface radio1
  rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#
Related Commands
  no    Resets the rate selection mode to standard (monotonic)

7.1.36.5.39 rf-mode
interface-config-radio-instance

Configures the radio's RF mode of operation. This command sets the mode to either 2.4 GHz WLAN or 5.0 GHz WLAN support depending on the radio's intended client support. If you are currently licensed to use 4.9 GHz, configure the 4.9 GHz-WLAN option. Set the mode to sensor if using the radio for rogue device detection. The radio cannot support rogue detection when one of the other radios is functioning as a WIPS sensor. To set a radio as a detector, disable sensor support on the other access point radios.

Supported in the following platforms:
  Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
  rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]

Parameters
  rf-mode [2.4GHz-wlan|4.9GHz-wlan|5GHz-wlan|bridge|scan-ahead|sensor]

  rf-mode      Configures the radio's RF mode of operation
  2.4GHz-wlan  Provides WLAN service in the 2.4 GHz band
  4.9GHz-wlan  Provides WLAN service in the 4.9 GHz band
  5GHz-wlan    Provides WLAN service in the 5.0 GHz band
  bridge       Enables this radio to operate as a client bridge that can authenticate and associate to a defined infrastructure Wireless LAN (WLAN) access point
               Note: This option is applicable only on the AP6522, AP6562, AP7522, AP7532, and AP7562 model access points. Enable this option only if the access point is to provide client-bridge support. Once enabled, configure the client-bridge parameters. For more information, see bridge.
  scan-ahead   Enables this radio to operate as a scan-ahead radio. A radio functioning in the scan-ahead mode is used for forward scanning only. The radio does not support WLAN or mesh services. The scan ahead feature is used in Dynamic Frequency Selection (DFS) aware countries for infrastructure devices, static, and vehicular mounted modems (VMMs). It enables a secondary radio to scan ahead for an active channel for backhaul transmission, in the event of a radar trigger on the primary radio. The device then switches radios, allowing transmission to continue. This is required in environments where handoff is required and DFS triggers are common. With a secondary radio dedicated to forward scanning, the primary radio, in case of a radar hit, hands over the channel availability check (CAC) function to the secondary radio. This avoids a break in data communication, which would have resulted if the primary radio had to do the CAC itself. The secondary radio periodically scans the configured channel list, searching for the other available meshpoint roots. When configured on the root meshpoint, the scan-ahead feature also scans for cleaner channels.
  sensor       Operates as a sensor radio. Configures this radio to function as a scanner, providing scanning services on both the 2.4 GHz and 5.0 GHz bands. The radio does not provide WLAN services.

Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#rf-mode sensor
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
 interface radio1
  rf-mode sensor
  placement outdoor
  mesh client
  off-channel-scan channel-list 2.4GHz 1
  guard-interval long
  aggregation ampdu tx-only
  aeroscout forward
  ekahau forward ip 172.16.10.1 port 3
  non-unicast tx-rate bss 1 dynamic-all
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no           Resets the radio's RF mode of operation
data-rates   Configures the 802.11 data rates on this radio

7.1.36.5.40 rifs
interface-config-radio-instance
Configures Reduced Interframe Spacing (RIFS) parameters on this radio. This value determines whether reduced interframe spacing is applied to packets the access point transmits, packets it receives, both, or neither. Interframe spacing is the interval between two consecutive frames; it gives a brief recovery period between packets and lets target devices prepare for reception of the next packet.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
rifs [none|rx-only|tx-only|tx-rx]
Parameters
rifs [none|rx-only|tx-only|tx-rx]
rifs         Configures RIFS parameters
  none       Disables support for RIFS. Consider setting the value to none for high-priority traffic to reduce packet delay.
  rx-only    Supports RIFS on reception only
  tx-only    Supports RIFS on transmission only
  tx-rx      Supports RIFS on both transmission and reception (default setting)
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#rifs tx-only
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
 rf-mode sensor
 placement outdoor
 mesh client
 off-channel-scan channel-list 2.4GHz 1
 guard-interval long
 aggregation ampdu tx-only
 rifs tx-only
 aeroscout forward
 ekahau forward ip 172.16.10.1 port 3
 non-unicast tx-rate bss 1 dynamic-all
 non-unicast tx-rate bss 2 highest-basic
 non-unicast tx-rate bss 3 highest-basic
 non-unicast tx-rate bss 4 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no   Disables the radio's RIFS parameters

7.1.36.5.41 rts-threshold
interface-config-radio-instance
Configures the Request to Send (RTS) threshold value on this radio.
RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path.
The RTS threshold controls RTS/CTS by initiating an RTS/CTS exchange for data frames larger than the threshold, and sending any data frames smaller than the threshold without RTS/CTS. Consider the trade-offs when setting an appropriate RTS threshold for the WLAN's access point radios.
A lower RTS threshold causes more frequent RTS/CTS exchanges. This consumes more bandwidth because of the additional latency (RTS/CTS exchanges) before transmissions can commence. A disadvantage is the reduction in data-frame throughput. An advantage is quicker system recovery from electromagnetic interference and data collisions. Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold.
A higher RTS threshold minimizes RTS/CTS exchanges, consuming less bandwidth for data transmissions. A disadvantage is less help to nodes that encounter interference and collisions. An advantage is faster data-frame throughput. Environments with less wireless traffic and contention for transmission make the best use of a higher RTS threshold.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
rts-threshold <0-65536>
Parameters
rts-threshold <0-65536>
rts-threshold <0-65536>   Specify the RTS threshold value from 0 - 65536 bytes. The default is 65536 bytes.
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#rts-threshold 100
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
 rf-mode sensor
 placement outdoor
 mesh client
 rts-threshold 100
 off-channel-scan channel-list 2.4GHz 1
 guard-interval long
 aggregation ampdu tx-only
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no   Resets the radio's RTS threshold to its default

7.1.36.5.42 service
interface-config-radio-instance
Enables the dynamic low noise amplifier (LNA) control function. This function controls the performance of the radio receiver's LNAs. When enabled, the control function improves receiver performance on radio 1 in the presence of very strong received signals, such as those produced when the distance between the Wi-Fi client and the access point is within two (2) meters. Disabling the control function is a useful debugging step when uplink throughput is lower than expected and the AP-to-client separation is greater than two (2) meters. Disabling the control function does not affect the receive sensitivity of the radio.
Supported in the following platforms:
Access Points AP6522, AP6562
Syntax
service radio-lna [agc|ms]
Parameters
service radio-lna [agc|ms]
service radio-lna   Configures the dynamic LNA control function
  agc               Enables dynamic LNA control. This is the default setting.
  ms                Disables dynamic LNA control
Example
nx9500-6C8809(config-profile-testAP6522-if-radio1)#service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#show context
interface radio1
 service radio-lna ms
nx9500-6C8809(config-profile-testAP6522-if-radio1)#
Related Commands
no   Reverts radio-lna mode to its default (agc)

7.1.36.5.43 shutdown
interface-config-radio-instance
Shuts down the selected radio interface
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
shutdown
Parameters
None
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#shutdown
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no   Enables a disabled radio interface

7.1.36.5.44 smart-rf
interface-config-radio-instance
Overrides the Smart RF channel width setting on this radio. When configured, the radio ignores the Smart RF selected channel width and operates with the channel width configured using this command.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
smart-rf preferred-channel-width [20MHz|40MHz|80MHz]
Parameters
smart-rf preferred-channel-width [20MHz|40MHz|80MHz]
smart-rf preferred-channel-width   Configures the preferred channel width. The options are:
  20MHz    Sets 20 MHz as the preferred channel width
  40MHz    Sets 40 MHz as the preferred channel width
  80MHz    Sets 80 MHz as the preferred channel width (default setting)
Example
nx9500-6C8809(config-profile-testAP7161-if-radio1)#smart-rf preferred-channel-width 40MHz
nx9500-6C8809(config-profile-testAP7161-if-radio1)#show context
interface radio1
 smart-rf preferred-channel-width 40MHz
 rate-selection opportunistic
nx9500-6C8809(config-profile-testAP7161-if-radio1)#
Related Commands
no   Enables use of the Smart RF selected channel width

7.1.36.5.45 sniffer-redirect
interface-config-radio-instance
Captures packets on this radio and redirects them to an IP address running a packet capture/analysis tool
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w --------] {snap <1-65535> (append descriptor)}
Parameters
sniffer-redirect [omnipeek|tzsp] <IP> channel [1|10|100|100w --------] {snap <1-65535> (append descriptor)}
sniffer-redirect       Captures and redirects packets to an IP address running a packet capture/analysis tool
  omnipeek             Encapsulates captured packets in a proprietary header (used with OmniPeek and its plug-in)
  tzsp                 Encapsulates captured packets in TZSP (used with Wireshark and other tools)
  <IP>                 Specify the IP address of the device running the capture/analysis tool (the host to which captured off-channel-scan packets are redirected)
  channel [1|10|100|100w --------]   Specify the channel on which to capture packets
    1                  Channel 1 in 20 MHz mode (default setting)
    10                 Channel 10 in 20 MHz mode
    100                Channel 100 in 20 MHz mode
    100w               Channel 100w in 40 MHz mode (channels 100*, 104)
  snap <1-65535>       Optional. Truncates large captured frames at the specified length (in bytes). This option is useful when capturing traffic with large frames. Use it when only headers are needed for analysis, since it reduces the bandwidth needed for sniffing and (for typical values) eliminates fragmentation of the outer packet.
    <1-65535>          Specify the maximum truncated byte length of captured packets.
  append descriptor    Optional. Appends the radio's receive descriptor to the captured packet
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#sniffer-redirect omnipeek 172.16.10.1 channel 1
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
 rf-mode sensor
 placement outdoor
 mesh client
 rts-threshold 100
 off-channel-scan channel-list 2.4GHz 1
 guard-interval long
 aggregation ampdu tx-only
 rifs tx-only
 sniffer-redirect omnipeek 172.16.10.1 channel 1
 aeroscout forward
 ekahau forward ip 172.16.10.1 port 3
 non-unicast tx-rate bss 1 dynamic-all
 non-unicast tx-rate bss 2 highest-basic
 non-unicast tx-rate bss 3 highest-basic
 non-unicast tx-rate bss 4 highest-basic
 non-unicast tx-rate bss 5 highest-basic
 non-unicast tx-rate bss 6 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
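The tzsp option hands every captured frame to whatever is listening on the target host, so the host side needs a decoder that validates the framing before it trusts the frame. The script below is an added example, not code from this guide or from WiNG: it parses the TZSP layout that Wireshark dissects on UDP port 37008 (1-byte version, 1-byte type, 2-byte encapsulation, a TLV tag list closed by tag 1, then the raw 802.11 frame) and pulls the frame type and addresses out of the 802.11 header. Which optional radio tags a WiNG radio emits is an assumption, so unknown tags are kept as hex rather than rejected; the sample datagram is constructed, not captured from a device.

```python
# Added example, not from this guide: a receiver-side decoder for the datagrams
# a radio sends when configured with "sniffer-redirect tzsp <IP> channel <n>".
# Framing follows the TZSP layout Wireshark dissects (UDP 37008: 1-byte version,
# 1-byte type, 2-byte encapsulation, TLV tag list closed by tag 1, raw frame).
# Which optional tags WiNG emits is an assumption; unknown tags are kept as hex.
# The sample datagram is constructed, not captured from a WiNG device.
import struct
from dataclasses import dataclass
from typing import Dict

TZSP_PORT = 37008                  # 0x9090, the port Wireshark listens on
TZSP_VERSION = 1
TAG_PAD, TAG_END = 0x00, 0x01      # the only tags carried without a length byte
ENCAP_80211 = 0x12                 # encapsulation code for IEEE 802.11 frames
TAG_NAMES = {10: "signal_dbm", 11: "noise_dbm", 12: "rate", 13: "timestamp",
             17: "fcs_error", 18: "channel", 41: "original_length", 60: "sensor_mac"}
DOT11_TYPES = {0: "management", 1: "control", 2: "data", 3: "extension"}

class TzspError(ValueError):
    """Malformed datagram: reject it instead of letting one bad packet stop the collector."""

@dataclass
class TzspFrame:
    msg_type: int
    encap: int
    tags: Dict[int, bytes]
    payload: bytes                 # the captured frame exactly as the radio saw it

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_tzsp(datagram: bytes) -> TzspFrame:
    """Split a datagram into header, tag list and encapsulated frame, bounds-checked."""
    if len(datagram) < 4:
        raise TzspError("shorter than the 4-byte TZSP header")
    version, msg_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise TzspError(f"unsupported TZSP version {version}")
    pos, tags = 4, {}
    while True:                                    # walk TLVs until END
        if pos >= len(datagram):
            raise TzspError("tag list not terminated")
        tag, pos = datagram[pos], pos + 1
        if tag == TAG_PAD:
            continue
        if tag == TAG_END:
            break
        if pos >= len(datagram):
            raise TzspError(f"tag {tag} has no length byte")
        length, pos = datagram[pos], pos + 1
        if pos + length > len(datagram):           # check before slicing
            raise TzspError(f"tag {tag} overruns the datagram")
        tags[tag], pos = datagram[pos:pos + length], pos + length
    return TzspFrame(msg_type, encap, tags, datagram[pos:])

def decode_tags(tags: Dict[int, bytes]) -> Dict[str, object]:
    """Render the radio-header tags Wireshark knows; anything else stays hex."""
    out: Dict[str, object] = {}
    for tag, raw in tags.items():
        name = TAG_NAMES.get(tag, f"tag_{tag}")
        if tag in (10, 11):                        # signed dBm values
            out[name] = int.from_bytes(raw, "big", signed=True)
        elif tag in (12, 13, 17, 18, 41):          # unsigned big-endian values
            out[name] = int.from_bytes(raw, "big")
        else:
            out[name] = mac(raw) if tag == 60 else raw.hex()
    return out

def parse_dot11_header(frame: bytes) -> Dict[str, object]:
    """Type, subtype and addresses from an 802.11 MAC header."""
    if len(frame) < 10:
        raise TzspError("802.11 header truncated")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    hdr: Dict[str, object] = {"type": DOT11_TYPES[ftype], "subtype": subtype,
                              "addr1": mac(frame[4:10])}
    # ACK/CTS carry addr1 only and RTS adds addr2; non-control frames have three.
    if ftype != 1 and len(frame) >= 24:
        hdr["addr2"], hdr["addr3"] = mac(frame[10:16]), mac(frame[16:22])
    elif ftype == 1 and len(frame) >= 16:
        hdr["addr2"] = mac(frame[10:16])
    return hdr

# Constructed sample: one beacon from a made-up BSSID, heard at -60 dBm on channel 6.
SAMPLE_DATAGRAM = bytes([
    0x01, 0x00, 0x00, 0x12,        # version 1, type 0 (received), encap 0x0012 = 802.11
    0x0A, 0x01, 0xC4,              # tag 10 signal, length 1, 0xC4 = -60 dBm
    0x12, 0x01, 0x06,              # tag 18 channel, length 1, channel 6
    0x00, 0x01,                    # padding, then END
]) + bytes.fromhex(
    "8000" "0000"                  # frame control: management, subtype 8 (beacon); duration
    "ffffffffffff" "001122334455"  # addr1 broadcast, addr2 transmitter
    "001122334455" "1000"          # addr3 BSSID, sequence control
) + bytes(12)                      # timestamp, beacon interval, capability (zeroed)

if __name__ == "__main__":
    f = parse_tzsp(SAMPLE_DATAGRAM)
    print(decode_tags(f.tags), parse_dot11_header(f.payload))
```

To run it against a live redirect, bind a UDP socket on port 37008 on the host given as <IP> and pass each received datagram to parse_tzsp, dropping (and counting) anything that raises TzspError. TZSP carries no authentication or encryption, so restrict that port to the access point's address and leave the sniffer-redirect configured only for the duration of the investigation; a forgotten redirect keeps streaming over-the-air frames to that host.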
Related Commands
no   Disables packet capture and redirection

7.1.36.5.46 stbc
interface-config-radio-instance
Configures the radio's Space Time Block Coding (STBC) mode. STBC is a pre-transmission encoding scheme that improves the signal-to-noise ratio (SNR), even at a single RF receiver. STBC transmits multiple copies of a data stream across multiple antennas; the receiver combines the copies into one to recover the data from the signal. These redundant copies increase the odds of receiving a data stream that decodes correctly, especially in noisy environments.
NOTE: STBC requires that the radio has at least two antennas capable of transmitting two streams. If the antenna mode is configured as 1x1 (or falls back to 1x1 for some reason), STBC support is automatically disabled.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
stbc [auto|none|tx-only]
Parameters
stbc [auto|none|tx-only]
stbc         Configures the radio's STBC mode
  auto       Autoselects STBC settings based on the platform type and other radio interface settings. This is the default setting.
  none       Disables STBC support
  tx-only    Configures the AP radio to format and broadcast the special stream (enables STBC support for transmit only)
Example
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#stbc tx-only
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#show context
interface radio1
 stbc tx-only
rfs6000-37FABE(config-profile-81xxTestProfile-if-radio1)#
Related Commands
no   Disables STBC support

7.1.36.5.47 transmit-beamforming
interface-config-radio-instance
Enables transmit beamforming on this radio interface. This option is disabled by default.
When enabled, this option steers signals to peers in a specific direction to enhance signal strength and improve throughput amongst meshed devices (not clients). Each access point radio supports up to 16 beamforming capable mesh peers.
When enabled, a beamformer steers its wireless signals to its peers. A beamformee device assists the beamformer with channel estimation by providing a feedback matrix. The feedback matrix is a set of values sent by the beamformee to assist the beamformer in computing a steering matrix. A steering matrix is an additional set of values used by the beamformer to steer wireless signals so that they arrive constructively at the beamformee for better SNR and throughput. Any beamforming capable mesh peer connecting to a radio whose capacity is exhausted cannot enable beamforming itself.
Supported in the following platforms:
Access Points AP6522, AP6532, AP6562, AP8122, AP8132, AP8163, AP8432, AP8533
Syntax
transmit-beamforming
Parameters
None
Example
nx9500-6C8809(config-profile-testAP81XX-if-radio1)#transmit-beamforming
Related Commands
no   Disables transmit beamforming on this radio interface

7.1.36.5.48 use
interface-config-radio-instance
Applies an association ACL policy and a radio QoS policy on this radio interface.
An association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a controller managed access point radio. An ACL is a sequential collection of permit and deny conditions that apply to controller packets. When a packet is received on an interface, the controller compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. If a packet does not meet any of the criteria specified in the ACL, the packet is dropped. Because entries are evaluated in order, place specific deny entries ahead of broader permit entries; an entry placed after one that already covers it is never reached.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
use [association-acl-policy|radio-qos-policy]
use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]
Parameters
use [association-acl-policy <ASSOC-ACL-POLICY-NAME>|radio-qos-policy <RADIO-QOS-POLICY-NAME>]
use                            Applies an association ACL policy and a radio QoS policy on this radio interface
  association-acl-policy       Uses a specified association ACL policy with this radio interface
    <ASSOC-ACL-POLICY-NAME>    Specify the association ACL policy name (should be existing and fully configured).
  radio-qos-policy             Uses a specified radio QoS policy with this radio interface
    <RADIO-QOS-POLICY-NAME>    Specify the radio QoS policy name (should be existing and fully configured).
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#use association-acl-policy test
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
 rf-mode sensor
 placement outdoor
 mesh client
 rts-threshold 100
 off-channel-scan channel-list 2.4GHz 1
 guard-interval long
 aggregation ampdu tx-only
 rifs tx-only
 use association-acl-policy test
 sniffer-redirect omnipeek 172.16.10.1 channel 1
 aeroscout forward
 ekahau forward ip 172.16.10.1 port 3
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no   Dissociates the specified association ACL policy and radio QoS policy

7.1.36.5.49 wips
interface-config-radio-instance
Enables the access point to change its channel of operation in order to terminate rogue devices. The radio should be configured to provide WLAN service. This option is enabled by default.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
NOTE: AP7522 and AP7532 access points use Smart RF to perform off-channel scans. Therefore, ensure a Smart RF policy is configured and applied to the RF Domains of AP7522 and AP7532 access points to enable them to perform rogue detection and termination.
Syntax
wips airtime-termination allow-channel-change
Parameters
wips airtime-termination allow-channel-change
wips airtime-termination allow-channel-change   Enables the access point to change its channel of operation (to that of the rogue device) in order to terminate the rogue device
Example
nx9500-6C8809(config-profile-testAP81XX-if-radio1)#wips air-termination allow-channel-change
NOTE: The example transcript shows the keyword as air-termination while the syntax above lists airtime-termination; use ? in radio interface configuration mode to confirm the keyword accepted by your release.
Related Commands
no   Prevents the access point from changing its channel of operation in order to terminate rogue devices

7.1.36.5.50 wireless-client
interface-config-radio-instance
Configures wireless client parameters on this radio
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
wireless-client tx-power [<0-20>|mode]
wireless-client tx-power <0-20>
wireless-client tx-power mode [802.11d {wing-ie}|wing-ie {802.11d}]
Parameters
wireless-client tx-power <0-20>
wireless-client tx-power <0-20>   Configures the transmit power indicated to wireless clients. If using a dual or three radio model access point, each radio should be configured with a unique transmit power in respect to its intended client support function. A setting of 0 defines the radio as using Smart RF to determine its output power. 20 dBm is the default value.
  <0-20>       Specify the transmit power from 0 - 20 dBm.
wireless-client tx-power mode [802.11d {wing-ie}|wing-ie {802.11d}]
wireless-client tx-power mode   Configures how the transmit power is advertised to wireless clients
  802.11d      Advertises in the IEEE 802.11d country information element
    wing-ie    Optional. Also advertises in the WiNG information element (173)
  wing-ie      Advertises in the WiNG information element (173). This is the default setting.
    802.11d    Optional. Also advertises in the IEEE 802.11d country information element
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#wireless-client tx-power 20
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
 rf-mode sensor
 placement outdoor
 mesh client
 rts-threshold 100
 wireless-client tx-power 20
 off-channel-scan channel-list 2.4GHz 1
 guard-interval long
 aggregation ampdu tx-only
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no   Resets the transmit power indicated to wireless clients

7.1.36.5.51 wlan
interface-config-radio-instance
Enables a WLAN on this radio.
Use this command to configure WLAN/BSS mappings for an existing access point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available. If using a dual-radio access point, there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Syntax
wlan <WLAN-NAME> {bss|primary}
wlan <WLAN-NAME> {bss <1-16>} {primary}
Parameters
wlan <WLAN-NAME> {bss <1-16>} {primary}
wlan <WLAN-NAME>   Specify the WLAN name (it must have been already created and configured)
  bss <1-16>       Optional. Specifies the BSS to which the radio maps the WLAN
    <1-16>         Specify the BSS number from 1 - 16.
  primary          Optional. Uses the specified WLAN as the primary WLAN when multiple WLANs exist on the BSS
Example
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#wlan TestWLAN primary
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#show context
interface radio1
 rf-mode sensor
 placement outdoor
 mesh client
 rts-threshold 100
 wireless-client tx-power 20
 wlan TestWLAN bss 1 primary
 off-channel-scan channel-list 2.4GHz 1
 guard-interval long
 aggregation ampdu tx-only
 rifs tx-only
 use association-acl-policy test
 sniffer-redirect omnipeek 172.16.10.1 channel 1
 aeroscout forward
 ekahau forward ip 172.16.10.1 port 3
 non-unicast tx-rate bss 1 dynamic-all
 non-unicast tx-rate bss 2 highest-basic
--More--
rfs6000-37FABE(config-profile-71xxTestProfile-if-radio1)#
Related Commands
no   Disables a WLAN on a radio

7.1.36.6 interface-config-wwan-instance
interface
A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a device to connect, transmit and receive data over a cellular wide area network. The RFS4000 and RFS6000 each have a PCI Express card slot that supports 3G WWAN cards. The WWAN card uses the Point-to-Point Protocol (PPP) to connect to the Internet Service Provider (ISP) and gain access to the Internet. PPP is the protocol used for establishing Internet links over dial-up modems, DSL connections, and many other types of point-to-point communications. PPP packages your system's TCP/IP packets and forwards them to the serial device, where they can be put on the network. PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High-Level Data Link Control (HDLC) for packet encapsulation.
To switch to the WWAN interface configuration mode, use the following commands:
<DEVICE>(config)#profile <DEVICE-TYPE> <DEVICE-PROFILE-NAME>
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#interface wwan1
<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>-if-wwan1)#?
Interface configuration commands:
  apn           Enter the access point name provided by the service provider
  auth-type     Type of authentication, Eg chap, pap
  crypto        Encryption Module
  description   Port description
  ip            Internet Protocol (IP)
  no            Negate a command or set its defaults
  password      Enter password provided by the service provider
  shutdown      Disable wireless wan feature
  use           Set setting to use
  username      Enter username provided by the service provider

  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal

<DEVICE>(config-profile-<DEVICE-PROFILE-NAME>-if-wwan1)#
The following table summarizes WWAN interface configuration commands:

Command      Description                                                          Reference
apn          Configures the access point name provided by the service provider    page 7-328
auth-type    Configures the authentication type used on this interface            page 7-329
crypto       Associates a crypto map with this interface                          page 7-330
ip           Configures IP related settings on this interface                     page 7-331
no           Removes or reverts the WWAN interface settings                       page 7-332
password     Configures a password for this WWAN interface                        page 7-333
shutdown     Shuts down this WWAN interface                                       page 7-334
use          Associates an IP ACL with this interface                             page 7-335
username     Configures the user name used to access this interface               page 7-336

7.1.36.6.1 apn
interface-config-wwan-instance
Configures the Access Point Name (APN) provided by the cellular data service provider. This setting is needed in areas with multiple cellular data providers using the same protocols, such as Europe and Asia.
Supported in the following platforms:
Access Point AP7161, AP81XX, AP8232
Wireless Controllers RFS4000, RFS6000
Syntax
apn <WORD>
Parameters
apn <WORD>
apn <WORD>   Specify the access point name of the cellular data service provider.
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#apn AT&T
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
interface wwan1
 apn AT&T
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
Related Commands
no   Removes the configured access point name

7.1.36.6.2 auth-type
interface-config-wwan-instance
Configures the authentication type used by the cellular data provider
Supported in the following platforms:
Access Point AP7161, AP81XX, AP8232
Wireless Controllers RFS4000, RFS6000
Syntax
auth-type [chap|mschap|mschap-v2|pap]
Parameters
auth-type [chap|mschap|mschap-v2|pap]
auth-type      Configures the authentication protocol used on this interface. The options are: PAP, CHAP, MSCHAP, and MSCHAP-v2.
  chap         Configures Challenge-Handshake Authentication Protocol (CHAP). This is the default value.
  mschap       Configures Microsoft Challenge-Handshake Authentication Protocol (MSCHAP)
  mschap-v2    Configures Microsoft Challenge-Handshake Authentication Protocol (MSCHAP) version 2
  pap          Configures Password Authentication Protocol (PAP). PAP sends the password to the provider unprotected; use it only where the provider accepts nothing else.
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
interface wwan1
 apn AT&T
 auth-type mschap-v2
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
Related Commands
no   Removes the authentication protocol configured on this interface

7.1.36.6.3 crypto
interface-config-wwan-instance
Associates a crypto map with this interface
Supported in the following platforms:
Access Point AP7161, AP81XX, AP8232
Wireless Controllers RFS4000, RFS6000
Syntax
crypto map <CRYPTO-MAP-NAME>
Parameters
crypto map <CRYPTO-MAP-NAME>
crypto map <CRYPTO-MAP-NAME>   Associates a crypto map with this interface
  <CRYPTO-MAP-NAME>            Specify the crypto map name (should be existing and configured).
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#crypto map test
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
interface wwan1
 apn AT&T
 auth-type mschap-v2
 crypto map test
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
Related Commands
no   Removes the crypto map associated with this interface

7.1.36.6.4 ip
interface-config-wwan-instance
Configures IP related settings on this interface
Supported in the following platforms:
Access Point AP7161, AP81XX, AP8232
Wireless Controllers RFS4000, RFS6000
Syntax
ip [default-gateway|nat]
ip default-gateway priority <1-8000>
ip nat [inside|outside]
Parameters
ip default-gateway priority <1-8000>
ip default-gateway priority   Configures the priority of the default gateway learned over the wireless WAN
  <1-8000>     Specify a value from 1 - 8000. The default is 3000.
ip nat [inside|outside]
ip nat         Configures the NAT settings. This option is disabled by default.
  inside       Marks this WWAN interface as NAT inside. The inside network transmits data over the network to its intended destination. On the way out, the source IP address in the header is replaced by the (public) IP address.
  outside      Marks this WWAN interface as NAT outside. Packets passing through the NAT on the way back to the controller or service platform managed LAN are matched against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private IP address in order to reach the LAN over the network.
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#ip nat inside
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
interface wwan1
 apn AT&T
 auth-type mschap-v2
 crypto map test
 ip nat inside
 ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
Related Commands
no   Removes IP related settings on this interface

7.1.36.6.5 no
interface-config-wwan-instance
Removes or reverts the WWAN interface settings
Supported in the following platforms:
Access Point AP7161, AP81XX, AP8232
Wireless Controllers RFS4000, RFS6000
Syntax
no [all|apn|auth-type|crypto|description|ip|password|shutdown|use|username]
no [all|apn|auth-type|description|password|shutdown|username]
no crypto map
no ip [default-gateway priority|nat]
no use ip-access-list in
Parameters
no <PARAMETERS>
no <PARAMETERS>   Removes or reverts this WWAN interface's settings based on the parameters passed
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
Example
The following example displays the WWAN interface settings before the no commands are executed:
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
interface wwan1
 apn AT&T
 auth-type mschap-v2
 crypto map test
 ip nat inside
 ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#no apn
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#no auth-type
The following example displays the WWAN interface settings after the no commands are executed:
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
interface wwan1
 crypto map test
 ip nat inside
 ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
7.1.36.6.6 password
interface-config-wwan-instance
Configures a password for this WWAN interface. The configured value is used for authentication with the cellular data carrier.
Supported in the following platforms:
Access Point AP7161, AP81XX, AP8232
Wireless Controllers RFS4000, RFS6000
Syntax
password [2 <WORD>|<WORD>]
Parameters
password [2 <WORD>|<WORD>]
password      Configures a password for this WWAN interface
  2 <WORD>    Configures an already-encrypted password. Use this option when copy-pasting the password string from another device's configuration.
  <WORD>      Enter the password string (should not exceed 32 characters in length).
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#password 2 TechPubsTesting@123
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
interface wwan1
 password TechPubsTesting@123
 crypto map test
 ip nat inside
 ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
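The WWAN settings documented in these sections (auth-type, password, the crypto map, and the inbound IP ACL applied with use ip-access-list in) together with a radio's sniffer-redirect are the items a reviewer checks in an exported profile. The script below is an added example, not code from this guide or from WiNG: it groups the lines of a show context dump under each interface, as the transcripts above are laid out, and reports a sniffer-redirect left on a live radio, PAP on the cellular link, a carrier password entered in plain form, and a WWAN interface with no crypto map or inbound ACL. Both dumps are constructed from fragments on this page; the leading profile line and the rfs6000 device type are assumptions, and the weight given to each finding is this example's judgement rather than the guide's.

```python
# Added example, not from this guide: an offline audit of a WiNG "show context"
# dump for the radio and WWAN settings documented in this section. It groups the
# lines under each interface, then flags a sniffer-redirect left on a live radio,
# PAP on the cellular link, a carrier password kept in plain form, and a WWAN
# interface bound to no crypto map or inbound IP ACL. The two dumps are constructed
# from fragments on this page (the leading "profile ..." line is an assumption);
# the weight given to each finding is this example's judgement, not the guide's.
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    code: str
    interface: str
    detail: str

def parse_interfaces(context: str) -> Dict[str, List[str]]:
    """Group the indented lines under each 'interface <name>' heading."""
    blocks: Dict[str, List[str]] = {}
    current, base_indent = None, 0
    for raw in context.splitlines():
        if not raw.strip():
            continue
        indent, line = len(raw) - len(raw.lstrip()), raw.strip()
        if line.startswith("interface "):
            current, base_indent = line.split(None, 1)[1], indent
            blocks[current] = []
        elif current is not None and indent > base_indent:
            blocks[current].append(line)
        else:
            current = None                     # back at profile level
    return blocks

def audit(context: str) -> List[Finding]:
    findings: List[Finding] = []
    for name, lines in parse_interfaces(context).items():
        if "shutdown" in lines:
            continue                           # administratively down: nothing reachable
        if name.startswith("radio"):
            for line in lines:
                m = re.match(r"sniffer-redirect (omnipeek|tzsp) (\S+) channel (\S+)", line)
                if m:
                    findings.append(Finding("SNIFFER_REDIRECT", name,
                        f"channel {m.group(3)} frames forwarded to {m.group(2)} as {m.group(1)}; "
                        "remove once the capture is finished"))
        if name.startswith("wwan"):
            auth = next((l.split()[1] for l in lines if l.startswith("auth-type ")), "chap")
            if auth == "pap":                  # chap is the documented default
                findings.append(Finding("WWAN_PAP", name,
                    "PAP sends the carrier password unprotected; use chap or mschap-v2"))
            if any(l.startswith("password ") and not l.startswith("password 2 ") for l in lines):
                findings.append(Finding("WWAN_PASSWORD_IN_CONFIG", name,
                    "carrier password entered in plain form; treat show output and backups as secret"))
            if not any(l.startswith("crypto map ") for l in lines):
                findings.append(Finding("WWAN_NO_CRYPTO_MAP", name,
                    "no crypto map bound; encryption for this link must come from elsewhere"))
            if not any(l.startswith("use ip-access-list in ") for l in lines):
                findings.append(Finding("WWAN_NO_INBOUND_ACL", name,
                    "no inbound IP ACL on an Internet-facing interface"))
    return findings

# Constructed dump carrying each of the settings the audit flags.
WEAK_CONTEXT = """\
profile rfs6000 testRFS6000
 interface radio1
  rf-mode 2.4GHz-wlan
  wlan TestWLAN bss 1 primary
  sniffer-redirect tzsp 172.16.10.1 channel 1
 interface wwan1
  apn AT&T
  auth-type pap
  password TechPubsTesting@123
  ip nat inside
  ip default-gateway priority 1
"""

# Constructed dump with the corrected settings. radio2 keeps a sniffer-redirect but
# is shut down, so it raises nothing; the value after "password 2" stands in for the
# already-encrypted string that form expects.
HARDENED_CONTEXT = """\
profile rfs6000 testRFS6000
 interface radio1
  rf-mode 2.4GHz-wlan
  wlan TestWLAN bss 1 primary
  use association-acl-policy test
 interface radio2
  sniffer-redirect omnipeek 172.16.10.1 channel 1
  shutdown
 interface wwan1
  apn AT&T
  auth-type mschap-v2
  password 2 TechPubsTesting@123
  crypto map test
  use ip-access-list in test
  ip nat inside
  ip default-gateway priority 1
"""

if __name__ == "__main__":
    for label, ctx in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(label, [(f.interface, f.code) for f in audit(ctx)])
```

Feed it the output of show context taken in profile configuration mode (or the relevant section of show running-config); because the parser keys on indentation, paste the output unmodified.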
Related Commands no Removes the configured password Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 333 PROFILES 7.1.36.6.7 shutdown interface-config-wwan-instance Shuts down this WWAN interface. Use the no > shutdown command to re-start the WWAN interface. Supported in the following platforms:
 Access Points AP7161, AP81XX, AP8232
 Wireless Controllers RFS4000, RFS6000
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#shutdown
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  shutdown
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
Related Commands
 no  Restarts the WWAN interface

7.1.36.6.8 use
interface-config-wwan-instance
Associates an IP ACL with this interface. The ACL must already exist and be configured. It applies an IP-based firewall to all packets arriving on this interface, permitting or denying the single IP address or range of addresses it identifies.
Supported in the following platforms:
 Access Points AP7161, AP81XX, AP8232
 Wireless Controllers RFS4000, RFS6000
Syntax
use ip-access-list in <ACCESS-LIST-NAME>
Parameters
use ip-access-list in <ACCESS-LIST-NAME>
 use ip-access-list in <ACCESS-LIST-NAME>  Associates an inbound IPv4 ACL with this interface. The ACL is applied to inbound IPv4 traffic only; it does not filter IPv6 traffic, and it has no effect on traffic the device sends out over the interface. Because wwan1 is typically the carrier-facing uplink, this ACL is the filter that screens packets arriving from the cellular network. (IPv4 itself is a best-effort, connectionless delivery service; delivery guarantees, ordering and duplicate suppression are the job of a transport protocol such as TCP.)
 <ACCESS-LIST-NAME>                        Specify the IP ACL name.
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#use ip-access-list in test
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  use ip-access-list in test
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
Related Commands
 no  Removes the IP ACL associated with this interface

7.1.36.6.9 username
interface-config-wwan-instance
Configures the username this WWAN interface presents for authentication with the cellular data carrier.
Supported in the following platforms:
 Access Points AP7161, AP81XX, AP8232
 Wireless Controllers RFS4000, RFS6000
Syntax
username <WORD>
Parameters
username <WORD>
 username <WORD>  Configures the username used for authentication with the cellular data carrier
 <WORD>           Specify the username (should not exceed 32 characters).
Example
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#username TechPubsUser1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#show context
 interface wwan1
  username TechPubsUser1
  password TechPubsTesting@123
  crypto map test
  ip nat inside
  use ip-access-list in test
  ip default-gateway priority 1
nx9500-6C8809(config-profile-testRFS6000-if-wwan1)#
Related Commands
 no  Removes the configured username

7.1.36.7 interface-config-bluetooth-instance
interface
AP8432 and AP8533 model access points utilize a built-in Bluetooth chip for specific Bluetooth functions in a WiNG managed network. AP8432 and AP8533 models support both Bluetooth classic and Bluetooth low energy (BLE) technology. These platforms use their Bluetooth classic radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device class) to an ADSP server for intrusion detection. If device presence varies in an unexpected manner, ADSP can raise an alarm.

NOTE: AP8132 model access points support an external USB Bluetooth radio providing ADSP Bluetooth classic sensing functionality only, not the BLE beaconing functionality available on the AP8432 and AP8533 model access points described in this section.

AP8432 and AP8533 model access points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The access point's Bluetooth radio periodically sends non-connectable, undirected low-energy (LE) advertisement packets. These advertisement packets are short and are sent on the Bluetooth advertising channels in the frame formats defined by the iBeacon and Eddystone-URL specifications; portions of the advertising packet are customizable from the Bluetooth radio interface configuration context. Note that these advertisements are broadcast in the clear and carry no authentication: any receiver in range can read, record and replay the configured UUID, major/minor values or URL, so a beacon identifies a location, not a trusted device. To switch to this context, use the following commands:
<DEVICE>(config)#profile <ap8432/ap8533> <PROFILE-NAME>
<DEVICE>(config-profile-default-ap8432)#interface bluetooth ?
  <1-1>  Bluetooth interface index

The following example uses the default-ap8432 profile instance to configure the Bluetooth radio interface:

nx9500-6C8809(config-profile-default-ap8432)#interface bluetooth 1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#?
Bluetooth Radio Mode commands:
  beacon       Configure low-energy beacon operation parameters
  description  Configure a description for this bluetooth radio
  eddystone    Configure eddystone beacon payload parameters
  ibeacon      Configure iBeacon beacon payload parameters
  mode         Set the bluetooth operation mode
  no           Negate a command or set its defaults
  shutdown     Shutdown the selected bluetooth radio interface

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

Commands     Description                                                                                                                                                                         Reference
beacon       Configures the transmission pattern of the beacons the Bluetooth radio emits                                                                                                        page 7-339
description  Configures a description for the Bluetooth radio interface                                                                                                                          page 7-341
eddystone    Configures Eddystone beacon payload parameters. Configure these parameters if the operational mode is set to le-beacon and the beacon transmission pattern is set to eddystone-url1 or eddystone-url2.   page 7-342
ibeacon      Configures iBeacon beacon payload parameters. Configure these parameters if the operational mode is set to le-beacon and the beacon transmission pattern is set to ibeacon.          page 7-343
mode         Configures the Bluetooth radio's mode of operation                                                                                                                                   page 7-345
shutdown     Shuts down the selected Bluetooth radio interface                                                                                                                                    page 7-346
no           Removes or reverts to default this Bluetooth radio interface's settings                                                                                                              page 7-347

7.1.36.7.1 beacon
interface-config-bluetooth-instance
Configures the transmission pattern of the beacons emitted by Bluetooth radios operating in low energy beacon (le-beacon) mode. This option is applicable only if the Bluetooth radio's operational mode is set to le-beacon.
Supported in the following platforms:
 Access Points AP8432, AP8533
Syntax
beacon [pattern|period]
beacon pattern [eddystone-url1|eddystone-url2|ibeacon]
beacon period <100-10000>
Parameters
beacon pattern [eddystone-url1|eddystone-url2|ibeacon]
 beacon pattern [eddystone-url1|eddystone-url2|ibeacon]  When the mode is set to le-beacon, use this command to configure the transmission pattern of the beacons the Bluetooth radio emits. Select one of the following beacon patterns:
   eddystone-url1  Transmits an Eddystone-URL beacon using URL 1. This is the default setting.
   eddystone-url2  Transmits an Eddystone-URL beacon using URL 2.
                   An Eddystone-URL frame broadcasts a URL using a compressed encoding scheme so that it fits within the limited advertisement packet. Once decoded, the URL can be opened by a receiving client: if an Eddystone-URL beacon broadcasts https://anysite, clients receiving the packet can access that URL. If setting the transmission pattern to eddystone-url1 or eddystone-url2, use the eddystone keyword to configure the Eddystone beacon payload parameters. For more information, see eddystone.
   ibeacon         Transmits an iBeacon beacon. iBeacon was created by Apple for use in iOS devices (beginning with iOS version 7.0). Apple makes three data fields available to iOS applications: a Universally Unique Identifier (UUID) for device identification, a Major value for device class and a Minor value for more refined information such as product category. If setting the transmission pattern to ibeacon, use the ibeacon keyword to configure the iBeacon payload parameters. For more information, see ibeacon.
                   For more information on configuring the Bluetooth radio's operational mode, see mode.
beacon period <100-10000>
 beacon period <100-10000>  Configures the Bluetooth radio's beacon transmission period, in milliseconds, from 100 to 10000. The shorter the period, the more advertisement packets the radio transmits and the more CPU time it spends on them; the longer the period, the longer a scanning receiver may take to hear the beacon.
   <100-10000>  Specify a value from 100 to 10000 milliseconds. The default value is 1000 milliseconds.
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#beacon pattern eddystone-url2
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#beacon period 900
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  description AP8432-BLE-Radio1
  mode le-beacon
  beacon pattern eddystone-url2
  beacon period 900
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
 no  Removes or reverts to default this Bluetooth radio's beacon-related configuration

7.1.36.7.2 description
interface-config-bluetooth-instance
Configures a description for the Bluetooth radio interface, differentiating it from other Bluetooth radios within the same RF Domain.
Supported in the following platforms:
 Access Points AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
Syntax
description <WORD>
Parameters
description <WORD>
 description <WORD>  Configures a description for the access point's Bluetooth radio
 <WORD>              Provide a description that uniquely identifies this radio interface from other Bluetooth radios within the RF Domain (should not exceed 64 characters).
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#description AP8432-BLE-Radio1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  description AP8432-BLE-Radio1
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
 no  Removes this Bluetooth radio interface's description

7.1.36.7.3 eddystone
interface-config-bluetooth-instance
Configures Eddystone beacon payload parameters. Configure these parameters only if the Bluetooth radio interface's operational mode is set to le-beacon and the beacon transmission pattern is set to either eddystone-url1 or eddystone-url2.
Supported in the following platforms:
 Access Points AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
Syntax
eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>]
Parameters
eddystone [calibration-rssi <-127-127>|url [1|2] <WORD>]
 eddystone  If the beacon transmission pattern has been set to either eddystone-url1 or eddystone-url2, configure the following Eddystone parameters:
   calibration-rssi <-127-127>  Configures the Eddystone beacon's measured calibration signal strength, from -127 to 127 dBm, at 0 meters. Mobile devices can approximate their distance to a beacon from the received signal strength, but distance readings fluctuate because they depend on several external factors; the closer the device is to the beacon, the more accurate the reported distance. This setting is the projected signal strength at 0 meters carried in the frame's TX power field.
     <-127-127>  Specify a value from -127 to 127 dBm. The default value is -19 dBm.
   url [1|2] <WORD>  Configures the Eddystone URL as URL 1 or URL 2
     1  Selects Eddystone URL number 1
     2  Selects Eddystone URL number 2
     The following keyword is common to the eddystone-url1 and eddystone-url2 keywords:
     <WORD>  Enter the URL for eddystone-URL1 or eddystone-URL2 (64 characters maximum). The URL must be 18 characters or less once auto-encoding is applied. Eddystone-URL auto-encoding collapses the scheme prefix (http://, https://, http://www. or https://www.) to a single byte and does the same for common suffixes such as .com/ or .org; every other character costs one byte, so a long path or query string will not fit.
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  description AP8432-BLE-Radio1
  mode le-beacon
  beacon pattern eddystone-url2
  beacon period 900
  eddystone calibration-rssi -120
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
 no  Removes or reverts to default this Bluetooth radio's Eddystone beacon payload configuration

7.1.36.7.4 ibeacon
interface-config-bluetooth-instance
Configures iBeacon beacon payload parameters. Configure these parameters only if the Bluetooth radio interface's operational mode is set to le-beacon and the beacon transmission pattern is set to ibeacon.
Supported in the following platforms:
 Access Points AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
Syntax
ibeacon [calibration-rssi <-127-127>|major <0-65535>|minor <0-65535>|uuid <WORD>]
ibeacon [calibration-rssi <-127-127>|uuid <WORD>]
ibeacon [major|minor] <0-65535>
Parameters
ibeacon [calibration-rssi <-127-127>|major <0-65535>|minor <0-65535>|uuid <WORD>]
 ibeacon  Configures the following iBeacon payload parameters: calibration-rssi, major, minor and uuid
   calibration-rssi <-127-127>  Configures the iBeacon's measured calibration signal strength, from -127 to 127 dBm, at 1 meter. Mobile devices can approximate their distance to a beacon from the received signal strength, but distance readings fluctuate because they depend on several external factors; the closer the device is to the beacon, the more accurate the reported distance. This setting is the projected signal strength at 1 meter carried in the frame's measured power field.
     <-127-127>  Specify a value from -127 to 127 dBm. The default value is -60 dBm.
   major <0-65535>  Configures the iBeacon Major value from 0 to 65535. Major values identify and distinguish groups. For example, all beacons on a specific floor of a building could share one major value.
     <0-65535>  Specify a value from 0 to 65535. The default value is 1111.
   minor <0-65535>  Configures the iBeacon Minor value from 0 to 65535. Minor values identify and distinguish individual beacons within the group of beacons sharing a major value.
     <0-65535>  Specify a value from 0 to 65535. The default value is 2222.
   uuid <WORD>  Configures the 16-byte UUID. A UUID is conventionally written as 32 hexadecimal digits split into 5 dash-separated groups; this command takes the 32 hexadecimal digits without the dashes, for example f2468da65fa82e841134bc5b71e0893e. The UUID distinguishes the iBeacons in your network from beacons in networks outside your administration.
     <WORD>  Specify the UUID (32 hexadecimal characters). The default value is 01F101F101F101F101F101F101F101F1.
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon calibration-rssi -70
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon major 1110
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon minor 2210
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
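The following Python is an added example, not code from this guide or from the WiNG software. It builds the two advertisement payloads that the eddystone and ibeacon commands above parameterise, using the public Eddystone-URL and iBeacon frame layouts (an assumption about the on-air format, which the guide does not spell out) and the guide's own example values (UUID f2468da65fa82e841134bc5b71e0893e, major 1110, minor 2210, calibration-rssi -70 and -19). It goes one step beyond the text by enforcing the 18-byte post-encoding URL limit in code and by decoding a received advertisement, which is what a scanner on the receiving side has to do.

```python
"""Build and decode the BLE advertising payloads a WiNG Bluetooth radio emits in
le-beacon mode: Eddystone-URL (beacon pattern eddystone-url1/2) and iBeacon
(beacon pattern ibeacon). Frame layouts follow the public Eddystone-URL and
iBeacon specifications (assumed here); value limits are the ones in this guide."""
import struct

# Eddystone-URL scheme prefixes (first encoded byte) and the single-byte
# expansion codes the spec assigns to common suffixes.
SCHEMES = ["http://www.", "https://www.", "http://", "https://"]
EXPANSIONS = [".com/", ".org/", ".edu/", ".net/", ".info/", ".biz/", ".gov/",
              ".com", ".org", ".edu", ".net", ".info", ".biz", ".gov"]
MAX_ENCODED_URL = 18            # CLI rule: 18 bytes or less once auto-encoding is applied
EDDYSTONE_UUID = b"\xaa\xfe"    # service UUID 0xFEAA, little-endian on the air
APPLE_COMPANY_ID = b"\x4c\x00"  # 0x004C, little-endian on the air
FLAGS_AD = b"\x02\x01\x06"      # LE General Discoverable, BR/EDR not supported


def encode_eddystone_url(url: str) -> bytes:
    """Compress a URL into the Eddystone-URL encoding (scheme byte + body)."""
    for code, scheme in enumerate(SCHEMES):
        if url.startswith(scheme):
            body, out = url[len(scheme):], bytearray([code])
            break
    else:
        raise ValueError("URL must start with http:// or https://")
    i = 0
    while i < len(body):
        for ecode, text in enumerate(EXPANSIONS):   # ".com/" is tried before ".com"
            if body.startswith(text, i):
                out.append(ecode)
                i += len(text)
                break
        else:
            if not 0x21 <= ord(body[i]) <= 0x7E:      # everything else is reserved by the spec
                raise ValueError(f"character {body[i]!r} is not allowed in an Eddystone-URL")
            out.append(ord(body[i]))
            i += 1
    return bytes(out)


def decode_eddystone_url(encoded: bytes) -> str:
    """Inverse of encode_eddystone_url, rejecting reserved byte values."""
    if not encoded or encoded[0] >= len(SCHEMES):
        raise ValueError("bad scheme prefix byte")
    url = SCHEMES[encoded[0]]
    for b in encoded[1:]:
        if b < len(EXPANSIONS):
            url += EXPANSIONS[b]
        elif 0x21 <= b <= 0x7E:
            url += chr(b)
        else:
            raise ValueError(f"reserved byte 0x{b:02x} in Eddystone-URL")
    return url


def eddystone_url_adv(url: str, calibration_rssi: int) -> bytes:
    """Advertising payload: Flags, 16-bit service UUID list, Eddystone service data."""
    encoded = encode_eddystone_url(url)
    if len(encoded) > MAX_ENCODED_URL:
        raise ValueError(f"encoded URL is {len(encoded)} bytes, limit is {MAX_ENCODED_URL}")
    frame = b"\x10" + struct.pack("b", calibration_rssi) + encoded  # type 0x10, TX power at 0 m
    service_data = b"\x16" + EDDYSTONE_UUID + frame
    return FLAGS_AD + b"\x03\x03" + EDDYSTONE_UUID + bytes([len(service_data)]) + service_data


def ibeacon_adv(uuid_hex: str, major: int, minor: int, calibration_rssi: int) -> bytes:
    """Advertising payload: Flags plus Apple manufacturer-specific data."""
    if len(uuid_hex) != 32:
        raise ValueError("uuid must be 32 hexadecimal characters (no dashes)")
    if not (0 <= major <= 65535 and 0 <= minor <= 65535):
        raise ValueError("major and minor must be in 0-65535")
    if not -127 <= calibration_rssi <= 127:          # CLI range; carried as int8
        raise ValueError("calibration-rssi must be in -127..127 dBm")
    mfg = (b"\xff" + APPLE_COMPANY_ID + b"\x02\x15" + bytes.fromhex(uuid_hex)
           + struct.pack(">HHb", major, minor, calibration_rssi))  # measured power at 1 m
    return FLAGS_AD + bytes([len(mfg)]) + mfg


def parse_beacon(adv: bytes) -> dict:
    """Walk the AD structures of a received advertisement and classify the beacon."""
    i = 0
    while i < len(adv):
        length = adv[i]
        if length == 0 or i + 1 + length > len(adv):
            raise ValueError("malformed AD structure")
        ad_type, data = adv[i + 1], adv[i + 2:i + 1 + length]
        i += 1 + length
        if ad_type == 0x16 and data[:3] == EDDYSTONE_UUID + b"\x10":
            return {"kind": "eddystone-url", "tx_power": struct.unpack("b", data[3:4])[0],
                    "url": decode_eddystone_url(data[4:])}
        if ad_type == 0xFF and data[:4] == APPLE_COMPANY_ID + b"\x02\x15" and len(data) == 25:
            major, minor, power = struct.unpack(">HHb", data[20:25])
            return {"kind": "ibeacon", "uuid": data[4:20].hex(), "major": major,
                    "minor": minor, "tx_power": power}
    return {"kind": "unknown"}
```

Because neither frame carries any authentication, parse_beacon can tell you which UUID or URL a nearby radio is advertising, but not whether that radio is one of your access points: any device in range can replay the same bytes, so treat a matching UUID as a location hint, never as an access-control token.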
Related Commands
 no  Removes or reverts to default this Bluetooth radio's iBeacon beacon payload parameters

7.1.36.7.5 mode
interface-config-bluetooth-instance
Configures the Bluetooth radio interface's mode of operation as bt-sensor, le-beacon or le-tracking.
Supported in the following platforms:
 Access Points AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
Syntax
mode [bt-sensor|le-beacon|le-tracking]
Parameters
mode [bt-sensor|le-beacon|le-tracking]
 mode  Configures the Bluetooth radio interface's mode of operation. The options are:
   bt-sensor    Select this option to provide Bluetooth support for legacy devices. bt-sensors are Bluetooth classic sensors providing robust wireless connections for legacy devices. These connections are typically not suited to devices built for the newer Bluetooth low energy (BLE) technology. This is the default setting.
   le-beacon    Select this option to provide Bluetooth support for newer BLE devices. le-beacons are Bluetooth low energy beacons, ideal for applications requiring intermittent or periodic transfers of small amounts of data. le-beacons are not designed as replacements for classic beacon sensors. If selecting this option, use the beacon keyword to configure the beacon transmission period and transmission pattern.
   le-tracking  Select this option to provide Bluetooth support for BLE asset tracking. When enabled, the AP's Bluetooth radio detects BLE asset tags within the managed network and reports them to a back-end server (NSight server).
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#mode le-beacon
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
 no  Reverts this Bluetooth radio's mode of operation to the default

7.1.36.7.6 shutdown
interface-config-bluetooth-instance
Shuts down the selected Bluetooth radio interface.
Supported in the following platforms:
 Access Points AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#shutdown
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#
Related Commands
 no  Reverses shutdown (brings the interface up)

7.1.36.7.7 no
interface-config-bluetooth-instance
Removes or reverts to default this Bluetooth radio interface's settings.
Supported in the following platforms:
 Access Points AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533
Syntax
no [beacon|description|eddystone|ibeacon|mode|shutdown]
no beacon [pattern|period]
no description
no eddystone [calibration-rssi|url [1|2]]
no ibeacon [calibration-rssi|major|minor|uuid]
no mode
no shutdown
Parameters
no <PARAMETERS>
 no <PARAMETERS>  Removes or reverts to default this Bluetooth radio interface's settings based on the parameters passed
 <PARAMETERS>     Specify the parameters.
Example
The following example shows the AP8432 default profile's Bluetooth radio interface settings:

nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon calibration-rssi -70
  ibeacon major 1110
  ibeacon minor 2210
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no shutdown
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon minor
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#no ibeacon calibration-rssi

The following example shows the AP8432 default profile's Bluetooth radio interface settings after the no commands are executed (values reverted to their defaults no longer appear in the output):

nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#show context
 interface bluetooth1
  no shutdown
  mode le-beacon
  beacon pattern ibeacon
  ibeacon major 1110
  ibeacon uuid f2468da65fa82e841134bc5b71e0893e
nx9500-6C8809(config-profile-default-ap8432-if-bluetooth1)#

7.1.37 ip
Profile Config Commands
The following table summarizes the IP and NAT pool configuration commands:
Command                   Description                                                                                                                              Reference
ip                        Configures IP components, such as default gateway, DHCP, DNS server forwarding, name server, domain name, routing standards, etc.       page 7-349
nat-pool-config-instance  Invokes NAT pool configuration parameters                                                                                                page 7-355

7.1.37.1 ip
ip
Configures IPv4 routing components, such as default gateway, DHCP, DNS server forwarding, name server, domain name, routing standards, etc.
Supported in the following platforms:
 Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
ip [default-gateway|dhcp|dns-server-forward|domain-lookup|domain-name|igmp|name-server|nat|route|routing]
ip default-gateway [<IP>|<HOST-ALIAS-NAME>|failover|priority [dhcp-client <1-1800>|static-route <1-1800>]]
ip [dns-server-forward|domain-lookup|domain-name <DOMAIN-NAME>|name-server <IP>|routing]
ip dhcp client [hostname|persistent-lease]
ip igmp snooping {fast-leave|forward-unknown-multicast|querier}
ip igmp snooping {fast-leave|forward-unknown-multicast}
ip igmp snooping {querier} {max-response-time <1-25>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-3>}

NOTE: The ip igmp snooping command can also be configured in the bridge VLAN context. For example:
rfs7000-37FABE(config-device 00-15-70-37-FA-BE-bridge-vlan-1)#ip igmp snooping forward-unknown-multicast

ip nat [crypto|inside|outside|pool]
ip nat [crypto source pool|pool] <NAT-POOL-NAME>
ip nat [inside|outside] [destination|source]
ip nat [inside|outside] destination static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
ip nat [inside|outside] source [list|static]
ip nat [inside|outside] source static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
ip nat [inside|outside] source list <IP-ACCESS-LIST-NAME> interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address <IP>|interface <L3-IF-NAME>|overload|pool <NAT-POOL-NAME>)]
ip route <IP/M> [<IP>|<HOST-ALIAS-NAME>]
Parameters
ip default-gateway [<IP>|<HOST-ALIAS-NAME>|failover|priority [dhcp-client <1-1800>|static-route <1-1800>]]
 ip                   Configures IPv4 routing components
 default-gateway      Configures default gateway (next-hop router) parameters
   <IP>               Configures the default gateway's IP address
     <IP>             Specify the default gateway's IP address.
   <HOST-ALIAS-NAME>  Configures the host alias mapped to the required default gateway
     <HOST-ALIAS-NAME>  Specify the host alias name (must already exist and be configured). Host alias names begin with a $.
   failover           Configures failover to the gateway with the next higher priority when the current default gateway is unreachable (when multiple default gateways are configured). This option is enabled by default.
   priority [dhcp-client <1-1800>|static-route <1-1800>]  Configures default gateway priority
     dhcp-client <1-1800>   Defines the priority of the default gateway acquired by the DHCP client on the VLAN interface. The default setting is 1000.
     static-route <1-1800>  Defines the weight (priority) assigned to this static default route versus others that have been defined, to avoid potential congestion. The default setting is 100.
     The following keyword is common to the dhcp-client and static-route parameters:
     <1-1800>  Specify the priority from 1 to 1800 (the lower the value, the higher the priority). With the default values, a statically configured default gateway (100) is preferred over one learned through DHCP (1000).
ip [dns-server-forward|domain-lookup|domain-name <DOMAIN-NAME>|name-server <IP>|routing]
 ip                         Configures IPv4 routing components
 dns-server-forward         Enables DNS forwarding: DNS queries are forwarded to DNS servers outside the network. This option is disabled by default.
 domain-lookup              Enables domain lookup. When enabled, human-friendly domain names are resolved to numerical IP destination addresses. This option is enabled by default.
 domain-name <DOMAIN-NAME>  Configures a default domain name
   <DOMAIN-NAME>            Specify the domain name (should not exceed 64 characters in length).
 name-server <IP>           Configures the name server's IP address
   <IP>                     Specify the IP address of the name server.
 routing                    Enables IP routing of logically addressed packets from their source to their destination. IPv4 routing is enabled by default.
ip dhcp client [hostname|persistent-lease]
 ip                  Configures IPv4 routing components
 dhcp client         Configures the DHCP client and host
   hostname          Includes the hostname in the DHCP lease request sent by the client. This option is enabled by default.
   persistent-lease  Retains the last lease across reboots if the DHCP server is unreachable. A persistent DHCP lease assigns the device the same IP address and other network information each time it renews its lease. This option is disabled by default.
ip igmp snooping {fast-leave|forward-unknown-multicast}
 ip                           Configures IPv4 routing components
 igmp snooping                Configures IGMP snooping
   fast-leave                 Optional. Enables fast-leave processing. When enabled, leave messages are processed immediately and the host stops receiving the group's traffic without waiting for a group-specific query; because this also cuts off any other receiver behind the same port, configure it only where a single (wired) host is attached. This option is disabled by default. This feature is supported only on the AP7502, AP8232 and AP8533 model access points.
   forward-unknown-multicast  Optional. Floods unknown multicast data packets in the specified VLAN. This option is disabled by default.
ip igmp snooping {querier} {max-response-time <1-25>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-3>}
 ip                           Configures IPv4 routing components
 igmp snooping querier        Optional. Enables IGMP querier functionality for the specified VLAN. By default, the IGMP snooping querier is disabled.
   max-response-time <1-25>   Configures the maximum query response interval, in seconds, used in IGMP v2/v3 queries for the given VLAN. The default is 10 seconds.
   query-interval <1-18000>   Configures the querier's query interval in seconds. Specify a value from 1 to 18000 seconds. The default is 60 seconds.
   robustness-variable <1-7>  Configures the IGMP robustness variable from 1 to 7. The default is 2.
   timer expiry <60-300>      Configures the other-querier timeout value, in seconds, for the given VLAN. The default is 60 seconds.
   version <1-3>              Configures the IGMP query version for the given VLAN. The default is 3.
ip nat [crypto source pool|pool <NAT-POOL-NAME>]
 ip                                  Configures IPv4 routing components
 nat                                 Configures the NAT parameters
   crypto source pool <NAT-POOL-NAME>  Configures the NAT source address translation settings for IPsec tunnels
     <NAT-POOL-NAME>                 Specify a NAT pool name.
   pool <NAT-POOL-NAME>              Configures a pool of IP addresses for NAT
     <NAT-POOL-NAME>                 Specify a name for the NAT pool.
ip nat [inside|outside] destination static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
 ip                 Configures IPv4 routing components
 nat                Configures the NAT parameters
 [inside|outside]   Configures inside and outside address translation for the destination
   inside           Configures inside address translation
   outside          Configures outside address translation
   The following keywords are common to the inside and outside parameters:
   destination      Specifies destination address translation parameters
   static           Specifies a static NAT local-to-global mapping
   <ACTUAL-IP>      Specify the actual outside IP address to map.
   <1-65535>        Configures the actual outside port. Specify a value from 1 to 65535.
   [tcp|udp]        tcp configures a Transmission Control Protocol (TCP) port; udp configures a User Datagram Protocol (UDP) port
   <NATTED-IP>      Specify the outside NATed IP address.
   <1-65535>        Optional. Configures the outside NATed port. Specify a value from 1 to 65535.
ip nat [inside|outside] source static <ACTUAL-IP> <1-65535> [tcp|udp] [(<NATTED-IP> {<1-65535>})]
 ip                 Configures IPv4 routing components
 nat                Configures the NAT parameters
 [inside|outside]   Configures inside and outside address translation for the source
   inside           Configures inside address translation
   outside          Configures outside address translation
   The following keywords are common to the inside and outside parameters:
   source           Specifies source address translation parameters
   static           Specifies a static NAT local-to-global mapping
   <ACTUAL-IP>      Specify the actual inside IP address to map.
   <1-65535>        Configures the actual inside port. Specify a value from 1 to 65535.
   [tcp|udp]        tcp configures a Transmission Control Protocol (TCP) port; udp configures a User Datagram Protocol (UDP) port
   <NATTED-IP>      Specify the outside NATed IP address.
   <1-65535>        Optional. Configures the outside NATed port. Specify a value from 1 to 65535.
ip nat [inside|outside] source list <IP-ACCESS-LIST-NAME> interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1] [(address <IP>|interface <L3-IF-NAME>|overload|pool <NAT-POOL-NAME>)]
 ip                                 Configures IPv4 routing components
 nat                                Configures the NAT parameters
 [inside|outside]                   Configures inside and outside address translation for the source
 source list <IP-ACCESS-LIST-NAME>  Configures an access list describing the local addresses to translate; addresses the list does not permit are not translated by this rule
   <IP-ACCESS-LIST-NAME>            Specify the name of the IP access list.
 interface [<INTERFACE-NAME>|pppoe1|vlan <1-4094>|wwan1]  Selects the interface on which the translation applies. Select a layer 3 router interface or a VLAN interface.
   <INTERFACE-NAME>                 Selects a layer 3 interface. Specify the layer 3 router interface name.
   vlan <1-4094>                    Selects a VLAN interface. Specify the SVI VLAN ID of the interface.
   pppoe1                           Selects the PPP over Ethernet interface
   wwan1                            Selects the Wireless WAN interface
 The following keywords are recursive and common to all interface types:
   address <IP>                     Configures the interface IP address used as the translated (global) address
   interface <L3-IF-NAME>           Configures a wireless controller or service platform VLAN interface whose address is used as the translated address. Specify the SVI VLAN ID of the interface.
   overload                         Enables one global address to be shared by many local addresses (port address translation)
   pool <NAT-POOL-NAME>             Specifies the NAT pool from which translated addresses are drawn
     <NAT-POOL-NAME>                Specify the NAT pool name.
ip route <IP/M> [<IP>|<HOST-ALIAS-NAME>]
 ip                   Configures IPv4 routing components
 route <IP/M>         Configures a static route. Specify the IP destination prefix in the A.B.C.D/M format.
   <IP>               Specify the IP address of the gateway (next hop).
   <HOST-ALIAS-NAME>  Configures the host alias mapped to the required gateway
     <HOST-ALIAS-NAME>  Specify the host alias name (must already exist and be configured). Host alias names begin with a $.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#ip default-gateway 172.16.10.4
rfs6000-37FABE(config-profile-default-rfs6000)#ip dns-server-forward
rfs6000-37FABE(config-profile-default-rfs6000)#ip nat inside source list test interface vlan 1 pool pool1 overload
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 ip default-gateway 172.16.10.4
 autoinstall configuration
 autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 ........................................................
  qos trust 802.1p
 interface ge3
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 ip dns-server-forward
 ip nat inside source list test interface vlan1 pool pool1 overload
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#

Note that the default IKE proposals visible in this output negotiate Diffie-Hellman group 2 (1024-bit MODP) with SHA-1. Both are weak by current standards and should be replaced with stronger groups and hashes before the profile's IPsec tunnels are relied on.
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#?
Nat Policy Mode commands:
  address  Specify addresses for the nat pool
  no       Negate a command or set its defaults

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-37FABE(config-profile-default-rfs7000-nat-pool-pool1)

Related Commands
no  Disables or reverts settings to their default

7.1.37.2 nat-pool-config-instance
ip
Use the config-profile-<DEVICE-PROFILE-NAME> instance to configure Network Address Translation (NAT) pool settings. The following example uses the config-profile-default-rfs7000 instance to configure NAT pool settings:
rfs6000-37FABE(config-profile-default-rfs6000)#ip nat pool pool1
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#?
Nat Policy Mode commands:
  address  Specify addresses for the nat pool
  no       Negate a command or set its defaults

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)
The following table summarizes NAT pool configuration commands:
Command   Description                             Reference
address   Configures NAT pool addresses           page 7-356
no        Negates a command or sets its default   page 7-357

7.1.37.2.1 address
nat-pool-config-instance
Configures a NAT pool of IP addresses
Define a range of IP addresses hidden from the public Internet. NAT modifies network address information in the defined IP range while in transit across a traffic routing device. NAT only provides IP address translation and does not provide a firewall. A branch deployment with NAT by itself will not block traffic from being potentially routed through a NAT device. Consequently, NAT should be deployed with a stateful firewall.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
address [<IP>|range <START-IP> <END-IP>]
Parameters
address [<IP>|range <START-IP> <END-IP>]
address <IP>
  Adds a single IP address to the NAT pool
range <START-IP> <END-IP>
  Adds a range of IP addresses to the NAT pool
  <START-IP> Specify the starting IP address of the range.
  <END-IP> Specify the ending IP address of the range.
Example
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
ip nat pool pool1
 address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
Related Commands
no  Removes address(es) configured with this NAT pool

7.1.37.2.2 no
nat-pool-config-instance
Removes address(es) configured with this NAT pool
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
no address [<IP>|range <START-IP> <END-IP>]
Parameters
no address [<IP>|range <START-IP> <END-IP>]
no address [<IP>|range <START-IP> <END-IP>]
  Removes a single IP address or a range of IP addresses from this NAT pool
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.
Example
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
ip nat pool pool1
 address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#no address range 172.16.10.2 172.16.10.8
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#show context
ip nat pool pool1
rfs6000-37FABE(config-profile-default-rfs6000-nat-pool-pool1)#
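The pool address syntax above and the guide's note that NAT is not a firewall can both be checked mechanically before a profile is pushed. The following Python script is an added example, not code from the reference guide: it parses a constructed `show context`-style profile dump, validates NAT pool ranges, and flags `ip nat ... source list` rules that reference an undefined pool or live in a profile with no `use firewall-policy` line (the indentation handling and the firewall heuristic are assumptions).

```python
"""Audit the NAT lines of a WiNG profile configuration dump.

Added example; it is not code from the CLI reference guide. It reads a
`show context`-style profile listing (the sample below is constructed from
the guide's pool1 example plus deliberately broken entries) and reports:
  * NAT pool addresses that are malformed or ranges that are reversed,
  * `ip nat ... source list` rules referencing an undefined or empty pool,
  * address translation configured in a profile with no `use firewall-policy`
    line, since the guide states NAT is not a firewall.
The indentation handling and the firewall heuristic are assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass, field

POOL_RE = re.compile(r"^\s*ip nat pool (\S+)\s*$")
ADDR_RE = re.compile(r"^\s*address (?:range (\S+) (\S+)|(\S+))\s*$")
# Only the `pool <name> [overload]` form of the rule is handled here.
RULE_RE = re.compile(
    r"^\s*ip nat (inside|outside) source list (\S+) interface (\S+)"
    r"(?: pool (\S+))?(?: overload)?\s*$"
)


@dataclass
class NatPool:
    name: str
    entries: list = field(default_factory=list)   # (first, last) IPv4Address pairs
    problems: list = field(default_factory=list)


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_pools(lines):
    """Collect `ip nat pool` blocks; a line at or above the pool's indent ends the block."""
    pools, current, depth = {}, None, 0
    for raw in lines:
        line = raw.rstrip()
        if not line:
            continue
        if current is not None and _indent(line) <= depth:
            current = None
        m = POOL_RE.match(line)
        if m:
            current = pools.setdefault(m.group(1), NatPool(m.group(1)))
            depth = _indent(line)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            start, end, single = m.groups()
            if single:
                start = end = single
            try:
                lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
            except ValueError:
                current.problems.append(f"pool {current.name}: bad address in '{line.strip()}'")
                continue
            if lo > hi:
                current.problems.append(f"pool {current.name}: reversed range {lo} {hi}")
                continue
            current.entries.append((lo, hi))
    return pools


def audit_profile(text):
    """Return a list of human-readable findings for one profile dump."""
    lines = text.splitlines()
    pools = parse_pools(lines)
    findings = []
    for pool in pools.values():
        findings.extend(pool.problems)
        if not pool.entries:
            findings.append(f"pool {pool.name}: defines no usable addresses")
    has_firewall = any(l.strip().startswith("use firewall-policy") for l in lines)
    for line in lines:
        m = RULE_RE.match(line)
        if not m:
            continue
        direction, acl, iface, pool = m.groups()
        if pool is not None and pool not in pools:
            findings.append(f"{direction} NAT for list {acl} on {iface}: undefined pool {pool}")
        if not has_firewall:
            findings.append(f"{direction} NAT for list {acl} on {iface}: profile has no 'use firewall-policy'")
    return findings


# Constructed sample: pool1 mirrors the guide's example; pool2 and pool3 are broken on purpose.
SAMPLE_PROFILE = """\
profile rfs6000 default-rfs6000
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
 ip nat pool pool2
  address range 172.16.20.9 172.16.20.1
  address 172.16.20.300
 interface pppoe1
 use firewall-policy default
 ip nat inside source list test interface vlan1 pool pool1 overload
 ip nat inside source list guest interface vlan2 pool pool3 overload
"""

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```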
Related Commands
address  Configures NAT pool IP address(es)

7.1.38 ipv6
Profile Config Commands
Configures IPv6 routing components, such as default gateway, DNS server forwarding, name server, routing standards, etc. These IPv6 settings are applied to all devices using this profile. You can also configure IPv6 settings on a device, using the device's configuration mode.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
NOTE: The IPv6 settings configured at the profile/device level are global configuration settings and not interface-specific.
Syntax
ipv6 [default-gateway|dns-server-forward|hop-limit|mld|name-server|nd-reachable-time|neighbor|ns-interval|ra-convert|route|ula-reject-route|unicast-routing]
ipv6 [default-gateway <IPv6> {vlan <VLAN-ID>}|dns-server-forward|hop-limit <1-255>|name-server <IPv6>|nd-reachable-time <5000-3600000>|ns-interval <1000-3600000>|ula-reject-route|unicast-routing]
ipv6 ra-convert {throttle interval <3-1800> max-RAs <1-256>}
ipv6 mld snooping {forward-unknown-multicast|querier}
ipv6 mld snooping {forward-unknown-multicast}
ipv6 mld snooping {querier} {max-response-time <1-25000>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-2>}
ipv6 neighbor [<IPv6>|timeout]
ipv6 neighbor <IPv6> <MAC> [<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1] {dhcp-server|router}
ipv6 neighbor timeout <15-86400>
ipv6 route <DEST-IPv6-PREFIX/PREFIX-LENGTH> <IPv6-GATEWAY-ADDRESS> {vlan <VLAN-ID>}
Parameters
ipv6 [default-gateway <IPv6> {vlan <VLAN-ID>}|dns-server-forward|hop-limit <1-255>|name-server <IPv6>|nd-reachable-time <5000-3600000>|ns-interval <1000-3600000>|ula-reject-route|unicast-routing]
ipv6
  Configures IPv6 routing components
default-gateway <IPv6> {vlan <VLAN-ID>}
  Configures the IPv6 default gateway's address in the ::/0 format
  vlan <VLAN-ID> Optional. Specify the VLAN interface's ID through which the default gateway is accessible.
dns-server-forward
  Enables DNS server forwarding. This command enables the forwarding of DNS queries to DNS servers outside of the network. This feature is disabled by default.
hop-limit <1-255>
  Configures the IPv6 hop count limit
  <1-255> Specify a value between 1 - 255. The default is 64.
name-server <IPv6>
  Configures the IPv6 name server's address
  <IPv6> Specify the address of the IPv6 name server.
nd-reachable-time <5000-3600000>
  Configures the time, in milliseconds, that a neighbor is assumed to be reachable after having received neighbor discovery (ND) confirmation of its reachability
  <5000-3600000> Specify a value from 5000 - 3600000 milliseconds. The default is 30,000 milliseconds.
ns-interval <1000-3600000>
  Configures the interval, in milliseconds, between two consecutive retransmitted neighbor solicitation (NS) messages. NS messages are sent by a node to determine the link layer address of a neighbor, or to verify a neighbor is still reachable via a cached link-layer address.
  <1000-3600000> Specify a value from 1000 - 3600000. The default is 1000 milliseconds.
ula-reject-route
  Installs a "reject" route for Unique Local Address (ULA) prefixes. This ensures that site-border routers and firewalls do not forward packets with ULA source or destination addresses outside of the site, unless explicitly configured with routing information about specific /48 or longer Local IPv6 prefixes. This option is disabled by default. A ULA is an IPv6 address used in private networks for local communication within a site (for example a company, campus, or a set of branch office networks). These site local addresses are IPv6 addresses that fall in the block fc00::/7, defined in RFC 4193.
unicast-routing
  Enables IPv6 unicast routing. This feature is enabled by default.

ipv6 ra-convert {throttle interval <3-1800> max-RAs <1-256>}
ipv6
  Configures IPv6 routing components
ra-convert
  Enables conversion of multicast router advertisements (RAs) to unicast RAs at the dot11 layer. This feature is disabled by default.
  throttle Optional. Throttles multicast RAs before converting to unicast
  interval <3-1800> Throttles multicast RAs for a specified time period. Specify the interval from 3 - 1800 seconds. The default is 3 seconds.
  max-RAs <1-256> Specifies the maximum number of RAs per IPv6 router during the specified throttle interval. Specify a value from 1 - 256. The default is 1.

ipv6 mld snooping {forward-unknown-multicast}
ipv6
  Configures IPv6 routing components
mld snooping
  Enables multicast listener discovery (MLD) protocol snooping. This feature is disabled by default. When enabled, IPv6 devices (access point, wireless controller, or service platform) can examine MLD messages exchanged between hosts and multicast routers to discern which hosts are receiving multicast group traffic. Based on the information gathered, these devices forward multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces. This prevents VLANs from getting flooded with IPv6 multicast traffic.
  forward-unknown-multicast Optional. Enables unknown multicast forwarding. This feature is enabled by default.

ipv6 mld snooping {querier} {max-response-time <1-25000>|query-interval <1-18000>|robustness-variable <1-7>|timer expiry <60-300>|version <1-2>}
ipv6
  Configures IPv6 routing components
mld snooping
  Enables MLD protocol snooping
querier
  Optional. Enables the on-board MLD querier. When enabled, IPv6 devices send query messages to discover which network devices are members of a given multicast group. This option is disabled by default.
max-response-time <1-25000>
  Configures the MLD querier's maximum query response time. This is the time for which the querier waits before sending a responding report. Queriers use MLD reports to join and leave multicast groups and receive group traffic.
  <1-25000> Specify a value from 1 - 25000 milliseconds. The default is 10 milliseconds.
query-interval <1-18000>
  Configures the interval, in seconds, between two consecutive MLD querier queries
  <1-18000> Specify a value from 1 - 18000 seconds. The default is 60 seconds.
robustness-variable <1-7>
  Configures the MLD IGMP robustness variable. This value is used by the sender of a query. The robustness variable is an indication of how susceptible the subnet is to lost packets. MLD can recover from robustness variable minus 1 lost MLD packets.
  <1-7> Select a value from 1 - 7. The default is 2.
timer expiry <60-300>
  Configures the MLD other querier (any external querier) timeout
  <60-300> Specify a value from 60 - 300 seconds. The default is 60 seconds.
version <1-2>
  Configures the MLD querier's version. MLD version 1 is based on IGMP version 2 for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully backward compatible. IPv6 multicast uses MLD version 2.
  <1-2> Select the MLD version from 1 - 2. The default is 2.

ipv6 neighbor <IPv6> <MAC> [<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1] {dhcp-server|router}
ipv6
  Configures IPv6 routing components
neighbor
  Configures static IPv6 neighbor entries
<IPv6>
  Specify the IPv6 address for which a static neighbor entry is created.
<MAC>
  Specify the MAC address associated with the specified IPv6 address.
[<INTF-NAME>|pppoe1|vlan <1-4094>|wwan1]
  Specify the following interface settings:
  <INTF-NAME> Selects the layer 3 router interface. Specify the interface name.
  pppoe1 Selects the PPP over Ethernet interface
  vlan <1-4094> Selects the VLAN interface. Specify the VLAN interface index.
  wwan1 Selects the wireless WAN interface
{dhcp-server|router}
  After specifying the interface type, you can optionally specify the device type for this neighbor solicitation.
  dhcp-server Optional. States this neighbor entry is for a DHCP server
  router Optional. States this neighbor entry is for a router

ipv6 neighbor timeout <15-86400>
ipv6 neighbor
  Configures static IPv6 neighbor entries
timeout <15-86400>
  Configures the timeout, in seconds, for the static neighbor entries
  <15-86400> Specify a value from 15 - 86400 seconds. The default is 3600 seconds.

ipv6 route <DEST-IPv6-PREFIX/PREFIX-LENGTH> <IPv6-GATEWAY-ADDRESS> {vlan <VLAN-ID>}
ipv6
  Configures IPv6 routing components
route
  Configures the static routes. These routes are maintained in the IPv6 Forwarding Information Base (FIB). To view FIB6 routing entries, use the service > show fib6 > <TABLE-ID> command.
<DEST-IPv6-PREFIX/PREFIX-LENGTH>
  Specify the IPv6 destination prefix (IPv6 network) and the prefix length.
<IPv6-GATEWAY-ADDRESS>
  Specify the IPv6 gateway's address.
vlan <VLAN-ID>
  Optional. Specify the VLAN interface's ID (through which the default gateway is accessible). This parameter is needed only if the gateway address is a link local address.
Example
rfs6000-81742D(config-profile-TestRFS6000)#ipv6 default-gateway 2001:10:10:10:10:10:10:2
rfs6000-81742D(config-profile-TestRFS6000)#ipv6 dns-server-forward
rfs6000-81742D(config-profile-TestRFS6000)#ipv6 mld snooping
rfs6000-81742D(config-profile-TestRFS6000)#show context
profile rfs6000 TestRFS6000
 ipv6 mld snooping
 ipv6 dns-server-forward
 ipv6 default-gateway 2001:10:10:10:10:10:10:2
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
--More--
rfs6000-81742D(config-profile-TestRFS6000)#
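The ula-reject-route and route parameters above interact through longest-prefix matching: the fc00::/7 reject route only closes the ULA leak where no more specific static route overrides it. The following Python model is an added example, not code from the reference guide; it builds a small FIB from `ipv6 route`-style entries plus the guide's example default gateway, resolves destinations with and without the reject route, and flags ULA exceptions shorter than the /48 the guide calls for (the table layout and the "reject" pseudo next hop are assumptions).

```python
"""Model what `ipv6 ula-reject-route` does to a profile's IPv6 forwarding.

Added example; it is not code from the CLI reference guide. It builds a
small longest-prefix-match table from `ipv6 route` entries, optionally adds
the fc00::/7 reject route the command installs, and resolves destinations so
the difference between leaking and rejecting ULA traffic is visible. It
also flags ULA exceptions shorter than the /48 the guide calls for. The
table layout and the string "reject" as a pseudo next hop are assumptions.
"""
import ipaddress

ULA_BLOCK = ipaddress.IPv6Network("fc00::/7")   # RFC 4193 Unique Local Addresses
REJECT = "reject"


def is_ula(addr):
    return ipaddress.IPv6Address(addr) in ULA_BLOCK


def build_fib(static_routes, ula_reject_route, default_gateway=None):
    """static_routes: (prefix, gateway) pairs as given to `ipv6 route`.

    Returns a list of (network, next_hop) sorted longest prefix first.
    """
    fib = [(ipaddress.IPv6Network(prefix), gw) for prefix, gw in static_routes]
    if ula_reject_route:
        fib.append((ULA_BLOCK, REJECT))          # what the command installs
    if default_gateway:
        fib.append((ipaddress.IPv6Network("::/0"), default_gateway))
    fib.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return fib


def lookup(fib, dst):
    """Longest-prefix match; returns the next hop, REJECT, or None (no route)."""
    address = ipaddress.IPv6Address(dst)
    for network, next_hop in fib:
        if address in network:
            return next_hop
    return None


def ula_route_warnings(static_routes):
    """Flag ULA exceptions shorter than /48: a short route such as fd00::/16 beats
    the /7 reject route and re-opens the leak the reject route is meant to close."""
    warnings = []
    for prefix, gw in static_routes:
        network = ipaddress.IPv6Network(prefix)
        if network.subnet_of(ULA_BLOCK) and network.prefixlen < 48:
            warnings.append(f"ipv6 route {network} {gw}: ULA exception shorter than /48")
    return warnings


# Constructed scenario: the guide's example default gateway plus one /48 ULA site route.
DEFAULT_GATEWAY = "2001:10:10:10:10:10:10:2"
SITE_ROUTES = [("fd00:1234:5678::/48", "fe80::1")]


def demo():
    """Resolve the same destinations with and without ula-reject-route."""
    destinations = ["fd00:1234:5678::10", "fd00:9999::1", "2001:db8::1"]
    result = {}
    for flag in (False, True):
        fib = build_fib(SITE_ROUTES, flag, DEFAULT_GATEWAY)
        result[flag] = {dst: lookup(fib, dst) for dst in destinations}
    return result


if __name__ == "__main__":
    for flag, decisions in demo().items():
        print(f"ula-reject-route={'on' if flag else 'off'}")
        for dst, hop in decisions.items():
            print(f"  {dst:22} -> {hop}")
    for warning in ula_route_warnings([("fd00::/16", "fe80::2")]):
        print(warning)
```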
Related Commands
no  Disables or reverts IPv6 settings to their default

7.1.39 l2tpv3
Profile Config Commands
Defines the L2TPv3 settings for tunneling layer 2 payloads using VPNs
L2TPv3 is an IETF standard that defines the control and encapsulation protocol settings for tunneling layer 2 frames in an IP network (and access point profile) between two IP nodes. Use L2TPv3 to create tunnels for transporting layer 2 frames. L2TPv3 enables WiNG supported controllers and access points to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TPv3 tunnels can be defined between WiNG devices and other vendor devices supporting the L2TPv3 protocol.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|logging|manual-session|router-id [<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>]
l2tpv3 logging ip-address [<IP>|any] hostname [<HOSTNAME>|any] router-id [<IP>|<WORD>|any]
Parameters
l2tpv3 [hostname <HOSTNAME>|inter-tunnel-bridging|manual-session|router-id [<1-4294967295>|<IP>]|tunnel|udp-listen-port <1024-65535>]
l2tpv3
  Configures the L2TPv3 protocol settings for a profile
hostname <HOSTNAME>
  Configures the host name sent in the L2TPv3 signalling messages. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.
  <HOSTNAME> Specify the L2TPv3 specific host name.
inter-tunnel-bridging
  Enables inter tunnel bridging of packets. This feature is disabled by default.
manual-session
  Creates/modifies L2TPv3 manual sessions. For more information, see l2tpv3-manual-session-commands.
router-id [<1-4294967295>|<IP>]
  Configures the router ID sent in the L2TPv3 signaling messages. These signaling (AVP) messages help to identify tunneled peers.
  <1-4294967295> Configures the router ID in decimal format from 1 - 4294967295
  <IP> Configures the router ID in the IP address (A.B.C.D) format
tunnel
  Creates/modifies a L2TPv3 tunnel. For more information, see l2tpv3-tunnel-commands.
udp-listen-port <1024-65535>
  Configures the UDP port used to listen for incoming traffic
  <1024-65535> Specify the UDP port from 1024 - 65535 (default is 1701)

l2tpv3 logging ip-address [<IP>|any] hostname [<HOSTNAME>|any] router-id [<IP>|<WORD>|any]
l2tpv3
  Configures L2TPv3 protocol settings for a profile
logging
  Enables L2TPv3 tunnel event logging and debugging. When enabled, all events relating to Ethernet frames to and from bridge VLANs and physical ports on a specified IP address, host or router ID are logged. This option is disabled by default.
ip-address [<IP>|any]
  Configures the L2TPv3 peer tunnel IP address for which event logging is enabled. The options are:
  <IP> Specify the peer's IP address. L2TPv3 events are captured and logged for the specified peer.
  any The peer's IP address is not specified. Enables event logging for all incoming connections from any IP address.
hostname [<HOSTNAME>|any]
  Configures the L2TPv3 peer tunnel hostname for which event logging is enabled. The options are:
  <HOSTNAME> Specify the peer's host name. L2TPv3 events are captured and logged for the specified host.
  any The peer's hostname is not specified. Enables debugging for all incoming connections from any host.
router-id [<IP>|<WORD>|any]
  Configures the L2TPv3 tunnel router ID for which event logging is enabled. The options are:
  <IP> Specify the router ID in the IP address format.
  <WORD> Specify the router ID in the form of an integer or range. For example 100-200.
  any Router ID is not specified. Enables debugging for all incoming connections from any L2TPv3 router.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#l2tpv3 hostname l2tpv3Host1
rfs6000-37FABE(config-profile-default-rfs6000)#l2tpv3 inter-tunnel-bridging
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
.................................................
 l2tpv3 hostname l2tpv3Host1
 l2tpv3 inter-tunnel-bridging
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Negates L2TPv3 tunnel settings on this profile

7.1.40 l3e-lite-table
Profile Config Commands
Configures the L3e lite table aging time
The L3e Lite table stores information about destinations and their location within a specific IPSec tunnel. This enables quicker packet transmissions. The table is updated as nodes transmit packets.
Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
l3e-lite-table aging-time <10-1000000>
Parameters
l3e-lite-table aging-time <10-1000000>
l3e-lite-table aging-time <10-1000000>
  Configures the aging time in seconds. The aging time defines the duration a learned L3e entry (IP, VLAN) remains in the L3e Lite table before deletion due to lack of activity. The default is 300 seconds.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#l3e-lite-table aging-time 1000
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs7000 default-rfs7000
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
..........................................................
 interface ge4
  ip dhcp trust
  qos trust dscp
  qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 l3e-lite-table aging-time 1000
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Removes the L3e lite table aging time configuration

7.1.41 led
Profile Config Commands
Turns on and off access point LEDs
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
led {flash-pattern}
Parameters
led {flash-pattern}
led flash-pattern
  Optional. Enables LED flashing on the device using this profile. Select this option to flash an access point's LEDs in a distinct manner (different from its operational LED behavior). Enabling this feature allows an administrator to validate that an access point has received its configuration (perhaps remotely at the site of deployment) without having to log into the managing controller or service platform. This feature is disabled by default.
Example
rfs6000-37FABE(config-profile-RFS6000Test)#led flash-pattern
rfs6000-37FABE(config-profile-RFS6000Test)#show context
profile rfs6000 RFS6000Test
 no autoinstall configuration
 no autoinstall firmware
 led flash-pattern
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
--More--
rfs6000-37FABE(config-profile-RFS6000Test)#
Related Commands
no  Disables or reverts settings to their default

7.1.42 led-timeout
Profile Config Commands
Configures the LED-timeout timer in the device or profile configuration mode
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
led-timeout [<15-1440>|shutdown]
Parameters
led-timeout [<15-1440>|shutdown]
led-timeout [<15-1440>|shutdown]
  Sets the LED-timeout timer. The value provided here determines the interval (time to lapse) for which a device's LEDs are turned off after the last radio state change. For example, if set at 15 minutes, the LEDs are turned off for 15 minutes after the last radio state change.
  <15-1440> Specify a value from 15 - 1400 minutes. The default is 30 minutes.
  shutdown Shuts down the LED-timeout timer. The device LEDs are not turned off.
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout 25
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain default
 hostname nx9500-6C8809
 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
 no autogen-uniqueid
 ip default-gateway 192.168.13.2
 led-timeout 25
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#led-timeout shutdown
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain default
 hostname nx9500-6C8809
 license AAP 66069c24b3bb1259b34ff016c723a9e299dd408f0ff891e7c5f7e279a382648397d6b3e975e356a1
 license HTANLT 66069c24b3bb1259eb36826cab3cc83999dd408f0ff891e74b62b2d3594f0b3dde7967f30e49e497
 no autogen-uniqueid
 ip default-gateway 192.168.13.2
 led-timeout shutdown
 crypto ikev2 peer IKEv2Peer1
--More--
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Related Commands
no  Disables the LED-timeout timer

7.1.43 legacy-auto-downgrade
Profile Config Commands
Enables device firmware to auto downgrade when legacy devices are detected
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
legacy-auto-downgrade
Parameters
None
Example
rfs6000-37FABE(config-profile-default-rfs6000)#legacy-auto-downgrade
Related Commands
no  Prevents device firmware from auto downgrading when legacy devices are detected

7.1.44 legacy-auto-update
Profile Config Commands
Auto updates an AP7161 legacy access point's firmware
Supported in the following platforms:
Access Points: AP7161
Syntax
legacy-auto-update ap71xx image <FILE>
Parameters
legacy-auto-update ap71xx image <FILE>
legacy-auto-update
  Updates a legacy AP7161 access point's firmware
ap71xx
  Auto updates the legacy AP7161 firmware image
image <FILE>
  Sets the path to the firmware image
  <FILE> Specify the path and filename in the flash:/ap.img format.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#legacy-auto-update ap71xx image flash:/ap47d.img
Related Commands
no  Disables automatic legacy firmware upgrade

7.1.45 lldp
Profile Config Commands
Enables LLDP on this profile and configures LLDP settings
LLDP or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising (announcing) identity, capabilities, and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery. Both LLDP snooping and the ability to generate and transmit LLDP packets are provided. Information obtained via CDP and LLDP snooping is available in the UI. Information obtained using LLDP is provided during the adoption process, so the layer 2 device detected by the access point can be used as a criterion in the provisioning policy.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
lldp [holdtime|med-tlv-select|run|timer]
lldp [holdtime <10-1800>|run|timer <5-900>]
lldp med-tlv-select [inventory-management|power-management {auto}]
Parameters
lldp [holdtime <10-1800>|run|timer <5-900>]
lldp
  Enables LLDP on this profile and configures LLDP settings
holdtime <10-1800>
  Sets the holdtime for transmitted LLDP PDUs. This command specifies the time a receiving device holds information before discarding it.
  <10-1800> Specify a holdtime from 10 - 1800 seconds. The default is 180 seconds.
run
  Enables LLDP on this profile
timer <5-900>
  Sets the transmit interval. This command specifies the transmission frequency of LLDP updates in seconds.
  <5-900> Specify a transmit interval from 5 - 900 seconds. The default is 60 seconds.

lldp med-tlv-select [inventory-management|power-management {auto}]
lldp
  Enables LLDP on this profile and configures LLDP settings
med-tlv-select [inventory-management|power-management {auto}]
  Provides additional media endpoint device TLVs to enable inventory and power management discovery. Specifies the LLDP MED TLVs to send or receive.
  inventory-management Enables inventory management discovery. Allows an endpoint to convey detailed inventory information about itself. This information includes details such as manufacturer, model, software version, etc. This option is enabled by default.
  power-management Enables extended power via MDI discovery. Allows endpoints to convey power information, such as how the device is powered, power priority, etc.
  auto Optional. Assigns a default value based on device type
Example
rfs6000-37FABE(config-profile-default-rfs6000)#lldp timer 20
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
...........................................
 use firewall-policy default
 ip dns-server-forward
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
 ip nat inside source list test interface vlan1 pool pool1 overload
 lldp timer 20
--More--
rfs6000-37FABE(config-profile-default-rfs7000)#
Related Commands
no  Disables LLDP on this profile

7.1.46 load-balancing
Profile Config Commands
Configures load balancing parameters.
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
load-balancing [advanced-params|balance-ap-loads|balance-band-loads|balance-channel-loads|band-control-strategy|band-ratio|group-id|neighbor-selection-strategy]
load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load|equality-margin|hiwater-threshold|max-neighbors|max-preferred-band-load|min-common-clients|min-neighbor-rssi|min-probe-rssi]
load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load] [client-weightage|throughput-weightage] <0-100>
load-balancing advanced-params equality-margin [2.4GHz|5GHz|ap|band] <0-100>
load-balancing advanced-params hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100>
load-balancing advanced-params max-preferred-band-load [2.4GHz|5GHz] <0-100>
load-balancing advanced-params [max-neighbors <0-16>|min-common-clients <0-256>|min-neighbor-rssi <-100-30>|min-probe-rssi <-100-30>]
load-balancing [balance-ap-loads|balance-band-loads|balance-channel-loads [2.4GHz|5GHz]]
load-balancing band-control-strategy [distribute-by-ratio|prefer-2.4GHz|prefer-5GHz]
load-balancing band-ratio [2.4GHz|5GHz] [0|<1-10>]
load-balancing group-id <GROUP-ID>
load-balancing neighbor-selection-strategy [use-common-clients|use-roam-notification|use-smart-rf]
Parameters
load-balancing advanced-params [2.4GHz-load|5GHz-load|ap-load] [client-weightage|throughput-weightage] <0-100>
load-balancing advanced-params
  Configures advanced load balancing parameters
2.4GHz-load [client-weightage|throughput-weightage] <0-100>
  Configures 2.4 GHz load calculation weightages
  client-weightage  Specifies the weightage assigned to the client count when calculating the 2.4 GHz load
  throughput-weightage  Specifies the weightage assigned to throughput when calculating the 2.4 GHz load
  The following keyword is common to the client-weightage and throughput-weightage parameters:
  <0-100>  Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%.
5GHz-load [client-weightage|throughput-weightage] <0-100>
  Configures 5.0 GHz load calculation weightages
  client-weightage  Specifies the weightage assigned to the client count when calculating the 5.0 GHz load
  throughput-weightage  Specifies the weightage assigned to throughput when calculating the 5.0 GHz load
  The following keyword is common to the client-weightage and throughput-weightage parameters:
  <0-100>  Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%.
ap-load [client-weightage|throughput-weightage] <0-100>
  Configures AP load calculation weightages
  client-weightage  Specifies the weightage assigned to the client count when calculating the AP load
  throughput-weightage  Specifies the weightage assigned to throughput when calculating the AP load
  The following keyword is common to the client-weightage and throughput-weightage parameters:
  <0-100>  Sets the margin as a load percentage from 1 - 100. The default client-weightage is 90%. The default throughput-weightage is 10%.
load-balancing advanced-params equality-margin [2.4GHz|5GHz|ap|band] <0-100>
load-balancing advanced-params equality-margin [2.4GHz|5GHz|ap|band] <0-100>
  Configures the maximum load difference considered equal. The load is compared for different 2.4 GHz channels, 5.0 GHz channels, APs, or bands.
  2.4GHz  Configures the maximum load difference considered equal when comparing loads on different 2.4 GHz channels
  5GHz  Configures the maximum load difference considered equal when comparing loads on different 5.0 GHz channels
  ap  Configures the maximum load difference considered equal when comparing loads on different APs
  band  Configures the maximum load difference considered equal when comparing loads on different bands
  The following keyword is common to 2.4 GHz channels, 5.0 GHz channels, APs, and bands:
  <0-100>  Sets the margin as a load percentage from 1 - 100. The default equality-margin for 2.4 GHz, 5.0 GHz, ap, and band loads is 1%.
load-balancing advanced-params hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100>
load-balancing advanced-params hiwater-threshold [ap|channel-2.4GHz|channel-5GHz] <0-100>
  Configures the load beyond which load balancing is invoked. Select one of the following options:
  ap  Configures the AP load beyond which load balancing begins
  channel-2.4GHz  Configures the AP load beyond which load balancing begins (for APs on a 2.4 GHz channel)
  channel-5GHz  Configures the AP load beyond which load balancing begins (for APs on a 5.0 GHz channel)
  The following keyword is common to the ap, channel-2.4GHz, and channel-5GHz parameters:
  <0-100>  Sets the load threshold as a number from 1 - 100. The default hiwater-threshold for channel-2.4GHz, channel-5GHz, and ap loads is 5.
load-balancing advanced-params max-preferred-band-load [2.4GHz|5GHz] <0-100>
load-balancing advanced-params max-preferred-band-load [2.4GHz|5GHz] <0-100>
  Configures the maximum load on the preferred band, beyond which the other band is equally preferred. Select one of the following options:
  2.4GHz  Configures the maximum load on 2.4 GHz, when it is the preferred band
  5GHz  Configures the maximum load on 5.0 GHz, when it is the preferred band
  The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
  <0-100>  Configures the maximum load as a percentage from 0 - 100. The default value for 2.4GHz and 5GHz is 75%.
load-balancing advanced-params [max-neighbors <0-16>|min-common-clients <0-256>|min-neighbor-rssi <-100-30>|min-probe-rssi <-100-30>]
load-balancing advanced-params max-neighbors <0-16>
  Configures the maximum number of confirmed neighbors to balance
  <0-16>  Specify a value from 0 - 16. Optionally configure a minimum of 0 neighbors and a maximum of 16 neighbors. The default is 16.
min-common-clients <0-256>
  Configures the minimum number of common clients that can be shared with the neighbor for load balancing
  <0-256>  Specify a value from 0 - 256. Optionally configure a minimum of 0 clients and a maximum of 256 clients. The default is 0.
min-neighbor-rssi <-100-30>
  Configures the minimum signal strength (RSSI) of a neighbor detected
  <-100-30>  Sets the signal strength in dBm. Specify a value from -100 - 30 dBm. The default is -65 dBm.
min-probe-rssi <-100-30>
  Configures the minimum received probe signal strength required to qualify the sender as a common client
  <-100-30>  Sets the signal strength in dBm. Specify a value from -100 - 30 dBm. The default is -100 dBm.
load-balancing [balance-ap-loads|balance-band-loads|balance-channel-loads [2.4GHz|5GHz]]
load-balancing
  Configures the following load balancing parameters: ap-loads, band-loads, and channel-loads.
balance-ap-loads
  Enables neighbor AP load balancing. This option distributes the access point's radio load amongst other controller managed access point radios. This option is disabled by default.
balance-band-loads
  Enables balancing of the total band load amongst neighbors. This option balances the access point's radio load by assigning a ratio to both the 2.4 GHz and 5.0 GHz bands. Balancing radio load by band ratio allows an administrator to assign a greater weight to radio traffic on either the 2.4 GHz or 5.0 GHz band. This option is disabled by default.
balance-channel-loads [2.4GHz|5GHz]
  Enables the following:
  2.4GHz  Channel load balancing on the 2.4 GHz band. This option is disabled by default. Balances the access point's 2.4 GHz radio load across channels supported within the country of deployment. This can prevent congestion on the 2.4 GHz radio if a channel is over utilized.
  5GHz  Channel load balancing on the 5.0 GHz band. This option is disabled by default. Balances the access point's 5.0 GHz radio load across channels supported within the country of deployment. This can prevent congestion on the 5.0 GHz radio if a channel is over utilized.
load-balancing band-control-strategy [distribute-by-ratio|prefer-2.4GHz|prefer-5GHz]
load-balancing band-control-strategy
  Configures a band control strategy. By default, this option steers 5.0 GHz-capable clients to the 5.0 GHz band. When an access point hears a request from a client to associate on both the 2.4 GHz and 5.0 GHz bands, it knows the client is capable of operation in 5.0 GHz. Band steering steers the client by responding only to the 5.0 GHz association request and not the 2.4 GHz request. Consequently, the client only associates in the 5.0 GHz band.
  distribute-by-ratio  Distributes clients to either band according to the band-ratio
  prefer-2.4GHz  Nudges all dual-band clients to the 2.4 GHz band
  prefer-5GHz  Nudges all dual-band clients to the 5.0 GHz band. This is the default setting.
load-balancing band-ratio [2.4GHz|5GHz] [0|<1-10>]
load-balancing band-ratio
  Configures the relative loading of the 2.4 GHz band and 5.0 GHz band. This allows an administrator to weight client traffic load when wishing to prioritize client traffic load on the 2.4 GHz or 5.0 GHz radio band. The higher the value set, the greater the weight assigned to radio traffic load on the 2.4 GHz or 5.0 GHz radio band.
  2.4GHz [0|<1-10>]  Configures the relative loading of the 2.4 GHz band
    0  Selecting 0 steers all dual-band clients preferentially to the other band
    <0-10>  Configures a relative load as a number from 0 - 10. The default is 0.
  5GHz [0|<1-10>]  Configures the relative loading of the 5.0 GHz band
    0  Selecting 0 steers all dual-band clients preferentially to the other band
    <0-10>  Configures a relative load as a number from 0 - 10. The default is 1.
load-balancing group-id <GROUP-ID>
load-balancing group-id <GROUP-ID>
  Configures a group ID to facilitate load balancing
  <GROUP-ID>  Specify the group ID. This option is enabled only when a group ID is configured.
load-balancing neighbor-selection-strategy [use-common-clients|use-roam-notification|use-smart-rf]
load-balancing neighbor-selection-strategy
  Configures a neighbor selection strategy. The options are: use-common-clients, use-roam-notification, and use-smart-rf.
  use-common-clients  Selects neighbors based on probes from clients common to neighbors. This option is enabled by default.
  use-roam-notification  Selects neighbors based on roam notifications from roamed clients. This option is enabled by default.
  use-smart-rf  Selects neighbors detected by Smart RF. This option is enabled by default.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing advanced-params 2.4ghz-load throughput-weightage 90
rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing advanced-params hiwater-threshold ap 90
rfs6000-37FABE(config-profile-default-rfs6000)#load-balancing balance-ap-loads
rfs7000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
 bridging-mode isolated-tunnel
 ip igmp snooping
 ip igmp snooping querier
 ip default-gateway 172.16.10.4
 autoinstall configuration
 autoinstall firmware
 load-balancing advanced-params 2.4ghz-load throughput-weightage 90
 load-balancing advanced-params hiwater-threshold ap 90
 load-balancing balance-ap-loads
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Disables load balancing on this profile

7.1.47 logging
Profile Config Commands
Enables message logging and configures logging settings. When enabled, the profile logs individual system events to a user-defined log file or a syslog server. Message logging is disabled by default. Enabling message logging is recommended, because system event logs can be analyzed to determine an overall pattern that may be negatively impacting performance. This command can also be executed in the device configuration mode.
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
logging [aggregation-time|buffered|console|facility|forward|host|on|syslog]
logging [aggregation-time <1-60>|host [<IPv4>|<IPv6>] {port <1-65535>}|on]
logging [buffered|console|syslog|forward] [<0-7>|emergencies|alerts|critical|errors|warnings|notifications|informational|debugging]
logging facility [local0|local1|local2|local3|local4|local5|local6|local7]
Parameters
logging [aggregation-time <1-60>|host [<IPv4>|<IPv6>] {port <1-65535>}|on]
logging
  Enables message logging and configures logging settings
aggregation-time <1-60>
  Sets the number of seconds for aggregating repeated messages. This is the interval at which system events are logged on behalf of this profile. The shorter the interval, the sooner the event is logged.
  <1-60>  Specify a value from 1 - 60 seconds. The default value is 0.
host [<IPv4>|<IPv6>] {port <1-65535>}
  Configures a remote host to receive log messages. Defines numerical (non-DNS) IPv4 or IPv6 addresses for external resources where logged system events can be sent on behalf of the profile (or device). A maximum of four entries can be made.
  <IPv4>  Specify the IPv4 address of the remote host.
  <IPv6>  Specify the IPv6 address of the remote host.
  port <1-65535>  Optional. Configures the syslog port
    <1-65535>  Specify the syslog port from 1 - 65535. The default port is 514.
on
  Enables the logging of system messages
logging [buffered|console|syslog|forward] [<0-7>|emergencies|alerts|critical|errors|warnings|notifications|informational|debugging]
logging
  Enables message logging and configures logging settings
  buffered  Sets the buffered logging level
  console  Sets the console logging level
  syslog  Sets the syslog server's logging level
  forward  Forwards system debug messages to the wireless controller or service platform
  The following keywords are common to the buffered, console, syslog, and forward parameters. All incoming messages have different severity levels based on their importance. The severity level is fixed on a scale of 0 - 7.
  <0-7>  Sets the message logging severity level on a scale of 0 - 7
  emergencies  Severity level 0: System is unusable
  alerts  Severity level 1: Requires immediate action
  critical  Severity level 2: Critical conditions
  errors  Severity level 3: Error conditions
  warnings  Severity level 4: Warning conditions (default)
  notifications  Severity level 5: Normal but significant conditions
  informational  Severity level 6: Informational messages
  debugging  Severity level 7: Debugging messages
logging facility [local0|local1|local2|local3|local4|local5|local6|local7]
logging facility
  Enables message logging and configures logging settings. Sets the syslog facility, which the syslog server uses to decide where to send the incoming message. There are 8 logging facilities, from local0 to local7.
  local0  Syslog facility local0
  local1  Syslog facility local1
  local2  Syslog facility local2
  local3  Syslog facility local3
  local4  Syslog facility local4
  local5  Syslog facility local5
  local6  Syslog facility local6
  local7  Syslog facility local7
Example
rfs6000-37FABE(config-profile-default-rfs6000)#logging facility local4
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
 ...................................................
 ip dns-server-forward
 logging facility local4
 ip nat pool pool1
  address range 172.16.10.2 172.16.10.8
 ip nat inside source list test interface vlan1 pool pool1 overload
 lldp timer 20
 service pm sys-restart
 router ospf
 l2tpv3 hostname l2tpv3Host1
 l2tpv3 inter-tunnel-bridging
rfs6000-37FABE(config-profile-default-rfs6000)#
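The severity scale and facility keywords above, applied on the receiving side as an added Python example that is not part of the CLI reference: given a profile configured with logging facility localN and a syslog level keyword, it decodes the PRI of incoming messages and flags any the profile should not be producing. The facility codes (local0 = 16 through local7 = 23) and PRI = facility x 8 + severity come from the syslog standard (RFC 5424); the helper names and the sample lines are constructed for this example, not captured from a WiNG device.

```python
import re

# Severity keywords in the guide's order: list index == syslog severity 0-7.
SEVERITIES = ("emergencies", "alerts", "critical", "errors",
              "warnings", "notifications", "informational", "debugging")
LOCAL0 = 16  # syslog facility code of local0; local7 is 23 (RFC 5424)

_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.DOTALL)


def facility_code(name: str) -> int:
    """Map a 'logging facility' keyword (local0 .. local7) to its numeric code."""
    m = re.fullmatch(r"local([0-7])", name)
    if m is None:
        raise ValueError(f"not a local0-local7 facility: {name!r}")
    return LOCAL0 + int(m.group(1))


def expected_pri_values(facility: str, level: str) -> set:
    """PRI values a device emits when 'logging syslog <level>' is set.
    The level is a threshold: severities 0 .. index(level) are sent,
    anything more verbose is suppressed on the device."""
    if level not in SEVERITIES:
        raise ValueError(f"unknown severity keyword: {level!r}")
    base = facility_code(facility) * 8
    return {base + sev for sev in range(SEVERITIES.index(level) + 1)}


def decode_pri(line: str) -> tuple:
    """Split '<PRI>message' into (facility keyword, severity keyword, message)."""
    m = _PRI_RE.match(line)
    if m is None or int(m.group(1)) > 191:  # 23 * 8 + 7 is the largest valid PRI
        raise ValueError(f"no valid PRI header in {line!r}")
    fac, sev = divmod(int(m.group(1)), 8)
    fac_name = f"local{fac - LOCAL0}" if LOCAL0 <= fac <= LOCAL0 + 7 else f"facility{fac}"
    return fac_name, SEVERITIES[sev], m.group(2)


def unexpected_messages(lines, facility: str, level: str) -> list:
    """Return lines whose PRI the configured profile would never produce:
    a different facility, a severity more verbose than the configured level,
    or no PRI header at all. Any hit means the receiver is ingesting from a
    source that does not match the profile, or the device's config drifted."""
    allowed = expected_pri_values(facility, level)
    flagged = []
    for line in lines:
        m = _PRI_RE.match(line)
        if m is None or int(m.group(1)) not in allowed:
            flagged.append(line)
    return flagged


# Constructed sample lines in BSD '<PRI>timestamp host message' shape.
SAMPLE_LINES = [
    "<164>Mar  3 10:00:01 rfs6000-37FABE sample: warning-level event",   # local4.warnings
    "<162>Mar  3 10:00:02 rfs6000-37FABE sample: critical-level event",  # local4.critical
    "<167>Mar  3 10:00:03 rfs6000-37FABE sample: debugging-level event", # local4.debugging
    "<132>Mar  3 10:00:04 other-host sample: warning-level event",       # local0.warnings
]

if __name__ == "__main__":
    # A profile with 'logging facility local4' and 'logging syslog warnings'
    # should only ever produce PRIs 160-164; the last two samples violate that.
    for line in unexpected_messages(SAMPLE_LINES, "local4", "warnings"):
        print("unexpected:", decode_pri(line)[:2], line)
```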
Related Commands
no  Disables logging on this profile

7.1.48 mac-address-table
Profile Config Commands
Configures the MAC address table. Use this command to create MAC address table entries by assigning a static address to the MAC address table.
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
mac-address-table [aging-time|detect-gateways|static]
mac-address-table aging-time [0|<10-1000000>]
mac-address-table detect-gateways
mac-address-table static <MAC> vlan <1-4094> interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>]
Parameters
mac-address-table aging-time [0|<10-1000000>]
mac-address-table aging-time [0|<10-1000000>]
  Sets the duration a learned MAC address persists after the last update
  0  Entering the value 0 disables the aging time
  <10-1000000>  Sets the aging time from 10 - 1000000 seconds. The default is 300 seconds.
mac-address-table detect-gateways
mac-address-table detect-gateways
  Enables automatic detection of gateways. Detected gateways are remembered in the MAC address table.
mac-address-table static <MAC> vlan <1-4094> interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>]
mac-address-table static <MAC>
  Creates a static MAC address table entry
  <MAC>  Specifies the static address to add to the MAC address table. Specify the MAC address in the AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF, or AABB.CCDD.EEFF format.
vlan <1-4094>
  Assigns a static MAC address to a specified VLAN port
  <1-4094>  Specify the VLAN index from 1 - 4094.
interface [<L2-INTERFACE>|ge <1-4>|port-channel <1-2>]
  Specifies the interface type. The options are: layer 2 interface, GigabitEthernet interface, and port channel interface
  <L2-INTERFACE>  Specify the layer 2 interface name.
  ge  Specifies a GigabitEthernet interface
    <1-4>  Specify the GigabitEthernet interface index from 1 - 4.
  port-channel  Specifies a port channel interface
    <1-2>  Specify the port channel interface index from 1 - 2.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#mac-address-table static 00-40-96-B0-BA-2A vlan 1 interface ge 1
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
 .........................................................
 logging facility local4
 mac-address-table static 00-40-96-B0-BA-2A vlan 1 interface ge1
 ip nat pool pool1
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Disables or reverts settings to their default

7.1.49 mac-auth
Profile Config Commands
Enables authentication of a client's MAC address on wired ports. When configured, MAC authentication will be enabled on devices using this profile. To enable MAC address authentication on a device, enter the device's configuration mode and execute the mac-auth command.
When enabled, the source MAC address of a device, connected to the specified wired port, is authenticated with the RADIUS server. Once authenticated, the device is permitted access to the managed network and packets from the authenticated source are processed. If not authenticated, the device is either denied access or provided guest access through the guest VLAN (provided guest VLAN access is configured on the port).
Enabling MAC authentication requires you to first configure a AAA policy specifying the RADIUS server. Configure the client's MAC address on the specified RADIUS server. Attach this AAA policy to a profile or a device. Finally, enable MAC authentication on the desired wired port of the device or device profile.
Only one MAC address is supported for every wired port. Consequently, when one source MAC address is authenticated, packets from all other sources are dropped.
To enable client MAC authentication on a wired port:
1 Configure the user on the RADIUS server. The following examples create a RADIUS server user entry.
  a <DEVICE>(config)#radius-group <RAD-GROUP-NAME>
    <DEVICE>(config-radius-group-<RAD-GROUP-NAME>)#policy vlan <VLAN-ID>
  b <DEVICE>(config)#radius-user-pool-policy <RAD-USER-POOL-NAME>
    <DEVICE>(config-radius-user-pool-<RAD-USER-POOL-NAME>)#user <USER-NAME> password <PASSWORD> group <RAD-GROUP-OF-STEP-A>
    Note: The <USER-NAME> and <PASSWORD> should be the client's MAC address. This address will be matched against the MAC address of incoming traffic at the specified wired port.
  c <DEVICE>(config)#radius-server-policy <RAD-SERVER-POL-NAME>
    <DEVICE>(config-radius-server-policy-<RAD-SERVER-POL-NAME>)#use radius-user-pool-policy <RAD-USER-POOL-OF-STEP-B>
2 Configure a AAA policy exclusively for wired MAC authentication and specify the authentication (RADIUS) server settings. The following example creates a AAA policy macauth and enters its configuration mode:
  <DEVICE-A>(config)#aaa-policy macauth
  <DEVICE-A>(config-aaa-policy-macauth)#...
  a Specify the RADIUS server details.
    <DEVICE-A>(config)#aaa-policy macauth
    <DEVICE-A>(config-aaa-policy-macauth)#authentication server <1-6> [host <IP>|onboard]
3 Attach the AAA policy to the device or profile. When attached to a profile, the AAA policy is applied to all devices using this profile.
  <DEVICE>(config-device-aa-bb-cc-dd-ee)#mac-auth use aaa-policy macauth
  <DEVICE>(config-profile-<DEVICE-PROFILE-NAME>)#mac-auth use aaa-policy macauth
4 Enable mac-auth on the device's desired GE port. When enabled on a profile, MAC address authentication is enabled, on the specified GE port, of all devices using this profile.
  <DEVICE>(config-device-aa-bb-cc-dd-ee)#interface ge x
  <DEVICE>(config-device-aa-bb-cc-dd-ee-gex)#mac-auth
  <DEVICE>(config-profile-<PROFILE-NAME>)#interface ge x
  <DEVICE>(config-profile-<PROFILE-NAME>)#mac-auth
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
mac-auth use aaa-policy <AAA-POLICY-NAME>
Parameters
mac-auth use aaa-policy <AAA-POLICY-NAME>
mac-auth
  Enables 802.1X authentication of MAC addresses on this profile. Use the device configuration mode to enable this feature on a device.
use aaa-policy <AAA-POLICY-NAME>
  Associates an existing AAA policy with this profile (or device)
  <AAA-POLICY-NAME>  Specify the AAA policy name. The AAA policy used should be created especially for MAC authentication.
Example
The following examples demonstrate the configuration of authentication of MAC addresses on wired ports:
rfs4000-229D58(config-aaa-policy-mac-auth)#authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-mac-auth)#show context
aaa-policy mac-auth
 authentication server 1 onboard controller
rfs4000-229D58(config-aaa-policy-mac-auth)#

rfs4000-229D58(config)#radius-group RG
rfs4000-229D58(config-radius-group-RG)#policy vlan 11
rfs4000-229D58(config-radius-group-RG)#show context
radius-group RF
 policy vlan 11
rfs4000-229D58(config-radius-group-RG)#

rfs4000-229D58(config)#radius-user-pool-policy RUG
rfs4000-229D58(config-radius-user-pool-RUG)#user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
rfs4000-229D58(config-radius-user-pool-RUG)#show context
radius-user-pool-policy RUG
 user 00-16-41-55-F8-5D password 0 00-16-41-55-F8-5D group RG
rfs4000-229D58(config-radius-user-pool-RUG)#

rfs4000-229D58(config)#radius-server-policy RS
rfs4000-229D58(config-radius-server-policy-RS)#use radius-user-pool-policy RUG
rfs4000-229D58(config-radius-server-policy-RS)#show context
radius-server-policy RS
 use radius-user-pool-policy RUG
rfs4000-229D58(config-radius-server-policy-RS)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#show context
interface ge4
 dot1x authenticator host-mode single-host
 dot1x authenticator port-control auto
 mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge4)#

rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#show context
interface ge5
 switchport mode access
 switchport access vlan 1
 dot1x authenticator host-mode single-host
 dot1x authenticator guest-vlan 5
 dot1x authenticator port-control auto
 mac-auth
rfs4000-229D58(config-device-00-23-68-22-9D-58-if-ge5)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show macauth interface ge 4
Mac Auth info for interface GE4
-----------------------------------
Mac Auth        Enabled
Mac Auth        Authorized
Client MAC      00-16-41-55-F8-5D
rfs4000-229D58(config-device-00-23-68-22-9D-58)#

rfs4000-229D58(config-device-00-23-68-22-9D-58)#show macauth interface ge 5
Mac Auth info for interface GE5
-----------------------------------
Mac Auth        Enabled
Mac Auth        Not Authorized
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
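The three MAC notations accepted by mac-address-table static (7.1.48) and the radius-user-pool-policy user entry from step 1b of the mac-auth procedure, worked as an added Python example that is not part of the CLI reference: it validates and normalises addresses, enforces the vlan, ge and port-channel ranges the syntax gives, and emits the matching configuration lines. The function names, range checks and sample addresses are constructed for this example; the emitted lines follow the command syntax shown in these two sections.

```python
import re

# The three MAC notations mac-address-table static accepts, per the guide:
# AA-BB-CC-DD-EE-FF, AA:BB:CC:DD:EE:FF and AABB.CCDD.EEFF.
_HEX2 = "[0-9A-Fa-f]{2}"
_MAC_FORMS = (
    re.compile(rf"^{_HEX2}(?:-{_HEX2}){{5}}$"),              # dash-separated octets
    re.compile(rf"^{_HEX2}(?::{_HEX2}){{5}}$"),              # colon-separated octets
    re.compile(r"^[0-9A-Fa-f]{4}(?:\.[0-9A-Fa-f]{4}){2}$"),  # dotted 16-bit groups
)

# Interface index ranges from the mac-address-table static syntax.
_IFACE_RANGES = {"ge": (1, 4), "port-channel": (1, 2)}


def is_valid_mac(mac: str) -> bool:
    """True if `mac` is written in one of the three accepted notations."""
    return any(form.match(mac) for form in _MAC_FORMS)


def normalize_mac(mac: str) -> str:
    """Return the address as AA-BB-CC-DD-EE-FF (the notation used in the
    guide's examples) so one client is spelled the same way everywhere."""
    if not is_valid_mac(mac):
        raise ValueError(f"unsupported MAC notation: {mac!r}")
    digits = re.sub(r"[-:.]", "", mac).upper()
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))


def static_mac_entry(mac: str, vlan: int, interface: str) -> str:
    """Build one 'mac-address-table static <MAC> vlan <1-4094> interface ...'
    line, rejecting values outside the ranges the syntax allows. `interface`
    is 'ge <1-4>', 'port-channel <1-2>' or a bare layer 2 interface name."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"vlan {vlan} outside 1-4094")
    parts = interface.split()
    if len(parts) == 2 and parts[0] in _IFACE_RANGES:
        lo, hi = _IFACE_RANGES[parts[0]]
        if not (parts[1].isdigit() and lo <= int(parts[1]) <= hi):
            raise ValueError(f"{parts[0]} index must be {lo}-{hi}")
    elif len(parts) != 1:
        raise ValueError(f"unrecognised interface spec: {interface!r}")
    return (f"mac-address-table static {normalize_mac(mac)} "
            f"vlan {vlan} interface {interface}")


def mac_auth_user_entries(client_macs, radius_group: str) -> list:
    """Emit the radius-user-pool-policy 'user' lines from step 1b of the
    mac-auth procedure: the client MAC is both user name and password.
    Addresses are normalised first, so the same client written in two
    notations yields a single entry instead of two."""
    seen, lines = set(), []
    for mac in client_macs:
        canonical = normalize_mac(mac)
        if canonical in seen:
            continue
        seen.add(canonical)
        lines.append(f"user {canonical} password 0 {canonical} group {radius_group}")
    return lines


if __name__ == "__main__":
    # Constructed sample data, not the guide's example output.
    print(static_mac_entry("0040.96B0.BA2A", 1, "ge 1"))
    clients = ["00-16-41-55-F8-5D", "00:16:41:55:f8:5d", "00:16:41:55:F8:5E"]
    for line in mac_auth_user_entries(clients, "RG"):
        print(line)
```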
Related Commands
no  Disables authentication of MAC addresses on wired ports on this profile (or device)

7.1.50 management-server
Profile Config Commands
Configures a management server with this profile. This command is also applicable to the device configuration context.
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
management-server <HOST-NAME> port <1-65535>
Parameters
management-server <HOST-NAME> port <1-65535>
management-server <HOST-NAME> port <1-65535>
  Configures a management server with this profile. Use this command to identify the management server.
  <HOST-NAME>  Specify the management server's host name.
  port <1-65535>  Specify the port where the management server is reachable. The default setting is port 443.
Example
rfs6000-81742D(config-profile-testRFS6000)#management-server nx9500-6C8809 port 300
rfs6000-81742D(config-profile-testRFS6000)#show context include-factory | include management-server
management-server nx9500-6C8809 port 300
rfs6000-81742D(config-profile-testRFS6000)#
Related Commands
no  Removes the management server configuration

7.1.51 memory-profile
Profile Config Commands
Configures the memory profile used on the device.
Supported in the following platforms:
Access Points  AP6511, AP6521
Syntax
memory-profile [adopted|standalone]
Parameters
memory-profile [adopted|standalone]
memory-profile
  Configures the memory profile used on the device
  adopted  Configures adopted mode (no GUI, and more MiNT routes and firewall flows)
  standalone  Configures standalone mode (GUI, and fewer MiNT routes and firewall flows)
Example
nx9500-6C8809(config-profile-testAP6511)#memory-profile adopted
Note: memory-profile change will take effect after device reboot
nx9500-6C8809(config-profile-testAP6511)#
Related Commands
no  Resets the device's memory profile configuration

7.1.52 meshpoint-device
Profile Config Commands
Configures meshpoint device parameters. This feature is configurable in the profile and device configuration modes.
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
meshpoint-device <MESHPOINT-NAME>
Parameters
meshpoint-device <MESHPOINT-NAME>
meshpoint-device <MESHPOINT-NAME>
  Configures meshpoint device parameters
  <MESHPOINT-NAME>  Specify the meshpoint name.
Usage Guidelines
For Vehicular Mounted Modem (VMM) access points or other mobile devices, set the path selection method as mobile-snr-leaf in the config-meshpoint-device mode. For more information, see path-method.
Example
rfs6000-37FABE(config-profile-testAP7161)#meshpoint-device test
rfs6000-37FABE(config-profile-testAP7161-meshpoint-test)#?
Mesh Point Device Mode commands:
  acs          Configure auto channel selection parameters
  exclude      Exclude neighboring Mesh Devices
  hysteresis   Configure path selection SNR hysteresis values
  monitor      Event Monitoring
  no           Negate a command or set its defaults
  path-method  Path selection method used to find a root node
  preferred    Configure preferred path parameters
  root         Set this meshpoint as root
  root-select  Root selection method parameters

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-testAP7161-meshpoint-test)#
Related Commands
no  Removes a specified meshpoint
NOTE: For more information on the meshpoint-device configuration parameters, see Chapter 26, MESHPOINT.

7.1.53 meshpoint-monitor-interval
Profile Config Commands
Configures the meshpoint monitoring interval. This is the interval, in seconds, at which the meshpoint status is checked.
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
meshpoint-monitor-interval <1-65535>
Parameters
meshpoint-monitor-interval <1-65535>
meshpoint-monitor-interval <1-65535>
  Configures the meshpoint monitoring interval in seconds
  <1-65535>  Specify the interval from 1 - 65535 seconds. The default is 30 seconds.
Example
rfs6000-37FABE(config-profile-default-rfs6000)#meshpoint-monitor-interval 100
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 bridge vlan 1
 bridging-mode isolated-tunnel
 ip igmp snooping
 ip igmp snooping querier
 meshpoint-monitor-interval 100
 ip default-gateway 172.16.10.4
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
no  Resets the meshpoint monitoring interval to the default (30 seconds)

7.1.54 min-misconfiguration-recovery-time
Profile Config Commands
Configures the minimum device connectivity verification time.
Supported in the following platforms:
Access Points  AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms  NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
min-misconfiguration-recovery-time <60-3600>
Parameters
min-misconfiguration-recovery-time <60-3600>
min-misconfiguration-recovery-time <60-3600>
  Configures the minimum connectivity (with the associated device) verification interval
  <60-3600>  Specify a value from 60 - 3600 seconds (default is 60 seconds).
Example
nx9500-6C8809(config-profile-testRFS4000)#min-misconfiguration-recovery-time 500
nx9500-6C8809(config-profile-testRFS4000)#show context
profile rfs4000 testRFS4000
 meshpoint-monitor-interval 300
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ikev1 remote-vpn
 crypto ikev2 remote-vpn
 crypto auto-ipsec-secure
 crypto remote-vpn-client
 interface radio1
 interface radio2
 interface up1
 interface ge1
 interface ge2
 interface ge3
 interface ge4
 interface ge5
 interface wwan1
 interface pppoe1
 use firewall-policy default
 min-misconfiguration-recovery-time 500
 service pm sys-restart
 router ospf
 router bgp
nx9500-6C8809(config-profile-testRFS4000)#
Related Commands
  no    Resets setting to default (60 seconds)

7.1.55 mint
Profile Config Commands

Configures MiNT protocol parameters required for MiNT link creation and adoption

MiNT links are required for adoption of a device (APs, wireless controllers, and service platforms) to a controller. The MiNT link is created on both the adoptee and the adopter. WiNG provides several commands to configure MiNT links and establish adoption for both IPv4 and IPv6 addresses. IPsec protection of a MiNT link (the ipsec-security option) is configured per link and is disabled by default; see the link parameters below.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mint [dis|inter-tunnel-bridging|level|link|mlcp|rate-limit|spf-latency|tunnel-across-extended-vlan|tunnel-controller-load-balancing]

  mint dis [priority-adjustment <-255-255>|strict-evis-reachability]
  mint inter-tunnel-bridging
  mint level 1 area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]
  mint link [force|ip|listen|vlan]
  mint link force ip [<IPv4>|<IPv6>] [<1-65535> level 2|level 2] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}}
  mint link [listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]|vlan <1-4094>] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}|level [1|2]}
  mint link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] {<1-65535>|adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}|level [1|2]}
  mint mlcp [ip|ipv6|vlan]
  mint rate-limit level2 [link|mlcp]
  mint rate-limit level2 [link [ip [<IPv4>|<IPv6>] <1-65535>|vlan <1-4094>]|mlcp [ip|ipv6|vlan]] rate <50-1000000> max-burst-size <2-1024> {red-threshold [background|best-effort|video|voice] <0-100>}
  mint spf-latency <0-60>
  mint tunnel-across-extended-vlan
  mint tunnel-controller-load-balancing level1

Parameters
  mint dis [priority-adjustment <-255-255>|strict-evis-reachability]

  mint    Configures MiNT protocol parameters required for MiNT link creation and adoption
  dis     Sets the relative priority for the router to become DIS (designated router)
  priority-adjustment <-255-255>
          Sets the priority adjustment added to the base priority. The Designated IS (DIS) priority adjustment is the value added to the base level DIS priority to influence the DIS election. A value of +1 or greater makes the device more likely to become the DIS.
          <-255-255>    Specify a value from -255 - 255. The default is 0. Higher numbers result in higher priorities.
  strict-evis-reachability
          Enables reaching Ethernet Virtualization Interconnect (EVIS) election winners through MiNT. This option is enabled by default.

  mint inter-tunnel-bridging

  mint inter-tunnel-bridging
          Enables forwarding of broadcast and multicast (BCMC) packets between devices communicating via Level 2 MiNT links. When enabled, the MiNT tunnels to access points adopted across Level 2 are bridged. One advantage of inter-tunnel bridging is that it enables roaming between these access points. This option is disabled by default. If enabling this option, use ACLs to filter unwanted BCMC traffic.

  mint level 1 area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]

  mint level 1 area-id [<1-16777215>|<NUMBER-ALIAS-NAME>]
          level      Configures local MiNT routing settings
          1          Configures the local MiNT routing level
          area-id    Specifies the level 1 routing area identifier. Use one of the following options to specify the area ID:
                     <1-16777215>          Specify a value from 1 - 16777215.
                     <NUMBER-ALIAS-NAME>   Specify a number alias (it should exist and be configured). Aliases are configuration items that can be defined once and used in different configuration contexts. For more information on creating a number alias, see alias.

  mint link force ip [<IPv4>|<IPv6>] [<1-65535> level 2|level 2] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|ipsec-security {gw [<IP>|<HOST-NAME>]}}
  mint link force ip [<IPv4>|<IPv6>]
          Creates a MiNT routing link as a forced link
          force    Forces a MiNT routing link to be created even if not necessary
          ip       Creates a MiNT tunnel over UDP/IPv4 or IPv6. Use this keyword to specify the IP address (IPv4 or IPv6) used by peers for inter-operation when supporting the MiNT protocol.
                   <IPv4>    Specify the MiNT tunnel peer's IPv4 address.
                   <IPv6>    Specify the MiNT tunnel peer's IPv6 address.
          After specifying the MiNT peer's address, configure the following MiNT link parameters: UDP port, adjacency-hold-time, cost, hello-interval, IPSec security gateway, and routing level.
  <1-65535> level 2
          <1-65535>    Optional. Specifies a custom UDP port for MiNT links. Specify the port from 1 - 65535.
          level        Specifies the routing level
          2            Configures level 2 inter-site MiNT routing
  adjacency-hold-time <2-600>
          Optional. Specifies the adjacency lifetime after hello packets cease
          <2-600>    Specify a value from 2 - 600 seconds. The default is 46 seconds.
  cost <1-10000>
          Optional. Specifies the link cost in arbitrary units
          <1-10000>    Specify a value from 1 - 10000. The default is 100.
  hello-interval <1-120>
          Optional. Specifies the interval, in seconds, between successive hello packets
          <1-120>    Specify a value from 1 - 120 seconds. The default is 15 seconds.
  ipsec-security {gw [<IP>|<HOST-NAME>]}
          Optional. Enables IPSec secure peer authentication on the MiNT link connection (link). This option is disabled by default.
          gw [<IP>|<HOST-NAME>]    Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway's numerical IP address or administrator-defined hostname.

  mint link [listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]|vlan <1-4094>] {adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|level [1|2]|ipsec-security {gw [<IP>|<HOST-NAME>]}}
  mint link listen ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]
          Creates a MiNT routing link
          listen    Creates a MiNT listening link
          ip        Creates a MiNT listening link over UDP/IP or IPv6
                    <IPv4>               Specify the IPv4 address of the listening UDP/IP link.
                    <IPv6>               Specify the IPv6 address of the listening UDP/IP link.
                    <HOST-ALIAS-NAME>    Specify the host alias identifying the MiNT link address. The host alias should exist and be configured.
          UDP/IP links can be created by configuring a matching pair of links, one on each end point. However, that is error prone and does not scale. So UDP/IP links can also listen (in the TCP sense), and dynamically create connected UDP/IP links when contacted. The typical configuration is to have a listening UDP/IP link on the IP address S.S.S.S, and for all the APs to have a regular UDP/IP link to S.S.S.S.
  link vlan <1-4094>
          Enables MiNT routing on a VLAN
          vlan    Defines a VLAN ID used by peers for inter-operation when supporting the MiNT protocol.
                  <1-4094>    Select a VLAN ID from 1 - 4094.
  adjacency-hold-time <2-600>
          This parameter is common to the listen and vlan parameters:
          Optional. Specifies the adjacency lifetime after hello packets cease
          <2-600>    Specify a value from 2 - 600 seconds. The default is 46 seconds. For MiNT VLAN routing, the default is 13 seconds.
  cost <1-10000>
          This parameter is common to the listen and vlan parameters:
          Optional. Specifies the link cost in arbitrary units
          <1-10000>    Specify a value from 1 - 10000. The default is 100. For MiNT VLAN routing, the default is 10.
  hello-interval <1-120>
          This parameter is common to the listen and vlan parameters:
          Optional. Specifies the interval, in seconds, between successive hello packets
          <1-120>    Specify a value from 1 - 120. The default is 15 seconds. For MiNT VLAN routing, the default is 4 seconds.
  level [1|2]
          This parameter is common to the listen and vlan parameters:
          Optional. Specifies the routing level for this routing link. The options are:
          1    Configures local routing
          2    Configures inter-site routing
  ipsec-security {gw [<IP>|<HOST-NAME>]}
          This parameter is common to the listen and vlan parameters:
          Optional. Enables IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.
          gw [<IP>|<HOST-NAME>]    Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway's numerical IP address or administrator-defined hostname.

  mint link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>] {<1-65535>|adjacency-hold-time <2-600>|cost <1-10000>|hello-interval <1-120>|level [1|2]|ipsec-security {gw [<IP>|<HOST-NAME>]}}
  mint link ip [<IPv4>|<IPv6>|<HOST-ALIAS-NAME>]
          Creates a MiNT routing link
          ip    Creates a MiNT tunnel over UDP/IP or IPv6. Use this keyword to specify the IP address (IPv4 or IPv6) used by peers for inter-operation when supporting the MiNT protocol.
                <IPv4>               Specify the IPv4 address used by peers.
                <IPv6>               Specify the IPv6 address used by peers.
                <HOST-ALIAS-NAME>    Specify the host alias identifying the MiNT tunnel peer's address. The host alias should exist and be configured.
  <1-65535>
          Optional. Select the peer UDP port from 1 - 65535.
  adjacency-hold-time <2-600>
          Optional. Specifies the adjacency lifetime after hello packets cease
          <2-600>    Specify a value from 2 - 600 seconds. The default is 46 seconds.
  cost <1-10000>
          Optional. Specifies the link cost in arbitrary units
          <1-10000>    Specify a value from 1 - 10000. The default is 100.
  hello-interval <1-120>
          Optional. Specifies the interval, in seconds, between successive hello packets
          <1-120>    Specify a value from 1 - 120. The default is 15 seconds.
  level [1|2]
          Optional. Specifies the routing level for this routing link. The options are:
          1    Configures local routing
          2    Configures inter-site routing
  ipsec-security {gw [<IP>|<HOST-NAME>]}
          Optional. Enables IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.
          gw [<IP>|<HOST-NAME>]    Optional. Configures the IPSec secure gateway. When enabling IPSec, you can optionally specify the IPSec secure gateway's numerical IP address or administrator-defined hostname.

  mint mlcp [ip|ipv6|vlan]

  mint mlcp [ip|ipv6|vlan]
          Configures MLCP (MiNT Link Creation Protocol) using an IP address or VLAN. MLCP is used to create a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a wireless controller or service platform; it can be another access point with a path to the wireless controller or service platform.
          vlan    Enables MLCP over layer 2 (VLAN) links
          ip      Enables MLCP over layer 3 (UDP/IP) links. When enabled, allows adoption over an IPv4 address.
          ipv6    Enables MLCP over layer 3 (UDP/IPv6) links. When enabled, allows adoption over an IPv6 address.

  mint rate-limit level2 [link [ip [<IPv4>|<IPv6>] <1-65535>|vlan <1-4094>]|mlcp [ip|ipv6|vlan]] rate <50-1000000> max-burst-size <2-1024> {red-threshold [background|best-effort|video|voice] <0-100>}
  mint rate-limit level2 link [ip <IPv4/IPv6> <1-65535>|vlan <1-4094>]
          Applies rate limits on extended VLAN traffic. Excessive traffic can cause performance issues on an extended VLAN. Excessive traffic can be caused by numerous sources including network loops, faulty devices, or malicious software. Rate limiting reduces the maximum rate sent or received per wireless client. It prevents any single user from overwhelming the wireless network, and also provides differential service for service providers. Uplink and downlink rate limits are usually configured on a RADIUS server using vendor-specific attributes. Rate limits are extracted from the RADIUS server's response. When such attributes are not present, the settings defined on the controller, service platform or access point are applied. You can set separate QoS rate limit configurations for data transmitted from the network (upstream) and data transmitted from wireless clients back to associated radios (downstream).
          Configures rate limit parameters applicable to all statically configured MiNT links on level 2. Select the link type as IP or VLAN.
          ip <IPv4/IPv6>    Configures rate limits for MiNT link traffic over UDP/IP
                  <IPv4/IPv6>    Specify the MiNT peer's IPv4 or IPv6 address in the A.B.C.D and X:X::X:X formats respectively.
                  <1-65535>      Configures the virtual port used for rate limiting traffic. Specify the UDP port from 1 - 65535.
          vlan <1-4094>     Configures rate limits for MiNT link traffic on the specified VLAN
                  <1-4094>    Specify the VLAN ID from 1 - 4094.
  mlcp [ip|ipv6|vlan]
          Configures rate limit parameters applicable to MLCP. MLCP creates a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform; it can be an access point with a path to the controller or service platform.
          ip      Configures rate limits for MLCP over UDP/IPv4 links
          ipv6    Configures rate limits for MLCP over UDP/IPv6 links
          vlan    Configures rate limits for MLCP over VLAN links
  rate <50-1000000>
          Configures the rate limit from 50 - 1000000 Kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic exceeding the defined rate is dropped and a log message is generated. The default setting is 5000 Kbps.
  max-burst-size <2-1024>
          Configures the maximum burst size from 2 - 1024 Kbytes. The smaller the burst size, the lower the probability that upstream packet transmission results in congestion for the WLAN's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 Kbytes.
  red-threshold [background|best-effort|video|voice] <0-100>
          Optional. Configures the random early detection (RED) threshold (as a percentage) for the following traffic types:
          background     Configures the RED threshold for low priority background traffic. Background packets are dropped and a log message generated if the rate exceeds the set value. Background traffic consumes the least bandwidth of any access category, so this value can be set lower once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
          best-effort    Configures the RED threshold for low priority best-effort traffic. Best-effort packets are dropped and a log message generated if the rate exceeds the set value. Best-effort traffic consumes little bandwidth, so this value can be set lower once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
          video          Configures the RED threshold for high priority video traffic. Video packets are dropped and a log message generated if the rate exceeds the set value. Video traffic consumes significant bandwidth, so this value can be set higher once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 25%.
          voice          Configures the RED threshold for high priority voice traffic. Voice packets are dropped and a log message generated if the rate exceeds the set value. Voice applications consume significant bandwidth, so this value can be set higher once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 0%.
          <0-100>    After selecting the traffic type, specify the RED threshold from 0 - 100%.

  mint spf-latency <0-60>

  mint spf-latency <0-60>
          Specifies the latency of SPF routing recalculation. This option allows you to set the latency of the routing recalculation option (within the Shortest Path First (SPF) field). This option is disabled by default.
          <0-60>    Specify the latency from 0 - 60 seconds.

  mint tunnel-across-extended-vlan

  mint tunnel-across-extended-vlan
          Enables tunneling of MiNT protocol packets across an extended VLAN. This setting is disabled by default.

  mint tunnel-controller-load-balancing level1

  mint tunnel-controller-load-balancing level1
          Enables load balancing of MiNT extended VLAN traffic across tunnels
          level1    Enables load balancing of a tunnel wireless controller or service platform over VLAN links

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#mint level 1 area-id 88
  rfs6000-37FABE(config-profile-default-rfs6000)#mint link ip 1.2.3.4 level 2
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   mint link ip 1.2.3.4 level 2
   mint level 1 area-id 88
   bridge vlan 1
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000)#

  nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#show context
  ap7522 84-24-8D-1B-B9-0C
   use profile default-ap7522
   use rf-domain default
   hostname ap7522-1BB90C
   no staging-config-learnt
  nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#
  nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#mint inter-tunnel-bridging
  nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#show context
  ap7522 84-24-8D-1B-B9-0C
   use profile default-ap7522
   use rf-domain default
   hostname ap7522-1BB90C
   no staging-config-learnt
   mint inter-tunnel-bridging
  nx9500-6C8809(config-device-84-24-8D-1B-B9-0C)#
Related Commands
  no    Disables or reverts settings to their default

7.1.56 misconfiguration-recovery-time
Profile Config Commands

Verifies connectivity after a configuration is received, so that a configuration change which breaks connectivity can be recovered from. Setting the value to 0 disables this recovery.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  misconfiguration-recovery-time [0|<60-300>]

Parameters
  misconfiguration-recovery-time [0|<60-300>]
          <60-300>    Sets the recovery time from 60 - 300 seconds (default is 180 seconds)
          0           Disables recovery from misconfiguration

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#misconfiguration-recovery-time 65
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   mint link ip 1.2.3.4
   mint level 1 area-id 88
   bridge vlan 1
    bridging-mode isolated-tunnel
  .................................................
    qos trust 802.1p
   interface pppoe1
   use firewall-policy default
   misconfiguration-recovery-time 65
   service pm sys-restart
   router ospf
  rfs6000-37FABE(config-profile-default-rfs6000)#
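The mint link parameters (7.1.55) and misconfiguration-recovery-time (above) are the first settings to check when reviewing a profile: whether each UDP/IP MiNT link has ipsec-security, whether inter-tunnel-bridging is on (the guide advises ACLs for BCMC traffic when it is), how long the hello-interval / adjacency-hold-time pair takes to notice a dead peer, and whether recovery has been switched off with a value of 0. The script below is an added example for this page; it is not code from the CLI guide or from WiNG. It parses a constructed show context profile dump (the addresses, prompt and VLAN are placeholders) and reports those findings. The timer defaults it fills in (15 s / 46 s for UDP/IP links, 4 s / 13 s for VLAN links) are the ones the parameter tables above document; the finding text and what counts as a finding are this example's own judgement, not the guide's.

```python
"""Audit a WiNG profile 'show context' dump for MiNT link and recovery settings.

Added example for this reference page, not code from the WiNG CLI guide. The
sample dump is constructed (placeholder addresses); timer defaults follow the
mint link parameter tables.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a profile as 'show context' prints it (not captured
# from a real device). One link carries ipsec-security, the others do not.
SAMPLE_CONTEXT = """\
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4 level 2
 mint link ip 10.20.30.40 level 2 ipsec-security gw 10.20.30.1
 mint link listen ip 192.0.2.10 level 1
 mint link vlan 1 hello-interval 2 adjacency-hold-time 6
 mint level 1 area-id 88
 mint inter-tunnel-bridging
 misconfiguration-recovery-time 0
 bridge vlan 1
  bridging-mode isolated-tunnel
 use firewall-policy default
"""

# Documented defaults: UDP/IP links hello 15 s / hold 46 s, VLAN links 4 s / 13 s.
DEFAULT_TIMERS = {"ip": (15, 46), "vlan": (4, 13)}

_LINK_RE = re.compile(r"^\s*mint link (force )?(listen )?(ip|vlan) (\S+)(.*)$")


@dataclass
class MintLink:
    transport: str               # "ip" (UDP/IP) or "vlan"
    peer: str                    # peer address / host alias, or the VLAN id
    listen: bool = False
    force: bool = False
    level: Optional[int] = None  # 1 = local, 2 = inter-site; None if not given
    ipsec: bool = False          # ipsec-security present on the link
    ipsec_gw: Optional[str] = None
    hello: int = 15
    hold: int = 46

    def hellos_lost_before_drop(self) -> int:
        """Consecutive hellos that can be missed before the adjacency expires."""
        return self.hold // self.hello


def parse_mint_links(context: str) -> list[MintLink]:
    """Return one MintLink per 'mint link ...' line, defaults filled in."""
    links: list[MintLink] = []
    for line in context.splitlines():
        m = _LINK_RE.match(line)
        if not m:
            continue
        force, listen, transport, peer, rest = m.groups()
        hello, hold = DEFAULT_TIMERS[transport]
        link = MintLink(transport, peer, listen=bool(listen), force=bool(force),
                        hello=hello, hold=hold)

        def value_after(keyword: str) -> Optional[str]:
            mm = re.search(rf"(?:^|\s){keyword} (\S+)", rest)
            return mm.group(1) if mm else None

        if (v := value_after("level")) is not None:
            link.level = int(v)
        if (v := value_after("hello-interval")) is not None:
            link.hello = int(v)
        if (v := value_after("adjacency-hold-time")) is not None:
            link.hold = int(v)
        if re.search(r"(?:^|\s)ipsec-security(?:\s|$)", rest):
            link.ipsec = True
            link.ipsec_gw = value_after("gw")
        links.append(link)
    return links


def audit(context: str) -> list[str]:
    """Findings a reviewer would raise; wording and thresholds are this example's own."""
    findings: list[str] = []
    for link in parse_mint_links(context):
        where = f"mint link {'listen ' if link.listen else ''}{link.transport} {link.peer}"
        if link.transport == "ip" and not link.ipsec:
            findings.append(f"{where}: UDP/IP MiNT link without ipsec-security "
                            f"(level {link.level}); IPSec peer authentication is off")
        if link.hold <= link.hello:
            findings.append(f"{where}: adjacency-hold-time {link.hold}s is not above "
                            f"hello-interval {link.hello}s; one late hello expires the adjacency")
    if re.search(r"^\s*mint inter-tunnel-bridging\s*$", context, re.M):
        findings.append("mint inter-tunnel-bridging: BCMC is forwarded across Level 2 "
                        "tunnels; confirm ACLs filter unwanted BCMC traffic")
    m = re.search(r"^\s*misconfiguration-recovery-time (\d+)\s*$", context, re.M)
    if m and int(m.group(1)) == 0:
        findings.append("misconfiguration-recovery-time 0: recovery from a "
                        "misconfiguration is disabled on this profile")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONTEXT):
        print(finding)
```

Feed it the output of show context from the profile being reviewed; on the constructed sample it reports the unprotected links to 1.2.3.4 and the listening link on 192.0.2.10, the inter-tunnel-bridging setting, and the disabled recovery timer, and says nothing about the link to 10.20.30.40, which has ipsec-security. hellos_lost_before_drop() on a default UDP/IP link is 3 (46 // 15), which is the number of consecutive missed hellos a peer survives before the adjacency is torn down.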
Related Commands
  no    Reverts to default (180 seconds)

7.1.57 neighbor-inactivity-timeout
Profile Config Commands

Configures the neighbor inactivity timeout

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  neighbor-inactivity-timeout <1-1000>

Parameters
  neighbor-inactivity-timeout <1-1000>
          Sets the neighbor inactivity timeout
          <1-1000>    Specify a value from 1 - 1000 seconds. The default is 30 seconds.

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#neighbor-inactivity-timeout 500
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   mint link ip 1.2.3.4
   mint level 1 area-id 88
   bridge vlan 1
    bridging-mode isolated-tunnel
    ip igmp snooping
    ip igmp snooping querier
   neighbor-inactivity-timeout 500
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   interface me1
   interface ge1
    ip dhcp trust
    qos trust dscp
    qos trust 802.1p
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000)#
7.1.58 neighbor-info-interval
Profile Config Commands

Configures the neighbor information exchange interval

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  neighbor-info-interval <1-100>

Parameters
  neighbor-info-interval <1-100>
          <1-100>    Sets the interval from 1 - 100 seconds. The default is 10 seconds.

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#neighbor-info-interval 6
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   mint link ip 1.2.3.4
   mint level 1 area-id 88
   bridge vlan 1
    bridging-mode isolated-tunnel
    ip igmp snooping
    ip igmp snooping querier
   neighbor-info-interval 6
   neighbor-inactivity-timeout 500
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   interface me1
   interface ge1
    ip dhcp trust
    qos trust dscp
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000)#
7.1.59 no
Profile Config Commands

Negates a command or resets values to their default

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [adopter-auto-provisioning-policy-lookup|adoption|alias|application-policy|area|arp|auto-learn|autogen-uniqueid|autoinstall|bluetooth-detection|bridge|cdp|cluster|configuration-persistence|controller|critical-resource|crypto|database-backup|device-upgrade|diag|dot1x|dpi|dscp-mapping|eguest-server|email-notification|environmental-sensor|events|export|file-sync|floor|gre|http-analyze|interface|ip|ipv6|lacp|l2tpv3|l3e-lite-table|led|led-timeout|legacy-auto-downgrade|legacy-auto-update|lldp|load-balancing|logging|mac-address-table|mac-auth|management-server|memory-profile|meshpoint-device|meshpoint-monitor-interval|min-misconfiguration-recovery-time|mint|misconfiguration-recovery-time|noc|ntp|otls|offline-duration|power-config|preferred-controller-group|preferred-tunnel-controller|radius|raid|rf-domain-manager|router|spanning-tree|traffic-class-mapping|traffic-shape|trustpoint|tunnel-controller|use|virtual-controller|vrrp|vrrp-state-check|zone|wep-shared-key-auth|service]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>    Removes or reverts this profile's settings based on the parameters passed

Usage Guidelines
  The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
  rfs6000-81742D(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   crypto remote-vpn-client
   interface me1
   interface up1
   interface ge1
   interface ge2
   interface ge3
   interface ge4
   interface ge5
   interface ge6
   interface ge7
   interface ge8
   interface wwan1
   interface pppoe1
   use firewall-policy default
   logging on
   service pm sys-restart
   adopter-auto-provisioning-policy-lookup
   router ospf
   router bgp
   adoption start-delay min 10 max 30
  rfs6000-81742D(config-profile-default-rfs6000)#
  rfs6000-81742D(config-profile-default-rfs6000)#no adopter-auto-provisioning-policy-lookup
  rfs6000-81742D(config-profile-default-rfs6000)#no adoption start-delay
  rfs6000-81742D(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   crypto remote-vpn-client
   interface me1
   interface up1
   interface ge1
   interface ge2
   interface ge3
   interface ge4
   interface ge5
   interface ge6
   interface ge7
   interface ge8
   interface wwan1
   interface pppoe1
   use firewall-policy default
   logging on
   service pm sys-restart
   router ospf
   router bgp
  rfs6000-81742D(config-profile-default-rfs6000)#
7.1.60 noc
Profile Config Commands

Configures the Network Operations Center (NOC) statistics update interval. This is the interval at which statistical updates are sent by the RF Domain manager to its adopting controller (the NOC controller).

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  noc update-interval [<5-3600>|auto]

Parameters
  noc update-interval [<5-3600>|auto]

  noc update-interval [<5-3600>|auto]
          Configures the NOC statistics update interval
          <5-3600>    Specify the update interval from 5 - 3600 seconds.
          auto        The NOC statistics update interval is automatically adjusted by the wireless controller or service platform based on load. This option is enabled by default.

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#noc update-interval 25
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   mint link ip 1.2.3.4
   mint level 1 area-id 88
   bridge vlan 1
    bridging-mode isolated-tunnel
    ip igmp snooping
    ip igmp snooping querier
  ...................................................
   interface pppoe1
   use firewall-policy default
   misconfiguration-recovery-time 65
   noc update-interval 25
   service pm sys-restart
   router ospf
  rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands no Resets NOC related parameters Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 402 PROFILES 7.1.61 nsight Profile Config Commands Configures NSight database related parameters. Use this command to configure the data-update periodicity, number of applications posted to the NSight server for a wireless client, and the duration for which data is stored in the NSight databases buckets. These parameters impact the amount of data stored in the NSight DB and interval at which data is aggregated and expired within the NSight DB. For more information on data aggregation and expiration, see (Data Aggregation and Expiration). Configure these parameters in the NSight servers profile configuration mode. These parameters are also configurable on the NSight servers device configuration mode. Supported in the following platforms:
Service Platforms NX9500, NX9510, NX9600, VX9000 Syntax nsight database [statistics|summary]
nsight database statistics [avc-update-interval|max-apps-per-client|max-http-
usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-
metadata|update-interval|wireless-clients-update-interval]
nsight database statistics [avc-update-interval|update-interval|wireless-clients-
update-interval] [120|30|300|60|600]
nsight database statistics max-apps-per-client <1-1000>
nsight database statistics [max-http-usage-metadata|max-http-visits-metadata|
max-ssl-usage-metadata|max-ssl-visits-metadata] <1-1000>
nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>
Parameters nsight database statistics [avc-update-interval|update-interval|wireless-
clients-update-interval] [120|30|300|60|600]
nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]

nsight database statistics
    Configures NSight database statistics related parameters

avc-update-interval
    Configures the interval, in seconds, at which Application Visibility and Control (AVC) statistics are updated to the NSight database. This interval represents the rate at which AVC-related data is inserted in the NSight database's first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Data Aggregation and Expiration in the Usage Guidelines below.
    When configured, RF Domain managers posting AVC-related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the next update time based on the avc-update-interval configured here.

update-interval
    Configures the interval, in seconds, at which data is updated to the NSight server. This interval represents the rate at which data (excluding AVC and wireless-client related statistics) is inserted in the NSight database's first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Data Aggregation and Expiration in the Usage Guidelines below.

Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 403 PROFILES

    When configured, RF Domain managers posting data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the next update time based on the update-interval configured here.
    Note: Use the avc-update-interval and wireless-clients-update-interval keywords to configure the update interval for AVC-related and wireless-client related information respectively.

wireless-clients-update-interval
    Configures the interval, in seconds, at which wireless-client statistics are updated to the NSight server. This interval represents the rate at which wireless-client related statistics are inserted in the NSight database's first bucket. This first bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Data Aggregation and Expiration in the Usage Guidelines below.
    When configured, RF Domain managers posting wireless-client related data to the NSight server receive a reply from the NSight server intimating the next update time. The NSight server calculates the next update time based on the wireless-clients-update-interval configured here.

The following keywords are common to all of the above parameters:
    120   Sets the data-update periodicity as 120 seconds (2 minutes)
    30    Sets the data-update periodicity as 30 seconds
    300   Sets the data-update periodicity as 300 seconds (5 minutes). This is the default setting for the avc-update-interval and wireless-clients-update-interval parameters.
    60    Sets the data-update periodicity as 60 seconds (1 minute). This is the default setting for the update-interval parameter.
    600   Sets the data-update periodicity as 600 seconds (10 minutes)

nsight database statistics max-apps-per-client <1-1000>

nsight database statistics
    Configures NSight database statistics related parameters

max-apps-per-client <1-1000>
    Configures the maximum number of applications per wireless client to be posted to the NSight server within the configured data-update interval. This information is included in the AVC statistics posted by RF Domain managers to the NSight server. Specify the number of applications posted from 1 - 1000. The default is 10 applications per wireless client.

nsight database statistics [max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata] <1-1000>
nsight database statistics
    Configures NSight database statistics related parameters

[max-http-usage-metadata|max-http-visits-metadata|max-ssl-usage-metadata|max-ssl-visits-metadata]
    Configures the number of HTTP and/or SSL metadata records posted within an update interval
    max-http-usage-metadata    Configures the maximum HTTP metadata by usage (rx+tx) to be posted to the NSight database in an update-interval
    max-http-visits-metadata   Configures the maximum HTTP metadata by the number of visits to be posted to the NSight database within an update-interval
    max-ssl-usage-metadata     Configures the maximum SSL metadata by usage (rx+tx) to be posted to the NSight database in an update-interval
    max-ssl-visits-metadata    Configures the maximum SSL metadata by the number of visits to be posted to the NSight database within an update-interval

The following keyword is common to all of the above mentioned metadata options:
    <1-1000>   Specify a value from 1 - 1000. The default is 10 metadata records for each.

nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>
nsight database summary duration
    Configures the NSight database's per-bucket data storage duration

<1-24> <1-168> <1-2160> <24-26280>
    Configures the duration for which data is stored on a per-bucket basis
    <1-24>       Specify the bucket 1 duration from 1 - 24 hours (i.e. 1 hour to 1 day). The default is 8 hours.
    <1-168>      Specify the bucket 2 duration from 1 - 168 hours (i.e. 1 hour to 7 days). The default is 24 hours.
    <1-2160>     Specify the bucket 3 duration from 1 - 2160 hours (i.e. 1 hour to 90 days). The default is 7 days (168 hours).
    <24-26280>   Specify the bucket 4 duration from 24 - 26280 hours (i.e. 1 day to 3 years). The default is 365 days (1 year).
    A bucket is a database collection that holds statistical data for each RF Domain within the network. Note that only those RF Domains that are using an NSight policy with the NSight server host configured post data to the NSight server. (For more information, see the use command in the RF Domain configuration mode.) The NSight database has four (4) buckets. The data from each bucket is aggregated and pushed to the next bucket once the data storage duration specified for the bucket has been exceeded. For more information on data aggregation, see Data Aggregation and Expiration below.

Usage Guidelines (Data Aggregation and Expiration)

Data Aggregation:
The NSight functionality, a data analytics tool, analyzes data that is generated periodically by the nodes within the managed wireless LAN. For large WLAN networks, which generate a significantly large amount of data, storing data forever is neither feasible nor beneficial. Therefore, older statistics are summarized into aggregated (averaged) records. All records for a fixed time period in the past are summarized into one record by taking an average of them. Although this causes a loss in the data's granularity, average numbers for any given time period are still available.

Statistical data periodically posted by RF Domain managers to the NSight server is stored in buckets (database collections) within the NSight database. There are four buckets in total. These are:
    First bucket (termed the RAW bucket) - B1
    Second bucket - B2
    Third bucket - B3
    Fourth bucket - B4

On completion of the data storage duration, records from a bucket are aggregated (at a fixed rate) and inserted into the next bucket. The rate at which records are aggregated into the next bucket becomes the next bucket's granularity. For example, the B1 records (that have exceeded the data storage duration configured for B1) are aggregated (at the rate specified) and inserted into B2. Similarly, data from B2 is aggregated into B3, and from B3 into B4. The fixed rate of aggregation (or granularity) and default storage duration for each bucket is as follows:
    B1: storage duration 8 hours
    B2: granularity 10 minutes / storage duration 24 hours
    B3: granularity 1 hour / storage duration 7 days
    B4: granularity 1 day / storage duration 1 year

Let us consider (with default update-interval settings) the growth of any one of the statistical buckets. Since B1's default data storage duration is 8 hours, B1 will hold a maximum of 960 records per RF Domain after 8 hours (updated at the rate of 30 seconds). Since B2's granularity is 10 minutes, every 10 minutes 20 records from B1 will be aggregated into a single record and inserted into B2. Since B2's default storage duration is 24 hours, it will contain a maximum of 144 records per RF Domain after 24 hours. Since B3's granularity is 1 hour, every hour 6 records from B2 will be aggregated into a single record and inserted into B3. Since B3's default storage duration is 7 days, it will contain a maximum of 168 records per RF Domain after 7 days. Since B4's granularity is 1 day, every day 24 records from B3 will be aggregated into a single record and inserted into B4. Since B4's default storage duration is 365 days, it will contain a maximum of 365 records per RF Domain after 1 year.

Data Expiration:
The expiration of older records (also referred to as purging or deleting of records) occurs along with data aggregation for each bucket. Let us consider (with default data storage-duration settings) the expiration of data for any one of the statistical buckets. As stated earlier, at the end of 8 hours B1 will have 960 records per RF Domain. After a period of 8 hours and 10 minutes, all 960 records are aggregated into 144 records and inserted into B2. To enable B1 to hold exactly 8 hours' worth of data, the 20 oldest records (corresponding to the first 10 minutes) are purged from B1 at the end of 8 hours and 10 minutes. This expiration cycle is triggered every 10 minutes. At the end of 24 hours B2 will have 144 records per RF Domain. After a period of 24 hours and 10 minutes, the oldest record (corresponding to the first 10 minutes) is purged from B2. This expiration cycle is triggered every 10 minutes to enable B2 to maintain exactly 24 hours' worth of data. At the end of 7 days B3 will have 168 records per RF Domain. After a period of 7 days and one hour, the oldest record (corresponding to the first hour) is purged from B3. This expiration cycle is triggered every 1 hour to enable B3 to maintain exactly 7 days' worth of data. At the end of 365 days B4 will have 365 records per RF Domain. After 365 days, the oldest records (corresponding to the first day) are purged from B4. This expiration cycle is triggered every 1 day to enable B4 to maintain exactly 365 days' worth of data.

Example
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics avc-update-interval 120
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics update-interval 30
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics wireless-clients-update-interval 600
nx9500-6C8809(config-profile-testNX9500)#nsight database statistics max-apps-per-client 20
nx9500-6C8809(config-profile-testNX9500)#nsight database summary duration 12 30 200 500
nx9500-6C8809(config-profile-testNX9500)#show context include-factory | include nsight
use nsight-policy nsight-noc
nsight database statistics update-interval 30
nsight database statistics wireless-clients-update-interval 600
nsight database summary duration 12 30 200 500
nsight database statistics avc-update-interval 120
nsight database statistics max-apps-per-mu 20
nx9500-6C8809(config-profile-testNX9500)#
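The bucket arithmetic in the Usage Guidelines above, as an added worked model that is not WiNG code and not from this guide: it reproduces the record counts the guide states for the default settings (960 / 144 / 168 / 365 records per RF Domain, 20 / 6 / 24 records averaged per aggregation), then drives a short simulation to show B1 settling at exactly 8 hours' worth of records once the 10-minute aggregation and expiration cycle starts, and what a different update interval does to B1. The NSightStore class, the simulate() helper and the client-count sample series are constructed for the example; the granularities and storage durations are the guide's defaults.

```python
"""Model of the NSight four-bucket aggregation and expiration scheme.

Constructed example, not WiNG code: one statistical collection for one
RF Domain, with B1 receiving RAW records at the update interval and
B2..B4 receiving averaged records at the guide's fixed granularities.
"""
from dataclasses import dataclass, field
from statistics import mean

MINUTE, HOUR, DAY = 60, 3600, 86400


@dataclass
class Bucket:
    name: str
    duration: int      # storage duration in seconds
    granularity: int   # seconds between inserts into this bucket
    records: list = field(default_factory=list)   # (timestamp, value)


class NSightStore:
    def __init__(self, update_interval=30, b1_hours=8, b2_hours=24,
                 b3_hours=168, b4_hours=24 * 365):
        self.update_interval = update_interval
        self.buckets = [
            Bucket("B1", b1_hours * HOUR, update_interval),
            Bucket("B2", b2_hours * HOUR, 10 * MINUTE),
            Bucket("B3", b3_hours * HOUR, HOUR),
            Bucket("B4", b4_hours * HOUR, DAY),
        ]

    def capacity(self):
        """Maximum records per RF Domain each bucket holds at steady state."""
        return {b.name: b.duration // b.granularity for b in self.buckets}

    def records_per_aggregation(self):
        """Source records averaged into one record of the next bucket."""
        return {f"{s.name}->{d.name}": d.granularity // s.granularity
                for s, d in zip(self.buckets, self.buckets[1:])}

    def post(self, now, value):
        """An RF Domain manager posts one RAW statistic at time `now`."""
        self.buckets[0].records.append((now, value))
        self._aggregate_and_expire(now)

    def _aggregate_and_expire(self, now):
        # On every tick of the destination's granularity, the source records
        # that have exceeded the source bucket's storage duration are averaged
        # into one record of the next bucket and purged from the source.
        for src, dst in zip(self.buckets, self.buckets[1:]):
            if now % dst.granularity:
                continue
            cutoff = now - src.duration
            expired = [(t, v) for t, v in src.records if t <= cutoff]
            if not expired:
                continue
            dst.records.append((now, mean(v for _, v in expired)))
            src.records = [(t, v) for t, v in src.records if t > cutoff]
        # B4 has no successor: its expired records are simply purged.
        last = self.buckets[-1]
        if now % last.granularity == 0:
            last.records = [(t, v) for t, v in last.records
                            if t > now - last.duration]

    def counts(self):
        return {b.name: len(b.records) for b in self.buckets}


def simulate(hours, update_interval=30):
    """Drive the store for `hours` with a constructed client-count series."""
    store = NSightStore(update_interval)
    steps = hours * HOUR // update_interval
    for k in range(1, steps + 1):
        store.post(k * update_interval, 40 + (k % 5))   # constructed sample value
    return store


if __name__ == "__main__":
    s = simulate(9)
    print(s.capacity())                 # {'B1': 960, 'B2': 144, 'B3': 168, 'B4': 365}
    print(s.records_per_aggregation())  # {'B1->B2': 20, 'B2->B3': 6, 'B3->B4': 24}
    print(s.counts())                   # B1 stays at 960 once the purge cycle runs
```

Running simulate(9) shows B1 holding exactly 960 records after the first aggregation at 8 hours 10 minutes and B2 gaining one averaged record every 10 minutes thereafter; with update-interval 60 the same 8-hour B1 holds 480 records, which is the sizing consequence of the update-interval keywords documented above.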
Related Commands
    no    Reverts the NSight database related parameters configured to default values

7.1.62 ntp
Profile Config Commands

Configures the Network Time Protocol (NTP) server settings

NTP manages time and/or network clock synchronization within the network. NTP is a client/server implementation. Controllers, service platforms, and access points (NTP clients) periodically synchronize their clock with a master clock (an NTP server). For example, a controller resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ntp server <PEER-IP/HOSTNAME> {autokey|key|maxpoll|minpoll|prefer|version}
ntp server <PEER-IP/HOSTNAME> {autokey}
ntp server <PEER-IP/HOSTNAME> {maxpoll [1024|2048|4096|8192]}
ntp server <PEER-IP/HOSTNAME> {minpoll [1024|128|256|512|64]}
ntp server <PEER-IP/HOSTNAME> {key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]}
ntp server <PEER-IP/HOSTNAME> {prefer version <1-4>|version <1-4> prefer}

Parameters
ntp server <PEER-IP/HOSTNAME> {autokey} {prefer version <1-4>|version <1-4>}
ntp server <PEER-IP/HOSTNAME>
    Configures NTP server resources that are used to obtain system time
    <PEER-IP/HOSTNAME>   Identifies the NTP server resource by its IP address or hostname. Specify the NTP server's IP address or hostname.
autokey
    Optional. Enables automatic configuration of the authentication key for the specified NTP server. This option is disabled by default. If not enabled, use the key option to configure an authentication key for the NTP server.

ntp server <PEER-IP/HOSTNAME> {maxpoll [1024|2048|4096|8192]}

ntp server <PEER-IP/HOSTNAME>
    Configures NTP server resources that are used to obtain system time
    <PEER-IP/HOSTNAME>   Identifies the NTP server resource by its IP address or hostname. Specify the NTP server's IP address or hostname.
maxpoll [1024|2048|4096|8192]
    Optional. Configures the maximum polling interval. Once set, the specified NTP server is polled no later than the defined interval. Select one of the following options:
    1024   Configures the maximum polling interval as 1024 seconds. This is the default setting.
    2048   Configures the maximum polling interval as 2048 seconds
    4096   Configures the maximum polling interval as 4096 seconds
    8192   Configures the maximum polling interval as 8192 seconds

ntp server <PEER-IP/HOSTNAME> {minpoll [1024|128|256|512|64]}
ntp server <PEER-IP/HOSTNAME>
    Configures NTP server resources that are used to obtain system time
    <PEER-IP/HOSTNAME>   Identifies the NTP server resource by its IP address or hostname. Specify the NTP server's IP address or hostname.
minpoll [1024|128|256|512|64]
    Optional. Configures the minimum polling interval. Once set, the specified NTP server is polled no sooner than the defined interval. Select one of the following options:
    1024   Configures the minimum polling interval as 1024 seconds
    128    Configures the minimum polling interval as 128 seconds
    256    Configures the minimum polling interval as 256 seconds
    512    Configures the minimum polling interval as 512 seconds
    64     Configures the minimum polling interval as 64 seconds. This is the default setting.

ntp server <PEER-IP/HOSTNAME> {key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]}
ntp server <PEER-IP/HOSTNAME>
    Configures NTP server resources that are used to obtain system time
    <PEER-IP/HOSTNAME>   Identifies the NTP server resource by its IP address or hostname. Specify the NTP server's IP address or hostname.
key <1-65534> md5 [0 <WORD>|2 <WORD>|<WORD>]
    Optional. Defines the authentication key for the specified NTP server. This option is used to configure the key when autokey configuration is not enabled.
    <1-65534>   Specify the peer key number. Should not exceed 64 characters in length.
    md5         Sets MD5 authentication
    0 <WORD>    Configures a clear text password
    2 <WORD>    Configures an encrypted password
    <WORD>      Sets an authentication key

ntp server <PEER-IP/HOSTNAME> {prefer version <1-4>|version <1-4> prefer}
ntp server <PEER-IP/HOSTNAME>
    Configures NTP server resources that are used to obtain system time
    <PEER-IP/HOSTNAME>   Identifies the NTP server resource by its IP address or hostname. Specify the NTP server's IP address or hostname.
prefer version <1-4>
    prefer          Optional. Designates the specified NTP server as a preferred NTP resource. This setting is disabled by default.
    version <1-4>   Optional. Configures the NTP version. Select the NTP version from 1 - 4. If not specified, the default value of 0 is applied, which implies that the NTP server's version is ignored.
version <1-4> prefer
    version <1-4>   Optional. Configures the version number used by the specified NTP server resource. Select the NTP version from 1 - 4. The default setting is 0. A value of 0 implies that the NTP server's version is ignored.
    prefer          Optional. Designates the specified NTP server as a preferred NTP resource. This setting is disabled by default. The NTP version number specified using the version <1-4> keyword is applied to this preferred NTP resource.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#ntp server 172.16.10.10 version 1 prefer
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
...............................................
 interface pppoe1
 use firewall-policy default
 ntp server 172.16.10.10 prefer version 1
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
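What the key <1-65534> md5 <WORD> option sets up on the wire, as an added example that is not WiNG code and not from this guide: an NTP client header followed by the symmetric-key MAC of RFC 5905 section 7.3 (the 32-bit key identifier, then MD5 over the shared key concatenated with the header), and the check a receiver performs against its table of trusted keys. The key id 10, the shared secret, the key table and the helper names are constructed for the example; the version range 1-4 and key id range 1-65534 are the ones the CLI accepts.

```python
"""NTP symmetric-key (MD5) authentication, as selected by
`ntp server <PEER-IP/HOSTNAME> key <1-65534> md5 <WORD>`.

Constructed example, not WiNG code. MAC layout per RFC 5905 section 7.3:
48-byte header, then a 32-bit key identifier, then the 128-bit MD5 digest
of (shared key || header); the key id and digest are not themselves hashed.
"""
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48
MAC_LEN = 4 + 16                 # key id + MD5 digest
NTP_EPOCH_OFFSET = 2208988800    # seconds from 1900-01-01 to 1970-01-01
MODE_CLIENT = 3


def build_client_header(version=4, transmit_unix_seconds=0):
    """Build a minimal 48-byte NTP client request header."""
    if not 1 <= version <= 4:                  # the CLI accepts version 1-4
        raise ValueError("NTP version must be 1-4")
    li_vn_mode = (0 << 6) | (version << 3) | MODE_CLIENT
    # Byte 0: leap indicator / version / mode; then stratum, poll, precision.
    head = struct.pack("!BBBb", li_vn_mode, 0, 6, -20)
    # Root delay, root dispersion, reference id (12 bytes) and the reference,
    # origin and receive timestamps (24 bytes) are zero in a client request.
    transmit = struct.pack("!II", transmit_unix_seconds + NTP_EPOCH_OFFSET, 0)
    return head + bytes(12) + bytes(24) + transmit


def authenticate(header, key_id, key):
    """Append the MAC an NTP peer adds when a key is configured."""
    if not 1 <= key_id <= 65534:               # the CLI's key number range
        raise ValueError("key id must be 1-65534")
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    digest = hashlib.md5(key + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify(packet, trusted_keys):
    """Validate a received packet against the trusted key table {key_id: key}.

    Returns the key id that authenticated the packet, or None when the packet
    carries no MAC, names an unknown key id, or its digest does not match
    (the header was altered in transit or a different key was used).
    """
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return None
    header, mac = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    key_id = struct.unpack("!I", mac[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        return None
    expected = hashlib.md5(key + header).digest()
    # Constant-time comparison so the check does not leak digest bytes.
    if not hmac.compare_digest(expected, mac[4:]):
        return None
    return key_id


def demo():
    """Exercise the good, tampered, unknown-key-id and unauthenticated cases."""
    keys = {10: b"constructed-shared-secret"}   # constructed key table
    header = build_client_header(version=4, transmit_unix_seconds=1_700_000_000)
    packet = authenticate(header, 10, keys[10])
    # Flip one bit of the transmit timestamp (header bytes 40..47).
    tampered = packet[:40] + bytes([packet[40] ^ 0x01]) + packet[41:]
    return {
        "good": verify(packet, keys),                   # 10
        "tampered": verify(tampered, keys),             # None
        "unknown_key_id": verify(packet, {11: keys[10]}),  # None
        "no_mac": verify(header, keys),                 # None
    }


if __name__ == "__main__":
    print(demo())
```

A header altered in transit, a packet naming a key id absent from the receiver's key table, or a bare 48-byte packet with no MAC all fail the check; that is the property a key-configured entry adds over a plain ntp server <PEER-IP/HOSTNAME> entry. The MAC authenticates the source and integrity of the header only and encrypts nothing.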
Related Commands
    no    Disables or reverts settings to their default

7.1.63 otls
Profile Config Commands

Enables support for OmniTrail Location Server (OTLS) beacon identification

OmniTrail (offered by OmniTrail technologies) is a Wi-Fi based locationing protocol used in positioning and location tracking solutions. Access points supporting OTLS beacon identification lock their radios to scan channels for beacons with OTLS tags. Beacons received by the access point are matched against the OTLS signature and, in case of a match, are forwarded to the OTLS server as UDP payload.

Use this command to configure OTLS server details on the AP and enable OTLS data forwarding. Alternately, OTLS parameters can be configured in the AP's profile on the controller or service platform and pushed to adopted access points. When configured, APs establish a connection with the OTLS server and forward OTLS locationing feeds to the server.

Supported in the following platforms:
    Access Points: AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8432, AP8533

Syntax
otls [apid|control-port|data-port|forward|server-ip]
otls apid <WORD>
otls control-port <0-65535>
otls data-port [2.4GHz|5GHz] <0-65535>
otls forward [2.4GHz|5GHz] [disable|enable]
otls server-ip <OTLS-SERVER-IP>

Parameters
otls apid <WORD>
otls apid <WORD>
    Configures a unique identification for the OTLS-enabled access point. The access point identifier (APID) enables the OTLS server to identify the AP forwarding the OTLS tag.
    <WORD>   Specify an ID for the AP. To ensure that OTLS-enabled APs have unique OTLS IDs, it is recommended that the APID is configured in the device context of each AP.

otls control-port <0-65535>

otls control-port <0-65535>
    Configures the port used by the AP to establish and maintain a connection with the OTLS server
    <0-65535>   Specify the control port from 0 - 65535.

otls data-port [2.4GHz|5GHz] <0-65535>
otls data-port [2.4GHz|5GHz] <0-65535>
    Configures the port used by the AP to forward OTLS beacons to the OTLS server. However, OTLS data forwarding has to be enabled on the APs. Use the otls > forward > [2.4GHz|5GHz] > [disable|enable] command to enable data forwarding.
    2.4GHz   Configures the port used to forward OTLS beacons received on the 2.4 GHz band
    5GHz     Configures the port used to forward OTLS beacons received on the 5.0 GHz band
    The following keyword is common to the above parameters:
    <0-65535>   Specify a data-forwarding port from 0 - 65535.

otls forward [2.4GHz|5GHz] [disable|enable]
otls forward [2.4GHz|5GHz] [disable|enable]
    Enables or disables OTLS tag forwarding
    2.4GHz   Enables or disables forwarding of OTLS beacons received on the 2.4 GHz band
    5GHz     Enables or disables forwarding of OTLS beacons received on the 5.0 GHz band
    The following keywords are common to the above parameters:
    disable   Disables OTLS tag forwarding. By default OTLS beacon forwarding is disabled for both 2.4 GHz and 5.0 GHz bands.
    enable    Enables OTLS tag forwarding

otls server-ip <OTLS-SERVER-IP>
otls server-ip <OTLS-SERVER-IP>
    Configures the OTLS server's IP address
    <OTLS-SERVER-IP>   Specify the OTLS server's IP address.

Example
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls apid 112233
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls forward 2.4GHz enable
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls forward 5GHz enable
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls control-port 8890
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls data-port 2.4GHz 8888
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls data-port 5GHz 8889
ap8533-84A224(config-device-84-24-8D-84-A2-24)#otls server-ip 192.168.13.10
ap8533-84A224(config-device-84-24-8D-84-A2-24)#show context include-factory | include otls
otls forward 5GHz enable
otls forward 2.4GHz enable
otls server-ip 192.168.13.10
otls control-port 8890
otls data-port 2.4GHz 8888
otls data-port 5GHz 8889
otls apid 112233
ap8533-84A224(config-device-84-24-8D-84-A2-24)

The following example displays OTLS parameters configured on an AP8533 profile:
nx9500-6C8809(config-profile-testAP8533)#show context include-factory | include otls
otls forward 5GHz enable
otls forward 2.4GHz enable
otls server-ip 192.168.13.10
otls control-port 8890
otls data-port 2.4GHz 8888
otls data-port 5GHz 8889
otls apid 12345
nx9500-6C8809(config-profile-testAP8533)#
Related Commands
    no    Removes the OTLS-related parameters configured on an AP or on an AP's profile

7.1.64 offline-duration
Profile Config Commands

Sets the duration, in minutes, for which a device remains unadopted before it generates an offline event

This command is also supported in the device configuration mode.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
offline-duration <5-43200>

Parameters
offline-duration <5-43200>

offline-duration <5-43200>
    Specify a value from 5 - 43200 minutes. The default is 10 minutes.

Example
rfs4000-229D58(config-profile-test)#offline-duration 200
rfs4000-229D58(config-profile-test)#show context
profile rfs4000 test
 no autoinstall configuration
 no autoinstall firmware
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
................................................................
 interface wwan1
 interface pppoe1
 use firewall-policy default
 service pm sys-restart
 router ospf
 offline-duration 200
rfs4000-229D58(config-profile-test)#
Related Commands
    no    Resets the offline-duration to default (10 minutes)

7.1.65 power-config
Profile Config Commands

Configures the power option mode. Use this command in the profile configuration mode to configure the transmit output power of access point radios. This command is also available in the device-config mode.

When an access point is powered on for the first time, the system determines the power budget available to the access point. If 802.3af is selected, the access point assumes 12.95 watts is available. If the mode is changed, the access point requires a reset to implement the change. If 802.3at is selected, the access point assumes 23 - 26 watts is available.

NOTE: Single radio model access points (AP6511 and AP6521) always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models. The access point has to be restarted for power management changes to take effect.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
power-config [af-option|at-option|mode]
power-config [af-option|at-option] [range|throughput]
power-config mode [auto|3af]

Parameters
power-config [af-option|at-option] [range|throughput]
power-config
    Configures the power option mode
af-option [range|throughput]
    Configures the 802.3af power mode option. The options are:
    range        Configures the af power range mode. This mode provides higher power but fewer transmission (tx) chains. Select range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates.
    throughput   Configures the af power throughput mode. This mode provides lower power but has more tx chains. This is the default setting. Select throughput to transmit packets at the radio's highest defined basic rate (based on the radio's current basic rate settings). This option is optimal in environments where transmission range is secondary to broadcast/multicast transmission performance.
at-option [range|throughput]
    Configures the 802.3at power mode option. The options are:
    range        Configures the at power range mode. This mode provides higher power but fewer tx chains. Select range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates.
    throughput   Configures the at power throughput mode. This mode provides lower power but has more tx chains. This is the default setting. Select throughput to transmit packets at the radio's highest defined basic rate (based on the radio's current basic rate settings). This option is optimal in environments where transmission range is secondary to broadcast/multicast transmission performance.

power-config mode [auto|3af]

power-config
    Configures the power option mode
mode [auto|3af]
    Configures the AP power mode
    3af    Forces an AP to power up in the 802.3af power mode
    auto   Sets the detection auto mode (default setting). The automatic power-config mode enables an access point to automatically determine the best power configuration based on the available power budget.

Example
nx9500-6C8809(config-profile-testAP7161)#power-config mode 3af
nx9500-6C8809(config-profile-testAP7161)#power-config af-option range
nx9500-6C8809(config-profile-testAP7161)#show context
profile ap71xx testAP7161
 no autoinstall configuration
 no autoinstall firmware
 power-config mode 3af
 power-config af-option range
 crypto ikev1 policy ikev1-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ikev2 policy ikev2-default
  isakmp-proposal default encryption aes-256 group 2 hash sha
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
--More--
nx9500-6C8809(config-profile-testAP7161)#
Related Commands
    no    Reverts the power mode setting on this profile to default

7.1.66 preferred-controller-group
Profile Config Commands

Specifies the controller group preferred for adoption

At adoption, an access point solicits and receives multiple adoption responses from controllers and service platforms available on the network. These adoption responses contain loading policy information the access point uses to select the optimum controller or service platform for adoption. After selecting the controller or service platform, the access point associates with it and optionally obtains an image upgrade and configuration. By default, an auto provisioning policy generally distributes AP adoption evenly amongst available controllers and service platforms. Use this command to specify the controller or service platform preferred for adoption. Once configured, the access point adopts to the specified preferred controller or service platform.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533

Syntax
preferred-controller-group <WORD>

Parameters
preferred-controller-group <WORD>

<WORD>
    Specify the name of the controller (wireless controller or service platform) group preferred for adoption. Devices using this profile are added, on adoption, to the controller group specified here.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#preferred-controller-group testGroup
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
......................................................
 qos trust 802.1p
 interface pppoe1
 use firewall-policy default
 ntp server 172.16.10.10 prefer version 1
 preferred-controller-group testGroup
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
    no    Removes the preferred controller group configuration

7.1.67 preferred-tunnel-controller
Profile Config Commands

Configures the name of the tunnel controller preferred for tunneling extended VLAN traffic. Devices using this profile will prefer to route their extended VLAN traffic through the specified tunnel controller (wireless controller or service platform).

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
preferred-tunnel-controller <NAME>

Parameters
preferred-tunnel-controller <NAME>

preferred-tunnel-controller <NAME>
    Configures the preferred tunnel controller name

Example
rfs6000-37FABE(config-profile-default-rfs6000)#preferred-tunnel-controller testtunnel

Related Commands
    no    Removes the preferred tunnel configuration

7.1.68 radius
Profile Config Commands

Configures device level RADIUS authentication parameters

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
radius [nas-identifier|nas-port-id] <WORD>

Parameters
radius [nas-identifier|nas-port-id] <WORD>

radius
    Configures RADIUS authentication parameters
nas-identifier <WORD>
    Specifies the RADIUS Network Access Server (NAS) identifier attribute used by this device
    <WORD>   Specifies the NAS identifier
nas-port-id <WORD>
    Specifies the RADIUS NAS port ID attribute used by this device
    <WORD>   Specifies the NAS port ID

Example
rfs6000-37FABE(config-profile-default-rfs6000)#radius nas-port-id 1
rfs6000-37FABE(config-profile-default-rfs6000)#radius nas-identifier test
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
 bridge vlan 1
  bridging-mode isolated-tunnel
  ip igmp snooping
  ip igmp snooping querier
 radius nas-identifier test
 radius nas-port-id 1
 neighbor-info-interval 6
 neighbor-inactivity-timeout 500
--More--
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
    no    Disables or reverts settings to their default

7.1.69 rf-domain-manager
Profile Config Commands

Configures the RF Domain manager election criteria

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rf-domain-manager [capable|priority <1-255>]

Parameters
rf-domain-manager [capable|priority <1-255>]

rf-domain-manager
    Configures the RF Domain manager election criteria
capable
    Enables devices using this profile to be elected as the RF Domain manager. The RF Domain manager stores and provisions configuration and firmware images for other members of the RF Domain. It also updates state changes, if any, to RF Domain members. This option is enabled by default.
priority <1-255>
    Assigns a priority value for devices using this profile in the RF Domain manager election process. The higher the number set, the higher the device's priority in the RF Domain manager election process.
    <1-255>   Select a priority value from 1 - 255.

Example
rfs6000-37FABE(config-profile-default-rfs6000)#rf-domain-manager priority 9
rfs6000-37FABE(config-profile-default-rfs6000)#show context
profile rfs6000 default-rfs6000
 mint link ip 1.2.3.4
 mint level 1 area-id 88
..............................................
 rf-domain-manager priority 9
 preferred-controller-group testGroup
 misconfiguration-recovery-time 65
 noc update-interval 25
 service pm sys-restart
 preferred-tunnel-controller testtunnel
 router ospf
rfs6000-37FABE(config-profile-default-rfs6000)#
Related Commands
  no    Disables or reverts settings to their default

7.1.70 router
Profile Config Commands

Enables dynamic routing (BGP and/or OSPF) and enters the routing protocol configuration mode.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: BGP is supported only on RFS4000, RFS6000, NX75XX, and NX9500 model controllers and service platforms. The NX9500 and NX9510 service platforms do not support OSPF routing. The access points only support OSPF routing.

Syntax
  router [bgp|ospf]

Parameters
  router [bgp|ospf]

  router   Enables dynamic routing and enters the routing protocol configuration mode
  bgp      Enables BGP dynamic routing and configures relevant settings. BGP is an inter-ISP routing protocol that establishes routing between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP uses TCP as its transport protocol, eliminating the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. Routing information exchanged through BGP supports destination-based forwarding only: it assumes a router forwards packets based on the destination address carried in the IP header of the packet. An AS is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. For more information on dynamic BGP routing configurations, see BORDER GATEWAY PROTOCOL.
  ospf     Enables OSPF dynamic routing and configures relevant settings. Changes the configuration mode to router mode. OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), such as an enterprise LAN. OSPF gathers link-state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets. For more information on dynamic OSPF routing configurations, see ROUTER-MODE COMMANDS.

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#router ospf
  rfs6000-37FABE(config-profile default-rfs6000-router-ospf)#?
  Router OSPF Mode commands:
    area                 OSPF area
    auto-cost            OSPF auto-cost
    default-information  Distribution of default information
    ip                   Internet Protocol (IP)
    network              OSPF network
    no                   Negate a command or set its defaults
    ospf                 Ospf
    passive              Make OSPF Interface as passive
    redistribute         Route types redistributed by OSPF
    route-limit          Limit for number of routes handled OSPF process
    router-id            Router ID

    clrscr               Clears the display screen
    commit               Commit all changes made in this session
    do                   Run commands from Exec mode
    end                  End current mode and change to EXEC mode
    exit                 End current mode and down to previous mode
    help                 Description of the interactive help system
    revert               Revert changes
    service              Service Commands
    show                 Show running system information
    write                Write running configuration to memory or terminal

  rfs6000-37FABE(config-profile default-rfs6000-router-ospf)#
Related Commands
  no    Disables OSPF settings

7.1.71 spanning-tree
Profile Config Commands

Enables spanning tree commands. Use these commands to configure the errdisable, multiple spanning tree and portfast settings.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  spanning-tree [errdisable|mst|portfast]
  spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>]
  spanning-tree mst [<0-15>|cisco-interoperability|enable|forward-time|hello-time|instance|max-age|max-hops|region|revision]
  spanning-tree mst [<0-15> priority <0-61440>|cisco-interoperability [enable|disable]|enable|forward-time <4-30>|hello-time <1-10>|instance <1-15>|max-age <6-40>|max-hops <7-127>|region <LINE>|revision <0-255>]
  spanning-tree portfast [bpdufilter|bpduguard] default

Parameters
  spanning-tree errdisable recovery [cause bpduguard|interval <10-1000000>]

  spanning-tree            Configures spanning-tree related parameters
  errdisable               Disables or shuts down ports where traffic is looping, or ports with traffic in one direction
  recovery                 Enables the timeout mechanism for a port to be recovered. This option is disabled by default.
  cause                    Specifies the reason for errdisable
  bpduguard                Recovers from errdisable due to bpduguard
  interval <10-1000000>    Specifies the interval after which a port is enabled
                           <10-1000000>  Specify a value from 10 - 1000000 seconds. The default is 300 seconds.

  spanning-tree mst [<0-15> priority <0-61440>|cisco-interoperability [enable|disable]|enable|forward-time <4-30>|hello-time <1-10>|instance <1-15>|max-age <6-40>|max-hops <7-127>|region <LINE>|revision <0-255>]
  spanning-tree                            Configures spanning-tree related parameters
  mst                                      Configures Multiple Spanning Tree (MST) commands. MSTP extends STP to optimize the usefulness of VLANs. MSTP allows a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology.
  <0-15> priority <0-61440>                Specifies the number of instances required to configure MST. Select a value from 0 - 15.
                                           priority  Sets the bridge priority to the specified value. This value is used to determine the root bridge. Use the no parameter with this command to restore the default bridge priority value.
                                           <0-61440>  Sets the bridge priority in increments (a lower priority indicates a greater likelihood of becoming root).
  cisco-interoperability [enable|disable]  Enables Cisco interoperability. Enables interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default.
  enable                                   Enables the MST protocol
  forward-time <4-30>                      Specifies the forwarding delay time in seconds
                                           <4-30>  Specify a value from 4 - 30 seconds. The default is 15 seconds.
  hello-time <1-10>                        Specifies the hello BPDU interval in seconds
                                           <1-10>  Specify a value from 1 - 10 seconds. The default is 2 seconds.
  instance <1-15>                          Defines the instance ID to which the VLAN is associated
                                           <1-15>  Specify an instance ID from 1 - 10.
  max-age <6-40>                           Defines the maximum time to listen for the root bridge
                                           <6-40>  Specify a value from 4 - 60 seconds. The default is 20 seconds.
  max-hops <7-127>                         Defines the maximum number of hops for which a BPDU is valid
                                           <7-127>  Specify a value from 7 - 127. The default is 20.
  region <LINE>                            Specifies the MST region
                                           <LINE>  Specify the region name.
  revision <0-255>                         Sets the MST bridge revision number. This enables the retrieval of configuration information.
                                           <0-255>  Specify a value from 0 - 255. The default is 0.

  spanning-tree portfast [bpdufilter|bpduguard] default

  spanning-tree portfast [bpdufilter|bpduguard] default   Configures spanning-tree related parameters
  portfast               Enables PortFast on a bridge
  bpdufilter default     Sets the BPDU filter for the port. The BPDU filter is disabled by default. The spanning tree protocol sends BPDUs from all ports. Enabling the BPDU filter ensures that PortFast-enabled ports do not transmit or receive BPDUs.
  bpduguard default      Guards PortFast ports against receiving BPDUs. The BPDU guard is disabled by default. Enabling the BPDU guard means this port will shut down on receiving a BPDU.
  default                Enables the BPDU filter and/or BPDU guard on PortFast-enabled ports by default

Usage Guidelines
If a bridge does not hear BPDUs from the root bridge within the specified interval, it assumes the network has changed and recomputes the spanning-tree topology.

Generally, spanning tree configuration settings in the config mode define the configuration for the bridge and bridge instances. MSTP is based on instances. An instance is a group of VLANs with a common spanning tree. A single VLAN cannot be associated with multiple instances.

Wireless controllers or service platforms with the same instance, VLAN mapping, revision number and region name define a unique region. Wireless controllers or service platforms in the same region exchange BPDUs carrying instance record information.
Example
  rfs6000-37FABE(config-profile-default-rfs6000)#spanning-tree errdisable recovery cause bpduguard
  rfs6000-37FABE(config-profile-default-rfs6000)#spanning-tree mst 2 priority 4096
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   mint link ip 1.2.3.4
   mint level 1 area-id 88
   bridge vlan 1
    bridging-mode isolated-tunnel
    ip igmp snooping
    ip igmp snooping querier
   radius nas-identifier test
   radius nas-port-id 1
   neighbor-info-interval 6
   neighbor-inactivity-timeout 500
   spanning-tree mst 2 priority 4096
   spanning-tree errdisable recovery cause bpduguard
   autoinstall configuration
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000)#
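As an added example (not Extreme or WiNG code), the following Python models the behaviour the parameter tables above describe for a PortFast edge port: bpduguard errdisables the port when a BPDU arrives, bpdufilter drops the BPDU so the port stays up, and errdisable recovery cause bpduguard re-enables the port after the configured interval (default 300 seconds). The state names, the precedence of bpdufilter over bpduguard, and the small show-context parser are assumptions.

```python
"""Model of PortFast BPDU guard, BPDU filter and errdisable recovery.

Added example, not WiNG code. It reads the relevant 'spanning-tree' lines
from show context output and replays BPDU arrivals against a PortFast port.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

DEFAULT_RECOVERY_INTERVAL = 300  # seconds, the documented default


@dataclass
class SpanningTreeProfile:
    """Subset of the 'spanning-tree' profile settings used here."""
    portfast_bpduguard: bool = False            # spanning-tree portfast bpduguard default
    portfast_bpdufilter: bool = False           # spanning-tree portfast bpdufilter default
    errdisable_recovery_bpduguard: bool = False  # errdisable recovery cause bpduguard
    errdisable_recovery_interval: int = DEFAULT_RECOVERY_INTERVAL


def profile_from_context(lines) -> SpanningTreeProfile:
    """Build a profile from show context lines (assumed exact line forms)."""
    p = SpanningTreeProfile()
    for raw in lines:
        line = raw.strip()
        if line == "spanning-tree errdisable recovery cause bpduguard":
            p.errdisable_recovery_bpduguard = True
        elif line.startswith("spanning-tree errdisable recovery interval "):
            p.errdisable_recovery_interval = int(line.rsplit(" ", 1)[1])
        elif line == "spanning-tree portfast bpduguard default":
            p.portfast_bpduguard = True
        elif line == "spanning-tree portfast bpdufilter default":
            p.portfast_bpdufilter = True
    return p


@dataclass
class PortfastPort:
    name: str
    profile: SpanningTreeProfile
    state: str = "forwarding"            # assumed states: forwarding / errdisabled
    errdisabled_at: Optional[float] = None
    log: List[str] = field(default_factory=list)

    def receive_bpdu(self, now: float) -> str:
        """Handle a BPDU arriving on this edge port at time 'now'."""
        if self.state == "errdisabled":
            return self.state
        if self.profile.portfast_bpdufilter:
            # Filter: the BPDU is dropped and the port keeps forwarding.
            self.log.append(f"{now}: {self.name} bpdufilter dropped BPDU")
            return self.state
        if self.profile.portfast_bpduguard:
            # Guard: a BPDU on an edge port means a bridge appeared where
            # only end hosts are expected, so the port is shut down.
            self.state = "errdisabled"
            self.errdisabled_at = now
            self.log.append(f"{now}: {self.name} errdisabled (cause bpduguard)")
            return self.state
        # Neither guard nor filter: STP would process the BPDU normally.
        self.log.append(f"{now}: {self.name} processed BPDU")
        return self.state

    def tick(self, now: float) -> str:
        """Apply errdisable recovery, if configured, at time 'now'."""
        if self.state != "errdisabled":
            return self.state
        p = self.profile
        if not p.errdisable_recovery_bpduguard:
            return self.state  # stays down until an operator re-enables it
        if now - self.errdisabled_at >= p.errdisable_recovery_interval:
            self.state = "forwarding"
            self.errdisabled_at = None
            self.log.append(f"{now}: {self.name} recovered from errdisable")
        return self.state


def simulate(profile: SpanningTreeProfile, events: List[Tuple[float, str]]) -> List[str]:
    """Replay (time, 'bpdu'|'tick') events; return the port state after each."""
    port = PortfastPort("ge1", profile)
    states = []
    for t, ev in sorted(events):
        states.append(port.receive_bpdu(t) if ev == "bpdu" else port.tick(t))
    return states
```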
Related Commands
  no    Disables or reverts settings to their default

7.1.72 traffic-class-mapping
Profile Config Commands

Maps the IPv6 traffic class value of incoming IPv6 untagged packets to an 802.1p priority. This mapping is required to give some packets priority of service over others. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic. Devices use the traffic class field in the IPv6 header to set this priority. This command allows you to assign a priority for different IPv6 traffic types.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  traffic-class-mapping <IPv6-TRAFFIC-CLASS-VALUE> priority <0-7>

Parameters
  traffic-class-mapping <IPv6-TRAFFIC-CLASS-VALUE> priority <0-7>

  traffic-class-mapping <IPv6-TRAFFIC-CLASS-VALUE>   Maps the IPv6 traffic class value of incoming IPv6 untagged packets to an 802.1p priority
                        <IPv6-TRAFFIC-CLASS-VALUE>  Specify the traffic class value of incoming IPv6 untagged packet(s) (a single value or a list, for example 10-20, 25, 30-35). This is the DSCP 6-bit parameter in the header of every IP packet used for packet classification.
  priority <0-7>        Specify the 802.1p priority to map to the traffic-class value specified in the previous step
                        <0-7>  Specify a value from 0 - 7. The 802.1p priority is a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted. The priority values are:
                          0  Best Effort
                          1  Background
                          2  Spare
                          3  Excellent Effort
                          4  Controlled Load
                          5  Video
                          6  Voice
                          7  Network Control

Example
  rfs4000-229D58(config-profile-TestRFS4000)#traffic-class-mapping 25 priority 2
  rfs4000-229D58(config-profile-TestRFS4000)#show context
  profile rfs4000 TestRFS4000
   traffic-class-mapping 25 priority 2
   no autoinstall configuration
   no autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   crypto remote-vpn-client
  -More-
  rfs4000-229D58(config-profile-TestRFS4000)#
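The value-list form of <IPv6-TRAFFIC-CLASS-VALUE> ("10-20, 25, 30-35"), the 0-7 priority range and the 64-entry limit lend themselves to a small validator; the following Python is an added example, not WiNG code. The 0-63 value range (taken from the description of the field as 6-bit DSCP), the default priority 0 for unmapped traffic, and the input lines are assumptions constructed for the example.

```python
"""Validator for 'traffic-class-mapping <VALUE-LIST> priority <0-7>' lines.

Added example, not WiNG code. Expands the documented value-list syntax into a
{traffic_class: priority} table and enforces the documented limits.
"""
import re

PRIORITY_NAMES = {0: "Best Effort", 1: "Background", 2: "Spare",
                  3: "Excellent Effort", 4: "Controlled Load",
                  5: "Video", 6: "Voice", 7: "Network Control"}
MAX_ENTRIES = 64          # documented: up to 64 entries are permitted
MAX_TRAFFIC_CLASS = 63    # assumption: the value is a 6-bit DSCP field

_LINE = re.compile(
    r"^traffic-class-mapping\s+(?P<values>[\d\s,\-]+?)\s+priority\s+(?P<prio>\d+)$")


def expand_values(spec: str) -> list:
    """Expand "10-20, 25, 30-35" into sorted unique integers within range."""
    out = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            if lo > hi:
                raise ValueError(f"bad range {item!r}")
        else:
            lo = hi = int(item)
        if lo < 0 or hi > MAX_TRAFFIC_CLASS:
            raise ValueError(f"traffic class outside 0-{MAX_TRAFFIC_CLASS}: {item!r}")
        out.update(range(lo, hi + 1))
    return sorted(out)


def apply_mapping(table: dict, line: str) -> dict:
    """Apply one config line to the table in place; later lines override
    earlier ones for the same traffic class (assumption). Rejects a line
    that would push the table past MAX_ENTRIES without changing it."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a traffic-class-mapping line: {line!r}")
    prio = int(m.group("prio"))
    if not 0 <= prio <= 7:
        raise ValueError(f"priority must be 0-7, got {prio}")
    candidate = dict(table)
    for tc in expand_values(m.group("values")):
        candidate[tc] = prio
    if len(candidate) > MAX_ENTRIES:
        raise ValueError(f"more than {MAX_ENTRIES} entries after {line!r}")
    table.clear()
    table.update(candidate)
    return table


def build_table(lines) -> dict:
    """Build the full mapping table from a sequence of config lines."""
    table = {}
    for ln in lines:
        apply_mapping(table, ln)
    return table


def classify(table: dict, traffic_class: int, default_priority: int = 0):
    """Return (priority, name) for an incoming IPv6 traffic class value.
    Unmapped values fall back to default_priority (assumed 0, Best Effort)."""
    p = table.get(traffic_class, default_priority)
    return p, PRIORITY_NAMES[p]


# Constructed sample lines for the example (not taken from a real device).
SAMPLE_LINES = [
    "traffic-class-mapping 25 priority 2",
    "traffic-class-mapping 10-20, 30-35 priority 6",
    "traffic-class-mapping 46 priority 6",
]
```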
Related Commands
  no    Removes the mapping between the IPv6 traffic class value (of incoming IPv6 untagged packets) and the 802.1p priority

7.1.73 traffic-shape
Profile Config Commands

Enables traffic shaping and configures traffic shaping parameters. This command is applicable to both the profile and device configuration modes.

Traffic shaping is a means of regulating data transfers and ensuring a specific level of performance within a network. Traffic shaping does the following:
  Controls the flow of packets based on their priority value. Prioritized traffic streams are given priority over less important traffic.
  Controls traffic on an interface to match its flow to the speed of a remote target's interface and ensure traffic conforms to applied policies.
  Shapes traffic to meet downstream requirements and eliminate network congestion when data rates are in conflict.

Use this option to apply traffic shaping to specific applications or application categories. Note, in scenarios where a traffic class is matched against an application, application-category, and ACL rule, the application rule is applied first, followed by the application-category, and finally the ACL. Further, in traffic shaping an application takes precedence over an application category.

To enable traffic shaping, configure QoS values on the basis of which some packets are given priority of service over others. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic. For configuring IPv6 traffic class mappings, see traffic-class-mapping. For configuring DSCP traffic class mappings, see dscp-mapping.

Supported in the following platforms:
  Access Points: AP6522, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530

Syntax
  traffic-shape [activation-criteria|app-category|application|class|enable|priority-map|total-bandwidth]
  traffic-shape activation-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
  traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>
  traffic-shape application <APPLICATION-NAME> class <1-4>
  traffic-shape class <1-4> [max-buffers|max-latency|rate]
  traffic-shape class <1-4> max-buffers <1-400> {red-level <1-400>|red-percent <1-100>}
  traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]
  traffic-shape class <1-4> rate [<1-250000> [Kbps|Mbps]|total-bandwidth-percent <1-100>]

  NOTE: The available range for the rate field varies depending on the unit selected. It is 250 - 250000 for Kbps and 1 - 250 for Mbps.

  traffic-shape priority-map <0-7>
  traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]

  NOTE: The available range for the total-bandwidth field varies depending on the unit selected. It is 250 - 1000000 for Kbps and 1 - 1000 for Mbps.

  traffic-shape enable

Parameters
  traffic-shape activation-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]
  traffic-shape activation-criteria   Configures the traffic-shape activation criteria that determine when the device invokes traffic shaping
  always                   Always invokes traffic shaping. This is the default setting.
  cluster-master           Invokes traffic shaping when the device is the cluster master. The solitary cluster master (elected using a priority assignment scheme) is a cluster member that provides management configuration and Smart RF data to other members within the cluster. Cluster requests go through the elected master before dissemination to other cluster members.
  rf-domain-manager        Invokes traffic shaping when the device is the RF Domain manager. The RF Domain manager is the elected member capable of storing and provisioning configuration and firmware images for other members of the RF Domain.
  vrrp-master <1-255>      Invokes traffic shaping when the device is the VRRP master. As the VRRP master, the device responds to ARP requests, forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address, rejects packets addressed to the IP associated with the virtual router and accepts packets addressed to the IP associated with the virtual router.
                           <1-255>  Specify the VRRP group ID from 1 - 255.

  traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>

  traffic-shape app-category <APP-CATEGORY-NAME> class <1-4>   Configures an application category to traffic-class mapping. Use this option to map an application category to a traffic-shaper class. Naming and categorizing applications that do not fall into existing groups is an additional means of filtering and potentially limiting network airtime to consumptive, non-required applications that negatively impact network performance.
    app-category <APP-CATEGORY-NAME>   Specify the application category name. To list the available application categories, press [TAB] after entering app-category. Select the required category from the displayed list.
    class <1-4>   Map the specified application category to a traffic-shaper class from 1 - 4. Note: Before configuring an application category to class mapping, ensure that the specified classes have been configured. Use the class > [max-buffers|max-latency|rate] option available with this command to configure a traffic shaper class. For more information, see the following parameter tables.

  traffic-shape application <APPLICATION-NAME> class <1-4>

  traffic-shape application <APPLICATION-NAME> class <1-4>   Configures an application to traffic-class mapping. Use this option to map an application to a traffic-shaper class.
    application <APPLICATION-NAME>   Specify the application name.
    class <1-4>   Map the specified application to a traffic-shaper class from 1 - 4. Note: Before configuring an application to class mapping, ensure that the specified classes have been configured. Use the class > [max-buffers|max-latency|rate] option available with this command to configure a traffic shaper class. For more information, see the following tables.

  traffic-shape class <1-4> max-buffers <1-400> {red-level <1-400>|red-percent <1-100>}

  traffic-shape class <1-4> max-buffers <1-400>   Configures the queue length limit for the different traffic-shaper classes
    class <1-4>   Specify the traffic-shaper class from 1 - 4.
    max-buffers <1-400>   Configures the maximum queue lengths for packets of different priority queues, after which the queue starts to drop packets.
                          <1-400>  Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7. Note: For access points the upper queue length limit is 400.
    red-level <1-400>     Optional. Performs Random Early Drop (RED) when a specified queue length in packets is reached
                          <1-400>  Configure the queue length limit from 1 - 400 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7. The RED algorithm is a queuing technique for congestion avoidance. RED monitors the average queue size and drops or marks packets. If the buffer is near empty, all incoming packets are accepted. When the queue grows, the probability of dropping an incoming packet also grows. When the buffer is full, the probability has reached 1 and all incoming packets are dropped. Note: For more information on default values, see the Usage Guidelines section in this topic.
    red-percent <1-100>   Optional. Performs RED when a specified value, which is a percentage of the configured max-buffers, is reached
                          <1-100>  Configure the percentage of the max-buffers from 1 - 100 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.

  traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]
  traffic-shape class <1-4> max-latency <1-1000000> [msec|usec]   Configures the max-latency for the different traffic-shaper classes. Max latency specifies the time limit after which packets start dropping (maximum packet delay in the queue). The maximum number of entries is 8.
    class <1-4>   Specify the traffic-shaper class from 1 - 4.
    max-latency <1-1000000>   Configures the max-latency for packets of different priority queues, after which the queue starts to drop packets.
                              <1-1000000>  Configure the max-latency from 1 - 100000 for packets of priority queues 0, 1, 2, 3, 4, 5, 6, and 7.
    [msec|usec]   Configures the unit for measuring latency as milliseconds (msec) or microseconds (usec). The default setting is msec.

  traffic-shape class <1-4> rate [<1-250000> [Kbps|Mbps]|total-bandwidth-percent <1-100>]

  traffic-shape class <1-4> rate   Configures the traffic rate, in Kbps, Mbps or as a percentage, for the different traffic shaper classes. Specify rates for the different traffic shaper classes to control the maximum traffic rate sent or received on an interface. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority.
    class <1-4>   Specify the traffic-shaper class from 1 - 4.
    <1-250000> [Kbps|Mbps]   Configures the traffic rate, in Kbps or Mbps, for the class specified in the previous step
                             <1-250000>  Specify the rate from 1 - 250000.
                             [Kbps|Mbps]  Configures the unit for measuring bandwidth as Kbps or Mbps. The default setting is Kbps. Note: The range varies depending on the unit selected. It is 1 - 250 Mbps, or 250 - 250000 Kbps.
    total-bandwidth-percent <1-100>   Configures the traffic rate, as a percentage of the total available bandwidth, for the class specified in the first step
                                      <1-100>  Specify the traffic rate from 1 - 100% of the total bandwidth.

  traffic-shape priority-map <0-7>

  traffic-shape priority-map <0-7>   Configures the traffic-shaper queues, within a class, having different priority values (0, 1, 2, 3, 4, 5, 6, and 7). There are 8 queues (0 - 7), and traffic is queued in each based on the incoming packet's 802.1p 3-bit priority markings.
    priority-map <0-7>   Specify the priority from 0 - 7 for priority levels 0, 1, 2, 3, 4, 5, 6, and 7. The IEEE 802.1p standard sets a 3-bit value in the MAC header to indicate prioritization. This 3-bit value provides priority levels ranging from 0 to 7 (i.e., a total of 8 levels), with level 7 representing the highest priority. This permits packets to cluster and form different traffic classes. In case of network congestion, packets with higher priority receive preferential treatment while low priority packets are kept on hold.

  traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]

  traffic-shape total-bandwidth <1-1000000> [Kbps|Mbps]   Configures the total bandwidth for traffic shaping
    <1-1000000>   Specify the value from 1 - 1000000 Kbps/Mbps. The default value is 10 Mbps.
    [Kbps|Mbps]   Configures the unit for measuring bandwidth as Kbps or Mbps. The default setting is Mbps. Note: The range varies depending on the unit selected. It is 1 - 1000 Mbps, or 250 - 1000000 Kbps.

  traffic-shape enable

  traffic-shape enable   Enables traffic shaping using the bandwidth, rate and class mappings configured using this command. Note: Traffic shaping is disabled by default.

Usage Guidelines
Following are the default max-buffers set for the traffic shaper classes:
  traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10

Following is the default priority-map setting:
  traffic-shape priority-map 2 0 1 3 4 5 6 7

Example
  nx9500-6C8809(config-profile-ProfileNX5500)#show context include-factory | include traffic-shape
  traffic-shape priority-map 2 0 1 3 4 5 6 7
  traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape activation-criteria always
  traffic-shape total-bandwidth 10 Mbps
  no traffic-shape enable
  nx9500-6C8809(config-profile-ProfileNX5500)#

  nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape enable
  nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape class 1 rate 250 Mbps
  nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape application Bing class 1
  nx9500-6C8809(config-profile-ProfileNX5500)#traffic-shape total-bandwidth 200 Mbps
  nx9500-6C8809(config-profile-ProfileNX5500)#show context include-factory | include traffic-shape
  traffic-shape priority-map 2 0 1 3 4 5 6 7
  traffic-shape class 1 rate 250 Mbps
  traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
  traffic-shape activation-criteria always
  traffic-shape application Bing class 1
  traffic-shape total-bandwidth 200 Mbps
  traffic-shape enable
  nx9500-6C8809(config-profile-ProfileNX5500)#
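As an added example (not WiNG code), the Python below parses the default priority-map and max-buffers/red-level lines quoted in the Usage Guidelines, maps a packet's 802.1p priority to a shaper queue, and applies the RED drop rule described in the max-buffers parameter table (accept while the queue is short, rising drop probability past red-level, certain drop at max-buffers). The linear drop-probability ramp, the reading of the priority-map as "priority i goes to queue map[i]", and the rounding of red-percent are assumptions.

```python
"""Model of traffic-shaper queue selection and the RED drop decision.

Added example, not WiNG code. Input is the factory-default configuration
quoted in the Usage Guidelines (constructed here as a string).
"""
import math
import re

DEFAULT_CONFIG = """
traffic-shape priority-map 2 0 1 3 4 5 6 7
traffic-shape class 1 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 2 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 3 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
traffic-shape class 4 max-buffers 35 35 35 30 25 20 15 10 red-level 27 27 27 23 25 20 15 10
"""

_MAP = re.compile(r"traffic-shape priority-map((?:\s+\d+){8})$")
_CLASS = re.compile(
    r"traffic-shape class (\d+) max-buffers((?:\s+\d+){8})"
    r"(?:\s+red-level((?:\s+\d+){8})|\s+red-percent((?:\s+\d+){8}))?$")


def parse_shaper(text):
    """Return (priority_map, classes): priority_map[i] is the queue for
    802.1p priority i; classes[n] is a list of 8 (max_buffers, red_level)
    tuples, one per queue 0-7."""
    prio_map, classes = list(range(8)), {}
    for line in text.strip().splitlines():
        line = line.strip()
        m = _MAP.match(line)
        if m:
            prio_map = [int(x) for x in m.group(1).split()]
            continue
        m = _CLASS.match(line)
        if not m:
            continue
        cls = int(m.group(1))
        maxb = [int(x) for x in m.group(2).split()]
        if m.group(3):
            red = [int(x) for x in m.group(3).split()]
        elif m.group(4):
            # red-percent: RED threshold as a percentage of max-buffers
            # (rounding up is an assumption; the page does not say).
            pct = [int(x) for x in m.group(4).split()]
            red = [math.ceil(b * p / 100) for b, p in zip(maxb, pct)]
        else:
            red = list(maxb)  # no RED configured: drop only when full
        for b, r in zip(maxb, red):
            if not 1 <= r <= b <= 400:
                raise ValueError(f"class {cls}: bad thresholds max {b} / red {r}")
        classes[cls] = list(zip(maxb, red))
    return prio_map, classes


def queue_for(prio_map, dot1p):
    """802.1p priority (0-7) -> shaper queue index via the priority map."""
    if not 0 <= dot1p <= 7:
        raise ValueError("802.1p priority must be 0-7")
    return prio_map[dot1p]


def red_drop_probability(qlen, max_buffers, red_level):
    """Drop probability for a packet arriving when the queue holds qlen
    packets: 0 below red-level, 1 at max-buffers, linear in between."""
    if qlen < red_level:
        return 0.0
    if qlen >= max_buffers:
        return 1.0
    return (qlen - red_level) / (max_buffers - red_level)


def admit(classes, prio_map, cls, dot1p, qlen, rand):
    """True if the packet is enqueued. 'rand' is a uniform [0,1) draw
    supplied by the caller so the decision is reproducible."""
    q = queue_for(prio_map, dot1p)
    max_buffers, red_level = classes[cls][q]
    return rand >= red_drop_probability(qlen, max_buffers, red_level)
```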
Related Commands
  no    Removes the traffic shaping configuration or reverts it to the default values

7.1.74 trustpoint (profile-config-mode)
Profile Config Commands

Configures the trustpoint assigned for validating a CMP auth Operator.

A certificate links identity information with a public key enclosed in the certificate. A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain the CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key. Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.

NOTE: Certificates/trustpoints used in this command should be verifiable as existing on the device.

NOTE: For information on configuring trustpoints on a device, see trustpoint (device-config-mode).

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>

Parameters
  trustpoint [cmp-auth-operator|https|radius-ca|radius-server] <TRUSTPOINT-NAME>

  trustpoint          Assigns an existing trustpoint to validate the CMP auth operator, client certificates, and the RADIUS server certificate
  cmp-auth-operator   Assigns an existing trustpoint to validate the CMP auth operator. Once validated, CMP is used to obtain and manage digital certificates in a PKI network. Digital certificates link identity information with a public key enclosed within the certificate, and are issued by the CA. Use this command to specify the CMP-assigned trustpoint. When specified, devices send a certificate request to the CMP-supported CA server, and download the certificate directly from the CA server. CMP supports multiple request options for a device communicating with a CMP-supported CA server. The device can initiate a request to get certificates from the server. It can also auto-update certificates that are about to expire.
  https               Assigns an existing trustpoint to validate HTTPS requests
  radius-ca           Assigns an existing trustpoint to validate client certificates in EAP
  radius-server       Assigns an existing trustpoint to validate the RADIUS server certificate
  <TRUSTPOINT-NAME>   The following keyword is common to all of the above parameters:
                      <TRUSTPOINT-NAME>  After selecting the service to validate, specify the trustpoint name (should be existing and stored on the device).

Example
  nx9500-6C8809(config-profile-testNX9500)#trustpoint cmp-auth-operator test
  nx9500-6C8809(config-profile-testNX9500)#show context
  profile nx9000 testNX9500
   no autoinstall configuration
   no autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   ...........................................................
   service pm sys-restart
   router bgp
   trustpoint cmp-auth-operator test
  nx9500-6C8809(config-profile-testNX9500)#
Related Commands
  no    Removes trustpoint-related configurations

7.1.75 tunnel-controller
Profile Config Commands

Configures the name of the tunneled WLAN (extended VLAN) wireless controller or service platform.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  tunnel-controller <NAME>

Parameters
  tunnel-controller <NAME>

  tunnel-controller <NAME>   Configures the name of the tunneled WLAN (extended VLAN) wireless controller or service platform
                             <NAME>  Specify the name.

Example
  rfs7000-37FABE(config-profile-default-rfs7000)#tunnel-controller testgroup

Related Commands
  no    Removes the configured name of the tunneled WLAN (extended VLAN) wireless controller or service platform

7.1.76 use
Profile Config Commands

Associates existing policies with this profile. This command is also applicable to the device configuration mode.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  Profiles Mode
  use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|dhcp-server-policy|dhcpv6-server-policy|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|management-policy|radius-server-policy|role-policy|routing-policy|web-filter-policy] <POLICY-NAME>
  use ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>

  Device Mode
  use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|enterprise-ui|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|license|management-policy|nsight-policy|profile|radius-server-policy|rf-domain|role-policy|routing-policy|rtl-server-policy|sensor-policy|web-filter-policy|wips-policy] <POLICY-NAME>

NOTE: The following tables contain the use command parameters for the Profile and Device configuration modes.

Parameters
  Profiles Mode
  use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|dhcp-server-policy|dhcpv6-server-policy|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|management-policy|radius-server-policy|role-policy|routing-policy|web-filter-policy] <POLICY-NAME>
  use auto-provisioning-policy <POLICY-NAME>
      Associates the specified policies with this profile. The specified policies should be existing and configured.
      auto-provisioning-policy    Associates an auto provisioning policy
      <POLICY-NAME>    Specify the auto provisioning policy name.
  bonjour-gw-forwarding-policy <POLICY-NAME>
      Uses an existing Bonjour GW Forwarding policy with a profile or device.
      <POLICY-NAME>    Specify the Bonjour GW Forwarding policy name (should be existing and configured).
      For more information on Bonjour GW Forwarding policy, see bonjour-gw-forwarding-policy.
  bonjour-gw-query-forwarding-policy <POLICY-NAME>
      Uses an existing Bonjour GW Query Forwarding policy with a profile or device.
      <POLICY-NAME>    Specify the Bonjour GW Query Forwarding policy name (should be existing and configured).
  captive-portal server <CAPTIVE-PORTAL>
      Configures access to a specified captive portal with this profile.
      <CAPTIVE-PORTAL>    Specify the captive portal name.
  client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
      Associates an existing client identity group with this profile.
      <CLIENT-IDENTITY-GROUP-NAME>    Specify the client identity group name.
      For more information on the client-identity and client-identity-group commands, see client-identity and client-identity-group.
  crypto-cmp-policy <POLICY-NAME>
      Associates an existing crypto certificate management protocol (CMP) policy with this profile.
      <POLICY-NAME>    Specify the CMP policy name.
      For more information on configuring a crypto CMP policy, see CRYPTO-CMP-POLICY.
  database-client-policy <POLICY-NAME>
      Associates an existing database client policy with a profile.
      <POLICY-NAME>    Specify the policy name (should be existing and configured).
      For more information on database client policy, see database-client-policy. Applicable only to the VX9000 model virtual machine platform.
  dhcp-server-policy <DHCP-POLICY>
      Associates a DHCP server policy.
      <DHCP-POLICY>    Specify the DHCP server policy name.
  dhcpv6-server-policy <DHCPv6-POLICY>
      Associates a DHCPv6 server policy.
      <DHCPv6-POLICY>    Specify the DHCPv6 server policy name.
  event-system-policy <EVENT-SYSTEM-POLICY>
      Associates an event system policy.
      <EVENT-SYSTEM-POLICY>    Specify the event system policy name.
  firewall-policy <FW-POLICY>
      Associates a firewall policy.
      <FW-POLICY>    Specify the firewall policy name.
  global-association-list server <GLOBAL-ASSOC-LIST-NAME>
      Associates the specified global association list with the controller profile.
      <GLOBAL-ASSOC-LIST-NAME>    Specify the global association list name. Once associated, the controller using this profile applies this association list to requests received from all adopted APs.
      For more information on global association list, see global-association-list.
  guest-management <GUEST-MANAGEMENT-POLICY-NAME>
      Associates the specified guest management policy with the controller profile.
      <GUEST-MANAGEMENT-POLICY-NAME>    Specify the guest management policy name (should be existing and configured).
  ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>
      Associates an IP and/or IPv6 ACL with this profile and applies it as a firewall for the selected traffic-shape class.
      <IP/IPv6-ACL-NAME>    Specify the IP/IPv6 ACL name (should be existing and configured).
      traffic-shape class <1-4>    Selects the traffic-shape class to which the above specified IP/IPv6 ACL is applied.
      <1-4>    Select the traffic-shape class from 1 - 4.
  management-policy <MNGT-POLICY>
      Associates a management policy.
      <MNGT-POLICY>    Specify the management policy name.
  radius-server-policy <RADIUS-POLICY>
      Associates a device onboard RADIUS policy.
      <RADIUS-POLICY>    Specify the RADIUS policy name.
  role-policy <ROLE-POLICY>
      Associates a role policy.
      <ROLE-POLICY>    Specify the role policy name.
  routing-policy <ROUTING-POLICY>
      Associates a routing policy.
      <ROUTING-POLICY>    Specify the routing policy name.
  web-filter-policy <POLICY-NAME>
      Associates an existing Web Filter policy with a profile or device.
      <POLICY-NAME>    Specify the policy name.

  Device Mode
  use [auto-provisioning-policy|bonjour-gw-forwarding-policy|bonjour-gw-query-forwarding-policy|captive-portal|client-identity-group|crypto-cmp-policy|database-client-policy|database-policy|dhcp-server-policy|dhcpv6-server-policy|enterprise-ui|event-system-policy|firewall-policy|global-association-list|guest-management|ip-access-list|ipv6-access-list|license|management-policy|nsight-policy|profile|radius-server-policy|rf-domain|role-policy|routing-policy|rtl-server-policy|sensor-policy|wips-policy|smart-rf-policy|web-filter-policy] <POLICY-NAME>

  use
      Associates the following policies with this device:
  auto-provisioning-policy <POLICY-NAME>
      Associates an auto provisioning policy.
      <POLICY-NAME>    Specify the auto provisioning policy name.
  bonjour-gw-forwarding-policy <POLICY-NAME>
      Uses an existing Bonjour GW Forwarding policy with a profile or device.
      <POLICY-NAME>    Specify the Bonjour GW Forwarding policy name (should be existing and configured).
      For more information on Bonjour GW Forwarding policy, see bonjour-gw-forwarding-policy.
  bonjour-gw-query-forwarding-policy <POLICY-NAME>
      Uses an existing Bonjour GW Query Forwarding policy with a profile or device.
      <POLICY-NAME>    Specify the Bonjour GW Query Forwarding policy name (should be existing and configured).
  captive-portal server <CAPTIVE-PORTAL>
      Configures access to a specified captive portal.
      <CAPTIVE-PORTAL>    Specify the captive portal name.
  client-identity-group <CLIENT-IDENTITY-GROUP-NAME>
      Associates an existing client identity group with this device.
      <CLIENT-IDENTITY-GROUP-NAME>    Specify the client identity group name.
      For more information on the client-identity and client-identity-group commands, see client-identity and client-identity-group.
  crypto-cmp-policy <POLICY-NAME>
      Associates an existing crypto certificate management protocol (CMP) policy.
      <POLICY-NAME>    Specify the CMP policy name.
      For more information on configuring a crypto CMP policy, see CRYPTO-CMP-POLICY.
  database-client-policy <POLICY-NAME>
      Associates an existing database client policy with a device.
      <POLICY-NAME>    Specify the policy name (should be existing and configured).
      For more information on database client policy, see database-client-policy. Applicable only to the NX95XX and VX9000 model service platforms.
  database-policy <DATABASE-POLICY-NAME>
      Associates an existing database policy with this device.
      <DATABASE-POLICY-NAME>    Specify the database policy name.
      Note: For more information on configuring a database policy, see database-policy.
  dhcp-server-policy <DHCP-POLICY>
      Associates a DHCP server policy.
      <DHCP-POLICY>    Specify the DHCP server policy name.
  dhcpv6-server-policy <DHCPv6-POLICY>
      Associates a DHCPv6 server policy.
      <DHCPv6-POLICY>    Specify the DHCPv6 server policy name.
  enterprise-ui
      Enables application of the site controller's Enterprise user interface (UI) on all management points (controllers and access points).
      For example, the site controller is an NX5500 and an AP7532 is adopted to it. To enable the access point to also use the Enterprise UI, execute the following in the AP7532's profile configuration mode: use > enterprise-ui
      On adoption and application of this profile, the AP7532 access point resets and reboots using the Enterprise UI. Once using the Enterprise UI, the AP is not reset on subsequent adoptions.
  event-system-policy <EVENT-SYSTEM-POLICY>
      Associates an event system policy.
      <EVENT-SYSTEM-POLICY>    Specify the event system policy name.
  firewall-policy <FW-POLICY>
      Associates a firewall policy.
      <FW-POLICY>    Specify the firewall policy name.
  global-association-list server <GLOBAL-ASSOC-LIST-NAME>
      Associates the specified global association list with the device (controller).
      <GLOBAL-ASSOC-LIST-NAME>    Specify the global association list name. Once associated, the controller applies this association list to requests received from all adopted APs.
      For more information on global association list, see global-association-list.
  guest-management <GUEST-MANAGEMENT-POLICY-NAME>
      Associates the specified guest management policy with this device.
      <GUEST-MANAGEMENT-POLICY-NAME>    Specify the guest management policy name (should be existing and configured).
  ip/ipv6-access-list <IP/IPv6-ACL-NAME> traffic-shape class <1-4>
      Associates an IP and/or IPv6 ACL with this device and applies it as a firewall for a selected traffic-shape class.
      <IP/IPv6-ACL-NAME>    Specify the IP/IPv6 ACL name (should be existing and configured).
      traffic-shape class <1-4>    Selects the traffic-shape class to which the above specified IP/IPv6 ACL is applied.
      <1-4>    Select the traffic-shape class from 1 - 4.
  license <WORD>
      Associates a Web filtering license with this device.
      <WORD>    Provide a 256 character maximum license string for the Web filtering feature. Web filtering is used to restrict access to specific resources on the Internet.
  management-policy <MNGT-POLICY>
      Associates a management policy.
      <MNGT-POLICY>    Specify the management policy name.
  nsight-policy <NSIGHT-POLICY-NAME>
      Associates a specified NSight policy with this device.
      <NSIGHT-POLICY-NAME>    Specify the NSight policy name (should be existing and configured).
      Note: Use this command to associate an NSight policy to a controller to enable it to function as the NSight server. For more information, see nsight-policy.
  profile <PROFILE-NAME>
      Associates a profile with this device.
      <PROFILE-NAME>    Specify the profile name.
  radius-server-policy <RADIUS-POLICY>
      Associates a device onboard RADIUS policy.
      <RADIUS-POLICY>    Specify the RADIUS policy name.
  rf-domain <RF-DOMAIN-NAME>
      Associates an RF Domain.
      <RF-DOMAIN-NAME>    Specify the RF Domain name.
  role-policy <ROLE-POLICY>
      Associates a role policy.
      <ROLE-POLICY>    Specify the role policy name.
  routing-policy <ROUTING-POLICY>
      Associates a routing policy.
      <ROUTING-POLICY>    Specify the routing policy name.
  rtl-server-policy <POLICY-NAME>
      Associates a Real Time Locationing (RTL) server policy with an access point. When associated, enables the access point to directly send RSSI feeds to the third-party Euclid RTL server.
      <POLICY-NAME>    Specify the RTL server policy name (should be existing and configured).
  sensor-policy <POLICY-NAME>
      Associates a sensor policy with an access point or controller. When associated, WiNG controllers and access points function as sensors.
      <POLICY-NAME>    Specify the sensor policy name (should be existing and configured).
  wips-policy <WIPS-POLICY>
      Associates a WIPS policy.
      <WIPS-POLICY>    Specify the WIPS policy name.
  web-filter-policy <POLICY-NAME>
      Associates an existing Web Filter policy with a profile or device.
      <POLICY-NAME>    Specify the policy name.

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#use event-system-policy TestEventSysPolicy
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   mint link ip 1.2.3.4
   mint level 1 area-id 88
  .....................................................
   interface ge3
    ip dhcp trust
    qos trust dscp
    qos trust 802.1p
   interface ge4
    ip dhcp trust
    qos trust dscp
    qos trust 802.1p
   interface pppoe1
   use event-system-policy TestEventSysPolicy
   use firewall-policy default
   ntp server 172.16.10.10 prefer version 1
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000)#

Related Commands
  no    Disassociates a specified policy from this profile

7.1.77 vrrp
Profile Config Commands

Configures VRRP group settings.

A default gateway is a critical resource for connectivity. However, it is prone to a single point of failure, so redundancy for the default gateway is required. If WAN backhaul is available and a router failure occurs, the controller should act as a router and forward traffic on to its WAN link. Define an external VRRP configuration when router redundancy is required in a network requiring high availability.

Central to VRRP configuration is the election of a VRRP master. A VRRP master (once elected) performs the following functions:
  - Responds to ARP requests
  - Forwards packets with a destination link layer MAC address equal to the virtual router's MAC address
  - Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP address owner
  - Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address owner or accept mode is true

The nodes that lose the election process enter a backup state. In the backup state they monitor the master for any failures, and in case of a failure one of the backups, in turn, becomes the master and assumes the management of the designated virtual IPs. A backup does not respond to an ARP request, and discards packets destined for a virtual IP resource.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  vrrp [<1-255>|version]
  vrrp <1-255> [delta-priority|description|interface|ip|monitor|preempt|priority|sync-group|timers]
  vrrp <1-255> [delta-priority <1-253>|description <LINE>|ip <IP> {<IP>}|preempt {delay <1-65535>}|priority <1-254>|sync-group]
  vrrp <1-255> interface vlan <1-4094>
  vrrp <1-255> monitor [<IF-NAME>|critical-resource|pppoe1|vlan|wwan1]
  vrrp <1-255> monitor [<IF-NAME>|pppoe1|vlan <1-4094>|wwan1] {(<IF-NAME>|critical-resource|pppoe1|vlan|wwan1)}
  vrrp <1-255> monitor critical-resource <CRM-NAME1> <CRM-NAME2> <CRM-NAME3> <CRM-NAME4> (action [decrement-priority|increment-priority] {<IF-NAME>|pppoe1|vlan|wwan1})
  vrrp <1-255> timers advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]
  vrrp version [2|3]
Parameters
  vrrp <1-255> [delta-priority <1-253>|description <LINE>|ip <IP> {<IP>}|preempt {delay <1-65535>}|priority <1-254>|sync-group]

  vrrp <1-255>
      Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
  delta-priority <1-253>
      Configures the priority to decrement (local link monitoring and critical resource monitoring) or increment (critical resource monitoring). When the monitored interface is down, the configured priority decrements by the value defined by the delta-priority option. When monitoring critical resources, the value increments by the delta-priority option.
      <1-253>    Specify the delta priority level from 1 - 253.
  description <LINE>
      Configures a text description for the virtual router to further distinguish it from other routers with similar configuration.
      <LINE>    Provide a description (a string from 1 - 64 characters in length).
  ip <IP-ADDRESSES>
      Identifies the IP address(es) backed by the virtual router. These are IP addresses of Ethernet switches, routers, and security appliances defined as virtual router resources.
      <IP-ADDRESSES>    Specify the IP address(es) in the A.B.C.D format. This configuration triggers VRRP operation.
  preempt {delay <1-65535>}
      Controls whether a high priority backup router preempts a lower priority master. This field determines if a node with higher priority can take over all virtual IPs from a node with lower priority. This feature is disabled by default.
      delay <1-65535>    Optional. Configures the pre-emption delay timer from 1 - 65535 seconds (default is 0 seconds). This option can be used to delay sending out the master advertisement or, in case of a monitored link coming up, to delay adjusting the VRRP priority by the priority delta.
  priority <1-254>
      Configures the priority level of the router within a VRRP group. This value determines which node is elected as the master. Higher values imply higher priority; the value 254 has the highest precedence (default is 100).
  sync-group
      Adds this VRRP group to a synchronized group. To trigger VRRP failover, it is essential that all individual groups within a synchronized group fail over. VRRP failover is triggered if an advertisement is not received from the virtual masters that are part of this VRRP sync group. This feature is disabled by default.

  vrrp <1-255> interface vlan <1-4094>

  vrrp <1-255>
      Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
  interface vlan <1-4094>
      Enables VRRP on the specified switch VLAN interface (SVI).
      vlan <1-4094>    Specify the VLAN interface ID from 1 - 4094.

  vrrp <1-255> monitor critical-resource <CRM-NAME1> <CRM-NAME2> <CRM-NAME3> <CRM-NAME4> (action [decrement-priority|increment-priority] {<IF-NAME>|pppoe1|vlan|wwan1})

  vrrp <1-255>
      Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
  monitor
      Enables link monitoring or Critical Resource Monitoring (CRM).
  critical-resource <CRM-NAME1>
      Specifies the name of the critical resource to monitor. VRRP can be configured to monitor a maximum of four critical resources. Use <CRM-NAME2>, <CRM-NAME3>, and <CRM-NAME4> to provide the names of the remaining three critical resources. By default VRRP is configured to monitor all critical resources on the device.
  action [decrement-priority|increment-priority]
      Sets the action on a critical resource down event. It is a recursive parameter that sets the action for each of the four critical resources being monitored.
      decrement-priority    Decrements the priority of the virtual router on a critical resource down event
      increment-priority    Increments the priority of the virtual router on a critical resource down event
  <IF-NAME>
      Optional. Enables interface monitoring.
      <IF-NAME>    Specify the interface name to monitor.
  pppoe1
      Optional. Enables Point-to-Point Protocol (PPP) over Ethernet interface monitoring.
  vlan <1-4094>
      Optional. Enables VLAN (switched virtual interface) interface monitoring.
      <1-4094>    Specify the VLAN interface ID from 1 - 4094.
  wwan1
      Optional. Enables Wireless WAN interface monitoring.

  vrrp <1-255> timers advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]

  vrrp <1-255>
      Configures the virtual router ID from 1 - 255. Identifies the virtual router the packet is reporting status for.
  timers
      Configures the timer that runs every interval.
  advertise [<1-255>|centiseconds <25-4095>|msec <250-999>]
      Configures the VRRP advertisement time interval. This is the interval at which a master sends out advertisements on each of its configured VLANs.
      <1-255>    Configures the timer interval from 1 - 255 seconds (applicable for VRRP version 2 only).
      centiseconds <25-4095>    Configures the timer interval in centiseconds (1/100th of a second). Specify a value between 25 - 4095 centiseconds (applicable for VRRP version 3 only).
      msec <250-999>    Configures the timer interval in milliseconds (1/1000th of a second). Specify a value between 250 - 999 msec (applicable for VRRP version 2 only).
      The default is 1 second.

  vrrp version [2|3]

  vrrp version [2|3]
      Configures one of the following VRRP versions:
      2    VRRP version 2 (RFC 3768). This is the default setting.
      3    VRRP version 3 (RFC 5798, IPv4 only)
      The VRRP version determines the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and supports services over the virtual IP.

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#vrrp version 3
  rfs6000-37FABE(config-profile-default-rfs6000)#vrrp 1 sync-group
  rfs6000-37FABE(config-profile-default-rfs6000)#vrrp 1 delta-priority 100
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   bridge vlan 1
  ......................................................
   vrrp 1 timers advertise 1
   vrrp 1 preempt
   vrrp 1 sync-group
   vrrp 1 delta-priority 100
   vrrp version 3
  rfs6000-37FABE(config-profile-default-rfs7000)#
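The parameter table above leaves the interaction of priority, delta-priority and preempt implicit. The following Python model, added here as an illustration and not part of the reference guide or of WiNG itself, walks a two-router VRRP group through a monitored-link failure on the master and shows why a backup with preempt disabled keeps the master role after the original master recovers. It also checks advertisement intervals against the per-version ranges from the timers advertise table. Router names, addresses and link states are constructed; the way the delta is applied per down link or per down critical resource is an assumption, since the guide only says the priority "decrements by a value defined by the delta-priority option".

```python
"""Model of the 'vrrp' profile rules: priority range, delta-priority adjustment
for monitored links and critical resources, the preempt flag and the per-version
advertisement timer ranges.  Added illustration, not WiNG code; router names,
addresses and link states are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PRIORITY_MIN, PRIORITY_MAX = 1, 254     # priority <1-254>
DEFAULT_PRIORITY = 100                  # guide: "default is 100"

# 'timers advertise' ranges keyed by (vrrp version, unit)
ADVERTISE_RANGES = {
    (2, "seconds"): (1, 255),           # <1-255>, version 2 only
    (2, "msec"): (250, 999),            # msec <250-999>, version 2 only
    (3, "centiseconds"): (25, 4095),    # centiseconds <25-4095>, version 3 only
}


def validate_advertise(version: int, unit: str, value: int) -> bool:
    """True when the advertisement interval is legal for the VRRP version."""
    rng = ADVERTISE_RANGES.get((version, unit))
    return rng is not None and rng[0] <= value <= rng[1]


@dataclass
class VrrpRouter:
    name: str
    ip: str                             # only used as the election tie-breaker
    priority: int = DEFAULT_PRIORITY
    delta_priority: int = 0             # 0 = no delta configured
    preempt: bool = False               # guide: preempt is disabled by default
    links_up: Dict[str, bool] = field(default_factory=dict)
    crm_up: Dict[str, bool] = field(default_factory=dict)
    # critical resource -> "decrement-priority" | "increment-priority"
    crm_actions: Dict[str, str] = field(default_factory=dict)

    def effective_priority(self) -> int:
        """Base priority adjusted by delta-priority, clamped to 1-254.
        Assumption: the delta is applied once when any monitored link is down
        and once per critical resource that is down."""
        p = self.priority
        if self.links_up and not all(self.links_up.values()):
            p -= self.delta_priority
        for resource, action in self.crm_actions.items():
            if not self.crm_up.get(resource, True):
                p += self.delta_priority if action == "increment-priority" else -self.delta_priority
        return max(PRIORITY_MIN, min(PRIORITY_MAX, p))


def _ip_key(ip: str) -> Tuple[int, ...]:
    return tuple(int(octet) for octet in ip.split("."))


def elect(routers: List[VrrpRouter], current_master: Optional[str] = None) -> str:
    """Name of the master after one election round.
    The highest effective priority wins an open election (ties go to the higher
    IP).  A sitting master keeps the role unless the best backup has a strictly
    higher effective priority and preempt enabled."""
    best = max(routers, key=lambda r: (r.effective_priority(), _ip_key(r.ip)))
    alive = {r.name: r for r in routers}
    if current_master in alive and best.name != current_master:
        master = alive[current_master]
        if best.preempt and best.effective_priority() > master.effective_priority():
            return best.name
        return current_master
    return best.name


def demo() -> Tuple[str, str, str]:
    """Link failure on the master, then recovery, with preempt only on the backup."""
    a = VrrpRouter("rfs-a", "10.0.0.2", priority=150, delta_priority=100,
                   links_up={"vlan100": True})             # preempt off
    b = VrrpRouter("rfs-b", "10.0.0.3", priority=120, preempt=True)
    first = elect([a, b])                          # rfs-a: 150 > 120
    a.links_up["vlan100"] = False                  # rfs-a falls to 150 - 100 = 50
    second = elect([a, b], current_master=first)   # rfs-b preempts: 120 > 50
    a.links_up["vlan100"] = True                   # rfs-a back at 150, no preempt
    third = elect([a, b], current_master=second)   # rfs-b stays master
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

The third election is the point to notice when planning a deployment: because rfs-a has no preempt, the group does not fail back after the link recovers, so the higher-priority router stays in backup until rfs-b itself fails or stops advertising. Enable preempt (with a delay, per the preempt {delay} parameter) on the router that should reclaim the role.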
Related Commands
  no    Reverts VRRP settings

7.1.78 vrrp-state-check
Profile Config Commands

Publishes an interface via OSPF or BGP based on Virtual Router Redundancy Protocol (VRRP) status.

VRRP allows automatic assignment of available IP routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selection on an IP subnetwork. This option is enabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  vrrp-state-check

Parameters
  None

Example
  nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#vrrp-state-check
  nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
  nx9000 B4-C7-99-6C-88-09
   use profile default-nx9000
   use rf-domain default
  .......................................................................
   no weight
   no timers bgp
   ip default-gateway priority 7500
   bgp-route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 360
   vrrp-state-check
   controller adopted-devices controllers
   alias string $SN B4C7996C8809
  nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

Related Commands
  no    Disables the publishing of an interface via OSPF/BGP based on VRRP status

7.1.79 virtual-controller
Profile Config Commands

Enables an access point as a virtual controller (VC) or a dynamic virtual controller (DVC).

When configured without the auto option, this command manually enables an AP as a VC. The auto option allows dynamic enabling of APs as VCs. When DVC is enabled in an AP's device or profile context, the AP is dynamically enabled as the VC on being elected as the RF-Domain manager.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

NOTE: The DVC feature is supported only on the AP7522, AP7532, AP7562, AP8432, and AP8533 model access points.

Syntax
  virtual-controller {auto|management-interface}
  virtual-controller auto
  virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}

Parameters
  virtual-controller auto

  virtual-controller
      Enables an AP as a virtual controller.
  auto
      Enables the AP as a DVC. When enabled, the AP, on being elected as the RF Domain manager, takes on the role of the virtual controller. In an RF-Domain, DVC can be enabled on multiple access points. However, only the current RF-Domain manager AP has a running instance of the DVC. This option is applicable only if enabling DVC.
      Note: MLCP discovery does not function on APs enabled as VCs or DVCs. Do an explicit mint link vlan X in the AP's device/profile context, or control-vlan X in the AP's RF-Domain context, to establish MiNT links between the VC and its adopted APs.

  virtual-controller {management-interface [ip address <IP/M>|vlan <1-4094>]}

  virtual-controller
      Enables an AP as a virtual controller. If enabling DVC, use this option to configure management interface details.
  management-interface
      Configures the management interface for the DVC. Configuring the management interface ensures failover in case the RF Domain manager is unreachable.
      ip address <IP/M>    Specify the management interface IP address. Due to the random nature of DVC election, specifying an explicit management interface IP address makes it easier to manage VCs. In case of failover, this IP address is installed as the secondary IP address on the new VC.
      vlan <1-4094>    Optional. Specifies the VLAN from 1 - 4094 on which the management interface IP address is configured.
      Note: For DVC, configuring management-interface ip address is mandatory. However, VLAN configuration is optional. If you configure the ip address without specifying the VLAN, the system configures the specified ip address as the secondary ip on VLAN 1.

Example
  ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller auto
  ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface ip address 110.110.110.120/24
  ap8533-9A1529(config-device-74-67-F7-9A-15-29)#virtual-controller management-interface vlan 100
  ap8533-9A1529(config-device-74-67-F7-9A-15-29)#show context | include virtual-controller
   virtual-controller auto
   virtual-controller management-interface ip address 110.110.110.120/24
   virtual-controller management-interface vlan 100
  ap8533-9A1529(config-device-74-67-F7-9A-15-29)#

The following example shows the management interface VLAN IP address being configured as the secondary IP address.

  ap8533-9A1529(config-device-74-67-F7-9A-15-29)#show ip interface brief
  -------------------------------------------------------------------------------
  INTERFACE    IP-ADDRESS/MASK        TYPE        STATUS    PROTOCOL
  -------------------------------------------------------------------------------
  vlan1        10.1.1.11/24           primary     UP        up
  vlan100      110.110.110.110/24     primary     UP        up
  vlan100      110.110.110.120/24     secondary   UP        up
  -------------------------------------------------------------------------------
7.1.80 wep-shared-key-auth
Profile Config Commands

Enables support for 802.11 WEP shared key authentication.

When enabled, devices using this profile use a WEP key to access the network. The controller or service platform uses the key algorithm to convert an ASCII string to the same hexadecimal number. Clients without the recommended adapters need to use WEP keys manually configured as hexadecimal numbers. This option is disabled by default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  wep-shared-key-auth

Parameters
  None

Example
  rfs6000-37FABE(config-profile-default-rfs6000)#wep-shared-key-auth
  rfs6000-37FABE(config-profile-default-rfs6000)#show context
  profile rfs6000 default-rfs6000
   bridge vlan 1
    bridging-mode isolated-tunnel
    ip igmp snooping
    ip igmp snooping querier
   wep-shared-key-auth
   autoinstall configuration
   autoinstall firmware
   crypto ikev1 policy ikev1-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ikev2 policy ikev2-default
    isakmp-proposal default encryption aes-256 group 2 hash sha
   crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
   crypto ikev1 remote-vpn
   crypto ikev2 remote-vpn
   crypto auto-ipsec-secure
   interface me1
   interface ge1
    ip dhcp trust
    qos trust dscp
    qos trust 802.1p
   interface ge2
    ip dhcp trust
  --More--
  rfs6000-37FABE(config-profile-default-rfs6000)#
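Two things in the sections above are worth checking mechanically on a saved configuration: the use command (7.1.76) requires that each referenced policy "should be existing and configured", and wep-shared-key-auth (7.1.80) is a legacy setting that is off by default and should normally stay off. The following Python audit, added here as an illustration and not part of the reference guide or of WiNG itself, reads a show context style dump, indexes the top-level policy definitions, and reports every use line inside a profile whose target is not defined plus every profile that enables wep-shared-key-auth. The sample configuration is constructed for the demo, and it assumes the convention that child lines are indented by one space and that a policy is defined by a top-level line with the same keyword the use command takes.

```python
"""Audit a WiNG-style running configuration for dangling 'use' references and
the legacy wep-shared-key-auth setting.  Added illustration, not WiNG code.
SAMPLE_CONFIG is constructed; the one-space child indentation and the
"defining keyword == use keyword" convention are assumptions."""
import re
from typing import Dict, List, Set, Tuple

# 'use' keywords whose targets this audit resolves against top-level blocks
REFERENCEABLE: Set[str] = {
    "firewall-policy", "event-system-policy", "management-policy",
    "radius-server-policy", "captive-portal", "role-policy",
    "routing-policy", "wips-policy",
}

# Constructed sample: one policy reference is missing, one profile enables WEP.
SAMPLE_CONFIG = """\
firewall-policy default
 ip dos smurf
event-system-policy TestEventSysPolicy
 email
profile rfs6000 default-rfs6000
 use event-system-policy TestEventSysPolicy
 use firewall-policy default
 use management-policy no-such-mgmt
 wep-shared-key-auth
 ntp server 172.16.10.10 prefer version 1
profile ap7532 default-ap7532
 use firewall-policy default
"""

Finding = Tuple[str, str, str]   # (profile, kind, detail)


def index_definitions(text: str) -> Dict[str, Set[str]]:
    """Map each referenceable policy type to the names defined at top level."""
    defined: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if line.startswith(" "):           # indented lines belong to a block
            continue
        parts = line.split()
        if len(parts) >= 2 and parts[0] in REFERENCEABLE:
            defined.setdefault(parts[0], set()).add(parts[1])
    return defined


def audit(text: str) -> List[Finding]:
    """Return findings for every profile block in the configuration."""
    defined = index_definitions(text)
    findings: List[Finding] = []
    profile = None                          # name of the profile being walked
    for line in text.splitlines():
        if not line.startswith(" "):        # top-level line: enter/leave a block
            parts = line.split()
            profile = " ".join(parts[1:]) if parts and parts[0] == "profile" else None
            continue
        if profile is None:
            continue
        cmd = line.strip()
        m = re.match(r"use (\S+) (\S+)$", cmd)
        if m:
            ptype, pname = m.groups()
            if ptype in REFERENCEABLE and pname not in defined.get(ptype, set()):
                findings.append((profile, "dangling-reference", f"{ptype} {pname}"))
        elif cmd == "wep-shared-key-auth":
            findings.append((profile, "weak-setting", cmd))
    return findings


if __name__ == "__main__":
    for profile, kind, detail in audit(SAMPLE_CONFIG):
        print(f"{profile}: {kind}: {detail}")
```

Running it on the sample reports the management-policy that no block defines and the profile that turns WEP shared-key authentication on; a real run would take the output of show running-config instead of the embedded string.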
Related Commands
  no    Disables support for 802.11 WEP shared key authentication

7.1.81 service
Profile Config Commands

Service commands are used to view and manage configurations. The service commands and their corresponding parameters vary from mode to mode.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  service [captive-portal-server|cluster|critical-resource|fast-switching|enable|global-association-list|lldp|memory|meshpoint|pm|power-config|radius|remote-config|rss-timeout|watchdog|wireless|show]
  service captive-portal-server connections-per-ip <3-64>
  service cluster master-election immediate
  service critical-resource port-mode-source-ip <IP>
  service enable [l2tpv3|pppoe|radiusd]
  service global-association-list blacklist-interval <1-65535>
  service lldp loop-detection
  service memory kernel decrease
  service meshpoint loop-prevention-port [<L2-INTERFACE-NAME>|ge <1-5>|port-channel <1-2>|up1]
  service pm sys-restart
  service power-config [3af-out|force-3at]
  service radius dynamic-authorization additional-port <1-65535>
  service remote-config apply-delay <0-600>
  service rss-timeout <0-86400>
  service watchdog
  service wireless [anqp-frag-always|anqp-frag-size|ap650|client|cred-cache-sync|inter-ap-key|noise-immunity|reconfig-on-tx-stall|test|wispe-controller-port]
  service wireless anqp-frag-always
  service wireless anqp-frag-size <100-1500>
  service wireless ap650 legacy-auto-update-image <FILE>
  service wireless client tx-deauth on-radar-detect
  service wireless cred-cache-sync [full|interval <30-864000>|never|partial]
  service wireless test [max-rate|max-retries|min-rate]
  service wireless test [max-rate|min-rate] [1,2,5.5,6,11,12,18,24,36,48,54,mcs0, mcs1,............mcs23]
  service wireless inter-ap-key [0 <WORD>|2 <WORD>|<WORD>]
  service wireless noise-immunity
  service wireless reconfig-on-rx-stall
  service wireless test max-retries <0-15>
  service wireless wispe-controller-port <1-65535>
  service show cli

Parameters
  service captive-portal-server connections-per-ip <3-64>

  captive-portal-server connections-per-ip <3-64>
      Configures the maximum number of simultaneous captive portal connections allowed per IP address.
      <3-64>    Specify the maximum number of connections per IP address from 3 - 64. The default is 3.
      Note: This command is applicable only to the NX9XXX and NX9600 service platform profiles.

  service cluster master-election immediate

  cluster master-election immediate
      Initiates and completes cluster master election as soon as just one cluster member comes on and is active. This option is disabled by default.

  service critical-resource port-mode-source-ip <IP>

  critical-resource port-mode-source-ip <IP>
      Hard codes a source IP for critical resource management. The default is 0.0.0.0.
      Use this option to define the IP address used as the source address in the ARP packets used to detect a critical resource on a layer 2 interface. By default, the source address used in ARP packets to detect critical resources is 0.0.0.0. However, some devices do not support that address and drop the ARP packets. Use this field to provide an IP address specifically used for this purpose. The IP address used for port-mode-source-ip monitoring must be different from the IP address configured on the device.

  service enable [l2tpv3|pppoe|radiusd]

  service enable l2tpv3
      Enables L2TPv3 on this profile. The L2TPv3 enable/disable option is not supported on AP6522, AP6532, AP6562, AP7161, AP81XX, AP8232, AP8432, AP8533, RFS4000, RFS6000, and NX95XX model devices. It is supported only on AP6521.
  service enable pppoe
      Enables PPPoE features. When executed on a device, enables PPPoE on the logged-in device. When executed on a profile, enables PPPoE on all devices using that profile.
  service enable radiusd
      Enables RADIUSD features. When executed on a device, enables RADIUSD on the logged-in device. When executed on a profile, enables RADIUSD on all devices using that profile.

  service global-association-list blacklist-interval <1-65535>

  service global-association-list
      Configures global association list related parameters.
  blacklist-interval <1-65535>
      Configures the period for which a client is blacklisted. A client is considered blacklisted after being denied access by the server.
      <1-65535>    Specify a value from 1 - 65535 seconds. The default is 60 seconds.

  service lldp loop-detection

  lldp loop-detection
      Enables network loop detection via LLDP. This option is disabled by default.

  service memory kernel decrease

  service memory kernel decrease
      Enables reduction in kernel memory usage. When enabled, firewall flows are reduced by 75%, resulting in reduced kernel memory usage. A reboot is required for the option to take effect. This option is disabled by default.

  service meshpoint loop-prevention-port [<L2-INTERFACE-NAME>|ge <1-4>|port-channel <1-2>]

  meshpoint loop-prevention-port
      Limits meshpoint loop prevention to a single port.
  <L2-INTERFACE-NAME>
      Limits meshpoint loop prevention to a specified Ethernet interface.
      <L2-INTERFACE-NAME>    Specify the layer 2 Ethernet interface name.
  ge <1-4>
      Limits meshpoint loop prevention to a specified GigabitEthernet interface.
      ge <1-4>    Specify the GigabitEthernet interface index from 1 - 4.
  port-channel <1-2>
      Limits meshpoint loop prevention to a specified port-channel interface.
      port-channel <1-2>    Specify the port-channel interface index from 1 - 2.

  service pm sys-restart

  pm sys-restart
      Enables the process monitor (PM) to restart the system when a process fails. This option is enabled by default.

  service power-config [3af-out|force-3at]
<L2-INTERFACE-NAME> Specify the layer 2 Ethernet interface name. Limits meshpoint loop prevention on a specified GigabitEthernet interface ge <1-4> Specify the GigabitEthernet interface index from 1 - 4. Limits meshpoint loop prevention on a specified port-channel interface port-channel <1-2> Specify the port-channel interface index from 1 - 2. service pm sys-restart pm sys-restart Enables the process monitor (PM) to restart the system when a process fails. This option is enabled by default. service power-config [3af-out|force-3at]
power-config 3af-out Enables LLDP power negotiation, but uses 3af power. This option is disabled by default. power-config force-3at Disables LLDP negotiation and forces 802.3at power configuration. This option is disabled by default. service radius dynamic-authorization additional-port <1-65535>
radius dynamic-authorization additional-port
<1-65535>
Configures an additional UDP port used by the device to listen for dynamic authorization messages
<1-65535> Specify a value from 1 - 65535. The default is 3799. The Cisco Identity Services Engine (ISE) server uses port 1700. service remote-config apply-delay <0-600>
remote-config apply-
delay <0-600>
Delays configuration of a remote device (after it becomes active) by the specified time period
<0-600> Specify a value from 0 - 600 seconds. The default is 0 seconds. service rss-timeout <0-86400>
rss-timeout
<0-86400>
Configures the duration, in seconds, for which an adopted access point will continue to provide wireless functions even after loosing controller adoption.
<0-86400> Specify a value from 0 - 86400 seconds. The default is 300 seconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 453 PROFILES service watchdog watchdog Enables the watchdog. This feature is enabled by default. Enabling the watchdog option implements heartbeat messages to ensure other associated devices are up and running and capable of effectively inter-operating with the controller. service wireless anqp-frag-always wireless anqp-frag-
always Enables fragmentation of all ANQP packets. This option is disabled by default. service wireless anqp-frag-size <100-1500>
wireless anqp-frag-size
<100-1500>
Configures the ANQP packet fragment size
<100-1500> Specify a value from 100 - 1500. The default is 1200. service wireless client tx-deauth on-radar-detection wireless client tx-deauth on-radar-
detection Configures wireless client and stations related settings Enables access points to transmit deauth to clients when changing channels on radar detection. This option is enabled by default. service wireless cred-cache-sync [full|interval <30-864000>|never|partial]
wireless cred-cache-sync full interval <30-864000>
Configures the credential caches synchronization parameters. The parameters are:
full, interval, never, and partial. Enables synchronization of all credential cache entries Sets the interval, in seconds, at which the credential cache is synchronized
<30-864000> Specify a value from 30 - 864000 seconds. The default is 1200 seconds. never partial Disables credential cache entry synchronization for all associated clients other than roaming clients. This is the default setting. Enables partial synchronization of parameters for associated clients, with credential cache close to aging out service wireless inter-ap-key [0 <WORD>|2 <WORD>|<WORD>]
wireless inter-ap-key
[0<WORD>|
2<WORD>|<WORD>]
Configure encryption key used for securing inter-ap messages. This option is disabled by default. Specify a clear text or encrypted key. service wireless noise-immunity wireless noise-immunity Polls for status and reconfigures radio in case of receive stall. This option is enabled by default. service wireless reconfig-on-rx-stall wireless reconfig-on-rx-stall Enables noise immunity on the radio Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 454 PROFILES service wireless test [max-rate|min-rate] [1,2,5.5,6,11,12,18,24,36,48, 54,mcs0,mcs1,............mcs23]
wireless test
[max-rate|min-rate]
[1,2,5.5,....mcs23]
Configures the serviceability parameters used for testing Configures the maximum and minimum data rates for clients using rate-scaling. The max-rate and min-rate options are disabled by default. Select the maximum and minimum data rates applicable. service wireless test max-retries <0-15>
wireless test max-retries <0-15>
Configures the serviceability parameters used for testing Configures the maximum number of retries per packet from 0 - 15. The default is 0. service wireless wispe-controller-port <1-65535>
wispe-controller-port
<1-65535>
Resets the WIreless Switch Protocol Enhanced (WISPe) controller port. This is the UDP port used to listen for WISPe.
<1-65535> Specify a value from 1 - 65535. The default is 24756. service show cli show cli Displays running system configuration details cli Displays the CLI tree of the current mode Example rfs6000-37FABE(config-profile-testrfs6000)#service radius dynamic-authorization additional-port 1700 rfs6000-37FABE(config-profile-testrfs6000)#show context profile rfs6000 testrfs6000 service radius dynamic-authorization additional-port 1700 no autoinstall configuration no autoinstall firmware crypto ikev1 policy ikev1-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ikev2 policy ikev2-default isakmp-proposal default encryption aes-256 group 2 hash sha crypto ipsec transform-set default esp-aes-256 esp-sha-hmac crypto ikev1 remote-vpn crypto ikev2 remote-vpn
--More--
rfs6000-37FABE(config-profile-testrfs6000)#
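The port set with service radius dynamic-authorization additional-port (3799 by default, 1700 for ISE) receives RFC 5176 Disconnect-Request and CoA-Request datagrams, and the only thing keeping a reachable listener from acting on a forged request is the Request Authenticator computed over the packet with the shared secret. The following added Python example (not from this guide or from Extreme Networks) builds such a request and shows the listener-side check; the shared secret, identifier and attribute values are constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# RFC 5176 packet codes a dynamic-authorization listener may act on
DISCONNECT_REQUEST = 40
COA_REQUEST = 43
RADIUS_HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)

# Constructed values for the demonstration (not from the guide)
SHARED_SECRET = b"constructed-shared-secret"
ATTRS = [(1, b"alice"), (44, b"0000A1B2")]  # User-Name, Acct-Session-Id


def encode_attrs(attrs):
    """Encode (type, value) pairs as RADIUS TLVs: type(1), length(2+len), value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def request_authenticator(code, ident, attrs, secret):
    """RFC 5176 section 2.3: MD5(Code + Identifier + Length + 16 zero octets + attributes + secret)."""
    length = RADIUS_HEADER_LEN + len(attrs)
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()


def build_request(code, ident, attrs, secret):
    """Sender (RADIUS server / ISE) side: assemble a Disconnect-Request or CoA-Request datagram."""
    body = encode_attrs(attrs)
    auth = request_authenticator(code, ident, body, secret)
    return struct.pack("!BBH", code, ident, RADIUS_HEADER_LEN + len(body)) + auth + body


def verify_request(packet, secret):
    """Listener side. Returns (accepted, code, identifier).

    Rejects truncated datagrams, a Length field that disagrees with the datagram,
    codes other than Disconnect-Request / CoA-Request, and any authenticator that
    does not verify under the shared secret (wrong secret or altered attributes)."""
    if len(packet) < RADIUS_HEADER_LEN:
        return False, None, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code not in (DISCONNECT_REQUEST, COA_REQUEST):
        return False, code, ident
    expected = request_authenticator(code, ident, packet[RADIUS_HEADER_LEN:], secret)
    # constant-time compare so timing does not leak how many bytes matched
    return hmac.compare_digest(expected, packet[4:RADIUS_HEADER_LEN]), code, ident


def demo():
    """Returns (genuine accepted, wrong secret rejected, tampered attributes rejected)."""
    pkt = build_request(DISCONNECT_REQUEST, 7, ATTRS, SHARED_SECRET)
    genuine, _, _ = verify_request(pkt, SHARED_SECRET)
    wrong_secret, _, _ = verify_request(pkt, b"not-the-secret")
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 0x01])  # flip one attribute byte after signing
    altered, _, _ = verify_request(tampered, SHARED_SECRET)
    return genuine, not wrong_secret, not altered


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

The same check applies whichever port the device listens on; moving the listener to 1700 for ISE changes nothing about who can reach it, so the shared secret and any firewall rule in front of the port remain the controls.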
Related Commands

  no    Removes or resets service command parameters

7.1.82 zone

Profile Config Commands

Configures the zone for devices using this profile. The zone can also be configured in the device's self context.

Supported in the following platforms:

  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

  zone <NAME>

Parameters

  zone <NAME>
      Configures the device's zone/area.
      <NAME>  Specify the zone/area name.

Example

nx9500-6C8809(config-profile-testNX9000)#zone Ecospace
nx9500-6C8809(config-profile-testNX9000)#show context include-factory | include zone
zone Ecospace
nx9500-6C8809(config-profile-testNX9000)#

Related Commands

  no    Removes the zone configured on this profile or device

7.2 Device Config Commands

Use the (config) instance to configure device-specific parameters. To navigate to this instance, use the following commands:
<DEVICE>(config)#<DEVICE-TYPE> <MAC>
<DEVICE>(config-device-<MAC>)#?
Device Mode commands:
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning policy when adopted by another controller
  adoption                                 Adoption configuration
  adoption-mode                            Configure the adoption mode for the access-points in this RF-Domain
  adoption-site                            Set system's adoption site
  alias                                    Alias
  application-policy                       Application Policy configuration
  area                                     Set name of area where the system is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bridge                                   Ethernet bridge
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  channel-list                             Configure channel list to be advertised to wireless clients
  cluster                                  Cluster configuration
  configuration-persistence                Enable persistence of configuration across reloads (startup config file)
  contact                                  Configure the contact
  controller                               WLAN controller configuration
  country-code                             Configure the country of operation
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  database                                 Database command
  device-upgrade                           Device firmware upgrade
  device-onboard                           Device-onboarding configuration
  dot1x                                    802.1X
  dpi                                      Enable Deep-Packet-Inspection (Application Assurance)
  dscp-mapping                             Configure IP DSCP to 802.1p priority mapping for untagged frames
  eguest-server                            Enable EGuest Server functionality
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and adoptees
  floor                                    Set the floor within a area where the system is located
  geo-coordinates                          Configure geo coordinates for this device
  gre                                      GRE protocol
  hostname                                 Set system's network name
  http-analyze                             Specify HTTP-Analysis configuration
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  lacp                                     LACP commands
  layout-coordinates                       Configure layout coordinates for this device
  led                                      Turn LEDs on/off on the device
  led-timeout                              Configure the time for the led to turn off after the last radio state change
  legacy-auto-downgrade                    Enable device firmware to auto downgrade when other legacy devices are detected
  legacy-auto-update                       Auto upgrade of legacy devices
  license                                  License management command
  lldp                                     Link Layer Discovery Protocol
  load-balancing                           Configure load balancing parameter
  location                                 Configure the location
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  mac-name                                 Configure MAC address to name mappings
  management-server                        Configure management server address
  memory-profile                           Memory profile to be used on the device
  meshpoint-device                         Configure meshpoint device parameters
  meshpoint-monitor-interval               Configure meshpoint monitoring interval
  min-misconfiguration-recovery-time       Check controller connectivity after configuration is received
  mint                                     MiNT protocol
  mirror                                   Mirroring
  misconfiguration-recovery-time           Check controller connectivity after configuration is received
  mpact-server                             MPACT server configuration
  neighbor-inactivity-timeout              Configure neighbor inactivity timeout
  neighbor-info-interval                   Configure neighbor information exchange interval
  no                                       Negate a command or set its defaults
  noc                                      Configure the noc related setting
  nsight                                   NSight
  nsight-sensor                            Enable sensor for Nsight
  ntp                                      Ntp server A.B.C.D
  offline-duration                         Set duration for which a device remains unadopted before it generates offline event
  otls                                     Omnitrail Location Server
  override-wlan                            Configure RF Domain level overrides for wlan
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system will prefer for tunneling extended vlan traffic
  radius                                   Configure device-level radius authentication parameters
  raid                                     RAID
  remove-override                          Remove configuration item override from the device (so profile value takes effect)
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  rsa-key                                  Assign a RSA key to a service
  sensor-server                            AirDefense sensor server configuration
  slot                                     PCI expansion Slot
  spanning-tree                            Spanning tree
  timezone                                 Configure the timezone
  traffic-class-mapping                    Configure IPv6 traffic class to 802.1p priority mapping for untagged frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  vrrp-state-check                         Publish interface via OSPF/BGP only if the interface VRRP state is not BACKUP
  wep-shared-key-auth                      Enable support for 802.11 WEP shared key authentication
  zone                                     Configure Zone name

  clrscr                                   Clears the display screen
  commit                                   Commit all changes made in this session
  do                                       Run commands from Exec mode
  end                                      End current mode and change to EXEC mode
  exit                                     End current mode and down to previous mode
  help                                     Description of the interactive help system
  revert                                   Revert changes
  service                                  Service Commands
  show                                     Show running system information
  write                                    Write running configuration to memory or terminal
<DEVICE>(config-device-<MAC>)#
The following table summarizes device configuration mode commands (Command, Description, Reference):

  adopter-auto-provisioning-policy-lookup
      Enables the use of a centralized auto provisioning policy on this device (page 7-11)
  adoption
      Configures a minimum and maximum delay time in the initiation of the device adoption process (page 7-13)
  adoption-site
      Sets the device's adoption site name (page 7-464)
  alias
      Configures network, VLAN, and service aliases on a device (page 7-15)
  application-policy
      Associates a RADIUS server provided application policy with this device. When associated, the application policy allows wireless clients (MUs) to always find the RADIUS-supplied application policy in the dataplane. (page 7-22)
  area
      Sets the name of the area where the system is deployed (page 7-465)
  arp
      Configures ARP parameters (page 7-25)
  auto-learn
      Enables controllers or service platforms to maintain a local configuration record of devices requesting adoption and provisioning. The command also enables learning of a device's host name via DHCP options. (page 7-27)
  autogen-uniqueid
      When executed in the device configuration mode, this command generates a unique ID for the logged device (page 7-28)
  autoinstall
      Autoinstalls firmware image and configuration setup parameters (page 7-30)
  bridge
      Configures Ethernet Bridging parameters (page 7-31)
  captive-portal
      Configures captive portal advanced Web page upload on this profile (page 7-62)
  cdp
      Operates CDP on the device (page 7-63)
  channel-list
      Configures the channel list advertised to wireless clients (page 7-466)
  cluster
      Sets cluster configuration (page 7-64)
  configuration-persistence
      Enables configuration persistence across reloads (page 7-67)
  contact
      Sets contact information (page 7-467)
  controller
      Configures a WLAN's wireless controller or service platform (page 7-68)
  country-code
      Configures the wireless controller's or service platform's country code (page 7-468)
  critical-resource
      Monitors user configured IP addresses and logs their status (page 7-72)
  crypto
      Configures data encryption protocols and settings (page 7-80)
  database
      Backs up the captive-portal and/or NSight database to a specified location and file and configures a low-disk-space threshold value (page 7-143)
  device-upgrade
      Configures device firmware upgrade settings on this device (page 7-154)
  diag
      Enables looped packet logging (page 7-145)
  dot1x
      Configures 802.1x standard authentication controls (page 7-147)
  dpi
      Enables Deep Packet Inspection (DPI) on this device (page 7-148)
  dscp-mapping
      Configures IP Differentiated Services Code Point (DSCP) to 802.1p priority mapping for untagged frames (page 7-150)
  eguest-server (VX9000 only)
      Enables the EGuest daemon when executed without the host option (page 7-153)
  eguest-server (NOC only)
      Points to the EGuest server when executed along with the host option (page 7-155)
  email-notification
      Configures e-mail notification settings (page 7-156)
  enforce-version
      Checks the device firmware version before attempting connection (page 7-158)
  environmental-sensor
      Configures the environmental sensor device settings. If the device is an environmental sensor, use this command to configure its settings. (page 7-159)
  events
      Enables system event message generation and forwarding (page 7-161)
  export
      Enables export of the startup.log file after every boot (page 7-162)
  file-sync
      Configures parameters enabling syncing of the trustpoint/wireless-bridge certificate between the staging-controller and its adopted access points (page 7-163)
  floor
      Sets the floor name where the system is located (page 7-164)
  geo-coordinates
      Configures the geographic coordinates for this device (page 7-470)
  gre
      Enables GRE tunneling on this device (page 7-166)
  hostname
      Sets a system's network name (page 7-471)
  http-analyze
      Enables HTTP analysis on this device (page 7-177)
  interface
      Selects an interface to configure (page 7-180)
  ip
      Configures IPv4 components (page 7-348)
  ipv6
      Configures IPv6 components (page 7-358)
  l2tpv3
      Defines the Layer 2 Tunnel Protocol (L2TP) protocol for tunneling Layer 2 payloads using Virtual Private Networks (VPNs) (page 7-362)
  l3e-lite-table
      Configures the L3e Lite Table with this profile (page 7-364)
  lacp
      Configures an LACP-enabled peer's system-priority value. LACP uses this system-priority value along with the peer's MAC address to form the peer's system ID. (page 7-472)
  layout-coordinates
      Configures layout coordinates (page 7-473)
  led
      Turns LEDs on or off (page 7-365)
  led-timeout
      Configures the LED-timeout timer in the device or profile configuration mode (page 7-366)
  legacy-auto-downgrade
      Enables legacy device firmware to auto downgrade (page 7-368)
  legacy-auto-update
      Auto updates AP7161 legacy device firmware (page 7-369)
  license
      Adds device feature licenses (page 7-474)
  lldp
      Configures Link Layer Discovery Protocol (LLDP) settings for this device (page 7-370)
  load-balancing
      Configures load balancing parameters (page 7-372)
  location
      Configures the system's location (place of deployment) (page 7-477)
  logging
      Enables message logging (page 7-377)
  mac-address-table
      Configures the MAC address table (page 7-379)
  mac-auth
      Enables 802.1x authentication of hosts on this device (page 7-381)
  mac-name
      Configures MAC address to device name mappings (page 7-478)
  management-server
      Configures a management server with this profile (page 7-384)
  memory-profile
      Configures the memory profile used on the device (page 7-385)
  meshpoint-device
      Configures meshpoint device parameters (page 7-386)
  meshpoint-monitor-interval
      Configures the meshpoint monitoring interval (page 7-388)
  min-misconfiguration-recovery-time
      Configures the minimum device connectivity verification time (page 7-389)
  mint
      Configures MiNT protocol settings (page 7-390)
  misconfiguration-recovery-time
      Verifies device connectivity after a configuration is received (page 7-397)
  neighbor-inactivity-timeout
      Configures the neighbor inactivity timeout value (page 7-398)
  neighbor-info-interval
      Configures the neighbor information exchange interval (page 7-399)
  no
      Negates a command or resets values to their default settings (page 7-479)
  noc
      Configures NOC settings (page 7-402)
  nsight
      Configures NSight database statistics related parameters. Use this command to set the interval at which data is updated by the RF Domain managers to the NSight server. This command is applicable only on the NX95XX series and NX9600 service platforms and is configured on the NSight server. (page 7-480)
  ntp
      Configures NTP server settings (page 7-408)
  offline-duration
      Sets the duration, in minutes, for which a device remains unadopted before it generates an offline event (page 7-414)
  override-wlan
      Configures WLAN RF Domain level overrides on the logged device (page 7-484)
  power-config
      Configures power mode features (page 7-415)
  preferred-controller-group
      Specifies the wireless controller or service platform group the system prefers for adoption (page 7-417)
  preferred-tunnel-controller
      Configures the tunnel wireless controller or service platform preferred by the system for tunneling extended VLAN traffic (page 7-418)
  radius
      Configures device-level RADIUS authentication parameters (page 7-419)
  remove-override
      Removes device overrides (page 7-486)
  rf-domain-manager
      Enables the RF Domain manager (page 7-420)
  router
      Configures dynamic router protocol settings (page 7-421)
  rsa-key
      Assigns a RSA key to SSH (page 7-488)
  sensor-server
      Configures an AirDefense sensor server (page 7-489)
  spanning-tree
      Enables spanning tree commands on the logged device (page 7-423)
  traffic-class-mapping
      Maps the IPv6 traffic class value of incoming IPv6 untagged packets to 802.1p priority (page 7-426)
  traffic-shape
      Enables traffic shaping and configures traffic shaping parameters on this device (page 7-490)
  trustpoint (device-config-mode)
      Assigns trustpoints to validate various services, such as HTTPS, RADIUS CA, RADIUS server, external LDAP server, etc. (page 7-436)
  timezone
      Configures the wireless controller's or service platform's time zone settings (page 7-437)
  tunnel-controller
      Configures the tunneled WLAN (extended VLAN) wireless controller's or service platform's name (page 7-443)
  use
      Associates different policies and settings with this device (page 7-428)
  vrrp
      Configures VRRP group settings (page 7-491)
  vrrp-state-check
      Publishes an interface via OSPF or BGP based on Virtual Router Redundancy Protocol (VRRP) status (page 7-447)
  wep-shared-key-auth
      Enables support for 802.11 WEP shared key authentication (page 7-450)
  raid
      Enables alarm on the array. This command is supported only on the NX9500 series service platform. (page 7-493)

7.2.1 adoption-site

Device Config Commands

Sets the device's adoption site name.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

  adoption-site <SITE-NAME>

Parameters

  adoption-site <SITE-NAME>
      Sets the device's adoption site name.

Example

rfs4000-229D58(config-device-00-23-68-22-9D-58)#adoption-site SanJoseMainOffice

Related Commands

  no    Disables or reverts settings to their default

7.2.2 area

Device Config Commands

Sets the physical area where the device (controller, service platform, or access point) is deployed. This can be a building, region, campus, or other area that describes the deployment location of the device. Assigning an area name is helpful when grouping devices in RF Domains and profiles, as devices in the same physical deployment location may need to share configuration parameters specific to that location's radio transmission and interference requirements.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

  area <AREA-NAME>

Parameters

  area <AREA-NAME>
      Sets the physical area where the device is deployed.
      <AREA-NAME>  Specify the area name (should not exceed 64 characters in length).

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#area RMZEcoSpace
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

  no    Disables or reverts settings to their default

7.2.3 channel-list

Device Config Commands

Configures the channel list advertised to wireless clients.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

  channel-list [2.4GHz|5GHz|dynamic]
  channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]

Parameters

  channel-list
      Configures the channel list advertised to wireless clients.
  2.4GHz <CHANNEL-LIST>
      Configures the channel list advertised by radios operating in 2.4 GHz.
      <CHANNEL-LIST>  Specify a list of channels separated by commas or hyphens.
  5GHz <CHANNEL-LIST>
      Configures the channel list advertised by radios operating in 5.0 GHz.
      <CHANNEL-LIST>  Specify a list of channels separated by commas or hyphens.
  dynamic
      Enables dynamic (neighboring access point based) update of the configured channel list.

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
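An added Python example (not from this guide) that parses and validates the comma- and hyphen-separated <CHANNEL-LIST> form described above, as it appears in a channel-list line from show context, against a per-band channel set. The band tables are constructed for the example; which channels are actually permitted depends on the device's country-code.

```python
# Constructed reference channel sets (not from the guide); the configured
# country-code, not this table, decides what the radio may really use.
BAND_CHANNELS = {
    "2.4GHz": list(range(1, 15)),
    "5GHz": [36, 40, 44, 48, 52, 56, 60, 64, 100, 104, 108, 112, 116, 120,
             124, 128, 132, 136, 140, 144, 149, 153, 157, 161, 165],
}


def parse_channel_list(spec, band):
    """Expand a '1,6-11' style <CHANNEL-LIST> for the given band.

    A hyphenated range covers every channel of the band between its two ends,
    so '36-48' on 5GHz is 36,40,44,48 and not 36..48. Raises ValueError for an
    unknown band, a malformed token, a descending range, a duplicate, or a
    channel the band does not contain."""
    try:
        valid = BAND_CHANNELS[band]
    except KeyError:
        raise ValueError(f"unknown band {band!r}") from None
    channels = []
    for token in spec.split(","):
        token = token.strip()
        if not token:
            raise ValueError("empty item in channel list")
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)  # int() raises ValueError on junk
            if lo > hi:
                raise ValueError(f"descending range {token!r}")
            if lo not in valid or hi not in valid:
                raise ValueError(f"range {token!r} ends outside {band}")
            expanded = [ch for ch in valid if lo <= ch <= hi]
        else:
            expanded = [int(token)]
        for ch in expanded:
            if ch not in valid:
                raise ValueError(f"channel {ch} is not a {band} channel")
            if ch in channels:
                raise ValueError(f"channel {ch} listed twice")
            channels.append(ch)
    return channels


def parse_channel_list_command(line):
    """Parse one 'channel-list ...' line as shown by 'show context'.

    Returns ('dynamic', None) or (band, [channels]) following the syntax
    channel-list [2.4GHz <CHANNEL-LIST>|5GHz <CHANNEL-LIST>|dynamic]."""
    parts = line.split()
    if not parts or parts[0] != "channel-list":
        raise ValueError(f"not a channel-list command: {line!r}")
    if parts[1:] == ["dynamic"]:
        return "dynamic", None
    if len(parts) != 3 or parts[1] not in BAND_CHANNELS:
        raise ValueError(f"expected band and list or 'dynamic': {line!r}")
    return parts[1], parse_channel_list(parts[2], parts[1])


if __name__ == "__main__":
    # the line from the example above, plus a 5GHz list with a range
    print(parse_channel_list_command("channel-list 2.4GHz 1,2"))
    print(parse_channel_list("36-48,149", "5GHz"))
```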
Related Commands

  no    Resets the channel list configuration

7.2.4 contact

Device Config Commands

Defines an administrative contact for a deployed device (controller, service platform, or access point).

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

  contact <WORD>

Parameters

  contact <WORD>
      Specify the administrative contact name (should not exceed 64 characters in length).

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#contact Bob+1-631-738-5200
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 contact Bob+1-631-738-5200
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

  no    Resets the administrative contact name

7.2.5 country-code

Device Config Commands

Defines the two digit country code for legal device deployment. Configuring the correct country is central to legal operation. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

  country-code <COUNTRY-CODE>

Parameters

  country-code <COUNTRY-CODE>
      Defines the two digit country code for legal device deployment.
      <COUNTRY-CODE>  Specify the two letter ISO-3166 country code.

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#country-code us
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

  no    Removes the configured country code

7.2.6 floor

Device Config Commands

Sets the building floor name representative of the location within the area or building where the device (controller, service platform, or access point) is physically deployed. Assigning a building floor name is helpful when grouping devices in RF Domains and profiles, as devices on the same physical building floor may need to share configuration parameters specific to that location's radio transmission and interference requirements.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

  floor <FLOOR-NAME> <1-4094>

Parameters

  floor <FLOOR-NAME>
      Sets the building floor name where the device is deployed.
  <1-4094>
      Sets a numerical floor designation in respect to the floor's actual location within a building. Specify a value from 1 - 4094. The default setting is the 1st floor.

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#floor 5thfloor
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname ap7131-4AA708
 area RMZEcospace
 floor 5thfloor
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

Related Commands

  no    Removes the device's location floor name

7.2.7 geo-coordinates

Device Config Commands

Configures the geographic coordinates for this device. Specifies the exact location of this device in terms of latitude and longitude coordinates.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax geographic coordinates <-90.0000-90.0000> <-180.0000-180.0000>
Parameters geographic coordinates <-90.0000-90.0000> <-180.0000-180.0000>
geographic coordinates Configures the geographic coordinates for this device
<-90.0000-90.0000> Specify the devices latitude coordinate from -90.0000 to 90.0000. When looking at a floor map, latitude lines specify the east-west position of a point on the Earth's surface.
<-180.0000-180.0000> Specify the devices longitude coordinate from -180.0000 to 180.0000. When looking at a floor map, longitude lines specify the north-south position of a point on the Earth's surface. Example rfs4000-229D58(config-device-00-23-68-22-9D-58)#geo-coordinates -90.0000 166.0000 rfs4000-229D58(config-device-00-23-68-22-9D-58)#show context rfs4000 00-23-68-22-9D-58 use profile default-rfs4000 use rf-domain default hostname rfs4000-229D58 geo-coordinates -90.0000 166.0000 license AP DEFAULT-6AP-LICENSE license ADSEC DEFAULT-ADV-SEC-LICENSE ip default-gateway 192.168.13.2 ip default-gateway priority static-route 20 interface ge1 switchport mode access switchport access vlan 1 interface vlan1 ip address 192.168.13.9/24 ip address 192.168.0.1/24 secondary ip dhcp client request options all use client-identity-group ClientIdentityGroup logging on logging console warnings logging buffered warnings rfs4000-229D58(config-device-00-23-68-22-9D-58)#
Related Commands
no    Removes the device's geographic coordinates

7.2.8 hostname
Device Config Commands
Sets the system's network name.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
hostname <WORD>
Parameters
hostname <WORD>
<WORD>    Sets the name of the managing wireless controller, service platform, or access point. This name is displayed when the device is accessed from any network.
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#hostname TechPubAP7131
The hostname has changed from ap7131-4AA708 to TechPubAP7131
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
no    Removes the device's hostname

7.2.9 lacp
Device Config Commands
Configures an LACP-enabled peer's system priority value. LACP uses this system priority value along with the peer's MAC address to form the system ID. In a LAG, the peer with the lower system ID initiates LACP negotiations with the other peer. In scenarios where both peers have the same system-priority value assigned, the peer with the lower MAC address gets precedence.
NOTE: For more information on enabling link aggregation, see lacp and lacp-channel-group.
Supported in the following platforms:
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600
Syntax
lacp system-priority <1-65535>
Parameters
lacp system-priority <1-65535>
lacp system-priority <1-65535>    Configures the LACP system priority value
<1-65535>    Specify a value from 1 - 65535. The lower the value, the higher the priority; 1 and 65535 are therefore the highest and lowest system-priority values respectively. The default value is 32768.
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#lacp system-priority 1
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include lacp
lacp system-priority 1
 lacp-channel-group 1 mode active
 lacp port-priority 2
 lacp-channel-group 1 mode active
 lacp port-priority 2
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
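The system-ID rule stated above (lower system ID initiates; the MAC address breaks a priority tie), worked as an added example that is not part of this guide. The guide only says that the priority and the MAC are combined; placing the 16-bit priority in the high-order bits and the 48-bit MAC in the low-order bits is the IEEE 802.1AX layout and is an assumption here, as are the function names.

```python
"""LACP system ID formation and negotiation-initiator selection.

Added example (not from the CLI reference guide). Models the rule in the
lacp section: system ID = system priority combined with the MAC address,
the peer with the lower system ID initiates negotiation, and the MAC
address decides when priorities are equal. The 16-bit-priority-above-
48-bit-MAC layout is the IEEE 802.1AX one; the guide does not spell it out.
"""

DEFAULT_SYSTEM_PRIORITY = 32768  # default value stated in the guide


def parse_mac(mac: str) -> int:
    """Convert aa-bb-cc-dd-ee-ff (or colon-separated) to a 48-bit integer."""
    octets = mac.replace(":", "-").split("-")
    if len(octets) != 6:
        raise ValueError(f"malformed MAC address: {mac!r}")
    value = 0
    for octet in octets:
        byte = int(octet, 16)
        if not 0 <= byte <= 0xFF:
            raise ValueError(f"octet out of range in {mac!r}")
        value = (value << 8) | byte
    return value


def system_id(priority: int, mac: str) -> int:
    """Build the 64-bit system ID: priority in the high 16 bits, MAC in the low 48."""
    if not 1 <= priority <= 65535:
        raise ValueError("system-priority must be in 1-65535")
    return (priority << 48) | parse_mac(mac)


def negotiation_initiator(peer_a, peer_b):
    """Return the (priority, mac) tuple of the peer that initiates LACP negotiation.

    Because the priority occupies the high-order bits, a numerically lower
    priority always wins regardless of MAC; only equal priorities fall
    through to the MAC comparison, which is exactly the tie-break the
    guide describes.
    """
    id_a = system_id(*peer_a)
    id_b = system_id(*peer_b)
    if id_a == id_b:
        raise ValueError("peers must not share a system ID")
    return peer_a if id_a < id_b else peer_b


if __name__ == "__main__":
    # Constructed peers: the NX9500 from the guide's example at priority 1
    # versus a peer left at the default priority.
    nx9500 = (1, "B4-C7-99-6C-88-09")
    other = (DEFAULT_SYSTEM_PRIORITY, "00-04-96-4A-A7-08")
    print("initiator:", negotiation_initiator(nx9500, other))
```

Setting `lacp system-priority 1` on the service platform, as the example above does, guarantees it initiates regardless of the peer's MAC; leaving both sides at 32768 hands the decision to whichever MAC happens to be lower.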
Related Commands
no    Removes this device's configured system-priority value

7.2.10 layout-coordinates
Device Config Commands
Configures X and Y layout coordinates for the device.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
layout-coordinates <-4096.0-4096.0> <-4096.0-4096.0>
Parameters
layout-coordinates <-4096.0-4096.0> <-4096.0-4096.0>
layout-coordinates    Configures X and Y layout coordinates for the device
<-4096.0-4096.0>    Specify the X coordinate, from -4096.0 to 4096.0
<-4096.0-4096.0>    Specify the Y coordinate, from -4096.0 to 4096.0
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#layout-coordinates 1.0 2.0
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 layout-coordinates 1.0 2.0
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
no    Removes the device's layout coordinates

7.2.11 license
Device Config Commands
Adds a license pack on the device for the specified feature (AP/AAP/ADSEC/HTANLT/WEBF/NSIGHT/NSIGHT-PER/EGUEST-DEV).
The WiNG HM network defines a three-tier structure, consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and the site controllers constitute the second tier of the hierarchy. The site controllers may or may not be grouped to form clusters. The site controllers in turn adopt and manage access points, which form the third tier of the hierarchy.
The NOC controllers and/or site controllers can both have license packs installed. Adoption of APs by the NOC and site controllers depends on the number of licenses available on each of these controllers. When an AP is adopted by a site controller, the site controller pushes a license on to the AP. The various possible scenarios are:
AP licenses installed on site controller
AP licenses installed only on NOC controller
AP licenses installed on any member of a site cluster
The NOC controller provides the site controllers with AP licenses, ensuring that per-platform limits are not exceeded. The site controller uses its installed licenses, and then asks the NOC controller for additional licenses in case of a shortage. In a hierarchical and centrally managed network, the NOC controller can pull unused AP licenses from site controllers and relocate them to other site controllers when required. The site controller shares installed and borrowed (from the NOC) licenses with other controllers within a site cluster.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
license <WORD> <LICENSE-KEY>
Parameters
license <WORD> <LICENSE-KEY>
<WORD>    Specify the feature name (AP/AAP/ADSEC/HTANLT/WEBF/NSIGHT/NSIGHT-PER/EGUEST-DEV) for which the license is added.
AP License: This is the license key required for AP adoptions. The number of APs that can be adopted depends on the installed license count. If the installed license count is 10 APs and the number of AP adoptions is 5, 5 additional APs can still be adopted under the terms of the license.
AAP License: This is the license key required for AAP adoptions. The number of AAPs that can be adopted depends on the installed license count. If the installed license count is 10 APs and the number of AAP adoptions is 5, 5 additional AAPs can still be adopted under the terms of the license.
ADSEC License: This is the license key required to install the Role Based Firewall feature and increase the number of IPSec VPN tunnels. The number of IPSec tunnels varies by platform.
HTANLT: This is the license key required to install Analytics (an enhanced statistical management tool) for NX95XX series service platforms.
WEBF License: This is the license key required to install the Web filtering feature. Web filtering is used to restrict access to specific resources on the Internet.
NSIGHT/NSIGHT-PER Licenses: This is the license key required to install NSight on a supported service platform. The NSight UI displays a comprehensive, day-to-day overview of the network in a graphical, visually interactive, and easy-to-use format. However, NSight is a licensed service: on expiration of the first 120 days grace period, the NSight server's NSight UI can be launched only after the NSight or NSight-Per (NSight Perpetual) license is applied. The difference between the NSight and NSight-Per licenses is that the first one has an expiration date, whereas the latter doesn't. Once purchased and applied, the NSight-Per license is active forever, and is therefore ideally suited for a Replica-set NSight deployment, where it is essential that the license is perpetually active and synched across the NSight servers and their primary and secondary databases.
Note: NSight is supported only on NX9500, NX9510, NX9600 model service platforms, and the VX9000 virtual controller.
EGUEST-DEV License: This is the per-device license key installed on the EGuest server. Once installed, the EGuest feature is activated. The EGuest-DEV license defines the number of APs supported by each EGuest server. The maximum limit for the per-device license is 100,000. The EGuest server is supported only on the VX9000 platform.
<LICENSE-KEY>    Specify the license key.
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#license ap aplicensekey@1234 aplicensekey@123
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicensekey@1234 aplicensekey@123
 location SanJose
 no contact
 country-code us
 channel-list 2.4GHz 1,2
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#license NSIGHT 62e512ae6cb74689df253a03efe493f375597b67c70ee0b7c30655256b1322d064ca8dfaecedc450

VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#license EGUEST-DEV 5f06f09e8209cba1fc7db70681fe78ba2707bbcd6ca2e8f8a31fe5b7e2e778c8b0d0ee3994f800ad
VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#commit write
VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#show context include-factory | include license
license EGUEST-DEV 5f06f09e8209cba1fc7db70681fe78ba2707bbcd6ca2e8f8a31fe5b7e2e778c8b0d0ee3994f800ad
VX-EGuest-DB(config-device-14-A0-19-06-AB-10)#
7.2.12 location
Device Config Commands
Sets the location where a managed device (controller, service platform, or access point) is deployed. This is the location of the device with respect to the RF Domain it belongs to.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
location <WORD>
Parameters
location <WORD>
<WORD>    Specify the managed device's location as part of its RF Domain configuration
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#location SanJose
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 layout-coordinates 1.0 2.0
 location SanJose
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
no    Removes a managed device's location

7.2.13 mac-name
Device Config Commands
Configures a client name to MAC address mapping. Use this command to assign a user-friendly name to the device (controller, service platform, or access point) and map it to the device's MAC address.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
mac-name <MAC> <NAME>
Parameters
mac-name <MAC> <NAME>
mac-name <MAC> <NAME>    Maps a user-friendly name to the device's MAC address
<MAC>    Specify the device's MAC address.
<NAME>    Specify the 'friendly' name used for the specified MAC address. This is the name used in events and statistics logs.
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#mac-name 00-04-96-4A-A7-08 5.8TestAP
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 area RMZEcospace
 floor 5thfloor
 layout-coordinates 1.0 2.0
 location SanJose
 contact Bob+1-631-738-5200
 country-code us
 channel-list 2.4GHz 1,2
 mac-name 00-04-96-4A-A7-08 5.8TestAP
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
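The geo-coordinates, layout-coordinates and mac-name sections above each document a range or format the CLI enforces. The following is an added example, not code from the guide or from WiNG, that applies those same documented limits to a device stanza in the `show context` layout the guide's examples use, so a templated configuration can be linted before it is pushed, or an exported running config can be checked for drift. The stanza it runs on is constructed for the example; the function names are mine.

```python
"""Range and format checks for device-level settings in a WiNG 'show context' stanza.

Added example, not part of the CLI reference guide. The limits below are
the ones the guide documents for geo-coordinates (-90..90 latitude,
-180..180 longitude), layout-coordinates (-4096.0..4096.0 for X and Y)
and the xx-xx-xx-xx-xx-xx MAC form used by mac-name.
"""
import re

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

# (minimum, maximum) per documented argument position
LIMITS = {
    "geo-coordinates": [(-90.0, 90.0), (-180.0, 180.0)],           # latitude, longitude
    "layout-coordinates": [(-4096.0, 4096.0), (-4096.0, 4096.0)],  # X, Y
}


def check_config(text: str) -> list:
    """Return human-readable findings; an empty list means the stanza is clean."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        keyword, *args = line.split()
        if keyword in LIMITS:
            limits = LIMITS[keyword]
            if len(args) != len(limits):
                findings.append(f"line {lineno}: {keyword} expects {len(limits)} values, got {len(args)}")
                continue
            for (lo, hi), arg in zip(limits, args):
                try:
                    value = float(arg)
                except ValueError:
                    findings.append(f"line {lineno}: {keyword} value {arg!r} is not numeric")
                    continue
                if not lo <= value <= hi:
                    findings.append(f"line {lineno}: {keyword} value {value} outside {lo}..{hi}")
        elif keyword == "mac-name":
            if len(args) != 2:
                findings.append(f"line {lineno}: mac-name expects <MAC> <NAME>")
            elif not MAC_RE.match(args[0]):
                findings.append(f"line {lineno}: mac-name MAC {args[0]!r} is not in xx-xx-xx-xx-xx-xx form")
    return findings


# Constructed sample stanza (not taken from the guide), seeded with two bad lines:
# a Y layout coordinate beyond 4096.0 and a MAC with a non-hex digit.
SAMPLE = """\
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 hostname TechPubAP7131
 geo-coordinates 37.3382 -121.8863
 layout-coordinates 1.0 5000.0
 mac-name 00-04-96-4A-A7-0G 5.8TestAP
"""

if __name__ == "__main__":
    for finding in check_config(SAMPLE) or ["no findings"]:
        print(finding)
```

Lines the checker does not know about (`use profile`, `hostname`, and so on) are passed through untouched, so adding a new keyword is a matter of extending `LIMITS` with its documented range.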
Related Commands
no    Removes the device's friendly name to MAC address mapping

7.2.14 no
Device Config Commands
Negates a command or resets values to their defaults.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [adopter-auto-provisioning-policy-lookup|adoption-site|alias|application-
policy|area|arp|auto-learn-staging-config|autoinstall|bridge|captive-portal|
cdp|channel-list|cluster|configuration-persistence|contact|controller|
country-code|critical-resource|crypto|database-backup|device-upgrade|dot1x|
dpi|dscp-mapping|email-notification|environmental-sensor|events|export|
file-sync|floor|geo-coordinates|gre|hostname|http-analyze|interface|ip|ipv6|
l2tpv3|l3-lite-table|lacp|layout-coordinates|led|led-timeout|
legacy-auto-downgrade|legacy-auto-update|license|lldp|load-balancing|location|
logging|mac-address-table|mac-auth|mac-name|management-server|memory-profile|
meshpoint-device|meshpoint-monitor-interval|min-misconfiguration-recovery-time|
mint|mirror|misconfiguration-recovery-time|mpact-server|noc|nsight|ntp|
offline-duration|override-wlan|power-config|preferred-controller-group|
preferred-tunnel-controller|radius|raid|rf-domain-manager|router|rsa-key|
sensor-server|slot|spanning-tree|timezone|traffic-class-mapping|traffic-shape|
trustpoint|tunnel-controller|use|vrrp|vrrp-state-check|wep-shared-key-auth|
service]
Parameters
no <PARAMETERS>
no <PARAMETERS>    Removes or resets the logged device's settings based on the parameters passed
Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#no area
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#no contact

7.2.15 nsight
Device Config Commands
Configures NSight database related parameters. Use this command to configure the data-update periodicity, the number of applications posted to the NSight server for a wireless client, and the duration for which data is stored in the NSight database's buckets. These parameters determine the amount of data stored in the NSight DB and the intervals at which data is aggregated and expired within it. For more information on data aggregation and expiration, see Data Aggregation and Expiration in the Usage Guidelines below. Configure these parameters in the NSight server's device configuration mode.
Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000
Syntax
nsight database [statistics|summary]
nsight database statistics [avc-update-interval|max-apps-per-client|update-
interval|wireless-clients-update-interval]
nsight database statistics [avc-update-interval|update-interval|wireless-clients-
update-interval] [120|30|300|60|600]
nsight database statistics max-apps-per-client <1-1000>
nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>
Parameters
nsight database statistics [avc-update-interval|update-interval|wireless-clients-update-interval] [120|30|300|60|600]
nsight database statistics    Configures NSight database statistics related parameters
avc-update-interval    Configures the interval, in seconds, at which Application Visibility and Control (AVC) statistics are updated to the NSight database. This interval is the rate at which AVC-related data is inserted into the NSight database's first bucket; this first-bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Data Aggregation and Expiration in the Usage Guidelines below. When configured, RF Domain managers posting AVC-related data to the NSight server receive a reply from the NSight server indicating the next update time, which the NSight server calculates from the avc-update-interval configured here.
update-interval    Configures the interval, in seconds, at which data is updated to the NSight server. This interval is the rate at which data (excluding AVC and wireless-client related statistics) is inserted into the NSight database's first bucket; this first-bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Data Aggregation and Expiration in the Usage Guidelines below. When configured, RF Domain managers posting data to the NSight server receive a reply from the NSight server indicating the next update time, which the NSight server calculates from the update-interval configured here.
Note: Use the avc-update-interval and wireless-clients-update-interval keywords to configure the update interval for AVC-related and wireless-client related information respectively.
wireless-clients-update-interval    Configures the interval, in seconds, at which wireless-client statistics are updated to the NSight server. This interval is the rate at which wireless-client related statistics are inserted into the NSight database's first bucket; this first-bucket data is referred to as the RAW records. A bucket is a database collection that holds statistical data on a per RF Domain basis. For more information, see Data Aggregation and Expiration in the Usage Guidelines below. When configured, RF Domain managers posting wireless-client related data to the NSight server receive a reply from the NSight server indicating the next update time, which the NSight server calculates from the wireless-clients-update-interval configured here.
[120|30|300|60|600]    The following keywords are common to all of the above parameters:
120    Sets the data-update periodicity to 120 seconds (2 minutes)
30    Sets the data-update periodicity to 30 seconds
300    Sets the data-update periodicity to 300 seconds (5 minutes). This is the default setting for the avc-update-interval and wireless-clients-update-interval parameters.
60    Sets the data-update periodicity to 60 seconds (1 minute). This is the default setting for the update-interval parameter.
600    Sets the data-update periodicity to 600 seconds (10 minutes)
nsight database statistics max-apps-per-client <1-1000>
nsight database statistics    Configures NSight database statistics related parameters
max-apps-per-client <1-1000>    Configures the maximum number of applications per wireless client to be posted to the NSight server within the configured data-update interval. This information is included in the AVC statistics posted by RF Domain managers to the NSight server. Specify the number of applications posted, from 1 - 1000. The default is 10 applications per wireless client.
nsight database summary duration <1-24> <1-168> <1-2160> <24-26280>
nsight database summary duration    Configures the NSight database's per-bucket data storage duration
<1-24> <1-168> <1-2160> <24-26280>    Configures the duration for which data is stored on a per-bucket basis
<1-24>    Specify the bucket 1 duration, from 1 - 24 hours (1 hour to 1 day). The default is 8 hours.
<1-168>    Specify the bucket 2 duration, from 1 - 168 hours (1 hour to 7 days). The default is 24 hours.
<1-2160>    Specify the bucket 3 duration, from 1 - 2160 hours (1 hour to 90 days). The default is 7 days (168 hours).
<24-26280>    Specify the bucket 4 duration, from 24 - 26280 hours (1 day to 3 years). The default is 365 days (1 year).
Note: A bucket is a database collection that holds statistical data for each RF Domain within the network. (Only those RF Domains that are using an NSight policy with the NSight server host configured post data to the NSight server. For more information, see use in the RF Domain configuration mode.) The NSight database has four (4) buckets. The data from each bucket is aggregated and pushed to the next bucket once the data storage duration specified for the bucket has been exceeded. For more information on data aggregation, see Data Aggregation and Expiration below.
Usage Guidelines (Data Aggregation and Expiration)
Data Aggregation:
The NSight functionality, a data analytics tool, analyzes data that is generated periodically by the nodes within the managed wireless LAN. For large WLAN networks, which generate a significantly large amount of data, storing data forever is neither feasible nor beneficial. Therefore, older statistics are summarized into aggregated (averaged) records: all records for a fixed time period in the past are summarized into one record by taking their average. Although this causes a loss in the data's granularity, average numbers for any given time period remain available.
Statistical data periodically posted by RF Domain managers to the NSight server is stored in buckets (database collections) within the NSight database. There are four buckets in total. These are:
First bucket (termed the RAW bucket) - B1
Second bucket - B2
Third bucket - B3
Fourth bucket - B4
On completion of the data storage duration, records from a bucket are aggregated (at a fixed rate) and inserted into the next bucket. The rate at which records are aggregated into the next bucket becomes the next bucket's granularity. For example, the B1 records (those that have exceeded the data storage duration configured for B1) are aggregated (at the rate specified) and inserted into B2. Similarly, data from B2 is aggregated into B3, and from B3 into B4. The fixed rate of aggregation (or granularity) and default storage duration for each bucket is as follows:
B1: storage duration 8 hours
B2: granularity 10 minutes / storage duration 24 hours
B3: granularity 1 hour / storage duration 7 days
B4: granularity 1 day / storage duration 1 year
Let us consider (with default update-interval settings) the growth of any one of the statistical buckets. Since B1's default data storage duration is 8 hours, B1 will hold a maximum of 960 records per RF Domain after 8 hours (updated at the rate of 30 seconds). Since B2's granularity is 10 minutes, every 10 minutes 20 records from B1 are aggregated into a single record and inserted into B2. Since B2's default storage duration is 24 hours, it will contain a maximum of 144 records per RF Domain after 24 hours. Since B3's granularity is 1 hour, every hour 6 records from B2 are aggregated into a single record and inserted into B3. Since B3's default storage duration is 7 days, it will contain a maximum of 168 records per RF Domain after 7 days. Since B4's granularity is 1 day, every day 24 records from B3 are aggregated into a single record and inserted into B4. Since B4's default storage duration is 365 days, it will contain a maximum of 365 records per RF Domain after 1 year.
Data Expiration:
The expiration of older records (also referred to as purging or deleting of records) occurs along with data aggregation for each bucket. Let us consider (with default data storage-duration settings) the expiration of data for any one of the statistical buckets. As stated earlier, at the end of 8 hours B1 will have 960 records per RF Domain. After a period of 8 hours and 10 minutes, all 960 records are aggregated into 144 records and inserted into B2. To enable B1 to hold exactly 8 hours' worth of data, the 20 oldest records (corresponding to the first 10 minutes) are purged from B1 at the end of 8 hours and 10 minutes. This expiration cycle is triggered every 10 minutes. At the end of 24 hours B2 will have 144 records per RF Domain. After a period of 24 hours and 10 minutes, the oldest record (corresponding to the first 10 minutes) is purged from B2. This expiration cycle is triggered every 10 minutes to enable B2 to maintain exactly 24 hours' worth of data. At the end of 7 days B3 will have 168 records per RF Domain. After a period of 7 days and one hour, the oldest record (corresponding to the first hour) is purged from B3. This expiration cycle is triggered every 1 hour to enable B3 to maintain exactly 7 days' worth of data. At the end of 365 days B4 will have 365 records per RF Domain. After 365 days, the oldest records (corresponding to the first day) are purged from B4. This expiration cycle is triggered every 1 day to enable B4 to maintain exactly 365 days' worth of data.
Example
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics avc-update-interval 120
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics update-interval 30
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics wireless-clients-update-interval 600
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database statistics max-apps-per-client 20
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#nsight database summary duration 12 30 200 500
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include nsight
use nsight-policy nsight-noc
nsight database statistics update-interval 30
nsight database statistics wireless-clients-update-interval 600
nsight database summary duration 12 30 200 500
nsight database statistics avc-update-interval 120
nsight database statistics max-apps-per-mu 20
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
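The bucket arithmetic in the Data Aggregation and Data Expiration guidelines above, as an added example that is not part of the guide: it computes the per-RF-Domain record ceiling of each bucket from the update interval and the four `summary duration` values, the aggregation ratios between buckets, and the purge that keeps a bucket at its ceiling. The 10-minute, 1-hour and 1-day granularities are the fixed values the guide states; the walk-through's 30-second update interval and the `12 30 200 500` durations from the example above are used as inputs. Function names are mine.

```python
"""Record growth, aggregation ratios and expiry per NSight bucket.

Added example, not from the CLI reference guide. Reproduces the bucket
model in the Data Aggregation section: B1 holds one raw record per update
interval; B2, B3 and B4 hold one averaged record per 10 minutes, 1 hour
and 1 day respectively (fixed granularities stated in the guide). Storage
durations are the configurable 'nsight database summary duration' values,
in hours, so a capacity-planning check can be run before a change.
"""

HOUR = 3600
GRANULARITY_SECONDS = {"B2": 10 * 60, "B3": HOUR, "B4": 24 * HOUR}
DEFAULT_DURATIONS_H = (8, 24, 168, 365 * 24)  # guide defaults: 8 h, 24 h, 7 d, 1 y


def bucket_capacities(update_interval_s, durations_h=DEFAULT_DURATIONS_H):
    """Return {bucket: max records per RF Domain} for (B1, B2, B3, B4) durations in hours."""
    if update_interval_s <= 0:
        raise ValueError("update interval must be positive")
    b1, b2, b3, b4 = durations_h
    return {
        "B1": b1 * HOUR // update_interval_s,
        "B2": b2 * HOUR // GRANULARITY_SECONDS["B2"],
        "B3": b3 * HOUR // GRANULARITY_SECONDS["B3"],
        "B4": b4 * HOUR // GRANULARITY_SECONDS["B4"],
    }


def aggregation_ratios(update_interval_s):
    """Number of records of the previous bucket averaged into one record of the next."""
    if update_interval_s <= 0:
        raise ValueError("update interval must be positive")
    return {
        "B1->B2": GRANULARITY_SECONDS["B2"] // update_interval_s,
        "B2->B3": GRANULARITY_SECONDS["B3"] // GRANULARITY_SECONDS["B2"],
        "B3->B4": GRANULARITY_SECONDS["B4"] // GRANULARITY_SECONDS["B3"],
    }


def expire(bucket_records, capacity):
    """Drop the oldest records (front of the list) so at most `capacity` remain.

    Models the purge the guide describes: once a bucket has exceeded its
    storage duration, the records covering the oldest granularity period
    are removed so the bucket holds exactly its duration's worth of data.
    """
    excess = len(bucket_records) - capacity
    return bucket_records[excess:] if excess > 0 else list(bucket_records)


def total_records(update_interval_s, durations_h=DEFAULT_DURATIONS_H):
    """Steady-state records per RF Domain across all four buckets."""
    return sum(bucket_capacities(update_interval_s, durations_h).values())


if __name__ == "__main__":
    # Defaults with the 30 s interval used in the guide's walk-through.
    print(bucket_capacities(30), aggregation_ratios(30))
    # The guide's example: 'summary duration 12 30 200 500' at the 60 s default update-interval.
    print(bucket_capacities(60, (12, 30, 200, 500)))
```

Multiplying the steady-state record count by the number of posting RF Domains and by the number of statistic types gives a first-order estimate of NSight database size, which is the figure to check before lengthening any of the four durations.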
Related Commands
no    Reverts the NSight database related parameters configured to their default values

7.2.16 override-wlan
Device Config Commands
Configures WLAN RF Domain level overrides.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
override-wlan <WLAN> [shutdown|ssid|vlan-pool|wep128|wpa-wpa2-psk]
override-wlan <WLAN> [shutdown|ssid <SSID>|vlan-pool <1-4094> {limit <0-8192>}|wpa-wpa2-psk <WORD>]
override-wlan <WLAN> wep128 [key <1-4> hex [0<WORD>|2 <WORD>]|transmit-key <1-4>]
Parameters
override-wlan <WLAN> [shutdown|ssid <SSID>|vlan-pool <1-4094> {limit <0-8192>}|wpa-wpa2-psk <WORD>]
<WLAN>    Specify the WLAN name. Configure the following WLAN parameters: SSID, VLAN pool, and WPA-WPA2 key.
shutdown    Shuts down the WLAN's (identified by the <WLAN> keyword) operations on all mapped radios
ssid <SSID>    Configures the WLAN's Service Set Identifier (SSID)
<SSID>    Specify an SSID ID.
vlan-pool <1-4094>    Configures a pool of VLANs for the selected WLAN
<1-4094>    Specifies a VLAN pool ID from 1 - 4094.
limit    Optional. Limits the number of users on this VLAN pool
<0-8192>    Specify the user limit from 0 - 8192.
Note: The VLAN pool configuration overrides the VLAN configuration.
wpa-wpa2-psk <WORD>    Configures the WPA-WPA2 key or passphrase for the selected WLAN
<WORD>    Specify a WPA-WPA2 key or passphrase.
override-wlan <WLAN> wep128 [key <1-4> hex [0<WORD>|2 <WORD>]|transmit-key <1-4>]
<WLAN>    Specify the WLAN name.
wep128    Configures the WEP128 key for this WLAN, and also enables key transmission. Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP 128 uses a 104-bit key, which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. This results in a level of security and privacy comparable to that of a wired LAN.
key <1-4> hex    Configures a hexadecimal key (clear text or encrypted) and specifies the key's index.
0 <WORD>    Configures a clear text key. Specify a 4 - 32 character pass key.
2 <WORD>    Configures an encrypted key. Specify a 4 - 32 character pass key.
transmit-key <1-4>    Enables transmission of the key index. Specify the key index.
Wireless devices and their connected clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without the required adapters need to use WEP keys manually configured as hexadecimal numbers.
Example
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#override-wlan test vlan-pool 8
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 location SanJose
 no contact
 country-code us
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
no    Removes RF Domain level WLAN overrides

7.2.17 remove-override
Device Config Commands
Removes device overrides in order to enable profile settings to take effect.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
remove-override <PARAMETERS>
Parameters
remove-override <PARAMETERS>
remove-override <PARAMETERS>    Removes settings configured at the device level based on the parameters passed. The profile (applied to the device) settings take effect once the device-level overrides are removed.
Example
rfs4000-229D58(config-device-00-23-68-22-9D-58)#remove-override ?
  adopter-auto-provisioning-policy-lookup  Use centralized auto-provisioning policy when adopted by another controller
  adoption                                 Adoption configuration
  adoption-mode                            Configure the adoption mode for the access-points in this RF-Domain
  alias                                    Alias
  all                                      Remove all overrides for the device
  application-policy                       Application Policy configuration
  area                                     Reset name of area where the system is located
  arp                                      Address Resolution Protocol (ARP)
  auto-learn                               Auto learning
  autogen-uniqueid                         Autogenerate a unique id
  autoinstall                              Autoinstall settings
  bridge                                   Bridge group commands
  captive-portal                           Captive portal
  cdp                                      Cisco Discovery Protocol
  channel-list                             Configure a channel list to be advertised to wireless clients
  cluster                                  Cluster configuration
  configuration-persistence                Automatic write of startup configuration file
  contact                                  The contact
  controller                               WLAN controller configuration
  country-code                             The country of operation
  critical-resource                        Critical Resource
  crypto                                   Encryption related commands
  device-upgrade                           Device firmware upgrade
  dot1x                                    802.1X
  dpi                                      Deep-Packet-Inspection (Application Assurance)
  dscp-mapping                             IP DSCP to 802.1p priority mapping for untagged frames
  email-notification                       Email notification configuration
  enforce-version                          Check the firmware versions of devices before interoperating
  environmental-sensor                     Environmental Sensors Configuration
  events                                   System event messages
  export                                   Export a file
  file-sync                                File sync between controller and adoptees
  firewall                                 Enable/Disable firewall
  floor                                    Reset name of floor where the system is located
  geo-coordinates                          Geo co-ordinates for this device
  global                                   Remove global overrides for the device but keeps per-interface overrides
  gre                                      GRE protocol
  interface                                Select an interface to configure
  ip                                       Internet Protocol (IP)
  ipv6                                     Internet Protocol version 6 (IPv6)
  l2tpv3                                   L2tpv3 protocol
  l3e-lite-table                           L3e lite Table
  led                                      LED on the device
  lldp                                     Link Layer Discovery Protocol
  location                                 The location
  logging                                  Modify message logging facilities
  mac-address-table                        MAC Address Table
  mac-auth                                 802.1X
  memory-profile                           Memory-profile
  mint                                     MiNT protocol
  mpact-server                             MPACT server configuration
  noc                                      Noc related configuration
  ntp                                      Configure NTP
  offline-duration                         Duration to mark adopted device as offline
  override-wlan                            Overrides for wlans
  power-config                             Configure power mode
  preferred-controller-group               Controller group this system will prefer for adoption
  preferred-tunnel-controller              Tunnel Controller Name this system will prefer for tunneling extended vlan traffic
  rf-domain-manager                        RF Domain Manager
  router                                   Dynamic routing
  routing-policy                           Policy Based Routing Configuration
  sensor-server                            AirDefense WIPS sensor server configuration
  spanning-tree                            Spanning tree
  timezone                                 The timezone
  traffic-class-mapping                    IPv6 traffic-class to 802.1p priority mapping for untagged frames
  traffic-shape                            Traffic shaping
  trustpoint                               Assign a trustpoint to a service
  tunnel-controller                        Tunnel Controller group this controller belongs to
  use                                      Set setting to use
  vrrp                                     VRRP configuration
  service                                  Service Commands
rfs4000-229D58(config-device-00-23-68-22-9D-58)#
7.2.18 rsa-key
Device Config Commands

Assigns an SSH RSA key.

SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a username and password. One key is private and the other is public. Secure Shell (SSH) public key authentication can be used by a requesting client to access resources, if properly configured. The RSA key pair must be generated on the client. The public portion of the key pair resides locally on the controller, service platform, or access point, while the private portion remains in a secure area on the client.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  rsa-key ssh <RSA-KEY-NAME>

Parameters
  rsa-key ssh <RSA-KEY-NAME>

  rsa-key ssh <RSA-KEY-NAME>   Assigns an RSA key to SSH
    <RSA-KEY-NAME>             Specifies the RSA key name. The key should be installed using PKI commands in the enable mode.

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#rsa-key ssh rsa-key1
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 rsa-key ssh rsa-key1
 location SanJose
 no contact
 country-code us
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
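Because only the public half of the pair is installed on the device, the sanity check worth doing happens on the client side before the key is imported: confirm that the file really holds an RSA key (the only type rsa-key ssh accepts) and that its modulus is long enough. The script below is an added example and not WiNG code; it parses the OpenSSH public key line format (RFC 4253 wire encoding, base64) with the standard library only. The sample keys are constructed from synthetic moduli, and the 2048-bit floor is this example's policy, not a WiNG requirement.

```python
"""Inspect an OpenSSH 'ssh-rsa' public key line before installing it on the controller."""
import base64
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field in the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a positive integer as an SSH mpint (big-endian, leading zero if the MSB is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def build_rsa_pubkey_line(e: int, n: int, comment: str = "constructed@example") -> str:
    """Build an authorized_keys style line from RSA public parameters (used here for samples)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read_fields(blob: bytes) -> list:
    """Split an SSH key blob into its length-prefixed fields, rejecting truncation."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[pos:pos + length])
        pos += length
    return fields


def inspect_pubkey_line(line: str) -> dict:
    """Return the key type and, for ssh-rsa, the modulus size in bits."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64-blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    fields = _read_fields(base64.b64decode(b64, validate=True))
    if not fields or fields[0] != key_type.encode():
        raise ValueError("key type inside the blob does not match the text prefix")
    info = {"type": key_type, "bits": None}
    if key_type == "ssh-rsa":
        if len(fields) != 3:
            raise ValueError("ssh-rsa blob must carry exactly e and n")
        info["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return info


def acceptable_for_controller(line: str, min_bits: int = 2048) -> bool:
    """True if the key is RSA and at least min_bits long (the floor is this example's assumption)."""
    info = inspect_pubkey_line(line)
    return info["type"] == "ssh-rsa" and info["bits"] is not None and info["bits"] >= min_bits


if __name__ == "__main__":
    # Constructed moduli: any odd integer of the right width serves for a format check.
    strong = build_rsa_pubkey_line(65537, (1 << 2047) | 0x10001)
    weak = build_rsa_pubkey_line(65537, (1 << 1023) | 0x10001)
    print(inspect_pubkey_line(strong), acceptable_for_controller(strong))
    print(inspect_pubkey_line(weak), acceptable_for_controller(weak))
```

Run it against the real `~/.ssh/id_rsa.pub` line of the user who will log in; a key that fails the check should not be installed with the PKI commands at all.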
Related Commands
  no   Removes the RSA key from the service

7.2.19 sensor-server
Device Config Commands

Configures an AirDefense sensor server resource for client terminations and WIPS event logging. This is the server that supports WIPS events on behalf of the controller or service platform.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

Parameters
  sensor-server <1-3> ip <IP/HOSTNAME> {port [443|<1-65535>]}

  sensor-server <1-3>      Sets a numerical index to differentiate this AirDefense sensor server from other servers. A maximum of 3 (three) sensor server resources can be defined.
  ip <IP/HOSTNAME>         Configures the AirDefense sensor server's IP address or hostname
    <IP/HOSTNAME>          Specify the IP address or hostname.
  port [443|<1-65535>]     Optional. Configures the port. The options are:
    443                    The default port used by the AirDefense server. This is the default setting.
    <1-65535>              Manually sets the port number of the AirDefense server from 1 - 65535

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#sensor-server 1 ip 172.16.10.7
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 rsa-key ssh rsa-key1
 location SanJose
 no contact
 country-code us
 sensor-server 1 ip 172.16.10.7
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
  no   Removes the configured sensor server settings

7.2.20 timezone
Device Config Commands

Configures the device's timezone.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  timezone <TIMEZONE>

Parameters
  timezone <TIMEZONE>

  timezone <TIMEZONE>   Configures the device's timezone

Example

rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#timezone Etc/UTC
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#show context
ap71xx 00-04-96-4A-A7-08
 use profile default-ap71xx
 use rf-domain default
 hostname TechPubAP7131
 floor 5thfloor
 layout-coordinates 1.0 2.0
 license AP aplicenseley@1234 aplicensekey@123
 rsa-key ssh rsa-key1
 location SanJose
 no contact
 timezone Etc/UTC
 stats open-window 2 sample-interval 77 size 10
 country-code us
 sensor-server 1 ip 172.16.10.7
 channel-list 2.4GHz 1,2
 override-wlan test vlan-pool 8
 mac-name 00-04-96-4A-A7-08 5.8TestAP
 neighbor-info-interval 50
rfs7000-37FABE(config-device-00-04-96-4A-A7-08)#
Related Commands
  no   Removes the device's configured timezone

7.2.21 trustpoint (device-config-mode)
Device Config Commands

Assigns trustpoints to validate various services, such as HTTPS, RADIUS CA, RADIUS server, external LDAP server, etc. For more information on digital certificates and certificate authorities, see trustpoint (profile-config-mode).

NOTE: Certificates/trustpoints used in this command should be verifiable as existing on the device.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8232, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>

Parameters
  trustpoint [cloud-client|cmp-auth-operator|https|radius-ca|radius-ca-ldaps|radius-server|radius-server-ldaps] <TRUSTPOINT-NAME>

  trustpoint             Assigns trustpoints to validate various services. The assigned trustpoint is used as the CA for validating the services.
  cloud-client           Assigns a trustpoint to validate the cloud client. Use this option on cloud-enabled, cloud-adopted access points to secure the communication between the cloud AP and the cloud client. The trustpoint should already exist and be installed on the AP. The cloud-enabled access points are AP7502, AP7522, AP7532, and AP7562. For local-controller adopted APs, this configuration is not required.
  cmp-auth-operator      Assigns an existing trustpoint to validate the CMP auth operator. Once validated, CMP is used to obtain and manage digital certificates in a PKI network. Digital certificates link identity information with a public key enclosed within the certificate, and are issued by the CA. Use this command to specify the CMP-assigned trustpoint. When specified, devices send a certificate request to the CMP-supported CA server and download the certificate directly from the CA server. CMP supports multiple request options for a device communicating with a CMP-supported CA server: the device can initiate a request to get certificates from the server, and it can also auto-update certificates that are about to expire.
                         Note: When configured, this cmp-auth-operator trustpoint setting overrides the profile-level configuration.
  https                  Assigns an existing trustpoint to validate HTTPS
  radius-ca              Assigns an existing trustpoint to validate client certificates in EAP
  radius-ca-ldaps        Assigns an existing trustpoint to validate the external LDAP server
  radius-server          Assigns an existing trustpoint to validate the RADIUS server certificate
  radius-server-ldaps    Assigns an existing trustpoint as the RADIUS server certificate used to validate the LDAP server

  The following keyword is common to all of the above parameters:

  <TRUSTPOINT-NAME>      After selecting the service to validate, specify the trustpoint name (it should already exist and be stored on the device).
                         Note: By default, the system assigns default-trustpoint to validate https, radius-server, and radius-server-ldaps.

Example

A device's default HTTPS, RADIUS, and CMP certificate/trustpoint configuration is as follows:

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include trustpoint
trustpoint https default-trustpoint
no trustpoint radius-ca
trustpoint radius-server default-trustpoint
no trustpoint radius-ca-ldaps
trustpoint radius-server-ldaps default-trustpoint
no trustpoint cmp-auth-operator
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#trustpoint https test
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context include-factory | include trustpoint
trustpoint https test
no trustpoint radius-ca
trustpoint radius-server default-trustpoint
no trustpoint radius-ca-ldaps
trustpoint radius-server-ldaps default-trustpoint
no trustpoint cmp-auth-operator
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
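The `show context include-factory | include trustpoint` output above is exactly what an audit script should read when checking a fleet: every service still bound to default-trustpoint is presenting the factory certificate, and `no trustpoint radius-ca` means EAP client certificates have nothing to be validated against. The script below is an added example, not part of the CLI reference; it parses that output (copied from the guide's example, before and after `trustpoint https test`) and reports both conditions. Which services must not remain on the factory trustpoint, and which CA slots must be filled, are this example's policy choices rather than WiNG defaults.

```python
"""Audit trustpoint assignments from 'show context include-factory | include trustpoint' output."""
import re

SERVICES = ("cloud-client", "cmp-auth-operator", "https", "radius-ca",
            "radius-ca-ldaps", "radius-server", "radius-server-ldaps")

# Matches 'trustpoint <service> <name>' and the negated 'no trustpoint <service>' form.
LINE_RE = re.compile(r"^\s*(no\s+)?trustpoint\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_trustpoints(output: str) -> dict:
    """Map each service to its assigned trustpoint name, or None when unset."""
    assigned = {svc: None for svc in SERVICES}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompt lines and anything the filter let through
        negated, service, name = m.group(1), m.group(2), m.group(3)
        if service not in assigned:
            continue
        assigned[service] = None if negated else name
    return assigned


def audit(output: str, factory_default: str = "default-trustpoint",
          must_be_custom=("https", "radius-server", "radius-server-ldaps"),
          must_be_set=("radius-ca",)) -> list:
    """Findings: services still on the factory trustpoint, and CA slots left empty."""
    tp = parse_trustpoints(output)
    findings = []
    for svc in must_be_custom:
        if tp[svc] == factory_default:
            findings.append(f"{svc}: still uses {factory_default}; assign a CA-issued trustpoint")
    for svc in must_be_set:
        if tp[svc] is None:
            findings.append(f"{svc}: no trustpoint assigned; EAP client certificates cannot be validated")
    return findings


# Device output copied from the guide's example, before and after 'trustpoint https test'.
BEFORE = """\
trustpoint https default-trustpoint
no trustpoint radius-ca
trustpoint radius-server default-trustpoint
no trustpoint radius-ca-ldaps
trustpoint radius-server-ldaps default-trustpoint
no trustpoint cmp-auth-operator
"""
AFTER = BEFORE.replace("trustpoint https default-trustpoint", "trustpoint https test")

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label)
        for finding in audit(text):
            print("  -", finding)
```

Feed it the captured output of each device (the filter already strips everything but trustpoint lines), and treat any finding on https as a priority: that is the certificate the management UI presents to administrators.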
7.2.22 raid
Device Config Commands

Enables the chassis alarm that sounds when events are detected that degrade RAID support (drive content mirroring) on a service platform.

The NX95XX (NX9500 and NX9510) series service platforms include a single Intel MegaRAID controller (virtual drive) with RAID-1 mirroring support enabled. The online virtual drive supports up to two physical drives that could require hot spare substitution if a drive were to fail. The WiNG software allows you to manage the RAID controller event alarm and syslogs supporting the array hardware from the service platform user interface without rebooting the service platform BIOS. Although RAID controller drive arrays are available only on the NX95XX series service platforms, they can be administered on behalf of an NX95XX profile by a different model service platform or wireless controller.

Supported in the following platforms:
  Service Platforms: NX7530, NX9500, NX9510, NX9600

Syntax
  raid alarm enable

Parameters
  raid alarm enable

  alarm enable   Enables the audible alarm, which is triggered when a RAID drive fails. Once triggered, the alarm can be silenced by executing the raid > silence command in the device's Priv Exec mode.

Example

nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#raid alarm enable
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#show context
nx9000 B4-C7-99-6C-88-09
 use profile default-nx9000
 use rf-domain default
 hostname nx9500-6C8809
 ip default-gateway 192.168.13.2
 interface ge1
  switchport mode access
  switchport access vlan 1
 interface vlan1
  ip address 192.168.13.13/24
 logging on
 logging console warnings
 logging buffered warnings
 raid alarm enable
nx9500-6C8809(config-device-B4-C7-99-6C-88-09)#
Related Commands
  no   Disables the RAID alarm

7.3 T5 Profile Config Commands

A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS wireless controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. The Customer Premises Equipment (CPEs) are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism, using the CPE's physical wallplate connection and phone jack.

To navigate to this instance, use the following commands:

<DEVICE>(config-profile-<PROFILE-NAME>)#?
T5 Profile Mode commands:
  cpe             T5 CPE configuration
  interface       Select an interface to configure
  ip              Internet Protocol (IP)
  no              Negate a command or set its defaults
  ntp             Configure NTP
  override-wlan   Configure RF Domain level overrides for wlan
  t5              T5 configuration
  t5-logging      Modify message logging facilities
  use             Set setting to use

  clrscr          Clears the display screen
  commit          Commit all changes made in this session
  do              Run commands from Exec mode
  end             End current mode and change to EXEC mode
  exit            End current mode and down to previous mode
  help            Description of the interactive help system
  revert          Revert changes
  service         Service Commands
  show            Show running system information
  write           Write running configuration to memory or terminal

<DEVICE>(config-profile-<PROFILE-NAME>)#

The following table summarizes T5 profile configuration mode commands:
  Command         Description                                                                                      Reference
  cpe             Configures T5 CPE related settings (IP address range and VLAN)                                   page 7-495
  interface       Configures the T5 controller's interfaces                                                        page 7-497
  ip              Configures the default gateway's IP address                                                      page 7-499
  no              Removes or reverts this T5 controller profile's settings                                         page 7-500
  ntp             Configures the NTP server associated with this T5 profile                                        page 7-501
  override-wlan   Configures the RF Domain level overrides applied to a WLAN on this T5 profile                    page 7-502
  t5              Configures this T5 controller's country of operation                                             page 7-503
  t5-logging      Configures a maximum of 5 (five) remote hosts capable of receiving syslog messages from this selected T5 controller   page 7-504
  use             Defines this T5 profile's management settings                                                    page 7-505

7.3.1 cpe
T5 Profile Config Commands

Configures T5 CPE related settings. This command is available in both the T5 profile and T5 device contexts.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  T5 Profile & T5 Device Context
    cpe [address|led]
    cpe address vlan <1-4094> <START-IP> <END-IP>
    cpe led cpe <cpe1-24>

  The following commands are specific to the T5 device context:
    cpe [boot|reload|upgrade]
    cpe boot system <cpe1-24> <primary|secondary>
    cpe reload <cpe1-24>
    cpe <cpe1-24> upgrade <IMAGE-LOCATION>

Parameters
  cpe address vlan <1-4094> <START-IP> <END-IP>

  cpe address              Configures the range of addresses that can be assigned to adopted CPEs
    vlan <1-4094>          Configures the VLAN assigned to the CPEs managed by this T5 controller
    <START-IP> <END-IP>    Configures the range of IP addresses that can be assigned to the CPEs managed by this T5 controller
      <START-IP>           Specify the first IP address in the range.
      <END-IP>             Specify the last IP address in the range.

  cpe led cpe <cpe1-24>

  cpe led                  Enables flashing of LEDs on the specified CPEs
    cpe <cpe1-24>          Identifies the CPE(s) on which the operation is performed
      <cpe1-24>            Specify the CPE ID from cpe1 - cpe24. To enable LED flashing on all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4 and 5 are adopted and ready, enter cpe1-5.

  cpe boot system <cpe1-24> <primary|secondary>

  cpe boot system          Changes the image used by a CPE to boot. When reloading, the CPE uses the specified image.
    <cpe1-24>              Identifies the CPE(s) on which the operation is performed. Specify the CPE ID from cpe1 - cpe24. To apply the setting to all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4 and 5 are adopted and ready, enter cpe1-5.
    <primary|secondary>    Select the next boot image
      primary              Uses the primary image when reloading
      secondary            Uses the secondary image when reloading

  cpe reload <cpe1-24>

  cpe reload               Reloads all or specified CPEs
    <cpe1-24>              Identifies the CPE(s) to reload. Specify the CPE ID from cpe1 - cpe24. To reload all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4 and 5 are adopted and ready, enter cpe1-5.

  cpe <cpe1-24> upgrade <IMAGE-LOCATION>

  cpe <cpe1-24>            Upgrades all or specified CPEs
    <cpe1-24>              Identifies the CPE(s) to upgrade. Specify the CPE ID from cpe1 - cpe24. To upgrade all adopted CPEs, enter cpe1-X, where X is the total number of adopted CPEs. For example, if CPEs 1, 2, 3, 4 and 5 are adopted and ready, enter cpe1-5.
    upgrade <IMAGE-LOCATION>   Uses the image specified here to upgrade the identified CPEs
      <IMAGE-LOCATION>     Specify the firmware image location using one of the following options:
                             path/file
                             tftp://<IP>/path/file
                             ftp://<user>:<passwd>@<IP>/path/file
                           Note that the ftp:// form embeds the account password in the command, and FTP sends it across the network in clear text; a local path/file copy avoids both.

Example

nx9500-6C8809(config-profile-T5TestProfile)#cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 interface fe 5 2
 ..........................................................................
 interface radio 11 1
 interface fe 9 2
 interface radio 18 1
 interface fe 9 1
 use firewall-policy default
 service pm sys-restart
 cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
7.3.2 interface
T5 Profile Config Commands

Configures the T5 controller's interfaces.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  interface [<WORD>|dsl|fe|ge|radio|vlan]
  interface [<WORD>|dsl <1-24>|fe <1-24> <1-2>|ge <1-2>|radio <1-24> <1-2>|vlan <1-4094>]

Parameters
  interface [<WORD>|dsl <1-24>|fe <1-24> <1-2>|ge <1-2>|radio <1-24> <1-2>|vlan <1-4094>]

  <WORD>               Configures the interface identified by the <WORD> keyword
  dsl <1-24>           Configures the specified DSL interface. A T5 controller uses the IPX operating system to manage its connected radio devices, as opposed to the WiNG operating system used by controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. The CPEs are the T5 controller managed radio devices using the IPX operating system. These CPEs use DSL as their high speed Internet access mechanism, using the CPE's physical wallplate connection and phone jack.
    <1-24>             Specify the DSL port index from 1 - 24.
  fe <1-24> <1-2>      Configures the specified FastEthernet interface. The T5 controller has the following FastEthernet port designations: fe1-fe2 (fe1-fe2 are for up to 24 CPE devices managed by a T5 controller).
    <1-24>             Specify the DSL port index from 1 - 24.
    <1-2>              Specify the FastEthernet interface to configure. In the FastEthernet interface configuration mode, specify the interface settings.
  ge <1-2>             Configures the specified GigabitEthernet interface. T5 controllers have two Ethernet port designations, ge1 and ge2. The GE ports can be RJ-45 or fiber ports supporting 10/100/1000Mbps.
    <1-2>              Specify the interface index from 1 - 2. In the GigabitEthernet interface configuration mode, specify the interface settings.
  radio <1-24> <1-2>   Configures the specified radio interface. T5 controller managed CPE device radios can have their radio configurations overridden once their radios have successfully associated and have been provisioned by the adopting controller, service platform, or peer model AP controller access point.
    <1-24>             Specify the radio interface index from 1 - 24.
    <1-2>              Allows the second radio to be specified as a radio interface. For example, this is interface radio X Y, where X is the DSL line number and Y is the radio interface number.
  vlan <1-4094>        Configures the specified VLAN interface. Once configured, the VLAN interface provides layer 3 (IP) T5 controller access or provides layer 3 service on a VLAN. The VLAN interface defines which IP address is associated with each VLAN ID a T5 controller is connected to. A VLAN interface is created for the default VLAN (VLAN 1) to enable remote administration. This interface is also used to map VLANs to IPv4 and IPv6 formatted IP address ranges. This mapping determines the destination for routing.
    <1-4094>           Specify the VLAN interface index from 1 - 4094. In the VLAN configuration mode, specify the interface's primary IP address in the A.B.C.D/M format. Optionally specify the secondary IP address.

Example

rfs7000-37FABE(config-profile-t5Profile)#interface dsl 1
rfs7000-37FABE(config-profile-t5Profile-if-dsl1)#?
Interface configuration commands:
  description        Port description
  ds-interleaver     Enable impulse noise protection in the downstream direction
  ds-max-datarate    Configure maximum allowed downstream rate for the interface
  ds-min-margin      Configure the minimum downstream signal-to-noise (SNR) ratio margin
  ds-target-margin   Configure the desired downstream signal-to-noise (SNR) ratio margin
  duplex             Set duplex to interface
  flowcontrol        Set flowcontrol to interface
  line-power         Use the line-power command to apply power to the interface
  no                 Negate a command or set its defaults
  qos                QOS settings
  shutdown           Shutdown the selected interface
  speed              Configure speed
  switchport         Set switching mode characteristics
  us-interleaver     Enable impulse noise protection in the upstream direction
  us-max-datarate    Configure maximum allowed upstream rate for the interface
  us-min-margin      Configure the minimum upstream signal-to-noise (SNR) ratio margin
  us-target-margin   Configure the desired upstream signal-to-noise (SNR) ratio margin

  clrscr             Clears the display screen
  commit             Commit all changes made in this session
  do                 Run commands from Exec mode
  end                End current mode and change to EXEC mode
  exit               End current mode and down to previous mode
  help               Description of the interactive help system
  revert             Revert changes
  service            Service Commands
--More--
rfs7000-37FABE(config-profile-t5Profile-if-dsl1)#
Related Commands
  no   Removes the selected interface configuration on the T5 device

7.3.3 ip
T5 Profile Config Commands

Configures the default gateway's IP address.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  ip default-gateway <IP>

Parameters
  ip default-gateway <IP>

  ip default-gateway <IP>   Enter the default gateway's IP address in the A.B.C.D format.

Example

nx9500-6C8809(config-profile-t5Profile)#ip default-gateway 192.168.13.7
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 interface fe 5 2
 interface ge 2
 interface ge 1
 interface fe 5 1
--More--
nx9500-6C8809(config-profile-t5Profile)#
7.3.4 no
T5 Profile Config Commands

Removes or reverts this T5 controller profile's settings.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  no [cpe|interface|ntp|override-wlan|t5-logging|use]
  no cpe led cpe <1-24>
  no interface vlan <2-4094>
  no ntp server <IP>
  no override-wlan <WLAN-NAME> vlan
  no t5-logging host <IP>
  no use management-policy

Parameters
  no <PARAMETERS>

  no <PARAMETERS>   Removes or reverts to default the selected T5 profile's or device's settings

Example

nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 ....................................................
 use firewall-policy default
 ntp server 192.168.13.2
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#

nx9500-6C8809(config-profile-t5Profile)#no ntp server 192.168.13.2
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 ....................................................
 use firewall-policy default
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#
7.3.5 ntp
T5 Profile Config Commands

Configures the NTP server associated with this T5 profile. T5 controllers using this profile obtain their system time from the specified NTP server resources.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  ntp server <IP>

Parameters
  ntp server <IP>

  ntp server <IP>   Specify the NTP server's IP address. You can specify a maximum of 3 (three) NTP server resources.

Example

nx9500-6C8809(config-profile-t5Profile)#ntp server 192.168.13.2
nx9500-6C8809(config-profile-t5Profile)#show context
profile t5 t5Profile
 ip default-gateway 192.168.13.7
 no autoinstall configuration
 no autoinstall firmware
 interface dsl 5
 .....................................................
 use firewall-policy default
 ntp server 192.168.13.2
 service pm sys-restart
nx9500-6C8809(config-profile-t5Profile)#
Related Commands
  no   Removes the NTP server's IP address

7.3.6 override-wlan
T5 Profile Config Commands

Use this option to configure RF Domain level overrides for a WLAN. The overrides configured here are applied to all T5 devices using this T5 profile.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  override-wlan <WLAN-NAME> vlan <1-4094>

Parameters
  override-wlan <WLAN-NAME> vlan <1-4094>

  override-wlan <WLAN-NAME>   Overrides the specified WLAN's VLAN configuration
    <WLAN-NAME>               Specify the WLAN's name.
  vlan <1-4094>               Specify the new VLAN option
    <1-4094>                  Specify the VLAN from 1 - 4094.

Example

The following example displays the WLAN SJOffWLan configuration:

nx9500-6C8809(config-wlan-SJOffWLan)#show context
wlan SJOffWLan
 description "SJ Office WLAN"
 ssid SJOffWLan
 vlan 468
 bridging-mode local
 encryption-type ccmp
 authentication-type eap-psk
 use aaa-policy test
nx9500-6C8809(config-wlan-SJOffWLan)#

The following example overrides the SJOffWLan WLAN's VLAN configuration on the T5 profile:

nx9500-6C8809(config-profile-testT5)#override-wlan SJOffWLan vlan 30
nx9500-6C8809(config-profile-testT5)#show context include-factory | include override-wlan
override-wlan SJOffWLan vlan 30
nx9500-6C8809(config-profile-testT5)#
Related Commands
  no   Removes the RF Domain level overrides applied to a WLAN on this T5 profile

7.3.7 t5
T5 Profile Config Commands

Configures this T5 controller's country of operation.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  t5 country-code <WORD>

Parameters
  t5 country-code <WORD>

  country-code <WORD>   Configures the 2 letter ISO-3166 country code for this T5 controller

Example

nx9500-6C8809(config-profile-T5TestProfile)#t5 country-code us
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
 no autoinstall configuration
 no autoinstall firmware
 interface vlan1
 interface vlan4090
 interface fe 5 2
 ..........................................................................
 interface fe 9 1
 use firewall-policy default
 service pm sys-restart
 t5 country-code US
 cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
7.3.8 t5-logging
T5 Profile Config Commands

Configures a maximum of 5 (five) remote hosts capable of receiving syslog messages from this selected T5 controller.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]

Parameters
  t5-logging host <IP> severity [error|info|notice|trace|warning] facility [local0|local1|local2|local3|local4|local5|local6|local7]

  t5-logging                 Configures syslog message logging settings
    host <IP>                Configures the external syslog remote host's IP address. This is the host dedicated to receiving T5 syslog messages.
  severity [error|info|notice|trace|warning]
                             Configures the syslog message filtering severity level. The options are:
    error                    Only forwards error and above syslog event messages
    info                     Only forwards informational and above syslog event messages
    notice                   Only forwards syslog notices relating to general device operational events. These are events that are of more interest than the info events.
    trace                    Only forwards trace routing event messages
    warning                  Only forwards warnings and above syslog event messages
  facility [local0|local1|local2|local3|local4|local5|local6|local7]
                             Configures the facility level for log messages sent to the syslog server. The facility level specifies the type of program logging the message. Specifying the facility level allows the configuration file to specify that message handling will vary with the facility type. The options are: local0, local1, local2, local3, local4, local5, local6, local7. The default value is local7.

Example

nx9500-6C8809(config-profile-T5TestProfile)#t5-logging host 192.168.13.10 severity warning facility local6
nx9500-6C8809(config-profile-T5TestProfile)#show context
profile t5 T5TestProfile
 t5-logging host 192.168.13.10 severity warning facility local6
 no autoinstall configuration
 .............................................................................
 no autoinstall firmware
 t5 country-code US
 cpe address vlan 200 192.168.13.26 192.168.13.30
nx9500-6C8809(config-profile-T5TestProfile)#
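The severity and facility keywords map directly onto the syslog PRI field (facility * 8 + severity, RFC 3164 and RFC 5424), which is what the collector at 192.168.13.10 uses to route the T5 messages, and "this severity and above" means lower severity numbers. The script below is an added example, not part of the CLI reference: it models the filter for a host configured as in the example above (severity warning, facility local6), produces the PRI each forwarded message carries, and decodes PRI values seen at the collector so the routing rule can be checked. The messages are constructed, and treating WiNG's trace level as syslog debug (7) is this example's assumption.

```python
"""Model the severity filter and facility tag of 't5-logging host <IP> severity ... facility ...'."""
import re

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "trace": 7}   # trace -> debug (7) is assumed
FACILITY = {f"local{i}": 16 + i for i in range(8)}           # local0..local7 -> 16..23
SEVERITY_NAME = {v: k for k, v in SEVERITY.items()}
FACILITY_NAME = {v: k for k, v in FACILITY.items()}


def pri(facility: str, severity: str) -> int:
    """PRI field value for a message of the given severity tagged with the given facility."""
    return FACILITY[facility] * 8 + SEVERITY[severity]


def forwards(configured: str, message_severity: str) -> bool:
    """A host configured with 'severity X' receives X and anything more urgent.
    Lower numbers are more urgent, so 'warning' passes 0..4 and drops notice, info and trace."""
    return SEVERITY[message_severity] <= SEVERITY[configured]


def relay_line(configured: str, facility: str, message_severity: str,
               hostname: str, text: str):
    """Return the RFC 3164 style line sent to the host, or None when the filter drops it."""
    if not forwards(configured, message_severity):
        return None
    return f"<{pri(facility, message_severity)}>{hostname}: {text}"


_PRI_RE = re.compile(r"^<(\d{1,3})>")


def decode_pri(line: str) -> tuple:
    """Split a received PRI back into (facility name, severity name)."""
    m = _PRI_RE.match(line)
    if m is None:
        raise ValueError("no PRI prefix")
    value = int(m.group(1))
    if value > 191:                      # 23 * 8 + 7 is the largest legal PRI
        raise ValueError("PRI out of range")
    fac, sev = divmod(value, 8)
    return FACILITY_NAME.get(fac, f"facility{fac}"), SEVERITY_NAME[sev]


# Constructed messages, run against the guide's example: severity warning, facility local6.
SAMPLE = [("error", "dsl 3 training failed"),
          ("warning", "cpe7 image mismatch"),
          ("info", "ntp sync ok")]


def relay_sample(configured: str = "warning", facility: str = "local6") -> list:
    """Lines the host at 192.168.13.10 would receive from the constructed sample."""
    out = []
    for sev, text in SAMPLE:
        line = relay_line(configured, facility, sev, "T5TestProfile", text)
        if line is not None:
            out.append(line)
    return out


if __name__ == "__main__":
    for line in relay_sample():
        print(line, "->", decode_pri(line))
```

The practical use is on the collector side: a rule that keys on facility local6 sees only PRIs 176 to 183, so a T5 message arriving under the default local7 (184 to 191) indicates a profile that never received the facility setting.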
Related Commands
  no   Removes a configured syslog host, along with its severity level and facility

7.3.9 use
T5 Profile Config Commands

Associates a management policy with this T5 profile. The specified policy is applied to all T5 controllers using this profile.

Supported in the following platforms:
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX9500, NX9510

Syntax
  use management-policy <POLICY-NAME>

Parameters
  use management-policy <POLICY-NAME>

  use management-policy <POLICY-NAME>   Associates a management policy with this T5 profile (the policy should already exist and be configured)
    <POLICY-NAME>                       Specify the management policy's name.

Example

nx9500-6C8809(config-profile-t5Profile)#use management-policy default
Trustpoints HTTPS Server and RSA keys for SSH can be configured with 'trustpoint'
and 'rsa-key' commands in device context
nx9500-6C8809(config-profile-t5Profile)#
Related Commands no Removes the management policy used with this T5 profile Access Point, Wireless Controller and Service Platform CLI Reference Guide 7 - 505 7.4 EX3524 & EX3548 Profile/Device Config Commands PROFILES PROFILES Creates a new EX3524 and EX3548 profile and enters its configuration mode. To navigate to this instance, use the following commands:
  <DEVICE>(config)#profile ex35xx <EX35XX-PROFILE-NAME>
Where ex35xx can be an EX3524 or an EX3548 device type.
  <DEVICE>(config-profile-<EX35XX-PROFILE-NAME>)#?
  EX35XX Profile Mode commands:
    interface   Select an interface to configure
    ip          Internet Protocol (IP)
    no          Negate a command or set its defaults
    power       EX3500 Power over Ethernet Command
    upgrade     Configures upgrade option for ex3500 system
    use         Set setting to use

    clrscr      Clears the display screen
    commit      Commit all changes made in this session
    do          Run commands from Exec mode
    end         End current mode and change to EXEC mode
    exit        End current mode and down to previous mode
    help        Description of the interactive help system
    revert      Revert changes
    service     Service Commands
    show        Show running system information
    write       Write running configuration to memory or terminal
  <DEVICE>(config-profile-<EX35XX-PROFILE-NAME>)#
The following table summarizes EX3524 and EX3548 profile/device configuration mode commands:
  Command     Description                                                                              Reference
  interface   Selects an interface type and enters the selected interface's configuration mode         page 7-507
  ip          Configures the default gateway through which this EX35XX switch can reach other subnets  page 7-527
  power       Enables power inline compatibility mode on this EX35XX profile                           page 7-528
  upgrade     Configures adopted EX35XX switch upgrade settings                                        page 7-529
  use         Applies an EX3500 management policy to this EX35XX profile                               page 7-530
  no          Removes or reverts this EX35XX profile's settings                                        page 7-531

7.4.1 interface
This command selects an interface type and enters the selected interface's configuration mode. The EX35XX switch has GE and VLAN interfaces. Select the interface type and provide the interface ID to enter its configuration mode.

  Command                          Description                                                                        Reference
  interface                        Selects an interface type and enters the selected interface's configuration mode   page 7-508
  interface-ge-config commands     Summarizes GE interface configuration mode commands                                page 7-510
  interface-vlan-config commands   Summarizes VLAN interface configuration mode commands                              page 7-523

7.4.1.1 interface
Selects the EX35XX interface type and enters the selected interface's configuration mode

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  interface [ge 1 <1-48>|vlan <1-4094>]

Parameters
  interface [ge 1 <1-48>|vlan <1-4094>]
    Selects the EX35XX interface type and enters its configuration mode. The interface options available are GE and VLAN.
    ge 1 <1-48>     Selects a GE interface to configure
      1             Configures the GE interface unit identifier as 1
      <1-48>        Configures the physical port number from 1 - 24/48
                    Note: For the EX3524 model switch the GE port range is 1-24, and for the EX3548 it is 1-48.
    vlan <1-4094>   Selects a VLAN interface to configure
      <1-4094>      Specify the VLAN interface ID from 1 - 4094.

Example
  nx4500-5CFA8E(config-profile-testEX35XX)#interface vlan 1
  nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#?
  commands:
    ip        Internet Protocol (IP)
    no        Negate a command or set its defaults

    clrscr    Clears the display screen
    commit    Commit all changes made in this session
    do        Run commands from Exec mode
    end       End current mode and change to EXEC mode
    exit      End current mode and down to previous mode
    help      Description of the interactive help system
    revert    Revert changes
    service   Service Commands
    show      Show running system information
    write     Write running configuration to memory or terminal
  nx4500-5CFA8E(config-profile-testEX35XX-if-vlan1)#

  nx4500-5CFA8E(config-profile-testEX35XX)#interface ge 1 1
  nx4500-5CFA8E(config-profile-testEX35XX-if-ge1-1)#?
  commands:
    access-group   Access group to bind a port to an ACL name
    no             Negate a command or set its defaults
    port           Configures the characteristics of the port
    power          EX3500 Power over Ethernet Command
    shutdown       Shutdown the selected interface
    speed-duplex   Configures speed and duplex operation
    switchport     Configures switch mode characteristics
    use            Set setting to use

    clrscr         Clears the display screen
    commit         Commit all changes made in this session
    do             Run commands from Exec mode
    end            End current mode and change to EXEC mode
    exit           End current mode and down to previous mode
    help           Description of the interactive help system
    revert         Revert changes
    service        Service Commands
    show           Show running system information
    write          Write running configuration to memory or terminal
  nx4500-5CFA8E(config-profile-testEX35XX-if-ge1-1)#

Related Commands
  no                               Removes this interface's (GE/VLAN) settings from the EX35XX profile or device
  interface-ge-config commands     Summarizes GE interface configuration mode commands
  interface-vlan-config commands   Summarizes VLAN interface configuration mode commands

7.4.1.2 interface-ge-config commands
The following table lists the EX35XX GE interface configuration mode commands:
  Command        Description                                                                                                                            Reference
  access-group   Binds an EX3500 ACL to the selected port                                                                                               page 7-511
  port           Enables port monitoring on the selected port                                                                                           page 7-512
  power          Turns power on or off for the selected port                                                                                            page 7-514
  shutdown       Shuts down the selected port                                                                                                           page 7-516
  speed-duplex   Configures the speed and duplex mode of the selected port when auto-negotiation is disabled. Auto-negotiation is enabled by default.   page 7-517
  switch-port    Configures the switch mode characteristics of the selected port                                                                        page 7-518
  use            Applies an EX3500 QoS policy map to the selected port                                                                                  page 7-520
  no             Removes or reverts the selected port's settings                                                                                        page 7-521

7.4.1.2.1 access-group
Binds an EX3500 ACL to the selected port. When applied to the port, the ACL takes effect. Only one ACL can be bound to a port at a time. If you bind a new ACL to a port with an existing ACL binding, the old binding is replaced with the new one.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}

Parameters
  access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in {time-range <TIME-RANGE-NAME>}
    Binds an EX3500 ACL to this GE port. Select the ACL type and specify the ACL name. The ACL should be existing and configured.
    ex3500-ext-access-list <ACL-NAME>   Binds an existing and configured EX3500 extended ACL
      <ACL-NAME>                        Specify the ACL name.
    ex3500-std-access-list <ACL-NAME>   Binds an existing and configured EX3500 standard ACL
      <ACL-NAME>                        Specify the ACL name.
    mac-access-list <ACL-NAME>          Binds an existing and configured EX3500 MAC ACL
      <ACL-NAME>                        Specify the MAC ACL name.
    in                                  Applies the specified ACL to all incoming packets
    time-range <TIME-RANGE-NAME>        Optional. Associates an EX3500 absolute or periodic time range with this access group. The specified ACL is bound to the port only during the time period specified by the associated time range.
      <TIME-RANGE-NAME>                 Specify the time range name (should be existing and configured).

Example
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
  no   Removes the GE port EX3500 ACL binding

7.4.1.2.2 port
Enables port monitoring on the selected port. This allows the port to monitor specified ports and/or MAC address(es). When enabled, the switch sends a copy of the network packets seen on the specified switch port (or VLAN interface) to the monitoring switch port. These packets are analyzed and debugged to provide vital information, such as network performance, intrusion alerts, etc.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  port monitor [ethernet|ex3500-ext-access-list|ex3500-std-access-list|mac-access-list|mac-address|vlan]
  port monitor ethernet 1 <1-52> {both|rx|tx}
  port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>
  port monitor mac-address <MAC>
  port monitor vlan <1-4094>

Parameters
  port monitor ethernet 1 <1-52> {both|rx|tx}
    port           Configures the characteristics of this GE port
    monitor        Enables monitoring of another port
    ethernet 1     Selects the Ethernet interface and configures the port identifier as 1
      <1-52>       Configures the Ethernet unit number from 1 - 52
    {both|rx|tx}   After specifying the port, optionally configure one of the following:
      both         Optional. Monitors both incoming and outgoing traffic
      rx           Optional. Monitors only incoming traffic
      tx           Optional. Monitors only outgoing traffic

  port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>
    port           Configures the characteristics of this GE port
    monitor        Enables monitoring of another port
    After specifying the port, apply one of the following ACLs:
      ex3500-ext-access-list   Applies an EX3500 extended ACL
      ex3500-std-access-list   Applies an EX3500 standard ACL
      mac-access-list          Applies a MAC ACL with EX3500 deny or permit rules
    <ACL-NAME>     Specify the ACL name (should be existing and configured).

  port monitor mac-address <MAC>
    port                Configures the characteristics of this GE port
    monitor             Enables monitoring of another port
    mac-address <MAC>   Configures the MAC address to monitor
      <MAC>             Specify the MAC address in the AA-BB-CC-DD-EE-FF format.

  port monitor vlan <1-4094>
    port            Configures the characteristics of this GE port
    monitor         Enables monitoring of another port
    vlan <1-4094>   Configures the VLAN interface to monitor
      <1-4094>      Specify the VLAN ID from 1 - 4094.

Example
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
  no   Disables port monitoring on the selected port and removes the settings

7.4.1.2.3 power
Enables power allocation to the selected port. When enabled, power is allocated to this port. Use the command to configure the power allocation settings, such as the maximum power allocated, the priority level of this port for power allocation, and the time range within which these power settings are applied. This option is enabled by default.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  power inline {maximum|priority|time-range}
  power inline {maximum allocation milliwatts <3000-34200>}
  power inline {priority [critical|high|low]}
  power inline {time-range <TIME-RANGE-NAME>}

Parameters
  power inline {maximum allocation milliwatts <3000-34200>}
    power inline                                 Turns power on or off for the selected port. This option is enabled by default.
    maximum allocation milliwatts <3000-34200>   Optional. Configures the maximum power allocation, in milliwatts, for this port
      <3000-34200>                               Specify a value from 3000 - 34200 milliwatts. The default is 34200 milliwatts.

  power inline {priority [critical|high|low]}
    power inline                   Turns power on or off for the selected port. This option is enabled by default.
    priority [critical|high|low]   Optional. Configures the PoE power priority as:
      critical                     Configures the PoE power priority as critical
      high                         Configures the PoE power priority as high
      low                          Configures the PoE power priority as low (this is the default setting)

  power inline {time-range <TIME-RANGE-NAME>}
    power inline                   Turns power on or off for the selected port. This option is enabled by default.
    time-range <TIME-RANGE-NAME>   Optional. Binds an EX3500 time range to this port
      <TIME-RANGE-NAME>            Specify the time range name (should be existing and configured).

Example
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#power inline maximum allocation milliwatts 30000
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#power inline priority critical
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#power inline time-range EX3500_TimeRange_01
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   power inline maximum allocation milliwatts 30000
   power inline priority critical
   power inline time-range EX3500_TimeRange_01
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
  no   Disables power allocation to the selected port

7.4.1.2.4 shutdown
Shuts down the selected port

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  shutdown

Parameters
  None

Example
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#shutdown
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   shutdown
   power inline maximum allocation milliwatts 30000
   power inline priority critical
   power inline time-range EX3500_TimeRange_01
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
  no   Brings up a shutdown port

7.4.1.2.5 speed-duplex
Configures the speed and duplex mode of the selected port when auto-negotiation is disabled. Auto-negotiation is enabled by default, so this option is disabled by default.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  speed-duplex [100full|100half|10full|10half]

Parameters
  speed-duplex [100full|100half|10full|10half]
    Configures the speed and duplex mode of the selected port to one of the following modes:
      100full   Forces 100 Mbps full-duplex operation
      100half   Forces 100 Mbps half-duplex operation
      10full    Forces 10 Mbps full-duplex operation
      10half    Forces 10 Mbps half-duplex operation
    When configured, forces the switch to operate at the specified speed and mode.

Example
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#speed-duplex 100half
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   shutdown
   speed-duplex 100half
   power inline maximum allocation milliwatts 30000
   power inline priority critical
   power inline time-range EX3500_TimeRange_01
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
  no   Removes the speed and duplex settings configured for this EX35XX profile

7.4.1.2.6 switch-port
Configures the switch mode characteristics of the selected port

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  switchport [allowed|l2protocol-tunnel|mode|native]
  switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]
  switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]
  switchport mode [access|hybrid|trunk]
  switchport native vlan <1-4094>

Parameters
  switchport allowed [add <VLAN-ID>|none|remove <VLAN-ID>]
    Configures VLAN groups on the selected interface.
    add <VLAN-ID>      Configures the list of VLAN identifiers to add. When the add option is used, the interface is assigned to the specified VLANs, and membership in all previous VLANs is retained.
      <VLAN-ID>        Specify the list of VLANs to add.
    none               Removes all VLANs from the current list
    remove <VLAN-ID>   Configures the list of VLAN identifiers to remove. When the remove option is used, the specified VLANs are removed from the current list.
      <VLAN-ID>        Specify the list of VLANs to remove.

  switchport l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]
    Enables layer 2 protocol tunneling (L2PT) for the specified protocol. Specify the protocol:
      cdp             Cisco Discovery Protocol
      lldp            Link Layer Discovery Protocol
      pvst+           Cisco Per VLAN Spanning Tree Plus
      spanning-tree   Spanning Tree (STP, RSTP, MSTP)
      vtp             Cisco VLAN Trunking Protocol
    L2PT is disabled for all of the above protocols by default.

  switchport mode [access|hybrid|trunk]
    Configures the VLAN membership mode for this port
      access   The port is configured as an access VLAN interface. It transmits and receives untagged frames on a single VLAN.
      trunk    Configures the selected port as an end-point for a VLAN trunk. A trunk link is configured between two switches, and it carries frames on more than one VLAN. These frames are tagged in order to identify the source VLAN. Frames belonging to the port's default VLAN are also transmitted as tagged frames.
      hybrid   Configures the selected port as a hybrid VLAN interface. When configured as hybrid, the port can transmit either tagged or untagged frames. This is the default setting.

  switchport native vlan <1-4094>
    Configures the VLAN membership mode for this port
    native vlan <1-4094>   Configures the port's VLAN ID (PVID), which is the port's default VLAN ID. Frames from the specified VLAN ingress untagged at this port. The default value is 1. When using access mode, and an interface is assigned to a new VLAN, the port's VLAN ID (PVID) is automatically set to the identifier for that VLAN. When using hybrid mode, the PVID for an interface can be set to any VLAN for which it is an untagged member.

Example
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#switchport mode access
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   shutdown
   speed-duplex 100half
   switchport mode access
   power inline maximum allocation milliwatts 30000
   power inline priority critical
   power inline time-range EX3500_TimeRange_01
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
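The following Python is an added example, not code from the CLI guide or from the WiNG product. It models the switchport rules stated in the parameter table above as a small state machine: `allowed add` retains previous membership, `allowed none` clears it, `allowed remove` drops the listed VLANs, access mode carries a single VLAN and moves the PVID onto it, and in hybrid mode the PVID must be a VLAN the port belongs to. The comma and range syntax for the VLAN list, the initial membership of VLAN 1, and rejecting more than one VLAN on an access port are this example's own assumptions, since the guide only says "list of VLAN identifiers" and "a single VLAN". Tagged versus untagged membership is not modelled.

```python
"""State model of the EX35XX switchport allowed/mode/native commands.

Added example (not from the CLI guide).  Useful for checking a planned set of
port commands for rule violations before they are committed to a profile.
"""
import re


class SwitchPort:
    def __init__(self):
        self.mode = "hybrid"    # guide: hybrid is the default setting
        self.pvid = 1           # guide: default native VLAN ID is 1
        self.allowed = {1}      # assumption: starts as a member of VLAN 1

    @staticmethod
    def parse_vlan_list(spec):
        """'10,20-22' -> {10, 20, 21, 22}.  Comma/range syntax is assumed."""
        vlans = set()
        for part in spec.split(","):
            if "-" in part:
                lo, hi = (int(x) for x in part.split("-", 1))
                vlans.update(range(lo, hi + 1))
            else:
                vlans.add(int(part))
        bad = sorted(v for v in vlans if not 1 <= v <= 4094)
        if bad:
            raise ValueError("VLAN id out of range 1-4094: %s" % bad)
        return vlans

    def apply(self, command):
        """Apply one `switchport ...` command; returns self for chaining."""
        if command == "switchport allowed none":
            self.allowed.clear()               # removes all VLANs from the list
            return self._settle()
        m = re.fullmatch(r"switchport allowed (add|remove) (\S+)", command)
        if m:
            vlans = self.parse_vlan_list(m.group(2))
            if m.group(1) == "add":
                self.allowed |= vlans          # previous membership is retained
            else:
                self.allowed -= vlans
            return self._settle()
        m = re.fullmatch(r"switchport mode (access|hybrid|trunk)", command)
        if m:
            self.mode = m.group(1)
            return self._settle()
        m = re.fullmatch(r"switchport native vlan (\d+)", command)
        if m:
            vid = int(m.group(1))
            if self.mode == "hybrid" and vid not in self.allowed:
                # guide: hybrid PVID must be a VLAN the port is a member of
                raise ValueError("PVID %d is not a VLAN this port belongs to" % vid)
            self.pvid = vid
            return self._settle()
        raise ValueError("unsupported command: %r" % command)

    def _settle(self):
        """Access-mode rule from the guide: one VLAN, and the PVID follows it.
        Rejecting a second VLAN on an access port is this example's reading."""
        if self.mode == "access":
            if len(self.allowed) > 1:
                raise ValueError("an access port carries a single VLAN: %s"
                                 % sorted(self.allowed))
            if len(self.allowed) == 1:
                self.pvid = next(iter(self.allowed))
        return self

    def state(self):
        return {"mode": self.mode, "pvid": self.pvid,
                "allowed": sorted(self.allowed)}


if __name__ == "__main__":
    port = SwitchPort()
    for cmd in ("switchport allowed none", "switchport allowed add 20",
                "switchport mode access"):
        port.apply(cmd)
    print(port.state())   # access port on VLAN 20, PVID 20
```

Running the three commands in the block's main section reproduces the guide's statement that an access port assigned to a new VLAN gets that VLAN as its PVID; a `switchport native vlan 30` on a hybrid port that is not a member of VLAN 30 raises instead of silently producing a port whose untagged frames land in an unexpected VLAN.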
Related Commands
  no   Removes the selected port's switchport characteristics

7.4.1.2.7 use
Applies an EX3500 QoS policy map to the selected port

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME> in

Parameters
  use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME> in
    use ex3500-policy-map <EX3500-QoS-POLICY-MAP-NAME>   Applies an EX3500 QoS policy map to the selected port
      <EX3500-QoS-POLICY-MAP-NAME>                       Specify the EX3500 QoS policy map name (should be existing and configured)
    in                                                   Applies the specified policy to traffic ingressing at the selected port.

Example
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#use ex3500-policy-map in test
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   shutdown
   speed-duplex 100half
   switchport mode access
   use ex3500-policy-map in test
   power inline maximum allocation milliwatts 30000
   power inline priority critical
   power inline time-range EX3500_TimeRange_01
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

Related Commands
  no   Disassociates the EX3500 QoS policy map linked to this EX3500 profile

7.4.1.2.8 no
Removes or reverts the selected port's settings

Supported in the following platforms:
  Switches: EX3524, EX3548

Syntax
  no [access-group|port|power|shutdown|speed-duplex|switchport|use]
  no access-group [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME> in
  no port monitor [ethernet|ex3500-ext-access-list|ex3500-std-access-list|mac-access-list|mac-address|vlan]
  no port monitor ethernet 1 <1-52>
  no port monitor [ex3500-ext-access-list|ex3500-std-access-list|mac-access-list] <ACL-NAME>
  no port monitor mac-address <MAC>
  no port monitor vlan <1-4094>
  no power inline {maximum allocation|priority|time-range}
  no shutdown
  no speed-duplex
  no switchport [l2protocol-tunnel [cdp|lldp|pvst+|spanning-tree|vtp]|native vlan]
  no use ex3500-policy-map in

Parameters
  no <PARAMETERS>
    Removes or reverts the selected port's settings based on the parameters passed

Example
The following example shows the EX3524 profile's GE port 20 settings before the no commands are executed:
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   shutdown
   speed-duplex 100half
   switchport mode access
   use ex3500-policy-map in test
   power inline maximum allocation milliwatts 30000
   power inline priority critical
   power inline time-range EX3500_TimeRange_01
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#

  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no shutdown
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no power inline maximum allocation
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#no use ex3500-policy-map in

The following example shows the EX3524 profile's GE port 20 settings after the no commands are executed:
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#show context
  interface ge 1 20
   speed-duplex 100half
   switchport mode access
   power inline maximum allocation milliwatts 32400
   power inline priority critical
   power inline time-range EX3500_TimeRange_01
   access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
   port monitor vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-ge1-20)#
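The following Python is an added example, not code from the CLI guide or from the WiNG product. It reads a GE interface block in the `show context` form used throughout the access-group, port, power, shutdown, speed-duplex and no sections above and reports the settings that change what the port filters or copies: an ACL whose binding is limited by a time range (per the access-group section, the ACL is bound only during that range), a port that receives mirrored traffic (per the port section), no ACL at all, a forced speed-duplex (auto-negotiation disabled) and an administratively shut-down port. The severity labels are this example's own; the sample block is copied from the "before" output above.

```python
"""Audit one EX35XX GE interface block from `show context` output.

Added example (not from the CLI guide).  Intended for reviewing profile
configuration pulled from a controller, e.g. as part of change control.
"""
import re

# Constructed sample: the guide's "before the no commands" block.
SAMPLE_CONTEXT = """\
interface ge 1 20
 shutdown
 speed-duplex 100half
 switchport mode access
 use ex3500-policy-map in test
 power inline maximum allocation milliwatts 30000
 power inline priority critical
 power inline time-range EX3500_TimeRange_01
 access-group ex3500-ext-access-list EX3500_ACL_EXT_1 in time-range EX3500_TimeRange_01
 port monitor vlan 20
"""


def parse_interface_context(text):
    """Split a `show context` block into (interface name, [setting lines]).
    CLI prompt lines (ending in '#') are dropped so pasted sessions work."""
    lines = [l.strip() for l in text.strip().splitlines()
             if l.strip() and not l.strip().endswith("#")]
    if not lines or not lines[0].startswith("interface "):
        raise ValueError("block does not start with an 'interface' line")
    return lines[0][len("interface "):], lines[1:]


def audit_ge_interface(text):
    """Return [(severity, message)] for one GE interface block."""
    name, settings = parse_interface_context(text)
    findings = []
    acls = [s for s in settings if s.startswith("access-group ")]
    if not acls:
        findings.append(("info", "%s: no ACL bound; ingress is unfiltered" % name))
    for s in acls:
        m = re.search(r"\bin time-range (\S+)", s)
        if m:
            # Guide: the ACL is bound to the port only during the time range.
            findings.append(("warn", "%s: ACL %s is enforced only during time range %s"
                             % (name, s.split()[2], m.group(1))))
    for s in settings:
        if s == "shutdown":
            findings.append(("info", "%s: port is administratively down" % name))
        elif s.startswith("speed-duplex "):
            findings.append(("info", "%s: auto-negotiation disabled, forced %s"
                             % (name, s.split()[1])))
        elif s.startswith("port monitor "):
            # Guide: the switch copies packets seen on the monitored port/VLAN
            # to this port, so whatever is attached here sees that traffic.
            findings.append(("warn", "%s: receives mirrored traffic from %s"
                             % (name, s[len("port monitor "):])))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ge_interface(SAMPLE_CONTEXT):
        print("[%s] %s" % (severity, message))
```

On the sample block the audit reports the time-limited ACL binding and the VLAN 20 mirror as warnings and the shutdown and forced 100half as informational; after the three `no` commands in the example above, only the shutdown finding disappears.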
7.4.1.3 interface-vlan-config commands
The following table lists the VLAN interface configuration mode commands:

  Command   Description                                                          Reference
  ip        Configures IP related settings for this VLAN interface               page 7-524
  no        Removes the IP related settings configured for this VLAN interface   page 7-526

7.4.1.3.1 ip
Configures IP related settings for this VLAN interface

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  ip address [<IP/M>|bootp|dhcp]
  ip address <IP/M> {default-gateway <IP>|secondary <IP>}
  ip address [bootp|dhcp]

Parameters
  ip address <IP/M> {default-gateway <IP>|secondary <IP>}
    Manually configures the selected VLAN interface's primary and secondary IPv4 addresses. It also optionally configures the default gateway.
    <IP/M>                 Manually configures this VLAN interface's IP address in the A.B.C.D/M format, where M is the network mask for the associated IP subnet. This mask identifies the host address bits used for routing to specific subnets. The network mask can be either in the traditional format xxx.xxx.xxx.xxx or in classless format with the range /5 to /32. For example, the mask 255.255.224.0 would be /19.
    default-gateway <IP>   Optional. Configures the default gateway's IP address. This is the gateway through which this switch can reach other subnets not found in the local routing table. Before specifying the default gateway, ensure that the network interface directly connecting to the gateway is configured on the route. By default no gateway is specified.
      <IP>                 Specify the IP address in the A.B.C.D format.
    secondary <IP>         Optional. Configures this VLAN interface's secondary IP address
      <IP>                 Specify the secondary IP address in the A.B.C.D format.

  ip address [bootp|dhcp]
    Enables a DHCP or Bootp server to provide the primary IPv4 address for the selected VLAN interface
      bootp   Enables the VLAN interface to get its IP address from a Bootp server
      dhcp    Enables the VLAN interface to get its IP address from a DHCP server
    If selecting DHCP/Bootp, ensure that a server on the network has been configured to provide the necessary configuration to the switch. Using DHCP or Bootp results in frequent connectivity loss between the browser interface and the switch. Further, DHCP and Bootp cannot configure secondary IP addresses needed for multinetting.

Example
  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#ip address 192.168.13.28/24 default-gateway 192.168.13.13
  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
  interface vlan 20
   ip address 192.168.13.28/24 default-gateway 192.168.13.13
  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#

Related Commands
  no   Removes the IP address configured for this VLAN interface

7.4.1.3.2 no
Removes the IP related settings configured for this VLAN interface

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  no ip address [<IP/M>|bootp|dhcp]

Parameters
  no <PARAMETERS>
    Removes this EX3500's selected VLAN's settings based on the parameters passed

Example
The following example shows the interface VLAN 20 setting before the no command is executed:
  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
  interface vlan 20
   ip address 192.168.13.28/24 default-gateway 192.168.13.13
  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#

  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#no ip address 192.168.13.28/24

The following example shows the interface VLAN 20 setting after the no command is executed:
  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#show context
  interface vlan 20
  nx9500-6C8809(config-profile-testEX3524-if-vlan20)#
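The following Python is an added example, not code from the CLI guide or from the WiNG product. It validates an `ip address <IP/M> default-gateway <IP>` line of the kind shown in the VLAN interface section above: it converts the dotted mask form the guide mentions (255.255.224.0) to the prefix form (/19) and back, rejects non-contiguous masks, enforces the /5 to /32 range the guide states, and checks that the gateway lies inside the interface's own subnet, which is this example's reading of the guide's requirement that the interface reaching the gateway be configured on the route. Accepting the dotted mask after the slash in the same line is an assumption; the guide's own example uses the A.B.C.D/M form.

```python
"""Validate an EX35XX VLAN `ip address` line before it is committed.

Added example (not from the CLI guide).  Uses only the standard library.
"""
import ipaddress
import re

PREFIX_MIN, PREFIX_MAX = 5, 32   # classless range stated in the guide


def mask_to_prefix(mask):
    """'255.255.224.0' -> 19.  Raises ValueError for a non-contiguous mask."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    # A valid mask is `prefix` one-bits followed only by zero-bits.
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous mask %s" % mask)
    return prefix


def prefix_to_mask(prefix):
    """19 -> '255.255.224.0'."""
    return str(ipaddress.IPv4Network("0.0.0.0/%d" % prefix).netmask)


_LINE = re.compile(
    r"ip address (\S+)/(\S+)(?: default-gateway (\S+))?(?: secondary (\S+))?")


def check_ip_address_line(line):
    """Parse the config line and return its pieces plus a list of errors.

    Returns {'interface': IPv4Interface, 'gateway': IPv4Address or None,
             'secondary': IPv4Address or None, 'errors': [str]}.
    """
    m = _LINE.search(line)
    if not m:
        raise ValueError("not an `ip address <IP/M>` line: %r" % line)
    addr, mask, gw, sec = m.groups()
    errors = []
    # Dotted mask (assumed form) or prefix length (the guide's example form).
    prefix = mask_to_prefix(mask) if "." in mask else int(mask)
    if not PREFIX_MIN <= prefix <= PREFIX_MAX:
        errors.append("prefix /%d outside %d-%d" % (prefix, PREFIX_MIN, PREFIX_MAX))
    iface = ipaddress.IPv4Interface("%s/%d" % (addr, prefix))
    gateway = ipaddress.IPv4Address(gw) if gw else None
    if gateway is not None:
        if gateway not in iface.network:
            # No directly connected route would reach this gateway.
            errors.append("gateway %s is not in %s" % (gateway, iface.network))
        elif gateway == iface.ip:
            errors.append("gateway equals the interface address")
    secondary = ipaddress.IPv4Address(sec) if sec else None
    return {"interface": iface, "gateway": gateway,
            "secondary": secondary, "errors": errors}


if __name__ == "__main__":
    # The guide's example line, plus a constructed line with a bad gateway.
    for line in ("ip address 192.168.13.28/24 default-gateway 192.168.13.13",
                 "ip address 192.168.13.28/24 default-gateway 10.0.0.1"):
        r = check_ip_address_line(line)
        print(r["interface"], r["gateway"], r["errors"] or "ok")
```

The guide's example line passes with no errors; a gateway outside 192.168.13.0/24 is reported, which is the misconfiguration the "configured on the route" sentence above is warning about.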
7.4.2 ip
Configures the default gateway through which this EX35XX switch can reach other subnets

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  ip default-gateway <IP>

Parameters
  ip default-gateway <IP>
    Configures the default gateway's IP address in the A.B.C.D format
    <IP>   Specify the IP address.

Example
  nx9500-6C8809(config-profile-testEX3524)#ip default-gateway 192.168.13.13
  nx9500-6C8809(config-profile-testEX3524)#show context
  profile ex3524 testEX3524
   ip default-gateway 192.168.13.13
   no autoinstall configuration
   no autoinstall firmware
   interface ge 1 17
   interface ge 1 16
   interface ge 1 15
   interface ge 1 14
   interface ge 1 13
   interface ge 1 12
   interface ge 1 11
  --More--
   interface ge 1 21
   use firewall-policy default
   service pm sys-restart
  nx9500-6C8809(config-profile-testEX3524)#
7.4.3 power
Enables power inline compatibility mode on this EX35XX profile. This option is disabled by default.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000, RFS7000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  power inline compat ible

Parameters
  power inline compatible
    power inline compatible   Enables power inline compatibility mode

Example
  nx9500-6C8809(config-profile-testEX3524)#power inline compatible
  nx9500-6C8809(config-profile-testEX3524)#show context
  profile ex3524 testEX3524
   ip default-gateway 192.168.13.13
   power inline compatible
   no autoinstall configuration
   no autoinstall firmware
   interface ge 1 17
   interface ge 1 16
   interface ge 1 15
   interface ge 1 14
   interface ge 1 13
   interface ge 1 12
  --More--
  nx9500-6C8809(config-profile-testEX3524)#
7.4.4 upgrade
Configures adopted EX35XX switch upgrade settings

For an EX35XX switch to be adopted and managed by a WiNG controller, you need to upload two images to the switch: an operation code (opcode) image and an adopted image. The opcode image functions as an operating system that enables the WiNG controller to communicate with the EX35XX switch. This command allows you to configure the EX35XX's opcode image upgrade settings.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000, RFS7000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  upgrade opcode [auto|path <LINE>|reload]

Parameters
  upgrade opcode [auto|path <LINE>|reload]
    upgrade opcode   Configures the opcode image upgrade settings
      auto           Enables automatic upgrade
      path <LINE>    Configures the location of the opcode image
      reload         Enables automatic reload after successful loading of the opcode image

Example
  <EX35XX-DEVICE>#show versions
  Unit 1
   Serial Number          : 14136520900352
   Hardware Version       : R01
   EPLD Version           : 0.00
   Number of Ports        : 28
   Main Power Status      : Up
   Role                   : Master
   Loader Version         : 5.0.0.1-01A
   Linux Kernel Version   : 2.6.22.18
   Boot ROM Version       : 0.0.0.1
   Operation Code Version : 5.0.0.0-03D
   Adoptd Version         : 5.8.3.0-024D
  <EX35XX-DEVICE>#

  nx9500-6C8809(config-profile-testEX3524)#upgrade auto
  nx9500-6C8809(config-profile-testEX3524)#upgrade reload
  nx9500-6C8809(config-profile-testEX3524)#upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
  nx9500-6C8809(config-profile-testEX3524)#show context
  profile ex3524 testEX3524
   ip default-gateway 192.168.13.13
   power inline compatible
   .............................................
   use firewall-policy default
   service pm sys-restart
   upgrade opcode auto
   upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
   upgrade opcode reload
  nx9500-6C8809(config-profile-testEX3524)#
7.4.5 use
EX3524 & EX3548 Profile/Device Config Commands

Applies an EX3500 management policy to this EX35XX profile.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000, RFS7000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  use ex3500-management-policy <POLICY-NAME>

Parameters
  use ex3500-management-policy <POLICY-NAME>
    use ex3500-management-policy <POLICY-NAME>    Applies an EX3500 management policy to this EX35XX profile
      <POLICY-NAME>    Specify the EX3500 management policy name (should be existing and configured).

Example
nx9500-6C8809(config-profile-testEX3524)#use ex3500-management-policy test
Trustpoints HTTPS Server and RSA keys for SSH can be configured with 'trustpoint'
and 'rsa-key' commands in device context
nx9500-6C8809(config-profile-testEX3524)#

nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
 no autoinstall firmware
 interface ge 1 17
 interface ge 1 16
 interface ge 1 15
--More--
 use ex3500-management-policy test
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
 upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#
7.4.6 no
EX3524 & EX3548 Profile/Device Config Commands

Removes or reverts this EX3500 profile's settings.

Supported in the following platforms:
  Switches: EX3524, EX3548
  Wireless Controllers: RFS4000, RFS6000, RFS7000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600

Syntax
  no [interface vlan <1-4094>|default-gateway {<IP>}|power inline compatible|upgrade opcode [auto|path|reload]|use ex3500-management-policy]

Parameters
  no <PARAMETERS>
    no <PARAMETERS>    Removes or reverts this EX3500 profile's settings based on the parameters passed

Example
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
 no autoinstall firmware
 interface ge 1 17
 interface ge 1 16
 interface ge 1 15
 interface ge 1 14
 interface ge 1 13
 interface ge 1 12
 interface ge 1 11
 interface ge 1 10
 interface ge 1 24
 interface ge 1 22
 interface vlan 20
 interface ge 1 23
--More--
 use ex3500-management-policy test
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
 upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#

nx9500-6C8809(config-profile-testEX3524)#no use ex3500-management-policy
nx9500-6C8809(config-profile-testEX3524)#no upgrade opcode reload
nx9500-6C8809(config-profile-testEX3524)#no interface vlan 20
nx9500-6C8809(config-profile-testEX3524)#show context
profile ex3524 testEX3524
 ip default-gateway 192.168.13.13
 power inline compatible
 no autoinstall configuration
--More--
 use firewall-policy default
 service pm sys-restart
 upgrade opcode auto
 upgrade opcode path ftp://anonymous:anonymous@192.168.13.10/ex35xx/EX3524.img
nx9500-6C8809(config-profile-testEX3524)#
8 AAA-POLICY

This chapter summarizes the Authentication, Authorization, and Accounting (AAA) policy commands in the CLI command structure.

A AAA policy enables administrators to define access control settings governing network permissions. External RADIUS and LDAP servers (AAA servers) also provide user database information and user authentication data. Each WLAN maintains its own unique AAA configuration.

AAA provides a modular way of performing the following services:

Authentication
  Provides a means for identifying users, including login and password dialog, challenge and response, messaging support and, depending on the security protocol, encryption. Authentication is the technique by which a user is identified before being allowed access to the network. Configure AAA authentication by defining a list of authentication methods, and then applying the list to various interfaces. The list defines the authentication schemes performed and their sequence. The list must be applied to an interface before the defined authentication technique is conducted.

Authorization
  Authorization occurs immediately after authentication. Authorization is a method for remote access control, including authorization for services and individual user accounts and profiles. Authorization functions through the assembly of attribute sets describing what the user is authorized to perform. These attributes are compared to information contained in a database for a given user, and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database could be located locally or be hosted remotely on a RADIUS server. Remote RADIUS servers authorize users by associating attribute-value (AV) pairs with the appropriate user. Each authorization method must be defined through AAA. When AAA authorization is enabled, it is applied equally to all interfaces.

Accounting
  Collects and sends security server information for billing, auditing, and reporting user data, such as start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables wireless network administrators to track the services users are accessing and the network resources they are consuming. When accounting is enabled, the network access server reports user activity to a RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored locally on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA. When AAA accounting is activated, it is applied equally to all interfaces on the access servers.

Use the (config) instance to configure AAA policy commands. To navigate to the config-aaa-policy instance, use the following commands:

<DEVICE>(config)#aaa-policy <POLICY-NAME>

rfs6000-37FABE(config)#aaa-policy test
rfs6000-37FABE(config-aaa-policy-test)#?
AAA Policy Mode commands:
  accounting           Configure accounting parameters
  attribute            Configure RADIUS attributes in access and accounting requests
  authentication       Configure authentication parameters
  health-check         Configure server health-check parameters
  mac-address-format   Configure the format in which the MAC address must be filled in the Radius-Request frames
  no                   Negate a command or set its defaults
  proxy-attribute      Configure radius attribute behavior when proxying through controller or rf-domain-manager
  server-pooling-mode  Configure the method of selecting a server from the pool of configured AAA servers
  use                  Set setting to use

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

rfs6000-37FABE(config-aaa-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

8.1 aaa-policy

The following table summarizes AAA policy configuration commands:
Table 8.1 AAA-Policy-Config Commands

Command              Description                                                                Reference
accounting           Configures accounting parameters                                           page 8-4
attribute            Configures RADIUS attributes in access and accounting requests             page 8-8
authentication       Configures authentication parameters                                       page 8-11
health-check         Configures health check parameters                                         page 8-16
mac-address-format   Configures the MAC address format                                          page 8-17
no                   Negates a command or sets its default                                      page 8-19
proxy-attribute      Configures the RADIUS server's attribute behavior when proxying through    page 8-21
                     the wireless controller or the RF Domain manager
server-pooling-mode  Defines the method for selecting a server from the pool of configured      page 8-22
                     AAA servers
use                  Defines the AAA command settings                                           page 8-23

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

8.1.1 accounting
aaa-policy

Configures the server type and interval at which interim accounting updates are sent to the server. A maximum of 6 accounting servers can be configured.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  accounting [interim|server|type]
  accounting interim interval <60-3600>
  accounting server [<1-6>|preference]
  accounting server preference [auth-server-host|auth-server-number|none]
  accounting server <1-6> [dscp|host|nai-routing|onboard|proxy-mode|retry-timeout-factor|timeout]
  accounting server <1-6> [dscp <0-63>|retry-timeout-factor <50-200>]
  accounting server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}
  accounting server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-TEXT> {strip}
  accounting server <1-6> onboard [centralized-controller|self|controller]
  accounting server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
  accounting server <1-6> timeout <1-60> {attempts <1-10>}
  accounting type [start-interim-stop|start-stop|stop-only]
Parameters
  accounting interim interval <60-3600>
    interim interval <60-3600>    Configures the interim accounting interval. This is the interval at which interim accounting updates are posted to the accounting server. Specify the interim interval from 60 - 3600 seconds. The default is 1800 seconds.

  accounting server preference [auth-server-host|auth-server-number|none]
    server                Configures a RADIUS accounting server's settings
    preference            Configures the accounting server's preference mode. Authentication requests are forwarded to an accounting server, from the pool, based on the preference mode selected.
      auth-server-host    Sets the authentication server as the accounting server. This is the default setting. This parameter indicates the same server is used for authentication and accounting. The server is identified by its hostname.
      auth-server-number  Sets the authentication server as the accounting server. This parameter indicates the same server is used for authentication and accounting. The server is identified by its index or number.
      none                Indicates the accounting server is independent of the authentication server

  accounting server <1-6> [dscp <0-63>|retry-timeout-factor <50-200>]
    server <1-6>          Configures an accounting server. Up to 6 accounting servers can be configured.
    dscp <0-63>           Sets the Differentiated Services Code Point (DSCP) value for Quality of Service (QoS) monitoring. This value is used in generated RADIUS packets.
      <0-63>              Sets the DSCP value from 0 - 63. The default value is 34.
    retry-timeout-factor <50-200>    Sets the scaling factor for retransmission timeouts. The timeout at each attempt is a function of this retry-timeout factor and the attempt number.
      <50-200>            Specify a value from 50 - 200. The default is 100. If the scaling factor is 100, the interval between two consecutive retries remains the same, irrespective of the number of retries. If the scaling factor is less than 100, the interval between two consecutive retries reduces with subsequent retries. If the scaling factor is greater than 100, the interval between two consecutive retries increases with subsequent retries.

  accounting server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2 <SECRET>|<SECRET>] {port <1-65535>}
    server <1-6>          Configures an accounting server. Up to 6 accounting servers can be configured.
    host <IP/HOSTNAME/HOST-ALIAS>    Configures the accounting server's hostname, IP address, or host-alias. The host alias should be existing and configured.
    secret [0 <SECRET>|2 <SECRET>|<SECRET>]    Configures a common secret key used to authenticate with the accounting server
      0 <SECRET>          Configures a clear text secret key
      2 <SECRET>          Configures an encrypted secret key
      <SECRET>            Specify the secret key. This shared secret should not exceed 127 characters.
    port <1-65535>        Optional. Configures the accounting server's UDP port (the port used to connect to the accounting server)
      <1-65535>           Sets the port number from 1 - 65535 (default port is 1813)

  accounting server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-TEXT> {strip}
    server <1-6>          Configures an accounting server. Up to 6 accounting servers can be configured.
    nai-routing           Enables Network Access Identifier (NAI) routing. This option is disabled by default. The NAI is a character string in the format of an e-mail address, as either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. AAA servers identify clients using the NAI. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. Using the generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dial-up ISPs. With NAI, an ISP does not have to hold the accounts for all of its roaming partners in a single RADIUS database; RADIUS servers can proxy requests to remote servers as needed.
    realm-type [prefix|suffix]    Specifies whether the prefix or suffix of the username is used as the match criteria. For example, if the option selected is prefix, the username's prefix is matched to the realm. Select one of the following options:
      prefix              Matches the prefix of the username (for example, usernames of the form DOMAIN/user1, DOMAIN/user2). This is the default setting.
      suffix              Matches the suffix of the username (for example, user1@DOMAIN, user2@DOMAIN)
    realm <REALM-TEXT>    Configures the text matched against the username. Enter the realm name (should not exceed 50 characters). When the RADIUS accounting server receives a request for a user name, the server references a table of user names. If the user name is known, the server proxies the request to the RADIUS server.
      <REALM-TEXT>        Specifies the matching text including the delimiter (a delimiter is typically '\' or '@')
    strip                 Optional. When enabled, strips the realm from the username before forwarding the request to the RADIUS server. This option is disabled by default.

  accounting server <1-6> onboard [centralized-controller|self|controller]
    server <1-6>          Configures an accounting server. Up to 6 accounting servers can be configured.
    onboard               Selects an onboard server instead of an external host
      centralized-controller    Configures the server on the centralized controller managing the network
      self                Configures the onboard server on an AP, wireless controller, or service platform (where the client is associated)
      controller          Configures local RADIUS server settings

  accounting server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
    server <1-6>          Configures an accounting server. Up to 6 accounting servers can be configured.
    proxy-mode            Select the mode used to proxy requests. The options are: none, through-controller, and through-rf-domain-manager.
      none                No proxy required. Sends the request directly using the IP address of the device. This is the default setting.
      through-centralized-controller    Proxies requests through the centralized controller that is configuring and managing the network
      through-controller  Proxies requests through the controller (access point, wireless controller, or service platform) configuring the device
      through-mint-host <HOSTNAME/MINT-ID>    Proxies requests through a neighboring MiNT device. Provide the device's MiNT ID or hostname.
      through-rf-domain-manager    Proxies requests through the local RF Domain Manager

  accounting server <1-6> timeout <1-60> {attempts <1-10>}
    server <1-6>          Configures an accounting server. Up to 6 accounting servers can be configured.
    timeout <1-60>        Configures the timeout for each request sent to the RADIUS server
      <1-60>              Specify a value from 1 - 60 seconds. The default is 5 seconds.
    attempts <1-10>       Optional. Specifies the number of times a transmission request is attempted
      <1-10>              Specify a value from 1 - 10. The default is 3.

  accounting type [start-interim-stop|start-stop|stop-only]
    type                  Configures the type of RADIUS accounting packets sent. The options are: start-interim-stop, start-stop, and stop-only.
      start-interim-stop  Sends accounting-start and accounting-stop messages when the session starts and stops. This parameter also sends interim accounting updates.
      start-stop          Sends accounting-start and accounting-stop messages when the session starts and stops. This is the default setting.
      stop-only           Sends an accounting-stop message when the session ends

Example
rfs6000-37FABE(config-aaa-policy-test)#accounting interim interval 65
rfs6000-37FABE(config-aaa-policy-test)#accounting server 2 host 172.16.10.10 secret test1 port 1
rfs6000-37FABE(config-aaa-policy-test)#accounting server 2 timeout 2 attempts 2
rfs6000-37FABE(config-aaa-policy-test)#accounting type start-stop
rfs6000-37FABE(config-aaa-policy-test)#accounting server preference auth-server-number
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 accounting interim interval 65
 accounting server preference auth-server-number
rfs6000-37FABE(config-aaa-policy-test)#
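The prefix/suffix match and strip behaviour described for nai-routing above (and again for authentication servers in 8.1.3), modelled as an added Python example; this is not code from the reference guide or from WiNG. The server pool, hosts and realm strings are constructed, and taking the first matching server in index order is an assumption made for clarity (the product chooses among servers according to server-pooling-mode).

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccountingServer:
    """One 'accounting server <1-6> nai-routing ...' entry (constructed model)."""
    index: int           # server <1-6>
    host: str            # host <IP/HOSTNAME/HOST-ALIAS>
    realm_type: str      # realm-type [prefix|suffix]
    realm: str           # realm <REALM-TEXT>, delimiter included
    strip: bool = False  # {strip}


def realm_matches(server: AccountingServer, username: str) -> bool:
    """Match rule from the reference: a prefix realm is compared against the
    start of the username, a suffix realm against its end. Because the realm
    text carries its delimiter, 'eve@evil.partner.example' does not match the
    suffix realm '@partner.example'."""
    if server.realm_type == "prefix":
        return username.startswith(server.realm)
    if server.realm_type == "suffix":
        return username.endswith(server.realm)
    raise ValueError(f"unknown realm-type {server.realm_type!r}")


def forwarded_username(server: AccountingServer, username: str) -> str:
    """Username as forwarded to the server: the realm is removed only when
    'strip' is configured; otherwise the full NAI is passed through."""
    if not server.strip:
        return username
    if server.realm_type == "prefix":
        return username[len(server.realm):]
    return username[:-len(server.realm)]


def route_request(pool: List[AccountingServer], username: str
                  ) -> Optional[Tuple[AccountingServer, str]]:
    """Pick the first server, in index order, whose realm matches the NAI
    (index order is an assumption of this example, see the lead-in).
    Returns None when no realm matches, or when stripping leaves an empty
    user, so an NAI that is only a realm is never forwarded as a blank identity."""
    for server in sorted(pool, key=lambda s: s.index):
        if realm_matches(server, username):
            user = forwarded_username(server, username)
            return (server, user) if user else None
    return None


# Constructed pool: a prefix realm with strip, a suffix realm without strip.
EXAMPLE_POOL = [
    AccountingServer(1, "10.0.0.1", "prefix", "CORP\\", strip=True),
    AccountingServer(2, "10.0.0.2", "suffix", "@partner.example"),
]

if __name__ == "__main__":
    for nai in ("CORP\\alice", "bob@partner.example", "carol",
                "eve@evil.partner.example", "CORP\\"):
        print(f"{nai!r:30} -> {route_request(EXAMPLE_POOL, nai)}")
```

With strip configured, the backend server only ever sees the bare user part, so the user database behind a stripped realm must belong to that one realm.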
Related Commands
  no    Removes or resets accounting server parameters

8.1.2 attribute
aaa-policy

Configures the RADIUS Framed-MTU attribute used in access and accounting requests.

The Framed-MTU attribute reduces the Extensible Authentication Protocol (EAP) packet size of the RADIUS server. This command is useful in networks where routers and firewalls do not perform fragmentation. To ensure network security, some firewall software drops UDP fragments from RADIUS server EAP packets, which is a problem when the packets are large. Using Framed-MTU reduces the packet size. EAP authentication uses Framed-MTU to notify the RADIUS server about the Maximum Transmission Unit (MTU) negotiation with the client. The RADIUS server's communications with the client then do not include EAP messages that cannot be delivered over the network.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|cisco-vsa|framed-ip-address|framed-mtu|location-information|nas-ip-address|nas-ipv6-address|operator-name|service-type]
  attribute acct-delay-time
  attribute acct-multi-session-id
  attribute chargeable-user-identity
  attribute cisco-vsa audit-session-id
  attribute framed-ip-address
  attribute framed-mtu <100-1500>
  attribute location-information [include-always|none|server-requested]
  attribute nas-ip-address <WORD>
  attribute nas-ipv6-address
  attribute operator-name <OPERATOR-NAME>
  attribute service-type [framed|login]

Parameters
  attribute acct-delay-time
    acct-delay-time       Enables support for the accounting-delay-time attribute in accounting requests. When enabled, this attribute indicates the number of seconds the client has been trying to send a request to the accounting server. By subtracting this value from the time the packet is received by the server, the system is able to calculate the time of the request-generating event. Note that the network transit time is ignored. This option is disabled by default. Including the acct-delay-time attribute in accounting requests updates the acct-delay-time value whenever the packet is retransmitted. This changes the content of the attributes field, requiring a new identifier and request authenticator.

  attribute acct-multi-session-id
    acct-multi-session-id    Enables support for the accounting-multi-session-id attribute. When enabled, it allows linking of multiple related sessions of a roaming client. This option is useful in scenarios where a client roaming between access points sends multiple RADIUS accounting requests to different access points. This option is disabled by default.

  attribute chargeable-user-identity
    chargeable-user-identity    Enables support for the chargeable-user-identity attribute. This option is disabled by default.

  attribute cisco-vsa audit-session-id
    cisco-vsa             Configures the Cisco Vendor Specific Attribute (VSA) included in access requests. This feature is disabled by default. This VSA allows Cisco's Identity Services Engine (ISE) to validate a requesting client's network compliance, such as the validity of virus definition files (anti-virus software or definition files for an anti-spyware software application).
    audit-session-id      Includes the audit session ID attribute in access requests. The audit session ID is included in access requests when Cisco ISE is configured as an authentication server.
                          Note: If the Cisco VSA attribute is enabled, configure an additional UDP port to listen for dynamic authorization messages from the Cisco ISE server. For more information, see service.

  attribute framed-ip-address
    framed-ip-address     Enables inclusion of the framed IP address attribute in access requests. This option is disabled by default.

  attribute framed-mtu <100-1500>
    framed-mtu <100-1500>    Configures the Framed-MTU attribute used in access requests
      <100-1500>          Specify the Framed-MTU attribute from 100 - 1500. The default value is 1400.

  attribute location-information [include-always|none|server-requested]
    location-information [include-always|none|server-requested]    Enables support for the RFC 5580 location information attribute, based on the option selected. When enabled, location information is exchanged in authentication and accounting messages. The various options are:
      include-always      Always includes location information in RADIUS authentication and accounting messages
      none                Disables sending of location information in RADIUS authentication and accounting messages. This is the default setting.
      server-requested    Includes location information in RADIUS authentication and accounting messages only when requested by the server

  attribute nas-ip-address <WORD>
    nas-ip-address <WORD>    Enables configuration of an IP address, which is used as the RADIUS attribute 4, NAS-IP-Address, without changing the source IP address in the IP header of the RADIUS packets. If you are using a cluster of small network access servers (NASs) to simulate a large NAS, use this option to improve scalability. The IP address configured using this option allows the NASs to behave as a single RADIUS client from the perspective of the RADIUS server.
      <WORD>              Provide the IPv4 address.

  attribute nas-ipv6-address
    nas-ipv6-address      Enables support for the NAS IPv6 address. This option is disabled by default. When enabled, IPv6 addresses are assigned to hosts. The length of IPv4 and IPv6 addresses is 32-bit and 128-bit respectively. Consequently, an IPv6 address requires a larger address space.

  attribute operator-name <OPERATOR-NAME>
    operator-name <OPERATOR-NAME>    Enables support for the RFC 5580 operator name attribute. When enabled, the network operator's name is included in all RADIUS authentication and accounting messages and uniquely identifies the access network owner. This option is disabled by default.
      <OPERATOR-NAME>     Specify the network operator's name (should not exceed 63 characters in length).

  attribute service-type [framed|login]
    service-type [framed|login]    Configures the service-type (6) attribute value. This attribute identifies the type of service requested and the type of service to be provided.
      framed              Sets service-type to framed (2) in the authentication packets. When enabled, a framed protocol, Point-to-Point Protocol (PPP) or Serial Line Internet Protocol (SLIP), is started for the client. This is the default setting.
      login               Sets service-type to login (1) in the authentication packets. When enabled, the client is connected to the host.

Example
rfs6000-37FABE(config-aaa-policy-test)#attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#

rfs6000-37FABE(config-aaa-policy-test1)#attribute cisco-vsa audit-session-id
rfs6000-37FABE(config-aaa-policy-test1)#show context
aaa-policy test
 attribute cisco-vsa audit-session-id
rfs6000-37FABE(config-aaa-policy-test)#
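Why the acct-delay-time description above says a retransmission needs a new identifier and request authenticator, shown as an added Python example that follows the RFC 2866 Accounting-Request construction; it is not code from the reference guide or from WiNG, and the user name, session id, shared secret and the identifier choice on retry are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4   # RADIUS Code for Accounting-Request (RFC 2866)
HEADER_LEN = 20          # Code(1) Identifier(1) Length(2) Authenticator(16)
# Attribute type numbers from RFC 2865/2866
USER_NAME, ACCT_STATUS_TYPE, ACCT_DELAY_TIME, ACCT_SESSION_ID = 1, 40, 41, 44
ACCT_STATUS_START = 1


def attr(atype: int, value: bytes) -> bytes:
    """One attribute-value pair: Type(1) Length(1) Value; Length counts the header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def int_attr(atype: int, n: int) -> bytes:
    return attr(atype, struct.pack("!I", n))


def accounting_request(identifier: int, secret: bytes, attrs: list) -> bytes:
    """Accounting-Request with the RFC 2866 Request Authenticator:
    MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, HEADER_LEN + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """Server-side check: a wrong secret or any change to the attributes fails."""
    if len(packet) < HEADER_LEN or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, authenticator, body = packet[:4], packet[4:HEADER_LEN], packet[HEADER_LEN:]
    expected = hashlib.md5(header + bytes(16) + body + secret).digest()
    return hmac.compare_digest(authenticator, expected)


def get_attr(packet: bytes, atype: int):
    """Value of the first attribute of the given type, or None (stops on a malformed TLV)."""
    pos = HEADER_LEN
    while pos + 2 <= len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return None
        if t == atype:
            return packet[pos + 2:pos + length]
        pos += length
    return None


def session_attrs(delay_seconds: int) -> list:
    """Attributes of one Accounting-Start; only Acct-Delay-Time differs on a retry."""
    return [
        attr(USER_NAME, b"alice"),                       # constructed sample user
        int_attr(ACCT_STATUS_TYPE, ACCT_STATUS_START),
        attr(ACCT_SESSION_ID, b"5f3a0c01"),              # constructed session id
        int_attr(ACCT_DELAY_TIME, delay_seconds),
    ]


def first_and_retransmit(secret: bytes, first_id: int, waited_seconds: int):
    """Client side: the original request carries delay 0; when it goes unanswered
    for `waited_seconds` the client re-sends with an updated Acct-Delay-Time.
    The attribute bytes changed, so the retry needs a new Identifier (modelled
    here as first_id + 1) and gets a different Request Authenticator."""
    original = accounting_request(first_id, secret, session_attrs(0))
    retry = accounting_request((first_id + 1) % 256, secret, session_attrs(waited_seconds))
    return original, retry


def event_time(received_at: int, packet: bytes) -> int:
    """Server side: receive time minus Acct-Delay-Time gives the time of the
    event that generated the request (network transit time is ignored)."""
    delay = get_attr(packet, ACCT_DELAY_TIME)
    return received_at - (struct.unpack("!I", delay)[0] if delay else 0)


if __name__ == "__main__":
    secret = b"test1"                                     # constructed shared secret
    original, retry = first_and_retransmit(secret, 7, 5)
    print("identifiers:", original[1], retry[1])
    print("authenticators differ:", original[4:20] != retry[4:20])
    print("both verify:", verify_accounting_request(original, secret),
          verify_accounting_request(retry, secret))
    print("event time for retry received at t=1000:", event_time(1000, retry))
```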
Related Commands no Resets values or disables commands Access Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 10 AAA-POLICY 8.1.3 authentication aaa-policy Configures user authentication parameters Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax authentication [eap|protocol|server]
authentication eap wireless-client [attempts <1-10>|identity-request-retry-
timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-200>|
timeout <1-60>]
authentication protocol [chap|mschap|mschapv2|pap]
authentication server <1-6> [dscp|host|nac|nai-routing|onboard|proxy-mode|retry-
timeout-factor|timeout]
authentication server <1-6> dscp <0-63>
authentication server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|2
<SECRET>|<SECRET>] {port <1-65535>}
authentication server <1-6> nac authentication server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-
NAME>{strip}
authentication server <1-6> onboard [centralized-controller|controller|self]
authentication server <1-6> proxy-mode [none|through-centralized-controller|
through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-
manager]
authentication server <1-6> retry-timeout-factor <50-200>
authentication server <1-6> timeout <1-60> {attempts <1-10>}
Parameters authentication eap wireless-client [attempts <1-10>|identity-request-retry-
timeout <10-5000>|identity-request-timeout <1-60>|retry-timeout-factor <50-
200>|timeout <1-60>]
eap wireless-client attempts <1-10>
identity-request-retry-
timeout <10-5000>
Configures EAP authentication parameters Configures wireless clients EAP parameters Configures the maximum number of attempts allowed to authenticate a wireless client
<1-10> Specify a value from 1 - 10. The default is 3. Configures the interval, in milliseconds, after which an EAP-identity request to the wireless client is retried
<10-5000> Specify a value from 10 - 5000 milliseconds. The default is 1000 milliseconds. Access Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 11 AAA-POLICY identity-request-
timeout <1-60>
retry-timeout-factor
<50-200>
timeout <1-60>
Configures the timeout, in seconds, after the last EAP-identity request message retry attempt (to allow time to manually enter user credentials)
<1-60> Specify a value from 1 - 60 seconds. The default is 30 seconds. Configures the spacing between successive EAP retries
<50-200> Specify a value from 50 - 200. The default is 100. A value of 100 indicates the interval between two consecutive retires remains the same irrespective of the number of retries. A value lesser than 100 indicates the interval between two consecutive retries reduces with each successive retry. A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry. Configures the interval, in seconds, between successive EAP-identity request sent to a wireless client
<1-60> Specify a value from 1 - 60 seconds. The default is 3 seconds. authentication protocol [chap|mschap|mschapv2|pap]
protocol
[chap|mschap|
mschapv2|pap]
Configures one of the following protocols for non-EAP authentication:
chap Uses Challenge Handshake Authentication Protocol (CHAP) mschap Uses Microsoft Challenge Handshake Authentication Protocol (MS-CHAP) mschapv2 Uses MS-CHAP version 2 pap Uses Password Authentication Protocol (PAP) (default authentication protocol used) authentication server <1-6> dscp <0-63>
server <1-6>
dscp <0-63>
Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
<1-6> Specify the RADIUS server index from 1 - 6. Configures the Differentiated Service Code Point (DSCP) quality of service parameter generated in RADIUS packets. The DSCP value specifies the class of service provided to a packet, and is represented by a 6-bit parameter in the header of every IP packet.
<0-63> Specify the value from 0 - 63. The default is 46. authentication server <1-6> host <IP/HOSTNAME/HOST-ALIAS> secret [0 <SECRET>|
2 <SECRET>|<SECRET>] {port <1-65535>}
server <1-6>
    Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
    <1-6>  Specify the RADIUS server index from 1 - 6.
host <IP/HOSTNAME/HOST-ALIAS>
    Sets the RADIUS authentication server's IP address, hostname, or host alias. The host alias should be existing and configured.

Access Point, Wireless Controller and Service Platform CLI Reference Guide 8 - 12 AAA-POLICY

secret [0 <SECRET>|2 <SECRET>|<SECRET>]
    Configures the RADIUS authentication server's secret. This key is used to authenticate with the RADIUS server.
    0 <SECRET>  Configures a clear text secret
    2 <SECRET>  Configures an encrypted secret
    <SECRET>    Specify the secret key. The shared key should not exceed 127 characters in length.
port <1-65535>
    Optional. Specifies the RADIUS authentication server's UDP port (this port is used to connect to the RADIUS server)
    <1-65535>  Specify a value from 1 - 65535. The default port is 1812.

authentication server <1-6> nac

server <1-6>
    Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
    <1-6>  Specify the RADIUS server index from 1 - 6.
nac
    Enables Network Access Control (NAC) on the RADIUS authentication server identified by the <1-6> parameter. Using NAC, the controller hardware and software grant access to specific network resources. NAC performs a user and client authorization check for resources that do not have a NAC agent. NAC verifies the client's compliance with the controller's security policy. The controller supports only the EAP/802.1x type of NAC. However, the controller also provides a means to bypass NAC authentication for clients that do not have NAC 802.1x support (printers, phones, PDAs, etc.).

authentication server <1-6> nai-routing realm-type [prefix|suffix] realm <REALM-NAME> {strip}
server <1-6>
    Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
    <1-6>  Specifies the RADIUS server index from 1 - 6.
nai-routing
    Enables NAI routing. When enabled, AAA servers identify clients using the NAI. This option is disabled by default.
    The NAI is a character string in the format of an e-mail address, as either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. Using the generic form allows all users to be configured on a single command line, irrespective of whether the users are within a realm or not. Each user still needs a unique security association, but these associations can be stored on a AAA server.
    The original purpose of the NAI was to support roaming between dial-up ISPs. With NAI, an ISP does not need to hold the accounts of all its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers as need be.
realm-type [prefix|suffix]
    Configures the realm-type used for NAI authentication
    prefix  Sets the realm prefix. For example, in the realm name AC\JohnTalbot, the prefix is AC and the user name is JohnTalbot.
    suffix  Sets the realm suffix. For example, in the realm name JohnTalbot@AC.org, the suffix is AC.org and the user name is JohnTalbot.
realm <REALM-NAME>
    Sets the realm information used for RADIUS authentication. The realm name should not exceed 64 characters in length. When the wireless controller's or access point's RADIUS server receives a request for a user name, the server references a table of usernames. If the user name is known, the server proxies the request to the RADIUS server.
    <REALM-NAME>  Sets the realm used for authentication. This value is matched against the user name provided for RADIUS authentication. Example:
                  Prefix - AC\JohnTalbot
                  Suffix - JohnTalbot@AC.org
strip
    Optional. Indicates the realm name must be stripped from the user name before sending it to the RADIUS server for authentication. For example, if the complete username is AC\JohnTalbot, then with the strip parameter enabled, only the JohnTalbot part of the complete username is sent for authentication. This option is disabled by default.

authentication server <1-6> onboard [centralized-controller|controller|self]
server <1-6>
    Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
    <1-6>  Specify the RADIUS server index from 1 - 6.
onboard [centralized-controller|controller|self]
    Selects the onboard RADIUS server for authentication instead of an external host
    centralized-controller  Configures the server on the centralized controller managing the network
    controller              Configures the wireless controller to which the AP is adopted as the onboard wireless controller
    self                    Configures the onboard server on the device (AP or wireless controller) where the client is associated as the onboard wireless controller

authentication server <1-6> proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
server <1-6>
    Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
    <1-6>  Specify the RADIUS server index from 1 - 6.
proxy-mode [none|through-centralized-controller|through-controller|through-mint-host <HOSTNAME/MINT-ID>|through-rf-domain-manager]
    Configures the mode for proxying a request
    none                                  Proxying is not done. The packets are sent directly using the IP address of the device. This is the default setting.
    through-centralized-controller        The traffic is proxied through the centralized controller that is configuring and managing the network.
    through-controller                    The traffic is proxied through the wireless controller configuring this device.
    through-mint-host <HOSTNAME/MINT-ID>  The traffic is proxied through a neighboring MiNT device. Provide the device's hostname or MiNT ID.
    through-rf-domain-manager             The traffic is proxied through the local RF Domain manager.

authentication server <1-6> retry-timeout-factor <50-200>
server <1-6>
    Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
    <1-6>  Specify the RADIUS server index from 1 - 6.
retry-timeout-factor <50-200>
    Configures the scaling of timeouts between two consecutive RADIUS authentication retries
    <50-200>  Specify the scaling factor from 50 - 200. The default is 100. A value of 100 indicates the interval between two consecutive retries remains the same irrespective of the number of retries. A value less than 100 indicates the interval between two consecutive retries reduces with each successive retry. A value greater than 100 indicates the interval between two consecutive retries increases with each successive retry.

authentication server <1-6> timeout <1-60> {attempts <1-10>}
server <1-6>
    Configures a RADIUS authentication server. Up to 6 RADIUS servers can be configured.
    <1-6>  Specify the RADIUS server index from 1 - 6.
timeout <1-60>
    Configures the timeout, in seconds, for each request sent to the RADIUS server. This is the time allowed to elapse before another request is sent to the RADIUS server. If a response is received from the RADIUS server within this time, no retry is attempted.
    <1-60>  Specify a value from 1 - 60 seconds. The default is 3 seconds.
attempts <1-10>
    Optional. Indicates the number of retry attempts to make before giving up
    <1-10>  Specify a value from 1 - 10. The default is 3.

Example
rfs6000-37FABE(config-aaa-policy-test)#authentication server 5 host 172.16.10.10 secret 0 test1 port 1
rfs6000-37FABE(config-aaa-policy-test)#authentication server 5 timeout 10 attempts 3
rfs6000-37FABE(config-aaa-policy-test)#authentication protocol chap
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#
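The realm-type, realm and strip parameters of nai-routing are easiest to see on concrete user names. The following is an added example in Python, not code from this guide or from the WiNG product: it models how a User-Name is split into user and realm for the prefix (AC\JohnTalbot) and suffix (JohnTalbot@AC.org) forms, whether it matches the configured realm, and what is forwarded when strip is set. Comparing the realm case-insensitively and leaving a name without any realm unmatched are assumptions of this example; the guide does not state either.

```python
# Added example (not from the CLI Reference Guide or the WiNG product):
# models "authentication server <N> nai-routing realm-type [prefix|suffix]
# realm <REALM-NAME> {strip}" on a RADIUS User-Name.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class NaiRouting:
    realm_type: str      # "prefix" (realm\user) or "suffix" (user@realm)
    realm: str           # realm to match; the CLI limits it to 64 characters
    strip: bool = False  # send only the user part when the realm matches

    def __post_init__(self) -> None:
        if self.realm_type not in ("prefix", "suffix"):
            raise ValueError("realm-type must be 'prefix' or 'suffix'")
        if not 0 < len(self.realm) <= 64:
            raise ValueError("realm name must be 1-64 characters")


def split_nai(username: str, realm_type: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm); realm is None when the name carries none.

    prefix form: AC\\JohnTalbot    -> ("JohnTalbot", "AC")
    suffix form: JohnTalbot@AC.org -> ("JohnTalbot", "AC.org")
    """
    if realm_type == "prefix":
        realm, sep, user = username.partition("\\")
        return (user, realm) if sep else (username, None)
    # Suffix: split on the last '@' so a user part containing '@' survives.
    user, sep, realm = username.rpartition("@")
    return (user, realm) if sep else (username, None)


def route(username: str, cfg: NaiRouting) -> Tuple[bool, str]:
    """Apply NAI routing to one User-Name.

    Returns (matched, user_name_to_forward).  On a realm match the name is
    forwarded unchanged, or reduced to the user part when strip is set.
    Realm comparison is case-insensitive here (assumption, not stated by
    the guide); a name with no realm never matches (also an assumption).
    """
    user, realm = split_nai(username, cfg.realm_type)
    if realm is None or realm.lower() != cfg.realm.lower():
        return False, username
    return True, (user if cfg.strip else username)


if __name__ == "__main__":
    # Constructed sample names, taken from the forms shown in the guide.
    for name, cfg in [
        ("AC\\JohnTalbot", NaiRouting("prefix", "AC", strip=True)),
        ("JohnTalbot@AC.org", NaiRouting("suffix", "AC.org")),
        ("JohnTalbot@other.org", NaiRouting("suffix", "AC.org", strip=True)),
    ]:
        print(f"{name!r:28} -> {route(name, cfg)}")
```

Note what strip changes from the RADIUS server's point of view: with strip, the backend sees only JohnTalbot and cannot tell which realm the request arrived under, so realm-based policy on that server must instead rely on the proxying device having already selected the right server by realm.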
Related Commands
no    Resets authentication parameters on this AAA policy

8.1.4 health-check
aaa-policy

An AAA server could go offline. When a server goes offline, it is marked as down. This command configures the interval after which a server marked as down is checked to see if it has come back online and is reachable.

Supported in the following platforms:
Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
health-check interval <60-86400>

Parameters
health-check interval <60-86400>

interval <60-86400>
    Configures an interval (in seconds) after which a down server is checked to see if it is reachable again
    <60-86400>  Specify a value from 60 - 86400 seconds. The default is 3600 seconds.

Example
rfs6000-37FABE(config-aaa-policy-test)#health-check interval 4000
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 health-check interval 4000
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#

Related Commands
no    Resets the health-check interval for AAA servers

8.1.5 mac-address-format
aaa-policy

Configures the format in which MAC addresses are filled in RADIUS request frames

Supported in the following platforms:
Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot]
mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password]

Parameters
mac-address-format [middle-hyphen|no-delim|pair-colon|pair-hyphen|quad-dot] case [lower|upper] attributes [all|username-password]

middle-hyphen  Configures the MAC address format as AABBCC-DDEEFF
no-delim       Configures the MAC address format as AABBCCDDEEFF (without delimiters)
pair-colon     Configures the MAC address format as AA:BB:CC:DD:EE:FF
pair-hyphen    Configures the MAC address format as AA-BB-CC-DD-EE-FF (default setting)
quad-dot       Configures the MAC address format as AABB.CCDD.EEFF
case [lower|upper]
    Indicates the case in which the MAC address is formatted
    lower  Indicates the MAC address is in lower case. For example, aa:bb:cc:dd:ee:ff
    upper  Indicates the MAC address is in upper case. For example, AA:BB:CC:DD:EE:FF (default setting)
attributes [all|username-password]
    Configures the RADIUS attributes to which this MAC format is applicable
    all                Applies to all attributes carrying MAC addresses, such as username, password, calling-station-id, and called-station-id
    username-password  Applies only to the username and password fields (default setting)

Example
rfs6000-37FABE(config-aaa-policy-test)#mac-address-format quad-dot case upper attributes username-password
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 mac-address-format quad-dot case upper attributes username-password
 authentication protocol chap
--More--
rfs6000-37FABE(config-aaa-policy-test)#
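Because a RADIUS server doing MAC authentication compares the literal string it receives, the exact encoding chosen here decides whether a client's MAC matches its database entry. The following is an added example in Python, not code from this guide or from the WiNG product: it reproduces the five mac-address-format encodings and the case option, and builds the MAC-based attribute set that the attributes option selects. Two details are assumptions of this example rather than statements of the guide: that the password attribute carries the client MAC in the same format as the user name, and that Calling-Station-Id and Called-Station-Id keep the default pair-hyphen, upper-case form when attributes is username-password.

```python
# Added example (not from the CLI Reference Guide or the WiNG product):
# the five "mac-address-format" encodings, the "case" option, and the
# attribute set the "attributes [all|username-password]" option governs.
import re
from typing import Callable, Dict

# Each encoder takes 12 upper-case hex digits and returns the formatted MAC.
FORMATS: Dict[str, Callable[[str], str]] = {
    "middle-hyphen": lambda h: f"{h[0:6]}-{h[6:12]}",                    # AABBCC-DDEEFF
    "no-delim":      lambda h: h,                                          # AABBCCDDEEFF
    "pair-colon":    lambda h: ":".join(h[i:i + 2] for i in range(0, 12, 2)),  # AA:BB:CC:DD:EE:FF
    "pair-hyphen":   lambda h: "-".join(h[i:i + 2] for i in range(0, 12, 2)),  # AA-BB-CC-DD-EE-FF
    "quad-dot":      lambda h: ".".join(h[i:i + 4] for i in range(0, 12, 4)),  # AABB.CCDD.EEFF
}
DEFAULT_FORMAT, DEFAULT_CASE = "pair-hyphen", "upper"   # the CLI defaults


def normalize_mac(mac: str) -> str:
    """Accept any of the five encodings and return 12 upper-case hex digits."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.upper()


def format_mac(mac: str, fmt: str = DEFAULT_FORMAT, case: str = DEFAULT_CASE) -> str:
    """Render a MAC in the given mac-address-format and case."""
    if fmt not in FORMATS:
        raise ValueError(f"unknown format {fmt!r}")
    if case not in ("lower", "upper"):
        raise ValueError("case must be 'lower' or 'upper'")
    rendered = FORMATS[fmt](normalize_mac(mac))
    return rendered.lower() if case == "lower" else rendered


def mac_auth_attributes(client_mac: str, ap_mac: str, fmt: str = DEFAULT_FORMAT,
                        case: str = DEFAULT_CASE,
                        attributes: str = "username-password") -> Dict[str, str]:
    """Build the MAC-carrying RADIUS attributes of a MAC-authentication request.

    Assumptions of this example: User-Password carries the client MAC in the
    same format as User-Name, and with attributes="username-password" the two
    station-id attributes keep the CLI default (pair-hyphen, upper case).
    """
    if attributes not in ("all", "username-password"):
        raise ValueError("attributes must be 'all' or 'username-password'")
    chosen = lambda m: format_mac(m, fmt, case)
    default = lambda m: format_mac(m, DEFAULT_FORMAT, DEFAULT_CASE)
    station = chosen if attributes == "all" else default
    user = chosen(client_mac)
    return {
        "User-Name": user,
        "User-Password": user,
        "Calling-Station-Id": station(client_mac),
        "Called-Station-Id": station(ap_mac),
    }


if __name__ == "__main__":
    # Constructed sample addresses, not real devices.
    for fmt in FORMATS:
        print(f"{fmt:14} {format_mac('aa:bb:cc:dd:ee:ff', fmt, 'upper')}")
    print(mac_auth_attributes("aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55", "quad-dot", "upper"))
```

A practical check when MAC authentication starts failing after a policy change: render the failing client's address with the policy's format and case and compare it byte for byte with the server-side entry, since a lower/upper or delimiter mismatch is a plain string mismatch to the RADIUS server.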
Related Commands
no    Resets the MAC address format to default (pair-hyphen)

8.1.6 no
aaa-policy

Negates a AAA policy command or sets its default

Supported in the following platforms:
Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [accounting|attribute|authentication|health-check|mac-address-format|proxy-attribute|server-pooling-mode|use]
no accounting interim interval
no accounting server preference
no accounting server <1-6> {dscp|nai-routing|proxy-mode|retry-timeout-factor|timeout}
no accounting type
no attribute [acct-delay-time|acct-multi-session-id|chargeable-user-identity|cisco-vsa audit-session-id|framed-ip-address|framed-mtu|location-information|nas-ipv6-address|operator-name|service-type]
no authentication [eap|protocol|server]
no authentication eap wireless-client [attempts|identity-request-retry-timeout|identity-request-timeout|retry-timeout-factor|timeout]
no authentication protocol
no authentication server <1-6> {dscp|nac|nai-routing|proxy-mode|retry-timeout-factor|timeout}
no health-check interval
no mac-address-format
no proxy-attribute [nas-identifier|nas-ip-address]
no server-pooling-mode
no use nac-list

Parameters
no <PARAMETERS>

no <PARAMETERS>
    Negates a AAA policy command or sets its default

Example
The following example shows the AAA policy test settings before the no commands are executed:
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 accounting server 2 timeout 2 attempts 2
 mac-address-format quad-dot case upper attributes username-password
 authentication protocol chap
 accounting interim interval 65
 accounting server preference auth-server-number
 health-check interval 4000
 attribute framed-mtu 110
rfs6000-37FABE(config-aaa-policy-test)#

rfs6000-37FABE(config-aaa-policy-test)#no accounting server 2 timeout 2
rfs6000-37FABE(config-aaa-policy-test)#no accounting interim interval
rfs6000-37FABE(config-aaa-policy-test)#no health-check interval
rfs6000-37FABE(config-aaa-policy-test)#no attribute framed-mtu
rfs6000-37FABE(config-aaa-policy-test)#no authentication protocol

The following example shows the AAA policy test settings after the no commands are executed:
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 mac-address-format quad-dot case upper attributes username-password
 accounting server preference auth-server-number
 health-check interval 4000
rfs6000-37FABE(config-aaa-policy-test)#

8.1.7 proxy-attribute
aaa-policy

Configures the RADIUS server attribute behavior when proxying through a wireless controller or a RF Domain manager

Supported in the following platforms:
Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy-attribute [nas-identifier|nas-ip-address]
proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]

Parameters
proxy-attribute [nas-identifier [originator|proxier]|nas-ip-address [none|proxier]]

nas-identifier [originator|proxier]
    Uses the NAS identifier
    originator  Configures the NAS identifier as the originator of the RADIUS request. The originator could be an AP, or a wireless controller with radio. This is the default setting.
    proxier     Configures the proxying device as the NAS identifier. The device could be a controller or a RF Domain manager.
nas-ip-address [none|proxier]
    Uses the NAS IP address
    none     The NAS IP address attribute is not filled
    proxier  The NAS IP address is filled by the proxying device. The device could be a controller or a RF Domain manager. This is the default setting.

Example
rfs6000-37FABE(config-aaa-policy-test)#proxy-attribute nas-ip-address proxier
rfs6000-37FABE(config-aaa-policy-test)#proxy-attribute nas-identifier originator

Related Commands
no    Resets the RADIUS server proxying attributes

8.1.8 server-pooling-mode

Configures the server selection method from a pool of AAA servers. The available methods are failover and load-balance. In the failover scenario, when a configured AAA server goes down, the server with the next higher index takes over for the failed server. In the load-balance scenario, when a configured AAA server goes down, the remaining servers distribute the load amongst themselves.

Supported in the following platforms:
Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
server-pooling-mode [failover|load-balance]

Parameters
server-pooling-mode [failover|load-balance]

failover      Sets the pooling mode to failover. This is the default setting. When a configured AAA server fails, the server with the next higher index takes over the failed server's load.
load-balance  Sets the pooling mode to load balancing. When a configured AAA server fails, all servers in the pool share the failed server's load, transmitting requests in a round-robin fashion.

Example
rfs6000-37FABE(config-aaa-policy-test)#server-pooling-mode load-balance
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test2 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 server-pooling-mode load-balance
 mac-address-format quad-dot case upper attributes username-password
 accounting server preference auth-server-number
 health-check interval 4000
rfs6000-37FABE(config-aaa-policy-test)#
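The timeout, attempts and retry-timeout-factor parameters of authentication server, the health-check interval, and the two pooling modes decide together how long a dead AAA server is retried before traffic moves on, and how long it stays out of the pool afterwards. The following is an added example in Python, not code from this guide or from the WiNG product, that works those settings through on constructed values. Two things in it are assumptions consistent with, but not stated by, the descriptions: the scaling formula (each successive retry waits timeout multiplied by factor/100 once more than the previous one) and that load-balance runs round-robin over whichever servers are still up.

```python
# Added example (not from the CLI Reference Guide or the WiNG product):
# a model of authentication-server retry timing, server-pooling-mode and
# health-check interval, so their interaction can be worked through.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


def retry_schedule(timeout: int, attempts: int, factor: int = 100) -> List[float]:
    """Seconds waited on each attempt before the next retry (or giving up).

    Assumed model: attempt k waits timeout * (factor/100) ** k.  This gives
    the behaviour the guide describes (100 keeps the interval constant,
    <100 shrinks it, >100 grows it).  Ranges are the CLI ranges.
    """
    if not 1 <= timeout <= 60:
        raise ValueError("timeout must be 1-60 seconds")
    if not 1 <= attempts <= 10:
        raise ValueError("attempts must be 1-10")
    if not 50 <= factor <= 200:
        raise ValueError("retry-timeout-factor must be 50-200")
    scale = factor / 100.0
    return [round(timeout * scale ** k, 3) for k in range(attempts)]


def time_to_give_up(timeout: int, attempts: int, factor: int = 100) -> float:
    """Worst-case seconds spent on one unreachable server before giving up."""
    return round(sum(retry_schedule(timeout, attempts, factor)), 3)


@dataclass
class AaaPool:
    """Up to 6 indexed AAA servers with failover or load-balance selection."""
    mode: str = "failover"              # server-pooling-mode [failover|load-balance]
    health_check_interval: int = 3600   # health-check interval <60-86400>, default 3600
    servers: Dict[int, str] = field(default_factory=dict)       # index -> host
    down_since: Dict[int, float] = field(default_factory=dict)  # index -> time marked down
    rr_cursor: int = 0                  # round-robin position for load-balance

    def __post_init__(self) -> None:
        if self.mode not in ("failover", "load-balance"):
            raise ValueError("mode must be 'failover' or 'load-balance'")
        if not 60 <= self.health_check_interval <= 86400:
            raise ValueError("health-check interval must be 60-86400 seconds")

    def add_server(self, index: int, host: str) -> None:
        if not 1 <= index <= 6:
            raise ValueError("server index must be 1-6")
        self.servers[index] = host

    def up_servers(self) -> List[int]:
        return sorted(i for i in self.servers if i not in self.down_since)

    def select(self) -> Optional[int]:
        """Server index for the next request, or None when every server is down."""
        up = self.up_servers()
        if not up:
            return None
        if self.mode == "failover":
            return up[0]                          # lowest index still up
        chosen = up[self.rr_cursor % len(up)]     # round-robin over up servers
        self.rr_cursor += 1
        return chosen

    def mark_down(self, index: int, now: float) -> None:
        """Call once retry_schedule() has been exhausted without a reply."""
        self.down_since[index] = now

    def health_check(self, now: float, probe: Callable[[str], bool]) -> List[int]:
        """Re-probe servers down for at least the interval; return those recovered."""
        recovered = []
        for index, since in list(self.down_since.items()):
            if now - since >= self.health_check_interval and probe(self.servers[index]):
                del self.down_since[index]
                recovered.append(index)
        return recovered


if __name__ == "__main__":
    # Values from the guide's example: timeout 10, attempts 3, default factor.
    print("retry waits:", retry_schedule(10, 3), "total:", time_to_give_up(10, 3))
    pool = AaaPool(mode="failover", health_check_interval=4000)
    pool.add_server(5, "172.16.10.10")   # host from the guide's example
    pool.add_server(6, "192.0.2.10")     # constructed second server
    pool.mark_down(5, now=0.0)
    print("after server 5 is marked down, requests go to:", pool.select())
    print("recovered at t=4000:", pool.health_check(4000.0, probe=lambda host: True))
```

Two operational consequences follow directly from the model: with the defaults (3 seconds, 3 attempts, factor 100) a supplicant waits 9 seconds per dead server before the pool moves on, and a factor above 100 lengthens that further, so a high attempts count combined with a large factor should be checked against how long clients can tolerate an authentication stall; and a down server is not retried before the health-check interval elapses, so a recovered server stays idle for up to that long.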
Related Commands
no    Resets the method of selecting a server from the pool of configured AAA servers

8.1.9 use
aaa-policy

Associates a Network Access Control (NAC) list with this AAA policy. This allows only the set of configured devices to use the configured AAA servers. For more information on creating a NAC list, see nac-list.

Supported in the following platforms:
Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers  RFS4000, RFS6000
Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use nac-list <NAC-LIST-NAME>

Parameters
use nac-list <NAC-LIST-NAME>

nac-list <NAC-LIST-NAME>
    Associates a NAC list with this AAA policy
    <NAC-LIST-NAME>  Specify the NAC list name (should be existing and configured).

Example
rfs6000-37FABE(config-aaa-policy-test)#use nac-list test1
rfs6000-37FABE(config-aaa-policy-test)#show context
aaa-policy test
 authentication server 5 host 172.16.10.10 secret 0 test1 port 1
 authentication server 5 timeout 10
 accounting server 2 host 172.16.10.10 secret 0 test1 port 1
 server-pooling-mode load-balance
 mac-address-format quad-dot case upper attributes username-password
 accounting server preference auth-server-number
 health-check interval 4000
 use nac-list test1
rfs6000-37FABE(config-aaa-policy-test)#
Related Commands
no        Resets set values or disables commands
nac-list  Creates a NAC list

9 AUTO-PROVISIONING-POLICY

This chapter summarizes the auto provisioning policy commands in the CLI command structure.

Wireless devices can adopt and manage other wireless devices. For example, a wireless controller can adopt multiple access points. When a device is adopted, the device configuration is provisioned by the adopting device. Since multiple configuration policies are supported, an adopting device uses auto provisioning policies to determine which configuration policies are applied to an adoptee based on its properties. For example, a configuration policy could be assigned based on MAC address, IP address, CDP snoop strings, etc.

Auto provisioning or adoption is the process by which an access point discovers controllers in the network, identifies the most desirable controller, associates with the identified controller, optionally obtains an image upgrade, obtains its configuration and considers itself provisioned. At adoption, an access point solicits and receives multiple adoption responses from controllers available on the network. These adoption responses contain loading policy information the access point uses to select the optimum controller for adoption.

An auto-provisioning policy maps a new AP to a profile and RF Domain based on various parameters related to the AP and where it is connected. By default a new AP is mapped to the default profile and default RF Domain. Modify existing auto-provisioning policies or create a new one as needed to meet the configuration requirements of a device.

An auto-provisioning policy enables an administrator to define rules for the supported access points capable of being adopted by a controller. The policy determines which configuration policies are applied to an adoptee based on its properties. For example, a configuration policy could be assigned based on MAC address, IP address, Cisco Discovery Protocol (CDP) snoop strings, etc. Once created, an auto provisioning policy can be used in profiles or device configuration objects.

The policy contains a set of rules (ordered by precedence) that either deny or allow adoption based on potential adoptee properties, and a catch-all variable that determines whether adoption should be allowed when none of the rules is matched. All rules (both deny and allow) are evaluated sequentially, starting with the rule with the lowest precedence value. The evaluation stops as soon as a rule has been matched; no attempt is made to find a better match further down in the set. For example:

rule #1  adopt ap7161 10 profile default vlan 10
rule #2  adopt ap6562 20 profile default vlan 20
rule #3  adopt ap7161 30 profile default serial-number
rule #4  adopt ap7161 40 p d mac aa bb

AP7161 L2 adoption, VLAN 10 - will use rule #1
AP7161 L2 adoption, VLAN 20 - will not use rule #2 (wrong type); may use rule #3 if the serial number matched, or rule #4 if aa <= MAC <= bb, or else the default.

With the implementation of the hierarchically managed (HM) network, the auto-provisioning policy has been modified to enable controllers to adopt other controllers in addition to access points. The WiNG HM network defines a three-tier structure consisting of multiple wireless sites managed by a single Network Operations Center (NOC) controller. The NOC controller constitutes the first tier and the site controllers constitute the second tier of the hierarchy. The site controllers in turn adopt and manage access points, which form the third tier of the hierarchy.

All adopted devices (access points and second-level controllers) are referred to as adoptees. The adopting devices are the adopters. A controller cannot be configured as an adoptee and an adopter simultaneously. In other words, a controller can either be an adopter (adopts another controller) or an adoptee (is adopted by another controller). Therefore, a site controller, which has been adopted by a NOC controller, cannot adopt another controller. A controller should be configured to specify the device types (APs and/or controllers) that it can adopt. For more information on configuring the adopted-device types for a controller, see controller.

NOTE: The adoption capabilities of a controller depend on:
- Whether the controller is deployed at the NOC or at a site. A NOC controller can adopt site controllers and access points. A site controller can only adopt access points.
- The controller device type, which determines the number and type of devices it can adopt.

NOTE: Some access points can be configured as virtual controllers. When configured as a virtual controller, an AP can only adopt another AP of the same type. In such a scenario, an auto provisioning policy is required to enable adoption of a specific device identified by its MAC address, IP address, serial number, model number, etc.

Use the (config) instance to configure an auto-provisioning policy. To navigate to the auto-provisioning-policy configuration instance, use the following command:
<DEVICE>(config)#auto-provisioning-policy <POLICY-NAME>
nx9500-6C8809(config)#auto-provisioning-policy test
nx9500-6C8809(config-auto-provisioning-policy-test)#?
Auto-Provisioning Policy Mode commands:
  adopt                     Add rule for device adoption
  auto-create-rfd-template  When RF Domain specified by the matching rule template does not exist create new RF Domain automatically
  default-adoption          Adopt devices even when no matching rules are found. Assign default profile and default rf-domain
  deny                      Add rule to deny device adoption
  evaluate-always           Set the flag to evaluate the policy everytime, regardless of previous adoption status
  no                        Negate a command or set its defaults
  redirect                  Add rule to redirect device adoption
  upgrade                   Add rule for device upgrade

  clrscr                    Clears the display screen
  commit                    Commit all changes made in this session
  do                        Run commands from Exec mode
  end                       End current mode and change to EXEC mode
  exit                      End current mode and down to previous mode
  help                      Description of the interactive help system
  revert                    Revert changes
  service                   Service Commands
  show                      Show running system information
  write                     Write running configuration to memory or terminal

nx9500-6C8809(config-auto-provisioning-policy-test)#
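The precedence-ordered, first-match evaluation described in the chapter introduction (rules #1 to #4 and the two AP7161 cases) can be checked with a small evaluator. The following is an added example in Python, not code from this guide or from the WiNG product. It supports the any, vlan, serial-number and mac match criteria of the adopt and deny rules and the default-adoption catch-all; the serial numbers and MAC bounds in its sample rule set are constructed placeholders, and treating anyap as any device type whose name begins with ap, and default-adoption as assigning the default profile, are assumptions of this example.

```python
# Added example (not from the CLI Reference Guide or the WiNG product):
# first-match evaluation of auto-provisioning adopt/deny rules by precedence.
import re
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

AP_PREFIX = "ap"   # assumption: anyap matches device types named ap*


@dataclass(frozen=True)
class Rule:
    action: str              # "adopt" or "deny"
    device_type: str         # "anyap", "ap7161", "ap6562", "rfs6000", ...
    precedence: int          # 1-10000; a lower value is evaluated first
    profile: str             # profile assigned when an adopt rule matches
    match: Tuple[str, ...]   # ("any",), ("vlan", id), ("serial-number", sn), ("mac", start[, end])

    def __post_init__(self) -> None:
        if self.action not in ("adopt", "deny"):
            raise ValueError("action must be 'adopt' or 'deny'")
        if not 1 <= self.precedence <= 10000:
            raise ValueError("precedence must be 1-10000")


@dataclass(frozen=True)
class Adoptee:
    """The properties of a device asking to be adopted (constructed)."""
    device_type: str
    vlan: int
    serial_number: str
    mac: str


def mac_to_int(mac: str) -> int:
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def rule_matches(rule: Rule, dev: Adoptee) -> bool:
    """Device type must fit, then the rule's single criterion must hold."""
    if rule.device_type == "anyap":
        if not dev.device_type.startswith(AP_PREFIX):
            return False
    elif rule.device_type != dev.device_type:
        return False
    kind, *args = rule.match
    if kind == "any":
        return True
    if kind == "vlan":
        return dev.vlan == int(args[0])
    if kind == "serial-number":
        return dev.serial_number == args[0]
    if kind == "mac":                     # inclusive range; single MAC if no end
        lo = mac_to_int(args[0])
        hi = mac_to_int(args[1]) if len(args) > 1 else lo
        return lo <= mac_to_int(dev.mac) <= hi
    raise ValueError(f"unsupported match criterion {kind!r}")


def evaluate(rules: Sequence[Rule], dev: Adoptee, default_adoption: bool = True,
             default_profile: str = "default") -> Tuple[bool, Optional[str], Optional[int]]:
    """Return (adopted, profile, precedence of the matching rule or None).

    Rules are walked from the lowest precedence value upward and evaluation
    stops at the first match, as the guide describes; a matching deny rule
    wins even if a later adopt rule would also match.  With no match,
    default-adoption decides (assumed here to assign default_profile).
    """
    seen = set()
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.precedence in seen:
            raise ValueError(f"duplicate precedence {rule.precedence}")
        seen.add(rule.precedence)
        if rule_matches(rule, dev):
            if rule.action == "deny":
                return False, None, rule.precedence
            return True, rule.profile, rule.precedence
    return (True, default_profile, None) if default_adoption else (False, None, None)


# Constructed rule set mirroring the four-rule example in the chapter intro.
# The serial number and the MAC bounds are placeholders, not real devices.
EXAMPLE_RULES = [
    Rule("adopt", "ap7161", 10, "default", ("vlan", "10")),
    Rule("adopt", "ap6562", 20, "default", ("vlan", "20")),
    Rule("adopt", "ap7161", 30, "default", ("serial-number", "SN-PLACEHOLDER-1")),
    Rule("adopt", "ap7161", 40, "default", ("mac", "00-11-22-00-00-AA", "00-11-22-00-00-BB")),
]

if __name__ == "__main__":
    for dev in (Adoptee("ap7161", 10, "SN-OTHER", "00-11-22-00-00-01"),
                Adoptee("ap7161", 20, "SN-PLACEHOLDER-1", "00-11-22-00-00-01"),
                Adoptee("ap7161", 20, "SN-OTHER", "00-11-22-00-00-B0"),
                Adoptee("ap7161", 20, "SN-OTHER", "00-11-22-00-00-CC")):
        print(dev, "->", evaluate(EXAMPLE_RULES, dev))
```

The evaluator makes the ordering hazard of such policies visible: a broad adopt rule (anyap with any) given a low precedence value shadows every more specific deny rule behind it, so when reviewing a policy, sort it by precedence and confirm the deny rules sit in front of any catch-all adopt rule, and decide deliberately whether default-adoption should be on at all.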
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

9.1 auto-provisioning-policy
AUTO-PROVISIONING-POLICY

The following table summarizes auto provisioning policy configuration commands:

Table 9.1 Auto-Provisioning-Policy-Config Commands

Command                   Description                                                                                                   Reference
adopt                     Adds a permit adoption rule                                                                                   page 9-5
auto-create-rfd-template  Enables auto creation of a new RF Domain based on an existing RF Domain template specified using this command  page 9-10
default-adoption          Adopts devices even when no matching rules are found. Assigns default profile and default RF Domain            page 9-12
deny                      Adds a deny adoption rule                                                                                     page 9-13
evaluate-always           Runs this policy every time a device is adopted                                                               page 9-16
redirect                  Adds a rule redirecting device adoption to a specified controller within the system                            page 9-17
upgrade                   Adds a device upgrade rule to this auto provisioning policy                                                   page 9-21
no                        Negates a command or reverts settings to their default                                                        page 9-24

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

9.1.1 adopt
auto-provisioning-policy

Adds device adoption rules

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]
adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000>
[profile|rf-domain]
adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7632|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [any|area|cdp-match|
dhcp-option|floor|fqdn|ip|ipv6|lldp-match|mac|model-number|rf-domain|
serial-number|vlan]
adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] any adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [area <AREA-NAME>|
cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|fqdn
<FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]
|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-
NUMBER>|serial-number <SERIAL-NUMBER>|rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]
Parameters adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|
ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|
nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000>
[profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] any

Access Point, Wireless Controller and Service Platform CLI Reference Guide 9 - 5 AUTO-PROVISIONING-POLICY

adopt
    Adds an adopt device rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule. The device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX95XX, VX9000, and NX9600.
    Note: anyap is used in auto provisioning policies to create rules that apply to any AP regardless of the model type.
precedence <1-10000>
    Sets the rule precedence from 1 - 10000. A rule with a lower value has a higher precedence.
profile <DEVICE-PROFILE-NAME>
    Sets the device profile for this provisioning policy. The selected device profile must be appropriate for the device being provisioned. For example, use an AP7502 device profile for an AP7502. Using an inappropriate device profile can produce unpredictable results. Provide the name of an existing, configured device profile, or a template with appropriate substitution tokens, such as 'campus-$MODEL[1:6]' or '$FQDN[1:4]-indoor'. See the Usage Guidelines section Built-in Tokens & Alias for the built-in tokens available in the system.
rf-domain <RF-DOMAIN-NAME>
    Sets the RF Domain for this auto provisioning policy. The provisioning policy applies only to devices that try to become part of the specified RF Domain. Provide the full name of an existing, configured RF Domain, a string alias that identifies it, or a template with appropriate substitution tokens, such as '$CDP[1:7]' or '$DNS-SUFFIX[1:5]'. See the Usage Guidelines section Built-in Tokens & Alias for the built-in tokens available in the system.
    Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, alias string $DOMAIN test.example_company.com. In this example, the string alias $DOMAIN is mapped to the string test.example_company.com. For more information, see alias.
any
    Indicates any device. Any device seeking adoption is adopted.

adopt [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx9000|vx9000|nx9600] precedence <1-10000> [profile <DEVICE-PROFILE-NAME>|rf-domain <RF-DOMAIN-NAME>] [area <AREA-NAME>|cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|floor <FLOOR-NAME>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|rf-domain <RF-DOMAIN-NAME>|vlan <VLAN-ID>]
adopt
    Adds an adopt device rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule. The device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX7500, NX7510, NX7520, NX7530, NX95XX, VX9000, and NX9600.
    Note: anyap is used in auto provisioning policies to create rules that apply to any AP regardless of the model type.
precedence <1-10000>
    Sets the rule precedence. A rule with a lower value has a higher precedence.
profile <DEVICE-PROFILE-NAME>
    Sets the device profile for this provisioning policy. The selected device profile must be appropriate for the device being provisioned. For example, use an AP7502 device profile for an AP7502. Using an inappropriate device profile can produce unpredictable results. Provide the name of an existing, configured device profile, or a template with appropriate substitution tokens, such as 'campus-$MODEL[1:6]' or '$FQDN[1:4]-indoor'. See the Usage Guidelines section Built-in Tokens & Alias for the built-in tokens available in the system.
rf-domain <RF-DOMAIN-NAME>
    Sets the RF Domain for this auto provisioning policy. The provisioning policy applies only to devices that try to become part of the specified RF Domain. Provide the full name of an existing, configured RF Domain, an alias, or a template with appropriate substitution tokens, such as '$CDP[1:7]' or '$DNS-SUFFIX[1:5]'. See the Usage Guidelines section Built-in Tokens & Alias for the built-in tokens available in the system.
    Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, alias string $DOMAIN test.example_company.com. In this example, the string alias $DOMAIN is mapped to the string test.example_company.com. For more information, see alias.
area <AREA-NAME>
    Matches the area of deployment. This option is not applicable to the rf-domain parameter.
    <AREA-NAME> Enter a 64 character maximum deployment area name assigned to this policy. Devices with matching area names are adopted.
cdp-match <LOCATION-SUBSTRING>
    Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices, controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of substrings that will match.
    <LOCATION-SUBSTRING> Specify the value to match. Devices matching the specified value are adopted.
dhcp-option <DHCP-OPTION>
    Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP. The value of the option is a string of tag=value pairs separated by semicolons, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of the tag 'rf-domain', if present.
    <DHCP-OPTION> Specify the DHCP option. Devices matching the specified value are adopted.
floor <FLOOR-NAME>
    Matches the floor name. This option is not applicable to the rf-domain parameter.
    <FLOOR-NAME> Enter a 32 character maximum deployment floor name assigned to this policy. Devices with matching floor names are adopted.
fqdn <FQDN>
    Matches a substring of the Fully Qualified Domain Name (FQDN) of a device (case insensitive). An FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain. This parameter allows a device to be adopted based on its FQDN value.
    <FQDN> Specify the FQDN. Devices matching the specified value are adopted.
ip [<START-IP> <END-IP>|<IP/MASK>]
    Adopts a device if its IP address matches the specified IPv4 address, is within the specified IP address range, or is part of the specified subnet.
    <START-IP> Specify the first IPv4 address in the range.
    <END-IP> Specify the last IPv4 address in the range.
    <IP/MASK> Specify the IPv4 subnet and mask to match against the device's IP address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>]
    Adopts a device if its IPv6 address matches the specified IPv6 address, is within the specified IP address range, or is part of the specified subnet.
    <START-IP> Specify the first IPv6 address in the range.
    <END-IP> Specify the last IPv6 address in the range.
    <IP/MASK> Specify the IPv6 subnet and mask to match against the device's IPv6 address.
lldp-match <LLDP-STRING>
    Matches a substring in a list of Link Layer Discovery Protocol (LLDP) snoop strings (case insensitive). For example, if an access point snooped 3 devices, controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of substrings that will match. LLDP is a vendor neutral link layer protocol that advertises a network device's identity, capabilities, and neighbors on a local area network.
    <LLDP-STRING> Specify the LLDP string. Devices matching the specified value are adopted.
mac <START-MAC> {<END-MAC>}
    Adopts a device if its MAC address matches the specified MAC address or is within the specified MAC address range.
    <START-MAC> Specify the first MAC address in the range. Provide only this MAC address to match a single device.
    <END-MAC> Optional. Specify the last MAC address in the range.
model-number <MODEL-NUMBER>
    Adopts a device if its model number matches <MODEL-NUMBER>.
    <MODEL-NUMBER> Specify the model number.
rf-domain <RF-DOMAIN-NAME>
    Adopts a device if its RF Domain matches <RF-DOMAIN-NAME>.
    <RF-DOMAIN-NAME> Specify the RF Domain name. You can use a string alias to specify an RF Domain. Provide the full name of an existing, configured RF Domain, an alias, or a template with appropriate substitution tokens, such as '$CDP[1:7]' or '$DNS-SUFFIX[1:5]'. See the Usage Guidelines section Built-in Tokens & Alias for the built-in tokens available in the system.
    Note: Use the built-in string alias or a user-defined string alias. String aliases allow you to configure APs in the same RF Domain as the adopting controller. A string alias maps a name to an arbitrary string value, for example, alias string $DOMAIN test.example_company.com. In this example, the string alias $DOMAIN is mapped to the string test.example_company.com. For more information, see alias.
serial-number <SERIAL-NUMBER>
    Adopts a device if its serial number matches <SERIAL-NUMBER>.
    <SERIAL-NUMBER> Specify the serial number.
vlan <VLAN-ID>
    Adopts a device if its VLAN matches <VLAN-ID>.
    <VLAN-ID> Specify the VLAN ID.

Usage Guidelines

Built-in Tokens & Alias

Following are the built-in tokens that can be used to identify the devices to adopt:
$FQDN - references the FQDN of the adopting device
$CDP - references the CDP Device Id of the wired switch to which the adopting device is connected
$LLDP - references the LLDP System Name of the wired switch to which the adopting device is connected
$DHCP - references the DHCP Option Value received by the adopting device
$SN - references the SERIAL NUMBER of the adopting device
$MODEL - references the MODEL NUMBER of the adopting device
$DNS-SUFFIX - references the FQDN excluding the hostname of the adopting device
$CDP-SUFFIX - references the CDP Device Id excluding the hostname of the adopting device
$LLDP-SUFFIX - references the LLDP System Name excluding the hostname of the adopting device

Following is the built-in alias that can be used to identify the RF Domain of devices to adopt:
$AUTO-RF-DOMAIN - the RF Domain of the adopting device

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#adopt ap81xx precedence 1 profile default-ap81xx vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#
rfs4000-229D58(config-auto-provisioning-policy-test)#show wireless ap configured
---------------------------------------------------------------------------------------------
  IDX   NAME             MAC                 PROFILE           RF-DOMAIN   ADOPTED-BY
---------------------------------------------------------------------------------------------
  1     ap81xx-711728    B4-C7-99-71-17-28   default-ap81xx    default     00-23-68-22-9D-58
  2     rfs4000-229D58   00-23-68-22-9D-58   default-rfs4000   default
---------------------------------------------------------------------------------------------
rfs4000-229D58(config-auto-provisioning-policy-test)#

rfs6000-6DCD4B(config-auto-provisioning-policy-test)#adopt anyap precedence 1 profile rfs6000 any
rfs6000-6DCD4B(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt anyap precedence 1 profile rfs6000 any
rfs6000-6DCD4B(config-auto-provisioning-policy-test)#
Related Commands

no    Removes an adopt rule

9.1.2 auto-create-rfd-template
auto-provisioning-policy

Enables auto creation of an RF Domain when tokens are used to select the RF Domain to apply to devices matching the adoption criteria, and the token-specified RF Domain does not exist. During device adoption, if the token-specified RF Domain (configured using the adopt rule) is not found, the system auto creates a new RF Domain based on an existing RF Domain template specified using this command. This option is disabled by default.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

auto-create-rfd-template <RF-DOMAIN-NAME>

Parameters

auto-create-rfd-template <RF-DOMAIN-NAME>

auto-create-rfd-template <RF-DOMAIN-NAME>
    Auto creates a new RF Domain based on an existing RF Domain template.
    <RF-DOMAIN-NAME> Specify the RF Domain name (should be existing and configured). The new RF Domain created is saved with the token name specified in the adopt command.
    Note: For more information on configuring tokens, see adopt.

Example

The following example configures an adopt rule for adopting any AP7532 and applying an RF Domain matching the token $MODEL[1:5] to the adopted AP:

nx9500-6C8809(config-auto-provisioning-policy-test)#adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
nx9500-6C8809(config-auto-provisioning-policy-test)#

The following example enables auto creation of the following RF Domain, using the existing RF Domain rfd-AP as the template:

RF Domain name AP-75: applicable to any AP7532

nx9500-6C8809(config-auto-provisioning-policy-test)#auto-create-rfd-template rfd-AP
nx9500-6C8809(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap7532 precedence 20 rf-domain $MODEL[1:5] any
 auto-create-rfd-template rfd-AP
nx9500-6C8809(config-auto-provisioning-policy-test)#
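The following Python is an added example, not part of this guide or of the WiNG software. It models how the $MODEL[1:5] template in the adopt rule above expands for an adopting device and when the auto-create-rfd-template setting applies. It assumes the [a:b] range is 1-based and inclusive (which is what turns an AP7532 model string into AP-75 in the example), that a token with no range expands to the whole value, and that the device attribute names, the sample device and the in-memory dictionary standing in for the controller's configured RF Domains are all constructed here.

```python
"""Substitution tokens and auto-create-rfd-template, modelled in Python.

Added example, not from the WiNG CLI guide or Extreme's code. Assumptions:
$TOKEN[a:b] is a 1-based inclusive character range (the guide's $MODEL[1:5]
on an AP7532 giving 'AP-75' fits this), a token without a range expands to
the whole value, and device attribute names are constructed for this model.
"""
import re
from typing import Optional, Tuple

# Built-in tokens from the Usage Guidelines, plus the $AUTO-RF-DOMAIN alias.
# Longest names first so $CDP-SUFFIX is not read as $CDP followed by '-SUFFIX'.
TOKEN_NAMES = ["FQDN", "CDP", "LLDP", "DHCP", "SN", "MODEL",
               "DNS-SUFFIX", "CDP-SUFFIX", "LLDP-SUFFIX", "AUTO-RF-DOMAIN"]
TOKEN_RE = re.compile(
    r"\$(" + "|".join(sorted(map(re.escape, TOKEN_NAMES), key=len, reverse=True))
    + r")(?:\[(\d+):(\d+)\])?")

def _suffix(name: str) -> str:
    """Drop the hostname label: ap1.site1.example.com -> site1.example.com."""
    return name.split(".", 1)[1] if "." in name else ""

def token_values(dev: dict) -> dict:
    """Value each token takes for one adopting device (attribute names are assumed)."""
    return {
        "FQDN": dev["fqdn"], "CDP": dev["cdp"], "LLDP": dev["lldp"],
        "DHCP": dev["dhcp_option"], "SN": dev["serial"], "MODEL": dev["model"],
        "DNS-SUFFIX": _suffix(dev["fqdn"]), "CDP-SUFFIX": _suffix(dev["cdp"]),
        "LLDP-SUFFIX": _suffix(dev["lldp"]), "AUTO-RF-DOMAIN": dev["adopter_rf_domain"],
    }

def expand(template: str, dev: dict) -> str:
    """Replace every $TOKEN or $TOKEN[a:b] in template with the device's value."""
    values = token_values(dev)
    def sub(m) -> str:
        name, a, b = m.group(1), m.group(2), m.group(3)
        value = values[name]
        if a is None:
            return value
        lo, hi = int(a), int(b)
        if lo < 1 or hi < lo:
            raise ValueError(f"bad range in {m.group(0)}")
        return value[lo - 1:hi]          # 1-based, inclusive
    return TOKEN_RE.sub(sub, template)

def uses_token(template: str) -> bool:
    return TOKEN_RE.search(template) is not None

def resolve_rf_domain(rule_rf_domain: str, dev: dict, rf_domains: dict,
                      auto_create_template: Optional[str]) -> Tuple[str, bool]:
    """Return (rf_domain_name, created) following the procedure in this section.

    rf_domains is a constructed stand-in for the controller's configured RF
    Domains (name -> settings). A missing domain is auto-created from the
    template only when the rule used a token AND auto-create-rfd-template is
    set; the template itself must already exist. The guide does not say what
    happens when the domain is missing and cannot be created; this model raises.
    """
    name = expand(rule_rf_domain, dev)
    if name in rf_domains:
        return name, False
    if uses_token(rule_rf_domain) and auto_create_template:
        if auto_create_template not in rf_domains:
            raise LookupError(f"template RF Domain {auto_create_template!r} is not configured")
        rf_domains[name] = dict(rf_domains[auto_create_template])   # copy the template's settings
        return name, True
    raise LookupError(f"RF Domain {name!r} not found and auto creation does not apply")

# Constructed sample device; the model string follows the AP-8132-66040-US form
# used in the guide's redirect example. All values are made up for this example.
SAMPLE_AP7532 = {
    "model": "AP-7532-67030-US", "serial": "SN-EXAMPLE-0001",
    "fqdn": "ap7532-1.site1.example.com", "cdp": "sw-core-1.site1.example.com",
    "lldp": "sw-core-1.site1.example.com", "dhcp_option": "rf-domain=site1",
    "adopter_rf_domain": "default",
}

def demo() -> dict:
    """Replay the guide's example: 'adopt ap7532 ... rf-domain $MODEL[1:5]' with
    'auto-create-rfd-template rfd-AP' on a controller that only has rfd-AP."""
    rf_domains = {"rfd-AP": {"setting": "constructed template value"}}
    first = resolve_rf_domain("$MODEL[1:5]", SAMPLE_AP7532, rf_domains, "rfd-AP")
    second = resolve_rf_domain("$MODEL[1:5]", SAMPLE_AP7532, rf_domains, "rfd-AP")
    return {"first": first, "second": second, "domains": sorted(rf_domains)}
```

Calling demo() creates AP-75 from rfd-AP on the first adoption and reuses it on the second, which is the behaviour the walk-through below describes; a rule whose rf-domain carries no token never triggers auto creation, so a plain misspelled RF Domain name fails rather than silently producing a new domain.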
As per the above configurations, when an AP7532 comes up for first-time adoption, the system:
- Checks for an RF Domain matching the options provided in the adopt rule, and if none is found, auto creates the RF Domain only if:
  - a token is specified in the adopt rule, for example $MODEL[1:5], and
  - the auto-create-rfd-template option is configured
- Uses the RF Domain specified in the auto-create-rfd-template command as a template. Therefore, the specified RF Domain should already exist and be configured.
- Applies the new RF Domain to the AP.

Related Commands

no    Disables auto creation of an RF Domain

9.1.3 default-adoption
auto-provisioning-policy

Adopts devices, even when no matching rules are defined, and assigns a default profile and default RF Domain to the adopted device.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

default-adoption

Parameters

None

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#default-adoption
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
rfs4000-229D58(config-auto-provisioning-policy-test)#

Related Commands

no    Disables adoption of devices when matching rules are not found

9.1.4 deny
auto-provisioning-policy

Defines a deny device adoption rule.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

Parameters

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> any

deny
    Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule. The device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
    Note: anyap is used in auto provisioning policies to create rules that apply to any AP regardless of the model type.
precedence <1-10000>
    Sets the rule precedence. A rule with a lower value has a higher precedence.
any
    Indicates any device. Any device seeking adoption is denied adoption.

deny [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

deny
    Adds a deny adoption rule. The rule applies to the selected device types. Specify the device type and assign a precedence to the rule. The device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600.
precedence <1-10000>
    Sets the rule precedence. A rule with a lower value has a higher precedence. After specifying the rule precedence, specify the match criteria. Devices matching the specified criteria are denied adoption.
cdp-match <LOCATION-SUBSTRING>
    Matches a substring in a list of CDP snoop strings (case insensitive). For example, if an access point snooped 3 devices, controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of substrings that will match.
    <LOCATION-SUBSTRING> Specify the value to match. Devices matching the specified value are denied adoption.
dhcp-option <DHCP-OPTION>
    Matches the value found in DHCP vendor option 191 (case insensitive). DHCP vendor option 191 can be set up to communicate various configuration parameters to an AP. The value of the option is a string of tag=value pairs separated by semicolons, for example 'tag1=value1;tag2=value2;tag3=value3'. The access point includes the value of the tag 'rf-domain', if present.
    <DHCP-OPTION> Specify the DHCP option value to match. Devices matching the specified value are denied adoption.
fqdn <FQDN>
    Matches a substring of the FQDN of a device (case insensitive). An FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
    <FQDN> Specify the FQDN. Devices matching the specified value are denied adoption.
ip [<START-IP> <END-IP>|<IP/MASK>]
    Denies adoption if a device's IP address matches the specified IPv4 address or is within the specified IP address range.
    <START-IP> Specify the first IPv4 address in the range.
    <END-IP> Specify the last IPv4 address in the range.
    <IP/MASK> Specify the IPv4 subnet and mask to match against the device's IP address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>]
    Denies adoption if a device's IPv6 address matches the specified IP address or is within the specified IP address range.
    <START-IP> Specify the first IPv6 address in the range.
    <END-IP> Specify the last IPv6 address in the range.
    <IP/MASK> Specify the IPv6 subnet and mask to match against the device's IP address.
lldp-match <LLDP-STRING>
    Matches a substring in a list of LLDP snoop strings (case insensitive). For example, if an access point snooped 3 devices, controller1.example.com, controller2.example.com, and controller3.example.com, then 'controller1', 'example', and 'example.com' are examples of substrings that will match. LLDP is a vendor neutral link layer protocol used to advertise a network device's identity, capabilities, and neighbors on a local area network.
    <LLDP-STRING> Specify the LLDP string. Devices matching the specified value are denied adoption.
mac <START-MAC> {<END-MAC>}
    Denies adoption if a device's MAC address matches the specified MAC address or is within the specified MAC address range.
    <START-MAC> Specify the first MAC address in the range. Provide only this MAC address to match a single device.
    <END-MAC> Optional. Specify the last MAC address in the range.
model-number <MODEL-NUMBER>
    Denies adoption if a device's model number matches <MODEL-NUMBER>.
    <MODEL-NUMBER> Specify the model number.
serial-number <SERIAL-NUMBER>
    Denies adoption if a device's serial number matches <SERIAL-NUMBER>.
    <SERIAL-NUMBER> Specify the serial number.
vlan <VLAN-ID>
    Denies adoption if a device's VLAN matches <VLAN-ID>.
    <VLAN-ID> Specify the VLAN ID.

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap71xx precedence 2 model-number AP7131N
rfs4000-229D58(config-auto-provisioning-policy-test)#deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
rfs4000-229D58(config-auto-provisioning-policy-test)#
Related Commands

no    Removes a deny adoption rule

9.1.5 evaluate-always
auto-provisioning-policy

Sets a flag to run this auto-provisioning policy every time an access point is adopted. The access point's previous adoption status is not taken into consideration.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

evaluate-always

Parameters

None

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#evaluate-always
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 evaluate-always
rfs4000-229D58(config-auto-provisioning-policy-test)#

Related Commands

no    Disables the running of this policy every time an AP is adopted

9.1.6 redirect
auto-provisioning-policy

Adds a rule redirecting device adoption to another controller within the system. Devices seeking adoption are redirected to a specified controller based on the redirection parameters specified.

Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600]

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>] [any|cdp-match|dhcp-option|fqdn|ip|ipv6|level|lldp-match|mac|model-number|pool|serial-number|vlan]

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|level [1|2]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>] {upgrade}

Parameters

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] any

redirect
    Adds a redirect adoption rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule. The device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
    Note: anyap is used in auto provisioning policies to create rules that apply to any AP regardless of the model type.
    Note: An adoptee controller, such as an RFS4000 or RFS6000, can be redirected to another controller (configured to adopt controllers) with a capacity equal to or higher than its own. For more information, see controller.
precedence <1-10000>
    Sets the rule precedence. Rules with lower values get precedence over rules with higher values.
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6]
    Configures the controller to which the adopting devices are redirected. Specify the controller's IP address or hostname.
    <CONTROLLER-IP> Specifies the controller's IP address
    <CONTROLLER-HOSTNAME> Specifies the controller's hostname
    ipv6 Specify the controller's IPv6 address
any
    Indicates any device. Any device seeking adoption is redirected.

redirect [anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600] precedence <1-10000> controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6] [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|pool <1-2>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>] {upgrade}

redirect
    Adds a redirect adoption rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule. The device type options are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600.
    Note: An adoptee controller, such as an RFS4000, RFS6000, or RFS7000, can be redirected to another controller (configured to adopt controllers) with a capacity equal to or higher than its own. For more information, see controller.
precedence <1-10000>
    Sets the rule precedence. Rules with lower values get precedence over rules with higher values.
controller [<CONTROLLER-IP>|<CONTROLLER-HOSTNAME>|ipv6]
    Configures the controller to which the adopting devices are redirected. Specify the controller's IP address or hostname.
    <CONTROLLER-IP> Specifies the controller's IP address
    <CONTROLLER-HOSTNAME> Specifies the controller's hostname
    ipv6 Specify the controller's IPv6 address
    After specifying the rule precedence and the controller, specify the match criteria.
cdp-match <LOCATION-SUBSTRING>
    Configures the device location to match, based on CDP snoop strings.
    <LOCATION-SUBSTRING> Specify the location. Devices matching the specified string are redirected.
dhcp-option <DHCP-OPTION>
    Configures the DHCP option to match. DHCP options identify the vendor and DHCP client functionalities. This information is used by the client to convey to the DHCP server that the client requires extra information in a DHCP response.
    <DHCP-OPTION> Specify the DHCP option value. Devices matching the specified value are redirected.
fqdn <FQDN>
    Configures the FQDN to match. An FQDN is a domain name that specifies its exact location in the DNS hierarchy. It specifies all domain levels, including its top-level domain and the root domain.
    <FQDN> Specify the FQDN. Devices matching the specified value are redirected.
ip [<START-IP> <END-IP>|<IP/MASK>]
    Configures a range of IP addresses or a subnet address. Devices with IPv4 addresses within the specified range, or that are part of the specified subnet, are redirected.
    <START-IP> Specify the first IPv4 address in the range.
    <END-IP> Specify the last IPv4 address in the range.
    <IP/MASK> Specify the IPv4 subnet and mask to match against the device's IP address.
level [1|2]
    Configures the routing level.
    1 Specifies level 1 as local routing
    2 Specifies level 2 as inter-site routing
ipv6 [<START-IP> <END-IP>|<IP/MASK>]
    Redirects if a device's IPv6 address matches the specified IP address or is within the specified IP address range.
    <START-IP> Specify the first IPv6 address in the range.
    <END-IP> Specify the last IPv6 address in the range.
    <IP/MASK> Specify the IPv6 subnet and mask to match against the device's IP address.
lldp-match <LLDP-STRING>
    Configures the device location to match, based on LLDP snoop strings. LLDP is a vendor neutral link layer protocol used to advertise a network device's identity, capabilities, and neighbors on a local area network.
    <LLDP-STRING> Specify the location. Devices matching the specified string are redirected.
mac <START-MAC> {<END-MAC>}
    Configures a single MAC address or a range of MAC addresses. Devices matching the specified values are redirected.
    <START-MAC> Specify the first MAC address in the range. Provide only this MAC address to filter a single device.
    <END-MAC> Optional. Specify the last MAC address in the range.
model-number <MODEL-NUMBER>
    Configures the device model number.
    <MODEL-NUMBER> Specify the model number. Devices matching the specified model number are redirected.
pool <1-2>
    Configures the controller pool.
    <1-2> Configures the pool to which the specified controller belongs. The default pool value is 1.
serial-number <SERIAL-NUMBER>
    Configures the device's serial number.
    <SERIAL-NUMBER> Specify the serial number. Devices matching the specified serial number are redirected.
vlan <VLAN-ID>
    Configures the VLAN ID.
    <VLAN-ID> Specify the VLAN ID. Devices assigned to the specified VLAN are redirected.
upgrade
    Optional. Upgrades APs before redirecting the device for adoption within the system.

Example

rfs4000-229D58(config-auto-provisioning-policy-test)#redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
rfs4000-229D58(config-auto-provisioning-policy-test)#redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
 redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
rfs4000-229D58(config-auto-provisioning-policy-test)#
Related Commands
no    Removes a redirect rule

9.1.7 upgrade
auto-provisioning-policy

Adds a device upgrade rule to this auto provisioning policy. When applied to a controller, the upgrade rule ensures adopted devices of the specified type are upgraded automatically.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
In the forms below, <DEVICE-TYPE> is one of:
anyap|ap6521|ap6522|ap6532|ap6562|ap71xx|ap7502|ap7522|ap7532|ap7562|ap7602|ap7612|ap7622|ap7632|ap7662|ap81xx|ap82xx|ap8432|ap8533|rfs4000|rfs6000|rfs7000|nx5500|nx7500|nx7510|nx7520|nx7530|nx9000|vx9000|nx9600

upgrade <DEVICE-TYPE>
upgrade <DEVICE-TYPE> precedence <1-10000> [any|cdp-match|dhcp-option|fqdn|ip|ipv6|lldp-match|mac|model-number|serial-number|vlan]
upgrade <DEVICE-TYPE> precedence <1-10000> any
upgrade <DEVICE-TYPE> precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

Parameters
upgrade <DEVICE-TYPE> precedence <1-10000> any

upgrade <DEVICE-TYPE>
    Adds a device upgrade rule. The rule applies to the device type selected. Specify the device type and assign a precedence to the rule. The device types are: anyap, AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533, RFS4000, RFS6000, NX5500, NX75XX, NX95XX, VX9000, and NX9600 series.
    Note: anyap is used in auto provisioning policies to create rules that apply to any AP regardless of model type.
precedence <1-10000>
    Sets the rule precedence. Rules with lower values take precedence over rules with higher values.
any
    Indicates any device. Any device of the selected type is upgraded.

upgrade <DEVICE-TYPE> precedence <1-10000> [cdp-match <LOCATION-SUBSTRING>|dhcp-option <DHCP-OPTION>|fqdn <FQDN>|ip [<START-IP> <END-IP>|<IP/MASK>]|ipv6 [<START-IP> <END-IP>|<IP/MASK>]|lldp-match <LLDP-STRING>|mac <START-MAC> {<END-MAC>}|model-number <MODEL-NUMBER>|serial-number <SERIAL-NUMBER>|vlan <VLAN-ID>]

upgrade <DEVICE-TYPE>
    As above: adds a device upgrade rule for the selected device type.
precedence <1-10000>
    As above: sets the rule precedence. Rules with lower values take precedence over rules with higher values.
cdp-match <LOCATION-SUBSTRING>
    Configures the device location to match, based on CDP snoop strings.
    <LOCATION-SUBSTRING>  Specify the location. Devices matching the specified string are upgraded.
dhcp-option <DHCP-OPTION>
    Configures the DHCP option to match. DHCP options identify the vendor and DHCP client functionalities. This information is used by the client to convey to the DHCP server that the client requires extra information in a DHCP response.
    <DHCP-OPTION>  Specify the DHCP option value. Devices matching the specified value are upgraded.
fqdn <FQDN>
    Configures the FQDN to match. An FQDN is a domain name that specifies its exact location in the DNS hierarchy; it specifies all domain levels, including the top-level domain and the root domain.
    <FQDN>  Specify the FQDN. Devices matching the specified value are upgraded.
ip [<START-IP> <END-IP>|<IP/MASK>]
    Configures a range of IPv4 addresses or a subnet. Devices with IPv4 addresses within the specified range, or belonging to the specified subnet, are upgraded.
    <START-IP>  Specify the first IPv4 address in the range.
    <END-IP>    Specify the last IPv4 address in the range.
    <IP/MASK>   Specify the IPv4 subnet and mask to match against the device's IP address.
ipv6 [<START-IP> <END-IP>|<IP/MASK>]
    Upgrades a device if its IPv6 address matches the specified address, falls within the specified range, or belongs to the specified subnet.
    <START-IP>  Specify the first IPv6 address in the range.
    <END-IP>    Specify the last IPv6 address in the range.
    <IP/MASK>   Specify the IPv6 subnet and mask to match against the device's IP address.
lldp-match <LLDP-STRING>
    Configures the device location to match, based on LLDP snoop strings. LLDP is a vendor-neutral link layer protocol used to advertise a network device's identity, capabilities, and neighbors on a local area network.
    <LLDP-STRING>  Specify the location. Devices matching the specified string are upgraded.
mac <START-MAC> {<END-MAC>}
    Configures a single MAC address or a range of MAC addresses. Devices matching the specified values are upgraded.
    <START-MAC>  Specify the first MAC address in the range. Provide only this MAC address to filter a single device.
    <END-MAC>    Optional. Specify the last MAC address in the range.
model-number <MODEL-NUMBER>
    Configures the device model number.
    <MODEL-NUMBER>  Specify the model number. Devices matching the specified model number are upgraded.
serial-number <SERIAL-NUMBER>
    Configures the device serial number.
    <SERIAL-NUMBER>  Specify the serial number. Devices matching the specified serial number are upgraded.
vlan <VLAN-ID>
    Configures the VLAN ID.
    <VLAN-ID>  Specify the VLAN ID. Devices assigned to the specified VLAN are upgraded.

Example
rfs4000-229D58(config-auto-provisioning-policy-test)#upgrade ap6521 precedence 1 any
rfs4000-229D58(config-auto-provisioning-policy-test)#upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 upgrade ap6521 precedence 1 any
 upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#
Related Commands
no    Removes an upgrade rule

9.1.8 no
auto-provisioning-policy

Removes an adopt, deny, redirect, or upgrade rule from the specified auto provisioning policy, or reverts the policy's auto-create-rfd-template, default-adoption, or evaluate-always setting. Rules are identified by their precedence value.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [adopt|auto-create-rfd-template|default-adoption|deny|evaluate-always|redirect|upgrade]
no adopt precedence <1-10000>
no auto-create-rfd-template
no default-adoption
no deny precedence <1-10000>
no evaluate-always
no redirect precedence <1-10000>
no upgrade precedence <1-10000>

Parameters
no <PARAMETERS>

no <PARAMETERS>
    Removes the specified rule or setting from this auto provisioning policy. Use the rule type that was configured (adopt, deny, redirect, or upgrade) together with its precedence value.

Example
The following example shows the auto-provisioning-policy test settings before the no commands are executed:
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 default-adoption
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 deny ap71xx precedence 2 model-number AP7131N
 deny ap71xx precedence 3 ip 192.168.13.23 192.168.13.23
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
 redirect ap81xx precedence 5 controller 192.168.13.10 model-number AP-8132-66040-US
rfs4000-229D58(config-auto-provisioning-policy-test)#
rfs4000-229D58(config-auto-provisioning-policy-test)#no default-adoption
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 2
rfs4000-229D58(config-auto-provisioning-policy-test)#no deny precedence 3
rfs4000-229D58(config-auto-provisioning-policy-test)#no redirect precedence 5
The following example shows the auto-provisioning-policy test settings after the no commands are executed (the rule at precedence 5 is a redirect rule, so it is removed with no redirect, not no deny):
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 adopt ap81xx precedence 1 profile default-ap81xx vlan 1
 redirect ap81xx precedence 4 controller 192.168.13.10 ip 192.168.13.25 192.168.13.25
rfs4000-229D58(config-auto-provisioning-policy-test)#

rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 upgrade ap6521 precedence 1 any
 upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#
rfs4000-229D58(config-auto-provisioning-policy-test)#no upgrade precedence 1
rfs4000-229D58(config-auto-provisioning-policy-test)#show context
auto-provisioning-policy test
 upgrade rfs4000 precedence 2 ip 192.168.13.1 192.168.13.5
rfs4000-229D58(config-auto-provisioning-policy-test)#
10 ASSOCIATION-ACL-POLICY

This chapter summarizes the association ACL policy commands in the CLI command structure.

An association ACL is a policy-based Access Control List (ACL) that either allows or denies wireless clients from connecting to a wireless controller, service platform, or access point managed WLAN. System administrators can use an association ACL to grant or restrict wireless client access to the WLAN by specifying a client's MAC address or a range of MAC addresses to either include or exclude from WLAN connectivity. Association ACLs are applied to WLANs as an additional access control mechanism. Because a client's MAC address is self-reported and easily changed, an association ACL is a coarse administrative filter rather than an authentication control; it complements, and does not replace, the WLAN's authentication and encryption settings.

Use the (config) instance to configure the association ACL policy. To navigate to the association-acl-policy instance, use the following commands:
<DEVICE>(config)#association-acl-policy <POLICY-NAME>
rfs6000-37FABE(config)#association-acl-policy test
rfs6000-37FABE(config-assoc-acl-test)#
rfs6000-37FABE(config-assoc-acl-test)#?
Association ACL Mode commands:
  deny     Specify MAC addresses to be denied
  no       Negate a command or set its defaults
  permit   Specify MAC addresses to be permitted
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-assoc-acl-test)#

NOTE: If creating a new association ACL policy, provide a name specific to its function. Avoid naming it after a WLAN it may support. The name cannot exceed 32 characters.

Before defining an association ACL policy and applying it to a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
- The name and configuration of an association ACL policy should meet the requirements of the WLANs it may map to. However, be careful not to name ACLs after specific WLANs, as an individual ACL policy can be used by more than one WLAN.
- You cannot apply more than one MAC-based ACL to a layer 2 interface. If a MAC ACL is already configured on a layer 2 interface and a new MAC ACL is applied to the interface, the new ACL replaces the previously configured one.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

10.1 association-acl-policy
ASSOCIATION-ACL-POLICY

The following table summarizes association ACL policy configuration commands:

Table 10.1 Association-ACL-Policy-Config Commands
Command   Description                                                      Reference
deny      Specifies a range of MAC addresses denied access to the WLAN     page 10-3
no        Removes a deny or permit rule from this association ACL policy   page 10-5
permit    Specifies a range of MAC addresses allowed access to the WLAN    page 10-6

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

10.1.1 deny
association-acl-policy

Creates a list of devices denied access to the managed network. Devices are identified by their MAC address. A single MAC address or a range of MAC addresses can be denied access. This command also sets the precedence on how deny rules are applied. Up to one thousand (1000) deny rules can be defined for every association ACL policy. Each rule has a unique sequential precedence value assigned and is applied on the basis of that value: the lower the precedence value, the higher the priority, so the rule with the lowest precedence value is applied first. No two rules can have the same precedence. The default precedence is 1; prioritize rules accordingly as they are added.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny <STARTING-MAC> [<ENDING-MAC>|precedence]
deny <STARTING-MAC> precedence <1-1000>
deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

Parameters
deny <STARTING-MAC> precedence <1-1000>

deny
    Adds a single device to the deny list.
<STARTING-MAC>
    To add a single device, enter its MAC address in the <STARTING-MAC> parameter.
precedence <1-1000>
    Sets the rule precedence. Rules are applied in increasing order of precedence.
    <1-1000>  Specify a precedence value from 1 - 1000.

deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

deny
    Adds a set of devices to the deny list. To add a set of devices, provide the range of MAC addresses.
<STARTING-MAC>
    Specify the first MAC address in the range.
<ENDING-MAC>
    Specify the last MAC address in the range.
precedence <1-1000>
    Sets the rule precedence. Rules are applied in increasing order of precedence.
    <1-1000>  Specify a value from 1 - 1000.

Usage Guidelines
Every rule has a unique sequential precedence value. You cannot add two rules with the same precedence. Rules are applied in increasing order of precedence: the rule with precedence 1 is applied first, then the rule with precedence 2, and so on.

Example
rfs6000-37FABE(config-assoc-acl-test)#deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
rfs6000-37FABE(config-assoc-acl-test)#deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
rfs6000-37FABE(config-assoc-acl-test)#
Related Commands
no    Removes a deny rule based on its precedence value

10.1.2 no
association-acl-policy

Removes a deny or permit rule from this association ACL policy.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|permit]
no deny <STARTING-MAC> precedence <1-1000>
no deny <STARTING-MAC> <ENDING-MAC> precedence <1-1000>
no permit <STARTING-MAC> precedence <1-1000>
no permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

Parameters
no <PARAMETERS>

no <PARAMETERS>
    Removes a deny or permit rule from this association ACL policy. Repeat the rule's MAC address (or MAC address range) and precedence value exactly as configured.

Example
The following example shows the association ACL policy test settings before the no command is executed:
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
rfs6000-37FABE(config-assoc-acl-test)#
rfs6000-37FABE(config-assoc-acl-test)#no deny 11-22-33-44-56-01 11-22-33-44-56-01 precedence 160
The following example shows the association ACL policy test settings after the no command is executed:
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
rfs6000-37FABE(config-assoc-acl-test)#
10.1.3 permit
association-acl-policy

Creates a list of devices allowed access to the managed network. Devices are permitted access based on their MAC address. A single MAC address or a range of MAC addresses can be specified. This command also sets the precedence on how permit list rules are applied. Up to one thousand (1000) permit rules can be defined for every association ACL policy. Each rule has a unique sequential precedence value assigned and is applied on the basis of that value: the lower the precedence value, the higher the priority, so the rule with the lowest precedence value is applied first. No two rules can have the same precedence. The default precedence is 1, so be careful to prioritize rules accordingly as they are added.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit <STARTING-MAC> [<ENDING-MAC>|precedence]
permit <STARTING-MAC> precedence <1-1000>
permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

Parameters
permit <STARTING-MAC> precedence <1-1000>

permit
    Adds a single device to the permit list.
<STARTING-MAC>
    To add a single device, enter its MAC address in the <STARTING-MAC> parameter.
precedence <1-1000>
    Specifies the rule precedence. Rules are applied in increasing order of precedence.
    <1-1000>  Specify a value from 1 - 1000.

permit <STARTING-MAC> <ENDING-MAC> precedence <1-1000>

permit
    Adds a set of devices to the permit list. To add a set of devices, provide the MAC address range.
<STARTING-MAC>
    Specify the first MAC address of the range.
<ENDING-MAC>
    Specify the last MAC address of the range.
precedence <1-1000>
    Specifies the rule precedence. Rules are applied in increasing order of precedence.
    <1-1000>  Specify a value from 1 - 1000.

Usage Guidelines
Every rule has a unique sequential precedence value. You cannot add two rules with the same precedence. Rules are applied in increasing order of precedence: the rule with precedence 1 is applied first, then the rule with precedence 2, and so on.

Example
rfs6000-37FABE(config-assoc-acl-test)#permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
rfs6000-37FABE(config-assoc-acl-test)#permit 11-22-33-44-67-01 precedence 180
rfs6000-37FABE(config-assoc-acl-test)#show context
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
 permit 11-22-33-44-67-01 11-22-33-44-67-01 precedence 180
rfs6000-37FABE(config-assoc-acl-test)#
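The deny and permit rules above, evaluated the way this chapter describes them (a unique precedence in 1-1000 per rule, rules applied in ascending precedence, a client matched when its MAC address falls inside a rule's inclusive range), as an added example in Python. This is not code from the guide or from WiNG. It parses show context output like the one above, rejects what the CLI rejects (a reused precedence value, a range whose start is above its end, more than 1000 rules per action) and reports which action a client MAC hits. Two points the page does not state are treated as labelled assumptions: that the first matching rule decides, and that a client matching no rule is reported as None rather than as a decision. The policy text is constructed to mirror the final show context output above.

```python
"""Association ACL evaluator (added example, not WiNG code).

Models association-acl-policy deny/permit rules as documented: every rule
has a unique precedence in 1-1000, rules are applied in ascending precedence
order, and a client matches a rule when its MAC falls inside the rule's
inclusive range.  Assumptions not stated on the page: the first matching
rule decides, and a client that matches no rule is reported as None.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

MAX_RULES = 1000   # page: up to 1000 deny and up to 1000 permit rules per policy


def mac_to_int(mac: str) -> int:
    """Accept 11-22-33-44-55-01, 11:22:33:44:55:01 or 1122.3344.5501."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class Rule:
    action: str       # "deny" or "permit"
    start: int        # <STARTING-MAC> as a 48-bit integer
    end: int          # <ENDING-MAC>; equals start for a single-device rule
    precedence: int


def parse_rule(line: str) -> Rule:
    """Parse 'deny|permit <STARTING-MAC> [<ENDING-MAC>] precedence <N>' as show context prints it."""
    tokens = line.split()
    if len(tokens) < 4 or tokens[0] not in ("deny", "permit") or tokens[-2] != "precedence":
        raise ValueError(f"not an association ACL rule: {line!r}")
    precedence = int(tokens[-1])
    if not 1 <= precedence <= MAX_RULES:
        raise ValueError(f"precedence {precedence} is outside 1-{MAX_RULES}")
    macs = tokens[1:-2]
    if len(macs) not in (1, 2):
        raise ValueError(f"expected one or two MAC addresses: {line!r}")
    start, end = mac_to_int(macs[0]), mac_to_int(macs[-1])
    if start > end:
        raise ValueError(f"range start is above range end: {line!r}")
    return Rule(tokens[0], start, end, precedence)


def load_policy(text: str) -> List[Rule]:
    """Rules from show-context text, sorted by precedence.  Rejects what the
    CLI rejects: a reused precedence value or more than MAX_RULES per action."""
    rules = [parse_rule(line) for line in text.splitlines()
             if line.lstrip().startswith(("deny ", "permit "))]
    precedences = [r.precedence for r in rules]
    if len(set(precedences)) != len(precedences):
        raise ValueError("two rules share a precedence value")
    for action in ("deny", "permit"):
        if sum(r.action == action for r in rules) > MAX_RULES:
            raise ValueError(f"more than {MAX_RULES} {action} rules")
    return sorted(rules, key=lambda r: r.precedence)


def is_valid_policy(text: str) -> bool:
    """True if load_policy accepts the text, False if it rejects it."""
    try:
        load_policy(text)
        return True
    except ValueError:
        return False


def evaluate(rules: List[Rule], client_mac: str) -> Optional[str]:
    """'deny', 'permit', or None when no rule covers the client.
    Assumption: the first match in ascending precedence decides."""
    mac = mac_to_int(client_mac)
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.start <= mac <= rule.end:
            return rule.action
    return None


# Constructed to mirror the final show context output in the permit example.
POLICY_TEXT = """\
association-acl-policy test
 deny 11-22-33-44-55-01 11-22-33-44-55-FF precedence 150
 permit 11-22-33-44-66-01 11-22-33-44-66-FF precedence 170
 permit 11-22-33-44-67-01 11-22-33-44-67-01 precedence 180
"""

if __name__ == "__main__":
    rules = load_policy(POLICY_TEXT)
    for client in ("11-22-33-44-55-7A", "11:22:33:44:66:01", "11-22-33-44-67-02"):
        print(f"{client}: {evaluate(rules, client)}")
```

Because a rule at precedence 150 is checked before one at 170, a MAC that falls inside both a deny range and a permit range is decided by whichever rule carries the lower precedence value; that is why the chapter warns against leaving every rule at the default precedence of 1, which the CLI would reject as a duplicate anyway.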
Related Commands
no    Removes a permit rule based on its precedence

11 ACCESS-LIST

This chapter summarizes IPv4, IPv6, and MAC access list commands in the CLI command structure.

Access lists control access to the managed network using a set of rules, also known as Access Control Entries (ACEs). Each rule specifies an action taken when a packet matches that rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed. A set of deny and/or permit rules based on IP (IPv4 and IPv6) addresses constitutes an IP Access Control List (ACL). Similarly, a set of deny and/or permit rules based on MAC addresses constitutes a MAC ACL.

Within a managed network, IP ACLs are used as firewalls to filter packets and also to mark packets. IP-based firewall rules are specific to the source and destination IP addresses and have unique precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying an IP ACL. With either IPv4 or IPv6, create access rules for traffic entering a controller, service platform, or access point interface: if you are going to deny specific types of packets, it is recommended you do so before the device spends time processing them, since access rules are given priority over other types of firewall rules.

MAC ACLs are firewalls that filter or mark packets based on the source and destination MAC addresses of the frame, as opposed to filtering packets by layer 2 port. Optionally filter layer 2 traffic on a physical layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny, or mark designation for controller-managed packet traffic.

Once defined, an IP and/or MAC ACL (consisting of a set of firewall rules) must be applied to an interface to be a functional filtering tool.

Firewall-supported devices (access points, wireless controllers, and service platforms) process firewall rules (within an IP/MAC ACL) sequentially, in ascending order of their precedence value. When a packet matches a rule, the firewall applies the action specified in the rule to determine whether the traffic is allowed or denied. Once a match is made, the firewall does not process subsequent rules in the ACL. Order rules accordingly: a broad rule with a low precedence value prevents every more specific rule behind it from ever being evaluated.

The WiNG software enables the configuration of IP SNMP ACLs. These ACLs control access by combining IP ACLs with SNMP server community strings.

The following ACLs are supported:
ip-access-list
mac-access-list
ipv6-access-list
ip-snmp-access-list
ex3500-ext-access-list
ex3500-std-access-list

Use IP and MAC commands under the global configuration to create an access list. When the access list is applied on an Ethernet port, it becomes a port ACL. When the access list is applied on a VLAN interface, it becomes a router ACL.

Use the (config) instance to configure a new ACL or modify an existing ACL. To navigate to the (config-access-list) instance, use the following commands:
<DEVICE>(config)#ip access-list <IP-ACCESS-LIST-NAME>
<DEVICE>(config)#mac access-list <MAC-ACCESS-LIST-NAME>
<DEVICE>(config)#ipv6 access-list <IPv6-ACCESS-LIST-NAME>
<DEVICE>(config)#ip snmp-access-list <SNMP-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-ext-access-list <EX3500-EXT-ACCESS-LIST-NAME>
<DEVICE>(config)#ex3500-std-access-list <EX3500-STD-ACCESS-LIST-NAME>
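The ascending-precedence, first-match processing the chapter introduction describes, as an added Python example; this is not code from the guide or from WiNG. Rules are built as Python objects rather than parsed from CLI syntax, and the ip-access-list line each one stands for is given in a comment; the sample ACL and the packets fed to it are constructed for the demonstration. Besides showing which rule decides a packet, the example includes a shadowing check: a rule that a lower-precedence rule entirely covers can never fire, which is the consequence of the introduction's statement that later rules are not processed once a match is made. The page does not say how traffic matching no rule is treated, so evaluate() returns None in that case rather than guessing.

```python
"""IP ACL evaluator and shadow checker (added example, not WiNG code).

Models ip-access-list deny/permit rules as the chapter describes: each rule
carries a rule-precedence in 1-5000, rules are processed in ascending order,
and the first matching rule decides.  The page does not say how unmatched
traffic is treated, so evaluate() returns None for it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_network
from typing import List, Optional, Tuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}   # "ip" matches any protocol
ANY = ip_network("0.0.0.0/0")                       # the CLI keyword "any"


@dataclass(frozen=True)
class Rule:
    action: str                          # "deny" or "permit"
    proto: str                           # "ip", "icmp", "tcp" or "udp"
    src: IPv4Network = ANY               # <SOURCE-IP/MASK> | host X (a /32) | any
    dst: IPv4Network = ANY               # <DEST-IP/MASK> | host X (a /32) | any
    dport: Tuple[int, int] = (0, 65535)  # eq P -> (P, P); range A B -> (A, B)
    from_vlan: Optional[int] = None      # from-vlan <VLAN-ID>
    log: bool = False                    # the log flag
    precedence: int = 5000               # rule-precedence <1-5000>

    def __post_init__(self) -> None:
        if not 1 <= self.precedence <= 5000:
            raise ValueError("rule-precedence must be in 1-5000")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: int                  # IP protocol number
    dport: int = 0              # destination port, TCP/UDP only
    vlan: Optional[int] = None  # VLAN the packet arrived on


def pkt(src: str, dst: str, proto: int, dport: int = 0, vlan: Optional[int] = None) -> Packet:
    """Convenience constructor taking dotted-quad strings."""
    return Packet(IPv4Address(src), IPv4Address(dst), proto, dport, vlan)


def matches(rule: Rule, p: Packet) -> bool:
    if rule.proto != "ip" and PROTO_NUMBERS[rule.proto] != p.proto:
        return False
    if rule.from_vlan is not None and rule.from_vlan != p.vlan:
        return False
    if p.src not in rule.src or p.dst not in rule.dst:
        return False
    if rule.proto in ("tcp", "udp"):
        return rule.dport[0] <= p.dport <= rule.dport[1]
    return True


def evaluate(acl: List[Rule], p: Packet) -> Optional[Rule]:
    """First matching rule in ascending precedence; later rules are not consulted."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if matches(rule, p):
            return rule
    return None


def decide(acl: List[Rule], p: Packet) -> Tuple[Optional[str], Optional[int]]:
    """(action, precedence) of the deciding rule, or (None, None) if none matched."""
    rule = evaluate(acl, p)
    return (rule.action, rule.precedence) if rule else (None, None)


def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already caught by 'earlier'."""
    proto_ok = earlier.proto in ("ip", later.proto)
    vlan_ok = earlier.from_vlan in (None, later.from_vlan)
    port_ok = (earlier.proto not in ("tcp", "udp")
               or earlier.dport[0] <= later.dport[0] <= later.dport[1] <= earlier.dport[1])
    return (proto_ok and vlan_ok and port_ok
            and later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst))


def shadowed(acl: List[Rule]) -> List[Rule]:
    """Rules that can never fire because a lower-precedence rule covers them."""
    ordered = sorted(acl, key=lambda r: r.precedence)
    return [later for i, later in enumerate(ordered)
            if any(covers(earlier, later) for earlier in ordered[:i])]


# Constructed sample ACL; each entry notes the ip-access-list line it stands for.
SAMPLE_ACL = [
    # deny tcp any any eq telnet log rule-precedence 10
    Rule("deny", "tcp", dport=(23, 23), log=True, precedence=10),
    # deny udp any host 192.168.13.53 eq dns rule-precedence 20
    Rule("deny", "udp", dst=ip_network("192.168.13.53/32"), dport=(53, 53), precedence=20),
    # permit ip 192.168.13.0/24 any rule-precedence 100
    Rule("permit", "ip", src=ip_network("192.168.13.0/24"), precedence=100),
    # deny tcp 192.168.13.0/24 any eq ssh rule-precedence 200   (covered by rule 100)
    Rule("deny", "tcp", src=ip_network("192.168.13.0/24"), dport=(22, 22), precedence=200),
    # deny ip any any log rule-precedence 5000
    Rule("deny", "ip", log=True, precedence=5000),
]

if __name__ == "__main__":
    print(decide(SAMPLE_ACL, pkt("192.168.13.7", "10.1.1.1", 6, 23)))  # ('deny', 10)
    print(decide(SAMPLE_ACL, pkt("192.168.13.7", "10.1.1.1", 6, 22)))  # ('permit', 100)
    print([r.precedence for r in shadowed(SAMPLE_ACL)])                 # [200]
```

The ssh deny at precedence 200 is the pitfall the introduction points at: the permit ip rule at precedence 100 already accepts everything from 192.168.13.0/24, so the later deny is dead configuration. Giving the deny a lower precedence value than the permit, or using insert to place it ahead, is the fix; the shadowed() check finds such rules before they reach an interface.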
NOTE: If creating a new ACL policy, provide a name that uniquely identifies its purpose. The name cannot exceed 32 characters.

ip-access-list
rfs6000-37FABE(config)#ip access-list test
rfs6000-37FABE(config-ip-acl-test)#?
ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  insert   Insert this rule (instead of overwriting an existing rule)
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-ip-acl-test)#

mac-access-list
rfs6000-37FABE(config)#mac access-list test
rfs6000-37FABE(config-mac-acl-test)#?
MAC Extended ACL Configuration commands:
  deny     Specify packets to reject
  disable  Disable rule if not needed
  ex3500   EX3500 device
  insert   Insert this rule (instead of overwriting an existing rule)
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  do       Run commands from Exec mode
  commit   Commit all changes made in this session
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-mac-acl-test)#

ipv6-access-list
rfs6000-37FABE(config-ipv6-acl-test)#?
IPv6 Access Control Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
rfs6000-37FABE(config-ipv6-acl-test)#

ip-snmp-access-list
nx9500-6C8809(config-ip-snmp-acl-test)#?
SNMP ACL Configuration commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward
  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal
nx9500-6C8809(config-ip-snmp-acl-test)#

The WiNG NOC controller can also adopt and manage EX3500 series switches. These are Gigabit Ethernet layer 2 switches with either 24 or 48 10/100/1000BASE-T ports and four Small Form-factor Pluggable (SFP) transceiver slots for fiber connectivity. Once adopted to the NOC, ACLs specifically defined for an EX3500 switch can be used to either prevent or allow specific clients from using it. The following EX3500 ACLs are supported:
ex3500-ext-access-list
ex3500-std-access-list
ex3500: Configures an EX3500 deny or permit rule in a MAC ACL.

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

11.1 ip-access-list
ACCESS-LIST

The following table summarizes IP access list configuration commands:
Table 11.1 IP-Access-List-Config Commands
Command   Description                                                                                                   Reference
deny      Creates a deny access rule or modifies an existing rule. A deny access rule rejects packets from              page 11-5
          specified address(es) and/or destined for specified address(es).
disable   Disables an existing deny or permit rule without removing it from the ACL                                     page 11-17
insert    Inserts a rule in an IP ACL without overwriting or replacing an existing rule having the same precedence      page 11-20
no        Removes a deny and/or a permit access rule from an IP ACL                                                     page 11-22
permit    Creates a permit access rule or modifies an existing rule. A permit access rule accepts packets from          page 11-23
          specified address(es) and/or destined for specified address(es).

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

11.1.1 deny
ip-access-list

Creates a deny rule that rejects packets from a specified source IP and/or to a specified destination IP. You can also use this command to modify an existing deny rule.

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the listed EtherType for any other EtherType.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]

deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

deny dns-name [contains|exact|suffix]
deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters

deny <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

<NETWORK-SERVICE-ALIAS-NAME>
  Applies this deny rule to packets based on the service protocols and ports specified in the network-service alias.
  <NETWORK-SERVICE-ALIAS-NAME> Specify the network-service alias name (should be existing and configured). A network-service alias defines the service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL deny rule.
  Note: For more information on configuring a network-service alias, see alias.

<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. Packets matching the service protocols and ports specified in the network-service alias and received from the specified network are dropped.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. Packets matching the service protocols and ports specified in the network-service alias and received from the addresses identified by the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured). A network-group alias defines a single address or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).

any
  Specifies the source as any source IP address. Packets matching the service protocols and ports specified in the network-service alias and received from any source are dropped.

from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. Packets matching the service protocols and ports specified in the network-service alias and received from the specified VLAN(s) are dropped.
  <VLAN-ID> Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. Packets matching the service protocols and ports specified in the network-service alias and received from the specified host are dropped.
  <SOURCE-HOST-IP> Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets matching the service protocols and ports specified in the network-service alias and addressed to the specified network are dropped.

any
  Specifies the destination as any destination IP address. Packets matching the service protocols and ports specified in the network-service alias and addressed to any destination are dropped.

host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. Packets matching the service protocols and ports specified in the network-service alias and addressed to the specified host are dropped.
  <DEST-HOST-IP> Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the destination IP addresses. Packets matching the service protocols and ports specified in the network-service alias and destined for the addresses identified by the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).

log
  Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

mark [8021p <0-7>|dscp <0-63>]
  Specifies packets to mark.
  8021p <0-7> Marks packets by modifying the 802.1p VLAN user priority.
  dscp <0-63> Marks packets by modifying the DSCP TOS bits in the header.

rule-precedence <1-5000>
rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  rule-precedence Assigns a precedence for this deny rule.
  <1-5000> Specify a value from 1 - 5000.
  Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  rule-description Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
dns-name
  Applies this deny rule to packets based on the DNS names specified in the network-service alias.

contains
  Matches any hostname which contains this DNS label (for example, *.test.*).

exact
  Matches an exact hostname as specified in the network-service alias.

suffix
  Matches any hostname ending with this suffix (for example, *.test).

<WORD>
  Identifies a specific host (as the source to match) by its domain name. Packets matching the service protocols and ports specified in the network-service alias and received from the specified host are dropped.

log
  Logs all deny events matching this DNS entry. If a dns-name is matched, an event is logged.

rule-precedence <1-5000>
rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  rule-precedence Assigns a precedence for this deny rule.
  <1-5000> Specify a value from 1 - 5000.
  Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  rule-description Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
icmp
  Applies this deny rule to Internet Control Message Protocol (ICMP) packets only.

<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).

any
  Specifies the source as any IP address. ICMP packets received from any source are dropped.

from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are dropped.
  <VLAN-ID> Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are dropped.
  <SOURCE-HOST-IP> Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to the specified destinations are dropped.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for addresses identified by the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).

any
  Specifies the destination as any IP address. ICMP packets addressed to any destination are dropped.

host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are dropped.
  <DEST-HOST-IP> Specify the destination host's exact IP address in the A.B.C.D format.

<ICMP-TYPE>
  Defines the ICMP packet type. For example, ICMP type 0 indicates an ECHO REPLY, and type 8 indicates an ECHO.

<ICMP-CODE>
  Defines the ICMP message code. For example, with type 3 (Destination Unreachable), code 1 indicates Host Unreachable and code 3 indicates Port Unreachable.
  Note: After specifying the source and destination IP address(es), the ICMP message type, and the ICMP code, specify the action taken in case of a match.

log
  Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000>
rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  rule-precedence Assigns a precedence for this deny rule.
  <1-5000> Specify a value from 1 - 5000.
  rule-description Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
ip
  Applies this deny rule to IP packets only.

<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are dropped.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).

any
  Specifies the source as any IP address. IP packets received from any source are dropped.

from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are dropped.
  <VLAN-ID> Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are dropped.
  <SOURCE-HOST-IP> Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are dropped.

any
  Specifies the destination as any IP address. IP packets addressed to any destination are dropped.

host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are dropped.
  <DEST-HOST-IP> Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the destination IP addresses. IP packets destined for addresses identified by the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).

log
  Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000>
rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  rule-precedence Assigns a precedence for this deny rule.
  <1-5000> Specify a value from 1 - 5000.
  Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  rule-description Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
proto
  Configures the ACL for additional protocols. Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.

<PROTOCOL-NUMBER>
  Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number.
  <PROTOCOL-NUMBER> Specify the protocol number.

<PROTOCOL-NAME>
  Filters protocols using their IANA protocol name.
  <PROTOCOL-NAME> Specify the protocol name.

eigrp
  Identifies the Enhanced Interior Gateway Routing Protocol (EIGRP) (protocol number 88). EIGRP enables routers to maintain copies of neighbors' routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to its neighbors, who in turn query their neighbors until a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.

gre
  Identifies the Generic Routing Encapsulation (GRE) protocol (protocol number 47). GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.

igmp
  Identifies the Internet Group Management Protocol (IGMP) (protocol number 2). IGMP establishes and maintains multicast group memberships for interested members. Multicasting allows a networked computer to send content to multiple computers that have registered to receive the content. IGMP snooping listens to IGMP traffic between an IGMP host and routers in the network to maintain a map of the links that require multicast streams. Multicast traffic is filtered out for those links which do not require it.

igp
  Identifies any private interior gateway protocol (primarily used by Cisco for IGRP) (protocol number 9). IGP enables the exchange of information between hosts and routers within a managed network. The most commonly used interior gateway protocols (IGPs) are Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).

ospf
  Identifies the OSPF protocol (protocol number 89). OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link-state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.

vrrp
  Identifies the Virtual Router Redundancy Protocol (VRRP) (protocol number 112). VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router from this pool and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.

<SOURCE-IP/MASK>
  Specifies the source IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the source IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the sources defined in the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).

any
  Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.

from-vlan <VLAN-ID>
  Specifies a single VLAN or a range of VLANs as the match criteria. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified here are dropped.
  <VLAN-ID> Specify the VLAN ID. A range of VLANs is represented by the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped.
  <SOURCE-HOST-IP> Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
  Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified destinations are dropped.

any
  Specifies the destination as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.

host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.
  <DEST-HOST-IP> Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
  Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).
  Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.

log
  Logs all deny events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000>
rule-description <LINE>
  The following keywords are recursive and common to all of the above parameters:
  rule-precedence Assigns a precedence for this deny rule.
  <1-5000> Specify a value from 1 - 5000.
  Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  rule-description Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
tcp
  Applies this deny rule to TCP packets only.

udp
  Applies this deny rule to UDP packets only.

<SOURCE-IP/MASK>
  This keyword is common to the tcp and udp parameters. Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are dropped.

<NETWORK-GROUP-ALIAS-NAME>
  This keyword is common to the tcp and udp parameters. Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the addresses identified by the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).
  Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.

any
  This keyword is common to the tcp and udp parameters. Specifies the source as any IP address. TCP/UDP packets received from any source are dropped.

from-vlan <VLAN-ID>
  This keyword is common to the tcp and udp parameters. Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs identified here are dropped.
  <VLAN-ID> Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
  Note: Use this option with WLANs and port ACLs.

host <SOURCE-HOST-IP>
  Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the specified host are dropped.
  <SOURCE-HOST-IP> Specify the source host's exact IP address in the A.B.C.D format.

<DEST-IP/MASK>
  This keyword is common to the tcp and udp parameters. Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the specified destinations are dropped.

any
  This keyword is common to the tcp and udp parameters. Specifies the destination as any destination IP address. TCP/UDP packets addressed to any destination are dropped.

eq <SOURCE-PORT>
  Identifies a specific source port.
  <SOURCE-PORT> Specify the exact source port.

host <DEST-HOST-IP>
  Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are dropped.
  <DEST-HOST-IP> Specify the destination host's exact IP address in the A.B.C.D format.

<NETWORK-GROUP-ALIAS-NAME>
  This keyword is common to the tcp and udp parameters. Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are dropped.
  <NETWORK-GROUP-ALIAS-NAME> Specify the network-group alias name (should be existing and configured).

range <START-PORT> <END-PORT>
  Specifies a range of source ports.
  <START-PORT> Specify the first port in the range.
  <END-PORT> Specify the last port in the range.

eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]
  Identifies a specific destination or protocol port to match.
  <1-65535> The destination port is designated by its number.
  <SERVICE-NAME> Specifies the service name.
  bgp The designated Border Gateway Protocol (BGP) port (179)
  dns The designated Domain Name System (DNS) port (53)
  ftp The designated File Transfer Protocol (FTP) port (21)
  ftp-data The designated FTP data port (20)
  gopher The designated Gopher protocol port (70)
  https The designated HTTPS port (443)
  ldap The designated Lightweight Directory Access Protocol (LDAP) port (389)
  nntp The designated Network News Transfer Protocol (NNTP) port (119)
  ntp The designated Network Time Protocol (NTP) port (123)
  pop3 The designated POP3 port (110)
  sip The designated Session Initiation Protocol (SIP) port (5060)
  smtp The designated Simple Mail Transfer Protocol (SMTP) port (25)
  ssh The designated Secure Shell (SSH) port (22)
  telnet The designated Telnet port (23)
  tftp The designated Trivial File Transfer Protocol (TFTP) port (69)
  www The designated www (HTTP) port (80)

range <START-PORT> <END-PORT>
  Specifies a range of destination ports.
  <START-PORT> Specify the first port in the range.
  <END-PORT> Specify the last port in the range.

log
  Logs all deny events matching this entry. If a source and/or destination IP address or port is matched (i.e. a TCP/UDP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.

rule-precedence <1-5000>
rule-description <LINE>
  The following keywords are recursive and common to all of the above:
  rule-precedence Assigns a precedence for this deny rule.
  <1-5000> Specify a value from 1 - 5000.
  Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
  rule-description Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines

Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:

- IP
- ICMP
- TCP
- UDP
- PROTO (any Internet protocol other than TCP, UDP, and ICMP)

The last access control entry (ACE) in the access list is an implicit deny statement. Whenever the interface receives a packet, its content is checked against the ACEs in the ACL, and the packet is allowed or denied based on the ACL configuration. Filtering TCP/UDP allows you to specify port numbers as filtering criteria. Select ICMP as the protocol to allow or deny ICMP packets; selecting ICMP filters ICMP packets based on ICMP type and code.

NOTE: The log option is functional only for router ACLs. The log option sends an informational logging message about the packet that matches the entry to the console.

Example

rfs6000-37FABE(config-ip-acl-test)#deny proto vrrp any any log rule-precedence 600
rfs6000-37FABE(config-ip-acl-test)#deny proto ospf any any log rule-precedence 650
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
deny proto vrrp any any log rule-precedence 600
deny proto ospf any any log rule-precedence 650
rfs6000-37FABE(config-ip-acl-test)#
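The usage guidelines above describe the evaluation model that matters for getting a deny rule right: rules are consulted in ascending precedence (a lower value wins), the first match decides, a disabled rule is skipped, and anything unmatched falls through to the implicit deny at the end of the list. The following Python model is an added example written for this page, not vendor code from the WiNG CLI; the rule fields, the constructed sample ACL, the sample packets and the service-port table (taken from the eq keyword list above) are all assumptions made for the illustration. It goes slightly beyond the page's own example by also showing how a disabled rule changes the outcome.

```python
"""Model of IP ACL evaluation with rule precedence and an implicit deny.

Constructed example for illustration; not the vendor's implementation.
Rules are tried in ascending precedence (lower value = higher priority),
the first matching rule decides, disabled rules are skipped, and an
unmatched packet hits the implicit deny that ends every ACL.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Well-known service ports as listed for the 'eq' keyword in this guide.
SERVICE_PORTS = {"bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70,
                 "https": 443, "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110,
                 "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80}
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass
class AclRule:
    action: str          # "permit" or "deny"
    proto: str           # "ip", "icmp", "tcp", "udp", or an IANA number as in 'proto 112'
    src: str             # "any", "host A.B.C.D" or "A.B.C.D/M"
    dst: str             # same forms as src
    dport: Optional[Tuple[int, int]] = None   # destination port: eq -> (p, p), range -> (a, b)
    precedence: int = 5000
    log: bool = False
    disabled: bool = False   # 'disable' keeps the rule in the ACL but it no longer filters


def eq(service) -> Tuple[int, int]:
    """'eq <1-65535>' or 'eq <SERVICE-NAME>' expressed as a one-port range."""
    port = SERVICE_PORTS[service] if isinstance(service, str) else int(service)
    return (port, port)


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip_address(addr) == ip_address(spec[5:])
    return ip_address(addr) in ip_network(spec, strict=False)


def _proto_match(spec: str, proto: int) -> bool:
    if spec == "ip":          # an 'ip' rule matches every IP packet regardless of payload protocol
        return True
    number = PROTO_NUMBERS[spec] if spec in PROTO_NUMBERS else int(spec)
    return number == proto


def evaluate(acl: List[AclRule], pkt: dict) -> Tuple[str, Optional[int], bool]:
    """Return (action, precedence of the matching rule or None for the implicit deny, logged)."""
    for rule in sorted(acl, key=lambda r: r.precedence):
        if rule.disabled:
            continue
        if not _proto_match(rule.proto, pkt["proto"]):
            continue
        if not (_addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])):
            continue
        if rule.dport is not None:
            port = pkt.get("dport")
            if port is None or not rule.dport[0] <= port <= rule.dport[1]:
                continue
        return rule.action, rule.precedence, rule.log
    return "deny", None, False   # implicit deny: the last ACE of every ACL


# Constructed sample ACL, deliberately listed out of precedence order.
SAMPLE_ACL = [
    AclRule("deny", "112", "any", "any", precedence=600, log=True),   # deny proto vrrp any any log
    AclRule("permit", "icmp", "any", "any", precedence=30),
    AclRule("deny", "icmp", "any", "host 10.0.0.5", precedence=20, log=True),
    AclRule("permit", "tcp", "192.168.100.0/24", "any", dport=eq("ssh"), precedence=10),
]

if __name__ == "__main__":
    # Constructed sample packets: (protocol number, source, destination, destination port)
    for pkt in ({"proto": 6, "src": "192.168.100.7", "dst": "10.0.0.5", "dport": 22},
                {"proto": 6, "src": "192.168.100.7", "dst": "10.0.0.5", "dport": 23},
                {"proto": 1, "src": "172.16.1.1", "dst": "10.0.0.5"},
                {"proto": 112, "src": "10.0.0.1", "dst": "224.0.0.18"}):
        print(pkt, "->", evaluate(SAMPLE_ACL, pkt))
```

The SSH packet from the 192.168.100.0/24 network is permitted by precedence 10 even though the list is written out of order; the telnet packet matches no rule and is dropped by the implicit deny, which is why an ACL that only contains permits still blocks everything else. Disabling the precedence-20 deny lets the broader permit at 30 take effect, which is the behaviour the disable command relies on.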
Using aliases in an IP access list. The following examples show the usage of network-group aliases:

rfs4000-229D58(config)#ip access-list bar

Example 1:
rfs4000-229D58(config-ip-acl-bar)#permit ip $foo any rule-precedence 10

Example 2:
rfs4000-229D58(config-ip-acl-bar)#permit tcp 192.168.100.0/24 $foobar eq ftp rule-precedence 20

Example 3:
rfs4000-229D58(config-ip-acl-bar)#deny ip $guest $lab rule-precedence 30

- In example 1, network-group alias $foo is used as a source.
- In example 2, network-group alias $foobar is used as a destination.
- In example 3, network-group aliases $guest and $lab are used as source and destination respectively.

The following examples show the usage of network-service aliases:

Example 4:
rfs4000-229D58(config-ip-acl-bar)#permit $kerberos 10.60.20.0/24 $kerberos-servers log rule-precedence 40

Example 5:
rfs4000-229D58(config-ip-acl-bar)#permit $Tandem 10.60.20.0/24 $Tandem-servers log rule-precedence 50

In examples 4 and 5:
- The network-service aliases ($kerberos and $Tandem) define the destination protocol-port combinations.
- The source network is 10.60.20.0/24.
- The destination network-address combinations are defined by the network-group aliases ($kerberos-servers and $Tandem-servers).

Related Commands

no - Removes a specified IP deny access rule
alias - Creates and configures aliases (network, VLAN, and service)

11.1.2 disable ip-access-list

Disables an existing deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

disable [deny|insert|permit]

disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]

disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)

Parameters

disable [deny|insert [deny|permit]|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name [contains|exact|suffix]|icmp|ip|proto <PROTOCOL-OPTIONS>|tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence)
disable [deny|insert [deny|permit]|permit]
  Disables a deny or permit access rule without removing it from the ACL. This command also enables the insertion of a disabled deny or permit rule without overwriting an existing rule in the IP ACL.
  Note: To disable an existing deny/permit rule, provide the exact values used to configure the deny or permit rule.

<NETWORK-SERVICE-ALIAS-NAME>
  Specifies the network-service alias, identified by the <NETWORK-SERVICE-ALIAS-NAME> keyword, associated with the deny/permit rule.

dns-name [contains|exact|suffix]
  Specifies the packets to reject based on the dns-name match. Applies this rule to packets based on the DNS names specified in the network-service alias.

icmp
  Disables a rule applicable to ICMP packets only.

ip
  Disables a rule applicable to IP packets only.

proto <PROTOCOL-OPTIONS>
  Disables a rule applicable to any Internet protocol other than TCP, UDP, or ICMP.
  <PROTOCOL-OPTIONS> Identify the Internet protocol using the options available.

tcp
  Disables a rule applicable to TCP packets only.

udp
  Disables a rule applicable to UDP packets only.
  Note: After specifying the packet type, specify the source and destination devices and network address(es) to match.

<SOURCE-IP/MASK>
  Specify the source IP address and mask in the A.B.C.D/M format.

<NETWORK-GROUP-ALIAS-NAME>
  Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule.

any
  Select any if the rule is applicable to any source IP address.

from-vlan <VLAN-ID>
  Specify the VLAN IDs.

host <SOURCE-HOST-IP>
  Specify the source host's exact IP address.

<DEST-IP/MASK>
  Specify the destination IP address and mask in the A.B.C.D/M format.

<NETWORK-GROUP-ALIAS-NAME>
  Specifies the network-group alias, identified by the <NETWORK-GROUP-ALIAS-NAME> keyword, associated with this deny/permit rule.

any
  Select any if the rule is applicable to any destination IP address.

host <DEST-HOST-IP>
  Specify the destination host's exact IP address.

log
  Select log if the rule has been configured to log records in case of a match.

mark [8021p <0-7>|dscp <0-63>]
  Specifies packets to mark.
  8021p <0-7> Marks packets by modifying the 802.1p VLAN user priority.
  dscp <0-63> Marks packets by modifying the DSCP TOS bits in the header.

rule-precedence <1-5000>
  Specify the rule precedence. The deny or permit rule with the specified precedence is disabled.
  Note: To enable a disabled rule, enter the rule again without the disable keyword.
  Note: The no > disable command removes a disabled rule from the ACL.

Example

The following example shows the auto-tunnel-acl settings before the disable command is executed:
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#

rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#disable permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#

The following example shows the auto-tunnel-acl settings after the disable command is executed:

rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#show context
ip access-list auto-tunnel-acl
permit ip host 200.200.200.99 30.30.30.1/24 rule-precedence 2
disable permit ip host 200.200.200.99 any rule-precedence 3
rfs6000-37FABE(config-ip-acl-auto-tunnel-acl)#

rfs4000-229D58(config-ip-acl-test)#deny icmp any any log rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#

rfs4000-229D58(config-ip-acl-test)#disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
disable deny icmp any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#

In the following example a disabled deny rule has been inserted in the IP ACL test:

rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
deny tcp from-vlan 1 any any rule-precedence 1
permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#

rfs4000-229D58(config-ip-acl-test)#disable insert deny ip any any log rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
deny tcp from-vlan 1 any any rule-precedence 1
disable deny ip any any log rule-precedence 2
permit icmp any host 192.168.13.7 1 1 rule-precedence 3
rfs4000-229D58(config-ip-acl-test)#
Related Commands
no
    Removes a deny, permit, or disabled rule (to re-enable a disabled rule, re-enter it without the disable keyword)
deny
    Creates a new deny access rule or modifies an existing rule
permit
    Creates a new permit access rule or modifies an existing rule
alias
    Creates and configures aliases (network, VLAN, and service)

11.1.3 insert
ip-access-list

Enables the insertion of a rule in an IP ACL without overwriting or replacing an existing rule having the same precedence.

The insert option allows a new rule to be inserted within an IP access list. Consider an IP ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4 without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule's precedence changes to 5, and the change cascades down the list of rules within the ACL: rule 5 becomes rule 6, and rule 6 becomes rule 7.

NOTE: NOT using insert when creating a new rule having the same precedence as an existing rule overwrites the existing rule.

Supported in the following platforms:
Access Points
    AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

Parameters
insert [deny|permit] <PARAMETERS> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

[deny|permit]
    Inserts a deny or a permit rule within an IP ACL.
<PARAMETERS>
    Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here. For more information on the deny rule, see deny. For more information on the permit rule, see permit. After specifying the match criteria, specify the action taken for filtered packets.
log
    Logs all deny/permit events matching this entry. If a source and/or destination IP address is matched, an event is logged.
mark [8021p <0-7>|dscp <0-63>]
    Specifies packets to mark.
    8021p <0-7>
        Marks packets by modifying the 802.1p VLAN user priority.
    dscp <0-63>
        Marks packets by modifying the DSCP bits (TOS field) in the IP header.
rule-precedence <1-5000>
    Assigns a precedence for this deny/permit rule.
    <1-5000>
        Specify a value from 1 - 5000.
        Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this new rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

NOTE: The log option is functional only for router ACLs. The log option displays an informational logging message about the packet that matches the entry, sent to the console.

Example
rfs4000-229D58(config-ip-acl-test)#deny tcp from-vlan 1 any any rule-precedence 1
rfs4000-229D58(config-ip-acl-test)#permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 permit icmp any host 192.168.13.7 1 1 rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#

In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence 2 rule changes to precedence 3. Because rules are evaluated in ascending precedence order, the inserted deny ip any any rule now matches every IP packet before the permit icmp rule is reached, so that permit no longer takes effect:

rfs4000-229D58(config-ip-acl-test)#insert deny ip any any rule-precedence 2
rfs4000-229D58(config-ip-acl-test)#show context
ip access-list test
 deny tcp from-vlan 1 any any rule-precedence 1
 deny ip any any rule-precedence 2
 permit icmp any host 192.168.13.7 1 1 rule-precedence 3
rfs4000-229D58(config-ip-acl-test)#
Related Commands
alias
    Creates and configures aliases (network, VLAN, and service)

11.1.4 no
ip-access-list

Removes a deny, permit, or disable rule.

Supported in the following platforms:
Access Points
    AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|disable|permit]
no [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp] <RULE-PARAMETERS>
no disable [deny|permit] [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp] <RULE-PARAMETERS>

Parameters
no <PARAMETERS>

no <PARAMETERS>
    Removes a deny, permit, or disable rule.

Usage Guidelines
Removes an access control list entry. Provide the rule-precedence value when using the no command.

Example
The following example shows the ACL test settings before the no commands are executed:

rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
 deny proto vrrp any any log rule-precedence 600
 deny proto ospf any any log rule-precedence 650
rfs6000-37FABE(config-ip-acl-test)#

rfs6000-37FABE(config-ip-acl-test)#no deny proto vrrp any any rule-precedence 600
rfs6000-37FABE(config-ip-acl-test)#no deny proto ospf any any rule-precedence 650

The following example shows the ACL test settings after the no commands are executed:

rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
rfs6000-37FABE(config-ip-acl-test)#
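The disable, insert and no examples above all turn on one property of a WiNG IP ACL: rules are evaluated in ascending rule-precedence order, so where a rule lands decides what it shadows. The following Python model is an added example written for this page, not Extreme/WiNG code. It replays the test ACL from the insert and disable examples and shows the deny ip any any rule inserted at precedence 2 shadowing the ICMP permit (which moves to precedence 3), the rule being disabled, and then removed with no. Two points are assumptions rather than documented behaviour: the insert cascade is modelled as stopping at the first unused precedence value (the guide's example only covers contiguous precedences), and a packet matching no rule returns None because this page does not state the default action. Only protocol and source/destination addresses are matched; from-vlan, ports, ICMP type/code, log and mark are not modelled.

```python
"""Model of how a WiNG IP ACL orders, inserts, disables and removes rules.
Added example for this page; it is not Extreme/WiNG code. The cascade stopping
at the first free precedence and the no-match result are assumptions."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches any IP protocol; otherwise "icmp", "tcp", ...
    src: str             # "any", "host A.B.C.D" or "A.B.C.D/M"
    dst: str
    precedence: int      # 1-5000; the lowest value is evaluated first
    disabled: bool = False

    def text(self) -> str:
        """'show context' style line (log and ICMP type/code are not modelled)."""
        body = f"{self.action} {self.proto} {self.src} {self.dst} rule-precedence {self.precedence}"
        return f"disable {body}" if self.disabled else body


def parse_rule(line: str) -> Rule:
    """Parse one ACL line such as 'disable deny ip any any log rule-precedence 2'
    or 'permit icmp any host 192.168.13.7 1 1 rule-precedence 2'."""
    tok = line.split()
    disabled = tok[0] == "disable"
    if disabled:
        tok = tok[1:]
    pos = 2                              # tok[0] = action, tok[1] = protocol

    def addr() -> str:                   # 'any', 'A.B.C.D/M' or 'host A.B.C.D'
        nonlocal pos
        if tok[pos] == "host":
            pos += 2
            return f"host {tok[pos - 1]}"
        pos += 1
        return tok[pos - 1]

    src, dst = addr(), addr()
    prec = int(tok[tok.index("rule-precedence") + 1])
    return Rule(tok[0], tok[1], src, dst, prec, disabled)


def addr_match(spec: str, ip: str) -> bool:
    """Match an address against an 'any', 'host X' or 'A.B.C.D/M' rule field."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return spec.split()[1] == ip
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


class IpAcl:
    def __init__(self, name: str):
        self.name = name
        self.rules = {}                  # precedence -> Rule

    def add(self, rule: Rule) -> None:
        """deny/permit without insert: a rule at the same precedence is overwritten."""
        self.rules[rule.precedence] = rule

    def insert(self, rule: Rule) -> None:
        """insert: the existing rule at this precedence moves down one slot and the
        move cascades through consecutively occupied slots (assumption: it stops
        at the first free precedence value)."""
        p, displaced = rule.precedence, []
        while p in self.rules:
            displaced.append(self.rules.pop(p))
            p += 1
        self.rules[rule.precedence] = rule
        for r in displaced:
            self.rules[r.precedence + 1] = replace(r, precedence=r.precedence + 1)

    def disable(self, precedence: int) -> None:   # rule is kept but no longer matched
        self.rules[precedence] = replace(self.rules[precedence], disabled=True)

    def enable(self, precedence: int) -> None:    # re-enter the rule without 'disable'
        self.rules[precedence] = replace(self.rules[precedence], disabled=False)

    def remove(self, precedence: int) -> None:    # 'no deny|permit|disable ... rule-precedence N'
        del self.rules[precedence]

    def show_context(self) -> list:
        return [self.rules[p].text() for p in sorted(self.rules)]

    def evaluate(self, proto: str, src_ip: str, dst_ip: str):
        """First enabled rule, in ascending precedence, that matches the packet.
        Returns None when nothing matches; the device's default action for that
        case is not described on this page and is not modelled."""
        for p in sorted(self.rules):
            r = self.rules[p]
            if r.disabled or r.proto not in ("ip", proto):
                continue
            if addr_match(r.src, src_ip) and addr_match(r.dst, dst_ip):
                return r
        return None


def demo() -> list:
    """Replays the page's 'test' ACL: the inserted deny ip any any shadows the
    ICMP permit until it is disabled, and 'no' removes it again."""
    acl = IpAcl("test")
    acl.add(parse_rule("permit icmp any host 192.168.13.7 1 1 rule-precedence 2"))
    pkt = ("icmp", "10.0.0.5", "192.168.13.7")        # constructed sample packet
    before = acl.evaluate(*pkt).action                # permit
    acl.insert(parse_rule("deny ip any any log rule-precedence 2"))
    shadowed = acl.evaluate(*pkt).action              # deny: the permit moved to 3
    acl.disable(2)
    after_disable = acl.evaluate(*pkt).action         # permit again
    acl.remove(2)
    return [before, shadowed, after_disable] + acl.show_context()


if __name__ == "__main__":
    print("\n".join(demo()))
```

Running demo() walks through the same sequence as the CLI transcripts: permit, then deny once the broader rule sits in front, then permit again once that rule is disabled, ending with only the ICMP permit (now at precedence 3) left in the list. The cascade and overwrite behaviour from the insert section can be checked the same way by adding rules 1 through 6 and inserting at 4 with and without insert.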
11.1.5 permit
ip-access-list

Creates a permit rule that marks packets (from a specified source IP and/or to a specified destination IP) for forwarding. You can also use this command to modify an existing permit rule.

NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for IP ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.

Supported in the following platforms:
Access Points
    AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers
    RFS4000, RFS6000
Service Platforms
    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit [<NETWORK-SERVICE-ALIAS-NAME>|dns-name|icmp|ip|proto|tcp|udp]

permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

permit dns-name [contains|exact|suffix]
permit dns-name [contains|exact|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit dns-name exact <WORD> (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}

permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
permit <NETWORK-SERVICE-ALIAS-NAME> [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|any|host <DEST-HOST-IP>|<NETWORK-GROUP-ALIAS-NAME>] (log,mark [8021p <0-7>|dscp <0-63>],rule-precedence <1-5000>) {(rule-description <LINE>)}

<NETWORK-SERVICE-ALIAS-NAME>
    Applies this permit rule to packets based on the service protocols and ports specified in the network-service alias.
    <NETWORK-SERVICE-ALIAS-NAME>
        Specify the network-service alias name (should be existing and configured). A network-service alias defines service protocols and ports to match. When used with an ACL, the network-service alias defines the service-specific components of the ACL permit rule.
        Note: For more information on configuring a network-service alias, see alias.
<SOURCE-IP/MASK>
    Specifies the source IP address and mask (A.B.C.D/M) to match. Packets matching the service protocols and ports specified in the network-service alias, received from the specified network, are permitted.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the source IP addresses. Packets matching the service protocols and ports specified in the network-service alias, received from the addresses identified by the network-group alias, are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured). A network-group alias defines a single address or a range of addresses of devices, hosts, and networks. When used with an ACL, the network-group alias defines the network-specific component of the ACL rule (permit/deny).
any
    Specifies the source as any source IP address. Packets matching the service protocols and ports specified in the network-service alias, received from any source, are permitted.
from-vlan <VLAN-ID>
    Specifies a single VLAN or a range of VLANs as the match criteria. Packets matching the service protocols and ports specified in the network-service alias, received from the specified VLAN(s), are permitted.
    <VLAN-ID>
        Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
        Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
    Identifies a specific host (as the source to match) by its IP address. Packets matching the service protocols and ports specified in the network-service alias, received from the specified host, are permitted.
    <SOURCE-HOST-IP>
        Specify the source host's exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
    Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets matching the service protocols and ports specified in the network-service alias, addressed to the specified network, are permitted.
any
    Specifies the destination as any destination IP address. Packets matching the service protocols and ports specified in the network-service alias, addressed to any destination, are permitted.
host <DEST-HOST-IP>
    Identifies a specific host (as the destination to match) by its IP address. Packets matching the service protocols and ports specified in the network-service alias, addressed to the specified host, are permitted.
    <DEST-HOST-IP>
        Specify the destination host's exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the destination IP addresses. Packets matching the service protocols and ports specified in the network-service alias, destined for the addresses identified by the network-group alias, are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
log
    Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. if any specified type of packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
mark [8021p <0-7>|dscp <0-63>]
    Specifies packets to mark.
    8021p <0-7>
        Marks packets by modifying the 802.1p VLAN user priority.
    dscp <0-63>
        Marks packets by modifying the DSCP bits (TOS field) in the IP header.
rule-precedence <1-5000>
rule-description <LINE>
    The following keywords are recursive and common to all of the above parameters:
    rule-precedence
        Assigns a precedence for this permit rule.
        <1-5000>
            Specify a value from 1 - 5000.
            Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    rule-description
        Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit dns-name [contains|exact (mark)|suffix] <WORD> (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

dns-name
    Applies this permit rule to packets based on the DNS hostname specified.
contains
    Matches any hostname that contains this DNS label (for example, *.test.*).
exact
    Matches the exact hostname specified. The mark option is available only with exact.
suffix
    Matches any hostname ending with this suffix (for example, *.test).
<WORD>
    Identifies a specific host (as the source to match) by its domain name. Packets received from the specified host are forwarded.
log
    Logs all permit events matching this DNS entry. If a dns-name is matched, an event is logged.
mark [8021p <0-7>|dscp <0-63>]
    Specifies packets to mark (exact match only).
    8021p <0-7>
        Marks packets by modifying the 802.1p VLAN user priority.
    dscp <0-63>
        Marks packets by modifying the DSCP bits (TOS field) in the IP header.
rule-precedence <1-5000>
rule-description <LINE>
    The following keywords are recursive and common to all of the above parameters:
    rule-precedence
        Assigns a precedence for this permit rule.
        <1-5000>
            Specify a value from 1 - 5000.
            Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    rule-description
        Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit icmp [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (<ICMP-TYPE> <ICMP-CODE>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
icmp
    Applies this permit rule to ICMP packets only.
<SOURCE-IP/MASK>
    Specifies the source IP address and mask (A.B.C.D/M) to match. ICMP packets received from the specified sources are permitted.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the source IP addresses. ICMP packets received from the addresses identified by the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
any
    Specifies the source as any source IP address. ICMP packets received from any source are permitted.
from-vlan <VLAN-ID>
    Specifies a single VLAN or a range of VLANs as the match criteria. ICMP packets received from the VLANs identified here are permitted.
    <VLAN-ID>
        Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
        Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
    Identifies a specific host (as the source to match) by its IP address. ICMP packets received from the specified host are permitted.
    <SOURCE-HOST-IP>
        Specify the source host's exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
    Specifies the destination IP address and mask (A.B.C.D/M) to match. ICMP packets addressed to the specified destinations are permitted.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the destination IP addresses. ICMP packets destined for the addresses identified by the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
any
    Specifies the destination as any destination IP address. ICMP packets addressed to any destination are permitted.
host <DEST-HOST-IP>
    Identifies a specific host (as the destination to match) by its IP address. ICMP packets addressed to the specified host are permitted.
    <DEST-HOST-IP>
        Specify the destination host's exact IP address in the A.B.C.D format.
<ICMP-TYPE>
    Defines the ICMP packet type. For example, ICMP type 0 indicates ECHO REPLY, type 8 indicates ECHO, and type 3 indicates Destination Unreachable.
<ICMP-CODE>
    Defines the ICMP message code within the type. For example, for type 3 (Destination Unreachable), code 1 indicates Host Unreachable and code 3 indicates Port Unreachable.
    Note: After specifying the source and destination IP address(es), the ICMP type, and the ICMP code, specify the action taken in case of a match.
log
    Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an ICMP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000>
rule-description <LINE>
    The following keywords are recursive and common to all of the above parameters:
    rule-precedence
        Assigns a precedence for this permit rule.
        <1-5000>
            Specify a value from 1 - 5000.
            Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    rule-description
        Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit ip [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
ip
    Applies this permit rule to IP packets only.
<SOURCE-IP/MASK>
    Specifies the source IP address and mask (A.B.C.D/M) to match. IP packets received from the specified networks are permitted.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the source IP addresses. IP packets received from the addresses identified by the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
any
    Specifies the source as any source IP address. IP packets received from any source are permitted.
from-vlan <VLAN-ID>
    Specifies a single VLAN or a range of VLANs as the match criteria. IP packets received from the specified VLANs are permitted.
    <VLAN-ID>
        Specify the VLAN ID. To configure a range of VLAN IDs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
        Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
    Identifies a specific host (as the source to match) by its IP address. IP packets received from the specified host are permitted.
    <SOURCE-HOST-IP>
        Specify the source host's exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
    Specifies the destination IP address and mask (A.B.C.D/M) to match. IP packets addressed to the specified networks are permitted.
any
    Specifies the destination as any destination IP address. IP packets addressed to any destination are permitted.
host <DEST-HOST-IP>
    Identifies a specific host (as the destination to match) by its IP address. IP packets addressed to the specified host are permitted.
    <DEST-HOST-IP>
        Specify the destination host's exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the destination IP addresses. IP packets destined for the addresses identified by the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
log
    Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. an IP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000>
rule-description <LINE>
    The following keywords are recursive and common to all of the above parameters:
    rule-precedence
        Assigns a precedence for this permit rule.
        <1-5000>
            Specify a value from 1 - 5000.
            Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    rule-description
        Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igmp|igp|ospf|vrrp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|host <DEST-HOST-IP>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
proto
    Configures the ACL for additional protocols. Protocols other than IP, ICMP, TCP, and UDP must be configured using this parameter.
<PROTOCOL-NUMBER>
    Filters protocols using their IANA protocol number.
    <PROTOCOL-NUMBER>
        Specify the protocol number.
<PROTOCOL-NAME>
    Filters protocols using their IANA protocol name.
    <PROTOCOL-NAME>
        Specify the protocol name.
eigrp
    Identifies the EIGRP protocol (number 88). EIGRP enables routers to maintain copies of neighbors' routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors, who in turn query their neighbors until a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
gre
    Identifies the GRE protocol (number 47). GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.
igmp
    Identifies the IGMP protocol (number 2). IGMP establishes and maintains multicast group memberships for interested members. Multicasting allows a networked computer to send content to multiple computers that have registered to receive the content. IGMP snooping listens to IGMP traffic between IGMP hosts and routers in the network to maintain a map of the links that require multicast streams. Multicast traffic is filtered out on links that do not require it.
igp
    Identifies any private interior gateway protocol (number 9; primarily used by Cisco for IGRP). An IGP exchanges routing information between hosts and routers within a managed network. The most commonly used interior gateway protocols (IGPs) are Routing Information Protocol (RIP) and Open Shortest Path First (OSPF).
ospf
    Identifies the OSPF protocol (number 89). OSPF is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), such as an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.
vrrp
    Identifies the VRRP protocol (number 112). VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router from this pool and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
<SOURCE-IP/MASK>
    Specifies the source IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified sources are permitted.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the source IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the sources defined in the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
any
    Specifies the source as any IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are permitted.
from-vlan <VLAN-ID>
    Specifies a single VLAN or a range of VLANs as the match criteria. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the VLANs identified here are permitted.
    <VLAN-ID>
        Specify the VLAN ID. A range of VLANs is represented by the start and end VLAN IDs separated by a hyphen (for example, 12-20).
        Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
    Identifies a specific host (as the source to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are permitted.
    <SOURCE-HOST-IP>
        Specify the source host's exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
    Specifies the destination IP address and mask (A.B.C.D/M) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified destinations are permitted.
any
    Specifies the destination as any destination IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are permitted.
host <DEST-HOST-IP>
    Identifies a specific host (as the destination to match) by its IP address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are permitted.
    <DEST-HOST-IP>
        Specify the destination host's exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME>
    Applies a network-group alias to identify the destination IP addresses. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the destinations identified in the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
    Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.
log
    Logs all permit events matching this entry. If a source and/or destination IP address is matched (i.e. a packet (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) is received from a specified IP address and/or is destined for a specified IP address), an event is logged.
rule-precedence <1-5000>
rule-description <LINE>
    The following keywords are recursive and common to all of the above parameters:
    rule-precedence
        Assigns a precedence for this permit rule.
        <1-5000>
            Specify a value from 1 - 5000.
            Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
    rule-description
        Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

permit [tcp|udp] [<SOURCE-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|from-vlan <VLAN-ID>|host <SOURCE-HOST-IP>] [<DEST-IP/MASK>|<NETWORK-GROUP-ALIAS-NAME>|any|eq <SOURCE-PORT>|host <DEST-HOST-IP>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
tcp
    Applies this permit rule to TCP packets only.
udp
    Applies this permit rule to UDP packets only.
<SOURCE-IP/MASK>
    This keyword is common to the tcp and udp parameters. Specifies the source IP address and mask (A.B.C.D/M) to match. TCP/UDP packets received from the specified sources are permitted.
<NETWORK-GROUP-ALIAS-NAME>
    This keyword is common to the tcp and udp parameters. Applies a network-group alias to identify the source IP addresses. TCP/UDP packets received from the addresses identified by the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
    Note: After specifying the source and destination IP address(es), specify the action taken in case of a match.
any
    This keyword is common to the tcp and udp parameters. Specifies the source as any source IP address. TCP/UDP packets received from any source are permitted.
from-vlan <VLAN-ID>
    This keyword is common to the tcp and udp parameters. Specifies a single VLAN or a range of VLANs as the match criteria. TCP/UDP packets received from the VLANs identified here are permitted.
    <VLAN-ID>
        Specify the VLAN ID. To configure a range of VLANs, enter the start and end VLAN IDs separated by a hyphen (for example, 12-20).
        Note: Use this option with WLANs and port ACLs.
host <SOURCE-HOST-IP>
    Identifies a specific host (as the source to match) by its IP address. TCP/UDP packets received from the specified host are permitted.
    <SOURCE-HOST-IP>
        Specify the source host's exact IP address in the A.B.C.D format.
<DEST-IP/MASK>
    This keyword is common to the tcp and udp parameters. Sets the destination IP address and mask (A.B.C.D/M) to match. TCP/UDP packets addressed to the specified destinations are permitted.
any
    This keyword is common to the tcp and udp parameters. Specifies the destination as any destination IP address. TCP/UDP packets addressed to any destination are permitted.
eq <SOURCE-PORT>
    Identifies a specific source port.
    <SOURCE-PORT>
        Specify the exact source port.
host <DEST-HOST-IP>
    Identifies a specific host (as the destination to match) by its IP address. TCP/UDP packets addressed to the specified host are permitted.
    <DEST-HOST-IP>
        Specify the destination host's exact IP address in the A.B.C.D format.
<NETWORK-GROUP-ALIAS-NAME>
    This keyword is common to the tcp and udp parameters. Applies a network-group alias to identify the destination IP addresses. TCP/UDP packets destined to the addresses identified in the network-group alias are permitted.
    <NETWORK-GROUP-ALIAS-NAME>
        Specify the network-group alias name (should be existing and configured).
range <START-PORT> <END-PORT>
    Specifies a range of source ports.
    <START-PORT>
        Specify the first port in the range.
    <END-PORT>
        Specify the last port in the range.
eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]
    Identifies a specific destination or protocol port to match.
    <1-65535>
        The destination port is designated by its number.
    <SERVICE-NAME>
        Specifies the service name.
    bgp
        The designated Border Gateway Protocol (BGP) port (179).
    dns
        The designated Domain Name System (DNS) port (53).
    ftp
        The designated File Transfer Protocol (FTP) control port (21).
    ftp-data
        The designated FTP data port (20).
    gopher
        The designated Gopher protocol port (70).
    https
        The designated HTTPS port (443).
    ldap
        The designated Lightweight Directory Access Protocol (LDAP) port (389).
    nntp
        The designated Network News Transfer Protocol (NNTP) port (119).
    ntp
        The designated Network Time Protocol (NTP) port (123).
    pop3
        The designated POP3 port (110).
    sip
        The designated Session Initiation Protocol (SIP) port (5060).
    smtp
        The designated Simple Mail Transfer Protocol (SMTP) port (25).
    ssh
        The designated Secure Shell (SSH) port (22).
    telnet
        The designated Telnet port (23).
    tftp
        The designated Trivial File Transfer Protocol (TFTP) port (69).
    www
        The designated HTTP (www) port (80).
range <START-PORT> <END-PORT>
    Specifies a range of destination ports.
<START-PORT> Specify the first port in the range.
<END-PORT> Specify the last port in the range. Logs all permit events matching this entry. If a source and/or destination IP address or port is matched (i.e. a TCP/UDP packet is received from a specified IP address and/or is destined for a specified IP address), an event is logged. The following keywords are recursive and common to all of the above:
rule-precedence Assigns a precedence for this permit rule
<1-5000> Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10. rule-description Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length). range
<START-PORT>
<END-PORT>
log rule-precedence
<1-5000>
rule-description
<LINE>
Usage Guidelines
Use this command to permit traffic between networks/hosts based on the protocol type selected in the access list. The following protocols are supported:
    IP
    ICMP
    TCP
    UDP
    PROTO (any Internet protocol other than TCP, UDP, and ICMP)
The last ACE in the access list is an implicit deny statement.
Whenever the interface receives a packet, its content is checked against all the ACEs in the ACL. The packet is allowed or denied based on the ACL configuration.
Filtering on TCP or UDP allows you to specify port numbers as filtering criteria. Select ICMP to allow/deny packets. Selecting ICMP filters ICMP packets based on ICMP type and code.
NOTE: The log option is functional only for router ACLs. The log option displays an informational logging message about the packet matching the entry sent to the console.
Example
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
rfs6000-37FABE(config-ip-acl-test)#
rfs6000-37FABE(config-ip-acl-test)#permit ip 172.16.10.0/24 any log rule-precedence 750
rfs6000-37FABE(config-ip-acl-test)#permit tcp 172.16.10.0/24 any log rule-precedence 800
rfs6000-37FABE(config-ip-acl-test)#show context
ip access-list test
 permit ip 172.16.10.0/24 any log rule-precedence 750
 permit tcp 172.16.10.0/24 any log rule-precedence 800
rfs6000-37FABE(config-ip-acl-test)#
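The evaluation order this section describes, as an added example that is not WiNG code: the two rules from the example above plus two constructed ones are parsed and checked against packets in rule-precedence order, with the implicit deny when nothing matches. The names parse_rule, evaluate, Packet and SAMPLE_ACL are the example's own; from-vlan and network-group aliases are not modelled.

```python
"""Evaluator for the IP ACL permit/deny rules described in this section
(added example, not WiNG code). It models first match in rule-precedence
order (lower number wins), the implicit deny at the end of the ACL, any/host/
prefix matching, tcp/udp ports with eq (number or service name) and range,
and the log flag. from-vlan and network-group aliases are not modelled."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Service names and ports as listed in the eq keyword table above.
SERVICE_PORTS = {
    "bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gropher": 70,
    "https": 443, "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110,
    "sip": 5060, "smtp": 25, "ssh": 22, "telnet": 23, "tftp": 69, "www": 80,
}

@dataclass
class Rule:
    action: str                        # permit or deny
    proto: str                         # ip, icmp, tcp or udp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    sport: Optional[Tuple[int, int]]   # (low, high) from eq/range, or None
    dport: Optional[Tuple[int, int]]
    log: bool
    precedence: int

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0

def _port(tok: str) -> int:
    port = SERVICE_PORTS[tok] if tok in SERVICE_PORTS else int(tok)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: " + tok)
    return port

def _net(t: List[str], i: int):
    """Parse any | host A.B.C.D | A.B.C.D/M at token i; return (network, next i)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(t[i], strict=False), i + 1

def _ports(t: List[str], i: int):
    """Parse an optional eq <port> or range <start> <end> clause at token i."""
    if i < len(t) and t[i] == "eq":
        return (_port(t[i + 1]), _port(t[i + 1])), i + 2
    if i < len(t) and t[i] == "range":
        return (_port(t[i + 1]), _port(t[i + 2])), i + 3
    return None, i

def parse_rule(line: str) -> Rule:
    t = line.split()
    action, proto, i = t[0], t[1], 2
    if action not in ("permit", "deny") or proto not in ("ip", "icmp", "tcp", "udp"):
        raise ValueError("unsupported rule: " + line)
    src, i = _net(t, i)
    sport, i = _ports(t, i) if proto in ("tcp", "udp") else (None, i)
    dst, i = _net(t, i)
    dport, i = _ports(t, i) if proto in ("tcp", "udp") else (None, i)
    log = i < len(t) and t[i] == "log"
    i += int(log)
    if i + 1 >= len(t) or t[i] != "rule-precedence":
        raise ValueError("rule-precedence <1-5000> is required: " + line)
    precedence = int(t[i + 1])
    if not 1 <= precedence <= 5000:
        raise ValueError("precedence out of range: " + line)
    return Rule(action, proto, src, dst, sport, dport, log, precedence)

def _in_range(ports: Optional[Tuple[int, int]], port: int) -> bool:
    return ports is None or ports[0] <= port <= ports[1]

def rule_matches(r: Rule, p: Packet) -> bool:
    """An ip rule matches every protocol; tcp/udp rules also check the ports."""
    return ((r.proto == "ip" or r.proto == p.proto)
            and ipaddress.ip_address(p.src) in r.src
            and ipaddress.ip_address(p.dst) in r.dst
            and _in_range(r.sport, p.sport) and _in_range(r.dport, p.dport))

def evaluate(acl: List[Rule], p: Packet) -> Tuple[str, bool, Optional[int]]:
    """First matching ACE in precedence order wins; no match is the implicit
    deny. Returns (action, log flag, precedence of the matching rule or None)."""
    for r in sorted(acl, key=lambda r: r.precedence):
        if rule_matches(r, p):
            return r.action, r.log, r.precedence
    return "deny", False, None

# The two rules from the example above plus two constructed ones.
SAMPLE_ACL = [parse_rule(line) for line in (
    "permit ip 172.16.10.0/24 any log rule-precedence 750",
    "permit tcp 172.16.10.0/24 any log rule-precedence 800",
    "deny tcp any host 10.0.0.5 eq telnet rule-precedence 100",   # constructed
    "permit udp any host 10.0.0.53 eq dns rule-precedence 200",   # constructed
)]
```

The constructed precedence-100 deny wins over the page's precedence-750 permit for Telnet to 10.0.0.5 even though both match, which is the ordering rule the Note above states.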
Related Commands
no        Removes a specified IP permit access rule
alias     Creates and configures aliases (network, VLAN, and service)

11.2 mac-access-list
ACCESS-LIST
The following table summarizes MAC Access list configuration commands:
Table 11.2 MAC-Access-List-Config Commands
Command    Description                                                                                        Reference
deny       Creates a new deny access rule or modifies an existing rule. A deny access rule marks packets for rejection.   page 11-35
disable    Disables a MAC deny or permit rule without removing it from the ACL                                 page 11-38
ex3500     Creates a MAC ACL deny and/or permit rule applicable only to the EX3500 switch                      page 11-40
insert     Inserts a rule in a MAC ACL without overwriting or replacing an existing rule having the same precedence   page 11-43
no         Removes a deny and/or a permit access rule from a MAC ACL                                           page 11-45
permit     Creates a new permit access rule or modifies an existing rule. A permit access rule marks packets for forwarding.   page 11-46

11.2.1 deny
mac-access-list
Creates a deny rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for rejection. You can also use this command to modify an existing deny rule.
NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for MAC ACLs provides the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
deny [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
<SOURCE-MAC> <SOURCE-MAC-MASK>
    Configures the source MAC address and mask to match
    <SOURCE-MAC>  Specify the source MAC address to match.
    <SOURCE-MAC-MASK>  Specify the source MAC address mask. Packets received from the specified MAC addresses are dropped.
any
    Identifies all devices as the source to deny access. Packets received from any source are dropped.
host <SOURCE-HOST-MAC>
    Identifies a specific host as the source to deny access
    <SOURCE-HOST-MAC>  Specify the source host's exact MAC address to match. Packets received from the specified host are dropped.
<DEST-MAC> <DEST-MAC-MASK>
    Configures the destination MAC address and mask to match
    <DEST-MAC>  Specify the destination MAC address to match.
    <DEST-MAC-MASK>  Specify the destination MAC address mask to match. Packets addressed to the specified MAC addresses are dropped.
any
    Identifies all devices as the destination to deny access. Packets addressed to any destination are dropped.
host <DEST-HOST-MAC>
    Identifies a specific host as the destination to deny access
    <DEST-HOST-MAC>  Specify the destination host's exact MAC address to match. Packets addressed to the specified host are dropped.
dot1p <0-7>
    Configures the 802.1p priority value. Sets the service classes for traffic handling
    <0-7>  Specify the 802.1p priority from 0 - 7.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
    Configures the EtherType value. An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
    8021q  Indicates an 802.1q payload (0x8100)
    <1-65535>  Indicates the EtherType protocol number
    aarp  Indicates the AppleTalk Address Resolution Protocol (AARP) payload (0x80F3)
    appletalk  Indicates the AppleTalk protocol payload (0x809B)
    arp  Indicates the ARP payload (0x0806)
    ip  Indicates the Internet Protocol, Version 4 (IPv4) payload (0x0800)
    ipv6  Indicates the Internet Protocol, Version 6 (IPv6) payload (0x86DD)
    ipx  Indicates the Novell IPX payload (0x8137)
    mint  Indicates the MiNT protocol payload (0x8783)
    rarp  Indicates the Reverse Address Resolution Protocol (RARP) payload (0x8035)
    wisp  Indicates the Wireless Internet Service Provider (WISP) payload (0x8783)
vlan <1-4095>
    Configures the VLAN where the traffic is received
    <1-4095>  Specify the VLAN ID from 1 - 4095.
log
    Logs all deny events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.
    The following keywords are recursive and common to all of the above parameters:
rule-precedence <1-5000>
    Assigns a precedence for this deny rule
    <1-5000>  Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
Usage Guidelines
The deny command disallows traffic based on layer 2 (data-link layer) data. The MAC access list denies traffic from a particular source MAC address or any MAC address. It can also disallow traffic from a list of MAC addresses based on the source mask. The MAC access list can disallow traffic based on the VLAN and EtherType:
    ARP
    WISP
    IP
    802.1q
NOTE: MAC ACLs always take precedence over IP based ACLs.
The last ACE in the access list is an implicit deny statement. Whenever the interface receives a packet, its content is checked against all the ACEs in the ACL. It is allowed or denied based on the ACL's configuration.
Example
rfs4000-229D58(config-mac-acl-test)#deny 41-85-45-89-66-77 ff-ff-ff-00-00-00 any vlan 1 rule-precedence 1
rfs4000-229D58(config-mac-acl-test)#deny host 00-01-ae-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
The MAC ACL (in the example below) denies traffic from any source MAC address to a particular host MAC address:
rfs6000-37FABE(config-mac-acl-test)#deny any host 00:01:ae:00:22:11
The following example denies traffic between two hosts based on MAC addresses:
rfs6000-37FABE(config-mac-acl-test)#deny host 01:02:fe:45:76:89 host 01:02:89:78:78:45
Related Commands
no        Removes a specified MAC deny access rule

11.2.2 disable
mac-access-list
Disables a MAC deny or permit rule without removing it from the ACL. A disabled rule is inactive and is not used to filter packets.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
disable [deny|insert|permit]
disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
disable insert [deny|permit]
Parameters
disable [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
disable [deny|insert|permit]
    Disables a deny, insert or permit access rule without removing it from the MAC ACL
    Note: Provide the exact values used to configure the deny or permit rule that is to be disabled.
<SOURCE-MAC> <SOURCE-MAC-MASK>
    Specifies the source MAC address and mask to match
    <SOURCE-MAC>  Specify the source MAC address to match.
    <SOURCE-MAC-MASK>  Specify the source MAC address mask.
any
    Select any if the rule is applicable to any source MAC address
host <SOURCE-HOST-MAC>
    Specify the source host's exact MAC address
<DEST-MAC> <DEST-MAC-MASK>
    Specifies the destination MAC address and mask to match
    <DEST-MAC>  Specify the destination MAC address.
    <DEST-MAC-MASK>  Specify the destination MAC address mask.
any
    Select any if the rule is applicable to any destination MAC address
host <DEST-HOST-MAC>
    Specify the destination host's exact MAC address
    The following keyword defines the action taken when a packet matches any or all of the above specified criteria:
log
    Logs a record when a packet matches the specified criteria
dot1p <0-7>
    Specify the 802.1p priority from 0 - 7.
mark [8021p <0-7>|dscp <0-63>]
    Marks/modifies packets that match the criteria specified here
    8021p <0-7>  Modifies the 802.1p VLAN user priority from 0 - 7
    dscp <0-63>  Modifies the DSCP TOS bits in the IP header from 0 - 63
    Note: This option is applicable only to the disable > permit MAC ACL rule.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
    Use the available options to specify the EtherType value.
vlan <1-4095>
    Specify the VLAN ID(s)
log
    Select log, if the rule has been configured to log records in case of a match.
    The following keywords are recursive and common to all of the above parameters:
rule-precedence <1-5000>
    Provide the precedence assigned to this deny or permit rule.
    <1-5000>  Specify a value from 1 - 5000. The rule with the specified precedence is disabled.
rule-description <LINE>
    Optional. Enter the description configured for this deny or permit rule.
Example
The following example shows the MAC access list test settings before the disable command is executed:
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
rfs4000-229D58(config-mac-acl-test)#disable deny host 00-01-AE-00-22-11 any rule-precedence 2
The following example shows the MAC access list test settings after the disable command is executed:
rfs4000-229D58(config-mac-acl-test)#show context
mac access-list test
 deny 41-85-45-89-66-77 FF-FF-FF-00-00-00 any vlan 1 rule-precedence 1
 disable deny host 00-01-AE-00-22-11 any rule-precedence 2
rfs4000-229D58(config-mac-acl-test)#
Related Commands
no        Enables a disabled deny or permit rule
deny      Creates a new deny access rule or modifies an existing rule
permit    Creates a new permit access rule or modifies an existing rule

11.2.3 ex3500
mac-access-list
Creates a MAC ACL deny and/or permit rule, applicable only to the EX3500 switch.
Each deny or permit rule consists of a set of match criteria and an associated action, which is deny access for the deny rule and allow access for the permit rule. When applied to layer 2 traffic (between an EX3500 switch and the WiNG managed service platform or a WiNG VM interface), every packet is matched against the configured match criteria and in case of a match the packet is dropped or forwarded depending on the rule type.
EX3500 devices (EX3524 and EX3548) are layer 2 Gigabit Ethernet switches with either 24 or 48 10/100/1000-BASE-T ports, and four SFP transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. An EX3500 switch has an SNMP-based management agent that provides both in-band and out-of-band management access. The EX3500 switch utilizes an embedded HTTP Web agent and command line interface (CLI), which in spite of being different from that of the WiNG operating system provides WiNG controllers PoE and port management resources.
NOTE: To implement the EX3500 MAC ACL rule, apply the MAC ACL directly to an EX3500 device, or to an EX35XX profile. For more information, see access-group.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2]
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range <TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]
Parameters
ex3500 [deny|permit] [all|tagged-eth2|untagged-eth2] [any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>] [any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>] [ethertype <0-65535>|ethertype-mask <0-65535>|ex3500-time-range <TIME-RANGE-NAME>|rule-precedence <1-128>|vlan <1-4094>|vlan-mask <1-4095>]
[deny|permit]
    Creates a deny or permit MAC ACL rule and configures the rule parameters. Every EX3500 MAC ACL rule provides a set of match criteria against which incoming and outgoing packets (to and from an EX3500 device) are matched. In case of a match, the packet is dropped or forwarded depending on the rule type. The packet is dropped in case of a deny rule, and forwarded for a permit rule.
[all|tagged-eth2|untagged-eth2]
    Specifies the packet type
    all  Applies this deny/permit rule to all packets
    tagged-eth2  Applies this deny/permit rule only to tagged Ethernet-2 packets
    untagged-eth2  Applies this deny/permit rule only to untagged Ethernet-2 packets
    After specifying the packet type, configure the source and/or destination EX3500 MAC addresses to match.
[any|host <SOURCE-MAC>|network <SOURCE-MAC> <SOURCE-MAC-MASK>]
    Enter the source MAC addresses
    any  Identifies all EX3500 devices as a source to match
    host <SOURCE-MAC>  Identifies a specific EX3500 host as the source to match
        <SOURCE-MAC>  Specify the source host's exact MAC address
    network <SOURCE-MAC> <SOURCE-MAC-MASK>  Configures a range of MAC addresses as the source to match. Packets received from any of these MAC addresses are dropped (deny rule) or forwarded (permit rule).
        <SOURCE-MAC>  Specify the source MAC address to match.
        <SOURCE-MAC-MASK>  Specify the source MAC bit mask. For a deny rule, packets received from EX3500 device(s) matching the specified MAC address(es) are dropped. For a permit rule, packets received from EX3500 device(s) matching the specified MAC address(es) are forwarded.
[any|host <DEST-MAC>|network <DEST-MAC> <DEST-MAC-MASK>]
    Enter the destination MAC addresses
    any  Identifies all EX3500 devices as a destination to match
    host <DEST-MAC>  Identifies a specific EX3500 host as the destination to match
        <DEST-MAC>  Specify the destination host's exact MAC address
    network <DEST-MAC> <DEST-MAC-MASK>  Configures a range of MAC addresses as the destination to match. Packets addressed to any of these MAC addresses are dropped (deny rule) or forwarded (permit rule).
        <DEST-MAC>  Specify the destination MAC address to match.
        <DEST-MAC-MASK>  Specify the destination MAC bit mask. For a deny rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are dropped. For a permit rule, packets addressed to EX3500 device(s) matching the specified MAC address(es) are forwarded.
ethertype <0-65535>
    Configures the EtherType protocol number. The EtherType is a two-octet field within an Ethernet frame. It indicates the protocol encapsulated in the payload of an Ethernet frame.
    <0-65535>  Specify the value from 0 - 65535. The default value is 1.
ethertype-mask <0-65535>
    Configures the EtherType mask
    <0-65535>  Specify the value from 0 - 65535. The default value is 1.
ex3500-time-range <TIME-RANGE-NAME>
    Applies a specified EX3500 time range (should be existing and configured). The deny or permit rule is applied during the time period specified in the EX3500 time range.
    <TIME-RANGE-NAME>  Specify the time range name. An EX3500 time range list consists of a set of periodic and absolute time range rules. Periodic time ranges recur at specified time periods, such as daily, weekly, weekends, weekdays, and on specific week days, for example on every successive Monday. Absolute time ranges are not periodic and do not recur. They consist of a range of days during a particular time period (the starting and ending days and time are fixed).
    Note: For information on configuring EX3500 time-range, see ex3500.
vlan <1-4094>
    Configures a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server)
    <1-4094>  Specify the VLAN ID from 1 - 4094.
vlan-mask <1-4095>
    Configures the VLAN ID bit mask value
    <1-4095>  Specify the VLAN bit mask from 1 - 4095.
rule-precedence <1-128>
    Configures a precedence for this EX3500 MAC ACL rule
    <1-128>  Specify a value from 1 - 128. Rules with lower precedence are applied first to packets.
Example
nx9500-6C8809(config-mac-acl-ex3500MacACL)#ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#show context
mac access-list ex3500MacACL
 ex3500 deny tagged-eth2 any any vlan 20 rule-precedence 1
nx9500-6C8809(config-mac-acl-ex3500MacACL)#
11.2.4 insert
mac-access-list
Enables the insertion of a rule in a MAC ACL without overwriting or replacing an existing rule having the same precedence.
The insert option allows a new rule to be inserted within a MAC ACL. Consider a MAC ACL consisting of rules having precedences 1, 2, 3, 4, 5, and 6. You want to insert a new rule with precedence 4, without overwriting the existing precedence 4 rule. Using the insert option inserts the new rule prior to the existing one. The existing precedence 4 rule's precedence changes to 5, and the change cascades down the list of rules within the ACL. That means rule 5 becomes rule 6, and rule 6 becomes rule 7.
NOTE: NOT using insert when creating a new rule having the same precedence as an existing rule overwrites the existing rule.
Supported in the following platforms:
    Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
    Wireless Controllers: RFS4000, RFS6000
    Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
insert [deny|permit] <PARAMETERS> (dot1p <0-7>,mark [8021p <0-7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan <1-4095>,log,rule-precedence <1-5000>) {(rule-description <LINE>)}
insert [deny|permit]
    Inserts a deny or permit rule within a MAC ACL
<PARAMETERS>
    Provide the match criteria for this deny/permit rule. Packets will be filtered based on the criteria set here. For more information on the deny rule, see deny. For more information on the permit rule, see permit.
dot1p <0-7>
    Configures the 802.1p priority value. Sets the service classes for traffic handling
    <0-7>  Specify the 802.1p priority from 0 - 7.
mark [8021p <0-7>|dscp <0-63>]
    Marks/modifies packets that match the criteria specified here
    8021p <0-7>  Modifies the 802.1p VLAN user priority from 0 - 7
    dscp <0-63>  Modifies the DSCP TOS bits in the IP header from 0 - 63
    Note: This option is applicable only to the insert > permit MAC ACL rule.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
    Configures the EtherType value. An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
    8021q  Indicates an 802.1q payload (0x8100)
    <1-65535>  Indicates the EtherType protocol number
    aarp  Indicates the AppleTalk ARP payload (0x80F3)
    appletalk  Indicates the AppleTalk protocol payload (0x809B)
    arp  Indicates the ARP payload (0x0806)
    ip  Indicates the IPv4 payload (0x0800)
    ipv6  Indicates the IPv6 payload (0x86DD)
    ipx  Indicates the Novell IPX payload (0x8137)
    mint  Indicates the MiNT protocol payload (0x8783)
    rarp  Indicates the reverse ARP payload (0x8035)
    wisp  Indicates the WISP payload (0x8783)
vlan <1-4095>
    Configures the VLAN where the traffic is received
    <1-4095>  Specify the VLAN ID from 1 - 4095.
log
    Logs all deny/permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is received from a specified MAC address or is destined for a specified MAC address), an event is logged.
    The following keywords are recursive and common to all of the above parameters:
rule-precedence <1-5000>
    Assigns a precedence for this deny/permit rule
    <1-5000>  Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this deny/permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).
Example
rfs4000-229D58(config-mac-acl-test1)#deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
rfs4000-229D58(config-mac-acl-test1)#deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 deny host B4-C7-99-6D-CD-9B any rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#
In the following example a new rule is inserted between the rules having precedences 1 and 2. The precedence of the existing precedence 2 rule changes to precedence 3.
rfs4000-229D58(config-mac-acl-test1)#insert permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
rfs4000-229D58(config-mac-acl-test1)#show context
mac access-list test1
 deny 11-22-33-44-55-66 11-22-33-44-55-77 any rule-precedence 1
 permit host B4-C7-99-6D-B5-D6 host B4-C7-99-6D-CD-9B rule-precedence 2
 deny host B4-C7-99-6D-CD-9B any rule-precedence 3
rfs4000-229D58(config-mac-acl-test1)#
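The MAC ACL behaviour from the deny section (source/destination matching through a MAC mask, the EtherType keyword values, vlan, precedence order with the implicit deny) and the insert cascade from this section, as one added example that is not WiNG code. It replays the insert example above and the masked deny from the deny section; the names parse_mac_rule, add_rule, evaluate and Frame are the example's own, and dot1p, mark and rule-description are not modelled.

```python
"""MAC ACL model for the deny and insert sections (added example, not WiNG
code): source/destination matching through a MAC mask (ff-ff-ff-00-00-00
matches an OUI), host/any, the EtherType keywords with the hex values listed
above (any other EtherType is given in decimal), vlan, first match in
precedence order with the implicit deny, and the insert cascade that renumbers
the rules that follow. dot1p, mark and rule-description are not modelled."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherType keywords and values as listed in the type keyword table above.
ETHERTYPES = {
    "8021q": 0x8100, "aarp": 0x80F3, "appletalk": 0x809B, "arp": 0x0806,
    "ip": 0x0800, "ipv6": 0x86DD, "ipx": 0x8137, "mint": 0x8783,
    "rarp": 0x8035, "wisp": 0x8783,
}
ALL_ONES = 0xFFFFFFFFFFFF   # mask used for host <MAC>: every bit must match

def mac_to_int(mac: str) -> int:
    """Accept 41-85-45-89-66-77 or 00:01:ae:00:22:11 in either case."""
    parts = mac.replace(":", "-").split("-")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError("bad MAC address: " + mac)
    return int("".join(parts), 16)

@dataclass
class MacRule:
    action: str                # deny or permit
    src: Tuple[int, int]       # (address, mask); mask 0 means any
    dst: Tuple[int, int]
    ethertype: Optional[int]
    vlan: Optional[int]
    log: bool
    precedence: int

@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int = 0x0800
    vlan: Optional[int] = None

def _mac_spec(t: List[str], i: int):
    """Parse any | host <MAC> | <MAC> <MASK> at token i; return (spec, next i)."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (mac_to_int(t[i + 1]), ALL_ONES), i + 2
    return (mac_to_int(t[i]), mac_to_int(t[i + 1])), i + 2

def parse_mac_rule(line: str) -> MacRule:
    t = line.split()
    if t[0] not in ("deny", "permit"):
        raise ValueError("unsupported rule: " + line)
    src, i = _mac_spec(t, 1)
    dst, i = _mac_spec(t, i)
    ethertype = vlan = precedence = None
    log = False
    while i < len(t):
        key = t[i]
        if key == "log":
            log, i = True, i + 1
            continue
        val = t[i + 1]
        if key == "type":        # keyword, or any other EtherType in decimal
            ethertype = ETHERTYPES[val] if val in ETHERTYPES else int(val)
        elif key == "vlan":
            vlan = int(val)
        elif key == "rule-precedence":
            precedence = int(val)
        else:
            raise ValueError("unsupported keyword: " + key)
        i += 2
    if precedence is None or not 1 <= precedence <= 5000:
        raise ValueError("rule-precedence <1-5000> is required: " + line)
    return MacRule(t[0], src, dst, ethertype, vlan, log, precedence)

def evaluate(acl: List[MacRule], f: Frame) -> Tuple[str, bool, Optional[int]]:
    """First matching rule in precedence order wins; no match is the implicit
    deny. Returns (action, log flag, precedence of the matching rule or None)."""
    s, d = mac_to_int(f.src), mac_to_int(f.dst)
    for r in sorted(acl, key=lambda r: r.precedence):
        if ((s & r.src[1]) == (r.src[0] & r.src[1])
                and (d & r.dst[1]) == (r.dst[0] & r.dst[1])
                and r.ethertype in (None, f.ethertype)
                and r.vlan in (None, f.vlan)):
            return r.action, r.log, r.precedence
    return "deny", False, None

def add_rule(acl: List[MacRule], rule: MacRule, insert: bool = False) -> List[MacRule]:
    """Without insert, a new rule with an existing precedence overwrites that
    rule. With insert, the existing rule and each consecutive rule after it
    move down by one (4 -> 5, 5 -> 6, ...), as the insert section describes."""
    by_prec = {r.precedence: r for r in acl}
    if insert:
        p = rule.precedence
        while p in by_prec:           # renumber the consecutive run in place
            by_prec[p].precedence += 1
            p += 1
    else:
        acl = [r for r in acl if r.precedence != rule.precedence]
    return sorted(acl + [rule], key=lambda r: r.precedence)
```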
Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 44 ACCESS-LIST 11.2.5 no mac-access-list Negates a command or sets its default Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [deny|disable|permit]
no [deny|permit] [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>]
[<DEST-MAC> <DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-
7>|dscp <0-63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|
wisp],vlan <1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
no disable [deny|permit] <RULE-PARAMETERS>
Parameters no <PARAMETERS>
no <PARAMETERS>
Removes a deny or permit rule from the MAC ACL Example rfs6000-37FABE(config-mac-acl-test)#show context mac access-list test permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610deny any host 33-44-55-66-77-88 log rule-precedence 700 rfs6000-37FABE(config-mac-acl-test)#no deny any host 33-44-55-66-77-88 log rule-precedence 700 rfs6000-37FABE(config-mac-acl-test)#show context mac access-list test permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610 Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 45 ACCESS-LIST 11.2.6 permit mac-access-list Creates a permit rule that marks packets (from a specified source MAC and/or to a specified destination MAC) for forwarding. You can also use this command to modify an existing permit rule. NOTE: Use a decimal value representation to implement a permit/deny designation for a packet. The command set for MAC ACLs provide the hexadecimal values for each listed EtherType. Use the decimal equivalent of the EtherType listed for any other EtherType. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC>
<DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-
63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan
<1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters permit [<SOURCE-MAC> <SOURCE-MAC-MASK>|any|host <SOURCE-HOST-MAC>] [<DEST-MAC>
<DEST-MAC-MASK>|any|host <DEST-HOST-MAC>] (dot1p <0-7>,mark [8021p <0-7>,dscp <0-
63>],type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp],vlan
<1-4095>) log (rule-precedence <1-5000>) {(rule-description <LINE>)}
<SOURCE-MAC> <SOURCE-MAC-MASK>
    Configures the source MAC address and mask to match.
    <SOURCE-MAC>        Specify the source MAC address to match.
    <SOURCE-MAC-MASK>   Specify the source MAC address mask. Packets sent from the specified (masked) MAC addresses are forwarded.
any
    Identifies all devices as the source to permit access. Packets from any source are forwarded.
host <SOURCE-HOST-MAC>
    Identifies a specific host as the source to permit access.
    <SOURCE-HOST-MAC>   Specify the source host's exact MAC address to match. Packets sent from the specified host are forwarded.
<DEST-MAC> <DEST-MAC-MASK>
    Configures the destination MAC address and mask to match.
    <DEST-MAC>          Specify the destination MAC address to match.
    <DEST-MAC-MASK>     Specify the destination MAC address mask to match. Packets addressed to the specified (masked) MAC addresses are forwarded.
any
    Identifies all devices as the destination to permit access. Packets addressed to any destination are forwarded.

Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 46 ACCESS-LIST

host <DEST-HOST-MAC>
    Identifies a specific host as the destination to permit access.
    <DEST-HOST-MAC>     Specify the destination host's exact MAC address to match. Packets addressed to the specified host are forwarded.
dot1p <0-7>
    Configures the 802.1p priority value. Sets the service class for traffic handling.
    <0-7>               Specify the 802.1p priority from 0 - 7.
mark [8021p <0-7>,dscp <0-63>]
    Marks/modifies packets that match the criteria specified here.
    8021p <0-7>         Modifies the 802.1p VLAN user priority from 0 - 7.
    dscp <0-63>         Modifies the DSCP TOS bits in the IP header from 0 - 63.
    Note: This option is applicable only to the MAC ACL permit rule.
type [8021q|<1-65535>|aarp|appletalk|arp|ip|ipv6|ipx|mint|rarp|wisp]
    Configures the EtherType value. An EtherType is a two-octet field in an Ethernet frame that indicates the protocol encapsulated in the payload of the frame. The EtherType values are:
    8021q               Indicates an 802.1q payload (0x8100)
    <1-65535>           Indicates the EtherType protocol number
    aarp                Indicates the AppleTalk Address Resolution Protocol (AARP) payload (0x80F3)
    appletalk           Indicates the AppleTalk protocol payload (0x809B)
    arp                 Indicates the ARP payload (0x0806)
    ip                  Indicates the Internet Protocol, Version 4 (IPv4) payload (0x0800)
    ipv6                Indicates the Internet Protocol, Version 6 (IPv6) payload (0x86DD)
    ipx                 Indicates the Novell IPX payload (0x8137)
    mint                Indicates the MiNT protocol payload (0x8783)
    rarp                Indicates the Reverse Address Resolution Protocol (RARP) payload (0x8035)
    wisp                Indicates the Wireless Internet Service Provider (WISP) payload (0x8783)
vlan <1-4095>
    Configures the VLAN ID.
    <1-4095>            Specify the VLAN ID from 1 - 4095.
log
    Logs all permit events matching this entry. If a source and/or destination MAC address is matched (i.e. a packet is sent from a specified MAC address or is destined for a specified MAC address), an event is logged.
The following keywords are recursive and common to all of the above parameters:
rule-precedence <1-5000>
    Assigns a precedence for this permit rule.
    <1-5000>            Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Usage Guidelines
The permit command in the MAC ACL allows traffic based on layer 2 (data-link layer) information. A MAC access list permits traffic from a source MAC address or any MAC address. It also has an option to allow traffic from a list of MAC addresses (based on the source mask). The MAC access list can be configured to allow traffic based on VLAN information or Ethernet type. Common types include:
    ARP
    WISP
    IP
    802.1q
Layer 2 traffic is not allowed by default. To adopt an access point through an interface, configure an ACL to allow the WISP Ethernet type.
Use the mark option to specify the type of service (tos) and priority value. The tos value is marked in the IP header and the 802.1p priority value is marked in the dot1q frame. Whenever the interface receives a packet, its content is checked against all the ACEs in the ACL and the packet is marked based on the ACL's configuration.
NOTE: To apply an IP based ACL to an interface, a MAC access list entry is mandatory to allow ARP. A MAC ACL always takes precedence over IP based ACLs.

Example
rfs6000-37FABE(config-mac-acl-test)#permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
rfs6000-37FABE(config-mac-acl-test)#permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
rfs6000-37FABE(config-mac-acl-test)#show context
mac access-list testPF
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
rfs6000-37FABE(config-mac-acl-test)#
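The precedence ordering, source/destination mask matching, implicit layer 2 drop and mark behaviour described above, as an added example that is not part of the guide or of WiNG: a small Python evaluator that parses MAC ACL rules in the form `show context` prints them and runs frames through them. The ARP and OUI-mask rules, the mask semantics (a 1 bit means "compare this bit") and the requirement for an explicit rule-precedence are assumptions of this example.

```python
"""Evaluate Ethernet frames against a WiNG-style MAC ACL. Added example, not
code from the CLI reference guide or from WiNG. Models what the guide states:
rules are tried in ascending rule-precedence order (lower value wins), layer 2
traffic with no matching permit is not allowed, and a permit rule's mark option
rewrites the 802.1p priority / DSCP of the matching frame. Assumed here: a 1 bit
in a MAC mask means "compare this bit", and rule-precedence is required."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherType keywords -> values, exactly as the guide lists them
ETHERTYPES = {"8021q": 0x8100, "aarp": 0x80F3, "appletalk": 0x809B, "arp": 0x0806,
              "ip": 0x0800, "ipv6": 0x86DD, "ipx": 0x8137, "mint": 0x8783,
              "rarp": 0x8035, "wisp": 0x8783}
ALL_BITS = (1 << 48) - 1
MacMatch = Tuple[int, int]  # (address, mask): mask 0 = any, ALL_BITS = host

def mac_to_int(mac: str) -> int:  # 11-22-33-44-55-66 (WiNG style) or 11:22:...
    return int(mac.replace("-", "").replace(":", ""), 16)

def _matches(spec: MacMatch, mac: int) -> bool:
    addr, mask = spec
    return (mac & mask) == (addr & mask)

@dataclass
class MacRule:
    action: str
    src: MacMatch
    dst: MacMatch
    precedence: int = 0
    ethertype: Optional[int] = None
    mark_8021p: Optional[int] = None
    mark_dscp: Optional[int] = None
    log: bool = False

def _mac_spec(t: List[str], i: int) -> Tuple[MacMatch, int]:
    """Parse [<MAC> <MASK>|any|host <MAC>] starting at token i."""
    if t[i] == "any":
        return (0, 0), i + 1
    if t[i] == "host":
        return (mac_to_int(t[i + 1]), ALL_BITS), i + 2
    return (mac_to_int(t[i]), mac_to_int(t[i + 1])), i + 2

def parse_rule(line: str) -> MacRule:
    """Parse one permit/deny line in the form `show context` prints it."""
    t = line.split()
    if t[0] not in ("permit", "deny"):
        raise ValueError(f"unknown action {t[0]!r}")
    src, i = _mac_spec(t, 1)
    dst, i = _mac_spec(t, i)
    rule, prec = MacRule(t[0], src, dst), None
    while i < len(t):
        k = t[i]
        if k == "log":
            rule.log, i = True, i + 1
        elif k == "mark" and t[i + 1] in ("8021p", "dscp"):  # permit rules only
            if rule.action != "permit":
                raise ValueError("mark is applicable only to the permit rule")
            setattr(rule, "mark_" + t[i + 1], int(t[i + 2]))
            i += 3
        elif k == "type":  # keyword or raw EtherType number <1-65535>
            rule.ethertype, i = ETHERTYPES.get(t[i + 1]) or int(t[i + 1]), i + 2
        elif k == "rule-precedence":
            prec, i = int(t[i + 1]), i + 2
        elif k == "rule-description":
            break  # the rest of the line is the free-text <LINE>
        else:
            raise ValueError(f"unknown keyword {k!r}")
    if prec is None or not 1 <= prec <= 5000:
        raise ValueError("rule-precedence <1-5000> is required")
    rule.precedence = prec
    return rule

def evaluate(acl: List[MacRule], src: str, dst: str, ethertype: int = 0x0800,
             dot1p: int = 0, dscp: int = 0):
    """Return (action, matching rule or None, 802.1p, dscp) after any marking."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for r in sorted(acl, key=lambda r: r.precedence):  # lowest value first
        if not (_matches(r.src, s) and _matches(r.dst, d)):
            continue
        if r.ethertype is not None and r.ethertype != ethertype:
            continue
        if r.mark_8021p is not None:
            dot1p = r.mark_8021p
        if r.mark_dscp is not None:
            dscp = r.mark_dscp
        return r.action, r, dot1p, dscp
    return "deny", None, dot1p, dscp  # layer 2 traffic is not allowed by default

# The guide's example ACL plus two constructed rules (ARP permit, OUI mask)
ACL_TEXT = """
mac access-list testPF
 permit host 11-22-33-44-55-66 any log mark 8021p 3 rule-precedence 600
 permit host 22-33-44-55-66-77 host 11-22-33-44-55-66 type ip log rule-precedence 610
 permit any any type arp rule-precedence 50
 permit 00-11-22-00-00-00 FF-FF-FF-00-00-00 any rule-precedence 700
"""
ACL = [parse_rule(l) for l in ACL_TEXT.strip().splitlines()[1:]]  # skip header
```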
Related Commands
no      Removes or resets a specified MAC ACL permit rule

11.3 ipv6-access-list
Configures an IPv6 ACL.
An IPv6 ACL defines a set of rules that filter IPv6 packets flowing through a port or interface. Each rule specifies the action taken when a packet matches the rule. If the action is deny, the packet is dropped. If the action is permit, the packet is allowed.
The WiNG software supports IPv6 only on VLAN interfaces. Therefore, IPv6 ACLs can be applied only on the VLAN interface.
The following table summarizes IPv6 access list configuration commands:

Table 11.3 IPv6-Access-List-Config Commands
Command   Description                                                                                         Reference
deny      Creates a deny access rule or modifies an existing rule. A deny access rule rejects IPv6 packets from specified address(es) and/or destined for specified address(es).       page 11-50
no        Removes a deny and/or permit access rule from an IPv6 ACL.                                          page 11-56
permit    Creates a permit access rule or modifies an existing rule. A permit access rule accepts IPv6 packets from specified address(es) and/or destined for specified address(es).   page 11-57

11.3.1 deny ipv6-access-list
Creates a deny rule that rejects packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing deny rule.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny [icmpv6|ipv6|proto|tcp|udp]
deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters
deny icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

icmpv6
    Applies this deny rule to ICMPv6 packets only.
<SOURCE-IPv6/MASK>
    Specifies a range of IPv6 source addresses (network) to match. ICMPv6 packets received from any source in the specified network are dropped.
any
    Specifies the source as any IPv6 address. ICMPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6>
    Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are dropped.
    <SOURCE-HOST-IPv6>  Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK>
    Specifies a range of IPv6 destination addresses (network) to match. ICMPv6 packets addressed to any destination within the specified network are dropped.
any
    Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6>
    Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are dropped.
    <DEST-HOST-IPv6>    Specify the destination host's exact IPv6 address.
type [eq <ICMPv6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]
    Defines the ICMPv6 type field filter.
    eq                  Configures a specific ICMPv6 type. Specify the ICMPv6 type value.
    range               Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values.
    Note: ICMPv6 packets whose type field matches the values specified here are dropped.
code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]
    Defines the ICMPv6 code field filter.
    eq                  Configures a specific ICMPv6 code. Specify the ICMPv6 code value.
    range               Configures a range of ICMPv6 codes. Specify the starting and ending ICMPv6 code values.
    Note: ICMPv6 packets whose code field matches the values specified here are dropped.
log
    Logs all deny events matching this entry.
rule-precedence <1-5000>
    Assigns a precedence for this deny rule.
    <1-5000>            Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

ipv6
    Applies this deny rule to IPv6 packets only.
<SOURCE-IPv6/MASK>
    Specifies a range of IPv6 source addresses (network) to match. IPv6 packets received from any source in the specified network are dropped.
any
    Specifies the source as any IPv6 address. IPv6 packets received from any source are dropped.
host <SOURCE-HOST-IPv6>
    Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are dropped.
    <SOURCE-HOST-IPv6>  Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK>
    Specifies a range of IPv6 destination addresses (network) to match. IPv6 packets addressed to any destination within the specified network are dropped.
any
    Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are dropped.
host <DEST-HOST-IPv6>
    Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are dropped.
    <DEST-HOST-IPv6>    Specify the destination host's exact IPv6 address.
log
    Logs all deny events matching this entry.
rule-precedence <1-5000>
    Assigns a precedence for this deny rule.
    <1-5000>            Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp]
    Configures the ACL for additional protocols. Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter.
    <PROTOCOL-NUMBER>   Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number. Specify the protocol number.
    <PROTOCOL-NAME>     Filters protocols using their IANA protocol name. Specify the protocol name.
    eigrp               Identifies the EIGRP protocol (number 88). EIGRP enables routers to maintain copies of neighbors' routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors, who in turn query their neighbors until a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables.
    gre                 Identifies the GRE protocol (number 47). GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DECnet, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination.
    igp                 Identifies any private interior gateway protocol (primarily used by Cisco for IGRP) (number 9). IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are RIP and OSPF.
    ospf                Identifies the OSPF protocol (number 89). OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.
    vrrp                Identifies the VRRP protocol (number 112). VRRP allows a pool of routers to be advertised as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router from this pool and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
<SOURCE-IPv6/MASK>
    Specifies a range of IPv6 source addresses (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are dropped.
any
    Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are dropped.
host <SOURCE-HOST-IPv6>
    Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are dropped.
    <SOURCE-HOST-IPv6>  Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK>
    Specifies a range of IPv6 destination addresses (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are dropped.
any
    Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are dropped.
host <DEST-HOST-IPv6>
    Identifies a specific host (as the destination to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are dropped.
    <DEST-HOST-IPv6>    Specify the destination host's exact IPv6 address.
log
    Logs all deny events matching this entry.
rule-precedence <1-5000>
    Assigns a precedence for this deny rule.
    <1-5000>            Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

deny [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}

tcp
    Applies this deny rule to TCP packets only.
udp
    Applies this deny rule to UDP packets only.
<SOURCE-IPv6/MASK>
    This keyword is common to the tcp and udp parameters. Specifies a range of IPv6 source addresses (network) to match. TCP/UDP packets received from any source in the specified network are dropped.
any
    This keyword is common to the tcp and udp parameters. Specifies the source as any IPv6 address. TCP/UDP packets received from any source are dropped.
host <SOURCE-HOST-IPv6>
    Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are dropped.
    <SOURCE-HOST-IPv6>  Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK>
    This keyword is common to the tcp and udp parameters. Specifies a range of IPv6 destination addresses (network) to match. TCP/UDP packets addressed to any destination within the specified network are dropped.
any
    This keyword is common to the tcp and udp parameters. Specifies the destination as any IPv6 address. TCP/UDP packets addressed to any destination are dropped.
eq <SOURCE-PORT>
    Identifies a specific source port.
    <SOURCE-PORT>       Specify the exact source port.
host <DEST-HOST-IPv6>
    Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are dropped.
    <DEST-HOST-IPv6>    Specify the destination host's exact IPv6 address.
range <START-PORT> <END-PORT>
    Specifies a range of source ports.
    <START-PORT>        Specify the first port in the range.
    <END-PORT>          Specify the last port in the range.
eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]
    Identifies a specific destination or protocol port to match.
    <1-65535>           The destination port is designated by its number.
    <SERVICE-NAME>      Specifies the service name.
    bgp                 The designated BGP protocol port (179)
    dns                 The designated DNS protocol port (53)
    ftp                 The designated FTP protocol port (21)
    ftp-data            The designated FTP data port (20)
    gopher              The designated Gopher protocol port (70)
    https               The designated HTTPS protocol port (443)
    ldap                The designated LDAP protocol port (389)
    nntp                The designated NNTP protocol port (119)
    ntp                 The designated NTP protocol port (123)
    pop3                The designated POP3 protocol port (110)
    sip                 The designated SIP protocol port (5060)
    smtp                The designated SMTP protocol port (25)
    ssh                 The designated SSH protocol port (22)
    telnet              The designated Telnet protocol port (23)
    tftp                The designated TFTP protocol port (69)
    www                 The designated WWW (HTTP) protocol port (80)
range <START-PORT> <END-PORT>
    Specifies a range of destination ports.
    <START-PORT>        Specify the first port in the range.
    <END-PORT>          Specify the last port in the range.
log
    Logs all deny events matching this entry.
rule-precedence <1-5000>
    Assigns a precedence for this deny rule.
    <1-5000>            Specify a value from 1 - 5000.
    Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
    Optional. Configures a description for this deny rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Example
rfs6000-81742D(config-ipv6-acl-test)#deny icmpv6 any any type eq 1 code eq 0 log rule-precedence 1
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
rfs6000-81742D(config-ipv6-acl-test)#
Related Commands
no      Removes a specified deny access rule

11.3.2 no ipv6-access-list
Removes a deny or permit rule.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|permit]
no [deny|permit] [icmpv6|ipv6|proto|tcp|udp] <RULE-PARAMETERS> {(rule-description <LINE>)}

Parameters
no <PARAMETERS>

no <PARAMETERS>
    Removes a deny or permit rule from the selected IPv6 access list.

Example
The following example shows the ACL test settings before the no commands are executed:
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#
rfs6000-81742D(config-ipv6-acl-test)#no deny icmpv6 any any type eq 1 log rule-precedence 1
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#
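The deny (11.3.1) and no (11.3.2) behaviour described above, as an added example that is not part of the guide or of WiNG: a Python evaluator that parses IPv6 ACL rules in the form `show context` prints them, matches packets in rule-precedence order, and applies a `no` command to the list (the permit rules of 11.3.3 use the same match fields). The two tcp/udp rules, the drop of packets that match no rule, the position of the tcp/udp source-port eq/range and the way `no` identifies a rule are assumptions of this example.

```python
"""Evaluate IPv6 packets against a WiNG-style IPv6 ACL. Added example, not code
from the CLI reference guide or from WiNG. Rules are tried in ascending
rule-precedence order (lower value wins); deny drops, permit accepts. Assumed
here: a packet matching no rule is dropped; the tcp/udp source-port eq/range
follows the source address; `no` identifies a rule by action and precedence."""
from dataclasses import dataclass
from ipaddress import IPv6Network, ip_address, ip_network
from typing import List, Optional, Tuple

IANA = {"icmpv6": 58, "tcp": 6, "udp": 17, "eigrp": 88, "gre": 47, "igp": 9,
        "ospf": 89, "vrrp": 112}  # protocol numbers as the guide lists them
SERVICE = {"bgp": 179, "dns": 53, "ftp": 21, "ftp-data": 20, "gopher": 70, "https": 443,
           "ldap": 389, "nntp": 119, "ntp": 123, "pop3": 110, "sip": 5060, "smtp": 25,
           "ssh": 22, "telnet": 23, "tftp": 69, "www": 80}
Range = Optional[Tuple[int, int]]  # None = field not filtered

@dataclass(frozen=True)
class Rule:
    action: str
    proto: Optional[int]        # None for "deny/permit ipv6": any protocol
    src: Optional[IPv6Network]  # None = any
    dst: Optional[IPv6Network]
    sport: Range = None
    dport: Range = None
    itype: Range = None
    icode: Range = None
    precedence: int = 0
    log: bool = False

def _addr(t, i):  # [<IPv6/MASK>|any|host <IPv6>] at token i -> (net or None, next i)
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return ip_network(t[i + 1] + "/128"), i + 2
    return ip_network(t[i], strict=False), i + 1

def _range(t, i):  # optional [eq <N|service>|range <A> <B>] at i -> (range, next i)
    if t[i:i + 1] == ["eq"]:
        v = SERVICE.get(t[i + 1]) or int(t[i + 1])
        return (v, v), i + 2
    if t[i:i + 1] == ["range"]:
        return (int(t[i + 1]), int(t[i + 2])), i + 3
    return None, i

def parse_rule(line: str) -> Rule:
    t = line.split()
    action, kind, i = t[0], t[1], 2
    if kind == "proto":  # keyword, IANA name known here, or protocol number
        proto, i = IANA.get(t[2]) or int(t[2]), 3
    else:
        proto = None if kind == "ipv6" else IANA[kind]  # icmpv6 | tcp | udp
    ports = kind in ("tcp", "udp")
    src, i = _addr(t, i)
    sport, i = _range(t, i) if ports else (None, i)
    dst, i = _addr(t, i)
    dport, i = _range(t, i) if ports else (None, i)
    itype = icode = prec = None
    log = False
    while i < len(t):
        if t[i] == "type":
            itype, i = _range(t, i + 1)
        elif t[i] == "code":
            icode, i = _range(t, i + 1)
        elif t[i] == "log":
            log, i = True, i + 1
        elif t[i] == "rule-precedence":
            prec, i = int(t[i + 1]), i + 2
        elif t[i] == "rule-description":
            break  # the rest of the line is the free-text <LINE>
        else:
            raise ValueError(f"unknown keyword {t[i]!r}")
    if prec is None or not 1 <= prec <= 5000:
        raise ValueError("rule-precedence <1-5000> is required")
    return Rule(action, proto, src, dst, sport, dport, itype, icode, prec, log)

def apply_no(acl: List[Rule], line: str) -> List[Rule]:
    """`no deny|permit ...`: drop the rule with the same action and precedence
    (assumption; in the guide's example the no command omits the code clause)."""
    target = parse_rule(line.split(None, 1)[1])
    return [r for r in acl
            if (r.action, r.precedence) != (target.action, target.precedence)]

def evaluate(acl, src, dst, proto, sport=0, dport=0, itype=0, icode=0):
    """Return (action, matching rule or None); first match in precedence order wins."""
    s, d = ip_address(src), ip_address(dst)
    for r in sorted(acl, key=lambda r: r.precedence):
        fields = ((r.sport, sport), (r.dport, dport), (r.itype, itype), (r.icode, icode))
        if (r.proto in (None, proto) and (r.src is None or s in r.src)
                and (r.dst is None or d in r.dst)
                and all(rg is None or rg[0] <= v <= rg[1] for rg, v in fields)):
            return r.action, r
    return "deny", None  # assumption: no match -> dropped

# The guide's example ACL (types entered numerically) plus two constructed rules
ACL_TEXT = """
ipv6 access-list test
 deny icmpv6 any any type eq 1 code eq 0 log rule-precedence 1
 permit proto gre any any log rule-precedence 2
 permit tcp 2001:db8::/32 host 2001:db8:1::10 eq https log rule-precedence 10
 permit udp any eq 53 any range 1024 65535 rule-precedence 20
"""
ACL = [parse_rule(l) for l in ACL_TEXT.strip().splitlines()[1:]]  # skip header
```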
11.3.3 permit ipv6-access-list
Creates a permit rule that accepts packets from a specified IPv6 source and/or to a specified IPv6 destination. You can also use this command to modify an existing permit rule.
Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit [icmpv6|ipv6|proto|tcp|udp]
permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE> <ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
permit [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>] [eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
Parameters permit icmpv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/
MASK>|any|host <DEST-HOST-IPv6>] [code [eq <ICMPv6-CODE>|range <STARTING-ICMPv6-
CODE> <ENDING-ICMPv6-CODE>]|type [eq <ICMPV6-TYPE>|range <STARTING-ICMPv6-TYPE>
<ENDING-ICMPv6-TYPE>]] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
icmpv6 Applies this permit rule to ICMPv6 packets only
<SOURCE-IPv6/
MASK>
Specifies a range of IPv6 source address (network) to match. ICMPv6 packets received from any source in the specified network are accepted. any Specifies the source as any IPv6 address. ICMPv6 packets received from any source are accepted. host
<SOURCE-HOST-
IPv6>
Identifies a specific host (as the source to match) by its IPv6 address. ICMPv6 packets received from the specified host are accepted.
<SOURCE-HOST-IPv6> Specify the source hosts exact IPv6 address.
<DEST-IPv6/MASK> Specifies a range of IPv6 destination address (network) to match. ICMPv6 packets addressed to any destination within the specified network are accepted. any Specifies the destination as any IPv6 address. ICMPv6 packets addressed to any destination are accepted. Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 57 ACCESS-LIST host
<DEST-HOST-IPv6>
Identifies a specific host (as the destination to match) by its IPv6 address. ICMPv6 packets addressed to the specified host are accepted.
<DEST-HOST-IPv6> Specify the destination hosts exact IPv6 address.
<ICMPv6-TYPE>
[eq|range]
Defines the ICMPv6 type field filter eq Configures a specific ICMPv6 type. Specify the ICMPv6 type value. range Configures a range of ICMPv6 types. Specify the starting and ending ICMPv6 type values. Note: ICMPv6 packets with type field value matching the values specified here are forwarded.
<ICMPv6-CODE>
Defines the ICMPv6 code field filter eq Configures a specific ICMPv6 code. Specify the ICMPv6 code value. range Configures a range of ICMPv6 code. Specify the starting and ending ICMPv6 code values. Note: ICMPv6 packets with code field value matching the values specified here are forwarded. log Logs all permit events matching this entry rule-precedence
<1-5000>
Assigns a precedence for this permit rule
<1-5000> Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10. rule-description
<LINE>
Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length). permit ipv6 [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/
MASK>|any|host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-
description <LINE>)}
ipv6 Applies this permit rule to IPv6 packets only
<SOURCE-IPv6/
MASK>
Specifies a range of IPv6 source address (network) to match. IPv6 packets received from any source in the specified network are forwarded. any Specifies the source as any IPv6 address. IPv6 packets received from any source are forwarded. host
<SOURCE-HOST-
IPv6>
Identifies a specific host (as the source to match) by its IPv6 address. IPv6 packets received from the specified host are forwarded.
<SOURCE-HOST-IPv6> Specify the source hosts exact IPv6 address.
<DEST-IPv6/MASK> Specifies a range of IPv6 destination address (network) to match. IPv6 packets addressed to any destination within the specified network are forwarded. any Specifies the destination as any IPv6 address. IPv6 packets addressed to any destination are forwarded. host
<DEST-HOST-IPv6>
Identifies a specific host (as the destination to match) by its IPv6 address. IPv6 packets addressed to the specified host are forwarded.
<DEST-HOST-IPv6> Specify the destination hosts exact IPv6 address. Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 58 ACCESS-LIST log Logs all permit events matching this entry rule-precedence
<1-5000>
Assigns a precedence for this permit rule
<1-5000> Specify a value from 1 - 5000 Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10. rule-description
<LINE>
Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length). permit proto [<PROTOCOL-NUMBER>|<PROTOCOL-NAME>|eigrp|gre|igp|ospf|vrrp]
[<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/MASK>|any|
host <DEST-HOST-IPv6>] (log,rule-precedence <1-5000>) {(rule-description <LINE>)}
proto
<PROTOCOL-
NUMBER>
<PROTOCOL-
NAME>
eigrp gre igp ospf Configures the ACL for additional protocols Additional protocols (other than IP, ICMP, TCP, and UDP) must be configured using this parameter. Filters protocols using their Internet Assigned Numbers Authority (IANA) protocol number
<PROTOCOL-NUMBER> Specify the protocol number. Filters protocols using their IANA protocol name
<PROTOCOL-NAME> Specify the protocol name. Identifies the EIGRP protocol (number 88) EIGRP enables routers to maintain copies of neighbors routing tables. Routers use this information to determine the fastest route to a destination. When a router fails to find a route in its stored route tables, it sends a query to neighbors who in turn query their neighbors till a route is found. EIGRP also enables routers to inform neighbors of changes in their routing tables. Identifies the GRE protocol (number 47) GRE is a tunneling protocol that enables transportation of protocols (IP, IPX, DEC net, etc.) over an IP network. GRE encapsulates the packet at the source and removes the encapsulation at the destination. Identifies any private internal gateway (primarily used by CISCO for their IGRP) (number 9) IGP enables exchange of information between hosts and routers within a managed network. The most commonly used IGP protocols are: RIP and OSPF. Identifies the OSPF protocol (number 89) OSPF is a link-state IGP. OSPF routes IP packets within a single routing domain
(autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets. Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 59 ACCESS-LIST vrrp Identifies the VRRP protocol (number 112) VRRP allows a pool of routers to be advertized as a single virtual router. This virtual router is configured by hosts as their default gateway. VRRP elects a master router, from this pool, and assigns it a virtual IP address. The master router routes and forwards packets to hosts on the same subnet. When the master router fails, one of the backup routers is elected as the master and its IP address is mapped to the virtual IP address.
<SOURCE-IPv6/
MASK>
Specifies a range of IPv6 source address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source in the specified network are forwarded. any Specifies the source as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from any source are forwarded. host
<SOURCE-HOST-
IPv6>
Identifies a specific host (as the source to match) by its IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) received from the specified host are forwarded.
<SOURCE-HOST-IPv6> Specify the source hosts exact IPv6 address.
<DEST-IPv6/MASK>
Specifies a range of IPv6 destination address (network) to match. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination within the specified network are forwarded. any Specifies the destination as any IPv6 address. Packets (EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to any destination are forwarded. host
<DEST-HOST-IPv6>
Identifies a specific host (as the destination to match) by its IPv6 address. Packets
(EIGRP, GRE, IGMP, IGP, OSPF, or VRRP) addressed to the specified host are forwarded.
<DEST-HOST-IPv6> Specify the destination hosts exact IPv6 address. log Logs all permit events matching this entry rule-precedence
<1-5000>
Assigns a precedence for this permit rule
<1-5000> Specify a value from 1 - 5000. Note: Lower the precedence higher is the priority. A rule with precedence 3 gets priority over a rule with precedence 10. rule-description
<LINE>
Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length). permit [tcp|udp] [<SOURCE-IPv6/MASK>|any|host <SOURCE-HOST-IPv6>] [<DEST-IPv6/
MASK>|any|eq <SOURCE-PORT>|host <DEST-HOST-IPv6>|range <START-PORT> <END-PORT>]
[eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|
ntp|pop3|sip|smtp|ssh|telnet|tftp|www]|range <START-PORT> <END-PORT>] (log,rule-
precedence <1-5000>) {(rule-description <LINE>)}
tcp
  Applies this permit rule to TCP packets only.
udp
  Applies this permit rule to UDP packets only.
<SOURCE-IPv6/MASK>
  This keyword is common to the tcp and udp parameters. Specifies a range of IPv6 source addresses (network) to match. TCP/UDP packets received from any source in the specified network are forwarded.
any
  This keyword is common to the tcp and udp parameters. Specifies the source as any IPv6 address. TCP/UDP packets received from any source are forwarded.

Access Point, Wireless Controller and Service Platform CLI Reference Guide 11 - 60 ACCESS-LIST

host <SOURCE-HOST-IPv6>
  Identifies a specific host (as the source to match) by its IPv6 address. TCP/UDP packets received from the specified host are forwarded.
  <SOURCE-HOST-IPv6> Specify the source host's exact IPv6 address.
<DEST-IPv6/MASK>
  This keyword is common to the tcp and udp parameters. Specifies a range of IPv6 destination addresses (network) to match. TCP/UDP packets addressed to any destination within the specified network are forwarded.
any
  This keyword is common to the tcp and udp parameters. Specifies the destination as any IPv6 address. TCP/UDP packets addressed to any destination are forwarded.
eq <SOURCE-PORT>
  Identifies a specific source port.
  <SOURCE-PORT> Specify the exact source port.
host <DEST-HOST-IPv6>
  Identifies a specific host (as the destination to match) by its IPv6 address. TCP/UDP packets addressed to the specified host are forwarded.
  <DEST-HOST-IPv6> Specify the destination host's exact IP address.
range <START-PORT> <END-PORT>
  Specifies a range of source ports.
  <START-PORT> Specify the first port in the range.
  <END-PORT> Specify the last port in the range.
eq [<1-65535>|<SERVICE-NAME>|bgp|dns|ftp|ftp-data|gopher|https|ldap|nntp|ntp|pop3|sip|smtp|ssh|telnet|tftp|www]
  Identifies a specific destination port or protocol port to match.
  <1-65535> The destination port is designated by its number.
  <SERVICE-NAME> Specifies the service name.
  bgp The designated BGP protocol port (179)
  dns The designated DNS protocol port (53)
  ftp The designated FTP protocol port (21)
  ftp-data The designated FTP data port (20)
  gopher The designated Gopher protocol port (70)
  https The designated HTTPS protocol port (443)
  ldap The designated LDAP protocol port (389)
  nntp The designated NNTP protocol port (119)
  ntp The designated NTP protocol port (123)
  pop3 The designated POP3 protocol port (110)
  sip The designated SIP protocol port (5060)
  smtp The designated SMTP protocol port (25)
  ssh The designated SSH protocol port (22)
  telnet The designated Telnet protocol port (23)
  tftp The designated TFTP protocol port (69)
  www The designated WWW protocol port (80)
range <START-PORT> <END-PORT>
  Specifies a range of destination ports.
  <START-PORT> Specify the first port in the range.
  <END-PORT> Specify the last port in the range.
log
  Logs all permit events matching this entry.
rule-precedence <1-5000>
  Assigns a precedence to this permit rule.
  <1-5000> Specify a value from 1 - 5000. Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 10.
rule-description <LINE>
  Optional. Configures a description for this permit rule. Provide a description that uniquely identifies the purpose of this rule (should not exceed 128 characters in length).

Example
rfs6000-81742D(config-ipv6-acl-test)#permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#show context
ipv6 access-list test
 deny icmpv6 any any type eq destination-unreachable code eq router-renumbering-command log rule-precedence 1
 permit proto gre any any log rule-precedence 2
rfs6000-81742D(config-ipv6-acl-test)#
Related Commands
no  Removes a specified permit access rule

11.4 ip-snmp-access-list

SNMP performs network management functions using a data structure called a Management Information Base (MIB). SNMP is widely implemented but not very secure, since it uses only text community strings for accessing controller or service platform configuration files. Use SNMP ACLs to help reduce SNMP's vulnerabilities, as SNMP traffic can be exploited to produce a denial of service (DoS). The following table summarizes SNMP access list configuration commands:

Table 11.4 SNMP-Access-List-Config Commands
Command  Description                                             Reference
deny     Creates a deny SNMP MIB object traffic rule             page 11-64
permit   Creates a permit SNMP MIB object traffic rule           page 11-65
no       Removes a deny or permit SNMP MIB object traffic rule   page 11-66

11.4.1 deny ip-snmp-access-list

Creates a deny SNMP MIB object traffic rule. Use this command to specify the match criteria based on which SNMP traffic is denied.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
deny [<IP/M>|any|host <IP>]

Parameters
deny [<IP/M>|any|host <IP>]

deny [<IP/M>|any|host <IP>]
  Configures the match criteria for this deny rule.
  <IP/M> Specifies a network address and mask in the A.B.C.D/M format. Packets received from or destined for this network are dropped.
  any Specifies the match criteria as any. Packets received from or destined for any address are dropped.
  host <IP> Identifies a host by its IP address. Packets received from or destined for this host are dropped.

Example
rfs6000-81742D(config-ip-snmp-acl-test)#deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
Related Commands
no  Removes this deny rule from the IP SNMP ACL

11.4.2 permit ip-snmp-access-list

Creates a permit SNMP MIB object traffic rule. Use this command to specify the match criteria based on which SNMP traffic is permitted.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
permit [<IP/M>|any|host <IP>]

Parameters
permit [<IP/M>|any|host <IP>]

permit [<IP/M>|any|host <IP>]
  Configures the match criteria for this permit rule.
  <IP/M> Specifies a network address and mask in the A.B.C.D/M format. Packets received from or destined for this network are forwarded.
  any Specifies the match criteria as any. Packets received from or destined for any address are forwarded.
  host <IP> Identifies a host by its IP address. Packets received from or destined for this host are forwarded.

Example
rfs6000-81742D(config-ip-snmp-acl-test)#permit host 192.168.13.13
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 permit host 192.168.13.13
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
Related Commands
no  Removes this permit rule from the IP SNMP ACL

11.4.3 no ip-snmp-access-list

Removes a deny or permit rule from the IP SNMP ACL. Use this command to remove IP SNMP ACL rules as they become obsolete for filtering network access permissions.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [deny|permit] [<IP/M>|any|host <IP>]

Parameters
no <PARAMETERS>

no <PARAMETERS>
  Removes a deny and/or permit access rule from this IP SNMP ACL.

Example
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 permit host 192.168.13.13
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
rfs6000-81742D(config-ip-snmp-acl-test)#no permit host 192.168.13.13
rfs6000-81742D(config-ip-snmp-acl-test)#show context
ip snmp-access-list test
 deny 192.168.13.0/24
rfs6000-81742D(config-ip-snmp-acl-test)#
11.5 ex3500-ext-access-list

IP ACLs function as firewalls that filter or mark packets on layer 3 ports, as opposed to MAC ACLs, which filter traffic on layer 2 ports. An IPv4 EX3500 extended ACL is a policy-based ACL that either prevents or allows specific clients from using the EX3500 switch. It allows you to permit or deny client access by specifying that the traffic from a specific host or network and/or the traffic to a specific host or network be either denied or permitted.

An EX3500 extended ACL consists of a set of deny/permit rules that filter packets based on both source and destination IPv4 addresses. Each rule specifies a set of match criteria (the source and destination IP addresses) and has a unique precedence value assigned. These ACL rules are applied sequentially to the traffic at a port, by a firewall-supported device, in increasing order of their precedence. When a packet matches the criteria specified in a rule, the packet is either forwarded or dropped based on the rule type. The following table summarizes IPv4 EX3500 extended ACL configuration commands:

NOTE: To implement the EX3500 extended ACL, apply it directly to an EX3500 device, or to an EX35XX profile. For more information, see access-group.

Table 11.5 EX3500-Extended-Access-List-Config Commands
Command  Description                                                                                                                       Reference
deny     Creates a deny access rule or modifies an existing rule. A deny access rule rejects packets from specified address(es) and/or destined to specified address(es).      page 11-68
permit   Creates a permit access rule or modifies an existing rule. A permit access rule accepts packets from specified address(es) and/or destined to specified address(es).  page 11-71
no       Removes a deny and/or a permit access rule from this IPv4 EX3500 extended ACL                                                    page 11-74

11.5.1 deny ex3500-ext-access-list

Creates a deny ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing deny rule.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters
deny [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

deny [<0-255>|tcp|udp]
  Creates a deny rule and identifies the protocol type. This deny rule is applied only to packets matching the protocol specified here.
  <0-255> Identifies the protocol by its number. Specify the protocol number from 0 - 255.
  tcp Configures the protocol as TCP
  udp Configures the protocol as UDP
[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Specifies the source IP address as any, host, or network.
  <SOURCE-NETWORK-IP/MASK> Configures a network as the source. Provide the network's IPv4 address along with the mask.
  host <SOURCE-HOST-IP> Configures a single device as the source. Provide the host device's IPv4 address.
  any Specifies that the source can be any device.
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>]
  Specifies the destination IP address as any, host, or network.
  <DEST-NETWORK-IP/MASK> Configures a network as the destination. Provide the network's IPv4 address along with the mask.
  host <DEST-HOST-IP> Configures a single device as the destination. Provide the host device's IPv4 address.
  any Specifies that the destination can be any device.
control-flag <0-63>
  Configures the decimal number (representing a bit string) that specifies the control flag bits in byte 14 of the TCP header.
  <0-63> Specify a value from 0 - 63. Note: Control flags can be used only in ACLs designed to filter TCP traffic.
  The TCP header contains several one-bit boolean fields known as flags that influence the flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification by RFC 3168, there are six TCP control flags:
    URG flag - Marks the incoming packet as urgent.
    ACK flag - Acknowledges receipt of a packet.
    PUSH flag - Ensures that the packet is given appropriate priority. Often used at the beginning and end of a data transfer.
    RST flag - Resets the connection. Happens when the remote host receives a connection-establishment packet but has no service waiting to answer, and replies with the reset flag set.
    SYN flag - Establishes the 3-way handshake between two hosts.
    FIN flag - Tears down the connection established between two hosts via the 3-way SYN process.
destination-port <0-65535>
  Configures the protocol destination port to match. The destination protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  <0-65535> Specify the destination port from 0 - 65535.
destination-port-bitmark <0-65535>
  Configures the decimal number representing the protocol destination port bits to match.
  <0-65535> Specify the destination port bits from 0 - 65535.
dscp <0-63>
  Configures the DSCP priority level.
  <0-63> Specify a value from 0 - 63. Note: If DSCP priority is specified, ip-precedence cannot be specified.
ex3500-time-range <TIME-RANGE-NAME>
  Applies a periodic or absolute time range to this rule.
  <TIME-RANGE-NAME> Specify the time range name (should be existing and configured). For information on configuring EX3500 time-range, see ex3500.
ip-precedence <0-7>
  Configures the IP header precedence.
  <0-7> Specify a value from 0 - 7.
source-port <0-65535>
  Configures the protocol source port to match. The source protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  <0-65535> Specify the source port from 0 - 65535.
source-port-bitmark <0-65535>
  Configures the decimal number representing the protocol source port bits to match.
  <0-65535> Specify the source port bits from 0 - 65535.
rule-precedence <1-128>
  The following keywords are recursive and common to all of the above parameters:
  rule-precedence Assigns a precedence to this deny rule.
  <1-128> Specify a value from 1 - 5000. Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 4 and is applied first to packets.

Usage Guidelines
Use this command to deny traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:
  TCP
  UDP
  <0-255> (any Internet protocol other than TCP, UDP, and ICMP)
Packet content is checked against the ACEs in the ACL, and packets are allowed or denied access based on the ACL configuration. Filtering TCP/UDP allows you to specify port numbers as filtering criteria.

Example
The following example denies outgoing TCP packets from all sources within the 192.168.14.0 network to a specific host 192.168.13.13:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
Related Commands
no  Removes a specified deny access rule from this IPv4 EX3500 extended ACL

11.5.2 permit ex3500-ext-access-list

Creates a permit ACL rule that filters packets based on the source and/or destination IPv4 address, and other specified criteria. You can also use this command to modify an existing permit rule.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters
permit [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

permit [<0-255>|tcp|udp]
  Creates a permit rule and identifies the protocol type. This permit rule is applied only to packets matching the protocol specified here.
  <0-255> Identifies the protocol by its number. Specify the protocol number from 0 - 255.
  tcp Configures the protocol as TCP
  udp Configures the protocol as UDP
[<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Specifies the source IP address as any, host, or network.
  <SOURCE-NETWORK-IP/MASK> Configures a network as the source. Provide the network's IPv4 address along with the mask.
  host <SOURCE-HOST-IP> Configures a single device as the source. Provide the host device's IPv4 address.
  any Specifies that the source can be any device.
[<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>]
  Specifies the destination IP address as any, host, or network.
  <DEST-NETWORK-IP/MASK> Configures a network as the destination. Provide the network's IPv4 address along with the mask.
  host <DEST-HOST-IP> Configures a single device as the destination. Provide the host device's IPv4 address.
  any Specifies that the destination can be any device.
control-flag <0-63>
  Configures the decimal number (representing a bit string) that specifies the control flag bits in byte 14 of the TCP header.
  <0-63> Specify a value from 0 - 63. Note: Control flags can be used only in ACLs designed to filter TCP traffic.
  The TCP header contains several one-bit boolean fields known as flags that influence the flow of data across a TCP connection. Ignoring the CWR and ECE flags added for congestion notification by RFC 3168, there are six TCP control flags:
    URG flag - Marks the incoming packet as urgent.
    ACK flag - Acknowledges receipt of a packet.
    PUSH flag - Ensures that the packet is given appropriate priority. Often used at the beginning and end of a data transfer.
    RST flag - Resets the connection. Happens when the remote host receives a connection-establishment packet but has no service waiting to answer, and replies with the reset flag set.
    SYN flag - Establishes the 3-way handshake between two hosts.
    FIN flag - Tears down the connection established between two hosts via the 3-way SYN process.
destination-port <0-65535>
  Configures the protocol destination port to match. The destination protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  <0-65535> Specify the destination port from 0 - 65535.
destination-port-bitmark <0-65535>
  Configures the decimal number representing the protocol destination port bits to match.
  <0-65535> Specify the destination port bits from 0 - 65535.
dscp <0-63>
  Configures the DSCP priority level.
  <0-63> Specify a value from 0 - 63. Note: If DSCP priority is specified, ip-precedence cannot be specified.
ex3500-time-range <TIME-RANGE-NAME>
  Applies a periodic or absolute time range to this rule.
  <TIME-RANGE-NAME> Specify the time range name (should be existing and configured). For information on configuring EX3500 time-range, see ex3500.
ip-precedence <0-7>
  Configures the IP header precedence.
  <0-7> Specify a value from 0 - 7.
source-port <0-65535>
  Configures the protocol source port to match. The source protocol can be TCP, UDP or any other protocol identified by its number (<0-255>).
  <0-65535> Specify the source port from 0 - 65535.
source-port-bitmark <0-65535>
  Configures the decimal number representing the protocol source port bits to match.
  <0-65535> Specify the source port bits from 0 - 65535.
rule-precedence <1-128>
  The following keywords are recursive and common to all of the above parameters:
  rule-precedence Assigns a precedence to this permit rule.
  <1-128> Specify a value from 1 - 5000. Note: The lower the precedence value, the higher the priority. A rule with precedence 3 gets priority over a rule with precedence 4 and is applied first to packets.

Usage Guidelines
Use this command to permit traffic between networks/hosts based on the protocol type selected in the access list configuration. The following protocols are supported:
  TCP
  UDP
  <0-255> (any Internet protocol other than TCP, UDP, and ICMP)
Whenever the interface receives a packet, its content is checked against the ACEs in the ACL. It is allowed or denied based on the ACL configuration. Filtering TCP/UDP allows you to specify port numbers as filtering criteria.

Example
The following example permits outgoing TCP packets from all sources within the 192.168.14.0 network to any destination, with the TCP control flag set to 16 (acknowledge):
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
 permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
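The following is an added example, not code from the guide or from the WiNG software: it parses the two rules shown above as 'show context' prints them and evaluates constructed packets against them in increasing rule-precedence order, decoding the control-flag value into TCP flag names on the way. How a control-flag value is compared with a packet's flags, and the absence of an implicit action when no rule matches, are assumptions of the example, marked in the comments.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# TCP control-flag bit values in the flag byte (the guide counts it as byte 14 of
# the TCP header), low bit first. 16 is ACK, as in the guide's permit example.
TCP_FLAG_BITS = {"FIN": 1, "SYN": 2, "RST": 4, "PSH": 8, "ACK": 16, "URG": 32}


def flag_names(value: int) -> List[str]:
    """Decode a control-flag decimal (0-63) into the TCP flag names it sets."""
    if not 0 <= value <= 63:
        raise ValueError("control-flag must be in the range 0-63")
    return [name for name, bit in TCP_FLAG_BITS.items() if value & bit]


@dataclass
class Rule:
    action: str                  # "deny" or "permit"
    proto: str                   # "tcp", "udp" or a protocol number as text
    src: ipaddress.IPv4Network   # "host x" becomes x/32, "any" becomes 0.0.0.0/0
    dst: ipaddress.IPv4Network
    precedence: int              # rule-precedence <1-128>: the lower value wins
    control_flag: Optional[int] = None


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    tcp_flags: int = 0           # same bit values as TCP_FLAG_BITS


_ADDR = r"(any|host \S+|\S+/\d+)"
_RULE_RE = re.compile(rf"^\s*(deny|permit)\s+(\S+)\s+{_ADDR}\s+{_ADDR}(.*)$")


def _to_network(token: str) -> ipaddress.IPv4Network:
    if token == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if token.startswith("host "):
        return ipaddress.IPv4Network(token.split()[1] + "/32")
    return ipaddress.IPv4Network(token, strict=False)


def parse_rule(line: str) -> Rule:
    """Parse one deny/permit line in the form 'show context' prints it."""
    m = _RULE_RE.match(line)
    if not m:
        raise ValueError(f"not an EX3500 extended ACL rule: {line!r}")
    action, proto, src, dst, rest = m.groups()
    tokens = rest.split()
    opts = dict(zip(tokens[::2], tokens[1::2]))   # trailing keyword/value pairs
    if "rule-precedence" not in opts:
        # Assumption: every rule carries an explicit rule-precedence, as in the
        # guide's examples; the guide states no default for a rule without one.
        raise ValueError(f"rule-precedence missing in: {line!r}")
    precedence = int(opts["rule-precedence"])
    if not 1 <= precedence <= 128:
        raise ValueError("rule-precedence must be in the range 1-128")
    control_flag = int(opts["control-flag"]) if "control-flag" in opts else None
    if control_flag is not None:
        if proto != "tcp":
            raise ValueError("control-flag applies only to TCP rules")
        flag_names(control_flag)                   # enforces the 0-63 range
    return Rule(action, proto, _to_network(src), _to_network(dst), precedence, control_flag)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    # Assumption: a control-flag value matches when every bit it names is set in
    # the packet; the guide calls it a bit string but does not define the test.
    if rule.control_flag is not None and (pkt.tcp_flags & rule.control_flag) != rule.control_flag:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Apply rules in increasing rule-precedence order; the first match decides.
    Returns None when nothing matches (the guide states no implicit action)."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if matches(rule, pkt):
            return rule.action
    return None


# Constructed input: the two rules 'show context' prints for ACL 'test' in this
# section, listed permit-first on purpose: precedence, not listing order, decides.
ACL_TEST = [
    parse_rule("permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2"),
    parse_rule("deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1"),
]
```

A TCP segment from 192.168.14.0/24 to 192.168.13.13 is denied even with ACK set, because the deny rule has the lower precedence value and is applied first; the same segment to any other host is permitted only when the ACK bit is present.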
Related Commands
no  Removes a specified permit access rule from this IPv4 EX3500 extended ACL

11.5.3 no ex3500-ext-access-list

Removes a deny or permit access rule from this IPv4 EX3500 extended ACL.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
no [deny|permit] [<0-255>|tcp|udp] [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] [<DEST-NETWORK-IP/MASK>|any|host <DEST-HOST-IP>] [control-flag <0-63>|destination-port <0-65535>|destination-port-bitmark <0-65535>|dscp <0-63>|ex3500-time-range <TIME-RANGE-NAME>|ip-precedence <0-63>|rule-precedence <1-128>|source-port <0-65535>|source-port-bitmark <0-65535>]

Parameters
no <PARAMETERS>

no <PARAMETERS>
  Removes a deny or permit access rule based on the parameters passed.

Usage Guidelines
The keyword control-flag <0-63> is only applicable to ACL rules filtering TCP traffic.

Example
The following example shows the IPv4 EX3500 extended ACL test settings before the no command is executed:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
 permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#no permit tcp 192.168.14.0/24 any control-flag 16 rule-precedence 2
The following example shows the IPv4 EX3500 extended ACL test settings after the no command is executed:
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#show context
ip ex3500-ext-access-list test
 deny tcp 192.168.14.0/24 host 192.168.13.13 rule-precedence 1
nx9500-6C8809(config-ip-ex3500-ext-acl-test)#
11.6 ex3500-std-access-list

An EX3500 standard ACL is a policy-based ACL that contains a set of filter criteria and an action that is applied to traffic originating from a specified source. The following table summarizes IPv4 EX3500 standard ACL configuration commands:

NOTE: To implement the EX3500 standard ACL, apply it directly to an EX3500 device, or to an EX35XX profile. For more information, see access-group.

Table 11.6 EX3500-Standard-Access-List-Config Commands
Command  Description                                                                                                                                                                          Reference
deny     Creates a deny rule that rejects packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing deny rule.      page 11-76
permit   Creates a permit rule that allows packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing permit rule.  page 11-77
no       Removes a deny and/or a permit access rule from this IPv4 EX3500 extended ACL                                                                                                        page 11-78

11.6.1 deny ex3500-std-access-list

Creates a deny rule that rejects packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing deny rule.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

Parameters
deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

deny [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Creates a deny rule that rejects packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.
  <SOURCE-NETWORK-IP/MASK> Configures a network as the source. Provide the network's IPv4 address along with the mask.
  host <SOURCE-HOST-IP> Configures a single device as the source. Provide the host device's IPv4 address.
  any Specifies that the source can be any device.
ex3500-time-range <TIME-RANGE-NAME>
  Optional. Applies a periodic or absolute time range to this deny rule.
  <TIME-RANGE-NAME> Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. For information on configuring EX3500 time-range, see ex3500.

Example
nx9500-6C8809(config-ip-ex3500-std-acl-test)#deny 192.168.14.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 deny 192.168.13.0/24
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
Related Commands
no  Removes a specified deny access rule from this IPv4 EX3500 standard ACL

11.6.2 permit ex3500-std-access-list

Creates a permit rule that allows packets from a specified source or sources. The source can be a single device or a range of devices within a specified network. Use this command to also edit an existing permit rule.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

Parameters
permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>] {ex3500-time-range <TIME-RANGE-NAME>}

permit [<SOURCE-NETWORK-IP/MASK>|any|host <SOURCE-HOST-IP>]
  Creates a permit rule that allows packets from a specified source or a network. Use one of the following options to specify the source: any, host, or network.
  <SOURCE-NETWORK-IP/MASK> Configures a network as the source. Provide the network's IPv4 address along with the mask.
  host <SOURCE-HOST-IP> Configures a single device as the source. Provide the host device's IPv4 address.
  any Specifies that the source can be any device.
ex3500-time-range <TIME-RANGE-NAME>
  Optional. Applies a periodic or absolute time range to this rule.
  <TIME-RANGE-NAME> Specify the time range name (should be existing and configured). The ACL is triggered during the time period configured in the specified EX3500 time range. For information on configuring EX3500 time-range, see ex3500.

Example
nx9500-6C8809(config-ip-ex3500-std-acl-test)#permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 deny 192.168.14.0/24
 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
Related Commands
no  Removes a specified permit access rule from this IPv4 EX3500 standard ACL

11.6.3 no ex3500-std-access-list

Removes a deny or permit access rule from this IPv4 EX3500 standard ACL.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510

Syntax
no [deny|permit] [<SOURCE-IP/MASK>|any|host <IP>] {ex3500-time-range <TIME-RANGE-NAME>}

Parameters
no <PARAMETERS>

no <PARAMETERS>
  Removes a deny or permit access rule based on the parameters passed.

Example
The following example shows the IPv4 EX3500 standard ACL test settings before the no command is executed:
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 deny 192.168.14.0/24
 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
nx9500-6C8809(config-ip-ex3500-std-acl-test)#no deny 192.168.14.0/24
The following example shows the IPv4 EX3500 standard ACL test settings after the no command is executed:
nx9500-6C8809(config-ip-ex3500-std-acl-test)#show context
ip ex3500-std-access-list test
 permit host 192.168.13.13 ex3500-time-range EX3500_TimeRange_01
nx9500-6C8809(config-ip-ex3500-std-acl-test)#
12 DHCP-SERVER-POLICY

This chapter summarizes Dynamic Host Control Protocols (DHCP) server policy commands in the CLI command structure.

DHCP automatically assigns network IP addresses to requesting clients to enable them to access network resources. DHCP tracks IP address assignments, their lease times and their availability. Each subnet can be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet's address pool.

When the controller's (wireless controller, service platform, or access point) onboard DHCP server allocates an address to a DHCP client, the client is assigned a lease, which expires after a pre-determined interval. Before a lease expires, wireless clients (with assigned leases) are expected to renew them to continue using the addresses. Once the lease expires, the client is no longer permitted to use the leased IP address. The controller's DHCP server policy ensures all IP addresses are unique, and no IP address is assigned to a second client while the first client's assignment is valid (its lease has not expired). IP address management is conducted by a controller's DHCP server and not by an administrator.

The controller's internal DHCP server groups wireless clients based on defined user-class options. Clients with a defined set of user-class values are segregated by class. A DHCP server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses. DHCP clients are compared against classes. If the client matches one of the classes assigned to the pool, it receives an IP address from the range assigned to the class. If the client doesn't match any of the classes in the pool, it receives an IP address from a default pool range (if defined).
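The following is an added example, not code from the guide or from the WiNG DHCP server: a small model of the behaviour the introduction describes, with class-specific exclusive ranges, a default range for clients matching no class, lease expiry, renewal before expiry, and the rule that no live lease is ever handed to a second client. The class name, user-class value, address ranges and lease time are constructed sample values; what happens when a class range is exhausted is an assumption marked in the code.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class Lease:
    client_id: str
    expires_at: float


@dataclass
class DhcpPool:
    """One address pool: a range per class (exclusive to that class) and an
    optional default range for clients that match none of the classes."""
    lease_time: float
    class_user_values: Dict[str, Set[str]]        # class name -> user-class values
    class_ranges: Dict[str, Tuple[str, str]]      # class name -> (first, last) address
    default_range: Optional[Tuple[str, str]] = None
    leases: Dict[ipaddress.IPv4Address, Lease] = field(default_factory=dict)

    def classify(self, user_class: Optional[str]) -> Optional[str]:
        """Return the first class whose user-class values contain the client's value."""
        for name, values in self.class_user_values.items():
            if user_class in values:
                return name
        return None

    def expire(self, now: float) -> None:
        """Drop leases whose interval has elapsed; their addresses become free again."""
        for addr in [a for a, lease in self.leases.items() if lease.expires_at <= now]:
            del self.leases[addr]

    def allocate(self, client_id: str, user_class: Optional[str],
                 now: float) -> Optional[ipaddress.IPv4Address]:
        """Hand out (or renew) an address for one client request at time 'now'."""
        self.expire(now)
        # A client renewing before expiry keeps its address and gets a fresh interval.
        for addr, lease in self.leases.items():
            if lease.client_id == client_id:
                lease.expires_at = now + self.lease_time
                return addr
        cls = self.classify(user_class)
        rng = self.class_ranges.get(cls) if cls else self.default_range
        if rng is None:
            return None                           # no class match and no default range
        first, last = (ipaddress.IPv4Address(x) for x in rng)
        addr = first
        while addr <= last:
            if addr not in self.leases:           # never reuse an address under a live lease
                self.leases[addr] = Lease(client_id, now + self.lease_time)
                return addr
            addr += 1
        # Assumption: an exhausted class range does not spill into other ranges;
        # the guide does not say what the server does in this case.
        return None


def build_sample_pool() -> DhcpPool:
    """Constructed sample: one 'printers' class identified by user-class 'PRN'
    with a two-address range, a two-address default range, 100-second leases."""
    return DhcpPool(
        lease_time=100.0,
        class_user_values={"printers": {"PRN"}},
        class_ranges={"printers": ("192.0.2.10", "192.0.2.11")},
        default_range=("192.0.2.100", "192.0.2.101"),
    )
```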
Multiple IP addresses for a single VLAN allow the configuration of multiple IP addresses, each belonging to a different subnet. Class configuration allows a DHCP client to obtain an address from the first pool to which the class is assigned.

Use the (config) instance to configure DHCP/DHCPv6 server policy parameters. To navigate to the config DHCP server policy instance, use the following commands:

<DEVICE>(config)#dhcp-server-policy <POLICY-NAME>

rfs6000-37FABE(config)#dhcp-server-policy test
rfs6000-37FABE(config-dhcp-server-policy-test)#

rfs6000-37FABE(config-dhcp-policy-test)#?
DHCP policy Mode commands:
  bootp        BOOTP specific configuration
  dhcp-class   Configure DHCP class (for address allocation using DHCP user-class options)
  dhcp-pool    Configure DHCP server address pool
  dhcp-server  Activating dhcp server based on criteria
  no           Negate a command or set its defaults
  option       Define DHCP server option
  ping         Specify ping parameters used by DHCP Server

  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcp-policy-test)#
To navigate to the config DHCPv6 server policy instance, use the following commands:

<DEVICE>(config)#dhcpv6-server-policy <POLICY-NAME>

rfs6000-37FABE(config)#dhcpv6-server-policy test
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

rfs6000-37FABE(config-dhcpv6-server-policy-test)#?
DHCPv6 server policy Mode commands:
  dhcpv6-pool               Configure DHCPV6 server address pool
  no                        Negate a command or set its defaults
  option                    Define DHCPv6 server option
  restrict-vendor-options   Restrict vendor specific options to be sent in server reply
  server-preference         Server preference value sent in the reply, by the server to client

  clrscr                    Clears the display screen
  commit                    Commit all changes made in this session
  do                        Run commands from Exec mode
  end                       End current mode and change to EXEC mode
  exit                      End current mode and down to previous mode
  help                      Description of the interactive help system
  revert                    Revert changes
  service                   Service Commands
  show                      Show running system information
  write                     Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcpv6-server-policy-test)#
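The allocation rules this chapter describes (clients grouped by the values they send in the DHCP user-class option, an exclusive address range per class with a fallback to the pool's default range, excluded addresses that are never handed out, and leases that must be renewed before they expire) are easy to get wrong when reasoning about a pool design, so here is a small Python model of them. It is an added example, not code from this guide or from the WiNG platform. The pool, class, addresses and client ids are constructed sample values; the rule that the first configured class whose values intersect the client's wins, and that an exhausted class range yields no address rather than spilling into the default range, are modelling assumptions the guide does not state. The multiple-user-class decoding follows the RFC 3004 length-prefixed list format. Keep in mind that the user class is asserted by the client itself, so a class-based range is a provisioning convenience and not an access control; segmentation still has to be enforced by ACLs.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple


def parse_user_class(raw: bytes, multiple: bool) -> List[str]:
    """Decode the values carried in the DHCP User Class option (option 77).

    multiple=False: the option body is one opaque string (single-class encoding).
    multiple=True: the body is the RFC 3004 list of length-prefixed values, as
    sent by clients that support multiple user classes. A length that runs past
    the end of the option is rejected instead of being silently truncated.
    """
    if not multiple:
        return [raw.decode("ascii", errors="replace")]
    values: List[str] = []
    i = 0
    while i < len(raw):
        n = raw[i]
        i += 1
        if n == 0 or i + n > len(raw):
            raise ValueError("malformed multiple-user-class option")
        values.append(raw[i:i + n].decode("ascii", errors="replace"))
        i += n
    return values


@dataclass(frozen=True)
class AddressRange:
    """Inclusive IPv4 range, like 'address range <START-IP> <END-IP>'."""
    start: IPv4Address
    end: IPv4Address

    def __iter__(self):
        for n in range(int(self.start), int(self.end) + 1):
            yield IPv4Address(n)


@dataclass
class Pool:
    default_range: AddressRange
    # class name -> the exclusive range given with 'address range ... class <NAME>'
    class_ranges: Dict[str, AddressRange]
    # class name -> user-class values given with 'option user-class <VALUE>'
    class_values: Dict[str, Set[str]]
    # addresses listed with 'excluded-address'
    excluded: Set[IPv4Address] = field(default_factory=set)
    lease_seconds: int = 86400
    # active leases: ip -> (client id, expiry time)
    leases: Dict[IPv4Address, Tuple[str, float]] = field(default_factory=dict)

    def classify(self, user_classes: List[str]) -> Optional[str]:
        """First configured class whose values intersect the client's (assumption)."""
        wanted = set(user_classes)
        for name, values in self.class_values.items():
            if values & wanted:
                return name
        return None

    def allocate(self, client_id: str, option77: bytes, multiple: bool,
                 now: float) -> Optional[IPv4Address]:
        # Drop expired leases so their addresses become reusable.
        self.leases = {ip: lease for ip, lease in self.leases.items() if lease[1] > now}
        # A client renewing before expiry keeps the address it already holds.
        for ip, (holder, _expiry) in list(self.leases.items()):
            if holder == client_id:
                self.leases[ip] = (client_id, now + self.lease_seconds)
                return ip
        # Match the client against the pool's classes; otherwise use the default range.
        cls = self.classify(parse_user_class(option77, multiple))
        candidate = self.class_ranges.get(cls) if cls else None
        chosen = candidate if candidate is not None else self.default_range
        for ip in chosen:
            if ip in self.excluded or ip in self.leases:
                continue  # excluded, or still leased to another client
            self.leases[ip] = (client_id, now + self.lease_seconds)
            return ip
        return None  # range exhausted (assumption: no spill-over to the default range)


def demo_pool() -> Pool:
    """Constructed sample pool (not from the guide): class dhcpclass1 matches clients
    announcing the user class 'printers' and owns 192.168.13.100-101; every other
    client draws from 192.168.13.20-29, with .20 excluded."""
    return Pool(
        default_range=AddressRange(IPv4Address("192.168.13.20"), IPv4Address("192.168.13.29")),
        class_ranges={"dhcpclass1": AddressRange(IPv4Address("192.168.13.100"),
                                                 IPv4Address("192.168.13.101"))},
        class_values={"dhcpclass1": {"printers"}},
        excluded={IPv4Address("192.168.13.20")},
        lease_seconds=3600,
    )


if __name__ == "__main__":
    p = demo_pool()
    print(p.allocate("c1", b"printers", False, 0.0))              # 192.168.13.100
    print(p.allocate("c2", b"\x05guest\x08printers", True, 0.0))  # 192.168.13.101
    print(p.allocate("c3", b"laptop", False, 0.0))                # 192.168.13.21 (.20 excluded)
    print(p.allocate("c1", b"printers", False, 100.0))            # 192.168.13.100 (renewal)
    print(p.allocate("c4", b"printers", False, 4000.0))           # 192.168.13.100 (c1 expired)
```

The last two calls are the part worth studying: a renewal at t=100 returns the client's existing address and extends the lease, while at t=4000 every lease taken at t=0 (and the one renewed to expire at t=3700) has lapsed, so the class range is free again for a new client.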
This chapter is organized as follows:
  dhcp-server-policy
  dhcpv6-server-policy

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

12.1 dhcp-server-policy
DHCP-SERVER-POLICY

The following table summarizes DHCP server policy configuration commands:

Table 12.1 DHCP-Server-Policy-Config Commands
  bootp         Configures a BOOTP specific configuration (page 12-4)
  dhcp-class    Configures a DHCP server class (page 12-5)
  dhcp-pool     Configures a DHCP server address pool (page 12-11)
  dhcp-server   Configures the activation criteria that trigger dynamic activation of the DHCP service running on a redundancy device (page 12-56)
  no            Negates a command or sets its default (page 12-58)
  option        Defines the DHCP option used in DHCP pools (page 12-59)
  ping          Specifies ping parameters used by a DHCP server (page 12-60)

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

12.1.1 bootp
dhcp-server-policy

Configures a BOOTP specific configuration.

Bootstrap Protocol (BOOTP) requests are used by UNIX diskless workstations to obtain the location of their boot image and their IP address within the managed network. A BOOTP configuration server provides this information and also assigns an IP address from a configured pool of IP addresses. By default, all BOOTP requests are forwarded to the BOOTP configuration server by the controller. When enabled, this feature allows controllers using this DHCP server policy to ignore BOOTP requests.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  bootp ignore

Parameters
  bootp ignore
    bootp ignore    Enables controllers to ignore BOOTP requests

Example
  rfs6000-37FABE(config-dhcp-policy-test)#bootp ignore
  rfs6000-37FABE(config-dhcp-policy-test)#show context
  dhcp-server-policy test
   bootp ignore
  rfs6000-37FABE(config-dhcp-policy-test)#

Related Commands
  no    Disables the ignore BOOTP requests option

12.1.2 dhcp-class
dhcp-server-policy

A controller's, service platform's, or access point's local DHCP server assigns IP addresses to requesting DHCP clients based on user class option names. The DHCP server can assign IP addresses from as many IP address ranges as defined by an administrator. The DHCP user class associates a particular range of IP addresses with a device type in such a way that all devices of that type are assigned IP addresses from the defined range.

A DHCP user class applies different DHCP settings to a set of wireless clients. Wireless clients using the same DHCP settings are grouped under one DHCP class. Grouping users into classes facilitates the provision of differentiated service.

The following table summarizes DHCP class configuration commands:
Table 12.2 DHCP-Class Config Commands
  dhcp-class                 Creates a DHCP class and enters its configuration mode (page 12-6)
  dhcp-class-mode commands   Invokes DHCP class configuration commands (page 12-7)

12.1.2.1 dhcp-class
dhcp-class

Creates a DHCP server class and enters its configuration mode. Use this command to configure user class option values. Once defined, the controller's internal DHCP server uses the configured values to group wireless clients into DHCP classes. Therefore, each user class consists of wireless clients sharing the same set of user class values. You can also use this command to modify an existing DHCP user class's settings.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dhcp-class <DHCP-CLASS-NAME>

Parameters
  dhcp-class <DHCP-CLASS-NAME>
    <DHCP-CLASS-NAME>    Creates a DHCP user class
                         <DHCP-CLASS-NAME> Specify a name that appropriately identifies this class of wireless clients. If the class does not exist, it is created. The class name should not exceed 32 characters in length.

Example
  rfs6000-37FABE(config-dhcp-policy-test)#dhcp-class dhcpclass1
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#?
DHCP class Mode commands:
  multiple-user-class   Enable multiple user class option
  no                    Negate a command or set its defaults
  option                Configure DHCP Server options

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#
Related Commands
  no    Removes a configured DHCP user class policy

12.1.2.2 dhcp-class-mode commands
dhcp-class

Use DHCP class mode commands to configure the parameters of the DHCP user class. The following table summarizes DHCP user class configuration commands:

Table 12.3 DHCP-Class-Config-Mode Commands
  multiple-user-class   Enables the multiple user class option for this DHCP user class policy (page 12-8)
  no                    Negates a command or sets its default (page 12-9)
  option                Configures DHCP user class options for this DHCP user class policy (page 12-10)

12.1.2.2.1 multiple-user-class
dhcp-class-mode commands

Enables the multiple user class option for this DHCP user class policy. Enabling this option allows this user class to transmit multiple option values to other DHCP servers that also support multiple user class options.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  multiple-user-class

Parameters
  None

Example
  rfs6000-37FABE(config-dhcp-policy-test-class-class1)#multiple-user-class
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
  dhcp-class dhcpclass1
   multiple-user-class
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#

Related Commands
  no    Disables the multiple user class option for the selected DHCP user class policy

12.1.2.2.2 no
dhcp-class-mode commands

Removes this DHCP user class policy's settings.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [multiple-user-class|option]
  no option user-class <VALUE>

Parameters
  no <PARAMETERS>
    no <PARAMETERS>    Disables multiple user class options on this DHCP user class policy

Example
The following example shows the DHCP class settings before the no commands are executed:

  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
  dhcp-class dhcpclass1
   option user-class hex
   multiple-user-class
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#

  rfs6000-37FABE(config-dhcp-policy-test-class-class1)#no multiple-user-class
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#no option user-class hex

The following example shows the DHCP class settings after the no commands are executed:

  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
  dhcp-class dhcpclass1
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#
12.1.2.2.3 option
dhcp-class-mode commands

Configures DHCP user class options for this DHCP user class policy.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  option user-class <VALUE>

Parameters
  option user-class <VALUE>
    user-class <VALUE>    Configures DHCP user class options
                          <VALUE> Specify the DHCP user class option's ASCII value.

Example
  rfs6000-37FABE(config-dhcp-policy-test-class-class1)#option user-class hex
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#show context
  dhcp-class dhcpclass1
   option user-class hex
   multiple-user-class
  rfs6000-37FABE(config-dhcp-policy-test-class-dhcpclass1)#
Related Commands
  no    Removes the configured DHCP user class option

12.1.3 dhcp-pool
dhcp-server-policy

The DHCP pool command creates and manages a pool of IP addresses. These IP addresses are assigned to devices using the DHCP protocol. IP addresses have to be unique for each device in the network. Since IP addresses are finite, DHCP ensures that every device in the network is issued a unique IP address by tracking the issue, release, and reissue of IP addresses. The DHCP pool command configures a finite set of IP addresses that can be assigned whenever a device joins a network.

The following table summarizes DHCP pool configuration mode commands:

Table 12.4 DHCP-Pool-Config Commands
  dhcp-pool                 Creates a DHCP pool and enters its configuration mode (page 12-12)
  dhcp-pool-mode commands   Summarizes DHCP pool configuration mode commands (page 12-14)

12.1.3.1 dhcp-pool
dhcp-pool

Configures a DHCP server address pool.

DHCP services are available for specific IP interfaces. A pool (or range) of IP network addresses and DHCP options can be created for each IP interface defined. This range of addresses is available to DHCP enabled wireless devices on either a permanent or leased basis. This enables the reuse of limited IP address resources for deployment in any network.

DHCP options are provided to each DHCP client with a DHCP response and give DHCP clients the information required to access network resources (default gateway, domain name, DNS server and WINS server configuration). An option exists to identify the vendor and functionality of a DHCP client. The information is a variable-length string of characters (or octets) with a meaning specified by the vendor of the DHCP client.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dhcp-pool <POOL-NAME>

Parameters
  dhcp-pool <POOL-NAME>
    <POOL-NAME>    Creates a DHCP server address pool
                   <POOL-NAME> Specify a name that appropriately identifies this DHCP address pool. If the pool does not exist, it is created. The pool name cannot be modified as part of the edit process. However, an obsolete address pool can be deleted.

Example
  rfs6000-37FABE(config-dhcp-policy-test)#dhcp-pool pool1
  rfs6000-37FABE(config-dhcp-policy-test-pool-pool1)#?
DHCP pool Mode commands:
  address               Configure network pool's included addresses
  bootfile              Boot file name
  ddns                  Dynamic DNS Configuration
  default-router        Default routers
  dns-server            DNS Servers
  domain-name           Configure domain-name
  excluded-address      Prevent DHCP Server from assigning certain addresses
  lease                 Address lease time
  netbios-name-server   NetBIOS (WINS) name servers
  netbios-node-type     NetBIOS node type
  network               Network on which DHCP server will be deployed
  next-server           Next server in boot process
  no                    Negate a command or set its defaults
  option                Raw DHCP options
  respond-via-unicast   Send DHCP offer and DHCP Ack as unicast messages
  static-binding        Configure static address bindings
  static-route          Add static routes to be installed on dhcp clients
  update                Control the usage of DDNS service

  clrscr                Clears the display screen
  commit                Commit all changes made in this session
  do                    Run commands from Exec mode
  end                   End current mode and change to EXEC mode
  exit                  End current mode and down to previous mode
  help                  Description of the interactive help system
  revert                Revert changes
  service               Service Commands
  show                  Show running system information
  write                 Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1)#
Related Commands
  no    Removes a specified DHCP address pool

12.1.3.2 dhcp-pool-mode commands
dhcp-pool

Configures the DHCP pool parameters. The following table summarizes DHCP pool configuration commands:

Table 12.5 DHCP-Pool-Config-Mode Commands
  address               Specifies a range of addresses for a DHCP address pool (page 12-15)
  bootfile              Assigns a bootfile name. The bootfile name can contain letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted. (page 12-17)
  ddns                  Configures dynamic DNS parameters (page 12-18)
  default-router        Configures a default router or gateway IP address for the network pool (page 12-20)
  dns-server            Sets a DNS server's IP address available to all DHCP clients connected to the DHCP pool (page 12-22)
  domain-name           Sets the domain name for the network pool (page 12-24)
  excluded-address      Prevents a DHCP server from assigning certain addresses in the DHCP pool (page 12-25)
  lease                 Sets a valid lease for the IP address used by DHCP clients in the DHCP pool (page 12-27)
  netbios-name-server   Configures a NetBIOS (WINS) name server's IP address (page 12-29)
  netbios-node-type     Defines the NetBIOS node type (page 12-30)
  network               Configures the network on which the DHCP server is deployed (page 12-31)
  next-server           Configures the next server in the boot process (page 12-32)
  no                    Negates a command or sets its default (page 12-9)
  option                Configures RAW DHCP options (page 12-10)
  respond-via-unicast   Sends a DHCP offer and DHCP Ack as unicast messages (page 12-37)
  static-route          Configures a static route for a DHCP pool (page 12-36)
  update                Controls the usage of the DDNS service (page 12-38)
  static-binding        Configures static address bindings (page 12-39)

12.1.3.2.1 address
dhcp-pool-mode commands

Adds IP addresses to the DHCP address pool. These IP addresses are assigned to each device joining the network.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  address [<IP>|<HOST-ALIAS-NAME>|range]
  address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]] {class <DHCP-CLASS-NAME>}

Parameters
  address [<IP>|<HOST-ALIAS-NAME>|range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]] {class <DHCP-CLASS-NAME>}
    <IP>                 Adds a single IP address to the DHCP address pool
    <HOST-ALIAS-NAME>    Adds a single host mapped to the specified host alias. The host alias should be existing and configured. A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias.
    range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
                         Adds a range of IP addresses to the DHCP address pool. Use one of the following options to provide the first IP address in the range:
                           <START-IP>                Specifies the first IP address in the range
                           <START-HOST-ALIAS-NAME>   Specifies a host alias, mapped to the first IP address in the range
                         Use one of the following options to provide the last IP address in the range:
                           <END-IP>                  Specifies the last IP address in the range
                           <END-HOST-ALIAS-NAME>     Specifies a host alias, mapped to the last IP address in the range
                         The host aliases should be existing and configured.
    class <DHCP-CLASS-NAME>
                         Optional. Applies additional DHCP options, or a modified set of options, to those available to wireless clients. For more information, see dhcp-class.
                           <DHCP-CLASS-NAME>         Sets the DHCP class.

Example
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#address 192.168.13.4 class dhcpclass1
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
  dhcp-pool testPool
   address 192.168.13.4 class dhcpclass1
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
  no           Removes the DHCP pool's configured IP addresses
  dhcp-class   Creates and configures the DHCP class parameters
  alias        Creates and configures network, VLAN, host, string, and network-service aliases

12.1.3.2.2 bootfile
dhcp-pool-mode commands

The bootfile command provides a diskless node with the path to its image file while booting up. Only one file can be configured for each DHCP pool. For more information on the BOOTP protocol with reference to the DHCP policy, see bootp.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  bootfile <IMAGE-FILE-PATH>

Parameters
  bootfile <IMAGE-FILE-PATH>
    <IMAGE-FILE-PATH>    Sets the path to the boot image for BOOTP clients. The file name can contain letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted.

Example
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#bootfile test.txt
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
  dhcp-pool testPool
   address 192.168.13.4 class dhcpclass1
   bootfile test.txt
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
  no      Resets the boot image path for BOOTP clients
  bootp   Configures BOOTP protocol parameters

12.1.3.2.3 ddns
dhcp-pool-mode commands

Configures Dynamic Domain Name Service (DDNS) parameters.

Dynamic DNS provides a way to access an individual device in a DHCP serviced network using a static device name. Depending on the DHCP server's configuration, the IP address of a device changes periodically. To ensure continuous accessibility to a device (having a dynamic IP address), the device's current IP address is published to a DDNS server that resolves the static device name (used to access the device) to the changing IP address. The DDNS server must be accessible from outside the network and must be configured as an address resolver.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ddns [domainname|multiple-user-class|server|ttl]
  ddns domainname <DDNS-DOMAIN-NAME>
  ddns multiple-user-class
  ddns server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
  ddns ttl <1-864000>

Parameters
  ddns domainname <DDNS-DOMAIN-NAME>
    domainname <DDNS-DOMAIN-NAME>    Sets the domain name used for DNS updates. The controller uses DNS to convert human readable host names into IP addresses. Host names are not case sensitive and can contain alphabetic or numeric characters or a hyphen. A Fully Qualified Domain Name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com.

  ddns multiple-user-class
    multiple-user-class    Enables the multiple user class options with this DDNS domain

  ddns server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
    server                       Configures the DDNS server used by this DHCP profile
    [<IP>|<HOST-ALIAS-NAME>]     Configures the primary DDNS server. This is the default server. Use one of the following options to specify the primary DDNS server:
                                   <IP>                Specifies the primary DDNS server's IP address
                                   <HOST-ALIAS-NAME>   Specifies a host alias, mapped to the primary DDNS server's IP address. The host alias should be existing and configured. A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias.
    {<IP1>|<HOST-ALIAS-NAME1>}   Optional. Configures the secondary DDNS server. If the primary server is not reachable, this server is used. Use one of the following options to identify the secondary DDNS server:
                                   <IP1>               Specifies the secondary DDNS server's IP address
                                   <HOST-ALIAS-NAME1>  Specifies a host alias, mapped to the secondary DDNS server's IP address. The host alias should be existing and configured.

  ddns ttl <1-864000>
    ttl <1-864000>    Configures the Time To Live (TTL) value for DDNS updates
                      <1-864000> Specify a value from 1 - 864000 seconds.

Example
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns domainname WID
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns multiple-user-class
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#ddns server 192.168.13.9
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
  dhcp-pool testPool
   address 192.168.13.4 class dhcpclass1
   ddns server 192.168.13.9
   ddns domainname WID
   ddns multiple-user-class
   bootfile test.txt
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
  no    Resets or disables a DHCP pool's DDNS settings

12.1.3.2.4 default-router
dhcp-pool-mode commands

Configures a default router or gateway IP address for a network pool.

After a DHCP client has booted, the client begins sending packets to its default router. Set the IP address of one router, or of a group of routers, the controller uses to map host names into IP addresses available to DHCP supported clients. Up to 8 default router IP addresses are supported.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
  default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
    [<IP>|<HOST-ALIAS-NAME>]     Configures the primary default router, using one of the following options:
                                   <IP>                Specifies the primary default router's IP address
                                   <HOST-ALIAS-NAME>   Specifies a host alias, mapped to the primary default router's IP address
    {<IP1>|<HOST-ALIAS-NAME1>}   Optional. Configures the secondary default router, using one of the following options:
                                   <IP1>               Specifies the secondary default router's IP address
                                   <HOST-ALIAS-NAME1>  Specifies a host alias, mapped to the secondary default router's IP address
                                 If the primary default router is unavailable, the secondary router is used. A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias. A maximum of 8 default routers can be configured.

Usage Guidelines
  The IP address of the router should be on the same subnet as the client subnet.

Example
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#default-router 192.168.13.8 192.168.13.9
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
  dhcp-pool testPool
   address 192.168.13.4 class dhcpclass1
   ddns server 192.168.13.9
   ddns domainname WID
   ddns multiple-user-class
   bootfile test.txt
   default-router 192.168.13.8 192.168.13.9
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
  no    Removes the default router settings

12.1.3.2.5 dns-server
dhcp-pool-mode commands

Configures a network's DNS server. The DNS server supports all clients connected to networks served by the DHCP server. For DHCP clients, the DNS server's IP address is what maps a hostname to an IP address. DHCP clients use the DNS servers' IP addresses in the order (sequence) configured.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
  dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
    [<IP>|<HOST-ALIAS-NAME>]     Configures the primary DNS server, using one of the following options:
                                   <IP>                Specifies the primary DNS server's IP address
                                   <HOST-ALIAS-NAME>   Specifies a host alias, mapped to the primary DNS server's IP address
                                 A maximum of 8 DNS servers can be configured.
    {<IP1>|<HOST-ALIAS-NAME1>}   Optional. Configures the secondary DNS server, using one of the following options:
                                   <IP1>               Specifies the secondary DNS server's IP address
                                   <HOST-ALIAS-NAME1>  Specifies a host alias, mapped to the secondary DNS server's IP address
                                 If the primary DNS server is unavailable, the secondary server is used. A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias. A maximum of 8 DNS servers can be configured.

NOTE: To enable redirection of DNS queries to OpenDNS, the DNS server IP addresses provided here must point to the OpenDNS resolver (208.67.220.220 or 208.67.222.222). OpenDNS is a proxy DNS server that provides additional functionality, such as Web filtering, reporting, and performance enhancements in addition to DNS services. When configured on a WLAN, DNS queries from wireless clients are redirected to OpenDNS. The following example illustrates the configuration:

  dhcp-server-policy dhcppolicy
   dhcp-pool dhcppool
    network 192.168.1.0/24
    address range 192.168.1.160 192.168.1.200
    default-router 192.168.1.105
    dns-server 208.67.220.220

Note that the above example shows the OpenDNS server as 208.67.220.220. The alternative IP address 208.67.222.222 can also be used. For more information on the entire configuration needed to integrate WiNG access points, controllers, and service platforms with OpenDNS, see opendns.

Example
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#dns-server 192.168.13.19
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
  dhcp-pool testPool
   address 192.168.13.4 class dhcpclass1
   ddns server 192.168.13.9
   ddns domainname WID
   ddns multiple-user-class
   bootfile test.txt
   default-router 192.168.13.8 192.168.13.9
   dns-server 192.168.13.19
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
  no    Removes DNS server settings

12.1.3.2.6 domain-name
dhcp-pool-mode commands

Sets the domain name for the DHCP pool. This is the domain name used by the controller with this pool. Domain names are not case sensitive and can contain alphabetic or numeric characters or a hyphen. The FQDN consists of the host name and the domain name. For example, computername.domain.com.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  domain-name <DOMAIN-NAME>

Parameters
  domain-name <DOMAIN-NAME>
    <DOMAIN-NAME>    Defines the DHCP pool's domain name

Example
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#domain-name documentation
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
  dhcp-pool testPool
   address 192.168.13.4 class dhcpclass1
   ddns server 192.168.13.9
   ddns domainname WID
   ddns multiple-user-class
   domain-name documentation
   bootfile test.txt
   default-router 192.168.13.8 192.168.13.9
   dns-server 192.168.13.19
  rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes a DHCP pool's domain name

12.1.3.2.7 excluded-address
dhcp-pool-mode commands
Identifies a single IP address, or a range of IP addresses, inside the DHCP address pool that the DHCP server must not assign to clients.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
excluded-address [<IP>|<HOST-ALIAS-NAME>|range]
excluded-address <IP>
excluded-address <HOST-ALIAS-NAME>
excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
Parameters
excluded-address <IP>
<IP>  Adds a single IP address to the excluded address list
excluded-address <HOST-ALIAS-NAME>
<HOST-ALIAS-NAME>  Adds a host alias. The alias is mapped to a host's IP address, and that host is added to the excluded address list. The host alias must already exist and be configured. A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100 maps the host alias $HOST to the single host 1.1.1.100. For more information, see alias.
excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]  Adds a range of IP addresses to the excluded address list. Use one of the following options to provide the first IP address in the range:
    <START-IP>  Specifies the first IP address in the range
    <START-HOST-ALIAS-NAME>  Specifies a host alias, mapped to the first IP address in the range
  Use one of the following options to provide the last IP address in the range:
    <END-IP>  Specifies the last IP address in the range
    <END-HOST-ALIAS-NAME>  Specifies a host alias, mapped to the last IP address in the range
  The host aliases must already exist and be configured.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#excluded-address range 192.168.13.25 192.168.13.28
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 ddns server 192.168.13.9
 ddns domainname WID
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 domain-name documentation
 bootfile test.txt
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes the excluded address settings

12.1.3.2.8 lease
dhcp-pool-mode commands
A lease is the duration for which a DHCP-issued IP address is valid. Once a lease expires and is not renewed, the IP address is revoked and becomes available for reuse. Generally, before a lease expires, the client tries to have the same IP address issued for the next lease period. Leases are enabled by default, with a lease period of 24 hours (1 day).
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
lease [<0-365>|infinite]
lease infinite
lease <0-365> {<0-23>} {<0-59>} {<0-59>}
Parameters
lease infinite
infinite  The lease never expires (equivalent to a static IP address assignment; the address is never reclaimed by the pool)
lease <0-365> {<0-23>} {<0-59>} {<0-59>}
<0-365>  Configures the lease duration in days. Note: days may be 0 only when hours and/or minutes are greater than 0.
<0-23>  Optional. Sets the lease duration in hours
<0-59>  Optional. Sets the lease duration in minutes
<0-59>  Optional. Sets the lease duration in seconds
Usage Guidelines
If the lease parameter is not configured on the DHCP pool, the default of 24 hours is used.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#lease 100 23 59 59
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 ddns server 192.168.13.9
 ddns domainname WID
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 domain-name documentation
 bootfile test.txt
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Resets values or disables the DHCP pool lease settings

12.1.3.2.9 netbios-name-server
dhcp-pool-mode commands
Configures the NetBIOS (WINS) name server's IP address. Clients use this server to resolve NetBIOS host names.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
Parameters
netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}
[<IP>|<HOST-ALIAS-NAME>]  Configures the primary NetBIOS name server, using one of the following options:
    <IP>  Specifies the primary NetBIOS name server's IP address
    <HOST-ALIAS-NAME>  Specifies a host alias, mapped to the primary NetBIOS name server's IP address
{<IP1>|<HOST-ALIAS-NAME1>}  Optional. Configures the secondary NetBIOS name server, using one of the following options:
    <IP1>  Specifies the secondary NetBIOS name server's IP address
    <HOST-ALIAS-NAME1>  Specifies a host alias, mapped to the secondary NetBIOS name server's IP address
  If the primary NetBIOS name server is unavailable, the secondary server is used.
  A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100 maps the host alias $HOST to the single host 1.1.1.100. For more information, see alias.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 ddns server 192.168.13.9
 ddns domainname WID
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 domain-name documentation
 bootfile test.txt
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes the NetBIOS name server settings

12.1.3.2.10 netbios-node-type
dhcp-pool-mode commands
Defines the NetBIOS node type handed to clients. The node type determines how a client resolves NetBIOS names to IP addresses.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
netbios-node-type [b-node|h-node|m-node|p-node]
Parameters
netbios-node-type [b-node|h-node|m-node|p-node]
[b-node|h-node|m-node|p-node]  Defines the NetBIOS node type:
    b-node  Broadcast node. Uses broadcasts to query nodes on the network for the owner of a NetBIOS name.
    h-node  Hybrid node. Combines the other methods: the known name server is queried first and, failing that, a broadcast query is sent.
    m-node  Mixed node. Uses broadcast queries to find a node and, failing that, queries a known p-node name server for the address.
    p-node  Peer-to-peer node. Uses directed queries to a known NetBIOS name server (such as a WINS server) for the IP address of a NetBIOS machine.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#netbios-node-type b-node
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 ddns server 192.168.13.9
 ddns domainname WID
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes the NetBIOS node type settings

12.1.3.2.11 network
dhcp-pool-mode commands
Configures the network number and mask served by this DHCP pool.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
network [<IP/M>|<NETWORK-ALIAS-NAME>]
Parameters
network [<IP/M>|<NETWORK-ALIAS-NAME>]
<IP/M>  Configures the network number and mask (for example, 192.168.13.0/24)
<NETWORK-ALIAS-NAME>  Configures a network alias identifying the network number and mask. The network alias must already exist and be configured. A network alias defines a single network address. For example, alias network $NET 1.1.1.0/24 maps the network alias $NET to the network 1.1.1.0/24. For more information, see alias.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#network 192.168.13.0/24
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 ddns server 192.168.13.9
 ddns domainname WID
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes the network number and mask configured for this DHCP pool

12.1.3.2.12 next-server
dhcp-pool-mode commands
Configures the next server in the boot process, that is, the server a booting client contacts after the DHCP exchange to retrieve its boot file.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
next-server [<IP>|<HOST-ALIAS-NAME>]
Parameters
next-server [<IP>|<HOST-ALIAS-NAME>]
<IP>  Configures the next server's IP address
<HOST-ALIAS-NAME>  Configures a host alias, mapped to the next server's IP address. The host alias must already exist and be configured. A host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100 maps the host alias $HOST to the single host 1.1.1.100. For more information, see alias.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#next-server 192.168.13.26
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 ddns server 192.168.13.9
 ddns domainname WID
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
 next-server 192.168.13.26
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes the next server configuration settings

12.1.3.2.13 no
dhcp-pool-mode commands
Removes or resets this DHCP pool's settings.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [address|bootfile|ddns|default-router|dns-server|domain-name|excluded-address|lease|netbios-name-server|netbios-node-type|network|next-server|option|respond-via-unicast|static-binding|static-route|update]
no [bootfile|default-router|dns-server|domain-name|lease|netbios-name-server|netbios-node-type|next-server|network|respond-via-unicast]
no address [<IP>|<HOST-ALIAS-NAME>|all]
no address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
no ddns [domainname|multiple-user-class|server|ttl]
no excluded-address [<IP>|<HOST-ALIAS-NAME>]
no excluded-address range [<START-IP>|<START-HOST-ALIAS-NAME>] [<END-IP>|<END-HOST-ALIAS-NAME>]
no option <OPTION-NAME>
no static-binding client-identifier <CLIENT-IDENTIFIER>
no static-binding hardware-address <MAC>
no static-route <IP/MASK> <GATEWAY-IP>
no update dns {override}
Parameters
no <PARAMETERS>
no <PARAMETERS>  Removes or resets this DHCP pool's settings
Example
The following example shows the DHCP pool settings before the no commands are executed:
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 ddns server 192.168.13.9
 ddns domainname WID
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
 next-server 192.168.13.26
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no bootfile
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no network
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no default-router
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no next-server
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no domain-name
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no ddns domainname
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#no lease
The following example shows the DHCP pool settings after the no commands are executed:
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 address 192.168.13.4 class dhcpclass1
 ddns server 192.168.13.9
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 netbios-node-type b-node
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
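The before/after dumps above show how easily a pool ends up inconsistent: after no network the pool still carries an address, an excluded range and a default router, but nothing it can hand out. The following added example (it is not part of this guide and not WiNG code) parses a dhcp-pool show context dump into keyword/argument lists and applies the constraints this chapter states: a pool needs a network, addresses, excluded addresses and default routers must lie inside that network, a static-route is for other networks, lease days may be 0 only when hours or minutes are set, and the lease defaults to 24 hours when absent. The two sample dumps are constructed from the page's own examples; host and network aliases ($HOST, $NET) cannot be resolved from a dump alone and are skipped.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample inputs, copied from the guide's own "show context" output.
# The pool as it looks after the "no" commands above (network removed):
POOL_AFTER_NO = """\
dhcp-pool testPool
 address 192.168.13.4 class dhcpclass1
 ddns server 192.168.13.9
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 netbios-node-type b-node
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
"""

# A pool with network, lease, routers and the static route shown later on the page:
POOL_FULL = """\
dhcp-pool testPool
 network 192.168.13.0/24
 address 192.168.13.4 class dhcpclass1
 lease 100 23 59 59
 excluded-address range 192.168.13.25 192.168.13.28
 default-router 192.168.13.8 192.168.13.9
 dns-server 192.168.13.19
 static-route 192.168.13.0/24 192.168.13.7
"""


def parse_pool(text: str) -> Dict[str, List[List[str]]]:
    """Split a dhcp-pool 'show context' dump into keyword -> list of argument lists.
    A keyword may repeat (several excluded-address or static-route lines)."""
    pool: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0] == "dhcp-pool":
            continue
        pool.setdefault(tokens[0], []).append(tokens[1:])
    return pool


def lease_seconds(args: List[str]) -> Optional[int]:
    """Convert 'lease <0-365> {<0-23>} {<0-59>} {<0-59>}' to seconds; None means infinite.
    Enforces the guide's rule that days may be 0 only when hours and/or minutes are > 0."""
    if args == ["infinite"]:
        return None
    days, hours, minutes, seconds = ([int(a) for a in args] + [0, 0, 0])[:4]
    if not (0 <= days <= 365 and 0 <= hours <= 23 and 0 <= minutes <= 59 and 0 <= seconds <= 59):
        raise ValueError(f"lease fields out of range: {' '.join(args)}")
    if days == 0 and hours == 0 and minutes == 0:
        raise ValueError("days may be 0 only when hours and/or minutes are greater than 0")
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def audit_pool(text: str) -> List[str]:
    """Return a list of findings for one dhcp-pool dump (empty list = nothing to report)."""
    pool = parse_pool(text)
    findings: List[str] = []
    net: Optional[ipaddress.IPv4Network] = None
    if "network" not in pool:
        findings.append("no network configured: the pool cannot hand out addresses")
    elif pool["network"][0][0].startswith("$"):
        findings.append("network is an alias: subnet checks skipped")
    else:
        net = ipaddress.ip_network(pool["network"][0][0], strict=True)

    def off_subnet(ip: str) -> bool:
        # Aliases ($HOST) cannot be resolved from the dump alone, so they are not checked.
        return net is not None and not ip.startswith("$") and ipaddress.ip_address(ip) not in net

    # address / excluded-address take a single IP or 'range <start> <end>'
    for keyword in ("address", "excluded-address"):
        for args in pool.get(keyword, []):
            ips = args[1:3] if args[0] == "range" else args[:1]
            if any(off_subnet(ip) for ip in ips):
                findings.append(f"{keyword} {' '.join(args)} lies outside {net}")

    # default-router: the guide requires the router to be on the client subnet
    for args in pool.get("default-router", []):
        for ip in args:
            if off_subnet(ip):
                findings.append(f"default-router {ip} is not on the client subnet {net}")

    # static-route is meant for other networks; a route for the pool's own network is a mistake
    for prefix, _gateway in pool.get("static-route", []):
        if net is not None and ipaddress.ip_network(prefix, strict=False) == net:
            findings.append(f"static-route {prefix} targets the pool's own network")

    # lease defaults to 24 hours when absent; infinite means addresses are never reclaimed
    try:
        secs = lease_seconds(pool["lease"][0] if "lease" in pool else ["1"])
    except ValueError as exc:
        findings.append(f"lease: {exc}")
    else:
        if secs is None:
            findings.append("lease infinite: addresses are never reclaimed")
    return findings
```

Run audit_pool on the output of show context for each pool after a change; the checks are the ones the guide states in prose, so a finding means the pool disagrees with its own documentation, not that the CLI rejected it (the CLI accepted every line in the dumps above).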
12.1.3.2.14 option
dhcp-pool-mode commands
Configures raw DHCP options. The DHCP option itself must first be defined under the DHCP server policy. Options configured under the DHCP pool or DHCP server policy can also be used in static bindings.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]
Parameters
option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]
<OPTION-NAME>  Sets the name of the DHCP option
<DHCP-OPTION-IP>  Sets the DHCP option value as an IP address
<DHCP-OPTION-ASCII>  Sets the DHCP option value as an ASCII string
NOTE: An option value in ASCII format accepts a backslash (\) as input, but the backslash is not displayed in the output (use show running-config to view it). Use a double backslash (\\) to represent a single backslash.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#option option1 157.235.208.80
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 address 192.168.13.4 class dhcpclass1
 ddns server 192.168.13.9
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 netbios-node-type b-node
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
 option option1 157.235.208.80
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Resets values or disables the DHCP pool option settings

12.1.3.2.15 static-route
dhcp-pool-mode commands
Configures a static route for a DHCP pool. Static routes are installed on the DHCP clients and define the gateway used for traffic destined to the specified network prefix, that is, to networks other than the client's own.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
static-route <IP/M> <IP>
Parameters
static-route <IP/M> <IP>
<IP/M>  Specifies the destination IP prefix (for example, 10.0.0.0/8)
<IP>  Specifies the gateway IP address
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#static-route 192.168.13.0/24 192.168.13.7
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 address 192.168.13.4 class dhcpclass1
 ddns server 192.168.13.9
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 netbios-node-type b-node
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
 option option1 157.235.208.80
 respond-via-unicast
 static-route 192.168.13.0/24 192.168.13.7
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes static route settings

12.1.3.2.16 respond-via-unicast
dhcp-pool-mode commands
Sends the DHCP offer and acknowledgement as unicast messages instead of broadcasts.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
respond-via-unicast
Parameters
None
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#respond-via-unicast
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 address 192.168.13.4 class dhcpclass1
 ddns server 192.168.13.9
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 netbios-node-type b-node
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
 option option1 157.235.208.80
 respond-via-unicast
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Disables sending the DHCP offer and DHCP Ack as unicast messages. When disabled, the offer and acknowledgement are sent as broadcast messages.

12.1.3.2.17 update
dhcp-pool-mode commands
Controls the use of the DDNS service.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
update dns {override}
Parameters
update dns {override}
dns {override}  Configures Dynamic DNS parameters
    override  Optional. Enables Dynamic DNS updates from the onboard DHCP server
Usage Guidelines
A DHCP client cannot always be relied on to update its own A, TXT and PTR resource records. Use update dns override to have the internal DHCP server send the DDNS updates for those records instead. The DHCP server then overrides the client, even if the client is configured to perform the updates itself. In the DHCP server's pool, the FQDN is configured as the DDNS domain name; it is used internally in the packets exchanged between the DHCP server and the DNS server.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#update dns override
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 address 192.168.13.4 class dhcpclass1
 update dns override
 ddns server 192.168.13.9
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 netbios-node-type b-node
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
 option option1 157.235.208.80
 respond-via-unicast
 static-route 192.168.13.0/24 192.168.13.7
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
Related Commands
no  Removes dynamic DNS service control

12.1.3.3 static-binding
dhcp-pool-mode commands
Configures static IP address information for a particular device. A static address binding is keyed on the device's client identifier or MAC address. Static bindings allow the configuration of client parameters such as DHCP server, DNS server, default routers and a fixed IP address. The following table summarizes the static binding configuration commands:

Table 12.6 Static-Binding-Config Commands
Command  Description  Reference
static-binding  Creates a static binding policy and enters its configuration mode  page 12-40
static-binding-mode commands  Invokes static binding configuration commands  page 12-42

12.1.3.3.1 static-binding
static-binding
Configures static address bindings. A static address binding is a collection of configuration parameters, including an IP address, associated with (bound to) a DHCP client. Bindings are managed by DHCP servers. Dynamic DHCP bindings map a device's MAC address to an IP address drawn from a pool of DHCP-supplied addresses; static bindings assign fixed IP addresses without creating numerous host pools with manual bindings. Static host bindings use a text file the DHCP server reads, which eliminates the need for a lengthy configuration file and reduces the space required to maintain address pools.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
static-binding [client-identifier <CLIENT>|hardware-address <MAC>]
Parameters
static-binding [client-identifier <CLIENT>|hardware-address <MAC>]
client-identifier <CLIENT>  Enables a static binding configuration for a client based on its client identifier (as provided by DHCP option 61 and its key value)
    <CLIENT>  Specify the client identifier (DHCP option 61).
hardware-address <MAC>  Enables a static binding configuration for a client based on its MAC address
    <MAC>  Specify the MAC address of the client.
Example
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#static-binding client-identifier test
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#show context
dhcp-pool testPool
 address 192.168.13.4 class dhcpclass1
 update dns override
 ddns server 192.168.13.9
 ddns multiple-user-class
 excluded-address range 192.168.13.25 192.168.13.28
 netbios-node-type b-node
 dns-server 192.168.13.19
 netbios-name-server 192.168.13.25
 option option1 157.235.208.80
 respond-via-unicast
 static-route 192.168.13.0/24 192.168.13.7
 static-binding client-identifier test
rfs4000-229D58(config-dhcp-policy-test-pool-testPool)#
rfs4000-229D58(config-dhcp-policy-test-pool-testPool-binding-test)#?
DHCP static binding Mode commands:
  bootfile             Boot file name
  client-name          Client name
  default-router       Default routers
  dns-server           DNS Servers
  domain-name          Configure domain-name
  ip-address           Fixed IP address for host
  netbios-name-server  NetBIOS (WINS) name servers
  netbios-node-type    NetBIOS node type
  next-server          Next server in boot process
  no                   Negate a command or set its defaults
  option               Raw DHCP options
  respond-via-unicast  Send DHCP offer and DHCP Ack as unicast messages
  static-route         Add static routes to be installed on dhcp clients

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  do                   Run commands from Exec mode
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal
rfs4000-229D58(config-dhcp-policy-test-pool-testPool-binding-test)#

A binding keyed on the hardware address enters the same mode, with the same command set as listed above:
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1)#static-binding hardware-address 11-22-33-44-55-66
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-11-22-33-44-55-66)#?
DHCP static binding Mode commands:
  (same list as above)
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-11-22-33-44-55-66)#
Related Commands
no  Resets values or disables the DHCP policy static binding settings
static-binding-mode commands  Invokes static binding configuration commands

12.1.3.3.2 static-binding-mode commands
static-binding
The following table summarizes the static binding configuration mode commands:

Table 12.7 Static-Binding-Config-Mode Commands
Command  Description  Reference
bootfile  Assigns a bootfile name for the DHCP configuration on the network pool  page 12-43
client-name  Configures a client name  page 12-44
default-router  Configures the default router or gateway IP address  page 12-45
dns-server  Sets the DNS server's IP address available to all DHCP clients connected to the DHCP pool  page 12-46
domain-name  Sets the network pool's domain name  page 12-47
ip-address  Configures a host's fixed IP address  page 12-48
netbios-name-server  Configures a NetBIOS (WINS) name server IP address  page 12-49
netbios-node-type  Defines the NetBIOS node type  page 12-50
next-server  Specifies the next server used in the boot process  page 12-51
no  Negates a command or sets its default  page 12-52
option  Configures raw DHCP options  page 12-53
respond-via-unicast  Sends the DHCP offer and DHCP Ack as unicast messages  page 12-54
static-route  Adds static routes installed on DHCP clients  page 12-55

12.1.3.3.3 bootfile
static-binding-mode commands
The bootfile command gives a diskless node the path to the image file it loads while booting. Only one file can be configured for each static IP binding. For more information on the BOOTP protocol with reference to static binding, see bootp.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
bootfile <IMAGE-FILE-PATH>
Parameters
bootfile <IMAGE-FILE-PATH>
<IMAGE-FILE-PATH>  Sets the path to the boot image for BOOTP clients. The file name can contain letters, numbers, dots and hyphens. Consecutive dots and hyphens are not permitted.
Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#bootfile test.txt
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 bootfile test.txt
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#
Related Commands
no  Resets values or disables DHCP pool static binding settings
bootp  Configures BOOTP protocol parameters

12.1.3.3.4 client-name
static-binding-mode commands
Configures the client's name.
Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
client-name <NAME>
Parameters
client-name <NAME>
<NAME>  Specify the name of the client using this static IP address binding. Do not include the domain name.
Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#client-name RFID
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 bootfile test.txt
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#
Related Commands no Resets values or disables DHCP pool static binding settings Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 44 DHCP-SERVER-POLICY 12.1.3.3.5 default-router static-binding-mode commands Configures a default router or gateway IP address for the static binding configuration Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
default-router [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]  Configures the primary default router, using one of the following options:
  <IP>               Specifies the primary default router's IP address
  <HOST-ALIAS-NAME>  Specifies a host alias, mapped to the primary default router's IP address
{<IP1>|<HOST-ALIAS-NAME1>}  Optional. Configures the secondary default router, using one of the following options:
  <IP1>               Specifies the secondary default router's IP address
  <HOST-ALIAS-NAME1>  Specifies a host alias, mapped to the secondary default router's IP address. If the primary default router is unavailable, the secondary router is used.
  A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias.

Usage Guidelines
The IP address of the router should be on the same subnet as the client subnet.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#default-router 172.16.10.8 172.16.10.9
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings

12.1.3.3.6 dns-server
static-binding-mode commands

Configures the DNS server for this static binding configuration. This DNS server supports the client for which the static binding has been configured. For this client, the DNS server's IP address maps the host name to an IP address. DHCP clients use the DNS servers' IP addresses in the order (sequence) configured.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
dns-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]  Configures the primary DNS server, using one of the following options:
  <IP>               Specifies the primary DNS server's IP address
  <HOST-ALIAS-NAME>  Specifies a host alias, mapped to the primary DNS server's IP address
{<IP1>|<HOST-ALIAS-NAME1>}  Optional. Configures the secondary DNS server, using one of the following options:
  <IP1>               Specifies the secondary DNS server's IP address
  <HOST-ALIAS-NAME1>  Specifies a host alias, mapped to the secondary DNS server's IP address. If the primary DNS server is unavailable, the secondary DNS server is used.
  A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings

12.1.3.3.7 domain-name
static-binding-mode commands

Sets the domain name for the static binding configuration. Domain names are not case sensitive and contain alphabetic or numeric characters (or a hyphen). A fully qualified domain name (FQDN) consists of a host name plus a domain name, for example computername.domain.com.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
domain-name <DOMAIN-NAME>

Parameters
domain-name <DOMAIN-NAME>

<DOMAIN-NAME>  Defines the domain name for the static binding configuration

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#domain-name documentation
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 domain-name documentation
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables the DHCP pool static binding settings

12.1.3.3.8 ip-address
static-binding-mode commands

Configures a fixed IP address for a host

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip-address [<IP>|<HOST-ALIAS-NAME>]

Parameters
ip-address [<IP>|<HOST-ALIAS-NAME>]

<IP>               Configures a fixed IP address (in dotted decimal format) of the client using this host pool
<HOST-ALIAS-NAME>  Configures a host alias identifying the fixed IP address of the client using this host pool
  A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#ip-address 172.16.10.9
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 ip-address 172.16.10.9
 client-name RFID
 domain-name documentation
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings

12.1.3.3.9 netbios-name-server
static-binding-mode commands

Configures the NetBIOS (WINS) name server's IP address. This server is used to resolve NetBIOS host names.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

Parameters
netbios-name-server [<IP>|<HOST-ALIAS-NAME>] {<IP1>|<HOST-ALIAS-NAME1>}

[<IP>|<HOST-ALIAS-NAME>]  Configures the primary NetBIOS name server, using one of the following options:
  <IP>               Specifies the primary NetBIOS name server's IP address
  <HOST-ALIAS-NAME>  Specifies a host alias, mapped to the primary NetBIOS name server's IP address
{<IP1>|<HOST-ALIAS-NAME1>}  Optional. Configures the secondary NetBIOS name server, using one of the following options:
  <IP1>               Specifies the secondary NetBIOS name server's IP address
  <HOST-ALIAS-NAME1>  Specifies a host alias, mapped to the secondary NetBIOS name server's IP address. If the primary NetBIOS name server is unavailable, the secondary server is used.
  A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#netbios-name-server 172.16.10.23
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 ip-address 172.16.10.9
 client-name RFID
 domain-name documentation
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
 netbios-name-server 172.16.10.23
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings

12.1.3.3.10 netbios-node-type
static-binding-mode commands

Configures one of the predefined NetBIOS node types. The NetBIOS node type defines the way a device resolves NetBIOS names to IP addresses.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
netbios-node-type [b-node|h-node|m-node|p-node]

Parameters
netbios-node-type [b-node|h-node|m-node|p-node]

[b-node|h-node|m-node|p-node]  Defines the NetBIOS node type:
  b-node  Sets the node type as broadcast. Uses broadcasts to query nodes on the network for the owner of a NetBIOS name.
  h-node  Sets the node type as hybrid. Uses a combination of two or more node types.
  m-node  Sets the node type as mixed. A mixed node uses broadcast queries to find a node and, failing that, queries a known p-node name server for the address.
  p-node  Sets the node type as peer-to-peer. Uses directed calls to communicate with a known NetBIOS name server (such as a WINS server) for the IP address of a NetBIOS machine.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#netbios-node-type b-node
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 ip-address 172.16.10.9
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
 netbios-name-server 172.16.10.23
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings

12.1.3.3.11 next-server
static-binding-mode commands

Configures the next server used in the boot process

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
next-server [<IP>|<HOST-ALIAS-NAME>]

Parameters
next-server [<IP>|<HOST-ALIAS-NAME>]

<IP>               Configures the next server's (the first server in the boot process) IP address
<HOST-ALIAS-NAME>  Configures a host alias, mapped to the next server's IP address
  <HOST-ALIAS-NAME>  Specify the host alias name. It must already exist and be configured. A network host alias maps a name to a single network host. For example, alias host $HOST 1.1.1.100. In this example the host alias is $HOST and it maps to a single host 1.1.1.100. For more information, see alias.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 ip-address 172.16.10.9
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings

12.1.3.3.12 no
static-binding-mode commands

Negates or reverts static binding settings for the selected DHCP server policy

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [bootfile|client-name|default-router|dns-server|domain-name|ip-address|netbios-name-server|netbios-node-type|next-server|option|respond-via-unicast|static-route]
no option <OPTION-NAME>
no static-route <IP/MASK> <GATEWAY-IP>

Parameters
no <PARAMETERS>

no <PARAMETERS>  Negates or reverts static binding settings for the selected DHCP server policy

Example
The following example shows the DHCP pool static binding settings before the no commands are executed:

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 ip-address 172.16.10.9
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no bootfile
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no ip-address
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no default-router
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#no dns-server

The following example shows the DHCP pool static binding settings after the no commands are executed:

rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

12.1.3.3.13 option
static-binding-mode commands

Configures the raw DHCP options in the DHCP policy. The DHCP options can be used only in static bindings.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]

Parameters
option <OPTION-NAME> [<DHCP-OPTION-IP>|<DHCP-OPTION-ASCII>]

<OPTION-NAME>        Sets the DHCP option name
<DHCP-OPTION-IP>     Sets the DHCP option as an IP address
<DHCP-OPTION-ASCII>  Sets the DHCP option as an ASCII string

Usage Guidelines
Defines non-standard DHCP option codes (0-254).

NOTE: An option name in ASCII format accepts a backslash (\) as an input, but it is not displayed in the output (use show running-config to view the output). Use a double backslash to represent a single backslash.

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#option option1 172.16.10.10
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
 option option1 172.16.10.10
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#
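As an added example (not part of the guide or the WiNG product), the script below parses a static-binding block in the shape of the show context output used throughout this section and audits it against the rules the section states: the bootfile character rules, a client-name without a domain part, the allowed netbios-node-type values, the one-or-two-argument address keywords, the static-route arguments, and the default-router usage guideline that router and client share a subnet. It also covers the respond-via-unicast flag and static-route keyword documented later in this section. The sample block, the pool_network argument and the host-alias name pattern are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample in the shape of the "show context" output in this chapter,
# with an added ASCII option whose value carries an escaped backslash.
SAMPLE_CONTEXT = """\
static-binding client-identifier test
 ip-address 172.16.10.9
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 bootfile test.txt
 default-router 172.16.10.8 172.16.10.9
 dns-server 172.16.10.7
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
 option option1 172.16.10.10
 option option2 boot\\\\images
 respond-via-unicast
 static-route 10.0.0.0/10 157.235.208.235
"""

NODE_TYPES = {"b-node", "h-node", "m-node", "p-node"}
ONE_OR_TWO = {"default-router", "dns-server", "netbios-name-server"}  # primary {secondary}
ONE_ONLY = {"ip-address", "next-server"}
ALIAS_RE = re.compile(r"\$?[A-Za-z0-9_-]+")  # assumed shape of a host alias such as $HOST


def decode_ascii_option(value):
    """Per the option note: a double backslash typed at the CLI is one literal backslash."""
    return value.replace("\\\\", "\\")


def parse_static_binding(text):
    """Parse one static-binding block into a dict; options and routes collect into containers."""
    binding = {"options": {}, "static-routes": []}
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        key, args = parts[0], parts[1:]
        if key == "static-binding":          # static-binding client-identifier <id>
            binding["client-identifier"] = args[1] if len(args) > 1 else None
        elif key == "option":                # option <name> <ip|ascii>
            binding["options"][args[0]] = decode_ascii_option(" ".join(args[1:]))
        elif key == "static-route":          # static-route <IP/MASK> <GATEWAY-IP>
            binding["static-routes"].append(tuple(args))
        elif key == "respond-via-unicast":   # flag keyword, no arguments
            binding[key] = True
        else:                                # every other keyword: list of arguments
            binding[key] = args
    return binding


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def first(binding, key):
    return (binding.get(key) or [None])[0]


def validate_static_binding(binding, pool_network=None):
    """Return findings (empty when clean) for the rules this section states.

    pool_network is an assumed extra input (the enclosing pool's subnet) used for
    the default-router usage guideline: router and client should share a subnet.
    """
    findings = []
    name = first(binding, "bootfile")
    if name and (not re.fullmatch(r"[A-Za-z0-9.-]+", name) or ".." in name or "--" in name):
        findings.append(f"bootfile {name!r}: letters, digits, dots and hyphens only, none consecutive")
    cname = first(binding, "client-name")
    if cname and "." in cname:
        findings.append(f"client-name {cname!r}: must not include the domain name")
    domain = first(binding, "domain-name")
    if domain and not all(re.fullmatch(r"[A-Za-z0-9-]+", lbl) for lbl in domain.split(".")):
        findings.append(f"domain-name {domain!r}: labels may contain only letters, digits or hyphens")
    node = first(binding, "netbios-node-type")
    if node and node not in NODE_TYPES:
        findings.append(f"netbios-node-type {node!r}: expected one of {sorted(NODE_TYPES)}")
    for key in sorted(ONE_ONLY | ONE_OR_TWO):
        args = binding.get(key)
        if args is None:
            continue
        limit = 2 if key in ONE_OR_TWO else 1
        if not 1 <= len(args) <= limit:
            findings.append(f"{key}: expects 1 to {limit} address/host-alias arguments, got {len(args)}")
        for tok in args:
            if not is_ipv4(tok) and not ALIAS_RE.fullmatch(tok):
                findings.append(f"{key} {tok!r}: neither an IPv4 address nor a host alias name")
    for route in binding["static-routes"]:
        try:
            net, gw = route                      # wrong arity also raises ValueError
            ipaddress.IPv4Network(net, strict=False)
            ipaddress.IPv4Address(gw)
        except ValueError:
            findings.append(f"static-route {' '.join(route)}: expects <IP/MASK> <GATEWAY-IP>")
    if pool_network and binding.get("default-router"):
        subnet = ipaddress.IPv4Network(pool_network, strict=False)
        for tok in binding.get("ip-address", []) + binding["default-router"]:
            if is_ipv4(tok) and ipaddress.IPv4Address(tok) not in subnet:
                findings.append(f"{tok} lies outside {subnet}: router and client should share a subnet")
    return findings


if __name__ == "__main__":
    parsed = parse_static_binding(SAMPLE_CONTEXT)
    print(parsed, validate_static_binding(parsed, "172.16.10.0/24"))
```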
12.1.3.3.14 respond-via-unicast
static-binding-mode commands

Sends the DHCP offer and DHCP acknowledge as unicast messages

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
respond-via-unicast

Parameters
None

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#respond-via-unicast
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
 option option1 172.16.10.10
 respond-via-unicast
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static binding settings

12.1.3.3.15 static-route
static-binding-mode commands

Adds static routes to the static binding configuration

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
static-route <IP/MASK> <GATEWAY-IP>

Parameters
static-route <IP/MASK> <GATEWAY-IP>

<IP/MASK>     Sets the subnet for which the static route is configured
<GATEWAY-IP>  Specify the gateway's IP address

Example
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-1)#static-route 10.0.0.0/10 157.235.208.235
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#show context
static-binding client-identifier test
 client-name RFID
 domain-name documentation
 netbios-node-type b-node
 netbios-name-server 172.16.10.23
 next-server 172.16.10.24
 option option1 172.16.10.10
 respond-via-unicast
 static-route 10.0.0.0/10 157.235.208.235
rfs6000-37FABE(config-dhcp-policy-test-pool-pool1-binding-test)#

Related Commands
no  Resets values or disables DHCP pool static route settings

12.1.4 dhcp-server
dhcp-server-policy

Configures the activation-criteria (run-criteria) that triggers dynamic activation of the DHCP service running on a redundancy device.

In a managed wireless network, when the primary, active DHCP server fails (is unreachable), network clients are unable to access DHCP services, such as new IP address leasing and renewal of existing IP address leases. In such a scenario, the activation-criteria, when configured, triggers dynamic activation of the secondary DHCP server, allowing network clients to continue accessing DHCP services. The WiNG implementation provides activation-criteria options specific to an RF Domain, a cluster setup, and a Virtual Router Redundancy Protocol (VRRP) master/client setup.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcp-server activation-criteria [cluster-master|rf-domain-manager|vrrp-master]

Parameters
dhcp-server activation-criteria [cluster-master|rf-domain-manager|vrrp-master]

dhcp-server activation-criteria  Enables dynamic activation of the DHCP server, running on a redundancy device, based on the activation criteria specified
[cluster-master|rf-domain-manager|vrrp-master]  Configures the activation criteria. Specify one of the following options as the activation criteria:
  cluster-master     Configures the cluster-master criteria in a cluster setup. Within a cluster, DHCP service is enabled on the cluster master, while it remains disabled on the other cluster members. If the cluster master fails, the cluster-master activation criteria, when configured, triggers dynamic activation of DHCP service on the new cluster master.
  rf-domain-manager  Configures the rf-domain-manager criteria on an RF Domain. Within an RF Domain, DHCP service is enabled on the RF Domain manager, while it remains disabled on the other devices within the RF Domain. If the RF Domain manager fails, the rf-domain-manager activation criteria, when configured, triggers dynamic activation of DHCP service on the new RF Domain manager.
  vrrp-master        Configures the vrrp-master criteria within a VRRP master/client setup. In such a setup, DHCP service is enabled on the VRRP master, while it remains disabled on the other members. If the VRRP master fails, the vrrp-master activation criteria, when configured, triggers dynamic activation of DHCP service on the new VRRP master.

Example
rfs4000-229D58(config-dhcp-policy-test)#dhcp-server activation-criteria rf-domain-manager
rfs4000-229D58(config-dhcp-policy-test)#show context
dhcp-server-policy test
 dhcp-server activation-criteria rf-domain-manager
rfs4000-229D58(config-dhcp-policy-test)#

rfs4000-229D58(config-dhcp-policy-test)#no dhcp-server activation-criteria
rfs4000-229D58(config-dhcp-policy-test)#show context
dhcp-server-policy test
rfs4000-229D58(config-dhcp-policy-test)#

Related Commands
no  Removes the DHCP service activation criteria configured on this DHCP server policy

12.1.5 no
dhcp-server-policy

Negates a command or sets its default. When used in the DHCP server configuration context, the no command resets or reverts the DHCP server policy settings.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [bootp|dhcp-class|dhcp-pool|dhcp-server|option|ping]
no bootp ignore
no dhcp-class <DHCP-CLASS-NAME>
no dhcp-pool <DHCP-POOL-NAME>
no dhcp-server activation-criteria
no option <DHCP-OPTION>
no ping timeout

Parameters
no <PARAMETERS>

no <PARAMETERS>  Negates a command or sets its default. When used in the DHCP server configuration context, the no command resets or reverts the DHCP server policy settings.

Example
The following example shows the DHCP policy test settings before the no commands are executed:

rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
 bootp ignore
 dhcp-class dhcpclass1
 dhcp-pool pool1
  address 1.2.3.4 class dhcpclass1
  update dns override
--More--
rfs6000-37FABE(config-dhcp-policy-test)#

rfs6000-37FABE(config-dhcp-policy-test)#no bootp ignore
rfs6000-37FABE(config-dhcp-policy-test)#no dhcp-class dhcpclass1
rfs6000-37FABE(config-dhcp-policy-test)#no dhcp-pool pool1

The following example shows the DHCP policy test settings after the no commands are executed:

rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
rfs6000-37FABE(config-dhcp-policy-test)#

12.1.6 option
dhcp-server-policy

Configures raw DHCP options. The DHCP option has to be configured in the DHCP server policy. The options configured in the DHCP pool/DHCP server policy can also be used in static bindings.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
option <OPTION-NAME> <0-254> [ascii|hexstring|ip]

Parameters
option <OPTION-NAME> <0-254> [ascii|hexstring|ip]

<OPTION-NAME>  Configures the option name
<0-254>        Configures the DHCP option code from 0 - 254
ascii          Configures the DHCP option as an ASCII string
hexstring      Configures the DHCP option as a hexadecimal string
ip             Configures the DHCP option as an IP address

Usage Guidelines
Defines non-standard DHCP option codes (0-254).

NOTE: An option name in ASCII format accepts a backslash (\) as an input, but it is not displayed in the output (use show running-config to view the output). Use a double backslash to represent a single backslash.

Example
rfs6000-37FABE(config-dhcp-policy-test)#option option1 200 ascii
rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
 option option1 200 ascii
rfs6000-37FABE(config-dhcp-policy-test)#

Related Commands
no  Removes DHCP server options

12.1.7 ping
dhcp-server-policy

Configures the DHCP server's ping timeout interval. The controller uses the timeout to intermittently ping and discover whether a client-requested IP address is available or in use.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ping timeout <1-10>

Parameters
ping timeout <1-10>

timeout <1-10>  Sets the ping timeout from 1 - 10 seconds. The default is 1 second.

Example
rfs6000-37FABE(config-dhcp-policy-test)#ping timeout 2
rfs6000-37FABE(config-dhcp-policy-test)#show context
dhcp-server-policy test
 ping timeout 2
 option option1 200 ascii
rfs6000-37FABE(config-dhcp-policy-test)#

Related Commands
no  Resets the ping interval to 1 second

12.2 dhcpv6-server-policy
DHCP-SERVER-POLICY

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature manages non-duplicate addresses in the correct prefix based on the network where the host is connected. Assigned addresses can be from one or multiple pools. Additional options, such as the default domain and DNS name-server address, can be passed back to the client. Address pools can be assigned for use on a specific interface or on multiple interfaces, or the server can automatically find the appropriate pool.

The following table summarizes DHCPv6 server policy configuration commands:
Table 12.8 DHCPv6-Server-Policy-Config Commands
  Command                  Description                                                                                                   Reference
  dhcpv6-pool              Creates a DHCPv6 pool and enters its configuration mode                                                       page 12-62
  option                   Configures this DHCPv6 server policy's DHCP option settings, such as enterprise (vendor ID)                    page 12-73
  restrict-vendor-options  Restricts the use of vendor-specific DHCP options on this DHCPv6 server policy                                 page 12-75
  server-preference        Configures this DHCP server's preference value. This value is sent in DHCP server replies to the IPv6 client.  page 12-76
  no                       Negates or reverts this DHCPv6 server policy's settings                                                        page 12-77

12.2.1 dhcpv6-pool
dhcpv6-server-policy

The following table summarizes DHCPv6 pool configuration mode commands:

Table 12.9 DHCPv6-Pool-Config Commands
  Command                    Description                                               Reference
  dhcpv6-pool                Creates a DHCPv6 pool and enters its configuration mode   page 12-63
  dhcpv6-pool-mode commands  Summarizes DHCPv6 pool configuration mode commands        page 12-65

12.2.1.1 dhcpv6-pool
dhcpv6-pool

Configures a DHCPv6 server address pool and enters its configuration mode

A DHCPv6 IPv6 pool is a resource from which IPv6-formatted addresses can be issued on DHCPv6 client requests. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dhcpv6-pool <POOL-NAME>

Parameters
dhcpv6-pool <POOL-NAME>

<POOL-NAME>  Creates a DHCPv6 server address pool
  <POOL-NAME>  Specify a name that appropriately identifies this DHCPv6 address pool. If the pool does not exist, it is created. The pool name cannot be modified as part of the edit process. However, an obsolete address pool can be deleted.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#dhcpv6-pool DHCPv6Pool1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#?
DHCPv6 pool Mode commands:
  dns-server    DNS Servers
  domain-name   Configure domain-name
  network       Network on which DHCPv6 server will be deployed
  no            Negate a command or set its defaults
  option        Raw DHCPv6 options
  refresh-time  Upper limit specifying the timer for which client should wait before refreshing information
  sip           SIP server options

  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal

rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#

rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#

Related Commands
no  Removes the DHCPv6 pool identified by the <POOL-NAME> keyword

12.2.1.2 dhcpv6-pool-mode commands
dhcpv6-pool

Configures the DHCPv6 pool parameters

The following table summarizes DHCPv6 pool configuration commands:
Table 12.10 DHCPv6-Pool-Config-Mode Commands Command dns-server domain-name network option refresh-time sip no Description Configures this DHCPv6 pools DNS server Configures this DHCPv6 pools domain name Configures this DHCPv6 pools network Configures this DHCPv6 pools raw DHCPv6 options. This is the vendor-specific option used in this DHCPv6 pool. Configures this DHCPv6 pools refresh time in seconds Configures this DHCPv6 pools Session Initiation Protocol (SIP) server setting Negates or reverts this DHCPv6 pools settings Reference page 12-66 page 12-67 page 12-68 page 12-70 page 12-71 page 12-72 page 12-69 Access Point, Wireless Controller and Service Platform CLI Reference Guide 12 - 65 DHCP-SERVER-POLICY 12.2.1.2.1 dns-server dhcpv6-pool-mode commands Configures this DHCPv6 pools DNS server. The DNS server supports all clients connected to networks supported by the DHCPv6 server. Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dns-server <IPv6> {<SECONDARY-IPv6>}

Parameters
  dns-server <IPv6> {<SECONDARY-IPv6>}
  <IPv6>             Configures the primary DNS server's IPv6 address. Specify the DNS server's IPv6 address (the server associated with this DHCP pool).
  <SECONDARY-IPv6>   Configures the secondary DNS server's IPv6 address. Specify the secondary DNS server's IPv6 address (the server associated with this DHCP pool).

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
Related Commands
  no    Removes this DHCPv6 pool's configured DNS server settings

12.2.1.2.2 domain-name
dhcpv6-pool-mode commands
Configures this DHCPv6 pool's domain name.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  domain-name <DOMAIN-NAME>

Parameters
  domain-name <DOMAIN-NAME>
  <DOMAIN-NAME>   Specify the DHCP pool's hostname or hostnames of the domain or domains

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#domain-name TechPubs
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 domain-name TechPubs
 dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
Related Commands
  no    Removes this DHCPv6 pool's domain name

12.2.1.2.3 network
dhcpv6-pool-mode commands
Configures this DHCPv6 pool's network. Use this command to configure the address of the network on which this DHCP server is deployed.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  network [<IPv6/M>|<NETWORK-ALIAS-NAME>]

Parameters
  network [<IPv6/M>|<NETWORK-ALIAS-NAME>]
  <IPv6/M>               Specify this DHCPv6 pool network's IPv6 address and mask (for example, 1:2::1:0/96)
  <NETWORK-ALIAS-NAME>   Specify this DHCPv6 pool network's alias name

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#network 2002::0/64
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 network 2002::/64
 domain-name TechPubs
 dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
Related Commands
  no    Removes the network IPv6 address and mask configured for this DHCPv6 pool

12.2.1.2.4 no
dhcpv6-pool-mode commands
Negates a command or sets its default. When used in the DHCPv6 pool configuration context, the no command resets or reverts the DHCPv6 pool's settings.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [dns-server|domain-name|network|option|refresh-time|sip]

Parameters
  no <PARAMETERS>
  no <PARAMETERS>   Negates a command or sets its default. When used in the DHCPv6 pool configuration context, the no command resets or reverts the DHCPv6 pool's settings.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 network 2002::/64
 refresh-time 1000
 domain-name TechPubs
 sip domain-name TechPubsSIP
 dns-server 2002::1
 option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#no option DHCPv6Pool1Option
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#no refresh-time
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 network 2002::/64
 domain-name TechPubs
 sip domain-name TechPubsSIP
 dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
12.2.1.2.5 option
dhcpv6-pool-mode commands
Configures this DHCPv6 pool's raw DHCPv6 options. This is the vendor-specific option used in this DHCPv6 pool.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  option <OPTION-NAME> [<DHCPv6-OPTION-IP>|<DHCPv6-OPTION-ASCII>]

Parameters
  option <OPTION-NAME> [<DHCPv6-OPTION-IP>|<DHCPv6-OPTION-ASCII>]
  <OPTION-NAME>           Sets the name of the DHCPv6 option
  <DHCPv6-OPTION-IP>      Sets the DHCPv6 option as an IPv6 address
  <DHCPv6-OPTION-ASCII>   Sets the DHCPv6 option as an ASCII string
                          NOTE: An option value in ASCII format accepts a backslash (\) as input, but the backslash is not displayed in the output (use show running config to view the output). Use a double backslash to represent a single backslash.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 network 2002::/64
 domain-name TechPubs
 dns-server 2002::1
 option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
Related Commands
  no    Removes this DHCPv6 pool's DHCP option settings

12.2.1.2.6 refresh-time
dhcpv6-pool-mode commands
Configures this DHCPv6 pool's refresh time in seconds. This is the interval between two successive DHCP pool refreshes. The DHCP refresh process refreshes IPv6 client information.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  refresh-time <600-4294967295>

Parameters
  refresh-time <600-4294967295>
  refresh-time <600-4294967295>   Specify this DHCPv6 pool's refresh time from 600 - 4294967295 seconds.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#refresh-time 1000
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 network 2002::/64
 refresh-time 1000
 domain-name TechPubs
 dns-server 2002::1
 option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
Related Commands
  no    Removes or reverts the configured DHCPv6 pool's refresh time

12.2.1.2.7 sip
dhcpv6-pool-mode commands
Configures this DHCPv6 pool's Session Initiation Protocol (SIP) server setting. Configures the domain name or domain names associated with the SIP servers. The SIP server is used to prioritize voice and video traffic on the network.
SIP is an application-layer control protocol that can establish, modify and terminate multimedia sessions or calls. A SIP system has several components (user agents, proxy servers, redirect servers, and registrars). User agents can contain SIP clients; proxy servers always contain SIP clients.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  sip [address <IPv6>|domain-name <DOMAIN-NAME>]

Parameters
  sip [address <IPv6>|domain-name <DOMAIN-NAME>]
  sip [address <IPv6>|domain-name <DOMAIN-NAME>]   Configures the SIP server's setting, such as address and/or domain name

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#sip domain-name TechPubsSIP
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#show context
dhcpv6-pool DHCPv6Pool1
 network 2002::/64
 refresh-time 1000
 domain-name TechPubs
 sip domain-name TechPubsSIP
 dns-server 2002::1
 option DHCPv6Pool1Option 60
rfs6000-37FABE(config-dhcpv6-server-policy-test-pool-DHCPv6Pool1)#
Related Commands
  no    Removes this DHCPv6 pool's SIP server setting

12.2.2 option
dhcpv6-server-policy
Configures this DHCPv6 server policy's DHCP option settings, such as the enterprise (vendor) ID.
DHCPv6 services are available for specific IP interfaces. A pool (or range) of IPv6 network addresses and DHCPv6 options can be created for each IPv6 interface defined. This range of addresses can be made available to DHCPv6 enabled devices on either a permanent or leased basis.
DHCPv6 options are provided to each client with a DHCPv6 response and give DHCPv6 clients the information required to access network resources (default gateway, domain name, DNS server and WINS server configuration). An option exists to identify the vendor and functionality of a DHCPv6 client. The information is a variable-length string of characters (or octets) with a meaning specified by the vendor of the DHCPv6 client.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  option <OPTION-NAME> <0-254> [ascii|hexstring|ipv6] <1-4294967295>

Parameters
  option <OPTION-NAME> <0-254> [ascii|hexstring|ipv6] <1-4294967295>
  option <OPTION-NAME>   Specify a unique name for this DHCP option. The name should describe the option's function.
  <0-254>                Specify a DHCP option code for this option. Specify a value from 0 - 254. The system allows only one code, of the same value, for each DHCP option used in each DHCPv6 server policy.
  ascii                  Specifies the option type as ASCII (sends an ASCII compliant string to the client)
  hexstring              Specifies the option type as a string of hexadecimal characters (sends a hexadecimal string to the client)
  ipv6                   Specifies the option type as IPv6 address (sends an IPv6 compatible address to the client)
  <1-4294967295>         This parameter is common to all option types. Specifies the enterprise (vendor) ID. Specify a value from 1 - 4294967295. The option code (1) is reserved for subnet-mask and cannot be used. Each vendor should have a unique vendor ID used by the DHCP server to issue vendor-specific DHCP options.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#option DHCPServerOption1 10 ascii 50
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#
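As an added example (not code from the guide or from WiNG), the following Python maps the three option types above, the sub-option code and the enterprise ID onto a DHCPv6 Vendor-specific Information Option as RFC 8415 defines it (option code 17 carrying the enterprise number and sub-options), and parses it back with length checks. That the device emits its configured options in exactly this form is an assumption, as are the sample values; the double-backslash rule for ASCII values is the one given in the pool-level option command above.

```python
"""Encode and decode a DHCPv6 Vendor-specific Information Option (RFC 8415 option 17).

Added example, not WiNG code.  It maps the CLI arguments
``option <OPTION-NAME> <0-254> [ascii|hexstring|ipv6] <1-4294967295>``
(sub-option code, data type, enterprise ID) onto RFC 8415's wire format.
That the device emits its configured options in exactly this form is an
assumption; the encoder is here to show what those three types become as bytes.
"""
import ipaddress
import struct

OPTION_VENDOR_OPTS = 17  # RFC 8415 option code for vendor-specific information


def unescape_cli_ascii(text: str) -> str:
    """Apply the guide's rule for ASCII values: a double backslash means one backslash."""
    return text.replace("\\\\", "\\")


def encode_opt_data(opt_type: str, value: str) -> bytes:
    """Turn a CLI value into sub-option data for the given type (ascii|hexstring|ipv6)."""
    if opt_type == "ascii":
        data = unescape_cli_ascii(value).encode("ascii")   # non-ASCII input raises
    elif opt_type == "hexstring":
        data = bytes.fromhex(value)                         # odd length / non-hex raises
    elif opt_type == "ipv6":
        data = ipaddress.IPv6Address(value).packed          # always 16 bytes
    else:
        raise ValueError(f"unknown option type {opt_type!r}")
    if len(data) > 0xFFFF:
        raise ValueError("sub-option data exceeds the 16-bit length field")
    return data


def encode_vendor_option(enterprise_id: int, sub_options) -> bytes:
    """Build option 17: code(2) len(2) enterprise-number(4) then (code(2) len(2) data)* sub-options.

    sub_options is an iterable of (code, type, value) triples, mirroring the CLI's
    <0-254>, [ascii|hexstring|ipv6] and the value later assigned at pool level.
    """
    if not 1 <= enterprise_id <= 4294967295:
        raise ValueError("enterprise ID must be 1-4294967295")   # range from the guide
    body = struct.pack("!I", enterprise_id)
    for code, opt_type, value in sub_options:
        if not 0 <= code <= 254:
            raise ValueError("sub-option code must be 0-254")    # range from the guide
        data = encode_opt_data(opt_type, value)
        body += struct.pack("!HH", code, len(data)) + data
    if len(body) > 0xFFFF:
        raise ValueError("option body exceeds the 16-bit length field")
    return struct.pack("!HH", OPTION_VENDOR_OPTS, len(body)) + body


def decode_vendor_option(blob: bytes):
    """Parse option 17 into (enterprise_id, [(code, data), ...]), rejecting bad lengths."""
    if len(blob) < 8:
        raise ValueError("too short for option header plus enterprise number")
    code, length = struct.unpack("!HH", blob[:4])
    if code != OPTION_VENDOR_OPTS:
        raise ValueError(f"not a vendor-specific option (code {code})")
    if length != len(blob) - 4:
        raise ValueError("option length does not match payload size")
    enterprise_id = struct.unpack("!I", blob[4:8])[0]
    subs, pos = [], 8
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated sub-option header")
        sub_code, sub_len = struct.unpack("!HH", blob[pos:pos + 4])
        pos += 4
        if pos + sub_len > len(blob):
            # The length-field overrun that a careless parser would read past.
            raise ValueError("sub-option length runs past the end of the option")
        subs.append((sub_code, blob[pos:pos + sub_len]))
        pos += sub_len
    return enterprise_id, subs


if __name__ == "__main__":
    # Constructed sample: the guide's option code 10, type ascii, enterprise ID 50,
    # with a made-up value "60" such as a pool would assign.
    wire = encode_vendor_option(50, [(10, "ascii", "60")])
    print(wire.hex())
    print(decode_vendor_option(wire))
```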
Related Commands
  no    Removes the DHCPv6 server option settings configured for this DHCPv6 server policy

12.2.3 restrict-vendor-options
dhcpv6-server-policy
Restricts the use of vendor-specific DHCP options on this DHCPv6 server policy. When restricted, vendor-specific DHCP options, configured on this DHCPv6 server policy, are not included in the DHCPv6 server replies to IPv6 clients.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  restrict-vendor-options

Parameters
  None

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
 restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#
Related Commands
  no    Removes the restriction on sending vendor-specific options in DHCPv6 server replies to IPv6 clients

12.2.4 server-preference
dhcpv6-server-policy
Configures this DHCPv6 server's preference value. When configured, the server preference value is included in the DHCPv6 server's replies to IPv6 clients.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  server-preference <0-255>

Parameters
  server-preference <0-255>
  server-preference   Configures this DHCP server's preference value
  <0-255>             Specify a value from 0 - 255.

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#server-preference 1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
 server-preference 1
 restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#
Related Commands
  no    Removes this DHCPv6 server's preference value

12.2.5 no
dhcpv6-server-policy
Negates or reverts this DHCPv6 server policy's settings.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [dhcpv6-pool|option|restrict-vendor-options|server-preference]

Parameters
  no <PARAMETERS>
  no <PARAMETERS>   Negates or reverts this DHCPv6 server policy's settings

Example
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
 server-preference 1
 restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#
rfs6000-37FABE(config-dhcpv6-server-policy-test)#no restrict-vendor-options
rfs6000-37FABE(config-dhcpv6-server-policy-test)#no server-preference
rfs6000-37FABE(config-dhcpv6-server-policy-test)#show context
dhcpv6-server-policy test
 option DHCPServerOption1 10 ascii 50
 dhcpv6-pool DHCPv6Pool1
  network 2002::/64
  domain-name TechPubs
  sip domain-name TechPubsSIP
  dns-server 2002::1
rfs6000-37FABE(config-dhcpv6-server-policy-test)#
13 FIREWALL-POLICY
This chapter summarizes the firewall policy commands in the CLI command structure.
A firewall protects a network from attacks and unauthorized access from outside the network. Simultaneously, it allows authorized users to access required resources. Firewalls work on multiple levels. Some work at layers 1, 2 and 3 to inspect each packet. The packet is either passed, dropped or rejected based on rules configured on the firewall. Firewalls use application layer filtering to enforce compliance. These firewalls can understand applications and protocols and can detect if an unauthorized protocol is being used, or an authorized protocol is being abused in any malicious way. The third set of firewalls, stateful firewalls, consider the placement of each packet within the series of packets being transmitted. If a packet does not fit into the sequence, it is automatically identified and dropped.
Use the (config) instance to configure firewall policy commands. To navigate to the config-fw-policy instance, use the following commands:
<DEVICE>(config)#firewall-policy <POLICY-NAME>
rfs6000-37FABE(config)#firewall-policy test
rfs6000-37FABE(config-fw-policy-test)#?
Firewall policy Mode commands:
  acl-logging                     Log on flow creating traffic
  alg                             Enable ALG
  clamp                           Clamp value
  dhcp-offer-convert              Enable conversion of broadcast dhcp offers to unicast
  dns-snoop                       DNS Snooping
  firewall                        Wireless firewall
  flow                            Firewall flow
  ip                              Internet Protocol (IP)
  ip-mac                          Action based on ip-mac table
  ipv6                            Internet Protocol version 6 (IPv6)
  ipv6-mac                        Action based on ipv6-mac table
  logging                         Firewall enhanced logging
  no                              Negate a command or set its defaults
  proxy-arp                       Enable generation of ARP responses on behalf of another device
  proxy-nd                        Enable generation of ND responses (for IPv6) on behalf of another device
  stateful-packet-inspection-l2   Enable stateful packet inspection in layer2 firewall
  storm-control                   Storm-control
  virtual-defragmentation         Enable virtual defragmentation for IPv4 packets (recommended for proper functioning of firewall)

  clrscr                          Clears the display screen
  commit                          Commit all changes made in this session
  do                              Run commands from Exec mode
  end                             End current mode and change to EXEC mode
  exit                            End current mode and down to previous mode
  help                            Description of the interactive help system
  revert                          Revert changes
  service                         Service Commands
  show                            Show running system information
  write                           Write running configuration to memory or terminal
rfs6000-37FABE(config-fw-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

13.1 firewall-policy
FIREWALL-POLICY
The following table summarizes default firewall policy configuration commands:
Table 13.1 Firewall-Policy-Config Commands
  Command                         Description                                                                        Reference
  acl-logging                     Enables logging on flow creating traffic                                           page 13-4
  alg                             Enables an algorithm                                                               page 13-5
  clamp                           Sets a clamp value to limit TCP MSS to inner path-MTU for tunnelled packets        page 13-7
  dhcp-offer-convert              Enables the conversion of broadcast DHCP offers to unicast                         page 13-8
  dns-snoop                       Sets the timeout value for DNS entries                                             page 13-9
  firewall                        Configures the wireless firewall                                                   page 13-10
  flow                            Defines a session flow timeout                                                     page 13-11
  ip                              Configures Internet Protocol (IP) components on this firewall policy               page 13-13
  ip-mac                          Defines an action based on IP-MAC table                                            page 13-20
  ipv6                            Configures IPv6 components on this firewall policy                                 page 13-22
  ipv6-mac                        Defines an action based on IPv6-MAC table                                          page 13-26
  logging                         Enables enhanced firewall logging                                                  page 13-28
  no                              Negates a command or reverts settings to their default                             page 13-30
  proxy-arp                       Enables the generation of ARP responses on behalf of another device                page 13-32
  proxy-nd                        Enables the generation of ND responses (for IPv6) on behalf of another device      page 13-33
  stateful-packet-inspection-l2   Enables stateful packet inspection in the layer 2 firewall                         page 13-34
  storm-control                   Defines storm control and logging settings                                         page 13-35
  virtual-defragmentation         Enables virtual defragmentation of IPv4 packets                                    page 13-37

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

13.1.1 acl-logging
firewall-policy
Enables logging on flow creating traffic. This option is enabled by default.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  acl-logging

Parameters
  None

Example
rfs4000-229D58(config-fw-policy-test)#acl-logging
rfs4000-229D58(config-fw-policy-test)#no acl-logging
rfs4000-229D58(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 no acl-logging
rfs4000-229D58(config-fw-policy-test)#

Related Commands
  no    Disables logging on flow creating traffic

13.1.2 alg
firewall-policy
Enables traffic filtering at the application layer using the Application Layer Gateway (ALG) feature.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  alg [dns|facetime|ftp|pptp|sccp|sip|tftp]

Parameters
  alg [dns|facetime|ftp|pptp|sccp|sip|tftp]
  alg        Enables traffic filtering at the application layer. The ALG provides filters for the following common protocols: DNS, FaceTime, FTP, PPTP, SCCP, SIP, and TFTP.
  dns        Allows Domain Name System (DNS) traffic through the firewall using its default ports. This option is enabled by default. When enabled, you can easily permit or deny traffic based on a packet's DNS name, instead of the IP address. Use this option when configuring ACLs allowing or denying traffic for Web sites that have a single domain name resolving to any one of multiple IP addresses.
  facetime   Allows Apple's FaceTime video calling traffic through the firewall using its default ports. This option is disabled by default.
  ftp        Allows File Transfer Protocol (FTP) traffic through the firewall using its default ports. This option is enabled by default.
  pptp       Allows Point-to-Point Tunneling Protocol (PPTP) traffic through the firewall using its default ports. PPTP, a network protocol, enables secure transfer of data from a remote client to an enterprise server by encapsulating PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. This option is enabled by default.
  sccp       Allows Signalling Connection Control Part (SCCP) traffic through the firewall using its default ports. This option is disabled by default. SCCP is a network protocol that provides routing, flow control and error correction in telecommunication networks.
  sip        Allows Session Initiation Protocol (SIP) traffic through the firewall using its default ports. This option is enabled by default.
  tftp       Enables the Trivial File Transfer Protocol (TFTP) algorithm. When enabled, allows TFTP traffic through the firewall using its default ports. This option is enabled by default.

Example
nx4500-5CFA2B(config-fw-policy-test)#alg facetime
nx4500-5CFA2B(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 alg facetime
nx4500-5CFA2B(config-fw-policy-test)#
Related Commands
  no    Removes or reverts ALG related settings

13.1.3 clamp
firewall-policy
This option limits the TCP Maximum Segment Size (MSS) to the size of the Maximum Transmission Unit (MTU) discovered by path MTU discovery for the inner protocol. This ensures the packet traverses the inner protocol without fragmentation. This option is enabled by default.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  clamp tcp-mss

Parameters
  clamp tcp-mss
  tcp-mss   Limits the TCP MSS size to the MTU value of the inner protocol for tunneled packets

Example
rfs6000-37FABE(config-fw-policy-test)#clamp tcp-mss

Related Commands
  no    Disables limiting of the TCP MSS

13.1.4 dhcp-offer-convert
firewall-policy
Enables the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast traffic can help reduce network traffic loads. This option is disabled by default.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dhcp-offer-convert

Parameters
  None

Example
rfs6000-37FABE(config-fw-policy-test)#dhcp-offer-convert
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 dhcp-offer-convert
rfs6000-37FABE(config-fw-policy-test)#
Related Commands
  no    Disables the conversion of broadcast DHCP offers to unicast

13.1.5 dns-snoop
firewall-policy
Sets the timeout interval for DNS snoop table entries. DNS snoop entries provide information, such as client to IP address and client to default gateway(s) mappings. This information is used to detect if the client is sending routed packets to a wrong MAC address.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  dns-snoop entry-timeout <30-86400>

Parameters
  dns-snoop entry-timeout <30-86400>
  entry-timeout <30-86400>   Sets the DNS snoop table entry timeout interval from 30 - 86400 seconds. An entry is retained in the DNS snoop table only for the specified time, and is deleted once this time is exceeded. The default is 1,800 seconds.

Example
rfs6000-37FABE(config-fw-policy-test)#dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
Related Commands
  no    Removes the DNS snoop table entry timeout interval

13.1.6 firewall
firewall-policy
Enables a device's firewall.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  firewall enable

Parameters
  firewall enable
  firewall enable   Enables wireless firewalls

Example
rfs6000-37FABE(config-fw-policy-default)#firewall enable
rfs6000-37FABE(config-fw-policy-default)#

Related Commands
  no    Disables a device's firewall

13.1.7 flow
firewall-policy
Defines the session flow timeout interval for different packet types.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  flow [dhcp|timeout]
  flow dhcp stateful
  flow timeout [icmp|other|tcp|udp]
  flow timeout [icmp|other] <1-32400>
  flow timeout udp <15-32400>
  flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>
  flow timeout tcp established <15-32400>

Parameters
  flow dhcp stateful
  dhcp                     Configures DHCP packet flow
  stateful                 Performs a stateful check on DHCP packets. This feature is enabled by default.

  flow timeout [icmp|other] <1-32400>
  timeout                  Configures a packet timeout
  icmp                     Configures the timeout for ICMP packets. The default is 30 seconds.
  other                    Configures the timeout for packets other than ICMP, TCP, or UDP. The default is 30 seconds.
  <1-32400>                Configures the timeout from 1 - 32400 seconds

  flow timeout udp <15-32400>
  timeout                  Configures a packet timeout
  udp                      Configures the timeout for UDP packets. The default is 30 seconds.
  <15-32400>               Configures the timeout from 15 - 32400 seconds

  flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>
  timeout                  Configures a packet timeout
  tcp                      Configures the timeout for TCP packets
  close-wait               Configures the closed TCP flow timeout. The default is 10 seconds.
  reset                    Configures the reset TCP flow timeout. The default is 10 seconds.
  setup                    Configures the opening TCP flow timeout. The default is 10 seconds.
  stateless-fin-or-reset   Configures the stateless TCP flow timeout created with the FIN or RESET packets. The default is 10 seconds.
  stateless-general        Configures the stateless TCP flow timeout. The default is 90 seconds (1 m 30 s).
  <1-32400>                Configures the timeout from 1 - 32400 seconds

  flow timeout tcp established <15-32400>
  timeout                  Configures the packet timeout
  tcp                      Configures the timeout for TCP packets
  established              Configures the established TCP flow timeout. The default is 5400 seconds.
  <15-32400>               Configures the timeout from 15 - 32400 seconds

Example
rfs6000-37FABE(config-fw-policy-test)#flow timeout udp 10000
rfs6000-37FABE(config-fw-policy-test)#flow timeout icmp 16000
rfs6000-37FABE(config-fw-policy-test)#flow timeout other 16000
rfs6000-37FABE(config-fw-policy-test)#flow timeout tcp established 1500
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
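The timeout ranges and defaults above, together with the "no acl-logging" and "no ip dos ..." lines that appear in the show context output of this chapter, lend themselves to an offline configuration review. The Python below is an added example, not part of the guide or of WiNG: it lints show context text in the format printed above against the documented ranges (flow timeout, dns-snoop entry-timeout) and flags statements that switch a protection off; the sample input is constructed and includes one deliberately out-of-range value.

```python
"""Lint a WiNG ``show context`` firewall-policy block against the ranges in this chapter.

Added example, not part of the guide or of WiNG.  It reads the indented text the
``show context`` examples above print, checks ``flow timeout`` and ``dns-snoop
entry-timeout`` values against the documented ranges, and flags lines that switch
a protection off (``no acl-logging``, ``no ip dos <check>``).  The sample below is
constructed and includes one deliberately out-of-range value.
"""
import re

# (min, max) seconds per ``flow timeout`` form, from section 13.1.7.
FLOW_TIMEOUT_RANGES = {
    "icmp": (1, 32400),
    "other": (1, 32400),
    "udp": (15, 32400),
    "tcp close-wait": (1, 32400),
    "tcp reset": (1, 32400),
    "tcp setup": (1, 32400),
    "tcp stateless-fin-or-reset": (1, 32400),
    "tcp stateless-general": (1, 32400),
    "tcp established": (15, 32400),
}
DNS_SNOOP_RANGE = (30, 86400)  # section 13.1.5

FLOW_RE = re.compile(r"^flow timeout (tcp \S+|icmp|other|udp) (\d+)$")
DNS_RE = re.compile(r"^dns-snoop entry-timeout (\d+)$")
NO_DOS_RE = re.compile(r"^no ip dos (\S+)$")

# Statements this chapter documents as plain enables; nothing to range-check on them.
KNOWN_ENABLES = {"acl-logging", "dhcp-offer-convert", "clamp tcp-mss", "firewall enable"}

# Constructed sample in the format of the show context output above.
SAMPLE_CONTEXT = """\
firewall-policy test
 no ip dos tcp-sequence-past-window
 flow timeout icmp 16000
 flow timeout udp 10
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
 no acl-logging
"""


def lint_firewall_policy(text: str):
    """Return (severity, line, message) findings for one firewall-policy block."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("firewall-policy "):
            continue
        if line == "no acl-logging":
            findings.append(("warn", line, "flow-creation logging disabled (default is enabled)"))
            continue
        m = NO_DOS_RE.match(line)
        if m:
            findings.append(("warn", line, f"DoS check '{m.group(1)}' disabled"))
            continue
        m = FLOW_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key not in FLOW_TIMEOUT_RANGES:
                findings.append(("info", line, f"flow timeout '{key}' not covered by this linter"))
            else:
                lo, hi = FLOW_TIMEOUT_RANGES[key]
                if not lo <= value <= hi:
                    findings.append(("error", line, f"{key} timeout {value}s outside {lo}-{hi}"))
            continue
        m = DNS_RE.match(line)
        if m:
            value, (lo, hi) = int(m.group(1)), DNS_SNOOP_RANGE
            if not lo <= value <= hi:
                findings.append(("error", line, f"dns-snoop timeout {value}s outside {lo}-{hi}"))
            continue
        if line in KNOWN_ENABLES or line.startswith("alg "):
            continue
        findings.append(("info", line, "statement not covered by this linter"))
    return findings


def worst_severity(findings) -> str:
    """Collapse findings to one verdict: error > warn > info > ok."""
    order = {"error": 3, "warn": 2, "info": 1}
    return max((f[0] for f in findings), key=order.get, default="ok")


if __name__ == "__main__":
    for sev, line, msg in lint_firewall_policy(SAMPLE_CONTEXT):
        print(f"{sev:5} {line!r}: {msg}")
    print("verdict:", worst_severity(lint_firewall_policy(SAMPLE_CONTEXT)))
```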
Related Commands
  no    Removes session timeout intervals configured for different packet types

13.1.8 ip
firewall-policy
Configures Internet Protocol (IP) components.
Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ip [dos|tcp]
  ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-max-incomplete|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
  ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]
  ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]
  ip dos tcp-max-incomplete [high|low] <1-1000>
  ip tcp [adjust-mss|optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
  ip tcp adjust-mss <472-1460>
  ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]

Parameters
ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

dos
    Identifies IP events as DoS events
ascend
    Optional. Detects Ascend DoS attacks. Ascend DoS attacks target known vulnerabilities in various versions of Ascend routers. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator; sending a specially formatted packet to this port can cause an Ascend router to crash.
broadcast-multicast-icmp
    Optional. Detects broadcast or multicast ICMP DoS attacks. These attacks take advantage of how hosts respond to ICMP echo requests: the attacker spoofs the source address of the target and sends echo requests to a broadcast or multicast address, so the whole network floods the target with replies.
chargen
    Optional. Detects chargen attacks. The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks; it is also used as a source of generic payload for bandwidth and QoS measurements. The chargen attack opens a connection to the chargen service on port 19 and directs the resulting stream of characters at the DNS service on port 53 to disrupt DNS.
fraggle
    Optional. Detects Fraggle DoS attacks. A Fraggle attack sends spoofed UDP packets to the echo port (port 7) of each address in a list of broadcast addresses. Every host with port 7 open replies, generating a large volume of traffic; hosts without port 7 open send ICMP unreachable messages back to the spoofed originator, clogging the network with still more traffic.
ftp-bounce
    Optional. Detects FTP bounce attacks. An FTP bounce attack lets an attacker open a connection to a port on a different machine by way of an FTP server. FTP requires that, when a client connects on the control port (21), a second connection is opened between server and client for data; with the PORT command the client names an arbitrary destination host and port for that data connection. An attacker exploits this to reach a device that is not the originating client.
invalid-protocol
    Optional. Enables a check for an invalid protocol number. Attackers may exploit vulnerabilities in an endpoint implementation by sending invalid protocol fields, or may abuse the way endpoint software misinterprets them. This can lead to inadvertent leakage of sensitive network topology information, call hijacking, or a DoS attack.
ip-ttl-zero
    Optional. Enables a check for IP packets whose Time To Live (TTL) field is zero (0). The IP TTL zero DoS attack sends spoofed multicast packets with a TTL of 0 onto the network, causing packets to loop back to the spoofed originating machine and potentially overloading the network.
ipspoof
    Optional. Enables a check for IP spoofing DoS attacks. IP spoofing is a category of DoS attack that sends IP packets with forged source addresses, which can hide the identity of the attacker.
land
    Optional. Detects LAND DoS attacks. A Local Area Network Denial (LAND) attack sends spoofed IP packets in which the source and destination IP are both the target device's IP and the source and destination ports are the same open port on that device. This causes the attacked device to reply to itself continuously.
option-route
    Optional. Enables an IP Option Record Route DoS check
router-advt
    Optional. Detects router advertisement attacks. This attack uses ICMP to redirect the network's router function to some other host. If that host cannot provide router services, a DoS of network communications occurs as routing stops. The attack can also be aimed at a single system, so that only that system sees the false router. By providing router services from a compromised host, the attacker can also take a man-in-the-middle position and take control of any open channel at will; this is often combined with TCP packet forgery and spoofing to intercept and alter open Telnet sessions.
router-solicit
    Optional. Detects router solicitation attacks. The ICMP router solicitation scan is used to actively find routers on a network. An attacker could set up a protocol analyzer to detect routers as they broadcast routing information, but routers do not always send updates; for example, if the local network has no other routers, a router may be configured not to send routing information onto it. ICMP offers a method for router discovery (RFC 1256): clients send ICMP router solicitation multicasts and routers must respond. By sending ICMP router solicitations (ICMP type 10) onto the network and listening for router advertisements (ICMP type 9), an attacker can build a list of all routers on a segment. This scan is often used to locate routers that do not reply to ICMP echo requests.
smurf
    Optional. Detects Smurf attacks. In this attack, a large number of ICMP echo packets are sent with a spoofed source address, so the device owning that address is flooded with replies.
snork
    Optional. Detects Snork attacks. This attack causes a remote Windows NT system to consume 100% of its CPU resources. It uses a UDP packet with a destination port of 135 and a source port of 7, 9, or 135, and can also be exploited as a bandwidth consuming attack.
tcp-bad-sequence
    Optional. Detects a DoS attack that uses a specially crafted TCP packet to make the targeted device drop all subsequent network traffic for a specific TCP connection
tcp-fin-scan
    Optional. Detects TCP FIN scan attacks. Attackers use the TCP FIN scan to identify listening TCP ports from how the target reacts to a close request for a port, even though no connection exists before the close request is made. This scan can get through basic firewalls and boundary routers that filter incoming TCP packets by looking for the FIN and ACK flag combination, because the scan packets carry only the FIN flag. If the target's TCP port is closed, the target replies with a TCP RST; if the port is open, the target discards the FIN and sends no reply.
tcp-intercept
    Optional. Prevents TCP intercept (SYN flooding) attacks by using TCP SYN cookies. A SYN flooding attack occurs when an attacker floods a server with connection requests whose return addresses are unreachable, so the connections can never be established. The resulting volume of unresolved half-open connections eventually overwhelms the server and prevents legitimate users from connecting to a web site, accessing e-mail, using FTP, and so on. The TCP intercept feature prevents SYN flooding by intercepting and validating TCP connection requests. In intercept mode the software intercepts TCP SYN packets from clients to matching servers, establishes the connection with the client on behalf of the server and, if that succeeds, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently. Connection attempts from unreachable hosts therefore never reach the server. The software continues to intercept and forward packets for the duration of the connection. The number of SYNs per second and the number of concurrent connections that can be proxied depends on the platform, memory, processor and other factors. For illegitimate requests, aggressive timeouts on half-open connections and thresholds on connection requests protect destination servers while still allowing valid requests. A policy can intercept all requests or only those from specific networks or destined for specific servers, and the connection rate and threshold of outstanding connections can be configured. TCP intercept can optionally run in watch mode instead of intercept mode: the software passively watches connection requests flowing through the device and, if a connection is not established within a configurable interval, intervenes and terminates the attempt.
tcp-null-scan
    Optional. Detects TCP NULL scan attacks. Attackers use the TCP NULL scan to identify listening TCP ports. The scan uses strangely formed TCP packets with a sequence number of 0 and no flags set; again, this can get through some firewalls and boundary routers that filter incoming TCP packets with standard flag settings. If the target's TCP port is closed, the target replies with a TCP RST; if the port is open, the target discards the packet and sends no reply.
tcp-post-syn
    Optional. Detects TCP post-SYN DoS attacks. A remote attacker may try to avoid detection by sending a second SYN with a different sequence number than the original SYN. This can desynchronize an Intrusion Detection System (IDS) from the data in the connection, so that subsequent frames in the connection are ignored by the IDS.
tcp-sequence-past-window
    Optional. Enables the TCP sequence-past-window DoS check. Disable this check to work around a bug in Windows XP's TCP stack, which sends data past the window when performing a selective ACK.
tcp-xmas-scan
    Optional. Detects TCP XMAS scans. A TCP XMAS scan finds services on ports: a closed port returns a RST, which lets the attacker identify the open ports.
tcphdrfrag
    Optional. Detects a DoS attack in which the TCP header spans IP fragments
twinge
    Optional. Detects Twinge attacks. A Twinge attack is a flood of false ICMP packets intended to slow down a system.
udp-short-hdr
    Optional. Enables the identification of truncated UDP headers and invalid UDP header length fields
winnuke
    Optional. Detects WinNuke attacks. This DoS attack is specific to Windows 95 and Windows NT. The WinNuke attack sends a large amount of data to UDP port 137 to crash the NetBIOS service on Windows, resulting in high CPU utilization on the target machine.
log-and-drop
    Logs the event and drops the packet
log-only
    Logs the event only; the packet is not dropped
log-level
    Configures the log level
<0-7>
    Sets the numeric logging level
emergencies
    Numerical severity 0. System is unusable
alerts
    Numerical severity 1. Indicates a condition where immediate action is required
critical
    Numerical severity 2. Indicates a critical condition
errors
    Numerical severity 3. Indicates an error condition
warnings
    Numerical severity 4. Indicates a warning condition
notifications
    Numerical severity 5. Indicates a normal but significant condition
informational
    Numerical severity 6. Indicates an informational condition
debugging
    Numerical severity 7. Debugging messages

ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke} [drop-only]

dos
    Identifies IP events as DoS events
ascend
    Optional. Enables an Ascend DoS check. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator; a specially formatted packet to this port can crash the router.
broadcast-multicast-icmp
    Optional. Detects broadcast or multicast ICMP packets as an attack
chargen
    Optional. Detects chargen attacks. The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks, and as a source of generic payload for bandwidth and QoS measurements.
fraggle
    Optional. Detects Fraggle DoS attacks; checks for UDP packets to or from port 7 or 19
ftp-bounce
    Optional. Detects FTP bounce attacks, in which an attacker uses the FTP PORT command to open a connection to a port on a machine other than the originating client (see above)
invalid-protocol
    Optional. Enables a check for an invalid protocol number
ip-ttl-zero
    Optional. Enables a check for IP packets whose TTL field is zero (0)
ipspoof
    Optional. Enables a check for IP spoofing DoS attacks
land
    Optional. Detects LAND DoS attacks, in which the source and destination IP of a spoofed packet are both the target's IP and the source and destination ports are the same open port, causing the target to reply to itself continuously
option-route
    Optional. Enables an IP Option Record Route DoS check
router-advt
    Optional. Detects router advertisement attacks, in which a default route entry is added remotely to a device. The injected route is given preference and thereby exposes an attack vector.
router-solicit
    Optional. Detects router solicitation scans. Router solicitation messages are sent to locate routers as a form of network scanning; the information gathered can then be used to attack a device.
smurf
    Optional. Detects Smurf attacks: a large number of ICMP echo packets sent with a spoofed source address, flooding the spoofed device with replies
snork
    Optional. Detects Snork attacks: UDP packets with a destination port of 135 and a source port of 7, 9, or 135, which cause a remote Windows NT system to consume 100% of its CPU and can also be used to consume bandwidth
tcp-bad-sequence
    Optional. Detects a specially crafted TCP packet that makes the target drop all subsequent traffic for a specific TCP connection
tcp-fin-scan
    Optional. Detects TCP FIN scans. A closed port returns a RST, which lets the attacker identify open ports.
tcp-intercept
    Optional. Prevents TCP intercept (SYN flooding) attacks by using TCP SYN cookies
tcp-null-scan
    Optional. Detects TCP NULL scans. A closed port returns a RST, which lets the attacker identify open ports.
tcp-post-syn
    Optional. Enables the TCP post-SYN DoS check
tcp-sequence-past-window
    Optional. Enables the TCP sequence-past-window DoS check. Disable this check to work around a bug in Windows XP's TCP stack, which sends data past the window when performing a selective ACK.
tcp-xmas-scan
    Optional. Detects TCP XMAS scans. A closed port returns a RST, which lets the attacker identify open ports.
tcphdrfrag
    Optional. Detects a DoS attack in which the TCP header spans IP fragments
twinge
    Optional. Detects Twinge attacks, a flood of false ICMP packets intended to slow down a system
udp-short-hdr
    Optional. Enables the identification of truncated UDP headers and invalid UDP header length fields
winnuke
    Optional. Detects WinNuke attacks. This DoS attack is specific to Windows 95 and Windows NT and crashes the target with a blue screen.
drop-only
    Drops the packet without logging

ip dos tcp-max-incomplete [high|low] <1-1000>

dos                   Identifies IP events as DoS events
tcp-max-incomplete    Sets the limits for the maximum number of incomplete TCP connections
high                  Sets the upper limit for the maximum number of incomplete TCP connections
low                   Sets the lower limit for the maximum number of incomplete TCP connections
<1-1000>              Sets the limit, from 1 - 1000 connections

ip tcp adjust-mss <472-1460>
tcp            Identifies and configures TCP events and configuration items
adjust-mss     Adjusts the TCP Maximum Segment Size (MSS). Use this option to adjust the MSS of TCP segments passing through the device.
<472-1460>     Sets the TCP MSS value from 472 - 1460 bytes. The default is 472 bytes.

ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]

tcp                                 Identifies and configures TCP events and configuration items
optimize-unnecessary-resends        Enables validation of unnecessary TCP resends
recreate-flow-on-out-of-state-syn   Allows a TCP SYN packet to delete an old flow in the TCP_FIN_FIN_STATE or TCP_CLOSED_STATE state and create a new flow
validate-icmp-unreachable           Enables validation of the sequence number in ICMP unreachable error packets, which abort an established TCP flow
validate-rst-ack-number             Enables validation of the acknowledgment number in RST packets, which abort a TCP flow
validate-rst-seq-number             Enables validation of the sequence number in RST packets, which abort an established TCP flow

Example
rfs6000-37FABE(config-fw-policy-test)#ip dos fraggle drop-only
rfs6000-37FABE(config-fw-policy-test)#ip dos tcp-max-incomplete high 600
rfs6000-37FABE(config-fw-policy-test)#ip dos tcp-max-incomplete low 60
rfs6000-37FABE(config-fw-policy-test)#ip dos tcp-sequence-past-window drop-only
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
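As an added illustration (not the WiNG implementation), the following Python classifier applies the packet-level tests that several of the `ip dos` checks above describe (LAND, TCP FIN/NULL/XMAS scans, ip-ttl-zero, snork, fraggle, udp-short-hdr, tcphdrfrag) and adds a half-open connection tracker for `tcp-max-incomplete`. The guide gives the high and low limits but not the algorithm behind them, so the hysteresis behaviour, the XMAS flag combination (FIN+PSH+URG) and the constructed sample packets are assumptions.

```python
"""Packet-level versions of several `ip dos` checks plus a tcp-max-incomplete tracker.

Added example, not WiNG code. The Packet fields, the XMAS flag set and the
high/low hysteresis are assumptions made for the demo."""
from dataclasses import dataclass
from typing import List, Set, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    ttl: int = 64
    sport: int = 0
    dport: int = 0
    flags: int = 0         # TCP flag bitmask
    seq: int = 1
    frag_offset: int = 0   # IP fragment offset (8-byte units); 0 = first fragment
    more_frags: bool = False
    l4_len: int = 20       # transport header bytes present in this fragment


def dos_matches(p: Packet) -> List[str]:
    """Names of the `ip dos` checks this packet would trigger."""
    hits: List[str] = []
    if p.ttl == 0:
        hits.append("ip-ttl-zero")
    if p.proto in ("tcp", "udp") and p.src == p.dst and p.sport == p.dport:
        hits.append("land")                       # packet addressed to itself
    if p.proto == "tcp":
        if p.flags == FIN:
            hits.append("tcp-fin-scan")           # only FIN set, no ACK
        if p.flags == 0 and p.seq == 0:
            hits.append("tcp-null-scan")          # no flags, sequence number 0
        if (p.flags & (FIN | PSH | URG)) == (FIN | PSH | URG):
            hits.append("tcp-xmas-scan")          # assumption: nmap -sX flag set
        if p.frag_offset == 0 and p.more_frags and p.l4_len < 20:
            hits.append("tcphdrfrag")             # TCP header split across fragments
    if p.proto == "udp":
        if p.dport == 135 and p.sport in (7, 9, 135):
            hits.append("snork")
        if 7 in (p.sport, p.dport) or 19 in (p.sport, p.dport):
            hits.append("fraggle")                # UDP to/from echo or chargen
        if p.l4_len < 8:
            hits.append("udp-short-hdr")          # truncated UDP header
    return hits


class HalfOpenTracker:
    """tcp-max-incomplete: count embryonic connections (SYN seen, handshake not done).

    Assumption: once `high` is reached new SYNs are dropped until the count has
    fallen to `low` (watermark hysteresis); the guide only names the two limits."""

    def __init__(self, high: int = 600, low: int = 60) -> None:
        if not 1 <= low <= high <= 1000:
            raise ValueError("limits must satisfy 1 <= low <= high <= 1000")
        self.high, self.low = high, low
        self.pending: Set[Tuple[str, int, str, int]] = set()
        self.throttling = False

    def on_packet(self, p: Packet) -> str:
        if p.proto != "tcp":
            return "pass"
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags & SYN and not p.flags & ACK:           # new connection attempt
            if self.throttling or len(self.pending) >= self.high:
                self.throttling = True
                return "drop"
            self.pending.add(key)
            return "pass"
        if p.flags & ACK and key in self.pending:         # client completes handshake
            self.pending.discard(key)
            if self.throttling and len(self.pending) <= self.low:
                self.throttling = False
        return "pass"
```

Note how `snork` and `fraggle` overlap: a UDP packet from port 7 to port 135 matches both, which is why a real policy assigns each check its own action and log level rather than a single verdict.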
Related Commands
no    Resets firewall policy IP components

13.1.9 ip-mac
firewall-policy

Defines an action based on the device's IP/MAC table, and also detects conflicts between IP addresses and MAC addresses

Supported in the following platforms:
  Access Points:        AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms:    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ip-mac [conflict|routing]

ip-mac conflict drop-only
ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

ip-mac routing conflict drop-only
ip-mac routing conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

Parameters
ip-mac conflict drop-only

conflict      Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.
drop-only     Drops the packet without logging

ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

conflict        Action performed when a conflict exists between the IP address and MAC address. This option is enabled by default.
log-and-drop    Logs the event and drops the packet. This is the default setting.
log-only        Logs the event only; the packet is not dropped
log-level       Configures the log level
<0-7>           Sets the numeric logging level
emergencies     Numerical severity 0. System is unusable
alerts          Numerical severity 1. Indicates a condition where immediate action is required
critical        Numerical severity 2. Indicates a critical condition
errors          Numerical severity 3. Indicates an error condition
warnings        Numerical severity 4. Indicates a warning condition. This is the default setting.
notifications   Numerical severity 5. Indicates a normal but significant condition
informational   Numerical severity 6. Indicates an informational condition
debugging       Numerical severity 7. Debugging messages

ip-mac routing conflict drop-only

routing       Enables IP/MAC routing conflict detection, also known as detection of the Hole-196 attack. This feature checks whether a client is sending routed packets to the correct router MAC address.
conflict      Defines the action performed when a routing table conflict is detected. This option is enabled by default.
drop-only     Drops the packet without logging

ip-mac routing conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debugging|emergencies|errors|informational|notifications|warnings]

routing         Defines a routing table based action
conflict        Action performed when a conflict exists in the routing table. This option is enabled by default.
log-and-drop    Logs the event and drops the packet. This is the default setting.
log-only        Logs the event only; the packet is not dropped
log-level       Configures the log level under which this event is logged: <0-7>, or one of emergencies (0), alerts (1), critical (2), errors (3), warnings (4, the default), notifications (5), informational (6), debugging (7)

Example
rfs6000-37FABE(config-fw-policy-test)#ip-mac conflict drop-only
rfs6000-37FABE(config-fw-policy-test)#ip-mac routing conflict log-and-drop log-level notifications
rfs6000-37FABE(config-fw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 ip dos tcp-sequence-past-window drop-only
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs6000-37FABE(config-fw-policy-test)#
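Added example, not WiNG code: a Python check of the kind `ip-mac conflict` and `ip-mac routing conflict` describe. IP-to-MAC bindings are assumed to have been learned from DHCP or ARP snooping; the subnet, the router MAC, the action names and the sample frames are constructed for the demo. It also shows how the three action keywords and the log level change the outcome for the same frame.

```python
"""IP/MAC binding conflicts and Hole-196 style routing conflicts.

Added example, not WiNG code. Bindings are assumed to come from DHCP/ARP snooping;
subnet, router MAC and sample frames are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str


class IpMacGuard:
    ACTIONS = ("drop-only", "log-and-drop", "log-only")

    def __init__(self, subnet: str, router_mac: str,
                 action: str = "log-and-drop", log_level: str = "warnings") -> None:
        if action not in self.ACTIONS:
            raise ValueError(f"action must be one of {self.ACTIONS}")
        self.subnet = ipaddress.ip_network(subnet)
        self.router_mac = router_mac.lower()
        self.action, self.log_level = action, log_level
        self.bindings: Dict[str, str] = {}   # ip -> mac, learned from DHCP/ARP (assumed)
        self.log: List[str] = []

    def learn(self, ip: str, mac: str) -> None:
        self.bindings[ip] = mac.lower()

    def _verdict(self, event: str, f: Frame) -> str:
        if self.action != "drop-only":
            self.log.append(f"{self.log_level}: {event} src_mac={f.src_mac} src_ip={f.src_ip} "
                            f"dst_mac={f.dst_mac} dst_ip={f.dst_ip}")
        return "pass" if self.action == "log-only" else "drop"

    def inspect(self, f: Frame) -> str:
        # ip-mac conflict: the source IP is bound to a MAC other than the sender's
        bound = self.bindings.get(f.src_ip)
        if bound is not None and bound != f.src_mac.lower():
            return self._verdict("ip-mac conflict", f)
        # ip-mac routing conflict (Hole-196): a destination outside the local subnet
        # must be sent to the real router's MAC; anything else means the client's
        # gateway entry was poisoned and traffic is being steered through a peer
        if ipaddress.ip_address(f.dst_ip) not in self.subnet and f.dst_mac.lower() != self.router_mac:
            return self._verdict("ip-mac routing conflict", f)
        return "pass"
```

The routing check is what catches the Hole-196 scenario the guide mentions: an insider on the same WLAN advertises the gateway's IP with its own MAC, so victims keep using the right IP gateway while the frames actually go to the attacker.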
Related Commands
no    Disables actions based on the device IP/MAC table and IP address / MAC address conflict detection

13.1.10 ipv6
firewall-policy

Configures IPv6 components on this firewall policy

Supported in the following platforms:
  Access Points:        AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms:    NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|strict-ext-hdr-check|unknown-options]

ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|log-and-drop|log-only]
ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] [drop-only|log-and-drop|log-only]
ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]
ipv6 [firewall enable|rewrite-flow-label]

Parameters
ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility} [drop-only|log-and-drop|log-only]

dos                       Identifies IPv6 events as DoS events
hop-limit-zero            Optional. Enables checking of the IPv6 hop limit field. A packet whose hop limit is zero (0) is treated as an attack. This option is enabled by default.
multicast-icmpv6          Optional. Enables detection of multicast ICMPv6 traffic as an attack. This option applies only to ICMPv6 echo request and echo reply packets. It is enabled by default.
tcp-intercept-mobility    Optional. Enables detection of IPv6 TCP packets carrying the mobility option HAO (Home Address Option) or RH (Routing Header) type 2. When enabled, TCP SYN cookies are not generated for such packets. This option is enabled by default.
drop-only                 Common to all of the above keywords. Drops the matching packet type (hop-limit-zero, multicast-icmpv6 or tcp-intercept-mobility) without logging.
log-and-drop              Drops the matching packet type and logs an event.
log-only                  Logs an event only; the matching packet type is not dropped.
log-level                 If selecting the log-and-drop or log-only action, specify the log level: <0-7>, or one of emergencies (0), alerts (1), critical (2), errors (3), warnings (4, the default), notifications (5), informational (6), debugging (7)

ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options] [drop-only|log-and-drop|log-only]

duplicate-options         Enables handling of duplicate options in hop-by-hop and destination option extension headers. This check excludes HAO handling. This option is enabled by default.
routing-type [one|two]    Enables checking of the following IPv6 routing types:
                            one   Routing Type 1 (Nimrod routing). This option is disabled by default.
                            two   Routing Type 2 (Mobile IP). This option is disabled by default.
strict-ext-hdr-check      Enables strict checking of the order and number of occurrences of extension headers. This option is enabled by default.
unknown-options           Enables handling of unknown options in hop-by-hop and destination option extension headers. This option is enabled by default.
drop-only                 Common to all of the above keywords. Drops the packet if it matches any of the above types, without logging.
log-and-drop              Drops the packet if it matches any of the above types, and logs an event.
log-only                  Logs an event only; a matching packet is not dropped.
log-level                 If selecting the log-and-drop or log-only action, specify the log level: <0-7>, or one of emergencies (0), alerts (1), critical (2), errors (3), warnings (4, the default), notifications (5), informational (6), debugging (7)

ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding} [drop-only|log-and-drop|log-only]

option          Enables checking for the following IPv6 extension header options. All are optional; if no option is specified, the system enables checks according to the defaults.
                  endpoint-identification          Endpoint identification option (disabled by default)
                  network-service-access-point     Network service access point address option (disabled by default)
                  router-alert                     Router alert option (disabled by default)
                  strict-hao-opt-alert             Home address option in the destination option extension header (enabled by default)
                  strict-padding                   Pad1 and PadN option validation (enabled by default)
drop-only       Common to all of the above keywords. Drops the packet if it matches any of the above option types, without logging.
log-and-drop    Drops the packet if it matches any of the above option types, and logs an event.
log-only        Logs an event only; a matching packet is not dropped.
log-level       If selecting the log-and-drop or log-only action, specify the log level: <0-7>, or one of emergencies (0), alerts (1), critical (2), errors (3), warnings (4, the default), notifications (5), informational (6), debugging (7)

ipv6 [firewall enable|rewrite-flow-label]

firewall enable       Enables the IPv6 firewall. This option is enabled by default.
rewrite-flow-label    Rewrites the IPv6 flow label field of every packet. This option is disabled by default.

Example
nx4500-5CFA2B(config-fw-policy-test)#ipv6 dos hop-limit-zero drop-only
nx4500-5CFA2B(config-fw-policy-test)#ipv6 routing-type two log-and-drop log-level warnings
nx4500-5CFA2B(config-fw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 ipv6 routing-type two log-and-drop log-level warnings
 ipv6 dos hop-limit-zero drop-only
nx4500-5CFA2B(config-fw-policy-test)#
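Added example, not WiNG code: a Python parser that walks the IPv6 extension-header chain of a raw packet and reports the conditions the `ipv6` checks above describe (hop-limit-zero, multicast ICMPv6 echo, duplicate and unknown options, non-zero PadN bytes, HAO outside Destination Options, routing types 1 and 2, and a Hop-by-Hop header that is not first). The option type codes are the IANA values (Router Alert 0x05, Jumbo Payload 0xC2, Endpoint Identification 0x8A, NSAP Address 0xC3, Home Address 0xC9); the exact ordering rule and the constructed sample packets are assumptions.

```python
"""IPv6 extension-header sanity checks (added example, not WiNG code)."""
import struct
from typing import List

HOP_BY_HOP, ROUTING, DEST_OPTS, TCP, ICMPV6 = 0, 43, 60, 6, 58
# IANA option type codes, including the deprecated Endpoint-ID and NSAP options
PAD1, PADN, ROUTER_ALERT, JUMBO, ENDPOINT_ID, NSAP_ADDR, HAO = 0x00, 0x01, 0x05, 0xC2, 0x8A, 0xC3, 0xC9
KNOWN_OPTIONS = {PAD1, PADN, ROUTER_ALERT, JUMBO, ENDPOINT_ID, NSAP_ADDR, HAO}
OPTION_NAMES = {ROUTER_ALERT: "router-alert", ENDPOINT_ID: "endpoint-identification",
                NSAP_ADDR: "network-service-access-point"}


def check_options(body: bytes, in_dest_opts: bool, findings: List[str]) -> None:
    """TLV walk over a Hop-by-Hop or Destination Options header body."""
    seen = set()
    i = 0
    while i < len(body):
        t = body[i]
        if t == PAD1:                      # single zero byte, no length field
            i += 1
            continue
        if i + 1 >= len(body) or i + 2 + body[i + 1] > len(body):
            findings.append("truncated-option")
            return
        ln = body[i + 1]
        data = body[i + 2:i + 2 + ln]
        if t == PADN:
            if any(data):                  # strict-padding: PadN payload must be zero
                findings.append("strict-padding")
        else:
            if t not in KNOWN_OPTIONS:
                findings.append("unknown-options")
            if t in seen and t != HAO:     # duplicate-options (HAO excluded, as in the guide)
                findings.append("duplicate-options")
            seen.add(t)
            if t == HAO and not in_dest_opts:   # HAO is only valid in Destination Options
                findings.append("option strict-hao-opt-alert")
            if t in OPTION_NAMES:
                findings.append("option " + OPTION_NAMES[t])
        i += 2 + ln


def inspect_ipv6(pkt: bytes) -> List[str]:
    """Return the names of the `ipv6` checks a raw packet would trigger."""
    findings: List[str] = []
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return ["not-ipv6"]
    nh, hop_limit = pkt[6], pkt[7]
    if hop_limit == 0:
        findings.append("dos hop-limit-zero")
    off, counts = 40, {}
    while nh in (HOP_BY_HOP, ROUTING, DEST_OPTS):
        if off + 2 > len(pkt):
            return findings + ["truncated-header"]
        next_nh, hdr_len = pkt[off], (pkt[off + 1] + 1) * 8
        hdr = pkt[off:off + hdr_len]
        if len(hdr) < hdr_len:
            return findings + ["truncated-header"]
        counts[nh] = counts.get(nh, 0) + 1
        # strict-ext-hdr-check (assumed rule): Hop-by-Hop only directly after the fixed
        # header, and no header type repeated except Destination Options (twice, RFC 8200)
        if (nh == HOP_BY_HOP and off != 40) or counts[nh] > (2 if nh == DEST_OPTS else 1):
            findings.append("strict-ext-hdr-check")
        if nh == ROUTING:
            if hdr[2] in (1, 2):
                findings.append("routing-type " + ("one" if hdr[2] == 1 else "two"))
        else:
            check_options(hdr[2:], nh == DEST_OPTS, findings)
        nh, off = next_nh, off + hdr_len
    # multicast-icmpv6: echo request (128) or reply (129) sent to a multicast destination
    if nh == ICMPV6 and pkt[24] == 0xFF and off < len(pkt) and pkt[off] in (128, 129):
        findings.append("dos multicast-icmpv6")
    return findings


def build_ipv6(next_header: int, ext: bytes, payload: bytes = b"",
               hop_limit: int = 64, multicast_dst: bool = False) -> bytes:
    """Constructed test packet using the 2001:db8::/32 documentation prefix."""
    src = bytes.fromhex("20010db8" + "0" * 23 + "1")
    dst = b"\xff\x02" + bytes(13) + b"\x01" if multicast_dst else bytes.fromhex("20010db8" + "0" * 23 + "2")
    return struct.pack("!IHBB", 6 << 28, len(ext) + len(payload), next_header, hop_limit) + src + dst + ext + payload


def opts_hdr(next_header: int, options: bytes) -> bytes:
    """Hop-by-Hop / Destination Options header padded to a multiple of 8 octets."""
    pad = (-(2 + len(options))) % 8
    if pad == 1:
        options += bytes([PAD1])
    elif pad >= 2:
        options += bytes([PADN, pad - 2]) + bytes(pad - 2)
    return bytes([next_header, (2 + len(options)) // 8 - 1]) + options
```

Each finding maps to one keyword of the `ipv6` command, so the output of `inspect_ipv6` is the set of checks a policy would have to leave enabled to stop that packet; in particular a routing header of type 2 is only caught when `ipv6 routing-type two` has been turned on, since it is disabled by default.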
Access Point, Wireless Controller and Service Platform CLI Reference Guide 13 - 24

Related Commands

  no   Resets this firewall policy's IPv6 components

13.1.11 ipv6-mac
firewall-policy

Defines the action taken when a conflict is detected between a device's IPv6 and MAC addresses

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ipv6-mac [conflict|routing]
  ipv6-mac conflict [drop-only|log-and-drop|log-only]
  ipv6-mac routing conflict [drop-only|log-and-drop|log-only]

Parameters

ipv6-mac conflict [drop-only|log-and-drop|log-only]

  conflict       Enables detection of conflicts between a device's IPv6 and MAC addresses. This option is enabled by default. The command also specifies the action performed when such a conflict is detected. The options are: drop-only, log-and-drop, and log-only.
  drop-only      Drops a packet with conflicting IPv6 and MAC addresses without logging
  log-and-drop   Logs the event and drops the packet. This is the default setting.
  log-only       Logs the event only; the packet is not dropped
  log-level      If selecting the log-and-drop or log-only action type, specify the log level: <0-7>, emergencies (0), alerts (1), critical (2), errors (3), warnings (4, the default), notifications (5), informational (6), or debugging (7)

ipv6-mac routing conflict [drop-only|log-and-drop|log-only]

  routing conflict  Enables detection of conflicts between the next hop's IPv6 and MAC addresses. This option is enabled by default. The command also specifies the action performed when such a conflict is detected. The options are: drop-only, log-and-drop, and log-only.
  drop-only         Drops a packet with conflicting next-hop IPv6 and MAC addresses without logging
  log-and-drop      Logs the event and drops the packet. This is the default setting.
  log-only          Logs the event only; the packet is not dropped
  log-level         As above: <0-7>, emergencies (0), alerts (1), critical (2), errors (3), warnings (4, the default), notifications (5), informational (6), or debugging (7)

Both detections are on by default with log-and-drop. Note that log-only leaves the conflicting packets flowing, while drop-only discards them without any event, so the conflict is handled but never reported.

Example

  nx4500-5CFA2B(config-fw-policy-test)#ipv6-mac routing conflict drop-only
  nx4500-5CFA2B(config-fw-policy-test)#show context
  firewall-policy test
   no ip dos tcp-sequence-past-window
   ipv6 routing-type two log-and-drop log-level warnings
   ipv6 dos hop-limit-zero drop-only
   ipv6-mac routing conflict drop-only
  nx4500-5CFA2B(config-fw-policy-test)#

Related Commands

  no   Disables detection of conflicts in the device IPv6/MAC table and between the next hop's IPv6 and MAC addresses

13.1.12 logging
firewall-policy

Configures enhanced firewall logging

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  logging [icmp-all|icmp-packet-drop|malformed-packet-drop|verbose]
  logging icmp-all
  logging verbose
  logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]

Parameters

logging icmp-all

  icmp-all   Enables logging of all ICMPv4/v6 packets allowed by the firewall. This option is disabled by default.

logging verbose

  verbose    Enables verbose firewall logging. This option is disabled by default.

logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]

  icmp-packet-drop       Logs ICMP (ICMPv4 and ICMPv6) packets dropped because they fail the firewall's sanity checks. The default is none (such drops are not logged).
  malformed-packet-drop  Logs raw IP (IPv4 and IPv6) packets dropped because they fail the sanity checks. The default is none.
    all                  Logs every such drop
    rate-limited         Enables rate-limited logging: at most one message every 20 seconds

With rate-limited, a sustained flood of malformed packets appears in the log as one line every 20 seconds, so the log shows that drops are happening but not how many. Use all only where the log collector can absorb the volume.

Example

  rfs6000-37FABE(config-fw-policy-test)#logging verbose
  rfs6000-37FABE(config-fw-policy-test)#logging icmp-packet-drop rate-limited
  rfs6000-37FABE(config-fw-policy-test)#logging malformed-packet-drop all
  rfs6000-37FABE(config-fw-policy-test)#show context
  firewall-policy test
   ip dos fraggle drop-only
   ip dos tcp-sequence-past-window drop-only
   ip dos tcp-max-incomplete high 600
   ip dos tcp-max-incomplete low 60
   ip-mac conflict drop-only
   ip-mac routing conflict log-only log-level notifications
   flow timeout icmp 16000
   flow timeout udp 10000
   flow timeout tcp established 1500
   flow timeout other 16000
   dhcp-offer-convert
   logging icmp-packet-drop rate-limited
   logging malformed-packet-drop all
   logging verbose
   dns-snoop entry-timeout 35
  rfs6000-37FABE(config-fw-policy-test)#

  nx9500-6C8809(config-fw-policy-test2)#show context
  firewall-policy test2
   no ip dos tcp-sequence-past-window
  nx9500-6C8809(config-fw-policy-test2)#

  nx9500-6C8809(config-fw-policy-test2)#logging icmp-all
  nx9500-6C8809(config-fw-policy-test2)#show context
  firewall-policy test2
   no ip dos tcp-sequence-past-window
   logging icmp-all
  nx9500-6C8809(config-fw-policy-test2)#

Related Commands

  no   Disables enhanced firewall logging

13.1.13 no
firewall-policy

Negates a command or sets the default for firewall policy commands

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [acl-logging|alg|clamp|dhcp-offer-convert|dns-snoop|firewall|flow|ip|ip-mac|ipv6|ipv6-mac|logging|proxy-arp|proxy-nd|stateful-packet-inspection-l2|storm-control|virtual-defragmentation]
  no [acl-logging|dhcp-offer-convert|proxy-arp|proxy-nd|stateful-packet-inspection-l2]
  no alg [dns|facetime|ftp|pptp|sccp|sip|tftp]
  no clamp tcp-mss
  no dns-snoop entry-timeout
  no firewall enable
  no flow dhcp stateful
  no flow timeout [icmp|other|udp]
  no flow timeout tcp [closed-wait|established|reset|setup|stateless-fin-or-reset|stateless-general]
  no ip dos {ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke}
  no ip tcp [adjust-mss|optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
  no ip-mac conflict
  no ip-mac routing conflict
  no ipv6 [dos|duplicate-options|firewall|option|rewrite-flow-label|routing-type|strict-ext-hdr-check|unknown-options]
  no ipv6 dos {hop-limit-zero|multicast-icmpv6|tcp-intercept-mobility}
  no ipv6 [duplicate-options|routing-type [one|two]|strict-ext-hdr-check|unknown-options]
  no ipv6 option {endpoint-identification|network-service-access-point|router-alert|strict-hao-opt-alert|strict-padding}
  no ipv6 [firewall enable|rewrite-flow-label]
  no logging [icmp-all|icmp-packet-drop|verbose|malformed-packet-drop]
  no storm-control [arp|broadcast|multicast|unicast] {fe <1-4>|ge <1-8>|log|port-channel <1-8>|up1|wlan <WLAN-NAME>}
  no virtual-defragmentation {maximum-fragments-per-datagram|minimum-first-fragment-length|maximum-defragmentation-per-host|timeout}

Parameters

  no <PARAMETERS>   Negates a command or sets the default for firewall policy commands.

In the context output, a check that has been switched off with no is shown as an explicit no line (for example no ip dos fraggle), because the check is on by default and the policy must record the deviation. A keyword returned to its default by no simply disappears from the output (no dhcp-offer-convert, no logging malformed-packet-drop in the example below), and no storm-control arp log is shown as storm-control arp log none. When auditing a policy, read explicit no lines as disabled protections.

Example

  rfs6000-37FABE(config-fw-policy-test)#show context
  firewall-policy test
   ip dos fraggle drop-only
   no ip dos tcp-sequence-past-window
   ip dos tcp-max-incomplete high 600
   ip dos tcp-max-incomplete low 60
   storm-control broadcast level 20000 ge 4
   storm-control arp log warnings
   ip-mac conflict drop-only
   ip-mac routing conflict log-and-drop log-level notifications
   flow timeout icmp 16000
   flow timeout udp 10000
   flow timeout tcp established 1500
   flow timeout other 16000
   dhcp-offer-convert
   logging icmp-packet-drop rate-limited
   logging malformed-packet-drop all
   logging verbose
   dns-snoop entry-timeout 35
  rfs6000-37FABE(config-fw-policy-test)#

  rfs6000-37FABE(config-fw-policy-test)#no ip dos fraggle
  rfs6000-37FABE(config-fw-policy-test)#no storm-control arp log
  rfs6000-37FABE(config-fw-policy-test)#no dhcp-offer-convert
  rfs6000-37FABE(config-fw-policy-test)#no logging malformed-packet-drop
  rfs6000-37FABE(config-fw-policy-test)#show context
  firewall-policy test
   no ip dos fraggle
   no ip dos tcp-sequence-past-window
   ip dos tcp-max-incomplete high 600
   ip dos tcp-max-incomplete low 60
   storm-control broadcast level 20000 ge 4
   storm-control arp log none
   ip-mac conflict drop-only
   ip-mac routing conflict log-and-drop log-level notifications
   flow timeout icmp 16000
   flow timeout udp 10000
   flow timeout tcp established 1500
   flow timeout other 16000
   logging icmp-packet-drop rate-limited
   logging verbose
   dns-snoop entry-timeout 35
  rfs6000-37FABE(config-fw-policy-test)#
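The before/after contexts above show how a policy's weaknesses are visible only as text: a disabled check is an explicit no line, a detection set to log-only lets the traffic through, and a logging keyword left at its default simply does not appear. The following Python script, added here as an example and not part of this guide or of the WiNG firmware, parses a pasted show context firewall-policy dump (the "after" context above, constructed inline) and reports such settings. The finding levels, the rule set and the assumption that a syslog collector keeps severity warnings (4) and above are this example's own.

```python
"""Audit a WiNG firewall-policy as printed by 'show context' and flag
settings that weaken enforcement or blind detection.

Added example for this guide; it is not Extreme/WiNG code and does not
talk to a device. It reads the text that 'show context' prints, so the
input is a pasted dump. The finding levels and the rules below are this
example's own choices, derived from the command descriptions."""
import re
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed input: the context shown after the 'no' commands in the
# example above, one line per setting as the device prints it.
SAMPLE_CONTEXT = """\
firewall-policy test
 no ip dos fraggle
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log none
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 logging icmp-packet-drop rate-limited
 logging verbose
 dns-snoop entry-timeout 35
"""

# syslog severities as listed under log-level (0 = emergencies ... 7 = debugging)
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

DOS_OFF_RE = re.compile(r"^no (ip|ipv6) dos (\S+)$")
CONFLICT_RE = re.compile(
    r"^(ip-mac|ipv6-mac)( routing)? conflict (drop-only|log-and-drop|log-only)"
    r"(?: log-level (\S+))?$")
STORM_LOG_RE = re.compile(r"^storm-control (arp|broadcast|multicast|unicast) log (\S+)$")
DROP_LOG_RE = re.compile(r"^logging (icmp-packet-drop|malformed-packet-drop) (all|rate-limited)$")


@dataclass(frozen=True)
class Finding:
    level: str   # "high": traffic passes; "medium": events lost; "low": review
    line: str    # the config line that triggered the finding ("" if absent)
    why: str


def parse_context(text: str) -> Tuple[str, List[str]]:
    """Split a 'show context' dump into the policy name and its setting lines."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("firewall-policy "):
        raise ValueError("expected a 'firewall-policy <NAME>' header line")
    return lines[0].split(None, 1)[1], lines[1:]


def audit(text: str) -> List[Finding]:
    _name, lines = parse_context(text)
    findings: List[Finding] = []
    drop_logging_seen: Set[str] = set()
    for line in lines:
        m = DOS_OFF_RE.match(line)
        if m:  # an explicit 'no ... dos' line means the check was switched off
            findings.append(Finding("high", line,
                f"{m.group(1)} dos {m.group(2)} check is explicitly disabled"))
            continue
        m = CONFLICT_RE.match(line)
        if m:
            action, level = m.group(3), m.group(4)
            if action == "log-only":
                findings.append(Finding("high", line,
                    "address conflicts are logged but the packets are still forwarded"))
            elif action == "drop-only":
                findings.append(Finding("low", line,
                    "conflicts are dropped without an event; nothing reaches the log"))
            elif level and SEVERITY[level] > SEVERITY["warnings"]:
                # Assumption: the syslog collector keeps warnings (4) and above only.
                findings.append(Finding("low", line,
                    f"log-level {level} ({SEVERITY[level]}) may be filtered by the collector"))
            continue
        m = STORM_LOG_RE.match(line)
        if m and m.group(2) == "none":
            findings.append(Finding("medium", line,
                f"storm-control events for {m.group(1)} are not logged"))
            continue
        m = DROP_LOG_RE.match(line)
        if m:
            drop_logging_seen.add(m.group(1))
    # Both drop loggers default to none, so their absence means silent drops.
    for kind in ("icmp-packet-drop", "malformed-packet-drop"):
        if kind not in drop_logging_seen:
            findings.append(Finding("low", "",
                f"logging {kind} is at its default (none); sanity-check drops are invisible"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONTEXT):
        print(f"[{f.level:<6}] {f.line or '(absent)'}: {f.why}")
```

Run against the sample, the two no ip dos lines are reported as high, storm-control arp log none as medium, and the drop-only, notifications and missing malformed-packet-drop logging as low. A policy that keeps every check on, logs conflicts at warnings, and enables both drop loggers produces no findings.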
13.1.14 proxy-arp
firewall-policy

Enables the generation of ARP responses on behalf of another device. Proxy ARP allows the firewall to answer ARP requests for devices behind the firewall. This option is enabled by default.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  proxy-arp

Parameters
  None

Example
  rfs6000-37FABE(config-fw-policy-test)#proxy-arp
  rfs6000-37FABE(config-fw-policy-test)#

Related Commands

  no   Disables the generation of ARP responses on behalf of another device

13.1.15 proxy-nd
firewall-policy

Enables the generation of IPv6 Neighbor Discovery (ND) responses on behalf of another device

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  proxy-nd

Parameters
  None

Example
  nx9500-6C8809(config-fw-policy-fw1)#proxy-nd
  nx9500-6C8809(config-fw-policy-fw1)#

Related Commands

  no   Disables the generation of ND responses on behalf of another device

13.1.16 stateful-packet-inspection-l2
firewall-policy

Enables layer 2 firewall stateful packet inspection. When enabled, stateful packet inspection is applied to RF Domain manager routed interfaces within the layer 2 firewall. This option is enabled by default.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  stateful-packet-inspection-l2

Parameters
  None

Example
  rfs6000-37FABE(config-fw-policy-test)#stateful-packet-inspection-l2
  rfs6000-37FABE(config-fw-policy-test)#
Related Commands

  no   Disables stateful packet inspection in the layer 2 firewall

13.1.17 storm-control
firewall-policy

Enables storm control in the firewall policy. A storm is a bombardment of packets at a rate above the threshold configured for an interface. Without a limit, a storm severely degrades the RF Domain manager interface; with storm control, packets above the configured level are throttled until the rate falls back below it. Storm control limits the ARP, broadcast, multicast and unicast frames accepted and forwarded by a device. Storm events are logged at the configured severity level.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  storm-control [arp|broadcast|multicast|unicast]
  storm-control [arp|broadcast|multicast|unicast] [level|log]
  storm-control [arp|broadcast|multicast|unicast] level <1-1000000> [fe <1-4>|ge <1-8>|port-channel <1-8>|up1|wlan <WLAN-NAME>]
  storm-control [arp|broadcast|multicast|unicast] log [<0-7>|alerts|critical|debugging|emergencies|errors|informational|none|notifications|warnings]

Parameters

storm-control [arp|broadcast|multicast|unicast] level <1-1000000> [fe <1-4>|ge <1-8>|port-channel <1-8>|up1|wlan <WLAN-NAME>]

  arp                  Configures storm control for ARP packets
  broadcast            Configures storm control for broadcast packets
  multicast            Configures storm control for multicast packets
  unicast              Configures storm control for unicast packets
  level <1-1000000>    Configures the allowed number of packets received per second before storm control begins. <1-1000000> sets the number of packets per second.
  fe <1-4>             Applies the limit to FastEthernet port 1 - 4
  ge <1-8>             Applies the limit to GigabitEthernet port 1 - 8
  port-channel <1-8>   Applies the limit to port channel 1 - 8
  up1                  Applies the limit to the uplink interface
  wlan <WLAN-NAME>     Applies the limit to the WLAN with the specified name

Each level applies only to the interface or WLAN named with it; it is a per-interface packet rate, not a device-wide counter.

storm-control [arp|broadcast|multicast|unicast] log [<0-7>|alerts|critical|debugging|emergencies|errors|informational|none|notifications|warnings]

  arp, broadcast, multicast, unicast   Traffic type, as above
  log            Configures the log level for storm control events:
                   <0-7>          Sets the numeric logging level from 0 - 7
                   emergencies    Numerical severity 0. System is unusable
                   alerts         Numerical severity 1. Indicates a condition where immediate action is required
                   critical       Numerical severity 2. Indicates a critical condition
                   errors         Numerical severity 3. Indicates an error condition
                   warnings       Numerical severity 4. Indicates a warning condition. This is the default setting.
                   notifications  Numerical severity 5. Indicates a normal but significant condition
                   informational  Numerical severity 6. Indicates an informational condition
                   debugging      Numerical severity 7. Debugging messages
                   none           Disables storm control logging

Example

  rfs6000-37FABE(config-fw-policy-test)#storm-control arp log warning
  rfs6000-37FABE(config-fw-policy-test)#storm-control broadcast level 20000 ge 4
  rfs6000-37FABE(config-fw-policy-test)#show context
  firewall-policy test
   ip dos fraggle drop-only
   no ip dos tcp-sequence-past-window
   ip dos tcp-max-incomplete high 600
   ip dos tcp-max-incomplete low 60
   storm-control broadcast level 20000 ge 4
   storm-control arp log warnings
   ip-mac conflict drop-only
   ip-mac routing conflict log-and-drop log-level notifications
   flow timeout icmp 16000
   flow timeout udp 10000
   flow timeout tcp established 1500
   flow timeout other 16000
   dhcp-offer-convert
   logging icmp-packet-drop rate-limited
   logging malformed-packet-drop all
   logging verbose
   dns-snoop entry-timeout 35
  rfs6000-37FABE(config-fw-policy-test)#
Related Commands

  no   Disables storm control limits on ARP, multicast, unicast and broadcast frames accepted and forwarded by a device

13.1.18 virtual-defragmentation
firewall-policy

Enables virtual de-fragmentation of IPv4 and IPv6 packets. This parameter is required for optimal firewall functionality and is enabled by default.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  virtual-defragmentation {maximum-defragmentation-per-host <1-16384>|maximum-fragments-per-datagram <2-8129>|minimum-first-fragment-length <8-1500>|timeout <1-60>}

Parameters

  maximum-defragmentation-per-host <1-16384>   Optional. Configures the maximum number of active defragmentations allowed per host; fragments beyond that number are dropped (applicable to IPv4 and IPv6 packets). <1-16384> sets a value from 1 - 16384. The default is 8.
  maximum-fragments-per-datagram <2-8129>      Optional. Configures the maximum number of fragments allowed in a datagram before it is dropped (applicable to IPv4 and IPv6 packets). <2-8129> sets a value from 2 - 8129. The default is 140.
  minimum-first-fragment-length <8-1500>       Optional. Defines the minimum length required for the first fragment (applicable to IPv4 and IPv6 packets). <8-1500> sets a value from 8 - 1500 bytes. The default is 8 bytes.
  timeout <1-60>                               Optional. Configures the virtual defragmentation timeout, in seconds, applicable to both IPv4 and IPv6 packets. <1-60> sets a value from 1 - 60 seconds. The default is 1 second.

The default minimum first fragment length of 8 bytes is the smallest value the command accepts. Raising it (the example below uses 100) forces the first fragment to carry the whole transport header, which is what the firewall needs to classify the datagram; a first fragment shorter than the header is the classic tiny-fragment evasion.

Example
  rfs6000-37FABE(config-fw-policy-test)#virtual-defragmentation maximum-fragments-per-datagram 10
  rfs6000-37FABE(config-fw-policy-test)#virtual-defragmentation minimum-first-fragment-length 100

Related Commands

  no   Resets values or disables virtual defragmentation settings

14 MINT-POLICY

This chapter summarizes MiNT policy commands in the CLI command structure.

All communication using the MiNT transport layer can be optionally secured. This includes confidentiality, integrity and authentication of all communications. In addition, a device can be configured to communicate over MiNT only with other devices authorized by an administrator.

Use the (config) instance to configure mint-policy related configuration commands. To navigate to the config MiNT policy instance, use the following command:

  <DEVICE>(config)#mint-policy global-default
  rfs6000-37FABE(config-mint-policy-global-default)#?
  Mint Policy Mode commands:
    level    Mint routing level
    lsp      LSP
    mtu      Configure the global Mint MTU
    no       Negate a command or set its defaults
    router   Mint router
    udp      Configure mint UDP/IP encapsulation

    clrscr   Clears the display screen
    commit   Commit all changes made in this session
    do       Run commands from Exec mode
    end      End current mode and change to EXEC mode
    exit     End current mode and down to previous mode
    help     Description of the interactive help system
    revert   Revert changes
    service  Service Commands
    show     Show running system information
    write    Write running configuration to memory or terminal
  rfs6000-37FABE(config-mint-policy-global-default)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.
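The four limits of the virtual-defragmentation command (13.1.18, above) are easiest to understand as a small state machine over fragments. The Python model below is an added example for this guide, not WiNG code; the Fragment records are constructed inputs rather than parsed IP headers, the verdict strings are this example's own, and the defaults in Limits are the ones the command description states. It rejects a first fragment shorter than minimum-first-fragment-length, caps concurrent reassemblies per source host, caps fragments per datagram, and expires stale reassemblies after the timeout.

```python
"""Virtual defragmentation with the four limits the virtual-defragmentation
command exposes. Added example for this guide: it is not WiNG code and
models only the policy decisions, not packet forwarding. Fragments are
constructed records, not parsed IP headers."""
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str      # source host (string form of the IPv4/IPv6 address)
    ident: int    # datagram identification shared by all its fragments
    offset: int   # byte offset of this fragment's payload in the datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # more-fragments flag; False on the last fragment


@dataclass(frozen=True)
class Limits:
    # Defaults are the ones the command description states.
    max_defrag_per_host: int = 8           # maximum-defragmentation-per-host
    max_fragments_per_datagram: int = 140  # maximum-fragments-per-datagram
    min_first_fragment_length: int = 8     # minimum-first-fragment-length (bytes)
    timeout: float = 1.0                   # timeout (seconds)


@dataclass
class Pending:
    first_seen: float
    frags: Dict[int, int] = field(default_factory=dict)  # offset -> length
    total: Optional[int] = None  # datagram length, known once the last fragment arrives


class VirtualDefragmenter:
    """Tracks partial datagrams and returns a verdict per fragment:
    'hold', 'complete', or 'drop:<reason>'."""

    def __init__(self, limits: Optional[Limits] = None, clock=time.monotonic):
        self.limits = limits or Limits()
        self.clock = clock
        self.pending: Dict[Tuple[str, int], Pending] = {}

    def expire(self, now: float) -> int:
        """Discard reassemblies older than the timeout; returns how many."""
        stale = [k for k, p in self.pending.items()
                 if now - p.first_seen > self.limits.timeout]
        for k in stale:
            del self.pending[k]
        return len(stale)

    def active_for(self, src: str) -> int:
        """Number of datagrams currently being reassembled for one source host."""
        return sum(1 for (s, _ident) in self.pending if s == src)

    def accept(self, frag: Fragment, now: Optional[float] = None) -> str:
        now = self.clock() if now is None else now
        self.expire(now)
        # A first fragment too short to hold the transport header is the
        # classic tiny-fragment evasion; reject it before tracking anything.
        if frag.offset == 0 and frag.length < self.limits.min_first_fragment_length:
            return "drop:first-fragment-too-short"
        key = (frag.src, frag.ident)
        entry = self.pending.get(key)
        if entry is None:
            if self.active_for(frag.src) >= self.limits.max_defrag_per_host:
                return "drop:per-host-defragmentation-limit"
            entry = self.pending[key] = Pending(first_seen=now)
        entry.frags[frag.offset] = frag.length  # a resend of the same offset is not a new fragment
        if len(entry.frags) > self.limits.max_fragments_per_datagram:
            del self.pending[key]
            return "drop:too-many-fragments"
        if not frag.more:
            entry.total = frag.offset + frag.length
        if entry.total is not None and self._covered(entry):
            del self.pending[key]
            return "complete"
        return "hold"

    @staticmethod
    def _covered(entry: Pending) -> bool:
        """True when the fragments cover bytes 0..total without a gap."""
        reach = 0
        for off in sorted(entry.frags):
            if off > reach:
                return False
            reach = max(reach, off + entry.frags[off])
        return entry.total is not None and reach >= entry.total


if __name__ == "__main__":
    d = VirtualDefragmenter()
    print(d.accept(Fragment("10.0.0.1", 1, 0, 4, True), now=0.0))   # too short
    print(d.accept(Fragment("10.0.0.1", 1, 0, 16, True), now=0.0))  # hold
    print(d.accept(Fragment("10.0.0.1", 1, 16, 16, False), now=0.1))  # complete
```

The per-host limit is what bounds memory under a fragment flood: once a source has max_defrag_per_host incomplete datagrams, further first fragments from it are dropped until the timeout frees a slot, which is why the default timeout is as short as one second.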
14.1 mint-policy

The following table summarizes MiNT policy configuration commands:

Table 14.1 MiNT-Policy-Config Commands

  Command   Description                                                                       Reference
  level     Configures the MiNT routing level                                                 page 14-3
  lsp       Enables adding a checksum to LSP messages forwarded across MiNT links             page 14-4
  mtu       Configures the global MiNT MTU                                                    page 14-5
  no        Negates a command or sets its default                                             page 14-8
  router    Configures the priority for MiNT router packets (HELLO, LSP, PSNP, and EXTVLAN)   page 14-6
  udp       Configures the MiNT UDP/IP encapsulation parameters                               page 14-7

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

14.1.1 level
mint-policy

Configures the global MiNT routing level

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  level 2 area-id <1-16777215>

Parameters

  level 2               Configures level 2 (inter-site) MiNT routing
  area-id <1-16777215>  Configures the routing area identifier. Specify a value from 1 - 16777215. The level 2 area ID is the global MiNT area identifier; it separates two overlapping MiNT networks. Configure a level 2 area ID only if two MiNT networks share the same packet broadcast domain.

Example
  rfs6000-37FABE(config-mint-policy-global-default)#level 2 area-id 2000
  rfs6000-37FABE(config-mint-policy-global-default)#show context
  mint-policy global-default
   level 2 area-id 2000
  rfs6000-37FABE(config-mint-policy-global-default)#

Related Commands

  no   Disables level 2 (inter-site) MiNT packet routing

14.1.2 lsp
mint-policy

Enables adding a checksum to link state packet (LSP) messages forwarded across MiNT links. When enabled, the checksum is used to verify the integrity of LSP messages. LSP messages exchanged over MiNT links can be corrupted in transit; corrupted LSPs cause inaccuracies in the Shortest Path First (SPF) calculation, which in turn leads to access point adoption problems. Enabling the LSP checksum helps troubleshoot adoption-related issues.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  lsp checksum

Parameters

  lsp checksum   Enables adding a checksum to LSP messages forwarded across MiNT links. When enabled, the integrity of each LSP message is verified by comparing the checksum at the MiNT link end nodes; a match means the message arrived uncorrupted.

A checksum detects accidental corruption only. It is not a message authentication code and does not protect LSPs against deliberate modification; that protection comes from securing the MiNT transport itself, as described in the chapter introduction.

Example
  nx4500-5CFA2B(config-mint-policy-global-default)#lsp checksum
  nx4500-5CFA2B(config-mint-policy-global-default)#show context
  mint-policy global-default
   lsp checksum
  nx4500-5CFA2B(config-mint-policy-global-default)#

Related Commands

  no   Disables adding a checksum to LSP messages forwarded across MiNT links

14.1.3 mtu
mint-policy

Configures the global MiNT Maximum Transmission Unit (MTU). Use this command to specify the maximum packet size, in bytes, for MiNT routing. A larger MTU gives better network efficiency: the user data per packet increases while the per-packet protocol overhead (headers and the underlying per-packet delays) stays the same.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mtu <900-1500>

Parameters

  <900-1500>   Specifies the maximum packet size, from 900 - 1500 bytes. The value entered is rounded down to the nearest value of the form 4 + a multiple of 8 (the example below enters 1000 and the device stores 996). The MTU setting specifies the maximum packet size used for MiNT packets; larger packets are fragmented to fit within this limit. Configure this parameter if the MiNT backhaul network requires or recommends smaller packet sizes. The default is 1500 bytes.

Example
  rfs6000-37FABE(config-mint-policy-global-default)#mtu 1000
  rfs6000-37FABE(config-mint-policy-global-default)#show context
  mint-policy global-default
   mtu 996
   level 2 area-id 2
  rfs6000-37FABE(config-mint-policy-global-default)#

Related Commands

  no   Reverts the configured MiNT MTU value to its default (1500 bytes)

14.1.4 router
mint-policy

Configures the priority for MiNT router packets (HELLO, LSP, PSNP, and EXTVLAN)

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  router packet priority <0-7>

Parameters

  router packet priority <0-7>   Configures the priority for MiNT router packets, from 0 - 7. The higher the value, the higher the priority; 7 is the highest. The default is 5.

Example
  rfs4000-229D58(config-mint-policy-global-default)#router packet priority 4
  rfs4000-229D58(config-mint-policy-global-default)#show context
  mint-policy global-default
   router packet priority 4
  rfs4000-229D58(config-mint-policy-global-default)#

Related Commands

  no   Reverts the MiNT router packet priority to its default (5)

14.1.5 udp
mint-policy

Configures MiNT UDP/IP encapsulation parameters. Use this command to change the UDP port used for MiNT control packet encapsulation.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  udp port <2-65534>

Parameters

  port <2-65534>   Configures the UDP port used for MiNT control packet encapsulation. Enter a value from 2 - 65534. The value must be an even number: the specified port carries MiNT control packets and the port number plus 1 carries MiNT data packets. The default is 24576 (control), with 24577 carrying data.

Any filter between MiNT peers must permit both ports, the configured even port and the odd port above it, and the peers must agree on the value.

Example
  rfs6000-37FABE(config-mint-policy-global-default)#udp port 1024
  rfs6000-37FABE(config-mint-policy-global-default)#show context
  mint-policy global-default
   udp port 1024
   mtu 996
   level 2 area-id 2000
   sign-unknown-device
   security-level control-and-data
   rejoin-timeout 1000
  rfs6000-37FABE(config-mint-policy-global-default)#

Related Commands

  no   Reverts MiNT UDP/IP encapsulation to its default

14.1.6 no
mint-policy

Negates a command or reverts values to their default. In the config MiNT policy mode, the no command resets or reverts the following global MiNT policy parameters: routing level, LSP checksum, MTU, router packet priority, and UDP/IP encapsulation settings.

Supported in the following platforms:
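The mtu (14.1.3) and udp (14.1.5) descriptions above each carry a rule that a candidate configuration can break without the CLI explaining why: the MTU is stored rounded down to 4 + a multiple of 8 (1000 becomes 996), and the UDP control port must be even because port + 1 carries MiNT data. The Python below is an added example for this guide, not WiNG code; it parses a mint-policy context such as the one printed above (embedded inline as constructed input) and checks those two rules together with the ranges of level 2 area-id and router packet priority. The check names and the planned-configuration input are this example's assumptions.

```python
"""Sanity-check a planned MiNT policy against the rules the mtu and udp
command descriptions give: the MTU is rounded down to 4 + a multiple of 8,
and the UDP control port must be even because port + 1 carries MiNT data.
Added example for this guide; it is not WiNG code, it only checks text and
does not push configuration to a device."""
import re
from typing import Dict, List, Tuple

MTU_MIN, MTU_MAX, MTU_DEFAULT = 900, 1500, 1500
PORT_MIN, PORT_MAX, PORT_DEFAULT = 2, 65534, 24576
AREA_MIN, AREA_MAX = 1, 16777215
PRIO_MIN, PRIO_MAX, PRIO_DEFAULT = 0, 7, 5

# Constructed input: the mint-policy context printed in the udp example
# above, one setting per line.
SAMPLE_MINT_POLICY = """\
mint-policy global-default
 udp port 1024
 mtu 996
 level 2 area-id 2000
 sign-unknown-device
 security-level control-and-data
 rejoin-timeout 1000
"""


def effective_mint_mtu(requested: int) -> int:
    """Round down to the largest value <= requested of the form 4 + 8n.
    The guide's example enters 1000 and the device stores 996."""
    if not MTU_MIN <= requested <= MTU_MAX:
        raise ValueError(f"mtu {requested} is outside {MTU_MIN}-{MTU_MAX}")
    return requested - ((requested - 4) % 8)


def mint_udp_ports(control_port: int = PORT_DEFAULT) -> Tuple[int, int]:
    """Return the (control, data) port pair; data is always control + 1."""
    if not PORT_MIN <= control_port <= PORT_MAX:
        raise ValueError(f"udp port {control_port} is outside {PORT_MIN}-{PORT_MAX}")
    if control_port % 2:
        raise ValueError(f"udp port {control_port} must be even (port + 1 carries data)")
    return control_port, control_port + 1


_PATTERNS = {
    "mtu": re.compile(r"^mtu (\d+)$"),
    "udp_port": re.compile(r"^udp port (\d+)$"),
    "area_id": re.compile(r"^level 2 area-id (\d+)$"),
    "router_priority": re.compile(r"^router packet priority (\d+)$"),
}


def parse_mint_policy(text: str) -> Dict[str, object]:
    """Pick the numeric settings out of a mint-policy context; keep the rest verbatim."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("mint-policy "):
        raise ValueError("expected a 'mint-policy <NAME>' header line")
    other: List[str] = []
    policy: Dict[str, object] = {"name": lines[0].split(None, 1)[1]}
    for line in lines[1:]:
        for key, pat in _PATTERNS.items():
            m = pat.match(line)
            if m:
                policy[key] = int(m.group(1))
                break
        else:
            if line == "lsp checksum":
                policy["lsp_checksum"] = True
            else:
                other.append(line)
    policy["other"] = other
    return policy


def check_mint_policy(text: str) -> List[str]:
    """Return the rule violations in a planned policy (an empty list means clean)."""
    p = parse_mint_policy(text)
    issues: List[str] = []
    mtu = int(p.get("mtu", MTU_DEFAULT))
    if not MTU_MIN <= mtu <= MTU_MAX:
        issues.append(f"mtu {mtu} is outside {MTU_MIN}-{MTU_MAX}")
    elif effective_mint_mtu(mtu) != mtu:
        issues.append(f"mtu {mtu} is not 4 + a multiple of 8; the device will store {effective_mint_mtu(mtu)}")
    try:
        mint_udp_ports(int(p.get("udp_port", PORT_DEFAULT)))
    except ValueError as exc:
        issues.append(str(exc))
    area = p.get("area_id")
    if area is not None and not AREA_MIN <= int(area) <= AREA_MAX:
        issues.append(f"level 2 area-id {area} is outside {AREA_MIN}-{AREA_MAX}")
    prio = int(p.get("router_priority", PRIO_DEFAULT))
    if not PRIO_MIN <= prio <= PRIO_MAX:
        issues.append(f"router packet priority {prio} is outside {PRIO_MIN}-{PRIO_MAX}")
    return issues


if __name__ == "__main__":
    print(check_mint_policy(SAMPLE_MINT_POLICY) or "no issues")
    print(mint_udp_ports(1024), effective_mint_mtu(1000))
```

The context from the guide passes because 996 is already of the form 4 + 8n and 1024 is even; a planned policy with mtu 1000, udp port 1023 and router packet priority 9 is reported with one issue per line.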
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [level|lsp|mtu|router|udp]
  no level 2 area-id
  no lsp checksum
  no mtu
  no router packet priority
  no udp port <LINE-SINK>

Parameters

  no <PARAMETERS>   The no command resets or reverts the following global MiNT policy parameters: routing level, LSP checksum, MTU, router packet priority, and UDP/IP encapsulation settings.

Example

The following example shows the global MiNT policy parameters before the no commands are executed:

  rfs6000-37FABE(config-mint-policy-global-default)#show context
  mint-policy global-default
   udp port 1024
   mtu 996
   level 2 area-id 2000
   sign-unknown-device
   security-level control-and-data
   rejoin-timeout 1000
  rfs6000-37FABE(config-mint-policy-global-default)#

  rfs6000-37FABE(config-mint-policy-global-default)#no level 2 area-id
  rfs6000-37FABE(config-mint-policy-global-default)#no mtu
  rfs6000-37FABE(config-mint-policy-global-default)#no udp port

The following example shows the global MiNT policy parameters after the no commands are executed:

  rfs6000-37FABE(config-mint-policy-global-default)#show context
  mint-policy global-default
   sign-unknown-device
   security-level control-and-data
   rejoin-timeout 1000
  rfs6000-37FABE(config-mint-policy-global-default)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide

15 MANAGEMENT-POLICY

This chapter summarizes management policy commands in the CLI command structure.

A management policy contains configuration elements for managing a device, such as access control, SNMP, admin user credentials, and roles.

A controller (wireless controller, access point, or service platform) uses mechanisms to allow or deny device access to separate interfaces and protocols (HTTP, HTTPS, FTP, Telnet, SSH or SNMP). Management access can be enabled or disabled as required for unique policies. The management access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces.

Controllers and service platforms can be managed using multiple interfaces (SNMP, CLI and Web UI). By default, management access is unrestricted, allowing management access to any enabled IP interface from any host using any enabled management service. To enhance security, administrators can do the following:

- Restrict SNMP, CLI and Web UI access to specific hosts or subnets.
- Disable un-used and insecure interfaces as required within managed access profiles. Disabling un-used management services can dramatically reduce an attack footprint and free resources on managed devices.
- Provide authentication for management users.
- Apply access restrictions and permissions to management users.

Management restrictions can be applied to meet specific policies or industry requirements requiring only certain devices or users be granted access to critical infrastructure devices. Management restrictions can also be applied to reduce the attack footprint of the device when guest services are deployed.

Access Points utilize a single management access policy, so ensure all the intended administrative roles, permissions, authentication and SNMP settings are correctly set. If an access point is functioning as a virtual controller AP, these are the access settings used by adopted access points of the same model as the virtual controller AP. It is recommended to disable un-used and insecure interfaces as required within managed access profiles.

Use the (config) instance to configure a management policy. To navigate to the config management policy instance, use the following commands:
<DEVICE>(config)#management-policy <POLICY-NAME>

To commit a management-policy, the policy must have at least one admin user account configured.

<DEVICE>(config-management-policy-<POLICY-NAME>)#user admin password 0 test role superuser access all
<DEVICE>(config-management-policy-<POLICY-NAME>)#
<DEVICE>(config-management-policy-<POLICY-NAME>)#?
Management Mode commands:
  aaa-login                Set authentication for logins
  allowed-locations        Add allowed locations
  banner                   Define a login banner
  ftp                      Enable FTP server
  http                     Hyper Text Terminal Protocol (HTTP)
  https                    Secure HTTP
  idle-session-timeout     Configure idle timeout for a configuration session (GUI or CLI)
  ipv6                     IPv6 Protocol
  no                       Negate a command or set its defaults
  passwd-retry             Lockout user if too many consecutive login failures
  privilege-mode-password  Set the password for entering CLI privilege mode
  rest-server              Enable rest server for device on-boarding functionality
  restrict-access          Restrict management access to the device
  snmp-server              SNMP
  ssh                      Enable ssh
  t5                       T5 configuration
  telnet                   Enable telnet
  user                     Add a user account

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal
<DEVICE>(config-management-policy-<POLICY-NAME>)#
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

15.1 management-policy

The following table summarizes management policy configuration commands:
Table 15.1 Management-Policy-Config Commands (Command, Description, Reference)

- aaa-login (page 15-5): Configures login authentication settings
- allowed-locations (page 15-7): Configures a user-role based access control to RF Domains and locations with respect to the NSight user interface (UI)
- banner (page 15-9): Configures the message of the day (motd) text
- ftp (page 15-10): Enables FTP on this management policy
- http (page 15-12): Enables HTTP on this management policy
- https (page 15-13): Enables HTTPS on this management policy
- idle-session-timeout (page 15-15): Sets the interval after which an idle session is terminated
- ipv6 (page 15-16): Restricts management access to specified hosts and/or subnets based on their IPv6 addresses and prefixes respectively
- no (page 15-18): Removes or resets this management policy's settings
- passwd-entry (page 15-20): Configures user-account lockout and unlock parameters
- privilege-mode-password (page 15-22): Configures the CLI's privilege mode access password
- rest-server (page 15-24): Enables the Representational State Transfer (REST) server to facilitate device on-boarding
- restrict-access (page 15-25): Restricts management access to a set of hosts or subnets
- snmp-server (page 15-28): Sets the SNMP server settings on this management policy
- ssh (page 15-33): Enables SSH on this management policy
- t5 (page 15-34): Configures SNMP server settings for T5 devices on this management policy. This command is available only on RFS4000, RFS6000, and NX95XX platforms.
- telnet (page 15-36): Enables Telnet on this management policy
- user (page 15-37): Creates a new user account
- service (page 15-41): Invokes service commands to troubleshoot or debug (config-if) instance configurations

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

15.1.1 aaa-login
management-policy

Configures the Authentication, Authorization and Accounting (AAA) authentication mode used with this management policy. The different modes are: local authentication and external RADIUS server authentication.

Supported in the following platforms:
- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

aaa-login [local|radius|tacacs]
aaa-login local
aaa-login radius [external|fallback|policy]
aaa-login radius [external|fallback|policy <AAA-POLICY-NAME>]
aaa-login tacacs [accounting|authentication|authorization|fallback|policy]
aaa-login tacacs [accounting|authentication|authorization|fallback|policy <AAA-TACACS-POLICY-NAME>]
Parameters

aaa-login local

local  Sets local as the preferred authentication mode. Local authentication uses the local username database to authenticate a user.
    Note: The AP6511 and AP6521 platforms do not support a local RADIUS resource.

aaa-login radius [external|fallback|policy <AAA-POLICY-NAME>]

radius  Configures the RADIUS server parameters.
    Note: If local authentication is disabled, use this command to specify whether the RADIUS server used is external, fallback, or specified by an AAA policy.
external  Configures an external RADIUS server as the preferred authentication mode
fallback  Configures RADIUS server authentication as the primary authentication mode. When RADIUS server authentication fails, the system uses local authentication. This command configures local authentication as a backup mode.
policy <AAA-POLICY-NAME>  Associates a specified AAA policy with this management policy. The AAA policy determines if a client is granted access to the network.
    <AAA-POLICY-NAME> Specify the AAA policy name (should be existing and configured).
    Note: For more information on configuring an AAA policy, see AAA-POLICY.

aaa-login tacacs [accounting|authentication|authorization|fallback|policy <AAA-TACACS-POLICY-NAME>]

tacacs  Configures Terminal Access Controller Access-Control System (TACACS) server parameters
accounting  Configures TACACS accounting
authentication  Configures TACACS authentication
authorization  Configures TACACS authorization
fallback  Configures TACACS as the primary authentication mode. When TACACS authentication fails, the system uses local authentication. This command configures local authentication as a backup mode.
policy <AAA-TACACS-POLICY-NAME>  Associates a specified AAA TACACS policy with this management policy. TACACS policies control user access to devices and network resources while providing separate accounting, authentication, and authorization services.
    <AAA-TACACS-POLICY-NAME> Specify the TACACS policy name (should be existing and configured).
    Note: For more information on configuring an AAA TACACS policy, see AAA-TACACS-POLICY.

Usage Guidelines

Use AAA login to determine whether management user authentication must be performed against a local user database or an external RADIUS server.

Example

rfs6000-37FABE(config-management-policy-test)#aaa-login radius external
rfs6000-37FABE(config-management-policy-test)#aaa-login radius policy test
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 aaa-login radius external
 aaa-login radius policy test
rfs6000-37FABE(config-management-policy-test)#
Related Commands

no  Removes the TACACS server settings

15.1.2 allowed-locations
management-policy

Configures a user-role based access control to RF Domains and locations with respect to the NSight user interface (UI). When configured, this access control is enforced only on the NSight UI.

The WiNG and NSight applications may have the same users with different permissions defined in each application. Various user roles are supported in WiNG (superuser, system-admin, network-admin, security-admin, device-provisioning-admin, helpdesk and monitor). With NSight, a user logging into the NSight UI should also have an access control restriction based on the role they're assigned. For example, a WiNG user with helpdesk privileges should have access to only the site (RF Domain) in which the helpdesk is situated, and the location tree should contain only one RF Domain. Similarly, when a user responsible for a set of sites logs in to NSight, their location tree needs to contain the RF Domains for which they're responsible.

NOTE: For more information on NSight-policy configuration, see nsight-policy.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]
Parameters

allowed-locations <WORD> locations [NONE|ALL|<LIST-OF-LOCATIONS>]

allowed-locations <WORD>  Configures a location tag and associates a list of locations with the tag
    <WORD> Provide a location tag not exceeding 32 characters in length.
locations [NONE|ALL|<LIST-OF-LOCATIONS>]  Associates locations with the above created location tag
    NONE  When specified, states that none of the locations are to be allowed access.
    ALL  When specified, states that all the locations are to be allowed access.
    <LIST-OF-LOCATIONS>  Specifies a list of locations or individual RF Domains. When specified, states that the specified list of locations or RF Domains are allowed access.

Example

nx9500-6C8809(config-management-policy-test)#allowed-locations Ecospace locations TechPubs ALL
nx9500-6C8809(config-management-policy-test)#allowed-locations TEST locations NONE
nx9500-6C8809(config-management-policy-test)#show context
management-policy test
 no telnet
 no http server
 https server
 ssh
 allowed-location TEST locations NONE
 allowed-location Ecospace locations TechPubs ALL
nx9500-6C8809(config-management-policy-test)#
Related Commands

no  Removes the allowed-locations configuration

15.1.3 banner
management-policy

Configures the message of the day (motd) text. This text is displayed at login to clients connecting through Telnet or SSH.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

banner motd <LINE>

Parameters

banner motd <LINE>

motd <LINE>  Sets the motd banner
    <LINE> Enter the message string. The message string should not exceed 255 characters.

Example

rfs6000-37FABE(config-management-policy-test)#banner motd Have a Good Day
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd Have a Good Day
rfs6000-37FABE(config-management-policy-test)#
Related Commands

no  Removes the motd banner

15.1.4 ftp
management-policy

Enables File Transfer Protocol (FTP) on this management policy. FTP is the standard protocol for transferring files over a TCP/IP network. FTP requires administrators to enter a valid username and password authenticated locally. FTP access is disabled by default.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ftp {password|rootdir|username}
ftp {password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>]}
ftp {rootdir <DIR>}
ftp {username <USERNAME> password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>] rootdir <DIR>}
Parameters

ftp {password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>]}

ftp password  Optional. Configures the FTP server password
    1 <ENCRYPTED-PASSWORD>  Configures an encrypted password. Use this option when copy-pasting the password from another device.
        <ENCRYPTED-PASSWORD> Specify the password. The password should not exceed 63 characters in length.
    <PASSWORD>  Configures a clear text password

ftp {rootdir <DIR>}

ftp rootdir <DIR>  Optional. Configures the root directory for FTP logins
    <DIR> Specify the root directory path. By default the root directory is set to flash:/

ftp {username <USERNAME> password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>] rootdir <DIR>}

ftp username <USERNAME>  Optional. Configures a new user account on the FTP server. The FTP user file lists users with FTP server access.
    <USERNAME> Specify the username. The username should not exceed 32 characters in length.
password [1 <ENCRYPTED-PASSWORD>|<PASSWORD>]  Configures the FTP user's password
    1 <ENCRYPTED-PASSWORD>  Specifies an encrypted password (use this option if copy-pasting from another device). The password should not exceed 63 characters in length.
    <PASSWORD>  Configures a clear text password
    After specifying the password, configure the FTP root directory.
rootdir <DIR>  Configures the root directory for FTP logins. Specify the root directory path.

Usage Guidelines

The string size of an encrypted password (option 1, password is encrypted with a SHA1 algorithm) must be exactly 40 characters.

Example

rfs6000-37FABE(config-management-policy-test)#ftp username superuser password test@123 rootdir dir
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#
Related Commands

no  Disables FTP and its settings, such as the server password, root directory, and users

15.1.5 http
management-policy

Enables Hyper Text Transport Protocol (HTTP) on this management policy.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

http server

Parameters

http server

http server  Enables HTTP on this management policy. HTTP provides limited authentication and no encryption.

Example

rfs6000-37FABE(config-management-policy-test)#http server
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#
Related Commands

no  Disables HTTP on this management policy

15.1.6 https
management-policy

Enables Hyper Text Transport Protocol Secure (HTTPS) on this management policy.

NOTE: If a RADIUS server is not reachable, HTTPS management access to the controller or access point may be denied. RADIUS support is available locally on controllers and access points, with the exception of AP6511 and AP6522 models, which require an external RADIUS resource.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

https [server|sslv3|use-secure-ciphers-only]

Parameters

https [server|sslv3|use-secure-ciphers-only]

https  Configures secure HTTP related parameters on this management policy
server  Enables HTTPS on this management policy. HTTPS provides both authentication and data encryption as opposed to just authentication. This option is enabled by default.
sslv3  Enables the use of the SSLv3 protocol to connect to a Web page. When enabled, SSLv2 Web authentication is disabled, and the use of Web browsers supporting SSLv3, which is a more secure protocol, is enforced. This option is disabled by default.
use-secure-ciphers-only  Enables the use of TLS v1.2 ciphers to secure client-server network communications. When enabled, the TLS v1.2 protocol is used for HTTPS connections instead of the less secure TLS v1.0 or TLS v1.1 protocols. This option is enabled by default.

Example

rfs6000-37FABE(config-management-policy-test)#https server
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

The following example shows that the use-secure-ciphers-only option is enabled by default:

rfs6000-817379(config-management-policy-default)#show context include-factory | incl https
 https server
 no https sslv3
 https use-secure-ciphers-only
rfs6000-817379(config-management-policy-default)#
Related Commands

no  Disables HTTPS on this management policy

15.1.7 idle-session-timeout
management-policy

Configures a session's idle timeout. An idle session is automatically terminated after the specified interval is exceeded.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

idle-session-timeout <1-4320>

Parameters

idle-session-timeout <1-4320>

<1-4320>  Sets the interval, in minutes, after which an idle session is timed out. Specify a value from 1 - 4320 minutes. The default is 30 minutes.

Example

rfs6000-37FABE(config-management-policy-test)#idle-session-timeout 100
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 100
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#
Related Commands

no  Removes the configured idle session timeout value

15.1.8 ipv6
management-policy

Restricts management access to specified hosts and/or subnets based on their IPv6 addresses and prefixes respectively.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

ipv6 restrict-access [host|ipv6-access-list|subnet]
ipv6 restrict-access host <IPv6> {log|subnet}
ipv6 restrict-access host <IPv6> {log [all|denied-only]}
ipv6 restrict-access host <IPv6> {subnet <IPv6-PREFIX> {log [all|denied-only]}}
ipv6 restrict-access ipv6-access-list <IPv6-ACCESS-LIST-NAME>
ipv6 restrict-access subnet <IPv6-PREFIX> {host|log}
ipv6 restrict-access subnet <IPv6-PREFIX> {log [all|denied-only]}
ipv6 restrict-access subnet <IPv6-PREFIX> {host <IPv6> {log [all|denied-only]}}

Parameters

ipv6 restrict-access host <IPv6> {log [all|denied-only]}

host <IPv6>  Restricts management access to a specified host, based on the host's IPv6 address
    <IPv6> Specify the host's IPv6 address.
log [all|denied-only]  Optional. Configures a logging policy for access requests
    all  Logs all access requests, both denied and permitted
    denied-only  Logs only denied access events (when a host is denied access)

ipv6 restrict-access host <IPv6> {subnet <IPv6-PREFIX> {log [all|denied-only]}}

host <IPv6>  Restricts management access to a specified host, based on the host's IPv6 address.
    <IPv6> Specify the host's IPv6 address.
subnet <IPv6-PREFIX>  Optional. Restricts access to the host on a specified IPv6 subnet
    <IPv6-PREFIX> Specify the subnet's IPv6 prefix in the X:X::X:X/M format.
log [all|denied-only]  Optional. Configures a logging policy for access requests
    all  Logs all access requests, both denied and permitted
    denied-only  Logs only denied access events (when a host/subnet is denied access)

ipv6 restrict-access ipv6-access-list <IPv6-ACCESS-LIST-NAME>

ipv6-access-list <IPv6-ACCESS-LIST-NAME>  Uses an IPv6 Access Control List (ACL) to filter access requests. IPv6 ACLs filter/mark packets based on the IPv6 address from which they arrive. IPv6 hosts configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. An IPv6 ACL, created beforehand, can be referenced in the management policy context to permit or deny access to specific hosts and/or subnets.
    <IPv6-ACCESS-LIST-NAME> Specify the IPv6 ACL name.

ipv6 restrict-access subnet <IPv6-PREFIX> {log [all|denied-only]}

subnet <IPv6-PREFIX>  Restricts management access to a specified IPv6 subnet
    <IPv6-PREFIX> Specify the subnet's IPv6 prefix in the X:X::X:X/M format.
log [all|denied-only]  Optional. Configures a logging policy for access requests
    all  Logs all access requests, both denied and permitted
    denied-only  Logs only denied access events (when a host/subnet is denied access)

ipv6 restrict-access subnet <IPv6-PREFIX> {host <IPv6> {log [all|denied-only]}}

subnet <IPv6-PREFIX>  Restricts management access to a specified IPv6 subnet
    <IPv6-PREFIX> Specify the subnet's IPv6 prefix in the X:X::X:X/M format.
host <IPv6>  Optional. Restricts management access to a specific host within the specified subnet
    <IPv6> Specify the host's IPv6 address.
log [all|denied-only]  Optional. Configures a logging policy for access requests
    all  Logs all access requests, both denied and permitted
    denied-only  Logs only denied access events (when a host/subnet is denied access)

Example

rfs6000-37FABE(config-management-policy-test)#ipv6 restrict-access host 2001:fdbc:06cf:0011::13 subnet 2001:fdbc:06cf:0011::0/64 log all
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 ipv6 restrict-access host 2001:fdbc:06cf:0011::13 subnet 2001:fdbc:06cf:0011::0/64 log all
rfs6000-37FABE(config-management-policy-test)#
Related Commands

no  Removes management access restriction settings

15.1.9 no
management-policy

Negates a command or reverts values to their default. When used in the config management policy mode, the no command negates or reverts management policy settings.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [aaa-login|allowed-locations|banner|ftp|http|https|idle-session-timeout|ipv6|passwd-entry|privilege-mode-password|rest-server|restrict-access|snmp-server|ssh|t5|telnet|user|service]
no aaa-login tacacs [accounting|authentication|authorization|fallback|policy]
no allowed-location <LOCATION-TAG>
no banner motd
no ftp {password|rootdir}
no http server
no https [server|sslv3|use-secure-ciphers-only]
no passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin]
no [idle-session-timeout|privilege-mode-password|rest-server|restrict-access]
no ipv6 restrict-access
no snmp-server [community|display-vlan-info-per-radio|enable|host|manager|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user]
no snmp-server [community <WORD>|display-vlan-info-per-radio|enable traps|host <IP> {<1-65535>}|manager [all|v1|v2|v3]|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user [snmpmanager|snmpoperator|snmptrap]]
no ssh {login-grace-time|port|use-key}
no t5 snmp-server [community|enable|host]
no [telnet|user <USERNAME>]
no service prompt crash-info

Parameters

no <PARAMETERS>

no <PARAMETERS>  Removes or reverts this management policy's settings based on the parameters passed

Example

The following example shows the management policy test settings before the no commands are executed:

rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 100
 banner motd "Have a Good Day"
rfs6000-37FABE(config-management-policy-test)#

rfs6000-37FABE(config-management-policy-test)#no banner motd
rfs6000-37FABE(config-management-policy-test)#no idle-session-timeout
rfs6000-37FABE(config-management-policy-test)#no http server

The following example shows the management policy test settings after the no commands are executed:

rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
rfs6000-37FABE(config-management-policy-test)#
15.1.10 passwd-entry
management-policy

Configures user-account lockout and unlock parameters. Use this option to configure the maximum number of consecutive, failed login attempts allowed before an account is locked out, and the duration of the lockout.

Supported in the following platforms:

- Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>

Parameters

passwd-entry role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|vendor-admin|web-user-admin] max-fail <1-100> lockout-time <0-600>

passwd-entry role [...] max-fail <1-100> lockout-time <0-600>  Configures user-role based account lockout criteria
    role  Select the user-role. The options are: device-provisioning-admin, helpdesk, monitor, network-admin, security-admin, superuser, system-admin, vendor-admin, web-user-admin
    max-fail <1-100>  Specify the maximum number of consecutive, failed attempts allowed before an account is locked. Specify a value from 1 - 100.
    lockout-time <0-600>  Specify the maximum time, in minutes, for which an account remains locked. The value 0 indicates that the account is permanently locked. Specify a value from 0 - 600 minutes.
    When configured, the lockout is individually applied to each account within the specified role/roles. For example, consider the monitor role having two users: user1 and user2. The max-fail and lockout-time are set at 5 attempts and 10 minutes respectively. In this scenario, user2 makes 5 consecutive, failed login attempts, and the user2 account is locked out for 10 minutes. However, during this lockout time the user1 account remains active.
    Note: In the event-system-policy context, enable login-lockout and login-unlocked event notification to trigger e-mail or syslog notification to users on occurrence of the login-lockout and login-unlock events. For more information, see event.

Example

rfs6000-817379(config-management-policy-default)#passwd-retry role monitor max-fail 5 lockout-time 10
rfs6000-817379(config-management-policy-default)#show con management-policy default
management-policy default
 no telnet
 no http server
 https server
 ssh
 user admin password 1 979cfb9288837ee26d74d07b5ea328fd0e9a2b55cf5104649c2b496cc94e7003 role superuser access all
 passwd-retry role monitor max-fail 2 lockout-time 5
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
rfs6000-817379(config-management-policy-default)#
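The chapter's hardening advice (restrict management hosts, disable Telnet and HTTP, keep use-secure-ciphers-only, configure passwd-retry lockout, avoid well-known SNMP communities) can be checked mechanically against a "show context" block like the one above. The following audit script is an added example, not code from this guide or from WiNG; both sample policies, the 2001:db8 prefix, the community string and the placeholder hash are constructed, and it assumes the digit after "community" is an encoding marker in the same way as "password 0 test" earlier in this chapter.

```python
"""Audit a WiNG 'show context' management-policy block against the hardening
advice in this chapter.  Added example; not code from the CLI guide or WiNG."""

# Constructed sample in the same layout as the guide's 'show context' output;
# the password hash is a placeholder, nothing here came from a real device.
DEFAULT_LIKE_POLICY = """\
management-policy default
 no telnet
 http server
 https server
 ssh
 user admin password 1 HASH-PLACEHOLDER role superuser access all
 idle-session-timeout 100
 snmp-server community 0 private rw
 snmp-server community 0 public ro
 snmp-server user snmptrap v3 encrypted des auth md5 0 admin123
 snmp-server user snmpmanager v3 encrypted des auth md5 0 admin123
"""

# Constructed hardened counterpart built only from commands shown in this chapter.
HARDENED_POLICY = """\
management-policy hardened
 no telnet
 no http server
 https server
 ssh
 user admin password 1 HASH-PLACEHOLDER role superuser access all
 idle-session-timeout 15
 ipv6 restrict-access subnet 2001:db8:0:11::/64 log denied-only
 passwd-retry role superuser max-fail 5 lockout-time 10
 snmp-server community 0 ops-ro-c0mmunity ro
"""

DEFAULT_IDLE_TIMEOUT_MIN = 30               # default stated in the guide
WELL_KNOWN_COMMUNITIES = {"public", "private"}


def parse_policy(text):
    """Split a show-context block into (policy name, list of token tuples)."""
    name, settings = None, []
    for raw in text.splitlines():
        tokens = tuple(raw.split())
        if not tokens:
            continue
        if name is None and tokens[0] == "management-policy" and len(tokens) > 1:
            name = tokens[1]
            continue
        settings.append(tokens)
    return name, settings


def _has(settings, *prefix):
    """True when some setting line starts with exactly these tokens."""
    return any(s[:len(prefix)] == prefix for s in settings)


def _community_name(tokens):
    # 'snmp-server community 0 private rw': as with 'password 0 test' in this
    # chapter, the digit is taken (assumed) to mark the encoding, so the name
    # is the token after it.
    rest = tokens[2:]
    if rest and rest[0].isdigit():
        rest = rest[1:]
    return rest[0] if rest else None


def audit_policy(text):
    """Return a list of (code, message) findings for one management policy."""
    _, settings = parse_policy(text)
    findings = []
    if _has(settings, "telnet"):
        findings.append(("telnet-enabled", "Telnet enabled: clear-text CLI access; use SSH"))
    if _has(settings, "http", "server"):
        findings.append(("http-enabled", "HTTP enabled: limited authentication and no encryption"))
    if not _has(settings, "https", "server"):
        findings.append(("https-disabled", "HTTPS disabled: Web UI has no encrypted option"))
    if _has(settings, "no", "https", "use-secure-ciphers-only"):
        findings.append(("weak-tls", "use-secure-ciphers-only is off: TLS 1.0/1.1 accepted"))
    if not (_has(settings, "restrict-access") or _has(settings, "ipv6", "restrict-access")):
        findings.append(("unrestricted", "no restrict-access: management reachable from any host"))
    if not _has(settings, "passwd-retry"):
        findings.append(("no-lockout", "no passwd-retry: unlimited consecutive login failures"))
    for s in settings:
        if s[:1] == ("idle-session-timeout",) and len(s) > 1 and s[1].isdigit():
            if int(s[1]) > DEFAULT_IDLE_TIMEOUT_MIN:
                findings.append(("long-idle-timeout", f"idle-session-timeout {s[1]} exceeds the 30-minute default"))
        elif s[:2] == ("snmp-server", "community"):
            name = _community_name(s)
            if name in WELL_KNOWN_COMMUNITIES:
                findings.append(("default-community", f"SNMP community '{name}' is a well-known default"))
        elif s[:2] == ("snmp-server", "user") and ({"md5", "des"} & set(s)):
            findings.append(("legacy-snmpv3-crypto", f"SNMPv3 user {s[2]} uses MD5/DES"))
    return findings


if __name__ == "__main__":
    for policy in (DEFAULT_LIKE_POLICY, HARDENED_POLICY):
        name, _ = parse_policy(policy)
        print(f"{name}: {len(audit_policy(policy))} finding(s)")
        for code, msg in audit_policy(policy):
            print(f"  [{code}] {msg}")
```

Paste the output of "show context" for a policy into the place of the sample string to audit a real device; settings that the device omits because they are at their factory default (such as use-secure-ciphers-only) are treated as the default the guide states.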
Related Commands
no    Removes the user-account lockout and unlock parameters configured here

15.1.11 privilege-mode-password
management-policy

Configures the CLI's privilege mode access password. Use this option to strengthen security by enforcing a second level of authentication to access the privilege configuration mode.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
privilege-mode-password <PASSWORD/HASHED-STRING-ALIAS-NAME>
Parameters
privilege-mode-password <PASSWORD/HASHED-STRING-ALIAS-NAME>

privilege-mode-password <PASSWORD/HASHED-STRING-ALIAS-NAME>
  Configures the password required to enter the privilege configuration mode. When configured, users are prompted to provide the password when enabling the privilege configuration mode.
  <PASSWORD/HASHED-STRING-ALIAS-NAME>  Enter the password as clear text, or provide a hashed-string alias. If using a hashed-string alias, ensure that the alias exists and is configured. Note that the clear text password is saved and displayed as a hashed string. Hashing is a means of establishing the integrity of transmitted messages. Before transmission, a hash of the message is generated, encrypted and sent along with the message. At the receiving end, the message and the hash are both decrypted, and another hash is generated from the received message. The two hashes are compared. If both are identical, the message is considered to have been transmitted intact.
  Note: For more information on configuring a hashed-string alias, see alias.

Example
The following example shows the privilege mode password being configured as a hashed string:
rfs6000-37FABE(config-management-policy-test)#privilege-mode-password 1 2e9f038ac2ed27f919ed5a4dceb3d30e32f356f2ceff6fbf26a153d0339c734f
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 privilege-mode-password 1 2e9f038ac2ed27f919ed5a4dceb3d30e32f356f2ceff6fbf26a153d0339c734f
rfs6000-37FABE(config-management-policy-test)#
Follow the steps below to configure a hashed-string alias and use it as a privilege mode password:

1. In the global-configuration context, create a hashed-string alias.
nx9500-6C8809(config)#alias hashed-string $PriMode Test12345
nx9500-6C8809(config)#show context | include alias
alias vlan $BLR-01 1
alias string $IN-Blr-EcoSpace-Floor-4 IBEF4
alias encrypted-string $READ 0 public
alias encrypted-string $WRITE 0 private
alias hashed-string $PriMode 1 faffdde27cb49ad634ea20df4f7c8ef2685894d10ffcb1b2efba054112ecfc75
nx9500-6C8809(config)#

2. In the management-policy context, configure the hashed-string alias created in step 1 as the privilege mode password.
nx9500-6C8809(config-management-policy-test)#privilege-mode-password $PrivMode
nx9500-6C8809(config-management-policy-default)#show context
management-policy default
 https server
 rest-server
 ssh
 user admin password 1 ad4d8797f007444ccdda3788b9ee0e8b46f3facb4308e045239eb7771e127ed5 role superuser access all
 snmp-server community 0 $WRITE rw
 snmp-server community 0 $READ ro
 snmp-server user snmptrap v3 encrypted des auth md5 2 yqr96yyVzmD4ZbU2I7Eh/QAAAAjWNKa4KXF95pruUCSnhOiT
 snmp-server user snmpmanager v3 encrypted des auth md5 2 NOf8+2+AY2r4ZbU2I7Eh/QAAAAgc0l8ahJYo3AjHo9wXzYGo
 t5 snmp-server community public ro 192.168.0.1
 t5 snmp-server community private rw 192.168.0.1
 privilege-mode-password $PriMode
nx9500-6C8809(config-management-policy-default)#

3. Confirm that the privilege mode is password protected.
nx9500-6C8809 login: admin
Password:
Feb 07 14:40:47 2017: %AUTH-6-INFO: login[28768]: user 'admin' on 'ttyS0' from 'Console' logged in
Feb 07 14:40:47 2017: nx9500-6C8809 : %SYSTEM-5-LOGIN: Successfully logged in user 'admin' with privilege 'superuser' from 'ttyS0'
nx9500-6C8809>en
Password:
Related Commands
no    Removes the configured CLI privilege mode access password

15.1.12 rest-server
management-policy

Enables the Representational State Transfer (REST) server. When enabled, the REST server allows vendor users access to the online device registration portal. All requests and responses to and from the on-boarding portal are handled by the REST server through RESTful Application Programming Interface (API) transactions. The REST server serves the Web pages used to associate a device's MAC address with a specific vendor group. Each vendor has a vendor-admin user who is assigned a unique username/password credential for RADIUS server validation. Successfully validated vendor-admins can access the online device registration portal to on-board devices. For more information on vendor-admin user configuration, see user.

The REST server is enabled by default.

Supported in the following platforms:
Service Platforms: NX9500, NX9510, NX9600, VX9000

Syntax
rest-server

Parameters
None

Example
nx9500-6C8809(config-management-policy-testMNGTPolicy)#show context
management-policy testMNGTPolicy
 no telnet
 no http server
 https server
 rest-server
 ssh
nx9500-6C8809(config-management-policy-testMNGTPolicy)#
nx9500-6C8809(config-management-policy-testMNTPolicy)#no rest-server
nx9500-6C8809(config-management-policy-testMNGTPolicy)#show context
management-policy testMNGTPolicy
 no telnet
 no http server
 https server
 no rest-server
 ssh
nx9500-6C8809(config-management-policy-testMNGTPolicy)#
Related Commands
no    Disables the REST server

15.1.13 restrict-access
management-policy

Restricts management access to a set of hosts or subnets.

Restricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This ensures only trusted hosts can perform management tasks and provides protection from brute force attacks by hosts attempting to break into the controller or service platform managed network.

Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access). Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
restrict-access [host|ip-access-list|subnet]
restrict-access host <IP> {log|subnet}
restrict-access host <IP> {log [all|denied-only]}
restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}
restrict-access ip-access-list <IP-ACCESS-LIST-NAME>
restrict-access subnet <IP/M> {host|log}
restrict-access subnet <IP/M> {log [all|denied-only]}
restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}
Parameters
restrict-access host <IP> {log [all|denied-only]}

host <IP>
  Restricts management access to a specified host, based on the host's IPv4 address.
  <IP>  Specify the host's IPv4 address.
log [all|denied-only]
  Optional. Configures a logging policy for access requests.
  all  Logs all access requests, both denied and permitted.
  denied-only  Logs only denied access (when an access request is received from a host denied access, a record is logged).

restrict-access host <IP> {subnet <IP/M> {log [all|denied-only]}}

host <IP>
  Restricts management access to a specified host, based on the host's IPv4 address.
  <IP>  Specify the host's IPv4 address.
subnet <IP/M>
  Optional. Restricts access to the host on a specified subnet.
  <IP/M>  Specify the subnet's IPv4 address and mask in the A.B.C.D/M format.
log [all|denied-only]
  Optional. Configures a logging policy for access requests.
  all  Logs all access requests, both denied and permitted.
  denied-only  Logs only denied access events (when an access request received from a host is denied).

restrict-access ip-access-list <IP-ACCESS-LIST-NAME>

ip-access-list <IP-ACCESS-LIST-NAME>
  Uses an IPv4 ACL to filter access requests. IPv4 ACLs filter/mark packets based on the IPv4 address from which they arrive. IP and non-IP traffic on the same layer 2 interface can be filtered by applying an IPv4 ACL. Each IPv4 ACL contains a set of deny and/or permit rules. Each rule is specific to source and destination IPv4 addresses and the unique rules and precedence definitions assigned. When the network traffic matches the criteria specified in one of these rules, the action defined in that rule is used to determine whether the traffic is allowed or denied.
  <IP-ACCESS-LIST-NAME>  Specify the IPv4 ACL name.

restrict-access subnet <IP/M> {log [all|denied-only]}

subnet <IP/M>
  Restricts management access to a specified subnet.
  <IP/M>  Specify the subnet's IPv4 address and mask in the A.B.C.D/M format.
log [all|denied-only]
  Optional. Configures a logging policy for access requests. Sets the log type generated for access requests.
  all  Logs all access requests, both denied and permitted.
  denied-only  Logs only denied access events (when an access request received from a subnet is denied).

restrict-access subnet <IP/M> {host <IP> {log [all|denied-only]}}

subnet <IP/M>
  Restricts management access to a specified subnet.
  <IP/M>  Specify the subnet's IPv4 address and mask in the A.B.C.D/M format.
host <IP>
  Optional. Uses the host IP address as a second filter.
  <IP>  Specify the host's IPv4 address.
log [all|denied-only]
  Optional. Configures a logging policy for access requests. Sets the log type generated for access requests.
  all  Logs all access requests, both denied and permitted.
  denied-only  Logs only denied access events (when an access request received from a host within the specified subnet is denied).

Example
rfs6000-37FABE(config-management-policy-test)#restrict-access host 172.16.10.4 log denied-only
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.4 log denied-only
rfs6000-37FABE(config-management-policy-test)#
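As an added example of what the restrict-access forms above decide, the following evaluator applies a host, subnet, host-within-subnet or IPv4 ACL restriction to a constructed set of management connection attempts and emits log records under the log all / denied-only policy. This is illustration code written for this page, not WiNG code. Two readings are this example's assumptions rather than statements from the guide: when both host and subnet are given, both filters must match, and an ACL with no matching rule denies.

```python
"""Evaluates management-access requests against the restrict-access forms
(host, subnet, host within subnet, IPv4 ACL) and applies the
log [all|denied-only] policy. Added illustration; not WiNG code.
Assumptions: host+subnet means both must match; an ACL with no matching
rule denies."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class RestrictAccess:
    host: Optional[str] = None                    # restrict-access host <IP>
    subnet: Optional[str] = None                  # restrict-access subnet <IP/M>
    acl: Optional[List[Tuple[str, str]]] = None   # ip-access-list: [("permit"|"deny", "A.B.C.D/M"), ...]
    log: Optional[str] = None                     # None, "all" or "denied-only"


def is_permitted(rule: RestrictAccess, src: IPv4) -> bool:
    if rule.acl is not None:
        for action, net in rule.acl:              # first matching ACL rule wins
            if src in ipaddress.ip_network(net, strict=False):
                return action == "permit"
        return False                              # no match: deny (assumption)
    permitted = True
    if rule.host is not None:
        permitted = permitted and src == ipaddress.ip_address(rule.host)
    if rule.subnet is not None:                   # second filter (assumption: both must match)
        permitted = permitted and src in ipaddress.ip_network(rule.subnet, strict=False)
    return permitted


def check_request(rule: RestrictAccess, src_ip: str, service: str, log: List[str]) -> bool:
    """Decides one management connection; appends a log record when the policy asks for one."""
    src = ipaddress.ip_address(src_ip)
    permitted = is_permitted(rule, src)
    if rule.log == "all" or (rule.log == "denied-only" and not permitted):
        verdict = "permit" if permitted else "deny"
        log.append(f"restrict-access {verdict} {service} from {src}")
    return permitted


# Constructed sample of management connection attempts: (source IP, service).
ATTEMPTS = [("172.16.10.4", "ssh"), ("172.16.10.9", "https"),
            ("10.0.0.5", "ssh"), ("172.16.10.4", "https")]


def run(rule: RestrictAccess) -> Tuple[List[bool], List[str]]:
    """Applies one rule to every sample attempt; returns (decisions, log lines)."""
    log: List[str] = []
    decisions = [check_request(rule, ip, svc, log) for ip, svc in ATTEMPTS]
    return decisions, log


if __name__ == "__main__":
    # The guide's example: restrict-access host 172.16.10.4 log denied-only
    print(run(RestrictAccess(host="172.16.10.4", log="denied-only")))
    # restrict-access subnet 172.16.10.0/24 log all
    print(run(RestrictAccess(subnet="172.16.10.0/24", log="all")))
```

With the guide's own rule (host 172.16.10.4, log denied-only) only the two rejected attempts produce log lines; with log all every decision is recorded, which is the setting to prefer when the records feed a SIEM.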
Related Commands
no    Removes device access restrictions

15.1.14 snmp-server
management-policy

Configures the Simple Network Management Protocol (SNMP) engine settings.

SNMP is an application layer protocol that facilitates the exchange of management information between the controller and a managed device. SNMP enabled devices listen on port 162 (by default) for SNMP packets from the controller's management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string gathers statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters. SNMP is generally used to monitor a system's performance and other parameters.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
snmp-server [community|enable|display-vlan-info-per-radio|host|manager|max-pending-requests|request-timeout|suppress-security-configuration-level|throttle|user]
snmp-server community [0 <WORD>|2 <WORD>|<WORD>] [ro|rw] {ip-snmp-access-list <IP-SNMP-ACL-NAME>}
snmp-server enable traps
snmp-server host <IP> [v1|v2c|v3] {<1-65535>}
snmp-server manager [all|v1|v2|v3]
snmp-server [max-pending-requests {<64-1024>}|request-timeout {<2-720>}]
snmp-server [display-vlan-info-per-radio|throttle <1-100>|suppress-security-configuration-level [0|1]]
snmp-server user [snmpmanager|snmpoperator|snmptrap]
snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 [auth|encrypted]
snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 auth md5 [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 encrypted [auth md5|des auth md5] [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
Parameters
snmp-server community [0 <WORD>|2 <WORD>|<WORD>] [ro|rw] {ip-snmp-access-list <IP-SNMP-ACL-NAME>}

community [0 <WORD>|2 <WORD>|<WORD>] [ro|rw]
  Sets the community string and associated access privileges. Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public for the read-only community string, and private for the read-write community string.
  0 <WORD>  Sets a clear text SNMP community string
  2 <WORD>  Sets an encrypted SNMP community string
  <WORD>  Sets the SNMP community string
  After configuring the SNMP community string, set the access permission for each community string used by devices to retrieve or modify information. Available options include:
  ro  Assigns read-only access to the specified SNMP community (allows a remote device to retrieve information)
  rw  Assigns read and write access to the specified SNMP community (allows a remote device to modify settings)
ip-snmp-access-list <IP-SNMP-ACL-NAME>
  Optional. Associates an IP SNMP access list (should be existing and configured). The IP SNMP ACL sets the SNMP management station's IP address. SNMP trap information is received at this address.

snmp-server enable traps

enable traps
  Enables trap generation (using the trap receiver configuration defined). This feature is disabled by default. Enabling this feature ensures the dispatch of SNMP notifications to all hosts. In a managed network, the controller uses SNMP trap receivers to notify faults. SNMP traps are unsolicited notifications triggered by thresholds (or actions) on devices and are therefore an important fault management tool. An SNMP trap receiver is the destination of SNMP messages (external to the controller). A trap is like a Syslog message, just over another protocol (SNMP). A trap is generated when a device consolidates event information and transmits the information to an external repository. The trap contains several standard items, such as the SNMP version, community, etc. SNMP trap notifications exist for most controller operations, but not all are necessary for day-to-day operation.

snmp-server host <IP> [v1|v2c|v3] {<1-65535>}

host <IP>
  Configures a host's IP address. This is the external server resource dedicated to receiving SNMP traps on behalf of the controller.
[v1|v2c|v3]
  Configures the SNMP version used to send the traps
  v1  Uses SNMP version 1. This option is disabled by default.
  v2c  Uses SNMP version 2c. This option is disabled by default.
  v3  Uses SNMP version 3. This option is enabled by default.
<1-65535>
  Optional. Configures the virtual port of the server resource dedicated to receiving SNMP traps
  <1-65535>  Optional. Specify a value from 1 - 65535. The default port is 162.

snmp-server manager [all|v1|v2|v3]

manager [all|v1|v2|v3]
  Enables the SNMP manager and specifies the SNMP version
  all  Enables SNMP manager versions v2 and v3
  v1  Enables SNMP manager version v1 only. SNMPv1 uses a simple password (community string). Data is unencrypted (clear text). Consequently it provides limited security, and should be used only inside LANs behind firewalls, not in WANs.
  v2  Enables SNMP manager version v2 only. SNMPv2 provides device management using a hierarchical set of variables. SNMPv2 uses Get, GetNext, and Set operations for data management. SNMPv2 is enabled by default.
  v3  Enables SNMP manager version v3 only. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the User-based Security Model (USM) for message security and the View-based Access Control Model (VACM) for access control. The architecture supports the concurrent use of different security, access control and message processing techniques. SNMPv3 is enabled by default.

snmp-server [max-pending-requests {<64-1024>}|request-timeout {<2-720>}]

max-pending-requests {<64-1024>}
  Sets the maximum number of requests that can be pending at any given time
  <64-1024>  Optional. Specify a value from 64 - 1024. The default is 128.
request-timeout {<2-720>}
  Sets the interval, in seconds, after which an error message is returned for a pending request
  <2-720>  Optional. Specify a value from 2 - 720 seconds. The default is 240 seconds.

snmp-server [display-vlan-info-per-radio|throttle <1-100>|suppress-security-configuration-level [0|1]]

display-vlan-info-per-radio
  Enables the display of the VLAN ID along with the radio interface ID
throttle <1-100>
  Sets CPU usage for SNMP activities. Use this command to set the CPU usage from 1 - 100.
suppress-security-configuration-level [0|1]
  Sets the level of suppression of SNMP security configuration information
  0  If this option is selected, an empty string is returned for the SNMP request for security configuration information. Security configuration information consists of: passwords, keys, shared secrets. The default setting is 0.
  1  Suppresses the display of the policy, IP ACL, passwords, keys and shared secrets. If this option is selected, in addition to the suppression from level 0, an empty string is returned for an SNMP request on the following items: management policies, IP ACL, tables containing user names and community strings.

snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 auth md5 [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]

user [snmpmanager|snmpoperator|snmptrap]
  Defines user access to the SNMP engine
  snmpmanager  Sets user as an SNMP manager
  snmpoperator  Sets user as an SNMP operator
  snmptrap  Sets user as an SNMP trap user
v3
  Uses SNMP version 3 as the security model
auth
  Uses an authentication protocol
md5
  Uses the HMAC-MD5 algorithm for authentication
[0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
  Configures the password using one of the following options:
  0 <PASSWORD>  Configures a clear text password
  2 <ENCRYPTED-PASSWORD>  Configures an encrypted password
  <PASSWORD>  Specifies a password for authentication and privacy protocols

snmp-server user [snmpmanager|snmpoperator|snmptrap] v3 encrypted [auth md5|des auth md5] [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]

user [snmpmanager|snmpoperator|snmptrap]
  Defines user access to the SNMP engine
  snmpmanager  Sets user as an SNMP manager
  snmpoperator  Sets user as an SNMP operator
  snmptrap  Sets user as an SNMP trap user
v3
  Uses SNMP version 3 as the security model
encrypted
  Uses an encrypted privacy protocol
auth md5
  Uses an authentication protocol
  auth  Sets authentication parameters
  md5  Uses the HMAC-MD5 algorithm for authentication
des auth md5
  Uses a privacy protocol for user privacy
  des  Uses CBC-DES for privacy. After specifying the privacy protocol, specify the authentication mode.
  auth  Sets user authentication parameters
  md5  Uses the HMAC-MD5 algorithm for authentication
[0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
  The following are common to both the auth and des parameters. Configures the password using one of the following options:
  0 <PASSWORD>  Configures a clear text password
  2 <ENCRYPTED-PASSWORD>  Configures an encrypted password
  <PASSWORD>  Specifies a password for authentication and privacy protocols

Example
rfs6000-37FABE(config-management-policy-test)#snmp-server community snmp1 ro
rfs6000-37FABE(config-management-policy-test)#snmp-server host 172.16.10.23 v3 162
rfs6000-37FABE(config-management-policy-test)#commit
rfs6000-37FABE(config-management-policy-test)#snmp-server user snmpmanager v3 auth md5 test@123
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 no ssh
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#
Related Commands
no    Disables or resets the SNMP server settings

15.1.15 ssh
management-policy

Enables Secure Shell (SSH) for this management policy.

SSH, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission. SSH access is disabled by default.

NOTE: If a RADIUS server is not reachable, SSH management access to the controller or access point may be denied. RADIUS support is available locally on controllers and access points, with the exception of AP6511 and AP6522 models, which require an external RADIUS resource.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ssh {login-grace-time <60-300>|port <1-65535>}

Parameters
ssh {login-grace-time <60-300>|port <1-65535>}

ssh
  Enables SSH communication between client and server
login-grace-time <60-300>
  Optional. Configures the login grace time. This is the interval, in seconds, after which an unsuccessful login is disconnected.
  <60-300>  Specify a value from 60 - 300 seconds. The default is 60 seconds.
port <1-65535>
  Optional. Configures the SSH port. This is the port used for SSH connections.
  <1-65535>  Specify a value from 1 - 65535. The default port is 22.

Example
rfs6000-37FABE(config-management-policy-test)#ssh port 162
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 ssh port 162
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#
Related Commands
no    Resets the SSH access port to the factory default (port 22)

15.1.16 t5
management-policy

Configures SNMP server settings for T5 devices on this management policy.

A T5 controller is an external device that can be adopted and managed by a WiNG controller. When enabled as a supported external device, a T5 controller can provide data to WiNG to assist in its management within a WiNG supported subnet.

This command enables SNMP to communicate with T5 devices within the network. SNMP facilitates the exchange of management information between the controller or service platform and the T5 device. For more information, see snmp-server.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510

Syntax
t5 snmp-server [community|contact|enable|host|location]
t5 snmp-server community <COMMUNITY-NAME> [ro|rw] <SNMP-STATION-IP>
t5 snmp-server contact <LINE>
t5 snmp-server enable [server|traps]
t5 snmp-server host <IP>
t5 snmp-server location <LINE>

Parameters
t5 snmp-server community <COMMUNITY-NAME> [ro|rw] <SNMP-STATION-IP>

community <COMMUNITY-NAME> [ro|rw]
  Defines a public or private community designation. By default, SNMPv2 community strings on most devices are set to public for the read-only community string, and private for the read-write community string.
  <COMMUNITY-NAME>  Specify the SNMP community name, and configure the access permission for this community string (used by devices to retrieve or modify information).
  ro  Allows a remote device to retrieve information only
  rw  Allows a remote device to retrieve information and modify settings
<SNMP-STATION-IP>
  Specify the SNMP management station IP address for receiving trap information

t5 snmp-server contact <LINE>

contact <LINE>
  Configures the administrator of SNMP trap events for the T5 controller.
  <LINE>  Specify the administrator's name (should not exceed 64 characters).

t5 snmp-server enable [server|traps]

enable [server|traps]
  Enables the following:
  server  Enables the SNMP server. When enabled, the system accepts SNMP management data. This is enabled by default.
  traps  Enables SNMP traps. When enabled, the system generates SNMP traps. This is enabled by default.

t5 snmp-server host <IP>

host <IP>
  Configures the T5 SNMP host's IP address. The SNMP host receives the SNMP notifications.
  <IP>  Specify the SNMP host's IP address.

t5 snmp-server location <LINE>

location <LINE>
  Configures the system location for SNMP traps.
  <LINE>  Specify the SNMP trap location (should not exceed 64 characters).

Example
nx9500-6C8809(config-management-policy-test)#t5 snmp-server community lab rw 192.168.13.7
nx9500-6C8809(config-management-policy-test)#show context
management-policy test
 http server
 no ssh
 t5 snmp-server community lab rw 192.168.13.7
nx9500-6C8809(config-management-policy-test)#
Related Commands
no    Removes or reverts the SNMP server configuration for T5 devices

15.1.17 telnet
management-policy

Enables Telnet. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is disabled by default.

By default Telnet, when enabled, uses Transmission Control Protocol (TCP) port 23. Use this command to change the TCP port.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
telnet {port <1-65535>}

Parameters
telnet {port <1-65535>}

telnet
  Enables Telnet
port <1-65535>
  Optional. Configures the Telnet port. This is the port used for Telnet connections.
  <1-65535>  Sets a value from 1 - 65535. The default port is 23.

Example
rfs6000-37FABE(config-management-policy-test)#telnet port 200
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 telnet port 200
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 ssh port 162
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#
Related Commands no Disables Telnet Access Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 36 MANAGEMENT-POLICY 15.1.18 user management-policy Adds new user account. Use this option to add a new user, and define the role, access type, and allowed locations assigned to the user. Management services like Telnet, SSHv2, HTTP, HTTPs and FTP require users (administrators) enter a valid username and password, which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password, which is authenticated by the SNMPv3 module. For CLI users, the controller or service platform also requires user role information to know what permissions to assign. If local authentication is used, associated role information is defined on the controller or service platform when the user account is created. If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-
only permissions. Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the users access assignment to determine if the user has permissions to access an interface:
If local authentication is used, role information is defined on the controller or service platform when the user account is created. If RADIUS is used, role information is supplied by RADIUS using vendor-specific return attributes. The controller or service platform authenticates users using the integrated local database. When user credentials are presented the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles assigned. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the accounts access mode list. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-
provisioning-admin|helpdesk|monitor|network-admin|security-admin|
superuser|system-admin|vendor-admin|web-user-admin]
user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role [device-
provisioning-admin|helpdesk|monitor|network-admin|security-admin|
superuser|system-admin|web-user-admin] access [all|console|ssh|telnet|web]
({allowed-locations <ALLOWED-LOCATIONS>}) user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-
admin group <VENDOR-GROUP-NAME>
Access Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 37 MANAGEMENT-POLICY Parameters user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role
[device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|
superuser|system-admin|web-user-admin] access [all|console|ssh|telnet|web]
({allowed-locations <ALLOWED-LOCATIONS>}) user <USERNAME>
Adds a new user account to this management policy
<USERNAME> Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role. password
[0 <PASSWORD>|
1 <SHA1-PASSWORD>|<PASSWORD>]
  Configures a password
  0 <PASSWORD>        Sets a clear text password
  1 <SHA1-PASSWORD>   Sets the SHA1 hash of the password
  <PASSWORD>          Sets the password
role
  Configures the user role. The options are:
  device-provisioning-admin   Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device's existing configuration unless the configuration is properly archived.
  helpdesk                    Helpdesk administrator. Performs troubleshooting tasks, such as running troubleshooting utilities (like a sniffer), viewing/retrieving logs, clearing statistics, rebooting, and creating and copying technical support dumps. The helpdesk administrator can also create a guest user account and password for registration. However, the helpdesk admin cannot execute controller or service platform reloads.
  monitor                     Monitor. Has read-only access to the system. Can view configuration and statistics except for secret information.
  network-admin               Network administrator. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF.
  security-admin              Security administrator. Modifies WLAN keys and passphrases.
  superuser                   Superuser. Has full access, including halt and delete startup-config.
  system-admin                System administrator. Upgrades image, boot partition, time, and manages admin access.
  web-user-admin              Web user administrator. This role is used to create guest users and credentials. The Web user admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.
access [all|console|ssh|telnet|web]
  Configures the access type
  all       Allows all types of access: console, SSH, Telnet, and Web
  console   Allows console access only
  ssh       Allows SSH access only
  telnet    Allows Telnet access only
  web       Allows Web access only
allowed-locations <ALLOWED-LOCATIONS>
  Optional. This keyword is recursive and optional. It configures a list of locations (either as a path or an RF Domain) to which this user is allowed access.
  <ALLOWED-LOCATIONS>   Specify the allowed locations.
  Note: Use this option to configure a list of RF Domains or its tree nodes to which this user is allowed access with respect to the Nsight policy.
  Note: This option is not applicable to the user role web-user-admin.

Access Point, Wireless Controller and Service Platform CLI Reference Guide 15 - 38 MANAGEMENT-POLICY

user <USERNAME> password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>] role vendor-admin group <VENDOR-GROUP-NAME>
user <USERNAME>
  Adds a new user account to this management policy
  <USERNAME>   Sets the username. This is a mandatory field and cannot exceed 32 characters. Assign a name representative of the user and the intended role.
password [0 <PASSWORD>|1 <SHA1-PASSWORD>|<PASSWORD>]
  Configures a password
  0 <PASSWORD>        Sets a clear text password
  1 <SHA1-PASSWORD>   Sets the SHA1 hash of the password
  <PASSWORD>          Sets the password
role vendor-admin
  Configures this user's role as vendor-admin. Once created, the vendor-admin can access the online device-registration portal to add devices to the RADIUS vendor group to which he/she belongs. Vendor-admins have only Web access to the device registration portal.
  The WiNG software allows multiple vendors to securely on-board their devices through a single SSID. Each vendor has a vendor-admin user who is assigned a unique username/password credential for RADIUS server validation. Successfully validated vendor-admins can on-board their devices, which are, on completion of the on-boarding process, immediately placed on the vendor-allowed VLAN. On subsequent associations with this SSID, registered devices are dynamically placed into the vendor-allowed VLAN.
  If assigning the vendor-admin role, provide the vendor's group name for RADIUS authentication. The vendor's group takes precedence over the statically configured group for device registration.
  Note: Use the service > show > wireless > credential-cache command to view on-boarded devices' VLAN assignment.
  Note: Ensure that the REST server is enabled, to allow vendor users access to the online device registration portal. By default the REST server is enabled. For more information, see rest-server.
group <VENDOR-GROUP-NAME>
  Associates this vendor-admin user with a vendor group, required for RADIUS authentication. The vendor group must already exist and be configured in the RADIUS group policy. For more information on configuring RADIUS groups, see radius-group.
  <VENDOR-GROUP-NAME>   Provide the vendor group name. In case of multiple allowed groups, provide a list of comma-separated group names.

Example
rfs6000-37FABE(config-management-policy-test)#user TESTER password test123 role superuser access all
rfs6000-37FABE(config-management-policy-test)#show context
management-policy test
 telnet port 200
 no http server
 https server
 ftp username superuser password 1 f617ca50c59fb47028f96db4baab5f3d8f03c03ab257960b0fd127c69f02cd7e rootdir dir
 ssh port 162
 user TESTER password 1 b6b37c51405f4e93c67fe8af82d450c9fd6af69324cd56a55055cefe695b6a14 role superuser access all
 snmp-server community snmp1 ro
 snmp-server user snmpmanager v3 encrypted des auth md5 0 test@123
 snmp-server host 172.16.10.23 v3 162
 aaa-login radius external
 aaa-login radius policy test
 idle-session-timeout 0
 restrict-access host 172.16.10.2 log all
rfs6000-37FABE(config-management-policy-test)#
nx9500-6C8809(config-management-policy-OB)#user test password 0 test123 role vendor-admin group Apple,Sony,Samsung
nx9500-6C8809(config-management-policy-OB)#user Samsung password 0 samsung role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#show context
management-policy OB
 no telnet
 no http server
 https server
 rest-server
 ssh
 user admin password 1 d9849649218dcaa79109fbd47bbf1a24ecdf1edda220d21f76ce4c15a4e7e696 role superuser access all
 user test password 1 62fca173a1ffc0e9cc4eef782b1978a5e0c47f66bc57a32992f03e3e00fe0bc4 role vendor-admin group Apple,Sony,Samsung
 user Samsung password 1 39cb036b8e09c2ec625ebcda6e4001f4584263ed86fa69fc1f6b284113772eb0 role vendor-admin group Samsung
nx9500-6C8809(config-management-policy-OB)#
Related Commands
  no   Removes a user account

15.1.19 service
management-policy

Invokes service commands

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
service [prompt|show]
service [prompt crash-info|show cli]

Parameters
service [prompt crash-info|show cli]
  service prompt crash-info   Updates CLI prompt settings
    crash-info   Includes an asterisk at the end of the prompt if the device has crash files in the flash:/crashinfo folder
  service show cli   Displays running system information
    cli   Displays the current mode's CLI tree

Example
rfs6000-37FABE(config-management-policy-test)#service show cli
Management Mode mode:
+-help [help]
+-search
+-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-show
+-commands [show commands]
+-simulate
+-stats [show simulate stats]
+-eval
+-WORD [show eval WORD]
+-debugging [show debugging (|(on DEVICE-OR-DOMAIN-NAME))]
+-cfgd [show debugging cfgd]
+-on
+-DEVICE-OR-DOMAIN-NAME [show debugging (|(on DEVICE-OR-DOMAIN-NAME))]
+-fib [show debugging fib(|(on DEVICE-NAME))]
+-on
+-DEVICE-NAME [show debugging fib(|(on DEVICE-NAME))]
+-wireless [show debugging wireless (|(on DEVICE-OR-DOMAIN-NAME))]
+-on
--More--
Related Commands
  no   Disables the inclusion of an asterisk indicator notifying the presence of crash files

16 RADIUS-POLICY

This chapter summarizes the RADIUS group, server, and user policy commands in the CLI command structure.

Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software that enables remote access servers to authenticate users and authorize their access to the network. RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients send authentication requests to the local RADIUS server containing user authentication and network service access information.

RADIUS enables centralized management of authentication data (usernames and passwords). When a client attempts to associate to a network, the authentication request is sent to the local RADIUS server. The authentication and encryption of communications takes place through the use of a shared secret password (not transmitted over the network).

The local RADIUS server stores the user database locally, and can optionally use a remote user database. It ensures higher accounting performance. It allows the configuration of multiple users, and assigns policies for group authorization.

Controllers and access points allow enforcement of user-based policies. User policies include dynamic VLAN assignment and access based on time of day. A certificate is required for EAP TTLS, PEAP, and TLS RADIUS authentication (configured with the RADIUS service).

Dynamic VLAN assignment is achieved based on the RADIUS server response. A user who associates to WLAN1 (mapped to VLAN1) can be assigned a different VLAN after RADIUS server authentication. This dynamic VLAN assignment overrides the WLAN's VLAN ID to which the user associates.

The chapter is organized into the following sections:
  radius-group
  radius-server-policy
  radius-user-pool-policy

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

16.1 radius-group

This section describes RADIUS user group configuration commands.

The local RADIUS server allows the configuration of user groups with common user policies. User group names and associated users are stored in the local database. The user ID in the received access request is mapped to the associated wireless group for authentication.

The configuration of groups allows enforcement of the following policies that control user access:
  Assign a VLAN to the user upon successful authentication
  Define the start and end time (HH:MM) when the user is allowed to authenticate
  Define the SSID list to which a user belonging to this group is allowed to associate
  Define the days of the week the user is allowed to log in
  Rate limit traffic (for non-management users)

RADIUS users are categorized into three groups: normal user, management user, and guest user. A RADIUS group not configured as management or guest is a normal user group. User access and role settings depend on the RADIUS group to which the user belongs.

Use the (config) instance to configure RADIUS group commands. This command creates a group within the existing RADIUS group. To navigate to the RADIUS group instance, use the following commands:
<DEVICE>(config)#radius-group <GROUP-NAME>

rfs6000-37FABE(config)#radius-group test
rfs6000-37FABE(config-radius-group-test)#?
Radius user group configuration commands:
  guest       Make this group a Guest group
  no          Negate a command or set its defaults
  policy      Radius group access policy configuration
  rate-limit  Set rate limit for group

  clrscr      Clears the display screen
  commit      Commit all changes made in this session
  do          Run commands from Exec mode
  end         End current mode and change to EXEC mode
  exit        End current mode and down to previous mode
  help        Description of the interactive help system
  revert      Revert changes
  service     Service Commands
  show        Show running system information
  write       Write running configuration to memory or terminal

rfs6000-37FABE(config-radius-group-test)#

NOTE: The RADIUS group name cannot exceed 32 characters, and cannot be modified as part of the group edit process.

The following table summarizes RADIUS group configuration commands:

Table 16.1 RADIUS-Group-Config Commands
  Command      Description (Reference)
  guest        Enables guest access for the newly created group (page 16-4)
  no           Negates a command or reverts settings to their default (page 16-10)
  policy       Configures RADIUS group access policy parameters (page 16-5)
  rate-limit   Sets the default rate limit per user in Kbps, and applies it to all enabled WLANs (page 16-9)

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

16.1.1 guest
radius-group

Configures this group as a guest (non-management) group. A guest user group has temporary permissions to the controller's local RADIUS server. You can configure multiple guest user groups, each having a unique set of settings. Guest user groups cannot be made management groups with access and role permissions. Guest users and policies are used for captive portal authorization to the network.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
guest

Parameters
None

Example
rfs6000-37FABE(config-radius-group-test)#guest
rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
rfs6000-37FABE(config-radius-group-test)#

Related Commands
  no   Makes this group a non-guest group

16.1.2 policy
radius-group

Sets a RADIUS group's authorization settings, such as access day/time, WLANs, etc.

NOTE: A user-based VLAN is effective only if dynamic VLAN authorization is enabled for the WLAN.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
policy [access|day|inactivity-timeout|role|session-time|ssid|time|vlan]
policy vlan <1-4094>
policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}
policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}
policy inactivity-timeout <60-86400>
policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]
policy session-time <5-144000>
policy ssid <SSID>
policy time start <HH:MM> end <HH:MM>

NOTE: Access and role settings are applicable only to a management group. They cannot be configured for a RADIUS non-management group.

Parameters
policy vlan <1-4094>
vlan <1-4094>
  Sets the guest RADIUS group's VLAN ID from 1 - 4094. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the network (once authenticated by the local RADIUS server). This option is applicable to a guest user group, which has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each group. Guest user groups cannot be made management groups with unique access and role permissions. Enable dynamic VLAN assignment for the WLAN for the VLAN assignment to take effect.

policy access [all|console|ssh|telnet|web] {(all|console|ssh|telnet|web)}
access [all|console|ssh|telnet|web]
  Configures the access type for a management group. Management groups can be assigned unique access and role permissions.
  all       Allows all access: wireless client access to the console, SSH, Telnet, and/or Web
  console   Allows console access only
  ssh       Allows SSH access only
  telnet    Allows Telnet access only
  web       Allows Web access only
  These parameters are recursive, and you can provide access to more than one component.

policy role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]
role [device-provisioning-admin|helpdesk|monitor|network-admin|security-admin|superuser|system-admin|web-user-admin]
  Configures the role assigned to a management RADIUS group. If a group is listed as a management group, it may also have a unique role assigned. Available roles include:
  device-provisioning-admin   Device provisioning administrator. Has privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device's existing configuration unless the configuration is properly archived.
  helpdesk                    Helpdesk administrator. Performs troubleshooting tasks, such as clearing statistics, rebooting, and creating and copying tech support dumps. The helpdesk administrator can also create a guest user account and password for registration. These details can be e-mailed or sent as SMS to a mobile phone.
  monitor                     Monitor. Has read-only access to the network. Can view configuration and statistics except for secret information.
  network-admin               Network administrator. Has wired and wireless access to the network. Manages layer 2, layer 3, Wireless, RADIUS server, DHCP server, and Smart RF.
  security-admin              Security administrator. Has full read/write access to the network. Modifies WLAN keys and passphrases.
  superuser                   Superuser. Has full access, including halt and delete startup config.
  system-admin                System administrator. Upgrades image, boot partition, time, and manages admin access.
  web-user-admin              Web user administrator. This role is used to create guest users and credentials. The web-user-admin can access only the custom GUI screen and does not have access to the normal CLI and GUI.

policy inactivity-timeout <60-86400>
inactivity-timeout <60-86400>
  Configures the inactivity time for this RADIUS group's users. If a frame is not received from a client for the specified period, then the client's session is removed. When defined, this value is used instead of the captive-portal inactivity timeout. If the inactivity timeout is not configured in the radius-group context or the captive-portal context, the default timeout (60 seconds) is applied.
  <60-86400>   Specify a value from 60 - 86400 seconds. This option is disabled by default.

policy session-time <5-144000>
session-time <5-144000>
  Configures the session duration for clients belonging to a specific vendor group. Once configured, this is the duration for which over-the-air, on-boarded, successfully authenticated devices belonging to a vendor group get online access. The session is removed on completion of this duration. The vendor's RADIUS group takes precedence over the statically configured group for device registration.
  <5-144000>   Specify a value from 5 - 144000 minutes. This option is disabled by default. For more information, see configuring device registration with dynamic VLAN assignment.

policy ssid <SSID>
ssid <SSID>
  Sets the Service Set Identifier (SSID) for this guest RADIUS group. Use this command to assign the SSIDs with which users within this RADIUS group are allowed to associate. Assign only the SSIDs of those WLANs that the guest users need to access. This option is not available for a management group.
  <SSID>   Specify a case-sensitive alphanumeric SSID, not exceeding 32 characters.

policy day [all|fr|mo|sa|su|th|tu|we|weekdays] {(fr|mo|sa|su|th|tu|we|weekdays)}
day [all|fr|mo|sa|su|th|tu|we|weekdays]
  Configures the days on which this guest RADIUS group's members can access the local RADIUS resources. The options are recursive, and you can provide access on multiple days.
  fr         Allows access on Fridays only
  mo         Allows access on Mondays only
  sa         Allows access on Saturdays only
  su         Allows access on Sundays only
  th         Allows access on Thursdays only
  tu         Allows access on Tuesdays only
  we         Allows access on Wednesdays only
  weekdays   Allows access on weekdays only (Monday to Friday)

policy time start <HH:MM> end <HH:MM>
time start <HH:MM> end <HH:MM>
  Configures the time when this RADIUS group can access the network
  start <HH:MM>   Sets the start time in the HH:MM format (for example, 13:30 means the user can log in only after 1:30 PM). Specifies the time users, within each listed group, can access the local RADIUS resources.
  end <HH:MM>     Sets the end time in the HH:MM format (for example, 17:30 means the user is allowed to remain logged in until 5:30 PM). Specifies the time users, within each listed group, lose access to the local RADIUS resources.

Usage Guidelines
A management group access policy provides:
  access details
  user roles
  policy's start and end time
The SSID, day, and VLAN settings are not applicable to a management user group.

Example
The following example shows a RADIUS guest group's settings:
rfs6000-37FABE(config-radius-group-test)#policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#policy day all
rfs6000-37FABE(config-radius-group-test)#policy vlan 1
rfs6000-37FABE(config-radius-group-test)#policy ssid test
rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#

The following example shows a RADIUS management group's settings:

rfs6000-37FABE(config-radius-group-management)#policy access console ssh telnet
rfs6000-37FABE(config-radius-group-management)#policy role network-admin
rfs6000-37FABE(config-radius-group-management)#policy time start 9:30 end 20:30
rfs6000-37FABE(config-radius-group-management)#show context
radius-group management
 policy time start 9:30 end 20:30
 policy access console ssh telnet web
 policy role network-admin
rfs6000-37FABE(config-radius-group-management)#
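The guest/management policy semantics described in this section, modelled in Python as an added example (not WiNG code): it parses the show context output of a radius-group, as printed in the two examples above, and decides whether a client of that group is admitted for a given SSID, weekday and time of day. Assumptions not stated in the guide: a group carrying access/role settings is treated as a management group, an unconfigured SSID or day list imposes no restriction, and the start/end window does not cross midnight.

```python
from dataclasses import dataclass, field
from datetime import time
from typing import Optional, Set

DAYS = ("mo", "tu", "we", "th", "fr", "sa", "su")

# Constructed sample input, taken from the guest and management examples in this section.
GUEST_CONTEXT = """\
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 policy time start 13:30 end 17:30
"""
MGMT_CONTEXT = """\
radius-group management
 policy time start 9:30 end 20:30
 policy access console ssh telnet web
 policy role network-admin
"""

@dataclass
class RadiusGroup:
    name: str
    guest: bool = False
    vlan: Optional[int] = None
    ssids: Set[str] = field(default_factory=set)
    days: Set[str] = field(default_factory=set)
    start: Optional[time] = None
    end: Optional[time] = None
    access: Set[str] = field(default_factory=set)
    role: Optional[str] = None
    inactivity_timeout: int = 60  # guide: 60 s when set in neither radius-group nor captive-portal

    @property
    def is_management(self) -> bool:
        # Assumption: carrying access/role settings is what makes a group a management group.
        return not self.guest and (bool(self.access) or self.role is not None)

def _hhmm(text: str) -> time:
    hours, minutes = text.split(":")  # show context prints '9:30' as well as '13:30'
    return time(int(hours), int(minutes))

def parse_show_context(text: str) -> RadiusGroup:
    """Parse one `radius-group <name>` block as printed by `show context`."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = lines[0].split()
    if len(head) != 2 or head[0] != "radius-group":
        raise ValueError(f"not a radius-group block: {lines[0]!r}")
    g = RadiusGroup(name=head[1])
    for ln in lines[1:]:
        tok = ln.split()
        if tok == ["guest"]:
            g.guest = True
        elif tok[:2] == ["policy", "vlan"]:
            g.vlan = int(tok[2])
        elif tok[:2] == ["policy", "ssid"]:
            g.ssids.add(tok[2])
        elif tok[:2] == ["policy", "day"]:
            # `all` / `weekdays` expand the way the CLI stores them (one line per day)
            g.days.update(DAYS if tok[2] == "all" else DAYS[:5] if tok[2] == "weekdays" else [tok[2]])
        elif tok[:2] == ["policy", "time"]:  # policy time start HH:MM end HH:MM
            g.start, g.end = _hhmm(tok[3]), _hhmm(tok[5])
        elif tok[:2] == ["policy", "access"]:
            g.access.update(tok[2:])
        elif tok[:2] == ["policy", "role"]:
            g.role = tok[2]
        elif tok[:2] == ["policy", "inactivity-timeout"]:
            g.inactivity_timeout = int(tok[2])
        else:
            raise ValueError(f"unrecognised radius-group line: {ln!r}")
    if g.guest and (g.access or g.role):
        raise ValueError("a guest group cannot carry access/role settings")
    return g

def authorize(g: RadiusGroup, ssid: str, day: str, at: time) -> dict:
    """Apply the group's policy to one access request and report the outcome."""
    # Assumption: the start/end window does not cross midnight.
    if g.start is not None and not (g.start <= at <= g.end):
        return {"allowed": False, "reason": "outside policy time window"}
    if g.is_management:
        # SSID, day and VLAN do not apply to a management group; it yields access type and role.
        return {"allowed": True, "role": g.role, "access": sorted(g.access)}
    # Assumption: an unconfigured SSID or day list imposes no restriction.
    if g.ssids and ssid not in g.ssids:
        return {"allowed": False, "reason": f"ssid {ssid!r} not permitted for group {g.name}"}
    if g.days and day not in g.days:
        return {"allowed": False, "reason": f"no access on {day}"}
    # Dynamic VLAN assignment: the group's VLAN overrides the WLAN's VLAN for this client.
    return {"allowed": True, "vlan": g.vlan, "inactivity_timeout": g.inactivity_timeout}
```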
Related Commands
  no   Removes or modifies a RADIUS group's access settings

16.1.3 rate-limit
radius-group

Sets the rate limit for the guest RADIUS server group

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rate-limit [from-air|to-air] <100-1000000>

NOTE: The rate-limit setting is not applicable to a management group.

Parameters
rate-limit [from-air|to-air] <100-1000000>
  to-air <100-1000000>     Sets the rate limit in the downlink direction, from the network to the wireless client
    <100-1000000>   Specify the rate from 100 - 1000000 Kbps.
  from-air <100-1000000>   Sets the rate limit in the uplink direction, from the wireless client to the network
    <100-1000000>   Specify the rate from 100 - 1000000 Kbps.

Example
rfs6000-37FABE(config-radius-group-test)#rate-limit to-air 200
rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 rate-limit to-air 200
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#
Related Commands
  no   Removes the RADIUS guest group's rate limits

16.1.4 no
radius-group

Negates a command or sets its default. Removes or modifies the RADIUS group policy settings. When used in the config RADIUS group mode, the no command removes or modifies the following settings: access type, access days, role type, VLAN ID, and SSID.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [guest|policy|rate-limit]
no policy [access|day|inactivity-timeout|role|session-time|ssid|time|vlan]
no policy access [all|console|ssh|telnet|web]
no policy day [all|fr|mo|sa|su|th|tu|we|weekdays]
no policy session-time
no policy ssid [<SSID>|all]
no policy [inactivity-timeout|role|time|vlan]
no rate-limit [from-air|to-air]

Parameters
no <PARAMETERS>
  no <PARAMETERS>   Negates a command or sets its default. Removes or modifies the RADIUS group policy settings. When used in the config RADIUS group mode, the no command removes or modifies the following settings: access type, access days, role type, VLAN ID, and SSID.

Example
The following example shows the RADIUS guest group test settings before the no commands are executed:

rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 guest
 policy vlan 1
 policy ssid test
 policy day mo
 policy day tu
 policy day we
 policy day th
 policy day fr
 policy day sa
 policy day su
 rate-limit to-air 200
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#

rfs6000-37FABE(config-radius-group-test)#no guest
rfs6000-37FABE(config-radius-group-test)#no rate-limit to-air
rfs6000-37FABE(config-radius-group-test)#no policy day all

The following example shows the RADIUS guest group test settings after the no commands are executed:

rfs6000-37FABE(config-radius-group-test)#show context
radius-group test
 policy vlan 1
 policy ssid test
 policy time start 13:30 end 17:30
rfs6000-37FABE(config-radius-group-test)#
16.2 radius-server-policy

Creates an onboard device RADIUS server policy and enters its configuration mode

A RADIUS server policy is a unique authentication and authorization configuration that receives user connection requests, authenticates users, and returns configuration information necessary for the RADIUS client to deliver service to the user. The client is the entity with authentication information requiring validation. The local RADIUS server has access to a database of authentication information used to validate the client's authentication request.

The local RADIUS server uses authentication schemes like PAP, CHAP, or EAP to verify and confirm information provided by a user. The user's proof of identification is verified, along with, optionally, other information. A local RADIUS server policy can also be configured to refer to an external Lightweight Directory Access Protocol (LDAP) resource to verify a user's credentials.

Use the (config) instance to configure RADIUS-Server-Policy related parameters. To navigate to the RADIUS-Server-Policy instance, use the following commands:

<DEVICE>(config)#radius-server-policy <POLICY-NAME>

rfs6000-37FABE(config)#radius-server-policy test
rfs6000-37FABE(config-radius-server-policy-test)#?
Radius Configuration commands:
  authentication           Radius authentication
  bypass                   Bypass Certificate Revocation List( CRL ) check
  chase-referral           Enable chasing referrals from LDAP server
  crl-check                Enable Certificate Revocation List( CRL ) check
  ldap-agent               LDAP Agent configuration parameters
  ldap-group-verification  Enable LDAP Group Verification setting
  ldap-server              LDAP server parameters
  local                    RADIUS local realm
  nas                      RADIUS client
  no                       Negate a command or set its defaults
  proxy                    RADIUS proxy server
  session-resumption       Enable session resumption/fast reauthentication by using cached attributes
  termination              Enable Eap termination for proxy requests
  use                      Set setting to use

  clrscr                   Clears the display screen
  commit                   Commit all changes made in this session
  do                       Run commands from Exec mode
  end                      End current mode and change to EXEC mode
  exit                     End current mode and down to previous mode
  help                     Description of the interactive help system
  revert                   Revert changes
  service                  Service Commands
  show                     Show running system information
  write                    Write running configuration to memory or terminal

rfs6000-37FABE(config-radius-server-policy-test)#
The following table summarizes RADIUS server policy configuration commands:

Table 16.2 RADIUS-Server-Policy-Config Commands
  Command                  Description (Reference)
  authentication           Configures RADIUS authentication settings (page 16-14)
  bypass                   Enables bypassing of CRL check (page 16-16)
  chase-referral           Enables LDAP server referral chasing (page 16-17)
  crl-check                Enables a certificate revocation list (CRL) check (page 16-18)
  ldap-agent               Configures the LDAP agent's settings (page 16-19)
  ldap-group-verification  Enables LDAP group verification (page 16-21)
  ldap-server              Configures the LDAP server's settings (page 16-22)
  local                    Configures a local RADIUS realm (page 16-25)
  nas                      Configures the key sent to a RADIUS client (page 16-26)
  no                       Removes or resets the RADIUS server policy's settings (page 16-28)
  proxy                    Configures the RADIUS proxy server's settings (page 16-30)
  session-resumption       Enables session resumption (page 16-32)
  termination              Enables EAP termination on this current RADIUS server policy. When enabled, EAP authentication is terminated at the controller level. (page 16-33)
  use                      Defines settings used with the RADIUS server policy (page 16-34)

16.2.1 authentication
radius-server-policy

Specifies the RADIUS datasource used for user authentication. Options include local for the local user database or LDAP for a remote LDAP resource.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
authentication [data-source|eap-auth-type]
authentication data-source [ldap|local]
authentication data-source [ldap {fallback}|local] {(ssid <SSID> precedence <1-5000>)}
authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]

Parameters
authentication data-source [ldap {fallback}|local] {(ssid <SSID> precedence <1-5000>)}
data-source [ldap {fallback}|local]
  The RADIUS server can either use the local database or an external LDAP server to authenticate a user. It is necessary to specify the data source. The options are: LDAP and local.
  ldap       Uses a remote LDAP server as the data source
    fallback   Optional. Enables fallback to local authentication. This feature ensures that if the designated external LDAP resource were to fail or become unavailable, the client is authenticated against the local RADIUS resource. This option is disabled by default.
    When using LDAP as the external authentication source, the PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply to Microsoft's Active Directory server.
  local      Uses the local user database to authenticate a user. This is the default setting.
  The following keywords are recursive and common to both the ldap and local parameters:
  ssid <SSID>           Optional. Associates the data source, selected in the previous step, with an SSID
    <SSID>   Specify the SSID for this authentication data source. The SSID is case sensitive and should not exceed 32 characters in length. Do not use any of the following characters (< > | " & \ ? ,).
  precedence <1-5000>   Sets the precedence for this authentication rule. The precedence value allows systematic evaluation and application of rules. Rules with the lowest precedence receive the highest priority.
    <1-5000>   Specify a precedence from 1 - 5000.
  Specifying the SSID allows the RADIUS server to use the SSID attribute in access requests to determine the data source to use. This option is applicable to onboard RADIUS servers only.

authentication eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]
eap-auth-type [all|peap-gtc|peap-mschapv2|tls|ttls-md5|ttls-mschapv2|ttls-pap]
  Uses Extensible Authentication Protocol (EAP), with this RADIUS server policy, for user authentication. The EAP authentication types supported by the local RADIUS server are: all, peap-gtc, peap-mschapv2, tls, ttls-md5, ttls-mschapv2, ttls-pap.
  all             Enables both TTLS and PEAP authentication. This is the default setting.
  peap-gtc        Enables PEAP with default authentication using GTC
  peap-mschapv2   Enables PEAP with default authentication using MSCHAPv2. When using LDAP as the external authentication source, the PEAP-MSCHAPv2 authentication type can be used only if the LDAP server returns the password as plain-text. PEAP-MSCHAPv2 authentication is not supported if the LDAP server returns encrypted passwords. This restriction does not apply to Microsoft's Active Directory server.
  tls             Enables TLS as the EAP type
  ttls-md5        Enables TTLS with default authentication using md5
  ttls-mschapv2   Enables TTLS with default authentication using MSCHAPv2
  ttls-pap        Enables TTLS with default authentication using PAP

Example
rfs6000-37FABE(config-radius-server-policy-test)#authentication eap-auth-type tls
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
rfs6000-37FABE(config-radius-server-policy-test)#
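The data-source selection described above (match on the request's SSID, lowest precedence value wins, fallback to the local database when LDAP is unavailable, and the PEAP-MSCHAPv2 restriction for LDAP servers that return hashed passwords), as an added Python example that is not WiNG code. The configuration lines are constructed; the ldap_password_form input and the rule that a later policy-wide data-source line replaces an earlier one are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a radius-server-policy with SSID-specific data-source rules
# (not from the guide; its own example only sets eap-auth-type tls).
POLICY_LINES = [
    "authentication data-source local",
    "authentication data-source ldap fallback ssid corp precedence 10",
    "authentication data-source ldap ssid corp precedence 100",
    "authentication data-source local ssid guest precedence 20",
    "authentication eap-auth-type peap-mschapv2",
]
SSID_FORBIDDEN = set('<>|"&\\?,')  # characters the guide disallows in <SSID>


@dataclass(frozen=True)
class DataSourceRule:
    source: str                       # "ldap" or "local"
    fallback: bool = False            # ldap only: use the local database when LDAP is unreachable
    ssid: Optional[str] = None        # None = policy-wide rule, else matched on the request's SSID
    precedence: Optional[int] = None  # 1..5000; the lowest value has the highest priority


def parse_data_source_rules(lines: List[str]) -> List[DataSourceRule]:
    """Parse `authentication data-source ...` lines; other policy lines are ignored."""
    rules: List[DataSourceRule] = []
    for ln in lines:
        tok = ln.split()
        if tok[:2] != ["authentication", "data-source"]:
            continue
        src, rest = tok[2], tok[3:]
        if src not in ("ldap", "local"):
            raise ValueError(f"unknown data source in {ln!r}")
        fallback = False
        if rest[:1] == ["fallback"]:
            if src != "ldap":
                raise ValueError("fallback is only valid with ldap")
            fallback, rest = True, rest[1:]
        ssid = prec = None
        if rest:
            if len(rest) != 4 or rest[0] != "ssid" or rest[2] != "precedence":
                raise ValueError(f"malformed rule {ln!r}")
            ssid, prec = rest[1], int(rest[3])
            if len(ssid) > 32 or SSID_FORBIDDEN & set(ssid):
                raise ValueError(f"invalid ssid {ssid!r}")
            if not 1 <= prec <= 5000:
                raise ValueError(f"precedence out of range: {prec}")
        if ssid is None:
            # Assumption: the policy-wide setting is a single value; a later line replaces it.
            rules = [r for r in rules if r.ssid is not None]
        rules.append(DataSourceRule(src, fallback, ssid, prec))
    return rules


def select_data_source(rules: List[DataSourceRule], request_ssid: str,
                       ldap_available: bool = True, eap_type: str = "all",
                       ldap_password_form: str = "cleartext") -> dict:
    """Pick the data source for one access request; source None means it cannot be served.

    ldap_password_form is an assumed input ('cleartext', 'hashed' or 'active-directory')
    describing how the LDAP server returns passwords, for the guide's PEAP-MSCHAPv2 caveat.
    """
    specific = [r for r in rules if r.ssid == request_ssid]
    if specific:
        rule = min(specific, key=lambda r: r.precedence)  # lowest precedence value wins
        why = f"ssid rule, precedence {rule.precedence}"
    else:
        generic = [r for r in rules if r.ssid is None]
        rule = generic[0] if generic else DataSourceRule("local")  # local is the default
        why = "policy-wide rule" if generic else "default (local)"
    if rule.source == "ldap":
        if eap_type == "peap-mschapv2" and ldap_password_form == "hashed":
            return {"source": None, "reason": "PEAP-MSCHAPv2 needs clear-text passwords from a non-AD LDAP server"}
        if not ldap_available:
            if rule.fallback:
                return {"source": "local", "reason": f"LDAP unavailable, fallback ({why})"}
            return {"source": None, "reason": "LDAP unavailable and fallback not enabled"}
    return {"source": rule.source, "reason": why}
```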
Related Commands
no  Removes the RADIUS authentication settings

16.2.2 bypass
radius-server-policy

Bypasses a certificate revocation list (CRL) check. When enabled, this option suppresses the checks for missing and expired CRLs, so a client certificate is not rejected merely because no CRL, or only a stale CRL, is available. This option is enabled by default. Because crl-check is also disabled by default (see 16.2.4), a new policy enforces revocation only after crl-check is enabled and the bypass options are turned off with no bypass.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bypass [crl-check|expired-crl]

Parameters
bypass [crl-check|expired-crl]
crl-check    Bypasses the CRL check when the CRL is missing
expired-crl  Bypasses the CRL check when the CRL has expired
Note: A CRL is a list of certificates that have been revoked or are no longer valid.

Example
nx9500-6C8809(config-radius-server-policy-test)#bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#no bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 no bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#
Related Commands
no  Disables bypassing of the checks for missing or expired CRLs

16.2.3 chase-referral
radius-server-policy

Enables chasing of referrals returned by an external LDAP server resource.
An LDAP referral is the directory server's way of telling a client that it does not hold the section of the directory tree where the requested object resides. The referral points the client to a different location that is more likely to hold the object; with Active Directory the client uses it as the basis for a DNS search for a domain controller. Ideally a referral always references a domain controller that indeed holds the object, but that domain controller can generate another referral, although it usually does not take long to discover the object does not exist and inform the client. When chasing is enabled, the RADIUS server opens a connection to whatever host the referral names, so protect the LDAP session with start-tls or tls-mode (see 16.2.7) rather than relying on the primary server alone being trusted. This feature is enabled by default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
chase-referral

Parameters
None

Example
rfs6000-37FABE(config-radius-server-policy-test)#chase-referral

Related Commands
no  Disables LDAP server referral chasing

16.2.4 crl-check
radius-server-policy

Enables a certificate revocation list (CRL) check on this RADIUS server policy.
A CRL is a list of certificates issued and subsequently revoked by a Certification Authority (CA). Certificates can be revoked for a number of reasons, including failure or compromise of a device using a certificate, compromise of a certificate key pair, or errors within an issued certificate. The mechanism used for certificate revocation depends on the CA. This option is disabled by default, so an EAP-TLS client presenting a revoked certificate is accepted until it is enabled.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
crl-check

Parameters
None

Example
rfs6000-37FABE(config-radius-server-policy-test)#crl-check
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
rfs6000-37FABE(config-radius-server-policy-test)#
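Putting the authentication, bypass and crl-check commands together, this is an added illustration, not output captured from the guide, of a certificate-based policy in its default posture and in a hardened one. The first fragment spells out what the defaults amount to; the device does not print enabled-by-default lines in show context, so the two bypass lines are written here only for contrast. The policy name test is the one used throughout these examples.

```text
radius-server-policy test
 authentication eap-auth-type all
 bypass crl-check
 bypass expired-crl

radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 no bypass crl-check
 no bypass expired-crl
```

With the second fragment a client certificate is rejected when it appears on the CA's CRL, and also when no current CRL is available to the device; that fail-closed behaviour is the point of turning off both bypass options, so confirm a current CRL is in place before enabling it on a production SSID.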
Related Commands
no  Disables the CRL check on a RADIUS server policy

16.2.5 ldap-agent
radius-server-policy

Configures the LDAP agent settings in the RADIUS server policy context.
When a user's credentials are stored on an external LDAP server, the local RADIUS server cannot conduct PEAP-MSCHAPv2 authentication on its own, because it does not hold the user's credentials maintained on the external LDAP server resource. Up to two LDAP agents (primary and secondary) can therefore be configured locally; each joins the LDAP server's (Windows) domain using locally maintained domain credentials, so that the authentication can be completed against the remote LDAP resource.
This feature is available on all controller, service platform and access point models, with the exception of AP6511 and AP6521 models running in standalone AP or virtual controller AP mode. It is supported on dependent-mode AP6511 and AP6521 access points when they are adopted and managed by a controller or service platform.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-agent [join|join-retry-timeout|primary|secondary]
ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]
ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user <ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]

Parameters
ldap-agent [join {on <DEVICE-NAME>}|join-retry-timeout <60-300>]
ldap-agent             Configures the LDAP agent settings
join                   Initiates the join process, which binds the RADIUS server with the LDAP server's (Windows) domain. When successful, the hostname (name of the AP, wireless controller or service platform) is added to the LDAP server's Active Directory.
  on <DEVICE-NAME>     Optional. Specifies the device that performs the join.
    <DEVICE-NAME>      Specify the name of the AP, wireless controller or service platform. To confirm the join status, use the show ldap-agent join-status command.
join-retry-timeout     If the join process fails (i.e. the RADIUS server fails to join the LDAP server's domain), it is retried after a specified interval. This command configures the interval (in seconds) between two successive join attempts.
  <60-300>             Set the timeout value from 60 - 300 seconds. The default is 60 seconds. A retry timer is started as soon as the join process starts and tracks the time elapsed in case of a failure.

ldap-agent [primary|secondary] domain-name <LDAP-DOMAIN-NAME> domain-admin-user <ADMIN-USER-NAME> domain-admin-password [0 <WORD>|2 <WORD>]
ldap-agent             Configures the LDAP agent settings
primary                Configures the primary LDAP server details (domain name, user name and password). The RADIUS server uses these credentials to bind with the primary LDAP server.
secondary              Configures the secondary LDAP server details (domain name, user name and password). The RADIUS server uses these credentials to bind with the secondary LDAP server.
domain-name <LDAP-DOMAIN-NAME>
                       Configures the primary or secondary LDAP server's domain name. This keyword is common to both the primary and secondary parameters.
domain-admin-user <ADMIN-USER-NAME>
                       Configures the admin user name used to join the primary or secondary LDAP server's domain. This keyword is common to both the primary and secondary parameters.
domain-admin-password [0 <WORD>|2 <WORD>]
                       Configures that admin user's password. This keyword is common to both the primary and secondary parameters.
  0 <WORD>             Specifies the password in unencrypted form
  2 <WORD>             Specifies the password in encrypted form

Example
rfs4000-229D58(config-radius-server-policy-test)#ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123
rfs4000-229D58(config-radius-server-policy-test)#show context
radius-server-policy test
 ldap-agent primary domain-name test domain-admin-user Administrator domain-admin-password 0 test@123
rfs4000-229D58(config-radius-server-policy-test)#

The domain join credential is stored in the policy and, as the show context output above shows, a password entered with 0 is echoed back in the configuration. Prefer a dedicated account that has only the right to join machines to the domain over the built-in Administrator account used in the example.
Related Commands
no  Removes LDAP agent settings from this RADIUS server policy

16.2.6 ldap-group-verification
radius-server-policy

Enables LDAP group verification on this RADIUS server policy. This option is enabled by default; disabling it means LDAP users are accepted on their credentials alone, without the group-based checks.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-group-verification

Parameters
None

Example
rfs6000-37FABE(config-radius-server-policy-test)#ldap-group-verification
rfs6000-37FABE(config-radius-server-policy-test)#
Related Commands
no  Disables LDAP group verification

16.2.7 ldap-server
radius-server-policy

Configures the LDAP server settings. Configuring an LDAP server allows users to log in and authenticate from anywhere on the network. Administrators have the option of using the local RADIUS server to authenticate users against an external LDAP server resource. Using an external LDAP user database centralizes user information and reduces administrative user-management overhead, making RADIUS authorization more secure and efficient.
RADIUS is not just a database; it is a protocol for asking intelligent questions of a user database (such as LDAP). LDAP, in turn, is just a database of user credentials, used optionally with the local RADIUS server to free up resources and manage user credentials from a secure remote location. It is the local RADIUS resource that provides the tools to perform user authentication and to authorize users based on complex checks and logic. An LDAP user database alone cannot perform such complex authorization checks.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ldap-server [dead-period|primary|secondary]
ldap-server dead-period <0-600>
ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}

Parameters
ldap-server dead-period <0-600>
dead-period <0-600>    Sets an interval, in seconds, during which the local server will not contact its LDAP server resource once it has been marked unavailable. A dead period is only applied when additional LDAP servers are configured and available.
  <0-600>              Specify a value from 0 - 600 seconds. The default is 300 seconds.

ldap-server [primary|secondary] host <IP> port <1-65535> login <LOGIN-NAME> bind-dn <BIND-DN> base-dn <BASE-DN> passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] passwd-attr <ATTR> group-attr <ATTR> group-filter <FILTER> group-membership <WORD> {net-timeout <1-10>|start-tls net-timeout <1-10>|tls-mode net-timeout <1-10>}
primary                Configures the primary LDAP server settings
secondary              Configures the secondary LDAP server settings
host <IP>              Specifies the LDAP host's IP address
  <IP>                 Specify the LDAP server's IP address.
port <1-65535>         Configures the LDAP server port
  <1-65535>            Specify a port between 1 - 65535.
login <LOGIN-NAME>     Configures the login name of the user the RADIUS server uses to access the LDAP server
  <LOGIN-NAME>         Specify a login ID (should not exceed 127 characters).
bind-dn <BIND-DN>      Configures the bind distinguished name. This is the distinguished name (DN) used to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute=value pairs, separated by commas.
  <BIND-DN>            Specify a bind DN (should not exceed 127 characters).
base-dn <BASE-DN>      Configures the base distinguished name. This is the DN that establishes the base object for the search, i.e. the point in the LDAP tree at which to start searching. LDAP DNs begin with a specific attribute (usually some sort of name) and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is the Relative Distinguished Name (RDN); it identifies an entry distinctly from any other entries that have the same parent.
  <BASE-DN>            Specify a base DN (should not exceed 127 characters).
passwd [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
                       Sets the password for the LDAP bind.
  0 <PASSWORD>         Sets an UNENCRYPTED password
  2 <ENCRYPTED-PASSWORD>
                       Sets an ENCRYPTED password
  <PASSWORD>           Sets the LDAP server bind password, specified UNENCRYPTED, with a maximum size of 31 characters
passwd-attr <ATTR>     Specify the LDAP server password attribute (should not exceed 63 characters).
group-attr <ATTR>      Specify a name to configure group attributes (should not exceed 31 characters). LDAP systems can poll dynamic groups: in an LDAP dynamic group an administrator specifies search criteria, and all users matching the search criteria are considered members of the dynamic group. Specify the group attribute used by the LDAP server; an attribute could be a group name, group ID, password or group membership name.
group-filter <FILTER>  Specify a group filter (should not exceed 255 characters). This filter is typically used for security role-to-group assignments and specifies the property used to look up groups in the directory service.
group-membership <WORD>
                       Specify a group membership attribute (should not exceed 63 characters). This attribute is sent to the LDAP server when authenticating users.
net-timeout <1-10>     Optional. Select a value from 1 - 10 to configure the network timeout (number of seconds to wait for a response from the target primary or secondary LDAP server). The default is 10 seconds.
start-tls net-timeout <1-10>
                       Optional. Secures the LDAP connection with StartTLS (requires start_tls support on the external LDAP server) and sets the network timeout (1 - 10 seconds) for the secured session.
tls-mode net-timeout <1-10>
                       Optional. Secures the LDAP connection with TLS (requires tls_mode support on the external LDAP server) and sets the network timeout (1 - 10 seconds) for the secured session.
Without start-tls or tls-mode, the bind password above and every credential value the RADIUS server reads from the directory cross the network to the LDAP server in clear text.

Example
rfs6000-37FABE(config-radius-server-policy-test)#ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#ldap-server primary host 172.16.10.19 port 162 login test bind-dn bind-dn1 base-dn base-dn1 passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter groupfilter1 group-membership groupmembership1 net-timeout 2
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#
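Added example, not from the guide, to make the bind-dn, base-dn and group-filter parameters concrete, since the example above uses placeholder values. It parses DNs into the RDN components described under base-dn, checks that an entry returned by the directory actually sits under the configured base DN, and builds the user and group lookup filters with RFC 4515 escaping so that a login name supplied by a wireless client cannot alter the filter. The attribute names sAMAccountName and member are Active Directory conventions assumed for illustration; the DNs are constructed.

```python
"""DN handling and injection-safe LDAP filters for the ldap-server parameters (added example)."""

# RFC 4515 escaping for values placed inside a search filter. A per-character map
# translates each character exactly once, so the backslash cannot be double-escaped.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_dn(dn: str) -> list:
    """Split a DN such as 'CN=Smith\\, John,OU=Users,DC=corp,DC=example' into
    [(attribute, value), ...], honouring backslash escapes (RFC 4514; ASCII hex pairs only)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                cur.append(chr(int(pair, 16)))
                i += 3
            else:
                cur.append(dn[i + 1])
                i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    out = []
    for part in rdns:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        out.append((attr.strip(), value.strip()))
    return out


def dn_is_under(dn: str, base_dn: str) -> bool:
    """True if dn lies at or below base_dn (case-insensitive, as AD and most servers compare)."""
    d = [(a.lower(), v.lower()) for a, v in parse_dn(dn)]
    b = [(a.lower(), v.lower()) for a, v in parse_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def user_lookup_filter(login: str, login_attr: str = "sAMAccountName") -> str:
    """Filter to find the authenticating user's entry; the login comes from the wireless client."""
    return "(&(objectClass=user)(%s=%s))" % (login_attr, escape_filter_value(login))


def group_check_filter(user_dn: str, group_filter: str = "(objectClass=group)",
                       membership_attr: str = "member") -> str:
    """Filter to find the groups a user belongs to, combining the policy's group-filter with
    the group-membership attribute (the AD 'member' attribute here, an assumption)."""
    return "(&%s(%s=%s))" % (group_filter, membership_attr, escape_filter_value(user_dn))


if __name__ == "__main__":
    base = "OU=Users,DC=corp,DC=example"                       # constructed base-dn
    entry = "CN=Smith\\, John,OU=Users,DC=corp,DC=example"     # constructed user entry
    print(parse_dn(entry))
    print(dn_is_under(entry, base), dn_is_under("CN=x,DC=other,DC=example", base))
    print(user_lookup_filter("jsmith"))
    print(user_lookup_filter("*)(objectClass=*"))             # injection attempt, rendered inert
    print(group_check_filter(entry))
```

The base-dn check matters with chase-referral (16.2.3) enabled: a referred server can answer with entries from a different naming context, and an authorization decision should only rest on entries below the base the policy was configured to search.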
Related Commands
no  Disables the LDAP server parameters

16.2.8 local
radius-server-policy

Configures a local RADIUS realm on this RADIUS server policy.
When the local RADIUS server receives a request for a user name carrying a realm, it references its table of realms. A realm configured with this command is served by the local RADIUS server itself; a realm configured with the proxy command (16.2.11) is forwarded to the proxy RADIUS server defined for it.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
local realm <RADIUS-REALM>

Parameters
local realm <RADIUS-REALM>
realm <RADIUS-REALM>   Configures a local RADIUS realm
  <RADIUS-REALM>       Sets a local RADIUS realm name (a string not exceeding 50 characters)

Example
rfs6000-37FABE(config-radius-server-policy-test)#local realm realm1
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 local realm realm1
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#
Related Commands
no  Removes the RADIUS local realm

16.2.9 nas
radius-server-policy

Configures a RADIUS client (NAS) and the shared secret used with it.
A RADIUS client is the mechanism by which a network access device communicates with a central server to authenticate users and authorize access to the controller, service platform or access point managed network. The client and server share a secret (a password). The shared secret, followed by the Request Authenticator, is passed through the MD5 hash algorithm to create a 16-octet value, which is XORed with the password entered by the user. If the user password is longer than 16 octets, additional MD5 calculations are performed, each using the previous ciphertext block in place of the Request Authenticator. The server receives a RADIUS Access-Request packet and checks that it holds a shared secret for the client; if it has no shared secret for the source address, the request is dropped. If the client receives a verified Access-Accept packet, the username and password are considered correct and the user is authenticated; if it receives a verified Access-Reject, the username and password are considered incorrect and the user is not authenticated. This password hiding is only as strong as the secret, so use a long random secret (the field allows up to 64 characters) rather than a word, and note that a mask shorter than /32 extends the same secret to every host in that subnet.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
nas <IP/M> secret [0 <LINE>|2 <LINE>|<LINE>]

Parameters
nas <IP/M> secret [0 <LINE>|2 <LINE>|<LINE>]
<IP/M>                 Sets the RADIUS client's IP address and mask in the A.B.C.D/M format
secret                 Sets the RADIUS client's shared secret. Use one of the following options:
  0 <LINE>             Sets an UNENCRYPTED secret
  2 <LINE>             Sets an ENCRYPTED secret
  <LINE>               Defines the secret (client shared secret) of up to 64 characters

Example
rfs6000-37FABE(config-radius-server-policy-test)#nas 172.16.10.10/24 secret 0 wirelesswell
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 nas 172.16.10.10/24 secret 0 wirelesswell
 local realm realm1
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "base-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#
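The shared-secret mechanics described at the start of this section, as an added example that is not part of the guide. The script implements the RFC 2865 User-Password hiding (MD5 over the secret and the Request Authenticator, chained per 16-octet block), a server side that discards requests from addresses with no configured secret, and the Response Authenticator check a client performs before trusting an Access-Accept. The client table mirrors the nas 172.16.10.10/24 secret 0 wirelesswell example; the user database and packet contents are constructed.

```python
"""RFC 2865 shared-secret mechanics behind the nas command (added example)."""
import hashlib
import hmac
import ipaddress
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2                      # attribute types

# Constructed client table mirroring "nas 172.16.10.10/24 secret 0 wirelesswell":
# the /24 mask makes the secret apply to every host in 172.16.10.0/24.
NAS_TABLE = {ipaddress.ip_network("172.16.10.0/24"): b"wirelesswell"}


def lookup_secret(src_ip: str):
    ip = ipaddress.ip_address(src_ip)
    for net, secret in NAS_TABLE.items():
        if ip in net:
            return secret
    return None


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, then c_i = p_i XOR MD5(secret + c_{i-1}),
    with the Request Authenticator standing in for c_0."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def unhide_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header octets."""
    return struct.pack("BB", kind, len(value) + 2) + value


def parse_attrs(data: bytes) -> dict:
    out, i = {}, 0
    while i + 2 <= len(data):
        kind, length = data[i], data[i + 1]
        if length < 2:
            break
        out[kind] = data[i + 2:i + length]
        i += length
    return out


def build_access_request(secret, ident, username, password):
    """Client side: fresh random Request Authenticator, hidden User-Password."""
    request_auth = os.urandom(16)
    attrs = attr(USER_NAME, username) + attr(USER_PASSWORD, hide_password(secret, request_auth, password))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def server_handle(packet, src_ip, userdb):
    """Server side: no secret for this client -> silently discard (return None)."""
    secret = lookup_secret(src_ip)
    if secret is None:
        return None
    _, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    stored = userdb.get(attrs.get(USER_NAME, b""))
    supplied = unhide_password(secret, request_auth, attrs.get(USER_PASSWORD, b""))
    ok = stored is not None and hmac.compare_digest(stored, supplied)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + b"" + secret).digest()


def client_verify(response, request_auth, secret) -> bool:
    """Client side: a reply is 'verified' only if its Response Authenticator checks out."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth) and response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    users = {b"alice": b"correct horse battery staple"}        # constructed user database
    pkt, ra = build_access_request(b"wirelesswell", 7, b"alice", users[b"alice"])
    print("from known NAS:", client_verify(server_handle(pkt, "172.16.10.10", users), ra, b"wirelesswell"))
    print("from unknown NAS:", server_handle(pkt, "10.0.0.1", users))
```

Two things fall out of the code that the prose only implies: the hiding is a keystream derived from MD5(secret || authenticator), so anyone who knows or guesses the secret recovers every PAP password on the wire, and a reply that fails the Response Authenticator check is indistinguishable from a forged one, which is why the client checks it before acting on Access-Accept.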
Related Commands
no  Removes a RADIUS server's client from a RADIUS server policy

16.2.10 no
radius-server-policy

Negates a command or reverts it to its default setting. Within the RADIUS server policy configuration mode, the no command removes settings such as crl-check, LDAP group verification, a RADIUS client, etc.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [authentication|bypass|chase-referral|crl-check|ldap-agent|ldap-group-verification|ldap-server|local|nas|proxy|session-resumption|termination|use]
no bypass [crl-check|expired-crl]
no authentication [data-source|eap]
no authentication [data-source {ldap {fallback}|local|ssid}|eap configuration]
no [chase-referral|crl-check|ldap-group-verification|nas <IP/M>|session-resumption]
no ldap-agent [join-retry-timeout|primary|secondary]
no local realm [<REALM-NAME>|all]
no proxy [realm <REALM-NAME>|retry-count|retry-delay]
no ldap-server [dead-period|primary|secondary]
no termination
no use [radius-group [<RAD-GROUP-NAME>|all]|radius-user-pool-policy [<RAD-USER-POOL-NAME>|all]]

Parameters
no <PARAMETERS>
no <PARAMETERS>        Negates a command or reverts it to its default setting. Within the RADIUS server policy configuration mode, the no command removes settings such as crl-check, LDAP group verification, a RADIUS client, etc. Note the direction of each: no bypass crl-check and no bypass expired-crl switch a bypass off and so make revocation checking stricter, whereas no crl-check switches the check itself off.

Example
The following example shows the RADIUS server policy test settings before the no commands are executed:
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 authentication eap-auth-type tls
 crl-check
 nas 172.16.10.10/24 secret 0 wirelesswell
 local realm realm1
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 ldap-server dead-period 100
rfs6000-37FABE(config-radius-server-policy-test)#
rfs6000-37FABE(config-radius-server-policy-test)#no authentication eap configuration
rfs6000-37FABE(config-radius-server-policy-test)#no crl-check
rfs6000-37FABE(config-radius-server-policy-test)#no local realm realm1
rfs6000-37FABE(config-radius-server-policy-test)#no nas 172.16.10.10/24
rfs6000-37FABE(config-radius-server-policy-test)#no ldap-server dead-period
The following example shows the RADIUS server policy test settings after the no commands are executed:
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
rfs6000-37FABE(config-radius-server-policy-test)#
16.2.11 proxy
radius-server-policy

Configures a proxy RADIUS server based on the realm (suffix). The realm identifies where the RADIUS server forwards AAA requests for processing.
A user's access request is sent to a proxy RADIUS server if it cannot be authenticated by the local RADIUS resources. The proxy server checks the information in the user access request and either accepts or rejects the request. If the proxy server accepts the request, it returns configuration information specifying the type of connection service required for the user. The RADIUS proxy acts as a RADIUS server towards the NAS and as a RADIUS client towards the remote RADIUS server. When the local server receives a request for a user name with a realm, it references its table of realms; if the realm is known, it proxies the request to the RADIUS server configured for that realm.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
proxy [realm|retry-count|retry-delay]
proxy realm <REALM-NAME> server <IP> port <1024-65535> secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
proxy retry-count <3-6>
proxy retry-delay <5-10>

Parameters
proxy realm <REALM-NAME> server <IP> port <1024-65535> secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
realm <REALM-NAME>     Configures the realm name
  <REALM-NAME>         Specify the realm name. The name should not exceed 50 characters.
server <IP>            Configures the proxy server's IP address. This is the address of the server that checks the information in the user access request and accepts or rejects it on behalf of the local RADIUS server.
  <IP>                 Sets the proxy server's IP address
port <1024-65535>      Configures the proxy server's port (RADIUS runs over UDP). This is the port on which the server acting as the data source for the proxy listens.
  <1024-65535>         Sets the proxy server's port from 1024 - 65535 (the default port is 1812)
secret [0 <PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
                       Sets the shared secret used with the proxy server. The options are:
  0 <PASSWORD>         Sets an UNENCRYPTED password
  2 <ENCRYPTED-PASSWORD>
                       Sets an ENCRYPTED password
  <PASSWORD>           Sets the proxy server shared secret value

proxy retry-count <3-6>
retry-count <3-6>      Sets the proxy server's retry count. This is the maximum number of attempts the controller's RADIUS server makes to reach the proxy server.
  <3-6>                Sets a value from 3 - 6 (the default is 3 attempts)

proxy retry-delay <5-10>
retry-delay <5-10>     Sets the proxy server's retry delay. This is the interval the controller's RADIUS server waits before making an additional attempt.
  <5-10>               Sets a value from 5 - 10 seconds (the default is 5 seconds)

Usage Guidelines
A maximum of five RADIUS proxy servers can be configured. The retry count defines the number of times a RADIUS request is transmitted before giving up, at most six; the retry delay defines the interval between successive retransmissions of a RADIUS request when no reply arrives. Requests forwarded to a proxy carry the user's credentials protected only by that proxy's shared secret, so the guidance given for nas secrets (16.2.9) applies here as well.

Example
rfs6000-37FABE(config-radius-server-policy-test)#proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
rfs6000-37FABE(config-radius-server-policy-test)#proxy retry-count 4
rfs6000-37FABE(config-radius-server-policy-test)#proxy retry-delay 8
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
rfs6000-37FABE(config-radius-server-policy-test)#
Related Commands
no  Removes or resets the RADIUS proxy server settings

16.2.12 session-resumption
radius-server-policy

Enables session resumption (fast re-authentication) using cached attributes. The policy caches session state when a session ends and keeps it for the configured lifetime, up to the configured number of entries; a returning client whose entry is still cached skips the full authentication exchange, which speeds up reconnection. Because the full exchange is skipped, a change that would now make a fresh authentication fail (for example a certificate revoked since the first login) is not noticed until the cached entry expires, so keep the lifetime as short as the roaming pattern allows. This feature is disabled by default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
session-resumption {lifetime|max-entries}
session-resumption {lifetime <1-24> {max-entries <10-1024>}|max-entries <10-1024>}

Parameters
session-resumption {lifetime <1-24> {max-entries <10-1024>}|max-entries <10-1024>}
lifetime <1-24>        Optional. Sets the lifetime of cached entries
  <1-24>               Specify the lifetime from 1 - 24 hours (the default is 1 hour)
  max-entries <10-1024>
                       Optional. Configures the maximum number of entries in the cache
    <10-1024>          Sets the maximum number of entries in the cache from 10 - 1024 (the default is 128 entries)
max-entries <10-1024>  Optional. Configures the maximum number of entries in the cache
  <10-1024>            Sets the maximum number of entries in the cache from 10 - 1024 (the default is 128 entries)

Example
rfs6000-37FABE(config-radius-server-policy-test)#session-resumption lifetime 10 max-entries 11
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 session-resumption lifetime 10 max-entries 11
rfs6000-37FABE(config-radius-server-policy-test)#
Related Commands
no  Disables session resumption on this RADIUS server policy

16.2.13 termination
radius-server-policy

Enables EAP termination on this RADIUS server policy. When enabled, EAP authentication is terminated at the controller, which then performs the EAP exchange with the client itself. This option is disabled by default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
termination

Parameters
None

Example
nx9500-6C8809(config-radius-server-policy-test)#termination
nx9500-6C8809(config-radius-server-policy-test)#show context
radius-server-policy test
 termination
 no bypass crl-check
nx9500-6C8809(config-radius-server-policy-test)#
Related Commands
no  Disables EAP termination on this RADIUS server policy

16.2.14 use
radius-server-policy

Associates RADIUS groups or a RADIUS user pool policy with this RADIUS server policy.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use [radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}|radius-user-pool-policy <RAD-USER-POOL-NAME>]

Parameters
use [radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}|radius-user-pool-policy <RAD-USER-POOL-NAME>]
radius-group <RAD-GROUP-NAME1> {RAD-GROUP-NAME2}
                       Associates the specified RADIUS group (for LDAP users) with this RADIUS server policy. A second group can optionally be associated with the same policy.
radius-user-pool-policy <RAD-USER-POOL-NAME>
                       Associates the specified RADIUS user pool with this RADIUS server policy. Specify the user pool name.

Example
rfs6000-37FABE(config-radius-server-policy-test)#use radius-group test
rfs6000-37FABE(config-radius-server-policy-test)#show context
radius-server-policy test
 proxy retry-delay 8
 proxy retry-count 4
 proxy realm test1 server 172.16.10.7 port 1025 secret 0 test1123
 ldap-server primary host 172.16.10.19 port 162 login "test" bind-dn "bind-dn1" base-dn "bas-dn1" passwd 0 test@123 passwd-attr test123 group-attr group1 group-filter "groupfilter1" group-membership groupmembership1 net-timeout 2
 use radius-group test
 session-resumption lifetime 10 max-entries 11
rfs6000-37FABE(config-radius-server-policy-test)#
Related Commands
  no    Disassociates a RADIUS group or a RADIUS user pool policy from this RADIUS server policy

16.3 radius-user-pool-policy
RADIUS-POLICY
Configures a RADIUS user pool policy and enters its configuration mode.
A user pool defines policies for individual user access to the internal RADIUS resources. User pool policies define unique permissions (either temporary or permanent) that control user access to the local RADIUS resources. A pool can contain a single user or multiple users.
Use the (config) instance to configure RADIUS user pool policy commands. To navigate to the radius-user-pool-policy instance, use the following commands:
  <DEVICE>(config)#radius-user-pool-policy <POOL-NAME>
  rfs6000-37FABE(config)#radius-user-pool-policy testuser
  rfs6000-37FABE(config-radius-user-pool-testuser)#
  rfs6000-37FABE(config-radius-user-pool-testuser)#?
  Radius User Pool Mode commands:
    duration   Set a guest user's access duration
    no         Negate a command or set its defaults
    user       Radius user configuration

    clrscr     Clears the display screen
    commit     Commit all changes made in this session
    do         Run commands from Exec mode
    end        End current mode and change to EXEC mode
    exit       End current mode and down to previous mode
    help       Description of the interactive help system
    revert     Revert changes
    service    Service Commands
    show       Show running system information
    write      Write running configuration to memory or terminal
  rfs6000-37FABE(config-radius-user-pool-testuser)#
The following table summarizes RADIUS user pool policy configuration commands:
Table 16.3 RADIUS-User-Pool-Policy-Config Commands
  Command    Description                                                 Reference
  duration   Modifies a guest user's duration of captive-portal access   page 16-36
  user       Configures the RADIUS user parameters                       page 16-37
  no         Negates a command or sets its default                       page 16-40

16.3.1 duration
radius-user-pool-policy
Modifies the duration, in minutes, that a guest user can access the captive portal
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  duration <GUEST-USER-NAME> <0-525600>
Parameters
  duration <GUEST-USER-NAME> <0-525600>
  duration <GUEST-USER-NAME> <0-525600>
        Modifies the duration of captive-portal access (in minutes) for the guest user identified by the <GUEST-USER-NAME> keyword
        <GUEST-USER-NAME>   Specify the guest user's name.
        <0-525600>          Specify the access duration from 0 - 525600 minutes. A value of 0 indicates unlimited access. The default is 1440 minutes.
Example
  rfs4000-229D58(config-radius-user-pool-wdws)#show context
  radius-user-pool-policy wdws
   user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
  rfs4000-229D58(config-radius-user-pool-wdws)#
  rfs4000-229D58(config-radius-user-pool-wdws)#duration guestuser1 200
  rfs4000-229D58(config-radius-user-pool-wdws)#show context
  radius-user-pool-policy wdws
   user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 200
  rfs4000-229D58(config-radius-user-pool-wdws)#
16.3.2 user
radius-user-pool-policy
Configures RADIUS user parameters
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest}
  user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM/DD/YYYY> {access-duration <0-525600>|data-limit|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYYY>|telephone <TELEPHONE-NUMBER>}}
  user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM/DD/YYYY> {access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYYY>|telephone <TELEPHONE-NUMBER>}}
Parameters
  user <USERNAME> password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>] {group <RAD-GROUP-NAME>} {guest expiry-time <HH:MM> expiry-date <MM/DD/YYYY> {access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYYY>|telephone <TELEPHONE-NUMBER>}}
  user <USERNAME>
        Adds a new RADIUS user to the RADIUS user pool
        <USERNAME>   Specify the name of the user. The username should not exceed 64 characters. Note: The username is a unique alphanumeric string identifying this user, and cannot be modified with the rest of the configuration.
  password [0 <UNENCRYPTED-PASSWORD>|2 <ENCRYPTED-PASSWORD>|<PASSWORD>]
        Configures the user password (provide a password unique to this user)
        0 <UNENCRYPTED-PASSWORD>   Sets an unencrypted password
        2 <ENCRYPTED-PASSWORD>     Sets an encrypted password
        <PASSWORD>                 Sets a password (specified unencrypted) up to 21 characters
  group <RAD-GROUP-NAME>
        Optional. Configures the RADIUS server group of which this user is a member
        <RAD-GROUP-NAME>   Specify the group name in the local database. If the user is a guest, assign the user a group with temporary access privileges.
  guest
        Optional. Specifies that this user is a guest user. Guest users have restricted access. After enabling a guest user account, specify the expiry time and date for this account. A guest user can be assigned only to a guest user group.
  expiry-time <HH:MM>
        Specify the user account expiry time in the HH:MM format (for example, 12:30 means the user login will expire 30 minutes after 12:00).
  expiry-date <MM/DD/YYYY>
        Specify the user account expiry date in the MM/DD/YYYY format (for example, 02/15/2014), as shown in the examples below.
  {access-duration <0-525600>|data-limit <1-102400> committed-downlink <100-1000000> committed-uplink <100-1000000> reduced-downlink <100-1000000> reduced-uplink <100-1000000>|email-id <EMAIL-ID>|start-time <HH:MM> start-date <MM/DD/YYYY>|telephone <TELEPHONE-NUMBER>}
        After configuring the above user details, optionally configure the following user information:
        access-duration <0-525600>   Configures the duration, in minutes, for which this guest user can access the captive portal.
            <0-525600>   Specify a value from 0 - 525600 minutes.
        data-limit <1-102400>   Configures the data limit for which this guest user can access the captive portal. Specify a value from 1 - 102400 bytes.
        committed-downlink <100-1000000>   Configures committed downlink bandwidth until the data limit is reached. This value represents the download speed (in kilobits per second) allocated to the guest user. When bandwidth is available, the user can download data at the specified rate. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced downlink rate (specified using this command). Specify a value from 100 - 1000000 Kbps.
        committed-uplink <100-1000000>   Configures committed uplink bandwidth until the data limit is reached. This value represents the upload speed (in kilobits per second) allocated to the guest user. When bandwidth is available, the user can upload data at the specified rate. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced uplink rate (specified using this command). Specify a value from 100 - 1000000 Kbps.
        reduced-downlink <100-1000000>   Configures reduced downlink bandwidth after the data limit is reached. This value represents the reduced speed the guest utilizes (in kilobits per second) when exceeding the specified data limit, if applicable. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced downlink rate specified here. Specify a value from 100 - 1000000 Kbps.
        reduced-uplink <100-1000000>   Configures reduced uplink bandwidth after the data limit is reached. This value represents the reduced speed the guest utilizes (in kilobits per second) when exceeding the specified data limit, if applicable. If a guest user has a bandwidth based policy and exceeds the specified data limit, the speed is throttled to the reduced uplink rate specified here. Specify a value from 100 - 1000000 Kbps.
        email-id <EMAIL-ID>   Optional. User's e-mail ID
        start-time <HH:MM>   Optional. User's account activation time. After specifying the activation time, specify the activation date.
        start-date <MM/DD/YYYY>   User's account activation date
        telephone <TELEPHONE-NUMBER>   Optional. User's telephone number (should include the area code)
To view access details of guest users on a RADIUS server, in the privileged Exec mode, use the following command:
  show > radius > guest-users
  rfs6000-37FABE#show radius guest-users time
  TIME (min:sec)
  USED      REMAINING   GUEST USER
  0:00      500:00      user1
  Current time: 09:03:07
  rfs6000-37FABE#
Example
  rfs4000-229D58(config-radius-user-pool-wdws)#user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
  rfs4000-229D58(config-radius-user-pool-wdws)#
  rfs4000-229D58(config-radius-user-pool-wdws)#show context
  radius-user-pool-policy wdws
   user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
  rfs4000-229D58(config-radius-user-pool-wdws)#
  nx4500-5CFA2B(config-radius-user-pool-pool1)#user word password 0 word group group1 guest expiry-time 11:10 expiry-date 12/12/2014 data-limit 10 committed-downlink 103 committed-uplink 100 reduced-downlink 102 reduced-uplink 101
  nx4500-5CFA2B(config-radius-user-pool-pool1)#
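The `show context` listings above are what an administrator reviews when checking a guest pool. As an added example (not the vendor's code, and not part of this guide), the Python below parses `user ...` lines in exactly the form shown on this page and reports what a reviewer would want flagged: passwords that remain readable in the displayed configuration (form `0` or the bare `<PASSWORD>` form rather than form `2`), guest accounts whose `expiry-date`/`expiry-time` has passed, guests with no expiry, and guests with `access-duration 0`, which the page defines as unlimited. `SAMPLE_CONTEXT` is constructed to mirror the page's two example users; the `staff1` line (a form-2 encrypted password, with a placeholder in place of the real encrypted string) and the `kiosk` line are assumptions about how such users would be displayed.

```python
"""Audit the `user ...` lines of a WiNG `show context radius-user-pool-policy`
listing. Added example, not the vendor's code."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample in the form of the page's show-context output.
SAMPLE_CONTEXT = """\
radius-user-pool-policy wdws
 user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
 user word password 0 word group group1 guest expiry-time 11:10 expiry-date 12/12/2014 data-limit 10 committed-downlink 103 committed-uplink 100 reduced-downlink 102 reduced-uplink 101
 user staff1 password 2 ENCRYPTED-PLACEHOLDER group staff
 user kiosk password 0 kiosk@1 group wdws guest expiry-time 23:59 expiry-date 12/31/2030 access-duration 0
"""

# Keywords from the `user` syntax that take exactly one value.
VALUE_KEYWORDS = {
    "group", "expiry-time", "expiry-date", "access-duration", "data-limit",
    "committed-downlink", "committed-uplink", "reduced-downlink",
    "reduced-uplink", "email-id", "start-time", "start-date", "telephone",
}


@dataclass
class PoolUser:
    name: str
    password_form: str = ""   # "0" = unencrypted, "2" = encrypted, "" = bare <PASSWORD>
    guest: bool = False
    attrs: dict = field(default_factory=dict)


def parse_user_line(line: str):
    """Return a PoolUser for a `user ...` line, or None for any other line."""
    toks = line.split()
    if len(toks) < 2 or toks[0] != "user":
        return None
    user = PoolUser(name=toks[1])
    i = 2
    while i < len(toks):
        tok = toks[i]
        if tok == "password":
            # `password 0 <pw>` / `password 2 <pw>` carry a form digit;
            # the bare `password <pw>` form does not.
            if i + 2 < len(toks) and toks[i + 1] in ("0", "2"):
                user.password_form = toks[i + 1]
                i += 3
            else:
                i += 2
        elif tok == "guest":
            user.guest = True
            i += 1
        elif tok in VALUE_KEYWORDS and i + 1 < len(toks):
            user.attrs[tok] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unexpected token {tok!r} in: {line.strip()}")
    return user


def parse_pool(text: str):
    return [u for u in map(parse_user_line, text.splitlines()) if u is not None]


def guest_expiry(user: PoolUser):
    """Combine expiry-date (MM/DD/YYYY) and expiry-time (HH:MM) into one datetime."""
    date, time = user.attrs.get("expiry-date"), user.attrs.get("expiry-time")
    if not (date and time):
        return None
    return datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M")


def audit_pool(text: str, now: str):
    """Return (username, finding) pairs. `now` is 'MM/DD/YYYY HH:MM'."""
    ref = datetime.strptime(now, "%m/%d/%Y %H:%M")
    findings = []
    for user in parse_pool(text):
        if user.password_form != "2":
            # Form 0 and the bare form leave the secret readable in show output.
            findings.append((user.name, "password-visible-in-config"))
        if user.guest:
            expiry = guest_expiry(user)
            if expiry is None:
                findings.append((user.name, "guest-without-expiry"))
            elif expiry <= ref:
                # Stale guest entries remain in the pool until removed with `no user`.
                findings.append((user.name, "expired-guest"))
            if user.attrs.get("access-duration") == "0":
                # Page: access-duration 0 means unlimited captive-portal access.
                findings.append((user.name, "unlimited-access-duration"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_pool(SAMPLE_CONTEXT, "01/01/2015 09:00"):
        print(f"{name}: {finding}")
```

Feed it the text of a real `show context radius-user-pool-policy` listing and a reference time; a line with a keyword the parser does not know raises rather than silently skipping it, so a new syntax form is noticed instead of audited incorrectly.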
Related Commands
  no    Deletes a user from a RADIUS user pool

16.3.3 no
radius-user-pool-policy
Negates a command or sets its default. When used in the RADIUS user pool policy mode, the no command deletes a user from a RADIUS user pool
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  no user <USERNAME>
Parameters
  no user <USERNAME>
  no user <USERNAME>
        Deletes a RADIUS user
        <USERNAME>   Specify the user name.
Example
The following example shows the RADIUS user pool wdws settings before the no command is executed:
  rfs4000-229D58(config-radius-user-pool-wdws)#show context
  radius-user-pool-policy wdws
   user guestuser1 password 0 guestuser@1 group wdws guest expiry-time 12:30 expiry-date 12/15/2014 access-duration 500
  rfs4000-229D58(config-radius-user-pool-wdws)#
  rfs4000-229D58(config-radius-user-pool-wdws)#no user guestuser1
The following example shows the RADIUS user pool wdws settings after the no command is executed:
  rfs4000-229D58(config-radius-user-pool-wdws)#show context
  radius-user-pool-policy wdws
  rfs4000-229D58(config-radius-user-pool-wdws)#
Related Commands
  user    Configures the RADIUS user parameters

17 RADIO-QOS-POLICY
This chapter summarizes the radio QoS policy in the CLI command structure.
Configuring and implementing a radio QoS policy is essential for WLANs with heavy traffic and less bandwidth. The policy enables you to provide preferential service to selected network traffic by controlling bandwidth allocation. The radio QoS policy can be applied to VLANs configured on an access point. In case no VLANs are configured, the radio QoS policy can be applied to an access point's Ethernet and radio ports.
Without a dedicated QoS policy, a network operates on a best-effort delivery basis, meaning all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped!
When configuring a QoS policy for a radio, select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide deployment customizations best suited to each QoS policy's intended wireless client base. A well designed QoS policy should:
  - Classify and mark data traffic to accurately prioritize and segregate it (by access category) throughout the network.
  - Minimize network delay and jitter for latency sensitive traffic.
  - Ensure higher priority traffic has a better likelihood of delivery in the event of network congestion.
  - Prevent ineffective utilization of access points degrading session quality by configuring admission control mechanisms within each radio QoS policy.
Within a managed wireless network, wireless clients supporting low and high priority traffic contend with one another for access and data resources. The IEEE 802.11e amendment has defined Enhanced Distributed Channel Access (EDCA) mechanisms stating high priority traffic can access the network sooner than lower priority traffic. The EDCA defines four traffic classes (or access categories): voice (highest), video (next highest), best effort, and background (lowest). The EDCA has defined a time interval for each traffic class, known as the Transmit Opportunity (TXOP). The TXOP prevents traffic of a higher priority from completely dominating the wireless medium, thus ensuring lower priority traffic is still supported.
IEEE 802.11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery (U-APSD) that provides a mechanism for wireless clients to retrieve packets buffered by an access point. U-APSD reduces the amount of signaling frames sent from a client to retrieve buffered data from an access point. U-APSD also allows access points to deliver buffered data frames as bursts, without backing off between data frames. These improvements are useful for voice clients, as they provide improved battery life and call quality.
The Wi-Fi Alliance has created Wireless Multimedia (WMM) and WMM Power Save (WMM-PS) certification programs to ensure interoperability between 802.11e WLAN infrastructure implementations and wireless clients. A managed wireless network supports both WMM and WMM-Power Save techniques. WMM and WMM-PS (U-APSD) are enabled by default in each WLAN profile. Enabling WMM support on a WLAN only advertises the WLAN's WMM capability and radio configuration to wireless clients. The wireless clients must also support WMM and use the values correctly while accessing the WLAN to benefit.
WMM includes advanced parameters (CWMin, CWMax, AIFSN and TXOP) specifying back-off duration and inter-frame spacing when accessing the network. These parameters are relevant to both connected access point radios and their wireless clients. Parameters impacting access point transmissions to their clients are controlled using per radio WMM settings, while parameters used by wireless clients are controlled by a WLAN's WMM settings.
Wireless network controllers (access points, controllers, and service platforms) include a Session Initiation Protocol (SIP), Skinny Call Control Protocol (SCCP) and Application Layer Gateway (ALG) enabling devices to identify voice streams and dynamically set voice call bandwidth. Wireless network controllers also support static QoS mechanisms per WLAN to provide prioritization of WLAN traffic when legacy (non WMM) clients are deployed. When enabled on a WLAN, traffic forwarded to a client is prioritized and forwarded based on the WLAN's WMM access control setting.
NOTE: Statically setting a WLAN WMM access category value only prioritizes traffic to the client.
Wireless network administrators can also assign weights to each WLAN in relation to user priority levels. The lower the weight, the lower the priority. Use a weighted technique to achieve different QoS levels across WLANs.
All devices rate-limit bandwidth for WLAN sessions. This form of per-user rate limiting enables administrators to define uplink and downlink bandwidth limits for users and clients. This sets the level of traffic a user or client can forward and receive over the WLAN. If the user or client exceeds the limit, excess traffic is dropped. Rate limits can be applied to WLANs using groups defined locally or externally from a RADIUS server using Vendor Specific Attributes (VSAs). Rate limits can be applied to users authenticating using 802.1X, captive portal authentication, and devices using MAC authentication.
Use the (config) instance to configure radio QoS policy related configuration commands. To navigate to the radio QoS policy instance, use the following commands:
  <DEVICE>(config)#radio-qos-policy <POLICY-NAME>
  rfs6000-37FABE(config)#radio-qos-policy test
  rfs6000-37FABE(config-radio-qos-test)#?
  Radio QoS Mode commands:
    accelerated-multicast   Configure multicast streams for acceleration
    admission-control       Configure admission-control on this radio for one or more access categories
    no                      Negate a command or set its defaults
    smart-aggregation       Configure smart aggregation parameters
    wmm                     Configure 802.11e/Wireless MultiMedia parameters

    clrscr                  Clears the display screen
    commit                  Commit all changes made in this session
    do                      Run commands from Exec mode
    end                     End current mode and change to EXEC mode
    exit                    End current mode and down to previous mode
    help                    Description of the interactive help system
    revert                  Revert changes
    service                 Service Commands
    show                    Show running system information
    write                   Write running configuration to memory or terminal
  rfs6000-37FABE(config-radio-qos-test)#
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

17.1 radio-qos-policy
RADIO-QOS-POLICY
The following table summarizes radio QoS policy configuration commands:
Table 17.1 Radio-QoS-Policy-Config Commands
  Command                 Description                                                                       Reference
  accelerated-multicast   Configures multicast streams for acceleration                                     page 17-5
  admission-control       Enables admission control across all radios for one or more access categories   page 17-6
  no                      Negates a command or resets configured settings to their default                  page 17-10
  smart-aggregation       Configures smart aggregation parameters                                           page 17-12
  service                 Invokes service commands in the radio QoS configuration mode                      page 17-14
  wmm                     Configures 802.11e/wireless multimedia parameters                                 page 17-16
NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

17.1.1 accelerated-multicast
radio-qos-policy
Configures multicast streams for acceleration. Multicasting allows group transmission of data streams.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  accelerated-multicast [client-timeout|max-client-streams|max-streams|overflow-policy|stream-threshold]
  accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>|max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>]
Parameters
  accelerated-multicast [client-timeout <5-6000>|max-client-streams <1-4>|max-streams <0-256>|overflow-policy [reject|revert]|stream-threshold <1-500>]
  client-timeout <5-6000>
        Configures a timeout period in seconds for wireless clients
        <5-6000>   Specify a value from 5 - 6000 seconds. The default is 60 seconds.
  max-client-streams <1-4>
        Configures the maximum number of accelerated multicast streams per client
        <1-4>   Specify a value from 1 - 4. The default is 2.
  max-streams <0-256>
        Configures the maximum number of accelerated multicast streams per radio
        <0-256>   Specify a value from 0 - 256. The default is 25.
  overflow-policy [reject|revert]
        Specifies the policy in case too many clients register simultaneously. The radio QoS policy can be configured to follow one of the following courses of action:
        reject   Rejects new clients. The default overflow policy is reject.
        revert   Reverts to regular multicast delivery
        When the number of wireless clients using accelerated multicast exceeds the configured value (max-streams), the radio can either reject new wireless clients or revert existing clients to a non-accelerated state.
  stream-threshold <1-500>
        Configures the number of multicast packets per second threshold value. Once this threshold is crossed, the system triggers streams to accelerate.
        <1-500>   Specify a value from 1 - 500. The default is 25 packets per second.
Example
  rfs6000-37FABE(config-radio-qos-test)#accelerated-multicast client-timeout 500
  rfs6000-37FABE(config-radio-qos-test)#accelerated-multicast stream-threshold 15
  rfs6000-37FABE(config-radio-qos-test)#show context
  radio-qos-policy test
   accelerated-multicast stream-threshold 15
   accelerated-multicast client-timeout 500
  rfs6000-37FABE(config-radio-qos-test)#
Related Commands
  no    Reverts accelerated multicasting settings to their default

17.1.2 admission-control
radio-qos-policy
Enables admission control across all radios for one or more access categories. Enabling admission control for an access category ensures that clients associated to an access point complete WMM admission control before using that access category.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  admission-control [background|best-effort|firewall-detected-traffic|implicit-tspec|video|voice]
  admission-control [firewall-detected-traffic|implicit-tspec]
  admission-control [background|best-effort|video|voice] {max-airtime-percent|max-clients|max-roamed-clients|reserved-for-roam-percent}
  admission-control [background|best-effort|video|voice] {max-airtime-percent <0-150>|max-clients <0-256>|max-roamed-clients <0-256>|reserved-for-roam-percent <0-150>}
Parameters
  admission-control [firewall-detected-traffic|implicit-tspec]
  admission-control firewall-detected-traffic
        Enforces admission control for traffic whose access category is detected by the firewall ALG, for example SIP voice calls. This feature is enabled by default. When enabled, the firewall simulates reception of frames for voice traffic when the voice traffic was originated via SIP or SCCP control traffic. If a client exceeds configured values, the call is stopped and/or received voice frames are forwarded at the next non admission controlled traffic class priority. This applies only to clients that do not send TSPEC frames.
  admission-control implicit-tspec
        Enables implicit traffic specifiers for clients that do not support WMM TSPEC, but are accessing admission-controlled access categories. This feature is enabled by default. This feature requires wireless clients to send their traffic specifications to an access point before they can transmit or receive data. If enabled, this setting applies to this radio QoS policy. When enabled, the access point simulates the reception of frames for any traffic class by looking at the amount of traffic the client is receiving and sending. If the client sends more traffic than has been configured for an admission controlled traffic class, the traffic is forwarded at the priority of the next non admission controlled traffic class. This applies only to clients that do not send TSPEC frames.
  admission-control [background|best-effort|video|voice] {max-airtime-percent <0-150>|max-clients <0-256>|max-roamed-clients <0-256>|reserved-for-roam-percent <0-150>}
  admission-control background      Configures background access category admission control parameters
  admission-control best-effort     Configures best effort access category admission control parameters
  admission-control video           Configures video access category admission control parameters
  admission-control voice           Configures voice access category admission control parameters
  max-airtime-percent <0-150>
        Optional. Specifies the maximum percentage of airtime, including oversubscription, for the following access category:
        background    Sets the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for low (background) client traffic. Background traffic only needs a short radio airtime to process, so set an intermediate airtime value if this radio QoS policy is reserved to support background data.
        best-effort   Sets the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for normal (best-effort) client traffic. Normal best effort traffic needs a short radio airtime to process, so set an intermediate airtime value if this radio QoS policy is reserved for best effort data support.
        video         Sets the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for video supported client traffic. Video traffic requires longer radio airtime to process, so set a longer airtime value if this radio QoS policy is intended to support video.
        voice         Sets the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for voice supported client traffic. Voice traffic requires longer radio airtime to process, so set a longer airtime value if this radio QoS policy is intended to support voice.
        The following keyword is common to all of the above traffic types:
        <0-150>   Specify a value from 0 - 150. This is the maximum percentage of airtime, including oversubscription, for the selected access category. The default is 75%.
  max-clients <0-256>
        Optional. Specifies the maximum number of wireless clients admitted to the following access categories:
        background    Sets the number of wireless clients supporting low (background) traffic allowed to exist (and consume bandwidth) within the radio's QoS policy
        best-effort   Sets the number of wireless clients supporting normal (best-effort) traffic allowed to exist (and consume bandwidth) within the radio's QoS policy
        video         Sets the number of video supported wireless clients allowed to exist (and consume bandwidth) within the radio's QoS policy.
        voice         Sets the number of voice supported wireless clients allowed to exist (and consume bandwidth) within the radio's QoS policy. Since voice and video supported wireless clients use a greater portion of a controller's resources than lower bandwidth traffic (like low and best effort categories), consider setting the max-client value proportionally to the number of other QoS policies supporting voice access category clients.
        The following keyword is common to all of the above traffic types:
        <0-256>   Specify a value from 0 - 256. This is the maximum number of wireless clients admitted to the selected access category. The default is 100 clients.
  max-roamed-clients <0-256>
        Optional. Specifies the maximum number of roaming wireless clients admitted to the selected access category
        background    Sets the number of low (background) supported wireless clients allowed to roam to a different access point radio
        best-effort   Sets the number of normal (best-effort) supported wireless clients allowed to roam to a different access point radio
        video         Sets the number of video supported wireless clients allowed to roam to a different access point radio
        voice         Sets the number of voice supported wireless clients allowed to roam to a different access point radio
        The following keyword is common to all of the above traffic types:
        <0-256>   Specify a value from 0 - 256. This is the maximum number of roaming wireless clients admitted to the selected access category. The default is 10 roamed clients.
  reserved-for-roam-percent <0-150>
        Optional. Calculates the percentage of air time, including oversubscription, allocated exclusively for roaming clients. This value is calculated relative to the configured max air time for this access category.
        background    Sets the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for low (background) supported clients who have roamed to a different radio.
        best-effort   Sets the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for normal (best-effort) supported clients who have roamed to a different radio.
        video         Sets the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for video supported clients who have roamed to a different radio.
        voice         Sets the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for voice supported clients who have roamed to a different radio.
        The following keyword is common to all of the above traffic types:
        <0-150>   Specify a value from 0 - 150. This is the percentage of air time, including oversubscription, allocated exclusively for roaming clients associated with the selected access category. The default is 10%.
Example
  rfs6000-37FABE(config-radio-qos-test)#admission-control best-effort max-clients 200
  rfs6000-37FABE(config-radio-qos-test)#admission-control voice reserved-for-roam-percent 8
  rfs6000-37FABE(config-radio-qos-test)#admission-control voice max-airtime-percent 9
  rfs6000-37FABE(config-radio-qos-test)#show context
  radio-qos-policy test
   admission-control voice max-airtime-percent 9
   admission-control voice reserved-for-roam-percent 8
   admission-control best-effort max-clients 200
   accelerated-multicast stream-threshold 15
   accelerated-multicast client-timeout 500
  rfs6000-37FABE(config-radio-qos-test)#
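To make the interaction of the four per-category parameters concrete, here is an added model (not the vendor's code, and not how the device is documented to compute the decision internally) of the admission decision for one radio QoS policy. It takes the page's defaults (75% airtime, 100 clients, 10 roamed clients, 10% reserved for roaming, the last relative to the max airtime) and the page's own example values (voice max-airtime-percent 9 and reserved-for-roam-percent 8, best-effort max-clients 200). Two things are assumptions: that configuring any parameter for a category enables admission control for it, and the order in which the limits are checked. `fallback_category` encodes the page's statement that a non-TSPEC client's excess traffic is forwarded at the priority of the next non admission controlled class.

```python
"""Assumed model of per-access-category WMM admission control. Added
example, not the vendor's code."""
from dataclasses import dataclass

# EDCA access categories in priority order, highest first (from the page).
CATEGORIES = ["voice", "video", "best-effort", "background"]


@dataclass
class AcConfig:
    enabled: bool = False                    # assumption: set when any parameter is configured
    max_airtime_percent: float = 75.0        # page default 75%
    max_clients: int = 100                   # page default 100 clients
    max_roamed_clients: int = 10             # page default 10 roamed clients
    reserved_for_roam_percent: float = 10.0  # page default 10%, relative to max airtime


@dataclass
class AcState:
    airtime_used: float = 0.0
    clients: int = 0
    roamed_clients: int = 0


def admit(cfg: AcConfig, state: AcState, airtime_percent: float, roaming: bool):
    """Decide whether one client's request fits; update `state` if admitted.

    Returns (admitted, reason). Assumed model: the reserved share of the max
    airtime is held back from non-roaming clients, and roaming clients are
    additionally capped by max_roamed_clients.
    """
    if not cfg.enabled:
        return True, "no admission control for this category"
    reserved = cfg.max_airtime_percent * cfg.reserved_for_roam_percent / 100.0
    ceiling = cfg.max_airtime_percent if roaming else cfg.max_airtime_percent - reserved
    if state.airtime_used + airtime_percent > ceiling:
        return False, "airtime"
    if state.clients + 1 > cfg.max_clients:
        return False, "max-clients"
    if roaming and state.roamed_clients + 1 > cfg.max_roamed_clients:
        return False, "max-roamed-clients"
    state.airtime_used += airtime_percent
    state.clients += 1
    if roaming:
        state.roamed_clients += 1
    return True, "admitted"


def fallback_category(policy: dict, category: str):
    """Next lower-priority category without admission control, or None.

    Per the page, traffic of a non-TSPEC client that exceeds the configured
    limit for an admission-controlled class is forwarded at this priority.
    """
    for lower in CATEGORIES[CATEGORIES.index(category) + 1:]:
        if not policy[lower].enabled:
            return lower
    return None


def example_policy():
    """The page's example: voice max-airtime 9 / reserved-for-roam 8, best-effort max-clients 200."""
    policy = {cat: AcConfig() for cat in CATEGORIES}
    policy["voice"] = AcConfig(enabled=True, max_airtime_percent=9.0, reserved_for_roam_percent=8.0)
    policy["best-effort"] = AcConfig(enabled=True, max_clients=200)
    return policy


if __name__ == "__main__":
    policy, state = example_policy(), AcState()
    # Constructed requests: three local clients, then one roaming client.
    for airtime, roaming in [(4.0, False), (4.0, False), (1.0, False), (1.0, True)]:
        print(airtime, "roaming" if roaming else "local", admit(policy["voice"], state, airtime, roaming))
    print("voice overflow falls back to:", fallback_category(policy, "voice"))
```

With the page's voice values, 8% of the 9% max airtime (0.72%) is held for roamers, so the third local client is refused on airtime while a roaming client requesting the same amount is still admitted; that is the practical effect of reserved-for-roam-percent being relative to max-airtime-percent rather than to the whole radio.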
Related Commands
no Reverts or resets admission control settings to their default

17.1.3 no
radio-qos-policy
Negates a command or resets configured settings to their default. When used in the radio QoS policy mode, the no command resets accelerated multicast parameters, admission control parameters, and MultiMedia parameters.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [accelerated-multicast|admission-control|smart-aggregation|wmm|service]
no accelerated-multicast [client-timeout|max-client-streams|max-streams|
overflow-policy|stream-threshold]
no admission-control [firewall-detected-traffic|implicit-tspec|background|
best-effort|video|voice]
no admission-control [firewall-detected-traffic|implicit-tspec]
no admission-control [background|best-effort|video|voice] {max-airtime-percent|
max-clients|max-roamed-clients|reserved-for-roam-percent}
no smart-aggregation {delay|max-mesh-hops|min-aggregation-limit}
no smart-aggregation {delay [background|best-effort|streaming-video|
video-conferencing|voice]|max-mesh-hops|min-aggregation-limit}
no wmm [background|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit]
no service admission-control across-reassoc
Parameters
no <PARAMETERS>
no <PARAMETERS> Negates a command or resets configured settings to their default. When used in the radio QoS policy mode, the no command resets accelerated multicast parameters, admission control parameters, and MultiMedia parameters.
Example
The following example shows the radio-qos-policy test settings before the no commands are executed:
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 admission-control best-effort max-clients 200
 accelerated-multicast stream-threshold 15
 accelerated-multicast client-timeout 500
rfs6000-37FABE(config-radio-qos-test)#
rfs6000-37FABE(config-radio-qos-test)#no admission-control best-effort max-clients
rfs6000-37FABE(config-radio-qos-test)#no accelerated-multicast client-timeout
The following example shows the radio-qos-policy test settings after the no commands are executed:
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 accelerated-multicast stream-threshold 15
rfs6000-37FABE(config-radio-qos-test)#
rfs4000-229D58(config-radio-qos-test)#show context
radio-qos-policy test
 service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#
rfs4000-229D58(config-radio-qos-test)#no service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#show context
radio-qos-policy test
rfs4000-229D58(config-radio-qos-test)#
17.1.4 smart-aggregation
radio-qos-policy
Configures smart aggregation parameters on this Radio QoS policy. Smart aggregation is disabled by default.
Smart aggregation enhances frame aggregation by dynamically selecting the time at which the aggregated frame is transmitted. In typical frame aggregation, an aggregated frame is sent when:
A pre-configured number of aggregated frames is reached
An administrator-defined interval has elapsed since the first frame (of a set of frames to be aggregated) was received
An administrator-defined interval has elapsed since the last frame (not necessarily the final frame) of a set of frames to be aggregated was received
With this enhancement, an aggregation delay is set uniquely for each traffic class. For example, voice traffic might not be aggregated at all but sent immediately, whereas background data traffic is given a delay during which frames are aggregated, and the aggregated frames are then sent.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
smart-aggregation {delay|max-mesh-hops|min-aggregation-limit}
smart-aggregation {delay [background|best-effort|streaming-video|video-
conferencing|voice] <0-1000>}
smart-aggregation {max-mesh-hops <1-10>}
smart-aggregation {min-aggregation-limit <0-64>}
Parameters smart-aggregation {delay [background|best-effort|streaming-video|video-
conferencing|voice] <0-1000>}
delay Optional. Configures the maximum delay parameter for each traffic type. This is the maximum delay, in milliseconds, in the transmission of the first frame received.
background Configures the maximum delay, in milliseconds, for background traffic (250 msec)
best-effort Configures the maximum delay, in milliseconds, for best effort traffic (150 msec)
streaming-video Configures the maximum delay, in milliseconds, for streaming video traffic (150 msec)
video-conferencing Configures the maximum delay, in milliseconds, for video conference traffic (40 msec)
voice Configures the maximum delay, in milliseconds, for voice traffic (0 msec)
This parameter is common to all of the above traffic types:
<0-1000> Specify a value from 0 - 1000 msec.
smart-aggregation {max-mesh-hops <1-10>}
max-mesh-hops <1-10> Optional. Sets the maximum number of expected hops to the destination within a mesh
<1-10> Specify a value from 1 - 10. The default is 3 hops.
smart-aggregation {min-aggregation-limit <0-64>}
min-aggregation-limit <0-64> Optional. Sets the minimum number of aggregates buffered before an aggregate is sent
<0-64> Specify a value from 0 - 64. The default is 8 frames.
Example
rfs6000-37FABE(config-radio-qos-test)#smart-aggregation delay voice 50
rfs6000-37FABE(config-radio-qos-test)#smart-aggregation delay background 100
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 smart-aggregation delay voice 50
 smart-aggregation delay background 100
rfs6000-37FABE(config-radio-qos-test)#
Related Commands
no Resets the minimum aggregation limit

17.1.5 service
radio-qos-policy
Invokes service commands in the radio QoS configuration mode
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
service [admission-control|show]
service admission-control across-reassoc
service show cli
Parameters
service admission-control across-reassoc
service Invokes service commands
admission-control across-reassoc Retains previously negotiated TSPEC parameters across re-associations on the radio. For more information on admission-control parameters, see admission-control.
service show cli
service show Displays running system information
cli Displays the Radio QoS mode's CLI tree
Example
rfs4000-229D58(config-radio-qos-test)#service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#show context
radio-qos-policy test
 service admission-control across-reassoc
rfs4000-229D58(config-radio-qos-test)#
rfs4000-229D58(config-radio-qos-test)#service show cli Radio QoS Mode mode:
+-help [help]
+-search
+-WORD [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-detailed [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-only-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-skip-show [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-skip-no [help search WORD (|detailed|only-show|skip-show|skip-no)]
+-show
+-commands [show commands]
+-adoption
+-log
--More--]
Related Commands
no Disables retention of previously negotiated TSPEC parameters across re-associations on the radio

17.1.6 wmm
radio-qos-policy
Configures 802.11e wireless multimedia (wmm) parameters
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
wmm [background|best-effort|video|voice]
wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]
Parameters
wmm [background|best-effort|video|voice] [aifsn <1-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]
wmm background Configures background access category wireless multimedia settings
wmm best-effort Configures best effort access category wireless multimedia settings
wmm video Configures video access category wireless multimedia settings
wmm voice Configures voice access category wireless multimedia settings
aifsn <1-15> Configures the Arbitrary Inter-Frame Space Number (AIFSN), the wait time between data frames derived from the AIFSN and the slot time
background Sets the current AIFSN for low (background) traffic. The default is 7.
best-effort Sets the current AIFSN for normal (best-effort) traffic. The default is 3.
video Sets the current AIFSN for video traffic. Higher-priority traffic categories such as video should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default is 1.
voice Sets the current AIFSN for voice traffic. Higher-priority traffic categories such as voice should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default is 1.
The following keyword is common to all of the above traffic types:
<1-15> Sets a value from 1 - 15
cw-max <0-15> Clients pick a number between 0 and the minimum contention window to wait before retransmission. Clients then double their wait time on a collision, until it reaches the maximum contention window.
background Sets CW Max for low (background) traffic. The default is 10.
best-effort Sets CW Max for normal (best effort) traffic. The default is 6.
voice Sets CW Max for voice traffic. The default is 3.
video Sets CW Max for video traffic. The default is 4.
The following keyword is common to all of the above traffic types:
<0-15> ECW: the contention window exponent. The actual value used is (2^ECW - 1). Note: Lower values are used for higher priority traffic (like video and voice) and higher values are used for lower priority traffic (like background and best-effort).
cw-min <0-15> Clients select a number between 0 and the minimum contention window to wait before retransmission. Clients then double their wait time on a collision, until it reaches the maximum contention window.
background Sets CW Min for low (background) traffic. The default is 4.
best-effort Sets CW Min for normal (best effort) traffic. The default is 4.
voice Sets CW Min for voice traffic. The default is 2.
video Sets CW Min for video traffic. The default is 3.
The following keyword is common to all of the above traffic types:
<0-15> ECW: the contention window exponent. The actual value used is (2^ECW - 1). Note: Lower values are used for higher priority traffic (like video and voice) and higher values are used for lower priority traffic (like background and best-effort).
txop-limit <0-65535> Sets the interval, in microseconds, during which a particular client has the right to initiate transmissions
background Sets TXOP for low (background) traffic. The default is 0.
best-effort Sets TXOP for normal (best effort) traffic. The default is 4.
voice Sets TXOP for voice traffic. The default is 47.
video Sets TXOP for video traffic. The default is 94.
The following keyword is common to all of the above traffic types:
<0-65535> Specify a value from 0 - 65535 to configure the transmit opportunity limit in 32 microsecond units. Note: Lower values are used for higher priority traffic (like video and voice) and higher values are used for lower priority traffic (like background and best-effort).
Usage Guidelines
Before defining a radio QoS policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:
To support QoS, each multimedia application, wireless client, and WLAN is required to support WMM.
WMM enabled clients can co-exist with non-WMM clients on the same WLAN. Non-WMM clients are always assigned a Best Effort access category.
Default WMM values are recommended for all deployments. Changing these values can lead to unexpected traffic blockages, and the blockages might be difficult to diagnose.
Overloading an access point radio with too much high priority traffic (especially voice) degrades overall service quality for all users.
TSPEC admission control is only available with newer voice over WLAN phones. Many legacy voice devices do not support TSPEC or even support WMM traffic prioritization.
Example
rfs6000-37FABE(config-radio-qos-test)#wmm best-effort aifsn 7
rfs6000-37FABE(config-radio-qos-test)#wmm voice txop-limit 1
rfs6000-37FABE(config-radio-qos-test)#show context
radio-qos-policy test
 wmm best-effort aifsn 7
 wmm voice txop-limit 1
 admission-control voice max-airtime-percent 9
 admission-control voice reserved-for-roam-percent 8
 accelerated-multicast stream-threshold 15
rfs6000-37FABE(config-radio-qos-test)#
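The wmm parameters above are exponents and unit counts rather than absolute times, and the usage guidelines warn that changing them causes hard-to-diagnose blockages. The following added example (not code from this reference guide or from the WiNG software) turns the per-category defaults from the table into effective timings using the two rules the table states (CW = 2^ECW - 1, txop-limit in 32 microsecond units) and checks the ordering rule the table describes, that a higher-priority category should never have a larger AIFSN or contention window than a lower-priority one. The SIFS and slot-time values are assumptions (OFDM values) used only to express AIFSN as microseconds.

```python
"""Effective 802.11e/WMM EDCA timings from the radio-qos-policy wmm defaults,
plus a consistency check across access categories.

Added example, not code from the CLI reference or the WiNG software. The
defaults and the CW / TXOP unit rules are the guide's; SIFS and slot time
are assumptions used only to turn AIFSN into an absolute wait.
"""
import copy

SIFS_US = 16        # assumed: OFDM short interframe space
SLOT_US = 9         # assumed: OFDM slot time
TXOP_UNIT_US = 32   # guide: txop-limit is expressed in 32 microsecond units

# Access category defaults as listed in the wmm parameter table.
DEFAULT_WMM = {
    "background":  {"aifsn": 7, "cw-min": 4, "cw-max": 10, "txop-limit": 0},
    "best-effort": {"aifsn": 3, "cw-min": 4, "cw-max": 6,  "txop-limit": 4},
    "video":       {"aifsn": 1, "cw-min": 3, "cw-max": 4,  "txop-limit": 94},
    "voice":       {"aifsn": 1, "cw-min": 2, "cw-max": 3,  "txop-limit": 47},
}

# Highest priority first; drives the ordering check below.
PRIORITY = ["voice", "video", "best-effort", "background"]

# Allowed ranges from the command syntax.
RANGES = {"aifsn": (1, 15), "cw-min": (0, 15), "cw-max": (0, 15), "txop-limit": (0, 65535)}


def cw_slots(ecw):
    """Contention window in slots from the ECW exponent: 2^ECW - 1 (guide)."""
    if not 0 <= ecw <= 15:
        raise ValueError("ECW must be 0-15")
    return (1 << ecw) - 1


def aifs_us(aifsn):
    """AIFS = SIFS + AIFSN * slot time: the wait derived from AIFSN and slot time."""
    if not 1 <= aifsn <= 15:
        raise ValueError("AIFSN must be 1-15")
    return SIFS_US + aifsn * SLOT_US


def txop_us(limit):
    """TXOP duration in microseconds from the 32 us unit count."""
    if not 0 <= limit <= 65535:
        raise ValueError("txop-limit must be 0-65535")
    return limit * TXOP_UNIT_US


def effective(params):
    """Absolute timings for one access category's wmm settings."""
    return {
        "aifs_us": aifs_us(params["aifsn"]),
        "cw_min_slots": cw_slots(params["cw-min"]),
        "cw_max_slots": cw_slots(params["cw-max"]),
        "txop_us": txop_us(params["txop-limit"]),
    }


def apply_wmm(wmm, category, key, value):
    """Return a copy of the policy with one 'wmm <category> <key> <value>' applied,
    range-checked the way the command syntax constrains it."""
    lo, hi = RANGES[key]
    if not lo <= value <= hi:
        raise ValueError(f"{key} must be {lo}-{hi}")
    new = copy.deepcopy(wmm)
    new[category][key] = value
    return new


def check_ordering(wmm):
    """Flag settings where a lower-priority category could gain the medium ahead of
    a higher-priority one (guide: higher priority should have the lower AIFSN/CW),
    and any category whose cw-min exceeds its cw-max."""
    problems = []
    for cat, p in wmm.items():
        if p["cw-min"] > p["cw-max"]:
            problems.append(f"{cat}: cw-min {p['cw-min']} exceeds cw-max {p['cw-max']}")
    for hi, lo in zip(PRIORITY, PRIORITY[1:]):
        for key in ("aifsn", "cw-min", "cw-max"):
            if wmm[hi][key] > wmm[lo][key]:
                problems.append(f"{hi} {key} {wmm[hi][key]} is higher than {lo} {key} {wmm[lo][key]}")
    return problems


if __name__ == "__main__":
    for cat in PRIORITY:
        print(cat, effective(DEFAULT_WMM[cat]))
    # Replay the guide's example: wmm best-effort aifsn 7, wmm voice txop-limit 1.
    tuned = apply_wmm(apply_wmm(DEFAULT_WMM, "best-effort", "aifsn", 7), "voice", "txop-limit", 1)
    print("problems:", check_ordering(tuned))
```

Replaying the guide's own example (best-effort aifsn 7, voice txop-limit 1) passes the ordering check because best-effort only catches up with background; pushing best-effort aifsn to 8 would put it behind background and is flagged.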
Related Commands
no Reverts or resets 802.11e/wireless multimedia settings to their default

18 ROLE-POLICY
This chapter summarizes the role policy commands in the CLI command structure.
A well defined role policy simplifies user management, and is a significant aspect of WLAN management. It acts as a role based firewall (much like ACLs) consisting of user-defined roles. Each role has a set of match criteria (filters) used to filter wireless clients. The action taken when a client matches the defined filters is determined by the IP or MAC ACL associated with the user-defined role. Based on the conditions specified in the IP and/or MAC ACL, clients are granted or denied access to the controller managed network. The role policy also defines the VLAN and data rates assigned to clients provided network access.
A role policy also enables LDAP service, allowing controllers and access points to retrieve user information from the LDAP server. This information is matched with the user-defined role filters to determine whether a client matches the role and should be allowed or denied access to the controller managed network.
Use the (config-role-policy) instance to configure role policy related configuration commands. To navigate to the config-role instance, use the following commands:
<DEVICE>(config)#role-policy <POLICY-NAME>
rfs6000-37FABE(config)#role-policy test
rfs6000-37FABE(config-role-policy-test)#?
Role Policy Mode commands:
  default-role     Configuration for Wireless Clients not matching any role
  ldap-deadperiod  Ldap dead period interval
  ldap-query       Set the ldap query mode
  ldap-server      Add a ldap server
  ldap-timeout     Ldap query timeout interval
  no               Negate a command or set its defaults
  user-role        Create a role

  clrscr           Clears the display screen
  commit           Commit all changes made in this session
  do               Run commands from Exec mode
  end              End current mode and change to EXEC mode
  exit             End current mode and down to previous mode
  help             Description of the interactive help system
  revert           Revert changes
  service          Service Commands
  show             Show running system information
  write            Write running configuration to memory or terminal
rfs6000-37FABE(config-role-policy-test)#
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

18.1 role-policy
The following table summarizes role policy configuration commands:
Table 18.1 Role-Policy-Config Commands
Command          Description                                                                                    Reference
default-role     Assigns the default role to clients not matching any of the user-defined roles defined in the role policy   page 18-3
ldap-deadperiod  Configures the Lightweight Directory Access Protocol (LDAP) deadperiod interval                page 18-5
ldap-query       Enables LDAP service and specifies the LDAP server query mode                                  page 18-6
ldap-server      Configures the LDAP server settings                                                            page 18-7
ldap-timeout     Configures the LDAP query timeout interval                                                     page 18-9
no               Negates a command or reverts settings to their default                                         page 18-10
user-role        Creates a role and associates it to the newly created role policy                              page 18-11
NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

18.1.1 default-role
role-policy
Assigns a default role to a wireless client that fails to match any of the user-defined roles
When a wireless client accesses a network, the client's details, retrieved from the LDAP server, are matched against all user-defined roles within the role policy. If the client fails to match any of these user-defined role filters, the client is assigned the default role. The action taken (permit or deny access) is determined by the IP and/or MAC ACL associated with the default role.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
default-role use [ip-access-list|ipv6-access-list|mac-access-list]
default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out]
<IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
Parameters default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out]
<IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
default-role Enables default role configuration. This role is applied to a wireless client not matching any of the user-defined roles.
use Associates an IP, IPv6, or MAC access list with the default role
[ip-access-list|ipv6-access-list|mac-access-list] Associates an IP access list, IPv6 access list, or a MAC access list with this default role
in Applies the rule (IP, IPv6, or MAC) to incoming packets
out Applies the rule (IP, IPv6, or MAC) to outgoing packets
IP and MAC access control lists (ACLs) act as firewalls by blocking and/or permitting data traffic in both directions (inbound and outbound) within a managed network. IP ACLs use IP addresses for matching operations, whereas MAC ACLs use MAC addresses. In case of a match (i.e. if a packet is received from or is destined for a specified IP or MAC address), an action is taken. This action is a typical allow, deny or mark designation applied to controller packet traffic. For more information on ACLs, see AAA-POLICY.
<IP/IPv6/MAC-ACCESS-LIST-NAME> Specify the access list name. The ACL applied determines the action applied to a client assigned the default role.
The following keyword is common to all of the above parameters:
precedence Assigns a precedence value to the ACL identified in the previous step.
<1-100> Specify a precedence from 1 - 100. ACLs are applied in increasing order of their precedence. Rules with lower precedence are given priority.
Example
rfs6000-37FABE(config-role-policy-test)#default-role use ip-access-list in test precedence 1
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
rfs6000-37FABE(config-role-policy-test)#
Related Commands
no Removes or resets the default role configuration

18.1.2 ldap-deadperiod
role-policy
Configures the LDAP deadperiod interval
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ldap-deadperiod <60-300>
Parameters
ldap-deadperiod <60-300>
ldap-deadperiod <60-300> Configures an LDAP dead period. When enabled, LDAP service allows the AP or controller to bind with the LDAP server and retrieve user details to match with user-defined role filters. The LDAP deadperiod is the interval between two consecutive attempts to bind with the LDAP server. To enable LDAP service, use the ldap-query command.
<60-300> Specify the interval from 60 - 300 seconds. The default is 120 seconds.
Example
rfs6000-37FABE(config-role-policy-test)#ldap-deadperiod 100
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-deadperiod 100
rfs6000-37FABE(config-role-policy-test)#
Related Commands
no Removes or resets the LDAP deadperiod interval

18.1.3 ldap-query
role-policy
Enables LDAP service and specifies the LDAP server query mode
Configuring the LDAP server query mode automatically enables LDAP service on this role policy. By default LDAP service is disabled.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ldap-query [self|through-controller]
Parameters
ldap-query [self|through-controller]
self Configures LDAP query mode as self. The AP directly queries the LDAP server for user information. Select self to use local LDAP server resources configured using the ldap-server command.
through-controller Configures LDAP query mode as through-controller. The AP queries the LDAP server, for user information, through the controller. Use this option when the AP is layer 2 adopted to the controller.
Example
rfs6000-37FABE(config-role-policy-test)#ldap-query self
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-deadperiod 100
rfs6000-37FABE(config-role-policy-test)#
Related Commands
no Disables LDAP service on this role policy

18.1.4 ldap-server
role-policy
Associates a specified LDAP server with this role policy. Use this command to configure the credentials needed to bind with the LDAP server.
When enabled, LDAP service allows the AP or controller to bind with the LDAP server and retrieve user details. This information is matched with the user-defined roles within the role policy. If a match is made, the user is assigned the role and allowed or denied access to the controller managed network.
You can associate two LDAP servers with a role policy, allowing failover in case the primary server is unreachable.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ldap-server <1-2> host [<IP>|<FQDN>] bind-dn <BIND-DN> base-dn <BASE-DN>
bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|
openldap])}
Parameters ldap-server <1-2> host [<IP>|<HOSTNAME>] bind-dn <BIND-DN> base-dn <BASE-DN>
bind-password <PASSWORD> {port <1-65535>} {(server-type [active-directory|
openldap])}
ldap-server <1-2> Specify the LDAP server ID from 1 - 2. The primary LDAP server (ID 1) is used to bind and query. The secondary LDAP server (ID 2) is for failover.
host [<IP>|<FQDN>] Specify the LDAP server's IP address or Fully Qualified Domain Name (FQDN).
bind-dn <BIND-DN> Specify the bind distinguished name (used for binding with the server).
base-dn <BASE-DN> Specify the base distinguished name (used for searching). This should not exceed 127 characters.
bind-password <PASSWORD> Specify the LDAP server password associated with the bind DN.
port <1-65535> Optional. Specify the LDAP server port from 1 - 65535 (default is 389).
The following keywords are common to the port parameter:
server-type Optional. Specifies the LDAP server type
active-directory Enables support for active directory attribute search. This is the default setting.
openldap Enables support for openLDAP attribute search
Usage Guidelines
Use the ldap-query command to enable LDAP service on a role policy. Use the show > role > ldap-stats command to view LDAP server status and state.
Example
rfs6000-37FABE(config-role-policy-test)#ldap-server 1 host 192.168.13.7 bind-dn "CN=Administrator,CN=Users,DC=TechPub,DC=com" base-dn "CN=Administrator,CN=Users, DC=TechPub,DC=com" bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Administrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#
Related Commands
no Removes or resets the LDAP server settings

18.1.5 ldap-timeout
role-policy
Configures the LDAP timeout interval. This is the interval after which an LDAP query is timed out.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ldap-timeout <1-5>
Parameters
ldap-timeout <1-5>
ldap-timeout <1-5> Configures the LDAP query timeout interval from 1 - 5 seconds (default is 2 seconds). When enabled, LDAP service allows the AP or controller to bind with the LDAP server and query it for user details. The LDAP query timeout is the interval between a request to and the response from the LDAP server. Once this interval is exceeded, the LDAP bind and query is timed out.
Example
rfs6000-37FABE(config-role-policy-test)#ldap-timeout 1
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-timeout 1
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Adminstrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#
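The ldap-server, ldap-timeout and ldap-deadperiod settings together determine how the AP or controller behaves when the primary LDAP server stops answering. The following is an added example, not code from this reference guide or from the WiNG software: it models the sequencing those descriptions imply (server 1 is used to bind and query, server 2 is the failover, a query with no reply within ldap-timeout seconds fails, and a server that failed is not retried until ldap-deadperiod seconds later) with the guide's defaults of 2 s and 120 s. The host names and the transport callback are constructed for the example; the exact retry sequencing is an assumption.

```python
"""Model of LDAP server selection under ldap-timeout and ldap-deadperiod.

Added example, not code from the CLI reference or the WiNG software. The
defaults (timeout 2 s, dead period 120 s) and ranges are the guide's; the
retry sequencing is an assumption drawn from the parameter descriptions.
"""
from dataclasses import dataclass, field


@dataclass
class LdapServer:
    server_id: int           # guide: 1 = primary (bind and query), 2 = failover
    host: str
    dead_until: float = 0.0  # time before which this server is skipped


@dataclass
class LdapQueryClient:
    servers: list
    timeout_s: float = 2.0       # guide: ldap-timeout default 2 seconds (1-5)
    deadperiod_s: float = 120.0  # guide: ldap-deadperiod default 120 seconds (60-300)
    attempts: list = field(default_factory=list)  # (time, server_id, outcome) audit trail

    def __post_init__(self):
        if not 1 <= self.timeout_s <= 5:
            raise ValueError("ldap-timeout must be 1-5 seconds")
        if not 60 <= self.deadperiod_s <= 300:
            raise ValueError("ldap-deadperiod must be 60-300 seconds")

    def candidates(self, now):
        """Servers eligible at time 'now', primary first."""
        return [s for s in sorted(self.servers, key=lambda s: s.server_id)
                if s.dead_until <= now]

    def query(self, now, transport):
        """transport(host, timeout_s) returns the user's attributes, or None when no
        reply arrived within timeout_s. Returns (server_id, attributes), or
        (None, None) when every eligible server timed out."""
        for s in self.candidates(now):
            result = transport(s.host, self.timeout_s)
            if result is not None:
                self.attempts.append((now, s.server_id, "ok"))
                return s.server_id, result
            # Timed out: hold this server out for one dead period so later queries
            # go straight to the failover instead of waiting on the timeout again.
            s.dead_until = now + self.deadperiod_s
            self.attempts.append((now, s.server_id, "timeout"))
        return None, None


def make_client(primary="ldap1.example.test", secondary="ldap2.example.test"):
    """Constructed two-server setup mirroring 'ldap-server 1 ...' and 'ldap-server 2 ...'."""
    return LdapQueryClient([LdapServer(1, primary), LdapServer(2, secondary)])


def simulate(client, timeline, transport):
    """Issue one query at each time in 'timeline'; return which server answered each."""
    return [client.query(t, transport)[0] for t in timeline]


if __name__ == "__main__":
    def primary_down(host, timeout):          # constructed transport: server 1 never replies
        return None if host.startswith("ldap1") else {"memberOf": "CN=Staff"}

    c = make_client()
    print(simulate(c, [0, 60, 119, 120], primary_down))
    print(c.attempts)
```

The audit trail shows the cost of the defaults: the first query at t=0 pays the 2 s timeout on server 1 before succeeding on server 2, queries during the next 120 s go directly to server 2, and at t=120 the primary is probed again (and, if still down, held out for another dead period).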
Related Commands
no Removes or resets the LDAP query timeout to default (2 seconds)

18.1.6 no
role-policy
Negates a command or resets settings to their default. When used in the config role policy mode, the no command removes or resets the role policy settings.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [default-role|ldap-deadperiod|ldap-query|ldap-server <1-2>|ldap-timeout|user-role]
no [ldap-deadperiod|ldap-query|ldap-server <1-2>|ldap-timeout]
no default-role use [ip-access-list|ipv6-access-list|mac-access-list]
no default-role use [ip-access-list|ipv6-access-list|mac-access-list] [in|out]
<IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
no user-role <ROLE-NAME>
Parameters
no <PARAMETERS>
no <PARAMETERS> Negates a command or resets settings to their default. When used in the config role policy mode, the no command removes or resets the role policy settings.
Example
The following example shows the role policy test settings before the no commands are executed:
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
 ldap-timeout 1
 ldap-deadperiod 100
 ldap-server 1 host 192.168.13.7 bind-dn CN=Adminstrator,CN=Users,DC=TechPub,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 superuser port 2
rfs6000-37FABE(config-role-policy-test)#
rfs6000-37FABE(config-role-policy-test)#no ldap-deadperiod
rfs6000-37FABE(config-role-policy-test)#no ldap-timeout
rfs6000-37FABE(config-role-policy-test)#no ldap-server 1
The following example shows the role policy test settings after the no commands are executed:
rfs6000-37FABE(config-role-policy-test)#show context
role-policy test
 default-role use ip-access-list in test precedence 1
 ldap-query self
rfs6000-37FABE(config-role-policy-test)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 18 - 10 ROLE-POLICY

18.1.7 user-role
role-policy

This command creates a user-defined role. Each user-defined role has a set of Active Directory attributes. Each attribute is matched against the information returned by the LDAP server until a complete match of the role is found.

The following table summarizes user role configuration commands:

Table 18.2 User-Role-Config Commands
 user-role            Creates a new user role and enters its configuration mode (page 18-12)
 user-role commands   Summarizes user role configuration mode commands (page 18-14)

18.1.7.1 user-role
user-role

Creates a user-defined role. Each role consists of a set of filters and an action. The filters are the match criteria used to select wireless clients, and the action defines what is done when a client matches the specified filters.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 user-role <ROLE-NAME> precedence <1-10000>

Parameters
 user-role <ROLE-NAME> precedence <1-10000>
  user-role <ROLE-NAME>   Configures the user role name
   <ROLE-NAME>            Specify a name for this user role.
  precedence <1-10000>    Sets the precedence for this role. The lower the precedence value, the higher the role's priority. Precedence determines the order in which a role is applied. If a wireless client matches multiple roles, the role with the lower precedence is applied before those with higher precedence. While there is no default precedence for a role, two or more roles can share the same precedence.

Example
 rfs6000-37FABE(config-role-policy-test)#user-role testing precedence 10
 rfs6000-37FABE(config-role-policy-test)#show context
 role-policy test
  user-role testing precedence 10
  default-role use ip-access-list in test precedence 1
 rfs6000-37FABE(config-role-policy-test)#
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#?
 Role Mode commands:
   ap-location          AP Location configuration
   assign               Assign parameters to the role
   authentication-type  Type of Authentication
   captive-portal       Captive-portal based Role Filter
   city                 City configuration
   client-identity      Client identity
   company              Company configuration
   country              Country configuration
   department           Department configuration
   emailid              Emailid configuration
   employee-type        Employee-type configuration
   employeeid           Employeeid configuration
   encryption-type      Type of encryption
   group                Group configuration
   memberOf             MemberOf configuration
   mu-mac               MU MAC address configuration
   no                   Negate a command or set its defaults
   radius-user          Radius-user configuration
   ssid                 SSID configuration
   state                State configuration
   title                Title configuration
   use                  Set setting to use
   user-defined         User-defined configuration

   clrscr               Clears the display screen
   commit               Commit all changes made in this session
   do                   Run commands from Exec mode
   end                  End current mode and change to EXEC mode
   exit                 End current mode and down to previous mode
   help                 Description of the interactive help system
   revert               Revert changes
   service              Service Commands
   show                 Show running system information
   write                Write running configuration to memory or terminal

 rfs6000-37FABE(config-role-policy-test-user-role-testing)#
Related Commands
 no   Removes an existing user role

18.1.7.2 user-role commands
user-role

The following table summarizes user role configuration mode commands:

Table 18.3 User-Role-Mode Commands
 ap-location           Configures an AP deployment location based filter (page 18-15)
 assign                Configures upstream/downstream rate limits and the VLAN ID assigned to clients matching the filters defined in the user-defined role (page 18-16)
 authentication-type   Configures an authentication type based filter (page 18-18)
 captive-portal        Configures a captive portal based filter (page 18-20)
 city                  Configures a city name based filter (page 18-21)
 client-identity       Associates a client-identity (device fingerprinting) based filter (page 18-22)
 company               Configures a company name based filter (page 18-23)
 country               Configures a country name based filter (page 18-25)
 department            Configures a department name based filter (page 18-27)
 emailid               Configures an e-mail ID based filter (page 18-29)
 employee-type         Configures an employee type based filter (page 18-31)
 employeeid            Configures an employee ID based filter (page 18-32)
 encryption-type       Configures an encryption type filter (page 18-34)
 group                 Configures a RADIUS group based filter (page 18-36)
 memberOf              Assigns an Active Directory (AD) group to this user-defined role (page 18-38)
 mu-mac                Configures a MAC address and mask based filter (page 18-39)
 no                    Removes or resets the filters configured on this user-defined role (page 18-40)
 radius-user           Configures a wireless client filter based on the RADIUS user name (page 18-42)
 ssid                  Configures an SSID based filter (page 18-44)
 state                 Configures a user role state to match (page 18-46)
 title                 Configures a title string to match (page 18-48)
 use                   Associates an IP and/or MAC ACL with this role. These ACLs specify the action taken when a client matches this user-defined role. (page 18-49)
 user-defined          Defines a filter based on an attribute defined in the Active Directory or the OpenLDAP server (page 18-52)

18.1.7.2.1 ap-location
user-role commands

Configures an AP's deployment location based filter for this user-defined role.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 ap-location [any|contains|exact|not-contains]
 ap-location any
 ap-location [contains|exact|not-contains] <WORD>

Parameters
 ap-location any
  ap-location           Specifies the AP location to match (in an RF Domain) or the AP's resident configuration
  any                   Defines the AP's location as any
 ap-location [contains|exact|not-contains] <WORD>
  ap-location           Specifies the AP location to match (in an RF Domain) or the AP's resident configuration. Select one of the following filter options: contains, exact, or not-contains.
  contains <WORD>       Applies the role if the associating AP's location contains the location string specified in the role.
   <WORD>               Specify the location string to match.
  exact <WORD>          Applies the role if the associating AP's location exactly matches the string specified in the role.
   <WORD>               Specify the exact location string to match.
  not-contains <WORD>   Applies the role if the associating AP's location does not contain the location string specified in the role.
   <WORD>               Specify the location string not to match.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#ap-location contains office
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  ap-location contains office
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
 no   Removes an AP's deployment location string from this user-defined role

18.1.7.2.2 assign
user-role commands

Configures upstream/downstream rate limits and a VLAN ID. Clients matching this user-defined role's filters are associated with the specified VLAN and assigned the specified data rates.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 assign [rate-limit|vlan]
 assign rate-limit [from-client|to-client] <1-65536>
 assign vlan <1-4094>

Parameters
 assign rate-limit [from-client|to-client] <1-65536>
  rate-limit            Assigns an upstream and downstream traffic rate limit
   from-client          Assigns a rate limit, in Kbps, for the upstream (from client) traffic
   to-client            Assigns a rate limit, in Kbps, for the downstream (to client) traffic
   <1-65536>            Specify the upstream and/or downstream rate limit from 1 - 65536 Kbps. Wireless clients matching this user-defined role are assigned the configured rate limits.
 assign vlan <1-4094>
  vlan                  Assigns a VLAN (identified by its VLAN ID). Clients matching this user-defined role are associated with the specified VLAN. The VLAN ID represents the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). This feature is disabled by default.
   <1-4094>             Specify the VLAN ID from 1 - 4094. A wireless client that fails to match any user-defined role is assigned to the default role (configured as a role policy setting) and is mapped to the default VLAN under the WLAN.

Usage Guidelines
ACLs can only be used with the tunnel or isolated-tunnel modes. They do not work with the local and automatic modes. In the case of a bridge VLAN, the default bridging mode is auto. Change the bridging mode to tunnel. This extends the controller's existing VLAN onto the AP and ensures that wireless clients are served IP addresses.

The VLAN configured under the user-defined role need not exist under the WLAN. However, when using tunneled VLAN bridges, configure an additional bridge VLAN. If the VLAN bridging mode is local, no additional VLAN configuration is required.

Example
 rfs4000-229D58(config-role-policy-test-user-role-test)#assign rate-limit to-client 200
 rfs4000-229D58(config-role-policy-test-user-role-test)#commit
 rfs4000-229D58(config-role-policy-test-user-role-test)#show context
 user-role test precedence 1
  assign vlan 1
  assign rate-limit to-client 200
 rfs4000-229D58(config-role-policy-test-user-role-test)#
The following example defines a role used to forward the IP traffic from all engineers in Test_Company, Santa Clara, USA onto VLAN 2.

1 Create a new role policy with the name test-policy.
   <DEVICE>(config)#role-policy test-policy
2 Specify the LDAP server used for this role policy.
   <DEVICE>(config-role-policy-test-policy)#ldap-query self
   <DEVICE>(config-role-policy-test-policy)#ldap-server 1 host 192.160.1.1 bind-dn CN=Administrator,CN=Users,DC=testtest,DC=com base-dn CN=Administrator,CN=Users,DC=com bind-password 0 test port 389
   <DEVICE>(config-role-policy-test-policy)#ldap-timeout 2
3 Create a user-defined role.
   <DEVICE>(config-role-policy-test-policy)#user-role SCEngineer precedence 100
4 Define the role by adding the appropriate values and match operators.
   <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#city exact santa-clara
   <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#company exact ExampleCompany
   <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#country exact usa
   <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#title contains engineer
   <DEVICE>(config-role-policy-test-policy-user-role-SCEngineer)#assign vlan 2
5 Apply the role policy to an access point.
   ap7131-99BFA8(config-device-ap7131)#use role-policy test-policy

Related Commands
 no   Removes the upstream and/or downstream rate limits applied to this user-defined role. Also removes the VLAN ID.

18.1.7.2.3 authentication-type
user-role commands

Configures the authentication type based filter for this user-defined role.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 authentication-type [any|eq|neq]
 authentication-type any
 authentication-type [eq|neq] [eap|kerberos|mac-auth|none] {(eap|kerberos|mac-auth|none)}

Parameters
 authentication-type any
  any                   The authentication type is any (eq or neq). This is the default setting.
 authentication-type [eq|neq] [eap|kerberos|mac-auth|none] {(eap|kerberos|mac-auth|none)}
  eq [eap|kerberos|mac-auth|none]    The role is applied only when the authentication type matches (equals) one or more of the following types:
   eap                  Extensible Authentication Protocol
   kerberos             Kerberos authentication
   mac-auth             MAC authentication protocol
   none                 No authentication used
                        These parameters are recursive; you can configure more than one unique authentication type for this user-defined role.
  neq [eap|kerberos|mac-auth|none]   The role is applied only when the authentication type does not match (not equals) any of the following types:
   eap                  Extensible Authentication Protocol
   kerberos             Kerberos authentication
   mac-auth             MAC authentication protocol
   none                 No authentication used
                        These parameters are recursive; you can configure more than one unique not-equal-to authentication type for this user-defined role.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#authentication-type eq kerberos
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#
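The role selection rules described in this chapter (the precedence rule of user-role, the case-sensitive any/contains/exact/not-contains string filters, the authentication-type eq/neq set filters, the assign vlan action and the fall-back to the policy's default role) modelled in Python as an added example; this is not code from the WiNG guide or the product, and every role name, attribute value and client record in it is constructed for the example.

```python
"""Added example (not code from the WiNG guide or product): a model of how a
role policy picks a user-defined role for a wireless client, following the
rules described in this chapter. All names, values and clients are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

STRING_OPS = ("any", "contains", "exact", "not-contains")
AUTH_TYPES = {"eap", "kerberos", "mac-auth", "none"}


@dataclass
class UserRole:
    name: str
    precedence: int                        # 1-10000; a lower value is applied first
    # attribute -> (operator, word), e.g. "city": ("exact", "SanJose")
    filters: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # authentication-type filter: ("eq" | "neq", {types}); None means "any"
    auth_type: Optional[Tuple[str, Set[str]]] = None
    vlan: Optional[int] = None             # assign vlan <1-4094>


def string_filter_matches(op: str, word: str, value: Optional[str]) -> bool:
    """One attribute filter (city, company, ...); case sensitive, as the guide states."""
    if op not in STRING_OPS:
        raise ValueError(f"unknown operator {op!r}")
    if op == "any":
        return True
    if value is None:   # assumption: an attribute the server did not return never matches
        return False
    if op == "contains":
        return word in value
    if op == "exact":
        return word == value
    return word not in value               # not-contains


def auth_type_matches(filt: Optional[Tuple[str, Set[str]]], client_auth: str) -> bool:
    """authentication-type any | eq <types> | neq <types>."""
    if filt is None:                       # any: the default setting
        return True
    op, types = filt
    if not types <= AUTH_TYPES or op not in ("eq", "neq"):
        raise ValueError(f"bad authentication-type filter {filt!r}")
    # eq: equals one of the configured types; neq: equals none of them
    return (client_auth in types) if op == "eq" else (client_auth not in types)


def role_matches(role: UserRole, client: Dict[str, str]) -> bool:
    """Every filter configured on the role must match for the role to apply."""
    if not auth_type_matches(role.auth_type, client.get("authentication-type", "none")):
        return False
    return all(string_filter_matches(op, word, client.get(attr))
               for attr, (op, word) in role.filters.items())


def select_role(roles: List[UserRole], client: Dict[str, str]) -> Optional[UserRole]:
    """Return the matching role with the lowest precedence value, or None when no
    user-defined role matches (the client then gets the policy's default role).
    The guide does not define tie-breaking for equal precedence; the stable sort
    keeps configuration order."""
    for role in sorted(roles, key=lambda r: r.precedence):
        if role_matches(role, client):
            return role
    return None


# Roles modelled on the guide's examples (constructed values).
ROLES = [
    UserRole("testing", 10, auth_type=("eq", {"kerberos"}),
             filters={"city": ("exact", "SanJose"), "company": ("exact", "ExampleCompany")}),
    UserRole("SCEngineer", 100, vlan=2,
             filters={"city": ("exact", "santa-clara"), "company": ("exact", "ExampleCompany"),
                      "country": ("exact", "usa"), "title": ("contains", "engineer")}),
    UserRole("guests", 500, auth_type=("neq", {"eap", "kerberos"}), vlan=99),
]

# Constructed client records: attributes as returned by the RADIUS/LDAP server
# plus the authentication type of the session.
CLIENTS = {
    "alice": {"authentication-type": "kerberos", "city": "SanJose", "company": "ExampleCompany"},
    "bob": {"authentication-type": "eap", "city": "santa-clara", "company": "ExampleCompany",
            "country": "usa", "title": "Senior engineer"},
    "carol": {"authentication-type": "mac-auth", "city": "SanJose"},
    # "sanjose" is not "SanJose": the exact filter is case sensitive, so no role matches
    "dave": {"authentication-type": "kerberos", "city": "sanjose", "company": "ExampleCompany"},
}


def evaluate_all(default_role: str = "default-role") -> Dict[str, str]:
    """Map each constructed client to the name of the role it would receive."""
    result = {}
    for name, attrs in CLIENTS.items():
        role = select_role(ROLES, attrs)
        result[name] = role.name if role else default_role
    return result


if __name__ == "__main__":
    for name, role_name in evaluate_all().items():
        print(f"{name}: {role_name}")
```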
Related Commands
 no   Removes the authentication type filter configured for this user-defined role

18.1.7.2.4 captive-portal
user-role commands

Configures a captive portal based filter for this user-defined role. A captive portal is a guest access policy that provides temporary and restrictive access to the wireless network. When applied to a WLAN, a captive portal policy ensures secure guest access. This command defines user-defined role filters based on a wireless client's state of authentication.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 captive-portal authentication-state [any|post-login|pre-login]

Parameters
 captive-portal authentication-state [any|post-login|pre-login]
  authentication-state   Defines the authentication state of a client connecting to a captive portal
  any                    Specifies any authentication state (authenticated and pending authentication). This is the default setting. This option makes no distinction on whether authentication is conducted before or after the wireless client has logged in.
  post-login             Specifies that authentication has completed successfully. This option requires the wireless client to share authentication credentials after logging into the managed network.
  pre-login              Specifies that authentication is pending. This option enables captive portal client authentication before the client is logged into the controller.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#captive-portal authentication-state pre-login
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
 no   Removes the captive portal based role filter settings

18.1.7.2.5 city
user-role commands

Configures a wireless client filter based on the city name.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 city [any|contains|exact|not-contains]
 city [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
 city [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
  city                  Specifies a wireless client filter based on how the city name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  any                   No specific city is associated with this user-defined role. This role can be applied to any wireless client from any city.
  contains <WORD>       The role is applied only when the city name, returned by the RADIUS server, contains the string specified in the role.
   <WORD>               Specify the string to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should contain the provided expression.
  exact <WORD>          The role is applied only when the city name, returned by the RADIUS server, exactly matches the string specified in the role.
   <WORD>               Specify the exact string to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should be an exact match.
  not-contains <WORD>   The role is applied only when the city name, returned by the RADIUS server, does not contain the string specified in the role.
   <WORD>               Specify the string not to match (this is case sensitive, and is compared against the city name returned by the RADIUS server). It should not contain the provided expression.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#city exact SanJose
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
 no   Removes the city name configured with this user-defined role

18.1.7.2.6 client-identity
user-role commands

Associates a client-identity (device fingerprinting) based filter. The role is assigned to a wireless client matching any of the defined client identities. For more information on configuring client identity fingerprints, see client-identity.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 client-identity <CLIENT-IDENTITY-NAME> {<CLIENT-IDENTITY-NAME>}

Parameters
 client-identity <CLIENT-IDENTITY-NAME> {<CLIENT-IDENTITY-NAME>}
  client-identity <CLIENT-IDENTITY-NAME>   Specifies the client-identity fingerprint to match (it should already exist and be configured)
   <CLIENT-IDENTITY-NAME>                  Specify the client identity signature name. Multiple client identities can be configured with a role policy.

Usage Guidelines
When associating one or more client identities with a role policy, ensure that all the client identities used by the role policy belong to a client identity group that is attached to the device or profile using the role policy. In other words, group all the client identities (used in this role policy) in a client identity group, and associate this group with the profile or device using this role policy.

For more information on configuring client identities and client identity groups, see client-identity and client-identity-group. For more information on associating a client identity group and a role policy with a profile or a device, see use.

Example
 rfs4000-229D58(config-role-policy-test-user-role-test)#client-identity TestClientIdentity
 rfs4000-229D58(config-role-policy-test-user-role-test)#commit
 rfs4000-229D58(config-role-policy-test-user-role-test)#client-identity ClientIdentityWindows
 rfs4000-229D58(config-role-policy-test-user-role-test)#
 rfs4000-229D58(config-role-policy-test-user-role-test)#show context
 user-role test precedence 1
  client-identity TestClientIdentity
  client-identity ClientIdentityWindows
 rfs4000-229D58(config-role-policy-test-user-role-test)#

Related Commands
 no   Removes the client identities associated with this role policy

18.1.7.2.7 company
user-role commands

Configures a wireless client filter based on the company name.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 company [any|contains|exact|not-contains]
 company [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
 company [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
  company               Specifies a wireless client filter based on how the company name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  any                   No specific company is associated with this user-defined role. This role is applied to any wireless client from any company (no strings to match). This is the default setting.
  contains <WORD>       The role is applied only when the company name, returned by the RADIUS server, contains the string specified in the role.
   <WORD>               Specify the string to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should contain the provided expression.
  exact <WORD>          The role is applied only when the company name, returned by the RADIUS server, exactly matches the string specified in the role.
   <WORD>               Specify the exact string to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should be an exact match.
  not-contains <WORD>   The role is applied only when the company name, returned by the RADIUS server, does not contain the string specified in the role.
   <WORD>               Specify the string not to match (this is case sensitive, and is compared against the company name returned by the RADIUS server). It should not contain the provided expression.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#company exact ExampleCompany
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
 no   Removes the company name configured with this user-defined role

18.1.7.2.8 country
user-role commands

Configures a wireless client filter based on the country name.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 country [any|contains|exact|not-contains]
 country [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
 country [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
  country               Specifies a wireless client filter based on how the country name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  any                   No specific country is associated with this user-defined role. This role is applied to any wireless client from any country (no strings to match). This is the default setting.
  contains <WORD>       The role is applied only when the country name, returned by the RADIUS server, contains the string specified in the role.
   <WORD>               Specify the string to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should contain the provided expression.
  exact <WORD>          The role is applied only when the country name, returned by the RADIUS server, exactly matches the string specified in the role.
   <WORD>               Specify the exact string to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should be an exact match.
  not-contains <WORD>   The role is applied only when the country name, returned by the RADIUS server, does not contain the string specified in the role.
   <WORD>               Specify the string not to match (this is case sensitive, and is compared against the country name returned by the RADIUS server). It should not contain the provided expression.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#country exact America
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact Examplecompany
  country exact America
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
 no   Removes the country name configured with this user-defined role

18.1.7.2.9 department
user-role commands

Configures a wireless client filter based on the department name.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 department [any|contains|exact|not-contains]
 department [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
 department [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
  department            Specifies a wireless client filter based on how the department name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  any                   No specific department is associated with this user-defined role. This role can be applied to any wireless client from any department (no strings to match). This is the default setting.
  contains <WORD>       The role is applied only when the department name, returned by the RADIUS server, contains the string specified in the role.
   <WORD>               Specify the string to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should contain the provided expression.
  exact <WORD>          The role is applied only when the department name, returned by the RADIUS server, exactly matches the string specified in the role.
   <WORD>               Specify the exact string to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should be an exact match.
  not-contains <WORD>   The role is applied only when the department name, returned by the RADIUS server, does not contain the string specified in the role.
   <WORD>               Specify the string not to match (this is case sensitive, and is compared against the department name returned by the RADIUS server). It should not contain the provided expression.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#department exact TnV
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
 no   Removes the department name configured with this user-defined role

18.1.7.2.10 emailid
user-role commands

Configures a wireless client filter based on the e-mail ID.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 emailid [any|contains|exact|not-contains]
 emailid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
 emailid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
  emailid               Specifies a wireless client filter based on how the e-mail ID, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  any                   No specific e-mail ID is associated with this user-defined role. This role can be applied to any wireless client having any e-mail ID (no strings to match). This is the default setting.
  contains <WORD>       The role is applied only when the e-mail ID, returned by the RADIUS server, contains the string specified in the role.
   <WORD>               Specify the string to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should contain the provided expression.
  exact <WORD>          The role is applied only when the e-mail ID, returned by the RADIUS server, exactly matches the string specified in the role.
   <WORD>               Specify the exact string to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should be an exact match.
  not-contains <WORD>   The role is applied only when the e-mail ID, returned by the RADIUS server, does not contain the string specified in the role.
   <WORD>               Specify the string not to match (this is case sensitive, and is compared against the e-mail ID returned by the RADIUS server). It should not contain the provided expression.

Example
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#emailid exact testing@examplecompany.com
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
 user-role testing precedence 10
  authentication-type eq kerberos
  ap-location contains office
  captive-portal authentication-state pre-login
  city exact SanJose
  company exact ExampleCompany
  country exact America
  department exact TnV
  emailid exact testing@examplecompany.com
 rfs6000-37FABE(config-role-policy-test-user-role-testing)#

Related Commands
 no   Removes the e-mail ID configured with this user-defined role

18.1.7.2.11 employee-type
user-role commands

Configures a wireless client filter based on the employee type.

Supported in the following platforms:
 Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
 Wireless Controllers: RFS4000, RFS6000
 Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
 employee-type [any|contains|exact|not-contains]
 employee-type [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

Parameters
 employee-type [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
  employee-type         Specifies a wireless client filter based on how the employee type, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
  any                   No specific employee type is associated with this user-defined role. This role can be applied to any wireless client having any employee type (no strings to match). This is the default setting.
  contains <WORD>       The role is applied only when the employee type, returned by the RADIUS server, contains the string specified in the role.
   <WORD>               Specify the string to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should contain the provided expression.
  exact <WORD>          The role is applied only when the employee type, returned by the RADIUS server, exactly matches the string specified in the role.
   <WORD>               Specify the exact string to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should be an exact match.
  not-contains <WORD>   The role is applied only when the employee type, returned by the RADIUS server, does not contain the string specified in the role.
   <WORD>               Specify the string not to match (this is case sensitive, and is compared against the employee type returned by the RADIUS server). It should not contain the provided expression.

Example
 rfs4000-229D58(config-role-policy-test-user-role-test1)#employee-type exact consultant
 rfs4000-229D58(config-role-policy-test-user-role-user1)#show context
 user-role user1 precedence 1
  employee-type exact consultant
 rfs4000-229D58(config-role-policy-test-user-role-user1)#

Related Commands
 no   Removes the employee type filter configured with this user-defined role

18.1.7.2.12 employeeid
user-role commands

Configures a wireless client filter based on the employee ID.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  employeeid [any|contains|exact|not-contains]
  employeeid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
Parameters
  employeeid [any|exact <WORD>|contains <WORD>|not-contains <WORD>]
    Specifies a wireless client filter based on how the employee ID, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
    any
      No specific employee ID is associated with this user-defined role. The role can be applied to any wireless client having any employee ID (no strings to match). This is the default setting.
    contains <WORD>
      The role is applied only when the employee ID, returned by the RADIUS server, contains the string specified in the role.
      <WORD>  Specify the string to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should contain the provided expression.
    exact <WORD>
      The role is applied only when the employee ID, returned by the RADIUS server, exactly matches the string specified in the role.
      <WORD>  Specify the exact string to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should be an exact match.
    not-contains <WORD>
      The role is applied only when the employee ID, returned by the RADIUS server, does not contain the string specified in the role.
      <WORD>  Specify the string not to match (this is case sensitive, and is compared against the employee ID returned by the RADIUS server). It should not contain the provided expression.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#employeeid contains TnVTest1
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   authentication-type eq kerberos
   ap-location contains office
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
   employeeid contains TnVTest1
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#
Related Commands
  no  Removes the employee ID configured with this user-defined role

18.1.7.2.13 encryption-type
user-role commands

Selects the encryption type for this user-defined role. Encryption ensures privacy between access points and wireless clients. There are various modes of encrypting communication on a WLAN, such as Counter-mode CBC-MAC Protocol (CCMP), Wired Equivalent Privacy (WEP), keyguard, Temporal Key Integrity Protocol (TKIP), etc.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  encryption-type [any|eq|neq]
  encryption-type any
  encryption-type [eq|neq] [ccmp|keyguard|none|tkip|wep128|wep64] {(ccmp|keyguard|none|tkip|tkip-ccmp|wep128|wep64)}
Parameters
  encryption-type any
    any  The encryption type can be any one of the listed options (ccmp|keyguard|tkip|wep128|wep64). This is the default setting.
  encryption-type [eq|neq] [ccmp|keyguard|none|tkip|wep128|wep64] {(ccmp|keyguard|none|tkip|tkip-ccmp|wep128|wep64)}
    eq [ccmp|keyguard|none|tkip|wep128|wep64]
      The role is applied only if the encryption type equals one of the following options:
        ccmp      Encryption mode is CCMP
        keyguard  Encryption mode is keyguard. Keyguard encryption shields the master encryption keys from being discovered.
        none      No encryption mode specified
        tkip      Encryption mode is TKIP
        wep128    Encryption mode is WEP128
        wep64     Encryption mode is WEP64
      These parameters are recursive, and you can configure more than one encryption type for this user-defined role.
    neq [ccmp|keyguard|none|tkip|wep128|wep64]
      The role is applied only if the encryption type is not equal to any of the following options:
        ccmp      Encryption mode is not equal to CCMP
        keyguard  Encryption mode is not equal to keyguard
        none      Encryption mode is not equal to none
        tkip      Encryption mode is not equal to TKIP
        wep128    Encryption mode is not equal to WEP128
        wep64     Encryption mode is not equal to WEP64
      These parameters are recursive, and you can configure more than one not-equal-to encryption type for this user-defined role.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#encryption-type eq wep128
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   authentication-type eq kerberos
   encryption-type eq wep128
   ap-location contains office
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
   employeeid contains TnVTest1
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#
Related Commands
  no  Removes the encryption type configured for this user-defined role

18.1.7.2.14 group
user-role commands

Configures a wireless client filter based on the RADIUS group name.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  group [any|contains|exact|not-contains]
  group [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
Parameters
  group [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
    Specifies a wireless client filter based on how the RADIUS group name matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
    any
      This user-defined role can fit into any group (no strings to match). This is the default setting.
    contains <WORD>
      The role is applied only when the RADIUS group name contains the string specified in the role.
      <WORD>  Specify the string to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should contain the provided expression.
    exact <WORD>
      The role is applied only when the RADIUS group name exactly matches the string specified in the role.
      <WORD>  Specify the exact string to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should be an exact match.
    not-contains <WORD>
      The role is applied only when the RADIUS group name does not contain the string specified in the role.
      <WORD>  Specify the string not to match (this is case sensitive, and is compared against the group name returned by the RADIUS server). It should not contain the provided expression.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#group contains testgroup
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   authentication-type eq kerberos
   encryption-type eq wep128
   ap-location contains office
   group contains testgroup
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact Example_company
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
   employeeid contains TnVTest1
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#
Related Commands
  no  Removes the group configured for this user-defined role

18.1.7.2.15 memberOf
user-role commands

Applies an Active Directory (AD) group filter to this user-defined role. A wireless client can be a member of more than one group within the AD database. This command applies an AD group based firewall, which applies a role to a wireless client only if it belongs to the specified AD group.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  memberOf <AD-GROUP-NAME>
Parameters
  memberOf <AD-GROUP-NAME>
    Applies this user-defined role to a client only if the client belongs to the specified AD group.
    <AD-GROUP-NAME>  Specify the AD group name.
Example
  rfs4000-229D58(config-role-policy-test-user-role-test)#memberOf ADTestgroup
  rfs4000-229D58(config-role-policy-test-user-role-test)#show context
  user-role test precedence 1
   assign vlan 1
   assign rate-limit to-client 200
   memberOf ADTestgroup
  rfs4000-229D58(config-role-policy-test-user-role-test)#
Related Commands
  no  Removes the AD group assigned to this user-defined role

18.1.7.2.16 mu-mac
user-role commands

Configures a MAC address and mask based filter for this role policy.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  mu-mac [<MAC>|any]
  mu-mac any
  mu-mac <MAC> {mask <MAC>}
Parameters
  mu-mac any
    any  Applies the role to any wireless client (no MAC address to match). This is the default setting.
  mu-mac <MAC> {mask <MAC>}
    Applies the role to the wireless client having the specified MAC address.
    <MAC>       Sets the MAC address in the AA-BB-CC-DD-EE-FF format.
    mask <MAC>  Optional. After specifying the client's MAC address, specify the mask in the AA-BB-CC-DD-EE-FF format. The role is applied to the wireless client exactly matching the specified MAC address and MAC mask.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#mu-mac 11-22-33-44-55-66
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   authentication-type eq kerberos
   encryption-type eq wep128
   ap-location contains office
   mu-mac 11-22-33-44-55-66
   group contains testgroup
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
   employeeid contains TnVTest1
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#
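The guide only says that a client must "exactly match the specified MAC address and MAC mask"; it does not spell out how the mask is applied. The following added Python model (not code from the guide or from WiNG) assumes the usual semantics, where only the bits set in the mask are compared, and validates the AA-BB-CC-DD-EE-FF form the command expects. The rule list and client addresses are constructed for the example.

```python
import re

# Format the guide prescribes: AA-BB-CC-DD-EE-FF. Hex digit case is accepted
# either way here (an assumption; the guide shows upper case only).
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


def mac_to_int(mac):
    """Validate the AA-BB-CC-DD-EE-FF form and convert the address to a 48-bit int."""
    if not MAC_RE.match(mac):
        raise ValueError(f"MAC must be in AA-BB-CC-DD-EE-FF format, got {mac!r}")
    return int(mac.replace("-", ""), 16)


def mu_mac_matches(rule_mac, client_mac, mask=None):
    """Return True if the client's MAC satisfies a 'mu-mac <MAC> {mask <MAC>}' filter.

    Assumed mask semantics (the guide only says the client must match address and
    mask): a bit of the client MAC is compared only where the mask bit is set, so
    'mask FF-FF-FF-00-00-00' matches every device sharing the rule's OUI.
    """
    if rule_mac == "any":  # 'mu-mac any', the default: nothing to match
        return True
    bits = mac_to_int(mask) if mask else 0xFFFFFFFFFFFF  # no mask: all 48 bits count
    return (mac_to_int(rule_mac) & bits) == (mac_to_int(client_mac) & bits)


def first_matching_rule(rules, client_mac):
    """Return the first (rule_mac, mask) pair the client matches, or None."""
    for rule_mac, mask in rules:
        if mu_mac_matches(rule_mac, client_mac, mask):
            return (rule_mac, mask)
    return None


# Constructed rules in evaluation order: the guide's example address, an OUI-wide
# entry that relies on the mask, and the catch-all default.
RULES = [
    ("11-22-33-44-55-66", None),
    ("A4-D1-D2-00-00-00", "FF-FF-FF-00-00-00"),
    ("any", None),
]
```

A mask that zeroes the low bytes is the practical use of `mask`: one role entry covers a whole vendor prefix instead of one station, which is also why a masked rule deserves a lower (earlier) precedence only when that broad match is intended.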
Related Commands
  no  Removes the MAC address and mask for this user-defined role

18.1.7.2.17 no
user-role commands

Negates a command or resets configured settings to their default. When used in the config role policy user-defined role mode, the no command removes or resets settings, such as AP location, authentication type, encryption type, captive portal, etc.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  no [ap-location|assign|authentication-type|captive-portal|city|client-identity|company|country|department|emailid|employee-type|employeeid|encryption-type|group|memberOf|mu-mac|radius-user|ssid|state|title|use|user-defined]
  no [ap-location|assign|authentication-type|city|client-identity|company|country|department|emailid|employee-type|employeeid|encryption-type|group|mu-mac|memberOf|ssid|radius-user|state|title|user-defined]
  no captive-portal authentication-state
  no use [application-policy|bonjour-gw-discovery-policy|ip-access-list|ipv6-access-list|mac-access-list|url-filter]
  no use [ip-access-list|ipv6-access-list|mac-access-list] [in|out] <IP/IPv6/MAC-ACCESS-LIST-NAME> precedence <1-100>
  no use [application-policy|bonjour-gw-discovery-policy|url-filter]
Parameters
  no <PARAMETERS>
    Negates a command or resets configured settings to their default. When used in the config role policy user-defined role mode, the no command removes or resets settings, such as AP location, authentication type, encryption type, captive portal, etc.
Usage Guidelines
  The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.
Example
  The following example shows the Role Policy test User Role testing configuration before the no commands are executed:
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   authentication-type eq kerberos
   encryption-type eq wep128
   ap-location contains office
   mu-mac 11-22-33-44-55-66
   group contains testgroup
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
   employeeid contains TnVTest1
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#

  rfs6000-37FABE(config-role-policy-test-user-role-testing)#no authentication-type
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#no encryption-type
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#no group
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#no mu-mac
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#no ap-location
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#no employeeid

  The following example shows the Role Policy test User Role testing configuration after the no commands are executed:
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#

18.1.7.2.18 radius-user
user-role commands

Configures a wireless client filter based on the RADIUS user name.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  radius-user [any|contains|ends-with|exact|not-contains|starts-with]
Parameters
  radius-user [any|contains|ends-with|exact|not-contains|starts-with]
    Specifies a wireless client filter based on how the radius-user name, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, ends-with, exact, not-contains, or starts-with.
    any
      No specific RADIUS user name is associated with this user-defined role. The role can be applied to any wireless client (no strings to match). This is the default setting.
    contains <WORD>
      The role is applied only when the radius-user name, returned by the RADIUS server, contains the string specified in the role.
      <WORD>  Specify the string to match (this is case sensitive, and is compared against the radius-user name returned by the RADIUS server). It should contain the provided expression. You can use the realm or any sub-string of the user name.
    ends-with <WORD>
      Enables role assignment on the basis of the wireless client's department and/or group code. The role is applied only when the radius-user name, returned by the RADIUS server, ends with the string specified here.
      <WORD>  Specify the string (could be a department/group code). For example: 1005000002. In this case the last three digits represent the department/group code. The remaining digits represent the user's badge number.
    exact <WORD>
      The role is applied only when the radius-user name, returned by the RADIUS server, exactly matches the string specified in the role.
      <WORD>  Specify the exact string to match (this is case sensitive, and is compared against the radius-user name returned by the RADIUS server). It should be an exact match. Provide the complete user name along with the realm.
    not-contains <WORD>
      The role is applied only when the radius-user name, returned by the RADIUS server, does not contain the string specified in the role.
      <WORD>  Specify the string not to match (this is case sensitive, and is compared against the radius-user name returned by the RADIUS server). It should not contain the provided expression.
    starts-with <WORD>
      Enables role assignment on the basis of the wireless client's department and/or group code. The role is applied only when the radius-user name, returned by the RADIUS server, starts with the string specified here.
      <WORD>  Specify the string (could be a department/group code). For example: 0026100573. The first three digits represent the department/group code. The remaining digits represent the user's badge number.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#radius-user contains test.com
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 1
   radius-user contains test.com
   company exact ExampleCompany
   emailid exact testing@examplecompany.com
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#
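The string filters in this chapter (employee-type, employeeid, group, radius-user, ssid, state, title, the city/company/country/department/emailid attributes and user-defined attributes) all share one matching vocabulary: any, contains, exact, not-contains, plus starts-with and ends-with for radius-user, every comparison case sensitive. encryption-type and authentication-type instead take eq/neq against one or more keywords. The added Python model below (written for this edit, not code from the guide or from WiNG) parses `show context` output for a role policy into roles, applies every filter on a role to a client's attribute record, and picks the role that applies. The sample context is constructed from the guide's own examples; the client records are constructed. Two assumptions are marked in the code: that lower precedence numbers win when several roles match (this section states that ordering only for ACLs), and that an attribute the RADIUS server did not return can satisfy only `any`.

```python
import re
from dataclasses import dataclass

# Attributes matched with any/contains/exact/not-contains (radius-user adds
# starts-with/ends-with). Values come from RADIUS, or from the WLAN/AP for ssid/ap-location.
STRING_FILTERS = {
    "ap-location", "city", "company", "country", "department", "emailid",
    "employee-type", "employeeid", "group", "radius-user", "ssid", "state", "title",
}
# Attributes matched with eq/neq against one or more keywords (the "recursive" parameters).
SET_FILTERS = {"authentication-type", "encryption-type"}


def match_string(op, pattern, value):
    """Case-sensitive string operators as the guide describes them."""
    if op == "any":
        return True
    if value is None:  # assumption: an attribute RADIUS did not return matches only 'any'
        return False
    checks = {
        "exact": value == pattern,
        "contains": pattern in value,
        "not-contains": pattern not in value,
        "starts-with": value.startswith(pattern),
        "ends-with": value.endswith(pattern),
    }
    if op not in checks:
        raise ValueError(f"unknown string operator {op!r}")
    return checks[op]


def match_set(op, keywords, value):
    """eq: the client's value is one of the listed keywords; neq: it is none of them."""
    if op == "any":
        return True
    if op == "eq":
        return value in keywords
    if op == "neq":
        return value not in keywords
    raise ValueError(f"unknown set operator {op!r}")


@dataclass
class UserRole:
    name: str
    precedence: int
    filters: list  # (attribute, operator, pattern or frozenset of keywords)


def parse_show_context(text):
    """Parse 'show context' lines into UserRole objects. Lines this model does not
    evaluate (assign, use, mu-mac, captive-portal, CLI prompts) are skipped."""
    roles = []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"user-role (\S+) precedence (\d+)", line)
        if header:
            roles.append(UserRole(header.group(1), int(header.group(2)), []))
            continue
        tok = line.split()
        if not roles or len(tok) < 2:
            continue
        if tok[0] == "user-defined" and len(tok) >= 3:
            # user-defined <ATTR-STRING> <op> [<WORD>]: key the filter by the attribute name
            roles[-1].filters.append(("user-defined:" + tok[1], tok[2], tok[3] if len(tok) > 3 else None))
        elif tok[0] in STRING_FILTERS:
            roles[-1].filters.append((tok[0], tok[1], tok[2] if len(tok) > 2 else None))
        elif tok[0] in SET_FILTERS:
            roles[-1].filters.append((tok[0], tok[1], frozenset(tok[2:])))
    return roles


def role_matches(role, client):
    """Every filter configured on the role must match the client's attributes."""
    for attr, op, pat in role.filters:
        value = client.get(attr)
        ok = match_set(op, pat, value) if attr in SET_FILTERS else match_string(op, pat, value)
        if not ok:
            return False
    return True


def select_role(roles, client):
    """Name of the first matching role, trying lower precedence values first
    (assumption: lower numbers win, as the guide states for ACL precedence)."""
    for role in sorted(roles, key=lambda r: r.precedence):
        if role_matches(role, client):
            return role.name
    return None


# Constructed from the guide's show-context examples (two roles in one policy).
SAMPLE_CONTEXT = """
user-role user1 precedence 1
 employee-type exact consultant
 user-defined office-location exact EcoSpace
user-role testing precedence 10
 authentication-type eq kerberos
 encryption-type eq wep128
 ap-location contains office
 group contains testgroup
 city exact SanJose
 company exact ExampleCompany
 country exact America
 department exact TnV
 emailid exact testing@examplecompany.com
 employeeid contains TnVTest1
"""
ROLES = parse_show_context(SAMPLE_CONTEXT)

# Constructed client attribute records, as RADIUS / the WLAN would supply them.
CONSULTANT = {"employee-type": "consultant", "user-defined:office-location": "EcoSpace"}
TESTER = {
    "authentication-type": "kerberos", "encryption-type": "wep128",
    "ap-location": "office-2F", "group": "eng-testgroup", "city": "SanJose",
    "company": "ExampleCompany", "country": "America", "department": "TnV",
    "emailid": "testing@examplecompany.com", "employeeid": "TnVTest1-007",
}
WRONG_CASE = dict(TESTER, city="sanjose")  # exact is case sensitive: no role applies
```

The `WRONG_CASE` record is the check worth keeping in mind when a role silently fails to apply: every operator here is case sensitive, so a directory attribute whose capitalisation differs from the configured <WORD> is enough to drop the client to the next role, or to no role at all.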
Related Commands
  no  Removes the radius-user filter

18.1.7.2.19 ssid
user-role commands

Configures an SSID based filter.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  ssid [any|exact|contains|not-contains]
  ssid any
  ssid [exact|contains|not-contains] <WORD>
Parameters
  ssid any
    Specifies a wireless client filter based on how the SSID is specified in a WLAN.
    any  The role is applied to any SSID. This is the default setting.
  ssid [exact|contains|not-contains] <WORD>
    Specifies a wireless client filter based on how the SSID is specified in a WLAN. The options are: contains, exact, or not-contains.
    exact <WORD>
      The role is applied only when the SSID, returned by the RADIUS server, exactly matches the string specified in the role.
      <WORD>  Specify the SSID string to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.
    contains <WORD>
      The role is applied only when the SSID, returned by the RADIUS server, contains the string specified in the role.
      <WORD>  Specify the SSID string to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.
    not-contains <WORD>
      The role is applied only when the SSID, returned by the RADIUS server, does not contain the string specified in the role.
      <WORD>  Specify the SSID string not to match. The SSID is case sensitive and is compared against the SSID configured for the WLAN.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#ssid not-contains DevUser
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   ssid not-contains DevUser
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#
Related Commands
  no  Removes the SSID configured for a user-defined role

18.1.7.2.20 state
user-role commands

Configures a user role state to match with this user-defined role.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  state [any|contains|exact|not-contains]
  state [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
Parameters
  state [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
    Specifies a wireless client filter option based on how the RADIUS state matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
    any
      This user role can fit any wireless client irrespective of the state (no strings to match).
    contains <WORD>
      The user role is applied only when the RADIUS state contains the string specified in the role.
      <WORD>  Specify the string to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should contain the provided expression.
    exact <WORD>
      The role is applied only when the RADIUS state exactly matches the string specified in the role.
      <WORD>  Specify the exact string to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should be an exact match.
    not-contains <WORD>
      The role is applied only when the RADIUS state does not contain the string specified in the role.
      <WORD>  Specify the string not to match (this is case sensitive, and is compared against the state returned by the RADIUS server). It should not contain the provided expression.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#state exact active
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   ssid not-contains DevUser
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
   state exact active
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#
Related Commands
  no  Removes the state filter string associated with a user role

18.1.7.2.21 title
user-role commands

Configures a title string to match.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  title [any|contains|exact|not-contains]
  title [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
Parameters
  title [any|contains <WORD>|exact <WORD>|not-contains <WORD>]
    Specifies a wireless client filter based on how the title string, returned by the RADIUS server, matches the provided expression. Select one of the following options: any, contains, exact, or not-contains.
    any
      This user role can fit any wireless client irrespective of the title (no strings to match).
    contains <WORD>
      The user role is applied only when the title string, returned by the RADIUS server, contains the string specified in the role.
      <WORD>  Specify the string to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should contain the provided expression.
    exact <WORD>
      The role is applied only when the title string, returned by the RADIUS server, exactly matches the string specified in the role.
      <WORD>  Specify the exact string to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should be an exact match.
    not-contains <WORD>
      The role is applied only when the title string, returned by the RADIUS server, does not contain the string specified in the role.
      <WORD>  Specify the string not to match (this is case sensitive, and is compared against the title returned by the RADIUS server). It should not contain the provided expression.
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#title any
Related Commands
  no  Removes the title filter string configured with a user role

18.1.7.2.22 use
user-role commands

Configures an access list based firewall with this user role.

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, firewalls are mechanisms both blocking and permitting data traffic based on inbound and outbound IP and MAC rules. IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.
Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
  use [application-policy|bonjour-gw-discovery-policy|ip-access-list|ipv6-access-list|mac-access-list|url-filter]
  use [application-policy|bonjour-gw-discovery-policy] <POLICY-NAME>
  use [ip-access-list|ipv6-access-list] [in|out] <IP/IPv6-ACCESS-LIST-NAME> precedence <1-100>
  use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>
  use url-filter <URL-FILTER-NAME>
Parameters
  use [application-policy|bonjour-gw-discovery-policy] <POLICY-NAME>
    application-policy <POLICY-NAME>
      Uses an existing Application policy with a user role. When associated, the Application policy enforces application assurance for all users using this role.
      <POLICY-NAME>  Specify the Application policy name (should be existing and configured). For more information on Application policy, see application-policy.
    bonjour-gw-discovery-policy <POLICY-NAME>
      Uses an existing Bonjour GW Discovery policy with a user role. When associated, the Bonjour GW Discovery policy is applied to the Bonjour requests coming from this specific user role.
      <POLICY-NAME>  Specify the Bonjour GW Discovery policy name (should be existing and configured). For more information on Bonjour GW Discovery policy, see bonjour-gw-discovery-policy.
  use [ip-access-list|ipv6-access-list] [in|out] <IP/IPv6-ACCESS-LIST-NAME> precedence <1-100>
    ip-access-list [in|out] <IPv4/IPv6-ACCESS-LIST-NAME> precedence <1-100>
      Uses an IPv4 or IPv6 ACL with this user role.
      in   Applies the rule to incoming packets
      out  Applies the rule to outgoing packets
      <IPv4/IPv6-ACCESS-LIST-NAME>  Specify the IPv4/IPv6 access list name.
      precedence <1-100>  After specifying the name of the access list, specify the precedence applied to it. Based on the packets received, a lower precedence value is evaluated first.
        <1-100>  Sets a precedence from 1 - 100
  use mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>
    mac-access-list [in|out] <MAC-ACCESS-LIST-NAME> precedence <1-100>
      Uses a MAC access list with this user role.
      in   Applies the rule to incoming packets
      out  Applies the rule to outgoing packets
      <MAC-ACCESS-LIST-NAME>  Specify the MAC access list name.
      precedence <1-100>  After specifying the name of the access list, specify the precedence applied to it. Based on the packets received, a lower precedence value is evaluated first.
        <1-100>  Sets a precedence from 1 - 100
  use url-filter <URL-FILTER-NAME>
    url-filter <URL-FILTER-NAME>
      Uses an existing URL filter that acts as a Web content filter firewall rule.
      <URL-FILTER-NAME>  Specify the URL filter name (should be existing and configured).
Example
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#use ip-access-list in test precedence 9
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#show context
  user-role testing precedence 10
   ssid not-contains DevUser
   captive-portal authentication-state pre-login
   city exact SanJose
   company exact ExampleCompany
   country exact America
   department exact TnV
   emailid exact testing@examplecompany.com
   state exact active
   use ip-access-list in test precedence 9
  rfs6000-37FABE(config-role-policy-test-user-role-testing)#

  rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#use bonjour-gw-discovery-policy role2
  rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#show context
  user-role bonjour_user1 precedence 2
   use bonjour-gw-discovery-policy role2
  rfs6000-37FABE(config-role-policy-bonjour_test-user-role-bonjour_user1)#

  rfs6000-37FABE(config-role-policy-bonjour_test)#show context
  role-policy bonjour_test
   user-role bonjour_user precedence 1
    mu-mac A4-D1-D2-BF-3D-19
    use bonjour-gw-discovery-policy role1
   user-role bonjour_user1 precedence 2
    mu-mac B0-65-BD-4B-BC-09
    use bonjour-gw-discovery-policy role2
  ................................................
  rfs6000-37FABE(config-role-policy-bonjour_test)#
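The `use ip-access-list [in|out] <NAME> precedence <1-100>` form attaches several access lists to one role, each in one direction, and the guide states that a lower precedence value is evaluated first. The added Python model below (written for this edit, not code from the guide or from WiNG) shows what that ordering means for a packet: the attached lists for the packet's direction are walked lowest precedence first, and the first matching rule decides. The access lists, their rules and the packets are constructed; only the list name `test` and the precedence 9 are taken from the guide's example. Assumptions are marked in the code: a list with no matching rule falls through to the next one, the `mark` action is left out, and a packet no list matches is reported as undecided rather than given a default.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclRule:
    action: str                 # the guide's allow/deny; 'mark' is omitted in this model
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass(frozen=True)
class Attachment:
    """One 'use ip-access-list [in|out] <NAME> precedence <1-100>' line on a user role."""
    direction: str
    acl_name: str
    precedence: int

    def __post_init__(self):
        # Mirror the CLI's argument constraints so a bad attachment is rejected up front.
        if self.direction not in ("in", "out"):
            raise ValueError(f"direction must be in|out, got {self.direction!r}")
        if not 1 <= self.precedence <= 100:
            raise ValueError(f"precedence must be 1-100, got {self.precedence}")


def evaluate(acls, attachments, direction, src_ip, dst_ip):
    """Return (acl_name, action) for the first rule that matches the packet.

    Lists attached in the packet's direction are tried lowest precedence first, as the
    guide states. Assumption (not on the page): a list with no matching rule falls
    through to the next list, and (None, None) means no attached list decided.
    """
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    ordered = sorted((a for a in attachments if a.direction == direction),
                     key=lambda a: a.precedence)
    for att in ordered:
        for rule in acls[att.acl_name]:
            if src in rule.src and dst in rule.dst:
                return att.acl_name, rule.action
    return None, None


def net(cidr):
    return ipaddress.ip_network(cidr)


# Constructed access lists: 'test' blocks the corporate range from one server subnet,
# 'guest' is a catch-all permit.
ACLS = {
    "test": [AclRule("deny", net("10.0.0.0/8"), net("192.168.1.0/24"))],
    "guest": [AclRule("permit", net("0.0.0.0/0"), net("0.0.0.0/0"))],
}

# Attachments as they would be configured under the role. Listed out of order on
# purpose: precedence, not configuration order, decides which list is consulted first.
ATTACHED = [
    Attachment("in", "guest", 50),
    Attachment("in", "test", 9),
]
```

The second pair of assertions is the case to watch when adding a catch-all list to a role: if the catch-all ends up with a lower precedence number than the deny list, it is consulted first and the deny never fires.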
Related Commands
  no  Removes an IP access list, a MAC access list, or a Bonjour GW Discovery policy from use with a user role

18.1.7.2.23 user-defined
user-role commands

Enables you to define a filter based on an attribute defined in the Active Directory or the OpenLDAP server.
Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  user-defined <ATTR-STRING> [any|contains|exact|not-contains]
  user-defined <ATTR-STRING> [any|contains <WORD>|exact <WORD>|not-contains <WORD>]

Parameters
  user-defined <ATTR-STRING> [any|exact <WORD>|contains <WORD>|not-contains <WORD>]

  user-defined <ATTR-STRING>
      Specify a filter based on an attribute defined in the AD or OpenLDAP server.
      <ATTR-STRING>   Specify the attribute name. After specifying the attribute name, specify the match type.
  any
      No specific string to match. This role can be applied to any wireless client. This is the default setting.
  contains <WORD>
      The role is applied only when the user-defined attribute value, returned by the RADIUS server, contains the string specified in the role.
      <WORD>   Specify the string to match (case sensitive; compared against the value returned by the RADIUS server). The attribute value must contain the provided expression.
  exact <WORD>
      The role is applied only when the user-defined attribute value, returned by the RADIUS server, exactly matches the string specified in the role.
      <WORD>   Specify the exact string to match (case sensitive; compared against the value returned by the RADIUS server). The attribute value must match exactly.
  not-contains <WORD>
      The role is applied only when the user-defined attribute value, returned by the RADIUS server, does not contain the string specified in the role.
      <WORD>   Specify the string not to match (case sensitive; compared against the value returned by the RADIUS server). The attribute value must not contain the provided expression.

Example
rfs4000-229D58(config-role-policy-test-user-role-user1)#user-defined office-location exact EcoSpace
rfs4000-229D58(config-role-policy-test-user-role-user1)#show context
user-role user1 precedence 1
 employee-type exact consultant
 user-defined office-location exact EcoSpace
rfs4000-229D58(config-role-policy-test-user-role-user1)#
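The match types above (any, exact, contains, not-contains) are case sensitive and every role carries a precedence, and the interaction between the two decides which role a client ends up with. The following Python model is an added example, not code from this guide or from Extreme Networks, and it makes two assumptions that this page does not state: roles are tried in ascending precedence order and the first role whose filters all match is applied, and a filter on an attribute the RADIUS server did not return does not match (not even not-contains). The role policy and the attribute sets are constructed to mirror the examples in this section.

```python
"""Model of WiNG user-role filter matching (added example, not guide code).

ASSUMPTIONS (not stated on this page):
  * roles are evaluated in ascending precedence order and the first role
    whose filters all match is applied;
  * a filter on an attribute the RADIUS server did not return does not
    match, even for not-contains.
"""
from dataclasses import dataclass, field


@dataclass
class Filter:
    attr: str          # attribute name, e.g. a user-defined AD/LDAP attribute
    match: str         # "any", "exact", "contains" or "not-contains"
    word: str = ""     # string to compare, case sensitive as in the guide

    def matches(self, attrs):
        if self.match == "any":
            return True                      # applies to any client
        value = attrs.get(self.attr)
        if value is None:
            return False                     # ASSUMPTION: missing attribute never matches
        if self.match == "exact":
            return value == self.word
        if self.match == "contains":
            return self.word in value
        if self.match == "not-contains":
            return self.word not in value
        raise ValueError(f"unknown match type {self.match!r}")


@dataclass
class UserRole:
    name: str
    precedence: int
    filters: list = field(default_factory=list)


def select_role(roles, attrs):
    """Return the name of the first matching role by precedence, or None."""
    for role in sorted(roles, key=lambda r: r.precedence):
        if all(f.matches(attrs) for f in role.filters):
            return role.name
    return None


# Constructed role policy mirroring the examples in this section
ROLES = [
    UserRole("user1", 1, [Filter("employee-type", "exact", "consultant"),
                          Filter("office-location", "exact", "EcoSpace")]),
    UserRole("contractor", 5, [Filter("office-location", "contains", "EcoSpace")]),
    UserRole("testing", 10, [Filter("ssid", "not-contains", "DevUser"),
                             Filter("department", "exact", "TnV")]),
    UserRole("guest", 100, [Filter("", "any")]),
]

if __name__ == "__main__":
    # Constructed attribute sets as they might be returned by RADIUS
    for attrs in ({"employee-type": "consultant", "office-location": "EcoSpace"},
                  {"office-location": "EcoSpace-Contractors"},
                  {"office-location": "ecospace", "department": "TnV", "ssid": "Corp"},
                  {}):
        print(attrs, "->", select_role(ROLES, attrs))
```

Note how contains accepts EcoSpace-Contractors while exact rejects ecospace: a loose contains filter on a high-precedence role can hand that role to an unintended group, so prefer exact for anything that grants access and keep a catch-all any role at the lowest priority.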
Related Commands
  no   Removes the user-defined filter configured with this user role

19 SMART-RF-POLICY

This chapter summarizes Self Monitoring at Run Time RF (Smart RF) management policy commands in the CLI command structure.

A Smart RF management policy defines operating and recovery parameters that can be assigned to groups of access points. A Smart RF policy is designed to scan the network to identify the best channel and transmit power for each access point radio. A Smart RF policy reduces deployment costs by scanning the RF environment to determine the best channel and transmit power configuration for each managed radio. Smart RF policies, when applied to specific RF Domains, apply site-specific deployment configurations and self-healing values to groups of devices within pre-defined physical RF coverage areas.

Smart RF centralizes the decision process and makes intelligent RF configuration decisions using information obtained from the RF environment. Smart RF helps reduce ongoing management and maintenance costs through the periodic re-calibration of the network. Re-calibration can be initiated manually or can be automatically scheduled to ensure the RF configuration is optimized to factor in RF environment changes (such as new sources of interference, or neighboring access points).

Smart RF also provides self-healing functions by monitoring the network in real time, and provides automatic mitigation from potentially problematic events such as radio interference, coverage holes and radio failures. Smart RF employs self-healing to enable a WLAN to better maintain wireless client performance and site coverage during dynamic RF environment changes, which typically require manual re-configuration to resolve.

Smart RF is supported on any RF Domain manager. In standalone environments, an individual wireless controller manages the calibration and monitoring phases. In clustered environments, a single wireless controller is elected the Smart RF master and the remaining cluster members operate as Smart RF clients. In cluster operation, the Smart RF master co-ordinates the calibration and configuration and, during the monitoring phase, receives information from the Smart RF clients.

Before defining a Smart RF policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:

- The Smart RF calibration process impacts associated users and should not be run during business or production hours. The calibration process should be performed during scheduled maintenance intervals or non-business hours.
- For Smart RF to provide effective recovery, RF planning must be performed to ensure overlapping coverage exists at the deployment site. Smart RF can only provide recovery when access points are deployed appropriately.
- Smart RF is not a solution, it is a temporary measure. Administrators need to determine the root cause of RF deterioration and fix it. Smart RF history/events can assist.
- Keep in mind that if a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS, it switches channels if radar is detected:
  - If Smart RF is enabled, the radio picks a channel defined in the Smart RF policy.
  - If Smart RF is disabled, but a Smart RF policy is mapped, the radio picks channels specified in the Smart RF policy.
  - If no Smart RF policy is mapped, the radio selects a random channel.
- If the radio is a dedicated sensor, it stops termination on that channel if a neighboring access point detects radar.
- The access point attempts to come back to its original channel (statically configured or selected by Smart RF) after the channel evacuation period has expired. Change this behavior using the dfs-rehome command from the controller or service platform CLI. This keeps the radio on the newly selected channel and prevents the radio from coming back to the original channel, even after the channel evacuation period.

NOTE: Perform RF planning to ensure overlapping coverage exists at a deployment site, for Smart RF to be a viable network performance tool. Smart RF can only provide recovery when access points are deployed appropriately. Smart RF is not a solution, it is a temporary measure. You need to determine the root cause of RF deterioration and fix it. Smart RF history/events can assist in troubleshooting.

Use the (config) instance to configure Smart RF policy related configuration commands. To navigate to the Smart RF policy instance, use the following commands:
<DEVICE>(config)#smart-rf-policy <POLICY-NAME>

rfs6000-37FABE(config)#smart-rf-policy test
rfs6000-37FABE(config-smart-rf-policy-test)#?
Smart RF Mode commands:
  area                    Specify channel list/ power for an area
  assignable-power        Specify the assignable power during power-assignment
  avoidance-time          Time to avoid a channel once dfs/adaptivity avoidance is necessary
  channel-list            Select channel list for smart-rf
  channel-width           Select channel width for smart-rf
  coverage-hole-recovery  Recover from coverage hole
  enable                  Enable this smart-rf policy
  group-by                Configure grouping parameters
  interference-recovery   Recover issues due to excessive noise and interference
  neighbor-recovery       Recover issues due to faulty neighbor radios
  no                      Negate a command or set its defaults
  sensitivity             Configure smart-rf sensitivity (Modifies various other smart-rf configuration items)
  smart-ocs-monitoring    Smart off channel scanning

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-37FABE(config-smart-rf-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

19.1 smart-rf-policy
SMART-RF-POLICY

The following table summarizes Smart RF policy configuration commands:
Table 19.1 Smart-RF-Policy-Config Commands

Command                  Description                                                                                                                                                                      Reference
area                     Configures the channel list and power for a specified area                                                                                                                       page 19-4
assignable-power         Specifies the power range during power assignment                                                                                                                                page 19-5
avoidance-time           Allows Smart RF-enabled radios to avoid Dynamic Frequency Selection (DFS) and/or adaptivity regulated channels on detection of interference or radar. This command configures the period for which the channel is avoided.   page 19-5
channel-list             Assigns the channel list for the selected frequency                                                                                                                              page 19-8
channel-width            Selects the channel width for Smart RF configuration                                                                                                                             page 19-9
coverage-hole-recovery   Enables recovery from coverage hole errors                                                                                                                                       page 19-11
enable                   Enables a Smart RF policy                                                                                                                                                        page 19-13
group-by                 Configures grouping parameters                                                                                                                                                   page 19-14
interference-recovery    Recovers issues due to excessive noise and interference                                                                                                                          page 19-15
neighbor-recovery        Enables recovery from errors due to faulty neighbor radios                                                                                                                       page 19-17
no                       Negates a command or reverts settings to their default                                                                                                                           page 19-19
sensitivity              Configures Smart RF sensitivity                                                                                                                                                  page 19-21
smart-ocs-monitoring     Applies smart off-channel scanning instead of dedicated detectors                                                                                                                page 19-23

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

19.1.1 area
smart-rf-policy

Configures the channel list and power for a specified area

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  area <AREA-NAME/STRING-ALIAS> channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

Parameters
  area <AREA-NAME/STRING-ALIAS> channel-list [2.4GHz|5GHz] <CHANNEL-LIST>

  area <AREA-NAME/STRING-ALIAS>
      Specifies the area name
      <AREA-NAME/STRING-ALIAS>   Specify the area name as clear text. Alternately, use a string alias to specify the area name. If using a string alias, ensure that the string alias is existing and configured.
  channel-list [2.4GHz|5GHz]
      Selects the channels for the specified area in the 2.4 GHz or 5.0 GHz band
      2.4GHz   Selects the channels for the specified area in the 2.4 GHz band
      5GHz     Selects the channels for the specified area in the 5.0 GHz band
  <CHANNEL-LIST>
      The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
      <CHANNEL-LIST>   Enter a comma-separated list of channels for the selected band.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#area test channel-list 2.4GHz 1,2,3
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
rfs6000-37FABE(config-smart-rf-policy-test)#

Example using a string alias for the area name:
nx9500-6C8809(config)#alias string $AREA Ecospace
nx9500-6C8809(config)#commit
nx9500-6C8809(config-smart-rf-policy-test)#exit
nx9500-6C8809(config-smart-rf-policy-Ecospace)#area $AREA channel-list 5GHz 36,44
nx9500-6C8809(config-smart-rf-policy-Ecospace)#show context
smart-rf-policy Ecospace
 area $AREA channel-list 5GHz 36,44
nx9500-6C8809(config-smart-rf-policy-Ecospace)#

Related Commands
  no   Removes channel list/power configuration for an area

19.1.2 assignable-power
smart-rf-policy

Configures the Smart RF power settings over both 2.4 GHz and 5.0 GHz radios

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  assignable-power [2.4GHz|5GHz] [max|min] <1-20>

Parameters
  assignable-power [2.4GHz|5GHz] [max|min] <1-20>

  2.4GHz [max|min] <1-20>
      Assigns a power range on the 2.4 GHz band
      max <1-20>   Sets the upper limit in the range from 1 dBm - 20 dBm (default is 17 dBm)
      min <1-20>   Sets the lower limit in the range from 1 dBm - 20 dBm (default is 4 dBm)
  5GHz [max|min] <1-20>
      Assigns a power range on the 5.0 GHz band
      max <1-20>   Sets the upper limit in the range from 1 dBm - 20 dBm (default is 17 dBm)
      min <1-20>   Sets the lower limit in the range from 1 dBm - 20 dBm (default is 4 dBm)

Example
rfs6000-37FABE(config-smart-rf-policy-test)#assignable-power 5GHz max 20
rfs6000-37FABE(config-smart-rf-policy-test)#assignable-power 5GHz min 8
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
  no   Resets assignable power to its default

19.1.3 avoidance-time
smart-rf-policy

Allows Smart RF-enabled radios to avoid channels with high levels of interference and channels where radar has been detected.

This command configures the interval for which a channel is avoided on detection of interference or radar, and is applicable only if the channel selection mode is set to Smart and a Smart RF policy is applied to the access point's RF Domain. For more information on configuring a radio's channel of operation, see channel.

Certain 5.0 GHz channels are subject to FCC / ETSI DFS regulations that require channels carrying critical radar signals to be free of interference from radio signals. Consequently, DFS-enabled 5.0 GHz radios scan and switch channels if radar is detected on their current channel of operation. If radar-free channels are not available, the radio stops transmitting until it identifies a radar-free channel.

Adaptivity is a European Union (EU) stipulation that requires access points to monitor interference levels on their current channel of operation, and stop functioning on channels with interference levels exceeding ETSI-specified threshold values. When enabled, this feature ensures recovery by switching the radio to a new channel with less interference.

Once adaptivity or DFS is triggered, the radio's channel is switched based on the channel selection mode specified. If the channel is fixed, the radio attempts to come back to its specified channel of operation after the DFS/adaptivity channel evacuation period has expired.

NOTE: To optionally prevent the radio from switching back to its original channel of operation, execute the no dfs-rehome command in the radio interface configuration mode of the access point's profile or device. For more information, see dfs-rehome.
NOTE: For radios with channel selection mode set to ACS, Random, or Fixed, the adaptivity timeout can be configured in the access point's radio interface mode. For more information, see adaptivity.

On the other hand, if the radio's channel selection mode is set to Smart or ACS, once adaptivity or DFS is triggered, the channel is avoided until the avoidance-time, specified here, expires. Once the evacuation period has expired, the channel is free for use by both Smart RF and ACS.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  avoidance-time [adaptivity|dfs] <30-3600>

Parameters
  avoidance-time [adaptivity|dfs] <30-3600>

  avoidance-time [adaptivity|dfs]
      Configures the time for which a channel is avoided after DFS or adaptivity is triggered
      adaptivity   Sets the time, in minutes, for which a radio avoids an adaptivity-regulated channel on which interference was detected
      dfs          Sets the time, in minutes, for which a radio avoids a DFS-regulated channel on which radar was detected
  <30-3600>
      Specify a value from 30 - 3600 minutes. The default for both parameters is 90 minutes.

Example
nx4500-5CFA2B(config-smart-rf-policy-test)#avoidance-time adaptivity 200
nx4500-5CFA2B(config-smart-rf-policy-test)#avoidance-time dfs 300
nx4500-5CFA2B(config-smart-rf-policy-test)#show context
smart-rf-policy test
 avoidance-time dfs 300
 avoidance-time adaptivity 200
nx4500-5CFA2B(config-smart-rf-policy-test)#

nx4500-5CFA2B(config-smart-rf-policy-test)#no avoidance-time adaptivity
nx4500-5CFA2B(config-smart-rf-policy-test)#show context include-factory | include avoidance-time
 avoidance-time dfs 300
 avoidance-time adaptivity 90
nx4500-5CFA2B(config-smart-rf-policy-test)#

Related Commands
  no   Reverts the DFS/adaptivity regulated channel avoidance time to default (90 minutes)

19.1.4 channel-list
smart-rf-policy

Assigns a list of channels, for the selected frequency, used in Smart RF scans

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  channel-list [2.4GHz|5GHz] <WORD>

Parameters
  channel-list [2.4GHz|5GHz] <WORD>

  2.4GHz <WORD>
      Assigns a channel list for the 2.4 GHz band
      <WORD>   Specify a comma separated list of channels
  5GHz <WORD>
      Assigns a channel list for the 5.0 GHz band
      <WORD>   Specify a comma separated list of channels

Example
rfs6000-37FABE(config-smart-rf-policy-test)#channel-list 2.4GHz 1,12
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
  no   Removes the channel list for the selected frequency

19.1.5 channel-width
smart-rf-policy

Selects the channel width for Smart RF configuration

NOTE: In addition to 20 MHz and 40 MHz, AP82XX also provides support for 80 MHz channels.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  channel-width [2.4GHz|5GHz]
  channel-width 2.4GHz [20MHz|40MHz|auto]
  channel-width 5GHz [20MHz|40MHz|80MHz|auto]

Parameters
  channel-width 2.4GHz [20MHz|40MHz|auto]

  2.4GHz [20MHz|40MHz|auto]
      Assigns the channel width for the 2.4 GHz band
      20MHz   Assigns the 20 MHz channel width. This is the default setting.
      40MHz   Assigns the 40 MHz channel width
      auto    Assigns the best possible channel in the 20 MHz or 40 MHz channel width

  channel-width 5GHz [20MHz|40MHz|80MHz|auto]

  5GHz [20MHz|40MHz|80MHz|auto]
      Assigns the channel width for the 5.0 GHz band
      20MHz   Assigns the 20 MHz channel width
      40MHz   Assigns the 40 MHz channel width. This is the default setting.
      80MHz   Assigns the 80 MHz channel width (supported only on AP8232)
      auto    Assigns the best possible channel in the 20 MHz, 40 MHz, or 80 MHz channel width

Usage Guidelines
The 20/40 MHz operation allows the access point to receive packets from clients using 20 MHz, and transmit using 40 MHz. This mode is supported for 802.11n users on both the 2.4 GHz and 5.0 GHz radios. If an 802.11n user selects two channels (a primary and secondary channel), the system is configured for dynamic 20/40 operation. When 20/40 is selected, clients can take advantage of wider channels. 802.11n clients experience improved throughput using 40 MHz while legacy clients (either 802.11a or 802.11b/g depending on the radio selected) can still be serviced without interruption using 20 MHz. Select auto to enable automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#channel-width 5GHz auto
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
  no   Resets channel width for the selected frequency to its default

19.1.6 coverage-hole-recovery
smart-rf-policy

Enables recovery from coverage hole errors detected by Smart RF. Use this command to configure the coverage hole recovery settings.

When coverage hole recovery is enabled, on detection of a coverage hole, Smart RF first determines the power increase needed based on the signal-to-noise ratio (SNR) for a client as seen by the access point radio. If a client's SNR is below the specified threshold, the transmit power is increased until the client's SNR rises above the threshold.

NOTE: The coverage-hole-recovery parameters can be modified only if the sensitivity level is set to custom. For more information, see sensitivity.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  coverage-hole-recovery {client-threshold|coverage-interval|interval|snr-threshold}
  coverage-hole-recovery {client-threshold [2.4GHz|5GHz] <1-255>}
  coverage-hole-recovery {coverage-interval|interval} [2.4GHz|5GHz] <1-120>
  coverage-hole-recovery {snr-threshold [2.4GHz|5GHz] <1-75>}

Parameters
  coverage-hole-recovery {client-threshold [2.4GHz|5GHz] <1-255>}

  client-threshold
      Optional. Specifies the minimum number of clients associated to a radio in order to trigger coverage hole recovery.
      2.4GHz <1-255>   Specifies the minimum number of clients on the 2.4 GHz band
                       <1-255>   Sets a value from 1 - 255. The default is 1.
      5GHz <1-255>     Specifies the minimum number of clients on the 5.0 GHz band
                       <1-255>   Sets a value from 1 - 255. The default is 1.

  coverage-hole-recovery {coverage-interval|interval} [2.4GHz|5GHz] <1-120>

  coverage-interval
      Optional. Specifies the interval between the discovery of a coverage hole and the initiation of coverage hole recovery
  interval
      Optional. Specifies the interval at which coverage hole recovery is performed even before a coverage hole is detected
  The following keywords are common to the coverage-interval and interval parameters:
      2.4GHz <1-120>   Specifies the coverage hole recovery interval on the 2.4 GHz band
                       <1-120>   Specify a value from 1 - 120 seconds. For coverage-interval the default is 10 seconds; for interval the default is 30 seconds.
      5GHz <1-120>     Specifies the coverage hole recovery interval on the 5.0 GHz band
                       <1-120>   Specify a value from 1 - 120 seconds. For coverage-interval the default is 10 seconds; for interval the default is 30 seconds.

  coverage-hole-recovery {snr-threshold} [2.4GHz|5GHz] <1-75>

  snr-threshold
      Optional. Specifies the SNR threshold. This value is the SNR threshold for an associated client as seen by its associated AP radio. When a client's SNR falls below this threshold, the radio increases its transmit power to increase coverage for that client.
      2.4GHz <1-75>    Specifies the SNR threshold on the 2.4 GHz band
                       <1-75>   Sets a value from 1 dB - 75 dB. The default is 20 dB.
      5GHz <1-75>      Specifies the SNR threshold on the 5.0 GHz band
                       <1-75>   Sets a value from 1 dB - 75 dB. The default is 20 dB.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
  no   Disables recovery from coverage hole errors

19.1.7 enable
smart-rf-policy

Enables a Smart RF policy

Use this command to enable this Smart RF policy. Once enabled, the policy can be assigned to an RF Domain supporting a network.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  enable

Parameters
  None

Example
rfs6000-37FABE(config-smart-rf-policy-test)#enable

Related Commands
  no   Disables a Smart RF policy

19.1.8 group-by
smart-rf-policy

Enables grouping of APs on the basis of their location in a building (floor) or an area.

Within a large RF Domain, grouping of APs (within an area or on the same floor in a building) facilitates statistics gathering and troubleshooting.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  group-by [area|floor]

Parameters
  group-by [area|floor]

  area    Groups radios based on their area of location
  floor   Groups radios based on their floor location
  Both options are disabled by default.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#group-by floor
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#

Related Commands
  no   Removes Smart RF group settings

19.1.9 interference-recovery
smart-rf-policy

Enables interference recovery from neighboring radios and other sources of WiFi and non-WiFi interference.

Interference is the excess noise detected within the Smart RF supported radio coverage area. Smart RF provides mitigation from interfering sources by monitoring the noise levels and other RF parameters on an access point radio's current channel. When a noise threshold is exceeded, Smart RF selects an alternative channel with less interference. To avoid channel flapping, a hold timer is defined, which disables interference avoidance for a specific period of time upon detection. Interference recovery is enabled by default.

NOTE: The interference-recovery parameters can be modified only if the sensitivity level is set to custom. For more information, see sensitivity.

Supported in the following platforms:
Access Points          AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers   RFS4000, RFS6000
Service Platforms      NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  interference-recovery {channel-hold-time|channel-switch-delta|client-threshold|interference|neighbor-offset|noise|noise-factor}
  interference-recovery {channel-switch-delta [2.4GHz|5GHz] <5-35>}
  interference-recovery {channel-hold-time <0-86400>|client-threshold <1-255>|interference|neighbor-offset <3-10>|noise|noise-factor <1.0-3.0>}

Parameters
  interference-recovery {channel-switch-delta [2.4GHz|5GHz] <5-35>}

  channel-switch-delta [2.4GHz|5GHz] <5-35>
      Optional. Configures a threshold value for the difference between interference levels on the current channel and the prospective channel needed to trigger a channel change. If the difference in noise levels on the current channel and the prospective channel is below the configured threshold, the channel is not changed.
      [2.4GHz|5GHz]   Selects the band
          2.4GHz   Selects the 2.4 GHz band
          5GHz     Selects the 5.0 GHz band
      <5-35>   Specifies the threshold value for the difference between the current and prospective channel interference levels. Sets a value from 5 dB - 35 dB. The default setting is 20 dB for both the 2.4 GHz and 5.0 GHz bands.

  interference-recovery {channel-hold-time <0-86400>|client-threshold <1-255>|interference|neighbor-offset <3-10>|noise|noise-factor <1.0-3.0>}

  channel-hold-time <0-86400>
      Optional. Defines the minimum time between two channel change recoveries
      <0-86400>   Sets the time, in seconds, between channel change assignments based on interference or noise. The default is 7,200 seconds.
  client-threshold <1-255>
      Optional. Specifies the client threshold needed to avoid a channel change. If the specified number of clients are connected to a radio, the radio avoids changing channels even if the Smart RF master determines that a channel change is required.
      <1-255>   Sets the number of clients from 1 - 255. The default is 50.
  interference
      Optional. Considers external interference values to perform interference recovery. This feature allows the Smart RF policy to scan for excess interference from supported radio devices. WLANs are susceptible to sources of interference, such as neighboring radios, cordless phones, microwave ovens and Bluetooth devices. When such interference is detected, Smart RF supported devices can change the channel and move to a cleaner channel. This feature is enabled by default.
  neighbor-offset <3-10>
      Optional. Configures a noise factor value, which is taken into consideration when switching channels to avoid interference from neighboring access points. Smart RF enabled access points consider the difference in noise between candidate channels.
      <3-10>   Specify a noise factor value from 3 - 10.
  noise
      Optional. Considers noise values to perform interference recovery. This feature allows the Smart RF policy to scan for excess noise from WiFi devices. When detected, Smart RF supported devices can change their channel and move to a cleaner channel. This feature is enabled by default.
  noise-factor <1.0-3.0>
      Optional. Configures an additional noise factor (the level of network interference detected) for non-WiFi interference
      <1.0-3.0>   Specify the noise factor from 1.0 - 3.0. The default is 1.50.

Example
rfs6000-37FABE(config-smart-rf-policy-test)#interference-recovery channel-switch-delta 5GHz 5
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#
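The value ranges, per-band channel widths and the "sensitivity custom" dependency documented for area, assignable-power, avoidance-time, channel-list, channel-width, coverage-hole-recovery and interference-recovery (19.1.1 through 19.1.9) are spread across seven command references. The following Python linter is an added example, not a WiNG tool or code from this guide: it parses a smart-rf-policy "show context" block as printed above and reports values outside the documented ranges, an assignable-power minimum above the maximum, a channel width the band does not support, and recovery sub-commands present without sensitivity custom. The range limits come from this chapter; the 2.4 GHz (1-14) and 5 GHz (36-177) channel checks are a simplification assumed here, and both sample policies are constructed (the first from the accumulated output shown in these sections).

```python
"""Offline linter for a WiNG smart-rf-policy "show context" block.

Added example, not code from the WiNG CLI guide. Range values come from
the command references in this chapter; the per-band channel ranges are
a simplification assumed here.
"""

# sub-command -> (minimum, maximum), as documented in 19.1.2 - 19.1.9
RANGES = {
    "assignable-power": (1, 20),                     # dBm, per band
    "avoidance-time": (30, 3600),                    # minutes
    "coverage-hole-recovery client-threshold": (1, 255),
    "coverage-hole-recovery coverage-interval": (1, 120),
    "coverage-hole-recovery interval": (1, 120),
    "coverage-hole-recovery snr-threshold": (1, 75),
    "interference-recovery channel-switch-delta": (5, 35),
    "interference-recovery channel-hold-time": (0, 86400),
    "interference-recovery client-threshold": (1, 255),
    "interference-recovery neighbor-offset": (3, 10),
    "interference-recovery noise-factor": (1.0, 3.0),
}
# Sub-commands the guide says can only be modified with "sensitivity custom"
NEEDS_CUSTOM = ("coverage-hole-recovery", "interference-recovery", "neighbor-recovery")
WIDTHS = {"2.4GHz": {"20MHz", "40MHz", "auto"},
          "5GHz": {"20MHz", "40MHz", "80MHz", "auto"}}


def check_range(key, value, line):
    lo, hi = RANGES[key]
    return [] if lo <= value <= hi else [f"{line!r}: {value} outside {lo}-{hi}"]


def check_channels(band, chan_list, line):
    # ASSUMPTION: 2.4 GHz channels 1-14, 5 GHz channels 36-177 (simplified)
    chans = [int(c) for c in chan_list.split(",")]
    lo, hi = (1, 14) if band == "2.4GHz" else (36, 177)
    bad = [c for c in chans if not lo <= c <= hi]
    return [f"{line!r}: channel(s) {bad} not valid for {band}"] if bad else []


def lint_policy(text):
    """Return a list of problems found in one smart-rf-policy block."""
    lines = [l.strip() for l in text.strip().splitlines() if l.strip()]
    problems, power = [], {}          # power: band -> {"min": x, "max": y}
    custom = "sensitivity custom" in lines
    for line in lines[1:]:            # lines[0] is "smart-rf-policy <NAME>"
        tok = line.split()
        head = tok[0]
        if head in NEEDS_CUSTOM and not custom:
            problems.append(f"{line!r}: only takes effect with 'sensitivity custom'")
        if head == "area" and tok[2] == "channel-list":
            problems += check_channels(tok[3], tok[4], line)
        elif head == "channel-list":
            problems += check_channels(tok[1], tok[2], line)
        elif head == "assignable-power":
            band, limit, val = tok[1], tok[2], int(tok[3])
            problems += check_range(head, val, line)
            power.setdefault(band, {})[limit] = val
        elif head == "avoidance-time":
            problems += check_range(head, int(tok[2]), line)
        elif head == "channel-width" and tok[2] not in WIDTHS.get(tok[1], ()):
            problems.append(f"{line!r}: width {tok[2]} not valid for {tok[1]}")
        elif head in ("coverage-hole-recovery", "interference-recovery"):
            key = f"{head} {tok[1]}"
            if key in RANGES:         # flags such as "noise" carry no value
                problems += check_range(key, float(tok[-1]), line)
    for band, lim in power.items():
        if "min" in lim and "max" in lim and lim["min"] > lim["max"]:
            problems.append(f"assignable-power {band}: min {lim['min']} exceeds max {lim['max']}")
    return problems


# Constructed from the accumulated "show context" output printed in this chapter
POLICY_FROM_GUIDE = """
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 coverage-hole-recovery snr-threshold 5GHz 1
"""

# Constructed policy with one of each mistake the linter catches
BROKEN_POLICY = """
smart-rf-policy bad
 area lobby channel-list 2.4GHz 1,6,36
 assignable-power 2.4GHz min 18
 assignable-power 2.4GHz max 12
 avoidance-time dfs 10
 channel-width 2.4GHz 80MHz
 coverage-hole-recovery snr-threshold 5GHz 90
 interference-recovery noise-factor 4.0
"""

if __name__ == "__main__":
    for name, policy in (("guide", POLICY_FROM_GUIDE), ("broken", BROKEN_POLICY)):
        print(name, lint_policy(policy) or "clean")
```

Run it against the output of show context before pushing a policy to an RF Domain; the "only takes effect with 'sensitivity custom'" finding is the one most often missed by hand, because the CLI accepts the recovery sub-commands even when a preset sensitivity level silently overrides them.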
Related Commands
  no   Disables recovery from excessive noise and interference

19.1.10 neighbor-recovery
smart-rf-policy

Enables recovery from errors due to faulty neighboring radios.

Enabling neighbor recovery ensures automatic recovery from failed radios within the radio coverage area. Smart RF instructs neighboring access points to increase their transmit power to compensate for the failed radio. Neighbor recovery is enabled by default when the sensitivity setting is medium.

NOTE: The neighbor-recovery parameters can be modified only if the sensitivity level is set to custom. For more information, see sensitivity.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax neighbor-recovery {dynamic-sampling|power-hold-time|power-threshold}
neighbor-recovery {dynamic-sampling} {retries <1-10>|threshold <1-30>}
neighbor-recovery {power-hold-time <0-3600>}
neighbor-recovery {power-threshold [2.4Ghz|5Ghz] <-85--55>}
Parameters
neighbor-recovery {dynamic-sampling} {retries <1-10>|threshold <1-30>}
dynamic-sampling Optional. Enables dynamic sampling on this Smart RF policy. Dynamic sampling allows you to define how Smart RF adjustments are triggered by locking the retry and threshold values. Dynamic sampling is disabled by default.
retries <1-10> Optional. Specifies the number of retries before allowing a power level adjustment to compensate for a potential coverage hole.
<1-10> Sets the number of retries from 1 - 10. The default is 3.
threshold <1-30> Optional. Specifies the minimum number of sample reports before which a power change requires dynamic sampling
<1-30> Sets the minimum number of reports from 1 - 30. The default is 5.
neighbor-recovery {power-hold-time <0-3600>}
power-hold-time <0-3600> Optional. Specifies the minimum time, in seconds, between two power changes on a radio during neighbor recovery
<0-3600> Sets the time from 0 - 3600 seconds. The default is 0 seconds.
neighbor-recovery {power-threshold [2.4GHz|5GHz] <-85--55>}
power-threshold Optional. Specifies the power threshold based on which recovery is performed. The 2.4 GHz/5.0 GHz radio uses the value specified here as the maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within its coverage area.
[2.4GHz|5GHz] Selects the band
2.4GHz Selects the 2.4 GHz band
5GHz Selects the 5.0 GHz band
<-85--55> Specify the threshold value. Sets the power threshold from -85 dBm - -55 dBm. The default is -70 dBm for both the 2.4 GHz and 5.0 GHz bands.
Example
rfs6000-37FABE(config-smart-rf-policy-test)#neighbor-recovery power-threshold 2.4GHz -82
rfs6000-37FABE(config-smart-rf-policy-test)#neighbor-recovery power-threshold 5GHz -65
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 neighbor-recovery power-threshold 5GHz -65
 neighbor-recovery power-threshold 2.4GHz -82
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#
Related Commands
no Disables recovery from faulty neighbor radios

19.1.11 no
smart-rf-policy
Negates a command or sets its default. When used in the config Smart RF policy mode, the no command disables or resets Smart RF settings.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [area|assignable-power|avoidance-time|channel-list|channel-width|coverage-hole-recovery|enable|group-by|interference-recovery|neighbor-recovery|smart-ocs-monitoring]
no area <AREA-NAME> channel-list [2.4GHZ|5GHZ]
no assignable-power [2.4GHZ|5GHZ] [max|min]
no [channel-list|channel-width] [2.4GHZ|5GHZ]
no coverage-hole-recovery [client-threshold|coverage-interval|interval|snr-threshold] [2.4GHZ|5GHZ]
no avoidance-time [adaptivity|dfs]
no enable
no group-by [area|floor]
no interference-recovery {channel-hold-time|channel-switch-delta [2.4GHZ|5GHZ]|client-threshold|interference|neighbor-offset|noise|noise-factor}
no neighbor-recovery {dynamic-sampling {retries|threshold}|power-hold-time|power-threshold [2.4GHZ|5GHZ]}
no smart-rf-monitoring {awareness-override [schedule <1-3>|threshold]|client-aware [2.4GHZ|5GHZ]|extended-scan-frequency [2.4GHZ|5GHZ]|frequency [2.4GHZ|5GHZ]|off-channel-duration [2.4GHZ|5GHZ]|power-save-aware [2.4GHZ|5GHZ]|sample-count [2.4GHZ|5GHZ]|voice-aware [2.4GHZ|5GHZ]}
Parameters
no <PARAMETERS>
no <PARAMETERS> Negates a command or sets its default. When used in the config Smart RF policy mode, the no command disables or resets the Smart RF policy settings.
Example
The following example shows the Smart RF policy test settings before the no commands are executed:
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 assignable-power 5GHz min 8
 assignable-power 5GHz max 20
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 interference-recovery channel-switch-delta 5GHz 5
 neighbor-recovery power-threshold 5GHz -65
 neighbor-recovery power-threshold 2.4GHz -82
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#
rfs6000-37FABE(config-smart-rf-policy-test)#no interference-recovery channel-switch-delta 5GHz
rfs6000-37FABE(config-smart-rf-policy-test)#no neighbor-recovery power-threshold 2.4GHz
rfs6000-37FABE(config-smart-rf-policy-test)#no neighbor-recovery power-threshold 5GHz
rfs6000-37FABE(config-smart-rf-policy-test)#no assignable-power 5GHz min
rfs6000-37FABE(config-smart-rf-policy-test)#no assignable-power 5GHz max
The following example shows the Smart RF policy test settings after the no commands are executed:
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 coverage-hole-recovery snr-threshold 5GHz 1
rfs6000-37FABE(config-smart-rf-policy-test)#
19.1.12 sensitivity
smart-rf-policy
Configures the Smart RF sensitivity level. The sensitivity level determines Smart RF scanning and sampling aggressiveness. For example, a low sensitivity level indicates a less aggressive Smart RF policy. This translates to fewer samples taken during off-channel scanning and short off-channel durations. When the sensitivity level is set to high, Smart RF collects more samples and remains off-channel longer.
The Smart RF sensitivity level options include low, medium, high, and custom. Medium is the default setting. The custom option allows an administrator to adjust the parameters and thresholds for interference recovery, coverage hole recovery, and neighbor recovery. However, the low, medium, and high settings still allow utilization of these features.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
sensitivity [custom|high|low|medium]
Parameters
sensitivity [custom|high|low|medium]
sensitivity Configures Smart RF sensitivity levels. The options available are: custom, high, low, and medium.
custom Enables custom interference recovery, coverage hole recovery, and neighbor recovery as additional Smart RF options
high High sensitivity
low Low sensitivity
medium Medium sensitivity. This is the default setting.
Usage Guidelines
To enable the power and channel setting parameters, set sensitivity to custom or medium.
To enable the monitoring and scanning parameters, set sensitivity to custom.
To enable the neighbor recovery, interference and coverage hole recovery parameters, set sensitivity to custom.
Example
rfs6000-37FABE(config-smart-rf-policy-test)#sensitivity high
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity high
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 smart-ocs-monitoring frequency 5GHz 3
 smart-ocs-monitoring frequency 2.4GHz 3
 smart-ocs-monitoring sample-count 5GHz 3
 smart-ocs-monitoring sample-count 2.4GHz 3
--More--
rfs6000-37FABE(config-smart-rf-policy-test)#
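An added example (not code from this guide or from the WiNG software) that applies the Usage Guidelines above to a show context dump: it parses the smart-rf-policy block, checks numeric arguments against the ranges documented in this chapter (interference-recovery and neighbor-recovery above, smart-ocs-monitoring in the next section), and flags settings that the guidelines say only take effect under sensitivity custom (or custom/medium for power and channel settings). The sample dump is constructed from the sensitivity high example above plus one out-of-range neighbor-recovery line.

```python
"""Audit the smart-rf-policy block of a WiNG 'show context' dump.

Added example, not code from the CLI Reference Guide or from WiNG. It applies
two things this chapter states: the documented numeric ranges, and the Usage
Guidelines rule that recovery and monitoring parameters only take effect under
'sensitivity custom' (power and channel settings under custom or medium).
"""
import re

# Documented ranges keyed by (command, keyword); a band token between them is skipped.
RANGES = {
    ("interference-recovery", "client-threshold"): (1, 255),
    ("interference-recovery", "neighbor-offset"): (3, 10),
    ("interference-recovery", "noise-factor"): (1.0, 3.0),
    ("neighbor-recovery", "power-hold-time"): (0, 3600),
    ("neighbor-recovery", "power-threshold"): (-85, -55),
    ("smart-ocs-monitoring", "client-aware"): (1, 255),
    ("smart-ocs-monitoring", "extended-scan-frequency"): (0, 50),
    ("smart-ocs-monitoring", "frequency"): (1, 120),
    ("smart-ocs-monitoring", "off-channel-duration"): (20, 150),
    ("smart-ocs-monitoring", "sample-count"): (1, 15),
    ("smart-ocs-monitoring", "tx-load-aware"): (1, 100),
}

# Sensitivity levels under which each command family takes effect (Usage Guidelines).
REQUIRES = {
    "interference-recovery": {"custom"},
    "coverage-hole-recovery": {"custom"},
    "neighbor-recovery": {"custom"},
    "smart-ocs-monitoring": {"custom"},
    "assignable-power": {"custom", "medium"},
    "channel-list": {"custom", "medium"},
    "channel-width": {"custom", "medium"},
}

BAND = re.compile(r"^(2\.4|5)GHz$")
NUMBER = re.compile(r"^-?\d+(\.\d+)?$")


def parse_policy(dump):
    """Return (policy name, list of token lists) for the config lines of a dump."""
    name, lines = None, []
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line.startswith("--More--") or ")#" in line:
            continue                       # pager marker or CLI prompt, not config
        if line.startswith("smart-rf-policy "):
            name = line.split()[1]
            continue
        lines.append(line.split())
    return name, lines


def lint(dump):
    """Return a list of findings; an empty list means the dump passed both checks."""
    name, lines = parse_policy(dump)
    # 'medium' is the documented default when no sensitivity line is present.
    sensitivity = next((t[1] for t in lines if t[0] == "sensitivity"), "medium")
    findings = []
    for tokens in lines:
        cmd = tokens[0]
        needed = REQUIRES.get(cmd)
        if needed and sensitivity not in needed:
            findings.append(f"{name}: '{' '.join(tokens)}' has no effect unless sensitivity "
                            f"is {' or '.join(sorted(needed))} (currently {sensitivity})")
        for i in range(1, len(tokens)):
            rng = RANGES.get((cmd, tokens[i]))
            if rng is None:
                continue
            j = i + 1
            if j < len(tokens) and BAND.match(tokens[j]):
                j += 1                     # skip the [2.4GHz|5GHz] selector
            if j < len(tokens) and NUMBER.match(tokens[j]):
                lo, hi = rng
                if not lo <= float(tokens[j]) <= hi:
                    findings.append(f"{name}: {cmd} {tokens[i]} {tokens[j]} is outside "
                                    f"the documented range {lo} to {hi}")
    return findings


# Constructed sample: the 'sensitivity high' output shown above, plus one
# out-of-range neighbor-recovery line added for illustration.
SAMPLE = """\
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity high
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 smart-ocs-monitoring frequency 5GHz 3
 smart-ocs-monitoring frequency 2.4GHz 3
 smart-ocs-monitoring sample-count 5GHz 3
 smart-ocs-monitoring sample-count 2.4GHz 3
 neighbor-recovery power-threshold 5GHz -90
--More--
rfs6000-37FABE(config-smart-rf-policy-test)#
"""

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```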
19.1.13 smart-ocs-monitoring
smart-rf-policy
Applies smart Off Channel Scanning (OCS) instead of dedicated detectors
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
smart-ocs-monitoring {awareness-override|client-aware|extended-scan-frequency|frequency|off-channel-duration|power-save-aware|sample-count|tx-load-aware|voice-aware}
smart-ocs-monitoring {awareness-override [schedule|threshold]}
smart-ocs-monitoring {awareness-override schedule <1-3> <START-TIME> <END-TIME> <DAY>}
smart-ocs-monitoring {awareness-override threshold <10-10000>}
smart-ocs-monitoring {client-aware [2.4GHz|5GHz] <1-255>}
smart-ocs-monitoring {extended-scan-frequency [2.4GHz|5GHz] <0-50>}
smart-ocs-monitoring {frequency [2.4GHz|5GHz] <1-120>}
smart-ocs-monitoring {off-channel-duration [2.4GHz|5GHz] <20-150>}
smart-ocs-monitoring {power-save-aware [2.4GHz|5GHz] [disable|dynamic|strict]}
smart-ocs-monitoring {sample-count [2.4GHz|5GHz] <1-15>}
smart-ocs-monitoring {tx-load-aware [2.4GHz|5GHz] <1-100>}
smart-ocs-monitoring {voice-aware [2.4GHz|5GHz] [disable|dynamic|strict]}
Parameters
smart-ocs-monitoring {awareness-override schedule <1-3> <START-TIME> <END-TIME> <DAY>}
awareness-override Optional. Use this parameter to configure client awareness settings overrides
schedule Configures a time and day schedule when awareness settings are overridden
<1-3> Sets the awareness override schedule index. A maximum of three overrides can be configured.
<START-TIME> Sets the override start time in HH:MM format
<END-TIME> Sets the override end time in HH:MM format
<DAY> Optional. Sets the day when the override is active. Use one of the following formats:
all Override is active on all days
sun Override is active only on Sundays
mon Override is active only on Mondays
tue Override is active only on Tuesdays
wed Override is active only on Wednesdays
thu Override is active only on Thursdays
fri Override is active only on Fridays
sat Override is active only on Saturdays
smart-ocs-monitoring {awareness-override threshold <10-10000>}
awareness-override Optional. Use this parameter to configure client awareness settings overrides
threshold Specifies the threshold after which client awareness settings are overridden. When the specified threshold is reached, awareness settings are overridden.
<10-10000> Specify a threshold value from 10 - 10000. The default is 10.
smart-ocs-monitoring {client-aware [2.4GHz|5GHz] <1-255>}
client-aware Optional. Enables client aware scanning on this Smart RF policy. Use this parameter to configure a client threshold number. When the number of clients connected to a radio equals this threshold number, the radio avoids channel scanning. This feature is disabled by default.
2.4GHz <1-255> Enables client aware scanning on the 2.4 GHz band. Avoids radio scanning when a specified minimum number of clients are present
<1-255> Sets the minimum number of clients from 1 - 255. The default is 1 client.
5GHz <1-255> Enables client aware scanning on the 5.0 GHz band. Avoids radio scanning when a specified minimum number of clients are present
<1-255> Sets the minimum number of clients from 1 - 255. The default is 1 client.
smart-ocs-monitoring {extended-scan-frequency [2.4GHz|5GHz] <0-50>}
extended-scan-frequency Optional. Enables an extended scan, as opposed to a neighbor only scan, on this Smart RF policy. This is the frequency radios use to scan for non-peer radios.
2.4GHz <0-50> Enables extended scan on the 2.4 GHz band
<0-50> Sets the number of trails from 0 - 50. The default is 5.
5GHz <0-50> Enables extended scan on the 5.0 GHz band
<0-50> Sets the number of trails from 0 - 50. The default is 5.
smart-ocs-monitoring {frequency [2.4GHz|5GHz] <1-120>}
frequency Optional. Specifies the scan frequency. This is the interval, in seconds, at which smart-ocs-monitoring changes channels for an off channel scan.
2.4GHz <1-120> Selects the 2.4 GHz band
<1-120> Sets a scan frequency from 1 - 120 sec. The default is 6 seconds.
5GHz <1-120> Selects the 5.0 GHz band
<1-120> Sets a scan frequency from 1 - 120 sec. The default is 6 seconds.
smart-ocs-monitoring {off-channel-duration [2.4GHz|5GHz] <20-150>}
off-channel-duration Optional. Specifies the duration to scan off channel. This is the duration access point radios use to monitor devices within the network and, if necessary, perform self healing and neighbor recovery to compensate for coverage area losses within a RF Domain.
2.4GHz <20-150> Selects the 2.4 GHz band (in milliseconds)
<20-150> Sets the off channel duration from 20 - 150 msec. The default is 50 milliseconds.
5GHz <20-150> Selects the 5.0 GHz band (in milliseconds)
<20-150> Sets the off channel duration from 20 - 150 msec. The default is 50 milliseconds.
smart-ocs-monitoring {power-save-aware [2.4GHz|5GHz] [disable|dynamic|strict]}
power-save-aware Optional. Enables power save awareness scanning mode on this Smart RF policy. The options are: disable, dynamic, and strict. This setting allows Smart RF to detect power save clients and take them into consideration when performing off channel scans. Strict disables smart monitoring as long as a power save capable client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a power save client at the radio.
2.4GHz [disable|dynamic|strict] Sets power save awareness scanning mode on the 2.4 GHz band
disable Disables power save awareness scanning
dynamic Dynamically avoids scanning based on traffic for power save (PSP) clients
strict Strictly avoids scanning when PSP clients are present
The default is dynamic.
5GHz [disable|dynamic|strict] Sets power save awareness scanning mode on the 5.0 GHz band
disable Disables power save awareness scanning
dynamic Dynamically avoids scanning based on traffic for PSP clients
strict Strictly avoids scanning when PSP clients are present
The default is dynamic.
smart-ocs-monitoring {sample-count [2.4GHz|5GHz] <1-15>}
sample-count Optional. Specifies the number of samples to collect before reporting an issue to the Smart RF master
2.4GHz <1-15> Selects the 2.4 GHz band
<1-15> Specifies the number of samples to collect from 1 - 15. The default is 10.
5GHz <1-15> Selects the 5.0 GHz band
<1-15> Specifies the number of samples to collect from 1 - 15. The default is 5.
smart-ocs-monitoring {tx-load-aware [2.4GHz|5GHz] <1-100>}
tx-load-aware Optional. Specifies a transmit load percentage that serves as a threshold before scanning is avoided for an access point's 2.4 GHz or 5.0 GHz band. This option is disabled for both the 2.4 GHz and 5.0 GHz bands.
2.4GHz <1-100> Selects the 2.4 GHz band
<1-100> Specify a transmit load percentage from 1 - 100%. When enabled, the default is 1%.
5GHz <1-100> Selects the 5.0 GHz band
<1-100> Specify a transmit load percentage from 1 - 100%. When enabled, the default is 1%.
smart-ocs-monitoring {voice-aware [2.4GHz|5GHz] [disable|dynamic|strict]}
voice-aware Optional. Enables voice awareness scanning mode on this Smart RF policy. The options are: disable, dynamic, and strict. Strict disables smart monitoring as long as a voice client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a voice client at the radio.
2.4GHz [disable|dynamic|strict] Specifies the scanning mode on the 2.4 GHz band
disable Disables voice awareness scanning
dynamic Dynamically avoids scanning based on traffic for voice clients
strict Strictly avoids scanning when voice clients are present
Note: The default is dynamic.
5GHz [disable|dynamic|strict] Specifies the scanning mode on the 5.0 GHz band
disable Disables voice awareness scanning
dynamic Dynamically avoids scanning based on traffic for voice clients
strict Strictly avoids scanning when voice clients are present.
Note: The default is dynamic.
Example
rfs6000-37FABE(config-smart-rf-policy-test)#smart-ocs-monitoring extended-scan-frequency 2.4GHz 9
rfs6000-37FABE(config-smart-rf-policy-test)#smart-ocs-monitoring sample-count 2.4GHz 3
rfs6000-37FABE(config-smart-rf-policy-test)#show context
smart-rf-policy test
 area test channel-list 2.4GHz 1,2,3
 group-by floor
 sensitivity custom
 channel-list 2.4GHz 1,12
 channel-width 5GHz auto
 smart-ocs-monitoring off-channel-duration 2.4GHz 25
 smart-ocs-monitoring frequency 5GHz 3
 smart-ocs-monitoring frequency 2.4GHz 3
 smart-ocs-monitoring sample-count 5GHz 3
 smart-ocs-monitoring sample-count 2.4GHz 3
 smart-ocs-monitoring extended-scan-frequency 5GHz 0
 smart-ocs-monitoring extended-scan-frequency 2.4GHz 9
 root-recovery root-path-metric-threshold 800
--More--
rfs6000-37FABE(config-smart-rf-policy-test)#
Related Commands
no Disables off channel monitoring

20 WIPS-POLICY
This chapter summarizes the Wireless Intrusion Protection Systems (WIPS) policy commands in the CLI command structure.
WIPS is an additional measure of security designed to continuously monitor the network for threats and intrusions. Along with wireless VPNs, encryption, and authentication policies, WIPS enhances the security of a WLAN.
The WIPS policy enables detection of intrusions and threats that a managed network is likely to encounter. However, the WIPS policy does not include threat mitigation configurations. These intrusions and threats are available within the WIPS policy configuration mode as pre-configured, fixed events. Each event consists of a set of frames or anomalies that may be harmful to the managed network. You can enable/disable various aspects of each individual event. Events are broadly grouped into the following three categories:
Excessive/Thresholdable events: These events detect DoS attacks, such as excessive deauths, EAP floods, etc. Threshold limits for such events can be configured for mobile units (MU) and radios. Once these threshold limits are exceeded, an event is triggered. Stations triggering an event are usually filtered. You can configure a filter ageout specifying the time for which the station triggering the event is filtered. However, the filter ageout only applies when the MU threshold is exceeded. When the radio threshold is reached, the system raises a warning about it and updates the event history with event details.
Station/MU anomalies: These events are triggered when a MU performs suspicious activities that can compromise the security and stability of the managed network. You can configure a filter ageout, similar to the above class of events, to filter the station triggering such events.
AP/neighbor anomalies: These events are triggered when an AP or neighbor sends suspicious frames. The system cannot filter APs or neighbors triggering such events. However, the system warns you about such attacks, allowing you to take further actions against such APs and neighbors.
In addition to event monitoring configuration, the WIPS policy allows you to configure a list of signatures. Unlike events, signatures are not fixed. You are free to define your own signatures based on a specific set of parameters. A signature is a rule, consisting of a set of fields to match and a corresponding set of actions in case of a match. By default, whenever a signature is matched an event log is triggered. This event log is similar to the one triggered upon an event. In addition to an event log, you can also configure other actions. Signatures have all the features supported by events. In fact most events are internally implemented as signatures. Signature rules are of the following three types:
ssid, ssid length rule: This signature matches a specified SSID or SSID length. It is mandatory to configure the frame type to match for this signature. When configured, the only frame types allowed are beacons, probe requests, and probe responses. Example rule: ssid : AirJack and frame type beacon : Signature for AirJack attack.
payload rule: This signature matches a particular payload at a particular frame offset. You can restrict these matches based on frame type. Example rule: Payload : 0x00601d Offset 3 : Netstumbler
address-match rule: This signature matches one or more address fields. The address fields supported are BSSID, source-MAC, and destination-MAC. You can also specify frame types to match. The frame types supported are assoc, auth, beacon, data, deauth, disassoc, mgmt, probe-request, and probe-response.
A WIPS policy, once configured, has to be attached to a RF Domain to take effect. Multiple WIPS policies can be configured at the same time, but only one policy can be attached to a given RF Domain at any time.
NOTE: To attach a WIPS policy to a RF Domain, in the RF Domain configuration mode, execute the use > wips-policy <WIPS-POLICY-NAME> command. For more information, see use.
NOTE: With this most recent release, AP7522 and AP7532 model Access Points can provide enhanced sensor support. AP7522 and AP7532 sensors can send data from off-channel-scans while in radio-share promiscuous/inline mode, in addition to the on-channel data captured in radio-share mode. ADSP uses the off-channel-scan data (in addition to the on-channel data) to monitor for rogue intrusions and trigger alarms. OTA Termination is triggered from ADSP to the appropriate radio-share AP to initiate termination.
NOTE: AP7522 and AP7532 models also support shared part-time scanning using WIPS in WiNG (using off-channel-scans) and no ADSP. WIPS on WiNG was enhanced to add rogue detection/classification (wired side detection based on MAC Address Offset) and over-the-air (OTA) termination for AP7522 and AP7532 deployments.
Use the (config) instance to configure WIPS policy commands. To navigate to the WIPS policy instance, use the following commands:
<DEVICE>(config)#wips-policy <POLICY-NAME>
rfs6000-37FABE(config)#wips-policy test
rfs6000-37FABE(config-wips-policy-test)#?
Wips Policy Mode commands:
  ap-detection               Rogue AP detection
  enable                     Enable this wips policy
  event                      Configure an event
  history-throttle-duration  Configure the duration for which event duplicates are not stored in history
  interference-event         Specify events which will contribute to smart-rf wifi interference calculations
  no                         Negate a command or set its defaults
  signature                  Signature to configure
  use                        Set setting to use

  clrscr                     Clears the display screen
  commit                     Commit all changes made in this session
  do                         Run commands from Exec mode
  end                        End current mode and change to EXEC mode
  exit                       End current mode and down to previous mode
  help                       Description of the interactive help system
  revert                     Revert changes
  service                    Service Commands
  show                       Show running system information
  write                      Write running configuration to memory or terminal

rfs6000-37FABE(config-wips-policy-test)#
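The signature rule types and the excessive/thresholdable event behaviour described in the chapter introduction above, modelled in Python as an added example (not code from this guide or from WiNG): the three documented rule types are evaluated against constructed frames, and a thresholdable event filters a MU for filter-ageout seconds when the MU threshold is exceeded but only warns when the radio threshold is exceeded. All MAC addresses, frames and threshold values are constructed, and the counting window for thresholds is an assumption, since the guide does not state one.

```python
"""WIPS signature rules and excessive-event thresholds as described above.

Added example, not code from the CLI Reference Guide or from WiNG. Frames,
MACs and thresholds are constructed; the counting window is an assumption
(counts accumulate until reset() is called) because the guide does not state it.
"""
from collections import defaultdict
from dataclasses import dataclass, field

SSID_FRAME_TYPES = {"beacon", "probe-request", "probe-response"}


@dataclass
class Frame:
    """Minimal view of a captured 802.11 frame (what a real parser would fill in)."""
    frame_type: str            # beacon, probe-request, probe-response, deauth, data, ...
    src: str
    dst: str
    bssid: str
    ssid: str = ""
    body: bytes = b""          # frame body; payload rules index into this


@dataclass
class Signature:
    """One rule: every field that is set must match; empty frame_types = any type."""
    name: str
    frame_types: set = field(default_factory=set)
    ssid: str = None           # ssid rule
    ssid_length: int = None    # ssid length rule
    payload: bytes = None      # payload rule: these bytes expected at `offset`
    offset: int = 0
    addresses: dict = field(default_factory=dict)   # {"src"|"dst"|"bssid": mac}


def matches(sig, frame):
    """Return True when the frame satisfies every field set on the signature."""
    if sig.frame_types and frame.frame_type not in sig.frame_types:
        return False
    if sig.ssid is not None or sig.ssid_length is not None:
        if frame.frame_type not in SSID_FRAME_TYPES:   # guide: ssid rules apply only to these
            return False
        if sig.ssid is not None and frame.ssid != sig.ssid:
            return False
        if sig.ssid_length is not None and len(frame.ssid) != sig.ssid_length:
            return False
    if sig.payload is not None:
        if frame.body[sig.offset:sig.offset + len(sig.payload)] != sig.payload:
            return False
    return all(getattr(frame, fld).lower() == mac.lower() for fld, mac in sig.addresses.items())


def scan(frames, sigs):
    """Return [(signature name, frame index)] per match, i.e. the event log entries."""
    return [(s.name, i) for i, fr in enumerate(frames) for s in sigs if matches(s, fr)]


class ExcessiveEvent:
    """Per-MU and per-radio counters for one thresholdable event (e.g. eap-flood).
    Exceeding threshold-client filters the MU for filter-ageout seconds (its frames
    are ignored until then); exceeding threshold-radio only raises a warning."""

    def __init__(self, name, threshold_client, threshold_radio, filter_ageout):
        self.name, self.filter_ageout = name, filter_ageout
        self.threshold_client, self.threshold_radio = threshold_client, threshold_radio
        self.per_mu, self.per_radio = defaultdict(int), defaultdict(int)
        self.filter_expires = {}           # mu -> time at which its filter ages out

    def reset(self):
        """Start a new counting window (assumption: caller decides the window)."""
        self.per_mu.clear()
        self.per_radio.clear()

    def observe(self, mu, radio, now):
        """Count one offending frame; return 'ignored', 'filtered', 'warning' or None."""
        if now < self.filter_expires.get(mu, 0):
            return "ignored"
        self.per_mu[mu] += 1
        self.per_radio[radio] += 1
        if self.per_mu[mu] > self.threshold_client:
            self.filter_expires[mu] = now + self.filter_ageout
            self.per_mu[mu] = 0
            return "filtered"
        if self.per_radio[radio] > self.threshold_radio:
            return "warning"
        return None


# Constructed signatures mirroring the two example rules in the text, plus an address-match rule.
SIGNATURES = [
    Signature("AirJack", frame_types={"beacon"}, ssid="AirJack"),
    Signature("Netstumbler", payload=bytes.fromhex("00601d"), offset=3),
    Signature("known-rogue-bssid", frame_types={"beacon", "probe-response"},
              addresses={"bssid": "02:00:00:00:00:aa"}),
]

# Constructed frames: an AirJack beacon from the rogue BSSID, a probe request, a data frame.
SAMPLE_FRAMES = [
    Frame("beacon", "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:aa", ssid="AirJack"),
    Frame("probe-request", "02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", "ff:ff:ff:ff:ff:ff", ssid="AirJack"),
    Frame("data", "02:00:00:00:00:02", "02:00:00:00:00:03", "02:00:00:00:00:03",
          body=bytes.fromhex("aabbcc00601dff")),
]
```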
NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

20.1 wips-policy
WIPS-POLICY
The following table summarizes WIPS policy configuration commands:
Table 20.1 WIPS-Policy-Config Commands
Command                    Description                                                                   Reference
ap-detection               Defines the WIPS AP detection configuration                                   page 20-5
enable                     Enables a WIPS policy                                                         page 20-7
event                      Configures events                                                             page 20-8
history-throttle-duration  Configures the duration event duplicates are omitted from the event history  page 20-12
interference-event         Specifies events contributing to the Smart RF WiFi interference calculations  page 20-13
no                         Negates a command or sets its default                                         page 20-14
signature                  Configures a WIPS policy signature and enters its configuration mode          page 20-16
use                        Defines WIPS policy settings                                                  page 20-33
NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

20.1.1 ap-detection
wips-policy
Enables the detection of unauthorized or unsanctioned APs. Unauthorized APs are untrusted access points connected to an access point managed network. These untrusted APs accept wireless client associations. It is important to detect such rogue APs and declare them unauthorized. Rogue AP detection is disabled by default.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
ap-detection {ageout|air-termination|interferer-threshold|recurring-event-interval|wait-time}
ap-detection {ageout <30-86400>|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time <10-600>}
ap-detection air-termination {allow-channel-switch|mode [auto|manual]}
Parameters
ap-detection {ageout <30-86400>|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time <10-600>}
ap-detection Enables detection of unauthorized or unsanctioned APs
ageout <30-86400> Optional. Configures the unauthorized AP ageout interval. The WIPS policy uses this value to ageout unauthorized APs.
<30-86400> Sets an ageout interval from 30 - 86400 seconds. The default is 5 minutes (300 seconds).
recurring-event-interval <0-10000> Configures the recurring event interval for unauthorized APs
<0-10000> Configures the recurring interval between 0 - 10000 seconds. The default is 300 seconds.
interferer-threshold <-100--10> Configures the RSSI threshold used to determine whether an unsanctioned AP is an interferer
<-100--10> Configures the RSSI threshold between -100 - -10 dBm. The default is -75 dBm.
wait-time <10-600> Optional. Configures the wait time before a detected AP is declared as unauthorized and potentially removed
<10-600> Sets a wait time from 10 - 600 seconds. The default is 1 minute (60 seconds).
ap-detection air-termination {allow-channel-switch|mode [auto|manual]}
ap-detection Enables detection of unauthorized or unsanctioned APs
air-termination Enables air termination of unauthorized APs. This option is disabled by default.
allow-channel-switch Optional. Allows channel switch of unauthorized APs based on the channel mode. This option is disabled by default.
mode [auto|manual] Optional. Select the mode as auto or manual to configure. The default setting is manual.
Example
rfs6000-37FABE(config-wips-policy-test)#ap-detection wait-time 15
rfs6000-37FABE(config-wips-policy-test)#ap-detection age-out 50
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 ap-detection-age-out 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#
nx9500-6C8809(config-wips-policy-test)#ap-detection recurring-event-interval 10
nx9500-6C8809(config-wips-policy-test)#show context
wips-policy test
 ap-detection recurring-event-interval 10
nx9500-6C8809(config-wips-policy-test)#
Related Commands
no Resets unauthorized or unsanctioned AP detection settings to default

20.1.2 enable
wips-policy
Enables this WIPS policy
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
enable
Parameters
None
Example
rfs6000-37FABE(config-wips-policy-test)#enable
rfs6000-37FABE(config-wips-policy-test)#
Related Commands
no Disables a WIPS policy

20.1.3 event
wips-policy
Configures events, filters and threshold values for this WIPS policy. Events are grouped into three categories: AP anomaly, client anomaly, and excessive. WLANs are baselined for matching criteria. Any deviation from this baseline is considered an anomaly and logged as an event.
NOTE: By default all event monitoring is disabled.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
event [ap-anomaly|client-anomaly|enable-all-events|excessive]
event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]
event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}
event enable-all-events
event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>|threshold-radio <0-65535>}
Parameters
event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]

ap-anomaly  Enables AP anomaly event tracking. An AP anomaly event refers to suspicious frames sent by neighboring APs. An administrator enables the filtering of each listed event and sets the thresholds for the generation of event notification and filtering.
  ad-hoc-violation  Tracks ad-hoc network violations
  airjack  Tracks AirJack attacks
  ap-ssid-broadcast-in-beacon  Tracks AP SSID broadcasts in beacon events
  asleap  Tracks ASLEAP attacks. These attacks break Lightweight Extensible Authentication Protocol (LEAP) passwords.
  impersonation-attack  Tracks impersonation attacks. These are also referred to as spoofing attacks, where the attacker assumes the address of an authorized device.
  null-probe-response  Tracks null probe response attacks
  transmitting-device-using-invalid-mac  Tracks attacks in which the transmitting device uses an invalid MAC address
  unencrypted-wired-leakage  Tracks unencrypted wired leakage
  wireless-bridge  Tracks wireless bridge (WDS) frames

Access Point, Wireless Controller and Service Platform CLI Reference Guide 20 - 8 WIPS-POLICY

event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}

client-anomaly  Enables client anomaly event tracking. These are suspicious events performed by wireless clients that compromise the security of the network. An administrator can enable or disable filtering of each listed event and set the thresholds required for the generation of the event notification and the filtering action applied.
  dos-broadcast-deauth  Tracks DoS broadcast deauthentication events
  fuzzing-all-zero-macs  Tracks fuzzing: all-zero MAC addresses observed
  fuzzing-invalid-frame-type  Tracks fuzzing: invalid frame type detected
  fuzzing-invalid-mgmt-frames  Tracks fuzzing: invalid management frame detected
  fuzzing-invalid-seq-num  Tracks fuzzing: invalid sequence number detected
  identical-src-and-dest-addr  Tracks frames with identical source and destination addresses
  invalid-8021x-frames  Tracks fuzzing: invalid 802.1X frames detected
  netstumbler-generic  Tracks Netstumbler (v3.2.0, 3.2.3, 3.3.0) events
  non-conforming-data  Tracks non-conforming data packets
  wellenreiter  Tracks Wellenreiter events
filter-ageout <0-86400>  Common to all of the above client anomaly events. Optional. Configures the filter expiration interval in seconds.
  <0-86400>  Sets the filter ageout interval from 0 - 86400 seconds. The default is 0 seconds.
  Note: For each violation define a filter time in seconds, which determines how long the packets (received from an attacking device) are ignored once a violation has been triggered. Ignoring frames from an attacking device minimizes the effectiveness of the attack and the impact to the site until permanent mitigation can be performed. The filter ageout value is applicable across the entire RF Domain using this WIPS policy. If an MU is detected performing an attack and is filtered by one of the APs, the information is passed on to all APs and controllers within the RF Domain through the domain manager. Consequently the MU is filtered, for the specified period of time, across all devices.

event enable-all-events

enable-all-events  Enables tracking of all intrusion events (client anomaly and excessive events)

event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>|threshold-radio <0-65535>}
excessive  Enables the tracking of excessive events. Excessive events are actions performed continuously and repetitively. These events can impact the performance of the controller managed network. DoS attacks come under this category.
  80211-replay-check-failure  Tracks 802.11 replay check failures
  aggressive-scanning  Tracks aggressive scanning events
  auth-server-failures  Tracks failures reported by authentication servers
  decryption-failures  Tracks decryption failures
  dos-assoc-or-auth-flood  Tracks DoS association or authentication floods
  dos-eapol-start-storm  Tracks DoS EAPOL start storms
  dos-unicast-deauth-or-disassoc  Tracks DoS unicast deauthentication or disassociation floods
  eap-flood  Tracks EAP floods
  eap-nak-flood  Tracks EAP NAK floods
  frames-from-unassoc-station  Tracks frames from unassociated clients
filter-ageout <0-86400>  Common to all excessive events. Optional. Configures a filter expiration interval in seconds. It sets the duration for which the client is filtered. The client is added to an ACL as a special entry and frames received from this client are dropped.
  <0-86400>  Sets a filter ageout interval from 0 - 86400 seconds. The default is 0 seconds.
  Note: This value is applicable across the RF Domain. If a client is detected performing an attack and is filtered by one of the APs, the information is passed to the domain controller. The domain controller then propagates this information to all APs and wireless controllers in the RF Domain.
threshold-client <0-65535>  Common to all excessive events. Optional. Configures a client threshold value (a count of events) after which the filter is triggered and an event is recorded
  <0-65535>  Sets a wireless client threshold value from 0 - 65535
threshold-radio <0-65535>  Common to all excessive events. Optional. Configures a radio threshold value (a count of events) after which the filter is triggered and an event is recorded
  <0-65535>  Sets a radio threshold value from 0 - 65535

Example
rfs6000-37FABE(config-wips-policy-test)#event excessive 80211-replay-check-failure filter-ageout 9 threshold-client 8 threshold-radio 99
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#
Related Commands
no  Disables WIPS policy event tracking

20.1.4 history-throttle-duration
wips-policy
Configures the duration for which event duplicates are omitted from the event history.
The system maintains a history of all events that have occurred, on each device, within an RF Domain. Sometimes an event occurs for a prolonged period of time and tends to fill up the event history list. In such a scenario, duplicate information added to the event history list can be throttled for a specified period of time. Once this period is over, duplicate entries are once again allowed. Event history statistics are periodically sent to the domain manager, which can be queried to ascertain the general health of the domain.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
history-throttle-duration <30-86400>

Parameters
history-throttle-duration <30-86400>

history-throttle-duration <30-86400>  Configures the duration for which event duplicates are omitted from the event history
  <30-86400>  Sets a value from 30 - 86400 seconds. The default is 120 seconds.

Example
rfs6000-37FABE(config-wips-policy-test)#history-throttle-duration 77
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#
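The throttle described above, as an added example that is not WiNG code or part of this guide: a small event-history model in which a duplicate event (same device, event type and source MAC, an assumed key) is dropped until history-throttle-duration seconds have passed since the last recorded copy, then allowed again. The sample event stream is constructed for the example.

```python
"""Added illustration of history-throttle-duration, not WiNG code.
The (device, event, source MAC) key and the sample events are assumptions."""
from dataclasses import dataclass, field

DEFAULT_THROTTLE = 120   # the guide's default, in seconds; valid range 30-86400


@dataclass
class EventHistory:
    throttle: int = DEFAULT_THROTTLE
    history: list = field(default_factory=list)     # (ts, device, event, src)
    last_seen: dict = field(default_factory=dict)   # key -> ts of last recorded copy
    suppressed: dict = field(default_factory=dict)  # key -> duplicates dropped

    def __post_init__(self):
        if not 30 <= self.throttle <= 86400:
            raise ValueError("history-throttle-duration must be 30-86400 seconds")

    def record(self, ts, device, event, src) -> bool:
        """Returns True when the event entered the history, False if throttled."""
        key = (device, event, src)
        last = self.last_seen.get(key)
        if last is not None and ts - last < self.throttle:
            # a duplicate inside the throttle window: count it, do not store it
            self.suppressed[key] = self.suppressed.get(key, 0) + 1
            return False
        self.last_seen[key] = ts
        self.history.append((ts, device, event, src))
        return True


def run_demo():
    """Constructed stream: one AP reports the same deauth flood every 5 s for
    5 minutes, and a second AP reports one unrelated event."""
    h = EventHistory(throttle=77)          # the value used in the guide's example
    ap, mac = "ap7532-1", "00-1E-E5-EA-1D-60"
    for ts in range(0, 300, 5):
        h.record(ts, ap, "dos-unicast-deauth-or-disassoc", mac)
    h.record(10, "ap7532-2", "wellenreiter", mac)
    return h
```

With a 77-second throttle the 60 identical reports collapse to four history entries (at 0, 80, 160 and 240 seconds) plus the distinct Wellenreiter event; the suppressed counter keeps the evidence that the flood was continuous.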
Related Commands
no  Resets the history throttle duration to its default (120 seconds)

20.1.5 interference-event
wips-policy
Specifies events contributing to the Smart RF WiFi interference calculations
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
interference-event [non-conforming-data|wireless-bridge]

Parameters
interference-event [non-conforming-data|wireless-bridge]

non-conforming-data  Considers non-conforming data packets when calculating Smart RF interference
wireless-bridge  Considers Wireless Bridge (WDS) frames when calculating Smart RF interference

Example
rfs6000-37FABE(config-wips-policy-test)#interference-event non-conforming-data
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 interference-event non-conforming-data
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

Related Commands
no  Disables this WIPS policy signature as a Smart RF interference source

20.1.6 no
wips-policy
Negates a command or resets configured settings to their default. When used in the config WIPS policy mode, the no command negates or resets filters and thresholds.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [ap-detection|enable|event|history-throttle-duration|interference-event|signature|use]
no [enable|history-throttle-duration]
no ap-detection {ageout {<LINE-SINK>}|air-termination|interferer-threshold <-100--10>|recurring-event-interval <0-10000>|wait-time {<LINE-SINK>}}
no event [ap-anomaly|client-anomaly|enable-all-events|excessive]
no event ap-anomaly [ad-hoc-violation|airjack|ap-ssid-broadcast-in-beacon|asleap|impersonation-attack|null-probe-response|transmitting-device-using-invalid-mac|unencrypted-wired-leakage|wireless-bridge]
no event client-anomaly [dos-broadcast-deauth|fuzzing-all-zero-macs|fuzzing-invalid-frame-type|fuzzing-invalid-mgmt-frames|fuzzing-invalid-seq-num|identical-src-and-dest-addr|invalid-8021x-frames|netstumbler-generic|non-conforming-data|wellenreiter] {filter-ageout <0-86400>}
no event excessive [80211-replay-check-failure|aggressive-scanning|auth-server-failures|decryption-failures|dos-assoc-or-auth-flood|dos-eapol-start-storm|dos-unicast-deauth-or-disassoc|eap-flood|eap-nak-flood|frames-from-unassoc-station] {filter-ageout <0-86400>|threshold-client <0-65535>|threshold-radio <0-65535>}
no interference-event [non-conforming-data|wireless-bridge]
no signature <WIPS-SIGNATURE>
no use device-categorization

Parameters
no <PARAMETERS>

no <PARAMETERS>  Negates a command or resets configured settings to their default. When used in the config WIPS policy mode, the no command negates or resets filters and thresholds.

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
The following example shows the WIPS policy test settings before the no commands are executed:
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 history-throttle-duration 77
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 event client-anomaly wellenreiter filter-ageout 99
 interference-event non-conforming-data
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

rfs6000-37FABE(config-wips-policy-test)#no event client-anomaly wellenreiter filter-ageout 99
rfs6000-37FABE(config-wips-policy-test)#no interference-event non-conforming-data
rfs6000-37FABE(config-wips-policy-test)#no history-throttle-duration

The following example shows the WIPS policy test settings after the no commands are executed:
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 no event client-anomaly wellenreiter filter-ageout 99
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#
20.1.7 signature
wips-policy
Attack and intrusion patterns are identified and configured as signatures in a WIPS policy. The WIPS policy compares packets in the network with pre-configured signatures to identify threats.
The following table summarizes WIPS policy signature configuration commands:

Table 20.2 WIPS-Policy-Signature-Config Commands
Command  Description  Reference
signature  Configures a WIPS policy signature and enters its configuration mode  page 20-17
signature mode commands  Summarizes WIPS signature configuration mode commands  page 20-19

20.1.7.1 signature
signature
Configures a WIPS policy signature. A WIPS signature is the set of parameters or patterns used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
signature <SIGNATURE-NAME>

Parameters
signature <SIGNATURE-NAME>

signature <SIGNATURE-NAME>  Configures a WIPS policy signature
  <SIGNATURE-NAME>  Enter a name for the WIPS policy signature. The name should not exceed 64 characters.

Example
rfs6000-37FABE(config-wips-policy-test)#signature test
rfs6000-37FABE(config-test-signature-test)#
rfs6000-37FABE(config-test-signature-test)#?
Wips Signature Mode commands:
  bssid               Bssid mac address
  dst-mac             Destination mac address
  filter-ageout       Configure filter ageout
  frame-type          Configure frame-type to match
  interference-event  Signature is a smart-rf interference source
  mode                Enable/Disable signature
  no                  Negate a command or set its defaults
  payload             Configure a payload
  src-mac             Source mac address
  ssid-match          Match based on ssid
  threshold-client    Configure client threshold limit
  threshold-radio     Configure radio threshold limit

  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal

rfs6000-37FABE(config-test-signature-test)#

rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 no event client-anomaly wellenreiter filter-ageout 99
 signature test
  interference-event
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type reassoc
  filter-ageout 8
  threshold-client 88
  payload 1 pattern test offset 1
 ap-detection-ageout 50
 ap-detection-wait-time 15
rfs6000-37FABE(config-wips-policy-test)#

Related Commands
no  Deletes a WIPS policy signature

20.1.7.2 signature mode commands
signature
The following table summarizes WIPS policy signature configuration mode commands:
Table 20.3 WIPS-Policy-Signature-Mode Commands
Command  Description  Reference
bssid  Configures the BSSID MAC address  page 20-20
dst-mac  Configures the destination MAC address  page 20-21
filter-ageout  Configures the filter ageout interval  page 20-22
frame-type  Configures the frame type used for matching  page 20-23
interference-event  Configures this WIPS policy signature as the Smart RF interference source  page 20-24
mode  Enables the signature mode  page 20-25
payload  Configures payload settings  page 20-26
src-mac  Configures the source MAC address  page 20-27
ssid-match  Configures a match based on SSID  page 20-28
threshold-client  Configures the wireless client threshold limit  page 20-29
threshold-radio  Configures the radio threshold limit  page 20-30
no  Negates a command or sets its default  page 20-31

20.1.7.2.1 bssid
signature mode commands
Configures a BSSID MAC address with this WIPS signature for matching
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
bssid <MAC>

Parameters
bssid <MAC>

bssid <MAC>  Configures a BSSID MAC address to match
  <MAC>  Specify the MAC address.

Example
rfs6000-37FABE(config-test-signature-test)#bssid 11-22-33-44-55-66
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Removes the BSSID configured for a WIPS signature

20.1.7.2.2 dst-mac
signature mode commands
Configures a destination MAC address for the packet examined for matching
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
dst-mac <MAC>

Parameters
dst-mac <MAC>

dst-mac <MAC>  Configures a destination MAC address to match
  <MAC>  Specify the destination MAC address.

Example
rfs6000-37FABE(config-test-signature-test)#dst-mac 55-66-77-88-99-00
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 dst-mac 55-66-77-88-99-00
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Removes the destination MAC address configured for a WIPS signature

20.1.7.2.3 filter-ageout
signature mode commands
Configures the filter ageout interval in seconds. This is the duration for which a client that triggers a WIPS event is excluded from association with radios managed by the RF Domain manager.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
filter-ageout <1-86400>

Parameters
filter-ageout <1-86400>

filter-ageout <1-86400>  Configures the filter ageout interval from 1 - 86400 seconds

Example
rfs6000-37FABE(config-test-signature-test)#filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 dst-mac 55-66-77-88-99-00
 filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Removes the configured filter ageout interval

20.1.7.2.4 frame-type
signature mode commands
Configures the frame type used for matching with this WIPS policy signature
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp|reassoc]

Parameters
frame-type [all|assoc|auth|beacon|data|deauth|disassoc|mgmt|probe-req|probe-resp|reassoc]

frame-type  Configures the frame type used for matching
  all  Configures all frame type matching
  assoc  Configures association frame matching
  auth  Configures authentication frame matching
  beacon  Configures beacon frame matching
  data  Configures data frame matching
  deauth  Configures deauthentication frame matching
  disassoc  Configures disassociation frame matching
  mgmt  Configures management frame matching
  probe-req  Configures probe request frame matching
  probe-resp  Configures probe response frame matching
  reassoc  Configures re-association frame matching

Usage Guidelines
The frame type configured determines the SSID match type that can be configured. To configure the SSID match type as SSID, the frame type must be beacon, probe-req or probe-resp.

Example
rfs6000-37FABE(config-test-signature-test)#frame-type reassoc
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 dst-mac 55-66-77-88-99-00
 frame-type reassoc
 filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Resets a WIPS signature frame type

20.1.7.2.5 interference-event
signature mode commands
Configures this WIPS policy signature as a Smart RF interference source
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
interference-event

Parameters
None

Example
rfs6000-37FABE(config-test-signature-test)#interference-event
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 interference-event
 bssid 11-22-33-44-55-66
 dst-mac 55-66-77-88-99-00
 frame-type reassoc
 filter-ageout 8
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Disables this WIPS policy signature as a Smart RF interference source

20.1.7.2.6 mode
signature mode commands
Enables a WIPS policy signature
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mode enable

Parameters
mode enable

mode enable  Enables this WIPS signature

Example
rfs6000-37FABE(config-test-signature-test)#mode enable
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Disables a WIPS signature

20.1.7.2.7 payload
signature mode commands
Configures payload settings. The payload command sets a numerical index, a pattern and an offset for this WIPS signature.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
payload <1-3> pattern <WORD> offset <0-255>

Parameters
payload <1-3> pattern <WORD> offset <0-255>

payload <1-3>  Configures payload settings
  <1-3>  Sets the payload index from 1 - 3
pattern <WORD>  Specifies the pattern to match: hex or string
  <WORD>  Sets the pattern
offset <0-255>  Specifies the payload offset at which the pattern match starts
  <0-255>  Sets the offset value from 0 - 255

Example
rfs6000-37FABE(config-test-signature-test)#payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 dst-mac 55-66-77-88-99-00
 frame-type assoc
 filter-ageout 8
 payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Removes a payload and its associated settings

20.1.7.2.8 src-mac
signature mode commands
Configures a source MAC address for a packet examined for matching
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
src-mac <MAC>

Parameters
src-mac <MAC>

src-mac <MAC>  Configures the source MAC address to match
  <MAC>  Specify the source MAC address.

Example
rfs6000-37FABE(config-test-signature-test)#src-mac 00-1E-E5-EA-1D-60
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 src-mac 00-1E-E5-EA-1D-60
 dst-mac 55-66-77-88-99-00
 frame-type assoc
 filter-ageout 8
 payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Removes a WIPS signature source MAC address

20.1.7.2.9 ssid-match
signature mode commands
Configures the SSID (or its character length) used for matching
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
ssid-match [ssid|ssid-len]
ssid-match [ssid <SSID>|ssid-len <0-32>]

Parameters
ssid-match [ssid <SSID>|ssid-len <0-32>]

ssid <SSID>  Specifies the SSID match string. Matching on the SSID string requires the signature frame type to be beacon, probe-req or probe-resp (see frame-type).
  <SSID>  Specify the SSID string. Note: Specify the correct SSID to ensure proper filtering.
ssid-len <0-32>  Specifies the length of the SSID
  <0-32>  Specify the SSID length from 0 - 32 characters.

Example
rfs6000-37FABE(config-test-signature-test)#ssid-match ssid PrinterLan
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 src-mac 00-1E-E5-EA-1D-60
 dst-mac 55-66-77-88-99-00
 frame-type beacon
 ssid-match ssid PrinterLan
 filter-ageout 8
 payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Removes the configured SSID match

20.1.7.2.10 threshold-client
signature mode commands
Configures the wireless client threshold limit. When a wireless client exceeds the specified limit, an event is triggered.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
threshold-client <1-65535>

Parameters
threshold-client <1-65535>

threshold-client <1-65535>  Configures the wireless client threshold limit
  <1-65535>  Sets the threshold limit for a 60-second window from 1 - 65535

Example
rfs6000-37FABE(config-test-signature-test)#threshold-client 88
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 src-mac 00-1E-E5-EA-1D-60
 dst-mac 55-66-77-88-99-00
 frame-type beacon
 ssid-match ssid PrinterLan
 filter-ageout 8
 threshold-client 88
 payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

Related Commands
no  Removes the wireless client threshold limit configured with a WIPS policy signature

20.1.7.2.11 threshold-radio
signature mode commands
Configures the radio threshold limit. When a radio exceeds the specified limit, an event is triggered.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
threshold-radio <1-65535>

Parameters
threshold-radio <1-65535>

threshold-radio <1-65535>  Configures the radio threshold limit
  <1-65535>  Specify the threshold limit for a 60-second window from 1 - 65535.

Example
rfs6000-37FABE(config-test-signature-test)#threshold-radio 88
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 src-mac 00-1E-E5-EA-1D-60
 dst-mac 55-66-77-88-99-00
 frame-type beacon
 ssid-match ssid PrinterLan
 filter-ageout 8
 threshold-client 88
 threshold-radio 88
 payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#
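How the signature-mode keywords above (bssid, src-mac, dst-mac, frame-type, ssid-match, payload pattern/offset, threshold-client, threshold-radio, filter-ageout) and the same three threshold and ageout keywords on event excessive fit together, as an added model that is not WiNG code or part of this guide. It matches constructed frames against a signature, counts matches per client and per radio in a 60-second window, raises an event on the first match beyond a threshold, and drops a filtered client's frames until its ageout expires. The frame layout, the "hex:" prefix for hex patterns, the radio name and the sample frames are assumptions made for this example; it also enforces the frame-type rule for SSID matching given under frame-type.

```python
"""Added illustration, not WiNG code: WIPS signature matching plus the
threshold-client / threshold-radio / filter-ageout interaction.  Field names
follow the CLI keywords; frame layout, "hex:" prefix and samples are assumed."""
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

WINDOW = 60  # thresholds count matches inside a 60-second window (per the guide)
MGMT = {"assoc", "reassoc", "auth", "deauth", "disassoc", "beacon", "probe-req", "probe-resp"}
SSID_FRAMES = {"beacon", "probe-req", "probe-resp"}  # only these carry an SSID


@dataclass
class Frame:                 # assumed decoded-frame layout; MACs in canonical form
    ts: int                  # capture time, seconds
    radio: str               # radio that heard the frame
    frame_type: str          # a CLI frame-type keyword other than all / mgmt
    src_mac: str
    dst_mac: str
    bssid: str
    ssid: Optional[str] = None
    payload: bytes = b""


@dataclass
class Signature:
    name: str
    frame_type: str = "all"
    bssid: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    ssid: Optional[str] = None
    payloads: dict = field(default_factory=dict)  # index -> (pattern bytes, offset)
    threshold_client: Optional[int] = None
    threshold_radio: Optional[int] = None
    filter_ageout: int = 0                         # seconds; 0 = never filter

    def set_payload(self, index: int, pattern: str, offset: int) -> None:
        """payload <1-3> pattern <WORD> offset <0-255>; 'hex:' prefix (assumed) = raw bytes."""
        if not (1 <= index <= 3 and 0 <= offset <= 255):
            raise ValueError("payload index must be 1-3, offset 0-255")
        pat = bytes.fromhex(pattern[4:]) if pattern.startswith("hex:") else pattern.encode()
        self.payloads[index] = (pat, offset)

    def valid_ssid_match(self) -> bool:
        """ssid-match ssid is only allowed with frame-type beacon, probe-req or probe-resp."""
        return self.ssid is None or self.frame_type in SSID_FRAMES

    def matches(self, f: Frame) -> bool:
        types = MGMT if self.frame_type == "mgmt" else {self.frame_type}
        if self.frame_type != "all" and f.frame_type not in types:
            return False
        for want, have in ((self.bssid, f.bssid), (self.src_mac, f.src_mac), (self.dst_mac, f.dst_mac)):
            if want is not None and want.lower() != have.lower():
                return False
        if self.ssid is not None and f.ssid != self.ssid:
            return False
        # every configured payload index must match at its own offset
        return all(f.payload[off:off + len(pat)] == pat for pat, off in self.payloads.values())


class WipsEngine:
    """Sliding-window hit counters per client and per radio; a client event also
    quarantines the transmitter for filter-ageout seconds."""
    def __init__(self, signatures):
        self.signatures = list(signatures)
        assert all(s.valid_ssid_match() for s in self.signatures), "ssid-match needs beacon/probe"
        self.hits, self.filtered, self.events = {}, {}, []  # counters, mac -> expiry, raised

    def _count(self, sig, scope, key, ts) -> int:
        q = self.hits.setdefault((sig.name, scope, key), deque())
        q.append(ts)
        while ts - q[0] >= WINDOW:          # age out hits older than the window
            q.popleft()
        return len(q)

    def process(self, f: Frame):
        """Events raised by one frame, or None when a quarantined client's frame is dropped."""
        if f.ts < self.filtered.get(f.src_mac, 0):
            return None
        raised = []
        for sig in (s for s in self.signatures if s.matches(f)):
            for scope, key, thr in (("client", f.src_mac, sig.threshold_client),
                                    ("radio", f.radio, sig.threshold_radio)):
                if thr is not None and self._count(sig, scope, key, f.ts) == thr + 1:
                    raised.append((f.ts, sig.name, scope, key))   # first match beyond the limit
                    if scope == "client" and sig.filter_ageout:
                        self.filtered[key] = f.ts + sig.filter_ageout
        self.events.extend(raised)
        return raised


def run_demo():
    """Constructed probe-request burst: client A trips threshold-client and is
    filtered for 8 s; A and B together trip threshold-radio on the same radio."""
    sig = Signature(name="test", frame_type="probe-req", bssid="11-22-33-44-55-66",
                    ssid="PrinterLan", threshold_client=3, threshold_radio=5, filter_ageout=8)
    sig.set_payload(1, "test", 1)
    engine = WipsEngine([sig])
    a, b = "00-1E-E5-EA-1D-60", "00-1E-E5-EA-1D-61"

    def probe(ts, src, ssid="PrinterLan"):
        return Frame(ts=ts, radio="ap1:r1", frame_type="probe-req", src_mac=src,
                     dst_mac="11-22-33-44-55-66", bssid="11-22-33-44-55-66",
                     ssid=ssid, payload=b"\x00test\x00")

    frames = [probe(0, a), probe(1, a), probe(2, a), probe(3, a), probe(5, a),
              probe(5, b), probe(6, b), probe(11, a), probe(12, a, ssid="Other")]
    dropped = sum(engine.process(f) is None for f in frames)   # frames the filter discarded
    return engine.events, dropped
```

The demo raises a client event on A's fourth probe at 3 s and quarantines A until 11 s, so A's probe at 5 s is dropped before any signature is evaluated; B's probes still count toward the radio, which crosses its limit at 6 s. The frame at 12 s carries a different SSID and matches nothing. Note that the ageout only suppresses frames from the filtered MAC: an attacker that rotates source addresses keeps the radio counter climbing, which is what threshold-radio is for.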
Related Commands
no  Removes the radio threshold limit configured with a WIPS policy signature

20.1.7.2.12 no
signature mode commands
Negates a command or resets settings to their default. When used in the config WIPS policy signature mode, the no command resets or removes WIPS signature settings.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [bssid|dst-mac|filter-ageout|frame-type|interference-event|mode|payload|src-mac|ssid-match|threshold-client|threshold-radio]
no [bssid|dst-mac|filter-ageout|frame-type|interference-event|mode enable|payload <1-3>|src-mac|ssid-match [ssid|ssid-len]|threshold-client|threshold-radio]

Parameters
no <PARAMETERS>

no <PARAMETERS>  Negates a command or resets settings to their default

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
The following shows the WIPS signature test settings before the execution of the no commands:
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 bssid 11-22-33-44-55-66
 src-mac 00-1E-E5-EA-1D-60
 dst-mac 55-66-77-88-99-00
 frame-type beacon
 ssid-match ssid PrinterLan
 filter-ageout 8
 threshold-client 88
 threshold-radio 88
 payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

rfs6000-37FABE(config-test-signature-test)#no mode enable
rfs6000-37FABE(config-test-signature-test)#no bssid
rfs6000-37FABE(config-test-signature-test)#no dst-mac
rfs6000-37FABE(config-test-signature-test)#no src-mac
rfs6000-37FABE(config-test-signature-test)#no filter-ageout
rfs6000-37FABE(config-test-signature-test)#no threshold-client
rfs6000-37FABE(config-test-signature-test)#no threshold-radio
rfs6000-37FABE(config-test-signature-test)#

The following shows the WIPS signature test settings after the execution of the no commands:
rfs6000-37FABE(config-test-signature-test)#show context
signature test
 no mode enable
 frame-type beacon
 payload 1 pattern test offset 1
rfs6000-37FABE(config-test-signature-test)#

20.1.8 use
wips-policy
Enables device categorization on this WIPS policy. This command uses an existing device categorization list. The list categorizes devices as authorized or unauthorized.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use device-categorization <DEVICE-CATEGORIZATION>

Parameters
use device-categorization <DEVICE-CATEGORIZATION>

device-categorization <DEVICE-CATEGORIZATION>   Configures a device categorization list
  <DEVICE-CATEGORIZATION>                       Specify the device categorization object name to associate with this profile

Example
rfs6000-37FABE(config-wips-policy-test)#use device-categorization test
rfs6000-37FABE(config-wips-policy-test)#show context
wips-policy test
 event excessive 80211-replay-check-failure threshold-client 10 threshold-radio 99 filter-ageout 9
 no event client-anomaly wellenreiter filter-ageout 99
 signature test
  interference-event
  bssid 11-22-33-44-55-66
  dst-mac 55-66-77-88-99-00
  frame-type reassoc
  filter-ageout 8
  threshold-client 88
  payload 1 pattern test offset 1
 ap-detection-ageout 50
 ap-detection-wait-time 15
 use device-categorization test
rfs6000-37FABE(config-wips-policy-test)#
Related Commands
no   Disables the use of a device categorization policy with a WIPS policy

21 WLAN-QOS-POLICY

This chapter summarizes the WLAN QoS policy in the CLI command structure.

A WLAN QoS policy increases network efficiency by prioritizing data traffic. Prioritization reduces congestion, which matters because there is never enough bandwidth for all users and applications at once. QoS helps ensure each WLAN on the wireless controller receives a fair share of the overall bandwidth, either equally or in the proportion configured. Packets directed towards clients are classified into categories such as Video, Voice and Data. Each WLAN QoS policy groups its parameters into categories, such as management, voice and data. Packets within each category are processed based on the weights defined for each WLAN.

Use the (config) instance to configure WLAN QoS policy commands. To navigate to the WLAN QoS policy instance, use the following commands:

<DEVICE>(config)#wlan-qos-policy <POLICY-NAME>

rfs6000-37FABE(config)#wlan-qos-policy test
rfs6000-37FABE(config-wlan-qos-test)#?
WLAN QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address and forwarding QoS classification
  classification         Select how traffic on this WLAN must be classified (relative prioritization on the radio)
  multicast-mask         Egress multicast mask (frames that match bypass the PSP queue. This permits intercom mode operation without delay even in the presence of PSP clients)
  no                     Negate a command or set its defaults
  qos                    Quality of service
  rate-limit             Configure traffic rate-limiting parameters on a per-wlan/per-client basis
  svp-prioritization     Enable spectralink voice protocol support on this wlan
  voice-prioritization   Prioritize voice client over other client (for non-WMM clients)
  wmm                    Configure 802.11e/Wireless MultiMedia parameters

  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal
rfs6000-37FABE(config-wlan-qos-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

21.1 wlan-qos-policy
WLAN-QOS-POLICY

WLAN QoS configurations differ significantly from QoS policies configured for radios. WLAN QoS configurations are designed to support the data requirements of wireless clients, including the data types they support and their network permissions. Radio QoS policies are specific to the transmit and receive characteristics of the connected radios themselves, independent of the wireless clients these access point radios support.

The following table summarizes WLAN QoS policy configuration commands:
Table 21.1 WLAN-QoS-Policy-Config Commands

Command                Description                                                                          Reference
accelerated-multicast  Configures accelerated multicast stream addresses and forwarding QoS classifications  page 21-3
classification         Classifies WLAN traffic based on priority                                            page 21-5
multicast-mask         Configures the egress prioritization multicast mask                                  page 21-7
no                     Negates a command or sets its default                                                page 21-8
qos                    Defines the QoS configuration                                                        page 21-9
rate-limit             Configures the WLAN traffic rate limit using a WLAN QoS policy                       page 21-10
svp-prioritization     Enables Spectralink voice protocol support on a WLAN                                 page 21-13
voice-prioritization   Prioritizes voice clients over other clients                                         page 21-14
wmm                    Configures 802.11e/wireless multimedia parameters                                    page 21-15

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

21.1.1 accelerated-multicast
wlan-qos-policy

Configures the accelerated multicast stream address and forwarding QoS classification settings.

Enabling this option allows the system to automatically detect and convert multicast streams to unicast streams. When a stream is converted and queued for transmission, a number of classification mechanisms can be applied to it. Use the classification options to specify the traffic type to prioritize.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
accelerated-multicast [<IP>|autodetect]
accelerated-multicast [<IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

Parameters
accelerated-multicast [<IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

accelerated-multicast   Configures the accelerated multicast stream address and forwarding QoS classification
<IP>                    Configures a multicast IP address in the A.B.C.D format. The system can configure up to 32 IP addresses for each WLAN QoS policy
autodetect              Allows the system to automatically detect multicast streams to be accelerated. This parameter allows the system to convert multicast streams to unicast, or to specify multicast streams converted to unicast.
classification          Optional. Configures the QoS classification (traffic class) settings. When the stream is converted and queued for transmission, specify the type of classification applied to the stream. The options are: background, best-effort, trust, voice, and video.
  background            Forwards streams with background (low) priority. This parameter is common to both <IP> and autodetect.
  best-effort           Forwards streams with best effort (normal) priority. This parameter is common to both <IP> and autodetect.
  trust                 No change to the stream's forwarding traffic class. This parameter is common to both <IP> and autodetect.
  video                 Forwards streams with video traffic priority. This parameter is common to both <IP> and autodetect.
  voice                 Forwards streams with voice traffic priority. This parameter is common to both <IP> and autodetect.

Example
rfs6000-37FABE(config-wlan-qos-test)#accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
21.1.2 classification
wlan-qos-policy

Specifies how traffic on this WLAN is classified. This classification is based on relative prioritization on the radio.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
classification [low|non-unicast|non-wmm|normal|video|voice|wmm]
classification [low|normal|video|voice|wmm]
classification non-unicast [voice|video|normal|low|default]
classification non-wmm [voice|video|normal|low]

Parameters
classification [low|normal|video|voice|wmm]

low      Optimized for background traffic. Implies all traffic on this WLAN is low priority on the radio
normal   Optimized for best effort traffic. Implies all traffic on this WLAN is prioritized as best effort traffic on the radio
video    Optimized for video traffic. Implies all traffic on this WLAN is prioritized as video traffic on the radio
voice    Optimized for voice traffic. Implies all traffic on this WLAN is prioritized as voice traffic on the radio
wmm      Uses WMM based classification, using DSCP or 802.1p tags, to classify traffic into different queues. Implies WiFi Multimedia QoS extensions are enabled on this radio. This allows different traffic streams between the wireless client and the access point to be prioritized according to the type of traffic (voice, video etc). The WMM classification supports the high throughput data rates required for 802.11n device support. This is the default setting.

classification non-unicast [voice|video|normal|low|default]

non-unicast   Optimized for non-unicast traffic. Implies all traffic on this WLAN is designed for broadcast or multiple destinations
  video       Optimized for non-unicast video traffic. Implies all WLAN non-unicast traffic is classified and treated as video packets
  voice       Optimized for non-unicast voice traffic. Implies all WLAN non-unicast traffic is classified and treated as voice packets
  normal      Optimized for non-unicast best effort traffic. Implies all WLAN non-unicast traffic is classified and treated as normal priority packets (best effort)
  low         Optimized for non-unicast background traffic. Implies all WLAN non-unicast traffic is classified and treated as low priority packets (background)
  default     Uses the default classification mode (same as unicast classification if WMM is disabled, normal if unicast classification is WMM). This is the default setting.

classification non-wmm [voice|video|normal|low]

non-wmm   Specifies how traffic from non-WMM clients is classified
  voice   Optimized for non-WMM voice traffic. Implies all WLAN non-WMM client traffic is classified and treated as voice packets
  video   Optimized for non-WMM video traffic. Implies all WLAN non-WMM client traffic is classified and treated as video packets
  normal  Optimized for non-WMM best effort traffic. Implies all WLAN non-WMM client traffic is classified and treated as normal priority packets (best effort). This is the default setting.
  low     Optimized for non-WMM background traffic. Implies all WLAN non-WMM client traffic is classified and treated as low priority packets (background)

Example
rfs6000-37FABE(config-wlan-qos-test)#classification wmm
rfs6000-37FABE(config-wlan-qos-test)#classification non-wmm video
rfs6000-37FABE(config-wlan-qos-test)#classification non-unicast normal
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
21.1.3 multicast-mask
wlan-qos-policy

Configures an egress prioritization multicast mask for this WLAN QoS policy.

Normally all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames. However, for certain applications and traffic types, the administrator may want the frames transmitted immediately, without waiting for the DTIM interval. By configuring a primary or secondary prioritization multicast mask, the network administrator can indicate which packets are transmitted immediately.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
multicast-mask [primary|secondary] <MAC/MASK>

Parameters
multicast-mask [primary|secondary] <MAC/MASK>

primary <MAC/MASK>     Configures the primary egress prioritization multicast mask
  <MAC/MASK>           Provide the MAC address and the mask in the AA-BB-CC-DD-EE-FF/XX-XX-XX-XX-XX-XX format. The default value is 00-00-00-00-00-00/FF-FF-FF-FF-FF-FF.
                       Note: Setting masks is optional and only needed if there are traffic types requiring special handling.
secondary <MAC/MASK>   Configures the secondary egress prioritization multicast mask
  <MAC/MASK>           Provide the MAC address and the mask in the AA-BB-CC-DD-EE-FF/XX-XX-XX-XX-XX-XX format. The default value is 00-00-00-00-00-00/FF-FF-FF-FF-FF-FF.

Example
rfs6000-37FABE(config-wlan-qos-test)#multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
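The following is an added worked example, not code from the WiNG guide or from Extreme Networks: a small model of how a <MAC/MASK> argument selects the multicast or broadcast frames that skip the DTIM buffer. The guide does not spell out the matching rule, so the usual "(destination AND mask) == (base AND mask)" semantics is an assumption made here, as are the helper names and the sample masks (IPV4_MCAST_MASK covers the 01-00-5E-00-00-00 to 01-00-5E-7F-FF-FF range that IPv4 multicast maps to).

```python
"""Added example: model of the multicast-mask <MAC/MASK> matching rule.
Assumption (not stated by the guide): a frame matches a mask entry when
(dst_mac AND mask) == (base_mac AND mask)."""

import re
from typing import Optional

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")

# Default from the guide: base 00-..-00 with an all-ones mask matches only the
# all-zero MAC, i.e. effectively nothing bypasses the DTIM buffer.
DEFAULT_MASK = "00-00-00-00-00-00/FF-FF-FF-FF-FF-FF"
# Constructed sample: the 23-bit IPv4 multicast MAC range (01-00-5E-00-00-00/23 bits).
IPV4_MCAST_MASK = "01-00-5E-00-00-00/FF-FF-FF-80-00-00"


def parse_mac(text: str) -> int:
    """Parse AA-BB-CC-DD-EE-FF into a 48-bit integer; reject anything else."""
    if not _MAC_RE.match(text):
        raise ValueError(f"not a MAC in AA-BB-CC-DD-EE-FF form: {text!r}")
    return int(text.replace("-", ""), 16)


def parse_mask_spec(spec: str) -> tuple:
    """Parse the CLI <MAC/MASK> argument into (base, mask) integers."""
    mac_text, sep, mask_text = spec.partition("/")
    if not sep:
        raise ValueError("expected AA-BB-CC-DD-EE-FF/XX-XX-XX-XX-XX-XX")
    return parse_mac(mac_text), parse_mac(mask_text)


def is_valid_mask_spec(spec: str) -> bool:
    """True if spec is well-formed (use before pasting a value into the CLI)."""
    try:
        parse_mask_spec(spec)
        return True
    except ValueError:
        return False


def mac_matches(dst_mac: str, spec: str) -> bool:
    """Does a frame to dst_mac fall inside the configured mask entry?"""
    base, mask = parse_mask_spec(spec)
    return (parse_mac(dst_mac) & mask) == (base & mask)


def bypasses_dtim_queue(dst_mac: str, primary: Optional[str], secondary: Optional[str]) -> bool:
    """True if the frame matches either configured mask and would therefore be
    transmitted immediately instead of waiting for the next DTIM."""
    return any(mac_matches(dst_mac, spec) for spec in (primary, secondary) if spec)


if __name__ == "__main__":
    for dst in ("01-00-5E-00-00-FB", "01-00-5E-80-00-00", "33-33-00-00-00-01", "FF-FF-FF-FF-FF-FF"):
        print(dst, "bypass" if bypasses_dtim_queue(dst, IPV4_MCAST_MASK, None) else "buffer until DTIM")
```

The mask decides which groups are sent without waiting for power-save clients to wake, so keep it as narrow as the application needs: a very permissive mask makes every matching multicast skip the buffer, and sleeping clients simply miss those frames. The default entry is deliberately inert, which is why masks only need configuring for traffic that genuinely requires immediate delivery.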
21.1.4 no
wlan-qos-policy

Negates a command or resets settings to their default

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [accelerated-multicast|classification|multicast-mask|qos|rate-limit|svp-prioritization|voice-prioritization|wmm]
no [accelerated-multicast [<IP>|autodetect]|classification {non-unicast|non-wmm}|multicast-mask [primary|secondary]|qos trust [dscp|wmm]|svp-prioritization|voice-prioritization]
no rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold}
no rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold [background|best-effort|video|voice]}
no wmm [background|best-effort|power-save|qbss-load-element|video|voice]
no wmm [power-save|qbss-load-element]
no wmm [background|best-effort|video|voice] [aifsn|cw-max|cw-min|txop-limit]

Parameters
no <PARAMETERS>

no <PARAMETERS>   Negates a command or resets settings to their default

Example
The following example shows the WLAN QoS Policy test settings before the no commands are executed:

rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

rfs6000-37FABE(config-wlan-qos-test)#no classification non-wmm
rfs6000-37FABE(config-wlan-qos-test)#no multicast-mask primary
rfs6000-37FABE(config-wlan-qos-test)#no qos trust dscp

The following example shows the WLAN QoS Policy test settings after the no commands are executed:

rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-unicast normal
 no qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
21.1.5 qos
wlan-qos-policy

Enables QoS on this WLAN

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
qos trust [dscp|wmm]

Parameters
qos trust [dscp|wmm]

trust [dscp|wmm]   Trusts the QoS values of ingressing packets. Both these options are enabled by default.
  dscp             Trusts the IP DSCP values of ingressing packets
  wmm              Trusts the 802.11 WMM QoS values of ingressing packets

Note: Because both options are on by default, the priority a client writes into its own packets (the IP DSCP field or the 802.11 WMM user priority) is honored as received. Any client can therefore mark its traffic as voice or video and be served ahead of other users on the WLAN. On WLANs whose clients cannot be trusted to mark traffic honestly (guest or BYOD WLANs, for example), disable the trust with no qos trust dscp and/or no qos trust wmm.

Example
rfs6000-37FABE(config-wlan-qos-test)#qos trust wmm
rfs6000-37FABE(config-wlan-qos-test)#qos trust dscp
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-unicast normal
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
21.1.6 rate-limit
wlan-qos-policy

Configures the WLAN traffic rate limits using the WLAN QoS policy

Excessive traffic causes performance problems or brings down the network entirely. It can come from numerous sources, including network loops, faulty devices, or malicious software such as a worm or virus that has infected one or more devices at the branch. Rate limiting caps the maximum rate sent to or received from the wireless network (and WLAN) per wireless client, so no single user can overwhelm the wireless network. It can also provide differential service for service providers.

The uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes, and are extracted from the RADIUS server's response. When such attributes are not present, the settings defined on the controller (access point, wireless controller, or service platform) are applied.

An administrator can set separate QoS rate limits for upstream (data transmitted from the managed network) and downstream (data transmitted to the managed network) traffic. Before defining rate limit thresholds for WLAN upstream and downstream traffic, it is recommended that you establish the normal number of ARP, broadcast, multicast and unknown unicast packets that are typically transmitted and received in each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) is dropped, resulting in intermittent outages and performance problems. Connected wireless clients can also have QoS rate limit settings defined in both the upstream and downstream direction.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
rate-limit [client|wlan] [from-air|to-air] {max-burst-size|rate|red-threshold}
rate-limit [client|wlan] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}
rate-limit [client|wlan] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

Parameters
rate-limit [client|wlan] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}

rate-limit                Configures traffic rate limit parameters
  client                  Configures traffic rate limiting parameters on a per-client basis
  wlan                    Configures traffic rate limiting parameters on a per-WLAN basis
  from-air                Configures traffic rate limiting from a wireless client to the network
  to-air                  Configures the traffic rate limit from the network to a wireless client
  max-burst-size <2-1024> Optional. Sets the maximum burst size from 2 - 1024 kbytes. The smaller the burst, the lower the chance that upstream or downstream packet transmission congests the WLAN's client destinations. The default values are:
                          - WLAN to-air and from-air: 320 kbytes
                          - Client to-air and from-air: 64 kbytes
                          By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should add a 10% margin (minimally) to allow for traffic bursts at the site.
  rate <50-1000000>       Optional. Sets the traffic rate from 50 - 1000000 Kbps. This limit is the threshold value for the maximum number of packets received or transmitted over the WLAN from all access categories. Any traffic that exceeds the specified rate is dropped and a log message is generated. The default values are:
                          - WLAN to-air and from-air: 5000 Kbps
                          - Client to-air and from-air: 1000 Kbps

rate-limit [client|wlan] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

rate-limit                Configures traffic rate limit parameters
  client                  Configures traffic rate limiting parameters on a per-client basis
  wlan                    Configures traffic rate limiting parameters on a per-WLAN basis
  from-air                Configures traffic rate limiting from a wireless client to the network
  to-air                  Configures the traffic rate limit from the network to a wireless client
  red-threshold           Configures random early detection threshold values for a designated traffic class. The following options are common to the from-air and to-air parameters:
    background <0-100>    Optional. Sets a percentage value for background traffic in the upstream or downstream direction. Background traffic exceeding the defined threshold is dropped and a log message is generated.
    best-effort <0-100>   Optional. Sets a percentage value for best effort traffic in the upstream or downstream direction. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. The default threshold values are:
                          - WLAN to-air and from-air: 50%
                          - Client to-air and from-air: 50%
    video <0-100>         Optional. Sets a percentage value for video traffic in the upstream or downstream direction. Video traffic exceeding the defined threshold is dropped and a log message is generated. The default threshold values are:
                          - WLAN to-air and from-air: 25%
                          - Client to-air and from-air: 25%
    voice <0-100>         Optional. Sets a percentage value for voice traffic in the upstream or downstream direction. Voice traffic exceeding the defined threshold is dropped and a log message is generated. The default threshold values are:
                          - WLAN to-air and from-air: 0%
                          - Client to-air and from-air: 0%
                          Note: A value of 0% means no early random drops.

Usage Guidelines
The following information should be taken into account when configuring rate limits:
- Background traffic consumes the least bandwidth, so this value can be set to a lower value once a general downstream rate is known by the network administrator (using a time trend analysis).
- Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis).
- Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis).
- Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis).

Example
rfs6000-37FABE(config-wlan-qos-test)#rate-limit wlan from-air max-burst-size 6
rfs6000-37FABE(config-wlan-qos-test)#rate-limit wlan from-air rate 55
rfs6000-37FABE(config-wlan-qos-test)#rate-limit wlan from-air red-threshold best-effort 10
rfs6000-37FABE(config-wlan-qos-test)#rate-limit client from-air red-threshold background 3
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
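To make the interaction between rate and max-burst-size concrete, here is an added example (written for this page, not code from the WiNG guide or from the access point firmware) that models the limiter as a token bucket and replays a constructed burst of frames through the guide's example values (rate 55, max-burst-size 6) and through the WLAN defaults. The guide does not describe the limiter's internals, so the token-bucket shape, 1 kbyte = 1024 bytes, 1 Kbps = 1000 bit/s, and the class and function names are all assumptions of this example.

```python
"""Added example: token-bucket model of 'rate-limit ... rate <Kbps>' and
'max-burst-size <kbytes>'.  Assumptions (not from the guide): token bucket
semantics, 1 kbyte = 1024 bytes, 1 Kbps = 1000 bit/s, bucket starts full."""


class RateLimiter:
    """One direction (from-air or to-air) of one client or WLAN limiter."""

    def __init__(self, rate_kbps: int, max_burst_kbytes: int) -> None:
        # Enforce the CLI ranges from the guide before modelling anything.
        if not 50 <= rate_kbps <= 1_000_000:
            raise ValueError("rate must be 50-1000000 Kbps")
        if not 2 <= max_burst_kbytes <= 1024:
            raise ValueError("max-burst-size must be 2-1024 kbytes")
        self.rate_kbps = rate_kbps
        self.max_burst_kbytes = max_burst_kbytes
        self.tokens = float(self.capacity_bytes)   # bucket starts full
        self.last_t = 0.0
        self.passed = 0
        self.dropped = 0
        self.log = []                              # stands in for the syslog line

    @property
    def capacity_bytes(self) -> int:
        """max-burst-size is the most that can be forwarded back-to-back."""
        return self.max_burst_kbytes * 1024

    @property
    def bytes_per_sec(self) -> float:
        """rate is the sustained refill rate of the bucket."""
        return self.rate_kbps * 1000 / 8

    def offer(self, size_bytes: int, now: float) -> bool:
        """Return True if the packet is forwarded, False if it is dropped.
        Packets must be offered in non-decreasing time order."""
        elapsed = now - self.last_t
        self.tokens = min(self.capacity_bytes, self.tokens + elapsed * self.bytes_per_sec)
        self.last_t = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            self.passed += 1
            return True
        self.dropped += 1
        self.log.append(f"t={now:.3f}s rate-limit exceeded, dropped {size_bytes} bytes")
        return False


def run_trace(rate_kbps: int, burst_kbytes: int, trace) -> tuple:
    """Replay (time_s, size_bytes) packets; return (passed, dropped)."""
    limiter = RateLimiter(rate_kbps, burst_kbytes)
    for t, size in trace:
        limiter.offer(size, t)
    return limiter.passed, limiter.dropped


# Constructed trace: five 1500-byte frames at t=0, three more half a second later.
TRACE = [(0.0, 1500)] * 5 + [(0.5, 1500)] * 3

if __name__ == "__main__":
    print("guide example (rate 55, burst 6):", run_trace(55, 6, TRACE))
    print("WLAN defaults (rate 5000, burst 320):", run_trace(5000, 320, TRACE))
```

With the guide's example values a 6 kbyte bucket holds only four 1500-byte frames, and at 55 Kbps it refills about 3.4 kbytes per half second, so the replay drops two of eight ordinary frames; with the WLAN defaults nothing is dropped. That is the "thresholds defined too low" failure mode from the usage text, and it is why the guide asks for a measured baseline plus margin before tightening either knob.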
21.1.7 svp-prioritization
wlan-qos-policy

Enables WLAN SVP support on this WLAN QoS policy. SVP support enables the identification and prioritization of traffic from Spectralink/Polycom phones. This gives priority to voice and voice management packets, and is supported only on certain legacy VoIP phones. If the wireless client classification is WMM, non-WMM devices recognized as voice devices have all their traffic transmitted at voice priority. Devices are classified as voice when they emit SIP, SCCP, or H.323 traffic. Selecting this option has no effect on devices supporting WMM. This feature is disabled by default.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
svp-prioritization

Parameters
None

Example
rfs6000-37FABE(config-wlan-qos-test)#svp-prioritization
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 svp-prioritization
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#

21.1.8 voice-prioritization
wlan-qos-policy

Prioritizes voice clients over other clients (for non-WMM clients). This gives priority to voice and voice management packets and is supported only on certain legacy VoIP phones. This feature is disabled by default.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
voice-prioritization

Parameters
None

Example
rfs6000-37FABE(config-wlan-qos-test)#voice-prioritization
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 svp-prioritization
 voice-prioritization
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 21 - 14 WLAN-QOS-POLICY 21.1.9 wmm wlan-qos-policy Configures 802.11e/Wireless Multimedia (WMM) parameters for this WLAN QoS policy WMM makes it possible for both home networks and Enterprises to decide which data streams are most important and assign them a higher traffic priority. WMMs prioritization capabilities are based on the four access categories (background, best-effort, video, and voice). Higher the Access Category (AC) higher is the transmission probability over the controller managed WLAN. ACs correspond to the 802.1d priorities, facilitating interoperability with QoS policy management mechanisms. WMM enabled controllers coexist with legacy devices (not WMM-enabled). Packets not assigned to a specific access category are categorized as best effort by default. Applications assign each data packet to a given access category. Categorized packets are added to one of four independent transmit queues (one per access category). The client has an internal collision resolution mechanism to address collision among different queues, which selects the frames with the highest priority to transmit. The same mechanism deals with external collision, to determine which client should be granted the Opportunity to Transmit (TXOP). The collision resolution algorithm responsible for traffic prioritization is probabilistic and depends on two timing parameters that vary for each access category. These parameters are:
The minimum interframe space, or Arbitrary Inter-Frame Space Number (AIFSN) The contention window, sometimes referred to as the random back off wait Both values are smaller for high-priority traffic. The value of the contention window varies through time. Initially the contention window is set to a value that depends on the AC. As frames with the highest AC tend to have the lowest back off values, they are more likely to get a TXOP. After each collision the contention window is doubled until a maximum value (also dependent on the AC) is reached. After successful transmission, the contention window is reset to its initial, AC dependant value. The AC with the lowest back off value gets the TXOP. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wmm [background|best-effort|power-save|qbss-load-element|video|voice]
wmm [power-save|qbss-load-element]
wmm [background|best-effort|video|voice] [aifsn <2-15>|cw-max <0-15>|cw-min <0-
15>|txop-limit <0-65535>]
Parameters

wmm [power-save|qbss-load-element]

wmm                 Configures 802.11e/wireless multimedia parameters
power-save          Enables support for the WMM-Powersave mechanism. This mechanism, also known as Unscheduled Automatic Power Save Delivery (U-APSD), is specifically designed for WMM voice devices. This feature is enabled by default.
qbss-load-element   Enables support for the QoS Basic Service Set (QBSS) load information element in beacons and probe response packets advertised by access points. This feature is enabled by default.

wmm [background|best-effort|video|voice] [aifsn <2-15>|cw-max <0-15>|cw-min <0-15>|txop-limit <0-65535>]
wmm                    Configures 802.11e/wireless multimedia parameters. This parameter enables the configuration of four access categories. Applications assign each data packet to one of these four access categories and queue them for transmission.
background             Configures background access category parameters
best-effort            Configures best effort access category parameters. Packets not assigned to any particular access category are categorized by default as having best effort priority
video                  Configures video access category parameters
voice                  Configures voice access category parameters
aifsn <2-15>           Configures the Arbitrary Inter-Frame Space Number (AIFSN) from 2 - 15. AIFSN is the wait time between data frames. This parameter is common to background, best effort, video and voice.
                       The default for the voice traffic category is 2
                       The default for the video traffic category is 2
                       The default for the best effort (normal) traffic category is 3
                       The default for the background (low) traffic category is 7
                       <2-15> Sets a value from 2 - 15
cw-max <0-15>          Configures the maximum contention window. Wireless clients pick a number between 0 and the minimum contention window to wait before retransmission. Wireless clients then double their wait time on a collision, until it reaches the maximum contention window. This parameter is common to background, best effort, video and voice.
                       The default for the voice traffic category is 3
                       The default for the video traffic category is 4
                       The default for the best effort (normal) traffic category is 10
                       The default for the background (low) traffic category is 10
                       <0-15> ECW: the contention window. The actual value used is (2^ECW - 1). Set a value from 0 - 15.
cw-min <0-15>          Configures the minimum contention window. Wireless clients pick a number between 0 and the minimum contention window to wait before retransmission. Wireless clients then double their wait time on a collision, until it reaches the maximum contention window. This parameter is common to background, best effort, video and voice.
                       The default for the voice traffic category is 2
                       The default for the video traffic category is 3
                       The default for the best effort (normal) traffic category is 4
                       The default for the background (low) traffic category is 4
                       <0-15> ECW: the contention window. The actual value used is (2^ECW - 1). Set a value from 0 - 15.
txop-limit <0-65535>   Configures the transmit-opportunity (the interval of time during which a particular client has the right to initiate transmissions). This parameter is common to background, best effort, video and voice.
                       The default for the voice traffic category is 47
                       The default for the video traffic category is 94
                       The default for the best effort (normal) traffic category is 0
                       The default for the background (low) traffic category is 0
                       <0-65535> Set a value from 0 - 65535 to configure the transmit-opportunity in 32 microsecond units.

Example

rfs6000-37FABE(config-wlan-qos-test)#wmm video txop-limit 9
rfs6000-37FABE(config-wlan-qos-test)#wmm voice cw-min 6
rfs6000-37FABE(config-wlan-qos-test)#show context
wlan-qos-policy test
 classification non-wmm video
 svp-prioritization
 voice-prioritization
 wmm video txop-limit 9
 wmm voice cw-min 6
 multicast-mask primary 11-22-33-44-55-66/22-33-44-55-66-77
 classification non-unicast normal
 rate-limit wlan from-air rate 55
 rate-limit wlan from-air max-burst-size 6
 rate-limit wlan from-air red-threshold best-effort 10
 rate-limit client from-air red-threshold background 3
 qos trust dscp
 qos trust wmm
 accelerated-multicast autodetect classification voice
rfs6000-37FABE(config-wlan-qos-test)#
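The following Python model is an added example (not code from this guide or from WiNG) that turns the wmm parameter table above into numbers an operator can reason about: it converts the ECW exponents of cw-min and cw-max into slot counts with CW = 2^ECW - 1, converts txop-limit from its 32 microsecond units, walks the per-collision doubling up to cw-max, range-checks `wmm <ac> <param> <value>` lines against the syntax, and replays the two commands from the Example. The defaults and ranges are the ones listed in the table; the handling of a cw-min configured above cw-max (as the Example's `wmm voice cw-min 6` does against the default cw-max 3) is this example's own assumption, since the guide does not describe that case.

```python
"""EDCA/WMM parameter model built from the wmm defaults and ranges listed
above.  Added example, not code from the guide or from WiNG.  cw-min and
cw-max are ECW exponents (CW = 2^ECW - 1) and txop-limit is counted in
32 microsecond units, exactly as the parameter descriptions state."""

# Defaults per access category as the parameter table lists them.
WMM_DEFAULTS = {
    "voice":       {"aifsn": 2, "cw-min": 2, "cw-max": 3,  "txop-limit": 47},
    "video":       {"aifsn": 2, "cw-min": 3, "cw-max": 4,  "txop-limit": 94},
    "best-effort": {"aifsn": 3, "cw-min": 4, "cw-max": 10, "txop-limit": 0},
    "background":  {"aifsn": 7, "cw-min": 4, "cw-max": 10, "txop-limit": 0},
}

# Accepted ranges from the syntax line:
# aifsn <2-15>, cw-max <0-15>, cw-min <0-15>, txop-limit <0-65535>
RANGES = {"aifsn": (2, 15), "cw-min": (0, 15), "cw-max": (0, 15), "txop-limit": (0, 65535)}

TXOP_UNIT_US = 32   # txop-limit is counted in 32 microsecond units


def ecw_to_cw(ecw):
    """Contention window in slots from the ECW exponent: CW = 2^ECW - 1."""
    return (1 << ecw) - 1


def txop_us(units):
    """txop-limit converted from 32 microsecond units to microseconds."""
    return units * TXOP_UNIT_US


def contention_window(ac, collisions, params=None):
    """CW (in slots) used after `collisions` consecutive collisions of a frame in
    access category `ac`: start at cw-min, double once per collision (ECW + 1)
    and stop growing at cw-max.  A successful transmission resets to cw-min, so
    call with collisions=0 for a fresh frame.  If cw-min is configured above
    cw-max this model never shrinks below cw-min; that is this example's
    assumption, not documented behaviour."""
    p = (params or WMM_DEFAULTS)[ac]
    cap = max(p["cw-min"], p["cw-max"])
    return ecw_to_cw(min(p["cw-min"] + collisions, cap))


def validate_wmm_command(ac, param, value):
    """Range-check one `wmm <ac> <param> <value>` line against the documented
    syntax.  Returns (ok, message)."""
    if ac not in WMM_DEFAULTS:
        return False, f"unknown access category {ac!r}"
    if param not in RANGES:
        return False, f"unknown parameter {param!r}"
    lo, hi = RANGES[param]
    if not lo <= value <= hi:
        return False, f"{param} {value} is outside <{lo}-{hi}>"
    return True, "ok"


def apply_commands(commands, base=None):
    """Apply (ac, param, value) tuples on top of the defaults (or `base`) and
    return the resulting per-AC table; out-of-range values are rejected."""
    params = {ac: dict(v) for ac, v in (base or WMM_DEFAULTS).items()}
    for ac, param, value in commands:
        ok, msg = validate_wmm_command(ac, param, value)
        if not ok:
            raise ValueError(msg)
        params[ac][param] = value
    return params


def example_policy():
    """The two commands from the Example above:
    wmm video txop-limit 9 and wmm voice cw-min 6."""
    return apply_commands([("video", "txop-limit", 9), ("voice", "cw-min", 6)])


if __name__ == "__main__":
    for ac, p in example_policy().items():
        print(f"{ac:12s} AIFSN={p['aifsn']:2d} CWmin={ecw_to_cw(p['cw-min']):4d} "
              f"CWmax={ecw_to_cw(p['cw-max']):4d} TXOP={txop_us(p['txop-limit'])}us")
```

Running it shows why the Example's `wmm voice cw-min 6` deserves a second look before it is committed: the voice queue's initial window jumps from 3 to 63 slots, larger than the default voice cw-max, so voice frames lose the low-backoff advantage the text describes relative to video and best effort.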
22 L2TPV3-POLICY

This chapter summarizes Layer 2 Tunnel Protocol Version 3 (L2TPv3) policy commands in the CLI command structure.

L2TPv3 is an IETF standard used for transporting different types of layer 2 frames over an intermediate IP network. L2TPv3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Use L2TPv3 to create tunnels for transporting layer 2 frames.

L2TPv3 enables WING supported controllers and access points to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TPv3 tunnels can be defined between WING devices and other vendor devices supporting the L2TPv3 protocol.

Multiple pseudowires can be created within an L2TPv3 tunnel. WING supported devices support an Ethernet VLAN pseudowire type exclusively.

NOTE: A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network.

Ethernet VLAN pseudowires transport Ethernet frames to and from a specified VLAN. One or more L2TPv3 tunnels can be defined between tunnel end points. Each tunnel can have one or more L2TPv3 sessions. Each tunnel session corresponds to one pseudowire. An L2TPv3 control connection (an L2TPv3 tunnel) needs to be established between the tunneling entities before creating a session.

For optimal pseudowire operation, both the L2TPv3 session originator and responder need to know the pseudowire type and identifier. These two parameters are communicated during L2TPv3 session establishment. An L2TPv3 session created within an L2TPv3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID. The working status of a pseudowire is reflected by the state of the L2TPv3 session. If an L2TPv3 session is down, the pseudowire associated with it must be shut down. The L2TPv3 control connection keep-alive mechanism can serve as a monitoring mechanism for the pseudowires associated with a control connection.

NOTE: If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port; if connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN.

This chapter is organized into the following sections:

l2tpv3-policy-commands
l2tpv3-tunnel-commands
l2tpv3-manual-session-commands

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

22.1 l2tpv3-policy-commands

Use the (config) instance to configure L2TPv3 policy parameters. To navigate to the L2TPv3 policy instance, use the following commands:
<DEVICE>(config)#l2tpv3 policy <L2TPV3-POLICY-NAME>
rfs6000-37FABE(config)#l2tpv3 policy L2TPV3Policy1
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#?
L2tpv3 Policy Mode commands:
  cookie-size             Size of the cookie field present in each l2tpv3 data message
  failover-delay          Time interval for re-establishing the tunnel after the failover (RF-Domain manager/VRRP-master/Cluster-master failover)
  force-l2-path-recovery  Enables force learning of servers, gateways etc., behind the l2tpv3 tunnel when the tunnel is established
  hello-interval          Configure the time interval (in seconds) between l2tpv3 Hello keep-alive messages exchanged in l2tpv3 control connection
  no                      Negate a command or set its defaults
  reconnect-attempts      Maximum number of attempts to reestablish the tunnel.
  reconnect-interval      Time interval between the successive attempts to reestablish the l2tpv3 tunnel
  retry-attempts          Configure the maximum number of retransmissions for signaling message
  retry-interval          Time interval (in seconds) before the initiating a retransmission of any l2tpv3 signaling message
  rx-window-size          Number of signaling messages that can be received without sending the acknowledgment
  tx-window-size          Number of signaling messages that can be sent without receiving the acknowledgment

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#
The following table summarizes L2TPv3 policy configuration commands:
Table 22.1 L2TPV3-Tunnel-Policy-Config Commands

Command                  Description                                                                                                              Reference
cookie-size              Configures the cookie field size for each L2TPv3 data packet                                                             page 22-5
failover-delay           Configures the L2TPv3 tunnel failover delay in seconds                                                                   page 22-6
force-l2-path-recovery   Enables the forced detection of servers and gateways behind the L2TPv3 tunnel                                            page 22-7
hello-interval           Configures the interval, in seconds, between L2TPv3 Hello keep-alive messages exchanged in the L2TPv3 control connection   page 22-8
no                       Negates or reverts L2TPv3 tunnel commands                                                                                page 22-9
reconnect-attempts       Configures the maximum number of attempts made to re-establish a tunnel connection                                       page 22-10
reconnect-interval       Configures the interval, in seconds, between successive attempts to re-establish a failed tunnel connection              page 22-11
retry-attempts           Configures the maximum number of retransmissions of signalling messages                                                  page 22-12
retry-interval           Configures the interval, in seconds, before initiating a retransmission of any L2TPv3 signalling message                 page 22-13
rx-window-size           Configures the number of signalling messages received without sending an acknowledgment                                 page 22-14
tx-window-size           Configures the number of signalling messages transmitted without receiving an acknowledgment                            page 22-15

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

22.1.1 cookie-size

Configures the size of the cookie field present in each L2TPv3 data packet. L2TPv3 data packets contain a session cookie that identifies the session (pseudowire) corresponding to it. In a tunnel, the cookie is a 4-byte or 8-byte signature shared between the two tunnel endpoints. This signature is configured at both the source and destination routers. If the signatures at both ends do not match, the data is dropped. All sessions within a tunnel have the same session cookie size.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

cookie-size [0|4|8]

Parameters

cookie-size [0|4|8]

cookie-size [0|4|8]   Configures the cookie-field size for each data packet. Select one of the following options:
                      0   No cookie field present in each L2TPv3 data message (this is the default setting)
                      4   4 byte cookie field present in each L2TPv3 data message
                      8   8 byte cookie field present in each L2TPv3 data message

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the cookie-field size to its default (0 - no cookie field present in each L2TPv3 data packet)

22.1.2 failover-delay

Configures the L2TPv3 tunnel failover delay in seconds. This is the interval after which a failed over tunnel is re-established.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

failover-delay <5-60>

Parameters

failover-delay <5-60>

failover-delay <5-60>   Sets the delay interval to re-establish a failed L2TPv3 tunnel (RF-Domain manager/VRRP-master/Cluster-master failover)
                        <5-60> Specify a failover delay from 5 - 60 seconds. The default is 5 seconds.

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#failover-delay 30
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 failover-delay 30
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 tx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the failover interval to its default (5 seconds)

22.1.3 force-l2-path-recovery

Enables the forced detection of servers and gateways behind the L2TPv3 tunnel. This feature is disabled by default.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

force-l2-path-recovery

Parameters

None

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#force-l2-path-recovery
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 failover-delay 30
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 tx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
 force-l2-path-recovery
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Disables the forced detection of servers and gateways behind the L2TPv3 tunnel

22.1.4 hello-interval

Configures the interval, in seconds, between L2TPv3 Hello keep-alive messages exchanged in an L2TPv3 control connection.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

hello-interval <1-3600>

Parameters

hello-interval <1-3600>

hello-interval <1-3600>   Configures the interval for L2TPv3 Hello keep-alive messages
                          <1-3600> Specify a value from 1 - 3600 seconds (default is 60 seconds).

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#hello-interval 200
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 cookie-size 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the Hello keep-alive message interval to its default of 60 seconds

22.1.5 no

Negates or reverts L2TPv3 policy settings to default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

no [cookie-size|failover-delay|force-l2-path-recovery|hello-interval|reconnect-attempts|reconnect-interval|retry-attempts|retry-interval|rx-window-size|tx-window-size]

Parameters

no <PARAMETERS>

no <PARAMETERS>   Negates or reverts L2TPv3 policy settings to default

Example

The following example shows the l2tpv3 policy L2TPV3Policy1 settings before the no commands are executed:
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 50
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no hello-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-attempts
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no reconnect-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-attempts
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no retry-interval
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#no cookie-size

The following example shows the l2tpv3 policy L2TPV3Policy1 settings after the no commands are executed:

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#
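The cookie-size section (22.1.1) states that a data packet whose session cookie does not match the value shared by the two endpoints is dropped, and the `no cookie-size` above reverts the policy to 0, at which point no cookie is carried and that check no longer exists. The following receiver is an added example, not WiNG code, that shows what the check amounts to on the wire. It assumes the L2TPv3-over-IP data message layout (a 4-byte Session ID followed by the 0-, 4- or 8-byte cookie and then the tunnelled frame); the session id, cookie and Ethernet frame are constructed values.

```python
"""Receiver-side check of the L2TPv3 session cookie described under cookie-size.
Added example, not WiNG code.  Layout assumed: 4-byte Session ID, then a cookie
of 0, 4 or 8 bytes (the three cookie-size values), then the tunnelled frame."""
import hmac
import struct


class CookieError(ValueError):
    pass


class L2tpv3Session:
    """Local view of one pseudowire: session id, shared cookie, and counters."""

    def __init__(self, session_id, cookie, cookie_size):
        if cookie_size not in (0, 4, 8):           # the values cookie-size accepts
            raise CookieError(f"cookie-size must be 0, 4 or 8, got {cookie_size}")
        if len(cookie) != cookie_size:
            raise CookieError("cookie length does not match cookie-size")
        self.session_id = session_id
        self.cookie = cookie
        self.cookie_size = cookie_size
        self.accepted = 0
        self.dropped = 0


def build_data_message(session_id, cookie, payload):
    """Sender side: Session ID, cookie, then the tunnelled layer 2 frame."""
    return struct.pack("!I", session_id) + cookie + payload


def receive(session, msg):
    """Returns the tunnelled frame, or None when the message is dropped.
    A wrong cookie and a cookie of the wrong size both fail the comparison,
    which is the 'data is dropped' behaviour the guide describes."""
    if len(msg) < 4 + session.cookie_size:
        session.dropped += 1
        return None
    sid = struct.unpack("!I", msg[:4])[0]
    if sid != session.session_id:
        session.dropped += 1
        return None
    cookie = msg[4:4 + session.cookie_size]
    # Constant-time compare: the cookie is a shared secret, even a short one.
    if not hmac.compare_digest(cookie, session.cookie):
        session.dropped += 1
        return None
    session.accepted += 1
    return msg[4 + session.cookie_size:]


def demo():
    """Constructed traffic against a session configured with cookie-size 8:
    a legitimate message, one carrying a wrong cookie, and one from a peer
    still running with the default cookie-size 0 (no cookie at all)."""
    cookie = bytes.fromhex("0011223344556677")   # constructed 8-byte cookie
    sess = L2tpv3Session(session_id=0x1000, cookie=cookie, cookie_size=8)
    # constructed Ethernet frame: broadcast dst, a unicast src, EtherType 0x0800
    frame = b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + b"payload"
    good = receive(sess, build_data_message(0x1000, cookie, frame))
    wrong = receive(sess, build_data_message(0x1000, bytes(8), frame))
    no_cookie = receive(sess, build_data_message(0x1000, b"", frame))
    return good == frame, wrong is None, no_cookie is None, sess.accepted, sess.dropped


if __name__ == "__main__":
    print(demo())   # (True, True, True, 1, 2)
```

The third case in `demo()` is the operational point of "All sessions within a tunnel have the same session cookie size": a peer left at cookie-size 0 while the other end is at 8 has the first eight bytes of every frame read as a cookie, and every packet is dropped rather than misdelivered.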
22.1.6 reconnect-attempts

Configures the maximum number of attempts made to re-establish a tunnel connection.

Supported in the following platforms:

Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

reconnect-attempts <0-8>

Parameters

reconnect-attempts <0-8>

reconnect-attempts <0-8>   Configures the maximum number of attempts made to re-establish a tunnel connection
                           <0-8> Specify a value from 0 - 8 (default is 0: configures infinite reconnect attempts).

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 cookie-size 8
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the maximum number of reconnect attempts to default (0: configures infinite reconnect attempts)

22.1.7 reconnect-interval

Configures the interval, in seconds, between two successive attempts to re-establish a failed tunnel connection.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

reconnect-interval <1-3600>

Parameters

reconnect-interval <1-3600>

reconnect-interval <1-3600>   Configures the interval between successive attempts to re-establish a failed tunnel connection
                              <1-3600> Specify a value from 1 - 3600 seconds (default is 120 seconds).

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#reconnect-interval 100
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the interval between successive attempts to re-establish a failed tunnel connection to default (120 seconds)

22.1.8 retry-attempts

Configures the maximum number of attempts made to retransmit signalling messages. Use this command to specify how many retransmission cycles occur before determining the target tunnel peer is not reachable.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

retry-attempts <1-10>

Parameters

retry-attempts <1-10>

retry-attempts <1-10>   Configures the maximum number of attempts made to retransmit signalling messages
                        <1-10> Specify a value from 1 - 10 (default is 5 attempts).

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#retry-attempts 10
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the maximum number of retransmissions of signalling messages to default (5 attempts)

22.1.9 retry-interval

Configures the interval, in seconds, between two successive attempts at retransmitting an L2TPv3 signalling message.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

retry-interval <1-250>

Parameters

retry-interval <1-250>

retry-interval <1-250>   Configures the interval, in seconds, between two successive retransmission attempts
                         <1-250> Specify a value from 1 - 250 seconds (default is 5 seconds).

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#retry-interval 30
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the retry interval to default (5 seconds)

22.1.10 rx-window-size

Configures the number of signalling packets received without sending an acknowledgment.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

rx-window-size <1-15>

Parameters

rx-window-size <1-15>

rx-window-size <1-15>   Configures the number of packets received without sending an acknowledgment
                        <1-15> Specify a value from 1 - 15 (default is 10 packets).

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#rx-window-size 9
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the number of packets received without sending an acknowledgment to default (10 packets)

22.1.11 tx-window-size

Configures the number of signalling packets transmitted without receiving an acknowledgment.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

tx-window-size <1-15>

Parameters

tx-window-size <1-15>

tx-window-size <1-15>   Configures the number of packets transmitted without receiving an acknowledgment
                        <1-15> Specify a value from 1 - 15 (default is 10 packets).

Example

rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#tx-window-size 9
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#show context
l2tpv3 policy L2TPV3Policy1
 hello-interval 200
 retry-attempts 10
 retry-interval 30
 cookie-size 8
 rx-window-size 9
 tx-window-size 9
 reconnect-interval 100
 reconnect-attempts 8
rfs6000-37FABE(config-l2tpv3-policy-L2TPV3Policy1)#

Related Commands

no   Resets the number of packets transmitted without receiving an acknowledgment to default (10 packets)

22.2 l2tpv3-tunnel-commands

Use the (profile or device context) instance to configure an L2TPv3 tunnel. To navigate to the tunnel configuration mode, use the following command in the profile context:
<DEVICE>(config-profile-default-rfs7000)#l2tpv3 tunnel <TUNNEL-NAME>

rfs6000-37FABE(config-profile-default-rfs7000)#l2tpv3 tunnel Tunnel1
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#?
L2tpv3 Tunnel Mode commands:
  establishment-criteria  Set tunnel establishment criteria
  fast-failover           Configure fast failover for l2tpv3 tunnels
  hostname                Tunnel specific local hostname
  local-ip-address        Configure the IP address for tunnel. If not specified, tunnel source ip address would be chosen automatically based on the tunnel peer ip address
  mtu                     Configure the mtu size for the tunnel
  no                      Negate a command or set its defaults
  peer                    Configure the l2tpv3 tunnel peers. At least one peer must be specified
  router-id               Tunnel specific local router ID
  session                 Create / modify the specified l2tpv3 session
  use                     Set setting to use

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#
The following table summarizes L2TPv3 tunnel configuration commands:
Table 22.2 L2TPV3-Tunnel-Config Commands

Command                  Description                                                        Reference
establishment-criteria   Configures L2TPv3 tunnel establishment criteria                    page 22-17
fast-failover            Configures fast-failover support on the L2TPv3 tunnel              page 22-19
hostname                 Configures tunnel specific local hostname                          page 22-20
local-ip-address         Configures the tunnel's IP address                                 page 22-21
mtu                      Configures the tunnel's Maximum Transmission Unit (MTU) size       page 22-22
no                       Negates or reverts L2TPv3 tunnel commands                          page 22-23
peer                     Configures the tunnel's peers                                      page 22-24
router-id                Configures the tunnel's local router ID                            page 22-28
session                  Creates/modifies specified L2TPv3 session                          page 22-29
use                      Configures a tunnel to use a specified L2TPv3 tunnel policy        page 22-31

22.2.1 establishment-criteria

Configures L2TPv3 tunnel establishment criteria.

An L2TPv3 tunnel is established from the current device to the NOC controller when the current device becomes the VRRP master, cluster master, or RF Domain manager. Similarly, the L2TPv3 tunnel is closed when the current device switches to standby or backup mode.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

Parameters

establishment-criteria [always|cluster-master|rf-domain-manager|vrrp-master <1-255>]

always                Always establishes an L2TPv3 tunnel from the current device to the NOC controller. This is the default setting. The always option indicates the device need not be a cluster-master, rf-domain-manager, or vrrp-master to establish a tunnel.
cluster-master        Establishes an L2TPv3 tunnel from the current device to the NOC controller only when the current device becomes the cluster master.
                      Note: The L2TPv3 tunnel is closed when the current device switches back to standby or backup mode.
rf-domain-manager     Establishes an L2TPv3 tunnel from the current device to the NOC controller only when the current device becomes the RF Domain manager.
                      Note: The L2TPv3 tunnel is closed when the current device switches back to standby or backup mode.
vrrp-master <1-255>   Establishes an L2TPv3 tunnel from the current device to the NOC controller only when the current device becomes the VRRP master.
                      <1-255> Specify the VRRP group number from 1 - 255.
                      Note: The L2TPv3 tunnel is closed when the current device switches back to standby or backup mode.

Example

rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
l2tpv3 tunnel Tunnel1
 establishment-criteria cluster-master
rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands

no   Resets to default (always)

22.2.2 fast-failover

Configures fast-failover support on the L2TPv3 tunnel.

When configured, devices using this profile send tunnel requests to both peers and, in turn, establish tunnels with both peers. If not configured, tunnel establishment occurs on one peer, with failover and other functionality the same as legacy behavior. If fast failover is configured when an active tunnel with one peer already exists, the tunnel establishment process is re-initiated with both peers.

Of the two tunnels established, one is marked active while the other is standby. Only the sessions and routes from the active tunnel are pushed to the dataplane, resulting in the creation of data sessions. However, if the active tunnel fails, sessions and routes from the standby tunnel are pushed to the dataplane, thereby providing almost immediate failover. Both tunnels individually perform connection health checkups through hello intervals.

This option is disabled by default.

Supported in the following platforms:
Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax

fast-failover {aggressive}

Parameters

fast-failover {aggressive}

fast-failover   Configures fast-failover support on the L2TPv3 tunnel
aggressive      Optional. When enabled, tunnel initiation hello requests are set to zero. For failure detection, hello attempts are not retried, regardless of the number of retry attempts configured. This option is disabled by default.
                Note: The hello-interval and retry-attempts parameters are defined in the L2TPv3 Policy context. For more information on configuring an L2TPv3 policy, see l2tpv3-policy-commands. For more information on associating an L2TPv3 policy to an L2TPv3 tunnel, see use.

Example

nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#show context include-factory | include fast-failover
 no fast-failover
nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#

nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#fast-failover aggressive
nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#show context
l2tpv3 tunnel TestTunnel2
 fast-failover aggressive
nx9500-6C8809(config-profile testNX9500-l2tpv3-tunnel-TestTunnel2)#
Related Commands no Removes fast-failover support on the L2TPv3 tunnel Access Point, Wireless Controller and Service Platform CLI Reference Guide 22 - 19 L2TPV3-POLICY 22.2.3 hostname l2tpv3-tunnel-commands Configures the tunnels local hostname Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  hostname <WORD>

Parameters
  hostname <WORD>    Configures the tunnel's local hostname
    <WORD>           Specify the tunnel's local hostname.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#hostname TunnelHost1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   hostname TunnelHost1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands
  no    Removes the tunnel's local hostname

22.2.4 local-ip-address
l2tpv3-tunnel-commands

Configures the tunnel's source IP address. If no IP address is specified, the tunnel's source IP address is chosen automatically based on the tunnel's peer IP address.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  local-ip-address <IP>

Parameters
  local-ip-address <IP>    Configures the L2TPv3 tunnel's source IP address
    <IP>                   Specify the tunnel's source IP address. Ensure the IP address is available (or will become available, for a virtual IP) on an interface. Modifying a tunnel's local IP address re-establishes the tunnel.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#local-ip-address 172.16.10.2
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   local-ip-address 172.16.10.2
   hostname TunnelHost1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands
  no    Resets the tunnel's local IP address and re-establishes the tunnel

22.2.5 mtu
l2tpv3-tunnel-commands

Configures the MTU size for this tunnel. This value determines the packet size transmitted over this tunnel.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mtu <128-1460>

Parameters
  mtu <128-1460>    Configures the MTU size for this tunnel
    <128-1460>      Specify a value from 128 - 1460 bytes (the default is 1460 bytes).

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#mtu 1280
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   local-ip-address 172.16.10.2
   mtu 1280
   hostname TunnelHost1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

Related Commands
  no    Resets the MTU size for this tunnel to the default (1460 bytes)

22.2.6 no
l2tpv3-tunnel-commands

Negates or reverts L2TPv3 tunnel settings to their defaults.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [establishment-criteria|fast-failover|hostname|local-ip-address|mtu|peer <1-2>|router-id|session|use]

Parameters
  no <PARAMETERS>    Negates or reverts L2TPv3 tunnel settings to their defaults

Example
The tunnel settings before the no command is executed:
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   local-ip-address 172.16.10.2
   mtu 1280
   hostname TunnelHost1
   establishment-criteria cluster-master
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

The tunnel settings after the no command is executed:
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no local-ip-address
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no mtu
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#no hostname
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   establishment-criteria cluster-master
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#

22.2.7 peer
l2tpv3-tunnel-commands

Configures the L2TPv3 tunnel's peers. At least one peer must be specified.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  peer <1-2> {hostname|ip-address|ipsec-secure|router-id|udp}
  peer <1-2> {hostname [<HOSTNAME>|any]} {ipsec-secure|router-id|udp}
  peer <1-2> {ip-address <IP>} {hostname|ipsec-secure|router-id|udp}
  peer <1-2> {ipsec-secure} {gw [<IP>|<WORD>]}
  peer <1-2> {router-id [<IP>|<WORD>|any]} {ipsec-secure|udp}
  peer <1-2> {udp} {ipsec-secure|port <1-65535>}

Parameters
The same options are accepted after a hostname, an ip-address or a router-id; each is described once below.

  peer <1-2>    Configures the tunnel's peer ID
    <1-2>       Specify the ID from 1 - 2. Peer ID 1 identifies the primary peer and ID 2 the secondary peer. The L2TPv3 tunnel is established with the primary peer; the secondary peer is used for tunnel failover. If no peer is specified, tunnel establishment does not occur.
                Note: At any time the tunnel is established with only one peer, unless fast-failover support is configured on the L2TPv3 tunnel. For more information, see fast-failover.

  hostname [<HOSTNAME>|any]    Optional. Configures the peer's hostname:
    <HOSTNAME>  Specifies the hostname as a Fully Qualified Domain Name (FQDN), a partial DN or any other name
    any         The peer name is not specified. With hostname any, this tunnel is considered a responder only and accepts an incoming connection from any host.

  ip-address <IP>    Optional. Configures the peer's IP address in A.B.C.D format. After the IP address, the hostname, ipsec-secure, router-id and udp options can optionally be specified.

  ipsec-secure {gw [<IP>|<WORD>]}    Optional. Enables auto IPSec on the L2TPv3 tunnel for this peer. L2TPv3 provides no encryption of its own, so ipsec-secure is what protects tunneled frames in transit; it is especially advisable on a responder-only peer that accepts any host or router ID.
    gw          Optional. Configures the IPSec gateway using one of the following:
      <IP>      The IPSec gateway's IP address
      <WORD>    The IPSec gateway's hostname

  router-id [<IP>|<WORD>|any]    Optional. Configures the peer's router ID in one of the following formats:
    <IP>        Peer router ID in IP address (A.B.C.D) format
    <WORD>      Peer router ID range (for example, 100-120)
    any         The peer router ID is not specified. This allows an incoming connection from any router ID.

  udp {ipsec-secure gw|port <1-65535> {ipsec-secure}}    Optional. Configures UDP encapsulation for this peer (the default encapsulation is IP).
    ipsec-secure gw    Optional. Enables auto IPSec
    port <1-65535>     Optional. Configures the peer's UDP port running the L2TPv3 service, from 1 - 65535. After the UDP port, the IPSec settings can optionally be configured.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#peer 2 hostname tunnel1peer1 udp port 100
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   peer 2 hostname tunnel1peer1 udp port 100
   establishment-criteria cluster-master
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#
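The any matchers and the ipsec-secure option described above are the peer settings a reviewer checks first. The following Python script is an added example, not part of this guide or of the WiNG software: it parses tunnel blocks in the show context layout used by the examples above (the sample text is constructed for the example) and reports peers that accept any host or router ID, peers configured without ipsec-secure, and tunnels with no peer or no session. The parser assumes one setting per line in the keyword order the guide shows; it is an audit aid, not a full grammar for the command.

```python
"""Audit 'l2tpv3 tunnel' blocks, as printed by show context, for weak peer settings.

Added example, not code from the CLI guide or the WiNG software. The parser
only understands the keyword layout the guide's examples show (one setting per
line under 'l2tpv3 tunnel <NAME>'); it is an audit aid, not a full grammar.
"""
from dataclasses import dataclass, field

# Constructed sample in the 'show context' layout used by the guide's examples.
SAMPLE_CONTEXT = """\
l2tpv3 tunnel Tunnel1
 peer 1 ip-address 172.16.20.1 udp port 1701 ipsec-secure
 peer 2 hostname any
 use l2tpv3-policy L2TPV3Policy1
 session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
 router-id 2000
 establishment-criteria cluster-master
l2tpv3 tunnel Tunnel2
 peer 1 router-id any udp port 100
l2tpv3 tunnel Tunnel3
 peer 1 ip-address 10.0.0.9 ipsec-secure gw 10.0.0.1
 session s1 pseudowire-id 1 traffic-source vlan 30
"""


@dataclass
class Peer:
    peer_id: int
    options: list        # tokens after 'peer <1-2>'

    def accepts_any(self) -> bool:
        """'hostname any' or 'router-id any': responder-only, any host or router ID."""
        return any(self.options[i] in ("hostname", "router-id") and self.options[i + 1] == "any"
                   for i in range(len(self.options) - 1))

    def ipsec_secure(self) -> bool:
        return "ipsec-secure" in self.options


@dataclass
class Tunnel:
    name: str
    peers: list = field(default_factory=list)
    sessions: int = 0


def parse_tunnels(text: str) -> list:
    """Split show-context output into Tunnel objects (other settings are skipped)."""
    tunnels = []
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens:
            continue
        if tokens[:2] == ["l2tpv3", "tunnel"] and len(tokens) == 3:
            tunnels.append(Tunnel(tokens[2]))
        elif tunnels and tokens[0] == "peer" and len(tokens) >= 2:
            tunnels[-1].peers.append(Peer(int(tokens[1]), tokens[2:]))
        elif tunnels and tokens[0] == "session":
            tunnels[-1].sessions += 1
    return tunnels


def audit(text: str) -> dict:
    """Map tunnel name -> list of findings; tunnels without findings are omitted."""
    findings = {}
    for tunnel in parse_tunnels(text):
        notes = []
        if not tunnel.peers:
            notes.append("no peer: tunnel establishment will not occur")
        if tunnel.sessions == 0:
            notes.append("no session: tunnel is not usable until a session is configured")
        for peer in tunnel.peers:
            if peer.accepts_any():
                notes.append(f"peer {peer.peer_id}: 'any' matcher accepts a connection from any host or router ID")
            if not peer.ipsec_secure():
                notes.append(f"peer {peer.peer_id}: no ipsec-secure, L2TPv3 itself does not encrypt tunneled frames")
        if notes:
            findings[tunnel.name] = notes
    return findings


if __name__ == "__main__":
    for name, notes in audit(SAMPLE_CONTEXT).items():
        print(name)
        for note in notes:
            print("  -", note)
```

Run against the sample, Tunnel1 is reported only for its responder-only peer 2, Tunnel2 for its any router ID peer, missing IPSec and missing session, and Tunnel3 (IPSec-secured peer, one session) is clean. Feed it the output of show context from each tunnel context, or of show running-config, to review a whole device.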
Related Commands
  no    Removes the peer configured for this tunnel

22.2.8 router-id
l2tpv3-tunnel-commands

Configures the tunnel's local router ID.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  router-id [<1-4294967295>|<IP>]

Parameters
  router-id [<1-4294967295>|<IP>]    Configures the tunnel's local router ID in one of the following formats:
    <1-4294967295>    Router ID in number format (from 1 - 4294967295)
    <IP>              Router ID in IP address format (A.B.C.D)

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#router-id 2000
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   peer 2 hostname tunnel1peer1 udp port 100
   router-id 2000
   establishment-criteria cluster-master
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#
Related Commands
  no    Removes the tunnel's router ID

22.2.9 session
l2tpv3-tunnel-commands

Configures a session's pseudowire ID, which describes the session's purpose. The session-established message sends this pseudowire ID to the L2TPv3 peer.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  session <L2TPV3-SESSION-NAME> [pseudowire-id|rate-limit]
  session <L2TPV3-SESSION-NAME> pseudowire-id <1-4294967295> traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}
  session <L2TPV3-SESSION-NAME> rate-limit [egress|ingress] rate <50-1000000> max-burst-size <2-1024>

Parameters
  session <L2TPV3-SESSION-NAME> pseudowire-id <1-4294967295> traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}

  session <L2TPV3-SESSION-NAME>    Configures this session's name
    <L2TPV3-SESSION-NAME>    Specify the L2TPv3 session name (should not exceed 31 characters). A tunnel is usable only if it has one or more sessions (with specific session names) configured. The L2TPv3 tunnel has no idle timeout; it closes when its last session is closed.
  pseudowire-id <1-4294967295>    Configures the pseudowire ID for this session, from 1 - 4294967295. A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire is needed to encapsulate and tunnel layer 2 protocols across a layer 3 network.
  traffic-source vlan <VLAN-ID-RANGE>    Configures VLANs as the traffic source for this tunnel
    <VLAN-ID-RANGE>    Configures the VLAN range list of the traffic source. Specify the VLAN IDs as a range (for example, 10-20, 25, 30-35).
  native-vlan <1-4094>    Optional. Configures the native VLAN ID for this session, which is not tagged
    <1-4094>    Specify the native VLAN ID from 1 - 4094.

  session <L2TPV3-SESSION-NAME> rate-limit [egress|ingress] rate <50-1000000> max-burst-size <2-1024>

  session <L2TPV3-SESSION-NAME>    Configures this session's name
    <L2TPV3-SESSION-NAME>    Specify the L2TPv3 session name (should not exceed 31 characters). A tunnel is usable only if it has one or more sessions configured; the tunnel has no idle timeout and closes when its last session is closed.
  rate-limit [egress|ingress]    Configures a rate for incoming and/or outgoing traffic on this L2TPv3 tunnel. When configured, this option limits the rate at which data is sent to or received from L2TPv3 tunnel members.
    egress     Applies the specified rate to outbound traffic, from the L2TPv3 tunnel (going out from access points, wireless controllers and service platforms) to the network
    ingress    Applies the specified rate to inbound traffic, from the network to the L2TPv3 tunnel (coming in to access points, wireless controllers and service platforms)
  rate <50-1000000>    Specify the data rate, in kilobits per second, for the incoming and/or outgoing traffic
    <50-1000000>    Specify a value from 50 - 1000000 kbps. The default is 5000 kbps.
  max-burst-size <2-1024>    Configures the maximum burst size, in kilobytes, for incoming/outgoing traffic rate limiting (depending on the direction selected) on an L2TPv3 tunnel.
    <2-1024>    Specify the maximum burst size from 2 - 1024 kbytes. The smaller the burst size, the lower the chance that upstream packet transmission congests the L2TPv3 tunnel traffic. The default setting is 320 kbytes.

Usage Guidelines
The working status of a pseudowire is reflected by the state of the L2TPv3 session. If the corresponding L2TPv3 session is down, the pseudowire associated with it must be shut down.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   peer 2 hostname tunnel1peer1 udp port 100
   session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
   router-id 2000
   establishment-criteria cluster-master
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#
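The rate-limit parameters above define two knobs, the long-term rate in kbit/s and the largest burst in kbytes, but not how they interact. The Python model below is an added example, not code from this guide or from the WiNG software: it treats the pair as a token bucket (that WiNG enforces the limit this way, and that 1 kbit is 1000 bits and 1 kbyte 1024 bytes, are this example's assumptions) and runs the guide's defaults, rate 5000 and max-burst-size 320, against a constructed burst of MTU-sized packets, which shows how much of a burst is admitted before packets are dropped and why a packet larger than the burst size can never pass.

```python
"""Token-bucket model of 'session <NAME> rate-limit [egress|ingress] rate <kbps>
max-burst-size <kbytes>'.

Added example, not code from the CLI guide or the WiNG software. The guide
defines the two knobs (rate in kbit/s, burst in kbytes) but not the algorithm;
modelling them as a token bucket, with 1 kbit = 1000 bits and 1 kbyte = 1024
bytes, is this example's assumption.
"""


class RateLimiter:
    """One direction (egress or ingress) of one L2TPv3 session."""

    def __init__(self, rate_kbps: int, max_burst_kb: int):
        if not 50 <= rate_kbps <= 1_000_000:
            raise ValueError("rate must be 50-1000000 kbps")
        if not 2 <= max_burst_kb <= 1024:
            raise ValueError("max-burst-size must be 2-1024 kbytes")
        self.refill_bytes_per_s = rate_kbps * 1000 / 8   # long-term average
        self.capacity = max_burst_kb * 1024               # largest burst ever admitted
        self.tokens = float(self.capacity)                # bucket starts full
        self.last = 0.0

    def allow(self, now: float, size_bytes: int) -> bool:
        """Admit a packet of size_bytes arriving at time now (seconds)?"""
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_bytes_per_s)
        self.last = now
        if size_bytes <= self.tokens:
            self.tokens -= size_bytes
            return True
        return False   # over the limit: dropped, tokens untouched


def simulate(rate_kbps: int, max_burst_kb: int, packets) -> tuple:
    """packets: iterable of (arrival_time_s, size_bytes). Returns (passed, dropped)."""
    limiter = RateLimiter(rate_kbps, max_burst_kb)
    passed = dropped = 0
    for when, size in packets:
        if limiter.allow(when, size):
            passed += 1
        else:
            dropped += 1
    return passed, dropped


def default_profile_burst() -> tuple:
    """Guide defaults (rate 5000 kbps, max-burst-size 320 kbytes) against two
    back-to-back bursts of 300 MTU-sized (1460 byte) packets one second apart.
    Constructed input."""
    packets = [(0.0, 1460)] * 300 + [(1.0, 1460)] * 300
    return simulate(5000, 320, packets)


if __name__ == "__main__":
    print("default profile, 2 x 300 packet bursts:", default_profile_burst())
    print("50 kbps / 2 kB, one 3000 byte packet:", simulate(50, 2, [(0.0, 3000)]))
```

With the defaults, 320 kbytes admits 224 packets of 1460 bytes from each burst and drops the remaining 76, even though 5000 kbps would carry the whole burst within a second; max-burst-size, not rate, is the knob that bounds what a tunnel member can push through at once. At the minimum settings (50 kbps, 2 kbytes) a 3000 byte packet exceeds the bucket capacity and is always dropped, so max-burst-size must stay above the largest packet the session carries.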
Related Commands
  no    Removes a session

22.2.10 use
l2tpv3-tunnel-commands

Configures a tunnel to use a specified L2TPv3 tunnel policy and specified critical resources.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use [critical-resource|l2tpv3-policy]
  use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>}
  use l2tpv3-policy <L2TPV3-POLICY-NAME>

Parameters
  use critical-resource <CRM-NAME1> {<CRM-NAME2>} {<CRM-NAME3>} {<CRM-NAME4>}

  use critical-resource    Specifies the critical resource(s) to use with this tunnel
    <CRM-NAME1>        Specify the first critical resource name (it must already exist).
    <CRM-NAME2/3/4>    Optional. Specify the second, third and fourth critical resource names. A maximum of four critical resources can be monitored.
    Note: For a tunnel initiator, the L2TPv3 tunnel is established only if the critical resources identified by the <CRM-NAME1> ... <CRM-NAME4> arguments are available at the time of tunnel establishment.
    Note: For L2TPv3 tunnel termination, all incoming tunnel establishment requests are rejected if the critical resources specified by the <CRM-NAME1> ... <CRM-NAME4> arguments are not available.

  use l2tpv3-policy <L2TPV3-POLICY-NAME>

  use l2tpv3-policy    Associates a specified L2TPv3 policy with this tunnel
    <L2TPV3-POLICY-NAME>    Specify the policy name (it must already exist and be configured).

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#use l2tpv3-policy L2TPV3Policy1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#show context
  l2tpv3 tunnel Tunnel1
   peer 2 hostname tunnel1peer1 udp port 100
   use l2tpv3-policy L2TPV3Policy1
   session tunnel1peer1session1 pseudowire-id 5000 traffic-source vlan 10-20 native-vlan 1
   router-id 2000
   establishment-criteria cluster-master
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-tunnel-Tunnel1)#
Related Commands
  no    Removes the L2TPv3 policy configured with a tunnel and reverts to the default tunnel policy

22.3 l2tpv3-manual-session-commands
L2TPV3-POLICY

After a successful tunnel connection and establishment, individual sessions can be created. Each session is a single data stream. After successful session establishment, data corresponding to that session (pseudowire) can be transferred. If a session is down, the pseudowire associated with it is shut down as well.

Use the (profile-context) instance to manually configure an L2TPv3 session. To navigate to the L2TPv3 manual session configuration mode, use the following command in the profile context:

  <DEVICE>(config-profile-default-rfs7000)#l2tpv3 manual-session <SESSION-NAME>

  rfs6000-37FABE(config-profile-default-rfs7000)#l2tpv3 manual-session test
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#?
  L2tpv3 Manual Session Mode commands:
    local-cookie       The local cookie for the session
    local-ip-address   Configure the IP address for tunnel. If not specified, tunnel source ip address would be chosen automatically based on the tunnel peer ip address
    local-session-id   Local session id for the session
    mtu                Configure the mtu size for the tunnel
    no                 Negate a command or set its defaults
    peer               Configure L2TPv3 manual session peer
    remote-cookie      The remote cookie for the session
    remote-session-id  Remote session id for the session
    traffic-source     Traffic that is tunneled

    clrscr             Clears the display screen
    commit             Commit all changes made in this session
    end                End current mode and change to EXEC mode
    exit               End current mode and down to previous mode
    help               Description of the interactive help system
    revert             Revert changes
    service            Service Commands
    show               Show running system information
    write              Write running configuration to memory or terminal
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

The following table summarizes L2TPv3 manual session configuration commands:

Table 22.3 L2TPV3-Manual-Session-Config Commands
  Command            Description                                                     Reference
  local-cookie       Configures the manual session's local cookie field size         page 22-34
  local-ip-address   Configures the manual session's local source IP address         page 22-35
  local-session-id   Configures the manual session's local session ID                page 22-36
  mtu                Configures the MTU size for the manual session tunnel           page 22-37
  no                 Negates or reverts L2TPv3 manual session commands to default    page 22-38
  peer               Configures the manual session's peers                           page 22-39
  remote-cookie      Configures the remote cookie for the manual session             page 22-40
  remote-session-id  Configures the manual session's remote session ID               page 22-41
  traffic-source     Configures the traffic source tunneled by the manual session    page 22-42

22.3.1 local-cookie
l2tpv3-manual-session-commands

Configures the local cookie field size for the manual session.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  local-cookie size [4|8] <1-4294967295> {<1-4294967295>}

Parameters
  local-cookie size [4|8]    Configures the local cookie field size for this manual session. The options are:
    4    4 byte local cookie field
    8    8 byte local cookie field
  <1-4294967295>    Configures the first word of the local cookie value. Applies to both 4 byte and 8 byte local cookies.
  <1-4294967295>    Optional. Configures the second word of the local cookie value. Applicable only to 8 byte cookies; this parameter is ignored for 4 byte cookies.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-cookie size 8 200 300
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
  l2tpv3 manual-session test
   local-cookie size 8 200 300
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
Related Commands
  no    Removes the local cookie size configured for a manual session

22.3.2 local-ip-address
l2tpv3-manual-session-commands

Configures the manual session's source IP address. If no IP address is specified, the tunnel's source IP address is chosen automatically based on the tunnel peer's IP address. This parameter applies both when establishing the session and when responding to incoming requests.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  local-ip-address <IP>

Parameters
  local-ip-address <IP>    Configures the manual session's source IP address
    <IP>    Specify the IP address in A.B.C.D format.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-ip-address 1.2.3.4
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
  l2tpv3 manual-session test
   local-cookie size 8 200 300
   local-ip-address 1.2.3.4
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
Related Commands
  no    Resets the manual session's local source IP address. This re-establishes the session.

22.3.3 local-session-id
l2tpv3-manual-session-commands

Configures the manual session's local session ID.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  local-session-id <1-63>

Parameters
  local-session-id <1-63>    Configures this manual session's local session ID
    <1-63>    Specify the ID from 1 - 63. This is the pseudowire ID for the session; it is sent in a session establishment message to the L2TP peer.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#local-session-id 1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
  l2tpv3 manual-session test
   local-cookie size 8 200 300
   local-ip-address 1.2.3.4
   local-session-id 1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
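A manual session has no control channel, so the local-cookie (22.3.1) and local-session-id settings above are the only things a receiver can check on an incoming data packet. The Python code below is an added example, not part of this guide or of the WiNG software: it encodes the two cookie words exactly as the size 8 200 300 example would appear on the wire, builds RFC 3931 L2TPv3-over-IP data messages (a 32-bit Session ID followed by the 4- or 8-byte cookie, then the tunneled L2 frame), and validates them on the receiving side. That the session ID and cookie carried in a received packet are the ones the receiver configured as local-session-id and local-cookie, while a sender inserts its remote-session-id and remote-cookie, is this example's reading of RFC 3931, not something the guide states; the L2 frame and session numbers are constructed.

```python
"""Encode and validate L2TPv3 data-message headers that carry a session cookie.

Added example, not code from the CLI guide or the WiNG software. The header
layout is the RFC 3931 L2TPv3-over-IP data message: a 32-bit Session ID
followed by a 0-, 4- or 8-byte cookie, then the tunneled L2 frame. How the
guide's keywords map onto packet direction is this example's assumption,
following RFC 3931: the session ID and cookie carried in a received packet
are the ones the receiver configured with local-session-id and local-cookie,
and a sender puts its remote-session-id and remote-cookie into what it sends.
"""
import hmac
import struct


def encode_cookie(size: int, word1: int, word2: int = 0) -> bytes:
    """Wire form of 'local-cookie size [4|8] <word1> {<word2>}' (big-endian words)."""
    if size not in (4, 8):
        raise ValueError("cookie size must be 4 or 8")
    for word in (word1, word2):
        if not 0 <= word <= 0xFFFFFFFF:
            raise ValueError("cookie words are 32-bit values")
    if size == 4:
        return struct.pack(">I", word1)          # second word ignored, as the guide says
    return struct.pack(">II", word1, word2)


def build_data_packet(session_id: int, cookie: bytes, payload: bytes) -> bytes:
    """L2TPv3-over-IP data message for a manual session: Session ID, cookie, L2 frame."""
    if not 1 <= session_id <= 0xFFFFFFFF:
        raise ValueError("session ID 0 is reserved for control messages")
    return struct.pack(">I", session_id) + cookie + payload


class ManualSessionReceiver:
    """Receiving end of one manual session, keyed by its local session ID and cookie."""

    def __init__(self, local_session_id: int, local_cookie: bytes):
        self.session_id = local_session_id
        self.cookie = local_cookie
        self.dropped = 0

    def receive(self, packet: bytes):
        """Return the tunneled frame if the header matches this session, else None."""
        header_len = 4 + len(self.cookie)
        if len(packet) < header_len:
            self.dropped += 1
            return None
        (session_id,) = struct.unpack(">I", packet[:4])
        cookie = packet[4:header_len]
        # The cookie is the only data-plane check against a forged packet that
        # already carries the right session ID, so compare it in constant time.
        if session_id != self.session_id or not hmac.compare_digest(cookie, self.cookie):
            self.dropped += 1
            return None
        return packet[header_len:]


def demo() -> tuple:
    """Receiver configured like the guide's example (local-session-id 1,
    local-cookie size 8 200 300); one genuine and one forged packet. Constructed."""
    receiver = ManualSessionReceiver(1, encode_cookie(8, 200, 300))
    frame = bytes.fromhex("ffffffffffff001122334455") + b"\x08\x00" + b"payload"  # constructed L2 frame
    genuine = build_data_packet(1, encode_cookie(8, 200, 300), frame)
    forged = build_data_packet(1, encode_cookie(8, 200, 301), frame)   # right ID, wrong cookie
    return receiver.receive(genuine) == frame, receiver.receive(forged) is None, receiver.dropped


if __name__ == "__main__":
    print("cookie 8/200/300 on the wire:", encode_cookie(8, 200, 300).hex())
    print("(genuine accepted, forged dropped, dropped count):", demo())
```

The size 8 200 300 example encodes as 000000c8 0000012c: two small, guessable words. Because a manual session has no negotiation, the cookie is whatever the operator types, so treat it as a shared secret: use the 8 byte size (2^64 values to guess rather than 2^32 for 4 bytes) and random words, and keep local-cookie on one side equal to remote-cookie on the other.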
Related Commands
  no    Removes the manual session's local session ID

22.3.4 mtu
l2tpv3-manual-session-commands

Configures the MTU size for the manual session tunnel. The MTU is the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers in this session. A larger MTU means processing fewer packets for the same amount of data.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  mtu <128-1460>

Parameters
  mtu <128-1460>    Configures the MTU size for this manual session tunnel
    <128-1460>      Specify a value from 128 - 1460 bytes (the default is 1460 bytes).

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#mtu 200
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
  l2tpv3 manual-session test
   local-cookie size 8 200 300
   local-ip-address 1.2.3.4
   mtu 200
   local-session-id 1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
Related Commands
  no    Resets the MTU size for this manual session to the default (1460 bytes)

22.3.5 no
l2tpv3-manual-session-commands

Negates or reverts L2TPv3 manual session settings to their defaults.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [local-cookie|local-ip-address|local-session-id|mtu|peer|remote-cookie|remote-session-id|traffic-source]

Parameters
  no <PARAMETERS>    Negates or reverts L2TPv3 manual session settings to their defaults

Example
The following example shows the manual session test settings before the no commands are executed:
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
  l2tpv3 manual-session test
   local-ip-address 1.2.3.4
   peer ip-address 5.6.7.8 udp port 150
   traffic-source vlan 50-60 native-vlan 2
   local-session-id 1
   remote-session-id 200
   remote-cookie size 8 400 700
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#

  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no local-ip-address
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no local-session-id
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#no remote-session-id

The following example shows the manual session test settings after the no commands are executed:
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
  l2tpv3 manual-session test
   peer ip-address 5.6.7.8 udp port 150
   traffic-source vlan 50-60 native-vlan 2
   remote-cookie size 8 400 700
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
22.3.6 peer
l2tpv3-manual-session-commands

Configures the peer(s) allowed to establish the manual session tunnel. Peers are identified by their IP addresses.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  peer ip-address <IP> {udp {port <1-65535>}}

Parameters
  peer ip-address <IP>    Configures the tunnel's peer IP address in A.B.C.D format
  udp {port <1-65535>}    Optional. Configures UDP encapsulation mode for this tunnel (the default encapsulation is IP)
    port <1-65535>    Optional. Configures the peer's UDP port running the L2TPv3 service.
      <1-65535>       Specify a value from 1 - 65535.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#peer ip-address 5.6.7.8 udp port 150
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
  l2tpv3 manual-session test
   local-cookie size 8 200 300
   local-ip-address 1.2.3.4
   peer ip-address 5.6.7.8 udp port 150
   mtu 200
   local-session-id 1
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
Related Commands
  no    Removes the manual session's peer

22.3.7 remote-cookie
l2tpv3-manual-session-commands

Configures the manual session's remote cookie field size and value.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  remote-cookie size [4|8] <1-4294967295> {<1-4294967295>}

Parameters
  remote-cookie size [4|8] <1-4294967295> {<1-4294967295>}

  remote-cookie size [4|8]    Configures the remote cookie field size for this manual session. The options are:
                                4    4 byte remote cookie field
                                8    8 byte remote cookie field
  <1-4294967295>              Configures the first word of the remote cookie value. Applies to both 4 byte and 8 byte cookies.
  <1-4294967295>              Optional. Configures the second word of the remote cookie value. Applies only to 8 byte cookies; this parameter is ignored for 4 byte cookies.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#remote-cookie size 8 400 700
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
   l2tpv3 manual-session test
    local-ip-address 1.2.3.4
    peer ip-address 5.6.7.8 udp port 150
    mtu 200
    local-session-id 1
    remote-cookie size 8 400 700
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
Related Commands
  no    Removes the manual session's remote cookie field size

22.3.8 remote-session-id
l2tpv3-manual-session-commands

Configures the manual session's remote ID. This ID is passed when the tunnel session is established.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  remote-session-id <1-4294967295>

Parameters
  remote-session-id <1-4294967295>

  remote-session-id <1-4294967295>    Configures this manual session's remote ID. Specify a value from 1 - 4294967295.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#remote-session-id 200
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
   l2tpv3 manual-session test
    local-ip-address 1.2.3.4
    peer ip-address 5.6.7.8 udp port 150
    local-session-id 1
    remote-session-id 200
    remote-cookie size 8 400 700
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
Related Commands
  no    Removes the manual session's remote ID

22.3.9 traffic-source
l2tpv3-manual-session-commands

Configures the traffic source tunneled by this session.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}

Parameters
  traffic-source vlan <VLAN-ID-RANGE> {native-vlan <1-4094>}

  traffic-source vlan <VLAN-ID-RANGE>    Configures VLAN(s) as the traffic source for this tunnel
                                           <VLAN-ID-RANGE>    Configures the VLAN range list of the traffic source. Specify the VLAN IDs as a range (for example, 10-20, 25, 30-35).
  native-vlan <1-4094>                   Optional. Configures the native VLAN ID for this session; traffic on the native VLAN is not tagged.
                                           <1-4094>    Specify the native VLAN ID from 1 - 4094.

Example
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#traffic-source vlan 50-60 native-vlan 2
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#show context
   l2tpv3 manual-session test
    local-ip-address 1.2.3.4
    peer ip-address 5.6.7.8 udp port 150
    traffic-source vlan 50-60 native-vlan 2
    local-session-id 1
    remote-session-id 200
    remote-cookie size 8 400 700
  rfs6000-37FABE(config-profile default-rfs7000-l2tpv3-manual-session-test)#
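The remote-cookie, remote-session-id and traffic-source settings above describe what each tunneled packet carries. The following is an added example, not code from this guide or from the WiNG software, showing what those values mean on the wire for the "test" session: it expands a <VLAN-ID-RANGE>, serializes a 4- or 8-byte cookie the way the CLI describes it (the second word is ignored for 4-byte cookies), builds an outbound L2TPv3 data packet carrying the remote session ID and remote cookie, and shows the receiving side dropping packets whose session ID or cookie does not match its local values. The packet layout is assumed to be the RFC 3931 L2TPv3-over-UDP data header (4-byte L2TP header with T=0 and Ver=3, 32-bit Session ID, optional cookie, then the Layer 2 frame); the session IDs and cookie words are the guide's own example values and the frame bytes are constructed.

```python
"""Constructed example (not from the CLI guide or the WiNG code base): what the
manual-session settings mean on the wire.

Assumed layout (RFC 3931, L2TPv3 data messages over UDP): a 4-byte L2TP header
with T=0 (data) and Ver=3, the 32-bit Session ID, then the optional 4- or
8-byte cookie, then the tunneled Layer 2 frame.  Session IDs and cookie words
are the guide's example values; the frame bytes are made up."""
import hmac
import struct

L2TPV3_UDP_DATA_HEADER = b"\x00\x03\x00\x00"   # T=0, Ver=3, reserved=0
VLAN_MIN, VLAN_MAX = 1, 4094                    # same bounds the CLI applies to native-vlan


def expand_vlan_range(spec):
    """Expand a <VLAN-ID-RANGE> such as "10-20, 25, 30-35" into a sorted list
    of VLAN IDs, rejecting anything outside 1-4094."""
    ids = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        low, high = int(lo), (int(hi) if hi else int(lo))
        if not (VLAN_MIN <= low <= high <= VLAN_MAX):
            raise ValueError(f"VLAN range {part!r} is outside {VLAN_MIN}-{VLAN_MAX}")
        ids.update(range(low, high + 1))
    return sorted(ids)


def encode_cookie(size, word1, word2=0):
    """Serialize a cookie as the CLI describes it: size 4 uses only the first
    word, size 8 uses both words (each a 32-bit value 1-4294967295)."""
    if size == 4:
        return struct.pack("!I", word1)          # second word ignored for 4-byte cookies
    if size == 8:
        return struct.pack("!II", word1, word2)
    raise ValueError("cookie size must be 4 or 8")


def build_data_packet(remote_session_id, remote_cookie, frame):
    """Encapsulate a Layer 2 frame towards the peer.  The packet carries the
    *remote* session ID and *remote* cookie, i.e. the values the peer holds as
    its local-session-id and local-cookie."""
    if not 1 <= remote_session_id <= 0xFFFFFFFF:
        raise ValueError("session id must be 1-4294967295")
    return (L2TPV3_UDP_DATA_HEADER
            + struct.pack("!I", remote_session_id)
            + remote_cookie
            + frame)


def receive(packet, local_session_id, local_cookie):
    """Demultiplex an inbound packet.  Return the tunneled frame only when both
    the session ID and the cookie match our *local* values; otherwise return
    None (drop).  The cookie is what rejects misdirected or forged packets that
    happen to carry a valid session ID, so it is compared in constant time."""
    hdr_len = 4 + 4 + len(local_cookie)
    if len(packet) < hdr_len or packet[:4] != L2TPV3_UDP_DATA_HEADER:
        return None
    (session_id,) = struct.unpack("!I", packet[4:8])
    if session_id != local_session_id:
        return None
    if not hmac.compare_digest(packet[8:hdr_len], local_cookie):
        return None
    return packet[hdr_len:]


if __name__ == "__main__":
    # Our side of the "test" session from the guide's examples.
    outbound = build_data_packet(200, encode_cookie(8, 400, 700), b"constructed L2 frame")
    print("VLANs tunneled:", expand_vlan_range("50-60"))
    print("outbound header:", outbound[:16].hex())
    # The peer's view: it holds local-session-id 200 / local-cookie size 8 400 700.
    print("peer accepts:", receive(outbound, 200, encode_cookie(8, 400, 700)) is not None)
    print("wrong cookie dropped:", receive(outbound, 200, encode_cookie(8, 400, 701)) is None)
```

Two configuration points follow from the code: the local and remote values must be mirrored on the two ends (our remote-session-id and remote-cookie are the peer's local-session-id and local-cookie), and a session with no cookie configured relies on the session ID alone to reject stray or spoofed frames, so the 8-byte cookie is the setting to prefer where the peer supports it.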
Related Commands
  no    Removes the traffic source configured for a tunnel

23 ROUTER-MODE COMMANDS

This chapter summarizes the Open Shortest Path First (OSPF) router mode commands in the CLI command structure. All router-mode commands are available in both device and profile modes.

OSPF is an interior gateway protocol (IGP) used within large autonomous systems to distribute routing information. OSPF routes IP packets within a single routing domain (autonomous system), such as an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets. OSPF detects changes in the topology, such as a link failure, and computes a new loop-free routing structure. It computes the shortest path for each route using a shortest path first algorithm. Link state data is maintained on each router and is periodically updated on all OSPF member routers, which keeps their routing tables synchronized.

OSPF uses a route table managed by the link cost (external metrics) defined for each routing interface. The cost could be the distance to a router (round-trip time), link throughput or link availability.

Use the (config) instance to configure router commands. To navigate to the (config-router-mode) instance, use the following command:
  <DEVICE>(config-profile-<PROFILE-NAME>)#router ospf
  <DEVICE>(config-profile <PROFILE-NAME>-router-ospf)#

  rfs6000-37FABE(config-profile-default-rfs7000)#router ospf
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#?
  Router OSPF Mode commands:
    area                  OSPF area
    auto-cost             OSPF auto-cost
    default-information   Distribution of default information
    ip                    Internet Protocol (IP)
    network               OSPF network
    no                    Negate a command or set its defaults
    ospf                  OSPF
    passive               Make OSPF Interface as passive
    redistribute          Route types redistributed by OSPF
    route-limit           Limit for number of routes handled OSPF process
    router-id             Router ID

    clrscr                Clears the display screen
    commit                Commit all changes made in this session
    do                    Run commands from Exec mode
    end                   End current mode and change to EXEC mode
    exit                  End current mode and down to previous mode
    help                  Description of the interactive help system
    revert                Revert changes
    service               Service Commands
    show                  Show running system information
    write                 Write running configuration to memory or terminal
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

23.1 router-mode
ROUTER-MODE COMMANDS

The following table summarizes router configuration commands:
Table 23.1 OSPF-Router Config Commands

  Command              Description                                                        Reference
  area                 Specifies OSPF enabled interfaces                                  page 23-3
  auto-cost            Specifies the reference bandwidth in terms of Mbits per second     page 23-12
  default-information  Controls the distribution of default information                   page 23-13
  ip                   Configures Internet Protocol (IP) default gateway priority         page 23-14
  network              Defines OSPF network settings                                      page 23-15
  ospf                 Enables OSPF                                                       page 23-16
  passive              Specifies the configured OSPF interface as passive interface       page 23-17
  redistribute         Specifies the route types redistributed by OSPF                    page 23-18
  route-limit          Specifies the limit for the number of routes managed by OSPF       page 23-19
  router-id            Specifies the router ID for OSPF                                   page 23-21
  no                   Negates a command or sets its defaults                             page 23-22

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

23.1.1 area
router-mode

Configures OSPF network area (OSPF enabled interfaces) settings.

The following table lists the OSPF Area configuration mode commands:
Table 23.2 OSPF Area Config Commands

  Command         Description                                                Reference
  area            Creates a new OSPF area and enters its configuration mode  page 23-4
  OSPF-area-mode  Summarizes OSPF area configuration commands                page 23-6

23.1.1.1 area
area

Configures OSPF network areas (OSPF enabled interfaces).

An OSPF network can be subdivided into routing areas to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Areas are identified by 32-bit IDs, expressed either in decimal or in octet-based dot-decimal notation. Areas can be defined as: stub area, totally-stub, non-stub, nssa, totally nssa. Each of these area types is discussed further in the area-type section of this chapter.

At least one default area, bearing number 0, should be configured for every OSPF network. In the case of multiple areas, the default area 0 forms the backbone of the network. The default area 0 is used as a link to the other areas. Each area has its own link-state database.

A router running OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors. OSPF is aware of layer 2 topologies. On a point-to-point link, OSPF knows the link itself is sufficient, and the link stays up. On a broadcast link, the router waits for the election before determining whether the link is functional.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  area [<0-4294967295>|<IP>]

Parameters
  area [<0-4294967295>|<IP>]

  area              Defines an OSPF area
  <0-4294967295>    Defines an OSPF area in the form of a 32 bit integer. Specify the value from 0 - 4294967295.
  <IP>              Defines an OSPF area in the form of an IP address. Specify the IP address.

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#area 4 ?
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#?
  Router OSPF Area Mode commands:
    area-type       OSPF area type
    authentication  Authentication scheme for OSPF area
    no              Negate a command or set its defaults
    range           Routes matching this range are considered for summarization (ABR only)

    clrscr          Clears the display screen
    commit          Commit all changes made in this session
    do              Run commands from Exec mode
    end             End current mode and change to EXEC mode
    exit            End current mode and down to previous mode
    help            Description of the interactive help system
    revert          Revert changes
    service         Service Commands
    show            Show running system information
    write           Write running configuration to memory or terminal
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#

  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#show context
   area 0.0.0.4
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.4)#
Related Commands
  no    Removes area configuration settings

23.1.1.2 OSPF-area-mode
area

The following table summarizes OSPF area mode configuration commands:

Table 23.3 OSPF-Area-Mode Commands

  Command         Description                                                    Reference
  area-type       Configures a particular OSPF area as STUB or NSSA              page 23-7
  authentication  Specifies the authentication scheme used for the OSPF area     page 23-9
  range           Specifies the routes matching address/mask for summarization   page 23-10
  no              Negates a command or sets its defaults                         page 23-11

23.1.1.2.1 area-type
OSPF-area-mode

Configures a particular OSPF area type as STUB, Totally STUB, NSSA or Totally NSSA.

Areas can be defined as:
  stub area - An area that does not receive route advertisements external to the autonomous system (AS); routing from within the area is based entirely on a default route.
  totally-stub - An area that does not allow summary routes or external routes. A default route is the only way to route traffic outside of the area. When there is only one route out of the area, fewer routing decisions are needed, lowering system resource utilization.
  non-stub - An area that imports autonomous system external routes and forwards them to other areas. However, it still cannot receive external routes from other areas.
  nssa - A Not-So-Stubby Area (NSSA) is an extension of a stub area that allows the injection of limited external routes into the stub area. If selecting NSSA, no external routes, except a default route, enter the area.
  totally-nssa - An NSSA into which type 3 and type 4 summary routes are not flooded. It is also possible to declare an area both totally stubby and not-so-stubby, which means that the area receives only the default route from area 0.0.0.0, but can also contain an Autonomous System Boundary Router (ASBR) that accepts external routing information and injects it into the local area, and from the local area into area 0.0.0.0.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  area-type [nssa|stub]
  area-type nssa {default-cost|no-summary|translate-always|translate-candidate|translate-never}
  area-type nssa {default-cost <0-16777215> {no-summary}|no-summary {default-cost <0-16777215>}}
  area-type nssa {translate-always|translate-candidate|translate-never} {(default-cost <0-16777215>|no-summary)}
  area-type stub {default-cost <0-16777215> {no-summary}|no-summary {default-cost <0-16777215>}}

Parameters
  area-type [nssa|stub] {default-cost|no-summary|translate-always|translate-candidate|translate-never}

  area-type                   Configures a particular OSPF area type as STUB, Totally STUB, NSSA or Totally NSSA
  nssa                        Configures the OSPF area as NSSA
  stub                        Configures the OSPF area as a Stubby Area (STUB)
  default-cost <0-16777215>   Specifies the default summary cost that is advertised if the OSPF area is a STUB or NSSA
                                <0-16777215>    Specify the default summary cost value from 0 - 16777215.
  no-summary                  Configures the OSPF area as totally STUB if the area-type is STUB, or totally NSSA if the area-type is NSSA
  translate-always            Always translates type-7 Link State Advertisements (LSAs) into type-5 LSAs
  translate-candidate         Defines translation as candidate (the default behavior)
  translate-never             Never translates type-7 LSAs into type-5 LSAs

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#area-type stub default-cost 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
   area 0.0.0.1
    area-type stub default-cost 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#
Related Commands
  no    Removes configured area-type settings

23.1.1.2.2 authentication
OSPF-area-mode

Specifies the authentication scheme used for an OSPF area participating in OSPF dynamic routing.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  authentication [message-digest|simple-password]

Parameters
  authentication [message-digest|simple-password]

  message-digest     Configures the message-digest (MD-5) authentication scheme
  simple-password    Configures the simple password authentication scheme

Usage Guidelines
OSPF packet authentication enables routers to use predefined passwords to participate within a routing domain. The two authentication modes are:
  MD-5: MD-5 authentication is a cryptographic authentication mode, where every router has a key (password) and key-id configured on it. The key and key-id together are used to form the message digest that is appended to the OSPF packet.
  Simple Password: Simple password authentication allows a password (key) to be configured per area. Routers in the same area that participate in the routing domain have to be configured with the same key.

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#authentication simple-password
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
   area 0.0.0.1
    authentication simple-password
    area-type stub default-cost 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#
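The Usage Guidelines above describe the two schemes in a sentence each. The following is an added example, not code from this guide or from the WiNG software, that builds OSPFv2 packets under each scheme so the difference is visible in the bytes: with simple-password the 8-byte key sits in clear text in the packet header and can be read back by anyone on the segment, while with message-digest the header carries only a key-id, a digest length and a cryptographic sequence number, the MD5 of the packet plus the key is appended after the packet, and the key itself never goes on the wire. The header layout and digest procedure are taken from RFC 2328 Appendix D; the zero-padding of the key to 16 bytes is an assumption that matches common implementations; the checksum is left at zero (it is zero for cryptographic authentication and is not needed for the simple-password point being shown); router IDs, area IDs, keys and sequence numbers are constructed.

```python
"""Constructed example (not from the CLI guide or WiNG): the two OSPF area
authentication schemes as they appear in the OSPFv2 packet header.

Assumptions: header layout and cryptographic authentication per RFC 2328
Appendix D; the key is zero-padded/truncated to 16 bytes before being appended
for the digest, as common implementations do.  IDs, keys, sequence numbers and
the packet body are made up."""
import hashlib
import hmac
import ipaddress
import struct

# version, type, length, router id, area id, checksum, AuType, 8-byte auth field
OSPF_HDR = struct.Struct("!BBHIIHH8s")
AU_NONE, AU_SIMPLE, AU_CRYPTO = 0, 1, 2
OSPF_HELLO = 1
MD5_LEN = 16


def _ip(dotted):
    return int(ipaddress.IPv4Address(dotted))


def simple_password_packet(router_id, area_id, body, password):
    """authentication simple-password: the password (max 8 bytes, zero padded)
    travels in clear text in the header of every OSPF packet."""
    auth = password.ljust(8, b"\0")[:8]
    length = OSPF_HDR.size + len(body)
    return OSPF_HDR.pack(2, OSPF_HELLO, length, _ip(router_id), _ip(area_id),
                         0, AU_SIMPLE, auth) + body


def password_from_wire(packet):
    """What any on-path observer can read back from a simple-password packet
    (None for packets that do not use simple-password)."""
    hdr = OSPF_HDR.unpack(packet[:OSPF_HDR.size])
    return hdr[7].rstrip(b"\0") if hdr[6] == AU_SIMPLE else None


def _pad_key(key):
    return key.ljust(MD5_LEN, b"\0")[:MD5_LEN]


def md5_sign(router_id, area_id, body, key_id, seq, key):
    """authentication message-digest: the auth field carries key-id, digest
    length and a cryptographic sequence number; MD5(packet || key) is appended
    after the packet and is not counted in the length field.  The key never
    leaves the router, and the checksum is zero for cryptographic auth."""
    length = OSPF_HDR.size + len(body)
    auth = struct.pack("!HBBI", 0, key_id, MD5_LEN, seq)
    packet = OSPF_HDR.pack(2, OSPF_HELLO, length, _ip(router_id), _ip(area_id),
                           0, AU_CRYPTO, auth) + body
    return packet + hashlib.md5(packet + _pad_key(key)).digest()


def md5_verify(wire, keys_by_id, last_seq=None):
    """Receiver-side check.  Returns (accepted, reason, sequence number).
    last_seq is the highest sequence number already accepted from this
    neighbour; anything not newer is treated as a replay."""
    if len(wire) < OSPF_HDR.size + MD5_LEN:
        return False, "truncated", None
    _, _, length, _, _, _, autype, auth = OSPF_HDR.unpack(wire[:OSPF_HDR.size])
    if autype != AU_CRYPTO:
        return False, "not cryptographic authentication", None
    _, key_id, auth_len, seq = struct.unpack("!HBBI", auth)
    if auth_len != MD5_LEN or len(wire) != length + MD5_LEN:
        return False, "bad length", seq
    key = keys_by_id.get(key_id)
    if key is None:
        return False, f"unknown key id {key_id}", seq
    expected = hashlib.md5(wire[:length] + _pad_key(key)).digest()
    if not hmac.compare_digest(expected, wire[length:]):
        return False, "digest mismatch", seq
    if last_seq is not None and seq <= last_seq:
        return False, "replayed or stale sequence number", seq
    return True, "ok", seq


if __name__ == "__main__":
    body = b"\x00" * 20                                   # constructed hello body
    clear = simple_password_packet("10.0.0.1", "0.0.0.1", body, b"pass")
    print("simple-password on the wire:", password_from_wire(clear))
    signed = md5_sign("10.0.0.1", "0.0.0.1", body, key_id=1, seq=100, key=b"s3cret")
    print("message-digest accepted:", md5_verify(signed, {1: b"s3cret"}, last_seq=99))
    print("same packet again:", md5_verify(signed, {1: b"s3cret"}, last_seq=100))
```

The practical reading for the area configuration above: simple-password only stops accidental adjacencies with mis-configured routers, since the key is recoverable from a single captured packet; message-digest keeps the key off the wire, lets the key-id support a staged key rollover, and the sequence number gives the receiver a basis for rejecting replayed packets.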
Related Commands
  no    Removes the authentication scheme

23.1.1.2.3 range
OSPF-area-mode

Specifies a range of addresses for routes matching address/mask for OSPF summarization.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  range <IP/M>

Parameters
  range <IP/M>

  <IP/M>    Specifies the routes matching address/mask for summarization. Note: This command is applicable to an Area Border Router (ABR) only.

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#range 172.16.10.0/24
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
   area 0.0.0.1
    authentication simple-password
    range 172.16.10.0/24
    area-type stub default-cost 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#
Related Commands
  no    Removes the configured network IP range

23.1.1.2.4 no
OSPF-area-mode

Negates a command or sets its defaults.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  no [area-type|authentication|range]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>    Negates a command or sets its defaults

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command being negated.

Example
The following example shows the OSPF router settings before the no commands are executed:
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
   area 0.0.0.1
    authentication simple-password
    range 172.16.10.0/24
    area-type stub default-cost 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#

  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no authentication
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#no range 172.16.10.0/24

The following example shows the OSPF router settings after the no commands are executed:
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#show context
   area 0.0.0.1
    area-type stub default-cost 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf-area-0.0.0.1)#
23.1.2 auto-cost
router-mode

Configures the reference bandwidth in terms of megabits per second. Specifying the reference bandwidth allows you to control the default metric for an interface, which is calculated by OSPF. The formula used to calculate the default metric is: ref-bw divided by the interface bandwidth. Use the no > auto-cost > reference-bandwidth command to return to default metric calculation based on interface type.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  auto-cost reference-bandwidth <1-4294967>

Parameters
  auto-cost reference-bandwidth <1-4294967>

  reference-bandwidth <1-4294967>    Defines the reference bandwidth in Mbps
                                       <1-4294967>    Specify the reference bandwidth value from 1 - 4294967.

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#auto-cost reference-bandwidth 1
  Ensure that the auto-cost reference-bandwidth is configured uniformly on all routers.
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
   router ospf
    area 0.0.0.4
    auto-cost reference-bandwidth 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
Related Commands
  no    Removes auto-cost reference bandwidth settings

23.1.3 default-information
router-mode

Controls the distribution of default route information. Use the default-information > originate command to advertise a default route from the routing table. This option is disabled by default. When enabled, the default route becomes a distributed route.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  default-information originate {always|metric|metric-type}
  default-information originate {always|metric <0-16777214>|metric-type [1|2]} {(metric <0-16777214>|metric-type [1|2])}

Parameters
  default-information originate {always|metric <0-16777214>|metric-type [1|2]} {(metric <0-16777214>|metric-type [1|2])}

  originate              Originates default route information. Enabling this feature makes the default route a distributed route. This option is disabled by default.
  always                 Optional. Always distributes default route information (continues to advertise default route information even if that information has been removed from the routing table for some reason). This option is disabled by default.
  metric <0-16777214>    Optional. Specifies the OSPF metric value for redistributed routes (this value is used to generate the default route). This is a recursive parameter and can be optionally configured along with the metric-type option.
                           <0-16777214>    Specify a value from 0 - 16777214.
  metric-type [1|2]      Optional. Sets the OSPF exterior metric type for redistributed routes (this information is advertised within the OSPF routing domain). This is a recursive parameter and can be optionally configured along with the metric option.
                           1    Sets OSPF external type 1 metrics
                           2    Sets OSPF external type 2 metrics

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#default-information originate metric-type 2 metric 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
   router ospf
    area 0.0.0.4
    auto-cost reference-bandwidth 1
    default-information originate metric 1 metric-type 2
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
Related Commands
  no    Disables advertising of default route information available in the routing table

23.1.4 ip
router-mode

Configures the IP default gateway priority.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  ip default-gateway priority <1-8000>

Parameters
  ip default-gateway priority <1-8000>

  default-gateway       Configures the default gateway
  priority <1-8000>     Sets the priority for the default gateway acquired via OSPF
                          <1-8000>    Specify an integer from 1 - 8000. The default is 7000. Note: The lower the value, the higher the priority.

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#ip default-gateway priority 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
   router ospf
    area 0.0.0.4
    auto-cost reference-bandwidth 1
    default-information originate metric 1 metric-type 2
    ip default-gateway priority 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
Related Commands
  no    Removes default gateway priority settings

23.1.5 network
router-mode

Assigns networks to specified areas (defines the OSPF interfaces and their associated area IDs).

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  network <IP/M> area [<0-4294967295>|<IP>]

Parameters
  network <IP/M> area [<0-4294967295>|<IP>]

  <IP/M>                       Specifies an OSPF network address/mask value. Defines networks (IP addresses and mask) participating in OSPF.
  area [<0-4294967295>|<IP>]   Specifies an OSPF area, associated with the OSPF address range, in one of the following formats:
                                 <0-4294967295>    Specifies a 32 bit OSPF area ID from 0 - 4294967295
                                 <IP>              Defines an OSPF area ID in the form of an IPv4 address

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#network 1.2.3.0/24 area 4.5.6.7
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
   router ospf
    network 1.2.3.0/24 area 4.5.6.7
    area 0.0.0.4
    auto-cost reference-bandwidth 1
    default-information originate metric 1 metric-type 2
    ip default-gateway priority 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
Related Commands
  no    Removes the OSPF network to area ID association

23.1.6 ospf
router-mode

Enables OSPF routing on a profile or device.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  ospf enable

Parameters
  ospf enable

  ospf enable    Enables OSPF routing on devices using this profile. This option is disabled by default.

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#ospf enable
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
   router ospf
    ospf enable
    network 1.2.3.0/24 area 4.5.6.7
    area 0.0.0.4
    auto-cost reference-bandwidth 1
    default-information originate metric 1 metric-type 2
    ip default-gateway priority 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
Related Commands
  no    Disables OSPF routing on a profile or device

23.1.7 passive
router-mode

Configures the specified OSPF interface as passive. This option is disabled by default. A passive interface receives routing updates, but does not transmit them.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  passive [<WORD>|all|vlan <1-4094>]

Parameters
  passive [<WORD>|all|vlan <1-4094>]

  <WORD>           Enables the OSPF passive mode on the interface specified by the <WORD> parameter
  all              Enables the OSPF passive mode on all the L3 interfaces
  vlan <1-4094>    Enables the OSPF passive mode on the specified VLAN interface
                     <1-4094>    Specify the VLAN interface ID from 1 - 4094.

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#passive vlan 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
   router ospf
    ospf enable
    network 1.2.3.0/24 area 4.5.6.7
    area 0.0.0.4
    auto-cost reference-bandwidth 1
    default-information originate metric 1 metric-type 2
    passive vlan1
    ip default-gateway priority 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
Related Commands
  no    Disables the OSPF passive mode on a specified interface

23.1.8 redistribute
router-mode

Specifies the route types redistributed by OSPF.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000

Syntax
  redistribute [bgp|connected|kernel|static] {metric <0-16777214>|metric-type [1|2]}

Parameters
  redistribute [connected|kernel|static] {metric <0-16777214>|metric-type [1|2]}

  bgp          Redistributes all BGP routes by OSPF
  connected    Redistributes all connected interface routes by OSPF
  kernel       Redistributes all routes that are neither connected, static, dynamic, nor bgp
  static       Redistributes static routes by OSPF

  The following keywords are common to the bgp, connected, kernel, and static parameters:
  metric <0-16777214>    Optional. Specifies the OSPF metric value for redistributed routes.
                           <0-16777214>    Specify a value from 0 - 16777214.

  The following keywords are common to the connected, kernel, and static parameters:
  metric-type [1|2]      Optional. Sets the OSPF exterior metric type for redistributed routes
                           1    Sets the OSPF external type 1 metrics
                           2    Sets the OSPF external type 2 metrics

Example
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#redistribute static metric-type 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
   router ospf
    ospf enable
    network 1.2.3.0/24 area 4.5.6.7
    area 0.0.0.4
    auto-cost reference-bandwidth 1
    default-information originate metric 1 metric-type 2
    redistribute static metric-type 1
    passive vlan1
    ip default-gateway priority 1
  rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
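Three of the sections above share one piece of arithmetic: auto-cost (23.1.2) states that the default interface metric is ref-bw divided by the interface bandwidth and warns that the reference bandwidth must be uniform across routers, and default-information (23.1.3) and redistribute (23.1.8) both offer metric-type 1 or 2 for external routes. The following is an added example, not code from this guide or from the WiNG software, that carries those rules through with numbers. It assumes the usual OSPF convention that the interface cost is truncated to an integer and never falls below 1, that type 1 (E1) external routes add the internal path cost to the advertised metric, and that type 2 (E2) routes keep the advertised metric alone and use the internal cost only as a tiebreaker; the bandwidths, metrics and ASBR names are constructed.

```python
"""Constructed example (not from the CLI guide or WiNG): the metric arithmetic
behind auto-cost reference-bandwidth and metric-type 1/2.

Assumptions: interface cost = reference bandwidth / interface bandwidth,
truncated to an integer and never below 1 (the guide's "ref-bw divided by the
bandwidth"); E1 external routes add the internal cost to the advertised metric,
E2 routes do not and use the internal cost only to break ties.  All
bandwidths, metrics and names below are made up."""

REF_BW_MIN, REF_BW_MAX = 1, 4294967     # auto-cost reference-bandwidth <1-4294967>, in Mbps


def interface_cost(ref_bw_mbps, interface_bw_mbps):
    """Default OSPF cost of an interface for a given reference bandwidth."""
    if not REF_BW_MIN <= ref_bw_mbps <= REF_BW_MAX:
        raise ValueError("reference bandwidth must be 1-4294967 Mbps")
    if interface_bw_mbps <= 0:
        raise ValueError("interface bandwidth must be positive")
    return max(1, int(ref_bw_mbps / interface_bw_mbps))


def link_costs_seen_by_each_end(ref_bw_a, ref_bw_b, link_bw_mbps):
    """Why the guide says to configure reference-bandwidth uniformly: two
    routers with different reference bandwidths assign different costs to the
    same link, so forward and return traffic can take different paths."""
    return interface_cost(ref_bw_a, link_bw_mbps), interface_cost(ref_bw_b, link_bw_mbps)


def external_route_cost(metric_type, advertised_metric, internal_cost):
    """Cost an internal router computes for an external route."""
    if metric_type == 1:
        return advertised_metric + internal_cost
    if metric_type == 2:
        return advertised_metric
    raise ValueError("metric-type must be 1 or 2")


def choose_exit(metric_type, exits):
    """exits: {asbr_name: (advertised_metric, internal_cost_to_that_asbr)}.
    Returns the ASBR OSPF prefers for the external route under each metric type."""
    if metric_type == 1:
        return min(exits, key=lambda name: external_route_cost(1, *exits[name]))
    # E2: lowest advertised metric wins; internal cost only breaks the tie
    return min(exits, key=lambda name: (exits[name][0], exits[name][1]))


if __name__ == "__main__":
    # With the historical 100 Mbps reference, 100M, 1G and 10G links all cost 1.
    for bw in (10, 100, 1000, 10000):
        print(f"ref 100 Mbps, {bw} Mbps link -> cost {interface_cost(100, bw)}; "
              f"ref 10000 Mbps -> cost {interface_cost(10000, bw)}")
    print("mismatched reference on a 1G link:", link_costs_seen_by_each_end(100, 10000, 1000))
    exits = {"asbr-a": (10, 5), "asbr-b": (12, 1)}
    print("E1 prefers", choose_exit(1, exits), "; E2 prefers", choose_exit(2, exits))
```

The last two lines are the point of metric-type: with the same two ASBRs, E1 favours the exit with the lowest total path cost, while E2 favours the exit advertising the lowest metric regardless of how far away it is, so a default route injected with metric-type 2 and a low metric will pull traffic toward that router from the whole domain.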
Related Commands
  no    Removes the OSPF redistribution of the specified route type

23.1.9 route-limit
router-mode

Limits the number of routes managed by OSPF. The maximum limit supported by the platform is the default configuration defined under the router-ospf context.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000

Syntax
route-limit [num-routes|reset-time|retry-count|retry-timeout]
route-limit [num-routes <DYNAMIC-ROUTE-LIMIT>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>] {(num-routes|reset-time|retry-count|retry-timeout)}

Parameters
route-limit [num-routes <DYNAMIC-ROUTE-LIMIT>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>] {(num-routes|reset-time|retry-count|retry-timeout)}

  num-routes <DYNAMIC-ROUTE-LIMIT>  Specifies the maximum number of non-self-generated LSAs this OSPF process can receive
                                    <DYNAMIC-ROUTE-LIMIT>  Specify the dynamic route limit.
  reset-time <1-86400>    Specifies the time, in seconds, after which the retry counter is reset to zero
                          <1-86400>  Specify a value from 1 - 86400 seconds. The default is 360 seconds.
  retry-count <1-32>      Specifies the maximum number of times adjacencies can be suppressed. Each time OSPF enters the ignore state, a counter increments. If the counter exceeds the configured retry-count, OSPF stays in the ignore state and manual intervention is required to get it out of that state.
                          <1-32>  Specify a value from 1 - 32. The default is 5.
  retry-timeout <1-3600>  Specifies the retry time in seconds. During this time OSPF remains in the ignore state and all adjacencies are suppressed.
                          <1-3600>  Specify a value from 1 - 3600 seconds. The default is 60 seconds.

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 10
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
router ospf
 ospf enable
 network 1.2.3.0/24 area 4.5.6.7
 area 0.0.0.4
 auto-cost reference-bandwidth 1
 default-information originate metric 1 metric-type 2
 redistribute static metric-type 1
 passive vlan1
 route-limit num-routes 10 retry-count 5 retry-timeout 60 reset-time 10
 ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
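The four route-limit timers interact in a way the parameter table only describes in prose. The following Python model is an added example, not WiNG code, and exists to make that interaction visible on a constructed LSA stream. It assumes (labelled in the comments) that the LSA count restarts when the ignore state is left, that reset-time is measured from the last entry into the ignore state, and that clear_process() stands in for the "manual intervention" the guide mentions without naming a command.

```python
# Added example (not WiNG code): a model of the route-limit ignore-state
# behaviour described above. Assumptions: the LSA count restarts from zero
# when the ignore state is left; reset-time is measured from the last entry
# into the ignore state; clear_process() is a hypothetical stand-in for the
# "manual intervention" the guide mentions.

NORMAL, IGNORE, IGNORE_PERMANENT = "normal", "ignore", "ignore-permanent"


class OspfRouteLimit:
    def __init__(self, num_routes, retry_count=5, retry_timeout=60, reset_time=360):
        self.num_routes = num_routes        # max non-self-generated LSAs accepted
        self.retry_count = retry_count      # ignore entries tolerated before it sticks
        self.retry_timeout = retry_timeout  # seconds spent in a timed ignore state
        self.reset_time = reset_time        # seconds until the retry counter resets
        self.state = NORMAL
        self.lsa_count = 0                  # foreign LSAs seen in the current window
        self.ignore_entries = 0             # the counter the guide describes
        self.ignore_until = None
        self.last_ignore_at = None

    def _tick(self, now):
        """Advance timers: leave a timed ignore state, reset the retry counter."""
        if self.state == IGNORE and now >= self.ignore_until:
            self.state = NORMAL
            self.lsa_count = 0
        if (self.state == NORMAL and self.last_ignore_at is not None
                and now - self.last_ignore_at >= self.reset_time):
            self.ignore_entries = 0
            self.last_ignore_at = None

    def _enter_ignore(self, now):
        self.ignore_entries += 1
        self.last_ignore_at = now
        if self.ignore_entries > self.retry_count:
            self.state = IGNORE_PERMANENT   # stays until an operator clears it
        else:
            self.state = IGNORE
            self.ignore_until = now + self.retry_timeout

    def receive_lsa(self, now, self_originated=False):
        """Return True if an LSA arriving at time `now` (seconds) is accepted."""
        self._tick(now)
        if self_originated:
            return True                     # self-generated LSAs are not counted
        if self.state != NORMAL:
            return False                    # adjacencies suppressed: nothing accepted
        self.lsa_count += 1
        if self.lsa_count > self.num_routes:
            self._enter_ignore(now)
            return False
        return True

    def adjacencies_suppressed(self, now):
        self._tick(now)
        return self.state != NORMAL

    def clear_process(self):
        """Hypothetical operator action that ends a permanent ignore state."""
        self.state = NORMAL
        self.lsa_count = 0
        self.ignore_entries = 0
        self.ignore_until = None
        self.last_ignore_at = None


def flood(limiter, start, count):
    """Deliver `count` foreign LSAs at time `start`; return how many were accepted."""
    return sum(limiter.receive_lsa(start) for _ in range(count))
```

What the model makes explicit: a peer that pushes more than num-routes LSAs into the process more than retry-count times within reset-time leaves OSPF in a state that no timer clears, so the same limit that protects the process from an LSA flood is also something a speaker on the OSPF segment can trip on purpose; size reset-time and retry-count with that in mind.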
Related Commands
  no    Removes the limit on the number of routes managed by OSPF

23.1.10 router-id
router-mode

Specifies the OSPF router ID

This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is used as the router identifier. Although it is written like an IP address, the router ID is only an identifier, so it does not have to belong to any routable subnet in the network.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000

Syntax
router-id <IP>

Parameters
router-id <IP>

  <IP>    Identifies the OSPF router by its IP address
          <IP>  Specify the router ID in the A.B.C.D format

Example
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#router-id 172.16.10.8
Reload, or execute "clear ip ospf process" command, for this to take effect
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
Related Commands
  no    Removes the configured OSPF router ID

23.1.11 no
router-mode

Negates a command or reverts settings to their default

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7622, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000

Syntax
no [area|auto-cost|default-information|ip|network|ospf|passive|redistribute|route-limit|router-id]

Parameters
no <PARAMETERS>

  no <PARAMETERS>    Negates a command or sets its defaults

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example shows the OSPF router settings before the no commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
router ospf
 network 1.2.3.0/24 area 4.5.6.7
 area 0.0.0.4
 auto-cost reference-bandwidth 1
 default-information originate metric 1 metric-type 2
 redistribute static metric-type 1
 passive vlan1
 route-limit num-routes 10 reset-time 10
 ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no area 4
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no auto-cost reference-bandwidth
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#no network 1.2.3.0/24 area 4.5.6.7

The following example shows the OSPF router settings after the no commands are executed:

rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#show context
router ospf
 default-information originate metric 1 metric-type 2
 redistribute static metric-type 1
 passive vlan1
 route-limit num-routes 10 reset-time 10
 ip default-gateway priority 1
rfs6000-37FABE(config-profile default-rfs7000-router-ospf)#
24 ROUTING-POLICY

This chapter summarizes routing-policy commands in the CLI command structure.

Routing policies enable network administrators to control data packet routing and forwarding. Policy-based routing (PBR) always overrides protocol-based routing. Network administrators can define routing policies based on parameters such as access lists, packet size, etc. For example, a routing policy can be configured to route packets along user-defined routes. PBR also facilitates the provisioning of preferential service to specific traffic. PBR minimally provides the following:

- A means to use source address, protocol, application, and traffic class as traffic routing criteria
- A means to load balance multiple WAN uplinks
- A means to selectively mark traffic for Quality of Service (QoS) optimization

Use the (config) instance to configure routing-policy commands. To navigate to the (config-routing-policy) instance, use the following commands:

<DEVICE>(config)#routing-policy <ROUTING-POLICY-NAME>

rfs6000-37FABE(config)#routing-policy testpolicy
rfs6000-37FABE(config-routing-policy-testpolicy)#?
Routing Policy Mode commands:
  apply-to-local-packets  Use Policy Based Routing for packets generated by the device
  logging                 Enable logging for this Route Map
  no                      Negate a command or set its defaults
  route-map               Create a Route Map
  use                     Set setting to use

  clrscr                  Clears the display screen
  commit                  Commit all changes made in this session
  do                      Run commands from Exec mode
  end                     End current mode and change to EXEC mode
  exit                    End current mode and down to previous mode
  help                    Description of the interactive help system
  revert                  Revert changes
  service                 Service Commands
  show                    Show running system information
  write                   Write running configuration to memory or terminal
rfs6000-37FABE(config-routing-policy-testpolicy)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

24.1 routing-policy-commands
ROUTING-POLICY

The following table summarizes routing policy configuration commands:

Table 24.1 Routing-Policy-Config Commands
  Command                 Description                                  Reference
  apply-to-local-packets  Enables PBR for locally generated packets    page 24-3
  logging                 Enables logging for a specified route map    page 24-4
  route-map               Creates a route map entry                    page 24-5
  use                     Defines default settings to use              page 24-18
  no                      Negates a command or sets its defaults       page 24-19

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

24.1.1 apply-to-local-packets
routing-policy-commands

Enables PBR for locally generated packets (packets generated by the device). When enabled, this option applies the match and action clauses defined within route maps to the device's own traffic. This option is enabled by default. To disable PBR for locally generated packets, use the no > apply-to-local-packets command.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
apply-to-local-packets

Parameters
None

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#apply-to-local-packets
rfs6000-37FABE(config-routing-policy-testpolicy)#

Related Commands
  no    Disables PBR for locally generated packets

24.1.2 logging
routing-policy-commands

Enables logging for a specified route map. When enabled, this option logs events generated by the enforcement of route maps. This option is disabled by default.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
logging

Parameters
None

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#logging
rfs6000-37FABE(config-routing-policy-testpolicy)#show context
routing-policy testpolicy
 logging
rfs6000-37FABE(config-routing-policy-testpolicy)#
Related Commands
  no    Disables route map logging

24.1.3 route-map
routing-policy-commands

Creates a route map entry and enters the route map configuration mode

In policy-based routing (PBR), route maps control the flow of traffic within the network. They override route tables and direct traffic along a specific path. Route maps contain a set of filters that select traffic (match clauses) and associated actions (mark clauses) for routing.

Every route-map entry has a precedence value. The lower the precedence value, the higher the route map's priority. All incoming packets are matched against the route-map entries. The entry with the highest precedence (lowest numerical value) is applied first. On a match, action is taken based on the mark clause specified in that entry. On no match, the entry with the next highest precedence is applied. If the incoming packet matches none of the route-map entries, it is subjected to typical destination-based routing. Each route-map entry can optionally enable or disable logging.

The following criteria can optionally be used as traffic selection criteria:

- IP Access List - A typical IP ACL can be used for routing traffic. The mark and log actions in ACL rules are, however, ignored; route-map entries have separate logging. Only one ACL can be configured per route-map entry. ACL rules configured under route-map entries merge to create a single ACL, and route-map precedence values determine the prioritization of the rules in this merged ACL. An IP DSCP value is also added to the ACL rules.
- IP DSCP - Packet filtering can be performed by traffic class, as determined from the IP Differentiated Services Code Point (DSCP) field. One DSCP value can be configured per route-map entry. If IP ACLs on a WLAN, port or SVI mark packets, the new (marked) DSCP value is used for matching.
- Incoming WLAN - Packets can be filtered on the basis of the incoming WLAN. Depending on whether the receiving device has an onboard radio, two scenarios are possible:
  Device with an onboard radio: if a PBR-capable device with an onboard radio receives a packet on a local WLAN, this WLAN is used for selection.
  Device without an onboard radio: if a PBR-capable device without an onboard radio receives a packet from an extended VLAN, it passes the WLAN information in the MiNT packet to the PBR router. The PBR router uses this information as match criteria.
- Client role - The client role can be used as match criteria, similar to a WLAN. Each device has to agree on a unique identifier for the role definition and pass the same in MiNT tunneled packets.
- Incoming SVI - A source IP address qualifier in an ACL typically satisfies filter requirements. But if the source host (where the packet originates) is multiple hops away, the incoming SVI can be used as match criteria. In this context the SVI refers to the interface of the device performing PBR, not to the source device.

Mark (or action) clauses determine the routing function when a packet satisfies match criteria. If no mark clauses are defined, the default is to fall back to destination-based routing for packets satisfying the match criteria. If no mark clause is configured and fallback to destination-based routing is disabled, the packet is dropped. The mark clause defines one of the following actions:

- Next hop - The IP address of the next hop or the outgoing interface through which the packet should be routed. Up to two next hops can be specified. The outgoing interface should be a PPP interface, a tunnel interface, or an SVI that has a DHCP client configured. The first reachable hop is used. If all next hops are unreachable, typical destination-based route lookup is performed.
- Default next hop - If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This can be either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next hop is the order of evaluation: for the former, PBR occurs first, then destination-based routing; for the latter, the order is reversed. In both cases:
  a. If a defined next hop is reachable, it is used. Otherwise, if fallback is configured, refer to (b).
  b. Perform normal destination-based route lookup. If a route is found, it is used; if not, refer to (c).
  c. If a default next hop is configured and reachable, it is used; if not, the packet is dropped.
- Fallback - Enables fallback to destination-based routing if none of the configured next hops is reachable (or none is configured). This is enabled by default.
- Mark IP DSCP - Configures the IP DSCP bits for QoS. The mark action of the route map takes precedence over the mark action of an ACL.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
route-map <1-100>

Parameters
route-map <1-100>

  route-map <1-100>    Creates a route map entry, sets a precedence value for the route map, and enters the route map configuration mode
                       <1-100>  Specify a precedence value from 1 - 100. Note: the lower the sequence number, the higher the precedence.

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#route-map 1
rfs6000-37FABE(config-routing-policy-testpolicy)#show context
routing-policy testpolicy
 logging
 route-map 1
rfs6000-37FABE(config-routing-policy-testpolicy)#

rfs6000-37FABE(config-routing-policy-testpolicy)#route-map 1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#?
Route Map Mode commands:
  default-next-hop  Default next-hop configuration (aka gateway-of-last-resort)
  fallback          Fallback to destination based routing if no next-hop is configured or all are unreachable
  mark              Mark action for route map
  match             Match clause configuration for Route Map
  next-hop          Next-hop configuration
  no                Negate a command or set its defaults

  clrscr            Clears the display screen
  commit            Commit all changes made in this session
  do                Run commands from Exec mode
  end               End current mode and change to EXEC mode
  exit              End current mode and down to previous mode
  help              Description of the interactive help system
  revert            Revert changes
  service           Service Commands
  show              Show running system information
  write             Write running configuration to memory or terminal
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#
Related Commands
  no    Removes a route map

24.1.4 route-map-mode
route-map

The following table summarizes route-map configuration commands:

Table 24.2 Route-Map-Config Commands
  Command           Description                                                      Reference
  default-next-hop  Sets the default next hop for packets satisfying match criteria  page 24-9
  fallback          Configures fallback to destination-based routing                 page 24-10
  mark              Marks the action clause for packets satisfying match criteria    page 24-11
  match             Sets match clauses for the route map                             page 24-12
  next-hop          Sets the next hop for packets satisfying match criteria          page 24-15
  no                Negates a command or sets its default                            page 24-17

24.1.4.1 default-next-hop
route-map-mode

Sets the default next hop for packets satisfying match criteria

If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This value is set as either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next hop is the order of evaluation: for the former, PBR occurs first, then destination-based routing; for the latter, the order is reversed.

Use this command to set either the default next hop IP address or an outgoing interface (a router interface name, pppoe1, a serial interface, a VLAN interface, or wwan1).

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
default-next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]

Parameters
default-next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]

  default-next-hop    Sets the next hop router to which packets are sent in case the next hop is not the adjacent router
  <IP>                Specifies the next hop router's IP address
  <ROUTER-IF-NAME>    Specifies the outgoing interface name (router interface name)
  pppoe1              Specifies the PPPoE interface
  serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>
                      Specifies the serial interface's slot, port, and channel group IDs
  vlan <1-4094>       Specifies a VLAN interface ID
                      <1-4094>  Specify a value from 1 - 4094.
  wwan1               Specifies the WAN interface

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#default-next-hop wwan1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
route-map 1
 default-next-hop wwan1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#
Related Commands
  no    Removes the default next hop router settings

24.1.4.2 fallback
route-map-mode

Enables fallback to destination-based routing. This option is enabled by default. To disable fallback, use the no > fallback command.

The action taken for packets satisfying the match criteria is determined by the mark (action) clauses. If no action is defined, the default is to fall back to destination-based routing.

NOTE: If no mark clause is configured and fallback to destination-based routing is disabled, the packet is dropped.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
fallback

Parameters
None

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#fallback
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#
Related Commands
  no    Disables fallback to destination-based routing when no next hop is configured or all are unreachable

24.1.4.3 mark
route-map-mode

Enables the marking of the DSCP field in the IP header

Use this command to set the IP DSCP bits for QoS. The mark action of the route map takes precedence over the mark action of an ACL. The DSCP field in an IP header enables packet classification: packet filtering can be done based on traffic class, as determined from the IP DSCP field. One DSCP value can be configured per route-map entry.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
mark ip dscp <0-63>

Parameters
mark ip dscp <0-63>

  ip dscp <0-63>    Marks the DSCP field in the IP header
                    <0-63>  Specify a DSCP value from 0 - 63.

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
route-map 1
 default-next-hop wwan1
 mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#
Related Commands
  no    Disables marking of IP packets

24.1.4.4 match
route-map-mode

Sets the match clauses

Each route-map entry has a set of match clauses used to segregate and filter packets. Packets can be segregated using any one of the following criteria:

- IP Access List - A typical IP ACL can be used for routing traffic. The mark and log actions in ACL rules are, however, ignored; route-map entries have separate logging. Only one ACL can be configured per route-map entry. ACL rules configured under route-map entries merge to create a single ACL, and route-map precedence values determine the prioritization of the rules in this merged ACL. An IP DSCP value is also added to the ACL rules.
- IP DSCP - Packet filtering can be performed by traffic class, as determined from the IP Differentiated Services Code Point (DSCP) field. One DSCP value can be configured per route-map entry. If IP ACLs on a WLAN, port or SVI mark packets, the new (marked) DSCP value is used for matching.
- Incoming WLAN - Packets can be filtered on the basis of the incoming WLAN. Depending on whether the receiving device has an onboard radio, two scenarios are possible:
  Device with an onboard radio: if a PBR-capable device with an onboard radio receives a packet on a local WLAN, this WLAN is used for selection.
  Device without an onboard radio: if a PBR-capable device without an onboard radio receives a packet from an extended VLAN, it passes the WLAN information in the MiNT packet to the PBR router. The PBR router uses this information as match criteria.
- Client role - The client role can be used as match criteria, similar to a WLAN. Each device has to agree on a unique identifier for the role definition and pass the same in MiNT tunneled packets.
- Incoming SVI - A source IP address qualifier in an ACL typically satisfies filter requirements. But if the source host (where the packet originates) is multiple hops away, the incoming SVI can be used as match criteria. In this context the SVI refers to the interface of the device performing PBR, not to the source device.

The action taken for filtered packets is determined by the mark (action) clauses. If no action is defined, the default is to fall back to destination-based routing for packets satisfying the match criteria. For more information on configuring mark clauses, see mark. For more information on the fallback action, see fallback.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
match [incoming-interface|ip|ip-access-list|wireless-client-role|wlan]
match incoming-interface [<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]
match ip dscp <0-63>
match ip-access-list <IP-ACCESS-LIST-NAME>
match wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>
match wlan <WLAN-NAME>

Parameters
match incoming-interface [<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1]

  incoming-interface    Sets the incoming SVI match clause. Specify an interface name.
  <ROUTER-IF-NAME>      Specifies the layer 3 interface name (router interface)
  pppoe1                Specifies the PPP over Ethernet interface
  serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>
                        Specifies the serial interface's slot, port, and channel group IDs
  vlan <1-4094>         Specifies the VLAN interface ID
                        <1-4094>  Specify a VLAN ID from 1 - 4094.
  wwan1                 Specifies the WAN interface name

match ip dscp <0-63>

  ip dscp <0-63>        Sets the DSCP match clause
                        <0-63>  Specify a value from 0 - 63. The defined DSCP value is used as a matching clause for this route map.

match ip-access-list <IP-ACCESS-LIST-NAME>

  ip-access-list <IP-ACCESS-LIST-NAME>
                        Sets the match clause using a pre-configured IP access list
                        <IP-ACCESS-LIST-NAME>  Specify a pre-configured IP access list name.

match wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>

  wireless-client-role <ROLE-POLICY-NAME> <ROLE-NAME>
                        Sets the wireless client role match clause
                        <ROLE-POLICY-NAME>  Specify a pre-configured role policy.
                        <ROLE-NAME>         Specify a pre-configured role within that policy.

match wlan <WLAN-NAME>

  wlan <WLAN-NAME>      Sets the incoming WLAN match clause
                        <WLAN-NAME>  Specify a WLAN name.

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#match incoming-interface pppoe1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
route-map 1
 match incoming-interface pppoe1
 default-next-hop wwan1
 mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#
Related Commands
  no    Disables match clause settings for this route map

24.1.4.5 next-hop
route-map-mode

Sets the next hop for packets satisfying match criteria

This command configures the primary and, optionally, the secondary next hop. When defined, the primary hop is used, with no additional considerations, whenever it is available.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1] {<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1}

Parameters
next-hop [<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1] {<IP>|<ROUTER-IF-NAME>|pppoe1|serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>|vlan <1-4094>|wwan1}

  next-hop            Sets the next hop (primary and secondary) for packets satisfying match criteria. It is not mandatory to define the secondary hop; the secondary hop is used when the primary hop is unavailable.
  <IP>                Specifies the primary or secondary next hop router's IP address
  <ROUTER-IF-NAME>    Specifies the layer 3 interface name (router interface)
  pppoe1              Specifies the PPP over Ethernet interface
  serial <SLOT-ID> <PORT-ID> <CHANNEL-GROUP-ID>
                      Specifies the serial interface's slot, port, and channel group IDs
  vlan <1-4094>       Specifies the VLAN interface ID
                      <1-4094>  Specify a VLAN ID from 1 - 4094. The VLAN interface should be a DHCP client.
  wwan1               Specifies the WAN interface

Example
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#next-hop vlan 1
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
route-map 1
 match incoming-interface pppoe1
 next-hop vlan1
 default-next-hop wwan1
 mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#
Related Commands
  no    Disables the next hop router settings

24.1.4.6 no
route-map-mode

Negates a command or sets its defaults

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
no [default-next-hop|fallback|mark|match|next-hop]

Parameters
no <PARAMETERS>

  no <PARAMETERS>    Negates a command or sets its defaults

Usage Guidelines
The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated.

Example
The following example shows the route-map 1 settings before the no commands are executed:

rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
route-map 1
 match incoming-interface pppoe1
 next-hop vlan1
 default-next-hop wwan1
 mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#

rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#no default-next-hop
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#no next-hop

The following example shows the route-map 1 settings after the no commands are executed:

rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#show context
route-map 1
 match incoming-interface pppoe1
 mark ip dscp 7
rfs6000-37FABE(config-routing-policy-testpolicy-route-map-1)#
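The route-map commands above (match, next-hop, default-next-hop, fallback, mark) are described one at a time; what a practitioner wants to see is how they combine into the (a)/(b)/(c) evaluation order given under route-map. The following Python model is an added example, not WiNG code. It assumes, and labels in the comments, that every match clause configured on an entry must match (AND); that disabling fallback skips the destination-based lookup but the default next hop is still tried; and that next-hop reachability is a set supplied by the caller rather than the device's link monitoring. The policy, RIB and packets are constructed.

```python
# Added example (not WiNG code): a model of the route-map evaluation order
# described under route-map and refined by the match, next-hop,
# default-next-hop, fallback and mark commands. Assumptions: every match
# clause configured on an entry must match (AND); disabling fallback skips
# the destination-based lookup but the default next hop is still tried;
# reachability is a set supplied by the caller, not the device's monitoring.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int = 0
    wlan: Optional[str] = None      # incoming WLAN, when known
    in_if: Optional[str] = None     # incoming SVI on the PBR device


@dataclass
class RouteMap:
    precedence: int                 # 1-100; lower is evaluated first
    match_wlan: Optional[str] = None
    match_dscp: Optional[int] = None
    match_in_if: Optional[str] = None
    next_hops: list = field(default_factory=list)   # at most two
    default_next_hop: Optional[str] = None
    fallback: bool = True           # the guide's default
    mark_dscp: Optional[int] = None

    def __post_init__(self):
        if len(self.next_hops) > 2:
            raise ValueError("route-map allows at most two next hops")

    def matches(self, pkt: Packet) -> bool:
        wanted = [(self.match_wlan, pkt.wlan),
                  (self.match_dscp, pkt.dscp),
                  (self.match_in_if, pkt.in_if)]
        return all(w is None or w == have for w, have in wanted)


def rib_lookup(rib: dict, dst: str) -> Optional[str]:
    """Longest-prefix match in a {prefix: egress} table (destination-based routing)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, via in rib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, via)
    return best[1] if best else None


def route(policy, pkt: Packet, reachable: set, rib: dict):
    """Return (decision, via) for one packet: the first matching entry wins."""
    for rm in sorted(policy, key=lambda r: r.precedence):
        if not rm.matches(pkt):
            continue
        if rm.mark_dscp is not None:
            pkt.dscp = rm.mark_dscp          # route-map mark overrides an ACL mark
        for nh in rm.next_hops:              # (a) first reachable next hop
            if nh in reachable:
                return ("next-hop", nh)
        if rm.fallback:                      # (b) destination-based lookup
            via = rib_lookup(rib, pkt.dst)
            if via is not None:
                return ("rib", via)
        if rm.default_next_hop in reachable: # (c) gateway of last resort
            return ("default-next-hop", rm.default_next_hop)
        return ("drop", None)
    via = rib_lookup(rib, pkt.dst)           # no entry matched: normal routing
    return ("rib", via) if via is not None else ("drop", None)


# Constructed policy: guest WLAN traffic leaves via wwan1 or 10.0.0.2, is
# re-marked DSCP 8 and uses pppoe1 as last resort; EF (DSCP 46) traffic must
# go via vlan2 and is dropped rather than re-routed when vlan2 is down.
POLICY = [
    RouteMap(10, match_wlan="guest", next_hops=["wwan1", "10.0.0.2"],
             default_next_hop="pppoe1", mark_dscp=8),
    RouteMap(20, match_dscp=46, next_hops=["vlan2"], fallback=False),
]
RIB = {"192.168.50.0/24": "vlan1"}           # constructed; deliberately no default route
```

Two behaviours worth checking against a real policy with this model: a guest packet carrying DSCP 46 is handled by entry 10, never entry 20, because precedence decides and only the first match acts; and with fallback disabled, an entry whose next hop is down drops traffic rather than letting it escape through the route table, which is the intended use when a flow must not leave via an unintended uplink.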
24.1.5 use
routing-policy-commands

Uses Critical Resource Management (CRM) to monitor link status

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
use critical-resource-monitoring

Parameters
use critical-resource-monitoring

  use critical-resource-monitoring    Uses CRM to monitor the status of a link. Selecting this option determines the disposition of the route-map next hop via monitored critical resources. Link monitoring is the function used to determine a potential failover to the secondary next hop. This option is enabled by default.

Example
rfs6000-37FABE(config-routing-policy-testpolicy)#use critical-resource-monitoring
rfs6000-37FABE(config-routing-policy-testpolicy)#
Related Commands no Disables CRM link status monitoring Access Point, Wireless Controller and Service Platform CLI Reference Guide 24 - 18 ROUTING-POLICY 24.1.6 no routing-policy-commands Negates a command or sets its defaults Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax no [apply-to-local-packets|logging|route-map|use]
Parameters no <PARAMETERS>
no <PARAMETERS>
Negates a command or set its defaults Usage Guidelines The no command negates any command associated with it. Wherever required, use the same parameters associated with the command getting negated. Example The following example shows the routing policy testpolicy settings before the no commands are executed:
rfs6000-37FABE(config-routing-policy-testpolicy)#show context routing-policy testpolicy logging route-map 1 match incoming-interface pppoe1 default-next-hop wwan1 mark ip dscp 7 rfs6000-37FABE(config-routing-policy-testpolicy)#
rfs6000-37FABE(config-routing-policy-testpolicy)#no logging rfs6000-37FABE(config-routing-policy-testpolicy)#no route-map 1 rfs6000-37FABE(config-routing-policy-testpolicy)#no apply-to-local-packets The following example shows the routing policy testpolicy settings after the no commands are executed:
rfs6000-37FABE(config-routing-policy-testpolicy)#show context routing-policy testpolicy no apply-to-local-packets rfs6000-37FABE(config-routing-policy-testpolicy)#
25 AAA-TACACS-POLICY

This chapter summarizes the authentication, authorization, and accounting (AAA) Terminal Access Controller Access-Control System (TACACS) policy commands in the CLI command structure.

TACACS is a network security application that adds to network security by providing a centralized authentication, authorization, and accounting platform. A TACACS implementation requires configuration of the TACACS authentication server and its user database.

Use the (config) instance to configure AAA-TACACS policy commands. To navigate to the config-aaa-tacacs-policy instance, use the following commands:

  <DEVICE>(config)#aaa-tacacs-policy <POLICY-NAME>

  rfs6000-37FABE(config)#aaa-tacacs-policy test
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#?
  AAA TACACS Policy Mode commands:
    accounting      Configure accounting parameters
    authentication  Configure authentication parameters
    authorization   Configure authorization parameters
    no              Negate a command or set its defaults

    clrscr          Clears the display screen
    commit          Commit all changes made in this session
    do              Run commands from Exec mode
    end             End current mode and change to EXEC mode
    exit            End current mode and down to previous mode
    help            Description of the interactive help system
    revert          Revert changes
    service         Service Commands
    show            Show running system information
    write           Write running configuration to memory or terminal

  rfs6000-37FABE(config-aaa-tacacs-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

25.1 aaa-tacacs-policy
AAA-TACACS-POLICY

The following table summarizes AAA-TACACS policy configuration commands:

Table 25.1 AAA-TACACS-Policy-Config Commands
  Command         Description                                    Reference
  accounting      Configures TACACS accounting parameters        page 25-3
  authentication  Configures TACACS authentication parameters    page 25-6
  authorization   Configures TACACS authorization parameters     page 25-9
  no              Negates a command or sets its default          page 25-12

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

25.1.1 accounting
aaa-tacacs-policy

Configures the accounting server type and the interval at which interim accounting updates are sent to the server. Up to 2 accounting servers can be configured.

Accounting tracks user activity on the network and records information such as the resources used and the usage time. This information can be used for audit and billing purposes; TACACS accounting of user activity is especially useful for security audits.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  accounting [access-method|auth-fail|commands|server|session]
  accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}
  accounting [auth-fail|commands|session]
  accounting server [<1-2>|preference]
  accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]
  accounting server <1-2> [host|retry-timeout-factor <50-200>|timeout]
  accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
  accounting server <1-2> timeout <3-5> {attempts <1-3>}

Parameters
  accounting access-method [all|console|ssh|telnet] {(console|ssh|telnet)}

  access-method    Configures the TACACS accounting access mode. The options are: console, SSH, Telnet, and all.
    all            Configures TACACS accounting for all access modes
    console        Configures TACACS accounting for console access only
    ssh            Configures TACACS accounting for SSH access only
    telnet         Configures TACACS accounting for Telnet access only

  accounting [auth-fail|commands|session]

  auth-fail        Enables accounting of authentication failure details. This option is disabled by default.
  commands         Enables accounting of the commands executed. This option is disabled by default.
  session          Enables accounting of session start and stop details. This option is disabled by default.

  accounting server preference [authenticated-server-host|authenticated-server-number|authorized-server-host|authorized-server-number|none]

  server           Configures a TACACS accounting server
    preference     Configures the accounting server preference (the method used to select, from the pool, the server the request is sent to)
      authenticated-server-host    Sets the authentication server as the accounting server. This is the default setting. The same server is used for authentication and accounting; the server is referred to by its hostname.
      authenticated-server-number  Sets the authentication server as the accounting server. The same server is used for authentication and accounting; the server is referred to by its index number.
      authorized-server-host       Sets the authorization server as the accounting server. The same server is used for authorization and accounting; the server is referred to by its hostname.
      authorized-server-number     Sets the authorization server as the accounting server. The same server is used for authorization and accounting; the server is referred to by its index number.
      none                         Indicates the accounting server is independent of the authentication and authorization servers

  accounting server <1-2> retry-timeout-factor <50-200>

  server <1-2>                     Configures an accounting server. Up to 2 accounting servers can be configured.
  retry-timeout-factor <50-200>    Sets the scaling factor for retry timeouts
    <50-200>                       Specify a value from 50 - 200. The default is 100. A value of 100 keeps the time gap between two consecutive retries the same irrespective of the number of retries. A value lower than 100 shortens the gap with each successive retry. A value greater than 100 lengthens the gap with each successive retry.

  accounting server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}

  server <1-2>          Configures an accounting server. Up to 2 accounting servers can be configured.
  host <IP/HOSTNAME>    Configures the accounting server's IP address or hostname
  secret [0 <SECRET>|2 <SECRET>|<SECRET>]    Optional. Configures the shared secret key used to authenticate with the accounting server
    0 <SECRET>          Configures a clear text secret key
    2 <SECRET>          Configures an encrypted secret key
    <SECRET>            Specify the secret key. The shared secret should not exceed 127 characters.
  port <1-65535>        Optional. Configures the accounting server port (the port used to connect to the accounting server)
    <1-65535>           Specify the TCP accounting port number from 1 - 65535. The default port is 49.

  accounting server <1-2> timeout <3-5> {attempts <1-3>}

  server <1-2>          Configures an accounting server. Up to 2 accounting servers can be configured.
  timeout <3-5>         Configures the timeout for each request sent to the TACACS accounting server. This is the time allowed to elapse before another request is sent. If a response is received from the server within this time, no retry is attempted.
    <3-5>               Specify a value from 3 - 5 seconds. The default is 3 seconds.
  attempts <1-3>        Optional. Specifies the number of times a transmission request is attempted. This is the maximum number of times a request is sent to the TACACS accounting server before it is discarded.
    <1-3>               Specify a value from 1 - 3. The default is 3.

Example
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#accounting auth-fail
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#accounting commands
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#accounting server preference authorized-server-number
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
  aaa-tacacs-policy test
   accounting server preference authorized-server-number
   accounting auth-fail
   accounting commands
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#
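The host, secret and port parameters above (TCP port 49 by default, and a shared secret stored either clear text with 0 or encrypted with 2) are the client side of the TACACS+ wire protocol. The following Python is an added example, not from this guide or from Extreme's implementation: it builds the RFC 8907 packet header and applies the body obfuscation to show what the shared secret does on the wire. The body is XORed with an MD5 chain keyed by session id, secret, version byte and sequence number, so the secret is the only thing protecting usernames, passwords and commands in transit, and a packet sent with the UNENCRYPTED flag carries them in the clear. That WiNG follows RFC 8907 byte for byte is an assumption; the user, port and address values are constructed.

```python
"""TACACS+ (RFC 8907) packet header and body obfuscation, as an added example.

The shared `secret` configured on the device is the only key material that
protects the packet body: the body is XORed with an MD5 chain derived from
the session id, the secret, the version byte and the sequence number. Whoever
holds the secret can read every authentication, authorization and accounting
exchange; with the UNENCRYPTED flag set, the body travels in the clear.
Whether WiNG follows the RFC byte for byte is an assumption; sample user,
port and address values below are constructed.
"""
import hashlib
import os
import struct
from typing import Dict, Optional

TAC_PLUS_VERSION = (0xC << 4) | 0x0          # major 0xC, minor 0 -> 0xC0
TAC_PLUS_AUTHEN, TAC_PLUS_AUTHOR, TAC_PLUS_ACCT = 0x01, 0x02, 0x03
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_SINGLE_CONNECT_FLAG = 0x04

# Authentication START body fields (RFC 8907 section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length


def new_session_id() -> int:
    """The client picks a random 32-bit session id per session (RFC 8907 4.1)."""
    return struct.unpack("!I", os.urandom(4))[0]


def pseudo_pad(session_id: int, secret: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id, key, version, seq_no); MD5_n appends MD5_(n-1). Truncated to length."""
    seed = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, secret: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; applying it twice restores the plaintext."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, priv_lvl: int = 1) -> bytes:
    """Authentication START for an ASCII login; the data field is empty."""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def build_packet(pkt_type: int, seq_no: int, session_id: int, body: bytes,
                 secret: Optional[bytes]) -> bytes:
    """Header plus body. secret=None means no obfuscation and the UNENCRYPTED flag is set."""
    flags = 0
    if secret is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        payload = body
    else:
        payload = obfuscate(body, session_id, secret, TAC_PLUS_VERSION, seq_no)
    return HEADER.pack(TAC_PLUS_VERSION, pkt_type, seq_no, flags, session_id, len(body)) + payload


def parse_packet(raw: bytes, secret: Optional[bytes]) -> Dict[str, object]:
    """Split header and body, de-obfuscating with `secret` unless the packet is flagged clear."""
    version, pkt_type, seq_no, flags, session_id, length = HEADER.unpack_from(raw)
    payload = raw[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = payload
    elif secret is None:
        raise ValueError("obfuscated body but no secret supplied")
    else:
        body = obfuscate(payload, session_id, secret, version, seq_no)
    return {"version": version, "type": pkt_type, "seq_no": seq_no, "flags": flags,
            "session_id": session_id, "body": body}


def demo_roundtrip(secret: bytes = b"s3cr3t", session_id: int = 0x12345678) -> bytes:
    """Encode an authentication START (seq 1) and decode it with the same secret."""
    body = authen_start_body(b"admin", b"ssh", b"192.0.2.10")   # constructed values
    raw = build_packet(TAC_PLUS_AUTHEN, 1, session_id, body, secret)
    return parse_packet(raw, secret)["body"]
```

Decoding with a different secret yields garbage rather than an error, which is why a mismatched secret shows up on the device as a server that never answers correctly, not as a clear "wrong key" message. The chain is MD5-based keystream reuse protected only by the session id, so the secret deserves the same handling as a password and should not be stored clear text (`secret 0`) in exported configurations.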
Related Commands
  no    Resets values or disables commands

25.1.2 authentication
aaa-tacacs-policy

Configures user authentication parameters. Users are allowed or denied access to the network based on the authentication parameters set.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  authentication [access-method|directed-request|server|service]
  authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}
  authentication directed-request
  authentication server <1-2> [host|retry-timeout-factor|timeout]
  authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
  authentication server <1-2> retry-timeout-factor <50-200>
  authentication server <1-2> timeout <3-60> {attempts <1-10>}
  authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}

Parameters
  authentication access-method [all|console|ssh|telnet|web] {(console|ssh|telnet|web)}

  access-method    Configures the access modes for TACACS authentication. The options are: console, SSH, Telnet, Web, and all.
    all            Authenticates users using all access modes (console, SSH, Telnet, and Web)
    console        Authenticates users using console access only
    ssh            Authenticates users using SSH access only
    telnet         Authenticates users using Telnet access only
    web            Authenticates users using the Web interface only

  authentication directed-request

  directed-request    Enables a user to specify the TACACS server to use with `@server'. This option is disabled by default. The specified server must be present in the configured server list.

  authentication server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}

  server <1-2>          Configures a TACACS authentication server. Up to 2 TACACS servers can be configured.
    <1-2>               Specify the TACACS server index from 1 - 2.
  host <IP/HOSTNAME>    Sets the TACACS server's IP address or hostname
  secret [0 <SECRET>|2 <SECRET>|<SECRET>]    Configures the secret key used to authenticate with the TACACS server
    0 <SECRET>          Configures a clear text secret
    2 <SECRET>          Configures an encrypted secret
    <SECRET>            Specify the secret key. The shared key should not exceed 127 characters.
  port <1-65535>        Optional. Specifies the port used to connect to the TACACS server
    <1-65535>           Specify the TCP authentication port from 1 - 65535. The default port is 49.

  authentication server <1-2> retry-timeout-factor <50-200>

  server <1-2>                     Configures a TACACS authentication server. Up to 2 TACACS servers can be configured.
    <1-2>                          Specify the TACACS server index from 1 - 2.
  retry-timeout-factor <50-200>    Configures the timeout scaling between two consecutive TACACS authentication retries
    <50-200>                       Specify the scaling factor from 50 - 200. The default is 100. A value of 100 keeps the interval between consecutive retries the same irrespective of the number of retries. A value lower than 100 shortens the interval with each successive retry. A value greater than 100 lengthens the interval with each successive retry.

  authentication server <1-2> timeout <3-60> {attempts <1-10>}

  server <1-2>          Configures a TACACS authentication server. Up to 2 TACACS servers can be configured.
    <1-2>               Specify the TACACS server index from 1 - 2.
  timeout <3-60>        Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent. If a response is received from the TACACS server within this time, no retry is attempted.
    <3-60>              Specify a value from 3 - 60 seconds. The default is 3 seconds.
  attempts <1-10>       Optional. Indicates the number of retry attempts to make before giving up
    <1-10>              Specify a value from 1 - 10. The default is 3.

  authentication service <SERVICE-NAME> {protocol <AUTHENTICATION-PROTO-NAME>}

  service <SERVICE-NAME>                  Configures the TACACS authentication service name
  protocol <AUTHENTICATION-PROTO-NAME>    Optional. Specifies the authentication protocol used with this TACACS policy. A maximum of five entries is allowed.

Example
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#authentication directed-request
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
  aaa-tacacs-policy test
   authentication directed-request
   accounting server preference authorized-server-number
   accounting auth-fail
   accounting commands
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#
Related Commands
  no    Resets values or disables commands

25.1.3 authorization
aaa-tacacs-policy

Configures authorization parameters. This feature allows network administrators to limit user access and to configure varying levels of access for different users.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  authorization [access-method|allow-privileged-commands|server]
  authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}
  authorization allow-privileged-commands
  authorization server [<1-2>|preference]
  authorization server <1-2> [host|retry-timeout-factor|timeout]
  authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}
  authorization server <1-2> retry-timeout-factor <50-200>
  authorization server <1-2> timeout <3-5> {attempts <1-3>}
  authorization server preference [authenticated-server-host|authenticated-server-number|none]

Parameters
  authorization access-method [all|console|telnet|ssh] {(console|ssh|telnet)}

  access-method             Configures the access method for command authorization
    all                     Authorizes commands from all access methods
    console                 Authorizes commands from the console only
    telnet                  Authorizes commands from Telnet only
    ssh                     Authorizes commands from SSH only
    {console|ssh|telnet}    Optional. Configures more than one access method for command authorization

  authorization allow-privileged-commands

  allow-privileged-commands    Allows privileged commands to execute without command authorization, so the TACACS server is not asked to approve them. This option is disabled by default.

  authorization server <1-2> host <IP/HOSTNAME> {secret [0 <SECRET>|2 <SECRET>|<SECRET>]} {port <1-65535>}

  server <1-2>          Configures a TACACS authorization server. Up to 2 TACACS servers can be configured.
    <1-2>               Specify the TACACS server index from 1 - 2.
  host <IP/HOSTNAME>    Sets the TACACS server's IP address or hostname
  secret [0 <SECRET>|2 <SECRET>|<SECRET>]    Optional. Configures the secret used to authorize with the TACACS server
    0 <SECRET>          Configures a clear text secret
    2 <SECRET>          Configures an encrypted secret
    <SECRET>            Specify the secret key. The shared key should not exceed 127 characters.
  port <1-65535>        Optional. Specifies the port used to connect to the TACACS server
    <1-65535>           Specify the TCP authorization port from 1 - 65535. The default port is 49.

  authorization server <1-2> retry-timeout-factor <50-200>

  server <1-2>                     Configures a TACACS authorization server. Up to 2 TACACS servers can be configured.
    <1-2>                          Specify the TACACS server index from 1 - 2.
  retry-timeout-factor <50-200>    Configures the scaling of timeouts between consecutive TACACS authorization retries
    <50-200>                       Specify the scaling factor from 50 - 200. The default is 100. A value of 100 keeps the interval between consecutive retries the same irrespective of the number of retries. A value lower than 100 shortens the interval with each successive retry. A value greater than 100 lengthens the interval with each successive retry.

  authorization server <1-2> timeout <3-5> {attempts <1-3>}

  server <1-2>          Configures a TACACS authorization server. Up to 2 TACACS servers can be configured.
    <1-2>               Specify the TACACS server index from 1 - 2.
  timeout <3-5>         Configures the timeout, in seconds, for each request sent to the TACACS server. This is the time allowed to elapse before another request is sent. If a response is received from the TACACS server within this time, no retry is attempted.
    <3-5>               Specify a value from 3 - 5 seconds. The default is 3 seconds.
  attempts <1-3>        Optional. Indicates the number of retry attempts to make before giving up
    <1-3>               Specify a value from 1 - 3. The default is 3.

  authorization server preference [authenticated-server-host|authenticated-server-number|none]

  preference                       Configures the authorization server preference
    authenticated-server-host      Sets the authentication server as the authorization server. The same server is used for authentication and authorization; the server is referred to by its hostname.
    authenticated-server-number    Sets the authentication server as the authorization server. The same server is used for authentication and authorization; the server is referred to by its index number.
    none                           Indicates the authorization server is independent of the authentication server

Example
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#authorization allow-privileged-commands
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
  aaa-tacacs-policy test
   authentication directed-request
   accounting server preference authorized-server-number
   authorization allow-privileged-commands
   accounting auth-fail
   accounting commands
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#
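The retry-timeout-factor, timeout and attempts parameters are documented identically for accounting, authentication and authorization above, and together they decide how long a device keeps waiting on an unreachable server. The guide describes the factor only qualitatively (100 keeps the gap constant, below 100 shrinks it, above 100 grows it) and gives no formula. The Python below is an added example, not from the guide: it assumes each retry interval is the previous one multiplied by factor/100 and that a second configured server is tried after the first with the same settings, enforces the ranges this chapter documents for each service, and computes the worst-case wait, which is what an administrator sits through at the login prompt when both servers are down.

```python
"""Worst-case TACACS wait on a WiNG device, as an added example (not from the guide).

The chapter documents retry-timeout-factor only qualitatively: 100 keeps the gap
between retries constant, below 100 shrinks it, above 100 grows it. The formula is
not given, so this model ASSUMES each interval is the previous one times factor/100
and that a second configured server is tried after the first with the same settings.
The permitted ranges are taken from the parameter tables in this chapter.
"""
from typing import Dict, List, Tuple

# service -> ((timeout min, max) in seconds, (attempts min, max))
LIMITS: Dict[str, Tuple[Tuple[int, int], Tuple[int, int]]] = {
    "authentication": ((3, 60), (1, 10)),
    "authorization": ((3, 5), (1, 3)),
    "accounting": ((3, 5), (1, 3)),
}
FACTOR_MIN, FACTOR_MAX = 50, 200


def validate(service: str, timeout: int, attempts: int, factor: int = 100) -> None:
    """Raise ValueError when a value falls outside what the CLI accepts for that service."""
    if service not in LIMITS:
        raise ValueError(f"unknown service {service!r}")
    (t_lo, t_hi), (a_lo, a_hi) = LIMITS[service]
    if not t_lo <= timeout <= t_hi:
        raise ValueError(f"{service} timeout must be {t_lo}-{t_hi} s, got {timeout}")
    if not a_lo <= attempts <= a_hi:
        raise ValueError(f"{service} attempts must be {a_lo}-{a_hi}, got {attempts}")
    if not FACTOR_MIN <= factor <= FACTOR_MAX:
        raise ValueError(f"retry-timeout-factor must be {FACTOR_MIN}-{FACTOR_MAX}, got {factor}")


def retry_schedule(timeout: int, attempts: int, factor: int = 100) -> List[float]:
    """Seconds waited for each attempt under the assumed geometric scaling."""
    scale = factor / 100
    return [timeout * scale ** k for k in range(attempts)]


def worst_case_wait(service: str, timeout: int, attempts: int,
                    factor: int = 100, servers: int = 1) -> float:
    """Total seconds a request can hang when every configured server is unreachable."""
    validate(service, timeout, attempts, factor)
    if servers not in (1, 2):
        raise ValueError("the policy allows 1 or 2 servers")
    return sum(retry_schedule(timeout, attempts, factor)) * servers
```

With the defaults (timeout 3, attempts 3, factor 100) a dead server costs 9 seconds per server. At the authentication maximums (timeout 60, attempts 10, factor 200) the same model gives over 17 hours per server, so a generous backoff that looks harmless on a healthy network becomes a denial of administrative access during an outage.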
Related Commands
  no    Resets values or disables commands

25.1.4 no
aaa-tacacs-policy

Negates an AAA TACACS policy command or sets its default.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [accounting|authentication|authorization]

Parameters
  no <PARAMETERS>

  no <PARAMETERS>    Provide the parameters needed to reset or disable the desired AAA-TACACS policy setting.

Example
The following example shows the AAA-TACACS policy test settings before the no commands are executed:

  rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
  aaa-tacacs-policy test
   authentication directed-request
   accounting server preference authorized-server-number
   authorization allow-privileged-commands
   accounting auth-fail
   accounting commands
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#

  rfs6000-37FABE(config-aaa-tacacs-policy-test)#no authentication directed-request
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#no accounting auth-fail
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#no authorization allow-privileged-commands

The following example shows the AAA-TACACS policy test settings after the no commands are executed:

  rfs6000-37FABE(config-aaa-tacacs-policy-test)#show context
  aaa-tacacs-policy test
   accounting server preference authorized-server-number
   accounting commands
  rfs6000-37FABE(config-aaa-tacacs-policy-test)#
Related Commands
  accounting      Configures TACACS accounting parameters
  authentication  Configures TACACS authentication parameters
  authorization   Configures TACACS authorization parameters

26 MESHPOINT

This chapter summarizes the Meshpoint commands in the CLI command structure. Meshpoints are detector radios that monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation.

This chapter is organized as follows:
  meshpoint-config-instance
  meshpoint-qos-policy-config-instance
  meshpoint-device-config-instance

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

26.1 meshpoint-config-instance
MESHPOINT

MeshConnex (MCX) is a mesh networking technology comparable to the 802.11s mesh networking specification. MCX meshing uses a hybrid proactive/on-demand path selection protocol, similar to Ad hoc On-Demand Distance Vector (AODV) routing protocols. This allows it to form efficient paths using multiple attachment points to a distribution WAN, or to form purely ad hoc peer-to-peer mesh networks in the absence of a WAN. Each device in the MCX mesh proactively manages its own path to the distribution WAN, but can also form peer-to-peer paths on demand to improve forwarding efficiency.

MCX is not compatible with MiNT based meshing, though the two technologies can be enabled simultaneously in certain circumstances. MCX is designed for large-scale, high-mobility outdoor mesh deployments.

MCX continually gathers data from beacons and transmission attempts to estimate the efficiency and throughput of each MP-to-MP link. MCX uses this data to dynamically form and continually maintain paths for forwarding network frames.

In MCX systems, a meshpoint (MP) is a virtual mesh networking instance on a device, similar to a WLAN AP. On each device, up to 4 MPs can be created and 2 can be created per radio. MPs can be configured to use one or both radios in the device. If the MP is configured to use both radios, the path selection protocols continually select the best radio to reach each destination.

Each MP participates in a single mesh network, defined by the MeshID. The MeshID is typically a descriptive network name, similar to the SSID of a WLAN. All MPs configured to use the same MeshID attempt to form a mesh and interoperate. The MeshID allows overlapping mesh networks to discriminate and disregard MPs belonging to different networks.

Use the (config) instance to configure a meshpoint. To navigate to the meshpoint configuration instance, use the following command:

  <DEVICE>(config)#meshpoint <MESHPOINT-NAME>

  rfs6000-37FABE(config)#meshpoint test
  rfs6000-37FABE(config-meshpoint-test)#?
  Mesh Point Mode commands:
    allowed-vlans   Set the allowed VLANs
    beacon-format   The beacon format of this meshpoint
    control-vlan    VLAN for meshpoint control traffic
    data-rates      Specify the 802.11 rates to be supported on this meshpoint
    description     Configure a description of the usage of this meshpoint
    force           Force suboptimal paths
    meshid          Configure the Service Set Identifier for this meshpoint
    neighbor        Configure neighbor specific parameters
    no              Negate a command or set its defaults
    root            Set this meshpoint as root
    security-mode   The security mode of this meshpoint
    shutdown        Shutdown this meshpoint
    use             Set setting to use
    wpa2            Modify ccmp wpa2 related parameters

    clrscr          Clears the display screen
    commit          Commit all changes made in this session
    do              Run commands from Exec mode
    end             End current mode and change to EXEC mode
    exit            End current mode and down to previous mode
    help            Description of the interactive help system
    revert          Revert changes
    service         Service Commands
    show            Show running system information
    write           Write running configuration to memory or terminal

  rfs6000-37FABE(config-meshpoint-test)#

The following table summarizes meshpoint configuration commands:

Table 26.1 Meshpoint-Config commands
  Command         Description                                                          Reference
  allowed-vlans   Configures VLANs allowed on the meshpoint                            page 26-4
  beacon-format   Configures the beacon format for the meshpoint AP                    page 26-5
  control-vlan    Configures the VLAN where meshpoint control traffic traverses        page 26-6
  data-rates      Configures the data rates supported per frequency band               page 26-7
  description     Configures a human friendly description for this meshpoint           page 26-11
  force           Forces formation of sub-optimal paths through the meshpoint's root node   page 26-12
  meshid          Configures a unique ID for this meshpoint                            page 26-13
  neighbor        Configures the neighbor inactivity timeout for this meshpoint        page 26-14
  no              Negates a command or reverts settings to their default               page 26-15
  root            Configures a meshpoint as the root meshpoint                         page 26-17
  security-mode   Configures the security mode on the meshpoint                        page 26-19
  service         Allows only 802.11n capable neighbors to create a mesh connection    page 26-20
  shutdown        Shuts down the meshpoint                                             page 26-21
  use             Configures a QoS policy for use with this meshpoint                  page 26-22
  wpa2            Configures WPA2 encryption settings                                  page 26-23

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

26.1.1 allowed-vlans
meshpoint-config-instance

Defines VLANs allowed to pass traffic on the mesh network. Use this command to add and remove VLANs from the list of allowed VLANs.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  allowed-vlans [<VLAN-ID>|add <VLAN-ID>|remove <VLAN-ID>]

Parameters
  allowed-vlans [<VLAN-ID>|add <VLAN-ID>|remove <VLAN-ID>]

  allowed-vlans       Defines VLANs allowed access on the mesh network
  <VLAN-ID>           The VLAN ID or the range of IDs to be managed. A single VLAN or multiple VLANs can be added to the list of allowed VLANs. When adding multiple VLANs, specify the range (for example, 10-20, 25, 30-35). Use this form to create the VLAN list on a new meshpoint.
  add <VLAN-ID>       Adds a single VLAN or a range of VLANs to the list of allowed VLANs. To specify a range of VLANs, specify the first and last VLAN ID in the range separated by a hyphen (for example, 1-10).
    <VLAN-ID>         Specify the VLAN ID or the range of IDs to add.
  remove <VLAN-ID>    Removes a single VLAN or a range of VLANs from the list of allowed VLANs
    <VLAN-ID>         Specify the VLAN ID or the range of IDs to remove.

Example
  rfs6000-37FABE(config-meshpoint-test)#allowed-vlans 1
  rfs6000-37FABE(config-meshpoint-test)#allowed-vlans add 10-23
  rfs6000-37FABE(config-meshpoint-test)#allowed-vlans remove 17
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   security-mode none
   no root
  rfs6000-37FABE(config-meshpoint-test)#
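The allowed-vlans list is the allow-list of VLANs bridged across the wireless backhaul, so it is worth being able to compute the effective list offline before committing it. The Python below is an added example, not code from the guide or from WiNG: it parses and prints VLAN lists in the `1,10-16,18-23` form the CLI uses and replays the three commands from the example above to reproduce that exact output. That the bare `allowed-vlans <VLAN-ID>` form replaces the whole list is an assumption drawn from the guide describing it as the way to create the list on a new meshpoint; the 1-4094 bound is the 802.1Q VLAN ID range, which is also the range the control-vlan command accepts.

```python
"""VLAN allow-list arithmetic matching the allowed-vlans example above.

Added example, not code from the guide or from WiNG. It reproduces the observable
behaviour of the three commands in the example (`allowed-vlans 1`, `add 10-23`,
`remove 17` yielding `1,10-16,18-23`). That the bare form replaces the whole list
is an assumption; the guide only says it creates the list on a new meshpoint.
"""
import re
from typing import Iterable, List, Set

VLAN_MIN, VLAN_MAX = 1, 4094   # 802.1Q VLAN ID range, also the control-vlan range in this chapter

_RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_vlan_list(spec: str) -> Set[int]:
    """'1,10-16,18-23' -> {1, 10, ..., 16, 18, ..., 23}; rejects malformed or out-of-range IDs."""
    vlans: Set[int] = set()
    for item in spec.split(","):
        item = item.strip()
        m = _RANGE_RE.match(item)
        if not m:
            raise ValueError(f"bad VLAN spec: {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if lo > hi or lo < VLAN_MIN or hi > VLAN_MAX:
            raise ValueError(f"VLAN range out of bounds: {item!r}")
        vlans.update(range(lo, hi + 1))
    return vlans


def format_vlan_list(vlans: Iterable[int]) -> str:
    """Collapse a set of IDs back into the 'a,b-c' form the CLI prints."""
    ids = sorted(set(vlans))
    if not ids:
        return ""
    parts: List[str] = []
    start = prev = ids[0]
    for v in ids[1:] + [None]:          # None is a sentinel that flushes the last run
        if v is not None and v == prev + 1:
            prev = v
            continue
        parts.append(str(start) if start == prev else f"{start}-{prev}")
        if v is not None:
            start = prev = v
    return ",".join(parts)


def apply_allowed_vlans(commands: Iterable[str], current: str = "") -> str:
    """Replay allowed-vlans commands against a current list and return the new list."""
    allowed = parse_vlan_list(current) if current else set()
    for cmd in commands:
        words = cmd.split()
        if not words or words[0] != "allowed-vlans":
            raise ValueError(f"not an allowed-vlans command: {cmd!r}")
        if len(words) == 2:                               # bare form: assumed to replace the list
            allowed = parse_vlan_list(words[1])
        elif len(words) == 3 and words[1] == "add":
            allowed |= parse_vlan_list(words[2])
        elif len(words) == 3 and words[1] == "remove":
            allowed -= parse_vlan_list(words[2])
        else:
            raise ValueError(f"unsupported form: {cmd!r}")
    return format_vlan_list(allowed)
```

Because the parser rejects VLAN 0, anything above 4094 and inverted ranges, it can be used as a pre-commit check on generated configuration before the list reaches a root meshpoint.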
Related Commands
  no    Clears the list of VLANs allowed access to the mesh network

26.1.2 beacon-format
meshpoint-config-instance

Configures the beacon transmission format for this meshpoint. Beacons are transmitted periodically to advertise that a wireless network is available; a beacon contains all the information a device needs to connect to the network. The beacon format advertises how a mesh capable AP7161 acts: an AP can act either as an access point or as a meshpoint.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  beacon-format [access-point|mesh-point]

Parameters
  beacon-format [access-point|mesh-point]

  beacon-format     Configures how a mesh capable AP71XX acts in a mesh network
    access-point    Uses access point style beacons
    mesh-point      Uses meshpoint style beacons (this is the default setting)

Example
  rfs6000-37FABE(config-meshpoint-test)#beacon-format mesh-point
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   security-mode none
   no root
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no    Resets the beacon format for this meshpoint to its default (mesh-point)

26.1.3 control-vlan
meshpoint-config-instance

Configures a VLAN as the dedicated control VLAN. Mesh management traffic can be sent over a dedicated VLAN, known as the control VLAN, which should be configured on the backhaul port of all access points configured as meshpoint roots. Once configured, the control VLAN enables communication between meshpoint root APs.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

Parameters
  control-vlan [<1-4094>|<VLAN-ALIAS-NAME>]

  control-vlan                    Configures a VLAN as the dedicated carrier of mesh management traffic
  [<1-4094>|<VLAN-ALIAS-NAME>]    Configures the control VLAN
    <1-4094>                      Specify the control VLAN from 1 - 4094. The default is VLAN 1.
    <VLAN-ALIAS-NAME>             Uses a VLAN alias to specify the control VLAN. If using a VLAN alias, ensure that it exists and is configured.
  If VLAN 1 is configured as the control VLAN, ensure that the VLAN is configured on the wired port of all access points belonging to the same meshpoint.
  Note: The control VLAN need not be added to the allowed VLAN list.

Example
  rfs6000-37FABE(config-meshpoint-test)#control-vlan 1
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   security-mode none
   no root
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no    Resets the control VLAN for this meshpoint to its default of 1

26.1.4 data-rates
meshpoint-config-instance

Configures individual data rates for the 2.4 GHz and 5.0 GHz frequency bands. In a mesh network, a mesh point is a virtual mesh networking instance on a device, similar to a WLAN AP. On each device, up to 4 mesh points can be created, and 2 can be created per radio. Each mesh point radio can have carefully administered radio rates specific to the 2.4 or 5 GHz band. Use this command to configure these radio rates.

NOTE: Ensure that the basic data rates configured on a meshpoint's root and non-root access points are the same.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  data-rates [2.4GHz|5GHz]
  data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]
  data-rates 2.4GHz custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)
  data-rates 5GHz [a-only|an|default]
  data-rates 5GHz custom (12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)

Parameters
  data-rates 2.4GHz [b-only|bg|bgn|default|g-only|gn]

  data-rates 2.4GHz    Configures preset data rates for the 2.4 GHz frequency
    b-only             Configures the data rate for the meshpoint using 802.11b only rates
    bg                 Configures the data rate for the meshpoint using 802.11b and 802.11g rates
    bgn                Configures the data rate for the meshpoint using 802.11b, 802.11g and 802.11n rates
    default            Configures the data rate for the meshpoint at a pre-configured default rate for this frequency
    g-only             Configures the data rate for the meshpoint using 802.11g only rates
    gn                 Configures the data rate for the meshpoint using 802.11g and 802.11n rates

  data-rates 2.4GHz custom (1|11|12|18|2|24|36|48|5.5|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)

  data-rates 2.4GHz custom    Configures custom rates for the 2.4 GHz frequency. Define both the minimum Basic and the optimal Supported rates as required for the 802.11b, 802.11g and 802.11n rates supported by the 2.4 GHz band. These are the rates at which wireless client traffic is supported within this mesh point. If supporting 802.11n, select a supported MCS index. Set a Modulation and Coding Scheme (MCS) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Meshpoints can communicate as long as they support the same basic MCS (as well as non-802.11n basic rates). The selected rates apply to associated client traffic within this mesh point only.
    1 | 2 | 5.5 | 6 | 9 | 11 | 12 | 18 | 24 | 36 | 48 | 54
                       Configures the available rate at 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48 or 54 Mbps respectively
    basic-1 | basic-2 | basic-5.5 | basic-6 | basic-9 | basic-11 | basic-12 | basic-18 | basic-24 | basic-36 | basic-48 | basic-54
                       Configures the corresponding rate (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48 or 54 Mbps) as a basic rate
    basic-mcs0-7       Configures the MCS index range of 0 - 7 as a basic rate
    mcs0-7             Configures the MCS index range of 0 - 7 as the data rate
    mcs0-15            Configures the MCS index range of 0 - 15 as the data rate
    mcs8-15            Configures the MCS index range of 8 - 15 as the data rate
  Multiple choices can be made from the above list of rates.

  data-rates 5GHz [a-only|an|default]

  data-rates 5GHz      Configures preset data rates for the 5.0 GHz frequency
    a-only             Configures the data rate for the meshpoint using 802.11a only rates
    an                 Configures the data rate for the meshpoint using 802.11a and 802.11n rates
    default            Configures the data rate for the meshpoint at a pre-configured default rate for this frequency

  data-rates 5GHz custom (12|18|24|36|48|54|6|9|basic-1|basic-11|basic-12|basic-18|basic-2|basic-24|basic-36|basic-48|basic-5.5|basic-54|basic-6|basic-9|mcs0-15|mcs0-7|mcs8-15|basic-mcs0-7)

  data-rates 5GHz custom    Configures custom rates for the 5.0 GHz frequency. Define both the minimum Basic and the optimal Supported rates as required for the 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates at which wireless client traffic is supported within this mesh point. If supporting 802.11n, select a supported MCS index. Set an MCS in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Mesh points can communicate as long as they support the same basic MCS (as well as non-802.11n basic rates). The selected rates apply to associated client traffic within this mesh point only.
    6 | 9 | 12 | 18 | 24 | 36 | 48 | 54
                       Configures the available rate at 6, 9, 12, 18, 24, 36, 48 or 54 Mbps respectively
    basic-1 | basic-2 | basic-5.5 | basic-6 | basic-9 | basic-11 | basic-12 | basic-18 | basic-24 | basic-36 | basic-48 | basic-54
                       Configures the corresponding rate (1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48 or 54 Mbps) as a basic rate
    basic-mcs0-7       Configures the MCS index range of 0 - 7 as a basic rate
    mcs0-7             Configures the MCS index range of 0 - 7 as the data rate
    mcs0-15            Configures the MCS index range of 0 - 15 as the data rate
    mcs8-15            Configures the MCS index range of 8 - 15 as the data rate
  Multiple choices can be made from the above list of rates.

Example
  rfs6000-37FABE(config-meshpoint-test)#data-rates 2.4GHz bgn
  rfs6000-37FABE(config-meshpoint-test)#data-rates 5GHz an
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode none
   no root
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no    Resets the data rates for each frequency band for this meshpoint

26.1.5 description
meshpoint-config-instance

Configures a brief description for this meshpoint. Use this command to describe this meshpoint and its features.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  description <DESCRIPTION>

Parameters
  description <DESCRIPTION>

  description        Configures a description for this meshpoint
    <DESCRIPTION>    The text describing this meshpoint

Example
  rfs6000-37FABE(config-meshpoint-test)#description "This is an example of a meshpoint description"
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   description "This is an example of a meshpoint description"
   meshid test
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode none
   no root
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no    Removes the human friendly description provided for this meshpoint

26.1.6 force
meshpoint-config-instance

Forces the formation of sub-optimal paths through the meshpoint's root node. As per legacy behavior, non-root devices under the same root communicated by forming direct paths through the network. This option allows non-root devices within the meshpoint to communicate by forming paths through the root node.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  force peer-paths-through-root

Parameters
  force peer-paths-through-root

  force                        Enables the formation of sub-optimal paths through the meshpoint root node. This option is disabled by default.
    peer-paths-through-root    Enables non-root devices to communicate by forming sub-optimal paths through the root node

Example
  nx9500-6C8809(config-meshpoint-test)#force peer-paths-through-root
  nx9500-6C8809(config-meshpoint-test)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode none
   no root
   force peer-paths-through-root
  nx9500-6C8809(config-meshpoint-test)#
Related Commands
  no    Disables the formation of sub-optimal paths through the meshpoint's root node

26.1.7 meshid
meshpoint-config-instance

Configures a unique Service Set Identifier (SSID) for this meshpoint. This ID is used to uniquely identify this meshpoint.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  meshid <MESH-SSID>

Parameters
  meshid <MESH-SSID>

  meshid           Configures a unique SSID for the meshpoint
    <MESH-SSID>    The unique SSID configured for this meshpoint
                   Note: The mesh SSID is case sensitive and should not exceed 32 characters.

Example
  rfs6000-37FABE(config-meshpoint-test)#meshid TestingMeshPoint
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   description "This is an example of a meshpoint description"
   meshid TestingMeshPoint
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode none
   no root
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no    Removes the SSID configured for this meshpoint

26.1.8 neighbor
meshpoint-config-instance

This command configures the inactivity timeout value for neighboring devices. If no frame is received from the neighbor device for the configured time, the neighbor's client resources are removed.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  neighbor inactivity-timeout <60-86400>

Parameters
  neighbor inactivity-timeout <60-86400>

  neighbor inactivity-timeout <60-86400>    Configures the neighbor inactivity timeout in seconds. This is the longest interval allowed between frames received from a neighbor before its client privileges are revoked.
    <60-86400>    Specify a value from 60 - 86400 seconds. The default is 120 seconds.

Example
  rfs6000-37FABE(config-meshpoint-test)#neighbor inactivity-timeout 300
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   description "This is an example of a meshpoint description"
   meshid TestingMeshPoint
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   neighbor inactivity-timeout 300
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode none
   no root
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no    Removes the configured neighbor inactivity timeout value for this meshpoint

26.1.9 no
meshpoint-config-instance

Negates meshpoint commands or resets their values to default.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [allowed-vlans|beacon-format|control-vlan|description|force|meshid|root|security-mode|shutdown]
  no data-rates [2.4GHz|5GHz]
  no force peer-paths-through-root
  no neighbor inactivity-timeout
  no use [aaa-policy|meshpoint-qos-policy]
  no wpa2 [eap|key-rotation|psk]
  no wpa2 eap [auth-type|identity|peap-mschapv2|tls trustpoint]
  no wpa2 key-rotation [broadcast|unicast]
  no wpa2 psk
  no service allow-ht-only

Parameters
  no <PARAMETERS>

  no <PARAMETERS>    Removes or reverts this meshpoint's settings to default, based on the parameters passed

Example
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   description "This is an example of a meshpoint description"
   meshid TestingMeshPoint
   shutdown
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   neighbor inactivity-timeout 300
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode psk
   wpa2 psk 0 Test Company
   wpa2 key-rotation unicast 1200
   wpa2 key-rotation broadcast 600
   root
  rfs6000-37FABE(config-meshpoint-test)#
  rfs6000-37FABE(config-meshpoint-test)#no allowed-vlans
  rfs6000-37FABE(config-meshpoint-test)#no beacon-format
  rfs6000-37FABE(config-meshpoint-test)#no control-vlan
  rfs6000-37FABE(config-meshpoint-test)#no description
  rfs6000-37FABE(config-meshpoint-test)#no meshid
  rfs6000-37FABE(config-meshpoint-test)#no root
  rfs6000-37FABE(config-meshpoint-test)#no security-mode
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   beacon-format mesh-point
   control-vlan 1
   neighbor inactivity-timeout 300
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode none
   wpa2 psk 0 Test Company
   wpa2 key-rotation unicast 1200
   wpa2 key-rotation broadcast 600
   no root
  rfs6000-37FABE(config-meshpoint-test)#no data-rates 2.4GHz
  rfs6000-37FABE(config-meshpoint-test)#no data-rates 5GHz
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   beacon-format mesh-point
   control-vlan 1
   neighbor inactivity-timeout 300
   security-mode none
   wpa2 psk 0 Test Company
   wpa2 key-rotation unicast 1200
   wpa2 key-rotation broadcast 600
   no root
  rfs6000-37FABE(config-meshpoint-test)#

  nx9500-6C8809(config-meshpoint-test)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode none
   no root
   force peer-paths-through-root
  nx9500-6C8809(config-meshpoint-test)#
  nx9500-6C8809(config-meshpoint-test)#no force peer-paths-through-root
  nx9500-6C8809(config-meshpoint-test)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode none
   no root
  nx9500-6C8809(config-meshpoint-test)#
26.1.10 root
meshpoint-config-instance

Configures this meshpoint as the root meshpoint. Root meshpoints are generally tied to an Ethernet backhaul for wired connectivity. By default this option is disabled.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  root

Parameters
  None

Example
There are two ways of configuring root access points within a meshpoint.

1 First method:
Configure two meshpoints having the same meshid, one with the root option enabled and the other configured as no root. Apply the root meshpoint to the root access point and the no-root meshpoint to the non-root access points.

The following example shows the configuration of a meshpoint for the root access point:
  rfs6000-37FABE(config)#meshpoint root
  rfs6000-37FABE(config-meshpoint-root)#
  rfs6000-37FABE(config-meshpoint-root)#meshid test
  rfs6000-37FABE(config-meshpoint-root)#root
  rfs6000-37FABE(config-meshpoint-root)#security-mode eap
  rfs6000-37FABE(config-meshpoint-root)#commit
  rfs6000-37FABE(config-meshpoint-root)#show context
  meshpoint test-root
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode eap
   root
  rfs6000-37FABE(config-meshpoint-root)#

The following example shows the configuration of a meshpoint for the non-root access points:
  rfs6000-37FABE(config)#meshpoint no-root
  rfs6000-37FABE(config-meshpoint-no-root)#
  rfs6000-37FABE(config-meshpoint-no-root)#meshid test
  rfs6000-37FABE(config-meshpoint-no-root)#security-mode eap
  rfs6000-37FABE(config-meshpoint-no-root)#show context
  meshpoint no-root
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode eap
   no root
  rfs6000-37FABE(config-meshpoint-no-root)#

2 Second method:
Configure a no-root meshpoint and apply it to all access points in the meshpoint. Then log into the meshpoint-device > no-root configuration mode of the root access point and enable root.
  rfs6000-37FABE(config-meshpoint-no-root)#show context
  meshpoint no-root
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode eap
   no root
  rfs6000-37FABE(config-meshpoint-no-root)#

  rfs6000-37FABE(config)#ap81xx B4-C7-99-71-17-28
  rfs6000-37FABE(config-device-B4-C7-99-71-17-28)#meshpoint-device no-root
  rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#
  rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#show context
  meshpoint no-root
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode eap
   no root
  rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#
  rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#root
  rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#show context
  meshpoint no-root
   meshid test
   beacon-format mesh-point
   control-vlan 1
   security-mode eap
   root
  rfs6000-37FABE(config-device-B4-C7-99-71-17-28-meshpoint-no-root)#
Related Commands
  no    Removes the configuration of this meshpoint as a root meshpoint

26.1.11 security-mode
meshpoint-config-instance

Configures the security mode for this meshpoint.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  security-mode [eap|none|psk]

Parameters
  security-mode [eap|none|psk]

  security-mode    Configures the security mode for this meshpoint
    eap            Uses 802.1X/EAP as the security mode. When using this option, use the wpa2 command to specify the EAP authentication type and related parameters.
    none           No security is configured for this meshpoint
    psk            Uses a Pre Shared Key (PSK) as the security mode. When using this option, use the wpa2 command to enter the 64 character HEX or 8-63 ASCII character passphrase used for authentication on the mesh point.

Example
The following example shows a root meshpoint configuration with PSK authentication enabled:
  rfs6000-37FABE(config-meshpoint-test)#security-mode psk
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   description "This is an example of a meshpoint description"
   meshid TestingMeshPoint
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   neighbor inactivity-timeout 300
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode psk
   root
  rfs6000-37FABE(config-meshpoint-test)#

The following example shows a root meshpoint configuration with EAP authentication enabled:
  rfs6000-37FABE(config-meshpoint-root)#show context
  meshpoint test
   meshid test
   beacon-format mesh-point
   control-vlan 101
   allowed-vlans 101,103
   use aaa-policy test
   security-mode eap
   root
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no    Resets the security configuration for this meshpoint to none. This indicates that no security is configured for this meshpoint.

26.1.12 service
meshpoint-config-instance

Use this command to allow only those neighbors that are capable of 802.11n data rates to associate with this meshpoint.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  service [allow-ht-only|show cli]

Parameters
  service [allow-ht-only|show cli]

  service allow-ht-only    Allows only those neighbors that are capable of high throughput data rates (802.11n data rates) to associate with the meshpoint
  service show cli         Displays the running system configuration

Example
  rfs6000-37FABE(config-meshpoint-test)#service allow-ht-only
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   description "This is an example of a meshpoint description"
   meshid TestingMeshPoint
   shutdown
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   neighbor inactivity-timeout 300
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode psk
   wpa2 psk 0 Test Company
   wpa2 key-rotation unicast 1200
   wpa2 key-rotation broadcast 600
   root
   service allow-ht-only
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands
  no service    Removes the restriction that only 802.11n capable neighbor devices can associate with this meshpoint
  service       Invokes service commands to troubleshoot or debug

26.1.13 shutdown
meshpoint-config-instance

Shuts down this meshpoint. Use this command to prevent an AP from participating in a mesh network.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  shutdown

Parameters
  None

Example
  rfs6000-37FABE(config-meshpoint-test)#shutdown
  rfs6000-37FABE(config)

Related Commands
  no    Enables an AP as a meshpoint

26.1.14 use
meshpoint-config-instance

Configures this meshpoint to use a predefined AAA policy or a Quality of Service (QoS) policy defined specifically for meshpoints. To use a meshpoint QoS policy, it must already be defined. To define a meshpoint QoS policy, see meshpoint-qos-policy-config-instance.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use [aaa-policy <AAA-POLICY-NAME>|meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>]

Parameters
  use [aaa-policy <AAA-POLICY-NAME>|meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>]

  use meshpoint-qos-policy <MESHPOINT-QOS-POLICY-NAME>    Configures this meshpoint to use a predefined meshpoint QoS policy
    <MESHPOINT-QOS-POLICY-NAME>    Specify the meshpoint QoS policy name (should be existing and configured).
  use aaa-policy <AAA-POLICY-NAME>    Configures this meshpoint to use a predefined aaa-policy
    <AAA-POLICY-NAME>    Specify the aaa-policy name (should be existing and configured).

Example
  rfs6000-37FABE(config-meshpoint-test)#use meshpoint-qos-policy test
  rfs6000-37FABE(config-meshpoint-test)#show context
  meshpoint test
   description "This is an example of a meshpoint description"
   meshid TestingMeshPoint
   shutdown
   beacon-format mesh-point
   control-vlan 1
   allowed-vlans 1,10-16,18-23
   neighbor inactivity-timeout 300
   data-rates 2.4GHz bgn
   data-rates 5GHz an
   security-mode psk
   root
   use meshpoint-qos-policy test
  rfs6000-37FABE(config-meshpoint-test)#
Related Commands no meshpoint-qos-policy-
config-instance Removes the meshpoint QoS policy associated with this meshpoint Creates and configures a meshpoint QoS policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 22 MESHPOINT 26.1.15 wpa2 meshpoint-config-instance Use this command to configure the parameters of authentication mode specified using the security-mode keyword. This command also allows you to set a unicast and broadcast key rotation interval. Supported in the following platforms:
Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX Wireless Controllers RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000 Syntax wpa2 [eap|psk|key-rotation]
wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 eap [auth-type|identity|peap-mschapv2|tls]
wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>]
{trustpoint <TRUSTPOINT-NAME>}
wpa2 eap tls trustpoint <TRUSTPOINT-NAME>
Parameters wpa2 key-rotation [broadcast|unicast] <30-86400>
wpa2 key-rotation broadcast unicast
<30-86400>
Enables periodic rotation of encryption keys used for broadcast and unicast traffic Configures key rotation interval for broadcast and multicast traffic. This option is disabled by default. When enabled, the key indices used for encrypting/decrypting broadcast traffic is alternatively rotated based on the defined interval. Key rotation enhances the broadcast traffic security on the WLAN. Configures key rotation interval for unicast traffic. This option is disabled by default. Configures key rotation interval from 30 - 86400 seconds for unicast or broadcast transmission wpa2 psk [0 <SECRET>|2 <SECRET>|<SECRET>]
wpa2 psk secret [0 <SECRET>|
2 <SECRET>|<SECRET>]
Configures the shared key for authentication mode PSK. If the security mode is set as psk using the security-mode keyword, use this command to configure the pre-shared key. Configures the PSK used to authenticate this meshpoint with other meshpoints in the network 0 <SECRET> Configures a clear text secret 2 <SECRET> Configures an encrypted secret
<SECRET> Specify the secret key. The pre-shared key can be in ASCII (8 to 63 characters in length) or Hexadecimal (not exceeding 64 characters in length) formats. Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 23 MESHPOINT wpa2 eap [auth-type [peap-mschapv2|tls]|identity <WORD>]
wpa2 eap auth-type
[peap-mschapv2|tls]
identity <WORD>
Configures the 802.1X/EAP based authentication type for this meshpoint. If the security mode is set as eap using the security-mode keyword, use this command to specify the EAP type. The options are: peap-mschapv2 and tls. Specifies the EAP authentication type. The options are:
peap-mschapv2 Configures EAP authentication type as Protected Extensible Authentication Protocol (PEAP) with default auth type MSCHAPv2. This is the default setting. If using auth-type as peap-mschapv2, use the peap-mschapv2 keyword to configure user credentials and trustpoint details. tls Configures EAP authentication type as Transport Layer Security (TLS) If using auth-type as tls, use the tls keyword to configure trustpoint details. Note: The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials. Configures identity to be used during phase1 authentication
<WORD> Enter a string up to 256 characters in length (this should not be actual identity of user but some anonymous/bogus username) wpa2 eap peap-mschapv2 user <USER-NAME> password [0 <WORD>|2 <WORD>|<WORD>]
{trustpoint <TRUSTPOINT-NAME>}
wpa2 eap peap-mschapv2 Configures PEAP-related user credentials and trustpoint details user <USER-NAME>
password [0 <WORD>|2
<WORD>|<WORD>]
Specify the user credentials used for authentication user <USER-NAME> Specify the user name. password [0 <WORD>|2 <WORD>|<WORD>] Specify the password associated with the specified user. trustpoint <TRUSTPOINT-
NAME>
Optional. Associates a trustpoint used for installing CA certificate and verifying server certificate
<TRUSTPOINT-NAME> Specify the trustpoint name (should be existing and configured). wpa2 eap tls trustpoint <TRUSTPOINT-NAME>
wpa2 eap tls trustpoint
<TRUSTPOINT-NAME>
Configures TLS client related parameters Configures trustpoint details trustpoint <TRUSTPOINT-NAME> Assigns a trustpoint to be used for installing TLS client certificate, client private key, and CA certificate
<TRUSTPOINT-NAME> Specify the trustpoint name (should be existing and configured) Example rfs6000-37FABE(config-meshpoint-test)#wpa2 key-rotation broadcast 600 rfs6000-37FABE(config-meshpoint-test)#wpa2 key-rotation unicast 1200 rfs6000-37FABE(config-meshpoint-test)#wpa2 psk Test Company rfs6000-37FABE(config-meshpoint-test)#show context meshpoint test description "This is an example of a meshpoint description"
meshid TestingMeshPoint Access Point, Wireless Controller and Service Platform CLI Reference Guide 26 - 24 MESHPOINT shutdown beacon-format mesh-point control-vlan 1 allowed-vlans 1,10-16,18-23 neighbor inactivity-timeout 300 data-rates 2.4GHz bgn data-rates 5GHz an security-mode psk wpa2 psk 0 Test Company wpa2 key-rotation unicast 1200 wpa2 key-rotation broadcast 600 root rfs6000-37FABE(config-meshpoint-test)#
The following example shows root meshpoint configuration with EAP authentication enabled:
rfs6000-37FABE(config-meshpoint-root)#show context
meshpoint test
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 use aaa-policy test
 security-mode eap
 root
rfs6000-37FABE(config-meshpoint-test)#
The following example shows non-root meshpoint configuration with EAP PEAP-MSCHAPv2 authentication:
rfs6000-37FABE(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap identity tester123
 no root
rfs6000-37FABE(config-meshpoint-testNoRoot)#
The following example shows non-root meshpoint configuration with EAP TLS authentication:
rfs6000-37FABE(config-meshpoint-testNoRoot)#show context
meshpoint testNoRoot
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap tls trustpoint mesh1
 wpa2 eap identity tester123
 no root
rfs6000-37FABE(config-meshpoint-testNoRoot)#
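The parameter descriptions above give three checks a reviewer can apply to a non-root meshpoint's saved configuration: a trustpoint must be present so the authentication server's certificate is validated before credentials are sent, the phase 1 identity should not be the real user name, and the password form stored in the configuration should not be the clear-text one. The following added example (not code from the CLI reference guide) parses a meshpoint block as printed by show context and applies those checks; the finding codes and function names are this example's own, and it assumes the leading 0 in password 0 / psk 0 marks a clear-text secret and 2 an encrypted one, as the page's examples suggest.

```python
"""Audit a WiNG meshpoint 'show context' block for weak EAP/PSK settings.

Added example, not code from the CLI reference guide. It applies the guide's
own guidance: a trustpoint so the authentication server certificate is
validated before credentials are sent, a phase-1 identity that differs from
the real user name, and no clear-text secrets in the saved configuration.
Finding codes and function names are this example's own.
"""
import shlex

# Constructed sample: the guide's non-root PEAP-MSCHAPv2 meshpoint as printed
# by 'show context'.
SAMPLE_PEAP = """\
meshpoint testNoRoot
 meshid test
 beacon-format mesh-point
 control-vlan 101
 allowed-vlans 101,103
 security-mode eap
 wpa2 eap peap-mschapv2 user tester123 password 0 testing1234 trustpoint mesh1
 wpa2 eap identity tester123
 no root
"""

# Constructed hardened variant: encrypted password form and an anonymous
# identity. The password value is a placeholder, not a real encrypted string.
SAMPLE_PEAP_HARDENED = SAMPLE_PEAP.replace(
    "password 0 testing1234", "password 2 ENCRYPTED-PASSWORD-PLACEHOLDER"
).replace("identity tester123", "identity anonymous")


def parse_meshpoint(text):
    """Pull the settings the audit needs out of one meshpoint block."""
    cfg = {"name": None, "security_mode": None, "root": False, "psk_form": None,
           "auth": None, "user": None, "password_form": None,
           "trustpoint": None, "identity": None}
    for raw in text.splitlines():
        tok = shlex.split(raw)  # keeps quoted values such as description "..." intact
        if not tok:
            continue
        if tok[0] == "meshpoint":
            cfg["name"] = tok[1]
        elif tok[0] == "security-mode":
            cfg["security_mode"] = tok[1]
        elif tok[0] == "root":
            cfg["root"] = True
        elif tok[:2] == ["wpa2", "psk"]:
            # 'wpa2 psk 0 <passphrase>' is the form in the guide's example;
            # assumption: a leading 0 marks a clear-text secret, 2 an encrypted one.
            cfg["psk_form"] = tok[2] if tok[2] in ("0", "2") else "plain"
        elif tok[:3] == ["wpa2", "eap", "identity"]:
            cfg["identity"] = tok[3]
        elif tok[:2] == ["wpa2", "eap"] and tok[2] in ("peap-mschapv2", "tls"):
            # Assumption: the last such line reflects the EAP type in use.
            cfg["auth"] = tok[2]
            i = 3
            while i < len(tok):
                if tok[i] == "user":
                    cfg["user"] = tok[i + 1]
                    i += 2
                elif tok[i] == "password":
                    if tok[i + 1] in ("0", "2"):
                        cfg["password_form"] = tok[i + 1]
                        i += 3
                    else:
                        cfg["password_form"] = "plain"
                        i += 2
                elif tok[i] == "trustpoint":
                    cfg["trustpoint"] = tok[i + 1]
                    i += 2
                else:
                    i += 1
    return cfg


def audit(cfg):
    """Return finding codes for the parsed meshpoint, in the order detected."""
    findings = []
    if cfg["security_mode"] == "psk" and cfg["psk_form"] in ("0", "plain"):
        findings.append("PSK-CLEARTEXT")  # passphrase readable in the saved config
    if cfg["security_mode"] == "eap" and not cfg["root"]:
        # A non-root meshpoint is the 802.1X supplicant; these are its settings.
        if cfg["auth"] is None:
            findings.append("EAP-NO-CLIENT-CREDENTIALS")
        if cfg["trustpoint"] is None:
            findings.append("EAP-NO-TRUSTPOINT")  # server certificate cannot be verified
        if cfg["auth"] == "peap-mschapv2":
            if cfg["password_form"] in ("0", "plain"):
                findings.append("PEAP-PASSWORD-CLEARTEXT")
            if cfg["identity"] in (None, cfg["user"]):
                findings.append("IDENTITY-NOT-ANONYMOUS")  # real user name sent in phase 1
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_PEAP, SAMPLE_PEAP_HARDENED):
        parsed = parse_meshpoint(sample)
        print(parsed["name"], audit(parsed) or ["no findings"])
```

Run against the guide's own non-root example it reports the clear-text password form and the identity that equals the user name; the hardened variant reports nothing.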
Related Commands
  no    Resets PSK configuration and key rotation duration

26.2 meshpoint-qos-policy-config-instance

Mesh QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely, because excessive bandwidth comes at a very high cost), then applying QoS has very little value. QoS provides policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements when bandwidth is shared by different users and applications.

Mesh QoS helps ensure each mesh point on the mesh network receives a fair share of the overall bandwidth, either equally or in the proportion configured. Packets directed towards clients are classified into categories such as video, voice and data. Packets within each category are processed based on the weights defined for each mesh point.

To create a meshpoint, see meshpoint-config-instance.

A meshpoint QoS policy is created from the (config) instance. To create a meshpoint QoS policy use the following command:
<DEVICE>(config)#meshpoint-qos-policy <POLICYNAME>
rfs6000-37FABE(config)#meshpoint-qos-policy test
rfs6000-37FABE(config-meshpoint-qos-test)#
rfs6000-37FABE(config-meshpoint-qos-test)#?
Mesh Point QoS Mode commands:
  accelerated-multicast  Configure accelerated multicast streams address and forwarding QoS classification
  no                     Negate a command or set its defaults
  rate-limit             Configure traffic rate-limiting parameters on a per-meshpoint/per-neighbor basis
  clrscr                 Clears the display screen
  commit                 Commit all changes made in this session
  do                     Run commands from Exec mode
  end                    End current mode and change to EXEC mode
  exit                   End current mode and down to previous mode
  help                   Description of the interactive help system
  revert                 Revert changes
  service                Service Commands
  show                   Show running system information
  write                  Write running configuration to memory or terminal
rfs6000-37FABE(config-meshpoint-qos-test)#
The following table summarizes the meshpoint-qos-policy configuration commands:

Table 26.2 Meshpoint-QoS-Policy Config Commands
  Command                Description                                              Reference
  accelerated-multicast  Configures accelerated multicast parameters              page 26-27
  no                     Negates a command or reverts settings to their default   page 26-29
  rate-limit             Configures the rate limits for this QoS policy           page 26-30

26.2.1 accelerated-multicast
meshpoint-qos-policy-config-instance

Configures the accelerated multicast streams address and forwarding QoS classification

NOTE: For the accelerated multicast feature to work, the IGMP querier must be enabled. When a user joins a multicast stream, an entry is created in the device's (AP or wireless controller) snoop table and the entry is set to expire after a set time period. Multicast packets are forwarded to the appropriate wireless LAN or mesh as long as this entry is available in the snoop table. The snoop querier keeps the snoop table current by updating entries that are set to expire. It also keeps an entry for each multicast stream as long as there are users registered for the stream.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  accelerated-multicast [<MULTICAST-IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

Parameters
  accelerated-multicast [<MULTICAST-IP>|autodetect] {classification [background|best-effort|trust|video|voice]}

  accelerated-multicast
    Configures the accelerated multicast stream address and forwarding QoS classification. This option allows the administrator to convert multicast packets to unicast in order to provide better overall airtime utilization and performance. The system can be configured to automatically detect multicast streams and convert them to unicast, or to convert only the specified multicast streams. When the stream is converted and being queued for transmission, a number of classification mechanisms are applied to the stream, and the administrator can select the type of classification they want. Classification types are trust, voice, video, best effort, and background.
  <MULTICAST-IP>
    Specify a list of multicast addresses and classifications. Packets are accelerated when the destination address matches.
  autodetect
    Lets the system automatically detect multicast streams to be accelerated
  classification [background|best-effort|trust|video|voice]
    Optional. Defines the QoS classification to apply to a multicast stream. The following options are available: background, best effort, trust, video, voice

Example
rfs6000-37FABE(config-meshpoint-qos-test)#accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#
Related Commands
  no    Resets accelerated multicast configurations for this meshpoint QoS policy

26.2.2 no
meshpoint-qos-policy-config-instance

Negates the commands for meshpoint QoS policy or resets their values to their default

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [accelerated-multicast|rate-limit]
  no accelerated-multicast [<MULTICAST-IP>|autodetect]
  no rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size|rate}
  no rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background|best-effort|video|voice]}

Parameters
  no <PARAMETERS>

  no <PARAMETERS>
    Removes or reverts this meshpoint QoS policy's settings to default based on the parameters passed

Example
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air rate
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air red-threshold video 80
rfs6000-37FABE(config-meshpoint-qos-test)#no rate-limit meshpoint from-air red-threshold voice 70
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#
26.2.3 rate-limit
meshpoint-qos-policy-config-instance

Configures the rate limiting of traffic on a per meshpoint or per neighbor basis

Excessive traffic can cause performance issues or bring down the network entirely. Excessive traffic, bombardments and interference are caused by numerous sources, such as network loops, faulty devices, or malicious software (such as a worm or virus) that has infected one or more branch-level devices.

Rate limiting limits the maximum rate sent to or received from the wireless network (and meshpoint) per neighbor. It prevents any single user from overwhelming the wireless network. It also provides differential service for service providers. An administrator can set separate QoS rate limit configurations for data transmitted from the network and data transmitted from a mesh point's neighbor.

Before defining rate limit thresholds for meshpoint transmit and receive traffic, it is recommended that you define the normal number of ARP, broadcast, multicast, and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) is dropped, resulting in intermittent outages and performance problems. A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
  Wireless Controllers: RFS6000
  Service Platforms: NX6524, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  rate-limit [meshpoint|neighbor]
  rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}
  rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

Parameters
  rate-limit [meshpoint|neighbor] [from-air|to-air] {max-burst-size <2-1024>|rate <50-1000000>}

  meshpoint
    Configures rate limit parameters for all data received from any meshpoint in the mesh network. This option is disabled by default.
  neighbor
    Configures rate limit parameters for neighboring meshpoint devices. Enables rate limiting for data transmitted from the client to its associated access point radio and connected controller. This option is disabled by default.
  from-air
    Configures rate limits for traffic from the wireless neighbor to the network.
  to-air
    Configures rate limits for traffic from the network to the wireless neighbor.
  max-burst-size <2-1024>
    Optional. Configures the maximum burst size in kilobytes.
    <2-1024>  Set a value from 2 - 1024 kbytes.
      For a meshpoint: The smaller the burst, the less likely the transmit packet transmission results in congestion for the meshpoint's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site. The default burst size is 320 kbytes.
      For a neighbor: The smaller the burst, the less likely the transmit packet transmission will result in congestion for the wireless client. The default burst size is 64 kbytes.
  rate <50-1000000>
    Optional. Defines a receive or transmit rate limit in kilobytes per second.
    <50-1000000>  Set a value from 50 - 1000000 kbps.
      For a meshpoint: This limit constitutes a threshold for the maximum number of packets transmitted or received over the meshpoint (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.
      For a neighbor: This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped by the client and a log message is generated. The default rate is 1,000 kbps.

  rate-limit [meshpoint|neighbor] [from-air|to-air] {red-threshold [background <0-100>|best-effort <0-100>|video <0-100>|voice <0-100>]}

  meshpoint
    Configures rate limit parameters for a meshpoint
  neighbor
    Configures rate limit parameters for neighboring meshpoint devices
  from-air
    Configures rate limits for traffic from the wireless neighbor to the network
  to-air
    Configures the rate limit value for traffic from the network to the wireless neighbor
  red-threshold
    Optional. Configures the random early detection threshold (RED threshold) for a traffic class. The following keywords apply to both from-air and to-air traffic.
  background <0-100>
    Configures the threshold for low priority (background) traffic
    <0-100>  Specify a value from 0 - 100.
      For a meshpoint: This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
      For a neighbor: This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
  best-effort <0-100>
    Configures the threshold for best effort traffic
    <0-100>  Specify a value from 0 - 100.
      For a meshpoint: This is a percentage of the maximum burst size for normal priority traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
      For a neighbor: This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
  video <0-100>
    Configures the threshold for video traffic
    <0-100>  Specify a value from 0 - 100.
      For a meshpoint: This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 25%.
      For a neighbor: This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 25%.
  voice <0-100>
    Configures the threshold for voice traffic
    <0-100>  Specify a value from 0 - 100.
      For a meshpoint: This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 0%.
      For a neighbor: This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 0% and implies no early random drops will occur.

Example
rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air max-burst-size 800
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 rate-limit meshpoint from-air max-burst-size 800
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air rate 80000
rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air red-threshold video 80
rfs6000-37FABE(config-meshpoint-qos-test)#rate-limit meshpoint from-air red-threshold voice 70
rfs6000-37FABE(config-meshpoint-qos-test)#show context
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air max-burst-size 800
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 accelerated-multicast 224.0.0.1 classification video
rfs6000-37FABE(config-meshpoint-qos-test)#
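The rate, max-burst-size and red-threshold parameters above interact: each RED threshold is a percentage of the burst size for its scope and direction, and anything not set takes the defaults listed in the parameter table. The following added example (not code from the CLI reference guide) reads the rate-limit lines of a show context block such as the one just shown, applies the guide's defaults and ranges, and reports where in the burst each access category starts being dropped; the function names are this example's own.

```python
"""Effective rate-limit settings of a WiNG meshpoint QoS policy.

Added example, not code from the CLI reference guide. It reads the 'rate-limit'
lines of a 'show context' block, fills in the defaults the guide states for
anything not set, checks each value against the allowed range in the command
syntax, and reports the queue depth (in kbytes) at which random early detection
starts dropping each access category. Function names are this example's own.
"""
import re

DIRECTIONS = ("from-air", "to-air")
CATEGORIES = ("background", "best-effort", "video", "voice")

# Defaults stated in the guide: 5000 kbps / 320 kbytes per meshpoint,
# 1000 kbps / 64 kbytes per neighbor, RED thresholds 50/50/25/0 percent.
DEFAULTS = {
    "meshpoint": {"rate": 5000, "max-burst-size": 320},
    "neighbor": {"rate": 1000, "max-burst-size": 64},
}
DEFAULT_RED_PCT = {"background": 50, "best-effort": 50, "video": 25, "voice": 0}

# Allowed ranges from the command syntax.
RANGES = {"rate": (50, 1000000), "max-burst-size": (2, 1024), "red-threshold": (0, 100)}

LINE_RE = re.compile(
    r"^\s*rate-limit\s+(meshpoint|neighbor)\s+(from-air|to-air)\s+"
    r"(?:(rate|max-burst-size)\s+(\d+)"
    r"|red-threshold\s+(background|best-effort|video|voice)\s+(\d+))\s*$"
)

# Constructed sample: the guide's example policy as shown by 'show context'.
SAMPLE_POLICY = """\
meshpoint-qos-policy test
 rate-limit meshpoint from-air rate 80000
 rate-limit meshpoint from-air max-burst-size 800
 rate-limit meshpoint from-air red-threshold video 80
 rate-limit meshpoint from-air red-threshold voice 70
 accelerated-multicast 224.0.0.1 classification video
"""


def parse_rate_limits(text):
    """Return ({(scope, direction): settings}, [error strings]) for the rate-limit lines."""
    settings, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if "rate-limit" not in raw:
            continue
        m = LINE_RE.match(raw)
        if not m:
            errors.append(f"line {lineno}: unrecognised rate-limit line: {raw.strip()}")
            continue
        scope, direction, param, value, category, red_value = m.groups()
        if param is None:  # the red-threshold branch matched
            param, value = "red-threshold", red_value
        value = int(value)
        lo, hi = RANGES[param]
        if not lo <= value <= hi:
            errors.append(f"line {lineno}: {param} {value} outside {lo}-{hi}")
            continue
        entry = settings.setdefault((scope, direction), {"red_pct": {}})
        if param == "red-threshold":
            entry["red_pct"][category] = value
        else:
            entry[param] = value
    return settings, errors


def effective_limits(text):
    """Per-(scope, direction) settings with the guide's defaults applied.

    red_start_kbytes is the share of max-burst-size at which RED begins to drop
    that category, as the guide defines the threshold; None means 0%, which the
    guide says disables early drops for the category.
    """
    settings, _ = parse_rate_limits(text)
    result = {}
    for scope, scope_defaults in DEFAULTS.items():
        for direction in DIRECTIONS:
            cfg = settings.get((scope, direction), {"red_pct": {}})
            burst = cfg.get("max-burst-size", scope_defaults["max-burst-size"])
            red_pct = {c: cfg["red_pct"].get(c, DEFAULT_RED_PCT[c]) for c in CATEGORIES}
            result[(scope, direction)] = {
                "rate_kbps": cfg.get("rate", scope_defaults["rate"]),
                "burst_kbytes": burst,
                "red_pct": red_pct,
                "red_start_kbytes": {c: burst * p / 100 if p else None
                                     for c, p in red_pct.items()},
            }
    return result


if __name__ == "__main__":
    _, errors = parse_rate_limits(SAMPLE_POLICY)
    print("errors:", errors or "none")
    for key, eff in effective_limits(SAMPLE_POLICY).items():
        print(key, eff["rate_kbps"], "kbps", eff["burst_kbytes"], "kbytes",
              eff["red_start_kbytes"])
```

For the guide's example this shows video being dropped from 640 kbytes and voice from 560 kbytes of the 800 kbyte meshpoint burst, while the unconfigured neighbor directions keep the 64 kbyte default with voice early drops disabled.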
Related Commands
  no    Resets traffic rate limit settings for this meshpoint QoS policy

26.3 meshpoint-device-config-instance

The following table lists the meshpoint device configuration commands:

Table 26.3 Other meshpoint-related commands
  Command                    Description                                                                        Reference
  meshpoint-device           Configures an access point as a meshpoint device and enters its configuration mode page 26-35
  meshpoint-device-commands  Invokes the meshpoint-device configuration commands                                page 26-37

26.3.1 meshpoint-device
meshpoint-device-config-instance

This command configures an access point to use a defined meshpoint. To configure this feature use one of the following options:
  - navigate to the device profile config context (used when configuring an access point profile on a controller)
  - navigate to the device's config context using the self command (used when configuring a logged on access point)

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
  meshpoint-device <MESHPOINT-NAME>

Parameters
  meshpoint-device <MESHPOINT-NAME>

  meshpoint-device
    Configures the AP as a meshpoint device and sets its parameters
  <MESHPOINT-NAME>
    The meshpoint to configure the AP with (should be existing and configured)

Example
rfs6000-37FABE(config)#profile ap71xx AP71XXTestProfile
rfs6000-37FABE(config-profile-AP71XXTestProfile)#meshpoint-device test
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#?
Mesh Point Device Mode commands:
  acs          Configure auto channel selection parameters
  exclude      Exclude neighboring Mesh Devices
  hysteresis   Configure path selection SNR hysteresis values
  monitor      Event Monitoring
  no           Negate a command or set its defaults
  path-method  Path selection method used to find a root node
  preferred    Configure preferred path parameters
  root         Set this meshpoint as root
  root-select  Root selection method parameters
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#meshpoint-device test
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#?
Mesh Point Device Mode commands:
  acs          Configure auto channel selection parameters
  exclude      Exclude neighboring Mesh Devices
  hysteresis   Configure path selection SNR hysteresis values
  monitor      Event Monitoring
  no           Negate a command or set its defaults
  path-method  Path selection method used to find a root node
  preferred    Configure preferred path parameters
  root         Set this meshpoint as root
  root-select  Root selection method parameters
  clrscr       Clears the display screen
  commit       Commit all changes made in this session
  do           Run commands from Exec mode
  end          End current mode and change to EXEC mode
  exit         End current mode and down to previous mode
  help         Description of the interactive help system
  revert       Revert changes
  service      Service Commands
  show         Show running system information
  write        Write running configuration to memory or terminal
ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#?
26.3.2 meshpoint-device-commands
meshpoint-device-config-instance

The following table lists the meshpoint-device configuration mode commands:

Table 26.4 Meshpoint-Device Config Commands
  Command      Description                                                                               Reference
  acs          Enables Automatic Channel Selection (ACS) on this meshpoint device (access point)         page 26-38
  exclude      Excludes neighboring mesh devices                                                         page 26-43
  hysteresis   Configures path selection SNR hysteresis values on this meshpoint-device (access point)   page 26-44
  monitor      Enables monitoring of critical resource and primary port links on a meshpoint device      page 26-46
  path-method  Configures the method used to select the path to the root node in a mesh network         page 26-47
  preferred    Configures the preferred path parameters for a meshpoint device                           page 26-48
  root         Configures a meshpoint device as the root meshpoint                                       page 26-49
  root-select  Configures this meshpoint device as the cost root                                         page 26-51
  no           Negates the commands for a meshpoint device or resets values to default                   page 26-52

26.3.2.1 acs
meshpoint-device-commands

Enables Automatic Channel Selection (ACS) on this meshpoint device (access point). When enabled, this feature automatically selects the best channel for a meshpoint-device radio based on the device configuration, channel conditions, and network layout.

In a wireless network deployment, it is advantageous for network devices to have the ability to operate in multiple channels and not be limited to only a single channel. Multiple channels increase the bandwidth and throughput of the wireless network. In such a scenario, each network device must have a mechanism to dynamically select a suitable channel of operation. ACS provides the required mechanism for an MCX-enabled device.

Use this command to configure the ACS settings and override the default meshpoint configurations.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX

Syntax
  acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration|ocs-frequency|path-min|path-threshold|preferred-interface-tolerance-period|preferred-radio-interface|priority-meshpoint|sample-count|snr-delta|signal-threshold|tolerance-period]
  acs channel-hold-time [2.4GHz|5GHz] <0-86400>
  acs channel-switch-delta [2.4GHz|5GHz] <5-35>
  acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]
  acs ocs-duration [2.4GHz|5GHz] <20-250>
  acs ocs-frequency [2.4GHz|5GHz] <1-60>
  acs path-min [2.4GHz|5GHz] <100-20000>
  acs path-threshold [2.4GHz|5GHz] <800-65535>
  acs preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>
  acs preferred-radio-interface [2.4GHz|5GHz] <0-2>
  acs priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>
  acs sample-count [2.4GHz|5GHz] <1-10>
  acs snr-delta [2.4GHz|5GHz] <1-100>
  acs signal-threshold [2.4GHz|5GHz] <-100-0>
  acs tolerance-period [2.4GHz|5GHz] <10-600>
Parameters
  acs channel-hold-time [2.4GHz|5GHz] <0-86400>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  channel-hold-time [2.4GHz|5GHz] <0-86400>
    Configures the minimum time, in seconds, before a periodic scan to assess channel conditions for a meshpoint root is triggered.
    2.4GHz  Configures the channel hold interval for the 2.4 GHz radio band
    5GHz    Configures the channel hold interval for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <0-86400>  Specify a value from 0 - 86400 seconds. The default is 1800 seconds. A value of 0 disables periodic channel assessment.

  acs channel-switch-delta [2.4GHz|5GHz] <5-35>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  channel-switch-delta [2.4GHz|5GHz] <5-35>
    Configures the difference in interference between the current and best channel needed to trigger a channel change. Once the difference between the current channel and the best channel interference equals the configured value, a channel change is triggered.
    2.4GHz  Configures the channel switch delta for the 2.4 GHz radio band
    5GHz    Configures the channel switch delta for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <5-35>  Specify a value from 5 - 35 dBm. The default is 10 dBm.

  acs channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  channel-width [2.4GHz|5GHz] [20MHz|40MHz|80MHz|auto]
    Configures the channel width that meshpoint auto channel selection assigns to the radio
    2.4GHz  Configures the operating channel width for the 2.4 GHz radio band
    5GHz    Configures the operating channel width for the 5.0 GHz radio band
    The following keywords are common to the 2.4 GHz and 5.0 GHz bands:
    20MHz  Assigns the 20 MHz channel width to the radio
    40MHz  Assigns the 40 MHz channel width to the radio
    80MHz  Assigns the 80 MHz channel width to the radio
    auto   Selects and assigns the best possible channel from the 20/40/80 MHz widths. This is the default setting.

  acs ocs-duration [2.4GHz|5GHz] <20-250>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  ocs-duration [2.4GHz|5GHz] <20-250>
    Configures the duration, in milliseconds, of off-channel scans (OCSs)
    2.4GHz  Configures the ocs-duration for the 2.4 GHz radio band
    5GHz    Configures the ocs-duration for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <20-250>  Specify a value from 20 - 250 milliseconds. The default value is 50 milliseconds.

  acs ocs-frequency [2.4GHz|5GHz] <1-60>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  ocs-frequency [2.4GHz|5GHz] <1-60>
    Configures the interval, in seconds, at which an off-channel scan is performed. An ocs-frequency of 10 seconds means that an off-channel scan is performed once every 10 seconds.
    2.4GHz  Configures the ocs-frequency for the 2.4 GHz radio band
    5GHz    Configures the ocs-frequency for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <1-60>  Specify a value from 1 - 60 seconds. The default is 6 seconds.

  acs path-min [2.4GHz|5GHz] <100-20000>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  path-min [2.4GHz|5GHz] <100-20000>
    Configures the minimum root path metric needed for auto channel selection. This is the acceptance root path metric value to consider a root as a possible candidate mesh node.
    2.4GHz  Configures the minimum root path metric for the 2.4 GHz radio band
    5GHz    Configures the minimum root path metric for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <100-20000>  Specify a value from 100 - 20000. The default is 1000.

  acs path-threshold [2.4GHz|5GHz] <800-65535>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  path-threshold [2.4GHz|5GHz] <800-65535>
    Configures the root path metric threshold for auto channel selection. This is the acceptance root path metric threshold beyond which the root bound to is considered bad.
    2.4GHz  Configures the root path metric threshold for the 2.4 GHz radio band
    5GHz    Configures the root path metric threshold for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <800-65535>  Specify a value from 800 - 65535. The default is 1500.

  acs preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  preferred-interface-tolerance-period [2.4GHz|5GHz] <10-600>
    Configures the maximum tolerance period, in seconds, for low root metrics on the preferred interface. This is the duration to wait before triggering an automatic channel selection for the next mesh-hop on the preferred interface.
    2.4GHz  Configures the maximum tolerance period for the 2.4 GHz radio band
    5GHz    Configures the maximum tolerance period for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <10-600>  Specify a value from 10 - 600 seconds.

  acs preferred-radio-interface [2.4GHz|5GHz] <0-2>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  preferred-radio-interface [2.4GHz|5GHz] <0-2>
    Configures the preferred radio interface on dual band APs
    2.4GHz  Configures the preferred radio interface for the 2.4 GHz radio band
    5GHz    Configures the preferred radio interface for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <0-2>  Specify a value from 0 - 2. A value of 0 (zero) indicates no preferred radio.

  acs priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  priority-meshpoint [2.4GHz|5GHz] <MESHPOINT-NAME>
    Configures the priority meshpoint. Configuring a priority meshpoint overrides automatic meshpoint configuration.
    2.4GHz  Configures the priority meshpoint for the 2.4 GHz radio band
    5GHz    Configures the priority meshpoint for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <MESHPOINT-NAME>  Specify the meshpoint name for the selected radio band.

  acs sample-count [2.4GHz|5GHz] <1-10>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  sample-count [2.4GHz|5GHz] <1-10>
    Configures the minimum number of scan cycle samples to consider for auto channel selection
    2.4GHz  Configures the sample count for the 2.4 GHz radio band
    5GHz    Configures the sample count for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <1-10>  Specify a value from 1 - 10. The default is 5 samples.

  acs snr-delta [2.4GHz|5GHz] <1-100>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  snr-delta [2.4GHz|5GHz] <1-100>
    Configures the channel SNR delta. A meshpoint on a candidate channel must have an SNR greater by this delta than the next hop on the current channel.
    2.4GHz  Configures the snr-delta for the 2.4 GHz radio band
    5GHz    Configures the snr-delta for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <1-100>  Specify a value from 1 - 100 dB. The default is 5 dB.

  acs signal-threshold [2.4GHz|5GHz] <-100-0>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  signal-threshold [2.4GHz|5GHz] <-100-0>
    Configures the signal strength threshold. If the signal strength of the next hop drops below the configured signal-threshold, a scan is triggered.
    2.4GHz  Configures the signal-threshold for the 2.4 GHz radio band
    5GHz    Configures the signal-threshold for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <-100-0>  Specify a value from -100 - 0 dB. The default is -65 dB.

  acs tolerance-period [2.4GHz|5GHz] <10-600>

  acs
    Configures ACS settings and overrides on the selected meshpoint-device
  tolerance-period [2.4GHz|5GHz] <10-600>
    Configures the maximum tolerance period in seconds. This is the interval to wait for the root bound to to recover from a bad link.
    2.4GHz  Configures the tolerance-period for the 2.4 GHz radio band
    5GHz    Configures the tolerance-period for the 5.0 GHz radio band
    The following keyword is common to the 2.4 GHz and 5.0 GHz bands:
    <10-600>  Specify a value from 10 - 600 seconds. The default is 60 seconds.

Example
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs channel-hold-time 2.4GHz 2500
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs ocs-duration 2.4GHz 30
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#acs ocs-frequency 2.4GHz 1
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
meshpoint-device test
 acs ocs-frequency 2.4GHz 1
 acs ocs-duration 2.4GHz 30
 acs channel-hold-time 2.4GHz 2500
rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#
Related Commands
    no    Reverts the configured ACS settings to default

26.3.2.2 exclude
meshpoint-device-commands

Enables exclusion of wired peers (neighbors that are wired MiNT level-1 neighbors).
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    exclude wired-peer mint-level-1
Parameters
    exclude wired-peer mint-level-1
    exclude                    Excludes neighboring mesh devices
    wired-peer mint-level-1    Excludes neighboring wired mesh devices with a MiNT level-1 link. When enabled, all neighboring wired mesh devices are excluded from mesh links.
Example
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#exclude wired-peer mint-level-1
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
    meshpoint-device test
     exclude wired-peer mint-level-1
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#
Related Commands
    no    Disables wired-peer exclusion on this meshpoint

26.3.2.3 hysteresis
meshpoint-device-commands

Configures path selection SNR hysteresis values on this meshpoint-device (access point). These settings facilitate dynamic path selection. Configuring hysteresis prevents frequent re-ranking of the shortest path cost.
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    hysteresis [min-threshold|period|root-sel-snr-delta|snr-delta]
    hysteresis [min-threshold <-100-0>|period <0-600>|root-sel-snr-delta <1-100>|snr-delta <1-100>]
Parameters
    hysteresis [min-threshold <-100-0>|period <0-600>|root-sel-snr-delta <1-100>|snr-delta <1-100>]
    min-threshold <-100-0>       Configures the minimum signal strength that a device must have to be considered a likely candidate in the mesh route (to the mesh root node) selection process.
                                 <-100-0>  Specify a value from -100 - 0 dB. The default is 0 dB.
    period <0-600>               Configures the interval, in seconds, for which a likely candidate's path method hysteresis is sustained. In other words, a device capable of sustaining the signal strength for the specified period of time is a likely candidate in the mesh route (to the mesh root node) selection process.
                                 <0-600>  Specify a value from 0 - 600 seconds. The default is 1 second.
    root-sel-snr-delta <1-100>   Configures the signal strength, in dB, that a device has to sustain, within the delta range, to be considered a likely candidate in the mesh route (to the mesh root node) selection process.
                                 <1-100>  Specify a value from 1 - 100 dB.
    snr-delta <1-100>            Configures the SNR delta. A device must have an SNR exceeding that of its current neighbor by at least this delta to be considered a likely candidate in the mesh route (to the mesh root) selection process.
                                 <1-100>  Specify a value from 1 - 100 dB. The default is 1 dB.
Example
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis period 15
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis root-sel-snr-delta 12
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis snr-delta 3
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#hysteresis min-threshold -65
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#show context
    meshpoint-device test
     hysteresis period 15
     hysteresis snr-delta 3
     hysteresis min-threshold -65
     hysteresis root-sel-snr-delta 12
    rfs4000-229D58(config-profile-testAP71XX-meshpoint-test)#
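The acs and hysteresis parameters above each carry a documented range and, for most, a default that `show context` does not print when it is in effect. The following Python is an added example, not from the guide or the WiNG product, that parses a pasted `show context` meshpoint-device block, flags values outside the documented ranges, marks values that merely restate a default, and reports the effective value of every documented setting; the sample block is constructed after the example output above.

```python
"""Added example (not from the WiNG guide): check meshpoint-device acs and
hysteresis values against the ranges and defaults documented above, and
compute the effective value of every documented setting."""
import re

# Band-qualified acs settings from this section: keyword -> (min, max, default)
ACS_RANGES = {
    "sample-count": (1, 10, 5),          # samples
    "snr-delta": (1, 100, 5),            # dB
    "signal-threshold": (-100, 0, -65),  # dB
    "tolerance-period": (10, 600, 60),   # seconds
}
# hysteresis settings: keyword -> (min, max, default); the guide gives no
# default for root-sel-snr-delta, so it is recorded as None.
HYSTERESIS_RANGES = {
    "min-threshold": (-100, 0, 0),         # dB
    "period": (0, 600, 1),                 # seconds
    "root-sel-snr-delta": (1, 100, None),  # dB
    "snr-delta": (1, 100, 1),              # dB
}
ACS_LINE = re.compile(r"^acs\s+(\S+)\s+(2\.4GHz|5GHz)\s+(-?\d+)$")
HYST_LINE = re.compile(r"^hysteresis\s+(\S+)\s+(-?\d+)$")

# Constructed sample, modelled on the 'show context' output in the example above.
SAMPLE_CONTEXT = """meshpoint-device test
 hysteresis period 15
 hysteresis snr-delta 3
 hysteresis min-threshold -65
 hysteresis root-sel-snr-delta 12
 acs signal-threshold 2.4GHz -70
"""


def _verdict(value, spec):
    lo, hi, default = spec
    if value < lo or value > hi:
        return "out-of-range"
    if default is not None and value == default:
        return "default"          # explicitly set to the documented default
    return "ok"


def check_meshpoint_context(text):
    """Return (setting, value, verdict) for each acs/hysteresis line in text.

    verdict is 'ok', 'default' or 'out-of-range'. Keywords this example does
    not document (channel-hold-time, ocs-*, ...) are skipped, not judged.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ACS_LINE.match(line)
        if m:
            key, band, value = m.group(1), m.group(2), int(m.group(3))
            if key in ACS_RANGES:
                findings.append((f"acs {key} {band}", value,
                                 _verdict(value, ACS_RANGES[key])))
            continue
        m = HYST_LINE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key in HYSTERESIS_RANGES:
                findings.append((f"hysteresis {key}", value,
                                 _verdict(value, HYSTERESIS_RANGES[key])))
    return findings


def effective_settings(text):
    """Merge configured lines over the documented defaults.

    Returns {setting: (value, source)} where source is 'configured' or
    'default'; out-of-range lines are ignored because the CLI rejects them.
    """
    effective = {}
    for band in ("2.4GHz", "5GHz"):
        for key, (_lo, _hi, default) in ACS_RANGES.items():
            effective[f"acs {key} {band}"] = (default, "default")
    for key, (_lo, _hi, default) in HYSTERESIS_RANGES.items():
        effective[f"hysteresis {key}"] = (default, "default")
    for setting, value, verdict in check_meshpoint_context(text):
        if verdict != "out-of-range":
            effective[setting] = (value, "configured")
    return effective


if __name__ == "__main__":
    for setting, (value, source) in sorted(effective_settings(SAMPLE_CONTEXT).items()):
        print(f"{setting:32} {value!s:>6}  ({source})")
```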
Related Commands
    no    Removes the configured path selection SNR hysteresis values

26.3.2.4 monitor
meshpoint-device-commands

Enables monitoring of critical resource and primary port links. It also configures the action taken in case a critical resource goes down or a primary port link is lost.
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    monitor [critical-resource|primary-port-link-loss] action no-root
Parameters
    monitor [critical-resource|primary-port-link-loss] action no-root
    critical-resource         Enables critical resource down event monitoring
    primary-port-link-loss    Enables primary port link loss event monitoring
    The following are common to all of the above:
    action                    Sets the action taken if a critical resource goes down or if a primary port link is lost
    no-root                   Changes the meshpoint to non-root (this is the action taken in case either of the two events mentioned above occurs)
Example
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#monitor critical-resource action no-root
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
    meshpoint-device test
     name test
     monitor critical-resource action no-root
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
Related Commands
    no    Disables monitoring of critical resource and primary port links.

26.3.2.5 path-method
meshpoint-device-commands

Configures the path selection method used on a meshpoint device. This is the method used to select the route to the root node within a mesh network.
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    path-method [bound-pair|mobile-snr-leaf|snr-leaf|uniform]
Parameters
    path-method [bound-pair|mobile-snr-leaf|snr-leaf|uniform]
    path-method        Sets the method used to select the path to the root node in a mesh network
    bound-pair         Enables a meshpoint to form an exclusive path with only one other meshpoint. Select this option to bind one mesh point connection at a time. Once established, other mesh point connection requests are denied.
    mobile-snr-leaf    Configures the path selection method as mobile-snr-leaf. When selected, the path to the root node is selected based on the Signal-to-Noise Ratio (SNR) to a neighboring device. This option allows meshpoint devices to select the neighbor with the strongest SNR. Meshpoint devices using the mobile-snr-leaf method are non-forwarding nodes in the meshpoint traffic.
                       Note: Select this option for Vehicular Mounted Modem (VMM) access points or other mobile devices.
                       Note: VMM is supported only on the AP7161 model access point.
    snr-leaf           This option allows meshpoints to select the neighbor with the strongest SNR. It is similar to the mobile-snr-leaf option, but is not applicable to mobile devices, such as VMMs.
    uniform            Indicates the path selection method is uniform. When selected, two paths are considered equivalent if the average goodput is the same for both paths. This is the default setting.
                       Note: Select this option for infrastructure devices.
Example
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#path-method mobile-snr-leaf
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
    meshpoint-device TEST
     name TEST
     path-method mobile-snr-leaf
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
Related Commands
    no    Resets the path selection method on a meshpoint device

26.3.2.6 preferred
meshpoint-device-commands

Configures the preferred path parameters for this meshpoint device.
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    preferred [neighbor <MAC>|root <MAC>|interface [2.4GHz|4.9GHz|5GHz]]
Parameters
    preferred [neighbor <MAC>|root <MAC>|interface [2.4GHz|4.9GHz|5GHz]]
    preferred                         Configures the preferred path parameters
    neighbor <MAC>                    Adds the MAC address of a neighbor meshpoint as a preferred neighbor
    root <MAC>                        Adds the MAC address of a root meshpoint as a preferred root
    interface [2.4GHz|4.9GHz|5GHz]    Sets the preferred interface
Example
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred neighbor 11-22-33-44-55-66
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred root 22-33-44-55-66-77
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#preferred interface 5GHz
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
    meshpoint-device test
     name test
     preferred root 22-33-44-55-66-77
     preferred neighbor 11-22-33-44-55-66
     preferred interface 5GHz
     monitor critical-resource action no-root
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
Related Commands
    no    Removes the configuration of preferred paths for this meshpoint device

26.3.2.7 root
meshpoint-device-commands

Configures this meshpoint device as the root meshpoint.
You can optionally use the select-method option to enable dynamic mesh selection. When enabled, this option overrides the root or no-root configuration and uses the selection method.
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    root {select-method [auto-mint|auto-proximity]}
Parameters
    root {select-method [auto-mint|auto-proximity]}
    root              Configures this meshpoint device as the root meshpoint
    select-method     Optional. Enables dynamic mesh selection. When enabled, this option overrides the root or no-root configuration and chooses the selection method.
    auto-mint         Enables dynamic root selection using Auto-MiNT (based on path cost). The Auto-MiNT or Cost Method dynamically determines the root/non-root configuration of a meshpoint by:
                      - Monitoring and ranking the signal strength and path cost of neighboring mesh points.
                      - Setting the configuration to:
                        non-root: if the link with the shortest path to the cost-root mesh device is an MCX meshpoint link
                        root: if the link with the shortest path to the cost-root mesh device is a non-MCX meshpoint link (wired link)
                        This requires that the meshpoint device, in the brain car, be configured as the cost root and that the cost root meshpoint-device be the L2 gateway to the controller. Use the root-select > cost-root command to configure a meshpoint-device as cost-root.
                      - Using the signal strength of neighboring meshpoints as the sole metric to determine the next mesh hop to the root.
                      - Loop detection when both meshpoints in a car select non-root and form a mesh link with the same root.
    auto-proximity    Enables dynamic root selection using meshpoint proximity. When auto-proximity is selected, root selection is based on the signal strength of candidate roots.
Example
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#root
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
    meshpoint-device test
     name test
     root
     preferred root 22-33-44-55-66-77
     preferred neighbor 11-22-33-44-55-66
     preferred interface 5GHz
     monitor critical-resource action no-root
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

    ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#root select-method auto-mint
    ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#show context
    meshpoint-device test
     root select-method auto-mint
    ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#
Related Commands
    no    Removes the configuration of this meshpoint device as a root meshpoint. Also allows you to disable dynamic mesh selection (if enabled).

26.3.2.8 root-select
meshpoint-device-commands

Configures this meshpoint device as the cost root.
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    root-select cost-root
Parameters
    root-select cost-root
    root-select cost-root    Configures this meshpoint device as the cost root. This is necessary for the dynamic root selection process. Select this option to set the meshpoint as the cost root for meshpoint root selection. This setting is disabled by default.
Example
    ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#root-select cost-root
    ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#show context
    meshpoint-device test
     root select-method auto-mint
     root-select cost-root
    ap7131-11E6C4(config-device-00-23-68-11-E6-C4-meshpoint-test)#
Related Commands
    no    Removes this meshpoint-device as the cost-root

26.3.2.9 no
meshpoint-device-commands

Negates the commands for a meshpoint device or resets values to default.
Supported in the following platforms:
    Access Points AP6522, AP6532, AP6562, AP7161, AP7522, AP7532, AP7562, AP81XX
Syntax
    no [acs|exclude|hysteresis|monitor|path-method|preferred|root|root-select]
    no acs [channel-hold-time|channel-switch-delta|channel-width|ocs-duration|ocs-frequency|path-min|path-threshold|preferred-interface-tolerance-period|preferred-radio-interface|priority-meshpoint|sample-count|snr-delta|signal-threshold|tolerance-period] [2.4GHZ|5GHz]
    no exclude wired-peer mint-level-1
    no hysteresis [min-threshold|period|root-sel-snr-delta|snr-delta]
    no monitor [critical-resource|primary-port-link-loss]
    no [path-method|root {select-method}]
    no root-select cost-root
    no preferred [interface|root|neighbor]
Parameters
    no <PARAMETERS>
    no <PARAMETERS>    Removes or reverts this meshpoint device's settings to default, based on the parameters passed
Example
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
    meshpoint-device test
     name test
     root
     preferred root 22-33-44-55-66-77
     preferred neighbor 11-22-33-44-55-66
     preferred interface 5GHz
     monitor critical-resource action no-root
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#

    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no monitor critical-resource
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no preferred neighbor
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no root
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#no preferred interface
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#show context
    meshpoint-device test
     name test
     no root
     preferred root 22-33-44-55-66-77
    rfs6000-37FABE(config-profile-AP71XXTestProfile-meshpoint-test)#
27 PASSPOINT POLICY

A passpoint policy provides an interoperable platform for streamlining Wi-Fi access to access points deployed as public hotspots. Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. Passpoint makes connecting to Wi-Fi networks easier by authenticating the user with an account based on an existing relationship, such as the user's mobile carrier or broadband ISP.

To migrate to the Passpoint policy configuration mode, use the following command:
    <DEVICE>(config)#passpoint-policy <POLICY-NAME>

    rfs4000-229D58(config)#passpoint-policy test
    rfs4000-229D58(config-passpoint-policy-test)#

    rfs4000-229D58(config-passpoint-policy-test)#?
    Passpoint Policy Mode commands:
      3gpp                    Configure a 3gpp plmn (public land mobile network) id
      access-network-type     Set the access network type for the hotspot
      connection-capability   Configure the connection capability for the hotspot
      domain-name             Add a domain-name for the hotspot
      hessid                  Set a homogeneous ESSID value for the hotspot
      internet                Advertise the hotspot having internet access
      ip-address-type         Configure the advertised ip-address-type
      nai-realm               Configure a NAI realm for the hotspot
      net-auth-type           Add a network authentication type to the hotspot
      no                      Negate a command or set its defaults
      operator                Add configuration related to the operator of the hotspot
      osu                     Online signup
      roam-consortium         Add a roam consortium for the hotspot
      venue                   Set the venue parameters of the hotspot
      wan-metrics             Set the wan-metrics of the hotspot

      clrscr                  Clears the display screen
      commit                  Commit all changes made in this session
      do                      Run commands from Exec mode
      end                     End current mode and change to EXEC mode
      exit                    End current mode and down to previous mode
      help                    Description of the interactive help system
      revert                  Revert changes
      service                 Service Commands
      show                    Show running system information
      write                   Write running configuration to memory or terminal

    rfs4000-229D58(config-passpoint-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

27.1 passpoint-policy
PASSPOINT POLICY

The following table summarizes passpoint policy configuration mode commands:
Table 27.1 Hotspot-Policy-Config Commands
    Command                  Description                                                                                       Reference
    3gpp                     Configures a 3rd Generation Partnership Project (3gpp) Public Land Mobile Network (PLMN) ID        page 27-3
    access-network-type      Configures the access network type element in this hotspot                                        page 27-4
    connection-capability    Configures the connection capability element in this passpoint policy                             page 27-5
    domain-name              Configures the RF Domains to which this hotspot is applicable                                     page 27-7
    hessid                   Configures the Homogeneous Extended Service Set Identifier (HESSID) for a specified hotspot zone   page 27-8
    internet                 Advertises the availability of Internet access in this hotspot                                    page 27-9
    ip-address-type          Advertises the IP address type used in this hotspot                                               page 27-10
    nai-realm                Configures a Network Access Identifier (NAI) realm name and enters its configuration mode         page 27-12
    net-auth-type            Configures the network authentication type used in this hotspot                                   page 27-18
    no                       Removes or reverts passpoint policy configuration                                                 page 27-19
    operator                 Configures the operator friendly name for this hotspot                                            page 27-20
    osu                      Configures an online sign up (OSU) SSID/provider and enters its configuration mode                page 27-21
    roam-consortium          Configures the list of Roaming Consortium Organization Identifiers (OIs) supported on this hotspot page 27-31
    venue                    Configures the venue group and type for this passpoint policy                                     page 27-32
    wan-metrics              Configures the WAN performance metrics for this hotspot                                           page 27-36

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

27.1.1 3gpp
passpoint-policy

Configures 3rd Generation Partnership Project (3GPP) Public Land Mobile Network (PLMN) information. The 3GPP PLMN information is a combination of the Mobile Country Code (MCC) and Mobile Network Code (MNC). This MCC and MNC combination uniquely identifies a cellular operator. For example, Telstra Corporation Ltd. in Australia is identified by MCC 505 and MNC 001.
Supported in the following platforms:
    Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
    Wireless Controllers RFS4000, RFS6000
    Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
    3gpp mcc <MOBILE-COUNTRY-CODE> mnc <MOBILE-NETWORK-CODE> {description <LINE>}
Parameters
    3gpp mcc <MOBILE-COUNTRY-CODE> mnc <MOBILE-NETWORK-CODE> {description <LINE>}
    3gpp                         Configures the 3GPP PLMN information that is returned in response to an ANQP query
    mcc <MOBILE-COUNTRY-CODE>    Specifies the MCC. The MCC is a two or three digit decimal value. For example, the MCC for Australia is 505.
    mnc <MOBILE-NETWORK-CODE>    Specifies the MNC. The MNC is a two or three digit decimal value used in combination with the MCC to uniquely identify a mobile network operator. The MNC and MCC combination (also known as the MCC/MNC tuple) forms the first five or six digits of the International Mobile Subscriber Identity (IMSI).
                                 If the MCC and MNC values are not configured, the hotspot does not return the element in an ANQP capability request and ignores any ANQP query for the element.
    description <LINE>           Optional. Configures a description that uniquely identifies this PLMN. Provide a description not exceeding 64 characters in length.
Example
    rfs4000-229D58(config-passpoint-policy-test)#3gpp mcc 505 mnc 14
    rfs4000-229D58(config-passpoint-policy-test)#3gpp mcc 310 mnc 970
    rfs4000-229D58(config-passpoint-policy-test)#show context
    hotspot2-policy test
     3gpp mcc 310 mnc 970
     3gpp mcc 505 mnc 14
    rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
    no    Removes the specified 3gpp PLMN information and its corresponding MCC/MNC settings

27.1.2 access-network-type
passpoint-policy

Configures the access network type for this hotspot. The beacons and probe responses communicate the type of hotspot (public, private, guest-use, emergency, etc.) to clients seeking access.
Supported in the following platforms:
    Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
    Wireless Controllers RFS4000, RFS6000
    Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
    access-network-type [chargeable-public|emergency-services|experimental|free-public|personal-device|private|private-guest|wildcard]
Parameters
    access-network-type [chargeable-public|emergency-services|experimental|free-public|personal-device|private|private-guest|wildcard]
    access-network-type    Select the access network type for this hotspot. The options are:
                           chargeable-public     The network type is a chargeable public network
                           emergency-services    The network is used to provide emergency services only
                           experimental          The network is used for test or experimental purposes only
                           free-public           The network type is a free public network
                           personal-device       The network is used for personal devices only
                           private               The network is a private network
                           private-guest         The network is a private network with guest access (default setting)
                           wildcard              Includes all access network types
                           If the network type is set to chargeable-public, probe responses advertise this hotspot as a chargeable-public hotspot.
Example
    rfs4000-229D58(config-passpoint-policy-test)#access-network-type chargeable-public
    rfs4000-229D58(config-passpoint-policy-test)#show context
    hotspot2-policy test
     access-network-type chargeable-public
     3gpp mcc 310 mnc 970
     3gpp mcc 505 mnc 14
    rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
    no    Reverts to the default access network type setting (private)

27.1.3 connection-capability
passpoint-policy

Configures the connection capability element in this passpoint policy. When configured, it communicates which ports are open or closed on the hotspot, in response to an ANQP query.
Supported in the following platforms:
    Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
    Wireless Controllers RFS4000, RFS6000
    Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
    connection-capability [ftp|http|icmp|ip-protocol|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn]
    connection-capability [ftp|http|icmp|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn] [closed|open|unknown]
    connection-capability ip-protocol <0-255> port <0-65535> [closed|open|unknown]
Parameters
    connection-capability [ftp|http|icmp|ipsec-vpn|pptp-vpn|sip|ssh|tls-vpn] [closed|open|unknown]
    connection-capability    Configures the connection capability element in this passpoint policy
    ftp                      Specifies the protocol type as FTP. Configures TCP port 20.
    http                     Specifies the protocol type as HTTP. Configures TCP port 80.
    icmp                     Specifies the protocol type as ICMP
    ipsec-vpn                Specifies the protocol type as IPSEC VPN. Configures ESP and UDP ports 500 and 4500.
    pptp-vpn                 Specifies the protocol type as PPTP VPN. Configures TCP port 1723.
    sip                      Specifies the protocol type as SIP. Configures TCP port 5060 and UDP port 5060.
    ssh                      Specifies the protocol type as SSH. Configures TCP port 20
    tls-vpn                  Specifies the protocol type as TLS VPN. Configures TCP port 443.
    [closed|open|unknown]    After specifying the protocol type, specify the port (associated with the selected protocol) and its status.
                             closed     Specifies that the port(s) is/are closed
                             open       Specifies that the port(s) is/are open
                             unknown    Specifies that the port(s) status is not known
                             When the connection capability element is not configured, the hotspot does not return the element in an ANQP capability request and ignores any ANQP query for the element.

    connection-capability ip-protocol <0-255> port <0-65535> [closed|open|unknown]
    connection-capability    Configures the connection capability element in this passpoint policy
    ip-protocol <0-255>      Identifies the IP protocol by the protocol's number. For example, for simple message protocol (SMP) specify 121.
    port <0-65535>           After specifying the IP protocol type, specify the port number.
                             port <0-65535>    Select a port for the IP protocol identified.
    [closed|open|unknown]    After specifying the port number, specify the port status.
                             closed     Specifies that the port(s) is/are closed
                             open       Specifies that the port(s) is/are open
                             unknown    Specifies that the port(s) status is not known
                             When the connection capability element is not configured, the hotspot does not return the element in an ANQP capability request and ignores any ANQP query for the element.
Example
    rfs4000-229D58(config-passpoint-policy-test)#connection-capability 1 ip-protocol 2 port 10 closed
    rfs4000-229D58(config-passpoint-policy-test)#show context
    hotspot2-policy test
     access-network-type chargeable-public
     connection-capability ip-protocol 2 port 10 closed
     3gpp mcc 310 mnc 970
     3gpp mcc 505 mnc 14
    rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
    no    Removes the configured connection capability element on the passpoint policy

27.1.4 domain-name
passpoint-policy

Configures the RF Domain(s) that are returned in response to an ANQP query.
Supported in the following platforms:
    Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
    Wireless Controllers RFS4000, RFS6000
    Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
    domain-name <DOMAIN-NAME>
Parameters
    domain-name <DOMAIN-NAME>
    domain-name <DOMAIN-NAME>    Specify the RF Domain name. A hotspot can be applied across multiple RF Domains.
Example
    rfs4000-229D58(config-passpoint-policy-test)#domain-name TechPubs
    rfs4000-229D58(config-passpoint-policy-test)#show context
    hotspot2-policy test
     access-network-type chargeable-public
     connection-capability ip-protocol 2 port 10 closed
     domain-name TechPubs
     3gpp mcc 310 mnc 970
     3gpp mcc 505 mnc 14
    rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
    no    Removes the RF Domain mapped to this passpoint policy

27.1.5 hessid
passpoint-policy

Configures the Homogeneous Extended Service Set Identifier (HESSID) for the hotspot. The HESSID uniquely identifies a hotspot provider within a zone. This is essential in zones (such as an airport or shopping mall) having multiple hotspot service providers with overlapping coverage.
An HESSID is a 6 (six) byte identifier that uniquely identifies a set of APs belonging to the same network and exhibiting the same network behavior. It is the BSSID (MAC address) of one of the devices (AP) in the zone. When not configured, the radio's BSSID is used as the HESSID.
Supported in the following platforms:
    Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
    Wireless Controllers RFS4000, RFS6000
    Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
    hessid <MAC>
Parameters
    hessid <MAC>
    hessid <MAC>    Specify a unique 6 (six) byte identifier for this passpoint policy.
Example
    rfs4000-229D58(config-passpoint-policy-test)#hessid 00-23-68-88-0D-A7
    rfs4000-229D58(config-passpoint-policy-test)#show context
    hotspot2-policy test
     access-network-type chargeable-public
     connection-capability ip-protocol 2 port 10 closed
     domain-name TechPubs
     hessid 00-23-68-88-0D-A7
     3gpp mcc 310 mnc 970
     3gpp mcc 505 mnc 14
    rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
    no    Removes the HESSID configured with this passpoint policy and reverts back to using the radio's BSSID

27.1.6 internet
passpoint-policy

Advertises the availability of Internet access on this hotspot. The Internet bit in the hotspot's beacon and probe responses indicates whether Internet access is available or not. By default this feature is enabled.
Supported in the following platforms:
    Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
    Wireless Controllers RFS4000, RFS6000
    Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
    internet
Parameters
    None
Example
    rfs4000-229D58(config-passpoint-policy-test)#internet
    rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
    no    Removes Internet access on this passpoint policy

27.1.7 ip-address-type
passpoint-policy

Advertises the IP address type used in this hotspot. This information is returned in response to ANQP queries.
Supported in the following platforms:
    Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
    Wireless Controllers RFS4000, RFS6000
    Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000
Syntax
    ip-address-type [ipv4|ipv6]
    ip-address-type ipv4 [double-nat|not-available|port-restricted|port-restricted-double-nat|port-restricted-single-nat|public|single-nat|unknown]
    ip-address-type ipv6 [available|not-available|unknown]
Parameters
    ip-address-type ipv4 [double-nat|not-available|port-restricted|port-restricted-double-nat|port-restricted-single-nat|public|single-nat|unknown]
    ip-address-type ipv4          Configures the IPv4 address type availability information
    double-nat                    Specifies a double NATed private IPv4 address is available
    not-available                 Specifies an IPv4 address is not available
    port-restricted               Specifies a port-restricted IPv4 address is available
    port-restricted-double-nat    Specifies a port-restricted IPv4 address and a double NATed IPv4 address are available
    port-restricted-single-nat    Specifies a port-restricted IPv4 address and a single NATed IPv4 address are available
    public                        Specifies a public IPv4 address is available
    single-nat                    Specifies a single NATed IPv4 address is available
    unknown                       Specifies no information is configured regarding IPv4 address availability

    ip-address-type ipv6 [available|not-available|unknown]
    ip-address-type ipv6          Configures the IPv6 address type availability information
    available                     Specifies an IPv6 address is available
    not-available                 Specifies an IPv6 address is not available
    unknown                       Specifies no information is configured regarding IPv6 address availability
Example
    rfs4000-229D58(config-passpoint-policy-test)#ip-address-type ipv6 available
    rfs4000-229D58(config-passpoint-policy-test)#show context
    hotspot2-policy test
     access-network-type chargeable-public
     connection-capability ip-protocol 2 port 10 closed
     domain-name TechPubs
     hessid 00-23-68-88-0D-A7
     ip-address-type ipv6 available
     3gpp mcc 310 mnc 970
     3gpp mcc 505 mnc 14
    rfs4000-229D58(config-passpoint-policy-test)#
Related Commands no Removes the IP address type configured for this passpoint policy Access Point, Wireless Controller and Service Platform CLI Reference Guide 27 - 11 PASSPOINT POLICY 27.1.8 nai-realm passpoint-policy A Network Access Identifier (NAI) realm element in the passpoint policy identifies a hotspot service provider by the unique NAI realm name. The following table lists NAI realm configuration mode commands:
Table 27.2  NAI-Realm-Config Commands

  Command                         Description                                                                   Reference
  nai-realm                       Creates a NAI realm name for this hotspot and enters its configuration mode   page 27-13
  nai-realm-config-mode commands  Invokes the NAI realm configuration mode commands                             page 27-15

27.1.8.1 nai-realm (nai-realm)

Configures a NAI realm name and enters its configuration mode. The NAI realm name identifies the accessible hotspot service providers. You can configure a list of NAI realm names of service providers operating within a specific hotspot zone. The configured NAI realm name list is presented in the ANQP response to a NAI realm and NAI home realm query.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  nai-realm <HOTSPOT2-NAI-REALM-NAME>

Parameters
  nai-realm <HOTSPOT2-NAI-REALM-NAME>

    nai-realm <HOTSPOT2-NAI-REALM-NAME>   Configures the NAI realm name for this passpoint policy
      <HOTSPOT2-NAI-REALM-NAME>           Specify the NAI realm name for this passpoint policy.

Example
  rfs4000-229D58(config-passpoint-policy-test)#nai-realm mail.example.com
  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#
  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#?
  Hotspot2 NAI Realm Mode commands:
    eap-method  Set an eap method
    no          Negate a command or set its defaults

    clrscr      Clears the display screen
    commit      Commit all changes made in this session
    do          Run commands from Exec mode
    end         End current mode and change to EXEC mode
    exit        End current mode and down to previous mode
    help        Description of the interactive help system
    revert      Revert changes
    service     Service Commands
    show        Show running system information
    write       Write running configuration to memory or terminal

  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#exit
  rfs4000-229D58(config-passpoint-policy-test)#show context
  hotspot2-policy test
   access-network-type chargeable-public
   connection-capability ip-protocol 2 port 10 closed
   domain-name TechPubs
   hessid 00-23-68-88-0D-A7
   ip-address-type ipv6 available
   nai-realm mail.example.com
   nai-realm mail.testrealm.com
   3gpp mcc 310 mnc 970
   3gpp mcc 505 mnc 14
  rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
  no    Removes the NAI realm name configured for this passpoint policy

27.1.8.2 nai-realm-config-mode commands (nai-realm)

The following table summarizes the NAI realm configuration mode commands:

Table 27.3  NAI-Realm-Config-Mode Commands

  Command     Description                                                                                                                                      Reference
  eap-method  Specifies the Extensible Authentication Protocol (EAP) authentication mechanisms supported by each of the service providers associated with this passpoint policy   page 27-16

27.1.8.2.1 eap-method (nai-realm-config-mode commands)

Specifies the EAP authentication mechanisms supported by each of the service providers associated with this passpoint policy.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  eap-method <1-10> [<1-255>|fast|gtc|identity|ikev2|ms-auth|mschapv2|otp|peap|psk|rsa-public-key|sim|tls|ttls] auth-param [credential|expanded-eap|expanded-inner-eap|inner-eap|non-eap-inner|tunn-eap-credential|vendor] [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor]

Parameters
  eap-method <1-10> [<1-255>|fast|gtc|identity|ikev2|ms-auth|mschapv2|otp|peap|psk|rsa-public-key|sim|tls|ttls] auth-param [credential|expanded-eap|expanded-inner-eap|inner-eap|non-eap-inner|tunn-eap-credential|vendor] [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor]

    eap-method <1-10>   Creates an EAP authentication method and assigns it an index number
      <1-10>            Specify an identifier for this EAP method from 1 - 10. A maximum of 10 (ten) authentication methods can be specified for every NAI realm. After creating the EAP authentication method, specify the associated authentication mechanisms (method types).
    <1-255>             Identifies the EAP authentication method type by its Internet Assigned Numbers Authority (IANA) number
      <1-255>           Specify the IANA identity number for the authentication protocol from 1 - 255.
    fast                Specifies the EAP authentication method type as Flexible Authentication via Secure Tunneling (FAST)
    gtc                 Specifies the EAP authentication method type as Generic Token Card (GTC)
    identity            Specifies the EAP authentication method type as Identification
    ikev2               Specifies the EAP authentication method type as Internet Key Exchange Protocol version 2 (IKEv2)
    ms-auth             Specifies the EAP authentication method type as Microsoft Authentication (MS-Auth)
    mschapv2            Specifies the EAP authentication method type as Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)
    otp                 Specifies the EAP authentication method type as One Time Password (OTP)
    peap                Specifies the EAP authentication method type as Protected Extensible Authentication Protocol (PEAP)
    psk                 Specifies the EAP authentication method type as Pre-shared Key (PSK)
    rsa-public-key      Specifies the EAP authentication method type as RSA public key protocol
    sim                 Specifies the EAP authentication method type as GSM Subscriber Identity Module (SIM)
    tls                 Specifies the EAP authentication method type as Transport Layer Security (TLS)
    ttls                Specifies the EAP authentication method type as Tunneled Transport Layer Security (TTLS)
    auth-param [cert|hw-token|nfc-secure-elem|none|sim|soft-token|username-password|usim|vendor]
                        After specifying the EAP authentication method type, specify the authentication parameters. These parameters depend on the EAP authentication mechanism selected. The following credential types are common to all of the above authentication parameters:
      cert                Certificate
      hw-token            Hardware token
      nfc-secure-elem     NFC secure element
      none                No credential
      sim                 Subscriber identity module
      soft-token          Soft token
      username-password   Username and password
      usim                Universal subscriber identity module
      vendor              Vendor specific credential

Example
The following examples show four EAP authentication methods associated with the NAI realm mail.example.com. Each method supports a different EAP authentication mechanism:
  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 1 ttls auth-param vendor hex 00001E
  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 2 rsa-public-key auth-param credential cert
  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#eap-method 4 peap auth-param credential cert
  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#show context
  nai-realm mail.example.com
   eap-method 1 ttls auth-param vendor hex 00121F
   eap-method 2 rsa-public-key auth-param credential cert
   eap-method 3 otp auth-param credential username-password
   eap-method 4 peap auth-param credential cert
  rfs4000-229D58(config-passpoint-policy-test-nai-realm-mail.example.com)#
27.1.9 net-auth-type (passpoint-policy)

Configures the network authentication type used in this hotspot. The details configured are returned in response to an ANQP query.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  net-auth-type [accept-terms|dns-redirect|http-redirect|online-enroll] {url <URL>}

Parameters
  net-auth-type [accept-terms|dns-redirect|http-redirect|online-enroll] {url <URL>}

    net-auth-type    Specifies the network authentication type used with this passpoint policy. The options are: accept-terms, dns-redirect, http-redirect, and online-enroll
      accept-terms   Enables user acceptance of terms and conditions
      dns-redirect   Enables DNS redirection of the user
      http-redirect  Enables HTTP redirection of the user
      online-enroll  Enables online user enrolment
    url <URL>        Optional. Specify the location (URL) for each of the above network authentication types.

Example
  rfs4000-229D58(config-passpoint-policy-test)#net-auth-type accept-terms url "www.test.com"
  rfs4000-229D58(config-passpoint-policy-test)#
  rfs4000-229D58(config-passpoint-policy-test)#show context
  hotspot2-policy test
   access-network-type chargeable-public
   connection-capability ip-protocol 2 port 10 closed
   domain-name TechPubs
   hessid 00-23-68-88-0D-A7
   ip-address-type ipv6 available
   nai-realm mail.example.com
    eap-method 1 ttls auth-param vendor hex 00001E
    eap-method 2 rsa-public-key auth-param credential cert
    eap-method 3 otp auth-param credential username-password
    eap-method 4 peap auth-param credential cert
   nai-realm mail.testrealm.com
   net-auth-type accept-terms url www.test.com
   3gpp mcc 310 mnc 970
   3gpp mcc 505 mnc 14
  rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
  no    Removes the network authentication type configured with this passpoint policy

27.1.10 no (passpoint-policy)

Removes or reverts the passpoint policy settings.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  no [3gpp|access-network-type|connection-capability|domain-name|hessid|internet|ip-address-type|nai-realm|net-auth-type|operator|osu|roam-consortium|venue|wan-metrics]

Parameters
  no <PARAMETERS>

    no <PARAMETERS>   Removes or reverts the passpoint policy settings

Example
The following example shows the passpoint policy test settings before the no commands are executed:
  rfs4000-229D58(config-passpoint-policy-test)#show context
  hotspot2-policy test
   access-network-type chargeable-public
   connection-capability ip-protocol 2 port 10 closed
   domain-name TechPubs
   hessid 00-23-68-88-0D-A7
   ip-address-type ipv6 available
   nai-realm mail.example.com
    eap-method 1 ttls auth-param vendor hex 00001E
    eap-method 2 rsa-public-key auth-param credential cert
    eap-method 3 otp auth-param credential username-password
    eap-method 4 peap auth-param credential cert
   nai-realm mail.testrealm.com
   net-auth-type accept-terms url www.test.com
   3gpp mcc 310 mnc 970
   3gpp mcc 505 mnc 14
  rfs4000-229D58(config-passpoint-policy-test)#

  rfs4000-229D58(config-passpoint-policy-test)#no access-network-type
  rfs4000-229D58(config-passpoint-policy-test)#no hessid
  rfs4000-229D58(config-passpoint-policy-test)#no nai-realm mail.example.com
  rfs4000-229D58(config-passpoint-policy-test)#no 3gpp mcc 310 mnc 970
  rfs4000-229D58(config-passpoint-policy-test)#no internet
  rfs4000-229D58(config-passpoint-policy-test)#show context
  hotspot2-policy test
   connection-capability ip-protocol 2 port 10 closed
   domain-name TechPubs
   no internet
   ip-address-type ipv6 available
   nai-realm mai.testrealm.com
   net-auth-type accept-terms url www.test.com
   3gpp mcc 505 mnc 14
  rfs4000-229D58(config-passpoint-policy-test)#
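A parser and sanity checker for the hotspot2-policy `show context` output used in the nai-realm, eap-method and no examples above, added here as an example; it is not WiNG code. It checks only the limits this chapter documents (EAP method index 1-10 with at most 10 methods per NAI realm, IANA EAP type 1-255, Roaming Consortium OI as hexadecimal of at most 128 characters), reports a NAI realm that advertises no EAP method, and assumes the xx-xx-xx-xx-xx-xx HESSID form shown in the examples; the sample output is constructed from the 27.1.10 example.

```python
"""Parse and sanity-check `show context` output of a WiNG hotspot2-policy.
Added example, not WiNG code; checks only the limits this chapter documents."""
import re
from dataclasses import dataclass, field

EAP_KEYWORDS = {"fast", "gtc", "identity", "ikev2", "ms-auth", "mschapv2", "otp",
                "peap", "psk", "rsa-public-key", "sim", "tls", "ttls"}
# Assumed form of the HESSID, as printed in the guide's examples.
HESSID_RE = re.compile(r"^([0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}$")


@dataclass
class EapMethod:
    index: int                  # the <1-10> slot
    method: str                 # keyword such as "ttls", or an IANA number as text
    auth_params: list = field(default_factory=list)


@dataclass
class Policy:
    name: str = ""
    internet: bool = True       # a "no internet" line turns this off
    hessid: str = ""
    nai_realms: dict = field(default_factory=dict)        # realm -> [EapMethod]
    net_auth_types: list = field(default_factory=list)    # (type, url or None)
    roam_consortiums: list = field(default_factory=list)  # hex OIs


def parse_hotspot2_context(text: str) -> Policy:
    """Nesting comes from keywords (an eap-method belongs to the nai-realm
    that precedes it), so output with lost indentation still parses."""
    policy, realm = Policy(), None
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        kw = words[0]
        if kw == "hotspot2-policy":
            policy.name = words[1]
        elif words[:2] == ["no", "internet"]:
            policy.internet = False
        elif kw == "hessid":
            policy.hessid = words[1]
        elif kw == "nai-realm":
            realm = words[1]
            policy.nai_realms.setdefault(realm, [])
        elif kw == "eap-method" and realm is not None:
            # eap-method <1-10> <type> auth-param <param> [<value>...]
            params = words[4:] if words[3:4] == ["auth-param"] else []
            policy.nai_realms[realm].append(EapMethod(int(words[1]), words[2], params))
        elif kw == "net-auth-type":
            url = words[3] if words[2:3] == ["url"] else None
            policy.net_auth_types.append((words[1], url))
        elif kw == "roam-consortium":          # roam-consortium hex <OI>
            policy.roam_consortiums.append(words[2])
    return policy


def validate(policy: Policy) -> list:
    """Return findings against the limits documented in this chapter."""
    out = []
    if policy.hessid and not HESSID_RE.match(policy.hessid):
        out.append(f"hessid {policy.hessid} is not in xx-xx-xx-xx-xx-xx form")
    for realm, methods in policy.nai_realms.items():
        if not methods:
            out.append(f"nai-realm {realm}: no eap-method advertised to clients")
        if len(methods) > 10:
            out.append(f"nai-realm {realm}: {len(methods)} methods, limit is 10")
        for m in methods:
            if not 1 <= m.index <= 10:
                out.append(f"nai-realm {realm}: eap-method index {m.index} outside 1-10")
            if m.method.isdigit() and not 1 <= int(m.method) <= 255:
                out.append(f"nai-realm {realm}: IANA EAP type {m.method} outside 1-255")
            elif not m.method.isdigit() and m.method not in EAP_KEYWORDS:
                out.append(f"nai-realm {realm}: unknown EAP method {m.method}")
    for oi in policy.roam_consortiums:
        if len(oi) > 128 or not re.fullmatch(r"[0-9A-Fa-f]+", oi):
            out.append(f"roam-consortium OI {oi!r} is not hex of at most 128 chars")
    return out


# Constructed from the guide's 27.1.10 example (state before the `no` commands).
SAMPLE_CONTEXT = """\
hotspot2-policy test
 access-network-type chargeable-public
 hessid 00-23-68-88-0D-A7
 ip-address-type ipv6 available
 nai-realm mail.example.com
  eap-method 1 ttls auth-param vendor hex 00001E
  eap-method 2 rsa-public-key auth-param credential cert
  eap-method 3 otp auth-param credential username-password
  eap-method 4 peap auth-param credential cert
 nai-realm mail.testrealm.com
 net-auth-type accept-terms url www.test.com
 3gpp mcc 310 mnc 970
"""
```

Running `validate(parse_hotspot2_context(SAMPLE_CONTEXT))` on the sample reports only that mail.testrealm.com advertises no EAP method, which is exactly what the 27.1.10 output shows.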
27.1.11 operator (passpoint-policy)

Configures the operator friendly name for this hotspot. The name can be configured in English or in any other language. When the name is specified in English, the system accepts ASCII input. If you are using a language other than English, first specify the ISO-639 language code, and then specify the name as a hexadecimal code.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  operator name <OPERATOR-NAME>

Parameters
  operator name <OPERATOR-NAME>

    name <OPERATOR-NAME>   Configures the operator's name in English
      <OPERATOR-NAME>      Specify the operator friendly name in ASCII format.

Example
  rfs4000-229D58(config-passpoint-policy-test)#operator name emergencyservices
  rfs4000-229D58(config-passpoint-policy-test)#show context
  hotspot2-policy test
   connection-capability ip-protocol 2 port 10 closed
   domain-name TechPubs
   no internet
   ip-address-type ipv6 available
   nai-realm mai.testrealm.com
   net-auth-type accept-terms url www.test.com
   operator name emergencyservices
   3gpp mcc 505 mnc 14
  rfs4000-229D58(config-passpoint-policy-test)#

Related Commands
  no    Removes the operator friendly name configured for this passpoint policy

27.1.12 osu (passpoint-policy)

The following table lists the OSU SSID/provider configuration commands:

Table 27.4  OSU-SSID/Provider Config Commands

  Command                   Description                                                                          Reference
  osu                       Configures an online sign up (OSU) SSID/provider and enters its configuration mode   page 27-22
  osu-config-mode commands  Summarizes the OSU SSID/provider configuration mode commands                         page 27-23

27.1.12.1 osu (osu)

Adds an online sign up (OSU) SSID (WLAN)/OSU provider and enters its configuration mode.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  osu [provider <PASSPOINT-OSU-PROVIDER>|ssid <SSID>]

Parameters
  osu [provider <PASSPOINT-OSU-PROVIDER>|ssid <SSID>]

    osu                                Use this command to configure an online sign up (OSU) SSID/OSU provider. In the OSU SSID/provider configuration mode, specify OSU details, such as names, descriptions, servers, methods, and icons available. This information is returned in response to a station's Hotspot 2.0 query. When configured, this option enables a station to obtain credentials for a Hotspot 2.0 enabled SSID.
    provider <PASSPOINT-OSU-PROVIDER>  Creates an OSU provider for this passpoint and enters its configuration mode
      <PASSPOINT-OSU-PROVIDER>         Specify an identification for this OSU passpoint provider.
    ssid <SSID>                        Configures an OSU WLAN's SSID. This is the open authentication SSID that a user can use to obtain credentials for the passpoint SSID.
      <SSID>                           Specify the SSID.

Example
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#?
  Passpoint OSU Provider Mode commands:
    description  Configure the english description of the online signup provider
    icon         Add an icon for the online signup provider
    method       Specify the online signup method supported by provider
    nai          Configure the NAI for the online signup provider
    name         Configure the english name of the online signup provider
    no           Negate a command or set its defaults
    server-url   Configure the signup url for the online signup provider

    clrscr       Clears the display screen
    commit       Commit all changes made in this session
    do           Run commands from Exec mode
    end          End current mode and change to EXEC mode
    exit         End current mode and down to previous mode
    help         Description of the interactive help system
    revert       Revert changes
    service      Service Commands
    show         Show running system information
    write        Write running configuration to memory or terminal

  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
  no    Removes the OSU WLAN/provider configured with this passpoint policy

27.1.12.2 osu-config-mode commands (osu)

The following table summarizes the OSU SSID/provider configuration mode commands:

Table 27.5  OSU-SSID/Provider-Config-Mode Commands

  Command      Description                                                          Reference
  description  Configures the OSU provider's description                            page 27-24
  icon         Adds the OSU provider's icon                                         page 27-25
  method       Configures the open sign up methods available on this OSU provider   page 27-26
  nai          Configures the OSU provider's NAI                                    page 27-27
  name         Configures the OSU provider's name                                   page 27-28
  no           Removes the settings configured for this OSU provider                page 27-29
  server-url   Configures the OSU provider server's URL                             page 27-30

27.1.12.2.2 description (osu-config-mode commands)

Configures the OSU SSID/provider's description. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  description [<DESCRIPTION>|iso-lang <ISO-LANG-CODE>]

Parameters
  description [<DESCRIPTION>|iso-lang <ISO-LANG-CODE>]

    <DESCRIPTION>              Provides a description for the OSU provider. It should not exceed 253 characters in length.
      <DESCRIPTION>            Specify the description in one or more languages. By default the system configures the description in English.
    iso-lang <ISO-LANG-CODE>   Identifies the language by its ISO 639 language code (for example, chi-chinese or spa-spanish). By default the language is set to English. If specifying the description in any language other than English, specify the ISO language code.

Example
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#description "Provides free service for testing purposes"
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
  osu provider WiFi
   description "Provides free service for testing purposes"
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
  no    Removes this OSU provider's description

27.1.12.2.3 icon (osu-config-mode commands)

Adds the OSU provider's icon. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  icon iso-lang <ISO-LANG-CODE> width <0-65535> height <0-65535> mime-type <FILE-MIME-TYPE> file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>]

Parameters
  icon iso-lang <ISO-LANG-CODE> width <0-65535> height <0-65535> mime-type <FILE-MIME-TYPE> file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>]

    icon                                       Configures an icon representing the OSU provider
    iso-lang <ISO-LANG-CODE>                   Identifies the language by its ISO 639 language code (for example, chi-chinese or spa-spanish). By default the language is set to English. If specifying the image file name and path in any language other than English, specify the ISO language code.
    width <0-65535>                            Configures the icon's width in pixels
      <0-65535>                                Specify a value from 0 - 65535 pixels.
    height <0-65535>                           Configures the icon's height in pixels
      <0-65535>                                Specify a value from 0 - 65535 pixels.
    mime-type <FILE-MIME-TYPE>                 Configures a string describing the icon's standard MIME type. For example, image/png
      <FILE-MIME-TYPE>                         Specify the icon's MIME type.
    file [<IMAGE-FILE-NAME/PATH>|<FILE-NAME>]  Configures the location and name of the image file
      <IMAGE-FILE-NAME/PATH>                   Specify the path and filename. For example, flash:/icon.png
      <FILE-NAME>                              Use this option to specify the filename in the flash:/ directory

Example
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
  osu provider WiFi
   description "Provides free service for testing purposes"
   icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Related Commands
  no    Removes this OSU provider's icon

27.1.12.2.4 method (osu-config-mode commands)

Configures the open sign up methods available on this OSU provider. This value is returned, in the specified order of precedence, in the ANQP OSU providers list.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  method [oma-dm|soap-xml-spp] priority <1-2>

Parameters
  method [oma-dm|soap-xml-spp] priority <1-2>

    method [oma-dm|soap-xml-spp] priority <1-2>   Configures the online sign up methods supported by this OSU provider
      oma-dm          Configures the OSU method used as Open Mobile Alliance (OMA) device management
      soap-xml-spp    Configures the OSU method used as SOAP-XML subscription provisioning protocol
      priority <1-2>  Sets the priority of the specified method. Select a value from 1 - 2. The default is one (1).

Example
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#method soap-xml-spp priority 1
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
  osu provider WiFi
   description "Provides free service for testing purposes"
   icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
   method soap-xml-spp priority 1
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
  no    Removes the online sign up methods configured on this OSU provider

27.1.12.2.5 nai (osu-config-mode commands)

Configures the OSU provider's NAI. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  nai <WORD>

Parameters
  nai <WORD>

    nai <WORD>   Configures the OSU provider's NAI
      <WORD>     Specify the NAI.

Example
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#nai wifi.org
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
  osu provider WiFi
   description "Provides free service for testing purposes"
   icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
   method soap-xml-spp priority 1
   nai wifi.org
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
  no    Removes this OSU provider's NAI

27.1.12.2.6 name (osu-config-mode commands)

Configures the OSU provider's name. This value is returned in the ANQP OSU providers list.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  name [<NAME>|iso-lang <ISO-LANG-CODE>]

Parameters
  name [<NAME>|iso-lang <ISO-LANG-CODE>]

    <NAME>                     Configures the OSU provider's name. It should not exceed 253 characters in length.
      <NAME>                   Specify the name in one or more languages. By default the system configures the name in English.
    iso-lang <ISO-LANG-CODE>   Identifies the language by its ISO 639 language code (for example, chi-chinese or spa-spanish). By default the language is set to English. If specifying the name in any language other than English, specify the ISO language code.

Example
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#name "WIFI Alliance OSU"
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
  osu provider WiFI
   name "WIFI Alliance OSU"
   description "Provides free service for testing purposes"
   icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
   method soap-xml-spp priority 1
   nai wifi.org
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

Related Commands
  no    Removes this OSU provider's name

27.1.12.2.7 no (osu-config-mode commands)

Removes the settings configured for this OSU provider. Once removed, the information is not included in the ANQP providers list.

Supported in the following platforms:
  Access Points         AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
  Wireless Controllers  RFS4000, RFS6000
  Service Platforms     NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
  no [description|icon|method|nai|name|server-url]
  no [description|icon|name] {iso-lang <ISO-LANG-CODE>}
  no [nai|server-url]
  no method [oma-dm|soap-xml-spp]

Parameters
  no <PARAMETERS>

    no <PARAMETERS>   Removes the settings configured for this OSU provider

Example
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
  osu provider WiFi
   name "WIFI Alliance OSU"
   description "Provides free service for testing purposes"
   icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon
   method soap-xml-spp priority 1
   nai wifi.org
   server-url osu-server.wifi.org
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#

  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no description
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no icon iso-lang eng
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#no name
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context
  osu provider WiFi
   method soap-xml-spp priority 1
   nai wifi.org
   server-url osu-server.wifi.org
  nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Access Point, Wireless Controller and Service Platform CLI Reference Guide 27 - 29 PASSPOINT POLICY 27.1.12.2.8 server-url osu-config-mode commands Configures the OSU provider servers URL. This value is returned in the ANQP OSU providers list. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000 Syntax server-url <URL>
Parameters server-url <URL>
server-url <URL>
Configures the OSU provider servers URL
<URL> Specify the servers url. Example nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#server-url osu-server.wifi.org nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#show context osu provider WiFi name "WIFI Alliance OSU"
description "Provides free service for testing purposes"
icon iso-lang eng width 128 height 128 mime-type image/png file flash:/wifi_icon method soap-xml-spp priority 1 nai wifi.org server-url osu-server.wifi.org nx9500-6C8809(config-passpoint-policy-test-osu-provider-WiFi)#
Related Commands no Removes this OSU providers servers URL Access Point, Wireless Controller and Service Platform CLI Reference Guide 27 - 30 PASSPOINT POLICY 27.1.13 roam-consortium passpoint-policy Configures a list of Roaming Consortium (RC) Organization Identifiers (OIs) supported on this hotspot. The beacons and probe responses communicate this Roaming Consortium list to devices. This information enables a device to identify the networks available through this AP. Each OI identifies a either a group of Subscription Service Providers (SSPs) or a single SSP. Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533 Wireless Controllers RFS4000, RFS6000 Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000 Syntax roam-consortium hex <WORD>
Parameters roam-consortium hex <WORD>
roam-consortium hex
<WORD>
Adds a Roaming Consortium OI to this hotspot in hexadecimal format
<WORD> Specify the Roaming Consortium OI in hexadecimal format (should not exceed 128 characters) hex <WORD>
Configures a hexadecimal input
<WORD> Specify the Roaming Consortium OI in hexadecimal format (should not exceed 128 characters) Example rfs4000-229D58(config-passpoint-policy-test)#roam-consortium hex 223344 rfs4000-229D58(config-passpoint-policy-test)#show context hotspot2-policy test connection-capability ip-protocol 2 port 10 closed domain-name TechPubs no internet ip-address-type ipv6 available nai-realm mai.testrealm.com net-auth-type accept-terms url www.test.com operator name emergencyservices roam-consortium hex 223344 3gpp mcc 505 mnc 14 rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
no   Removes the Roaming Consortium OIs supported on this passpoint policy

27.1.14 venue
passpoint-policy

Configures the venue where this hotspot is located. The hotspot venue configuration informs prospective clients about the hotspot's nature of activity, such as educational, institutional, residential, etc.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
venue [group|name]
venue group [assembly|business|educational|industrial|institutional|mercantile|outdoor|residential|storage|unspecified|utility-and-misc|vehicular] type
venue name [<VENUE-NAME>|iso-lang]
venue name <VENUE-NAME>
venue name iso-lang <ISO-LANG-CODE> <VENUE-NAME>

Parameters
venue group [assembly|business|educational|industrial|institutional|mercantile|outdoor|residential|storage|unspecified|utility-and-misc|vehicular] type

venue group   Configures the venue group associated with this hotspot
  type   Specifies the venue type for the selected group. The options available for each group are listed below.

venue group assembly type   Configures the venue group as assembly (1). This hotspot type is applicable to public assembly venues. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  amphitheater   Specifies the venue type as an amphitheater (4)
  amusement-park   Specifies the venue type as an amusement park (5)
  arena   Specifies the venue type as an arena (1)
  bar   Specifies the venue type as a bar (12)
  coffee-shop   Specifies the venue type as a coffee shop (13)
  convention-centre   Specifies the venue type as a convention center (7)
  emergency-coordination-center   Specifies the venue type as an emergency coordination center (15)
  library   Specifies the venue type as a library (8)
  museum   Specifies the venue type as a museum (9)
  passenger-terminal   Specifies the venue type as a passenger terminal (3)
  place-of-worship   Specifies the venue type as a place of worship (6)
  restaurant   Specifies the venue type as a restaurant (10)
  stadium   Specifies the venue type as a stadium (2)
  theater   Specifies the venue type as a theater (11)
  unspecified   Specifies the venue type as not specified (0)
  zoo   Specifies the venue type as a zoo (14)

venue group business type   Configures the venue group as business (2). This hotspot type is applicable to business venues. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  attorney   Specifies the venue type as an attorney's office (9)
  bank   Specifies the venue type as a bank (2)
  doctor   Specifies the venue type as a doctor's or dentist's office (1)
  fire-station   Specifies the venue type as a fire station (3)
  police-station   Specifies the venue type as a police station (4)
  post-office   Specifies the venue type as a post office (5)
  professional-office   Specifies the venue type as a professional office (7)
  research-and-development-facility   Specifies the venue type as a research facility (8)
  unspecified   Specifies the venue type as not specified (0)

venue group educational type   Configures the venue group as educational (3). This hotspot type is applicable to educational institutions. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  school-primary   Specifies the venue type as a primary school (1)
  school-secondary   Specifies the venue type as a secondary school (2)
  university   Specifies the venue type as a university or college (3)
  unspecified   Specifies the venue type as not specified (0)

venue group industrial type   Configures the venue group as industrial (4). This hotspot type is applicable to industrial venues. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  factory   Specifies the venue type as a factory (1)
  unspecified   Specifies the venue type as not specified (0)

venue group institutional type   Configures the venue group as institutional (4). This hotspot type is applicable to public health and other institutions. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  group-home   Specifies the venue type as a group home (4)
  hospital   Specifies the venue type as a hospital (1)
  long-term-care   Specifies the venue type as a long term care facility (2)
  prison   Specifies the venue type as a prison or jail (5)
  rehab   Specifies the venue type as a rehabilitation facility (3)
  unspecified   Specifies the venue type as not specified (0)

venue group mercantile type   Configures the venue group as mercantile (6). This hotspot type is applicable to public mercantile venues. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  automotive   Specifies the venue type as an automotive service center (3)
  gas-station   Specifies the venue type as a gas station (5)
  grocery   Specifies the venue type as a grocery store (2)
  mall   Specifies the venue type as a shopping mall (4)
  retail   Specifies the venue type as a retail store (1)
  unspecified   Specifies the venue type as not specified (0)

venue group outdoor type   Configures the venue group as outdoor (11). This hotspot type is applicable to public outdoor venues. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  bus-stop   Specifies the venue type as a bus stop (5)
  city-park   Specifies the venue type as a city park (2)
  kiosk   Specifies the venue type as a kiosk (6)
  muni-mesh   Specifies the venue type as a muni-mesh (municipal wireless Wi-Fi) (1)
  rest-area   Specifies the venue type as a rest area (3)
  traffic-control   Specifies the venue type as a traffic control area (4)
  unspecified   Specifies the venue type as not specified (0)

venue group residential type   Configures the venue group as residential (7). This hotspot type is applicable to residential complexes. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  boarding-house   Specifies the venue type as a boarding house (4)
  dorm   Specifies the venue type as a dormitory (3)
  hotel   Specifies the venue type as a hotel or motel (2)
  private   Specifies the venue type as a private residence (1)
  unspecified   Specifies the venue type as not specified (0)

venue group storage type   Configures the venue group as storage (8). This hotspot type is applicable to storage groups. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  unspecified   Specifies the venue type as not specified (0)

venue group unspecified type   Configures the venue group as unspecified (0). The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  unspecified   Specifies the venue type as not specified (0)

venue group utility-and-misc type   Configures the venue group as utility and miscellaneous (8). The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  unspecified   Specifies the venue type as not specified (0)

venue group vehicular type   Configures the venue group as vehicular (7). This hotspot type is applicable to mobile venues. The type options are:
  <0-255>   Specifies an unlisted venue type number from 0 - 255
  airplane   Specifies the venue type as an airplane (2)
  auto   Specifies the venue type as an automobile or truck (1)
  bus   Specifies the venue type as a bus (3)
  ferry   Specifies the venue type as a ferry (5)
  motor-bike   Specifies the venue type as a motor bike (7)
  ship   Specifies the venue type as a ship or boat (5)
  train   Specifies the venue type as a train (6)
  unspecified   Specifies the venue type as not specified (0)

venue name <VENUE-NAME>

venue name <WORD>   Configures the venue name in English
  <WORD>   Specify the venue name in ASCII format.

venue name iso-lang <ISO-LANG-CODE> <VENUE-NAME>

venue name iso-lang <ISO-LANG-CODE> <VENUE-NAME>   Configures a non-English venue name
  iso-lang <ISO-LANG-CODE>   Identifies the language by its ISO 639 language code (for example, chi-chinese or spa-spanish).
  <ISO-LANG-CODE>   Specify the 3 character ISO 639 language code (for example, chi-chinese or spa-spanish).
  <VENUE-NAME>   Specifies the venue name as a hexadecimal code

Example
rfs4000-229D58(config-passpoint-policy-test)#venue name PublicSchool
rfs4000-229D58(config-passpoint-policy-test)#venue group assembly type coffee-shop
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 operator name emergencyservices
 roam-consortium hex 223344
 venue group assembly type coffee-shop
 venue name PublicSchool
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
no   Removes the venue group and type configured with this passpoint policy

27.1.15 wan-metrics
passpoint-policy

Configures the WAN performance metrics for this hotspot. This command configures the upstream and downstream speeds associated with this hotspot. The upstream and downstream speed values (in Kbps) are estimates of the bandwidth available on the WAN. This information is returned in response to a client ANQP query, and is useful for clients having a minimum and/or large bandwidth requirement.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX7500, NX7510, NX7520, NX7530, NX95XX, NX9600, VX9000

Syntax
wan-metrics down-speed <0-4294967295> up-speed <0-4294967295>

Parameters
wan-metrics down-speed <0-4294967295> up-speed <0-4294967295>

wan-metrics down-speed <0-4294967295> up-speed <0-4294967295>   Specifies the WAN metrics for the up and down traffic
  down-speed <0-4294967295>   Configures the downstream traffic speed. Specify a value from 0 - 4294967295 Kbps.
  up-speed <0-4294967295>   Configures the upstream traffic speed. Specify a value from 0 - 4294967295 Kbps.

Example
rfs4000-229D58(config-passpoint-policy-test)#wan-metrics down-speed 2000 up-speed 2000
rfs4000-229D58(config-passpoint-policy-test)#show context
hotspot2-policy test
 connection-capability ip-protocol 2 port 10 closed
 domain-name TechPubs
 no internet
 ip-address-type ipv6 available
 nai-realm mai.testrealm.com
 net-auth-type accept-terms url www.test.com
 operator name emergencyservices
 roam-consortium hex 223344
 venue group assembly type coffee-shop
 venue name PublicSchool
 wan-metrics down-speed 2000 up-speed 2000
 3gpp mcc 505 mnc 14
rfs4000-229D58(config-passpoint-policy-test)#
Related Commands
no   Removes the WAN metrics configuration on this passpoint policy

28 BORDER GATEWAY PROTOCOL

This chapter summarizes the Border Gateway Protocol (BGP) related configuration commands in the CLI command structure.

BGP is a routing protocol which establishes routing between ISPs. ISPs use BGP to exchange routing information between Autonomous Systems (ASs) on the Internet. The routing information shared includes details such as the ASs traversed to a particular destination, reachable ASs, best paths available, network policies and rules applied on a route, etc. These details appear as BGP attributes carried in routing update packets. BGP uses this information to make routing decisions. Therefore, the primary role of a BGP system is to exchange routing information with other BGP peers.

BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed).

Routing information exchanged through BGP supports only destination-based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet).

An AS is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. There are two types of BGP systems: external BGP (eBGP) and internal BGP (iBGP). iBGP represents the exchange of routing information between BGP peers within an AS, whereas when two BGP peers belonging to different ASs are connected you have an eBGP setup.

BGP peers (also referred to as neighbors) are BGP enabled devices that are directly connected through an established TCP connection. When two BGP enabled peers establish a TCP connection for the first time, they exchange their BGP routing tables. All subsequent route table modifications are exchanged as route updates. BGP tracks these route updates by maintaining route table version numbers. With every update the version number changes. At any given point in time, all BGP peers should have the same route table version. The peer-to-peer TCP connections are kept alive through keepalive packets exchanged at specified intervals. Errors and special events are communicated between peers as notification packets.

This chapter is organized as follows:
bgp-ip-prefix-list-config commands
bgp-ip-access-list-config commands
bgp-as-path-list-config commands
bgp-community-list-config commands
bgp-extcommunity-list-config commands
bgp-route-map-config commands
bgp-router-config commands
bgp-neighbor-config commands

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

28.1 bgp-ip-prefix-list-config commands

IP prefix lists are a convenient way to filter prefixes (contained in route update packets) transmitted to (or received from) other BGP supported routers. IP prefix lists are similar to access lists. They contain ordered entries (deny or permit prefix rules), identified by their sequence numbers. Each rule specifies match criteria (network and subnet prefixes and prefix masks) to match. When a prefix (received or transmitted) matches the prefix specified in one of the rules, it is filtered and an action is applied depending on where the IP prefix list is used. For example, when used in the BGP neighbor context, the prefixes received from the neighbor are filtered and the filtered prefixes are either rejected or accepted depending on the rule type (deny or permit). IP prefix lists are also used in the BGP route map context to filter prefixes. The action applied on filtered prefixes is set within the route map. Another use case for IP prefix lists is to filter prefixes before redistribution of local OSPF routes to eBGP enabled ASs.

As in access lists, these deny and permit prefix rules are processed sequentially, in ascending order of their sequence number. Once a match is made, the BGP enabled router stops processing all subsequent rules in the ip-prefix-list.

IP prefix lists are used as match criteria in the following contexts:
BGP neighbor. For more information, see use.
BGP route-map context. For more information, see match.

To navigate to the ip-prefix-list configuration instance, use the following command:
<DEVICE>(config)#bgp ip-prefix-list <IP-PREFIX-LIST-NAME>
<DEVICE>(config-bgp-ip-prefix-list-test)#?
BGP IP Prefix List Mode commands:
  deny     IP Prefix deny rule to specify packets to reject
  no       Negate a command or set its defaults
  permit   IP Prefix permit rule to specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

<DEVICE>(config-bgp-ip-prefix-list-test)#

The following table summarizes the BGP IP prefix list configuration commands:

Table 28.1 BGP-IP-Prefix-List-Config Commands
Command   Description                                                                        Reference
deny      Creates and configures a deny prefix-list rule                                     page 28-4
permit    Creates and configures a permit prefix-list rule                                   page 28-5
no        Removes the specified deny or permit prefix-list rule from this IP prefix list     page 28-6

28.1.1 deny
bgp-ip-prefix-list-config commands

Creates and configures a deny prefix-list rule. The deny rule specifies match criteria based on which prefixes received from (or transmitted to) a BGP neighbor are filtered. A deny action is applied on these filtered prefixes. For example, in the BGP router neighbor context a filter is applied using an IP prefix list. The list contains a deny rule with a prefix to match as 192.168.13.0/24. All prefixes received from the neighbor matching this prefix are denied.

Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX9500, NX9510, NX9600

Syntax
deny prefix-list <1-4292967294> [<PREFIX-TO-MATCH/MASK>|any]
deny prefix-list <1-4292967294> [<PREFIX-TO-MATCH/MASK> {ge <0-32>|le <0-32>}|any]

Parameters
deny prefix-list <1-4292967294> [<PREFIX-TO-MATCH/MASK> {ge <0-32>|le <0-32>}|any]

deny prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]   Creates and configures a deny prefix-list rule
  <1-4294967295>   Configures a sequence number for this deny rule. Specify a value from 1 - 4294967295. Within a prefix list, rules are applied in ascending order of their sequence number. Rules with a lower sequence number are applied first.
  <PREFIX-TO-MATCH/MASK>   Specify the prefix to match. For example 10.0.0.0/8 or 192.168.13.0/24. Routes matching the specified prefix are filtered.
    ge <0-32>   Optional. Specifies a greater than or equal to value for the IP prefix length (subnet mask)
    le <0-32>   Optional. Specifies a less than or equal to value for the IP prefix length
    The ge and le options specify an IP prefix length range. Use these options to specify a more specific (granular) prefix match criteria.
  any   Sets the prefix match criteria to any. When selected, all routes are filtered, and the action applied is deny. At the backend, this option sets the match criteria to 0.0.0.0/0 le 32.

Example
nx9500-6C8809(config-bgp-ip-prefix-list-test)#deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
Related Commands
no   Removes a deny prefix-list rule from this IP prefix list

28.1.2 permit
bgp-ip-prefix-list-config commands

Creates and configures a permit prefix-list rule. The permit rule specifies match criteria based on which prefixes received from (or transmitted to) a BGP neighbor are filtered. A permit action is applied on these filtered prefixes. For example, in the BGP router neighbor context a filter is applied using an IP prefix list. The list contains a permit rule with a prefix to match as 172.168.10.0/24. All prefixes received from the neighbor matching this prefix are permitted.

Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX9500, NX9510, NX9600

Syntax
permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]

Parameters
permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]

permit prefix-list <1-4294967295> [<PREFIX-TO-MATCH/MASK>|any]   Creates and configures a permit prefix-list rule
  <1-4294967295>   Configures a sequence number for this permit rule. Specify a value from 1 - 4294967295. Within a prefix list, rules are applied in ascending order of their sequence number. Rules with a lower sequence number are applied first.
  <PREFIX-TO-MATCH/MASK>   Specify the prefix to match. For example 10.0.0.0/8 or 192.168.13.0/24. Routes matching the specified prefix are filtered.
    ge   Optional. Specifies a greater than or equal to value for the IP prefix length (subnet mask)
    le   Optional. Specifies a less than or equal to value for the IP prefix length
    Use the ge and le options to specify an IP prefix length range. Use these options to specify a more specific (granular) prefix match criteria.
  any   Sets the prefix match criteria to any. When selected, all routes are filtered, and the action applied is permit. At the backend, this option sets the match criteria to 0.0.0.0/0 le 32.

Example
nx9500-6C8809(config-bgp-ip-prefix-list-test)#permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
Related Commands
no   Removes a permit prefix rule from this IP prefix list

28.1.3 no
bgp-ip-prefix-list-config commands

Removes the specified deny or permit prefix-list rule from this IP prefix list

Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX9500, NX9510, NX9600

Syntax
no [deny|permit]
no [deny|permit] prefix-list <1-4294967295> {<PREFIX-TO-MATCH/MASK>|any}

Parameters
no <PARAMETERS>

no <PARAMETERS>   Removes a deny or permit rule from this IP prefix list

Example
The following example shows the IP prefix list test settings before the no command is executed:
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#

The following example shows the IP prefix list test settings after the no command is executed:
nx9500-6C8809(config-bgp-ip-prefix-list-test)#no deny prefix-list 1 168.192.13.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#show context
bgp ip-prefix-list test
 permit prefix-list 2 172.122.10.0/24
nx9500-6C8809(config-bgp-ip-prefix-list-test)#
28.2 bgp-ip-access-list-config commands

BGP peers and route maps can reference a single IP based access control list (ACL). Apply IP ACLs to both inbound and outbound route updates. When applied to a BGP enabled router, every route update is passed through the ACL. Each ACL contains deny and permit entries that are applied sequentially, in the order they appear within the list. When a route matches an entry, the decision to permit or deny the route is applied. Once a match is made the remaining entries in the ACL are not processed.

BGP IP ACLs are used as match criteria in the following contexts:
BGP neighbor. For more information, see use.
BGP route-map context. For more information, see match.

To navigate to the BGP IP ACL configuration instance, use the following command:
<DEVICE>(config)#bgp ip-access-list <IP-ACL-NAME>
<DEVICE>(config-bgp-ip-access-list-<IP-ACL-NAME>)#?
BGP IP Access List Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

<DEVICE>(config-bgp-ip-access-list-<IP-ACL-NAME>)#

The following table summarizes the BGP IP access list configuration commands:

Table 28.2 BGP-IP-ACL-Config Commands
Command   Description                                                  Reference
deny      Creates and configures a deny entry rule for this BGP IP ACL page 28-8
permit    Creates and configures a permit entry for this BGP IP ACL    page 28-9
no        Removes a deny or permit entry from this BGP IP ACL          page 28-10

28.2.1 deny
bgp-ip-access-list-config commands

Creates and configures a deny entry for this BGP IP ACL

Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX9500, NX9510, NX9600

Syntax
deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

Parameters
deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

deny access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]   Creates and configures a deny entry for this BGP IP ACL
  <PREFIX-TO-MATCH/MASK>   Specify the prefix to match.
    exact-match   Optional. Enables an exact match of the prefix provided in the previous step. When configured, the route is denied only in case of an exact match.
  any   Specifies the prefix to match as any.

Example
nx9500-6C8809(config-bgp-ip-access-list-test)#deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
Related Commands
no   Removes the specified deny entry in this BGP IP ACL

28.2.2 permit
bgp-ip-access-list-config commands

Creates and configures a permit entry for this BGP IP ACL

Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX9500, NX9510, NX9600

Syntax
permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

Parameters
permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]

permit access-list [<PREFIX-TO-MATCH/MASK> {exact-match}|any]   Creates and configures a permit entry for this BGP IP ACL
  <PREFIX-TO-MATCH/MASK>   Specify the prefix to match.
    exact-match   Optional. Enables an exact match of the prefix provided in the previous step. When configured, the route is permitted only in case of an exact match.
  any   Specifies the prefix to match as any.

Example
nx9500-6C8809(config-bgp-ip-access-list-test)#permit access-list 172.168.10.0/24
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 permit access-list 172.168.10.0/24
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
Related Commands
no   Removes the specified permit entry in this BGP IP ACL

28.2.3 no
bgp-ip-access-list-config commands

Removes a deny or permit entry from this BGP IP ACL

Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX9500, NX9510, NX9600

Syntax
no [deny|permit]
no [deny|permit] access-list [<PREFIX-TO-MATCH/MASK>|any]

Parameters
no <PARAMETERS>

no <PARAMETERS>   Removes a deny or permit entry from this BGP IP ACL

Example
The following example shows the BGP IP ACL test settings before the no command is executed:
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 permit access-list 172.168.10.0/24
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
nx9500-6C8809(config-bgp-ip-access-list-test)#no permit access-list 172.168.10.0/24

The following example shows the BGP IP ACL test settings after the no command is executed:
nx9500-6C8809(config-bgp-ip-access-list-test)#show context
bgp ip-access-list test
 deny access-list 192.168.13.0/24 exact-match
nx9500-6C8809(config-bgp-ip-access-list-test)#
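The following is an added example, not code from the CLI guide or from WiNG, that evaluates the prefix-list semantics of section 28.1 (ascending sequence order, first match wins, ge/le length bounds, any as 0.0.0.0/0 le 32) and the access-list semantics of section 28.2 (configured order, exact-match) against candidate routes. It reads the guide's own show context output; the rules with sequence numbers 3 and 10, the trailing permit any entry, the implicit deny when nothing matches, and the default length range when ge/le are omitted are assumptions not stated by the guide.

```python
"""Added example, not code from the CLI guide or from WiNG: evaluates a BGP IP
prefix list (section 28.1) and a BGP IP access list (section 28.2) as the guide
describes: ascending sequence order, first match wins, 'any' = 0.0.0.0/0 le 32,
and exact-match requires the route's mask to equal the entry's mask."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class PrefixRule:
    seq: int
    action: str            # "permit" or "deny"
    prefix: Optional[str]  # e.g. "10.0.0.0/8"; None stands for 'any'
    ge: Optional[int] = None
    le: Optional[int] = None

@dataclass
class AclEntry:
    action: str
    prefix: Optional[str]  # None stands for 'any'
    exact_match: bool = False

def parse_prefix_list(config_text: str) -> List[PrefixRule]:
    """Parses 'deny|permit prefix-list <seq> <prefix>|any [ge N] [le N]' lines."""
    rules = []
    for line in config_text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "prefix-list":
            continue  # skips the 'bgp ip-prefix-list <name>' header line
        prefix = None if tok[3] == "any" else tok[3]
        bounds = {"ge": None, "le": None}
        for key, val in zip(tok[4::2], tok[5::2]):  # optional 'ge N' / 'le N'
            bounds[key] = int(val)
        rules.append(PrefixRule(int(tok[2]), tok[0], prefix, bounds["ge"], bounds["le"]))
    return rules

def parse_ip_acl(config_text: str) -> List[AclEntry]:
    """Parses 'deny|permit access-list <prefix>|any [exact-match]' lines."""
    entries = []
    for line in config_text.strip().splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "access-list":
            continue
        prefix = None if tok[2] == "any" else tok[2]
        entries.append(AclEntry(tok[0], prefix, "exact-match" in tok[3:]))
    return entries

def _prefix_rule_matches(rule: PrefixRule, route: ipaddress.IPv4Network) -> bool:
    if rule.prefix is None:  # 'any' is stored as 0.0.0.0/0 le 32 on the device
        return True
    net = ipaddress.ip_network(rule.prefix, strict=False)
    if not route.subnet_of(net):
        return False
    # Without ge/le the route length must equal the rule's mask; ge alone runs
    # up to /32 (standard prefix-list behaviour, assumed here because the guide
    # does not spell out the default case).
    lo = rule.ge if rule.ge is not None else net.prefixlen
    hi = rule.le if rule.le is not None else (32 if rule.ge is not None else net.prefixlen)
    return lo <= route.prefixlen <= hi

def prefix_list_action(rules: List[PrefixRule], route: str) -> str:
    net = ipaddress.ip_network(route, strict=False)
    for rule in sorted(rules, key=lambda r: r.seq):  # lower sequence first
        if _prefix_rule_matches(rule, net):
            return rule.action  # first match ends processing
    return "deny"  # no rule matched: treated as deny (assumption)

def ip_acl_action(entries: List[AclEntry], route: str) -> str:
    """Entries apply in configured order; the first match ends processing."""
    net = ipaddress.ip_network(route, strict=False)
    for entry in entries:
        if entry.prefix is None:
            return entry.action
        target = ipaddress.ip_network(entry.prefix, strict=False)
        hit = (net == target) if entry.exact_match else net.subnet_of(target)
        if hit:
            return entry.action
    return "deny"  # no entry matched: treated as deny (assumption)

# The guide's own 'show context' output for prefix list 'test', plus two
# constructed rules (3 and 10) that exercise ge/le and 'any'.
PREFIX_LIST_TEST = """
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
 permit prefix-list 3 10.0.0.0/8 ge 16 le 24
 deny prefix-list 10 any
"""
# The guide's BGP IP ACL 'test' plus a constructed trailing 'permit any'.
IP_ACL_TEST = """
bgp ip-access-list test
 permit access-list 172.168.10.0/24
 deny access-list 192.168.13.0/24 exact-match
 permit access-list any
"""

if __name__ == "__main__":
    rules, acl = parse_prefix_list(PREFIX_LIST_TEST), parse_ip_acl(IP_ACL_TEST)
    print(prefix_list_action(rules, "10.1.1.0/25"))  # deny: /25 is longer than le 24
    print(ip_acl_action(acl, "192.168.13.0/25"))     # permit: exact-match only denies the /24
```

Note that an exact-match deny leaves more-specific prefixes such as 192.168.13.0/25 to the entries that follow it, so a trailing permit any lets them through.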
28.3 bgp-as-path-list-config commands

BGP enabled devices use routing updates to exchange network routing information with each other. This information includes route details, such as the network number, path specific attributes, and the list of Autonomous System Numbers (ASNs) that a route traverses to reach a destination. This list is contained in the AS path.

An AS path access control list (ACL) filters AS paths (routes) included in routing updates. Each AS path access list consists of deny and/or permit rules that define regular expressions (match criteria). When configured and applied on inbound and outbound routing updates, the BGP AS path attributes are matched against the regular expressions specified in the AS path ACL. In case of a match, the route is filtered and an action (deny or permit) is applied. Once a match is made subsequent rules in the AS path access list are not processed.

AS path access lists also help prevent looping within an AS. Routing loops are prevented by rejecting routing updates containing local ASNs. Since a local ASN indicates that the route has already traveled through that autonomous system, rejecting such updates avoids looping.

AS path access lists are used as match criteria in the following contexts:
BGP neighbor. For more information, see use.
BGP route map context. For more information, see match.

To navigate to the AS path configuration instance, use the following command:
<DEVICE>(config)#bgp as-path <AS-PATH-LIST-NAME>
<DEVICE>(config-bgp-as-path-list-<AS-PATH-LIST-NAME>)#?
BGP AS Path List Mode commands:
  deny     Specify packets to reject
  no       Negate a command or set its defaults
  permit   Specify packets to forward

  clrscr   Clears the display screen
  commit   Commit all changes made in this session
  do       Run commands from Exec mode
  end      End current mode and change to EXEC mode
  exit     End current mode and down to previous mode
  help     Description of the interactive help system
  revert   Revert changes
  service  Service Commands
  show     Show running system information
  write    Write running configuration to memory or terminal

<DEVICE>(config-bgp-as-path-list-<AS-PATH-LIST-NAME>)#

The following table summarizes the BGP AS path list configuration commands:

Table 28.3 BGP-AS-Path-List-Config Commands
Command   Description                                           Reference
deny      Creates and configures a deny as-path-list rule       page 28-12
permit    Creates and configures a permit as-path-list rule     page 28-13
no        Removes a deny or permit rule from this AS path ACL   page 28-14

28.3.1 deny
bgp-as-path-list-config commands

Creates and configures a deny as-path-list rule. The deny rule specifies a regular expression to match. This regular expression is matched as a string against the BGP AS paths contained in routing updates. AS paths matching the provided string are filtered and a deny action is applied.

Supported in the following platforms:
Wireless Controllers RFS4000, RFS6000
Service Platforms NX9500, NX9510, NX9600

Syntax
deny as-path <REG-EXP>

Parameters
deny as-path <REG-EXP>

deny as-path <REG-EXP>   Configures a match criteria (regular expression).
  <REG-EXP>   Specify the regular expression to match (should not exceed 64 characters and should be unique to the AS path list rule). Regular expressions are treated as an ASCII string and not as a sequence of numbers. Create a regular expression ideally suited to filter the required AS paths.

Usage Guidelines
The following table lists some of the characters used in forming regular expressions:

Character to use   Description
^                  Indicates the start of a string
$                  Indicates the end of a string
_ (underscore)     Indicates a comma, left brace, right brace, start and end of an input string, or a space. For example, _ _.

Example
nx9500-6C8809(config-bgp-as-path-list-test)#deny as-path ^100$
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
nx9500-6C8809(config-bgp-as-path-list-test)#
Related Commands
no   Removes the specified deny as-path ACL rule

28.3.2 permit
bgp-as-path-list-config commands

Creates and configures a permit as-path-list rule. The permit rule specifies a regular expression that is matched against the BGP AS paths contained in routing updates. AS paths matching the expression are filtered and a permit action is applied.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
permit as-path <REG-EXP>
Parameters
permit as-path <REG-EXP>

permit as-path <REG-EXP>   Configures a match criterion (regular expression).
                           <REG-EXP> Specify the regular expression to match (should not exceed 64 characters and should be unique to the AS path list rule). The regular expression is applied to the AS path as an ASCII string, not as a sequence of numbers; anchor it so that it selects only the required AS paths.

Usage Guidelines
The following table lists some of the characters used in forming regular expressions:

Character to use   Description
^                  Indicates the start of a string
$                  Indicates the end of a string
_ (underscore)     Indicates a comma, left brace, right brace, the start or end of the input string, or a space. For example, _200_ matches AS 200 wherever it appears in the path, but not AS 2000 or AS 1200.

Example
nx9500-6C8809(config-bgp-as-path-list-test)#permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#permit as-path _323_
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _323_
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#
Related Commands
no   Removes the specified permit as-path ACL rule

28.3.3 no
bgp-as-path-list-config commands

Removes a deny or permit rule from this AS path ACL

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
no [deny|permit] as-path <REG-EXP>

Parameters
no <PARAMETERS>

no <PARAMETERS>   Removes a deny or permit rule from this AS path ACL. Specify the rule exactly as it was configured (action and regular expression), as in the example below.

Example
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _323_
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#
nx9500-6C8809(config-bgp-as-path-list-test)#no permit as-path _323_
nx9500-6C8809(config-bgp-as-path-list-test)#show context
bgp as-path-list test
 deny as-path ^100$
 permit as-path _200_
nx9500-6C8809(config-bgp-as-path-list-test)#
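The string semantics of these rules are easy to get wrong, so here is an added Python example; it is not code from this guide or from the WiNG software. It translates the `_` delimiter described in the usage guidelines into a standard regular expression (how the device expands it internally is an assumption) and evaluates the as-path-list `test` built above against constructed AS paths, assuming first-match evaluation with an implicit deny after the last rule, the usual semantics for such lists. It also shows why anchoring matters: an unanchored `20` matches AS 200, while `_20_` does not.

```python
import re

# Translate the CLI's regex dialect into a Python regex. Per the usage
# guidelines "_" stands for a comma, brace, space, or the start or end of the
# input string; that the device expands it exactly this way is an assumption.
def to_python_regex(cli_regex):
    return cli_regex.replace("_", r"(?:^|[ ,{}]|$)")


def as_path_matches(cli_regex, as_path):
    """Match one rule against the AS path rendered as a space-separated string."""
    text = " ".join(str(asn) for asn in as_path)
    return re.search(to_python_regex(cli_regex), text) is not None


def evaluate_as_path_list(rules, as_path):
    """rules: (action, regex) in configured order. First match wins; a path
    matching no rule is denied (assumed implicit deny)."""
    for action, cli_regex in rules:
        if as_path_matches(cli_regex, as_path):
            return action
    return "deny"


# The as-path-list "test" as shown by "show context" above.
TEST_LIST = [("deny", "^100$"), ("permit", "_323_"), ("permit", "_200_")]

# Constructed sample paths; the left-most AS is the neighbour that sent the route.
SAMPLE_PATHS = {
    "100 only": [100],
    "100 then 200": [100, 200],
    "via 323": [65001, 323, 65002],
    "2000 looks like 200": [2000],
    "1200 looks like 200": [1200],
    "no rule matches": [65001, 65002],
}


def classify_samples():
    return {name: evaluate_as_path_list(TEST_LIST, path) for name, path in SAMPLE_PATHS.items()}


def unanchored_overmatch():
    """The ASCII-string pitfall: '20' matches AS 200, '_20_' does not."""
    return as_path_matches("20", [200]), as_path_matches("_20_", [200])


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:22s} -> {verdict}")
    print("unanchored '20' vs '_20_' on [200]:", unanchored_overmatch())
```

Note that `[100, 200]` is permitted even though it passes through AS 100: `^100$` only denies a path consisting of exactly the one AS 100, and the later `_200_` rule then permits it. A rule intended to reject anything that traverses AS 100 has to be written `_100_`.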
28.4 bgp-community-list-config commands
BORDER GATEWAY PROTOCOL

Creates and configures a named community list

IP BGP routes have a set of attributes, mandatory and optional. The community and extended community attributes are optional. Optional attributes are specified by network administrators to mark (color) routes received in updates containing these attributes. These marked routes are filtered and special actions applied (accepted, preferred, distributed, or advertised). For example, the NO_EXPORT community indicates that routes carrying it are local and are not to be advertised to external ASs. Similarly, a set of routes using a common routing policy can be tagged with a community, and the policy applied to the community.

A BGP community is a group of routes sharing common attributes. Route updates carry community information in the form of path attributes. These attributes identify community members.

A BGP community list is a list of deny or permit entries. It is either assigned a name (regular expressions, predefined community names) or a number. Assigning names to community lists increases the number of configurable community lists. All rules applicable to numbered community lists apply to named community lists too; the only difference is the number of attributes configurable for a named community list.

Since the community attribute is optional, it is shared only between devices that understand communities and are configured to handle them. By default the community attribute is not sent to neighbors unless the send-community option is enabled in the BGP neighbor context. For more information, see send-community. Without send-community, a neighbor's inbound policy cannot match on communities this device attaches, so the tags are lost at the first hop.

Some of the predefined, globally used communities are:
no-export      Routes tagged with this community are not advertised to external BGP peers
no-advertise   Routes tagged with this community are not advertised to any BGP peers
local-as       Routes tagged with this community are not advertised outside the local AS
internet       Routes tagged with this community are advertised to the internet community. By default all BGP enabled devices belong to this community.

BGP community lists are used in the following context as match clauses:
BGP route map context. For more information, see match.

To navigate to the BGP community configuration instance, use the following command:

<DEVICE>(config)#bgp community-list <COMMUNITY-LIST-NAME>
<DEVICE>(config-bgp-community-list-<COMMUNITY-LIST-NAME>)#?
BGP Community List Mode commands:
  deny      Add a BGP Community List deny rule to specify a community to reject
  no        Negate a command or set its defaults
  permit    Add a BGP Community List permit rule to specify a community to accept

  clrscr    Clears the display screen
  commit    Commit all changes made in this session
  do        Run commands from Exec mode
  end       End current mode and change to EXEC mode
  exit      End current mode and down to previous mode
  help      Description of the interactive help system
  revert    Revert changes
  service   Service Commands
  show      Show running system information
  write     Write running configuration to memory or terminal

<DEVICE>(config-bgp-community-list-<COMMUNITY-LIST-NAME>)#

The following table summarizes the BGP community list configuration commands:

Table 28.4 BGP-Community-List-Config Commands

Command   Description                                                                    Reference
deny      Creates and configures a deny community (expanded or standard) rule            page 28-17
permit    Creates and configures a permit community (expanded or standard) rule          page 28-19
no        Removes an existing deny or permit community rule from this community list     page 28-21

28.4.1 deny
bgp-community-list-config commands

Creates and configures a deny community (expanded or standard) rule

Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies the patterns to match in the community attributes.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
deny community [expanded|standard]
deny community expanded <LINE>
deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]

Parameters
deny community expanded <LINE>

deny community expanded <LINE>   Configures a deny expanded community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the community attributes.
                                 <LINE> Provide the regular expression.

deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]

deny community standard [AA:NN|internet|local-AS|no-advertise|no-export]   Configures a deny standard community list entry and associates it with a predefined, globally used, known community or community number. The options are:
    AA:NN          Configures the community number. The first part (AA) represents the AS number. The second part (NN) represents a 2-byte number.
    internet       Advertises this route to the internet community
    local-AS       Prevents transmission of this route outside the local AS
    no-advertise   Prevents advertisement of this route to any peer (internal or external)
    no-export      Prevents advertisement of this route to external BGP peers (keeping this route within an AS)

Example
nx9500-6C8809(config-bgp-community-list-test)#deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.0.0-029R
!
!
version 2.5
!
!
.......................................................
!
bgp ip-prefix-list PrefixList_01
 deny prefix-list 1 192.163.0.0/16 ge 17 le 17
!
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
!
bgp community-list test
 deny community expanded 100
!
--More--
nx9500-6C8809(config)#

Related Commands
no   Removes the specified deny community rule from this community list

28.4.2 permit
bgp-community-list-config commands

Creates and configures a permit community (expanded or standard) rule

Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies the patterns to match in the community attributes.

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
permit community [expanded|standard]
permit community expanded <LINE>
permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]

Parameters
permit community expanded <LINE>

permit community expanded <LINE>   Configures a permit expanded community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the community attributes.
                                   <LINE> Provide the regular expression.

permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]

permit community standard [AA:NN|internet|local-AS|no-advertise|no-export]   Configures a permit standard community list entry and associates it with a predefined, globally used, known community or community number. The options are:
    AA:NN          Configures the community number. The first part (AA) represents the AS number. The second part (NN) represents a 2-byte number.
    internet       Advertises this route to the internet community
    local-AS       Prevents transmission of this route outside the local AS
    no-advertise   Prevents advertisement of this route to any peer (internal or external)
    no-export      Prevents advertisement of this route to external BGP peers (keeping this route within an AS)

Example
nx9500-6C8809(config-bgp-community-list-test)#permit community expanded 300
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 permit community expanded 300
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#

nx9500-6C8809(config-bgp-community-list-test1)#permit community standard no-export
nx9500-6C8809(config-bgp-community-list-test1)#show context
bgp community-list test1
 permit community standard no-export
nx9500-6C8809(config-bgp-community-list-test1)#
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
version 2.5
!
!
........................................................
!
bgp ip-prefix-list PrefixList_01
 deny prefix-list 1 192.163.0.0/16 ge 17 le 17
!
bgp ip-prefix-list test
 deny prefix-list 1 168.192.13.0/24
 permit prefix-list 2 172.122.10.0/24
!
bgp community-list test
 permit community expanded 300
 deny community expanded 100
!
bgp community-list test1
 permit community standard no-export
!
--More--
nx9500-6C8809(config)#

Related Commands
no   Removes the specified permit community rule from this community list

28.4.3 no
bgp-community-list-config commands

Removes a deny or permit community rule from this community list

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
no [deny|permit] community expanded <LINE>
no [deny|permit] community standard [AA:NN|internet|local-AS|no-advertise|no-export]

Parameters
no <PARAMETERS>

no <PARAMETERS>   Removes a deny or permit (expanded or standard) community rule from this community list. Specify the rule exactly as it was configured.
                  <LINE> Specify the regular expression associated with an expanded rule.

Example
The following example shows the settings of the community list test before the no command is executed:
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 permit community expanded 300
 deny community expanded 100
nx9500-6C8809(config-bgp-community-list-test)#
nx9500-6C8809(config-bgp-community-list-test)#no deny community expanded 100

The following example shows the settings of the community list test after the no command is executed:
nx9500-6C8809(config-bgp-community-list-test)#show context
bgp community-list test
 permit community expanded 300
nx9500-6C8809(config-bgp-community-list-test)#
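An added Python example, not code from this guide or from the WiNG software, showing how the two rule kinds of a community list evaluate. It encodes `AA:NN` values and the well-known keywords as 32-bit community values (RFC 1997; `internet` = 0 follows the Cisco-style CLI convention and is an assumption here), matches standard rules as a subset test (exact set equality when the route map's `exact-match` option is in effect), matches expanded rules as a regular expression over the rendered community string, and runs the lists `test` and `test1` from the examples above against constructed routes, assuming first-match evaluation with an implicit deny after the last rule. It shows that `deny community expanded 100` also catches a route tagged 65000:1100, and an anchored variant that does not.

```python
import re

# Well-known community values from RFC 1997. "internet" = 0 follows the
# Cisco-style CLI convention; the guide names the keyword but not the value.
WELL_KNOWN = {
    "internet": 0x00000000,
    "no-export": 0xFFFFFF01,
    "no-advertise": 0xFFFFFF02,
    "local-AS": 0xFFFFFF03,
}
WELL_KNOWN_NAMES = {value: name for name, value in WELL_KNOWN.items()}


def parse_community(token):
    """Turn 'AA:NN' or a well-known keyword into the 32-bit attribute value."""
    if token in WELL_KNOWN:
        return WELL_KNOWN[token]
    aa, nn = (int(part) for part in token.split(":"))
    if not (0 <= aa <= 0xFFFF and 0 <= nn <= 0xFFFF):
        raise ValueError(f"community out of range: {token}")
    return (aa << 16) | nn


def render_community(value):
    """Render a value the way an expanded (regex) rule sees it."""
    return WELL_KNOWN_NAMES.get(value, f"{value >> 16}:{value & 0xFFFF}")


def standard_rule_matches(rule_tokens, route_communities, exact=False):
    """Standard rule: every listed community must be present on the route.
    With exact-match (the route-map option) the two sets must be identical."""
    wanted = {parse_community(token) for token in rule_tokens}
    have = set(route_communities)
    return wanted == have if exact else wanted <= have


def expanded_rule_matches(regex, route_communities):
    """Expanded rule: the regex is searched in the space-separated community string."""
    text = " ".join(render_community(c) for c in sorted(route_communities))
    return re.search(regex, text) is not None


def evaluate_community_list(rules, route_communities, exact=False):
    """rules: (action, "standard"|"expanded", spec) in configured order.
    First match wins; a route matching no rule is denied (assumed implicit deny)."""
    for action, kind, spec in rules:
        if kind == "standard":
            hit = standard_rule_matches(spec, route_communities, exact)
        else:
            hit = expanded_rule_matches(spec, route_communities)
        if hit:
            return action
    return "deny"


# Lists "test" and "test1" as they appear in the show context output above.
TEST_LIST = [("permit", "expanded", "300"), ("deny", "expanded", "100")]
TEST1_LIST = [("permit", "standard", ["no-export"])]
# A tightened form of "test" (constructed): anchor the value, then permit the rest.
ANCHORED_LIST = [("deny", "expanded", r"(^| )65000:100( |$)"), ("permit", "expanded", ".*")]


def demo():
    r_100 = {parse_community("65000:100")}
    r_1100 = {parse_community("65000:1100")}
    r_300 = {parse_community("300:1")}
    r_noexp = {parse_community("no-export"), parse_community("65000:10")}
    return {
        "65000:100 vs test": evaluate_community_list(TEST_LIST, r_100),
        "65000:1100 vs test": evaluate_community_list(TEST_LIST, r_1100),
        "300:1 vs test": evaluate_community_list(TEST_LIST, r_300),
        "65000:1100 vs anchored": evaluate_community_list(ANCHORED_LIST, r_1100),
        "65000:100 vs anchored": evaluate_community_list(ANCHORED_LIST, r_100),
        "no-export+65000:10 vs test1": evaluate_community_list(TEST1_LIST, r_noexp),
        "same with exact-match": evaluate_community_list(TEST1_LIST, r_noexp, exact=True),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:30s} -> {verdict}")
```

The expanded form matches text, not values: `100` is found inside `65000:100`, `65000:1100` and `100:5` alike. When the intent is one specific community, a standard rule with the exact `AA:NN` value is the safer choice; when a pattern is really needed, anchor it as `ANCHORED_LIST` does.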
28.5 bgp-extcommunity-list-config commands
BORDER GATEWAY PROTOCOL

Creates and configures a named extended community list

A BGP extended community is a group of routes sharing a common attribute, regardless of their network or physical boundary. By using a BGP extended community attribute, routing policies can implement inbound or outbound route filters based on the extended community tag, rather than a long list of individual permit or deny rules.

A BGP extended community list is used to create groups of communities to use in a match clause of a route map. An extended community list is used to control which routes are accepted, preferred, distributed, or advertised.

The BGP extended community and standard community attributes are identical in function and structure, except that the former is an eight-octet and the latter a four-octet attribute.

BGP extended community lists are used as match clauses in the following context:
BGP route map context. For more information, see match.

To navigate to the extended community configuration instance, use the following command:

<DEVICE>(config)#bgp extcommunity-list <EXTCOMMUNITY-LIST-NAME>
<DEVICE>(config-bgp-extcommunity-list-<EXTCOMMUNITY-LIST-NAME>)#?
BGP Extcommunity List Mode commands:
  deny      Add a BGP Community List deny rule to specify an extcommunity to reject
  no        Negate a command or set its defaults
  permit    Add a BGP Community List permit rule to specify an extcommunity to accept

  clrscr    Clears the display screen
  commit    Commit all changes made in this session
  do        Run commands from Exec mode
  end       End current mode and change to EXEC mode
  exit      End current mode and down to previous mode
  help      Description of the interactive help system
  revert    Revert changes
  service   Service Commands
  show      Show running system information
  write     Write running configuration to memory or terminal

<DEVICE>(config-bgp-extcommunity-list-<EXTCOMMUNITY-LIST-NAME>)#

The following table summarizes the BGP extended community list configuration commands:

Table 28.5 BGP-Extcommunity-List-Config Commands

Command   Description                                                                                Reference
deny      Creates and configures a deny extended community (expanded or standard) rule               page 28-23
permit    Creates and configures a permit extended community (expanded or standard) rule             page 28-25
no        Removes an existing deny or permit extended community rule from this extcommunity list     page 28-27

28.5.1 deny
bgp-extcommunity-list-config commands

Creates and configures a deny extended community (expanded or standard) rule

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
deny extcommunity [expanded|standard]
deny extcommunity expanded <LINE>
deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

Parameters
deny extcommunity expanded <LINE>

deny extcommunity expanded <LINE>   Configures a deny expanded named extended community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the extended community attributes.
                                    <LINE> Provide the regular expression.

deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

deny extcommunity standard [rt|soo] <COMMUNITY-NUMBER>   Configures a deny standard named extended community list entry and associates it with a route target or site-of-origin attribute value.
    rt    Matches the route target (RT) extended community attribute
    soo   Matches the site-of-origin (SOO) extended community attribute
    <COMMUNITY-NUMBER> Specify the community number in one of the following formats: AA:NN or A.B.C.D:NN. The rt and soo keywords select different attribute types: a rule for rt 200:12 does not match a route carrying soo 200:12.

Example
nx9500-6C8809(config-bgp-extcommunity-list-test)#deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
!
version 2.5
!
......................................................
!
bgp community-list test1
 permit community standard no-export
!
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
!
--More--
nx9500-6C8809(config)#

Related Commands
no   Removes the specified deny extended community rule from this extcommunity list

28.5.2 permit
bgp-extcommunity-list-config commands

Creates and configures a permit extended community (expanded or standard) rule

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
permit extcommunity [expanded|standard]
permit extcommunity expanded <LINE>
permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

Parameters
permit extcommunity expanded <LINE>

permit extcommunity expanded <LINE>   Configures a permit expanded named extended community list entry and associates it with a regular expression to match. The regular expression represents the patterns to match in the extended community attributes.
                                      <LINE> Provide the regular expression.

permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

permit extcommunity standard [rt|soo] <COMMUNITY-NUMBER>   Configures a permit standard named extended community list entry and associates it with a route target or site-of-origin attribute value.
    rt    Matches the RT extended community attribute
    soo   Matches the SOO extended community attribute
    <COMMUNITY-NUMBER> Specify the community number in one of the following formats: AA:NN or A.B.C.D:NN

Example
nx9500-6C8809(config-bgp-extcommunity-list-test)#permit extcommunity standard rt 192.168.13.13:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
nx9500-6C8809(config)#show context
!
! Configuration of NX9500 version 5.9.1.0-026R
!
!
version 2.5
!
......................................................
!
bgp community-list test1
 permit community standard no-export
!
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
!
--More--
nx9500-6C8809(config)#

Related Commands
no   Removes the specified permit extended community rule from this extcommunity list

28.5.3 no
bgp-extcommunity-list-config commands

Removes an existing deny or permit extended community rule from this extcommunity list

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
no [deny|permit] extcommunity expanded <LINE>
no [deny|permit] extcommunity standard [rt|soo] <COMMUNITY-NUMBER>

Parameters
no <PARAMETERS>

no <PARAMETERS>   Removes a deny or permit (expanded or standard) extended community rule from this extcommunity list. Specify the rule exactly as it was configured.

Example
The following example shows the extended community list test settings before the no command is executed:
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 permit extcommunity standard rt 192.168.13.13:12
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
nx9500-6C8809(config-bgp-extcommunity-list-test)#no permit extcommunity standard rt 192.168.13.13:12

The following example shows the extended community list test settings after the no command is executed:
nx9500-6C8809(config-bgp-extcommunity-list-test)#show context
bgp extcommunity-list test
 deny extcommunity standard rt 200:12
nx9500-6C8809(config-bgp-extcommunity-list-test)#
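The section above states that an extended community is an eight-octet attribute and that a value is written either as AA:NN or A.B.C.D:NN. This added Python example (not code from this guide or from the WiNG software) encodes rt and soo values the way RFC 4360 lays them out: the type byte distinguishes the two textual forms and the sub-type byte distinguishes rt from soo. That the device uses exactly this encoding is an assumption. It then evaluates the list `test` from the examples above, assuming first-match evaluation with an implicit deny after the last rule, and shows that a rule for `rt 200:12` does not match a route carrying `soo 200:12`.

```python
import ipaddress
import struct

# RFC 4360 type and sub-type bytes. The guide only names the rt/soo keywords
# and the two textual formats; that the device encodes them this way is an
# assumption.
TWO_OCTET_AS, IPV4_ADDRESS = 0x00, 0x01
SUBTYPE = {"rt": 0x02, "soo": 0x03}
SUBTYPE_NAMES = {value: name for name, value in SUBTYPE.items()}


def encode_extcommunity(kind, text):
    """Encode e.g. ('rt', '200:12') or ('soo', '192.168.13.13:12') as 8 octets."""
    global_admin, local_admin = text.rsplit(":", 1)
    local = int(local_admin)
    if "." in global_admin:
        # A.B.C.D:NN -> type 0x01: 4-octet IPv4 address + 2-octet local admin
        return struct.pack("!BBIH", IPV4_ADDRESS, SUBTYPE[kind],
                           int(ipaddress.IPv4Address(global_admin)), local)
    # AA:NN -> type 0x00: 2-octet AS number + 4-octet local admin
    return struct.pack("!BBHI", TWO_OCTET_AS, SUBTYPE[kind], int(global_admin), local)


def decode_extcommunity(raw):
    """Inverse of encode_extcommunity: returns (kind, text)."""
    kind = SUBTYPE_NAMES[raw[1]]
    if raw[0] == IPV4_ADDRESS:
        _, _, ip, local = struct.unpack("!BBIH", raw)
        return kind, f"{ipaddress.IPv4Address(ip)}:{local}"
    _, _, asn, local = struct.unpack("!BBHI", raw)
    return kind, f"{asn}:{local}"


def standard_rule_matches(rule_kind, rule_text, route_extcommunities):
    """A standard rule matches when the route carries that exact 8-octet value,
    so the rt/soo sub-type is part of the comparison."""
    return encode_extcommunity(rule_kind, rule_text) in route_extcommunities


def evaluate_extcommunity_list(rules, route_extcommunities):
    """rules: (action, kind, text) in configured order. First match wins;
    a route matching no rule is denied (assumed implicit deny)."""
    for action, kind, text in rules:
        if standard_rule_matches(kind, text, route_extcommunities):
            return action
    return "deny"


# extcommunity-list "test" as shown by "show context" above.
TEST_LIST = [("permit", "rt", "192.168.13.13:12"), ("deny", "rt", "200:12")]


def demo():
    rt_200_12 = {encode_extcommunity("rt", "200:12")}
    soo_200_12 = {encode_extcommunity("soo", "200:12")}
    rt_by_ip = {encode_extcommunity("rt", "192.168.13.13:12")}
    return {
        "rt 200:12 vs test": evaluate_extcommunity_list(TEST_LIST, rt_200_12),
        "rt 192.168.13.13:12 vs test": evaluate_extcommunity_list(TEST_LIST, rt_by_ip),
        "soo 200:12 vs test": evaluate_extcommunity_list(TEST_LIST, soo_200_12),
        "rt rule vs soo value": standard_rule_matches("rt", "200:12", soo_200_12),
    }


if __name__ == "__main__":
    print(encode_extcommunity("rt", "200:12").hex())
    for case, verdict in demo().items():
        print(f"{case:30s} -> {verdict}")
```

`rt 200:12` and `rt 192.168.13.13:12` are both eight octets but differ in the type byte, so a list entry written in one form never matches a value carried in the other, even when the numbers happen to coincide.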
28.6 bgp-route-map-config commands
BORDER GATEWAY PROTOCOL

BGP route maps are used to control and modify routing information. A BGP route map is a collection of deny and/or permit route rules that define and control redistribution of routes between routers and routing processes. Each rule consists of match criteria and set lines. If a route matches a rule's criteria, the corresponding set lines are applied, and the route is passed to the BGP table or to the neighbor, depending on whether the route map is applied to incoming or outgoing route updates.

Use the (config) instance to configure BGP route map related parameters. To navigate to this instance, use the following command:

<DEVICE>(config)#route-map <ROUTE-MAP-NAME>

<DEVICE>(config)#route-map test
<DEVICE>(config-dr-route-map-test)#?
Route Map Mode commands:
  deny      Add a deny route map rule to deny set operations
  no        Negate a command or set its defaults
  permit    Add a permit route map rule to permit set operations

  clrscr    Clears the display screen
  commit    Commit all changes made in this session
  do        Run commands from Exec mode
  end       End current mode and change to EXEC mode
  exit      End current mode and down to previous mode
  help      Description of the interactive help system
  revert    Revert changes
  service   Service Commands
  show      Show running system information
  write     Write running configuration to memory or terminal

<DEVICE>(config-dr-route-map-test)#

In the route-map configuration mode, use the following commands to create and configure a deny or permit route map rule:

<DEVICE>(config-dr-route-map-test)#deny route-map <1-65535>
<DEVICE>(config-dr-route-map-test)#permit route-map <1-65535>

For example:

<DEVICE>(config-dr-route-map-test)#permit route-map 1
<DEVICE>(config-dr-route-map-test)#deny route-map 2
<DEVICE>(config-dr-route-map-test)#show context
route-map test
 permit route-map 1
 deny route-map 2
<DEVICE>(config-dr-route-map-test)#

Creating or entering a rule places the CLI in the route map rule configuration mode:

<DEVICE>(config-dr-route-map-test-dr-route-map-rule-1)#?
Route Map Rule Mode commands:
  description   Configure comment for this route map
  match         Match values from routing table
  no            Negate a command or set its defaults
  set           Set values in destination routing protocol

  clrscr        Clears the display screen
  commit        Commit all changes made in this session
  do            Run commands from Exec mode
  end           End current mode and change to EXEC mode
  exit          End current mode and down to previous mode
  help          Description of the interactive help system
  revert        Revert changes
  service       Service Commands
  show          Show running system information
  write         Write running configuration to memory or terminal

<DEVICE>(config-dr-route-map-test-dr-route-map-rule-1)#

The following table summarizes BGP deny/permit route map rule configuration mode commands:

Table 28.6 BGP-Route-Map-Config-Mode Commands

Command       Description                                                                                                                             Reference
description   Configures a description for this route-map rule (deny or permit) that uniquely distinguishes it from others with similar access permissions   page 28-30
match         Configures the match criteria associated with this deny or permit BGP route map rule                                                     page 28-31
no            Removes or reverts the settings defined for a deny or permit route-map rule                                                              page 28-34
set           Configures the values applied to a route matching the match criteria specified in the BGP deny or permit route-map rule                  page 28-35

28.6.1 description
bgp-route-map-config commands

Configures a description for this route map rule (deny or permit) that uniquely distinguishes it from others with similar access permissions

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
description <LINE>

Parameters
description <LINE>

description <LINE>   Provide a description for the route map rule (should not exceed 64 characters in length)

Example
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#description "This is a deny route map rule"
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
deny route-map 1
 description "This is a deny route map rule"
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

Related Commands
no   Removes this deny/permit route-map rule's description

28.6.2 match
bgp-route-map-config commands

Configures the match criteria associated with this deny or permit BGP route map rule

Supported in the following platforms:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX9500, NX9510, NX9600

Syntax
match [as-path|community|extcommunity|ip-address|ip-next-hop|ip-route-source|metric|origin|tag]
match [as-path <AS-PATH-LIST-NAME>|community <COMMUNITY-LIST-NAME> {exact-match}|extcommunity <EXTCOMMUNITY-LIST-NAME>]
match [ip-address|ip-next-hop|ip-route-source] [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]
match metric <0-4294967295>
match origin [egp|igp|incomplete]
match tag <0-65535>

Parameters
match [as-path <AS-PATH-LIST-NAME>|community <COMMUNITY-LIST-NAME> {exact-match}|extcommunity <EXTCOMMUNITY-LIST-NAME>]

as-path <AS-PATH-LIST-NAME>   Configures a BGP AS path list to match. An AS path is the list of ASs a route has traversed to reach this router.
                              <AS-PATH-LIST-NAME> Specify the AS path list name (should be existing and configured).

community <COMMUNITY-LIST-NAME> {exact-match}   Configures the BGP community list to match.
                              <COMMUNITY-LIST-NAME> Specify the community list name (should be existing and configured).
                              exact-match Optional. Matches only if the route's community attribute contains exactly the communities given in the list entry and no others. This option is disabled by default; without it, a route carrying additional communities still matches.

extcommunity <EXTCOMMUNITY-LIST-NAME>   Configures the extended community list to match.
                              <EXTCOMMUNITY-LIST-NAME> Specify the extended community list name (should be existing and configured).

match [ip-address|ip-next-hop|ip-route-source] [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]

ip-address [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]   Configures the destination prefix to match. The route's own prefix is checked against the referenced list. Use one of the following options to provide the list of addresses:
    BGP-IP-ACCESS-LIST <BGP-ACL-NAME>   Associates an existing BGP ACL with this BGP route map rule. Specify the BGP ACL name (should be existing and configured).
    prefix-list <PREFIX-LIST-NAME>      Associates an existing IP address prefix list with this BGP route map rule. The prefix list is a list of prefixes used to filter the route. Specify the prefix list name (should be existing and configured).

ip-next-hop [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]   Configures the next-hop IP address to match. The route's next-hop address is checked against the referenced list. Use one of the following options to provide next-hop IP addresses:
    BGP-IP-ACCESS-LIST <BGP-ACL-NAME>   Associates an existing BGP ACL with this BGP route map rule. Specify the BGP ACL name (should be existing and configured).
    prefix-list <PREFIX-LIST-NAME>      Associates an existing IP next-hop prefix list with this BGP route map rule. The prefix list is a list of prefixes for the route's next hop that determines how the route is filtered. Specify the prefix list name (should be existing and configured).

ip-route-source [BGP-IP-ACCESS-LIST <BGP-ACL-NAME>|prefix-list <PREFIX-LIST-NAME>]   Configures the advertised route source IP address to match. The route source is the address of the peer that advertised the route; it is checked against the referenced list. Use one of the following options to provide route source IP addresses:
    BGP-IP-ACCESS-LIST <BGP-ACL-NAME>   Associates an existing BGP ACL with this BGP route map rule. Specify the BGP ACL name (should be existing and configured).
    prefix-list <PREFIX-LIST-NAME>      Associates an existing IP route source prefix list with this BGP route map rule. The prefix list is a list of prefixes used to filter routes based on their source. Specify the prefix list name (should be existing and configured).

match metric <0-4294967295>

match metric <0-4294967295>   Matches routes whose metric (for BGP, the multi-exit discriminator, MED) equals the specified value. BGP compares the metric between routes to the same destination learned from the same neighboring AS, so matching on it lets a route map select among otherwise equal paths.
                              <0-4294967295> Specify the metric value from 0 - 4294967295.

match origin [egp|igp|incomplete]

match origin [egp|igp|incomplete]   Configures the ORIGIN attribute value of the BGP route to match. Options include:
    egp          Matches if the route's origin is EGP: the prefix was learned through the Exterior Gateway Protocol
    igp          Matches if the route's origin is IGP: the prefix is interior to the originating AS, for example injected into BGP with a network statement
    incomplete   Matches if the route's origin is INCOMPLETE: the prefix was learned by other means, typically redistribution from another routing protocol

match tag <0-65535>

match tag <0-65535>   Configures the route tag to match. A tag is a value carried with a route when it is redistributed between routing processes; it can be used to preserve a route's AS information for routers in iBGP. This option is disabled by default.
                      <0-65535> Specify the tag value from 0 - 65535.

Example
The following examples show the configuration of match criteria for the deny route-map rule 1:
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#match as-path FilterList_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#match ip-route-source prefix-list PrefixList_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
deny route-map 1
 description "This is a deny route map rule"
 match as-path FilterList_01
 match ip-route-source prefix-list PrefixList_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

A permit route-map rule 2 is added to the BGP route-map test:
nx9500-6C8809(config-dr-route-map-test)#permit route-map 2

A match criterion is added for the permit route-map rule 2:
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-2)#match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-2)#show context
permit route-map 2
 match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-2)#

The following example displays the BGP route-map test settings:
nx9500-6C8809(config-dr-route-map-test)#show context
route-map test
 deny route-map 1
  description "This is a deny route map rule"
  match as-path FilterList_01
  match ip-route-source prefix-list PrefixList_01
 permit route-map 2
  match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test)#
Related Commands
no    Removes match criteria associated with a deny or permit route-map rule

28.6.3 no bgp-route-map-config commands
Removes or reverts the settings defined for a deny or permit route-map rule
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
no [description|match <PARAMETERS>|set <PARAMETERS>]

Parameters
no <PARAMETERS>
    Removes the description, a match criterion, or a set attribute configured for a deny or permit route-map rule

Example
The following example shows the deny route-map rule-1 settings before the no commands are executed:

nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
  match as-path FilterList_01
  match ip-route-source prefix-list PrefixList_01
  set aggregator-as 1 192.168.13.7
  set as-path exclude 20
  set ip next-hop peer-address
  set metric 300
  set local-preference 30
  set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no match as-path
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no set aggregator-as
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#no set metric

The following example shows the deny route-map rule-1 settings after the no commands are executed:

nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
  match ip-route-source prefix-list PrefixList_01
  set as-path exclude 20
  set ip next-hop peer-address
  set local-preference 30
  set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#

The following example shows the route-map test settings:

nx9500-6C8809(config-dr-route-map-test)#show context
route-map test
 deny route-map 1
  description "This is a deny route map rule"
  match ip-route-source prefix-list PrefixList_01
  set as-path exclude 20
  set ip next-hop peer-address
  set local-preference 30
  set community internet
 permit route-map 2
  match ip-next-hop DL_01
nx9500-6C8809(config-dr-route-map-test)#
28.6.4 set bgp-route-map-config commands
Configures the values attributed to a route matching the match criteria specified in the BGP deny or permit route-map rules. These attributes are applied before the route is sent out.
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
set [aggregator-as|as-path|atomic-aggregate|comm-list|community|extcommunity|ip|local-preference|metric|origin|originator-id|source-ip|tag|weight]
set aggregator-as <1-4294967295> <IP>
set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}
set atomic-aggregate
set comm-list delete <COMMUNITY-LIST-NAME>
set community [<COMMUNITY-NUMBER>|none]
set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>
set ip next-hop [<IP>|peer-address]
set local-preference <0-4294967295>
set metric <0-4294967295>
set origin [egp|igp|incomplete]
set originatorid <IP>
set source-ip <IP>
set tag <0-65535>
set weight <0-4294967295>

Parameters
set aggregator-as <1-4294967295> <IP>
    Configures the BGP aggregator's ASN and IP address. Aggregates minimize the size of routing tables. Aggregation combines the characteristics of multiple routes and advertises them as a single route. The configured BGP aggregator settings are applied to filtered routes.
    <1-4294967295>    Specify the route aggregator's ASN from 1 - 4294967295. This option is disabled by default.
    <IP>              Specify the route aggregator's IP address. BGP allows the aggregation of specific routes into one route using an aggregate IP address.

set as-path [exclude|prepend] <1-4294967295> {<1-4294967295>}
    Configures the BGP transform AS path attribute to be applied to filtered routes.
    exclude           Configures a single AS, or a list of ASs, excluded from the AS path
    prepend           Configures a single AS, or a list of ASs, prepended to the AS path
    <1-4294967295>    This keyword is common to the exclude and prepend parameters. Use it to specify the AS number. The ASs identified here are excluded or prepended depending on the option selected. You can configure multiple ASNs.

set atomic-aggregate
    Enables the BGP atomic aggregate attribute. When a BGP enabled wireless controller or service platform receives a set of overlapping routes from a peer, or if the set of routes selects a less specific route, then the local device must set this value when propagating the route to its neighbors. This option is disabled by default.

set comm-list delete <COMMUNITY-LIST-NAME>
    Deletes specified BGP communities. All communities matching the community list name string are deleted from the route. A BGP community is a group of routes sharing a common attribute.
    <COMMUNITY-LIST-NAME>    Specify the community list name.

set community [<COMMUNITY-NUMBER>|none]
    Configures a community attribute for this route
    <COMMUNITY-NUMBER>    Specify a community attribute. Use one of the following formats:
        internet - Advertises this route to the Internet. This is a global community.
        local-AS - Prevents the transmission of packets outside the local AS
        no-advertise - Prevents advertisement of this route to any peer, either internal or external
        no-export - Prevents advertisement of this route to BGP peers, keeping this route within an AS.
        aa:nn - Configures the first part (aa) representing the AS number. The second part (nn) represents a 2-byte number.
    none                  Specifies the community attribute as none

set extcommunity [rt|soo] <EXTCOMMUNITY-NUMBER>
    Configures an extended community attribute for this route
    rt     Identifies the route target (rt) extended community
    soo    Identifies the site-of-origin (soo) community. This is the origin community associated with the route reflector.
    <EXTCOMMUNITY-NUMBER>    This keyword is common to the rt and soo parameters. Use it to specify the extended community number.

set ip next-hop [<IP>|peer-address]
    Configures the next hop for this route. Use one of the following options to identify the next hop:
    <IP>            Specify the next hop's IP address
    peer-address    Enables the identification of the next-hop address for peer devices. This option is disabled by default

set local-preference <0-4294967295>
    Configures the BGP local preference path attribute for this route map. When configured, enables the communication of preferred routes out of the AS between peers. This option is disabled by default
    <0-4294967295>    Specify the preference value from 0 - 4294967295.

set metric <0-4294967295>
    Configures a metric for the route. BGP uses a route table managed by the external metric defined. Setting a metric provides a dynamic way to load balance between routes of equal cost.
    <0-4294967295>    Specify the metric from 0 - 4294967295.

set origin [egp|igp|incomplete]
    Configures the origin code for this BGP route map
    egp - Sets the origin of the route to eBGP
    igp - Sets the origin of the route to iBGP
    incomplete - Sets the origin of the route as not identifiable. Use this option if the route is from a source other than eBGP or iBGP.

set originatorid <IP>
    Configures this route map's originator IP address

set source-ip <IP>
    Configures this route map's source IP address
    <IP>    Specify the IP address in the A.B.C.D format.

set tag <0-65535>
    Configures this route map's tag value. The tag is a way to preserve a route's AS path information for routers in iBGP.
    <0-65535>    Specify a tag value from 0 - 65535.

set weight <0-4294967295>
    Enables assignment of a weighted priority to the aggregate route
    <0-4294967295>    Specify a value from 0 - 4294967295.

Example
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set aggregator-as 1 192.168.13.7
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set as-path exclude 20
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set ip next-hop peer-address
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set local-preference 30
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#set metric 300
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#show context
 deny route-map 1
  description "This is a deny route map rule"
  match as-path FilterList_01
  match ip-route-source prefix-list PrefixList_01
  set aggregator-as 1 192.168.13.7
  set as-path exclude 20
  set ip next-hop peer-address
  set metric 300
  set local-preference 30
  set community internet
nx9500-6C8809(config-dr-route-map-test-dr-route-map-rule-1)#
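The sections above describe match criteria, the deny/permit action and the set actions of a route-map rule but never show the three working together on a route. The following is an added example (not WiNG code and not from this guide) that models that evaluation: rules are tried in sequence order, the first rule whose match criteria all hold decides the outcome, a deny drops the route, a permit keeps it and applies the rule's set actions, and a route matching no rule is dropped. The class and field names, and the regular expression standing in for the as-path filter list FilterList_01, are this example's own assumptions.

```python
"""Route-map evaluation model.

Added example, not WiNG code: it models how the deny/permit route-map rules
above are applied to a BGP route. Rules are tried in sequence-number order,
the first rule whose match criteria all hold decides (deny drops the route,
permit keeps it and applies the rule's set actions), and a route matching no
rule is dropped. Field names and the regex stand-in for the as-path filter
list are this example's own assumptions.
"""
from dataclasses import dataclass, field, replace
import re


@dataclass
class Route:
    prefix: str
    as_path: list                      # AS numbers, nearest neighbour first
    next_hop: str
    origin: str = "igp"                # igp | egp | incomplete
    tag: int = 0
    metric: int = 0
    local_pref: int = 100
    communities: list = field(default_factory=list)


@dataclass
class Rule:
    seq: int
    action: str                        # "deny" or "permit"
    match: dict = field(default_factory=dict)
    set: dict = field(default_factory=dict)


def matches(rule, route):
    """All configured match criteria must hold (they are ANDed)."""
    m = rule.match
    if "as_path_regex" in m and not re.search(m["as_path_regex"], " ".join(map(str, route.as_path))):
        return False
    if "next_hop" in m and route.next_hop != m["next_hop"]:
        return False
    if "origin" in m and route.origin != m["origin"]:
        return False
    if "tag" in m and route.tag != m["tag"]:
        return False
    return True


def apply_set(rule, route, peer_address):
    """Return a copy of the route with the rule's set actions applied."""
    s = rule.set
    r = replace(route, as_path=list(route.as_path), communities=list(route.communities))
    if "as_path_exclude" in s:         # set as-path exclude <ASN> ...
        r.as_path = [asn for asn in r.as_path if asn not in s["as_path_exclude"]]
    if "as_path_prepend" in s:         # set as-path prepend <ASN> ...
        r.as_path = list(s["as_path_prepend"]) + r.as_path
    if "next_hop" in s:                # set ip next-hop [<IP>|peer-address]
        r.next_hop = peer_address if s["next_hop"] == "peer-address" else s["next_hop"]
    if "metric" in s:                  # set metric <0-4294967295>
        r.metric = s["metric"]
    if "local_preference" in s:        # set local-preference <0-4294967295>
        r.local_pref = s["local_preference"]
    if "community" in s:               # set community [<COMMUNITY-NUMBER>|none]
        r.communities = [] if s["community"] == "none" else r.communities + [s["community"]]
    if "origin" in s:                  # set origin [egp|igp|incomplete]
        r.origin = s["origin"]
    if "tag" in s:                     # set tag <0-65535>
        r.tag = s["tag"]
    return r


def apply_route_map(rules, route, peer_address):
    """Return the transformed route, or None when the route is denied."""
    for rule in sorted(rules, key=lambda x: x.seq):
        if matches(rule, route):
            if rule.action == "deny":
                return None
            return apply_set(rule, route, peer_address)
    return None                        # no matching rule: implicit deny


# Constructed route map modelled on the "test" route map shown above: rule 1
# denies routes whose AS path contains AS 65000 (a stand-in for FilterList_01),
# rule 2 permits routes with a given next hop and rewrites their attributes.
ROUTE_MAP_TEST = [
    Rule(1, "deny", match={"as_path_regex": r"\b65000\b"}),
    Rule(2, "permit", match={"next_hop": "10.0.0.2"},
         set={"as_path_exclude": [20], "next_hop": "peer-address",
              "metric": 300, "local_preference": 30, "community": "internet"}),
]
PEER_ADDRESS = "192.168.13.99"         # constructed neighbour address


def demo():
    """Run three constructed routes through ROUTE_MAP_TEST."""
    return {
        "denied_by_rule_1": apply_route_map(ROUTE_MAP_TEST, Route("10.1.0.0/16", [65000, 20, 30], "10.0.0.2"), PEER_ADDRESS),
        "permitted_by_rule_2": apply_route_map(ROUTE_MAP_TEST, Route("10.2.0.0/16", [10, 20, 30], "10.0.0.2"), PEER_ADDRESS),
        "implicitly_denied": apply_route_map(ROUTE_MAP_TEST, Route("10.3.0.0/16", [10, 20], "10.0.0.9"), PEER_ADDRESS),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The permitted route comes back with AS 20 removed from its path, the peer's address as next hop, metric 300, local preference 30 and the internet community appended, which is exactly the attribute set the show context output above lists; the route that matches nothing is dropped, so a route map without a final permit rule is a whitelist.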
Related Commands
no    Removes the attributes configured for this route map

28.7 bgp-router-config commands
Use the (device-config) or (profile-config) instance to configure BGP router related parameters. To navigate to the BGP router configuration instance, in the device-config mode, use the following commands:

<DEVICE>(config)#self
<DEVICE>(config-device-<MAC>)#router bgp
<DEVICE>(config-device <MAC>-router-bgp)#
<DEVICE>(config-device <MAC>-router-bgp)#?
Router BGP Mode commands:
  aggregate-address   Configure aggregate address
  asn                 Configure local Autonomous System Number
  bgp                 Border Gateway Protocol
  bgp-route-limit     Limit for number of routes handled by BGP process
  distance            Configure administrative distance
  ip                  Internet Protocol (IP)
  network             Configure a local network
  no                  Negate a command or set its defaults
  route-redistribute  Redistribute information from another routing protocol
  timers              Adjust routing timers

  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal

<DEVICE>(config-device <MAC>-router-bgp)#

When configured as a profile, the router settings are applied to all devices using the profile. To navigate to the BGP router configuration instance, in the profile-config mode, use the following commands:

<DEVICE>(config)#profile <DEVICE-TYPE> <PROFILE-NAME>
<DEVICE>(config-profile-<PROFILE-NAME>)#router bgp
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#
<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#?
Router BGP Mode commands:
  aggregate-address   Configure aggregate address
  asn                 Configure local Autonomous System Number
  bgp                 Border Gateway Protocol
  bgp-route-limit     Limit for number of routes handled by BGP process
  distance            Configure administrative distance
  ip                  Internet Protocol (IP)
  network             Configure a local network
  no                  Negate a command or set its defaults
  route-redistribute  Redistribute information from another routing protocol
  timers              Adjust routing timers

  clrscr              Clears the display screen
  commit              Commit all changes made in this session
  do                  Run commands from Exec mode
  end                 End current mode and change to EXEC mode
  exit                End current mode and down to previous mode
  help                Description of the interactive help system
  revert              Revert changes
  service             Service Commands
  show                Show running system information
  write               Write running configuration to memory or terminal

<DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#
The following table summarizes BGP router configuration mode commands:

Table 28.7 BGP-Router-Config-Mode Commands

Command             Description                                                                      Reference
aggregate-address   Creates and configures an aggregate address entry in the BGP database            page 28-41
asn                 Configures this BGP router's ASN                                                 page 28-42
bgp                 Configures BGP router parameters                                                 page 28-43
bgp-route-limit     Configures the BGP route limit parameters                                        page 28-48
distance            Configures administrative distance parameters                                    page 28-49
ip                  Configures the BGP default gateway's priority                                    page 28-50
network             Configures the local network IP addresses and masks                              page 28-51
no                  Removes the BGP router settings                                                  page 28-52
route-redistribute  Enables redistribution of routes learnt from other routing protocols into BGP    page 28-53
timers              Enables adjustment of keepalive and holdtime intervals                           page 28-55

28.7.1 aggregate-address bgp-router-config commands
Creates and configures an aggregate address entry in the BGP database
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
aggregate-address <IP/M> {as-set {summary-only}|summary-only}

Parameters
aggregate-address <IP/M> {as-set {summary-only}|summary-only}
    <IP/M>          Specify the aggregate IP address and mask
    as-set          Optional. Summarizes the AS_PATH attributes of the individual routes aggregated
    summary-only    Optional. Filters more specific routes from updates

Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#aggregate-address 192.168.13.10/32 as-set summary-only
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 192.168.13.10/32 as-set summary-only
  bgp neighbor 192.168.13.199
   remote-as 1
   use route-map UnSupMap_01 in
  bgp neighbor 192.168.13.99
   remote-as 199
   timers connect 10
   timers 20 40
   maximum-prefix 9999 80 restart 50
  bgp neighbor 1.1.1.1
   remote-as 2
   timers connect 10
   timers 20 40
   maximum-prefix 1000000
  bgp-route-limit num-routes 10 reset-time 360
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#

Related Commands
no    Removes the aggregate address entry

28.7.2 asn bgp-router-config commands
Configures the ASN. The ASN represents a group of routers under the same administration and using IGP and common metrics to define how to route packets. In short, the ASN represents all routers within an AS.
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
asn <1-4294967295>

Parameters
asn <1-4294967295>
    <1-4294967295>    Specify the ASN from 1 - 4294967295.

Example
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#asn 1
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#show context
 router bgp
  asn 1
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#
28.7.3 bgp bgp-router-config commands
Configures BGP router parameters
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
bgp [always-compare-med|bestpath|client-to-client|cluster-id|confederation|dampening|default|deterministic-med|enable|enforce-first-as|fast-external-failover|graceful-restart|log-neighbor-changes|neighbor|network|router-id|scan-time]
bgp [always-compare-med|deterministic-med|enable|enforce-first-as|fast-external-failover|log-neighbor-changes]
bgp best-path [as-path [confed|ignore]|compare-router-id|med {confed {missing-as-worst}|missing-as-worst}]
bgp client-to-client reflection
bgp cluster <IP>
bgp confederation [identifier|peers] <1-4294967295>
bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>
bgp default [ipv4-unicast|local-preference <0-4294967295>]
bgp graceful-restart {stalepath-time <1-3600>}
bgp neighbor <IP>
bgp network import-check
bgp router-id <IP>
bgp scan-time <5-60>

Parameters
bgp [always-compare-med|deterministic-med|enable|enforce-first-as|fast-external-failover|log-neighbor-changes]
always-compare-med
    Enables comparison of Multi-exit Discriminators (MEDs) received from neighbors. This option is disabled by default. MED is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared when selecting the best route to the host network. A route with a lower MED value is preferred over a route with a higher MED value. BGP does not discriminate between iBGP and eBGP when using MED for route selection. This option is mutually exclusive to the deterministic-med option.
deterministic-med
    Enables selection of the best MED path from amongst all paths advertised by neighboring ASs. This option is disabled by default. MED is used by BGP peers to select the best route among multiple routes. When enabled, MED route values (from the same AS) are compared to select the best route. This best route is then compared with other routes in the BGP route table to select the best overall route. This option is mutually exclusive to the always-compare-med option.
enable
    Starts the BGP daemon on the device (wireless controller or service platform). BGP is disabled by default.
enforce-first-as
    Enforces the first AS for all BGP routes. This option is disabled by default. When enforced, devices deny updates received from an external neighbor that does not have the neighbor's configured AS at the beginning of the received AS path parameter. This enhances security by not allowing traffic from an unauthorized AS.
fast-external-failover
    Enables immediate resetting of the BGP session on the interface once the BGP connection goes down. This option is enabled by default. When enabled, a session is reset as soon as the direct link to an external peer goes down. Normally, when a BGP connection goes down, the device waits for the expiry of the duration specified in the holdtime parameter before bringing down the interface. To configure the holdtime, use the timers > bgp > <keepalive-time> > <holdtime> command in this (BGP router) configuration mode.
log-neighbor-changes
    Enables logging of a BGP neighbor's status change (active or not active) events. It also enables the logging of the reason for such a change in status.

bgp best-path [as-path [confed|ignore]|compare-router-id|med {confed {missing-as-worst}|missing-as-worst}]
best-path
    Modifies the bestpath selection algorithm. The route selection algorithm uses the following criteria when selecting the preferred route: as-path, router-id, and med.
    as-path [confed|ignore]
        Enables the AS path to be considered as a criterion for selecting the preferred route
        confed    Enables comparison of path lengths (including confederation sets and sequences) when selecting a route (EXPERIMENTAL). This option is disabled by default.
        ignore    Disables the AS path length from being considered as a criterion for selecting a preferred route. When disabled, the AS path length is ignored. This option is disabled by default.
    compare-router-id
        Enables the use of the router ID as a selection criterion when selecting the preferred route. When enabled, the router ID is used to select the best path between two identical BGP routes. The route with the lower router ID is selected over a route with a higher router ID. This option is disabled by default.
    med {confed {missing-as-worst}|missing-as-worst}
        Enables comparison of the AS path MED value when selecting the preferred route. MED is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared to determine the best route to the host network. A route with a lower MED value is preferred over a route with a higher MED value.
        confed              Optional. Enables comparison of the MED value among confederation paths (EXPERIMENTAL). When enabled, you can optionally enable the treatment of AS paths without the MED value as the least preferable route. This option is disabled by default.
        missing-as-worst    Optional. Enables the treatment of AS paths without the MED value as the least preferable route. This option is disabled by default.

bgp client-to-client reflection
client-to-client reflection
    Enables client-to-client route reflection (EXPERIMENTAL). Route reflectors are used when all iBGP speakers are not fully meshed. If the clients are fully meshed, the route-reflectors are not required. This option is enabled by default.

bgp cluster <IP>
cluster <IP>
    Enables and sets a cluster ID, in case the BGP cluster has more than one route-reflector. A cluster generally consists of a single route-reflector and its clients. The cluster is usually identified by the router ID of this single route-reflector. Sometimes, to increase redundancy, a cluster might have more than one route-reflector configured. In this case, all route-reflectors in the cluster are identified by the cluster ID (configured in the IP format).

bgp confederation [identifier|peers] <1-4294967295>
confederation [identifier|peers] <1-4294967295>
    Configures AS confederation (group of ASs) parameters (identifier and peers)
    identifier    Enables and sets a BGP confederation identifier to allow an AS to be divided into several ASs. In other words, an AS is divided into multiple ASs, and together they form a confederation. This confederation is visible to external routers as a single AS. The ASN is usually the confederation ID. Specify a value from 1 - 4294967295. Forming an AS confederation reduces the iBGP mesh inside an AS.
    peers         Configures the maximum number of the ASs constituting this BGP confederation. Specify the AS number from 1 - 4294967295. Multiple ASs can be added to the list of confederation members.

bgp dampening {<1-45>} {<1-20000>} <1-20000> <1-255>
dampening {<1-45>} {<1-20000>} <1-20000> <1-255>
    Enables dampening and configures dampening parameters. This option is disabled by default. Dampening minimizes the instability caused by route flapping. A penalty is added for every flap of the flapping route. As soon as the total penalty reaches the specified route suppress limit value, the advertisement of this route is suppressed. The penalty halves each time the half lifetime elapses. Once the penalty becomes lower than the value specified as the route reuse limit, the advertisement of the route is un-suppressed.
    <1-45>       Optional. Configures the half lifetime (in minutes). A penalty is imposed on a route that flaps. This is the time for the penalty to decrease to half its current value. Specify a value from 1 - 45 minutes. The default is 1 minute.
    <1-20000>    Optional. Configures the route reuse value. When the penalty for a suppressed route decays below the value specified here, the route is un-suppressed (reused). Specify a value from 1 - 20000.
    <1-20000>    Configures the route suppress value. When a route flaps, a penalty is added to the route. When the penalty reaches or exceeds the value specified here, the route is suppressed, for at most the maximum suppress duration configured by the next parameter of this command (1 - 255 minutes). Specify a value from 1 - 20000.
    <1-255>      Configures the maximum duration, in minutes, a suppressed route is suppressed. This is the maximum duration for which a route remains suppressed before it is reused. Specify a value from 1 - 255 minutes.

bgp default [ipv4-unicast|local-preference <0-4294967295>]
default
    Configures the following defaults for BGP neighbor-related parameters: IPv4 unicast and local preference
    ipv4-unicast                       Enables IPv4 unicast traffic for neighbors. This option is enabled by default.
    local-preference <0-4294967295>    Configures a local preference for the neighbor. The higher the value, the higher the preference.
        <0-4294967295>    Specify a value from 10 - 4294967295.

bgp graceful-restart {stalepath-time <1-3600>}
graceful-restart {stalepath-time <1-3600>}
    Enables graceful restart on this BGP router. This option is disabled by default
    stalepath-time <1-3600>    Optional. Configures the maximum time, in seconds, to retain stale paths from a restarting neighbor. This is the time the paths from a restarting neighbor are preserved. All stale paths, unless reinstated by the neighbor after re-establishment, are deleted at the expiry of the time specified here.
        <1-3600>    Specify a value from 1 - 3600 seconds.

bgp neighbor <IP>
neighbor <IP>
    Configures the BGP neighbor's IP address and enters its configuration mode. Use this command to configure a BGP neighbor's parameters.
    <IP>    Specify the IP address in the A.B.C.D format. For BGP neighbor configuration parameters, see bgp-neighbor-config commands.

bgp network import-check
network import-check
    Enables checking of the existence of the BGP network route in the IGP before importing

bgp router-id <IP>
router-id <IP>
    Enables the device (BGP supported wireless controller or service platform) identified by the <IP> parameter as a router. The router's IP address is configured as its ID and uniquely identifies it. When not specified, the IP address of the interface is configured as the router ID. This option is disabled by default.

bgp scan-time <5-60>
scan-time <5-60>
    Configures the scanning interval, in seconds, for updating BGP routes. This is the interval between two consecutive scans the BGP device performs in order to validate routes in its routing table. To disable scanning, set the value to Zero (0).
    <5-60>    Specify a value from 5 - 60 seconds. The default is 60 seconds.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp)#bgp router-id 192.168.13.13
nx9500-6C8809(config-profile testNX9000-router-bgp)#aggregate-address 116.117.118.0/24 as-set summary-only
nx9500-6C8809(config-profile testNX9000-router-bgp)#bgp neighbor 192.168.13.99
nx9500-6C8809(config-profile testNX9000-router-bgp)#show context
 router bgp
  aggregate-address 116.117.118.0/24 as-set summary-only
  bgp router-id 192.168.13.13
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
nx9500-6C8809(config-profile testNX9000-router-bgp)#
Related Commands
no    Removes the BGP router parameters. The no > bgp > enable command disables BGP.

28.7.4 bgp-route-limit bgp-router-config commands
Configures the BGP route limit parameters
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
bgp-route-limit [num-routes <VALUE>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>]

Parameters
bgp-route-limit [num-routes <VALUE>|reset-time <1-86400>|retry-count <1-32>|retry-timeout <1-3600>]
num-routes <VALUE>
    Configures the number of routes that can be stored on this BGP router. Set this value based on the available memory on this BGP router (wireless controller or service platform).
    <VALUE>    Specify a value from 1 - 4,294,967,295. The default is 9216 routes.
reset-time <1-86400>
    Configures the reset time in seconds. This is the time after which the retry count value is set to Zero (0).
    <1-86400>    Specify a value from 1 - 86,400 seconds. The default is 360 seconds.
retry-count <1-32>
    Configures the maximum number of times the BGP process is reset before being permanently shut down. Once shut down, the BGP process has to be started manually. The BGP process is reset if it is flooded with route entries that exceed the maximum number of routes configured for this device.
    <1-32>    Specify a value from 1 - 32. The default is 5.
retry-timeout <1-3600>
    Configures the duration, in seconds, the BGP process is temporarily shut down before a reset of the process is attempted.
    <1-3600>    Specify a value from 1 - 3600 seconds. The default is 60 seconds.

Example
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#bgp-route-limit num-routes 10
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  bgp-route-limit num-routes 10
nx9500-6C8809(config-profile NX9500Profile-router-bgp)#
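The four bgp-route-limit parameters above describe one protective mechanism against a route flood, but their interplay (reset, retry counter, counter expiry, permanent shutdown) is spread over four table rows. The following is an added example (not WiNG code and not from this guide) that models it as a small state machine: when the process holds more than num-routes routes it is reset, meaning shut down for retry-timeout seconds and then restarted, and a retry counter is incremented; the counter is cleared once reset-time seconds have passed since the last reset; when the counter has already reached retry-count, a further overflow shuts the process down permanently until an operator starts it. The state names, the event model and the exact point at which the counter trips are this example's assumptions; the default values are the ones in the parameter table.

```python
"""bgp-route-limit behaviour model.

Added example, not WiNG code: it models the protection the parameters above
describe. When a BGP process holding more than num-routes routes is detected,
the process is reset (shut down for retry-timeout seconds, then restarted)
and a retry counter is incremented; the counter is cleared once reset-time
seconds have passed since the last reset; when the counter has already
reached retry-count, a further overflow shuts the process down permanently
until an operator starts it. State names, the event model and the exact
point at which the counter trips are this example's assumptions.
"""
from dataclasses import dataclass


@dataclass
class RouteLimit:
    num_routes: int = 9216      # defaults from the parameter table above
    reset_time: int = 360
    retry_count: int = 5
    retry_timeout: int = 60


class BgpProcess:
    RUNNING, RESTARTING, SHUTDOWN = "running", "restarting", "shutdown"

    def __init__(self, limit):
        self.limit = limit
        self.state = self.RUNNING
        self.resets = 0
        self.last_reset_at = None
        self.restart_at = None
        self.log = []

    def tick(self, now):
        """Advance the clock: finish a pending restart, expire the retry counter."""
        if self.state == self.RESTARTING and now >= self.restart_at:
            self.state = self.RUNNING
            self.log.append((now, "restarted"))
        if self.resets and now - self.last_reset_at >= self.limit.reset_time:
            self.resets = 0
            self.log.append((now, "retry counter cleared"))

    def route_count_observed(self, now, count):
        """Report the current number of routes; return the process state afterwards."""
        self.tick(now)
        if self.state != self.RUNNING or count <= self.limit.num_routes:
            return self.state
        if self.resets >= self.limit.retry_count:
            self.state = self.SHUTDOWN
            self.log.append((now, "over limit again after %d resets: shut down, manual start needed"
                             % self.resets))
            return self.state
        self.resets += 1
        self.last_reset_at = now
        self.state = self.RESTARTING
        self.restart_at = now + self.limit.retry_timeout
        self.log.append((now, "%d routes > limit %d: reset %d/%d, restart at t=%d"
                         % (count, self.limit.num_routes, self.resets,
                            self.limit.retry_count, self.restart_at)))
        return self.state

    def manual_start(self, now):
        """Operator action required after a permanent shutdown."""
        self.state = self.RUNNING
        self.resets = 0
        self.log.append((now, "started by operator"))


def run(limit, events):
    """events: [(t_seconds, route_count)] in time order; return (states, log)."""
    proc = BgpProcess(limit)
    return [proc.route_count_observed(t, n) for t, n in events], proc.log


# Constructed scenarios with small limits so the sequences are short.
LIMIT = RouteLimit(num_routes=10, reset_time=360, retry_count=2, retry_timeout=60)
FLOOD = [(0, 5), (10, 50), (30, 5), (80, 50), (150, 50)]      # sustained flood
RECOVERY = [(0, 5), (10, 50), (80, 50), (500, 50)]            # quiet gap > reset_time

if __name__ == "__main__":
    for states, log in (run(LIMIT, FLOOD), run(LIMIT, RECOVERY)):
        print(states)
        for entry in log:
            print("  ", entry)
```

In the FLOOD scenario the process is reset twice and the third overflow, arriving before reset_time has elapsed, shuts it down for good; in the RECOVERY scenario the gap of more than 360 seconds clears the counter, so the later overflow only costs another reset. The monitoring consequence is that a permanent shutdown is a signal an operator must act on, not a transient condition that clears by itself.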
Related Commands
no    Removes the BGP route limitations configured. Use the no command to revert back to the default.

28.7.5 distance bgp-router-config commands
Configures administrative distance parameters. The distance parameter is a rating of the trustworthiness of a route. The higher the distance, the lower the trust rating. The distance can be set for each type of route, indicating its trust rating.
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
distance [<IP/M> <1-255> <BGP-ACL-NAME>|bgp <1-255> <1-255> <1-255>]

Parameters
distance [<IP/M> <1-255> <BGP-ACL-NAME>|bgp <1-255> <1-255> <1-255>]
distance <IP/M> <1-255> <BGP-ACL-NAME>
    Configures the default administrative distance, specified by the <1-255> parameter, when the route's source IP address matches the specified IP prefix
    <IP/M>            Specify the IP source prefix and prefix length.
    <1-255>           Specify the distance from 1 - 255.
    <BGP-ACL-NAME>    Optional. Specify the BGP access list name.
bgp <1-255> <1-255> <1-255>
    Configures the default administrative distance for different route types
    <1-255>    Configures the default administrative distance for routes external to this AS. Specify a value from 1 - 255.
    <1-255>    Configures the default administrative distance for routes internal to this AS. Specify a value from 1 - 255.
    <1-255>    Configures the default administrative distance for local routes. Specify a value from 1 - 255.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp)#distance bgp 200 100 200
nx9500-6C8809(config-profile testNX9000-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  aggregate-address 116.117.118.0/24 as-set summary-only
  distance bgp 200 100 200
  bgp neighbor 192.168.13.99
   remote-as 199
   maximum-prefix 9999 80 restart 50
  bgp-route-limit num-routes 10
nx9500-6C8809(config-profile testNX9000-router-bgp)#
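The distance section above defines two kinds of entries, a per-type default (external, internal, local) and a per-source-prefix override, and states that a higher distance means less trust. The following is an added example (not WiNG code and not from this guide) that applies those rules to a set of candidate routes for one destination: the override applies when the advertising neighbor's address lies inside the configured prefix (the most specific matching prefix wins), otherwise the per-type default is used, and the candidate with the lowest distance is the one trusted. The optional BGP ACL is not modelled; the configuration values mirror the distance bgp 200 100 200 example above, and the trusted source prefix and candidates are constructed.

```python
"""Administrative-distance model.

Added example, not WiNG code: it applies the distance rules above. A per-prefix
entry (distance <IP/M> <1-255>) overrides the per-type defaults
(distance bgp <external> <internal> <local>) for routes whose source, the
advertising neighbour, lies inside <IP/M>; when one destination is offered by
several sources, the lowest distance (highest trust) wins. The optional BGP ACL
is not modelled. Names and sample values are this example's assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DistanceConfig:
    external: int              # routes learnt from another AS (eBGP)
    internal: int              # routes learnt inside this AS (iBGP)
    local: int                 # locally originated routes
    by_source: dict = field(default_factory=dict)   # {"<IP/M>": distance}


def distance_for(cfg, route_type, source_ip):
    """Most specific matching source prefix wins; otherwise the per-type default."""
    src = ipaddress.ip_address(source_ip)
    best = None
    for prefix, dist in cfg.by_source.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if src in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dist)
    if best:
        return best[1]
    return {"external": cfg.external, "internal": cfg.internal, "local": cfg.local}[route_type]


def most_trusted(cfg, candidates):
    """candidates: [(route_type, source_ip, label)]; return (label, distance) with the lowest distance."""
    scored = [(distance_for(cfg, t, s), label) for t, s, label in candidates]
    dist, label = min(scored)
    return label, dist


# Constructed configuration: the page's 'distance bgp 200 100 200' plus one
# trusted source prefix, and three constructed candidates for one destination.
CFG = DistanceConfig(external=200, internal=100, local=200, by_source={"192.168.13.0/24": 50})
CANDIDATES = [
    ("external", "1.1.1.1", "via AS 2"),
    ("internal", "10.0.0.7", "via iBGP"),
    ("external", "192.168.13.99", "via AS 199"),
]

if __name__ == "__main__":
    for t, s, label in CANDIDATES:
        print(label, "distance", distance_for(CFG, t, s))
    print("selected:", most_trusted(CFG, CANDIDATES))
```

Without the per-prefix entry the iBGP candidate (distance 100) would win over both external ones (200); the override for 192.168.13.0/24 lowers the distance of the route learnt from 192.168.13.99 to 50, which makes it the trusted one.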
Related Commands
no    Removes the administrative distance related configurations

28.7.6 ip bgp-router-config commands
Configures the BGP default gateway's priority
Supported in the following platforms:
Wireless Controllers    RFS4000, RFS6000
Service Platforms       NX9500, NX9510, NX9600

Syntax
ip default-gateway priority <1-8000>

Parameters
ip default-gateway priority <1-8000>
default-gateway priority <1-8000>
    Configures the priority of the default gateway (acquired through BGP)
    <1-8000>    Specify a value from 1 - 8000. The default is 7500. The lower the value, the higher the priority.

Example
nx9500-6C8809(config-profile testNX9000-router-bgp)#ip default-gateway priority 1
nx9500-6C8809(config-profile testNX9000-router-bgp)#show context
 router bgp
  bgp enable
  asn 1
  ip default-gateway priority 1
  bgp-route-limit num-routes 10
nx9500-6C8809(config-profile testNX9000-router-bgp)#
Related Commands
  no   Removes the BGP default gateway configuration
28.7.7 network
bgp-router-config commands
Configures the local network IP addresses and masks. These network addresses are advertised to neighboring BGP peers. You can configure a single IP address or a range of IP addresses in the A.B.C.D/M notation.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  network <IP/M> {backdoor|pathlimit|route-map}
  network <IP/M> {backdoor pathlimit <1-255>}
  network <IP/M> {pathlimit <1-255>}
  network <IP/M> {route-map <ROUTE-MAP-NAME>}
Parameters
  network <IP/M> {backdoor pathlimit <1-255>|pathlimit <1-255>|route-map <ROUTE-MAP-NAME>}
  network <IP/M>   Configures the local network's address in the A.B.C.D/M format
    <IP/M>   Specify the network address.
  backdoor pathlimit <1-255>   Optional. Configures a BGP backdoor route. After configuring the backdoor route, you can optionally configure the as-path hop count limit attribute for this backdoor route.
    pathlimit <1-255>   Specify the hop count limit from 1 - 255.
  pathlimit <1-255>   Optional. Configures the maximum path limit for this AS
    <1-255>   Specify the hop count limit from 1 - 255.
  route-map <ROUTE-MAP-NAME>   Optional. Associates a BGP route map with this local network. When applied, the route-map values take precedence
    <ROUTE-MAP-NAME>   Specify the route map name.
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp)#network 192.168.13.0/24 backdoor pathlimit 200
  nx9500-6C8809(config-profile testNX9000-router-bgp)#show context
  router bgp
   bgp enable
   asn 1
   aggregate-address 116.117.118.0/24 as-set summary-only
   distance bgp 200 100 200
   bgp neighbor 192.168.13.99
    remote-as 199
    maximum-prefix 9999 80 restart 50
   network 1.2.3.0/24
   network 192.168.13.0/24 backdoor pathlimit 200
   bgp-route-limit num-routes 10
  nx9500-6C8809(config-profile testNX9000-router-bgp)#
Related Commands
  no   Removes the list of local networks configured
28.7.8 no
bgp-router-config commands
Removes the BGP router settings
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  no [aggregate-address|bgp|bgp-route-limit|distance|ip|network|route-redistribute|timers]
Parameters
  no <PARAMETERS>
  no <PARAMETERS>   Removes the BGP router settings
Example
The following example shows the BGP router settings before the no commands have been executed:
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
  router bgp
   bgp enable
   asn 1
   aggregate-address 116.117.118.0/24 as-set summary-only
   bgp neighbor 192.168.13.199
    remote-as 1
    use route-map UnSupMap_01 in
   bgp neighbor 192.168.13.99
    remote-as 199
    maximum-prefix 9999 80 restart 50
   bgp-route-limit num-routes 10 reset-time 360
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no bgp neighbor 192.168.13.99
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no aggregate-address 116.117.118.0/24
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#no bgp-route-limit
The following example shows the BGP router settings after the no commands have been executed:
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
  router bgp
   bgp enable
   asn 1
   bgp neighbor 192.168.13.199
    remote-as 1
    use route-map UnSupMap_01 in
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#
28.7.9 route-redistribute
bgp-router-config commands
Enables redistribution of routes learnt from other routing protocols into BGP
Large ISP networks using multiple routing protocols need to enable redistribution of routes across routing protocols. Routing protocols differ in their basic characteristics, such as metrics, administrative distance, and classful and classless capabilities. When enabling redistribution, these differences have to be taken into consideration.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  route-redistribute [connected|kernel|ospf|static] {metric <0-4294967295>|route-map <ROUTE-MAP-NAME>}
Parameters
  route-redistribute [connected|kernel|ospf|static] {metric <0-4294967295>|route-map <ROUTE-MAP-NAME>}
  route-redistribute   Redistributes routes learnt from other protocols
    connected   Redistributes directly connected routes
    kernel   Redistributes kernel routes. These are routes that are neither connected, nor static, nor dynamic.
    ospf   Redistributes OSPF routes
    static   Redistributes static routes
  The following options apply to each of the four route types:
    metric <0-4294967295>   Optional. Specify the metric for the redistributed routes.
    route-map <ROUTE-MAP-NAME>   Optional. Specifies the route map name. The route map defines the match criteria based on which routes are filtered before redistribution. For more information on route maps, see match.
Example
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#route-redistribute connected metric 200
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
  router bgp
   bgp enable
   asn 1
   aggregate-address 116.117.118.0/24 as-set summary-only
   bgp neighbor 192.168.13.99
    remote-as 199
    maximum-prefix 9999 80 restart 50
   bgp neighbor 192.168.13.199
    remote-as 1
    use route-map UnSupMap_01 in
   route-redistribute connected metric 200
   bgp-route-limit num-routes 10 reset-time 360
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#
Related Commands
  no   Disables redistribution of routes learnt from other routing protocols into BGP
28.7.10 timers
bgp-router-config commands
Enables adjustment of keepalive and holdtime intervals
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  timers bgp <0-65535> <0-65535>
Parameters
  timers bgp <0-65535> <0-65535>
  timers bgp <0-65535> <0-65535>   Configures the keepalive and holdtime intervals in seconds
    <0-65535>   Specify a keepalive interval from 0 - 65535 seconds. This is the interval, in seconds, between two successive keepalive packets exchanged between this router and its neighbor to keep the TCP connection alive.
    <0-65535>   Specify a holdtime value from 0 - 65535 seconds. This is the time this router waits without receiving a keepalive packet from its neighbor before declaring it dead. If the time since the last keepalive packet was received from the neighbor exceeds the value set here, the neighbor is declared dead.
Example
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#timers bgp 100 100
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#show context
  router bgp
   bgp enable
   asn 1
   aggregate-address 116.117.118.0/24 as-set summary-only
   bgp neighbor 192.168.13.199
    remote-as 1
    use route-map UnSupMap_01 in
   bgp neighbor 192.168.13.99
    remote-as 199
    maximum-prefix 9999 80 restart 50
   timers bgp 100 100
   bgp-route-limit num-routes 10 reset-time 360
  nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp)#
Related Commands
  no   Reverts BGP timers to default
28.8 bgp-neighbor-config commands
BORDER GATEWAY PROTOCOL
BGP enabled devices connected through an established TCP connection are referred to as BGP peers or neighbors. To establish the peering, BGP routers exchange OPEN messages containing the following information: AS number, BGP version running, BGP router ID, and timer values (keepalive and holdtime). Once these values are accepted by both devices, the connection is established and the routers become neighbors. With the TCP connection established, the BGP neighbors begin sharing routing information and updates. A failure to establish the TCP connection indicates that the routers are not neighbors and cannot exchange routing information.
Use the (profile/device-config) instance to configure BGP neighbors. To navigate to the BGP neighbor configuration instance, use the following commands:
  <DEVICE>(config)#profile <PROFILE-NAME>
  <DEVICE>(config-profile <PROFILE-NAME>)#router bgp
  <DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#?
  <DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#bgp neighbor ?
    A.B.C.D   IP address of the bgp neighbor
  <DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#
  <DEVICE>(config-profile <PROFILE-NAME>-router-bgp)#bgp neighbor <IP>
  <DEVICE>(config-profile <PROFILE-NAME>-router-bgp-neighbor-<IP>)#?
  Router BGP Neighbor Mode commands:
    activate                   Enable the Address Family for this Neighbor (EXPERIMENTAL)
    advertisement-interval     Minimum interval between BGP routing updates
    allowas-in                 Accept as-path with my AS present in it (EXPERIMENTAL)
    attribute-unchanged        BGP attribute is propagated unchanged to this neighbor (EXPERIMENTAL)
    capability                 Advertise capability to the peer
    default-originate          Originate default route to this neighbor
    description                Neighbor specific description
    disable-connected-check    One-hop away EBGP peer using loopback address (EXPERIMENTAL)
    dont-capability-negotiate  Do not perform capability negotiation (EXPERIMENTAL)
    ebgp-multihop              Allow EBGP neighbors not on directly connected networks
    enforce-multihop           Enforce EBGP neighbors perform multihop (EXPERIMENTAL)
    local-as                   Specify a local-as number (EXPERIMENTAL)
    maximum-prefix             Maximum number of prefix accept from this peer
    next-hop-self              Disable the next hop calculation for this neighbor
    no                         Negate a command or set its defaults
    override-capability        Override capability negotiation result
    passive                    Don't send open messages to this neighbor
    password                   Set a password
    peer-group                 Set peer-group for this neighbor (EXPERIMENTAL)
    port                       Neighbor's BGP port (EXPERIMENTAL)
    remote-as                  Specify a BGP neighbor
    remove-private-as          Remove private AS number from outbound updates (EXPERIMENTAL)
    route-server-client        Configure a neighbor as Route Server client (EXPERIMENTAL)
    send-community             Send Community attribute to this neighbor
    shutdown                   Administratively shut down this neighbor
    soft-reconfiguration       Per neighbor soft reconfiguration
    strict-capability-match    Strict capability negotiation match (EXPERIMENTAL)
    timers                     BGP per neighbor timers
    unsuppress-map             Route-map to selectively unsuppress suppressed routes
    update-source              Source of routing updates
    use                        Set setting to use
    weight                     Set default weight for routes from this neighbor
    clrscr                     Clears the display screen
    commit                     Commit all changes made in this session
    do                         Run commands from Exec mode
    end                        End current mode and change to EXEC mode
    exit                       End current mode and down to previous mode
    help                       Description of the interactive help system
    revert                     Revert changes
    service                    Service Commands
    show                       Show running system information
    write                      Write running configuration to memory or terminal
  <DEVICE>(config-profile <PROFILE-NAME>-router-bgp-neighbor-<IP>)#
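The OPEN exchange described above, as an added model that is not WiNG code or the vendor's implementation: each side encodes an OPEN in the RFC 4271 layout (marker, length, type, version, AS number, hold time, router ID), the receiver validates it, checks the peer's AS against its configured remote-as, and both sides settle on the smaller hold time. Keepalive as one third of the negotiated hold time is the RFC 4271 recommendation and this model's choice (the device sets it explicitly with timers bgp); the TCP connection, the neighbor password and optional capabilities are not modelled. The AS numbers 1 and 199 and neighbor 192.168.13.99 come from the page's examples; the hold times and router IDs are constructed.

```python
"""Model of the BGP OPEN exchange and keepalive/holdtime negotiation (RFC 4271 layout).
Added example, not WiNG code; TCP, the neighbor password and capabilities are omitted."""
import struct

MARKER = b"\xff" * 16   # 16-byte all-ones marker that starts every BGP message
TYPE_OPEN = 1
BGP_VERSION = 4


def build_open(my_as: int, hold_time: int, router_id: str) -> bytes:
    """Encode an OPEN: marker, length, type, version, AS, hold time, router ID, opt-param length."""
    rid = bytes(int(octet) for octet in router_id.split("."))
    body = struct.pack("!BHH4sB", BGP_VERSION, my_as, hold_time, rid, 0)
    length = 16 + 2 + 1 + len(body)          # 29 bytes with no optional parameters
    return MARKER + struct.pack("!HB", length, TYPE_OPEN) + body


def parse_open(msg: bytes) -> dict:
    """Decode and validate an OPEN; raises ValueError on anything a peer must reject."""
    if len(msg) < 29 or msg[:16] != MARKER:
        raise ValueError("bad marker or truncated header")
    length, mtype = struct.unpack("!HB", msg[16:19])
    if mtype != TYPE_OPEN or length != len(msg):
        raise ValueError("not an OPEN message or length mismatch")
    version, peer_as, hold, rid, opt_len = struct.unpack("!BHH4sB", msg[19:29])
    if version != BGP_VERSION:
        raise ValueError(f"unsupported BGP version {version}")
    if hold in (1, 2):   # RFC 4271 6.2: a hold time of 1 or 2 seconds is unacceptable
        raise ValueError(f"unacceptable hold time {hold}")
    return {"version": version, "as": peer_as, "hold_time": hold,
            "router_id": ".".join(str(b) for b in rid), "opt_param_len": opt_len}


def negotiate_timers(local_hold: int, peer_hold: int) -> tuple:
    """Both sides use the smaller hold time; keepalive is one third of it (0 disables both)."""
    hold = min(local_hold, peer_hold)
    return hold, hold // 3


def establish(local: dict, peer: dict) -> dict:
    """Run both sides of the exchange. Each side checks the AS in the received OPEN
    against its configured remote-as before accepting the peer."""
    open_from_local = build_open(local["as"], local["hold"], local["router_id"])
    open_from_peer = build_open(peer["as"], peer["hold"], peer["router_id"])
    seen_by_local = parse_open(open_from_peer)
    seen_by_peer = parse_open(open_from_local)
    if seen_by_local["as"] != local["remote_as"]:
        raise ValueError(f"local side: peer AS {seen_by_local['as']} "
                         f"is not the configured remote-as {local['remote_as']}")
    if seen_by_peer["as"] != peer["remote_as"]:
        raise ValueError(f"peer side: AS {seen_by_peer['as']} "
                         f"is not its configured remote-as {peer['remote_as']}")
    hold, keepalive = negotiate_timers(local["hold"], peer["hold"])
    return {"state": "established", "hold_time": hold, "keepalive": keepalive,
            "peer_router_id": seen_by_local["router_id"]}


# Constructed sample matching the page's examples: local asn 1, neighbor 192.168.13.99 in AS 199.
LOCAL = {"as": 1, "hold": 180, "router_id": "10.0.0.1", "remote_as": 199}
PEER = {"as": 199, "hold": 100, "router_id": "192.168.13.99", "remote_as": 1}

if __name__ == "__main__":
    print(establish(LOCAL, PEER))
```

The remote-as check is the one the table below calls remote-as; a mismatch is the most common reason a session never reaches the established state, and it is also the reason a peer cannot simply claim another AS in its OPEN without the session being refused.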
The following table summarizes BGP neighbor configuration mode commands:
Table 28.8 BGP-Neighbor-Config-Mode Commands
  Command   Description   Reference
  activate   Enables an address family for this neighbor (EXPERIMENTAL)   page 28-59
  advertisement-interval   Configures the minimum interval between two consecutive BGP router updates   page 28-60
  allowas-in   Enables re-advertisement of all prefixes containing duplicate ASNs (EXPERIMENTAL)   page 28-61
  attribute-unchanged   Enables the propagation of BGP attribute values unchanged to this neighbor BGP device (EXPERIMENTAL)   page 28-62
  capability   Enables the advertisement of capability (dynamic and ORF) to BGP peers   page 28-63
  default-originate   Enables the sending of the default route to BGP neighbors. It also allows the configuration of the default route.   page 28-64
  description   Configures a description for a BGP neighbor device   page 28-65
  disable-connected-check   Enables one-hop away EBGP peer using loop back address (EXPERIMENTAL)   page 28-66
  dont-capability-negotiate   Disables capability negotiation with BGP neighbors (EXPERIMENTAL)   page 28-67
  ebgp-multihop   Enables eBGP Multihop on this BGP neighbor, and configures the maximum number of hops that can be between eBGP neighbors not directly connected to each other.   page 28-68
  enforce-multihop   Forces EBGP neighbors to perform multi-hop checks (EXPERIMENTAL)   page 28-69
  local-as   Configures this neighbor's local AS number. Also enables the prepending of this AS number in route updates. (EXPERIMENTAL)   page 28-70
  maximum-prefix   Configures the maximum number of prefixes that can be received from a BGP neighbor   page 28-71
  next-hop-self   Enables next-hop calculation for this neighbor   page 28-72
  no   Removes this BGP neighbor's settings, or reverts them back to default   page 28-73
  override-capability   Enables the overriding of capability negotiation results   page 28-74
  passive   Enables this BGP neighbor device (or devices using this profile) as passive   page 28-75
  password   Sets a password for this BGP neighbor device (or devices using this profile)   page 28-76
  peer-group   Sets the peer group for this BGP neighbor device (or devices using this profile) (EXPERIMENTAL)   page 28-77
  port   Configures a non-standard BGP port for this BGP neighbor (EXPERIMENTAL)   page 28-78
  remote-as   Configures the ASN for this neighbor BGP device (or devices using this profile)   page 28-79
  remove-private-as   Removes the private ASN from outbound updates (EXPERIMENTAL)   page 28-80
  route-server-client   Enables this BGP neighbor device (or devices using this profile) to act as a route server client (EXPERIMENTAL)   page 28-81
  send-community   Enables sending of the community attribute to the BGP neighbor   page 28-82
  shutdown   Shuts down this BGP neighbor device (or devices using this profile)   page 28-83
  soft-reconfiguration   Enables storing of updates for inbound soft reconfiguration   page 28-84
  strict-capability-match   Enables a strict capability match before allowing a neighbor BGP peer to open a connection (EXPERIMENTAL)   page 28-85
  timers   Configures this BGP neighbor's keepalive and holdtime durations   page 28-86
  unsuppress-map   Uses a route-map that selectively unsuppresses routes that have been suppressed using the aggregate-address command   page 28-88
  update-source   Allows BGP sessions to use any operational interface to establish the TCP connection with this neighbor   page 28-89
  use   Configures filters for this neighbor. These filters are BGP IP ACL, IP prefix list, AS path list, and route map. Based on the filters used, updates received from this neighbor are filtered.   page 28-90
  weight   Configures a weight for all routes learned from this BGP neighbor   page 28-91
28.8.1 activate
bgp-neighbor-config commands
Enables an address family for this neighbor. This option is enabled by default.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  activate
Parameters
  None
Example
  nx9500-6C8809(config-profile testNX9500-router-bgp-neighbor-192.168.13.99)#activate
28.8.2 advertisement-interval
bgp-neighbor-config commands
Configures the minimum interval, in seconds, between two consecutive BGP router updates
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  advertisement-interval <0-600>
Parameters
  advertisement-interval <0-600>
  advertisement-interval <0-600>   Configures the minimum interval, in seconds, between two consecutive BGP router updates. Sending router updates too frequently causes route flapping and possible disruption. Specify a minimum interval so that BGP routing updates are sent no more often than the set interval.
    <0-600>   Specify a value from 0 - 600 seconds. The default is 5 seconds.
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#advertisement-interval 100
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Reverts the advertisement interval to default (5 seconds)
28.8.3 allowas-in
bgp-neighbor-config commands
Enables re-advertisement of all prefixes containing duplicate ASNs. Use this command to configure the maximum number of times an ASN is advertised. This option is disabled by default.
When enabled, Provider Edge (PE) routers can re-advertise all prefixes containing duplicate ASNs. This creates a pair of VPN Routing/Forwarding (VRF) instances on each PE router to receive and re-advertise prefixes. The PE router receives prefixes with ASNs from all PE routers and advertises them to its neighbor PE routers on one VRF. The other VRF receives prefixes with ASNs from the Customer Edge (CE) routers and re-advertises them to all PE routers in the configuration.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  allowas-in <1-10>
Parameters
  allowas-in <1-10>
  allowas-in <1-10>   Enables and configures the maximum number of times an ASN is advertised.
    <1-10>   Specify a value from 1 - 10.
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#allowas-in 10
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Disables re-advertisement of all prefixes containing duplicate ASNs
28.8.4 attribute-unchanged
bgp-neighbor-config commands
Enables propagation of BGP attribute values unchanged to this neighbor BGP device. The BGP attributes are: as-path, med, and next-hop.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  attribute-unchanged {(as-path|med|next-hop)}
Parameters
  attribute-unchanged {(as-path|med|next-hop)}
  attribute-unchanged   Enables the propagation of the following BGP attribute values unchanged:
    as-path   Optional. Enables propagation of the AS path BGP attribute unchanged to this neighbor BGP device. This option is disabled by default.
    med   Optional. Enables propagation of the MED BGP attribute unchanged to this neighbor BGP device. This option is disabled by default.
    next-hop   Optional. Enables propagation of the next-hop BGP attribute value unchanged to this neighbor BGP device. This option is disabled by default.
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#attribute-unchanged as-path
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Disables propagation of BGP attribute values unchanged to this neighbor BGP device
28.8.5 capability
bgp-neighbor-config commands
Enables the advertisement of capability (dynamic and ORF) to BGP peers
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  capability [dynamic|orf]
  capability dynamic
  capability orf prefix-list [both|receive|send]
Parameters
  capability dynamic
  capability dynamic   Enables the advertisement of dynamic capability. Enable this option to advertise a neighbor device's capability to add or withdraw an address capability to other peers in a non-disruptive manner. This option is disabled by default.
  capability orf prefix-list [both|receive|send]
  capability orf prefix-list [both|receive|send]   Enables the advertisement of Outbound Route Filtering (ORF) capability. This option is disabled by default. Enable this option to enable ORF, and advertise this capability to peer devices. ORF send and receive capabilities lessen the number of updates exchanged between BGP peers. By filtering updates, ORF minimizes update generation and exchange overhead. The local BGP device advertises ORF in the send mode. The peer BGP device receives the ORF capability in the receive mode. The two devices exchange updates to maintain the ORF for each router. Only a peer group or an individual BGP router can be configured to be in receive or send mode. A peer group member cannot be configured.
    both   Advertises the capability to send and receive the ORF to/from this neighbor
    receive   Advertises the capability to receive the ORF from this neighbor
    send   Advertises the capability to send the ORF to this neighbor
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#capability orf prefix-list both
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Disables advertisement of capability (dynamic and ORF) to BGP peers
28.8.6 default-originate
bgp-neighbor-config commands
Enables the sending of the default route to BGP neighbors. It also allows the configuration of the default route. When enabled and configured, the local BGP router sends the default route 0.0.0.0 (or a route map specified route) to its neighbor for use as the default route.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  default-originate {route-map <BGP-ROUTE-MAP-NAME>}
Parameters
  default-originate {route-map <BGP-ROUTE-MAP-NAME>}
  default-originate {route-map <BGP-ROUTE-MAP-NAME>}   Enables default originate on this BGP neighbor. This option is disabled by default.
    route-map <BGP-ROUTE-MAP-NAME>   Optional. Use this keyword to specify a route map to use as the default originate route. If no route-map is specified, the default route 0.0.0.0 is sent.
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#default-originate
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Disables the sending of the default route to BGP neighbors
28.8.7 description
bgp-neighbor-config commands
Configures a description for this BGP neighbor device
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  description neighbor <LINE>
Parameters
  description neighbor <LINE>
  neighbor <LINE>   Specify a description for this BGP neighbor device (should not exceed 80 characters).
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#description neighbor "This neighbor is an external AS neighbor"
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Removes this BGP neighbor's description
28.8.8 disable-connected-check
bgp-neighbor-config commands
Enables one-hop away eBGP peer using loop back address. This option is disabled by default.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  disable-connected-check
Parameters
  None
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#disable-connected-check
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Disables one-hop away eBGP peer using loop back address
28.8.9 dont-capability-negotiate
bgp-neighbor-config commands
Disables capability negotiation with BGP neighbors. This allows compatibility with older BGP versions that have no capability parameters in the open messages exchanged between peers. Capability negotiation is enabled by default.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  dont-capability-negotiate
Parameters
  None
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#dont-capability-negotiate
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Enables capability negotiation with BGP neighbors
28.8.10 ebgp-multihop
bgp-neighbor-config commands
Enables eBGP Multihop on this BGP neighbor. When enabled, a neighbor connection can be established between two eBGP neighbors that are not directly connected to each other. Use this command to configure the maximum number of hops possible between two such eBGP neighbors. This option is disabled by default.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  ebgp-multihop <1-255>
Parameters
  ebgp-multihop <1-255>
  ebgp-multihop <1-255>   Configures the maximum number of hops that can be between eBGP neighbors not directly connected to each other.
    <1-255>   Specify a value from 1 - 255. The default is 255.
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#ebgp-multihop 20
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Disables eBGP Multihop on this BGP neighbor
28.8.11 enforce-multihop
bgp-neighbor-config commands
Forces eBGP neighbors to perform multi-hop checks
A multihop route is a route to external peers on indirectly connected networks. When enforced, eBGP neighbors perform the multi-hop check. This option is disabled by default.
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  enforce-multihop
Parameters
  None
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#enforce-multihop
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
  no   Disables enforcement of multihop route checks
28.8.12 local-as
bgp-neighbor-config commands
Configures this neighbor's local AS number
Supported in the following platforms:
  Wireless Controllers RFS4000, RFS6000
  Service Platforms NX9500, NX9510, NX9600
Syntax
  local-as <1-4294967295> {no-prepend}
Parameters
  local-as <1-4294967295> {no-prepend}
  local-as <1-4294967295> {no-prepend}   Configures the local AS number
    <1-4294967295>   Specify a value from 1 - 4294967295.
    no-prepend   Optional. Select to enable. When enabled, the local AS number is not prepended to route updates from eBGP peers. AS numbers are prepended to route updates by default.
Example
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#local-as 20 no-prepend
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
  bgp neighbor 192.168.13.99
   advertisement-interval 100
   allowas-in 10
   attribute-unchanged as-path
   capability orf prefix-list both
   default-originate
   description neighbor "This neighbor is an external AS neighbor"
   disable-connected-check
   dont-capability-negotiate
   ebgp-multihop 20
   enforce-multihop
   local-as 20 no-prepend
  nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands no Removes the local AS number. And also reverts prepending of AS numbers to default
(allows prepending). Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 70 BORDER GATEWAY PROTOCOL 28.8.13 maximum-prefix bgp-neighbor-config commands Configures the maximum number of prefixes that can be received from a BGP neighbor. This option is disabled by default. Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
maximum-prefix <1-4294967295> {(<1-100>|restart <1-65535>|warning-only)}
Parameters
maximum-prefix <1-4294967295> {(<1-100>|restart <1-65535>|warning-only)}
 <1-4294967295>     Configures the maximum number of prefixes that can be received from a BGP neighbor. Specify a value from 1 - 4294967295.
 <1-100>            Optional. Sets the threshold limit for generating a log message. This value is a percentage of the maximum-prefix configured in the preceding step. When this value is reached, a log entry is generated. For example, if the maximum-prefix is set to 100 and the threshold limit is set to 65, a log entry is generated after 65 prefixes are received. This option is disabled by default.
 restart <1-65535>  Optional. Restarts the BGP peer connection once the maximum-prefix limit specified is exceeded. For example, if the value specified is 10, then after receiving 10 prefixes from the neighbor, the system restarts the connection with that neighbor. Specify a value from 1 - 65535. This option is disabled by default.
 warning-only       Optional. Select to enable. When the maximum-prefix limit is exceeded, the connection is restarted. However, when this option is enabled, the connection is not restarted and an event is generated instead. This option is disabled by default.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#maximum-prefix 400 50 warning-only
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show con
bgp neighbor 192.168.13.99
 advertisement-interval 100
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
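The maximum-prefix guard is the one knob in this section that protects the local device from a misbehaving or compromised peer flooding it with routes. The following added example is not WiNG code and not from the guide; it models the semantics the command describes (hard limit, percentage threshold that produces a log entry, and either a session reset or a warning-only event when the limit is exceeded) so the three behaviours can be compared on a constructed announcement. Class and function names are ours; the page does not state the unit of the restart interval, so it is carried as an opaque number.

```python
"""Model of the per-neighbor maximum-prefix guard described above.

Added illustration, not WiNG code. It mirrors the semantics the command
documents: a hard prefix limit, an optional logging threshold given as a
percentage of that limit, and either a session restart or a warning-only
event once the limit is exceeded. Class and function names are ours.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class MaxPrefixGuard:
    limit: int                              # maximum-prefix <1-4294967295>
    threshold_pct: Optional[int] = None     # <1-100>: log when this % of the limit is reached
    restart_interval: Optional[int] = None  # restart <1-65535>: retry interval after a reset
    warning_only: bool = False              # warning-only: log an event, keep the session up
    received: int = 0
    session_up: bool = True
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Same value ranges the CLI syntax accepts.
        if not 1 <= self.limit <= 4294967295:
            raise ValueError("maximum-prefix must be 1-4294967295")
        if self.threshold_pct is not None and not 1 <= self.threshold_pct <= 100:
            raise ValueError("threshold must be 1-100")
        if self.restart_interval is not None and not 1 <= self.restart_interval <= 65535:
            raise ValueError("restart interval must be 1-65535")

    def threshold_count(self) -> Optional[int]:
        """Prefix count at which the threshold log fires (limit 100, threshold 65 -> 65)."""
        if self.threshold_pct is None:
            return None
        return (self.limit * self.threshold_pct) // 100

    def on_prefix(self, prefix: str) -> str:
        """Account for one received prefix; returns what the guard did with it."""
        if not self.session_up:
            return "dropped"  # session torn down, nothing more is accepted
        self.received += 1
        if self.received == self.threshold_count():
            self.events.append(
                f"threshold: {self.received}/{self.limit} prefixes ({self.threshold_pct}%) received")
        if self.received > self.limit:
            if self.warning_only:
                self.events.append(f"limit exceeded: {self.received} > {self.limit}, session kept up")
                return "accepted-over-limit"
            self.session_up = False
            retry = f", retry after {self.restart_interval}" if self.restart_interval else ""
            self.events.append(f"limit exceeded: {self.received} > {self.limit}, session reset{retry}")
            return "session-reset"
        return "accepted"


def feed(guard: MaxPrefixGuard, prefixes: List[str]) -> List[str]:
    """Run a batch of announced prefixes through the guard and collect the outcomes."""
    return [guard.on_prefix(p) for p in prefixes]


# Constructed sample announcement: five prefixes from one neighbor.
SAMPLE_PREFIXES = [f"10.{i}.0.0/16" for i in range(1, 6)]

if __name__ == "__main__":
    g = MaxPrefixGuard(limit=4, threshold_pct=50, warning_only=True)
    print(feed(g, SAMPLE_PREFIXES))
    print("\n".join(g.events))
```

With warning-only the session survives the fifth prefix and two events are logged (threshold at two prefixes, limit at five); with a restart configured instead, the fifth prefix tears the session down and later prefixes are dropped until the retry.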
Related Commands
no   Removes the maximum prefix settings configured for this neighbor

28.8.14 next-hop-self
bgp-neighbor-config commands
Enables next-hop calculation for this neighbor. This option is disabled by default.
When enabled, this device (or devices using this profile) is configured as the next hop for the BGP-speaking neighbor or peer group. This allows the BGP device to change the next-hop information sent to iBGP peers. The next-hop address is set to the IP address of the interface used to communicate with the eBGP neighbor.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
next-hop-self
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 advertisement-interval 100
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no   Disables next-hop calculation for this neighbor (this is the default)

28.8.15 no
bgp-neighbor-config commands
Removes this BGP neighbor's settings, or reverts them to default.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
no <PARAMETER>
Parameters
no <PARAMETER>
 <PARAMETER>  Specify the parameter details to remove or revert to default.
Example
The following example shows the neighbor 192.168.13.99 settings before the no commands are executed:
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 advertisement-interval 100
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no advertisement-interval
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no disable-connected-check
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no default-originate
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#no local-as
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 description neighbor "This neighbor is an external AS neighbor"
 dont-capability-negotiate
 ebgp-multihop 20
 maximum-prefix 400 50 warning-only
 next-hop-self
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
28.8.16 override-capability
bgp-neighbor-config commands
Enables the overriding of capability negotiation results. This option is disabled by default.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
override-capability
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#override-capability
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 advertisement-interval 100
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no   Disables the overriding of capability negotiation results

28.8.17 passive
bgp-neighbor-config commands
Configures this BGP neighbor device (or devices using this profile) as passive. When enabled, local devices do not attempt to open a connection to passive BGP neighbors. This option is disabled by default.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
passive
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#passive
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 advertisement-interval 100
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no   Disables this BGP neighbor device (or devices using this profile) as passive

28.8.18 password
bgp-neighbor-config commands
Sets a password for this BGP neighbor device (or devices using this profile). When configured, this password is used for Message Digest 5 (MD5) authentication between two BGP peers connected over TCP. To enable MD5 authentication between two BGP peers, configure both with the same password.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
password neighbor <LINE>
Parameters
password neighbor <LINE>
 <LINE>  Specify the password.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 advertisement-interval 100
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
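The "MD5 authentication between two BGP peers connected over TCP" that the password command enables is the TCP MD5 Signature Option of RFC 2385: each segment carries a 16-byte digest computed over the IP pseudo-header, the fixed TCP header with a zero checksum, the payload and the shared password, and a receiver drops any segment whose digest does not verify with its own configured password. The following added example (not WiNG code, not from the guide) computes and verifies that digest on a constructed segment so the effect of a password mismatch or a modified payload is visible; the addresses are the ones used in this section's examples and the password is the one configured above.

```python
"""TCP MD5 signature option (RFC 2385), the mechanism behind `password neighbor`.

Added illustration, not WiNG code. Both peers compute an MD5 digest over
the IP pseudo-header, the fixed TCP header with a zero checksum, the
segment payload and the shared password; the 16-byte result travels in
TCP option kind 19 (length 18). The segment below is constructed.
"""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

TCP_PROTOCOL = 6
MD5_OPTION_KIND = 19
MD5_OPTION_LEN = 18  # kind(1) + length(1) + 16-byte digest


@dataclass
class Segment:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int                 # e.g. 0x18 = PSH|ACK
    window: int
    payload: bytes
    other_options: bytes = b""  # any TCP options besides the signature option


def _option_space(seg: Segment) -> int:
    """Bytes of TCP options, signature option included, padded to a 32-bit boundary."""
    raw = len(seg.other_options) + MD5_OPTION_LEN
    return (raw + 3) // 4 * 4


def _fixed_header(seg: Segment) -> bytes:
    """20-byte TCP header with the checksum field forced to zero, as RFC 2385 requires."""
    data_offset_words = (20 + _option_space(seg)) // 4
    offset_flags = (data_offset_words << 12) | (seg.flags & 0x1FF)
    return struct.pack("!HHIIHHHH", seg.src_port, seg.dst_port, seg.seq, seg.ack,
                       offset_flags, seg.window, 0, 0)  # checksum 0, urgent pointer 0


def md5_signature(seg: Segment, password: bytes) -> bytes:
    """Digest over pseudo-header, fixed header, payload and password, in that order."""
    tcp_length = 20 + _option_space(seg) + len(seg.payload)
    pseudo_header = (socket.inet_aton(seg.src_ip) + socket.inet_aton(seg.dst_ip)
                     + struct.pack("!BBH", 0, TCP_PROTOCOL, tcp_length))
    h = hashlib.md5()
    h.update(pseudo_header)
    h.update(_fixed_header(seg))
    h.update(seg.payload)
    h.update(password)
    return h.digest()


def signature_option(seg: Segment, password: bytes) -> bytes:
    """Option bytes the sender places in the TCP header: kind 19, length 18, digest."""
    return struct.pack("!BB", MD5_OPTION_KIND, MD5_OPTION_LEN) + md5_signature(seg, password)


def verify(seg: Segment, received_digest: bytes, password: bytes) -> bool:
    """Receiver side: recompute with the locally configured password, compare in constant time."""
    return hmac.compare_digest(md5_signature(seg, password), received_digest)


# Constructed segment from the local router (192.168.13.1) to neighbor 192.168.13.99 on port 179.
SEGMENT = Segment("192.168.13.1", "192.168.13.99", 40000, 179, seq=1000, ack=2000,
                  flags=0x18, window=65535, payload=b"BGP UPDATE (constructed payload)")
PASSWORD = b"eBGPneighbor@300"

if __name__ == "__main__":
    sig = md5_signature(SEGMENT, PASSWORD)
    print("digest:", sig.hex())
    print("same password verifies:", verify(SEGMENT, sig, PASSWORD))
    print("other password verifies:", verify(SEGMENT, sig, b"eBGPneighbor@301"))
```

Because the digest covers the addresses, ports, sequence numbers and payload, a spoofed or altered segment fails verification as surely as one signed with a different password, which is why the page insists both peers carry the same string. The option is keyed MD5 rather than HMAC and has no key rotation, so the password should be long, random and rotated by procedure; TCP-AO (RFC 5925) is the standardized successor where both sides support it.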
Related Commands
no   Removes the password configured for this neighbor

28.8.19 peer-group
bgp-neighbor-config commands
Sets the peer group for this BGP neighbor device (or devices using this profile).
Peer groups are a set of BGP neighbors with the same update policies. This facilitates the updating of various policies, such as distribute lists and filter lists. The peer group can be configured as a single entity. Any change made to the peer group is propagated to all members.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
peer-group <PEER-GROUP-NAME>
Parameters
peer-group <PEER-GROUP-NAME>
 <PEER-GROUP-NAME>  Specify the peer group name. Once specified, this neighbor device becomes a member of the peer group identified by the <PEER-GROUP-NAME> keyword.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#peer-group eBGPPeerGrp1
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no   Removes the peer group configuration. This neighbor's peer group setting is removed.

28.8.20 port
bgp-neighbor-config commands
Configures a non-standard BGP port for this BGP neighbor. By default BGP uses port 179. Use this command to set a non-standard port for this BGP neighbor.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
port <0-65535>
Parameters
port <0-65535>
 <0-65535>  Specify a value from 0 - 65535.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#port 21
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no   Removes the non-standard port configured for this neighbor

28.8.21 remote-as
bgp-neighbor-config commands
Configures the ASN for this neighbor BGP device (or devices using this profile). An autonomous system (AS), identified by its ASN, is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
remote-as <1-4294967295>
Parameters
remote-as <1-4294967295>
 <1-4294967295>  Specify the remote ASN from 1 - 4294967295.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#remote-as 100
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 100
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
28.8.22 remove-private-as
bgp-neighbor-config commands
Removes private ASNs from outbound updates. By default private ASNs are included in outbound updates.
Private AS numbers are not advertised to the Internet. This option is used with external BGP (eBGP) peers only. The router removes the AS numbers only if the update includes private AS numbers. If the update includes both private and public AS numbers, the system treats it as an error. This option is disabled by default.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
remove-private-as
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#remove-private-as
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 100
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
 remove-private-as
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
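Two commands in this section rewrite the AS_PATH attribute: local-as (inbound, where the configured local AS is prepended to updates from the eBGP neighbor unless no-prepend is set) and remove-private-as (outbound to eBGP peers, where a path made up of private ASNs is stripped and a path that mixes private and public ASNs is treated as an error). The following added example is not WiNG code and not from the guide; it implements both rules as described above on constructed paths, using the IANA-reserved private ASN ranges (RFC 6996), and adds the standard eBGP step of prepending the advertising router's own AS, which the page does not mention. Function names are ours.

```python
"""AS_PATH handling for `local-as <n> {no-prepend}` and `remove-private-as`.

Added illustration, not WiNG code. Inbound updates from the eBGP neighbor
get the configured local AS prepended unless no-prepend is set; outbound
updates to an eBGP peer have private ASNs removed only when the path is
entirely private, and a mixed private/public path is rejected as an error,
as the command description states. Private ranges are per RFC 6996.
"""
from typing import List, Optional

PRIVATE_ASN_16BIT = range(64512, 65535)            # 64512-65534
PRIVATE_ASN_32BIT = range(4200000000, 4294967295)  # 4200000000-4294967294


class MixedPrivatePublicPath(ValueError):
    """remove-private-as refuses a path that mixes private and public ASNs."""


def is_private_asn(asn: int) -> bool:
    return asn in PRIVATE_ASN_16BIT or asn in PRIVATE_ASN_32BIT


def inbound_as_path(path: List[int], local_as: Optional[int], no_prepend: bool = False) -> List[int]:
    """Path as stored after receiving it from the neighbor under `local-as <n> {no-prepend}`."""
    if local_as is None or no_prepend:
        return list(path)
    return [local_as] + list(path)


def outbound_as_path(path: List[int], own_as: int, ebgp: bool, remove_private_as: bool) -> List[int]:
    """Path as advertised to the neighbor.

    The router's own AS is prepended towards eBGP peers (standard BGP, not
    part of this command); remove-private-as applies to eBGP peers only.
    """
    path = list(path)
    if ebgp and remove_private_as:
        private = [a for a in path if is_private_asn(a)]
        if private and len(private) != len(path):
            raise MixedPrivatePublicPath(f"private and public ASNs in one path: {path}")
        if private:
            path = []  # all-private path: strip it entirely
    return ([own_as] + path) if ebgp else path


# Constructed paths: one learned from neighbor 192.168.13.99 (remote-as 100),
# one internal all-private path, and one that mixes private and public ASNs.
RECEIVED_FROM_NEIGHBOR = [100, 300]
INTERNAL_PRIVATE_PATH = [65010, 65020]
MIXED_PATH = [65010, 300]

if __name__ == "__main__":
    print(inbound_as_path(RECEIVED_FROM_NEIGHBOR, local_as=20))
    print(inbound_as_path(RECEIVED_FROM_NEIGHBOR, local_as=20, no_prepend=True))
    print(outbound_as_path(INTERNAL_PRIVATE_PATH, own_as=20, ebgp=True, remove_private_as=True))
    try:
        outbound_as_path(MIXED_PATH, own_as=20, ebgp=True, remove_private_as=True)
    except MixedPrivatePublicPath as err:
        print("rejected:", err)
```

The mixed-path case is the one to watch operationally: a route that transits a private AS and then a public one is neither stripped nor silently leaked, it is flagged, so a spike in such errors after enabling remove-private-as usually points at a misconfigured upstream rather than at this device.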
Related Commands
no   Includes private ASNs in outbound updates (this is the default setting)

28.8.23 route-server-client
bgp-neighbor-config commands
Enables this BGP neighbor device (or devices using this profile) to act as a route server client. This option is disabled by default.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
route-server-client
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#route-server-client
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 100
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
 remove-private-as
 route-server-client
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no   Disables this BGP neighbor device (or devices using this profile) from acting as a route server client

28.8.24 send-community
bgp-neighbor-config commands
Enables sending of the community attribute to the BGP neighbor.
The community attribute groups destinations in a certain community and applies routing decisions based on the community. On receiving the community attribute, the BGP router announces it to the neighbor.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
send-community [both|extended|standard]
Parameters
send-community [both|extended|standard]
 both      Sends extended and standard community attributes
 extended  Sends extended community attributes only
 standard  Sends standard community attributes only
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#send-community both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 100
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
 remove-private-as
 route-server-client
 send-community both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#

Related Commands
no   Disables sending of the community attribute to the BGP neighbor

28.8.25 shutdown
bgp-neighbor-config commands
Shuts down this BGP neighbor device (or devices using this profile). When configured, this neighbor is administratively shut down. This option is disabled by default.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
shutdown
Parameters
None
Example
nx9500-6C8809(config-profile testNX500-router-bgp-neighbor-192.168.13.99)#shutdown
nx9500-6C8809(config-profile testNX500-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remove-private-as
 route-server-client
 shutdown
nx9500-6C8809(config-profile testNX500-router-bgp-neighbor-192.168.13.99)#
Related Commands
no   Removes the administrative shutdown of this neighbor

28.8.26 soft-reconfiguration
bgp-neighbor-config commands
Enables storing of updates for inbound soft reconfiguration. This option is disabled by default.
Soft reconfiguration can be used in lieu of the BGP route refresh capability. Enabling this option enables local storage of all received routes and their attributes. This requires additional memory on the BGP device. When a soft reset (inbound) is performed on the neighbor device, the locally stored routes are reprocessed according to the inbound policy. The BGP neighbor connection is not affected.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
soft-reconfiguration inbound
Parameters
soft-reconfiguration inbound
 inbound  Performs a soft reconfiguration (inbound) on the BGP neighbor device
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#soft-reconfiguration inbound

Related Commands
no   Disables soft reconfiguration

28.8.27 strict-capability-match
bgp-neighbor-config commands
Enforces a strict capability match before allowing a TCP connection with this neighbor. If the capabilities do not match, the BGP connection is not established. This option is disabled by default.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
strict-capability-match
Parameters
None
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#strict-capability-match

Related Commands
no   Disables the strict capability match before allowing a connection with this neighbor

28.8.28 timers
bgp-neighbor-config commands
Configures this BGP neighbor's keepalive and holdtime durations.
NOTE: The keepalive and holdtime settings configured at the neighbor level override those configured on the BGP router.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
timers [<0-65535> <0-65535>|connect <0-65535>]
Parameters
timers <0-65535> <0-65535>
 Sets the keepalive and holdtime intervals
 <0-65535>  Specifies the keepalive interval from 0 - 65535 seconds. This is the interval, in seconds, between two successive keepalive packets exchanged with this neighbor to keep the TCP connection alive.
 <0-65535>  Specifies the holdtime interval from 0 - 65535 seconds. This is the time this neighbor waits without receiving a keepalive packet from its neighbor before declaring it dead. If the time since the last keepalive packet was received (from its neighbor) exceeds the value set here, the neighbor is declared dead.
timers connect <0-65535>
 Sets the BGP connect time. This is the interval, in seconds, after which BGP tries to connect to a dead peer.
 <0-65535>  Specify a value from 1 - 65535 seconds.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#timers 20 40
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#timers connect 20
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 100
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 strict-capability-match
 timers connect 20
 timers 20 40
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
 remove-private-as
 route-server-client
 send-community both
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
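The timers section defines three quantities and one precedence rule: the keepalive interval, the holdtime after which a silent neighbor is declared dead, the connect interval before a dead peer is retried, and the rule that neighbor-level timers override the router-level ones. The following added example (not WiNG code, not from the guide) encodes those definitions and runs them over a constructed keepalive timeline using the example's `timers 20 40` and `timers connect 20`, so the exact instant a peer is declared dead can be checked; the rule that a non-zero holdtime must be at least 3 seconds comes from RFC 4271, not from this page, and is included as a sanity check. Names are ours.

```python
"""Keepalive, holdtime and connect timers for a BGP neighbor, as described above.

Added illustration, not WiNG code. Neighbor-level timers override the
router-level ones (the NOTE above); a peer is declared dead when the time
since its last keepalive exceeds the holdtime; the connect timer is how
long to wait before retrying a dead peer. The RFC 4271 rule that a
non-zero holdtime is at least 3 seconds is an added check, not on the page.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class BgpTimers:
    keepalive: int  # seconds between keepalives sent to the neighbor
    holdtime: int   # seconds without a keepalive before the neighbor is declared dead

    def __post_init__(self) -> None:
        for value in (self.keepalive, self.holdtime):
            if not 0 <= value <= 65535:  # range accepted by `timers <0-65535> <0-65535>`
                raise ValueError("timers must be 0-65535")
        if self.holdtime != 0 and self.holdtime < 3:
            raise ValueError("holdtime must be 0 or at least 3 seconds (RFC 4271)")


def effective_timers(router_level: BgpTimers, neighbor_level: Optional[BgpTimers]) -> BgpTimers:
    """Neighbor-level `timers <ka> <hold>` wins over the router-level setting when present."""
    return neighbor_level if neighbor_level is not None else router_level


def neighbor_is_dead(timers: BgpTimers, keepalive_times: List[float], now: float) -> bool:
    """True once more than holdtime has elapsed since the last keepalive (holdtime 0 disables it)."""
    if timers.holdtime == 0 or not keepalive_times:
        return False
    return now - max(keepalive_times) > timers.holdtime


def next_connect_attempt(dead_at: float, connect_timer: int) -> float:
    """`timers connect <n>`: time at which BGP tries to reconnect to a peer declared dead."""
    if not 1 <= connect_timer <= 65535:
        raise ValueError("connect timer must be 1-65535")
    return dead_at + connect_timer


# Constructed timeline: the example's `timers 20 40` and `timers connect 20`,
# with keepalives seen at t=0, 20 and 40 seconds and then silence.
NEIGHBOR = BgpTimers(keepalive=20, holdtime=40)
CONNECT_TIMER = 20
KEEPALIVES_SEEN = [0.0, 20.0, 40.0]

if __name__ == "__main__":
    router_default = BgpTimers(keepalive=60, holdtime=180)
    active = effective_timers(router_default, NEIGHBOR)
    for now in (60.0, 80.0, 81.0):
        print(f"t={now}: dead={neighbor_is_dead(active, KEEPALIVES_SEEN, now)}")
    print("retry at", next_connect_attempt(81.0, CONNECT_TIMER))
```

With the last keepalive at t=40 and holdtime 40, the neighbor is still considered alive at t=80 and declared dead at t=81, after which the connect timer schedules the retry at t=101. When tuning these values, the holdtime is the detection latency for a neighbor that has gone silent and the keepalive interval is the protocol chatter paid for it.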
Related Commands
no   Removes the holdtime value set for this neighbor

28.8.29 unsuppress-map
bgp-neighbor-config commands
Unsuppresses a route map to selectively advertise routes that have been suppressed using the aggregate-address command.
The aggregate-address command creates a route map with an IP/mask address that consolidates subnets under it. This reduces the number of route maps on the BGP device to one consolidated entry. Use unsuppress-map to selectively allow/deny a subnet or a set of subnets from this consolidated entry.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
unsuppress-map <ROUTE-MAP-NAME>
Parameters
unsuppress-map <ROUTE-MAP-NAME>
 <ROUTE-MAP-NAME>  Unsuppresses the specified route map. Specify the route map name.
Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#unsuppress-map test
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 199
 maximum-prefix 9999 80 restart 50
 unsuppress-map test
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#
Related Commands
no   Removes the unsuppress flag applied on the specified route map

28.8.30 update-source
bgp-neighbor-config commands
Allows BGP sessions to use any operational interface to establish the TCP connection with this neighbor.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
update-source <IPv4>
Parameters
update-source <IPv4>
 <IPv4>  Specify the BGP-enabled neighbor's IPv4 address.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#update-source 192.168.13.1
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 100
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 strict-capability-match
 timers connect 20
 timers 20 40
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
 remove-private-as
 route-server-client
 send-community both
 update-source 192.168.13.1
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands
no   Removes the source of routing updates

28.8.31 use
bgp-neighbor-config commands
Configures filters for this neighbor. These filters are BGP IP ACL, IP prefix list, AS path list, and route map. Based on the filters used, updates received from this neighbor are filtered.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]
Parameters
use [distribute-list <BGP-IP-ACL-NAME>|filter-list <AS-PATH-LIST-NAME>|prefix-list <IP-PREFIX-LIST-NAME>|route-map <BGP-ROUTE-MAP-NAME>]
 Uses predefined and configured filters with this neighbor
 distribute-list <BGP-IP-ACL-NAME>     Uses a BGP IP ACL. Specify the BGP IP ACL name.
 filter-list <AS-PATH-LIST-NAME>       Uses an AS path list. Specify the AS path list name.
 prefix-list <IP-PREFIX-LIST-NAME>     Uses an IP prefix list. Specify the IP prefix list name.
 route-map <BGP-ROUTE-MAP-NAME>        Uses a route map. Specify the route map name.
Example
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#use filter-list FilterList_01 in
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#use route-map testBGPRouteMap out
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 199
 use filter-list FilterList_01 in
 maximum-prefix 9999 80 restart 50
 use route-map testBGPRouteMap out
 unsuppress-map test
nx9500-6C8809(config-device B4-C7-99-6C-88-09-router-bgp-neighbor-192.168.13.99)#
Related Commands
no   Removes the filters used to filter updates received from this neighbor

28.8.32 weight
bgp-neighbor-config commands
Configures a weight for all routes learned from this BGP neighbor. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The highest weight is always chosen.
Supported in the following platforms:
 Wireless Controllers RFS4000, RFS6000
 Service Platforms NX9500, NX9510, NX9600
Syntax
weight <0-65535>
Parameters
weight <0-65535>
 <0-65535>  Specifies a relative weight for all routes learned from this neighbor. Specify a value from 0 - 65535.
Example
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#weight 10
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#show context
bgp neighbor 192.168.13.99
 remote-as 100
 advertisement-interval 100
 peer-group eBGPPeerGrp1
 port 21
 strict-capability-match
 timers connect 20
 timers 20 40
 allowas-in 10
 attribute-unchanged as-path
 capability orf prefix-list both
 default-originate
 description neighbor "This neighbor is an external AS neighbor"
 disable-connected-check
 dont-capability-negotiate
 ebgp-multihop 20
 enforce-multihop
 local-as 20 no-prepend
 maximum-prefix 400 50 warning-only
 next-hop-self
 override-capability
 passive
 password neighbor eBGPneighbor@300
 remove-private-as
 route-server-client
 send-community both
 update-source 192.168.13.1
 weight 10
nx9500-6C8809(config-profile testNX9000-router-bgp-neighbor-192.168.13.99)#
Related Commands no Reverts to default value Access Point, Wireless Controller and Service Platform CLI Reference Guide 28 - 91 29 CRYPTO-CMP-POLICY This chapter summarizes the crypto certificate management protocol (CMP) policy commands in the CLI command structure. CMP is an Internet protocol designed to enable devices (access point, wireless controller, or service platform) to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A Certificate Authority (CA) issues the certificates using the defined CMP. WiNG CMP implementation allows you to configure a crypto CMP policy that enables auto installation and auto management of device certificates. When configured and implemented on a device, the crypto CMP policy allows the device to automatically trigger a certification request to a configured, CMP supported CA server. Once the certificate is validated and confirmed from the CA server it is saved on the device and becomes part of the trustpoint. During the creation of the CMP policy the trustpoint is assigned a name and client information. You can use a manually created trustpoint for one service (like HTTPS) and use the CMP generated trustpoint for RADIUS EAP certificate based authentication. Use the (config) instance to configure a crypto CMP policy. To navigate to the crypto CMP policy configuration instance, use the following commands:
<DEVICE>(config)#crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>
ap6522-D8273A(config)#crypto-cmp-policy CMP ap6522-D8273A(config-cmp-policy-CMP)#
ap6522-D8273A(config-cmp-policy-CMP)#?
CMP Policy Mode commands:
ca-server CMP CA Server configuration commands cert-key-size Set key size for certificate request cert-renewal-timeout Trigger a cert renewal request on timeout cross-cert-validate Validate cross-cert using factory-cert no Negate a command or set its defaults subjectAltName Configure subjectAltName value trustpoint Trustpoint for CMP use Set setting to use clrscr Clears the display screen commit Commit all changes made in this session do Run commands from Exec mode end End current mode and change to EXEC mode exit End current mode and down to previous mode help Description of the interactive help system revert Revert changes service Service Commands show Show running system information write Write running configuration to memory or terminal ap6522-D8273A(config-cmp-policy-CMP)#
This chapter is organized as follows:
crypto-cmp-policy-instance
other-cmp-related-commands

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

29.1 crypto-cmp-policy-instance

The following table summarizes crypto CMP policy configuration commands:

Table 29.1 Crypto-CMP-Policy Commands

  Command               Description                                                                    Reference
  ca-server             Configures the CA server details                                               page 29-3
  cert-key-size         Configures the size of the key associated with a certificate request           page 29-5
  cert-renewal-timeout  Configures a certificate renewal timeout in days                               page 29-6
  cross-cert-validate   Enables validation of the cross certificate with the factory certificate       page 29-7
  subjectAltName        Configures an alternate subject name for this CMP policy                       page 29-8
  trustpoint            Configures a trustpoint and its associated information, such as the subject
                        name, the sender's (device requesting certification) details, and the
                        recipient's (CA) details                                                       page 29-9
  use                   Associates a device's autogen-uniqueid with this crypto CMP policy             page 29-11
  no                    Removes the crypto CMP policy settings                                         page 29-12

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

29.1.1 ca-server

Configures the primary and secondary CMP CA server details.

The CA is an external network authority (usually a trusted third-party server) that generates and issues digital certificates in response to requests received from network devices. Use this command to configure the primary and secondary CA server details: the name of the device hosting the CA server, the port used to reach the CA server, and the path where the certificate is stored. Once defined, devices using this CMP policy automatically send requests to the specified primary CA server and retrieve the certificate from the specified location. If the primary CA server is not reachable, the requests are sent to the secondary CA server.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  ca-server [primary|secondary] host <IP> port <1-65535> path <PATH>

Parameters
  ca-server [primary|secondary]
      Configures the primary and secondary CMP CA server details (IPv4 address, port, and path).
      primary    Configures the primary CMP CA server's details.
      secondary  Configures the secondary CMP CA server's details. The secondary CMP CA is used when the primary CA server is not reachable.
      CA server settings are required to complete CMP requests.
  host <IP>
      Configures the IPv4 address of the device hosting the primary/secondary CA server.
      <IP/HOSTNAME>  Specify the server's IPv4 address.
  port <1-65535>
      Configures the port on which the primary/secondary CA server can be reached.
      <1-65535>  Specify the port number from 1 - 65535.
  path <PATH>
      Configures the path or filename of the primary/secondary CMP CA certificate. Enter the complete relative path to the file on the server.
      <PATH>  Specify the path. Once specified, the certificate is downloaded from this location and installed on the device.

Example
  ap6522-D8273A(config-cmp-policy-CMP)#ca-server primary host 192.168.8.74 port 8 path cmp
  ap6522-D8273A(config-cmp-policy-CMP)#show context
  crypto-cmp-policy CMP
   ca-server primary host 192.168.8.74 port 80 path cmp
  ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
  no    Removes the configured primary/secondary CA server details

29.1.2 cert-key-size

Configures the size of the key associated with a certificate request.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  cert-key-size [2048|3072|4096]

Parameters
  cert-key-size [2048|3072|4096]
      Configures the certificate request key size. The options are:
      2048  Sets the key size to 2048 bits. This is the default setting.
      3072  Sets the key size to 3072 bits.
      4096  Sets the key size to 4096 bits.

Example
  nx9500-6C8809(config-cmp-policy-test)#cert-key-size 3072
  nx9500-6C8809(config-cmp-policy-test)#show context
  crypto-cmp-policy test
   cert-key-size 3072
   trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 2 osr2bwjR+0L+G64ny3wfuAAAAAtTFjeFnvOIixTHLDfgt7Bu reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
  nx9500-6C8809(config-cmp-policy-test)#

Related Commands
  no    Reverts the certificate request key size to default (2048 bits)

29.1.3 cert-renewal-timeout

Configures a certificate renewal timeout in days. This is the number of days before the expiration of the device's certificate at which a certificate renewal is triggered. The expiration of the device's certificate is checked once a day. When a certificate is about to expire, a certificate renewal is initiated with the dedicated CMP CA server through an existing IPSec tunnel. If the tunnel is not established, the CMP renewal request is not sent. If a renewal succeeds, the newly obtained certificate overwrites the existing certificate. If the renewal fails, an error is logged.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  cert-renewal-timeout <1-60>

Parameters
  cert-renewal-timeout <1-60>
      Configures the certificate renewal timeout in days. This is the number of days before the expiration of the device's certificate at which a certificate renewal is triggered. Once the configured time is reached, the device triggers a certificate renewal request.
      <1-60>  Specify a value from 1 - 60 days. The default is fourteen (14) days. Therefore, by default a device triggers a certificate renewal request 14 days before its certificate expires.

Example
  ap6522-D8273A(config-cmp-policy-CMP)#cert-renewal-timeout 60
  ap6522-D8273A(config-cmp-policy-CMP)#show context
  crypto-cmp-policy CMP
   cert-renewal-timeout 60
   ca-server primary host 192.168.8.74 port 8 path cmp
  ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
  no    Reverts the certificate renewal timeout to default (14 days)

29.1.4 cross-cert-validate

Enables validation of the cross certificate using the factory certificate. When enabled, the obtained cross-certificate is validated against the operator's certificate configured using the trustpoint > cmp-auth-operator command. An error message is displayed if the cross-certificate is not obtained or if it is found to be invalid. This option is disabled by default.

NOTE: To configure the operator certificate, execute the trustpoint > cmp-auth-operator command in the device configuration mode. For more information, see trustpoint (device-config-mode).

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  cross-cert-validate

Parameters
  None

Example
  nx9500-6C8809(config-cmp-policy-test)#cross-cert-validate
  nx9500-6C8809(config-cmp-policy-test)#show context
  crypto-cmp-policy test
   cert-key-size 3072
   cross-cert-validate
   trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 2 9piulK/GqvD+G64ny3wfuAAAAAuqCi8WJkNJwryMD9IAPk4T reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
  nx9500-6C8809(config-cmp-policy-test)#

Related Commands
  no    Disables validation of the cross certificate with the factory certificate

29.1.5 subjectAltName

Configures the subjectAltName identity for this CMP policy.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]

Parameters
  subjectAltName [address <IP>|dn <DISTINGUISHED-NAME>|email <EMAIL-ID>|fqdn <FQDN>|string <USER-DEFINED-STRING>]
      Configures the subjectAltName identity using one of the following options:
      address <IP>                 Uses an IP address as identity.
          <IP>                     Specify the IP address.
      dn <DISTINGUISHED-NAME>      Uses a distinguished name as identity.
          <DISTINGUISHED-NAME>     Specify the distinguished name.
      email <EMAIL-ID>             Uses an e-mail address as identity.
          <EMAIL-ID>               Specify the e-mail address.
      fqdn <FQDN>                  Uses an FQDN as identity.
          <FQDN>                   Specify the FQDN.
      string <USER-DEFINED-STRING> Uses a user-specified name as identity.
          <USER-DEFINED-STRING>    Specify the string to use as identity.

Example
  ap6522-D8273A(config-cmp-policy-CMP)#subjectAltName dn TechPubsCA
  ap6522-D8273A(config-cmp-policy-CMP)#show context
  crypto-cmp-policy CMP
   cert-update
   cert-renewal-timeout 60
   ca-server primary host 192.168.8.74 port 8 path cmp
   subjectAltName dn TechPubsCA
  ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
  no    Removes the subjectAltName identity configured with this CMP policy

29.1.6 trustpoint

Configures a trustpoint and its associated information, such as the subject name, the sender's (device requesting certification) details, and the recipient's (CA) details. This information is needed to obtain the certificate from the CA server using CMP.

Each certificate is digitally signed by a trustpoint and contains device-specific information, such as the device name, IP address, and serial number, which uniquely identifies the device.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  trustpoint <TRUSTPOINT-NAME> subject-name <WORD> secret [0 <WORD>|2 <WORD>] reference-id <WORD> sender-name <WORD> [recipient-name <WORD>|ca-psk <CERT-PATH>]

Parameters
  trustpoint <TRUSTPOINT-NAME> subject-name <WORD> secret [0 <WORD>|2 <WORD>] reference-id <WORD> sender-name <WORD> [recipient-name <WORD>|ca-psk <CERT-PATH>]

  trustpoint <TRUSTPOINT-NAME>
      Configures a trustpoint name (should not exceed 32 characters).
      <TRUSTPOINT-NAME>  Specify the trustpoint's name.
  subject-name <WORD>
      Configures a subject name for this trustpoint. The subject name should uniquely identify the certificate and should not exceed 512 characters in length.
  secret [0 <WORD>|2 <WORD>]
      Configures the secret used to encrypt the trustpoint. The secret should not exceed 128 characters in length.
      0 <WORD>  Configures a clear text password.
      2 <WORD>  Configures an encrypted password.
  reference-id <WORD>
      Configures the reference ID. The CA server uses this information to identify the shared secret key used.
      <WORD>  Specify the reference ID.
  sender-name <WORD>
      Configures the sender's name. The CA server uses this information to identify the shared secret key used. The sender's name should not exceed 512 characters in length.
      <WORD>  Specify the sender name.
  recipient-name <WORD>
      Configures the recipient's name. The CA server uses this information to validate the request. The recipient's name should not exceed 256 characters in length.
  ca-psk <CERT-PATH>
      Configures the certificate path for the server certificate.
      <CERT-PATH>  Specify the certificate path.

Example
  ap6522-D8273A(config-cmp-policy-CMP)#trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
  ap6522-D8273A(config-cmp-policy-CMP)#
  ap6522-D8273A(config-cmp-policy-CMP)#show context
  crypto-cmp-policy CMP
   cert-update
   cert-renewal-timeout 60
   ca-server primary host 192.168.8.74 port 8 path cmp
   trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
   subjectAltName dn TechPubsCA
  ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
  no    Removes the trustpoint associated with this crypto CMP policy

29.1.7 use

Associates a device's autogen-uniqueid with this crypto CMP policy.

A device's autogen-uniqueid is a combination of a user-defined string (prefix or suffix) and a substitution token. The WiNG software implementation provides two built-in substitution tokens, $SN and $MiNT-ID, that represent the device's serial number and MiNT ID respectively. These substitution tokens are internally retrieved and combined with the user-defined string to auto-generate a unique identity for the device. To auto-generate the device's unique ID, in the device configuration mode execute the following command:
  autogen-uniqueid <WORD>

For more information on the autogen-uniqueid command, see autogen-uniqueid.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use autogen-uniqueid

Parameters
  use autogen-uniqueid
      Associates a device's autogen-uniqueid with this crypto CMP policy. The device's autogen-uniqueid must already exist and be configured.

Example
  ap6522-D8273A(config-cmp-policy-CMP)#use autogen-uniqueid
  ap6522-D8273A(config-cmp-policy-CMP)#show context
  crypto-cmp-policy CMP
   cert-update
   cert-renewal-timeout 60
   use autogen-uniqueid
   ca-server primary host 192.168.8.74 port 8 path cmp
   trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
   subjectAltName dn TechPubsCA
  ap6522-D8273A(config-cmp-policy-CMP)#

Related Commands
  no    Removes the device's autogen-uniqueid associated with this crypto CMP policy

29.1.8 no

Removes or reverts this crypto CMP policy's settings.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  no [ca-server <SERVER-NAME>|cert-key-size|cert-renewal-timeout|cross-cert-validate|subjectAltName|trustpoint <TRUSTPOINT-NAME>|use autogen-uniqueid]

Parameters
  no <PARAMETERS>
      Removes or reverts this crypto CMP policy's settings.

Example
  ap6522-D8273A(config-cmp-policy-CMP)#show context
   cert-update
   cert-renewal-timeout 60
   use autogen-uniqueid
   ca-server primary host 192.168.8.74 port 8 path cmp
   trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
   subjectAltName dn TechPubsCA
  ap6522-D8273A(config-cmp-policy-CMP)#
  ap6522-D8273A(config-cmp-policy-CMP)#no cert-renewal-timeout
  ap6522-D8273A(config-cmp-policy-CMP)#no subjectAltName
  ap6522-D8273A(config-cmp-policy-CMP)#show context
   cert-update
   use autogen-uniqueid
   ca-server primary host 192.168.8.74 port 8 path cmp
   trustpoint cmp-test subject-name "CN=ExampleCompany, O=Example Company" secret 0 test-secret reference-id 123456 sender-name "CN=ExampleCompany.com, O=Example Company" recipient-name "O=Example Company, CN=ExampleCompany.com"
  ap6522-D8273A(config-cmp-policy-CMP)#
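The commands in this section carry a number of constraints that the CLI only reports one at a time (option lists, value ranges, name-length limits, the no-underscore hostname rule, and the requirement that a CA server be configured before CMP requests can complete). The following script, an added example that is not Extreme or WiNG code, builds a crypto-cmp-policy from those fields, checks every documented constraint at once, expands the $SN and $MiNT-ID tokens of autogen-uniqueid, and renders the policy in the layout `show context` prints. The class names, function names and sample values are this example's own; the two hardening warnings (a clear-text `secret 0` and `cross-cert-validate` left at its disabled default) are judgement calls, not rules from the guide.

```python
"""Build and sanity-check a WiNG crypto-cmp-policy before it is pasted into the CLI.

Added example, not Extreme/WiNG code. Limits, option lists and the $SN / $MiNT-ID
tokens are the ones the chapter documents; class and function names are our own.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAN_KINDS = ("address", "dn", "email", "fqdn", "string")


def autogen_uniqueid(template: str, serial: str, mint_id: str) -> str:
    """Expand the two built-in substitution tokens of `autogen-uniqueid <WORD>`."""
    return template.replace("$SN", serial).replace("$MiNT-ID", mint_id)


@dataclass
class CaServer:
    role: str      # "primary" or "secondary"
    host: str      # IPv4 address or hostname (a hostname may not contain '_')
    port: int      # 1-65535
    path: str      # relative path of the CA certificate on the server


@dataclass
class Trustpoint:
    name: str                              # at most 32 characters
    subject_name: str                      # at most 512 characters
    secret_type: int                       # 0 = clear text, 2 = encrypted
    secret: str                            # at most 128 characters
    reference_id: str
    sender_name: str                       # at most 512 characters
    recipient_name: Optional[str] = None   # at most 256 characters
    ca_psk: Optional[str] = None           # alternative to recipient-name


@dataclass
class CmpPolicy:
    name: str
    ca_servers: List[CaServer] = field(default_factory=list)
    cert_key_size: int = 2048          # default per the guide
    cert_renewal_timeout: int = 14     # days, default per the guide
    cross_cert_validate: bool = False  # disabled by default per the guide
    subject_alt_name: Optional[Tuple[str, str]] = None   # (kind, value)
    trustpoint: Optional[Trustpoint] = None
    use_autogen_uniqueid: bool = False


def validate(p: CmpPolicy) -> List[str]:
    """Return every documented constraint the policy violates (empty list = ok)."""
    errs: List[str] = []
    if p.cert_key_size not in (2048, 3072, 4096):
        errs.append("cert-key-size must be 2048, 3072 or 4096")
    if not 1 <= p.cert_renewal_timeout <= 60:
        errs.append("cert-renewal-timeout must be 1-60 days")
    if not p.ca_servers:
        errs.append("ca-server: CA server settings are required to complete CMP requests")
    for s in p.ca_servers:
        if s.role not in ("primary", "secondary"):
            errs.append(f"ca-server: unknown role {s.role!r}")
        if not 1 <= s.port <= 65535:
            errs.append(f"ca-server {s.role}: port must be 1-65535")
        if "_" in s.host:
            errs.append(f"ca-server {s.role}: a hostname cannot contain an underscore")
    if p.subject_alt_name and p.subject_alt_name[0] not in SAN_KINDS:
        errs.append("subjectAltName must be one of " + "|".join(SAN_KINDS))
    tp = p.trustpoint
    if tp is not None:
        for label, value, limit in (("trustpoint name", tp.name, 32),
                                    ("subject-name", tp.subject_name, 512),
                                    ("secret", tp.secret, 128),
                                    ("sender-name", tp.sender_name, 512),
                                    ("recipient-name", tp.recipient_name or "", 256)):
            if len(value) > limit:
                errs.append(f"{label} exceeds {limit} characters")
        if tp.secret_type not in (0, 2):
            errs.append("secret type must be 0 (clear text) or 2 (encrypted)")
        if (tp.recipient_name is None) == (tp.ca_psk is None):
            errs.append("trustpoint needs exactly one of recipient-name or ca-psk")
    return errs


def hardening_warnings(p: CmpPolicy) -> List[str]:
    """Settings the guide permits but that a reviewer would flag (our judgement)."""
    w: List[str] = []
    if p.trustpoint and p.trustpoint.secret_type == 0:
        w.append("trustpoint secret is stored as clear text (secret 0); prefer secret 2")
    if not p.cross_cert_validate:
        w.append("cross-cert-validate is disabled; the obtained cross-certificate is not validated")
    return w


def render(p: CmpPolicy) -> str:
    """Emit the policy in the layout `show context` uses in this chapter."""
    out = [f"crypto-cmp-policy {p.name}"]
    if p.cert_key_size != 2048:
        out.append(f" cert-key-size {p.cert_key_size}")
    if p.cert_renewal_timeout != 14:
        out.append(f" cert-renewal-timeout {p.cert_renewal_timeout}")
    if p.cross_cert_validate:
        out.append(" cross-cert-validate")
    if p.use_autogen_uniqueid:
        out.append(" use autogen-uniqueid")
    for s in p.ca_servers:
        out.append(f" ca-server {s.role} host {s.host} port {s.port} path {s.path}")
    tp = p.trustpoint
    if tp is not None:
        line = (f' trustpoint {tp.name} subject-name "{tp.subject_name}" secret {tp.secret_type} '
                f'{tp.secret} reference-id {tp.reference_id} sender-name "{tp.sender_name}"')
        line += f' recipient-name "{tp.recipient_name}"' if tp.recipient_name else f" ca-psk {tp.ca_psk}"
        out.append(line)
    if p.subject_alt_name:
        out.append(f" subjectAltName {p.subject_alt_name[0]} {p.subject_alt_name[1]}")
    return "\n".join(out)
```

Feed `validate()` the policy you intend to commit and only paste `render()`'s output once the error list is empty; `hardening_warnings()` is informational and mirrors the `secret 2` form the chapter's own nx9500 examples use.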
29.2 other-cmp-related-commands

The following table summarizes other commands associated with the implementation of the crypto CMP policy:

Table 29.2 Other-CMP-Related Commands

  Command   Description                                                                                Reference
  use       Associates a crypto CMP policy with a device                                               page 29-14
  show      Displays the current status of CMP requests in progress. This command also displays
            trustpoint details (CMP and non-CMP trustpoints).                                          page 29-15

29.2.1 use

Applies a crypto CMP policy to a device. Once CMP is enabled, the device automatically requests a certificate from the CA server and installs it.

After applying the CMP policy, commit and write the change to memory. This is needed for the configuration to persist across reboots.

To apply a CMP policy on a device, navigate to the device's config-device mode and execute the use > crypto-cmp-policy > <CRYPTO-CMP-POLICY-NAME> command.

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  use crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>

Parameters
  use crypto-cmp-policy <CRYPTO-CMP-POLICY-NAME>
      Applies an existing crypto CMP policy on this device. When associated with a profile, the crypto CMP policy is applied to all devices using the profile.
      <CRYPTO-CMP-POLICY-NAME>  Specify the crypto CMP policy name. The policy must already exist and be configured.

Example
  ap6522-D8273A(config-device-00-11-3F-D8-27-3A)#use crypto-cmp-policy CMP
  ap6522-D8273A(config-device-00-11-3F-D8-27-3A)#commit

29.2.2 show

Displays the current status of CMP requests in progress. This command also displays trustpoint details (CMP and non-CMP trustpoints).

Supported in the following platforms:
  Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP81XX, AP7602, AP7612, AP7622, AP7632, AP7662, AP82XX, AP8432, AP8533, WiMod
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  show crypto [cmp|pki]
  show crypto cmp request status {on <DEVICE-NAME>}
  show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {on <DEVICE-NAME>}

Parameters
  show crypto cmp request status {on <DEVICE-NAME>}
      Displays the current status of all on-going CMP requests.
      on <DEVICE-NAME>  Optional. Specify the name of the AP, wireless controller, or service platform to view CMP request status on that device.

  show crypto pki trustpoints {<TRUSTPOINT-NAME>|all} {on <DEVICE-NAME>}
      Displays all trustpoints, including CMP-generated trustpoints.
      <TRUSTPOINT-NAME>  Optional. Specify a trustpoint name to display details of that trustpoint only.
      all                Optional. Displays details of all configured trustpoints.
      on <DEVICE-NAME>   Optional. Specify the name of the AP, wireless controller, or service platform to view the trustpoints configured on that device.

Example
  ap6522-D8273A#show crypto pki trustpoints
  ---------------------------------------------------------------------------------------
  TRUSTPOINT           KEY NAME           VALID UNTIL
  ---------------------------------------------------------------------------------------
  cmp-test             cmp-test-key       Fri May  9 09:44:22 2014 GMT
  default-trustpoint   default_rsa_key    Fri Dec 30 00:00:40 2022 GMT
  ---------------------------------------------------------------------------------------
  ap6522-D8273A#

  ap6522-D8273A(config)#show crypto cmp request status
  CMP Request Status: cmp-complete
  ap6522-D8273A#
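The renewal behaviour described under cert-renewal-timeout (expiry checked once a day; a CMP renewal is triggered when fewer than the configured number of days remain) and the `show crypto pki trustpoints` table above combine into a useful fleet check: parse the table and report which trustpoints are already expired or inside the renewal window, so a renewal that never fired (for example because the IPSec tunnel was down) is caught before the certificate lapses. The script below is an added example, not Extreme or WiNG code; the sample output is a constructed copy of the chapter's example, and the function names are this example's own.

```python
"""Parse `show crypto pki trustpoints` output and flag trustpoints in the renewal window.

Added example, not Extreme/WiNG code. The table layout and the two sample rows are
copied from the chapter's example output; the renewal rule follows cert-renewal-timeout
(1-60 days, default 14).
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, NamedTuple


class TrustpointRow(NamedTuple):
    name: str
    key_name: str
    valid_until: datetime   # timezone-aware, UTC


# Constructed copy of the chapter's example output.
SAMPLE_OUTPUT = """\
ap6522-D8273A#show crypto pki trustpoints
---------------------------------------------------------------------------------------
TRUSTPOINT           KEY NAME           VALID UNTIL
---------------------------------------------------------------------------------------
cmp-test             cmp-test-key       Fri May  9 09:44:22 2014 GMT
default-trustpoint   default_rsa_key    Fri Dec 30 00:00:40 2022 GMT
---------------------------------------------------------------------------------------
ap6522-D8273A#
"""


def utc(date_text: str) -> datetime:
    """Helper for callers: 'YYYY-MM-DD' (or a full ISO timestamp) as an aware UTC datetime."""
    return datetime.fromisoformat(date_text).replace(tzinfo=timezone.utc)


def parse_trustpoints(output: str) -> List[TrustpointRow]:
    """Extract the data rows; the date column is 'Www Mon D HH:MM:SS YYYY GMT'."""
    rows: List[TrustpointRow] = []
    for line in output.splitlines():
        parts = line.split()
        # A data row is exactly: name, key name, weekday, month, day, time, year, "GMT".
        # Rules, the header, and prompt lines never have that shape.
        if len(parts) != 8 or line.startswith("-") or parts[7] != "GMT":
            continue
        when = datetime.strptime(" ".join(parts[3:7]), "%b %d %H:%M:%S %Y")
        rows.append(TrustpointRow(parts[0], parts[1], when.replace(tzinfo=timezone.utc)))
    return rows


def renewal_status(rows: List[TrustpointRow], now: datetime,
                   cert_renewal_timeout: int = 14) -> Dict[str, str]:
    """Classify each trustpoint as 'expired', 'renewal-due' (inside the window) or 'ok'."""
    if not 1 <= cert_renewal_timeout <= 60:
        raise ValueError("cert-renewal-timeout must be 1-60 days")
    window = timedelta(days=cert_renewal_timeout)
    status: Dict[str, str] = {}
    for r in rows:
        if r.valid_until <= now:
            status[r.name] = "expired"
        elif r.valid_until - now <= window:
            # The device's daily check would have started a CMP renewal by now.
            status[r.name] = "renewal-due"
        else:
            status[r.name] = "ok"
    return status


def report(output: str, now: datetime, cert_renewal_timeout: int = 14) -> List[str]:
    """One line per trustpoint, suitable for a cron job that mails anything not 'ok'."""
    rows = parse_trustpoints(output)
    status = renewal_status(rows, now, cert_renewal_timeout)
    return [f"{r.name:<20} {r.key_name:<16} {r.valid_until:%Y-%m-%d} {status[r.name]}"
            for r in rows]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT, utc("2022-12-20"), cert_renewal_timeout=14):
        print(line)
```

Run against the chapter's sample as of 2022-12-20 with the default 14-day timeout, the CMP trustpoint shows as expired (it lapsed in 2014) and default-trustpoint as renewal-due, which is exactly the state in which a `show crypto cmp request status` that is not `cmp-complete` warrants attention.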
30 ROAMING ASSIST POLICY

This chapter summarizes the Roaming Assist policy commands in the CLI command structure.

By continuously monitoring a client's packets and its received signal strength indicator (RSSI) across a group of access points, the optimal access point for the client to roam to can be determined, and the client can then be forced to that access point. The threshold intervals are configurable and can be adjusted based on the client load.

Use the (config) instance to configure a Roaming Assist policy. To navigate to the Roaming Assist policy configuration instance, use the following commands:
<DEVICE>(config)#roaming-assist-policy <ROAMING-ASSIST-POLICY-NAME>

nx9500-6C8809(config)#roaming-assist-policy test
nx9500-6C8809(config-roaming-assist-policy-test)#?
Roaming Assist Mode commands:
  action               Configure action - action is deauth / log / assisted-roam
  aggressiveness       Configure the roaming aggressiveness for a wireless client
  detection-threshold  Configure the detection threshold - when exceeded, client monitoring starts
  disassoc-time        Configure the disassociation time - time after which a disassociation is sent
  handoff-count        Configure the handoff count - number of times client can exceed handoff threshold
  handoff-threshold    Configure the handoff threshold - when exceeded an action is taken
  monitoring-interval  Configure the monitoring interval - interval at which client monitoring occurs
  no                   Negate a command or set its defaults
  sampling-interval    Configure the sampling interval - interval at which client rssi values are checked

  clrscr               Clears the display screen
  commit               Commit all changes made in this session
  end                  End current mode and change to EXEC mode
  exit                 End current mode and down to previous mode
  help                 Description of the interactive help system
  revert               Revert changes
  service              Service Commands
  show                 Show running system information
  write                Write running configuration to memory or terminal

nx9500-6C8809(config-roaming-assist-policy-test)#

NOTE: The input parameter <HOSTNAME>, wherever used in syntaxes across this chapter, cannot include an underscore (_) character. In other words, the name of a device cannot contain an underscore.

30.1 roaming-assist-policy-instance

The following table summarizes roaming assist policy configuration mode commands:
Table 30.1 Roaming-Assist-Policy Commands

  Command              Description                                                                   Reference
  action               Specifies the action to be invoked on the client                              page 30-3
  aggressiveness       Configures a roaming aggressiveness value for wireless clients                page 30-4
  detection-threshold  Configures the detection-threshold value                                      page 30-5
  disassoc-time        Configures the disassociation interval                                        page 30-6
  handoff-count        Configures the handoff-count value                                            page 30-7
  handoff-threshold    Configures the handoff-threshold value                                        page 30-8
  monitoring-interval  Configures the client monitoring interval                                     page 30-9
  sampling-interval    Configures the interval at which clients are sampled to determine their
                       RSSI value                                                                    page 30-10
  no                   Removes or reverts this roaming assist policy's settings based on the
                       parameters passed                                                             page 30-11

NOTE: For more information on common commands (clrscr, commit, help, revert, service, show, write, and exit), see COMMON COMMANDS.

30.1.1 action

Specifies the action invoked on the client once it reaches a specified threshold value. The threshold values are configured based on the client load.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  action [assisted-roam|deauth|log]

Parameters
  action [assisted-roam|deauth|log]
      Configures the action invoked on the client once it reaches the specified threshold value. The options are:
      assisted-roam  Provides the 802.11v assisted roaming facility to the client.
      deauth         De-authenticates the client. This is the default setting.
      log            Generates a log entry.
      In all three cases an event is generated; the message generated differs based on the action specified.

Example
  rfs6000-81742D(config-roaming-assist-policy-test)#action log
  rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
  no    Removes the configured action details

30.1.2 aggressiveness

Configures a roaming aggressiveness value for wireless clients. Configuring this value increases a client's roaming capabilities in scenarios where the client's location is likely to change drastically and suddenly, for example when a client boards a train that speeds up quickly. In such a scenario the access point receives at most two messages from the client with a relatively low RSSI value, so the decaying average stays above the configured handoff-threshold and the client is unable to roam.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  aggressiveness [highest|lowest|medium|medium-high|medium-low]

Parameters
  aggressiveness [highest|lowest|medium|medium-high|medium-low]
      Configures a roaming aggressiveness value for wireless clients. The options are:
      highest      De-authenticates the client on any degradation in the client's link quality. When selected, the access point considers only the RSSI value of the last message received from the client.
      lowest       De-authenticates the client only on significant degradation in the client's link quality. When selected, the access point uses a weighted average [80% of decaying average + 20% of last seen RSSI] as the final reported RSSI value. This is the default setting.
      medium       An intermediate setting between not roaming and performance.
      medium-high  Allows roaming even if performance goes down. When selected, the access point calculates the client's signal strength from both the average received signal level and the last received signal level, weighted towards the last received value.
      medium-low   Allows roaming even if performance is only average. When selected, the access point calculates the client's signal strength from both the average received signal level and the last received signal level, weighted towards the average value.

Example
  nx9500-6C8809(config-roaming-assist-policy-test)#aggressiveness medium
  nx9500-6C8809(config-roaming-assist-policy-test)#show context
  roaming-assist-policy test
   aggressiveness medium
  nx9500-6C8809(config-roaming-assist-policy-test)#

Related Commands
  no    Reverts the aggressiveness value to default (lowest)

30.1.3 detection-threshold

Specifies the detection threshold that determines when a client is monitored.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  detection-threshold <-100--40>

Parameters
  detection-threshold <-100--40>
      Configures the detection threshold value that determines when a client is monitored. Clients with bad RSSI values are monitored more frequently.
      <-100--40>  Specify the RSSI value from -100 dBm to -40 dBm. The default is -75 dBm.

Example
  rfs6000-81742D(config-roaming-assist-policy-test)#detection-threshold -90
  rfs6000-81742D(config-roaming-assist-policy-test)#

Related Commands
  no    Removes the configured detection threshold details

30.1.4 disassoc-time

Configures the disassociation time. This is the time period after which a disassociation message is sent.

Supported in the following platforms:
  Access Points: AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
  Wireless Controllers: RFS4000, RFS6000
  Service Platforms: NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000

Syntax
  disassoc-time <1-10>

Parameters
  disassoc-time <1-10>
      Configures the disassociation time in seconds.
      <1-10>  Specify a value from 1 - 10 seconds. The default is 5 seconds.

Example
  nx9500-6C8809(config-roaming-assist-policy-test)#disassoc-time 7
  nx9500-6C8809(config-roaming-assist-policy-test)#show context
  roaming-assist-policy test
   disassoc-time 7
  nx9500-6C8809(config-roaming-assist-policy-test)#

Related Commands
  no    Removes the configured disassociation time

30.1.5 handoff-count

Specifies the number of times a client can exceed the specified handoff-threshold value before an action is invoked.

Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
handoff-count <1-10>
Parameters
handoff-count <1-10>
handoff-count <1-10>: Specifies the number of times a client can exceed the specified handoff-threshold value (that is, be sampled with an RSSI worse than the threshold) before an action is invoked.
<1-10>: Specify a value from 1 to 10. The default is 3. If the client's RSSI increases beyond the set handoff-threshold, it is removed from the queue for monitoring and action invocation.
Example
rfs6000-81742D(config-roaming-assist-policy-test)#handoff-count 1
rfs6000-81742D(config-roaming-assist-policy-test)#
Related Commands
no: Removes the configured handoff-count

30.1.6 handoff-threshold
roaming-assist-policy-instance
Configures the handoff threshold, the RSSI value used to determine a client's status for the handoff action. Once exceeded (the client's RSSI is worse than the threshold), an action is invoked.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
handoff-threshold <-100--40>
Parameters
handoff-threshold <-100--40>
handoff-threshold <-100--40>: Configures the handoff threshold, the RSSI value used to determine a client's status for the handoff action. Once exceeded, an action is invoked.
<-100--40>: Specify the RSSI value from -100 dBm to -40 dBm. The default is -80 dBm. If the client's RSSI increases beyond the set handoff-threshold, it is removed from the queue for monitoring and action invocation.
Example
rfs6000-81742D(config-roaming-assist-policy-test)#handoff-threshold -78
rfs6000-81742D(config-roaming-assist-policy-test)#
Related Commands
no: Removes the configured handoff-threshold

30.1.7 monitoring-interval
roaming-assist-policy-instance
Configures the interval, in seconds, at which monitored clients are checked to determine whether their RSSI value is below the specified handoff-threshold value.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
monitoring-interval <1-60>
Parameters
monitoring-interval <1-60>
monitoring-interval <1-60>: Specifies the interval, in seconds, at which monitored clients are checked to determine whether their RSSI is below the specified handoff-threshold
<1-60>: Specify the duration from 1 to 60 seconds. The default is 5 seconds.
Example
rfs6000-81742D(config-roaming-assist-policy-test)#monitoring-interval 10
rfs6000-81742D(config-roaming-assist-policy-test)#
Related Commands
no: Removes the configured monitoring interval

30.1.8 sampling-interval
roaming-assist-policy-instance
Configures the interval, in seconds, at which clients are sampled to determine their RSSI value.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
sampling-interval <5-60>
Parameters
sampling-interval <5-60>
sampling-interval <5-60>: Configures the interval, in seconds, between two successive client samplings
<5-60>: Specify a value from 5 to 60 seconds. The default value is 15 seconds. The higher the RSSI value, the stronger the signal.
Example
rfs6000-81742D(config-roaming-assist-policy-test)#sampling-interval 20
rfs6000-81742D(config-roaming-assist-policy-test)#
Related Commands
no: Removes the configured sampling interval

30.1.9 no
roaming-assist-policy-instance
Removes or reverts this roaming assist policy's settings, based on the parameters passed.
Supported in the following platforms:
Access Points AP6521, AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81XX, AP82XX, AP8432, AP8533
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX7500, NX7510, NX7520, NX7530, NX9500, NX9510, NX9600, VX9000
Syntax
no [action|aggressiveness|detection-threshold|disassoc-time|handoff-count|handoff-threshold|monitoring-interval|sampling-interval]
Parameters
no <PARAMETERS>
no <PARAMETERS>: Removes or reverts this roaming assist policy's settings to their defaults, based on the parameters passed
Example
rfs6000-81742D(config-roaming-assist-policy-test)#no action
rfs6000-81742D(config-roaming-assist-policy-test)#no detection-threshold
rfs6000-81742D(config-roaming-assist-policy-test)#no handoff-threshold
rfs6000-81742D(config-roaming-assist-policy-test)#show context
roaming-assist-policy test
 sampling-interval 20
 monitoring-interval 10
rfs6000-81742D(config-roaming-assist-policy-test)#
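The six knobs in this section (detection-threshold, handoff-threshold, handoff-count, monitoring-interval, sampling-interval and disassoc-time) only make sense together, and a careless combination disconnects clients that would otherwise have stayed associated. The following Python model is an added example written for this page; it is not WiNG firmware code. It walks a single client through the policy on a constructed RSSI trace so the effect of each value can be seen. The ordering it assumes (sample at sampling-interval while unmonitored, at monitoring-interval once the RSSI is below detection-threshold, fire the action on the handoff-count-th consecutive sample below handoff-threshold, send the disassociation disassoc-time seconds later) is not spelled out on this page and is an assumption; the firmware's exact scheduling may differ.

```python
from dataclasses import dataclass


@dataclass
class RoamingAssistPolicy:
    """The roaming-assist-policy knobs from the CLI section, with the documented defaults."""
    detection_threshold: int = -75   # dBm: below this the client enters the monitoring queue
    handoff_threshold: int = -80     # dBm: below this a monitored client accrues a strike
    handoff_count: int = 3           # strikes before the handoff action is invoked
    monitoring_interval: int = 5     # seconds between checks of a monitored client
    sampling_interval: int = 15      # seconds between RSSI samples of an unmonitored client
    disassoc_time: int = 5           # seconds after the action before disassociation is sent

    def __post_init__(self) -> None:
        # Enforce the CLI's own value ranges so a mistyped value fails loudly.
        checks = {
            "detection_threshold": (self.detection_threshold, -100, -40),
            "handoff_threshold": (self.handoff_threshold, -100, -40),
            "handoff_count": (self.handoff_count, 1, 10),
            "monitoring_interval": (self.monitoring_interval, 1, 60),
            "sampling_interval": (self.sampling_interval, 5, 60),
            "disassoc_time": (self.disassoc_time, 1, 10),
        }
        for name, (value, lo, hi) in checks.items():
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside the CLI range {lo}..{hi}")


def rssi_at(trace, t):
    """Step-function lookup: trace is a list of (start_second, rssi_dbm) pairs."""
    level = trace[0][1]
    for start, rssi in trace:
        if start <= t:
            level = rssi
    return level


def simulate(policy, trace, horizon):
    """Walk one client through the policy second by second; return (event, second) pairs.

    Assumption (not stated on the page): unmonitored clients are sampled every
    sampling_interval seconds, monitored ones every monitoring_interval seconds,
    the action fires on the handoff_count-th consecutive sample below
    handoff_threshold, and the disassociation follows disassoc_time seconds later.
    """
    events = []
    monitored = False
    strikes = 0
    next_check = 0
    for t in range(horizon + 1):
        if t != next_check:
            continue
        rssi = rssi_at(trace, t)
        if not monitored:
            if rssi < policy.detection_threshold:
                monitored, strikes = True, 0
                events.append(("monitor", t))
                next_check = t + policy.monitoring_interval
            else:
                next_check = t + policy.sampling_interval
            continue
        if rssi > policy.handoff_threshold:
            # Page: a client whose RSSI rises above handoff-threshold leaves the queue.
            monitored = False
            events.append(("recovered", t))
            next_check = t + policy.sampling_interval
            continue
        strikes += 1
        if strikes >= policy.handoff_count:
            events.append(("action", t))
            events.append(("disassoc", t + policy.disassoc_time))
            break
        next_check = t + policy.monitoring_interval
    return events


# Constructed RSSI traces (seconds, dBm); not captured from a real client.
FADING_CLIENT = [(0, -60), (20, -78), (30, -85)]
RECOVERING_CLIENT = [(0, -60), (20, -85), (40, -70)]

if __name__ == "__main__":
    policy = RoamingAssistPolicy()
    print("fading:    ", simulate(policy, FADING_CLIENT, 60))
    print("recovering:", simulate(policy, RECOVERING_CLIENT, 60))
    print("count=1:   ", simulate(RoamingAssistPolicy(handoff_count=1), FADING_CLIENT, 60))
```

With the defaults, the fading client is first sampled below -75 dBm at second 30, accrues three strikes at 35, 40 and 45, and is disassociated at 50; the recovering client leaves the queue at second 40 and is never acted on. The page's own example of handoff-count 1 fires the action on the very first monitored sample below -80 dBm, which is why that value should be chosen deliberately.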
A CONTROLLER MANAGED WLAN USE CASE
This section describes the activities required to configure a WLAN. Instructions are provided using the wireless controller CLI.
Creating a First Controller Managed WLAN
- Assumptions
- Design
- Using the Command Line Interface to Configure the WLAN

A.1 Creating a First Controller Managed WLAN
This section describes the process of creating a managed WLAN on an RFS4000 wireless controller. Upon completion, you will have created a WLAN on an RFS4000 model wireless controller that uses a DHCP server to allocate IP addresses to associated wireless clients.

A.1.1 Assumptions
Verify the following conditions have been satisfied before attempting the WLAN configuration activities described in this section:
- The RFS4000 wireless controller has the latest firmware version available.
- The AP7161 access point also has the latest firmware version available.
- There are no previous configurations on the wireless controller or access point, and default factory configurations are running on the devices.
- You have administrative access to the wireless controller and access point CLI.
- The individual administering the network is a professional network installer.

A.1.2 Design
This section defines the network design being implemented.
Figure A-1 Network Design
This is a simple deployment scenario, with the access points connected directly to the wireless controller. One wireless controller port is connected to an external network. On the RFS4000 wireless controller, the GE1 interface is connected to an external network. Interfaces GE3 and GE4 are used by the access points. On the external network, the wireless controller is assigned the IP address 192.168.10.188. The wireless controller acts as a DHCP server for the wireless clients connecting to it, and assigns IP addresses in the range 172.16.11.11 to 172.16.11.200. The remaining addresses in the subnet are reserved for devices requiring static IP addresses.

A.1.3 Using the Command Line Interface to Configure the WLAN
These instructions are for configuring your first WLAN using the wireless controller CLI. Use a serial console cable when connecting to the wireless controller for the first time. Set the following configuration when using the serial connection:
Bits per second: 19200
Data Bits: 8
Parity: None
Stop Bits: 1
Flow Control: None
The steps involved in creating a WLAN on a wireless controller are:
1 Logging Into the Controller for the First Time
2 Creating a RF Domain
3 Creating a Wireless Controller Profile
4 Creating an AP Profile
5 Creating a DHCP Server Policy
6 Completing and Testing the Configuration

A.1.3.1 Logging Into the Controller for the First Time
When powering on the wireless controller for the first time, you are prompted to replace the existing administrative password. The credentials for logging into the wireless controller for the first time are:
User Name: admin
Password: admin123
Ensure the new password is strong enough to provide adequate security for the wireless controller managed network; the default credentials are published and must not remain in use.

A.1.3.2 Creating a RF Domain
A RF Domain is a collection of configuration settings specific to devices located at the same physical deployment, such as a building or a floor. Create a RF Domain and assign the country code where the devices are deployed. This is a mandatory step, and the devices will not function as intended if this step is omitted. The instructions in this section must be performed from the Global Configuration mode of the wireless controller. To navigate to this mode:
rfs4000>enable
rfs4000#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs4000(config)#
1 Create the RF Domain using the following commands:
rfs4000(config)#rf-domain RFDOMAIN_UseCase1
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#
This command creates an RF Domain with the name RFDOMAIN_UseCase1 and enters its context.
2 Set the country code for the RF Domain.
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#country-code us
This sets the country code for this RF Domain. Save this change and exit the RF Domain context.
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#commit write
rfs4000(config-rf-domain-RFDOMAIN_UseCase1)#exit
rfs4000(config)#
3 To define the wireless controller's physical location, apply the same RF Domain to the controller itself.
rfs4000(config)#self
rfs4000(config-device-03-14-28-57-14-28)#
rfs4000(config-device-03-14-28-57-14-28)#use rf-domain RFDOMAIN_UseCase1
4 Commit the changes and save the configuration. Exit this context.
rfs4000(config-device-03-14-28-57-14-28)#commit write
rfs4000(config-device-03-14-28-57-14-28)#exit
rfs4000(config)#
A.1.3.3 Creating a Wireless Controller Profile
1 The first step in creating a WLAN is to configure a profile defining the parameters applied to a wireless controller. To create a profile:
rfs4000(config)#profile rfs4000 RFS4000_UseCase1
rfs4000(config-profile-RFS4000_UseCase1)#
This creates a profile with the name RFS4000_UseCase1 and moves the cursor into its context. Any configuration made under this profile takes effect when the profile is applied to a device.
Configure a VLAN
2 Create the VLAN to use with the WLAN configuration. This can be done using the following commands:
rfs4000(config-profile-RFS4000_UseCase1)#interface vlan 2
rfs4000(config-profile-RFS4000_UseCase1-if-vlan2)#ip address 172.16.11.1/24
The above command assigns the IP address 172.16.11.1 with the mask 255.255.255.0 to VLAN 2. Exit the VLAN 2 context.
rfs4000(config-profile-RFS4000_UseCase1-if-vlan2)#exit
rfs4000(config-profile-RFS4000_UseCase1)#
3 The next step is to assign this newly created VLAN to a physical interface. In this case, VLAN 2 is mapped to GE3 and GE4 to support two access points, an AP6521 and an AP7161. The AP6521 is connected to the gigabit interface GE3 and the AP7161 to the GE4 interface.
rfs4000(config-profile-RFS4000_UseCase1)#interface ge 3
rfs4000(config-profile-RFS4000_UseCase1-if-ge3)#
4 Map VLAN 2 to this interface as its access VLAN. The IP address stays on the VLAN 2 interface and becomes reachable through this physical port.
rfs4000(config-profile-RFS4000_UseCase1-if-ge3)#switchport access vlan 2
rfs4000(config-profile-RFS4000_UseCase1-if-ge3)#exit
rfs4000(config-profile-RFS4000_UseCase1)#
5 Similarly, map VLAN 2 to the GE4 interface.
rfs4000(config-profile-RFS4000_UseCase1)#interface ge 4
rfs4000(config-profile-RFS4000_UseCase1-if-ge4)#switchport access vlan 2
rfs4000(config-profile-RFS4000_UseCase1-if-ge4)#exit
rfs4000(config-profile-RFS4000_UseCase1)#
6 Exit the profile and save it.
rfs4000(config-profile-RFS4000_UseCase1)#exit
rfs4000(config)#commit write
Configure the Wireless Controller to use the Profile
7 Before the wireless controller can be further configured, the profile must be applied to the wireless controller.
rfs4000(config)#self
rfs4000(config-device-03-14-28-57-14-28)#
rfs4000(config-device-03-14-28-57-14-28)#use profile RFS4000_UseCase1
rfs4000(config-device-03-14-28-57-14-28)#exit
rfs4000(config)#commit write
Create a WLAN
8 Use the following commands to create a WLAN:
rfs4000(config)#wlan 1
rfs4000(config-wlan-1)#
9 Configure the SSID for the WLAN. This is the value that identifies and helps differentiate this WLAN.
rfs4000(config-wlan-1)#ssid WLAN_USECASE_01
10 Enable the SSID to be broadcast so wireless clients can find it and associate.
rfs4000(config-wlan-1)#broadcast-ssid
11 Associate VLAN 2 to the WLAN and exit.
rfs4000(config-wlan-1)#vlan 2
rfs4000(config-wlan-1)#exit
12 Commit the changes. Once these changes have been made, they have to be committed before proceeding.
rfs4000(config)#commit write
Steps 8 to 11 set only the SSID, the SSID broadcast and the VLAN. No authentication or encryption is configured on WLAN 1 in this use case, so clients associate to an open network; configure those before this WLAN is used outside a lab.

A.1.3.4 Creating an AP Profile
An AP profile provides a method of applying common settings to access points of the same model. The profile significantly reduces the time required to configure access points within a large deployment. For more information, see:
Creating an AP6521 Profile
Creating an AP7161 Profile

A.1.3.4.1 Creating an AP6521 Profile
An AP6521's firmware is updated directly by its associated wireless controller. The process is automatic, and no intervention is required. To create a profile for use with an AP6521:
rfs4000(config)#profile ap6521 AP6521_UseCase1
rfs4000(config-profile-AP6521_UseCase1)#
1 Assign the access point to be a member of the same VLAN defined in Creating a Wireless Controller Profile on page A-4. In that section, the VLAN was defined as VLAN 2. Configure the access point to be a member of VLAN 2.
rfs4000(config-profile-AP6521_UseCase1)#interface vlan 2
rfs4000(config-profile-AP6521_UseCase1-if-vlan2)#
2 Configure this VLAN to use DHCP, so the access point obtains its own address from the controller's DHCP server. Once completed, exit this context.
rfs4000(config-profile-AP6521_UseCase1-if-vlan2)#ip address dhcp
rfs4000(config-profile-AP6521_UseCase1-if-vlan2)#exit
3 The VLAN has to be mapped to a physical interface on the access point. Since the only available physical interface on the AP6521 is GE1, this VLAN is mapped to it.
rfs4000(config-profile-AP6521_UseCase1)#interface ge 1
rfs4000(config-profile-AP6521_UseCase1-if-ge1)#switchport access vlan 2
rfs4000(config-profile-AP6521_UseCase1-if-ge1)#exit
4 Before a WLAN can be implemented, it has to be mapped to a radio on the access point. An AP6521 has 2 radios; in this scenario, both radios are utilized.
rfs4000(config-profile-AP6521_UseCase1)#interface radio 1
rfs4000(config-profile-AP6521_UseCase1-if-radio1)#wlan 1
rfs4000(config-profile-AP6521_UseCase1-if-radio1)#exit
rfs4000(config-profile-AP6521_UseCase1)#interface radio 2
rfs4000(config-profile-AP6521_UseCase1-if-radio2)#wlan 1
rfs4000(config-profile-AP6521_UseCase1-if-radio2)#exit
rfs4000(config-profile-AP6521_UseCase1)#
5 Commit the changes made to this profile and exit.
rfs4000(config-profile-AP6521_UseCase1)#commit write
rfs4000(config-profile-AP6521_UseCase1)#exit
rfs4000(config)#
Apply this Profile to the discovered AP6521
6 Access the discovered access point using the following command. The discovered device's MAC address is used to access its context.
rfs4000(config)#ap6521 00-A0-F8-00-00-01
rfs4000(config-device-00-A0-F8-00-00-01)#
7 Assign the AP profile to this AP6521 access point.
rfs4000(config-device-00-A0-F8-00-00-01)#use profile AP6521_UseCase1
rfs4000(config-device-00-A0-F8-00-00-01)#commit write
Apply the RF Domain to the AP
8 Apply the previously created RF Domain so that a country code is assigned to the discovered access point. A discovered access point only works properly if its country code is the same as that of its associated wireless controller.
rfs4000(config-device-00-A0-F8-00-00-01)#use rf-domain RFDOMAIN_UseCase1
rfs4000(config-device-00-A0-F8-00-00-01)#commit write
rfs4000(config-device-00-A0-F8-00-00-01)#exit
rfs4000(config)#
A.1.3.4.2 Creating an AP7161 Profile
To create a profile for use with an AP7161:
rfs4000(config)#profile ap7161 AP7161_UseCase1
rfs4000(config-profile-AP7161_UseCase1)#
1 Set the access point to be a member of the same VLAN defined in Creating a Wireless Controller Profile on page A-4. In that section, the VLAN was defined as VLAN 2. Configure the access point to be a member of VLAN 2.
rfs4000(config-profile-AP7161_UseCase1)#interface vlan 2
rfs4000(config-profile-AP7161_UseCase1-if-vlan2)#
2 Configure this VLAN to use DHCP, so the access point obtains its own address from the controller's DHCP server. Once completed, exit this context.
rfs4000(config-profile-AP7161_UseCase1-if-vlan2)#ip address dhcp
rfs4000(config-profile-AP7161_UseCase1-if-vlan2)#exit
3 The configured VLAN has to be mapped to a physical interface on the access point. Map VLAN 2 to the GE1 and GE2 interfaces on the AP7161. To configure the GE1 interface:
rfs4000(config-profile-AP7161_UseCase1)#interface ge 1
rfs4000(config-profile-AP7161_UseCase1-if-ge1)#switchport access vlan 2
rfs4000(config-profile-AP7161_UseCase1-if-ge1)#exit
4 Similarly, configure the GE2 interface.
rfs4000(config-profile-AP7161_UseCase1)#interface ge 2
rfs4000(config-profile-AP7161_UseCase1-if-ge2)#switchport access vlan 2
rfs4000(config-profile-AP7161_UseCase1-if-ge2)#exit
5 Before the WLAN can be implemented, it has to be mapped to a physical radio on the access point. An AP7161 has 3 radios (on certain models), two of which can be configured for WLAN support. In this scenario, two radios are used.
rfs4000(config-profile-AP7161_UseCase1)#interface radio 1
rfs4000(config-profile-AP7161_UseCase1-if-radio1)#wlan 1
rfs4000(config-profile-AP7161_UseCase1-if-radio1)#exit
rfs4000(config-profile-AP7161_UseCase1)#interface radio 2
rfs4000(config-profile-AP7161_UseCase1-if-radio2)#wlan 1
rfs4000(config-profile-AP7161_UseCase1-if-radio2)#exit
rfs4000(config-profile-AP7161_UseCase1)#
6 Commit the changes made to the profile and exit this context.
rfs4000(config-profile-AP7161_UseCase1)#commit write
rfs4000(config-profile-AP7161_UseCase1)#exit
rfs4000(config)#
Apply this Profile to the discovered AP7161
7 Access the discovered access point using the following command. The discovered device's MAC address is used to access its context.
rfs4000(config)#ap7161 00-23-68-16-C6-C4
rfs4000(config-device-00-23-68-16-C6-C4)#
8 Assign the AP profile to this access point.
rfs4000(config-device-00-23-68-16-C6-C4)#use profile AP7161_UseCase1
rfs4000(config-device-00-23-68-16-C6-C4)#commit write
Apply the RF Domain to the AP
9 Apply the previously created RF Domain so that a country code is assigned to the discovered access point. A discovered access point only works properly if its country code is the same as that of its associated wireless controller.
rfs4000(config-device-00-23-68-16-C6-C4)#use rf-domain RFDOMAIN_UseCase1
rfs4000(config-device-00-23-68-16-C6-C4)#commit write
rfs4000(config-device-00-23-68-16-C6-C4)#exit
rfs4000(config)#
A.1.3.5 Creating a DHCP Server Policy
The DHCP server policy defines the parameters required to run a DHCP server on the wireless controller and assign IP addresses automatically to devices that associate. Configuring DHCP enables the reuse of a limited set of IP addresses. To create a DHCP server policy:
rfs4000-37FABE(config)#dhcp-server-policy DHCP_POLICY_UseCase1
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1)#
The following table displays how IP addresses are used.
Table A.1 IP Address Usage
IP Range | Usage
172.16.11.1 to 172.16.11.10 | Reserved for devices that require a static IP address (includes the VLAN 2 gateway 172.16.11.1)
172.16.11.11 to 172.16.11.200 | Range of IP addresses that can be assigned by the DHCP server
172.16.11.201 to 172.16.11.254 | Reserved for devices that require a static IP address
In the table, the IP address range 172.16.11.11 to 172.16.11.200 is available to the DHCP server. To configure the DHCP server:
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1)#dhcp-pool DHCP_POOL_USECASE1_01
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#
1 Configure the address range as follows:
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#address range 172.16.11.11 172.16.11.200
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#
2 Configure the IP network the pool serves. This starts the DHCP server on the interface that has an address in that network (VLAN 2 here).
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#network 172.16.11.0/24
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1-pool-DHCP_POOL_USECASE1_01)#exit
rfs4000-37FABE(config-dhcp-policy-DHCP_POLICY_UseCase1)#exit
rfs4000-37FABE(config)#commit write
Configure the RFS4000 to use the DHCP Policy
3 For DHCP to work properly, the new DHCP server policy must be applied to the wireless controller. To apply the DHCP server policy to the wireless controller:
rfs4000-37FABE(config)#self
rfs4000-37FABE(config-device-03-14-28-57-14-28)#use dhcp-server-policy DHCP_POLICY_UseCase1
rfs4000-37FABE(config-device-03-14-28-57-14-28)#commit write
rfs4000-37FABE(config-device-03-14-28-57-14-28)#exit
rfs4000-37FABE(config)#
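The controller-side configuration is now complete. Before a client is pointed at it, the following added example (my code, not Extreme's, and not taken from this guide) audits a WiNG-style configuration for the mistakes the steps above invite: a device with no profile or no rf-domain, an rf-domain without a country code, a DHCP pool whose range falls outside its network or swallows the VLAN gateway, and a WLAN that carries no authentication or encryption. The sample text is constructed in the indentation style of the CLI's show context output and mirrors the commands of this use case, except that it deliberately omits the AP7161's rf-domain so the audit has something to report. The rule that a WLAN with none of the lines encryption-type, authentication-type or wpa-wpa2 is open is an assumption of the example, as are the parser and the device-block heuristic (a two-word block whose second word is a MAC address).

```python
import ipaddress
import re

# Constructed sample in the indentation style of the CLI's "show context" output.
# It mirrors the appendix's commands but deliberately leaves the AP7161 without
# an rf-domain so that the audit has something to report.
SAMPLE_CONFIG = """\
rf-domain RFDOMAIN_UseCase1
 country-code us
profile rfs4000 RFS4000_UseCase1
 interface vlan 2
  ip address 172.16.11.1/24
 interface ge 3
  switchport access vlan 2
wlan 1
 ssid WLAN_USECASE_01
 broadcast-ssid
 vlan 2
dhcp-server-policy DHCP_POLICY_UseCase1
 dhcp-pool DHCP_POOL_USECASE1_01
  network 172.16.11.0/24
  address range 172.16.11.11 172.16.11.200
rfs4000 03-14-28-57-14-28
 use profile RFS4000_UseCase1
 use rf-domain RFDOMAIN_UseCase1
 use dhcp-server-policy DHCP_POLICY_UseCase1
ap6521 00-A0-F8-00-00-01
 use profile AP6521_UseCase1
 use rf-domain RFDOMAIN_UseCase1
ap7161 00-23-68-16-C6-C4
 use profile AP7161_UseCase1
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(-[0-9A-Fa-f]{2}){5}$")
# Assumption: a WLAN carrying none of these lines runs open (no authentication, no encryption).
SECURITY_PREFIXES = ("encryption-type", "authentication-type", "wpa-wpa2")


def parse_blocks(text):
    """Turn indented CLI text into a list of (command, children) trees."""
    root = []
    stack = [(-1, root)]
    for raw in text.splitlines():
        if not raw.strip():
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        node = (raw.strip(), [])
        while stack[-1][0] >= depth:
            stack.pop()
        stack[-1][1].append(node)
        stack.append((depth, node[1]))
    return root


def lines_with(children, prefix):
    """Child commands of a block that start with the given prefix."""
    return [c for c, _ in children if c.startswith(prefix)]


def audit(text):
    """Return human-readable findings for the mistakes the use case invites."""
    tree = parse_blocks(text)
    findings = []
    # Pass 1: which rf-domains carry a country code, and which VLAN gateways exist.
    rf_domains, gateways = {}, {}
    for cmd, children in tree:
        words = cmd.split()
        if words[0] == "rf-domain":
            rf_domains[words[1]] = bool(lines_with(children, "country-code "))
        elif words[0] == "profile":
            for icmd, ichildren in children:
                if icmd.startswith("interface vlan "):
                    for addr in lines_with(ichildren, "ip address "):
                        if "/" in addr:  # skip "ip address dhcp"
                            gateways[int(icmd.split()[2])] = ipaddress.ip_interface(addr.split()[2])
    # Pass 2: the checks themselves.
    for cmd, children in tree:
        words = cmd.split()
        if words[0] == "wlan" and not any(lines_with(children, p) for p in SECURITY_PREFIXES):
            findings.append(f"wlan {words[1]}: no authentication or encryption configured (open WLAN)")
        elif words[0] == "dhcp-server-policy":
            for pcmd, pchildren in children:
                if not pcmd.startswith("dhcp-pool "):
                    continue
                nets = lines_with(pchildren, "network ")
                rngs = lines_with(pchildren, "address range ")
                if not nets or not rngs:
                    findings.append(f"{pcmd}: needs both a network and an address range")
                    continue
                net = ipaddress.ip_network(nets[0].split()[1])
                lo, hi = (ipaddress.ip_address(x) for x in rngs[0].split()[2:4])
                if lo not in net or hi not in net or lo > hi:
                    findings.append(f"{pcmd}: range {lo}-{hi} is not inside {net}")
                for vlan, gw in gateways.items():
                    if gw.network == net and lo <= gw.ip <= hi:
                        findings.append(f"{pcmd}: range includes the VLAN {vlan} gateway {gw.ip}")
        elif len(words) == 2 and MAC_RE.match(words[1]):  # a device block such as "ap6521 <mac>"
            if not lines_with(children, "use profile "):
                findings.append(f"{cmd}: no profile applied")
            used = lines_with(children, "use rf-domain ")
            if not used:
                findings.append(f"{cmd}: no rf-domain applied, so no country code (radios will not operate as intended)")
            elif not rf_domains.get(used[0].split()[2], False):
                findings.append(f"{cmd}: rf-domain {used[0].split()[2]} has no country-code")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the open WLAN 1 and the AP7161 without an rf-domain; moving the pool's lower bound to 172.16.11.1 additionally reports that the range now includes the VLAN 2 gateway, which is the overlap Table A.1's reserved block exists to prevent.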
A.1.3.6 Completing and Testing the Configuration
A wireless client must be configured to associate with the wireless controller managed WLAN. The following information must be defined:
SSID: WLAN_USECASE_01
Country: Same as the country configured in Creating a RF Domain on page A-3. In this scenario, the country code is set to US.
Mode: Infrastructure
With the WLAN set to beacon, use the wireless client's discovery utility to discover the configured WLAN and associate.

B PUBLICLY AVAILABLE SOFTWARE
B.1 General Information
This document contains information regarding licenses, acknowledgments and required copyright notices for open source packages used in the following products:
Access Points AP6521, AP6522, AP6522M, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8122, AP8132, AP8163, AP8232, AP8432 and AP8533.
Wireless Controllers and Service Platforms
Wireless Controllers RFS4000, RFS6000
Service Platforms NX5500, NX5500E, NX7500, NX75XX, NX7510E, NX9500, NX9510, NX9600, NX9610, VX9000, VX9000E
Access Point, Wireless Controller, and Service Platform System Reference Guide B - 1 PUBLICLY AVAILABLE SOFTWARE

B.2 Open Source Software Used
The Support site, located at www.extremenetworks.com/support, provides information and online assistance including developer tools, software downloads, product manuals, support contact information and online repair requests.

Name | Version | URL | License
Apache Web Server | 1.3.41 | http://www.apache.org/ | Apache License, Version 2.0
Asterisk | 1.2.24 | http://www.asterisk.org/ | GNU General Public License 2.0
accepts | 1.2.10 | http://registry.npmjs.org/accepts/-/accepts-1.2.10.tgz | MIT License
advas | 0.2.3 | http://advas.sourceforge.net/ | GNU General Public License, version 2
alivepdf | 0.1.4.9 | https://code.google.com/p/alivepdf/ | MIT License
apscheduler | 3.0.1 | https://pypi.python.org/pypi/APScheduler/ | MIT License
async | 1.3.0 | http://registry.npmjs.org/async/-/async-1.3.0.tgz | MIT License
autoconf | 2.69 | http://www.gnu.org/software/autoconf/ | GNU General Public License, version 2
automake | 1.11.6 | http://www.gnu.org/software/automake/ | GNU General Public License, version 2
bash | 4.2 | http://www.gnu.org/software/bash/ | GNU General Public License, version 2
binutils | 2.23 | http://www.gnu.org/software/binutils/ | GNU General Public License, version 2
bison | 2.3 | http://www.gnu.org/software/bison/ | GNU General Public License, version 2
bluez | 5.7 | http://www.bluez.org/ | GNU General Public License, version 2
body-parser | 1.13.2 | http://registry.npmjs.org/body-parser/-/body-parser-1.13.2.tgz | MIT License
bridge | 1.0.4 | http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge/ | GNU General Public License, version 2
bridge-utils | 1.0.4 | http://sourceforge.net/projects/bridge/ | GNU General Public License, version 2
buffer-crc32 | 0.2.5 | http://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.5.tgz | MIT License
busybox | 1.14.4 | http://www.busybox.net/ | GNU General Public License, version 2
bytes | 2.1.0 | http://registry.npmjs.org/bytes/-/bytes-2.1.0.tgz | MIT License
colors | 1.1.2 | http://registry.npmjs.org/colors/-/colors-1.1.2.tgz | MIT License
compression | 1.5.1 | http://registry.npmjs.org/compression/-/compression-1.5.1.tgz | MIT License
connect-mongo | 0.8.2 | http://registry.npmjs.org/connect-mongo/-/connect-mongo-0.8.2.tgz | MIT License
cookie | 0.1.3 | http://registry.npmjs.org/cookie/-/cookie-0.1.3.tgz | MIT License
cookie-parser | 1.3.5 | http://registry.npmjs.org/cookie-parser/-/cookie-parser-1.3.5.tgz | MIT License
cookie-signature | 1.0.6 | http://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz | MIT License
cuint | 0.2.0 | http://registry.npmjs.org/cuint/-/cuint-0.2.0.tgz | MIT License
cycle | 1.0.3 | https://registry.npmjs.org/cycle/-/cycle-1.0.3.tgz | MIT License
czjson | 1.0.8 | https://pypi.python.org/pypi/czjson/1.0.8 | GNU Lesser General Public License 2.1
dash | 0.5.7 | http://gondor.apana.org.au/~herbert/dash/ | The BSD License
debug | 2.2.0 | https://registry.npmjs.org/debug/-/debug-2.2.0.tgz | MIT License
depd | 1.0.1 | http://registry.npmjs.org/depd/-/depd-1.0.1.tgz | MIT License
dfu-util | 0.8 | http://dfu-util.gnumonks.org/ | GNU General Public License, version 2
dhcp | 3.0.3 | http://www.isc.org/software/dhcp | ISC License
diffutils | 2.8.1 | http://www.gnu.org/software/diffutils/ | GNU General Public License, version 2
dmalloc | 5.5.2 | http://dmalloc.com/ | None
dmidecode | 2.11 | http://savannah.nongnu.org/projects/dmidecode/ | GNU General Public License, version 2
dnsmasq | 2.47 | http://www.thekelleys.org.uk/dnsmasq/doc.html | GNU General Public License, version 2
dosfstools | 2.11 | http://www.daniel-baumann.ch/software/dosfstools/ | GNU General Public License, version 2
dropbear | 0.55 | http://matt.ucc.asn.au/dropbear/dropbear.html | DropBear License
e2fsprogs | 1.41.13 | http://e2fsprogs.sourceforge.net/ | GNU General Public License, version 2
ejs | 2.3.3 | http://registry.npmjs.org/ejs/-/ejs-2.3.3.tgz | Apache License, Version 2.0
engine.io | 1.5.2 | http://registry.npmjs.org/engine.io/-/engine.io-1.5.2.tgz | MIT License
escape-html | 1.0.2 | http://registry.npmjs.org/escape-html/-/escape-html-1.0.2.tgz | MIT License
ethtool | 2.6.35 | http://www.kernel.org/pub/software/network/ethtool/ | GNU General Public License, version 2
event-loop-lag | 1.1.0 | http://registry.npmjs.org/event-loop-lag/-/event-loop-lag-1.1.0.tgz | MIT License
express | 4.13.1 | http://registry.npmjs.org/express/-/express-4.13.1.tgz | MIT License
express-session | 1.11.3 | http://registry.npmjs.org/express-session/-/express-session-1.11.3.tgz | MIT License
eyes | 0.1.8 | http://github.com/cloudhead/eyes.js | MIT License
finalhandler | 0.4.0 | http://registry.npmjs.org/finalhandler/-/finalhandler-0.4.0.tgz | MIT License
flashrom | 0.9.4 | http://flashrom.org/Flashrom | GNU General Public License, version 2
flex | 4.5.1.21328 | http://flex.sourceforge.net/ | The BSD License
fluks | 0.2 | https://github.com/markuspeloquin/fluks | MIT License
freedos | 4.5.1.21328 | http://www.freedos.org/download/ | GNU General Public License, version 2
freeipmi | 1.1 | http://www.gnu.org/software/freeipmi/ | GNU General Public License, version 3
fresh | 0.3.0 | http://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz | MIT License
futures | 2.2.0 | https://github.com/agronholm/pythonfutures | The BSD License
gcc | 4.1.2 | http://gcc.gnu.org/ | GNU General Public License, version 2
gdb | 7.2 | http://www.gnu.org/software/gdb/ | GNU General Public License, version 3
gdbm | 1.8.3 | http://www.gnu.org/s/gdbm/ | GNU General Public License, version 2
genext2fs | 1.4.1 | http://genext2fs.sourceforge.net/ | GNU General Public License, version 2
glib2 | 2.30.2 | http://www.gtk.org/ | GNU Lesser General Public License 2.1
glibc | 2.7 | http://www.gnu.org/software/libc/ | GNU General Public License, version 2
has-binary-data | 0.1.5 | http://registry.npmjs.org/has-binary-data/-/has-binary-data-0.1.5.tgz | MIT License
hdparm | 9.38 | http://sourceforge.net/projects/hdparm/ | GNU General Public License, version 2
hooks | 0.3.2 | http://registry.npmjs.org/hooks/-/hooks-0.3.2.tgz | MIT License
hostapd | 0.6.9 | http://hostap.epitest.fi/hostapd/ | GNU General Public License, version 2
hotplug | 1.3 | http://sourceforge.net/projects/linux-hotplug/ | GNU General Public License, version 2
hotplug2 | 0.9 | http://isteve.bofh.cz/~isteve/hotplug2/ | GNU General Public License, version 2
i2ctools | 3.0.3 | http://www.lm-sensors.org/wiki/I2CTools | GNU General Public License, version 2
iconv-lite | 0.4.11 | http://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.11.tgz | MIT License
igb | 5.2.9.4 | http://sourceforge.net/projects/e1000/ | GNU General Public License, version 2
ipaddr | 2.1.0 | http://code.google.com/p/ipaddr-py/ | Apache License, Version 2.0
ipkg-utils | 1.7 | http://www.handhelds.org/sources.html | GNU General Public License, version 2
ipmitool | 1.8.11 | http://ipmitool.sourceforge.net/ | The BSD License
iproute2 | 050816 | http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 | GNU General Public License, version 2
iptables | 1.4.3 | http://www.netfilter.org/projects/iptables/index.html | GNU General Public License, version 2
ipxe | 1.0.0 | http://ipxe.org/ | GNU General Public License, version 2
isstream | 0.1.2 | https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz | MIT License
js-yaml | 3.3.1 | http://registry.npmjs.org/js-yaml/-/js-yaml-3.3.1.tgz | MIT License
kerberos | None | http://web.mit.edu/Kerberos/ | GNU General Public License, version 2
kexec-tools | 2.0.3 | http://kernel.org/pub/linux/utils/kernel/kexec/ | GNU General Public License, version 2
libbson | 1.1.0 | http://github.com/mongodb/libbson | Apache License, Version 2.0
libcares | 1.7.1 | http://c-ares.haxx.se/ | The BSD License
libcurl | 7.30.0 | http://curl.haxx.se/libcurl/ | The BSD License
libdevmapper | 2.02.66 | ftp://sources.redhat.com/pub/lvm2/old | GNU Lesser General Public License 2.1
libexpat | 2.0.0 | http://expat.sourceforge.net/ | MIT License
libffi | 3.0.7 | http://sourceware.org/libffi/ | MIT License
libgcrypt | 1.4.5 | ftp://ftp.gnupg.org/GnuPG/libgcrypt/ | GNU Lesser General Public License 2.1
libgmp | 4.2.2 | http://gmplib.org/ | GNU Lesser General Public License, version 3.0
libgnutls | 3.2.12 | ftp://ftp.gnupg.org/GnuPG/gnutls/v3.0/ | GNU Lesser General Public License, version 3.0
libgpg-error | 1.6 | ftp://ftp.gnupg.org/GnuPG/libgpg-error/ | GNU Lesser General Public License 2.1
libharu | 2.1.0 | http://libharu.org/ | MIT License
libhttp-parser | None | None | MIT License
libiconv | 1.14 | http://savannah.gnu.org/projects/libiconv/ | GNU General Public License 2.0
libjson | 0.10 | http://sourceforge.net/projects/libjson/ | The BSD License
libkerberos | 0.1 | http://web.mit.edu/kerberos/dist/ | The BSD License
libncurses | 5.4 | http://www.gnu.org/software/ncurses/ | MIT License
libnettle | 2.7 | http://www.lysator.liu.se/~nisse/nettle/ | GNU Lesser General Public License 2.1
libnuma | 2.0.10 | https://github.com/numactl/numactl/ | GNU Lesser General Public License, version 2.0
libpam | 1.1.1 | http://www.kernel.org/pub/linux/libs/pam/ | The BSD License
libpcap | 1.0.0 | http://www.tcpdump.org/ | The BSD License
libpcre | 8.21 | ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ | The BSD License
libpopt | 1.14 | http://freecode.com/projects/popt | MIT License
libraryopt | 1.01 | http://sourceforge.net/projects/libraryopt/ | GNU General Public License, version 2
libreadline | 4.3 | http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html | GNU General Public License, version 2
libtool | 2.4.2 | http://www.gnu.org/software/libtool/ | GNU General Public License, version 2

The table continues on the next page of the guide; only its start survives here:
Name libusb libusb libvirt libxml2 libxslt lighttpd lilo linux linux ltp lxml lzma lzma lzo M2Crypto m4 madwifi mdadm 1.0.18 0.9.11 2.8.0 1.1.26 1.4.37 22.6 4.32 4.57 2.03 0.21.1 1.4.16 Version 0.1.12 URL http://www.libusb.org/
http://www.libusb.org/
http://libvirt.org/sources/
http://xmlsoft.org/
http://xmlsoft.org/xslt/
http://www.lighttpd.net/
PUBLICLY AVAILABLE SOFTWARE License GNU Lesser General Public License, version 2.0 GNU Lesser General Public License, version 2.0 GNU Lesser General Public License 2.1 MIT License MIT License MIT License http://lilo.alioth.debian.org/
The BSD License 2.6.28.9 http://www.kernel.org/
2.6.35.9 http://www.kernel.org/
lodash 3.10.0 log-timestamp 0.1.2 http://registry.npmjs.org/lodash/-/lodash-
3.10.0.tgz http://registry.npmjs.org/log-timestamp/-/
log-timestamp-0.1.2.tgz https://github.com/linux-test-project/ltp 20130904 2.3beta1 http://lxml.de/
http://www.7-zip.org/sdk.html http://www.7-zip.org/sdk.html http://www.oberhumer.com/opensource/
lzo/
GNU General Public License, version 2 http://chandlerproject.org/bin/view/
Projects/MeTooCrypto http://www.gnu.org/software/m4/
The BSD License GNU General Public License, version 2 trunk-r3314 http://madwifi-project.org/
The BSD License 3.2.2 http://neil.brown.name/blog/mdadm media-typer 0.3.0 memtester 4.0.8 http://registry.npmjs.org/media-typer/-/
media-typer-0.3.0.tgz http://pyropus.ca/software/memtester/
Access Point, Wireless Controller, and Service Platform System Reference Guide B - 7 GNU General Public License, version 2 GNU General Public License, version 2 MIT License MIT License GNU General Public License, version 2 The BSD License GNU Lesser General Public License, version 2.0 GNU Lesser General Public License, version 2.0 GNU General Public License, version 2 MIT License GNU General Public License, version 2 PUBLICLY AVAILABLE SOFTWARE Version 1.0.0 Name merge-
descriptors method-override 2.3.4 methods mii-diag 1.1.1 2.09 URL http://registry.npmjs.org/merge-
descriptors/-/merge-descriptors-1.0.0.tgz http://registry.npmjs.org/method-override/
-/method-override-2.3.4.tgz http://registry.npmjs.org/methods/-/
methods-1.1.1.tgz http://freecode.com/projects/mii-diag mkyaffs None http://www.yaffs.net/
mod_ssl 2.8.3.1-1.3.41 http://www.modssl.org/
http://github.com/mongodb/mongo-c-
driver http://github.com/mongodb/mongo-
python-driver http://www.mongodb.org/
License MIT License MIT License MIT License GNU General Public License, version 2 GNU General Public License, version 2 The BSD License Apache License, Version 2.0 Apache License, Version 2.0 GNU Lesser General Public License, version 3.0 MIT License MIT License http://registry.npmjs.org/mongoose/-/
mongoose-4.0.7.tgz http://registry.npmjs.org/mpath/-/mpath-
0.2.1.tgz http://registry.npmjs.org/mpromise/-/
mpromise-0.5.5.tgz http://registry.npmjs.org/mquery/-/
mquery-1.6.2.tgz http://registry.npmjs.org/ms/-/ms-0.7.1.tgz MIT License http://www.linux-mtd.infradead.org/
MIT License MIT License GNU General Public License, version 2 mongo-c-driver 1.1.0 mongo-python-
driver mongodb mongoose mpath mpromise mquery ms mtd 2.7.1 3.0.5 4.0.7 0.2.1 0.5.5 1.6.2 0.7.1 2009-05-05 mtd-utils 1.4.4 http://www.linux-mtd.infradead.org/
mtd-utils 2009-05-05 http://www.linux-mtd.infradead.org/
muri nano net-snmp no-vnc 1.1.0 1.2.4 5.3.0.1 None http://registry.npmjs.org/muri/-/muri-
1.1.0.tgz http://www.nano-editor.org/
http://net-snmp.sourceforge.net/
The BSD License http://kanaka.github.io/noVNC/
Mozilla Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 MIT License GNU General Public License, version 2 Access Point, Wireless Controller, and Service Platform System Reference Guide B - 8 PUBLICLY AVAILABLE SOFTWARE Name node-mongodb-
native node.js ntp numactl Version 1.4.35 0.12.7 4.2.6p4 2.0.10 URL http://github.com/mongodb/node-
mongodb-native http://nodejs.org/
http://www.ntp.org/index.html https://github.com/numactl/numactl/
Open Scales 2.2 http://openscales.org/
OpenStreetMap http://www.openstreetmap.org/
on-headers 1.0.0 openldap 2.4.40 http://registry.npmjs.org/on-headers/-/on-
headers-1.0.0.tgz http://www.openldap.org/foundation/
openllpd 0.0.3alpha http://openlldp.sourceforge.net/
openssh openssl openssl openssl openssl-fips 6.6p1 0.9.8zg 1.0.0i 1.0.1g 1.2.3 http://www.openssh.com/
http://www.openssl.org/
http://www.openssl.org/
http://www.openssl.org/
http://www.openssl.org/
openwrt trunk-r15025 http://www.openwrt.org/
opkg trunk-r4564 http://code.google.com/p/opkg/
oprofile ProGuard PyPDF2 parseurl 0.9.2 4.8 1.23 1.3.0 path-to-regexp 1.2.0 pciutils 3.1.8 http://oprofile.sourceforge.net/news/
http://proguard.sourceforge.net/
http://mstamy2.github.com/PyPDF2 http://registry.npmjs.org/parseurl/-/
parseurl-1.3.0.tgz http://registry.npmjs.org/path-to-regexp/-
/path-to-regexp-1.2.0.tgz http://mj.ucw.cz/sw/pciutils/
License Apache License, Version 2.0 MIT License The BSD License GNU General Public License, version 2 GNU Lesser General Public License, version 3.0 Creative Commons Attribution-ShareAlike License, version 3.0 MIT License The Open LDAP Public License GNU General Public License, version 2 The BSD License OpenSSL License OpenSSL License OpenSSL License OpenSSL License GNU General Public License, version 2 GNU General Public License, version 2 GNU Lesser General Public License 2.1 GNU General Public License, version 2 The BSD License MIT License MIT License GNU General Public License, version 2 Access Point, Wireless Controller, and Service Platform System Reference Guide B - 9 Name pdnsd picocom pillow ping pkg-config portmap posix ppp ppp preppy procname procps proxy-addr psmisc pure-ftpd pychecker pyparsing pytz pyxapi pyyaml qdbm qs quagga quilt Version 1.2.5 1.6 2.8.1 1.0 0.22 6.0 2.0.1 2.4.5 2.4.3 2.3.1 0.2 3.2.8 1.0.8 22.8 1.0.22 0.8.18 1.5.1 2014.10 0.1 3.11 1.8.77 4.0.0 0.99.16 0.47 PUBLICLY AVAILABLE SOFTWARE URL http://members.home.nl/p.a.rombouts/
pdnsd/
http://code.google.com/p/picocom/
License GNU General Public License, version 2 GNU General Public License, version 2 http://python-pillow.github.io/
None MIT License The BSD License http://pkg-config.freedesktop.org/wiki/
GNU General Public License, version 2 http://neil.brown.name/portmap/
http://registry.npmjs.org/posix/-/posix-
2.0.1.tgz http://ppp.samba.org/ppp/
http://ppp.samba.org/ppp/
https://bitbucket.org/rptlab/preppy http://code.google.com/p/procname/
http://procps.sourceforge.net/
http://registry.npmjs.org/proxy-addr/-/
proxy-addr-1.0.8.tgz http://sourceforge.net/projects/psmisc/
The BSD License MIT License The BSD License The BSD License The BSD License GNU Lesser General Public License, version 2.0 GNU General Public License, version 2 MIT License GNU General Public License, version 2 http://www.pureftpd.org/project/pure-ftpd The BSD License http://pychecker.sourceforge.net/
The BSD License http://sourceforge.net/projects/pyparsing/ The BSD License http://pythonhosted.org/pytz http://www.pps.jussieu.fr/%7Eylg/PyXAPI/ GNU General Public License, MIT License version 2 http://pyyaml.org/
http://qdbm.sourceforge.net/
MIT License GNU General Public License, version 2 http://registry.npmjs.org/qs/-/qs-4.0.0.tgz The BSD License http://www.quagga.net GNU General Public License, version 2 http://savannah.nongnu.org/projects/quilt/ GNU General Public License, version 2 Access Point, Wireless Controller, and Service Platform System Reference Guide B - 10 PUBLICLY AVAILABLE SOFTWARE Name radius Version 2.2.3 URL http://freeradius.org/
License GNU General Public License, version 2 range-parser 1.0.2 raw-body redis redis 2.1.2 3.0.3 0.12.1 regexp-clone 0.0.1 report-lab rp-pppoe rsync safestr samba sed semaphore 3.1.44 3.1.0 3.0.6 1.0.3 3.5.1 4.1.2 1.0.3 send 0.13.0 serve-static 1.10.0 setproctitle setuptools sliced smarttools snmpagent socket.io socket.io-
adapter 1.1.8 11.3.1 1.0.1 6.2 5.0.9 1.3.6 0.3.1 http://registry.npmjs.org/range-parser/-/
range-parser-1.0.2.tgz http://registry.npmjs.org/raw-body/-/raw-
body-2.1.2.tgz http://redis.io/
http://registry.npmjs.org/redis/-/redis-
0.12.1.tgz http://registry.npmjs.org/regexp-clone/-/
regexp-clone-0.0.1.tgz http://www.reportlab.com MIT License MIT License The BSD License MIT License MIT License The BSD License http://www.roaringpenguin.com/products/
pppoe GNU General Public License, version 2 http://rsync.samba.org/
http://www.zork.org/
http://www.samba.org http://www.gnu.org/software/sed/
http://registry.npmjs.org/semaphore/-/
semaphore-1.0.3.tgz http://registry.npmjs.org/send/-/send-
0.13.0.tgz http://registry.npmjs.org/serve-static/-/
serve-static-1.10.0.tgz http://code.google.com/p/py-setproctitle https://bitbucket.org/pypa/setuptools http://registry.npmjs.org/sliced/-/sliced-
1.0.1.tgz http://smartmontools.sourceforge.net GNU General Public License, version 3 The BSD License GNU General Public License, version 3 GNU General Public License, version 2 MIT License MIT License MIT License The BSD License Python License, Version 2
(Python-2.0) MIT License GNU General Public License, version 2 http://sourceforge.net/
http://registry.npmjs.org/socket.io/-/
socket.io-1.3.6.tgz http://registry.npmjs.org/socket.io-
adapter/-/socket.io-adapter-0.3.1.tgz The BSD License MIT License MIT License Access Point, Wireless Controller, and Service Platform System Reference Guide B - 11 PUBLICLY AVAILABLE SOFTWARE Name socket.io-
adapter-mongo Version 0.1.4 socket.io-client 1.3.6 socket.io-parser 2.2.4 sqlite3 squashfs 3070900 3.0 URL http://registry.npmjs.org/socket.io-
adapter-mongo/-/socket.io-adapter-
mongo-0.1.4.tgz http://registry.npmjs.org/socket.io-client/-/
socket.io-client-1.3.6.tgz http://registry.npmjs.org/socket.io-parser/-
/socket.io-parser-2.2.4.tgz http://www.sqlite.org/
http://squashfs.sourceforge.net/
squid 2.7.STABLE9 http://www.squid-cache.org/
stack-trace 0.0.9 stackless python 2.7.5 https://registry.npmjs.org/stack-trace/-/
stack-trace-0.0.9.tgz http://www.stackless.com/
License MIT License MIT License MIT License None GNU General Public License, version 2 GNU General Public License, version 2 MIT License GNU General Public License, version 2 sticky-session 0.1.0 strace stress 4.5.20 1.0.4 http://registry.npmjs.org/sticky-session/-/
sticky-session-0.1.0.tgz http://sourceforge.net/projects/strace/
MIT License The BSD License http://people.seas.harvard.edu/~apw/
stress/
strongswan 4.4.0 http://www.strongswan.org GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 stunnel svg2rlg sysstat tar tcpdump tinyproxy type-is tz u-boot 4.31 0.3 9.0.5 1.17 4.0.0 1.8.3 1.6.4 2014b trunk-2010-
03-30 http://www.stunnel.org/
http://code.google.com/p/svg2rlg/
The BSD License http://sebastien.godard.pagesperso-
orange.fr/
http://www.gnu.org/software/tar/
http://www.tcpdump.org/
https://banu.com/tinyproxy/
http://registry.npmjs.org/type-is/-/type-is-
1.6.4.tgz http://www.iana.org/time-zones/
repository/releases/
http://www.denx.de/wiki/U-Boot/
GNU General Public License, version 2 GNU General Public License, version 2 The BSD License GNU General Public License, version 2 MIT License GNU General Public License, version 2 GNU General Public License, version 2 Access Point, Wireless Controller, and Service Platform System Reference Guide B - 12 PUBLICLY AVAILABLE SOFTWARE Version trunk-2010-
05-10 URL http://www.denx.de/wiki/U-Boot/
0.9.29 http://www.uclibc.org/
0.9.30.2 http://www.uclibc.org/
http://www.openwrt.org/
https://launchpad.net/udev http://www.kernel.org/pub/linux/utils/
kernel/hotplug/
http://www.linux-usb.org/
License GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 http://www.kernel.org/pub/linux/utils/util-
linux/
GNU General Public License, version 2 http://registry.npmjs.org/utils-merge/-/
utils-merge-1.0.0.tgz http://valgrind.org/
http://registry.npmjs.org/validator/-/
validator-3.41.2.tgz http://registry.npmjs.org/vary/-/vary-
1.0.1.tgz http://wiki.sangoma.com/wanpipe-linux-
drivers https://github.com/nori0428/
mod_websocket http://www.gnu.org/software/wget/
http://registry.npmjs.org/winston/-/
winston-1.0.1.tgz http://www.hpl.hp.com/personal/
Jean_Tourrilhes/Linux/Tools.html MIT License GNU General Public License, version 2 MIT License MIT License GNU General Public License, version 2 MIT License GNU General Public License, version 3 MIT License GNU General Public License, version 2 http://hostap.epitest.fi/wpa_supplicant/
http://registry.npmjs.org/ws/-/ws-0.7.2.tgz MIT License http://wu-ftpd.therockgarden.ca/
The BSD License WU-FTPD Software License http://docs.vmd.citrix.com/XenServer/4.0.1/
api/client-examples/python/index.html GNU General Public License, version 2 Name u-boot uClibc uClibc uci udev udev usbutils util-linux utils-merge valgrind validator vary wanpipe websocket wget winston 0.7.5 147 r147 0.73 2.20 1.0.0 3.5.0 3.41.2 1.0.1 3.5.18 2.4 1.14 1.0.1 wireless_tools r29 wpa_supplicant 2.0 ws wuftpd XenAPI 0.7.2 1.0.21 None Access Point, Wireless Controller, and Service Platform System Reference Guide B - 13 PUBLICLY AVAILABLE SOFTWARE Name xen Version 4.1.5 URL http://www.xen.org/
xen-crashdump-
analyser 20130505 http://xenbits.xen.org/people/
andrewcoop/
xen-tools xxhashjs z3c-rml zlib zope-event 4.2.1 0.1.1 2.7.2 1.2.8 4.0.3 http://xen-tools.org/software/xen-tools/
http://registry.npmjs.org/xxhashjs/-/
xxhashjs-0.1.1.tgz http://pypi.python.org/pypi/z3c.rml http://www.zlib.net/
http://pypi.python.org/pypi/zope.event License GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 MIT License Zope Public License (ZPL) Version 2.0 zlib License Zope Public License (ZPL) Version 2.0 zope-interface 4.1.1 http://pypi.python.org/pypi/zope.interface Zope Public License (ZPL) Version 2.1 zope-schema 4.4.2 http://pypi.python.org/pypi/zope.schema zwave 0.1 http://code.google.com/p/open-zwave/
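The appendix above is, in effect, the vendor's software bill of materials for the image: one row per bundled component with the exact version shipped. What a security reviewer does with such a list is turn it into a machine-readable SBOM so the versions (note the three separate OpenSSL lines) can be matched against advisory data rather than read by eye. The script below is an added example, not part of the Extreme/WiNG guide and not vendor tooling: it parses a pipe table in the layout used above into a minimal CycloneDX-style document with package URLs. The CycloneDX field names (bomFormat, specVersion, components, purl, licenses, externalReferences) and the purl types pkg:npm and pkg:generic are real; the sample rows are copied from the table; the function names, the rule that a registry.npmjs.org tarball URL maps to pkg:npm, and the treatment of a "None" version as "version unknown" are this example's own assumptions.

```python
"""Turn a vendor "Publicly Available Software" appendix into a minimal
CycloneDX-style SBOM so the component versions can be handed to a scanner.

Added example, not part of the WiNG / Extreme Wireless guide.  The input rows
are constructed by copying a few lines from the appendix table.  CycloneDX
field names and the purl types pkg:npm / pkg:generic are the real ones; the
function names and the npm-URL -> pkg:npm rule are this example's choices.
"""
import json
import re
from urllib.parse import quote

# Constructed sample: rows copied from the appendix, chosen to cover an npm
# tarball, a component listed three times with different versions, a name
# containing dots and dashes, and a component whose version is "None".
SAMPLE_TABLE = """\
| Name | Version | URL | License |
|---|---|---|---|
| lodash | 3.10.0 | http://registry.npmjs.org/lodash/-/lodash-3.10.0.tgz | MIT License |
| openssl | 0.9.8zg | http://www.openssl.org/ | OpenSSL License |
| openssl | 1.0.0i | http://www.openssl.org/ | OpenSSL License |
| openssl | 1.0.1g | http://www.openssl.org/ | OpenSSL License |
| socket.io-adapter-mongo | 0.1.4 | http://registry.npmjs.org/socket.io-adapter-mongo/-/socket.io-adapter-mongo-0.1.4.tgz | MIT License |
| kerberos | None | http://web.mit.edu/Kerberos/ | GNU General Public License, version 2 |
"""

# Assumption of this example: a tarball served by the npm registry is an npm
# package; everything else is typed pkg:generic.
NPM_RE = re.compile(r"^https?://registry\.npmjs\.org/")


def parse_table(text):
    """Parse a pipe table whose first row is the header into a list of dicts.

    Blank lines and the |---| separator row are skipped; cell text is stripped.
    """
    rows = []
    header = None
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
            continue
        if all(re.fullmatch(r"-+", c) for c in cells):
            continue  # separator row
        rows.append(dict(zip(header, cells)))
    return rows


def to_purl(name, version, url):
    """Build a package URL for one row.

    A version of "None" yields a purl with no @version: a scanner should see
    "version unknown" and flag it, not silently match nothing.
    """
    ptype = "npm" if NPM_RE.match(url or "") else "generic"
    purl = f"pkg:{ptype}/{quote(name, safe='')}"
    if version and version != "None":
        purl += "@" + quote(version, safe="")
    return purl


def build_sbom(rows):
    """Return a minimal CycloneDX 1.4-shaped document as a dict."""
    components = []
    for r in rows:
        comp = {
            "type": "library",
            "name": r["Name"],
            "purl": to_purl(r["Name"], r["Version"], r["URL"]),
            "licenses": [{"license": {"name": r["License"]}}],
            "externalReferences": [{"type": "distribution", "url": r["URL"]}],
        }
        if r["Version"] != "None":
            comp["version"] = r["Version"]
        components.append(comp)
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": components}


def versions_of(sbom, name):
    """All versions listed for one component name, sorted.

    The appendix lists OpenSSL three times; every listed version has to reach
    the scanner, so do not collapse duplicates by name.
    """
    return sorted(c.get("version", "") for c in sbom["components"]
                  if c["name"] == name)


if __name__ == "__main__":
    bom = build_sbom(parse_table(SAMPLE_TABLE))
    print(json.dumps(bom, indent=2))
```

Feed the full table text in place of SAMPLE_TABLE and write the JSON out; the purl is the field scanners key on, so rows whose version is "None" in the appendix (kerberos, mkyaffs, no-vnc, XenAPI, libhttp-parser) will need a version pinned by hand before they yield useful matches.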
B.3 OSS Licenses

B.3.1 Apache License, Version 2.0

Apache License
Version 2.0, January 2004
http://www.apache.org/licenses

TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION

1. Definitions.

"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.

"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.

"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.

"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.

"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.

"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).

"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.

"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."

"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

(a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.

You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

B.3.2 The BSD License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

B.3.3 Creative Commons Attribution-ShareAlike License, version 3.0

Creative Commons Attribution-ShareAlike 3.0 Unported

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS.
REATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE License THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS. Definitions 1. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License. 2. 
"Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined below) for the purposes of this License. 3. "Creative Commons Compatible License" means a license that is listed at http://creativecommons.org/
compatiblelicenses that has been approved by Creative Commons as being essentially equivalent to this License, including, at a minimum, because that license: (i) contains terms that have the same purpose, meaning and effect as the License Elements of this License; and, (ii) explicitly permits the relicensing of adaptations of works made available under that license under this License or a Creative Commons jurisdiction license with the same License Elements as this License. Access Point, Wireless Controller, and Service Platform System Reference Guide B - 18 PUBLICLY AVAILABLE SOFTWARE 4. "Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership. 5. "License Elements" means the following high-level license attributes as selected by Licensor and indicated in the title of this License: Attribution, ShareAlike. 6. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License. 7. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition
(i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore;
(ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast. 8. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work. 9. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation. 10. 
"Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images. 11. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium. 12. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws. 13. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections;
b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified.";
c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and, d. to Distribute and Publicly Perform Adaptations. For the avoidance of doubt:
1. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
2. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and, 3. Voluntary License Schemes. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License. The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved. 4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(c), as requested. b. You may Distribute or Publicly Perform an Adaptation only under the terms of: (i) this License; (ii) a later version of this License with the same License Elements as this License; (iii) a Creative Commons jurisdiction license (either this or a later license version) that contains the same License Elements as this License (e.g., Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible License. 
If you license the Adaptation under one of the licenses mentioned in (iv), you must comply with the terms of that license. If you license the Adaptation under the terms of any of the licenses mentioned in (i), (ii) or (iii) (the "Applicable License"), you must comply with the terms of the Applicable License generally and the following provisions: (I) You must include a copy of, or the URI for, the Applicable License with every copy of each Adaptation You Distribute or Publicly Perform; (II) You may not offer or impose any terms on the Adaptation that restrict the terms of the Applicable License or the ability of the recipient of the Adaptation to exercise the rights granted to that recipient under the terms of the Applicable License; (III) You must keep intact all notices that refer to the Applicable License and to the disclaimer of warranties with every copy of the Work as included in the Adaptation You Distribute or Publicly Perform; (IV) when You Distribute or Publicly Perform the Adaptation, You may not impose any effective technological measures on the Adaptation that restrict the ability of a recipient of the Adaptation from You to exercise the rights granted to that recipient under the terms of the Applicable License. This Section 4(b) applies to the Adaptation as incorporated in a Collection, but this does not require the Collection apart from the Adaptation itself to be made subject to the terms of the Applicable License. c. 
If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv), consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of a Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors. 
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties. d. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise. 5. Representations, Warranties and Disclaimer. 
UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU. 6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 7. Termination. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). 
Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above. 8. Miscellaneous. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You. 
The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law. Creative Commons Notice Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor. Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, Creative Commons does not authorize the use by either party of the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. 
Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time. For the avoidance of doubt, this trademark restriction does not form part of the License. Creative Commons may be contacted at http://creativecommons.org/. B.3.4 DropBear License Dropbear contains a number of components from different sources, hence there are a few licenses and authors involved. All licenses are fairly non-restrictive. The majority of code is written by Matt Johnston, under the license below. Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the same license:
Copyright (c) 2002-2004 Matt Johnston Portions copyright (c) 2004 Mihnea Stoenescu All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. LibTomCrypt and LibTomMath are written by Tom St Denis, and are .
=====
sshpty.c is taken from OpenSSH 3.5p1, Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. All rights reserved.
"As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or
"Secure Shell". "
=====
loginrec.c loginrec.h atomicio.h atomicio.c and strlcat() (included in util.c) are from OpenSSH 3.6.1p2, and are licensed under the 2 point license. loginrec is written primarily by Andre Lucas, atomicio.c by Theo de Raadt. strlcat() is (c) Todd C. Miller
=====
Import code in keyimport.c is modified from PuTTY's import.c, licensed as follows:
PuTTY is copyright 1997-2003 Simon Tatham. Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, and CORE SDI S.A. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-------------------------------------------------------------------------------
B.3.5 GNU General Public License, version 2 GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. 
To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. B.3.6 GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
The modified work must itself be a software library. You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. 
(If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. 
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable
"work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. 
Access Point, Wireless Controller, and Service Platform System Reference Guide B - 28 PUBLICLY AVAILABLE SOFTWARE
Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 
If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
B.3.7 GNU Lesser General Public License 2.1
GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--
typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. 
Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. 
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law:
that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
The modified work must itself be a software library. You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. 
(If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. 
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable
"work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. 
Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 
If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
B.3.8 CC0 1.0 Universal
Creative Commons Legal Code CC0 1.0 Universal
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work"). 
Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others.
For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.
Copyright and Related Rights.
A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:
the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
moral rights retained by the original author(s) and/or performer(s);
publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
rights protecting the extraction, dissemination, use and reuse of data in a Work;
database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and
other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof.
Waiver.
To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose.
Public License Fallback.
Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.
Limitations and Disclaimers.
No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
B.3.9 GNU General Public License, version 3
GNU GENERAL PUBLIC LICENSE
Version 3, 29 June 2007
Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for software and other kinds of works.
The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things.
To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it.
For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions.
Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users.
Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free.
The precise terms and conditions for copying, distribution and modification follow.
TERMS AND CONDITIONS
Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations.
To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work.
A "covered work" means either the unmodified Program or a work based on the Program.
To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well.
To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying.
An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.
1. Source Code.
The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.
A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language.
The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it.
The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work.
The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source.
The Corresponding Source for a work in source code form is that same work.
2. Basic Permissions.
All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law.
You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you.
Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.
3. Protecting Users' Legal Rights From Anti-Circumvention Law.
No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.
4. Conveying Verbatim Copies.
You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program.
You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.
5. Conveying Modified Source Versions.
You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified it, and giving a relevant date.
b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices".
c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.
d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.
A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.
6. Conveying Non-Source Forms.
You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.
c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.
d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work.
A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made.
If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM).
The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network.
Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.
7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions.
When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission.
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or
b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or
c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or
d) Limiting the use for publicity purposes of names of licensors or authors of the material; or
e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or
f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.
All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying.
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms.
Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.
8. Termination.
You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11).
However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice.
Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.
9. Acceptance Not Required for Having Copies.
You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.
10. Automatic Licensing of Downstream Recipients.
Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License.
An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations.
If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts.
You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.
11. Patents.
A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version".
A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version.
In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party.
If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid.
If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it.
A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

B.3.10 ISC License

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

B.3.11 GNU Lesser General Public License, version 3.0

GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below.

Additional Definitions.

As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License.

"The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work.

1. Exception to Section 3 of the GNU GPL.

You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL.

2. Conveying Modified Versions.

If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version:
a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or
b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy.

3. Object Code Incorporating Material from Library Header Files.

The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License.
b) Accompany the object code with a copy of the GNU GPL and this license document.

4. Combined Works.

You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following:
a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License.
b) Accompany the Combined Work with a copy of the GNU GPL and this license document.
c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document.
d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.
1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that
(a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version.
e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.)

5. Combined Libraries.

You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License.
b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

6. Revised Versions of the GNU Lesser General Public License.

The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library.

B.3.12 GNU General Public License 2.0

GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble

The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too.

When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations.
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, thus in effect making the program proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves.
This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one.

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION

0. This License Agreement applies to any software library which contains notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law:
that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)

"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.

Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.

1 You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.

2 You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)

These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License.
(If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library.

4 You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.

5 A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.

6 As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.

For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.

7 You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

8 You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

9 You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.

10 Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.

11 If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who Access Point, Wireless Controller, and Service Platform System Reference Guide B - 55 PUBLICLY AVAILABLE SOFTWARE receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 
12 If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13 The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14 If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY Access Point, Wireless Controller, and Service Platform System Reference Guide B - 56 PUBLICLY AVAILABLE SOFTWARE TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS B.3.13 GNU Lesser General Public License, version 2.0 GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights. Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library. Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library.
If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better.
However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.
1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
* a) The modified work must itself be a software library.
* b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
* c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
* d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.
3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library.
4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.
6. As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
* a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
* b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
* c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
* d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
* a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
* b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.
9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.
10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License.
11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.
13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.
14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
B.3.14 GNU Lesser General Public License, version 2.1
GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library.
Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. 
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run. B.3.15 GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". 
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law:
that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1 You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2 You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a. The modified work must itself be a software library. b. You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. c. You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. d. If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. 
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4 You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5 A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. 
Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6 As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a. Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable
"work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b. Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that
(1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c. Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d. If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e. Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 
7 You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a. Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8 You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9 You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10 Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11 If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 
12 If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13 The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14 If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. B.3.16 MIT License Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and distribute this software and its documentation for any purpose, provided that the above copyright notice and the following two paragraphs appear in all copies of this software. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. B.3.17 Mozilla Public License, version 2 Version 2.0 1. Definitions 1.1. Contributor means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software. 1.2. Contributor Version means the combination of the Contributions of others (if any) used by a Contributor and that particular Contribution. 1.3. Contribution means Covered Software of a particular Contributor. 1.4. Covered Software means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof. 1.5. Incompatible With Secondary Licenses means 1. that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or 2. that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License. 1.6. Executable Form means any form of the work other than Source Code Form. 1.7. Larger Work means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software. 1.8. License means this document. 1.9. Licensable means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License. 1.10. Modifications means any of the following:
1. any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or 2. any new file in Source Code Form that contains any Covered Software. 1.11. Patent Claims of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version. 1.12. Secondary License means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses. 1.13. Source Code Form means the form of the work preferred for making modifications. 1.14. You (or Your) means an individual or a legal entity exercising rights under this License. For legal entities, You includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, control means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. License Grants and Conditions 2.1. Grants Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
1. under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and 2. under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version. 2.2. Effective Date The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution. 2.3. Limitations on Grant Scope The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:
1. for any code that a Contributor has removed from Covered Software; or 2. for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or 3. under Patent Claims infringed by Covered Software in the absence of its Contributions. This License does not grant any rights in the trademarks, service marks, or logos of any Contributor
(except as may be necessary to comply with the notice requirements in Section 3.4). 2.4. Subsequent Licenses No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3). 2.5. Representation Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License. 2.6. Fair Use This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents. 2.7. Conditions Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1. 3. Responsibilities 3.1. Distribution of Source Form All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form. 3.2. Distribution of Executable Form If You distribute Covered Software in Executable Form then:
1. such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and 2. You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License. 3.3. Distribution of a Larger Work You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s). 3.4. Notices You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies. 3.5. Application of Additional Terms You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor. 
You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction. 4. Inability to Comply Due to Statute or Regulation If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Termination 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice. 
5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements
(excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination.

6. Disclaimer of Warranty

Covered Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer.

7. Limitation of Liability

Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.

8. Litigation

Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims.

9. Miscellaneous

This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor.

10. Versions of the License

10.1. New Versions

Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number.

10.2. Effect of New Versions

You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward.

10.3. Modified Versions

If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License).

10.4.
Distributing Source Code Form that is Incompatible With Secondary Licenses If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached. Exhibit A - Source Code Form License Notice This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. You may add additional accurate notices of copyright ownership. Exhibit B - Incompatible With Secondary Licenses Notice This Source Code Form is Incompatible With Secondary Licenses, as defined by the Mozilla Public License, v. 2.0. B.3.18 The Open LDAP Public License The OpenLDAP Public License Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:
1. Redistributions in source form must retain copyright statements and notices,
2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and
3. Redistributions must contain a verbatim copy of this document.

The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.

THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.

OpenLDAP is a registered trademark of the OpenLDAP Foundation.

Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved.
Permission to copy and distribute verbatim copies of this document is granted. B.3.19 OpenSSL License OpenSSL License Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org)"
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

B.3.20 WU-FTPD Software License

WU-FTPD SOFTWARE LICENSE

Use, modification, or redistribution (including distribution of any modified or derived work) in any form, or on any medium, is permitted only if all the following conditions are met:
1. Redistributions qualify as "freeware" or "Open Source Software" under the following terms:
a. Redistributions are made at no charge beyond the reasonable cost of materials and delivery. Where redistribution of this software is as part of a larger package or combined work, this restriction applies only to the costs of materials and delivery of this software, not to any other costs associated with the larger package or combined work.
b. Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide a copy of the Source Code for up to three years at the cost of materials and delivery. Such redistributions must allow further use, modification, and redistribution of the Source Code under substantially the same terms as this license. For the purposes of redistribution "Source Code" means all files included in the original distribution, including all modifications or additions, on a medium and in a form allowing fully working executable programs to be produced.
2. Redistributions of Source Code must retain the copyright notices as they appear in each Source Code file and the COPYRIGHT file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below.
3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other materials provided with the distribution. For the purposes of binary distribution the "Copyright Notice" refers to the following language:
Copyright (c) 1999,2000,2001 WU-FTPD Development Group. All rights reserved.
Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 The Regents of the University of California.
Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
Portions Copyright (c) 1998 Sendmail, Inc.
Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman.
Portions Copyright (c) 1989 Massachusetts Institute of Technology.
Portions Copyright (c) 1997 Stan Barber.
Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 Free Software Foundation, Inc.
Portions Copyright (c) 1997 Kent Landfield.

Use and distribution of this software and its source code are governed by the terms and conditions of the WU-FTPD Software License ("LICENSE"). If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/license.html

4. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the WU-FTPD Development Group, the Washington University at Saint Louis, Berkeley Software Design, Inc., and their contributors."
5. Neither the name of the WU-FTPD Development Group, nor the names of any copyright holders, nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission. The names "wuftpd" and "wu-ftpd" are trademarks of the WU-FTPD Development Group and the Washington University at Saint Louis.
6. Disclaimer/Limitation of Liability:
THIS SOFTWARE IS PROVIDED BY THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, AND CONTRIBUTORS, "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, OR CONTRIBUTORS, BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. USE, MODIFICATION, OR REDISTRIBUTION, OF THIS SOFTWARE IMPLIES ACCEPTANCE OF ALL TERMS AND CONDITIONS OF THIS LICENSE.

B.3.21 zlib License

Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler

This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.

Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.

Jean-loup Gailly, Mark Adler
jloup@gzip.org, madler@alumni.caltech.edu

B.3.22 Python License, Version 2 (Python-2.0)

PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
--------------------------------------------
This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation.

Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee.

In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python.

PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.

PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

This License Agreement will automatically terminate upon a material breach of its terms and conditions.

Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee.
This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.

By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement.

B.3.23 BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0
------------------------------------------------------------------------------
BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1

This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the Individual or Organization ("Licensee") accessing and otherwise using this software in source or binary form and its associated documentation ("the Software").

Subject to the terms and conditions of this BeOpen Python License Agreement, BeOpen hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use the Software alone or in any derivative version, provided, however, that the BeOpen Python License is retained in the Software, alone or in any derivative version prepared by Licensee.

BeOpen is making the Software available to Licensee on an "AS IS" basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.

BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

This License Agreement will automatically terminate upon a material breach of its terms and conditions.

This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between BeOpen and Licensee.
This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee, or any third party. As an exception, the "BeOpen Python" logos available at http://www.pythonlabs.com/logos.html may be used according to the permissions granted on that web page. By copying, installing or otherwise using the software, Licensee agrees to be bound by the terms and conditions of this License Agreement. B.3.24 CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1)
-----------------------------------------------------------------------------------------
IMPORTANT: PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY.

BY CLICKING ON "ACCEPT" WHERE INDICATED BELOW, OR BY COPYING, INSTALLING OR OTHERWISE USING PYTHON 1.6, beta 1 SOFTWARE, YOU ARE DEEMED TO HAVE AGREED TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.

This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 1.6, beta 1 software in source or binary form and its associated documentation, as released at the www.python.org Internet site on August 4, 2000 ("Python 1.6b1").

Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 1.6b1 alone or in any derivative version, provided, however, that CNRI's License Agreement is retained in Python 1.6b1, alone or in any derivative version prepared by Licensee.

Alternately, in lieu of CNRI's License Agreement, Licensee may substitute the following text (omitting the quotes): "Python 1.6, beta 1, is made available subject to the terms and conditions in CNRI's License Agreement. This Agreement may be located on the Internet using the following unique, persistent identifier (known as a handle): 1895.22/1011. This Agreement may also be obtained from a proxy server on the Internet using the URL: http://hdl.handle.net/1895.22/1011".

In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6b1 or any part thereof, and wants to make the derivative work available to the public as provided herein, then Licensee hereby agrees to indicate in any such work the nature of the modifications made to Python 1.6b1.

CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.

CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING PYTHON 1.6b1, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.

This License Agreement will automatically terminate upon a material breach of its terms and conditions.

This License Agreement shall be governed by and interpreted in all respects by the law of the State of Virginia, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between CNRI and Licensee. This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.

By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6b1, Licensee agrees to be bound by the terms and conditions of this License Agreement.

ACCEPT

B.3.25 CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2
-----------------------------------------------------------------------------------------
Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved.

Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.

STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

B.3.26 Zope Public License (ZPL) Version 2.0

Zope Public License (ZPL) Version 2.0
-----------------------------------------------
This software is Copyright (c) Zope Corporation (tm) and Contributors. All rights reserved.

This license has been certified as open source. It has also been designated as GPL compatible by the Free Software Foundation (FSF).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions in source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
The name Zope Corporation (tm) must not be used to endorse or promote products derived from this software without prior written permission from Zope Corporation.
The right to distribute this software or to use it for any purpose does not give you the right to use Servicemarks (sm) or Trademarks (tm) of Zope Corporation. Use of them is covered in a separate agreement (see http://www.zope.com/Marks).
If any files are modified, you must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

Disclaimer

THIS SOFTWARE IS PROVIDED BY ZOPE CORPORATION ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ZOPE CORPORATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

This software consists of contributions made by Zope Corporation and many individuals on behalf of Zope Corporation. Specific attributions are listed in the accompanying credits file.
B.3.27 Zope Public License (ZPL) Version 2.1

Zope Public License (ZPL) Version 2.1
--------------------------------------------------
A copyright notice accompanies this license document that identifies the copyright holders.

This license has been certified as open source. It has also been designated as GPL compatible by the Free Software Foundation (FSF).

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
Redistributions in source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
The name Zope Corporation (tm) must not be used to endorse or promote products derived from this software without prior written permission from Zope Corporation.
The right to distribute this software or to use it for any purpose does not give you the right to use Servicemarks (sm) or Trademarks (tm) of Zope Corporation. Use of them is covered in a separate agreement (see http://www.zope.com/Marks).
If any files are modified, you must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.

Disclaimer

THIS SOFTWARE IS PROVIDED BY ZOPE CORPORATION ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ZOPE CORPORATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
WiNG 5.9.1 System Reference Guide Part 1 (Users Manual)

WiNG 5.9.1 Wireless Controller and Service Platform System Reference Guide

Published September 2017
9035204

Copyright 2017 Extreme Networks, Inc. All Rights Reserved.

Legal Notices

Extreme Networks, Inc. reserves the right to make changes in specifications and other information contained in this document and its website without prior notice. The reader should in all cases consult representatives of Extreme Networks to determine whether any such changes have been made. The hardware, firmware, software or any specifications described or referred to in this document are subject to change without notice.

Trademarks

Extreme Networks and the Extreme Networks logo are trademarks or registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names (including any product names) mentioned in this document are the property of their respective owners and may be trademarks or registered trademarks of their respective companies/owners. For additional information about Extreme Networks trademarks, go to:
www.extremenetworks.com/company/legal/trademarks/
Support For product support, including documentation, visit: www.extremenetworks.com/support/
Table of Contents

About This Guide

Chapter 1, Overview
1.1 Distributed Intelligence  1-2
1.2 High Availability Networks  1-2
1.3 Gap Free Security  1-2
1.4 Outdoor Wireless and Mesh Networking  1-2
1.5 Network Services, Routing and Switching  1-3
1.6 Management, Deployment and Troubleshooting  1-3

Chapter 2, Web UI Features
2.1 Accessing the Web UI  2-1
2.1.1 Browser and System Requirements  2-1
2.1.2 Connecting to the Web UI  2-1
2.2 Glossary of Icons Used  2-2
2.2.1 Global Icons  2-3
2.2.2 Dialog Box Icons  2-3
2.2.3 Table Icons  2-4
2.2.4 Status Icons  2-4
2.2.5 Configurable Objects  2-5
2.2.6 Configuration Objects  2-7
2.2.7 Configuration Operation Icons  2-8
2.2.8 Access Type Icons  2-8
2.2.9 Administrative Role Icons  2-9
2.2.10 Device Icons  2-9

Chapter 3, Quick Start
3.1 Using the Initial Setup Wizard  3-1

Chapter 4, Dashboard
4.1 Summary  4-1
4.1.1 Device Listing  4-2
4.2 System Screen  4-3
4.2.1 Health  4-3
4.2.2 Inventory  4-5
4.3 RF Domain Screen  4-6
4.3.1 RF Domain Health  4-7
4.3.2 RF Domain Inventory  4-9
4.4 Controller  4-11
4.4.1 Controller Health  4-11
4.4.2 Controller Inventory  4-13
4.4.3 T5 Controller Dashboard  4-15
4.4.4 EX3500 Switch Dashboard  4-21
4.5 Access Point Screen  4-24
4.5.1 Access Point Health
.....................................................................................................................................................................................4-24 4.5.2 Access Point Inventory ..............................................................................................................................................................................4-26 4.6 Network View ............................................................................................................................................................................................................4-27 4.7 Debug Wireless Clients ..........................................................................................................................................................................................4-29 Wireless Controller and Service Platform System Reference Guide i Table of Contents 4.8 Debug Captive Portal Clients ...............................................................................................................................................................................4-31 4.9 Packet Capture ..........................................................................................................................................................................................................4-32 Chapter 5, Device Configuration 5.1 Basic Configuration ..................................................................................................................................................................................................... 5-2 5.2 Basic Device Configuration ..................................................................................................................................................................................... 
5-3 5.2.1 License Configuration .....................................................................................................................................................................................5-7 5.2.2 Assigning Certificates ..................................................................................................................................................................................5-10 5.2.3 Port Mirroring (NX4524 and NX6524 Service Platforms only) .................................................................................................5-29 5.2.4 Wired 802.1x Configuration .....................................................................................................................................................................5-30 5.2.5 RF Domain Overrides ..................................................................................................................................................................................5-32 5.2.6 Profile Overrides ...........................................................................................................................................................................................5-38 5.2.7 Profile Interface Override Configuration ..............................................................................................................................................5-51 5.2.8 Overriding a Profiles Network Configuration ................................................................................................................................. 5-114 5.2.9 Overriding a Profiles Security Configuration ................................................................................................................................ 5-202 5.3 Auto Provisioning Policies ................................................................................................................................................................................. 
5-268 5.3.1 Configuring an Auto-Provisioning Policy ......................................................................................................................................... 5-270 5.4 Managing an Event Policy ...................................................................................................................................................................................5-275 5.5 Managing MINT Policies ...................................................................................................................................................................................... 5-276 Chapter 6, Wireless Configuration 6.1 Wireless LAN Policy .................................................................................................................................................................................................... 6-2 6.1.1 Basic WLAN Configuration........................................................................................................................................................................... 6-4 6.1.2 Configuring WLAN Security ....................................................................................................................................................................... 
6-7 6.1.3 Configuring WLAN Firewall Support ....................................................................................................................................................6-27 6.1.4 Configuring Client Settings .......................................................................................................................................................................6-35 6.1.5 Configuring WLAN Accounting Settings ............................................................................................................................................6-39 6.1.6 Configuring WLAN Service Monitoring Settings ............................................................................................................................. 6-40 6.1.7 Configuring Client Load Balancing Settings .......................................................................................................................................6-42 6.1.8 Configuring Advanced WLAN Settings .............................................................................................................................................. 6-44 6.1.9 Configuring Auto Shutdown Settings ................................................................................................................................................. 
6-49 6.2 Configuring WLAN QoS Policies .........................................................................................................................................................................6-51 6.2.1 Configuring a WLANs QoS WMM Settings ........................................................................................................................................6-53 6.2.2 Configuring Rate Limit Settings ............................................................................................................................................................6-58 6.2.3 Configuring Multimedia Optimization Settings .............................................................................................................................. 6-64 6.2.4 WLAN QoS Deployment Considerations .......................................................................................................................................... 6-66 6.3 Radio QoS Policy ..................................................................................................................................................................................................... 
6-66 6.3.1 Configuring Radio QoS Policies ...............................................................................................................................................................6-68 6.3.2 Radio QoS Configuration and Deployment Considerations .......................................................................................................6-76 6.4 Association ACL ........................................................................................................................................................................................................6-77 6.4.1 Association ACL Deployment Considerations ..................................................................................................................................6-79 6.5 Smart RF Policy .........................................................................................................................................................................................................6-79 6.5.1 Smart RF Configuration and Deployment Considerations .......................................................................................................... 
6-90 6.6 MeshConnex Policy ...................................................................................................................................................................................................6-91 6.7 Mesh QoS Policy ........................................................................................................................................................................................................6-97 6.8 Passpoint Policy ......................................................................................................................................................................................................6-104 6.9 Sensor Policy ............................................................................................................................................................................................................. 6-112 Chapter 7, Network Configuration 7.1 Policy Based Routing ...................................................................................................................................................................................................7-1 7.2 L2TP V3 Configuration ............................................................................................................................................................................................. 7-6 Wireless Controller and Service Platform System Reference Guide ii Table of Contents 7.3 Crypto CMP Policy ...................................................................................................................................................................................................... 7-9 7.4 AAA Policy ................................................................................................................................................................................................................... 
7-12 7.5 AAA TACACS Policy ................................................................................................................................................................................................ 7-23 7.6 IPv6 Router Advertisement Policy ....................................................................................................................................................................7-29 7.7 BGP .................................................................................................................................................................................................................................7-33 7.7.1 IP Access List ...................................................................................................................................................................................................7-39 7.7.2 AS Path List ......................................................................................................................................................................................................7-41 7.7.3 IP Prefix List ....................................................................................................................................................................................................7-43 7.7.4 Community List .............................................................................................................................................................................................7-44 7.7.5 External Community List ...........................................................................................................................................................................7-46 7.8 Alias ................................................................................................................................................................................................................................7-47 7.8.1 
Network Basic Alias ......................................................................................................................................................................................7-48 7.8.2 Network Group Alias .................................................................................................................................................................................... 7-51 7.8.3 Network Service Alias .................................................................................................................................................................................7-52 7.9 Application Policy .....................................................................................................................................................................................................7-54 7.10 Application ................................................................................................................................................................................................................7-58 7.11 Application Group ................................................................................................................................................................................................... 
7-60 7.12 Schedule Policy ........................................................................................................................................................................................................7-62 7.13 URL Filtering ..............................................................................................................................................................................................................7-63 7.14 Web Filtering ............................................................................................................................................................................................................7-67 7.15 EX3500 QoS Class ..................................................................................................................................................................................................7-68 7.16 EX3500 QoS Policy Map ...................................................................................................................................................................................... 7-72 7.17 Network Deployment Considerations ............................................................................................................................................................ 7-77 Chapter 8, Profile Configuration 8.1 General Profile Configuration ................................................................................................................................................................................. 8-5 8.1.1 General Profile Configuration and Deployment Considerations ................................................................................................... 8-8 8.2 Profile Cluster Configuration (Controllers and Service Platforms) ........................................................................................................ 
8-8 8.2.1 Cluster Profile Configuration and Deployment Considerations ...................................................................................................8-11 8.3 Profile Adoption Configuration (APs Only) .....................................................................................................................................................8-11 8.4 Profile Adoption Configuration (Controllers Only) .....................................................................................................................................8-13 8.5 Profile Radio Power (AP7161, AP81XX Only) ..................................................................................................................................................8-16 8.6 Profile 802.1x Configuration ..................................................................................................................................................................................8-18 8.7 Profile Interface Configuration .............................................................................................................................................................................8-19 8.7.1 Ethernet Port Configuration ......................................................................................................................................................................8-19 8.7.2 Virtual Interface Configuration .............................................................................................................................................................. 
8-30 8.7.3 Port Channel Configuration ......................................................................................................................................................................8-43 8.7.4 VM Interface Configuration ..................................................................................................................................................................... 8-50 8.7.5 Access Point Radio Configuration .........................................................................................................................................................8-55 8.7.6 WAN Backhaul Configuration ..................................................................................................................................................................8-71 8.7.7 PPPoE Configuration ..................................................................................................................................................................................8-73 8.7.8 Bluetooth Configuration ............................................................................................................................................................................8-76 8.7.9 Profile Interface Deployment Considerations ..................................................................................................................................8-79 8.8 Profile Network Configuration ............................................................................................................................................................................8-79 8.8.1 Setting a Profiles DNS Configuration .................................................................................................................................................. 
8-80 8.8.2 Setting a Profiles ARP Configuration ...................................................................................................................................................8-81 8.8.3 Setting a Profiles L2TPV3 Configuration ...........................................................................................................................................8-82 8.8.4 Setting a Profiles GRE Configuration ..................................................................................................................................................8-92 8.8.5 Setting a Profiles IGMP Snooping Configuration ...........................................................................................................................8-95 8.8.6 Setting a Profiles MLD Snooping Configuration .............................................................................................................................8-97 8.8.7 Setting a Profiles Quality of Service (QoS) Configuration .........................................................................................................8-99 8.8.8 Setting a Profiles Spanning Tree Configuration ...........................................................................................................................8-103 8.8.9 Setting a Profiles Routing Configuration ......................................................................................................................................8-106 Wireless Controller and Service Platform System Reference Guide iii Table of Contents 8.8.10 Setting a Profiles Dynamic Routing (OSPF) Configuration .................................................................................................... 8-110 8.8.11 Setting a Profiles Border Gateway Protocol (BGP) Configuration ....................................................................................... 
8-129 8.8.12 Setting a Profiles Forwarding Database Configuration .......................................................................................................... 8-142 8.8.13 Setting a Profiles Bridge VLAN Configuration .............................................................................................................................8-144 8.8.14 Setting a Profiles Cisco Discovery Protocol Configuration .................................................................................................... 8-152 8.8.15 Setting a Profiles Link Layer Discovery Protocol Configuration .......................................................................................... 8-153 8.8.16 Setting a Profiles Miscellaneous Network Configuration ........................................................................................................ 8-154 8.8.17 Setting a Profiles Alias Configuration .............................................................................................................................................. 8-155 8.8.18 Setting a Profiles IPv6 Neighbor Configuration .......................................................................................................................... 8-162 8.8.19 Profile Network Configuration and Deployment Considerations .........................................................................................8-164 8.9 Profile Security Configuration ...........................................................................................................................................................................8-164 8.9.1 Setting the Profiles Security Settings ................................................................................................................................................8-164 8.9.2 Setting the Profiles Certificate Revocation List (CRL) Configuration ................................................................................. 
8-166 8.9.3 Setting the Profiles Trustpoint Configuration ............................................................................................................................... 8-167 8.9.4 Setting the Profiles VPN Configuration ........................................................................................................................................... 8-168 8.9.5 Setting the Profiles Auto IPSec Tunnel Configuration ............................................................................................................... 8-184 8.9.6 Setting the Profiles NAT Configuration ........................................................................................................................................... 8-186 8.9.7 Setting the Profiles Bridge NAT Configuration ............................................................................................................................. 8-193 8.9.8 Setting the Profiles Application Visibility (AVC) Configuration ............................................................................................ 8-195 8.9.9 Profile Security Configuration and Deployment Considerations ........................................................................................... 8-197 8.10 Profile VRRP Configuration .............................................................................................................................................................................. 
8-197 8.11 Profile Critical Resources Configuration .......................................................................................................................................................8-201 8.12 Profile Services Configuration ........................................................................................................................................................................8-205 8.12.1 Profile Services Configuration and Deployment Considerations ..........................................................................................8-207 8.13 Profile Management Configuration ...............................................................................................................................................................8-207 8.13.1 Profile Management Configuration and Deployment Considerations ................................................................................. 8-213 8.14 Profile Mesh Point Configuration .................................................................................................................................................................... 8-213 8.14.1 Vehicle Mounted Modem (VMM) Deployment Considerations .............................................................................................. 8-221 8.15 Profile Environmental Sensor Configuration (AP8132 Only) .............................................................................................................. 8-222 8.16 Advanced Profile Configuration .................................................................................................................................................................... 8-224 8.16.1 Client Load Balance Configuration .................................................................................................................................................... 
8-224
8.16.2 Configuring MINT Protocol ... 8-227
8.16.3 Advanced Profile Miscellaneous Configuration ... 8-234

Chapter 9, RF Domains
9.1 Managing RF Domains ... 9-2
  9.1.1 RF Domain Basic Configuration ... 9-3
  9.1.2 RF Domain Sensor Configuration ... 9-6
  9.1.3 RF Client Name Configuration ... 9-8
  9.1.4 RF Domain Overrides ... 9-9
  9.1.5 RF Domain Network Alias ... 9-13
  9.1.6 RF Domain Deployment Considerations ... 9-21

Chapter 10, Security
10.1 Wireless Firewall ... 10-1
  10.1.1 Configuring a Firewall Policy ... 10-2
  10.1.2 Configuring MAC Firewall Rules ... 10-15
  10.1.3 Firewall Deployment Considerations ... 10-20
10.2 Configuring IP Firewall Rules ... 10-20
  10.2.1 Setting an IPv4 or IPv6 Firewall Policy ... 10-21
  10.2.2 Setting an IP SNMP ACL Policy ... 10-24
  10.2.3 Network Group Alias ... 10-26

Wireless Controller and Service Platform System Reference Guide iv Table of Contents

  10.2.4 Network Service Alias ... 10-27
  10.2.5 EX3500 ACL Standard ... 10-29
  10.2.6 EX3500 ACL Extended ... 10-31
10.3 Wireless Client Roles ... 10-33
  10.3.1 Configuring a Clients Role Policy ... 10-34
10.4 Device Fingerprinting ... 10-47
10.5 Intrusion Prevention ... 10-51
  10.5.1 Configuring a WIPS Policy ... 10-52
  10.5.2 Configuring a WIPS Device Categorization Policy ... 10-61
  10.5.3 Intrusion Detection Deployment Considerations ... 10-64
10.6 EX3500 Time Range ... 10-64

Chapter 11, Services
11.1 Configuring Captive Portal Policies ... 11-1
  11.1.1 Configuring a Captive Portal Policy ... 11-2
  11.1.2 Creating DNS Whitelists ... 11-13
  11.1.3 Captive Portal Deployment Considerations ... 11-14
11.2 Setting the Guest Management Configuration ... 11-15
  11.2.1 Email ... 11-17
  11.2.2 SMS ... 11-18
  11.2.3 SMS SMTP ... 11-20
  11.2.4 DB Export ... 11-22
11.3 Setting the DHCP Configuration ... 11-24
  11.3.1 Defining DHCP Pools ... 11-26
  11.3.2 Defining DHCP Server Global Settings ... 11-35
  11.3.3 DHCP Class Policy Configuration ... 11-37
  11.3.4 DHCP Deployment Considerations ... 11-38
11.4 Setting the Bonjour Gateway Configuration ... 11-39
  11.4.1 Configuring a Bonjour Discovery Policy ... 11-39
  11.4.2 Configuring a Bonjour Forwarding Policy ... 11-41
11.5 DHCPv6 Server Policy ... 11-43
  11.5.1 Defining DHCPv6 Options ... 11-45
  11.5.2 DHCPv6 Pool Configuration ... 11-46
11.6 Setting the RADIUS Configuration ... 11-49
  11.6.1 Creating RADIUS Groups ... 11-50
  11.6.2 Defining User Pools ... 11-53
  11.6.3 Configuring RADIUS Server Policies ... 11-57
  11.6.4 RADIUS Deployment Considerations ... 11-68
11.7 URL Lists ... 11-69
  11.7.1 Adding or Editing URL Lists ... 11-69

Chapter 12, Management Access
12.1 Viewing Management Access Policies ... 12-1
  12.1.1 Adding or Editing a Management Access Policy ... 12-3
12.2 EX3500 Management Policies ... 12-19
  12.2.1 EX3500 User Groups ... 12-20
  12.2.2 EX3500 Authentication ... 12-22
  12.2.3 EX3500 Exec Password Management ... 12-23
  12.2.4 EX3500 System Settings ... 12-25
  12.2.5 EX3500 SNMP Management ... 12-26
  12.2.6 EX3500 SNMP Users ... 12-30
12.3 Hierarchical Tree ... 12-32
12.4 Management Access Deployment Considerations ... 12-36

Chapter 13, Diagnostics
13.1 Fault Management ... 13-1
13.2 Crash Files ... 13-5
13.3 Advanced Diagnostics ... 13-6
  13.3.1 UI Debugging ... 13-6
  13.3.2 Viewing UI Logs ... 13-7
  13.3.3 Viewing UI Sessions ... 13-8

Chapter 14, Operations
14.1 Device Operations ... 14-1
  14.1.1 Operations Summary ... 14-1
  14.1.2 Adopted Device Upgrades ... 14-4
  14.1.3 Using the File Management Browser ... 14-10
  14.1.4 Restarting Adopted Devices ... 14-13
  14.1.5 Captive Portal Configuration ... 14-14
  14.1.6 Crypto CMP Certificate ... 14-18
  14.1.7 RAID Operations ... 14-19
  14.1.8 Re-elect Controller ... 14-21
14.2 Certificates ... 14-22
  14.2.1 Certificate Management ... 14-23
  14.2.2 RSA Key Management ... 14-31
  14.2.3 Certificate Creation ... 14-36
  14.2.4 Generating a Certificate Signing Request ... 14-38
14.3 Smart RF ... 14-40
  14.3.1 Managing Smart RF for an RF Domain ... 14-41

Chapter 15, Statistics
15.1 System Statistics ... 15-1
  15.1.1 Health ... 15-2
  15.1.2 Inventory ... 15-4
  15.1.3 Adopted Devices ... 15-5
  15.1.4 Pending Adoptions ... 15-6
  15.1.5 Offline Devices ... 15-7
  15.1.6 Device Upgrade ... 15-9
  15.1.7 Licenses ... 15-10
  15.1.8 WIPS Summary ... 15-12
15.2 RF Domain Statistics ... 15-14
  15.2.1 Health ... 15-15
  15.2.2 Inventory ... 15-18
  15.2.3 Devices ... 15-20
  15.2.4 AP Detection ... 15-21
  15.2.5 Wireless Clients ... 15-23
  15.2.6 Device Upgrade ... 15-25
  15.2.7 Wireless LANs ... 15-26
  15.2.8 Radios ... 15-28
  15.2.9 Bluetooth ... 15-31
  15.2.10 Mesh ... 15-33
  15.2.11 Mesh Point ... 15-34
  15.2.12 SMART RF ... 15-49
  15.2.13 WIPS ... 15-54
  15.2.14 Captive Portal ... 15-56
  15.2.15 Application Visibility (AVC) ... 15-58
  15.2.16 Coverage Hole Summary ... 15-61
  15.2.17 Coverage Hole Details ... 15-62
15.3 Controller Statistics ... 15-64
  15.3.1 Health ... 15-65
  15.3.2 Device ... 15-67
  15.3.3 Cluster Peers ... 15-71
  15.3.4 Web-Filtering ... 15-72
  15.3.5 Application Visibility (AVC) ... 15-74
  15.3.6 Application Policy ... 15-77
  15.3.7 Device Upgrade ... 15-79
  15.3.8 Mirroring ... 15-80
  15.3.9 Adoption ... 15-81
  15.3.10 AP Detection ... 15-85
  15.3.11 Guest User ... 15-86
  15.3.12 Wireless LANs ... 15-87
  15.3.13 Policy Based Routing ... 15-88
  15.3.14 Radios ... 15-90
  15.3.15 Mesh ... 15-93
  15.3.16 Interfaces ... 15-94
  15.3.17 Border Gateway Protocol (BGP) Statistics ... 15-105
  15.3.18 RAID Statistics ... 15-114
  15.3.19 Power Status ... 15-116
  15.3.20 PPPoE ... 15-118
  15.3.21 OSPF ... 15-120
  15.3.22 L2TPv3 ... 15-131
  15.3.23 VRRP ... 15-133
  15.3.24 Critical Resources ... 15-137
  15.3.25 LDAP Agent Status ... 15-138
  15.3.26 Mint Links ... 15-139
  15.3.27 Guest Users ... 15-141
  15.3.28 GRE Tunnels ... 15-143
  15.3.29 Dot1x ... 15-144
  15.3.30 Network ... 15-146
  15.3.31 DHCPv6 Relay & Client ... 15-165
  15.3.32 DHCP Server ... 15-167
  15.3.33 Firewall ... 15-170
  15.3.34 VPN ... 15-180
  15.3.35 Viewing Certificate Statistics ... 15-183
  15.3.36 WIPS Statistics ... 15-186
  15.3.37 Sensor Server ... 15-188
  15.3.38 Bonjour Services ... 15-189
  15.3.39 Captive Portal Statistics ... 15-190
  15.3.40 Network Time ... 15-192
15.4 Access Point Statistics ... 15-195
  15.4.1 Health ... 15-196
  15.4.2 Device ... 15-197
  15.4.3 Web-Filtering ... 15-201
  15.4.4 Application Visibility (AVC) ... 15-203
  15.4.5 Device Upgrade ... 15-206
  15.4.6 Adoption ... 15-208
  15.4.7 AP Detection ... 15-212
  15.4.8 Guest User ... 15-213
  15.4.9 Wireless LANs ... 15-214
  15.4.10 Policy Based Routing ... 15-216
  15.4.11 Radios ... 15-217
  15.4.12 Mesh ... 15-221
  15.4.13 Interfaces ... 15-222
  15.4.14 RTLS ... 15-232
  15.4.15 PPPoE ... 15-233
  15.4.16 Bluetooth ... 15-235
  15.4.17 OSPF ... 15-236
  15.4.18 L2TPv3 Tunnels ... 15-246
  15.4.19 VRRP ... 15-248
  15.4.20 Critical Resources ... 15-250
  15.4.21 LDAP Agent Status ... 15-251
  15.4.22 Mint Links ...
15-252 15.4.23 Guest Users .............................................................................................................................................................................................15-254 15.4.24 GRE Tunnels ..........................................................................................................................................................................................15-256 15.4.25 Dot1x ......................................................................................................................................................................................................... 15-257 15.4.26 Network ..................................................................................................................................................................................................15-259 15.4.27 DHCPv6 Relay & Client .....................................................................................................................................................................15-276 15.4.28 DHCP Server .........................................................................................................................................................................................15-278 15.4.29 Firewall .....................................................................................................................................................................................................15-281 15.4.30 VPN ............................................................................................................................................................................................................15-291 15.4.31 Certificates ..............................................................................................................................................................................................15-294 15.4.32 WIPS 
.........................................................................................................................................................................................................15-297 15.4.33 Sensor Servers ......................................................................................................................................................................................15-299 15.4.34 Bonjour Services ................................................................................................................................................................................ 15-300 15.4.35 Captive Portal ........................................................................................................................................................................................15-301 15.4.36 Network Time .......................................................................................................................................................................................15-302 15.4.37 Load Balancing .....................................................................................................................................................................................15-305 15.4.38 Environmental Sensors (AP8132 Models Only) ......................................................................................................................15-307 15.5 Wireless Client Statistics ...................................................................................................................................................................................15-310 15.5.1 Health .............................................................................................................................................................................................................. 
15-311 15.5.2 Details ........................................................................................................................................................................................................... 15-313 15.5.3 Traffic ............................................................................................................................................................................................................ 15-317 15.5.4 WMM TSPEC ..............................................................................................................................................................................................15-319 15.5.5 Association History ................................................................................................................................................................................15-320 15.5.6 Graph ............................................................................................................................................................................................................ 15-321 15.6 Guest Access Statistics ..................................................................................................................................................................................... 15-322 15.6.1 Guest Access Cumulative Statistics ................................................................................................................................................. 
15-323 15.6.2 Social Media Statistics ...........................................................................................................................................................................15-325 15.6.3 Reports ........................................................................................................................................................................................................15-326 15.6.4 Notifications .............................................................................................................................................................................................. 15-327 15.6.5 Guest Access Database ........................................................................................................................................................................15-329 15.7 Analytics Developer Interface ........................................................................................................................................................................ 15-332 15.7.1 Download REST API Toolkit ................................................................................................................................................................ 
15-332 15.7.2 API Assessment .......................................................................................................................................................................................15-335 Chapter 16, Analytics 16.1 System Analytics ........................................................................................................................................................................................................16-1 16.2 RF Domain Analytics ..............................................................................................................................................................................................16-8 16.3 Wireless Controller Analytics ............................................................................................................................................................................ 16-12 16.4 Access Point Analytics ......................................................................................................................................................................................... 16-13 Wireless Controller and Service Platform System Reference Guide viii Table of Contents 16.5 Analytic Event Monitoring .................................................................................................................................................................................. 16-16 Chapter 17, WiNG Events 17.1 Event Messages ........................................................................................................................................................................................................... 
17-1 Appendix A, PUBLICLY AVAILABLE SOFTWARE A.1 General Information ....................................................................................................................................................................................................A-1 A.2 Open Source Software Used .................................................................................................................................................................................A-2 A.3 OSS Licenses ............................................................................................................................................................................................................ A-15 A.3.1 Apache License, Version 2.0 .................................................................................................................................................................... A-15 A.3.2 The BSD License ........................................................................................................................................................................................... A-17 A.3.3 Creative Commons Attribution-ShareAlike License, version 3.0 ............................................................................................. A-18 A.3.4 DropBear License ....................................................................................................................................................................................... A-23 A.3.5 GNU General Public License, version 2 .............................................................................................................................................. A-25 A.3.6 GNU GENERAL PUBLIC LICENSE ........................................................................................................................................................ 
A-26 A.3.7 GNU Lesser General Public License 2.1 ..............................................................................................................................................A-30 A.3.8 CCO 1.0 Universal ........................................................................................................................................................................................ A-37 A.3.9 GNU General Public License, version 3 ..............................................................................................................................................A-39 A.3.10 ISC License ...................................................................................................................................................................................................A-48 A.3.11 GNU Lesser General Public License, version 3.0 ...........................................................................................................................A-48 A.3.12 GNU General Public License 2.0 .......................................................................................................................................................... A-51 A.3.13 GNU Lesser General Public License, version 2.0 .......................................................................................................................... 
A-57 A.3.14 GNU Lesser General Public License, version 2.1 ............................................................................................................................A-63 A.3.15 GNU LESSER GENERAL PUBLIC LICENSE .....................................................................................................................................A-65 A.3.16 MIT License ..................................................................................................................................................................................................A-69 A.3.17 Mozilla Public License, version 2 .........................................................................................................................................................A-70 A.3.18 The Open LDAP Public License ...........................................................................................................................................................A-74 A.3.19 OpenSSL License ....................................................................................................................................................................................... A-75 A.3.20 WU-FTPD Software License ................................................................................................................................................................ A-76 A.3.21 zlib License ................................................................................................................................................................................................... A-77 A.3.22 Python License, Version 2 (Python-2.0) ......................................................................................................................................... A-78 A.3.23 BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0 ....................................................................................................... 
A-78 A.3.24 CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1) ......................................................................................... A-79 A.3.25 CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2 ..........................................................................................A-80 A.3.26 Zope Public License (ZPL) Version 2.0 ............................................................................................................................................ A-81 A.3.27 Zope Public License (ZPL) Version 2.1 ............................................................................................................................................. A-82 Wireless Controller and Service Platform System Reference Guide ix About This Guide This manual supports the following Access Point, controller and service platform models:
Wireless Controllers: RFS4000, RFS6000
Service Platforms: NX5500, NX5500E, NX7500, NX75XX, NX7510E, NX9500, NX9510, NX9600, NX9610, VX9000, VX9000E
Access Points: AP6522, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8122, AP8132, AP8163, AP8232, AP8432 and AP8533.

NOTE: Throughout this guide, unless specific model references are needed, AP8122, AP8132, AP8163 models are referred to as AP81XX.

This section is organized into the following:
Document Convention
Notational Conventions
End-User Software License Agreement

Document Convention
The following conventions are used in this manual to draw your attention to important information:
NOTE: Indicates tips or special requirements.
CAUTION: Indicates conditions that can cause equipment damage or data loss.
WARNING! Indicates a condition or procedure that could result in personal injury or equipment damage.
Switch Note: Indicates caveats unique to a particular RFS series controller or NX series service platform.

Notational Conventions
The following notational conventions are used in this document:
Italics are used to highlight specific items in the general text, and to identify chapters and sections in this and related documents.
Bullets (•) indicate:
- lists of alternatives
- lists of required steps that are not necessarily sequential
- action items
Sequential lists (those describing step-by-step procedures) appear as numbered lists.

End-User Software License Agreement
This document is an agreement ("Agreement") between You, the end user, and Extreme Networks, Inc., on behalf of itself and its Affiliates ("Extreme") that sets forth your rights and obligations with respect to the Licensed Materials. BY INSTALLING SOFTWARE AND/OR THE LICENSE KEY FOR THE SOFTWARE ("License Key")
(collectively, "Licensed Software"), IF APPLICABLE, COPYING, OR OTHERWISE USING THE LICENSED SOFTWARE AND/OR ANY OF THE LICENSED MATERIALS UNDER THIS AGREEMENT, YOU ARE AGREEING TO BE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES THE LICENSE(S) AND THE LIMITATION(S) OF WARRANTY AND DISCLAIMER(S)/LIMITATION(S) OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, RETURN THE LICENSE KEY (IF APPLICABLE) TO EXTREME OR YOUR DEALER, IF ANY, OR DO NOT USE THE LICENSED SOFTWARE AND/OR LICENSED MATERIALS AND CONTACT EXTREME OR YOUR DEALER WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT TO ARRANGE FOR A REFUND. IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT EXTREME, Attn: LegalTeam@extremenetworks.com.

1 DEFINITIONS.
"Affiliates" means any person, partnership, corporation, limited liability company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified.
"Server Application" means the software application associated to software authorized for installation (per License Key, if applicable) on one or more of Your servers as further defined in the Ordering Documentation.
"Client Application" shall refer to the application to access the Server Application.
"Network Device" for purposes of this Agreement shall mean a physical computer device, appliance, appliance component, controller, wireless access point, or virtual appliance as further described within the applicable product documentation, which includes the Order Documentation.
"Licensed Materials" means the Licensed Software (including the Server Application and Client Application), Network Device (if applicable), Firmware, media embodying software, and the accompanying documentation.
"Concurrent User" shall refer to any of Your individual employees who You provide access to the Server Application at any one time.
"Firmware" refers to any software program or code embedded in chips or other media.
"Standalone software" is software licensed for use independent of any hardware purchase as identified in the Ordering Documentation.
"Licensed Software" collectively refers to the software, including Standalone software, Firmware, Server Application, Client Application or other application licensed with conditional use parameters as defined in the Ordering Documentation.
"Ordering Documentation" shall mean the applicable price quotation, corresponding purchase order, relevant invoice, order acknowledgement, and accompanying documentation or specifications for the products and services purchased, acquired or licensed hereunder from Extreme either directly or indirectly.

2 TERM.
This Agreement is effective from the date on which You accept the terms and conditions of this Agreement via click-through, commence using the products and services or upon delivery of the License Key if applicable, and shall be effective until terminated. In the case of Licensed Materials offered on a subscription basis, the term of licensed use shall be as defined within Your Ordering Documentation.

3 GRANT OF LICENSE.
Extreme will grant You a non-transferable, non-sublicensable, non-exclusive license to use the Licensed Materials and the accompanying documentation for Your own business purposes subject to the terms and conditions of this Agreement, applicable licensing restrictions, and any term, user, server, networking device, field of use, or other restrictions as set forth in Your Ordering Documentation. If the Licensed Materials are being licensed on a subscription and/or capacity basis, the applicable term and/or capacity limit of the license shall be specified in Your Ordering Documentation. You may install and use the Licensed Materials as permitted by the license type purchased as described below in License Types. The license type purchased is specified on the invoice issued to You by Extreme or Your dealer, if any. YOU MAY NOT USE, COPY, OR MODIFY THE LICENSED MATERIALS, IN WHOLE OR IN PART, EXCEPT AS EXPRESSLY PROVIDED IN THIS AGREEMENT.

4 LICENSE TYPES.
Single User, Single Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials as bundled with a single Network Device as identified by a unique serial number for the applicable Term, if and as specified in Your Ordering Documentation, or any replacement for that network device for that same Term, for internal use only. A separate license, under a separate License Agreement, is required for any other network device on which You or another individual, employee or other third party intend to use the Licensed Materials. A separate license under a separate License Agreement is also required if You wish to use a Client license (as described below).
Single User, Multiple Network Device. Under the terms of this license type, the license granted to You by Extreme authorizes You to use the Licensed Materials with a defined amount of Network Devices as defined in the Ordering Documentation.
Client. Under the terms of the Client license, the license granted to You by Extreme will authorize You to install the License Key for the Licensed Materials on your server and allow the specific number of Concurrent Users as ordered by you and is set forth in Your Ordering Documentation. A separate license is required for each additional Concurrent User.
Standalone. Software or other Licensed Materials licensed to You for use independent of any Network Device.
Subscription. Licensed Materials, and inclusive Software, Network Device or related appliance updates and maintenance services, licensed to You for use during a subscription period as defined in Your applicable Ordering Documentation.
Capacity. Under the terms of this license, the license granted to You by Extreme authorizes You to use the Licensed Materials up to the amount of capacity or usage as defined in the Ordering Documentation.

5 AUDIT RIGHTS.
You agree that Extreme may audit Your use of the Licensed Materials for compliance with these terms and Your License Type at any time, upon reasonable notice. In the event that such audit reveals any use of the Licensed Materials by You other than in full compliance with the license granted and the terms of this Agreement, Extreme reserves the right to charge You for all reasonable expenses related to such audit in addition to any other liabilities and overages applicable as a result of such non-compliance, including but not limited to additional fees for Concurrent Users, excess capacity or usage over and above those specifically granted to You. From time to time, the Licensed Materials may upload information about the Licensed Materials and the associated usage to Extreme. This is to verify the Licensed Materials are being used in accordance with a valid license and/or entitlement. By using the Licensed Materials, you consent to the transmission of this information.

6 RESTRICTION AGAINST COPYING OR MODIFYING LICENSED MATERIALS.
Except as expressly permitted in this Agreement, You may not copy or otherwise reproduce the Licensed Materials. In no event does the limited copying or reproduction permitted under this Agreement include the right to decompile, disassemble, electronically transfer, or reverse engineer the Licensed Materials, including the Licensed Software, or to translate the Licensed Materials into another computer language. The media embodying the Licensed Materials may be copied by You, in whole or in part, into printed or machine readable form, in sufficient numbers only for backup or archival purposes, or to replace a worn or defective copy. However, You agree not to have more than two (2) copies of the Licensed Software in whole or in part, including the original media, in your possession for said purposes without Extreme's prior written consent, and in no event shall You operate more copies of the Licensed Software than the specific licenses granted to You. You may not copy or reproduce the documentation. You agree to maintain appropriate records of the location of the original media and all copies of the Licensed Software, in whole or in part, made by You. Any portion of the Licensed Software included in any such modular work shall be used only on a single computer for internal purposes and shall remain subject to all the terms and conditions of this Agreement. You agree to include any copyright or other proprietary notice set forth on the label of the media embodying the Licensed Software on any copy of the Licensed Software in any form, in whole or in part, or on any modification of the Licensed Software or any such modular work containing the Licensed Software or any part thereof.

7 TITLE AND PROPRIETARY RIGHTS
a The Licensed Materials are copyrighted works and are the sole and exclusive property of Extreme, any company or a division thereof which Extreme controls or is controlled by, or which may result from the merger or consolidation with Extreme (its Affiliates), and/or their suppliers. This Agreement conveys a limited right to operate the Licensed Materials and shall not be construed to convey title to the Licensed Materials to You. There are no implied rights. You shall not sell, lease, transfer, sublicense, dispose of, or otherwise make available the Licensed Materials or any portion thereof, to any other party.
b You further acknowledge that in the event of a breach of this Agreement, Extreme shall suffer severe and irreparable damages for which monetary compensation alone will be inadequate.
You therefore agree that in the event of a breach of this Agreement, Extreme shall be entitled to monetary damages and its reasonable attorneys fees and costs in enforcing this Agreement, as well as injunctive relief to restrain such breach, in addition to any other remedies available to Extreme. 8 PROTECTION AND SECURITY. In the performance of this Agreement or in contemplation thereof, You and your employees and agents may have access to private or confidential information owned or controlled by Extreme relating to the Licensed Materials supplied hereunder including, but not limited to, product specifications and schematics, and such information may contain proprietary details and disclosures. All information and data so acquired by You or your employees or agents under this Agreement or in contemplation hereof shall be and shall remain Extreme exclusive property, and You shall use all commercially reasonable efforts to keep, and have your employees and agents keep, any and all such information and data confidential, and shall not copy, publish, or disclose it to others, without Extreme prior written approval, and shall return such information and data to Extreme at its request. Nothing herein shall limit your use or dissemination of information not actually derived from Extreme or of information which has been or subsequently is made public by Extreme, or a third party having authority to do so You agree not to deliver or otherwise make available the Licensed Materials or any part thereof, including without limitation the object or source code (if provided) of the Licensed Software, to any party other than Extreme or its employees, except for purposes specifically related to your use of the Licensed Materials on a single computer as expressly provided in this Agreement, without the prior written consent of Extreme. 
You acknowledge that the Licensed Materials contain valuable confidential information and trade secrets, and that unauthorized use, copying and/or disclosure thereof are harmful to Extreme or its Affiliates and/or its/their software suppliers. 9 MAINTENANCE AND UPDATES. Except as otherwise defined below, updates and certain maintenance and support services, if any, shall be provided to You pursuant to the terms of an Extreme Service and Maintenance Agreement, if Extreme and You enter into such an agreement. Except as specifically set forth in such agreement, Extreme shall not be under any obligation to provide updates, modifications, or enhancements, or maintenance and support services for the Licensed Materials to You. If you have purchased Licensed Materials on a subscription basis then the applicable service terms for Your Licensed Materials are as provided in Your Ordering Documentation. Extreme will perform the maintenance and updates in a timely and professional manner, during the Term of Your subscription, using qualified and experienced personnel. You will cooperate in good faith with Extreme in the performance of the support services including, but not limited to, providing Extreme with: (a) access to the Extreme Licensed Materials (and related systems); and (b) reasonably requested assistance and information. Further information about the applicable maintenance and updates terms can be found on Extremes website at http://www.extremenetworks.com/company/legal/terms-of-support 10 DEFAULT AND TERMINATION. In the event that You shall fail to keep, observe, or perform any obligation under this Agreement, including a failure to pay any sums due to Extreme, or in the event that you become insolvent or seek protection, voluntarily or involuntarily, under any bankruptcy law, Extreme may, in addition to any other remedies it may have under law, terminate the License and any other agreements between Extreme and You. 
(a) Immediately after any termination of the Agreement or Your licensed subscription term, or if You have for any reason discontinued use of Licensed Materials, You shall return to Extreme the original and any copies of the Licensed Materials and remove the Licensed Materials, including any Licensed Software, from any modular works made pursuant to Section 3, and certify in writing that through your best efforts and to the best of your knowledge the original and all copies of the terminated or discontinued Licensed Materials have been returned to Extreme.
(b) Sections 1, 7, 8, 10, 11, 12, 13, 14 and 15 shall survive termination of this Agreement for any reason.

11 EXPORT REQUIREMENTS. You are advised that the Licensed Materials, including the Licensed Software, are of United States origin and subject to United States Export Administration Regulations; diversion contrary to United States law and regulation is prohibited. You agree not to directly or indirectly export, import or transmit the Licensed Materials, including the Licensed Software, to any country, end user or for any Use that is prohibited by applicable United States regulation or statute (including but not limited to those countries embargoed from time to time by the United States government), or contrary to the laws or regulations of any other governmental entity that has jurisdiction over such export, import, transmission or Use.

12 UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The Licensed Materials (i) were developed solely at private expense; (ii) contain restricted computer software submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects are proprietary data belonging to Extreme and/or its suppliers.
For Department of Defense units, the Licensed Materials are considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the U.S. Government is subject to restrictions set forth herein.

13 LIMITED WARRANTY AND LIMITATION OF LIABILITY. Extreme warrants to You that (a) the initially-shipped version of the Licensed Materials will materially conform to the Documentation; and (b) the media on which the Licensed Software is recorded will be free from material defects for a period of ninety (90) days from the date of delivery to You or such other minimum period required under applicable law. Extreme does not warrant that Your use of the Licensed Materials will be error-free or uninterrupted. NEITHER EXTREME NOR ITS AFFILIATES MAKE ANY OTHER WARRANTY OR REPRESENTATION, EXPRESS OR IMPLIED, WITH RESPECT TO THE LICENSED MATERIALS, WHICH ARE LICENSED "AS IS". THE LIMITED WARRANTY AND REMEDY PROVIDED ABOVE ARE EXCLUSIVE AND IN LIEU OF ALL OTHER WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, WHICH ARE EXPRESSLY DISCLAIMED, AND STATEMENTS OR REPRESENTATIONS MADE BY ANY OTHER PERSON OR FIRM ARE VOID. IN NO EVENT WILL EXTREME OR ANY OTHER PARTY WHO HAS BEEN INVOLVED IN THE CREATION, PRODUCTION OR DELIVERY OF THE LICENSED MATERIALS BE LIABLE FOR SPECIAL, DIRECT, INDIRECT, RELIANCE, INCIDENTAL OR CONSEQUENTIAL DAMAGES, INCLUDING LOSS OF DATA OR PROFITS OR FOR INABILITY TO USE THE LICENSED MATERIALS, TO ANY PARTY EVEN IF EXTREME OR SUCH OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT SHALL EXTREME OR SUCH OTHER PARTY'S LIABILITY FOR ANY DAMAGES OR LOSS TO YOU OR ANY OTHER PARTY EXCEED THE LICENSE FEE YOU PAID FOR THE LICENSED MATERIALS.
Some states do not allow limitations on how long an implied warranty lasts and some states do not allow the exclusion or limitation of incidental or consequential damages, so the above limitation and exclusion may not apply to You. This limited warranty gives You specific legal rights, and You may also have other rights which vary from state to state.

14 JURISDICTION. The rights and obligations of the parties to this Agreement shall be governed and construed in accordance with the laws and in the State and Federal courts of the State of California, without regard to its rules with respect to choice of law. You waive any objections to the personal jurisdiction and venue of such courts. Neither the 1980 United Nations Convention on the Limitation Period in the International Sale of Goods nor the Uniform Computer Information Transactions Act shall apply to this Agreement.

15 FREE AND OPEN SOURCE SOFTWARE. Portions of the Software (Open Source Software) provided to you may be subject to a license that permits you to modify these portions and redistribute the modifications (an Open Source License). Your use, modification and redistribution of the Open Source Software are governed by the terms and conditions of the applicable Open Source License. More details regarding the Open Source Software and the applicable Open Source Licenses are available at www.extremenetworks.com/services/SoftwareLicensing.aspx. Some of the Open Source Software may be subject to the GNU General Public License v.x (GPL) or the GNU Lesser General Public License (LGPL), copies of which are provided with the Licensed Materials and are further available for review at www.extremenetworks.com/services/SoftwareLicensing.aspx, or upon request as directed herein. In accordance with the terms of the GPL and LGPL, you may request a copy of the relevant source code. See the Software Licensing web site for additional details. This offer is valid for up to three years from the date of original download of the software.

16 GENERAL.
(a) This Agreement is the entire agreement between Extreme and You regarding the Licensed Materials, and all prior agreements, representations, statements, and undertakings, oral or written, are hereby expressly superseded and canceled.
(b) This Agreement may not be changed or amended except in writing signed by both parties hereto.
(c) You represent that You have full right and/or authorization to enter into this Agreement.
(d) This Agreement shall not be assignable by You without the express written consent of Extreme. The rights of Extreme and Your obligations under this Agreement shall inure to the benefit of Extreme's assignees, licensors, and licensees.
(e) Section headings are for convenience only and shall not be considered in the interpretation of this Agreement.
(f) The provisions of the Agreement are severable and if any one or more of the provisions hereof are judicially determined to be illegal or otherwise unenforceable, in whole or in part, the remaining provisions of this Agreement shall nevertheless be binding on and enforceable by and between the parties hereto.
(g) Extreme's waiver of any right shall not constitute waiver of that right in future.
This Agreement constitutes the entire understanding between the parties with respect to the subject matter hereof, and all prior agreements, representations, statements and undertakings, oral or written, are hereby expressly superseded and canceled. No purchase order shall supersede this Agreement.
(h) Should You have any questions regarding this Agreement, You may contact Extreme at the address set forth below. Any notice or other communication to be sent to Extreme must be mailed by certified mail to the following address:
Extreme Networks, Inc.
16480 Via Del San Jose, CA 95119 United States
Tel: +1 408-579-2800
Toll-free: +1 888-257-3000

1 Overview

The Extreme Networks WiNG 5 operating system is the next generation in the evolution of WLAN architectures. WiNG 5 OS is designed to scale efficiently from the smallest networks to large, geographically dispersed deployments. The co-operative, distributed control plane in the WiNG 5 architecture offers a software-defined networking (SDN)-ready operating system that can distribute controller functionality to every Access Point in your network. Every Access Point is network aware, so all wireless LAN infrastructure can work together to ensure every transmission is routed through the most efficient path. WiNG 5 brings you the resiliency of a standalone Access Point network without the single point of failure of a centralized controller, with advancements in performance, reliability, security, scalability and manageability. The result is maximum network uptime and security with minimal management, and seamless, dependable mobility for your users. WiNG 5 advances the following technology:
Comprehensive Wi-Fi support - WiNG supports all Wi-Fi protocols, including 802.11a/b/g/n/ac, allowing you to create a cost-effective migration plan based on the needs of your business.
Extraordinary scalability - With WiNG, you can build any size network, from a small WLAN in a single location to a large multi-site network that reaches all around the globe.
Extraordinary flexibility - No matter what type of infrastructure you deploy, WiNG 5 delivers intelligence to all of it: standalone independent Access Points; adaptive Access Points that can be adopted by a controller but can switch to independent mode; virtual controllers; and physical controllers in branch offices, the network operations center (NOC) or the cloud.
The power of distributed intelligence - WiNG distributes intelligence right to the network edge, empowering every controller and Access Point with the intelligence needed to be network-aware, able to identify and dynamically route traffic over the most efficient path available at that time.
Extraordinary network flexibility and site survivability - WiNG provides the best of both worlds: true hierarchical management that delivers a new level of management simplicity and resiliency by enabling controllers to adopt and manage other controllers and Access Points, while allowing adopted infrastructure to also stand on its own.
Gap-free security - When it comes to security, there can be no compromises. WiNG's comprehensive security capabilities keep your network and your data safe, and help you meet PCI, HIPAA and other government and industry security regulations.
Connectivity for the largest indoor and outdoor spaces - In addition to enabling a robust indoor WLAN, our patented MeshConnex technology enables the extension of Wi-Fi networks to the largest of outdoor spaces, from an expansive outdoor campus environment to an entire city.
Powerful centralized management - With WiNG you get complete control over every aspect of your WLAN.
This single management pane enables zero-touch infrastructure deployment, rich analytics that can help you recognize and correct brewing issues before they impact service quality and user connectivity, along with centralized and remote troubleshooting and issue resolution for the entire network.
Application Visibility and Control - With WiNG you get visibility and control over Layer 7 applications with an embedded Deep Packet Inspection (DPI) engine at the Access Point. Extreme Networks NSight (an add-on module to WiNG) provides real-time visibility and in-depth insight into every dimension of the network, including Layer 7 application visibility, client devices, device and OS types, and users. At a glance the administrator can discern the top applications by usage or by count at every level of the network, from site level down to Access Points and clients. This is achieved by DPI of every flow of every user at the Access Point. The embedded DPI engine in the WiNG OS can detect and identify thousands of applications in real time and report them to NSight. In addition to detection, firewall and QoS policies can use the application context to enforce policy.

1.1 Distributed Intelligence

WiNG 5 enables all WLAN infrastructure with the intelligence required to work together to determine the most efficient path for every transmission. The need to route all traffic through a controller is eliminated, along with the resulting congestion and latency, giving higher throughput and superior network performance. Since all features are available at the access layer, they remain available even when the controller is offline, for example due to a WAN outage, ensuring site survivability and network resilience. In addition, large networks can support as many as 10,000 nodes without impacting throughput or manageability.
1.2 High Availability Networks

WiNG 5 enables the creation of highly reliable networks, with several levels of redundancy and failover mechanisms to ensure continuous network service in case of outages. APs in remote sites coordinate with each other to provide optimized routing and self-healing, delivering a superior quality of experience for business critical applications. Even when WiNG 5 site-survivable APs lose communication with the controller, they continue to function, able to bridge traffic while still enforcing QoS and security policies, including stateful inspection of Layer 2 (locally bridged) or Layer 3 traffic.

1.3 Gap Free Security

When it comes to wireless security, one size does not fit all. A variety of solutions are required to meet the varying needs and demands of different types of organizations. Regardless of the size of your WLAN or your security requirements, our tiered approach to security allows you to deploy the features you need to achieve the right level of security for your networks and your data. Where a hub-and-spoke architecture can't inspect or stop threats until they reach the controller inside your network, WiNG 5 distributes security features to every access point, including those at the very edge of your network, so that policy is enforced at the point where traffic enters the network.

1.4 Outdoor Wireless and Mesh Networking

When you need to extend your wireless LAN to outdoor spaces, our patented MeshConnex technology combines with comprehensive mesh networking features to enable you to create secure, high performance, flexible and scalable mesh networks.
With our mesh technology, you can cover virtually any area without installing cabling, enabling the creation of cost-effective outdoor wireless networks that can provide coverage to enterprise workers in vast campus-style environments as well as public safety personnel in patrol cars.

1.5 Network Services, Routing and Switching

WiNG 5 integrates network services such as a built-in DHCP server and AAA server, routing features such as policy based routing and OSPF, and Layer 2 protocols such as MSTP and Link Aggregation. Integrating services and routing/switching protocols eliminates the need for additional servers or other networking gear in small offices, thereby reducing Total Cost of Ownership (TCO). In large networks, where such services are deployed on a dedicated server or router at the NOC, this provides a backup for remote sites when the WAN link to the NOC is temporarily lost. Integration also allows these services to fail over from primary to standby in a coordinated way, rather than each failing over independently in response to the same root cause.

1.6 Management, Deployment and Troubleshooting

WiNG's comprehensive end-to-end management capabilities cover deployment through day-to-day management. You get true zero-touch deployment for access points located anywhere in the world, the simplicity of a single window into the entire network, plus the ability to remotely troubleshoot and resolve issues. And since our management technology is manufacturer-agnostic, you can manage your Extreme Networks WLAN infrastructure as well as legacy equipment from other manufacturers, allowing you to take advantage of our advanced WLAN infrastructure without a costly rip and replace of your existing WLAN.
2 Web UI Features

The WiNG software contains a Web UI allowing network administrators to manage and view Access Point, controller and service platform settings, configuration data and status. This Graphical User Interface (GUI) allows full control of all administration features. Access Points, controllers and service platforms also share a Command Line Interface (CLI) for managing and viewing settings, configuration and status. For more information on the command line interface and a full list of available commands, refer to the Wireless Services CLI Reference Guide available at www.extremenetworks.com/support. For information on how to access and use the Web UI, see:
Accessing the Web UI
Glossary of Icons Used

2.1 Accessing the Web UI

Access Points, controllers and service platforms use a UI accessed through any supported Web browser on a client connected to the subnet the Web UI is configured on.

2.1.1 Browser and System Requirements

To access the GUI, a browser supporting Flash Player 11 is recommended. The system accessing the GUI should have a minimum of 1 GB of RAM for the UI to display and function properly, with the exception of NX service platforms, which require 4 GB of RAM. The Web UI is based on Flex, and does not use Java as the underlying UI framework. A resolution of 1280 x 1024 pixels is recommended. The following browsers are supported for accessing the WiNG Web UI:
Firefox 3.5 or higher
Internet Explorer 7 or higher
Google Chrome 2.0 or higher
Safari 3 or higher
Opera 9.5 or higher

NOTE: Throughout the Web UI, leading and trailing spaces are not allowed in any text field. The ? character is also not supported in text fields.

2.1.2 Connecting to the Web UI

1 Connect one end of an Ethernet cable to a LAN port on the front of the controller or service platform and connect the other end to a computer with a working Web browser.
2 Set the computer to use an IP address between 192.168.0.10 and 192.168.0.250 on the connected port, with a subnet mask of 255.255.255.0. Once the computer has an IP address, point the browser to https://192.168.0.1/ and the following login screen displays.
Figure 2-1 Web UI Login Screen
3 Enter the default username admin in the Username field. Enter the default password admin123 in the Password field. Because this default password is published in this guide, change it at first login; the UI prompts you to do so (see Using the Initial Setup Wizard).
4 Click the Login button to load the management interface.
5 If this is the first time the UI has been accessed on RFS4011 model controllers, a dialogue displays to begin an initial setup wizard. For more information on using the initial setup wizard on these models see Using the Initial Setup Wizard.

2.2 Glossary of Icons Used

The UI uses a number of icons to interact with the system, gather information, and obtain status for the entities managed by the system. This section is a compendium of the icons used. It is organized as follows:
Global Icons
Dialog Box Icons
Table Icons
Status Icons
Configurable Objects
Configuration Objects
Configuration Operation Icons
Access Type Icons
Administrative Role Icons
Device Icons

2.2.1 Global Icons

This section lists global icons available throughout the interface.

Logout - Select this icon to log out of the system. This icon is always available and is located at the top right corner of the UI.
Add - Select this icon to add a row in a table. When selected, a new row is created in the table or a dialog box displays where you can enter values for a particular list.
Delete - Select this icon to remove a row from a table. When selected, the selected row is deleted.
More Information - Select this icon to display a pop-up with supplementary information that may be available for an item.
Trash - Select this icon to remove a row from a table. When selected, the row is immediately deleted.
Create new policy - Select this icon to create a new policy. Policies define different configuration parameters that can be applied to individual device configurations, profiles and RF Domains.
Edit policy - Select this icon to edit an existing configuration item or policy. To edit a policy, select the policy and then this icon.

2.2.2 Dialog Box Icons

These icons indicate the current state of various controls in a dialog, and let you gather the status of all the controls in a dialog. The absence of any of these icons next to a control indicates the value in that control has not been modified from its last saved configuration.

Entry Updated - Indicates a value has been modified from its last saved configuration.
Entry Update - States that an override has been applied to a device profile configuration.
Mandatory Field - Indicates this control value is a mandatory configuration item. You are not allowed to proceed further without providing all mandatory values in this dialog.
Error in Entry - Indicates there is an error in a supplied value. A small red pop-up provides a likely cause of the error.

2.2.3 Table Icons

The following two override icons are status indicators for transactions:
Table Row Overridden - Indicates a change (profile configuration override) has been made to a table row; the change is not implemented until saved. This icon represents a change from this device's profile-assigned configuration.
Table Row Added - Indicates a new row has been added to a table; the change is not implemented until saved. This icon represents a change from this device's profile-assigned configuration.

2.2.4 Status Icons

These icons indicate device status, operations, or any other action that requires a status returned to the user.

Fatal Error - States there is an error causing a managed device to stop functioning.
Error - Indicates an error exists requiring intervention. An action has failed, but the error is not system wide.
Warning - States a particular action has completed, but errors were detected that did not prevent the process from completing. Intervention might still be required to resolve subsequent warnings.
Success - Indicates everything is well within the network or a process has completed successfully without error.
Information - This icon always precedes information displayed to the user. This may either be a message displaying progress for a particular process, or just a message from the system.

2.2.5 Configurable Objects

These icons represent configurable items within the UI.

Device Configuration - Represents a configuration file supporting a device category (Access Point, wireless controller, etc.).
Auto Provisioning Policy - Represents a provisioning policy. Provisioning policies are a set of configuration parameters that define how Access Points and wireless clients are adopted and how their management configuration is supplied.
Critical Resource Policy - States a critical resource policy has been applied. Critical resources are resources whose availability is essential to the network. If any of these resources is unavailable, an administrator is notified.
Wireless LANs - States an action impacting a managed WLAN has occurred.
WLAN QoS Policy - States a quality of service (QoS) policy configuration has been impacted.
Radio QoS Policy - Indicates a radio's QoS configuration has been impacted.
AAA Policy - Indicates an Authentication, Authorization and Accounting (AAA) policy has been impacted. AAA policies define RADIUS authentication and accounting parameters.
Association ACL - Indicates an Access Control List (ACL) configuration has been impacted. An ACL is a set of configuration parameters either allowing or denying access to network resources.
Smart RF Policy - States a Smart RF policy has been impacted. Smart RF enables neighboring Access Point radios to take over for an Access Point radio if it becomes unavailable. This is accomplished by increasing the power of radios on nearby Access Points to compensate for the coverage hole created by the non-functioning Access Point.
Profile - States a device profile configuration has been impacted. A profile is a collection of configuration parameters used to configure a device or a feature.
Bridging Policy - Indicates a bridging policy configuration has been impacted. A bridging policy defines which VLANs are bridged, and how local VLANs are bridged between the wired and wireless sides of the network.
RF Domain - States an RF Domain configuration has been impacted.
Firewall Policy - Indicates a firewall policy has been impacted. Firewalls provide a barrier that prevents unauthorized access to resources while allowing authorized access to external and internal resources.
IP Firewall Rules - Indicates an IP firewall rule has been applied. An IP based firewall rule implements restrictions based on the IP address in a received packet.
MAC Firewall Rules - States a MAC based firewall rule has been applied. A MAC based firewall rule implements restrictions based on the MAC address in a received data packet.
Wireless Client Role - Indicates a wireless client role has been applied to a managed client. The role could be either sensor or client.
WIPS Policy - States the conditions of a WIPS policy have been invoked. WIPS prevents unauthorized access to the network by checking for (and removing) rogue Access Points and wireless clients.
Device Categorization - Indicates a device categorization policy has been applied. This is used by the intrusion prevention system to categorize Access Points or wireless clients as either sanctioned or unsanctioned devices; sanctioned devices are exempt from intrusion prevention enforcement.
Captive Portals - States a captive portal is being applied. A captive portal is used to provide temporary controller, service platform or Access Point access to requesting wireless clients.
DNS Whitelist - A DNS whitelist is used in conjunction with captive portal to provide access to requesting wireless clients.
DHCP Server Policy - Indicates a DHCP server policy is being applied. DHCP provides IP addresses to wireless clients. A DHCP server policy configures how DHCP provides IP addresses.
RADIUS Group - Indicates the configuration of a RADIUS group has been defined and applied. A RADIUS group is a collection of RADIUS users with the same set of permissions.
RADIUS User Pools - States a RADIUS user pool has been applied. RADIUS user pools are a set of IP addresses that can be assigned to an authenticated RADIUS user.
RADIUS Server Policy - Indicates a RADIUS server policy has been applied. A RADIUS server policy is a set of configuration attributes used when a RADIUS server is configured for AAA.
Management Policy - Indicates a management policy has been applied. Management policies configure access control, authentication, traps and administrator permissions.
BGP - Border Gateway Protocol (BGP) is an inter-ISP routing protocol which establishes routing between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators.

2.2.6 Configuration Objects

These configuration icons are used to define the following:
Configuration - Indicates an item capable of being configured by an interface.
View Events / Event History - Defines a list of events. Click this icon to view events or view the event history.
Core Snapshots - Indicates a core snapshot has been generated. A core snapshot is a file that records status events when a process fails on a wireless controller or Access Point.
Panic Snapshots - Indicates a panic snapshot has been generated. A panic snapshot is a file that records status when a wireless controller or Access Point fails without recovery.
UI Debugging - Select this icon/link to view current NETCONF messages.
View UI Logs - Select this icon/link to view the different logs generated by the UI, FLEX and the error logs.

2.2.7 Configuration Operation Icons

The following operations icons are used to define configuration operations:
Revert - When selected, any unsaved changes are reverted to their last saved configuration settings.
Commit - When selected, all changes made to the configuration are written to the system. Once committed, changes cannot be reverted.
Commit and Save - When selected, changes are committed and saved to the configuration.

2.2.8 Access Type Icons

The following icons display a user access type:
Web UI - Defines a Web UI access permission. A user with this permission is permitted to access an associated device's Web UI.
Telnet - Defines a Telnet access permission. A user with this permission is permitted to access an associated device using Telnet. Telnet carries credentials and session data in cleartext; prefer SSH for administrative access.
SSH - Indicates an SSH access permission. A user with this permission is permitted to access an associated device using SSH.
Console - Indicates a console access permission. A user with this permission is permitted to access an associated device using the device's serial console.

2.2.9 Administrative Role Icons

The following icons identify the different administrative roles allowed on the system:
Superuser - Indicates superuser privileges. A superuser has complete access to all configuration aspects of the connected device.
System - States system user privileges. A system user is allowed to configure general settings, such as boot parameters, licenses, auto install, image upgrades, etc.
Network - Indicates network user privileges. A network user is allowed to configure wired and wireless parameters, such as IP configuration, VLANs, L2/L3 security, WLANs and radios.
Security - Indicates security user privileges. A security level user is allowed to configure all security related parameters.
Monitor - Defines a monitor role. This role provides no configuration privileges. A user with this role can view the system configuration but cannot modify it.
Help Desk - Indicates help desk privileges. A help desk user is allowed to use troubleshooting tools like sniffers, execute service commands, view or retrieve logs and reboot the controller or service platform.
Web User - Indicates a web user privilege. A Web user is allowed to access the device's Web UI.

2.2.10 Device Icons

The following icons represent the different device types managed by the system:
System - This icon represents the entire WiNG supported system, and all of its member controllers, service platforms or Access Points that may be interacting at any one time.
Cluster - This icon represents a cluster. A cluster is a set of wireless controllers or service platforms working collectively to provide redundancy and load sharing amongst its members.
Service Platform - This icon indicates an NX5500, NX7500, or NX9000 series service platform that's part of the managed network.
Wireless Controller - This icon indicates an RFS6000 wireless controller that's part of the managed network.
Access Point - This icon lists any Access Point that's part of the managed network.
Wireless Client - This icon defines any wireless client connection within the network.

3 Quick Start

WiNG controllers and service platforms utilize an initial setup wizard to streamline getting on the network for the first time. This wizard configures location, network and WLAN settings and assists in the discovery of Access Points and their connected clients.

3.1 Using the Initial Setup Wizard

Once deployed and powered on, complete the following to get the controller or service platform up and running and access more advanced user interface functions:
1 Connect one end of an Ethernet cable to a port on the front of the controller or service platform, and connect the other end to a computer with a working Web browser.
2 Set the computer to use an IP address between 192.168.0.10 and 192.168.0.250 on the connected port. Set a subnet/network mask of 255.255.255.0.
3 Once the computer has an IP address, point the Web browser to https://192.168.0.1/. The following login screen displays.

Figure 3-1 Web UI Login Screen

4 Enter the default username admin in the Username field.
5 Enter the default password admin123 in the Password field.
6 Select the preferred language to display for the graphical user interface (GUI).
7 Select the Login button to load the management interface.

NOTE: When logging in for the first time, you are prompted to change the password to enhance device security in subsequent logins.

NOTE: If you get disconnected when running the wizard, you can connect again and resume the wizard setup.

Figure 3-2 Initial Setup Wizard - Introduction

The Introduction screen displays first (on the right-hand side of the screen), and lists the various actions that can be performed using the setup wizard. The wizard displays a Navigation Panel on the left-hand side of each screen to assist the administrator in assessing which tasks still require completion before the controller or service platform can be deployed.

Figure 3-3 Initial Setup Wizard - Navigation Panel

A green checkmark to the left of an item in the Navigation Panel defines the task as having its minimum required configuration set correctly. A red X defines a task as still requiring at least one parameter to be defined correctly.

8 Select Save/Commit within each page to save the updates made to that page's configuration.
9 Select Next to proceed to the next page listed in the Navigation Panel.
10 Select Back to revert to the previous screen in the Navigation Panel without saving your updates. Selecting Cancel closes the wizard without committing any updates.

NOTE: While you can scroll to any page in the Navigation Panel at any time, you cannot complete the wizard until each task in the Navigation Panel has a green checkmark displayed to the left of the task.

11 Select Next. The wizard displays the Networking Mode screen to define routing or bridging functionality.

Figure 3-4 Initial Setup Wizard - Networking Mode

12 Select one of the following network mode options:
Router Mode - In Router Mode, connected Access Points route traffic between the local network (LAN) and the Internet or external network (WAN). Router mode is recommended in a deployment supported by just a single Access Point. When Router Mode is selected, an additional WAN screen is available in the wizard screen flow to configure interface settings for an Access Point's WAN port.
Bridge Mode - In Bridge Mode, connected Access Points depend on an external router for routing LAN and WAN traffic. Routing is generally used on one device, whereas bridging is typically used in a larger network. Thus, select Bridge Mode when deploying numerous peer Access Points supporting clients on both the 2.4 and 5 GHz radio bands.

13 Select Next. The wizard displays the LAN Configuration screen to set the LAN interface configuration.

14 Set the following DHCP information for the LAN interface:
Figure 3-5 Initial Setup Wizard - LAN Configuration

Use DHCP - Select Use DHCP to enable automatic network address configuration using local DHCP server resources.
Static IP Address/Subnet - Enter an IP address and subnet for the LAN interface. If Use DHCP is selected, this field is not available. When selecting this option, define the following DHCP Server and Domain Name Server (DNS) resources, as those fields are enabled on the bottom portion of the screen.
- Use on-board DHCP server to assign IP addresses to wireless clients - Select this option to enable the DHCP server to provide IP and DNS support to requesting clients on the LAN interface.
- Range - Enter a starting and ending IP address range for client assignments on the LAN interface. Avoid assigning IP addresses from x.x.x.1 - x.x.x.10 and x.x.x.255, as they are often reserved for standard network services. This is a required parameter.
- Default Gateway - Define the address to use as the default gateway. This is a required parameter.
DNS Forwarding - Select this option to allow a DNS server to translate domain names into IP addresses. If this option is not selected, a primary and secondary DNS resource must be specified. DNS forwarding is useful when a request for a domain name is made but the DNS server responsible for converting the name into its corresponding IP address cannot locate the matching IP address.
- Primary DNS - Enter an IP address for the main Domain Name Server providing DNS services for the LAN interface.
- Secondary DNS - Enter an IP address for the backup Domain Name Server providing DNS services for the LAN interface.

15 Select Next. If Router was selected as the Access Point mode, the wizard displays the WAN Configuration screen. If Bridge was selected, the wizard proceeds to the Wireless LAN Setting screen.

Figure 3-6 Initial Setup Wizard - WAN Configuration

16 Set the following DHCP and Static IP Address/Subnet information to define how traffic is routed between the local network (LAN) and the Internet or external network (WAN):
Use DHCP - Select Use DHCP to enable automatic network address configuration using local DHCP server resources.
Static IP Address/Subnet - Enter an IP address/subnet and gateway for the WAN interface. These are required fields.
- Default Gateway - Enter an IP address for the default gateway on the WAN interface. If Use DHCP is enabled, this field is not configurable.
- VLAN ID for the WAN Interface - Set the VLAN ID (virtual interface) to associate with the physical WAN interface. The default setting is VLAN 2100.
- Port for External Network - Select the physical port connected to the WAN interface. The list of available ports varies based on the controller or service platform model.
- Enable NAT on the WAN Interface - Select this option to allow traffic to pass between the WAN and LAN interfaces.

17 Select Next. The wizard displays the Wireless LAN Setting screen to define up to four WLAN configurations for the controller or service platform.

18 Set the following parameters for up to four WLAN configurations:
Figure 3-7 Initial Setup Wizard - Wireless LAN Settings

SSID - Enter or modify the Service Set Identifier (SSID) associated with the WLAN. The WLAN name is auto-generated from the SSID until changed by the administrator. The maximum number of characters is 32. Do not use any of these characters: < > | " & \ ? ,
WLAN Type - Select a basic authentication and encryption scheme for the WLAN. Available options include:
- No Authentication and No Encryption (provides no security at all)
- Captive Portal Authentication and No Encryption
- PSK Authentication and WPA2 Encryption
- EAP Authentication and WPA2 Encryption

19 Select Next. The wizard displays the System Information screen to set device deployment, administrative contact and system time information. The system time can either be set manually or be supplied by a dedicated Network Time Protocol (NTP) resource.

20 Refer to the Country and Time Zone field to set the following deployment information:
Figure 3-8 Initial Setup Wizard - System Information

Password - Enter and confirm a system password used to log in to the controller or service platform on subsequent login attempts. Changing the default system password is strongly recommended to secure the proprietary configuration data maintained on the controller or service platform.
Location - Define the location of the controller or service platform deployment.
Contact - Specify the contact information for the administrator. The credentials provided should accurately reflect the individual responding to service queries.
Country - Select the country where the controller or service platform is deployed. The controller or service platform prompts for the correct country code on the first login. A warning message also displays stating that an incorrect country setting may result in illegal radio operation. Selecting the correct country is central to legal operation. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted.
Time Zone - Set the time zone where the controller or service platform is deployed. This is a required parameter. The setting should be complementary with the selected deployment country.

Refer to the Select protocols that will be enabled for device access area and enable the controller or service platform interfaces used for accessing the controller or service platform. HTTP and Telnet are considered relatively insecure and should only be enabled if necessary.

21 Select Next. The wizard displays the Summary and Commit screen to summarize the screens (pages) and settings updated using the wizard.

Figure 3-9 Initial Setup Wizard - Summary and Commit

No user intervention or additional settings are required within this screen. It's an additional means of validating the Access Point's updated configuration before it's deployed.
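The rules the wizard text states for the LAN DHCP range (step 14), the SSID (step 18) and the device access protocols (step 20) can also be checked in a script before the settings are committed, which is useful when the same values are prepared for many controllers. The following Python is an added example and not Extreme Networks or WiNG code; the WizardConfig layout, the protocol names other than HTTP and Telnet, the reading of the x.x.x.1 - x.x.x.10 / x.x.x.255 rule as a rule on the last octet, and the requirement that the LAN default gateway lie inside the LAN subnet are assumptions.

```python
"""Pre-commit check of Initial Setup Wizard inputs against the rules the guide states.

Added example, not WiNG code. Assumptions (not stated by the guide) are marked below.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

SSID_MAX_LEN = 32
SSID_FORBIDDEN = set('<>|"&\\?,')                  # characters the wizard disallows in an SSID
RESERVED_HOST_NUMBERS = set(range(1, 11)) | {255}  # x.x.x.1 - x.x.x.10 and x.x.x.255
INSECURE_MGMT = {"http", "telnet"}                 # called "relatively insecure" by the guide
MAX_WLANS = 4                                      # the wizard defines up to four WLANs


@dataclass
class WizardConfig:
    lan_cidr: str                   # LAN address with prefix, e.g. "192.168.0.1/24" (constructed)
    default_gateway: str            # LAN Default Gateway field
    ssids: List[str]                # one entry per WLAN defined at step 18
    mgmt_protocols: Set[str] = field(default_factory=set)  # lower-case names; "https"/"ssh" are assumed names
    dhcp_start: Optional[str] = None  # on-board DHCP Range; None when Use DHCP was chosen instead
    dhcp_end: Optional[str] = None


def check_ssid(ssid: str) -> List[str]:
    """SSID rules from step 18: non-empty, at most 32 characters, none of < > | " & \\ ? , ."""
    problems = []
    if not ssid:
        problems.append("SSID is empty")
    if len(ssid) > SSID_MAX_LEN:
        problems.append(f"SSID {ssid!r} is longer than {SSID_MAX_LEN} characters")
    bad = "".join(sorted(set(ssid) & SSID_FORBIDDEN))
    if bad:
        problems.append(f"SSID {ssid!r} contains forbidden characters {bad!r}")
    return problems


def check_dhcp_range(lan_cidr: str, start: str, end: str) -> List[str]:
    """Range rules from step 14: inside the LAN subnet, start <= end, avoiding x.x.x.1-10 and x.x.x.255."""
    problems = []
    net = ipaddress.ip_interface(lan_cidr).network
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        return ["DHCP range start is after its end"]
    for addr in (first, last):
        if addr not in net:
            problems.append(f"{addr} is outside the LAN subnet {net}")
    if int(last) - int(first) > 65535:
        problems.append("DHCP range is larger than a /16; not checked for reserved addresses")
        return problems
    # Assumption: the guide's x.x.x.1 - x.x.x.10 / x.x.x.255 rule is a rule on the last octet.
    reserved = [str(ipaddress.ip_address(n)) for n in range(int(first), int(last) + 1)
                if (n & 0xFF) in RESERVED_HOST_NUMBERS]
    if reserved:
        problems.append("DHCP range includes reserved addresses: " + ", ".join(reserved))
    return problems


def validate(cfg: WizardConfig) -> List[str]:
    """Return every rule violation found; an empty list means the settings are ready to commit."""
    problems = []
    net = ipaddress.ip_interface(cfg.lan_cidr).network
    # Assumption: the LAN default gateway handed to clients must be on the LAN subnet.
    if ipaddress.ip_address(cfg.default_gateway) not in net:
        problems.append(f"default gateway {cfg.default_gateway} is outside the LAN subnet {net}")
    if cfg.dhcp_start and cfg.dhcp_end:
        problems += check_dhcp_range(cfg.lan_cidr, cfg.dhcp_start, cfg.dhcp_end)
    elif cfg.dhcp_start or cfg.dhcp_end:
        problems.append("DHCP range needs both a start and an end address")
    if len(cfg.ssids) > MAX_WLANS:
        problems.append(f"the wizard accepts at most {MAX_WLANS} WLANs, {len(cfg.ssids)} given")
    for ssid in cfg.ssids:
        problems += check_ssid(ssid)
    for proto in sorted(cfg.mgmt_protocols & INSECURE_MGMT):
        problems.append(f"management protocol {proto.upper()} is enabled; the guide calls it relatively insecure")
    return problems


# Constructed sample input: a /24 LAN, a DHCP range starting inside the reserved x.x.x.1-10 block,
# an SSID with forbidden characters and Telnet left enabled.
SAMPLE = WizardConfig(
    lan_cidr="192.168.0.1/24",
    default_gateway="192.168.0.1",
    ssids=["Guest-WiFi", "Corp<Net>"],
    mgmt_protocols={"https", "ssh", "telnet"},
    dhcp_start="192.168.0.5",
    dhcp_end="192.168.0.50",
)

if __name__ == "__main__":
    for line in validate(SAMPLE) or ["no problems found"]:
        print(line)
```

Running the block on the constructed sample reports three findings: the range 192.168.0.5 - 192.168.0.10 overlaps the reserved block, the second SSID contains `<` and `>`, and Telnet is enabled. Clearing those and re-running returns an empty list, which is the state in which Save/Commit at step 22 is appropriate.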
If a screen displays settings not intended as part of the initial configuration, that screen can be selected again from within the Navigation Panel and its settings modified accordingly.

22 If the configuration displays as intended, select Save/Commit to implement these settings to the controller or service platform configuration. If additional changes are warranted based on the summary, either select the target page from the Navigation Panel, or use the Back and Next buttons to scroll to the target screen.

4 Dashboard

The dashboard enables administrators to review and troubleshoot network device operation. Additionally, the dashboard allows an administrative review of the network's topology, an assessment of network component health and a diagnostic review of device performance.

By default, the Dashboard displays the System screen, which is the top level in the device hierarchy. To view information for Access Points, RF Domains or Controllers, select the associated item in the tree. For more information, refer to the following:
- Summary
- System Screen
- RF Domain Screen
- Controller
- Access Point Screen
- Network View
- Debug Wireless Clients
- Debug Captive Portal Clients
- Packet Capture

4.1 Summary

The Dashboard displays information organized by device association and inter-connectivity between the connected Access Points and wireless clients.

1 To review dashboard information, select Dashboard.
2 Select Summary if it's not already selected by default. The Dashboard displays the Health tab by default.

Figure 4-1 System Dashboard screen - Health tab

4.1.1 Device Listing

The device menu displays information as a hierarchical tree, comprised of system, controller/service platform and Access Point connection relationships.

Figure 4-2 Dashboard Menu Tree

The Search option, at the bottom of the screen, enables you to filter (search amongst) RF Domains. The By drop-down menu refines the search. You can further refine a search using the following:
Auto - The search is automatically set to device type.
Name - The search is performed for the device name specified in the Search text box.
WLAN - The search is performed for the WLAN specified in the Search text box.
MAC Address - The search is performed for the MAC address specified in the Search text box.
IP Address - The search is performed for the IP address specified in the Search text box.

4.2 System Screen

The System screen displays system-wide network status. The screen is partitioned into the following tabs:
Health - The Health tab displays information about the state of the WiNG device managed system.
Inventory - The Inventory tab displays information on the physical devices managed within the WiNG wireless network.

4.2.1 Health

The Health tab displays device performance status for managed devices, and includes their RF Domain memberships. To assess system health:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Select System. The Health tab displays by default.

Figure 4-3 System Dashboard screen - Health tab

The Health screen is partitioned into the following fields:
The Devices field displays a ratio of offline versus online devices within the system. The information is displayed in pie chart format to illustrate device support ratios.
The Device Type field displays a numerical representation of the different controller, service platform and Access Point models in the current system. Their online and offline device connections are also displayed. Use it to judge whether this device distribution adequately supports the number and types of Access Point radios and their client load requirements.
The Offline Devices field displays a table of supported RF Domains within the system, with each RF Domain listing the number of offline devices within that RF Domain. Listed RF Domains display as individual links that can be selected to display RF Domain information in greater detail.
The RF Quality Index displays RF quality per RF Domain. It's a measure of the overall effectiveness of the RF environment, displayed as a percentage. It's a function of the connect rate in both directions, retry rate and error rate. The RF Quality field displays an average quality index supporting each RF Domain. The table lists the bottom five (5) RF quality values for RF Domains. Listed RF Domains display as individual links that can be selected to display RF Domain information in greater detail. Use this diagnostic information to determine what measures can be taken to improve radio performance in respect to wireless client load and the radio bands supported. The quality is measured as:
- 0-20 - Very poor quality
- 20-40 - Poor quality
- 40-60 - Average quality
- 60-100 - Good quality
The System Security field displays RF intrusion prevention stats and their associated threat level. The greater the number of unauthorized devices, the greater the associated threat level. The System Security field displays a list of up to five RF Domains in relation to the number of associated wireless clients. The RF Domains appear as links that can be selected to display RF Domain information in greater detail.

4.2.2 Inventory

The System screen's Inventory tab displays granular data on specific devices supported within the network. The screen provides a complete overview of the number and state of WiNG managed devices. Information is displayed in easy to read tables and graphs. This screen also provides links for more detailed information. To assess the system inventory:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Select System.
4 Select the Inventory tab.

Figure 4-4 System screen - Inventory tab

The information within the Inventory tab is partitioned into the following fields:
The Devices field displays a ratio of peer controllers and service platforms as well as their managed Access Point radios. The information is displayed in pie chart format.
The Device Type field displays a numerical representation of the different controller models and connected Access Points in the current system.
The Radios field displays top performing radios, their RF Domain memberships and a status time stamp. RF Domain information can be selected to review RF Domain membership information in greater detail. Information in the Radio area is presented in two tables. The first lists the total number of radios managed by this system; the second lists the top five RF Domains in terms of the number of available radios.
The Wireless Clients field lists the top five RF Domains with the highest total number of clients managed by connected devices in this system. RF Domain information can be selected to review RF Domain membership information in greater detail.
Select Refresh to update the screen to its latest values.

4.3 RF Domain Screen

RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as a floor, building or site. Each RF Domain contains policies that can determine a Smart RF or WIPS configuration. RF Domains enable administrators to override WLAN SSID name and VLAN assignments. This enables the deployment of a global WLAN across multiple sites and unique SSID name or VLAN assignments to groups of Access Points servicing the global WLAN. This WLAN override technique eliminates the requirement for defining and managing a large number of individual WLANs and profiles.

A configuration contains (at a minimum) one default RF Domain and can optionally use additional user defined RF Domains:
Default RF Domain - Automatically assigned to each controller or service platform and associated Access Point by default.
User Defined RF Domains - Created by administrators and manually assigned to individual controllers or service platforms, but can be automatically assigned to Access Points using adoption policies.

Each controller and service platform is assigned to only one RF Domain at a time. However, a user defined RF Domain can be assigned to multiple controllers or service platforms as required. User defined RF Domains can be manually assigned or automatically assigned to Access Points using an AP provisioning policy.

The RF Domain screen displays system-wide network status. The screen is partitioned into the following tabs:
RF Domain Health - The Health tab displays information about the state of the RF Domain and network performance as tallied from its collective device members.
RF Domain Inventory - The Inventory tab displays information on the physical devices comprising the RF Domain.

4.3.1 RF Domain Health

The Health tab displays the status of the RF Domain's device membership. To assess the RF Domain health:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Expand the System node to display RF Domains.
4 Select an RF Domain. The Health tab displays by default.

Figure 4-5 RF Domain screen - Health tab

Refer to the following RF Domain health information for member devices:
The Domain field lists the RF Domain manager reporting utilization statistics. The MAC address displays as a link that can be selected to display RF Domain information at a more granular level. An RF Domain manager can retain and store new firmware images for RF Domain member Access Points.
The Devices field displays the total number of devices and the status of the devices in the network as a graph. This area displays the total device count managed by this device and their status (online vs. offline) as a pie graph.
The Radio Quality table displays RF quality on a per radio basis. It is a measure of the overall effectiveness of the RF environment, displayed as a percentage. It is a function of the transmit retry rate in both directions and the error rate. This area of the screen displays the average quality index across all the RF Domains defined on the wireless controller. The table lists the worst five of the RF quality values of all the radios defined on the wireless controller. The quality is measured as:
- 0-20 - Very poor quality
- 20-40 - Poor quality
- 40-60 - Average quality
- 60-100 - Good quality
5 Select a Radio Id to view all the statistics for the selected radio in detail.
The Client Quality table displays RF quality for the worst five performing clients. It is a function of the transmit retry rate in both directions and the error rate. This area of the screen displays the average quality index across all the RF Domains defined on the wireless controller. The quality is measured as:
- 0-20 - Very poor quality
- 20-40 - Poor quality
- 40-60 - Average quality
- 60-100 - Good quality
6 Select a client to view its statistics in greater detail.
WLAN Utilization displays how efficiently the WLANs are used. Traffic utilization is defined as the percentage of current throughput relative to the maximum possible throughput for the WLAN. The total number of WLANs is displayed above the table. The table displays a list of the top five WLANs in terms of overall traffic utilization. It displays the utilization level names, WLAN name and SSIDs for each of the top five WLANs.
Radio Traffic Utilization displays how efficiently the RF medium is used. Traffic utilization is defined as the percentage of current throughput relative to the maximum possible throughput for the RF Domain. The Traffic Index area displays an overall quality level for radio traffic and the Max User Rate displays the maximum data rate of associated radios. The table displays a list of the top five radios in terms of overall traffic utilization quality. It displays the radio names, MAC addresses and radio types for each of the top five radios.
Client Traffic Utilization displays how efficiently the RF medium is utilized for connected clients. Traffic utilization is defined as the percentage of current throughput relative to the maximum possible throughput for the clients in the RF Domain. The table displays a list of the top five performing clients in respect to overall traffic utilization. It displays the client names, MAC addresses and vendor for each of the top five clients.
Wireless Security displays the overall threat index for the system. This index is based on the number of Rogue/Unsanctioned APs and Wireless Intrusion Protection System (WIPS) events detected. The index is in the range 0 - 5, where 0 indicates there are no detected threats. An index of 5 indicates a large number of intrusion detection events or rogue/unsanctioned APs detected.
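The same four quality bands and the same "bottom five" table appear on the System screen (4.2.1), the RF Domain Health tab above and the Controller Health tab (4.4.1), and an operator exporting radio statistics from several controllers often wants to reproduce that view offline to compare sites. The following Python is an added example and not WiNG code; it bands a quality index value, ranks the worst radios and averages per RF Domain. The guide lists the bands as 0-20, 20-40, 40-60 and 60-100 without saying where an exact 20, 40 or 60 falls, so treating each band as lower bound inclusive and upper bound exclusive is an assumption, as are the sample domain and radio names.

```python
"""Band an RF Quality Index value as the dashboard Health tabs describe and build their
"bottom five" table.

Added example, not WiNG code. Assumption: each band is [lower, upper), with 100 in the top band.
"""
from typing import Dict, List, Tuple

# (lower bound inclusive, upper bound exclusive, dashboard label)
QUALITY_BANDS = [
    (0, 20, "Very poor quality"),
    (20, 40, "Poor quality"),
    (40, 60, "Average quality"),
    (60, 101, "Good quality"),
]


def quality_band(index: float) -> str:
    """Map a quality index (percent) to the dashboard's band label."""
    if not 0 <= index <= 100:
        raise ValueError(f"quality index {index} is not a percentage")
    for lower, upper, label in QUALITY_BANDS:
        if lower <= index < upper:
            return label
    raise AssertionError("unreachable: the bands cover 0-100")


def worst_n(samples: Dict[str, float], n: int = 5) -> List[Tuple[str, float, str]]:
    """The 'bottom five' table: lowest quality first, ties broken by name for a stable display."""
    ranked = sorted(samples.items(), key=lambda item: (item[1], item[0]))
    return [(name, q, quality_band(q)) for name, q in ranked[:n]]


def average_index(samples: Dict[str, float]) -> float:
    """Average quality index over a set of radios, as shown per RF Domain (rounded to 0.1)."""
    if not samples:
        raise ValueError("no samples")
    return round(sum(samples.values()) / len(samples), 1)


def domain_summary(domains: Dict[str, Dict[str, float]]) -> List[Tuple[str, float, str]]:
    """Per RF Domain average and band, worst domain first, like the System screen's RF Quality field."""
    rows = []
    for domain, radios in domains.items():
        avg = average_index(radios)
        rows.append((domain, avg, quality_band(avg)))
    return sorted(rows, key=lambda row: (row[1], row[0]))


# Constructed sample: per-radio quality index, keyed by RF Domain and then radio id.
SAMPLE_DOMAINS = {
    "hq-floor1": {"ap1:R1": 88.0, "ap1:R2": 71.5, "ap2:R1": 64.0},
    "hq-floor2": {"ap3:R1": 35.0, "ap3:R2": 58.0, "ap4:R1": 42.5},
    "warehouse": {"ap5:R1": 12.0, "ap5:R2": 20.0, "ap6:R1": 19.0},
}

if __name__ == "__main__":
    all_radios = {r: q for radios in SAMPLE_DOMAINS.values() for r, q in radios.items()}
    print("Bottom five radios")
    for name, q, band in worst_n(all_radios):
        print(f"  {name:8} {q:6.1f}%  {band}")
    print("RF Domains, worst first")
    for domain, avg, band in domain_summary(SAMPLE_DOMAINS):
        print(f"  {domain:10} {avg:6.1f}%  {band}")
```

On the constructed sample the warehouse domain averages 17.0 (very poor) and its three radios fill the top of the bottom-five table, which is the same signal the dashboard gives when a site needs channel or placement work.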
Traffic Statistics include transmit and receive values for Total Bytes, Total Packets, User Data Rate, Broadcast/Multicast Packets, Management Packets, Tx Dropped Packets and Rx Errors.

4.3.2 RF Domain Inventory

Refer to the following RF Domain inventory data collected by member controllers, service platforms or Access Points. To review the RF Domain inventory:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Expand the System node to display RF Domains.
4 Select an RF Domain.
5 Select the Inventory tab.

Figure 4-6 RF Domain screen - Inventory tab

The Inventory tab displays information on the devices managed by RF Domain member devices in the controller, service platform or Access Point managed network. The Inventory screen gives an administrator an overview of the number and state of the devices in the selected RF Domain. Information is displayed in easy to read tables and graphs.
The Device Types table displays the device types populating the RF Domain. The Device Type area displays an exploded pie chart that displays the type of device and their numbers in the RF Domain.
The Radios by Band table displays a bar graph of RF Domain member device radios classified by their radio band or sensor dedication. Review this information to assess whether RF Domain member radios adequately support client device traffic requirements.
The Radios by Channel table displays pie charts of the different channels utilized by RF Domain member radios. These dedicated channels should be as segregated as possible from one another to avoid interference. If too many radios are utilizing a single channel, consider off-loading radios to non-utilized channels to improve RF Domain performance.
The Top 5 Radios by Clients table displays a list of radios with the highest number of clients. This list displays the radio IDs as links that can be selected to display individual radio information in greater detail.
The WLANs table displays a list of WLANs utilized by RF Domain member devices. The table is ordered by WLAN member device radio count and their number of connected clients. Use this information to assess whether the WLAN is overly populated by radios and clients contributing to congestion.
The Clients by Band table displays the radio band utilization of connected RF Domain member clients. Assess whether the client band utilization adequately supports the intended radio deployment objectives of the connected RF Domain member Access Point radios.
The Clients of Channel table displays a bar graph of wireless clients classified by their frequency. Information for each channel is further classified by their 802.11x band. In the 5 GHz channel, information is displayed classified under 802.11a and 802.11an bands. In the 2.4 GHz channel, information is displayed classified under 802.11b, 802.11bg and 802.11bgn bands.

4.4 Controller

The Wireless Controller screen displays system collected network status for controllers and service platforms. The screen is partitioned into two tabs:
Controller Health - The Health tab displays information about the state of the controller or service platform managed wireless network.
Controller Inventory - The Inventory tab displays information on the physical devices managed by the controller or service platform.

NOTE: A T5 controller can also be selected from the dashboard's controller level to display a set of unique T5 dashboard screens. A T5 controller uses a different operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. For information on enabling controller adoption of external devices (for T5 support specifically) refer to Adoption Overrides (Controllers Only) on page 5-48.

4.4.1 Controller Health

To assess the controller or service platform's network health:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Expand the System node to display RF Domains.
4 Select and expand an RF Domain to expose its member controllers or service platforms.
5 Select a controller or service platform. The Health tab displays by default.

Figure 4-7 Wireless Controller screen - Health tab

Refer to the Device Details table for information about the selected controller or service platform. The following information is displayed:
Hostname - Lists the administrator assigned name of the controller or service platform.
Device MAC - Lists the factory encoded MAC address of the controller or service platform.
Type - Indicates the type of controller or service platform. An icon representing the RFS controller or NX service platform device type is displayed along with the model number.
RF Domain Name - Lists the RF Domain to which the controller or service platform belongs. The RF Domain displays as a link that's selectable to display RF Domain data in greater detail.
Model Number - Lists the model number and hardware SKU information of the selected controller or service platform to refine its intended deployment region.
Version - Lists the firmware version currently running on the controller or service platform. Compare this version against the version currently on the support site to ensure the controller or service platform has the latest feature set available.
Uptime - Displays the duration the controller or service platform has been running since it was last restarted.
CPU - Displays the CPU installed on this controller or service platform.
RAM - Displays the amount of RAM available for use in this system.
System Clock - Displays the current time set on the controller or service platform.

The Adopted Devices Health (w/ cluster members) displays a graph of Access Points in the system with the available Access Points in green and unavailable Access Points in red.
The Radio RF Quality Index provides a table of RF quality on a per radio basis. It is a measure of the overall effectiveness of the RF environment, displayed as a percentage. It is a function of the connect rate in both directions, the retry rate and the error rate. The screen displays the average quality index within the Access Point single radio. The table lists the bottom five (5) of the RF quality values by Access Point radio. The quality is measured as:
0-20 - Very poor quality 20-40 - Poor quality 40-60 - Average quality 60-100 - Good quality 6 Select a radio Id to view statistics in greater detail. The Radio Utilization table displays how efficiently the RF medium is used. Radio utilization is defined as the percentage of current throughput relative to the maximum possible throughput for the radio. The Radio Utilization table displays the Access Point radios in terms of the number of associated wireless clients and the percentage of utilization. It also displays a table of packets types transmitted and received. The Client RF Quality Index displays a table of RF quality on a per client basis. It is a measure of the overall effectiveness of the RF environment displayed in percentage. It is a function of the connect rate in both directions, the retry rate and the error rate. This area of the screen displays the average quality index for a client. The table lists bottom five (5) of the RF quality values by a client. Quality is measured as:
0-20 - Very poor quality 20-40 - Poor quality 40-60 - Average quality 60-100 - Good quality 7 Select a client MAC to view all the statistics for the selected client in greater detail. 4.4.2 Controller Inventory The Inventory tab displays information for the devices managed by the system. This screen enables a system administrator to have a complete overview of the number and state of managed devices. Information is displayed in easy to read tables and graphs. The Inventory screen also provides links for the system administrator to get more detailed information. To assess the controller or service platform inventory:
1 Select Dashboard. 2 Select Summary if its not already selected by default. 3 Expand the System node to display RF Domains. 4 Select and expand a RF Domain to expose its member controllers or service platforms. 5 Select a controller or service platform. 6 Select the Inventory tab. Wireless Controller and Service Platform System Reference Guide 4 - 13 Dashboard Figure 4-8 Wireless Controller screen - Inventory tab The Inventory tab displays information on the devices managed by the controller or service platform. The Inventory screen enables an administrator to overview of the number and state of controller or service platform managed devices and their utilization. Refer to the following Inventory data:
The Device Types field displays a ratio of devices managed by this controller or service platform in pie chart format. The Device Type area displays an exploded pie chart showing the types of devices and their numbers in the current system.
The Radios Type field displays the total number of radios managed by this controller or service platform. The graph lists the number of radios in both the 2.4 GHz and 5 GHz radio bands.
The Wireless Clients table lists clients managed by this controller or service platform by connected client count. Information is presented in two (2) tables and a graph. The first table lists the total number of clients managed by the listed controller or service platform. The second lists the top five (5) radios in terms of the number of connected clients. The graph just below the table lists the number of clients by radio type.
The WLAN Utilization table displays utilization statistics for controller or service platform WLAN configurations. Information displays in two tables. The first table lists the total number of WLANs managed by this system. The second table lists the top five (5) WLANs in terms of the usage percentage along with the name and network identifying SSID.
4.4.3 T5 Controller Dashboard
A T5 controller can be selected from the dashboard's controller level to display a set of unique T5 dashboard screens. A T5 controller uses a different operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. To review a T5 controller's dashboard:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Expand the System node to display RF Domains.
4 Select and expand an RF Domain to expose its member controllers or service platforms.
5 Select a T5 controller from amongst the devices listed at the dashboard's controller level. T5 devices will not appear at any other level in the dashboard's device tree.
6 Refer to the following T5 specific dashboard stats to assess whether a CPE's DSL connection is problematic and has excessive device resets (rendering the T5 device temporarily offline).
Figure 4-9 T5 Dashboard tab
The Customer Premises Equipment (CPEs) are the T5 managed radio devices. These CPEs use Digital Subscriber Line (DSL) as their high speed Internet access mechanism using the CPE's physical wallplate connection and phone jack.
- DSL Average Response Time - Lists each CPE's DSL name and its average response time in microseconds. Use this data to assess whether a specific DSL is experiencing response latency negatively impacting performance.
- DSL Downstream Coding Violations - Displays each listed DSL's number of coding violations as a measure of erroneous data degrading the DSL's performance within the T5's network coverage area.
- DSL Utilization - Lists each CPE's DSL name and its transmit utilization by percentage of overall load.
- DSL Downstream Severely Eroded Seconds - Displays each listed DSL's eroded seconds, as a negative measure of delivery latency degrading the DSL's performance within the T5's network coverage area.
- DSL Status - Lists the name of the DSL utilized on T5 managed CPE devices, and their downstream (transmit) data rate (in Mbps) and downstream throughput margin (in dB).
- CPE Reset - Lists the selected CPE's number of resets. A reset renders the CPE offline until completed, and consequently should be carefully tracked to ensure consistent online availability amongst CPEs in the same radio coverage area.
7 Select a T5 device from amongst the devices listed at the dashboard's controller level, and right click the arrow to the right to list an additional menu of diagnostic activities that can be administrated for the selected T5 device.
Figure 4-10 T5 Dashboard Menu Path
Use these additional T5 configuration items to optionally upgrade T5 managed device firmware, reload configurations, upgrade the T5 CPE and manage T5 managed device LED status.
8 Select Firmware Upgrade to conduct firmware updates for T5 managed devices.
Figure 4-11 T5 Dashboard Firmware Upgrade
By default, the Firmware Upgrade screen displays the TFTP server parameters for the target T5 device firmware file.
9 Provide the following information to accurately define the location of the T5 device firmware file.
- Protocol - Select the FTP or TFTP protocol used for updating T5 device firmware.
- Port - Use the spinner control, or manually set, the T5 device port used by the selected transfer protocol for firmware updates.
- Host - Provide the numeric IP address of the resource used to update the firmware.
- User Name - Define the user name used to access either an FTP or TFTP resource.
- Password - Specify the password for the user account to access an FTP or a TFTP resource.
- Path/File - Specify the correct directory path to the firmware file. Enter the complete relative path to the file on the server.
10 Select Apply to save the T5 device firmware connection protocol settings. Select Close to exit the Firmware Upgrade popup.
11 Select Reload to administrate the current and next boot version available to the selected T5 device.
12 Review the following Current and Next Boot Versions and optionally apply a primary or secondary designation to the next boot version used in pending T5 managed device updates:
Figure 4-12 T5 Dashboard Device Reload
- Current Boot - Lists whether the firmware image for a current T5 managed device boot is the primary or secondary firmware image.
- Current Boot Version - Lists the firmware version currently utilized with T5 managed device boots.
- Next Boot - Use the drop-down menu to specify whether the next boot is the primary or secondary firmware image.
- Next Boot Version - Lists the version used the next time the T5 managed radio device is booted.
13 Select Reload to apply the current and next boot settings to a T5 update. Select Close to exit the Reload popup.
14 Expand the CPE Management item from the T5 dashboard and select CPE Reload. Customer Premises Equipment (CPE) are the T5 managed radio devices.
15 Use the Reload screen to specify the CPEs to target for a T5 managed device firmware upgrade.
Figure 4-13 T5 Dashboard CPE Management Reload
- Select all CPEs - Select this option to use the settings specified in the Firmware Upgrade and Reload screens to update all the selected T5's managed CPE devices.
- Enter CPE Number - If wanting to administrate an update to a specific T5 managed CPE, use the spinner control to select a specific CPE (1 - 24) for update. This option is enabled only when Select all CPEs is disabled. Select Show Boot Data to display the Primary and Secondary firmware versions utilized in the update.
- Primary Version - When Show Boot Data is selected, this column lists the Primary Version utilized for the selected T5 managed CPE device update.
- Secondary Version - When Show Boot Data is selected, this column lists the Secondary Version utilized for the selected T5 managed CPE device update.
- Next Boot - Use the drop-down menu to specify whether the next boot is the primary or secondary firmware image utilized for the selected T5 managed CPE device update.
16 Select Reload to make the selected firmware image(s) available to the T5 in advance of initiating device upgrades. Select Close to exit the Reload popup.
17 Expand the CPE Management item from the T5 dashboard and select Firmware Upgrade to apply the defined upgrade settings to the selected T5's managed CPE devices.
18 Use the Reload screen to specify the CPEs to target for a T5 managed device firmware upgrade.
Figure 4-14 T5 Dashboard CPE Reload
- Select all CPEs - Select this option to use the settings specified in the Firmware Upgrade and Reload screens to update all T5's managed CPE devices.
- Enter CPE Number - If wanting to administrate an update to a specific T5 managed CPE, use the spinner control to select a specific CPE (1 - 24) for update. This option is enabled only when Select all CPEs is disabled. Select Show Boot Data to display the Primary and Secondary firmware versions utilized in the update.
- Protocol - Select the FTP or TFTP communication protocol used for updating T5 managed CPE device firmware.
- Port - Use the spinner control, or manually set, the T5 device port used by the selected transfer protocol for CPE device firmware updates.
- Host - Provide the numeric IP address of the resource used to update the CPE device firmware.
- Path/File - Specify the correct directory path to the T5 managed CPE device firmware file. Enter the complete relative path to the file.
19 Select Upgrade to initiate the update from the T5 to the selected CPE device(s). Select Close to exit the Firmware Upgrade popup.
20 Expand the CPE Management item from the T5 dashboard and select Set LED State to administrate the LED behavior of the T5 managed CPE devices.
Figure 4-15 T5 Dashboard Set LED State
21 Use the Set LED State screen to set the LED behavior of T5 managed CPE devices.
- Select all CPEs - Select this option to apply the administrated LED state to each T5 managed CPE device.
- Enter CPE Number - If wanting to set a specific T5 managed CPE LED, use the spinner control to set the CPE to be impacted by the LED state setting. This setting could be quite useful in deployments where a specific CPE's LED illumination could be disruptive (such as a hospital etc.). This option is enabled only when Select all CPEs is disabled.
- Set LED State - Define whether the LEDs remain on or off for the selected T5 managed CPE devices. The default setting is On.
22 Select Start LED State to initiate the LED behavior updates to the selected T5 managed CPE device(s). Select Close to exit the Set LED State popup.
23 Select T5 File Management to set the Source and Destination addresses used for T5 device configuration file updates.
Figure 4-16 T5 Dashboard T5 File Management
NOTE: The configuration parameters displayed within the T5 File Management screen differ (increase or reduce) depending on whether Copy, Rename or Delete is selected as the management action. When Copy is selected, both source and destination protocols, ports, host addresses and paths are required for transfers. If the action is to Rename a configuration, both source and destination paths are required for the name update. If the action is to Delete, only the path to the target file is required. All supplied paths and addresses must be set correctly for the selected action to be successful.
24 Set the following T5 File Management Source and/or Destination transfer protocols and address information. Options differ depending on the selected Copy, Rename or Delete file management action.
- Selected Action - Select Copy to enable parameters where the correct source and destination T5 device port, host IP address and directory path must be specified. Select Rename to correctly provide the source and destination directory paths of a renamed T5 configuration file. Select Delete to define the correct directory path of a target T5 configuration file to delete and remove. The default setting is Copy.
- Protocol - Select the FTP or TFTP communication protocol used for T5 file transfers. This option is only available when Copy is the selected action.
- Port - Use the spinner control, or manually set, the T5 device port used by the selected transfer protocol. This option is only available when Copy is the selected action.
- Host - Provide the numeric IP address of the resource used to update the CPE device firmware. This option is only available when Copy is the selected action.
- Path/File - Specify the correct directory path to the location(s) of the source and destination T5 device addresses. This option is only available when Copy is the selected action.
- Source - If Renaming or Deleting a T5 configuration file, correctly enter the directory path of the target file to be renamed or deleted.
- Destination - If Renaming a T5 configuration file, correctly enter the directory path of the target file to be renamed.
25 Select OK to apply the selected file management action. Select Close to exit the T5 File Management popup.
4.4.4 EX3500 Switch Dashboard
The EX3500 series switch is a Gigabit Ethernet Layer 2 switch with either 24 or 48 10/100/1000-BASE-T ports, and four small form factor pluggable (SFP) transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. Each EX3500 series switch includes an SNMP-based management agent, which provides both in-band and out-of-band access for management. An EX3500 series switch utilizes an embedded HTTP Web agent and command line interface (CLI) somewhat different from the WiNG operating system, while still enabling the EX3500 series switch to provide WiNG controllers PoE and port management resources.
Going forward, NX9600, NX9500, NX7500 and NX5500 WiNG managed service platforms and WiNG VMs can discover, adopt and partially manage EX3500 series Ethernet switches, as DHCP option 193 has been added to support external device adoption. DHCP option 193 is a simplified form of DHCP options 191 and 192 currently used by WiNG devices. DHCP option 193 supports the pool1, hello-interval and adjacency-hold-time parameters.
When adopted to a managing controller or service platform, an EX3500 switch can display a unique dashboard that helps administrators assess the interoperability of the selected EX3500 with its connected controller or service platform.
NOTE: To enable the adoption of an EX3500 switch, the Allow Adoption of External Devices option must be enabled. For more information, refer to Adoption Overrides (Controllers Only) on page 5-48.
To review an EX3500 switch dashboard:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Expand the System node to display RF Domains.
4 Select and expand an RF Domain to expose its member controllers or service platforms.
5 Select an EX3500 switch from amongst the devices listed.
Figure 4-17 EX3500 Dashboard
6 Refer to the following System information to assess dashboard information for the selected EX3500 switch.
- System Name - Displays the administrator assigned system name of the selected EX3500 switch.
- System Object ID - Lists the numeric ID used to determine the monitoring capabilities of the EX3500 switch.
- System Contact - Lists the EX3500 switch administrative contact assigned to respond to events created by, or impacting, this selected EX3500 switch and the RF Domain devices it helps support.
- System Description - Displays the system description provided by the administrator upon initial deployment of this particular EX3500 switch.
- System Location - Lists a 255 character maximum EX3500 switch location reflecting the switch's physical deployment location.
- System Up Time - Displays the cumulative time since this EX3500 was last rebooted or lost power.
- MAC Address (Unit 1) - Lists the factory encoded MAC address of the selected EX3500 as its hardware identifier.
- Web Server Port - Displays the Web server port the EX3500 is using. Port 80 is the default port the Web server expects to listen on.
- Web Server - Lists whether the Web server facility is enabled/disabled between this selected EX3500 switch and its connected controller or service platform. A Web server is a program using a client/server model and the Hypertext Transfer Protocol (HTTP) to serve files forming Web pages to Web resource requesting clients.
- Web Secure Server Port - Lists the numeric virtual server port providing secure Web resources with the selected EX3500. Any system with multiple open ports, multiple services and multiple scripting languages is vulnerable simply because it has so many points of entry to watch. The secure open port has been specifically designated and utilizes the latest security patches and updates.
- Web Secure Server - Lists whether the secure Web server functionality has been enabled or disabled for the selected EX3500's management session with the WiNG controller or service platform.
- Jumbo Frame - Lists whether support for jumbo Ethernet frames with more than 1500 bytes of payload has been enabled or disabled. Jumbo frames support up to 9000 bytes, but variations must be accounted for. Many Gigabit Ethernet switches and Gigabit Ethernet network interface cards support jumbo frames. Some Fast Ethernet switches and Fast Ethernet network interface cards also support jumbo frames.
- Telnet Server Port - Lists the numeric Telnet server port used with the selected EX3500's session with the WiNG controller or service platform to test for open ports. The listed port is the port number where the server is listening.
- Telnet Server - Displays whether Telnet functionality is currently enabled or disabled for the selected EX3500 switch.
7 Refer to the Upgrade field to assess the EX3500's current firmware and upgrade configuration status.
- Filename - Lists the target firmware file queued for subsequent uploads to the selected EX3500 switch.
- Path - Lists the complete relative path to the EX3500 switch firmware file defined for subsequent upgrades.
- Status - Lists whether a device firmware upgrade is currently enabled and queued for the selected EX3500 or is currently disabled.
- Reload Status - Displays the selected EX3500's current firmware reload status.
Periodically select Refresh to update the statistics counters to their latest values.
4.5 Access Point Screen
The Access Point screen displays system-wide network status for standalone or controller connected Access Points.
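The EX3500 System information fields above (Web Server, Web Secure Server, Telnet Server and their ports) are the quickest place to spot a management plane left in a weak state. As an added example, not code from this guide or from Extreme Networks, the following Python review takes those dashboard values as a dict keyed by the field names shown on the screen and flags a Telnet server left enabled, a plain HTTP Web server running without the secure Web server, and out-of-range or non-default ports. The severity labels, the treatment of 443 and 23 as the expected secure Web and Telnet ports (the guide states only port 80 as the Web server default), and the sample dashboard values are this example's own assumptions.

```python
"""Added example, not code from the WiNG guide or from Extreme Networks:
review the management-service fields the EX3500 dashboard shows (Web Server,
Web Secure Server, Telnet Server and their ports) for weak settings.

Assumptions of this example: the dashboard values arrive as a dict keyed by
the field names shown on the screen; the severity labels are our own; port 80
is the guide's stated Web server default, while 443 and 23 are assumed here
as the expected secure Web and Telnet ports.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "info" (labels assumed by this example)
    field: str      # dashboard field the finding refers to
    message: str


# Expected port per service: 80 is stated by the guide; 443 and 23 are assumed.
EXPECTED_PORTS = {
    "Web Server Port": 80,
    "Web Secure Server Port": 443,
    "Telnet Server Port": 23,
}


def _enabled(value) -> bool:
    """The dashboard shows 'Enabled'/'Disabled'; booleans are accepted too."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in {"enabled", "enable", "on", "true", "1"}


def review_management_services(dashboard: dict) -> list:
    """Return a list of Finding objects, highest concerns first."""
    findings = []
    telnet_on = _enabled(dashboard.get("Telnet Server", "Disabled"))
    http_on = _enabled(dashboard.get("Web Server", "Disabled"))
    https_on = _enabled(dashboard.get("Web Secure Server", "Disabled"))

    if telnet_on:
        findings.append(Finding("high", "Telnet Server",
            "Telnet is enabled; it carries logins and session data in clear text. "
            "Disable it and manage the switch over SSH or the secure Web server."))
    if http_on and not https_on:
        findings.append(Finding("high", "Web Server",
            "Only the plain HTTP Web server is enabled; enable the secure Web "
            "server and then disable plain HTTP."))
    elif http_on and https_on:
        findings.append(Finding("medium", "Web Server",
            "Plain HTTP is still enabled alongside HTTPS; disable it once HTTPS "
            "access has been verified."))

    # Port sanity: each service port must be a valid TCP port; a non-default
    # port is not a fault but is worth recording for firewall rules.
    for field, expected in EXPECTED_PORTS.items():
        raw = dashboard.get(field)
        if raw is None:
            continue
        try:
            port = int(raw)
        except (TypeError, ValueError):
            findings.append(Finding("medium", field, f"unreadable port value {raw!r}"))
            continue
        if not 1 <= port <= 65535:
            findings.append(Finding("medium", field, f"port {port} is outside 1-65535"))
        elif port != expected:
            findings.append(Finding("info", field,
                f"non-default port {port} (expected {expected}); document it and "
                "restrict access to the management network"))

    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f.severity])


# Constructed sample dashboard values (not taken from a real switch).
CONSTRUCTED_DASHBOARD = {
    "System Name": "ex3500-floor2",
    "Web Server Port": 80,
    "Web Server": "Enabled",
    "Web Secure Server Port": 443,
    "Web Secure Server": "Disabled",
    "Telnet Server Port": 23,
    "Telnet Server": "Enabled",
    "Jumbo Frame": "Disabled",
}

if __name__ == "__main__":
    for f in review_management_services(CONSTRUCTED_DASHBOARD):
        print(f"[{f.severity}] {f.field}: {f.message}")
```

Run against the constructed sample, the review reports two high findings (Telnet enabled, HTTP without HTTPS); a switch showing Web Server Disabled, Web Secure Server Enabled and Telnet Server Disabled produces at most an informational note about a non-default port.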
The screen is partitioned into the following tabs:
- Access Point Health - The Health tab displays information about the state of the Access Point managed network.
- Access Point Inventory - The Inventory tab displays information on the physical devices managed within the Access Point managed network.
4.5.1 Access Point Health
To assess Access Point network health:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Expand the System node to display RF Domains.
4 Select and expand an RF Domain to expose its member controllers or service platforms.
5 Select a controller or service platform and expand the menu item to display connected Access Points.
6 Select an Access Point. The Health tab displays by default.
Figure 4-18 Access Point screen - Health tab
The Device Detail field displays the following information about the selected Access Point:
- Hostname - Lists the administrator assigned name of the selected Access Point.
- Device MAC - Lists the factory encoded MAC address of the selected Access Point.
- Primary IP Address - Lists the IP address assigned to the Access Point as a network identifier.
- Type - Indicates the Access Point model type. An icon representing the Access Point is displayed along with the model number.
- RF Domain Name - Lists the RF Domain to which the Access Point belongs. The RF Domain displays as a link that can be selected to display Access Point RF Domain membership data in greater detail.
- Model Number - Lists the specific model number of the Access Point.
- Version - Lists the version of the firmware running on the Access Point. Compare this version against the version currently on the support site to ensure the Access Point has the latest feature set available.
- Uptime - Displays the duration the Access Point has been running from the time it was last restarted.
- CPU - Displays the CPU installed on this Access Point.
- RAM - Displays the amount of RAM available for use in this system.
- System Clock - Displays the current time on the Access Point.
The Radio RF Quality Index displays a table of RF quality per radio. It is a measure of the overall effectiveness of the RF environment, displayed as a percentage. It is a function of the connect rate in both directions, the retry rate and the error rate. The quality is measured as:
- 0-20 - Very poor quality
- 20-40 - Poor quality
- 40-60 - Average quality
- 60-100 - Good quality
The Radio Utilization Index area displays how efficiently the RF medium is used. Radio utilization is defined as the percentage of current throughput relative to the maximum possible throughput for the radio. The Radio Utilization displays radios in terms of the number of associated wireless clients and percentage of utilization. It also lists packet types transmitted and received.
The Client RF Quality Index displays a table of RF quality on a per client basis. It is a measure of the overall effectiveness of the RF environment, displayed as a percentage. It is a function of the connect rate in both directions, the retry rate and the error rate. This area of the screen displays the average quality index for a client. The table lists the bottom five (5) RF quality values by client. The quality is measured as:
- 0-20 - Very poor quality
- 20-40 - Poor quality
- 40-60 - Average quality
- 60-100 - Good quality
4.5.2 Access Point Inventory
The Access Point Inventory tab displays granular data on devices managed by the selected Access Point. Information is displayed in easy to read tables and graphs. To assess Access Point network health:
1 Select Dashboard.
2 Select Summary if it's not already selected by default.
3 Expand the System node to display RF Domains.
4 Select and expand an RF Domain to expose its member controllers or service platforms.
5 Select a controller or service platform and expand the menu item to display connected Access Points.
6 Select an Access Point.
7 Select the Inventory tab.
Figure 4-19 Access Point screen - Inventory tab
The information within the Inventory tab is partitioned into the following fields:
The Radios Type field displays the total number of radios utilized by this Access Point. The graph lists the number of radios in the 2.4 GHz and 5 GHz radio bands and functioning as a sensor.
The WLAN Utilization table displays utilization statistics for controller or service platform WLAN configurations. Information displays in two tables. The first table lists the total number of WLANs managed by this system. The second table lists the top five (5) WLANs in terms of the usage percentage along with their name and network identifying SSID.
The Wireless Clients table lists clients managed by this Access Point by connected client count. Information is presented in two (2) tables and a graph. The first table lists the total number of clients managed by the listed Access Point. The second lists the top five (5) radios in terms of the number of connected clients. The graph just below the table lists the number of clients by radio type.
4.6 Network View
The Network View functionality displays device association connectivity amongst controllers, service platforms, Access Point radios and wireless clients. This association is represented by a number of different graphs. To review the wireless controller's Network Topology, select Dashboard > Network View.
Figure 4-20 Network View Topology
The screen displays icons for the different views available to the system. Apart from device specific icons, the following three icons are available:
- default - Displays information about the default RF Domain.
- system - Displays information about the current system.
- cluster - Displays information about clusters managed by this system.
Use the icons to navigate quickly within top level groupings.
The middle field displays a Network View, or graphical representation of the network. Nodes display whether or not they are members of a cluster or mesh domain. Use this information to assess whether the topology of the network has changed in such a manner that devices need to be added or moved. This field changes to display a graphical network map. Use the Lock / Unlock icon in the upper right of the screen to prevent users from moving APs around within the specified area.
4.7 Debug Wireless Clients
An administrator has the ability to select an RF Domain and capture connected client debug messages at an administrator assigned interval and location. Client debug information can either be collected historically or in real-time. To troubleshoot issues with wireless client connectivity within a controller, service platform or Access Point managed RF Domain:
1 Select Dashboard.
2 Expand the System node to display controller, service platform or Access Point managed RF Domains.
3 Select and expand an RF Domain and click on the down arrow to the right of the RF Domain's name.
4 Select Troubleshooting.
5 Select Debug Wireless Clients.
6 Refer to the following remote debug information for RF Domain member connected wireless clients:
Figure 4-21 Debug Wireless Clients screen
- RF Domain - Displays the administrator assigned name of the selected RF Domain used for wireless client debugging. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as a floor, building or site.
- Send Data To - Use the Send Data To drop-down menu to select where wireless client debug messages are collected. If Screen is selected, the wireless client debug information is sent to the Live Wireless Debug Events window at the bottom of the dialog window. If File is selected, the file location must be specified in the File Location section of the window.
- Select Debug Messages - Select All Debug Messages to display all wireless client debug information for the selected wireless clients on the current RF Domain. Choose Selected Debug Messages to specify which types of wireless client debug messages to display. If the Selected Debug Messages radio button is selected, you can display information for any combination of the following:
  - 802.11 Management
  - EAP
  - Flow Migration
  - RADIUS
  - System Internal
  - WPA/WPA2
- Wireless Clients - Select All Wireless Clients to display debug information for all wireless clients currently associated to the current RF Domain. Choose Selected Wireless Clients to display information only for specific wireless clients (between 1 and 3). If the Selected Wireless Clients radio button is selected, enter the MAC address for up to three wireless clients. The information displayed or logged to the file will only be from the specified wireless clients.
- Duration of Message Capture - Use the spinner controls to select how long to capture wireless client debug information. This can range between 1 second and 24 hours, with the default value being 1 minute.
- Maximum Events Per Wireless Client - Use the spinner controls to select the maximum number of debug messages displayed per wireless client. Set the number of messages from 1 - 9999 events, with the default value being 100 events.
- File Location - When the Send Data To field is set to File, the File Location configuration displays below the configuration section. If Basic is selected, enter the URL in the following format:
  URL Syntax:
  tftp://<hostname|IP>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
  IPv6 URL Syntax:
  tftp://<hostname|[IPv6]>[:port]/path/file
  ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file
  If Advanced is selected, configure the Target, Port, Host/IP, User, Password and optionally the path for the wireless client debug log file you wish to create.
- Live Wireless Debug Events - When the Send Data To field is set to Screen, this area displays live debug information for connected wireless clients in the selected RF Domain.
When all configuration fields are complete, select Start to start the wireless client debug capture. If information is being sent to the screen, it displays in the Live Wireless Debug Events section. If the data is being sent to a file, that file populates with remote debug information. If you have set a long message capture duration and wish to end the capture early, select Stop.
4.8 Debug Captive Portal Clients
An administrator can select an RF Domain and capture captive portal client and authentication debug messages at an administrator assigned interval and location. Captive portal debug information can either be collected historically or in real-time. To troubleshoot captive portal client debug messages:
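The File Location URL formats given for the Debug Wireless Clients screen above are easy to get subtly wrong: an unbracketed IPv6 address, a path with no file name, or credentials on a TFTP URL. As an added example, not code from this guide or from the WiNG software, the following Python parser checks a URL against those formats before it is entered into the screen, applies the standard TFTP (69) and FTP (21) ports when none is given, and produces a redacted form for change logs, since an ftp:// URL embeds the password and FTP sends it unencrypted. The default ports, the result field names, the refusal of `..` path segments and the sample URLs are this example's own assumptions.

```python
"""Added example (not from the WiNG guide or the WiNG software): parse and
validate the File Location URL syntax accepted by the Debug Wireless Clients
screen:

    tftp://<hostname|IP>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|IP>[:port]/path/file
    tftp://<hostname|[IPv6]>[:port]/path/file
    ftp://<user>:<passwd>@<hostname|[IPv6]>[:port]/path/file

Assumed by this example (not stated by the guide): the default ports 69/21,
the field names of the result, and the refusal of '..' path segments.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

_URL_RE = re.compile(r"""
    ^(?P<scheme>tftp|ftp)://
    (?:(?P<user>[^:@/]+):(?P<passwd>[^@/]*)@)?            # ftp credentials
    (?:\[(?P<ip6>[0-9A-Fa-f:.]+)\]|(?P<host>[^:/\[\]]+))  # [IPv6] or hostname/IPv4
    (?::(?P<port>\d{1,5}))?                               # optional port
    (?P<path>/.+)$                                        # /path/file
""", re.VERBOSE)

DEFAULT_PORTS = {"tftp": 69, "ftp": 21}  # IANA defaults, assumed by this example


@dataclass(frozen=True)
class LogDestination:
    scheme: str
    host: str
    port: int
    path: str
    user: Optional[str] = None
    passwd: Optional[str] = None

    def has_cleartext_credentials(self) -> bool:
        """FTP sends the user name and password unencrypted on the wire."""
        return self.scheme == "ftp" and self.passwd is not None

    def redacted(self) -> str:
        """URL with the password masked, safe to write to a change log."""
        cred = f"{self.user}:***@" if self.user is not None else ""
        host = f"[{self.host}]" if ":" in self.host else self.host
        return f"{self.scheme}://{cred}{host}:{self.port}{self.path}"


def parse_log_destination(url: str) -> LogDestination:
    """Parse a debug-log URL; raise ValueError with the reason if it is malformed."""
    m = _URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a tftp:// or ftp:// file URL: {url!r}")
    g = m.groupdict()
    if g["scheme"] == "ftp" and g["user"] is None:
        raise ValueError("ftp:// URLs need <user>:<passwd>@ before the host")
    if g["scheme"] == "tftp" and g["user"] is not None:
        raise ValueError("tftp:// URLs take no credentials")
    if g["ip6"] is not None:
        host = str(ipaddress.IPv6Address(g["ip6"]))  # raises on a bad address
    else:
        host = g["host"]
        if re.fullmatch(r"\d+(\.\d+){3}", host):
            ipaddress.IPv4Address(host)               # raises on a bad address
    port = int(g["port"]) if g["port"] else DEFAULT_PORTS[g["scheme"]]
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} is outside 1-65535")
    path = g["path"]
    if path.endswith("/") or ".." in path.split("/"):
        raise ValueError("path must name a file and must not contain '..'")
    return LogDestination(g["scheme"], host, port, path, g["user"], g["passwd"])


def is_valid_log_destination(url: str) -> bool:
    """Convenience wrapper: True when the URL parses, False otherwise."""
    try:
        parse_log_destination(url)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample URLs, not taken from a real deployment.
    for sample in ("tftp://10.0.0.5/logs/client.log",
                   "ftp://debug:s3cret@logs.example.net:2121/wing/debug.txt",
                   "tftp://[2001:db8::10]:1069/logs/client.log"):
        print(parse_log_destination(sample).redacted())
```

Checking the URL locally first also tells you before the capture starts whether the log is about to travel over FTP with a reusable password in it; a TFTP target on the management network, or a file on the device reviewed through the Advanced form, avoids that.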
1 Select Dashboard.
2 Expand the System node to display controller, service platform or Access Point managed RF Domains.
3 Select and expand an RF Domain and click on the down arrow to the right of the RF Domain's name.
4 Select Troubleshooting.
5 Select Captive Portal Clients.
Figure 4-22 Debug Wireless Clients screen
6 Use the Send Data To drop-down menu to select where captive portal debug messages are collected. If Screen is selected, information is sent to the Live Wireless Debug Events window at the bottom of the screen. If File is selected, the file location must be specified in the File Location field.
7 Select Debug Message settings to refine how captive portal client debug messages are trended:
- Select Debug Messages - Select All Debug Messages to capture all captive portal client and captive portal authentication request events collectively, without filtering by type. Choose Selected Debug Messages to specify the type of captive portal event messages to display. Options include captive portal client events and events specific to captive portal authentication requests.
8 Set Captive Portal Clients filter options to refine which clients are included in the debug messages.
- All Captive Portal Clients - Select All Captive Portal Clients to display debug information for each client utilizing a captive portal for network access within the selected RF Domain.
- Select Captive Portal Clients (up to 3) - Optionally display captive portal debug messages for specific clients (1 - 3). Enter the MAC address for up to three wireless clients. The information displayed or logged to the file is only from the specified wireless clients. Change the client MAC addresses as needed when clients are no longer utilizing the RF Domain's captive portal resources.
9 Define the following captive portal client Settings to determine how messages are trended:
- Duration of Message Capture - Use the spinner controls to set the message capture interval for captive portal debug information. This can range between 1 second and 24 hours.
- Maximum Events Per Captive Portal Client - Use the spinner controls to select the maximum number of captive portal event messages displayed per RF Domain member client. Set the number of messages from 1 - 9999 events, with the default value being 100 events.
10 When all configuration fields are complete, select Start to start the captive portal client debug message capture. Information sent to the screen displays in the Live Captive Portal Debug Events field. If you have set a long message capture duration and wish to end the capture early, select Stop.
4.9 Packet Capture
An administrator can capture connected client packet data based on the packet's address type or the port on which it was received. Dropped client packets can also be trended to assess RF Domain client connectivity health. To administrate RF Domain packet captures:
1 Select Dashboard.
2 Expand the System node to display controller, service platform or Access Point managed RF Domains.
3 Select and expand a RF Domain and click on the down arrow to the right of the RF Domain's name.
4 Select Troubleshooting.
5 Select Packet Capture.

Wireless Controller and Service Platform System Reference Guide 4 - 32 Dashboard

6 Refer to the following packet capture data for RF Domain member connected wireless clients:
Figure 4-23 Packet Capture screen

- RF Domain: Displays the administrator assigned name of the selected RF Domain used for wireless client packet captures. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as a floor, building or site.
- Send Data To: Use the Send Data To drop-down menu to select where wireless client packet capture messages are collected. If Screen is selected, client packet capture data is sent to the Live Wireless Debug Events window at the bottom of the dialog window. If File is selected, the file location must be specified in the File Location section of the window.
- Dropped: Select Dropped to create an event entry each time a packet is dropped from a client connected to a RF Domain member device. Use this information to assess whether a particular RF Domain is experiencing high levels of dropped packets that may require administration to distribute client connections more evenly.
- Interface: Select Interface to specify packet capture on a specific interface on the current RF Domain. If Interface is selected, specify the interface name and number and specify a Packet Direction.
- On a Radio (802.11): Select On a Radio (802.11) to capture packets only on 802.11 radios. If selecting this option, specify which radios should be used and specify a Packet Direction.
- Filter (MAC, IP, Protocol, Port): Filter packet captures based on specific criteria. Select one or more of the following and specify the relevant information:
  - Filter by MAC
  - Filter By IP
  - IP Protocol
  - Port
- Maximum Packet Count: Set the Maximum Packet Count to limit the number of packets captured for trending. Set this value between 1 - 10000 packets, with a default value of 200.

7 Select Start to begin the packet capture. Information sent to the screen displays in the lower portion of the window. If the data is being sent to a file, that file populates with the packet capture information. If you have set a long message capture duration and wish to end the capture early, select Stop.

5 Device Configuration

Managed devices can either be assigned unique configurations or have existing RF Domain or Profile configurations modified (overridden) to support a requirement that dictates a device's configuration be customized from the configuration shared by its profiled peer devices. When a device is initially managed by the controller or service platform, it requires several basic configuration parameters be set (system name, deployment location etc.). Additionally, the number of permitted device licenses needs to be assessed to determine whether a new Access Point can be adopted.

Refer to the following to set a device's basic configuration, license and certificate usage:
- Basic Configuration
- Basic Device Configuration
- Auto Provisioning Policies
- Managing an Event Policy
- Managing MINT Policies

RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area (floor, building or site). In such instances, there are many configuration attributes these devices share, as their general client support roles are quite similar. However, device configurations may need periodic refinement
(overrides) from their original RF Domain administered design. For more information, see RF Domain Overrides on page 5-32.

Profiles enable administrators to assign a common set of configuration parameters and policies to controllers or service platforms and Access Points. Profiles can be used to assign shared or unique network, wireless and security parameters to wireless controllers and Access Points across a large, multi-segment site. The configuration parameters within a profile are based on the hardware model the profile was created to support. The controller and service platform support both default and user defined profiles, implementing new features or updating existing parameters for groups of controllers, service platforms or Access Points. However, device profile configurations may need periodic refinement from their original administered configuration. Consequently, a device profile could have an override applied that departs from the configuration shared amongst numerous peer devices deployed within a particular site. For more information, see Profile Overrides on page 5-38.

Adoption is the process an Access Point uses to discover controllers or service platforms available in the network, pick the most desirable, establish an association, obtain its configuration and consider itself provisioned. At adoption, an Access Point solicits and receives multiple adoption responses from available controllers or service platforms on the network. Modify existing adoption policies or create a new one as needed to meet the adoption requirements of a device and its assigned profile. For more information, see Auto Provisioning Policies on page 5-268.

Lastly, use Configuration > Devices to define and manage a critical resource policy. A critical resource policy defines a list of device IP addresses on the network (gateways, routers etc.). The availability of these IP addresses is interpreted as critical to the health of the network. These device addresses are pinged regularly by the controller or service platform. If there's a connectivity issue, an event is generated stating a critical resource is unavailable. For more information, see Overriding a Profile's Critical Resource Configuration on page 5-233.

5.1 Basic Configuration

To assign a Basic Configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab.

The Device Configuration screen displays a list of devices. Refer to the following device settings to determine whether a configuration update or RF Domain or Profile change is warranted:
Figure 5-1 Device Configuration screen

- System Name: Displays the name assigned to the device when the basic configuration was defined. This is also the device name that appears within the RF Domain or Profile the device supports.
- MAC Address: Displays the device's factory assigned MAC address used as a hardware identifier. The MAC address cannot be revised with the device's configuration.
- Device Type: Displays the device model for the listed controller, service platform or Access Point.
- RF Domain Name: Lists RF Domain memberships for each listed device. Devices can either belong to a default RF Domain based on model type, or be assigned a unique RF Domain supporting a specific configuration customized to that device model.
- Profile Name: Lists the profile each listed device is currently a member of. Devices can either belong to a default profile based on model type, or be assigned a unique profile supporting a specific configuration customized to that model.
- Area: Lists the physical area where the controller or service platform is deployed. This can be a building, region, campus or other area that describes the deployment location.
- Floor: Lists the building Floor name representative of the location within the area or building where the controller or service platform was physically deployed. Assigning a building Floor name is helpful when grouping devices in RF Domains and Profiles, as devices on the same physical building floor may need to share specific configuration parameters in respect to radio transmission and interference requirements specific to that location.
- Overrides: The Overrides column contains an option to clear all profile overrides for any devices that contain overrides. To clear an override, select the clear button to the right of the device.
3 Select Add to create a new device, select Edit to modify an existing device or select Delete to remove an existing device. Optionally Copy or Rename a device as needed.
4 Use the Replace button to replace an existing Access Point with another Access Point. The Replace feature enables you to swap an existing Access Point with a new one without disrupting normal operations. The configuration of the old Access Point is automatically copied to the newly added Access Point. The following screen is displayed.

Figure 5-2 Device Configuration screen - Replace

5 Enter the MAC address of the new Access Point in the New Name field and select the Replace button. The new Access Point is added to the list of devices and the configuration from the old Access Point is applied to it. The old Access Point is then removed from the device list.

5.2 Basic Device Configuration

Setting a device's Basic Configuration is required to assign a device name, deployment location, and system time. Similarly, the Basic Configuration screen is where Profile and RF Domain assignments are made. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as a floor, building or site. Each RF Domain contains policies that can determine a Smart RF or WIPS configuration. Profiles enable administrators to assign a common set of configuration parameters and policies to controllers, service platforms and Access Points. Profiles can be used to assign common or unique network, wireless and security parameters to wireless controllers and Access Points across a large, multi-segment site. The configuration parameters within a profile are based on the hardware model the profile was created to support.
A controller and service platform support both default and user defined profiles, implementing new features or updating existing parameters for groups of peer devices and Access Points. The central benefit of a profile is its ability to update devices collectively without having to modify individual device configurations one at a time.

NOTE: Once devices have been assigned membership in either a profile or RF Domain, an administrator must be careful not to assign the device a configuration update that removes it from membership in a RF Domain or profile. A RF Domain or profile configuration must be re-applied to a device once its configuration has been modified in a manner that differentiates it from the configuration shared by the devices comprising the RF Domain or profile.

To assign a device a Basic Configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a target device (by double-clicking it) from amongst those displayed. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI. The Basic Configuration screen displays by default.
4 Set the following Configuration settings for the target device:
Figure 5-3 Basic Configuration screen

- System Name: Provide the selected device a system name up to 64 characters. This is the device name that appears within the RF Domain or Profile the device supports.
- Area: Assign the device an Area name representative of the location where the controller or service platform was physically deployed. The name cannot exceed 64 characters. Assigning an area name is helpful when grouping devices in RF Domains and profiles, as devices in the same physical deployment location may need to share specific configuration parameters in respect to radio transmission and interference requirements specific to that location.
- Floor: Assign the target device a building Floor name representative of the location where the Access Point was physically deployed. The name cannot exceed 64 characters. Assigning a building Floor name is helpful when grouping devices within the same general coverage area.
- Floor Number: Use the spinner control to assign a numerical floor designation in respect to the floor's actual location within a building. Set a value from 1 - 4094. The default setting is the 1st floor.
- Latitude Coordinate: Set the latitude coordinate where devices are deployed within a floor. When looking at a floor map, latitude lines specify the east-west position of a point on the Earth's surface. The exact location of a device deployment can be ascertained by aligning the latitude and longitude points on the Earth's surface.
- Longitude Coordinate: Set the longitude coordinate where devices are deployed within a floor. When looking at a floor map, longitude lines specify the north-south position of a point on the Earth's surface. The exact location of a device deployment can be ascertained by aligning the longitude and latitude points on the Earth's surface.

5 Use the RF Domain drop-down menu to select an existing RF Domain for device membership.
6 If a RF Domain configuration does not exist suiting the deployment requirements of the target device, select the Create icon to create a new RF Domain configuration, or select the Edit icon to modify the configuration of a selected RF Domain. For more information, see About RF Domains on page 9-1 or Managing RF Domains on page 9-2.
7 Use the Profile drop-down menu to select an existing device profile for multiple device deployment uniformity.
8 If a profile configuration does not exist suiting the deployment requirements of the target device, select the Create icon to create a new profile configuration, or select the Edit icon to modify the configuration of a selected profile. For more information, see General Profile Configuration on page 8-5.
9 If necessary, select the Clear Overrides button to remove all existing overrides from the device.
10 Refer to the Set Clock parameter to update the system time of the target device.
11 Refer to the Device Time parameter to assess the device's current time, or whether the device time is unavailable. Select Refresh as required to update the device's reported system time.
12 Use the New Time parameter to set the calendar day, hour and minute for the target device. Use the AM and PM radio buttons to refine whether the updated time is for the morning or afternoon/evening.
13 When completed, select Update Clock to commit the updated time to the target device.
14 If a T5 controller is deployed, select it from the Type drop-down menu and configure CPE VLAN Settings, in addition to the other parameters described in this section. A T5 controller uses a somewhat different operating system to manage its connected radio devices, as opposed to the WiNG operating system used by RFS controllers and NX service platforms. However, a T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices.
The Customer Premises Equipment (CPEs) are the T5 controller managed radio devices. These CPEs use a Digital Subscriber Line (DSL) as their high speed Internet access mechanism, using the CPE's physical wallplate connection and phone jack.

- VLAN: Set a VLAN from 1 - 4,094 used as a virtual interface for connections between the T5 controller and its managed CPE devices.
- Start IP: Set a starting IP address used in a range of addresses available to T5 controller connecting CPE devices.
- End IP: Set an end IP address used in a range of addresses available to T5 controller connecting CPE devices.

15 Select OK to save the changes made to the screen. Selecting Reset reverts the screen to its last saved configuration.

5.2.1 License Configuration

Licenses are purchased directly for the number of permissible adoptions per controller, service platform or managed cluster.

NOTE: The Licenses screen is only available to wireless controllers capable of sustaining device connections, and thus requires license support to set the maximum number of allowed device connections. The License screen is not available for Access Points.

Managing infrastructure devices requires a license key to enable software functionality or define the number of adoptable devices permitted. My Licenses is a Web based online application enabling you to request a license key for license certificates for products.

NOTE: For detailed instructions on using My Licenses to add hardware or software licenses and register certificates, refer to the My Licenses User's Guide, available at www.extremenetworks.com/support.

The Licenses screen also contains a facility where new licenses can be applied to increase the number of device adoptions permitted, or to allow the use of the advanced security features.
Each controller and service platform family has multiple models to choose from that range from zero licenses to the maximum number that can be loaded for that specific SKU.

To configure a device's license configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
4 Select Licenses from the Device menu options.

The License screen displays the Device Serial Number of the controller or service platform generating the license key.

Figure 5-4 Device Licenses screen

NOTE: When assessing lent and borrowed license information, it's important to distinguish between site controllers and NOC controllers. NOC controllers are NX9000, NX9500, NX9510, NX7500 and RFS6000. Site controllers are NX5500, NX7500, RFS4000 and RFS6000.

5 Review the AP Licenses table to assess the specific number of adoptions permitted, as dictated by the terms of the current license. The Native tab displays by default. Select the Guest tab to display guest licenses.

- AP Adoptions: The Device column lists the total number of AP adoptions made by the controller or service platform. If the installed license count is 10 APs and the number of AP adoptions is 5, 5 additional APs can still be adopted under the terms of the license. The total number of AP adoptions varies by platform, as well as the terms of the license. The Cluster column lists the total number of AP adoptions made by the cluster membership (all members).
If the installed license count is 100 APs and the number of AP adoptions is 50, 50 additional APs can still be adopted under the terms of the AP licenses, pooled by the cluster members.
- AP Licenses: The Device column lists the number of APs available for adoption under the restrictions of the license. This number applies to dependent mode adaptive APs only, and not independent mode APs. The Cluster column lists the number of APs available for adoption by cluster members under the restrictions of the licenses, as pooled amongst the cluster members.
- AP Lent Licenses: Lent licenses are the total number of AP licenses the NOC controller lends (if needed) to its site controllers so site controllers can adopt APs in excess of their own installed AP license count. AP lent licenses can be non-zero only in controllers currently configured as the NOC (NOC controller). Lent Licenses is always zero in controllers configured as the site (site controller).
- AP Borrowed Licenses: Borrowed licenses are the total number of AP licenses borrowed by the site controller from the NOC controller (NOC controllers if a NOC controller is in a cluster). AP borrowed licenses are always zero in the NOC controller. AP borrowed licenses can be non-zero only on site controllers.
- AP Total Licenses: Lists the cumulative number of both Device and Cluster AP licenses supported by the listed controller or service platform.

NOTE: The following is a licensing example. Assume there are two site controllers (S1 and S2) adopted to a NOC controller (N1). S1 has 3 installed AP licenses, and S2 has 4 installed AP licenses. Eight APs seek to adopt on S1, and ten APs seek to adopt on S2. N1 has 1024 installed licenses. N1 lends 5 (8-3) AP licenses to S1, and 6 (10-4) AP licenses to S2.

N1 displays the following in the Device column:
- AP Adoptions: 2 (site controllers S1 and S2)
- AP Licenses: 1024
- AP Lent Licenses: 11 (5 to S1 + 6 to S2)
- AP Borrowed Licenses: 0
- AP Total Licenses: 1013 (1024 - 11 lent)

S1 displays the following in the Device column:
- AP Adoptions: 8
- AP Licenses: 3
- AP Lent Licenses: 0
- AP Borrowed Licenses: 5
- AP Total Licenses: 8 (3 + 5 borrowed)

S2 displays the following in the Device column:
- AP Adoptions: 10
- AP Licenses: 4
- AP Lent Licenses: 0
- AP Borrowed Licenses: 6
- AP Total Licenses: 10 (4 + 6 borrowed)

6 Review the AAP Licenses table to assess the specific number of adoptions permitted, as dictated by the terms of the current license.

- AAP Adoptions: The Device column lists the total number of AAP adoptions made by the controller or service platform. If the installed license count is 10 APs and the number of AAP adoptions is 5, 5 additional AAPs can still be adopted under the terms of the license. The total number of AAP adoptions varies by platform, as well as the terms of the license. The Cluster column lists the total number of AAP adoptions made by the cluster membership (all members). If the installed license count is 100 APs and the number of AAP adoptions is 50, 50 additional AAPs can still be adopted under the terms of the AAP licenses, pooled by the cluster members.
- AAP Licenses: The Device column lists the number of AAPs available for adoption under the restrictions of the license. This number applies to dependent mode adaptive AAPs only, and not independent mode AAPs. The Cluster column lists the number of AAPs available for adoption by cluster members under the restrictions of the licenses, as pooled amongst the cluster members.
- AAP Lent Licenses: Lent licenses are the total number of AAP licenses the NOC controller lends (if needed) to its site controllers so site controllers can adopt adaptive APs in excess of their own installed AAP license count. AAP lent licenses can be non-zero only in controllers currently configured as the NOC (NOC controller). Lent Licenses is always zero in controllers configured as the site (site controller).
- AAP Borrowed Licenses: Borrowed licenses are the total number of AAP licenses borrowed by the site controller from the NOC controller (NOC controllers if a NOC controller is in a cluster). AAP borrowed licenses are always zero in the NOC controller. AAP borrowed licenses can be non-zero only on site controllers.
- AAP Total Licenses: Lists the cumulative number of both Device and Cluster AAP licenses supported by the listed controller or service platform.

7 Refer to the Feature Licenses field to apply licenses and provision advanced security and analytics features:
- Advanced Security: Enter the provided license key required to install the Role Based Firewall feature and increase the number of IPSec VPN tunnels. The number of IPSec tunnels varies by platform.
- Analytics Licenses: Enter the provided license key required to install Analytics (an enhanced statistical management tool) for NX7500 and NX9000 series service platforms.

8 Refer to the Web Filtering License field if required to provide a 256 character maximum license string for the Web filtering feature. Web filtering is used to restrict access to specific resources on the Internet.
9 Select OK to save the changes made to the applied licenses. Selecting Reset reverts the screen to its last saved configuration.

5.2.2 Assigning Certificates

A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate. A browser must contain the CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key. Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
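Looking back at the licensing note in section 5.2.1, the following Go program carries the lending arithmetic through in code. It is an added example and is not part of this manual or of WiNG: the Controller type, the Allocate function and the pool-exhaustion behaviour (sites are served in the order listed until the NOC has nothing left to lend, and the shortfall is reported) are this example's own assumptions; the manual itself only states the lent, borrowed and total figures for the N1/S1/S2 case, which the program reproduces.

```go
package main

import "fmt"

// Controller holds the Device column of the AP Licenses table for one
// controller. The type and its fields are constructed for this example;
// they are not WiNG identifiers.
type Controller struct {
	Name      string
	Installed int // AP Licenses: licenses installed on this controller
	Adoptions int // AP Adoptions: APs adopted here, or seeking adoption
	Lent      int // AP Lent Licenses: non-zero only on the NOC controller
	Borrowed  int // AP Borrowed Licenses: non-zero only on site controllers
}

// Total reproduces the AP Total Licenses column: installed licenses minus
// what a NOC has lent, plus what a site controller has borrowed.
func (c Controller) Total() int { return c.Installed - c.Lent + c.Borrowed }

// Unadoptable counts the APs that cannot adopt on this controller because
// its total licenses do not cover its adoption demand.
func (c Controller) Unadoptable() int {
	if short := c.Adoptions - c.Total(); short > 0 {
		return short
	}
	return 0
}

// Allocate lends NOC licenses to each site controller whose adoption demand
// exceeds its installed count, in the order the sites are listed, and stops
// lending once the NOC pool is exhausted. It returns the updated NOC, the
// updated sites, and the names of sites whose demand was not fully met.
// Assumption (not stated in the manual): the NOC may lend every installed
// license it is not already lending; its own AP adoptions are not modelled.
func Allocate(noc Controller, sites []Controller) (Controller, []Controller, []string) {
	noc.Lent, noc.Borrowed = 0, 0
	noc.Adoptions = len(sites) // the site controllers adopt to the NOC, as in the manual's example
	updated := make([]Controller, len(sites))
	var unmet []string
	for i, site := range sites {
		site.Lent, site.Borrowed = 0, 0
		if need := site.Adoptions - site.Installed; need > 0 {
			available := noc.Installed - noc.Lent
			if need > available {
				unmet = append(unmet, site.Name)
				need = available
			}
			site.Borrowed = need
			noc.Lent += need
		}
		updated[i] = site
	}
	return noc, updated, unmet
}

func main() {
	// The manual's own case: N1 holds 1024 licenses; S1 has 3 installed and 8
	// APs seeking adoption, S2 has 4 installed and 10 APs seeking adoption.
	n1, sites, unmet := Allocate(Controller{Name: "N1", Installed: 1024}, []Controller{
		{Name: "S1", Installed: 3, Adoptions: 8},
		{Name: "S2", Installed: 4, Adoptions: 10},
	})
	fmt.Printf("%s: adoptions=%d licenses=%d lent=%d total=%d\n", n1.Name, n1.Adoptions, n1.Installed, n1.Lent, n1.Total())
	for _, s := range sites {
		fmt.Printf("%s: adoptions=%d licenses=%d borrowed=%d total=%d unadoptable=%d\n",
			s.Name, s.Adoptions, s.Installed, s.Borrowed, s.Total(), s.Unadoptable())
	}
	if len(unmet) > 0 {
		fmt.Println("NOC pool exhausted before serving:", unmet)
	}
}
```

Running it with the manual's figures prints N1 with 11 lent and 1013 total, S1 with 5 borrowed and 8 total, and S2 with 6 borrowed and 10 total. Re-running with a NOC that holds only 8 licenses shows the situation the manual does not spell out: S1 is served in full, S2 receives the remaining 3, and its Unadoptable count of 3 is the number of APs that will sit unadopted until more licenses are installed.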
SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a username/password. One key is private and the other is public. Secure Shell (SSH) public key authentication can be used by a requesting client to access resources, if properly configured. A RSA key pair must be generated on the client. The public portion of the key pair resides with the controller or service platform, while the private portion remains in a secure local area of the client.

To configure certificate usage:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select Certificates from the Device menu.
4 Set the following Management Security certificate configurations:
Figure 5-5 Device Certificates screen

- SSH RSA Key: Either use the default_rsa_key or select the Stored radio button to enable a drop-down menu where an existing certificate can be used. To leverage an existing key, select the Launch Manager button. For more information, see RSA Key Management on page 5-21.

NOTE: Pending trustpoints and RSA keys are typically not verified as existing on a device.

5 Set the following RADIUS Security certificate configurations:
- RADIUS Certificate Authority: Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate can be leveraged. To leverage an existing certificate, select the Launch Manager button.
- RADIUS Server Certificate: Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be used. To leverage an existing trustpoint, select the Launch Manager button.
- RADIUS Certificate Authority LDAPS: Either use the LDAP server default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate can be leveraged. To leverage an existing certificate, select the Launch Manager button.
- Radius Server LDAPS Trustpoint: Either use the LDAP server default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be used. To leverage an existing trustpoint, select the Launch Manager button.

6 Refer to the CMP Certificate field to optionally use Certificate Management Protocol (CMP) as an Internet protocol to obtain and manage digital certificates in a Public Key Infrastructure (PKI) network. A Certificate Authority (CA) issues the certificates using the defined CMP. Using CMP, a device can communicate with a CMP supported CA server, initiate a certificate request and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP supported CA server. The device can initiate a request to get the certificates from the server. It can also auto update the certificates which are about to expire. Either use the server default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be selected. To leverage an existing trustpoint, select the Launch Manager button.
7 Select OK to save the changes made to the certificate configurations. Selecting Reset reverts the screen to its last saved configuration.

For more information on the certification activities supported, refer to the following:
- Certificate Management
- RSA Key Management
- Certificate Creation
- Generating a Certificate Signing Request

5.2.2.1 Certificate Management

A stored certificate can be leveraged from a different managed device if not wanting to use an existing certificate or key. Device certificates can be imported and exported to and from the controller or service platform to a secure remote location for archive and retrieval as required for other managed devices.

To configure trustpoints for use with certificates:
1 Select Launch Manager from either the HTTPS Trustpoint, SSH RSA Key, RADIUS Certificate Authority or RADIUS Server Certificate parameters. The Certificate Management screen displays with the Manage Certificates tab displayed by default.

Figure 5-6 Certificate Management - Manage Certificates screen

2 Select a device from amongst those displayed to review its certificate information.
3 Refer to the All Certificates Details to review the certificate's properties, self-signed credentials, validity duration and CA information.
4 To optionally import a certificate, select the Import button from the Certificate Management screen.
5 Define the following configuration parameters required for the Import of the trustpoint.

Figure 5-7 Certificate Management - Import New Trustpoint screen

- Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
- URL: Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the target trustpoint. The number of additional fields that populate the screen is also dependent on the selected protocol.
- Protocol: Select the protocol used for importing the target trustpoint. Available options include:
  - tftp
  - ftp
  - sftp
  - http
  - cf
  - usb1-4
- Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
- Host: Provide the hostname string or numeric IP address of the server used to import the trustpoint. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
- Path/File: Specify the path to the trustpoint file. Enter the complete relative path to the file on the server.

6 Select OK to import the defined trustpoint. Select Cancel to revert the screen to its last saved configuration.
7 To optionally import a CA certificate, select the Import CA button from the Certificate Management screen. A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.

Figure 5-8 Certificate Management - Import CA Certificate screen

8 Define the following configuration parameters required for the Import of the CA certificate:
Device Configuration Trustpoint Name URL Advanced / Basic Protocol Port Host Path/File Cut and Paste Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information to the location of the target trustpoint. The number of additional fields populating the screen is dependent on the selected protocol. Click the Advanced or Basic link to switch between a basic URL and an advanced location to specify trustpoint location. Select the protocol used for importing the target CA certificate. Available options include:
tftp ftp sftp http cf usb1-4 Use the spinner control to set the port. This option is not valid for cf and usb1-4. Provide the hostname string or numeric IP address of the server used to import the CA. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Specify the path to the CA file. Enter the complete relative path to the file on the server. Select the Cut and Paste radio button to simply copy an existing CA into the cut and paste field. When pasting, no additional network address information is required. 9 Select OK to import the defined CA certificate. Select Cancel to revert the screen to its last saved configuration. 10 Select the Import CRL button from the Certificate Management screen to optionally import a CRL to a controller or service platform. If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported. A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the CA had improperly issued a certificate, or if a private-key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key. For information on creating a CRL to use with a trustpoint, refer to Setting the Profiles Certificate Revocation List (CRL) Configuration on page 8-166. 
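The location fields in steps 5 and 8 above, which the CRL, signed certificate, export and RSA key screens that follow repeat, carry the same stated constraints: a trustpoint name of at most 32 characters, a protocol from tftp, ftp, sftp, http, cf and usb1-4, a port and host that only apply to the network protocols, a hostname without underscores or an IPv4/IPv6 literal, and a path. The Go program below is an added example, not code from the guide or from the controller, that checks a set of such fields before they are typed into the screen. The ImportLocation type, the 1-65535 port range and the hostname label rules beyond the underscore restriction are this example's own assumptions, and the sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
	"unicode/utf8"
)

// ImportLocation holds the fields the import and export screens ask for. The
// type and its checks are this example's own, not a WiNG data structure.
type ImportLocation struct {
	TrustpointName string
	Protocol       string // tftp, ftp, sftp, http, cf, usb1 ... usb4
	Port           int    // not valid for cf and usb1-4
	Host           string // hostname, IPv4 or IPv6 literal; not valid for cf and usb1-4
	Path           string // relative path to the file on the server
}

var (
	networkProtocols = map[string]bool{"tftp": true, "ftp": true, "sftp": true, "http": true}
	localProtocols   = map[string]bool{"cf": true, "usb1": true, "usb2": true, "usb3": true, "usb4": true}
)

// hostKind classifies the Host field as "ipv4", "ipv6" or "hostname". The guide
// only forbids underscores in hostnames; the other label rules applied here
// (letters, digits and hyphens, no empty or hyphen-edged labels) are an assumption.
func hostKind(host string) (string, error) {
	if host == "" {
		return "", errors.New("host is required for network protocols")
	}
	if ip := net.ParseIP(host); ip != nil {
		if ip.To4() != nil {
			return "ipv4", nil
		}
		return "ipv6", nil
	}
	if strings.Contains(host, "_") {
		return "", fmt.Errorf("hostname %q contains an underscore", host)
	}
	for _, label := range strings.Split(host, ".") {
		if label == "" || len(label) > 63 || label[0] == '-' || label[len(label)-1] == '-' {
			return "", fmt.Errorf("hostname %q has an invalid label %q", host, label)
		}
		for _, r := range label {
			if !(r >= 'a' && r <= 'z' || r >= 'A' && r <= 'Z' || r >= '0' && r <= '9' || r == '-') {
				return "", fmt.Errorf("hostname %q contains %q", host, r)
			}
		}
	}
	return "hostname", nil
}

// Validate returns every problem found so they can all be reported at once;
// an empty result means the fields can be entered as they are.
func (l ImportLocation) Validate() []error {
	var errs []error
	if n := utf8.RuneCountInString(l.TrustpointName); n == 0 || n > 32 {
		errs = append(errs, fmt.Errorf("trustpoint name must be 1-32 characters, got %d", n))
	}
	switch {
	case networkProtocols[l.Protocol]:
		if l.Port < 1 || l.Port > 65535 { // TCP/UDP port range; the guide states no limits
			errs = append(errs, fmt.Errorf("port %d is out of range for %s", l.Port, l.Protocol))
		}
		if _, err := hostKind(l.Host); err != nil {
			errs = append(errs, err)
		}
	case localProtocols[l.Protocol]:
		// cf and usb1-4 read local media: the port and host fields do not apply
	default:
		errs = append(errs, fmt.Errorf("protocol %q is not one of tftp, ftp, sftp, http, cf, usb1-4", l.Protocol))
	}
	if l.Path == "" {
		errs = append(errs, errors.New("path/file is required"))
	}
	return errs
}

func main() {
	// Constructed inputs: one valid SFTP location and one with two mistakes.
	for _, loc := range []ImportLocation{
		{TrustpointName: "radius-ca", Protocol: "sftp", Port: 22, Host: "files.example.com", Path: "certs/ca.pem"},
		{TrustpointName: "radius-ca", Protocol: "ftp", Port: 21, Host: "file_server", Path: ""},
	} {
		fmt.Printf("%s via %s: %d problem(s) %v\n", loc.TrustpointName, loc.Protocol, len(loc.Validate()), loc.Validate())
	}
}
```

With go run, the first constructed location passes and the second reports two problems (the underscore in the hostname and the missing path). For cf and usb1-4 the port and host are skipped entirely, matching the screens' "not valid for cf and usb1-4" note.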
Figure 5-9 Certificate Management - Import CRL screen

11 Define the following configuration parameters required for the import of the CRL:

Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
From Network: Select the From Network radio button to provide network address information for the location of the target CRL. The number of additional fields that populate the screen also depends on the selected protocol. This is the default setting.
URL: Provide the complete URL to the location of the CRL. If needed, select Advanced to expand the dialog to display network address information for the location of the CRL. The number of additional fields that populate the screen also depends on the selected protocol.
Protocol: Select the protocol used for importing the CRL. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname string or numeric IP address of the server used to import the CRL. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Path/File: Specify the path to the CRL file. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing CRL into the cut and paste field. When pasting, no additional network address information is required.

12 Select OK to import the CRL. Select Cancel to revert the screen to its last saved configuration.
13 To import a signed certificate, select the Import Signed Cert button from the Certificate Management screen. Signed certificates (or root certificates) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, thus the certificate creator also signs off on its legitimacy. The lack of mistakes or corruption in the issuance of self-signed certificates is central. Self-signed certificates cannot be revoked, which may allow an attacker who has already gained access to monitor and inject data into a connection to spoof an identity if a private key has been compromised. However, CAs have the ability to revoke a compromised certificate, preventing its further use.
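Steps 10 and 13 contrast certificates a CA issues, which the CA can later revoke through a CRL, with self-signed certificates, which no one can revoke. The Go program below is an added example, not code from the guide or from the controller, that builds those objects with the standard crypto/x509 package: a self-signed root, a CSR carrying the Certificate Subject Name and Additional Credentials fields that the Create Certificate and Create CSR screens in 5.2.2.3 and 5.2.2.4 ask for, a certificate the root issues from that CSR, a CRL that revokes it, and the relying party's check against that CRL. Every name, address and subject value is constructed for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// subjectName fills the Certificate Subject Name fields (C, ST, L, O, OU, CN) with constructed values.
func subjectName(cn string) pkix.Name {
	return pkix.Name{
		Country: []string{"US"}, Province: []string{"California"}, Locality: []string{"San Jose"},
		Organization: []string{"Example Corp"}, OrganizationalUnit: []string{"Wireless"}, CommonName: cn,
	}
}

// NewCSR signs a PKCS#10 request with the requester's own private key and carries the
// Additional Credentials (email, FQDN, IP address) as subject alternative names.
func NewCSR(key *rsa.PrivateKey, cn, email, fqdn string, ip net.IP) (*x509.CertificateRequest, error) {
	tmpl := &x509.CertificateRequest{Subject: subjectName(cn), EmailAddresses: []string{email},
		DNSNames: []string{fqdn}, IPAddresses: []net.IP{ip}}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

// NewSelfSigned produces a root certificate whose issuer is its own subject. Only its
// creator vouches for it, and there is no CA that could later revoke it.
func NewSelfSigned(key *rsa.PrivateKey, cn string, serial int64) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: subjectName(cn),
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueFromCSR is the CA side: verify the request's self-signature (proof that the
// requester holds the private key), copy it into a leaf certificate and sign that with the CA key.
func IssueFromCSR(csr *x509.CertificateRequest, ca *x509.Certificate, caKey *rsa.PrivateKey, serial int64) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: csr.Subject,
		DNSNames: csr.DNSNames, EmailAddresses: csr.EmailAddresses, IPAddresses: csr.IPAddresses,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewCRL publishes the CA-signed list of revoked serial numbers, DER encoded.
func NewCRL(ca *x509.Certificate, caKey *rsa.PrivateKey, revoked *x509.Certificate) ([]byte, error) {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}}}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// IsRevoked is the relying-party check: trust the CRL only if the issuing CA signed it,
// then look the certificate's serial number up in it.
func IsRevoked(crlDER []byte, ca, cert *x509.Certificate) (bool, error) {
	crl, err := x509.ParseRevocationList(crlDER)
	if err == nil {
		err = crl.CheckSignatureFrom(ca) // a CRL from anyone else says nothing about this CA's certs
	}
	if err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits is the Key Size default on the screen
	leafKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ca, _ := NewSelfSigned(caKey, "lab-root", 1)
	csr, _ := NewCSR(leafKey, "radius.example.com", "admin@example.com", "radius.example.com", net.ParseIP("192.0.2.10"))
	leaf, _ := IssueFromCSR(csr, ca, caKey, 2)
	crl, _ := NewCRL(ca, caKey, leaf)
	revoked, _ := IsRevoked(crl, ca, leaf)
	fmt.Println("serial", leaf.SerialNumber, "revoked:", revoked) // prints "serial 2 revoked: true"
}
```

The relying-party check refuses a CRL that the issuing CA did not sign before consulting it, so a list published by anyone else cannot un-revoke or revoke anything. A self-signed certificate has no issuer other than itself, so there is no CRL that could retire it once its private key leaks, which is the limitation step 13 describes.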
Figure 5-10 Certificate Management - Import Signed Cert screen

14 Define the following parameters required for the import of the CA certificate:

Certificate Name: Enter the 32 character maximum trustpoint name with which the certificate should be associated.
From Network: Select the From Network radio button to provide network address information for the location of the signed certificate. The number of additional fields that populate the screen depends on the selected protocol. From Network is the default setting.
URL: Provide the complete URL to the location of the signed certificate. If needed, select Advanced to expand the dialog to display network address information for the location of the signed certificate. The number of additional fields populating the screen depends on the selected protocol.
Protocol: Select the protocol for importing the signed certificate. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname string or numeric IP address of the server used to import the signed certificate. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Path/File: Specify the path to the signed certificate file. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing certificate into the cut and paste field. When pasting, no additional network address information is required.

15 Select OK to import the signed certificate. Select Cancel to revert the screen to its last saved configuration.
16 To optionally export a trustpoint to a remote location, select the Export button from the Certificate Management screen. Once a certificate has been generated on the controller or service platform's authentication server, export the self-signed certificate. A digital CA certificate is different from a self-signed certificate. The CA certificate contains the public and private key pairs. The self certificate only contains a public key. Export the self certificate for publication on a Web server or file server for certificate deployment, or export it into an Active Directory group policy for automatic root certificate deployment.
17 Additionally, export the key to a redundant RADIUS server so it can be imported without generating a second key. If there's more than one RADIUS authentication server, export the certificate and don't generate a second key unless you want to deploy two root certificates.
18 Define the following configuration parameters required for the export of the trustpoint.

Figure 5-11 Certificate Management - Export Trustpoint screen

Trustpoint Name: Enter the 32 character maximum name assigned to the trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual.
URL: Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information for the location of the trustpoint. The number of additional fields that populate the screen depends on the selected protocol.
Protocol: Select the protocol used for exporting the target trustpoint. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname string or numeric IP address of the server used to export the trustpoint. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Path/File: Specify the path to the signed trustpoint file. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing trustpoint into the cut and paste field. When pasting, no additional network address information is required.

19 Select OK to export the defined trustpoint. Select Cancel to revert the screen to its last saved configuration.
20 To optionally delete a trustpoint, select the Delete button from within the Certificate Management screen. Provide the trustpoint name within the Delete Trustpoint screen and optionally select Delete RSA Key to remove the RSA key along with the trustpoint. Select OK to proceed with the deletion, or Cancel to revert to the Certificate Management screen.

5.2.2.2 RSA Key Management

Refer to the RSA Keys screen to review existing RSA key configurations that have been applied to managed devices. If an existing key does not meet the needs of a pending certificate request, generate a new key or import/export an existing key to and from a remote location.

Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It's an algorithm that can be used for certificate signing and encryption. When a device trustpoint is created, the RSA key is the private key used with the trustpoint.

To review existing device RSA key configurations, generate additional keys or import/export keys to and from remote locations:
1 Select the Launch Manager button from either the SSH RSA Key, RADIUS Certificate Authority or RADIUS Server Certificate parameters (within the Certificate Management screen).
2 Select RSA Keys from the Certificate Management screen.

Figure 5-12 Certificate Management - RSA Keys screen

3 Select a listed device to review its current RSA key configuration. Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key to a remote location or delete a key from a selected device.
4 Select Generate Key to create a new key with a defined size.
5 Define the following configuration parameters required for the import of the key:

Figure 5-13 Certificate Management - Generate RSA Keys screen

Key Name: Enter the 32 character maximum name assigned to the RSA key.
Key Size: Set the size of the key as either 2048 (bits) or 4096 (bits). Leaving this value at the default setting of 2048 is recommended to ensure optimum functionality.

6 Select OK to generate the RSA key. Select Cancel to revert the screen to its last saved configuration.
7 To optionally import a CA certificate, select the Import button from the Certificate Management > RSA Keys screen.
8 Define the following parameters required for the import of the RSA key:

Figure 5-14 Certificate Management - Import New RSA Key screen

Key Name: Enter the 32 character maximum name assigned to identify the RSA key.
Key Passphrase: Define the key used by both the controller or service platform and the server (or repository) of the target RSA key. Select Show to expose the actual characters used in the passphrase. Leaving Show unselected displays the passphrase as a series of asterisks (*).
URL: Provide the complete URL to the location of the RSA key. If needed, select Advanced to expand the dialog to display network address information for the location of the target key. The number of additional fields that populate the screen depends on the selected protocol.
Advanced or Basic: Select either the Advanced or Basic link to switch between a basic URL and an advanced location to specify the key location.
Protocol: Select the protocol used for importing the target key. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide a text string hostname or numeric IP address of the server used to import the RSA key. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Path/File: Specify the path to the RSA key. Enter the complete relative path to the key on the server.

9 Select OK to import the defined RSA key. Select Cancel to revert the screen to its last saved configuration.
10 To optionally export an RSA key to a remote location, select the Export button from the Certificate Management > RSA Keys screen. Export the key to a redundant RADIUS server to import it without generating a second key. If there's more than one RADIUS authentication server, export the certificate and don't generate a second key unless you want to deploy two root certificates.
11 Define the following configuration parameters required for the export of the RSA key.

Figure 5-15 Certificate Management - Export RSA Key screen

Key Name: Enter the 32 character maximum name assigned to the RSA key.
Key Passphrase: Define the key passphrase used by both the controller or service platform and the server. Select Show to expose the actual characters used in the passphrase. Leaving Show unselected displays the passphrase as a series of asterisks (*).
URL: Provide the complete URL to the location of the key. If needed, select Advanced to expand the dialog to display network address information for the location of the target key. The number of additional fields that populate the screen depends on the selected protocol.
Protocol: Select the protocol used for exporting the RSA key. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide a text string hostname or numeric IP address of the server used to export the RSA key. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Path / File: Specify the path to the key. Enter the complete relative path to the key on the server.

12 Select OK to export the defined RSA key. Select Cancel to revert the screen to its last saved configuration.
13 To optionally delete a key, select the Delete button from within the Certificate Management > RSA Keys screen. Provide the key name within the Delete RSA Key screen and select Delete Certificates to remove the certificate. Select OK to proceed with the deletion, or Cancel to revert back to the Certificate Management screen.

5.2.2.3 Certificate Creation

The Certificate Management screen provides the facility for creating new self-signed certificates. Self-signed certificates (often referred to as root certificates) do not use public or private CAs. A self-signed certificate is a certificate signed by its own creator, with the certificate creator responsible for its legitimacy.

To create a self-signed certificate that can be applied to a managed device:
1 Select the Launch Manager button from either the SSH RSA Key, RADIUS Certificate Authority or RADIUS Server Certificate parameters (within the Certificate Management screen).
2 Select Create Certificate from the upper, left-hand side of the Certificate Management screen.
3 Define the following configuration parameters required to Create New Self-Signed Certificate:

Figure 5-16 Certificate Management - Create Certificate screen

Certificate Name: Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
RSA Key: Select a radio button and use the drop-down menu to set the key used by both the controller or service platform and the server (or repository) of the target RSA key. Optionally select Create New and enter a 32 character name used to identify the RSA key. Set the size of the key to either 2,048 or 4,096 bits. Leaving this value at the default setting of 2,048 is recommended to ensure optimum functionality.

4 Set the following Certificate Subject Name parameters required for the creation of the certificate:

Certificate Subject Name: Select either auto-generate to automatically create the certificate's subject credentials or user-configurable to manually enter the credentials of the self-signed certificate. The default setting is auto-generate.
Country (C): Define the Country used in the certificate. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters.
State (ST): Enter a State/Prov. for the state or province name used in the certificate. This is a required field.
City (L): Enter a City to represent the city used in the certificate. This is a required field.
Organization (O): Define an Organization for the organization represented in the certificate. This is a required field.
Organizational Unit (OU): Enter an Org. Unit for the organization unit represented in the certificate. This is a required field.
Common Name (CN): If there's a common name (IP address) for the organizational unit issuing the certificate, enter it here.

5 Select the following Additional Credentials required for the generation of the self-signed certificate:

Email Address: Provide an Email Address used as the contact address for issues relating to this certificate request.
Domain Name: Enter a fully qualified domain name (FQDN). An FQDN is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com. An FQDN differs from a regular domain name by its absoluteness, since a suffix is not added.
IP Address: Specify the IP address used as the destination for certificate requests. Only IPv4 formatted IP addresses are permitted, not IPv6 formatted addresses.

6 Select the Generate Certificate button at the bottom of the Certificate Management > Create Certificate screen to produce the certificate.

5.2.2.4 Generating a Certificate Signing Request

A certificate signing request (CSR) is a request to a certificate authority to apply for a digital identity certificate. The CSR is a block of encrypted text generated on the server the certificate is used on. It contains the organization name, common name (domain name), locality and country. An RSA key must be either created or applied to the certificate request before the certificate can be generated. A private key is not included in the CSR, but is used to digitally sign the completed request. The certificate created with a particular CSR only works with the private key generated with it. If the private key is lost, the certificate is no longer functional. The CSR can be accompanied by other identity credentials required by the certificate authority, and the certificate authority maintains the right to contact the applicant for additional information. If the request is successful, the CA sends an identity certificate digitally signed with the private key of the CA.

To create a CSR:
1 Select the Launch Manager button from either the SSH RSA Key, RADIUS Certificate Authority or RADIUS Server Certificate parameters (within the Certificate Management screen).
2 Select Create CSR from the upper, left-hand side of the Certificate Management screen.
3 Define the following configuration parameters required to Create New Certificate Signing Request (CSR):

Figure 5-17 Certificate Management - Create CSR screen

RSA Key: Select a radio button and use the drop-down menu to set the key used by both the controller or service platform and the server (or repository) of the target RSA key. Optionally select Create New to use a new RSA key and provide a 32 character name used to identify the RSA key. Set the size of the key to either 2,048 or 4,096 bits. Leaving this value at the default setting of 2,048 is recommended to ensure optimum functionality.

4 Set the following Certificate Subject Name parameters required for the creation of the certificate:

Certificate Subject Name: Select either the auto-generate radio button to automatically create the certificate's subject credentials or user-configurable to manually enter the credentials of the self-signed certificate. The default setting is auto-generate.
Country (C): Define the Country used in the CSR. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters.
State (ST): Enter a State/Prov. for the state or province name represented in the CSR. This is a required field.
City (L): Enter a City represented in the CSR. This is a required field.
Organization (O): Define the Organization represented in the CSR. This is a required field.
Organizational Unit (OU): Enter the Org. Unit represented in the CSR. This is a required field.
Common Name (CN): If there's a common name (IP address) for the organizational unit issuing the certificate, enter it here.

5 Select the following Additional Credentials required for the generation of the CSR:

Email Address: Provide an email address used as the contact address for issues relating to this CSR.
Domain Name: Enter a fully qualified domain name (FQDN). An FQDN is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com. An FQDN differs from a regular domain name by its absoluteness, since a suffix is not added.
IP Address: Specify the IP address used as the destination for certificate requests. Only IPv4 formatted IP addresses are permitted, not IPv6 formatted addresses.

6 Select the Generate CSR button to produce the CSR.

5.2.3 Port Mirroring (NX4524 and NX6524 Service Platforms only)

NX4524 and NX6524 model service platforms have the ability to mirror data packets transmitted or received on any of their GE ports (GE port 1 - 24). Both transmit and receive packets can be mirrored from a source to a destination port as needed to provide traditional spanning functionality on the 24 GE ports.

NOTE: Port mirroring is not supported on NX4500 or NX6500 models, as they only utilize GE ports 1 - 2. Additionally, port mirroring is not supported on uplink (up) ports or wired ports on any controller or service platform model.

To set an NX4524 or NX6524 service platform port mirror configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
4 Select Mirroring from the Device menu options.
5 Set the following Port Mirroring values to define the ports and directions data is spanned on the NX4524 or NX6524 model service platform:

Figure 5-18 Port Mirroring screen

Source: Select the GE port (1 - 24) used as the data source to span packets to the selected destination port. The packets spanned from the selected source to the destination depend on whether Inbound, Outbound or Any is selected as the direction. A source port cannot be a destination port.
Destination: Select the GE port (1 - 24) used as the port destination to span packets from the selected source. The destination port serves as a duplicate image of the source port and can be used to send packets to a network diagnostic tool without disrupting the behavior on the original port. The destination port transmits only mirrored traffic and does not forward received traffic. Additionally, address learning is disabled on the destination port.
Direction: Define the direction data packets are spanned from the selected source to the defined destination. Packets spanned from the source to the destination depend on whether Inbound (received packets only), Outbound (transmitted packets only) or Any (packets in either direction) is selected.

6 Select + Add Row to add different sources, destinations and directions for additional GE port spanning configurations.
7 Select OK to save the changes made to the NX4524 or NX6524 port mirroring configuration. Selecting Reset reverts the screen to its last saved configuration.

5.2.4 Wired 802.1x Configuration

802.1X is an IEEE standard for media-level (Layer 2) access control, providing the capability to permit or deny connectivity based on user or device identity. 802.1X allows port based access using authentication. An 802.1X enabled port can be dynamically enabled or disabled depending on user identity or device connection.

Before authentication, the endpoint is unknown, and traffic is blocked. Upon authentication, the endpoint is known and traffic is allowed.
The controller or service platform uses source MAC filtering to ensure only the authenticated endpoint is allowed to send traffic.

To configure a device's wired 802.1x configuration:

1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
4 Select Wired 802.1x from the Device menu options.
5 Review the Wired 802.1x Settings area to configure the following parameters:

Figure 5-19 Device Wired 802.1x screen

Dot1x Authentication Control: Select this option to globally enable 802.1x authentication. 802.1x authentication is disabled by default.
Dot1x AAA Policy: Use the drop-down menu to select a AAA policy to associate with wired 802.1x traffic. If a suitable AAA policy does not exist, select the Create icon to create a new policy or the Edit icon to modify an existing policy.
Dot1x Guest VLAN Control: Select this option to globally enable the use of 802.1x guest VLANs.
Dot1x Hold Time: Set a hold time value (after the last hello packet) in either Seconds (0 - 600) or Minutes (0 - 10). When exceeded, the controller's 802.1X enabled port and its destination end-point connection is defined as lost and the connection must be re-established.
MAC Authentication AAA Policy: Use the drop-down menu to select an AAA authentication policy for MAC address authentication. If a suitable MAC AAA policy does not exist, click the Create icon to create a new policy or the Edit icon to modify an existing policy.

6 Select OK to save the changes made to the 802.1x configurations. Selecting Reset reverts the screen to its last saved configuration.

5.2.5 RF Domain Overrides

Use RF Domain Overrides to define configurations overriding the configuration set by the target device's original RF Domain assignment. RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area (floor, building or site). In such instances, there are many configuration attributes these devices share, since their general client support roles are quite similar. However, device configurations may need periodic refinement from their original RF Domain administered design. A controller or service platform configuration contains (at a minimum) one default RF Domain, but can optionally use additional user defined RF Domains:
Default RF Domain - Automatically assigned to each controller, service platform and associated Access Points by default. A default RF Domain is unique to a specific model. User Defined RF Domains - Created by administrators and manually assigned to individual controllers, service platforms or Access Points, but can be automatically assigned to Access Points using adoption policies. Each controller, service platform and Access Point is assigned one RF Domain at a time. However, a user defined RF Domain can be assigned to multiple devices as required. User defined RF Domains can be manually assigned or automatically assigned to Access Points using an auto provisioning policy. The more devices assigned a single RF Domain, the greater the likelihood one of the devices configurations will require an override deviating that devices configuration from the original RF Domain assignment shared by the others. To review the RF Domains original configuration requirements and the options available for a target device, refer to Managing RF Domains on page 9-2. To define a devices RF Domain override configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
4 Expand the RF Domain Overrides menu option to display its sub-menu options.
5 Select RF Domain.

Figure 5-20 RF Domain Overrides - Basic Configuration screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Refer to the Basic Configuration field to review the basic settings defined for the target device's RF Domain configuration, and optionally assign/remove overrides to and from specific parameters.

Location - Provide the 64 character maximum deployment location set for the controller or service platform as part of its RF Domain configuration.
Contact - Enter the 64 character maximum administrative contact for the controller or service platform as part of its RF Domain configuration.
Time Zone - Set the time zone utilized by the selected device as part of its RF Domain configuration.
Country Code - Set the country code utilized by the device as part of its RF Domain configuration. Selecting the correct country is central to legal operation. Each country has its own regulatory restrictions concerning electromagnetic emissions and the maximum RF signal strength that can be transmitted.
7 Refer to the Smart RF section to configure Smart RF policy and dynamic channel settings.

2.4 GHz Radios - Select an override group of channels Smart RF can use for channel compensation adjustments in the 2.4 GHz band.
5 GHz Radios - Select an override group of channels Smart RF can use for channel compensation adjustments in the 5 GHz band.

8 Refer to the Smart Scan section to configure Smart RF policy and dynamic channel settings.

Enable Dynamic Channel - Select this option to enable dynamic channel switching for Smart RF radios.
2.4 GHz Channels - Select legal channels (device radios transmit in specific channels unique to their country of operation) from the drop-down menu for 2.4 GHz Smart RF radios.
5 GHz Channels - Select legal channels (device radios transmit in specific channels unique to their country of operation) from the drop-down menu for 5 GHz Smart RF radios.

9 Use the WIPS Policy drop-down menu to apply a WIPS policy to the RF Domain. The Wireless Intrusion Protection System (WIPS) provides continuous protection against wireless threats and acts as an additional layer of security complementing wireless VPNs and encryption and authentication policies. Controllers and service platforms support WIPS through the use of dedicated sensor devices, designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block devices using manual termination, air lockdown or port suppression. Select the Create icon to define a new WIPS policy that can be applied to the RF Domain, or select the Edit icon to modify or override an existing WIPS policy. For an overview of WIPS and instructions on how to create a WIPS policy that can be used with an RF Domain, see Intrusion Prevention on page 10-51.
10 Use the Licenses drop-down menu to obtain and leverage feature licenses from RF Domain member devices.
11 Select OK to save the changes and overrides made to the RF Domain configuration. Selecting Reset reverts the screen to its last saved configuration.
12 Select Sensor from within the expanded RF Domain Overrides menu to define ADSP server credentials for WiNG controller or service platform data exchanges. Controllers and service platforms support dedicated sensor devices, designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block devices using manual termination, air lockdown or port suppression.

Figure 5-21 RF Domain - Sensor screen

13 Select the + Add Row button to populate the Server Appliance Configuration field with up to three rows for ADSP server credentials:
Server Id - Use the spinner control to assign a numerical ID for up to three WIPS server resources. The server with the lowest defined ID is the first reached by the controller or service platform. The default ID is 1.
IP Address/Hostname - Provide the numerical (non DNS) IP address or hostname of each server used as a WIPS sensor server by RF Domain member devices. A hostname cannot exceed 64 characters or contain an underscore.
Port - Use the spinner control to specify the port of each WIPS sensor server utilized by RF Domain member devices. The default port is 443.

14 Select OK to save the changes to the ADSP appliance sensor configuration, or select Reset to revert to the last saved configuration.
15 Select Client Name from within the expanded RF Domain Overrides menu:
Figure 5-22 Client Name screen

16 Click + Add Row to add client name information to the table.

MAC Address - Enter the MAC address of the device assigned a client name for controller, service platform or Access Point management.
Name - Enter the name assigned to this client.

17 Select OK to save the changes and overrides made to the Client Name Configuration. Selecting Reset reverts the screen to its last saved configuration.
18 Select WLAN Override from within the expanded RF Domain Overrides menu.

NOTE: The WLAN Override option does not appear as a sub-menu option under RF Domain Overrides for either controllers or service platforms, just Access Points.

The WLAN Override screen displays with the Override SSID tab displayed by default.

Figure 5-23 WLAN Override screen - Override SSID tab

19 Optionally define up to 3 overrides for the listed WLAN SSID assignment:
WLAN - Optionally use the drop-down menu to change the WLAN assignment for the listed Access Point. Select either the Create icon to define a new WLAN configuration, or select the Edit icon to modify an existing WLAN configuration.
SSID - Optionally change the SSID associated with the WLAN. The WLAN name is auto-generated using the SSID until changed (overridden). The maximum number of characters used for the SSID is 32.

20 Select the Add Row button as needed to add additional WLAN SSID overrides.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

21 Select OK to save the changes and overrides. Selecting Reset reverts the screen to its last saved configuration.
22 Select the Override VLAN tab to review any VLAN assignment overrides that may have been applied, or optionally add or edit override configurations.

Figure 5-24 WLAN Override screen - Override VLAN tab

The Override VLAN tab displays VLANs assigned to the Access Point's WLAN. Select Add to create a new client limit for a specific WLAN and VLAN, or Edit to modify an existing configuration.

23 Optionally define a VLAN's wireless client limit override configuration.

VLANs - Use the spinner control to set a virtual interface ID (1 - 4094).
Wireless Client Limit - Use the spinner control to set the number of users permitted on the VLAN. Set the value to 0 to have an unlimited number of users.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

24 Select OK to save the changes and overrides.
Selecting Reset reverts the screen to its last saved configuration.

5.2.6 Profile Overrides

Profiles enable administrators to assign a common set of parameters and policies to controllers, service platforms and Access Points. Profiles can be used to assign shared or unique network, wireless and security parameters to wireless controllers and Access Points across a large, multi-segment site. The configuration parameters within a profile are based on the hardware model the profile was created to support. Controllers and service platforms support both default and user defined profiles implementing new features or updating existing parameters to groups of devices. The central benefit of a profile is its ability to update devices collectively without having to modify individual device configurations. Power and Adoption overrides apply specifically to Access Points, while Cluster configuration overrides apply only to controller or service platform configurations.

However, device profile configurations may need periodic refinement from their original administered design. Consequently, a device profile could require modification from a profile configuration shared amongst numerous devices deployed within a particular site. Use Profile Overrides to define configurations overriding the parameters set by the target device's original profile assignment. To review a profile's original configuration requirements and the options available for a target device, refer to General Profile Configuration on page 8-5.

To define a device's general profile override configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
4 Select Profile Overrides from the Device menu to expand it into sub-menu options.
5 Select General if it doesn't display by default.

Figure 5-25 Profile Overrides - General screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Select the IP Routing option (within the Settings field) to enable routing for the device.
7 Set a NoC Update Interval of 0, or from 5 - 3600 seconds, for updates from the RF Domain manager to the controller or service platform.
8 Select + Add Row below the Network Time Protocol (NTP) table to launch a screen used to define (or override) the configurations of the NTP server resources the controller or service platform uses to obtain its system time. Set the following parameters to define the NTP configuration:
Server IP - Set the IP address of each server as a potential NTP resource. Provide either a hostname or an IPv4 formatted IP address. Hostnames cannot include an underscore character.
Key Number - Select the number of the associated Authentication Key for the NTP resource.
Key - If an autokey is not being used, manually enter a 64 character maximum key the controller or service platform and NTP resource share to securely interoperate.
Preferred - Select the radio button to designate this particular NTP resource as preferred. If using multiple NTP resources, preferred resources are given first opportunity to connect to the controller or service platform and provide NTP calibration.
AutoKey - Select the radio button to enable an Autokey configuration for the controller or service platform and NTP resource. The default setting is disabled.
Version - Use the spinner control to specify the version number used by this NTP server resource. The default setting is 0.
Minimum Polling Interval - Use the drop-down menu to select the minimum polling interval. Once set, the NTP resource is polled no sooner than the defined interval. Options include 64, 128, 256, 512 or 1024 seconds. The default setting is 64 seconds.
Maximum Polling Interval - Use the drop-down menu to select the maximum polling interval. Once set, the NTP resource is polled no later than the defined interval. Options include 64, 128, 256, 512 or 1024 seconds. The default setting is 1024 seconds.

9 Refer to the RF Domain Manager field to elect RF Domain Manager devices and assign them a priority in the election process:
Capable - Select this option to elect this controller an RF Domain manager capable of storing and provisioning configuration and firmware images for other members of the RF Domain. The RF Domain manager updates any state changes to the rest of the devices in the RF Domain. This setting is enabled by default.
Priority - Select this option to set the priority of this device becoming the RF Domain Manager versus other capable RF Domain members. The higher the value (1 - 255), the higher the priority assigned to the device in the RF Domain Manager election process.

10 Refer to the RAID Alarm field to either enable or disable the chassis alarm that sounds when events are detected that degrade RAID support (drive content mirroring) on a service platform.

NOTE: RAID controller drive arrays are available within NX7530 and NX9000 series service platforms only. However, they can be administrated on behalf of a profile by a different model service platform or controller.

Service platforms include a single Intel MegaRAID controller (virtual drive) with RAID-1 mirroring support enabled. The online virtual drive supports up to two physical drives that could require hot spare substitution if a drive were to fail. An administrator can manage the RAID controller event alarm and syslogs supporting the array hardware from the service platform user interface and is not required to reboot the service platform BIOS. For information on setting the service platform drive array configuration and diagnostic behavior of its member drives, refer to RAID Operations. To view the service platform's current RAID array status, drive utilization and consistency check information, refer to RAID Statistics on page 15-114.

11 Select OK to save the changes and overrides made to the general profile configuration. Select Reset to revert to the last saved configuration.
5.2.6.1 Cluster Configuration Overrides (Controllers and Service Platforms Only)

A redundancy group (cluster) is a set of controllers or service platforms (nodes) uniquely defined by a profile configuration. Within the redundancy group, members discover and establish connections to other peers and provide wireless self-healing support in the event of cluster member failure. A cluster's AP load balance is typically distributed evenly amongst the controllers or service platforms in the cluster. Define how often this profile is load balanced for AP radio distribution as often as you feel required, as radios can come and go and members can join and exit the cluster. For information on setting a profile's original cluster configuration (before applying an override), see Profile Cluster Configuration (Controllers and Service Platforms) on page 8-8.

As cluster memberships increase or decrease and their load requirements change, a profile may need an override applied to best suit a site's cluster requirements. To apply an override (if required) to a profile cluster configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of devices or peer controllers, service platforms or Access Points.
3 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
4 Select Profile Overrides from the Device menu to expand it into sub-menu options.
5 Select Cluster.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Optionally define the following Cluster Settings and overrides:
Figure 5-26 Profile Overrides - Cluster screen

Cluster Mode - A member can be in either an Active or Standby mode. All active member controllers or service platforms can adopt Access Points. Standby members only adopt Access Points when an active member has failed or sees an Access Point that's not yet adopted. The default cluster mode is Active and enabled for use with the profile.
Cluster Name - Define a name for the cluster unique to its configuration or profile support requirements. The name cannot exceed 64 characters.
Master Priority - Set a priority value from 1 to 255, with the higher value being given higher priority. This configuration is the device's priority to become cluster master. In a cluster environment, one device from among the cluster members is elected as cluster master. The default is 128.
Handle STP Convergence - Select the radio button to enable Spanning Tree Protocol (STP) convergence for the controller or service platform. In general, this protocol is enabled in layer 2 networks to prevent network looping. Spanning Tree is a network layer protocol that ensures a loop-free topology in a mesh network of inter-connected layer 2 controllers or service platforms. The spanning tree protocol disables redundant connections and uses the least costly path to maintain a connection between any two controllers or service platforms in the network. If enabled, the network forwards data only after STP convergence. Enabling STP convergence delays the redundancy state machine execution until the STP convergence is completed (the standard protocol value for STP convergence is 50 seconds). Delaying the state machine is important to load balance APs at startup. The default setting is disabled.
Force Configured State - Select the radio button to allow this controller or service platform to take over for an active member if it were to fail. A standby controller or service platform in the cluster takes over APs adopted by the failed active member. If the failed active member were to come back up, the active member starts a timer based on the Auto Revert Delay interval. At the expiration of the Auto Revert Delay, the standby member releases all adopted APs and goes back to a monitoring mode. The Auto Revert Delay timer is stopped and restarted if the active member goes down and comes up during the Auto Revert Delay interval. The default value is disabled.
Force Configured State Delay - Specify a delay interval in minutes (3 - 1,800). This is the interval a standby member waits before releasing adopted APs and going back to a monitoring mode when an active cluster member becomes active again after a failure. The default interval is 5 minutes.
Radius Counter DB Sync Time - Specify a sync time (from 1 - 1,440 minutes) a RADIUS counter database uses as its synchronization interval with the dedicated NTP server resource. The default interval is 5 minutes.

7 Within the Cluster Member field, select Cluster VLAN to enable a spinner control to designate the VLAN where cluster members are reachable. Specify a VLAN from 1 - 4094. Specify the IP addresses of the VLAN's cluster members using the Member IP Address table.
8 Select Restore Configured State to restore this cluster member back into the role of taking over for an active member if it were to fail.
9 Select Force Active to revert this cluster member back into its default active state and provide the ability to adopt Access Points.
10 Select Force Standby to only adopt Access Points when an active member has failed or sees an Access Point that's not yet adopted.
11 Select OK to save the changes and overrides made to the profile's cluster configuration. Select Reset to revert to the last saved configuration.
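The standby takeover and Auto Revert Delay behaviour described for the Force Configured State settings, modelled as an added example (not WiNG product code): a standby member holds the failed active member's APs, starts the revert timer when the active member returns, stops and restarts it if the active member flaps during the delay, and releases the APs at expiry. The event timeline, AP names and the `simulate` helper are constructed for illustration.

```python
"""Added example (not WiNG product code): a minimal model of the standby
takeover and Auto Revert Delay behaviour the guide describes for the
Force Configured State and Force Configured State Delay settings."""
from typing import List, Optional, Tuple

MIN_DELAY_MIN, MAX_DELAY_MIN, DEFAULT_DELAY_MIN = 3, 1800, 5  # ranges from the guide


class StandbyMember:
    """Standby cluster member with Force Configured State enabled."""

    def __init__(self, auto_revert_delay_min: int = DEFAULT_DELAY_MIN):
        if not MIN_DELAY_MIN <= auto_revert_delay_min <= MAX_DELAY_MIN:
            raise ValueError(
                f"Force Configured State Delay must be {MIN_DELAY_MIN}-{MAX_DELAY_MIN} minutes")
        self.delay = auto_revert_delay_min
        self.state = "monitoring"                  # or "serving" while holding APs
        self.adopted_aps: List[str] = []
        self.revert_deadline: Optional[int] = None  # simulation minute, or None if no timer
        self.log: List[str] = []

    def active_failed(self, minute: int, aps: List[str]) -> None:
        """The active member went down."""
        if self.state == "serving":
            # Failure during the revert delay: stop the timer and keep the APs.
            self.revert_deadline = None
            self.log.append(f"{minute}: active down again, revert timer stopped")
            return
        self.state = "serving"
        self.adopted_aps = list(aps)
        self.log.append(f"{minute}: took over {len(aps)} APs")

    def active_recovered(self, minute: int) -> None:
        """The active member came back: (re)start the Auto Revert Delay timer."""
        if self.state != "serving":
            return
        self.revert_deadline = minute + self.delay
        self.log.append(f"{minute}: active up, revert scheduled for {self.revert_deadline}")

    def expire_timer(self, upto: float) -> Optional[int]:
        """Fire the revert timer if its deadline is at or before `upto`.
        Returns the minute at which the APs were released, or None."""
        if (self.state == "serving" and self.revert_deadline is not None
                and self.revert_deadline <= upto):
            fired = self.revert_deadline
            self.log.append(f"{fired}: released {len(self.adopted_aps)} APs, back to monitoring")
            self.adopted_aps = []
            self.state = "monitoring"
            self.revert_deadline = None
            return fired
        return None


# (minute, "fail" | "recover", APs adopted by the active member at failure time)
Event = Tuple[int, str, List[str]]


def simulate(events: List[Event], delay_min: int = DEFAULT_DELAY_MIN) -> Tuple[Optional[int], str]:
    """Replay constructed events in time order. Returns (minute at which the
    standby released the APs, or None if it is still serving; final state)."""
    member = StandbyMember(delay_min)
    release_at: Optional[int] = None
    for minute, kind, aps in sorted(events, key=lambda e: e[0]):
        fired = member.expire_timer(upto=minute)   # timer that ran out before this event
        if fired is not None and release_at is None:
            release_at = fired
        if kind == "fail":
            member.active_failed(minute, aps)
        elif kind == "recover":
            member.active_recovered(minute)
        else:
            raise ValueError(f"unknown event kind {kind!r}")
    fired = member.expire_timer(upto=float("inf"))  # let any pending timer run out
    if fired is not None and release_at is None:
        release_at = fired
    return release_at, member.state


# Constructed scenarios (sample data, not from a real deployment).
CLEAN_RECOVERY: List[Event] = [(0, "fail", ["ap-1", "ap-2"]), (10, "recover", [])]
# The active member flaps inside the 5 minute delay: timer stops at 12, restarts at 13.
FLAPPING_ACTIVE: List[Event] = CLEAN_RECOVERY + [(12, "fail", []), (13, "recover", [])]

if __name__ == "__main__":
    for name, events in (("clean", CLEAN_RECOVERY), ("flapping", FLAPPING_ACTIVE)):
        release, state = simulate(events)
        print(f"{name}: APs released at minute {release}, final state {state}")
```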
5.2.6.2 Access Point Radio Power Overrides (Access Points Only)

A profile can manage the transmit output power of the Access Point radios it supports within the network.

NOTE: The Power option only appears within the Profile Overrides menu tree if an Access Point is selected from within the main Devices screen. Power management is configured differently for controllers or service platforms, so the Power screen only displays for Access Points.

Use the Power screen to set or override one of two power modes (3af or Auto) for a managed Access Point. When automatic is selected, the Access Point safely operates within available power. Once the power configuration is determined, the Access Point configures its operating power characteristics based on its model and power configuration.

An Access Point uses a complex programmable logic device (CPLD). The CPLD determines proper supply sequencing, the maximum power available and other status information. One of the primary functions of the CPLD is to determine the Access Point's maximum power budget. When an Access Point is powered on (or performing a cold reset), the CPLD determines the maximum power provided by the POE device and the budget available to the Access Point. The CPLD also determines the access point hardware SKU and the number of radios. If the Access Point's POE resource cannot provide sufficient power (with all intended interfaces enabled), some of the following interfaces could be disabled or modified:
The Access Point's transmit and receive algorithms could be negatively impacted
The Access Point's transmit power could be reduced due to insufficient power
The Access Point's WAN port configuration could be changed (either enabled or disabled)

To define an Access Point's power configuration or apply an override to an existing parameter:
1 Select the Devices tab from the Web UI.
2 Select Profile Overrides to expand its sub-menu items.
3 Select Power. A screen displays where an Access Point's power configuration can be defined or overridden for a profile.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-27 Access Point Profile Power Override screen

4 Use the Power Mode drop-down menu to set or override the Power Mode Configuration on this AP.

NOTE: Single radio model Access Points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio models.

When an Access Point is powered on for the first time, the system determines the power budget available to the Access Point. Using the Automatic setting, the Access Point automatically determines the best power configuration based on the available power budget. Automatic is the default setting. If 802.3af is selected, the Access Point assumes 12.95 watts are available. If the mode is changed, the Access Point requires a reset to implement the change. If 802.3at is selected, the Access Point assumes 23 - 26 watts are available.

5 Set or override the Access Point radio's 802.3af Power Mode and the radio's 802.3at Power Mode. Use the drop-down menu to define a mode of either Range or Throughput. Select Throughput to transmit packets at the radio's highest defined basic rate (based on the radio's current basic rate settings). This option is optimal in environments where the transmission range is secondary to broadcast/multicast transmission performance. Select Range when range is preferred over performance for broadcast/multicast (group) traffic.
The data rates used for range are the lowest defined basic rates. Throughput is the default setting for both 802.3af and 802.3at.

6 Select OK to save the changes and overrides made to the Access Point power configuration. Select Reset to revert to the last saved configuration.

5.2.6.3 Access Point Adoption Overrides (Access Points Only)

Adoption is the process an Access Point uses to discover available controllers or service platforms, pick the most desirable one, establish an association and optionally obtain an image upgrade and configuration. Adoption is configurable and supported within a device profile and applied to other Access Points supported by the profile. Individual attributes of an Access Point's auto provisioning policy can be overridden as specific parameters require modification.

At adoption, an Access Point solicits and receives multiple adoption responses from controllers and service platforms available on the network. These adoption responses contain loading policy information the Access Point uses to select the optimum controller or service platform for adoption. By default, an auto provisioning policy generally distributes AP adoption evenly amongst available controllers and service platforms. Modify existing adoption policies or create a new one as needed to meet the adoption requirements of a device and its assigned profile.

NOTE: A device configuration does not need to be present for an auto provisioning policy to take effect. Once adopted, and the device's configuration is defined and applied by the controller or service platform, the auto provisioning policy mapping does not have an impact on subsequent adoptions by the same device.

An auto provisioning policy enables an administrator to define adoption rules for the supported Access Points capable of being adopted by a wireless controller. To define an Access Point's adoption configuration or apply an override:
1 Select Devices from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Profile Overrides to expand its sub-menu items.
4 Select Adoption. A screen displays where an Access Point's adoption configuration can be defined and overridden for a profile.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-28 Access Point Adoption Override screen

5 Define or override the Preferred Group used as the optimal group for the Access Point's adoption. The name of the preferred group cannot exceed 64 characters.
6 Set the following Auto-Provisioning Policy settings for Access Point adoptions:
Use NOC Auto-Provisioning Policy - Select this option to use the NOC controller's auto provisioning policy and not the policy maintained locally. The NOC is an elected controller or service platform capable of provisioning all of its peer controllers, service platforms and adopted devices. This setting is disabled by default. NOC controllers are NX9000, NX9500, NX9510, NX7500, and RFS6000 models.
Auto-Provisioning Policy - Select an auto provisioning policy from the drop-down menu. To create a new auto provisioning policy, select the Create icon or modify an existing one by selecting the Edit icon.
Learn and Save Network Configuration - Select this option to learn and save the configuration of any device requesting adoption. This setting is enabled by default.

7 Set the following Controller Hello Interval settings to manage message exchanges and connection re-establishments between adopting devices:
Hello Interval - Define an interval (from 1 - 120 seconds) between hello keep alive messages exchanged with the adopting device. These messages serve as a connection validation mechanism to ensure the availability of the adopting resource.
Adjacency Hold Time - Set the time (from 2 - 600 seconds) after the last hello packet after which the connection between the controller and Access Point is defined as lost and their connection is re-established. When a hello interval is set, an adjacency hold time is mandatory and should be higher than the hello interval.

8 Use the spinner control to define an Offline Duration timeout (from 5 - 43,200 minutes) to detect whether an adopted device is offline. The default setting is 10 minutes.
9 Use the spinner control to define a Controller VLAN. Select to enable this field and select the VLAN on which the adopting controllers can be found by the Access Point.
10 Enter Controller Hostnames as needed to define or override resources for Access Point adoption.
11 Select + Add Row as needed to populate the table with IP Addresses or Hostnames used as Access Point adoption resources in the managed network.

Host - Use the drop-down menu to specify whether the adoption resource is defined as a (non DNS) IP Address or a Hostname. Once defined, provide the numerical IP or Hostname. A Hostname cannot exceed 64 characters and cannot include an underscore character.
Pool - Use the spinner control to set a pool of either 1 or 2. This is the pool the target controller or service platform belongs to.
Routing Level - Define a routing level (either 1 or 2) for the link between adopting devices. The default setting is 1.
IPSec Secure - Enable this option to provide IPSec secure peer authentication on the connection (link) between the adopting devices. This option is disabled by default.
IPSec GW - Select the numerical IP address or administrator defined hostname of the adopting controller resource.
Force - Enable this setting to create a forced link between an Access Point and adopting controller, even when not necessarily needed. This setting is disabled by default.
Remote VPN Client - Displays whether a secure controller link has been established using a remote VPN client.

12 Select OK to save the changes and overrides made to the Access Point profile adoption configuration. Select Reset to revert to the last saved configuration.

5.2.6.4 Adoption Overrides (Controllers Only)

Adoption is the process an Access Point uses to discover available controllers, pick the most desirable controller, establish a controller association and optionally obtain an image upgrade and configuration. Adoption is configurable and supported within a device profile and applied to other Access Points supported by the profile. Individual attributes of an Access Point's auto provisioning policy can be overridden as specific parameters require modification.

At adoption, an Access Point solicits and receives multiple adoption responses from controllers and service platforms available on the network. These adoption responses contain loading policy information the Access Point uses to select the optimum controller or service platform for adoption. By default, an auto provisioning policy generally distributes AP adoption evenly amongst available controllers and service platforms. Modify existing adoption policies or create a new one as needed to meet the adoption requirements of a device and its assigned profile.

NOTE: A device configuration does not need to be present for an auto provisioning policy to take effect. Once adopted, and the device's configuration is defined and applied by the controller or service platform, the auto provisioning policy mapping does not have an impact on subsequent adoptions by the same device.

To define a controller or service platform's adoption configuration:
1 Select Devices from the Web UI.
2 Select Profiles.
3 Select Profile Overrides to expand its sub-menu items.
4 Select Adoption. A screen displays where a controller or service platform's adoption configuration can be set or overridden for a profile.
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
Figure 5-29 Controller Adoption Override screen
5 Within the Controller Group field, use the Group item to provide the controller group this controller or service platform belongs to. A preferred group can also be selected for the adoption of this controller or service platform. The name of the preferred group cannot exceed 64 characters.
6 Set the following Auto Provisioning Policy parameters:
Use NOC Auto-Provisioning Policy: Select this option to use the NOC's auto provisioning policy instead of the policy local to the controller or service platform. The NOC is an elected controller or service platform capable of provisioning all of its peer controllers, service platforms and adopted devices. This setting is disabled by default.
Auto-Provisioning Policy: Select an auto provisioning policy from the drop-down menu. To create a new auto provisioning policy, select the Create icon, or modify an existing one by selecting the Edit icon.
Learn and Save Network Configuration: Select this option to allow the controller or service platform to maintain local configuration records of devices requesting adoption and provisioning. This feature is enabled by default.
7 Set the following Controller Adoption Settings:
Rerun Policy Rules Every Time AP Adopted: Enabling this feature applies adoption rules to Access Points each time they are subsequently adopted, not just the first time. This setting is disabled by default.
Allow Adoption of Devices: Select either Access Points or Controllers (or both) to refine whether this controller or service platform can adopt just networked Access Points or peer controller devices as well.
Allow Adoption of External Devices: Select this option to enable this controller or service platform to adopt T5 model devices or EX3500 model switches.
Allow Monitoring of External Devices: Select this option to enable monitoring only of T5 model devices or EX3500 model switches by this controller or service platform. When enabled, WiNG does not configure EX3500 switches or a T5; it only monitors those devices for statistics and events.
Allow Adoption of this Controller: Select this option to enable this controller or service platform to be capable of adoption by other controllers or service platforms. This setting is disabled by default, and must be selected to allow peer adoptions and to enable the four settings directly below it.
Preferred Group: If Allow Adoption of this Controller is selected, provide the controller group preferred as the adopting entity for this controller or service platform. If utilizing this feature, ensure the appropriate group is provided within the Controller Group field.
Hello Interval: Select this option to define the hello packet exchange interval (from 1 - 120 seconds) between the controller or service platform and an adoption requesting Access Point.
Adjacency Hold Time: Select this option to set the hold time (from 2 - 600 seconds) measured from the last hello packet received, after which the adjacency is considered lost and must be re-established. The hold time must be higher than the hello interval.
Offline Duration: Use the spinner control to define a timeout (from 5 - 43,200 minutes) to detect whether an adopted device is offline. The default setting is 10 minutes.
8 Enter Controller Hostnames as needed to define resources for adoption.
9 Select + Add Row as needed to populate the table with IP Addresses or Hostnames used as Access Point adoption resources into the managed network.
Host: Use the drop-down menu to specify whether the adoption resource is defined as a (non DNS) IP Address or a Hostname. Once defined, provide the numerical IP or Hostname. A Hostname cannot exceed 64 characters or contain an underscore.
Pool: Use the spinner control to set a pool of either 1 or 2. This is the pool the target controller or service platform belongs to.
Routing Level: Define a routing level (either 1 or 2) for the link between adopting devices. The default setting is 1.
IPSec Secure: Enable this option to provide IPSec secure peer authentication on the connection (link) between the adopting devices. This option is disabled by default. Because the adoption link carries the device's configuration and, optionally, a firmware image, enable it wherever adoption traffic crosses a network you do not control.
IPSec GW: Select the numerical IP address or administrator defined hostname of the adopting controller resource.
Force: Enable this setting to create a forced link between an Access Point and adopting controller, even when not necessarily needed. This setting is disabled by default.
Remote VPN Client: Displays whether a secure controller link has been established using a remote VPN client.
10 Select OK to save the changes and overrides made to the profile's adoption configuration. Select Reset to revert to the last saved configuration.
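The hello interval, adjacency hold time and offline duration (described for the Access Point side in the previous section and for the controller side in step 7 above) act together as a silence-based keep-alive. The following is an added example, not WiNG code, that models the three timers and the range and ordering rules the page states. The page does not say how WiNG sequences its "lost" and "offline" decisions; treating both as silence timers measured from the last hello, with offline the longer one, is an assumption made here and marked in the code.

```python
"""Adoption keep-alive timers: hello interval, adjacency hold time, offline duration.

Added example, not WiNG code. Ranges come from the adoption settings table.
ASSUMPTION: 'lost' and 'offline' are both measured as silence since the last
hello, offline being the longer of the two.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

HELLO_RANGE_S = (1, 120)          # hello interval, seconds
HOLD_RANGE_S = (2, 600)           # adjacency hold time, seconds
OFFLINE_RANGE_MIN = (5, 43_200)   # offline duration, minutes


def validate_timers(hello_s: int, hold_s: int, offline_min: int = 10) -> List[str]:
    """Return configuration errors for a timer set (an empty list means valid)."""
    errors = []
    if not HELLO_RANGE_S[0] <= hello_s <= HELLO_RANGE_S[1]:
        errors.append(f"hello interval {hello_s}s outside {HELLO_RANGE_S}")
    if not HOLD_RANGE_S[0] <= hold_s <= HOLD_RANGE_S[1]:
        errors.append(f"adjacency hold time {hold_s}s outside {HOLD_RANGE_S}")
    if not OFFLINE_RANGE_MIN[0] <= offline_min <= OFFLINE_RANGE_MIN[1]:
        errors.append(f"offline duration {offline_min}min outside {OFFLINE_RANGE_MIN}")
    # The page requires the hold time to be higher than the hello interval.
    if hold_s <= hello_s:
        errors.append("adjacency hold time must be greater than the hello interval")
    return errors


def tolerated_missed_hellos(hello_s: int, hold_s: int) -> int:
    """Consecutive hellos that may be lost before the adjacency is declared lost.

    After m misses the next hello arrives (m + 1) * hello_s after the last good
    one; the adjacency survives only if that is still within the hold time.
    """
    return max(hold_s // hello_s - 1, 0)


@dataclass
class Adjacency:
    hello_s: int
    hold_s: int
    offline_min: int = 10
    last_hello: Optional[float] = None   # time of the last hello received

    def on_hello(self, now: float) -> None:
        self.last_hello = now

    def state(self, now: float) -> str:
        """'unadopted', 'up', 'lost' (adoption must be re-established) or 'offline'."""
        if self.last_hello is None:
            return "unadopted"
        silence = now - self.last_hello
        if silence > self.offline_min * 60:   # ASSUMPTION: offline = longer silence timer
            return "offline"
        if silence > self.hold_s:
            return "lost"
        return "up"


def trace(adj: Adjacency, hellos: Iterable[float], probes: Iterable[float]) -> Dict[float, str]:
    """Replay hello arrivals in time order and report the state at each probe time."""
    pending = sorted(hellos)
    result: Dict[float, str] = {}
    for t in sorted(probes):
        while pending and pending[0] <= t:
            adj.on_hello(pending.pop(0))
        result[t] = adj.state(t)
    return result


if __name__ == "__main__":
    # Constructed scenario: hellos every 10 s with a 30 s hold time, then the AP goes quiet at t=20.
    print(validate_timers(10, 30))                                  # []
    print(tolerated_missed_hellos(10, 30))                          # 2
    print(trace(Adjacency(10, 30), [0, 10, 20], [25, 51, 621]))     # {25: 'up', 51: 'lost', 621: 'offline'}
```

The `tolerated_missed_hellos` figure is the practical meaning of the rule that the hold time must be higher than the hello interval: with the two equal, a single late hello tears the adjacency down and forces a fresh adoption (and, with the rerun-rules option set, a fresh pass through the provisioning policy), so on links with jitter a hold time of several hello intervals is the safer choice.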
5.2.7 Profile Interface Override Configuration
Profile Overrides
A profile's interface configuration can be defined to support separate physical Ethernet configurations both unique and specific to RFS4000 and RFS6000 controllers and NX5500, NX7500 and NX9000 series service platforms. Ports vary depending on platform, but controller and service platform models do share some of the same physical interfaces. A controller or service platform requires its Virtual Interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A Virtual Interface defines which IP address is associated with each VLAN ID the controller or service platform is connected to. If the profile is configured to support an Access Point radio, an additional Radios option is available, unique to the Access Point's radio configuration.
Each profile interface configuration can have overrides applied to customize the configuration to a unique controller or service platform deployment. However, once an override is applied, the configuration becomes independent from the profile that may be shared by a group of devices in a specific deployment and may need careful administration until a profile can be re-applied to the target controller or service platform. For more information, refer to the following:
Ethernet Port Override Configuration
Virtual Interface Override Configuration
Port Channel Override Configuration
VM Interface Override Configuration
Radio Override Configuration
WAN Backhaul Override Configuration
PPPoE Override Configuration
Bluetooth Configuration
5.2.7.1 Ethernet Port Override Configuration
Profile Interface Override Configuration
The ports available on controllers vary depending on the RFS controller model. The following ports are available to controllers:
RFS4000 - ge1, ge2, ge3, ge4, ge5, up1
RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
GE ports on RFS4000 and RFS6000 models are RJ-45 ports supporting 10/100/1000 Mbps.
ME ports are available on RFS6000 and RFS7000 platforms. ME ports are out-of-band management ports used to manage the controller via CLI or Web UI, even when the other ports on the controller are unreachable.
The following ports are available to NX series service platform models:
NX5500 - ge1, ge2
NX7500 - ge1-ge10, xge1-xge2
NX9000 series - ge1, ge2
NOTE: For a NX7500 model service platform, there are options for either a 2 port or 4 port network management card. Either card can be managed using WiNG. If the 4 port card is used, ports ge7-ge10 are available. If the 2 port card is used, ports xge1-xge2 are available.
UP ports are available on RFS4000 and RFS6000 controllers. An UP port supports either RJ-45 or fiber. The UP port is the preferred means to connect to the backbone as it has a non-blocking 1 Gbps connection, unlike the GE ports.
The following ports are available on Access Points:
AP6521 - GE1/POE (LAN)
AP6522 - GE1/POE (LAN)
AP6532 - GE1/POE
AP6562 - GE1/POE
AP7161 - GE1/POE (LAN), GE2 (WAN)
AP7502 - GE1 (THRU), fe1, fe2, fe3
AP7522 - GE1/POE (LAN)
AP7532 - GE1/POE (LAN)
AP7602 - GE1/POE (LAN), GE2 (WAN)
AP7612 - GE1/POE (LAN), GE2 (WAN)
AP7622 - GE1/POE (LAN)
AP7632 - GE1/POE (LAN)
AP7662 - GE1/POE (LAN), GE2 (WAN)
AP81XX - GE1/POE (LAN), GE2 (WAN)
AP82XX - GE1/POE (LAN), GE2 (WAN)
T5 controllers have the following Ethernet port designations:
T5 - ge1-ge2 (T5 controller managed CPE devices have ports fe1 - fe2)
To set a profile's Ethernet port configuration and potentially apply overrides to the profile's configuration:
1 Select the Configuration tab from the Web UI.
2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
4 Select Profile Overrides from the Device menu to expand it into sub menu options.
5 Select Interface to expand its sub menu options.
6 Select Ethernet Ports.
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
7 Refer to the following to assess port status and performance:
Figure 5-30 Profile Overrides - Ethernet Ports screen
Name: Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on controller or service platform model:
RFS4000 - ge1, ge2, ge3, ge4, ge5, up1
RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
NX5500 - ge1, ge2
NX7500 - ge1-ge10, xge1-xge2
NX9000 series - ge1, ge2, xge1-xge4
Type: Displays the physical controller or service platform port type. Copper is used on RJ45 Ethernet ports and Optical materials are used on fiber optic gigabit Ethernet ports.
Description: Displays an administrator defined description for each listed controller or service platform port.
Admin Status: A green check mark defines the port as active and currently enabled with the profile. A red X defines the port as currently shut down and not available for use. The interface status can be modified with the port configuration as needed.
Mode: Displays the profile's switching mode as either Access or Trunk (as defined within the Ethernet Port Basic Configuration screen). If Access is selected, the listed port accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the port are expected to be untagged and are mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs added to the trunk. A port configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged.
Native VLAN: Lists the numerical VLAN ID (1 - 4094) set for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
Tag Native VLAN: A green check mark defines the native VLAN as tagged. A red X defines the native VLAN as untagged. When a frame is tagged, the 12-bit VLAN ID is carried in the 802.1Q header so upstream Ethernet devices know which VLAN the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port.
Allowed VLANs: Displays those VLANs allowed to send packets over the listed controller or service platform port. Allowed VLANs are only listed when the mode has been set to Trunk.
Overrides: A Clear option appears for each Ethernet port configuration that has an override applied to the profile's configuration. Select Clear to revert this specific interface configuration to the profile configuration originally defined by the administrator for this interface.
8 To edit or override the configuration of an existing controller or service platform port, select it from amongst those displayed and select the Edit button. The Ethernet Port Basic Configuration screen displays by default.
9 Set or override the following Ethernet port Properties:
Figure 5-31 Profile Overrides - Ethernet Ports Basic Configuration screen
Description: Enter a brief description for the controller or service platform port (64 characters maximum). The description should reflect the port's intended function to differentiate it from others with similar configurations, or perhaps just the name of the physical port.
Admin Status: Select the Enabled radio button to define this port as active to the profile it supports. Select the Disabled radio button to disable this physical port in the profile. It can be activated at any future time when needed. Admin status is enabled by default.
Speed: Select the speed at which the port can receive and transmit data. Select 10 Mbps, 100 Mbps or 1000 Mbps to fix the data rate for half duplex or full duplex transmission over the port, or select Automatic to let the port negotiate data transmission speed and duplex capabilities with its link partner. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis. Automatic is the default setting; the fixed speed options are not available when Automatic is selected.
Duplex: Select Half, Full or Automatic as the duplex option. A Half duplex link carries data in both directions, but not at the same time: the port sends, then receives. A Full duplex link transmits and receives over the port at the same time. Select Automatic to let the controller or service platform negotiate the duplex mode as port performance needs dictate. Automatic is the default setting.
10 Enable or disable the following CDP/LLDP parameters used to configure Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) for this profile's Ethernet port configuration:
Cisco Discovery Protocol Receive: Select this option to allow CDP advertisements to be received on this port and processed as neighbor information. This option is enabled by default.
Cisco Discovery Protocol Transmit: Select this option to allow CDP to be transmitted on this port. If enabled, the port sends periodic interface updates to a multicast address to advertise its presence to neighbors.
Link Layer Discovery Protocol Receive: Select this option to allow LLDP advertisements to be received on this port and processed as neighbor information. This option is enabled by default.
Link Layer Discovery Protocol Transmit: Select this option to allow LLDP to be transmitted on this port. If enabled, the port sends periodic interface updates to a multicast address to advertise its presence to neighbors.
CDP and LLDP advertisements disclose device, port and address details to whatever is plugged into the port, so transmit is normally enabled only toward managed switches and left off on ports facing untrusted devices.
11 If supported and applicable, set or override the following Power Over Ethernet (PoE) parameters used with this profile's Ethernet port configuration:
Enable POE: Select this option to configure the selected controller or service platform port to use Power over Ethernet. To disable PoE on a port, uncheck this option. PoE is supported on RFS4000 and RFS6000 model controllers. When enabled, the controller or service platform supports 802.3af PoE on each of its ge ports. PoE allows users to monitor port power consumption and configure power usage limits and priorities for each ge port.
Power Limit: Use the spinner control to set the total watts available for PoE on the ge port. Set a value from 0 - 40 watts.
Power Priority: Set the power priority for the listed port to Critical, High or Low. This is the priority assigned to this port versus the power requirements of the other ports available on the controller or service platform.
12 Select Enforce Captive Portal to automatically apply captive portal access permission rules to data transmitted over this specific Ethernet port. This setting is disabled by default.
A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail and No Service pages provide the administrator with a number of options on captive portal screen flow and user appearance.
Captive portal enforcement allows wired network users to pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried with the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user can pass traffic on the captive portal. Because a MAC address is easily cloned, this lookup identifies a device rather than a user. If None is selected, captive portal policies are not enforced on the wired interface. If Authentication Failure is selected, captive portal policies are enforced only when RADIUS authentication of the client's MAC address is not successful. If Always is selected, captive portal policies are enforced regardless of whether the client's MAC address is in the RADIUS server's user database. For information on configuring a captive portal policy, see Configuring Captive Portal Policies on page 11-1.
13 Define or override the following Switching Mode parameters applied to the Ethernet port configuration:
Mode: Select either the Access or Trunk radio button to set the VLAN switching mode over the port. If Access is selected, the port accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are untagged and are mapped to the native VLAN. If the mode is set to Trunk, the port allows packets from a list of VLANs you add to the trunk. A port configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged. Access is the default mode.
Native VLAN: Use the spinner control to define a numerical Native VLAN ID from 1 - 4094. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN which untagged traffic will be directed over when using a port in trunk mode. The default VLAN is 1.
Tag Native VLAN: Select this option to tag the native VLAN. Controllers and service platforms support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN ID the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12-bit VLAN ID is carried in the 802.1Q header so upstream Ethernet devices know which VLAN the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. Tagging the native VLAN removes the ambiguity of untagged frames on a trunk, which is the usual hardening choice for trunks that face devices you do not control. This feature is disabled by default.
Allowed VLANs: Selecting Trunk as the mode enables the Allowed VLANs parameter. Add the VLANs that are permitted to send packets over the listed port.
14 Optionally select the Port Channel check box from the Port Channel Membership area and define or override a setting from 1 - 8 using the spinner control. This sets the channel group for the port.
15 Select OK to save the changes and overrides made to the profile's Ethernet Port Basic Configuration. Select Reset to revert to the last saved configuration.
16 Select the Security tab.
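The Mode, Native VLAN, Tag Native VLAN and Allowed VLANs parameters above describe how a port classifies an incoming frame and how it tags frames on the way out; the Security tab's Trust field (step 21, further down) adds a check that the source MAC in the Ethernet header matches the sender MAC inside an ARP packet. The following is an added example, not WiNG code, that implements both behaviours over raw Ethernet frames. The frames it works on are constructed test vectors, and one point the page leaves open is marked as an assumption in the code: how a trunk treats a tagged frame that carries the native VLAN ID.

```python
"""802.1Q ingress classification, egress tagging and ARP header mismatch checks.

Added example, not WiNG code. Port behaviour follows the Switching Mode text;
the ARP check follows the "ARP header Mismatch Validation" trust setting.
ASSUMPTION (marked below): how a trunk handles a tagged frame with the native VID.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

ETH_P_8021Q = 0x8100
ETH_P_ARP = 0x0806
ETH_P_IPV4 = 0x0800
VRRP_MAC_PREFIX = bytes.fromhex("00005e0001")   # RFC 5798 virtual router MAC 00-00-5E-00-01-{VRID}


@dataclass
class PortConfig:
    mode: str                                             # "access" or "trunk"
    native_vlan: int = 1                                  # 1 - 4094
    tag_native: bool = False                              # Tag Native VLAN
    allowed_vlans: Set[int] = field(default_factory=set)  # Trunk mode only


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], int, bytes]:
    """Return (dst, src, vid or None, ethertype, payload).

    An 802.1Q tag is four bytes after the source MAC: TPID 0x8100 and a 16-bit
    TCI whose low 12 bits are the VLAN ID; the 3 priority bits and DEI above
    it must be masked off.
    """
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_8021Q:
        return dst, src, None, ethertype, frame[14:]
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return dst, src, tci & 0x0FFF, inner_type, frame[18:]


def classify_ingress(port: PortConfig, frame: bytes) -> Optional[int]:
    """VLAN the frame is mapped to on ingress, or None when the port drops it."""
    _, _, vid, _, _ = parse_frame(frame)
    if port.mode == "access":
        # Access: frames are expected untagged and are mapped to the native VLAN.
        return port.native_vlan if vid is None else None
    if vid is None:
        # Trunk: untagged traffic is classified into the native VLAN.
        return port.native_vlan
    if vid == port.native_vlan:
        # ASSUMPTION: a tagged native-VID frame is accepted only when the
        # native VLAN is configured as tagged; the page does not say.
        return vid if port.tag_native else None
    return vid if vid in port.allowed_vlans else None


def egress_frame(port: PortConfig, vlan: int, frame: bytes) -> bytes:
    """Re-encapsulate a frame for transmission out of the port.

    Access ports, and trunks whose native VLAN is untagged, send native-VLAN
    traffic without a tag; everything else leaves with an 802.1Q tag.
    """
    dst, src, _, ethertype, payload = parse_frame(frame)
    untagged = port.mode == "access" or (vlan == port.native_vlan and not port.tag_native)
    if untagged:
        return dst + src + struct.pack("!H", ethertype) + payload
    return dst + src + struct.pack("!HHH", ETH_P_8021Q, vlan & 0x0FFF, ethertype) + payload


def check_arp_header(frame: bytes) -> str:
    """ARP header mismatch validation: Ethernet source MAC vs ARP sender MAC.

    "mismatch-vrrp" is the case from the page's note: a physical MAC in the
    Ethernet header with the VRRP virtual router MAC inside the ARP header.
    """
    _, src, _, ethertype, payload = parse_frame(frame)
    if ethertype != ETH_P_ARP or len(payload) < 28:
        return "not-arp"
    hlen = payload[4]                  # hardware address length, 6 for Ethernet
    sha = payload[8:8 + hlen]          # sender hardware address
    if sha == src:
        return "ok"
    if sha.startswith(VRRP_MAC_PREFIX):
        return "mismatch-vrrp"
    return "mismatch"


# ---- constructed test vectors (not captured traffic) ------------------------
def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None, ethertype: int = ETH_P_IPV4) -> bytes:
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


def build_arp_request(src_mac: bytes, sender_hw: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IPV4, 6, 4, 1,
                      sender_hw, sender_ip, b"\x00" * 6, target_ip)
    return build_frame(b"\xff" * 6, src_mac, arp, ethertype=ETH_P_ARP)


if __name__ == "__main__":
    trunk = PortConfig("trunk", native_vlan=1, allowed_vlans={10, 20})
    mac = bytes.fromhex("001122334455")
    print(classify_ingress(trunk, build_frame(b"\xff" * 6, mac, b"\x00" * 20, vlan=20)))   # 20
    print(check_arp_header(build_arp_request(mac, bytes.fromhex("00005e000105"),
                                             b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")))  # mismatch-vrrp
```

The `& 0x0FFF` mask in `parse_frame` is the detail most often got wrong when VLAN IDs are read by hand: the TCI also carries the 802.1p priority bits, so a frame tagged with priority 5 on VLAN 20 must still classify as VLAN 20. The VRRP branch in `check_arp_header` separates the legitimate mismatch the page's note describes from an arbitrary spoofed sender MAC, so an operator can allow the former without disabling the check.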
Figure 5-32 Profile Overrides - Ethernet Ports Security screen
17 Refer to the Access Control field. As part of the Ethernet port's security configuration, inbound IP and MAC address firewall rules are required.
18 Use the MAC Inbound Firewall Rules drop-down menu to select the firewall rules to apply to this profile's Ethernet port configuration. The firewall inspects MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances. Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific firewall rules to apply to this profile's Ethernet port configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery and does not ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.
19 Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific firewall rules to apply to this profile's Ethernet port configuration. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
20 If a firewall rule does not exist suiting the data protection needs of the target port configuration, select the Create icon to define a new rule configuration or the Edit icon to update or override an existing configuration. For more information, see Configuring IP Firewall Rules on page 10-20 or Wireless Firewall on page 10-1.
21 Refer to the Trust field to define or override the following:
Trust ARP Responses: Select this option to enable ARP trust on this port. ARP packets received on this port are considered trusted, and the information from these packets is used to identify rogue devices within the network. The default value is disabled.
Trust DHCP Responses: Select this option to enable DHCP trust on this port. If enabled, only DHCP responses are trusted and forwarded on this port, and a DHCP server can be connected only to a DHCP trusted port. The default value is enabled. Leave it enabled only on ports that lead to a legitimate DHCP server; a trusted port facing end devices lets a rogue DHCP server answer clients.
ARP header Mismatch Validation: Select this option to enable a mismatch check between the source MAC in the Ethernet header and the sender MAC in the ARP header. The default value is enabled.
Trust 802.1p COS values: Select this option to trust 802.1p CoS values on this port. The default value is enabled.
Trust IP DSCP: Select this option to trust IP DSCP values on this port. The default value is enabled.
NOTE: Some vendor solutions with VRRP enabled send ARP packets with the Ethernet SMAC as a physical MAC and the inner ARP SMAC as the VRRP MAC. If this configuration is enabled, the packet is allowed despite the conflict.
22 Set the following IPv6 Settings:
Trust ND Requests: Select this option to trust the neighbor discovery requests required on an IPv6 network on this Ethernet port. This setting is disabled by default.
Trust DHCPv6 Responses: Select this option to trust all DHCPv6 responses on this Ethernet port. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is enabled by default.
ND Header Mismatch Validation: Select this option to enable a mismatch check for the source MAC within the ND header and the Link Layer option. This setting is disabled by default.
RA Guard: Select this option to enable RA Guard, which polices router advertisements and ICMPv6 redirects arriving on this Ethernet port. This setting is disabled by default.
23 Set the following 802.1X Settings:
Host Mode: Use the drop-down menu to select the host mode configuration to apply to this port. Options include single-host or multi-host. The default setting is single-host.
Guest VLAN: Specify a guest VLAN for this port from 1 - 4094. This is the VLAN traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled.
Port Control: Use the drop-down menu to set the port control state to apply to this port. Options include force-authorized, force-unauthorized and automatic. The default setting is force-authorized.
Re Authenticate: Select this setting to force clients to reauthenticate on this port. The default setting is disabled, thus clients do not need to reauthenticate for connection over this port until this setting is enabled.
Max Reauthenticate Count: Set the maximum reauthentication attempts (1 - 10) before this port is moved to unauthorized. The default setting is 2.
Quiet Period: Set the quiet period for this port from 1 - 65,535 seconds. This is the maximum time 802.1x waits after a failed authentication attempt. The default setting is 60 seconds.
Reauthenticate Period: Use the spinner control to set the reauthentication period for this port from 1 - 65,535 seconds. The default setting is 60 seconds.
Port MAC Authentication: When enabled, a port's MAC address is authenticated, as only one MAC address is supported per wired port. When successfully authenticated, packets from the source are processed. Packets from all other sources are dropped. Port MAC authentication is supported on RFS4000 and RFS6000 model controllers and NX9000 series service platforms. Port MAC authentication may be enabled on ports in conjunction with Wired 802.1x settings for a MAC Authentication AAA policy.
24 Select Enable within the 802.1x supplicant (client) feature field to enable a username and password pair used when authenticating users on this port. This setting is disabled by default. The password cannot exceed 32 characters.
25 Select OK to save the changes and overrides made to the Ethernet port's security configuration. Select Reset to revert to the last saved configuration.
26 Select the Spanning Tree tab.
Figure 5-33 Profile Overrides - Ethernet Ports Spanning Tree screen
27 Set or override the following parameters for the port's MSTP Configuration:
Enable as Edge Port: Select this option to define this port as an edge port. Using an edge (private) port, you can isolate devices to prevent connectivity over this port.
Link Type: Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link. Selecting Shared indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link, while one connected to a controller or service platform is a point-to-point link.
Cisco MSTP Interoperability: Select either the Enable or Disable radio button. This enables interoperability with Cisco's version of MSTP over the port, which is incompatible with standard MSTP.
Force Protocol Version: Sets the protocol version to either STP(0), Not Supported(1), RSTP(2) or MSTP(3). MSTP is the default setting.
Guard: Determines whether the port enforces root bridge placement. Setting the guard to Root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state. No data is forwarded across the port. Thus, the guard root enforces the root bridge position and stops a switch attached downstream, legitimately or not, from taking over as root.
Enable PortFast: Select this option to enable drop-down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options for the port.
Enable PortFast BPDU Filter: Select this option to apply a BPDU filter to this PortFast-enabled port. Enabling the BPDU filter ensures this PortFast-enabled port does not transmit or receive BPDUs.
Enable PortFast BPDU Guard: Select this option to apply BPDU guard to this PortFast-enabled port. Enabling BPDU guard means this PortFast-enabled port shuts down on receiving a BPDU. For edge ports facing end devices, BPDU guard is the usual choice: a filter silently ignores BPDUs, so a loop introduced through such a port goes undetected, while the guard shuts the port and raises the event.
28 Refer to the Spanning Tree Port Cost table. Define or override an Instance Index using the spinner control and set the Cost. The default path cost depends on the user defined speed of the port. The cost helps determine the role of the port in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost:
Speed                          Default Path Cost
<= 100,000 bits/sec            200,000,000
<= 1,000,000 bits/sec          20,000,000
<= 10,000,000 bits/sec         2,000,000
<= 100,000,000 bits/sec        200,000
<= 1,000,000,000 bits/sec      20,000
<= 10,000,000,000 bits/sec     2,000
<= 100,000,000,000 bits/sec    200
<= 1,000,000,000,000 bits/sec  20
> 1,000,000,000,000 bits/sec   2
29 Select + Add Row as needed to include additional indexes.
30 Refer to the Spanning Tree Port Priority table. Define or override an Instance Index using the spinner control and then set the Priority. The lower the priority value, the greater the likelihood of the port becoming a designated port. Applying a higher override value reduces the port's likelihood of becoming a designated port.
31 Select + Add Row as needed to include additional indexes.
32 Select OK to save the changes and overrides made to the Ethernet Port Spanning Tree configuration. Select Reset to revert to the last saved configuration.
5.2.7.2 Virtual Interface Override Configuration
Profile Interface Override Configuration
A virtual interface is required for layer 3 (IP) access to the controller or service platform or to provide layer 3 service on a VLAN. The virtual interface defines which IP address is associated with each VLAN ID the controller is connected to. A virtual interface is created for the default VLAN (VLAN 1) to enable remote controller administration. A virtual interface is also used to map VLANs to IP address ranges. This mapping determines the destination for controller or service platform routing.
To review existing virtual interface configurations and create a new virtual interface configuration, modify (override) an existing configuration or delete an existing configuration:
1 Select the Configuration tab from the Web UI.

2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

3 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

4 Select Profile Overrides from the Device menu to expand it into sub menu options.

5 Select Interface to expand its sub menu options.

6 Select Virtual Interfaces.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-34 Profile Overrides - Virtual Interfaces screen

7 Review the following parameters unique to each virtual interface configuration to determine whether a parameter override is warranted:
Name: Displays the numeric ID of each listed virtual interface assigned when it was created. The name is between 1 - 4094, and cannot be modified as part of a virtual interface edit.
Type: Displays the type of virtual interface for each listed interface.
Description: Displays the description defined for the virtual interface when it was either initially created or edited.
Admin Status: A green check mark defines the listed virtual interface configuration as active and enabled with its supported profile. A red X defines the virtual interface as currently shut down. The interface status can be modified when a new virtual interface is created or an existing one modified.
VLAN: Displays the numerical VLAN ID associated with each listed interface.
IP Address: Defines whether DHCP was used to obtain the primary IP address used by the virtual interface configuration.

Once the configurations of existing virtual interfaces have been reviewed, determine whether a new interface requires creation, or an existing virtual interface requires edit (override) or deletion.

8 Select Add to define a new virtual interface configuration, Edit to modify or override the configuration of an existing virtual interface or Delete to permanently remove a selected virtual interface.

Figure 5-35 Profile Overrides - Virtual Interfaces Basic Configuration screen

The Basic Configuration screen displays by default regardless of whether a new virtual interface is being created or an existing one is being modified. Select the General tab if not selected by default.

9 If creating a new virtual interface, use the VLAN ID spinner control to define a numeric VLAN ID from 1 - 4094.

10 Define or override the following parameters from within the Properties field:
Description: Provide or edit a description (up to 64 characters) for the virtual interface that helps differentiate it from others with similar configurations.
Admin Status: Either select the Disabled or Enabled radio button to define this interface's current status within the managed network. When set to Enabled, the virtual interface is operational and available to the controller or service platform. The default value is enabled.

11 Define or override the Network Address Translation (NAT) direction. Select either the Inside, Outside or None radio button.
Inside - The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
Outside - Packets passing through the NAT on the way back to the managed LAN are searched against the records kept by the NAT engine. There the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the switch managed network.
None - No NAT activity takes place. This is the default setting.

NOTE: Refer to Setting the Profile's NAT Configuration on page 8-186 for instructions on creating a profile's NAT configuration.

12 Set the following DHCPv6 Client Configuration. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework for passing configuration information.
Stateless DHCPv6 Client: Select this option to request information from the DHCPv6 server using stateless DHCPv6. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is disabled by default.
Prefix Delegation Client: Specify a 32 character maximum request prefix for prefix delegation from a DHCPv6 server over this virtual interface. Devices use prefixes to distinguish destinations that reside on-link from those reachable using a router.
Request DHCPv6 Options: Select this option to request DHCPv6 options on this virtual interface. DHCPv6 options provide configuration information for a node that must be booted using the network rather than locally. This setting is disabled by default.

13 Set the Bonjour Gateway settings for the virtual interface. Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers, other computers and services that these computers offer over a local network. Bonjour provides a general method to discover services on a local area network (LAN). It allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with special DNS configuration, it can be extended to find services across broadcast domains.

14 Select the Bonjour Gateway discover policy from the drop-down menu. Select the Create icon to define a new Bonjour Gateway policy configuration or select the Edit icon to modify an existing Bonjour Gateway policy configuration.

15 Set the following MTU settings for the virtual interface:
Maximum Transmission Unit (MTU): Set the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size. The default MTU is 1,492.
IPv6 MTU: Set an IPv6 MTU for this virtual interface from 1,280 - 1,500. A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data. The default is 1,500.

16 Within the ICMP field, define whether ICMPv6 redirect messages are sent. A redirect requests that data packets be sent on an alternative route. This setting is enabled by default.

17 Within the Address Autoconfiguration field, define whether to configure IPv6 addresses on this virtual interface based on the prefixes received in router advertisement messages. Router advertisements contain prefixes used for link determination, address configuration and maximum hop limits. This setting is enabled by default.

18 Set the following Router Advertisement Processing settings for the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.
Accept RA: Enable this option to allow router advertisements over this virtual interface. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters. This setting is enabled by default.
No Default Router: Select this option to consider routers unavailable on this interface for default router selection. This setting is disabled by default.
No MTU: Select this option to not use the existing MTU setting for router advertisements on this virtual interface. If the value is set to zero, no MTU options are sent. This setting is disabled by default.
No Hop Count: Select this option to not use the hop count advertisement setting for router advertisements on this virtual interface. This setting is disabled by default.

19 Select OK to save the changes. Select Reset to revert to the last saved configuration.

20 Select the IPv4 tab to set IPv4 settings for this virtual interface. IPv4 is a connectionless protocol. It operates on a best effort delivery model that does not guarantee delivery or assure proper sequencing or avoidance of duplicate delivery (unlike TCP).

21 Set the following network information from within the IPv4 Addresses field:
Figure 5-36 Virtual Interfaces - Basic Configuration screen - IPv4 tab

Enable Zero Configuration: Zero configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect to based on a user's preferences and various default settings. Zero config can be used instead of a wireless network utility from the manufacturer of a computer's wireless networking device. This value is set to None by default.
Primary IP Address: Define the IP address for the VLAN associated Virtual Interface.
Use DHCP to Obtain IP: Select this option to allow DHCP to provide the IP address for the Virtual Interface. Selecting this option disables the Primary IP address field.
Use DHCP to obtain Gateway/DNS Servers: Select this option to allow DHCP to obtain a default gateway address and DNS resource for one virtual interface. This setting is disabled by default and only available when the Use DHCP to Obtain IP option is selected.
Secondary Addresses: Use the Secondary Addresses parameter to define additional IP addresses to associate with VLAN IDs. The address provided in this field is used if the primary IP address is unreachable.

22 Refer to the DHCP Relay field to set the DHCP relay server configuration used with the Virtual Interface.
Respond to DHCP Relay Packets: Select this option to allow the onboard DHCP server to respond to relayed DHCP packets on this interface. This setting is disabled by default.
DHCP Relay: Provide IP addresses for DHCP server relay resources. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends the response back to the client.

23 Select OK to save the changes to the IPv4 configuration. Select Reset to revert to the last saved configuration.

24 Select the IPv6 tab to set IPv6 settings for this virtual interface. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters.

Figure 5-37 Virtual Interfaces - Basic Configuration screen - IPv6 tab

25 Refer to the IPv6 Addresses field to define how IPv6 addresses are created and utilized.
IPv6 Mode: Select this option to enable IPv6 support on this virtual interface. IPv6 is disabled by default.
IPv6 Address Static: Define up to 15 global IPv6 IP addresses that can be created statically. IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons.
IPv6 Address Static using EUI64: Optionally set up to 15 global IPv6 IP addresses (in the EUI-64 format) that can be created statically.
The IPv6 EUI-64 format address is obtained from a 48-bit MAC address. The MAC is initially separated into two 24-bit halves, one being an OUI (Organizationally Unique Identifier) and the other being client specific. A 16-bit 0xFFFE is then inserted between the two 24-bit halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from an EUI-48 MAC address.
IPv6 Address Link Local: Provide the IPv6 link local address. IPv6 requires a link local address assigned to every interface on which the IPv6 protocol is enabled, even when one or more routable addresses are assigned.

26 Enable the Enforce Duplicate Address option to enforce duplicate address protection when any wired port is connected and in a forwarding state. This option is enabled by default.

27 Refer to the IPv6 Address Prefix from Provider table to create IPv6 format prefix shortcuts as supplied by an ISP.

28 Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined.

Figure 5-38 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider

Delegated Prefix Name: Enter a 32 character maximum name for the IPv6 address prefix from provider.
Host ID: Define the subnet ID, host ID and prefix length.

29 Select OK to save the changes to the new IPv6 prefix from provider. Select Exit to close the screen without saving the updates.

30 Refer to the IPv6 Address Prefix from Provider EUI64 table to set an (abbreviated) IP address prefix in EUI64 format.

31 Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined in EUI64 format.

Figure 5-39 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider EUI64

Delegated Prefix Name: Enter a 32 character maximum name for the IPv6 prefix from provider in EUI format. Using EUI64, a host can automatically assign itself a unique 64-bit IPv6 interface identifier without manual configuration or DHCP.
Host ID: Define the subnet ID and prefix length.

32 Select OK to save the changes to the new IPv6 prefix from provider in EUI64 format. Select Exit to close the screen without saving the updates.

33 Refer to the DHCPv6 Relay table to set the address and interface of the DHCPv6 relay. The DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends the response back to the client.

34 Select + Add Row to launch a sub screen wherein a new DHCPv6 relay address and interface VLAN ID can be set.

Figure 5-40 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add DHCPv6 Relay

Address: Enter an address for the DHCPv6 relay. These DHCPv6 relays receive messages from DHCPv6 clients and forward them to DHCPv6 servers. The DHCPv6 server sends responses back to the relay, and the relay then sends these responses to the client on the local network.
Interface: Select this option to enable a spinner control to define a VLAN ID from 1 - 4,094 used as the virtual interface for the DHCPv6 relay. The interface designation is only required for link local and multicast addresses. A link local address is a locally derived address designed for addressing on a single link for automatic address configuration, neighbor discovery or when no routing resources are available.

35 Select OK to save the changes to the DHCPv6 relay configuration. Select Exit to close the screen without saving the updates.

36 Select the IPv6 RA Prefixes tab.

Figure 5-41 Virtual Interfaces - Basic Configuration screen - IPv6 RA Prefixes tab

37 Use the Router Advertisement Policy drop-down menu to select and apply a policy to the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.

38 Review the configurations of existing IPv6 advertisement policies. If needed, select + Add Row to define the configuration of an additional IPv6 RA prefix.

Figure 5-42 Virtual Interfaces - Basic Configuration screen - Add IPv6 RA Prefix

39 Set the following IPv6 RA Prefix settings:
Prefix Type: Set the prefix delegation type used with this configuration. Options include Prefix and prefix-from-provider. The default setting is Prefix. A prefix allows an administrator to associate a user defined name to an IPv6 prefix. A provider assigned prefix is made available from an Internet Service Provider (ISP) to automate the process of providing and informing the prefixes used.
Prefix or ID: Set the actual prefix or ID used with the IPv6 router advertisement.
Site Prefix: The site prefix is added into a router advertisement prefix. The site address prefix signifies the address is only on the local link.
Valid Lifetime Type: Set the lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If the value is set to infinite, no additional date or time settings are required for the prefix and the prefix will not expire. The default setting is External (fixed).
Valid Lifetime Sec: If the lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime.
Valid Lifetime Date: If the lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix.
Valid Lifetime Time: If the lifetime type is set to decrementing, set the time for the prefix's validity.
Preferred Lifetime Type: Set the administrator preferred lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If the value is set to infinite, no additional date or time settings are required for the prefix and the prefix will not expire. The default setting is External (fixed).
Preferred Lifetime Sec: If the administrator preferred lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime.
Preferred Lifetime Date: If the administrator preferred lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix.
Preferred Lifetime Time: If the preferred lifetime type is set to decrementing, set the time for the prefix's validity.
Autoconfig: Autoconfiguration includes generating a link-local address, global addresses via stateless address autoconfiguration and duplicate address detection to verify the uniqueness of the addresses on a link. This setting is enabled by default.
On Link: Select this option to keep the IPv6 RA prefix on the local link. The default setting is enabled.

40 Select OK to save the changes to the IPv6 RA prefix configuration. Select Exit to close the screen without saving the updates.

41 Select OK to save the changes and overrides. Select Reset to revert to the last saved configuration.

42 Select the Security tab.

Figure 5-43 Profile Overrides - Virtual Interfaces Security screen

43 Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv4 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, since it does not guarantee delivery, and does not ensure proper sequencing or avoidance of duplicate delivery (unlike TCP). IPv4 and IPv6 are different enough to warrant separate protocols. IPv6 devices can alternatively use stateless address autoconfiguration. IPv4 hosts can use link local addressing to provide local connectivity.

44 Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv6 is the latest revision of the Internet Protocol (IP) replacing IPv4. IPv6 provides enhanced identification and location information for systems routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

45 Use the VPN Crypto Map drop-down menu to select or override the Crypto Map configuration applied to this virtual interface. Crypto Map entries are sets of configuration parameters for encrypting packets that pass through the VPN Tunnel. If a Crypto Map configuration does not exist suiting the needs of this virtual interface, select the Create icon to define a new Crypto Map configuration or the Edit icon to modify an existing configuration. For more information, see Overriding a Profile's VPN Configuration on page 5-207.

46 Use the URL Filter drop-down menu to select or override the URL Filter configuration applied to this virtual interface. URL filtering is used to restrict access to undesirable resources on the Internet.

47 Select the Dynamic Routing tab (if available with your controller or service platform).

48 Define or override the following parameters from within the OSPF Settings field:
Figure 5-44 Profile Overrides - Virtual Interfaces Security screen

Priority: Select this option to set the OSPF priority used to select the network designated route. Use the spinner control to set the value from 0 - 255.
Cost: Select this option to set the cost of the OSPF interface. Use the spinner control to set the value from 1 - 65,535.
Bandwidth: Set the OSPF interface bandwidth (in Kbps) from 1 - 10,000,000.

49 Select the authentication type from the Chosen Authentication Type drop-down menu used to validate credentials within the OSPF dynamic route. Options include simple-password, message-digest, null and None. The default value is None.

50 Select the + Add Row button at the bottom of the MD5 Authentication table to add the Key ID and Password used for an MD5 validation of authenticator credentials. Use the spinner control to set the OSPF message digest authentication key ID. The available range is from 1 - 255. The password is the OSPF key, either displayed as a series of asterisks or in plain text (by selecting Show).

51 Select the OK button located at the bottom right of the screen to save the changes and overrides to the Dynamic Routing screen. Select Reset to revert to the last saved configuration.

5.2.7.3 Port Channel Override Configuration

Profile Interface Override Configuration

Profiles can utilize customized port channel configurations as part of their interface settings. Existing port channel profile configurations can be overridden as they become obsolete for specific device deployments.

To define or override a port channel configuration on a profile:
1 Select the Configuration tab from the Web UI.

2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

3 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

4 Select Profile Overrides from the Device menu to expand it into sub menu options.

5 Select Interface to expand its sub menu options.

6 Select Port Channels.

Figure 5-45 Profile Overrides - Port Channels screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

7 Refer to the following to review existing port channel configurations and status to determine whether a parameter requires an override:
Name: Displays the port channel's numerical identifier assigned when it was created. The numerical name cannot be modified as part of the edit process.
Type: Displays whether the type is port channel.
Description: Lists a short description (64 characters maximum) describing the port channel or differentiating it from others with similar configurations.
Admin Status: A green check mark defines the listed port channel as active and currently enabled with the profile. A red X defines the port channel as currently disabled and not available for use. The interface status can be modified with the port channel configuration as required.

8 To edit or override the configuration of an existing port channel, select it from amongst those displayed and select the Edit button. The port channel Basic Configuration screen displays by default.

9 Set or override the following port channel Properties:
Figure 5-46 Profile Overrides - Port Channels Basic Configuration screen

Description: Enter a description for the controller or service platform port channel (64 characters maximum).
Admin Status: Select the Enabled radio button to define this port channel as active to the profile it supports. Select the Disabled radio button to disable this port channel configuration in the profile. It can be activated at any future time when needed. The default setting is enabled.
Speed: Select the speed at which the port channel can receive and transmit data. Select either 10 Mbps, 100 Mbps or 1000 Mbps to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission. These options are not available if Auto is selected. Select Automatic to allow the port channel to automatically exchange information about data transmission speeds and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis. Automatic is the default setting.
Duplex: Select either half, full or automatic as the duplex option. Select Half duplex to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted. Like a full-duplex transmission, a half-duplex transmission can carry data in both directions, just not at the same time. Select Full duplex to transmit data to and from the port channel at the same time. Using full duplex, the port channel can send data while receiving data as well. Select Automatic to enable the controller or service platform to dynamically set the duplex mode as port channel performance needs dictate. Automatic is the default setting.

10 Use the Port Channel Load Balance drop-down menu from the Client Load Balancing section to define whether port channel load balancing is conducted using a Source/Destination IP or a Source/Destination MAC. Source/Destination IP is the default setting.

11 Define or override the following Switching Mode parameters to apply to the port channel configuration:
Mode: Select either the Access or Trunk radio button to set the VLAN switching mode over the port channel. If Access is selected, the port channel accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. If the mode is set to Trunk, the port channel allows packets from a list of VLANs you add to the trunk. A port channel configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged. Access is the default setting.
Native VLAN: Use the spinner control to define a numerical Native VLAN ID from 1 - 4094. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic will be directed over when using trunk mode. The default value is 1.
Tag the Native VLAN: Select this option to tag the native VLAN. Controllers and service platforms support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN ID the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, a 12 bit frame VLAN ID is added to the 802.1Q header, so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. This setting is disabled by default.
Allowed VLANs: Selecting Trunk as the mode enables the Allowed VLANs parameter. Add VLANs that exclusively send packets over the port channel.

12 Select OK to save the changes and overrides to the port channel Basic Configuration. Select Reset to revert to the last saved configuration.

13 Select the Security tab.

Figure 5-47 Profile Overrides - Port Channels Security screen

14 Refer to the Access Control section. As part of the port channel's security configuration, Inbound IPv4 IP, IPv6 IP and MAC address firewall rules are required.

15 Use the drop-down menus to select the firewall rules to apply to this profile's Ethernet port configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

16 Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific firewall rules to apply to this profile's port channel configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or avoidance of duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.

17 Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific firewall rules to apply to this profile's port channel configuration. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
18 If no existing firewall rule suits the data protection needs of the target port channel configuration, select the Create icon to define a new rule configuration or the Edit icon to modify an existing firewall rule configuration.

19 Refer to the Trust section to define or override the following:
Trust ARP Responses: Select this option to enable ARP trust on this port channel. ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices. The default value is disabled.

Trust DHCP Responses: Select this option to enable DHCP trust. If enabled, only DHCP responses are trusted and forwarded on this port channel, and a DHCP server can be connected only to a DHCP trusted port. The default value is enabled.

ARP header Mismatch Validation: Select this option to enable a source MAC mismatch check between the ARP header and the Ethernet header. The default value is enabled.

Trust 802.1p COS values: Select this option to trust 802.1p COS values on this port channel. The default value is enabled.

Trust IP DSCP: Select this option to trust IP DSCP values on this port channel. The default value is disabled.

20 Refer to the IPv6 Settings field to define the following:

Trust ND Requests: Select the check box to enable neighbor discovery (ND) request trust on this port channel (neighbor discovery requests received on this port are considered trusted). Neighbor discovery allows the discovery of an adjacent device's MAC addresses, similar to Address Resolution Protocol (ARP) on Ethernet in IPv4. The default value is disabled.

Trust DHCPv6 Responses: Select the check box to enable DHCPv6 trust. If enabled, only DHCPv6 responses are trusted and forwarded on this port channel, and a DHCPv6 server can be connected only to a trusted port. The default value is enabled.

ND header Mismatch Validation: Select the check box to enable a mismatch check for the source MAC between the ND header and the link layer option. The default value is disabled.

RA Guard: Select this option to allow router advertisements or IPv6 redirects from this port. Router advertisements are sent periodically to hosts or in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This setting is enabled by default.

21 Select OK to save the changes and overrides to the security configuration. Select Reset to revert to the last saved configuration.

22 Select the Spanning Tree tab.

23 Define or override the following PortFast parameters for the port channel's MSTP configuration:
Figure 5-48 Profile Overrides - Port Channels Spanning Tree screen

Enable PortFast: Select this option to enable the drop-down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options for the port. This setting is disabled by default.

Enable PortFast BPDU Filter: Enable PortFast to invoke a BPDU filter for this PortFast-enabled port channel. Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs.

Enable PortFast BPDU Guard: Enable PortFast to invoke a BPDU guard for this PortFast-enabled port channel. Enabling the BPDU Guard feature means this port will shut down on receiving a BPDU, so no BPDUs are processed.

24 Set or override the following MSTP Configuration parameters for the port channel:
Enable as Edge Port: Select this option to define this port as an edge port. Using an edge (private) port, you can isolate devices to prevent connectivity over this port channel. This setting is disabled by default.

Link Type: Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link. Selecting Shared indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link, while one connected to a controller or service platform is a point-to-point link. Point-to-Point is the default setting.

Cisco MSTP Interoperability: Select either the Enable or Disable radio button. This enables interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default.

Force Protocol Version: Sets the protocol version to either STP(0), Not Supported(1), RSTP(2) or MSTP(3). MSTP is the default setting.

Guard: Determines whether the port channel enforces root bridge placement. Setting the guard to Root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state: no data is forwarded across the port. Thus, the guard root enforces the root bridge position.

25 Refer to the Spanning Tree Port Cost table.

26 Define or override an Instance Index using the spinner control and then set the Cost. The default path cost depends on the user-defined port speed. The cost helps determine the role of the port channel in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.

Speed                        Default Path Cost
<=100000 bits/sec            200000000
<=1000000 bits/sec           20000000
<=10000000 bits/sec          2000000
<=100000000 bits/sec         200000
<=1000000000 bits/sec        20000
<=10000000000 bits/sec       2000
<=100000000000 bits/sec      200
<=1000000000000 bits/sec     20
>1000000000000 bits/sec      2

27 Refer to the Spanning Tree Port Priority table. Define or override an Instance Index using the spinner control, then set the Priority. The lower the priority, the greater the likelihood of the port becoming a designated port.

28 Select + Add Row as needed to include additional indexes.

29 Select OK to save the changes and overrides made to the Ethernet Port Spanning Tree configuration. Select Reset to revert to the last saved configuration.

5.2.7.4 VM Interface Override Configuration

WiNG provides a dataplane bridge for external network connectivity for Virtual Machines (VMs). VM Interfaces define which IP address is associated with each VLAN ID the service platform is connected to and enable remote service platform administration. Each custom VM can have a maximum of two VM interfaces. Each VM interface can be mapped to one of sixteen VMIF ports on the dataplane bridge. This mapping determines the destination for service platform routing. By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1 is an untagged port providing access to VLAN 1 to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as to configure specific firewall and QoS rules. To define or override a VM interface's configuration on a profile:
1 Select the Configuration tab from the Web UI.

2 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

3 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.

4 Select Profile Overrides from the Device menu to expand it into sub menu options.

5 Select Interface to expand its sub menu options.

6 Select VM Interfaces. The VM Interfaces screen displays.

Figure 5-49 Profile Overrides - VM Interfaces screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

7 Refer to the following to review existing VM interface configurations and status to determine whether a parameter requires an override:
Name: Displays the VM interface numerical identifier assigned when it was created. The numerical name cannot be modified as part of the edit process.

Type: Displays whether the type is a VM interface.

Description: Lists a short description (64 characters maximum) describing the VM interface or differentiating it from others with similar configurations.

Admin Status: A green check mark defines the listed VM interface as active and currently enabled with the profile. A red X defines the VM interface as currently disabled and not available for use. The interface status can be modified with the VM interface Basic Configuration screen as required.

Mode: Displays the layer 3 mode of the VM interface as either Access or Trunk (as defined within the VM Interfaces Basic Configuration screen). If Access is selected, the listed VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the port are expected to be untagged and are mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs added to the trunk. A VM interface configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN, which can be tagged or untagged.

Native VLAN: Lists the numerical VLAN ID (1 - 4094) set for the native VLAN. The native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a VM interface in trunk mode.

Tag Native VLAN: A green check mark defines the native VLAN as tagged. A red X defines the native VLAN as untagged. When a frame is tagged, the 12 bit VLAN ID is carried in the 802.1Q header so upstream VM interface ports know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream VM interface classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame.

Allowed VLANs: Displays those VLANs allowed to send packets over the listed VM interface. Allowed VLANs are only listed when the mode has been set to Trunk.

8 To edit or override the configuration of an existing VM interface, select it from amongst those displayed and select the Edit button. The VM Interfaces Basic Configuration screen displays by default.

9 Set or override the following VM Interface Properties:
Figure 5-50 Profile Overrides - VM Interfaces Basic Configuration screen

Description: Enter a description for the controller or service platform VM interface (64 characters maximum).

Admin Status: Select the Enabled radio button to define this VM interface as active to the profile it supports. Select the Disabled radio button to disable this VM interface configuration in the profile. It can be activated at any future time when needed. The default setting is disabled.

10 Define or override the following Switching Mode parameters to apply to the VM Interface configuration:
Mode: Select either the Access or Trunk radio button to set the VLAN switching mode over the VM interface. If Access is selected, the VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the VMIF port are expected to be untagged and are mapped to the native VLAN. If the mode is set to Trunk, the VM interface allows packets from a list of VLANs you add to the trunk. A VM interface configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN, which can be tagged or untagged. Access is the default setting.

Native VLAN: Use the spinner control to define a numerical Native VLAN ID from 1 - 4094. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using trunk mode. The default value is 1.

Tag the Native VLAN: Select this option to tag the native VLAN. Service platforms support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for the upstream VMIF, the VLAN ID the frame belongs to. If the upstream VMIF does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between VM interface ports, both VM interfaces must support tagging and be configured to accept tagged VLANs. When a frame is tagged, a 12 bit VLAN ID is carried in the 802.1Q header, so upstream VM interfaces know which VLAN ID the frame belongs to. The 12 bit VLAN ID is read and the frame is forwarded to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream VMIF classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. This setting is disabled by default.

Allowed VLANs: Selecting Trunk as the mode enables the Allowed VLANs parameter. Add the VLANs that are exclusively permitted to send packets over the VM interface. The available range is from 1 - 4094. The maximum number of entries is 256.

11 Select OK to save the changes and overrides to the VM interface basic configuration. Select Reset to revert to the last saved configuration.

12 Select the Security tab.

Figure 5-51 Profile Overrides - VM Interfaces Security screen

13 Refer to the Access Control field. As part of the VM interface's security configuration, IPv4 Inbound, IPv6 Inbound and MAC Inbound address firewall rules are required.

14 Use the drop-down menus to select the firewall rules to apply to this profile's VM interface configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.

15 Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4 specific firewall rules to apply to this profile's VM interface configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method: it does not guarantee delivery, and does not ensure proper sequencing or protect against duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.

16 Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6 specific firewall rules to apply to this profile's VM interface configuration. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
17 If no existing firewall rule suits the data protection needs of the target VM interface configuration, select the Create icon to define a new rule configuration, or the Edit icon to modify an existing firewall rule configuration.

18 Refer to the Trust section to define or override the following:
Trust ARP Responses: Select this option to enable ARP trust on this VM interface. ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices. The default value is disabled.

Trust DHCP Responses: Select this option to enable DHCP trust on this VM interface. If enabled, only DHCP responses are trusted and forwarded on this VM interface, and a DHCP server can be connected only to a DHCP trusted port. The default value is enabled.

ARP header Mismatch Validation: Select this option to enable a source MAC mismatch check between the ARP header and the Ethernet header. The default value is enabled.

Trust 802.1p COS values: Select this option to trust 802.1p COS values on this VM interface. The default value is enabled.

Trust IP DSCP: Select this option to trust IP DSCP values on this VM interface. The default value is disabled.

19 Set the following IPv6 Settings:

Trust ND Requests: Select this option to trust the neighbor discovery requests required on an IPv6 network on this VM interface. This setting is disabled by default.

Trust DHCPv6 Responses: Select this option to trust all DHCPv6 responses on this VM interface. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link. This setting is enabled by default.

ND Header Mismatch Validation: Select this option to enable a mismatch check for the source MAC between the ND header and the link layer option. This setting is disabled by default.

RA Guard: Select this option to enable router advertisements or ICMPv6 redirects from this VM interface. Router advertisements are sent periodically to hosts or in response to neighbor solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This setting is disabled by default.

20 Select OK to save the changes and overrides to the security configuration. Select Reset to revert to the last saved configuration.
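The Switching Mode settings (Mode, Native VLAN, Tag the Native VLAN, Allowed VLANs) in step 10 and the Trust settings (Trust DHCP Responses, ARP header Mismatch Validation, RA Guard) in steps 18 and 19 above, like the matching port channel tables earlier in this chapter, together decide for each inbound frame whether it is forwarded and on which VLAN. The following Python model is an added example and not WiNG code: it parses the 802.1Q header (the 12 bit VLAN ID in the low bits of the TCI), applies the access/trunk/native/allowed rules, and then the trust checks. The frame kinds (dhcp_response, arp, icmpv6_ra) are supplied as labels standing in for the IP, UDP and ICMPv6 parsing the example omits, and the MAC addresses and PortPolicy values are constructed.

```python
# Added example (not WiNG code): the VLAN classification and trust checks a
# port channel or VM interface applies to an inbound frame, as a small model.
from dataclasses import dataclass
from typing import Optional, Tuple

TPID_8021Q = 0x8100      # EtherType that announces an 802.1Q tag
VLAN_ID_MASK = 0x0FFF    # the 12-bit VLAN ID inside the 16-bit TCI


def parse_ethernet_header(raw: bytes) -> Tuple[bytes, bytes, Optional[int], int]:
    """Return (dst, src, vlan_id or None, ethertype) from a raw frame.

    An 802.1Q tag is the 4 bytes (TPID 0x8100 + TCI) inserted after the source
    MAC; the VLAN ID is the low 12 bits of the TCI, as the manual describes.
    """
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    tpid = int.from_bytes(raw[12:14], "big")
    if tpid == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q header")
        tci = int.from_bytes(raw[14:16], "big")
        ethertype = int.from_bytes(raw[16:18], "big")
        return dst, src, tci & VLAN_ID_MASK, ethertype
    return dst, src, None, tpid          # untagged frame


@dataclass
class PortPolicy:
    mode: str = "access"                     # "access" (the default) or "trunk"
    native_vlan: int = 1
    allowed_vlans: frozenset = frozenset()   # trunk mode only
    trust_dhcp_responses: bool = True        # page default: enabled
    arp_header_mismatch_validation: bool = True
    ra_guard: bool = True                    # on the page, enabled = RAs/redirects permitted


@dataclass
class Frame:
    raw: bytes
    kind: str = "data"                       # "dhcp_response", "arp", "icmpv6_ra", "data"
    arp_sender_mac: Optional[bytes] = None   # sender hardware address in the ARP body


def classify_vlan(policy: PortPolicy, vlan_id: Optional[int]) -> Tuple[Optional[int], str]:
    """Map a frame's tag (or absence of one) to the VLAN the port puts it on."""
    if vlan_id is None:                      # untagged: both modes use the native VLAN
        return policy.native_vlan, "native"
    if policy.mode == "access":              # access ports expect untagged frames only
        return None, "tagged frame on access port"
    if vlan_id == policy.native_vlan:
        return vlan_id, "tagged native"
    if vlan_id in policy.allowed_vlans:
        return vlan_id, "allowed"
    return None, f"VLAN {vlan_id} not in allowed list"


def ingress(policy: PortPolicy, frame: Frame) -> Tuple[str, Optional[int], str]:
    """Return ("forward", vlan, reason) or ("drop", None, reason)."""
    _dst, src, vlan_id, _ethertype = parse_ethernet_header(frame.raw)
    vlan, why = classify_vlan(policy, vlan_id)
    if vlan is None:
        return "drop", None, why
    # Trust checks: a DHCP server answer is only accepted from a trusted port,
    # an ARP body must name the same sender MAC as the Ethernet header, and
    # router advertisements / redirects need RA Guard permission.
    if frame.kind == "dhcp_response" and not policy.trust_dhcp_responses:
        return "drop", None, "DHCP server response on untrusted port"
    if (frame.kind == "arp" and policy.arp_header_mismatch_validation
            and frame.arp_sender_mac != src):
        return "drop", None, "ARP sender MAC differs from Ethernet source MAC"
    if frame.kind in ("icmpv6_ra", "icmpv6_redirect") and not policy.ra_guard:
        return "drop", None, "router advertisement not permitted on this port"
    return "forward", vlan, why


def build_frame(src: bytes, vlan_id: Optional[int], ethertype: int = 0x0800) -> bytes:
    """Constructed sample frame: broadcast destination, optional tag, no payload."""
    hdr = b"\xff" * 6 + src
    if vlan_id is not None:
        hdr += TPID_8021Q.to_bytes(2, "big") + (vlan_id & VLAN_ID_MASK).to_bytes(2, "big")
    return hdr + ethertype.to_bytes(2, "big")


MAC_A = bytes.fromhex("02000000000a")        # constructed, locally administered
MAC_B = bytes.fromhex("02000000000b")
TRUNK = PortPolicy(mode="trunk", native_vlan=1, allowed_vlans=frozenset({10, 20}),
                   trust_dhcp_responses=False)

if __name__ == "__main__":
    for f in (Frame(build_frame(MAC_A, None)),
              Frame(build_frame(MAC_A, 10)),
              Frame(build_frame(MAC_A, 30)),
              Frame(build_frame(MAC_A, 10), kind="dhcp_response"),
              Frame(build_frame(MAC_A, 20, 0x0806), kind="arp", arp_sender_mac=MAC_B)):
        print(ingress(TRUNK, f))
```

The model makes two choices the page leaves implicit: an access port drops any tagged frame, and both modes place untagged frames on the native VLAN. The RA Guard flag is named after the page's wording, where enabling it permits router advertisements, so the check fires when it is off.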
5.2.7.5 Radio Override Configuration

Access Points can have their radio profile configurations overridden once their radios have successfully associated to the network. To define a radio configuration override from the Access Point's associated controller or service platform:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select an Access Point (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Select Interface to expand its sub menu options.

5 Select Radios.

Figure 5-52 Profile Overrides - Radios screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Review the following radio configuration data to determine whether a radio configuration requires modification or override to better support the managed network:
Name: Displays whether the reporting radio is the Access Point's radio1, radio2 or radio3.

Type: Displays the type of radio housed by each listed Access Point.

Description: Displays a brief description of the radio provided by the administrator when the radio's configuration was added or modified.

Admin Status: A green check mark defines the listed radio configuration as active and enabled with its supported profile. A red X defines the Virtual Interface as currently disabled. The interface status can be modified when a new Virtual Interface is created or an existing one modified.

RF Mode: Displays whether each listed radio is operating in the 802.11an or 802.11bgn radio band. If the radio is a dedicated sensor, it is listed as a sensor to define the radio as not providing typical WLAN support. If the radio is a client-bridge, it provides a typical bridging function and does not provide WLAN support. The radio band is set from within the Radio Settings tab.

Channel: Lists the channel setting for the radio. Smart is the default setting. If set to Smart, the Access Point scans non-overlapping channels listening for beacons from other Access Points. After the channels are scanned, it selects the channel with the fewest Access Points. In the case of multiple Access Points on the same channel, it selects the channel with the lowest average power level. The column displays Smart if set for dynamic Smart RF support.

Transmit Power: Lists the transmit power for each radio displayed as a value in milliwatts. Selecting Smart allows the radio to perform power adjustments to compensate for failed neighboring radios.

Overrides: A Clear link appears for each radio configuration that has an override applied to the profile's configuration. Select Clear to revert this specific radio configuration to the profile configuration originally defined by the administrator for this radio.
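The Channel column above describes the Smart selection rule: scan the non-overlapping channels for beacons, take the channel with the fewest Access Points, and break ties on the lowest average power level. The following Python function is an added example, not WiNG code, that applies that rule to a constructed list of scan observations (channel, BSSID, received power in dBm). The candidate channel set (1, 6, 11), the de-duplication of repeated beacons by BSSID, and the final tie-break on channel number are assumptions the page does not state.

```python
# Added example (not WiNG code): the "Smart" channel choice described in the
# Channel column, applied to constructed scan results.
from collections import defaultdict
from statistics import mean
from typing import Dict, Iterable, Sequence, Tuple

# Assumption: the non-overlapping 2.4 GHz channels a scan would cover.
NON_OVERLAPPING_2GHZ = (1, 6, 11)

Observation = Tuple[int, str, int]   # (channel, BSSID, received power in dBm)


def summarise_scan(observations: Iterable[Observation],
                   candidates: Sequence[int]) -> Dict[int, Dict[str, int]]:
    """Collapse beacons into one entry per BSSID per channel, keeping the
    strongest power seen, and ignore channels outside the candidate set."""
    heard: Dict[int, Dict[str, int]] = defaultdict(dict)
    for channel, bssid, power_dbm in observations:
        if channel not in candidates:
            continue
        prev = heard[channel].get(bssid)
        heard[channel][bssid] = power_dbm if prev is None else max(prev, power_dbm)
    return heard


def pick_smart_channel(observations: Iterable[Observation],
                       candidates: Sequence[int] = NON_OVERLAPPING_2GHZ) -> int:
    """Fewest Access Points heard wins; on a tie, the channel whose Access
    Points have the lowest average power level. The lowest channel number is
    a final deterministic tie-break (an assumption, not stated on the page)."""
    heard = summarise_scan(observations, candidates)

    def rank(channel: int):
        aps = heard.get(channel, {})
        avg_power = mean(aps.values()) if aps else float("-inf")   # empty channel ranks best
        return (len(aps), avg_power, channel)

    return min(candidates, key=rank)


# Constructed scan: two APs each on channels 1, 6 and 11; those on 11 are weakest.
SCAN_TIED = [
    (1, "02:00:00:00:00:01", -45), (1, "02:00:00:00:00:02", -70),
    (1, "02:00:00:00:00:01", -47),        # repeat beacon from the same AP
    (6, "02:00:00:00:00:03", -40), (6, "02:00:00:00:00:04", -50),
    (11, "02:00:00:00:00:05", -80), (11, "02:00:00:00:00:06", -85),
    (3, "02:00:00:00:00:07", -30),        # not a candidate channel, ignored
]
# The same scan plus a third AP on channel 11, so 11 no longer has the fewest APs.
SCAN_CROWDED_11 = SCAN_TIED + [(11, "02:00:00:00:00:08", -60)]

if __name__ == "__main__":
    print(pick_smart_channel(SCAN_TIED))        # 11: tie on count, lowest average power
    print(pick_smart_channel(SCAN_CROWDED_11))  # 1: channels 1 and 6 tie, 1 is quieter
```

Counting distinct BSSIDs rather than raw beacons matters: a chatty AP would otherwise be counted several times and push the selection toward a channel that is actually busier.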
7 If required, select a radio configuration and select Edit to modify or override portions of its configuration. The Radio Settings tab displays by default.

Figure 5-53 Profile Overrides - Access Point Radio Settings tab

8 Define or override the following radio configuration parameters from within the Properties field:
Description: Provide or edit a description (1 - 64 characters in length) for the radio that helps differentiate it from others with similar configurations.

Admin Status: Select either the Enabled or Disabled radio button to define this radio's current status within the network. When enabled, the Access Point is operational and available for client support within the network. The radio is enabled by default and must be manually shut down.

Radio QoS Policy: Use the drop-down menu to specify an existing QoS policy to apply to the Access Point radio in respect to its intended radio traffic. If there is no existing policy suiting the radio's intended operation, select the Create icon to define a new QoS policy that can be applied to this profile. For more information, see Radio QoS Policy on page 6-66.

Association ACL: Use the drop-down menu to specify an existing Association ACL policy to apply to the Access Point radio. An Association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a managed Access Point radio. An ACL is a sequential collection of permit and deny conditions that apply to controller or service platform packets. When a packet is received on an interface, the controller or service platform compares the fields in the packet against any applied ACLs to verify the packet has the required permissions to be forwarded, based on the criteria specified in the access lists. If a packet does not meet any of the criteria specified in the ACL, the packet is dropped. Select the Create icon to define a new Association ACL that can be applied to this profile.

9 Set or override the following profile Radio Settings for the selected Access Point radio:

RF Mode: Set the mode to either 2.4 GHz WLAN or 5 GHz WLAN depending on the radio's intended client support requirement. Set the mode to Sensor if using the radio for rogue device detection. To set a radio as a detector, disable sensor support on the other Access Point radio. Set the mode to scan-ahead in DFS aware countries to allow a mesh point's secondary radio to scan for an alternative channel for backhaul transmission in the event of a radar event on the principal radio. The secondary radio continually monitors the alternate channel, which means the principal radio can switch channels and transmit data immediately without waiting for the channel availability check.

Lock RF Mode: Select this option to lock Smart RF for this radio. The default setting is disabled.

Channel: Use the drop-down menu to select the channel of operation for the radio. Only a trained installation professional should define the radio channel. Select Smart for the radio to scan non-overlapping channels listening for beacons from other Access Points. After channels are scanned, the radio selects the channel with the fewest Access Points. In the case of multiple Access Points on the same channel, it selects the channel with the lowest average power level. The default value is Smart. Channels with a w appended to them are unique to the 40 MHz band. Channels with a ww appended to them are 802.11ac specific, only appear when using an AP8232, and are unique to the 80 MHz band.

DFS Revert Home: Select this option to revert to the home channel after a DFS evacuation period.

DFS Duration: Set the DFS duration between 30 and 3,600 minutes. This is the duration for which the radio stays in the new channel. The default value is 90 minutes.

Transmit Power: Set the transmit power of the selected Access Point radio. If using a dual or three radio model Access Point, each radio should be configured with a unique transmit power in respect to its intended client support function. Select the Smart RF option to let Smart RF determine the transmit power. A setting of 0 defines the radio as using Smart RF to determine its output power. 20 dBm is the default value.

Antenna Gain: Set the antenna gain between 0.00 - 15.00 dBm. The Access Point's Power Management Antenna Configuration File (PMACF) automatically configures the Access Point's radio transmit power based on the antenna type, its antenna gain (provided here) and the deployed country's regulatory domain restrictions. Once provided, the Access Point calculates the power range. Antenna gain relates the intensity of an antenna in a given direction to the intensity that would be produced ideally by an antenna that radiates equally in all directions (isotropically) and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Only a professional installer should set the antenna gain. The default value is 0.00.

Antenna Mode: Set the number of transmit and receive antennas on the Access Point. 1x1 is used for transmissions over just the single A antenna; 1x3 is used for transmissions over the A antenna and all three antennas for receiving. 2x2 is used for transmissions and receipts over two antennas for dual antenna models. The default setting is dynamic, based on the Access Point model deployed and its transmit power settings.

Enable Antenna Diversity: Select this option to enable antenna diversity on supported antennas. Antenna diversity uses two or more antennas to increase signal quality and strength. This option is disabled by default.

Adaptivity Recovery: Select this option to switch channels when an Access Point's radio is in adaptivity mode. In adaptivity mode, an Access Point monitors interference on its set channel and stops functioning when the radio's defined interference tolerance level is exceeded. When the defined adaptivity timeout is exceeded, the radio resumes functionality on a different channel. This option is enabled by default.

Adaptivity Timeout: Set the adaptivity timeout from 30 to 3,600 minutes. The default setting is 90 minutes.

Wireless Client Power: Select this option to specify the transmit power on supported wireless clients. If this is enabled, set a client power level between 0 and 20 dBm. This option is disabled by default.

Dynamic Chain Selection: Select this option for the radio to dynamically change the number of transmit chains. This option is enabled by default.

Rate: Use the Select button to set rate options depending on the 802.11 protocols selected. If the radio band is set to Sensor or Detector, the Data Rates drop-down menu is not enabled, as the rates are fixed and not user configurable. If 2.4 GHz is selected as the radio band, select separate 802.11b, 802.11g and 802.11n rates and define how they are used in combination. If 5 GHz is selected as the radio band, select separate 802.11a and 802.11n rates, then define how they are used together. When using 802.11n (in either the 2.4 or 5 GHz band), set an MCS (modulation and coding scheme) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Clients can associate as long as they support basic MCS (as well as non-11n basic rates). If dedicating an AP81XX model radio to either 2.4 or 5 GHz support, a Custom Rates option is available to set an MCS in respect to the radio's channel width and guard interval. If Basic is selected within the 802.11n Rates field, the MCS0-7 option is auto selected as a Supported rate and that option is greyed out. If Basic is not selected, any combination of MCS0-7, MCS8-15 and MCS16-23 can be supported, including a case where MCS0-7 and MCS16-23 are selected and not MCS8-15. The MCS0-7 and MCS8-15 options are available to each supported Access Point. However, the MCS16-23 option is only available to AP81XX model Access Points and their ability to provide 3x3x3 MIMO support.

Radio Placement: Use the drop-down menu to specify whether the radio is located Indoors or Outdoors. The placement should depend on the country of operation selected and its regulatory domain requirements for radio emissions. The default setting is Indoors.

Max Clients: Use the spinner control to set a maximum permissible number of clients to connect with this radio. The available range is from 0 - 256 clients. The default is 256.

Rate Selection Methods: Specify a rate selection method for the radio. The selection methods are:
Standard - the standard monotonic rate selection method is used.
Opportunistic - sets opportunistic radio link adaptation (ORLA) as the rate selection method. This mode uses opportunistic data rate selection to provide the best throughput. The ORLA rate selection mode is supported only on the AP7161 and AP8163 model Access Points.

10 Set or override the following profile WLAN Properties for the selected Access Point radio:
Beacon Interval: Set the interval between radio beacons in milliseconds (either 50, 100 or 200). A beacon is a packet broadcast by adopted radios to keep the network synchronized. Included in a beacon are the WLAN service area, radio address, broadcast destination addresses, a time stamp, and indicators about traffic and delivery (such as a DTIM). Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter-sensitive. The default value is 100 milliseconds.

DTIM Interval: Set a DTIM Interval to specify a period for Delivery Traffic Indication Messages (DTIM). A DTIM is periodically included in a beacon frame transmitted from adopted radios. The DTIM indicates that broadcast and multicast frames (buffered at the Access Point) are soon to arrive. These are simple data frames that require no acknowledgment, so nodes sometimes miss them. Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve their battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter-sensitive.

RTS Threshold: Specify a Request To Send (RTS) threshold (between 1 and 65,536 bytes) for use by the WLAN's adopted Access Point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path. Control RTS/CTS by setting an RTS threshold. This setting initiates an RTS/CTS exchange for data frames larger than the threshold, and sends (without RTS/CTS) any data frames smaller than the threshold. Consider the trade-offs when setting an appropriate RTS threshold for the WLAN's Access Point radios. A lower RTS threshold causes more frequent RTS/CTS exchanges. This consumes more bandwidth because of the additional latency (RTS/CTS exchanges) before transmissions can commence. The disadvantage is reduced data-frame throughput; the advantage is quicker recovery from electromagnetic interference and data collisions. Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold. A higher RTS threshold minimizes RTS/CTS exchanges, consuming less bandwidth for data transmissions. The disadvantage is less help to nodes that encounter interference and collisions; the advantage is faster data-frame throughput. Environments with less wireless traffic and contention for transmission make the best use of a higher RTS threshold.

Short Preamble: If using a 2.4 GHz (802.11b/g) radio, select this option to transmit using a short preamble. Short preambles improve throughput. However, some devices (SpectraLink/Polycom phones) require long preambles. The default value is disabled.

Guard Interval: Use the drop-down menu to specify a Long or Any guard interval. The guard interval is the space between symbols being transmitted. The guard interval eliminates inter-symbol interference (ISI). ISI occurs when echoes or reflections from one symbol interfere with another symbol. Adding time between transmissions allows echoes and reflections to settle before the next symbol is transmitted. A shorter guard interval results in shorter symbol times, which reduces overhead and increases data rates by up to 10%. The default value is Long.

Probe Response Rate: Use the drop-down menu to specify the data rate used for the transmission of probe responses. Options include highest-basic, lowest-basic and follow-probe-request (the default setting).

Probe Response Retry: Select this option to retry probe responses if they are not acknowledged by the target wireless client. The default value is enabled.

11 Select a mode from the Feed WLAN Packets to Sensor check box in the Radio Share section to enable this feature. Select either Inline or Promiscuous mode to allow the packets the radio is switching to also be used by the WIPS analysis module. In inline mode the WIPS sensor receives the packets from the radio while the radio operates in normal mode. In promiscuous mode the radio is configured to receive all packets on the channel, whether or not the destination address is the radio, and the WIPS module can analyze them.

12 Select the WLAN Mapping/Mesh Mapping tab.

13 Refer to the WLAN/BSS Mappings field to set or override WLAN BSSID assignments for an existing Access Point deployment.

Figure 5-54 Profile Overrides - Access Point Radio WLAN Mapping tab

Administrators can assign each WLAN its own BSSID. If using a single-radio access point, there are 8 BSSIDs available. If using a dual-radio access point, there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio.

14 Select Advanced Mapping to enable WLAN mapping to a specific BSS ID.

15 Select OK to save the changes and overrides to the WLAN Mapping. Select Reset to revert to the last saved configuration.

16 Select the Legacy Mesh tab.

17 Refer to the Settings field to define or override basic mesh settings for the Access Point radio.

Figure 5-55 Profile Overrides - Access Point Legacy Mesh tab

Mesh: Use the drop-down to set the mesh mode for this radio. Available options include Disabled, Portal or Client. Setting the mesh mode to Disabled deactivates all mesh activity on this radio. Setting the mesh mode to Portal turns the radio into a mesh portal; the radio starts beaconing immediately and accepts connections from other mesh nodes. Setting the mesh mode to Client enables the radio to operate as a mesh client that scans for and connects to mesh portals or nodes connected to portals.

Mesh Links: Specify the number of mesh links allowed by the radio. The radio can have from 1 to 6 mesh links when it is configured as a Portal.

Mesh PSK: Provide the encryption key in either ASCII or hex format. Administrators must ensure this key is configured on the Access Point when it is staged for mesh, and added to both the mesh client and the portal Access Point configuration on the controller or service platform. Select Show to expose the characters used in the PSK. Every portal and client on the mesh shares this one key, so use a long random passphrase or a full hex key rather than a short word.

NOTE: Only single hop mesh links are supported at this time.

18 Refer to the Preferred Peer Devices table to add mesh peers. For each peer being added, enter its MAC Address and a Priority from 1 to 6. The lower the priority number assigned, the higher the priority it is given when connecting to the mesh infrastructure.

19 Select the + Add Row button to add preferred peer devices for the radio to connect to in mesh mode.

20 Select the Client Bridge Settings tab to configure the selected radio as a client bridge. Note: before configuring the client-bridge parameters, set the radio's rf-mode to bridge. An Access Point's radio can be configured to form a bridge between its wireless/wired clients and an infrastructure WLAN. The bridge radio authenticates and associates with an infrastructure WLAN Access Point. After successful association, the Access Point switches frames between its bridge radio and the wired/wireless client(s) connected either to its GE port(s) or to the other radio, thereby providing the clients access to the infrastructure WLAN resources. This feature is supported only on the AP6522, AP6562, AP7602, AP7532, AP7562 and AP7622 model Access Points.
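The Mesh PSK above and the client-bridge Authentication, Encryption and EAP Parameters fields that follow are the settings that decide whether a backhaul link is actually protected, and the GUI accepts weak combinations (no authentication, TKIP, a short passphrase) without comment. The following is an added example, not code from this guide or from Extreme Networks, that lints those settings before they are pushed as overrides. The dictionary layout, the finding texts and the three constructed sample configurations are assumptions made for this example; the field names and value ranges follow the Legacy Mesh and Client Bridge Settings tabs described in this section.

```python
"""Lint the security-relevant Legacy Mesh and Client Bridge radio settings.

Added example; this is not code from the WiNG guide or from Extreme Networks.
The field names follow the Legacy Mesh and Client Bridge Settings tabs
described in this section. The dictionary layout, the finding texts and the
constructed sample configurations are assumptions made for this example.
"""
import re

_HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")


def check_psk(psk):
    """Findings for a PSK given in ASCII or hex form (the Mesh PSK field).

    A 64-digit hex string is accepted as a raw 256-bit key. Anything else is
    treated as an ASCII passphrase, which WPA2 limits to 8-63 characters.
    """
    if not psk:
        return ["PSK is empty"]
    if _HEX_KEY.match(psk):
        return []
    if not 8 <= len(psk) <= 63:
        return ["ASCII PSK must be 8-63 characters (or exactly 64 hex digits)"]
    if len(psk) < 20:
        return ["ASCII PSK under 20 characters is weak against offline guessing"]
    return []


def lint_mesh(cfg):
    """(severity, message) findings for one Legacy Mesh radio configuration."""
    findings = []
    mode = cfg.get("mode", "Disabled")
    if mode == "Disabled":
        return findings            # no mesh activity, nothing to check
    # The same key is shared by every portal and client on the mesh.
    findings.extend(("high", m) for m in check_psk(cfg.get("psk")))
    links = cfg.get("mesh_links", 1)
    if mode == "Portal" and not 1 <= links <= 6:
        findings.append(("low", f"a Portal allows 1-6 mesh links, not {links}"))
    for peer in cfg.get("preferred_peers", []):
        if not 1 <= peer.get("priority", 0) <= 6:
            findings.append(("low", f"peer {peer.get('mac')} priority must be 1-6"))
    return findings


def lint_client_bridge(cfg):
    """(severity, message) findings for one Client Bridge radio configuration."""
    findings = []
    enc = cfg.get("encryption", "None")
    auth = cfg.get("authentication", "None")
    if enc == "None":
        findings.append(("high", "encryption None: bridged traffic crosses the air in clear text"))
    elif enc == "TKIP":
        findings.append(("high", "encryption TKIP is deprecated; use CCMP"))
    if auth == "None" and not cfg.get("pre_shared_key"):
        findings.append(("high", "authentication None and no PSK: the bridge will join any AP advertising this SSID"))
    if cfg.get("pre_shared_key"):
        findings.extend(("medium", m) for m in check_psk(cfg["pre_shared_key"]))
    if auth == "EAP":
        eap = cfg.get("eap", {})
        if eap.get("type") not in ("TLS", "PEAP-MS-CHAPv2"):
            findings.append(("high", "EAP type must be TLS or PEAP-MS-CHAPv2"))
        if eap.get("type") == "PEAP-MS-CHAPv2":
            for field in ("username", "password"):
                value = eap.get(field, "")
                if not value:
                    findings.append(("high", f"EAP {field} is missing"))
                elif len(value) > 32:
                    findings.append(("high", f"EAP {field} exceeds the 32-character limit"))
    if not 1 <= cfg.get("vlan", 1) <= 4095:
        findings.append(("low", f"VLAN {cfg['vlan']} is outside 1-4095"))
    return findings


# Constructed sample configurations; they do not describe any real deployment.
WEAK_BRIDGE = {"ssid": "warehouse-backhaul", "vlan": 20, "authentication": "None",
               "encryption": "TKIP", "pre_shared_key": "bridge1"}
HARDENED_BRIDGE = {"ssid": "warehouse-backhaul", "vlan": 20, "authentication": "EAP",
                   "encryption": "CCMP",
                   "eap": {"type": "PEAP-MS-CHAPv2", "username": "cb-ap-07",
                           "password": "Lq7!vR2m-8zKp4Xs"}}
PORTAL = {"mode": "Portal", "psk": "0" * 64, "mesh_links": 2,
          "preferred_peers": [{"mac": "00-11-22-33-44-55", "priority": 1}]}


if __name__ == "__main__":
    for name, cfg, lint in (("weak bridge", WEAK_BRIDGE, lint_client_bridge),
                            ("hardened bridge", HARDENED_BRIDGE, lint_client_bridge),
                            ("portal", PORTAL, lint_mesh)):
        print(name, lint(cfg) or "ok")
```

The weak sample is reported twice (TKIP and a seven-character PSK) while the hardened one, using CCMP with EAP credentials inside the 32-character limits, passes clean; the mesh checks reuse the same PSK rule because a mesh key and a bridge key are both WPA2-style pre-shared keys.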
21 Refer to the General field and define the following configurations:

Figure 5-56 Profile - Access Point Client Bridge Settings tab

SSID: Set the SSID of the infrastructure WLAN the client-bridge Access Point associates with.

VLAN: Set the VLAN to which the bridged client sessions are mapped after successful association with the infrastructure WLAN. Once mapped, the client bridge communicates with permitted hosts over the infrastructure WLAN. Specify a VLAN from 1 to 4095.

Max Clients: Set the maximum number of client-bridge Access Points that can associate with the infrastructure WLAN. Specify a value from 1 to 64. The default value is 64.

Connect through Bridges: Select this option to enable the client-bridge access point radio to associate with the infrastructure WLAN through another client-bridge radio, thereby forming a chain. This is referred to as daisy chaining of client-bridge radios. This option is disabled by default.

Channel Dwell Time: Set the channel dwell time from 50 to 2,000 milliseconds. This is the time the client-bridge radio dwells on each channel (configured in the list of channels) when scanning for an infrastructure WLAN. The default is 150 milliseconds.

Authentication: Set the mode of authentication with the infrastructure WLAN. The authentication mode specified here must match the one configured on the infrastructure WLAN. The options are None and EAP. If selecting EAP, specify the EAP authentication parameters. The default setting is None. For information on WLAN authentication, see Configuring WLAN Security.

Encryption: Set the packet encryption mode. The encryption mode specified here must match the one configured on the infrastructure WLAN. The options are None, CCMP and TKIP. The default setting is None. Use CCMP wherever the infrastructure WLAN allows it: None leaves the bridged traffic unencrypted over the air, and TKIP is deprecated and retained only for legacy interoperability. For information on WLAN encryption, see Configuring WLAN Security.

22 Refer to the EAP Parameters field and define the following EAP authentication parameters:

Type: Use the drop-down menu to select the EAP authentication method used by the supplicant. The options are TLS and PEAP-MS-CHAPv2. The default EAP type is PEAP-MS-CHAPv2.

Username: Set the user name (32 characters maximum) for the EAP authentication credential exchange.

Password: Set the password (32 characters maximum) for the EAP user name specified above.

Pre-shared Key: Set the pre-shared key (PSK) used with EAP. Note: the authentication algorithm and PSK configured here must be the same as those on the infrastructure WLAN.

Handshake Basic Rate: Set the basic rate for the exchange of handshake packets between the client bridge and the infrastructure WLAN Access Points. The options are highest and normal. The default value is highest.

23 Refer to the Channel Lists field and define the list of channels the client-bridge radio scans when searching for an infrastructure WLAN.

Band A: Define a list of channels to scan in the 5 GHz radio band.

Band BG: Define a list of channels to scan in the 2.4 GHz radio band.

24 Refer to the Keepalive Parameters field and define the following configurations:
Keepalive Type: Set the keepalive frame type exchanged between the client-bridge and infrastructure Access Points. These packets are exchanged at the specified interval to keep the client-bridge link up and active. The options are null-data and WNMP packets. The default value is null-data.

Keepalive Interval: Set the keepalive interval from 0 to 86,400 seconds. This is the interval between two successive keepalive frames exchanged between the client-bridge and infrastructure Access Points. The default value is 300 seconds.

Inactivity Timeout: Set the inactivity timeout for each bridged MAC address from 0 to 864,000 seconds. This is the time the client-bridge access point waits before deleting a wired/wireless client's MAC address from which no frame has been received. For example, if the inactivity timeout is set to 120 seconds and no frames are received from a client (MAC address) for 120 seconds, the entry is deleted. The default value is 600 seconds.

25 Refer to the Radio Link Behaviour field and define the following configurations:

Shutdown Other Radio when Link Goes Down: Select this option to shut down the non-client-bridge radio (the radio to which wireless clients associate) when the link between the client-bridge and infrastructure access points is lost. When enabled, wireless clients associated with the non-client-bridge radio are pushed to search for and associate with other access points that have backhaul connectivity. This option is disabled by default. If enabling this option, specify the time for which the non-client-bridge radio is shut down. Use the spinner to specify a time from 1 to 1,800 seconds.

Refresh VLAN Interface when Link Comes Up: Select this option to refresh the SVI when the client-bridge link to the infrastructure Access Point is re-established. If the interface uses a DHCP-assigned IP address, this also triggers a DHCP renew. This option is enabled by default.

26 Refer to the Roam Criteria field and define the following configuration:

Seconds for Missed Beacons: Set this interval from 0 to 60 seconds. This is the time the client-bridge Access Point waits, after missing a beacon from the associated infrastructure WLAN Access Point, before roaming to another infrastructure Access Point. For example, if Seconds for Missed Beacons is set to 30 seconds and more than 30 seconds have passed since the last beacon received from the infrastructure Access Point, the client-bridge Access Point resumes scanning for another infrastructure Access Point. The default value is 20 seconds.

Minimum Signal Strength: Set the minimum signal-strength threshold for signals received from the infrastructure Access Point. Specify a value from -128 to -40 dBm. If the RSSI of signals received from the infrastructure access point falls below this value, the client-bridge access point resumes scanning for another infrastructure access point. The default is -75 dBm.

27 Select OK to save or override the changes to the Client Bridge Settings screen. Select Reset to revert to the last saved configuration.

28 Select the Advanced Settings tab.

Figure 5-57 Profile Overrides - Access Point Radio Advanced Settings tab

29 Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define or override how MAC service frames are aggregated by the Access Point radio.

A-MPDU Modes: Use the drop-down menu to define the A-MPDU mode supported. Options include Transmit Only, Receive Only, Transmit and Receive, and None. The default value is Transmit and Receive. Using the default value, long frames can be both sent and received (up to 64 KB). When enabled, define either a transmit or receive limit (or both).

Minimum Gap Between Frames: Use the drop-down menu to define the minimum gap between A-MPDU frames (in microseconds). The default value is 4 microseconds. A value of auto designates that the gap is set by the system.

Received Frame Size Limit: If a supported mode is enabled that allows A-MPDU frames to be received, define an advertised maximum limit for received A-MPDU aggregated frames. Options include 8191, 16383, 32767 or 65535 bytes. The default value is 65535 bytes.

Transmit Frame Size Limit: Use the spinner control to set a limit on transmitted A-MPDU aggregated frames. The available range is 2,000 to 65,535 bytes. The default value is 65535 bytes.

30 Use the A-MSDU Modes drop-down menu in the Aggregate MAC Service Data Unit (A-MSDU) section to set or override the supported A-MSDU mode. Available modes include Receive Only and Transmit and Receive. Transmit and Receive is the default value. Using Transmit and Receive, frames up to 4 KB can be sent and received. The buffer limit is not configurable.

31 Use the Airtime Fairness fields to optionally prioritize wireless access to devices. Select Enable Fair Access to enable this feature and provide clients equal access to radio resources. Select Prefer High Throughput Clients to prioritize clients with higher throughput (802.11n clients) over clients with slower throughput (802.11a/b/g clients). Use the spinner control to set a weight for the higher throughput clients.

32 Set or override the following Miscellaneous advanced radio settings:
RIFS Mode: Define a RIFS (reduced interframe space) mode to determine whether reduced interframe spacing is applied to Access Point transmissions, received packets, both, or neither. The default mode is Transmit and Receive. Interframe spacing is an interval between two consecutive frames that allows a brief recovery between packets and lets the target device prepare for the reception of the next packet. Consider setting this value to None for high priority traffic to reduce packet delay.

STBC Mode: Select a space-time block coding (STBC) option to transmit multiple copies of a data stream across the Access Point antennas to improve signal reliability. An Access Point's transmitted signal traverses a problematic environment, with scattering, reflection and refraction all prevalent. The signal can be further corrupted by noise at the receiver. Consequently, some of the received data copies are less corrupt and better than others. This redundancy means there is a greater chance of using one, or more, of the received copies to successfully decode the signal. STBC effectively combines all the signal copies to extract as much information from each as possible.

Transmit Beamforming: Enable beamforming to steer signals to peers in a specific direction to enhance signal strength and improve throughput amongst meshed devices (not clients). Each Access Point radio supports up to 16 beamforming-capable mesh peers. When enabled, a beamformer steers its wireless signals to its peers. A beamformee device assists the beamformer with channel estimation by providing a feedback matrix. The feedback matrix is a set of values sent by the beamformee to assist the beamformer in computing a steering matrix. A steering matrix is an additional set of values used to steer wireless signals at the beamformer so that constructive signals arrive at the beamformee for better SNR and throughput. Any beamforming-capable mesh peer connecting to a radio whose capacity is exhausted cannot enable beamforming itself. Transmit beamforming is available on AP81XX (AP8122, AP8132 and AP8163) model Access Points only, and is disabled by default.

33 Set or override the following Aeroscout Properties:
Forwarding Host: Specify the Aeroscout engine's IP address. When specified, the AP forwards Aeroscout beacons directly to the Aeroscout locationing engine without proxying through the controller or RF Domain manager. Note: Aeroscout beacon forwarding is supported only on the AP6532, AP7502, AP7522, AP7532, AP7562, AP8432 and AP8533 model Access Points.

Forwarding Port: Use the spinner control to set the port on which the Aeroscout engine is reachable.

MAC to be forwarded: Specify the MAC address to be forwarded.

34 Set or override the following Ekahau Properties:

Forward Host: Specify the Ekahau engine IP address. With Ekahau, small battery-powered Wi-Fi tags are attached to tracked assets or carried by people. Ekahau processes locations, rules, messages and environmental data and turns the information into locationing maps, alerts and reports.

Forwarding Port: Use the spinner control to set the Ekahau TZSP port used for processing information from locationing tags.

MAC to be forwarded: Specify the MAC address to be forwarded with location data requests.

35 Set or override the following Non-Unicast Traffic values for the profile's supported Access Point radio and its connected wireless clients:

Non-Unicast Transmit Rate: Use the Select drop-down menu to launch a sub-screen to define the data rate for broadcast and multicast frame transmissions. Seven different rates are available if not using the same rate for each BSSID, each with a separate menu.

Non-Unicast Forwarding: Define whether client broadcast and multicast packets should always follow DTIM, or only follow DTIM when using Power Save Aware mode. The default setting is Follow DTIM.

36 Refer to the Sniffer Redirect (Packet Capture) field to define or override the radio's captured packet configuration.

Host for Redirected Packets: If packets are redirected from a controller's or service platform's connected Access Point radio, define the IP address of the resource (an additional host system) used to capture the redirected packets. This is the numerical (non-DNS) address of the host used to capture the redirected packets. Captured frames are delivered to this host as-is, so it should be reachable only over a path you trust.

Channel to Capture Packets: Use the drop-down menu to specify the channel used to capture redirected packets. The default value is channel 1.

37 Refer to the Channel Scanning field to define or override the radio's off-channel scanning configuration.

Enable Off-Channel Scan: Enable this option to scan across all channels using this radio. Channel scans use Access Point resources and can be time consuming, so only enable this when you are sure the radio can afford the bandwidth directed towards the channel scan without negatively impacting client support.

Off Channel Scan list for 5GHz: Define a list of channels for off-channel scans using the 5 GHz Access Point radio. Restricting off-channel scans to specific channels frees bandwidth otherwise used for scanning across all the channels in the 5 GHz radio band.

Off Channel Scan list for 2.4GHz: Define a list of channels for off-channel scans using the 2.4 GHz Access Point radio. Restricting off-channel scans to specific channels frees bandwidth otherwise used for scanning across all the channels in the 2.4 GHz radio band.

Max Multicast: Set the maximum number (from 0 to 100) of multicast/broadcast messages used to perform off-channel scanning. The default setting is four.

Scan Interval: Set the interval (from 2 to 100 DTIMs) at which off-channel scans occur. The default setting is 20 DTIMs.

Sniffer Redirect: Specify the IP address of the host to which captured off-channel scan packets are redirected.

38 If an AP7161 or AP7181 is deployed, refer to the following AP7161/AP7181 specific values to set outdoor antenna characteristics:

Enable Antenna Downlift: Enable this setting (on AP7181 models only) to allow the Access Point to physically transmit in a downward orientation (ADEPT mode).

Extended Range: Set an extended range (from 1 to 25 kilometers) to allow AP7161 and AP7181 model Access Points to transmit and receive with their clients at greater distances without being timed out.

39 Select OK to save or override the changes to the Advanced Settings screen. Select Reset to revert to the last saved configuration.

5.2.7.6 WAN Backhaul Override Configuration

A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a device to connect, transmit and receive data over a cellular wide area network. The RFS4000 and RFS6000 each have a PCI Express card slot that supports 3G WWAN cards. The WWAN card uses the Point-to-Point Protocol (PPP) to connect to the Internet Service Provider (ISP) and gain access to the Internet. PPP is the protocol used for establishing Internet links over dial-up modems, DSL connections, and many other types of point-to-point communications. PPP packages your system's TCP/IP packets and forwards them to the serial device, where they can be put on the network. PPP is a full-duplex protocol that can be used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High-level Data Link Control (HDLC) for packet encapsulation.

To define a WAN Backhaul configuration override:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select a target Access Point (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub-menu options.

4 Select Interface to expand its sub-menu options.

5 Select WAN Backhaul.

Figure 5-58 Profile Overrides - WAN Backhaul screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Refer to the WAN (3G) Backhaul configuration to specify WAN card settings:

WAN Interface Name: Displays the WAN interface name for the WAN 3G Backhaul card.

Reset WAN Card: If the WAN card becomes unresponsive or is experiencing other errors, click the Reset WAN Card button to power cycle and reboot the WAN card.

Enable WAN (3G): Check this box to enable 3G WAN card support on the device. A supported 3G card must be connected to the device for this feature to work properly.

7 Define or override the following authentication parameters from within the Basic Settings field:

Username: Provide a username for authentication with the cellular data carrier.

Password: Provide a password for authentication with the cellular data carrier.

Access Point Name (APN): Enter the name of the cellular data provider if necessary. This setting is needed in areas with multiple cellular data providers using the same protocols, such as Europe and Asia.

Authentication Type: Use the drop-down menu to specify the authentication type used by the cellular data provider. Supported authentication types are None, PAP, CHAP, MSCHAP, and MSCHAP-v2. PAP sends the password across the link in clear text; CHAP, MSCHAP and MSCHAP-v2 answer a per-session challenge instead and never transmit the password itself, so prefer one of them whenever the carrier supports it.

8 Define or override the following NAT parameters from within the Network Address Translation (NAT) field:

NAT Direction: Define the Network Address Translation (NAT) direction. Options include:
Inside - The inside (private) network is transmitting data across the WAN toward its intended destination. On the way out, the source IP address in the header is replaced by the (public) IP address.
Outside - Packets passing back through the NAT to the controller or service platform managed LAN are matched against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private IP address in order to reach the LAN.
None - No NAT activity takes place. This is the default setting.

9 Define or override the following security parameters from within the Security Settings field:

IPv4 Inbound Firewall Rules: Use the drop-down menu to select an inbound IPv4 ACL to associate with traffic on the WAN backhaul. This setting pertains to IPv4 inbound traffic only and not IPv6. IPv4 operates as a best-effort delivery method: it does not guarantee delivery, and does not ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link-local addressing to provide local connectivity. If an appropriate IP ACL does not exist, select the Add button to create a new one.

VPN Crypto Map: If necessary, specify a crypto map for the wireless WAN. A crypto map can be up to 256 characters long. If a suitable crypto map is not available, click the Create button to configure a new one.

Define or override the following route parameters from within the Default Route Priority field:

WWAN Default Route Priority: Use the spinner control to define a priority from 1 to 8,000 for the default route learned by the wireless WAN. The default value is 3000.

10 Select OK to save or override the changes to the WAN Backhaul screen. Select Reset to revert to the last saved configuration.

5.2.7.7 PPPoE Override Configuration

PPP over Ethernet (PPPoE) is a data-link protocol for dial-up-style connections. PPPoE allows the access point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data and broadband networks. Most DSL providers support (or deploy) PPPoE. PPPoE uses the authentication, compression and encryption methods defined for PPP. PPPoE enables controllers, service platforms and Access Points to establish a point-to-point connection to an ISP over an existing Ethernet interface. To provide this point-to-point connection, each PPPoE session learns the Ethernet address of the remote PPPoE peer and establishes a session. PPPoE uses both a discovery and a session phase to identify a peer and establish a point-to-point connection. By using such a connection, a Wireless WAN failover is available to maintain seamless network access if the access point's wired WAN were to fail.

NOTE: Devices with PPPoE enabled continue to support VPN, NAT, PBR and 3G failover on the PPPoE interface. Multiple PPPoE sessions are supported using a single user account if RADIUS is configured to allow simultaneous access.

When PPPoE client operation is enabled, the access point discovers an available server and establishes a PPPoE link for traffic flow. When a wired WAN connection failure is detected, traffic flows through the WWAN interface in failover mode (if the WWAN network is configured and available).
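The Authentication Type drop-down for the WAN backhaul above, and the identical list for the PPPoE client further down, offer None, PAP, CHAP, MSCHAP and MSCHAP-v2 without saying what each puts on the link. The following is an added example, not code from this guide or from Extreme Networks, that models both ends of the two simplest choices: PAP, where the Password field itself is transmitted, and CHAP as specified in RFC 1994, where only MD5(Identifier || secret || Challenge) is transmitted and a captured response is useless against the next challenge. The peer name, the secret, the authenticator name and the credential lookup are constructed for this example; MS-CHAP and MS-CHAP-v2 use different hashing and are not modelled.

```python
"""What the WAN backhaul and PPPoE Authentication Type choices put on the link.

Added example; this is not code from the WiNG guide or from Extreme Networks.
PAP follows RFC 1334 (password sent as-is); CHAP follows RFC 1994
(Response Value = MD5(Identifier || secret || Challenge)). The peer name,
secret, authenticator name and credential table are constructed for the
example. MS-CHAP and MS-CHAP-v2 are not modelled.
"""
import hashlib
import secrets

CHALLENGE, RESPONSE = 1, 2           # CHAP packet codes (RFC 1994 section 4)
PEER_NAME = b"ap-backhaul"           # the Username field
SECRET = b"carrier-assigned-secret"  # the Password field


def pap_request(peer_id, password):
    """PAP Authenticate-Request body: the password travels in clear text."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def encode_chap(code, ident, value, name):
    """CHAP packet: Code, Identifier, Length (2 bytes), Value-Size, Value, Name."""
    body = bytes([len(value)]) + value + name
    return bytes([code, ident]) + (4 + len(body)).to_bytes(2, "big") + body


def decode_chap(pkt):
    """Parse a CHAP packet, rejecting length fields that do not match the data."""
    if len(pkt) < 5 or int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("bad CHAP length")
    size = pkt[4]
    value, name = pkt[5:5 + size], pkt[5 + size:]
    if len(value) != size:
        raise ValueError("truncated CHAP value")
    return pkt[0], pkt[1], value, name


def chap_response(ident, secret, challenge):
    """Peer side: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def chap_verify(ident, secret, challenge, response):
    """Authenticator side: recompute and compare in constant time."""
    if secret is None:                # unknown peer name
        return False
    return secrets.compare_digest(chap_response(ident, secret, challenge), response)


def run_chap(peer_secret, credentials, authenticator=b"carrier-lns"):
    """One CHAP round trip. Returns (authenticated, bytes seen on the link)."""
    ident, challenge = secrets.randbelow(256), secrets.token_bytes(16)
    pkt1 = encode_chap(CHALLENGE, ident, challenge, authenticator)   # authenticator -> peer
    _, rid, chal, _ = decode_chap(pkt1)                              # peer parses it
    pkt2 = encode_chap(RESPONSE, rid, chap_response(rid, peer_secret, chal), PEER_NAME)
    code, rid2, resp, name = decode_chap(pkt2)                       # authenticator parses
    ok = code == RESPONSE and rid2 == ident and chap_verify(ident, credentials.get(name), challenge, resp)
    return ok, pkt1 + pkt2


def replay_is_rejected(secret=SECRET):
    """A response captured for one challenge does not verify against a fresh one."""
    captured = chap_response(7, secret, secrets.token_bytes(16))
    return not chap_verify(7, secret, secrets.token_bytes(16), captured)


if __name__ == "__main__":
    print("PAP leaks secret:", SECRET in pap_request(PEER_NAME, SECRET))
    ok, wire = run_chap(SECRET, {PEER_NAME: SECRET})
    print("CHAP authenticated:", ok, "secret on link:", SECRET in wire)
```

The secret never appears in the CHAP bytes, a wrong secret or unknown peer name fails verification, and a replayed response fails because the authenticator issues a new random challenge each time; the same reasoning applies to the PPPoE client's Authentication Type selection.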
When the PPPoE link becomes accessible again, traffic is redirected back through the access points wired WAN link. When the access point initiates a PPPoE session, it first performs a discovery to identify the Ethernet MAC address of the PPPoE client and establish a PPPoE session ID. In discovery, the PPPoE client discovers a server to host the PPPoE connection. To create a PPPoE point-to-point configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target Access Point (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Interface to expand its sub menu options.
5 Select PPPoE.

Figure 5-59 Profile Overrides - PPPoE screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Use the Basic Settings field to enable PPPoE and define a PPPoE client:

Admin Status: Select Enable to support a high speed client mode point-to-point connection using the PPPoE protocol. The default setting is disabled.
Service: Enter the 128 character maximum PPPoE client service name provided by the service provider.
DSL Modem Network (VLAN): Use the spinner control to set the PPPoE VLAN (client local network) connected to the DSL modem. The available range is 1 - 4,094. The default VLAN is VLAN1.
Client IP Address: Provide the numerical (non hostname) IP address of the PPPoE client.

7 Define the following Authentication parameters for PPPoE client interoperation:

Username: Provide the 64 character maximum username used for authentication support by the PPPoE client.
Password: Provide the 64 character maximum password used for authentication by the PPPoE client.
Authentication Type: Use the drop-down menu to specify the authentication type used by the PPPoE client, and whose credentials must be shared by its peer access point. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2.

8 Define the following Connection settings for the PPPoE point-to-point connection with the PPPoE client:

Maximum Transmission Unit (MTU): Set the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size. The default MTU is 1,492.
Client Idle Timeout: Set a timeout in either Seconds (1 - 65,535), Minutes (1 - 1,092) or Hours. The Access Point uses the defined timeout so it does not sit idle waiting for input from the PPPoE client and server that may never come. The default setting is 10 minutes.
Keep Alive: Select this option to ensure the point-to-point connection to the PPPoE client is continuously maintained and not timed out. This setting is disabled by default.

9 Set the Network Address Translation (NAT) direction for the PPPoE configuration. Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in another network. The access point router maps its local (Inside) network addresses to WAN (Outside) IP addresses, and translates the WAN IP addresses on incoming packets to local IP addresses. NAT is useful because it allows the authentication of incoming and outgoing requests, and minimizes the number of WAN IP addresses needed when a range of local IP addresses is mapped to each WAN IP address. The default setting is None (neither inside nor outside).

10 Define the following Security Settings for the PPPoE configuration:

IPv4 Inbound Firewall Rules: Use the drop-down menu to select a firewall (set of IPv4 formatted access connection rules) to apply to the PPPoE client connection. If a firewall rule does not exist suiting the data protection needs of the PPPoE client connection, select the Create icon to define a new rule configuration or the Edit icon to modify an existing rule. For more information, see Configuring IP Firewall Rules on page 10-20.
VPN Crypto Map: Use the drop-down menu to apply an existing crypto map configuration to this PPPoE interface.

11 Use the spinner control to set the Default Route Priority for the default route obtained using PPPoE. Select from 1 - 8,000. The default setting is 2,000.
12 Select OK to save the changes to the PPPoE screen. Select Reset to revert to the last saved configuration. Saved configurations are persistent across reloads.

5.2.7.8 Bluetooth Configuration

Profile Interface Override Configuration

AP-8432 and AP-8533 model Access Points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP-8432 and AP-8533 models support both Bluetooth classic and Bluetooth low energy technology. These platforms can use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.

NOTE: AP-8132 model Access Points support an external USB Bluetooth radio providing ADSP Bluetooth classic sensing functionality only, not the Bluetooth low energy beaconing functionality available for AP-8432 and AP-8533 model Access Points described in this section.

AP-8432 and AP-8533 model Access Points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The Access Point's Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets on a periodic basis. These advertisement packets are short and are sent on Bluetooth advertising channels that conform to the already-established iBeacon and Eddystone-URL standards. Portions of the advertising packet are still customizable, however.

To define a Bluetooth radio interface configuration:
1 Select Devices from the Configuration tab.
2 The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
3 Select a target Access Point (by double-clicking it) from amongst those displayed within the Device Configuration screen.
4 Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
5 Select Profile Overrides from the Device menu to expand it into sub menu options.
6 Select Interface to expand its sub menu options.
7 Select Bluetooth.

Figure 5-60 Profile Overrides - Bluetooth screen

8 Set the following Bluetooth Radio Configuration parameters:

Admin Status: Enable or Disable Bluetooth support capabilities for AP-8432 or AP-8533 model Access Point Bluetooth radio transmissions. The default value is disabled.
Description: Define a 64 character maximum description for the Access Point's Bluetooth radio to differentiate this radio interface from other Bluetooth supported radios that may be members of the same RF Domain.

9 Set the following Basic Settings:

Bluetooth Radio Functional Mode: Set the Access Point's Bluetooth radio functional mode to either bt-sensor or le-beacon. Use bt-sensor mode for ADSP Bluetooth classic sensing. Use le-beacon mode to have the Access Point transmit both iBeacon and Eddystone-URL low energy beacons. le-beacon is the default setting.
Beacon Transmission Period: Set the Bluetooth radio's beacon transmission period from 100 - 10,000 milliseconds. The default setting is 1,000 milliseconds.
Beacon Transmission Pattern: When the Bluetooth radio's mode is set to le-beacon, use the enabled drop-down menu to set the beacon's emitted transmission pattern to either eddystone_url1, eddystone_url2 or ibeacon. An Eddystone-URL frame broadcasts a URL using a compressed encoding scheme to better fit within a limited advertisement packet. Once decoded, the URL can be used by a client for Internet access. iBeacon was created by Apple for use in iOS devices (beginning with iOS version 7.0). There are three data fields Apple has made available to iOS applications: a UUID for device identification, a Major value for device class and a Minor value for more refined information like product category.

10 Define the following Eddystone Settings if the Beacon Transmission Pattern has been set to either eddystone_url_1 or eddystone_url_2:

Eddystone Beacon Calibration Signal Strength: Set the Eddystone beacon measured calibration signal strength, from -127 to 127 dBm, at 0 meters. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 0 meters. The default setting is -19 dBm.
URL-1 to Transmit Eddystone-URL: Enter a 64 character maximum Eddystone URL-1. The URL must be 18 characters or less once auto-encoding is applied. The encoding process is for getting the URL to fit within the beacon's payload.
URL-2 to Transmit Eddystone-URL: Enter a 64 character maximum Eddystone URL-2. The URL must be 18 characters or less once auto-encoding is applied. The encoding process is for getting the URL to fit within the beacon's payload.

11 Define the following iBeacon Settings if the Beacon Transmission Pattern has been set to iBeacon:

iBeacon Calibration Signal Strength: Set the iBeacon measured calibration signal strength, from -127 to 127 dBm, at 1 meter. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 1 meter. The default setting is -60 dBm.
iBeacon Major Number: Set the iBeacon Major value from 0 - 65,535. Major values identify and distinguish groups. For example, each beacon on a specific floor in a building could be assigned a unique major value. The default is 1,111.
iBeacon Minor Number: Set the iBeacon Minor value from 0 - 65,535. Minor values identify and distinguish individual beacons. Minor values help identify individual beacons within a group of beacons assigned a major value. The default setting is 2,222.
iBeacon UUID: Define a 32 hex character maximum UUID. The Universally Unique IDentifier (UUID) classification contains 32 hexadecimal digits. The UUID distinguishes iBeacons in the network from all other beacons in networks outside of your direct administration.

12 Select OK to save the changes to the Bluetooth configuration. Select Reset to revert to the last saved configuration. Saved configurations are persistent across reloads.

5.2.8 Overriding a Profile's Network Configuration

Profile Overrides

Setting a profile's network configuration is a large task comprised of numerous administration activities. Each of the activities described below can have an override applied to the original profile configuration.
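The Eddystone-URL compression and the iBeacon field limits given in steps 10 and 11 of the Bluetooth configuration above (section 5.2.7.8), worked through in Python as an added example; this is not WiNG or Extreme Networks code. It assumes the screen's 18 character encoded-URL limit counts the one-byte scheme prefix, takes the byte layouts from the public Eddystone-URL and iBeacon advertisement formats, and uses a constructed UUID and URL as sample input.

```python
"""Beacon frame helpers for the Bluetooth settings above (added example, not WiNG code).
Limits come from the configuration text: a 64 character URL entry that must be
18 bytes or less once encoded, a 32 hex character UUID, Major/Minor 0 - 65,535 and
calibration strengths of -127 to 127 dBm. Byte layouts follow the public
Eddystone-URL and iBeacon advertisement formats (assumption: the 18 byte limit
includes the scheme prefix byte)."""
import struct
import uuid as uuid_mod

# Eddystone-URL scheme prefixes (byte 0 of the encoded URL) and the
# domain-suffix expansion codes that collapse a common suffix to one byte.
URL_PREFIXES = {"http://www.": 0x00, "https://www.": 0x01,
                "http://": 0x02, "https://": 0x03}
URL_EXPANSIONS = {".com/": 0x00, ".org/": 0x01, ".edu/": 0x02, ".net/": 0x03,
                  ".info/": 0x04, ".biz/": 0x05, ".gov/": 0x06,
                  ".com": 0x07, ".org": 0x08, ".edu": 0x09, ".net": 0x0A,
                  ".info": 0x0B, ".biz": 0x0C, ".gov": 0x0D}
MAX_RAW_URL = 64        # entry limit for URL-1 / URL-2
MAX_ENCODED_URL = 18    # "18 characters or less once auto-encoding is applied"
# longest match first, so "https://www." beats "https://" and ".com/" beats ".com"
_PREFIX_ORDER = sorted(URL_PREFIXES, key=len, reverse=True)
_EXPANSION_ORDER = sorted(URL_EXPANSIONS, key=len, reverse=True)


def encode_eddystone_url(url: str) -> bytes:
    """Compress a URL as an Eddystone-URL beacon does; raises ValueError when the
    result would not fit the limit the configuration screen enforces."""
    if len(url) > MAX_RAW_URL:
        raise ValueError("URL exceeds the 64 character entry limit")
    for prefix in _PREFIX_ORDER:
        if url.startswith(prefix):
            out = bytearray([URL_PREFIXES[prefix]])
            rest = url[len(prefix):]
            break
    else:
        raise ValueError("URL must begin with http:// or https://")
    i = 0
    while i < len(rest):
        for suffix in _EXPANSION_ORDER:
            if rest.startswith(suffix, i):
                out.append(URL_EXPANSIONS[suffix])
                i += len(suffix)
                break
        else:
            code = ord(rest[i])
            if not 0x20 < code < 0x7F:   # only printable ASCII is encodable
                raise ValueError(f"character {rest[i]!r} cannot be encoded")
            out.append(code)
            i += 1
    if len(out) > MAX_ENCODED_URL:
        raise ValueError(f"encoded URL is {len(out)} bytes; limit is {MAX_ENCODED_URL}")
    return bytes(out)


def decode_eddystone_url(encoded: bytes) -> str:
    """Inverse of encode_eddystone_url, e.g. for checking a captured beacon."""
    prefixes = {v: k for k, v in URL_PREFIXES.items()}
    expansions = {v: k for k, v in URL_EXPANSIONS.items()}
    url = prefixes[encoded[0]]
    for b in encoded[1:]:
        url += expansions.get(b, chr(b))
    return url


def eddystone_url_fits(url: str) -> bool:
    """True when the URL survives both the 64 character and 18 byte limits."""
    try:
        encode_eddystone_url(url)
        return True
    except ValueError:
        return False


def build_eddystone_url_frame(url: str, tx_power_0m_dbm: int) -> bytes:
    """Eddystone-URL service data: frame type 0x10, calibrated power at 0 m, URL."""
    if not -127 <= tx_power_0m_dbm <= 127:
        raise ValueError("calibration strength must be -127 to 127 dBm")
    return bytes([0x10]) + struct.pack("b", tx_power_0m_dbm) + encode_eddystone_url(url)


def build_ibeacon_adv(uuid_hex: str, major: int, minor: int, tx_power_1m_dbm: int) -> bytes:
    """30 byte iBeacon advertisement: flags AD structure plus Apple's
    manufacturer-specific structure (company 0x004C, type 0x02, length 0x15)."""
    if len(uuid_hex.replace("-", "")) != 32:
        raise ValueError("UUID must be 32 hexadecimal characters")
    if not (0 <= major <= 65535 and 0 <= minor <= 65535):
        raise ValueError("Major and Minor must be 0 - 65,535")
    if not -127 <= tx_power_1m_dbm <= 127:
        raise ValueError("calibration strength must be -127 to 127 dBm")
    flags = bytes([0x02, 0x01, 0x06])  # LE General Discoverable, BR/EDR not supported
    body = (bytes([0x4C, 0x00, 0x02, 0x15]) + uuid_mod.UUID(hex=uuid_hex).bytes
            + struct.pack(">HHb", major, minor, tx_power_1m_dbm))
    return flags + bytes([len(body) + 1, 0xFF]) + body


def parse_ibeacon_adv(adv: bytes) -> dict:
    """Walk the AD structures of a captured advertisement and return the iBeacon
    fields, so a transmitting AP can be compared against its configured settings."""
    i = 0
    while i + 1 < len(adv):
        length, ad_type = adv[i], adv[i + 1]
        data = adv[i + 2:i + 1 + length]
        if ad_type == 0xFF and data[:4] == b"\x4c\x00\x02\x15" and len(data) == 25:
            major, minor, tx = struct.unpack(">HHb", data[20:25])
            return {"uuid": str(uuid_mod.UUID(bytes=data[4:20])),
                    "major": major, "minor": minor, "tx_power_1m_dbm": tx}
        i += 1 + length
    raise ValueError("no iBeacon structure in advertisement")


if __name__ == "__main__":
    # constructed sample values; -19 dBm, 1,111 / 2,222 and -60 dBm are the screen defaults
    frame = build_eddystone_url_frame("https://www.example.com/", -19)
    print(frame.hex(), decode_eddystone_url(frame[2:]))
    adv = build_ibeacon_adv("12345678-1234-5678-1234-56789abcdef0", 1111, 2222, -60)
    print(parse_ibeacon_adv(adv))
```

Two practical uses: `eddystone_url_fits` tells you before entry whether a URL will pass the screen's 18 character check (domain suffixes such as `.com/` cost one byte, everything else one byte per character), and `parse_ibeacon_adv` / `decode_eddystone_url` let you confirm from a captured advertisement that an AP is transmitting exactly the UUID, Major/Minor or URL that was configured and nothing else.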
Applying an override removes the device from the profile configuration that may be shared by other devices and requires careful administration to ensure this one device still supports the deployment requirements within the managed network.

A profile's network configuration process consists of the following:

Overriding a Profile's DNS Configuration
Overriding a Profile's ARP Configuration
Overriding a Profile's L2TPV3 Configuration
Overriding a Profile's GRE Configuration
Overriding a Profile's IGMP Snooping Configuration
Overriding a Profile's MLD Snooping Configuration
Overriding a Profile's Quality of Service (QoS) Configuration
Overriding a Profile's Spanning Tree Configuration
Overriding a Profile's Routing Configuration
Overriding a Profile's Dynamic Routing (OSPF) Configuration
Overriding a Profile's Border Gateway Protocol (BGP) Configuration
Overriding a Profile's Forwarding Database Configuration
Overriding a Profile's Bridge VLAN Configuration
Overriding a Profile's Cisco Discovery Protocol Configuration
Overriding a Profile's Link Layer Discovery Protocol Configuration
Overriding a Profile's Miscellaneous Network Configuration
Overriding a Profile's Network Alias Configuration
Overriding a Profile's IPv6 Neighbor Configuration

5.2.8.1 Overriding a Profile's DNS Configuration

Overriding a Profile's Network Configuration

Domain Name System (DNS) is a hierarchical naming system for resources connected to the Internet or a private network. Primarily, the controller or service platform's DNS resources translate domain names into IP addresses. If a DNS server doesn't know how to translate a particular domain name, it asks another one until the correct IP address is returned. DNS enables access to resources using human friendly notations. DNS converts human friendly domain names into notations used by networking equipment for locating resources. As a resource is accessed (using human-friendly hostnames), it's possible to access the resource even if the underlying machine friendly notation name changes. Without DNS you need to remember a series of numbers (123.123.123.123) instead of a domain name (www.domainname.com).

Controllers and service platforms maintain their own DNS facility that can assist in domain name translation. A DNS assignment can be overridden as needed, but doing so removes the device configuration from the managed profile that may be shared with other similar device models.

To define the DNS configuration or apply overrides to an existing configuration:

1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select DNS.

Figure 5-61 Profile Overrides - Network DNS screen

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Set or override the following Domain Name System (DNS) configuration data:
Domain Name: Provide or override the default Domain Name used to resolve DNS names. The name cannot exceed 64 characters.
Enable Domain Lookup: Select this option to enable DNS on the controller or service platform. When enabled, the controller or service platform can convert human friendly domain names into numerical IP destination addresses. This option is selected by default.
Enable DNS Server Forwarding: Click to enable the forwarding of DNS queries to external DNS servers if a DNS query cannot be processed by the controller or service platform's own DNS resources. This feature is disabled by default.

7 Set or override the following DNS Server configuration data:

Name Servers: Provide a list of up to three DNS servers to forward DNS queries to if the controller or service platform's DNS resources are unavailable. DNS name servers are used to resolve IP addresses. Use the Clear link next to each DNS server to clear the DNS name server's IP address from the list.

8 Set the following DNS Servers IPv6 configuration data when using IPv6:

IPv6 DNS Name Server: Provide the default domain name used to resolve IPv6 DNS names. When an IPv6 host is configured with the address of a DNS server, the host sends DNS name queries to the server for resolution. A maximum of three entries are permitted.
IPv6 DNS Server Forward: Select the check box to enable IPv6 DNS domain names to be converted into numerical IP destination addresses. The setting is disabled by default.

9 Select OK to save the changes and overrides made to the DNS configuration. Select Reset to revert to the last saved configuration.

5.2.8.2 Overriding a Profile's ARP Configuration

Overriding a Profile's Network Configuration

Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address recognized on the managed network. ARP provides rules for making this correlation and providing address conversion in both directions. ARP assignments can be overridden as needed, but an override removes the device configuration from the managed profile that may be shared with other similar device models.

When an incoming packet destined for a host arrives at the controller or service platform, the gateway uses ARP to find a physical host or MAC address that matches the IP address. ARP looks in its ARP cache and, if it finds the address, provides it so the packet can be converted to the right packet length and format and sent to the destination. If no entry is found for the IP address, ARP broadcasts a request packet in a special format to all the machines on the LAN to see if one machine knows that it has that IP address associated with it. A machine that recognizes the IP address as its own returns a reply so indicating. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.

To define an ARP supported configuration on a controller or service platform:

1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select ARP.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Set or override the following parameters to define the controller or service platform's ARP configuration:

Figure 5-62 Profile Overrides - Network ARP screen

Switch VLAN Interface: Use the spinner control to select a VLAN interface (1 - 4094) for an address requiring resolution.
IP Address: Define the IP address used to fetch a MAC address.
MAC Address: Displays the target MAC address that's subject to resolution. This is the MAC used for mapping an IP address to a MAC address that's recognized on the network.
Device Type: Specify the device type the ARP entry supports. Host is the default setting.

7 To add additional ARP overrides, click the + Add Row button and enter the configuration information in the table above.
8 Select the OK button to save the changes and overrides to the ARP configuration. Select Reset to revert to the last saved configuration.

5.2.8.3 Overriding a Profile's L2TPV3 Configuration

Overriding a Profile's Network Configuration

L2TP V3 is a standard used for transporting different types of layer 2 frames in an IP network (and Access Point profile). L2TP V3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables controllers, service platforms and Access Points to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between WiNG devices and other vendor devices supporting the L2TP V3 protocol. Multiple pseudowires can be created within an L2TP V3 tunnel. WiNG supported access points support an Ethernet VLAN pseudowire type exclusively.

NOTE: A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network. Ethernet VLAN pseudowires transport Ethernet frames to and from a specified VLAN.
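Stepping back to the ARP overrides in section 5.2.8.2 above: each row of that table pins one IP address to one MAC address on a VLAN, and the text explains how a learned reply otherwise updates the ARP cache. The following Python is an added example (not WiNG or Extreme Networks code) that models such a table, decodes ARP replies, and reports a reply that contradicts a pinned entry instead of caching it. It assumes untagged Ethernet II frames with the VLAN supplied separately, and all MAC and IP addresses in it are constructed sample values.

```python
"""Static ARP entries as a guard against bad ARP replies (added example, not WiNG code).
The override table in 5.2.8.2 pins an IP address to a MAC address on a VLAN; this
models that table and checks decoded ARP replies against it, so a reply that
contradicts a pinned entry is reported rather than cached. Frame layout is RFC 826
over untagged Ethernet II (assumption); the VLAN is passed in separately."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


@dataclass(frozen=True)
class StaticArpEntry:
    """One row of the ARP override table: VLAN, IP, MAC and device type."""
    vlan: int
    ip: str
    mac: str
    device_type: str = "host"   # the screen's default


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp_frame(frame: bytes) -> dict:
    """Decode Ethernet II + ARP (28 byte IPv4-over-Ethernet ARP body)."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError(f"not ARP (ethertype 0x{ethertype:04x})")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("only Ethernet/IPv4 ARP is handled")
    return {"oper": oper,
            "eth_src": _mac(frame[6:12]),
            "sender_mac": _mac(frame[22:28]),
            "sender_ip": str(IPv4Address(frame[28:32])),
            "target_mac": _mac(frame[32:38]),
            "target_ip": str(IPv4Address(frame[38:42]))}


class ArpCache:
    """ARP cache in which static (override) entries are never overwritten by
    learned replies; other addresses are learned as the section describes."""

    def __init__(self, static_entries):
        self.static = {(e.vlan, e.ip): e.mac.lower() for e in static_entries}
        self.dynamic = {}
        self.alerts = []

    def process(self, vlan: int, frame: bytes) -> str:
        arp = parse_arp_frame(frame)
        if arp["oper"] != ARP_REPLY:
            return "ignored"            # requests do not populate the cache here
        key = (vlan, arp["sender_ip"])
        claimed = arp["sender_mac"]
        pinned = self.static.get(key)
        if pinned is None:
            self.dynamic[key] = claimed
            return "learned"
        # the Ethernet source is checked too: it should carry the same MAC
        if claimed == pinned and arp["eth_src"] == pinned:
            return "static-ok"
        self.alerts.append(f"vlan {vlan}: reply for {arp['sender_ip']} from {claimed} "
                           f"(eth src {arp['eth_src']}); static entry is {pinned}")
        return "conflict"


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed sample frame for tests; nothing is transmitted."""
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    tha = bytes.fromhex(target_mac.replace(":", ""))
    body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
            + sha + IPv4Address(sender_ip).packed + tha + IPv4Address(target_ip).packed)
    return tha + sha + struct.pack("!H", ETHERTYPE_ARP) + body


def demo() -> tuple:
    """Run three constructed replies through a cache with one pinned gateway."""
    cache = ArpCache([StaticArpEntry(1, "10.1.1.1", "00:11:22:33:44:55", "router")])
    gateway_ok = build_arp_reply("00:11:22:33:44:55", "10.1.1.1", "aa:bb:cc:dd:ee:01", "10.1.1.50")
    gateway_bad = build_arp_reply("de:ad:be:ef:00:01", "10.1.1.1", "aa:bb:cc:dd:ee:01", "10.1.1.50")
    printer = build_arp_reply("aa:bb:cc:dd:ee:02", "10.1.1.20", "aa:bb:cc:dd:ee:01", "10.1.1.50")
    verdicts = [cache.process(1, f) for f in (gateway_ok, gateway_bad, printer)]
    return verdicts, cache


if __name__ == "__main__":
    results, cache = demo()
    print(results, cache.alerts)
```

The point of the model is the one the override table gives you in practice: a pinned entry for the gateway (Device Type router) keeps a wrong reply for that IP out of the cache and turns it into an event you can log, while hosts with no static entry are still learned normally.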
One or more L2TP V3 tunnels can be defined between tunnel end points. Each tunnel can have one or more L2TP V3 sessions. Each tunnel session corresponds to one pseudowire. An L2TP V3 control connection (an L2TP V3 tunnel) needs to be established between the tunneling entities before creating a session.

For optimal pseudowire operation, both the L2TP V3 session originator and responder need to know the pseudowire type and identifier. These two parameters are communicated during L2TP V3 session establishment. An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID. The working status of a pseudowire is reflected by the state of the L2TP V3 session. If an L2TP V3 session is down, the pseudowire associated with it must be shut down. The L2TP V3 control connection keep-alive mechanism can serve as a monitoring mechanism for the pseudowires associated with a control connection.

NOTE: If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port; if connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN.

To define an L2TPV3 configuration for an Access Point profile:

1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Expand the Network menu and select L2TPv3.
5 The General tab displays by default, with additional L2TPv3 Tunnel and Manual Session tabs available.
6 Set the following General Settings for an L2TPv3 profile configuration:

Figure 5-63 Network - L2TPv3 screen, General tab

Hostname: Define a 64 character maximum host name to specify the name of the host that's sent tunnel messages. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.
Router ID: Set either the numeric IP address or the integer used as an identifier for tunnel AVP messages. AVP messages assist in the identification of a tunnelled peer.
UDP Listen Port: Select this option to set the port used for listening to incoming traffic. Select a port from 1,024 - 65,535.
Tunnel Bridging: Select this option to enable or disable bridging of packets between two tunnel end points. This setting is disabled by default.

7 Set the following Logging Settings for an L2TPv3 profile configuration:

Enable Logging: Select this option to enable the logging of Ethernet frame events to and from bridge VLANs and physical ports on a defined IP address, host or router ID. This setting is disabled by default.
IP Address: Optionally use a peer tunnel ID address to capture and log L2TPv3 events. Use Any to log any IP address.
Hostname: If not using an IP address for event logging, optionally use a peer tunnel hostname to capture and log L2TPv3 events. Use Any to log any hostname. Hostnames cannot include an underscore character.
Router ID: If not using an IP address or a hostname for event logging, use a router ID to capture and log L2TPv3 events. Use Any to log any router ID.

8 Select the L2TPV3 Tunnel tab.
9 Review the following L2TPv3 tunnel configuration data:

Figure 5-64 Network - L2TPv3 screen, L2TP tunnel tab

Name: Displays the name of each listed L2TPv3 tunnel assigned upon creation.
Local IP Address: Lists the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.
MTU: Displays the maximum transmission unit (MTU) size for each listed tunnel. The MTU is the size (in bytes) of the largest protocol data unit that the layer can pass between tunnel peers.
Use Tunnel Policy: Lists the L2TPv3 tunnel policy assigned to each listed tunnel.
Local Hostname: Lists the tunnel specific hostname used by each listed tunnel. This is the host name advertised in tunnel establishment messages.
Local Router ID: Specifies the router ID sent in tunnel establishment messages.
Establishment Criteria: Specifies the criteria required for a tunnel between two peers.
Critical Resource: Specifies the critical resource that should exist for a tunnel between two peers. Critical resources are device IP addresses or interface destinations interpreted as critical to the health of the network. Critical resources allow for the continuous monitoring of these defined addresses. A critical resource, if not available, can result in the network suffering performance degradation. A critical resource can be a gateway, AAA server, WAN interface or any hardware or service on which the stability of the network depends. Critical resources are pinged regularly. If there's a connectivity issue, an event is generated stating a critical resource is unavailable.
Peer IP Address: Specifies the IP address of the tunnel destination peer device.
Hostname: Specifies the administrator assigned hostname of the tunnel.
10 Either select Add to create a new L2TPv3 tunnel configuration, Edit to modify an existing tunnel configuration or Delete to remove a tunnel from those available to this profile. If creating a new tunnel configuration, assign it a 31 character maximum Name. 11 12 Select + Add Row to populate the table with configurable session parameters for this tunnel configuration. 13 Define the following Session parameters required for the L2TPv3 tunnel configuration:
Figure 5-65 Network - L2TPv3 screen, Add L2TPv3 Tunnel Configuration Name Pseudowire ID Traffic Source Type Enter a 31 character maximum session name. There is no idle timeout for a tunnel. A tunnel is not usable without a session and a subsequent session name.The tunnel is closed when the last session tunnel session is closed. Define a psuedowire ID for this session. A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network. Lists the type of traffic tunnelled in this session (VLAN etc). Wireless Controller and Service Platform System Reference Guide 5 - 121 Device Configuration Traffic Source Value Native VLAN Define a VLAN range to include in the tunnel session. Select this option to provide a VLAN ID that will not be tagged in tunnel establishment and packet transfer. Available VLAN ranges are from 1 -
4,094. 14 Select OK to save the updates to Exit to revert to the last configuration. 15 Select the Settings tab. 16 Define the following Settings required for the L2TPv3 tunnel configuration:
Figure 5-66 Network - L2TPv3 screen, Settings Local IP Address MTU Use Tunnel Policy Local Hostname Enter the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address. This parameter is applicable when establishing the tunnel and responding to incoming tunnel create requests. Set the maximum transmission unit (MTU). The MTU is the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers. Define a MTU from 128 - 1,460 bytes. The default setting is 1,460. A larger MTU means processing fewer packets for the same amount of data. Select the L2TPv3 tunnel policy. The policy consists of user defined values for protocol specific parameters which can be used with different tunnels. If none is available, a new policy can be created or an existing one can be modified. Provide the tunnel specific hostname used by this tunnel. This is the host name advertised in tunnel establishment messages. Hostnames cannot include an underscore character. Wireless Controller and Service Platform System Reference Guide 5 - 122 Device Configuration Local Router ID Establishment Criteria VRRP Group Critical Resource Specify the router ID sent in tunnel establishment messages with a target peer device. Specify the establishment criteria for creating a tunnel. The tunnel is only created if this device is one of the following:
vrrp-master cluster-master rf-domain-manager The tunnel is always created if Always is selected. This indicates the device need not be any one of the above three (3) to establish a tunnel. Set the VRRP group ID. VRRP groups is only enabled when the Establishment Criteria is set to vrrp-master. The Critical Resources table lists important resources defined for this system. The tunnel is created and maintained only if these critical resources are available. The tunnel is removed if any one of the defined resources goes down or is unreachable. 17 Define the following Rate Limit settings for the L2TP tunnel configuration. Rate limiting manages the maximum rate sent to or received from L2TPv3 tunnel members. Session Name Direction Maximum Burst Size Rate Use the drop-down menu to select the tunnel session that will have the direction, burst size and traffic rate settings applied. Select the direction for L2TPv3 tunnel traffic rate limiting. Egress traffic is outbound L2TPv3 tunnel data coming to the controller, service platform or Access Point. Ingress traffic is inbound L2TPv3 tunnel data coming to the controller, service platform or Access Point. Set the maximum burst size for egress or ingress traffic rate limiting
(depending on which direction is selected) on a L2TPv3 tunnel. Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the upstream packet transmission will result in congestion for L2TPv3 tunnel traffic. The default setting is 320 bytes. Set the data rate (from 50 - 1,000,000 kbps) for egress or ingress traffic rate limiting (depending on which direction is selected) for an L2TPv3 tunnel. The default setting is 5000 kbps. 18 Refer to the Peer table to review the configurations of the peers destinations for tunnel connection. 19 Select + Add Row to populate the table with a maximum of two peer configurations. Wireless Controller and Service Platform System Reference Guide 5 - 123 Device Configuration 20 Define the following Peer parameters:
Figure 5-67 Network - L2TPv3 screen, Add Peer Configuration

Peer ID: Define the primary peer ID used to set the primary and secondary peer for tunnel failover. If the peer is not specified, tunnel establishment does not occur. However, if a peer tries to establish a tunnel with this Access Point, the tunnel is created if the hostname and/or Router ID matches.
Peer IP Address: Select this option to enter the numeric IP address used as the destination peer address for tunnel establishment.
Hostname: Assign the peer a hostname that can be used as matching criteria in the tunnel establishment process. Hostnames cannot include an underscore character.
Router ID: Specify the router ID sent in tunnel establishment messages with this specific peer.
Encapsulation: Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes.
IPSec Secure: Enable this option to enable security on the connection between the Access Point and Virtual Controller.
IPSec Gateway: Specify the IP address of the IPSec Secure Gateway.
UDP Port: If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port.

21 From back at the Settings tab, set the following Fast Failover parameters:

Enable: When enabled, the device starts sending tunnel requests to both peers and, in turn, establishes the tunnel on both peers. If disabled, tunnel establishment only occurs on one peer, with failover and other functionality the same as legacy behavior. If fast failover is enabled after a single tunnel has been established, establishment is restarted with two peers, one tunnel defined as active and the other as standby. Both tunnels perform connection health checks with individual hello intervals. This setting is disabled by default.
Enable Aggressive Mode: When enabled, tunnel initiation hello requests are set to zero. For failure detection, hello attempts are not retried, regardless of the defined retry attempts. This setting is disabled by default.

22 Select OK to save the peer configuration.

23 Select OK to save the changes within the L2TP Tunnel screen. Select Reset to revert the screen to its last saved configuration.

24 Select the Manual Session tab. Individual sessions can be created after a successful tunnel connection and establishment. Each session is a single data stream. After successful session establishment, data corresponding to that session (pseudowire) can be transferred. If a session is down, the pseudowire associated with it is shut down as well.

Figure 5-68 Network - L2TPv3 screen, Manual Session tab

25 Refer to the following manual session configurations to determine whether one should be created or modified:
IP Address: Lists the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address. This parameter is applicable when establishing the session and when responding to incoming requests.
Local Session ID: Displays the numeric identifier assigned to each listed tunnel session. This is the pseudowire ID for the session. This pseudowire ID is sent in a session establishment message to the L2TP peer.
MTU: Displays each session's maximum transmission unit (MTU). The MTU is the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers in this session. A larger MTU means processing fewer packets for the same amount of data.
Name: Lists the name assigned to each listed manual session.
Remote Session ID: Lists the remote session ID passed in the establishment of the tunnel, used as a unique identifier for this tunnel session.

26 Select Add to create a new manual session, Edit to modify an existing session configuration, or Delete to remove a selected manual session.

Figure 5-69 Network - L2TPv3 screen, Add L2TP Peer Configuration

27 Set the following session parameters:
Name: Define a 31 character maximum name for this tunnel session. After a successful tunnel connection and establishment, the session is created. Each session name represents a single data stream.
IP Address: Specify the IP address to use as the tunnel source IP address. If not specified, the tunnel source IP address is selected automatically based on the tunnel peer IP address. This address is applicable only when initiating the tunnel. When responding to an incoming tunnel create request, the device uses the IP address on which it received the request.
Peer IP: Set the IP address of an L2TP tunnel destination peer. This is the peer allowed to establish the tunnel.
Local Session ID: Set the numeric identifier for the tunnel session. This is the pseudowire ID for the session. This pseudowire ID is sent in a session establishment message to the L2TP peer.
MTU: Define the session's maximum transmission unit (MTU) as the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers in this session. A larger MTU means processing fewer packets for the same amount of data.
Remote Session ID: Use the spinner control to set the remote session ID passed in the establishment of the tunnel and used as a unique identifier for this tunnel session. Assign an ID from 1 - 4,294,967,295.
Encapsulation: Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes.
UDP Port: If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port. This is the port where the L2TP service is running.
Source Type: Select a VLAN as the virtual interface source type.
Source Value: Define the Source Value range (1 - 4,094) to include in the tunnel. Tunnel session data includes VLAN tagged frames.
Native VLAN: Select this option to define the native VLAN that is not tagged.

28 Select the + Add Row button to set the following:
Cookie Size: Set the size of the cookie field within each L2TP data packet. Options include 0, 4 and 8. The default setting is 0.
Value 1: Set the first word of the cookie value.
Value 2: Set the second word of the cookie value.
End Point: Define whether the tunnel end point is local or remote.

29 Select OK to save the changes to the session configuration. Select Reset to revert to the last saved configuration.

5.2.8.4 Overriding a Profile's GRE Configuration

Generic routing encapsulation (GRE) tunneling can be configured to bridge Ethernet packets between WLANs and a remote WLAN gateway over a GRE tunnel. Tunneling 802.3 packets using GRE is an alternative to MiNT or L2TPv3. Related features, such as ACLs for extended VLANs, remain available using layer 2 tunneling over GRE.

Using GRE, Access Points map one or more VLANs to a tunnel. The remote endpoint is a user-configured WLAN gateway IP address, with an optional secondary IP address should connectivity to the primary GRE peer be lost. VLAN traffic is expected in both directions in the GRE tunnel. A WLAN mapped to these VLANs can be either open or secure. Secure WLANs require authentication to a remote RADIUS server available within your deployment using standard RADIUS protocols. Access Points can reach both the GRE peer and the RADIUS server.

Previous releases supported only IPv4 tunnel end points; support for both IPv4 and IPv6 tunnel endpoints is now available. However, a tunnel must contain either IPv4 or IPv6 formatted device addresses; the two cannot be mixed. With the IPv6 tunnel implementation, all outbound packets are encapsulated with the GRE header, then the IPv6 header. The header source IP address is the local IPv6 address of the tunnel interface, and the destination address is the peer address of the tunnel. All inbound packets are de-encapsulated by removing the IPv6 and GRE headers before being handed to the IP stack.

To define a profile's GRE settings:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Select Network to expand its sub menu options.

5 Select GRE. The screen displays existing GRE configurations.

6 Select the Add button to create a new GRE tunnel configuration, or select an existing tunnel and select Edit to modify its current configuration. To remove an existing GRE tunnel, select it from amongst those displayed and select the Delete button.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-70 Profile Overrides - Network GRE screen

7 If creating a new GRE configuration, assign it a 32 character maximum name to distinguish its configuration.

8 Define the following settings for the GRE configuration:
DSCP Options: Use the spinner control to set the tunnel DSCP / 802.1q priority value copied from encapsulated packets to the outer packet IPv4 header.
Tunneled VLANs: Define the VLAN connected clients use to route GRE tunneled traffic within their respective WLANs.
Native VLAN: Set a numerical VLAN ID (1 - 4094) for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
Tag Native VLAN: Select this option to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN ID the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12 bit VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the trunk port. This feature is disabled by default.
MTU: Set an IPv4 tunnel's maximum transmission unit (MTU) from 128 - 1,476. The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages larger than the MTU are divided into smaller packets before being sent. A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput, and fewer packets are processed for the same amount of data. For IPv4, the overhead is 24 bytes (20 bytes IPv4 header + 4 bytes GRE header), so the default IPv4 MTU is 1,476.
MTU6: Set an IPv6 tunnel's MTU from 128 - 1,456. The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages larger than the MTU are divided into smaller packets before being sent. As with IPv4, a larger MTU carries more user data per packet against fixed per-packet overheads, so fewer packets are processed for the same amount of data. For IPv6, the overhead is 44 bytes (40 bytes IPv6 header + 4 bytes GRE header), so the default IPv6 MTU is 1,456.

9 The Peer table lists the credentials of the GRE tunnel end points. Add new table rows as needed to add additional GRE tunnel peers. Select + Add Row to populate the table with a maximum of two peer configurations.

10 Define the following Peer parameters:
Peer Index: Assign a numeric index to each peer to help differentiate tunnel end points.
Peer IP Address: Define the IP address of the added GRE peer to serve as a network address identifier. Designate whether the IP is formatted as an IPv4 or IPv6 address. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery and does not ensure proper sequencing or prevent duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are eight groups of four hexadecimal digits separated by colons.

11 Set the following Establishment Criteria for the GRE tunnel configuration:
Criteria: Specify the establishment criteria for creating a GRE tunnel. In a multi-controller RF domain, the tunnel is always established with the master node. The tunnel is only created if the tunnel device is designated one of the following: vrrp-master, cluster-master or rf-domain-manager. The tunnel is automatically created if Always (the default setting) is selected. This indicates the device need not be any one of the above three to establish a tunnel.
VRRP Group: Set the VRRP group ID. This field is only enabled when the Establishment Criteria is set to vrrp-master. A virtual router redundancy protocol (VRRP) group enables the creation of a group of routers as a default gateway for redundancy. Clients can point to the IP address of the VRRP virtual router as their default gateway and utilize a different group member if the master becomes unavailable.

12 Define or override the following Failover parameters to apply to the GRE tunnel configuration:
Enable Failover: Select this option to periodically ping the primary gateway to assess its availability. If the primary gateway is unreachable.
Ping Interval: Set the duration between two successive pings to the gateway. Define this value in seconds from 1 - 21,600.
Number of Retries: Set the number of ping retries (from 1 - 63) when no response is received before the session is terminated.

13 Select the OK button to save the changes and overrides to the GRE configuration. Select Reset to revert to the last saved configuration.

5.2.8.5 Overriding a Profile's IGMP Snooping Configuration

The Internet Group Management Protocol (IGMP) is used for managing IP multicast group members. The controller or service platform listens to IGMP network traffic and forwards the IGMP multicast packets to the radios on which the interested hosts are connected. On the wired side of the network, the controller or service platform floods all the wired interfaces. This feature reduces unnecessary flooding of multicast traffic in the network.

To define a profile's IGMP settings:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Select Network to expand its sub menu options.

5 Select IGMP Snooping.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Define or override the following General IGMP Snooping parameters for the bridge VLAN configuration:
Figure 5-71 Profile Overrides - Network IGMP Snooping

Enable IGMP Snooping: Select this option to enable IGMP snooping. If disabled, snooping on a per VLAN basis is also disabled. This feature is enabled by default. If disabled, the settings under the bridge configuration are overridden. For example, if IGMP snooping is disabled but the bridge VLAN setting is enabled, the effective setting is disabled.
Forward Unknown Multicast Packets: Select this option to enable the forwarding of multicast packets from unregistered multicast groups. If disabled (the default setting), the unknown multicast forward feature is also disabled for individual VLANs.
Enable Fast Leave Processing: Select this option to remove a Layer 2 LAN interface from the IGMP snooping forwarding table entry without first sending IGMP group-specific queries to the interface. When receiving a group-specific IGMPv2 leave message, IGMP snooping removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast-leave processing enhances bandwidth management for all hosts on the network.

7 Set or override the following IGMP Querier parameters for the profile's bridge VLAN configuration:
Enable IGMP Querier: Select this option to enable the IGMP querier. The IGMP snoop querier is used to keep host memberships alive. It is primarily used in a network where there is a multicast streaming server and hosts subscribed to the server, but no IGMP querier present. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios. IGMP multicast packets are flooded on wired ports, unless IGMP membership has been learned on a wired port, in which case packets are forwarded on that port only if a member is present.
IGMP Version: Use the spinner control to set the IGMP version compatibility to version 1, 2 or 3. IGMPv1 is defined by RFC 1112, IGMPv2 by RFC 2236 and IGMPv3 by RFC 4604, which defines both IGMPv3 and MLDv2. IGMPv2 improves over IGMPv1 by adding the ability for a host to signal its desire to leave a multicast group. IGMPv3 improves over IGMPv2 by adding the ability to listen exclusively to multicast traffic originating from a set of source IP addresses. The default setting is 3.
IGMP Query Interval: Set the interval at which IGMP queries are made. Options include Seconds (1 - 18,000), Minutes (1 - 300) and Hours (1 - 5). The default setting is one minute.
IGMP Robustness Variable: IGMP utilizes a robustness value used by the sender of a query. Update the robustness variable to match the most recently received query unless the value is zero.
Maximum Response Time: Specify the maximum interval (from 1 - 25 seconds) before sending a responding report. When no reports are received from a radio, the radio's information is removed from the snooping table. The controller or service platform only forwards multicast packets to radios present in the snooping table. For IGMP reports from wired ports, the controller or service platform forwards these reports to the multicast router ports. The default setting is 10 seconds.
Other Querier Timer Expiry: Specify an interval in either Seconds (60 - 300) or Minutes (1 - 5) used as a timeout interval for other querier resource connections. The default setting is 1 minute.

8 Select the OK button to save the changes and overrides to the IGMP Snooping tab. Select Reset to revert to the last saved configuration.

5.2.8.6 Overriding a Profile's MLD Snooping Configuration

Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups.

MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.

To set an IPv6 MLD snooping configuration for the profile:
1 Select Configuration > Profiles > Network.

2 Expand the Network menu to display its submenu options.

3 Select MLD Snooping.

4 Define the following General MLD snooping settings:
Figure 5-72 Profile - Network MLD Snooping screen

Enable MLD Snooping: Enable MLD snooping to examine MLD packets and make content-based forwarding decisions for this profile. Packets delivered to group members are identified by a single multicast group address. Multicast packets are delivered to a group using best-effort reliability, just like IPv6 unicast. MLD snooping is disabled by default.
Forward Unknown Multicast Packets: Use this option to either enable or disable IPv6 unknown multicast forwarding. This setting is enabled by default.

5 Define the following MLD Querier settings for the MLD snooping configuration:
Enable MLD Querier: Select this option to enable the MLD querier on the controller, service platform or Access Point. When enabled, the device sends query messages to discover which network devices are members of a given multicast group. This setting is disabled by default.
MLD Version: Define whether MLD version 1 or 2 is utilized as the MLD querier. MLD version 1 is based on IGMP version 2 for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully backward compatible. IPv6 multicast uses MLD version 2. The default MLD version is 2.
MLD Query Interval: Set the interval at which query messages are sent to discover device multicast group memberships. Set an interval in either Seconds (1 - 18,000), Minutes (1 - 300) or Hours (1 - 5). The default interval is 1 minute.
MLD Robustness Variable: Set an MLD robustness value (1 - 7) used by the sender of a query. The MLD robustness variable enables refinements to account for expected packet loss on a subnet. Increasing the robust count allows for more packet loss, but increases the leave latency of the subnetwork unless the value is zero. The default variable is 2.
Maximum Response Time: Specify the maximum response time (from 1 - 25,000 milliseconds) before sending a responding report. Queriers use MLD reports to join and leave multicast groups and receive group traffic. The default setting is 10 milliseconds.
Other Querier Timer Expiry: Specify an interval in either Seconds (60 - 300) or Minutes (1 - 5) used as a timeout interval for other querier resources. The default setting is 1 minute.

6 Select the OK button to save the changes. Select Reset to revert to the last saved configuration.

5.2.8.7 Overriding a Profile's Quality of Service (QoS) Configuration

The controller or service platform uses different Quality of Service (QoS) screens to define WLAN and device radio QoS and traffic shaping configurations for profiles. Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. Traffic shaping enables traffic control out of an interface to match its flow to the speed of a remote target's interface and ensure traffic conforms to applied policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion when data rates are in conflict.

QoS values are required to provide priority of service to some packets over others. For example, VoIP packets get higher priority than data packets to provide a better quality of service for high priority voice traffic.

The profile QoS screen maps the 6-bit Differentiated Services Code Point (DSCP) code points to the older 3-bit IP Precedence field located in the Type of Service byte of an IP header. DSCP is a protocol for specifying and controlling network traffic by class so that certain traffic types get precedence. DSCP specifies a per-hop behavior that is applied to a packet. This QoS assignment can be overridden as needed, but doing so removes the device configuration from the profile that may be shared with other similar device models.

To define a QoS configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Select Network to expand its sub menu options.

5 Select Quality of Service. The Traffic Shaping screen displays with the Basic Configuration tab displayed by default.

Figure 5-73 Profile Overrides - Network QoS Traffic Shaping Basic Configuration screen

Apply traffic shaping to specific applications or to application categories. When application and ACL rules conflict, applications have priority, followed by application categories, then ACLs.

6 Select Enable to provide traffic shaping using the defined bandwidth, rate and class mappings.

7 Set the Total Bandwidth configurable for the traffic shaper. Set the value from either 1 - 1,000 Mbps, or from 250 - 1,000,000 Kbps.

8 Select + Add Row within the Rate Configuration table to set the Class Index and Rate (in either Kbps, Mbps or percentage) for the traffic shaper class. Use the rate configuration to control the maximum traffic rate sent or received on the device. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent, and traffic exceeding the set limit is dropped or sent with a different priority.

9 Refer to the IP ACL Class Mapping table and select + Add Row to apply an IPv4 formatted ACL to the shaper class mapping. Select + Add Row to add mappings.
For more information on creating IP based firewall rules, refer to Configuring IP Firewall Rules on page 10-20 and Setting an IPv4 or IPv6 Firewall Policy on page 10-21.

10 Refer to the IPv6 ACL Class Mapping table and select + Add Row to apply an IPv6 formatted ACL to the shaper class mapping. Select + Add Row to add mappings. For more information on creating IP based firewall rules, refer to Configuring IP Firewall Rules on page 10-20 and Setting an IPv4 or IPv6 Firewall Policy on page 10-21.

11 Refer to the App-Category to Class Mapping table and select + Add Row to apply an application category to shaper class mapping. Select + Add Row to add mappings by selecting the application category and its traffic shaper class. For more information on creating an application category, refer to Application on page 7-58.

12 Refer to the Application to Class Mapping table and select + Add Row to apply an application to shaper class mapping. Select + Add Row to add mappings by selecting the application and its traffic shaper class. For more information on creating an application, refer to Application on page 7-58.

13 Select the OK button to save the changes to the traffic shaping basic configuration. Select Reset to revert to the last saved configuration.

14 Select the Advanced Configuration tab.

Figure 5-74 Profile Overrides - Network QoS Traffic Shaping Advanced Configuration screen

15 Set the following Activation Criteria for traffic shaper activation:
Activation Criteria: Use the drop-down menu to determine when the traffic shaper is invoked. Options include vrrp-master, cluster-master, rf-domain-manager and Always. A VRRP master responds to ARP requests, forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address, and either rejects or accepts packets addressed to the IP associated with the virtual router, depending on whether it owns that address. The solitary cluster master is the cluster member elected, using a priority assignment scheme, to provide management configuration and Smart RF data to other cluster members. Cluster requests go through the elected master before dissemination to other cluster members. The RF Domain manager is the elected member capable of storing and provisioning configuration and firmware images for other members of the RF Domain.
VRRP Group: Set the VRRP group ID from 1 - 255. The VRRP group is only enabled when the Activation Criteria is set to vrrp-master.

16 Select + Add Row within the Buffers Configuration table to set the following:
Class Index: Set a class index from 1 - 4.
Max Buffers: Set the Max Buffers value to specify the queue length limit after which the queue starts to drop packets. Set the maximum queue lengths for packets. The upper limit is 400 for Access Points.
RED Level: Set the packet queue length for RED. The upper limit is 400 for Access Points. The rate limiter uses the random early detection (RED) algorithm for rate limiting traffic. RED is a queueing technique for congestion avoidance. RED monitors the average queue size and drops or marks packets. If the buffer is near empty, all incoming packets are accepted. As the queue grows, the probability of dropping an incoming packet also grows. When the buffer is full, the probability has reached 1 and all incoming packets are dropped.
RED Percent: Set a percentage (1 - 100) for RED rate limiting as a percentage of maximum buffers.

17 Select + Add Row within the Latency Configuration table to set the Class Index (1 - 4), Max Latency and latency measurement Unit. Max Latency specifies the time limit after which packets start dropping (the maximum packet delay in the queue). The maximum number of entries is 8. Select whether msec (default) or usec is the unit for latency measurement. When a new packet arrives, it knows how much time it may wait in the queue. If a packet waits longer than the latency value, it is dropped. By default latency is not set, so packets can remain in the queue for a long time.

18 Refer to the Queue Priority Mapping table to set the traffic shaper queue priority and specify a particular queue inside a class. There are 8 queues (0 - 7), and traffic is queued in each based on the incoming packet's 802.1p marking.

19 Select the OK button to save the changes to the traffic shaping advanced configuration. Select Reset to revert to the last saved configuration.

20 Select the Priority Mapping tab.
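The shaper path that steps 16 to 22 of this procedure describe (802.1p classification of untagged frames through the DSCP and IPv6 Traffic Class mappings, selection of one of the eight queues inside a class, and RED admission against Max Buffers, RED Level and RED Percent), as an added Python model that is not code from this guide or from WiNG. The default DSCP-to-802.1p table (IP Precedence, the top three DSCP bits) and the way RED Level and RED Percent are combined into RED thresholds are assumptions, since the guide does not document the firmware's internals.

```python
"""Added example (not from the WiNG guide): the shaper path that steps 16 to 22
describe, from 802.1p classification to RED admission into one of eight queues.
Assumptions: the default DSCP-to-802.1p table is the 3-bit IP Precedence, and
RED Level / RED Percent act as the lower and upper RED thresholds; the guide
does not document how the firmware combines these values."""
import random
from typing import Dict, List, Optional

PRIORITY_NAMES = ("Best Effort", "Background", "Spare", "Excellent Effort",
                  "Controlled Load", "Video", "Voice", "Network Control")


def dscp_of(ip_header: bytes) -> int:
    """Return the 6-bit DSCP from the start of an IPv4 or IPv6 header."""
    version = ip_header[0] >> 4
    if version == 4:
        return ip_header[1] >> 2                 # ToS byte = DSCP(6) | ECN(2)
    if version == 6:
        # The IPv6 Traffic Class straddles bytes 0 and 1 of the header.
        traffic_class = ((ip_header[0] & 0x0F) << 4) | (ip_header[1] >> 4)
        return traffic_class >> 2
    raise ValueError("unsupported IP version %d" % version)


def default_dscp_map() -> Dict[int, int]:
    """Default DSCP -> 802.1p table: the top three DSCP bits (IP Precedence)."""
    return {dscp: dscp >> 3 for dscp in range(64)}


def frame_priority(pcp: Optional[int], ip_header: bytes, dscp_map: Dict[int, int]) -> int:
    """802.1p priority (0-7) used to pick the queue inside a shaper class.

    A tagged frame (pcp given) keeps its 802.1p value; an untagged frame is
    classified through the DSCP / Traffic Class mapping, as the Priority
    Mapping tab configures it.
    """
    if pcp is not None:
        if not 0 <= pcp <= 7:
            raise ValueError("802.1p priority must be 0-7")
        return pcp
    return dscp_map[dscp_of(ip_header)]


def red_drop_probability(depth: int, max_buffers: int, red_level: int, red_percent: int) -> float:
    """Drop probability for an arriving packet at the given queue depth.

    Assumed model: no drops below RED Level; probability rises linearly to 1.0
    at RED Percent of Max Buffers; at or above Max Buffers every packet drops.
    """
    if depth >= max_buffers:
        return 1.0
    if depth < red_level:
        return 0.0
    upper = max(red_level + 1, max_buffers * red_percent // 100)
    return min(1.0, (depth - red_level) / (upper - red_level))


class ShaperClass:
    """One traffic-shaper class: eight 802.1p queues sharing a RED-governed buffer pool."""

    def __init__(self, max_buffers: int = 400, red_level: int = 200,
                 red_percent: int = 100, seed: int = 1) -> None:
        self.max_buffers, self.red_level, self.red_percent = max_buffers, red_level, red_percent
        self.queues: List[List[bytes]] = [[] for _ in range(8)]   # queues 0-7
        self.rng = random.Random(seed)
        self.dropped = 0

    def depth(self) -> int:
        return sum(len(q) for q in self.queues)

    def enqueue(self, pcp: Optional[int], ip_header: bytes, payload: bytes,
                dscp_map: Optional[Dict[int, int]] = None) -> Optional[int]:
        """Admit a frame; return the queue index used, or None if RED dropped it."""
        prio = frame_priority(pcp, ip_header, dscp_map or default_dscp_map())
        p_drop = red_drop_probability(self.depth(), self.max_buffers,
                                      self.red_level, self.red_percent)
        if self.rng.random() < p_drop:
            self.dropped += 1
            return None
        self.queues[prio].append(payload)
        return prio


if __name__ == "__main__":
    # Constructed sample headers: IPv4 and IPv6, both carrying DSCP 46 (EF).
    ipv4_ef = bytes([0x45, 0xB8]) + bytes(18)
    ipv6_ef = bytes([0x6B, 0x80]) + bytes(38)
    table = default_dscp_map()
    for name, hdr in (("IPv4", ipv4_ef), ("IPv6", ipv6_ef)):
        prio = frame_priority(None, hdr, table)
        print(name, "DSCP", dscp_of(hdr), "-> 802.1p", prio, PRIORITY_NAMES[prio])
    table[46] = 6                                # override: move EF to the Voice queue
    shaper = ShaperClass()
    print("override queue:", shaper.enqueue(None, ipv4_ef, b"rtp", table))
    for depth in (0, 200, 300, 399, 400):
        print("depth", depth, "drop p", red_drop_probability(depth, 400, 200, 100))
```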
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

21 Set or override the following parameters for IP DSCP Mappings for untagged frames:
Figure 5-75 Profile Overrides - Network QoS screen

DSCP: Lists the DSCP value, a 6-bit parameter in the header of every IP packet used for packet classification.
802.1p Priority: Assign an 802.1p priority as a 3-bit IP precedence value in the Type of Service field of the IP header used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted. The priority values are:
0 Best Effort
1 Background
2 Spare
3 Excellent Effort
4 Controlled Load
5 Video
6 Voice
7 Network Control

22 Set or override the following parameters for IPv6 Traffic Class Mapping for untagged frames:
| Parameter | Description |
|---|---|
| Traffic Class | Devices that originate a packet must identify different classes or priorities for IPv6 packets. Devices use the traffic class field in the IPv6 header to set this priority. |
| 802.1p Priority | Assign an 802.1p priority as a 3-bit IPv6 precedence value in the Type of Service field of the IPv6 header, used to set the priority. The valid values for this field are 0-7. Up to 64 entries are permitted. The priority values are: 0 Best Effort, 1 Background, 2 Spare, 3 Excellent Effort, 4 Controlled Load, 5 Video, 6 Voice, 7 Network Control. |

23 Use the spinner controls within the 802.1p Priority field for each DSCP row to change or override the assigned priority value.

24 Select the OK button to save the changes and overrides. Select Reset to revert to the last saved configuration.

5.2.8.8 Overriding a Profile's Spanning Tree Configuration

The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology. If there is just one VLAN in the Access Point managed network, a single spanning tree works fine. However, if the network contains more than one VLAN, the network topology defined by a single STP would work, but it is possible to make better use of the alternate paths available by using a separate spanning tree for different VLANs or groups of VLANs.

An MSTP supported deployment uses multiple MST regions with multiple MST instances (MSTI). Multiple regions and other STP bridges are interconnected using one single common spanning tree (CST).

MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format. BPDUs are used to exchange information such as bridge IDs and root path costs. Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP. MSTP encodes additional region information after the standard RSTP BPDU, as well as a number of MSTI messages. Each MSTI message conveys spanning tree information for one instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region.
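What "same MST region" means on the wire: the MST Config Name, the MST Revision Level and an HMAC-MD5 digest of the VLAN-to-instance table (the digest the next paragraph describes) are carried in every MSTP BPDU, and all three must match. The following is an added example, not code from the guide or from WiNG, that computes the digest and the configuration identifier as IEEE 802.1Q specifies, over a constructed VLAN mapping. The key is a published constant, so the digest is a consistency check rather than authentication; its practical consequence for a defender is that a single mistyped VLAN on one bridge silently splits the region instead of raising an error.

```python
import hmac
import hashlib
import struct

# HMAC-MD5 key fixed by IEEE 802.1Q for the MST Configuration Digest.
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Published digest of the default table (every VLAN left in the CIST, MSTID 0).
DEFAULT_MST_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"


def build_vlan_table(vlan_to_msti):
    """Return the 4096-element MST configuration table as bytes.

    Element i is the 16-bit big-endian MSTID that VLAN i is mapped to.
    VIDs not listed, and the reserved VIDs 0 and 4095, stay in the CIST (0).
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN {vid} outside 1-4094")
        if not 0 <= msti <= 64:
            raise ValueError(f"MSTI {msti} outside 0-64")
        struct.pack_into(">H", table, vid * 2, msti)
    return bytes(table)


def mst_config_digest(vlan_to_msti):
    """HMAC-MD5 of the VLAN-to-instance table: the 16 bytes a bridge sends
    in its BPDU instead of the 8 KiB table itself."""
    return hmac.new(MST_DIGEST_KEY, build_vlan_table(vlan_to_msti),
                    hashlib.md5).digest()


def mst_config_id(name, revision, vlan_to_msti):
    """Assemble the 51-byte MST Configuration Identifier as carried in a BPDU:
    format selector (0), 32-octet name, 16-bit revision level, 16-byte digest.
    Two bridges belong to the same MST region exactly when this value matches."""
    encoded = name.encode("utf-8")
    if len(encoded) > 32:
        raise ValueError("MST config name exceeds the 32-octet BPDU field")
    if not 0 <= revision <= 0xFFFF:
        raise ValueError("revision outside 0-65535")
    return (bytes([0]) + encoded.ljust(32, b"\x00")
            + struct.pack(">H", revision)
            + mst_config_digest(vlan_to_msti))


def same_region(config_id_a, config_id_b):
    """The region membership test a bridge applies to a received BPDU."""
    return config_id_a == config_id_b


if __name__ == "__main__":
    # Constructed sample: a local bridge, a correctly configured peer, and a
    # peer where VLAN 20 was typed into MSTI 2 instead of MSTI 1.
    ours = mst_config_id("CAMPUS", 1, {10: 1, 20: 1, 30: 2})
    peer_ok = mst_config_id("CAMPUS", 1, {30: 2, 20: 1, 10: 1})
    peer_typo = mst_config_id("CAMPUS", 1, {10: 1, 20: 2, 30: 2})
    print("default digest:", mst_config_digest({}).hex().upper())
    print("peer_ok in region:", same_region(ours, peer_ok))
    print("peer_typo in region:", same_region(ours, peer_typo))
```

When a bridge you expect inside the region shows up as a separate region, compare name, revision and digest on both sides in that order; the digest alone tells you the mapping differs, not which VLAN.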
To avoid conveying its entire VLAN-to-spanning-tree mapping in each BPDU, the Access Point encodes an MD5 digest of its VLAN-to-instance table in the MSTP BPDU. This digest is used by other MSTP supported devices to determine whether the neighboring device is in the same MST region as itself.

To create or override a profile's spanning tree configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Select Network to expand its sub menu options.

5 Select Spanning Tree.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Set the following MSTP Configuration parameters:
Figure 5-76 Spanning Tree screen

| Parameter | Description |
|---|---|
| MSTP Enable | Select this option to enable MSTP for this profile. MSTP is disabled by default; enable it if different VLANs (or groups of VLANs) are required within the network segment the profile supports. |
| Max Hop Count | Define the maximum number of hops the BPDU will consider valid in the spanning tree topology. The available range is from 7 - 127. The default setting is 20. |
| MST Config Name | Define a 64 character maximum name for the MST region as an identifier. |
| MST Revision Level | Set a numeric revision value ID for MST configuration information. Set a value from 0 - 255. The default setting is 0. |
| Cisco MSTP Interoperability | Select either the Enable or Disable radio button to enable/disable interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default. |
| Hello Time | Set a BPDU hello interval from 1 - 10 seconds. BPDUs are exchanged regularly (every 2 seconds by default) and enable supported devices to keep track of network changes and start/stop port forwarding as required. |
| Forward Delay | Set the forward delay time from 4 - 30 seconds. When a device is first attached to a port, it does not immediately forward data. It first processes BPDUs and determines the network topology. When a host is attached, the port always goes into the forwarding state after a delay while it goes through the listening and learning states. The time spent in the listening and learning states is set by the forward delay (15 seconds by default). |
| Maximum Age | Use the spinner control to set the maximum time (in seconds) to listen for the root bridge. The root bridge is the spanning tree bridge with the smallest (lowest) bridge ID. Each bridge has a unique ID and a configurable priority number; the bridge ID contains both. The available range is from 6 - 40 seconds. The default setting is 20 seconds. |
7 Set the following PortFast parameters for the profile configuration:
| Parameter | Description |
|---|---|
| PortFast BPDU Filter | Select Enable to invoke a BPDU filter for this portfast enabled port. Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs. BPDUs are exchanged regularly and enable the Access Point to keep track of network changes and to start and stop port forwarding as required. The default setting is Disabled. |
| PortFast BPDU Guard | Select Enable to invoke a BPDU guard for the portfast enabled port. Enabling the BPDU Guard feature means this port will shut down on receiving a BPDU. Thus, no BPDUs are processed. BPDUs are exchanged regularly and enable the Access Point to keep track of network changes and to start and stop port forwarding as required. The default is Disabled. |

8 Set the following Error Disable parameters for the profile configuration:
| Parameter | Description |
|---|---|
| Enable Recovery | Select this option to enable an error disable timeout resulting from a BPDU guard. This setting is disabled by default. |
| Recovery Interval | Define the recovery interval used to re-enable disabled ports. The available range is from 10 - 1,000,000 seconds, with a default setting of 300. |

9 Use the Spanning Tree Instance table to add indexes to the spanning tree topology.

10 Add up to 16 indexes and use the Priority setting to define the bridge priority used to determine the root bridge. The lower the setting defined, the greater the likelihood of becoming the root bridge in the spanning tree topology.

11 Use the Spanning Tree Instance VLANs table to add up to 15 VLAN instance indexes (by numeric ID) and VLANs to the spanning tree topology as virtual route resources.

12 Select the OK button located at the bottom right of the screen to save the changes and overrides. Select Reset to revert to the last saved configuration.

5.2.8.9 Overriding a Profile's Routing Configuration

Routing is the process of selecting IP paths within the wireless network to route traffic. Use the Routing screen to set Destination IP and Gateway addresses, enabling the assignment of static IP addresses for requesting clients without creating numerous host pools with manual bindings. This eliminates the need for a long configuration file and reduces the resource space required to maintain address pools. Both IPv4 and IPv6 routes are separately configurable using their appropriate tabs. For IPv6 networks, routing is the part of IPv6 that provides forwarding between hosts located on separate segments within a larger IPv6 network, where IPv6 routers provide packet forwarding for other IPv6 hosts.

To create or override a profile's static routes:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Select Network to expand its sub menu options.

5 Select Routing. The IPv4 Routing tab displays by default.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-77 IPv4 Static Routes screen

6 Select IP Routing to enable static routes using IP addresses. This sets Destination IP and Gateway addresses, enabling the assignment of static IP addresses for requesting clients. This option is enabled by default.

7 Use the drop-down menu to select a Policy Based Routing policy. If a suitable policy is not available, select the Create icon, or modify an existing policy-based routing policy by selecting the Edit icon. Policy-based routing (PBR) is a means of expressing and forwarding (routing) data packets based on policies defined by administrators. PBR provides a flexible mechanism for routing packets through routers, complementing existing routing protocols. PBR is applied to incoming packets. Packets received on an interface with PBR enabled are passed through enhanced packet filters (route maps). Based on the route maps, packets are forwarded/routed to their next hop.
Refer to the Static Routes table to set Destination IP and Gateway addresses, enabling the assignment of static IP addresses to requesting clients (without creating numerous host pools with manual bindings).

| Parameter | Description |
|---|---|
| Network Address | Add IP addresses and network masks in the Network Address column. |
| Gateway | Provide the Gateway address used to route traffic. |
| Default Gateway | Provide an IP address for the Default Gateway used to route traffic. Note that when routing packets, the controller, by default, obtains the Default Gateway and Name Server IP addresses from the DHCP server policy. If manually configuring the Default Gateway for static routing, also configure the Name Server IP address in the controller's device/profile config contexts. For more information on using the GUI to configure Name Servers, see Overriding a Profile's DNS Configuration. If using the CLI, in the device/profile context, execute the following command: ip name-server <NAME-SERVER-IP-ADDRESS>. |

8 Refer to the Default Route Priority field and set the following parameters:
| Parameter | Description |
|---|---|
| Static Default Route Priority | Use the spinner control to set the priority value (1 - 8,000) for the default static route. This is the weight (priority) assigned to this route versus others that have been defined. The default setting is 100. |
| DHCP Client Default Route Priority | Use the spinner control to set the priority value (1 - 8,000) for the default route learnt from the DHCP client. The default setting is 1000. |
| Enable Routing Failure | When selected, all default gateways are monitored for activity. The system will fail over to a live gateway if the current gateway becomes unusable. This feature is enabled by default. |

9 Select the OK button located at the bottom right of the screen to save the changes to the IPv4 routing configuration. Select Reset to revert to the last saved configuration.

10 Select the IPv6 Routing tab. IPv6 networks are connected by IPv6 routers. IPv6 routers pass IPv6 packets from one network segment to another.

Figure 5-78 Static Routes screen, IPv6 Routing tab

11 Select Unicast Routing to enable IPv6 unicast routing for this profile. Keeping unicast enabled allows the profile's neighbor advertisements and solicitations in unicast (as well as multicast) to provide better neighbor discovery. This setting is enabled by default.

12 Select Unique Local Address Reject Route to reject Unique Local Addresses (ULA). ULA is an IPv6 address block (fc00::/7) that is an approximate IPv6 counterpart to IPv4 private addresses. When selected, a reject entry is added to the IPv6 routing table to reject packets with a Unique Local Address.

13 Set a System NS Retransmit Interval (from 1,000 to 3,600,000 milliseconds) as the interval between neighbor solicitation (NS) messages. NS messages are sent by a node to determine the link layer address of a neighbor, or to verify a neighbor is still reachable via a cached link-layer address. The default is 1,000 milliseconds.

14 Set a System ND Reachable Time (from 5,000 to 3,600,000 milliseconds) as the time a neighbor is assumed to be reachable after receiving a neighbor discovery (ND) confirmation of its reachability. The default is 30,000 milliseconds.

15 Set an IPv6 Hop Count (from 1 - 255) as the maximum number of hops considered valid when sending IP packets. The default setting is 64.

16 Set the Router Advertisement Conversion to Unicast settings:
| Parameter | Description |
|---|---|
| RA Convert | Select this option to convert multicast router advertisements (RA) to unicast router advertisements at the dot11 layer. Unicast addresses identify a single network interface, whereas a multicast address is used by multiple hosts. This setting is disabled by default. |
| Throttle | Select this option to throttle RAs before converting to unicast. Once enabled, set the throttle interval and maximum number of RAs. This setting is disabled by default. |
| Throttle Interval | Enable this setting to define the throttle interval (3 - 1,800 seconds). The default setting is 3 seconds. |
| Max RAs | Enable this setting to define the maximum number of router advertisements per router (1 - 256) during the throttle interval. The default setting is 1. |

17 Select + Add Row as needed within the IPv6 Routes table to add additional IPv6 route resources (up to 256).

Figure 5-79 Static Routes screen, Add IPv6 Route

| Parameter | Description |
|---|---|
| Network Address | Set the IPv6 network address. Other than the length and slightly different look versus an IPv4 address, the IPv6 address concept is the same as IPv4. |
| Gateway | Set the IPv6 route gateway. A network gateway in IPv6 is the same as in IPv4. A gateway address designates how traffic is routed out of the current subnet. |
| Interface | If using a link local address, set the VLAN (1 - 4,094) used as the virtual routing interface for the local address. |

18 Select the OK button located at the bottom right of the screen to save the changes to the IPv6 routing configuration. Select Reset to revert to the last saved configuration.

5.2.8.10 Overriding a Profile's Dynamic Routing (OSPF) Configuration

Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology.
The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets. OSPF detects changes in the topology, like a link failure, and plots a new loop-free routing structure. It computes the shortest path for each route using a shortest path first algorithm. Link state data is maintained on each router and is periodically updated on all OSPF member routers.

OSPF uses a route table managed by the link cost (external metrics) defined for each routing interface. The cost could be the distance of a router (round-trip time), link throughput or link availability. Setting a cost value provides a dynamic way to load balance traffic between routes of equal cost.

An OSPF network can be subdivided into routing areas to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Areas are identified by 32-bit IDs, expressed either in decimal or in octet-based dot-decimal notation. Areas can be defined as:
stub area - A stub area is an area which does not receive route advertisements external to the autonomous system (AS), and routing from within the area is based entirely on a default route.

totally-stub - A totally stubby area does not allow summary routes and external routes. A default route is the only way to route traffic outside of the area. When there is only one route out of the area, fewer routing decisions are needed, lowering system resource utilization.

non-stub - A non-stub area imports autonomous system external routes and sends them to other areas. However, it still cannot receive external routes from other areas.

nssa - NSSA is an extension of a stub area that allows the injection of limited external routes into a stub area. If selecting NSSA, no external routes, except a default route, enter the area.

totally nssa - A totally NSSA is an NSSA into which type 3 and 4 summary routes are not flooded. It is also possible to declare an area both totally stubby and not-so-stubby, which means that the area will receive only the default route from area 0.0.0.0, but can also contain an autonomous system boundary router (ASBR) that accepts external routing information and injects it into the local area, and from the local area into area 0.0.0.0.

A router running OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors. OSPF is savvy with layer 2 topologies. If on a point-to-point link, OSPF knows it is sufficient, and the link stays up. If on a broadcast link, the router waits for election before determining if the link is functional.

To define a dynamic routing configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.

2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Expand the Network menu and select OSPF. The OSPF Settings tab displays by default, with additional Area Settings and Interface Settings tabs available.

5 Enable/disable OSPF and provide the following dynamic routing settings:
Figure 5-80 OSPF Settings screen

| Parameter | Description |
|---|---|
| Enable OSPF | Select this option to enable OSPF. OSPF is disabled by default. |
| Router ID | Select this option to define a router ID (numeric IP address) for this OSPF configuration. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network. |
| Auto-Cost | Select this option to specify the reference bandwidth (in Mbps) used to calculate the OSPF interface cost if OSPF is either STUB or NSSA. The default setting is 1. |
| Passive Mode on All Interfaces | When selected, all layer 3 interfaces are set as OSPF passive interfaces. This setting is disabled by default. |
| Passive Removed | If enabling Passive Mode on All Interfaces, use the spinner control to select VLANs (by numeric ID) as OSPF non-passive interfaces. Multiple VLANs can be added to the list. |
| Passive Mode | If disabling Passive Mode on All Interfaces, use the spinner control to select VLANs (by numeric ID) as OSPF passive interfaces. Multiple VLANs can be added to the list. |
| VRRP State Check | Select this option to use OSPF only if the VRRP interface is not in a backup state. The Virtual Router Redundancy Protocol (VRRP) provides automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selection on an IP subnetwork. This setting is enabled by default. |

6 Set the following OSPF Overload Protection settings:
| Parameter | Description |
|---|---|
| Number of Routes | Use the spinner control to set the maximum number of OSPF routes permitted. The available range is from 1 - 4,294,967,295. |
| Retry Count | Set the maximum number of retries (OSPF resets) permitted before the OSPF process is shut down. The available range is from 1 - 32. The default setting is 5. |
| Retry Time Out | Set the duration (in seconds) the OSPF process remains off before initiating its next retry. The available range is from 1 - 3,600 seconds. The default is 60 seconds. |
| Reset Time | Set the reset time (in seconds) that, when exceeded, resets the retry count to zero. The available range is from 1 - 86,400. The default is 360 seconds. |

7 Set the following Default Information:
| Parameter | Description |
|---|---|
| Originate | Select this option to make the default route a distributed route. This setting is disabled by default. |
| Always | Enabling this setting continuously maintains a default route, even when no routes appear in the routing table. This setting is disabled by default. |
| Metric Type | Select this option to define the exterior metric type (1 or 2) used with the default route. |
| Route Metric | Select this option to define the route metric used with the default route. OSPF uses path cost as its routing metric. It is defined by the speed (bandwidth) of the interface supporting a given route. |

Refer to the Route Redistribution table to set the types of routes that can be used by OSPF. Select the + Add Row button to populate the table. Set the Route Type used to define the redistributed route. Options include connected, kernel and static.

8 Select the Metric Type option to define the exterior metric type (1 or 2) used with the route redistribution. Select the Metric option to define the route metric used with the redistributed route.

9 Use the OSPF Network table to define networks (IP addresses) to connect using dynamic routes.

10 Select the + Add Row button to populate the table. Add the IP address and mask of the Network(s) participating in OSPF. Additionally, define the OSPF area (IP address) to which the network belongs.

11 Set an OSPF Default Route Priority (1 - 8,000) as the priority of the default route learnt from OSPF. The default setting is 7,000.

12 Select the Area Settings tab. An OSPF Area contains a set of routers exchanging Link State Advertisements (LSAs) with others in the same area. Areas limit LSAs and encourage aggregate routes.

13 Review existing Area Settings configurations:
Figure 5-81 OSPF Area Settings screen

| Parameter | Description |
|---|---|
| Area ID | Displays either the IP address or integer representing the OSPF area. |
| Authentication Type | Lists the authentication scheme used to validate the credentials of each dynamic route connection. |
| Type | Lists the OSPF area type for each listed configuration. |

14 Select Add to create a new OSPF configuration, Edit to modify an existing configuration or Delete to remove a configuration.

15 Set the OSPF Area configuration.

Figure 5-82 OSPF Area Configuration screen

| Parameter | Description |
|---|---|
| Area ID | Use the drop down menu and specify either an IP address or integer for the OSPF area. |
| Authentication Type | Select either None, simple-password or message-digest as the credential validation scheme used with the OSPF dynamic route. The default setting is None. |
| Type | Set the OSPF area type as either stub, totally-stub, nssa, totally-nssa or non-stub. |
| Default Cost | Select this option to set the default summary cost advertised if creating a stub. Set a value from 1 - 16,777,215. |
| Translate Type | Define how messages are translated. Options include translate-candidate, translate-always and translate-never. The default setting is translate-candidate. |
| Range | Specify a range of addresses for routes matching address/mask for OSPF summarization. |

16 Select the OK button to save the changes to the area configuration. Select Reset to revert to the last saved configuration.

17 Select the Interface Settings tab.

18 Review the following Interface Settings:
Figure 5-83 OSPF Interface Settings screen

| Parameter | Description |
|---|---|
| Name | Displays the name defined for the interface configuration. |
| Type | Displays the type of interface. |
| Description | Lists each interface's 32 character maximum description. |
| Admin Status | Displays whether admin status privileges have been enabled or disabled for the OSPF route's virtual interface connection. |
| VLAN | Lists the VLAN IDs set for each listed OSPF route virtual interface. |
| IP Address | Displays the IP addresses defined as virtual interfaces for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided. |

19 Select the Add button to define a new set of virtual interface basic settings, or Edit to update the settings of an existing virtual interface configuration.

Figure 5-84 OSPF Virtual Interface - Basic Configuration screen - General tab

20 Within the Properties field, enter a 32 character maximum Description to help differentiate the virtual interface configuration used with this OSPF route. Enable/disable Admin Status as needed. It is enabled by default.

21 Define the NAT Direction as either Inside, Outside or None. Network Address Translation (NAT) is an Internet standard enabling a local area network (LAN) to use one set of IP addresses for internal traffic (inside) and a second set of addresses for external (outside) traffic.

22 Set the following DHCPv6 Client Configuration. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework for passing configuration information.

| Parameter | Description |
|---|---|
| Stateless DHCPv6 Client | Select this option to request information from the DHCPv6 server using stateless DHCPv6. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is disabled by default. |
| Prefix Delegation Client | Specify a 32 character maximum request prefix for prefix delegation from a DHCPv6 server over this virtual interface. |
| Request DHCPv6 Options | Select this option to request DHCPv6 options on this virtual interface. DHCPv6 options provide configuration information for a node that must be booted using the network rather than locally. This setting is disabled by default. |

23 Set the following Bonjour Gateway settings. Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers and other computers, and the services those computers offer over a local network.

Bonjour provides a general method to discover services on a local area network (LAN). It allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with special DNS configuration, it can be extended to find services across broadcast domains.

From the drop-down, select the Bonjour Gateway discovery policy. Select the Create icon to define a new Bonjour Gateway policy configuration, or select the Edit icon to modify an existing Bonjour Gateway policy configuration.

24 Set the following MTU settings for the virtual interface:
| Parameter | Description |
|---|---|
| Maximum Transmission Unit (MTU) | Set the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size. The default MTU is 1,492. |
| IPv6 MTU | Set an IPv6 MTU for this virtual interface from 1,280 - 1,500. A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data. The default is 1,500. |

25 Within the ICMP field, define whether ICMPv6 redirect messages are sent. A redirect requests that data packets be sent on an alternative route. This setting is enabled by default.

26 Within the Address Autoconfiguration field, define whether to configure IPv6 addresses on this virtual interface based on the prefixes received in router advertisement messages. This setting is enabled by default.

27 Set the following Router Advertisement Processing settings for the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.

| Parameter | Description |
|---|---|
| Accept RA | Enable this option to allow router advertisements over this virtual interface. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. This setting is enabled by default. |
| No Default Router | Select this option to not consider routers present on this interface for default router selection. This setting is disabled by default. |
| No MTU | Select this option to not use the set MTU value for router advertisements on this virtual interface. This setting is disabled by default. |
| No Hop Count | Select this option to not use the hop count advertisement setting for router advertisements on this virtual interface. This setting is disabled by default. |

28 Select OK to save the changes. Select Reset to revert to the last saved configuration.

29 Select the IPv4 tab to set IPv4 settings for this virtual interface. IPv4 is a connectionless protocol. It operates on a best effort delivery model that does not guarantee delivery or assure proper sequencing or avoidance of duplicate delivery (unlike TCP).

30 Set the following network information from within the IPv4 Addresses field:
Figure 5-85 Virtual Interfaces - Basic Configuration screen - IPv4 tab

| Parameter | Description |
|---|---|
| Enable Zero Configuration | Zero Configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect to based on a user's preferences and various default settings. Zero config can be used instead of a wireless network utility from the manufacturer of a computer's wireless networking device. This value is set to None by default. |
| Primary IP Address | Define the IP address for the VLAN associated Virtual Interface. |
| Use DHCP to Obtain IP | Select this option to allow DHCP to provide the IP address for the Virtual Interface. Selecting this option disables the Primary IP Address field. |
| Use DHCP to obtain Gateway/DNS Servers | Select this option to allow DHCP to obtain a default gateway address and DNS resource for one virtual interface. This setting is disabled by default and is only available when the Use DHCP to Obtain IP option is selected. |
| Secondary Addresses | Use the Secondary Addresses parameter to define additional IP addresses to associate with VLAN IDs. The address provided in this field is used if the primary IP address is unreachable. |

31 Refer to the DHCP Relay field to set the DHCP relay server configuration used with the Virtual Interface.

| Parameter | Description |
|---|---|
| Respond to DHCP Relay Packets | Select this option to allow the onboard DHCP server to respond to relayed DHCP packets on this interface. This setting is disabled by default. |
| DHCP Relays | Provide IP addresses for DHCP server relay resources. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends the response back to the client. |

32 Select OK to save the changes to the IPv4 configuration. Select Reset to revert to the last saved configuration.

33 Select the IPv6 tab to set IPv6 settings for this virtual interface. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

Figure 5-86 Virtual Interfaces - Basic Configuration screen - IPv6 tab

34 Refer to the IPv6 Addresses field to define how IPv6 addresses are created and utilized.

| Parameter | Description |
|---|---|
| IPv6 Mode | Select this option to enable IPv6 support on this virtual interface. |
| IPv6 Address Static | Define up to 15 global IPv6 addresses that can be created statically. IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons. |
| IPv6 Address Static using EUI-64 | Optionally set up to 15 global IPv6 addresses (in the EUI-64 format) that can be created statically. |
| IPv6 Address Link Local | |
The IPv6 EUI-64 format address is obtained through a 48-bit MAC address. The MAC is initially separated into two 24-
bits, with one being an OUI (Organizationally Unique Identifier) and the other being client specific. A 16-bit 0xFFFE is then inserted between the two 24-bits for the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in EUI-64 generated from the an EUI-48 MAC address. Provide the IPv6 local link address. IPv6 requires a link local address assigned to every interface the IPv6 protocol is enabled, even when one or more routable addresses are assigned. 35 Enable the Enforce Duplicate Address option to enforce duplicate address protection when any wired port is connected and in a forwarding state. This option is enabled by default. 36 Refer to the IPv6 Address Prefix from Provider table use prefix abbreviations (in EUI64 format) as shortcuts of the entire character set comprising an IPv6 formatted IP address. 37 Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined. Figure 5-87 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider Delegated Prefix Name Host ID Enter a 32 character maximum name for the IPv6 address prefix from provider. Define the subnet ID, host ID and prefix length. Wireless Controller and Service Platform System Reference Guide 5 - 157 Device Configuration 38 Select OK to save the changes to the new IPv6 prefix from provider. Select Exit to close the screen without saving the updates. 39 Refer to the IPv6 Address Prefix from Provider EUI64 table to review ISP provided prefix abbreviations. 40 Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined in EUI64 format. Figure 5-88 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider EUI64 Delegated Prefix Name Host ID Enter a 32 character maximum name for the IPv6 address prefix from provider in EUI format. Define the subnet ID and prefix length. 
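The EUI-64 derivation described in step 34, which the EUI64 prefix tables of steps 39 and 40 build on, carried through in code as an added example that is not part of the guide. It assumes a constructed MAC address and the RFC 3849 documentation prefix 2001:db8::/64, and it also applies the universal/local bit inversion that the modified EUI-64 form of RFC 4291 requires, which the guide text does not mention; the last function shows why this matters to a defender, since an EUI-64 address exposes the host's MAC and vendor OUI.

```python
"""Modified EUI-64 interface identifiers from a MAC address (added example, not from the guide)."""
import ipaddress
import re


def mac_to_modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    Steps (RFC 4291, Appendix A): split the MAC into its 24-bit OUI and
    24-bit device-specific halves, insert 0xFFFE between them, then invert
    the universal/local bit (0x02 of the first octet).  The U/L inversion is
    part of the modified EUI-64 form and is not described in the guide text.
    """
    hex_digits = re.sub(r"[^0-9a-fA-F]", "", mac)   # accept 00:1b:..., 00-1b-..., 001b...
    if len(hex_digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets = bytearray(bytes.fromhex(hex_digits))
    oui, device = octets[:3], octets[3:]
    eui64 = bytearray(oui + b"\xff\xfe" + device)  # 24 bits + FFFE + 24 bits
    eui64[0] ^= 0x02                               # flip the universal/local bit
    return bytes(eui64)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the modified EUI-64 identifier of a MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface identifiers require a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + mac_to_modified_eui64(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 link local address every IPv6 interface carries (step 34)."""
    return eui64_address("fe80::/64", mac)


def mac_from_eui64_address(addr: str):
    """Recover the MAC from an EUI-64 formed address, or None if the IID is not EUI-64 shaped.

    The reserved ff:fe marker in the middle of the identifier is the tell; a
    log entry with such an address reveals the hardware address of the host.
    """
    iid = bytearray(ipaddress.IPv6Address(addr).packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02                                 # undo the universal/local flip
    mac_bytes = iid[:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac_bytes)


if __name__ == "__main__":
    mac = "00:1b:63:84:45:e6"                      # constructed sample MAC
    print(link_local_address(mac))                 # fe80::21b:63ff:fe84:45e6
    print(eui64_address("2001:db8::/64", mac))     # 2001:db8::21b:63ff:fe84:45e6
    print(mac_from_eui64_address("2001:db8::21b:63ff:fe84:45e6"))  # 00:1b:63:84:45:e6
```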
41 Select OK to save the changes to the new IPv6 prefix from provider in EUI64 format. Select Exit to close the screen without saving the updates.
42 Refer to the DHCPv6 Relay table to set the address and interface of the DHCPv6 relay. The DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends the response back to the client.
43 Select + Add Row to launch a sub screen wherein a new DHCPv6 relay address and interface VLAN ID can be set.
Figure 5-89 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add DHCPv6 Relay
Address: Enter an address for the DHCPv6 relay. These DHCPv6 relays receive messages from DHCPv6 clients and forward them to DHCPv6 servers. The DHCPv6 server sends responses back to the relay, and the relay then sends these responses to the client on the local network link.
Interface: Select this option to enable a spinner control to define a VLAN ID from 1 - 4,094 used as the virtual interface for the DHCPv6 relay. The interface designation is only required for link local and multicast addresses. A link local address is a locally derived address designed for addressing on a single link for automatic address configuration, neighbor discovery or when no routing resources are available.
44 Select OK to save the changes to the DHCPv6 relay configuration. Select Exit to close the screen without saving the updates.
45 Select the IPv6 RA Prefixes tab.
Figure 5-90 Virtual Interfaces - Basic Configuration screen - IPv6 RA Prefixes tab
46 Use the Router Advertisement Policy drop-down menu to select and apply a policy to the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. Review the configurations of existing IPv6 advertisement policies. If needed, select + Add Row to define the configuration of an additional IPv6 RA prefix.
Figure 5-91 Virtual Interfaces - Basic Configuration screen - Add IPv6 RA Prefix
47 Set the following IPv6 RA Prefix settings:
Prefix Type: Set the prefix delegation type used with this configuration. Options include Prefix and prefix-from-provider. The default setting is Prefix. A prefix allows an administrator to associate a user defined name to an IPv6 prefix. A provider assigned prefix is made available from an Internet Service Provider (ISP) to automate the process of providing and informing the prefixes used.
Prefix or ID: Set the actual prefix or ID used with the IPv6 router advertisement.
Site Prefix: The site prefix is added into a router advertisement prefix. The site address prefix signifies the address is only on the local link.
Valid Lifetime Type: Set the lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If set to infinite, no additional date or time settings are required and the prefix will not expire. The default setting is External (fixed).
Valid Lifetime Sec: If the lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime.
Valid Lifetime Date: If the lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix.
Valid Lifetime Time: If the lifetime type is set to decrementing, set the time for the prefix's validity.
Preferred Lifetime Type: Set the administrator preferred lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If set to infinite, no additional date or time settings are required and the prefix will not expire. The default setting is External (fixed).
Preferred Lifetime Sec: If the administrator preferred lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime.
Preferred Lifetime Date: If the administrator preferred lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix.
Preferred Lifetime Time: If the preferred lifetime type is set to decrementing, set the time for the prefix's validity.
Autoconfig: Autoconfiguration entails generating a link-local address, global addresses via stateless address autoconfiguration and duplicate address detection to verify the uniqueness of the addresses on a link. This setting is enabled by default.
On Link: Select this option to keep the IPv6 RA prefix on the local link. The default setting is enabled.
48 Select OK to save the changes to the IPv6 RA prefix configuration. Select Exit to close the screen without saving the updates.
49 Select the Security tab.
Figure 5-92 OSPF Virtual Interface - Security screen
50 Use the IPv4 Inbound Firewall Rules drop down menu to select the IPv4 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv4 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, since it does not guarantee delivery and does not ensure proper sequencing or avoidance of duplicate delivery (unlike TCP). IPv4 and IPv6 are different enough to warrant separate protocols. IPv6 devices can alternatively use stateless address autoconfiguration. IPv4 hosts can use link local addressing to provide local connectivity.
51 Use the IPv6 Inbound Firewall Rules drop down menu to select the IPv6 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv6 is the latest revision of the Internet Protocol (IP), replacing IPv4. IPv6 provides enhanced identification and location information for systems routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
52 Refer to the VPN Crypto Map drop down menu to attach an existing crypto map to this virtual interface. A new crypto map configuration can be added by selecting the Create icon, or existing configurations can be modified by selecting the Edit icon. Crypto Map entries are sets of configuration parameters for encrypting packets that pass through the VPN Tunnel. If no Crypto Map configuration exists that suits the needs of this virtual interface, select the Create icon to define a new Crypto Map configuration or the Edit icon to modify an existing configuration. For more information, see Overriding a Profiles VPN Configuration on page 5-207.
53 Use the Web Filter drop-down menu to select or override the URL Filter configuration applied to this virtual interface. Web filtering is used to restrict access to resources on the Internet.
54 Select OK to save the changes to the configuration. Select Reset to revert to the last saved configuration.
55 Select the Dynamic Routing tab.
56 Define or override the following parameters from within the OSPF Settings field:
Figure 5-93 OSPF Virtual Interface - Dynamic Routing screen
Priority: Select this option to set the OSPF priority used to select the network designated router. Use the spinner control to set the value from 0 - 255.
Cost: Select this option to set the cost of the OSPF interface. Use the spinner control to set the value from 1 - 65,535.
Bandwidth: Set the OSPF interface bandwidth (in Kbps) from 1 - 10,000,000.
57 Select the authentication type from the Chosen Authentication Type drop-down used to validate credentials within the OSPF dynamic route. Options include simple-password, message-digest, null and None. The default is None.
58 Select the + Add Row button at the bottom of the MD5 Authentication table to add the Key ID and Password used for MD5 validation of authenticator credentials. Use the spinner control to set the OSPF message digest authentication key ID; the available range is 1 - 255. The password is the OSPF key, displayed either as a series of asterisks or in plain text (by selecting Show). MD5 is a message digest algorithm using a cryptographic hash producing a 128-bit (16-byte) hash value, usually expressed in text as a 32 digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity.
59 Select OK to save the changes to the configuration. Select Reset to revert to the last saved configuration.
5.2.8.11 Overriding a Profiles Border Gateway Protocol (BGP) Configuration
Border Gateway Protocol (BGP) is an inter-ISP routing protocol which establishes routing between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators. The primary role of a BGP system is to exchange network reachability information with other BGP peers. This information includes information on the ASs that the reachability information traverses. This information is sufficient to create a graph of AS connectivity from which routing decisions can be made and rules enforced.
An Autonomous System (AS) is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. An AS uses inter-AS routing to route packets to other ASs. To an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of the destinations reachable through it. Routing information exchanged through BGP supports only destination based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet).
BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed).
To define or override a profile's BGP configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select BGP.
NOTE: BGP is only supported on RFS4000, RFS6000 and NX9500 model controllers and service platforms.
The General tab displays by default.
6 Review the following BGP general configuration parameters to determine whether an override is warranted:
Figure 5-94 Border Gateway Protocol - General tab
ASN: Define the Autonomous System Number (ASN). An ASN identifies a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets. Select a value from 1 - 4,294,967,295.
Enable: Enable to start BGP on this controller or service platform. BGP is only supported on RFS4000, RFS6000 and NX9500 model controllers and service platforms. The default is disabled.
Always Compare Med: Multi-exit Discriminator (MED) is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared when selecting the best route to the host network. A route with a lower MED value is always selected over a route with a higher MED value. BGP does not discriminate between iBGP and eBGP when using MED for route selection. This option is mutually exclusive with the Deterministic MED option.
Default IPv4 Unicast: Select this option to enable IPv4 unicast traffic for neighbors. This option is disabled by default.
Default Local Preference: Select this option to enable a local preference for the neighbor. When enabled, set the local preference value (1 - 4,294,967,295).
IP Default Gateway Priority: Set the default priority value for the IP Default Gateway. Set a value from 1 - 8000. The default is 7500.
Deterministic Med: Multi-exit Discriminator (MED) is used by BGP peers to select the best route among multiple routes. When enabled, MED route values (from the same AS) are compared to select the best route. This best route is then compared with other routes in the BGP route table to select the best overall route. This option is mutually exclusive with the Always Compare MED option.
Enforce First AS: Select this option to deny any updates received from an external neighbor that does not have the neighbor's configured AS at the beginning of the received AS path parameter. This enhances security by not allowing traffic from an unauthorized AS. This setting is disabled by default.
Fast External Failover: Select this option to immediately reset the BGP session on the interface once the BGP connection goes down. Normally, when a BGP connection goes down, the device waits for the expiry of the duration specified in the Holdtime parameter before bringing down the interface. This setting is enabled by default.
Log Neighbor Changes: Select this option to enable logging of changes in routes to neighbor BGP peers. This enables the logging of only the changes in neighbor routes. All other events must be explicitly turned on using debug commands. This setting is disabled by default.
Network Import Check: Select this option to enable a network import check to ensure consistency in advertisements. This setting is disabled by default.
Router ID: Select this option to manually configure the router ID for this BGP supported controller or service platform. The router ID identifies the device uniquely. When no router ID is specified, the IP address of the interface is considered the router ID. This setting is disabled by default.
Scan Time: Select this option to set the scanning interval for updating BGP routes. This interval is the period between two consecutive scans in which the BGP device checks the validity of routes in its routing table. To disable this setting, set the value to zero (0). The default setting is 60 seconds.
7 Optionally select the Missing AS Worst option to treat any path that does not contain a MED value as the least preferable route. This setting is disabled by default.
8 Review the following Bestpath parameters:
AS-Path Ignore: Select this option to prevent an AS path from being considered as a criterion for selecting a preferred route. The route selection algorithm uses the AS path as one of the criteria when selecting the best route. When this option is enabled, the AS path is ignored.
Compare Router Id: Select this option to use the router ID as a selection criterion when determining a preferred route. The route selection algorithm uses various criteria when selecting the best route. When this option is enabled, the router ID is used to select the best path between two identical BGP routes. The route with the lower router ID is selected over a route with a higher router ID.
9 Set or override the following Distance for Route Types. The distance parameter is a rating of route trustworthiness. The greater the distance, the lower the trust rating. The distance can be set for each type of route, indicating its trust rating.
External Routes: External routes are those routes learned from a neighbor of this BGP device. Set a value from 1 - 255.
Internal Routes: Internal routes are those routes learned from another router within the same AS. Set a value from 1 - 255.
Local Routes: Local routes are those routes being redistributed from other processes within this BGP router. Set a value from 1 - 255.
10 Set or override the following Route Limit parameters:
Number of Routes: Configures the number of routes that can be stored on this BGP router. Set this value based on the available memory on this BGP router. Configure a value from 1 - 4,294,967,295. The default value is 9,216 routes.
Reset Time: Configures the reset time. This is the time limit after which the Retry Count value is set to zero (0). Set a value from 1 - 86,400 seconds.
Retry Count: Configures the number of times the BGP process is reset before it is shut down. Once shut down, the BGP process has to be started manually. The BGP process is reset if it is flooded with route entries that exceed its number of routes. Set a value from 1 - 32.
Retry Timeout: Configures the time duration in seconds the BGP process is shut down temporarily before a reset of the process is attempted. Set a value from 1 - 3,600 seconds.
11 Set or override the following Timers:
Keepalive: Set the duration, in seconds, for the keepalive timer used to maintain connections between BGP neighbors. Set a value from 0 - 65,535 seconds.
Holdtime: Set the time duration, in seconds, for the hold (delay) of packet transmissions.
12 Set the following Aggregate Address parameters:
Aggregate addresses are used to minimize the size of the routing tables. Aggregation combines the attributes of several different routes and advertises a single route. This creates an aggregation entry in the BGP routing table if more specific BGP routes are available in the specified address range.
IP Prefix: Enter an IP address and mask used as the aggregate address.
Summary Only: Select this option to advertise the IP Prefix route to the BGP neighbor while suppressing the detailed and more specific routes.
As Set: Generates AS set path information. Select to enable. When selected, it creates an aggregate entry advertising the path for this route, consisting of all elements contained in all the paths being summarized. Use this parameter to reduce the size of path information by listing the AS number only once, even if it was included in multiple paths that were aggregated.
13 Set the following Distance for IP Source Prefix fields:
IP Source Prefix: Enter an IP address and mask used as the prefix source address.
Admin Distance: Use the spinner control to set the BGP route's admin distance from 1 - 255.
IP Access List: Provide the IP address used to define the prefix list rule.
14 Configure the following Network values.
Network: Configure an IP address to broadcast to neighboring BGP peers. This network can be a single IP address or a range of IP addresses in A.B.C.D/M format.
Pathlimit: Configure the maximum path limit for this AS. Set a value from 1 - 255 AS hops.
Backdoor: Select this option to indicate to border devices that this network is reachable using a backdoor route. A backdoor network is treated the same as a local network, except it is not advertised. This setting is disabled by default.
Route Map: Select an existing route map as a method of controlling and modifying routing information. The control of route information occurs using route redistribution keys.
15 Configure the following Route Redistribute values.
Route Type: Use the drop-down menu to define the route type as either connected, kernel, ospf or static.
Metric: Select this option to set a numeric route metric used for route matching and permit designations.
Route Map: Select an existing route map as a method of controlling and modifying routing information. The control of route information occurs using route redistribution keys.
16 Select OK to save the changes and overrides. Select Reset to revert to the last saved configuration.
17 Select the Neighbor tab. The Neighbor tab displays a list of configured BGP neighbor devices identified by their IP address.
Figure 5-95 Border Gateway Protocol - Neighbor tab
18 Select Add to add a new BGP neighbor configuration, or select an existing Identifier and select Edit to modify it. The following screen displays with the General tab displayed by default. The General tab displays the different configuration parameters for the neighbor BGP device.
Figure 5-96 Border Gateway Protocol - Neighbor tab - Add/Edit screen
19 Configure the following common parameters:
Remote AS: Define the Autonomous System Number (ASN) for the neighbor BGP device. An ASN identifies a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. Set a value from 1 - 4,294,967,295.
Advertise Capability Dynamic: Select this option to show a neighbor device's capability to advertise or withdraw an address capability to other peers in a non-disruptive manner. This setting is disabled by default.
Advertise Capability ORF: Select this option to enable Outbound Route Filtering (ORF) and advertise this capability to peer devices. ORFs send and receive capabilities to lessen the number of updates exchanged between BGP peers. By filtering updates, ORF minimizes update generation and exchange overhead. The local BGP device advertises ORF in the send mode. The peer BGP device receives the ORF capability in receive mode. The two devices exchange updates to maintain the ORF for each router. Only a peer group or an individual BGP router can be configured to be in receive or send mode. A member of a peer group cannot be configured.
Advertisement Interval: Use the Advertisement Interval to set the minimum interval between sending BGP router updates. Sending too many router updates creates flapping of routes, leading to possible disruptions. Set a minimum interval so that BGP routing updates are sent after the set interval in seconds. The default is 5 seconds.
Disable Capability Negotiate: Select to disable capability negotiation with BGP neighbors. This allows compatibility with older BGP versions that have no capability parameters in the open messages between peers. This setting is disabled by default.
Description: Provide an 80 character maximum description for this BGP neighbor device.
Disable Connected Check: If utilizing loopback interfaces to connect single-hop BGP peers, enable the neighbor disable connected check before establishing the BGP peering session. This setting is disabled by default.
Enforce Multihop: A multihop route is a route to external peers on indirectly connected networks. Select to enforce neighbors to perform a multi-hop check. This setting is disabled by default.
Next Hop Self: Select to enable Next Hop Self. Use this to configure this device as the next hop for a BGP speaking neighbor or peer group. This allows the BGP device to change the next hop information that is sent to iBGP peers. The next hop address is set to the IP address of the interface used to communicate with the eBGP neighbor. This setting is disabled by default.
Override Capability: Select this to enable the ability to override the capability negotiation result. This setting is disabled by default.
Passive: Select this option to set this BGP neighbor as passive. When a neighbor is set as passive, the local device does not attempt to open a connection to this device. This setting is disabled by default.
Reconnect Interval: Set a reconnection interval for peer BGP devices from 0 - 65,535 seconds. The default setting is 120 seconds.
Send Community: Select this option to ensure the community attribute is sent to the BGP neighbor. The community attribute groups destinations in a certain community and applies routing decisions based on the community. On receiving the community attribute, the BGP router announces it to the neighbor.
Shutdown: Select this option to administratively shut down this BGP neighbor. This setting is disabled by default.
Soft Reconfiguration Inbound: Select this option to store updates for inbound soft reconfiguration. Soft reconfiguration can be used in lieu of the BGP route refresh capability. Selecting this option enables local storage of all received routes and their attributes. This requires additional memory on the BGP device. When a soft reset (inbound) is performed on the neighbor device, the locally stored routes are reprocessed according to the inbound policy. The BGP neighbor connection is not affected.
Update Source: Select this option to allow internal BGP sessions to use any operational interface for TCP connections. Use Update Source in conjunction with any specified interface on the router. The loopback interface is the interface most commonly used with this command. The use of a loopback interface eliminates a dependency, and BGP does not have to rely on the availability of a particular interface for making TCP connections. This setting is disabled by default.
Unsuppress Map: Enable Unsuppress Map to selectively advertise more precise routing information to this neighbor. Use this in conjunction with the Route Aggregate command. The route aggregate command creates a route map with an IP/mask address that consolidates the subnets under it. This reduces the number of route maps on the BGP device to one entry that encompasses all the different subnets. Use Unsuppress Map to selectively allow/deny a subnet or a set of subnets. Use the Create icon to create a new route map. Use the Edit icon to edit an existing route map list after selecting it.
Weight: Select to set the weight of all routes learned from this BGP neighbor. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The highest weight is always chosen.
20 Configure or set the following Default Originate parameters. Default originate is used by the local BGP router to send the default route 0.0.0.0 to its neighbor for use as a default route.
Enable Route Map Select to enable Default Originate on this BGP neighbor. This setting is disabled by default. Use the drop-down menu to select a route map (enhanced packet filter) to use as the Default Originate route. 21 Configure or set the following Route Map parameters. This configures how route maps are applied for this BGP neighbor. Direction Route Map Use the drop-down menu to configure the direction on which the selected route map is applied. Select one from in, out, export or import. Use the drop-down menu to select the route map to use with this BGP neighbor. Use the Create icon to create a new route map. Use the Edit icon to edit an existing route map after selecting it. 22 Configure or set the following Distribute List parameters. Up to 2 distribute list entries can be created. Direction Name Use the drop-down menu to configure the direction on which the selected IP access list is applied. Select either in or out. Use the drop-down menu to select the route map to use with this BGP neighbor. Use the Create icon to create a new IP Access list. Use the Edit icon to edit an existing IP Access list after selecting it. 23 Configure or set the following eBGP Multihop parameters. This configures the maximum number of hops that can be between eBGP neighbors not directly connected to each other. Enable Max Hops Select to enable eBGP Multihop on this BGP neighbor. Set the maximum number of hops between eBGP neighbors not connected directly. Select a value from 1 - 255. Wireless Controller and Service Platform System Reference Guide 5 - 172 Device Configuration 24 Configure or set the following Filter List parameters. Up to 2 filter list entries can be created. Direction Name Use the drop-down menu to configure the direction on which the selected AS Path list is applied. Select either in or out. Use the drop-down menu to select the AS Path list to use with this BGP neighbor. Use the Create icon to create a new AS Path list. 
Use the Edit icon to edit an existing AS Path list after selecting it. 25 Configure or set the following Local AS parameters.
CAUTION: This is an experimental feature and its actual operation may be unpredictable.
AS Number: Specify the local Autonomous System (AS) number. Select from 1 - 4,294,967,295.
No Prepend: Select to enable. When enabled, the local AS number is not prepended to route updates from eBGP peers.
26 Configure or set the following Maximum Prefix value. This configures the maximum number of prefixes that can be received from a BGP neighbor.
Prefix Limit: Sets the maximum number of prefixes that can be received from a BGP neighbor. Select from 1 - 4,294,967,295. Once this threshold is reached, the BGP peer connection is reset.
Threshold Percent: Sets the threshold limit for generating a log message. When this percent of the Prefix Limit is reached, a log entry is generated. For example, if the Prefix Limit is set to 100 and Threshold Percent is set to 65, then after receiving 65 prefixes a log entry is created.
Restart Limit: Sets the number of times a reset BGP peer connection is restarted. Select a value from 1 - 65535.
Warning Only: Select to enable. When the number of prefixes specified in the Prefix Limit field is exceeded, the connection is reset. However, when this option is enabled, the connection is not reset and an event is generated instead. This setting is disabled by default.
27 Configure or set the following Prefix List parameters. Up to 2 prefix list entries can be created.
Direction: Use the drop-down menu to configure the direction in which the selected IP prefix list is applied. Select either in or out.
Name: Use the drop-down menu to select the IP prefix list to use with this BGP neighbor. Use the Create icon to create a new IP prefix list, or select the Edit icon to edit an existing IP prefix list after selecting it.
28 Set or override the following Timers for this BGP neighbor:
Keepalive: Set the time duration in seconds for keepalive. The keepalive timer is used to maintain connections between BGP neighbors. Set a value from 1 - 65,535 seconds.
Holdtime: Set the time duration in seconds for the hold time.
29 Select OK to save the changes and overrides. Select Reset to revert to the last saved configuration.
30 Select the Experimental tab.
CAUTION: This is an experimental feature and its actual operation may be unpredictable.
31 Set the following Experimental BGP parameters:
Figure 5-97 Border Gateway Protocol - Neighbor tab - Experimental tab
Activate: Enable an address family for this neighbor. This setting is enabled by default.
Attribute Unchanged AS-Path: Select to propagate the AS path BGP attribute unchanged to this neighbor BGP device. This setting is enabled by default.
Attribute Unchanged Med: Select to propagate the MED BGP attribute unchanged to this neighbor BGP device. This setting is enabled by default.
Attribute Unchanged Next Hop: Select to propagate the next hop BGP attribute value unchanged to this neighbor BGP device. This setting is enabled by default.
Peer Group: Set the peer group for this BGP neighbor device. Peer groups are a set of BGP neighbors with the same update policies. This facilitates the updating of various policies, such as distribute lists and filter lists. The peer group can be configured as a single entity. Any changes made to the peer group are propagated to all members.
Remove Private AS: Select this option to remove the private Autonomous System (AS) number from outbound updates. Private AS numbers are not advertised to the Internet. This option is used with external BGP (eBGP) peers only. The router removes the AS numbers only if the update includes private AS numbers. If the update includes both private and public AS numbers, the system treats it as an error.
Route Reflector Client: Select this option to enable this BGP neighbor as a route reflector client for the local router. Route reflectors control large numbers of iBGP peerings. Using route reflection, the number of iBGP peers is reduced. This option configures the local BGP device as a route reflector and the neighbor as its route reflector client. This setting is disabled by default.
Route Server Client: Select this option to enable this neighbor BGP device to act as a route server client. This setting is disabled by default.
Strict Capability Match: Select this option to enable a strict capability match before allowing a neighbor BGP peer to open a connection. When capabilities do not match, the BGP connection is closed. This setting is disabled by default.
TCP Port: Select to enable configuration of a non-standard BGP port for this BGP neighbor. By default the BGP port number is 179. To configure a non-standard port for this BGP neighbor, use the control to set the port number. Select a value from 1 - 65,535.
32 Configure or set the following Allowas In parameters. This configures the Provider Edge (PE) routers to allow the re-advertisement of all prefixes containing duplicate Autonomous System Numbers (ASN). This creates a pair of VPN Routing/Forwarding (VRF) instances on each PE router to receive and re-advertise prefixes. The PE router receives prefixes with ASNs from all PE routers and advertises them to its neighbor PE routers on one VRF. The other VRF receives prefixes with ASNs from the Customer Edge (CE) routers and re-advertises them to all PE routers in the configuration.
Enable: Select this option to enable re-advertisement of all prefixes containing duplicate ASNs.
Allowed Occurrences: Set the maximum number of times an ASN is advertised. Select a value in the range 1 - 10.
33 Select OK to save the changes and overrides. Select Reset to revert to the last saved configuration. Select Exit to close this window and go back to the main screen.
34 Select the Experimental tab from the BGP main screen.
CAUTION: This is an experimental feature and its actual operation may be unpredictable.
35 Set the following Experimental BGP features:
Figure 5-98 Border Gateway Protocol - Experimental tab
Confederation Identifier: Enable and set a confederation identifier to allow an AS to be divided into several ASs. This confederation is visible to external routers as a single AS. Select a value from 1 - 4,294,967,295.
Client to Client Reflection: Select to enable client-to-client route reflection. Route reflectors are used when all iBGP speakers are not fully meshed. If the clients are fully meshed, route reflectors are not required. The default is enabled.
Cluster ID: Select to enable and set a Cluster ID if the BGP cluster has more than one route reflector. A cluster generally consists of a single route reflector and its clients. The cluster is usually identified by the router ID of this single route reflector. Sometimes, to increase redundancy, a cluster might have more than one route reflector configured. In this case, all route reflectors in the cluster are identified by the Cluster ID. Select a value from 1 - 4,294,967,295.
Confederation Peers: Use this spinner to select the confederation members. Once selected, select the Down Arrow button next to this control to add the AS as a confederation member. Multiple AS configurations can be added to the list of confederation members. To remove an AS as a confederation member, select the AS from the list and select the Up Arrow button next to the list.
36 Configure or set the following Bestpath parameter:
AS-Path Confed: Select this option to allow the comparison of the confederation AS path length when selecting the best route. This indicates the AS confederation path length must be used, if available, in the BGP path when deciding the best path.
37 Configure or set the following Bestpath Med parameter:
Confed: Select to enable. Use this option to allow comparing MED when selecting the best route among routes learned from confederation peers. This indicates that MED must be used, when available, in the BGP best path when deciding the best path between routes from different confederation peers.
38 Configure or set the following Dampening parameters. Dampening minimizes the instability caused by route flapping. A penalty is added for every flap of the flapping route. As soon as the total penalty reaches the Route Suppress Limit value, the advertisement of this route is suppressed. The penalty decays over time: each time the period specified in Half Lifetime elapses, the penalty is halved. Once the penalty becomes lower than the value specified in Start Route Reuse, the advertisement of the route is un-suppressed.
Enable: Select to enable dampening on advertised routes. When this option is selected, the other configuration fields in this Dampening field are enabled. This setting is disabled by default.
Half Lifetime: Select to enable and configure the half lifetime value. A penalty is imposed on a route that flaps. This is the time for the penalty to decrease to half its current value. Set a value from 1 - 45 in minutes. The default is 1 second.
Start Route Reuse: Select to enable and configure the route reuse value. When the penalty for a suppressed route decays below the value specified in the Start Route Reuse field, the route is un-suppressed. Set a value from 1 - 20000.
Route Suppress Limit: Select to enable and configure the route suppress value. When a route flaps, a penalty is added to the route. When the penalty reaches or exceeds the value specified in Route Suppress Limit, the route is suppressed. Set a value from 1 - 20000.
Start Route Suppress: Select to enable and configure the maximum duration in minutes a suppressed route is suppressed. This is the maximum duration for which a route remains suppressed before it is reused. Set a value from 1 - 255 minutes.
39 Configure or set the Graceful Restart parameters.
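Before continuing with the graceful restart parameters, the following is a worked model of the step 38 dampening arithmetic (an added example, not code from this guide or from the WiNG software). The per-flap penalty of 1000 and the clearing of the penalty when Start Route Suppress expires are assumptions; the prefixes are constructed.

```python
"""Constructed model of route-flap dampening as step 38 describes it: a penalty
per flap, exponential decay with Half Lifetime, suppression at Route Suppress
Limit, reuse below Start Route Reuse, and a cap of Start Route Suppress minutes.
Time is in minutes to match the Half Lifetime unit."""
from dataclasses import dataclass
from typing import Dict, Optional

FLAP_PENALTY = 1000.0  # assumed: penalty added per flap (the guide gives no figure)


@dataclass
class DampeningParams:
    half_lifetime_min: float = 15.0         # Half Lifetime: minutes for the penalty to halve
    start_route_reuse: float = 750.0        # Start Route Reuse: un-suppress below this
    route_suppress_limit: float = 2000.0    # Route Suppress Limit: suppress at or above this
    start_route_suppress_min: float = 60.0  # Start Route Suppress: maximum minutes suppressed


@dataclass
class RouteState:
    penalty: float = 0.0
    updated_at: float = 0.0                   # minute at which the penalty was last decayed
    suppressed_since: Optional[float] = None  # None while the route is advertised

    def is_suppressed(self) -> bool:
        return self.suppressed_since is not None


class Dampener:
    """Tracks one penalty per prefix and decides whether the prefix is advertised."""

    def __init__(self, params: Optional[DampeningParams] = None) -> None:
        self.p = params or DampeningParams()
        self.routes: Dict[str, RouteState] = {}

    def _refresh(self, st: RouteState, now: float) -> None:
        # Exponential decay: the penalty halves every Half Lifetime.
        elapsed = max(0.0, now - st.updated_at)
        st.penalty *= 0.5 ** (elapsed / self.p.half_lifetime_min)
        st.updated_at = now
        if st.is_suppressed():
            over_cap = now - st.suppressed_since >= self.p.start_route_suppress_min
            if over_cap:
                st.penalty = 0.0  # assumed: reaching the maximum suppress time clears the penalty
            if over_cap or st.penalty < self.p.start_route_reuse:
                st.suppressed_since = None  # route is reused (un-suppressed)

    def flap(self, prefix: str, now: float) -> RouteState:
        """Record one flap of `prefix` at minute `now` and return its updated state."""
        st = self.routes.setdefault(prefix, RouteState(updated_at=now))
        self._refresh(st, now)
        st.penalty += FLAP_PENALTY
        if not st.is_suppressed() and st.penalty >= self.p.route_suppress_limit:
            st.suppressed_since = now  # advertisement of this route is now suppressed
        return st

    def advertised(self, prefix: str, now: float) -> bool:
        """True if `prefix` would be advertised to peers at minute `now`."""
        st = self.routes.get(prefix)
        if st is None:
            return True  # never flapped, so never penalised
        self._refresh(st, now)
        return not st.is_suppressed()

    def penalty(self, prefix: str, now: float) -> float:
        st = self.routes.get(prefix)
        if st is None:
            return 0.0
        self._refresh(st, now)
        return st.penalty


def three_flaps_then_quiet() -> Dict[str, object]:
    """Constructed prefix flaps at minutes 0, 1 and 2, then stays stable."""
    d = Dampener(DampeningParams(half_lifetime_min=15, start_route_reuse=750,
                                 route_suppress_limit=2000, start_route_suppress_min=60))
    for minute in (0, 1, 2):
        d.flap("198.51.100.0/24", minute)
    return {
        "penalty_after_flaps": d.penalty("198.51.100.0/24", 2),   # about 2866.6
        "advertised_at_2": d.advertised("198.51.100.0/24", 2),    # suppressed
        "advertised_at_30": d.advertised("198.51.100.0/24", 30),  # still about 786 > 750
        "advertised_at_32": d.advertised("198.51.100.0/24", 32),  # decayed below 750: reused
    }


def capped_suppression() -> Dict[str, bool]:
    """Continuous flapping, but Start Route Suppress caps the suppression at 10 minutes."""
    d = Dampener(DampeningParams(half_lifetime_min=15, start_route_reuse=750,
                                 route_suppress_limit=2000, start_route_suppress_min=10))
    for minute in range(6):
        d.flap("203.0.113.0/24", minute)  # suppressed from minute 2 onward
    return {"advertised_at_8": d.advertised("203.0.113.0/24", 8),
            "advertised_at_12": d.advertised("203.0.113.0/24", 12)}


if __name__ == "__main__":
    print(three_flaps_then_quiet())
    print(capped_suppression())
```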
This provides a graceful restart mechanism for a BGP session reset in which the BGP daemon is not restarted, so that any changes in network configuration that caused the BGP reset do not affect packet forwarding.
Enable: Select to enable a graceful restart on this BGP router. This setting is disabled by default.
Stalepath Time: Configure the maximum time to retain stale paths from a restarting neighbor. This is the time the paths from a restarting neighbor are preserved. All stale paths, unless reinstated by the neighbor after re-establishment, are deleted at the expiry of this timer value. Set a value from 1 - 3600 seconds.
40 Select OK to save the changes and overrides. Select Reset to revert to the last saved configuration. Select Exit to close this window and go back to the main screen.
5.2.8.12 Overriding a Profile's Forwarding Database Configuration
Overriding a Profile's Network Configuration
A Forwarding Database forwards or filters packets on behalf of the managing controller, service platform or Access Point. The bridge reads the packet's destination MAC address and decides to either forward the packet or drop (filter) it. If it is determined the destination MAC is on a different network segment, it forwards the packet to that segment. If the destination MAC is on the same network segment, the packet is dropped (filtered). As nodes transmit packets through the bridge, the bridge updates its forwarding database with known MAC addresses and their locations on the network. This information is then used to decide whether to filter or forward the packet. This forwarding database assignment can be overridden as needed, but doing so removes the device configuration from the managed profile that may be shared with other similar device models. To define or override a profile's forwarding database configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Forwarding Database.
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
6 Define or override a Bridge Aging Time between 0, 10-1,000,000 seconds.
Figure 5-99 Profile Overrides - Network Forwarding Database screen
The aging time defines the interval an entry remains in a bridge's forwarding table before being deleted due to lack of activity. If an entry is replenished by a destination generating continuous traffic, this timeout value will never be invoked. However, if the destination becomes idle, the timeout value represents the length of time that must be exceeded before an entry is deleted from the forwarding table. The default setting is 300 seconds.
7 Define or override an L3e Lite Entry Aging Time between 10-1,000,000 seconds. The default setting is 300 seconds. This setting is not available on all device platforms.
8 Use the + Add Row button to create a new row within the Static Forwarding Table.
9 Set or override a destination MAC Address. The bridge reads the packet's destination MAC address and decides to forward the packet or drop (filter) it. If it is determined the destination MAC is on a different network, it forwards the packet to that segment. If the destination MAC is on the same network segment, the packet is dropped (filtered).
10 Define or override the target VLAN ID if the destination MAC is on a different network segment.
11 Provide an Interface Name used as the target destination interface for the target MAC address.
12 Select OK to save the changes and overrides. Select Reset to revert to the last saved configuration.
5.2.8.13 Overriding a Profile's Bridge VLAN Configuration
A Virtual LAN (VLAN) is a separately administered virtual network within the same physical managed network. VLANs are broadcast domains defined within switches to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device. Administrators often need to route traffic to interoperate between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device which will untag them. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the Bridge VLAN forwards the data frame on the appropriate port(s). VLANs are useful to set up separate networks to isolate some computers from others, without actually having to have separate cabling and Ethernet switches. Controllers and service platforms can do this on their own, without the computer or other gear needing to know what VLAN it is on (this is called port-based VLAN, since it is assigned by port of the switch). Another common use is to put specialized devices like VoIP phones on a separate network for easier configuration, administration, security, or quality of service. Two main VLAN bridging modes are available:
Tunnel Mode: In tunnel mode, traffic at the Access Point is always forwarded through the best path. The Access Point decides the best path to use and forwards packets appropriately. Setting the VLAN to tunnel mode ensures packets are bridged between local Ethernet ports, any local radios, and tunnels to other APs and the wireless controller.
Local Mode: Local mode is typically configured in remote branch offices where traffic on a remote private LAN segment needs to be bridged locally. Local mode implies that the wired and the wireless traffic are to be bridged locally.
To define a bridge VLAN configuration or override for a device profile:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Bridge VLAN.
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
6 Review the following VLAN configuration parameters to determine whether an override is warranted:
Figure 5-100 Profile Overrides - Network Bridge VLAN screen
VLAN: Lists the numerical identifier defined for the Bridge VLAN when it was initially created. The available range is from 1 - 495. This value cannot be modified during the edit process.
Description: Lists a VLAN description assigned when the VLAN was created or modified. The description should be unique to the VLAN's specific configuration and help differentiate it from other VLANs with similar configurations.
Edge VLAN Mode: Defines whether the VLAN is currently in edge VLAN mode. A green check mark defines the VLAN as extended. An edge VLAN is the VLAN where hosts are connected. For example, if VLAN 10 is defined with wireless clients, and VLAN 20 is where the default gateway resides, VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn't be marked as an edge VLAN. When defining a VLAN as an edge VLAN, the firewall enforces additional checks on hosts in that VLAN. For example, a host cannot move from an edge VLAN to another VLAN and still keep firewall flows active.
Trust ARP Responses: Trusted ARP packets are used to update the IP-MAC Table to prevent IP spoof and ARP-cache poisoning attacks. When ARP trust is enabled, a green check mark displays. When disabled, a red X displays.
Trust DHCP Responses: When enabled, DHCP packets from a DHCP server are trusted and permissible. DHCP packets update the DHCP Snoop Table to prevent IP spoof attacks. When DHCP trust is enabled, a green check mark displays. When disabled, a red X displays.
IPv6 Firewall: Lists whether IPv6 is enabled on this bridge VLAN. A green checkmark defines this setting as enabled. A red X defines this setting as disabled. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.
DHCPv6 Trust: Lists whether DHCPv6 responses are trusted on this bridge VLAN. A green checkmark defines this setting as enabled. A red X defines this setting as disabled. If enabled, only DHCPv6 responses are trusted and forwarded over the bridge VLAN.
RA Guard: Lists whether router advertisements (RA) are allowed on this bridge VLAN. A green checkmark defines this setting as enabled. A red X defines this setting as disabled. RAs are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.
7 Select Add to define a new Bridge VLAN configuration, Edit to modify or override an existing Bridge VLAN configuration, or Delete to remove a VLAN configuration. The General tab displays by default.
Figure 5-101 Profile Overrides - Network Bridge VLAN screen, General tab
8 If adding a new Bridge VLAN configuration, use the spinner control to define or override a VLAN ID between 1 - 4094. This value must be defined and saved before the General tab becomes enabled and the remainder of the settings can be defined. VLAN IDs 0 and 4095 are reserved and unavailable.
9 Set or override the following General bridge VLAN parameters:
Description: If creating a new Bridge VLAN, provide a description (up to 64 characters) unique to the VLAN's specific configuration to help differentiate it from other VLANs with similar configurations.
Per VLAN Firewall: Enable this setting to provide firewall allow and deny conditions over the bridge VLAN. This setting is enabled by default.
10 Set or override the following URL Filter parameters. URL filters are used to control access to specific resources on the Internet.
URL Filter: Use the drop-down menu to select a URL filter to use with this Bridge VLAN.
11 Use the drop-down to select the appropriate Application Policy to use with this Bridge VLAN configuration. An application policy defines the rules or actions executed on recognized HTTP (Facebook), enterprise (Webex) and peer-to-peer (gaming) applications or application categories.
12 Set or override the following Extended VLAN Tunnel parameters:
Bridging Mode: Specify one of the following bridging modes for use on the VLAN. Automatic - Select automatic mode to let the controller or service platform determine the best bridging mode for the VLAN. Local - Select Local to use local bridging mode for bridging traffic on the VLAN. Tunnel - Select Tunnel to use a shared tunnel for bridging traffic on the VLAN. Isolated Tunnel - Select isolated-tunnel to use a dedicated tunnel for bridging traffic on the VLAN.
IP Outbound Tunnel ACL: Select an IP Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound IP ACL is not available, select the Create button.
IPv6 Outbound Tunnel ACL: Select an IPv6 Outbound Tunnel ACL for outbound IPv6 traffic from the drop-down menu. If an appropriate outbound IPv6 ACL is not available, select the Create button.
MAC Outbound Tunnel ACL: Select a MAC Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound MAC ACL is not available, select the Create button.
Tunnel Over Level 2: Select this option to allow VLAN traffic to be tunneled over level 2 links. This setting is disabled by default.
NOTE: Local and Automatic bridging modes do not work with ACLs. ACLs can only be used with tunnel or isolated-tunnel modes.
13 Select the Level 2 Tunnel Broadcast Optimization checkbox to enable broadcast optimization on this bridge VLAN. L2 Tunnel Broadcast Optimization prevents flooding of ARP packets over the virtual interface. Based on the learned information, ARP packets are filtered at the wireless controller level. This option is enabled by default.
14 If enabling L2 tunnel broadcast optimization, set the Level 2 Forward Additional Packet Types to None or WNMP to specify whether additional packet types are forwarded across the L2 tunnel. By default, L2 tunnel broadcast optimization also disables Wireless Network Management Protocol (WNMP) packet forwarding across the L2 tunnel. Use this option to enable the forwarding of only WNMP packets. The default value is None.
15 Set the following Tunnel Rate Limit parameters:
Mint Link Level: Select the MINT link level being rate limited for layer 2 from the drop-down menu.
Rate: Define a transmit rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the bridge VLAN. Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5,000 kbps.
Maximum Burst Size: Set a maximum burst size between 0 - 1024 kbytes. The smaller the burst, the less likely the receive packet transmission will result in congestion. The default burst size is 320 kbytes.
Background: Set the random early detection threshold in % for low priority background traffic. Set a value from 1 - 100%. The default is 50%.
Best-Effort: Set the random early detection threshold in % for low priority best-effort traffic. Set a value from 1 - 100%. The default is 50%.
Video: Set the random early detection threshold in % for high priority video traffic. Set a value from 1 - 100%. The default is 25%.
Voice: Set the random early detection threshold in % for high priority voice traffic. Set a value from 1 - 100%. The default is 25%.
16 Set or override the following Layer 2 Firewall parameters:
Trust ARP Response: Select the check box to use trusted ARP packets to update the DHCP Snoop Table to prevent IP spoof and ARP-cache poisoning attacks. This feature is disabled by default.
Trust DHCP Responses: Select the check box to use DHCP packets from a DHCP server as trusted and permissible within the managed network. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoof attacks. This feature is disabled by default.
Edge VLAN Mode: Select the check box to enable edge VLAN mode. When selected, the edge controller or service platform's IP address in the VLAN is not used for normal operations, as it is now designated to isolate devices and prevent connectivity. This feature is enabled by default.
17 Set the following IPv6 Settings:
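Before the IPv6 settings, the following is a model of how the step 16 trust settings feed the DHCP Snoop Table and how that table is then used to reject spoofed IP-MAC pairs (an added example, not code from this guide or from the WiNG software). The port names, addresses and the handling of untrusted DHCP responses and of ARP packets for IPs with no binding are assumptions of the model.

```python
"""Constructed model of the Layer 2 Firewall trust settings: DHCP responses from
a trusted server port populate a per-VLAN snoop table (IP -> MAC) and ARP
packets are validated against it, so an ARP claiming a bound IP with another
MAC (an ARP-cache poisoning attempt) is dropped."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Verdict(Enum):
    ALLOW = "allow"
    LEARN = "allow, binding learned into snoop table"
    DROP_SPOOF = "drop: IP-MAC mismatch against snoop table"
    DROP_ROGUE_DHCP = "drop: DHCP response from a non-server port"


@dataclass
class BridgeVlanL2Firewall:
    vlan_id: int
    trust_dhcp_responses: bool = False
    trust_arp_responses: bool = False
    server_ports: Set[str] = field(default_factory=set)  # assumed: ports where the DHCP server sits
    snoop_table: Dict[str, str] = field(default_factory=dict)  # IP -> MAC for this VLAN

    def dhcp_response(self, ingress_port: str, client_ip: str, client_mac: str) -> Verdict:
        """A DHCP OFFER/ACK from a server assigning `client_ip` to `client_mac`."""
        if not self.trust_dhcp_responses:
            return Verdict.ALLOW  # assumed: feature off, nothing is learned or checked
        if ingress_port not in self.server_ports:
            return Verdict.DROP_ROGUE_DHCP  # assumed: only server ports may answer clients
        self.snoop_table[client_ip] = client_mac.lower()
        return Verdict.LEARN

    def arp_packet(self, sender_ip: str, sender_mac: str) -> Verdict:
        """Validate the sender IP/MAC pair carried by an ARP request or reply."""
        mac = sender_mac.lower()
        known = self.snoop_table.get(sender_ip)
        if known is not None:
            # A binding exists: an ARP claiming that IP with another MAC is a spoof.
            return Verdict.ALLOW if known == mac else Verdict.DROP_SPOOF
        if self.trust_arp_responses:
            # With ARP trusted, ARP itself seeds the table. On a client VLAN this
            # means the first host to claim an unbound IP defines its binding, so
            # keep ARP trust for VLANs where the ARP sources are themselves trusted.
            self.snoop_table[sender_ip] = mac
            return Verdict.LEARN
        return Verdict.ALLOW  # assumed: no binding to compare against


def dhcp_trust_scenario() -> List[Verdict]:
    """Constructed traffic on VLAN 10 with only Trust DHCP Responses enabled."""
    fw = BridgeVlanL2Firewall(vlan_id=10, trust_dhcp_responses=True, server_ports={"ge1"})
    return [
        fw.dhcp_response("ge1", "10.0.0.5", "00:11:22:33:44:55"),     # legitimate server
        fw.arp_packet("10.0.0.5", "00:11:22:33:44:55"),               # matches the binding
        fw.arp_packet("10.0.0.5", "66:77:88:99:AA:BB"),               # same IP, other MAC
        fw.dhcp_response("radio1", "10.0.0.9", "66:77:88:99:aa:bb"),  # server reply from client side
    ]


def arp_trust_scenario() -> List[Verdict]:
    """Same VLAN with Trust ARP Responses enabled and no DHCP binding yet."""
    fw = BridgeVlanL2Firewall(vlan_id=10, trust_arp_responses=True)
    return [
        fw.arp_packet("10.0.0.7", "aa:bb:cc:dd:ee:01"),  # first claimant is learned
        fw.arp_packet("10.0.0.7", "aa:bb:cc:dd:ee:02"),  # later claimant is rejected
    ]


if __name__ == "__main__":
    for v in dhcp_trust_scenario() + arp_trust_scenario():
        print(v.value)
```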
IPv6 Firewall: Select this option to enable IPv6 on this bridge VLAN. This setting is enabled by default.
DHCPv6 Trust: Select this option to trust all DHCPv6 responses on this bridge VLAN. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is enabled by default.
RA Guard: Select this option to enable router advertisements or ICMPv6 redirects on this bridge VLAN. This setting is enabled by default.
18 Refer to the Captive Portal field to select an existing captive portal configuration to apply access restrictions to the bridge VLAN configuration. A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail and No Service pages provide the administrator with a number of options on captive portal screen flow and user appearance. If an existing captive portal does not suit the bridge VLAN configuration, either select the Edit icon to modify an existing configuration or select the Create icon to define a new configuration that can be applied to the bridge VLAN. For information on configuring a captive portal policy, see Configuring Captive Portal Policies on page 11-1.
19 Refer to the Captive Portal Snoop IPv6 Subnet field to configure the subnet on which IPv6 snooping is enabled/disabled for wired captive portal support. Up to 16 excluded addresses are permitted.
20 Select the IGMP Snooping tab.
Figure 5-102 Profile Overrides - Network Bridge VLAN screen, IGMP Snooping tab
21 Define the following General settings:
Enable IGMP Snooping: Select this option to enable IGMP snooping. If disabled, snooping on a per VLAN basis is also disabled. This feature is enabled by default. If disabled, the settings under the bridge configuration are overridden. For example, if IGMP snooping is disabled but the bridge VLAN setting is enabled, the setting is disabled.
Forward Unknown Multicast Packets: Select this option to enable the forwarding of multicast packets from unregistered multicast groups. If disabled (the default setting), the unknown multicast forward feature is also disabled for individual VLANs.
Enable Fast Leave Processing: Select this option to remove a Layer 2 LAN interface from the IGMP snooping forwarding table entry without initially sending IGMP group-specific queries to the interface. When receiving a group-specific IGMPv2 leave message, IGMP snooping removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast-leave processing enhances bandwidth management for all hosts on the network. This setting is disabled by default.
Last Member Query Count: Specify the number (1 - 7) of group-specific queries sent before removing an IGMP snooping entry. The default setting is 2.
22 Define the following Multicast Router settings:
Interface Names: Select the ge1 or radio interfaces used for IGMP snooping over a multicast router.
Multicast Router Learn Mode: Set the pim-dvmrp or static multicast routing learn mode. DVMRP builds a parent-child database using a constrained multicast model to build a forwarding tree rooted at the source of the multicast packets. Multicast packets are initially flooded down this source tree. If redundant paths are on the source tree, packets are not forwarded along those paths.
23 Define the following IGMP Querier settings:
Enable IGMP Querier Source IP Address IGMP Version Maximum Response Time Other Querier Timer Expiry Select this option to enable IGMP querier. IGMP snoop querier is used to keep host memberships alive. Its primarily used in a network where theres a multicast streaming server and hosts subscribed to the server and no IGMP querier present. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios. IGMP multicast packets are flooded on wired ports. IGMP multicast packet are not flooded on the wired port. IGMP membership is also learnt on it and only if present, then it is forwarded on that port. If enabling IGMP querier, set the source IP address used for IGMP snooping over a multicast router. Use the spinner control to set the IGMP version compatibility to either version 1, 2 or 3. IGMPv1 is defined by RFC 1112, IGMPv2 is defined by RFC 2236 and IGMPv3 defined by RFC 4604 which defines both IGMPv3 and MLDv2. IGMPv2 improves over IGMPv1 by adding the ability for a host to signal desire to leave a multicast group. IGMPv3 improves over IGMPv2 by adding the ability to listen to multicast traffic originating from a set of source IP addresses exclusively. Specify the maximum interval (from 1 - 25 seconds) before sending a responding report. When no reports are received from a radio, radio information is removed from the snooping table. The controller or service platform only forwards multicast packets to radios present in the snooping table. For IGMP reports from wired ports, the controller or service platform forwards these reports to the multicast router ports. The default setting is 1 seconds. Specify an interval (from 60 - 300 seconds) used as a timeout interval for other querier resources. 24 Select the OK button located at the bottom right of the screen to save the changes to the IGMP Snooping tab. Select Reset to revert to the last saved configuration. 
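The interaction between the Enable Fast Leave Processing, Last Member Query Count and Forward Unknown Multicast Packets settings above, as an added model (example code, not WiNG's own implementation): a snooping table learns members from reports, and a leave either prunes the interface at once (fast leave, unless a multicast router was learned on it) or only after the configured number of group-specific queries go unanswered. Interface names, group addresses and the timer callbacks are constructed for the example.

```python
"""IGMP snooping forwarding-table model (added example, not WiNG code).

Models the IGMP Snooping tab settings: memberships learned from reports,
fast-leave processing (immediate removal on an IGMPv2 leave unless a
multicast router was learned on that interface), the last member query
count (group-specific queries sent before an entry is removed when fast
leave is off) and forwarding of packets for unknown (unregistered) groups.
Interface names, group addresses and the timer callbacks are constructed.
"""


class IgmpSnoopingTable:
    def __init__(self, fast_leave=False, last_member_query_count=2,
                 forward_unknown_multicast=False, all_interfaces=()):
        if not 1 <= last_member_query_count <= 7:      # the UI range is 1 - 7
            raise ValueError("last member query count must be 1 - 7")
        self.fast_leave = fast_leave
        self.lmqc = last_member_query_count
        self.forward_unknown = forward_unknown_multicast
        self.all_interfaces = set(all_interfaces)
        self.mrouter_ports = set()   # interfaces where a multicast router was learned
        self.groups = {}             # group address -> set of member interfaces
        self.pending = {}            # (group, iface) -> queries still to send
        self.queries_sent = []       # log of group-specific queries, for inspection

    def learn_mrouter(self, iface):
        """Record that a multicast router was learned on this interface."""
        self.mrouter_ports.add(iface)

    def report(self, group, iface):
        """A membership report adds the interface to the group entry and
        cancels any removal that a pending group-specific query started."""
        self.groups.setdefault(group, set()).add(iface)
        self.pending.pop((group, iface), None)

    def leave(self, group, iface):
        """Handle a group-specific IGMPv2 leave received on an interface."""
        if iface not in self.groups.get(group, ()):
            return
        if self.fast_leave and iface not in self.mrouter_ports:
            self._remove(group, iface)          # fast leave: no queries first
            return
        # Otherwise keep the entry and send group-specific queries; it is
        # removed only after `last member query count` queries go unanswered.
        self.pending[(group, iface)] = self.lmqc
        self._send_query(group, iface)

    def query_timeout(self, group, iface):
        """No report answered the last group-specific query on this interface."""
        key = (group, iface)
        if key not in self.pending:
            return
        self.pending[key] -= 1
        if self.pending[key] <= 0:
            del self.pending[key]
            self._remove(group, iface)
        else:
            self._send_query(group, iface)

    def forward_ports(self, group, ingress):
        """Interfaces a multicast packet for `group` arriving on `ingress` is
        forwarded to, per the snooping table and the unknown-forward setting."""
        if group in self.groups:
            out = self.groups[group] | self.mrouter_ports
        elif self.forward_unknown:
            out = set(self.all_interfaces)       # unregistered group: flood
        else:
            out = set(self.mrouter_ports)        # only towards multicast routers
        return sorted(out - {ingress})

    def _send_query(self, group, iface):
        self.queries_sent.append((group, iface))

    def _remove(self, group, iface):
        members = self.groups.get(group)
        if members:
            members.discard(iface)
            if not members:
                del self.groups[group]


def demo():
    """Default settings (fast leave off, count 2): a leave takes two unanswered
    group-specific queries before the radio is pruned. Returns the history."""
    table = IgmpSnoopingTable(all_interfaces=["ge1", "radio1", "radio2"])
    table.learn_mrouter("ge1")
    table.report("239.1.1.1", "radio1")
    history = [table.forward_ports("239.1.1.1", "ge1")]       # ['radio1']
    table.leave("239.1.1.1", "radio1")
    table.query_timeout("239.1.1.1", "radio1")
    history.append(table.forward_ports("239.1.1.1", "ge1"))   # still ['radio1']
    table.query_timeout("239.1.1.1", "radio1")
    history.append(table.forward_ports("239.1.1.1", "ge1"))   # [] after removal
    return history


if __name__ == "__main__":
    print(demo())
```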
25 Select the MLD Snooping tab.
Figure 5-103 Profile Overrides - Network Bridge VLAN screen, MLD Snooping tab
26 Define the following General MLD snooping parameters for the bridge VLAN configuration:
Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups. MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.
Enable MLD Snooping: Enable MLD snooping to examine MLD packets and support content forwarding on this bridge VLAN. Packets delivered are identified by a single multicast group address. Multicast packets are delivered using best-effort reliability, just like IPv6 unicast. MLD snooping is enabled by default.
Forward Unknown Unicast Packets: Use this option to either enable or disable IPv6 unknown unicast forwarding. This setting is enabled by default.
27 Define the following Multicast Router settings:
Interface Names: Select the ge or radio interfaces used for MLD snooping.
Multicast Router Learn Mode: Set the pim-dvmrp or static multicast routing learn mode. DVMRP builds a parent-child database using a constrained multicast model to build a forwarding tree rooted at the source of the multicast packets. Multicast packets are initially flooded down this source tree. If redundant paths are on the source tree, packets are not forwarded along those paths.
28 Set the following MLD Querier parameters for the profile's bridge VLAN configuration:
Enable MLD Querier: Select the option to enable the MLD querier on the controller, service platform or Access Point. When enabled, the device sends query messages to discover which network devices are members of a given multicast group. This setting is enabled by default.
MLD Version: Define whether MLD version 1 or 2 is utilized with the MLD querier. MLD version 1 is based on IGMP version 2 for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully backward compatible. IPv6 multicast uses MLD version 2. The default MLD version is 2.
Maximum Response Time: Specify the maximum response time (from 1 - 25,000 milliseconds) before sending a responding report. Queriers use MLD reports to join and leave multicast groups and receive group traffic. The default setting is 1 millisecond.
Other Querier Timer Expiry: Specify an interval in either Seconds (60 - 300) or Minutes (1 - 5) used as a timeout interval for other querier resources. The default setting is 60 seconds.
29 Select the OK button to save the changes and overrides. Select Reset to revert to the last saved configuration.
5.2.8.14 Overriding a Profile's Cisco Discovery Protocol Configuration
The Cisco Discovery Protocol (CDP) is a proprietary data link layer network protocol implemented in Cisco networking equipment and used to share information about network devices. To override a CDP configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Cisco Discovery Protocol.
Figure 5-104 Profile Overrides - Network Cisco Discovery Protocol screen
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
6 Check the Enable CDP box to enable CDP on the device.
7 Refer to the Hold Time field and use the spinner control to define a hold time between 10 - 1800 seconds for transmitted CDP packets. The default value is 180 seconds.
8 Refer to the Timer field and use the spinner control to define an interval between 5 - 900 seconds to transmit CDP packets. The default value is 60 seconds.
9 Select the OK button to save the changes and overrides. Select Reset to revert to the last saved configuration.
5.2.8.15 Overriding a Profile's Link Layer Discovery Protocol Configuration
The Link Layer Discovery Protocol (LLDP), or IEEE 802.1AB, is a vendor-neutral data link layer protocol used by network devices for advertising (announcing) their identity, capabilities, and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery.
Both LLDP snooping and the ability to generate and transmit LLDP packets are provided. Information obtained via CDP and LLDP snooping is available in the UI. In addition, information obtained via CDP / LLDP snooping is provided by an AP during the adoption process, so the L2 switch device name detected by the AP can be used as a criterion in the auto provisioning policy. To override an LLDP configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Link Layer Discovery Protocol.
Figure 5-105 Profile Overrides - Network Link Layer Discovery Protocol screen
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
6 Check the Enable LLDP box to enable Link Layer Discovery Protocol on the device.
7 Refer to the Hold Time field and use the spinner control to define a hold time between 10 - 1800 seconds for transmitted LLDP packets. The default value is 180 seconds.
8 Refer to the Timer field and use the spinner control to define the interval between 5 - 900 seconds to transmit LLDP packets. The default value is 60 seconds.
9 Check the Inventory Management Discovery box to enable this feature. Inventory Management Discovery is used to track and identify inventory attributes including manufacturer, model, or software version.
10 Extended Power via MDI Discovery provides detailed power information through end points and other connected devices. Select the Extended Power via MDI Discovery box to enable this feature, or select the Default for Type option to use a WiNG internal default value.
11 Select the OK button to save the changes and overrides.
Select Reset to revert to the last saved configuration.
5.2.8.16 Overriding a Profile's Miscellaneous Network Configuration
A profile can include a hostname within a DHCP lease for a requesting device. This helps an administrator track the leased DHCP IP address by hostname for the device profile. When numerous DHCP leases are assigned, an administrator can better track the leases when hostnames are used to identify devices. To include a hostname in a DHCP request:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Miscellaneous.
NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.
6 Refer to the DHCP Settings section to configure miscellaneous DHCP settings.
Figure 5-106 Profile Overrides - Network Miscellaneous screen
Include Hostname in DHCP Request: Select the Include Hostname in DHCP Request option to include a hostname within a DHCP lease for a requesting device. This feature is enabled by default.
DHCP Persistent Lease: Check this option to enable a persistent DHCP lease for the device. A persistent DHCP lease assigns the same IP address and other network information to the device each time it renews its DHCP lease.
7 Select the LACP System Priority value in the range of 1 - 65,535. The system with a lower number will have a higher priority when setting up a connection with a LACP peer. If a value is not set for this field, the default value of 32768 is used. Link Aggregation Control Protocol (LACP) enables combining and managing multiple physical connections like Ethernet ports as a single logical channel as defined in the IEEE 802.1ax standard. LACP provides redundancy and an increase in throughput for connections between two peers. LACP provides automatic recovery in cases where one or more of the physical links making up the aggregation fail. Similarly, LACP also provides a theoretical boost in speed compared to an individual physical link.
NOTE: Disable or physically disconnect interfaces that do not use spanning tree to prevent loop formation until LACP is fully configured on both the local WiNG device and the remote device.
8 To enable critical resource monitoring for the device, select a Critical Resource Policy from the drop-down menu in the Critical Resource Monitoring section. If a new critical resource monitoring policy is needed, click the Create button and specify the Ping Interval, IP Address, Ping Mode and VLAN for the devices being monitored.
9 Select the OK button to save the changes and overrides. Select Reset to revert to the last saved configuration.
5.2.8.17 Overriding a Profile's Network Alias Configuration
With large deployments, the configuration of remote sites utilizes a set of shared attributes, of which a small set of attributes are unique for each location. For such deployments, maintaining separate configurations (WLANs, profiles, policies and ACLs) for each remote site is complex. Migrating any global change to a particular configuration item to all the remote sites is a complex and time consuming operation. Also, this practice does not scale gracefully for quickly growing deployments. An alias enables an administrator to define a configuration item, such as a hostname, as an alias once and use the defined alias across different configuration items such as multiple ACLs. Once a configuration item, such as an ACL, is utilized across remote locations, the alias used in the configuration item (the ACL) is modified to meet the local deployment requirement. Any other ACL or configuration item using the modified alias is also modified, simplifying maintenance at the remote deployment.
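The alias indirection just described, as an added model (example code, not WiNG's own implementation): it applies the four alias scopes the guide lists (global, profile, RF Domain, device) with the most specific definition winning, and shows one unchanged ACL rule resolving the alias $NET to the central 192.168.10.0/24 network and, at a remote site with a device-scope override, to 172.16.10.0/24. The alias names, the network group and service alias contents and the sample packets are constructed for the example.

```python
"""Alias resolution model (added example, not WiNG code).

An alias name (always starting with '$') can be defined globally, in a
profile, in an RF Domain or on a device; the most specific definition wins.
An ACL references the alias by name, so redefining the alias at a remote
site changes what the ACL matches without editing the ACL itself.
"""
from ipaddress import ip_address, ip_network

# Scopes from least to most specific, as the guide lists them.
SCOPES = ("global", "profile", "rf-domain", "device")


def resolve(alias_name, definitions):
    """Return the value of an alias after applying scope precedence.

    `definitions` maps scope -> {alias_name: value}. The most specific scope
    that defines the alias wins; an undefined alias raises KeyError.
    """
    if not alias_name.startswith("$"):
        raise ValueError("alias names always start with '$'")
    for scope in reversed(SCOPES):
        value = definitions.get(scope, {}).get(alias_name)
        if value is not None:
            return value
    raise KeyError(alias_name)


def network_group_matches(group, ip):
    """A network group alias holds hosts, networks (a.b.c.d/len) and address
    ranges (start, end); an address matches if any entry contains it."""
    addr = ip_address(ip)
    if any(addr == ip_address(h) for h in group.get("hosts", ())):
        return True
    if any(addr in ip_network(n, strict=False) for n in group.get("networks", ())):
        return True
    return any(ip_address(lo) <= addr <= ip_address(hi)
               for lo, hi in group.get("ranges", ()))


def service_matches(service, proto, sport, dport):
    """A network service alias maps a protocol to source/destination port
    ranges (low, high); ports are only meaningful for tcp and udp."""
    for entry in service:
        if entry["protocol"] != proto:
            continue
        if proto not in ("tcp", "udp"):
            return True
        src_ok = not entry.get("src") or any(lo <= sport <= hi for lo, hi in entry["src"])
        dst_ok = not entry.get("dst") or any(lo <= dport <= hi for lo, hi in entry["dst"])
        if src_ok and dst_ok:
            return True
    return False


def acl_permits(rule, definitions, packet):
    """Evaluate one ACL rule whose source and service are alias references."""
    group = resolve(rule["source"], definitions)
    service = resolve(rule["service"], definitions)
    return (network_group_matches(group, packet["src"])
            and service_matches(service, packet["proto"],
                                packet["sport"], packet["dport"]))


# Constructed sample configuration: the central (global) definition of $NET
# covers 192.168.10.0/24; the remote site overrides it at device scope.
CENTRAL = {
    "global": {
        "$NET": {"networks": ["192.168.10.0/24"]},
        "$WEB": [{"protocol": "tcp", "dst": [(80, 80), (443, 443)]}],
    },
}
REMOTE = {
    **CENTRAL,
    "device": {"$NET": {"networks": ["172.16.10.0/24"],
                        "ranges": [("172.16.13.20", "172.16.13.110")]}},
}
RULE = {"source": "$NET", "service": "$WEB"}   # identical ACL at both sites


def demo():
    """Same rule, same packet shape: only the alias definitions differ."""
    central_pkt = {"src": "192.168.10.25", "proto": "tcp", "sport": 51000, "dport": 443}
    remote_pkt = {"src": "172.16.10.25", "proto": "tcp", "sport": 51000, "dport": 443}
    return (acl_permits(RULE, CENTRAL, central_pkt),   # True
            acl_permits(RULE, CENTRAL, remote_pkt),    # False: no override centrally
            acl_permits(RULE, REMOTE, remote_pkt))     # True: device alias wins


if __name__ == "__main__":
    print(demo())
```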
Aliases have scope depending on where the alias is defined. Aliases are defined with the following scopes:
Global aliases are defined from the Configuration > Network > Alias screen. Global aliases are available for use globally across all devices, profiles and RF Domains in the system.
Profile aliases are defined from the Configuration > Devices > System Profile > Network > Alias screen. Profile aliases are available for use by a specific group of wireless controllers or Access Points. Alias values defined in a profile override the alias values defined within global aliases.
RF Domain aliases are defined from the Configuration > Devices > RF Domain > Alias screen. RF Domain aliases are available for use for a site, as an RF Domain is site specific. RF Domain alias values override alias values defined in a global alias or a profile alias configuration.
Device aliases are defined from the Configuration > Devices > Device Overrides > Network > Alias screen. Device aliases are utilized by a single device only. Device alias values override global, profile or RF Domain alias configurations.
Using an alias, configuration changes made at a remote location override any updates at the management center. For example, if a network alias defines a network range as 192.168.10.0/24 for the entire network, and at a remote deployment location the local network range is 172.16.10.0/24, the network alias can be overridden at the deployment location to suit the local requirement. For the remote deployment location, the network alias works with the 172.16.10.0/24 network. Existing ACLs using this network alias need not be modified and will work with the local network for the deployment location. This simplifies ACL definition and management while taking care of specific local deployment requirements.
For more information, refer to the following:
Basic Alias
Network Group Alias
Network Service Alias
5.2.8.17.1 Basic Alias
A basic alias is a set of configurations consisting of VLAN, Host, Network and Address Range alias configurations. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device's IP address. A network alias configuration is utilized for an IP address on a particular network. An address range alias is a configuration for a range of IP addresses. To set a network basic alias configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Alias. The Alias screen displays with the Basic Alias tab displayed by default.
6 Select + Add Row to define VLAN Alias settings:
Figure 5-107 Network Basic Alias screen
Use the VLAN Alias field to create unique aliases for VLANs that can be utilized at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central network. A new VLAN need not be created specifically at the remote location.
Name: If adding a new VLAN Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Vlan: Use the spinner control to set a numeric VLAN ID from 1 - 4094.
7 Select + Add Row to define Address Range Alias settings:
Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location's network range is 172.16.13.20 through 172.16.13.110, the remote location's ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.
Name: If adding a new Address Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Start IP: Set the starting IP address of the range of addresses utilized with the address range alias.
End IP: Set the ending IP address of the range of addresses utilized with the address range alias.
8 Select + Add Row to define String Alias settings:
Use the String Alias field to create aliases for hosts that can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.
Name: If adding a new String Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Value: Provide a string value to use in the alias.
9 Select + Add Row to define Host Alias settings:
Use the Host Alias field to create aliases for hosts that can be utilized at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location's local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.
Name: If adding a new Host Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Host: Set the IP address of the host machine.
10 Select + Add Row to define Network Alias settings:
Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location's network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit its local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.
Name: If adding a new Network Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Network: Provide a network address in the form of host/mask.
11 Select OK when completed to update the set of basic alias rules. Select Reset to revert the screen back to its last saved configuration.
5.2.8.17.2 Network Group Alias
A network group alias is a set of configurations consisting of host and network configurations. Network configurations are complete networks in the form of 192.168.10.0/24 or an IP address range in the form of 192.168.10.10-192.168.10.20. Host configurations are in the form of a single IP address, 192.168.10.23. A network group alias can contain multiple definitions for a host, network, and IP address range. A maximum of eight (8) host entries, eight (8) network entries and eight (8) IP address range entries can be configured inside a network group alias. A maximum of 32 network group alias entries can be created. To set a network group alias configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Alias.
6 Select the Network Group Alias tab. The screen displays the attributes of existing network group alias configurations.
Figure 5-108 Network Group Alias screen
Name: Displays the administrator assigned name used with the network group alias.
Host: Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined.
Network: Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined.
7 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
8 Select the added row to expand it into configurable parameters for defining the network alias rule.
Figure 5-109 Network Group Alias Add screen
9 If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($).
10 Define the following network group alias parameters:
Host: Specify the host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table.
Network: Specify the netmask for up to eight IP addresses supporting network aliasing. Subnets can improve network security and performance by organizing hosts into logical groups. Applying the subnet mask to an IP address separates the address into a host address and an extended network address. Select the down arrow to add the mask to the table.
11 Within the Range table, use the + Add Row button to specify the Start IP address and End IP address for the alias range, or double-click an existing alias range entry to edit it.
12 Select OK when completed to update the network alias rules. Select Reset to revert the screen back to its last saved configuration.
5.2.8.17.3 Network Service Alias
A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias. Use a service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node. To define a service alias configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Network to expand its sub menu options.
5 Select Alias.
6 Select the Network Service Alias tab. The screen displays existing network service alias configurations.
Figure 5-110 Network Service Alias screen
7 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
8 Select the added row to expand it into configurable parameters for defining the service alias rule.
Figure 5-111 Network Service Alias Add screen
9 If adding a new Network Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name.
10 Select + Add Row and provide the following configuration parameters:
Protocol: Specify the protocol for which the alias has to be created. Use the drop down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed. When a protocol is selected, its protocol number is automatically selected.
Source Port (Low and High): This field is only relevant if the protocol is either tcp or udp. Specify the source ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
Destination Port (Low and High): This field is only relevant if the protocol is either tcp or udp. Specify the destination ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
11 Within the Range field, use the + Add Row button to specify the Start IP address and End IP address for the service alias range, or double-click an existing service alias range entry to edit it.
12 Select OK when completed to update the service alias rules. Select Reset to revert the screen back to its last saved configuration.
5.2.8.18 Overriding a Profile's IPv6 Neighbor Configuration
IPv6 neighbor discovery uses ICMP messages and solicited multicast addresses to find the link layer address of a neighbor on the same local network, verify the neighbor's reachability and track neighboring devices. Upon receiving a neighbor solicitation message, the destination replies with a neighbor advertisement (NA). The source address in the NA is the IPv6 address of the device sending the NA message. The destination address in the neighbor advertisement message is the IPv6 address of the device that sent the neighbor solicitation.
The data portion of the NA includes the link layer address of the node sending the neighbor advertisement. Neighbor solicitation messages also verify the availability of a neighbor once its the link layer address is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor. A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed. If packets are reaching the device, theyre also reaching the next hop neighbor, providing a confirmation the next hop is reachable. To set an IPv6 neighbor discovery configuration:
1 Select Configuration > Profiles > Network. 2 Expand the Network menu to display its submenu options. 3 Select IPv6 Neighbor. 4 Set an IPv6 Neighbor Entry Timeout in either Seconds (15 - 86,400), Minutes (1 - 1,440), Hours
(1 - 24) or Days (1). The default setting is 1 hour. Figure 5-112 IPv6 Neighbor screen Wireless Controller and Service Platform System Reference Guide 5 - 201 5 Select + Add Row to define the configuration of IPv6 Neighbor Discovery configurations. A maximum of 256 neighbor entries can be defined. Device Configuration IPv6 Address Provide a static IPv6 IP address for neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via Internet Control Message Protocol version 6 (ICMPv6) router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Enter the hardware encoded MAC addresses of up to 256 IPv6 neighbor devices. A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed. If packets are reaching the device, theyre also reaching the next hop neighbor, providing a confirmation the next hop is reachable. Switch VLAN Interface Use the spinner control to set the virtual interface (from 1 - 4094) used MAC Address Device Type for neighbor advertisements and solicitation messages. Specify the device type for this neighbor solicitation is for. Options include Host, Router and DHCP Server. The default setting is Host. 6 Select OK to save the changes. Select Reset to revert to the last saved configuration. 5.2.9 Overriding a Profiles Security Configuration Profile Overrides A profile can have its own firewall policy, wireless client role policy, WEP shared key authentication, NAT policy and VPN policy (controllers and service platforms only) applied. 
If an existing firewall, client role or NAT policy is unavailable, an administrator can navigate from the Profiles section of the UI to Configuration > Security to create the required security policy configuration. Once created, a policy's configuration can have an override applied to meet the changing data protection requirements of a device's environment. In doing so, however, the device must then be managed separately from the profile configuration shared by other devices within the managed network. For more information on applying an override to an existing device profile, refer to the following sections:

  Overriding a Profile's General Security Settings
  Overriding a Profile's Certificate Revocation List (CRL) Configuration
  Overriding a Profile's RADIUS Trustpoint Configuration
  Overriding a Profile's VPN Configuration
  Overriding a Profile's Auto IPSec Tunnel Configuration
  Overriding a Profile's NAT Configuration
  Overriding a Profile's Bridge NAT Configuration
  Overriding a Profile's Application Visibility Settings

5.2.9.1 Overriding a Profile's General Security Settings

A profile can leverage existing firewall, wireless client role and WIPS policies and apply them to the profile's configuration. This gives each profile its own combination of data protection policies, chosen to meet the requirements of the devices the profile supports. However, as deployment requirements arise, an individual device may need some or all of its general security configuration overridden from the profile's settings. To configure a profile's security settings and overrides:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Security to expand its sub menu options.
5 Select Settings.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-113 Profile Overrides - General Security screen

6 Refer to the General field to assign or override the following:

  Firewall Policy
    Use the drop-down menu to select an existing Firewall Policy to use as an additional security mechanism with this profile. All devices using this profile are subject to the firewall policy when accessing the network. A firewall enforces access control and is considered a first line of defense in protecting proprietary information within the network; in principle it is a mechanism that both blocks and permits data traffic. If an existing Firewall policy does not meet your requirements, select the Create icon to create a new firewall policy that can be applied to this profile. An existing policy can also be selected and edited as needed using the Edit icon.

  Wireless Client Role Policy
    Use the drop-down menu to select a client role policy used to filter client connections based on a pre-defined set of filter rules and connection criteria. If an existing Wireless Client Role policy does not meet your requirements, select the Create icon to create a new configuration that can be applied to this profile. An existing policy can also be selected and edited as needed using the Edit icon.

  WEP Shared Key Authentication
    Select this option to require devices to use a WEP key to access the network using this profile. The controller or service platform uses the key algorithm to convert an ASCII string to the equivalent hexadecimal key. Clients whose adapters do not perform this conversion must have WEP keys entered manually as hexadecimal numbers. This option is disabled by default. WEP is cryptographically broken and its shared-key authentication exchange exposes keystream to an eavesdropper; leave this option disabled unless a legacy client cannot be replaced, and isolate such clients on their own VLAN.

  Client Identity Group
    Select the client identity group to apply to this device profile. A client identity is a set of unique fingerprints used to identify a class of devices. A client identity group is a set of client attributes that identify devices and apply specific permissions and restrictions to them. This information is used to configure permissions and access rules for that device class and lets administrators apply permissions and rules to multiple devices simultaneously.

  CMP Policy
    Use the drop-down menu to assign a CMP policy, which allows the device to communicate with a CMP-supported CA server, initiate a certificate request and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP-supported CA server: the device can initiate a request to obtain certificates from the server, and it can also automatically renew certificates that are about to expire.

7 Use the Web Filter drop-down menu to select or override the URL Filter configuration applied to this virtual interface. Web filtering is used to restrict access to resources on the Internet.
8 Select OK to save the changes or overrides. Select Reset to revert to the last saved configuration.

5.2.9.2 Overriding a Profile's Certificate Revocation List (CRL) Configuration

A certificate revocation list (CRL) is a list of revoked certificates that are no longer valid. A certificate can be revoked if the certificate authority (CA) improperly issued it, or if its private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key. To define a Certificate Revocation configuration or override:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points within the managed network.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Security to expand its sub menu options.
5 Select Certificate Revocation.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-114 Profile Overrides - Certificate Revocation screen

6 Select the + Add Row button to add a row to the Certificate Revocation List (CRL) Update Interval table. Each row names a trustpoint, the URL from which its CRL is downloaded and how often the download is repeated; certificates listed in the downloaded CRL are quarantined from use in the managed network. A CA can also place a certificate on hold for a defined period rather than revoking it permanently. If, for instance, a lost private key is recovered and it is established that nobody else had access to it, the certificate's status can be reinstated by omitting it from the next CRL.
  a Provide the name of the trustpoint in question within the Trustpoint Name field. The name cannot exceed 32 characters.
  b Enter the URL of the resource from which the trustpoint's CRL is fetched within the URL field.
  c Use the spinner control to specify an interval (in hours) after which the device downloads a fresh copy of the CRL from the external server and associates it with the trustpoint. Choose an interval shorter than the CRL's own validity window (the time until its nextUpdate field), otherwise the device will hold an expired CRL between downloads.
7 Select OK to save the changes and overrides made within the Certificate Revocation screen. Select Reset to revert to the last saved configuration.
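The following is an added example, not code from the WiNG guide or from the product: it models what a device-side CRL cache should do with the Trustpoint Name, URL and update interval configured above, including the certificateHold case the text mentions. The class and function names, the sample CRL and its serial numbers are all constructed for illustration; the reason codes are the RFC 5280 CRLReason values.

```python
# Added example (not WiNG code): CRL cache freshness and fail-closed revocation checks.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict

KEY_COMPROMISE = 1      # RFC 5280 CRLReason keyCompromise
CERTIFICATE_HOLD = 6    # RFC 5280 CRLReason certificateHold


@dataclass(frozen=True)
class CachedCrl:
    trustpoint: str          # Trustpoint Name from the screen (max 32 characters)
    this_update: datetime    # the CRL's thisUpdate field
    next_update: datetime    # the CRL's nextUpdate field; the copy is stale from here on
    revoked: Dict[int, int]  # certificate serial -> CRLReason code
    fetched_at: datetime     # when the device last downloaded it from the URL


def validate_trustpoint_name(name: str) -> bool:
    """The screen accepts Trustpoint Names of 1 to 32 characters."""
    return 0 < len(name) <= 32


def max_safe_interval_hours(crl: CachedCrl) -> int:
    """Largest update interval (hours) that refreshes the cached copy before
    its own nextUpdate passes. Any longer and the device serves expired data
    between downloads."""
    window_hours = (crl.next_update - crl.this_update).total_seconds() / 3600
    return max(1, int(window_hours))


def interval_is_safe(crl: CachedCrl, configured_hours: int) -> bool:
    return 1 <= configured_hours <= max_safe_interval_hours(crl)


def is_stale(crl: CachedCrl, now: datetime) -> bool:
    return now >= crl.next_update


def check_revocation(crl: CachedCrl, serial: int, now: datetime) -> str:
    """Returns 'good', 'revoked', 'held' or 'unknown'. A stale CRL answers
    'unknown' so the caller fails closed instead of trusting old data."""
    if is_stale(crl, now):
        return "unknown"
    reason = crl.revoked.get(serial)
    if reason is None:
        return "good"
    return "held" if reason == CERTIFICATE_HOLD else "revoked"


def reinstate(crl: CachedCrl, serial: int) -> CachedCrl:
    """Models the CA lifting a certificateHold: the next CRL omits the serial.
    A keyCompromise entry is permanent and cannot be lifted this way."""
    if crl.revoked.get(serial) != CERTIFICATE_HOLD:
        raise ValueError("only certificateHold entries can be reinstated")
    remaining = {s: r for s, r in crl.revoked.items() if s != serial}
    return CachedCrl(crl.trustpoint, crl.this_update, crl.next_update,
                     remaining, crl.fetched_at)


# Constructed sample: a CRL valid for 24 hours with one compromised key and one hold.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
SAMPLE_CRL = CachedCrl(
    trustpoint="radius-ca",
    this_update=T0,
    next_update=T0 + timedelta(hours=24),
    revoked={0x1001: KEY_COMPROMISE, 0x1002: CERTIFICATE_HOLD},
    fetched_at=T0 + timedelta(minutes=5),
)


def hours_after(h: float) -> datetime:
    """Helper for the walk-through: a point in time h hours after T0."""
    return T0 + timedelta(hours=h)


if __name__ == "__main__":
    print("max safe interval (h):", max_safe_interval_hours(SAMPLE_CRL))
    for serial, when in ((0x1001, 1), (0x1002, 1), (0x1003, 1), (0x1003, 30)):
        print(hex(serial), "at +%dh:" % when,
              check_revocation(SAMPLE_CRL, serial, hours_after(when)))
```

The point of `check_revocation` returning `unknown` rather than `good` for a stale CRL is that an attacker who can block the device's CRL download must not be able to keep a revoked certificate usable; whether the device itself fails open or closed in that situation is not stated in the guide and should be verified on the platform.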
5.2.9.3 Overriding a Profile's RADIUS Trustpoint Configuration

A RADIUS certificate links identity information with the public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The CA's own certificate, which carries the corresponding public key used to verify those signatures, is called the CA certificate. Clients that validate the RADIUS server certificate must trust its issuing CA, so use the built-in default-trustpoint only for testing and deploy a server certificate issued by a CA the clients already trust. To define a RADIUS Trustpoint configuration, use an existing stored trustpoint or launch the certificate manager to create a new one:

1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points within the managed network.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Security to expand its sub menu options.
5 Select Trustpoints.

Figure 5-115 Profile Overrides - Trustpoints screen

6 Set the following RADIUS Security certificate settings:

  RADIUS Certificate Authority
    Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing CA certificate can be selected. To create a new trustpoint, select the Launch Manager button.

  RADIUS Server Certificate
    Either use the default-trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be selected. To create a new trustpoint, select the Launch Manager button.

7 Set the following HTTPS Trustpoints:
  HTTPS Trustpoint
    Either use the default trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be used. To create a new certificate for this device, select the Launch Manager button. For more information, see Certificate Management.

8 Select OK to save the changes made within the RADIUS Trustpoints screen. Select Reset to revert to the last saved configuration.

5.2.9.4 Overriding a Profile's VPN Configuration

IPSec VPN provides a secure tunnel between two networked peer devices. Administrators define which packets are sent within the tunnel, and how they are protected. When a tunnelled peer sees a packet matching the protected traffic definition, it establishes the secure tunnel (if it is not already up) and sends the packet through it to the remote peer. Tunnels are sets of security associations (SAs) between two peers. SAs define the protocols and algorithms applied to protected packets and specify the keying mechanisms used by the tunnelled peers. SAs are unidirectional, so a tunnel has one inbound and one outbound SA. SAs are established per the rules and conditions of the defined security protocol (AH or ESP).

Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec SAs and include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is used for each IPSec peer; for remote VPN deployments one crypto map is used for all the remote IPSec peers.

Internet Key Exchange (IKE) is the key management protocol used with IPSec. IKE authenticates the peers, negotiates the IPSec SAs and derives their keys automatically, so secure communication does not require time-consuming manual pre-configuration of keys. To define a profile's VPN settings:

1 Select Devices from the Configuration tab.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Expand the Security menu and select VPN.

The profile's VPN configuration can be set or overridden using either a VPN setup wizard or by manually configuring the required advanced settings. WiNG provides two wizards offering either minimal or more thorough administration.

Figure 5-116 VPN Setup Wizard

  Quick Setup Wizard - Use the quick setup wizard to set a minimum number of basic VPN tunnel values. This wizard is designed for novice users, and enables them to set up a VPN configuration with minimum effort. This wizard uses default values for most parameters.
  Step By Step Wizard - Use the step-by-step wizard to create a VPN tunnel using settings updated from their minimum default values. This wizard is designed for intermediate users who require some VPN customization.
  Advanced VPN Configuration - The advanced VPN configuration option does not use a setup wizard. Instead it has its own screen flow where nearly every facet of a VPN tunnel configuration can be set by a qualified network administrator. For more information, see Setting the Profile's VPN Configuration on page 8-168.

5.2.9.4.4 Quick Setup Wizard

The Quick Setup Wizard creates a VPN configuration with minimal administration. Default values are retained for most parameters.

1 Select Quick Setup from the VPN Wizard screen.
2 Provide the following quick setup information to configure a VPN tunnel:
Figure 5-117 VPN Quick Setup Wizard

  Tunnel Name
    Provide a name for the tunnel. The tunnel name identifies the tunnel uniquely.

  Tunnel Type
    Configure the type of the tunnel. The tunnel can be one of the following types:
      Site-to-Site - This tunnel provides a secured connection between two sites (default setting).
      Remote Access - This tunnel provides remote devices with access to a network.

  Select Interface
    Configure the interface used to create the tunnel. The following options are available:
      VLAN - Configure the tunnel over a Virtual LAN interface. Use the spinner to configure the VLAN number.
      WWAN - Configure the tunnel over the WAN interface.
      PPPoE - Configure the tunnel over the PPPoE interface.

  Traffic Selector (ACL)
    Configure the ACL that selects the traffic passing through the VPN tunnel. The following options are available:
      Source - Provide the source network along with its mask.
      Destination - Provide the destination network along with its mask.

  Peer
    Configure the peer for this tunnel. The peer device can be specified either by its hostname or by its IP address.

  Authentication
    Set the authentication the peers at opposite ends of the VPN tunnel use to identify each other. The following can be configured:
      Certificate - Use a certificate to authenticate (default value).
      Pre-Shared Key - Use a pre-shared key to authenticate. Enter the secret key in the space provided. Choose a long, random key; with pre-shared key authentication the tunnel is only as strong as the key, and every peer that knows it can impersonate the gateway.

  Local Identity
    Configure the local identity used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Options include IP Address, Distinguished Name, FQDN, email and string. The default setting is string.

  Remote Identity
    Configure the Access Point remote identifier used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Options include IP Address, Distinguished Name, FQDN, email and string. The default setting is string.

  IKE Policy
    Configure the IKE policy to use. IKE authenticates the peers and negotiates the keys for the tunnel. Select from one of the following:
      All - Use any IKE policy (default value). This lets the peer negotiate either IKE version.
      IKE1 - Use IKEv1 only.
      IKE2 - Use IKEv2 only. Prefer this unless the remote gateway supports only IKEv1.

  Transform Set
    Configure the transform set that specifies how the traffic matched by the crypto ACL is protected. Select the appropriate transform set from the drop-down list.

3 Select Save to save the VPN quick setup tunnel configuration. To exit without saving, select Cancel.

5.2.9.4.5 Step By Step Wizard

The Step-By-Step wizard creates a VPN connection with more manual configuration than the Quick Setup Wizard. Use this wizard to manually configure Access Control Lists, IKE Policy, and Transform Sets to customize the VPN tunnel.

1 Select the Step-By-Step Wizard option from the VPN screen.
2 Select the Start button.
3 Set the following VPN values for step 1:
Figure 5-118 VPN Step-By-Step Wizard - Step 1

  Tunnel Name
    Provide a name for the tunnel in the Tunnel Name field.

  Tunnel Type
    Select the tunnel type being created. Two types of tunnels can be created. Site to Site (the default setting) creates a tunnel between two remote sites. Remote Access creates a tunnel between a user device and a network.

  Interface
    Select the interface to use. The interface can be a Virtual LAN (VLAN), WWAN or PPPoE, depending on the interfaces available on the device.

  Traffic Selector
    This field creates the Access Control List (ACL) that selects which traffic is carried by the tunnel. Provide the Source and Destination IP address ranges with their net masks. Click the Add Rule button to add the rule to the ACL.

4 Select the Next button to proceed to step 2. If any of the required values within the step 1 screen are not set properly, the second wizard screen will not display until they are.

5 Set the following VPN values for step 2:
Figure 5-119 VPN Step-By-Step Wizard - Step 2

  Peer
    Select how the peer for this tunnel is identified. Peer information can be either an IP Address (default value) or a hostname. Provide the IP address or the host name of the peer device.

  Authentication
    Configure how the devices at opposite ends of the tunnel authenticate each other.
      Certificate - The devices use certificates to authenticate with each other (default value).
      Pre-Shared Key - The devices use a pre-shared key to authenticate.

  Local Identity
    Configure the local identity for the VPN tunnel.
      IP Address - The local identity is an IP address (default value).
      FQDN - The local identity is a Fully Qualified Domain Name (FQDN).
      Email - The local identity is an E-mail address.

  Remote Identity
    Configure the remote identity for the VPN tunnel.
      IP Address - The remote identity is an IP address (default value).
      FQDN - The remote identity is a FQDN.
      Email - The remote identity is an E-mail address.

  IKE Policy
    Configure an IKE policy to use when creating this VPN tunnel. The following options are available:
      Use Default - Select this option to use the default IKE profiles.
      Create new Policy - Select this option to create a new IKE policy.

6 Click the Add Peer button to add the tunnel peer information into the Peer(s) table. This table lists all the peers set for the VPN tunnel.
7 Select Next to proceed to the step 3 screen. Use the Back button to go to the previous step. If any of the required values within the step 2 screen are not set properly, the third wizard screen will not display until they are.
8 Set the following IPSec VPN values for step 3:
Figure 5-120 VPN Step-By-Step Wizard - Step 3

  Transform Set
    The transform set is the set of parameters that governs how the VPN tunnel protects traffic and imposes a security policy on the tunnel. Primarily, it comprises the following:
      Encryption - The encryption applied to traffic in the tunnel.
      Authentication - The integrity algorithm used to authenticate tunnel packets.
      Mode - The tunnel's operational mode.
    From the drop-down, select any pre-configured Transform Set or select Create New Policy to create a new transform set.

  Encryption
    This field is enabled when Create New Policy is selected in the Transform Set field. This is the encryption applied to data traversing the tunnel. Select either esp-null, des, 3des, aes, aes-192 or aes-256. esp-null sends traffic unencrypted (integrity protection only) and des and 3des are legacy ciphers; use an AES option, preferably aes-256, unless interoperability with an older peer forces otherwise.

  Authentication
    This field is enabled when Create New Policy is selected in the Transform Set field. This is how each peer verifies that packets came from the other peer after the tunnel has been established. Select either MD5, SHA, SHA256 or AES-XCBC-HMAC-128. Prefer SHA256; MD5 is deprecated.

  Mode
    This field is enabled when Create New Policy is selected in the Transform Set field. It indicates how packets are transported through the tunnel.
      Tunnel - Use this mode when the tunnel is between two routers or gateways. The whole original IP packet is encapsulated, so traffic from the networks behind each gateway can be carried.
      Transport - Use this mode when the tunnel is created between a client and a server. Only the payload is protected and the original IP header is kept, so it cannot carry traffic on behalf of other hosts.

  Security Association
    Configures the lifetime of a security association (SA). Keys and SAs should be periodically renewed to maintain the security of the tunnel. The field defines the parameters that set the lifetime of a security association.
      Lifetime - Set the duration (in seconds) after which the keys are changed. Set a value from 500 - 2,147,483,646 seconds.
      Data - The amount of data, in KB, the key may protect. The key is changed after this quantity of data has been encrypted/decrypted. Set a value from 500 - 2,147,483,646 KB.

9 Select Next to proceed to the fourth configuration screen. Use the Back button to navigate to the previous step. If any of the required values within the step 3 screen are not set properly, the fourth wizard screen will not display until they are.
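The following is an added example, not code from the WiNG guide or the product: it audits a tunnel configuration built from the choices the Quick Setup and Step-By-Step wizards above expose (tunnel type, peer authentication, IKE policy, transform set encryption, authentication and mode, SA lifetime) and produces a hardened equivalent. The option names and numeric ranges are the wizards' own; the thresholds (8 hour rekey, 20 character pre-shared key), the class and function names and the sample tunnel are my assumptions, and the script does not talk to a device.

```python
# Added example (not WiNG code): audit wizard-level IPSec tunnel settings.
from dataclasses import dataclass, replace
from typing import List

ENCRYPTION_OPTIONS = ("esp-null", "des", "3des", "aes", "aes-192", "aes-256")
AUTH_OPTIONS = ("MD5", "SHA", "SHA256", "AES-XCBC-HMAC-128")
LIFETIME_RANGE = (500, 2_147_483_646)        # wizard limits, seconds and KB
MAX_RECOMMENDED_LIFETIME_SECONDS = 8 * 3600  # assumption: rekey at least every 8 h
MIN_PSK_LENGTH = 20                          # assumption: policy floor for pre-shared keys
IKEV2_LABELS = ("IKE2", "IKEv2")             # the wizard says IKE2, later screens say IKEv2


@dataclass(frozen=True)
class TunnelConfig:
    name: str
    tunnel_type: str        # "Site-to-Site" or "Remote Access"
    peer_auth: str          # "Certificate" or "Pre-Shared Key"
    psk: str                # only meaningful with Pre-Shared Key
    ike_policy: str         # "All", "IKE1" or "IKE2"
    encryption: str
    authentication: str
    mode: str               # "Tunnel" or "Transport"
    lifetime_seconds: int
    lifetime_kb: int


def audit(cfg: TunnelConfig) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    if cfg.encryption not in ENCRYPTION_OPTIONS or cfg.authentication not in AUTH_OPTIONS:
        findings.append("unknown transform set option")
    if cfg.encryption == "esp-null":
        findings.append("esp-null provides integrity only; traffic is sent in clear")
    elif cfg.encryption in ("des", "3des"):
        findings.append(f"{cfg.encryption} is a legacy cipher; use aes-256")
    if cfg.authentication == "MD5":
        findings.append("MD5 is deprecated for IPSec integrity; use SHA256")
    elif cfg.authentication == "SHA":
        findings.append("SHA (SHA-1) is being phased out; prefer SHA256")
    if cfg.tunnel_type == "Site-to-Site" and cfg.mode != "Tunnel":
        findings.append("site-to-site traffic selectors need Tunnel mode, not Transport")
    if cfg.ike_policy not in IKEV2_LABELS:
        findings.append(f"IKE policy {cfg.ike_policy!r} permits IKEv1; restrict to IKE2")
    lo, hi = LIFETIME_RANGE
    if not (lo <= cfg.lifetime_seconds <= hi and lo <= cfg.lifetime_kb <= hi):
        findings.append("SA lifetime outside the 500..2147483646 range the wizard accepts")
    elif cfg.lifetime_seconds > MAX_RECOMMENDED_LIFETIME_SECONDS:
        findings.append("SA lifetime longer than 8 h; rekey more often")
    if cfg.peer_auth == "Pre-Shared Key" and len(cfg.psk) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    return findings


def harden(cfg: TunnelConfig) -> TunnelConfig:
    """The closest configuration that passes audit() without changing the peer,
    the traffic selector or the authentication method. A weak pre-shared key is
    reported but not replaced: a new key has to be agreed with the peer."""
    lo, hi = LIFETIME_RANGE
    return replace(
        cfg,
        encryption="aes-256",
        authentication="SHA256",
        mode="Tunnel" if cfg.tunnel_type == "Site-to-Site" else cfg.mode,
        ike_policy="IKE2",
        lifetime_seconds=min(max(cfg.lifetime_seconds, lo), MAX_RECOMMENDED_LIFETIME_SECONDS),
        lifetime_kb=min(max(cfg.lifetime_kb, lo), hi),
    )


# Constructed sample: a branch tunnel left on a legacy transform set and the
# wizard's default IKE policy of "All".
LEGACY = TunnelConfig("branch-1", "Site-to-Site", "Certificate", "", "All",
                      "3des", "MD5", "Transport", 86400, 4_000_000)
WEAK_PSK = replace(LEGACY, peer_auth="Pre-Shared Key", psk="secret12")

if __name__ == "__main__":
    for finding in audit(LEGACY):
        print("finding:", finding)
    print("hardened:", harden(LEGACY))
    print("still open after hardening:", audit(harden(WEAK_PSK)))
```

The audit deliberately treats the wizard's default IKE policy of All as a finding: a peer that downgrades to IKEv1 loses IKEv2's built-in protections, and an administrator who only ever sees the wizard screen may not realise the default allows it.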
10 Review the configuration and select Done to initiate the creation of the VPN tunnel. Use the Back button to navigate to the previous screen. Select Close to close the wizard without creating a VPN tunnel.

Figure 5-121 VPN Step-By-Step Wizard - Step 4

5.2.9.4.6 Advanced VPN Configuration

The advanced VPN configuration option does not use a setup wizard. Instead it has its own screen flow where nearly every facet of a VPN tunnel configuration can be set by a qualified network administrator. For detailed information on creating a VPN tunnel configuration, refer to Setting the Profile's VPN Configuration on page 8-168.

5.2.9.5 Overriding a Profile's Auto IPSec Tunnel Configuration

Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service platforms and their associated Access Points, which must fall within a range of valid IP addresses. Administrators define which packets are sent within the tunnel, and how they are protected. When a tunnelled peer sees a packet matching the protected traffic definition, it establishes the secure tunnel and sends the packet through it to the remote peer or associated Access Point. Tunnels are sets of security associations (SAs) between two peers. SAs define the protocols and algorithms applied to protected packets and specify the keying mechanisms used by the tunnelled peers. SAs are unidirectional, so a tunnel has one inbound and one outbound SA. SAs are established per the rules and conditions of the defined security protocol (AH or ESP). Internet Key Exchange (IKE) is the key management protocol used with IPSec. IKE negotiates the SAs and their keys automatically, so auto IPSec tunneling needs no time-consuming manual pre-configuration of keys.
To define an Auto IPSec Tunnel configuration or override that can be applied to a profile:

1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Security to expand its sub menu options.
5 Select Auto IPSec Tunnel.

Figure 5-122 Profile Overrides - Auto IPSec Tunnel screen

The Settings field lists the Auto IPSec tunnel policies created thus far. Any of these policies can be selected and applied to a profile.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

  Group ID
    Define a 1 - 64 character identifier for an IKE exchange supporting auto IPSec tunnel secure peers.

  Authentication Type
    Use the drop-down menu to select either RSA or PSK (Pre Shared Key) as the authentication type for secure peer authentication on the auto IPSec tunnel. Rivest, Shamir and Adleman (RSA) is a public key algorithm, the first known to be suitable for signing as well as encryption; selecting it authenticates peers with RSA signatures rather than a shared password. The default setting is RSA.

  Authentication Key
    Enter the 8 - 21 character shared key (password) used for auto IPSec tunnel peer authentication when PSK is selected. Use the full length and a random value: every peer in the group shares this key, so a weak or leaked key lets any holder join the tunnel.

  IKE Version
    Use the drop-down menu to select the IKE version used for auto IPSec tunnel authentication with the IPSec gateway. IKEv2 is the default setting.

  Enable NAT after IPSec
    Select the checkbox to enable internal source port NAT on the auto IPSec secure tunnel.

  Use Unique ID
    Select this option to use a unique ID with auto IPSec secure authentication for the IPSec remote gateway (appending the MiNT ID). This setting is disabled by default.

  Re-Authentication
    Select this option to re-authenticate the peer on an IKE rekey. This setting is enabled by default.

  IKE Life Time
    Set a lifetime in either Seconds (600 - 86,400), Minutes (10 - 1,440), Hours (1 - 24) or Days (1) for the IKE security association duration. The default setting is 8600 seconds.

6 Select OK to save the changes made to the auto IPSec tunnel configuration. Select Reset to revert to the last saved configuration.

5.2.9.6 Overriding a Profile's NAT Configuration

Network Address Translation (NAT) modifies the network address information in IP packet headers while they are in transit across a routing device, remapping one IP address to another; this hides the addressing of the wireless controller managed network. In most deployments NAT is used as an IP masquerading technique, hiding RFC 1918 private IP addresses behind a single, public-facing IP address. NAT can provide a profile outbound Internet access for wired and wireless hosts connected to either an Access Point or a wireless controller. Many-to-one NAT is the most common NAT technique for outbound Internet access.
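The following is an added example, not code from the WiNG guide or the product: a toy NAT engine that walks constructed packets through the three kinds of entry this section configures (a many-to-one NAT pool, a static source entry and a static destination entry) and shows why a NAT pool on its own is not a firewall. The addresses are RFC 5737 documentation ranges; the class and method names, the port allocation scheme and the interpretation of the Destination tab fields (a packet arriving at NAT IP:NAT Port is rewritten to Destination IP:Destination Port) are my assumptions about the screens, not the device's actual translation logic.

```python
# Added example (not WiNG code): a minimal model of NAT pool, static source and
# static destination translation, and of what a NAT table does not check.
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Key = Tuple[str, str, int]   # (protocol, address, port)


class NatEngine:
    """Toy engine; the real device's behaviour is not described in the guide."""

    def __init__(self, pool_range: str, outside_ip: str, first_port: int = 40000):
        self.pool_range = ip_network(pool_range)       # NAT Pool "IP Address Range"
        self.outside_ip = outside_ip                   # public IP on the uplink port
        self.static_src: Dict[str, str] = {}           # inside IP -> NAT IP (one-to-one)
        self.static_dst: Dict[Key, Tuple[str, int]] = {}  # (proto, NAT IP, NAT port) -> (inside IP, port)
        self.table: Dict[Key, Tuple[str, int]] = {}       # dynamic: (proto, outside IP, port) -> (inside IP, port)
        self._next_port = first_port

    def add_static_source(self, source_ip: str, nat_ip: str) -> None:
        self.static_src[source_ip] = nat_ip

    def add_static_destination(self, proto: str, destination_ip: str, destination_port: int,
                               nat_ip: str, nat_port: int) -> None:
        self.static_dst[(proto, nat_ip, nat_port)] = (destination_ip, destination_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source per the static or pool rules."""
        if pkt.src_ip in self.static_src:
            return replace(pkt, src_ip=self.static_src[pkt.src_ip])
        if ip_address(pkt.src_ip) in self.pool_range:
            key = (pkt.proto, self.outside_ip, self._next_port)   # one public port per flow
            self._next_port += 1
            self.table[key] = (pkt.src_ip, pkt.src_port)
            return replace(pkt, src_ip=key[1], src_port=key[2])
        return pkt   # not covered by any rule: forwarded untranslated

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the translated packet, or None when no mapping exists.
        Nothing here looks at the sender; that is the stateful firewall's job."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.static_dst:
            ip, port = self.static_dst[key]
            return replace(pkt, dst_ip=ip, dst_port=port)
        for inside_ip, nat_ip in self.static_src.items():
            if pkt.dst_ip == nat_ip:      # static NAT host is reachable from anywhere
                return replace(pkt, dst_ip=inside_ip)
        if key in self.table:
            ip, port = self.table[key]
            return replace(pkt, dst_ip=ip, dst_port=port)
        return None


def demo() -> dict:
    """Walk constructed packets through the engine and return what each becomes."""
    nat = NatEngine("192.168.10.0/24", "203.0.113.10")
    nat.add_static_source("192.168.10.5", "203.0.113.11")
    nat.add_static_destination("TCP", "192.168.10.20", 8080, "203.0.113.12", 443)

    # A pool host opens a connection outward; the engine records the mapping.
    out = nat.outbound(Packet("TCP", "192.168.10.42", 51000, "198.51.100.7", 443))
    # The server's reply follows the mapping back to the inside host.
    reply = nat.inbound(Packet("TCP", "198.51.100.7", 443, out.src_ip, out.src_port))
    # So does a packet from an unrelated host that learned the port: the NAT
    # table records where to send it, not who is allowed to.
    stranger = nat.inbound(Packet("TCP", "192.0.2.9", 1234, out.src_ip, out.src_port))
    # With no mapping the engine simply has nowhere to deliver the packet.
    unmapped = nat.inbound(Packet("TCP", "192.0.2.9", 1234, "203.0.113.10", 22))
    # Static destination and static source entries are reachable by anyone, always.
    to_web = nat.inbound(Packet("TCP", "192.0.2.9", 5555, "203.0.113.12", 443))
    to_static = nat.inbound(Packet("TCP", "192.0.2.9", 5555, "203.0.113.11", 22))
    return {
        "outbound": (out.src_ip, out.src_port),
        "reply": (reply.dst_ip, reply.dst_port),
        "stranger": (stranger.dst_ip, stranger.dst_port),
        "unmapped": unmapped,
        "to_web": (to_web.dst_ip, to_web.dst_port),
        "to_static": (to_static.dst_ip, to_static.dst_port),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:>10}: {result}")
```

The `stranger` and `to_static` cases are the ones to keep in mind when reading the rest of this section: an address hidden behind a pool is unreachable only until a mapping exists, and a static entry makes the inside host reachable from any source on every port. Pairing the NAT configuration with a stateful firewall policy, as the NAT Pool screen advises, is what turns "hidden" into "filtered".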
Many-to-one NAT allows an Access Point or wireless controller to translate one or more internal private IP addresses to a single, public-facing IP address assigned to a 10/100/1000 Ethernet port or 3G card. To define a NAT configuration or override that can be applied to a profile:

1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points within the managed network.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Security to expand its sub menu options.
5 Select NAT.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

The NAT Pool screen displays by default. It lists the NAT policies created thus far. Any of these policies can be selected and applied to a profile.

Figure 5-123 Profile Overrides - NAT Pool screen

6 Select Add to create a new NAT policy that can be applied to a profile. Select Edit to modify or override the attributes of an existing policy, or select Delete to remove obsolete NAT policies from the list of those available to a profile.
7 If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters:
Figure 5-124 NAT Pool screen

  Name
    If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters.

  IP Address Range
    Define the range of IP addresses hidden from the public Internet. NAT modifies the address information of packets in the defined IP range while they are in transit across the routing device. NAT only provides address translation and does not provide a firewall: a branch deployment with NAT alone will not block traffic from being routed through the NAT device to internal hosts. Consequently, NAT should be deployed together with a stateful firewall.

8 Select the + Add Row button as needed to append additional rows to the IP Address Range table.
9 Select OK to save the changes or overrides made to the profile's NAT Pool configuration. Select Reset to revert to the last saved configuration.
10 Select the Static NAT tab. The Source tab displays by default and lists existing static NAT configurations. Existing static NAT configurations are not editable, but new configurations can be added and existing ones deleted as they become obsolete.

Static NAT creates a permanent, one-to-one mapping between an address on an internal network and an address on a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map its actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces, which makes casual access by unauthorized users more difficult, but it does not restrict who can reach the mapped address; only a firewall policy does that. Static NAT requires a dedicated address on the outside network for each host.

Figure 5-125 Profile Overrides - Static NAT screen

11 Select + Add Row to create a new static NAT configuration.
12 Set or override the following Source configuration parameters:

  Source IP
    Enter the local address at the originating end of the static NAT configuration. Once translated, this address is not exposed to the outside world; the translation address is used to interact with the remote destination.

  NAT IP
    Enter the address the matching packet's IP address is translated to. Whether the source or the destination address is modified depends on the direction specified.

  Network
    Select Inside or Outside NAT as the network direction. Select Inside to create a permanent, one-to-one mapping between an address on the internal network and an address on the perimeter or external network. Inside is the default setting.

13 Select the Destination tab to view destination NAT configurations. These define how packets passing back through the NAT toward the managed LAN are matched against the records kept by the NAT engine: the destination IP address is changed back to the specific internal private IP address so the packet reaches the host on the managed LAN.
14 Select Add to create a new NAT destination configuration or Delete to permanently remove a NAT destination. Existing NAT destinations cannot be edited.

Figure 5-126 NAT Destination screen

15 Set or override the following Destination configuration parameters:

Figure 5-127 NAT Destination Add screen

  Protocol
    Select the protocol for use with static translation (TCP, UDP and Any are available options). TCP is a transport layer protocol used by applications requiring guaranteed delivery; it is a sliding window protocol handling both time outs and retransmissions, and establishes a full duplex virtual connection between two endpoints, each defined by an IP address and a TCP port number. The User Datagram Protocol (UDP) offers only a minimal transport service, non-guaranteed datagram delivery, and gives applications direct access to the datagram service of the IP layer. UDP is used by applications not requiring the level of service of TCP, or using communications services (multicast or broadcast delivery) not available from TCP. The default setting is Any.

  Destination IP
    Enter the local address at the (source) end of the static NAT configuration. Once translated, this address is not exposed to the outside world; the translation address is used to interact with the remote destination.

  Destination Port
    Use the spinner control to set the local port number at the (source) end of the static NAT configuration. The default value is port 1.

  NAT IP
    Enter the address the matching packet's IP address is translated to. Whether the source or the destination address is modified depends on the direction specified.

  NAT Port
    Enter the port number the matching packet's port is translated to. This option is valid only if the direction specified is destination.

  Network
    Select Inside or Outside NAT as the network direction. Inside is the default setting.

16 Select OK to save the changes or overrides made to the static NAT configuration. Select Reset to revert to the last saved configuration.
17 Select the Dynamic NAT tab. Dynamic NAT configurations translate the IP address of packets going out from one interface to another based on configured conditions. Dynamic NAT requires packets to be switched through the NAT router to generate translations in the translation table.

Figure 5-128 Profile Overrides - Dynamic NAT screen

18 Refer to the following to determine whether a new Dynamic NAT configuration requires creation, edit or deletion:
Source List ACL Network Interface Overload Type NAT Pool Overload IP ACL Precedence Lists an ACL name to define the packet selection criteria for the NAT configuration. NAT is applied only on packets which match a rule defined in the access list. These addresses (once translated) are not exposed to the outside world when the translation address is used to interact with the remote destination. Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration. Lists the VLAN (from 1 - 4094) used as the communication medium between the source and destination points within the NAT configuration. Displays the Overload Type utilized when several internal addresses are NATed to only one or a few external addresses. Options include NAT Pool, One Global Address and Interface IP Address. Interface IP Address is the default setting. Displays the name of an existing NAT pool used with the dynamic NAT configuration. If One Global IP Address is selected as the Overload Type, define an IP address used a filter address for the IP ACL rule. Lists the administrator assigned priority set for the listed source list ACL. The lower the value listed the higher the priority assigned to these ACL rules. 19 Select Add to create a new Dynamic NAT configuration, Edit to modify or override an existing configuration or Delete to permanently remove a configuration. Wireless Controller and Service Platform System Reference Guide 5 - 222 Device Configuration 20 Set or override the following to define the Dynamic NAT configuration:
Figure 5-129 Dynamic NAT Add screen Source List ACL Network ACL Precedence Interface Overload Type NAT Pool Overload IP Use the drop-down menu to select an ACL name to define the packet selection criteria for NAT. NAT is applied only to packets which match a rule defined in the access list. These addresses (once translated) are not exposed to the outside world when the translation address is used to interact with a remote destination. Select Inside or Outside NAT as the network direction for the dynamic NAT configuration. Inside is the default setting. Set the priority (from 1 - 5000) for the source list ACL. The lower the value, the higher the priority assigned to these ACL rules. Use the drop-down menu to select the wireless WAN or VLAN ID
(1 - 4094) used as the communication medium between the source and destination points within the NAT configuration. Ensure the VLAN selected represents the intended network traffic within the NAT supported configuration. VLAN1 is available by default. Define the Overload Type utilized when several internal addresses are NATed to only one or a few external addresses. Options include NAT Pool, One Global Address and Interface IP Address. Interface IP Address is the default setting. Provide the name of an existing NAT pool for use with the dynamic NAT configuration. If One Global IP Address is selected as the Overload Type, define an IP address used a filter address for the IP ACL rule. 21 Select OK to save the changes or overrides made to the dynamic NAT configuration. Select Reset to revert to the last saved configuration. Wireless Controller and Service Platform System Reference Guide 5 - 223 Device Configuration 5.2.9.7 Overriding a Profiles Bridge NAT Configuration Overriding a Profiles Security Configuration Use Bridge NAT to manage Internet traffic originating at a remote site. In addition to traditional NAT functionality, Bridge NAT provides a means of configuring NAT for bridged traffic through an access point. NAT rules are applied to bridged traffic through the access point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router. Using Bridge NAT, a tunneled VLAN (extended VLAN) is created between the NoC and a remote location. When a remote client needs to access the Internet, Internet traffic is routed to the NoC, and from there routed to the Internet. This increases the access time for the end user on the client. To resolve latency issues, Bridge NAT identifies and segregates traffic heading towards the NoC and outwards towards the Internet. Traffic towards the NoC is allowed over the secure tunnel. Traffic towards the Internet is switched to a local WLAN link with access to the Internet. 
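The static (one-to-one) and dynamic (NAT pool overload) translation behaviour described in the NAT section above, as an added Python model that is not WiNG code: the engine class, the packet tuples and the port allocation policy are assumptions, and all addresses are constructed. It also makes concrete why the guide pairs NAT with a stateful firewall: a static mapping forwards an inbound packet to the inside host even when no outbound flow preceded it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed model of static and dynamic (overload) NAT as this section describes
# them. Not WiNG code: the classes, the packet tuples and the port allocation
# policy are assumptions made for illustration.

Packet = Tuple[str, int, str, int]      # (src_ip, src_port, dst_ip, dst_port)
Endpoint = Tuple[str, int]              # (ip, port)


@dataclass
class StaticNat:
    """Permanent one-to-one mapping of one inside host to one dedicated global address."""
    inside_ip: str
    global_ip: str


@dataclass
class DynamicNat:
    """Sources permitted by the IP ACL share the global addresses of a NAT pool
    (the guide's 'NAT Pool' overload type); each flow gets its own global port."""
    acl_networks: List[str]             # packet selection criteria, as source networks
    pool: List[str]                     # NAT pool: the global addresses to overload
    first_port: int = 1024

    def matches(self, src_ip: str) -> bool:
        return any(ip_address(src_ip) in ip_network(n) for n in self.acl_networks)


class NatEngine:
    def __init__(self, static: List[StaticNat], dynamic: Optional[DynamicNat] = None):
        self.static_out = {s.inside_ip: s.global_ip for s in static}
        self.static_in = {s.global_ip: s.inside_ip for s in static}
        self.dynamic = dynamic
        self.table: Dict[Endpoint, Endpoint] = {}    # inside -> global, created per flow
        self.reverse: Dict[Endpoint, Endpoint] = {}  # global -> inside, for returning packets
        self.next_port: Dict[str, int] = {}

    def _allocate(self) -> Endpoint:
        """Next unused port on the first pool address with room (assumed policy)."""
        for gip in self.dynamic.pool:
            port = self.next_port.get(gip, self.dynamic.first_port)
            if port <= 65535:
                self.next_port[gip] = port + 1
                return (gip, port)
        raise RuntimeError("NAT pool exhausted")

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the source per the static or dynamic rule."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if src_ip in self.static_out:                 # static: address changes, port kept
            return (self.static_out[src_ip], src_port, dst_ip, dst_port)
        if self.dynamic is not None and self.dynamic.matches(src_ip):
            inside = (src_ip, src_port)
            if inside not in self.table:              # first packet of a flow creates the entry
                glob = self._allocate()
                self.table[inside] = glob
                self.reverse[glob] = inside
            gip, gport = self.table[inside]
            return (gip, gport, dst_ip, dst_port)
        return pkt                                    # no rule matched: routed untranslated

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: change the destination back to the private address."""
        src_ip, src_port, dst_ip, dst_port = pkt
        if (dst_ip, dst_port) in self.reverse:        # reply to a known dynamic flow
            iip, iport = self.reverse[(dst_ip, dst_port)]
            return (src_ip, src_port, iip, iport)
        if dst_ip in self.static_in:                  # static: forwarded even with no prior flow,
            return (src_ip, src_port, self.static_in[dst_ip], dst_port)  # hence the firewall advice
        return None                                   # no translation state: nothing to deliver to


def demo() -> Dict[str, Optional[Packet]]:
    """Constructed traffic through one engine; addresses are documentation ranges."""
    nat = NatEngine(static=[StaticNat("192.168.10.5", "203.0.113.5")],
                    dynamic=DynamicNat(["192.168.10.0/24"], ["203.0.113.10"]))
    flow_a = ("192.168.10.20", 40000, "198.51.100.1", 443)
    flow_b = ("192.168.10.21", 40000, "198.51.100.1", 443)
    return {
        "a_out": nat.outbound(flow_a),                  # 203.0.113.10:1024
        "b_out": nat.outbound(flow_b),                  # same global IP, port 1025
        "a_again": nat.outbound(flow_a),                # existing entry reused
        "b_reply": nat.inbound(("198.51.100.1", 443, "203.0.113.10", 1025)),
        "static_in": nat.inbound(("198.51.100.9", 5555, "203.0.113.5", 80)),
        "stray": nat.inbound(("198.51.100.9", 5555, "203.0.113.10", 9000)),
    }
```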
To define a NAT configuration or override that can be applied to a profile:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Security to expand its sub menu options.
5 Select Bridge NAT.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Review the following Bridge NAT configurations to determine whether a new Bridge NAT configuration requires creation or an existing configuration modified or removed.

Figure 5-130 Security Bridge NAT screen

Access List: Displays the access list applying IP address access/deny permission rules to the Bridge NAT configuration.
Interface: Lists the communication medium (outgoing layer 3 interface) between source and destination points. This is either the Access Point's pppoe1 or wwan1 interface or the VLAN used as the redirection interface between the source and destination.
NAT Pool: Lists the names of existing NAT pools used with the Bridge NAT configuration. This displays only when Overload Type is NAT Pool.
Overload IP: Lists the address used globally for numerous local addresses.
Overload Type: Define the overload type utilized when several internal addresses are NATed to only one or a few external addresses. Set as either NAT Pool, One Global Address or Interface IP Address.
ACL Precedence: Lists the administrator assigned priority set for the ACL. The lower the value listed, the higher the priority assigned to these ACL rules.

7 Select Add to create a new Bridge VLAN configuration, Edit to modify an existing configuration or Delete to remove a configuration.

Figure 5-131 Security Source Dynamic NAT screen

8 Select the ACL whose IP rules are applied to the policy based forwarding rule. A new ACL can be defined by selecting the Create icon, or an existing set of IP ACL rules can be modified by selecting the Edit icon.
9 Use the IP Address Range table to configure IP addresses and address ranges that can be used to access the Internet.

ACL Precedence: Set the priority (from 1 - 5000) for the ACL. The lower the value, the higher the priority assigned to these ACL rules.
Interface: Lists the outgoing layer 3 interface on which traffic is re-directed. The interface can be an Access Point wwan or pppoe interface. Traffic can also be redirected to a designated VLAN.
NAT Pool: Displays the NAT pool used by this Bridge NAT entry. A value is displayed only when Overload Type has been set to NAT Pool.
Overload IP: Lists the single global address supporting numerous local addresses.
Overload Type: Lists the overload type utilized when several internal addresses are NATed to only one or a few external addresses. Options include NAT Pool, One Global Address and Interface IP Address. Interface IP Address is the default setting.

10 Select + Add Row to set the interface, overload and NAT pool settings for the Bridge NAT configuration.
11 Select OK to save the changes made within the Add Row and Source Dynamic NAT screen. Select Reset to revert to the last saved configuration.
Figure 5-132 Security Source Dynamic NAT screen

5.2.9.8 Overriding a Profile's Application Visibility Settings

Deep Packet Inspection (DPI) is an advanced packet analysis technique, which analyzes packet and packet content headers to determine the nature of network traffic. When DPI is enabled, packets of all flows are subjected to DPI to get accurate results. DPI identifies applications (such as, Netflix, Twitter, Facebook, etc.) and extracts metadata (such as, host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.

To configure a profile's application visibility settings and overrides:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Security to expand its sub menu options.
5 Select Application Visibility.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

6 Refer to the following Application Visibility and Control Settings:

Figure 5-133 Profile Overrides - Application Visibility screen

Enable DPI: Enable this setting to provide deep-packet inspection. When enabled, network flows are inspected at a granular level to identify applications (such as, Netflix, Twitter, Facebook, etc.) and extract metadata (such as, host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.
Enable Application Logging: Select this option to enable event logging for DPI application recognition. This setting is disabled by default.
Application Logging Level: If enabling DPI application recognition event logging, set the logging level. Severity levels include Emergency, Alert, Critical, Errors, Warning, Notice, Info and Debug. The default logging level is Notification.
Enable Voice/Video Metadata: Select this option to enable the metadata extraction from voice and video classified flows. The default setting is disabled.
Enable HTTP Metadata: Select this option to enable the metadata extraction from HTTP flows. The default setting is disabled.
Enable SSL Metadata: Select this option to enable the metadata extraction from SSL flows. The default setting is disabled.
Enable TCP RTT: Select this option to enable extraction of RTT information from TCP flows. The default setting is disabled.

7 Review the Custom Applications for DPI field to select the custom applications available for this device profile. For information on creating custom applications and their categories, see Application on page 7-58.
8 If enabling TCP-RTT metadata collection, in the App Groups for TCP RTT field, specify the application groups for which TCP-RTT metadata collection is to be enabled. Select the Application Groups from the drop-down menu and use the green, down arrow to move the selection to the box below. Note, you can add a maximum of 8 (eight) groups to the list. If the desired application group is not available, select the Create icon to define a new application group configuration or select the Edit icon to modify an existing application group. For information on creating custom application groups, see Application on page 7-58.
9 Select OK to save the changes or overrides. Select Reset to revert to the last saved configuration.

5.2.9.9 Overriding a Profile's VRRP Configuration

A default gateway is a critical resource for connectivity. However, it's prone to a single point of failure. Thus, redundancy for the default gateway is required by the access point. If WAN backhaul is available, and a router failure occurs, then the Access Point should act as a router and forward traffic on to its WAN link.

Define an external Virtual Router Redundancy Protocol (VRRP) configuration when router redundancy is required in a wireless network requiring high availability. The election of a VRRP master is central to the configuration of VRRP. A VRRP master (once elected) performs the following functions:

- Responds to ARP requests
- Forwards packets with a destination link layer MAC address equal to the virtual router MAC address
- Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP address owner
- Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address owner or accept mode is true.

Nodes losing the election process enter a backup state where they monitor the master for any failures, and in case of a failure, one of the backups becomes the master and assumes the management of the designated virtual IPs. A backup does not respond to an ARP request, and discards packets destined for a virtual IP resource.

To define the configuration of a VRRP group:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of managed devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select VRRP.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

5 Review the following VRRP configuration data to assess if a new VRRP configuration is required or if an existing VRRP configuration requires modification or removal:

Figure 5-134 Profile Overrides - VRRP screen

Virtual Router ID: Lists a numerical index (1 - 255) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for.
Description: Displays a description assigned to the VRRP configuration when it was either created or modified. The description is implemented to provide additional differentiation beyond the numerical virtual router ID.
Virtual IP Addresses: Lists the virtual interface IP address used as the redundant gateway address for the virtual route.
Interface: Displays the interfaces selected on the Access Point to supply VRRP redundancy fail over support.
Priority: Lists a numerical value (from 1 - 254) used for the virtual router master election process. The higher the numerical value, the higher the priority in the election process.

6 Select the Version tab to define the VRRP version scheme used with the configuration.

Figure 5-135 VRRP screen - Version tab

VRRP version 3 (RFC 5798) and 2 (RFC 3768) are selectable to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and supports services over virtual IP. For more information on the VRRP protocol specifications (available publicly) refer to http://www.ietf.org/rfc/rfc3768.txt (version 2) and http://www.ietf.org/rfc/rfc5798.txt (version 3).

7 From within the VRRP tab, select Add to create a new VRRP configuration or Edit to modify the attributes of an existing VRRP configuration. If necessary, existing VRRP configurations can be selected and permanently removed by selecting Delete.
8 If creating a new VRRP configuration, assign a Virtual Router ID from (1 - 255). In addition to functioning as a numerical identifier, the ID identifies the virtual router a packet is reporting status for.
9 Define the following VRRP General parameters:
Figure 5-136 VRRP screen

Description: In addition to an ID assignment, a virtual router configuration can be assigned a textual description (up to 64 characters) to further distinguish it from others with a similar configuration.
Priority: Use the spinner control to set a VRRP priority setting from 1 - 254. The controller or service platform uses the defined setting as criteria in selection of a virtual router master. The higher the value, the greater the likelihood of this virtual router ID being selected as the master.
Virtual IP Addresses: Provide up to 8 IP addresses representing the Ethernet switches, routers or security appliances defined as virtual router resources.
Advertisement Interval Unit: Select either seconds, milliseconds or centiseconds as the unit used to define VRRP advertisements. Once an option is selected, the spinner control becomes enabled for that Advertisement Interval option. The default interval unit is seconds. If changing the VRRP group version from 2 to 3, ensure the advertisement interval is in centiseconds. Use VRRP group version 2 when the advertisement interval is either in seconds or milliseconds.
Advertisement Interval: Once an Advertisement Interval unit has been selected, use the spinner control to set the interval at which the VRRP master sends out advertisements on each of its configured VLANs. The default setting is 1 second.
Preempt: Select this option to ensure a high priority backup router is available to preempt a lower priority backup router resource. The default setting is enabled. When selected, the Preempt Delay option becomes enabled to set the actual delay interval for pre-emption. This setting determines if a node with a higher priority can take over all the Virtual IPs from the nodes with a lower priority.
Preempt Delay: If the Preempt option is selected, use the spinner control to set the delay interval (in seconds) for pre-emption.
Interface: Select this value to enable/disable VRRP operation and define the VLAN (1 - 4,094) interface where VRRP will be running. These are the interfaces monitored to detect a link failure.

10 Refer to the Protocol Extension field to define the following:

Sync Group: Select the option to assign a VRRP sync group to this VRRP ID's group of virtual IP addresses. This triggers VRRP fail over if an advertisement is not received from the virtual masters that are part of this VRRP sync group. This setting is disabled by default.
Local Interface (Network Monitoring): Select wwan1, pppoe1 and VLAN ID(s) as needed to extend VRRP monitoring to these local Access Point interfaces. Once selected, these interfaces can be assigned an increasing or decreasing level of priority for virtual routing within the VRRP group.
Critical Resource (Network Monitoring): Assign the priority level for the selected local interfaces. Backup virtual routers can increase or decrease their priority in case the critical resources connected to the master router fail, and then transition to the master state themselves. Additionally, the master virtual router can lower its priority if the critical resources connected to it fail, so the backup can transition to the master state. This value can only be set on the backup or master router resource, not both. Options include None, increment-priority, decrement-priority.
Critical Resource Name (Network Monitoring): Select each critical resource needed for monitoring. The action specified in the critical resource drop-down menu is applied to each selected critical resource.
Delta Priority (Network Monitoring): Use this setting to decrement the configured priority (by the set value) when the monitored interface is down. When critical resource monitoring, the value is incremented by the setting defined.

11 Select OK to save the changes made to the VRRP configuration. Select Reset to revert to the last saved configuration.

5.2.9.10 Overriding a Profile's Critical Resource Configuration

Critical resources are device IP addresses or destinations interpreted as critical to the health of the network. The critical resource feature allows for the continuous monitoring of these defined addresses. A critical resource, if not available, can result in the network suffering performance degradation.
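The VRRP master election, the Preempt option and the critical resource driven priority changes described under Protocol Extension above, as an added Python simulation that is not WiNG code: the class and field names, the counter that marks a resource DOWN after a number of failed probes (after the Monitoring Retries setting of the critical resource feature) and the way the delta is applied are assumptions, and the routers and addresses are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import List, Optional

# Constructed simulation of the VRRP master election and the critical resource
# driven priority changes this guide describes. Not WiNG code: the class and field
# names, the failure counter and the delta arithmetic are assumptions for illustration.

MIN_PRIORITY, MAX_PRIORITY = 1, 254     # configurable VRRP priority range from the guide


@dataclass
class CriticalResource:
    """A pinged resource, marked DOWN after `retries` consecutive failed probes
    (after the guide's 'Monitoring Retries before Marking Resource as DOWN', default 3)."""
    name: str
    retries: int = 3
    failures: int = 0
    up: bool = True

    def record_probe(self, reachable: bool) -> bool:
        """Feed one ARP/ICMP probe result; return the resource state afterwards."""
        if reachable:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.retries:
                self.up = False
        return self.up


@dataclass
class VrrpNode:
    """One router of a VRRP group with the guide's Priority, Preempt and
    Protocol Extension (critical resource action / delta priority) settings."""
    name: str
    primary_ip: str
    priority: int                                    # configured value, 1 - 254
    resources: List[CriticalResource] = field(default_factory=list)
    action: str = "none"                             # none | increment-priority | decrement-priority
    delta_priority: int = 0
    preempt: bool = True

    def effective_priority(self) -> int:
        """Configured priority adjusted by delta_priority while any monitored
        resource is DOWN (assumed: applied once, not once per failed resource)."""
        prio = self.priority
        if any(not r.up for r in self.resources):
            if self.action == "decrement-priority":
                prio -= self.delta_priority
            elif self.action == "increment-priority":
                prio += self.delta_priority
        return max(MIN_PRIORITY, min(MAX_PRIORITY, prio))


def elect_master(nodes: List[VrrpNode], current: Optional[VrrpNode] = None) -> VrrpNode:
    """Highest effective priority wins; ties go to the higher primary IP address as
    RFC 3768/5798 do. A node with Preempt disabled does not displace a running master."""
    best = max(nodes, key=lambda n: (n.effective_priority(), ip_address(n.primary_ip)))
    if current is not None and best is not current and not best.preempt:
        return current
    return best


def run_scenario(preempt_back: bool = True) -> List[str]:
    """One failure and recovery cycle; returns the master's name after each event."""
    gateway = CriticalResource("upstream-gw")                 # constructed resource
    ap1 = VrrpNode("ap1", "10.0.0.11", 200, [gateway],
                   action="decrement-priority", delta_priority=60, preempt=preempt_back)
    ap2 = VrrpNode("ap2", "10.0.0.12", 180)                   # plain backup
    group = [ap1, ap2]
    master = elect_master(group)
    history = [master.name]                                   # ap1: 200 beats 180
    for _ in range(3):                                        # third failed probe marks DOWN
        gateway.record_probe(False)
        master = elect_master(group, master)
        history.append(master.name)                           # ap1, ap1, then ap2 (200 - 60 = 140)
    gateway.record_probe(True)                                # gateway reachable again
    master = elect_master(group, master)
    history.append(master.name)                               # ap1 if it may preempt, else ap2 stays
    return history
```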
A critical resource can be a gateway, AAA server, WAN interface or any hardware or service on which the stability of the network depends. Critical resources are pinged regularly. If there's a connectivity issue, an event is generated stating a critical resource is unavailable. By default, there's no enabled critical resource policy and one needs to be created and implemented.

Critical resources can be monitored directly through the interfaces on which they're discovered. For example, a critical resource on the same subnet as the access point can be monitored by its IP address. However, a critical resource located on a VLAN must continue to be monitored on that VLAN.

Critical resources can be configured for Access Points and wireless controllers using their respective profiles. To define critical resources:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of devices or peer controllers, service platforms or Access Points.
2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI.
3 Select Profile Overrides from the Device menu to expand it into sub menu options.
4 Select Critical Resources.

Figure 5-137 Critical Resources screen - List of Critical Resources tab

The screen lists the destination IP addresses or interfaces (VLAN, WWAN, or PPPoE) used for critical resource connection. IP addresses can be monitored directly by the controller, service platform or Access Point whereas a VLAN, WWAN or PPPoE must be monitored behind an interface.
5 The Critical Resource Name table displays the name of the resource(s) configured on this device.
6 Click the Add button at the bottom of the screen to add a new critical resource and connection method, or select an existing resource and select Edit to update the resource's configuration. If adding a new critical resource, assign it a name up to 32 characters.

Figure 5-138 Critical Resources screen - Adding a Critical Resource

7 Select Use Flows to configure the critical resource to monitor using firewall flows for DHCP or DNS instead of ICMP or ARP packets to reduce the amount of traffic on the network. Select Sync Adoptees to sync adopted devices to state changes with a resource-state change message. These settings are disabled by default.
8 Use the Offline Resource Detection drop-down menu to define how critical resource event messages are generated. Options include Any and All. If selecting Any, an event is generated when the state of any single critical resource changes. If selecting All, an event is generated when the state of all monitored critical resources change.
9 Use the Monitor Criteria drop-down menu to select either rf-domain-manager, cluster-master or All as the resource for monitoring critical resources by one device and updating the rest of the devices in a group. If selecting rf-domain-manager, the current RF Domain manager performs resource monitoring, and the rest of the devices do not. The RF Domain manager updates any state changes to the rest of the devices in the RF Domain. With the cluster-master option, the cluster master performs resource monitoring and updates the cluster members with state changes. With a controller managed RF Domain, Monitor Criteria should be set to All, since the controller might not know the VLAN bridged locally by the devices in the RF Domain monitoring DHCP.
10 Select the IP option (within the Monitor Via field at the top of the screen) to monitor a critical resource directly (within the same subnet) using the provided IP address as a network identifier.
11 Select the Interface check box (within the Monitor Via field at the top of the screen) to monitor a critical resource using either the critical resource's VLAN, WWAN1 or PPPoE1 interface. If VLAN is selected, a spinner control is enabled to define the destination VLAN ID used as the interface for the critical resource.
12 Select + Add Row to define the following for critical resource configurations:

IP Address: Provide the IP address of the critical resource. This is the address used by the Access Point to ensure the critical resource is available. Up to four addresses can be defined.
Mode: Set the ping mode used when the availability of a critical resource is validated. Select from:
- arp-only: Use the Address Resolution Protocol (ARP) for only pinging the critical resource. ARP is used to resolve hardware addresses when only the network layer address is known.
- arp-and-ping: Use both ARP and Internet Control Message Protocol (ICMP) for pinging the critical resource and sending control messages (device not reachable, requested service not available, etc.).
Port: Define the interface on which to monitor the critical resource. This field lists the available hardware interfaces. This option is only available if the selected mode is ARP Only.
VLAN: Define the VLAN on which the critical resource is available using the spinner control.

13 Select the Monitor Interval tab.

Figure 5-139 Critical Resources screen - Monitor Interval tab

Set Monitor Interval as the duration between two successive pings to the critical resource. Define this value in seconds from 5 - 86,400. The default setting is 30 seconds.
14 Set the Source IP for Port-Limited Monitoring to define the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface. Generally, the source address 0.0.0.0 is used in the ARP packets used to detect critical resources. However, some devices do not support the above IP address and drop the ARP packets. Use this field to provide an IP address specifically used for this purpose. The IP address used for Port-Limited Monitoring must be different from the IP address configured on the device.
15 Set the Monitoring Retries before Marking Resource as DOWN for the number of retry connection attempts (1 - 10) permitted before this device connection is defined as down (offline). The default setting is three connection attempts.
16 Select OK to save the changes to the critical resource configuration and monitor interval. Select Reset to revert to the last saved configuration.

5.2.9.11 Overriding a Profile's Services Configuration

A profile can contain specific guest access (captive portal), DHCP server and RADIUS server configurations supported by the controller, service platform or Access Point's own internal resources. These access, IP assignment and user authorization resources can be defined uniquely as profile requirements dictate.

To define or override a profile's services configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of devices or peer controllers, service platforms or Access Points. 2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand, side of the UI. 3 Select Profile Overrides from the Device menu to expand it into sub menu options. 4 Select Services. NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. Wireless Controller and Service Platform System Reference Guide 5 - 237 Device Configuration Figure 5-140 Profile Overrides - Services screen NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device. 5 Refer to the Captive Portal Hosting field to set or override the guest access configuration (captive portal) for this profile. A captive portal is an access policy for providing guests temporary and restrictive access to the wireless network. A captive portal configuration provides secure authenticated controller or service platform access using a standard Web browser. Hotspots provides authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access to the wireless network. Once logged into the captive portal additional Agreement, Welcome and Fail pages provide the administrator with a number of options on the hotspots screen flow and user appearance. 
Either select an existing captive portal policy, use the default captive portal policy or select the Create link to create a new configuration that can be applied to this profile. For more information, see Configuring Captive Portal Policies on page 11-1.

6 Use the RADIUS Server Application Policy drop-down menu to select an application policy to authenticate users and authorize access to the network. A RADIUS policy provides centralized management of authentication data (usernames and passwords). When a client attempts to associate, the controller or service platform sends the authentication request to the RADIUS server. If an existing RADIUS server policy does not meet your requirements, select the Create link to create a new policy.

7 Use the DHCP Server Policy drop-down menu to assign this profile a DHCP server policy. If an existing DHCP policy does not meet the profile's requirements, select the Create icon to create a new policy configuration that can be applied to this profile, or the Edit icon to modify the parameters of an existing DHCP Server policy. Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses, as well as discover information about the network where they reside. Each subnet can be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet's address pool. When the onboard DHCP server allocates an address for a DHCP client, the client is assigned a lease, which expires after a pre-determined interval. Before a lease expires, wireless clients (to which leases are assigned) are expected to renew them to continue to use the addresses. Once the lease expires, the client is no longer permitted to use the leased IP address.
The profile's DHCP server policy ensures all IP addresses are unique, and no IP address is assigned to a second client while the first client's assignment is valid (its lease has not expired).

8 Use the DHCPv6 Server Policy drop-down menu to assign this profile a DHCPv6 server policy. If an existing DHCP policy for IPv6 does not meet the profile's requirements, select the Create icon to create a new policy configuration that can be applied to this profile, or the Edit icon to modify the parameters of an existing DHCP Server policy. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCP in IPv6 works in conjunction with IPv6 router discovery. With the proper RA flags, DHCPv6 works like DHCP for IPv4. The central difference is the way a device identifies itself when assigning addresses manually instead of selecting addresses dynamically from a pool. For more information, see Configuring a Captive Portal Policy on page 11-2.

9 Use the Guest Management Policy drop-down menu to select an existing Guest Management policy to use as a mechanism to manage guest users with this profile.

10 Use the RADIUS Server Policy drop-down menu to select an existing RADIUS server policy to use as a user validation security mechanism with this profile. A profile can have its own unique RADIUS server policy to authenticate users and authorize access to the network. A profile's RADIUS policy provides centralized management of controller or service platform authentication data (usernames and passwords). When a client attempts to associate, an authentication request is sent to the RADIUS server. For more information, see Configuring RADIUS Server Policies on page 11-57.

11 Set Bonjour Gateway settings. Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers, other computers and services that these computers offer over a local network. Bonjour provides a general method to discover services on a local area network (LAN). It allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with special DNS configuration, it can be extended to find services across broadcast domains.

12 From the Forwarding Policy drop-down, select the Bonjour Gateway forwarding policy.

13 Select OK to save the changes or overrides made to the profile's services configuration. Select Reset to revert to the last saved configuration.

5.2.9.12 Overriding a Profile's Management Configuration

Profile Overrides

Controllers and service platforms have mechanisms to allow/deny management access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). These management access configurations can be applied strategically to profiles as resource permissions dictate. Additionally, overrides can be applied to customize a device's management configuration if deployment requirements change and a device's configuration must be modified from its original device profile configuration. An administrator can also define a profile with unique configuration file and device firmware upgrade support. In a clustered environment, these operations can be performed on one controller or service platform, then propagated to each member of the cluster and onwards to devices managed by each cluster member.
To define or override a profile's management configuration:
1 Select Devices from the Configuration tab. The Device Configuration screen displays a list of devices or peer controllers, service platforms or Access Points.

2 Select a target device (by double-clicking it) from amongst those displayed within the Device Configuration screen. Devices can also be selected directly from the Device Browser in the lower, left-hand side of the UI.

3 Select Profile Overrides from the Device menu to expand it into sub menu options.

4 Expand the Management menu item and select Settings.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-141 Profile Overrides - Management Settings screen

5 Refer to the Management Policy field to set or override a management configuration for this profile. A default management policy is also available if no existing policies are usable. Use the drop-down menu to select an existing management policy to apply to this profile. If no management policies exist meeting the data access requirements of this profile, select the Create icon to access screens used to define administration, access control and SNMP configurations. Select an existing policy and select the Edit icon to modify the configuration of an existing management policy. For more information, see Viewing Management Access Policies on page 12-1.
6 Refer to the Message Logging field to define how the profile logs system events. It's important to log individual events to discern an overall pattern potentially impacting performance.

Enable Message Logging: Select this option to enable the profile to log system events to a log file or a syslog server. Selecting this check box enables the rest of the parameters required to define the profile's logging configuration. This option is disabled by default.

Remote Logging Host: Use this table to define numerical (non DNS) IP addresses for up to three external resources where logged system events can be sent on behalf of the profile. Select the Delete icon as needed to remove an IP address.

Facility to Send Log Messages: Use the drop-down menu to specify the local server (if used) for profile event log transfers.

Syslog Logging Level: Event severity coincides with the syslog logging level defined for the profile. Assign a numeric identifier to log events based on criticality. Severity levels include 0 - Emergency, 1 - Alert, 2 - Critical, 3 - Errors, 4 - Warning, 5 - Notice, 6 - Info and 7 - Debug. The default logging level is 4.

Console Logging Level: Event severity coincides with the console logging level defined for the profile. Assign a numeric identifier (0 - 7, the same severity levels as above) to log events to the console based on criticality. The default logging level is 4.

Buffered Logging Level: Event severity coincides with the buffered logging level defined for the profile. Assign a numeric identifier (0 - 7, the same severity levels as above) to log events to the buffer based on criticality. The default logging level is 4.

Time to Aggregate Repeated Messages: Define the increment (or interval) at which repeated system events are logged on behalf of the profile. The shorter the interval, the sooner the event is logged. Either define an interval in Seconds (0 - 60) or Minutes (0 - 1). The default value is 0 seconds.

Forward Logs to Controller: Select the check box to define a log level for forwarding event logs. Log levels include Emergency, Alert, Critical, Error, Warning, Notice, Info and Debug. The default logging level is Error.

7 Refer to the System Event Messages section to define or override how controller or service platform system messages are logged and forwarded on behalf of the profile.

Event System Policy: Select an Event System Policy from the drop-down menu. If an appropriate policy does not exist, select the Create button to make a new policy.

Enable System Events: Select the Enable System Events check box to allow the profile to capture system events and append them to a log file. It's important to log individual events to discern an overall pattern that may be negatively impacting controller or service platform performance. This setting is enabled by default.

Enable System Event Forwarding: Select the Enable System Event Forwarding radio button to forward system events to another controller, service platform or cluster member. This setting is enabled by default.

8 Refer to the Events E-mail Notification section to define or override how system event notification Emails are sent.

SMTP Server: Specify either the Hostname or IP Address of the outgoing SMTP server where notification Emails are originated. Hostnames cannot include an underscore character.

Port of SMTP: If a non-standard SMTP port is used on the outgoing SMTP server, select this option and specify a port from 1 - 65,535 for the outgoing SMTP server to use.

Sender E-mail Address: Specify the Email address from which notification Email is originated. This is the from address on notification Email.

Recipients E-mail Address: Specify up to 6 Email addresses to be the recipients of event Email notifications.
Username for SMTP Server: Specify the sender username on the outgoing SMTP server. Many SMTP servers require users to authenticate with a username and password before sending Email through the server.

Password for SMTP Server: Specify the password associated with the username of the sender on the outgoing SMTP server.

9 Refer to the Persist Configurations Across Reloads section to define or override how configuration settings are handled after reloads.

Configure: Use the drop-down menu to configure whether configuration overrides should persist when the device configuration is reloaded. Available options are Enabled, Disabled and Secure.

10 Refer to the HTTP Analytics field to define analytic compression settings and update intervals.

Compress: Select this option to use compression when sending updates to the controller. This option is disabled by default.

Update Interval: Define an interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) at which buffered packets are pushed. The default setting is 1 minute.

11 Refer to the External Analytics Engine section to define or override analytics engine login information for an external host. The Guest Access & Analytics software module is a site-wide Enterprise License available only on service platforms. When a customer visits a store, they connect to the Wireless LAN via guest access using a mobile device. The user needs to authenticate only on their first visit, and will automatically connect to the network for subsequent visits. The Analytics module helps gather data about customer behavior such as web sites visited, search terms used, mobile device types, and number of new users vs. repeat users. This data provides a better understanding of pricing strategies and promotions being run by competitors. The data can be exported for additional in-depth analysis.
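The logging levels in step 6 (Syslog, Console and Buffered Logging Level, default 4) and the Forward Logs to Controller level (default Error) act as numeric cut-offs: an event is written or forwarded only when its severity number is at or below the configured level, and Time to Aggregate Repeated Messages collapses identical events that arrive inside the window. The Python below is an added illustration of that gating, not WiNG code; it parses the <PRI> header of RFC 3164 style syslog lines (facility * 8 + severity), and the sample lines and timestamps are constructed for the example.

```python
"""Added example: syslog severity as a logging cut-off plus repeat aggregation.
Not WiNG code; the sample lines below are constructed for illustration."""
import re

# Severity numbers as listed in the Message Logging table (0 = most severe).
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Errors",
                  "Warning", "Notice", "Info", "Debug"]

PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Split an RFC 3164 style '<PRI>message' line into (facility, severity, message).
    PRI = facility * 8 + severity, so the severity is the low three bits."""
    m = PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header: %r" % line)
    pri = int(m.group(1))
    if pri > 191:  # facilities 0-23 give at most 23 * 8 + 7 = 191
        raise ValueError("PRI out of range: %d" % pri)
    return pri >> 3, pri & 7, m.group(2)


def passes_level(severity, configured_level):
    """An event is emitted when its severity number is <= the configured level.
    4 (Warning) is the guide's default for the syslog, console and buffered
    levels; Error (3) is the default Forward Logs to Controller level."""
    return severity <= configured_level


def aggregate(records, window_seconds):
    """Collapse identical messages that repeat within window_seconds of the
    first occurrence into one record carrying a repeat count. A window of 0
    (the guide's default) disables aggregation."""
    out = []
    first_seen = {}  # message -> (index in out, first timestamp, count)
    for ts, msg in records:
        if window_seconds and msg in first_seen:
            idx, t0, count = first_seen[msg]
            if ts - t0 <= window_seconds:
                count += 1
                first_seen[msg] = (idx, t0, count)
                out[idx] = (t0, "%s (repeated %d times)" % (msg, count))
                continue
        out.append((ts, msg))
        first_seen[msg] = (len(out) - 1, ts, 1)
    return out


def process(records, syslog_level=4, forward_level=3, aggregate_seconds=0):
    """Return {"logged": [...], "forwarded": [...]} for (timestamp, line) records."""
    logged, forwarded = [], []
    for ts, line in records:
        _facility, severity, msg = parse_pri(line)
        if passes_level(severity, syslog_level):
            logged.append((ts, msg))
        if passes_level(severity, forward_level):
            forwarded.append((ts, msg))
    return {"logged": aggregate(logged, aggregate_seconds),
            "forwarded": aggregate(forwarded, aggregate_seconds)}


# Constructed sample: (seconds since start, raw line). <27> = daemon.err,
# <28> = daemon.warning, <30> = daemon.info, <10> = user.critical.
SAMPLE = [
    (0, "<27>ap-1 radio: antenna fault"),
    (1, "<28>ap-1 wlan: client retry limit reached"),
    (2, "<30>ap-1 dhcp: lease offered"),
    (3, "<27>ap-1 radio: antenna fault"),
    (4, "<27>ap-1 radio: antenna fault"),
    (5, "<10>ap-1 kernel: critical temperature"),
    (9, "<27>ap-1 radio: antenna fault"),
]

if __name__ == "__main__":
    result = process(SAMPLE, aggregate_seconds=5)
    for name, entries in result.items():
        print(name)
        for ts, msg in entries:
            print("  t=%d %s" % (ts, msg))
```

With the defaults the info-level DHCP line is never written, the warning is logged locally but not forwarded to the controller, and a 5 second aggregation window turns the three antenna faults at t=0, 3 and 4 into one record while the repeat at t=9 starts a new one. Raising the forwarding level to Debug would send every line upstream, which is why the guide's defaults keep the controller feed at Error and below.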
Controller: Select this option to provide service platform analytics to a local device. This setting is enabled by default.

URL: When using an external analytics engine with a NX9000 series service platform, enter the IP address or uniform resource locator (URL) for the system providing external analytics functions.

User Name: Enter the user name needed to access the external analytics engine.

Password: Enter the password associated with the username on the external analytics engine.

Update Interval: Set the interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) to forward buffered information to an external server resource, even when the buffers are not full. The default setting is 1 minute.

12 Select OK to save the changes and overrides made to the profile's Management Settings. Select Reset to revert to the last saved configuration.

13 Select Firmware from the Management menu.

Figure 5-142 Profile Overrides - Management Firmware screen

14 Refer to the Auto Install via DHCP Option field to configure automatic configuration file and firmware updates.

Enable Configuration Update: Select Enable Configuration Update (from within the Automatic Configuration Update field) to enable automatic profile configuration file updates from an external location. If enabled (the setting is disabled by default), provide a complete path to the target configuration file used in the update.

Enable Firmware Update: Select this option to enable automatic firmware upgrades (for this profile) from a user defined remote location. This value is disabled by default.

Start Time (minutes): Use the spinner control to set the number of minutes to delay the start of an auto upgrade operation. Stagger the start of an upgrade operation as needed to allow an Access Point to complete its current client support activity before being rendered offline during the update operation. The default setting is 10 minutes.

15 Refer to the parameters within the Legacy Device Firmware Management field to set legacy Access Point firmware provisions:
Migration Firmware from AP71xx 4.x path: Provide a path to a firmware image used to provision AP71xx model Access Points currently utilizing a 4.x version legacy firmware file. Once a valid path is provided, the update is enabled to the version maintained locally for AP71xx models.

Legacy AP650 Auto Update: Select this option to provision AP650 model Access Points from their legacy firmware versions to the version maintained locally for that model. This setting is enabled by default, making updates to AP650 models automatic if a newer AP650 image is maintained locally.

16 Use the parameters within the Automatic Adopted AP Firmware Upgrade section to define an automatic firmware upgrade from a local file.

Enable Controller Upgrade of Device Firmware: Select the device model to upgrade using the most recent firmware file on the controller, service platform or Virtual Controller AP. This parameter is enabled by default. Select All to update all the listed device types.

Number of Concurrent Upgrades: Use the spinner control to define the maximum number (1 - 128) of adopted APs that can receive a firmware upgrade at the same time. The default value is 10. Keep in mind that during a firmware upgrade, the Access Point is offline and unable to perform its normal client support role until the upgrade process is complete.

17 Select the Persist AP Images on Controller button (from within the Firmware Persistence for Adopted Devices field) to enable the RF domain manager to retain and store the new image of an Access Point selected for a firmware update. The image is only stored on the RF domain manager when there's space to accommodate it. The upgrade sequence is different depending on whether the designated RF domain manager is a controller/service platform or an Access Point.

When the RF domain manager is an Access Point - The NOC uploads and provisions an Access Point model's firmware on to the Access Point RF domain manager. The NOC initiates an auto-update for Access Points using that model's firmware. If the Persist Image on Controller option is selected, the RF domain manager retains the image for that model. The NOC then provisions the firmware of the next Access Point type to the RF domain manager. The auto-update process is then repeated for that model. Once all the selected models have been updated, the RF domain manager's own model is updated last.

When the RF domain manager is a controller or service platform - The NOC adopts controllers to the NOC's cluster within its RF domain. The NOC triggers an update on active controllers or service platforms and reboots them as soon as the update is complete. As soon as the active nodes come back up, the NOC triggers an update on standby controllers or service platforms and reboots them as soon as the update is complete. When the standby controllers or service platforms come back up, the following conditions apply:

- If the reboot is not scheduled - The Access Points adopted to RF domain members are not updated. It's expected the controllers and service platforms have auto-upgrade enabled, which will update the Access Points when re-adopted.

- If the reboot is scheduled - The NOC pushes the first Access Point model's firmware to the RF domain manager. The NOC initiates an Access Point upgrade on all Access Points on the RF domain manager for that model. If the Persist Image on Controller option is selected, the RF domain manager retains the image for that model. The NOC then provisions the firmware of the next Access Point type to the RF domain manager. This process is repeated until each selected Access Point model is updated.

The Firmware Persistence feature is enabled for all controller and service platform RF domain managers with the flash memory capacity to store firmware images for the selected Access Point models they provision. This feature is disabled for Access Point RF Domain managers, which do not typically have the flash memory capacity needed.

18 Select Heartbeat from the Management menu. Select the Service Watchdog option to implement heartbeat messages to ensure associated devices are up and running and capable of effectively interoperating. The Service Watchdog is enabled by default.

19 Select OK to save the changes and overrides made to the profile's configuration. Select Reset to revert to the last saved configuration.

5.2.9.13 Overriding a Profile's Mesh Point Configuration

Profile Overrides

Mesh points are Access Points dedicated to mesh network support. Mesh networking enables users to access broadband applications anywhere (including moving vehicles).

To set or override an Access Point profile's Mesh Point configuration:
1 Select Devices from the Web UI.

2 Select Device Configuration to expand its menu items.

3 Select Mesh Point.

NOTE: A blue override icon (to the left of a parameter) defines the parameter as having an override applied. To remove an override, go to the Basic Configuration section of the device and click the Clear Overrides button. This removes all overrides from the device.

Figure 5-143 Profile Overrides - Mesh Point screen

4 Refer to the Mesh Point screen to view existing Mesh Point overrides. If an existing Mesh Point override does not meet your requirements, select the Add button to create a new override or the Edit button to modify the parameters of an existing override. The Mesh Point screen displays the Settings tab by default.

Figure 5-144 Mesh Point - Settings screen

5 Define the following settings from within the General field:
MeshConnex Policy: If adding a new policy, specify a name for the MeshConnex Policy. The name cannot be edited later with other configuration parameters. Until a viable name is provided, the Settings tab cannot be enabled for configuration.

Is Root: Select the root behavior of this mesh point. Select True to indicate this mesh point is a root node for this mesh network. Select False to indicate this mesh point is not a root node for this mesh network.

Root Selection Method: Use the drop-down menu to determine whether this meshpoint is the root or a non-root meshpoint. Select either None, auto-mint or auto-proximity. The default setting is None. When auto-mint is selected, root selection is based on the total cost to the root. Cost to the root is measured as the total cost through hops to the root node. Root selection occurs for the root with the least path cost. When auto-proximity is selected, root selection is based on the signal strength of candidate roots. None indicates no preference in root selection.

Set as Cost Root: Select this option to set the mesh point as the cost root for meshpoint root selection. This setting is disabled by default.

Monitor Critical Resources: Enable this feature to allow dynamic conversion of a mesh point from root to non-root when there is a critical resource failure. This option is disabled by default.

Monitor Primary Port Link: Enable this feature to allow dynamic conversion of a mesh point from root to non-root during a link down event. This option is disabled by default.

Wired Peer Excluded: Select this option to exclude a mesh from forming a link with another mesh device that's a wired peer. This option is disabled by default.

Path Method: From the drop-down menu, select the method to use for path selection in a mesh network. The available options are:

None - Select this to indicate no criteria are used in root path selection.

uniform - Select this to indicate that the path selection method is uniform. When selected, two paths will be considered equivalent if the average value is the same for these paths.

mobile-snr-leaf - Select this if this Access Point is mounted on a vehicle or a mobile platform (AP7161 models only). When selected, the path to the root will be selected based on the Signal To Noise Ratio (SNR) to the neighbor device.

snr-leaf - Select this to indicate the path with the best signal to noise ratio is always selected.

bound-pair - Select this option to bind one mesh point connection at a time. Once established, other mesh point connection requests are denied.

NOTE: An AP7161 model Access Point can be deployed as a vehicular mounted modem (VMM) to provide wireless network access to a mobile vehicle (car, train etc.). A VMM provides layer 2 mobility for connected devices. VMM does not provide layer 3 services, such as IP mobility. For VMM deployment considerations, see Vehicle Mounted Modem (VMM) Deployment Considerations on page 5-253.

NOTE: When using 4.9GHz, the root preferences selection for the radio's preferred interface still displays as 5GHz.

6 Set the following Root Path Preference values:
Preferred Neighbor: Specify the MAC address of a preferred neighbor to override mesh point settings.

Preferred Root: Specify the MAC address of a preferred root device to override mesh point settings.

Preferred Interface: Use the drop-down menu to override the preferred mesh point interface to 2.4GHz, 4.9 GHz or 5.0GHz. None defines the interface as open to any radio band.

7 Set the following Path Method Hysteresis values:
Minimum Threshold: Enter the minimum SNR value above which a candidate for the next hop in a dynamic mesh network is considered for selection. This field, along with Signal Strength Delta and Sustained Time Period, is used to dynamically select the next hop in a dynamic mesh network. The default setting is 0 dB.

Signal Strength Delta: Enter a delta value in dB. A candidate for selection as a next hop in a dynamic mesh network must have a SNR value that is higher than the value configured here. This field, along with the Minimum Threshold and Sustained Time Period, is used to dynamically select the next hop in a dynamic mesh network. The default setting is 1 dB.

Sustained Time Period: Enter the duration (in seconds or minutes) a signal must sustain the constraints specified in the Minimum Threshold and Signal Strength Delta path hysteresis values. These values are used to dynamically select the next hop in a dynamic mesh network. The default setting is 1 second.

SNR Delta Range: Select the root selection method hysteresis SNR delta range (from 1 - 100 dB) a candidate must sustain. The default setting is 1 dB.

8 Select the Auto Channel Selection tab.

Figure 5-145 Mesh Point Auto Channel Selection - Dynamic Root Selection screen

The Dynamic Root Selection screen displays by default. The Dynamic Root Selection screen provides configuration for the 2.4 GHz and 5.0/4.9 GHz frequencies.

9 Refer to the following. These descriptions are common to configuring either the 2.4 GHz or the 5.0/4.9 GHz frequencies.

Channel Width: Set the channel width the meshpoint's automatic channel scan assigns to the selected radio. Available options include:

Automatic - The channel width is calculated automatically. This is the default value.
20 MHz - Sets the width between two adjacent channels as 20 MHz.
40 MHz - Sets the width between two adjacent channels as 40 MHz.
80 MHz - Utilized for 802.11ac Access Points in the 5 GHz frequency.

Priority Meshpoint: Configure the meshpoint monitored for automatic channel scans. This is the meshpoint assigned priority over other available mesh points. When configured, a mesh connection is established with this mesh point. If not configured, a meshpoint is automatically selected. This setting is disabled by default.

Off-channel Duration: Set the duration (from 20 - 250 milliseconds) the scan dwells on each channel when performing an off channel scan. The default is 50 milliseconds.

Off-channel Scan Frequency: Set the duration (from 1 - 60 seconds) between two consecutive off channel scans. The default is 6 seconds.

Meshpoint Root: Sample Count: Configure the number of scan samples (from 1 - 10) for data collection before a mesh channel is selected. The default is 5.

Meshpoint Root: Channel Hold Time: Configure the duration (from 0 - 1440 minutes) to remain on a channel before channel conditions are reassessed for a possible channel change. Set this value to zero (0) to prevent an automatic channel selection from occurring. The default setting is 30 minutes.

10 Select the Path Method SNR tab to configure signal to noise ratio (SNR) values used when selecting the path to the meshpoint root.

Figure 5-146 Mesh Point Auto Channel Selection - Path Method SNR screen

11 Set the following 2.4 GHz and 5.0/4.9 GHz path method SNR data:
Channel Width: Set the channel width the meshpoint automatic channel scan assigns to the selected radio. Available options include:

Automatic - The channel width is calculated automatically. This is the default value.
20 MHz - Sets the width between two adjacent channels as 20 MHz.
40 MHz - Sets the width between two adjacent channels as 40 MHz.
80 MHz - Utilized for 802.11ac Access Points in the 5 GHz frequency.

Priority Meshpoint: Set the meshpoint monitored for automatic channel scans. This is the meshpoint assigned priority over other available mesh points. When configured, a mesh connection is established with this mesh point. If not configured, a meshpoint is automatically selected. This setting is disabled by default.

SNR Delta: Set the signal to noise ratio (SNR) delta (from 1 - 100 dB) for mesh path selections. When path selection occurs, the defined value is utilized for selecting the optimal path. A better candidate, on a different channel, must have a signal strength that exceeds this delta value when compared to the signal strength of the next hop in the mesh network. The default setting is 5 dB.

SNR Threshold: Set the SNR threshold for mesh path selections (from -100 to 0 dB). If the signal strength of the next mesh hop falls below this set value, a scan is triggered to select a better next hop. The default setting is -65 dB.

Off-channel Duration: Configure the duration (from 20 - 250 milliseconds) the scan dwells on each channel when performing an off channel scan. The default setting is 50 milliseconds.

12 Select the Path Method Root Path Metric tab to calculate root path metrics.

Figure 5-147 Mesh Point Auto Channel Selection - Root Path Metric screen

13 Set the following Path Method Root Path Metrics (applying to both the 2.4 GHz and 5.0/4.9 GHz frequencies):
Channel Width: Set the channel width the meshpoint automatic channel scan should assign to the selected radio. The available options are:

Automatic - The channel width is calculated automatically. This is the default value.
20 MHz - Sets the width between two adjacent channels as 20 MHz.
40 MHz - Sets the width between two adjacent channels as 40 MHz.
80 MHz - Utilized for 802.11ac Access Points in the 5 GHz frequency.

Priority Meshpoint: Define the meshpoint assigned priority over other available mesh points. When configured, a mesh connection is established with this mesh point. If not configured, a meshpoint is automatically selected.

Meshpoint: Path Minimum: Set the minimum path metric (from 100 - 20,000) for mesh connection establishment. The default setting is 1000.

Meshpoint: Path Metric Threshold: Configure a minimum threshold (from 800 - 65535) for triggering an automatic channel selection for meshpoint selection. The default is 1500.

Meshpoint: Tolerance Period: Configure a duration to wait before triggering an automatic channel selection for the next mesh hop. The default is one minute.

Meshpoint Root: Sample Count: Set the number of scans (from 1 - 10) for data collection before a mesh point root is selected. The default is 5.

Meshpoint Root: Off-channel Duration: Configure the duration (from 20 - 250 milliseconds) the scan dwells on each channel when performing an off channel scan. The default is 50 milliseconds.

Meshpoint Root: Channel Switch Delta: Configure the delta (from 5 - 35 dBm) that triggers a meshpoint root automatic channel selection when exceeded. The default is 10 dBm.

Meshpoint Root: Off-channel Scan Frequency: Configure the duration (from 1 - 60 seconds) between two consecutive off channel scans for the meshpoint root. The default is 6 seconds.

Meshpoint Root: Channel Hold Time: Set the minimum duration (from 0 - 1440 minutes) to remain on a selected channel before channel conditions are reassessed for a possible channel change. Set this value to zero (0) to prevent an automatic channel selection from occurring. The default is 30 minutes.

14 Select OK to save the updates or overrides to the Mesh Point configuration. Select Reset to revert to the last saved configuration.
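The auto-mint Root Selection Method (step 5) and the Path Method Hysteresis values (step 7) describe two decisions a non-root mesh point makes: which root is cheapest to reach over the summed hop costs, and when a stronger neighbour is allowed to replace the current next hop. The Python below is an added illustration of both rules, not WiNG code. The mesh topology, per-hop costs and SNR samples are constructed; it assumes a candidate must beat the current hop's SNR by more than Signal Strength Delta, while staying above Minimum Threshold, for at least Sustained Time Period before the switch happens (the guide does not spell out the exact comparison), and it uses a Dijkstra search for the least-cost root.

```python
"""Added example (not WiNG code): least-cost root selection (auto-mint) and
SNR hysteresis for next-hop changes. Topology, costs and samples are constructed."""
import heapq

# Constructed mesh. Per-hop costs are an assumption: the guide only states that
# the cost to the root is summed over the hops on the way there.
MESH_LINKS = {
    "ap-d": {"ap-b": 2, "ap-c": 1},
    "ap-b": {"ap-d": 2, "root-1": 1},
    "ap-c": {"ap-d": 1, "ap-e": 1},
    "ap-e": {"ap-c": 1, "root-2": 3},
    "root-1": {"ap-b": 1},
    "root-2": {"ap-e": 3},
}
ROOTS = {"root-1", "root-2"}


def least_cost_root(links, start, roots):
    """auto-mint style choice: Dijkstra from the mesh point; the first root
    popped from the heap is the one with the least total path cost.
    Returns (cost, path) or None when no root is reachable."""
    dist = {start: 0}
    prev = {}
    heap = [(0, start)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue  # stale heap entry
        if node in roots:
            path = [node]
            while path[-1] != start:
                path.append(prev[path[-1]])
            return d, path[::-1]
        for nxt, cost in links.get(node, {}).items():
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))
    return None


class NextHopSelector:
    """Applies Minimum Threshold, Signal Strength Delta and Sustained Time
    Period before replacing the current next hop, so a neighbour that is only
    briefly stronger does not make the mesh link flap."""

    def __init__(self, min_threshold=0, delta=1, sustained=1):
        self.min_threshold = min_threshold   # dB, guide default 0
        self.delta = delta                   # dB, guide default 1
        self.sustained = sustained           # seconds, guide default 1
        self.current = None
        self.candidate_since = {}            # neighbour -> time it first qualified

    def observe(self, t, snr):
        """Feed one SNR reading (dB) per neighbour at time t; return the hop in use."""
        if self.current is None or self.current not in snr:
            # No usable hop yet: take the strongest neighbour above the floor at once.
            usable = [(v, n) for n, v in snr.items() if v >= self.min_threshold]
            self.current = max(usable)[1] if usable else None
            self.candidate_since.clear()
            return self.current
        cur = snr[self.current]
        for n, v in snr.items():
            if n == self.current:
                continue
            if v >= self.min_threshold and v - cur > self.delta:
                since = self.candidate_since.setdefault(n, t)
                if t - since >= self.sustained:
                    self.current = n
                    self.candidate_since.clear()
                    break
            else:
                self.candidate_since.pop(n, None)  # constraint broken: restart the clock
        return self.current


def run_scenario():
    """Constructed SNR samples seen by ap-d: ap-c is briefly better at t=1,
    drops back at t=2, then stays better from t=3 on."""
    samples = [
        (0, {"ap-b": 30, "ap-c": 20}),
        (1, {"ap-b": 30, "ap-c": 31.5}),
        (2, {"ap-b": 30, "ap-c": 30.5}),
        (3, {"ap-b": 30, "ap-c": 33}),
        (4, {"ap-b": 30, "ap-c": 33}),
    ]
    sel = NextHopSelector(min_threshold=0, delta=1, sustained=1)
    return [sel.observe(t, snr) for t, snr in samples]


if __name__ == "__main__":
    print("least-cost root from ap-d:", least_cost_root(MESH_LINKS, "ap-d", ROOTS))
    print("next hop over time:", run_scenario())
```

In the constructed topology ap-d reaches root-1 through ap-b at a cost of 3 even though ap-c is the cheaper first hop, which is the point of summing cost to the root rather than picking the best neighbour. In the SNR run the one-sample improvement at t=1 never triggers a switch because it is not sustained, and ap-c only becomes the next hop at t=4 after holding the delta for the full period.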
5.2.9.13.7 Vehicle Mounted Modem (VMM) Deployment Considerations
Before defining a VMM configuration (mounting an AP7161 mesh point on a moving vehicle), refer to the following deployment guidelines to ensure the configuration is optimally effective:
Disable layer 2 stateful packet inspection from the firewall policy. For more information, see Firewall Policy Advanced Settings on page 10-10.
Set the RTS threshold value to 1 on all mesh devices. The default is 2347. For more information on defining radio settings, refer to Access Point Radio Configuration on page 8-55.
Use Opportunistic as the rate selection setting for the AP7161 radio. The default is Standard. For more information on defining this setting, see Radio Override Configuration.
Disable Dynamic Chain Selection (radio setting). The default is enabled. This setting can be disabled in the CLI using the dynamic-chain-selection command, or in the UI (refer to Radio Override Configuration).
Wireless Controller and Service Platform System Reference Guide 5 - 253 Device Configuration
Disable A-MPDU Aggregation if the intended vehicular speed is greater than 30 mph. For more information, see Radio Override Configuration.
Set a misconfiguration recovery time for the non-root AP profile. This setting delays the rejection of the newest configuration push from the controller, which could otherwise cause adoption loss. The additional delay supports cases where the new configuration from the controller causes the root AP to move from its current channel to another channel, bringing a mesh link down and in turn causing non-root APs to lose adoption. The delay accommodates the time needed for the non-root AP to scan all channels and find the best root node; the non-root AP can then begin operating on the new channel, establish the mesh link and re-adopt to the controller. (For countries using DFS, the scan time is also factored into the configured value.) If the AP fails to find a suitable root node within this time, the new configuration is treated as a misconfiguration and the device rejects it. For outdoor APs, it is recommended that the misconfiguration-recovery-time be disabled. This can be accomplished by setting the value to 0.
Update non-root ap71xx profiles on the controller to include this change. Using an appropriate console terminal and/or connection to your device, log on to the CLI and follow these steps:
rfs6000-xxxxxx>enable
rfs6000-xxxxxx#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-xxxxxx(config)#profile ap71xx Non-Root-AP71xx
rfs6000-xxxxxx(config-profile-Non-Root-AP71xx)#misconfiguration-recovery-time 0
rfs6000-xxxxxx(config-profile-Non-Root-AP71xx)#
5.2.9.14 Overriding a Profile's Environmental Sensor Configuration (AP8132 Only)
Profile Overrides
A sensor module is a USB environmental sensor extension to an AP8132 model Access Point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the Access Point's radio coverage area. The output of the sensor's detection mechanisms is viewable using the Environmental Sensor screen. To set or override an environmental sensor configuration for an AP8132 model Access Point:
1 Select Configuration > Devices from the Web UI.
2 Select Profile Overrides to expand its menu items.
3 Select Environmental Sensor.
4 Set the following Light Sensor settings for the sensor module:
Figure 5-148 Profile Overrides - Environmental Sensor screen
Enable Light Sensor: Select this option to enable the light sensor on the module. This setting is enabled by default. The light sensor reports whether the deployment location has its lights powered on or off.
Polling Time to Determine if Light is On/Off: Define an interval in Seconds (2 - 201) or Minutes (1 - 4) for the sensor module to poll its environment to assess light intensity and determine whether lighting is on or off. The default polling interval is 11 seconds. Light intensity is used to determine whether the Access Point's deployment location is currently populated with clients.
Shutdown WLAN Radio at Low Limit of Light Threshold: Select this option to power off the Access Point's radio if the light intensity dims below the set threshold. If enabled, select All (both radios), radio-1 or radio-2.
Low Limit of Light Threshold: Set the low threshold limit (from 0 - 1,000 lux) to determine whether the lighting is off in the Access Point's deployment location. The default is 200. In daytime, the light sensor's value is between 350-450. The default value for the low threshold is 200, i.e., the radio is turned off if the average reading value is lower than 200.
High Limit of Light Threshold: Set the upper threshold limit (from 100 - 10,000 lux) to determine whether the lighting is on in the Access Point's deployment location. The default high threshold is 400. The radios are turned on when the average value is higher than 400.
5 Enable or disable the following Environmental Sensors:
Enable Temperature Sensor: Select this option to enable the module's temperature sensor. Results are reported back to the Access Point's Environment screens within the Statistics node. This setting is enabled by default.
Enable Motion Sensor: Select this option to enable the module's motion sensor. Results are reported back to the Access Point's Environment screens within the Statistics node. This setting is enabled by default.
Enable Humidity Sensor: Select this option to enable the module's humidity sensor. Results are reported back to the Access Point's Environment screens within the Statistics node. This setting is enabled by default.
6 Define or override the following Shared Configuration settings:
Polling Interval for All Sensors: Set an interval in either Seconds (1 - 100) or Minutes (1 - 2) for the time between sensor environmental polling (both light and environment). The default setting is 5 seconds.
7 Select OK to save the changes and overrides made to the environmental sensor screen. Select Reset to revert to the last saved configuration.
5.2.9.15 Overriding a Profile's Advanced Configuration
Profile Overrides
Refer to a profile's advanced set of configuration screens to set client load balance calculations and ratios, set a MiNT configuration and set other miscellaneous settings. For more information, refer to the following:
Advanced Profile Client Load Balance Configuration
Advanced MiNT Protocol Configuration
Advanced Profile Miscellaneous Configuration
5.2.9.15.8 Advanced Profile Client Load Balance Configuration
Overriding a Profile's Advanced Configuration
Set the ratios and calculation values used by Access Points to distribute client loads both amongst neighbor devices and between the 2.4 and 5 GHz radio bands. To define Access Point client load balance algorithms:
1 Select Configuration > Devices from the Web UI.
2 Select Profile Overrides to expand its menu items.
3 Select Advanced to expand its sub menu items.
4 Select Client Load Balancing from the Advanced menu item.
Figure 5-149 Advanced Profile Overrides - Client Load Balancing screen
5 Use the Group ID field to define a group ID of up to 32 characters to differentiate the ID from others with similar configurations.
6 Select the SBC strategy from the drop-down menu to determine how band steering is conducted. Band steering directs 5 GHz-capable clients to that band. When an Access Point hears a request from a client to associate on both the 2.4 GHz and 5 GHz bands, it knows the client is capable of operation in 5 GHz. Band steering steers the client by responding only to the 5 GHz association request and not the 2.4 GHz request. The client then only associates in the 5 GHz band.
7 Set the following Neighbor Selection Strategies:
Using probes from common clients: Select this option to select neighbors (peer devices) using probes from common clients. This setting is enabled by default.
Using notifications from roamed clients: Select this option to select neighbors (peer devices) using roam notifications from roamed clients. This setting is enabled by default.
Using smart-rf neighbor detection: Select this option to select neighbors (peer devices) using Smart RF. This setting is enabled by default.
8 Enable Balance Band Loads by Radio (within the Band Load Balancing field) to distribute an Access Point's client traffic load across both the 2.4 and 5 GHz radio bands.
9 Set the following Channel Load Balancing settings:
Balance 2.4 GHz Channel Loads: Select this option to balance an Access Point's 2.4 GHz client load across all channels. This setting is enabled by default.
Balance 5 GHz Channel Loads: Select this option to balance an Access Point's 5 GHz client load across all channels. This setting is enabled by default.
10 Enable Balance AP Loads (within the AP Load Balancing field) to distribute client traffic evenly amongst neighbor Access Points.
11 Set the following Advanced Parameters for client load balancing:
Max. 2.4 GHz Difference Considered Equal: Set the maximum load difference (from 1 - 100%) considered equal when comparing 2.4 GHz client loads. The default setting is 1%.
Min. Value to Trigger 2.4 GHz Channel Balancing: Set the threshold (from 1 - 100%) beyond which channel load balancing is triggered in the 2.4 GHz radio band. The default setting is 5%.
Weightage given to Client Count (2.4 GHz): Set the weightage (from 1 - 100%) applied to client count calculations in the 2.4 GHz radio band. The default setting is 90%.
Weightage given to Throughput (2.4 GHz): Set the weightage (from 1 - 100%) applied to client throughput calculations in the 2.4 GHz radio band. The default setting is 10%.
Max. 5 GHz Difference Considered Equal: Set the maximum load difference (from 1 - 100%) considered equal when comparing 5 GHz client loads. The default setting is 1%.
Min. Value to Trigger 5 GHz Channel Balancing: Set the threshold (from 1 - 100%) beyond which channel load balancing is triggered in the 5 GHz radio band. The default setting is 5%.
Weightage given to Client Count (5 GHz): Set the weightage (from 1 - 100%) applied to client count calculations in the 5 GHz radio band. The default setting is 90%.
Weightage given to Throughput (5 GHz): Set the weightage (from 1 - 100%) applied to client throughput calculations in the 5 GHz radio band. The default setting is 10%.
12 Define the following AP Load Balancing settings:
Min. Value to Trigger Balancing: Set a value (from 1 - 100%) used to trigger client load balancing when exceeded. The default setting is 5%.
Max. AP Load Difference Considered Equal: Set the maximum load balance differential (from 1 - 100%) considered equal when comparing neighbor Access Point client loads. The default setting is 1%.
Weightage given to Client Count: Set the weightage (from 1 - 100%) applied to client count in an Access Point's overall load calculation. The default setting is 90%.
Weightage given to Throughput: Set the weightage (from 1 - 100%) applied to client throughput in an Access Point's overall load calculation. The default setting is 10%.
13 Set the following Band Control values:
Max. Band Load Difference Considered Equal: Set the maximum load difference (from 1 - 100%) considered equal when comparing band loads. The default setting is 1%.
Band Ratio (2.4 GHz): Set the relative load for the 2.4 GHz radio band as a leveled ratio from 1 - 10. The default setting is 0.
Band Ratio (5 GHz): Set the relative load for the 5 GHz radio band as a leveled ratio from 1 - 10. The default setting is 0.
5 GHz load at which both bands enabled: Define the 5 GHz radio load value (from 1 - 100%) above which the 5 GHz radio is equally preferred in the overall load balance distribution. The default is 75%.
2.4 GHz load at which both bands enabled: Define the 2.4 GHz radio load value (from 1 - 100%) above which the 2.4 GHz radio is equally preferred in the overall load balance distribution. The default is 75%.
14 Define the following Neighbor Selection settings:
Minimal signal strength for common clients: Define the minimum signal strength value (from -100 to 30 dBm) that must be exceeded for an Access Point's detected client to be considered a common client. The default setting is -100 dBi.
Minimum number of clients seen: Set the minimum number of clients (from 0 - 256) that must be common to two or more Access Points for the Access Points to regard one another as neighbors using the common client neighbor detection strategy. The default setting is 0.
Max confirmed neighbors: Set the maximum number (from 1 - 16) of neighbor Access Points that must be detected amongst peer Access Points to initiate load balancing. The default setting is 16.
Minimum signal strength for smart-rf neighbors: Set the minimal signal strength value (from -100 to 30 dBm) for an Access Point detected using Smart RF to qualify as a neighbor Access Point. The default setting is -65 dBm.
15 Select OK to save the changes made to the profile's Advanced client load balance configuration.
Select Reset to revert to the last saved configuration.
5.2.9.15.9 Advanced MiNT Protocol Configuration
Overriding a Profile's Advanced Configuration
MINT provides the means to secure profile communications at the transport layer. Using MINT, a device can be configured to only communicate with other authorized (MINT enabled) devices. Keys can also be generated externally using any application (like openssl). These keys must be present on the device managing the domain for key signing to be integrated with the UI. A device needing to communicate with another first negotiates a security context with that device. The security context contains the transient keys used for encryption and authentication. A secure network requires users to know about certificates and PKI. However, administrators do not need to define security parameters for Access Points to be adopted (secure WISPe being an exception, but that isn't a commonly used feature). Also, users can replace any device on the network or move devices around and they continue to work. Default security parameters for MiNT are such that these scenarios continue to function as expected, with minimal user intervention required only when a new network is deployed. To define or override a profile's MINT configuration:
1 Select Configuration > Devices from the Web UI.
2 Select Profile Overrides to expand its menu items.
3 Select Advanced to expand its sub menu items.
4 Select MINT Protocol from the Advanced menu item.
Figure 5-150 Advanced Profile Overrides MINT screen - Settings tab
The Settings tab displays by default.
5 Refer to the Area Identifier field to define or override the Level 1 and Level 2 Area IDs used by the profile's MINT configuration.
Level 1 Area ID: Select this option to either use a spinner control for setting the Level 1 Area ID (1 - 16,777,215) or create an alias for the ID. An alias enables an administrator to define a configuration item, such as this area ID, once and use the alias across different configuration items. The default value is disabled.
6 Define or override the following Priority Adjustment in respect to devices supported by the profile:
Designated IS Priority Adjustment: Use the spinner control to set a Designated IS Priority Adjustment setting. This is the value added to the base level DIS priority to influence the Designated IS (DIS) election. A value of +1 or greater increases DISiness. The default setting is 0.
7 Select the Latency of Routing Recalculation option (within the Shortest Path First (SPF) field) to enable the spinner control used for defining or overriding a latency period (from 0 - 60 seconds). The default setting is disabled.
8 Define or override the following MINT Link Settings in respect to devices supported by the profile:
MLCP IP: Check this box to enable MINT Link Creation Protocol (MLCP) by IP Address. MLCP is used to create one UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform; it can be another Access Point with a path to the controller or service platform. This setting is enabled by default.
MLCP IPv6: Check this box to enable MLCP for automated MiNT UDP/IP link creation over IPv6. This setting is enabled by default.
MLCP VLAN: Check this box to enable MLCP by VLAN. MLCP is used to create one VLAN link from the device to a neighbor. That neighboring device does not need to be a controller or service platform; it can be another Access Point with a path to the controller or service platform. This setting is enabled by default.
Tunnel MiNT across extended VLAN: Select this option to tunnel MiNT protocol packets across an extended VLAN. This setting is disabled by default.
9 Select Tunnel Controller Load Balancing (Level 1) to enable load balance distribution via a WLAN tunnel controller. This setting is disabled by default.
10 Select Inter Tunnel Bridging (Level 2) to enable inter tunnel bridging. This setting is disabled by default.
11 Enter a 64 character maximum Tunnel Controller Name for this tunneled-WLAN-controller interface.
12 Enter a 64 character maximum Preferred Tunnel Controller Name this Access Point prefers to tunnel traffic to via an extended VLAN.
13 Select OK to save the updates and overrides to the MINT Protocol configuration. Select Reset to revert to the last saved configuration.
14 Select the IP tab to display the link IP network address information shared by the devices managed by the MINT configuration.
Figure 5-151 Advanced Profile MINT screen - IP tab
15 The IP tab displays the IP address, Routing Level, Listening Link, Port, Forced Link, Link Cost, Hello Packet Interval, Adjacency Hold Time, IPSec Secure and IPSec GW settings that devices use to securely communicate amongst one another. Select Add to create a new Link IP configuration or Edit to override an existing MINT configuration.
16 Set the following Link IP parameters to complete the MINT network address configuration:
Figure 5-152 Advanced Profile MINT screen - Link IP tab
IP: Define or override the IP address used by peers for interoperation when supporting the MINT protocol. Use the drop-down to select the type of IP address provided. The available choices are IPv4 Address and IPv6 Address.
Port: To specify a custom port for MiNT links, select this option and use the spinner control to define or override the port number (1 - 65,535).
Routing Level: Use the spinner control to define or override a routing level of either 1 or 2.
Listening Link: Specify a listening link of either 0 or 1. UDP/IP links can be created by configuring a matching pair of links, one on each end point. However, that is error prone and doesn't scale. So UDP/IP links can also listen (in the TCP sense), and dynamically create connected UDP/IP links when contacted. The typical configuration is to have a listening UDP/IP link on the IP address S.S.S.S, and for all the APs to have a regular UDP/IP link to S.S.S.S.
Forced Link: Check this box to specify the MiNT link as a forced link.
Link Cost: Use the spinner control to define or override a link cost from 1 - 10,000. The default value is 100.
Hello Packet Interval: Set or override an interval in either Seconds (1 - 120) or Minutes (1 - 2) for the transmission of hello packets. The default interval is 15 seconds.
Adjacency Hold Time: Set or override a hold time interval in either Seconds (2 - 600) or Minutes (1 - 10) for the transmission of hello packets. The default interval is 46 seconds.
IPSec Secure: Enable this option to provide IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.
IPSec GW: Select the numerical IP address or administrator defined hostname of the IPSec gateway. Hostnames cannot include an underscore character.
17 Select OK to save the updates and overrides to the MINT Protocol's network address configuration. Select Reset to revert to the last saved configuration.
18 Select the VLAN tab to display link IP VLAN information shared by the devices managed by the MINT configuration.
Figure 5-153 Advanced Profile MINT screen - VLAN tab
The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time devices use to securely communicate amongst one another. Select Add to create a new VLAN link configuration or Edit to override an existing MINT VLAN configuration.
Figure 5-154 Advanced Profile MINT screen - Add/Edit VLAN
19 Set the following VLAN parameters for the MINT configuration:
VLAN: Define a VLAN ID from 1 - 4,094 used by peers for interoperation when supporting the MINT protocol.
Routing Level: Use the spinner control to define or override a routing level of either 1 or 2.
Link Cost: Use the spinner control to define or override a link cost from 1 - 10,000. The default value is 100.
Hello Packet Interval: Set or override an interval in either Seconds (1 - 120) or Minutes (1 - 2) for the transmission of hello packets. The default interval is 15 seconds.
Adjacency Hold Time: Set or override a hold time interval in either Seconds (2 - 600) or Minutes (1 - 10) for the transmission of hello packets. The default interval is 46 seconds.
20 Select OK to save the updates and overrides to the MINT Protocol configuration. Select Reset to revert to the last saved configuration.
21 Select the Rate Limits tab to display data rate limits configured on extended VLANs and optionally add or edit rate limit configurations. Excessive traffic can cause performance issues on an extended VLAN. Excessive traffic can be caused by numerous sources including network loops, faulty devices or malicious software such as a worm or virus that has infected one or more devices. Rate limiting reduces the maximum rate sent or received per wireless client. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers. Uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server's response. When such attributes are not present, the settings defined on the controller, service platform or Access Point are applied. An administrator can set separate QoS rate limit configurations for data types transmitted from the network (upstream) and data transmitted from wireless clients back to associated radios (downstream).
Figure 5-155 Advanced Profile MINT screen - Rate Limit tab
Existing rate limit configurations display along with their virtual connection protocols and data traffic QoS customizations.
22 Select Add to create a new rate limit configuration.
23 Set the following Rate Limits to complete the MINT configuration:
Figure 5-156 Advanced Profile MINT screen - Add/Edit Rate Limit
Level: Select level2 to apply rate limiting for all links on level2.
Protocol: Select either mlcp or link as this configuration's rate limit protocol. Mint Link Creation Protocol (MLCP) creates a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform; it can be an Access Point with a path to the controller or service platform. Select link to rate limit using statically configured MiNT links.
Link Type: Select either VLAN, to configure a rate limit configuration on a specific virtual LAN, or IP to set rate limits on a static IP address/Port configuration.
VLAN: When the Protocol is set to link and the Link Type is set to VLAN, use the spinner control to select a virtual LAN from 1 - 4094 to refine the rate limiting configuration to a specific VLAN.
IP: When the Protocol is set to link and the Link Type is set to VLAN, enter the IP address as the network target for rate limiting.
Port: When the Protocol is set to link and the Link Type is set to VLAN, use the spinner control to set the virtual port (1 - 65,535) used for rate limiting traffic.
Rate: Define a rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.
Max Burst Size: Use the spinner to set the maximum burst size from 0 - 1024 kb. The smaller the burst, the less likely the upstream packet transmission will result in congestion for the WLAN's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 kbytes.
Background: Configures the random early detection threshold (as a percentage) for low priority background traffic. Background packets are dropped and a log message generated if the rate exceeds the set value. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
Best-Effort: Configures the random early detection threshold (as a percentage) for low priority best-effort traffic. Best-effort packets are dropped and a log message generated if the rate exceeds the set value. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.
Video: Configures the random early detection threshold (as a percentage) for high priority video traffic. Video packets are dropped and a log message generated if the rate exceeds the set value. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 25%.
Voice: Configures the random early detection threshold (as a percentage) for high priority voice traffic. Voice packets are dropped and a log message generated if the rate exceeds the set value. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 0%.
24 Select OK to save the updates and overrides to the MINT Protocol's rate limit configuration. Select Reset to revert to the last saved configuration.
5.2.9.15.10 Advanced Profile Miscellaneous Configuration
Overriding a Profile's Advanced Configuration
Refer to the advanced profile's Miscellaneous menu item to set or override a profile's NAS configuration. The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port. Each profile is matched to a username representing a physical port. When the wireless controller authorizes users, it queries the user profile database using a username representative of the physical NAS port making the connection. Access Point LED behavior and RF Domain management can also be defined from within the Miscellaneous screen.
1 Select Configuration > Devices from the Web UI.
2 Select Profile Overrides to expand its menu items.
3 Select Advanced to expand its sub menu items.
4 Select Miscellaneous from the Advanced menu item.
Figure 5-157 Advanced Profile Overrides - Miscellaneous screen
5 Set a NAS-Identifier Attribute up to 253 characters in length.
6 This is the RADIUS NAS-Identifier attribute that typically identifies the controller, service platform or Access Point where a RADIUS message originates.
7 Set a NAS-Port-Id Attribute up to 253 characters in length.
8 This is the RADIUS NAS port ID attribute which identifies the device port where a RADIUS message originates.
9 Select the Turn on LEDs option (within the LEDs (Light Emitting Diodes) section) to enable the LEDs on the Access Point. This parameter is not available for controllers or service platforms. Select the Flash Pattern(2) option (within the LEDs (Light Emitting Diodes) field) to flash an Access Point's LEDs in a distinct manner (different from its operational LED behavior) to allow an administrator to validate that an Access Point has received its configuration from its managing controller or service platform. Enabling this feature allows an administrator to validate that an Access Point has received its configuration (perhaps remotely at the site of deployment) without having to log into the managing controller or service platform. This feature is disabled by default.
10 Select the Capable check box (within the RF Domain Manager section) to designate this specific device as the RF Domain manager for a particular RF Domain. The default value is enabled.
11 Select the Priority check box (within the RF Domain Manager section) to set a priority value for this specific profile managed device. Once enabled, use the spinner control to set a device priority between 1 - 255. The higher the number set, the higher the priority in the RF Domain manager election process.
12 Configure a Root Path Monitor Interval (from 1 - 65,535 seconds) to specify how often to check if the mesh point is up or down.
13 Set the Additional Port value (within the RADIUS Dynamic Authorization field) from 1 - 65,535 to enable a Cisco Identity Services Engine (ISE) Authentication, Authorization and Accounting (AAA) server to dynamically authenticate a client. When a client requests access to a Cisco ISE RADIUS server supported network, the server presents the client with a URL where a device's compliance is checked for definition file validity (this form of file validity checking is called posture). If the client device complies, it is allowed access to the network.
14 Enable Bluetooth Detection to scan for Bluetooth devices over the WiNG managed 2.4 GHz Access Point radio. Bluetooth is a technology for exchanging data over short distances using short-wavelength UHF radio waves in the 2.4 GHz band from mobile wireless clients.
NOTE: Enabling Bluetooth detection results in interference on the Access Point's 2.4 GHz radio when in WLAN mode. WLANs are susceptible to sources of interference by Bluetooth devices.
15 Select OK to save the changes made to the profile's Advanced Miscellaneous configuration.
Select Reset to revert to the last saved configuration. 5.3 Auto Provisioning Policies Device Configuration Wireless devices can adopt other wireless devices. For example, a wireless controller can adopt an number of Access Points. When a device is adopted, the device configuration is determined by the adopting device. Since multiple configuration policies are supported, an adopting device needs to determine which configuration policies should be used for a given adoptee. Auto Provisioning Policies determine which configuration policies are used for an adoptee based on some of its properties. For example, a configuration policy could be assigned based on MAC address, IP address, CDP snoop strings, etc. Once created an auto provisioning policy can be used in profiles or device configuration objects. An auto provisioning policy contains a set of ordered by precedence rules that either deny or allow adoption based on potential adoptee properties and a catch-all variable that determines if the adoption should be allowed when none of the rules is matched. All rules (both deny and allow) are evaluated sequentially starting with the rule with the lowest precedence. The evaluation stops as soon as a rule has been matched, no attempt is made to find a better match further down in the set. The evaluation is performed using various matching criteria. The matching criteria supported include:
MAC: Matches the MAC address of a device attempting to be adopted. Either a single MAC address or a range of MAC addresses can be specified.

VLAN: Matches when adoption over a Layer 2 link carries the VLAN ID given in the rule. Note that this is the VLAN ID as seen by the recipient of the adoption request; after multiple hops over different VLANs it may differ from the VLAN ID set by the sender. A single VLAN ID is specified in the rule. This rule is ignored for adoption attempts over Layer 3.

IP Address: Matches when adoption over a Layer 3 link comes from the source IP address given in the rule. In the presence of NAT the IP address may differ from the one the sender used. A single IP address, an IP range or an IP/mask is specified in the rule. This rule is ignored for adoption attempts over Layer 2.

Serial Number: Matches the exact serial number (case insensitive).

Model: Matches the exact model name (case insensitive).

DHCP Option: Matches the value found in DHCP option 191 (case insensitive). DHCP option 191 can be set up on the DHCP server to communicate various configuration parameters to an AP. The value of the option is a string of tag=value pairs separated by semicolons, for example tag1=value1;tag2=value2;tag3=value3. The Access Point includes the value of the tag rf-domain, if present, in its adoption request, and that value is matched against the auto provisioning policy.

FQDN: Matches a substring of the device's FQDN (case insensitive).

CDP: Matches a substring in the list of CDP snoop strings (case insensitive). For example, if an Access Point snooped three devices, controller1.extremenetworks.com, controller2.extremenetworks.com and controller3.extremenetworks.com, then controller1, extremenetworks and extremenetworks.com are examples of substrings that will match.

LLDP: Matches a substring in the list of LLDP snoop strings (case insensitive).
For example, if an Access Point snooped three devices, controller1.extremenetworks.com, controller2.extremenetworks.com and controller3.extremenetworks.com, then controller1, extremenetworks and extremenetworks.com are substrings that match.

Bear in mind that a VLAN ID, a source IP address, a DHCP option value or a snooped CDP/LLDP string describes where an adoption request arrived from, not which device sent it. A policy that allows adoption on such a value alone is trusting that network segment; the serial number and model criteria identify the device itself.

Auto Provisioning is the process by which an Access Point discovers the controllers or service platforms available in the network, picks the most desirable one, establishes an association, optionally obtains an image upgrade and obtains its configuration. At adoption, an Access Point solicits and receives multiple adoption responses from the controllers and service platforms available on the network. These adoption responses contain loading policy information the Access Point uses to select the optimum controller or service platform for adoption. By default, an auto provisioning policy distributes AP adoption evenly amongst the available controllers or service platforms. Modify existing adoption policies or create new ones as needed to meet the adoption requirements of a device and its assigned profile.

NOTE: A device configuration does not need to be present for an auto provisioning policy to take effect. Once the device is adopted and its configuration is defined and applied by the controller or service platform, the auto provisioning policy mapping has no impact on subsequent adoptions by the same device (unless the policy's Rerun Policy Rules Every Time AP Adopted option is enabled).

An auto provisioning policy enables an administrator to define the rules governing an Access Point's adoption by a wireless controller. Auto provisioning policies set restrictions on how an Access Point gets adopted by a wireless controller. To review existing Auto Provisioning Policy configurations:
1 Select Configuration > Devices > Auto Provisioning Policy.

2 The Auto-Provisioning screen displays by default. Use the Auto-Provisioning screen to determine whether an existing policy can be used as is, a new Auto Provisioning Policy requires creation or an existing policy requires edit or deletion.

Figure 5-158 Auto-Provisioning screen

3 Review the following Auto-Provisioning parameters:
Auto-Provisioning Policy: Lists the name given to each policy when it was created. The name cannot be modified as part of the Auto Provisioning Policy's edit process.

Adopt if No Rules Match: Displays whether this policy will adopt devices if no adoption rules apply. Double-click within this column to launch the edit screen where rules can be defined for device adoption. This feature is disabled by default.

Rerun Policy Rules Every Time AP Adopted: Displays whether this policy will be run every time an AP is adopted. Double-click within this column to launch the edit screen where this option can be modified. This feature is disabled by default.

4 Select Add to create a new Auto Provisioning Policy, Edit to revise an existing Auto Provisioning Policy or Delete to permanently remove a policy. For instructions on either adding or editing an Auto Provisioning Policy, see Configuring an Auto-Provisioning Policy on page 5-270.

5.3.1 Configuring an Auto-Provisioning Policy

Auto-Provisioning Policies can be created or refined as unique deployment requirements dictate changes in the number of Access Point radios within a specific radio coverage area. To add a new Auto Provisioning Policy or edit an existing Auto-Provisioning Policy configuration:
1 From the Auto-Provisioning screen, either select Add or select an existing Auto-Provisioning Policy and select Edit.

2 If adding a new Auto-Provisioning Policy, provide a name in the Auto-Provisioning Policy field. The name must not exceed 32 characters. Select Continue to enable the remaining parameters of the Auto-Provisioning Policy screen. The Rules tab displays by default.

Figure 5-159 Auto-Provisioning Policy screen - Rules tab

3 Review the following Auto-Provisioning Policy rule data to determine whether a rule can be used as is, requires edit or whether new rules need to be defined:
Rule Precedence: Displays the precedence (sequence) in which the policy's rules are applied. Rules with the lowest precedence value receive the highest priority. This value is set (from 1 to 1000) when adding a new Auto Provisioning Policy rule configuration.

Operation: Lists the operation taken upon receiving an adoption request from an Access Point. The following operations are available:

allow: Allows the normal provisioning of connecting Access Points upon request.
deny: Denies (prohibits) the provisioning of connecting Access Points upon request.
redirect: The Access Point is pointed at a steering controller (the 1st or 2nd Controller configured in the rule), which forwards the address of the designated controller resource that then carries out provisioning.
upgrade: Adopts and provisions requesting Access Points from this controller resource.

Device Type: Sets the Access Point model for which this rule applies. Adoption rules are specific to the selected model.

Match Type: Lists the matching criteria used in the rule. This acts as a filter and further refines the APs that can be adopted. The Match Type can be one of the following:

MAC Address: The filter value is a MAC address of the selected Access Point model.
IP Address: The filter value is the IP address of the selected Access Point model.
VLAN: The filter value is a VLAN ID.
Serial Number: The filter value is the serial number of the selected Access Point model.
Model Number: The filter value is the Access Point model number.
DHCP Option: The filter value is the DHCP option value received from the selected Access Point model.

Argument 1: The number of arguments varies with the Match Type. This column lists the first argument value (for example a single MAC address, or the start of a MAC or IP range). This value is not set as part of the rule creation or edit process.

Argument 2: This column lists the second argument value, where the Match Type takes one (for example the end of a MAC or IP range). This value is not set as part of the rule creation or edit process.

RF Domain Name: Sets the name of the RF Domain to which the device is adopted automatically. Select the Create icon to define a new RF Domain configuration or select the Edit icon to revise an existing configuration.

Profile Name: Defines the name of the profile used when the Auto Provisioning Policy is applied to a device. Select the Create icon to define a new Profile configuration or the Edit icon to revise an existing configuration. For more information, see General Profile Configuration on page 8-5.

4 If a rule requires addition or modification, select either Add or Edit to define the required parameters using the Rule screen.

5 Specify the following parameters in the Rule screen:
Figure 5-160 Auto Provisioning Policy Rule screen

Rule Precedence: Assign a priority from 1 to 10,000 for the application of the auto-provisioning policy rule. Rules with the lowest value have priority.

Operation: Define the operation taken upon receiving an adoption request from an Access Point. The following operations are available:

Allow: Allows the normal provisioning of connecting Access Points upon request.
Deny: Denies (prohibits) the provisioning of connecting Access Points upon request.
Redirect: The Access Point is pointed at a steering controller (the 1st or 2nd Controller configured below), which forwards the address of the designated controller resource that then carries out provisioning.
Upgrade: Adopts and provisions requesting Access Points from this controller resource.

Device Type: Set the Access Point model for which this rule applies. Adoption rules are specific to the selected model, as radio configurations are often unique to specific models.

Match Type: Set the matching criteria used in the rule. This acts as a filter and further refines the Access Points capable of adoption. The Match Type can be one of the following:

MAC Address: The filter value is a MAC address of the selected Access Point model.
IP Address: The filter value is the IP address of the selected Access Point model.
VLAN: The filter value is a VLAN ID.
Serial Number: The filter value is the serial number of the selected Access Point model.
Model Number: The filter value is the Access Point model number.
DHCP Option: The filter value is the DHCP option value received from the selected Access Point model.

RF Domain Name: Set the RF Domain to which the device is adopted automatically. Select the Create icon to define a new RF Domain configuration or select the Edit icon to revise an existing configuration.

Profile Name: Define the profile used when the Auto Provisioning Policy is applied to a device. Select the Create icon to define a new Profile configuration or select the Edit icon to revise an existing configuration. For more information, see General Profile Configuration on page 8-5.

Area: Enter a deployment area name (64 characters maximum) assigned to this rule.

Floor: Enter a deployment floor name (32 characters maximum) assigned to this rule.

1st Controller: When Redirect is selected as the operation, provide the hostname or IP address and port of the first-choice steering controller that forwards the address of the controller resource which initiates the provisioning process.

2nd Controller: When Redirect is selected as the operation, provide the hostname or IP address and port of the second-choice steering controller.

Routing Level: When Redirect is selected as the operation, specify the routing level as 1 or 2.

6 Select OK to save the updates and overrides to the Auto-Provisioning policy rule configuration. Select Reset to revert to the last saved configuration.

7 Select the Default tab to define the Auto Provisioning Policy's behaviour when no rule matches.
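The rule semantics described in this section (first match in precedence order, VLAN rules that apply only to layer-2 adoption and IP rules only to layer-3 adoption, the rf-domain tag pulled out of DHCP option 191, substring matching of CDP/LLDP snoop strings, and the Adopt if No Rules Match catch-all) can be checked offline before a policy is pushed to a controller. The following Python script is an added example written for this page; it is not WiNG code and does not talk to a controller. The Rule and AdoptionRequest classes, the match-type names, the sample policy and every address, serial and model in it are constructed for illustration.

```python
# Added example for this page (not WiNG code): an offline evaluator for the
# auto-provisioning rule semantics described above. Rule/AdoptionRequest shapes,
# match-type names, the sample policy and all addresses/serials are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class AdoptionRequest:
    """What the adopting controller knows about an AP asking to be adopted."""
    mac: str
    model: str
    serial: str
    layer: int                    # 2 = same broadcast domain, 3 = routed
    vlan: Optional[int] = None    # VLAN ID as seen by the recipient (layer 2 only)
    src_ip: Optional[str] = None  # source IP as seen by the recipient (layer 3 only)
    dhcp_option_191: str = ""     # raw "tag1=value1;tag2=value2" string sent by the AP
    fqdn: str = ""
    cdp_snoop: List[str] = field(default_factory=list)
    lldp_snoop: List[str] = field(default_factory=list)

@dataclass
class Rule:
    precedence: int               # lowest value is evaluated first and wins
    operation: str                # "allow" or "deny" (redirect/upgrade also permit adoption)
    match_type: str               # mac, vlan, ip, serial, model, dhcp-option, fqdn, cdp, lldp
    arg1: str
    arg2: str = ""                # end of a MAC or IP range, when the match type takes one
    rf_domain: str = ""
    profile: str = ""

@dataclass
class Decision:
    adopt: bool
    rule: Optional[Rule]          # None when the Adopt if No Rules Match catch-all decided

def parse_option_191(raw: str) -> dict:
    """Split 'tag=value;tag=value' into a dict; tag names compare case-insensitively."""
    tags = {}
    for item in raw.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def _mac_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)

def rule_matches(rule: Rule, req: AdoptionRequest) -> bool:
    mt, a1 = rule.match_type.lower(), rule.arg1.lower()
    if mt == "mac":               # single MAC, or inclusive range arg1..arg2
        low = _mac_int(rule.arg1)
        high = _mac_int(rule.arg2) if rule.arg2 else low
        return low <= _mac_int(req.mac) <= high
    if mt == "vlan":              # ignored for layer-3 adoption
        return req.layer == 2 and req.vlan == int(rule.arg1)
    if mt == "ip":                # ignored for layer-2 adoption; single IP, range or IP/mask
        if req.layer != 3 or req.src_ip is None:
            return False
        ip = ipaddress.ip_address(req.src_ip)
        if rule.arg2:
            return ipaddress.ip_address(rule.arg1) <= ip <= ipaddress.ip_address(rule.arg2)
        return ip in ipaddress.ip_network(rule.arg1, strict=False)
    if mt == "serial":
        return req.serial.lower() == a1
    if mt == "model":
        return req.model.lower() == a1
    if mt == "dhcp-option":       # only the rf-domain tag of option 191 is compared
        return parse_option_191(req.dhcp_option_191).get("rf-domain", "").lower() == a1
    if mt == "fqdn":
        return a1 in req.fqdn.lower()
    if mt in ("cdp", "lldp"):     # substring anywhere in the snooped neighbour list
        return any(a1 in s.lower() for s in (req.cdp_snoop if mt == "cdp" else req.lldp_snoop))
    raise ValueError(f"unknown match type {rule.match_type!r}")

def evaluate(rules: List[Rule], req: AdoptionRequest, adopt_if_no_match: bool = False) -> Decision:
    """First matching rule in precedence order wins; no search for a better match afterwards."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, req):
            return Decision(rule.operation.lower() != "deny", rule)
    return Decision(adopt_if_no_match, None)

# Constructed sample policy: one known-bad serial denied first, site/lab/remote/campus allows,
# then a model-wide deny that only reaches devices nothing above matched.
POLICY = [
    Rule(10, "deny", "serial", "XX0000000001"),
    Rule(20, "allow", "dhcp-option", "store-17", rf_domain="store-17", profile="store-ap"),
    Rule(25, "allow", "mac", "00:11:22:00:00:00", "00:11:22:ff:ff:ff", rf_domain="lab", profile="lab-ap"),
    Rule(30, "allow", "ip", "10.20.0.0/16", rf_domain="remote", profile="remote-ap"),
    Rule(40, "allow", "vlan", "100", rf_domain="campus", profile="campus-ap"),
    Rule(50, "deny", "model", "AP7662"),
]

def demo() -> dict:
    """Constructed adoption requests exercising rule ordering and the layer-2/layer-3 split."""
    store = AdoptionRequest("00:aa:bb:00:00:01", "AP3917e", "S100", layer=2, vlan=100,
                            dhcp_option_191="site=17;RF-Domain=store-17")   # matches 20 and 40
    routed = AdoptionRequest("00:aa:bb:00:00:02", "AP7662", "S200", layer=3, vlan=100,
                             src_ip="192.0.2.10")                           # vlan rule skipped
    rogue = AdoptionRequest("00:aa:bb:00:00:03", "AP3917e", "xx0000000001", layer=2, vlan=100,
                            dhcp_option_191="rf-domain=store-17")           # deny 10 beats 20
    lab = AdoptionRequest("00:11:22:ab:cd:ef", "AP3917e", "S300", layer=2, vlan=5)
    stray = AdoptionRequest("00:aa:bb:00:00:04", "AP3917e", "S400", layer=3, src_ip="198.51.100.7")
    return {"store": evaluate(POLICY, store), "routed": evaluate(POLICY, routed),
            "rogue": evaluate(POLICY, rogue), "lab": evaluate(POLICY, lab),
            "stray_off": evaluate(POLICY, stray), "stray_on": evaluate(POLICY, stray, True)}
```

Running demo() shows the two properties that matter in practice: the layer-2 request that matches both the option-191 rule (20) and the VLAN rule (40) is decided by the lower precedence value alone, and the layer-3 request falls straight through the VLAN rule to the model-wide deny (50). A deny rule placed after the allows it is meant to override, as rule 50 is here, only catches devices that nothing above matched, which is usually a policy mistake; put denies first, and leave Adopt if No Rules Match off unless every device that can reach the controller is meant to be adopted.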
Figure 5-161 Auto Provisioning Policy screen - Default tab

8 Select Adopt if No Rules Match to adopt when no matching filter rules apply. This setting is disabled by default, which is the safer choice: with it disabled, an Access Point that matches no rule is not adopted.

9 Select Rerun Policy Rules Every Time AP Adopted to run this policy and apply its rule set every time an Access Point is adopted. This setting is disabled by default.

10 Select OK to save the updates to the screen. Selecting Reset reverts the screen to the last saved configuration.

5.4 Managing an Event Policy

Event Policies enable an administrator to create specific notification mechanisms using one, some or all of the SNMP, syslog, forwarding or e-mail notification options available to the controller or service platform. Each listed event can have customized notification settings defined and saved as part of an event policy. Thus, policies can be configured and administered for specific sets of client association, authentication/encryption and performance events. Once policies are defined, they can be mapped to device profiles as the likelihood of an event applies to particular devices. By default there is no enabled event policy; one needs to be created and implemented. When initially displayed, the Event Policy screen lists the existing policies. Existing policies can have their event notification configurations modified as device profile requirements warrant. To define an event policy:
1 Select Configuration > Devices > Event Policy.

2 Select Add to create a new event policy or Edit to modify an existing policy. Use the Delete button to remove an existing event policy.

Figure 5-162 Event Policy screen

3 Ensure the button is selected to enable the screen for configuration of a specific event category. This option needs to remain selected to apply the event policy configuration to the profile.

4 Refer to the Select Event Module drop-down menu on the top right-hand side of the screen and select an event module used to track the occurrence of each listed event.

5 Review each event and select (or deselect) the SNMP, Syslog, Forward to Controller or Email Notification option as required for the event. Map an existing policy to a device profile as needed: select Profile from the Map drop-down menu in the lower left-hand side of the screen, expand the list of device profiles available, and apply the event policy as required.

6 Select OK to save the changes. Select Reset to revert to the last saved configuration. Delete obsolete rows as needed.

5.5 Managing MINT Policies

To add or modify a MINT Policy:
1 Select Configuration > Devices > MINT Policy to display the MINT Policy screen.

2 Configure the following parameters to configure the MINT policy:

Figure 5-163 MINT Policy Configuration screen

Level 2 Area ID: Define a Level 2 Area ID for the MiNT policy. The Level 2 Area ID is the global MiNT area identifier. This area identifier separates two overlapping MiNT networks and need only be configured if the administrator has two MiNT networks that share the same packet broadcast domain.

MTU: Specify an MTU value for the MiNT policy between 900 and 1,500. The MTU setting specifies the maximum packet size used for MiNT packets. Larger packets are fragmented so they fit within this packet size limit. The administrator may want to configure this parameter if the MiNT backhaul network requires or recommends smaller packet sizes. The default value is 1500.

UDP/IP Encapsulation Port: Specify the port to use for UDP/IP encapsulation, between 2 and 65,534. This value specifies an alternate UDP port to be used by MiNT packets and must be an even number. This port number is used by MiNT control packets, and this port value plus 1 carries MiNT data packets, so any firewall between MiNT peers must permit both UDP ports. The default value is 24576 for control and therefore 24577 for data.

3 Select OK to save the changes. Select Reset to revert to the last saved configuration.

6 Wireless Configuration

A Wireless Local Area Network (WLAN) is a data-communications system that flexibly extends the functionality of a wired LAN. A WLAN links two or more computers or devices using spread-spectrum or OFDM modulation based technology. A WLAN does not require lining up devices for line-of-sight transmission and is thus desirable for wireless networking. Roaming users can be handed off from one wireless controller connected Access Point to another, like a cellular phone system. WLANs can therefore be configured around the needs of specific user groups, even when they are not in physical proximity. WLANs can be used to provide an abundance of services, including data communications (allowing mobile devices to access applications), e-mail, file and print services or even specialty applications (such as guest access control and asset tracking).

Each wireless controller WLAN configuration contains encryption, authentication and QoS policies and conditions for user connections. Connected Access Point radios transmit periodic beacons for each BSS. A beacon advertises the SSID, security requirements and supported data rates of the wireless network to enable clients to locate and connect to the WLAN.

WLANs are mapped to radios on each connected Access Point. A WLAN can be advertised from a single Access Point radio or can span multiple Access Points and radios. WLAN configurations can be defined to only provide service to specific areas of a site. For example, a guest access WLAN may only be mapped to a 2.4 GHz radio in a lobby or conference room providing limited coverage, while a data WLAN is mapped to all 2.4 GHz and 5 GHz radios at the branch site providing complete coverage.

RFS4000 and RFS6000 series wireless controllers support a maximum of 32 WLANs. The NX7500 service platforms support up to 256 WLANs. NX9000 series service platforms support up to 1000 WLANs.

The wireless configuration is comprised of the following policies:
Wireless LAN Policy
Configuring WLAN QoS Policies
Radio QoS Policy
Association ACL
Smart RF Policy
MeshConnex Policy
Mesh QoS Policy
Passpoint Policy
Sensor Policy

These policies can be separately selected within the Configuration > Wireless pane located in the top left-hand side of the UI.

6.1 Wireless LAN Policy

Figure 6-1 Configuration > Wireless pane

To review the attributes of existing WLANs and, if necessary, modify their configurations:
1 Select Configuration > Wireless > Wireless LANs to display a high-level view of the existing WLANs.

Figure 6-2 Wireless LANs screen

2 Refer to the following (read only) information to assess the attributes of each WLAN available to the wireless controller:
WLAN: Displays the name of each available WLAN. Individual WLANs can be selected and their SSID and client management properties modified. RFS4000 and RFS6000 series wireless controllers support a maximum of 32 WLANs. The NX7500 service platforms support up to 256 WLANs. NX9000 series service platforms support up to 1000 WLANs.

SSID: Displays the name of the SSID assigned to the WLAN when created or last modified. Optionally, select a WLAN and click the Edit button to update the WLAN's SSID.

Description: Displays the brief description set for each listed WLAN when it was either created or modified.

WLAN Status: Lists each WLAN's current status as either Active or Shutdown. A green check mark defines the WLAN as available to clients on all radios where it has been mapped. A red X defines the WLAN as shutdown, meaning even if the WLAN is mapped to radios, it is not available for clients to associate.

VLAN Pool: Lists each WLAN's current VLAN mapping. The wireless controller permits mapping a WLAN to more than one VLAN. When a client associates with a WLAN, the client is assigned a VLAN by load balance distribution; the VLAN is picked from a pool assigned to the WLAN. Keep in mind, however, that typical deployments only map a single VLAN to a WLAN. The use of a pool is strictly optional.

Bridging Mode: Displays the bridging mode used by each WLAN. Available bridging modes are Local and Tunnel.

DHCP Option 82: DHCP Option 82 is commonly used in large enterprise deployments to provide client physical attachment information. Option 82 is used in distributed DHCP server/relay environments, where relays insert additional information to identify the client's point of attachment. A red X defines DHCP option 82 as disabled, a green check mark means it is enabled.

DHCPv6 LDRA: Lightweight DHCPv6 Relay Agent (LDRA) is used to insert relay-agent options in DHCPv6 message exchanges that identify client-facing interfaces. These relay agents are deployed to forward DHCPv6 messages between clients and servers when they are not on the same IPv6 link. A green check mark indicates this WLAN acts as a DHCPv6 LDRA; a red X indicates it does not.

Authentication Type: Displays the name of the authentication scheme this WLAN is using to verify clients before they join. None is listed if authentication is not used within this WLAN. If no authentication is used, refer to the Encryption Type column to verify there is some form of protection on the WLAN; otherwise the WLAN runs with no protection at all.

Encryption Type: Displays the name of the encryption scheme this WLAN is using to protect client traffic. None is listed if encryption is not used within this WLAN. If no encryption is used, refer to the Authentication Type column to verify there is some form of protection on the WLAN; otherwise the WLAN runs with no protection at all. Note that authentication alone does not protect traffic in transit: a WLAN showing an authentication type but an Encryption Type of None still carries client data in the clear.

QoS Policy: Lists the QoS policy applied to each listed WLAN. A QoS policy needs to be selected (or created) for each WLAN in respect of the WLAN's intended client traffic and the voice, video or normal data traffic it supports.

Association ACL: Lists the Association ACL policy applied to each listed WLAN. An Association ACL is a policy-based Access Control List (ACL) that either prevents or allows wireless clients from connecting to a WLAN. The mapping of an Association ACL is strictly optional.

Use the sequential set of WLAN screens to define a unique configuration for each WLAN. Refer to the following to set WLAN configurations:
Basic WLAN Configuration
Configuring WLAN Security
Configuring WLAN Firewall Support
Configuring Client Settings
Configuring WLAN Accounting Settings
Configuring WLAN Service Monitoring Settings
Configuring Client Load Balancing Settings
Configuring Advanced WLAN Settings
Configuring Auto Shutdown Settings

6.1.1 Basic WLAN Configuration

When creating or modifying a WLAN, the Basic Configuration screen is the first screen that displays as part of the WLAN configuration screen flow. Use this screen to enable a WLAN and define its SSID, client behavior and VLAN assignments.

1 Select Configuration > Wireless > Wireless LAN Policy to display a high-level view of the existing WLANs.

2 Select the Add button to create an additional WLAN, or select an existing WLAN then Edit to modify its properties. RFS4000 and RFS6000 model wireless controllers support a maximum of 32 WLANs. The NX7500 service platforms support up to 256 WLANs. The NX9000 series supports up to 1000 WLANs.

3 Refer to the WLAN Configuration field to define the following:
Figure 6-3 WLAN Policy Basic Configuration screen

WLAN: If adding a new WLAN, enter its name in the space provided. Spaces between words are not permitted. The name could be a logical representation of the WLAN coverage area (engineering, marketing, etc.). If editing an existing WLAN, the WLAN's name appears at the top of the screen and cannot be modified. The name cannot exceed 32 characters.

SSID: Enter or modify the Service Set Identifier (SSID) associated with the WLAN. The maximum number of characters that can be used for the SSID is 32.

Description: Provide a textual description for the WLAN to help differentiate it from others with similar configurations. The description can be up to 64 characters.

WLAN Status: Select the Enabled radio button to make this WLAN active and available to clients on all radios where it has been mapped. Select the Disabled radio button to make this WLAN inactive, meaning even if the WLAN is mapped to radios, it is not available for clients to associate and use.

QoS Policy: Use the drop-down menu to assign an existing QoS policy to the WLAN, select the Create icon to define a new QoS policy or select the Edit icon to modify the configuration of the selected QoS policy. QoS helps ensure each WLAN receives a fair share of the overall bandwidth, either equally or in the proportion configured. For information on creating a QoS policy that can be applied to a WLAN, see Configuring WLAN QoS Policies.

Bridging Mode: Use the drop-down menu to specify a bridging mode for the WLAN. Available bridging modes are Local, Tunnel or Split-Tunnel.

DHCP Option 82: Select this option to enable DHCP option 82. DHCP Option 82 provides client physical attachment information. This setting is disabled by default.

DHCPv6 LDRA: Select this option to enable the DHCPv6 relay agent. The DHCPv6 LDRA (Lightweight DHCPv6 Relay Agent) allows DHCPv6 messages to be relayed on existing networks that do not currently support IPv6 or DHCPv6.

Bonjour Gateway Discovery Policy: Select an existing Bonjour configuration to apply to the WLAN configuration. Bonjour provides a method to discover services on a WLAN. Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.

4 Refer to the Other Settings field to define broadcast behavior within this specific WLAN.

Broadcast SSID: Select this check box to enable the wireless controller to broadcast the SSID within beacons. This feature is enabled by default. Disabling it does not make the SSID secret: the SSID is still sent in probe responses and association requests, so a hidden SSID is not a security control and should not be relied on as one.

Answer Broadcast Probes: Select this check box to have the WLAN respond to probe requests that carry a blank (wildcard) SSID instead of a specific one. This feature is enabled by default.

5 Refer to the VLAN Assignment field to add or remove VLANs for the selected WLAN, and define the number of clients permitted. Remember, users belonging to separate VLANs can share the same WLAN. It is not necessary to create a new WLAN for every VLAN in the network.

Single VLAN: Select the Single VLAN radio button to assign just one VLAN to this WLAN. Enter the name of the VLAN within the VLAN parameter field when the Single VLAN radio button is selected. Utilizing a single VLAN per WLAN is a more typical deployment scenario than using a VLAN pool.

VLAN Pool: Select the VLAN Pool radio button to display a table with VLAN and wireless client columns (representing configurable options). Define the VLANs available to this WLAN. Additionally, define the number of wireless clients supported by each VLAN. Use the radio buttons on the left-hand side of the table to enable or disable each VLAN and wireless client configuration for the WLAN. Select the + Add Row button to add additional VLANs to the WLAN.

6 Select the Allow Radius Override check box in the RADIUS VLAN Assignment field to allow an override to the WLAN configuration. If, as part of the authentication process, the RADIUS server returns a client's VLAN-ID in a RADIUS Access-Accept packet and this feature is enabled, all client traffic is forwarded on that VLAN. If disabled, the RADIUS-returned VLAN-ID is ignored and the VLAN configuration (defined above) is used. Because this lets the RADIUS server place a client on any VLAN, enable it only where the RADIUS server and the path to it are trusted.

7 Use the URL Filter field to configure user access restrictions to Internet resources reachable through the controller or service platform. User access is controlled with URL Filters. Use the URL Filter drop-down menu to select a preconfigured URL Filter. To create a new URL Filter, use the Create button. To edit an existing URL Filter, use the Edit button.
8 Select OK when completed to update the WLAN's basic configuration. Select Reset to revert the screen back to the last saved configuration.

6.1.2 Configuring WLAN Security

A WLAN can be assigned a security policy supporting authentication, captive portal (hotspot) or encryption schemes.

Figure 6-4 WLAN Policy Security screen

Authentication ensures only known and trusted users or devices access a WLAN. Authentication is enabled per WLAN to verify the identity of both users and devices. Authentication is a challenge and response procedure for validating user credentials such as username, password and sometimes secret-key information. A client must authenticate to an Access Point to receive resources from the network. Controllers and service platforms support EAP, EAP-PSK, EAP-MAC, MAC and PSK/None authentication options. Refer to the following to configure an authentication scheme for a WLAN:
802.1x EAP, EAP-PSK and EAP MAC
MAC Authentication
PSK / None

Secure guest access to the network is referred to as captive portal access. A captive portal is a guest access policy for providing guests temporary and restricted access to the wireless network. Existing captive portal policies can be applied to a WLAN to provide secure guest access as needed. A captive portal configuration provides authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to gain access to the network. Once logged into the captive portal, additional Agreement, Welcome and Fail pages provide the administrator with a number of options for captive portal screen flow and user appearance. Refer to Captive Portal on page 6-13 for information on assigning a captive portal policy to a WLAN.

A passpoint policy provides an interoperable platform for streamlining Wi-Fi access to Access Points deployed as public hotspots. Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. For more information, see Passpoint Policy.

Encryption is central to WLAN security, as it provides data privacy for traffic forwarded over a WLAN. When the 802.11 specification was introduced, Wired Equivalent Privacy (WEP) was the primary encryption mechanism. WEP has since been shown to be broken in many ways (the key can be recovered from captured traffic) and is not an effective encryption scheme for securing a wireless controller WLAN. WEP is only used in WLAN deployments that must support legacy clients. New deployments should use WPA2 with CCMP (AES); TKIP, the cipher of the original WPA, is itself deprecated and should likewise only be enabled for legacy clients. Encryption applies a specific algorithm to the data to alter its appearance and prevent unauthorized reading. Decryption applies the algorithm in reverse to restore the data to its original form. A sender and receiver must employ the same encryption/decryption method to interoperate.

When both TKIP and CCMP are enabled, a mix of clients is allowed to associate with the WLAN: some use TKIP, others use CCMP. Since broadcast traffic needs to be understood by all clients, the broadcast (group) encryption type in this scenario is TKIP, so the WLAN's broadcast and multicast traffic is only as strong as TKIP regardless of what the CCMP clients negotiate for their unicast traffic. TKIP-CCMP, WPA2-CCMP, WEP 64, WEP 128 and Keyguard encryption options are supported. Refer to the following to configure an encryption scheme for a WLAN:
TKIP-CCMP
WPA2-CCMP
WEP 64
WEP 128
Keyguard
T5 Controller Security

6.1.2.1 802.1x EAP, EAP-PSK and EAP MAC

The Extensible Authentication Protocol (EAP) is the de facto standard authentication method used to provide secure authenticated access to WLANs. EAP provides mutual authentication, secured credential exchange, dynamic keying and strong encryption. 802.1X EAP can be deployed with WEP, WPA or WPA2 encryption schemes to further protect user information forwarded over WLANs.

The EAP process begins when an unauthenticated supplicant (client device) tries to connect with an authenticator (in this case, the authentication server). An Access Point passes EAP packets from the client to an authentication server on the wired side of the Access Point. All other packet types are blocked until the authentication server (typically, a RADIUS server) verifies the client's identity.

802.1X EAP provides mutual authentication over the WLAN during authentication. The 802.1X EAP process uses credential verification to apply specific policies and restrictions to WLAN users, ensuring access is only provided to specific wireless controller resources.

802.1X requires an 802.1X-capable RADIUS server to authenticate users and an 802.1X client installed on each device accessing the EAP-supported WLAN. An 802.1X client is included with most commercial operating systems, including Microsoft Windows, Linux and Apple OS X.

The RADIUS server authenticating 802.1X EAP users can reside either internally or externally to a controller, service platform or Access Point. User account creation and maintenance can be provided centrally using ADSP or individually maintained on each device. If an external RADIUS server is used, EAP authentication requests are forwarded to it.

When using PSK with EAP, the controller, service platform or Access Point sends a packet requesting a secure link using a pre-shared key. The authenticating device must use the same authenticating algorithm and passcode during authentication. EAP-PSK is useful when transitioning from a PSK network to one that supports EAP. The only encryption types supported with EAP-PSK are TKIP, CCMP and TKIP-CCMP.

To configure EAP on a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to modify the security properties of an existing WLAN.
3 Select Security.
4 Select EAP, EAP-PSK or EAP-MAC as the authentication type. Each option enables the radio buttons for various encryption mechanisms as an additional measure of security with the WLAN.

Figure 6-5 EAP, EAP-PSK or EAP MAC Authentication screen

5 Either select an existing AAA Policy from the drop-down menu or select the Create icon to the right of the AAA Policy parameter to display a screen where new AAA policies can be created. Select the Edit icon to modify the configuration of the selected AAA policy.
Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to the network, enforcing user authorization policies and auditing and tracking usage. These combined processes are central for securing wireless client resources and wireless network data flows.
6 Select the Reauthentication check box to force EAP supported clients to reauthenticate. Use the spinner control to set the number of seconds (from 30 - 86,400) that, once exceeded, forces the EAP supported client to reauthenticate to use the resources supported by the WLAN.
7 Select OK when completed to update the WLAN's EAP configuration. Select Reset to revert back to the last saved configuration.

EAP, EAP-PSK and EAP MAC Deployment Considerations

Before defining an 802.1x EAP, EAP-PSK or EAP MAC supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
A valid certificate should be issued and installed on devices providing 802.1X EAP. The certificate should be issued from an Enterprise or public certificate authority to allow 802.1X clients to validate the identity of the authentication server prior to forwarding credentials.
If using an external RADIUS server for EAP authentication, the round trip delay over the WAN should not exceed 150 ms. Excessive delays over a WAN can cause authentication and roaming issues and impact wireless client performance. If experiencing excessive delays, consider using local RADIUS resources.

6.1.2.2 MAC Authentication

MAC is a device-level authentication method used to augment other security schemes when legacy devices are deployed using static WEP. MAC authentication can be used for device-level authentication by permitting WLAN access based on device MAC address. MAC authentication is typically used to augment WLAN security options that do not use authentication (such as static WEP, WPA-PSK and WPA2-PSK). MAC authentication can also be used to assign VLAN memberships, Firewall policies and time and date restrictions.

MAC authentication can only identify devices, not users. MAC authentication only references a client wireless interface card's MAC address when authenticating the device; it does not distinguish the device user's credentials. MAC authentication is somewhat poor as a standalone data protection technique, as MAC addresses can be easily spoofed by hackers who can provide a device MAC address to mimic a trusted device within the network.

MAC authentication is enabled per WLAN profile, augmented with the use of a RADIUS server to authenticate each device. A device's MAC address can be authenticated against the local RADIUS server built into the device or centrally (from a datacenter). For RADIUS server compatibility, the MAC address can be forwarded to the RADIUS server in non-delimited or delimited formats:
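The following added example is not part of this guide or of the WiNG product code. It shows the delimited and non-delimited representations of a client MAC address that a RADIUS server might be configured to expect as the User-Name for MAC authentication, canonicalizes whichever form a client or an allow-list entry arrives in before comparing them, and reports whether the locally-administered bit of the address is set, which is the property that distinguishes a randomized or self-assigned client address from a vendor-assigned one. The MAC values and the allow-list are constructed samples.

```python
import re

# Constructed sample addresses (not from the guide): a vendor-assigned style
# address and one whose locally administered (U/L) bit is set.
SAMPLE_MACS = ["00:11:22:33:44:55", "aa-bb-cc-dd-ee-ff"]

_MAC_HEX = re.compile(r"^[0-9A-F]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the 12 upper-case hex digits of a MAC written with colons,
    hyphens, dots, or no delimiter at all. Raises ValueError if the input
    is not exactly 48 bits of hex."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not _MAC_HEX.match(digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return digits


def mac_formats(mac: str) -> dict:
    """Every representation a RADIUS server may expect when a WLAN forwards
    a client MAC address as the authentication identity."""
    d = normalize_mac(mac)
    pairs = [d[i:i + 2] for i in range(0, 12, 2)]
    return {
        "non_delimited": d,                                     # 001122334455
        "non_delimited_lower": d.lower(),                       # 001122334455
        "colon": ":".join(pairs),                               # 00:11:22:33:44:55
        "hyphen": "-".join(pairs),                              # 00-11-22-33-44-55
        "dot": ".".join(d[i:i + 4] for i in range(0, 12, 4)),   # 0011.2233.4455
    }


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet (the IEEE U/L bit) is set, i.e. the
    address was not assigned from a vendor OUI. Randomized client addresses
    carry this bit, so a MAC allow-list cannot track such a device reliably."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def is_multicast(mac: str) -> bool:
    """True when bit 0 of the first octet (the I/G bit) is set; a multicast
    address can never be a legitimate client identity."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x01)


def authorize_by_mac(client_mac: str, allow_list) -> bool:
    """Canonical comparison of a client address against an allow-list whose
    entries may each use a different delimiter convention. Multicast
    addresses are rejected outright."""
    if is_multicast(client_mac):
        return False
    wanted = normalize_mac(client_mac)
    return any(normalize_mac(entry) == wanted for entry in allow_list)


if __name__ == "__main__":
    for m in SAMPLE_MACS:
        print(mac_formats(m)["colon"], "locally administered:", is_locally_administered(m))
```

Whatever format the WLAN is set to forward, the comparison on the RADIUS side should happen on the canonical 12-digit form; an allow-list that mixes `AA-BB-...` and `aabb...` entries silently fails to match otherwise.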
To configure MAC on a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to modify the security properties of an existing WLAN.
3 Select Security.
4 Select MAC as the Authentication Type. Selecting MAC enables the radio buttons for each encryption option as an additional measure of security for the WLAN.

Figure 6-6 MAC Authentication screen

5 Either select an existing AAA Policy from the drop-down menu or select the Create icon to the right of the AAA Policy parameter to display a screen where new AAA policies can be created. A default AAA policy is also available if configuring a WLAN for the first time and there are no existing policies. Select the Edit icon to modify the configuration of a selected AAA policy.
Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to the wireless client, enforcing user authorization policies and auditing and tracking usage. These combined processes are central for securing wireless client resources and wireless network data flows.
6 Select the Reauthentication option to force MAC supported clients to reauthenticate. Use the spinner control to set the number of minutes (30 - 86,400) that, once exceeded, forces the EAP supported client to reauthenticate in order to use the resources supported by the WLAN.
7 Select OK when completed to update the WLAN's MAC configuration. Select Reset to revert the screen back to the last saved configuration.

MAC Authentication Deployment Considerations

Before defining a MAC authentication configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
MAC authentication can only be used to identify end-user devices, not the users themselves.
MAC authentication is somewhat poor as a standalone data protection technique, as MAC addresses can be easily spoofed by hackers who can provision a MAC address on their device to mimic a trusted device.

6.1.2.3 PSK / None

Open-system authentication can be referred to as no authentication, since no actual authentication and user credential validation takes place. A client user requests (and is granted) authentication with no credential exchange.

Figure 6-7 PSK / None Settings screen

NOTE: Although None implies no authentication, this option is also used when pre-shared keys are used for encryption (thus the PSK in the description).

6.1.2.4 Captive Portal

A captive portal is an access policy for providing guests temporary and restricted access to the controller, service platform or Access Point managed network. For an overview of the Captive Portal process and information on how to define a captive portal policy, see Configuring Captive Portal Policies on page 11-1.

To assign a captive portal policy to a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and select Edit to modify the properties of an existing wireless controller WLAN.
3 Select Security.
4 Refer to the Captive Portal field within the WLAN Policy security screen.

Figure 6-8 WLAN Policy Security screen - Captive Portal Field

5 Select the Captive Portal Enable option if authenticated guest access is required with the selected WLAN. This feature is disabled by default.
6 Select the Captive Portal if Primary Authentication Fails checkbox to enable the captive portal policy if the primary authentication is unavailable. This option is only enabled when Captive Portal Enable is selected.
7 Select the Captive Portal Policy to use with the WLAN from the drop-down menu. If no relevant policies exist, select the Create icon to define a new policy to use with this WLAN, or the Edit icon to update the configuration of an existing Captive Portal policy. For more information, see Configuring Captive Portal Policies on page 11-1.
8 Select OK when completed to update the Captive Portal configuration. Select Reset to revert the WLAN Policy Security screen back to the last saved configuration.

6.1.2.5 Passpoint

A passpoint policy provides an interoperable platform for streamlining Wi-Fi access to Access Points deployed as public hotspots (captive portals). Passpoint is supported across a wide range of wireless network deployment scenarios and client devices.

To assign a passpoint policy to a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and select Edit to modify the properties of an existing wireless controller WLAN.
3 Select Security.
4 Refer to the Passpoint field within the WLAN Policy security screen.

Figure 6-9 WLAN Policy Security screen - Passpoint Policy

5 Select an existing Passpoint Policy from the drop-down menu to apply it to the WLAN. If no relevant policies exist, select the Create icon to define a new policy to use with this WLAN, or the Edit icon to update the configuration of an existing passpoint policy. For more information, see Passpoint Policy on page 6-104.
6 Select OK when completed to update the Captive Portal configuration. Select Reset to revert the WLAN Policy Security screen back to the last saved configuration.

6.1.2.6 Registration

Registration requires the validation of devices by address to continue the authentication process.

To assign a Registration to a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and select Edit to modify the properties of an existing wireless controller WLAN.
3 Select Security.
4 Refer to the Registration section within the WLAN Policy security screen.

Figure 6-10 WLAN Policy Security screen - MAC Registration

5 Use the Type of Registration drop-down menu to set the self-registration type for the selected WLAN. Options include None, device, user and device-OTP.
When captive portal guest users authenticate using their User ID (Email Address/Mobile Number/Member ID) and the received pass code in order to complete the registration process, the WLAN authentication type should be MAC-Authentication and the WLAN registration type should be configured as device-OTP.
When captive portal device registration is through social media, the WLAN registration type should be set as device registration, and the captive portal needs to be configured for guest user social authentication.
Enter a 64 character maximum RADIUS Group Name to which the registering user associates. When left blank, users are not associated with a RADIUS group.
Use the Expiry Time spinner control to set the amount of time (from 1 - 43,800 hours) before registration addresses expire and must be re-entered.
Set the Agreement Refresh as the amount of time (from 0 - 144,000 minutes) before the agreement page is displayed if the user has not logged in during the specified period. The default setting is 0 days.
6 Select OK when completed to update the Registration settings. Select Reset to revert the WLAN Policy Security screen back to the last saved configuration.

6.1.2.7 External Controller

To set the WLAN's external controller or service platform security configuration:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and select Edit to modify its properties.
3 Select Security.
4 Refer to the External Controller section within the WLAN Policy security screen.

Figure 6-11 WLAN Policy Security screen - External Controller Field

5 Select the Enable option if WLAN authentication is handled using an external resource. This feature is disabled by default.
Select the Follow AAA option if the resource handling WLAN authentication and accounting is an external RADIUS server specified within an AAA policy. Ensure that an AAA policy identifying the authentication and accounting server exists and is associated with the WLAN. Note that in the case of an EGuest deployment, the authentication and accounting server specified in the AAA policy should point to the EGuest server host.
6 If using an external resource other than the AAA RADIUS server, use the drop-down menu to select either Hostname or IP Address and enter the server information in the Host field. Hostnames cannot include an underscore character.
7 Select the Send Mode as either UDP, HTTP or HTTPS. The default setting is UDP.
8 Select OK when completed to update the External Controller configuration. Select Reset to revert the WLAN Policy Security screen back to the last saved configuration.

6.1.2.8 TKIP-CCMP

CCMP is a security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Chaining (CBC) technique. Changing just one bit in a message produces a totally different result.

The encryption method is Temporal Key Integrity Protocol (TKIP). TKIP addresses WEP's weaknesses with a re-keying mechanism, a per-packet mixing function, a message integrity check and an extended initialization vector. However, TKIP also has vulnerabilities.

To configure TKIP-CCMP encryption on a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to modify its properties.
3 Select Security.
4 Select the TKIP-CCMP radio button from within the Select Encryption field. The screen populates with the parameters required to define a WLAN's TKIP-CCMP configuration for the new or existing WLAN.

Figure 6-12 TKIP-CCMP screen

5 Define Key Settings.
Pre-Shared Key: Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converted into a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.
6 Define Key Rotation values.
Unicast messages are addressed to a single device on the network. Broadcast messages are addressed to multiple devices. When using WPA2, a wireless client can use two keys: one unicast key, for its own traffic to and from an Access Point, and one broadcast key, the common key for all the clients in that subnet. Rotating the keys is recommended so a potential hacker would not have enough data using a single key to attack the deployed encryption scheme.
Unicast Rotation Interval: Define an interval for unicast key transmission in seconds (30 - 86,400). Some clients have issues using unicast key rotation, so ensure you know which kind of clients are impacted before using unicast keys. This feature is disabled by default.
Broadcast Rotation Interval: When enabled, the key indices used for encrypting/decrypting broadcast traffic are alternately rotated based on the defined interval. Define an interval for broadcast key transmission in seconds (30 - 86,400). Key rotation enhances the broadcast traffic security on the WLAN. This feature is disabled by default.
7 Set the following Advanced settings for the WPA/WPA2-TKIP encryption scheme.
TKIP Countermeasure Hold Time: The TKIP countermeasure hold time is the time during which the use of the WLAN is disabled if TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a value in either Hours (0-18), Minutes (0-1,093) or Seconds (0-65,535). The default setting is 1 second.
Exclude WPA2 TKIP: Select this option for an Access Point to advertise and enable support for only WPA-TKIP. This option can be used if certain older clients are not compatible with the newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP but do not support WPA2-CCMP. Enabling this feature is recommended if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP enabled clients. This feature is disabled by default.
Use SHA256: Select to enable use of the SHA-256 hash algorithm with WPA2. This is optional when using WPA2 without 802.11w Protected Management Frames (PMF) enabled. This is mandatory when PMF is enabled.
8 Select OK when completed to update the WLAN's TKIP-CCMP encryption configuration. Select Reset to revert the screen back to its last saved configuration.

6.1.2.8.1 TKIP-CCMP Deployment Considerations

Before defining a TKIP-CCMP supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
TKIP-CCMP should only be enabled for legacy device support when WPA2-CCMP support is not available.
Though TKIP offers better security than WEP, it can be vulnerable to certain attacks.
When both TKIP and CCMP are enabled, a mix of clients is allowed to associate with the WLAN. Some use TKIP, others use CCMP. Since broadcast traffic needs to be understood by all clients, the broadcast encryption type in this scenario is TKIP.

6.1.2.9 WPA2-CCMP

WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP. CCMP is the security standard used by the Advanced Encryption Standard (AES). AES serves the same function TKIP does for WPA-TKIP. CCMP computes a Message Integrity Check (MIC) using the proven Cipher Block Chaining (CBC) technique. Changing just one bit in a message produces a totally different result.

WPA2/CCMP is based on the concept of a Robust Security Network (RSN), which defines a hierarchy of keys with a limited lifetime (similar to TKIP). Like TKIP, the keys the administrator provides are used to derive other keys. Messages are encrypted using a 128-bit secret key and a 128-bit block of data. The end result is an encryption scheme as secure as any the wireless controller provides for its associated clients.

To configure WPA2-CCMP encryption on a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and choose Edit to modify the properties of an existing WLAN.
3 Select Security.
4 Select the WPA2-CCMP check box from within the Select Encryption field. The screen populates with the parameters required to define a WPA2-CCMP configuration for the new or existing WLAN.

Figure 6-13 WPA2-CCMP screen

5 Define Key Settings.
Pre-Shared Key: Enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converted to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.
6 Define Key Rotation values.
Unicast messages are addressed to a single device on the network. Broadcast messages are addressed to multiple devices. When using WPA2-CCMP, a wireless client can use two keys: one unicast key, for its own traffic to and from an Access Point, and one broadcast key, the common key for all the clients in that subnet. Rotating these keys is recommended so a potential hacker will not have enough data using a single key to attack the deployed encryption scheme.
Unicast Rotation Interval: Define an interval for unicast key transmission in seconds (30 - 86,400). Some clients have issues using unicast key rotation, so ensure you know which clients are impacted before using unicast keys. This value is disabled by default.
Broadcast Rotation Interval: When enabled, the key indices used for encrypting/decrypting broadcast traffic are alternately rotated based on the defined interval. Define an interval for broadcast key transmission in seconds (30 - 86,400). Key rotation enhances the broadcast traffic security on the WLAN. This value is disabled by default.
7 Set the following Advanced settings for the WPA2-CCMP encryption scheme.
TKIP Countermeasure Hold Time: The TKIP countermeasure hold time is the time during which the use of the WLAN is disabled if TKIP countermeasures have been invoked on the WLAN. Use the drop-down menu to define a value in either Hours (0-18), Minutes (0-1,092) or Seconds (0-65,535). The default setting is 60 seconds.
Exclude WPA2-TKIP: Select this option for an Access Point to advertise and enable support for only WPA-TKIP. Select this option if certain older clients are not compatible with the newer WPA2-TKIP information elements. Enabling this option allows backwards compatibility for clients that support WPA-TKIP and WPA2-TKIP but do not support WPA2-CCMP. Consider enabling this feature if WPA-TKIP or WPA2-TKIP supported clients operate in a WLAN populated by WPA2-CCMP enabled clients. This feature is disabled by default.
Use SHA256: Select to enable use of the SHA-256 hash algorithm with WPA2.
8 Select OK when completed to update the WLAN's WPA2-CCMP encryption configuration. Select Reset to revert back to its last saved configuration.

WPA2-CCMP Deployment Considerations

Before defining a WPA2-CCMP supported configuration on a wireless controller WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
WPA2-CCMP should be configured for all new (non-visitor) WLANs requiring encryption, as it is supported by the majority of the hardware and client vendors using wireless networking equipment.
WPA2-CCMP supersedes WPA-TKIP and implements all the mandatory elements of the 802.11i standard. WPA2-CCMP introduces a new AES-based algorithm called CCMP which replaces TKIP and WEP and is considered significantly more secure.

6.1.2.10 WEP 64

Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. WEP can be used with open, shared, MAC and 802.1X EAP authentications.

WEP is optimal for WLANs supporting legacy deployments when also used with 802.1X EAP authentication to provide user and device authentication and dynamic WEP key derivation and periodic key rotation. 802.1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered. If 802.1X support is not available on the legacy device, MAC authentication should be enabled to provide device-level authentication.

WEP 64 uses a 40-bit key concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP 64 is a less robust encryption scheme than WEP 128 (containing a shorter WEP algorithm for a hacker to potentially duplicate), but networks that require more security are at risk from a WEP flaw. WEP is only recommended if there are client devices incapable of using higher forms of security. The existing 802.11 standard alone offers administrators no effective method to update keys.

To configure WEP 64 encryption on a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select Edit to modify the properties of an existing WLAN.
3 Select Security.
4 Select the WEP 64 check box from within the Select Encryption field. The screen populates with the parameters required to define a WEP 64 configuration for the WLAN.
5 Configure the following WEP 64 settings:
Figure 6-14 WEP 64 screen

Generate Keys: Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. Wireless devices and their connected clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without adapters need to use WEP keys manually configured as hexadecimal numbers.
Keys 1-4: Use the Key #1-4 fields to specify key numbers. For WEP 64 (40-bit key), the keys are 10 hexadecimal characters in length. Select one of these keys for default activation by clicking its radio button. Selecting Show displays a key in exposed plain text.
Restore Default WEP Keys: If you feel it necessary to restore the WEP algorithm back to its default settings, click the Restore Default WEP Keys button. Default WEP 64 keys are as follows:
Key 1 1011121314
Key 2 2021222324
Key 3 3031323334
Key 4 4041424344
6 Select OK when completed to update the WLAN's WEP 64 encryption configuration. Select Reset to revert the screen back to its last saved configuration.

WEP 64 Deployment Considerations

Before defining a WEP 64 supported configuration on a wireless controller WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
Additional layers of security (beyond WEP) should be enabled to minimize the likelihood of data loss and security breaches. WEP enabled WLANs should be mapped to an isolated VLAN with firewall policies restricting access to hosts and suspicious network applications. WEP enabled WLANs should only be permitted access to resources required by legacy devices.
If WEP support is needed for WLAN legacy device support, 802.1X EAP authentication should also be configured in order for the WLAN to provide authentication and dynamic key derivation and rotation.

6.1.2.11 WEP 128

Wired Equivalent Privacy (WEP) is a security protocol specified in the IEEE Wireless Fidelity (Wi-Fi) standard. WEP is designed to provide a WLAN with a level of security and privacy comparable to that of a wired LAN. WEP can be used with open, shared, MAC and 802.1X EAP authentications.

WEP is optimal for WLANs supporting legacy deployments when also used with 802.1X EAP authentication to provide user and device authentication and dynamic WEP key derivation and periodic key rotation. 802.1X provides authentication for devices and also reduces the risk of a single WEP key being deciphered. If 802.1X support is not available on the legacy device, MAC authentication should be enabled to provide device-level authentication.

WEP 128 uses a 104-bit key which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP may be all a small-business user needs for the simple encryption of wireless data. However, networks that require more security are at risk from a WEP flaw. WEP is only recommended if there are client devices incapable of using higher forms of security. The existing 802.11 standard alone offers administrators no effective method to update keys. WEP 128 provides a more robust encryption algorithm than WEP 64 by requiring a longer key length and pass key, making it harder to hack through the replication of WEP keys.
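The Key Settings passages for TKIP-CCMP and WPA2-CCMP state that the 8-63 character passphrase is "converted into a numeric value" standing in for the 256-bit key, and the WEP 64 and WEP 128 passages give the exact hex key lengths and the factory default keys. The added example below (not code from this guide or from the WiNG product) audits a WLAN's key material against those stated constraints: it performs the passphrase conversion the 802.11 standard specifies, PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations, accepts a 64-hex-digit key as the key itself, checks WEP keys for the 10- or 26-digit length the guide gives, and flags any WEP key that is one of the defaults printed in the guide. The WLAN configuration records are constructed samples; the `audit_wlan` and `check_wep_key` function names are this example's own.

```python
import hashlib
import re

# Key length constraints stated in the guide: 10 hex digits (40-bit) for
# WEP 64, 26 hex digits (104-bit) for WEP 128.
WEP_KEY_HEX_LEN = {"wep64": 10, "wep128": 26}

# Factory default WEP keys as printed in the guide. A WLAN still carrying one
# of these is protected by a key that appears in public documentation.
DEFAULT_WEP_KEYS = {
    "1011121314", "2021222324", "3031323334", "4041424344",
    "101112131415161718191A1B1C", "202122232425262728292A2B2C",
    "303132333435363738393A3B3C", "404142434445464748494A4B4C",
}

_HEX = re.compile(r"^[0-9A-Fa-f]+$")


def wpa2_pmk(psk: str, ssid: str) -> bytes:
    """Convert the administrator-entered pre-shared key into the 256-bit
    Pairwise Master Key. A 64-hex-digit string is the key itself; any other
    string must be 8-63 printable ASCII characters and is stretched with
    PBKDF2-HMAC-SHA1 (salt = SSID, 4096 rounds), as IEEE 802.11i specifies."""
    if len(psk) == 64 and _HEX.match(psk):
        return bytes.fromhex(psk)
    if not 8 <= len(psk) <= 63 or not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("passphrase must be 8-63 printable ASCII characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", psk.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def check_wep_key(key: str, variant: str) -> list:
    """Audit one WEP key field; returns a list of findings (empty means OK)."""
    findings = []
    want = WEP_KEY_HEX_LEN[variant]
    if not _HEX.match(key):
        findings.append("key is not hexadecimal")
    elif len(key) != want:
        findings.append(f"{variant} key must be {want} hex digits, got {len(key)}")
    if key.upper() in DEFAULT_WEP_KEYS:
        findings.append("key is a factory default printed in the product guide")
    return findings


def audit_wlan(cfg: dict) -> list:
    """Run the key-material checks over one WLAN record (constructed shape:
    ssid, encryption, and either psk or wep_keys)."""
    findings = []
    enc = cfg["encryption"]
    if enc in WEP_KEY_HEX_LEN:
        findings.append(f"{enc}: legacy scheme; isolate in its own VLAN and pair with 802.1X EAP")
        for idx, key in enumerate(cfg.get("wep_keys", []), start=1):
            for f in check_wep_key(key, enc):
                findings.append(f"{enc} key {idx}: {f}")
    elif enc == "wpa2-ccmp":
        try:
            wpa2_pmk(cfg["psk"], cfg["ssid"])
        except ValueError as exc:
            findings.append(f"wpa2-ccmp psk: {exc}")
    return findings


# Constructed sample WLAN records (not from the guide).
SAMPLE_WLANS = [
    {"ssid": "legacy-scanners", "encryption": "wep64",
     "wep_keys": ["1011121314", "2021222324", "3031323334", "4041424344"]},
    {"ssid": "corp", "encryption": "wpa2-ccmp", "psk": "short"},
    {"ssid": "IEEE", "encryption": "wpa2-ccmp", "psk": "password"},
]

if __name__ == "__main__":
    for wlan in SAMPLE_WLANS:
        for finding in audit_wlan(wlan) or ["no findings"]:
            print(wlan["ssid"], "-", finding)
```

Because the SSID is the salt, the same passphrase yields a different PMK on every WLAN; the `"password"`/`"IEEE"` pair in the samples is the published 802.11i test vector, so the derivation can be checked against a known answer rather than trusted blindly.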
To configure WEP 128 encryption on a WLAN:
1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select Edit to modify the properties of an existing WLAN.
3 Select Security.
4 Select the WEP 128 check box from within the Select Encryption field. The screen populates with the parameters required to define a WEP 128 configuration for the WLAN.
5 Configure the following WEP 128 settings:
Figure 6-15 WEP 128 screen

Generate Keys: Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. Wireless devices and their connected clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without adapters need to use WEP keys manually configured as hexadecimal numbers.
Keys 1-4: Use the Key #1-4 areas to specify key numbers. For WEP 128 (104-bit key), the keys are 26 hexadecimal characters in length. Select one of these keys for default activation by clicking its radio button. Selecting Show displays a key in exposed plain text.
Restore Default WEP Keys: If you feel it necessary to restore the WEP algorithm back to its default settings, click the Restore Default WEP Keys button. Default WEP 128 keys are as follows:
Key 1 101112131415161718191A1B1C
Key 2 202122232425262728292A2B2C
Key 3 303132333435363738393A3B3C
Key 4 404142434445464748494A4B4C
6 Select OK when completed to update the WLAN's WEP 128 encryption configuration. Select Reset to revert the screen back to its last saved configuration.

WEP 128 Deployment Considerations

Before defining a WEP 128 supported configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
- Additional layers of security (beyond WEP) should be enabled to minimize the likelihood of data loss and security breaches.
- WEP enabled WLANs should be mapped to an isolated VLAN with firewall policies restricting access to hosts and suspicious network applications.
- WEP enabled WLANs should only be permitted access to resources required by legacy devices.
- If WEP support is needed for WLAN legacy device support, 802.1X EAP authentication should also be configured in order for the WLAN to provide authentication and dynamic key derivation and rotation.

6.1.2.12 Keyguard

Keyguard is a form of WEP, and could be all a small business needs for the simple encryption of wireless data. KeyGuard is a proprietary encryption method and an enhancement to WEP encryption, and was developed before the finalization of WPA-TKIP. The Keyguard encryption implementation is based on the IEEE Wi-Fi standard, 802.11i.

To configure Keyguard encryption on a WLAN:

1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing WLAN.
3 Select Security.
4 Select the Keyguard check box from within the Select Encryption field. The screen populates with the parameters required to define a KeyGuard configuration for the WLAN.
5 Configure the following Keyguard settings:

Figure 6-16 WLAN KeyGuard Configuration screen

Generate Keys: Specify a 4 to 32 character Pass Key and click the Generate button. The pass key can be any alphanumeric string. Clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without adapters need to use keys manually configured as hexadecimal numbers.

Keys 1-4: Use the Key #1-4 areas to specify key numbers. For Keyguard (104-bit key), the keys are 26 hexadecimal characters in length. Select one of these keys for default activation by clicking its radio button. Selecting Show displays a key in exposed plain text.

Restore Default WEP Keys: If you feel it necessary to restore the Keyguard algorithm back to its default settings, click the Restore Default WEP Keys button. This may be the case if the latest defined algorithm has been compromised and no longer provides its former measure of data security. Default WEP Keyguard keys are as follows:

Key 1 101112131415161718191A1B1C
Key 2 202122232425262728292A2B2C
Key 3 303132333435363738393A3B3C
Key 4 404142434445464748494A4B4C

6 Select OK when completed to update the WLAN's Keyguard encryption configuration. Select Reset to revert the screen back to its last saved configuration.

KeyGuard Deployment Considerations

Before defining a Keyguard configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
- Authentication techniques can also be enabled on WLANs supporting other proprietary techniques, such as KeyGuard.
- A WLAN using KeyGuard to support legacy devices should also use largely limited to the support of just those legacy clients using KeyGuard.

6.1.2.13 T5 Controller Security

A T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. The Customer Premises Equipment (CPEs) are the T5 controller managed radio devices. These CPEs use Digital Subscriber Line (DSL) as their high speed Internet access mechanism using the CPE's physical wallplate connection and phone jack.

To configure WLAN security settings for a T5 controller and its connected CPEs:

1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing WLAN.
3 Select Security.
4 Refer to the T5 PowerBroadband Security field at the bottom of the screen.
5 Configure the following T5 PowerBroadband Security settings (available only when the WLAN supports T5 controllers and their connected CPE radio devices):

Figure 6-17 T5 PowerBroadband Security screen

Pre-Authentication: Select this option to invoke the use of pre-authentication 802.11i fast roaming. This setting is disabled by default.

Enable: Select this option to enable the Security Type and WEP Encryption Type drop-down menus used to define and apply different encryption and authentication settings to the T5 WLAN security configuration.

Security Type: Use the drop-down menu to select the security type to apply to the WLAN. Options include static-wep (default), wpa-enterprise and wpa-personal.

WEP Encryption Type: If static-wep is selected as the Encryption Type, use this setting to apply either a WEP64 or WEP128 encryption algorithm to the T5 support WLAN configuration.

Encryption Type: If wpa-enterprise or wpa-personal are selected as the Encryption Type, use this setting to apply either a CCMP, TKIP or TKIP-CCMP encryption algorithm to the T5 controller WLAN security configuration.

HEX: If using static-wep, provide the 10-26 character Hex password used to derive the security key.

Passphrase: If using static-wep, enter either an alphanumeric string of 8 to 63 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converted into a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.

PSK: Enter an alphanumeric string as the primary string both transmitting and receiving authenticators must share. The alphanumeric string allows character spaces. The string is converted into a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.

Version: If wpa-enterprise or wpa-personal are selected as the Encryption Type, use this setting to apply a WPA or WPA2 encryption scheme to the T5 support WLAN configuration.

6 Select OK when completed to update the T5 PowerBroadband Security configuration. Select Reset to revert the screen back to its last saved configuration.

6.1.3 Configuring WLAN Firewall Support

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as mechanisms both blocking and permitting data traffic. For an overview of firewalls, see Wireless Firewall on page 10-1.

WLANs use firewalls like Access Control Lists (ACLs) to filter/mark packets based on the WLAN from which they arrive, as opposed to filtering packets on Layer 2 ports. An ACL contains an ordered list of Access Control Entries (ACEs). Each ACE specifies an action and a set of conditions (rules) a packet must satisfy to match the ACE. The order of conditions in the list is critical since filtering is stopped after the first match.

IPv4 and IPv6 based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL.

Additionally, administrators can filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic. Keep in mind IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

To review access policies, create a new policy or edit the properties of an existing policy:

1 Select Configuration > Wireless LANs > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create a new WLAN or Edit to modify the properties of an existing WLAN.
3 Select Firewall from the Wireless LAN Policy options.

Figure 6-18 WLAN Policy Firewall screen

The screen displays editable fields for IP Firewall Rules, MAC Firewall Rules, Trust Parameters, IPv6 Settings and Wireless Client Deny limits. Select an existing Inbound IP Firewall Rule and Outbound IP Firewall Rule using the drop-down menu. If no rules exist, select the Create icon to display a screen where Firewall rules can be created. Select the Edit icon to modify the configuration of a selected Firewall policy configuration.

4 If creating a new IP firewall rule, provide a name up to 32 characters.
5 Select the Add button.

Figure 6-19 IP Firewall Rules screen

6 IP firewall rule configurations can either be modified as a collective group of variables or selected and updated individually as their filtering attributes require a more refined update.
a. Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
b. Click the icon within the Description column (top right-hand side of the screen) and select IP filter values as needed to add criteria into the configuration of the IP ACL.

Figure 6-20 IP Firewall Rules Add Criteria screen

Figure 6-21 IP Firewall Rules Add Criteria screen

NOTE: Only those selected IP ACL filter attributes display. Each value can have its current setting adjusted by selecting that IP ACL's column to display a pop-up to adjust that one value.

7 Define the following IP firewall rule settings as required:
Precedence: Specify or modify a precedence for this IP policy between 1-5000. Rules with lower precedence are always applied to packets first. If modifying a precedence to apply a higher integer, it will move down the table to reflect its lower priority.

Action: Every IP Firewall rule is made up of matching criteria rules. The action defines the packet's disposition if it matches the specified criteria. The following actions are supported:
- Deny - Instructs the Firewall to restrict a packet from proceeding to its destination.
- Allow - Instructs the Firewall to allow a packet to proceed to its destination.

DNS Name: Specify the DNS Name, which may be a full domain name, a portion of a domain name or a suffix. This name is used for the DNS Match Type criteria.

DNS Match Type: Specify the DNS matching criteria that the DNS Name can be matched against. This can be configured as an exact match for a DNS domain name, a suffix for the DNS name or a domain that contains a portion of the DNS name. If traffic matches the configured criteria in the DNS Match Type, that rule will be applied to the ACL.

Source: Select the source IP address or network group configuration used as basic matching criteria for this IP ACL rule.

Destination: Determine whether filtered packet destinations for this IP firewall rule do not require any classification (any), are designated as a set of configurations consisting of protocol and port mappings (an alias), set as a numeric IP address (host) or defined as network IP and mask. Selecting alias requires a destination network group alias be available or created.

Network Service Alias: The service alias is a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Set an alphanumeric service alias (beginning with a $) and include the protocol as relevant. Selecting either tcp or udp displays an additional set of specific TCP/UDP source and destination port options.

Source Port: If using either tcp or udp as the protocol, define whether the source port for incoming IP ACL rule application is any, equals or an administrator defined range. If not using tcp or udp, this setting displays as N/A. This is the data local origination port designated by the administrator. Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for Low and High numeric range settings. A source port cannot be a destination port.

Destination Port: If using either tcp or udp as the protocol, define whether the destination port for outgoing IP ACL rule application is any, equals or an administrator defined range. If not using tcp or udp, this setting displays as N/A. This is the data destination virtual port designated by the administrator. Selecting equals invokes a spinner control for setting a single numeric port. Selecting range displays spinner controls for Low and High numeric range settings.

ICMP Type: Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. The Internet Control Message Protocol (ICMP) uses messages identified by numeric type. ICMP messages are used for packet flow control or generated in IP error responses. ICMP errors are directed to the source IP address of the originating packet. Assign an ICMP type from 1-10.

ICMP Code: Selecting ICMP as the protocol for the IP rule displays an additional set of ICMP specific options for ICMP type and code. Many ICMP types have a corresponding code, helpful for troubleshooting network issues (0 - Net Unreachable, 1 - Host Unreachable, 2 - Protocol Unreachable etc.).

Start VLAN: Select a Start VLAN icon within a table row to set (apply) a start VLAN range for this IP ACL filter. The Start VLAN represents the virtual LAN beginning numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply.

End VLAN: Select an End VLAN icon within a table row to set (apply) an end VLAN range for this IP ACL filter. The End VLAN represents the virtual LAN end numeric identifier arriving packets must adhere to in order to have the IP ACL rules apply.

Mark: Select an IP Firewall rule's Mark checkbox to enable or disable event marking and set the rule's 8021p or dscp level (from 0 - 7).

Log: Select an IP Firewall rule's Log checkbox to enable or disable event logging for this rule's usage.

Enable: Select an IP Firewall rule's Enable or Disable icon to determine this rule's inclusion with the IP firewall policy.

Description: Lists the administrator assigned description applied to the IP ACL rule. Select a description within the table to modify its character string as filtering changes warrant. Select the icon within the Description table header to launch a Select Columns screen used to add or remove IP ACL criteria from the table.

8 Select existing inbound and outbound MAC Firewall Rules using the drop-down menu. If no rules exist, select Create to display a screen where Firewall rules can be created. MAC firewall rules can also be applied to an EX3500 Ethernet PoE switch connected and utilized by a WiNG managed device.
9 Select the + Add Row button.
10 Select the added row to expand it into configurable parameters.
11 Define the following parameters for either the inbound or outbound MAC Firewall Rules for either a WiNG managed device or an EX3500 switch connected to a WiNG managed device:
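The precedence-ordered, first-match evaluation the guide describes for IP firewall rules, as an added example that is not part of the guide or of the WiNG software: a small Python evaluator run over constructed sample rules and packets. `Rule`, `Packet` and `evaluate` are hypothetical names, and treating a packet that matches no rule as denied is an assumption of this example, not something the guide states.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed, hypothetical example (not WiNG's own code). It applies the IP
# firewall rule semantics the guide describes: rules are sorted by precedence
# (1-5000, lower applied first), a packet is compared against the rules in that
# order, and evaluation stops at the first match. deny/allow is the
# disposition; mark and log are reported alongside it.

@dataclass
class Packet:
    src: str                 # source IPv4 address
    dst: str                 # destination IPv4 address
    proto: str               # "tcp", "udp", "icmp" or another protocol name
    vlan: int                # VLAN the packet arrived on
    sport: int = 0           # tcp/udp source port (0 when not applicable)
    dport: int = 0           # tcp/udp destination port
    icmp_type: int = -1      # ICMP type and code, -1 when not ICMP
    icmp_code: int = -1

@dataclass
class Rule:
    precedence: int                        # 1-5000, lower is applied first
    action: str                            # "deny" or "allow"
    src: str = "any"                       # "any", host address or CIDR network
    dst: str = "any"
    proto: str = "any"                     # "any", "tcp", "udp", "icmp", ...
    sport: Tuple[int, int] = (0, 65535)    # equals -> (p, p); range -> (low, high)
    dport: Tuple[int, int] = (0, 65535)
    icmp_type: Optional[int] = None        # consulted only when proto == "icmp"
    icmp_code: Optional[int] = None
    vlan: Tuple[int, int] = (1, 4094)      # Start VLAN / End VLAN window
    mark: Optional[str] = None             # e.g. "dscp 3"; None means no marking
    log: bool = False
    description: str = ""

    def __post_init__(self):
        if not 1 <= self.precedence <= 5000:
            raise ValueError("precedence must be between 1 and 5000")
        if self.action not in ("deny", "allow"):
            raise ValueError("action must be deny or allow")

def _addr_match(selector: str, addr: str) -> bool:
    # "any" matches everything; a host or CIDR selector is a membership test.
    if selector == "any":
        return True
    return ip_address(addr) in ip_network(selector, strict=False)

def _in_range(window: Tuple[int, int], value: int) -> bool:
    low, high = window
    return low <= value <= high

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every configured criterion must hold for the rule to match."""
    if not _in_range(rule.vlan, pkt.vlan):
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.proto in ("tcp", "udp"):
        # Port criteria exist only for tcp/udp (the screen shows N/A otherwise).
        if not (_in_range(rule.sport, pkt.sport) and _in_range(rule.dport, pkt.dport)):
            return False
    if rule.proto == "icmp":
        if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
            return False
        if rule.icmp_code is not None and rule.icmp_code != pkt.icmp_code:
            return False
    return True

def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> dict:
    """First-match evaluation in precedence order. `default` applies when no
    rule matches; defaulting to deny is an assumption of this example."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule_matches(rule, pkt):
            return {"action": rule.action, "precedence": rule.precedence,
                    "mark": rule.mark, "log": rule.log, "rule": rule.description}
    return {"action": default, "precedence": None, "mark": None,
            "log": False, "rule": None}

# Constructed sample policy for a legacy-device WLAN on VLAN 40: permit DNS to
# one resolver, deny and log anything else into 10.0.0.0/8, and let remaining
# traffic through with a DSCP mark. Listed out of precedence order on purpose:
# sorting, not list position, decides which rule is checked first.
SAMPLE_RULES = [
    Rule(20, "deny", dst="10.0.0.0/8", log=True, description="block-corp"),
    Rule(10, "allow", dst="10.0.0.53", proto="udp", dport=(53, 53),
         description="dns-only"),
    Rule(30, "allow", mark="dscp 3", description="default-out"),
]
DNS = Packet("172.16.40.7", "10.0.0.53", "udp", vlan=40, sport=40001, dport=53)
SSH = Packet("172.16.40.7", "10.0.1.5", "tcp", vlan=40, sport=40002, dport=22)
WEB = Packet("172.16.40.7", "203.0.113.10", "tcp", vlan=40, sport=40003, dport=443)

if __name__ == "__main__":
    for name, p in (("dns", DNS), ("ssh", SSH), ("web", WEB)):
        print(name, evaluate(SAMPLE_RULES, p))
```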
Figure 6-22 MAC Firewall Rules screen

Allow: Every IP Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported:
- Deny - Instructs the Firewall to deny a packet from proceeding to its destination.
- Permit - Instructs the Firewall to allow a packet to proceed to its destination.

VLAN ID: Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 - 4094. EX3500 PoE switches utilize a VLAN Mask option (from 0 - 4095) to mask the exposure of the VLAN ID.

Match 802.1P: Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0-7.

Source and Destination MAC: Enter both Source and Destination MAC addresses. The wireless controller uses the source IP address and destination MAC address as basic matching criteria. Provide a subnet mask if using a mask.

Action: The following actions are supported:
- Log - Creates a log entry that a Firewall rule has allowed a packet to either be denied or permitted.
- Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit.
- Mark, Log - Conducts both mark and log functions.

Traffic Class: Sets an ACL traffic classification value for the packets identified by this inbound MAC filter. Traffic classifications are used for QoS purposes. Use the spinner to define a traffic class from 1-10.

Ethertype: Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp or monitor 8021q. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame. EX3500 PoE switches utilize an Ether Mask option (from 0 - 65535) to mask the exposure of the Ethertype.

Precedence: Use the spinner control to specify a precedence for this MAC Firewall rule between 1-1500. Access policies with lower precedence are always applied first to packets.

Description: Provide an ACL setting description (up to 64 characters) for the rule to help differentiate it from others with similar configurations.

12 If creating a new Association ACL, provide a name specific to its function. Avoid naming it after a WLAN it may support. The name cannot exceed 32 characters.
13 Assign an Application Policy to the firewall and set the following metadata extraction rules:

Application Policy: Use the drop-down menu to assign an application policy to the WLAN's firewall configuration. When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized HTTP, SSL and voice/video applications. For more information, refer to Application on page 7-58.

Voice/Video Metadata: Select this option to enable the extraction of voice and video metadata flows. When enabled, administrators can track voice and video calls by extracting parameters (packets transferred and lost, jitter, audio codec and application name). Most Enterprise VoIP applications like facetime, skype for business and VoIP terminals can be monitored for call quality and visualized on the NSight dashboard in a manner similar to HTTP and SSL. Call quality and metrics can only be determined from calls established unencrypted. This setting is disabled by default.

HTTP Metadata: Select this option to enable the extraction of HTTP flows. When enabled, administrators can track HTTP Websites accessed by both internal and guest clients and visualize HTTP data usage, hits, active time and total clients on the NSight applications dashboard. This setting is disabled by default.

SSL Metadata: Select this option to enable the extraction of SSL flows. When enabled, administrators can track SSL Websites accessed by both internal and guest clients and visualize SSL data usage, hits, active time and total clients on the NSight applications dashboard. This setting is disabled by default.

Enable TCP RTT: Select this option to enable the extraction of Round Trip Time (RTT) from Transmission Control Protocol (TCP) flows. When enabled, the RTT information from TCP flows detected on the VLAN interface associated with the WLAN is extracted and forwarded to the NSight server by Access Points. However, this TCP-RTT metadata is viewable only on the NSight dashboard. Therefore, ensure the NSight server is up, an NSight policy (pointing to the NSight server) is applied on the Access Point's RF Domain, and NSight analytics data collection is enabled. This setting is disabled by default.

14 Set the following Trust Parameters:
ARP Trust: Select the check box to enable ARP Trust on this WLAN. ARP packets received on this WLAN are considered trusted and information from these packets is used to identify rogue devices within the network. This setting is disabled by default.

Validate ARP Header Mismatch: Select this option to verify the mismatch for source MAC in the ARP and Ethernet headers. By default, mismatch verification is enabled.

DHCP Trust: Select the check box to enable DHCP trust on this WLAN. This setting is disabled by default.

15 Set the following IPv6 Settings:

ND Trust: Select this option to enable the trust of neighbor discovery requests on an IPv6 supported firewall on this WLAN. This setting is disabled by default.

Validate ND Header Mismatch: Select this option to enable a mismatch check for the source MAC within the ND header and Link Layer Option. This setting is enabled by default.

DHCPv6 Trust: Select this option to enable trust of all DHCPv6 responses on this WLAN's firewall. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is disabled by default.

RA Guard: Select this option to enable router advertisements or ICMPv6 redirects on this WLAN's firewall. This setting is disabled by default.

16 Set the following Wireless Client Deny configuration:

Wireless Client Denied Traffic Threshold: If enabled, any associated client which exceeds the thresholds configured for storm traffic is either deauthenticated or blacklisted depending on the selected action. The threshold range is 1-1000000 packets per second. This feature is disabled by default.

Action: If enabling a wireless client threshold, use the drop-down menu to determine whether clients are deauthenticated when the threshold is exceeded or blacklisted from connectivity for a user defined interval. Selecting None applies no consequence to an exceeded threshold.

Blacklist Duration: Select the check box and define a setting between 0 - 86,400 seconds. Once the blacklist duration has been exceeded, offending clients can reauthenticate once again.

17 Set a Firewall Session Hold Time in either Seconds (1 - 300) or Minutes (1 - 5). This is the hold time for caching user credentials and firewall state information when a client roams. The default setting is 30 seconds.
18 Select OK when completed to update this WLAN's Firewall settings. Select Reset to revert the screen back to its last saved configuration.

WLAN Firewall Deployment Considerations

Before defining an access control configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:

- IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL to the interface.

6.1.4 Configuring Client Settings

Each WLAN can maintain its own unique client support configuration. These include wireless client inactivity timeouts and broadcast settings.

1 Select Configuration > Wireless > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN, or select an existing WLAN and Edit to modify its properties.
3 Select the Client Settings tab.

Figure 6-23 WLAN Policy Client Settings screen

4 Define the following Client Settings for the WLAN:
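The Wireless Client Deny threshold, action and blacklist duration described in step 16 above, as an added example that is not part of the guide or of the WiNG software: a Python model replayed over a constructed stream of per-client packet counts. `ClientDenyPolicy` and `simulate` are hypothetical names, and counting packets per whole second is an assumption of this example, not the platform's measured behaviour.

```python
# Constructed, hypothetical example (not WiNG's own code) of the Wireless
# Client Deny logic the guide describes: a per-client packet-rate threshold
# (1-1000000 packets per second), an action of none, deauthenticate or
# blacklist, and a blacklist duration (0-86,400 seconds) after which the
# offending client may reauthenticate. Packets are counted per whole second,
# a simplification of however the platform measures storm traffic.

class ClientDenyPolicy:
    def __init__(self, threshold_pps: int, action: str = "blacklist",
                 blacklist_seconds: int = 300) -> None:
        if not 1 <= threshold_pps <= 1_000_000:
            raise ValueError("threshold must be 1-1000000 packets per second")
        if action not in ("none", "deauthenticate", "blacklist"):
            raise ValueError("action must be none, deauthenticate or blacklist")
        if not 0 <= blacklist_seconds <= 86_400:
            raise ValueError("blacklist duration must be 0-86,400 seconds")
        self.threshold = threshold_pps
        self.action = action
        self.duration = blacklist_seconds
        self._counts = {}      # client MAC -> (second, packets seen in that second)
        self._blacklist = {}   # client MAC -> time at which the entry expires

    def is_blacklisted(self, mac: str, now: float) -> bool:
        """True while a blacklist entry is live; expired entries are cleared."""
        expiry = self._blacklist.get(mac)
        if expiry is None:
            return False
        if now >= expiry:
            del self._blacklist[mac]   # duration exceeded: may reauthenticate
            return False
        return True

    def observe(self, mac: str, now: float, packets: int = 1) -> str:
        """Account `packets` from an associated client and return the verdict."""
        if self.is_blacklisted(mac, now):
            return "blocked"
        sec = int(now)
        last_sec, count = self._counts.get(mac, (sec, 0))
        count = count + packets if last_sec == sec else packets
        self._counts[mac] = (sec, count)
        if count <= self.threshold:
            return "ok"
        # Threshold exceeded: apply the configured consequence.
        if self.action == "deauthenticate":
            self._counts.pop(mac, None)
            return "deauthenticated"
        if self.action == "blacklist":
            self._blacklist[mac] = now + self.duration
            self._counts.pop(mac, None)
            return "blacklisted"
        return "ok"   # action none: no consequence for an exceeded threshold


def simulate(policy: ClientDenyPolicy, events) -> list:
    """Replay (timestamp, client MAC, packet count) events through a policy."""
    return [policy.observe(mac, ts, n) for ts, mac, n in events]


# Constructed sample: one client bursts past a 100 pps threshold at t=10,
# a second client stays under it, and the first returns after a 60 s ban.
SAMPLE_EVENTS = [
    (10.0, "aa:bb:cc:00:00:01", 100),
    (10.2, "aa:bb:cc:00:00:01", 1),
    (10.5, "aa:bb:cc:00:00:01", 1),
    (10.5, "aa:bb:cc:00:00:02", 50),
    (71.0, "aa:bb:cc:00:00:01", 1),
]

if __name__ == "__main__":
    print(simulate(ClientDenyPolicy(100, "blacklist", 60), SAMPLE_EVENTS))
```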
Enable Client-to-Client Communication: Select this option to enable client to client communication within this WLAN. The default is enabled, meaning clients are allowed to exchange packets with other clients. It does not necessarily prevent clients on other WLANs from sending packets to this WLAN, but as long as this setting is also disabled on that WLAN, clients are not permitted to interoperate.

Wireless Client Power: Use this parameter to set the maximum transmit power (between 0 - 20 dBm) communicated to wireless clients for transmission within the network. The default value is 20 dBm.

Wireless Client Idle Time: Set the maximum amount of time wireless clients are allowed to be idle within this WLAN. Set the idle time in either Seconds (60 - 86,400), Minutes (1 - 1,440), Hours (1 - 24) or Days (1). When this setting is exceeded, the client is no longer able to access resources and must re-authenticate. The default value is 1,800 seconds.

Max Firewall Sessions per Client: Select this option to set the maximum amount of sessions (between 10 - 10,000) clients within the network may hold over the Firewall. When enabled, this parameter limits the number of simultaneous sessions allowed by the Firewall per wireless client. This feature is disabled by default.

Max Clients Allowed Per Radio: Use the spinner control to set the maximum number of clients (from 0 - 256) allowed to associate to each radio within this WLAN. The default setting is 256.

Radio Resource Measurement: Select this option to enable radio resource measurement capabilities (IEEE 802.11k) on this WLAN. 802.11k improves how traffic is distributed. In a WLAN, each device normally connects to an Access Point with the strongest signal. Depending on the number and locations of the clients, this arrangement can lead to excessive demand on one Access Point and underutilization of others, resulting in degradation of overall network performance. With 802.11k, if the Access Point with the strongest signal is loaded to its capacity, a client connects to an underutilized Access Point. Even if the signal is weaker, the overall throughput is greater since it is an efficient use of the network's resources. This setting is disabled by default.

Radio Resource Measurement Channel Report: Select this option to enable radio resource measurement channel reporting (IEEE 802.11k) on this WLAN. This setting is disabled by default.

Enforce Client Load Balancing: Select the check box to distribute clients evenly amongst associated Access Point radios. This feature is disabled by default. Loads are balanced by ignoring association and probe requests. Probe and association requests are not responded to, forcing a client to associate with another Access Point radio.

Enforce DHCP Client Only: Select the check box to enforce that the firewall only allows packets from clients if they used DHCP to obtain an IP address, disallowing static IP addresses. This feature is disabled by default.

Proxy ARP Mode: Use the drop-down menu to define the proxy ARP mode as either Strict or Dynamic. Proxy ARP is the technique used to answer ARP requests intended for another system. By faking its identity, the Access Point accepts responsibility for routing packets to the actual destination. Dynamic is the default value.

Proxy ND Mode: Use the drop-down menu to define the proxy neighbor discovery (ND) mode for WLAN member clients as either Strict or Dynamic. ND Proxy is used in IPv6 to provide reachability by allowing a client to act as proxy. Proxy certificate signing can be done either dynamically (requiring exchanges of identity and authorization information) or statically when the network topology is defined. Dynamic is the default value.

Enforce DHCP-Offer Validation: Select the check box to enforce DHCP offer validation. The default setting is disabled.

5 Define the following WiNG Client Extensions to potentially increase client roaming reliability and handshake speed:
Move Operations Smart Scan Symbol Information Element WMM Load Information Element Scan Assist FT Aggregate Channel Info Interval Select the check box to enable the use of Hyper-Fast Secure Roaming
(HFSR) for clients utilizing this WLAN. This feature applies only to certain client devices. This feature is disabled by default. Enable smart scan to adjust clients channel scans to a few channels as opposed to all available channels. This feature is disabled by default. Select the check box to support the Symbol Information Element with legacy Symbol Technology clients, thus making them optimally interoperable with the latest Extreme Networks Access Points. The default setting is enabled. Select the check box to support a WMM Load Information Element in radio transmissions with legacy clients. The default setting is disabled. Enable scan assist to achieve faster roams on DFS channels by eliminating passive scans. Clients would get channel information directly from possible roam candidates. This setting is disabled by default. Enable fast transition (FT) aggregate to increase roaming speed by eliminating separate key exchange handshake frames with potential roam candidates. Enable fast transition to complete an initial FT over DS handshake with multiple roam candidates (up to 6) at once, eliminating the need to send separate FT over DS handshakes to each roam candidate. This setting is disabled by default. Configure the channel information interval to periodically retrieve channel information directly from potential roam candidates without making a scan assist request. 6 Define the following Coverage Hole Detection settings to determine how detected coverage holes are managed:
Enable Use 11k Clients Threshold Enable this setting to inform an Access Point when it experiences a coverage hole (area of poor wireless coverage). This setting is disabled by default. Optionally enable this setting to also use 802.11k-only-capable clients to detect coverage holes. This is a reduced set of coverage hole detection capabilities (only standard 11k messages and behaviors). This setting is disabled by default. Use the spinner control to set the Access Point signal strength (as seen by the client) below which a coverage hole incident is reported. The threshold can be set from -80 to -60. Wireless Controller and Service Platform System Reference Guide 6 - 37 Wireless Configuration Offset Use the spinner control to set the offset added to the threshold to obtain the Access Point signal strength (as seen by the client) considered adequate. The offset can be set from 5 to 20. 7 Set the following AP Attributes Information:
Enable Include Hostname Select this option to include the AP-Attributes information element in the beacon. The information element helps clients recognize which wing-extensions are supported by the AP. This setting is enabled by default. Select this option to include the AP's hostname in the AP-Attributes information element. This setting is disabled by default. 8 Define the following Timeout Settings for the WLAN:
| Setting | Description |
|---|---|
| Credential Cache Timeout | Set a timeout period for the credential cache in Days, Hours, Minutes or Seconds. |
| VLAN Cache Timeout | Set a timeout period for the VLAN cache in Days, Hours, Minutes or Seconds. |

9 Select Controller Assisted Mobility, within the Mobility field, to use a controller or service platform's mobility database to assist in roaming between RF Domains. This feature is disabled by default.

10 Use the Device ID settings, within the OpenDNS field, to specify a 16 character maximum OpenDNS device ID forwarded in a DNS query. OpenDNS extends DNS by adding features such as misspelling correction, phishing protection, and optional content filtering.

11 Select Client Isolation, within the T5 PowerBroadband Client Settings field, to disallow clients connecting to the WLAN from communicating with one another. This setting applies exclusively to CPE devices managed by a T5 controller and is disabled by default. Use the Inactivity Time Out field to define the inactivity timeout specific to T5 clients. Set the maximum amount of time T5 clients are allowed to be idle within this WLAN. Set the idle time in either Seconds (60 - 86,400), Minutes (1 - 1,440), Hours (0 - 24) or Days (0 - 1). When this setting is exceeded, the client is no longer able to access resources and must reauthenticate. The default value is 1,800 seconds.

A T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in T5 management within a WiNG supported subnet populated by both types of devices. The Customer Premises Equipment (CPEs) are the T5 controller managed radio devices. These CPEs use a Digital Subscriber Line (DSL) as their high speed Internet access mechanism, using the CPE's physical wallplate connection and phone jack.

12 Select OK when completed to update the WLAN's client setting configuration. Select Reset to revert the screen back to the last saved configuration.

6.1.4.1 WLAN Client Setting Deployment Considerations

Before defining a WLAN's client settings, refer to the following deployment guidelines to ensure the configuration is optimally effective:
- Clients on the same WLAN associated with an AAP can communicate locally at the AP level without going through the controller or service platform. If this is undesirable, the Access Point's Client-to-Client Communication option should be disabled.
- When the wireless client idle time setting is exceeded, the client is no longer able to access WLAN resources and must re-authenticate. The default value is 1,800 seconds.

6.1.5 Configuring WLAN Accounting Settings

Accounting is the method of collecting and sending security server information for billing, auditing, and reporting user data, such as start and stop times, executed commands (such as PPP), number of packets and number of bytes. Accounting enables wireless network administrators to track the services users are accessing and the network resources they are consuming. When accounting is enabled, the network access server reports and logs user activity to a RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored on a local access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA. Accounting can be enabled and applied to WLANs, to uniquely log accounting events specific to the WLAN.

Accounting logs contain information about the use of remote access services by users. This information is of great assistance in partitioning local versus remote users and deciding how to best accommodate each. Remote user information can be archived to an external location for periodic network and user permission administration.

To configure WLAN accounting settings:
1 Select Configuration > Wireless LANs > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing WLAN.
3 Select Accounting.

Figure 6-24 WLAN Policy Accounting screen

4 Set the following System Log Accounting information:
| Setting | Description |
|---|---|
| Enable Syslog Accounting | Use this option to generate accounting records in standard syslog format (RFC 3164). The feature is disabled by default. |
| Syslog Host | Specify the IP address or hostname of the external syslog host where accounting records are routed. Hostnames cannot include an underscore character. |
| Syslog Port | Use the spinner control to set the destination UDP port number of the external syslog host where the accounting records are routed. |
| Proxy Mode | If a proxy is needed to connect to the syslog server, choose a proxy mode of Through RF Domain Manager or Through Wireless Controller. If no proxy is needed, select None. |
| Format | Specify the delimiter format for the MAC address packed into the syslog request. Available formats are No Delimiter (aabbccddeeff), Colon Delimiter (aa:bb:cc:dd:ee:ff), Dash Delimiter (aa-bb-cc-dd-ee-ff), Dot Delimiter (aabb.ccdd.eeff) and Middle Dash Delimiter (aabbcc-ddeeff). |
| Case | Specify whether MAC addresses are sent in Uppercase or Lowercase in syslog requests. |

5 Select the Enable RADIUS Accounting check box to use an external RADIUS resource for AAA accounting. When the check box is selected, an AAA Policy field displays. Either use the default AAA policy with the WLAN, or select Create to define a new AAA configuration that can be applied to the WLAN. This setting is disabled by default.

6 Select OK when completed to update this WLAN's accounting settings. Select Reset to revert the screen to its last saved configuration.

6.1.5.1 Accounting Deployment Considerations

Before defining a WLAN AAA configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:
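The Format and Case options of the syslog accounting screen decide how the client MAC address is packed into each accounting record. The following is an added example (not WiNG code): it renders a MAC in each of the five listed delimiter formats, recovers it from a received record whichever format the sender chose, and applies the rule that a syslog hostname may not contain an underscore. The sample record and hostnames are constructed for the example.

```python
"""Syslog accounting MAC formats (No/Colon/Dash/Dot/Middle Dash Delimiter),
the Uppercase/Lowercase option, and the syslog host rule. Added example, not WiNG code."""
import ipaddress
import re
from typing import Optional

# Delimiter formats named on the screen: (hex digits per group, separator).
MAC_FORMATS = {
    "No Delimiter": (12, ""),           # aabbccddeeff
    "Colon Delimiter": (2, ":"),        # aa:bb:cc:dd:ee:ff
    "Dash Delimiter": (2, "-"),         # aa-bb-cc-dd-ee-ff
    "Dot Delimiter": (4, "."),          # aabb.ccdd.eeff
    "Middle Dash Delimiter": (6, "-"),  # aabbcc-ddeeff
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def normalize_mac(mac: str) -> str:
    """Strip any supported delimiter and return 12 lowercase hex digits.
    Raises ValueError for anything that is not a 48-bit MAC address."""
    digits = re.sub(r"[:.\-\s]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def format_mac(mac: str, fmt: str = "No Delimiter", case: str = "Lowercase") -> str:
    """Pack a MAC the way the Format and Case settings would."""
    if fmt not in MAC_FORMATS:
        raise ValueError(f"unknown Format: {fmt!r}")
    if case not in ("Uppercase", "Lowercase"):
        raise ValueError(f"unknown Case: {case!r}")
    digits = normalize_mac(mac)
    size, sep = MAC_FORMATS[fmt]
    out = sep.join(digits[i:i + size] for i in range(0, 12, size))
    return out.upper() if case == "Uppercase" else out

# One alternative per screen format, so a collector can key on a canonical MAC
# regardless of the Format/Case the sending controller was configured with.
_MAC_IN_RECORD = re.compile(
    r"\b(?:[0-9A-Fa-f]{12}"
    r"|(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
    r"|[0-9A-Fa-f]{6}-[0-9A-Fa-f]{6})\b"
)

def mac_from_record(record: str) -> Optional[str]:
    """Return the normalized client MAC found in an accounting record, or None."""
    m = _MAC_IN_RECORD.search(record)
    return normalize_mac(m.group(0)) if m else None

_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def valid_syslog_host(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a hostname; reject underscores and bad labels,
    mirroring the screen's note that hostnames cannot include an underscore."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253 or "_" in host:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))

# Constructed sample record in Dot Delimiter / Uppercase form (not captured output).
SAMPLE_RECORD = "<14>Jan  1 12:00:01 ap-lobby accounting: start mac=AABB.CCDD.EEFF user=alice"

if __name__ == "__main__":
    for name in MAC_FORMATS:
        print(f"{name:>22}: {format_mac('AA:BB:CC:DD:EE:FF', name)}")
    print("record MAC:", mac_from_record(SAMPLE_RECORD))
    print("syslog_host.example.com valid:", valid_syslog_host("syslog_host.example.com"))
```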
- When using RADIUS authentication, the WAN port round trip delay should not exceed 150 ms. Excessive delay over a WAN can cause authentication and roaming issues. When excessive delays exist, a distributed RADIUS service should be used.
- Authorization policies should be implemented when users need to be restricted to specific WLANs, or time and date restrictions need to be applied. Authorization policies can also apply bandwidth restrictions and assign Firewall policies to users and devices.

6.1.6 Configuring WLAN Service Monitoring Settings

Service Monitoring is a mechanism for administering external AAA server, captive portal server, Access Point adoption, and DHCP server activity for WLANs. Service monitoring enables an administrator to better notify users of a service's availability and make resource substitutions. Service monitoring can be enabled and applied to log activity as needed for specific WLANs. External services can be rendered unavailable due to any of the following instances:
- When the RADIUS authentication server becomes unavailable. The RADIUS server could be local or external to the controller, service platform or Access Point.
- When an externally hosted captive portal is unavailable (for any reason).
- When a monitored DHCP server resource becomes unavailable.
- If an Access Point's connected controller or service platform becomes unavailable.

To configure WLAN service monitoring:
1 Select Configuration > Wireless LANs > Wireless LAN Policy to display a high-level display of the existing WLANs.
2 Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing WLAN.
3 Select Service Monitoring.

Figure 6-25 WLAN Policy Service Monitoring screen

4 Select the AAA Server monitoring option to monitor a dedicated external RADIUS server and ensure its adoption resource availability. This setting is disabled by default.

5 Select the Captive Portal External Server monitoring option to monitor externally hosted captive portal activity, and temporary and restrictive user access to the controller or service platform managed network. This setting is disabled by default.

6 Refer to the Adoption Monitoring field to set the WLAN's adoption service monitoring configuration.

| Setting | Description |
|---|---|
| Enable | Enable adoption monitoring to check Access Point adoptions to the controller or service platform. When the connection is lost, captive portal users are migrated to a defined VLAN. This feature is disabled by default, so it must be enabled to monitor WLAN specific adoption data. |
| VLAN | Select the VLAN users are migrated to when an Access Point's connection to its adopting controller or service platform is lost. The available range is from 1 - 4,094. |

7 Refer to the DHCP Server Monitoring field to set the WLAN's DHCP service monitoring configuration.

| Setting | Description |
|---|---|
| Enable | Select enable to monitor activity over the defined DHCP Server. When the connection to the DHCP server is lost, captive portal users are automatically migrated to a defined VLAN. The feature is disabled by default. |
| VLAN | Select the VLAN users are migrated to when the defined DHCP server resource becomes unavailable. The available range is from 1 - 4,094. |
| CRM Name | Enter the DHCP server to monitor for availability. When this DHCP server resource becomes unavailable, the device falls back to the defined VLAN. This VLAN has a DHCP server configured that provides a pool of IP addresses with a lease time shorter than that of the main DHCP server. |

8 Refer to the DNS Server Monitoring field to set the WLAN's DNS service monitoring configuration.

| Setting | Description |
|---|---|
| Enable | Select enable to monitor activity over the defined DNS Server. When the connection to the DNS server is lost, captive portal users are automatically migrated to a defined VLAN. The feature is disabled by default. |
| VLAN | Select the VLAN users are migrated to when the defined DNS server resource becomes unavailable. The available range is from 1 - 4,094. |
| CRM Name | Enter the DNS server to monitor for availability. When this DNS server resource becomes unavailable, the device falls back to the defined VLAN. This VLAN has a DNS server configured that provides DNS address resolution until the main DNS server becomes available. |

9 Select OK when completed to update this WLAN's service monitor settings. Select Reset to revert the screen back to its last saved configuration.

6.1.7 Configuring Client Load Balancing Settings

To configure WLAN client load balance settings:
1 Select Configuration > Wireless LANs > Wireless LAN Policy to display a high-level display of the existing WLANs.
2 Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing wireless controller WLAN.
3 Select Client Load Balancing.
4 Refer to the Load Balancing Settings section to configure load balancing for the WLAN.

Figure 6-26 WLAN Policy Client Load Balancing screen

| Setting | Description |
|---|---|
| Enforce Client Load Balancing | Select this option to enforce a client load balance distribution on this WLAN's Access Point radios. AP6522, AP6532, AP6562, AP7161, AP7602, AP7622, AP81XX and AP8232 models can support 256 clients per Access Point. The AP6521 model can support up to 128 clients per Access Point. AP7612, AP7632 and AP7662 models can support 512 clients per Access Point. Loads are balanced by ignoring association and probe requests. Probe and association requests are not responded to, forcing a client to associate with another Access Point radio. This setting is disabled by default. |
| Band Discovery Interval | Enter a value (from 0 - 10,000 seconds) to set the interval dedicated to discovering a client's radio band capability before its Access Point radio association. The default setting is 24 seconds. |
| Capability Ageout Time | Define a value in either Seconds (0 - 10,000), Minutes (0 - 166) or Hours (0 - 2) to age out a client's capabilities from the internal table. The default is 24 seconds. |

5 Refer to the Load Balancing Settings (2.4GHz) section to configure load balancing for the 2.4 GHz WLAN.

| Setting | Description |
|---|---|
| Single Band Clients | Select this option to enable association for single band clients on the 2.4GHz frequency, even if load balancing is available. This setting is enabled by default. |
| Max Probe Requests | Enter a value from 0 - 10,000 for the maximum number of probe requests for clients using the 2.4GHz frequency. The default value is 60. |
| Probe Request Interval | Enter a value in seconds between 0 - 10,000 to configure the interval for client probe requests beyond which clients on the 2.4GHz network are allowed to associate. The default is 10 seconds. |

6 Refer to the Load Balancing Settings (5GHz) section to configure load balancing for the 5 GHz WLAN.

| Setting | Description |
|---|---|
| Single Band Clients | Select this option to enable the association of single band clients on 5GHz, even if load balancing is available. This setting is enabled by default. |
| Max Probe Requests | Enter a value from 0 - 10,000 for the maximum number of probe requests for clients using 5GHz. The default value is 60. |
| Probe Request Interval | Enter a value in seconds from 0 - 10,000 to configure the interval for client probe requests. When exceeded, clients can associate using 5GHz. The default setting is 10 seconds. |

7 Select OK when completed to update this WLAN's client load balancing settings. Select Reset to revert the screen back to its last saved configuration.

6.1.8 Configuring Advanced WLAN Settings

To configure advanced settings on a WLAN:
1 Select Configuration > Wireless LANs > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing WLAN.
3 Select Advanced.
4 Refer to the Protected Management Frames (802.11w) field to set a frame protection mode and security association for the WLAN's advanced configuration.

Figure 6-27 WLAN Policy Advanced screen

| Setting | Description |
|---|---|
| Mode | Select a radio button for the mode (either Disabled, Optional or Mandatory). Disabled is the default setting. |
| SA Query Attempts | Use the spinner control to set the number of security association query attempts between 1-10. The default value is 5. |
| SA Query Retry Timeout | Set the timeout (from 100-1,000 milliseconds) for waiting for a response to an SA query before resending it. The default is 201 milliseconds. |

5 Refer to the Advanced RADIUS Configuration field to set the WLAN's NAS configuration and RADIUS Dynamic Authorization.

| Setting | Description |
|---|---|
| NAS Identifier | Specify what is included in the RADIUS NAS-Identifier field for authentication and accounting packets relating to this WLAN. Configuring a value is optional, and defaults are used if not configured. |
| NAS Port | The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port. Each profile is matched to a username representing a physical port. When authorizing users, it queries the user profile database using a username representative of the physical NAS port making the connection. Set the numeric port value from 0-4,294,967,295. |
| RADIUS Dynamic Authorization | Select the check box to enable a mechanism that extends the RADIUS protocol to support unsolicited messages sent from the RADIUS server. These messages allow administrators to issue Change of Authorization (CoA) messages, which affect session authorization, or Disconnect Messages (DM), which terminate a session immediately. This feature is disabled by default. |

6 Refer to the Radio Rates field to define selected data rates for both the 2.4 and 5.0 GHz bands.

Figure 6-28 Advanced WLAN Rate Settings 2.4 GHz screen

Figure 6-29 Advanced WLAN Rate Settings 5 GHz screen

Define both minimum Basic and optimal Supported rates as required for the 802.11b, 802.11g and 802.11n rates supported by the 2.4 GHz band and the 802.11a and 802.11n rates supported by the 5.0 GHz band. These are the supported client rates within this WLAN. 802.11n MCS rates are defined as follows, both with and without short guard intervals (SGI):
Rates in the following tables are in Mb/s.

Table 6.1 MCS-1Stream

| MCS Index | Number of Streams | 20 MHz No SGI | 20 MHz With SGI | 40 MHz No SGI | 40 MHz With SGI |
|---|---|---|---|---|---|
| 0 | 1 | 6.5 | 7.2 | 13.5 | 15 |
| 1 | 1 | 13 | 14.4 | 27 | 30 |
| 2 | 1 | 19.5 | 21.7 | 40.5 | 45 |
| 3 | 1 | 26 | 28.9 | 54 | 60 |
| 4 | 1 | 39 | 43.4 | 81 | 90 |
| 5 | 1 | 52 | 57.8 | 108 | 120 |
| 6 | 1 | 58.5 | 65 | 121.5 | 135 |
| 7 | 1 | 65 | 72.2 | 135 | 150 |

Table 6.2 MCS-2Stream

| MCS Index | Number of Streams | 20 MHz No SGI | 20 MHz With SGI | 40 MHz No SGI | 40 MHz With SGI |
|---|---|---|---|---|---|
| 0 | 2 | 13 | 14.4 | 27 | 30 |
| 1 | 2 | 26 | 28.9 | 54 | 60 |
| 2 | 2 | 39 | 43.4 | 81 | 90 |
| 3 | 2 | 52 | 57.8 | 108 | 120 |
| 4 | 2 | 78 | 86.7 | 162 | 180 |
| 5 | 2 | 104 | 115.6 | 216 | 240 |
| 6 | 2 | 117 | 130 | 243 | 270 |
| 7 | 2 | 130 | 144.4 | 270 | 300 |

Table 6.3 MCS-3Stream

| MCS Index | Number of Streams | 20 MHz No SGI | 20 MHz With SGI | 40 MHz No SGI | 40 MHz With SGI |
|---|---|---|---|---|---|
| 0 | 3 | 19.5 | 21.7 | 40.5 | 45 |
| 1 | 3 | 39 | 43.3 | 81 | 90 |
| 2 | 3 | 58.5 | 65 | 121.5 | 135 |
| 3 | 3 | 78 | 86.7 | 162 | 180 |
| 4 | 3 | 117 | 130.7 | 243 | 270 |
| 5 | 3 | 156 | 173.3 | 324 | 360 |
| 6 | 3 | 175.5 | 195 | 364.5 | 405 |
| 7 | 3 | 195 | 216.7 | 405 | 450 |

802.11ac MCS rates are defined as follows, both with and without short guard intervals (SGI):

Table 6.4 MCS-802.11ac (theoretical throughput for single spatial streams)

| MCS Index | 20 MHz No SGI | 20 MHz With SGI | 40 MHz No SGI | 40 MHz With SGI | 80 MHz No SGI | 80 MHz With SGI |
|---|---|---|---|---|---|---|
| 0 | 6.5 | 7.2 | 13.5 | 15 | 29.3 | 32.5 |
| 1 | 13 | 14.4 | 27 | 30 | 58.5 | 65 |
| 2 | 19.5 | 21.7 | 40.5 | 45 | 87.8 | 97.5 |
| 3 | 26 | 28.9 | 54 | 60 | 117 | 130 |
| 4 | 39 | 43.3 | 81 | 90 | 175.5 | 195 |
| 5 | 52 | 57.8 | 108 | 120 | 234 | 260 |
| 6 | 58.5 | 65 | 121.5 | 135 | 263.3 | 292.5 |
| 7 | 65 | 72.2 | 135 | 150 | 292.5 | 325 |
| 8 | 78 | 86.7 | 162 | 180 | 351 | 390 |
| 9 | n/a | n/a | 180 | 200 | 390 | 433.3 |

7 Set the following Transition options:
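As an added worked example (not part of the guide), the following derives the rates of Tables 6.1 to 6.4 from each MCS index's modulation and code rate, the data subcarriers per channel width, the spatial stream count and the guard interval, and generalises to stream counts and widths beyond the printed tables. The subcarrier counts and OFDM symbol durations are the standard 802.11n/ac PHY values, which this page does not state; the n/a cells are reproduced by the rule that the data bits per OFDM symbol must be a whole number.

```python
"""Derive 802.11n/802.11ac MCS PHY rates (Mb/s) as printed in Tables 6.1 to 6.4.
Added example; the rate relation is the standard OFDM one, not WiNG code."""
from fractions import Fraction
from math import floor
from typing import List, Optional, Sequence

# MCS index -> (coded bits per subcarrier, code rate). MCS 8 and 9 are 802.11ac only.
MCS = {
    0: (1, Fraction(1, 2)),  # BPSK 1/2
    1: (2, Fraction(1, 2)),  # QPSK 1/2
    2: (2, Fraction(3, 4)),  # QPSK 3/4
    3: (4, Fraction(1, 2)),  # 16-QAM 1/2
    4: (4, Fraction(3, 4)),  # 16-QAM 3/4
    5: (6, Fraction(2, 3)),  # 64-QAM 2/3
    6: (6, Fraction(3, 4)),  # 64-QAM 3/4
    7: (6, Fraction(5, 6)),  # 64-QAM 5/6
    8: (8, Fraction(3, 4)),  # 256-QAM 3/4 (11ac)
    9: (8, Fraction(5, 6)),  # 256-QAM 5/6 (11ac)
}
# Data subcarriers per channel width (MHz); standard PHY values, assumed here.
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234}
# OFDM symbol duration in microseconds: 4.0 with the normal guard interval, 3.6 with SGI.
SYMBOL_US = {False: Fraction(4), True: Fraction(36, 10)}

def round_half_up(x: Fraction, places: int = 1) -> float:
    """Round exactly, .5 upwards, the way the printed tables do (29.25 -> 29.3)."""
    scale = 10 ** places
    return float(floor(x * scale + Fraction(1, 2))) / scale

def mcs_rate(mcs: int, streams: int, width_mhz: int, sgi: bool) -> Optional[float]:
    """PHY data rate in Mb/s, or None where no rate is defined.
    A rate is undefined when the data bits per OFDM symbol are not a whole number;
    for one stream at 20 MHz, MCS 9 gives 52 * 8 * 5/6 = 346.67, hence the n/a
    cells of Table 6.4 (the standard has further multi-stream exclusions that
    this example does not model)."""
    if mcs not in MCS or streams < 1 or width_mhz not in DATA_SUBCARRIERS:
        raise ValueError("unsupported MCS/stream/width combination")
    bits, code_rate = MCS[mcs]
    data_bits_per_symbol = streams * bits * code_rate * DATA_SUBCARRIERS[width_mhz]
    if data_bits_per_symbol.denominator != 1:
        return None
    # bits per microsecond is numerically Mb/s
    return round_half_up(data_bits_per_symbol / SYMBOL_US[sgi])

def rate_table(streams: int, widths: Sequence[int] = (20, 40), max_mcs: int = 7) -> List[list]:
    """Rebuild one of the guide's tables: each row is [MCS, streams, then for every
    width the No SGI and With SGI rates], in the tables' column order."""
    rows = []
    for mcs in range(max_mcs + 1):
        row = [mcs, streams]
        for w in widths:
            row.append(mcs_rate(mcs, streams, w, False))
            row.append(mcs_rate(mcs, streams, w, True))
        rows.append(row)
    return rows

if __name__ == "__main__":
    # Table 6.4 (single stream, 20/40/80 MHz, MCS 0-9); None prints where the guide shows n/a.
    for row in rate_table(1, (20, 40, 80), 9):
        print(*row, sep="\t")
```

Table 6.1 prints 43.4 for MCS 4 with SGI at 20 MHz where the formula gives 43.33, which Table 6.4 prints as 43.3.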
| Setting | Description |
|---|---|
| Fast BSS Transition | If needed, select the Fast BSS Transition check box to enable 802.11r fast roaming on this WLAN. This setting is disabled by default. 802.11r is an attempt to undo the burden that security and QoS added to the handoff process, and restore it to the original four message exchange process. The central application for the 802.11r standard is VoIP using mobile phones within wireless Internet networks. |
| Fast BSS Transition Over DS | Optionally select the Fast BSS Transition Over DS check box to enable 802.11r over DS fast roaming on this WLAN. This setting is enabled by default. |

8 Enable HTTP Analysis for log file analysis on this WLAN. This setting is disabled by default.

9 Set the following HTTP analysis Filter settings for the WLAN:
| Setting | Description |
|---|---|
| Filter Out Images | Select this option to filter images out of this WLAN's log files. This setting is disabled by default. |
| Filter Post | Select this option to filter posts out of this WLAN's log files. This setting is disabled by default. |
| Strip Query String | Select this option to filter query strings out of this WLAN's log files. This setting is disabled by default. |

10 Set the following Forward to Syslog Server settings for HTTP analysis on this WLAN:
| Setting | Description |
|---|---|
| Enable | Select the check box to forward any firewall HTTP Analytics to a specified syslog server for this WLAN. This setting is disabled by default. |
| Host | Enter a Hostname or IP Address for the syslog server to forward HTTP Analytics to. Hostnames cannot include an underscore character. |
| Port | Specify the port number utilized by the syslog server. The default port is 514. |
| Proxy Mode | If a proxy is needed to connect to the syslog server, select a proxy mode of either Through RF Domain Manager or Through Wireless Controller. If no proxy is needed, select None. |

11 Select OK when completed to update this WLAN's advanced settings. Select Reset to revert the screen back to its last saved configuration.

6.1.9 Configuring Auto Shutdown Settings

The Auto Shutdown feature sets the WLAN to shut down when certain criteria are met. It also allows administrators to set the operating days and hours of certain WLANs for security or bandwidth purposes.

To configure the auto shutdown settings of a WLAN:
1 Select Configuration > Wireless LANs > Wireless LAN Policy to display available WLANs.
2 Select the Add button to create an additional WLAN or select Edit to modify the properties of an existing WLAN.
3 Select Auto Shutdown.
4 Refer to the Auto Shutdown field to set the WLAN's shutdown criteria.

Figure 6-30 WLAN Policy Auto Shutdown screen

| Setting | Description |
|---|---|
| Shutdown on Mesh Point Loss | Select this option to automatically disable the WLAN when its associated mesh point is unreachable. This setting is disabled by default. |
| Shutdown on Primary Port Link Loss | Select this option to automatically disable the WLAN when its primary port link is unreachable. This setting is disabled by default. |
| Shutdown on Unadoption | Select this option to automatically disable the WLAN when associated Access Points are unadopted. This setting is disabled by default. |

5 Set the following Critical Resource Down settings to determine whether a WLAN auto shutdown is enabled when a defined critical resource goes offline:

| Setting | Description |
|---|---|
| Shutdown on Critical Resource Down | Enable this feature to bring the selected WLAN offline when a defined critical resource goes offline. This setting is disabled by default. |
| Critical Resource Name | When enabled, enter a 127 character maximum critical resource name. This is the resource that must remain online to render the selected WLAN online. |

6 To configure Time Based Access for this WLAN, click + Add Row and configure each of the following options.

| Setting | Description |
|---|---|
| Days | Use the drop-down menu to select a day of the week to apply this access policy. Selecting All will apply the policy every day. Selecting weekends will apply the policy on Saturdays and Sundays only. Selecting weekdays will apply the policy on Monday, Tuesday, Wednesday, Thursday and Friday only. Selecting individual days of the week will apply the policy only on the selected day. |
| Start Time | This value sets the starting time at which the WLAN is activated. Use the spinner controls to select the hour and minute, in 12h time format. Then use the radio button to choose AM or PM. |
| End Time | This value sets the ending time of day(s) at which the WLAN is disabled. Use the spinner controls to select the hour and minute, in 12h time format. Then use the radio button to choose AM or PM. |

7 Select OK when completed to update the auto shutdown settings. Select Reset to revert the screen back to its last saved configuration.

6.2 Configuring WLAN QoS Policies

QoS provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely, because excessive bandwidth comes at a very high cost), then applying QoS has very little value. QoS provides policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements when bandwidth is shared by different users and applications.
QoS helps ensure each WLAN receives a fair share of the overall bandwidth, either equally or in the proportion configured. Packets directed towards clients are classified into categories such as Video, Voice and Data. Packets within each category are processed based on the weights defined for each WLAN.

The Quality of Service screen displays a list of QoS policies available to WLANs. If none of the existing QoS policies supports an ideal QoS configuration for the intended data traffic of this WLAN, select the Add button to create a new policy. Select the radio button of an existing WLAN and select Ok to map the QoS policy to the WLAN displayed in the banner of the screen. Use the WLAN Quality of Service (QoS) Policy screen to add a new QoS policy or edit the attributes of an existing policy.

NOTE: WLAN QoS configurations differ significantly from QoS policies configured for radios. WLAN QoS configurations are designed to support the data requirements of wireless clients, including the data types they support and their network permissions. Radio QoS policies are specific to the transmit and receive characteristics of the connected radios themselves, independent from the wireless clients the Access Point radios support.

1 Select Configuration > Wireless > WLAN QoS Policy to display existing QoS policies available to WLANs.
2 Refer to the following read-only information on each listed QoS policy to determine whether an existing policy can be used as is, an existing policy requires editing, or a new policy requires creation:
Figure 6-31 WLAN QoS Policy screen

| Setting | Description |
|---|---|
| WLAN QoS Policy | Displays the name assigned to this WLAN QoS policy when it was initially created. The assigned policy name cannot be modified as part of the edit process. |
| Wireless Client Classification | Lists each policy's Wireless Client Classification as defined for this WLAN's intended traffic. The Classification Categories are the different WLAN-WMM options available to a radio. The classification types are listed below this table. |
| SVP Prioritization | A green check mark defines the policy as having Spectralink Voice Prioritization (SVP) enabled to allow the wireless controller to identify and prioritize traffic from Spectralink/Polycom phones using the SVP protocol. Phones using regular WMM and SIP are not impacted by SVP prioritization. A red X defines the QoS policy as not supporting SVP prioritization. |
| WMM Power Save | Enables support for the WMM based power-save mechanism, also known as Unscheduled Automatic Power Save Delivery (U-APSD). This is primarily used by voice devices that are WMM capable. The default setting is enabled. |
| Multicast Mask Primary | Displays the primary multicast mask defined for each listed QoS policy. Normally all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames. However, for certain applications and traffic types, the administrator may want the frames transmitted immediately, without waiting for the DTIM interval. By configuring a primary and secondary multicast mask, an administrator can indicate which frames are transmitted immediately. Setting masks is optional and only needed if there are traffic types requiring special handling. |
| Multicast Mask Secondary | Displays the secondary multicast mask defined for each listed QoS policy. |

Classification types include:

- WMM: Implies WiFi Multimedia QoS extensions are enabled on this radio. This allows different traffic streams between the wireless client and the Access Point to be prioritized according to the type of traffic (voice, video etc.). WMM classification is required to support the high throughput data rates required of 802.11n device support.
- Voice: Optimized for voice traffic. Implies all traffic on this WLAN is prioritized as voice traffic on the radio.
- Video: Optimized for video traffic. Implies all traffic on this WLAN is prioritized as video traffic on the radio.
- Normal: Optimized for best effort traffic. Implies all traffic on this WLAN is prioritized as best effort traffic on the radio.
- Low: Optimized for background traffic. Implies all traffic on this WLAN is low priority on the radio.
- Non-Unicast: Optimized for non-unicast traffic. Implies all traffic on this WLAN is designed for broadcast or multicast.

NOTE: When using a wireless client classification other than WMM, only legacy rates are supported on that WLAN.

3 Either select the Add button to define a new WLAN QoS policy, or select an existing WLAN QoS policy and select Edit to modify its existing configuration. Existing QoS policies can be selected and deleted as needed. Optionally Copy a policy or Rename a WLAN QoS Policy as needed. A Quality of Service (QoS) policy screen displays for the new or selected WLAN. The screen displays the WMM tab by default, but additional tabs also display for WLAN and wireless client rate limit configurations. For more information, refer to the following:
- Configuring a WLAN's QoS WMM Settings
- Configuring Rate Limit Settings

6.2.1 Configuring a WLAN's QoS WMM Settings

Using WMM, end-user satisfaction is maintained in a wider variety of environments and traffic conditions. WMM makes it possible for both home networks and Enterprises to decide which data streams are most important and assign them a higher traffic priority.

WMM's prioritization capabilities are based on the four access categories. The higher the access category, the higher the probability of transmitting this kind of traffic over the WLAN. Access categories were designed to correspond to 802.1d priorities to facilitate interoperability with QoS policy management mechanisms. WMM enabled wireless controllers/Access Points coexist with legacy devices (not WMM-enabled).

Packets not assigned to a specific access category are categorized by default as having best effort priority. Applications assign each data packet to a given access category; packets are then added to one of four independent transmit queues (one per access category: voice, video, best effort or background) in the client. The client has an internal collision resolution mechanism to address collisions among different queues, which selects the frames with the highest priority to transmit. The same mechanism deals with external collision, to determine which client(s) should be granted the opportunity to transmit (TXOP). The collision resolution algorithm responsible for traffic prioritization is probabilistic and depends on two timing parameters that vary for each access category:

- The minimum interframe space, or Arbitrary Inter-Frame Space Number (AIFSN)
- The contention window, sometimes referred to as the random backoff wait

Both values are smaller for high-priority traffic. The value of the contention window varies through time. Initially the contention window is set to a value that depends on the AC. As frames with the highest AC tend to have the lowest backoff values, they are more likely to get a TXOP. After each collision the contention window is doubled until a maximum value (also dependent on the AC) is reached. After successful transmission, the contention window is reset to its initial, AC dependent value. The AC with the lowest backoff value gets the TXOP.

To configure a WMM configuration for a WLAN:
1 Select Configuration > Wireless > WLAN QoS Policy to display existing QoS Policies.
2 Select the Add button to create a new QoS policy or Edit to modify the properties of an existing WLAN QoS policy. The WMM tab displays by default.

Figure 6-32 WLAN QoS Policy - WMM screen

3 Configure the following with respect to the WLAN's intended WMM radio traffic and user requirements:

| Setting | Description |
|---|---|
| Wireless Client Classification | Use the drop-down menu to select the Wireless Client Classification for this WLAN's intended traffic type. The classification categories are the different WLAN-WMM options available to the radio. The classification types are listed below this table; WMM is the default setting. |
| Non-Unicast Classification | Use the drop-down menu to select the Non-Unicast Classification for this WLAN's intended traffic. Non-unicast classification types are Voice, Video, Normal and Low, as described in the classification list below this table. |
| Enable Voice Prioritization | Select this option if Voice traffic is prioritized on the WLAN. This gives priority to voice and voice management packets supported only on certain legacy VoIP phones. This feature is disabled by default. |
| Enable SVP Prioritization | Enabling Spectralink Voice Prioritization (SVP) allows the identification and prioritization of traffic from Spectralink/Polycom phones. This gives priority to voice on certain legacy VoIP phones. If the wireless client classification is WMM, non-WMM devices recognized as voice devices have their traffic transmitted at voice priority. Devices are classified as voice when they emit SIP, SCCP, or H.323 traffic. Thus, selecting this option has no effect on devices supporting WMM. This feature is disabled by default. |
| Enable WMM Power Save | Enables support for the WMM based power-save mechanism, also known as Unscheduled Automatic Power Save Delivery (U-APSD). This is primarily used by voice devices that are WMM capable. The default setting is enabled. |
| Enable QBSS Load IE | Check this option to enable a QoS Basic Service Set (QBSS) load information element (IE) in beacons and probe response packets advertised by Access Points. The default value is enabled. |
| Configure Non WMM Client Traffic | Use the drop-down menu to select the Non-WMM client traffic Classification. Non-WMM classification types are Voice, Video, Normal and Low, as described in the classification list below this table. |

Classification types include:

- WMM: Implies WiFi Multimedia QoS extensions are enabled on this radio. This allows different traffic streams between the wireless client and the Access Point to be prioritized according to the type of traffic (voice, video etc.). The WMM classification is required to support the high throughput data rates required of 802.11n device support. WMM is the default setting.
- Voice: Optimized for voice traffic. Implies all traffic on this WLAN is prioritized as voice traffic on the radio.
- Video: Optimized for video traffic. Implies all traffic on this WLAN is prioritized as video traffic on the radio.
- Normal: Optimized for best effort traffic. Implies all traffic on this WLAN is prioritized as best effort traffic on the radio.
- Low: Optimized for background traffic. Implies all traffic on this WLAN is low priority on the radio.

4 Set the following Voice Access settings for the WLAN's QoS policy:
Transmit Ops AIFSN ECW Min ECW Max Use the slider to set the maximum device transmit duration after obtaining a transmit opportunity. The default value is 47. Set the current Arbitrary Inter-frame Space Number (AIFSN) between 2-15. Higher-priority traffic voice categories should have lower AIFSNs than lower-priority traffic categories. This will cause lower-priority traffic to wait longer before attempting access. The default value is 2. The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. The available range is from 0-15. The default value is 2. The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. The available range is from 0-15. The default value is 3. 5 Set the following Normal (Best Effort) Access settings for the WLANs QoS policy:
Transmit Ops AIFSN ECW Min ECW Max Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. The default value is 0. Set the current AIFSN between 2-15. Lower priority traffic categories should have higher AIFSNs than higher priority traffic categories. This will cause lower priority traffic to wait longer before attempting access. The default value is 3. The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Normal). The available range is from 0-15. The default value is 4. The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Normal). The available range is from 0-15. The default value is 10. Wireless Controller and Service Platform System Reference Guide 6 - 57 Wireless Configuration 6 Set the following Video Access settings for the WLANs QoS policy:
Transmit Ops AIFSN ECW Min ECW Max Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. The default values is 94. Set the current Arbitrary Inter-frame Space Number (AIFSN) between 2-15. Higher-priority traffic video categories should have lower AIFSNs than lower-priority traffic categories. This will cause lower-priority traffic to wait longer before attempting access. The default value is 2. The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic (like video). The available range is from 0-15. The default value is 3. The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic (like video). The available range is from 0-15. The default value is 4. 7 Set the following Low (Background) Access settings for the WLANs QoS policy:
Transmit Ops AIFSN ECW Min ECW Max Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number. The default value is 0. Set the current AIFSN between 2-15. Lower priority traffic categories should have higher AIFSNs than higher priority traffic categories. This will cause lower priority traffic to wait longer before attempting access. The default value is 7. The ECW Min is combined with the ECW Max to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Low). The available range is from 0-15. The default value is 4. The ECW Max is combined with the ECW Min to create the contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Low). The available range is from 0-15. The default value is 10. 8 Set the following Other Settings for the WLANs QoS policy:
Trust IP DSCP: Select this option to trust IP DSCP values for WLANs. The default value is enabled.
Trust 802.11 WMM QoS: Select this option to trust 802.11 WMM QoS values for WLANs. The default value is enabled.

9 Select OK when completed to update this WLAN's QoS settings. Select Reset to revert the screen back to its last saved configuration.

6.2.2 Configuring Rate Limit Settings

Excessive traffic can cause performance issues or bring down the network entirely. Excessive traffic can be caused by numerous sources, including network loops, faulty devices or malicious software such as a worm or virus that has infected one or more devices. Rate limiting reduces the maximum rate sent or received from the wireless network (and WLAN) per wireless client. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers.

The uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server's response. When such attributes are not present, the settings defined on the controller, service platform or Access Point are applied.

An administrator can set separate QoS rate limit configurations for data transmitted from the network (upstream) and data transmitted from a WLAN's wireless clients back to associated radios (downstream). Before defining rate limit thresholds for WLAN upstream and downstream traffic, define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) will be dropped, resulting in intermittent outages and performance problems. Connected wireless clients can also have QoS rate limit settings defined in both the upstream and downstream direction.

To configure a QoS rate limit configuration for a WLAN:
1 Select Configuration > Wireless > WLAN QoS Policy to display existing QoS policies available to WLANs.
2 Either select the Add button to define a new WLAN QoS policy, or select an existing WLAN QoS policy and select Edit to modify its existing configuration.
3 Select the Rate Limit tab.

Figure 6-33 QoS Policy WLAN Rate Limit screen

4 Configure the following parameters in respect to the intended WLAN Upstream Rate Limit, or traffic from the controller or service platform to associated Access Point radios and connected wireless clients:

Enable: Select the Enable check box to enable rate limiting for data transmitted from the controller or service platform to associated Access Point radios and connected wireless clients. Enabling this option does not invoke rate limiting for data traffic in the downstream direction. This feature is disabled by default.
Rate: Define an upstream rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the WLAN (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.
Maximum Burst Size: Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the upstream packet transmission will result in congestion for the WLAN's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 kbytes.

5 Set the following WLAN Upstream Random Early Detection Threshold settings for each access category. An early random drop is done when a traffic stream falls below the set threshold.

Background Traffic: Set a percentage value for background traffic in the upstream direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
Best Effort Traffic: Set a percentage value for best effort traffic in the upstream direction. This is a percentage of the maximum burst size for normal priority traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
Video Traffic: Set a percentage value for video traffic in the upstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 25%.
Voice Traffic: Set a percentage value for voice traffic in the upstream direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 0%.

6 Configure the following parameters in respect to the intended WLAN Downstream Rate Limit, or traffic from wireless clients to associated Access Point radios and the controller or service platform:
Enable: Select the Enable radio button to enable rate limiting for data transmitted from the controller or service platform to its associated Access Point radios and connected wireless clients. Enabling this option does not invoke rate limiting for data traffic in the upstream direction. This feature is disabled by default.
Rate: Define an upstream rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the WLAN (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.
Maximum Burst Size: Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the downstream packet transmission will result in congestion for the WLAN's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 kbytes.

7 Set the following WLAN Downstream Random Early Detection Threshold settings for each access category. An early random drop is done when the amount of tokens for a traffic stream falls below the set threshold.

Background Traffic: Set a percentage value for background traffic in the downstream direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general downstream rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
Best Effort Traffic: Set a percentage value for best effort traffic in the downstream direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general downstream rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
Video Traffic: Set a percentage value for video traffic in the downstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general downstream rate is known by the network administrator (using a time trend analysis). The default threshold is 25%.
Voice Traffic: Set a percentage value for voice traffic in the downstream direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 0%. 0% means no early random drops will occur.

8 Configure the following parameters in respect to the intended Wireless Client Upstream Rate Limit:
Enable: Select the Enable radio button to enable rate limiting for data transmitted from the client to its associated Access Point radio and connected wireless controller. Enabling this option does not invoke client rate limiting for data traffic in the downstream direction. This feature is disabled by default.
Rate: Define an upstream rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped by the client and a log message is generated. The default rate is 1,000 kbps.
Maximum Burst Size: Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the upstream packet transmission will result in congestion for the wireless client. The default burst size is 64 kbytes.

9 Set the following Wireless Client Upstream Random Early Detection Threshold settings for each access category:

Background Traffic: Set a percentage value for background traffic in the upstream direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
Best Effort Traffic: Set a percentage value for best effort traffic in the upstream direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
Video Traffic: Set a percentage value for video traffic in the upstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 25%.
Voice Traffic: Set a percentage value for voice traffic in the downstream direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 0%. 0% implies no early random drops occur.

10 Configure the following parameters in respect to the intended Wireless Client Downstream Rate Limit (traffic from a controller or service platform to associated Access Point radios and the wireless client):

Enable: Select the Enable radio button to enable rate limiting for data transmitted from connected wireless clients to the controller or service platform. Enabling this option does not invoke rate limiting for data traffic in the upstream direction. This feature is disabled by default.
Rate: Define a downstream rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received by the client. Traffic that exceeds the defined rate is dropped and a log message is generated. The default rate is 1,000 kbytes.
Maximum Burst Size: Set a maximum burst size between 2 - 64 kbytes. The smaller the burst, the less likely the downstream packet transmission will result in congestion for the wireless client. The default burst size is 64 kbytes.

11 Set the following Wireless Client Downstream Random Early Detection Threshold settings:

Background Traffic: Set a percentage value for background traffic in the downstream direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default is 50%.
Best Effort Traffic: Set a percentage value for best effort traffic in the downstream direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default is 50%.
Video Traffic: Set a percentage value for video traffic in the downstream direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default is 25%.
Voice Traffic: Set a percentage value for voice traffic in the downstream direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 0%. 0% means no early random drops occur.

12 Select OK to update this WLAN's QoS rate limit settings. Select Reset to revert to the last saved configuration.

6.2.3 Configuring Multimedia Optimization Settings

Multimedia optimizations customize the size and speed of multimedia content (voice, video etc.) to deliver WLAN traffic strategically to the WLAN's managed clients and their defined QoS requirements. To configure multimedia optimizations for a controller, service platform or Access Point managed WLAN:
1 Select Configuration > Wireless > WLAN QoS Policy to display existing QoS policies available to WLANs.
2 Either select the Add button to define a new WLAN QoS policy, or select an existing WLAN QoS policy and select Edit to modify its existing configuration.
3 Select the Multimedia Optimizations tab.

Figure 6-34 QoS Policy WLAN Multimedia Optimizations screen

4 Configure the following parameters in respect to the intended Multicast Mask:

Multicast Mask Primary: Configure the primary multicast mask defined for each listed QoS policy. Normally all multicast and broadcast packets are buffered until the periodic DTIM interval (indicated in the 802.11 beacon frame), when clients in power save mode wake to check for frames. However, for certain applications and traffic types, an administrator may want the frames transmitted immediately, without waiting for the DTIM interval. By configuring a primary and secondary multicast mask, an administrator can indicate which frames are transmitted immediately. Setting masks is optional and only needed if there are traffic types requiring special handling.
Multicast Mask Secondary: Set a secondary multicast mask for the WLAN QoS policy in case the primary becomes unavailable.

5 Set the following Accelerated Multicast settings:

Disable Multicast Streaming: Select this option to disable all multicast streaming on the WLAN.
Automatically Detect Multicast Streams: Select this option to have multicast packets converted to unicast to provide better overall airtime utilization and performance. The administrator can either have the system automatically detect multicast streams and convert all detected multicast streams to unicast, or specify which multicast streams are converted to unicast. When the stream is converted and queued for transmission, there are a number of classification mechanisms that can be applied to the stream, and the administrator can select what type of classification they want.
Manually Configure Multicast Addresses: Select this option and specify a list of multicast addresses and classifications. Packets are accelerated when the destination address matches.

6 Select OK when completed to update this WLAN's Multimedia Optimizations settings. Select Reset to revert the screen back to its last saved configuration.

6.2.4 WLAN QoS Deployment Considerations

Before defining a QoS configuration on a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:

- WLAN QoS configurations differ significantly from QoS policies configured for wireless controller associated Access Point radios. WLAN QoS configurations are designed to support the data requirements of wireless clients, including the data types they support and their network permissions. Radio QoS policies are specific to the transmit and receive characteristics of the connected radios themselves, independent from the wireless clients these Access Point radios support.
- Enabling WMM support on a WLAN only advertises WMM capability to wireless clients. The wireless clients must also be able to support WMM and use the parameters correctly while accessing the wireless network to truly benefit.
- Rate limiting is disabled by default on all WLANs. To enable rate limiting, a threshold must be defined for the WLAN.
- Before enabling rate limiting on a WLAN, a baseline for each traffic type should be performed. Once a baseline has been determined, a minimum 10% margin should be added to allow for traffic bursts.
- The bandwidth required for real-time applications such as voice and video is fairly easy to calculate, as the bandwidth requirements are consistent and can be realistically trended over time. Applications such as Web, database and Email are harder to estimate, since bandwidth usage varies depending on how the applications are utilized.

6.3 Radio QoS Policy

Without a dedicated QoS policy, a wireless network operates on a best-effort delivery basis, meaning all traffic has equal priority and an equal chance of being delivered in a timely manner. When congestion occurs, all traffic has an equal chance of being dropped!
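The rate limit and Random Early Detection settings of 6.2.2 are easier to reason about as a model: one token bucket per WLAN direction, refilled at the configured rate up to the burst size, with each access category's RED threshold expressed as a percentage of that burst. The following is an added illustration of that model, not code from the WiNG guide or its software; the linear drop-probability curve below a threshold, the traffic mix and the log line format are assumptions (the guide only says drops below the threshold are random and generate a log message). The same class with rate_kbps=1000 and burst_kbytes=64 models the per-client limiter defaults.

```python
"""Token-bucket WLAN rate limiter with per-access-category random early
detection (RED) thresholds, as described in the Rate Limit settings above.
Constructed illustration, not WiNG code.  The drop-probability curve below a
threshold is an assumption: the guide only states that drops are random."""
import random
from dataclasses import dataclass

# Access categories named in the guide's rate-limit screens, lowest priority first.
ACCESS_CATEGORIES = ("background", "best_effort", "video", "voice")

# RED thresholds the guide quotes as defaults for the WLAN-level limiter.
DEFAULT_RED_PCT = {"background": 50, "best_effort": 50, "video": 25, "voice": 0}


@dataclass
class Counters:
    sent: int = 0
    early_dropped: int = 0  # RED drop: tokens remained, but below the AC threshold
    hard_dropped: int = 0   # bucket empty: the configured rate itself was exceeded


def red_drop_probability(tokens: int, burst_bytes: int, threshold_pct: int) -> float:
    """Probability of an early random drop for one packet.

    A 0% threshold disables RED for that category (the guide's meaning of 0%).
    At or above the threshold no early drops occur; below it the probability
    is assumed to rise linearly, reaching 1.0 when the bucket is empty."""
    if threshold_pct <= 0:
        return 0.0
    threshold_bytes = burst_bytes * threshold_pct // 100
    if tokens >= threshold_bytes:
        return 0.0
    return 1.0 - tokens / threshold_bytes


class WlanRateLimiter:
    """One direction of one WLAN: a single bucket shared by all access
    categories, refilled at the configured rate up to the burst size."""

    def __init__(self, rate_kbps=5000, burst_kbytes=320, red_pct=None, seed=0):
        self.rate_bytes_per_ms = rate_kbps * 1000 // 8 // 1000  # kbps -> bytes per ms
        self.burst_bytes = burst_kbytes * 1024
        self.tokens = self.burst_bytes                       # bucket starts full
        self.red_pct = dict(DEFAULT_RED_PCT if red_pct is None else red_pct)
        self.rng = random.Random(seed)                       # seeded for reproducibility
        self.stats = {ac: Counters() for ac in ACCESS_CATEGORIES}
        self.log = []                                        # one "log message" per drop
        self.last_ms = 0

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_ms
        self.last_ms = now_ms
        self.tokens = min(self.burst_bytes, self.tokens + elapsed * self.rate_bytes_per_ms)

    def offer(self, now_ms: int, ac: str, size: int) -> bool:
        """Admit (True) or drop (False) one packet of `size` bytes in category `ac`."""
        self._refill(now_ms)
        counters = self.stats[ac]
        if size > self.tokens:
            counters.hard_dropped += 1
            self.log.append(f"t={now_ms}ms drop {ac} {size}B: rate limit exceeded")
            return False
        p = red_drop_probability(self.tokens, self.burst_bytes, self.red_pct[ac])
        if p > 0.0 and self.rng.random() < p:
            counters.early_dropped += 1
            self.log.append(f"t={now_ms}ms early drop {ac} {size}B: tokens={self.tokens}")
            return False
        self.tokens -= size
        counters.sent += 1
        return True


def simulate_flood(duration_ms=2000, red_pct=None):
    """Constructed traffic mix: a 1500-byte best-effort packet every 1 ms
    (12 Mbps, e.g. a worm sweeping the subnet) plus a 200-byte voice packet
    every 20 ms (80 kbps), against the guide's 5000 kbps / 320 kbyte defaults."""
    limiter = WlanRateLimiter(red_pct=red_pct)
    for t in range(duration_ms):
        if t % 20 == 0:
            limiter.offer(t, "voice", 200)
        limiter.offer(t, "best_effort", 1500)
    return limiter


if __name__ == "__main__":
    lim = simulate_flood()
    for ac, c in lim.stats.items():
        print(f"{ac:12s} sent={c.sent:5d} early={c.early_dropped:5d} hard={c.hard_dropped:5d}")
    print(lim.log[0] if lim.log else "no drops")
```

With the default thresholds the best-effort flood is shed by early drops while the bucket still holds tokens, so the 200-byte voice packets are never refused; with every threshold at 0% the same flood runs the bucket dry and drops become hard rate-limit drops instead.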
When configuring a QoS policy for a radio, select specific network traffic, prioritize it, and use congestion-management and congestion-avoidance techniques to provide deployment customizations best suited to each QoS policy's intended wireless client base. Wireless devices, associated Access Point radios and connected clients support several Quality of Service (QoS) techniques enabling real-time applications (such as voice and video) to co-exist simultaneously with lower priority background applications (such as Web, E-mail and file transfers). A well designed QoS policy should:

- Classify and mark data traffic to accurately prioritize and segregate it (by access category) throughout the network.
- Minimize the network delay and jitter for latency sensitive traffic.
- Ensure higher priority traffic has a better likelihood of delivery in the event of network congestion.
- Prevent the ineffective utilization of Access Points degrading session quality by configuring admission control mechanisms within each radio QoS policy.

Wireless clients supporting low and high priority traffic contend with one another for access and data resources. The IEEE 802.11e amendment has defined Enhanced Distributed Channel Access (EDCA) mechanisms stating high priority traffic can access the network sooner than lower priority traffic. The EDCA defines four traffic classes (or access categories): voice (highest), video (next highest), best effort and background (lowest). The EDCA has defined a time interval for each traffic class, known as the Transmit Opportunity (TXOP). The TXOP prevents traffic of a higher priority from completely dominating the wireless medium, thus ensuring lower priority traffic is still supported by controller or service platform associated Access Points and their connected radios.

IEEE 802.11e includes an advanced power saving technique called Unscheduled Automatic Power Save Delivery (U-APSD) that provides a mechanism for wireless clients to retrieve packets buffered by an Access Point. U-APSD reduces the amount of signaling frames sent from a client to retrieve buffered data from an Access Point. U-APSD also allows Access Points to deliver buffered data frames as bursts, without backing off between data frames. These improvements are useful for voice clients, as they provide improved battery life and call quality.

The Wi-Fi Alliance has created Wireless Multimedia (WMM) and WMM Power Save (WMM-PS) certification programs to ensure interoperability between 802.11e WLAN infrastructure implementations and wireless clients. A WiNG wireless network supports both WMM and WMM-Power Save techniques. WMM and WMM-PS (U-APSD) are enabled by default in each WLAN profile. Enabling WMM support on a WLAN just advertises the WLAN's WMM capability and radio configuration to wireless clients. The wireless clients must also be able to support WMM and use the values correctly while accessing the WLAN.

WMM includes advanced parameters (CWMin, CWMax, AIFSN and TXOP) specifying back-off duration and inter-frame spacing when accessing the network. These parameters are relevant to both connected Access Point radios and their wireless clients. Parameters impacting Access Point transmissions to their clients are controlled using per radio WMM settings, while parameters used by wireless clients are controlled by a WLAN's WMM settings.

WiNG wireless devices include Session Initiation Protocol (SIP) and Skinny Call Control Protocol (SCCP) Application Layer Gateways (ALGs) enabling devices to identify voice streams and dynamically set voice call bandwidth. Controllers and service platforms use the data to provide prioritization and admission control to these devices without requiring TSPEC or WMM client support.

WiNG wireless devices support static QoS mechanisms per WLAN to provide prioritization of WLAN traffic when legacy (non-WMM) clients are deployed. When enabled on a WLAN, traffic forwarded to a client is prioritized and forwarded based on the WLAN's WMM access control setting.

NOTE: Statically setting a WLAN WMM access category value only prioritizes traffic to the client, not from the client.

Rate limits can be applied to WLANs using groups defined locally or externally from a RADIUS server using Vendor Specific Attributes (VSAs). Rate limits can be applied to authenticating users using 802.1X, captive portal authentication and MAC authentication.

6.3.1 Configuring Radio QoS Policies

To configure a radio's QoS policy:
1 Select Configuration > Wireless > Radio QoS Policy to display existing Radio QoS policies.

Figure 6-35 Radio QoS Policy screen

The Radio QoS Policy screen lists those radio QoS policies created thus far. Any of these policies can be selected and applied.

2 Refer to the following information listed for each existing Radio QoS policy:

Radio QoS Policy: Displays the name of each Radio QoS policy. This is the name set for each listed policy when it was created and cannot be modified as part of the policy edit process.
Firewall detection traffic Enable (e.g., SIP): A green check mark defines the policy as applying radio QoS settings to traffic detected by the Firewall. A red X defines the policy as having Firewall detection disabled. When enabled, the Firewall simulates the reception of frames for voice traffic when the voice traffic was originated via SIP or SCCP control traffic. If a client exceeds configured values, the call is stopped and/or received voice frames are forwarded at the next non admission controlled traffic class priority. This applies only to clients that do not send TSPEC frames.
Implicit TSPEC: A green check mark defines the policy as requiring wireless clients to send their traffic specifications to a controller or service platform managed Access Point before they can transmit or receive data. If enabled, this setting applies to just this radio's QoS policy. When enabled, the Access Point simulates the reception of frames for any traffic class by looking at the amount of traffic the client is receiving and sending. If the client sends more traffic than has been configured for an admission controlled traffic class, the traffic is forwarded at the priority of the next non admission controlled traffic class. This applies only to clients that do not send TSPEC frames.
Voice: A green check mark indicates that Voice prioritization QoS is enabled on the radio. A red X indicates Voice prioritization QoS is disabled on the radio.
Best Effort: A green check mark indicates that Best Effort QoS is enabled on the radio. A red X indicates Best Effort QoS is disabled on the radio.
Video: A green check mark indicates that Video prioritization QoS is enabled on the radio. A red X indicates Video prioritization QoS is disabled on the radio.
Background: A green check mark indicates that Background prioritization QoS is enabled on the radio. A red X indicates Background prioritization QoS is disabled on the radio.

3 Either select Add to create a new radio QoS policy, or select one of the existing policies listed and select the Edit button to modify its configuration. Optionally Copy or Rename QoS policies as needed.

Figure 6-36 Radio QoS Policy WMM screen

The Radio QoS Policy screen displays the WMM tab by default. Use the WMM tab to define the access category configuration (CWMin, CWMax, AIFSN and TXOP values) in respect to the type of wireless data planned for this new or updated WLAN radio QoS policy.

4 Set the following Voice Access settings for the Radio QoS policy:
Transmit Ops
    Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. When resources are shared between a Voice over IP (VoIP) call and a low priority file transfer, bandwidth is normally exploited by the file transfer, thus reducing call quality or even causing the call to disconnect. With voice QoS, a VoIP call (a real-time session) receives priority, maintaining a high level of voice quality. For higher-priority traffic categories (like voice), the Transmit Ops value should be set to a low number. The default value is 47.

AIFSN
    Set the current AIFSN between 1-15. Higher-priority traffic categories (like voice) should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default value is 1.

ECW Min
    The ECW Min is combined with the ECW Max to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. The available range is from 0-15. The default value is 2.

ECW Max
    The ECW Max is combined with the ECW Min to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic. The available range is from 0-15. The default value is 3.

5 Set the following Normal (Best Effort) Access settings for the radio QoS policy:
Transmit Ops
    Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number. The default value is 0.

AIFSN
    Set the current AIFSN between 1-15. Lower priority traffic categories should have higher AIFSNs than higher priority traffic categories. This causes lower priority traffic to wait longer before attempting access. The default value is 3.

ECW Min
    The ECW Min is combined with the ECW Max to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Normal). The available range is from 0-15. The default value is 4.

ECW Max
    The ECW Max is combined with the ECW Min to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Normal). The available range is from 0-15. The default value is 6.

6 Set the following Video Access settings for the Radio QoS policy:
Transmit Ops
    Use the spinner control to set the maximum duration a radio can transmit after obtaining a transmit opportunity. For higher-priority traffic categories (like video), this value should be set to a low number. The default value is 94.

AIFSN
    Set the current AIFSN between 1-15. Higher-priority traffic categories should have lower AIFSNs than lower-priority traffic categories. This causes lower-priority traffic to wait longer before attempting access. The default value is 1.

ECW Min
    The ECW Min is combined with the ECW Max to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic (like video). The available range is from 0-15. The default value is 3.

ECW Max
    The ECW Max is combined with the ECW Min to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Lower values are used for higher priority traffic (like video). The available range is from 0-15. The default value is 4.

7 Set the following Low (Background) Access settings for the radio QoS policy:
Transmit Ops
    Use the slider to set the maximum duration a device can transmit after obtaining a transmit opportunity. For higher-priority traffic categories, this value should be set to a low number. The default value is 0.

AIFSN
    Set the current AIFSN between 1-15. Lower priority traffic categories should have higher AIFSNs than higher priority traffic categories. This causes lower priority traffic to wait longer before attempting access. The default value is 7.

ECW Min
    The ECW Min is combined with the ECW Max to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Low). The available range is from 0-15. The default value is 4.

ECW Max
    The ECW Max is combined with the ECW Min to create a contention value in the form of a numerical range. From this range, a random number is selected for the back off mechanism. Higher values are used for lower priority traffic (like Low). The available range is from 0-15. The default value is 10.

8 Select OK when completed to update the radio QoS settings for this policy. Select Reset to revert the WMM screen back to its last saved configuration.

9 Select the Admission Control tab to configure an admission control configuration for the selected radio QoS policy. Admission control requires that clients send their traffic specifications (TSPEC) to a controller or service platform managed Access Point before they can transmit or receive data. The name of the Radio QoS policy to which the admission control settings apply displays in the banner of the QoS Policy screen.

Figure 6-37 Radio QoS Policy Admission Control screen

10 Select the Firewall detection traffic Enable (e.g., SIP) check box to apply admission control to traffic whose access category is detected by the firewall. This feature is enabled by default.
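The four WMM tables in steps 4-7 list AIFSN, ECW Min/Max and Transmit Ops per access category but only describe in words how they produce the priority ordering. The added example below (not WiNG code) turns those defaults into the resulting AIFS, contention-window range and TXOP duration, and checks a policy for the inverted-priority mistake that the deployment considerations warn against. It goes slightly beyond the page: the CW = 2^ECW - 1 formula and the 32 microsecond TXOP unit come from the 802.11 EDCA definition, and the 9 us slot / 16 us SIFS timings are assumed 802.11a/g values.

```python
"""WMM (EDCA) access category parameters, using the manual's defaults.

Added example, not code from the WiNG product. CW formula and TXOP unit are
802.11 EDCA definitions (not stated on the page); slot/SIFS are assumed
802.11a/g OFDM values.
"""
from dataclasses import dataclass
import random

SLOT_US = 9          # assumed 802.11a/g slot time
SIFS_US = 16         # assumed 802.11a/g SIFS
TXOP_UNIT_US = 32    # Transmit Ops is expressed in 32 us units (802.11e)


@dataclass(frozen=True)
class AccessCategory:
    name: str
    aifsn: int      # 1-15 on the WMM screen
    ecw_min: int    # 0-15
    ecw_max: int    # 0-15
    txop: int       # Transmit Ops, 32 us units

    def cw_min(self) -> int:
        return (1 << self.ecw_min) - 1

    def cw_max(self) -> int:
        return (1 << self.ecw_max) - 1

    def aifs_us(self) -> int:
        # AIFS = SIFS + AIFSN * slot: a lower AIFSN means earlier access
        return SIFS_US + self.aifsn * SLOT_US

    def txop_us(self) -> int:
        # 0 means one frame exchange per transmit opportunity
        return self.txop * TXOP_UNIT_US

    def backoff_slots(self, retry: int, rng: random.Random) -> int:
        # CW doubles on each retry from CWmin and is capped at CWmax;
        # the backoff counter is drawn uniformly from [0, CW]
        ecw = min(self.ecw_min + retry, self.ecw_max)
        return rng.randint(0, (1 << ecw) - 1)


# Defaults from steps 4-7, listed from highest to lowest priority
WMM_DEFAULTS = [
    AccessCategory("Voice", aifsn=1, ecw_min=2, ecw_max=3, txop=47),
    AccessCategory("Video", aifsn=1, ecw_min=3, ecw_max=4, txop=94),
    AccessCategory("Best Effort", aifsn=3, ecw_min=4, ecw_max=6, txop=0),
    AccessCategory("Background", aifsn=7, ecw_min=4, ecw_max=10, txop=0),
]


def validate_policy(acs):
    """Return a list of problems; empty means the categories (given in
    priority order) keep the ordering the manual describes: higher
    priority has a lower or equal AIFSN and a smaller or equal CWmin."""
    problems = []
    for ac in acs:
        if not 1 <= ac.aifsn <= 15:
            problems.append(f"{ac.name}: AIFSN {ac.aifsn} outside 1-15")
        if not (0 <= ac.ecw_min <= 15 and 0 <= ac.ecw_max <= 15):
            problems.append(f"{ac.name}: ECW values outside 0-15")
        if ac.ecw_min > ac.ecw_max:
            problems.append(f"{ac.name}: ECW Min {ac.ecw_min} exceeds "
                            f"ECW Max {ac.ecw_max}")
    for hi, lo in zip(acs, acs[1:]):
        if hi.aifsn > lo.aifsn:
            problems.append(f"{hi.name} AIFSN {hi.aifsn} > {lo.name} AIFSN "
                            f"{lo.aifsn}: priority inverted")
        if hi.cw_min() > lo.cw_min():
            problems.append(f"{hi.name} CWmin {hi.cw_min()} > {lo.name} "
                            f"CWmin {lo.cw_min()}: priority inverted")
    return problems


def mean_first_access_us(ac, samples=10000, seed=1):
    """Average wait (AIFS plus initial random backoff) before a first
    transmission attempt on an idle medium, by simulation."""
    rng = random.Random(seed)
    total = sum(ac.aifs_us() + ac.backoff_slots(0, rng) * SLOT_US
                for _ in range(samples))
    return total / samples


if __name__ == "__main__":
    for ac in WMM_DEFAULTS:
        print(f"{ac.name:12} AIFS={ac.aifs_us():3} us  "
              f"CW=[{ac.cw_min()},{ac.cw_max()}]  TXOP={ac.txop_us()} us  "
              f"mean wait={mean_first_access_us(ac):.1f} us")
    # A mis-edited policy: Voice given the Background AIFSN
    bad = [AccessCategory("Voice", 7, 2, 3, 47)] + WMM_DEFAULTS[1:]
    print(validate_policy(bad))
```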
11 Select the Implicit TSPEC check box to require wireless clients to send their traffic specifications to a controller or service platform managed Access Point before they can transmit or receive data. If enabled, this setting applies to just this radio's QoS policy. This feature is enabled by default.

12 Set the following Voice Access admission control settings for this radio QoS policy:
Enable Voice
    Select the check box to enable admission control for this policy's voice traffic. Only voice traffic admission control is enabled, not any of the other access categories (each access category must be separately enabled and configured).

Maximum Airtime
    Set the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for voice supported client traffic. The available percentage range is from 0-150%, with 150% being available to account for over-subscription. This value ensures the radio's bandwidth is available for high bandwidth voice traffic (if anticipated on the wireless medium) or other access category traffic if voice support is not prioritized. Voice traffic requires longer radio airtime to process, so set a longer airtime value if this radio QoS policy is intended to support voice. The default value is 75%.

Maximum Wireless Clients
    Set the number of voice supported wireless clients allowed to exist (and consume bandwidth) within the radio's QoS policy. Select from an available range of 0-256 clients. Consider setting this value proportionally to the number of other QoS policies supporting the voice access category, as wireless clients supporting voice use a greater proportion of resources than lower bandwidth traffic (like low and best effort categories). The default value is 100 clients.

Maximum Roamed Wireless Clients
    Set the number of voice supported wireless clients allowed to roam to a different radio. Select from a range of 0-256 clients. The default value is 10 roamed clients.

Reserved for Roam
    Set the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for voice supported clients who have roamed to a different radio. The available percentage range is from 0-150%, with 150% available to account for over-subscription. The default value is 10%.

13 Set the following Normal (Best Effort) Access admission control settings for this radio QoS policy:

Enable Best Effort
    Select the check box to enable admission control for this policy's normal (best effort) traffic. Only normal background traffic admission control is enabled, not any of the other access categories (each access category must be separately enabled and configured). This feature is disabled by default.

Maximum Airtime
    Set the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for normal background client traffic. The available percentage range is from 0-150%, with 150% being available to account for over-subscription. This value helps ensure the radio's bandwidth is available for lower bandwidth normal traffic (if anticipated to proliferate on the wireless medium). Normal background traffic only needs a short radio airtime to process, so set an intermediate airtime value if this radio QoS policy is reserved for background data support. The default value is 75%.

Maximum Wireless Clients
    Set the number of wireless clients supporting background traffic allowed to exist (and consume bandwidth) within the radio's QoS policy. Select from an available range of 0-256 clients. The default value is 100 clients.

Maximum Roamed Wireless Clients
    Set the number of normal (best effort) supported wireless clients allowed to roam to a different radio. Select from a range of 0-256 clients. The default value is 10 roamed clients.

Reserved for Roam
    Set the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for normal background supported clients who have roamed to a different radio. The available percentage range is from 0-150%, with 150% available to account for over-subscription. The default value is 10%.

14 Set the following Video Access admission control settings for this radio QoS policy:
Enable Video
    Select the check box to enable admission control for this policy's video traffic. Only video traffic admission control is enabled, not any of the other access categories (each access category must be separately enabled and configured). This feature is disabled by default.

Maximum Airtime
    Set the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for video supported client traffic. The available percentage range is from 0-150%, with 150% being available to account for over-subscription. This value helps ensure the radio's bandwidth is available for high bandwidth video traffic (if anticipated on the wireless medium) or other access category traffic if video support is not prioritized. Video traffic requires longer radio airtime to process, so set a longer airtime value if this radio QoS policy is intended to support video. The default value is 75%.

Maximum Wireless Clients
    Set the number of video supported wireless clients allowed to exist (and consume bandwidth) within the radio's QoS policy. Select from an available range of 0-256 clients. The default value is 100 clients.

Maximum Roamed Wireless Clients
    Set the number of video supported wireless clients allowed to roam to a different radio. Select from a range of 0-256 clients. The default value is 10 roamed clients.

Reserved for Roam
    Set the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for video supported clients who have roamed to a different radio. The available percentage range is from 0-150%, with 150% accounting for over-subscription. The default value is 10%.

15 Set the following Low (Background) Access admission control settings for this radio QoS policy:
Enable Background
    Select the check box to enable admission control for this policy's lower priority best effort traffic. Only low best effort traffic admission control is enabled, not any of the other access categories (each access category must be separately enabled and configured).

Maximum Airtime
    Set the maximum airtime (in the form of a percentage of the radio's bandwidth) allotted to admission control for low, best effort, client traffic. The available percentage range is from 0-150%, with 150% being available to account for over-subscription. Best effort traffic only needs a short radio airtime to process, so set an intermediate airtime value if this radio QoS policy is reserved to support background data. The default value is 75%.

Maximum Wireless Clients
    Set the number of low and best effort supported wireless clients allowed to exist (and consume bandwidth) within the radio's QoS policy. Select from an available range of 0-256 clients. The default value is 100 clients.

Maximum Roamed Wireless Clients
    Set the number of low and best effort supported wireless clients allowed to roam to a different radio. Select from a range of 0-256 clients. The default value is 10 roamed clients.

Reserved for Roam
    Set the roam utilization (in the form of a percentage of the radio's bandwidth) allotted to admission control for normal background supported clients who have roamed to a different radio. The available percentage range is from 0-150%, with 150% available to account for over-subscription. The default value is 10%.

16 Select the Multimedia Optimizations tab to set the advanced multimedia QoS and Smart Aggregation configuration for the selected radio QoS policy.

17 Set the following Accelerated Multicast settings for this radio QoS policy:
Figure 6-38 Radio QoS Policy Multimedia Optimizations screen

Maximum multicast streams allowed
    Specify the maximum number of multicast streams (between 0 and 256) permitted to use accelerated multicast. The default value is 25.

When wireless client count exceeds the above limit
    When the wireless client count using accelerated multicast exceeds the maximum number, set the radio to either Reject new wireless clients or Revert existing clients to a non-accelerated state.

Maximum multicast streams per client
    Specify the maximum number of multicast streams (between 1 and 4) wireless clients can use. The default value is 2.

Packets per second for multicast flow for it to be accelerated
    Specify the threshold of multicast packets per second (between 1 and 500) that triggers acceleration for wireless clients. The default value is 25.

Timeout for wireless clients
    Specify a timeout value in seconds (between 5 and 6,000) after which wireless clients revert to a non-accelerated state. The default value is 60.

18 Define the following Smart Aggregation settings:
Smart Aggregation enhances frame aggregation by dynamically selecting the time when the aggregated frame is transmitted. In typical frame aggregation, an aggregated frame is sent when it meets one of these conditions:

- When a preconfigured number of aggregated frames is reached
- When an administrator defined interval has elapsed since the first frame (of a set of frames to be aggregated) was received
- When an administrator defined interval has elapsed since the last frame (not necessarily the final frame) of a set of frames to be aggregated was received

With this enhancement, an aggregation delay is set uniquely for each traffic class. For example, voice traffic might not be aggregated, but sent immediately, whereas background data traffic is given a delay for aggregating frames, and these aggregated frames are then sent.

Smart Aggregation
    Select to enable smart aggregation and dynamically define when an aggregated frame is transmitted. Smart aggregation is disabled by default.

Max Delay for Best Effort
    Set the maximum time (in milliseconds) to delay best effort traffic. The default setting is 150 milliseconds.

Max Delay for Background
    Set the maximum time (in milliseconds) to delay background traffic. The default setting is 250 milliseconds.

Max Delay for Streaming Video
    Set the maximum time (in milliseconds) to delay streaming video traffic. The default setting is 150 milliseconds.

Max Delay for Video Conferencing
    Set the maximum time (in milliseconds) to delay video conferencing traffic. The default setting is 40 milliseconds.

Max Delay for Voice
    Set the maximum time (in milliseconds) to delay voice traffic. The default setting is 0 milliseconds.

Minimum frames per Aggregate limit
    Set the minimum number of frames to aggregate in a frame before it is transmitted. The default setting is 8 frames.

Max Mesh Links
    Set the maximum number of mesh hops for smart aggregation. The default setting is 3.

Select OK to update the radio QoS settings for this policy. Select Reset to revert to the last saved configuration.
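The Smart Aggregation description above gives the release conditions and per-class delays in prose. The added simulation below (not WiNG code) implements the two conditions that have parameters on this screen, the Minimum frames per Aggregate limit and the per-class Max Delay, with the page's defaults, and shows why a 0 ms voice delay means voice is never held. The page's third trigger (an interval since the last received frame) has no parameter on this screen and is not modelled.

```python
"""Per-traffic-class frame aggregation with Smart Aggregation's defaults.

Added example, not WiNG code. Delays and frame limit are the defaults from
the Smart Aggregation table; the 'interval since last frame' trigger is not
exposed on the screen and is left out.
"""
from dataclasses import dataclass, field

# Defaults from the manual, in milliseconds; 0 means "send immediately"
MAX_DELAY_MS = {
    "best_effort": 150,
    "background": 250,
    "streaming_video": 150,
    "video_conferencing": 40,
    "voice": 0,
}
MIN_FRAMES_PER_AGGREGATE = 8


@dataclass
class _Pending:
    first_ms: float                  # arrival time of the first held frame
    frames: list = field(default_factory=list)


class SmartAggregator:
    def __init__(self, max_delay_ms=None, min_frames=MIN_FRAMES_PER_AGGREGATE):
        self.max_delay_ms = dict(max_delay_ms or MAX_DELAY_MS)
        self.min_frames = min_frames
        self._pending = {}           # traffic class -> _Pending
        self.sent = []               # (time_ms, class, [frames]) in order

    def offer(self, now_ms, traffic_class, frame):
        """Queue one frame; return the aggregate transmitted now, if any."""
        if traffic_class not in self.max_delay_ms:
            raise ValueError(f"unknown traffic class {traffic_class!r}")
        self.tick(now_ms)            # release anything whose delay expired
        if self.max_delay_ms[traffic_class] == 0:
            # Voice by default: no aggregation delay, goes out at once
            agg = (now_ms, traffic_class, [frame])
            self.sent.append(agg)
            return agg
        pend = self._pending.setdefault(traffic_class,
                                        _Pending(first_ms=now_ms))
        pend.frames.append(frame)
        if len(pend.frames) >= self.min_frames:
            return self._flush(now_ms, traffic_class)
        return None

    def tick(self, now_ms):
        """Advance the clock; flush classes whose max delay has elapsed."""
        flushed = []
        for tc in list(self._pending):
            if now_ms - self._pending[tc].first_ms >= self.max_delay_ms[tc]:
                flushed.append(self._flush(now_ms, tc))
        return flushed

    def _flush(self, now_ms, traffic_class):
        pend = self._pending.pop(traffic_class)
        agg = (now_ms, traffic_class, pend.frames)
        self.sent.append(agg)
        return agg


def demo():
    """Constructed traffic: background trickles in and is released by its
    250 ms budget, best effort is released by the 8th frame, voice is
    transmitted the moment it arrives."""
    a = SmartAggregator()
    for i in range(3):                       # background at 0, 10, 20 ms
        a.offer(10 * i, "background", f"bg{i}")
    for t in range(30, 38):                  # 8 best-effort frames, 30-37 ms
        a.offer(t, "best_effort", f"be{t}")
    a.offer(40, "voice", "v0")               # voice: delay 0
    a.tick(300)                              # background budget expired
    return a.sent


if __name__ == "__main__":
    for when, tc, frames in demo():
        print(f"{when:>4} ms  {tc:16} {len(frames)} frame(s)")
```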
6.3.2 Radio QoS Configuration and Deployment Considerations

Before defining a radio QoS policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:
- To support QoS, each multimedia application, wireless client and WLAN is required to support WMM.
- WMM enabled clients can co-exist with non-WMM clients on the same WLAN. Non-WMM clients are always assigned a Best Effort access category.
- Default WMM values should be used for all deployments. Changing these values can lead to unexpected traffic blockages, and the blockages might be difficult to diagnose.
- Overloading an Access Point radio with too much high priority traffic (especially voice) degrades overall service quality for all users.
- TSPEC admission control is only available with newer voice over WLAN phones. Many legacy voice devices do not support TSPEC or even WMM traffic prioritization.

6.4 Association ACL

An association ACL is a policy-based ACL that either prevents or allows wireless clients from connecting to a WLAN. An association ACL affords a system administrator the ability to grant or restrict client access by specifying a wireless client MAC address or range of MAC addresses to either include or exclude from connectivity.

Association ACLs are applied to WLANs as an additional access control mechanism. They can be applied to WLANs from within a WLAN Policy's Advanced configuration screen. For more information on applying an existing Association ACL to a WLAN, see Configuring Advanced WLAN Settings.

To define an association ACL deployable with a WLAN:
1 Select Configuration > Wireless > Association ACL to display existing Association ACLs. The Association Access Control List (ACL) screen lists those Association ACL policies created thus far. Any of these policies can be selected and applied.

Figure 6-39 Association Access Control List (ACL) screen

2 Select Add to define a new ACL configuration, Edit to modify an existing ACL configuration or Delete to remove one. Optionally Copy or Rename a list as needed. A unique Association ACL screen displays for defining the new ACL or modifying a selected ACL.

Figure 6-40 Association Access Control List (ACL) screen

3 Select the + Add Row button to add an association ACL template.

4 Set the following parameters for the creation or modification of the Association ACL:
Association ACL
    If creating a new association ACL, provide a name specific to its function. Avoid naming it after the WLAN it may support. The name cannot exceed 32 characters.

Precedence
    The rules within a WLAN's ACL are applied to packets based on their precedence values. Every rule has a unique sequential precedence value you define. You cannot add two rules with the same precedence. The default precedence is 1, so be careful to prioritize ACLs accordingly as they are added.

Starting MAC Address
    Provide a starting MAC range address for clients requesting association.

Ending MAC Address
    Provide an ending MAC range address for clients requesting association.

Allow/Deny
    Use the drop-down menu to either Allow or Deny access if a MAC address matches this rule.

5 Select the + Add Row button to add MAC address ranges and allow/deny designations.

6 Select OK to update the Association ACL settings. Select Reset to revert to the last saved configuration.

6.4.1 Association ACL Deployment Considerations

Before defining an Association ACL configuration and applying it to a WLAN, refer to the following deployment guidelines to ensure the configuration is optimally effective:
- Use the Association ACL screen strategically to name and configure ACL policies meeting the requirements of the particular WLANs they may map to. However, be careful not to name ACLs after specific WLANs, as individual ACL policies can be used by more than one WLAN.
- You cannot apply more than one MAC based ACL to a Layer 2 interface. If a MAC ACL is already configured on a Layer 2 interface, and a new MAC ACL is applied to the interface, the new ACL replaces the previously configured one.

6.5 Smart RF Policy

Self Monitoring At Run Time RF Management (Smart RF) is a WiNG innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.

A Smart RF policy can reduce deployment costs by scanning the RF environment to determine the best channel and transmit power configuration for each radio. Smart RF policies can be applied to specific RF Domains, to apply site specific deployment configurations and self-healing values to groups of devices within pre-defined physical RF coverage areas.

Smart RF centralizes the decision process and makes intelligent RF configuration decisions using information obtained from the RF environment. Smart RF helps reduce ongoing management and maintenance costs by constantly monitoring the network for external interference, neighbor interference, non-WiFi interference and client connectivity. Smart RF then intelligently applies various algorithms to arrive at the optimal channel and power selection for all Access Points in the network and constantly reacts to changes in the RF environment.

Smart RF also provides self-healing functions by monitoring the network in real-time and provides automatic mitigation from potentially problematic events such as radio interference, non-WiFi interference (noise), external WiFi interference, coverage holes and radio failures.
Smart RF employs self-healing to enable a WLAN to better maintain wireless client performance and site coverage during dynamic RF environment changes, which typically require manual reconfiguration to resolve.

Smart RF is supported on any RF Domain manager. In standalone environments, individual controllers, service platforms or Access Points manage the calibration and monitoring phases. In clustered environments, a single controller or service platform is elected a Smart RF master and the remaining cluster members operate as Smart RF clients. In cluster operation, the Smart RF master co-ordinates the calibration and configuration and, during the monitoring phase, receives information from the Smart RF clients.

If a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS, it will switch channels if radar is detected:

- If Smart RF is enabled, the radio picks a channel defined in the Smart RF policy.
- If Smart RF is disabled, but a Smart RF policy is mapped, the radio picks a channel specified in the Smart RF policy.
- If no Smart RF policy is mapped, the radio selects a random channel.

If the radio is a dedicated sensor, it stops termination on that channel if a neighboring Access Point detects radar. The Access Point attempts to come back to its original channel (statically configured or selected by Smart RF) after the channel evacuation period has expired. Change this behavior using a no dfs-rehome command from the controller or service platform CLI. This keeps the radio on the newly selected channel and prevents the radio from coming back to the original channel, even after the channel evacuation period.

NOTE: RF planning must be performed to ensure overlapping coverage exists at a deployment site for Smart RF to be a viable network performance tool. Smart RF can only provide recovery when Access Points are deployed appropriately.
Smart RF is not a solution, it's a temporary measure. Administrators need to determine the root cause of RF deterioration and fix it. Smart RF history/events can assist. To define a Smart RF policy:
1 Select Configuration > Wireless > Smart RF Policy to display existing Smart RF policies. The Smart RF screen lists those Smart RF policies created thus far. Any of these policies can be selected and applied. The user has the option of displaying the configurations of each Smart RF Policy defined thus far, or referring to the Smart RF Browser and either selecting individual Smart RF policies or selecting existing RF Domains to review which Smart RF policies have been applied. For more information on how RF Domains function, and how to apply a Smart RF policy, see About RF Domains and Managing RF Domains.

Figure 6-41 Smart RF Policy screen

2 Refer to the following configuration data for existing Smart RF policies:
Smart RF Policy
    Displays the name assigned to the Smart RF policy when it was initially created. The name cannot be modified as part of the edit process.

Smart RF Policy Enable
    Displays a green check mark if Smart RF has been enabled for the listed policy. A red X designates the policy as being disabled.

Interference Recovery
    Displays a green check mark if interference recovery has been enabled for the listed policy. A red X designates interference recovery as being disabled.

Coverage Hole Recovery
    Displays a green check mark if coverage hole recovery has been enabled for the listed policy. A red X designates coverage hole recovery as being disabled.

Neighbor Recovery
    Displays a green check mark if neighbor recovery has been enabled for the listed policy. A red X designates neighbor recovery as being disabled.

3 Select Add to create a new Smart RF policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies from the list of those available. Optionally Copy or Rename a list as needed. The Basic Configuration screen displays by default for the new or modified Smart RF policy.

4 Refer to the Basic Settings field to enable a Smart RF policy and define its sensitivity and detector status.

Figure 6-42 Smart RF Basic Configuration screen

Sensitivity
    Select a radio button corresponding to the desired Smart RF sensitivity. Options include Low, Medium, High and Custom. Medium is the default setting. The Custom option allows an administrator to adjust the parameters and thresholds for Interference Recovery, Coverage Hole Recovery and Neighbor Recovery. Using the Low, Medium (recommended) and High settings still allows these features to be utilized.

SMART RF Policy Enable
    Select the Smart RF Policy Enable check box to enable this Smart RF policy for immediate support or inclusion with an RF Domain. Smart RF is enabled by default.
Interference Recovery
    Select the check box to enable Interference Recovery from neighboring radios and other sources of WiFi and non-WiFi interference when excess noise and interference is detected within the Smart RF supported radio coverage area. Smart RF provides mitigation from interference sources by monitoring the noise levels and other RF parameters on an Access Point radio's current channel. When a noise threshold is exceeded, Smart RF can select an alternative channel with less interference. To avoid channel flapping, a hold timer is defined which disables interference avoidance for a specific period of time upon detection. Interference Recovery is enabled by default.

Coverage Hole Recovery
    Select the check box to enable Coverage Hole Recovery when a radio coverage hole is detected within the Smart RF supported radio coverage area. When a coverage hole is detected, Smart RF first determines the power increase needed based on the signal to noise ratio for a client as seen by the Access Point radio. If a client's signal to noise value is above the threshold, the transmit power is increased until the signal to noise rate falls below the threshold.

Neighbor Recovery
    Select the check box to enable Neighbor Recovery when a failed radio is detected within the Smart RF supported radio coverage area. Smart RF can provide automatic recovery by instructing neighboring APs to increase their transmit power to compensate for the coverage loss. Neighbor recovery is enabled by default when the sensitivity setting is medium.

5 Refer to the Calibration Assignment field to define whether Smart RF Calibration and radio grouping is conducted by area or floor. Both options are disabled by default.

6 Select OK to update the Smart RF Basic Configuration settings for this policy. Select Reset to revert to the last saved configuration.

7 Select Channel and Power.
Use the Channel and Power screen to refine Smart RF power settings over both 5 and 2.4 GHz radios and select channel settings with respect to the device channel usage.

Figure 6-43 Smart RF Channel and Power screen

NOTE: The Power Settings and Channel Settings parameters are only enabled when Custom or Medium is selected as the Sensitivity setting from the Basic Configuration screen.

8 Refer to the Power Settings field to define Smart RF recovery settings for either the selected 5.0 GHz (802.11a) or 2.4 GHz (802.11bg) radio.

5 GHz Minimum Power
    Use the spinner control to select a 1 - 20 dBm minimum power level for Smart RF to assign to a radio in the 5 GHz band. 4 dBm is the default setting.

5 GHz Maximum Power
    Use the spinner control to select a 1 - 20 dBm maximum power level Smart RF can assign to a radio in the 5 GHz band. 17 dBm is the default setting.

2.4 GHz Minimum Power
    Use the spinner control to select a 1 - 20 dBm minimum power level Smart RF can assign to a radio in the 2.4 GHz band. 4 dBm is the default setting.

2.4 GHz Maximum Power
    Use the spinner control to select a 1 - 20 dBm maximum power level Smart RF can assign to a radio in the 2.4 GHz band. 17 dBm is the default setting.

9 Set the following Channel Settings for the 5.0 GHz and 2.4 GHz radios:
5 GHz Channels
    Use the Select drop-down menu to define the 5 GHz channels used for Smart RF assignments.

5 GHz Channel Width
    20 and 40 MHz channel widths are supported by the 802.11a radio. 20/40 MHz operation (the default setting for the 5 GHz radio) allows the Access Point to receive packets from clients using 20 MHz of bandwidth while transmitting a packet using 40 MHz bandwidth. This mode is supported for 11n users on both the 2.4 and 5 GHz radios. If an 11n user selects two channels (a Primary and Secondary channel), the system is configured for dynamic 20/40 operation. When 20/40 is selected, clients can take advantage of wider channels. 802.11n clients experience improved throughput using 40 MHz while legacy clients (either 802.11a or 802.11b/g depending on the radio selected) can still be serviced without interruption using 20 MHz. Select Automatic to enable automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources. 40 MHz is the default setting. If deploying an 802.11ac supported Access Point, 80 MHz channel width options are available as well.

2.4 GHz Channels
    Set the 2.4 GHz channels used in Smart RF scans.

2.4 GHz Channel Width
    20 and 40 MHz channel widths are supported by the 802.11a radio. 20 MHz is the default setting for 2.4 GHz radios. 20/40 MHz operation (the default setting for the 5 GHz radio) allows the Access Point to receive packets from clients using 20 MHz of bandwidth while transmitting a packet using 40 MHz bandwidth. This mode is supported for 11n users on both the 2.4 and 5 GHz radios. If an 11n user selects two channels (a Primary and Secondary channel), the system is configured for dynamic 20/40 operation. When 20/40 is selected, clients can take advantage of wider channels. 802.11n clients experience improved throughput using 40 MHz while legacy clients (either 802.11a or 802.11b/g depending on the radio selected) can still be serviced without interruption using 20 MHz. Select Automatic to enable automatic assignment of channels to working radios to avoid channel overlap and avoid interference from external RF sources. 20 MHz is the default setting.

10 Select + Add Row and set the following Area Based Channel Settings for the Smart RF policy:
Area: Specify the deployment area assigned to the listed policy when deployed, as a means of identifying the devices' physical locations.

Band: Specify the radio band, either 2.4 GHz or 5 GHz, for the Smart RF policy assigned to the specified area.

Channel List: Specify the channels associated with the Smart RF policy for the specified area and band.

11 Select OK to update the Smart RF Channel and Power settings for this policy. Select Reset to revert to the last saved configuration.

12 Select the Scanning Configuration tab.

Figure 6-44 Smart RF Scanning Configuration screen

NOTE: The monitoring and scanning parameters within the Scanning Configuration screen are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen.

13 Enable or disable Smart Monitoring Enable. The feature is enabled by default. When enabled, detector radios monitor their coverage areas for potential failed peers or coverage area holes requiring transmission adjustments for coverage compensation.

14 Select + Add Row and set OCS Monitoring Awareness Settings for the Smart RF policy:
Threshold: Select this option and specify a threshold from 10 - 10,000. When the threshold is reached, awareness settings are overridden with the values specified in the table.

Index: Select an Index value from 1 - 3 for awareness overrides. The overrides are executed based on index, with the lowest index being executed first.

Day: Use the drop-down menu to select a day of the week to apply the override. Selecting All will apply the policy every day. Selecting weekends will apply the policy on Saturdays and Sundays only. Selecting weekdays will apply the policy on Monday, Tuesday, Wednesday, Thursday and Friday. Selecting individual days of the week will apply the policy only on the selected day.

Start Time: This value sets the starting time of day(s) at which the overrides will be activated. Use the spinner controls to select the hour and minute, in 12h time format. Then use the radio button to choose AM or PM.

End Time: This value sets the ending time of day(s) at which the overrides will be disabled. Use the spinner controls to select the hour and minute, in 12h time format. Then use the radio button to choose AM or PM.

15 Set the following Scanning Configurations for both the 2.4 and 5.0 GHz radio bands:
Duration: Set a channel scan duration (from 20 - 150 milliseconds) Access Point radios use to monitor devices within the network and, if necessary, perform self healing and neighbor recovery to compensate for coverage area losses within an RF Domain. The default setting is 50 milliseconds for both the 2.4 and 5 GHz bands.

Frequency: Set the scan frequency using the drop-down menu. Set a scan frequency in either Seconds (1 - 120) or Minutes (0 - 2). The default setting is 6 seconds for both the 5 and 2.4 GHz bands.

Extended Scan Frequency: Use the spinner control to set an extended scan frequency between 0 - 50. This is the frequency at which radios scan channels other than those of their peer radios. The default setting is 5 for both the 5 and 2.4 GHz bands.

Sample Count: Use the spinner control to set a sample scan count value between 1 - 15. This is the number of RF readings radios gather before they send the data to the Smart RF master. The default setting is 5 for both the 5 and 2.4 GHz bands.

Client Aware Scanning: Set a client awareness count (number of clients from 1 - 255) for off channel scans of either the 5 GHz or 2.4 GHz band.

Power Save Aware Scanning: Select either the Dynamic, Strict or Disable radio button to define how power save scanning is set for Smart RF. Strict disables smart monitoring as long as a power save capable client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a power save client at the radio. The default setting is Dynamic for both the 5 and 2.4 GHz bands.

Voice Aware Scanning: Select either the Dynamic, Strict or Disable radio button to define how voice aware recognition is set for Smart RF. Strict disables smart monitoring as long as a voice client is associated to a radio. Dynamic disables smart monitoring as long as there is data buffered for a voice client at the radio. The default setting is Dynamic for both the 5 and 2.4 GHz bands.

Transmit Load Aware Scanning: Select this option to set a transmit load percentage from 1 - 100 serving as a threshold before scanning is avoided for an Access Point's 2.4 GHz radio.

16 Select OK to update the Smart RF Scanning Configuration settings for this policy. Select Reset to revert to the last saved configuration.

17 Select Recovery.

NOTE: The recovery parameters within the Neighbor Recovery, Interference and Coverage Hole Recovery tabs are only enabled when Custom is selected as the Sensitivity setting from the Basic Configuration screen.

The Neighbor Recovery tab displays by default. Use the Neighbor, Interference and Coverage Hole recovery tabs to define how 5 and 2.4 GHz radios compensate for failed neighbor radios, interference impacting the Smart RF supported network and detected coverage holes requiring neighbor radio intervention.
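The awareness settings in step 15 are easier to reason about as a chain of vetoes on the radio's next off-channel scan. The following is an added example written for this page, not WiNG code: it checks a Scanning Configuration against the ranges the guide states, reports the share of airtime the Duration/Frequency pair takes off channel, and applies the Client Aware, Power Save Aware, Voice Aware and Transmit Load Aware rules to a constructed radio snapshot. The RadioState field names and the reading that Client Aware suppresses scanning once the associated client count reaches the configured number are assumptions; the guide gives only the range.

```python
# Added example (not WiNG code): models how the Scanning Configuration
# awareness settings gate a radio's off-channel scan, so that a Smart RF
# policy can be sanity-checked before it is pushed to an RF Domain.
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class Aware(Enum):
    """Power Save Aware / Voice Aware Scanning radio buttons."""
    DISABLE = "disable"
    DYNAMIC = "dynamic"   # suppress only while data is buffered for such a client
    STRICT = "strict"     # suppress while any such client is associated


@dataclass
class ScanConfig:
    duration_ms: int = 50                     # 20 - 150 ms, default 50
    frequency_s: int = 6                      # 1 - 120 s between scans, default 6
    extended_scan_frequency: int = 5          # 0 - 50, default 5
    sample_count: int = 5                     # 1 - 15 readings before reporting, default 5
    client_aware_count: Optional[int] = None  # 1 - 255; None = not configured
    power_save_aware: Aware = Aware.DYNAMIC
    voice_aware: Aware = Aware.DYNAMIC
    tx_load_aware_pct: Optional[int] = None   # 1 - 100; None = not configured


@dataclass
class RadioState:
    """Constructed snapshot of one radio; these field names are assumptions."""
    clients: int = 0
    power_save_clients: int = 0
    power_save_buffered: bool = False
    voice_clients: int = 0
    voice_buffered: bool = False
    tx_load_pct: int = 0


def validate(cfg: ScanConfig) -> List[str]:
    """Return the ranges from the guide that the configuration violates."""
    errors: List[str] = []
    if not 20 <= cfg.duration_ms <= 150:
        errors.append("Duration must be 20 - 150 ms")
    if not 1 <= cfg.frequency_s <= 120:
        errors.append("Frequency must be 1 - 120 seconds")
    if not 0 <= cfg.extended_scan_frequency <= 50:
        errors.append("Extended Scan Frequency must be 0 - 50")
    if not 1 <= cfg.sample_count <= 15:
        errors.append("Sample Count must be 1 - 15")
    if cfg.client_aware_count is not None and not 1 <= cfg.client_aware_count <= 255:
        errors.append("Client Aware count must be 1 - 255")
    if cfg.tx_load_aware_pct is not None and not 1 <= cfg.tx_load_aware_pct <= 100:
        errors.append("Transmit Load Aware percentage must be 1 - 100")
    return errors


def off_channel_airtime_pct(cfg: ScanConfig) -> float:
    """Share of airtime spent off channel: one Duration dwell every Frequency seconds."""
    return 100.0 * cfg.duration_ms / (cfg.frequency_s * 1000)


def scan_allowed(cfg: ScanConfig, radio: RadioState) -> Tuple[bool, str]:
    """Apply each awareness setting as a veto on the next off-channel scan."""
    # Assumption: Client Aware suppresses scanning once the client count reaches the setting.
    if cfg.client_aware_count is not None and radio.clients >= cfg.client_aware_count:
        return False, "client aware: %d clients associated" % radio.clients
    if cfg.power_save_aware is Aware.STRICT and radio.power_save_clients > 0:
        return False, "power save aware (strict): power save client associated"
    if cfg.power_save_aware is Aware.DYNAMIC and radio.power_save_buffered:
        return False, "power save aware (dynamic): data buffered for power save client"
    if cfg.voice_aware is Aware.STRICT and radio.voice_clients > 0:
        return False, "voice aware (strict): voice client associated"
    if cfg.voice_aware is Aware.DYNAMIC and radio.voice_buffered:
        return False, "voice aware (dynamic): data buffered for voice client"
    if cfg.tx_load_aware_pct is not None and radio.tx_load_pct >= cfg.tx_load_aware_pct:
        return False, "transmit load aware: load %d%% at or above threshold" % radio.tx_load_pct
    return True, "scan permitted"


if __name__ == "__main__":
    cfg = ScanConfig(client_aware_count=20, voice_aware=Aware.STRICT, tx_load_aware_pct=60)
    print(validate(cfg), "%.2f%% airtime off channel" % off_channel_airtime_pct(cfg))
    print(scan_allowed(cfg, RadioState(clients=5, voice_clients=1)))
```

With the defaults, a 50 ms dwell every 6 seconds costs well under one percent of airtime, which is why the guide can leave monitoring enabled by default; the awareness vetoes exist for the clients that notice even that short absence.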
18 Set the Hold Time for the Smart RF configuration.

Power Hold Time: Defines the minimum time between two radio power changes during neighbor recovery. Set the time in either Seconds (0 - 3,600), Minutes (0 - 60) or Hours (0 - 1). The default setting is 0 seconds.

Figure 6-45 Smart RF Advanced Configuration screen - Neighbor Recovery tab

19 Set the following Neighbor Recovery parameters:
5 GHz Neighbor Power Threshold: Use the spinner control to set a value between -85 to -55 dBm the 5.0 GHz radio uses as a maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within its wireless radio coverage area. The default value is -70 dBm.

2.4 GHz Neighbor Power Threshold: Use the spinner control to set a value between -85 to -55 dBm the 2.4 GHz radio uses as a maximum power increase threshold if the radio is required to increase its output power to compensate for a failed radio within its wireless radio coverage area. The default value is -70 dBm.

20 Set the following Dynamic Sample Recovery parameters:
Dynamic Sample Enabled: Select this option to enable dynamic sampling. Dynamic sampling enables an administrator to define how Smart RF adjustments are triggered by locking retry and threshold values. This setting is disabled by default.

Dynamic Sample Retries: Set the number of retries (from 1 - 10) attempted before a power level adjustment is implemented to compensate for a potential coverage hole. The default setting is 3.

Dynamic Sample Threshold: Set the minimum number of sample reports (from 1 - 30) before a Smart RF power compensation requires dynamic sampling. The default setting is 5.

21 Select OK to update the Smart RF Neighbor Recovery settings for this policy. Select Reset to revert to the last saved configuration.

22 Select the Interference Recovery tab.

Figure 6-46 Smart RF Advanced Configuration screen - Interference Recovery tab

23 Set the following Interference Recovery parameters:
Interference: Select the check box to allow the Smart RF policy to scan for excess interference from supported radio devices. WLANs are susceptible to sources of interference, such as neighboring radios, cordless phones, microwave ovens and Bluetooth devices. When interference from WiFi sources is detected, Smart RF supported devices can change the channel and move to a cleaner channel. This feature is enabled by default.

Noise: Select the check box to allow the Smart RF policy to scan for excess noise from WiFi devices. When detected, Smart RF supported devices can change their channel and move to a cleaner channel. This feature is enabled by default.

Noise Factor: Define the noise factor (level of network interference detected) taken into account by Smart RF during interference recovery calculations. The default setting is 1.50.

Channel Hold Time: Defines the minimum time between channel changes during neighbor recovery. Set the time in either Seconds (0 - 86,400), Minutes (0 - 1,440), Hours (0 - 24) or Days (0 - 1). The default setting is 30 minutes.

Client Threshold: Use the spinner to set a client threshold for the Smart RF policy between 1 - 255. If the set threshold number of clients are connected to a radio, it does not change its channel even though it requires one, based on the interference recovery determination made by the Smart RF master. The default is 50.

5 GHz Channel Switch Delta: Use the spinner to set a channel interference delta (between 5 - 35 dBm) for the 5.0 GHz radio. This parameter is the difference between interference levels on the current channel and a prospective channel. If the difference is below the configured threshold, the channel will not change. The default setting is 20 dBm.

2.4 GHz Channel Switch Delta: Use the spinner to set a channel interference delta (between 5 - 35 dBm) for the 2.4 GHz radio. This parameter is the difference between interference levels on the current channel and a prospective channel. If the difference is below the configured threshold, the channel will not change. The default setting is 20 dBm.

24 Select OK to update the Smart RF Interference Recovery settings for this policy. Select Reset to revert to the last saved configuration.

25 Select the Coverage Hole Recovery tab.

Figure 6-47 Smart RF Advanced Configuration screen - Coverage Hole Recovery tab

26 Set the following Coverage Hole Recovery for 2.4 GHz and 5.0 GHz parameters:
Client Threshold: Use the spinner to set a client threshold for the Smart RF policy between 1 - 255. This is the minimum number of clients a radio should have associated in order for coverage hole recovery to trigger. The default setting is 1.

SNR Threshold: Use the spinner control to set a signal to noise threshold (between 1 - 75 dB). This is the signal to noise threshold for an associated client as seen by its associated Access Point radio. When exceeded, the radio increases its transmit power in order to increase coverage for the associated client. The default value is 20 dB.

Coverage Interval: Define the interval coverage hole recovery should be initiated after a coverage hole is detected. The default is 10 seconds for both the 2.4 and 5.0 GHz radios.

Interval: Define the interval coverage hole recovery should be conducted before a coverage hole is detected. The default is 30 seconds for both the 2.4 and 5.0 GHz radios.

27 Select OK to update the Smart RF coverage hole recovery settings for this policy. Select Reset to revert to the last saved configuration.

6.5.1 Smart RF Configuration and Deployment Considerations

Smart RF Policy

Before defining a Smart RF policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:
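The Interference Recovery (step 23) and Coverage Hole Recovery (step 26) parameters interact with the Power Hold Time of step 18 and the Minimum/Maximum Power of step 8, and the effect of each threshold is clearest when the decision is written out. The following is an added example for this page, not WiNG code: a simplified model of the two recovery decisions using the guide's parameter names, ranges and defaults. Assumptions made here: a coverage hole is taken to exist when an associated client's SNR falls below SNR Threshold, transmit power is raised one step at a time, and the result is clamped to the band's configured power range; the Noise Factor and Dynamic Sample settings are not modelled.

```python
# Added example (not WiNG code): a simplified model of the Interference
# and Coverage Hole recovery decisions, using the guide's parameter names,
# ranges and defaults. Step size and SNR reading are assumptions.
from dataclasses import dataclass
from typing import Tuple


@dataclass
class PowerBounds:
    """Smart RF Minimum/Maximum Power for one band (1 - 20 dBm)."""
    min_dbm: int = 4
    max_dbm: int = 17


@dataclass
class InterferenceRecovery:
    enabled: bool = True            # Interference check box, enabled by default
    channel_hold_s: int = 30 * 60   # Channel Hold Time, default 30 minutes
    client_threshold: int = 50      # 1 - 255, default 50
    switch_delta_db: int = 20       # Channel Switch Delta, 5 - 35, default 20


@dataclass
class CoverageHoleRecovery:
    client_threshold: int = 1       # 1 - 255, default 1
    snr_threshold_db: int = 20      # 1 - 75 dB, default 20
    power_hold_s: int = 0           # Power Hold Time (step 18), default 0 seconds


def should_switch_channel(cfg: InterferenceRecovery, current_if_dbm: int,
                          candidate_if_dbm: int, clients: int,
                          secs_since_last_change: int) -> Tuple[bool, str]:
    """Decide whether interference recovery may move the radio to the candidate channel.

    The vetoes are evaluated cheapest first: feature off, hold time,
    client load, then the interference delta between the two channels.
    """
    if not cfg.enabled:
        return False, "interference recovery disabled"
    if secs_since_last_change < cfg.channel_hold_s:
        return False, "within channel hold time"
    if clients >= cfg.client_threshold:
        return False, "client threshold reached: %d clients" % clients
    delta = current_if_dbm - candidate_if_dbm   # how much quieter the candidate is
    if delta < cfg.switch_delta_db:
        return False, "delta %d dB below channel switch delta %d dB" % (delta, cfg.switch_delta_db)
    return True, "switch: candidate is %d dB cleaner" % delta


def coverage_hole_power(cfg: CoverageHoleRecovery, bounds: PowerBounds,
                        current_dbm: int, clients: int, worst_client_snr_db: int,
                        secs_since_power_change: int, step_db: int = 1) -> Tuple[int, str]:
    """Return the transmit power after one coverage hole recovery pass.

    Assumption: a coverage hole exists when the weakest associated client's
    SNR is below SNR Threshold; power rises by step_db and is clamped to the
    band's Minimum/Maximum Power.
    """
    if clients < cfg.client_threshold:
        return current_dbm, "fewer than %d clients associated" % cfg.client_threshold
    if worst_client_snr_db >= cfg.snr_threshold_db:
        return current_dbm, "no coverage hole: worst SNR %d dB" % worst_client_snr_db
    if secs_since_power_change < cfg.power_hold_s:
        return current_dbm, "within power hold time"
    new_dbm = max(bounds.min_dbm, min(current_dbm + step_db, bounds.max_dbm))
    if new_dbm == current_dbm:
        return current_dbm, "already at maximum power %d dBm" % bounds.max_dbm
    return new_dbm, "power raised to %d dBm" % new_dbm


if __name__ == "__main__":
    print(should_switch_channel(InterferenceRecovery(), -60, -85, 10, 3600))
    print(coverage_hole_power(CoverageHoleRecovery(), PowerBounds(), 10, 3, 12, 100))
```

The ordering matters operationally: with the default 30 minute Channel Hold Time a radio that has just moved cannot flap back even if the delta test would pass, and with the default Client Threshold of 50 a busy radio keeps its channel and the interference is left for the administrator to track down, which is the behaviour the deployment guidelines below describe.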
- The Smart RF calibration process impacts associated users and should not be run during business or production hours. The calibration process should be performed during scheduled maintenance intervals or non-business hours.
- For Smart RF to provide effective recovery, RF planning must be performed to ensure overlapping coverage exists at the deployment site. Smart RF can only provide recovery when Access Points are deployed appropriately.
- Smart RF is not a solution, it's a temporary measure. Administrators need to determine the root cause of RF deterioration and fix it. Smart RF history/events can assist.
- If a Smart RF managed radio is operating in WLAN mode on a channel requiring DFS, it will switch channels if radar is detected.
  - If Smart RF is enabled, the radio picks a channel defined in the Smart RF policy.
  - If Smart RF is disabled, but a Smart RF policy is mapped, the radio picks a channel specified in the Smart RF policy.
  - If no Smart RF policy is mapped, the radio selects a random channel.
  - If the radio is a dedicated sensor, it stops termination on that channel if a neighboring Access Point detects radar.
- The Access Point attempts to come back to its original channel (statically configured or selected by Smart RF) after the channel evacuation period has expired. Change this behavior using a no dfs-rehome command from the controller or service platform CLI. This keeps the radio on the newly selected channel and prevents the radio from coming back to the original channel, even after the channel evacuation period.

6.6 MeshConnex Policy

MeshConnex is a mesh networking technology that is comparable to the 802.11s mesh networking specification. MeshConnex meshing uses a hybrid proactive/on-demand path selection protocol, similar to Ad hoc On Demand Distance Vector (AODV) routing protocols. This allows it to form efficient paths using multiple attachment points to a distribution WAN, or form purely ad-hoc peer-to-peer mesh networks in the absence of a WAN. Each device in the MeshConnex mesh proactively manages its own path to the distribution WAN, but can also form peer-to-peer paths on demand to improve forwarding efficiency. MeshConnex is not compatible with MiNT Based meshing, though the two technologies can be enabled simultaneously in certain circumstances.

MeshConnex is designed for large-scale, high-mobility outdoor mesh deployments. MeshConnex continually gathers data from beacons and transmission attempts to estimate the efficiency and throughput of each MP-to-MP link. MeshConnex uses this data to dynamically form and continually maintain paths for forwarding network frames.

In MeshConnex systems, a mesh point (MP) is a virtual mesh networking instance on a device, similar to a WLAN AP. On each device, up to 4 MPs can be created and 2 can be created per radio. MPs can be configured to use one or both radios in the device. If the MP is configured to use both radios, the path selection protocols will continually select the best radio to reach each destination. Each MP participates in a single Mesh Network, defined by the MeshID. The MeshID is typically a descriptive network name, similar to the SSID of a WLAN. All MPs configured to use the same MeshID attempt to form a mesh and interoperate. The MeshID allows overlapping mesh networks to discriminate and disregard MPs belonging to different networks.

To define a MeshConnex policy:
1 Select Configuration > Wireless > MeshConnex Policy to display existing MeshConnex policies.

Figure 6-48 MeshConnex Policy screen

2 Refer to the following configuration data for existing MeshConnex policies:

Mesh Point Name: Displays the administrator assigned name of each listed mesh point.

Mesh ID: Displays the IDs (mesh identifiers) assigned to mesh points.

Mesh Point Status: Specifies the status of each configured mesh point (either Enabled or Disabled).

Descriptions: Displays any descriptive text provided by the administrator for each configured mesh point.

Control VLAN: Displays the VLAN (virtual interface ID) for the control VLAN on each of the configured mesh points.

Allowed VLANs: Displays the list of VLANs allowed on each configured mesh point.

Security Mode: Displays the security assigned to each configured mesh point. The field displays None for no security or PSK for pre-shared key authentication.

Mesh QoS Policy: Displays the mesh Quality of Service policy associated to each configured mesh point.

3 Select Add to create a new MeshConnex policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies from the list of those available. Optionally Copy or Rename a policy as needed. The Configuration screen displays by default for the new or modified MeshConnex policy.

Figure 6-49 MeshConnex Configuration screen

4 Refer to the Basic Configuration field to define a MeshConnex configuration.

Mesh Point Name: Specify a name for the new mesh point. The name should be descriptive to easily differentiate it from other mesh points. This field is mandatory.

Mesh Id: Specify a 32 character maximum mesh identifier for this mesh point. This field is optional.

Mesh Point Status: To enable this mesh point, click the Enabled radio button. To disable the mesh point, click the Disabled button. The default value is enabled.

Mesh QoS Policy: Use the drop-down menu to specify the mesh Quality of Service policy to use on this mesh point. This value is mandatory. If no suitable Mesh QoS policies exist, click the create icon to create a new Mesh QoS policy.

Beacon Format: Use the drop-down menu to specify the format for beacon transmissions. To use Access Point style beacons, select access-point from the drop-down menu. To use mesh point style beacons, select mesh-point. The default value is mesh-point.

Is Root: Select this option to specify the mesh point as a root in the mesh topology.

Control VLAN: Use the spinner control to specify a VLAN to carry meshpoint control traffic. The valid range for the control VLAN is between 1 and 4094. The default value is VLAN 1.

Allowed VLANs: Specify the VLANs allowed to pass traffic on the mesh point. Separate all VLANs with a comma. To specify a range of allowed VLANs, separate the starting VLAN and the ending VLAN with a hyphen.

Neighbor Inactivity Timeout: Specify a timeout in seconds, minutes, hours or days, up to a maximum of 1 day. This represents the allowed interval between frames received from a neighbor before their client privileges are revoked. The default value is 2 minutes.

Description: Enter a 64 character maximum description of the mesh point configuration.

5 Select OK to update the MeshConnex Configuration settings for this policy. Select Reset to revert to the last saved configuration.

6 Select the Security tab.

Figure 6-50 MeshConnex Security screen

7 Refer to the Select Authentication field to define an authentication method for the mesh policy.

Security Mode: Select a security authentication mode for the mesh point. Select None to have no authentication for the mesh point. Select EAP to use a secured credential exchange, dynamic keying and strong encryption. If selecting EAP, refer to the EAP PEAP Authentication field at the bottom of the screen and define the credentials of an EAP user and trustpoint. Select PSK to set a pre-shared key as the authentication for the mesh point. If PSK is selected, enter a pre-shared key in the Key Settings field.

8 Set the following Key Settings for the mesh point:
Pre-Shared Key: When the security mode is set as PSK, enter a 64 character HEX or an 8-63 ASCII character passphrase used for authentication on the mesh point.

9 Set the following Key Rotation for the mesh point:
Unicast Rotation Interval: Define an interval for unicast key transmission (30 - 86,400 seconds).

Broadcast Rotation Interval: When enabled, the key indices used for encrypting/decrypting broadcast traffic are alternately rotated based on the defined interval. Define an interval for broadcast key transmission in seconds (30 - 86,400). Key rotation enhances the broadcast traffic security on the WLAN.

10 Set the following EAP PEAP Authentication settings if using EAP to secure the mesh point:
User ID: Create a 32 character maximum user name for a peap-mschapv2 authentication credential exchange.

Password: Define a 32 character maximum password for the EAP PEAP username created above.

Trust Point: Provide the 64 character maximum name of the trustpoint used for installing the CA certificate and validating the server certificate.

EAP TLS: Provide the 64 character maximum name of the trustpoint used for installing the client certificate, client private key and CA certificate.

Type: Use the drop-down menu to select the EAP authentication method used by the supplicant. The default EAP type is PEAP-MS-CHAPv2.

EAP Identity: Enter the 32 character maximum identity string used during phase 1 authentication. This string does not need to represent the identity of the user; rather, it is an anonymous identity string.

AAA Policy: Select an existing AAA Policy from the drop-down menu to apply to this user's mesh point EAP configuration. Authentication, authorization, and accounting (AAA) is a framework for intelligently controlling access to the network, enforcing user authorization policies and auditing and tracking usage. These combined processes are central for securing wireless client resources and wireless network data flows.

11 Select OK to save the changes made to the configuration. Select Reset to revert to the last saved configuration.

12 Select the Radio Rates tab.

Figure 6-51 Radio Rate Settings

13 Set the following Radio Rates for both the 2.4 and 5 GHz radio bands:
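Steps 4 and 7 through 10 state a number of limits that the GUI enforces one field at a time: the Allowed VLANs comma-and-hyphen syntax with its 1 - 4094 range, the 64 hex or 8 - 63 ASCII character Pre-Shared Key, the 30 - 86,400 second rotation intervals, the 1 day Neighbor Inactivity Timeout, and the 32 and 64 character EAP field limits. The following is an added example for this page, not WiNG code: a parser for the Allowed VLANs syntax and a policy validator that checks all of those limits at once, which is useful when mesh point policies are generated or reviewed outside the GUI. The dictionary keys used for the policy are assumptions made for this example, not WiNG CLI keywords.

```python
# Added example (not WiNG code): validates a MeshConnex policy against the
# limits stated in the Basic Configuration and Security steps before it is
# pushed to a device. Dictionary keys are assumptions, not CLI keywords.
import string
from typing import Dict, List, Set


def parse_vlan_list(text: str) -> Set[int]:
    """Parse the Allowed VLANs syntax: comma separated IDs, ranges written as start-end."""
    vlans: Set[int] = set()
    for item in text.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty VLAN entry in %r" % text)
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError("descending VLAN range %r" % item)
            ids = range(lo, hi + 1)
        else:
            ids = range(int(item), int(item) + 1)
        for vid in ids:
            if not 1 <= vid <= 4094:
                raise ValueError("VLAN %d outside 1 - 4094" % vid)
            vlans.add(vid)
    return vlans


def is_valid_psk(key: str) -> bool:
    """Pre-Shared Key: exactly 64 hex characters, or an 8 - 63 character printable ASCII passphrase."""
    if len(key) == 64:
        return all(c in string.hexdigits for c in key)
    return 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key)


def validate_meshpoint(cfg: Dict[str, object]) -> List[str]:
    """Return human-readable problems; an empty list means the policy is acceptable."""
    errors: List[str] = []
    if not cfg.get("name"):
        errors.append("Mesh Point Name is mandatory")
    if len(str(cfg.get("mesh_id", ""))) > 32:
        errors.append("Mesh Id exceeds 32 characters")
    if len(str(cfg.get("description", ""))) > 64:
        errors.append("Description exceeds 64 characters")
    if not cfg.get("qos_policy"):
        errors.append("Mesh QoS Policy is mandatory")
    if not 1 <= int(cfg.get("control_vlan", 1)) <= 4094:   # default VLAN 1
        errors.append("Control VLAN must be 1 - 4094")
    try:
        parse_vlan_list(str(cfg.get("allowed_vlans", "1")))
    except ValueError as exc:
        errors.append("Allowed VLANs: %s" % exc)
    if int(cfg.get("neighbor_timeout_s", 120)) > 86400:      # default 2 minutes, maximum 1 day
        errors.append("Neighbor Inactivity Timeout exceeds 1 day")
    for key in ("unicast_rotation_s", "broadcast_rotation_s"):
        if key in cfg and not 30 <= int(cfg[key]) <= 86400:
            errors.append("%s must be 30 - 86,400 seconds" % key)
    mode = str(cfg.get("security_mode", "None"))
    if mode == "PSK":
        if not is_valid_psk(str(cfg.get("psk", ""))):
            errors.append("Pre-Shared Key must be 64 hex characters or 8 - 63 ASCII characters")
    elif mode == "EAP":
        for key, limit in (("eap_user_id", 32), ("eap_password", 32),
                           ("eap_identity", 32), ("trustpoint", 64), ("eap_tls_trustpoint", 64)):
            if len(str(cfg.get(key, ""))) > limit:
                errors.append("%s exceeds %d characters" % (key, limit))
    elif mode != "None":
        errors.append("Security Mode must be None, PSK or EAP")
    return errors


if __name__ == "__main__":
    # Constructed sample policy for demonstration.
    sample = {"name": "campus-mesh", "qos_policy": "default", "allowed_vlans": "10,20,30-35",
              "security_mode": "PSK", "psk": "correct horse battery staple"}
    print(sorted(parse_vlan_list(str(sample["allowed_vlans"]))), validate_meshpoint(sample))
```

Checking the passphrase form is worth doing before deployment rather than after: a 64 character value that is not all hex is neither a valid hex key nor a valid passphrase, and the validator rejects it instead of letting it be truncated or reinterpreted.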
2.4 GHz Mesh Point: Click the Select button to configure radio rates for the 2.4 GHz band. Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band. These are the rates at which wireless client traffic is supported within this mesh point. If supporting 802.11n, select a Supported MCS index. Set an MCS (modulation and coding scheme) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Mesh points can communicate as long as they support the same basic MCS (as well as non-11n basic rates). The selected rates apply to associated client traffic within this mesh point only.

5.0 GHz Mesh Point: Click the Select button to configure radio rates for the 5.0 GHz band. Define both minimum Basic and optimal Supported rates as required for 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates at which wireless client traffic is supported within this mesh point. If supporting 802.11n, select a Supported MCS index. Set an MCS (modulation and coding scheme) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Mesh points can communicate as long as they support the same basic MCS (as well as non-11n basic rates). The selected rates apply to associated client traffic within this mesh point only.

Figure 6-52 Advanced Rate Settings 2.4 GHz screen

Figure 6-53 Advanced Rate Settings 5 GHz screen

Define both minimum Basic and optimal Supported rates as required for the 802.11b rates, 802.11g rates and 802.11n rates supported by the 2.4 GHz band and 802.11a and 802.11n rates supported by the 5.0 GHz radio band. These are the rates at which wireless client traffic is supported within this mesh point. If supporting 802.11n, select a Supported MCS index. Set an MCS (modulation and coding scheme) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Clients can associate as long as they support basic MCS (as well as non-11n basic rates).

14 Select OK to save the changes made to the configuration. Select Reset to revert to the last saved configuration.

6.7 Mesh QoS Policy

Mesh Quality of Service (QoS) provides a data traffic prioritization scheme. QoS reduces congestion from excessive traffic. If there is enough bandwidth for all users and applications (unlikely because excessive bandwidth comes at a very high cost), then applying QoS has very little value.
QoS provides policy enforcement for mission-critical applications and/or users that have critical bandwidth requirements when bandwidth is shared by different users and applications. Mesh QoS helps ensure each mesh point on the mesh network receives a fair share of the overall bandwidth, either equally or as per the proportion configured. Packets directed towards clients are classified into categories such as video, voice and data. Packets within each category are processed based on the weights defined for each mesh point.

The Quality of Service screen displays a list of Mesh QoS policies available to mesh points. Each mesh QoS policy can be selected to edit its properties. If none of the existing Mesh QoS policies supports an ideal QoS configuration for the intended data traffic of this mesh point, select the Add button to create a new policy. Select an existing mesh QoS policy and select Edit to change the properties of the Mesh QoS policy.

To define a Mesh QoS policy:
1 Select Configuration > Wireless > Mesh QoS Policy to display existing Mesh QoS policies.

Figure 6-54 Mesh QoS Policy screen

2 Refer to the following configuration data for existing Mesh QoS policies:

Mesh QoS Policy: Displays the administrator assigned name of each mesh QoS policy.

Mesh Tx Rate Limit: Displays whether or not a Mesh Tx Rate Limit is enabled for each Mesh QoS policy. When the rate limit is enabled a green check mark is displayed; when it is disabled a red X is displayed.

Mesh Rx Rate Limit: Displays whether or not a Mesh Rx Rate Limit is enabled for each Mesh QoS policy. When the rate limit is enabled a green check mark is displayed; when it is disabled a red X is displayed.

Neighbor Rx Rate Limit: Displays whether or not a Neighbor Rx Rate Limit is enabled for each Mesh QoS policy. When the rate limit is enabled a green check mark is displayed; when it is disabled a red X is displayed.

Neighbor Tx Rate Limit: Displays whether or not a Neighbor Tx Rate Limit is enabled for each Mesh QoS policy. When the rate limit is enabled a green check mark is displayed; when it is disabled a red X is displayed.

Classification: Displays the forwarding QoS classification for each Mesh QoS policy. Classification types are Trust, Voice, Video, Best Effort and Background.

3 Select the Add button to define a new Mesh QoS policy, or select an existing Mesh QoS policy and select Edit to modify its existing configuration. Existing QoS policies can be selected and deleted as needed. Optionally Copy or Rename a policy as needed. The Rate Limit screen displays by default for the new or modified QoS policy.

Excessive traffic can cause performance issues or bring down the network entirely. Excessive traffic can be caused by numerous sources including network loops, faulty devices or malicious software such as a worm or virus that has infected one or more devices at the branch. Rate limiting limits the maximum rate sent to or received from the wireless network (and mesh point) per neighbor. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers.
An administrator can set separate QoS rate limit configurations for data transmitted from the network and data transmitted from a mesh point's neighbor back to their associated Access Point radios and managing controller or service platform. Before defining rate limit thresholds for mesh point transmit and receive traffic, define the normal number of ARP, broadcast, multicast and unknown unicast packets that typically transmit and receive from each supported WMM access category. If thresholds are defined too low, normal network traffic (required by end-user devices) is dropped, resulting in intermittent outages and performance problems. A connected neighbor can also have QoS rate limit settings defined in both the transmit and receive direction.

4 Configure the following parameters in respect to the intended From Air Upstream Rate Limit, or traffic from the controller to associated Access Point radios and their associated neighbor:
Figure 6-55 Mesh QoS Policy Rate Limit screen

Mesh Tx Rate Limit: Select the check box to enable rate limiting for all data received from any mesh point in the mesh network. This feature is disabled by default.

Rate: Define a receive rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the mesh point (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.

Maximum Burst Size: Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the transmit packet transmission will result in congestion for the mesh point's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a 10% margin (minimally) to allow for traffic bursts at the site. The default burst size is 320 kbytes.

5 Set the following From Air Upstream Random Early Detection Threshold settings for each access category. An early random drop is done when a traffic stream falls below the set threshold.

Background Traffic: Set a percentage value for background traffic in the transmit direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.

Best Effort Traffic: Set a percentage value for best effort traffic in the transmit direction. This is a percentage of the maximum burst size for normal priority traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.

Video Traffic: Set a percentage value for video traffic in the transmit direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 25%.

Voice Traffic: Set a percentage value for voice traffic in the transmit direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default threshold is 0%.

6 Configure the following parameters in respect to the intended To Air Downstream Rate Limit, or traffic from neighbors to associated Access Point radios and the controller or service platform:
Mesh Rx Rate Limit - Select the check box to enable rate limiting for all data transmitted by the device to any mesh point in the mesh. This feature is disabled by default.
Rate - Define a transmit rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the mesh point (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.
Maximum Burst Size - Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the receive packet transmission will result in congestion for the mesh point's wireless client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should then add a minimum of a 10% margin to allow for traffic bursts at the site. The default burst size is 320 kbytes.

7 Set the following To Air Downstream Random Early Detection Threshold settings for each access category. An early random drop occurs when the amount of tokens for a traffic stream falls below the set threshold.

Background Traffic - Set a percentage value for background traffic in the receive direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped and a log message is generated. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general receive rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
Best Effort Traffic - Set a percentage value for best effort traffic in the receive direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped and a log message is generated. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general receive rate is known by the network administrator (using a time trend analysis). The default threshold is 50%.
Video Traffic - Set a percentage value for video traffic in the receive direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped and a log message is generated. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general receive rate is known by the network administrator (using a time trend analysis). The default threshold is 25%.
Voice Traffic - Set a percentage value for voice traffic in the receive direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped and a log message is generated. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general transmit rate is known by the network administrator (using a time trend analysis). The default threshold is 0%. 0% means no early random drops will occur.

8 Configure the following parameters in respect to the intended Neighbor Settings From Air Upstream Rate Limit:
Neighbor Rx Rate Limit - Select the radio button to enable rate limiting for data transmitted from the client to its associated Access Point radio and connected controller or service platform. Enabling this option does not invoke client rate limiting for data traffic in the receive direction. This feature is disabled by default.
Rate - Define a transmit rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped by the client and a log message is generated. The default rate is 1,000 kbps.
Maximum Burst Size - Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the transmit packet transmission will result in congestion for the wireless client. The default burst size is 64 kbytes.

9 Set the following Neighbor Settings From Air Upstream Random Early Detection Threshold for each access category:
Background Traffic - Set a percentage value for background traffic in the transmit direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
Best Effort Traffic - Set a percentage value for best effort traffic in the transmit direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 50%.
Video Traffic - Set a percentage value for video traffic in the transmit direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 25%.
Voice Traffic - Set a percentage value for voice traffic in the receive direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 0%. 0% implies no early random drops will occur.

10 Configure the following parameters in respect to the intended Neighbor To Air Downstream Rate Limit, or traffic from a controller or service platform to associated Access Point radios and the wireless client:
Neighbor Tx Rate Limit - Select the radio button to enable rate limiting for data transmitted from connected wireless clients. Enabling this option does not invoke rate limiting for data traffic in the transmit direction. This feature is disabled by default.
Rate - Define a receive rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received by the client. Traffic that exceeds the defined rate is dropped and a log message is generated. The default rate is 1,000 kbytes.
Maximum Burst Size - Set a maximum burst size between 2 - 64 kbytes. The smaller the burst, the less likely the receive packet transmission will result in congestion for the wireless client. The default burst size is 64 kbytes.

11 Set the following To Air Downstream Random Early Detection settings for each access category:
Background Traffic - Set a percentage value for background traffic in the receive direction. This is a percentage of the maximum burst size for low priority traffic. Background traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default is 50%.
Best Effort Traffic - Set a percentage value for best effort traffic in the receive direction. This is a percentage of the maximum burst size for normal traffic. Best effort traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default is 50%.
Video Traffic - Set a percentage value for video traffic in the receive direction. This is a percentage of the maximum burst size for video traffic. Video traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default is 25%.
Voice Traffic - Set a percentage value for voice traffic in the receive direction. This is a percentage of the maximum burst size for voice traffic. Voice traffic exceeding the defined threshold is dropped by the client and a log message is generated. The default threshold is 0%. 0% means no early random drops occur.

12 Select OK when completed to update the Mesh QoS rate limit settings. Select Reset to revert the screen back to its last saved configuration.

13 Select the Multimedia Optimizations tab.

14 Set the following Accelerated Multicast settings:
Figure 6-56 Mesh QoS Policy Multimedia Optimizations screen

Disable Multicast Streaming - Select this option to disable all Multicast Streaming on the mesh point.
Automatically Detect Multicast Streams - Select this option to allow the administrator to have multicast packets that are being bridged converted to unicast to provide better overall airtime utilization and performance. The administrator can either have the system automatically detect multicast streams and convert all detected multicast streams to unicast, or specify which multicast streams are to be converted to unicast. When the stream is converted and being queued up for transmission, there are a number of classification mechanisms that can be applied to the stream and the administrator can select what type of classification they would want. Classification types are Trust, Voice, Video, Best Effort, and Background.
Manually Configure Multicast Addresses - Select + Add Row and specify a list of multicast addresses and classifications. Packets are accelerated when the destination address matches.

15 Select OK when completed to update the Mesh Multimedia Optimizations settings. Select Reset to revert the screen back to its last saved configuration.

6.8 Passpoint Policy

A passpoint policy provides an interoperable platform for streamlining Wi-Fi access to Access Points deployed as public hotspots. Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. Passpoint makes connecting to Wi-Fi networks easier by authenticating the user with an account based on an existing relationship, such as the user's mobile carrier or broadband ISP. The Passpoint Policy screen displays a list of passpoint policies for network hotspots. Each passpoint policy can be selected to edit its properties.
If no existing passpoint policy supports the required deployment, select Add to create a new policy. To administrate and manage existing passpoint policies:
1 Select Configuration > Wireless > Passpoint Policy to display existing policies.

Figure 6-57 Passpoint Policy screen

2 Refer to the following configuration data for existing passpoint policies:
Name - Displays the administrator assigned name of each passpoint policy.
Access Network Type - Displays the network access permissions the administrator has set for the passpoint policy.
Operator Name - Displays the unique name assigned to the administrator or operator responsible for the configuration and operation of the Access Point managed hotspot.
Venue Name - Displays the administrator assigned name of the venue (or physical location) of the deployed Access Point hotspot.

3 Select Add to define a new passpoint policy, or select an existing policy and select Edit to modify its configuration. Existing policies can be selected and deleted, copied, or renamed as needed. Optionally Copy or Rename a policy as needed.

4 Refer to the following Settings to define an Internet connection medium for the passpoint policy:
Figure 6-58 Passpoint Policy - Configuration screen

Domain Name - Optionally add a 255 character maximum domain name to the pool available to the passpoint policy.
HESSID - Select this option to apply a homogenous ESS ID. Leaving this option blank applies the BSSID instead. This option is disabled by default.
Internet - Select this option to enable Internet access to users of the passpoint hotspot. Internet access is enabled by default.
IPv4 Address Type - Use the drop-down menu to select the IPv4 formatted address type for this passpoint policy. IPv4 is a connectionless protocol operating on a best effort delivery model. IPv4 does not guarantee delivery or assure proper sequencing or avoidance of duplicate delivery (unlike TCP). Options include not available, public, port-restricted, port-restricted-double-nat, single-nat, double-nat, port-restricted-single-nat and unknown.
IPv6 Address Type - Use the drop-down menu to select the IPv6 formatted address type for this passpoint policy. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. Options include available, unavailable and unknown.
OSU SSID - Optionally define a 32 character maximum sign-on ID that must be correctly provided to access the passpoint policy's hotspot resources.
ROAM Consort - Provide a 0 - 255 character roaming consortium number. A roaming consort ID is sent as roaming consortium information in a hotspot query response.

5 Set the following WAN Metrics for upstream and downstream bandwidth:
Up Speed - Enable this option to estimate the maximum upstream bandwidth from 0 - 4,294,967,295 Kbps.
Down Speed - Enable this option to estimate the maximum downstream bandwidth from 0 - 4,294,967,295 Kbps.

6 Set the following Connection Capability for the passpoint policy's FTP, HTTP, ICMP, IPSec VPN, PPTP VPN, SIP, SSH and TLS VPN interfaces:
7 Use the drop-down menu to define these interfaces as open, closed or unknown for this passpoint policy configuration. Disabling unused interfaces is recommended to close unnecessary security holes.

8 Select + Add Row to set a Connection Capability Variable to make specific virtual ports open or closed for Wi-Fi connection attempts, and to set rules for how the user is to connect, with routing preference, using this passpoint policy.

9 Select + Add Row and set a Network Authentication Type to select how Wi-Fi connection attempts are authenticated and validated using a dedicated redirection URL resource.

10 Refer to the Basic Configuration field to set the following:
Access Network Type - Use the drop-down menu to select the network access method for this passpoint policy. Access network types include:
private - General access to a private network hotspot (default setting)
private-guest - Access to a private network hotspot with guest services
chargeable-public - Access to a public hotspot with billable services
personal-device - Access to a hotspot for personal devices such as wireless routers
emergency services - Dedicated network hotspot access for emergency services only
Venue Group - Passpoint is supported across a wide range of wireless network deployment scenarios and client devices. Select the group type best suited to the majority of hotspot requestors utilizing the passpoint policy's unique configuration.
Venue Type - Select the venue type best suited to the actual location passpoint requestors are located. If an adequate option cannot be applied, a numeric venue type can be utilized.
Venue Name - Enter the Venue Name and address. The operator can configure an Access Point to describe the location of the hotspot. This information typically includes the name and address of the deployment location where the hotspot is located. Enter the name and address configured for the Access Point hotspot. The name cannot exceed 252 characters.
Venue Name Lang - Hotspot operators can list venue names in multiple languages. Select the + Add Row button to add venue name languages. Enter the two or three character ISO-14962-1997 encoded string that defines the language used in the Code field. Enter the name of the venue in the Name field. The name cannot exceed 252 characters.

11 Refer to the Operator Network Parameters field to define the following:
Operator Name - Provide the unique name (in English) of the administrator or operator responsible for the configuration and management of the hotspot. The name cannot exceed 64 characters.
Operator Name Lang - Operator names can be listed in multiple languages. Select + Add Row to add operator name languages. Enter the two or three character ISO-14962-1997 encoded string defining the language used in the Code field. Enter the name of the operator in the Name field. The name cannot exceed 252 characters.
PLMNID - Operators providing mobile and Wi-Fi hotspot services have a unique Public Land Mobile Network (PLMN) ID. Select the + Add Row button to add PLMN information for operators responsible for the configuration and operation of the hotspot. Provide a Description for the PLMN not exceeding 64 characters. Enter a three digit Mobile Country Code (MCC) and two digit Mobile Network Code (MNC) for the PLMN ID. The MCC identifies the region and country where the hotspot is deployed. The MNC identifies the operator responsible for the configuration and management of the hotspot by PLMN ID and country. Both the MCC and MNC fields are mandatory.

12 Select OK when completed to update the passpoint policy settings. Select Reset to revert the screen back to the last saved configuration.

13 Select the NAI Realm tab. The Network Access Identifier (NAI) is the user identity submitted by the hotspot requesting client during authentication. The standard syntax is user@realm. NAI is frequently used when roaming, to identify the user and assist in routing an authentication request to the user's authentication server. The realm name is often the domain name of the service provider. The NAI realm screen displays those realms created thus far for utilization with a passpoint policy.
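The following is an added example, not Extreme Networks' code: it models a passpoint policy's NAI Realm tab as this section describes it (semicolon-delimited realm names of at most 32 characters, EAP Method entries whose mandatory fields depend on the authentication type) and then routes a client's user@realm NAI to the EAP methods of a configured realm, returning no route when the realm is unknown. All realm names, method entries and NAIs are constructed for illustration, and the case-insensitive realm comparison is an assumption not stated on the page.

```python
"""Added example: NAI realm lookup and EAP Method validation for a passpoint policy.
Constructed illustration only, not the product's own implementation."""
import re
from dataclasses import dataclass

# Option lists exactly as the NAI Realm tab enumerates them.
EAP_METHODS = {"identity", "otp", "gtc", "rsa-public-key", "tls", "sim", "ttls",
               "peap", "ms-auth", "ms-authv2", "fast", "psk", "ikev2"}
AUTH_TYPES = {"expanded-eap", "non-eap-inner", "inner-eap", "expanded-inner-eap",
              "credential", "tunn-eap-credential", "vendor"}
# Types that must carry an authentication value shared with the EAP server.
NEEDS_AUTH_VALUE = {"non-eap-inner", "inner-eap", "credential", "tunn-eap-credential"}
# Types that must carry a 6 character vendor ID and an 8 character vendor type.
NEEDS_VENDOR_ID = {"expanded-eap", "expanded-inner-eap"}
HEX_ONLY = re.compile(r"^[0-9a-fA-F]+$")


@dataclass
class EapMethod:
    index: int
    method: str
    auth_type: str
    auth_value: str = ""
    vendor_id: str = ""
    vendor_specific: str = ""
    vendor_type: str = ""

    def errors(self):
        """Return the limit violations for this entry (empty list when it is valid)."""
        problems = []
        if not 1 <= self.index <= 10:
            problems.append("index must be 1 - 10")
        if self.method not in EAP_METHODS:
            problems.append(f"unknown EAP method {self.method!r}")
        if self.auth_type not in AUTH_TYPES:
            problems.append(f"unknown authentication type {self.auth_type!r}")
        if self.auth_type in NEEDS_AUTH_VALUE and not self.auth_value:
            problems.append("authentication value required for " + self.auth_type)
        if self.auth_type in NEEDS_VENDOR_ID:
            if len(self.vendor_id) != 6:
                problems.append("vendor ID must be 6 characters")
            if len(self.vendor_type) != 8:
                problems.append("vendor type must be 8 characters")
        # Vendor specific data is optional; when present it is 2 - 510 hex characters.
        if self.vendor_specific and not (
                2 <= len(self.vendor_specific) <= 510 and HEX_ONLY.match(self.vendor_specific)):
            problems.append("vendor specific data must be 2 - 510 hex characters")
        return problems


def parse_realm_names(field_text):
    """Split the Realm Name field on semicolons and enforce the 32 character limit."""
    names = [n.strip() for n in field_text.split(";") if n.strip()]
    too_long = [n for n in names if len(n) > 32]
    if too_long:
        raise ValueError(f"realm names over 32 characters: {too_long}")
    return names


def split_nai(nai):
    """Split user@realm; the last '@' separates the user part from the realm."""
    user, sep, realm = nai.rpartition("@")
    if not sep or not user or not realm:
        raise ValueError(f"NAI {nai!r} is not in user@realm form")
    return user, realm


def route_nai(nai, realm_config):
    """Return (configured_realm, eap_methods) for the realm named in the NAI,
    or None when the policy has no such realm (no authentication route exists).
    Case-insensitive comparison is an assumption, not page-stated behaviour."""
    _, realm = split_nai(nai)
    for configured, methods in realm_config.items():
        if configured.lower() == realm.lower():
            return configured, methods
    return None


def validate_policy(realm_config):
    """Map (realm, index) to its problems; an empty dict means the tab is consistent."""
    report = {}
    for realm, methods in realm_config.items():
        seen = set()
        for m in methods:
            probs = m.errors()
            if m.index in seen:
                probs.append("duplicate index")
            seen.add(m.index)
            if probs:
                report[(realm, m.index)] = probs
    return report


# Constructed policy: two realms, each with its EAP Method entries.
REALM_NAMES = parse_realm_names("example.com; roam.example.net")
REALM_CONFIG = {
    REALM_NAMES[0]: [EapMethod(1, "ttls", "non-eap-inner", auth_value="mschapv2"),
                     EapMethod(2, "tls", "credential", auth_value="certificate")],
    REALM_NAMES[1]: [EapMethod(1, "sim", "tunn-eap-credential", auth_value="sim")],
}

if __name__ == "__main__":
    print("policy problems:", validate_policy(REALM_CONFIG))
    print("alice@example.com ->", route_nai("alice@example.com", REALM_CONFIG))
    print("carol@other.org ->", route_nai("carol@other.org", REALM_CONFIG))
```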
Figure 6-59 Passpoint Policy - NAI Realm screen

Either select Add to create a new NAI realm configuration for passpoint hotspot utilization, Edit to modify the attributes on an existing selected configuration or Delete to remove a selected configuration from those available. Provide a Realm Name or names (32 characters maximum) delimited by a semicolon. Select + Add Row to create an EAP Method configuration for the NAI realm.

Figure 6-60 Passpoint Policy - NAI Realm Add/Edit screen

14 Set the following EAP Method attributes to secure the NAI realm used by the passpoint policy:
Index - Select an EAP instance index from 1 - 10 to apply to this hotspot's EAP credential exchange and verification session. NAIs are often user identifiers in the EAP authentication protocol.
Method - Set an EAP method for the NAI realm. Options include identity, otp, gtc, rsa-public-key, tls, sim, ttls, peap, ms-auth, ms-authv2, fast, psk and ikev2.
Authentication Type - Use the drop-down menu to specify the EAP method authentication type. Options include expanded-eap, non-eap-inner, inner-eap, expanded-inner-eap, credential, tunn-eap-credential and vendor.
Authentication Value - If setting the authentication type to either non-eap-inner, inner-eap, credential or tunnel-eap-credential, define an authentication value that must be shared with the EAP credential validation server resource.
Authentication Vendor ID - If the authentication type is set to either expanded-eap or expanded-inner-eap, set a 6 character authentication vendor ID that must match the one utilized by the EAP server resource.
Authentication Vendor Specific - If required, add 2 - 510 character vendor specific authentication data required for the selected authentication type. Enter the value in a-f, A-F, 0-9 (hexadecimal) format.
Authentication Vendor Type - Set an 8 character authentication vendor type used exclusively for the expanded-eap or expanded-inner-eap authentication types.

15 Select OK to save the updates to the NAI realm.

16 Select the OSU Provider tab. WiNG managed clients can use Online Sign-Up (OSU) for registration and credential provisioning to obtain hotspot network access. Service providers have an OSU AAA server and certificate authority (CA). For a client and hotspot to trust one another, the OSU server holds a certificate signed by a CA whose root certificate is issued by a CA authorized by the Wi-Fi Alliance, and CA certificates are installed on the client device. A CA performs four functions:
Issues certificates (creates and signs)
Maintains certificate status information and issues certificate revocation lists (CRLs)
Publishes current (non-expired) certificates and CRLs
Maintains status archives for the expired or revoked certificates it has issued

Passpoint certificates are governed by the Hotspot 2.0 OSU Certificate Policy Specification. An OSU server certificate should be obtained from any of the CAs authorized by the Wi-Fi Alliance. Once an OSU provider is selected, the client connects to the OSU WLAN. It then triggers an HTTPS connection to the OSU server, which was received with the OSU provider's list. The client validates the server certificate to ensure it's a trusted OSU server. The client is prompted to complete an online registration through their browser. When the client has a valid credential for the hotspot 2.0 WLAN, it disassociates from the OSU WLAN and connects to the hotspot 2.0 WLAN. The OSU Provider screen displays those provider configurations created thus far for utilization with a passpoint policy.

Figure 6-61 Passpoint Policy - OSU Provider screen

17 Either select Add to create a new OSU provider configuration for passpoint hotspot utilization, Edit to modify the attributes on an existing selected configuration or Delete to remove a selected configuration from those available.

Figure 6-62 Passpoint Policy - OSU Provider Add/Edit screen

18 If creating a new OSU provider configuration, provide it a 32 character maximum OSU ID serving as an online sign up identifier.

19 Set the following attributes to secure the NAI realm used by the passpoint policy:
Server URL - Provide a 255 character maximum sign up server URL for the OSU provider.
NAI - Enter a 255 character maximum Network Access Identifier (NAI) to identify the user and assist in routing an authentication request to the authentication server. The realm name is often the domain name of the service provider.
Method
OMA DM Priority - Select this option to provide open mobile alliance (OMA) device management priority. The OMA is a standards body developing open standards for mobile clients. OMA is relevant to service providers working across countries (with different languages), operators and mobile terminals. Adherence to OMA is strictly voluntary. Use the drop-down menu to specify the priority as 1 or 2.
SOAP XML SPP Priority - Select this option to apply a SOAP-XML subscription provisioning protocol priority of either 1 or 2. The Simple Object Access Protocol (SOAP) is a protocol for exchanging structured information in Web services. SOAP uses XML as its message format, and relies on other application layer protocols, like HTTP or SMTP, for message negotiation and transmission.

20 Refer to the Name field to optionally set a 252 character English language sign up name, then provide a 3 character maximum ISO-639 language Code to apply the sign up name in a language other than English. Apply a 252 character maximum hexadecimal online sign up Name to encode in the ISO-639 language code applied to the sign up name.

21 Refer to the OSU Provider Description field to set an online sign up description in a language other than English. Select + Add Row and provide a 3 character maximum ISO-639 language Code to apply the sign up name in a language other than English. Apply a 252 character maximum hexadecimal online sign up Description to encode in the ISO-639 language code applied to the sign up name.

22 Optionally provide an OSU Provider Icon by selecting + Add Row. Apply the following configuration attributes to the icon.
Code - Enter a 3 character maximum ISO-639 language Code to define the language used in the OSU provider icon.
File Name - Provide a 255 character maximum icon name and directory path location to the icon file.
Height - Provide the icon height size in pixels from 0 - 65,535. The default setting is 0.
MIME Type - Set the icon MIME file type from 0 - 64. The MIME type associates filename extensions with a MIME type. A MIME type enables a fallback on an extension and is frequently used by Web servers.
Width - Provide the icon width size in pixels from 0 - 65,535. The default setting is 0.

23 Select OK to save the updates to the OSU provider configuration. Select Reset to revert to the last saved configuration.

6.9 Sensor Policy

In addition to WIPS support, sensor functionality has now been added for the Extreme Networks MPact locationing system.
The MPact system for Wi-Fi locationing includes WiNG controllers and Access Points functioning as sensors. Within the MPact architecture, sensors scan for RSSI data on an administrator defined interval and send it to a dedicated MPact Server resource, as opposed to an ADSP server. The MPact Server collects the RSSI data from WiNG sensor devices and calculates the location of Wi-Fi devices for MPact administrators. To administrate and manage existing sensor policies:
1 Select Configuration > Wireless > Sensor Policy to display existing policies.

2 Select Add to define a new sensor policy, or select an existing policy and select Edit to modify its configuration. Existing sensor policies can be selected and deleted, copied, or renamed as needed.

Figure 6-63 Sensor Policy screen

NOTE: If a dedicated sensor is utilized with WIPS for rogue detection, any sensor policy selected from the Sensor Policy drop-down menu is discarded and not utilized by the sensor. To avoid this situation, use ADSP channel settings exclusively to configure the sensor and not the WiNG interface.

3 Select Add to define a new sensor policy, or select an existing policy and select Edit to modify its configuration. Existing sensor policies can be selected and deleted, copied, or renamed as needed.

Figure 6-64 Sensor Policy - Configuration screen

4 If creating a new sensor policy, assign it a Name up to 32 characters. No character spaces are permitted within the name. Define a name unique to the policy's channel and scan mode configuration to help differentiate it from other policies. If adding a new sensor policy, the Name must be provided and Continue selected to enable the remaining configuration parameters. Use the RSSI Scan Interval drop-down menu to set a scan interval from 1 - 60 seconds. This is the scan period dedicated sensors (Access Point radios) utilize for RSSI (signal strength) assessments. Once obtained, the sensor sends the RSSI data to a specified MPact server resource (not an ADSP server) for the calculation of Wi-Fi device locations. The default is 1 second.

5 Set the following Scan Mode values depending on whether Default-Scan, Custom Scan or Channel Lock has been selected as the mode of scan operation:
Channel
Default-Scan - The list of available scan channels is fixed and defaulted in a spread pattern of 1, 6, 11, 36, 40, 44 and 48. No alterations to this channel pattern are available to the administrator.
Custom-Scan - A list of unique channels in the 2.4, 4.9, 5 and 6 GHz band can be collectively or individually enabled for customized channel scans and RSSI reporting.
Channel-Lock - Once selected, the existing Channel, Channel Width and Scan Weight table items are replaced by a Lock Frequency drop-down menu. Use this menu to lock the RSSI scan to one specific channel.

Channel Width
Default-Scan - Each channel's width is fixed and defaulted to either 40MHz-Upper (Ch 1), 40MHz-Lower (Ch 6 and CH 11) or 80MHz (CH 36, CH 40, CH 44 and CH 48).
Custom-Scan - When custom channels are selected for RSSI scans, each selected channel can have its own width defined. Numerous channels have their width fixed at 20 MHz; 802.11a radios support 20 and 40 MHz channel widths.
Channel-Lock - If a specific channel is selected and locked for an RSSI scan, there's no ability to refine the width between adjacent channels, as only one channel is locked.

Scan Weight
Default-Scan - Each default channel's scan is of equal duration (1000) within the defined RSSI scan interval. No one channel receives scan priority within the defined RSSI scan interval.
Custom-Scan - Each selected channel can have its weight prioritized in respect to the amount of time a scan is permitted within the defined RSSI scan interval.
Channel-Lock - If a specific channel is selected and locked for an RSSI scan, there's no ability to refine the scan weightage in respect to all the remaining unlocked channels.

6 Select OK when completed to update the sensor policy settings. Select Reset to revert the screen back to the last saved configuration.

7 Network Configuration

Controllers, service platforms and Access Points allow packet routing customizations and unique network resources for deployment specific routing configurations. For more information on the options available, refer to the following:
IPv6 Router Advertisement Policy
Policy Based Routing
L2TP V3 Configuration
Crypto CMP Policy
AAA Policy
AAA TACACS Policy
BGP
Alias
Application Policy
Application
Application Group
Schedule Policy
URL Filtering
Web Filtering
EX3500 QoS Class
EX3500 QoS Policy Map
Network Deployment Considerations

7.1 Policy Based Routing

Define a policy based routing (PBR) configuration to direct packets to selective paths. PBR can optionally mark traffic for preferential services. PBR minimally provides the following:
A means to use source address, protocol, application and traffic class as traffic routing criteria
The ability to load balance multiple WAN uplinks
A means to selectively mark traffic for QoS optimization

Since PBR is applied to incoming routed packets, a route-map is created containing a set of filters and associated actions. Based on the actions defined in the route-map, packets are forwarded to the next relevant hop. Route-maps are configurable under a global policy called routing-policy, and applied to profiles and devices. Route-maps contain a set of filters which select traffic (match clauses) and associated actions (set clauses) for routing. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the route-map entry with the highest precedence (lowest numerical value). If it matches, the routing decision is based on this route-map entry. If the packet does not match, the route-map entry with the next highest precedence is matched. If the incoming packet does not match any of the route-map entries, it's subjected to typical destination based routing. Each route-map entry can optionally enable/disable logging. The following criteria can optionally be used as traffic selection segregation criteria:
IP Access List - A typical IP ACL can be used for traffic permissions. The mark and log actions in ACL rules however are neglected. Route-map entries have separate logging. Only one ACL can be configured per route map entry. Wireless Controller and Service Platform System Reference Guide 7 - 1 Network Configuration IP DSCP - Packet filtering can be performed by traffic class, as determined from the IP DSCP field. One DSCP value is configurable per route map entry. If IP ACLs on a WLAN, ports or SVI mark the packet, the new/
marked DSCP value is used for matching. Incoming WLAN - Packets can be filtered by the incoming WLAN. There are two ways to match the WLAN:
- If the device doing policy based routing has an onboard radio and a packet is received on a local WLAN, then this WLAN is used for selection.
- If the device doing policy based routing does not have an onboard radio and a packet is received from an extended VLAN, then the device which received the packet passes the WLAN information in the MINT packet for the PBR router to use as match criteria.
Client role - The client role can be used as match criteria, similar to a WLAN. Each device has to agree on a unique identifier for the role definition and pass it in the same MINT tunneled packets.
Incoming SVI - A source IP address qualifier in an ACL typically satisfies filter requirements. But if the host originating the packet is multiple hops away, the incoming SVI can be used as match criteria. In this context the SVI refers to the interface of the device performing policy based routing, not the originating connected device.

Each route-map entry has a set of match and set (action) clauses. ACL rules configured under route-map entries are merged to create a single ACL. Route-map precedence values determine the prioritization of the rules in this merged ACL. The IP DSCP value is also added to the ACL rules. Set (or action) clauses determine the routing function when a packet satisfies the match criteria. If no set clauses are defined, the default is to fall back to destination based routing for packets satisfying the match criteria. If no set clause is configured and fallback to destination based routing is disabled, the packet is dropped. The following can be defined within set clauses:
Next hop - The IP address of the next hop or the outgoing interface through which the packet should be routed. Up to two next hops can be specified. The outgoing interface should be a PPP interface, a tunnel interface or an SVI which has a DHCP client configured. The first reachable hop is used; if none of the next hops are reachable, a typical destination based route lookup is performed.
Default next hop - If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This can be either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next hop is that with the former, PBR occurs first and then destination based routing; with the latter, the order is reversed. In both cases:
a If a defined next hop is reachable, it is used. If fallback is configured, refer to (b).
b Do a normal destination based route lookup. If a next hop is found it is used; if not, refer to (c).
c If a default next hop is configured and reachable, it is used. If not, drop the packet.
Fallback - Fall back to destination based routing if none of the configured next hops are reachable (or none are configured). This is enabled by default.
Mark IP DSCP - Set IP DSCP bits for QoS using an ACL. The mark action of the route-map takes precedence over the mark action of an ACL.
NOTE: A packet must satisfy all the match criteria of a route-map entry to match it; if no match clause is defined in an entry, it matches everything. Packets not conforming to any of the match clauses are subjected to normal destination based routing.
To define a PBR configuration:
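Before the Web UI steps, the next-hop evaluation order just described as a runnable model. This is an added example for illustration, not code from the guide or from WiNG: the route-map entries, packets, reachability set and destination routing table are constructed, and a source prefix stands in for the IP ACL match.

```python
"""Policy based routing decision sequence, as a runnable model.

Added example; not code from the guide or from WiNG. Route-map entries are
tried in ascending precedence, a packet has to satisfy every match clause
of an entry, and the entry's set clauses then pick a next hop, fall back
to destination based routing, or use the default next hop. The policy,
packets, reachability set and routing table are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Packet:
    src: str
    dst: str
    dscp: int                      # DSCP as already marked by any WLAN/port/SVI ACL
    wlan: Optional[str] = None     # incoming WLAN, if known


@dataclass
class RouteMapEntry:
    precedence: int                          # lower number = higher precedence
    match_src: Optional[str] = None          # source prefix, standing in for an IP ACL
    match_dscp: Optional[int] = None         # one DSCP value per entry
    match_wlan: Optional[str] = None         # incoming WLAN
    next_hops: List[str] = field(default_factory=list)   # primary, secondary
    default_next_hop: Optional[str] = None
    fallback: bool = True                    # "Use Destination Routing", on by default
    mark_dscp: Optional[int] = None          # route-map mark wins over an ACL mark

    def matches(self, pkt: Packet) -> bool:
        """Every configured match clause must hold; no clauses means match all."""
        if self.match_src is not None and \
                ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.match_src):
            return False
        if self.match_dscp is not None and pkt.dscp != self.match_dscp:
            return False
        if self.match_wlan is not None and pkt.wlan != self.match_wlan:
            return False
        return True


def decide(pkt, policy, reachable, dest_lookup):
    """Return (decision, next_hop, dscp) for one packet.

    reachable: set of next-hop addresses that are currently up.
    dest_lookup: destination based routing; returns a next hop or None.
    """
    entry = next((e for e in sorted(policy, key=lambda e: e.precedence)
                  if e.matches(pkt)), None)
    if entry is None:
        # No route-map entry matched: ordinary destination based routing.
        return "destination-routing", dest_lookup(pkt.dst), pkt.dscp

    dscp = entry.mark_dscp if entry.mark_dscp is not None else pkt.dscp

    # (a) the first reachable explicit next hop wins
    for hop in entry.next_hops[:2]:
        if hop in reachable:
            return "next-hop", hop, dscp

    # No usable next hop (or none configured) and fallback disabled: drop.
    if not entry.fallback:
        return "drop", None, dscp

    # (b) normal destination based lookup
    hop = dest_lookup(pkt.dst)
    if hop is not None:
        return "destination-routing", hop, dscp

    # (c) default next hop, only if configured and reachable; otherwise drop
    if entry.default_next_hop in reachable:
        return "default-next-hop", entry.default_next_hop, dscp
    return "drop", None, dscp


# Constructed policy: entry 10 marks voice from 10.1/16, entry 20 pins GUEST
# traffic to one hop with fallback off, entry 30 gives 10.2/16 a default hop.
POLICY = [
    RouteMapEntry(10, match_src="10.1.0.0/16", match_dscp=46,
                  next_hops=["192.0.2.1", "192.0.2.2"], mark_dscp=34),
    RouteMapEntry(20, match_wlan="GUEST", next_hops=["198.51.100.1"], fallback=False),
    RouteMapEntry(30, match_src="10.2.0.0/16", default_next_hop="203.0.113.1"),
]
REACHABLE = {"192.0.2.2", "203.0.113.1"}      # 192.0.2.1 and 198.51.100.1 are down
RIB = {"10.9.0.0/16": "10.9.0.254"}            # constructed destination routing table


def dest_lookup(dst):
    for prefix, hop in RIB.items():
        if ipaddress.ip_address(dst) in ipaddress.ip_network(prefix):
            return hop
    return None


if __name__ == "__main__":
    for pkt in (Packet("10.1.5.5", "172.16.1.1", 46),
                Packet("10.1.5.5", "172.16.1.1", 0, wlan="GUEST"),
                Packet("10.2.1.1", "10.9.1.1", 0),
                Packet("10.2.1.1", "172.16.1.1", 0)):
        print(pkt, "->", decide(pkt, POLICY, REACHABLE, dest_lookup))
```

The second packet shows the failure mode worth checking before clearing Use Destination Routing: with its only next hop down and fallback disabled, a matching packet is dropped, not routed.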
1 Select the Configuration tab from the Web UI.
2 Select Network.
3 Select Policy Based Routing. The Policy Based Routing screen displays by default.
Figure 7-1 Policy Based Routing screen
4 Either select Add to create a new PBR configuration, Edit to modify the attributes of an existing PBR configuration or Delete to remove a selected PBR configuration.
5 If creating a new PBR policy, assign it a Policy Name of up to 32 characters to distinguish this route-map configuration from others with similar attributes. Select Continue to proceed to the Policy Name screen where route-map configurations can be added, modified or removed. Select Exit to exit without creating a PBR policy.
6 Refer to the following to determine whether a new route-map configuration requires creation or an existing route-map requires modification or removal:
Figure 7-2 Policy Based Routing, Policy Name screen
Precedence: Lists the numeric precedence (priority) assigned to each listed PBR configuration. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the entry with the highest precedence (lowest numerical value).
DSCP: Displays each policy's DSCP value used as matching criteria for the route-map. DSCP is the Differentiated Services Code Point field in an IP header and is used for packet classification. Packets are filtered based on the traffic class defined in the IP DSCP field. One DSCP value can be configured per route-map entry.
Role Policy: Lists each policy's role policy used as matching criteria.
User Role: Lists the user role defined in the Role Policy.
Access Control List: Displays each policy's IP ACL used as an access/deny filter criteria for the route-map.
WLAN: Displays each policy's WLAN used as an access/deny filter for the route-map.
Incoming Interface: Displays the name of the Access Point WWAN or VLAN interface on which the packet is received for the listed PBR policy.
7 Select Add or Edit to create or modify a route-map configuration. Configurations can optionally be removed by selecting Delete.
Figure 7-3 Policy Based Routing screen - Add a Route Map
8 If adding a route-map, use the spinner control to set a numeric Precedence (priority) for this route-map entry. An incoming packet is matched against the entry with the highest precedence (lowest numerical value).
9 Refer to the Match Clauses field to define the following matching criteria for the route-map configuration:
DSCP: Select this option to enable a spinner control to define the DSCP value used as matching criteria for the route-map. DSCP is the Differentiated Services Code Point field in an IP header and is used for packet classification. Packets are filtered based on the traffic class defined in the IP DSCP field. One DSCP value can be configured per route-map entry.
Role Policy: Use the drop-down menu to select a Role Policy to use with this route-map. Click the Create icon to create a new Role Policy. To view and modify an existing policy, click the Edit icon.
User Role: Use the drop-down menu to select a role defined in the selected Role Policy. This user role is used when deciding the routing.
Access Control List: Use the drop-down menu to select an IP based ACL used as matching criteria for this route-map. Click the Create icon to create a new ACL. To view and modify an existing ACL, click the Edit icon.
WLAN: Use the drop-down menu to select the Access Point WLAN used as matching criteria for this route-map. Click the Create icon to create a new WLAN. To view and modify an existing WLAN, click the Edit icon.
Incoming Interface: Select this option to enable radio buttons used to define the interfaces required to receive route-map packets. Use the drop-down menu to define either the Access Point's wwan1 or pppoe1 interface. Neither is selected by default. Or, select the VLAN ID option to define the Access Point VLAN to receive route-map packets.
10 Set the following Action Clauses to determine the routing function performed when a packet satisfies the match criteria. Optionally fall back to destination based routing if no hop resource is available.
Next Hop (Primary): Define a first hop priority request. Set either the IP address of the virtual resource or select the Interface option and define either a wwan1, pppoe1 or a VLAN interface. In the simplest terms, if this primary hop resource is available, it is used with no additional considerations.
Next Hop (Secondary): If the primary hop resource is unavailable, a second resource can be defined. Set either the IP address of the virtual resource or select the Interface option and define either a wwan1, pppoe1 or a VLAN interface.
Default Next Hop: If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This value is set as either the IP address of the next hop or the outgoing interface. Only one default next hop can be defined. The difference between the next hop and the default next hop is that with the former, PBR occurs first and then destination based routing; with the latter, the order is reversed. Set either the next hop IP address or define either a wwan1, pppoe1 or a VLAN interface.
Use Destination Routing: Select this option to fall back to destination based routing if none of the defined hop resources are reachable. Packets are dropped if a next hop resource is unavailable and fallback to destination routing is disabled. This option is enabled by default.
Mark: Select this option and use the spinner control to set IP DSCP bits for QoS using an ACL. The mark action of the route-map takes precedence over the mark action of an ACL.
11 Select OK to save the updates to the route-map configuration. Select Reset to revert to the last saved configuration.

7.2 L2TP V3 Configuration

L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network. L2TP V3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Use L2TP V3 to create tunnels for transporting layer 2 frames.
L2TP V3 enables WiNG managed wireless devices to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between WiNG devices and other vendor devices supporting the L2TP V3 protocol. Multiple pseudowires can be created within an L2TP V3 tunnel. WiNG Access Points support an Ethernet VLAN pseudowire type exclusively.

NOTE: A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). Pseudowires were developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network.

Ethernet VLAN pseudowires transport Ethernet frames to and from a specified VLAN. One or more L2TP V3 tunnels can be defined between tunnel end points. Each tunnel can have one or more L2TP V3 sessions. Each tunnel session corresponds to one pseudowire. An L2TP V3 control connection (an L2TP V3 tunnel) needs to be established between the tunneling entities before creating a session. For a pseudowire to operate, both the L2TP V3 session originator and responder need to know the pseudowire type and identifier. These two parameters are communicated during L2TP V3 session establishment. An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying the pseudowire type and ID. The working status of a pseudowire is reflected by the state of the L2TP V3 session. If an L2TP V3 session is down, the pseudowire associated with it must be shut down. The L2TP V3 control connection keep-alive mechanism can serve as a monitoring mechanism for the pseudowires associated with a control connection.

NOTE: If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port; if connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN.

To define an L2TP V3 tunnel configuration:
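Before the policy steps, the receive-side check that the session cookie (the policy's Cookie size setting below) gives a data packet, as a runnable model. This is an added example, not code from the guide or from WiNG. It uses the RFC 3931 L2TPv3-over-IP data header (a 4-byte Session ID, then a 0-, 4- or 8-byte cookie, then the tunneled Ethernet frame); whether a given WiNG tunnel runs over IP or UDP is not covered here, and the session table, cookies and frame are constructed.

```python
"""Receive-side cookie check on an L2TPv3 data packet, as a runnable model.

Added example; not code from the guide or from WiNG. Header layout follows
the RFC 3931 over-IP data message: Session ID (4 bytes), cookie (0, 4 or 8
bytes, the same size for every session of a tunnel), then the L2 frame.
The session table, cookies and frame below are constructed.
"""
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

SESSION_ID_LEN = 4


class SessionTable:
    """Local sessions (pseudowires) of one tunnel, keyed by Session ID."""

    def __init__(self, cookie_size: int):
        if cookie_size not in (0, 4, 8):
            raise ValueError("cookie size must be 0, 4 or 8 bytes")
        self.cookie_size = cookie_size
        self._cookies: Dict[int, bytes] = {}

    def add(self, session_id: int, cookie: Optional[bytes] = None) -> bytes:
        """Register a session; the cookie value is agreed during session setup."""
        if session_id == 0:
            raise ValueError("Session ID 0 is reserved for control messages")
        if cookie is None:
            cookie = os.urandom(self.cookie_size)    # unpredictable, per session
        if len(cookie) != self.cookie_size:
            raise ValueError("cookie length must equal the tunnel cookie size")
        self._cookies[session_id] = cookie
        return cookie

    def receive(self, datagram: bytes) -> Optional[Tuple[int, bytes]]:
        """Return (session_id, frame) for an accepted packet, None if dropped."""
        hdr_len = SESSION_ID_LEN + self.cookie_size
        if len(datagram) < hdr_len:
            return None                              # truncated
        (session_id,) = struct.unpack("!I", datagram[:SESSION_ID_LEN])
        if session_id == 0:
            return None                              # control channel, not data
        expected = self._cookies.get(session_id)
        if expected is None:
            return None                              # no such session
        cookie = datagram[SESSION_ID_LEN:hdr_len]
        if not hmac.compare_digest(cookie, expected):
            return None                              # misdirected or forged packet
        return session_id, datagram[hdr_len:]


def encapsulate(session_id: int, cookie: bytes, frame: bytes) -> bytes:
    """Build the data packet a peer would send for this session."""
    return struct.pack("!I", session_id) + cookie + frame


# Constructed 802.1Q-tagged Ethernet frame: broadcast dst, VLAN 100, IPv4 type.
FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("001122334455")
         + bytes.fromhex("8100") + bytes.fromhex("0064") + bytes.fromhex("0800")
         + b"payload")


if __name__ == "__main__":
    table = SessionTable(8)
    cookie = table.add(0x0001A2B3)
    print(table.receive(encapsulate(0x0001A2B3, cookie, FRAME)))     # accepted
    print(table.receive(encapsulate(0x0001A2B3, bytes(8), FRAME)))   # None: bad cookie
```

With a cookie size of 0 the check degenerates to "is this a known Session ID", so any host that can inject packets toward the tunnel endpoint and guess a 32-bit session ID gets its frame bridged into the VLAN. The cookie is also the only per-packet protection L2TPv3 data messages have; the protocol provides no confidentiality or integrity for them, so a tunnel crossing an untrusted network belongs inside IPsec.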
1 Select Configuration > Network > L2TPv3.
The L2TP V3 screen lists the policy configurations defined thus far.
Figure 7-4 L2TP v3 Policy screen
2 Refer to the following to determine whether a new L2TP V3 policy requires creation or modification:
Name: Lists the 31 character maximum name assigned to each listed L2TP V3 policy, designated upon creation.
Cookie size: Displays the size of each policy's cookie field present within each L2TP V3 data packet. L2TP V3 data packets contain a session cookie which identifies the session (pseudowire) corresponding to it. If using the CLI, the cookie size cannot be configured per session; all sessions within a tunnel use the same size.
Hello Interval: Displays each policy's interval between L2TP V3 hello keep alive messages exchanged within the L2TP V3 connection.
Reconnect Attempt: Lists each policy's maximum number of reconnection attempts available to reestablish the tunnel if the connection is lost.
Reconnect Interval: Displays the duration set for each listed policy between two successive reconnection attempts.
Retry Count: Lists the number of retransmission attempts set for each listed policy before a target tunnel peer is defined as not reachable.
Retry Time Out: Lists the interval (in seconds) set for each listed policy before the retransmission of an L2TP V3 signaling message.
Rx Window Size: Displays the number of packets that can be received without sending an acknowledgement.
Tx Window Size: Displays the number of packets that can be transmitted without receiving an acknowledgement.
Failover Delay: Lists the time (in either seconds or minutes) for establishing a tunnel after a failover (VRRP/RF Domain/Cluster).
Force L2 Path Recovery: Lists whether force L2 path recovery is enabled (as defined by a green checkmark) or disabled (as defined by a red X). Once a tunnel is established, enabling this setting forces server and gateway learning behind the L2TPv3 tunnel.
3 Select Add to create a new L2TP V3 policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available. Existing policies can be copied or deleted as needed.
Figure 7-5 L2TP V3 Policy Creation screen
4 If creating a new L2TP V3 policy, assign it a Name of up to 31 characters. Remember, a single L2TP V3 policy can be used by numerous L2TP V3 tunnels.
5 Define the following Policy Details:
Cookie size: L2TP V3 data packets contain a session cookie which identifies the session (pseudowire) corresponding to it. Use the spinner control to set the size of the cookie field present within each L2TP V3 data packet. Options include 0, 4 and 8. The default setting is 0. If using the CLI, the cookie size cannot be configured per session; all sessions within a tunnel use the same size. The cookie is the only per-packet check a receiver has that a data packet belongs to the session, so with a size of 0 any packet carrying a valid session ID is accepted; L2TP V3 itself provides no confidentiality or integrity protection for data packets, so run a tunnel that crosses an untrusted network inside IPsec.
Hello Interval: Define an interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) between L2TP V3 hello keep alive messages exchanged within the L2TP V3 control connection. The default setting is 1 minute.
Reconnect Attempt: Use the spinner control to set a value (from 0 - 8) representing the maximum number of reconnection attempts initiated to reestablish the tunnel. The default value is 0.
Reconnect Interval: Define an interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) between two successive reconnection attempts. The default setting is 2 minutes.
Retry Count: Use the spinner control to define how many retransmission attempts are made before determining a target tunnel peer is not reachable. The available range is from 1 - 10, with a default value of 5.
Retry Time Out: Use the spinner control to define the interval (in seconds) before initiating a retransmission of an L2TP V3 signaling message. The available range is from 1 - 250, with a default value of 5.
Rx Window Size: Specify the number of packets that can be received without sending an acknowledgement. The available range is from 1 - 15, with a default setting of 10.
Tx Window Size: Specify the number of packets that can be transmitted without receiving an acknowledgement. The available range is from 1 - 15, with a default setting of 10.
Failover Delay: Set the time in Seconds (5 - 60) or Minutes (1) for establishing a tunnel after a failover (VRRP/RF Domain/Cluster). The default setting is 5 seconds.
Force L2 Path Recovery: Determine whether force L2 path recovery is enabled or disabled. Once a tunnel is established, enabling this setting forces server and gateway learning behind the L2TPv3 tunnel. The default setting is disabled.
6 Select OK to save the updates to the L2TP V3 policy. Select Reset to revert to the last saved configuration.

7.3 Crypto CMP Policy

Certificate Management Protocol (CMP) is an Internet protocol used to obtain and manage digital certificates in a Public Key Infrastructure (PKI). A Certificate Authority (CA) issues the certificates using CMP. Using CMP, a device can communicate with a CMP supporting CA server, initiate a certificate request and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP supporting CA server. The device can initiate a request to obtain certificates from the server. It can also auto update certificates which are about to expire. The CMP client on the controller, service platform or Access Point triggers a request to the configured CMP CA server. Once the certificate is validated and confirmed by the CA server it is saved on the device and becomes part of the trustpoint. During the creation of the CMP policy the trustpoint is assigned a name and client information. An administrator can use a manually created trustpoint for one service (like HTTPS) and use the CMP generated trustpoint for RADIUS EAP certificate based authentication.

To review, create or edit a Crypto CMP policy:
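The renewal behaviour that the Certificate Renewal Timeout in step 4 below configures, as a runnable model. This is an added example, not code from the guide or from WiNG. It assumes one expiry check per day, a renewal request only when the certificate is within the renewal timeout of expiring and the IPsec tunnel to the CMP server is up, a successful renewal overwriting the certificate, and a logged error on failure; the certificate, calendar, tunnel state and CA responder are constructed stand-ins, and treating an already expired certificate as no longer renewable is an assumption.

```python
"""Daily CMP certificate renewal check, as a runnable model.

Added example; not code from the guide or from WiNG. Models: expiry checked
once a day, renewal requested inside the Certificate Renewal Timeout window,
request sent only when the IPsec tunnel is up, success overwrites the
certificate, failure is logged. Certificate, dates, tunnel schedule and the
CA stand-in are constructed. Assumption: an expired certificate is logged
and no longer renewed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List


@dataclass
class Certificate:
    serial: int
    not_after: date


class CmpRenewer:
    def __init__(self, renewal_timeout_days: int = 14, key_size: int = 2048):
        if not 1 <= renewal_timeout_days <= 60:
            raise ValueError("Certificate Renewal Timeout is 1-60 days")
        if not 2048 <= key_size <= 4096:
            raise ValueError("Certificate Key Size is 2048-4096 bits")
        self.renewal_timeout_days = renewal_timeout_days
        self.key_size = key_size
        self.log: List[str] = []

    def daily_check(self, today, cert, tunnel_up, request_renewal):
        """One scheduled check. Returns the certificate held after the check."""
        days_left = (cert.not_after - today).days
        if days_left < 0:
            self.log.append(f"{today}: certificate serial {cert.serial} expired")
            return cert
        if days_left > self.renewal_timeout_days:
            return cert                       # not yet inside the renewal window
        if not tunnel_up:
            self.log.append(f"{today}: renewal due ({days_left} days left) "
                            "but IPsec tunnel down; request not sent")
            return cert
        new_cert = request_renewal(cert, self.key_size)
        if new_cert is None:
            self.log.append(f"{today}: renewal request failed")
            return cert
        self.log.append(f"{today}: renewed serial {cert.serial} -> {new_cert.serial}")
        return new_cert                       # overwrites the old certificate


def simulate(renewer, cert, start, days, tunnel_up_on, request_renewal):
    """Run the daily check for `days` days; tunnel_up_on holds the day offsets the tunnel is up."""
    for offset in range(days):
        today = start + timedelta(days=offset)
        cert = renewer.daily_check(today, cert, offset in tunnel_up_on, request_renewal)
    return cert


def stub_ca(cert, key_size):
    """Stand-in CA: issues the next serial, valid for another 365 days."""
    return Certificate(cert.serial + 1, cert.not_after + timedelta(days=365))


DEMO_START = date(2024, 1, 1)


def demo_certificate():
    """Constructed certificate with 19 days left at DEMO_START."""
    return Certificate(serial=1, not_after=date(2024, 1, 20))


if __name__ == "__main__":
    renewer = CmpRenewer(renewal_timeout_days=14)
    final = simulate(renewer, demo_certificate(), DEMO_START, 10, {7}, stub_ca)
    print(final)
    print("\n".join(renewer.log))
```

The tunnel-down case is the one to watch operationally: every day the tunnel is down inside the window is a logged but silent loss of renewal time, so the renewal timeout has to exceed the longest tunnel outage you expect, plus a margin for the once-a-day check.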
1 Select Configuration > Network > Crypto CMP Policy.
The Crypto CMP Policy screen lists the policy configurations defined thus far.
Figure 7-6 Crypto CMP Policy screen
2 Select Add to create a new Crypto CMP policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available. Existing policies can be copied or renamed as needed.
Figure 7-7 Crypto CMP Policy Creation screen
3 If creating a new Crypto CMP policy, assign it a Name of up to 31 characters to help distinguish it.
4 Set the Certificate Renewal Timeout period to trigger a new certificate renewal request with the dedicated CMP server resource. The range is 1 - 60 days. The default is 14 days. The expiration of the certificate is checked once a day. When a certificate is about to expire, a certificate renewal is initiated with the server via an existing IPsec tunnel. If the tunnel is not established, the CMP renewal request is not sent. If a renewal succeeds, the newly obtained certificate overwrites the existing certificate. If the renewal fails, an error is logged.
5 Select Certificate Update to update the renewal data of the certificate. This setting is enabled by default.
6 Select Certificate Validate to validate the cross-certificate. This setting is disabled by default.
7 Select Auto-gen Unique ID to add (prepend) an autogenerated ID in both the subject and sender fields. This setting is disabled by default.
8 Use the Certificate Key Size spinner control to set a key size (from 2,048 - 4,096 bits) for the certificate request. The default key size is 2,048.
9 Select + Add Row and define the following CMS Server Configuration settings for the server resource:
Enable: Use the drop-down menu to set the server as either the Primary (first choice) or Secondary (second choice) CMP server resource.
IP: Define the IP address of the CMP CA server managing digital certificate requests. CMP certificates are encrypted with the CA's public key and transmitted to the defined IP destination over a typical HTTP or TLS session.
Path: Provide the complete path to the CMP CA's trustpoint.
Port: Provide the CMP CA port number.
10 Set the following Trust Points settings. The trustpoint is used for the various services specifically set on the controller, service platform or Access Point.
Name: Enter the 32 character maximum name assigned to the target trustpoint. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate. This field is mandatory.
Subject Name: Provide a subject name of up to 512 characters for the certificate template. This field is mandatory.
Reference ID: Set the user reference value for the CMP CA trustpoint message. The range is 0 - 256. This field is mandatory.
Secret: Specify the secret used for trustpoint authentication with the designated CMP server resource.
Sender Name: Enter a sender name of up to 512 characters for the trustpoint request. This field is mandatory.
Recipient Name: Enter a recipient name of up to 512 characters for the trustpoint request.
11 Use the SAN Type drop-down menu to select the type of Subject Alternative Name (SAN) included in the certificate request. Options include email, IP Address, Distinguished Name, FQDN and string.
12 Use the SAN Value field to enter the 128 character maximum Subject Alternative Name value.
13 Select OK to save the updates to the Crypto CMP policy, Reset to revert to the last saved configuration, or Exit to close the screen.

7.4 AAA Policy

Authentication, Authorization, and Accounting (AAA) provides the mechanism by which network administrators define access control within the network.
Controllers, service platforms and Access Points can interoperate with external RADIUS and LDAP Servers (AAA Servers) to provide user database information and user authentication data. Each WLAN can maintain its own unique AAA configuration. AAA provides a modular way of performing the following services:
Authentication - Authentication provides a means for identifying users, including login and password dialog, challenge and response, messaging support and (depending on the security protocol) encryption. Authentication is the technique by which a user is identified before being allowed access to the network. Configure AAA authentication by defining a list of authentication methods, and then applying the list to various interfaces. The list defines the authentication schemes performed and their sequence. The list must be applied to an interface before the defined authentication technique is conducted.
Authorization - Authorization occurs immediately after authentication. Authorization is a method for remote access control, including authorization for services and individual user accounts and profiles. Authorization functions through the assembly of attribute sets describing what the user is authorized to perform. These attributes are compared to information contained in a database for a given user and the result is returned to AAA to determine the user's actual capabilities and restrictions. The database can be located locally or be hosted remotely on a RADIUS server. Remote RADIUS servers authorize users by associating attribute-value (AV) pairs with the appropriate user. Each authorization method must be defined through AAA. When AAA authorization is enabled it is applied equally to all interfaces.
Accounting - Accounting is the method for collecting and sending security server information for billing, auditing, and reporting user data, such as start and stop times, executed commands (such as PPP), number of packets, and number of bytes. Accounting enables wireless network administrators to track the services users are accessing and the network resources they are consuming.
When accounting is enabled, the network access server reports user activity to a RADIUS security server in the form of accounting records. Each accounting record is comprised of AV pairs and is stored on the access control server. The data can be analyzed for network management, client billing, and/or auditing. Accounting methods must be defined through AAA. When AAA accounting is activated, it is applied equally to all interfaces on the access servers.

To define unique WLAN AAA configurations:
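Before the policy steps, two of the settings they cover as a runnable model: the Network Access Identifier routing values (realm matched as a Prefix or Suffix of the username, and Strip Realm) and the Server Pooling Mode (Failover versus Load Balanced over the policy's server list). This is an added example, not code from the guide or from WiNG. Assumptions: a suffix realm is separated by '@' and a prefix realm by '/' or '\'; the realms, server addresses, usernames and the set of unresponsive servers are constructed.

```python
"""NAI realm routing and RADIUS server pooling, as a runnable model.

Added example; not code from the guide or from WiNG. Models the Realm /
Realm Type / Strip Realm settings and the Failover and Load Balanced
pooling modes. Assumptions: '@' separates a suffix realm, '/' or '\\'
a prefix realm. Realms, servers, usernames and the unresponsive set are
constructed.
"""
from typing import List, Optional, Set, Tuple

PREFIX_SEPARATORS = ("/", "\\")      # assumed; e.g. PARTNER/bob or PARTNER\bob


def match_realm(username: str, realm: str, realm_type: str) -> Tuple[bool, str]:
    """Return (matched, username with the realm stripped)."""
    if realm_type == "suffix":
        tail = "@" + realm
        if username.lower().endswith(tail.lower()):
            return True, username[:-len(tail)]
    elif realm_type == "prefix":
        for sep in PREFIX_SEPARATORS:
            head = realm + sep
            if username.lower().startswith(head.lower()):
                return True, username[len(head):]
    else:
        raise ValueError("realm_type must be 'prefix' or 'suffix'")
    return False, username


class ServerPool:
    """RADIUS servers of one AAA policy, in Server ID order (1-6)."""

    def __init__(self, servers: List[str], mode: str):
        if mode not in ("failover", "load-balanced"):
            raise ValueError("mode must be 'failover' or 'load-balanced'")
        if not 1 <= len(servers) <= 6:
            raise ValueError("an AAA policy holds 1-6 servers")
        self.servers = list(servers)
        self.mode = mode
        self._next = 0                     # round-robin cursor

    def pick(self, unresponsive: Set[str]) -> Optional[str]:
        """Choose the server for the next request, or None if all are down."""
        n = len(self.servers)
        if self.mode == "failover":
            # Work down the list; the first responsive server wins every time.
            return next((s for s in self.servers if s not in unresponsive), None)
        # Load balanced: continue round robin from the cursor, skipping dead servers.
        for i in range(n):
            idx = (self._next + i) % n
            if self.servers[idx] not in unresponsive:
                self._next = (idx + 1) % n
                return self.servers[idx]
        return None


def route_request(username, realm_routes, strip_realm):
    """First matching realm wins. Returns (pool name or None, username to forward)."""
    for realm, realm_type, pool_name in realm_routes:
        matched, inner = match_realm(username, realm, realm_type)
        if matched:
            return pool_name, (inner if strip_realm else username)
    return None, username             # no realm matched: default/local handling


# Constructed routing table and pools.
ROUTES = [
    ("corp.example", "suffix", "corp-pool"),
    ("PARTNER", "prefix", "partner-pool"),
]
POOLS = {
    "corp-pool": ServerPool(["10.0.0.11", "10.0.0.12", "10.0.0.13"], "load-balanced"),
    "partner-pool": ServerPool(["192.0.2.11", "192.0.2.12"], "failover"),
}


def dispatch(username, unresponsive, strip_realm=True):
    """Full path for one request: realm match, optional strip, server choice."""
    pool_name, forwarded = route_request(username, ROUTES, strip_realm)
    if pool_name is None:
        return None, forwarded
    return POOLS[pool_name].pick(unresponsive), forwarded


if __name__ == "__main__":
    for user in ("alice@corp.example", "PARTNER/bob", "carol@other.example"):
        print(user, "->", dispatch(user, {"10.0.0.12"}))
```

Two points worth keeping in mind from the model: the realm match decides which server, and therefore which shared secret and which organisation, receives a user's credentials, so realms should be specific rather than catch-all; and with Strip Realm enabled the proxied server only ever sees the inner username, which matters if it keys its own policy on the full NAI.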
1 Select Configuration > Network > AAA Policy to display existing AAA policies. The Authentication, Authorization, and Accounting (AAA) screen lists the AAA policies created thus far. Any of these policies can be selected and applied.
2 Refer to the following information listed for each existing AAA policy:
Figure 7-8 Authentication, Authorization, and Accounting (AAA) screen
AAA Policy: Displays the name assigned to the AAA policy when it was initially created. The name cannot be edited within a listed profile.
Accounting Packet Type: Displays the accounting type set for the AAA policy. Options include:
Start Only - Sends a start accounting notice to initiate user accounting.
Start/Stop - Sends a start accounting notice at the beginning of a process and a stop notice at the end of a process. The start accounting record is sent in the background. The requested process begins regardless of whether the start accounting notice is received by the accounting server.
Start/Interim/Stop - Sends a start accounting notice at the beginning of a process and a stop notice at the end of a process. A notice is also sent at the completion of each interim packet transmission during the process.
Request Interval: Lists each AAA policy's interval used to send a RADIUS accounting request to the RADIUS server.
NAC Policy: Lists the name of the Network Access Control (NAC) filter used to either include or exclude clients from access.
Server Pooling Mode: The server pooling mode controls how requests are transmitted across RADIUS servers. Selecting Failover results in working down the list of servers if a server is unresponsive or unavailable. Load Balanced uses all available servers, transmitting requests in round robin.
3 To configure a new AAA policy, click the Add button. To modify an existing policy, select it from amongst those available and select the Edit button. Optionally Copy or Rename the AAA policy as needed.
4 Refer to the following AAA authentication policy data:
Figure 7-9 AAA Policy - RADIUS Authentication screen
Server ID: Displays the numerical server index (1 - 6) for the authentication server when added to the list available.
Server Type: Displays the type of AAA server in use, either Host, onboard-self or onboard-controller.
Host: Displays the IP address or hostname of the RADIUS authentication server.
Port: Displays the port on which the RADIUS server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1812.
Request Proxy Mode: Displays whether a request is transmitted directly to the server or proxied through the Access Point or RF Domain manager.
Request Attempts: Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session. The available range is between 1 and 10 attempts. The default is 3 attempts.
Request Timeout: Displays the time (from 1 - 60 seconds) for the re-transmission of request packets. The default is 3 seconds. If this time is exceeded, the authentication session is terminated.
DSCP: Displays the DSCP value, a 6-bit parameter in the header of every IP packet used for packet classification. The valid range is from 0 - 63 with a default of 46.
NAI Routing Enable: Displays NAI routing status. AAA servers identify clients using the Network Access Identifier (NAI). The NAI is a character string in the format of an e-mail address, as either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. The generic form allows all users to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not have all the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers for each realm.
NAC Enable: A green check defines NAC as enabled, while a red X defines NAC as disabled with this AAA policy.
5 Select a configuration from the table and select Edit, or select Add to create a new RADIUS authentication policy. Optionally Delete a policy as it becomes obsolete.
6 Define the following Settings to add or modify an AAA RADIUS authentication server configuration:
Figure 7-10 AAA Policy - Add RADIUS Authentication Server
Server ID: If adding a server, define the numerical server index (1 - 6) for the authentication server when added to the list available.
Server Type: Select the type of AAA server in use, either Host, onboard-self, onboard-controller or onboard-centralized-controller.
Host: Specify the IP address or hostname of the RADIUS authentication server. Hostnames cannot include an underscore character.
Port: Define or edit the port on which the RADIUS server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1812.
Secret: Specify the shared secret used for authentication with the selected RADIUS server. By default the secret is displayed as asterisks. To show the secret in plain text, check the Show box.
Request Proxy Mode: Select how requests are proxied to the RADIUS authentication server. The mode can be None, Through Wireless Controller, through-centralized-controller, Through RF Domain Manager or Through Mint Host.
Request Mint Host: Specify a 64 character maximum hostname (or Mint ID) of the Mint device used for proxying requests. Hostnames cannot include an underscore character.
Request Attempts: Specify the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session. The available range is between 1 and 10 attempts. The default is 3 attempts.
Request Timeout: Specify the time, between 1 and 60 seconds, for the re-transmission of request packets. The default is 5 seconds. If this time is exceeded, the authentication session is terminated.
Request Timeout Factor: Specify the timeout factor (from 50 - 200) applied to the retry timeout for the re-transmission of request packets. The default is 100.
DSCP: Specify the DSCP value, a 6-bit parameter in the header of every IP packet used for packet classification. The valid range is between 0 and 63 with a default value of 46.
7 Set the following Network Access Identifier Routing values:
NAI Routing Enable: Check to enable NAI routing. AAA servers identify clients using the Network Access Identifier (NAI). The NAI is a character string in the format of an e-mail address, as either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used either in a specific or generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. The generic form allows users to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on a AAA server. The original purpose of the NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not have all the accounts for all of its roaming partners in a single RADIUS database. RADIUS servers can proxy requests to remote servers for each realm.
Realm: Enter the realm name in the field. The name cannot exceed 50 characters. When the RADIUS server receives a request for a user name, the server references a table of user names. If the user name is known, the server proxies the request to the RADIUS server.
Realm Type: Specify whether the Prefix or Suffix of the user name is matched to the realm.
Strip Realm: Check to remove the realm from the user name in the forwarded request when NAI routing is enabled.
8 Select the RADIUS Accounting tab.
9 Refer to the following information for each existing AAA server policy to determine whether new RADIUS accounting policies require creation or existing policies require modification:
Figure 7-11 AAA Policy - RADIUS Accounting screen
Server ID: Displays the numerical server index (1-6) assigned to the accounting server when it was added to the WiNG operating system.
Host: Displays the IP address or hostname of the RADIUS authentication server. Hostnames cannot include an underscore character.
Port: Displays the port on which the RADIUS server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1813.
Server Type: Displays the type of AAA server in use, either Host, onboard-self, or onboard-controller.
Request Timeout: Displays the time, between 1 and 60 seconds, between the wireless controller's re-transmissions of request packets. If this time is exceeded, the authentication session is terminated.
Request Attempts: Displays the number of attempts a client can retransmit a missed frame to the RADIUS server before it times out of the authentication session. The available range is 1 to 10 attempts. The default is 3 attempts.
DSCP: Displays the DSCP value, a 6-bit field in the header of every IP packet used for packet classification. The valid range is 0 to 63; the default value is 34.
Request Proxy Mode: Displays the proxy method through which requests reach the RADIUS authentication server. The mode is either None, Through Wireless Controller, or Through RF Domain Manager.
NAI Routing Enable: Displays the NAI routing status. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address, either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used in either a specific or a generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. The generic form allows all users to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on an AAA server. The original purpose of the NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not hold the accounts of all its roaming partners in a single RADIUS database; RADIUS servers can proxy requests to the remote server for each realm.
10 To edit an existing accounting profile, select the profile, then Edit. To add a new policy, select Add. Optionally, Delete policies as they become obsolete.
Figure 7-12 AAA Policy - Add RADIUS Accounting Server
11 If creating a new AAA Accounting Server configuration as a user database and user authentication resource, assign it a Server ID from 1 - 6.
12 Define the following Settings to add or modify an AAA RADIUS accounting server configuration:
Server Type: Select the type of AAA server, either Host, onboard-self, onboard-controller or onboard-centralized-controller.
Host: Specify the IP address or hostname of the RADIUS accounting server. Hostnames cannot include an underscore character. Select Alias to define the hostname alias once and use the alias across different configuration items.
Port: Define or edit the port on which the RADIUS accounting server listens to traffic within the network. The port range is 1 to 65,535. The default port is 1813.
Secret: Specify the secret (password) used for authentication on the selected RADIUS server. By default the secret is displayed as asterisks. To show the secret in plain text, select Show.
Request Proxy Mode: Select the proxy method through which requests reach the RADIUS authentication server. The mode is either None, Through Wireless Controller, through-centralized-controller, Through RF Domain Manager or Through Mint Host.
Request Mint Host: Specify a 64 character maximum hostname or the Mint ID of the Mint device used for proxying requests. Hostnames cannot include an underscore character.
Request Attempts: Displays the number of attempts a client can retransmit a missed frame to the RADIUS accounting server before it times out of the authentication session. The available range is 1 - 10 attempts. The default is 3 attempts.
Request Timeout: Specify the time, from 1 - 60 seconds, for the re-transmission of request packets. The default is 5 seconds. If this time is exceeded, the authentication session is terminated.
Retry Timeout Factor: Specify the amount of time, from 50 - 200 seconds, between retry timeouts for the re-transmission of request packets. The default is 100.
DSCP: Displays the DSCP value, a 6-bit field in the header of every IP packet used for packet classification. The valid range is 0 to 63; the default value is 34.
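As an added illustration of the NAI Routing settings (step 7 above for the authentication server, repeated in step 13 below for the accounting server), and not code from the guide or from WiNG, the following Python model splits a User-Name into user and realm by Suffix or Prefix, decides whether the request is proxied to the server that owns the realm, and applies Strip Realm before forwarding. The suffix form is user@realm; the prefix form is modelled as realm/user or realm\user, which is an assumption because the guide does not state the prefix separator.

```python
"""NAI realm routing model (added example; not WiNG code).

Suffix form: user@realm.  Prefix form: realm/user or realm\\user; the
separators used for the prefix form are an assumption, the guide does not
state them.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

PREFIX_SEPARATORS = ("/", "\\")  # assumed separators for the prefix form


@dataclass
class NaiRoutingPolicy:
    """Per-server NAI Routing settings from the AAA policy screen."""
    enabled: bool = False
    realm: str = ""              # Realm: 50 characters maximum
    realm_type: str = "suffix"   # Realm Type: "prefix" or "suffix"
    strip_realm: bool = False    # Strip Realm: drop the realm before forwarding


@dataclass
class RoutingDecision:
    proxy: bool                  # True when this server's realm claims the request
    user_name: str               # User-Name carried in the forwarded request
    realm: Optional[str]         # realm extracted from the NAI, if any


def validate_policy(policy: NaiRoutingPolicy) -> None:
    """Apply the limits stated on the AAA policy screen."""
    if len(policy.realm) > 50:
        raise ValueError("realm name cannot exceed 50 characters")
    if policy.realm_type not in ("prefix", "suffix"):
        raise ValueError("realm_type must be 'prefix' or 'suffix'")


def split_nai(user_name: str, realm_type: str) -> Tuple[str, Optional[str]]:
    """Return (user, realm); realm is None when the NAI has no realm portion."""
    if realm_type == "suffix":
        user, sep, realm = user_name.rpartition("@")
        return (user, realm) if sep else (user_name, None)
    for separator in PREFIX_SEPARATORS:   # prefix form: realm<sep>user
        realm, sep, user = user_name.partition(separator)
        if sep:
            return user, realm
    return user_name, None


def route_request(user_name: str, policy: NaiRoutingPolicy) -> RoutingDecision:
    """Decide whether one server's realm claims the request and what User-Name it sees."""
    if not policy.enabled:
        return RoutingDecision(proxy=False, user_name=user_name, realm=None)
    validate_policy(policy)
    user, realm = split_nai(user_name, policy.realm_type)
    if realm is None or realm.lower() != policy.realm.lower():
        # No realm, or a realm this server does not own: not proxied by this entry
        return RoutingDecision(proxy=False, user_name=user_name, realm=realm)
    forwarded = user if policy.strip_realm else user_name
    return RoutingDecision(proxy=True, user_name=forwarded, realm=realm)


def select_server(user_name: str, servers: Dict[int, NaiRoutingPolicy]):
    """Pick the lowest Server ID whose realm matches the NAI.

    Returns (server_id, decision); server_id is None when no realm matches,
    in which case the request is handled without NAI-based proxying.
    """
    for server_id in sorted(servers):
        decision = route_request(user_name, servers[server_id])
        if decision.proxy:
            return server_id, decision
    return None, RoutingDecision(proxy=False, user_name=user_name, realm=None)


if __name__ == "__main__":
    # Constructed sample configuration: two AAA servers, one realm each
    sample_servers = {
        1: NaiRoutingPolicy(True, "corp.example", "suffix", strip_realm=True),
        2: NaiRoutingPolicy(True, "partner.example", "suffix", strip_realm=False),
    }
    for name in ("alice@corp.example", "carol@partner.example", "dave"):
        print(name, "->", select_server(name, sample_servers))
```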
13 Set the following Network Access Identifier routing values for the accounting server:
NAI Routing Enable: Check to enable NAI routing. AAA servers identify clients using the NAI. The NAI is a character string in the format of an e-mail address, either user or user@realm, but it need not be a valid e-mail address or a fully qualified domain name. The NAI can be used in either a specific or a generic form. The specific form, which must contain the user portion and may contain the @realm portion, identifies a single user. The generic form allows all users in a given realm, or without a realm, to be configured on a single command line. Each user still needs a unique security association, but these associations can be stored on an AAA server. The original purpose of the NAI was to support roaming between dialup ISPs. Using NAI, each ISP need not hold the accounts of all its roaming partners in a single RADIUS database; RADIUS accounting servers can proxy requests to the remote server for each realm.
Realm: Enter the realm name in the field. The name cannot exceed 50 characters. When the RADIUS server receives a request for a user name, the server references a table of usernames. If the user name is known, the server proxies the request to the RADIUS server for that realm.
Realm Type: Specify whether the Prefix or Suffix of the username is matched to the realm.
Strip Realm: Check Strip to remove the realm information from the packet when NAI routing is enabled.
14 Select the Settings tab.
15 Set the Protocol for MAC, Captive-Portal Authentication.
Figure 7-13 AAA Policy - Settings screen
The authentication protocol used when the server is used for any non-EAP authentication is Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), MS-CHAP or MS-CHAPv2. PAP is the default setting.
16 Set the following RADIUS Accounting settings:
Accounting Packet Type: Set the RADIUS Accounting request packet type. Options include Stop Only, Start/Stop and Start/Interim/Stop. Start/Stop is the default setting.
Request Interval: Set the periodicity of the interim accounting requests to 1 hour, 1 - 60 minutes or 60 - 3600 seconds. The default is 30 minutes.
Accounting Server Preference: Select the server preference for RADIUS accounting. The options include:
Prefer Same Authentication Server Host - Uses the authentication server host name as the host used for RADIUS accounting. This is the default setting.
Prefer Same Authentication Server Index - Uses the same index as the authentication server for RADIUS accounting.
Select Accounting Server Independently - Allows users to specify a RADIUS accounting server separate from the RADIUS authentication server.
17 Set the following RADIUS Address Format settings:
Format: Select the format of the MAC address used in the RADIUS accounting packets.
Case: Select whether the MAC address is sent using uppercase or lowercase characters. The default setting is uppercase.
Attributes: Select whether the specified format applies only to the username/password in MAC Auth requests or to all attributes containing a MAC address, such as calling-station-id or called-station-id.
18 Set the Server Pooling Mode:
Server Pooling Mode: Control how requests are transmitted across RADIUS servers. Failover means the list of servers is traversed whenever a server is unresponsive. Load Balanced means all servers are used in a round-robin fashion. The default setting is Failover.
19 Set the following EAP Wireless Client Settings:
Client Attempts: Defines the number of times (1 - 10) an EAP request is transmitted to a client before giving up. The default setting is 3.
Request Timeout: Set the amount of time after which an EAP request to a client is retried. The default setting is 3 seconds.
ID Request Timeout: Define the amount of time (1 - 60 seconds) after which an EAP ID Request to a client is retried. The default setting is 30 seconds.
Retransmission Scale Factor: Set the scaling of the retransmission attempts. The timeout at each attempt is a function of the request timeout factor and the client attempt number. 100 (the default setting) implies a constant timeout at each retry; smaller values indicate more aggressive (shorter) timeouts, larger numbers set more conservative (longer) timeouts on each successive attempt.
20 Set the following Access Request Attributes:
Cisco VSA Audit Session Id: Set a vendor specific attribute (VSA) to allow Cisco's Identity Services Engine (ISE) to validate a requesting client's network compliance, such as the validity of virus definition files (antivirus software or definition files for an anti-spyware application). This setting is disabled by default.
Accounting Delay Time: Select this option to enable support of an accounting delay time attribute within accounting requests. This setting is disabled by default.
Accounting Multi Session Id: Select this option to enable support of an accounting multi session ID attribute. This setting is disabled by default.
Chargeable User Id: Select this option to enable support of chargeable user identity. This setting is disabled by default.
Add Framed IP Address: Select this option to add an IP address attribute to access requests. This setting is disabled by default.
Framed MTU: Set the framed MTU attribute (from 100 - 1500) used in access requests. The default setting is 1400.
RFC5580 Location Information: Select a support option for the RFC5580 location attribute. Options include None, include-always and server-requested. The default setting is None.
RFC5580 Operator Name: Provide a 63 character maximum RFC5580 operator name.
Service-Type: Set the service type attribute value. Options include framed (default setting) and login.
NAS IPv6 Address: Select this option to provide support for NAS IPv6 formatted addresses when not proxying. This setting is disabled by default.
Proxy NAS Identifier: Select the RADIUS attribute NAS identifier used when proxying through the controller or RF Domain manager. Options include originator (default setting) or proxier.
Proxy NAS IPv6 Address: Sets the RADIUS attribute NAS IP address and NAS IPv4 address behavior when proxying through the controller or RF Domain manager. Options include None and proxier (default setting).
21 Select OK to save the updates to the AAA configuration. Select Reset to revert to the last saved configuration.
7.5 AAA TACACS Policy
Terminal Access Controller Access-Control System+ (TACACS) is a protocol created by Cisco Systems which provides access control to network devices (routers, network access servers and other networked computing devices) using one or more centralized servers. TACACS controls user access to devices and network resources while providing separate authentication, authorization, and accounting services, which can run on different servers. Some of the services provided by TACACS are:
Authorizing each command with the TACACS server before execution
Accounting each session's logon and logoff event
Authenticating each user with the TACACS server before enabling access to network resources
To define a unique AAA TACACS configuration:
1 Select the Configuration tab from the Web UI.
2 Select Network.
3 Select AAA TACACS Policy to display a high level view of existing AAA policies. The Authentication, Authorization, and Accounting (AAA) TACACS screen lists existing AAA policies. Any of these policies can be selected and applied to a controller, service platform or Access Point.
Figure 7-14 Authentication, Authorization, and Accounting (AAA) TACACS screen
4 Refer to the following information for each existing AAA TACACS policy to determine whether new policies require creation or existing policies require modification:
AAA TACACS Policy: Displays the name assigned to the AAA TACACS policy when it was initially created. The name cannot be edited within a listed profile.
Accounting Access Method: Displays the connection method used to access the AAA TACACS accounting server. Options include All, SSH, Console, or Telnet.
Authentication Access Method: Displays the method used to access the AAA TACACS authentication server. Options include All, SSH, Console, Telnet, or Web.
Authorization Access Method: Displays the method used to access the AAA TACACS authorization server. Options include All, SSH, Console, or Telnet.
5 Select Add to configure a new AAA TACACS policy. Optionally, Copy or Rename a policy as needed.
6 Provide a 32 character maximum name for the policy in the AAA TACACS Policy field. Select OK to proceed. The Server Info tab displays by default.
7 Under the Authentication table, select + Add Row.
Figure 7-15 AAA TACACS Policy - Server Info
Figure 7-16 AAA TACACS Policy - Authentication Server - Add Row
8 Set the following Authentication settings:
Server Id: Set the numerical server index (1-2) for the authentication server when it is added to the list of available TACACS authentication server resources.
Host: Specify the IP address or hostname of the AAA TACACS server. Hostnames cannot include an underscore character.
Port: Define or edit the port on which the AAA TACACS server listens to traffic. The port range is 1 - 65,535. The default port is 49.
Secret: Specify (and confirm) the secret (password) used for authentication between the selected AAA TACACS server and the controller, service platform or Access Point. By default the secret is displayed as asterisks. To show the secret in plain text, select Show.
Request Attempts: Set the number of connection request attempts to the TACACS server before it times out of the authentication session. The available range is 1 - 10. The default is 3.
Request Timeout: Specify the time for the re-transmission of request packets after an unsuccessful attempt. The default is 3 seconds. If the set time is exceeded, the authentication session is terminated.
Retry Timeout Factor: Set the scaling of retransmission attempts from 50 - 200 seconds. The timeout at each attempt is a function of the retry timeout factor and the attempt number. 100 (the default value) implies a constant timeout on each retry. Smaller values indicate more aggressive (shorter) timeouts. Larger numbers define more conservative (longer) timeouts on each successive attempt. The default is 100.
9 Select OK to save the changes or Exit to close the screen.
10 Set the Server Preference, within the Authorization field, to specify which server, in the pool of servers, is selected to receive authorization requests. Options include None, authenticated-server-host, and authenticated-server-number. If selecting None or authenticated-server-number, select + Add Row and set the server's ID, host, port, password and connection attempt parameters.
11 Set the following Authorization Server Details:
Server Id: Lists the numerical server index (1-2) for each authentication server when added to the list available to the controller, service platform or Access Point.
Host: Displays the IP address or hostname set for the AAA TACACS authentication server.
Port: Displays the port on which the TACACS authentication server listens to traffic. The port range is 1 - 65,535. The default port is 49.
Secret: Specify (and confirm) the secret (password) used for authentication between the selected AAA TACACS server and the controller, service platform or Access Point. By default the secret is displayed as asterisks. To show the secret in plain text, select Show.
Request Attempts: Displays the number of connection attempts before the controller, service platform or Access Point times out of the authentication session. The available range is 1 - 10. The default is 3.
Request Timeout: Specify the time for the re-transmission of request packets after an unsuccessful attempt. The default is 3 seconds. If the set time is exceeded, the authentication session is terminated.
Retry Timeout Factor: Set the scaling of retransmission attempts from 50 - 200 seconds. The timeout at each attempt is a function of the retry timeout factor and the attempt number. 100 (the default value) implies a constant timeout on each retry. Smaller values indicate more aggressive (shorter) timeouts. Larger numbers define more conservative (longer) timeouts on each successive attempt. The default is 100.
12 Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.
13 Set the Server Preference, within the Accounting field, to select the accounting server, from the pool of servers, to receive accounting requests. Options include None, authenticated-server-host, authenticated-server-number, authorized-server-host and authorized-server-number. The default is authenticated-server-host. If selecting None, authenticated-server-number or authorized-server-number, select + Add Row and set the server's ID, host, port, password and connection attempt parameters.
14 Set the following Accounting Server Details:
Server Id: Lists the numerical server index (1-2) for each authentication server when added to the list available to the controller, service platform or Access Point.
Host: Displays the IP address or hostname set for the AAA TACACS authentication server.
Port: Displays the port on which the TACACS authentication server listens to traffic. The port range is 1 - 65,535. The default port is 49.
Secret: Specify (and confirm) the secret (password) used for authentication between the selected AAA TACACS server and the controller, service platform or Access Point. By default the secret is displayed as asterisks. To show the secret in plain text, select Show.
Request Attempts: Displays the number of connection attempts before the controller, service platform or Access Point times out of the authentication session. The available range is 1 - 10. The default is 3.
Request Timeout: Specify the time for the re-transmission of request packets after an unsuccessful attempt. The default is 3 seconds. If the set time is exceeded, the authentication session is terminated.
Retry Timeout Factor: Set the scaling of retransmission attempts from 50 - 200 seconds. The timeout at each attempt is a function of the retry timeout factor and the attempt number. 100 (the default value) implies a constant timeout on each retry. Smaller values indicate more aggressive (shorter) timeouts. Larger numbers define more conservative (longer) timeouts on each successive attempt. The default is 100.
15 Select OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.
16 Select the Settings tab.
17 Set the following AAA TACACS Authentication server configuration parameters:
Figure 7-17 AAA TACACS Policy - Settings screen
Authentication Access Method: Specify the connection method(s) for authentication requests.
All - Authentication is performed for all types of access without prioritization.
Console - Authentication is performed only for console access.
Telnet - Authentication is performed only for access through Telnet.
SSH - Authentication is performed only for access through SSH.
Web - Authentication is performed only for access through the Web interface.
Directed Request: Select this option to enable the AAA TACACS authentication server to be used with the @<server name> nomenclature. The specified server must be present in the list of defined Authentication servers.
18 Set the following AAA TACACS Authorization server configuration parameters:
Authorization Access Method: Specify the connection methods for authorization requests:
All - Authorization is performed for all types of access without prioritization.
Console - Authorization is performed only for console access.
Telnet - Authorization is performed only for access through Telnet.
SSH - Authorization is performed only for access through SSH.
Allow Privileged Commands: Select this option to allow privileged commands to be executed without command authorization. Privileged commands are commands that can alter/change the authorization server configuration.
19 Set the following AAA TACACS Accounting server configuration parameters:
Accounting Access Method: Specify the access methods for accounting server connections.
All - Accounting is performed for all types of access with none given priority.
Console - Accounting is performed for console access only.
Telnet - Accounting is performed only for access through Telnet.
SSH - Accounting is performed only for access through SSH.
Authentication Failure: Select this option to enable accounting upon authentication failures. This setting is disabled by default.
CLI Commands: Select this option to enable accounting for CLI commands. This setting is disabled by default.
Session: Select this option to enable accounting for session start and session stop events. This setting is disabled by default.
20 Select + Add Row and set the following Service Protocol Settings parameters:
Service Name: Provide a 30 character maximum shell service for user authorization.
Service Protocol: Enter a protocol for user authentication using the service.
NOTE: A maximum of 5 entries can be made in the Service Protocol Settings table.
21 Select OK to save the updates to the AAA TACACS policy. Select Reset to revert to the last saved configuration.
7.6 IPv6 Router Advertisement Policy
An IPv6 router advertisement policy allows routers to advertise their presence in response to solicitation messages. After receiving a neighbor solicitation message, the destination node sends an advertisement message which includes the link layer address of the source node. After receiving the advertisement, the destination device replies with a neighbor advertisement message on the local link. After the source receives the advertisement, it can communicate with other devices. Advertisement messages are also sent to indicate a change in the link layer address of a node on the local link. With such a change, the multicast address becomes the destination address for advertisement messages.
To define an IPv6 router advertisement policy:
1 Select Configuration > Network > IPv6 Router Advertisement Policy.
Figure 7-18 Network IPv6 Router Advertisement Policy screen
2 Select Add to create a new IPv6 router advertisement policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available. Existing policies can be copied or renamed as needed. Provide a 32 character maximum name for the policy in the IPv6 RA Policy Name field. Select OK to proceed. The IPv6 RA Policy Name screen displays.
3 Set the following Router Advertisement Policy Basic Settings:
Figure 7-19 Network IPv6 RA Policy Name screen
Advertise MTU: Select this option to include the Maximum Transmission Unit (MTU) in the router advertisements. The default setting is disabled.
Advertise Hop Count: Select this option to include the hop count in the header of outgoing IPv6 packets. The default setting is disabled.
Assist in Neighbor Discovery: Select this option to send the source link layer address in a router advertisement to assist in neighbor discovery. The default setting is enabled.
Default Router Lifetime: Set the default router lifetime availability for IPv6 router advertisements. A lifetime of 0 indicates that the router is not a default router. The range is 0 - 9000 seconds, 0 - 150 minutes, or 0 - 2.5 hours. The default is 30 minutes.
Managed Address Configuration Flag: Select this option to send the managed address configuration flag in router advertisements. When set, the flag indicates that addresses are available via DHCPv6. The default setting is disabled.
Other Configuration Flag: Select this option to send the other configuration flag in router advertisements. When set, the flag indicates that other configuration information (DNS related information, information on other servers within the network) is available via DHCPv6. The default setting is disabled.
RA Interval: Set the interval for unsolicited IPv6 router advertisements. The router advertisement interval range is 3 - 1800 seconds or 0 - 150 minutes. The default is 5 minutes.
RA Consistency Flag: Select this option to check whether parameters advertised by other routers on the local link conflict with the router advertisements sent by this controller, service platform or Access Point. This option is disabled by default.
Router Preference: Set a High, Medium or Low preference designation on this router versus other router resources that may be available to the controller, service platform or Access Point. The default setting is Medium.
Suppress RA: Use this setting to enable or disable the transmission of router advertisements within the IPv6 packet. This setting is enabled by default.
Unicast Solicited RA: Select this option to enable the unicast (single destination) transmission of a router advertisement within the IPv6 packet. This setting is disabled by default.
4 Set the following Neighbor Discovery Reachable Time Settings:
Advertise ND Reachable Time in RA: Select this option to not specify the neighbor reachable time in the router advertisements. When unspecified, the neighbor reachable time configured for the system is advertised. The default setting is disabled.
Override System ND Reachable Time in RA: Set the neighbor reachable time period sent in the router advertisements. When unspecified, the neighbor reachable time configured for the system is advertised. The interval range is 5,000 - 3,600,000 milliseconds. The default is 5000 milliseconds.
5 Set the following Neighbor Solicitation Retransmit Time Settings:
Advertise NS Retransmit Timer in RA: Select this option to not specify the neighbor solicitation retransmit timer value in router advertisements. The default setting is disabled.
Override System NS Retransmit Interval in RA: Set the neighbor solicitation retransmit timer period sent in router advertisements. When unspecified, the setting configured for the system is advertised. The interval range is 1000 - 3,600,000 milliseconds. The default is 1000 milliseconds.
6 Select + Add Row under the Router Advertisement Policy DNS Settings table and set the following:
DNS Server IPv6 Address: Use a DNS server to resolve host names to IPv6 addresses. When an IPv6 host is configured with the address of a DNS server, the host sends DNS name queries to the server for resolution. This field is mandatory.
DNS Server Lifetime Type: Set the lifetime afforded to the DNS server resource. Options include expired, External (fixed), and infinite. The default is External (fixed).
DNS Server Lifetime: Set the maximum time the DNS server is available for name resolution. The interval range is 1000 - 3,600,000 milliseconds. The default is 10 minutes.
7 Select + Add Row under the Router Advertisement Policy Domain Name Settings table and define the following settings:
Domain Name: Enter a fully qualified domain name (FQDN), an unambiguous domain name made available as a router advertisement resource. To distinguish an FQDN from a regular domain name, a trailing period is added, for example somehost.example.com. This field is mandatory.
Domain Name Lifetime Type: Set the domain name lifetime type. Options include expired, External (fixed), and infinite. The default is External (fixed).
Domain Name Lifetime: Set the maximum time the DNS domain name is available as a name resolution resource. The default is 10 minutes.
8 Select OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.
7.7 BGP
Border Gateway Protocol (BGP) is an inter-ISP routing protocol for establishing routes between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules set by network administrators. The primary role of a BGP system is to exchange network reachability information with other BGP peers, including the ASs the reachability information has traversed. This information is sufficient to construct a graph of AS connectivity from which routing decisions are made and rules enforced.
An Autonomous System (AS) is a set of routers under the same administration using an Interior Gateway Protocol (IGP) and common metrics to define how to route packets. An AS uses inter-AS routing to route packets to other ASs. To an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of reachable destinations. Routing information exchanged through BGP supports only destination based forwarding (it assumes that a router forwards packets based on the destination address carried in the IP header of the packet).
BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgment, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes TCP supports a graceful close (all outstanding data is delivered before the connection is closed).
Refer to the following to configure access lists, path lists, IP prefix lists, community lists and external community lists for BGP:
IP Access List
AS Path List
IP Prefix List
Community List
External Community List
To review existing BGP configurations or potentially create new ones:
1 Select Configuration > Network > BGP. Expand the BGP menu to display its submenu options.
2 Select Route Map. In a BGP implementation, a route map is a method to control and modify routing information. The control and modification of routing information occurs using route redistribution rules.
Figure 7-20 Network BGP Route Map screen
3 Select Add to create a new route map, or Edit to modify the attributes of a selected route map. Existing route map configurations can be copied or renamed as needed. The Route Map Rule screen lists existing rules and their access permissions. The General tab is displayed by default when adding or editing route maps.
4 Set the following General settings:
Figure 7-21 Network Route Map Name - General screen

Description - Provide a 64 character maximum description to help distinguish this route map from others with similar access permissions.
Access - Set the permit or deny access designation for the route map. The default setting is deny.

5 Select the Match Rule tab.
6 Set the following Match Rule settings:
Figure 7-22 Network Route Map Name - Match Rule screen

AS-Path - An AS path is the list of Autonomous Systems (AS) a packet traverses to reach its destination. From the drop-down menu, select a pre-configured AS-Path list. Use the Create icon to create an AS-Path list, or select an existing one and use the Edit icon.
Metric - Select this option to define the exterior metric (1 - 4,294,967,295) used for route map distribution. BGP uses a route table managed by the external metric defined. Setting a metric provides a dynamic way to load balance between routes of equal cost.
Origin - Use the drop-down menu to set the source of the BGP route. Options include:
  egp - Matches if the origin of the route is from the exterior gateway protocol (eBGP). eBGP exchanges routing table information between hosts outside an autonomous system.
  igp - Matches if the origin of the route is from the interior gateway protocol (iBGP). iBGP exchanges routing table information between routers within an autonomous system.
  incomplete - Matches if the origin of the route is not identifiable.
Community - Use the drop-down menu to set the autonomous system community. A new community can be defined by selecting the Create icon, or an existing autonomous system community can be modified by selecting the Edit icon. Options include:
  internet - Advertises this route to the Internet. This is a global community.
  local-AS - Prevents the transmission of packets outside the local AS.
  no-advertise - Do not advertise this route to any peer, either internal or external.
  no-export - Do not advertise to BGP peers, keeping this route within an AS.
  aa:nn - The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number.
Exact Match - When matching the Community, use exact matching. The default setting is disabled.
Tag - The Tag is a way to preserve a route's AS path information for routers in iBGP. The default setting is disabled.
IP Route Source - The IP Route Source is a list of IP addresses used to filter routes based on the advertised IP address of the source. Use the drop-down menu to set the IP route source. A new route source can be defined by selecting the Create icon, or an existing one can be modified by selecting the Edit icon.
IP Route Source Prefix List - The IP Route Source Prefix List is a list of prefixes used to filter routes based on the prefix list used for the source. Use the drop-down menu to set the IP route source prefix list. A new list can be defined by selecting the Create icon, or an existing list can be modified by selecting the Edit icon.
IP Next Hop Prefix List - The IP Next Hop Prefix List is a list of prefixes for the route's next hop, determining how the route is filtered. Use the drop-down menu to set the IP next hop prefix list. A new list can be defined by selecting the Create icon, or an existing IP next hop prefix list can be modified by selecting the Edit icon.
IP Next Hop - The IP Next Hop is a list of IP addresses used to filter routes based on the IP address of the next hop in the route. Use the drop-down menu to set an IP next hop. A new next hop can be defined by selecting the Create icon, or an existing IP next hop can be modified by selecting the Edit icon.
IP Address - The IP Address parameter is a list of IP addresses in the route used to filter the route. Use the drop-down menu to set the IP address.
A new address can be defined by selecting the Create icon, or an existing IP address can be modified by selecting the Edit icon.
IP Address Prefix List - The IP Address Prefix List is a list of prefixes in the route used to filter the route. Use the drop-down menu to set the IP address prefix list. A new prefix list can be defined by selecting the Create icon, or an existing IP address prefix list can be modified by selecting the Edit icon.

7 Use the drop-down menu to set the Match Rule Experimental Feature External Community setting. A new External Community setting can be defined by selecting the Create icon, or an existing External Community setting can be modified by selecting the Edit icon.
8 Select the Set Rule tab.
9 Define the following Set Rule parameters:
Figure 7-23 Network Route Map Name - Set Rule screen

Aggregator AS ASN - Select the Autonomous System Number (ASN) for the BGP aggregator. Aggregates minimize the size of routing tables. Aggregation combines the characteristics of multiple routes and advertises them as a single route. Set a value from 1 - 4,294,967,295. This setting is disabled by default.
Aggregator IP - Provide the IP address of the route aggregator. BGP allows the aggregation of specific routes into one route using an aggregate IP address.
Exclude AS path - Enter an AS, or a list of ASs, excluded from the AS path.
Path prepend - Enter an AS, or a list of ASs, prepended to the AS path.
Atomic Aggregate - When a BGP enabled wireless controller or service platform receives a set of overlapping routes from a peer, or if the set of routes selects a less specific route, then the local device must set this value when propagating the route to its neighbors. This setting is disabled by default.
Community List - The Community List is a list of communities added to the route. A BGP community is a group of routes sharing a common attribute.
Community - The Community is the community attribute set on this route.
IP Address - Set the IP address for this route.
Enable (Next hop peer) - Select this option to enable the identification of the next hop address for peer devices. This setting is disabled by default.
Local Preference - Select this option to enable the communication of preferred routes out of the AS between peers. This setting is disabled by default.
Metric - BGP uses a route table managed by the external metric defined. Setting a metric provides a dynamic way to load balance between routes of equal cost. Set a metric value for this route from 1 - 4,294,967,295.
Origin - Select the origin code for this BGP route.
  egp - Sets the origin of the route to eBGP.
  igp - Sets the origin of the route to iBGP.
  incomplete - Sets the origin of the route as not identifiable. Set this if the route is from a source other than eBGP or iBGP.
Originator ID - Set the IP address of the originator of this route map.
Source ID - Set the IP address of the source of this route map.
Tag - The Tag is a way to preserve a route's AS path information for routers in iBGP. Set a tag value from 1 - 65535.
Weight - Select this option to enable the assignment of a weighted priority to the aggregate route. The range is 1 - 4,294,967,295.

10 Set the following Set Rule Experimental Feature settings:
Route Target Community - Enter a 254 character maximum route target community name.
Site of Origin Community - Enter a 254 character maximum origin community associated with the route reflector.

11 Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.

7.7.1 IP Access List

BGP peers and route maps can reference a single IP based access list. Apply IP access lists to both inbound and outbound route updates. Every route update is passed through the access list. BGP applies each rule in the access list in the order it appears in the list. When a route matches a rule, the decision to permit or deny the route is applied and no further rules are processed.

To define an IP access list:
1 Select Configuration > Network > BGP. Expand the BGP menu to display its submenu options.
2 Select IP Access List.
3 Select Add to create a new IP access list, Edit to modify the attributes of a selected list or Delete to remove an obsolete list. Existing policies can be copied or renamed as needed.

Figure 7-24 Network BGP IP Access List screen

4 Set the following IP Access List settings:
Figure 7-25 Network BGP IP Access List Name screen

IP Prefix - Provide the IP address used to define the prefix list rule.
Access - Use the drop-down menu to Permit or Deny requests for network access originating from IP addresses with the IP prefix. The default setting is deny.
Exact Match - Check to require an exact match for the IP prefix before access is granted. Permit and deny apply only when there is an exact match between the regular expression and the autonomous system path. This setting is disabled by default.

5 Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.

7.7.2 AS Path List

BGP uses a routing algorithm to exchange network reachability information with other BGP supported devices. Network availability and reachability information is exchanged between BGP peers in routing updates. This information contains a network number, path specific attributes and the list of autonomous system numbers a route transits to reach a destination. This list is contained in the AS path. BGP prevents routing loops by rejecting any routing update that contains the local aut­onomous system number, as this indicates the route has already traveled through that autonomous system and a loop would be created.

BGP's routing algorithm is a combination of a distance vector routing algorithm and AS path loop detection. The AS path contains a set of numbers for passing routing information. A BGP supported device adds its own autonomous system number to the list when it forwards an update message to external peers.

To define an AS path list:
1 Select Configuration > Network > BGP. Expand the BGP menu to display its submenu options.
2 Select AS Path List.
3 Select Add to create a new AS path list or Edit to modify the attributes of a selected path list. Existing policies can be copied or renamed as needed.

Figure 7-26 Network BGP AS Path List screen

Figure 7-27 Network BGP AS Path List Name screen

4 Set the following AS Path List settings:
Regular Expression - Provide a 64 character maximum regular expression unique to the AS path list rule. Regular expressions are used to specify patterns to match community attributes.
Allow - Use the drop-down menu to Permit or Deny requests for network access using the defined AS path list. The default setting is deny.

5 Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.

7.7.3 IP Prefix List

IP prefix lists are a convenient way to filter networks in BGP supported networks. IP prefix lists work similarly to access lists. A prefix list contains ordered entries processed sequentially. Like access lists, the evaluation of a prefix against a prefix list ends as soon as a match is found. To restrict the routing information advertised, use filters consisting of an IP prefix list applied to updates both to and from neighbors.

To define an IP prefix list:
1 Select Configuration > Network > BGP. Expand the BGP menu to display its submenu options.
2 Select IP Prefix List.
3 Select Add to create a new IP prefix list or Edit to modify the attributes of a selected list. Existing policies can be copied or renamed as needed.

Figure 7-28 Network BGP IP Profile List screen

4 Define the following IP Prefix List settings:
Figure 7-29 Network BGP IP Prefix List Name screen

Sequence - Supply a sequence number to determine the prefix utilization order for existing lists.
IP Prefix - Set the IP prefix used as a prefix list rule.
Greater Than - Specify a greater than or equal to value for an IP prefix range.
Less Than - Specify a less than or equal to value for an IP prefix range.
Allow - Use the drop-down menu to set a Permit or Deny designation for the rule configuration.

5 Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.

7.7.4 Community List

A BGP community is a group of routes sharing a common attribute. The BGP community list enables an administrator to assign names to community lists and increases the number of community lists that can be configured. A community list can be configured with regular expressions and numbered community lists. All the rules in numbered communities apply to named community lists, except that there is no limitation on the number of community attributes configurable for a named community list.

To define a BGP community list:
1 Select Configuration > Network > BGP. Expand the BGP menu to display its submenu options.
2 Select Community List.
3 Select Add to create a new community list or Edit to modify the attributes of a selected list. Existing lists can be copied or renamed as needed.

Figure 7-30 Network BGP Community List screen

Figure 7-31 Network BGP Community List Name screen

4 Define whether the list is Standard or Expanded. Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies patterns to match the attributes of different communities.
5 Set the following Community List settings:
Community Id - Provide a community ID unique to this particular rule. The following are available:
  internet - Advertises this route to the Internet. This is a global community.
  local-AS - Prevents the transmission of packets outside the local AS.
  no-advertise - Do not advertise this route to any peer, either internal or external.
  no-export - Do not advertise to BGP peers, keeping this route within an AS.
  aa:nn - The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number.
Allow - Use the drop-down menu to Permit or Deny requests for the community ID. The default setting is deny.

6 Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.

7.7.5 External Community List

A BGP external community is a group of routes sharing a common attribute, regardless of their network or physical boundary. By using a BGP community attribute, routing policies can implement inbound or outbound route filters based on a community tag, rather than a long list of individual permit or deny rules. A BGP community list is used to create groups of communities to use in a match clause of a route map. An external community list can be used to control which routes are accepted, preferred, distributed or advertised.

To define a BGP external community list:
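The first-match prefix list evaluation with Sequence, Greater Than and Less Than (7.7.3), community list matching with and without Exact Match (7.7.4) and route map permit/deny entries with Match Rule and Set Rule clauses (7.7), worked through in one added Python example. This is not code from the guide or from WiNG: the route map semantics (first matching entry decides, a route matching no entry is dropped), the list contents, prefixes and community values are all constructed assumptions.

```python
# Added example (not from the WiNG guide): evaluator for the IP prefix list
# (7.7.3), community list (7.7.4) and route map (7.7) semantics described above.
import copy
import ipaddress
import re
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str                 # "10.20.0.0/16"
    communities: set            # "65000:100", "no-export", ...
    local_preference: int = 100
@dataclass
class PrefixEntry:              # one IP Prefix List row
    seq: int
    prefix: str
    permit: bool
    ge: int = None              # Greater Than: minimum prefix length
    le: int = None              # Less Than: maximum prefix length

def prefix_list_permits(entries, prefix):
    # Rows are tried in Sequence order and the first match decides.  A row matches
    # when the route lies inside its prefix and the route length is within ge/le
    # (exact length when neither is set).  No match at all means deny.
    net = ipaddress.ip_network(prefix)
    for e in sorted(entries, key=lambda x: x.seq):
        cover = ipaddress.ip_network(e.prefix)
        if not net.subnet_of(cover):
            continue
        low = cover.prefixlen if e.ge is None else e.ge
        high = e.le if e.le is not None else (
            cover.max_prefixlen if e.ge is not None else cover.prefixlen)
        if low <= net.prefixlen <= high:
            return e.permit
    return False
@dataclass
class CommunityEntry:           # one Community List row
    value: str                  # Standard: aa:nn or a well-known name; Expanded: a regex
    permit: bool
    expanded: bool = False

def community_list_permits(entries, communities, exact=False):
    # Without Exact Match the first row matching any route community decides;
    # with Exact Match the route's community set must equal the permit values.
    if exact:
        return {e.value for e in entries if e.permit and not e.expanded} == set(communities)
    for e in entries:
        for c in communities:
            if re.search(e.value, c) if e.expanded else e.value == c:
                return e.permit
    return False
@dataclass
class RouteMapEntry:            # a permit/deny entry with Match Rule and Set Rule clauses
    permit: bool
    match_prefix_list: list = None
    match_community_list: list = None
    community_exact: bool = False
    set_local_preference: int = None
    set_community: str = None

def apply_route_map(entries, route):
    # The first entry whose match clauses all succeed decides: permit returns a
    # copy with the set clauses applied, deny returns None.  A route matching no
    # entry is also dropped, hence the catch-all permit at the end of ROUTE_MAP.
    for e in entries:
        if e.match_prefix_list is not None and not prefix_list_permits(
                e.match_prefix_list, route.prefix):
            continue
        if e.match_community_list is not None and not community_list_permits(
                e.match_community_list, route.communities, e.community_exact):
            continue
        if not e.permit:
            return None
        out = copy.deepcopy(route)
        if e.set_local_preference is not None:
            out.local_preference = e.set_local_preference
        if e.set_community is not None:
            out.communities.add(e.set_community)
        return out
    return None
# Constructed policy: drop routes carrying no-export, prefer and tag /16-/24
# routes inside 10.0.0.0/8, and pass everything else through unchanged.
NO_EXPORT = [CommunityEntry("no-export", True)]
CUSTOMER_PREFIXES = [PrefixEntry(5, "10.0.0.0/8", True, ge=16, le=24)]
ROUTE_MAP = [
    RouteMapEntry(False, match_community_list=NO_EXPORT),
    RouteMapEntry(True, match_prefix_list=CUSTOMER_PREFIXES,
                  set_local_preference=200, set_community="65000:100"),
    RouteMapEntry(True),
]
ROUTES = [
    Route("10.20.0.0/16", set()),                 # tagged and preferred
    Route("10.20.5.0/25", set()),                 # /25 exceeds le 24: catch-all
    Route("192.0.2.0/24", {"no-export"}),         # denied by entry 1
    Route("10.0.0.0/8", {"65000:200"}),           # /8 is below ge 16: catch-all
]

def run_policy(routes=ROUTES):
    # Returns {prefix: "deny" | Route} for each inbound route.
    return {r.prefix: (apply_route_map(ROUTE_MAP, r) or "deny") for r in routes}
```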
1 Select Configuration > Network > BGP. Expand the BGP menu to display its submenu options.
2 Select External Community List.

Figure 7-32 Network BGP External Community List screen

3 Select Add to create a new external community list, Edit to modify the attributes of a selected list or Delete to remove an obsolete list from those available. Existing lists can be copied or renamed as needed.

Figure 7-33 Network BGP External Community List Name screen

4 Define whether the list is Standard or Expanded. Standard community lists specify known communities and community numbers. Expanded community lists filter communities using a regular expression that specifies patterns to match the attributes of different communities.
5 Set the following based on the Standard or Expanded option selected:
Community Id - If selecting Standard, enter a numeric community ID unique to this particular rule. If selecting Expanded, enter a regular expression unique to this particular rule.
Allow - Use the drop-down menu to Permit or Deny requests for the external community ID. The default setting is deny.

6 Click OK to save the changes, Reset to revert to the last saved configuration or Exit to close the screen.

7.8 Alias

With large deployments, the configuration of remote sites uses a set of shared attributes, of which only a small set is unique to each location. For such deployments, maintaining a separate configuration (WLANs, profiles, policies and ACLs) for each remote site is complex. Migrating a global change to a particular configuration item to all the remote sites is a complex and time consuming operation, and this practice does not scale gracefully for quickly growing deployments.

An alias enables an administrator to define a configuration item, such as a hostname, as an alias once and use the defined alias across different configuration items such as multiple ACLs. Once a configuration item, such as an ACL, is used across remote locations, the alias used in the configuration item (ACL) is modified to meet the local deployment requirement. Any other ACL or other configuration item using the modified alias is also modified, simplifying maintenance at the remote deployment.

Aliases have a scope depending on where the alias is defined. Aliases are defined with the following scopes:
Global aliases are defined from the Configuration > Network > Alias screen. Global aliases are available for use globally across all devices, profiles and RF Domains in the system.
Profile aliases are defined from the Configuration > Devices > System Profile > Network > Alias screen. Profile aliases are available for use by a specific group of wireless controllers or Access Points. Alias values defined in a profile override the alias values defined within global aliases.
RF Domain aliases are defined from the Configuration > Devices > RF Domain > Alias screen. RF Domain aliases are available for use at a site, as an RF Domain is site specific. RF Domain alias values override alias values defined in a global alias or a profile alias configuration.
Device aliases are defined from the Configuration > Devices > Device Overrides > Network > Alias screen. Device aliases are used by a single device only. Device alias values override global, profile or RF Domain alias configurations.

Using an alias, configuration changes made at a remote location override any updates at the management center. For example, if a network alias defines a network range as 192.168.10.0/24 for the entire network, and at a remote deployment location the local network range is 172.16.10.0/24, the network alias can be overridden at the deployment location to suit the local requirement. For the remote deployment location, the network alias works with the 172.16.10.0/24 network. Existing ACLs using this network alias need not be modified and will work with the local network for the deployment location. This simplifies ACL definition and management while taking care of specific local deployment requirements.

For more information, refer to the following:
Network Basic Alias
Network Group Alias
Network Service Alias

7.8.1 Network Basic Alias

A basic alias is a set of configurations consisting of VLAN, Host, Network and Address Range alias configurations. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device's IP address. A network alias configuration is used for an IP address on a particular network. An address range alias is a configuration for a range of IP addresses.

To set a network basic alias configuration:
1 Select Configuration > Network from the Web UI.
2 Select Alias from the Network menu options on the left-hand side of the UI. The Alias screen displays with the Basic Alias tab displayed by default.
3 Select + Add Row to define VLAN Alias settings:
Figure 7-34 Basic Alias screen

Use the Vlan Alias field to create unique aliases for VLANs that can be used at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but uses the name defined at the central network. A new VLAN need not be created specifically at the remote location.

Name - If adding a new VLAN Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Vlan - Use the spinner control to set a numeric VLAN from 1 - 4094.

4 Select + Add Row to define Address Range Alias settings:
Use the Address Range Alias field to create aliases for IP address ranges that can be used at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location's network range is 172.16.13.20 through 172.16.13.110, the remote location's ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.

Name - If adding a new Address Range Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Start IP - Set the starting IP address of the range of addresses used with the address range alias.
End IP - Set the ending IP address of the range of addresses used with the address range alias.

5 Select + Add Row to define String Alias settings:
Use the String Alias field to create aliases for hosts that can be used at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.

You can also use a string alias to configure the Bonjour Service instance name. Once configured, use the string alias in the Bonjour Gateway Discovery Policy context to specify the Bonjour service instance name to be used as the match criteria. For more information, see Configuring a Bonjour Discovery Policy.

Name - If adding a new String Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Value - Provide a string value to use in the alias.

6 Select + Add Row to define Host Alias settings:
Use the Host Alias field to create aliases for hosts that can be used at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location's local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.

Name - If adding a new Host Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Host - Set the IP address of the host machine.

7 Select + Add Row to define Network Alias settings:
Use the Network Alias field to create aliases for IP networks that can be used at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location's network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit the local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.

Name - If adding a new Network Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Network - Provide a network address in the form of host/mask.

8 Select OK when completed to update the set of basic alias rules. Select Reset to revert the screen back to its last saved configuration.

7.8.2 Network Group Alias

A network group alias is a set of configurations consisting of host and network configurations. Network configurations are complete networks in the form of 192.168.10.0/24 or an IP address range in the form of 192.168.10.10-192.168.10.20. Host configurations are in the form of a single IP address, 192.168.10.23. A network group alias can contain multiple definitions for a host, network and IP address range. A maximum of eight (8) host entries, eight (8) network entries and eight (8) IP address range entries can be configured inside a network group alias. A maximum of 32 network group alias entries can be created.

To set a network group alias configuration:
1 Select Configuration > Network from the Web UI.
2 Select Alias from the Network menu options on the left-hand side of the UI.
3 Select the Network Group Alias tab. The screen displays existing network group alias configurations.

Figure 7-35 Network Group Alias screen

Name - Displays the administrator assigned name used with the network group alias.
Host - Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined.
Network - Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined.

4 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
5 Select the added row to expand it into configurable parameters for defining the network alias rule.

Figure 7-36 Network Group Alias Add screen

6 If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($).
7 Define the following network alias parameters:
Host - Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table.
Network - Specify the netmask for up to eight IP addresses supporting network aliasing. Subnets can improve network security and performance by organizing hosts into logical groups. Applying the subnet mask to an IP address separates the address into a host address and an extended network address. Select the down arrow to add the mask to the table.

8 Within the Range table, use the + Add Row button to specify the Start IP address and End IP address for the alias range, or double-click on an existing alias range entry to edit it.
9 Select OK when completed to update the network alias rules. Select Reset to revert the screen back to its last saved configuration.

7.8.3 Network Service Alias

A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias. Use a service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node.

To define a service alias configuration:
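The alias scope precedence described under 7.8 (device over RF Domain over profile over global) and the per-kind limit of eight entries in a network group alias (7.8.2), as an added Python example that is not part of the guide or of WiNG. The alias names, the RF Domain and device names, the addresses and the ACL text are constructed, the allowed alias character set is an assumption, and the resolver is this example's model of the override order rather than the product's code.

```python
# Added example (not from the WiNG guide): resolves aliases with the 7.8 scope
# precedence (device overrides RF Domain, which overrides profile, which
# overrides global), builds a 7.8.2 network group alias within the documented
# per-kind limit of eight entries, and tests addresses against it.  All names,
# owners and addresses below are constructed.
import ipaddress
import re

SCOPES = ("global", "profile", "rf_domain", "device")  # lowest to highest precedence
MAX_PER_KIND = 8          # hosts, networks and ranges per network group alias (7.8.2)

def validate_alias_name(name):
    # Names start with a dollar sign and are at most 32 characters; the allowed
    # character set and counting the $ within the 32 are assumptions here.
    if not re.fullmatch(r"\$[A-Za-z0-9_-]{1,31}", name):
        raise ValueError("bad alias name %r" % name)
    return name

class AliasStore:
    # definitions[scope][owner][alias] = value; the global scope's owner is None.
    def __init__(self):
        self.definitions = {scope: {} for scope in SCOPES}

    def define(self, scope, alias, value, owner=None):
        validate_alias_name(alias)
        self.definitions[scope].setdefault(owner, {})[alias] = value

    def resolve(self, alias, device=None, rf_domain=None, profile=None):
        # Walk from the most specific scope down to global; the first
        # definition found wins, mirroring the override order in 7.8.
        owners = {"device": device, "rf_domain": rf_domain,
                  "profile": profile, "global": None}
        for scope in reversed(SCOPES):
            table = self.definitions[scope].get(owners[scope], {})
            if alias in table:
                return table[alias], scope
        raise KeyError("alias %s is not defined in any scope" % alias)

    def expand(self, text, **where):
        # Replace every $alias token in an ACL rule with its value at `where`.
        return re.sub(r"\$[A-Za-z0-9_-]+",
                      lambda m: self.resolve(m.group(0), **where)[0], text)

def network_group(name, hosts=(), networks=(), ranges=()):
    # Build a network group alias, enforcing the limit of eight entries per
    # kind and parsing every entry so that bad input fails at definition time.
    validate_alias_name(name)
    for kind, items in (("host", hosts), ("network", networks), ("range", ranges)):
        if len(items) > MAX_PER_KIND:
            raise ValueError("%s: more than %d %s entries" % (name, MAX_PER_KIND, kind))
    parsed_ranges = []
    for r in ranges:                       # "start-end", as in 192.168.10.10-192.168.10.20
        start, end = (ipaddress.ip_address(x) for x in r.split("-"))
        if start > end:
            raise ValueError("range %s runs backwards" % r)
        parsed_ranges.append((start, end))
    return {"name": name,
            "hosts": [ipaddress.ip_address(h) for h in hosts],
            "networks": [ipaddress.ip_network(n) for n in networks],
            "ranges": parsed_ranges}

def group_contains(group, ip):
    # True if ip is one of the group's hosts, lies inside one of its networks
    # or falls within one of its start-end ranges.
    ip = ipaddress.ip_address(ip)
    return (ip in group["hosts"]
            or any(ip in net for net in group["networks"])
            or any(lo <= ip <= hi for lo, hi in group["ranges"]))

def build_store():
    # The 7.8 example: $HQ_NET is 192.168.10.0/24 for the whole network, and
    # the RF Domain "site-b" overrides it with its local 172.16.10.0/24.  One
    # access point at that site also overrides the DNS host alias.
    store = AliasStore()
    store.define("global", "$HQ_NET", "192.168.10.0/24")
    store.define("global", "$DNS_SRV", "192.168.10.53")
    store.define("rf_domain", "$HQ_NET", "172.16.10.0/24", owner="site-b")
    store.define("device", "$DNS_SRV", "172.16.10.2", owner="ap-site-b-01")
    return store

def site_rules(store, rule="permit ip $HQ_NET host $DNS_SRV"):
    # The same (constructed) ACL text, expanded at headquarters and at the
    # remote site; the ACL never changes, only the alias values behind it.
    return {"hq": store.expand(rule),
            "site-b": store.expand(rule, rf_domain="site-b", device="ap-site-b-01")}

SITE_B_CLIENTS = network_group("$SITE_B_CLIENTS",
                               hosts=["172.16.10.2"],
                               networks=["172.16.20.0/24"],
                               ranges=["172.16.13.20-172.16.13.110"])
```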
1 Select Configuration > Network from the Web UI.
2 Select Alias from the Network menu options on the left-hand side of the UI.
3 Select the Network Service Alias tab. The screen displays existing network service alias configurations.

Figure 7-37 Network Service Alias screen

4 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
5 Select the added row to expand it into configurable parameters for defining the service alias rule.

Figure 7-38 Network Service Alias Add screen

6 If adding a new Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name.
7 Select + Add Row and provide the following configuration parameters:
Protocol - Specify the protocol for which the alias has to be created. Use the drop-down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed. When a protocol is selected, its protocol number is automatically selected.
Source Port (Low and High) - This field is only relevant if the protocol is either tcp or udp. Specify the source ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
Destination Port (Low and High) - This field is only relevant if the protocol is either tcp or udp. Specify the destination ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.

8 Within the Range field, use the + Add Row button to specify the Start IP address and End IP address for the service alias range, or double-click on an existing service alias range entry to edit it.
9 Select OK when completed to update the service alias rules. Select Reset to revert the screen back to its last saved configuration.

7.9 Application Policy

When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized applications (for example, Facebook) or application categories (for example, social-networking). The following are the rules/actions that can be applied in an application policy:
Allow - Allow packets for a specific application or application category.
Deny - Deny packets for a specific application or application category.
Mark - Mark packets with a DSCP/802.1p value for a specific application or application category.
Rate-limit - Rate limit packets from specific application types.

For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when wanting to deny packets for a category, but wanting to allow a few applications in the same category to proceed. In such cases, add an allow rule for those applications with a higher precedence than the deny rule for that category. Mark actions mark packets for a recognized application and category with DSCP/802.1p values used for QoS. Rate-limits create a rate-limiter applied to packets recognized for an application and category. Ingress and egress rates need to be specified for the rate-limiter, but both are not required. Mark and rate-limit are the only two actions that can be combined for an application and category. All other combinations are invalid.

To define an application policy configuration:
Wireless Controller and Service Platform System Reference Guide 7 - 54 Network Configuration

1 Select Configuration > Network > Application Policy.

The screen lists the application policy configurations defined thus far.

Figure 7-39 Application Policy screen

2 Refer to the following to determine whether a new application policy requires creation, modification or deletion:

Name: Lists the 32 character maximum name assigned to each listed application policy, designated upon creation.
Description: Displays the 80 character maximum description assigned to each listed application policy, as a means of further distinguishing policies with similar configurations.

3 Select Add to create a new application policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available. Existing policies can be copied or renamed as needed.

Figure 7-40 Application Policy Add/Edit screen

4 If creating a new application policy, assign it a Name up to 32 characters.

5 Provide this application policy an 80 character maximum Description to highlight its application and category filters and differentiate it from other policies with similar configurations.

6 Define the following Application Policy Logging options to enable and filter logging for application specific packet flows:
Enable Logging: Enables the log functionality, where each new flow is shown with the corresponding matched application, the action taken and the policy name. When enabled, logging just shows what applications are getting recognized.
Logging Level: Select this option to log application events by severity. Severity levels include Emergency, Alert, Critical, Errors, Warning, Notification, Information and Debug. The default logging level is Notification.

7 Refer to the Application Policy Enforcement Time table to configure time periods for policy activation for each policy. Select + Add Row to populate the table with an enforcement time configuration to activate application policies based on the current local time. The option to configure a time activation period is applicable for a single application policy. Configure the days and time period when the application policy is enforced. If no time enforcement configuration is set, the policy is continually in effect without restriction.

8 Refer to the Application Policy Rules table to assess existing policy rules, their precedence (implementation priority), their actions (allow, deny etc.), application category and schedule policy enforcement restrictions.

9 Select + Add Row to launch a screen to create a new policy rule.

10 Assign the following attributes to the new application rule policy:

Figure 7-41 Application Policy, Add Rule screen

Precedence: Set the priority (from 1 - 256) for the application policy rule. The lower the value, the higher the priority assigned to this rule's enforcement action and the category and application assigned. A precedence also helps resolve conflicting rules for applications and categories.
Action: Set the action executed on the selected application category and application. The default setting is Allow.
Application: From the App-Category table, select the category for which the application rule applies. Selecting All auto-selects All within the Application table. Select All from the Application table to list all application category statistics, or specify a particular category name to display its statistics only.

11 Use the Schedule Policy drop-down menu to select an existing schedule policy to strategically enforce application filter policy rules for specific intervals. This provides stricter, time and schedule based, access or restriction to specific applications and their parent categories. If an existing policy does not meet requirements, either select the Create icon to configure a new policy or the Edit icon to modify an existing policy. For more information on configuring schedule policies, see Schedule Policy on page 7-62.

Select OK to save the updates to the application policy. Select Reset to revert to the last saved configuration.

7.10 Application

Use the Application screen to create custom application configurations. To create a user-defined application:
1 Select Configuration > Network > Application. The screen lists the application configurations defined thus far.

Figure 7-42 Application screen

2 Refer to the following to determine whether an application requires creation, modification or deletion:

Name: Displays the name of each user-defined application created using this application interface.
Category: Lists the category to which each listed user-defined application belongs.
Application Description: Lists the 80 character maximum description administratively assigned to each listed user-defined application.

3 Select Add to create a new application configuration, Edit to modify the attributes of a selected application or Delete to remove obsolete applications from the list of those available.

Figure 7-43 Application Policy Add screen

4 If creating a new user-defined application type, assign it a Name up to 32 characters. Ensure you do not create confusion by naming a user-defined application with the same name as an existing application appearing in the Application Policy screen.

5 Provide an 80 character maximum Application Description to each new user-defined application to further differentiate it from existing applications.

6 Refer to the Application Definition field to assign either a network service alias, pre-defined URL list or set of HTTPS parameters to the user-defined application.

Network Service: Use the drop-down menu to select an existing network service alias for the user-defined application. If there is no existing network service alias suited to this new user-defined application, select the Create icon to define a new alias or the Edit icon to modify an existing one. Provide or modify a 32 character maximum name, along with a protocol type or number and source and destination port value. Up to four service aliases can be supported.
URL List: Use the drop-down menu to select a pre-defined URL list to apply to the user-defined application. URL lists are utilized for whitelisting and blacklisting Web application URLs from being launched and consuming bandwidth within the WiNG managed network. If there is no URL list suited to this new user-defined application, select the Create icon to define a new list or the Edit icon to modify an existing URL list.
HTTPS: Select the + Add Row button to populate the table with configurable rows for HTTPS parameter type, attribute type, match criteria for the HTTPS server name and 64 character maximum server name attribute used in the HTTPS server message exchange.

7 Select OK to save the updates to the user-defined application configuration. Select Reset to revert to the last saved configuration.

7.11 Application Group

An application group is a heterogeneous, user-defined collection of system-provided and/or user-defined applications and application categories. It consists of multiple applications grouped together to form a collection. Use this option to review/edit existing application groups and create new application groups. To review an application group:
1 Select Configuration > Network > Application Group.

Figure 7-44 Application Group screen

The screen lists the existing application group configurations. You can edit an existing application group or create a new application group.

2 Refer to the following to determine whether an application group requires creation, modification or deletion:

Name: Displays the name of each user-defined application group.
Description: Displays the description assigned to each listed user-defined application group.

3 Select Add to create a new application group configuration, Edit to modify the attributes of a selected application group or Delete to remove obsolete application groups from the list of those available.

Figure 7-45 Application Group Add screen

4 If creating a new application group, assign a Name not exceeding 32 characters in length. Ensure that the name uniquely differentiates it from existing application groups.

5 Provide an 80 character maximum Description to further differentiate the new group from existing application groups.

6 Refer to the All Applications field. This field lists the available applications, both system-provided and user-defined. The WiNG software has 299 built-in applications, in addition to the user-defined ones. To facilitate your search, enter a string value in the Enter Application name to search field. Based on the search string provided, the All Applications list is updated to display applications containing the specified string.

7 Select the applications to be included in the application group and move them to the Selected Applications list.

8 Select OK to save the updates to the application group configuration. Select Reset to revert to the last saved configuration.

7.12 Schedule Policy

Define schedule policies to strategically enforce application filter policy rules for specific intervals. This provides stricter, time and schedule based, access or restriction to specific applications and their parent categories. To review existing schedule policies and assess whether new ones require creation or modification:
1 Select Configuration > Network > Schedule Policy.

2 Select Add to create a new schedule policy time rule, or select an existing policy then Edit to modify the duration of an existing time rule. Schedule policies can be Deleted as they become obsolete. Copy or Rename a schedule policy as needed.

Figure 7-46 Schedule Policy screen

Figure 7-47 Schedule Policy Add/Edit screen

3 If creating a new schedule policy time rule configuration, enter a 32 character maximum Name relevant to its specific permissions objective.

4 Provide this schedule policy an 80 character maximum Description to differentiate it from other policies with similar time rule configurations.

5 Define the following Time Rule settings:

Days: Use the drop-down menu to select a day of the week to apply this schedule policy time rule. Selecting All applies the schedule policy every day (no enforcement rule restrictions). Selecting weekends applies the policy on Saturdays and Sundays only. Selecting weekdays applies the policy on Monday, Tuesday, Wednesday, Thursday and Friday only. Selecting an individual day of the week applies the policy on just that day.
Start Time: Set the start time when the schedule policy time rule applies. Use the spinner controls to select the hour and minute, in a 12h time format. Then use the radio button to choose AM or PM.
End Time: Set the ending time when the time rule is no longer enforced. Use the spinner controls to select the hour and minute, in a 12h time format. Then use the radio button to choose AM or PM.

6 Select OK to save the updates to the schedule policy time rule configuration. Select Reset to revert to the last saved configuration.

7.13 URL Filtering

A URL filter is a Web content filter. A URL filter is comprised of several filter rules. To construct a filter rule, either whitelist or blacklist a filter level, category type, category or a custom category. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist. To review existing URL filter rules and assess whether new ones require creation or modification:
1 Select Configuration > Network > URL Filter.

2 Select Add to create a new URL filter rule configuration, or select an existing configuration then Edit to modify the attributes of an existing rule. Obsolete rules can be selected and Deleted as required.

Figure 7-48 URL Filter screen

Figure 7-49 URL Filter - Web Filter Rules tab

3 If creating a new URL filter rule, enter a 32 character maximum Name relevant to its filtering objective and select Continue.

4 Select Add to create a new Web filter rule configuration, or select an existing configuration then Edit to modify the attributes of an existing Web filter rule.

5 Define the following Web Filter Rule settings:

Figure 7-50 URL Filter - Add/Edit Web Filter Rules

Precedence: Set a precedence (priority) from 1 - 500 for the filter rule's utilization versus other Web filter rules. 1 is the highest priority and 500 the lowest.
Method: Select either Whitelist or Blacklist to specify whether the rule is for inclusion or exclusion. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
Filter Type: If the Filter Type is set to category, use the drop-down menu to select from a list of predefined categories to align with the whitelist or blacklist Method designation and the precedence assigned.
Category: A category is a pre-defined URL list available in the WiNG software. If category is selected as the Filter Type, the Category drop-down menu becomes enabled for the selection of an existing URL type to whitelist or blacklist. Categories are based on an external database, and cannot be modified or removed. Custom categories can be created with the URL List and added to the database.
Category Type: When category_type is selected as the Filter Type, select an existing category type (adult-content, security-risk etc.) and either blacklist or whitelist the URLs in that category type. There are 12 category types available.
Level: Basic, Low, Medium, Medium-High and High filter levels are available. Each level is pre-configured to use a set of category types. The user cannot change the categories in the category types used for these pre-configured filter-level settings, nor add/modify/remove the category types mapped to the filter-level setting.
URL List: URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories.
Description: Enter an 80 character maximum description for this Web filter rule to help differentiate it from others with similar category include or exclude rule configurations.

6 Select OK to save the changes to the Web Filter Rule. Select Exit to close the screen without saving the updates.

7 Select the URL Error Page tab to define the configuration and layout of a URL error page launched when a Web filter rule is invoked and an error page needs to be displayed to a user instead of their expected Web page.

8 Set the following URL Error Page display properties:
Figure 7-51 URL Filter screen - URL Error Page

Name: Provide a 32 character maximum name for the title of the blocking page. The name should help convey that this page is launched to prevent the client's requested page from displaying.
Description: Provide an 80 character maximum description of the page to help differentiate it from other pages with similar page restriction properties.
Page Path: Set the path to the page sent back to the client browser explaining the reason for blocking the client's requested URL. It can be generated internally at the time the page is sent, or be a URL to an External Web server if the administrator chooses to utilize a customized page. The default setting is Internal, requiring the administrator to define the page configuration within the fields in the Internal Page Configuration portion of the screen.
External Page URL: If External is selected as the Page Path, provide a 511 character maximum External Page URL used as the Web link designation of the externally hosted blocking page.
Internal Page Title: Either enter a 255 character maximum title for the URL blocking page or use the existing default text (This URL may have been filtered).
Internal Page Header: Either enter a 255 character maximum header for the top of the URL blocking page or use the existing default text (The requested URL could not be retrieved).
Internal Page Content: Enter a 255 character maximum set of text used as the main body (middle portion) of the blocking page. Optionally use the default message (The site you have attempted to reach may be considered inappropriate for access).
Internal Page Footer: Either enter a 255 character maximum footer for the bottom of the URL blocking page or use the existing default text (If you have any questions contact your IT department).
Internal Page Org Name: Enter a 255 character maximum organizational name responsible for the URL blocking page. The default organizational name (Your Organizational Name) is not very practical, and is just a guideline for customization.
Internal Page Org Structure: Enter a 255 character maximum organizational signature responsible for the URL blocking page. The default organizational signature (Your Organizational Name, All Rights Reserved) is not very practical, and is just a guideline for customization.
Internal Page Logo 1: Provide the location and filename of a small graphic image displayed in the blocking page.
Internal Page Logo 2: Provide the location and filename of a main graphic image displayed in the blocking page.

9 Select OK to save the updates to the URL filter configuration. Select Reset to revert to the last saved configuration.

7.14 Web Filtering

A Web filter policy is a means of managing the number of records and the time cached URLs are retained. A policy also determines whether to filter access to a cached URL when a categorization server is unreachable or unable to classify request types. To review existing Web filter policies and assess whether new ones require creation, modification or deletion:
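The whitelist/blacklist precedence semantics from 7.13 together with the cache retention and fail-open settings of this Web filter policy, as an added Python example rather than WiNG code. The categorization server is a constructed in-memory table; the evaluation order (first matching rule by precedence), the default block when only whitelist rules exist, and the 3600 second cache lifetime are assumptions of the example. It shows why the two settings that read "Access is allowed by default" matter: with the defaults, a categorization-server outage lets every uncached URL through, while setting them to block fails closed.

```python
"""Web filter rules plus the Web filter policy cache and its
unreachable-server / uncategorized-URL handling (added example, not WiNG code)."""
from collections import OrderedDict
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class WebFilterRule:
    precedence: int      # 1 = highest priority, 500 = lowest
    method: str          # "whitelist" or "blacklist"
    filter_type: str     # "category", "category_type" or "url_list"
    value: str           # category, category type or URL list name


@dataclass
class WebFilterPolicy:
    max_cached_records: int = 100_000   # guide default
    cache_ttl_seconds: int = 3600       # assumed; the guide allows 0-86,400
    unreachable_server: str = "pass"    # guide default: fail open
    uncategorized_url: str = "pass"     # guide default: fail open


class Categorizer:
    """Stand-in for the external categorization server (constructed data)."""

    def __init__(self, table: dict, reachable: bool = True):
        self.table, self.reachable = table, reachable   # host -> (category, category_type)

    def lookup(self, host: str):
        if not self.reachable:
            raise ConnectionError("categorization server unreachable")
        return self.table.get(host)                      # None = uncategorized


class UrlFilter:
    def __init__(self, rules, policy: WebFilterPolicy, server: Categorizer, url_lists=None):
        self.rules = sorted(rules, key=lambda r: r.precedence)
        self.policy, self.server = policy, server
        self.url_lists = url_lists or {}                 # list name -> set of hosts
        self.cache = OrderedDict()                       # host -> (category, type, expires)

    def categorize(self, host: str, now: float):
        """Return (category, category_type) from cache or the server; None if unknown."""
        hit = self.cache.get(host)
        if hit is not None and hit[2] > now:
            return hit[0], hit[1]
        result = self.server.lookup(host)                # may raise ConnectionError
        if result is not None:
            if len(self.cache) >= self.policy.max_cached_records:
                self.cache.popitem(last=False)           # evict the oldest record
            self.cache[host] = (result[0], result[1], now + self.policy.cache_ttl_seconds)
        return result

    def _matches(self, rule: WebFilterRule, host: str, category, ctype) -> bool:
        if rule.filter_type == "url_list":
            return host in self.url_lists.get(rule.value, ())
        if rule.filter_type == "category":
            return category is not None and rule.value == category
        if rule.filter_type == "category_type":
            return ctype is not None and rule.value == ctype
        return False

    def decide(self, url: str, now: float = 0.0):
        """Return ("allow" | "block", reason) for a requested URL."""
        host = (urlsplit(url).hostname or url).lower()
        try:
            found, server_down = self.categorize(host, now), False
        except ConnectionError:
            found, server_down = None, True
        category, ctype = found if found else (None, None)
        for rule in self.rules:                          # first match by precedence wins
            if self._matches(rule, host, category, ctype):
                verdict = "allow" if rule.method == "whitelist" else "block"
                return verdict, f"rule {rule.precedence}: {rule.method} {rule.filter_type} {rule.value}"
        if server_down:
            return ("allow" if self.policy.unreachable_server == "pass" else "block",
                    "categorization server unreachable")
        if category is None:
            return ("allow" if self.policy.uncategorized_url == "pass" else "block",
                    "uncategorized URL")
        if any(r.method == "whitelist" for r in self.rules):
            return "block", "not covered by any whitelist rule"
        return "allow", "not covered by any blacklist rule"


# Constructed sample data: a tiny category database and a blacklist-style filter.
SAMPLE_DB = {
    "news.example": ("news", "general"),
    "games.example": ("games", "entertainment"),
    "bad.example": ("malware", "security-risk"),
}
SAMPLE_RULES = [
    WebFilterRule(10, "blacklist", "category_type", "security-risk"),
    WebFilterRule(30, "blacklist", "category", "games"),
]


def build_filter(policy: WebFilterPolicy = None, reachable: bool = True) -> UrlFilter:
    """Build the sample filter with the given policy (guide defaults when None)."""
    return UrlFilter(SAMPLE_RULES, policy or WebFilterPolicy(), Categorizer(SAMPLE_DB, reachable))
```

A cached entry keeps being honoured while the server is down, so the cache lifetime also bounds how long an outage is invisible to users; once entries expire, the unreachable-server setting alone decides the outcome.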
1 Select Configuration > Network > Web Filter.

2 Select Add to create a new Web filter policy, or select an existing policy and Edit to modify its attributes. Obsolete policies can be selected and Deleted as needed.

Figure 7-52 Web Filter Policy screen

Figure 7-53 Web Filter - Add/Edit

3 If creating a Web URL filter, enter a 32 character maximum Name relevant to its filtering objective and cache considerations, then select Continue.

4 Define the following Web Filtering Policy settings:

Maximum Cached Records: Set the maximum number of records (from 0 - 4,000,000) for Web content cached locally on this controller or service platform. The default setting is 100,000 records.
Time Validity for Cached URL: Set the maximum amount of time, from 0 - 86,400 seconds, a URL is valid in the controller or service platform cache. Consider the bandwidth depletion if caching a large number of records over the maximum permissible time validity.
Access to Unreachable Server: Either pass or block (filter) access to a cached URL when the categorization server is unreachable. Access is allowed by default.
Access to Uncategorized URL: Either pass or block (filter) access to a cached URL when the categorization server fails to classify a request type. Access is allowed by default.

5 Select OK to save the changes to the Web filter policy. Select Exit to close the screen without saving the updates.

7.15 EX3500 QoS Class

An EX3500 switch can have its own QoS class policy applied as specific interoperability requirements dictate between an EX3500 switch and its connected devices. The QoS class configuration specifies permitted and excluded MAC and IP addresses and the precedence upon which filter rules are applied to EX3500 switch traffic. To review existing EX3500 QoS policies and assess whether new ones require creation, modification or deletion:

1 Select Configuration > Network > EX3500 QoS Class.

Figure 7-54 EX3500 QoS Class screen

2 Select Add to create a new EX3500 QoS policy, or select an existing policy and Edit to modify its attributes. Obsolete policies can be selected and Deleted as needed. Copy a policy to duplicate an existing QoS policy or Rename them as needed.

Figure 7-55 EX3500 QoS Class screen - Add/Edit

3 If creating an EX3500 QoS policy, enter a 64 character maximum Description to help differentiate this policy's EX3500 traffic prioritization scheme.

4 Refer to the DSCP field to set the DSCP value as a 6-bit parameter in the header of every IP packet used for packet classification. The range is 0 to 63, like DSCPv6. The screen maps the 6-bit Differentiated Services Code Point (DSCP) code points to the older 3-bit IP Precedence field located in the Type of Service byte of an IP header. DSCP is a protocol for specifying and controlling network traffic by class so that certain traffic types get precedence. DSCP specifies a specific per-hop behavior that is applied to a packet. This QoS assignment can be overridden as needed, but doing so removes the device configuration from the profile that may be shared with other similar device models.

5 Use the Cos field to assign an 802.1p priority (0 - 7) as a 3-bit IP precedence value of the IP header used to set the user priority. The valid values for this field are 0 Best Effort, 1 Background, 2 Spare, 3 Excellent Effort, 4 Controlled Load, 5 Video, 6 Voice, 7 Network Control.

6 Optionally apply MAC ACL rules to EX3500 packet traffic. Use the drop-down menu to select an existing MAC ACL, select the Create icon to add a new MAC ACL rule, or select an existing MAC ACL and the Edit icon to modify its configuration.
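The DSCP, IP Precedence and CoS relationships described in steps 4 and 5, as an added Python example that is not part of this guide or the WiNG software. It decodes the Type of Service byte the way a packet capture shows it, derives the legacy 3-bit precedence from the top bits of the 6-bit DSCP, and builds the bbb000 class-selector code points that the QoS policy map later calls PHB values. Treating 802.1p CoS and IP Precedence as the same 0-7 scale (as the Cos field description does) and the ECN placement in the low two bits are assumptions of the example; the CoS names are the page's own list.

```python
"""DSCP, IP Precedence, 802.1p CoS and class-selector PHB arithmetic
(added example, not WiNG code)."""

COS_NAMES = {   # 802.1p priority names as listed for the Cos field
    0: "Best Effort", 1: "Background", 2: "Spare", 3: "Excellent Effort",
    4: "Controlled Load", 5: "Video", 6: "Voice", 7: "Network Control",
}


def _check(value: int, low: int, high: int, name: str) -> int:
    """Range-check a field the way the screen's spinners do (0-63 for DSCP, 0-7 for CoS)."""
    if not low <= value <= high:
        raise ValueError(f"{name} {value} outside {low}-{high}")
    return value


def dscp_to_precedence(dscp: int) -> int:
    """Legacy 3-bit IP Precedence = the top three bits of the 6-bit DSCP."""
    return _check(dscp, 0, 63, "DSCP") >> 3


def precedence_to_phb(precedence: int) -> int:
    """Class-selector PHB of the form bbb000 for a precedence (or CoS) value 0-7."""
    return _check(precedence, 0, 7, "precedence") << 3


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """Encode DSCP (bits 7..2) and ECN (bits 1..0) into the IP ToS byte (assumed layout)."""
    return (_check(dscp, 0, 63, "DSCP") << 2) | _check(ecn, 0, 3, "ECN")


def parse_tos_byte(tos: int) -> dict:
    """Decode a ToS byte as seen in a capture into its DSCP-related fields."""
    dscp = _check(tos, 0, 255, "ToS") >> 2
    return {
        "dscp": dscp,
        "dscp_bits": f"{dscp:06b}",
        "precedence": dscp >> 3,
        "ecn": tos & 0b11,
        "is_class_selector": (dscp & 0b111) == 0,   # bbb000 form
        "cos_equivalent": COS_NAMES[dscp >> 3],       # same 0-7 scale as 802.1p (assumption)
    }


def remark(tos: int, new_dscp: int) -> int:
    """Rewrite only the DSCP bits of a ToS byte, preserving ECN, as a
    'New IP DSCP' police action would on a forwarded packet."""
    return tos_byte(new_dscp, tos & 0b11)
```

par example, the ToS byte 0xB8 decodes to DSCP 46 (Expedited Forwarding) with precedence 5, which is the same 0-7 slot the Cos field labels Video.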
For information on creating MAC ACLs, refer to Configuring MAC Firewall Rules on page 10-15. Administrators can filter Layer 2 EX3500 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to WLAN packet traffic.

7 Optionally apply IP based Standard ACL rules to EX3500 packet traffic. A standard ACL for an EX3500 is a policy-based ACL that either prevents or allows specific clients from using the device. Select the Create icon to add a new ACL rule, or select an existing ACL and the Edit icon to modify its configuration. If creating a new standard ACL, provide a name up to 32 characters to help differentiate this rule from others with similar configurations. Select + Add Row. For more information on creating a standard ACL, see EX3500 ACL Standard on page 10-29.

8 Set the following standard ACL attributes:

Figure 7-56 EX3500 QoS Class screen - Add/Edit

Source IP Address: Set whether the permit or deny rules assigned to this ACL are applied to a Host IP address, a Network IP address and mask, or Any address.
Allow: Set the Permit or Deny action on IP packet traffic with the EX3500 switch. The default is Permit.
Time Range: Defines the period when the permit or deny rules are applied to EX3500 IP traffic.

9 Refer to the DSCPV6 field and select + Add Row to specify a DSCPV6 value from 0 - 63. DSCPv6 specifies the Differentiated Services Code Point version 6 of a classifier assigned to an interface. Use DSCPv6 for IPv6 multicast traffic support.

10 Refer to the Extended ACL field and either select an existing extended IP ACL from the drop-down menu, add a new extended IP ACL by selecting the Create icon, or modify an existing one by selecting the Edit icon. For more information on extended IP ACLs, refer to EX3500 ACL Extended on page 10-31. An extended ACL is comprised of access control entries (ACEs). Each ACE specifies a source and destination for matching and filtering traffic to the EX3500 switch.

Figure 7-57 EX3500 QoS Class - Extended ACL

Name: If creating a new extended ACL, provide a 32 character maximum name for this extended ACL to differentiate its EX3500 traffic filtering configuration.
Precedence: Specify or modify a precedence for this IP policy between 1-128. Rules with lower precedence are always applied to packets first. If modifying a precedence to apply a higher integer, it will move down the table to reflect its lower priority.
Source: Determine whether filtered packet sources for this IP firewall rule do not require any classification (any), are set as a numeric IP address (host) or apply to any.
Destination: Determine whether filtered packet destinations for this IP firewall rule do not require any classification (any), are set as a numeric IP address (host) or apply to any.
Action: Every rule is made up of matching criteria rules. The action defines the packet's disposition if it matches the specified criteria. The following actions are supported:
  Deny - Instructs the ACL to restrict a packet from proceeding to its destination when filter conditions are matched.
  Allow - Instructs the ACL to allow a packet to proceed to its destination when filter conditions are matched.
Time Range: Lists the time range when each listed ACL is enabled. An EX3500 Time Range is a set of configurations consisting of periodic and absolute time ranges. Periodic ranges can be configured to recur based on a periodicity such as daily, weekly, weekends, weekdays or a specific week day such as Sunday. Absolute time ranges can be configured to a range of days during a particular period. Absolute time ranges do not recur. For more information, see EX3500 Time Range on page 10-64.
Protocol: Specify the protocol for which the alias has to be created. Use the drop-down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp, udp or other. Select other if the protocol is not listed. When a protocol is selected, its protocol number is automatically selected.
Source Port: Specify a source port for the TCP or UDP protocols. The source specifies the IP address or FQDN from which the packet is sent. The source port is not displayed by default and must be selected from the upper-right hand side of the screen.
Destination Port: Specify a destination port for the TCP or UDP protocols. The destination specifies the IP address or FQDN to which the packet is being sent. The destination port is not displayed by default and must be selected from the upper-right hand side of the screen.
DSCP: Select this option to specify a DSCP value from 0 - 63. DSCP specifies the Differentiated Services Code Point version 6 of a classifier assigned to an interface.
IP Header: Sets the IP precedence level from 0-7.

11 Refer to the Precedence field and select + Add Row to assign a precedence (priority) to this EX3500 QoS policy. Rules are applied in order from 0 - 7.

12 Optionally refine the virtual interface (VLAN) to which the EX3500 QoS policy is applied by selecting a VLAN from 1 - 4094.

13 Select OK to save the changes. Select Reset to revert to the last saved configuration.

7.16 EX3500 QoS Policy Map

An EX3500 switch can have its own WiNG defined policy map that can be attached to an interface to specify a QoS service policy. Use a QoS policy map to assign priority to mission critical EX3500 switch data traffic, prevent EX3500 switch bandwidth congestion and prevent packet drops. To review existing EX3500 QoS policy map configurations and assess whether new ones require creation, modification or deletion:
1 Select Configuration > Network > EX3500 QoS Policy Map.

Figure 7-58 EX3500 QoS Policy Map screen

2 Select Add to create a new EX3500 QoS policy map, or select an existing policy and Edit to modify its attributes. Obsolete policy maps can be selected and Deleted as needed. Copy to duplicate an existing policy map or Rename them as needed.

Figure 7-59 EX3500 QoS Policy Map - Basic Properties screen

3 If adding a new EX3500 QoS policy map, enter a 32 character maximum Name to help differentiate this policy from others with similar attributes.

4 Enter a 64 character maximum Description to help differentiate this policy's EX3500 traffic prioritization scheme.

5 Select OK to save the changes. Select Reset to revert to the last saved configuration.

6 Select the Class Map tab. Existing class map configurations display along with their drop designations defining whether packets will be dropped if exceeding the actions set for this class map configuration.

Figure 7-60 EX3500 QoS Policy Map - Class Map screen

7 Select Add to create a new EX3500 QoS class map, or select an existing class name and Edit to modify its attributes. Obsolete class maps can be selected and Deleted as needed.

8 Set the following class map Police actions to apply traffic restrictions and packet drop criteria to EX3500 switch data traffic:

Figure 7-61 EX3500 QoS Policy Map - Class Map Add/Edit screen
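The single-rate and two-rate three-colour policing selected through the Police settings in the table that follows, as an added Python example (RFC 2697 srTCM and RFC 2698 trTCM written out for this page; it is not WiNG code). It assumes rates in bits per second and burst sizes in bytes, the units the guide gives for the Committed Rate and burst fields, maps a yellow packet to the exceed action (Drop / New IP DSCP) and a red packet to the violate action, and leaves out the flow policer type; the packet streams fed to it are constructed.

```python
"""srTCM (RFC 2697) and trTCM (RFC 2698) metering with exceed/violate
actions as configured by the class map Police settings (added example, not WiNG code)."""
from dataclasses import dataclass
from typing import Optional

GREEN, YELLOW, RED = "green", "yellow", "red"


@dataclass
class PoliceConfig:
    traffic_type: str                    # srtcm_color_aware | srtcm_color_blind | trtcm_color_aware | trtcm_color_blind
    committed_rate_bps: int              # Committed Rate (CIR), bits per second
    committed_burst: int                 # Committed Burst Size (CBS), bytes
    exceeded_burst: int = 0              # Exceeded Burst Size (EBS), bytes, srTCM only
    peak_rate_bps: int = 0               # Peak Info Rate (PIR), bits per second, trTCM only
    peak_burst: int = 0                  # Peak Burst Size (PBS), bytes, trTCM only
    drop_on_exceed: bool = False         # "Drop"
    exceed_dscp: Optional[int] = None    # "New IP DSCP"
    drop_on_violate: bool = True         # "Violate-Action Drop" (default enabled)
    violate_dscp: Optional[int] = None   # "Violate Action New IP DSCP"


class Policer:
    def __init__(self, cfg: PoliceConfig):
        self.cfg = cfg
        self.single_rate = cfg.traffic_type.startswith("srtcm")
        self.color_aware = cfg.traffic_type.endswith("color_aware")
        self.cir = cfg.committed_rate_bps / 8.0       # bytes per second
        self.pir = cfg.peak_rate_bps / 8.0
        self.tc = float(cfg.committed_burst)          # committed bucket, starts full
        self.te = float(cfg.exceeded_burst)           # excess bucket (srTCM)
        self.tp = float(cfg.peak_burst)               # peak bucket (trTCM)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        """Token bucket refill for the time elapsed since the last packet."""
        elapsed, self.last = max(0.0, now - self.last), now
        cfg = self.cfg
        if self.single_rate:
            tokens = elapsed * self.cir               # one rate fills Tc; overflow fills Te
            to_tc = min(tokens, cfg.committed_burst - self.tc)
            self.tc += to_tc
            self.te = min(cfg.exceeded_burst, self.te + (tokens - to_tc))
        else:
            self.tc = min(cfg.committed_burst, self.tc + elapsed * self.cir)
            self.tp = min(cfg.peak_burst, self.tp + elapsed * self.pir)

    def meter(self, size: int, now: float, pre_color: str = GREEN) -> str:
        """Colour one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        pre = pre_color if self.color_aware else GREEN   # colour-blind ignores the input colour
        if self.single_rate:
            if pre == GREEN and self.tc >= size:
                self.tc -= size
                return GREEN
            if pre != RED and self.te >= size:
                self.te -= size
                return YELLOW
            return RED
        if pre == RED or self.tp < size:
            return RED
        if pre == YELLOW or self.tc < size:
            self.tp -= size
            return YELLOW
        self.tp -= size
        self.tc -= size
        return GREEN

    def police(self, size: int, now: float, dscp: int, pre_color: str = GREEN):
        """Return (colour, "forward" | "drop", dscp after any remark)."""
        color, cfg = self.meter(size, now, pre_color), self.cfg
        if color == YELLOW:                               # exceed action
            if cfg.drop_on_exceed:
                return color, "drop", None
            return color, "forward", cfg.exceed_dscp if cfg.exceed_dscp is not None else dscp
        if color == RED:                                  # violate action
            if cfg.drop_on_violate:
                return color, "drop", None
            return color, "forward", cfg.violate_dscp if cfg.violate_dscp is not None else dscp
        return color, "forward", dscp


def run_burst(policer: Policer, packets, dscp: int = 0) -> list:
    """Police a constructed list of (size_bytes, arrival_time, input_colour) tuples."""
    return [policer.police(size, t, dscp, color) for size, t, color in packets]
```

With the guide's default of Violate-Action Drop enabled, every red packet is discarded; keeping it enabled and using New IP DSCP only for yellow traffic is the usual way to let bursts through at lower priority without letting a single EX3500 port flood the network.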
Enable Police: Enable this option to apply traffic type classification restrictions and packet drop criteria to EX3500 switch data traffic. This option is disabled by default.
Traffic Type: Use the drop-down menu to specify the EX3500 switch traffic type to drop when the specified violation criteria is exceeded. A policing scheme can be applied before writing packets to the TX port by dropping or changing the color (green, yellow or red) of the packet in a static manner, depending on both the input and output colors of the packets. Options include flow, srtcm_color_aware, srtcm_color_blind, trtcm_color_aware and trtcm_color_blind.
Drop: Select this option to drop EX3500 switch packets when the violation action criteria has been exceeded. This option is not available when flow is selected as the Police Action Type.
New IP DSCP: Use the spinner control to set a DSCP value (from 0 - 63) as required by an exceeded action criteria. DSCP is the Differentiated Services Code Point field in an IP header for packet classification. Packets are filtered based on the traffic class defined in the IP DSCP field. This option is not available when flow is selected as the Police Action Type or when Drop is enabled.
Violate-Action Drop: Select this option to drop packets when the specified traffic type classification restrictions and packet drop criteria are exceeded. When enabled (default setting), the Violate Action New IP DSCP setting is disabled.
Violate Action New IP DSCP: If the Violate-Action Drop option is disabled, set a DSCP value (from 0 - 63) as required by an exceeded action criteria.
Committed Burst Size: Set a committed (maximum) burst size between 0 - 16,000,000. The smaller the burst, the less likely received EX3500 switch packets result in data traffic congestion.
Committed Rate: Set the committed information rate (CIR) from 0 - 1,000,000 for EX3500 switch data traffic. The CIR is a bandwidth (expressed in bits per second) allocated to the connection with the EX3500 switch. This form of rate limiting reduces the maximum rate sent or received, and prevents any single EX3500 switch from overwhelming the WiNG managed network.
Exceeded Burst Size: When srtcm_color_aware or srtcm_color_blind are selected as the Police Traffic Type, set an excess burst size (from 0 - 16,000,000 bytes). The excess burst size allows for periods of bursting traffic exceeding both the committed information rate (CIR) and committed burst size.
Peak Burst Size: When trtcm_color_aware or trtcm_color_blind are selected as the Police Traffic Type, set a Peak Burst Size (from 0 - 16,000,000 bytes). The Peak Burst Size defines the maximum number of bytes of unused peak bandwidth capacity that can be accumulated. The accumulated bandwidth allows for periods of bursting traffic exceeding the Peak Info Rate and Committed Burst Size.
Peak Info Rate: When trtcm_color_aware or trtcm_color_blind are selected as the Police Traffic Type, set a Peak Info Rate (from 0 - 1,000,000 kilobytes per second). The Peak Info Rate is the maximum rate for traffic arriving or departing the interface under peak conditions. Traffic exceeding the committed information rate (CIR) and the committed burst size is metered to the Peak Info Rate.

9 Refer to the Set field to define the EX3500's traffic type and set its behavior.

Enable: Select enable to refine the EX3500's traffic type to either PHB, COS or DSCP.
Traffic Type: Use the drop-down menu to specify the EX3500 switch traffic type. Options include phb, cos and DSCP. Once an option is selected, refine that traffic type's behavior.
PHB: When PHB is selected as the Traffic Type, set the per-hop behavior value (from 1 - 7) applied to matching packets. The PHB defines the policy and priority applied to a packet when traversing a hop. PHBs are created (one for each combination of the top 3 bits) as bbb000 to match precedence behaviors and leave other DSCP values open, where each b may take the value zero or 1.
Cos: When Cos is selected as the Traffic Type, assign an 802.1p priority (0 - 7) as a 3-bit IP precedence value of the IP header used to set the EX3500 switch user priority. The valid values for this field are 0 Best Effort, 1 Background, 2 Spare, 3 Excellent Effort, 4 Controlled Load, 5 Video, 6 Voice, 7 Network Control.
DSCP: When DSCP is selected as the Traffic Type, set a DSCP value (from 0 - 63). DSCP is the Differentiated Services Code Point field in an IP header for EX3500 switch packet classification. Packets are filtered based on the traffic class defined in the IP DSCP field.

10 Select OK to save the changes. Select Reset to revert to the last saved configuration.

7.17 Network Deployment Considerations

Before defining a L2TPV3 configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:
In respect to L2TP V3, data transfers on the pseudowire can start as soon as session establishment corresponding to the pseudowire is complete. In respect to L2TP V3, the control connection keep-alive mechanism of L2TP V3 can serve as a monitoring mechanism for the pseudowires associated with a control connection. Wireless Controller and Service Platform System Reference Guide 7 - 77 8 Profile Configuration Profiles enable administrators to assign a common set of configuration parameters and policies to controllers, service platforms and Access Points. Profiles can be used to assign common or unique network, wireless and security parameters to devices across a large, multi segment, site. The configuration parameters within a profile are based on the hardware model the profile was created to support. The controllers, service platforms and Access Points support both default and user defined profiles implementing new features or updating existing parameters. The central benefit of a profile is its ability to update devices collectively without having to modify individual device configurations. Profiles assign configuration parameters, applicable policies and WLANs to one or more controllers, services platforms and Access Points, thus allowing smart administration across large wireless network segments. However, individual devices can still be assigned unique configuration parameters that follow the flat configuration model supported in previous software releases. As individual device updates are made, these device no longer share the profile based configuration they originally supported. Changes made to the profile are automatically inherited by all assigned devices, but not those devices who have had their configuration customized. These devices require careful administration, as they no longer can be tracked and as profile members. Their customized configurations overwrite their profile configurations until the profile can be re-applied to the device. 
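Looking back at step 8 of the EX3500 QoS class map Police settings in section 7 above, the following is an added example (not code from the WiNG guide or the EX3500 switch) that simulates the color marking behind the srtcm_* and trtcm_* traffic types as token-bucket meters after RFC 2697 and RFC 2698, with the color-aware variants honouring a packet's previous color, and then applies the exceed/violate actions. Assumptions: rates are in bytes per second and bursts in bytes (the switch's own units differ), and the Drop / New IP DSCP pair acts on yellow packets while the Violate-Action pair acts on red packets.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

GREEN, YELLOW, RED = "green", "yellow", "red"

@dataclass
class Packet:
    size: int            # bytes
    dscp: int            # 0 - 63
    color: str = GREEN   # pre-color, consulted only by the *_color_aware modes

@dataclass
class TrTCM:
    """trtcm_color_aware / trtcm_color_blind (RFC 2698): Committed Rate/Burst plus Peak Info Rate/Burst."""
    cir: float                      # Committed Rate (assumed bytes/s)
    cbs: int                        # Committed Burst Size (bytes)
    pir: float                      # Peak Info Rate (assumed bytes/s)
    pbs: int                        # Peak Burst Size (bytes)
    color_aware: bool = False
    tc: float = field(init=False)   # committed token bucket, starts full
    tp: float = field(init=False)   # peak token bucket, starts full
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tc, self.tp = float(self.cbs), float(self.pbs)

    def mark(self, pkt: Packet, now: float) -> str:
        # Refill both buckets for the time elapsed since the previous packet.
        dt, self.last = now - self.last, now
        self.tc = min(self.cbs, self.tc + self.cir * dt)
        self.tp = min(self.pbs, self.tp + self.pir * dt)
        b = pkt.size
        if (self.color_aware and pkt.color == RED) or self.tp < b:
            return RED                  # beyond the peak rate and Peak Burst Size
        self.tp -= b
        if (self.color_aware and pkt.color == YELLOW) or self.tc < b:
            return YELLOW               # beyond CIR/CBS but within the peak allowance
        self.tc -= b
        return GREEN

@dataclass
class SrTCM:
    """srtcm_color_aware / srtcm_color_blind (RFC 2697): Committed Rate/Burst plus Exceeded Burst Size."""
    cir: float                      # Committed Rate (assumed bytes/s)
    cbs: int                        # Committed Burst Size (bytes)
    ebs: int                        # Exceeded (excess) Burst Size (bytes)
    color_aware: bool = False
    tc: float = field(init=False)   # committed token bucket, starts full
    te: float = field(init=False)   # excess token bucket, starts full
    last: float = field(init=False, default=0.0)

    def __post_init__(self) -> None:
        self.tc, self.te = float(self.cbs), float(self.ebs)

    def mark(self, pkt: Packet, now: float) -> str:
        # One CIR token stream tops up the committed bucket first; the surplus goes to the excess bucket.
        dt, self.last = now - self.last, now
        tokens = self.cir * dt
        to_c = min(tokens, self.cbs - self.tc)
        self.tc += to_c
        self.te = min(self.ebs, self.te + tokens - to_c)
        b = pkt.size
        if (not self.color_aware or pkt.color == GREEN) and self.tc >= b:
            self.tc -= b
            return GREEN
        if (not self.color_aware or pkt.color != RED) and self.te >= b:
            self.te -= b
            return YELLOW
        return RED

@dataclass
class PoliceActions:
    """Drop / New IP DSCP and Violate-Action Drop / New IP DSCP. Assumption: the first
    pair acts on yellow (exceeding) packets, the Violate-Action pair on red packets."""
    exceed_drop: bool = False
    exceed_new_dscp: Optional[int] = None
    violate_drop: bool = True                 # enabled by default per the guide
    violate_new_dscp: Optional[int] = None

def police(meter, actions: PoliceActions,
           arrivals: List[Tuple[float, Packet]]) -> List[Tuple[str, Optional[Packet]]]:
    """Meter each (time, packet) arrival; return (color, packet), with packet None if dropped."""
    result: List[Tuple[str, Optional[Packet]]] = []
    for now, pkt in arrivals:
        color = meter.mark(pkt, now)
        drop, new_dscp = {GREEN: (False, None),
                          YELLOW: (actions.exceed_drop, actions.exceed_new_dscp),
                          RED: (actions.violate_drop, actions.violate_new_dscp)}[color]
        if new_dscp is not None and not drop:
            pkt.dscp = new_dscp               # remark instead of dropping
        result.append((color, None if drop else pkt))
    return result

def demo() -> List[Tuple[str, Optional[int]]]:
    """Constructed burst through a color-blind trTCM: four 1000-byte packets at t=0, one more at t=1 s."""
    meter = TrTCM(cir=1000, cbs=1500, pir=2000, pbs=3000)   # CIR 1000 B/s, CBS 1500 B, PIR 2000 B/s, PBS 3000 B
    arrivals = [(0.0, Packet(1000, 46)) for _ in range(4)] + [(1.0, Packet(1000, 46))]
    out = police(meter, PoliceActions(exceed_new_dscp=10), arrivals)
    return [(color, pkt.dscp if pkt else None) for color, pkt in out]
```

In demo() the first packet fits the committed bucket, the next two only fit the peak bucket and are remarked to DSCP 10, the fourth exhausts the peak bucket and is dropped by the default Violate-Action Drop, and after one second of refill the fifth is green again.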
Each controller, service platform and Access Point is automatically assigned a default profile unless an AP auto provisioning policy is defined that specifically assigns the Access Point to a user defined profile. A default profile for each supported model is automatically added to a device's configuration file when the device is discovered. Default profiles can also be manually added prior to discovery when needed. Default profiles are ideal for single site deployments where controllers, service platforms or Access Points share a common configuration.

Device Model | Default Profile
---|---
anyap | anyap
AP6521 | default-ap6521
AP6522 | default-ap6522
AP6532 | default-ap6532
AP6562 | default-ap6562
AP7161 | default-ap71xx
AP7502 | default-ap7502
AP7522 | default-ap7522
AP7532 | default-ap7532
AP7562 | default-ap7562
AP7602 | default-ap7602
AP7612 | default-ap7612
AP7622 | default-ap7622
AP7632 | default-ap7632
AP7662 | default-ap7662
AP8132, AP8163 | default-ap81xx
AP8232 | default-ap82xx
AP8432 | default-ap8432
AP8533 | default-ap8533
EX3524 | default-ex3524
EX3548 | default-ex3548
NX5500 | default-nx5500
NX7500 | default-nx75xx
NX9500, NX9510 | default-nx9000
RFS4000 | default-rfs4000
RFS6000 | default-rfs6000
T5 | default-t5
VX9000 | default-vx

User defined profiles are manually created for each supported controller, service platform and Access Point model. User defined profiles can be manually assigned or automatically assigned to Access Points using an AP Auto provisioning policy. AP Adoption policies provide the means to easily assign profiles to Access Points based on model, serial number, VLAN ID, DHCP option, IP address (subnet) and MAC address. User defined profiles are recommended for larger deployments using centralized controllers and service platforms when groups of devices on different floors, buildings or sites share a common configuration.

Each default and user defined profile contains policies and configuration parameters. Changes made to these parameters are automatically inherited by the devices assigned to the profile. Review existing profiles to determine whether a new profile requires creation, or an existing profile requires edit or deletion.

To review the existing profiles:

1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Review the following information on existing profiles:

Figure 8-1 Profile screen

Field | Description
---|---
Profile | Lists the user-assigned name defined for each profile when created. Profile names cannot be edited within a profile's configuration.
Type | Displays the device type (and subsequent device specific configuration) supported by each listed profile. Available device types include: AP6521, AP6522, AP6532, AP6562, AP71xx, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP81xx, AP82xx, AP8432, AP8533, EX3524, EX3548, RFS4000, RFS6000, NX5500, NX75xx, NX9000, T5 and VX9000.
Auto Provisioning Policy | Displays the auto provisioning policy applied to this profile. At adoption, an AP solicits and receives multiple adoption responses. These adoption responses contain preference and loading policy information the AP uses to select the optimum controller, service platform or peer Access Point model for adoption. By default, an auto provisioning policy generally distributes AP adoption evenly amongst available adopters. Modify existing adoption policies or create a new one as needed to meet the adoption requirements of this particular profile.
Firewall Policy | Displays an existing firewall policy, if any, assigned to each listed profile. Firewall policies can be assigned when creating or editing a profile.
Wireless Client Role Policy | Lists the name of the wireless client role policy currently applied to the listed device. The wireless client role policy contains the matching rules and IP and MAC Inbound and Outbound policies used to filter traffic to and from clients.
DHCP Server Policy | Lists the name of the DHCP Server Policy used with each listed profile. An internal DHCP server groups wireless clients based on defined user-class option values. Clients with a defined set of user class values are segregated by class. A DHCP server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses.
Management Policy | Lists the name of the Management policies applied to each listed profile. A management policy is a mechanism to allow/deny management access for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled/disabled as required for each policy.
RADIUS Server Policy | Displays the name of the RADIUS Server policy applied to each listed profile. A RADIUS Server policy provides customized, profile specific, management of authentication data (usernames and passwords).

5 Select the Add button to create a new profile, Edit to revise a selected profile configuration or Delete to permanently remove a selected profile. Optionally Copy or Rename profiles as needed.

The following tasks comprise required profile configuration activities:

• General Profile Configuration
• Profile Cluster Configuration (Controllers and Service Platforms)
• Profile Adoption Configuration (APs Only)
• Profile Adoption Configuration (Controllers Only)
• Profile Radio Power (AP7161, AP81XX Only)
• Profile 802.1x Configuration
• Profile Interface Configuration
• Profile Network Configuration
• Profile Security Configuration
• Profile VRRP Configuration
• Profile Critical Resources Configuration
• Profile Services Configuration
• Profile Management Configuration
• Profile Mesh Point Configuration
• Profile Environmental Sensor Configuration (AP8132 Only)
• Advanced Profile Configuration

8.1 General Profile Configuration

Each profile requires a provisioning policy and clock synchronization settings as part of its general configuration. Each profile can have a unique provisioning policy and system time.

Controllers, service platforms and Access Points are automatically assigned a default profile unless an AP provisioning policy has been defined that specifically assigns Access Points to a user defined profile. During the general configuration process, a provisioning policy can be assigned to a specific profile or a new provisioning policy can be created and applied to the profile. Adoption is the process an AP uses to discover potential adopters in the network, pick the most desirable one, establish an association and obtain its configuration.

Network Time Protocol (NTP) manages time and/or network clock synchronization within the network. NTP is a client/server implementation. Controllers, service platforms and Access Points (NTP clients) periodically synchronize their clock with a master clock (an NTP server). For example, a controller resets its clock to 07:04:59 upon reading a time of 07:04:59 from its designated NTP server.

Additionally, if the profile is supporting an Access Point, the profile's general configuration provides an option to disable the device's LEDs.

To define a profile's general configuration:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select General. A General configuration screen displays for the new or existing profile.

Figure 8-2 General Profile - screen

5 If creating a new profile, provide a name (up to 32 characters) within the Profile parameter field.
6 Use the Type drop-down menu to specify the device model for which the profile applies. Profiles can only be applied to the same device type selected when the profile is initially created.
7 Refer to the Location field to define the device's deployment location area.

Field | Description
---|---
Area | Enter a 64 character maximum description for the selected device's physical deployment area. This area can be further refined by floor and floor number descriptions.
Floor | Enter a 32 character maximum description for the selected device's building floor placement. This area can be further refined by floor and floor number descriptions.
Floor Number | Use the spinner control to assign a numeric deployment floor number (from 1 - 4094) for this device. The default floor is 1.

8 Within the Statistics field, use the NoC Update Interval to set the statistics update interval (from 0, 5 - 3600 seconds) from the RF Domain manager to its adopting controller. The default value is 0. A value of 0 selects an auto mode where the update interval is adjusted automatically by the controller based on load information.
9 Select + Add Row below the Network Time Protocol (NTP) table to define the configurations of NTP server resources used to obtain system time. Up to 3 servers can be added. Set the following parameters to define the NTP configuration:

Field | Description
---|---
Server IP | Set the IP address of each server added as a potential NTP resource.
Key Number | Select the number of the associated authentication peer key for the NTP resource.
Key | Enter a 64 character maximum key used when the autokey setting is set to false (disabled). Select the Show option to expose the actual character string comprising the key.
Preferred | Select this option to designate this NTP resource as a preferred NTP resource. This setting is disabled by default.
AutoKey | Select the check box to enable an autokey configuration for the NTP resource. The default setting is disabled.
Version | Use the spinner control to specify the version number (from 0 - 4) used by this NTP server resource. The default setting is 0.
Minimum Polling Interval | Use the spinner control to set the minimum polling interval (in seconds) used to contact the NTP server resource. Once set, the NTP resource is polled no sooner than the defined interval. The default setting is 64 seconds.
Maximum Polling Interval | Use the spinner control to set the maximum polling interval (in seconds) used to contact the NTP server resource. Once set, the NTP resource is polled no later than the defined interval. The default setting is 1024 seconds.

10 Refer to the RAID Alarm field to either enable or disable the chassis alarm that sounds when events are detected that degrade RAID support (drive content mirroring) on an NX series service platform.

NOTE: RAID controller drive arrays are available within NX7500 and NX9000 series service platforms (NX9000, NX9500 and NX9510 models) only. However, they can be administrated on behalf of a profile by a different model service platform or controller.

Service platforms include a single Intel MegaRAID controller (virtual drive) with RAID-1 mirroring support enabled. The online virtual drive supports up to two physical drives that could require hot spare substitution if a drive were to fail. An administrator can manage the RAID controller event alarm and syslogs supporting the array hardware from the service platform user interface and is not required to reboot the service platform BIOS. For information on setting the service platform drive array configuration and diagnostic behavior of its member drives, refer to RAID Operations on page 14-19. To view the service platform's current RAID array status, drive utilization and consistency check information, refer to RAID Statistics on page 15-114.

11 Select OK to save the changes made to the general profile configuration. Select Reset to revert to the last saved configuration.

8.1.1 General Profile Configuration and Deployment Considerations

Before defining a general profile configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:

• A default profile is applied automatically, and default AP profiles are applied to discovered Access Points.
• Each user defined profile requires a unique name.
• User defined profiles can be automatically assigned to Access Points using AP adoption policies.
• Each controller, service platform and Access Point model is automatically assigned a default profile based on the hardware type selected when the profile is initially created.

8.2 Profile Cluster Configuration (Controllers and Service Platforms)

Configuration and network monitoring are two tasks a network administrator faces as a network grows in terms of the number of managed devices. Such scalability requirements lead network administrators to look for managing and monitoring each node from a single centralized management entity. A controller or service platform not only provides a centralized management solution, it provides a centralized management profile that can be shared by any single cluster member. This eliminates dedicating a management entity to manage all cluster members and eliminates a single point of failure.

A redundancy group (cluster) is a set of controllers or service platforms (nodes) uniquely defined by a profile's configuration. Within the redundancy group, members discover and establish connections to other members and provide wireless network self-healing support in the event of cluster member failure.

A cluster's load balance is typically distributed evenly amongst the cluster members. Define how often this profile is load balanced for radio distribution, as radios can come and go and members can join and exit the cluster.

To define a cluster configuration for use with a profile:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Cluster. A screen displays where the profile's cluster and AP load balancing configuration can be set.
5 Define the following Cluster Settings parameters to set this profile's cluster mode and deployment settings:

Figure 8-3 Controller Profile - Cluster screen

Field | Description
---|---
Cluster Mode | A member can be in either an Active or Standby mode. All active members can adopt Access Points. Standby members only adopt Access Points when an active member has failed or sees an Access Point not adopted by a controller or service platform. The default cluster mode is Active and enabled for use with the profile.
Cluster Name | Define a name for the cluster that is unique to its configuration or profile support requirements. The name cannot exceed 64 characters.
Master Priority | Set a priority value from 1 - 255, with the higher value given higher priority. This configuration is the device's priority to become the cluster master. In a cluster environment, one device from the cluster is elected as the cluster master. The active primary controller has the higher master priority. The default value is 128.
Handle STP Convergence | Select the check box to enable Spanning Tree Protocol (STP) convergence for the controller or service platform. In general, this protocol is enabled in layer 2 networks to prevent network looping. Spanning Tree is a network layer protocol that ensures a loop-free topology in a mesh network of inter-connected layer 2 controllers or service platforms. The spanning tree protocol disables redundant connections and uses the least costly path to maintain a connection between any two cluster members in the network. If enabled, the network forwards data only after STP convergence. Enabling STP convergence delays the redundancy state machine execution until the STP convergence is completed (the standard protocol value for STP convergence is 50 seconds). Delaying the state machine is important to load balance APs at startup. The default setting is disabled.
Force Configured State | Select the check box to enable this controller or service platform to take over for an active controller or service platform member if it were to fail. A standby node takes over APs adopted by the failed controller or service platform. If the failed controller or service platform were to become available again, the active controller or service platform starts a timer based on the Auto Revert Delay interval. At the expiration of the Auto Revert Delay, the standby node releases all adopted APs and goes back to a monitoring mode. The Auto Revert Delay timer is stopped and restarted if the active controller or service platform goes down and comes up during the Auto Revert Delay interval. The default value is disabled.
Force Configured State Delay | Specify a delay interval (from 3 - 1,800 minutes) a standby node waits before releasing adopted APs and going back to a monitoring mode when a controller or service platform becomes active again after a failure. The default interval is 5 minutes.
RADIUS Counter DB Sync Time | Specify a sync time (from 1 - 1,440 minutes) a RADIUS counter database uses as its synchronization interval with the dedicated NTP server resource. The default interval is 5 minutes.

6 Within the Cluster Member field, select the Cluster VLAN checkbox to enable a spinner control to designate the VLAN where cluster members are reachable. Specify a VLAN from 1 - 4094. Select + Add Row and specify the IP addresses of the VLAN's cluster members. Set a routing level of either 1 or 2, where 1 is local routing and 2 is inter-site routing.
7 Select OK to save the changes made to the profile's cluster configuration. Select Reset to revert to the last saved configuration.

8.2.1 Cluster Profile Configuration and Deployment Considerations

Before defining a profile cluster configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:

• A cluster member cannot adopt more APs than its hardware capacity allows. This is important when the number of pooled AP and AAP licenses exceeds the aggregated AP and AAP capacity available after a cluster member has failed. A cluster supported profile should be designed to ensure adequate AP and AAP capacity exists to address failure scenarios involving both APs and AAPs.
• When clustering is enabled for a profile and a failure occurs, AP and AAP licenses are persistent in the cluster even during reboots or power outages. If a cluster member failure were to occur, clustering should remain enabled on all remaining cluster members or the pooled member licenses will be lost.

8.3 Profile Adoption Configuration (APs Only)

Adoption is the process an Access Point uses to discover available controllers, pick the most desirable controller, establish a controller association and optionally obtain an image upgrade and configuration. Adoption is configurable and supported within a device profile and applied to other Access Points supported by the profile. Individual attributes of an Access Point's auto provisioning policy can be overridden as specific parameters require modification.

At adoption, an Access Point solicits and receives multiple adoption responses from controllers and service platforms available on the network. These adoption responses contain loading policy information the Access Point uses to select the optimum controller or service platform for adoption. By default, an auto provisioning policy generally distributes AP adoption evenly amongst available controllers and service platforms. Modify existing adoption policies or create a new one as needed to meet the adoption requirements of a device and its assigned profile.

To define an Access Point's adoption configuration:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Adoption.

Figure 8-4 Provisioning Policy - Adoption screen

5 Within the Controller Group field, use the Preferred Group item to set an optimal group for the Access Point's adoption. The name of the preferred group cannot exceed 64 characters.
6 Select the check box to define or override a Controller VLAN on which the Access Point's associating controller or service platform is reachable. VLANs 0 and 4,094 are reserved and cannot be used by a controller or service platform VLAN.
7 Set the following Auto-Provisioning Policy settings for Access Point adoptions:

Field | Description
---|---
Use NOC Auto-Provisioning Policy | Select this option to use the NOC controller's auto provisioning policy and not the policy maintained locally. The NOC is an elected controller or service platform capable of provisioning all of its peer controllers, service platforms and adopted devices. This setting is disabled by default. NOC controllers are NX9000, NX9500, NX9510, NX7500, and RFS6000 models.
Auto-Provisioning Policy | Select an auto provisioning policy from the drop-down menu. To create a new auto provisioning policy, select the Create icon or modify an existing one by selecting the Edit icon.
Learn and Save Network Configuration | Select this option to learn and save the configuration of any device requesting adoption. This setting is enabled by default.

8 Set the following Controller Hello Interval parameters:

Field | Description
---|---
Hello Interval | Define an interval (from 1 - 120 seconds) between hello keep alive messages exchanged with the adopting device. These messages serve as a connection validation mechanism to ensure the availability of the adopting resource.
Adjacency Hold Time | Set the time (from 2 - 600 seconds) after the last hello packet after which the connection between the controller and Access Point is defined as lost and their connection is re-established.

9 Use the spinner control to define an Offline Duration timeout (from 5 - 43,200 minutes) to detect whether an adopted device is offline. The default setting is 10 minutes.
10 Enter Controller Hostnames as needed to define resources for Access Point adoption. Select + Add Row as needed to populate the table with IP Addresses or Hostnames used as Access Point adoption resources into the managed network.

Field | Description
---|---
Host | Use the drop-down menu to specify whether the adoption resource is defined as a (non DNS) IP Address or a Hostname. Once defined, provide the numerical IP or Hostname. A Hostname cannot exceed 64 characters.
Pool | Use the spinner control to set a pool of either 1 or 2. This is the pool the target controller or service platform belongs to.
Routing Level | Define a routing level (either 1 or 2) for the link between adopting devices. The default setting is 1.
IPSec Secure | Enable this option to provide IPSec secure peer authentication on the connection (link) between the adopting devices. This option is disabled by default.
IPSec GW | Select the numerical IP address or administrator defined hostname of the adopting controller resource. A Hostname cannot exceed 64 characters.
Force | Enable this setting to create a forced link between an Access Point and adopting controller, even when not necessarily needed. This setting is disabled by default.
Remote VPN Client | Displays whether a secure controller link has been established using a remote VPN client.

11 Select OK to save the changes to the Access Point profile adoption configuration. Select Reset to revert to the last saved configuration.

8.4 Profile Adoption Configuration (Controllers Only)

Adoption is the process an Access Point uses to discover available controllers, pick the most desirable controller, establish a controller association and optionally obtain an image upgrade and configuration. Adoption is configurable and supported within a device profile and applied to other Access Points supported by the profile. Individual attributes of an Access Point's auto provisioning policy can be overridden as specific parameters require modification.

At adoption, an Access Point solicits and receives multiple adoption responses from controllers and service platforms available on the network. These adoption responses contain loading policy information the Access Point uses to select the optimum controller or service platform for adoption. By default, an auto provisioning policy generally distributes AP adoption evenly amongst available controllers and service platforms. Modify existing adoption policies or create a new one as needed to meet the adoption requirements of a device and its assigned profile.

To define a controller or service platform's adoption configuration:
Select the Configuration tab from the Web UI. 1 Select Profiles from the Configuration tab. 2 Select Manage Profiles from the Configuration > Profiles menu. 3 Select Adoption. Figure 8-5 Provisioning Policy - Adoption screen 4 Within the Controller Group field, use the Group item to set provide the controller group this controller or service platform belongs to. A preferred group can also be selected for the adoption of this controller or service platform. The name of the preferred group cannot exceed 64 characters. Wireless Controller and Service Platform System Reference Guide 8 - 14 Profile Configuration 5 Set the following Auto Provision Policy parameters:
Use NOC Auto-Provisioning Policy Auto-Provisioning Policy Learn and Save Network Configuration Select this option to use the NOCs auto provisioning policy instead of the policy local to the controller or service platform. The NOC is an elected controller or service platform capable of provisioning all of its peer controllers, service platforms and adopted devices. This setting is disabled by default. Select an auto provisioning policy from the drop-down menu. To create a new auto provisioning policy, select the Create icon or modify an existing one by selecting the Edit icon. Select this option to enable allow the controller tor service platform to maintain a local configuration records of devices requesting adoption and provisioning. This feature is enabled by default. 6 Set the following Controller Adoption Settings settings:
Allow Adoption of Devices: Select either Access Points or Controllers (or both) to refine whether this controller or service platform can adopt just networked Access Points or peer controller devices as well.
Allow Adoption of External Devices: Select this option to enable this controller or service platform to adopt T5 model devices or EX3500 model switches.
Allow Monitoring of External Devices: Select this option to enable monitoring only of T5 model devices or EX3500 model switches by this controller or service platform. When enabled, WiNG does not configure EX3500 switches or a T5; it only monitors those devices for statistics and events.
Allow Adoption of this Controller: Select this option to make this controller or service platform capable of adoption by other controllers or service platforms. This setting is disabled by default and must be selected to allow peer adoptions.
Preferred Group: If Allow Adoption of this Controller is selected, provide the controller group preferred as the adopting entity for this controller or service platform. If utilizing this feature, ensure the appropriate group is provided within the Controller Group field.
Hello Interval: Select this option to define the hello packet exchange interval (from 1 - 120 seconds) between the controller or service platform and an adoption-requesting Access Point.
Adjacency Hold Time: Select this option to set a hold time interval (from 2 - 600 seconds) for the transmission of hello packets.
Offline Duration: Use the spinner control to define a timeout (from 5 - 43,200 minutes) to detect whether an adopted device is offline. The default setting is 10 minutes.
7 Enter Controller Hostnames as needed to define resources for Access Point adoption.
NOTE: This field is only available when Allow Adoption of this Controller is selected.
Wireless Controller and Service Platform System Reference Guide 8 - 15 Profile Configuration
8 Select + Add Row as needed to populate the table with IP Addresses or Hostnames used as Access Point adoption resources into the managed network. A Hostname cannot exceed 64 characters.
Host: Use the drop-down menu to specify whether the adoption resource is defined as a (non-DNS) IP Address or a Hostname. Once defined, provide the numerical IP address or Hostname. A Hostname cannot exceed 64 characters.
Pool: Use the spinner control to set a pool of either 1 or 2. This is the pool the target controller or service platform belongs to.
Routing Level: Define a routing level (either 1 or 2) for the link between adopting devices. The default setting is 1.
IPSec Secure: Enable this option to provide IPSec secure peer authentication on the connection (link) between the adopting devices. This option is disabled by default.
IPSec GW: Select the numerical IP address or administrator-defined hostname of the adopting controller resource. A Hostname cannot exceed 64 characters.
Force: Enable this setting to create a forced link between an Access Point and the adopting controller, even when not necessarily needed. This setting is disabled by default.
Remote VPN Client: Displays whether a secure controller link has been established using a remote VPN client.
9 Select OK to save the changes to the controller or service platform profile adoption configuration.
Select Reset to revert to the last saved configuration.
8.5 Profile Radio Power (AP7161, AP81XX Only)
This option is only available for AP7161, AP8122 and AP8132 Access Points. Use the Power screen to set one of two power modes (3af or Auto) for the Access Point profile. When Automatic is selected, the Access Point safely operates within the available power. Once the power configuration is determined, the Access Point configures its operating power characteristics based on its model and power configuration.
An Access Point uses a complex programmable logic device (CPLD) to manage power. The CPLD determines proper supply sequencing, the maximum power available and other status information. One of the primary functions of the CPLD is to determine the maximum power budget. When an Access Point is powered on (or performing a cold reset), the CPLD determines the maximum power provided by the PoE device and the budget available to the Access Point. The CPLD also determines the Access Point hardware SKU (model) and the number of radios. If the Access Point's PoE resource cannot provide sufficient power to run the Access Point (with all intended interfaces enabled), some of the following interfaces could be disabled or modified:
The Access Point's transmit and receive algorithms could be negatively impacted
The Access Point's transmit power could be reduced due to insufficient power
The Access Point's WAN port configuration could be changed (either enabled or disabled)
To define an Access Point's power configuration:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Power. A screen displays where the Access Point profile's power mode can be defined.
Figure 8-6 Profile - Power screen
5 Use the Power Mode drop-down menu to set the Power Mode Configuration on this AP.
NOTE: Single radio model Access Points always operate using a full power configuration. The power management configurations described in this section do not apply to single radio Access Point models.
When an Access Point is powered on for the first time, it determines the power budget available. Using the Automatic setting, the Access Point automatically determines the best power configuration based on the available power budget. Automatic is the default setting. If 802.3af is selected, the Access Point assumes 12.95 watts are available. If 802.3at is selected, the Access Point assumes 23 - 26 watts are available. If the mode is changed, the Access Point requires a reset to implement the change.
6 Set the Access Point radios' 802.3af Power Mode and 802.3at Power Mode.
7 Use the drop-down menu for each power mode to define a mode of either Range or Throughput.
8 Select Throughput to transmit packets at the radio's highest defined basic rate (based on the radio's current basic rate settings). This option is optimal in environments where transmission range is secondary to broadcast/multicast transmission performance.
9 Select Range when range is preferred over performance for broadcast/multicast (group) traffic. The data rates used for range are the lowest defined basic rates. Throughput is the default setting for both 802.3af and 802.3at.
10 Select OK to save the changes made to the Access Point power configuration. Select Reset to revert to the last saved configuration.
8.6 Profile 802.1x Configuration
802.1X provides administrators secure, identity-based access control as another data protection option to use with a device profile. 802.1X is an IEEE standard for media-level (Layer 2) access control, offering the capability to permit or deny network connectivity based on the identity of the user or device.
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Wired 802.1x.
5 Set the following Wired 802.1x Settings:
Figure 8-7 Profile - Wired 802.1x screen
Dot1x Authentication Control: Select this option to globally enable 802.1x authentication for the selected device. This setting is disabled by default. The settings on this screen are global to the profile; per-port 802.1X behaviour (host mode, port control, guest VLAN, reauthentication) is set on each Ethernet port's Security tab.
Dot1x AAA Policy: Use the drop-down menu to select an AAA policy to associate with the wired 802.1x traffic. If a suitable AAA policy does not exist, click the Create icon to create a new policy or the Edit icon to modify an existing policy.
Dot1x Guest VLAN Control: Select this option to globally enable 802.1x guest VLANs for the selected device. This setting is disabled by default.
Dot1x Hold Time: Select this option to globally enable the 802.1x hold time for the selected device. When 802.1X authentication fails 3 times consecutively, this is the period during which no RADIUS requests are sent. The default value is 1 minute.
MAC Authentication AAA Policy: Use the drop-down menu to select an AAA authentication policy for MAC address authentication. If a suitable MAC AAA policy does not exist, click the Create icon to create a new policy or the Edit icon to modify an existing policy.
6 Select OK to save the changes to the 802.1x configuration. Select Reset to revert to the last saved configuration.
8.7 Profile Interface Configuration
A profile's interface configuration can be defined to support separate physical Ethernet configurations, both unique and specific to controllers and series service platforms. Ports vary depending on platform, but controller and service platform models do share some of the same physical interfaces.
A controller or service platform requires its Virtual Interface be configured for layer 3 (IP) access or layer 3 service on a VLAN. A Virtual Interface defines which IP address is associated with each VLAN ID the controller is connected to.
If the profile is configured to support an Access Point radio, an additional Radios option is available, unique to the Access Point's radio configuration. A profile's interface configuration process consists of the following:
Ethernet Port Configuration
Virtual Interface Configuration
Port Channel Configuration
VM Interface Configuration
Access Point Radio Configuration
WAN Backhaul Configuration
PPPoE Configuration
Bluetooth Configuration
Additionally, deployment considerations and guidelines for profile interface configurations are available for review prior to defining a configuration that could significantly impact the performance of the network. For more information, see Profile Interface Deployment Considerations.
8.7.1 Ethernet Port Configuration
The ports available on controllers vary depending on the RFS controller model. The following ports are available to controllers:
RFS4000 - ge1, ge2, ge3, ge4, ge5, up1
RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
GE ports on RFS4000 and RFS6000 models are RJ-45 ports supporting 10/100/1000 Mbps. The GE ports on an RFS7000 can be RJ-45 or fiber ports supporting 10/100/1000 Mbps. ME ports are available on RFS6000 and RFS7000 platforms. ME ports are out-of-band management ports used to manage the controller via CLI or Web UI, even when the other ports on the controller are unreachable. The following ports are available to NX series service platform models:
NX5500 - ge1-ge24
NX7500 - ge1-ge24, xge1-xge2
NX9000 series - ge1, ge2, xge1-xge4
EX3524 - ge1-1-ge1-24
EX3548 - ge1-1-ge1-48
NOTE: For an NX7500 model service platform, there are options for either a 2-port or 4-port network management card. Either card can be managed using WiNG. If the 4-port card is used, ports ge7-ge10 are available. If the 2-port card is used, ports xge1-xge2 are available.
UP ports are available on RFS4000 and RFS6000 controllers. A UP port supports either RJ-45 or fiber. The UP port is the preferred means to connect to the backbone, as it has a non-blocking 1 Gbps connection, unlike the GE ports. The following ports are available on Access Points:
AP6521 - GE1/POE (LAN)
AP6522 - GE1/POE (LAN)
AP6532 - GE1/POE
AP6562 - GE1/POE
AP7161 - GE1/POE (LAN), GE2 (WAN)
AP7502 - GE1 (THRU), fe1, fe2, fe3
AP7522 - GE1/POE (LAN)
AP7532 - GE1/POE (LAN)
AP7602 - GE1/POE (LAN), GE2 (WAN)
AP7612 - GE1/POE (LAN), GE2 (WAN)
AP7622 - GE1/POE (LAN)
AP7632 - GE1/POE (LAN)
AP7662 - GE1/POE (LAN), GE2 (WAN)
AP81XX - GE1/POE (LAN), GE2 (WAN)
AP82XX - GE1/POE (LAN), GE2 (WAN)
To define a profile's Ethernet port configuration:
1 Select Configuration > Profiles > Interface.
2 Expand the Interface menu to display its submenu options.
3 Select Ethernet Ports. The Ethernet Ports screen displays configuration, runtime status and statistics regarding the physical ports on the controller or service platform.
4 Refer to the following to assess port status and performance:
Figure 8-8 Ethernet Ports screen
Name: Displays the physical port name reporting runtime data and statistics. Supported ports vary depending on Access Point, controller or service platform model.
RFS4000 - ge1, ge2, ge3, ge4, ge5, up1
RFS6000 - ge1, ge2, ge3, ge4, ge5, ge6, ge7, ge8, me1, up1
NX5500 - ge1-ge24
NX7500 - ge1-ge24, xge1-xge2
NX9000 series - ge1, ge2, xge1-xge4
Type: Displays the physical port type. Copper is used on RJ-45 Ethernet ports and optical materials are used on fiber optic gigabit Ethernet ports.
Description: Displays an administrator-defined description for each listed controller or service platform port.
Admin Status: A green checkmark defines the port as active and currently enabled with the profile. A red X defines the port as currently disabled and not available for use. The interface status can be modified with the port configuration as needed.
Mode: Displays the profile's switching mode as currently either Access or Trunk (as defined within the Ethernet Port Basic Configuration screen). If Access is selected, the listed port accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs added to the trunk. A port configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged.
Native VLAN: Lists the numerical VLAN ID (1 - 4094) set for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
Tag Native VLAN: A green checkmark defines the native VLAN as tagged. A red X defines the native VLAN as untagged. When a frame is tagged, the 12-bit VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port.
Allowed VLANs: Displays those VLANs allowed to send packets over the listed port. Allowed VLANs are only listed when the mode has been set to Trunk.
5 To edit the configuration of an existing port, select it from amongst those displayed and select the Edit button. The Ethernet port Basic Configuration screen displays by default.
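As an added illustration of the Mode, Native VLAN, Tag Native VLAN and Allowed VLANs behaviour described above (and of the matching Switching Mode parameters on the port's Basic Configuration screen), the following Python is example code written for this page, not code from WiNG or Extreme Networks. The 802.1Q header layout is standard; the Port class, its field names, its rule ordering and the constructed sample frames are this example's own simplified model.

```python
"""Simplified model of Access/Trunk switching-mode classification (example code)."""
from __future__ import annotations
import struct
from dataclasses import dataclass, field

TPID_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, vlan: int | None, payload: bytes) -> bytes:
    """Build an Ethernet frame; when vlan is given, insert the 4-byte 802.1Q tag."""
    if vlan is None:
        return dst + src + struct.pack("!H", ETHERTYPE_IPV4) + payload
    tci = vlan & 0x0FFF  # PCP and DEI left at zero; the VID is the low 12 bits
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload


def parse_vid(frame: bytes) -> int | None:
    """Return the 12-bit VLAN ID carried in the 802.1Q header, or None if untagged."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF


@dataclass
class Port:
    """One Ethernet port's switching-mode settings (assumed field names)."""
    mode: str = "access"          # "access" (the default) or "trunk"
    native_vlan: int = 1          # default native VLAN is 1
    tag_native: bool = False      # Tag Native VLAN, disabled by default
    allowed_vlans: set[int] = field(default_factory=set)  # trunk mode only

    def classify_ingress(self, frame: bytes) -> int | None:
        """VLAN a received frame is mapped to, or None if the port drops it."""
        vid = parse_vid(frame)
        if self.mode == "access":
            # An access port expects untagged frames only; they map to the native VLAN.
            return self.native_vlan if vid is None else None
        if vid is None:
            # On a trunk, untagged traffic is classified into the native VLAN.
            return self.native_vlan
        if vid == self.native_vlan:
            return vid  # the native VLAN may also arrive tagged
        return vid if vid in self.allowed_vlans else None

    def egress(self, vlan: int) -> tuple[bool, int | None]:
        """(forward?, tag) for traffic in `vlan` leaving this port; tag None means untagged."""
        if self.mode == "access":
            return (vlan == self.native_vlan, None)  # access ports always send untagged
        if vlan == self.native_vlan:
            return (True, vlan if self.tag_native else None)
        return (vlan in self.allowed_vlans, vlan)  # other trunk VLANs are always tagged


# Constructed sample frames (not captured traffic).
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("66778899aabb")
UNTAGGED = build_frame(MAC_B, MAC_A, None, b"payload")
TAGGED_20 = build_frame(MAC_B, MAC_A, 20, b"payload")
TAGGED_40 = build_frame(MAC_B, MAC_A, 40, b"payload")

if __name__ == "__main__":
    access = Port()
    trunk = Port(mode="trunk", native_vlan=10, allowed_vlans={20, 30})
    print("access, untagged ->", access.classify_ingress(UNTAGGED))    # 1
    print("access, tagged 20 ->", access.classify_ingress(TAGGED_20))  # None
    print("trunk, untagged ->", trunk.classify_ingress(UNTAGGED))      # 10
    print("trunk, tagged 40 ->", trunk.classify_ingress(TAGGED_40))    # None
    print("trunk egress VLAN 10 ->", trunk.egress(10))                 # (True, None)
```

The model makes the practical consequence of the defaults visible: with the native VLAN left at 1 and Tag Native VLAN off, any untagged frame arriving on a trunk lands in VLAN 1, and native-VLAN traffic leaves untagged, so both ends of a trunk must agree on the native VLAN ID or that traffic is reclassified by the far side.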
Figure 8-9 Ethernet Ports - Basic Configuration screen
6 Set the following Ethernet port Properties:
Description: Enter a brief description for the port (64 characters maximum). The description should reflect the port's intended function to differentiate it from others with similar configurations, or perhaps just the name of the physical port.
Admin Status: Select the Enabled radio button to define this port as active to the profile it supports. Select the Disabled radio button to disable this physical port in the profile. It can be activated at any future time when needed.
Speed: Select the speed at which the port can receive and transmit data: 10 Mbps, 100 Mbps or 1000 Mbps, for the selected half duplex or full duplex transmission over the port. These fixed options are not available if Automatic is selected. Select Automatic to let the port negotiate its transmission speed and duplex capabilities with the connected device. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis. Automatic is the default setting.
Duplex: Select either Half, Full or Automatic as the duplex option. Like a full-duplex link, a half-duplex link carries data in both directions, just not at the same time: the port sends, then receives. Select Full duplex to transmit data to and from the controller or service platform port at the same time; the port can send data while receiving data. Select Automatic to negotiate the duplex setting dynamically as port performance needs dictate. Automatic is the default setting.
7 Enable or disable the following CDP/LLDP parameters used to configure Cisco Discovery Protocol and Link Layer Discovery Protocol for this profile's Ethernet port configuration:
Cisco Discovery Protocol Receive: Select this box to allow Cisco Discovery Protocol advertisements to be received and processed on this port. This option is enabled by default.
Cisco Discovery Protocol Transmit: Select this box to allow Cisco Discovery Protocol advertisements to be transmitted on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors.
Link Layer Discovery Protocol Receive: Select this box to allow Link Layer Discovery Protocol advertisements to be received and processed on this port. This option is enabled by default.
Link Layer Discovery Protocol Transmit: Select this box to allow Link Layer Discovery Protocol advertisements to be transmitted on this port. If enabled, the port sends out periodic interface updates to a multicast address to advertise its presence to neighbors.
Transmitted CDP and LLDP advertisements disclose device identity and port details to whatever is attached to the port; consider leaving transmit disabled on ports that face untrusted devices.
8 Set the following Power over Ethernet (PoE) parameters for this profile's Ethernet port configuration:
Enable POE: Select this option to configure the selected controller or service platform port to use Power over Ethernet. To disable PoE on a port, uncheck this option. PoE is supported on RFS4000 and RFS6000 model controllers. When enabled, the controller or service platform supports 802.3af PoE on each of its ge ports. PoE allows users to monitor port power consumption and configure power usage limits and priorities for each ge port.
Power Limit: Use the spinner control to set the total watts available for Power over Ethernet on the defined ge port. Set a value between 0 - 40 watts.
Power Priority: Set the power priority for the listed port to either Low, Medium or High. This is the priority assigned to this port versus the power requirements of the other ports on the controller or service platform.
9 Define the following Switching Mode parameters to apply to the Ethernet port configuration:
Mode: Select either the Access or Trunk radio button to set the VLAN switching mode over the port. If Access is selected, the port accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. If the mode is set to Trunk, the port allows packets from a list of VLANs you add to the trunk. A port configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged. Access is the default mode.
Native VLAN: Use the spinner control to define a numerical Native VLAN ID between 1 - 4094. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN which untagged traffic will be directed over when using a port in trunk mode. The default VLAN is 1.
Tag Native VLAN: Select the check box to tag the native VLAN. Devices support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying, for upstream devices, the VLAN ID the frame belongs to. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12-bit VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. This feature is disabled by default.
Allowed VLANs: Selecting Trunk as the mode enables the Allowed VLANs parameter. Add the VLANs that are permitted to send packets over the listed port.
10 Select a Captive Portal Enforcement option for the selected Ethernet port interface. Captive portal enforcement allows wired network users to pass traffic through the captive portal without being redirected to an authentication page. Authentication instead takes place when the RADIUS server is queried against the wired user's MAC address. If the MAC address is in the RADIUS server's user database, the user can pass traffic on the captive portal.
If None is selected, captive portal policies are not enforced on the wired interface. If Authentication Failure is selected, captive portal policies are enforced only when RADIUS authentication of the client's MAC address is not successful. If Always is selected, captive portal policies are enforced regardless of whether the client's MAC address is in the RADIUS server's user database.
11 Optionally select the Port Channel checkbox and define a setting between 1 - 3 using the spinner control. This sets the channel group for the port. The upper limit depends on the device on which this value is configured.
12 Select OK to save the changes made to the Ethernet Port Basic Configuration. Select Reset to revert to the last saved configuration.
13 Select the Security tab.
Figure 8-10 Ethernet Ports - Security screen
14 Refer to the Access Control field. As part of the port's security configuration, inbound IPv4/IPv6 and MAC address firewall rules are required. Use the drop-down menus to select the firewall rules to apply to this profile's Ethernet port configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4-specific firewall rules to apply to this profile's Ethernet port configuration. IPv4 is a connectionless protocol for packet-switched networking. IPv4 operates as a best-effort delivery method: it does not guarantee delivery, and does not ensure proper sequencing or prevent duplicate delivery (unlike TCP). IPv4 hosts can use link-local addressing to provide local connectivity.
Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6-specific firewall rules to apply to this profile's Ethernet port configuration. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
If a firewall rule does not exist suiting the data protection needs of the target port configuration, select the Create icon to define a new rule configuration or select the Edit icon to modify an existing configuration.
15 Refer to the Trust field to define the following:
Trust ARP Responses: Select the check box to enable ARP trust on this port. ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices within the network. The default value is disabled.
Trust DHCP Responses: Select the check box to enable DHCP trust on this port. If enabled, DHCP responses received on this port are trusted and forwarded; a DHCP server can be connected only to a DHCP trusted port. The default value is enabled. Leave it disabled on ports that face client devices, so that a DHCP server attached to such a port cannot answer clients.
ARP Header Mismatch Validation: Select this option to enable a mismatch check between the source MAC in the Ethernet header and the sender MAC in the ARP header. The default value is disabled.
Trust 802.1p COS values: Select the check box to trust 802.1p CoS values on this port. The default value is enabled.
Trust IP DSCP: Select the check box to trust IP DSCP values on this port. The default value is enabled.
NOTE: Some vendor solutions with VRRP enabled send ARP packets whose Ethernet source MAC is the physical MAC while the inner ARP sender MAC is the VRRP MAC. If ARP Header Mismatch Validation is enabled, such a packet is allowed despite the conflict.
16 Set the following IPv6 Settings:
Trust ND Requests: Select this option to trust IPv6 neighbor discovery requests on this Ethernet port. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the Neighbor Discovery Protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. This setting is disabled by default.
Trust DHCPv6 Responses: Select this option to trust all DHCPv6 responses on this Ethernet port. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link. This setting is enabled by default.
ND Header Mismatch Validation: Select this option to enable a mismatch check between the source MAC in the Ethernet header and the link-layer address option carried in the neighbor discovery message. This setting is disabled by default.
RA Guard: Select this option to enable RA guard for router advertisements and ICMPv6 redirects from this Ethernet port. Router advertisements are periodically sent to hosts or sent in response to router solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This setting is disabled by default.
17 Set the following 802.1X Settings:
Host Mode: Use the drop-down menu to select the host mode configuration to apply to this port. Options include single-host or multi-host. The default setting is single-host.
Guest VLAN: Specify a guest VLAN for this port from 1 - 4094. This is the VLAN traffic is bridged on if this port is unauthorized and the guest VLAN is globally enabled.
Port Control: Use the drop-down menu to set the port control state to apply to this port. Options include force-authorized, force-unauthorized and automatic. The default setting is force-authorized. Note that force-authorized permits traffic without any authentication; 802.1X only takes effect on a port when Port Control is set to automatic and Dot1x Authentication Control is enabled for the profile.
Re Authenticate: Select this setting to force clients to reauthenticate on this port. The default setting is disabled, so clients do not need to reauthenticate for connection over this port until this setting is enabled.
Max Reauthenticate Count: Set the maximum reauthentication attempts (1 - 10) before this port is moved to unauthorized. The default setting is 2.
Quiet Period: Set the quiet period for this port from 1 - 65,535 seconds. This is the maximum time 802.1x waits after a failed authentication attempt. The default setting is 60 seconds.
Reauthenticate Period: Use the spinner control to set the reauthentication period for this port from 1 - 65,535 seconds. The default setting is 60 seconds.
Port MAC Authentication: When enabled, a port's MAC address is authenticated, as only one MAC address is supported per wired port. When successfully authenticated, packets from that source are processed. Packets from all other sources are dropped. Port MAC authentication is supported on RFS4000 and RFS6000 model controllers. Port MAC authentication may be enabled on ports in conjunction with the Wired 802.1x settings for a MAC Authentication AAA policy.
18 Select Enable within the 802.1x supplicant (client) field to enable a username and password pair used when authenticating users on this port. This setting is disabled by default. The password cannot exceed 32 characters.
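The Trust and IPv6 Settings above (steps 15 and 16) name the checks a port applies (ARP header mismatch, DHCP and DHCPv6 response trust, ND header mismatch, RA guard) without showing what each one inspects. The following Python is an added example written for this page, not WiNG code: it parses constructed Ethernet/ARP, IPv4/UDP and IPv6/ICMPv6 frames and applies a simplified version of each check. Assumptions: RA Guard is modelled with RFC 6105 semantics (router advertisements and redirects received on the guarded port are dropped), the VRRP allowance described in the NOTE is not implemented (any ARP mismatch is dropped), and the PortTrust field names, the verdict strings and the sample frames are invented for the example.

```python
"""Simplified port-trust filter for ARP, DHCP/DHCPv6 and IPv6 ND traffic (example code)."""
from __future__ import annotations
import struct
from dataclasses import dataclass

ETH_ARP, ETH_IPV4, ETH_IPV6 = 0x0806, 0x0800, 0x86DD
PROTO_UDP, PROTO_ICMPV6 = 17, 58
ND_SOURCE_LLA, ND_TARGET_LLA = 1, 2          # ND option types (RFC 4861)
RA, NS, NA, REDIRECT = 134, 135, 136, 137    # ICMPv6 message types
BCAST = b"\xff" * 6


@dataclass
class PortTrust:
    """Per-port trust checkboxes; defaults as stated in the guide (field names assumed)."""
    trust_dhcp_responses: bool = True
    arp_mismatch_validation: bool = False
    trust_dhcpv6_responses: bool = True
    nd_mismatch_validation: bool = False
    ra_guard: bool = False


def nd_link_layer_option(opts: bytes, wanted: int) -> bytes | None:
    """Walk ND TLV options (length in 8-byte units); return the 6-byte MAC of option `wanted`."""
    off = 0
    while off + 2 <= len(opts):
        otype, olen = opts[off], opts[off + 1]
        if olen == 0:
            return None  # malformed option: stop rather than loop forever
        if otype == wanted:
            return opts[off + 2 : off + 8]
        off += olen * 8
    return None


def check_frame(frame: bytes, port: PortTrust) -> str:
    """Return 'allow' or 'drop: <reason>' for one frame received on `port`."""
    smac = frame[6:12]
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    body = frame[14:]
    if ethertype == ETH_ARP:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) op(2) sender MAC(6) ...
        if port.arp_mismatch_validation and body[8:14] != smac:
            return "drop: arp-header-mismatch"
    elif ethertype == ETH_IPV4:
        ihl = (body[0] & 0x0F) * 4
        if body[9] == PROTO_UDP:
            sport, dport = struct.unpack_from("!HH", body, ihl)
            # A DHCP server reply travels from UDP 67 to the client port 68.
            if (sport, dport) == (67, 68) and not port.trust_dhcp_responses:
                return "drop: dhcp-response-on-untrusted-port"
    elif ethertype == ETH_IPV6:
        next_header = body[6]
        if next_header == PROTO_UDP:
            sport, dport = struct.unpack_from("!HH", body, 40)
            # A DHCPv6 server/relay reply travels from UDP 547 to the client port 546.
            if (sport, dport) == (547, 546) and not port.trust_dhcpv6_responses:
                return "drop: dhcpv6-response-on-untrusted-port"
        elif next_header == PROTO_ICMPV6:
            icmp = body[40:]
            itype = icmp[0]
            if itype in (RA, REDIRECT) and port.ra_guard:
                return "drop: ra-guard"
            if itype in (NS, NA) and port.nd_mismatch_validation:
                # NS/NA: 4-byte header, 4 bytes reserved/flags, 16-byte target, then options.
                wanted = ND_SOURCE_LLA if itype == NS else ND_TARGET_LLA
                lla = nd_link_layer_option(icmp[24:], wanted)
                if lla is not None and lla != smac:
                    return "drop: nd-header-mismatch"
    return "allow"


# --- constructed frames for demonstration (not captured traffic) ---
def arp_request(smac: bytes, sender_mac: bytes) -> bytes:
    body = struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1)
    body += sender_mac + bytes([10, 0, 0, 1]) + b"\0" * 6 + bytes([10, 0, 0, 2])
    return BCAST + smac + struct.pack("!H", ETH_ARP) + body


def ipv4_udp(smac: bytes, sport: int, dport: int) -> bytes:
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, PROTO_UDP, 0,
                     bytes([10, 0, 0, 1]), bytes([255, 255, 255, 255]))
    udp = struct.pack("!HHHH", sport, dport, 8, 0)
    return BCAST + smac + struct.pack("!H", ETH_IPV4) + ip + udp


def ipv6_frame(smac: bytes, next_header: int, payload: bytes) -> bytes:
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255) + b"\0" * 32
    return BCAST + smac + struct.pack("!H", ETH_IPV6) + hdr + payload


def ipv6_udp(smac: bytes, sport: int, dport: int) -> bytes:
    return ipv6_frame(smac, PROTO_UDP, struct.pack("!HHHH", sport, dport, 8, 0))


def icmpv6(smac: bytes, itype: int, lla_option: tuple[int, bytes] | None = None) -> bytes:
    # 4-byte ICMPv6 header, 4 bytes reserved, 16 bytes (target address for NS/NA; padding otherwise)
    msg = struct.pack("!BBHI", itype, 0, 0, 0) + b"\0" * 16
    if lla_option is not None:
        msg += bytes([lla_option[0], 1]) + lla_option[1]  # option type, length 1 (8 bytes), MAC
    return ipv6_frame(smac, PROTO_ICMPV6, msg)
```

With every check enabled, a DHCP OFFER or a router advertisement arriving on a client-facing port is dropped before any host sees it, and an ARP reply or neighbor advertisement whose inner sender address differs from the Ethernet source is dropped as a spoofing attempt; with the guide's defaults only the DHCP/DHCPv6 trust checks are active, and those allow server replies everywhere.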
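To show how the per-port 802.1X settings above (Port Control, Guest VLAN, Max Reauthenticate Count, Quiet Period) interact with the global Wired 802.1x settings from section 8.6 (Dot1x Authentication Control, Dot1x Guest VLAN Control, Dot1x Hold Time), here is an added Python model written for this page; it is example code, not the WiNG authenticator. The class names, the handle_eap function and its verdict strings are assumptions, and tracking the three-consecutive-failure hold per port is a simplification of the global setting.

```python
"""Simplified 802.1X port-authorization model (example code)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Dot1xGlobal:
    """Wired 802.1x profile settings (section 8.6); defaults as stated in the guide."""
    authentication_control: bool = False   # 802.1x disabled by default
    guest_vlan_control: bool = False       # guest VLANs disabled by default
    hold_time_s: int = 60                  # Dot1x Hold Time, default 1 minute


@dataclass
class Dot1xPort:
    """Per-port 802.1X settings from the Ethernet port Security tab, plus runtime state."""
    port_control: str = "force-authorized"  # or "force-unauthorized", "automatic"
    guest_vlan: int | None = None            # 1 - 4094 when configured
    max_reauth_count: int = 2                # 1 - 10, default 2
    quiet_period_s: int = 60                 # 1 - 65,535, default 60
    failures: int = 0                        # consecutive failed attempts (runtime, assumed)
    authorized: bool = False
    quiet_until: float = 0.0                 # EAP ignored until this time
    hold_until: float = 0.0                  # no RADIUS request sent until this time


def traffic_vlan(port: Dot1xPort, glob: Dot1xGlobal, access_vlan: int) -> int | None:
    """VLAN a client's traffic is bridged on, or None if the port blocks it."""
    if port.authorized:
        return access_vlan
    if glob.guest_vlan_control and port.guest_vlan is not None:
        return port.guest_vlan  # unauthorized port with guest VLAN globally enabled
    return None


def handle_eap(port: Dot1xPort, glob: Dot1xGlobal, now: float, radius_accept: bool) -> str:
    """Process one authentication attempt at time `now`; radius_accept is the RADIUS outcome."""
    if not glob.authentication_control or port.port_control == "force-authorized":
        port.authorized = True
        return "authorized-without-eap"   # no authentication actually happens
    if port.port_control == "force-unauthorized":
        port.authorized = False
        return "force-unauthorized"
    if now < port.quiet_until:
        return "quiet-period"             # attempt ignored until the quiet period elapses
    if now < port.hold_until:
        return "radius-hold"              # global hold: no RADIUS request is sent
    if radius_accept:
        port.authorized, port.failures = True, 0
        return "authorized"
    port.failures += 1
    port.quiet_until = now + port.quiet_period_s
    if port.failures >= 3:                # Dot1x Hold Time after 3 consecutive failures
        port.hold_until = now + glob.hold_time_s
    if port.failures >= port.max_reauth_count:
        port.authorized = False
        return "moved-to-unauthorized"
    return "failed"
```

Walking a port through two failures shows the two timers that matter operationally: after the second failure the port is unauthorized and, only if Dot1x Guest VLAN Control is on, its traffic lands in the guest VLAN; after the third failure the profile-level hold suppresses RADIUS requests even once the per-port quiet period has expired.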
19 Select OK to save the changes made to the Ethernet port's security configuration. Select Reset to revert to the last saved configuration.
20 Select the Spanning Tree tab.
21 Define the following PortFast parameters for the port's MSTP configuration:
Figure 8-11 Ethernet Ports - Spanning Tree screen
Enable PortFast: Select the check box to enable fast transitions and the drop-down menus for both the Enable PortFast BPDU Filter and Enable PortFast BPDU Guard options for the port. This setting is disabled by default.
Enable PortFast BPDU Filter: Select Enable to invoke a BPDU filter for this PortFast-enabled port. Enabling the BPDU filter feature ensures this PortFast-enabled port does not transmit or receive BPDUs.
Enable PortFast BPDU Guard: Select Enable to invoke a BPDU guard for this PortFast-enabled port. Enabling the BPDU Guard feature means this PortFast-enabled port will shut down on receiving a BPDU. Thus, no BPDUs are processed.
Enable PortFast only on ports that connect to end devices rather than to other switches. Of the two options, BPDU Guard is the one that reacts when a switch is unexpectedly attached to such a port, since BPDU Filter simply ignores the BPDUs.
22 Set the following MSTP Configuration parameters:
Link Type: Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link. Selecting Shared indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link, while one connected to a controller or service platform is on a point-to-point link.
Cisco MSTP Interoperability: Select either the Enable or Disable radio button. This enables interoperability with Cisco's version of MSTP over the port, which is incompatible with standard MSTP.
Force Protocol Version: Sets the protocol version to either STP (0), Not Supported (1), RSTP (2) or MSTP (3). MSTP is the default setting.
Guard: Determines whether the port enforces root bridge placement. Setting the guard to Root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state. No data is forwarded across the port. Thus, the guard root enforces the root bridge position.
23 Refer to the Spanning Tree Port Cost table. Define an Instance Index using the spinner control, then set the Cost. The default path cost depends on the speed of the port. The cost helps determine the role of the port in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
Speed                          Default Path Cost
<= 100,000 bits/sec            200,000,000
<= 1,000,000 bits/sec          20,000,000
<= 10,000,000 bits/sec         2,000,000
<= 100,000,000 bits/sec        200,000
<= 1,000,000,000 bits/sec      20,000
<= 10,000,000,000 bits/sec     2,000
<= 100,000,000,000 bits/sec    200
<= 1,000,000,000,000 bits/sec  20
> 1,000,000,000,000 bits/sec   2
24 Select + Add Row as needed to include additional indexes.
25 Refer to the Spanning Tree Port Priority table. Define an Instance Index using the spinner control and then set the Priority. The lower the priority value, the greater the likelihood of the port becoming a designated port; applying a higher override value therefore reduces the port's likelihood of becoming a designated port. Select + Add Row as needed to include additional indexes.
26 Select OK to save the changes made to the Ethernet port's spanning tree configuration. Select Reset to revert to the last saved configuration.
8.7.2 Virtual Interface Configuration
A Virtual Interface is required for layer 3 (IP) access or to provide layer 3 service on a VLAN. The Virtual Interface defines which IP address is associated with each connected VLAN ID. A Virtual Interface is created for the default VLAN (VLAN 1) to enable remote administration. A Virtual Interface is also used to map VLANs to IP address ranges. This mapping determines the destination networks for routing.
To review existing Virtual Interface configurations and either create a new Virtual Interface configuration, modify an existing configuration or delete an existing configuration:
1 Select Configuration > Profiles > Interface.

2 Expand the Interface menu to display its submenu options.

3 Select Virtual Interfaces.

4 Review the following parameters unique to each virtual interface configuration:
Figure 8-12 Virtual Interfaces screen

| Parameter | Description |
|---|---|
| Name | Displays the name of each listed Virtual Interface assigned when it was created. The name is between 1 - 4094, and cannot be modified as part of a Virtual Interface edit. |
| Type | Displays the type of Virtual Interface for each listed interface. |
| Description | Displays the description defined for the Virtual Interface when it was either initially created or edited. |
| Admin Status | A green checkmark defines the listed Virtual Interface configuration as active and enabled with its supported profile. A red X defines the Virtual Interface as currently disabled. The interface status can be modified when a new Virtual Interface is created or an existing one modified. |
| VLAN | Displays the numerical VLAN ID associated with each listed interface. |
| IP Address | Defines whether DHCP was used to obtain the primary IP address used by the Virtual Interface configuration. |

5 Select Add to define a new Virtual Interface configuration, Edit to modify the configuration of an existing Virtual Interface or Delete to permanently remove a selected Virtual Interface.

Figure 8-13 Virtual Interfaces - Basic Configuration screen - General tab

The Basic Configuration screen's General tab displays by default, regardless of whether a new Virtual Interface is created or an existing one is being modified.

6 If creating a new Virtual Interface, use the VLAN ID spinner control to define a numeric ID from 1 - 4094. Select the Continue button to initialize the rest of the parameters on the screen.

7 Define the following parameters from within the Properties field:

| Parameter | Description |
|---|---|
| Description | Provide or edit a description (up to 64 characters) for the Virtual Interface that helps differentiate it from others with similar configurations. |
| Admin Status | Select either the Disabled or Enabled radio button to define this interface's current status. When set to Enabled, the Virtual Interface is operational and available. The default value is enabled. |

8 Define the following NAT parameters from within the Network Address Translation (NAT) field:
NAT Direction - Define the Network Address Translation (NAT) direction. Options include:

Inside - The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.

Outside - Packets passing through the NAT on the way back to the controller or service platform managed LAN are checked against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.

None - No NAT activity takes place. This is the default setting.

9 Set the following DHCPv6 Client Configuration. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework for passing configuration information.

| Parameter | Description |
|---|---|
| Stateless DHCPv6 Client | Select this option to request information from the DHCPv6 server using stateless DHCPv6. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is disabled by default. |
| Prefix Delegation Client | Specify a 32 character maximum request prefix for prefix delegation from a DHCPv6 server over this virtual interface. Devices use prefixes to distinguish destinations that reside on-link from those reachable using a router. |
| Request DHCPv6 Options | Select this option to request DHCPv6 options on this virtual interface. DHCPv6 options provide configuration information for a node that must be booted using the network rather than locally. This setting is disabled by default. |

10 Set the Bonjour Gateway settings for the virtual interface. Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers, other computers and services that these computers offer over a local network.

Bonjour provides a general method to discover services on a local area network (LAN). It allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with special DNS configuration, it can be extended to find services across broadcast domains.

From the drop-down, select the Bonjour Gateway discovery policy. Select the Create icon to define a new Bonjour Gateway policy configuration or select the Edit icon to modify an existing Bonjour Gateway policy configuration.

11 Set the following MTU settings for the virtual interface:
| Parameter | Description |
|---|---|
| Maximum Transmission Unit (MTU) | Set the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size. The default MTU is 1,492. |
| IPv6 MTU | Set an IPv6 MTU for this virtual interface from 1,280 - 1,500. A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data. The default is 1,500. |

12 Within the ICMP field, define whether ICMPv6 redirect messages are sent. A redirect requests data packets be sent on an alternative route. This setting is enabled by default.

13 Within the Address Autoconfiguration field, define whether to configure IPv6 addresses on this virtual interface based on the prefixes received in router advertisement messages. Router advertisements contain prefixes used for link determination, address configuration and maximum hop limits. This setting is enabled by default.

14 Set the following Router Advertisement Processing settings for the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.

| Parameter | Description |
|---|---|
| Accept RA | Enable this option to allow router advertisements over this virtual interface. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters. This setting is enabled by default. |
| No Default Router | Select this option to consider routers unavailable on this interface for default router selection. This setting is disabled by default. |
| No MTU | Select this option to not use the existing MTU setting for router advertisements on this virtual interface. If the value is set to zero, no MTU options are sent. This setting is disabled by default. |
| No Hop Count | Select this option to not use the hop count advertisement setting for router advertisements on this virtual interface. This setting is disabled by default. |

15 Select OK to save the changes. Select Reset to revert to the last saved configuration.

16 Select the IPv4 tab to set IPv4 settings for this virtual interface. IPv4 is a connectionless protocol operating on a best effort delivery model. IPv4 does not guarantee delivery or assure proper sequencing or avoidance of duplicate delivery (unlike TCP).

17 Set the following network information from within the IPv4 Addresses field:
Figure 8-14 Virtual Interfaces - Basic Configuration screen - IPv4 tab

| Parameter | Description |
|---|---|
| Enable Zero Configuration | Zero configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect to based on a user's preferences and various default settings. Zero config can be used instead of a wireless network utility from the manufacturer of a computer's wireless networking device. This value is set to None by default. |
| Primary IP Address | Define the IP address for the VLAN associated Virtual Interface. |
| Use DHCP to Obtain IP | Select this option to allow DHCP to provide the IP address for the Virtual Interface. Selecting this option disables the Primary IP address field. |
| Use DHCP to obtain Gateway/DNS Servers | Select this option to allow DHCP to obtain a default gateway address and DNS resource for one virtual interface. This setting is disabled by default and only available when the Use DHCP to Obtain IP option is selected. |
| Secondary Addresses | Use the Secondary Addresses parameter to define additional IP addresses to associate with VLAN IDs. The address provided in this field is used if the primary IP address is unreachable. |

18 Refer to the DHCP Relay field to set the DHCP relay server configuration used with the Virtual Interface.

| Parameter | Description |
|---|---|
| Respond to DHCP Relay Packets | Select this option to allow the onboard DHCP server to respond to relayed DHCP packets on this interface. This setting is disabled by default. |
| DHCP Relays | Provide IP addresses for DHCP server relay resources. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends back the response to the client. |

19 Select OK to save the changes to the IPv4 configuration. Select Reset to revert to the last saved configuration.

20 Select the IPv6 tab to set IPv6 settings for this virtual interface. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters.

Figure 8-15 Virtual Interfaces - Basic Configuration screen - IPv6 tab

21 Enable the Enforce Duplicate Address option to enforce duplicate address protection when any wired port is connected and in a forwarding state. This option is enabled by default.

22 Refer to the IPv6 Address Prefix from Provider table to create IPv6 format prefix shortcuts as supplied by an ISP. Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined.
Figure 8-16 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider

| Parameter | Description |
|---|---|
| Delegated Prefix Name | Enter a 32 character maximum name for the IPv6 address prefix from provider. |
| Host ID | Define the subnet ID, host ID and prefix length. |

Select OK to save the changes to the new IPv6 prefix from provider. Select Exit to close the screen without saving the updates.

23 Refer to the IPv6 Address Prefix from Provider EUI64 table to set an (abbreviated) IP address prefix in EUI64 format. Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined in EUI64 format.

Figure 8-17 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider EUI64

| Parameter | Description |
|---|---|
| Delegated Prefix Name | Enter a 32 character maximum name for the IPv6 prefix from provider in EUI format. Using EUI64, a host can automatically assign itself a unique 64-bit IPv6 interface identifier without manual configuration or DHCP. |
| Host ID | Define the subnet ID and prefix length. |

24 Select OK to save the changes to the new IPv6 prefix from provider in EUI64 format. Select Exit to close the screen without saving the updates.

25 Refer to the DHCPv6 Relay table to set the address and interface of the DHCPv6 relay. The DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends back the response to the client.
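The relay-forward / relay-reply exchange described in steps 18 and 25, written out on the wire as an added example (not code from the guide or from Extreme): the relay wraps the client's message, the server answers with a Relay-Reply carrying the same link and peer addresses, and the relay unwraps it for the client. Message types, option codes and the hop-count limit follow RFC 8415; all addresses and the client DUID are constructed sample values.

```python
import struct
import ipaddress

# DHCPv6 message types and option codes (RFC 8415, sections 7.3 and 21)
SOLICIT, ADVERTISE, RELAY_FORW, RELAY_REPL = 1, 2, 12, 13
OPTION_CLIENTID, OPTION_RELAY_MSG = 1, 9
HOP_COUNT_LIMIT = 8   # a relay discards a Relay-Forward whose hop-count reached this

# Used when no relay server address is configured (the guide's "all DHCP
# server relay multicast addresses"): All_DHCP_Servers, site-local scope.
ALL_DHCP_SERVERS = ipaddress.IPv6Address("ff05::1:3")


def build_option(code, payload):
    """Encode one DHCPv6 option: 2-byte code, 2-byte length, payload."""
    return struct.pack("!HH", code, len(payload)) + payload


def parse_options(data):
    """Decode a DHCPv6 option block into a list of (code, payload) pairs."""
    opts, off = [], 0
    while off + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, off)
        off += 4
        if off + length > len(data):
            raise ValueError("truncated DHCPv6 option")
        opts.append((code, data[off:off + length]))
        off += length
    if off != len(data):
        raise ValueError("trailing bytes after last option")
    return opts


def relay_forward(received, link_address, peer_address, servers=()):
    """Relay agent side: wrap a message received from a client (or from a
    downstream relay) in a Relay-Forward. Returns (destinations, wire)."""
    if received[0] == RELAY_FORW:
        # Relaying another relay's message: carry its hop-count forward, plus one
        if received[1] >= HOP_COUNT_LIMIT:
            raise ValueError("hop-count limit reached, message discarded")
        hop_count = received[1] + 1
    else:
        hop_count = 0          # message came straight from a client on this link
    header = struct.pack("!BB16s16s", RELAY_FORW, hop_count,
                         ipaddress.IPv6Address(link_address).packed,
                         ipaddress.IPv6Address(peer_address).packed)
    wire = header + build_option(OPTION_RELAY_MSG, received)
    destinations = [ipaddress.IPv6Address(s) for s in servers] or [ALL_DHCP_SERVERS]
    return destinations, wire


def server_relay_reply(relay_forw, reply_msg):
    """Server side: answer a Relay-Forward with a Relay-Reply that copies the
    hop-count, link-address and peer-address so the relay can route it back."""
    if relay_forw[0] != RELAY_FORW or len(relay_forw) < 34:
        raise ValueError("not a Relay-Forward")
    return bytes([RELAY_REPL]) + relay_forw[1:34] + build_option(OPTION_RELAY_MSG, reply_msg)


def relay_reply_unwrap(relay_repl):
    """Relay agent side: pull the inner message out of a Relay-Reply together
    with the peer address it must be delivered to. Returns (peer, inner)."""
    if len(relay_repl) < 34 or relay_repl[0] != RELAY_REPL:
        raise ValueError("not a Relay-Reply")
    peer = ipaddress.IPv6Address(relay_repl[18:34])   # bytes 2-17 hold link-address
    inner = [p for code, p in parse_options(relay_repl[34:]) if code == OPTION_RELAY_MSG]
    if len(inner) != 1:
        raise ValueError("Relay-Reply must carry exactly one Relay Message option")
    return peer, inner[0]


def example_exchange():
    """Walk a constructed Solicit through relay, server and back to the relay."""
    # Constructed client Solicit: type 1, transaction-id 0x123456, Client ID option
    solicit = (bytes([SOLICIT]) + b"\x12\x34\x56"
               + build_option(OPTION_CLIENTID, b"\x00\x01demo-duid"))
    dests, forw = relay_forward(solicit, "2001:db8:10::1", "fe80::1",
                                servers=["2001:db8:ffff::53"])
    # Constructed server Advertise reusing the client's transaction-id
    advertise = bytes([ADVERTISE]) + b"\x12\x34\x56"
    repl = server_relay_reply(forw, advertise)
    peer, inner = relay_reply_unwrap(repl)
    return dests, forw, peer, inner


if __name__ == "__main__":
    dests, forw, peer, inner = example_exchange()
    print("forwarded to", dests, "hop-count", forw[1])
    print("reply for", peer, "type", inner[0])
```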
26 Select + Add Row to launch a sub screen wherein a new DHCPv6 relay address and interface VLAN ID can be set.

Figure 8-18 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add DHCPv6 Relay

| Parameter | Description |
|---|---|
| Address | Enter an address for the DHCPv6 relay. These DHCPv6 relays receive messages from DHCPv6 clients and forward them to DHCPv6 servers. The DHCPv6 server sends responses back to the relay, and the relay then sends these responses to the client on the local network link. |
| Interface | Select this option to enable a spinner control to define a VLAN ID from 1 - 4,094 used as the virtual interface for the DHCPv6 relay. The interface designation is only required for link local and multicast addresses. A link local address is a locally derived address designed for addressing on a single link for automatic address configuration, neighbor discovery or when no routing resources are available. |

27 Select OK to save the changes to the DHCPv6 relay configuration. Select Exit to close the screen without saving the updates.

28 Select the IPv6 RA Prefixes tab.

Figure 8-19 Virtual Interfaces - Basic Configuration screen - IPv6 RA Prefixes tab

29 Use the Router Advertisement Policy drop-down menu to select and apply a policy to the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.

30 Review the configurations of existing IPv6 advertisement policies. If needed, select + Add Row to define the configurations of up to 16 additional IPv6 RA prefix configurations.

Figure 8-20 Virtual Interfaces - Basic Configuration screen - Add IPv6 RA Prefix

31 Set the following IPv6 RA Prefix settings:
| Parameter | Description |
|---|---|
| Prefix Type | Set the prefix delegation type used with this configuration. Options include general-prefix (default), Prefix, and prefix-from-provider. The default setting is Prefix. A provider assigned prefix is made available from an Internet Service Provider (ISP) to automate the process of providing and informing the prefixes used. |
| Prefix or ID | Set the actual prefix or ID used with the IPv6 router advertisement. |
| Site Prefix | The site prefix is added into a router advertisement prefix. The site address prefix signifies the address is only on the local link. |
| Valid Lifetime Type | Set the lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If the value is set to infinite, no additional date or time settings are required for the prefix and the prefix will not expire. The default setting is External (fixed). |
| Valid Lifetime Sec | If the lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime. |
| Valid Lifetime Date | If the lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix. |
| Valid Lifetime Time | If the lifetime type is set to decrementing, set the time for the prefix's validity. |
| Preferred Lifetime Type | Set the administrator preferred lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If the value is set to infinite, no additional date or time settings are required for the prefix and the prefix will not expire. The default setting is External (fixed). |
| Preferred Lifetime Sec | If the administrator preferred lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime. |
| Preferred Lifetime Date | If the administrator preferred lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix. |
| Preferred Lifetime Time | If the preferred lifetime type is set to decrementing, set the time for the prefix's validity. |
| Autoconfig | Autoconfiguration includes generating a link-local address, global addresses via stateless address autoconfiguration and duplicate address detection to verify the uniqueness of the addresses on a link. This setting is enabled by default. |
| On Link | Select this option to keep the IPv6 RA prefix on the local link. The default setting is enabled. |

32 Select OK to save the changes to the IPv6 RA prefix configuration. Select Exit to close the screen without saving the updates.

33 Select the Security tab.

Figure 8-21 Virtual Interfaces - Security screen

34 Use the IPv4 Inbound Firewall Rules drop down menu to select the IPv4 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv4 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, since it does not guarantee delivery, and does not ensure proper sequencing or duplicate delivery (unlike TCP). IPv4 and IPv6 are different enough to warrant separate protocols. IPv6 devices can alternatively use stateless address autoconfiguration. IPv4 hosts can use link local addressing to provide local connectivity.

35 Use the IPv6 Inbound Firewall Rules drop down menu to select the IPv6 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv6 is the latest revision of the Internet Protocol (IP) replacing IPv4. IPv6 provides enhanced identification and location information for systems routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

36 Use the VPN Crypto Map drop down menu to select a crypto map to apply to this profile's virtual interface configuration. Crypto maps are sets of configuration parameters for encrypting packets passing through a VPN Tunnel. If a crypto map does not exist suiting the needs of this virtual interface, select the Create icon to define a new crypto map configuration or the Edit icon to modify an existing crypto map. For more information, see Overriding a Profile's VPN Configuration on page 5-207.

37 Use the Web Filter drop-down menu to select or override the URL Filter configuration applied to this virtual interface. Web filtering is used to restrict access to specific (administrator defined) resources on the Internet.

38 Select the Dynamic Routing tab (if available on your controller or service platform). Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN.
Figure 8-22 Virtual Interfaces - Dynamic Routing screen

OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.

39 Define the following OSPF Settings:
| Parameter | Description |
|---|---|
| Priority | Select this option to set the OSPF priority used to select the network designated route. Use the spinner control to set the value from 0 - 255. |
| Cost | Select this option to set the cost of the OSPF interface. Use the spinner control to set the value from 1 - 65,535. |
| Bandwidth | Set the OSPF interface bandwidth (in Kbps) from 1 - 10,000,000. |

40 Select the authentication type from the Chosen Authentication Type drop-down used to validate credentials within the OSPF dynamic route. Options include simple-password, message-digest, null and None. The default value is None.

41 Select + Add Row at the bottom of the MD5 Authentication table to add the Key ID and Password used for an MD5 validation of authenticator credentials. Use the spinner control to set the OSPF message digest authentication key ID. The available range is from 1 - 255. The password is the OSPF key, displayed either as a series of asterisks or in plain text (by selecting Show).

42 Select OK to save the changes to the virtual interface security configuration. Select Exit to close the screen without saving the updates.

8.7.3 Port Channel Configuration

Customized port channel configurations can be applied to profiles as part of their Interface configuration. To define a port channel configuration for a profile:
1 Select Configuration > Profiles > Interface.

2 Expand the Interface menu to display its submenu options.

3 Select Port Channels.

4 Refer to the following to review existing port channel configurations and their current status:
Figure 8-23 Port Channels screen

| Parameter | Description |
|---|---|
| Name | Displays the port channel's numerical identifier assigned to it when it was created. The numerical name cannot be modified as part of the edit process. |
| Type | Displays whether the type is a port channel. |
| Description | Lists a short description (64 characters maximum) describing the port channel or differentiating it from others with similar configurations. |
| Admin Status | A green checkmark defines the listed port channel as active and currently enabled with the profile. A red X defines the port channel as currently disabled and not available for use. The interface status can be modified with the port channel configuration as required. |

5 Select Add to add a new configuration. To edit the configuration of an existing port channel, select it from amongst those displayed and select the Edit button. The port channel Basic Configuration screen displays by default. Configurations can be optionally removed by selecting Delete.

6 Set the following port channel Properties:

Figure 8-24 Port Channels - Basic Configuration screen

| Parameter | Description |
|---|---|
| Description | Enter a brief description for the controller or service platform port channel (64 characters maximum). The description should reflect the port channel's intended function. |
| Admin Status | Select the Enabled radio button to define this port channel as active to the profile it supports. Select the Disabled radio button to disable this port channel configuration within the profile. It can be activated at any future time when needed. The default setting is enabled. |
| Speed | Select the speed at which the port channel can receive and transmit the data. Select either 10 Mbps, 100 Mbps or 1000 Mbps. Select either of these options to establish a 10, 100 or 1000 Mbps data transfer rate for the selected half duplex or full duplex transmission over the port. These options are not available if Automatic is selected. Select Automatic to enable the port channel to automatically exchange information about data transmission speed and duplex capabilities. Auto negotiation is helpful in an environment where different devices are connected and disconnected on a regular basis. Automatic is the default setting. |
| Duplex | Select either Half, Full or Automatic as the duplex option. Select Half duplex to send data over the port channel, then immediately receive data from the same direction in which the data was transmitted. Like a Full duplex transmission, a Half duplex transmission can carry data in both directions, just not at the same time. Select Full duplex to transmit data to and from the port channel at the same time. Using Full duplex, the port channel can send data while receiving data as well. Select Automatic to set the duplex dynamically as port channel performance needs dictate. Automatic is the default setting. |

7 Use the Port Channel Load Balance drop-down menu to define whether port channel load balancing is conducted using a Source/Destination IP or a Source/Destination MAC. Source/Destination IP is the default setting.

8 Define the following Switching Mode parameters to apply to the port channel configuration:
| Parameter | Description |
|---|---|
| Mode | Select either the Access or Trunk radio button to set the VLAN switching mode over the port channel. If Access is selected, the port channel accepts packets only from the native VLAN. Frames are forwarded out the port untagged with no 802.1Q header. All frames received on the port are expected as untagged and are mapped to the native VLAN. If the mode is set to Trunk, the port channel allows packets from a list of VLANs you add to the trunk. A port channel configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN which can be tagged or untagged. Access is the default setting. |
| Native VLAN | Use the spinner control to define a numerical ID between 1 - 4094. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. Additionally, the native VLAN is the VLAN which untagged traffic will be directed over when using trunk mode. The default value is 1. |
| Tag the Native VLAN | Select the checkbox to tag the native VLAN. Devices support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID the frame belongs to for upstream devices. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q header is included in the frame. This setting is disabled by default. |
| Allowed VLANs | Selecting Trunk as the mode enables the Allowed VLANs parameter. Add VLANs that exclusively send packets over the port channel. |

9 Select OK to save the changes made to the port channel Basic Configuration. Select Reset to revert to the last saved configuration.

10 Select the Security tab.

Figure 8-25 Port Channels - Security screen

11 Refer to the Access Control section. As part of the port channel's security configuration, Inbound IPv4 IP, IPv6 IP and MAC address firewall rules are required. Use the drop-down menus to select the firewall rules to apply to this profile's port configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances. Use the IPv4 Inbound Firewall Rules drop down menu to select the IPv4 specific firewall rules to apply to this profile's port channel configuration. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity. Use the IPv6 Inbound Firewall Rules drop down menu to select the IPv6 specific firewall rules to apply to this profile's port channel configuration. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
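The Access/Trunk switching-mode behaviour from step 8 (native VLAN, Tag the Native VLAN, Allowed VLANs, the 4-byte 802.1Q header with its 12-bit VLAN ID), as an added example that is not code from the guide or from Extreme: it classifies received frames to a VLAN and tags frames for transmission, dropping what the port does not carry. It assumes an access port drops any tagged frame it receives, since the guide says such a port expects only untagged frames; MAC addresses and payloads are constructed samples.

```python
import struct
from dataclasses import dataclass

TPID_8021Q = 0x8100   # EtherType value that announces the 4-byte 802.1Q header
VID_MASK = 0x0FFF     # the 12-bit VLAN ID inside the Tag Control Information


@dataclass
class PortChannel:
    mode: str = "access"                    # Access is the default switching mode
    native_vlan: int = 1                    # default native VLAN is 1
    tag_native: bool = False                # "Tag the Native VLAN" is off by default
    allowed_vlans: frozenset = frozenset()  # only meaningful in trunk mode

    def carries(self, vid):
        """Whether this port channel is a member of VLAN vid at all."""
        if self.mode == "access":
            return vid == self.native_vlan
        return vid == self.native_vlan or vid in self.allowed_vlans

    def classify_ingress(self, frame):
        """Map a received frame to a VLAN. Returns (vid, frame_without_tag),
        or None when the frame is dropped."""
        if len(frame) < 14:
            raise ValueError("short Ethernet frame")
        (ethertype,) = struct.unpack_from("!H", frame, 12)
        if ethertype != TPID_8021Q:
            # Untagged: both modes assign the frame to the native VLAN
            return self.native_vlan, frame
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (tci,) = struct.unpack_from("!H", frame, 14)
        vid = tci & VID_MASK
        stripped = frame[:12] + frame[16:]   # remove the 4-byte tag
        if vid == 0:
            # VID 0 is a priority-only tag; it carries no VLAN membership
            return self.native_vlan, stripped
        if vid == 0xFFF:
            return None          # reserved VID, never a valid membership
        if self.mode == "access":
            # Assumption: an access port expects untagged frames only, so a
            # tagged frame is dropped rather than mapped to its VID
            return None
        if not self.carries(vid):
            return None          # not in the trunk's allowed VLAN list
        return vid, stripped

    def tag_egress(self, vid, frame):
        """Prepare an untagged frame belonging to VLAN vid for transmission.
        Returns the wire frame, or None if this port does not carry vid."""
        if not self.carries(vid):
            return None
        if self.mode == "access":
            return frame         # access ports always send untagged
        if vid == self.native_vlan and not self.tag_native:
            return frame         # native VLAN leaves untagged unless tagging is on
        tci = vid & VID_MASK     # PCP 0, DEI 0, 12-bit VID
        return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def make_frame(vid=None, ethertype=0x0800, payload=b"\x45" + bytes(19)):
    """Constructed Ethernet frame with an optional 802.1Q tag (sample MACs)."""
    dst, src = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
    tag = struct.pack("!HH", TPID_8021Q, vid & VID_MASK) if vid is not None else b""
    return dst + src + tag + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    trunk = PortChannel(mode="trunk", allowed_vlans=frozenset({10, 20}))
    for f in (make_frame(), make_frame(10), make_frame(30)):
        print(trunk.classify_ingress(f))
```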
12 If a firewall rule does not exist suiting the data protection needs of the target port channel configuration, select the Create icon to define a new rule configuration or the Edit icon to modify an existing firewall rule configuration.

13 Refer to the Trust field to define the following:

| Parameter | Description |
|---|---|
| Trust ARP Responses | Select the check box to enable ARP trust on this port channel. ARP packets received on this port are considered trusted and information from these packets is used to identify rogue devices within the network. The default value is disabled. |
| Trust DHCP Responses | Select the check box to enable DHCP trust. If enabled, only DHCP responses are trusted and forwarded on this port channel, and a DHCP server can be connected only to a DHCP trusted port. The default value is enabled. |
| ARP header Mismatch Validation | Select the check box to enable a mismatch check for the source MAC in both the ARP and Ethernet header. The default value is enabled. |
| Trust 802.1p COS values | Select the check box to enable 802.1p COS values on this port channel. The default value is enabled. |
| Trust IP DSCP | Select the check box to enable IP DSCP values on this port channel. The default value is enabled. |

14 Refer to the IPv6 Settings field to define the following:
Trust ND Requests Trust DHCPv6 Responses ND header Mismatch Validation RA Guard Select the check box to enable neighbor discovery (ND) request trust on this port channel (neighbor discovery requests received on this port are considered trusted). Use ND to determine the link-layer addresses for neighbors known to reside on attached links, similar to Address Resolution Protocol (ARP) on Ethernet in IPv4. The default value is disabled. Select the check box to enable DHCPv6 trust. If enabled, only DHCPv6 responses are trusted and forwarded on this port channel, and a DHCPv6 server can be connected only to a trusted port. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link. The default value is enabled. Select the check box to enable a mismatch check for the source MAC in both the ND header and link layer option. The default value is disabled. Select this option to allow router advertisements or IPv6 redirects from this port. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.This setting is enabled by default. 15 Select OK to save the changes to the security configuration. Select Reset to revert to the last saved configuration. 16 Select the Spanning Tree tab. Wireless Controller and Service Platform System Reference Guide 8 - 48 Profile Configuration 17 Define the following PortFast parameters for the port channels MSTP configuration:
Figure 8-26 Port Channels - Spanning Tree screen Enable PortFast Enable PortFast BPDU Filter Enable PortFast BPDU Guard Select the check box to enable drop-down menus for both the port Enable Portfast BPDU Filter and Enable Portfast BPDU guard options. This setting is disabled by default. Select Enable to invoke a BPDU filter for this portfast enabled port channel. Enabling the BPDU filter feature ensures this port channel does not transmit or receive any BPDUs. The default setting is None. Select Enable to invoke a BPDU guard for this portfast enabled port channel. Enabling the BPDU Guard feature means this port will shutdown on receiving a BPDU. Thus, no BPDUs are processed. The default setting is None. 18 Set the following MSTP Configuration parameters for the port channel:
Link Type: Select either the Point-to-Point or Shared radio button. Selecting Point-to-Point indicates the port should be treated as connected to a point-to-point link. Selecting Shared indicates this port should be treated as having a shared connection. A port connected to a hub is on a shared link, while one connected to a controller or service platform is on a point-to-point link. Point-to-Point is the default setting.
Cisco MSTP Interoperability: Select either the Enable or Disable radio button. This enables interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default.
Force Protocol Version: Sets the protocol version to either STP (0), Not Supported (1), RSTP (2) or MSTP (3). MSTP is the default setting.
Guard: Determines whether the port channel enforces root bridge placement. Setting the guard to Root ensures the port is a designated port. Typically, each guard root port is a designated port, unless two or more ports (within the root bridge) are connected together. If the bridge receives superior BPDUs on a guard root-enabled port, the guard root moves the port to a root-inconsistent STP state. This state is equivalent to a listening state: no data is forwarded across the port. Thus, the guard root enforces the root bridge position.
19 Refer to the Spanning Tree Port Cost table. Define an Instance Index using the spinner control and then set the cost. The default path cost depends on the user-defined port speed. The cost helps determine the role of the port channel in the MSTP network. The designated cost is the cost for a packet to travel from this port to the root in the MSTP configuration. The slower the media, the higher the cost.
Speed                       Default Path Cost
<=100000 bits/sec           200000000
<=1000000 bits/sec          20000000
<=10000000 bits/sec         2000000
<=100000000 bits/sec        200000
<=1000000000 bits/sec       20000
<=10000000000 bits/sec      2000
<=100000000000 bits/sec     200
<=1000000000000 bits/sec    20
>1000000000000 bits/sec     2
20 Select + Add Row as needed to include additional indexes.
21 Refer to the Spanning Tree Port Priority table. Define an Instance Index using the spinner control and then set the Priority. The lower the priority value, the greater the likelihood of the port becoming a designated port.
22 Select + Add Row as needed to include additional indexes.
23 Select OK to save the changes made to the Ethernet Port Spanning Tree configuration. Select Reset to revert to the last saved configuration.
8.7.4 VM Interface Configuration
WiNG provides a dataplane bridge for external network connectivity for Virtual Machines (VMs). VM Interfaces define which IP address is associated with each VLAN ID the service platform is connected to, and enable remote service platform administration. Each custom VM can have up to a maximum of two VM interfaces. Each VM interface can be mapped to one of sixteen VMIF ports on the dataplane bridge. This mapping determines the destination for service platform routing.
By default, VM interfaces are internally connected to the dataplane bridge via VMIF1. VMIF1 is an untagged port providing access to VLAN 1, to support the capability to connect the VM interfaces to any of the VMIF ports. This provides the flexibility to move a VM interface onto different VLANs as well as to configure specific firewall and QoS rules. To define a VM interface profile configuration:
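The PortFast BPDU Filter, BPDU Guard and Guard Root behaviour from the port channel Spanning Tree tab (steps 17 and 18 above), as an added example modelled over constructed 802.1D BPDUs; this is not WiNG code or code from the reference guide. It assumes the filter and guard options take effect only while PortFast is enabled (the screen only enables them then) and that the filter is evaluated before the guard; all MAC addresses and bridge priorities are constructed.

```python
import struct
from dataclasses import dataclass

STP_MULTICAST = bytes.fromhex("0180c2000000")   # 802.1D bridge group address
LLC_STP = b"\x42\x42\x03"                        # DSAP/SSAP 0x42, UI control field


@dataclass(frozen=True)
class StpPort:
    """PortFast and Guard settings from the port channel Spanning Tree tab (defaults shown)."""
    portfast: bool = False
    bpdu_filter: bool = False   # Enable PortFast BPDU Filter; None (off) by default
    bpdu_guard: bool = False    # Enable PortFast BPDU Guard; None (off) by default
    guard_root: bool = False    # Guard set to Root


def parse_bpdu(frame):
    """Return the fields of an 802.1D/802.1w BPDU, or None when the frame is not one.
    Layout: DA(6) SA(6) length(2) LLC(3) proto(2) version(1) type(1) flags(1) root ID(8)
    root path cost(4) bridge ID(8) port ID(2) timers..."""
    if len(frame) < 21 or frame[:6] != STP_MULTICAST or frame[14:17] != LLC_STP:
        return None
    bpdu = frame[17:]
    proto, _version, btype = struct.unpack("!HBB", bpdu[:4])
    if proto != 0:
        return None
    if btype == 0x80:                       # Topology Change Notification carries no IDs
        return {"type": "tcn"}
    if btype not in (0x00, 0x02) or len(bpdu) < 27:
        return None
    root_id, root_cost, bridge_id, port_id = struct.unpack("!8sI8sH", bpdu[5:27])
    return {"type": "config" if btype == 0 else "rst", "root_id": root_id,
            "root_cost": root_cost, "bridge_id": bridge_id, "port_id": port_id}


def handle_bpdu(frame, port, current_root_id):
    """What the port does with one received frame: ('forwarding' | 'err-disabled' |
    'root-inconsistent', note).  current_root_id is the 8-byte ID of the bridge this
    device currently accepts as root."""
    info = parse_bpdu(frame)
    if info is None:
        return "forwarding", "not a BPDU; switched normally"
    if port.portfast and port.bpdu_filter:
        return "forwarding", "BPDU filter: BPDU neither processed nor forwarded"
    if port.portfast and port.bpdu_guard:
        return "err-disabled", "BPDU guard: port shut down on receiving a BPDU"
    if port.guard_root and info["type"] != "tcn" and info["root_id"] < current_root_id:
        # Bridge IDs compare as big-endian integers: lower is superior.  Instead of
        # letting the sender become root, the port enters root-inconsistent (listening).
        return "root-inconsistent", "root guard: superior root ID %s" % info["root_id"].hex()
    return "forwarding", "BPDU processed by the spanning tree"


def config_bpdu(src_mac, root_priority, root_mac, root_cost, bridge_priority, bridge_mac):
    """Constructed 802.1D configuration BPDU frame (a sample, not a capture)."""
    root_id = struct.pack("!H6s", root_priority, bytes.fromhex(root_mac))
    bridge_id = struct.pack("!H6s", bridge_priority, bytes.fromhex(bridge_mac))
    body = struct.pack("!HBBB8sI8sHHHHH", 0, 0, 0, 0, root_id, root_cost, bridge_id,
                       0x8001, 0, 20 * 256, 2 * 256, 15 * 256)  # timers in 1/256 s
    return (STP_MULTICAST + bytes.fromhex(src_mac)
            + struct.pack("!H", len(LLC_STP) + len(body)) + LLC_STP + body)
```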
1 Select Configuration > Profiles > Interface.
2 Expand the Interface menu to display its submenu options.
3 Select VM.
4 Refer to the following to review VM interface configurations and status:
Figure 8-27 Profile - VM Interfaces screen
Name: Displays the VM interface numerical identifier assigned when it was created. The numerical name cannot be modified as part of the edit process.
Type: Displays whether the type is VM interface.
Description: Lists a short description (64 characters maximum) describing the VM interface or differentiating it from others with similar configurations.
Admin Status: A green check mark defines the listed VM interface as active and currently enabled with the profile. A red X defines the VM interface as currently disabled and not available for use. The interface status can be modified with the VM interface Basic Configuration screen as required.
Mode: Displays the layer 3 mode of the VM interface as either Access or Trunk (as defined within the VM Interfaces Basic Configuration screen). If Access is selected, the listed VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the port are expected as untagged and mapped to the native VLAN. If set to Trunk, the port allows packets from a list of VLANs added to the trunk. A VM interface configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN, which can be tagged or untagged.
Native VLAN: Lists the numerical VLAN ID (1 - 4094) set for the native VLAN. The native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a VM interface in trunk mode.
Tag Native VLAN: A green check mark defines the native VLAN as tagged. A red X defines the native VLAN as untagged. When a frame is tagged, the 12-bit frame VLAN ID is added to the 802.1Q header so upstream VM interface ports know which VLAN ID the frame belongs to. The device reads the 12-bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream VM interface classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame.
Allowed VLANs: Displays those VLANs allowed to send packets over the listed VM interface. Allowed VLANs are only listed when the mode has been set to Trunk.
5 To edit the configuration of an existing VM interface, select it from amongst those displayed and select the Edit button. The VM Interfaces Basic Configuration screen displays by default.
6 Set the following VM interface Properties:
Figure 8-28 Profile - VM Interfaces Basic Configuration screen
Description: Enter a brief description for the controller or service platform VM interface (64 characters maximum).
Admin Status: Select the Enabled radio button to define this VM interface as active to the profile it supports. Select the Disabled radio button to disable this VM interface configuration in the profile. It can be activated at any future time when needed.
7 Set the following Switching Mode parameters to apply to the VM Interface configuration:
Mode: Select either the Access or Trunk radio button to set the VLAN switching mode over the VM interface. If Access is selected, the VM interface accepts packets only from the native VLAN. Frames are forwarded untagged with no 802.1Q header. All frames received on the VMIF port are expected as untagged and are mapped to the native VLAN. If the mode is set to Trunk, the VM interface allows packets from a list of VLANs you add to the trunk. A VM interface configured as Trunk supports multiple 802.1Q tagged VLANs and one Native VLAN, which can be tagged or untagged. Access is the default setting.
Native VLAN: Use the spinner control to define a numerical Native VLAN ID from 1 - 4094. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic will be directed over when using trunk mode. The default value is 1.
Tag the Native VLAN: Select this option to tag the native VLAN. Service platforms support the IEEE 802.1Q specification for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID the frame belongs to for the upstream VMIF. If the upstream VMIF does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between VM interface ports, both VM interfaces must support tagging and be configured to accept tagged VLANs. When a frame is tagged, a 12-bit frame VLAN ID is added to the 802.1Q header, so upstream VM interfaces know which VLAN ID the frame belongs to. The 12-bit VLAN ID is read and the frame is forwarded to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream VMIF classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows a VM interface to associate untagged frames to a VLAN when no 802.1Q tag is included in the frame. This setting is disabled by default.
Allowed VLANs: Selecting Trunk as the mode enables the Allowed VLANs parameter. Add VLANs that exclusively send packets over the VM interface. The available range is from 1 - 4094. The maximum number of entries is 256.
8 Select OK to save the changes to the VM interface basic configuration. Select Reset to revert to the last saved configuration.
9 Select the Security tab.
Figure 8-29 Profile - VM Interfaces Security screen
10 Refer to the Access Control field. As part of the VM interface's security configuration, IPv4 and IPv6 Inbound and MAC Inbound address firewall rules are required. Use the drop-down menus to select the firewall rules to apply to this profile's VM interface configuration. The firewall inspects IP and MAC traffic flows and detects attacks typically not visible to traditional wired firewall appliances.
Use the IPv4 Inbound Firewall Rules drop-down menu to select the IPv4-specific firewall rules to apply to this profile's VM interface configuration. IPv4 is a connectionless protocol for packet-switched networking. IPv4 operates as a best-effort delivery method: it does not guarantee delivery, and does not ensure proper sequencing or guard against duplicate delivery (unlike TCP). IPv4 hosts can use link-local addressing to provide local connectivity.
Use the IPv6 Inbound Firewall Rules drop-down menu to select the IPv6-specific firewall rules to apply to this profile's VM interface configuration. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
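The Switching Mode rules from step 7 above (Access versus Trunk, the native VLAN, Tag the Native VLAN and Allowed VLANs) applied to raw Ethernet frames, as an added example; this is not code from the reference guide or from WiNG. The frame builder, the port settings, the MAC addresses and the function names are constructed for illustration, and the handling of a VLAN ID of 0 follows IEEE 802.1Q rather than anything the guide states.

```python
import struct
from dataclasses import dataclass

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class SwitchportConfig:
    """Switching Mode parameters of a VM interface (or port channel) Basic Configuration."""
    mode: str = "access"                    # Access or Trunk; Access is the default
    native_vlan: int = 1                    # 1 - 4094; the default is 1
    tag_native: bool = False                # "Tag the Native VLAN", disabled by default
    allowed_vlans: frozenset = frozenset()  # Allowed VLANs; trunk mode only, 256 entries max

    def validate(self):
        """Enforce the ranges the guide gives for these fields."""
        if self.mode not in ("access", "trunk"):
            raise ValueError("mode must be 'access' or 'trunk'")
        if not 1 <= self.native_vlan <= 4094:
            raise ValueError("native VLAN must be 1 - 4094")
        if self.mode == "trunk":
            if len(self.allowed_vlans) > 256:
                raise ValueError("at most 256 Allowed VLAN entries")
            bad = sorted(v for v in self.allowed_vlans if not 1 <= v <= 4094)
            if bad:
                raise ValueError(f"Allowed VLANs outside 1 - 4094: {bad}")
        return self


def build_frame(dst, src, ethertype, vlan=None, pcp=0, payload=b""):
    """Constructed Ethernet II frame, optionally carrying one 802.1Q tag (4 bytes)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_tag(frame):
    """Return (vlan_id, pcp, inner_ethertype); vlan_id and pcp are None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return None, None, ethertype
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, tci >> 13, inner   # 12-bit VLAN ID, 3-bit 802.1p COS


def classify_ingress(frame, port):
    """Map an arriving frame to a VLAN as the guide describes, or drop it.
    Returns (vlan_id, reason); vlan_id is None when the frame is dropped."""
    vid, _pcp, _ = parse_tag(frame)
    if vid is None or vid == 0:
        # Untagged frames are classified to the native VLAN in both modes.  A VID of 0
        # is a priority-only tag under IEEE 802.1Q and is treated the same way
        # (assumption: the guide does not mention priority-tagged frames).
        return port.native_vlan, "untagged -> native VLAN"
    if vid == 4095:
        return None, "reserved VLAN ID 4095"
    if port.mode == "access":
        # Access mode: every received frame is expected untagged; tags are not accepted.
        return None, "tagged frame on an access port"
    if vid == port.native_vlan:
        # Trunk mode: the native VLAN may arrive tagged (Tag the Native VLAN) or untagged.
        return vid, "tagged native VLAN"
    if vid in port.allowed_vlans:
        return vid, "allowed VLAN"
    return None, f"VLAN {vid} is not in the Allowed VLANs list"


def egress_tagged(vlan_id, port):
    """Whether a frame for vlan_id leaves this port with an 802.1Q header."""
    if port.mode == "access":
        return False            # access ports forward untagged frames only
    if vlan_id == port.native_vlan:
        return port.tag_native  # native VLAN is tagged only when configured so
    return True                 # every other trunk VLAN is always tagged
```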
If a firewall rule does not exist suiting the data protection needs of the target VM interface configuration, select the Create icon to define a new rule configuration, or the Edit icon to modify an existing firewall rule configuration.
11 Refer to the Trust field to set the following:
Trust ARP Responses: Select this option to enable ARP trust on this VM interface. ARP packets received on this port are considered trusted, and information from these packets is used to identify rogue devices. The default value is disabled.
Trust DHCP Responses: Select this option to enable DHCP trust on this VM interface. If enabled, only DHCP responses are trusted and forwarded on this VM interface, and a DHCP server can be connected only to a DHCP trusted port. The default value is enabled.
ARP header Mismatch Validation: Select this option to enable a source MAC mismatch check in both the ARP and Ethernet header. The default value is enabled.
Trust 802.1p COS values: Select this option to enable 802.1p COS values on this VM interface. The default value is enabled.
Trust IP DSCP: Select this option to enable IP DSCP values on this VM interface. The default value is enabled.
12 Set the following IPv6 Settings required for unique IPv6 support:
Trust ND Requests: Select this option to enable the trust of neighbor discovery requests required on an IPv6 network on this VM interface. This setting is disabled by default.
Trust DHCPv6 Responses: Select this option to trust all DHCPv6 responses on this VM interface. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link. This setting is enabled by default.
ND Header Mism atch Validation: Select this option to enable a mismatch check for the source MAC within the ND header and the link-layer option. This setting is disabled by default.
RA Guard: Select this option to enable router advertisements or ICMPv6 redirects from this VM interface. Router advertisements are periodically sent to hosts or sent in response to neighbor solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. This setting is disabled by default.
Select OK to save the changes to the security configuration. Select Reset to revert to the last saved configuration.
8.7.5 Access Point Radio Configuration
Access Points can have their radio configurations modified once their radios have successfully associated to an adopting peer Access Point, wireless controller or service platform. Take care not to modify an Access Point's configuration using its resident Web UI, CLI or SNMP interfaces while it is managed by a profile, or risk the Access Point having a configuration independent from the profile until the profile can be uploaded to the Access Point again. To define an Access Point radio configuration from the Access Point's associated controller or service platform:
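The Trust and IPv6 Settings checks described in steps 11 and 12 above, modelled as an ingress filter over constructed frames; this is an added example, not WiNG code or code from the reference guide. It assumes the option semantics as the guide words them: an ARP or ND source MAC that differs from the Ethernet source is dropped when the mismatch validation is on, DHCP and DHCPv6 server responses are forwarded only where the corresponding trust is enabled, and router advertisements or redirects are dropped unless the RA Guard option (which the guide describes as enabling them from the port) is selected; the MAC and IP addresses are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass

ETH_IPV4, ETH_ARP, ETH_IPV6 = 0x0800, 0x0806, 0x86DD
ICMPV6_RA, ICMPV6_NS, ICMPV6_REDIRECT = 134, 135, 137


@dataclass(frozen=True)
class PortTrust:
    """Trust and IPv6 Settings of a VM interface, defaults as listed in steps 11 and 12."""
    trust_dhcp_responses: bool = True
    arp_header_mismatch_validation: bool = True
    trust_dhcpv6_responses: bool = True
    nd_header_mismatch_validation: bool = False
    ra_guard: bool = False  # per the guide, selecting it enables RAs/redirects from the port


def nd_source_lladdr(icmp):
    """Source link-layer address option (type 1) of a Neighbor Solicitation, or None."""
    off = 24  # ICMPv6 header (8 bytes incl. reserved) + target address (16 bytes)
    while off + 2 <= len(icmp):
        otype, olen = icmp[off], icmp[off + 1] * 8
        if olen == 0 or off + olen > len(icmp):
            return None  # malformed option: stop rather than trust a partial address
        if otype == 1 and olen >= 8:
            return icmp[off + 2:off + 8]
        off += olen
    return None


def inspect(frame, port):
    """Apply the port's trust settings to one ingress frame: ('forward' | 'drop', reason)."""
    if len(frame) < 14:
        return "drop", "runt frame"
    eth_src, pkt = frame[6:12], frame[14:]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_ARP:
        # ARP layout: htype(2) ptype(2) hlen(1) plen(1) oper(2) sender MAC(6) ...
        if len(pkt) < 28:
            return "drop", "truncated ARP"
        if port.arp_header_mismatch_validation and pkt[8:14] != eth_src:
            return "drop", "ARP sender MAC %s differs from Ethernet source %s" % (
                pkt[8:14].hex(), eth_src.hex())
    elif ethertype == ETH_IPV4:
        if len(pkt) < 20:
            return "drop", "truncated IPv4"
        ihl = (pkt[0] & 0x0F) * 4
        if pkt[9] == 17 and len(pkt) >= ihl + 8:  # UDP
            sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
            if (sport, dport) == (67, 68) and not port.trust_dhcp_responses:
                return "drop", "DHCP server response on a port without DHCP trust"
    elif ethertype == ETH_IPV6:
        if len(pkt) < 40:
            return "drop", "truncated IPv6"
        nxt, body = pkt[6], pkt[40:]
        if nxt == 17 and len(body) >= 8:  # UDP
            sport, dport = struct.unpack("!HH", body[:4])
            if (sport, dport) == (547, 546) and not port.trust_dhcpv6_responses:
                return "drop", "DHCPv6 server response on a port without DHCPv6 trust"
        elif nxt == 58:  # ICMPv6
            if len(body) < 8:
                return "drop", "truncated ICMPv6"
            if body[0] in (ICMPV6_RA, ICMPV6_REDIRECT) and not port.ra_guard:
                return "drop", "router advertisement/redirect from a port not permitted to send them"
            if body[0] == ICMPV6_NS and port.nd_header_mismatch_validation:
                sll = nd_source_lladdr(body)
                if sll is not None and sll != eth_src:
                    return "drop", "ND source link-layer %s differs from Ethernet source %s" % (
                        sll.hex(), eth_src.hex())
    return "forward", "ok"


# Constructed sample-frame builders (samples, not captures from a real network).
def eth(dst, src, ethertype, payload):
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype) + payload

def arp_request(sender_mac, sender_ip, target_ip):
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + bytes.fromhex(sender_mac)
            + ipaddress.IPv4Address(sender_ip).packed + bytes(6)
            + ipaddress.IPv4Address(target_ip).packed)

def ipv4_udp(src_ip, dst_ip, sport, dport, payload=b""):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ip + udp

def ipv6(src_ip, dst_ip, next_header, payload):
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 255,
                       ipaddress.IPv6Address(src_ip).packed,
                       ipaddress.IPv6Address(dst_ip).packed) + payload

def ipv6_icmp(src_ip, dst_ip, icmp_type, body=b""):
    return ipv6(src_ip, dst_ip, 58, bytes([icmp_type, 0, 0, 0]) + body)  # checksum left 0
```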
1 Select Configuration > Profiles > Interface.
2 Expand the Interface menu to display its submenu options.
3 Select Radios.
4 Review the following to determine whether a radio configuration requires modification to better support the managed network:
Figure 8-30 Access Point - Radios screen
Name: Displays whether the reporting radio is the Access Point's radio1, radio2 or radio3.
Type: Displays the type of radio housed by each listed Access Point.
Description: Displays a brief description of the radio provided by the administrator when the radio's configuration was added or modified.
Admin Status: A green check mark defines the listed radio as active and enabled with its supported profile. A red X defines the radio as currently disabled.
RF Mode: Displays whether each listed radio is operating in the 802.11a/n or 802.11b/g/n radio band. If the radio is a dedicated sensor, it is listed as a sensor to define the radio as not providing typical WLAN support. If the radio is a client-bridge, it provides a typical bridging function and does not provide WLAN support. The radio band is set from within the Radio Settings tab.
Channel: Lists the channel setting for the radio. Smart is the default setting. If set to Smart, the Access Point scans non-overlapping channels listening for beacons from other Access Points. After the channels are scanned, it selects the channel with the fewest Access Points. In the case of multiple Access Points on the same channel, it selects the channel with the lowest average power level.
Transmit Power: Lists the transmit power for each radio, displayed as a value in milliwatts. If Smart is displayed, the radio has been set to make compensations for failed or poorly performing neighbor radios.
5 If required, select a radio configuration and select the Edit button to modify its configuration. The Radio Settings tab displays by default.
Figure 8-31 Access Point Radio - Radio Settings tab
6 Define the following radio configuration parameters from within the Properties field:
Description: Provide or edit a description (1 - 64 characters in length) for the radio that helps differentiate it from others with similar configurations.
Admin Status: Select the Enabled radio button to define this radio as active to the profile it supports. Select the Disabled radio button to disable this radio configuration within the profile. It can be activated at any future time when needed. The default setting is enabled.
Radio QoS Policy: Use the drop-down menu to specify an existing QoS policy to apply to the Access Point radio in respect to its intended radio traffic. If there is no existing policy suiting the radio's intended operation, select the Create icon to define a new QoS policy that can be applied to this profile.
Association ACL: Use the drop-down menu to specify an existing Association ACL policy to apply to the Access Point radio. An Association ACL is a policy-based ACL that either prevents or allows wireless clients from connecting to an Access Point radio. An ACL is a sequential collection of permit and deny conditions that apply to packets. When a packet is received on an interface, it is compared against the applied ACLs to verify the packet has the required permissions to be forwarded. If a packet does not meet any of the criteria specified in the ACL, the packet is dropped. Select the Create icon to define a new Association ACL that can be applied to this profile.
7 Set the following profile Radio Settings for the selected Access Point radio:
RF Mode: Set the mode to either 2.4 GHz WLAN or 5 GHz WLAN depending on the radio's intended client support requirement. Set the mode to Sensor if using the radio for rogue device detection. To use a radio as a detector, disable Sensor support on the other radio. Set the mode to scan-ahead to use the secondary radio to scan for an active channel for backhaul transmission in the event of a radio trigger on the principal radio. The Access Point should then switch radios, allowing transmission to continue. This is required in environments where handoff is required and DFS triggers are common.
Lock RF Mode: Select the check box to lock Smart RF for this radio. The default setting is disabled.
Channel: Use the drop-down menu to select the channel of operation for the radio. Only a trained installation professional should define the radio channel. Select Smart for the radio to scan non-overlapping channels listening for beacons from other Access Points. After the channels are scanned, the radio selects the channel with the fewest Access Points. In the case of multiple Access Points on the same channel, it selects the channel with the lowest average power level. The default value is Smart. Channels with a "w" appended to them are unique to the 40 MHz band. Channels with a "ww" appended to them are 802.11ac specific, only appear when using an AP8232, and are unique to the 80 MHz band.
DFS Revert Home: Select this option to revert to the home channel after a DFS evacuation period.
DFS Duration: Set the DFS hold time from 30 to 3,600 minutes. The default is 90 minutes.
Transmit Power: Set the transmit power of the selected Access Point radio. If using a dual or three radio model Access Point, each radio should be configured with a unique transmit power in respect to its intended client support function. A setting of 0 defines the radio as using Smart RF to determine its output power. 20 dBm is the default value. Selecting Smart deactivates the spinner control and automatically reflects a "0" in the spinner control's grayed-out box.
Antenna Gain: Set the antenna gain between 0.00 - 15.00 dBm. The Access Point's Power Management Antenna Configuration File (PMACF) automatically configures the Access Point's radio transmit power based on the antenna type, its antenna gain (provided here) and the deployed country's regulatory domain restrictions. Once provided, the Access Point calculates the power range. Antenna gain relates the intensity of an antenna in a given direction to the intensity that would be produced ideally by an antenna that radiates equally in all directions (isotropically) and has no losses. Although the gain of an antenna is directly related to its directivity, its gain is a measure that takes into account the efficiency of the antenna as well as its directional capabilities. Only a professional installer should set the antenna gain. The default value is 0.00.
Antenna Mode: Use the drop-down menu to select the number of transmit and receive antennas on the Access Point. 1x1 is used for transmissions over just the single A antenna; 1x3 is used for transmissions over the A antenna and all three antennas for receiving. 2x2 is used for transmissions and receipts over two antennas for dual antenna models. The default setting is dynamic, based on the Access Point model deployed and its transmit power settings.
Enable Antenna Diversity: Select this box to enable antenna diversity on supported antennas. Antenna diversity uses two or more antennas to increase signal quality and strength. This option is disabled by default.
Adaptivity Recovery: Select this option to switch channels when an Access Point's radio is in adaptivity mode. In adaptivity mode, an Access Point monitors interference on its set channel and stops functioning when the radio's defined interference tolerance level is exceeded. When the defined adaptivity timeout is exceeded, the radio resumes functionality on a different channel. This option is enabled by default.
Adaptivity Timeout: Set the adaptivity timeout from 30 to 3,600 minutes. The default setting is 90 minutes.
Wireless Client Power: Select this option to specify the transmit power on supported wireless clients. If this is enabled, set a client power level between 0 and 20 dBm. This option is disabled by default.
Dynamic Chain Selection: Select this option for the radio to dynamically change the number of transmit chains. This option is enabled by default.
Data Rates: Once the radio band is provided, the Data Rates drop-down menu populates with rate options depending on the 2.4 or 5 GHz band selected. If the radio band is set to Sensor or Detector, the Data Rates drop-down menu is not enabled, as the rates are fixed and not user configurable. If 2.4 GHz is selected as the radio band, select separate 802.11b, 802.11g and 802.11n rates and define how they are used in combination. If 5 GHz is selected as the radio band, select separate 802.11a and 802.11n rates, then define how they are used together. When using 802.11n (in either the 2.4 or 5 GHz band), set an MCS (modulation and coding scheme) in respect to the radio's channel width and guard interval. An MCS defines (based on RF channel conditions) an optimal combination of 8 data rates, bonded channels, multiple spatial streams, different guard intervals and modulation types. Clients can associate as long as they support the basic MCS (as well as non-11n basic rates).
Radio Placement: Use the drop-down menu to specify whether the radio is located Indoors or Outdoors. The placement should depend on the country of operation and its regulatory domain requirements for radio emissions. The default setting is Indoors.
Max Clients: Use the spinner control to set a maximum permissible number of clients to connect with this radio. The available range is between 0 - 256 clients. The default value is 256.
Rate Selection Method: Specify a rate selection method for the radio. The selection methods are:
Standard - the standard monotonic rate selection method is used.
Opportunistic - sets opportunistic radio link adaptation (ORLA) as the rate selection method. This mode uses opportunistic data rate selection to provide the best throughput. The ORLA rate selection mode is supported only on the AP7161 and AP8163 model Access Points.
8 Set the following profile WLAN Properties for the selected Access Point radio:
Beacon Interval: Set the interval between radio beacons in milliseconds (either 50, 100 or 200). A beacon is a packet broadcast by adopted radios to keep the network synchronized. The beacon includes the WLAN service area, radio address, broadcast destination addresses, time stamp and indicators about traffic and delivery such as a DTIM. Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter-sensitive. The default value is 100 milliseconds.
DTIM Interval: Set a DTIM Interval to specify a period for Delivery Traffic Indication Messages (DTIM). A DTIM is periodically included in a beacon frame transmitted from adopted radios. The DTIM period determines how often the beacon contains a DTIM, for example, 1 DTIM for every 10 beacons. The DTIM indicates that broadcast and multicast frames (buffered at the Access Point) are soon to arrive. These are simple data frames that require no acknowledgement, so nodes sometimes miss them. Increase the DTIM/beacon settings (lengthening the time) to let nodes sleep longer and preserve their battery life. Decrease these settings (shortening the time) to support streaming multicast audio and video applications that are jitter-sensitive.
BSSID
RTS Threshold: Specify a Request To Send (RTS) threshold (between 1 - 65,536 bytes) for use by the WLAN's adopted Access Point radios. RTS is a transmitting station's signal that requests a Clear To Send (CTS) response from a receiving client. This RTS/CTS procedure clears the air where clients are contending for transmission time. Benefits include fewer data collisions and better communication with nodes that are hard to find (or hidden) because of other active nodes in the transmission path. Control RTS/CTS by setting an RTS threshold. This setting initiates an RTS/CTS exchange for data frames larger than the threshold, and sends (without RTS/CTS) any data frames smaller than the threshold. Consider the trade-offs when setting an appropriate RTS threshold for the WLAN's Access Point radios. A lower RTS threshold causes more frequent RTS/CTS exchanges. This consumes more bandwidth because of the additional latency (RTS/CTS exchanges) before transmissions can commence. A disadvantage is the reduction in data-frame throughput. An advantage is quicker system recovery from electromagnetic interference and data collisions. Environments with more wireless traffic and contention for transmission make the best use of a lower RTS threshold. A higher RTS threshold minimizes RTS/CTS exchanges, consuming less bandwidth for data transmissions. A disadvantage is less help to nodes that encounter interference and collisions. An advantage is faster data-frame throughput. Environments with less wireless traffic and contention for transmission make the best use of a higher RTS threshold.
Short Preamble: If using an 802.11bg radio, select this check box for the radio to transmit using a short preamble. Short preambles improve throughput. However, some devices (SpectraLink/Polycom phones) require long preambles. The default value is disabled.
Guard Interval: Use the drop-down menu to specify a Long or Any guard interval. The guard interval is the space between the packets being transmitted. The guard interval is there to eliminate inter-symbol interference (ISI). ISI occurs when echoes or reflections from one transmission interfere with another. Adding time between transmissions allows echoes and reflections to settle before the next packet is transmitted. A shorter guard interval results in shorter times between transmissions, which reduces overhead and increases data rates by up to 10%. The default value is Long.
Probe Response Rate: Use the drop-down menu to specify the data transmission rate used for the transmission of probe responses. Options include highest-basic, lowest-basic and follow-probe-request (the default setting).
Probe Response Retry: Select the check box to retry probe responses if they are not acknowledged by the target wireless client. The default value is enabled.
9 Select a mode from the Feed WLAN Packets to Sensor menu (within the Radio Share field) to enable this feature. Select either Inline or Promiscuous mode to allow the packets the radio is switching to also be used by the WIPS analysis module. This feature can be enabled in two modes: an inline mode, where the WIPS sensor receives the packets from the radio with the radio operating in normal mode, and a promiscuous mode, where the radio is configured to receive all packets on the channel whether the destination address is the radio or not, so the WIPS module can analyze them.
10 Select the WLAN Mapping/Mesh Mapping tab.
Wireless Controller and Service Platform System Reference Guide 8 - 61 Profile Configuration
Figure 8-32 Access Point Radio - WLAN Mapping/Mesh Mapping screen
11 Refer to the WLAN/BSS Mappings field to set WLAN BSSID assignments for an existing Access Point deployment. Administrators can assign each WLAN its own BSSID. If using a single-radio Access Point, there are 8 BSSIDs available. If using a dual-radio Access Point, there are 8 BSSIDs for the 802.11b/g/n radio and 8 BSSIDs for the 802.11a/n radio.
12 Select Advanced Mapping to enable WLAN mapping to a specific BSS ID.
13 Select OK to save the changes to the WLAN Mapping. Select Reset to revert to the last saved configuration.
14 Select the Legacy Mesh tab.
15 Refer to the Settings field to define mesh settings for the Access Point radio.
Figure 8-33 Profile - Access Point Legacy Mesh tab
Mesh: Use the drop-down menu to set the mesh mode for this radio. Available options are Disabled, Portal or Client. Setting the mesh mode to Disabled deactivates all mesh activity on this radio. Setting the mesh mode to Portal turns the radio into a mesh portal; the radio starts beaconing immediately and accepts connections from other mesh nodes. Setting the mesh mode to Client enables the radio to operate as a mesh client and scan for and connect to mesh portals or nodes connected to portals.
Mesh Links: Specify the number of mesh links allowed by the radio. The radio can have between 1 and 6 mesh links when configured as a Portal or Client.
Mesh PSK: Provide the encryption key in either ASCII or Hex format. Administrators must ensure this key is configured on the Access Point when staged for mesh, added to the mesh client and to the portal Access Point's configuration on the controller or service platform. Select Show to expose the characters used in the PSK.
NOTE: Only single hop mesh links are supported at this time.
NOTE: The mesh encryption key is configurable from the Command Line Interface (CLI) using the command 'mesh psk'. Administrators must ensure that this key is configured on the AP when it is being staged for mesh, and also added to the mesh client as well as to the portal APs' configuration on the controller or service platform.
16 Refer to the Preferred Peer Device table to add mesh peers. For each peer added, enter its MAC Address and a Priority between 1 and 6. The lower the priority number, the higher the priority it is given when connecting to mesh infrastructure.
17 Select the + Add Row button to add preferred peer devices for the radio to connect to in mesh mode.
18 Select the Client Bridge Settings tab to configure the selected radio as a client-bridge. Note, before configuring the client-bridge parameters, set the radio's rf-mode to bridge.
An Access Point's radio can be configured to form a bridge between its wireless/wired clients and an infrastructure WLAN. The bridge radio authenticates and associates with the infrastructure WLAN Access Point. After successful association, the Access Point switches frames between its bridge radio and the wired/wireless client(s) connected either to its GE port(s) or to the other radio, thereby providing the clients access to the infrastructure WLAN resources.
This feature is supported only on the AP6522, AP6562, AP7522, AP7532, AP7562, AP7602, and AP7622 model Access Points.
19 Refer to the General field and define the following configurations:
Figure 8-34 Profile - Access Point Client Bridge Settings tab
SSID: Set the infrastructure WLAN's SSID the client-bridge Access Point associates with.
VLAN: Set the VLAN to which the bridged clients' sessions are mapped after successful association with the infrastructure WLAN. Once mapped, the client bridge communicates with permitted hosts over the infrastructure WLAN. Specify the VLAN from 1 to 4095.
Max Clients: Set the maximum number of bridge MAC addresses from 1 to 64. This is the maximum number of client-bridge Access Points that can associate with an infrastructure WLAN. The default value is 64.
Connect through Bridges: Set the maximum number of client-bridge Access Points that can associate with the infrastructure WLAN. Specify a value from 1 to 14. The default value is 14.
Channel Dwell Time: Set the channel-dwell time from 50 to 2000 milliseconds. This is the time the client-bridge radio dwells on each channel (configured in the list of channels) when scanning for an infrastructure WLAN. The default is 150 milliseconds.
Authentication: Set the mode of authentication with the infrastructure WLAN. The authentication mode specified here should be the same as that configured on the infrastructure WLAN. The options are None and EAP. If selecting EAP, specify the EAP authentication parameters. The default setting is None. For information on WLAN authentication, see Configuring WLAN Security.
Encryption: Set the packet encryption mode. The encryption mode specified here should be the same as that configured on the infrastructure WLAN. The options are None, CCMP and TKIP. The default setting is None. For information on WLAN encryption, see Configuring WLAN Security.
20 Refer to the EAP Parameters field and define the following EAP authentication parameters:
Type: Use the drop-down menu to select the EAP authentication method used by the supplicant. The options are TLS and PEAP-MS-CHAPv2. The default EAP type is PEAP-MS-CHAPv2.
Username: Set the 32 character maximum user name for an EAP authentication credential exchange.
Password: Set the 32 character maximum password for the EAP user name specified above.
Pre-shared Key: Set the pre-shared key (PSK) used with EAP. Note, the authenticating algorithm and PSK configured should be the same as those on the infrastructure WLAN.
Handshake Basic Rate: Set the basic rate of exchange of handshake packets between the client-bridge and infrastructure WLAN Access Points. The options are highest and normal. The default value is highest.
21 Refer to the Channel Lists field and define the list of channels the client-bridge radio scans when scanning for an infrastructure WLAN.
Band A: Define a list of channels for scanning across all the channels in the 5.0 GHz radio band.
Band BG: Define a list of channels for scanning across all the channels in the 2.4 GHz radio band.
22 Refer to the Keepalive Parameters field and define the following configurations:
Keepalive Type: Set the keepalive frame type exchanged between the client-bridge and infrastructure Access Points. This is the type of packets exchanged between the client-bridge and infrastructure Access Points, at specified intervals, to keep the client-bridge link up and active. The options are null-data and WNMP packets. The default value is null-data.
Keepalive Interval: Set the keepalive interval from 0 to 86,400 seconds. This is the interval between two successive keepalive frames exchanged between the client-bridge and infrastructure Access Points. The default value is 300 seconds.
Inactivity Timeout: Set the inactivity timeout for each bridge MAC address from 0 to 864,000 seconds. This is the time the client-bridge Access Point waits before deleting a wired/wireless client's MAC address from which no frame has been received for longer than the time specified here. For example, if the inactivity time is set to 120 seconds and no frames are received from a client (MAC address) for 120 seconds, it is deleted. The default value is 600 seconds.
23 Refer to the Radio Link Behaviour field and define the following configurations:
Shutdown Other Radio when Link Goes Down: Select this option to enable shutting down of the non-client bridge radio (this is the radio to which wireless clients associate) when the link between the client-bridge and infrastructure Access Points is lost. When enabled, wireless clients associated with the non-client bridge radio are pushed to search for and associate with other Access Points having backhaul connectivity. This option is disabled by default. If enabling this option, specify the time for which the non-client bridge radio is shut down. Use the spinner to specify a time from 1 - 1,800 seconds.
Refresh VLAN Interface when Link Comes Up: Select this option to enable the SVI to refresh on re-establishing the client bridge link to the infrastructure Access Point. If using a DHCP assigned IP address, it also causes a DHCP renew. This option is enabled by default.
24 Refer to the Roam Criteria field and define the following configuration:
Seconds for Missed Beacons: Set the interval from 0 - 60 seconds. This is the time the client-bridge Access Point waits, after missing a beacon from the associated infrastructure WLAN Access Point, before roaming to another infrastructure Access Point. For example, if the missed-beacon time is set to 30 seconds, and more than 30 seconds have passed since the last beacon was received from the associated infrastructure Access Point, the client-bridge Access Point resumes scanning for another infrastructure Access Point. The default value is 20 seconds.
Minimum Signal Strength: Set the minimum signal-strength threshold for signals received from the infrastructure Access Point. Specify a value from -128 to -40 dBm. If the RSSI value of signals received from the infrastructure Access Point falls below the value specified here, the client-bridge Access Point resumes scanning for another infrastructure Access Point. The default is -75 dBm.
25 Select OK to save or override the changes to the Client Bridge Settings screen. Select Reset to revert to the last saved configuration.
26 Select the Advanced Settings tab.
Figure 8-35 Access Point Radio - Advanced Settings screen
27 Refer to the Aggregate MAC Protocol Data Unit (A-MPDU) field to define how MAC service frames are aggregated by the Access Point radio.
A-MPDU Modes: Use the drop-down menu to define the A-MPDU mode supported. Options include Transmit Only, Receive Only, Transmit and Receive and None. The default value is Transmit and Receive. Using the default value, long frames can be both sent and received (up to 64 KB). When enabled, define either a transmit or receive limit (or both).
Minimum Gap Between Frames: Use the drop-down menu to define the minimum gap between A-MPDU frames (in microseconds). A setting of auto defines the gap as system defined. The default value is 4 microseconds.
Received Frame Size Limit: If a support mode is enabled allowing A-MPDU frames, define an advertised maximum limit for received A-MPDU aggregated frames. Options include 8191, 16383, 32767 or 65535 bytes. The default value is 65535 bytes.
Transmit Frame Size Limit: Use the spinner control to set a limit on transmitted A-MPDU aggregated frames. The available range is between 2,000 - 65,535 bytes. The default value is 65535 bytes.
28 Use the A-MSDU Modes drop-down menu in the Aggregate MAC Service Data Unit (A-MSDU) section to set the supported A-MSDU mode. Available modes include Receive Only and Transmit and Receive. Transmit and Receive is the default value. Using Transmit and Receive, frames up to 4 KB can be sent and received. The buffer limit is not configurable.
29 Use the Airtime Fairness fields to optionally prioritize wireless access to devices.
Enable Fair Access: Select Enable Fair Access to enable this feature and provide equal client access to radio resources.
Prefer High Throughput Clients: Select Prefer High Throughput Clients to prioritize clients with higher throughput (802.11n clients) over clients with slower throughput (802.11a/b/g clients). Use the spinner control to set a weight for the higher throughput clients.
30 Set or override the following Miscellaneous advanced radio settings:
RIFS Mode: Define a RIFS mode to determine whether interframe spacing is applied to Access Point transmissions or received packets, both, or neither. The default mode is Transmit and Receive. Interframe spacing is an interval between two consecutive Ethernet frames to enable a brief recovery between packets and allow target devices to prepare for the reception of the next packet. Consider setting this value to None for high priority traffic to reduce packet delay.
STBC Mode: Select a space-time block coding (STBC) option to transmit multiple data stream copies across Access Point antennas to improve signal reliability. An Access Point's transmitted signal traverses a problematic environment, with scattering, reflection and refraction all prevalent. The signal can be further corrupted by noise at the receiver. Consequently, some of the received data copies are less corrupt and better than others. This redundancy means there is a greater chance of using one, or more, of the received copies to successfully decode the signal. STBC effectively combines all the signal copies to extract as much information from each as possible.
Transmit Beamforming: Enable beamforming to steer signals to peers in a specific direction to enhance signal strength and improve throughput amongst meshed devices (not clients). Each Access Point radio supports up to 16 beamforming capable mesh peers. When enabled, a beamformer steers its wireless signals to its peers. A beamformee device assists the beamformer with channel estimation by providing a feedback matrix. The feedback matrix is a set of values sent by the beamformee to assist the beamformer in computing a steering matrix. A steering matrix is an additional set of values used to steer wireless signals at the beamformer so constructive signals arrive at the beamformee for better SNR and throughput. Any beamforming capable mesh peer connecting to a radio whose capacity is exhausted cannot enable beamforming itself. Transmit beamforming is available on AP81XX (AP8122, AP8132 and AP8163) model Access Points only, and is disabled by default.
31 Set the following Aeroscout Properties:
Forwarding Host: Specify the Aeroscout engine's IP address. When specified, the AP forwards Aeroscout beacons directly to the Aeroscout locationing engine without proxying through the controller or RF Domain manager. Note: Aeroscout beacon forwarding is supported on the AP6532, AP7502, AP7522, AP7532, AP7562, AP8432 and AP8533 model Access Points.
Forwarding Port: Use the spinner control to set the port on which the Aeroscout engine is reachable.
MAC to be forwarded: Specify the MAC address to be forwarded.
32 Set the following Ekahau Properties:
Forwarding Host: Specify the Ekahau engine's IP address. With Ekahau, small, battery powered Wi-Fi tags are attached to tracked assets or carried by people. Ekahau processes locations, rules, messages and environmental data and turns the information into locationing maps, alerts and reports.
Forwarding Port: Use the spinner control to set the Ekahau TZSP port used for processing information from locationing tags.
MAC to be forwarded: Specify the MAC address to be forwarded.
33 Set the following Non-Unicast Traffic values for the profile's supported Access Point radio and its connected wireless clients:
Broadcast/Multicast Transmit Rate: Use the drop-down menu to define the data rate at which broadcast and multicast frames are transmitted. Seven different rates are available, each with a separate menu, if not using the same rate for each BSSID.
Broadcast/Multicast Forwarding: Define whether client broadcast and multicast packets should always follow DTIM, or only follow DTIM when using Power Save Aware mode. The default setting is Follow DTIM.
34 Refer to the Sniffer Redirect (Packet Capture) field to define the radio's captured packet configuration.
Host for Redirected Packets: If packets are redirected from a connected Access Point radio, define an IP address for a resource (additional host system) used to capture the redirected packets. This address is the numerical (non DNS) address of the host used to capture the redirected packets.
Channel to Capture Packets: Use the drop-down menu to specify the channel used to capture redirected packets. The default value is channel 1.
35 Refer to the Channel Scanning field to define the radio's channel scanning configuration.
Enable Off-Channel Scan: Enable this option to scan across all channels using this radio. Channel scans use Access Point resources and can be time consuming, so only enable this option when you are sure the radio can afford the bandwidth directed towards the channel scan without negatively impacting client support.
Off Channel Scan list for 5GHz: Define a list of channels for off channel scans using the 5GHz Access Point radio. Restricting off channel scans to specific channels frees bandwidth otherwise utilized for scanning across all the channels in the 5GHz radio band.
Off Channel Scan list for 2.4GHz: Define a list of channels for off channel scans using the 2.4GHz Access Point radio. Restricting off channel scans to specific channels frees bandwidth otherwise utilized for scanning across all the channels in the 2.4GHz radio band.
Max Multicast: Set the maximum number (from 0 - 100) of multicast/broadcast messages used to perform off channel scanning. The default setting is 4.
Scan Interval: Set the interval (from 2 - 100 DTIMs) at which off channel scans occur. The default setting is 20 DTIMs.
Sniffer Redirect: Specify the IP address of the host to which captured off channel scan packets are redirected.
36 If deploying an AP7161 or AP7181 model Access Point, the following AP7161 settings are available:
Enable Antenna Downtilt: Enable this setting to allow the Access Point to physically transmit in a downward orientation (ADEPT mode).
Extended Range: Set an extended range (from 1 - 25 kilometers) to allow AP7161 and AP7181 model Access Points to transmit and receive with their clients at greater distances without being timed out.
37 Select OK to save the changes to the Advanced Settings screen. Select Reset to revert to the last saved configuration.
8.7.6 WAN Backhaul Configuration
A Wireless Wide Area Network (WWAN) card is a specialized network interface card that allows a network device to connect, transmit and receive data over a Cellular Wide Area Network. The AP7161, RFS4000 and RFS6000 all have a PCI Express card slot that supports 3G WWAN cards. The WWAN card uses point-to-point protocol (PPP) to connect to the Internet Service Provider (ISP) and gain access to the Internet. PPP is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point communications. PPP packages your system's TCP/IP packets and forwards them to the serial device where they can be put on the network. PPP is a full-duplex protocol used on various physical media, including twisted pair or fiber optic lines or satellite transmission. It uses a variation of High Speed Data Link Control (HDLC) for packet encapsulation.
To define a WAN Backhaul configuration:
1 Select Configuration > Profiles > Interface.
2 Expand the Interface menu to display its submenu options.
3 Select WAN Backhaul.
4 Refer to the WAN (3G) Backhaul configuration to specify WAN card settings:
Figure 8-36 Profile - WAN Backhaul screen
WAN Interface Name: Displays the WAN Interface name for the WAN 3G Backhaul card.
Enable WAN (3G): Select this option to enable 3G WAN card support on the device. A supported 3G card must be connected to the device for this feature to work.
5 Set the following authentication parameters from within the Basic Settings field:
Username: Provide a 32 character maximum username for authentication support by the cellular data carrier.
Password: Provide a password for authentication support by the cellular data carrier.
Authentication Type: Use the drop-down menu to specify the authentication type used by your cellular data provider. Supported authentication types are None, PAP, CHAP, MSCHAP, and MSCHAP-v2.
6 Define the following NAT parameters from within the Network Address Translation (NAT) field:
NAT Direction: Define the Network Address Translation (NAT) direction. Options include:
Inside - The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
Outside - Packets passing through the NAT on the way back to the controller or service platform managed LAN are searched against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.
None - No NAT activity takes place. This is the default setting.
7 Define the following security parameters from within the Security Settings field:
IPv4 Inbound Firewall Rules: Use the drop-down menu to select an inbound IPv4 ACL to associate with traffic on the WAN backhaul. This setting pertains to IPv4 inbound traffic only and not IPv6. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or protect against duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity. If an appropriate IP ACL does not exist, select the Add button to create a new one.
VPN Crypto Map: If necessary, specify a crypto map for the wireless WAN. A crypto map can be up to 256 characters long. If a suitable crypto map is not available, click the Create button to configure a new one.
8 Define the following route parameters from within the Default Route Priority field:
WWAN Default Route Priority: Use the spinner control to define a priority from 1 - 8,000 for the default route learned by the wireless WAN. The default value is 3000.
9 Select OK to save the changes to the screen. Select Reset to revert to the last saved configuration.
8.7.7 PPPoE Configuration
PPP over Ethernet (PPPoE) is a data-link protocol for dialup connections. PPPoE allows an Access Point to use a broadband modem (DSL, cable modem, etc.) for access to high-speed data and broadband networks. Most DSL providers are currently supporting (or deploying) the PPPoE protocol. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables a point-to-point connection to an ISP over an existing Ethernet interface. To provide a point-to-point connection, each PPPoE session determines the Ethernet address of a remote PPPoE client, and establishes a session. PPPoE uses both a discovery and a session phase to identify a client and establish a point-to-point connection. By using such a connection, a Wireless WAN failover is available to maintain seamless network access if the Wired WAN were to fail.
NOTE: Devices with PPPoE enabled continue to support VPN, NAT, PBR and 3G failover over the PPPoE interface. Multiple PPPoE sessions are supported using a single user account if RADIUS is configured to allow simultaneous access.
When PPPoE client operation is enabled, it discovers an available server and establishes a PPPoE link for traffic flow. When a wired WAN connection failure is detected, traffic flows through the WWAN interface in fail-over mode (if the WWAN network is configured and available). When the PPPoE link becomes accessible again, traffic is redirected back through the Access Point's wired WAN link.
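The discovery phase outlined here (the client locates a server, and a session ID is agreed before the session phase begins) is easier to reason about with the packets in hand. The following Python is an added example, not code from the WiNG guide or from the product: it builds and parses RFC 2516 discovery packets from constructed frames and vets an offer the way a careful client should, rejecting malformed TAGs, a missing AC-Name, error TAGs and an offer that does not echo the client's Host-Uniq; the 128 character Service-Name limit is the one the guide gives for the PPPoE client service name.

```python
"""PPPoE discovery (RFC 2516): build a PADI, parse PADO/PADS and vet an offer."""
import struct

VER_TYPE = 0x11  # PPPoE VER=1, TYPE=1, the first header byte

# Discovery packet CODE values (RFC 2516 section 5)
PADI, PADO, PADR, PADS, PADT = 0x09, 0x07, 0x19, 0x65, 0xA7
CODE_NAMES = {PADI: "PADI", PADO: "PADO", PADR: "PADR", PADS: "PADS", PADT: "PADT"}

# TAG_TYPE values (RFC 2516 appendix A)
TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102
TAG_HOST_UNIQ = 0x0103
TAG_AC_COOKIE = 0x0104
ERROR_TAGS = {0x0201, 0x0202, 0x0203}  # Service-Name-Error, AC-System-Error, Generic-Error

MAX_SERVICE_NAME = 128  # the guide's limit for the PPPoE client service name


def build_discovery(code, session_id, tags):
    """Return PPPoE header plus TAGs; tags is a list of (tag_type, value_bytes)."""
    # The Ethernet header (ethertype 0x8863 for discovery) is left to the caller.
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def parse_discovery(payload):
    """Parse a discovery payload into (code, session_id, tags); ValueError if malformed."""
    if len(payload) < 6:
        raise ValueError("PPPoE header truncated")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != VER_TYPE:
        raise ValueError(f"unexpected VER/TYPE byte {ver_type:#04x}")
    if code not in CODE_NAMES:
        raise ValueError(f"unknown discovery CODE {code:#04x}")
    if 6 + length > len(payload):
        raise ValueError("LENGTH field exceeds the frame")
    # PADI, PADO and PADR carry SESSION_ID 0; PADS and PADT carry the assigned ID.
    if code in (PADI, PADO, PADR) and session_id != 0:
        raise ValueError(f"{CODE_NAMES[code]} must carry SESSION_ID 0")
    if code in (PADS, PADT) and session_id == 0:
        raise ValueError(f"{CODE_NAMES[code]} must carry a non-zero SESSION_ID")
    tags, off, end = [], 6, 6 + length
    while off < end:  # every TAG is bounds-checked before it is read
        if end - off < 4:
            raise ValueError("TAG header truncated")
        tag_type, tag_len = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        if off + tag_len > end:
            raise ValueError(f"TAG {tag_type:#06x} overruns the payload")
        value = payload[off:off + tag_len]
        off += tag_len
        if tag_type == TAG_END_OF_LIST:
            break
        if tag_type == TAG_SERVICE_NAME and tag_len > MAX_SERVICE_NAME:
            raise ValueError("Service-Name longer than 128 characters")
        tags.append((tag_type, value))
    return code, session_id, tags


def is_well_formed(payload):
    """True when parse_discovery accepts the payload."""
    try:
        parse_discovery(payload)
        return True
    except ValueError:
        return False


def check_offer(padi_payload, offer_payload):
    """Decide whether a PADO answers our PADI; returns (accept, reason).
    It must name the AC, carry no error TAG, echo our Host-Uniq and offer the requested Service-Name."""
    padi = dict(parse_discovery(padi_payload)[2])
    code, _, offer_tags = parse_discovery(offer_payload)
    offer = dict(offer_tags)
    if code != PADO:
        return False, f"expected PADO, got {CODE_NAMES[code]}"
    if ERROR_TAGS & offer.keys():
        return False, "offer carries an error TAG"
    if TAG_AC_NAME not in offer:
        return False, "PADO lacks the mandatory AC-Name TAG"
    if TAG_HOST_UNIQ in padi and offer.get(TAG_HOST_UNIQ) != padi[TAG_HOST_UNIQ]:
        return False, "Host-Uniq not echoed: not a reply to our PADI"
    asked = padi.get(TAG_SERVICE_NAME, b"")
    if asked and offer.get(TAG_SERVICE_NAME) != asked:
        return False, "offered Service-Name differs from the requested one"
    return True, "offer acceptable"


if __name__ == "__main__":
    # Constructed frames (not a capture): our PADI, a matching PADO and one meant for another client.
    padi = build_discovery(PADI, 0, [(TAG_SERVICE_NAME, b"isp-dsl"), (TAG_HOST_UNIQ, b"\x12\x34")])
    good = build_discovery(PADO, 0, [(TAG_SERVICE_NAME, b"isp-dsl"), (TAG_AC_NAME, b"bras-01"),
                                     (TAG_HOST_UNIQ, b"\x12\x34"), (TAG_AC_COOKIE, b"\xaa" * 16)])
    other = build_discovery(PADO, 0, [(TAG_AC_NAME, b"bras-02"), (TAG_HOST_UNIQ, b"\x99\x99")])
    print("good:", check_offer(padi, good), "other:", check_offer(padi, other))
```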
When the Access Point initiates a PPPoE session, it first performs a discovery to identify the Ethernet MAC address of the PPPoE client and establish a PPPoE session ID. In discovery, the PPPoE client discovers a server to host the PPPoE connection.
To create a PPPoE point-to-point configuration:
1 Select Configuration > Profiles > Interface.
2 Expand the Interface menu to display its submenu options.
3 Select PPPoE.
Figure 8-37 Profile - PPPoE screen
4 Use the Basic Settings field to enable PPPoE and define a PPPoE client:
Admin Status: Select Enable to support a high speed client mode point-to-point connection using the PPPoE protocol. The default setting is disabled.
Service: Enter the 128 character maximum PPPoE client service name provided by the service provider.
DSL Modem Network (VLAN): Use the spinner control to set the PPPoE VLAN (client local network) connected to the DSL modem. This is the local network connected to the DSL modem. The available range is 1 - 4,094. The default VLAN is VLAN1.
Client IP Address: Provide the numerical (non hostname) IP address of the PPPoE client.
5 Define the following Authentication parameters for PPPoE client interoperation:
Username: Provide the 64 character maximum username used for authentication support by the PPPoE client.
Password: Provide the 64 character maximum password used for authentication by the PPPoE client.
Authentication Type: Use the drop-down menu to specify the authentication type used by the PPPoE client, and whose credentials must be shared by its peer Access Point. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2.
6 Define the following Connection settings for the PPPoE point-to-point connection with the PPPoE client:
Maximum Transmission Unit (MTU): Set the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size. The default MTU is 1,492.
Client Idle Timeout: Set a timeout in either Seconds (1 - 65,535), Minutes (1 - 1,092) or Hours (1 - 18). The Access Point uses the defined timeout so it does not sit idle waiting for input from the PPPoE client and server that may never come. The default setting is 10 minutes.
Keep Alive: Select this option to ensure the point-to-point connection to the PPPoE client is continuously maintained and not timed out. This setting is disabled by default.
7 Set the Network Address Translation (NAT) direction for the PPPoE configuration. Network Address Translation (NAT) converts an IP address in one network to a different IP address or set of IP addresses in another network. The Access Point maps its local (Inside) network addresses to WAN (Outside) IP addresses, and translates the WAN IP addresses on incoming packets to local IP addresses. NAT is useful because it allows the authentication of incoming and outgoing requests, and minimizes the number of WAN IP addresses needed when a range of local IP addresses is mapped to each WAN IP address. The default setting is None (neither inside nor outside).
8 Define the following Security Settings for the PPPoE configuration:
IPv4 Inbound Firewall Rules: Use the drop-down menu to select a firewall (set of IP access connection rules) to apply to the PPPoE client connection. If a firewall rule does not exist suiting the data protection needs of the PPPoE client connection, select the Create icon to define a new rule configuration or the Edit icon to modify an existing rule. For more information, see Setting an IPv4 or IPv6 Firewall Policy on page 10-21.
VPN Crypto Map: Use the drop-down menu to apply an existing crypto map configuration to this PPPoE interface. Crypto Maps are sets of configuration parameters for encrypting packets that pass through the VPN Tunnel.
9 Use the spinner control to set the Default Route Priority for the default route learned using PPPoE. Select from 1 - 8,000. The default setting is 2,000.
10 Select OK to save the changes to the PPPoE screen. Select Reset to revert to the last saved configuration. Saved configurations are persistent across reloads.
8.7.8 Bluetooth Configuration
AP-8432 and AP-8533 model Access Points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP-8432 and AP-8533 models support both Bluetooth classic and Bluetooth low energy technology. These platforms can use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.
NOTE: AP-8132 model Access Points support an external USB Bluetooth radio providing ADSP Bluetooth classic sensing functionality only, not the Bluetooth low energy beaconing functionality available for AP-8432 and AP-8533 model Access Points described in this section.
AP-8432 and AP-8533 model Access Points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The Access Point's Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets on a periodic basis. These advertisement packets are short, and sent on Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL standards. Portions of the advertising packet are still customizable, however.
To define a profile's Bluetooth radio interface configuration:
1 Select Configuration > Profiles > Interface.
2 Expand the Interface menu to display its submenu options.
3 Select Bluetooth.
4 Set the following Bluetooth Radio Configuration:
Figure 8-38 Profile Overrides - Bluetooth screen
Admin Status: Enable or Disable Bluetooth support capabilities for AP-8432 or AP-8533 model Access Point Bluetooth radio transmissions. The default value is disabled.
Description: Define a 64 character maximum description for the Access Point's Bluetooth radio to differentiate this radio interface from other Bluetooth supported radios that may be members of the same RF Domain.
5 Set the following Basic Settings:
Bluetooth Radio Functional Mode: Set the Access Point's Bluetooth radio functional mode to either bt-sensor or le-beacon. Use bt-sensor mode for ADSP Bluetooth classic sensing. Use le-beacon mode to have the Access Point transmit both iBeacon and Eddystone-URL low energy beacons. le-beacon is the default setting.
Beacon Transmission Period: Set the Bluetooth radio's beacon transmission period from 100 - 10,000 milliseconds. The default setting is 1,000 milliseconds.
Beacon Transmission Pattern: When the Bluetooth radio's mode is set to le-beacon, use the enabled drop-down menu to set the beacon's emitted transmission pattern to either eddystone_url1, eddystone_url2 or ibeacon. An Eddystone-URL frame broadcasts a URL using a compressed encoding scheme to better fit within a limited advertisement packet. Once decoded, the URL can be used by a client for Internet access. iBeacon was created by Apple for use in iOS devices (beginning with iOS version 7.0). There are three data fields Apple has made available to iOS applications: a UUID for device identification, a Major value for device class and a Minor value for more refined information like product category.
6 Define the following Eddystone Settings if the Beacon Transmission Pattern has been set to either eddystone_url1 or eddystone_url2:
Eddystone Beacon Calibration Signal Strength: Set the Eddystone beacon measured calibration signal strength, from -127 to 127 dBm, at 0 meters. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 0 meters. The default setting is -19 dBm.
URL-1 to Transmit Eddystone-URL: Enter a 64 character maximum Eddystone-URL1. The URL must be 18 characters or less once auto-encoding is applied. The encoding process is for getting the URL to fit within the beacon's payload.
URL-2 to Transmit Eddystone-URL: Enter a 64 character maximum Eddystone-URL2. The URL must be 18 characters or less once auto-encoding is applied. The encoding process is for getting the URL to fit within the beacon's payload.
7 Define the following iBeacon Settings if the Beacon Transmission Pattern has been set to iBeacon:
iBeacon Calibration Signal Strength: Set the iBeacon measured calibration signal strength, from -127 to 127 dBm, at 1 meter. Mobile devices can approximate their distance to beacons based on received signal strength. However, distance readings can fluctuate since they depend on several external factors. The closer you are to a beacon, the more accurate the reported distance. This setting is the projected calibration signal strength at 1 meter. The default setting is -60 dBm.
iBeacon Major Number: Set the iBeacon Major value from 0 - 65,535. Major values identify and distinguish groups. For example, each beacon on a specific floor in a building could be assigned a unique major value. The default is 1,111.
iBeacon Minor Number: Set the iBeacon Minor value from 0 - 65,535. Minor values identify and distinguish individual beacons. Minor values help identify individual beacons within a group of beacons assigned a major value. The default setting is 2,222.
iBeacon UUID: Define a 32 hex character maximum UUID. The Universally Unique IDentifier (UUID) classification contains 32 hexadecimal digits. The UUID distinguishes iBeacons in the network from all other beacons in networks outside of your direct administration.
8 Select OK to save the changes to the Bluetooth configuration. Select Reset to revert to the last saved configuration. Saved configurations are persistent across reloads.
8.7.9 Profile Interface Deployment Considerations
Before defining a profile's interface configuration (supporting Ethernet port, Virtual Interface, port channel and Access Point radio configurations), refer to the following deployment guidelines to ensure these configurations are optimally effective:
Power over Ethernet is supported on RFS4000 and RFS6000 model controllers. When enabled, the controller supports 802.3af PoE on each of its ge ports.

When changing from a default DHCP address to a fixed IP address, set a static route first. This is critical when the controller or service platform is being accessed from a subnet not directly connected to the controller or service platform and the default route was set from DHCP.

Take care not to modify an Access Point's configuration using its resident Web UI, CLI or SNMP interfaces when it is managed by a profile, or risk the Access Point having a configuration independent from the profile until the profile can be uploaded to the Access Point once again.

8.8 Profile Network Configuration

Setting a profile's network configuration is a large task comprised of numerous administration activities. A profile's network configuration process consists of the following:
Setting a Profile's DNS Configuration
Setting a Profile's ARP Configuration
Setting a Profile's L2TPV3 Configuration
Setting a Profile's GRE Configuration
Setting a Profile's IGMP Snooping Configuration
Setting a Profile's MLD Snooping Configuration
Setting a Profile's Quality of Service (QoS) Configuration
Setting a Profile's Spanning Tree Configuration
Setting a Profile's Routing Configuration
Setting a Profile's Dynamic Routing (OSPF) Configuration
Setting a Profile's Border Gateway Protocol (BGP) Configuration
Setting a Profile's Forwarding Database Configuration
Setting a Profile's Bridge VLAN Configuration
Setting a Profile's Cisco Discovery Protocol Configuration
Setting a Profile's Link Layer Discovery Protocol Configuration
Setting a Profile's Miscellaneous Network Configuration
Setting a Profile's Alias Configuration
Setting a Profile's IPv6 Neighbor Configuration

Before beginning any of the profile network configuration activities described in the sections above, review the configuration and deployment considerations available in Profile Network Configuration and Deployment Considerations.

8.8.1 Setting a Profile's DNS Configuration

Domain Naming System (DNS) is a hierarchical naming system for resources connected to the Internet or a private network. Primarily, DNS resources translate domain names into IP addresses. If one DNS server doesn't know how to translate a particular domain name, it asks another one until the correct IP address is returned. DNS enables access to resources using human-friendly notations. DNS converts human-friendly domain names into the notations used by different networking equipment for locating resources. Because a resource is accessed using a human-friendly hostname, it is possible to keep accessing the resource even if the underlying machine-friendly name changes.
Without DNS, in the simplest terms, you would need to remember a series of numbers (123.123.123.123) instead of an easy-to-remember domain name (for example, www.domainname.com).

To define the DNS configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select DNS.

Figure 8-39 DNS screen

4 Set the following Domain Name System (DNS) configuration data:
Domain Name: Provide the default domain name used to resolve DNS names. The name cannot exceed 64 characters.

Enable Domain Lookup: Select the check box to enable DNS. When enabled, human-friendly domain names are converted into numerical IP destination addresses. The radio button is selected by default.

DNS Server Forwarding: Select this option to enable the forwarding of DNS queries to external DNS servers if a DNS query cannot be processed by local DNS resources. This feature is disabled by default.

5 Set the following DNS Server configuration data:
Name Servers: Provide a list of up to three DNS servers to forward DNS queries to if local DNS resources are unavailable. The DNS name servers are used to resolve IP addresses. Use the Clear link (next to each DNS server) to clear that DNS name server's IP address from the list.

6 Set the following DNS Servers IPv6 configuration data when using IPv6:
IPv6 DNS Name Server: Provide the default domain name used to resolve IPv6 DNS names. When an IPv6 host is configured with the address of a DNS server, the host sends DNS name queries to the server for resolution. A maximum of three entries are permitted.

IPv6 DNS Server Forward: Select the check box to enable IPv6 DNS domain names to be converted into numerical IP destination addresses. The setting is disabled by default.

Select OK to save the changes made to the DNS configuration. Select Reset to revert to the last saved configuration.

8.8.2 Setting a Profile's ARP Configuration

Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a hardware MAC address recognized on the network. ARP provides protocol rules for making this correlation and providing address conversion in both directions. When an incoming packet destined for a host arrives, ARP is used to find a physical host or MAC address that matches the IP address. ARP looks in its ARP cache and, if it finds the address, provides it so the packet can be converted to the right packet length and format and sent to its destination. If no entry is found for the IP address, ARP broadcasts a request packet in a special format on the LAN to see if a device knows it has that IP address associated with it. A device that recognizes the IP address as its own returns a reply indicating it. ARP updates the ARP cache for future reference and then sends the packet to the MAC address that replied.

To define an ARP supported configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select ARP.
4 Select + Add Row from the lower right-hand side of the screen to populate the ARP table with rows used to define ARP network address information.
5 Set the following parameters to define the ARP configuration:
Figure 8-40 ARP screen

Switch VLAN Interface: Use the spinner control to select a VLAN interface for an address requiring resolution.

IP Address: Define the IP address used to fetch a MAC Address.

MAC Address: Set the target MAC address subject to resolution. This is the MAC used for mapping an IP address to a MAC address recognized on the network.

Device Type: Specify the device type the ARP entry supports. Host is the default setting.

6 To add additional ARP configurations, select the + Add Row button and enter the configuration information.
7 Select the OK button located at the bottom right of the screen to save the changes to the ARP configuration. Select Reset to revert to the last saved configuration.

8.8.3 Setting a Profile's L2TPV3 Configuration

L2TP V3 is an IETF standard used for transporting different types of layer 2 frames in an IP network (and Access Point profile). L2TP V3 defines control and encapsulation protocols for tunneling layer 2 frames between two IP nodes. Use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables wireless devices to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between other vendor devices supporting the L2TP V3 protocol.

Multiple pseudowires can be created within an L2TP V3 tunnel. Access Points support an Ethernet VLAN pseudowire type exclusively.

NOTE: A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network.

Ethernet VLAN pseudowires transport Ethernet frames to and from a specified VLAN. One or more L2TP V3 tunnels can be defined between tunnel end points. Each tunnel can have one or more L2TP V3 sessions.
Each tunnel session corresponds to one pseudowire. An L2TP V3 control connection (an L2TP V3 tunnel) needs to be established between the tunneling entities before creating a session. For optimal pseudowire operation, both the L2TP V3 session originator and responder need to know the pseudowire type and identifier. These two parameters are communicated during L2TP V3 session establishment. An L2TP V3 session created within an L2TP V3 connection also specifies multiplexing parameters for identifying a pseudowire type and ID. The working status of a pseudowire is reflected by the state of the L2TP V3 session. If an L2TP V3 session is down, the pseudowire associated with it must be shut down. The L2TP V3 control connection keep-alive mechanism can serve as a monitoring mechanism for the pseudowires associated with a control connection.

NOTE: If connecting an Ethernet port to another Ethernet port, the pseudowire type must be Ethernet port; if connecting an Ethernet VLAN to another Ethernet VLAN, the pseudowire type must be Ethernet VLAN.

To define an L2TPV3 configuration for an Access Point profile:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select L2TPv3. The General tab displays by default, with additional L2TPv3 Tunnel and Manual Session tabs available.
4 Set the following General Settings for an L2TPv3 profile configuration:
Figure 8-41 Network - L2TPv3 screen, General tab

Hostname: Define a 64 character maximum host name to specify the name of the host that's sent tunnel messages. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.

Router ID: Set either the numeric IP address or the integer used as an identifier for tunnel AVP messages. AVP messages assist in the identification of a tunnelled peer.

UDP Listen Port: Select this option to set the port used for listening to incoming traffic. Select a port from 1,024 - 65,535.

Tunnel Bridging: Select this option to enable bridging of packets between two tunnel end points. This setting is disabled by default.

5 Set the following Logging Settings for an L2TPv3 profile configuration:
Enable Logging: Select this option to enable the logging of Ethernet frame events to and from bridge VLANs and physical ports on a defined IP address, host or router ID. This setting is disabled by default.

IP Address: Optionally use a peer tunnel ID address to capture and log L2TPv3 events. Use Any to log any IP address.

Hostname: If not using an IP address for event logging, optionally use a peer tunnel hostname to capture and log L2TPv3 events. Use Any to log all hostnames. A Hostname cannot exceed 64 characters.

Router ID: If not using an IP address or a hostname for event logging, use a router ID to capture and log L2TPv3 events. Use Any to log all routers.

6 Select the L2TPv3 Tunnel tab.
7 Review the following L2TPv3 tunnel configuration data:
Figure 8-42 Network - L2TPv3 screen, L2TPv3 Tunnel tab

Name: Displays the name of each listed L2TPv3 tunnel assigned upon creation.

Local IP Address: Lists the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.

MTU: Displays the maximum transmission unit (MTU) size for each listed tunnel. The MTU is the size (in bytes) of the largest protocol data unit that the layer can pass between tunnel peers.

Use Tunnel Policy: Lists the L2TPv3 tunnel policy assigned to each listed tunnel.

Local Hostname: Lists the tunnel specific hostname used by each listed tunnel. This is the host name advertised in tunnel establishment messages.

Local Router ID: Specifies the router ID sent in the tunnel establishment messages.

Establishment Criteria: Specifies the criteria required for a tunnel between two peers.

Critical Resource: Specifies the critical resource that should exist for a tunnel between two peers. Critical resources are device IP addresses or interface destinations interpreted as critical to the health of the network. Critical resources allow for the continuous monitoring of these defined addresses. A critical resource, if not available, can result in the network suffering performance degradation. A critical resource can be a gateway, AAA server, WAN interface or any hardware or service on which the stability of the network depends. Critical resources are pinged regularly. If there's a connectivity issue, an event is generated stating a critical resource is unavailable.

Peer IP Address: Specifies the IP address of the tunnel peer device.

Host Name: Specifies the host name of the tunnel device.
8 Either select Add to create a new L2TPv3 tunnel configuration, Edit to modify an existing tunnel configuration or Delete to remove a tunnel from those available to this profile.
9 If creating a new tunnel configuration, assign it a 31 character maximum Name. Select OK to create an L2TPv3 tunnel.

Figure 8-43 Network - L2TPv3 screen, L2TPv3 Tunnel Session Information

Refer to the Session table to review the configurations of the peers available for tunnel connection. Select + Add Row to populate the table with configurable session parameters for this tunnel configuration.

10 Define the following Session values required for the L2TPv3 tunnel configuration:
Name: Enter a 31 character maximum session name. There is no idle timeout for a tunnel. A tunnel is not usable without a session and a subsequent session name. The tunnel is closed when the last tunnel session is closed.

Pseudowire ID: Define a pseudowire ID for this session. A pseudowire is an emulation of a layer 2 point-to-point connection over a packet-switching network (PSN). A pseudowire was developed out of the necessity to encapsulate and tunnel layer 2 protocols across a layer 3 network.

Traffic Source Type: Lists the type of traffic tunnelled in this session (VLAN etc.).

Traffic Source Value: Define a VLAN range to include in the tunnel session. Available VLAN ranges are from 1 - 4,094.

Native: Select this option to provide a VLAN ID that will not be tagged in tunnel establishment and packet transfer.

11 Select Settings.
12 Define the following Settings required for the L2TPv3 tunnel configuration:
Figure 8-44 Network - L2TPv3 screen - Add L2TPv3 Tunnel Settings

Local IP Address: Enter the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address. This parameter is applicable when establishing the tunnel and responding to incoming tunnel create requests.

MTU: Set the maximum transmission unit (MTU). The MTU is the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers. Define an MTU from 128 - 1,460 bytes. The default setting is 1,460. A larger MTU means processing fewer packets for the same amount of data.

Use Tunnel Policy: Select the L2TPv3 tunnel policy. The policy consists of user defined values for protocol specific parameters which can be used with different tunnels. If none is available, a new policy can be created or an existing one can be modified.

Local Hostname: Provide the tunnel specific hostname used by this tunnel. This is the host name advertised in tunnel establishment messages. A Hostname cannot exceed 64 characters.

Local Router ID: Specify the router ID sent in tunnel establishment messages with a target peer device.

Establishment Criteria: Specify the establishment criteria for creating a tunnel. The tunnel is only created if this device is one of the following:
vrrp-master
cluster-master
rf-domain-manager
The tunnel is always created if Always is selected. This indicates the device need not be any one of the above three (3) to establish a tunnel.

VRRP Group: Set the VRRP group ID. The VRRP group is only enabled when the Establishment Criteria is set to vrrp-master.

Critical Resource: The Critical Resources table lists important resources defined for this system. The tunnel is created and maintained only if these critical resources are available. The tunnel is removed if any one of the defined resources goes down or is unreachable.

13 Select + Add Row and define the following Rate Limit settings for the L2TPv3 tunnel configuration. Rate limiting limits the maximum rate sent to or received from L2TPv3 tunnel members.

Session Name: Use the drop-down menu to select the tunnel session that will have the direction, burst size and traffic rate settings applied.

Direction: Select the direction for L2TPv3 tunnel traffic rate limiting. Egress traffic is outbound L2TPv3 tunnel data coming to the controller, service platform or Access Point. Ingress traffic is inbound L2TPv3 tunnel data coming to the controller, service platform or Access Point.

Maximum Burst Size: Set the maximum burst size for egress or ingress traffic rate limiting (depending on which direction is selected) on an L2TPv3 tunnel. Set a maximum burst size between 2 - 1024 kbytes. The smaller the burst, the less likely the upstream packet transmission will result in congestion for L2TPv3 tunnel traffic. The default setting is 320 bytes.

Rate: Set the data rate (from 50 - 1,000,000 kbps) for egress or ingress traffic rate limiting (depending on which direction is selected) for an L2TPv3 tunnel. The default setting is 5000 kbps.

Background: Set the Random Early Detection threshold in percentage (%) of the Maximum Burst Size value for low priority traffic. The default value is 50%.

Best-Effort: Set the Random Early Detection threshold in percentage (%) of the Maximum Burst Size value for normal priority traffic. The default value is 50%.

Video: Set the Random Early Detection threshold in percentage (%) of the Maximum Burst Size value for video traffic. The default value is 25%.

Voice: Set the Random Early Detection threshold in percentage (%) of the Maximum Burst Size value for voice traffic. The default value is 0%.

Refer to the Peer table to review the configurations of the peers available for tunnel connection.

14 Select + Add Row to populate the table with a maximum of two peer configurations.
15 Define the following Peer settings:
Figure 8-45 Network - L2TPv3 screen, Add L2TPv3 Peer Configuration

Peer ID: Define the primary peer ID used to set the primary and secondary peer for tunnel failover. If the peer is not specified, tunnel establishment does not occur. However, if a peer tries to establish a tunnel with this Access Point, it creates the tunnel if the hostname and/or Router ID matches.

Peer IP Address: Select this option to enter the numeric IP address used as the tunnel destination peer address for tunnel establishment.

Hostname: Assign the peer a hostname used as matching criteria in the tunnel establishment process. A Hostname cannot exceed 64 characters.

Router ID: Specify the router ID sent in tunnel establishment messages with this specific peer.

Encapsulation: Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes.

UDP Port: If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port.

IPsec Secure: Enable this option to enable security on the connection between the Access Point and the Virtual Controller resource.

IPsec Gateway: Specify the IP Address of the IPsec secure gateway resource used to protect tunnel traffic.

16 Back at the Settings tab, set the following Fast Failover parameters:

Enable: When enabled, the device starts sending tunnel requests on both peers, and in turn, establishes the tunnel on both peers. If disabled, tunnel establishment only occurs on one peer, with failover and other functionality the same as legacy behavior. If fast failover is enabled after establishing a single tunnel, the establishment is restarted with two peers. One tunnel is defined as active and the other standby. Both tunnels perform connection health checkups with individual hello intervals. This setting is disabled by default.

Enable Aggressive Mode: When enabled, tunnel initiation hello requests are set to zero. For failure detections, hello attempts are not retried, regardless of defined retry attempts. This setting is disabled by default.

17 Select OK to save the changes. Select Reset to revert to the last saved configuration.
18 Select the Manual Session tab. After a successful tunnel connection and establishment, individual sessions can be created. Each session is a single data stream. After successful session establishment, data corresponding to that session (pseudowire) can be transferred. If a session is down, the pseudowire associated with it is shut down as well.

Figure 8-46 Network - L2TPv3 screen, Manual Session tab

19 Refer to the following manual session configurations to determine whether one should be created or modified:
IP Address: Lists the IP address assigned as the local tunnel end point address, not the interface IP address. This IP is used as the tunnel source IP address. If this parameter is not specified, the source IP address is chosen automatically based on the tunnel peer IP address. This parameter is applicable when establishing the session and responding to incoming requests.

Local Session ID: Displays the numeric identifier assigned to each listed tunnel session. This is the pseudowire ID for the session. This pseudowire ID is sent in a session establishment message to the L2TP peer.

MTU: Displays each session's maximum transmission unit (MTU). The MTU is the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers in this session. A larger MTU means processing fewer packets for the same amount of data.

Name: Lists the name assigned to each listed manual session.

Remote Session ID: Lists the remote session ID passed in the establishment of the tunnel session.

20 Select Add to create a new manual session, Edit to modify an existing session configuration or Delete to remove a selected manual session.

Figure 8-47 Network - L2TPv3 screen, Add Manual Session Configuration

21 Set the following Manual Session parameters:
Name: Define a 31 character maximum name for this tunnel session. The session is created after a successful tunnel connection and establishment. Each session name represents a single data stream.

IP Address: Specify the IP address used as the tunnel source IP address. If not specified, the tunnel source IP address is selected automatically based on the tunnel peer IP address. This address is applicable only for initiating the tunnel. When responding to incoming tunnel create requests, the device uses the IP address received in the tunnel creation request.

IP: Set the IP address of an L2TP tunnel peer. This is the peer allowed to establish the tunnel.

Local Session ID: Set the numeric identifier for the tunnel session. This is the pseudowire ID for the session. This pseudowire ID is sent in the session establishment message to the L2TP peer.

MTU: Define the session maximum transmission unit (MTU) as the size (in bytes) of the largest protocol data unit the layer can pass between tunnel peers in this session. A larger MTU means processing fewer packets for the same amount of data.

Remote Session ID: Use the spinner control to set the remote session ID passed in the establishment of the tunnel session. Assign an ID in the range of 1 - 4,294,967,295.

Encapsulation: Select either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes.

UDP Port: If UDP encapsulation is selected, use the spinner control to define the UDP encapsulation port. This is the port where the L2TP service is running.

Source Type: Select a VLAN as the virtual interface source type.

Source Value: Define the Source Value range (1 - 4,094) to include in the tunnel. Tunnel session data includes VLAN tagged frames.

Native VLAN: Select this option to define the native VLAN that will not be tagged.

22 Select the + Add Row button to set the following:
Cookie Size: Set the size of the cookie field within each L2TP data packet. Options include 0, 4 and 8. The default setting is 0.

Value 1: Set the cookie value first word.

Value 2: Set the cookie value second word.

End Point: Define whether the tunnel end point is local or remote.

23 Select OK to save the changes to the configuration. Select Reset to revert to the last saved configuration.

8.8.4 Setting a Profile's GRE Configuration

Generic routing encapsulation (GRE) tunneling can be configured to bridge Ethernet packets between WLANs and a remote WLAN gateway over a GRE tunnel. The tunneling of 802.3 packets using GRE is an alternative to MiNT or L2TPv3. Related features like ACLs for extended VLANs are still available using layer 2 tunneling over GRE.

Using GRE, Access Points map one or more VLANs to a tunnel. The remote endpoint is a user-configured WLAN gateway IP address, with an optional secondary IP address should connectivity to the primary GRE peer be lost. VLAN traffic is expected in both directions in the GRE tunnel. A WLAN mapped to these VLANs can be either open or secure. Secure WLANs require authentication to a remote RADIUS server available within your deployment using standard RADIUS protocols. Access Points can reach both the GRE peer as well as the RADIUS server.

Previous releases supported only IPv4 tunnel end points; support for both IPv4 and IPv6 tunnel endpoints is now available. However, a tunnel needs to contain either IPv4 or IPv6 formatted device addresses and cannot mix them. With the new IPv6 tunnel implementation, all outbound packets are encapsulated with the GRE header, then the IPv6 header. The header source IP address is the local IPv6 address of the tunnel interface, and the destination address is the peer address of the tunnel.
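The encapsulation order just described (GRE header first, then the outer IP header) and the matching inbound decapsulation, as an added example that is not the guide's or the product's own code: it wraps a constructed 802.3 frame for an IPv4 or an IPv6 peer, rejects mixed address families, and derives the 24 byte (IPv4) and 44 byte (IPv6) overhead that gives the default tunnel MTUs of 1,476 and 1,456. The addresses, the 0x6558 Transparent Ethernet Bridging protocol type, the Don't Fragment flag and the absence of optional GRE fields are assumptions of this example.

```python
"""Added example, not from the reference guide: build and strip the GRE
encapsulation it describes (GRE header, then the outer IPv4 or IPv6 header)
around an Ethernet frame, and check the 24/44 byte overhead behind the
default tunnel MTUs of 1,476 (IPv4) and 1,456 (IPv6)."""
import ipaddress
import struct

IPPROTO_GRE = 47          # outer IP protocol / next-header value for GRE
GRE_PROTO_TEB = 0x6558    # assumed GRE protocol type: bridged Ethernet frames
GRE_HEADER_LEN = 4        # flags/version (2) + protocol type (2), no options
IPV4_HEADER_LEN = 20
IPV6_HEADER_LEN = 40


def tunnel_overhead(family):
    """Per-packet overhead the guide quotes: 20 + 4 (IPv4) or 40 + 4 (IPv6)."""
    if family == 4:
        return IPV4_HEADER_LEN + GRE_HEADER_LEN
    if family == 6:
        return IPV6_HEADER_LEN + GRE_HEADER_LEN
    raise ValueError("family must be 4 or 6")


def default_tunnel_mtu(family, link_mtu=1500):
    """Largest frame that still fits a 1,500 byte link once encapsulated."""
    return link_mtu - tunnel_overhead(family)


def _ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(frame, local_ip, peer_ip, dscp=0, mtu=None):
    """Wrap an Ethernet frame as GRE-in-IP; dscp goes into the outer header
    the way the DSCP Options setting copies it."""
    src, dst = ipaddress.ip_address(local_ip), ipaddress.ip_address(peer_ip)
    if src.version != dst.version:
        raise ValueError("tunnel end points must both be IPv4 or both be IPv6")
    if mtu is None:
        mtu = default_tunnel_mtu(src.version)
    if len(frame) > mtu:
        raise ValueError("frame of %d bytes exceeds tunnel MTU %d" % (len(frame), mtu))
    payload = struct.pack("!HH", 0, GRE_PROTO_TEB) + frame   # GRE header first
    if src.version == 4:
        # version/IHL, TOS (DSCP << 2), total length, ID, DF flag, TTL,
        # protocol, checksum placeholder, source, destination
        header = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2,
                             IPV4_HEADER_LEN + len(payload), 0, 0x4000, 64,
                             IPPROTO_GRE, 0, src.packed, dst.packed)
        header = header[:10] + struct.pack("!H", _ipv4_checksum(header)) + header[12:]
    else:
        # version 6, traffic class carries DSCP << 2, flow label 0
        header = struct.pack("!IHBB16s16s", (6 << 28) | (dscp << 22), len(payload),
                             IPPROTO_GRE, 64, src.packed, dst.packed)
    return header + payload


def decapsulate(packet):
    """Strip the outer IP and GRE headers; returns (frame, source, destination)."""
    version = packet[0] >> 4
    if version == 4:
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != IPPROTO_GRE or _ipv4_checksum(packet[:ihl]) != 0:
            raise ValueError("not a GRE packet with a valid IPv4 header")
        total_len = struct.unpack("!H", packet[2:4])[0]
        src, dst, inner = packet[12:16], packet[16:20], packet[ihl:total_len]
    elif version == 6:
        payload_len, next_header = struct.unpack("!HB", packet[4:7])
        if next_header != IPPROTO_GRE:
            raise ValueError("IPv6 next header is not GRE")
        src, dst, inner = packet[8:24], packet[24:40], packet[40:40 + payload_len]
    else:
        raise ValueError("unknown IP version %d" % version)
    flags, proto = struct.unpack("!HH", inner[:GRE_HEADER_LEN])
    if flags & 0xB000:          # C, K or S bit set: optional fields present
        raise ValueError("GRE checksum/key/sequence options are not handled")
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not a bridged Ethernet frame")
    return (inner[GRE_HEADER_LEN:],
            str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)))


# Constructed sample: minimal Ethernet frame (dst MAC, src MAC, IPv4 ethertype, payload).
SAMPLE_FRAME = bytes.fromhex("001122334455" "0a0b0c0d0e0f" "0800") + b"constructed payload"

if __name__ == "__main__":
    for local, peer in (("192.0.2.1", "192.0.2.2"), ("2001:db8::1", "2001:db8::2")):
        pkt = encapsulate(SAMPLE_FRAME, local, peer, dscp=46)
        frame, src, dst = decapsulate(pkt)
        print("%s -> %s: %d byte frame is %d bytes on the wire (overhead %d)"
              % (src, dst, len(frame), len(pkt), len(pkt) - len(frame)))
```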
All inbound packets are de-capsulated by removing the IPv6 and GRE headers before being sent to the IP stack.

To define a GRE configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select GRE. The screen displays existing GRE configurations.
4 Select the Add button to create a new GRE tunnel configuration or select an existing tunnel and select Edit to modify its current configuration. To remove an existing GRE tunnel, select it from amongst those displayed and select the Delete button.

Figure 8-48 Profile - Network GRE screen

5 If creating a new GRE configuration, assign it a name to distinguish its configuration.
6 Define the following settings for the GRE configuration:
DSCP Options: Use the spinner control to set the tunnel DSCP / 802.1q priority value copied from encapsulated packets to the outer packet IPv4 header.

Tunneled VLANs: Define the VLAN connected clients use to route GRE tunneled traffic within their respective WLANs.

Native VLAN: Set a numerical VLAN ID (1 - 4095) for the native VLAN. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.

Tag Native VLAN: Select this option to tag the native VLAN. The IEEE 802.1Q specification is supported for tagging frames and coordinating VLANs between devices. IEEE 802.1Q adds four bytes to each frame identifying the VLAN ID the frame belongs to for upstream devices. If the upstream Ethernet device does not support IEEE 802.1Q tagging, it does not interpret the tagged frames. When VLAN tagging is required between devices, both devices must support tagging and be configured to accept tagged VLANs. When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. This feature is disabled by default.

MTU: Set an IPv4 tunnel's maximum transmission unit (MTU) from 128 - 1,476. The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages larger than the MTU are divided into smaller packets before being sent. A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data. For IPv4, the overhead is 24 bytes (20 bytes IPv4 header + 4 bytes GRE header), thus the default setting for an IPv4 MTU is 1,476.

MTU6: Set an IPv6 tunnel's MTU from 128 - 1,456. The MTU is the largest physical packet size (in bytes) transmittable within the tunnel. Any messages larger than the MTU are divided into smaller packets before being sent. A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data. For IPv6, the overhead is 44 bytes (40 bytes IPv6 header + 4 bytes GRE header), thus the default setting for an IPv6 MTU is 1,456.

7 The Peer table lists the credentials of the GRE tunnel end points. Add new table rows as needed to add additional GRE tunnel peers. Select + Add Row to populate the table with a maximum of two peer configurations.
8 Define the following Peer parameters:
Peer Index: Assign a numeric index to each peer to help differentiate tunnel end points.

Peer IP Address: Define the IP address of the added GRE peer to serve as a network address identifier. Designate whether the IP is formatted as an IPv4 or IPv6 address. IPv4 is a connectionless protocol for packet switched networking. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

9 Set the following Establishment Criteria for the GRE tunnel configuration:
Criteria: Specify the criteria for creating the GRE tunnel. In a multi-controller RF Domain, the tunnel is always established by the master node. The tunnel is created only if the device is designated one of the following: vrrp-master, cluster-master or rf-domain-manager. If Always (the default setting) is selected, the tunnel is created unconditionally; the device need not hold any of these three roles.
VRRP Group: Set the VRRP group ID. This field is only enabled when Criteria is set to vrrp-master. A Virtual Router Redundancy Protocol (VRRP) group lets several routers act as one redundant default gateway: clients use the IP address of the VRRP virtual router as their default gateway and are served by another group member if the master becomes unavailable.
10 Define the following Failover parameters to apply to the GRE tunnel configuration:
Enable Failover: Select this option to periodically ping the primary gateway to assess its availability for failover.
Ping Interval: Set the duration between two successive pings to the gateway, in seconds, from 0 - 86,400.
Number of Retries: Set the number of unanswered pings tolerated before the session is terminated.
11 Select OK to save the changes. Select Reset to revert to the last saved configuration.

8.8.5 Setting a Profile's IGMP Snooping Configuration

The Internet Group Management Protocol (IGMP) manages IP multicast group membership. The controller or service platform listens to IGMP traffic and forwards multicast packets only to the radios to which interested hosts are connected; on the wired side of the network it floods all wired interfaces. This reduces unnecessary flooding of multicast traffic on the wireless network. To define a profile's IGMP settings:
1 Select Configuration > Profiles > Network. Expand the Network menu to display its submenu options. Select IGMP Snooping. 2 Define or override the following General IGMP parameters:
Figure 8-49 Profile - Network IGMP Snooping screen
Enable IGMP Snooping: Select this option to enable IGMP snooping. This setting is enabled by default. If disabled, per-VLAN snooping is also disabled and the settings under the bridge VLAN configuration are overridden; for example, if IGMP snooping is disabled here but enabled on the bridge VLAN, the effective setting is disabled.
Forward Unknown Multicast Packets: Select this option to forward multicast packets belonging to unregistered (unknown) multicast groups. This setting is enabled by default. If disabled, unknown multicast forwarding is also disabled for individual VLANs.
Enable Fast Leave Processing: Select this option to remove a Layer 2 LAN interface from the IGMP snooping forwarding table entry without first sending IGMP group-specific queries to the interface. On receiving a group-specific IGMPv2 leave message, IGMP snooping removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast leave shortens the time multicast keeps flowing to a port after the last host leaves, but it is only appropriate where a single host sits behind each port: other hosts sharing the port are cut off without being queried, and a forged leave from any host on the port has the same effect.
3 Set or override the following IGMP Querier parameters for the profile's bridge VLAN configuration:
Enable IGMP Querier: Select this option to enable the IGMP snooping querier. A querier keeps host memberships alive; it is primarily used where a multicast streaming server and subscribed hosts exist but no multicast router (and therefore no IGMP querier) is present. The querier sends periodic IGMP query packets and interested hosts reply with IGMP report packets. IGMP snooping is only performed on wireless radios. IGMP membership is also learned on wired ports, and group traffic is forwarded to a wired port only when a member is present on it; multicast for groups with no learned membership is flooded to the wired ports.
IGMP Version: Use the spinner control to set the IGMP version to 1, 2 or 3. IGMPv1 is defined by RFC 1112, IGMPv2 by RFC 2236 and IGMPv3 by RFC 3376 (RFC 4604 describes the use of IGMPv3 and MLDv2 for source-specific multicast). IGMPv2 adds the ability for a host to signal that it is leaving a group; IGMPv3 adds source filtering, so a host can listen only to multicast traffic from a specified set of source IP addresses. The default setting is 3.
IGMP Query Interval: Set the interval between IGMP queries in Seconds (1 - 18,000), Minutes (1 - 300) or Hours (1 - 5). The default setting is one minute.
IGMP Robustness Variable: The robustness variable is used by the sender of a query to account for expected packet loss on the subnet. Increasing it tolerates more packet loss but increases the leave latency of the subnetwork. The default value is 2.
Maximum Response Time: Specify the maximum interval (1 - 25 seconds) a host may wait before sending a report in response to a query. When no reports are received from a radio, the radio's entry is removed from the snooping table, and the controller or service platform only forwards multicast packets to radios present in the snooping table. IGMP reports received on wired ports are forwarded to the multicast router ports. The default setting is 10 seconds.
Other Querier Timer Expiry: Specify the interval, in Seconds (60 - 300) or Minutes (1 - 5), after which another querier on the network is considered to have expired. The default setting is 1 minute.
4 Select OK to save the changes. Select Reset to revert to the last saved configuration.

8.8.6 Setting a Profile's MLD Snooping Configuration

Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on their content. MLD is used by IPv6 devices to discover the hosts that want to receive multicast packets destined for specific multicast addresses. It uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and to join multicast groups. MLD snooping limits the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs.
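The snooping behaviour described for IGMP above, which MLD applies in the same way to IPv6, as an added example. This is illustrative code written for this page, not the controller's implementation: a small forwarding table that learns membership from reports, forwards group traffic only to ports with members (plus any port on which a multicast router was learned), floods or drops unknown groups according to Forward Unknown Multicast Packets, and handles a leave either with fast leave or with a group-specific query that expires after Maximum Response Time. The port names and the event sequence in scenario() are constructed.

```python
"""Added example: a minimal IGMP/MLD-style snooping forwarding table (not the device's code)."""
from dataclasses import dataclass, field


@dataclass
class SnoopingTable:
    forward_unknown: bool = True        # "Forward Unknown Multicast Packets"
    fast_leave: bool = False            # "Enable Fast Leave Processing"
    max_response_time: int = 10         # seconds a group-specific query waits for a report
    all_ports: tuple = ("radio1", "radio2", "ge1")   # constructed port names
    members: dict = field(default_factory=dict)       # group -> set of ports with members
    mrouter_ports: set = field(default_factory=set)
    pending_queries: list = field(default_factory=list)   # (group, port, deadline)

    def report(self, group, port):
        """A host on `port` reported membership in `group` (IGMP report / MLD listener report)."""
        self.members.setdefault(group, set()).add(port)
        # A report answers any outstanding group-specific query on that port.
        self.pending_queries = [q for q in self.pending_queries if (q[0], q[1]) != (group, port)]

    def learn_mrouter(self, port):
        """A general query (or router hello) was seen on `port`: treat it as a multicast router port."""
        self.mrouter_ports.add(port)

    def leave(self, group, port, now=0):
        """A host on `port` sent a leave / done message for `group`."""
        if port in self.mrouter_ports:
            return "kept"                       # never prune a router port on a host leave
        if self.fast_leave:
            self._prune(group, port)            # no query, immediate removal
            return "pruned-immediately"
        # Normal processing: ask whether other members remain and keep forwarding
        # until Maximum Response Time passes without a report.
        self.pending_queries.append((group, port, now + self.max_response_time))
        return "group-specific-query-sent"

    def tick(self, now):
        """Expire pending group-specific queries that received no report."""
        still = []
        for group, port, deadline in self.pending_queries:
            if now >= deadline:
                self._prune(group, port)
            else:
                still.append((group, port, deadline))
        self.pending_queries = still

    def _prune(self, group, port):
        ports = self.members.get(group, set())
        ports.discard(port)
        if not ports:
            self.members.pop(group, None)

    def egress(self, group):
        """Sorted list of ports to which a packet for `group` is forwarded."""
        if group in self.members:
            return sorted(self.members[group] | self.mrouter_ports)
        if self.forward_unknown:
            return sorted(self.all_ports)       # unknown group: flood
        return sorted(self.mrouter_ports)       # unknown group: only toward routers


def scenario(fast_leave):
    """Constructed event sequence; returns what is forwarded at each step."""
    t = SnoopingTable(fast_leave=fast_leave)
    t.learn_mrouter("ge1")                      # wired uplink toward the multicast router
    t.report("239.1.1.1", "radio1")
    t.report("239.1.1.1", "radio2")
    before = t.egress("239.1.1.1")
    unknown = t.egress("239.9.9.9")             # nobody joined: flooded to every port
    action = t.leave("239.1.1.1", "radio2", now=0)
    after_leave = t.egress("239.1.1.1")
    t.tick(now=10)                              # Maximum Response Time elapsed, no report
    after_timeout = t.egress("239.1.1.1")
    return dict(before=before, unknown=unknown, action=action,
                after_leave=after_leave, after_timeout=after_timeout)
```

With fast leave off, radio2 keeps receiving the group for up to Maximum Response Time after the leave; with fast leave on it is pruned at once, which is why the setting is only safe where one host sits behind each port.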
When enabled, MLD messages exchanged between hosts and multicast routers are examined to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to the interfaces connected to interested receivers instead of flooding it to all interfaces. To set an IPv6 MLD snooping configuration for the profile:
1 Select Configuration > Profiles > Network. 2 Expand the Network menu to display its submenu options. 3 Select MLD Snooping. 4 Define the following General MLD snooping settings:
Figure 8-50 Profile - Network MLD Snooping screen
Enable MLD Snooping: Enable MLD snooping to examine MLD packets and forward IPv6 multicast based on their content. Packets delivered to group members are identified by a single multicast group address and are delivered with best-effort reliability, just like IPv6 unicast. MLD snooping is disabled by default.
Forward Unknown Multicast Packets: Use this option to enable or disable forwarding of IPv6 multicast for unknown (unregistered) groups. This setting is enabled by default.
5 Define the following MLD Querier settings for the MLD snooping configuration:
Enable MLD Querier: Select this option to enable the MLD querier on the controller, service platform or Access Point. When enabled, the device sends query messages to discover which network devices are members of a given multicast group. This setting is disabled by default.
MLD Version: Define whether MLD version 1 or 2 is used by the MLD querier. MLDv1 corresponds to IGMPv2 for IPv4; MLDv2 corresponds to IGMPv3 for IPv4 and is fully backward compatible with MLDv1. The default MLD version is 2.
MLD Query Interval: Set the interval at which query messages are sent to discover multicast group memberships, in Seconds (1 - 18,000), Minutes (1 - 300) or Hours (1 - 5). The default interval is 1 minute.
MLD Robustness Variable: Set the robustness value (1 - 7) used by the sender of a query to account for expected packet loss on the subnet. Increasing it tolerates more packet loss but increases the leave latency of the subnetwork. The default value is 2.
Maximum Response Time: Specify the maximum response time (1 - 25,000 milliseconds) a listener may wait before sending a report in response to a query. Listeners use MLD reports to join and leave multicast groups and receive group traffic. The default setting is 10 milliseconds.
Other Querier Timer Expiry: Specify the interval, in Seconds (60 - 300) or Minutes (1 - 5), after which another querier on the network is considered to have expired. The default setting is 1 minute.
6 Select OK to save the changes. Select Reset to revert to the last saved configuration.

8.8.7 Setting a Profile's Quality of Service (QoS) Configuration

QoS values give some packets priority over others. For example, voice packets get higher priority than data packets so that latency-sensitive voice traffic receives a better quality of service. The profile QoS screen maps the 6-bit Differentiated Services Code Point (DSCP) values carried in the IPv4 Type of Service byte and the IPv6 Traffic Class field to 3-bit 802.1p priorities, the same width as the older IP Precedence field that the DSCP replaced. DSCP classifies traffic so that certain traffic types get precedence, by specifying a per-hop behavior applied to the packet at each router. To define a QoS configuration for DSCP and IPv6 traffic class mappings:
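Before the configuration steps, an added example of the header fields the Priority Mapping tab (steps 12 - 15 below) works on. This is code written for this page, not the device's implementation: it extracts the 6-bit DSCP from an IPv4 Type of Service byte or an IPv6 Traffic Class field, looks it up in a DSCP-to-802.1p table, and writes the result into the 3-bit Priority Code Point of an 802.1Q tag added to an untagged frame. The mapping table DSCP_TO_PCP and the packet bytes are constructed for the example and are not the device's default mapping.

```python
"""Added example: DSCP / IPv6 traffic class to 802.1p priority (not the device's code)."""
import struct

# 802.1p priority names as listed in the guide (802.1D-1998 naming).
PRIORITY_NAMES = {0: "Best Effort", 1: "Background", 2: "Spare", 3: "Excellent Effort",
                  4: "Controlled Load", 5: "Video", 6: "Voice", 7: "Network Control"}

# Constructed mapping: DSCP -> 802.1p (EF, AF41, AF31, AF11, BE). Any DSCP not listed
# falls back to its top three bits, the old IP Precedence value, which is the
# 6-bit to 3-bit relationship the guide describes.
DSCP_TO_PCP = {46: 6, 34: 5, 26: 3, 10: 1, 0: 0}


def dscp_from_ip_header(pkt: bytes) -> int:
    """Return the DSCP of a raw IPv4 or IPv6 header (no link-layer header in front)."""
    version = pkt[0] >> 4
    if version == 4:
        tos = pkt[1]                                    # Type of Service byte
    elif version == 6:
        # Traffic Class straddles bytes 0 and 1: low nibble of byte 0, high nibble of byte 1.
        tos = ((pkt[0] & 0x0F) << 4) | (pkt[1] >> 4)
    else:
        raise ValueError(f"not an IP packet (version {version})")
    return tos >> 2                                     # upper 6 bits = DSCP, low 2 bits = ECN


def pcp_for_dscp(dscp: int) -> int:
    """Map a DSCP value to a 3-bit 802.1p priority (0 - 7)."""
    return DSCP_TO_PCP.get(dscp, dscp >> 3)


def tag_untagged_frame(dst_mac: bytes, src_mac: bytes, ethertype: int,
                       ip_pkt: bytes, vlan: int) -> bytes:
    """Insert an 802.1Q tag whose PCP is derived from the packet's DSCP."""
    pcp = pcp_for_dscp(dscp_from_ip_header(ip_pkt))
    tci = (pcp << 13) | (vlan & 0x0FFF)                # PCP(3) | DEI(1)=0 | VID(12)
    return dst_mac + src_mac + struct.pack("!HH", 0x8100, tci) + struct.pack("!H", ethertype) + ip_pkt


def ipv4_header(dscp: int) -> bytes:
    """Constructed minimal 20-byte IPv4 header carrying `dscp`; other fields are arbitrary."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20, 0, 0, 64, 17, 0,
                       bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


def ipv6_header(dscp: int) -> bytes:
    """Constructed minimal 40-byte IPv6 header carrying `dscp` in its Traffic Class."""
    first_word = (6 << 28) | ((dscp << 2) << 20)        # version | traffic class | flow label 0
    return struct.pack("!IHBB", first_word, 0, 17, 64) + bytes(16) + bytes(16)
```

The DSCP is whatever the sending host put there, so on untrusted access ports a client can mark its own traffic as Voice or Network Control; a mapping like this should be paired with remarking or resetting DSCP at the network edge.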
1 Select Configuration > Profiles > Network. 2 Expand the Network menu to display its submenu options. 3 Select Quality of Service. The Traffic Shaping screen displays with the Basic Configuration tab selected by default.
Figure 8-51 Profile Overrides - Network QoS Traffic Shaping Basic Configuration screen
Traffic shaping can be applied to specific applications or to application categories. When application and ACL rules conflict, applications take priority, followed by application categories, then ACLs. 4 Select Enable to provide traffic shaping using the defined bandwidth, rate and class mappings. 5 Set the Total Bandwidth available to the traffic shaper, from 1 - 1,000 Mbps or from 250 - 1,000,000 Kbps.
Rate Configuration: Select + Add Row to set the Class Index (1 - 4) and Rate (in Kbps, Mbps or as a percentage) for each traffic shaper class. Rate configuration caps the traffic rate sent or received on the device; use it on interfaces at the edge of the network to limit traffic into or out of the network. Traffic within the limit is sent; traffic exceeding it is dropped or sent with a different priority.
IP ACL Class Mapping: Select + Add Row to map an IPv4 ACL to a shaper class.
IPv6 ACL Class Mapping: Select + Add Row to map an IPv6 ACL to a shaper class. For more information on creating IP based firewall rules, refer to Configuring IP Firewall Rules on page 10-20 and Setting an IPv4 or IPv6 Firewall Policy on page 10-21.
App-Category to Class Mapping: Select + Add Row, then select an application category and its traffic shaper class.
Application to Class Mapping: Select + Add Row, then select an application and its traffic shaper class. For more information on creating applications and application categories, refer to Application on page 7-58.
6 Select OK to save the changes to the traffic shaping basic configuration. Select Reset to revert to the last saved configuration. 7 Select the Advanced Configuration tab.
Figure 8-52 Profile Overrides - Network QoS Traffic Shaping Advanced Configuration screen
8 Set the following Activation Criteria for traffic shaper activation:
Activation Criteria: Use the drop-down menu to determine when the traffic shaper is invoked. Options include vrrp-master, cluster-master, rf-domain-manager and Always. A VRRP master responds to ARP requests for the virtual router's IP address, forwards packets whose destination MAC address equals the virtual router MAC address, and accepts packets addressed to the virtual router's IP address only if it is the owner of that address (otherwise it does not accept them). The solitary cluster master is the cluster member elected, using a priority assignment scheme, to provide management configuration and Smart RF data to the other cluster members; cluster requests go through the elected master before dissemination to the other members. The RF Domain manager is the elected member capable of storing and provisioning configuration and firmware images for the other members of the RF Domain.
VRRP Group: Set the VRRP group ID from 1 - 255. This field is only enabled when the Activation Criteria is set to vrrp-master.
9 Select + Add Row within the Buffers Configuration table to set the following:
Class Index: Set a class index from 1 - 4.
Max Buffers: Set the queue length limit (maximum number of buffered packets) after which the queue drops every arriving packet. The upper limit is 400 for Access Points.
RED Level: Set the queue length at which random early detection (RED) begins dropping packets. The upper limit is 400 for Access Points. The rate limiter uses RED, a queueing technique for congestion avoidance: it monitors the average queue size and drops or marks packets probabilistically. While the queue is below the RED level all incoming packets are accepted; as the queue grows past it, the probability of dropping an incoming packet grows; when the buffer is full the probability reaches 1 and all incoming packets are dropped.
RED Percent: Set the percentage (1 - 100) of the maximum buffers applied to RED rate limiting.
Latency Configuration: Select + Add Row to set the Class Index (1 - 4), Max Latency and the latency measurement Unit (msec, the default, or usec). Max latency is the time limit (maximum packet delay in the queue) after which packets are dropped: a packet that has waited longer than this value is discarded rather than sent. By default no latency limit is set, so packets can remain in the queue for a long time. The maximum number of entries is 8.
Queue Priority Mapping: Use this table to set the traffic shaper queue priority and specify a particular queue inside a class. There are 8 queues (0 - 7), and traffic is placed in a queue according to the incoming packet's 802.1p marking.
10 Select OK to save the changes to the traffic shaping advanced configuration. Select Reset to revert to the last saved configuration. 11 Select the Priority Mapping tab.
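The buffer, RED and latency parameters of the Advanced Configuration tab above, as an added example. This is illustrative code written for this page, not the device's implementation: one shaper class queue with Max Buffers, RED Level, RED Percent and Max Latency. The guide does not specify the device's RED curve, so the linear ramp between RED Level and Max Buffers, scaled by RED Percent, is an assumption, as is the use of instantaneous rather than averaged queue depth.

```python
"""Added example: admission and latency-drop logic of one traffic shaper class (not the device's code)."""
import random
from collections import deque


class ShaperClassQueue:
    def __init__(self, max_buffers=400, red_level=300, red_percent=100,
                 max_latency_ms=None, rng=None):
        self.max_buffers = max_buffers          # tail-drop limit
        self.red_level = red_level              # depth at which RED starts dropping
        self.red_percent = red_percent          # scales the RED drop probability (assumption)
        self.max_latency_ms = max_latency_ms    # None = no latency limit (the guide's default)
        self.rng = rng or random.Random(0)      # seeded so runs are reproducible
        self.queue = deque()                    # (arrival_ms, packet)
        self.drops = {"tail": 0, "red": 0, "latency": 0}

    def drop_probability(self) -> float:
        """0 below RED Level, 1 at Max Buffers, linear ramp in between times RED Percent (assumption)."""
        depth = len(self.queue)
        if depth >= self.max_buffers:
            return 1.0
        if depth < self.red_level:
            return 0.0
        ramp = (depth - self.red_level) / (self.max_buffers - self.red_level)
        return ramp * self.red_percent / 100.0

    def enqueue(self, packet, now_ms) -> bool:
        """Admit or drop an arriving packet; returns True if queued."""
        p = self.drop_probability()
        if p >= 1.0:
            self.drops["tail"] += 1
            return False
        if p > 0 and self.rng.random() < p:
            self.drops["red"] += 1
            return False
        self.queue.append((now_ms, packet))
        return True

    def dequeue(self, now_ms):
        """Pop the head of the queue, discarding packets that exceeded Max Latency while waiting."""
        while self.queue:
            arrival, packet = self.queue.popleft()
            if self.max_latency_ms is not None and now_ms - arrival > self.max_latency_ms:
                self.drops["latency"] += 1
                continue
            return packet
        return None


def burst(n_packets, **cfg):
    """Offer n packets at once with no dequeue; return (accepted, drop counters)."""
    q = ShaperClassQueue(**cfg)
    accepted = sum(q.enqueue(f"pkt{i}", now_ms=0) for i in range(n_packets))
    return accepted, dict(q.drops)


def latency_demo(max_latency_ms=5):
    """Three packets queued at 0, 1 and 8 ms; the first two exceed Max Latency by 10 ms."""
    q = ShaperClassQueue(max_latency_ms=max_latency_ms)
    for t in (0, 1, 8):
        q.enqueue(f"pkt@{t}", now_ms=t)
    first = q.dequeue(now_ms=10)
    return first, q.drops["latency"]
```

With RED Level equal to Max Buffers the class degrades to plain tail drop; with RED Level below it, drops begin before the buffer is full, which is what keeps one bursty class from consuming the whole queue.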
Figure 8-53 Profile - Network QoS screen
12 Set the following DSCP Mapping for untagged frames:
DSCP: Lists the DSCP value, a 6-bit field in the header of every IP packet used for packet classification. Up to 64 entries (one per DSCP value) are permitted.
802.1p Priority: Assign the 3-bit 802.1p priority (0 - 7) applied to untagged frames carrying this DSCP value. The priority values are:
0 Best Effort
1 Background
2 Spare
3 Excellent Effort
4 Controlled Load
5 Video
6 Voice
7 Network Control
13 Use the spinner controls within the 802.1p Priority field for each DSCP row to change the priority value. 14 Set the IPv6 Traffic Class Mapping to map IPv6 traffic classes to 802.1p priorities for untagged frames:
Traffic Class: Devices that originate a packet identify its class or priority in the Traffic Class field of the IPv6 header, the IPv6 counterpart of the IPv4 Type of Service byte, whose upper 6 bits carry the DSCP. Up to 64 entries are permitted.
802.1p Priority: Assign the 3-bit 802.1p priority (0 - 7) applied to untagged frames carrying this traffic class, using the same priority values listed above.
15 Use the spinner controls within the 802.1p Priority field for each Traffic Class row to change the priority value. 16 Select OK to save the changes. Select Reset to revert to the last saved configuration.

8.8.8 Setting a Profile's Spanning Tree Configuration

The Multiple Spanning Tree Protocol (MSTP) extends STP to make better use of VLANs. MSTP allows a separate spanning tree for each group of VLANs, and blocks all but one of the possible alternate paths within each spanning tree topology. If there is just one VLAN in the Access Point managed network, a single spanning tree works fine. If the network contains more than one VLAN, the topology defined by a single STP instance still works, but the alternate paths can be put to better use by running a separate spanning tree for different VLANs or groups of VLANs. An MSTP deployment uses one or more MST regions, each with multiple MST instances (MSTIs). Regions and other STP bridges are interconnected by a single common spanning tree (CST). MSTP carries all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format; BPDUs are used to exchange bridge IDs and root path costs. This reduces the number of BPDUs needed to communicate spanning tree information for each VLAN and keeps backward compatibility with RSTP. MSTP encodes additional region information after the standard RSTP BPDU, followed by a number of MSTI messages; each MSTI message conveys the spanning tree information for one instance, and each instance can be assigned a number of configured VLANs.
Frames assigned to these VLANs follow that spanning tree instance while inside the MST region. To avoid carrying the entire VLAN-to-instance mapping in each BPDU, the Access Point encodes an MD5-based digest of its VLAN-to-instance table in the MSTP BPDU. Other MSTP devices compare this digest (together with the MST config name and revision level) to determine whether the neighboring device is in the same MST region. MD5 is a message digest algorithm producing a 128-bit (16-byte) hash value, usually written as 32 hexadecimal digits. MD5 is no longer collision resistant and should not be relied on for security purposes; here it serves only as a compact fingerprint of the mapping table. Because the digest, name and revision are all sent in clear text in BPDUs, region membership identifies a neighbor's configuration but does not authenticate it: any device able to inject BPDUs can claim the same region. Use BPDU Guard on edge ports (see the PortFast parameters below) to keep untrusted ports out of the topology. To define a spanning tree configuration:
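Before the configuration steps, the region digest described above as an added example. This is code written for this page, not the Access Point's implementation. It follows the procedure in IEEE 802.1Q (originally 802.1s): the digest is HMAC-MD5 over the 4096-entry VLAN-to-MSTI table (one big-endian 16-bit MSTID per VLAN, VLAN 0 through 4095), keyed with the fixed, published signature key 0x13AC06A62E47FD51F95D2BA243CD0346. The dictionary layout used for a bridge's region identifier in same_region() is an assumption made for the example.

```python
"""Added example: the MST configuration digest carried in MSTP BPDUs (not the device's code)."""
import hashlib
import hmac

# Fixed signature key from IEEE 802.1s/802.1Q. It is public, so the digest is a
# fingerprint of the mapping, not a message authentication code.
MSTP_SIGNATURE_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")


def vlan_to_msti_table(instance_vlans: dict) -> bytes:
    """Build the 8192-byte table from {msti: [vlan, ...]}; unmapped VLANs stay in MSTI 0 (the CIST)."""
    table = [0] * 4096                      # index = VLAN ID, value = MSTI
    for msti, vlans in instance_vlans.items():
        if not 0 <= msti <= 64:
            raise ValueError(f"MSTI {msti} out of range")
        for vlan in vlans:
            if not 1 <= vlan <= 4094:
                raise ValueError(f"VLAN {vlan} out of range")
            table[vlan] = msti
    return b"".join(m.to_bytes(2, "big") for m in table)


def mst_config_digest(instance_vlans: dict) -> str:
    """Return the 32-hex-digit MST configuration digest for a VLAN-to-instance mapping."""
    mac = hmac.new(MSTP_SIGNATURE_KEY, vlan_to_msti_table(instance_vlans), hashlib.md5)
    return mac.hexdigest().upper()


def same_region(a: dict, b: dict) -> bool:
    """Region test as a neighbor performs it: name, revision and digest must all match.
    Each argument is {"name": str, "revision": int, "instances": {msti: [vlans]}} (assumed layout)."""
    return (a["name"] == b["name"]
            and a["revision"] == b["revision"]
            and mst_config_digest(a["instances"]) == mst_config_digest(b["instances"]))
```

The default digest (every VLAN in instance 0) is the value most vendors print for an unconfigured MSTP bridge, which is a convenient check that the table layout is right. Two bridges that map the same VLANs to instances in a different grouping get different digests and will not form one region even with matching name and revision.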
1 Select Configuration > Profiles > Network. 2 Expand the Network menu to display its submenu options. 3 Select Spanning Tree. 4 Set the following MSTP Configuration parameters:
Figure 8-54 Profile - Network Spanning Tree screen
MSTP Enable: Select this option to enable MSTP for this profile. MSTP is disabled by default; enable it if the network segment supported by the profile requires separate spanning trees for different VLANs or groups of VLANs.
Max Hop Count: Define the maximum number of hops for which a BPDU is considered valid in the spanning tree topology. The available range is 7 - 127. The default setting is 20.
MST Config Name: Define a name (64 characters maximum) identifying the MST region.
MST Revision Level: Set a numeric revision value for the MST configuration information, from 0 - 255. The default setting is 0. Bridges must agree on the config name, the revision level and the VLAN-to-instance mapping to belong to the same region.
Cisco MSTP Interoperability: Select Enable or Disable to enable or disable interoperability with Cisco's version of MSTP, which is incompatible with standard MSTP. This setting is disabled by default.
Hello Time: Set the BPDU hello interval from 1 - 10 seconds. BPDUs are exchanged regularly (every 2 seconds by default) and enable supported devices to keep track of network changes and to start or stop port forwarding as required.
Forward Delay: Set the forward delay from 4 - 30 seconds. When a device is first attached to a port, the port does not immediately start forwarding data; it first processes BPDUs and determines the network topology, passing through the listening and learning states before reaching the forwarding state. The time spent in each of the listening and learning states is the forward delay (15 seconds by default).
Maximum Age: Use the spinner control to set the maximum time (in seconds) to wait for BPDUs from the root bridge before the stored topology information is considered stale. The root bridge is the spanning tree bridge with the smallest (lowest) bridge ID; each bridge has a unique ID made up of a configurable priority number and its MAC address. The available range is 6 - 40. The default setting is 20.
5 Set the following PortFast parameters for the profile configuration:
PortFast BPDU Filter: Select Enable to apply a BPDU filter to PortFast-enabled ports. With the filter enabled the port neither transmits nor receives BPDUs. BPDUs are exchanged regularly and enable the Access Point to keep track of network changes and to start and stop port forwarding as required. The default setting is disabled.
PortFast BPDU Guard: Select Enable to apply BPDU guard to PortFast-enabled ports. With BPDU guard enabled the port is shut down (error-disabled) on receiving a BPDU, so no BPDUs from it are processed. This protects the topology from a rogue or misconfigured switch attached to an edge port. The default setting is disabled.
6 Set the following Error Disable parameters for the profile configuration:
Enable Recovery: Select this option to enable an error-disable timeout for ports shut down by BPDU guard, so they are re-enabled automatically after the recovery interval. This setting is disabled by default.
Recovery Interval: Define the recovery interval after which error-disabled ports are re-enabled. The available range is 10 - 1,000,000 seconds with a default setting of 300.
7 Use the Spanning Tree Instance table to add instance indexes to the spanning tree topology. Add up to 16 indexes and use the Priority setting to define the bridge priority used to determine the root bridge for each instance. The lower the priority value, the greater the likelihood of this bridge becoming the root bridge for that instance. 8 Use the Spanning Tree Instance VLANs table to map VLANs (by numeric ID) to instance indexes. 9 Select OK to save the changes. Select Reset to revert to the last saved configuration.

8.8.9 Setting a Profile's Routing Configuration

Routing is the process of selecting the IP paths along which network traffic is forwarded. A static route pairs a Destination IP network with the Gateway used to reach it, so that traffic for known destinations is forwarded without a dynamic routing protocol. Both IPv4 and IPv6 routes are separately configurable using their respective tabs. For IPv6 networks, routing provides forwarding between hosts located on separate segments within a larger IPv6 network, where IPv6 routers forward packets on behalf of other IPv6 hosts. To create a profile's static routes:
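Before the configuration steps, an added example of how the routing settings defined below interact: longest-prefix match over the Static Routes and IPv6 Routes tables, the Unique Local Address reject route, the Static and DHCP Client Default Route Priority values, gateway failover under Enable Routing Failure, and the requirement that a link-local IPv6 gateway be paired with an Interface. This is illustrative code written for this page, not the controller's implementation. The guide gives the priority ranges and defaults but not the comparison rule, so treating the lowest priority value as preferred is an assumption; all addresses are constructed.

```python
"""Added example: a small static routing table with reject routes, default-route priorities and failover (not the device's code)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str                 # destination network, e.g. "10.50.0.0/16" or "fd00:1::/64"
    gateway: str = None         # next hop; None for a reject route
    interface: str = None       # VLAN, required when the gateway is link-local (fe80::/10)
    priority: int = 100         # lower value preferred among equal-length matches (assumption)
    reject: bool = False        # reject entry: matching packets are dropped, not forwarded

    def __post_init__(self):
        net = ipaddress.ip_network(self.prefix)
        if self.gateway is not None:
            gw = ipaddress.ip_address(self.gateway)
            if gw.version != net.version:
                raise ValueError("gateway address family must match the prefix")
            if gw.is_link_local and self.interface is None:
                raise ValueError("a link-local gateway needs an interface (VLAN)")


class RoutingTable:
    def __init__(self, routing_failure=True):
        self.routes = []
        self.down = set()                       # gateways currently failing monitoring
        self.routing_failure = routing_failure  # "Enable Routing Failure"

    def add(self, route: Route):
        self.routes.append(route)

    def gateway_down(self, gw):
        self.down.add(gw)

    def gateway_up(self, gw):
        self.down.discard(gw)

    def lookup(self, dst: str):
        """Return ("forward", route), ("reject", None) or ("unreachable", None)."""
        addr = ipaddress.ip_address(dst)
        nets = {r: ipaddress.ip_network(r.prefix) for r in self.routes}
        candidates = [r for r, n in nets.items() if n.version == addr.version and addr in n]
        if not candidates:
            return ("unreachable", None)
        longest = max(nets[r].prefixlen for r in candidates)         # longest-prefix match
        best = [r for r in candidates if nets[r].prefixlen == longest]
        if any(r.reject for r in best):
            return ("reject", None)
        best.sort(key=lambda r: r.priority)                          # lowest priority value first
        for r in best:
            if not self.routing_failure or r.gateway not in self.down:
                return ("forward", r)
        return ("unreachable", None)                                 # every candidate gateway is down


def build_example_table():
    """Constructed table mirroring the screens: two IPv4 defaults, one static route, ULA reject, IPv6 routes."""
    t = RoutingTable()
    t.add(Route("0.0.0.0/0", "192.0.2.1", priority=100))        # static default route (default priority 100)
    t.add(Route("0.0.0.0/0", "192.0.2.254", priority=1000))     # DHCP-learned default route (default priority 1000)
    t.add(Route("10.50.0.0/16", "192.0.2.9"))
    t.add(Route("fc00::/7", reject=True))                        # Unique Local Address Reject Route
    t.add(Route("fd00:1::/64", "fe80::1", interface="vlan10"))  # more specific ULA route, link-local next hop
    t.add(Route("::/0", "2001:db8::1"))
    return t
```

Without the reject entry, ULA-addressed traffic that matches no specific route would leave via the IPv6 default gateway; with it, only ULA prefixes that have an explicit, longer route (fd00:1::/64 here) are forwarded.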
1 Select Configuration > Profiles > Network. 2 Expand the Network menu to display its submenu options. 3 Select Routing. The IPv4 Routing tab displays by default.
Figure 8-55 Static Routes screen, IPv4 Routing tab
4 Select IP Routing to enable static routes using IP addresses. This option is enabled by default. Use the drop-down menu to select a Policy Based Routing policy. If a suitable policy is unavailable, select the Create icon, or modify an existing policy-based routing policy by selecting the Edit icon. Policy-based routing (PBR) forwards packets based on policies defined by administrators rather than on the destination address alone, complementing the existing routing protocols. PBR is applied to incoming packets: packets received on an interface with PBR enabled are passed through enhanced packet filters (route maps) and, based on the matching route map, forwarded to their next hop. 5 Refer to the Static Routes table to define the destination networks and the gateways used to reach them. Add IP addresses and network masks in the Network Address column and provide the Gateway address used to route traffic to each network. Provide an IP address for the Default Gateway used to route traffic that matches no other route. Note that, when routing packets, the system by default obtains the IP addresses of the Default Gateway and Name Servers from the DHCP server policy. If manually configuring the Default Gateway for static routing, also configure the Name Server IP address in the device or profile configuration context. For more information on using the GUI to configure Name Servers, see Setting a Profile's DNS Configuration. If using the CLI, in the device or profile configuration context, execute the following command: ip name-server <NAME-SERVER-IP-ADDRESS>. 6 Refer to the Default Route Priority field to set the following:
Static Default Route Priority: Use the spinner control to set the priority value (1 - 8,000) for the statically configured default route. This is the weight assigned to this route relative to the other default routes that have been defined. The default setting is 100.
DHCP Client Default Route Priority: Use the spinner control to set the priority value (1 - 8,000) for the default route learned from the DHCP client. The default setting is 1000.
Enable Routing Failure: When selected, all default gateways are monitored for activity, and the system fails over to a live gateway if the current gateway becomes unusable. This setting is enabled by default.
7 Select OK (at the bottom right of the screen) to save the changes to the IPv4 routing configuration. Select Reset to revert to the last saved configuration. 8 Select the IPv6 Routing tab. IPv6 networks are connected by IPv6 routers, which pass IPv6 packets from one network segment to another.
Figure 8-56 Static Routes screen, IPv6 Routing tab
9 Select Unicast Routing to enable IPv6 unicast routing for this profile. Keeping unicast routing enabled allows the profile's neighbor advertisements and solicitations to be sent as unicast (as well as multicast) for better neighbor discovery. This setting is enabled by default. 10 Select Unique Local Address Reject Route to reject Unique Local Addresses (ULA). ULA is the IPv6 address block fc00::/7, the approximate IPv6 counterpart of IPv4 private addresses. When selected, a reject entry is added to the IPv6 routing table, so packets destined for Unique Local Addresses that match no more specific route are dropped instead of being forwarded toward the default gateway. 11 Set a System Neighbor Solicitation Retransmit Interval (1,000 - 3,600,000 milliseconds) as the interval between neighbor solicitation (NS) messages. NS messages are sent by a node to determine the link layer address of a neighbor, or to verify that a neighbor is still reachable via a cached link-layer address. The default is 1,000 milliseconds. 12 Set a System Neighbor Discovery Reachable Time (5,000 - 3,600,000 milliseconds) as the time a neighbor is assumed reachable after a neighbor discovery (ND) reachability confirmation is received. The default is 30,000 milliseconds. 13 Set an IPv6 Hop Count (1 - 255) as the hop limit placed in IPv6 packets the device originates. The default setting is 64. 14 Set the Router Advertisement Conversion to Unicast settings:
RA Convert: Select this option to convert multicast router advertisements (RAs) to unicast router advertisements at the 802.11 layer, so each wireless client receives its own copy. A unicast address identifies a single network interface, whereas a multicast address is shared by multiple hosts. This setting is disabled by default.
Throttle: Select this option to throttle RAs before converting them to unicast. Once enabled, set the throttle interval and the maximum number of RAs. This setting is disabled by default.
Throttle Interval: Define the throttle interval (3 - 1,800 seconds). The default setting is 3 seconds.
Max RAs: Define the maximum number of router advertisements per router (1 - 256) allowed during the throttle interval. The default setting is 1.
15 Select + Add Row as needed within the IPv6 Routes table to add IPv6 routes; up to 256 can be defined.
Figure 8-57 Static Routes screen, Add IPv6 Route
Network Address: Set the IPv6 destination network address and prefix length. Apart from its length and notation, an IPv6 route destination works the same way as an IPv4 one.
Gateway: Set the IPv6 route gateway, the next-hop address through which traffic leaves the current subnet, as in IPv4.
Interface: If the gateway is a link-local address, set the VLAN (1 - 4,094) used as the virtual routing interface for that address, since a link-local next hop is only meaningful on a specific link.
16 Select OK (at the bottom right of the screen) to save the changes to the IPv6 routing configuration. Select Reset to revert to the last saved configuration.

8.8.10 Setting a Profile's Dynamic Routing (OSPF) Configuration

Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), such as an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology.
The topology determines the routing table presented to the Internet Layer which makes routing decisions based solely on the destination IP address found in IP packets. OSPF detects changes in the topology, like a link failure, and plots a new loop-free routing structure. It computes the shortest path for each route using a shortest path first algorithm. Link state data is maintained on each router and is periodically updated on all OSPF member routers. OSPF uses a route table managed by the link cost (external metrics) defined for each routing interface. The cost could be the distance of a router (round-trip time), link throughput or link availability. Setting a cost value provides a dynamic way to load balancing traffic between routes of equal cost. Wireless Controller and Service Platform System Reference Guide 8 - 110 Profile Configuration An OSPF network can be subdivided into routing areas to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network by the connecting router. Areas are identified by 32-bit IDs, expressed either in decimal, or octet-based dot-decimal notation. Areas can defined as:
stub area - A stub area is an area which does not receive route advertisements external to the autonomous system (AS), and routing from within the area is based entirely on a default route.
totally-stub - A totally stubby area does not allow summary routes and external routes. A default route is the only way to route traffic outside of the area. When there's only one route out of the area, fewer routing decisions are needed, lowering system resource utilization.
non-stub - A non-stub area imports autonomous system external routes and sends them to other areas. However, it still cannot receive external routes from other areas.
nssa - NSSA is an extension of a stub that allows the injection of limited external routes into a stub area. If selecting NSSA, no external routes, except a default route, enter the area.
totally nssa - A totally NSSA is an NSSA into which type 3 and type 4 summary routes are not flooded. It is also possible to declare an area both totally stubby and not-so-stubby, which means that the area will receive only the default route from area 0.0.0.0, but can also contain an autonomous system boundary router (ASBR) that accepts external routing information and injects it into the local area, and from the local area into area 0.0.0.0.
A router running OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors. OSPF is aware of layer 2 topologies. If on a point-to-point link, OSPF knows it is sufficient, and the link stays up. If on a broadcast link, the router waits for election before determining if the link is functional. To define a dynamic routing configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Expand the Network menu and select OSPF. The OSPF Settings tab displays by default, with additional Area Settings and Interface Settings tabs available.
4 Enable/disable OSPF and provide the following dynamic routing settings:
Figure 8-58 OSPF Settings screen
Enable OSPF: Select this option to enable OSPF for this Access Point. OSPF is disabled by default.
Router ID: Select this option to define a router ID (numeric IP address) for this Access Point. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network.
Auto-Cost: Select this option to specify the reference bandwidth (in Mbps) used to calculate the OSPF interface cost if OSPF is either STUB or NSSA. The default setting is 1.
Passive Mode on All Interfaces: When selected, all layer 3 interfaces are set as an OSPF passive interface. This setting is disabled by default.
Passive Removed: If enabling Passive Mode on All Interfaces, use the spinner control to select VLANs (by numeric ID) as OSPF non passive interfaces. Multiple VLANs can be added to the list.
Passive Mode: If disabling Passive Mode on All Interfaces, use the spinner control to select VLANs (by numeric ID) as OSPF passive interfaces. Multiple VLANs can be added to the list.
VRRP State Check: Select this option to use OSPF only if the VRRP interface is not in a backup state. The Virtual Router Redundancy Protocol (VRRP) provides automatic assignment of available Internet Protocol (IP) routers to participating hosts. This increases the availability and reliability of routing paths via automatic default gateway selections on an IP subnetwork. This setting is enabled by default.
5 Set the following OSPF Overload Protection settings:
Number of Routes: Use the spinner control to set the maximum number of OSPF routes permitted. The available range is from 1 - 4,294,967,295.
Retry Count: Set the maximum number of retries (OSPF resets) permitted before the OSPF process is shut down. The available range is from 1 - 32. The default setting is 5.
Retry Time Out: Set the duration (in seconds) the OSPF process remains off before initiating its next retry. The available range is from 1 - 3,600 seconds. The default is 60 seconds.
Reset Time: Set the reset time (in seconds) that, when exceeded, resets the retry count to zero. The available range is from 1 - 86,400. The default is 360 seconds.
6 Set the following Default Information:
Originate: Select this option to make the default route a distributed route. This setting is disabled by default.
Always: Enabling this setting continuously maintains a default route, even when no routes appear in the routing table. This setting is disabled by default.
Metric Type: Select this option to define the exterior metric type (1 or 2) used with the default route.
Route Metric: Select this option to define the route metric used with the default route. OSPF uses path cost as its routing metric. It's defined by the speed (bandwidth) of the interface supporting a given route.
7 Refer to the Route Redistribution table to set the types of routes that can be used by OSPF. Select the + Add Row button to populate the table. Set the Route Type used to define the redistributed route. Options include connected, kernel and static. Select the Metric Type option to define the exterior metric type (1 or 2) used with the route redistribution. Select the Metric option to define the route metric used with the redistributed route.
8 Use the OSPF Network table to define networks (IP addresses) to connect using dynamic routes. Select the + Add Row button to populate the table. Add the IP address and mask of the network(s) participating in OSPF. Additionally, define the OSPF area (IP address) to which the network belongs.
9 Set an OSPF Default Route Priority (1 - 8,000) as the priority of the default route learned from OSPF. The default value is 7000.
10 Select the Area Settings tab. An OSPF Area contains a set of routers exchanging Link State Advertisements (LSAs) with others in the same area. Areas limit LSAs and encourage aggregate routes.
11 Review existing Area Setting configurations:
Figure 8-59 OSPF Area Settings screen
Area ID: Displays either the IP address or integer representing the OSPF area.
Authentication Type: Lists the authentication schemes used to validate the credentials of dynamic route connections.
Type: Lists the OSPF area type in each listed configuration.
12 Select Add to create a new OSPF configuration, Edit to modify an existing configuration or Delete to remove a configuration.
13 Set the OSPF Area configuration.
Figure 8-60 OSPF Area Configuration screen
Area ID: Use the drop down menu and specify either an IP address or Integer for the OSPF area.
Authentication Type: Select either None, simple-password or message-digest as the credential validation scheme used with the OSPF dynamic route. The default setting is None.
Type: Set the OSPF area type as either stub, totally-stub, nssa, totally-nssa or non-stub.
Default Cost: Select this option to set the default summary cost advertised if creating a stub. Set a value from 1 - 16,777,215.
Translate Type: Define how messages are translated. Options include translate-candidate, translate-always and translate-never. The default setting is translate-candidate.
Range: Specify a range of addresses for routes matching the address/mask for OSPF summarization.
14 Select the OK button to save the changes to the area configuration. Select Reset to revert to the last saved configuration.
15 Select the Interface Settings tab.
16 Review existing Interface Settings using the following:
Figure 8-61 OSPF Interface Settings screen
Name: Displays the name defined for the interface configuration.
Type: Displays the type of interface.
Description: Lists each interface's 32 character maximum description.
Admin Status: Displays whether administrative privileges have been enabled (with a green checkmark) or disabled (defined by a red X) for the OSPF route's virtual interface connection.
VLAN: Lists the VLAN IDs set for each listed OSPF route virtual interface.
IP Address: Displays the IP addresses defined as virtual interfaces for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided.
17 Select the Add button to define a new set of virtual interface basic settings, or Edit to update the settings of an existing virtual interface configuration.
Figure 8-62 Virtual Interfaces - Basic Configuration screen - General tab
The Basic Configuration screen's General tab displays by default, regardless of whether a new Virtual Interface is created or an existing one is being modified for the OSPF configuration.
18 If creating a new Virtual Interface, use the VLAN ID spinner control to define a numeric ID from 1 - 4094. Select the Continue button to initialize the rest of the parameters on the screen.
19 Define the following parameters from within the Properties field:
Description: Provide or edit a description (up to 64 characters) for the Virtual Interface that helps differentiate it from others with similar configurations.
Admin Status: Select either the Disabled or Enabled radio button to define this interface's current status. When set to Enabled, the Virtual Interface is operational and available. The default value is enabled.
20 Define the following NAT parameters from within the Network Address Translation (NAT) field:
NAT Direction: Define the Network Address Translation (NAT) direction. Options include:
Inside - The inside network is transmitting data over the network to its intended destination. On the way out, the source IP address is changed in the header and replaced by the (public) IP address.
Outside - Packets passing through the NAT on the way back to the controller or service platform managed LAN are checked against the records kept by the NAT engine. There, the destination IP address is changed back to the specific internal private class IP address in order to reach the LAN over the network.
None - No NAT activity takes place. This is the default setting.
21 Set the following DHCPv6 Client Configuration. The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) provides a framework for passing configuration information.
Stateless DHCPv6 Client: Select this option to request information from the DHCPv6 server using stateless DHCPv6. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is disabled by default.
Prefix Delegation Client: Specify a 32 character maximum request prefix for prefix delegation from a DHCPv6 server over this virtual interface.
Request DHCPv6 Options: Select this option to request DHCPv6 options on this virtual interface. DHCPv6 options provide configuration information for a node that must be booted from the network rather than locally. This setting is disabled by default.
22 Set the following Bonjour Gateway settings. Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers, other computers and services that these computers offer over a local network. Bonjour provides a general method to discover services on a local area network (LAN). It allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with special DNS configuration, it can be extended to find services across broadcast domains. From the drop-down, select the Bonjour Gateway Discovery Policy. Select the Create icon to define a new Bonjour Gateway policy configuration or select the Edit icon to modify an existing Bonjour Gateway policy configuration.
23 Set the following MTU settings for the virtual interface:
Maximum Transmission Unit (MTU): Set the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size. The default MTU is 1,492.
IPv6 MTU: Set an IPv6 MTU for this virtual interface from 1,280 - 1,500. A larger MTU provides greater efficiency because each packet carries more user data while protocol overheads, such as headers or underlying per-packet delays, remain fixed; the resulting higher efficiency means a slight improvement in bulk protocol throughput. A larger MTU results in the processing of fewer packets for the same amount of data. The default is 1,500.
24 Within the ICMP field, define whether ICMPv6 redirect messages are sent. A redirect requests that data packets be sent on an alternative route. This setting is enabled by default.
25 Within the Address Autoconfiguration field, define whether to configure IPv6 addresses on this virtual interface based on the prefixes received in router advertisement messages. This setting is enabled by default.
26 Set the following Router Advertisement Processing settings for the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information.
Accept RA: Enable this option to allow router advertisements over this virtual interface. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. This setting is enabled by default.
No Default Router: Select this option to not consider routers present on this interface for default router selection. This setting is disabled by default.
No MTU: Select this option to not use the set MTU value for router advertisements on this virtual interface. This setting is disabled by default.
No Hop Count: Select this option to not use the hop count advertisement setting for router advertisements on this virtual interface. This setting is disabled by default.
27 Select OK to save the changes. Select Reset to revert to the last saved configuration.
28 Select the IPv4 tab to set IPv4 settings for this virtual interface. IPv4 is a connectionless protocol. It operates on a best effort delivery model that does not guarantee delivery, proper sequencing or avoidance of duplicate delivery (unlike TCP).
29 Set the following network information from within the IPv4 Addresses field:
Figure 8-63 Virtual Interfaces - Basic Configuration screen - IPv4 tab
Enable Zero Configuration: Zero Configuration can be a means of providing a primary or secondary IP address for the virtual interface. Zero configuration (or zero config) is a wireless connection utility included with Microsoft Windows XP and later as a service dynamically selecting a network to connect to based on a user's preferences and various default settings. Zero config can be used instead of a wireless network utility from the manufacturer of a computer's wireless networking device. This value is set to None by default.
Primary IP Address: Define the IP address for the VLAN associated Virtual Interface.
Use DHCP to Obtain IP: Select this option to allow DHCP to provide the IP address for the Virtual Interface. Selecting this option disables the Primary IP address field.
Use DHCP to obtain Gateway/DNS Servers: Select this option to allow DHCP to obtain a default gateway address and DNS resource for one virtual interface. This setting is disabled by default and only available when the Use DHCP to Obtain IP option is selected.
Secondary Addresses: Use the Secondary Addresses parameter to define additional IP addresses to associate with VLAN IDs. The address provided in this field is used if the primary IP address is unreachable.
30 Refer to the DHCP Relay field to set the DHCP relay server configuration used with the Virtual Interface.
Respond to DHCP Relay Packets: Select the Respond to DHCP Relay Packets option to allow the onboard DHCP server to respond to relayed DHCP packets on this interface. This setting is disabled by default.
DHCP Relays: Provide IP addresses for DHCP server relay resources. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends back the response to the client.
31 Select OK to save the changes to the IPv4 configuration. Select Reset to revert to the last saved configuration.
32 Select the IPv6 tab to set IPv6 settings for this virtual interface. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.
Figure 8-64 Virtual Interfaces - Basic Configuration screen - IPv6 tab
33 Refer to the IPv6 Addresses field to define how IPv6 addresses are created and utilized.
IPv6 Mode: Select this option to enable IPv6 support on this virtual interface.
IPv6 Address Static: Define up to 15 global IPv6 IP addresses that can be created statically. IPv6 addresses are represented as eight groups of four hexadecimal digits separated by colons.
IPv6 Address Static using EUI64: Optionally set up to 15 global IPv6 IP addresses (in the EUI-64 format) that can be created statically.
The IPv6 EUI-64 format address is obtained through a 48-bit MAC address. The MAC is initially separated into two 24-bit halves, with one being an OUI (Organizationally Unique Identifier) and the other being client specific. A 16-bit 0xFFFE is then inserted between the two 24-bit halves to form the 64-bit EUI address. IEEE has chosen FFFE as a reserved value which can only appear in an EUI-64 generated from an EUI-48 MAC address.
IPv6 Address Link Local: Provide the IPv6 link local address. IPv6 requires a link local address assigned to every interface on which the IPv6 protocol is enabled, even when one or more routable addresses are assigned.
34 Enable the Enforce Duplicate Address option to enforce duplicate address protection when any wired port is connected and in a forwarding state. This option is enabled by default.
35 Refer to the IPv6 Address Prefix from Provider table to use prefix abbreviations as shortcuts for the entire character set comprising an IPv6 formatted IP address. Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined.
Figure 8-65 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider
Delegated Prefix Name: Enter a 32 character maximum name for the IPv6 address prefix from provider.
Host ID: Define the subnet ID, host ID and prefix length.
36 Select OK to save the changes to the new IPv6 prefix from provider. Select Exit to close the screen without saving the updates.
37 Refer to the IPv6 Address Prefix from Provider EUI64 table to review ISP provided address prefix abbreviations.
38 Select + Add Row to launch a sub screen wherein a new delegated prefix name and host ID can be defined in EUI64 format.
Figure 8-66 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add Address Prefix from Provider EUI64
Delegated Prefix Name: Enter a 32 character maximum name for the IPv6 prefix from provider in EUI format.
Host ID: Define the subnet ID and prefix length.
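The EUI-64 derivation described for the "IPv6 Address Static using EUI64" option in step 33, worked through as an added example (illustrative code written for this page, not WiNG code). It follows the guide's split-and-insert-FFFE description and also applies the universal/local bit flip that RFC 4291 requires for the modified EUI-64 that IPv6 addresses actually embed; the MAC and prefix values are constructed.

```python
"""EUI-64 interface identifiers from a 48-bit MAC, as used by the static
EUI64 and prefix-from-provider EUI64 options on the IPv6 tab.

Added example, not WiNG code.  Per the guide: split the MAC into its 24-bit
OUI and 24-bit device halves and insert 0xFFFE between them.  Per RFC 4291
Appendix A (not in the guide): invert the universal/local bit of the first
octet to get the modified EUI-64 that goes into the address.
"""
import ipaddress
import re
from typing import Optional

FFFE = b"\xff\xfe"   # IEEE-reserved marker that only appears in EUI-48 derived EUI-64s
UL_BIT = 0x02        # universal/local bit in the first octet


def parse_mac(mac: str) -> bytes:
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def eui64_from_mac(mac: str, modified: bool = True) -> bytes:
    """Return the 8-byte EUI-64.  modified=True gives the IPv6 form (U/L bit
    inverted); modified=False gives the plain IEEE EUI-64 the guide describes."""
    raw = parse_mac(mac)
    oui, device = raw[:3], raw[3:]           # the two 24-bit halves
    eui = bytearray(oui + FFFE + device)     # 24 + 16 + 24 = 64 bits
    if modified:
        eui[0] ^= UL_BIT
    return bytes(eui)


def interface_id_text(eui: bytes) -> str:
    """Format the 64-bit identifier the way it appears in an IPv6 address."""
    return ":".join(eui[i:i + 2].hex() for i in range(0, 8, 2))


def ipv6_from_prefix(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix (static or provider-delegated) with the modified
    EUI-64 of the given MAC, which is what the EUI64 address options do."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a 64-bit prefix")
    iid = int.from_bytes(eui64_from_mac(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """The fe80::/64 link-local address an EUI-64 interface derives."""
    return ipv6_from_prefix("fe80::/64", mac)


def mac_from_eui64_address(addr: str) -> Optional[str]:
    """Reverse the derivation.  Returns the embedded MAC, or None when the low
    64 bits lack the FFFE marker.  Useful when auditing an address inventory:
    an EUI-64 address exposes the interface's hardware address (and vendor
    OUI) to anyone who sees it, which is why privacy addresses exist."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != FFFE:
        return None
    first = bytes([iid[0] ^ UL_BIT])          # undo the U/L bit flip
    mac = first + iid[1:3] + iid[5:8]         # drop the inserted FFFE
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    sample_mac = "00:11:22:33:44:55"          # constructed sample value
    print(interface_id_text(eui64_from_mac(sample_mac)))
    print(link_local_from_mac(sample_mac))
    print(ipv6_from_prefix("2001:db8:1:2::/64", sample_mac))
```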
39 Select OK to save the changes to the new IPv6 prefix from provider in EUI64 format. Select Exit to close the screen without saving the updates.
40 Refer to the DHCPv6 Relay table to set the address and interface of the DHCPv6 relay. The DHCPv6 relay enhances an extended DHCP relay agent by providing support in IPv6. DHCP relays exchange messages between a DHCPv6 server and client. A client and relay agent exist on the same link. When a DHCP request is received from the client, the relay agent creates a relay forward message and sends it to a specified server address. If no addresses are specified, the relay agent forwards the message to all DHCP server relay multicast addresses. The server creates a relay reply and sends it back to the relay agent. The relay agent then sends back the response to the client.
41 Select + Add Row to launch a sub screen wherein a new DHCPv6 relay address and interface VLAN ID can be set.
Figure 8-67 Virtual Interfaces - Basic Configuration screen - IPv6 tab - Add DHCPv6 Relay
Address: Enter an address for the DHCPv6 relay. These DHCPv6 relays receive messages from DHCPv6 clients and forward them to DHCPv6 servers. The DHCPv6 server sends responses back to the relay, and the relay then sends these responses to the client on the local network link.
Interface: Select this option to enable a spinner control to define a VLAN ID from 1 - 4,094 used as the virtual interface for the DHCPv6 relay. The interface designation is only required for link local and multicast addresses. A link local address is a locally derived address designed for addressing on a single link for automatic address configuration, neighbor discovery or when no routing resources are available.
42 Select OK to save the changes to the DHCPv6 relay configuration. Select Exit to close the screen without saving the updates.
43 Select the IPv6 RA Prefixes tab.
Figure 8-68 Virtual Interfaces - Basic Configuration screen - IPv6 RA Prefixes tab
44 Use the Router Advertisement Policy drop-down menu to select and apply a policy to the virtual interface. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes and other subnet and host information. Review the configurations of existing IPv6 advertisement policies. If needed, select + Add Row to define the configuration of an additional IPv6 RA prefix.
Figure 8-69 Virtual Interfaces - Basic Configuration screen - Add IPv6 RA Prefix
45 Set the following IPv6 RA Prefix settings:
Prefix Type: Set the prefix delegation type used with this configuration. Options include Prefix and prefix-from-provider. The default setting is Prefix. A provider assigned prefix is made available from an Internet Service Provider (ISP) to automate the process of providing and informing the prefixes used.
Prefix or ID: Set the actual prefix or ID used with the IPv6 router advertisement.
Site Prefix: The site prefix is added into a router advertisement prefix. The site address prefix signifies the address is only on the local link.
Valid Lifetime Type: Set the lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If the value is set to infinite, no additional date or time settings are required for the prefix and the prefix will not expire. The default setting is External (fixed).
Valid Lifetime Sec: If the lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime.
Valid Lifetime Date: If the lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix.
Valid Lifetime Time: If the lifetime type is set to decrementing, set the time for the prefix's validity.
Preferred Lifetime Type: Set the administrator preferred lifetime for the prefix's validity. Options include External (fixed), decrementing and infinite. If set to External (fixed), just the Valid Lifetime Sec setting is enabled to define the exact time interval for prefix validity. If set to decrementing, use the lifetime date and time settings to refine the prefix expiry period. If the value is set to infinite, no additional date or time settings are required for the prefix and the prefix will not expire. The default setting is External (fixed).
Preferred Lifetime Sec: If the administrator preferred lifetime type is set to External (fixed), set the Seconds, Minutes, Hours or Days value used as the measurement criteria for the prefix's expiration. 30 days, 0 hours, 0 minutes and 0 seconds is the default lifetime.
Preferred Lifetime Date: If the administrator preferred lifetime type is set to External (fixed), set the date in MM/DD/YYYY format for the expiration of the prefix.
Preferred Lifetime Time: If the preferred lifetime type is set to decrementing, set the time for the prefix's validity.
Autoconfig: Autoconfiguration includes generating a link-local address, global addresses via stateless address autoconfiguration and duplicate address detection to verify the uniqueness of the addresses on a link. This setting is enabled by default.
On Link: Select this option to keep the IPv6 RA prefix on the local link. The default setting is enabled.
46 Select OK to save the changes to the IPv6 RA prefix configuration. Select Exit to close the screen without saving the updates.
47 Select the Security tab.
Figure 8-70 Virtual Interfaces - Security screen
48 Use the IPv4 Inbound Firewall Rules drop down menu to select the IPv4 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv4 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv4 is a connectionless protocol for packet switched networking.
IPv4 operates as a best effort delivery method, since it does not guarantee delivery, and does not ensure proper sequencing or avoidance of duplicate delivery (unlike TCP). IPv4 and IPv6 are different enough to warrant separate protocols. IPv6 devices can alternatively use stateless address autoconfiguration. IPv4 hosts can use link local addressing to provide local connectivity.
49 Use the IPv6 Inbound Firewall Rules drop down menu to select the IPv6 specific inbound firewall rules to apply to this profile's virtual interface configuration. Select the Create icon to define a new IPv6 firewall rule configuration or select the Edit icon to modify an existing configuration. IPv6 is the latest revision of the Internet Protocol (IP), replacing IPv4. IPv6 provides enhanced identification and location information for systems routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
50 Use the VPN Crypto Map drop down menu to select a crypto map to apply to this profile's virtual interface configuration. Crypto maps are sets of configuration parameters for encrypting packets passing through a VPN Tunnel. If a crypto map does not exist suiting the needs of this virtual interface, select the Create icon to define a new crypto map configuration or the Edit icon to modify an existing crypto map. For more information, see Overriding a Profile's VPN Configuration on page 5-207.
51 Select OK to save the changes to the OSPF configuration. Select Reset to revert to the last saved configuration.
52 Select the Dynamic Routing tab (if available in your profile).
53 Define or override the following parameters from within the OSPF Settings field:
Figure 8-71 OSPF Virtual Interface - Dynamic Routing screen
Priority: Select this option to set the OSPF priority used to select the network designated router. Use the spinner control to set the value from 0 - 255.
Cost: Select this option to set the cost of the OSPF interface. Use the spinner control to set the value from 1 - 65,535.
Bandwidth: Set the OSPF interface bandwidth (in Kbps) from 1 - 10,000,000.
54 Select the authentication type from the Chosen Authentication Type drop-down used to validate credentials within the OSPF dynamic route. Options include simple-password, message-digest, null and None. The default value is None.
55 Select + Add Row at the bottom of the MD5 Authentication table to add the Key ID and Password used for an MD5 validation of authenticator credentials. Use the spinner control to set the OSPF message digest authentication key ID. The available range is from 1 - 255. The password is the OSPF key, either displayed as a series of asterisks or in plain text (by selecting Show). MD5 is a message digest algorithm using a cryptographic hash producing a 128-bit (16-byte) hash value, usually expressed in text as a 32 digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity.
56 Select OK to save the changes to the configuration. Select Reset to revert to the last saved configuration.
8.8.11 Setting a Profile's Border Gateway Protocol (BGP) Configuration
Border Gateway Protocol (BGP) is an inter-ISP routing protocol which establishes routing between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators.
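The message-digest authentication configured through the Key ID and Password fields in steps 54 and 55 above, worked through as an added example (illustrative code written for this page, not WiNG code). It builds an OSPF Hello carrying the MD5 authentication trailer and then checks a received packet against the configured Key ID table, which shows what the trailer does and does not protect; the trailer layout follows RFC 2328 Appendix D, the sample router ID, area, sequence number and password are constructed, and zero-padding a short password to 16 bytes is an assumption matching common implementations rather than something the guide states.

```python
"""OSPF cryptographic (MD5) authentication: building and verifying the
trailer that the MD5 Authentication table's Key ID / Password configure.

Added example, not WiNG code.  Layout per RFC 2328 Appendix D: with AuType 2
the 8-byte Authentication field holds 0, Key ID, auth data length (16) and a
cryptographic sequence number; the header checksum is zero; the digest is
MD5(packet || key) appended after the packet and not counted in Length.
The 16-byte zero padding of the key is an assumption (common practice).
"""
import hashlib
import hmac
import ipaddress
import struct

OSPF_VERSION = 2
OSPF_HELLO = 1
AUTYPE_CRYPTOGRAPHIC = 2
KEY_LEN = 16            # MD5 key length after padding (assumed)
DIGEST_LEN = 16         # MD5 output appended after the OSPF packet
HEADER_LEN = 24


def _padded_key(password: str) -> bytes:
    key = password.encode()
    if not key or len(key) > KEY_LEN:
        raise ValueError("OSPF MD5 key must be 1-16 bytes")
    return key.ljust(KEY_LEN, b"\x00")


def build_hello(router_id: str, area_id: str, key_id: int, seq: int,
                password: str, hello_interval: int = 10,
                dead_interval: int = 40) -> bytes:
    """Build an OSPF Hello (mask /24, options E, priority 1, no DR/BDR,
    no neighbors) with an MD5 authentication trailer."""
    body = struct.pack("!4sHBBI4s4s",
                       ipaddress.IPv4Address("255.255.255.0").packed,
                       hello_interval, 0x02, 1, dead_interval,
                       b"\x00" * 4, b"\x00" * 4)
    length = HEADER_LEN + len(body)
    header = struct.pack("!BBH4s4sHH", OSPF_VERSION, OSPF_HELLO, length,
                         ipaddress.IPv4Address(router_id).packed,
                         ipaddress.IPv4Address(area_id).packed,
                         0, AUTYPE_CRYPTOGRAPHIC)      # checksum 0, AuType 2
    auth = struct.pack("!HBBI", 0, key_id, DIGEST_LEN, seq)
    packet = header + auth + body
    digest = hashlib.md5(packet + _padded_key(password)).digest()
    return packet + digest


def verify_hello(frame: bytes, keys: dict, last_seq: dict) -> tuple:
    """Check a received OSPF packet against the configured Key ID table.

    keys maps Key ID -> password (the MD5 Authentication table rows).
    last_seq maps router ID -> last accepted sequence number and is updated
    on success, so a replayed packet carrying an older number is rejected.
    Returns (accepted, reason).
    """
    if len(frame) < HEADER_LEN + DIGEST_LEN:
        return False, "too short"
    version, _ptype, length = struct.unpack("!BBH", frame[:4])
    if version != OSPF_VERSION or length + DIGEST_LEN != len(frame):
        return False, "bad version or length"
    checksum, autype = struct.unpack("!HH", frame[12:16])
    if autype != AUTYPE_CRYPTOGRAPHIC or checksum != 0:
        return False, "not cryptographic authentication"
    _zero, key_id, auth_len, seq = struct.unpack("!HBBI", frame[16:24])
    if auth_len != DIGEST_LEN:
        return False, "bad auth data length"
    password = keys.get(key_id)
    if password is None:
        return False, f"unknown key id {key_id}"
    expected = hashlib.md5(frame[:length] + _padded_key(password)).digest()
    if not hmac.compare_digest(expected, frame[length:]):
        return False, "digest mismatch"
    router_id = str(ipaddress.IPv4Address(frame[4:8]))
    if seq < last_seq.get(router_id, 0):
        return False, "replayed sequence number"
    last_seq[router_id] = seq
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values: router 10.0.0.1 in area 0, key id 1.
    table = {1: "WiNGsecret"}
    seen = {}
    hello = build_hello("10.0.0.1", "0.0.0.0", 1, 1000, table[1])
    print(verify_hello(hello, table, seen))           # (True, 'ok')
    print(verify_hello(hello, {1: "otherkey"}, {}))   # digest mismatch
```

The digest binds the packet contents and the sequence number to the shared key, so a modified or replayed Hello is rejected, but this is a keyed hash rather than an HMAC and the key itself never changes on the wire; RFC 5709 defines HMAC-SHA authentication for OSPFv2 where the platform supports it.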
The primary role of a BGP system is to exchange network reachability information with other BGP peers. This information includes information on the ASs that the reachability information traverses. This information is sufficient to create a graph of AS connectivity from which routing decisions can be created and rules enforced.
An Autonomous System (AS) is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. An AS uses inter-AS routing to route packets to other ASs. To an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of the destinations reachable through it. Routing information exchanged through BGP supports only destination based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet). BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed). To define a profile's BGP configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select BGP.
NOTE: BGP is only supported on RFS4000, RFS6000 and NX9500 model controllers and service platforms.
The General tab displays by default.
4 Review the following BGP general configuration parameters to determine whether an update is warranted.
Figure 8-72 Border Gateway Protocol - General tab
ASN: Define the Autonomous System Number (ASN). An AS is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets. Select a value from 1 - 4,294,967,295.
Enable: Enable to start BGP on this controller or service platform. BGP is only supported on RFS4000, RFS6000 and NX9500 model controllers and service platforms. The default is disabled.
Always Compare MED: Multi-exit Discriminator (MED) is a value used by BGP peers to select the best route among multiple routes. When enabled, the MED value encoded in the route is always compared when selecting the best route to the host network. A route with a lower MED value is always selected over a route with a higher MED value. BGP does not discriminate between iBGP and eBGP when using MED for route selection. This option is mutually exclusive with the Deterministic MED option.
Default IPv4 Unicast: Select this option to enable IPv4 unicast traffic for neighbors. This option is disabled by default.
Default Local Preference: Select this option to enable a local preference for the neighbor. When enabled, set the local preference value (1 - 4,294,967,295).
IP Default Gateway Priority: Set the default priority value for the IP Default Gateway. Set a value from 1 - 8000. The default is 7500.
Deterministic MED: Multi-exit Discriminator (MED) is used by BGP peers to select the best route among multiple routes. When enabled, MED route values (from the same AS) are compared to select the best route. This best route is then compared with other routes in the BGP route table to select the best overall route. This option is mutually exclusive with the Always Compare MED option.
Enforce First AS: Select this option to deny any updates received from an external neighbor that does not have the neighbor's configured AS at the beginning of the received AS path parameter. This enhances security by not allowing traffic from an unauthorized AS. This setting is disabled by default.
Fast External Failover: Select this option to immediately reset the BGP session on the interface once the BGP connection goes down. Normally, when a BGP connection goes down, the device waits for the expiry of the duration specified in the Holdtime parameter before bringing down the interface. This setting is enabled by default.
Log Neighbor Changes: Select this option to enable logging of changes in routes to neighbor BGP peers. This enables the logging of only the changes in neighbor routes. All other events must be explicitly turned on using debug commands. This setting is disabled by default.
Network Import Check: Select this option to enable a network import check to ensure consistency in advertisements. This setting is disabled by default.
Router ID: Select this option to manually configure the router ID for this BGP supported controller or service platform. The router ID identifies the device uniquely. When no router ID is specified, the IP address of the interface is considered the router ID. This setting is disabled by default.
Scan Time: Select this option to set the scanning interval for updating BGP routes. This interval is the period between two consecutive scans in which the BGP device checks the validity of routes in its routing table. To disable this setting, set the value to zero (0). The default setting is 60 seconds.
5 Optionally select the Missing AS Worst option to treat any path that does not contain a MED value as the least preferable route. This setting is disabled by default.
6 Set the following Bestpath parameters:
AS-Path Ignore: Select this option to prevent an AS path from being considered as a criterion for selecting a preferred route. The route selection algorithm uses the AS path as one of the criteria when selecting the best route. When this option is enabled, the AS path is ignored.
Compare Router ID: Select this option to use the router ID as a selection criterion when determining a preferred route. The route selection algorithm uses various criteria when selecting the best route. When this option is enabled, the router ID is used to select the best path between two identical BGP routes. The route with the lower router ID is selected over a route with a higher router ID.
7 Set or override the following Distance for Route Types. The distance parameter is a rating of route trustworthiness. The greater the distance, the lower the trust rating. The distance can be set for each type of route indicating its trust rating:
External Routes: External routes are those routes learned from a neighbor of this BGP device. Set a value from 1 - 255.
Internal Routes: Internal routes are those routes learned from another router within the same AS. Set a value from 1 - 255.
Local Routes: Local routes are those routes being redistributed from other processes within this BGP router. Set a value from 1 - 255.
8 Set or override the following Route Limit parameters:
Number of Routes: Configures the number of routes that can be stored on this BGP router. Set this value based on the available memory on this BGP router. Configure a value from 1 - 4,294,967,295. The default value is 9,216 routes.
Reset Time: Configures the reset time. This is the time limit after which the Retry Count value is set to zero (0). Set a value from 1 - 86,400 seconds.
Retry Count: Configures the number of times the BGP process is reset before it is shut down. Once shut down, the BGP process has to be started manually. The BGP process is reset if it is flooded with route entries that exceed its number of routes. Set a value from 1 - 32.
Retry Timeout: Configures the time duration in seconds the BGP process is shut down temporarily before a reset of the process is attempted. Set a value from 1 - 3,600 seconds.
9 Set the following Timers:
Keepalive: Set the duration, in seconds, for the keepalive timer used to maintain connections between BGP neighbors. Set a value from 1 - 65,535 seconds.
Holdtime: Set the time duration, in seconds, for the hold (delay) of packet transmissions.
10 Set the following Aggregate Address fields:
Aggregate addresses are used to minimize the size of the routing tables. Aggregation combines the attributes of several different routes and advertises a single route. This creates an aggregation entry in the BGP routing table if more specific BGP routes are available in the specified address range.
IP Prefix: Enter an IP address and mask used as the aggregate address.
Summary Only: Select this option to advertise the IP Prefix route to the BGP neighbor while suppressing the detailed and more specific routes.
As Set: Generates AS set path information. Select to enable. When selected, it creates an aggregate entry advertising the path for this route, consisting of all elements contained in all the paths being summarized. Use this parameter to reduce the size of path information by listing each AS number only once, even if it was included in multiple paths that were aggregated.
11 Set the following Distance for IP Source Prefix fields:
IP Source Prefix: Enter an IP address and mask used as the prefix source address.
Admin Distance: Use the spinner control to set the BGP route's admin distance from 1 - 255.
IP Access List: Provide the IP address used to define the prefix list rule.
12 Configure the following Network values:
Network: Configure an IP address to broadcast to neighboring BGP peers. This network can be a single IP address or a range of IP addresses in A.B.C.D/M format.
Pathlimit: Configure the maximum path limit for this AS. Set a value from 1 - 255 AS hops.
Backdoor: Select this option to indicate to border devices that this network is reachable using a backdoor route. A backdoor network is treated the same as a local network, except it is not advertised. This setting is disabled by default.
Route Map: Select an existing route map as a method of controlling and modifying routing information. The control of route information occurs using route redistribution keys.
13 Configure the following Route Redistribute values:
Route Type: Use the drop-down menu to define the route type as either connected, kernel, ospf or static.
Metric: Select this option to set a numeric route metric used for route matching and permit designations.
Route Map: Select an existing route map as a method of controlling and modifying routing information. The control of route information occurs using route redistribution keys.
14 Select OK to save the changes and overrides. Select Reset to revert to the last saved configuration.
15 Select the Neighbor tab.
Figure 8-73 Border Gateway Protocol - Neighbor tab
The Neighbor tab displays a list of configured BGP neighbor devices identified by their IP address. Select Add to add a new BGP neighbor configuration, or select an existing Identifier and select Edit to modify it. The following screen displays with the General tab displayed by default.
The General tab displays the different configuration parameters for the neighbor BGP device.
Figure 8-74 Border Gateway Protocol - Neighbor tab - General screen
16 Configure the following common parameters:
Remote AS: Define the Autonomous System Number (ASN) for the neighbor BGP device. An AS is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. Set a value from 1 - 4,294,967,295.
Advertise Capability Dynamic: Select this option to show a neighbor device's capability to advertise or withdraw an address capability to other peers in a non-disruptive manner. This setting is disabled by default.
Advertise Capability ORF: Select this option to enable Outbound Route Filtering (ORF) and advertise this capability to peer devices. ORFs send and receive capabilities to lessen the number of updates exchanged between BGP peers. By filtering updates, ORF minimizes update generation and exchange overhead. The local BGP device advertises ORF in send mode. The peer BGP device receives the ORF capability in receive mode. The two devices exchange updates to maintain the ORF for each router. Only a peer group or an individual BGP router can be configured to be in receive or send mode. A member of a peer group cannot be configured.
Advertisement Interval: Use the Advertisement Interval to set the minimum interval between sending BGP router updates. Sending too many router updates creates flapping of routes leading to possible disruptions. Set a minimum interval so that BGP routing updates are sent only after the set interval in seconds. The default is 5 seconds.
Disable Capability Negotiation: Select to disable capability negotiation with BGP neighbors. This allows compatibility with older BGP versions that have no capability parameters in the open messages between peers. This setting is disabled by default.
Description: Provide an 80 character maximum description for this BGP neighbor device.
Disable Connected Check: If utilizing loopback interfaces to connect single-hop BGP peers, enable the neighbor disable connected check before establishing the BGP peering session. This setting is disabled by default.
Enforce Multihop: A multihop route is a route to external peers on indirectly connected networks. Select to enforce neighbors to perform a multihop check. This setting is disabled by default.
Next Hop Self: Select to enable Next Hop Self. Use this to configure this device as the next hop for a BGP speaking neighbor or peer group. This allows the BGP device to change the next hop information that is sent to iBGP peers. The next hop address is set to the IP address of the interface used to communicate with the eBGP neighbor. This setting is disabled by default.
Override Capability: Select this to enable the ability to override the capability negotiation result. This setting is disabled by default.
Passive: Select this option to set this BGP neighbor as passive. When a neighbor is set as passive, the local device does not attempt to open a connection to this device. This setting is disabled by default.
Password: Select this option to set a password for this BGP neighbor. Use the text box to enter the password to use for this neighbor.
Reconnect Interval: Set a reconnection interval for peer BGP devices from 0 - 65,535 seconds. The default setting is 120 seconds.
Send Community: Select this option to ensure the community attribute is sent to the BGP neighbor. The community attribute groups destinations in a certain community and applies routing decisions based on the community. On receiving the community attribute, the BGP router announces it to the neighbor.
Shutdown: Select this option to administratively shut down this BGP neighbor. This setting is disabled by default.
Soft Reconfiguration Inbound: Select this option to store updates for inbound soft reconfiguration. Soft reconfiguration can be used in lieu of the BGP route refresh capability. Selecting this option enables local storage of all received routes and their attributes. This requires additional memory on the BGP device. When a soft reset (inbound) is performed on the neighbor device, the locally stored routes are reprocessed according to the inbound policy. The BGP neighbor connection is not affected.
Update Source: Select this option to allow internal BGP sessions to use any operational interface for TCP connections. Use Update Source in conjunction with any specified interface on the router. The loopback interface is the interface most commonly used with this command. Using a loopback interface eliminates a dependency, so BGP does not have to rely on the availability of a particular interface for making TCP connections. This setting is disabled by default.
Unsuppress Map: Enable Unsuppress Map to selectively advertise more precise routing information to this neighbor. Use this in conjunction with the Route Aggregate command. The Route Aggregate command creates a route map with an IP/mask address that consolidates the subnets under it. This reduces the number of route maps on the BGP device to one entry that encompasses all the different subnets. Use Unsuppress Map to selectively allow/deny a subnet or a set of subnets. Use the Create icon to create a new route map. Use the Edit icon to edit an existing route map list after selecting it.
Weight: Select to set the weight of all routes learned from this BGP neighbor. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The highest weight is always chosen.
17 Configure or set the following Default Originate parameters. Default originate is used by the local BGP router to send the default route 0.0.0.0 to its neighbor for use as a default route.
Enable: Select to enable Default Originate on this BGP neighbor. This setting is disabled by default.
Route Map: Use the drop-down menu to select a route map to use as the Default Originate route.
18 Configure or set the following Route Map parameters by selecting Add Row. This configures how route maps are applied for this BGP neighbor.
Direction: Use the drop-down menu to configure the direction in which the selected route map is applied. Select one from in, out, export or import.
Route Map: Use the drop-down menu to select the route map to use with this BGP neighbor. Use the Create icon to create a new route map. Use the Edit icon to edit an existing route map after selecting it.
19 Configure or set the following Distribute List parameters by selecting Add Row. Up to 2 distribute list entries can be created.
Direction: Use the drop-down menu to configure the direction in which the selected IP access list is applied. Select either in or out.
Name: Use the drop-down menu to select the IP access list to use with this BGP neighbor. Use the Create icon to create a new IP Access list. Use the Edit icon to edit an existing IP Access list after selecting it.
20 Configure or set the following eBGP Multihop parameters. This configures the maximum number of hops that can be between eBGP neighbors not directly connected to each other.
Enable: Select to enable eBGP Multihop on this BGP neighbor.
Max Hops: Set the maximum number of hops between eBGP neighbors not connected directly. Select a value from 1 - 255.
21 Configure or set the following Filter List parameters by selecting Add Row. Up to 2 filter list entries can be created.
Direction: Use the drop-down menu to configure the direction in which the selected AS Path list is applied. Select either in or out.
Name: Use the drop-down menu to select the AS Path list to use with this BGP neighbor. Use the Create icon to create a new AS Path list. Use the Edit icon to edit an existing AS Path list after selecting it.
22 Configure or set the following Local AS parameters.
CAUTION: This is an experimental feature and its actual operation may be unpredictable.
AS Number: Specify the local Autonomous System (AS) number. Select from 1 - 4,294,967,295.
No Prepend: Select to enable. When enabled, the local AS number is not prepended to route updates from eBGP peers.
23 Configure or set the following Maximum Prefix values. This configures the maximum number of prefixes that can be received from a BGP neighbor.
Prefix Limit: Sets the maximum number of prefixes that can be received from a BGP neighbor. Select from 1 - 4,294,967,295. Once this threshold is reached, the BGP peer connection is reset.
Threshold Percent: Sets the threshold limit for generating a log message. When this percentage of the Prefix Limit is reached, a log entry is generated. For example, if the Prefix Limit is set to 100 and Threshold Percent is set to 65, then after receiving 65 prefixes a log entry is created.
Restart Limit: Sets the number of times a reset BGP peer connection is restarted. Select a value from 1 - 65535.
Warning Only: Select to enable. When the number of prefixes specified in the Prefix Limit field is exceeded, the connection is reset. However, when this option is enabled, the connection is not reset and an event is generated instead. This setting is disabled by default.
24 Configure or set the following Prefix List parameters. Up to 2 prefix list entries can be created.
Direction: Use the drop-down menu to configure the direction in which the selected IP prefix list is applied. Select either in or out.
Name: Use the drop-down menu to select the IP prefix list to use with this BGP neighbor. Use the Create icon to create a new IP prefix list or select the Edit icon to edit an existing IP prefix list after selecting it.
25 Set the following Timers for this BGP neighbor:
Keepalive: Set the time duration in seconds for keepalive. The keepalive timer is used to maintain connections between BGP neighbors. Set a value from 1 - 65,535 seconds.
Holdtime: Set the time duration in seconds for hold time.
26 Select OK to save the changes. Select Reset to revert to the last saved configuration.
27 Select the Experimental tab.
CAUTION: This is an experimental feature and its actual operation may be unpredictable.
28 Set the following Experimental BGP parameters:
Figure 8-75 Border Gateway Protocol - Neighbor tab - Experimental tab
Activate: Enable an address family for this neighbor. This setting is enabled by default.
Attribute Unchanged AS-Path: Select to enable propagating the AS path BGP attribute unchanged to this neighbor BGP device. This setting is enabled by default.
Attribute Unchanged Med: Select to enable propagating the MED BGP attribute unchanged to this neighbor BGP device. This setting is enabled by default.
Attribute Unchanged Next Hop: Select to enable propagating the next hop BGP attribute value unchanged to this neighbor BGP device. This setting is enabled by default.
Peer Group: Set the peer group for this BGP neighbor device. Peer groups are a set of BGP neighbors with the same update policies. This facilitates the updating of various policies, such as distribute lists and filter lists. The peer group can be configured as a single entity. Any changes made to the peer group are propagated to all members.
Remove Private AS: Select this option to remove the private Autonomous System (AS) number from outbound updates. Private AS numbers are not advertised to the Internet. This option is used with external BGP (eBGP) peers only. The router removes the AS numbers only if the update includes private AS numbers. If the update includes both private and public AS numbers, the system treats it as an error.
Route Reflector Client: Select this option to enable this BGP neighbor as a route reflector client for the local router. Route reflectors control large numbers of iBGP peerings. Using route reflection, the number of iBGP peers is reduced. This option configures the local BGP device as a route reflector and the neighbor as its route reflector client. This setting is disabled by default.
Route Server Client: Select this option to enable this neighbor BGP device to act as a route server client. This setting is disabled by default.
Strict Capability Match: Select this option to enable a strict capability match before allowing a neighbor BGP peer to open a connection. When capabilities do not match, the BGP connection is closed. This setting is disabled by default.
TCP Port: Select to enable configuration of a non-standard BGP port for this BGP neighbor. By default the BGP port number is 179. To configure a non-standard port for this BGP neighbor, use the control to set the port number. Select a value from 1 - 65535.
29 Configure or set the following Allowas In parameters. This configures the Provider Edge (PE) routers to allow the re-advertisement of all prefixes containing duplicate Autonomous System Numbers (ASN). This creates a pair of VPN Routing/Forwarding (VRF) instances on each PE router to receive and re-advertise prefixes. The PE router receives prefixes with ASNs from all PE routers and advertises to its neighbor PE routers on one VRF. The other VRF receives prefixes with ASNs from the Customer Edge (CE) routers and re-advertises them to all PE routers in the configuration.
Enable: Select this option to enable re-advertisement of all prefixes containing duplicate ASNs.
Allowed Occurrences: Set the maximum number of times an ASN is advertised. Select a value in the range 1 - 10.
30 Select OK to save the changes. Select Reset to revert to the last saved configuration. Select Exit to close this window and go back to the main screen.
31 Select the Experimental tab from the BGP main screen.
CAUTION: This is an experimental feature and its actual operation may be unpredictable.
32 Set the following Experimental BGP features:
Figure 8-76 Border Gateway Protocol - Experimental tab
Confederation Identifier: Enable and set a confederation identifier to allow an AS to be divided into several ASs. This confederation is visible to external routers as a single AS. Select a value from 1 - 4,294,967,295.
Client to Client Reflection: Select to enable client-to-client route reflection. Route reflectors are used when all iBGP speakers are not fully meshed. If the clients are fully meshed, route reflectors are not required. The default is enabled.
Cluster ID: Select to enable and set a Cluster ID if the BGP cluster has more than one route reflector. A cluster generally consists of a single route reflector and its clients. The cluster is usually identified by the router ID of this single route reflector. Sometimes, to increase redundancy, a cluster might have more than one route reflector configured. In this case, all route reflectors in the cluster are identified by the Cluster ID. Select a value from 1 - 4,294,967,295.
Confederation Peers: Use this spinner to select the confederation members. Once selected, select the Down Arrow button next to this control to add the AS as a confederation member. Multiple AS configurations can be added to the list of confederation members. To remove an AS as a confederation member, select the AS from the list and select the Up Arrow button next to the list.
33 Configure or set the following Bestpath parameter:
AS-Path Confed: Select this option to allow the comparison of the confederation AS path length when selecting the best route. This indicates the AS confederation path length must be used, if available, in the BGP path when deciding the best path.
34 Configure or set the following Bestpath MED parameter:
Confed: Select to enable. Use this option to allow comparing MED when selecting the best route among routes learned from confederation peers. This indicates that MED must be used, when available, in the BGP best path when deciding the best path between routes from different confederation peers.
35 Configure or set the following Dampening parameters. Dampening minimizes the instability caused by route flapping. A penalty is added for every flap of the flapping route. As soon as the total penalty reaches the Route Suppress Limit value, the advertisement of this route is suppressed. The penalty is halved each time the period specified in Half Lifetime elapses. Once the penalty becomes lower than the value specified in Start Route Reuse, the advertisement of the route is un-suppressed.
Enable: Select to enable dampening on advertised routes. When this option is selected, the other configuration fields in this Dampening section are enabled. This setting is disabled by default.
Half Lifetime: Select to enable and configure the half lifetime value. A penalty is imposed on a route that flaps. This is the time for the penalty to decrease to half its current value. Set a value from 1 - 45 minutes. The default is 1 second.
Start Route Reuse: Select to enable and configure the route reuse value. When the penalty for a suppressed route decays below the value specified in the Start Route Reuse field, the route is un-suppressed. Set a value from 1 - 20000.
Start Route Suppress: Select to enable and configure the route suppress value. When a route flaps, a penalty is added to the route. When the penalty reaches or exceeds the value specified in Route Suppress Limit, the route is suppressed. Set a value from 1 - 20000.
Route Suppress Limit: Select to enable and configure the maximum duration in minutes a suppressed route is suppressed. This is the maximum duration for which a route remains suppressed before it is reused. Set a value from 1 - 255 minutes.
36 Configure or set the Graceful Restart parameters.
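The dampening behaviour configured in step 35 above, worked through as a constructed Python simulation (an added example, not the controller's code or this guide's): a fixed penalty per flap, halving of the penalty every Half Lifetime, suppression once the penalty reaches the suppress threshold, and reuse once it has decayed below Start Route Reuse. The per-flap penalty of 1000 is a constructed constant the guide does not give, and the maximum suppress duration is enforced the RFC 2439 way, by capping the penalty, which is an assumption about this platform.

```python
import math
from dataclasses import dataclass, field

# Constructed constant: the guide does not state the penalty added per flap.
FLAP_PENALTY = 1000.0


@dataclass
class DampeningConfig:
    """The step 35 Dampening fields, named by their function in the algorithm."""
    half_life_min: float     # Half Lifetime: minutes for the penalty to halve
    reuse: float             # Start Route Reuse: un-suppress below this penalty
    suppress: float          # penalty at which the advertisement is suppressed
    max_suppress_min: float  # longest a route stays suppressed, in minutes

    def penalty_ceiling(self) -> float:
        # RFC 2439 style (assumed here): cap the penalty at the value that
        # decays to `reuse` in exactly max_suppress_min minutes, so no route
        # can stay suppressed longer than that after its last flap.
        return self.reuse * 2 ** (self.max_suppress_min / self.half_life_min)


def decay(penalty: float, elapsed_min: float, half_life_min: float) -> float:
    """Exponential decay: the penalty halves every half_life_min minutes."""
    return penalty * 2 ** (-elapsed_min / half_life_min)


def minutes_until_reuse(penalty: float, cfg: DampeningConfig) -> float:
    """Minutes until a penalty this large has decayed below the reuse value."""
    if penalty < cfg.reuse:
        return 0.0
    return cfg.half_life_min * math.log2(penalty / cfg.reuse)


@dataclass
class DampenedRoute:
    """Dampening state for one prefix learned from one neighbor."""
    cfg: DampeningConfig
    penalty: float = 0.0
    last_seen_min: float = 0.0
    suppressed: bool = False
    log: list = field(default_factory=list)  # (minute, event) for the operator

    def _age_to(self, now_min: float) -> None:
        self.penalty = decay(self.penalty, now_min - self.last_seen_min,
                             self.cfg.half_life_min)
        self.last_seen_min = now_min

    def flap(self, now_min: float) -> float:
        """Record a flap at now_min and return the penalty after it."""
        self._age_to(now_min)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.cfg.penalty_ceiling())
        if not self.suppressed and self.penalty >= self.cfg.suppress:
            self.suppressed = True
            self.log.append((now_min, "suppressed"))
        return self.penalty

    def is_advertised(self, now_min: float) -> bool:
        """Advertisement state at now_min after decay and the reuse check."""
        self._age_to(now_min)
        if self.suppressed and self.penalty < self.cfg.reuse:
            self.suppressed = False
            self.log.append((now_min, "reused"))
        return not self.suppressed


def demo() -> dict:
    """Constructed scenario: three flaps a minute apart, then probe for reuse."""
    cfg = DampeningConfig(half_life_min=15, reuse=750, suppress=2000,
                          max_suppress_min=60)
    route = DampenedRoute(cfg)
    penalties = [route.flap(t) for t in (0, 1, 2)]  # ~1000, ~1955, ~2867
    return {
        "penalties": penalties,
        "suppressed_after_third_flap": route.suppressed,  # True
        "minutes_until_reuse": minutes_until_reuse(route.penalty, cfg),  # ~29
        "advertised_at_31": route.is_advertised(31),  # False, still above 750
        "advertised_at_32": route.is_advertised(32),  # True, decayed below 750
        "log": list(route.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```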
This provides a graceful restart mechanism for a BGP session reset in which the BGP daemon is not restarted, so that any changes in network configuration that caused the BGP reset do not affect packet forwarding.
Enable: Select to enable a graceful restart on this BGP router. This setting is disabled by default.
Stalepath Time: Configure the maximum time to retain stale paths from a restarting neighbor. This is the time for which the paths from a restarting neighbor are preserved. All stale paths, unless reinstated by the neighbor after re-establishment, are deleted at the expiry of this timer value. Set a value from 1 - 3600 seconds.
37 Select OK to save the changes. Select Reset to revert to the last saved configuration. Select Exit to close this window and go back to the main screen.
8.8.12 Setting a Profile's Forwarding Database Configuration
Profile Network Configuration
A Forwarding Database is used by a bridge to forward or filter packets. The bridge reads the packet's destination MAC address and decides to either forward the packet or drop (filter) it. If it is determined the destination MAC is on a different network segment, it forwards the packet to the segment. If the destination MAC is on the same network segment, the packet is dropped (filtered). As nodes transmit packets through the bridge, the bridge updates its forwarding database with known MAC addresses and their locations on the network. This information is then used to filter or forward the packet.
To define a forwarding database configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Forwarding Database.
Figure 8-77 Forwarding Database screen
4 Define a Bridge Aging Time between 0, 10-1,000,000 seconds. The aging time defines the length of time an entry remains in a bridge's forwarding table before being deleted due to inactivity. If an entry represents a destination generating continuous traffic, this timeout value will never be invoked. However, if the destination becomes idle, the timeout value represents the length of time that must be exceeded before an entry is deleted from the forwarding table. The default setting is 300 seconds.
5 Define a L3e Lite Entry Aging Time between 10-1,000,000 seconds. The default setting is 300 seconds.
6 Use the + Add Row button to create a new row within the MAC address table.
7 Set a destination MAC Address. The bridge reads the packet's destination MAC address and decides to forward the packet or drop (filter) it. If it is determined the destination MAC is on a different network, it forwards the packet to the segment. If the destination MAC is on the same network segment, the packet is dropped (filtered).
8 Define the target VLAN ID if the destination MAC is on a different network segment.
9 Provide an Interface Name used as the target destination interface for the target MAC address.
10 Select OK to save the changes. Select Reset to revert to the last saved configuration.
8.8.13 Setting a Profile's Bridge VLAN Configuration
Profile Network Configuration
A Virtual LAN (VLAN) is a separately administered virtual network within the same physical managed network. VLANs are broadcast domains defined to allow control of broadcast, multicast, unicast, and unknown unicast within a Layer 2 device. Administrators often need to route traffic to interoperate between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device which will untag it. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception. Using forwarding database information, the Bridge VLAN forwards the data frame on the appropriate port(s). VLANs are useful to set up separate networks to isolate some computers from others, without actually having to have separate cabling and Ethernet switches. Controllers and service platforms can do this on their own, without the device needing to know what VLAN it is on (this is called a port-based VLAN, since it is assigned by port). Another common use is to put specialized devices like VoIP phones on a separate network for easier configuration, administration, security or service quality.
To define a bridge VLAN configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Bridge VLAN.

Figure 8-78 Profile - Network Bridge VLAN screen

4 Review the following VLAN configuration parameters to determine whether an update is warranted:
VLAN: Lists the numerical identifier defined for the Bridge VLAN when initially created. The available range is from 1 - 4095. This value cannot be modified during the edit process.
Description: Lists a description of the VLAN assigned when it was created or modified. The description should be unique to the VLAN's specific configuration and help differentiate it from other VLANs with similar configurations.
Edge VLAN Mode: Defines whether the VLAN is currently in edge VLAN mode. A green checkmark defines the VLAN as extended. An edge VLAN is the VLAN where hosts are connected. For example, if VLAN 10 is defined with wireless clients, and VLAN 20 is where the default gateway resides, VLAN 10 should be marked as an edge VLAN and VLAN 20 shouldn't. When defining a VLAN as an edge VLAN, the firewall enforces additional checks on hosts in that VLAN. For example, a host cannot move from an edge VLAN to another VLAN and still keep firewall flows active.
Trust ARP Responses: When ARP trust is enabled, a green checkmark displays. When disabled, a red X displays. Trusted ARP packets are used to update the IP-MAC Table to prevent IP spoofing and ARP-cache poisoning attacks.
Trust DHCP Responses: When DHCP trust is enabled, a green checkmark displays. When disabled, a red X displays. When enabled, DHCP packets from a DHCP server are considered trusted and permissible. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoofing attacks.
IPv6 Firewall: Lists whether an IPv6 firewall is enabled on this bridge VLAN. A green checkmark defines this setting as enabled. A red X defines this setting as disabled. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.
DHCPv6 Trust: Lists whether DHCPv6 responses are trusted on this bridge VLAN. A green checkmark defines this setting as enabled. A red X defines this setting as disabled. If enabled, only DHCPv6 responses are trusted and forwarded over the bridge VLAN.
RA Guard: Lists whether router advertisements (RA) are allowed on this bridge VLAN. A green checkmark defines this setting as enabled. A red X defines this setting as disabled. RAs are periodically sent to hosts or sent in response to solicitation requests. The advertisement includes IPv6 prefixes (address abbreviations) and other subnet and host information.

5 Select Add to define a new bridge VLAN configuration, Edit to modify an existing bridge VLAN configuration or Delete to remove a VLAN configuration. The General tab displays by default.

Figure 8-79 Bridge VLAN - General tab

6 If adding a new Bridge VLAN configuration, use the spinner control to define a VLAN ID between 1 - 4094. This value must be defined and saved before the General tab can become enabled and the remainder of the settings defined. VLAN IDs 0 and 4095 are reserved and unavailable.
7 Set the following General bridge VLAN parameters:
Description: If creating a new Bridge VLAN, provide a description (up to 64 characters) unique to the VLAN's specific configuration to help differentiate it from other VLANs with similar configurations.
Per VLAN Firewall: Enable this setting to provide firewall allow and deny conditions over the bridge VLAN. This setting is enabled by default.

8 Set or override the following URL Filter parameters. Web filters are used to control access to resources on the Internet.

URL Filter: Use the drop-down menu to select a URL filter to use with this Bridge VLAN.

9 Set or override the following Application Policy parameters. Use the drop-down menu to select the appropriate Application Policy to use with this Bridge VLAN configuration.
10 Set the following Extended VLAN Tunnel parameters:
Bridging Mode: Specify one of the following bridging modes for the VLAN. Automatic - Select Automatic to let the controller or service platform determine the best bridging mode for the VLAN. Local - Select Local to use local bridging mode for bridging traffic on the VLAN. Tunnel - Select Tunnel to use a shared tunnel for bridging traffic on the VLAN. Isolated-Tunnel - Uses a dedicated tunnel for bridging traffic on the VLAN.
IP Outbound Tunnel ACL: Select an IP Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound IP ACL is not available, select the Create button to make a new one.
IPv6 Outbound Tunnel ACL: Select an IPv6 Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound IPv6 ACL is not available, select the Create button to make a new one.
MAC Outbound Tunnel ACL: Select a MAC Outbound Tunnel ACL for outbound traffic from the drop-down menu. If an appropriate outbound MAC ACL is not available, click the Create button to make a new one.
Tunnel Over Level 2: Select this option to allow VLAN traffic to be tunneled over level 2 links. This setting is disabled by default.

NOTE: Local and Automatic bridging modes do not work with ACLs. ACLs can only be used with Tunnel or Isolated-Tunnel modes.

11 Select the Level 2 Tunnel Broadcast Optimization checkbox to enable broadcast optimization on this bridge VLAN. L2 Tunnel Broadcast Optimization prevents flooding of ARP packets over the virtual interface. Based on the learned information, ARP packets are filtered at the wireless controller level. This option is enabled by default. If enabling L2 tunnel broadcast optimization, set Level 2 Forward Additional Packet Types to None or WNMP to specify whether additional packet types are forwarded across the L2 tunnel. By default, L2 tunnel broadcast optimization also disables Wireless Network Management Protocol (WNMP) packet forwarding across the L2 tunnel. Use this option to enable the forwarding of only WNMP packets. The default value is None.
12 Select + Add Row to set the following Tunnel Rate Limit parameters:
Mint Link Level: Select the MINT link level from the drop-down menu.
Rate: Define a transmit rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received over the bridge VLAN. Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5,000 kbps.
Max Burst Size: Set a maximum burst size between 0 - 1024 kbytes. The smaller the burst, the less likely the received packet transmission will result in congestion. The default burst size is 320 kbytes.
Background: Set the random early detection threshold in % for low priority background traffic. Set a value from 1 - 100%. The default is 50%.
Best-Effort: Set the random early detection threshold in % for low priority best-effort traffic. Set a value from 1 - 100%. The default is 50%.
Video: Set the random early detection threshold in % for high priority video traffic. Set a value from 1 - 100%. The default is 25%.
Voice: Set the random early detection threshold in % for high priority voice traffic. Set a value from 1 - 100%. The default is 25%.

13 Set the following Layer 2 Firewall parameters:
Trust ARP Response: Select this option to use trusted ARP packets to update the DHCP Snoop Table to prevent IP spoofing and ARP-cache poisoning attacks. This feature is disabled by default.
Trust DHCP Responses: Select this option to treat DHCP packets from a DHCP server as trusted and permissible within the managed network. DHCP packets are used to update the DHCP Snoop Table to prevent IP spoofing attacks. This feature is disabled by default.
Enable Edge VLAN Mode: Select this option to enable edge VLAN mode. When selected, the edge controller or service platform's IP address in the VLAN is not used, and is now designated to isolate devices and prevent connectivity. This feature is enabled by default.

14 Set the following IPv6 Settings:
IPv6 Firewall: Select this option to enable an IPv6 firewall on this bridge VLAN. This setting is enabled by default.
DHCPv6 Trust: Select this option to trust all DHCPv6 responses on this bridge VLAN. DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. This setting is enabled by default.
RA Guard: Select this option to enable router advertisements or ICMPv6 redirects on this bridge VLAN. This setting is enabled by default.

15 Refer to the Captive Portal field to select an existing captive portal configuration to apply access restrictions to the bridge VLAN configuration. A captive portal is an access policy for providing temporary and restrictive access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to access the network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail and No Service pages provide the administrator with a number of options on captive portal screen flow and user appearance. If an existing captive portal does not suit the bridge VLAN configuration, either select the Edit icon to modify an existing configuration or select the Create icon to define a new configuration that can be applied to the bridge VLAN. For information on configuring a captive portal policy, see Configuring Captive Portal Policies on page 11-1.
16 Refer to the Captive Portal Snoop Subnet field to configure the IPv4 clients to be excluded when snooping an IPv4 subnet for static wired captive portal clients. In the Subnet field, provide the subnet to snoop on. In the Exclude IP field, provide one (1) IP address in the subnet to be excluded from snooping.
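The Layer 2 firewall trust settings in step 13 (Trust DHCP Responses feeding the DHCP Snoop Table, and ARP replies checked against it) can be pictured with a small model. The following Python is an added example, not code from this guide or from the Extreme Networks implementation: DHCP ACKs that arrive on a trusted port create IP-to-MAC bindings that age out with the lease, and an ARP reply whose IP/MAC pair disagrees with a binding is dropped and logged rather than being allowed to poison neighbour caches. The port names, addresses, packet dictionaries and verdict labels are all constructed for the example.

```python
"""Toy model of DHCP snooping and ARP inspection on a bridge VLAN.

Added example, not code from the WiNG guide or from Extreme Networks.
DHCP ACKs arriving on a trusted port populate a snoop table of
IP-to-MAC bindings that expire with the lease; ARP replies are then
validated against that table so a reply claiming an IP with the wrong
MAC is dropped and logged instead of updating neighbour caches.
All ports, addresses and packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Binding:
    mac: str            # MAC the DHCP server leased the address to
    vlan: int           # bridge VLAN the lease was seen on
    expires_at: float   # absolute time (seconds) when the lease ends


class SnoopTable:
    """IP -> Binding table fed only by DHCP ACKs from trusted ports."""

    def __init__(self, trusted_ports):
        self.trusted_ports = set(trusted_ports)
        self.bindings: Dict[str, Binding] = {}
        self.log: List[str] = []

    def on_dhcp(self, pkt: dict, now: float) -> bool:
        """Return True if the DHCP server message updated the table."""
        if pkt["msg_type"] != "ACK":
            return False  # only a completed lease creates a binding
        if pkt["in_port"] not in self.trusted_ports:
            # A server reply from a client-facing port is a rogue-server
            # indicator: do not learn from it, record the event.
            self.log.append(f"DROP DHCP ACK from untrusted port {pkt['in_port']} "
                            f"offering {pkt['yiaddr']}")
            return False
        self.bindings[pkt["yiaddr"]] = Binding(
            mac=pkt["chaddr"].lower(), vlan=pkt["vlan"], expires_at=now + pkt["lease"])
        return True

    def expire(self, now: float) -> int:
        """Age out bindings whose lease has elapsed; returns how many were removed."""
        stale = [ip for ip, b in self.bindings.items() if b.expires_at <= now]
        for ip in stale:
            del self.bindings[ip]
        return len(stale)

    def check_arp(self, pkt: dict, now: float) -> str:
        """Classify an ARP reply as 'trusted', 'spoof' or 'unknown'."""
        self.expire(now)
        b = self.bindings.get(pkt["sender_ip"])
        if b is None:
            return "unknown"  # no lease on record for this IP
        if b.mac == pkt["sender_mac"].lower() and b.vlan == pkt["vlan"]:
            return "trusted"  # matches the DHCP-learned binding
        self.log.append(f"DROP ARP spoof: {pkt['sender_ip']} claimed by "
                        f"{pkt['sender_mac']} on {pkt['in_port']}, bound to {b.mac}")
        return "spoof"


def run_sample() -> dict:
    """Replay a constructed packet sequence and return the verdicts."""
    table = SnoopTable(trusted_ports={"ge1"})  # ge1 faces the DHCP server
    dhcp = [
        # legitimate 300 s lease for a wireless client, seen on the trusted uplink
        {"msg_type": "ACK", "in_port": "ge1", "vlan": 10,
         "yiaddr": "10.0.10.25", "chaddr": "AA:BB:CC:00:00:01", "lease": 300},
        # a server reply arriving on a client-facing radio: rogue server
        {"msg_type": "ACK", "in_port": "radio1", "vlan": 10,
         "yiaddr": "10.0.10.26", "chaddr": "AA:BB:CC:00:00:02", "lease": 300},
    ]
    accepted = [table.on_dhcp(p, now=0) for p in dhcp]
    arp = [  # t is the arrival time in seconds
        {"t": 10, "sender_ip": "10.0.10.25", "sender_mac": "aa:bb:cc:00:00:01",
         "vlan": 10, "in_port": "radio1"},   # genuine reply
        {"t": 11, "sender_ip": "10.0.10.25", "sender_mac": "de:ad:be:ef:00:02",
         "vlan": 10, "in_port": "radio2"},   # another MAC claims the leased IP
        {"t": 12, "sender_ip": "10.0.10.99", "sender_mac": "aa:bb:cc:00:00:09",
         "vlan": 10, "in_port": "radio1"},   # IP with no lease on record
        {"t": 400, "sender_ip": "10.0.10.25", "sender_mac": "aa:bb:cc:00:00:01",
         "vlan": 10, "in_port": "radio1"},   # correct MAC, but the lease aged out
    ]
    verdicts = [table.check_arp(p, now=p["t"]) for p in arp]
    return {"dhcp_accepted": accepted, "arp": verdicts, "log": table.log}


if __name__ == "__main__":
    for line in run_sample()["log"]:
        print(line)
```

The model treats an unknown IP as neither trusted nor spoofed; on the appliance, what happens to such a reply depends on the other firewall settings on the VLAN, which this example does not attempt to reproduce.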
17 Refer to the Captive Portal Snoop IPv6 Subnet field to configure the IPv6 clients to be excluded when snooping an IPv6 subnet for static wired captive portal clients. Multiple rows can be added to this field.

Subnet: Use this field to provide an IPv6 subnet to snoop on.
Exclude IP: Use this field to provide the IPv6 address in the subnet to be excluded from snooping.

18 Select the OK button to save the changes to the General tab. Select Reset to revert to the last saved configuration.
19 Select the IGMP Snooping tab to define the VLAN's IGMP configuration.

Figure 8-80 Bridge VLAN - IGMP Snooping Tab

20 Define the following General IGMP parameters for the bridge VLAN configuration:
The Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. Controllers and service platforms listen to IGMP network traffic and forward IGMP multicast packets to radios on which the interested hosts are connected. On the wired side of the network, the wired interfaces are flooded. This feature reduces the unnecessary flooding of multicast traffic in the network.

Enable IGMP Snooping: Select the check box to enable IGMP snooping. If disabled, snooping on a per VLAN basis is also disabled. This feature is enabled by default. If disabled, the settings under bridge configuration are overridden. For example, if IGMP snooping is disabled, but the bridge VLAN is enabled, the effective setting is disabled.
Forward Unknown Unicast Packets: Select the check box to enable forwarding of unicast packets from unregistered multicast groups. If disabled (the default setting), the unknown unicast forward feature is also disabled for individual VLANs.
Enable Fast Leave Processing: Select this option to remove a Layer 2 LAN interface from the IGMP snooping forwarding table entry without initially sending IGMP group-specific queries to the interface. When receiving a group-specific IGMPv2 leave message, IGMP snooping removes the interface from the Layer 2 forwarding table entry for that multicast group, unless a multicast router was learned on the port. Fast-leave processing enhances bandwidth management for all hosts on the network. This setting is disabled by default.
Last Member Query Count: Specify the number (1 - 7) of group-specific queries sent before removing an IGMP snooping entry. The default setting is 2.

21 Define the following Multicast Router settings:
Interface Names: Select the ge1 or radio interfaces used for IGMP snooping over a multicast router.
Multicast Router Learn Mode: Set the pim-dvmrp or static multicast routing learn mode.

22 Set the following IGMP Querier parameters for the profile's bridge VLAN configuration:
Enable IGMP Querier: IGMP snoop querier is used to keep host memberships alive. It's primarily used in a network where there's a multicast streaming server, hosts subscribed to the server and no IGMP querier present. An IGMP querier sends out periodic IGMP query packets. Interested hosts reply with an IGMP report packet. IGMP snooping is only conducted on wireless radios. IGMP multicast packets are flooded on wired ports. IGMP multicast packets are not flooded on the wired port; IGMP membership is also learnt on it, and only if present is traffic forwarded on that port.
Source IP Address: Define an IP address applied as the source address in the IGMP query packet. This address is used as the default VLAN querier IP address.
IGMP Version: Use the spinner control to set the IGMP version compatibility to either version 1, 2 or 3. The default setting is 3.
Maximum Response Time: Specify the maximum time (from 1 - 25 seconds) before sending a responding report. When no reports are received from a radio, radio information is removed from the snooping table. For IGMP reports from wired ports, reports are only forwarded to the multicast router ports. The default setting is 10 seconds.
Other Querier Timer Expiry: Specify an interval in either Seconds (60 - 300) or Minutes (1 - 5) used as a timeout interval for other querier resources. The default setting is 1 minute.

23 Select the OK button located at the bottom right of the screen to save the changes to the IGMP Snooping tab. Select Reset to revert to the last saved configuration.
24 Select the MLD Snooping tab.

Figure 8-81 Bridge VLAN - MLD Snooping Tab

Define the following General MLD snooping parameters for the bridge VLAN configuration. Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups. MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.

Enable MLD Snooping: Enable MLD snooping to examine MLD packets and support content forwarding on this bridge VLAN. Packets delivered are identified by a single multicast group address. Multicast packets are delivered using best-effort reliability, just like IPv6 unicast. MLD snooping is enabled by default.
Forward Unknown Unicast Packets: Use this option to either enable or disable IPv6 unknown unicast forwarding. Unicast addresses identify a single network interface, whereas a multicast address is used by multiple hosts. This setting is enabled by default.

25 Define the following Multicast Router settings:
Interface Names: Select the physical ge port or radio interfaces used for MLD snooping.
Multicast Router Learn Mode: Set the pim-dvmrp or static multicast routing learn mode. DVMRP builds a parent-child database using a constrained multicast model to build a forwarding tree rooted at the source of the multicast packets. Multicast packets are initially flooded down this source tree. If redundant paths are on the source tree, packets are not forwarded along those paths.

26 Set the following MLD Querier parameters for the profile's bridge VLAN configuration:
Enable MLD Querier: Select the option to enable MLD querier on the controller, service platform or Access Point. When enabled, the device sends query messages to discover which network devices are members of a given multicast group. This setting is enabled by default.
MLD Version: Define whether MLD version 1 or 2 is utilized with the MLD querier. MLD version 1 is based on IGMP version 2 for IPv4. MLD version 2 is based on IGMP version 3 for IPv4 and is fully backward compatible. IPv6 multicast uses MLD version 2. The default MLD version is 2.
Maximum Response Time: Specify the maximum response time (from 1 - 25,000 milliseconds) before sending a responding report. Queriers use MLD reports to join and leave multicast groups and receive group traffic. The default setting is 1 millisecond.
Other Querier Timer Expiry: Specify an interval in either Seconds (60 - 300) or Minutes (1 - 5) used as a timeout interval for other querier resources. The default setting is 60 seconds.

27 Select the OK button located at the bottom right of the screen to save the changes. Select Reset to revert to the last saved configuration.

8.8.14 Setting a Profile's Cisco Discovery Protocol Configuration

The Cisco Discovery Protocol (CDP) is a proprietary data link layer network protocol implemented in Cisco networking equipment and used to share information about network devices. To set a profile's CDP configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Cisco Discovery Protocol (CDP).

Figure 8-82 Profile - Network Cisco Discovery Protocol screen

4 Check the Enable CDP box to enable the Cisco Discovery Protocol on the device.
5 Refer to the Hold Time field and use the spinner control to define a hold time between 10 - 1800 seconds for transmitted CDP packets. The default value is 180 seconds.
6 Refer to the Timer field and use the spinner control to define an interval between 5 - 900 seconds at which to transmit CDP packets. The default value is 60 seconds.
7 Select the OK button to save the changes. Select Reset to revert to the last saved configuration.

8.8.15 Setting a Profile's Link Layer Discovery Protocol Configuration

The Link Layer Discovery Protocol (LLDP) or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising (announcing) identity, capabilities and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery. Both LLDP snooping and the ability to generate and transmit LLDP packets are provided. Information obtained via CDP and LLDP snooping is available in the UI. Information obtained using LLDP is provided by an Access Point during the adoption process, so the layer 2 device detected by the Access Point can be used as a criterion in the provisioning policy. To set a profile's LLDP configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Link Layer Discovery Protocol.

Figure 8-83 Profile - Network Link Layer Discovery Protocol screen

4 Check the Enable LLDP box to enable Link Layer Discovery Protocol on the device.
5 Refer to the Hold Time field and use the spinner control to define a hold time from 10 - 1800 seconds for transmitted LLDP packets. The default value is 180 seconds.
6 Refer to the Timer field and use the spinner control to define the interval between 5 - 900 seconds at which to transmit LLDP packets. The default value is 60 seconds.
7 Enable Inventory Management Discovery to track and identify inventory attributes including manufacturer, model or software version.
8 Extended Power via MDI Discovery provides detailed power information through end points and other connected devices. Select the Extended Power via MDI Discovery box to enable this feature, or select the Default for Type option to use a WiNG internal default value.
9 Select the OK button to save the changes. Select Reset to revert to the last saved configuration.

8.8.16 Setting a Profile's Miscellaneous Network Configuration

A profile can be configured to include a hostname in a DHCP lease for a requesting device and its profile. This helps an administrator track the leased DHCP IP address by hostname for the supported device profile. When numerous DHCP leases are assigned, an administrator can better track the leases when hostnames are used instead of devices. To include a hostname in a DHCP request:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Miscellaneous.
4 Refer to the DHCP Settings section to configure miscellaneous DHCP Settings.

Figure 8-84 Profile Miscellaneous screen

Include Hostname in DHCP Request: Select Include Hostname in DHCP Request to include a hostname in a DHCP lease for a requesting device. This feature is disabled by default.
DHCP Persistent Lease: Enables a persistent DHCP lease for a requesting device. A persistent DHCP lease assigns the same IP Address and other network information to the device each time it renews its DHCP lease.

5 Select the OK button located at the bottom right of the screen to save the changes. Select Reset to revert to the last saved configuration.

8.8.17 Setting a Profile's Alias Configuration

With large deployments, the configuration of remote sites utilizes a set of shared attributes, of which a small set of attributes are unique for each location. For such deployments, maintaining separate configurations (WLANs, profiles, policies and ACLs) for each remote site is complex. Migrating any global change to a particular configuration item to all the remote sites is a complex and time consuming operation. Also, this practice does not scale gracefully for quickly growing deployments. An alias enables an administrator to define a configuration item, such as a hostname, as an alias once and use the defined alias across different configuration items such as multiple ACLs. Once a configuration item, such as an ACL, is utilized across remote locations, the alias used in the configuration item (ACL) is modified to meet the local deployment requirement. Any other ACL or other configuration items using the modified alias also get modified, simplifying maintenance at the remote deployment. Aliases have scope depending on where the alias is defined.
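How an ACL that references a network alias keeps working unchanged when a site redefines that alias, as an added example in Python (not code from this guide or from Extreme Networks). It assumes the four alias scopes this section describes and their precedence, device over RF Domain over profile over global, and enforces the rule that an alias name starts with a dollar sign. The device names, alias names and address ranges are constructed for the example.

```python
"""Toy resolver for alias scopes and an alias-based ACL.

Added example, not code from the WiNG guide or from Extreme Networks.
An ACL rule references a network alias by its $name; the value that
applies to a device is looked up through the scopes the guide
describes, most specific first: device, RF Domain, profile, global.
The ACL text is identical at every site; only the alias value differs.
Device names, alias names and address ranges are constructed data.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Scopes from lowest to highest precedence, as described in the guide.
SCOPE_ORDER = ("global", "profile", "rfdomain", "device")


class AliasStore:
    def __init__(self) -> None:
        # scope -> scope identifier -> alias name -> value
        self.tables: Dict[str, Dict[str, Dict[str, str]]] = {s: {} for s in SCOPE_ORDER}

    def define(self, scope: str, scope_id: str, name: str, value: str) -> None:
        if scope not in SCOPE_ORDER:
            raise ValueError(f"unknown scope {scope!r}")
        if not name.startswith("$"):
            raise ValueError("alias names always start with a dollar sign")
        self.tables[scope].setdefault(scope_id, {})[name] = value

    def resolve(self, name: str, device: dict) -> Tuple[str, str]:
        """Return (value, scope) from the most specific definition visible to device."""
        scope_ids = {
            "global": "*",
            "profile": device["profile"],
            "rfdomain": device["rfdomain"],
            "device": device["name"],
        }
        for scope in reversed(SCOPE_ORDER):  # device first, global last
            entry = self.tables[scope].get(scope_ids[scope], {})
            if name in entry:
                return entry[name], scope
        raise KeyError(f"alias {name} is not defined in any scope for {device['name']}")


def acl_verdict(store: AliasStore, device: dict,
                rules: List[Tuple[str, str]], src_ip: str) -> Optional[str]:
    """First-match evaluation of (action, network alias) rules; None if nothing matches."""
    addr = ipaddress.ip_address(src_ip)
    for action, alias in rules:
        network, _ = store.resolve(alias, device)
        if addr in ipaddress.ip_network(network, strict=False):
            return action
    return None


def run_sample() -> dict:
    store = AliasStore()
    # Global values, used as-is by the central site.
    store.define("global", "*", "$corp_net", "192.168.10.0/24")
    store.define("global", "*", "$guest_net", "192.168.200.0/24")
    # A profile shared by all branch APs overrides the global value.
    store.define("profile", "branch-ap", "$corp_net", "10.0.0.0/8")
    # Branch 7's RF Domain has its own addressing and overrides the profile.
    store.define("rfdomain", "branch-7", "$corp_net", "172.16.10.0/24")
    # One device in branch 7 sits on a different segment and overrides everything.
    store.define("device", "ap-7-lobby", "$corp_net", "172.16.11.0/24")

    hq = {"name": "ctrl-hq", "profile": "default-nx", "rfdomain": "hq"}
    branch9 = {"name": "ap-9-1", "profile": "branch-ap", "rfdomain": "branch-9"}
    branch7 = {"name": "ap-7-1", "profile": "branch-ap", "rfdomain": "branch-7"}
    lobby = {"name": "ap-7-lobby", "profile": "branch-ap", "rfdomain": "branch-7"}

    # The same ACL everywhere: drop guest, permit corporate, no match otherwise.
    rules = [("deny", "$guest_net"), ("permit", "$corp_net")]
    return {
        "hq": store.resolve("$corp_net", hq),
        "branch9": store.resolve("$corp_net", branch9),
        "branch7": store.resolve("$corp_net", branch7),
        "lobby": store.resolve("$corp_net", lobby),
        "branch7_permit": acl_verdict(store, branch7, rules, "172.16.10.44"),
        "hq_same_ip": acl_verdict(store, hq, rules, "172.16.10.44"),
        "guest_deny": acl_verdict(store, lobby, rules, "192.168.200.9"),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

The point of the walk from device to global in resolve() is that a branch override never edits the ACL itself: the same rule list permits 172.16.10.44 at branch 7 and does not match it at headquarters, purely because $corp_net resolves differently for each device.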
Aliases are defined with the following scopes:
Global aliases are defined from the Configuration > Network > Alias screen. Global aliases are available for use globally across all devices, profiles and RF Domains in the system.

Profile aliases are defined from the Configuration > Devices > System Profile > Network > Alias screen. Profile aliases are available for use by a specific group of wireless controllers or Access Points. Alias values defined in a profile override the alias values defined within global aliases.

RF Domain aliases are defined from the Configuration > Devices > RF Domain > Alias screen. RF Domain aliases are available for use by a site, as an RF Domain is site specific. RF Domain alias values override alias values defined in a global alias or a profile alias configuration.

Device aliases are defined from the Configuration > Devices > Device Overrides > Network > Alias screen. Device aliases are utilized by a single device only. Device alias values override global, profile or RF Domain alias configurations.

Using an alias, configuration changes made at a remote location override any updates at the management center. For example, if a network alias defines a network range as 192.168.10.0/24 for the entire network, and at a remote deployment location the local network range is 172.16.10.0/24, the network alias can be overridden at the deployment location to suit the local requirement. For the remote deployment location, the network alias works with the 172.16.10.0/24 network. Existing ACLs using this network alias need not be modified and will work with the local network for the deployment location. This simplifies ACL definition and management while taking care of specific local deployment requirements.

For more information, refer to the following:
Basic Alias
Network Group Alias
Network Service Alias

8.8.17.1 Basic Alias

A basic alias is a set of configurations consisting of VLAN, Host, Network and Address Range alias configurations. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device's IP address. A network alias configuration is utilized for an IP address on a particular network. An address range alias is a configuration for a range of IP addresses. To set a network basic alias configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Alias. The Alias screen displays with the Basic Alias tab displayed by default.
4 Select + Add Row to define VLAN Alias settings:
Figure 8-85 Basic Alias screen

Use the Vlan Alias field to create unique aliases for VLANs that can be utilized at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network. A new VLAN need not be created specifically at the remote location.

Name: If adding a new VLAN Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Vlan: Use the spinner control to set a numeric VLAN ID from 1 - 4094.

5 Select + Add Row to define Address Range Alias settings:
Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location's network range is 172.16.13.20 through 172.16.13.110, the remote location's ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.

Name: If adding a new Address Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Start IP: Set a starting IP address used with a range of addresses utilized with the address range alias.
End IP: Set an ending IP address used with a range of addresses utilized with the address range alias.

6 Select + Add Row to define String Alias settings:
Use the String Alias field to create aliases for hosts that can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.

Name: If adding a new String Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Value: Provide a string value to use in the alias.

7 Select + Add Row to define Host Alias settings:
Use the Host Alias field to create aliases for hosts that can be utilized at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location's local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.

Name: If adding a new Host Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Host: Set the IP address of the host machine.

8 Select + Add Row to define Network Alias settings:
Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location's network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit the local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.

Name: If adding a new Network Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Network: Provide a network address in the form of host/mask.

9 Select OK when completed to update the set of basic alias rules. Select Reset to revert the screen back to its last saved configuration.

8.8.17.2 Network Group Alias

A network group alias is a set of configurations consisting of host and network configurations. Network configurations are complete networks in the form of 192.168.10.0/24 or an IP address range in the form of 192.168.10.10-192.168.10.20. Host configurations are in the form of a single IP address, 192.168.10.23. A network group alias can contain multiple definitions for a host, network, and IP address range. A maximum of eight (8) host entries, eight (8) network entries and eight (8) IP address range entries can be configured inside a network group alias. A maximum of 32 network group alias entries can be created. To set a network group alias configuration:
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Alias.
4 Select the Network Group Alias tab. The screen displays the attributes of existing network group alias configurations.

Figure 8-86 Network Group Alias screen

Name: Displays the administrator assigned name used with the network group alias.
Host: Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined.
Network: Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined.

5 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
6 Select the added row to expand it into configurable parameters for defining the network alias rule.

Figure 8-87 Network Group Alias Add screen

7 If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($).
8 Define the following network group alias parameters:
Host: Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table.
Network: Specify the netmask for up to eight IP addresses supporting network aliasing. Subnets can improve network security and performance by organizing hosts into logical groups. Applying the subnet mask to an IP address separates the address into a host address and an extended network address. Select the down arrow to add the mask to the table.

9 Within the Range table, use the + Add Row button to specify the Start IP address and End IP address for the alias range, or double-click an existing alias range entry to edit it.
10 Select OK when completed to update the network alias rules. Select Reset to revert the screen back to its last saved configuration.

8.8.17.3 Network Service Alias

A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias. Use a service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node.

To define a service alias configuration:
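The host, network, network group and service aliases of 8.8.17, together with the per-deployment override the text describes, modelled in Python. This is an added example, not the controller's own code: the entry limits and the $ naming rule come from the text above, while the AliasTable/permits API and the sample addresses are constructed for illustration.

```python
# Added example (not the controller's code): alias types of 8.8.17 and their per-site override.
# Limits and the "$" naming rule are from the guide; the API and sample values are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

MAX_NAME_LEN = 32          # alias names: at most 32 characters, always starting with "$"
MAX_GROUP_ENTRIES = 8      # hosts, networks and ranges each, per network group alias
MAX_SERVICE_PROTOCOLS = 4  # protocol entries per network service alias
MAX_PORT_RANGES = 2        # source and destination port ranges per protocol entry


def check_alias_name(name):
    if not (name.startswith("$") and 2 <= len(name) <= MAX_NAME_LEN):
        raise ValueError(f"bad alias name {name!r}: must start with '$', max {MAX_NAME_LEN} chars")
    return name


@dataclass
class NetworkGroupAlias:
    name: str
    hosts: list = field(default_factory=list)     # single IP addresses
    networks: list = field(default_factory=list)  # host/mask networks
    ranges: list = field(default_factory=list)    # "start-end" IP address ranges

    def __post_init__(self):
        check_alias_name(self.name)
        for kind, items in (("host", self.hosts), ("network", self.networks), ("range", self.ranges)):
            if len(items) > MAX_GROUP_ENTRIES:
                raise ValueError(f"{self.name}: more than {MAX_GROUP_ENTRIES} {kind} entries")
        self.hosts = [ip_address(h) for h in self.hosts]
        self.networks = [ip_network(n) for n in self.networks]
        self.ranges = [tuple(ip_address(x) for x in r.split("-")) for r in self.ranges]

    def matches(self, addr):
        a = ip_address(addr)
        return (a in self.hosts or any(a in n for n in self.networks)
                or any(lo <= a <= hi for lo, hi in self.ranges))


def host_alias(name, ip):        # a Host Alias is a single address: modelled as a one-entry group
    return NetworkGroupAlias(name, hosts=[ip])


def network_alias(name, net):    # a Network Alias is one host/mask network
    return NetworkGroupAlias(name, networks=[net])


@dataclass
class ServiceAlias:
    name: str
    entries: list = field(default_factory=list)   # (protocol, src_port_ranges, dst_port_ranges)

    def __post_init__(self):
        check_alias_name(self.name)
        if len(self.entries) > MAX_SERVICE_PROTOCOLS:
            raise ValueError(f"{self.name}: more than {MAX_SERVICE_PROTOCOLS} protocol entries")
        for proto, src, dst in self.entries:
            if proto not in ("tcp", "udp") and (src or dst):   # ports only apply to tcp/udp
                raise ValueError(f"{self.name}: port ranges do not apply to {proto}")
            if len(src) > MAX_PORT_RANGES or len(dst) > MAX_PORT_RANGES:
                raise ValueError(f"{self.name}: more than {MAX_PORT_RANGES} port ranges")

    def matches(self, proto, sport, dport):
        for p, src, dst in self.entries:
            if p != proto:
                continue
            if src and not any(lo <= sport <= hi for lo, hi in src):
                continue
            if dst and not any(lo <= dport <= hi for lo, hi in dst):
                continue
            return True
        return False


class AliasTable:
    """Central definitions plus per-site overrides: a site reuses the central alias
    name but may bind it to a local value, as in the DNS and ACL examples above."""

    def __init__(self):
        self.central, self.overrides = {}, {}

    def define(self, alias, site=None):
        table = self.overrides.setdefault(site, {}) if site else self.central
        table[alias.name] = alias

    def resolve(self, name, site=None):
        return self.overrides.get(site, {}).get(name) or self.central[name]


def permits(table, site, src_ip, dst_ip, proto, sport, dport, rule):
    """Evaluate one ACL rule written as (src_alias, dst_alias, service_alias) at a site."""
    src_alias, dst_alias, svc_alias = (table.resolve(n, site) for n in rule)
    return (src_alias.matches(src_ip) and dst_alias.matches(dst_ip)
            and svc_alias.matches(proto, sport, dport))


# Constructed sample: the central site defines the aliases; the remote site overrides two.
TABLE = AliasTable()
TABLE.define(network_alias("$CORP_NET", "192.168.10.0/24"))
TABLE.define(host_alias("$DNS", "192.168.10.53"))
TABLE.define(ServiceAlias("$DNS_SVC", [("udp", [], [(53, 53)]), ("tcp", [], [(53, 53)])]))
TABLE.define(network_alias("$CORP_NET", "172.16.10.0/24"), site="remote")
TABLE.define(host_alias("$DNS", "172.16.10.53"), site="remote")
DNS_RULE = ("$CORP_NET", "$DNS", "$DNS_SVC")   # one rule text serves both deployments
```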
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select Alias.
4 Select the Network Service Alias tab. The screen displays existing network service alias configurations.

Figure 8-88 Network Service Alias screen

5 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
6 Select the added row to expand it into configurable parameters for defining the service alias rule.

Figure 8-89 Network Service Alias Add screen

7 If adding a new Network Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name.
8 Select + Add Row and provide the following configuration parameters:
Protocol: Specify the protocol for which the alias has to be created. Use the drop-down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed. When a protocol is selected, its protocol number is automatically selected.
Source Port (Low and High): This field is only relevant if the protocol is either tcp or udp. Specify the source ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
Destination Port (Low and High): This field is only relevant if the protocol is either tcp or udp. Specify the destination ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.

9 Within the Range field, use the + Add Row button to specify the Start IP address and End IP address for the service alias range, or double-click an existing service alias range entry to edit it.
10 Select OK when completed to update the service alias rules. Select Reset to revert the screen back to its last saved configuration.

8.8.18 Setting a Profile's IPv6 Neighbor Configuration

IPv6 neighbor discovery uses ICMP messages and solicited multicast addresses to find the link layer address of a neighbor on the same local network, verify the neighbor's reachability and track neighboring devices. Upon receiving a neighbor solicitation message, the destination replies with a neighbor advertisement (NA). The source address in the advertisement is the IPv6 address of the device sending the message. The destination address in the advertisement message is the IPv6 address of the device sending the neighbor solicitation. The data portion of the NA includes the link layer address of the node sending the neighbor advertisement.

Neighbor solicitation messages also verify the availability of a neighbor once its link layer address is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor. A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed. If packets are reaching the device, they're also reaching the next hop neighbor, providing a confirmation the next hop is reachable.

To set an IPv6 neighbor discovery configuration:
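The solicitation/advertisement exchange described above, as an added Python example that is not the controller's code: it derives the solicited-node multicast group for a target address, builds neighbor solicitation and advertisement messages with a valid ICMPv6 checksum, parses an advertisement back to the address/MAC binding a neighbor entry records, and checks a static entry against the VLAN and device-type constraints of step 5 below. Addresses and MACs are constructed samples.

```python
# Added example (not the controller's code): NS/NA messages from 8.8.18 as bytes, plus the
# static neighbor entry check. Addresses and MACs used with it are constructed samples.
import struct
from ipaddress import IPv6Address

ICMPV6, ND_NS, ND_NA = 58, 135, 136        # next-header value and ICMPv6 message types
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2      # ND option types carrying a link-layer address
DEVICE_TYPES = ("Host", "Router", "DHCP Server")


def solicited_node_multicast(addr):
    """ff02::1:ffXX:XXXX, the group a node joins for each of its addresses: the low 24
    bits of the target are appended, so a solicitation reaches only likely owners."""
    low24 = int(IPv6Address(addr)) & 0xFFFFFF
    return IPv6Address(int(IPv6Address("ff02::1:ff00:0")) | low24)


def icmpv6_checksum(src, dst, msg):
    """One's-complement sum over the IPv6 pseudo-header and the ICMPv6 message.
    Computed over a message that already carries its checksum, the result is 0."""
    data = (IPv6Address(src).packed + IPv6Address(dst).packed
            + struct.pack("!I3xB", len(msg), ICMPV6) + msg)
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _mac_bytes(mac):
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"MAC {mac!r} is not 6 octets")
    return raw


def _with_checksum(src, dst, body):
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def build_ns(src, target, src_mac, probe=False):
    """Neighbor solicitation. Sent to the solicited-node group to resolve an address,
    or to the neighbor's unicast address (probe=True) to verify it is still reachable."""
    dst = target if probe else str(solicited_node_multicast(target))
    body = (struct.pack("!BBHI", ND_NS, 0, 0, 0) + IPv6Address(target).packed
            + struct.pack("!BB", OPT_SRC_LLADDR, 1) + _mac_bytes(src_mac))
    return dst, _with_checksum(src, dst, body)


def build_na(src, dst, mac, router=False, solicited=True):
    """Neighbor advertisement from the owner of src back to the solicitor: the target
    field repeats the owner's address and the option carries its link-layer address."""
    flags = (router << 31) | (solicited << 30) | (1 << 29)          # R, S, O bits
    body = (struct.pack("!BBHI", ND_NA, 0, 0, flags) + IPv6Address(src).packed
            + struct.pack("!BB", OPT_TGT_LLADDR, 1) + _mac_bytes(mac))
    return _with_checksum(src, dst, body)


def parse_na(src, dst, msg):
    """Validate an NA and return the (IPv6, MAC) binding a neighbor cache entry records."""
    if len(msg) < 24 or msg[0] != ND_NA or icmpv6_checksum(src, dst, msg) != 0:
        raise ValueError("not a valid neighbor advertisement")
    target, mac, opts = IPv6Address(msg[8:24]), None, msg[24:]
    while len(opts) >= 2:
        otype, olen = opts[0], opts[1] * 8
        if olen == 0 or olen > len(opts):
            raise ValueError("malformed ND option")
        if otype == OPT_TGT_LLADDR and olen == 8:                    # Ethernet form
            mac = ":".join(f"{b:02x}" for b in opts[2:8])
        opts = opts[olen:]
    if mac is None:
        raise ValueError("advertisement carries no target link-layer address")
    return target, mac


def validate_neighbor_entry(ipv6, mac, vlan, device_type="Host"):
    """Static entry as configured in step 5: address, MAC, VLAN 1 - 4094, device type."""
    if not 1 <= vlan <= 4094:
        raise ValueError("Switch VLAN Interface must be 1 - 4094")
    if device_type not in DEVICE_TYPES:
        raise ValueError(f"Device Type must be one of {DEVICE_TYPES}")
    return {"ipv6": IPv6Address(ipv6), "mac": _mac_bytes(mac).hex(":"), "vlan": vlan,
            "type": device_type}
```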
1 Select Configuration > Profiles > Network.
2 Expand the Network menu to display its submenu options.
3 Select IPv6 Neighbor.

Figure 8-90 IPv6 Neighbor screen

4 Set an IPv6 Neighbor Entry Timeout in either Seconds (15 - 86,400), Minutes (1 - 1,440), Hours (1 - 24) or Days (1). The default setting is 1 hour.
5 Select + Add Row to define the configuration of IPv6 Neighbor Discovery configurations. A maximum of 256 neighbor entries can be defined.

IPv6 Address: Provide a static IPv6 address for neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
MAC Address: Enter the hardware encoded MAC addresses of up to 256 IPv6 neighbor devices. A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed. If packets are reaching the device, they're also reaching the next hop neighbor, providing a confirmation the next hop is reachable.
Switch VLAN Interface: Use the spinner control to set the virtual interface (from 1 - 4094) used for neighbor advertisements and solicitation messages.
Device Type: Specify the device type for this neighbor solicitation. Neighbor solicitations request the link layer address of a target node while providing the sender's own link layer address to the target. Neighbor solicitations are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. Options include Host, Router and DHCP Server. The default setting is Host.

6 Select OK to save the changes. Select Reset to revert to the last saved configuration.

8.8.19 Profile Network Configuration and Deployment Considerations

Before defining a profile's network configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective:
- Administrators often need to route traffic between different VLANs. Bridging VLANs are only for non-routable traffic, like tagged VLAN frames destined to some other device which will untag it. When a data frame is received on a port, the VLAN bridge determines the associated VLAN based on the port of reception.
- Static routes, while easy, can be overwhelming within a large or complicated network. Each time there is a change, someone must manually make changes to reflect the new route. If a link goes down, even if there is a second path, the router would ignore it and consider the link down. Static routes require extensive planning and have a high management overhead. The more routers in a network, the more routes need to be configured. If you have N routers and a route between each router is needed, then you must configure N x N routes. Thus, for a network with nine routers, you'll need a minimum of 81 routes (9 x 9 = 81).

8.9 Profile Security Configuration

A profile can have its own firewall policy, wireless client role policy, WEP shared key authentication, NAT policy and VPN policy applied. If an existing firewall, client role or NAT policy is unavailable, an administrator can navigate from Configuration > Profiles to Configuration > Security to create the required security policy configuration. Once created, separate policies can be applied to the profile to best support the data protection and security requirements of the device model supported by the profile.

For more information, refer to the following sections:
- Setting the Profile's Security Settings
- Setting the Profile's Certificate Revocation List (CRL) Configuration
- Setting the Profile's Trustpoint Configuration
- Setting the Profile's VPN Configuration
- Setting the Profile's Auto IPSec Tunnel Configuration
- Setting the Profile's NAT Configuration
- Setting the Profile's Bridge NAT Configuration
- Setting the Profile's Application Visibility (AVC) Configuration

8.9.1 Setting the Profile's Security Settings

A profile can leverage existing firewall, wireless client role and WIPS policies and apply them to the profile's configuration. This affords each profile a truly unique combination of data protection policies best meeting the data protection requirements of the profile's supported device model.

To define a profile's security settings:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select Settings.
6 Refer to the General field to assign or create the following security policies for the profile:
Figure 8-91 Security - Settings screen

Firewall Policy: Use the drop-down menu to select an existing Firewall Policy to use as an additional security mechanism with this profile. All devices using this profile must meet the requirements of the firewall policy to access the network. A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as mechanisms both blocking and permitting data traffic within the network. If an existing Firewall policy does not meet your requirements, select the Create icon to create a new firewall policy that can be applied to this profile. An existing policy can also be selected and edited as needed using the Edit icon.
Wireless Client Role Policy: Use the drop-down menu to select a client role policy used to strategically filter client connections based on a pre-defined set of filter rules and connection criteria. If an existing Wireless Client Role policy does not meet your requirements, select the Create icon to create a new configuration that can be applied to this profile. An existing policy can also be selected and edited as needed using the Edit icon.
WEP Shared Key Authentication: Select this option to require devices to use a WEP key to access the network using this profile. The controller or service platform uses the key algorithm to convert an ASCII string to the same hexadecimal number. Clients without adapters need to use WEP keys manually configured as hexadecimal numbers. This option is disabled by default.
Client Identity Group: Select the client identity group to apply to this device profile. Client identity is a set of unique fingerprints used to identify a class of devices. A client identity group is a set of client attributes that identify devices and apply specific permissions and restrictions on them. The information is used to configure permissions and access rules for that device class and can assist administrators by applying permissions and rules to multiple devices simultaneously. For information on setting a client identity group configuration that can be selected and applied to a device profile, see Device Fingerprinting on page 10-47.
CMP Policy: Use the drop-down menu to assign a CMP policy to allow a device to communicate with a CMP supported CA server, initiate a certificate request and download the required certificates from the CA server. CMP supports multiple request options for a device communicating with a CMP supported CA server. The device can initiate a request to get the certificates from the server. It can also auto update certificates which are about to expire.

7 Use the Content Filtering Policy drop-down menu to select or override the URL Filter configuration applied to this virtual interface. URL filtering is used to restrict access to specific resources (by category) on the Internet.
8 Select OK to save the changes made within the Settings screen. Select Reset to revert to the last saved configuration.

8.9.2 Setting the Profile's Certificate Revocation List (CRL) Configuration

A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the certificate authority (CA) had improperly issued a certificate, or if a private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key.

To define a CRL configuration that can be applied to a profile:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select Certificate Revocation.

Figure 8-92 Security - Certificate Revocation screen

6 Select the + Add Row button to add a column within the Certificate Revocation List (CRL) Update Interval table to quarantine certificates from use in the network. Additionally, a certificate can be placed on hold for a defined period. If, for instance, a private key was found and nobody had access to it, its status could be reinstated.
  a Provide the name of the trustpoint in question within the Trustpoint Name field. The name cannot exceed 32 characters.
  b Enter the resource ensuring the trustpoint's legitimac within the URL field.
  c Use the spinner control to specify an interval (in hours) after which a device copies a CRL file from an external server and associates it with a trustpoint.
7 Select OK to save the changes made within the Certificate Revocation screen. Select Reset to revert to the last saved configuration.

8.9.3 Setting the Profile's Trustpoint Configuration

A RADIUS certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the certificate and is called a CA certificate.

To define a RADIUS Trustpoint configuration that can be applied to a profile:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select Trustpoints.
6 Set the following RADIUS Security certificate settings:
Figure 8-93 Security - Trustpoint screen

RADIUS Certificate Authority: Either use the default-trustpoint or select an existing certificate.
RADIUS Server Certificate: Either use the default-trustpoint or select an existing certificate/trustpoint.

7 Set the following HTTPS Trustpoints settings:
HTTPS Trustpoint: Either use the default trustpoint or select the Stored radio button to enable a drop-down menu where an existing certificate/trustpoint can be utilized. For more information, see Certificate Management on page 5-12.

8 Select OK to save the changes made within the RADIUS Trustpoints screen. Select Reset to revert to the last saved configuration.

8.9.4 Setting the Profile's VPN Configuration

IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they're protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Tunnels are sets of security associations (SA) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).

Use crypto maps to configure IPSec VPN SAs. Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPsec peer; however, for remote VPN deployments one crypto map is used for all the remote IPsec peers.

Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration.

To define a profile's VPN settings:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select VPN Configuration. The Basic Settings tab displays by default. Refer to the Peer Settings table to add peer addresses and keys for VPN tunnel destinations. Use the + Add Row function as needed to add additional destinations and keys.

Figure 8-94 Profile Security - VPN IKE Policy screen

6 Select either the IKEv1 or IKEv2 radio button to enforce VPN peer key exchanges using either IKEv1 or IKEv2. IKEv2 provides improvements over the original IKEv1 design (improved cryptographic mechanisms, NAT and firewall traversal, attack resistance etc.) and is recommended in most deployments. The appearance of the IKE Policy screens differs depending on the selected IKEv1 or IKEv2 mode.
7 Refer to the following to determine whether an IKE Policy requires creation, modification or removal:
Name: Displays the 32 character maximum name assigned to the IKE policy.
DPD Keep Alive: Lists each policy's IKE keep alive message interval defined for IKE VPN tunnel dead peer detection.
IKE LifeTime: Displays each policy's lifetime for an IKE SA. The lifetime defines how long a connection (encryption/authentication keys) should last, from successful key negotiation to expiration. Two peers need not exactly agree on the lifetime, though if they do not, there is some clutter for a superseded connection on the peer defining the lifetime as longer.
DPD Retries: Lists each policy's maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead by the peer. This screen only appears when IKEv1 is selected.

8 Select Add to define a new IKE Policy configuration, Edit to modify an existing configuration or Delete to remove an existing configuration.

Figure 8-95 Profile Security - IKE Policy - Add/Edit screen

Name: If creating a new IKE policy, assign it a 32 character maximum name to help differentiate this IKE configuration from others with similar parameters.
DPD Keep Alive: Configure the IKE keep alive message interval used for dead peer detection on the remote end of the IPSec VPN tunnel. Set this value in either Seconds (10 - 3,600), Minutes (1 - 60) or Hours (1). The default setting is 30 seconds. This setting is required for both IKEv1 and IKEv2.
Mode: If using IKEv1, use the drop-down menu to define the IKE mode as either Main or Aggressive. IPSEC has two modes in IKEv1 for key exchanges. Aggressive mode requires 3 messages to be exchanged between the IPSEC peers to set up the SA; Main requires 6 messages. The default setting is Main.
DPD Retries: Use the spinner control to set the maximum number of keep alive messages sent before a VPN tunnel connection is defined as dead. The available range is from 1 - 100. The default setting is 5.
IKE LifeTime: Set the lifetime defining how long a connection (encryption/authentication keys) should last from successful key negotiation to expiration. Set this value in either Seconds (600 - 86,400), Minutes (10 - 1,440), Hours (1 - 24) or Days (1). This setting is required for both IKEv1 and IKEv2.

9 Select + Add Row to define the network address of a target peer and its security settings.

Name: If creating a new IKE policy, assign the target peer (tunnel destination) a 32 character maximum name to distinguish it from others with a similar configuration.
DH Group: Use the drop-down menu to define a Diffie-Hellman (DH) identifier used by the VPN peers to derive a shared secret password without having to transmit it. DH groups determine the strength of the key used in key exchanges. The higher the group number, the stronger and more secure the key. Options include 2, 5 and 14. The default setting is 5.
Encryption: Select an encryption method used by the tunnelled peers to securely interoperate. Options include 3DES, AES, AES-192 and AES-256. The default setting is AES-256.
Authentication: Select an authentication hash algorithm used by the peers to exchange credential information. Options include SHA, SHA256, AES-XCBC-HMAC-128 and MD5. The default setting is SHA.

10 Select OK to save the changes made within the IKE Policy screen. Select Reset to revert to the last saved configuration. Select the Delete Row icon as needed to remove a peer configuration.
11 Select the Peer Configuration tab to assign additional network address and IKE settings to an intended VPN tunnel peer destination.

Figure 8-96 Profile Security - VPN Peer Destination screen (IKEv1 example)

12 Select either the IKEv1 or IKEv2 radio button to enforce VPN key exchanges using either IKEv1 or IKEv2.
13 Refer to the following to determine whether a new VPN Peer Configuration requires creation, an existing configuration requires modification or a configuration requires removal.

Name: Lists the 32 character maximum name assigned to each listed peer configuration upon creation.
IP/Hostname: Displays the IP address (or host address FQDN) of the IPSec VPN peer targeted for secure tunnel connection and data transfer.
Authentication Type: Lists whether the peer configuration has been defined to use pre-shared key (PSK) or RSA. Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It's the first algorithm known to be suitable for both signing and encryption. If using IKEv2, this screen displays both local and remote authentication, as both ends of the VPN connection require authentication.
LocalID: Lists the local identifier used within this peer configuration for an IKE exchange with the target VPN IPSec peer.
RemoteID: Displays the means by which the target remote peer is identified (string, FQDN etc.) within the VPN tunnel.
IKE Policy Name: Lists the IKEv1 or IKEv2 policy used with each listed peer configuration. If a policy requires creation, select the Create button.
14 Select Add to define a new peer configuration, Edit to modify an existing configuration or Delete to remove an existing peer configuration. The parameters that can be defined for the peer configuration vary depending on whether IKEv1 or IKEv2 was selected.

Figure 8-97 Profile Security - VPN IKE Policy - Add IKE Peer screen

Name: If creating a new peer configuration (remote gateway) for VPN tunnel connection, assign it a 32 character maximum name to distinguish it from others with similar attributes.
IP Type or Select IP/Hostname: Enter either the IP address or FQDN hostname of the IPSec VPN peer used in the tunnel setup. If IKEv1 is used, this value is titled IP Type; if IKEv2 is used, this parameter is titled Select IP/Hostname. A hostname cannot exceed 64 characters.
Authentication Type: Select either pre-shared key (PSK) or RSA. Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It's the first algorithm known to be suitable for signing and encryption. If using IKEv2, this screen displays both local and remote authentication options, as both ends of the VPN connection require authentication. RSA is the default value for both local and remote authentication (regardless of IKEv1 or IKEv2).
Authentication Value: Define the authentication string (shared secret) shared by both ends of the VPN tunnel connection. The string must be between 8 - 21 characters long. If using IKEv2, both a local and remote string must be specified for handshake validation at both ends (local and remote) of the VPN connection.
Local Identity: Select the local identifier used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Options include IP Address, Distinguished Name, FQDN, email and string. The default setting is string.
Remote Identity: Select the remote identifier used with this peer configuration for an IKE exchange with the target VPN IPSec peer. Options include IP Address, Distinguished Name, FQDN, email and string. The default setting is string.
IKE Policy Name: Select the IKEv1 or IKEv2 policy name (and settings) to apply to this peer configuration. If a policy requires creation, select the Create icon.

15 Select OK to save the changes made within the peer configuration screen. Select Reset to revert to the last saved configuration.
16 Select the Transform Set tab. Create or modify Transform Set configurations to specify how traffic is protected.
17 Review the following attributes of existing Transform Set configurations:
Figure 8-98 Profile Security - VPN Transform Set screen

Name: Lists the 32 character maximum name assigned to each listed transform set upon creation. Again, a transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic.
Authentication Algorithm: Lists each transform set's authentication scheme used to validate identity credentials. The authentication scheme is either HMAC-SHA or HMAC-MD5.
Encryption Algorithm: Displays each transform set's encryption method for protecting transmitted traffic.
Mode: Displays either Tunnel or Transport as the IPSec tunnel type used with the transform set. Tunnel is used for site-to-site VPN and Transport should be used for remote VPN deployments.

18 Select Add to define a new transform set configuration, Edit to modify an existing configuration or Delete to remove an existing transform set.
19 Define the following settings for the new or modified transform set configuration:
Figure 8-99 Profile Security - VPN Transform Set create/modify screen

Name: If creating a new transform set, define a 32 character maximum name to differentiate this configuration from others with similar attributes.
Authentication Algorithm: Set the transform set's authentication scheme used to validate identity credentials. Use the drop-down menu to select either HMAC-SHA or HMAC-MD5. The default setting is HMAC-SHA.
Encryption Algorithm: Set the transform set encryption method for protecting transmitted traffic. Options include DES, 3DES, AES, AES-192 and AES-256. The default setting is AES-256.
Mode: Use the drop-down menu to select either Tunnel or Transport as the IPSec tunnel type used with the transform set. Tunnel is used for site-to-site VPN and Transport should be used for remote VPN deployments.

20 Select OK to save the changes made within the Transform Set screen. Select Reset to revert to the last saved configuration.
21 Select the Crypto Map tab. Use crypto maps (as applied to IPSec VPN) to combine the elements used to create IPSec SAs (including transform sets).
22 Review the following Crypto Map configuration parameters to assess their relevance:
Figure 8-100 Profile Security - VPN Crypto Map screen

Name: Lists the 32 character maximum name assigned for each crypto map upon creation. This name cannot be modified as part of the edit process.
IP Firewall Rules: Lists the IP firewall rules defined for each displayed crypto map configuration. Each firewall policy contains a unique set of access/deny permissions applied to the VPN tunnel and its peer connection.
IPSec Transform Set: Displays the transform set (encryption and hash algorithms) applied to each listed crypto map configuration. Thus, each crypto map can be customized with its own data protection and peer authentication schemes.

23 If requiring a new crypto map configuration, select the Add button. If updating the configuration of an existing crypto map, select it from amongst those available and select the Edit button.
24 If adding a new crypto map, assign it a name up to 32 characters in length as a unique identifier. Select the Continue button to proceed to the VPN Crypto Map screen.
25 Review the following before determining whether to add or modify a crypto map configuration.

Figure 8-101 Profile Security - VPN Crypto Map Add / Edit screen

Sequence: Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map provides the flexibility to connect to multiple peers from the same interface, based on the sequence number (from 1 - 1,000).
IP Firewall Rules: Lists the IP firewall rules defined for each displayed crypto map configuration. Each firewall policy contains a unique set of access/deny permissions applied to the VPN tunnel and its peer connection.
IPSec Transform Set: Displays the transform set (encryption and hash algorithms) applied to each listed crypto map configuration. Thus, each crypto map can be customized with its own data protection and peer authentication schemes.

26 If requiring a new crypto map configuration, select the Add button. If updating the configuration of an existing crypto map, select it from amongst those available and select the Edit button.
27 Define the following Settings to set the crypto map configuration:
Figure 8-102 Profile Security - VPN Crypto Map Entry screen Sequence Type IP Firewall Rules IPSec Transform Set Mode Local End Point Each crypto map configuration uses a list of entries based on a sequence number. Specifying multiple sequence numbers within the same crypto map extends connection flexibility to multiple peers on the same interface, based on this selected sequence number (from 1 -
1,000). Define the site-to-site-manual, site-to-site-auto or remote VPN configuration defined for each listed crypto map configuration. Use the drop-down menu to select the ACL used to protect IPSec VPN traffic. New access/deny rules can be defined for the crypto map by selecting the Create icon, or an existing set of firewall rules can be modified by selecting the Edit icon. Select the transform set (encryption and hash algorithms) to apply to this crypto map configuration. Use the drop-down menu to define which mode (pull or push) is used to assign a virtual IP. This setting is relevant for IKEv1 only, since IKEv2 always uses the configuration payload in pull mode. The default setting is push. Select this radio button to define an IP address as a local tunnel end point address. This setting represents an alternative to an interface IP address. Wireless Controller and Service Platform System Reference Guide 8 - 178 Profile Configuration Perfect Forward Secrecy (PFS) Lifetime (kB) Lifetime (seconds) Protocol Remote VPN Type Manual Peer IP Time Out PFS is key-establishment protocol, used to secure VPN communications. If one encryption key is compromised, only data encrypted by that specific key is compromised. For PFS to exist, the key used to protect data transmissions must not be used to derive any additional keys. Options include None, 2, 5 and 14. The default setting is None. Select this option to define a connection volume lifetime (in kilobytes) for the duration of an IPSec VPN security association. Once the set volume is exceeded, the association is timed out. Use the spinner control to set the volume from 500 - 2,147,483,646 kilobytes. Select this option to define a lifetime (in seconds) for the duration of an IPSec VPN security association. Once the set value is exceeded, the association is timed out. The available range is from 120 - 86,400 seconds. The default setting is 120 seconds. Select the security protocol used with the VPN IPSec tunnel connection. 
SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH. The default setting is ESP. Define the remote VPN type as either None or XAuth. XAuth (extended authentication) provides additional authentication validation by permitting an edge device to request extended authentication information from an IPSec host. This forces the host to respond with additional authentication credentials. The edge device responds with a failed or passed message. The default setting is XAuth. Select this option to define the IP address of an additional encryption/
decryption peer. Set an IPSec security association (SA) timeout in either Seconds
(120 - 86,400), Minutes (2 - 1,440), Hours (1 - 24) or Days (1). The default setting is 15 minutes. Enable NAT after IPSec Enable this setting to utilize IP/Port NAT on the VPN tunnel. This setting is disabled by default. 28 Select OK to save the updates made to the Crypto Map Entry screen. Selecting Reset reverts the screen to its last saved setting. 29 Select Remote VPN Server. Use this screen to define the server resources used to secure (authenticate) a remote VPN connection with a target peer. Wireless Controller and Service Platform System Reference Guide 8 - 179 Profile Configuration Figure 8-103 Profile Security - Remote VPN Server screen (IKEv1 example) 30 Select either the IKEv1 or IKEv2 radio button to enforce peer key exchanges over the remote VPN server using either IKEv1 or IKEv2. IKEv2 provides improvements from the original IKEv1 design (improved cryptographic mechanisms, NAT and firewall traversal, attack resistance etc.) and is recommended in most deployments. The appearance of the screen differs depending on the selected IKEv1 or IKEv2 mode. 31 Set the following IKEv1 or IKEv2 Settings:
Authentication Method: Use the drop-down menu to specify the authentication method used to validate the credentials of the remote VPN client. Options include Local (the on-board RADIUS resource, if supported) and RADIUS (a designated external RADIUS resource). If selecting Local, select the + Add Row button and specify a User Name and Password for authenticating remote VPN client connections against the local RADIUS resource. The default setting is Local. The AP6521 model Access Point does not have a local RADIUS resource and must use an external RADIUS server.
AAA Policy: Select the AAA policy used with the remote VPN client. AAA policies define RADIUS authentication and accounting parameters. The Access Point can optionally use AAA server resources (when RADIUS is the authentication method) to provide the user database and authentication data.
32 Refer to the Username Password Settings field and specify the local user database user name and password credentials required for user validation when authentication is conducted locally.
33 Refer to the WINS Server Settings field and specify the primary and secondary WINS servers provided to remote VPN clients.
34 Refer to the Name Server Settings field and specify the primary and secondary DNS name servers provided to remote VPN clients.
35 Select the IP Local Pool option to define an IP address and mask for a virtual IP pool used to assign IP addresses to remote VPN clients.
36 If using IKEv2, specify these additional DHCP settings (required for IKEv2 only):
DHCP Server Type: Specify whether the DHCP server is identified by IP address, by Hostname (FQDN), or None (a different classification will be defined). Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses and to discover information about the network where they reside.
DHCP Server: Depending on the DHCP server type selected, enter either the numerical IP address, the hostname, or another identifier (if None is selected as the server type). A hostname cannot exceed 64 characters.
IP Local Pool: Define an IP address and mask for a virtual IP pool used to assign IP addresses to requesting remote VPN clients.
Relay Agent IP Address: Select this option to define a DHCP relay agent IP address. A DHCP relay exchanges messages between a DHCP server and a client that are not on the same link; the client and relay agent share a link. When a DHCP request is received from the client, the relay agent creates a relay-forward message and sends it to the specified server address. If no address is specified, the relay agent forwards the message to the DHCP server relay multicast address. The server creates a relay-reply and sends it back to the relay agent, which returns the response to the client.
37 Select OK to save the updates made to the Remote VPN Server screen. Selecting Reset reverts the screen to its last saved configuration.
38 Select the Remote VPN Client tab.
39 Set the following Remote VPN Client configuration settings:
Figure 8-104 Profile Security - Remote VPN Client screen
Shutdown: Select this option to shut down the remote VPN client.
Transform Set: Select the transform set configuration to apply to remote client VPN connections. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected client traffic.
40 Refer to the Peer List to select IKEv2 peer configurations and assign them priorities for use with remote VPN client connections. IKEv2 uses an initial handshake in which the VPN peers negotiate cryptographic algorithms, mutually authenticate, and establish a session key, creating an IKE SA. A first IPSec SA is established during the same initial exchange. All IKEv2 messages are request/response pairs; the side sending a request is responsible for retransmitting it if no timely response is received.
41 Set the following DHCP Peer Authentication settings:
Auth Type: Use the drop-down menu to specify the DHCP peer authentication type. Options include PSK and rsa. The default setting is rsa.
Key: Provide an 8 - 21 character shared key (password) for DHCP peer authentication when PSK is selected.
42 Set the following DHCP Peer Localid settings:
Type: Select the DHCP peer local ID type. Options include string and autogen-uniqueid. The default setting is string.
Value: Set the DHCP peer local ID. The ID cannot exceed 128 characters.
43 Select OK to save the updates made to the Remote VPN Client screen. Selecting Reset reverts the screen to its last saved configuration.
44 Select the Global Settings tab. The Global Settings screen provides options for Dead Peer Detection (DPD). DPD defines the actions taken when a dead peer is detected on an IPSec VPN tunnel connection.
45 Define the following IPSec Global settings:
Figure 8-105 Profile Security - Global VPN Settings screen
DF Bit: Select the DF (don't fragment) bit handling technique used for the ESP encapsulating header. Options include Clear, Set and Copy. The default setting is Copy.
IPsec Lifetime (kB): Set a volume lifetime (in kilobytes) for an IPSec VPN security association. Once the set volume is exceeded, the association expires. Use the spinner control to set the volume from 500 - 2,147,483,646 kilobytes. The default setting is 4,608,000 kilobytes.
IPsec Lifetime (seconds): Set a time lifetime for an IPSec VPN security association. Once the set value is exceeded, the association expires. The available range is Seconds (120 - 86,400), Minutes (2 - 1,440), Hours (1 - 24) or Days (1). The default setting is 3,600 seconds.
Plain Text Deny: Select global or interface to set the scope at which clear-text packets matching an IPSec ACL are denied. The default setting is global, which applies the check beyond a single interface.
Enable IKE UniqueIds: Select this option to initiate a unique ID check. This setting is disabled by default.
46 Set the following IKEv1 Settings:
DPD KeepAlive: Define the interval (or frequency) for IKE keep alive messages used for dead peer detection. Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is 30 seconds.
DPD Retries: Use the spinner control to define the number of unanswered keep alive messages sent to an IPSec VPN peer before the tunnel connection is declared dead. The available range is 1 - 100. The default number of messages is 5.
NAT KeepAlive: Define the interval (or frequency) for NAT traversal (NAT-T) keep alive messages. These are separate from dead peer detection: they keep the UDP port 4500 mapping open on an intermediate NAT device while the tunnel is otherwise idle. Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is 20 seconds.
47 Set the following IKEv2 Settings:
DPD KeepAlive: Define the interval (or frequency) for IKE keep alive messages used for dead peer detection. Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is 30 seconds.
DPD Retries: Use the spinner control to define the number of unanswered keep alive messages sent to an IPSec VPN peer before the tunnel connection is declared dead. The available range is 1 - 100. The default number of messages is 5.
NAT KeepAlive: Define the interval (or frequency) for NAT-T keep alive messages, as for IKEv1. Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is 20 seconds.
Cookie Challenge Threshold: Use the spinner control to define the number of half-open IKE security associations (1 - 100) above which the responder switches to the IKEv2 cookie challenge mechanism. Once the threshold is exceeded, an IKE_SA_INIT that does not carry a valid cookie is answered with a stateless cookie notification instead of allocating SA state, which limits the effect of SA exhaustion floods from spoofed source addresses. This setting applies exclusively to IKEv2. The default setting is 5.
Crypto NAT Pool: Select the NAT pool used for internal source NAT on IPSec tunnels. NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing IP address.
48 Select OK to save the updates made to the screen. Selecting Reset reverts the screen to its last saved configuration.
8.9.5 Setting the Profile's Auto IPSec Tunnel Configuration
Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service platforms and their associated Access Points. Administrators define which packets are sent within the tunnel and how they are protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through it to the remote peer or associated Access Point. Tunnels are sets of security associations (SAs) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by the tunnelled peers. SAs are unidirectional and exist in both the inbound and outbound direction.
SAs are established per the rules and conditions of the defined security protocol (AH or ESP).
Internet Key Exchange (IKE) is the standard key management protocol used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility and configuration simplicity. For auto IPSec tunneling, IKE enables secure communication without time-consuming manual pre-configuration of keys.
To define an Auto IPSec Tunnel configuration that can be applied to a profile:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select Auto IPSec Tunnel.
6 The Auto IPSec Tunnel screen displays by default. Refer to the Settings field to set an Auto IPSec Tunnel configuration for use with this profile.
Figure 8-106 Security Auto IPSec Tunnel screen
Group ID: Define a 1 - 64 character group identifier for the IKE exchange between auto IPSec tunnel secure peers.
Authentication Type: Use the drop-down menu to select either RSA or PSK (Pre Shared Key) as the authentication type for secure peer authentication on the auto IPSec tunnel. RSA (Rivest, Shamir and Adleman) is a public key algorithm and was the first known to be suitable for signing as well as encryption. The default setting is RSA.
Authentication Key: Enter the 8 - 21 character shared key (password) used for auto IPSec tunnel peer authentication when PSK is selected. With a key this short, use the full length and random characters; a guessable PSK undermines the whole tunnel.
IKE Version: Use the drop-down menu to select the IKE version used for auto IPSec tunnel authentication with the IPSec gateway.
Enable NAT after IPSec: Select this option to enable internal source port NAT on the auto IPSec secure tunnel.
Use Unique ID: Select this option to use a unique ID in auto IPSec authentication with the IPSec remote gateway (the MiNT ID is appended). This setting is disabled by default.
Re-Authentication: Select this option to re-authenticate the peer on an IKE rekey. This setting is enabled by default.
IKE Lifetime: Set a lifetime in either Seconds (600 - 86,400), Minutes (10 - 1,440), Hours (1 - 24) or Days (1) for the IKE security association. The default is 8600 seconds.
7 Select OK to save the changes made to the auto IPSec tunnel configuration. Select Reset to revert to the last saved configuration.
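The IKEv2 cookie challenge behind the Cookie Challenge Threshold setting in the Global Settings screen above, shown as an added example in Python. This is not WiNG code and does not claim to be the controller's implementation; the Responder, IkeSaInit and spoofed_flood names and the HMAC-SHA256 cookie layout are this example's own, following the cookie construction in RFC 7296 section 2.6. It shows why the threshold bounds the damage of an SA exhaustion flood: the responder stores nothing for a challenged IKE_SA_INIT, because the cookie can be recomputed from the initiator's own message.

```python
"""IKEv2 half-open SA accounting with a stateless cookie challenge.

Added example, not WiNG code. While the number of half-open IKE SAs is at or
below the threshold the responder allocates state for every IKE_SA_INIT; once
the count exceeds it, a bare IKE_SA_INIT is answered with a COOKIE notification
and no state, and only an initiator that retries with the cookie gets an SA.
Class, method and field names are this example's own.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class IkeSaInit:
    src_ip: str
    spi_i: bytes                     # initiator SPI (8 bytes)
    nonce_i: bytes                   # Ni
    cookie: Optional[bytes] = None   # N(COOKIE) echoed back from an earlier reply


@dataclass
class Responder:
    threshold: int = 5               # manual default for Cookie Challenge Threshold
    secret: bytes = field(default_factory=lambda: os.urandom(32))
    version: int = 0                 # <VersionIDofSecret>; changes when the secret rotates
    half_open: Dict[bytes, str] = field(default_factory=dict)   # SPIi -> peer address

    def _cookie(self, msg: IkeSaInit) -> bytes:
        # Cookie = <VersionIDofSecret> | Hash(Ni | IPi | SPIi | <secret>): reproducible
        # from the initiator's own message, so nothing needs to be stored to verify it.
        mac = hmac.new(self.secret, msg.nonce_i + msg.src_ip.encode() + msg.spi_i,
                       hashlib.sha256).digest()
        return bytes([self.version]) + mac[:16]

    def challenge_active(self) -> bool:
        return len(self.half_open) > self.threshold

    def handle_init(self, msg: IkeSaInit) -> Tuple[str, Optional[bytes]]:
        """Process IKE_SA_INIT; returns (reply type, cookie to echo if challenged)."""
        if self.challenge_active():
            if msg.cookie is None:
                return "COOKIE", self._cookie(msg)          # stateless reply
            if not hmac.compare_digest(msg.cookie, self._cookie(msg)):
                return "DROP", None                          # forged or stale cookie
        self.half_open[msg.spi_i] = msg.src_ip               # state allocated here only
        return "IKE_SA_INIT", None

    def auth_completed(self, spi_i: bytes) -> None:
        """IKE_AUTH succeeded (or the SA timed out): no longer half-open."""
        self.half_open.pop(spi_i, None)

    def rotate_secret(self) -> None:
        """Periodic rotation invalidates cookies minted under the old secret."""
        self.secret = os.urandom(32)
        self.version = (self.version + 1) % 256


def spoofed_flood(responder: Responder, count: int) -> int:
    """Constructed attacker: IKE_SA_INITs from forged sources that never answer.
    Returns how many of them obtained responder state."""
    allocated = 0
    for i in range(count):
        msg = IkeSaInit(f"198.51.100.{i % 254 + 1}", os.urandom(8), os.urandom(32))
        if responder.handle_init(msg)[0] == "IKE_SA_INIT":
            allocated += 1
    return allocated
```

With the default threshold of 5, a flood of any size leaves at most six half-open SAs on the responder, while a legitimate initiator behind the flood pays one extra round trip (the COOKIE reply) and then proceeds normally. A cookie is only valid for the exact source address, SPI and nonce it was minted for, and rotating the secret invalidates all outstanding cookies at once.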
8.9.6 Setting the Profile's NAT Configuration
Network Address Translation (NAT) modifies network address information in IP packet headers while they transit a routing device, remapping one IP address to another. In most deployments NAT is used in conjunction with IP masquerading, which hides RFC 1918 private IP addresses behind a single public IP address.
NAT can provide a profile with outbound Internet access for wired and wireless hosts connected to either an Access Point or a wireless controller. Many-to-one NAT is the most common NAT technique for outbound Internet access. It allows an Access Point or wireless controller to translate one or more internal private IP addresses to a single, public facing IP address assigned to a 10/100/1000 Ethernet port or 3G card.
To define a NAT configuration that can be applied to a profile:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select NAT.
Figure 8-107 Security NAT screen - NAT Pool tab
The NAT Pool tab displays by default. The NAT Pool screen lists the NAT policies created thus far. Any of these policies can be selected and applied to a profile.
6 Select Add to create a new NAT policy that can be applied to a profile. Select Edit to modify the attributes of an existing policy, or select Delete to remove obsolete NAT policies from the list of those available to a profile.
Figure 8-108 Security NAT Pool screen
7 If adding a new NAT policy or editing the configuration of an existing policy, define the following parameters:
Name: If adding a new NAT policy, provide a name to help distinguish it from others with similar configurations. The length cannot exceed 64 characters.
IP Address Range: Define a range of IP addresses hidden from the public Internet. NAT modifies the network address information of packets in the defined range while they transit the routing device. NAT only provides address translation; it is not a firewall. A branch deployment with NAT alone will not block traffic from being routed through the NAT device, so NAT should always be deployed together with a stateful firewall.
8 Select the + Add Row button as needed to append additional rows to the IP Address Range table.
9 Select OK to save the changes made to the profile's NAT Pool configuration. Select Reset to revert to the last saved configuration.
10 Select the Static NAT tab. The Source tab displays by default and lists existing static NAT configurations. Existing static NAT configurations are not editable, but new configurations can be added and existing ones deleted as they become obsolete. Static NAT creates a permanent, one-to-one mapping between an address on an internal network and an address on a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map its actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces, making casual access by unauthorized users more difficult. Static NAT requires a dedicated address on the outside network for each host.
Figure 8-109 Static NAT screen
11 Select + Add Row to create a new static NAT configuration. Existing NAT source configurations are not editable.
12 Set or override the following Source configuration parameters:
Source IP: Enter the local (inside) address at the origin of the static NAT configuration. Once translated, this address is not exposed to the outside world; the translation address is used to interact with the remote destination.
NAT IP: Enter the address the matching packet is rewritten to. Whether the source or destination address is modified depends on the direction specified.
Network: Select Inside or Outside NAT as the network direction. Inside creates a permanent, one-to-one mapping between an address on the internal network and an address on a perimeter or external network. To share a Web server on a perimeter interface with the Internet, use static address translation to map its actual address to a registered IP address. Static address translation hides the actual address of the server from users on insecure interfaces, making casual access by unauthorized users more difficult. Static NAT requires a dedicated address on the outside network for each host. Inside is the default setting.
13 Select the Destination tab to view destination NAT configurations, which ensure packets passing back through the NAT to the managed LAN are matched against the records kept by the NAT engine. The destination IP address is changed back to the specific internal private IP address so the packet reaches the LAN host.
14 Select Add to create a new NAT destination configuration. Existing NAT destination configurations are not editable.
Figure 8-110 NAT Destination screen
15 Set the following Destination configuration parameters:
Figure 8-111 NAT Destination Add screen
Protocol: Select the protocol for the static translation: TCP, UDP or Any. TCP is a transport layer protocol used by applications requiring guaranteed delivery; it is a sliding window protocol handling both timeouts and retransmissions, and establishes a full duplex virtual connection between two endpoints, each defined by an IP address and TCP port number. UDP offers only a minimal transport service with non-guaranteed datagram delivery, giving applications direct access to the datagram service of the IP layer; it is used by applications that do not need TCP's level of service or that use communication services (multicast or broadcast delivery) not available from TCP. The default setting is Any.
Destination IP: Enter the local address at the (source) end of the static NAT configuration. Once translated, this address is not exposed to the outside world; the translation address is used to interact with the remote destination.
Destination Port: Use the spinner control to set the local port at the (source) end of the static NAT configuration. The default port is 1.
NAT IP: Enter the address the matching packet is rewritten to. Whether the source or destination address is modified depends on the direction specified.
NAT Port: Set the port number the matching packet is rewritten to. This option is valid only if the direction specified is destination.
Network: Select Inside or Outside NAT as the network direction. Inside is the default setting.
16 Select OK to save the changes made to the static NAT configuration. Select Reset to revert to the last saved configuration.
17 Select the Dynamic NAT tab. Dynamic NAT translates the IP address of packets from one interface to another interface based on configured conditions.
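The three NAT forms this section configures, as an added worked example in Python rather than anything from the WiNG code base: static one-to-one NAT (Static NAT, Source tab), destination NAT with a port (Static NAT, Destination tab), and dynamic overload NAT selected by ACL precedence with the three overload types (Dynamic NAT tab, which follows). The Packet, AclRule, DynamicNat and NatEngine names, the 1024-based port allocation and the sample addresses are this example's own; the overload types, the 1 - 5000 precedence range and "lower value wins" are from the manual. It also shows the point made under IP Address Range: a NAT table only admits return traffic for mappings that exist, which is not the same as a firewall policy.

```python
"""Toy NAT engine: static one-to-one NAT, destination (port-forward) NAT and
dynamic many-to-one (overload) NAT chosen by ACL precedence.

Added example, not WiNG code. Names, the port allocator and the sample
topology in build_sample_engine() are this example's own.
"""
import ipaddress
from dataclasses import dataclass, field
from itertools import cycle
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class AclRule:
    permit: bool
    src_net: str                 # CIDR, e.g. "10.0.0.0/24"
    dst_net: str = "0.0.0.0/0"


def acl_permits(rules: List[AclRule], pkt: Packet) -> bool:
    """First matching rule decides; no match is an implicit deny (packet is not NATed)."""
    src, dst = ipaddress.ip_address(pkt.src_ip), ipaddress.ip_address(pkt.dst_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule.src_net) and dst in ipaddress.ip_network(rule.dst_net):
            return rule.permit
    return False


@dataclass
class DynamicNat:
    acl: List[AclRule]
    precedence: int              # 1 - 5000, lower value = higher priority
    overload_type: str           # "nat-pool", "one-global-address" or "interface-ip"
    pool: List[str] = field(default_factory=list)   # addresses for "nat-pool"
    global_ip: Optional[str] = None                 # address for "one-global-address"


class NatEngine:
    def __init__(self, interface_ip: str, static: Dict[str, str],
                 dest_static: Dict[Tuple[str, str, int], Tuple[str, int]],
                 dynamic: List[DynamicNat]) -> None:
        self.interface_ip = interface_ip
        self.static = static                              # inside ip -> outside ip
        self.static_rev = {v: k for k, v in static.items()}
        self.dest_static = dest_static                    # (proto, nat ip, nat port) -> (inside ip, port)
        self.dynamic = sorted(dynamic, key=lambda d: d.precedence)
        self._pool_iters = [cycle(d.pool) if d.pool else None for d in self.dynamic]
        # Overload translation table: (proto, outside ip, outside port) -> (inside ip, inside port)
        self.sessions: Dict[Tuple[str, str, int], Tuple[str, int]] = {}
        self._next_port = 1024

    def _outside_ip(self, idx: int, rule: DynamicNat) -> str:
        if rule.overload_type == "nat-pool":
            return next(self._pool_iters[idx])            # round-robin over the pool
        if rule.overload_type == "one-global-address":
            return rule.global_ip
        return self.interface_ip                          # "Interface IP Address" (the default)

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Inside -> outside. Returns the translated packet, or None if nothing applies."""
        if pkt.src_ip in self.static:                     # one-to-one: address swapped, port kept
            return Packet(pkt.proto, self.static[pkt.src_ip], pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for idx, rule in enumerate(self.dynamic):         # ascending precedence: first permit wins
            if acl_permits(rule.acl, pkt):
                out_ip, out_port = self._outside_ip(idx, rule), self._next_port
                self._next_port += 1
                self.sessions[(pkt.proto, out_ip, out_port)] = (pkt.src_ip, pkt.src_port)
                return Packet(pkt.proto, out_ip, out_port, pkt.dst_ip, pkt.dst_port)
        return None

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside. Only static mappings and existing sessions are reachable."""
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if key in self.dest_static:
            in_ip, in_port = self.dest_static[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
        if pkt.dst_ip in self.static_rev:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.static_rev[pkt.dst_ip], pkt.dst_port)
        if key in self.sessions:
            in_ip, in_port = self.sessions[key]
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, in_ip, in_port)
        return None                                       # unsolicited: no mapping, dropped


def build_sample_engine() -> NatEngine:
    """Constructed sample topology (documentation address ranges, not real hosts)."""
    corp = DynamicNat(acl=[AclRule(False, "10.0.0.0/24", "10.0.0.0/8"),   # site-to-site: leave alone
                           AclRule(True, "10.0.0.0/24")],
                      precedence=10, overload_type="interface-ip")
    guest = DynamicNat(acl=[AclRule(True, "192.168.20.0/24")],
                       precedence=20, overload_type="one-global-address", global_ip="203.0.113.20")
    legacy = DynamicNat(acl=[AclRule(False, "10.0.0.0/16", "10.0.0.0/8"),
                             AclRule(True, "10.0.0.0/16")],
                        precedence=500, overload_type="nat-pool", pool=["203.0.113.100", "203.0.113.101"])
    return NatEngine(interface_ip="203.0.113.1",
                     static={"10.0.0.80": "203.0.113.80"},
                     dest_static={("tcp", "203.0.113.1", 8443): ("10.0.0.90", 443)},
                     dynamic=[legacy, guest, corp])       # deliberately unsorted
```

A host in 10.0.0.0/24 matches both the precedence-10 and the precedence-500 entry; the lower value wins, so it leaves via the interface address rather than the pool. Traffic that only a deny rule matches (here, site-to-site traffic into 10.0.0.0/8) is forwarded untranslated, and an inbound packet that hits neither a static mapping nor a live session gets no translation at all.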
Dynamic NAT requires packets to be switched through the NAT router to generate translations in the translation table.
18 Refer to the following to determine whether a new Dynamic NAT configuration requires creation, editing or deletion:
Figure 8-112 Dynamic NAT screen
Source List ACL: Lists the ACL name defining the packet selection criteria for the NAT configuration. NAT is applied only to packets matching a permit rule in the access list. These addresses (once translated) are not exposed to the outside world; the translation address is used to interact with the remote destination.
Network: Displays Inside or Outside NAT as the network direction for the dynamic NAT configuration.
Interface: Lists the VLAN (1 - 4094) used as the communication medium between the source and destination points within the NAT configuration.
Overload Type: Lists the Overload Type used with the listed IP ACL rule. Options include NAT Pool, One Global Address and Interface IP Address. Interface IP Address is the default setting.
NAT Pool: Displays the name of the existing NAT pool used with the dynamic NAT configuration.
Overload IP: Enables the use of one global address for numerous local addresses.
ACL Precedence: Lists the administrator assigned priority for the listed source list ACL. The lower the value, the higher the priority of these ACL rules.
19 Select Add to create a new Dynamic NAT configuration, Edit to modify an existing configuration or Delete to permanently remove a configuration.
20 Set the following to define the Dynamic NAT configuration:
Figure 8-113 Source ACL List screen
Source List ACL: Use the drop-down menu to select the ACL name defining the packet selection criteria for NAT. NAT is applied only to packets matching a permit rule in the access list. These addresses (once translated) are not exposed to the outside world; the translation address is used to interact with the remote destination.
Network: Select Inside or Outside NAT as the network direction for the dynamic NAT configuration. Inside is the default setting.
ACL Precedence: Set the priority (1 - 5000) for the source list ACL. The lower the value, the higher the priority of these ACL rules.
Interface: Use the drop-down menu to select the VLAN (1 - 4094) used as the communication medium between the source and destination points within the NAT configuration. Ensure the selected VLAN carries the traffic the NAT configuration is intended for. VLAN1 is available by default.
Overload Type: Select the Overload Type used with the listed IP ACL rule. Options include NAT Pool, One Global Address and Interface IP Address. Interface IP Address is the default setting.
NAT Pool: Provide the name of an existing NAT pool for use with the dynamic NAT configuration.
Overload IP: Enables the use of one global address for numerous local addresses.
21 Select OK to save the changes made to the dynamic NAT configuration. Select Reset to revert to the last saved configuration.
8.9.7 Setting the Profile's Bridge NAT Configuration
Use Bridge NAT to manage Internet traffic originating at a remote site. In addition to traditional NAT functionality, Bridge NAT provides a means of configuring NAT for bridged traffic through an Access Point.
NAT rules are applied to bridged traffic through the Access Point, and matching packets are NATed to the WAN link instead of being bridged on their way to the router.
Using Bridge NAT, a tunneled VLAN (extended VLAN) is created between the NOC and a remote location. Without it, a remote client's Internet traffic is carried to the NOC and routed to the Internet from there, which increases latency for the end user. Bridge NAT identifies and segregates traffic heading towards the NOC from traffic heading towards the Internet: traffic towards the NOC is allowed over the secure tunnel, while traffic towards the Internet is switched to a local WAN link with Internet access.
To define a Bridge NAT configuration that can be applied to a profile:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select Bridge NAT.
Figure 8-114 Security Bridge NAT screen
6 Review the following Bridge NAT configurations to determine whether a new Bridge NAT configuration requires creation or an existing configuration should be modified or removed:
Access List: Lists the ACL applying IP address access/deny permission rules to the Bridge NAT configuration.
Interface: Lists the communication medium (outgoing layer 3 interface) between the source and destination points. This is either the Access Point's pppoe1 or wwan1 interface, or the VLAN used as the redirection interface between source and destination.
NAT Pool: Lists the names of existing NAT pools used with the Bridge NAT configuration. This displays only when the Overload Type is NAT Pool.
Overload IP: Lists the address used globally and collectively for numerous local addresses.
Overload Type: Lists the overload type used with the listed IP ACL rule: NAT Pool, One Global Address or Interface IP Address.
ACL Precedence: Lists the administrator assigned priority for the ACL. The lower the value, the higher the priority of these ACL rules.
7 Select Add to create a new Bridge NAT configuration, Edit to modify an existing configuration or Delete to remove a configuration.
Figure 8-115 Security Source Dynamic NAT screen
8 Select the Access List whose IP rules are applied to this policy based forwarding rule. A new ACL can be defined by selecting the Create icon, or an existing set of IP ACL rules can be modified by selecting the Edit icon.
9 Use the IP Address Range table to configure the IP addresses and address ranges used to access the Internet:
ACL Precedence: Set the priority (1 - 5000) for the ACL. The lower the value, the higher the priority of these ACL rules.
Interface: Select the outgoing layer 3 interface on which traffic is redirected. The interface can be an Access Point wwan1 or pppoe1 interface, or traffic can be redirected to a designated VLAN.
NAT Pool: Displays the NAT pool used by this Bridge NAT entry. A value is displayed only when Overload Type has been set to NAT Pool.
Overload IP: Lists whether a single global address collectively supports numerous local addresses.
Overload Type: Displays the overload type for this policy based forwarding rule.
10 Select + Add Row to set IP address range settings for the Bridge NAT configuration.
11 Select OK to save the changes made within the Add Row and Source Dynamic NAT screens. Select Reset to revert to the last saved configuration.
Figure 8-116 Security Source Dynamic NAT screen
8.9.8 Setting the Profile's Application Visibility (AVC) Configuration
Deep packet inspection (DPI) is an advanced packet analysis technique that examines packet headers and packet content to determine the nature of network traffic. When DPI is enabled, packets of all flows are subjected to DPI to get accurate results. DPI identifies applications (such as Netflix, Twitter or Facebook) and extracts metadata (such as host name, server name and TCP RTT) for further use by the WiNG firewall.
To configure a profile's application visibility settings and overrides:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Security.
5 Select Application Visibility.
6 Refer to the following Application Visibility and Control settings:

Figure 8-117 Profile - Security - Application Visibility screen

Enable dpi: Enable this setting to provide deep packet inspection. When enabled, network flows are inspected at a granular level to identify applications (such as Netflix, Twitter, Facebook, etc.) and extract metadata (such as host name, server name, TCP-RTT, etc.) for further use by the WiNG firewall.
Enable Applications Logging: Select this option to enable event logging for DPI application recognition. This setting is disabled by default.
Application Logging Level: If enabling DPI application recognition logging, set the logging level. Severity levels include Emergency, Alert, Critical, Errors, Warning, Notice, Info and Debug. The default logging level is Notice.
Enable Voice/Video Metadata: Select this option to enable metadata extraction from voice and video classified flows. The default setting is disabled.
Enable HTTP Metadata: Select this option to enable metadata extraction from HTTP flows. The default setting is disabled.
Enable SSL Metadata: Select this option to enable metadata extraction from SSL flows. The default setting is disabled.
Enable TCP RTT: Select this option to enable extraction of RTT information from TCP flows. The default setting is disabled.

7 Review the Custom Applications for DPI field to select the custom applications available for this device profile. For information on creating custom applications and their categories, see Application on page 7-58. If enabling TCP-RTT metadata collection, in the App Groups for TCP RTT field, specify the application groups for which TCP-RTT metadata collection is to be enabled. Select the Application Groups from the drop-down menu and use the green down arrow to move the selection to the box below. Note that a maximum of 8 (eight) groups can be added to the list. If the desired application group is not available, select the Create icon to define a new application group configuration or select the Edit icon to modify an existing application group. For information on creating custom application groups, see Application Group on page 7-60.
8 Select OK to save the changes or overrides. Select Reset to revert to the last saved configuration.

8.9.9 Profile Security Configuration and Deployment Considerations

Before defining a profile's security configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective:
- Make sure the contents of the certificate revocation list are periodically audited to ensure revoked certificates remain quarantined and validated certificates are reinstated.
- An RFS4000 model wireless controller ships with a baseline configuration supporting many-to-one NAT between devices connected to GE1 - GE5 ports on VLAN 1, and the UP1 port assigned to VLAN 2100. An RFS4000 can be deployed within a small site using its default configuration, and then be connected to an Internet service providing instant access to the Internet.
- NAT alone does not provide a firewall. If deploying NAT on a controller or service platform profile, add a firewall on the profile to block undesirable traffic from being routed. For outbound Internet access, a stateful firewall can be configured to deny all inbound traffic, allowing only replies to connections initiated from the inside. If port address translation is required, a stateful firewall should be configured to permit only the TCP or UDP ports being translated.
- An RFS6000 model wireless controller ships with a minimum baseline configuration without NAT enabled. An RFS6000 wireless controller requires VLAN configuration, IP addressing and NAT rules be created before many-to-one NAT services can be defined.
- RFS4000 and RFS6000 model wireless controllers can provide outbound NAT services for hosts connected to multiple VLANs. For small deployments, VLANs should be terminated within an RFS4000 wireless controller providing site routing services. For medium-scale deployments, VLANs are typically terminated on an L3 (IP layer) or L2 (Ethernet layer) device.

8.10 Profile VRRP Configuration

A default gateway is a critical resource for connectivity. However, it is prone to being a single point of failure, so redundancy for the default gateway is required. If WAN backhaul is available and a router failure occurs, the Access Point should act as a router and forward traffic on to its WAN link.
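The Bridge NAT fields of 8.9.7 (access list, ACL precedence, overload type, NAT pool / one global address / interface IP) and the 8.9.9 guideline that NAT alone is not a firewall, modelled as an added example. This is not the controller's own code. The addresses, pool, flows and the endpoint-independent mapping behaviour used to show the "NAT only" case are constructed for illustration.

```python
"""Bridge NAT lookup with ACL precedence plus a stateful inbound check.

Added example (not WiNG code).  Models the Bridge NAT fields of 8.9.7 and the
8.9.9 caveat that NAT alone is not a firewall.  All addresses, pools and flows
are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from itertools import count
from typing import Dict, List, Optional, Tuple

# (proto, source address, source port, destination address, destination port)
Flow = Tuple[str, IPv4Address, int, IPv4Address, int]


@dataclass
class AclRule:
    action: str            # "permit" or "deny"
    source: IPv4Network


@dataclass
class BridgeNatEntry:
    acl: List[AclRule]
    precedence: int        # 1 - 5000; the lower the value, the higher the priority
    overload_type: str     # "nat-pool", "one-global-address" or "interface-ip"
    global_addresses: List[IPv4Address]

    def permits(self, src: IPv4Address) -> bool:
        for rule in self.acl:          # first match wins; implicit deny at the end
            if src in rule.source:
                return rule.action == "permit"
        return False


class BridgeNat:
    """Outbound translation table with an optional stateful reply filter."""

    def __init__(self, entries: List[BridgeNatEntry], interface_ip: IPv4Address) -> None:
        self.entries = sorted(entries, key=lambda e: e.precedence)   # lowest value first
        self.interface_ip = interface_ip
        self.ports = count(1024)                                     # translated ports
        # (proto, global ip, global port) -> (inside src, sport, remote dst, dport)
        self.state: Dict[Tuple[str, IPv4Address, int],
                         Tuple[IPv4Address, int, IPv4Address, int]] = {}

    def select_entry(self, src: IPv4Address) -> Optional[BridgeNatEntry]:
        return next((e for e in self.entries if e.permits(src)), None)

    def global_address(self, entry: BridgeNatEntry, src: IPv4Address) -> IPv4Address:
        if entry.overload_type == "interface-ip":
            return self.interface_ip
        if entry.overload_type == "one-global-address":
            return entry.global_addresses[0]
        if entry.overload_type == "nat-pool":        # spread sources over the pool
            return entry.global_addresses[int(src) % len(entry.global_addresses)]
        raise ValueError(f"unknown overload type {entry.overload_type!r}")

    def outbound(self, flow: Flow) -> Optional[Flow]:
        """Translate an inside->Internet packet, or None if no ACL permits it."""
        proto, src, sport, dst, dport = flow
        entry = self.select_entry(src)
        if entry is None:
            return None
        gip, gport = self.global_address(entry, src), next(self.ports)
        self.state[(proto, gip, gport)] = (src, sport, dst, dport)
        return (proto, gip, gport, dst, dport)

    def inbound(self, flow: Flow, stateful: bool = True) -> Optional[Flow]:
        """Untranslate an Internet->inside packet.

        stateful=False behaves like an endpoint-independent NAT: any remote host
        that hits the translated port reaches the inside host.  stateful=True is
        the firewall the guide tells you to add: only the peer the inside host
        actually contacted is let through.
        """
        proto, rsrc, rsport, gip, gport = flow
        mapping = self.state.get((proto, gip, gport))
        if mapping is None:
            return None
        src, sport, dst, dport = mapping
        if stateful and (rsrc, rsport) != (dst, dport):
            return None
        return (proto, rsrc, rsport, src, sport)


def demo() -> dict:
    """Constructed walk-through; returns every decision so it can be checked."""
    peer, rogue = IPv4Address("198.51.100.20"), IPv4Address("198.51.100.99")
    nat = BridgeNat(
        [
            BridgeNatEntry([AclRule("permit", IPv4Network("10.1.0.0/16"))], precedence=100,
                           overload_type="nat-pool",
                           global_addresses=[IPv4Address("203.0.113.10"), IPv4Address("203.0.113.11")]),
            # Lower precedence value: consulted first, so 10.1.5.0/24 gets its own address.
            BridgeNatEntry([AclRule("permit", IPv4Network("10.1.5.0/24"))], precedence=50,
                           overload_type="one-global-address",
                           global_addresses=[IPv4Address("203.0.113.5")]),
        ],
        interface_ip=IPv4Address("203.0.113.1"),
    )
    out1 = nat.outbound(("tcp", IPv4Address("10.1.5.7"), 40000, peer, 443))   # 203.0.113.5:1024
    out2 = nat.outbound(("tcp", IPv4Address("10.1.9.9"), 40001, peer, 443))   # pool, :1025
    denied = nat.outbound(("tcp", IPv4Address("10.2.0.1"), 40002, peer, 443))  # None
    reply = nat.inbound(("tcp", peer, 443, IPv4Address("203.0.113.5"), 1024))
    unsolicited = ("tcp", rogue, 443, IPv4Address("203.0.113.5"), 1024)
    return {
        "out1": out1, "out2": out2, "denied": denied, "reply": reply,
        "rogue_with_firewall": nat.inbound(unsolicited),                  # dropped
        "rogue_nat_only": nat.inbound(unsolicited, stateful=False),       # forwarded
    }
```

The last two entries returned by demo() are the point of the 8.9.9 guideline: the translation table alone lets any Internet host that reaches a mapped port through to the inside host, while the stateful check forwards only the peer the inside host opened the connection to.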
Define an external Virtual Router Redundancy Protocol (VRRP) configuration when router redundancy is required in a network requiring high availability. Central to the configuration of VRRP is the election of a VRRP master. A VRRP master (once elected) performs the following functions:

- Responds to ARP requests
- Forwards packets with a destination link layer MAC address equal to the virtual router MAC address
- Rejects packets addressed to the IP address associated with the virtual router, if it is not the IP address owner
- Accepts packets addressed to the IP address associated with the virtual router, if it is the IP address owner or accept mode is true

Those nodes that lose the election process enter a backup state. In the backup state they monitor the master for any failures, and in case of a failure one of the backups, in turn, becomes the master and assumes the management of the designated virtual IPs. A backup does not respond to ARP requests, and discards packets destined for a virtual IP resource.

To define the configuration of a VRRP group:
1 Select Configuration > Profiles.
2 Select VRRP.
3 Review the following VRRP configuration data to assess if a new VRRP configuration is required or if an existing VRRP configuration requires modification or removal:

Figure 8-118 Profile - VRRP screen

Virtual Router ID: Lists a numerical index (1 - 254) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for.
Description: Displays a description assigned to the VRRP configuration when it was either created or modified. The description is implemented to provide additional differentiation beyond the numerical virtual router ID.
Virtual IP Addresses: Lists the virtual interface IP address used as the redundant gateway address for the virtual router.
Interface: Displays the interfaces selected on the Access Point to supply VRRP redundancy failover support.
Priority: Lists a numerical value (1 - 254) used for the virtual router master election process. The higher the numerical value, the higher the priority in the election process.

4 Select the Version tab to define the VRRP version scheme used with the configuration.

Figure 8-119 VRRP screen - Version tab

VRRP version 3 (RFC 5798) and version 2 (RFC 3768) are options for router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and services over the virtual IP. For more information on the VRRP protocol specifications (available publicly) refer to http://www.ietf.org/rfc/rfc3768.txt (version 2) and http://www.ietf.org/rfc/rfc5798.txt (version 3).

5 From within the VRRP tab, select Add to create a new VRRP configuration or Edit to modify the attributes of an existing VRRP configuration. If necessary, existing VRRP configurations can be selected and permanently removed by selecting Delete. If adding or editing a VRRP configuration, the following screen displays:

6 If creating a new VRRP configuration, assign a Virtual Router ID from (1 - 255). In addition to functioning as a numerical identifier, the ID identifies the Access Point's virtual router a packet is reporting status for.
7 Define the following VRRP General parameters:

Figure 8-120 VRRP screen

Description: In addition to an ID assignment, a virtual router configuration can be assigned a textual description (up to 64 characters) to further distinguish it from others with a similar configuration.
Priority: Use the spinner control to set a VRRP priority setting from 1 - 254. The Access Point uses the defined setting as criteria in selection of a virtual router master. The higher the value, the greater the likelihood of this virtual router ID being selected as the master.
Virtual IP Addresses: Provide up to 8 IP addresses representing Ethernet switches, routers or security appliances defined as virtual routing resources.
Advertisement Interval Unit: Select either seconds, milliseconds or centiseconds as the unit used to define VRRP advertisements. Once an option is selected, the spinner control becomes enabled for that Advertisement Interval option. The default interval unit is seconds. If changing the VRRP group version from 2 to 3, ensure the advertisement interval is in centiseconds. Use VRRP group version 2 when the advertisement interval is either in seconds or milliseconds.
Advertisement Interval: Once an Advertisement Interval Unit has been selected, use the spinner control to set the interval at which the VRRP master sends out advertisements on each of its configured VLANs. The default setting is 1 second.
Preempt: Select this option to allow a higher priority backup router to preempt a lower priority router. The default setting is enabled. When selected, the Preempt Delay option becomes enabled to set the actual delay interval for preemption. This setting determines if a node with a higher priority can take over all the Virtual IPs from the nodes with a lower priority.
Preempt Delay: If the Preempt option is selected, use the spinner control to set the delay interval (in seconds) for preemption.
Interface: Select this value to enable/disable VRRP operation and define the VLAN (1 - 4,094) interface where VRRP is running. These are the interfaces monitored to detect a link failure.

8 Refer to the Protocol Extension field to define the following:
Sync Group: Select the option to assign a VRRP sync group to this VRRP ID's group of virtual IP addresses. This triggers VRRP failover if an advertisement is not received from the virtual masters that are part of this VRRP sync group. This setting is disabled by default.
Network Monitoring: Local Interface: Select the wwan1, pppoe1 and VLAN ID(s) as needed to extend VRRP monitoring to these local interfaces. Once selected, these interfaces can be assigned an increasing or decreasing level of priority for virtual routing within the VRRP group.
Network Monitoring: Critical Resource Name: Assign the priority level for the selected local interfaces. Backup virtual routers can increase or decrease their priority in case the critical resources connected to the master router fail, and transition to the master state. Additionally, the master virtual router can lower its priority if the critical resources connected to it fail, so the backup can transition to the master state. This value can only be set on the backup or master router resource, not both. Options include None, increment-priority and decrement-priority.
Network Monitoring: Delta Priority: Use this setting to decrement the configured priority (by the set value) when the monitored interface is down. When critical resource monitoring is used, the configured priority is incremented by the value defined.

9 Select OK to save the changes made to the VRRP configuration. Select Reset to revert to the last saved configuration.

8.11 Profile Critical Resources Configuration

Critical resources are device IP addresses or interface destinations on the network defined as critical to the health of the network. The critical resource feature allows for the continuous monitoring of these addresses. A critical resource, if not available, can result in the network suffering performance degradation. A critical resource can be a gateway, AAA server, WAN interface or any hardware or service on which the stability of the network depends. Critical resources are pinged regularly.
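The VRRP master election, Preempt and Delta Priority rules described in 8.10 above, driven by the regular critical-resource pinging that 8.11 introduces, as an added example that is not the controller's own code. It assumes the RFC 3768 / RFC 5798 master-down timer formulas, the RFC tie-break on the higher primary address, a monitor that marks a resource DOWN only after a number of consecutive failed pings (the guide's Monitoring Retries setting), and a constructed two-router scenario; the router names and addresses are illustrative.

```python
"""VRRP election, master-down timer and Delta Priority (added example).

Not WiNG code: it models the election rules of 8.10, the timer formulas of
RFC 3768 (v2) and RFC 5798 (v3), and a critical-resource monitor that marks a
resource DOWN after N consecutive failed pings (8.11).  Router names,
addresses and the scenario are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple


def master_down_interval(version: int, adver_interval: float, priority: int) -> float:
    """Time a backup waits without advertisements before taking over.

    Version 2 works in seconds, version 3 in centiseconds, which is why v3 can
    fail over in under a second.  Skew_Time shrinks as priority grows, so the
    best backup wins the race to become master.
    """
    if version == 2:
        skew = (256 - priority) / 256                    # seconds, RFC 3768 6.1
    elif version == 3:
        skew = (256 - priority) * adver_interval / 256   # centiseconds, RFC 5798 6.1
    else:
        raise ValueError("VRRP version must be 2 or 3")
    return 3 * adver_interval + skew


class CriticalResourceMonitor:
    """UP until `retries` consecutive pings fail (guide: 1 - 10, default 3)."""

    def __init__(self, retries: int = 3) -> None:
        if not 1 <= retries <= 10:
            raise ValueError("retries must be 1 - 10")
        self.retries, self.failures, self.up = retries, 0, True

    def record(self, reachable: bool) -> bool:
        self.failures = 0 if reachable else self.failures + 1
        self.up = self.failures < self.retries
        return self.up


@dataclass(eq=False)
class VirtualRouter:
    name: str
    address: IPv4Address          # primary address; RFC tie-breaker (assumption)
    priority: int                 # configured 1 - 254
    owner: bool = False           # the IP address owner runs at 255 per the RFCs
    preempt: bool = True
    # monitor -> (delta mode, delta value) applied while that monitor is DOWN
    monitors: Dict[CriticalResourceMonitor, Tuple[str, int]] = field(default_factory=dict)

    def effective_priority(self) -> int:
        if self.owner:
            return 255
        p = self.priority
        for monitor, (mode, delta) in self.monitors.items():
            if monitor.up:
                continue
            if mode == "increment-priority":
                p += delta
            elif mode == "decrement-priority":
                p -= delta                # mode "None": no change
        return max(1, min(254, p))


def elect(routers: List[VirtualRouter], current: Optional[VirtualRouter]) -> VirtualRouter:
    """Highest effective priority wins; a live master is only displaced by a
    better candidate whose own Preempt flag is set."""
    best = max(routers, key=lambda r: (r.effective_priority(), int(r.address)))
    if current is not None and best is not current and not best.preempt:
        return current
    return best


def failover_scenario() -> List[str]:
    """Constructed walk-through: the master's gateway dies, the backup takes
    over, and the old master only returns once its Preempt flag is on."""
    gateway = CriticalResourceMonitor(retries=3)
    a = VirtualRouter("ap-a", IPv4Address("192.0.2.1"), priority=200,
                      monitors={gateway: ("decrement-priority", 100)})
    b = VirtualRouter("ap-b", IPv4Address("192.0.2.2"), priority=150)
    routers, history = [a, b], []

    master = elect(routers, None)
    history.append(master.name)                      # ap-a: 200 > 150
    for reachable in (True, False, False):           # two misses are tolerated
        gateway.record(reachable)
    master = elect(routers, master)
    history.append(master.name)                      # still ap-a
    gateway.record(False)                            # third miss: resource DOWN
    master = elect(routers, master)
    history.append(master.name)                      # ap-b: 200 - 100 < 150
    gateway.record(True)                             # gateway recovers
    a.preempt = False
    master = elect(routers, master)
    history.append(master.name)                      # ap-b keeps the virtual IP
    a.preempt = True
    master = elect(routers, master)
    history.append(master.name)                      # ap-a preempts
    return history
```

master_down_interval() shows why the guide insists on centisecond units with version 3: with a 1 second advertisement interval a priority-150 backup waits about 3.41 s under version 2, whereas a version 3 group advertising every 100 centiseconds gives the same 341 centisecond figure but can be tuned down to sub-second values.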
If there's a connectivity issue, an event is generated stating a critical resource is unavailable. By default, there's no enabled critical resource policy, and one needs to be created and implemented.

Critical resources can be monitored directly through the interfaces on which they're discovered. For example, a critical resource on the same subnet as an Access Point can be monitored by its IP address. However, a critical resource located on a VLAN must continue to be monitored on that VLAN. Critical resources can be configured for Access Points and wireless controllers using their respective profiles.

To define critical resources:

1 Select Configuration > Profiles.
2 Select Critical Resources.

Figure 8-121 Critical Resources screen - List of Critical Resources tab

The screen lists the destination IP addresses or interfaces (VLAN, WWAN, or PPPoE) used for critical resource connection. IP addresses can be monitored directly by the controller or service platform, whereas a VLAN, WWAN or PPPoE must be monitored behind an interface.

3 Click the Add button at the bottom of the screen to add a new critical resource and connection method, or select an existing resource and select Edit to update the resource's configuration.

Figure 8-122 Critical Resources screen - Adding a Critical Resource

4 Select Use Flows to configure the critical resource to monitor using firewall flows for DHCP or DNS instead of ICMP or ARP packets, to reduce the amount of traffic on the network. Select Sync Adoptees to sync adopted devices to state changes with a resource-state change message. These settings are disabled by default.
5 Use the Offline Resource Detection drop-down menu to define how critical resource event messages are generated. Options include Any and All. If selecting Any, an event is generated when the state of any single critical resource changes. If selecting All, an event is generated only when the state of all monitored critical resources changes.
6 Use the Monitor Criteria drop-down menu to select either rf-domain-manager, cluster-master or All as the resource for monitoring critical resources by one device and updating the rest of the devices in a group. If selecting rf-domain-manager, the current RF Domain manager performs resource monitoring, and the rest of the devices do not. The RF Domain manager updates any state changes to the rest of the devices in the RF Domain. With the cluster-master option, the cluster master performs resource monitoring and updates the cluster members with state changes. With a controller managed RF Domain, Monitor Criteria should be set to All, since the controller might not know the VLAN bridged locally by the devices in the RF Domain monitoring DHCP.
7 Select the IP option (within the Monitor Via field at the top of the screen) to monitor a critical resource directly (within the same subnet) using the provided IP address as a network identifier.
8 Select the Interface checkbox (within the Monitor Via field at the top of the screen) to monitor a critical resource using either the critical resource's VLAN, WWAN1 or PPPoE1 interface. If VLAN is selected, a spinner control is enabled to define the destination VLAN ID used as the interface for the critical resource.
9 Select + Add Row to define the following for critical resource configurations:

IP Address: Provide the IP address of the critical resource. This is the address used to ensure the critical resource is available. Up to four addresses can be defined.
Mode: Set the ping mode used when the availability of a critical resource is validated. Select from arp-only (use the Address Resolution Protocol (ARP) only for pinging the critical resource; ARP is used to resolve hardware addresses when only the network layer address is known) or arp-and-ping (use both ARP and Internet Control Message Protocol (ICMP) for pinging the critical resource and sending control messages such as device not reachable, requested service not available, etc.).
Port: Use the drop-down menu to provide the physical port for each critical resource. The ports available depend on the device in use.
VLAN: Define the VLAN on which the critical resource is available using the spinner control.

10 Select the Monitor Interval tab.

Figure 8-123 Critical Resources screen - Monitor Interval tab

11 Set Monitor Interval as the duration between two successive pings to the critical resource. Define this value in seconds from 5 - 86,400. The default setting is 30 seconds.
12 Set the Source IP for Port-Limited Monitoring to define the IP address used as the source address in ARP packets used to detect a critical resource on a layer 2 interface. Generally, the source address 0.0.0.0 is used in the ARP packets used to detect critical resources. However, some devices do not support this source address and drop the ARP packets. Use this field to provide an IP address specifically for this purpose. The IP address used for Port-Limited Monitoring must be different from the IP address configured on the device.
13 Set the Monitoring Retries before Marking Resource as DOWN for the number of retry connection attempts (1 - 10) permitted before this device connection is defined as down (offline). The default setting is three connection attempts.
14 Select OK to save the changes to the monitor interval. Select Reset to revert to the last saved configuration.

8.12 Profile Services Configuration

A profile can contain specific captive portal, DHCP server and RADIUS server configurations supported by the controller or service platform's own internal resources. These captive portal, IP assignment and user authorization resources can be defined uniquely as profile requirements dictate.

To define a profile's services configuration:
1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Services.

Figure 8-124 Profile Services screen

5 Refer to the Captive Portal Hosting section to select or set a guest access configuration (captive portal) for use with this profile. A captive portal is a guest access policy for providing guests temporary and restrictive access to the network. A captive portal provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Once logged into the captive portal, additional Agreement, Welcome and Fail pages provide the administrator with a number of options on screen flow and user appearance. Either select an existing captive portal policy, use the default captive portal policy or select the Create link to create a new captive portal that can be applied to the profile. For more information, see Configuring a Captive Portal Policy.
6 Select a RADIUS Server Application Policy to authenticate users and authorize access to the network. A RADIUS policy provides the centralized management of authentication data (usernames and passwords). When a client attempts to associate, the controller or service platform sends the authentication request to the RADIUS server. If no existing policies are available, select the Create link.
7 Use the DHCP Server Policy drop-down menu to assign this profile a DHCP or DHCPv6 server policy. If an existing DHCP or DHCPv6 policy does not meet the profile's requirements, select the Create button to create a new policy configuration that can be applied to this profile. Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses as well as discover information about the network where they reside. Each subnet can be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet's address pool. When the onboard DHCP server allocates an address for a DHCP client, the client is assigned a lease, which expires after a pre-determined interval. Before a lease expires, wireless clients (to which leases are assigned) are expected to renew them to continue to use the addresses. Once the lease expires, the client is no longer permitted to use the leased IP address. The profile's DHCP server policy ensures all IP addresses are unique, and no IP address is assigned to a second client while the first client's assignment is valid (its lease has not expired). DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCP in IPv6 works together with IPv6 router discovery. With the proper RA flags, DHCPv6 works like DHCP for IPv4. The central difference is the way a device identifies itself if assigning addresses manually instead of selecting addresses dynamically from a pool.
8 Use the Guest Management Policy drop-down menu to select an existing Guest Management policy to use as a mechanism to manage guest users with this profile.
9 Use the RADIUS Server Policy drop-down menu to select an existing RADIUS server policy to use as a user validation security mechanism with this profile. A profile can have its own unique RADIUS server policy to authenticate users and authorize access to the network. A profile's RADIUS policy provides the centralized management of controller or service platform authentication data (usernames and passwords). When a client attempts to associate, an authentication request is sent to the RADIUS server. For more information, see Setting the RADIUS Configuration.
10 From the Forwarding Policy drop-down, select the Bonjour Gateway forwarding policy. Select the Create icon to define a new Bonjour Gateway forwarding policy configuration or select the Edit icon to modify an existing Bonjour Gateway forwarding policy configuration. Bonjour is Apple's implementation of zero-configuration networking (Zeroconf). Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates devices such as printers, other computers and services that these computers offer over a local network. Bonjour provides a general method to discover services on a local area network (LAN). It allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with special DNS configuration, it can be extended to find services across broadcast domains.
11 Select OK to save the changes made to the profile's services configuration. Select Reset to revert to the last saved configuration.

8.12.1 Services Configuration and Deployment Considerations

Before defining a profile's captive portal, DHCP and RADIUS services configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective:

- A profile plan should consider the number of wireless clients allowed on the captive portal and the services provided, or whether the profile should support captive portal access at all.
- Profile configurations supporting a captive portal should include firewall policies to ensure logical separation is provided between guest and internal networks, so internal networks and hosts are not reachable from captive portals.
- DHCP's lack of an authentication mechanism means a DHCP server supported profile cannot check if a client or user is authorized to use a given user class. This introduces a vulnerability when using user class options. Ensure a profile using an internal DHCP resource is also provisioned with a strong user authorization and validation configuration.

8.13 Profile Management Configuration

Controllers and service platforms have mechanisms to allow/deny management access to the network for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). These management access configurations can be applied strategically to profiles as resource permissions dictate. Additionally, an administrator can define a profile with unique configuration file and device firmware upgrade support. In a clustered environment, these operations can be performed on one controller or service platform, then propagated to each member of the cluster and onwards to the devices managed by each cluster member.

To define a profile's management configuration:
1 Select the Configuration tab from the Web UI. 2 Select Profiles from the Configuration tab. 3 Select Manage Profiles from the Configuration > Profiles menu. 4 Select Management. 5 Expand the Management menu item to display its sub menu options. 6 Select Settings from the Management menu. Wireless Controller and Service Platform System Reference Guide 8 - 207 Profile Configuration Figure 8-125 Profile Management Settings screen 7 Refer to the Management Policy field to select or set a management configuration for use with this profile. A default management policy is also available if no existing policies are usable. Use the drop-down menu to select an existing management policy to apply to this profile. If no management policies exist meeting the data access requirements of this profile, select the Create icon to access a series of screens used to define administration, access control and SNMP configurations. Select an existing policy and select the Edit icon to modify the configuration of an existing management policy. For more information, see Viewing Management Access Policies. 8 Refer to the Message Logging field to define how the profile logs system events. Its important to log individual events to discern an overall pattern that may be negatively impacting performance using the configuration defined for this profile. Enable Message Logging Remote Logging Host Select this option to enable the profile to log system events to a user defined log file or a syslog server. Selecting this check box enables the rest of the parameters required to define the profiles logging configuration. This option is disabled by default. Use this table to define numerical (non DNS) IP addresses for up to three external resources where logged system events can be sent on behalf of the profile. Select Clear as needed to remove an IP address. 
Wireless Controller and Service Platform System Reference Guide 8 - 208 Profile Configuration Facility to Send Log Messages Syslog Logging Level Console Logging Level Use the drop-down menu to specify the local server facility (if used) for the profiles syslog event log transfer. Event severity coincides with the syslog logging level defined for the profile. Assign an identifier to log events based on criticality. Severity levels include 0 - Emergency, 1 - Alert, 2 - Critical, 3 - Errors, 4 - Warning, 5 - Notice, 6 - Info and 7 - Debug. The default logging level is 4. Event severity coincides with the syslog logging level defined for the profile. Assign an identifier to log events based on criticality. Severity levels include 0 - Emergency, 1 - Alert, 2 - Critical, 3 - Errors, 4 - Warning, 5 - Notice, 6 - Info and 7 - Debug. The default logging level is 4. Time to Aggregate Repeated Messages Buffered Logging Level Event severity coincides with the syslog logging level defined for the profile. Assign an identifier to log events based on criticality. Severity levels include 0 - Emergency, 1 - Alert, 2 - Critical, 3 - Errors, 4 - Warning, 5 - Notice, 6 - Info and 7 - Debug. The default logging level is 4. Define the increment (or interval) system events are logged on behalf of this profile. The shorter the interval, the sooner the event is logged. Either define an interval in Seconds (0 - 60) or Minutes (0 -1). The default value is 0 seconds. Select the checkbox to define a log level for forwarding event logs. Log levels include Emergency, Alert, Critical, Error, Warning, Notice, Info and Debug. The default logging level is Error. Forward Logs to Controller 9 Refer to the System Event Messages section to define how system messages are logged and forwarded on behalf of the profile. Event System Policy Enable System Events Enable System Event Forwarding Select an Event System Policy from the drop-down menu. 
If an appropriate policy does not exist click the Create button to make a new policy. Select this option to allow the profile to capture system events and append them to a log file. Its important to log individual events to discern an overall pattern that may be negatively impacting system performance. This setting is enabled by default. Select the Enable System Event Forwarding box to enable the forwarding of system events to another cluster member. This setting is enabled by default. 10 Refer to the Events E-mail Notification section to define how system event notification emails are sent. SMTP Server Port of SMTP Sender Email Address Recipients E-mail Address Specify either the Hostname or IP Address of the outgoing SMTP server where notification emails will be originated. A Hostname cannot exceed 64 characters. If a non-standard SMTP port is used on the outgoing SMTP server check this box and specify a port between 1 and 65,535 for the outgoing SMTP server to use. Specify the 64 character maximum email address from which notification emails are originated. This is the from address on notification emails. Specify up to 6 Email addresses to be the recipients of event Email notifications. Wireless Controller and Service Platform System Reference Guide 8 - 209 Profile Configuration Username for SMTP Server Password for SMTP Server Specify the username of the sender on the outgoing SMTP server. Many SMTP servers require users to authenticate with a username and password before sending email through the server. Specify the password associated with the username of the sender on the outgoing SMTP server. Many SMTP servers require users to authenticate with a username and password before sending email through the server. 11 Refer to the Persist Configurations Across Reloads field to define or override how configuration settings are handled after reloads. 
Persist Configurations Across Reloads Use the drop-down menu to configure whether configuration overrides should persist when the device configuration is reloaded. Available options are Enabled, Disabled and Secure. 12 Refer to the HTTP Analytics field to define analytic compression settings and update intervals. Compress Update Interval Select this option to use compression to when sending updates to the controller. This option is disabled by default. Define an interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) for interval to push buffered packets. The default setting in 1 minute. 13 Refer to the External Analytics Engine section to define or override analytics engine login information for an external host. The Guest Access & Analytics software module is a site-wide Enterprise License available only on the NX9000 service platforms. When a customer visits a store, they connect to the Wireless LAN via guest access using a mobile device. The user needs to authenticate only on their first visit, and will automatically connect to the network for subsequent visits. The Analytics module helps gather data about customer behavior such as web sites visited, search terms used, mobile device types, number of new users vs. repeat users. This data provides a better understanding of pricing strategies and promotions being run by competitors. The data can be exported for additional in-depth analysis. Controller URL User Name Password Update Interval Select this option to provide service platform analytics to a local device. This setting is enabled by default. When using an external analytics engine with a NX9000 series service platform, enter the IP address or uniform resource locator (URL) for the system providing external analytics functions. Enter the user name needed to access the external analytics engine. Enter the password associated with the username on the external analytics engine. 
Update Interval: Set the interval in either Seconds (1 - 3,600), Minutes (1 - 60) or Hours (1) to forward buffered information to an external server resource, even when the buffers are not full. The default setting is 1 minute.

14 Select OK to save the changes made to the profile's management settings. Select Reset to revert to the last saved configuration.

15 Select Firmware from the Management menu.

Figure 8-126 Profile Management Firmware screen

16 Refer to the Auto Install via DHCP Option section to configure automatic configuration file and firmware updates.

Enable Configuration Update: Select the Enable Configuration Update radio button (from within the Automatic Configuration Update field) to enable automatic configuration file updates for the profile from an external location. If enabled (the setting is disabled by default), provide a complete path to the target configuration file used in the update.
Enable Firmware Upgrade: Select this option to enable automatic firmware upgrades (for this profile) from a user defined remote location. This value is disabled by default.
Start Time (minutes): Use the spinner control to set the number of minutes to delay the start of an auto upgrade operation. Stagger the start of an upgrade operation as needed to allow an Access Point to complete its current client support activity before being rendered offline during the update operation. The default setting is 10 minutes.

17 Refer to the parameters within the Legacy Device Firmware Management field to set legacy Access Point firmware provisions:
Migration Firmware from AP71xx 4.x path: Provide a path to a firmware image used to provision AP71xx model Access Points currently utilizing a 4.x version legacy firmware file. Once a valid path is provided, the update is enabled to the version maintained locally for AP71xx models.
Legacy AP650 Auto Update: Select this option to provision AP650 model Access Points from their legacy firmware versions to the version maintained locally for that model. This setting is enabled by default, making updates to AP650 models automatic if a newer AP650 image is maintained locally.

18 Use the parameters within the Automatic Adopted Device Firmware Upgrade section to define an automatic firmware upgrade from a local file.

Enable Controller Upgrade of Device Firmware: Select this radio button to enable adopted devices to upgrade to a newer firmware version using the associated controller or service platform's most recent resident firmware file for that specific model. This parameter is disabled by default.
Number of Concurrent Upgrades: Use the spinner control to define the maximum number (1 - 20) of adopted Access Points that can receive a firmware upgrade at the same time. Keep in mind that during a firmware upgrade the Access Point is offline and unable to perform its normal wireless client support function until the upgrade process is complete.

19 Select the Persist AP images on Controller button (from within the Firmware Persistence for Adopted Devices field) to enable the RF domain manager to retain and store the new image of an Access Point selected for a firmware update. The image is only stored on the RF domain manager when there is space to accommodate it. The upgrade sequence is different depending on whether the designated RF domain manager is a controller/service platform or an Access Point.

When the RF domain manager is an Access Point:
- The NOC uploads and provisions an Access Point model's firmware on to the Access Point RF domain manager.
- The NOC initiates an auto-update for Access Points using that model's firmware.
- If the Persist Image on Controller option is selected, the RF domain manager retains the image for that model.
- The NOC then provisions the firmware of the next Access Point type to the RF domain manager. The auto-update process is then repeated for that model.
- Once all the selected models have been updated, the RF domain manager's model is updated last.

When the RF domain manager is a controller or service platform:
- The NOC adopts controllers to the NOC's cluster within its RF domain.
- The NOC triggers an update on active controllers or service platforms and reboots them as soon as the update is complete.
- As soon as the active nodes come back up, the NOC triggers an update on standby controllers or service platforms and reboots them as soon as the update is complete.
- When the standby controllers or service platforms come back up:
  - If the reboot is not scheduled, the Access Points adopted to RF domain members are not updated. It is expected that the controllers and service platforms have auto-upgrade enabled, which will update the Access Points when re-adopted.
  - If the reboot is scheduled, the NOC pushes the first Access Point model's firmware to the RF domain manager. The NOC initiates an Access Point upgrade on all Access Points on the RF domain manager for that model. If the Persist Image on Controller option is selected, the RF domain manager retains the image for that model. The NOC then provisions the firmware of the next Access Point type to the RF domain manager. This process is repeated until each selected Access Point model is updated.

The Firmware Persistence feature is enabled for all controller and service platform RF domain managers with the flash memory capacity to store firmware images for the selected Access Point models they provision. This feature is disabled for Access Point RF domain managers, which do not typically have the required flash memory capacity.

20 Select Heartbeat from the Management menu. Select the Service Watchdog option to implement heartbeat messages to ensure associated devices are up and running and capable of effectively interoperating. The Service Watchdog is enabled by default.

21 Select OK to save the changes made to the profile maintenance Heartbeat tab. Select Reset to revert to the last saved configuration.

8.13.1 Profile Management Configuration and Deployment Considerations

Before defining a profile's management configuration, refer to the following deployment guidelines to ensure the profile configuration is optimally effective:
- Define profile management access configurations providing both encryption and authentication. Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide data privacy and authentication.
- SNMPv3 should be used for management profile configurations, as it provides both encryption and authentication, which SNMPv1 and v2 do not.

8.14 Profile Mesh Point Configuration

Mesh points are Access Points dedicated to mesh network support. Mesh networking enables users to access broadband applications anywhere (including moving vehicles). To review a profile's mesh point configuration:

1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Mesh Point.

Figure 8-127 Profile - Mesh Point screen

5 Refer to the Mesh Point screen to view existing Mesh Points. If an existing Mesh Point configuration does not meet your requirements, select the Add button to create a new mesh point configuration or the Edit button to modify the parameters of an existing mesh point configuration. The Mesh Point screen displays the Settings tab by default.

6 Define the following Settings:
Figure 8-128 Mesh Point - Settings Screen

MeshConnex Policy: If adding a new policy, specify a name for the MeshConnex Policy. The name cannot be edited later with other configuration parameters. Until a viable name is provided, the Settings tab cannot be enabled for configuration.
Is Root: Select the root behavior of this mesh point. Select True to indicate this mesh point is a root node for this mesh network. Select False to indicate this mesh point is not a root node for this mesh network.
Root Selection Method: Use the drop-down menu to determine whether this meshpoint is the root or non-root meshpoint. Select either None, auto-mint or auto-proximity. The default setting is None. When auto-mint is selected, root selection is based on the total cost to the root. Cost to the root is measured as total cost through hops to the root node. Root selection occurs for the root with the least path cost. When auto-proximity is selected, root selection is based on signal strength of candidate roots. None indicates no preference in root selection.
Set as Cost Root: Select this option to set the mesh point as the cost root for meshpoint root selection. This setting is disabled by default.
Monitor Critical Resources: Enable this feature to allow dynamic conversion of a mesh point from root to non-root when there is a critical resource failure. This option is disabled by default.
Monitor Primary Port Link: Enable this feature to allow dynamic conversion of a mesh point from root to non-root during a link down event. This option is disabled by default.
Wired Peer Excluded: Select this option to exclude a mesh from forming a link with another mesh device that is a wired peer. This option is disabled by default.
Path Method: Use the drop-down menu to select the method (criteria) used for selecting the root path. The following options are available:
- None: Select this to indicate no criteria are used in root path selection.
- uniform: Select this to indicate that the path selection method is uniform. When selected, two paths will be considered equivalent if the average value is the same for these paths.
- mobile-snr-leaf: Select this option if the Access Point is mounted on a vehicle or a mobile platform (AP7161 models only). When selected, the path to the root will be selected based on the Signal To Noise Ratio (SNR) to the neighbor device.
- snr-leaf: Select this to indicate the path with the best signal to noise ratio is always selected.
- bound-pair: Select this option to bind one mesh point connection at a time. Once established, other mesh point connection requests are denied.

NOTE: An AP7161 model Access Point can be deployed as a vehicular mounted modem (VMM) to provide wireless network access to a mobile vehicle (car, train etc.). A VMM provides layer 2 mobility for connected devices. VMM does not provide layer 3 services, such as IP mobility. For VMM deployment considerations, see Vehicle Mounted Modem (VMM) Deployment Considerations on page 8-221.

NOTE: When using 4.9GHz, the root preferences selection for the radio's preferred interface still displays as 5GHz.

7 Set the following Root Path Preference:
Preferred Neighbor: Specify the MAC address of a preferred mesh point neighbor.
Preferred Root: Specify the MAC address of a preferred root device.
Preferred Interface: Use the drop-down menu to set the preferred mesh point interface to 2.4GHz, 4.9 GHz or 5.0GHz. Selecting None makes all mesh point interfaces of equal priority for root path preference.

8 Set the following Path Method Hysteresis:
Minimum Threshold: Enter the minimum value for SNR above which a candidate for the next hop in a dynamic mesh network is considered for selection. This field, along with Signal Strength Delta and Sustained Time Period, is used to dynamically select the next hop in a dynamic mesh network. The default setting is 0 dB.
Signal Strength Delta: Enter a delta value in dB. A candidate for selection as a next hop in a dynamic mesh network must have a SNR value higher than the set value. This field, along with the Minimum Threshold and Sustained Time Period, is used to dynamically select the next hop in a dynamic mesh network. The default setting is 1 dB.
Sustained Time Period: Enter the duration (in seconds or minutes) a signal must sustain the constraints specified by the Minimum Threshold and Signal Strength Delta path hysteresis values. These values are used to dynamically select the next hop in a dynamic mesh network. The default setting is 1 second.
SNR Delta Range: Select the root selection method hysteresis SNR delta range (from 1 - 100 dB) a candidate must sustain. The default setting is 1 dB.

9 Select the Auto Channel Selection tab.

Figure 8-129 Mesh Point Auto Channel Selection - Dynamic Root Selection screen

The Dynamic Root Selection screen displays by default. The Dynamic Root Selection screen provides configuration options for the 2.4 GHz and 5.0/4.9 GHz frequencies.

10 Set the following values (common to both 2.4 GHz and 5.0/4.9 GHz):
Channel Width: Set the channel width the meshpoint's automatic channel scan assigns to the selected radio. Available options include:
- Automatic: The channel width is calculated automatically. This is the default value.
- 20 MHz: Sets the width between two adjacent channels as 20 MHz.
- 40 MHz: Sets the width between two adjacent channels as 40 MHz.
- 80 MHz: Sets the width between two adjacent channels as 80 MHz for 802.11ac Access Points.
Priority Meshpoint: Configure the meshpoint monitored for automatic channel scans. This is the meshpoint assigned priority over other available mesh points. When configured, a mesh connection is established with this mesh point. If not configured, a meshpoint is automatically selected. This setting is disabled by default.
Off-channel Duration: Set the duration (from 20 - 250 milliseconds) the scan dwells on each channel when performing an off channel scan. The default is 50 milliseconds.
Off-channel Scan Frequency: Set the duration (from 1 - 60 seconds) between two consecutive off channel scans. The default is 6 seconds.
Meshpoint Root - Sample Count: Configure the number of scan samples (from 1 - 10) performed for data collection before a mesh channel is selected. The default is 5.
Meshpoint Root - Channel Hold Time: Configure the duration (from 0 - 1440 minutes) to remain on a channel before channel conditions are reassessed for a possible channel change. Set this value to zero (0) to prevent an automatic channel selection from occurring. The default setting is 30 minutes.

11 Select the Path Method SNR tab to configure signal to noise ratio (SNR) values used when selecting the path to the meshpoint root.

Figure 8-130 Mesh Point Auto Channel Selection - Path Method SNR screen

12 Set the following 2.4 GHz and 5.0/4.9 GHz path method SNR data:
Channel Width: Set the channel width the meshpoint automatic channel scan assigns to the selected radio. Available options include:
- Automatic: The channel width is calculated automatically. This is the default value.
- 20 MHz: Sets the width between two adjacent channels as 20 MHz.
- 40 MHz: Sets the width between two adjacent channels as 40 MHz.
- 80 MHz: Sets the width between two adjacent channels as 80 MHz for 802.11ac Access Points.
Priority Meshpoint: Set the meshpoint monitored for automatic channel scans. This is the meshpoint assigned priority over other available mesh points. When configured, a mesh connection is established with this mesh point. If not configured, a meshpoint is automatically selected. This setting is disabled by default.
SNR Delta: Set the signal to noise ratio (SNR) delta (from 1 - 100 dB) for mesh path selections. When path selection occurs, the defined value is utilized for selecting the optimal path. A better candidate, on a different channel, must have a signal strength that exceeds this delta value when compared to the signal strength of the next hop in the mesh network. The default setting is 5 dB.
SNR Threshold: Set the SNR threshold for mesh path selections (from -100 to 0 dB). If the signal strength of the next mesh hop falls below this set value, a scan is triggered to select a better next hop. The default setting is -65 dB.
Off-channel Duration: Configure the duration (from 20 - 250 milliseconds) the scan dwells on each channel when performing an off channel scan. The default setting is 50 milliseconds.

13 Select the Path Method Root Path Metric tab to calculate root path metrics for a mesh point.

Figure 8-131 Mesh Point Auto Channel Selection - Root Path Metric screen

14 Set the following Path Method Root Path Metrics (applying to both the 2.4 GHz and 5.0/4.9 GHz frequencies):
Channel Width: Set the channel width the meshpoint automatic channel scan should assign to the selected radio. The available options are:
- Automatic: The channel width is calculated automatically. This is the default value.
- 20 MHz: Sets the width between two adjacent channels as 20 MHz.
- 40 MHz: Sets the width between two adjacent channels as 40 MHz.
- 80 MHz: Sets the width between two adjacent channels as 80 MHz for 802.11ac Access Points.
Priority Meshpoint: Define the meshpoint assigned priority over other available mesh points. When configured, a mesh connection is established with this mesh point. If not configured, a meshpoint is automatically selected.
Meshpoint: Path Minimum: Set the minimum path metric (from 100 - 20,000) for mesh connection establishment. The default setting is 1000.
Meshpoint: Path Metric Threshold: Configure a minimum threshold (from 800 - 65535) for triggering an automatic channel selection for meshpoint selection. The default is 1500.
Meshpoint: Tolerance Period: Configure a duration to wait before triggering an automatic channel selection for the next mesh hop. The default is one minute.
Meshpoint Root: Sample Count: Set the number of scans (from 1 - 10) for data collection before a mesh point root is selected. The default is 5.
Meshpoint Root: Off-channel Scan Frequency: Configure the duration (from 1 - 60 seconds) between two consecutive off channel scans for the meshpoint root. The default is 6 seconds.
Meshpoint Root: Channel Hold Time: Set the minimum duration (from 0 - 1440 minutes) to remain on a selected channel before channel conditions are reassessed for a possible channel change. Set this value to zero (0) to prevent an automatic channel selection from occurring. The default is 30 minutes.
Meshpoint Root: Channel Switch Delta: Configure the delta (from 5 - 35 dBm) that triggers a meshpoint root automatic channel selection when exceeded. The default is 10 dBm.

15 Select OK to save the updates to the Mesh Point configuration. Select Reset to revert to the last saved configuration.

8.14.1 Vehicle Mounted Modem (VMM) Deployment Considerations

Before defining a VMM configuration (mounting an AP7161 mesh point on a moving vehicle), refer to the following deployment guidelines to ensure the configuration is optimally effective:
- Disable layer 2 stateful packet inspection from the firewall policy. For more information, see Firewall Policy Advanced Settings on page 10-10.
- Set the RTS threshold value to 1 on all mesh devices. The default is 2347. For more information on defining radio settings, refer to Access Point Radio Configuration on page 8-55.
- Use Opportunistic as the rate selection setting for the AP7161 radio. The default is Standard.
- Disable Dynamic Chain Selection (radio setting). The default is enabled. This setting can be disabled in the CLI using the dynamic-chain-selection command, or in the UI.
- Disable A-MPDU Aggregation if the intended vehicular speed is greater than 30 mph.
- Setting a misconfiguration recovery time for the non-root AP profile is recommended. This delays the rejection of the newest configuration push from the controller, which could otherwise cause adoption loss. The additional delay is to support cases when the new configuration from the controller causes the root AP to move from the current channel to other channels, resulting in a mesh link going down, and in turn non-root APs losing adoption. This delay accommodates the time needed for the non-root AP to scan all channels and find the best root node. The non-root AP can then begin operating on the new channel, establish the mesh link and re-adopt to the controller. (For countries using DFS, the scan time is also factored into the configured value.) If the AP fails to find a suitable root node within this time, the new config is treated as a misconfiguration and the device rejects the latest config. For outdoor APs, it is recommended that the misconfiguration-recovery-time be disabled. This can be accomplished by setting the value to 0. Update non-root ap71xx profiles on the controller to include this change. Using an appropriate console terminal and/or connection to your device, log on to the CLI and follow these steps:

rfs6000-xxxxxx>enable
rfs6000-xxxxxx #configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
rfs6000-xxxxxx (config)#profile ap71xx Non-Root AP71xx
rfs6000-xxxxxx (config-profile-Non-Root-AP71xx)#misconfiguration-recovery-time 0
rfs6000-xxxxxx (config-profile-Non-Root-AP71xx)#
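The Path Method Hysteresis settings (step 8: Minimum Threshold, Signal Strength Delta, Sustained Time Period) and the SNR Threshold on the Path Method SNR tab (step 12) together describe a next-hop selection rule. The Python below is an added model of that rule, not WiNG code; the Hysteresis class, the NextHopSelector class, the neighbour names A/B/X and their SNR readings are constructed here, and the assumption that a mesh point with no next hop at all takes the best candidate above Minimum Threshold immediately is the example's own.

```python
"""Model of dynamic next-hop selection with path-method hysteresis.

Constructed illustration of the Path Method Hysteresis and Path Method SNR
settings described in the text. It is not the WiNG mesh implementation.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PathHysteresis:
    """Settings named in the text, with the documented defaults."""
    min_threshold_db: float = 0.0     # Minimum Threshold (default 0 dB)
    delta_db: float = 1.0             # Signal Strength Delta (default 1 dB)
    sustained_s: float = 1.0          # Sustained Time Period (default 1 s)
    scan_threshold_db: float = -65.0  # SNR Threshold, Path Method SNR tab (default -65 dB)


@dataclass
class NextHopSelector:
    cfg: PathHysteresis
    current: Optional[str] = None          # name of the next hop in use
    current_snr: Optional[float] = None    # its most recent SNR reading
    # time at which each candidate started to continuously satisfy the constraints
    qualifying_since: Dict[str, float] = field(default_factory=dict)

    def _qualifies(self, snr: float) -> bool:
        if snr <= self.cfg.min_threshold_db:
            return False                   # below Minimum Threshold: never considered
        if self.current_snr is None:
            return True                    # no next hop yet (assumption: any candidate above threshold)
        return snr > self.current_snr + self.cfg.delta_db   # must beat the current hop by the delta

    def observe(self, now: float, samples: Dict[str, float]) -> Optional[str]:
        """Feed one round of neighbour SNR readings (dB) taken at time `now` (s).

        Returns the next hop in use after this round."""
        # refresh the SNR of the current hop from this round's readings
        if self.current is not None and self.current in samples:
            self.current_snr = samples[self.current]

        # assumption: with no next hop at all, take the best qualifying candidate immediately
        if self.current is None:
            eligible = {n: s for n, s in samples.items() if self._qualifies(s)}
            if eligible:
                best = max(eligible, key=eligible.get)
                self.current, self.current_snr = best, eligible[best]
                self.qualifying_since.clear()
            return self.current

        # otherwise track how long each better candidate has stayed better
        for name, snr in samples.items():
            if name == self.current:
                continue
            if self._qualifies(snr):
                self.qualifying_since.setdefault(name, now)
            else:
                self.qualifying_since.pop(name, None)   # streak broken: start over
        for name in list(self.qualifying_since):       # unheard neighbours lose their streak too
            if name not in samples:
                del self.qualifying_since[name]

        # switch only once a candidate has sustained the constraints for the configured period
        sustained = [n for n, t0 in self.qualifying_since.items()
                     if now - t0 >= self.cfg.sustained_s]
        if sustained:
            best = max(sustained, key=lambda n: samples[n])
            self.current, self.current_snr = best, samples[best]
            self.qualifying_since.clear()
        return self.current

    def scan_needed(self) -> bool:
        """Path Method SNR rule: the current hop fell below SNR Threshold, so rescan."""
        return self.current_snr is not None and self.current_snr < self.cfg.scan_threshold_db


def demo() -> List[Optional[str]]:
    """Constructed trace: neighbour B becomes better than hop A by more than the
    1 dB delta and is adopted only after sustaining that for 1 s; A later bouncing
    to within the delta does not flap the path back."""
    sel = NextHopSelector(PathHysteresis())
    rounds = [
        (0.0, {"A": 20.0, "B": 15.0}),   # initial selection: A
        (0.5, {"A": 20.0, "B": 22.0}),   # B better by 2 dB, streak starts
        (1.0, {"A": 20.0, "B": 22.0}),   # sustained 0.5 s: not yet
        (1.6, {"A": 20.0, "B": 22.0}),   # sustained 1.1 s: switch to B
        (2.0, {"A": 22.5, "B": 22.0}),   # A only 0.5 dB better: no flap
    ]
    return [sel.observe(t, s) for t, s in rounds]   # returns ['A', 'A', 'A', 'B', 'B']


if __name__ == "__main__":
    print(demo())
```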
8.15 Profile Environmental Sensor Configuration (AP8132 Only)

A sensor module is a USB environmental sensor extension to either an AP8132 or AP8232 model Access Point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the Access Point's radio coverage area. The output of the sensor's detection mechanisms is viewable using the Environmental Sensor screen. To set or override an environmental sensor configuration for an AP8132 model Access Point:

1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Environmental Sensor.

5 Set the following Light Sensor settings for the sensor module:
Figure 8-132 Profile - Environmental Sensor screen

Enable Light Sensor: Select this option to enable the light sensor on the module. This setting is enabled by default. The light sensor reports whether the deployment location has its lights powered on or off.
Polling Time to Determine if Light is On/Off: Define an interval in Seconds (2 - 201) or Minutes (1 - 4) for the sensor module to poll its environment, assess light intensity and determine whether lighting is on or off. The default polling interval is 10 seconds. Light intensity is used to determine whether the Access Point's deployment location is currently populated with clients.
Shutdown WLAN Radio at Low Limit of Light Threshold: Select this option to power off the Access Point's radio if the light intensity dims below the set threshold. If enabled, select All (both radios), radio-1 or radio-2.
Low Limit of Light Threshold: Set the low threshold limit (from 0 - 1,000 lux) to determine whether the lighting is off in the Access Point's deployment location. The default is 200. In daytime, the light sensor's value is between 350-450. The default value for the low threshold is 200, i.e., the radio is turned off if the average reading value is lower than 200.
High Limit of Light Threshold: Set the upper threshold limit (from 100 - 10,000 lux) to determine whether the lighting is on in the Access Point's deployment location. The default high threshold is 400. The radios are turned on when the average value is higher than 400.

6 Enable or disable the following Environmental Sensors:
Enable Temperature Sensor: Select this option to enable the module's temperature sensor. Results are reported back to the Access Point's Environment screens within the Statistics node. This setting is enabled by default.
Enable Motion Sensor: Select this option to enable the module's motion sensor. Results are reported back to the Access Point's Environment screens within the Statistics node. This setting is enabled by default.
Enable Humidity Sensor: Select this option to enable the module's humidity sensor. Results are reported back to the Access Point's Environment screens within the Statistics node. This setting is enabled by default.

7 Define or override the following Shared Configuration setting:
Polling Interval for All Sensors: Set an interval in either Seconds (1 - 100) or Minutes (1 - 2) for the time between all environmental polling (both light and environment). The default setting is 5 seconds.

8 Select OK to save the changes made to the environmental sensor screen. Select Reset to revert to the last saved configuration.

8.16 Advanced Profile Configuration

A profile's advanced configuration is comprised of defining its MINT protocol configuration and the profile's NAS identifier and port ID attributes. MINT provides secure profile communications at the transport layer. Using MINT, a device can be configured to only communicate with other authorized (MINT enabled) devices. Therefore, MINT is well designed for profile support, wherein a group of managed devices share the same configuration attributes. Refer to the advanced profile's Miscellaneous menu item to set the profile's NAS configuration. The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port. To set a profile's advanced configuration:

1 Select the Configuration tab from the Web UI.
2 Select Profiles from the Configuration tab.
3 Select Manage Profiles from the Configuration > Profiles menu.
4 Select Advanced and expand the menu item. The following sub menu items are available as advanced profile configuration options:
- Client Load Balance Configuration
- Configuring MINT Protocol
- Advanced Profile Miscellaneous Configuration

8.16.1 Client Load Balance Configuration

Set the ratios and calculation values used by Access Points to distribute client loads both amongst neighbor devices and across the 2.4 and 5 GHz radio bands. To define Access Point client load balance algorithms:

1 Select Client Load Balancing from the Advanced menu item.

Figure 8-133 Advanced Profile - Client Load Balancing screen

2 Use the Group ID field to define a group ID of up to 32 characters to differentiate the ID from others with similar configurations.

3 Select the SBC strategy from the drop-down menu to determine how band steering is conducted. Band steering directs 5 GHz-capable clients to that band. When an Access Point hears a request from a client to associate on both the 2.4 GHz and 5 GHz bands, it knows the client is capable of operation in 5 GHz. Band steering steers the client by responding only to the 5 GHz association request and not the 2.4 GHz request. The client only associates in the 5 GHz band.

4 Set the following Neighbor Selection Strategies:
Using Probes from common clients: Select this option to select neighbors (peer devices) using probes from common clients. This setting is enabled by default.
Using Notifications from roamed clients: Select this option to select neighbors (peer devices) using roam notifications from roamed clients. This setting is enabled by default.
Using smart-rf neighbor detection: Select this option to select neighbors (peer devices) using Smart RF. This setting is enabled by default.

5 Enable Balance Band Loads by Radio to distribute an Access Point's client traffic load across both the 2.4 and 5 GHz radio bands.

6 Set the following Channel Load Balancing settings:

Balance 2.4 GHz Channel Loads: Select this option to balance an Access Point's 2.4 GHz client load across all channels available to that model SKU. This setting is enabled by default.
Balance 5 GHz Channel Loads: Select this option to balance an Access Point's 5 GHz client load across all channels available to that model SKU. This setting is enabled by default.

7 Enable Balance AP Loads (from within the AP Load Balance field) to distribute client traffic evenly amongst neighbor Access Points. This setting is enabled by default.

8 Set the following Band Control values:
Max. Band Load Difference Considered Equal: Set the maximum load difference (from 1 - 100%) considered equal when comparing band loads. The default setting is 1%.
Band Ratio (2.4 GHz): Set the relative load for the 2.4 GHz radio band as a leveled ratio from 1 - 10. The default setting is 0.
Band Ratio (5 GHz): Set the relative load for the 5 GHz radio band as a leveled ratio from 1 - 10. The default setting is 0.
5 GHz load at which both bands enabled: Define the 5 GHz radio load value (from 1 - 100%) above which the 5 GHz radio is equally preferred in the overall load balance distribution. The default is 75%.
2.4 GHz load at which both bands enabled: Define the 2.4 GHz radio load value (from 1 - 100%) above which the 2.4 GHz radio is equally preferred in the overall load balance distribution. The default is 75%.

9 Define the following Neighbor Selection settings:
Minimal signal strength for common clients: Define the minimum signal strength value (from -100 to 30 dBm) that must be exceeded for an Access Point's detected client to be considered a common client. The default setting is -100 dBi.
Minimum number of clients seen: Set the minimum number of clients (from 0 - 256) that must be common to two or more Access Points for the Access Points to regard one another as neighbors using the common client neighbor detection strategy. The default setting is 0.
Max confirmed neighbors: Set the maximum number (from 1 - 16) of neighbor Access Points that must be detected amongst peer Access Points to initiate load balancing. The default setting is 16.
Minimum signal strength for smart-rf neighbors: Set the minimal signal strength value (from -100 to 30 dBm) for an Access Point detected using Smart RF to qualify as a neighbor Access Point. The default setting is -65 dBm.

10 Set the following Advanced Parameters for client load balancing:
Max. 2.4 GHz Difference Considered Equal: Set the maximum load difference (from 1 - 100%) considered equal when comparing 2.4 GHz client loads. The default setting is 1%.
Min. Value to Trigger 2.4 GHz Channel Balancing: Set the threshold (from 1 - 100%) beyond which channel load balancing is triggered in the 2.4 GHz radio band. The default setting is 5%.
Weightage given to Client Count: Set the weightage (from 1 - 100%) applied to client count calculations in the 2.4 GHz radio band. The default setting is 90%.
Weightage given to Throughput: Set the weightage (from 1 - 100%) applied to client throughput calculations in the 2.4 GHz radio band. The default setting is 10%.
Max. 5 GHz Difference Considered Equal: Set the maximum load difference (from 1 - 100%) considered equal when comparing 5 GHz client loads. The default setting is 1%.
Min. Value to Trigger 5 GHz Channel Balancing: Set the threshold (from 1 - 100%) beyond which channel load balancing is triggered in the 5 GHz radio band. The default setting is 5%.
Weightage given to Client Count: Set the weightage (from 1 - 100%) applied to client count calculations in the 5 GHz radio band. The default setting is 90%.
Weightage given to Throughput: Set the weightage (from 1 - 100%) applied to client throughput calculations in the 5 GHz radio band. The default setting is 10%.

11 Define the following AP Load Balancing settings:
Min. Value to Trigger Balancing: Set a value (from 1 - 100%) used to trigger client load balancing when exceeded. The default setting is 5%.

Max. AP Load Difference Considered Equal: Set the maximum load balance differential (from 1 - 100%) considered equal when comparing neighbor Access Point client loads. The default setting is 1%.

Weightage Given to Client Count: Set the weightage (from 1 - 100%) applied to client count in an Access Point's overall load calculation. The default setting is 90%.

Weightage Given to Throughput: Set the weightage (from 1 - 100%) applied to client throughput in an Access Point's overall load calculation. The default setting is 10%.

12 Select OK to save the changes made to the profile's client load balance configuration. Select Reset to revert to the last saved configuration.

8.16.2 Configuring MINT Protocol

MINT provides the means to secure profile communications at the transport layer. Using MINT, a device can be configured to only communicate with other authorized (MINT enabled) devices. Keys can be generated externally using any application (like openssl). These keys must be present on the managed device managing the domain for key signing to be integrated with the UI.

A MAP device that needs to communicate with another first negotiates a security context with that device. The security context contains the transient keys used for encryption and authentication.

A secure network requires users to know about certificates and PKI. However, administrators do not need to define security parameters for Access Points to be adopted
(secure WISPe being an exception, but that isn't a commonly used feature). Also, users can replace any device on the network or move devices around and they continue to work. Default security parameters for MiNT are such that these scenarios continue to function as expected, with minimal user intervention required only when a new network is deployed.

To define a profile's MINT configuration:
1 Select MINT Protocol from the Advanced profile menu item. The Settings tab displays by default.

Figure 8-134 Advanced Profile MINT screen - Settings tab

2 Refer to the Area Identifier field to define the Level 1 and Level 2 Area IDs used by the profile's MINT configuration.

Level 1 Area ID: Select this option to either use a spinner control for setting the Level 1 Area ID (1 - 16,777,215) or create an alias for the ID. An alias enables an administrator to define a configuration item, such as this area ID, as an alias once and use the alias across different configuration items. The default value is disabled.

3 Define the following Priority Adjustment in respect to devices supported by the profile:
Designated IS Priority Adjustment: Set a Designated IS Priority Adjustment setting from -255 to 255. This is the value added to the base level DIS priority to influence the Designated IS (DIS) election. A value of +1 or greater increases DISiness. The default setting is 0.

4 Select the Latency of Routing Recalculation check box (within the Shortest Path First (SPF) field) to enable the spinner control used for defining a latency period from 0 - 60 seconds. The default setting has the check box disabled.

5 Define the following MINT Link Settings in respect to devices supported by the profile:
MLCP IP: Check this box to enable MINT Link Creation Protocol (MLCP) by IP Address. MLCP is used to create one UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform; it can be another Access Point with a path to the controller or service platform.

MLCP IPv6: Check this box to enable MLCP for automated MiNT UDP/IP link creation. This setting is enabled by default.

MLCP VLAN: Check this box to enable MLCP by VLAN. MLCP is used to create one VLAN link from the device to a neighbor. That neighboring device does not need to be a controller or service platform; it can be another Access Point with a path to the controller or service platform.

Tunnel MiNT across extended VLAN: Select this option to tunnel MiNT protocol packets across an extended VLAN. This setting is disabled by default.

6 Select Tunnel Controller Load Balancing (Level 1) to enable load balance distribution via a WLAN tunnel controller. This setting is disabled by default.

7 Select Inter Tunnel Bridging (Level 2) to enable inter tunnel bridging. This setting is disabled by default.

8 Enter a 64 character maximum Tunnel Controller Name for this tunneled-WLAN-controller interface.

9 Enter a 64 character maximum Preferred Tunnel Controller Name this Access Point prefers to tunnel traffic to via an extended VLAN.

10 Select the IP tab to display the link IP network address information shared by the devices managed by the MINT configuration.

Figure 8-135 Advanced Profile MINT screen - IP tab

11 The IP tab displays the IP address, routing level, link cost, hello packet interval and Adjacency Hold Time managed devices use to securely communicate amongst one another within the managed network. Select Add to create a new Link IP configuration or Edit to modify an existing MINT configuration.
12 Set the following Link IP parameters to complete the MINT network address configuration:
Figure 8-136 Advanced Profile MINT screen - IP Add tab

IP: Define or override the IP address used by peers for interoperation when supporting the MINT protocol. Use the drop-down to select the type of IP address provided. The available choices are IPv4 Address and IPv6 Address.

Port: To specify a custom port for MiNT links, select this option and use the spinner control to define the port number between 1 and 65,535.

Routing Level: Use the spinner control to define a routing level of either 1 or 2.

Listening Link: Specify a listening link of either 0 or 1. UDP/IP links can be created by configuring a matching pair of links, one on each end point. However, that is error prone and doesn't scale. So UDP/IP links can also listen (in the TCP sense), and dynamically create connected UDP/IP links when contacted.

Forced Link: Check this box to specify the MiNT link as a forced link.

Link Cost: Use the spinner control to define a link cost between 1 - 10,000. The default value is 100.

Hello Packet Interval: Set an interval in either Seconds (1 - 120) or Minutes (1 - 2) for the transmission of hello packets. The default interval is 15 seconds.

Adjacency Hold Time: Set a hold time interval in either Seconds (2 - 600) or Minutes (1 - 10) for the transmission of hello packets. The default interval is 46 seconds.

IPSec Secure: Enable this option to provide IPSec secure peer authentication on the MiNT connection (link). This option is disabled by default.

IPSec GW: Select the numerical IP address or administrator defined hostname of the IPSec gateway.

13 Select the VLAN tab to display the link IP VLAN information shared by the devices managed by the MINT configuration.

Figure 8-137 Advanced Profile MINT screen - VLAN tab

14 The VLAN tab displays the VLAN, Routing Level, Link Cost, Hello Packet Interval and Adjacency Hold Time managed devices use to securely communicate amongst one another.
Select Add to create a new VLAN link configuration or Edit to modify an existing MINT configuration.

Figure 8-138 Advanced Profile MINT screen - VLAN tab

15 Set the following VLAN parameters for the MINT configuration:
VLAN: Define a VLAN ID between 1 - 4,094 used by peers for interoperation when supporting the MINT protocol.

Routing Level: Use the spinner control to define a routing level of either 1 or 2.

Link Cost: Use the spinner control to define a link cost between 1 - 10,000. The default value is 100.

Hello Packet Interval: Set an interval in either Seconds (1 - 120) or Minutes (1 - 2) for the transmission of hello packets. The default interval is 15 seconds.

Adjacency Hold Time: Set a hold time interval in either Seconds (2 - 600) or Minutes (1 - 10) for the transmission of hello packets. The default interval is 46 seconds.

16 Select OK to save the updates and overrides to the MINT Protocol's VLAN configuration. Select Reset to revert to the last saved configuration.

17 Select the Rate Limits tab to display data rate limits configured on extended VLANs and optionally add or edit rate limit configurations.

Excessive traffic can cause performance issues on an extended VLAN. Excessive traffic can be caused by numerous sources including network loops, faulty devices or malicious software such as a worm or virus that has infected one or more devices. Rate limiting reduces the maximum rate sent or received per wireless client. It prevents any single user from overwhelming the wireless network. It can also provide differential service for service providers. Uplink and downlink rate limits are usually configured on a RADIUS server using vendor specific attributes. Rate limits are extracted from the RADIUS server's response. When such attributes are not present, the settings defined on the controller, service platform or Access Point are applied. An administrator can set separate QoS rate limit configurations for data types transmitted from the network
(upstream) and data transmitted from wireless clients back to associated radios (downstream).

Figure 8-139 Advanced Profile MINT screen - Rate Limit tab

Existing rate limit configurations display along with their virtual connection protocols and data traffic QoS customizations.

18 Select Add to create a new rate limit configuration.

19 Set the following Rate Limits to complete the MINT configuration:
Figure 8-140 Advanced Profile MINT screen - Add Rate Limit

Level: Select level2 to apply rate limiting for all links on level2.

Protocol: Select either mlcp or link as this configuration's rate limit protocol. Mint Link Creation Protocol (MLCP) creates a UDP/IP link from the device to a neighbor. The neighboring device does not need to be a controller or service platform; it can be an Access Point with a path to the controller or service platform. Select link to rate limit using statically configured MiNT links.

Link Type: Select either VLAN, to configure a rate limit configuration on a specific virtual LAN, or IP to set rate limits on a static IP address/Port configuration.

VLAN: When the Protocol is set to link and the Link Type is set to VLAN, use the spinner control to select a virtual LAN from 1 - 4094 to refine the rate limiting configuration to a specific VLAN.

IP: When the Protocol is set to link and the Link Type is set to VLAN, enter the IP address as the network target for rate limiting.

Port: When the Protocol is set to link and the Link Type is set to VLAN, use the spinner control to set the virtual port (1 - 65,535) used for rate limiting traffic.

Rate: Define a rate limit between 50 - 1,000,000 kbps. This limit constitutes a threshold for the maximum number of packets transmitted or received (from all access categories). Traffic that exceeds the defined rate is dropped and a log message is generated. The default setting is 5000 kbps.

Max Burst Size: Use the spinner to set the maximum burst size from 0 - 1024 kb. The smaller the burst, the less likely the upstream packet transmission will result in congestion for the WLAN's client destinations. By trending the typical number of ARP, broadcast, multicast and unknown unicast packets over a period of time, the average rate for each access category can be obtained. Once a baseline is obtained, administrators should add a 10% margin (minimally) to allow for traffic bursts. The default burst size is 320 kbytes.

Background: Configures the random early detection threshold (as a percentage) for low priority background traffic. Background packets are dropped and a log message generated if the rate exceeds the set value. Background traffic consumes the least bandwidth of any access category, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.

Best-Effort: Configures the random early detection threshold (as a percentage) for low priority best-effort traffic. Best-effort packets are dropped and a log message generated if the rate exceeds the set value. Best effort traffic consumes little bandwidth, so this value can be set to a lower value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 50%.

Video: Configures the random early detection threshold (as a percentage) for high priority video traffic. Video packets are dropped and a log message generated if the rate exceeds the set value. Video traffic consumes significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 25%.

Voice: Configures the random early detection threshold (as a percentage) for high priority voice traffic. Voice packets are dropped and a log message generated if the rate exceeds the set value. Voice applications consume significant bandwidth, so this value can be set to a higher value once a general upstream rate is known by the network administrator (using a time trend analysis). The default setting is 0%.

20 Select OK to save the updates and overrides to the MINT Protocol's rate limit configuration. Select Reset to revert to the last saved configuration.
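The Link IP and VLAN tables above document a value range for every MiNT link parameter, and the Rate Limits table does the same for rate, burst and the per-category thresholds. The Python script below is an added example written for this guide, not Extreme Networks or WiNG code: it audits a profile's link and rate-limit entries against those documented ranges before they are committed, flags IP links left at the disabled-by-default IPSec Secure setting, and applies the 10% margin rule from the Max Burst Size description to a constructed set of trended traffic samples. The dictionary layout, the field names (`kind`, `ipsec_secure`, `routing_level` and the rest), the RFC 5737 addresses and the sample profile are all assumptions made for this illustration; the check that the hold time must exceed the hello interval is the editor's sanity check, not a rule the guide states.

```python
"""Audit MiNT link and rate-limit entries against the ranges the profile
screens document.  Added example, not WiNG code: the dict layout and the
field names are assumptions made for this illustration."""

# Inclusive ranges and defaults as stated on the Link IP / VLAN tabs and the
# Rate Limits tab (hello interval and hold time in seconds).
RANGES = {
    "port": (1, 65535), "vlan": (1, 4094), "routing_level": (1, 2),
    "link_cost": (1, 10000), "hello_interval_s": (1, 120),
    "hold_time_s": (2, 600), "rate_kbps": (50, 1_000_000),
    "max_burst_kb": (0, 1024),
}
DEFAULTS = {"link_cost": 100, "hello_interval_s": 15, "hold_time_s": 46,
            "rate_kbps": 5000, "max_burst_kb": 320}
# Random early detection thresholds (percent) with their documented defaults.
RED_DEFAULTS = {"background": 50, "best_effort": 50, "video": 25, "voice": 0}


def _check(findings, name, value):
    """Append a finding unless value is an int inside the documented range."""
    lo, hi = RANGES[name]
    if not isinstance(value, int) or not lo <= value <= hi:
        findings.append(f"{name}={value!r} outside documented range {lo}-{hi}")


def audit_link(link):
    """Findings for one Link IP or VLAN entry ('kind' is 'ip' or 'vlan')."""
    f, link = [], {**DEFAULTS, **link}           # apply documented defaults
    kind = link.get("kind")
    if kind == "vlan":
        _check(f, "vlan", link.get("vlan"))
    elif kind == "ip":
        if "port" in link:                       # custom MiNT port is optional
            _check(f, "port", link["port"])
        # IPSec peer authentication is disabled by default on MiNT links.
        if not link.get("ipsec_secure"):
            f.append("ipsec_secure disabled: peers are not IPSec authenticated")
        elif not link.get("ipsec_gw"):
            f.append("ipsec_secure enabled but no IPSec gateway configured")
    else:
        f.append(f"unknown link kind {kind!r}")
    _check(f, "routing_level", link.get("routing_level"))
    for name in ("link_cost", "hello_interval_s", "hold_time_s"):
        _check(f, name, link[name])
    # Editor's sanity check, not a rule from the guide: a hold time that does
    # not exceed the hello interval drops the adjacency after one missed hello
    # (the documented defaults are 15 s hello, 46 s hold).
    hello, hold = link["hello_interval_s"], link["hold_time_s"]
    if isinstance(hello, int) and isinstance(hold, int) and hold <= hello:
        f.append("hold_time_s must exceed hello_interval_s")
    return f


def audit_rate_limit(rl):
    """Findings for one Rate Limits entry."""
    f, rl = [], {**DEFAULTS, **rl}
    proto, ltype = rl.get("protocol"), rl.get("link_type")
    if proto == "link" and ltype == "vlan":
        _check(f, "vlan", rl.get("vlan"))
    elif proto == "link" and ltype == "ip":
        _check(f, "port", rl.get("port"))
    elif proto == "link":
        f.append(f"link_type must be vlan or ip, got {ltype!r}")
    elif proto != "mlcp":
        f.append(f"protocol must be mlcp or link, got {proto!r}")
    _check(f, "rate_kbps", rl["rate_kbps"])
    _check(f, "max_burst_kb", rl["max_burst_kb"])
    for cat, default in RED_DEFAULTS.items():
        pct = rl.get(cat, default)
        if not isinstance(pct, int) or not 0 <= pct <= 100:
            f.append(f"{cat}={pct!r} is not a percentage 0-100")
    return f


def recommended_burst_kb(samples_kb, margin_pct=10):
    """Burst size from trended per-interval volumes (kB): the average is the
    baseline, the guide's 10% margin is added with an integer ceiling, and
    the result is clamped to the documented 0-1024 kB range."""
    num = sum(samples_kb) * (100 + margin_pct)
    den = len(samples_kb) * 100
    return min(RANGES["max_burst_kb"][1], -(-num // den))


# Constructed sample profile (not from the guide); RFC 5737 test addresses.
SAMPLE_PROFILE = {
    "links": [
        {"kind": "ip", "ip": "192.0.2.10", "routing_level": 1,
         "ipsec_secure": True, "ipsec_gw": "192.0.2.1"},
        {"kind": "ip", "ip": "192.0.2.20", "routing_level": 2,
         "hello_interval_s": 60, "hold_time_s": 46},
        {"kind": "vlan", "vlan": 4095, "routing_level": 1},
    ],
    "rate_limits": [
        {"level": 2, "protocol": "link", "link_type": "vlan", "vlan": 10,
         "rate_kbps": 20_000, "voice": 0, "video": 25},
        {"level": 2, "protocol": "mlcp", "rate_kbps": 40},
    ],
}
```

Run against the sample profile, the second IP link produces two findings (no IPSec, hold time 46 s below its 60 s hello interval), the VLAN link is rejected for VLAN 4095, and the second rate limit for a 40 kbps rate below the 50 kbps floor; `recommended_burst_kb([200, 240, 260, 300])` returns 275 kB.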
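The Rate and Max Burst Size rows above state that traffic beyond the configured rate is dropped and logged, but not how the rate and the burst size interact. The token-bucket model below is an added example, not WiNG code, and the bucket behaviour itself is an assumption about how such a limiter works; the units (kbps, kB), the defaults (5000 kbps, 320 kB) and the drop-and-log behaviour are the ones the table documents. The packet stream is constructed for the illustration.

```python
"""Token-bucket model of a MiNT rate limit.  Added example, not WiNG code:
the guide states only that traffic above the rate is dropped and logged, so
the bucket behaviour is an assumption; units and defaults are the guide's."""
from dataclasses import dataclass, field


@dataclass
class TokenBucket:
    rate_kbps: int = 5000        # documented default rate
    max_burst_kb: int = 320      # documented default burst size
    tokens: float = field(init=False)            # bits available right now
    last_t: float = field(init=False, default=0.0)
    log: list = field(default_factory=list)      # stands in for the drop log

    def __post_init__(self):
        self.capacity = self.max_burst_kb * 8000  # kB -> bits
        self.tokens = float(self.capacity)        # bucket starts full

    def offer(self, t, size_bytes, category):
        """Forward (True) or drop (False) a packet arriving at time t seconds."""
        refill = (t - self.last_t) * self.rate_kbps * 1000   # kbps -> bit/s
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_t = t
        need = size_bytes * 8
        if need <= self.tokens:
            self.tokens -= need
            return True
        self.log.append(f"t={t:.3f}s drop {size_bytes}B {category}: rate limit exceeded")
        return False


def simulate(packets, rate_kbps=5000, max_burst_kb=320):
    """Run (time_s, size_bytes, access_category) tuples through one limiter.
    Returns (forwarded, dropped, drops_by_category, log_lines)."""
    tb = TokenBucket(rate_kbps, max_burst_kb)
    forwarded = dropped = 0
    by_cat = {}
    for t, size, cat in packets:
        if tb.offer(t, size, cat):
            forwarded += 1
        else:
            dropped += 1
            by_cat[cat] = by_cat.get(cat, 0) + 1
    return forwarded, dropped, by_cat, tb.log


def constructed_burst():
    """Constructed traffic: ten 1500-byte best-effort frames back to back at
    t=0, then five 1500-byte video frames 100 ms later."""
    return [(0.0, 1500, "best_effort")] * 10 + [(0.1, 1500, "video")] * 5


if __name__ == "__main__":
    # Tight limit: 1000 kbps with a 10 kB (80,000-bit) bucket.  Six 12,000-bit
    # frames fit, frames 7-10 are dropped, and the 100 ms gap refills the
    # bucket (100,000 bits offered, capped at 80,000) so all five video pass.
    print(simulate(constructed_burst(), 1000, 10)[:3])   # (11, 4, {'best_effort': 4})
    # Documented defaults: the 320 kB bucket absorbs the whole burst.
    print(simulate(constructed_burst())[:3])              # (15, 0, {})
```

The two runs show why the burst size is sized from a trended baseline: with the same 1500-byte frames, a 10 kB bucket drops four of the first ten while the 320 kB default forwards everything, and each drop produces one log line.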
8.16.3 Advanced Profile Miscellaneous Configuration

Refer to the advanced profile's Miscellaneous menu item to set the profile's NAS configuration. The profile database on the RADIUS server consists of user profiles for each connected network access server (NAS) port. Each profile is matched to a username representing a physical port. When users are authorized, the server queries the user profile database using a username representative of the physical NAS port making the connection.

1 Select Miscellaneous from the Advanced Profiles menu item.

Figure 8-141 Advanced Profile Miscellaneous screen

2 Set a NAS-Identifier Attribute up to 253 characters. This is the RADIUS NAS-Identifier attribute that typically identifies the controller or service platform where a RADIUS message originates.

3 Set a NAS-Port-Id Attribute up to 253 characters in length. This is the RADIUS NAS port ID attribute which identifies the device port where a RADIUS message originates.

4 Select the Turn on LEDs option (within the LEDs (Light Emitting Diodes) section) to enable the LEDs on the Access Point. This parameter is not available for controllers or service platforms. Select the Flash Pattern(2) option (within the LEDs (Light Emitting Diodes) field) to flash an Access Point's LEDs in a distinct manner (different from its operational LED behavior) to allow an administrator to validate an Access Point has received its configuration from its managing controller or service platform. Enabling this feature allows an administrator to validate an Access Point has received its configuration
(perhaps remotely at the site of deployment) without having to log into the managing controller or service platform. This feature is disabled by default.

5 Select the Capable option (within the RF Domain Manager section) to designate this specific profile managed device as being capable of being the RF Domain manager. The default value is enabled.

6 Select the Priority check box (within the RF Domain Manager section) to set a priority value for this specific profile managed device. Once enabled, use the spinner control to set a device priority between 1 - 255. The higher the number set, the higher the priority in the RF Domain manager election process.

7 Configure a Root Path Monitor Interval, between 1 and 65,535 seconds, to specify how often to check if the meshpoint is up or down. Set the Additional Port value (within the RADIUS Dynamic Authorization field) between 1 and 65,535, or to 1700 to enable a CISCO Identity Services Engine (ISE) Authentication, Authorization and Accounting
(AAA) server to dynamically authenticate a client. When a client requests access to a CISCO ISE RADIUS server supported network, the server presents the client with a URL where a device's compliance is checked for definition file validity (this form of file validity checking is called posture). If the client device complies, it is allowed access to the network.

8 Select OK to save the changes made to the profile's advanced miscellaneous configuration. Select Reset to revert to the last saved configuration.

9 RF Domains

About RF Domains

A controller or service platform's configuration is composed of numerous elements including RF Domains, profiles, policies, WLANs and device specific configurations. RF Domains are used to assign regulatory, location and relevant policies to controllers and service platforms. RF Domains are required, and each controller or service platform must be assigned at least one default RF Domain.

RF Domains allow administrators to assign configuration data to multiple devices deployed in a common coverage area, such as in a floor, building or site. Each RF Domain contains policies that can determine a Smart RF or WIPS configuration.

RF Domains enable administrators to override WLAN SSID name and VLAN assignments. This enables the deployment of a global WLAN across multiple sites and unique SSID name or VLAN assignments to groups of Access Points servicing the global WLAN. This WLAN override technique eliminates the requirement for defining and managing a large number of individual WLANs and profiles.

A configuration contains (at a minimum) one default RF Domain and can optionally use additional user defined RF Domains:
Default RF Domain - Automatically assigned to each controller or service platform and associated Access Point by default.

User Defined RF Domains - Created by administrators and manually assigned to individual controllers or service platforms, but can be automatically assigned to Access Points using adoption policies.

Each controller and service platform is assigned to only one RF Domain at a time. However, a user defined RF Domain can be assigned to multiple controllers or service platforms as required. User defined RF Domains can be manually assigned or automatically assigned to Access Points using an AP provisioning policy.

Default RF Domains

Each controller and service platform utilizes a default RF Domain. Access Points are assigned to this default RF Domain as they are discovered by the controller or service platform. The default RF Domain can be used for single site deployments, where regional, regulatory and RF policies are common between devices. When regional, regulatory or RF policies need to be device specific, user defined RF Domains are recommended.

A default RF Domain can also omit configuration parameters to prohibit regulatory configuration from automatically being inherited by devices as they are discovered by the controller or service platform. This is desirable in multi-site deployments with devices spanning multiple countries. Omitting specific configuration parameters eliminates the risk of an incorrect country code being automatically assigned to a device.

User Defined RF Domains

Configure and deploy user defined RF Domains for single or multiple sites when controllers or service platforms require unique regulatory and regional configurations, or unique Smart RF and WIPS policies. User defined RF Domains can be used to:
Assign unique Smart RF or WIPS policies to Access Points deployed on different floors or buildings within a site.

Assign unique regional or regulatory configurations to Access Points deployed in different states or countries.

Assign unique WLAN SSIDs and/or VLAN IDs to sites assigned a common WLAN without having to define individual WLANs for each site.

User defined RF Domains must be manually assigned to controllers or service platforms, but can be manually or automatically assigned to Access Points. Manual RF Domain assignment can be performed using the CLI or UI by modifying each device's individual configuration and assigning a specific RF Domain to the device. Automatic RF Domain assignments can be made using an AP provisioning policy which can assign specific RF Domains to Access Points based on an Access Point's model, serial number, VLAN, DHCP option, IP address or MAC address. Automatic RF Domain assignments are useful in large deployments, as they enable plug-n-play Access Point deployments by automatically applying RF Domains to remote Access Points.

9.1 Managing RF Domains

Managing RF Domains entails configuring individual RF Domains as required and managing them as a collective set. To review the configurations of existing RF Domains:
1 Select Configuration > RF Domains from the Web UI. The RF Domain screen displays within the main portion of the Web UI, and the RF Domain Browser displays in the lower, left-hand portion of the Web UI.

2 Refer to the RF Domain screen to review high-level configuration data for existing RF Domain policies.

Figure 9-1 RF Domains screen

3 Use the following (read only) information to determine whether a new RF Domain policy requires creation, or an existing RF Domain requires edit or deletion:
RF Domain: Lists each policy's name, as assigned when it was created. The RF Domain name cannot be changed as part of the edit process. Only one RF Domain can be assigned to a controller or service platform.

Location: Displays the physical location assigned to the RF Domain. The name could be as specific as the floor of a building, or as generic as an entire site. The location defines the physical area where a common set of devices are deployed using the policy's RF Domain configuration.

Contact: Lists the contact (or administrator) assigned to respond to events created by, or impacting, RF Domain member devices.

Time Zone: Displays the geographic time zone set for each RF Domain policy. RF Domains can be assigned unique country codes and time zone information for upload by devices deployed and managed across different states or countries, thus making them ideal for configurations across different geographical areas.

Country: Displays the two-digit country code set for the policy. The country code must be set accurately to avoid illegal operation, as device radios transmit in specific channels unique to their country of operation.

4 Refer to the RF Domain Browser to expand each existing RF Domain policy and review the device MAC addresses operating within the location defined and using the configuration defined for the policy.

Figure 9-2 RF Domain Browser

5 Once the data within the RF Domain screen and RF Domain Browser is reviewed, determine whether a new policy requires creation, or if an existing policy requires edit or deletion. The management of RF Domains entails the following:
RF Domain Basic Configuration
RF Domain Sensor Configuration
RF Client Name Configuration
RF Domain Overrides
RF Domain Network Alias

9.1.1 RF Domain Basic Configuration

To set an RF Domain basic configuration:
1 Select Configuration > RF Domains from the Web UI.

2 From the RF Domain screen, either select the Add button or highlight an existing RF Domain and select Edit. An RF Domain configuration can be permanently removed by highlighting it from the list and selecting Delete. An existing RF Domain can also be modified by selecting it directly from the RF Domain Browser. If adding or modifying an existing RF Domain, the RF Domain Basic Configuration screen displays by default.

3 Define the following Basic Configuration parameters for the RF Domain:
Figure 9-3 RF Domain - Basic Configuration screen

RF Domain: If creating a new RF Domain, assign it a name representative of its intended function. The name cannot exceed 32 characters. The name cannot be changed as part of the edit process.

Location: Assign the physical location of the controller or service platform RF Domain. This name could be as specific as the floor of a building, or as generic as an entire site. The location defines the physical area where a common set of device configurations are deployed and managed by the RF Domain policy.

Contact: Provide the name of the contact (or administrator) assigned to respond to events created by or impacting the RF Domain.

Time Zone: Set the geographic time zone for the RF Domain. RF Domains can be assigned unique country codes and time zone information for upload by devices deployed and managed across different states or countries, thus making them ideal for configurations across different geographical areas.

Country: Define the two-digit country code set for the RF Domain. The country code must be set accurately to avoid a device's illegal operation, as device radios transmit in specific channels unique to the country of operation.

Latitude Coordinate: Configures the RF Domain's latitude in order to fix its exact geographical location on a map. Use this option to define the geographical area where a common set of device configurations are deployed and managed by this RF Domain policy.

Longitude Coordinate: Configures the RF Domain's longitude in order to fix its exact geographical location on a map. Use this option to define the geographical area where a common set of device configurations are deployed and managed by this RF Domain policy.

VLAN for Traffic Control: Select the check box to enable a spinner control used for specifying the VLAN (within a range of 1 - 4,094) used for traffic control within this RF Domain.

Controller Managed: Select the check box to enable management of the RF Domain for adopted wireless clients by the controller or service platform. This option is disabled by default.

When a radio fails or is faulty, a Smart RF policy can be used to provide automatic recovery by instructing neighboring Access Points to increase their transmit power to compensate for the coverage loss. Once correct Access Point placement has been established, Smart-RF can optionally be leveraged for automatic detector radio selection. Smart-RF uses detector radios to monitor RF events and can be used to ensure adequate detector coverage is available. For an overview of Smart RF and instructions on how to create a Smart RF policy that can be used with a RF Domain, see Smart RF Policy on page 6-79.

4 Define the following SMART RF parameters for the RF Domain:
SMART RF Policy: Assign an existing Smart RF Policy to the RF Domain, or if none exist create a new one. Use the Smart RF Policy drop-down menu to navigate to existing Smart RF policies and select the one best suited to the function of the RF Domain. If none exist, select the Create icon and provide the required parameters to define a Smart RF configuration that can be used with the RF Domain. An existing policy can be edited by selecting the policy from the drop-down menu and selecting the Edit icon.

Override Channel List 2.4 GHz: Select an override list of channels Smart RF can use for channel compensations on 2.4 GHz radios.

Override Channel List 5 GHz: Select an override list of channels Smart RF can use for channel compensations on 5 GHz radios.

5 Define the following Smart Scan values:
Enable Dynamic Channel: Enable this setting to configure the dynamic channel listing mode for smart scans in the 2.4 and 5 GHz bands. This setting is disabled by default.

2.4 GHz Channels: Set the list of 2.4 GHz mode channels sent in smart scan responses to clients.

5 GHz Channels: Set the list of 5 GHz mode channels sent in smart scan responses to clients.

6 Assign an existing Wireless IPS (WIPS) policy to the RF Domain, or if none exist create a new one. Use the WIPS Policy drop-down menu to navigate to existing WIPS policies and select the one best suited to the function of the RF Domain. If none exist, select the Create icon and provide the required parameters to define a WIPS configuration that can be used with the RF Domain. An existing policy can be edited by selecting the policy from the drop-down menu and selecting the Edit icon. A WIPS policy provides protection against wireless threats and acts as a key layer of security complementing wireless VPNs, encryption and authentication. A WIPS policy uses a dedicated sensor for actively detecting and locating rogue AP devices. After detection, WIPS uses mitigation techniques to block the devices by manual termination, air lockdown, or port suppression. For an overview of WIPS and instructions on how to create a WIPS policy that can be used with a RF Domain, see Configuring a WIPS Policy on page 10-52.

7 Refer to the Statistics field to define the Update Interval (from 0, 5 - 300 seconds) used as the statistics update interval for this specific RF Domain. A value of zero is permissible to enable auto mode. In auto mode, the update interval is automatically set by the RF Domain manager based on the RF Domain's current load.

8 Use the Licenses drop-down menu to obtain and leverage feature licenses from RF Domain member devices.
9 Select OK to save the changes to the Basic Configuration, or select Reset to revert to the last saved configuration.

9.1.2 RF Domain Sensor Configuration

The Wireless Intrusion Protection System (WIPS) protects the network, wireless clients and Access Point radio traffic from attacks and unauthorized access. WIPS provides tools for standards compliance and around-the-clock wireless network security in a distributed environment. WIPS allows administrators to identify and accurately locate attacks, rogue devices and network vulnerabilities in real time and permits both a wired and wireless lockdown of wireless device connections upon acknowledgment of a threat.

In addition to AirDefense sensors, an Access Point radio can function as a sensor and upload data to an external WIPS server. Unique WIPS server configurations are used by RF Domains to ensure a WIPS server is available to support the unique data protection needs of individual RF Domains.

WIPS is not supported on a WLAN basis; rather, sensor functionality is supported on the Access Point radio(s) available to each managed WLAN. When an Access Point radio is functioning as a WIPS sensor, it's able to scan in sensor mode across all legal channels within 2.4 and 5.0 GHz. Sensor support requires an AirDefense WIPS Server on the network. Sensor functionality is not provided by the Access Point alone. The Access Point works in conjunction with a dedicated WIPS server.

The AP7522, AP7532, AP7562, AP8432 and AP8533 model Access Points can also function as L-Sense sensors. L-Sense is a highly scalable indoor locationing platform that gathers location-related analytics, such as visitor trends, peak and off-peak times, dwell time, heat-maps, etc. to give entrepreneurs deeper visibility at a venue. To enable the location tracking system, the L-Sense server should be up and running and the RF Domain Sensor configuration should point to the L-Sense server.

To define a sensor configuration for an RF Domain's group of member devices:
1 From the RF Domain screen, either select the Add button or highlight an existing policy and select Edit. An existing policy can also be modified by selecting it directly from the RF Domain Browser.
2 Select the Sensor item from within the RF Domain screen.

Wireless Controller and Service Platform System Reference Guide 9-6 RF Domains

Figure 9-4 RF Domain - Sensor screen

3 Select the + Add Row button to populate the Location Tracking System table with the credentials of up to one L-Sense server.

Server Id: Use the spinner control to assign a numerical ID for the Location Tracking Sensor (L-Sense) resource. As of now, only one (1) L-Sense server can be configured.
IP Address/Hostname: Provide the numerical (non-DNS) IP address or hostname of the L-Sense server used by the RF Domain member devices. A hostname cannot exceed 64 characters or contain an underscore. When configured, Access Points (supporting L-Sense) post location-related analytics to the L-Sense server.
Port: Use the spinner control to specify the port for the L-Sense server. This is the port on which the L-Sense server is reachable. The default port is 443.

4 Select the + Add Row button to populate the ADSP Appliance Configuration table with up to three rows for ADSP server credentials:
Server Id: Use the spinner control to assign a numerical ID for up to three WIPS server resources. The server with the lowest defined ID is the first reached by the controller or service platform. The default ID is 1.
IP Address/Hostname: Provide the numerical (non-DNS) IP address or hostname of each server used as a WIPS sensor server by RF Domain member devices. A hostname cannot exceed 64 characters or contain an underscore.
Port: Use the spinner control to specify the port of each WIPS sensor server utilized by RF Domain member devices. The default port is 443.

5 Select the Enable NSight Sensor option, within the NSight Sensor field, to enable the sensor module. This option is disabled by default.
6 Select OK to save the changes to the ADSP appliance sensor configuration, or select Reset to revert to the last saved configuration.

9.1.3 RF Client Name Configuration

The Client Name Configuration screen displays clients connected to RF Domain member Access Points adopted by networked controllers or service platforms. Use the screen to associate administrator-assigned client names with specific connected client MAC addresses for improved client management.

To define a client name configuration used with RF Domain member devices:
1 From the RF Domain screen, either select the Add button or highlight an existing policy and select Edit. An existing policy can also be modified by selecting it directly from the RF Domain browser.
2 Select the Client Name Configuration item from within the RF Domain screen.

Figure 9-5 RF Domain Client Configuration screen

3 Either select the + Add Row button to create a new client configuration, or highlight an existing configuration and select the Delete icon to remove it.
4 Enter the client's factory-coded MAC address.
5 Assign a Name to the RF Domain member Access Point's connected client to assist in its easy recognition.
6 Select OK to save the changes to the configuration, or select Reset to revert to the last saved configuration.

9.1.4 RF Domain Overrides

Each WLAN provides associated wireless clients with a Service Set Identifier (SSID). This has limitations, because it requires that wireless clients associate with different SSIDs to obtain different QoS and security policies. However, a WiNG managed RF Domain can have WLANs assigned that advertise a single SSID but allow users to inherit different QoS or security policies. Use the Override SSID screen to assign WLANs an override SSID as needed for the RF Domain.

Controllers and service platforms allow the mapping of a WLAN to more than one VLAN. When a wireless client associates with a WLAN, it is assigned a VLAN in such a way that users are load balanced across VLANs. The VLAN is assigned from the pool representative of the WLAN. Clients are tracked per VLAN and assigned to the least used/loaded VLAN. Client VLAN usage is tracked on a per-WLAN basis.

To define an override SSID and override VLAN configuration used with an RF Domain:
1 From the RF Domain screen, either select the Add button or highlight an existing policy and select Edit. An existing policy can also be modified by selecting it directly from the RF Domain Browser.
2 Select the Overrides item from within the RF Domain screen.

Figure 9-6 RF Domain Override SSID screen

The Overrides screen is partitioned into two tabs, with the Override SSID screen displayed by default.

3 Either select the + Add Row button to create a new Override SSID configuration, or highlight an existing Override SSID configuration and select the Delete icon to remove it from the table.
4 Use the WLAN drop-down menu to select an existing WLAN to be supplied an override SSID. If a WLAN configuration has not been defined, you'll need to select the Create button and define at least one complete WLAN configuration. For detailed information on the steps required to create a WLAN, see Wireless LAN Policy on page 6-2.
5 Enter the name of the SSID to use with this WLAN.
6 Select OK to save the changes to the Override SSID configuration, or select Reset to revert to the last saved configuration.
7 Select the Override WPA2 Key tab.

The Override WPA2 Key screen enables an administrator to override a WLAN's existing WPA2 PSK at the RF Domain level (not the profile level). WPA2 is a newer 802.11i standard that provides even stronger wireless security than Wi-Fi Protected Access (WPA) and WEP.

Figure 9-7 RF Domain Override WPA2 PSK screen

8 Select the + Add Row button to populate the screen with a row for selecting an existing WLAN to override with a new WPA2 key.

WLAN: Use the drop-down menu to select an existing WLAN whose key is to be overridden at the RF Domain level. A new WLAN configuration can be defined by selecting the Create icon, or an existing WLAN configuration can be modified by selecting the Edit icon.
WPA2 Key: Enter either an alphanumeric string of 8 to 64 ASCII characters or 64 HEX characters as the primary string both transmitting and receiving authenticators must share in this new override PSK. The alphanumeric string allows character spaces. The string is converted to a numeric value. This passphrase saves the administrator from entering the 256-bit key each time keys are generated.

9 Select OK to save the changes to the Override WPA2 Key configuration, or select Reset to revert to the last saved configuration.
10 Select the Override WEP128 Keys tab.

The Override WEP128 Keys screen enables an administrator to override a WLAN's existing WEP128 keys at the RF Domain level (not the profile level). WEP 128 uses a 104-bit key which is concatenated with a 24-bit initialization vector (IV) to form the RC4 traffic key. WEP may be all a small-business user needs for the simple encryption of wireless data on the WLAN. However, networks that require more security are at risk from a WEP flaw. WEP is only recommended if there are client devices incapable of using higher forms of security. The existing 802.11 standard alone offers administrators no effective method to update keys.

The screen displays existing WLANs whose WEP128 key configuration can be overridden at the RF Domain level. Either select Add to create a new WEP128 key configuration, or select an existing WEP128 Key and the Edit button to modify the selected key's existing key algorithm. The screen populates with the parameters required to override a WEP 128 configuration for the selected WLAN.

11 Define the following settings for the WEP 128 key override:
Figure 9-8 RF Domain Override WEP128 Keys screen

Generate Keys: Specify a 4 to 32 character RF Domain override Pass Key and click the Generate button. The pass key can be any alphanumeric string. Wireless devices and their connected clients use the algorithm to convert an ASCII string to the same hexadecimal number. Clients without adapters need to use WEP keys manually configured as hexadecimal numbers.
Keys 1-4: Use the Key #1-4 areas to specify key numbers. For WEP 128 (104-bit key), the keys are 26 hexadecimal characters in length. Select one of these keys for default activation by clicking its radio button. Selecting Show displays a key in exposed plain text.
Restore Default WEP Keys: If you feel it necessary to restore the WEP algorithm back to its default settings, click the Restore Default WEP Keys button. Default WEP 128 keys are as follows:
Key 1 101112131415161718191A1B1C
Key 2 202122232425262728292A2B2C
Key 3 303132333435363738393A3B3C
Key 4 404142434445464748494A4B4C

12 Select OK to save the changes to the Override WEP128 Key configuration, or select Reset to revert to the last saved configuration.
13 Select the Override VLAN tab.

The Override VLAN screen lists those WLANs available for override.

14 Either select Add to define a new VLAN override configuration, choose an existing WLAN and select Edit to change the override VLAN and limit, or select Delete to remove a WLAN's override VLAN configuration.

Figure 9-9 RF Domain Override VLAN screen
Figure 9-10 RF Domain Override VLAN Add screen

15 Use the VLAN spinner control to change the VLANs for an existing WLAN client connection, or select the + Add Row button to add additional VLANs for WLAN client connection.
16 Use the Wireless Client Limit spinner control to set the client user limit for the VLAN. The maximum allowed client limit is 8192 per VLAN. VLANs can be defined from 1 - 4094. The default setting is 0.
17 Select OK to save the changes to the Override VLAN configuration, or select Reset to revert to the last saved configuration.
18 Select the Override WLAN Shutdown tab.
19 Select the + Add Row button to populate the screen with a row for selecting an existing WLAN to override the WLAN mode of operation.
20 Provide the following parameters:
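The Override WPA2 Key and Override WEP128 Keys settings above accept a passphrase or 64 hex characters, and 26 hex characters per WEP key, with four published default keys. The following added example (not code from the guide or from WiNG) checks override rows against those formats, flags keys left at the documented defaults, and derives the 256-bit PSK from a passphrase the way 802.11 does (PBKDF2-HMAC-SHA1, 4096 rounds, SSID as salt); it uses the standard's 8 to 63 character passphrase bound, and the function names and sample rows are constructed.

```python
"""Check RF Domain override keys: WPA2 PSK passphrase/hex and WEP128 keys.

Added example, not from the WiNG System Reference Guide. Applies the key
formats the Override WPA2 Key and Override WEP128 Keys screens describe.
"""
import hashlib
import re

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")

# The four default WEP 128 keys listed in the guide. A key equal to one of
# these is public knowledge and provides no confidentiality.
DEFAULT_WEP128_KEYS = {
    "101112131415161718191A1B1C",
    "202122232425262728292A2B2C",
    "303132333435363738393A3B3C",
    "404142434445464748494A4B4C",
}

WEP128_HEX_LEN = 26   # 104-bit key = 13 bytes = 26 hex characters
PSK_HEX_LEN = 64      # 256-bit PSK = 32 bytes = 64 hex characters


def wep128_key_problems(key: str) -> list:
    """Return the problems found with one Key #1-4 value (empty = acceptable)."""
    problems = []
    if len(key) != WEP128_HEX_LEN or not HEX_RE.match(key):
        problems.append("not 26 hexadecimal characters")
    elif key.upper() in DEFAULT_WEP128_KEYS:
        problems.append("matches a documented default WEP key")
    return problems


def wpa2_override_psk(value: str, ssid: str) -> str:
    """Return the PSK (64 lowercase hex) for an Override WPA2 Key value.

    A 64-hex-character value is the PSK itself. Anything else is treated as
    the passphrase and expanded with PBKDF2; 802.11 bounds the passphrase
    to 8 to 63 printable ASCII characters (the screen text quotes 8 to 64).
    """
    if len(value) == PSK_HEX_LEN and HEX_RE.match(value):
        return value.lower()
    if not 8 <= len(value) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in value):
        raise ValueError("passphrase must be printable ASCII")
    psk = hashlib.pbkdf2_hmac("sha1", value.encode("ascii"),
                              ssid.encode("utf-8"), 4096, 32)
    return psk.hex()


def audit_wep128_overrides(rows: list) -> dict:
    """Map WLAN name -> problems for each Override WEP128 Keys row.

    Each row is {"wlan": str, "keys": [k1, k2, k3, k4]} (constructed shape).
    Only WLANs with at least one problem appear in the result.
    """
    report = {}
    for row in rows:
        found = []
        for index, key in enumerate(row["keys"], start=1):
            for problem in wep128_key_problems(key):
                found.append(f"key {index}: {problem}")
        if found:
            report[row["wlan"]] = found
    return report


# Constructed sample: one WLAN still on the guide's default keys, one with
# administrator-chosen keys of the right length.
SAMPLE_ROWS = [
    {"wlan": "legacy-scanners",
     "keys": ["101112131415161718191A1B1C", "202122232425262728292A2B2C",
              "303132333435363738393A3B3C", "404142434445464748494A4B4C"]},
    {"wlan": "legacy-printers",
     "keys": ["0F1E2D3C4B5A69788796A5B4C3", "00112233445566778899AABBCC",
              "FFEEDDCCBBAA99887766554433", "0123456789ABCDEF0123456789"]},
]

if __name__ == "__main__":
    for wlan, problems in audit_wep128_overrides(SAMPLE_ROWS).items():
        print(wlan, "->", "; ".join(problems))
    print(wpa2_override_psk("password", "IEEE"))
```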
Figure 9-11 RF Domain Override WLAN Shutdown Add screen

WLAN: Use the drop-down menu to select an existing WLAN whose mode of operation is to be overridden at the RF Domain level.
Shutdown: Select to shut down the WLAN operation on all mapped radios. When selected, the RF Domain's Access Points mapped to the selected WLAN stop beaconing the WLAN's SSID.

21 Select OK to save the changes to the Override WLAN Shutdown configuration, or select Reset to revert to the last saved configuration.

9.1.5 RF Domain Network Alias

With large deployments, the configuration of remote sites utilizes a set of shared attributes, of which a small set of attributes are unique for each location. For such deployments, maintaining separate configuration (WLANs, profiles, policies and ACLs) for each remote site is complex. Migrating any global change to a particular configuration item to all the remote sites is a complex and time-consuming operation. Also, this practice does not scale gracefully for quickly growing deployments.

An alias enables an administrator to define a configuration item, such as a hostname, as an alias once and use the defined alias across different configuration items such as multiple ACLs. Once a configuration item, such as an ACL, is utilized across remote locations, the alias used in the configuration item (ACL) is modified to meet the local deployment requirement. Any other ACL or other configuration items using the modified alias also get modified, simplifying maintenance at the remote deployment.

Aliases have scope depending on where the alias is defined. Aliases are defined with the following scopes:
Global aliases are defined from the Configuration > Network > Alias screen. Global aliases are available for use globally across all devices, profiles and RF Domains in the system.

Profile aliases are defined from the Configuration > Devices > System Profile > Network > Alias screen. Profile aliases are available for use by a specific group of wireless controllers or Access Points. Alias values defined in a profile override the alias values defined within global aliases.

RF Domain aliases are defined from the Configuration > Devices > RF Domain > Alias screen. RF Domain aliases are available for use for a site, as an RF Domain is site specific. RF Domain alias values override alias values defined in a global alias or a profile alias configuration.

Device aliases are defined from the Configuration > Devices > Device Overrides > Network > Alias screen. Device aliases are utilized by a singular device only. Device alias values override global, profile or RF Domain alias configurations.

Using an alias, configuration changes made at a remote location override any updates at the management center. For example, if a network alias defines a network range as 192.168.10.0/24 for the entire network, and at a remote deployment location the local network range is 172.16.10.0/24, the network alias can be overridden at the deployment location to suit the local requirement. For the remote deployment location, the network alias works with the 172.16.10.0/24 network. Existing ACLs using this network alias need not be modified and will work with the local network for the deployment location. This simplifies ACL definition and management while taking care of specific local deployment requirements.

For more information, refer to the following:
RF Domain Basic Alias
RF Domain Network Group Alias
RF Domain Network Service Alias

9.1.5.1 RF Domain Basic Alias

A basic alias is a set of configurations consisting of VLAN, Host, Network and Address Range alias configurations. A VLAN alias is a configuration for optimal VLAN re-use and management for local and remote deployments. A host alias configuration is for a particular host device's IP address. A network alias configuration is utilized for an IP address on a particular network. An address range alias is a configuration for a range of IP addresses.

To set a network basic alias configuration for an RF Domain:
1 Select Configuration > RF Domains from the Web UI. The RF Domain screen displays within the main portion of the Web UI, and the RF Domain Browser displays in the lower, left-hand portion of the Web UI.
2 From the RF Domain screen, either select the Add button or highlight an existing RF Domain and select Edit. An existing policy can also be modified by selecting it directly from the RF Domain browser.
3 Expand the Network menu item and select Alias. The Alias screen displays with the Basic Alias tab displayed by default.
4 Select + Add Row to define VLAN Alias settings:
Figure 9-12 RF Domain Network Basic Alias screen

Use the Vlan Alias field to create unique aliases for VLANs that can be utilized at different deployments. For example, if a VLAN ID is set as 10 for the central network, and the VLAN is set as 26 at a remote location, the VLAN can be overridden at the remote location using an alias. At the remote location, the network is functional with an ID of 26, but utilizes the name defined at the central local network. A new VLAN need not be created specifically at the remote location.

Name: If adding a new VLAN Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Vlan: Use the spinner control to set a numeric VLAN ID from 1 - 4094.

5 Select + Add Row to define Address Range Alias settings:
Use the Address Range Alias field to create aliases for IP address ranges that can be utilized at different deployments. For example, if an ACL defines a pool of network addresses as 192.168.10.10 through 192.168.10.100 for an entire network, and a remote location's network range is 172.16.13.20 through 172.16.13.110, the remote location's ACL can be overridden using an alias. At the remote location, the ACL works with the 172.16.13.20-110 address range. A new ACL need not be created specifically for the remote deployment location.

Name: If adding a new Address Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Start IP: Set the starting IP address of the range of addresses utilized with the address range alias.
End IP: Set the ending IP address of the range of addresses utilized with the address range alias.

6 Select + Add Row to define String Alias settings:
Use the String Alias field to create aliases for strings that can be utilized at different deployments. For example, if the main domain at a remote location is called loc1.domain.com and at another deployment location it is called loc2.domain.com, the alias can be overridden at the remote location to suit the local (but remote) requirement. At one remote location, the alias functions with the loc1.domain.com domain and at the other with the loc2.domain.com domain.

Name: If adding a new String Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Value: Provide a string value of up to 255 characters to use in the alias.

7 Select + Add Row to define Host Alias settings:
Use the Host Alias field to create aliases for hosts that can be utilized at different deployments. For example, if a central network DNS server is set to a static IP address, and a remote location's local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements.

Name: If adding a new Host Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Host: Set the numeric IP address for the host.

8 Select + Add Row to define Network Alias settings:
Use the Network Alias field to create aliases for IP networks that can be utilized at different deployments. For example, if a central network ACL defines a network as 192.168.10.0/24, and a remote location's network range is 172.16.10.0/24, the ACL can be overridden at the remote location to suit the local (but remote) requirement. At the remote location, the ACL functions with the 172.16.10.0/24 network. A new ACL need not be created specifically for the remote deployment. This simplifies ACL definition and allows an administrator to better manage specific local requirements.

Name: If adding a new Network Alias, provide it a distinguishing name up to 32 characters. The alias name always starts with a dollar sign ($).
Network: Provide a network address in the form of host/mask.

9 Select OK when completed to update the set of basic alias rules. Select Reset to revert the screen back to its last saved configuration.

9.1.5.2 RF Domain Network Group Alias

A network group alias is a set of configurations consisting of host and network configurations. Network configurations are complete networks in the form of 192.168.10.0/24 or an IP address range in the form of 192.168.10.10-192.168.10.20. Host configurations are in the form of a single IP address, 192.168.10.23. A network group alias can contain multiple definitions for a host, network, and IP address range. A maximum of eight (8) host entries, eight (8) network entries and eight (8) IP address range entries can be configured inside a network group alias. A maximum of 32 network group alias entries can be created.

To set a network group alias configuration for an RF Domain:
1 Select Configuration > RF Domains from the Web UI. The RF Domain screen displays within the main portion of the Web UI, and the RF Domain Browser displays in the lower, left-hand portion of the Web UI.
2 From the RF Domain screen, either select the Add button or highlight an existing RF Domain and select Edit. An existing policy can also be modified by selecting it directly from the RF Domain browser.
3 Expand the Network menu item and select Alias.
4 Select the Network Group Alias tab. The screen displays the attributes of existing network group alias configurations.

Figure 9-13 RF Domain Network Group Alias screen

Name: Displays the administrator-assigned name used with the network group alias.
Host: Displays all the host aliases configured in the listed network group alias. Displays a blank column if no host alias is defined.
Network: Displays all network aliases configured in the listed network group alias. Displays a blank column if no network alias is defined.

5 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
6 Select the added row to expand it into configurable parameters for defining the network alias rule.

Figure 9-14 RF Domain Network Group Alias Add screen

7 If adding a new Network Alias Rule, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($).
8 Define the following network group alias parameters:
Host: Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table.
Network: Specify the netmask for up to eight IP addresses supporting network aliasing. Subnets can improve network security and performance by organizing hosts into logical groups. Applying the subnet mask to an IP address separates the address into a host address and an extended network address. Select the down arrow to add the mask to the table.

9 Within the Range table, use the + Add Row button to specify the Start IP address and End IP address for the alias range, or double-click on an existing alias range entry to edit it.
10 Select OK when completed to update the network alias rules. Select Reset to revert the screen back to its last saved configuration.

9.1.5.3 RF Domain Network Service Alias

A network service alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias. Use a service alias to associate more than one IP address to a network interface, providing multiple connections to a network from a single IP node.

To define a service alias configuration for an RF Domain:
1 Select Configuration > RF Domains from the Web UI. The RF Domain screen displays within the main portion of the Web UI, and the RF Domain Browser displays in the lower, left-hand portion of the Web UI.
2 From the RF Domain screen, either select the Add button or highlight an existing RF Domain and select Edit. An existing policy can also be modified by selecting it directly from the RF Domain browser.
3 Expand the Network menu item and select Alias.
4 Select the Network Service Alias tab. The screen displays existing network service alias configurations.

Figure 9-15 RF Domain Network Service Alias screen

5 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies.
6 Select the added row to expand it into configurable parameters for defining the service alias rule.

Figure 9-16 RF Domain Network Service Alias Add screen

7 If adding a new Network Service Alias Rule, provide it a name up to 32 characters. Ensure a $ precedes the name.
8 Select + Add Row and provide the following configuration parameters:
Protocol: Specify the protocol for which the alias has to be created. Use the drop-down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed. When a protocol is selected, its protocol number is automatically selected.
Source Port (Low and High): This field is only relevant if the protocol is either tcp or udp. Specify the source ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
Destination Port (Low and High): This field is only relevant if the protocol is either tcp or udp. Specify the destination ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.

9 Within the Range field, use the + Add Row button to specify the Start IP address and End IP address for the service alias range, or double-click on an existing service alias range entry to edit it.
10 Select OK when completed to update the service alias rules. Select Reset to revert the screen back to its last saved configuration.

9.1.6 RF Domain Deployment Considerations

Before defining RF Domain policies, refer to the following deployment guidelines to ensure the configurations are optimally effective:
Controllers or service platforms utilize a default RF Domain. Access Points are assigned to this default RF Domain as they are discovered. The default RF Domain can be used for single site deployments, where regional, regulatory and RF policies are common between devices.

User defined RF Domains must be manually assigned to controllers or service platforms, but can be manually or automatically assigned to Access Points.

A Rogue AP detection configuration is a central component of an RF Domain policy, as it provides the RF Domain policy with the means to filter potentially threatening devices from operating with devices approved within the managed network.

WIPS is not supported on a WLAN basis; rather, sensor functionality is supported on the radio(s) available to each WLAN. When planning sensor coverage, a minimum of 1 detector radio is recommended per 4 Access Points.

To ensure effective placement, LANPlanner can be used to provide predictive planning services and visualization to ensure adequate radio coverage is provided based on site application and device requirements. LANPlanner provides visualization tools ensuring adequate radio coverage for client radios and sensors. A physical site survey should also be performed to verify client radio coverage before a final deployment.

Both default and user defined RF Domains contain policies and configuration parameters. Changes made to policies or configuration parameters are automatically inherited by all the devices assigned to the RF Domain.

10 Security

When protecting wireless traffic to and from a wireless controller or service platform, the administrator should not lose sight of the security solution in its entirety, since the chain is as weak as its weakest link. A WiNG managed network provides seamless data protection and user validation to protect and secure data at each vulnerable point in the network.
WiNG managed wireless devices support a Layer 2 wired/wireless firewall and Wireless Intrusion Protection System (WIPS) capabilities at the WLAN, while additionally strengthened with a premium multi-vendor overlay security solution from Air Defense with 24x7 dedicated protection. This security is offered at the most granular level, with role, location and device categorization based network access control available to users based on identity as well as the security posture of the client device. For more information, see:
Wireless Firewall
Configuring IP Firewall Rules
Wireless Client Roles
Device Fingerprinting
Intrusion Prevention
EX3500 Time Range

10.1 Wireless Firewall

A firewall is a mechanism enforcing network access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as mechanisms both blocking and permitting data traffic within the network. Firewalls implement uniquely defined access control policies, so if you don't have an idea of what kind of access to allow or deny, a firewall is of little value, and in fact could provide a false sense of network security.

With WiNG managed wireless controllers and Access Points, firewalls are configured to protect against unauthenticated logins from outside the network. This helps prevent hackers from accessing managed wireless clients. Well designed firewalls block traffic from outside the network, but permit authorized users to communicate freely with the network outside. Firewalls can be implemented in both hardware and software, or a combination of both. All messages entering or leaving the wireless controller or Access Point pass through the firewall, which examines each message and blocks those not meeting the security criteria (rules) defined.

Firewall rules define the traffic permitted or denied within the network. Rules are processed by a firewall supported device from first to last. When a rule matches the network traffic a controller or service platform is processing, the firewall uses that rule's action to determine whether traffic is allowed or denied.

Rules comprise conditions and actions. A condition describes a traffic stream of packets. Define constraints on the source and destination device, the service (for example, protocols and ports), and the incoming interface. An action describes what should occur to packets matching the conditions set.
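Two mechanisms described in this guide combine in practice: network aliases resolve per scope (global, then profile, RF Domain and device overriding in that order, as in RF Domain Network Alias above), and firewall rules are processed first to last with the first match deciding. The following added example (not code from the guide or from WiNG) models both: one ACL written against a $corp-net alias, resolved at a central site and at a remote RF Domain, evaluated first-match, plus a check for rules that an earlier rule shadows and that can therefore never match. The scope labels, rule fields, the implicit deny when nothing matches and all sample values are constructed assumptions.

```python
"""Alias scope precedence and first-to-last firewall rule evaluation.

Added example, not from the WiNG System Reference Guide. Scope names, the
Rule shape, the implicit default deny and all values are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Least to most specific; a value defined in a later scope overrides earlier ones.
SCOPE_ORDER = ("global", "profile", "rf-domain", "device")


def resolve_alias(name: str, scopes: dict) -> str:
    """Return the most specific value defined for an alias such as "$corp-net"."""
    if not name.startswith("$"):
        raise ValueError("alias names always start with a dollar sign")
    value = None
    for scope in SCOPE_ORDER:
        if name in scopes.get(scope, {}):
            value = scopes[scope][name]
    if value is None:
        raise KeyError(f"alias {name} is not defined in any scope")
    return value


def to_network(spec: str, scopes: dict) -> ipaddress.IPv4Network:
    """Turn a literal host/mask or an alias into an IPv4Network."""
    if spec.startswith("$"):
        spec = resolve_alias(spec, scopes)
    return ipaddress.ip_network(spec, strict=False)


@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    src: str                       # network literal or $alias
    dst: str                       # network literal or $alias
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    dport: Optional[range] = None  # destination port range; None = any port


def evaluate(rules: list, scopes: dict, pkt: dict):
    """Return (action, index of the matching rule); no match -> ("deny", None)."""
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    for index, rule in enumerate(rules):          # first to last, first match wins
        if src not in to_network(rule.src, scopes):
            continue
        if dst not in to_network(rule.dst, scopes):
            continue
        if rule.proto != "any" and rule.proto != pkt["proto"]:
            continue
        if rule.dport is not None and pkt.get("dport") not in rule.dport:
            continue
        return rule.action, index
    return "deny", None


def covers(outer: Rule, inner: Rule, scopes: dict) -> bool:
    """True if every packet matching `inner` also matches `outer`."""
    if not to_network(inner.src, scopes).subnet_of(to_network(outer.src, scopes)):
        return False
    if not to_network(inner.dst, scopes).subnet_of(to_network(outer.dst, scopes)):
        return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.dport is None:
        return True
    return (inner.dport is not None and inner.dport.start >= outer.dport.start
            and inner.dport.stop <= outer.dport.stop)


def shadowed_rules(rules: list, scopes: dict) -> list:
    """Indices of rules that can never match because an earlier rule covers them."""
    return [j for j in range(len(rules))
            if any(covers(rules[i], rules[j], scopes) for i in range(j))]


# Constructed scopes using the guide's example values: 192.168.10.0/24 defined
# globally, overridden to 172.16.10.0/24 at the remote RF Domain.
GLOBAL_ONLY = {"global": {"$corp-net": "192.168.10.0/24"}}
REMOTE_SITE = {"global": {"$corp-net": "192.168.10.0/24"},
               "rf-domain": {"$corp-net": "172.16.10.0/24"}}

# One ACL written once against the alias; rule 2 is shadowed by rule 1.
RULES = [
    Rule("permit", "$corp-net", "0.0.0.0/0", "tcp", range(443, 444)),
    Rule("deny", "$corp-net", "0.0.0.0/0"),
    Rule("permit", "$corp-net", "0.0.0.0/0", "tcp", range(22, 23)),
]

if __name__ == "__main__":
    pkt = {"src": "172.16.10.5", "dst": "203.0.113.10", "proto": "tcp", "dport": 443}
    print("remote site:", evaluate(RULES, REMOTE_SITE, pkt))
    print("central only:", evaluate(RULES, GLOBAL_ONLY, pkt))
    print("shadowed rule indices:", shadowed_rules(RULES, REMOTE_SITE))
```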
For example, if the packet stream meets all conditions, traffic is permitted, authenticated and sent to the destination device.

Additionally, MAC rule based firewall filtering can be deployed to apply firewall policies to traffic being bridged by centrally managed radios. MAC filtering can be employed to permit or restrict traffic exchanged between hosts, hosts residing on separate WLANs or hosts forwarding traffic to wired devices.

For more information, refer to the following:
Configuring a Firewall Policy
Configuring MAC Firewall Rules
Firewall Deployment Considerations

10.1.1 Configuring a Firewall Policy

To configure a firewall on the wireless controller or service platform:
1 Select Configuration > Security > Wireless Firewall > Firewall Policy to display existing firewall policies. The Wireless Firewall screen lists existing firewall policies. An existing policy can be selected and applied. The user has the option of displaying the configurations of each policy, or referring to the Wireless Firewall Browser and selecting individual policies for review.
2 Refer to the following configuration data for existing wireless firewall policies:
Figure 10-1 Wireless Firewall Policy screen

Firewall Policy: Displays the name assigned to the policy when created. The name cannot be modified as part of the edit process.
Status: Displays a green check mark if the policy has been enabled. A red X designates the policy as disabled.
Proxy ARP: Displays a green check mark if Proxy ARP routing has been enabled. A red X designates Proxy ARP as disabled.

3 Select Add to create a new Wireless Firewall policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies from the list of those available. For information on adding and editing Wireless Firewall policies, see Adding and Editing Wireless Firewall Policies on page 10-3.

10.1.1.1 Adding and Editing Wireless Firewall Policies

To add or edit a firewall policy:
1 Select Configuration > Security > Wireless Firewall > Firewall Policy to display existing firewall policies.

2 Select Add to create a new Wireless Firewall policy. Select an existing policy and click Edit to modify the attributes of that policy. The Denial of Service tab displays by default.

3 When adding a new policy, first enter a name for the Firewall Policy. The name must not exceed 64 characters. Once a name is specified, click OK to enable the other parameters within the screen. The Wireless Firewall Policy configuration is divided into the following tabs:
Firewall Policy Denial of Service
Firewall Policy Storm Control
Firewall Policy Advanced Settings

10.1.1.1.1 Firewall Policy Denial of Service

A denial of service (DoS) attack is an attempt to make a computer or network resource unavailable to its intended users. Although the means to carry out a DoS attack vary, it generally consists of a concerted effort by one or more persons to prevent a device, site or service from functioning temporarily or indefinitely. Most DoS attacks involve saturating the target device with external communication requests so that it cannot respond to legitimate traffic, or responds so slowly that it is effectively unavailable at its defined data rate. DoS attacks work either by forcing targeted devices to reset or by consuming the device's resources so it can no longer provide service. To define a denial of service configuration for a Firewall policy:
1 Select the Denial of Service tab from the Firewall Policy configuration page.

Figure 10-2 Wireless Firewall Add/Edit Denial of Service screen

2 The Settings window contains a list of all of the Denial of Service (DoS) attacks that the wireless controller's firewall has filters for. Each DoS filter contains the following four items:
Event - The Event column lists the name of each DoS attack.
Enable - Checking the Enable box sets the Firewall Policy to filter the associated DoS attack based on the selection in the Action column.
Action - If a Denial of Service filter is enabled, choose an action from the drop-down menu to determine how the Firewall Policy treats the associated DoS attack. Log and Drop - An entry for the associated DoS attack is added to the log and then the packets are dropped. Log Only - An entry for the associated DoS attack is added to the log. No further action is taken. Drop Only - The DoS packets are dropped. No further action is taken.
Log Level - To enable logging to the system log, check the box in the Log Level column. Then select a standard Syslog level from the Log Level drop-down menu.

3 Refer to the following for a summary of each Denial of Service attack the firewall can filter:

Denial of Service Event Attacks Table

Ascend - The Ascend DoS attacks are a series of attacks that target known vulnerabilities in various versions of Ascend routers.
Broadcast/Multicast ICMP - Broadcast or multicast ICMP DoS attacks take advantage of how hosts respond to ICMP echo requests. They usually involve spoofing the source address of the target and sending ICMP echo requests to a broadcast or multicast address on the rest of the network, flooding the target machine with the replies.
Chargen - The Chargen attack connects to the character generator service on port 19 and uses it to create a stream of characters, which is then directed at the DNS service on port 53 to disrupt DNS.
Fraggle - The Fraggle DoS attack uses a list of broadcast addresses to send spoofed UDP packets to the echo port (port 7) of each broadcast address. Every host that has port 7 open responds to the request, generating a large amount of traffic on the network. Hosts that do not have port 7 open send an unreachable message back to the (spoofed) originator, further clogging the network with traffic.
FTP Bounce - The FTP Bounce attack abuses the FTP PORT command to scan ports on a target machine through an intermediate FTP server.
Invalid Protocol - Attackers may exploit a vulnerability in an endpoint's protocol implementation by sending invalid protocol fields, or may abuse how endpoint software misinterprets them. This can lead to inadvertent leakage of sensitive network topology information, call hijacking, or a DoS.
IP Spoof - IP spoofing is a category of DoS attack that sends IP packets with forged source addresses, which can hide the identity of the attacker.
LAND - The LAND DoS attack sends spoofed packets with the SYN flag set to the target, using the target's IP address and port as both the source and the destination. This either crashes the target system or causes high resource utilization, slowing down all other processes.
Option Route - Enables the IP Option Route denial of service check in the firewall.
Router Advertisement - In this attack, the attacker uses ICMP to redirect the network's router function to some other host. If that host cannot provide router services, a DoS of network communications occurs because routing stops. The attack can also be targeted at a single system, so that only that system is affected (because only that system sees the false router). By providing router services from a compromised host, the attacker can also place themselves in a man-in-the-middle position and take control of any open channel at will (as mentioned earlier, this is often combined with TCP packet forgery and spoofing to intercept and alter open Telnet sessions).
Router Solicit - The ICMP Router Solicitation scan is used to actively find routers on a network. An attacker could set up a protocol analyzer to detect routers as they broadcast routing information, but in some cases routers do not send updates; for example, if the local network has no other routers, a router may be configured not to send routing information packets onto it. ICMP offers a method for router discovery: clients send ICMP router solicitation multicasts onto the network, and routers must respond (as defined in RFC 1256). By sending ICMP router solicitation packets (ICMP type 10) and listening for ICMP router advertisement replies (ICMP type 9), an attacker can build a list of all of the routers on a network segment. This scan is often used to locate routers that do not reply to ICMP echo requests.
Smurf - The Smurf DoS attack sends ICMP echo requests to a list of broadcast addresses in turn, and then repeats the requests, flooding the network.
Snork - The Snork DoS attack uses UDP packet broadcasts to consume network and system resources.
TCP Bad Sequence - Enables a TCP Bad Sequence denial of service check in the firewall.
TCP FIN Scan - Attackers use the TCP FIN scan to identify listening TCP ports based on how the target reacts to a connection close request for a port, even though no connection exists before the close request is made. This type of scan can pass basic firewalls and boundary routers that filter incoming TCP packets on the FIN and ACK flag combination, because the packets used in this scan set only the FIN flag. If the target's TCP port is closed, the target replies with a TCP RST; if the port is open, the target discards the FIN and sends no reply.
TCP Intercept - A SYN-flooding attack occurs when an attacker floods a server with a barrage of connection requests. Because these requests carry unreachable return addresses, the connections cannot be established, and the resulting volume of unresolved half-open connections eventually overwhelms the server, causing it to deny service to valid requests (web, email, FTP and so on). The TCP intercept feature helps prevent SYN-flooding attacks by intercepting and validating TCP connection requests. In intercept mode, the TCP intercept software intercepts TCP SYN packets from clients to servers that match an extended access list. The software establishes a connection with the client on behalf of the destination server and, if successful, establishes the connection with the server on behalf of the client and knits the two half-connections together transparently, so connection attempts from unreachable hosts never reach the server. The software continues to intercept and forward packets for the duration of the connection. The number of SYNs per second and the number of concurrent connections proxied depend on the platform, memory, processor and other factors. For illegitimate requests, the software's aggressive timeouts on half-open connections and its thresholds on TCP connection requests protect destination servers while still allowing valid requests. When establishing a security policy using TCP intercept, you can choose to intercept all requests or only those coming from specific networks or destined for specific servers, and you can configure the connection rate and the threshold of outstanding connections. TCP intercept can optionally operate in watch mode instead of intercept mode: the software passively watches the connection requests flowing through the router, and if a connection fails to get established within a configurable interval, the software intervenes and terminates the connection attempt.
TCP IP TTL Zero - The TCP IP TTL Zero DoS attack sends spoofed multicast packets onto the network with a Time To Live (TTL) of 0. This causes packets to loop back to the spoofed originating machine and can overload the network.
TCP Null Scan - Attackers use the TCP NULL scan to identify listening TCP ports. The scan uses unusually formed TCP packets that carry a sequence number of 0 and no flags. Again, this type of scan can pass some firewalls and boundary routers that filter incoming TCP packets on standard flag settings. If the target's TCP port is closed, the target replies with a TCP RST; if the port is open, the target discards the NULL packet and sends no reply.
TCP Post SYN - A remote attacker may attempt to avoid detection by sending a SYN frame with a different sequence number than the original SYN. This can cause an Intrusion Detection System (IDS) to become unsynchronized with the data in a connection, so that subsequent frames sent during the connection are ignored by the IDS.
TCP Packet Sequence - An attempt to predict the sequence number used to identify packets in a TCP connection, which can then be used to counterfeit packets. The attacker hopes to correctly guess the sequence number used by the sending host. If successful, they can send counterfeit packets to the receiving host that appear to originate from the sending host, even though the counterfeit packets originate from a third host controlled by the attacker.
TCP XMAS Scan - The TCP XMAS scan floods the target system with TCP packets that have the FIN, URG and PUSH flags set. It is used to determine details about the target system and can crash a system.
TCP Header Fragment - Enables the TCP Header Fragment denial of service check in the firewall.
Twinge - The Twinge DoS attack sends ICMP packets that cycle through all ICMP types and codes. This can crash some Windows systems.
UDP Short Header - Enables the UDP Short Header denial of service check in the firewall.
WINNUKE - The WinNuke DoS attack sends out-of-band data to the NetBIOS session service (TCP port 139) to crash the NetBIOS service on Windows hosts, and can also result in high CPU utilization on the target machine.
Hop Limit Zero - Detects IPv6 packets whose hop limit is set to 0, which prevents them from being forwarded.
Multicast ICMPv6 - Detects ICMPv6 packets whose Layer 2 destination MAC (DMAC) is a multicast address.
TCP Intercept Mobility - Detects IPv6 TCP packets with the mobility Home Address Option (HAO) or a type 1 routing header set, and does not generate SYN cookies for such packets.

5 Events can be individually enabled, or collectively enabled or disabled using the Enable All Events and Disable All Events buttons.

6 Select OK to update the Denial of Service settings. Select Reset to revert to the last saved configuration.

10.1.1.1.2 Firewall Policy Storm Control

The firewall maintains a facility to control packet storms. Storms are packet bombardments that exceed the high threshold value configured for an interface. During a storm, packets are throttled until the rate falls below the configured rate, severely impacting performance for the RF Domain manager interface. Thresholds are configured in terms of packets per second. To define a storm control configuration for a Firewall policy:
1 Select the Storm Control tab from the Firewall Policy configuration page.

2 Refer to the Storm Control Settings field to set the following:

Figure 10-3 Wireless Firewall Add/Edit Storm Control screen

Traffic Type - Use the drop-down menu to define the traffic type for which the Storm Control configuration applies. Options include ARP, Broadcast, Multicast and Unicast.
Interface Type - Use the drop-down menu to define the interface for which the Storm Control configuration is applied. Only the specified interface uses the defined filtering criteria. Options include Ethernet, WLAN and Port Channel.
Interface Name - Use the drop-down menu to refine the interface selection to a specific WLAN or physical port. This helps with threshold configuration for potentially impacted interfaces.
Packets per Second - Select the check box to activate the spinner control used for specifying the packets per second threshold for activating the Storm Control mechanism.

3 Select + Add Row as needed to add additional Storm Control configurations for other traffic types or interfaces. Select the Delete icon as required to remove selected rows.

4 Refer to the Storm Control Logging field to define how storm events are logged:

Traffic Type - Use the drop-down menu to define the traffic type for which the Storm Control logging configuration applies. Options include ARP, Broadcast, Multicast and Unicast.
Logging - Select the check box to activate the spinner control used for specifying the standard log level used if a Storm Control attack is detected. The default log level is Warning.

5 Select + Add Row as needed to add additional Storm Control log entries for other interfaces. Select the Delete icon as required to remove selected rows.

6 Select OK to update the Storm Control settings. Select Reset to revert to the last saved configuration.

10.1.1.1.3 Firewall Policy Advanced Settings

To define a firewall policy Advanced Configuration:
1 Select the Advanced Settings tab from the Firewall Policy configuration page. The Advanced Settings screen displays Common and IPv6 Settings tabs, with Common displayed by default. Use these screens to define common IPv4 settings and settings unique to an IPv6 firewall. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages: when first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters, and routers respond with a router advertisement packet that contains Internet Layer configuration parameters. These hosts require firewall packet protection specific to IPv6 traffic (IPv6 addresses are written as eight groups of four hexadecimal digits separated by colons).

Figure 10-4 Wireless Firewall Add/Edit Advanced Common Settings screen

2 Refer to the Firewall Status radio buttons to define the firewall as either Enabled or Disabled. The firewall is enabled by default. If disabling the firewall, a confirmation prompt displays stating that NAT, wireless hotspot, proxy ARP, deny-static-wireless-client and deny-wireless-client (sending not permitted traffic excessively) will be disabled.

3 Refer to the General field to enable or disable the following firewall configuration parameters:
Enable Proxy ARP - Select this check box to allow the Firewall Policy to send Proxy ARP responses on behalf of another device. Proxy ARP allows the firewall to answer ARP requests for devices behind the firewall. This feature is enabled by default.
DHCP Broadcast to Unicast - Select this check box to enable the conversion of broadcast DHCP offers to unicast. Converting DHCP broadcast traffic to unicast can help reduce network traffic load. This feature is disabled by default.
L2 Stateful Packet Inspection - Select the check box to enable stateful packet inspection for RF Domain manager routed interfaces within the Layer 2 firewall. This feature is disabled by default.
IPMAC Conflict - When multiple devices on the network have the same IP or MAC address, this can create routing issues for traffic being passed through the firewall. To avoid these issues, enable IPMAC Conflict to enable IP and MAC conflict detection. This feature is disabled by default.
Enable IPMAC Conflict Logging - Select this option to enable logging for IP and MAC address conflict detection. This feature is disabled by default.
IPMAC Conflict Action - Use the drop-down menu to set the action taken when a conflict is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
IPMAC Routing Conflict - Select this option to enable IPMAC Routing Conflict detection. This is also known as a Hole 196 attack. This feature helps detect whether a client is sending routed packets to the correct router MAC address.
Enable IPMAC Routing Conflict Logging - Select this option to enable logging for IPMAC Routing Conflict detection. This feature is disabled by default.
IPMAC Routing Conflict Action - Use the drop-down menu to set the action taken when an attack is detected. Options include Log Only, Drop Only or Log and Drop. The default setting is Log and Drop.
DNS Snoop Entry Timeout - Select this option and set a timeout, in seconds, for DNS Snoop entries. A DNS Snoop entry stores information such as client to IP address and client to default gateway(s) mappings, and this information is used to detect whether a client is sending routed packets to a wrong MAC address.
IP TCP Adjust MSS - Select this option and adjust the value for the maximum segment size (MSS) for TCP segments on the router. Set a value between 472 bytes and 1,460 bytes. The default value is 472 bytes.
TCP MSS Clamping - Select this option to enable TCP MSS Clamping. TCP MSS Clamping allows the maximum segment size of packets to be configured at a global level.
Max Fragments/Datagram - Set a value for the maximum number of fragments (between 2 and 8,129) allowed in a datagram before it is dropped. The default value is 140 fragments.
Max Defragmentations/Host - Set a value for the maximum number of defragmentations (between 1 and 16,384) allowed per host before packets are dropped. The default value is 8.
Min Length Required - Select this option and set a minimum length, between 8 bytes and 1,500 bytes, to enforce a minimum packet size before a packet is subject to fragment based attack prevention.
Virtual Defragmentation - Select this option to enable IPv4 and IPv6 virtual defragmentation to help prevent fragment based attacks, such as tiny fragments or a large number of fragments.
Virtual Defragmentation Timeout - Set a virtual defragmentation timeout from 1 to 60 seconds, applicable to both IPv4 and IPv6 packets.

4 Refer to the Firewall Enhanced Logging field to set the following parameters:
Log Dropped ICMP Packets - Use the drop-down menu to define how dropped ICMP packets are logged. Logging can be rate limited to one log entry every 20 seconds. Options include Rate Limited, All or None. The default setting is None.
Log Dropped Malformed Packets - Use the drop-down menu to define how dropped malformed packets are logged. Logging can be rate limited to one log entry every 20 seconds. Options include Rate Limited, All or None. The default setting is None.
Enable Verbose Logging - Check this box to enable verbose logging mode for the firewall.

5 The firewall policy allows traffic filtering at the application layer using the Application Layer Gateway feature. The Application Layer Gateway provides filters for the following common protocols:

FTP ALG - Select this option to allow FTP traffic through the firewall using its default ports. This feature is enabled by default.
TFTP ALG - Select this option to allow TFTP traffic through the firewall using its default ports. This feature is enabled by default.
PPTP ALG - Select this option to allow PPTP traffic through the firewall using its default ports. The Point-to-Point Tunneling Protocol (PPTP) is a network protocol that tunnels data from a remote client to an enterprise server by creating a VPN across TCP/IP-based data networks. PPTP encapsulates PPP packets into IP datagrams for transmission over the Internet or other public TCP/IP-based networks. Note that PPTP's MS-CHAPv2 authentication and MPPE encryption are considered broken; the ALG only lets the protocol traverse the firewall, it does not make it safe. This feature is enabled by default.
SIP ALG - Select this option to allow SIP traffic through the firewall using its default ports. This feature is enabled by default.
SCCP ALG - Select this option to allow SCCP traffic through the firewall using its default ports. This feature is enabled by default.
Facetime ALG - Select this option to allow FaceTime traffic through the firewall using its default ports. This feature is enabled by default.
DNS ALG - Enable this option to allow DNS traffic through the firewall using its default ports. This feature is enabled by default.

Each ALG opens dynamic pinholes for the secondary connections its protocol negotiates, so disable the ALGs for protocols that are not in use on the WLAN.

6 Select the Enable Stateful DHCP Checks check box to enable stateful checks of DHCP packet traffic through the firewall. The default setting is enabled. When enabled, all DHCP traffic flows are inspected.

7 Define Flow Timeout intervals for the following flow types impacting the Firewall:
Each flow timeout is defined in either Seconds (1 - 32,400), Minutes (1 - 540) or Hours (1 - 9).

TCP Close Wait - The default setting is 10 seconds.
TCP Established - The default setting is 90 minutes.
TCP Reset - The default setting is 10 seconds.
TCP Setup - The default setting is 10 seconds.
Stateless TCP Flow - The default setting is 90 seconds.
Stateless FIN/RESET Flow - The default setting is 10 seconds.
ICMP - The default setting is 30 seconds.
UDP - The default setting is 30 seconds.
Any Other Flow - The default setting is 30 seconds.

8 Refer to the TCP Protocol Checks field to set the following parameters:
Check TCP states where a SYN packet tears down the flow - Select the check box to allow a SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE and create a new flow. The default setting is enabled.
Check unnecessary resends of TCP packets - Select the check box to enable checking for unnecessary resends of TCP packets. The default setting is enabled.
Check Sequence Number in ICMP Unreachable error packets - Select the check box to enable sequence number checks in ICMP unreachable error packets that would abort an established TCP flow. The default setting is enabled.
Check Acknowledgment Number in RST packets - Select the check box to enable checking of the acknowledgment number in RST packets that would abort a TCP flow in the SYN state. The default setting is enabled.
Check Sequence Number in RST packets - Select the check box to check the sequence number in RST packets that would abort an established TCP flow. The default setting is enabled.

The three sequence and acknowledgment checks are what stop an off-path attacker from tearing down a flow with a forged RST or ICMP unreachable that does not carry an in-window value; keep them enabled unless a specific middlebox is known to break them.

9 Select OK to update the firewall policy's advanced common settings. Select Reset to revert to the last saved configuration.

10 Select the IPv6 Settings tab.

Figure 10-5 Wireless Firewall Add/Edit Advanced IPv6 Settings screen

11 Refer to the IPv6 Firewall Enable option to provide firewall support to IPv6 packet streams. This setting is enabled by default. Disabling IPv6 firewall support also disables proxy neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages, so these hosts require firewall packet protection specific to IPv6 traffic.

12 Select IPv6 Rewrite Flow Label to provide flow label rewrites for each IPv6 packet.
A flow is a sequence of packets from a particular source to a particular (unicast or multicast) destination. The flow label helps keep packet streams from looking like one massive flow, and flow label rewrites enable the re-classification of packets belonging to a specific flow. The flow label does nothing to eliminate the need for packet filtering. Flow label rewrites are disabled by default and must be manually enabled.

13 Select Enable Proxy ND to generate neighbor discovery responses on behalf of another controller, service platform or Access Point managed device. When enabled, any IPv6 packet received on an interface is parsed to see whether it is a neighbor solicitation. This setting is enabled by default.

14 Use the Event table to enable individual IPv6 specific events. IPv6 events can be individually enabled, or collectively enabled or disabled using the Enable All Events and Disable All Events buttons. The Description area displays a brief description of the selected event.

Event - The Event column lists the name of each IPv6 specific event subject to logging.
Enable - Checking Enable sets the firewall policy to filter the associated IPv6 event based on the selection in the Action column.
Action - If a filter is enabled, choose an action from the drop-down menu to determine how the firewall treats the associated IPv6 event. Log and Drop - An entry for the associated IPv6 event is added to the log and then the packets are dropped. Log Only - An entry for the associated IPv6 event is added to the log. No further action is taken. Drop Only - The packet is dropped. No further action is taken.
Log Level - To enable logging to the system log, check the box in the Log Level column. Then select a standard Syslog level from the Log Level drop-down menu.

15 Select OK to update the firewall policy's advanced IPv6 settings.
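The Denial of Service event rows above (Enable, Action, Log Level per event) and the precedence-ordered MAC firewall rules described in 10.1.2 are both applied per frame. The following Python is an added example, not WiNG or Extreme code, that models those two checks on constructed frames so their semantics can be exercised offline: masked MAC matching with lowest precedence value first, Log and Drop versus Log Only versus Drop Only, and the syslog level carried into the log line. The Frame field names, the sample MAC addresses, the policy rows and the rule that an unmatched frame falls through to the DoS checks are assumptions made for this example.

```python
# Added example (not WiNG/Extreme code): a small model of the per-frame checks
# in this section. Frame fields, sample MACs and the policy rows are assumptions.
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int = 0x0800  # 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6
    vlan: Optional[int] = None
    src_ip: str = ""
    dst_ip: str = ""
    proto: int = 0           # 6 TCP, 17 UDP
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0

def dos_events(f: Frame) -> List[str]:
    """Names (as in the Denial of Service table) of the events a TCP frame triggers."""
    hits = []
    if f.ethertype != 0x0800 or f.proto != 6:
        return hits
    if f.src_ip == f.dst_ip and f.sport == f.dport and f.tcp_flags & SYN:
        hits.append("LAND")              # SYN with target as both source and destination
    if f.tcp_flags == 0:
        hits.append("TCP Null Scan")     # no flags at all
    elif f.tcp_flags == FIN:
        hits.append("TCP FIN Scan")      # only FIN, no ACK
    elif f.tcp_flags & (FIN | URG | PSH) == (FIN | URG | PSH):
        hits.append("TCP XMAS Scan")
    return hits

# One row per event: (Enable, Action, Log Level). Events not listed are disabled.
DOS_POLICY = {
    "LAND":          (True, "Log and Drop", "warning"),
    "TCP Null Scan": (True, "Log and Drop", "notice"),
    "TCP FIN Scan":  (True, "Log Only", "notice"),
    "TCP XMAS Scan": (True, "Drop Only", None),
}

def apply_dos_policy(f: Frame, policy=DOS_POLICY) -> Tuple[str, List[str]]:
    """Return ('permit' | 'drop', syslog lines) after applying every enabled row."""
    verdict, logs = "permit", []
    for ev in dos_events(f):
        enabled, action, level = policy.get(ev, (False, None, None))
        if not enabled:
            continue
        if action != "Drop Only":
            logs.append(f"<{level}> dos {ev} {f.src_ip}:{f.sport} -> {f.dst_ip}:{f.dport}")
        if action != "Log Only":
            verdict = "drop"
    return verdict, logs

@dataclass
class MacRule:
    precedence: int               # lower values are applied first
    permit: bool                  # Allow column: Permit (True) or Deny (False)
    src: Optional[str] = None     # "aa:bb:cc:00:00:00/ff:ff:ff:00:00:00"; None = any
    dst: Optional[str] = None
    vlan: Optional[int] = None
    ethertype: Optional[int] = None

def mac_matches(pattern: Optional[str], mac: str) -> bool:
    """Masked MAC compare; a pattern without '/mask' must match exactly."""
    if pattern is None:
        return True
    addr, _, mask = pattern.partition("/")
    as_int = lambda m: int(m.replace(":", ""), 16)
    bits = as_int(mask) if mask else 0xFFFFFFFFFFFF
    return (as_int(addr) & bits) == (as_int(mac) & bits)

def mac_acl(rules: List[MacRule], f: Frame) -> Optional[bool]:
    """First rule that matches in precedence order wins; None = no rule matched."""
    for r in sorted(rules, key=lambda r: r.precedence):
        if (mac_matches(r.src, f.src_mac) and mac_matches(r.dst, f.dst_mac)
                and r.vlan in (None, f.vlan) and r.ethertype in (None, f.ethertype)):
            return r.permit
    return None

def inspect_frame(f: Frame, rules: List[MacRule]) -> Tuple[str, List[str]]:
    """MAC rules first; a denied frame never reaches the DoS checks. A frame that
    matches no MAC rule falls through to the DoS checks (an assumption here)."""
    if mac_acl(rules, f) is False:
        return "drop", [f"<notice> mac-acl deny {f.src_mac} -> {f.dst_mac}"]
    return apply_dos_policy(f)

# Constructed sample rules: block one client, permit the rest of its OUI,
# and keep ARP from being bridged on VLAN 20.
RULES = [
    MacRule(10, False, src="00:11:22:33:44:55"),
    MacRule(20, True, src="00:11:22:00:00:00/ff:ff:ff:00:00:00"),
    MacRule(30, False, ethertype=0x0806, vlan=20),
]

def demo() -> List[Tuple[str, List[str]]]:
    gw = "00:aa:bb:cc:dd:01"
    land = Frame("00:11:22:aa:bb:cc", gw, src_ip="10.0.0.9", dst_ip="10.0.0.9",
                 proto=6, sport=80, dport=80, tcp_flags=SYN)
    fin_scan = Frame("00:11:22:aa:bb:cc", gw, src_ip="10.0.0.9", dst_ip="10.0.0.1",
                     proto=6, sport=40000, dport=22, tcp_flags=FIN)
    return [inspect_frame(x, RULES) for x in (land, fin_scan)]
```

Running demo() shows the two outcomes that matter when tuning the Action column: the LAND frame is logged at warning and dropped, while the FIN scan is only logged and still forwarded because its row is Log Only. Precedence is a sort key, not an index, so inserting a rule with value 15 between the two OUI rules needs no renumbering.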
Select Reset to revert to the last saved configuration.

10.1.2 Configuring MAC Firewall Rules

MAC firewall rules are Layer 2 access control lists (ACLs): they filter or mark frames based on the source and destination MAC addresses (and optionally the VLAN, Ethertype and 802.1p priority) of traffic arriving on a physical Layer 2 interface, rather than on the IP addresses used by IP firewall rules. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation for packet traffic. NOTE: Once defined, a set of MAC firewall rules must be applied to an interface to be a functional filtering tool. To add or edit a MAC based Firewall Rule policy:
1 Select Configuration > Security > Wireless Firewall > MAC Firewall Rules to display existing MAC Firewall Rule policies.

Figure 10-6 MAC Firewall Rules screen

2 Select + Add Row to create a new MAC Firewall Rule. Select an existing policy and click Edit to modify the attributes of that rule's configuration.

3 Select the added row to expand it into configurable parameters for defining the MAC based firewall rule.

Figure 10-7 MAC Firewall Rules Add/Edit screen

4 If adding a new MAC Firewall Rule, provide a name up to 32 characters to help describe its filtering configuration.

5 Select a rule to modify it. Set the following parameters for the MAC firewall rule:
Allow - Every MAC firewall rule is made up of matching criteria. The Allow setting defines what to do with the packet if it matches the specified criteria. The following actions are supported: Deny - Instructs the firewall to prevent a packet from proceeding to its destination when filter conditions are met. Permit - Instructs the firewall to allow a packet to proceed to its destination when filter conditions are met.
VLAN ID - Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 and 4094.
Match 802.1P - Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0 - 7.
Source and Destination MAC - Enter both Source and Destination MAC addresses. The source MAC address and destination MAC address are used as basic matching criteria. Provide a mask if matching on only part of an address.
Action - The following actions are supported: Log - Events are logged for archive and analysis. Mark - Modifies certain fields inside the packet and then permits it; mark is therefore an action with an implicit permit. The fields that can be marked are:
- VLAN 802.1p priority.
- DSCP bits in the IP header.
- TOS bits in the IP header.
Mark, Log - Conducts both mark and log functions.
Traffic Class - Select this option to enable a spinner control for traffic class prioritization. Devices that originate a packet must identify a class or priority for packets. Devices use the traffic class field in the MAC header to set this priority.
Ethertype - Use the drop-down menu to specify an Ethertype of either ipv6, arp, wisp, or monitor 8021q. An EtherType is a two-octet field within an Ethernet frame. It is used to indicate which protocol is encapsulated in the payload of an Ethernet frame.
Precedence - Use the spinner control to specify a precedence for this MAC firewall rule between 1 - 1500. Rules with lower precedence values are always applied first to packets.
Description - Provide a description (up to 64 characters) for the rule to help differentiate it from others with similar configurations.

6 Select + Add Row as needed to add additional MAC firewall rule configurations. Select the - Delete Row icon as required to remove selected MAC firewall rules.

7 Select the EX3500 MAC ACL tab to define MAC firewall rules specific to the EX3500 switch. Select the added row to expand it into configurable parameters for defining the MAC based firewall rule for this model switch.

8 Select a rule to modify it. Define the following parameters for the MAC firewall rule:
Figure 10-8 EX3500 MAC ACL Add/Edit screen
Allow - Every EX3500 MAC ACL firewall rule is made up of matching criteria rules. The action defines what to do with a packet that matches the specified criteria. The following actions are supported:
Deny - Instructs the firewall to prevent a packet from proceeding to its destination.
Permit - Instructs the firewall to allow a packet to proceed to its destination.
VLAN ID - Enter the VLAN ID the rule matches. This is the VLAN representing the shared SSID each user employs to interoperate within the network once authenticated by the local RADIUS server. The VLAN ID can be between 1 and 4094.
VLAN Mask - Enter a VLAN ID bit mask value.
Source and Destination MAC - Enter both the source and destination MAC addresses. The source MAC address and destination MAC address are used as the basic matching criteria. Provide a mask if the match uses one.
Ethertype - Use the spinner control to specify an Ethertype. An EtherType is a two-octet field within an Ethernet frame that indicates which protocol is encapsulated in the frame's payload. Select a value in the range 0 - 65535. This field is enabled by default. The default value is 1.
Ethertype Mask - Use the spinner control to specify the Ethertype mask. Select a value in the range 0 - 65535. This field is enabled by default. The default value is 1.
Packet Type - Use the drop-down menu to select the packet type. The packet type can be one of all, tagged-eth2 or untagged-eth2.
Time Range - Use this field to select a time range during which this ACL is enabled. For more information, see EX3500 Time Range on page 10-64.
Precedence - Use the spinner control to specify a precedence for this MAC firewall rule between 1 - 1500. Rules with lower precedence values are always applied to packets first.
9 Select OK when completed to update the MAC firewall rules. Select Reset to revert the screen to its last saved configuration.
10.1.3 Firewall Deployment Considerations
Before defining a firewall configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:
Firewalls implement access control policies, so if you don't have an idea of what kind of access to allow or deny, a firewall is of little value. It's important to recognize that the firewall's configuration is a mechanism for enforcing a network access policy.
A role based firewall requires an advanced security license to apply inbound and outbound firewall policies to users and devices.
Firewalls cannot protect against tunneling over application protocols to poorly secured wireless clients.
Firewalls should be deployed on WLANs implementing weak encryption to minimize access to trusted networks and hosts in the event the WLAN is compromised.
Firewalls should be enabled when providing managed Hotspot guest access. Firewall policies should be applied to Hotspot enabled WLANs to prevent guest user traffic from being routed to trusted networks and hosts.
10.2 Configuring IP Firewall Rules
IP based firewalls function like Access Control Lists (ACLs) to filter/mark packets, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you don't have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security. IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying an IP ACL. Firewall rules are processed by a firewall supported device from first to last. When a rule matches the network traffic a controller or service platform is processing, the firewall uses that rule's action to determine whether the traffic is allowed or denied.
NOTE: Once defined, a set of IP firewall rules must be applied to an interface to be a functional filtering tool. There are separate policy creation mechanisms for IPv4 and IPv6 traffic.
With either IPv4 or IPv6, create access rules for traffic entering a controller, service platform or Access Point interface. If you are going to deny specific types of packets, it is recommended you do so before the controller, service platform or Access Point spends time processing them, since access rules are processed before other types of firewall rules.
IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
For more information, see:
Setting an IPv4 or IPv6 Firewall Policy
Setting an IP SNMP ACL Policy
Network Group Alias
Network Service Alias
EX3500 ACL Standard
EX3500 ACL Extended
10.2.1 Setting an IPv4 or IPv6 Firewall Policy
To define an IPv4 or IPv6 firewall policy:
1 Select Configuration > Security > IP Firewall.
2 Expand the IP Firewall menu item and select either the IPv4 ACL or IPv6 ACL menu option. The IPv4 Firewall Rules or IPv6 Firewall Rules screen displays the existing policies defined thus far.
Figure 10-9 IP Firewall Rules screen
3 Select Add to create a new IPv4 or IPv6 firewall rule. Select an existing policy and click Edit to modify the attributes of that policy's configuration.
4 Select the added row to expand it into configurable parameters for defining the IPv4 or IPv6 based firewall policy.
Figure 10-10 IP v4 Firewall Rules Add screen
Figure 10-11 IP v6 Firewall Rules Add screen
IP firewall configurations can either be modified as a collective group of variables or selected and updated individually when their filtering attributes require a more refined update.
a. Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
b. Click the icon within the Description column (top right-hand side of the screen) and select IP filter values as needed to add criteria to the configuration of the IP ACL.
Figure 10-12 IP Firewall Rules Add Criteria screen
Figure 10-13 IP Firewall Rules Add Criteria screen
NOTE: Only the selected IP ACL filter attributes display. Each value can have its current setting adjusted by selecting that IP ACL's column to display a pop-up for adjusting that one value.
5 Define the following IP firewall rule settings as required:
Precedence - Specify or modify a precedence for this IP policy between 1 - 5000. Rules with lower precedence values are always applied to packets first. If a precedence is modified to a higher integer, the rule moves down the table to reflect its lower priority.
Action - Every IP firewall rule is made up of matching criteria rules. The action defines the packet's disposition if it matches the specified criteria. The following actions are supported:
Deny - Instructs the firewall to restrict a packet from proceeding to its destination.
Permit - Instructs the firewall to allow a packet to proceed to its destination.
Source - Select the source IP address used as the basic matching criteria for this IP ACL rule.
Destination - Determine whether filtered packet destinations for this IP firewall rule require no classification (any), are designated by a network group alias of hosts, networks and address ranges (alias), are set as a single numeric IP address (host) or are defined as a network IP address and mask. Selecting alias requires that a destination network group alias be available or created.
Protocol - Set a service alias, a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Set an alphanumeric service alias (beginning with a $) and include the protocol as relevant.
Mark - Select an IP firewall rule's Mark checkbox to enable or disable packet marking and set the rule's 802.1p or DSCP level (from 0 - 7).
Log - Select an IP firewall rule's Log checkbox to enable or disable event logging for this rule's usage. This option displays for IPv4 based firewalls only.
Enable - Select an IPv4 firewall rule's Enable or Disable icon to determine this rule's inclusion in the IP firewall policy.
Description - Lists the administrator assigned description applied to the IP ACL rule. Select a description within the table to modify its character string as filtering changes warrant. Select the icon within the Description table header to launch a Select Columns screen used to add or remove IP ACL criteria from the table.
6 Select Add to add additional IP firewall rule configurations. Select Remove to remove selected IP firewall rules as they become obsolete for filtering network access permissions.
7 Select OK when completed to update the IP firewall rules. Select Reset to revert the screen back to its last saved configuration.
10.2.2 Setting an IP SNMP ACL Policy
SNMP performs network management functions using a data structure called a Management Information Base (MIB). SNMP is widely implemented but not very secure, since SNMPv1 and SNMPv2c use only cleartext community strings to control access to the controller or service platform configuration. Use SNMP ACLs to help reduce SNMP's exposure by restricting which hosts and networks may query the agent, as SNMP traffic can also be exploited to produce a denial of service (DoS).
To create an IP SNMP ACL:
1 Select Configuration > Security > IP Firewall.
2 Expand the IP Firewall menu item and select IP SNMP ACL.
3 Select Add to create a new SNMP firewall rule. Select an existing policy and click Edit to modify the attributes of that policy's configuration. Existing policies can be removed by highlighting them and selecting Delete.
Figure 10-14 IP Firewall Rules screen
Figure 10-15 IP SNMP ACL Add screen
4 Provide the new IP SNMP ACL a Name up to 32 characters in length to help distinguish this ACL from others with similar rules.
5 Select + Add Row to launch a sub screen where the ACL's permit/deny and network type rules can be applied.
Allow - Select this option to allow the SNMP MIB object traffic. The default setting is to permit SNMP traffic.
Type - Define whether the permit or deny rule applied to the ACL is specific to a Host IP address, a Network address and subnet mask, or applies to Any. The default setting is Network.
6 Select Add to add additional IP firewall rule configurations. Select Remove to remove selected IP firewall rules as they become obsolete for filtering network access permissions.
7 Select OK when completed to update the IP firewall rules. Select Reset to revert the screen back to its last saved configuration.
10.2.3 Network Group Alias
A network group alias is a set of configurations consisting of host and network configurations. Network configurations are complete networks in the form of 192.168.10.0/24 or an IP address range in the form of 192.168.10.10-192.168.10.20. Host configurations are in the form of a single IP address, 192.168.10.23. A network group alias can contain multiple definitions for a host, network, and IP address range.
A maximum of eight (8) host entries, eight (8) network entries and eight (8) IP address range entries can be configured inside a network group alias. A maximum of 32 network group alias entries can be created.
To set a network group alias configuration for an IP firewall:
1 Select Configuration > Security > IP Firewall > Network Group Alias from the Web UI.
2 Select the Add button, or highlight an existing Network Group Alias and select Edit.
Figure 10-16 IP Firewall Network Group Alias screen
Name - Displays the administrator assigned name associated with the network group alias.
Host - Displays all the host aliases in the listed network group alias. Displays a blank column if no host alias is defined.
Network - Displays all network aliases in the listed network group alias. Displays a blank column if no network alias is defined.
3 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies. Use Copy to create a copy of the selected policy and modify it for further use. Use Rename to rename the selected policy.
4 Either use the Add button to create a new Network Group Alias or select an existing policy and click Edit to edit it.
Figure 10-17 Network Group Alias Add screen
If adding a new Network Group Alias, provide it a name up to 32 characters. The network group alias name always starts with a dollar sign ($).
5 Define the following network group alias parameters:
Host - Specify the Host IP address for up to eight IP addresses supporting network aliasing. Select the down arrow to add the IP address to the table.
Network - Specify the network address and netmask for up to eight networks supporting network aliasing. Subnets can improve network security and performance by organizing hosts into logical groups. Applying the subnet mask to an IP address separates the address into a host address and an extended network address. Select the down arrow to add the mask to the table.
6 Within the Range table, use the + Add Row button to specify the Start IP address and End IP address for the alias range, or double-click on an existing alias range entry to edit it.
7 Select OK when completed to update the network alias rules. Select Reset to revert the screen back to its last saved configuration.
10.2.4 Network Service Alias
A Network Service Alias is a set of configurations that consist of protocol and port mappings. Both source and destination ports are configurable. For each protocol, up to 2 source port ranges and up to 2 destination port ranges can be configured. A maximum of 4 protocol entries can be configured per network service alias.
Use a service alias to refer to a set of protocols and port ranges by a single name, so that several firewall rules can reference the same service definition rather than repeating the protocol and port criteria in each rule.
To define a service alias configuration for an IP firewall:
1 Select Configuration > Security > IP Firewall > Network Service Alias from the Web UI. The Network Service Alias screen displays within the main portion of the Web UI.
2 From the Network Service Alias screen, either select the Add button or highlight an existing alias and select Edit.
Figure 10-18 IP Firewall Network Service Alias screen
3 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies. Use Copy to create a copy of the selected policy and modify it for further use. Use Rename to rename the selected policy.
4 Either use the Add button to create a new Network Service Alias or select an existing alias and click Edit to modify it.
Figure 10-19 IP Firewall Network Service Alias Add screen
If adding a new Network Service Alias, provide it a name up to 32 characters. Ensure a $ precedes the name.
5 Select + Add Row and provide the following configuration parameters:
Protocol - Specify the protocol for which the alias is created. Use the drop-down to select the protocol from eigrp, gre, icmp, igmp, ip, vrrp, igp, ospf, tcp and udp. Select other if the protocol is not listed. When a protocol is selected, its protocol number is filled in automatically.
Source Port (Low and High) - This field is only relevant if the protocol is either tcp or udp. Specify the source ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) ranges can be specified.
Destination Port (Low and High) - This field is only relevant if the protocol is either tcp or udp. Specify the destination ports for this protocol entry. A range of ports can be specified. Select the Enter Ranges button next to the field to enter a lower and higher port range value. Up to eight (8) such ranges can be specified.
6 Within the Range field, use the + Add Row button to specify the Start IP address and End IP address for the service alias range, or double-click on an existing service alias range entry to edit it.
7 Select OK when completed to update the service alias rules. Select Reset to revert the screen back to its last saved configuration.
10.2.5 EX3500 ACL Standard
A Standard ACL for the EX3500 is a policy-based ACL that either prevents or allows specific clients from using the device. An ACL affords a system administrator the ability to grant or restrict client access by specifying that traffic from a specific host or a specific network is either denied or permitted.
To define a standard ACL for the EX3500:
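The rule evaluation described in 10.2 (lowest precedence value first, first match wins, Mark as an action with an implicit permit, Log as a side effect, disabled rules ignored) together with the network group alias of 10.2.3 and the network service alias of 10.2.4, as an added Python example. This is illustration code written for this page, not WiNG firmware or CLI; the class and function names, the $-prefixed sample aliases, the sample rule set and the deny-if-nothing-matches default are all assumptions, since the guide does not state what happens to a packet that matches no rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_ALIAS_ENTRIES = 8  # the guide allows 8 hosts, 8 networks and 8 ranges per alias


class NetworkGroupAlias:
    """$-prefixed name for a set of hosts, networks (CIDR) and address ranges."""
    def __init__(self, name, hosts=(), networks=(), ranges=()):
        if not name.startswith("$"):
            raise ValueError("alias names must start with $")
        if max(len(hosts), len(networks), len(ranges)) > MAX_ALIAS_ENTRIES:
            raise ValueError("at most 8 hosts, 8 networks and 8 ranges per alias")
        self.hosts = [ipaddress.ip_address(h) for h in hosts]
        self.networks = [ipaddress.ip_network(n, strict=False) for n in networks]
        self.ranges = [(ipaddress.ip_address(lo), ipaddress.ip_address(hi)) for lo, hi in ranges]

    def contains(self, addr):
        ip = ipaddress.ip_address(addr)
        return (ip in self.hosts or any(ip in net for net in self.networks)
                or any(lo <= ip <= hi for lo, hi in self.ranges))


class NetworkServiceAlias:
    """$-prefixed name for (protocol, source port ranges, destination port ranges) entries."""
    def __init__(self, name, entries):
        if not name.startswith("$"):
            raise ValueError("alias names must start with $")
        self.entries = list(entries)

    def matches(self, proto, sport, dport):
        for p, src_ranges, dst_ranges in self.entries:
            if p != proto:
                continue
            if p not in ("tcp", "udp"):  # port ranges only apply to tcp and udp
                return True
            in_src = not src_ranges or any(lo <= sport <= hi for lo, hi in src_ranges)
            in_dst = not dst_ranges or any(lo <= dport <= hi for lo, hi in dst_ranges)
            if in_src and in_dst:
                return True
        return False


def addr_matches(spec, addr):
    # spec is "any", a NetworkGroupAlias, a host ("10.0.0.5") or a network ("10.0.0.0/24")
    if spec == "any":
        return True
    if isinstance(spec, NetworkGroupAlias):
        return spec.contains(addr)
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass
class IPRule:
    precedence: int  # 1 - 5000; lower values are evaluated first
    action: str  # "permit" or "deny"
    source: object = "any"
    destination: object = "any"
    service: Optional[NetworkServiceAlias] = None  # None matches any protocol and port
    mark_dscp: Optional[int] = None  # Mark rewrites the packet and then permits it
    log: bool = False
    enabled: bool = True
    description: str = ""


def evaluate(rules, src, dst, proto, sport=0, dport=0, log=None):
    """First match wins in ascending precedence; disabled rules are skipped. Returns
    (verdict, matching rule, DSCP to write or None). Assumption: no match means deny."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if not rule.enabled:
            continue
        if not (addr_matches(rule.source, src) and addr_matches(rule.destination, dst)):
            continue
        if rule.service is not None and not rule.service.matches(proto, sport, dport):
            continue
        if rule.log and log is not None:
            log.append(f"rule {rule.precedence} {rule.action}: {src} -> {dst} {proto}/{dport}")
        if rule.mark_dscp is not None:  # mark is an action with an implicit permit
            return "permit", rule, rule.mark_dscp
        return rule.action, rule, None
    return "deny", None, None


# Constructed sample policy; addresses follow the guide's alias examples.
TRUSTED = NetworkGroupAlias("$trusted", hosts=["192.168.10.23"], networks=["192.168.20.0/24"],
                            ranges=[("192.168.10.10", "192.168.10.20")])
GUESTS = NetworkGroupAlias("$guests", networks=["10.200.0.0/16"])
WEB = NetworkServiceAlias("$web", [("tcp", [], [(80, 80), (443, 443)])])
ICMP = NetworkServiceAlias("$icmp", [("icmp", [], [])])
RULES = [
    IPRule(10, "deny", source=GUESTS, destination=TRUSTED, log=True, description="guests never reach trusted hosts"),
    IPRule(15, "deny", source=GUESTS, service=WEB, enabled=False, description="disabled, so skipped"),
    IPRule(20, "permit", source=GUESTS, service=WEB, mark_dscp=0, description="guest web, remarked best effort"),
    IPRule(30, "permit", source=TRUSTED, service=ICMP),
    IPRule(40, "permit", source=TRUSTED, service=WEB, mark_dscp=46, description="trusted web, marked EF"),
    IPRule(5000, "deny", description="explicit catch-all"),
]

if __name__ == "__main__":
    events = []
    print(evaluate(RULES, "10.200.1.5", "192.168.10.15", "tcp", 40000, 443, log=events), events)
```

Running the file shows the guest-to-trusted flow denied and logged by rule 10 even though rule 20 would permit it; raise rule 10's precedence above 20 and the same flow is permitted and remarked, which is the ordering mistake the precedence field exists to prevent. The alias limits (8 hosts, 8 networks, 8 ranges, $-prefixed name) are enforced in the constructors, and the service alias ignores ports for anything other than tcp and udp, as the port fields in the table above describe.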
1 Select Configuration > Security > IP Firewall > EX3500 ACL Standard from the Web UI. The EX3500 ACL Standard screen displays within the main portion of the Web UI.
Figure 10-20 EX3500 ACL Standard screen
2 Select Add to create a new ACL, Edit to modify the attributes of an existing ACL or Delete to remove obsolete ACLs. Use Copy to create a copy of the selected ACL and modify it for further use. Use Rename to rename the selected ACL.
3 Either use the Add button to create a new EX3500 Standard ACL or select an existing ACL and click Edit to edit it. The following screen displays.
Figure 10-21 EX3500 ACL Standard - Add/Edit screen
4 If adding a new EX3500 ACL Standard, provide it a name up to 32 characters.
5 To add a new standard rule, click Add Row.
Figure 10-22 EX3500 ACL Standard - Add Standard Rule screen
6 Provide the following details:
Source IP Address - Use this drop-down menu to provide the source information. The source IP address can be one of Any, Host or Network. When selecting Host, provide the IP address of the host device. When selecting Network, provide the IP address of the network along with the mask.
Allow - Use this drop-down menu to indicate the action to be performed. Select from Permit or Deny.
Time Range - From the drop-down menu, select the pre-configured time range to use for this ACL. Select None to indicate no preference. For more information on time ranges, see EX3500 Time Range on page 10-64.
7 Select OK when completed to update the EX3500 Standard ACL. Select Reset to revert the screen back to its last saved configuration.
10.2.6 EX3500 ACL Extended
An extended ACL is comprised of access control entries (ACEs). Each ACE specifies a source and destination for matching and filtering traffic to the EX3500 switch. An ACL affords a system administrator the ability to grant or restrict client access by specifying that traffic from a specific host or a specific network is either denied or permitted. IP based firewalls function like Access Control Lists (ACLs) to filter/mark packets, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you do not have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security. IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned. Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying an IP ACL. Firewall rules are processed by a firewall supported device from first to last.
When a rule matches the network traffic a controller or service platform is processing, the firewall uses that rule's action to determine whether the traffic is allowed or denied.
To configure an extended ACL on the EX3500:
1 Select Configuration > Security > IP Firewall > EX3500 ACL Extended from the Web UI.
Figure 10-23 EX3500 ACL Extended screen
2 Select Add to create a new ACL, Edit to modify the attributes of an existing ACL or Delete to remove obsolete ACLs. Use Copy to create a copy of the selected ACL and modify it for further use. Use Rename to rename the selected ACL.
3 Either use the Add button to create a new EX3500 Extended ACL or select an existing ACL and click Edit to edit it. The following screen displays.
Figure 10-24 EX3500 ACL Extended - Add/Edit screen
EX3500 extended ACL configurations can either be modified as a collective group of variables or selected and updated individually if their filtering attributes require a more refined update.
a Select the Edit Rule icon to the left of a particular IP firewall rule configuration to update its parameters collectively.
Figure 10-25 EX3500 ACL Extended - Add Criteria screen
b Click the icon located at the top right-hand side of the screen and select the values as needed to add or hide criteria in the configuration of the extended ACL.
Figure 10-26 EX3500 ACL Extended - Select Fields screen
4 Define the following Extended ACL rule settings as required:
Precedence - Specify or modify a precedence for this ACL between 1 - 128. Rules with lower precedence values are always applied to packets first. If a precedence is modified to a higher integer, the rule moves down the table to reflect its lower priority.
Action - Every ACL rule is made up of matching criteria rules. The action defines what is done with a packet that matches the specified criteria. The following actions are supported:
Deny - Instructs the firewall to restrict a packet from proceeding to its destination.
Permit - Instructs the firewall to allow a packet to proceed to its destination.
Source - Use this drop-down menu to provide the source information. The source IP address can be one of Any, Host or Network. When selecting Host, provide the IP address of the host device. When selecting Network, provide the IP address of the network along with the mask.
Destination - Use this drop-down menu to provide the destination information. The destination IP address can be one of Any, Host or Network. When selecting Host, provide the IP address of the host device. When selecting Network, provide the IP address of the network along with the mask.
Protocol - Set a service alias, a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Depending on the selected protocol, other fields might become visible and can be configured.
Time Range - Use the drop-down menu to configure a time range during which this ACL is applicable. For more information on configuring time ranges, see EX3500 Time Range.
DSCP - Differentiated Services Code Point (DSCP) is a simple mechanism for classifying and managing network traffic and providing QoS. Use the spinner to select a value in the range 0 - 63. Use this value to classify and mark packets that match the criteria specified in this extended ACL rule. Either DSCP or IP Header Precedence can be configured; the two fields cannot be configured together.
IP Header Precedence - Use this field to set the precedence value in the IP header. Use the spinner to select a value in the range 0 - 7. Use this value to classify and mark packets that match the criteria specified in this extended ACL rule. Either DSCP or IP Header Precedence can be configured; the two fields cannot be configured together.
5 Select OK when completed to update the EX3500 Extended ACL. Select Reset to revert the screen back to its last saved configuration.
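Why the DSCP and IP Header Precedence fields are mutually exclusive, as an added Python example (not EX3500 code; the function names are assumptions): both values are written into the same IPv4 ToS byte, where IP Precedence (RFC 791) is the top three bits and DSCP (RFC 2474) the top six, so a DSCP mark already fixes the precedence and a precedence mark overwrites the top half of any DSCP value.

```python
def tos_from_mark(dscp=None, precedence=None):
    """ToS byte produced by a rule that marks either DSCP (0-63) or
    IP Precedence (0-7). Exactly one of the two must be given, as the
    EX3500 extended ACL form requires."""
    if (dscp is None) == (precedence is None):
        raise ValueError("mark exactly one of DSCP or IP Precedence")
    if dscp is not None:
        if not 0 <= dscp <= 63:
            raise ValueError("DSCP must be 0-63")
        return dscp << 2  # DSCP occupies bits 7-2; ECN bits 1-0 stay clear
    if not 0 <= precedence <= 7:
        raise ValueError("IP Precedence must be 0-7")
    return precedence << 5  # precedence occupies bits 7-5


def decode_tos(tos):
    """The three overlapping views of one ToS byte."""
    return {"dscp": tos >> 2, "precedence": tos >> 5, "ecn": tos & 0x3}


def apply_mark(tos, dscp=None, precedence=None):
    """Rewrite an existing ToS byte the way a matching rule would: a DSCP mark
    replaces bits 7-2 and keeps ECN; a precedence mark replaces only bits 7-5,
    so the low three DSCP bits of the original packet survive."""
    if (dscp is None) == (precedence is None):
        raise ValueError("mark exactly one of DSCP or IP Precedence")
    if dscp is not None:
        return (tos & 0x03) | (dscp << 2)
    return (tos & 0x1F) | (precedence << 5)


def marks_agree(dscp, precedence):
    """True only when the precedence value equals the top three bits of the
    DSCP value, the single case in which setting both would not conflict."""
    return (dscp >> 3) == precedence
```

Marking DSCP 46 (EF) yields ToS 0xB8, which decodes to precedence 5; marking precedence 5 on its own yields 0xA0, which decodes to DSCP 40 (CS5), so the two marks are not independent and one of them would silently rewrite the other. This is the reason the form accepts only one of the two.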
10.3 Wireless Client Roles
Define wireless client roles to filter clients based on matching policies. Matching policies (much like ACLs) are sequential collections of permit and deny conditions that apply to packets received from connected clients. When a packet is received from a client, the controller or service platform compares the fields in the packet against the applied matching policy rules to verify the packet has the required permissions to be forwarded, based on the criteria specified. If a packet does not meet any of the criteria specified, the packet is dropped.
Additionally, wireless client connections are also managed by granting or restricting access by specifying a range of IP or MAC addresses to include or exclude from connectivity. These MAC or IP access control mechanisms are configured as Firewall Rules to further refine client filter and matching criteria.
10.3.1 Configuring a Client's Role Policy
To configure a wireless client's role policy and matching criteria:
1 Select Configuration > Security > Wireless Client Roles. The Wireless Client Roles screen displays the names of the client role policies created thus far.
2 Select Add to create a new Wireless Client Role policy, Edit to modify an existing policy or Delete to remove a policy. The LDAP Settings tab displays by default.
Figure 10-27 Wireless IPS screen
3 In the Configuration section, define the following LDAP server parameters:
Figure 10-28 Wireless Client LDAP Settings screen
LDAP Query - If LDAP attributes are enabled for the selected wireless client role policy, select an LDAP query mode of either Internal (Self) or Through Wireless Controller. Select Internal (Self) to use the local LDAP server resources configured in the LDAP Server Options.
Dead Period - When using an external LDAP server, select the Dead Period between 60 and 300 seconds. The Dead Period is the timeout value before the system attempts to rebind with the LDAP server.
Timeout - When using an external LDAP server, select a Timeout value to specify how long a delay between requests and responses is allowed before LDAP bind and queries are timed out.
4 In the LDAP Server Options section, use the + Add Row button to add an LDAP server to the list or double-click on an existing LDAP server entry to edit it. When adding or editing the LDAP server options, define the following parameters:
ServerId - When adding or editing an LDAP server entry, enter the LDAP server ID as either 1 or 2.
Host - When adding or editing an LDAP server entry, enter the LDAP server's fully qualified domain name or IP address in the Host field.
Bind DN - When adding or editing an LDAP server entry, enter the LDAP server's bind distinguished name in the Bind DN field.
Base DN - When adding or editing an LDAP server entry, enter the LDAP server's base distinguished name in the Base DN field.
Bind Password - When adding or editing an LDAP server entry, enter the password for the bind. Click the Show button to display the password.
Port - When adding or editing an LDAP server entry, enter the LDAP server port number. To select from a list of frequently used services and their corresponding port numbers, use the drop-down menu and select a service.
5 Click on the Roles tab. If no policies have been created, a default wireless client role policy can be applied. The Roles screen lists existing policies. Any of these existing policies can be selected and edited, or a new role can be added.
6 Refer to the following configuration data for existing roles:
Figure 10-29 Wireless Client Roles screen
Role Name - Displays the name assigned to the client role policy when it was initially created.
Precedence - Displays the precedence number associated with each role. Precedence numbers determine the order in which roles are applied. Roles with lower numbers are applied before those with higher numbers. Precedence numbers are assigned when a role is created or modified, and two or more roles can share the same precedence.
7 Select Add to create a new wireless client role policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available. The Role Policy Roles screen displays with the Settings tab displayed by default.
Figure 10-30 Wireless Client Roles screen - Settings tab
8 If creating a new role, assign it a Role Name to help differentiate it from others that may have a similar configuration. The role policy name cannot exceed 64 characters. The name cannot be modified as part of the edit process.
9 Within the Role Precedence field, use the spinner control to set a numerical precedence value between 1 - 10,000. Precedence determines the order in which roles are applied. Roles with lower numbers are applied before those with higher numbers. While there's no default precedence for a role, two or more roles can share the same precedence.
10 Use the Discovery Policy drop-down menu to specify the Bonjour Gateway. Bonjour provides a method to discover services on a local area network (LAN). Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.
11 Within the Client Identity field, define the client type (Android etc.) used as matching criteria within the client role policy. Create new client identity types or edit existing ones as required.
12 Refer to the Match Expressions field to create filter rules based on AP locations, SSIDs and RADIUS group memberships.
AP Location - Use the drop-down menu to specify the location of an Access Point matched in an RF Domain or the Access Point's resident configuration. Select one of the following filter options:
Exact - The role is only applied to Access Points with the exact location string specified in the role. Contains - The role is only applied to Access Points whose location contains the location string specified in the role. Does Not Contain - The role is only applied to Access Points whose location does not contain the location string specified in the role. Any - The role is applied to any Access Point location. This is the default setting. Group Configuration SSID Configuration Use the drop-down menu to define a wireless client filter option based on how the SSID is specified in a WLAN. Select one of the following options:
Exact - The role is only applied when the exact SSID string specified in the role. Contains - The role is only applied when the SSID contains the string specified in the role. Does Not Contain - The role is applied when the SSID does not contain the string specified in the role. Any - The role is applied to any SSID Location. This is the default setting. Use the drop-down menu to define a wireless client filter option based on how the RADIUS group name matches the provided expression. Select one of the following options:
Exact - The role is only applied when the exact Radius Group Name string is specified in the role. Contains - The role is applied when the Radius Group Name contains the string specified in the role. Does Not Contain - The role is applied when the Radius Group Name does not contain the string specified in the role Any - The role is applied to any RADIUS group name. This is the default setting. Use the drop-down menu to define a filter option based on how the RADIUS user name (1-255 characters in length) matches the provided expression. Select one of the following options:
Exact - The role is only applied when the exact Radius user string is specified in the role. Starts With - The role is applied when the Radius user starts with the string specified in the role. Contains - The role is applied when the Radius user contains the string specified in the role. Does Not Contain - The role is applied when the Radius user does not contain the string specified in the role. Any - The role is applied to any RADIUS user name. This is the default setting. Radius User 13 Use the Wireless Client Filter parameter to define a wireless client MAC address filter that is applied to each role. Select the Any radio button to use any MAC address. The default is Any. Wireless Controller and Service Platform System Reference Guide 10 - 38 Security 14 Refer to the Captive Portal Connection parameter to define when wireless clients are authenticated when making a captive portal authentication request. Secure guest access is referred to as captive portal. A captive portal is guest access policy for providing temporary and restrictive access to the wireless network. Existing captive portal policies can be applied to a WLAN to provide secure guest access. 15 Select the Pre-Login check box to conduct captive portal client authentication before the client is logged. Select Post-Login to have the client share authentication credentials after it has logged into the network. Select Any (the default setting) makes no distinction on whether authentication is conducted before or after the client has logged in. 16 Use the Authentication / Encryption field to set the authentication and encryption filters applied to this wireless client role. The options for both authentication and encryption are:
Equals - The role is only applied when the authentication and encryption type matches the exact method(s) specified by the radio button selections.
Not Equals - The role is only applied when the authentication and encryption type does not match the exact method(s) specified by the radio button selections.
Any - The role is applied to any type. This is the default setting for both authentication and encryption.

17 Use the + (plus sign) to the left of the LDAP Attributes label to expand it. Set the following LDAP Attributes for the role policy. The following filter criteria apply to each LDAP attribute:
Exact - The role is only applied when the exact string is specified in the role.
Contains - The role is applied when the LDAP attribute contains the string specified in the role.
Does Not Contain - The role is applied when the LDAP attribute does not contain the string specified in the role.
Any - The role is applied to any LDAP attribute. This is the default setting.

City - Enter a 2-31 character name of the city filtered in the role.
Company - Enter a 2-31 character name of the organizational company filtered in the role.
Country - Enter a 2-31 character name of the country (co) filtered in the role.
Department - Enter a 2-31 character name of the organizational department filtered in the role.
Email - Enter a 2-31 character description of the Email address filtered in the role.
Employee id - Enter a 2-31 character name of the employee ID filtered in the role.
State - Enter a 2-31 character name of the state filtered in the role.
Title - Enter a 2-31 character name of the job or organizational title filtered in the role.
Member Of - Provide a 64 character maximum description of the group membership in the role.

18 Select OK to update the Settings screen. Select Reset to revert to the last saved configuration.

19 Select the Firewall Rules tab to set default Firewall rules for Inbound and Outbound IP and MAC Firewall rules.

Figure 10-31 Wireless Client Roles screen - Firewall Rules tab

A firewall is a mechanism enforcing access control, and is considered a first line of defense in protecting proprietary information within the network. The means by which this is accomplished varies, but in principle, a firewall can be thought of as mechanisms both blocking and permitting data traffic based on inbound and outbound IP and MAC rules. IP based firewall rules are specific to source and destination IP addresses and the unique rules and precedence orders assigned.
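The role resolution described in steps 12 through 17 (precedence order, the Exact / Starts With / Contains / Does Not Contain / Any match modes, LDAP attribute filters) can be summarised in a few lines of code. The following is an added example written for this page, not WiNG code; it assumes its own client and role record shapes, that a client receives the first role in ascending precedence order whose expressions all match, that roles sharing a precedence keep their configured order, and that an attribute the client never supplied (for instance when no LDAP lookup happened) satisfies only an Any expression.

```python
"""Added example (not WiNG code): resolving a wireless client's role from the
Match Expressions and LDAP attribute filters of a wireless client role policy.

Assumptions (not on the page): the client and role record shapes; a client is
given the first role, in ascending precedence order, whose expressions all
match; roles sharing a precedence keep their configured order; an attribute
absent from the client only satisfies an 'Any' expression.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


def matches(mode: str, value: Optional[str], pattern: str) -> bool:
    """Apply one match mode from the role policy screens."""
    if mode == "Any":
        return True
    if value is None:                 # attribute not supplied: fail closed
        return False
    if mode == "Exact":
        return value == pattern
    if mode == "Starts With":
        return value.startswith(pattern)
    if mode == "Contains":
        return pattern in value
    if mode == "Does Not Contain":
        return pattern not in value
    raise ValueError(f"unknown match mode {mode!r}")


@dataclass
class Role:
    name: str
    precedence: int                      # 1 - 10,000; lower numbers applied first
    # attribute -> (mode, pattern); attributes not listed default to Any
    expressions: dict = field(default_factory=dict)


def select_role(client: dict, roles: list[Role]) -> Optional[Role]:
    """Return the first role whose expressions all match, or None."""
    # sorted() is stable, so roles sharing a precedence keep configuration order
    for role in sorted(roles, key=lambda r: r.precedence):
        if all(matches(mode, client.get(attr), pattern)
               for attr, (mode, pattern) in role.expressions.items()):
            return role
    return None


# Constructed role policy: the catch-all carries the highest precedence number
# so it is only reached when nothing more specific matched.
ROLES = [
    Role("guest-portal", 200, {"ssid": ("Exact", "Guest"),
                               "captive_portal": ("Exact", "Post-Login")}),
    Role("engineering", 100, {"radius_group": ("Contains", "eng"),
                              "ap_location": ("Does Not Contain", "lobby"),
                              "ldap_department": ("Starts With", "R&D")}),
    Role("catch-all", 10000),
]


def demo() -> tuple[str, str, str]:
    """Classify three constructed clients against ROLES."""
    eng = {"ssid": "Corp", "radius_group": "eng-wireless",
           "ap_location": "bldg2-floor3", "ldap_department": "R&D Firmware"}
    lobby = dict(eng, ap_location="bldg1-lobby")     # same user, lobby AP
    guest = {"ssid": "Guest", "captive_portal": "Post-Login"}
    return tuple(select_role(c, ROLES).name for c in (eng, lobby, guest))
```

The point worth checking in a real policy is the order: because the engineering role has the lower precedence number it is evaluated before the guest role, and the lobby client drops to the catch-all because its AP location fails the Does Not Contain expression, even though the RADIUS group still matches.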
Both IP and non-IP traffic on the same Layer 2 interface can be filtered by applying both an IP ACL and a MAC ACL. Additionally, administrators can filter Layer 2 traffic on a physical Layer 2 interface using MAC addresses. A MAC firewall rule uses source and destination MAC addresses for matching operations, where the result is a typical allow, deny or mark designation to packet traffic.

20 Set the Vlan ID (from 1 - 4094) for the virtual LAN used by clients matching the IP or MAC inbound and outbound rules of this policy.

21 Use the drop-down to select the appropriate Application Policy to use with this firewall rule. An application policy defines the rules or actions executed on recognized HTTP (Facebook), enterprise (Webex) and peer-to-peer (gaming) applications or application categories.

22 Select the URL Filter used as the content filter for the Firewall Rule. If a policy requires creation, select the Create icon. If an existing policy requires modification, select the Edit icon button and update this existing policy as needed. A URL filter is comprised of several filter rules. To construct a filter rule, either whitelist or blacklist a filter level, category type, category or a custom category. A whitelist bans all sites except the categories and lists defined in the whitelist. The blacklist allows all sites except the categories and lists defined in the blacklist.

23 Enter a 32 character maximum Name for the URL filter and select Continue.

Figure 10-32 Wireless Client Roles screen - Web Filter Rules tab

24 Select Add to create a new Web filter rule configuration, or select an existing configuration then Edit to modify the attributes of an existing Web filter rule. For more information on Web filters, see Web Filtering on page 7-67.

25 Define the following filter rule settings:
Figure 10-33 Wireless Client Roles screen - Add/Edit Web Filter Rules

Precedence - Set a precedence (priority) from 1 - 500 for the filter rule's utilization versus other filter rules. 1 is the highest priority and 500 the lowest.
Method - Select either Whitelist or Blacklist to specify whether the rule is for inclusion or exclusion. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
Filter Type - If the Filter Type is set to category, use the drop-down menu to select from a list of predefined categories to align with the whitelist or blacklist Method designation and the precedence assigned.
Category - A category is a pre-defined URL list available in the WiNG software. If category is selected as the Filter Type, the Category drop-down menu becomes enabled for the selection of an existing URL type to whitelist or blacklist. Categories are based on an external database, and cannot be modified or removed. Custom categories can be created with the URL List and added to the database.
Category Type - When category_type is selected as the Filter Type, select an existing category type (adult-content, security-risk etc.) and either blacklist or whitelist the URLs in that category type. There are 12 category types available.
Level - Basic, Low, Medium, Medium-High and High filter levels are available. Each level is pre-configured to use a set of category types. The user cannot change the categories in the category types used for these pre-configured filter-level settings, nor add, modify or remove the category types mapped to the filter-level setting.
URL List - URL lists are customized categories included in the custom filter-level setting. URL lists enable an administrator to blacklist or whitelist URLs in addition to the built-in categories.
Description - Enter an 80 character maximum description for this Web filter rule to help differentiate it from others with similar category include or exclude rule configurations.

26 Select OK to save the changes to the Web Filter Rule. Select Exit to close the screen without saving the updates.

27 Select the URL Error Page tab to define the configuration and layout of a URL error page launched when a Web filter rule is invoked and an error page needs to be displayed to a user instead of their expected Web page.

Figure 10-34 Wireless Client Roles screen - Web Filter Rules URL Error Page

28 Set the following URL Error Page display properties:
Name - Provide a 32 character maximum name for the title of the blocking page. The name should help convey that this page is launched to prevent the client's requested page from displaying.
Description - Provide an 80 character maximum description of the page to help differentiate it from other pages with similar page restriction properties.
Page Path - Set the path to the page sent back to the client browser explaining the reason for blocking the client's requested URL. It can be generated internally at the time the page is sent, or be a URL to an External Web server if the administrator chooses to utilize a customized page. The default setting is Internal, requiring the administrator to define the page configuration within the fields in the Internal Page Configuration portion of the screen.
External Page URL - If External is selected as the Page Path, provide a 511 character maximum External Page URL used as the Web link designation of the externally hosted blocking page.
Internal Page Title - Either enter a 255 character maximum title for the URL blocking page or use the existing default text (This URL may have been filtered).
Internal Page Header - Either enter a 255 character maximum header for the top of the URL blocking page or use the existing default text (The requested URL could not be retrieved).
Internal Page Content - Enter a 255 character maximum set of text used as the main body (middle portion) of the blocking page. Optionally use the default message (The site you have attempted to reach may be considered inappropriate for access).
Internal Page Footer - Either enter a 255 character maximum footer for the bottom of the URL blocking page or use the existing default text (If you have any questions contact your IT department).
Internal Page Org Name - Enter a 255 character maximum organizational name responsible for the URL blocking page. The default organizational name (Your Organizational Name) is not very practical, and is just a guideline for customization.
Internal Page Org Structure - Enter a 255 character maximum organizational signature responsible for the URL blocking page. The default organizational signature (Your Organizational Name, All Rights Reserved) is not very practical, and is just a guideline for customization.
Internal Page Logo 1 - Provide the location and filename of a small graphic image displayed in the blocking page.
Internal Page Logo 2 - Provide the location and filename of a main graphic image displayed in the blocking page.

29 Specify an IP Inbound or IP Outbound firewall rule by selecting a rule from the drop-down menu and use the spinner control to assign the rule Precedence. Rules with lower precedence are always applied first to packets. If no IP Inbound or Outbound rules exist meeting the required firewall filtering criteria, select the Create button to set the inbound or outbound rule criteria. Select the + Add Row button or Delete icon as needed to add or remove IP firewall rules. Define the following parameters to create a new Inbound or Outbound IP firewall rule. For more information, refer to Configuring IP Firewall Rules on page 10-20.

Figure 10-35 Wireless Client Roles screen - IP Firewall Policy screen

Precedence - Specify or modify a precedence for this IP policy between 1-5000. Rules with lower precedence are always applied to packets first. If modifying a precedence to apply a higher integer, it will move down the table to reflect its lower priority.
Action - Every IP Firewall rule is made up of matching criteria rules. The action defines the packet's disposition if it matches the specified criteria. The following actions are supported:
Deny - Instructs the Firewall to restrict a packet from proceeding to its destination.
Permit - Instructs the Firewall to allow a packet to proceed to its destination.
Source - Select the source IP address used as basic matching criteria for this IP ACL rule.
Destination - Determine whether filtered packet destinations for this IP firewall rule do not require any classification (any), are designated as a set of configurations consisting of protocol and port mappings (an alias), set as a numeric IP address (host) or defined as network IP and mask. Selecting alias requires a destination network group alias be available or created.
Protocol - Set a service alias as a set of configurations consisting of protocol and port mappings. Both source and destination ports are configurable. Set an alphanumeric service alias (beginning with a $) and include the protocol as relevant.
Mark - Select an IP Firewall rule's Mark checkbox to enable or disable event marking and set the rule's 802.1p or dscp level (from 0 - 7).
Log - Select an IP Firewall rule's Log checkbox to enable or disable event logging for this rule's usage.
Enable - Select an IP Firewall rule's Enable or Disable icon to determine this rule's inclusion with the IP firewall policy.
Description - Lists the administrator assigned description applied to the IP ACL rule. Select a description within the table to modify its character string as filtering changes warrant. Select the icon within the Description table header to launch a Select Columns screen used to add or remove IP ACL criteria from the table.

30 Select OK to save the updates to the Inbound or Outbound IP Firewall rule. Select Reset to revert to the last saved configuration.

31 If required, select existing Inbound and Outbound MAC Firewall Rules using the drop-down menu. If no rules exist, select Create to display a screen where Inbound or Outbound Firewall rules can be created.
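The IP firewall parameters in step 29 (precedence, permit/deny action, any/host/network source and destination, protocol, Mark and Log, Enable) amount to an ordered first-match ACL. The following is an added example written for this page, not WiNG code: it assumes its own rule and packet record shapes, that the first enabled matching rule in ascending precedence order decides the packet with ties keeping configuration order, that a packet matching no rule is denied (a conservative default chosen here), and it does not model the $ service and network group aliases, only any/host/network addresses.

```python
"""Added example (not WiNG code): first-match evaluation of IP firewall rules
in precedence order, as described for IP Inbound/Outbound rules in step 29.

Assumptions (not on the page): the rule and packet record shapes; the first
matching enabled rule in ascending precedence order decides the packet, ties
keeping configuration order; a packet matching no rule is denied (a
conservative default chosen for this example); $ service and network group
aliases are not modelled, only any/host/network addresses.
"""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass
from typing import Optional


def addr_matches(spec: str, addr: str) -> bool:
    """Match an address against 'any', a host address or a network/prefix."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    return ip == ipaddress.ip_address(spec)


@dataclass
class IpRule:
    precedence: int                   # 1-5000; lower numbers are applied first
    action: str                       # "permit" or "deny"
    source: str = "any"
    destination: str = "any"
    protocol: str = "any"             # "tcp", "udp", "icmp" or "any"
    dst_port: Optional[int] = None
    log: bool = False
    mark_dot1p: Optional[int] = None  # 0-7 when the Mark checkbox is set
    enabled: bool = True
    description: str = ""


@dataclass
class Verdict:
    action: str
    rule: Optional[IpRule]            # None when the implicit deny applied
    logged: bool = False
    mark_dot1p: Optional[int] = None


def evaluate(packet: dict, rules: list[IpRule]) -> Verdict:
    """Return the disposition of `packet` under the policy's rules."""
    # sorted() is stable, so rules sharing a precedence keep configuration order
    for rule in sorted(rules, key=lambda r: r.precedence):
        if not rule.enabled:
            continue
        if rule.protocol != "any" and rule.protocol != packet["proto"]:
            continue
        if rule.dst_port is not None and rule.dst_port != packet.get("dport"):
            continue
        if not addr_matches(rule.source, packet["src"]):
            continue
        if not addr_matches(rule.destination, packet["dst"]):
            continue
        return Verdict(rule.action, rule, rule.log, rule.mark_dot1p)
    return Verdict("deny", None, logged=True)   # assumed implicit deny


# Constructed inbound policy for a guest VLAN (10.20.0.0/16 is a sample range):
# resolver access, no path to the management subnet, marked web, logged catch-all.
POLICY = [
    IpRule(10, "permit", "10.20.0.0/16", "10.0.0.53", "udp", 53,
           description="guest clients to the internal resolver"),
    IpRule(20, "deny", "10.20.0.0/16", "10.0.0.0/24", log=True,
           description="guests may not reach management"),
    IpRule(30, "permit", "10.20.0.0/16", "any", "tcp", 443, mark_dot1p=2,
           description="guest web, marked low priority"),
    IpRule(5000, "deny", log=True, description="explicit logged catch-all"),
]

# Constructed packets (203.0.113.0/24 is a documentation range).
PACKETS = [
    {"src": "10.20.4.7", "dst": "10.0.0.53", "proto": "udp", "dport": 53},
    {"src": "10.20.4.7", "dst": "10.0.0.10", "proto": "tcp", "dport": 443},
    {"src": "10.20.4.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 443},
    {"src": "10.20.4.7", "dst": "203.0.113.10", "proto": "tcp", "dport": 22},
]


def demo() -> list[str]:
    """Disposition of each constructed packet under POLICY."""
    return [evaluate(p, POLICY).action for p in PACKETS]
```

The second packet is HTTPS to a management host: it is denied by the precedence-20 rule before the precedence-30 web rule can permit it. Renumbering the deny to 40 would reverse that outcome, which is why a tighter deny has to carry the lower precedence number in the table.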
32 Define the following parameters required to create an Inbound or Outbound MAC Firewall rule:
Figure 10-36 MAC Firewall Rules - ACL Settings screen

MAC Firewall Rules - If creating a new MAC Firewall rule, assign it a name (up to 64 characters) to help differentiate it from others that may have similar configurations.
Allow - Every MAC Firewall rule is made up of matching criteria rules. The action defines what to do with the packet if it matches the specified criteria. The following actions are supported:
Deny - Instructs the Firewall to prohibit a packet from proceeding to its destination when filter conditions are met.
Permit - Instructs the Firewall to allow a packet to proceed to its destination when filter conditions are met.
VLAN ID - Enter a VLAN ID representative of the shared SSID each user employs to interoperate within the network (once authenticated by the local RADIUS server). The VLAN ID can be between 1 and 4094.
Match 802.1P - Configures IP DSCP to 802.1p priority mapping for untagged frames. Use the spinner control to define a setting between 0-7.
Source / Destination MAC - Enter both Source and Destination MAC addresses as basic matching criteria.
Action - The following actions are supported:
Log - Logs the event when this rule is applied to a wireless client's association attempt.
Mark - Modifies certain fields inside the packet and then permits them. Therefore, mark is an action with an implicit permit. The fields that can be marked are:
- VLAN 802.1p priority.
- DSCP bits in the header.
- TOS bits in the header.
Mark, Log - Applies both log and mark actions.
Traffic Class - Select this option to enable a spinner control for traffic class prioritization. Devices that originate a packet must identify a class or priority for packets. Devices use the traffic class field in the MAC header to set this priority.
Ethertype - Use the drop-down menu to specify an Ethertype. An EtherType is a two-octet field within an Ethernet frame. It's used to indicate which protocol is encapsulated in the payload of an Ethernet frame.
Precedence - Use the spinner control to specify a precedence for this MAC policy between 1-1500. Rules with lower precedence are always applied first to packets. More than one rule can share the same precedence value.
Description - Provide a description for the rule to differentiate it from others with similar configurations. This should be more descriptive than simply re-applying the name of the rule.

33 Select OK to save the updates to the MAC Firewall rule. Select Reset to revert to the last saved configuration.

10.4 Device Fingerprinting

With an increase in Bring Your Own Device (BYOD) corporate networks, there's a parallel increase in the number of possible attack scenarios within the network. BYOD devices are inherently unsafe, as the organization's security mechanisms do not extend to these personal devices deployed in the corporate wireless network. Organizations can protect their network by limiting how and what these BYODs can access on and through the corporate network.

Device fingerprinting assists administrators by controlling how BYOD devices access a corporate wireless domain. Device fingerprinting uses DHCP options sent by the client in request or discover packets to derive a unique signature specific to a device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify the devices and assign permissions and restrictions on each device class.

NOTE: Ensure DHCP is enabled on the WLAN on which device fingerprinting is to be enabled.

To define a device fingerprinting configuration on controllers, service platforms and Access Points:
1 Select Configuration.

2 Select Security.

3 Select Device Fingerprinting. The Client Identity screen displays by default populated with existing client identity configurations.

Figure 10-37 Security - Device Fingerprinting - Client Identity screen

4 Select Add to create a new client identity policy, Edit to modify a selected policy or Delete to remove obsolete policies from the list of those available. Select Rename to change the name of an existing client identity policy or Copy a policy to a different location. Client identity policies use signatures to identify and group clients. Signatures are sets of attributes unique to the device model and manufacturer. Once identified, signatures classify and assign network access permissions collectively without having to administer multiple devices individually.

5 If adding a new client identity configuration, define a 32 character maximum name and select the OK button at the bottom of the screen to enable the remainder of the screen's editable parameters.

6 Select the + Add Row button to add a new signature in the client identity.

Figure 10-38 Security - Device Fingerprinting - Client Signature

7 Optionally select Pre-defined and choose from a list of pre-defined client identities. Once selected, the DHCP Match Criteria field is populated with fingerprints for the selected client identity.

8 To create a custom identity configuration, select Custom and provide a name in the adjacent field. Select the OK button at the bottom of the screen.

9 Provide the following information for each device signature configuration:
Index - Use the spinner control to assign an index (numeric identifier) for this signature. A maximum of 16 signatures can be created.
Message Type - Use the drop-down menu to designate the DHCP message type matched for signatures.
Request - Looks for a signature in DHCP request messages. This is the default value.
Discover - Looks for a signature in DHCP discover messages.
Match Option - Options are passed in DHCP discover and request messages as Option Code, Option Type, and Option Value sets. When Option Codes is selected, the Option Code passed in the DHCP discover/request is extracted and a fingerprint is derived. The derived fingerprint is used to identify the device.
Option - Indicates a specific DHCP Option is used to identify a device. When selected, a text box is enabled to input the DHCP Option used for fingerprinting.
Option Codes - Indicates the Option Code passed in the DHCP request and discover message is used for matching.
Match Type - Use the drop-down menu to select how signatures are matched. Available options include:
Exact - The complete signature string matches the string specified in the Option Value field.
Starts-with - The signature is checked if it starts with the string specified in the Option Value field.
Contains - The signature is checked if it contains the string specified in the Option Value field.
Value Format - Use the drop-down menu to select the character format of the value being checked. The value can be either ASCII or Hexadecimal.
Option Value - Use this text box to set the 64 character maximum DHCP option value to match.

10 Use the DHCP Match Message Type drop-down menu (from the Settings field at the bottom of the screen) to specify the DHCP message type configured option values are matched against. The following options are available:
Discover - Looks for a signature in DHCP discover messages.
Request - Looks for a signature in DHCP request messages. This is the default value.
Any - The fingerprint is checked with either the DHCP request or the DHCP discover message.
All - The fingerprint is checked with both the DHCP request and the DHCP discover message.

11 Select OK to save the changes. Select Reset to revert to the last saved configuration.

12 Expand the Device Fingerprinting menu item on the left-hand side of the screen and select Client Identity Group.

Figure 10-39 Security - Device Fingerprinting - Client Identity Group

An identity group is a collection of client identity variables. Each client identity in the group is assigned a value indicating its priority when device fingerprinting. Device fingerprinting relies on specific information sent by a client when acquiring an IP address and configuration information from a DHCP server. Device fingerprinting uses the DHCP options sent by the wireless client in DHCP request or discover packets to derive a signature specific to a device class. For example, Apple devices have a different signature from Android devices. The signature is used to classify the devices and assign permissions and restrictions on each class.

13 Select Add to create a new policy, Edit to modify the attributes of an existing policy or Delete to remove obsolete policies from the list of those available. Select Rename to change the name of an existing policy or Copy a policy to a different location. Client identity group policies configure the signatures used to identify clients and use the signatures to classify and assign network access permissions.

14 If adding a new client identity group, provide a 32 character maximum name and select the OK button at the bottom of the screen.

15 Select the + Add Row button to populate the screen's Client Identity and Precedence parameters.
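The signature parameters in step 9 (Message Type, Option versus Option Codes, Exact / Starts-with / Contains, ASCII or Hexadecimal value format) and the identity group priorities introduced above describe a small matching pipeline over DHCP option data. The following is an added example written for this page, not WiNG code. It assumes that the Option Codes fingerprint is the ordered, comma-separated list of option codes present in the message (the page does not define the derivation, so that is a modelling choice), that a signature only matches a message of its configured Message Type, and that the group member with the lowest precedence value owning a matching signature wins; the packet bytes are constructed for the example, not captured.

```python
"""Added example (not WiNG code): deriving a DHCP fingerprint from the options
of a DISCOVER/REQUEST, matching it against client identity signatures and
choosing an identity by client identity group precedence.

Assumptions (not on the page): the 'Option Codes' fingerprint is modelled as
the ordered, comma-separated list of option codes present in the message; a
signature matches only a message of its Message Type; the group member with
the lowest precedence value owning a matching signature wins; the packet bytes
below are constructed, not captured.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCP_MSG_TYPES = {1: "Discover", 3: "Request"}   # option 53 values used here


def parse_options(options_area: bytes) -> list[tuple[int, bytes]]:
    """Parse the options field (cookie onward) into (code, value) pairs.

    Stops at option 255 (end), skips option 0 (pad) and rejects a truncated
    option rather than reading past the end of the buffer.
    """
    if not options_area.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    i, out = len(MAGIC_COOKIE), []
    while i < len(options_area):
        code = options_area[i]
        if code == 255:
            break
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options_area):
            raise ValueError("truncated option header")
        length = options_area[i + 1]
        value = options_area[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        out.append((code, value))
        i += 2 + length
    return out


@dataclass
class Signature:
    index: int
    message_type: str        # "Request" or "Discover"
    match_option: str        # "Option" or "Option Codes"
    match_type: str          # "Exact", "Starts-with" or "Contains"
    value_format: str        # "ASCII" or "Hexadecimal"
    option_value: str        # up to 64 characters
    option_code: Optional[int] = None   # only used when match_option == "Option"


def fingerprint(options: list[tuple[int, bytes]], sig: Signature) -> Optional[str]:
    """Return the string this signature is compared against, or None if absent."""
    if sig.match_option == "Option Codes":
        return ",".join(str(code) for code, _ in options)
    for code, value in options:
        if code == sig.option_code:
            if sig.value_format == "Hexadecimal":
                return value.hex()
            return value.decode("ascii", errors="replace")
    return None


def signature_matches(msg_type: Optional[str], options, sig: Signature) -> bool:
    if sig.message_type != msg_type:
        return False
    fp = fingerprint(options, sig)
    if fp is None:
        return False
    want = sig.option_value.lower() if sig.value_format == "Hexadecimal" else sig.option_value
    return {"Exact": fp == want,
            "Starts-with": fp.startswith(want),
            "Contains": want in fp}[sig.match_type]


def classify(options_area: bytes, identities: dict[str, list[Signature]],
             group: list[tuple[str, int]]) -> Optional[str]:
    """Identity with the lowest precedence value that has a matching signature."""
    options = parse_options(options_area)
    msg_type = next((DHCP_MSG_TYPES.get(v[0]) for c, v in options if c == 53 and v), None)
    for identity, _precedence in sorted(group, key=lambda member: member[1]):
        if any(signature_matches(msg_type, options, s) for s in identities[identity]):
            return identity
    return None


def _opt(code: int, value: bytes) -> bytes:
    return bytes([code, len(value)]) + value


# Constructed option areas of two client messages (not real captures).
WINDOWS_REQUEST = (MAGIC_COOKIE + _opt(53, b"\x03") + _opt(12, b"laptop-7")
                   + _opt(60, b"MSFT 5.0") + _opt(55, bytes([1, 3, 6, 15, 31])) + b"\xff")
ANDROID_DISCOVER = (MAGIC_COOKIE + _opt(53, b"\x01") + _opt(60, b"android-dhcp-13")
                    + _opt(55, bytes([1, 3, 6, 15])) + b"\xff")

IDENTITIES = {   # constructed client identities, one signature each
    "windows": [Signature(1, "Request", "Option", "Starts-with", "ASCII", "MSFT", 60)],
    "android": [Signature(1, "Discover", "Option", "Contains", "ASCII", "android-dhcp", 60)],
    "order-55": [Signature(1, "Request", "Option Codes", "Exact", "ASCII", "53,12,60,55")],
}
GROUP = [("order-55", 20), ("windows", 10), ("android", 15)]   # lowest value checked first


def demo() -> tuple[Optional[str], Optional[str]]:
    return (classify(WINDOWS_REQUEST, IDENTITIES, GROUP),
            classify(ANDROID_DISCOVER, IDENTITIES, GROUP))
```

Two things a practitioner should notice: the parser refuses a truncated option instead of silently reading short, because fingerprinting runs on unauthenticated client input, and the Message Type check means the android signature never fires on the Windows REQUEST even though both carry option 60.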
Figure 10-40 Security - Device Fingerprinting - Client Identity Group - New Client Identity Group

16 Select the Client Identity policy to include in this group from the drop-down menu.

17 Use the Precedence spinner control to set the sequence (or priority) in which each listed client identity is checked or matched. Lower integers are assigned the highest priority.

18 Click OK to save the changes. Select Reset to revert to the last saved configuration.

10.5 Intrusion Prevention

Wireless Intrusion Protection Systems (WIPS) provide continuous protection against wireless threats and act as an additional layer of security complementing wireless VPNs and encryption and authentication policies. WIPS is supported through the use of dedicated sensor devices designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block the devices by manual termination or air lockdown.

Unauthorized APs are untrusted Access Points connected to a LAN that accept client associations. They can be deployed for illegal wireless access to a corporate network, implanted with malicious intent by an attacker, or could just be misconfigured Access Points that do not adhere to corporate policies. An attacker can install an unauthorized AP with the same ESSID as the authorized WLAN, causing a nearby client to associate to it. The unauthorized AP can then steal user credentials from the client, launch a man-in-the-middle attack or take control of wireless clients to launch denial-of-service attacks. WiNG managed wireless controllers and Access Points support unauthorized AP detection, location and containment natively. A WIPS server can alternatively be deployed (in conjunction with the wireless controller) as a dedicated solution within a separate enclosure.
When used within a wireless controller managed network and its associated Access Point radios, a WIPS deployment provides the following enterprise class security management features and functionality:
Threat Detection - Threat detection is central to a wireless security solution. Threat detection must be robust enough to correctly detect threats and swiftly help protect the wireless controller managed wireless network.
Rogue Detection and Segregation - A WIPS supported wireless controller distinguishes itself by both identifying and categorizing nearby Access Points. WIPS identifies threatening versus non-threatening Access Points by segregating Access Points attached to the network (unauthorized APs) from those not attached to the network (neighboring Access Points). The correct classification of potential threats is critical in order for administrators to act promptly against rogues and not invest in a manual search of neighboring Access Points to isolate the few attached to the network.
Locationing - Administrators can define the location of wireless clients as they move throughout a site. This allows for the removal of potential rogues through the identification and removal of their connected Access Points.
WEP Cloaking - WEP Cloaking protects organizations using the Wired Equivalent Privacy (WEP) security standard to protect networks from common attempts used to crack encryption keys. There are several freeware WEP cracking tools available and 23 known attacks against the original 802.11 encryption standard; even 128-bit WEP keys take only minutes to crack. The WEP Cloaking module enables organizations to operate WEP encrypted networks securely and to preserve their existing investment in mobile devices.

10.5.1 Configuring a WIPS Policy

To configure a WIPS policy:
1 Select Configuration > Security > Intrusion Prevention.

2 Expand the Intrusion Prevention option within the Configuration > Security menu to display the WIPS Policy and Device Categorization items available. The Wireless IPS screen displays by default. The Wireless IPS screen lists existing WIPS policies if any are configured. Any of these existing WIPS policies can be selected and applied.

3 Refer to the following for existing WIPS policies:
Figure 10-41 Wireless IPS screen

WIPS Policy - Displays the name assigned to the WIPS policy when it was initially created. The name cannot be modified as part of the edit process.
Status - Displays a green checkmark if the listed WIPS policy is enabled and ready for use with a profile. A red X designates the listed WIPS policy as disabled.
Interval to Throttle Duplicates - Displays the duration when event duplicates (redundant events) are not stored in event history.

4 Select Add to create a new WIPS policy, Edit to modify the attributes of a selected policy or Delete to remove obsolete policies from the list of those available. Select Rename to change the name of an existing policy or Copy a policy to a different location. If adding or editing an existing WIPS policy, the WIPS Policy screen displays with the Settings tab displayed by default.

Figure 10-42 WIPS Policy screen - Settings tab

5 If creating a new WIPS Policy, assign it a name to help differentiate it from others that may have a similar configuration. The policy name cannot exceed 64 characters. The name cannot be modified as part of the edit process.

6 Within the Wireless IPS Status field, select either the Enabled or Disabled radio button to either activate or deactivate the WIPS policy. The default setting is enabled.

7 Enter the Interval to Throttle Packets in either Seconds (1 - 86,400), Minutes (1 - 1,400), Hours (1 - 24) or Days (1). This interval represents the duration event duplicates are not stored in history. The default setting is 2 minutes.

8 Refer to the Rogue AP Detection field to define the following detection settings for this WIPS policy:
Enable Rogue AP Detection - Select the checkbox to enable the detection of unauthorized (unsanctioned) devices for this WIPS policy. The default setting is disabled.
Wait Time to Determine AP Status - Define a wait time in either Seconds (10 - 600) or Minutes (1 - 10) before a detected AP is interpreted as a rogue (unsanctioned) device, and potentially removed. The default interval is 1 minute.
Ageout for AP Entries - Set the interval the WIPS policy uses to ageout rogue devices. Set the policy in either Seconds (30 - 86,400), Minutes (1 - 1,440), Hours (1 - 24) or Days (1). The default setting is 5 minutes.
Interferer Threshold - Specify a RSSI threshold (from -100 to -10 dBm) after which a detected Access Point is classified as an interferer (rogue device).
Recurring Event Interval - Set an interval that, when exceeded, duplicates a rogue AP event if the rogue device is still active (detected) in the network. The default setting is 5 minutes.
Air Termination - Select this option to enable the termination of detected rogue AP devices. Air termination lets you terminate the connection between your wireless LAN and any Access Point or client associated with it. If the device is an Access Point, all clients are dis-associated from the Access Point. If the device is a client, its connection with the Access Point is terminated. This setting is disabled by default.
Air Termination Channel Switch - Select this option to allow neighboring Access Points to switch channels for rogue AP termination. This setting is disabled by default.
Air Termination Mode - If termination is enabled, use the drop-down menu to specify the termination mode used on detected rogue devices. The default setting is manual.

9 Use the Device Categorization Policy drop-down menu to select a policy describing whether a device is filtered as sanctioned, a client or Access Point and the MAC and SSID addresses used as filtering mechanisms. If a policy requires creation, select the Create button. If an existing policy requires modification, select the Edit button and update the Device Categorization Policy as needed.

10 Select OK to update the settings. Select Reset to revert to the last saved configuration.

11 Select the WIPS Events tab to enable events, filters and threshold values for this WIPS policy. The Excessive tab displays by default.
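The four timers in the Rogue AP Detection settings (Wait Time to Determine AP Status, Ageout for AP Entries, Recurring Event Interval) and the Interval to Throttle Duplicates from step 7 interact in a way that is easiest to see as a small state machine. The following is an added example written for this page, not WiNG code: it assumes that sightings arrive as (timestamp in seconds, AP MAC, sanctioned flag) tuples, that a sanctioned categorisation exempts an AP entirely, and that a duplicate is an event of the same kind for the same AP already in history within the throttle interval; the sighting data is constructed.

```python
"""Added example (not WiNG code): a rogue AP tracker driven by the Wait Time,
Ageout and Recurring Event Interval settings of a WIPS policy, with duplicate
events throttled by the Interval to Throttle Duplicates.

Assumptions (not on the page): sightings are (ts_seconds, ap_mac, sanctioned)
tuples; a sanctioned AP is never tracked; a duplicate is an event with the
same (mac, kind) already in history within the throttle interval; all
timestamps and MACs below are constructed.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class RogueApTracker:
    wait_time: int = 60             # seconds seen before a detected AP counts as rogue
    ageout: int = 300               # seconds without a sighting before the entry is removed
    recurring_interval: int = 300   # re-raise the rogue event while it stays active
    throttle_duplicates: int = 120  # identical events inside this window are not stored
    _aps: dict = field(default_factory=dict)     # mac -> tracking state
    history: list = field(default_factory=list)  # stored events: (ts, mac, kind)

    def _raise(self, ts: int, mac: str, kind: str) -> bool:
        """Store an event unless a duplicate lies within the throttle interval."""
        for t, m, k in reversed(self.history):
            if ts - t > self.throttle_duplicates:
                break                      # older entries cannot be duplicates
            if m == mac and k == kind:
                return False
        self.history.append((ts, mac, kind))
        return True

    def observe(self, ts: int, mac: str, sanctioned: bool) -> None:
        """Record one sighting of an AP by a sensor radio at time ts."""
        if sanctioned:
            return                         # categorised as sanctioned: never a rogue
        st = self._aps.setdefault(mac, {"first": ts, "status": "detected", "last_event": None})
        st["last"] = ts
        if st["status"] == "detected" and ts - st["first"] >= self.wait_time:
            st["status"] = "rogue"         # wait time elapsed: classify as rogue
            st["last_event"] = ts
            self._raise(ts, mac, "rogue-detected")
        elif st["status"] == "rogue" and ts - st["last_event"] >= self.recurring_interval:
            st["last_event"] = ts          # still active: duplicate the rogue event
            self._raise(ts, mac, "rogue-recurring")

    def tick(self, ts: int) -> list[str]:
        """Age out APs not seen for `ageout` seconds; return the MACs removed."""
        expired = [m for m, st in self._aps.items() if ts - st["last"] >= self.ageout]
        for mac in expired:
            if self._aps[mac]["status"] == "rogue":
                self._raise(ts, mac, "rogue-aged-out")
            del self._aps[mac]
        return expired

    def status(self, mac: str) -> str:
        return self._aps.get(mac, {}).get("status", "unknown")


def demo() -> list[tuple[int, str, str]]:
    """Constructed scenario: one unsanctioned AP seen every 20 s for about 7 min."""
    tr = RogueApTracker(wait_time=60, ageout=300, recurring_interval=300, throttle_duplicates=120)
    rogue, trusted = "02:00:00:aa:bb:cc", "02:00:00:11:22:33"   # constructed MACs
    for ts in range(0, 401, 20):
        tr.observe(ts, rogue, sanctioned=False)
        tr.observe(ts, trusted, sanctioned=True)
    tr.tick(700)                           # 5 min after the last sighting
    return tr.history
```

With these settings the unsanctioned AP is first reported at 60 s (the wait time), reported again at 360 s (the recurring interval after the first event) and aged out at 700 s; the trusted AP never appears, and a second rogue-recurring event inside the 120 s throttle window would be dropped rather than stored.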
Figure 10-43 WIPS Events screen - Excessive tab

The Excessive tab lists a series of events that can impact the performance of the network. An administrator can enable or disable the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action. An Excessive Action Event is an event where an action is performed repetitively and continuously. DoS attacks come under this category. Use the Excessive Action Events table to select and configure the action taken when events are triggered. AP events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top right-hand side of the screen.

12 Set the configurations of the following Excessive Action Events:
Name: Displays the name of the excessive action event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.

Enable: Displays whether tracking is enabled for each Excessive Action Event. Use the drop-down menu to enable/disable events as required. A green checkmark defines the event as enabled for tracking against its threshold values. A red X defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default. Events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top right-hand side of the screen.

Filter Expiration: Set the duration the anomaly-causing client is filtered. This creates a special ACL entry and frames coming from the client are silently dropped. The default setting is 0 seconds. This value is applicable across the RF Domain. If a station is detected performing an attack and is filtered by one of the APs, the information is passed to the domain controller or service platform. The domain controller or service platform then propagates this information to all APs in the RF Domain.

Client Threshold: Set the client threshold after which the filter is triggered and an event generated.

Radio Threshold: Set the radio threshold after which an event is recorded to the events history.

13 Select OK to save the updates to the excessive actions configuration used by the WIPS policy. Select Reset to revert to the last saved configuration.

14 Select the MU Anomaly tab:
Figure 10-44 WIPS Events screen - MU Anomaly tab

MU anomaly events are suspicious events by wireless clients that can compromise the security and stability of the network. Use this MU anomaly screen to configure the intervals clients can be filtered upon the generation of each defined event. MU events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top right-hand side of the screen.

15 Set the following MU Anomaly Events configurations:
Name: Displays the name of the MU anomaly event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.

Enable: Displays whether tracking is enabled for each event. Use the drop-down menu to enable/disable events as required. A green checkmark defines the event as enabled for tracking against its threshold values. A red X defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default. MU events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top right-hand side of the screen.

Filter Expiration: Set the duration the anomaly-causing client is filtered. This creates a special ACL entry and frames coming from the client are silently dropped. The default setting is 0 seconds. For each violation, define a time-to-filter value in seconds which determines how long received packets are ignored from an attacking device once a violation has been triggered. Ignoring frames from an attacking device minimizes the effectiveness of the attack and the impact to the site until permanent mitigation can be performed.

16 Select OK to save the updates to the MU anomaly configuration used by the WIPS policy. Select Reset to revert to the last saved configuration.

17 Select the AP Anomaly tab. AP anomaly events are suspicious frames sent by neighboring APs. Use this screen to determine whether an event is enabled for tracking.

Figure 10-45 WIPS Events screen - AP Anomaly tab

AP events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top right-hand side of the screen.

18 Set the following AP Anomaly Events parameters:
Name: Displays the name of the AP anomaly event representing a potential threat to the network. This column lists the event being tracked against the defined thresholds set for interpreting the event as excessive or permitted.

Enable: Displays whether tracking is enabled for each AP anomaly event. Use the drop-down menu to enable/disable events as required. A green checkmark defines the event as enabled for tracking against its threshold values. A red X defines the event as disabled and not tracked by the WIPS policy. Each event is disabled by default. AP events can be globally enabled and disabled as required using the Enable All and Disable All buttons on the top right-hand side of the screen.

19 Select OK to save the updates to the AP anomaly configuration used by the WIPS policy. Select Reset to revert to the last saved configuration.

20 Select the WIPS Signatures tab. A WIPS signature is the set of parameters, or pattern, used by WIPS to identify and categorize particular sets of attack behaviors in order to classify them.

21 The WIPS Signatures screen displays the following read-only data:
Figure 10-46 WIPS Signatures screen

Name: Lists the name (in the top left-hand corner) assigned to each signature when it was created. A signature name cannot be modified as part of the edit process.

Signature: Displays whether the signature is enabled. A green checkmark defines the signature as enabled. A red X defines the signature as disabled. Each signature is disabled by default.

BSSID MAC: Displays each BSS ID MAC address used for matching purposes and potential device exclusion.

Source MAC: Displays each source MAC address of the packet examined for matching purposes and potential device exclusion.

Destination MAC: Displays each destination MAC address of the packet examined for matching purposes and potential device exclusion.

Frame Type to Match: Lists the frame types specified for matching with the WIPS signature.

Match on SSID: Lists each SSID used for matching purposes.

22 Select Add to create a new WIPS signature, Edit to modify the attributes of a selected WIPS signature or Delete to remove obsolete signatures from the list of those available.

Figure 10-47 WIPS Signatures Configuration screen

23 If adding a new WIPS signature, define a Name to distinguish it from others with similar configurations. The name cannot exceed 64 characters.

24 Set the following network address information for a new or modified WIPS Signature:
Enable Signature: Select the check box to enable the WIPS signature for use with the profile. The signature is enabled by default.

BSSID MAC: Define a BSS ID MAC address used for matching and filtering with the signature.

Source MAC: Define a source MAC address for packets examined for matching, filtering and potential device exclusion using the signature.

Destination MAC: Set a destination MAC address for the packet examined for matching, filtering and potential device exclusion with the signature.

Frame Type to Match: Use the drop-down menu to select a frame type for matching and filtering with the WIPS signature.

Match on SSID: Set the SSID used for matching and filtering with the signature. Ensure it is specified properly or the SSID won't be properly filtered.

SSID Length: Set the character length of the SSID used for matching and filtering with this signature. The maximum length is 32 characters.

25 Refer to the Thresholds field to set signature threshold limitations used as filtering criteria.

Wireless Client Threshold: Specify the threshold limit per client that, when exceeded, signals the event. The configurable range is from 1 - 65,535.

Radio Threshold: Specify the threshold limit per radio that, when exceeded, signals the event. The configurable range is from 1 - 65,535.

26 Set a Filter Expiration (from 1 - 86,400 seconds) that specifies the duration a client is excluded from RF Domain manager radio association when responsible for triggering a WIPS event.

27 Refer to the Payload table to set a numerical index, pattern and offset for the WIPS signature. Select + Add Row and provide an Index, Pattern and Offset variable for the payload.

28 Select OK to save the updates to the WIPS Signature configuration. Select Reset to revert to the last saved configuration.
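The signature matching of steps 20-28, together with the per-client and per-radio thresholds and the filter expiration that the Excessive and MU anomaly events of steps 12-16 share, as an added Python model; this is example code written for this page, not WiNG code. It assumes simplified frame records with constructed frame-type labels ("deauth", "beacon"), reads a Payload row (Index, Pattern, Offset) as "the bytes at Offset in the frame body equal Pattern" with Index only ordering the rows, counts hits in a 1-second sliding window because the guide sets thresholds but not a counting window, and uses an RfDomain object to stand in for the domain controller that propagates a client filter to every AP in the RF Domain. MAC addresses and payload bytes are constructed.

```python
"""WIPS signature matching with client/radio thresholds and RF Domain filter expiration.

Added model, not WiNG code. Assumptions: constructed frame-type labels; a Payload row
(index, pattern, offset) means "bytes at offset equal pattern"; hits are counted in a
1-second sliding window; RfDomain stands in for the domain controller's filter propagation.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

WINDOW_S = 1.0                                   # assumed counting window


def _mac(value: str) -> str:
    return value.strip().lower().replace("-", ":")


@dataclass
class Frame:
    bssid: str
    src: str
    dst: str
    frame_type: str
    ssid: str = ""
    payload: bytes = b""


@dataclass
class WipsSignature:
    name: str                                    # up to 64 characters
    enabled: bool = True                         # enabled by default
    bssid: Optional[str] = None                  # None: criterion is not part of the match
    src: Optional[str] = None
    dst: Optional[str] = None
    frame_type: Optional[str] = None
    ssid: Optional[str] = None                   # up to 32 characters
    ssid_length: Optional[int] = None
    payload: List[Tuple[int, bytes, int]] = field(default_factory=list)  # (index, pattern, offset)
    client_threshold: int = 1                    # 1-65,535 hits per client signal the event
    radio_threshold: int = 1                     # 1-65,535 hits per radio signal the event
    filter_expiration_s: int = 1                 # 1-86,400 s exclusion for the triggering client

    def __post_init__(self) -> None:
        if not (0 < len(self.name) <= 64 and 1 <= self.client_threshold <= 65_535
                and 1 <= self.radio_threshold <= 65_535 and 1 <= self.filter_expiration_s <= 86_400
                and (self.ssid is None or len(self.ssid) <= 32)):
            raise ValueError(f"signature {self.name!r} has a field out of range")

    def matches(self, frame: Frame) -> bool:
        """True when every criterion the signature specifies holds for the frame."""
        if not self.enabled:
            return False
        for wanted, actual in ((self.bssid, frame.bssid), (self.src, frame.src), (self.dst, frame.dst)):
            if wanted is not None and _mac(wanted) != _mac(actual):
                return False
        if self.frame_type is not None and self.frame_type != frame.frame_type:
            return False
        if self.ssid is not None and self.ssid != frame.ssid:
            return False
        if self.ssid_length is not None and len(frame.ssid) != self.ssid_length:
            return False
        return all(frame.payload[off:off + len(pat)] == pat
                   for _idx, pat, off in sorted(self.payload, key=lambda row: row[0]))


class RfDomain:
    """Client filter table the domain controller propagates to all APs in the RF Domain."""

    def __init__(self) -> None:
        self.filters: Dict[str, float] = {}      # client MAC -> filter expiry timestamp

    def add_filter(self, mac: str, until: float) -> None:
        self.filters[mac] = max(until, self.filters.get(mac, 0.0))   # never shorten a filter

    def is_filtered(self, mac: str, ts: float) -> bool:
        until = self.filters.get(mac)
        if until is not None and ts >= until:
            del self.filters[mac]                 # filter expired: the ACL entry is removed
            return False
        return until is not None


class WipsRadio:
    """One AP radio applying signatures; hit counts are kept per client and per radio."""

    def __init__(self, domain: RfDomain, signatures: List[WipsSignature]) -> None:
        self.domain = domain
        self.signatures = signatures
        self.client_hits: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self.radio_hits: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _count(hits: Deque[float], ts: float) -> int:
        hits.append(ts)
        while ts - hits[0] > WINDOW_S:
            hits.popleft()
        return len(hits)

    def on_frame(self, ts: float, frame: Frame) -> List[str]:
        """Process one received frame; returns the actions taken."""
        src = _mac(frame.src)
        if self.domain.is_filtered(src, ts):
            return ["dropped"]                    # silently dropped by the special ACL entry
        actions: List[str] = []
        for sig in self.signatures:
            if not sig.matches(frame):
                continue
            if self._count(self.client_hits[(sig.name, src)], ts) > sig.client_threshold:
                actions.append(f"client-event:{sig.name}")
                self.domain.add_filter(src, ts + sig.filter_expiration_s)   # domain-wide filter
            if self._count(self.radio_hits[sig.name], ts) > sig.radio_threshold:
                actions.append(f"radio-event:{sig.name}")
        return actions
```

Two radios sharing one RfDomain show the propagation described under Filter Expiration: once the first radio filters a client, the second radio drops that client's frames without having counted anything itself, and both stop dropping once the expiration has passed.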
10.5.2 Configuring a WIPS Device Categorization Policy

Having devices properly classified can help suppress unnecessary unsanctioned AP alarms and allow an administrator to focus on the alarms and devices actually behaving in a suspicious manner. An intruder with a device erroneously authorized could potentially perform activities that harm your organization while appearing to be legitimate. WIPS enables devices to be categorized as Access Points, then defined as sanctioned or unsanctioned within the network. Sanctioned Access Points are generally known to you and conform with your organization's security policies. Unsanctioned devices have been detected as interoperating within the managed network, but are not approved. These devices should be filtered to avoid jeopardizing data.

To categorize Access Points as sanctioned or unsanctioned:
1 Select Configuration > Security > Intrusion Prevention.

2 Expand the Intrusion Prevention option within the Configuration > Security menu and select Device Categorization. The Device Categorization screen lists those device authorization policies defined thus far.

Figure 10-48 WIPS Device Categorization screen

3 Select Add to create a new policy, Edit to modify the attributes of a selected existing policy or Delete to remove obsolete policies from those available. Select Rename to change the name of a policy or Copy a policy to a different location.

Figure 10-49 WIPS Device Categorization Configuration screen

4 If creating a new Device Categorization policy, provide it a Name (up to 64 characters) to distinguish this policy from others with similar configurations. Select OK to save the name and enable the remaining parameters on the screen.

5 Select + Add Row to populate the Marked Devices field with parameters for adding an Access Point's MAC address, SSID, Access Point designation and network authorization. Select the red (-) Delete Row icon as needed to remove an individual table entry.

6 Define the following parameters to add a device to a list of devices categorized as sanctioned or unsanctioned for network operation:
Index: Use the spinner controls to set the numerical Index number for each Device Categorization Name.

Classification: Use the drop-down menu to designate the target device as either sanctioned (True) or unsanctioned (False). The default setting is False, categorizing this device as unsanctioned. Thus, each added device requires authorization. A green checkmark designates the device as sanctioned, while a red X defines the device as unsanctioned.

Device Type: Use the drop-down menu to designate the target device as either an Access Point (True) or other (False). The default setting is False, categorizing this device as other than an Access Point. A green checkmark designates the device as an Access Point, while a red X defines the categorized device as other than an Access Point.

MAC Address: Enter the factory coded MAC address of the target device. This address is hard coded by the device manufacturer and cannot be modified. The MAC address will be defined as sanctioned or unsanctioned as part of the device categorization process.

SSID: Enter the SSID of the target device requiring categorization. The SSID cannot exceed 32 characters.

7 Select OK to save the updates to the Marked Devices List. Select Reset to revert to the last saved configuration.

10.5.3 Intrusion Detection Deployment Considerations

Before configuring WIPS support on the wireless controller, refer to the following deployment guidelines to ensure the configuration is optimally effective:
• WIPS is best utilized when deployed in conjunction with a corporate or enterprise wireless security policy. Since an organization's security goals vary, the security policy should document site-specific concerns. The WIPS system can then be modified to support and enforce these additional security policies.
• WIPS reporting tools can minimize dedicated administration time. Vulnerability and activity reports should automatically run and be distributed to the appropriate administrators. These reports should highlight areas to be investigated and minimize the need for network monitoring.
• It's important to keep your WIPS system firmware and software up to date. A quarterly system audit can ensure firmware and software versions are current.
• Only a trained wireless network administrator can determine the criteria used to authorize or ignore devices. You may want to consider your organization's overall security policy and your tolerance for risk versus users' need for network access. Some questions that may be useful in deciding how to classify a device are:
Does the device conform to any vendor requirements you have?
What is the signal strength of the device? Is it likely the device is outside your physical radio coverage area?
Is the detected Access Point properly configured according to your organization's security policies?
• Controller or service platform visibility to all deployed VLANs is recommended. If an external L3 device has been deployed for routing services, each VLAN should be 802.1Q tagged to the controller or service platform to allow the detection of any unsanctioned APs physically connected to the network.
• Trusted and known Access Points should be added to a sanctioned AP list. This will minimize the number of unsanctioned AP alarms received.

10.6 EX3500 Time Range

An EX3500 Time Range is a set of configurations consisting of periodic and absolute time ranges. Periodic time ranges can be configured to recur daily, weekly, on weekends and on specific weekdays, such as Sunday. Absolute time ranges can be configured for a range of days during a particular period. Absolute time ranges do not recur. The EX3500 time ranges are used when configuring EX3500 MAC ACL firewall rules. For more information, see Configuring MAC Firewall Rules on page 10-15.

To set EX3500 switch periodic or absolute time ranges:
1 Select Configuration > Security > EX3500 Time Ranges. The Time Range screen displays within the main portion of the Web UI.

Figure 10-50 EX3500 Time Range screen

2 Select Add to create a new policy, Edit to modify the attributes of an existing time range or Delete to remove obsolete time ranges. Use Copy to create a copy of the selected time range and modify it for further use. Use Rename to rename the selected time range.

3 Either use the Add button to create a new EX3500 Time Range or select an existing range and click Edit to modify it.

Figure 10-51 EX3500 Time Range - Periodic Time Range screen

The Periodic Time Range tab displays by default.

4 If adding a new EX3500 Time Range, provide it a name up to 32 characters.

5 Select Add to provide the following parameters:
Precedence: Specify or modify a precedence value for this periodic time range policy. Rules with lower precedence are always applied first. If a precedence is modified to a higher integer, the rule moves down the table to reflect its lower priority. Select a precedence value in the range 1-7.

Start Day: Specify the periodic time range's start day. The day value can be one of daily, weekend, weekdays, sunday, monday, tuesday, wednesday, thursday, friday or saturday. Specify a start day from one of the above values.

Start Hour: Specify the periodic time range's start hour. Hours are specified in 24 hour format. Use the spinner to select the appropriate hour.

Start Minute: Specify the periodic time range's start minute. Use the spinner to select the appropriate minute.

End Day: Specify the periodic time range's end day. The end day is the day when the time period ends. The options available for this field change depending on the choice made in the Start Day field.

End Hour: Specify the periodic time range's end hour. Hours are specified in 24 hour format. In most cases, this value cannot be lower than the value specified in the Start Hour field. Use the spinner to select the correct end hour value.

End Minute: Specify the periodic time range's end minute. In most cases, this value cannot be lower than the value specified in the Start Minute field. Use the spinner to select the correct end minute.

6 Select OK to save the updates. Select Reset to revert to the last saved configuration.

7 Select the Absolute Time Range tab to configure a time range that is absolute and occurs only once.

8 Select Enable to enable this feature. An absolute time range can only be configured when Enabled.

Figure 10-52 EX3500 Time Range - Absolute Time Range screen

9 Configure the following parameters:
Start Year: Specify the absolute time range's start year. Use the spinner control to select the year. Select a year in the range 2013-2037.

Start Month: Specify the absolute time range's start month. Use the drop-down menu to select the month.

Start Day: Specify the absolute time range's start day. The day value can be one of daily, weekend, weekdays, sunday, monday, tuesday, wednesday, thursday, friday or saturday. Specify a start day from one of the above values.

Start Hour: Specify the absolute time range's start hour. Hours are specified in 24 hour format. Use the spinner to select the appropriate hour.

Start Minute: Specify the absolute time range's start minute. Use the spinner to select the appropriate minute.

End Period: Select the option to set specific end periods for each of the Year, Month, Day, Hour and Minute values available for start time definitions.

End Year: Specify the absolute time range's end year. Use the spinner control to select the year. Select a year in the range 2013-2037. The end year cannot be earlier than the value specified in the Start Year field.

End Month: Specify the absolute time range's end month. Use the drop-down menu to select the month.

End Day: Specify the absolute time range's end day. The end day is the day when the time period ends. The options available for this field change depending on the choice made in the Start Day field.

End Hour: Specify the absolute time range's end hour. Hours are specified in 24 hour format. In most cases, this value cannot be lower than the value specified in the Start Hour field. Use the spinner to select the correct end hour value.

End Minute: Specify the absolute time range's end minute. In most cases, this value cannot be lower than the value specified in the Start Minute field. Use the spinner to select the correct end minute.

10 Select OK when completed to update the EX3500 Time Range. Select Reset to revert to its last saved configuration.
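Evaluation of the periodic and absolute time ranges of 10.6, and of a MAC ACL rule bound to one, as an added Python model; this is example code written for this page, not EX3500 switch code. It assumes that a periodic range whose Start Day and End Day are both specific weekdays is a single window from the start day and time to the end day and time (wrapping across the end of the week), that for the daily, weekend and weekdays keywords the window is Start Hour:Minute to End Hour:Minute on each matching day, that an absolute range is a calendar start instant with an optional end instant (no End Period configured means open-ended), and that a MAC ACL rule bound to a time range is enforced only while the range is active. The time range names and timestamps below are constructed.

```python
"""EX3500 periodic/absolute time-range evaluation (added model, not switch code).

Assumptions: weekday-to-weekday periodic ranges are one window across the week; keyword
ranges (daily/weekend/weekdays) apply the start-end time on each matching day; an absolute
range is a calendar start with optional end; a bound MAC ACL rule applies only while active.
"""
import datetime as dt
from dataclasses import dataclass, field
from typing import List, Optional

DAY_KEYWORDS = ("daily", "weekend", "weekdays", "sunday", "monday", "tuesday",
                "wednesday", "thursday", "friday", "saturday")
WEEKDAYS = DAY_KEYWORDS[3:]                     # index 0 = sunday ... 6 = saturday
MINUTES_PER_DAY = 24 * 60


def _day_index(when: dt.datetime) -> int:
    return (when.weekday() + 1) % 7             # datetime: Monday=0; here Sunday=0


def _day_matches(keyword: str, when: dt.datetime) -> bool:
    name = WEEKDAYS[_day_index(when)]
    if keyword == "daily":
        return True
    if keyword == "weekend":
        return name in ("saturday", "sunday")
    if keyword == "weekdays":
        return name not in ("saturday", "sunday")
    return keyword == name


@dataclass
class PeriodicRange:
    precedence: int                             # 1-7; lower values are applied first
    start_day: str
    start_hour: int
    start_minute: int
    end_day: str
    end_hour: int
    end_minute: int

    def __post_init__(self) -> None:
        if not 1 <= self.precedence <= 7:
            raise ValueError("precedence must be 1-7")
        if self.start_day not in DAY_KEYWORDS or self.end_day not in DAY_KEYWORDS:
            raise ValueError("day must be one of the documented keywords")
        for hour, minute in ((self.start_hour, self.start_minute), (self.end_hour, self.end_minute)):
            if not (0 <= hour <= 23 and 0 <= minute <= 59):
                raise ValueError("hours are 0-23 (24 hour format), minutes 0-59")

    def contains(self, when: dt.datetime) -> bool:
        minute_of_day = when.hour * 60 + when.minute
        start = self.start_hour * 60 + self.start_minute
        end = self.end_hour * 60 + self.end_minute
        if self.start_day in WEEKDAYS and self.end_day in WEEKDAYS:
            # one window across the week, e.g. saturday 22:00 to sunday 06:00
            now = _day_index(when) * MINUTES_PER_DAY + minute_of_day
            begin = WEEKDAYS.index(self.start_day) * MINUTES_PER_DAY + start
            finish = WEEKDAYS.index(self.end_day) * MINUTES_PER_DAY + end
            return begin <= now <= finish if begin <= finish else (now >= begin or now <= finish)
        return _day_matches(self.start_day, when) and start <= minute_of_day <= end


@dataclass
class AbsoluteRange:
    enabled: bool                               # configurable only when Enabled
    start: dt.datetime
    end: Optional[dt.datetime] = None           # None: no End Period configured

    def __post_init__(self) -> None:
        for instant in (self.start, self.end):
            if instant is not None and not 2013 <= instant.year <= 2037:
                raise ValueError("years must be in the range 2013-2037")
        if self.end is not None and self.end < self.start:
            raise ValueError("end cannot be earlier than start")

    def contains(self, when: dt.datetime) -> bool:
        return self.enabled and self.start <= when and (self.end is None or when <= self.end)


@dataclass
class Ex3500TimeRange:
    name: str                                   # up to 32 characters
    periodic: List[PeriodicRange] = field(default_factory=list)
    absolute: List[AbsoluteRange] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not 0 < len(self.name) <= 32:
            raise ValueError("time range name must be 1-32 characters")

    def active_rule(self, when: dt.datetime) -> Optional[str]:
        """Label of the first matching range (periodic rules in precedence order), else None."""
        for rule in self.absolute:
            if rule.contains(when):
                return "absolute"
        for rule in sorted(self.periodic, key=lambda r: r.precedence):
            if rule.contains(when):
                return f"periodic:{rule.precedence}"
        return None


def mac_rule_in_effect(time_range: Optional[Ex3500TimeRange], when: dt.datetime) -> bool:
    """A MAC ACL rule bound to a time range is enforced only while the range is active;
    a rule with no time range is always in effect (assumed binding semantics)."""
    return time_range is None or time_range.active_rule(when) is not None
```

The wrap-around case matters in practice: a window such as saturday 22:00 to sunday 06:00 crosses midnight, so comparing the time of day alone would miss the Sunday early-morning minutes that the range is meant to cover.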
11 Services

Controllers and service platforms natively support services to provide guest user access to the network, lease DHCP IP addresses to requesting clients and provide RADIUS client authentication. For more information, refer to the following:
• Configuring Captive Portal Policies
• Setting the Guest Management Configuration
• Setting the DHCP Configuration
• Setting the Bonjour Gateway Configuration
• DHCPv6 Server Policy
• Setting the RADIUS Configuration
• URL Lists

11.1 Configuring Captive Portal Policies

A captive portal is an access policy for providing guests temporary and restrictive access to the controller or service platform managed network. A captive portal policy provides secure authenticated controller or service platform access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail and No Service pages provide the administrator with a number of options on captive portal screen flow and user appearance.

Captive portal authentication is used primarily for guest or visitor access, but is increasingly used to provide authenticated access to private network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption.

Authentication for captive portal access requests is performed using a username and password pair, authenticated by an integrated RADIUS server. Authentication for private network access is conducted either locally on the requesting wireless client, or centrally at a datacenter.

Captive portal uses a Web provisioning tool to create guest user accounts directly on the controller or service platform. The connection medium defined for the Web connection is either HTTP or HTTPS. Both HTTP and HTTPS use a request and response procedure that clients follow to disseminate information to and from requesting wireless clients.

Refer to the following sections for configuring Captive Portal Policy parameters:
• Configuring a Captive Portal Policy
• Creating DNS Whitelists
• Captive Portal Deployment Considerations

11.1.1 Configuring a Captive Portal Policy

To configure a guest access captive portal policy:
1 Select Configuration > Services. The upper, left-hand side of the user interface displays a Services menu pane where Captive Portal, DHCP and RADIUS configuration options can be selected.

2 Select Captive Portals. The Captive Portal screen displays the configurations of existing policies. New policies can be created, existing policies can be modified or existing policies deleted.

3 Refer to the following captive portal policy parameters to determine whether a new policy requires creation, or an existing policy requires edit or deletion:
Figure 11-1 Captive Portal Policy screen

Captive Portal Policy: Displays the name assigned to the captive portal policy when initially created. A policy name cannot be modified as part of the edit process.

Captive Portal Server Host: Lists the IP address (non DNS hostname) of the external (fixed) server validating user permissions for the listed captive portal policy. This item remains empty if the captive portal is hosted locally.

Captive Portal IPv6 Server: Lists the IPv6 formatted IP address (non DNS hostname) of the external (fixed) IPv6 server validating user permissions for the listed captive portal policy. This item remains empty if the captive portal is hosted locally. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

Captive Portal Server Mode: Lists each policy's hosting mode as either Internal (Self) or External (Fixed). If the mode is Internal (Self), the controller or service platform is maintaining the captive portal locally, while External (Fixed) means the captive portal is being hosted on an external server resource.

Hosting VLAN Interface: Lists the VLAN (from 0 - 4,096) a client utilizes for controller or service platform interoperation when the Captive Portal Server Mode is set to Centralized Controller.

Connection Mode: Lists each policy's connection mode as either HTTP or HTTPS. Both HTTP and HTTPS use the same Uniform Resource Identifier (URI), so requesting clients can be identified. However, the use of HTTPS is recommended, as it affords transmissions some measure of data protection HTTP cannot provide.

Simultaneous Access: Displays the number of users permitted at one time for each listed policy. A captive portal can support from 1-8192 users simultaneously.

Web Page Source: Displays whether the captive portal HTML pages are maintained Internally, Externally (on an external system you define) or are Advanced pages maintained and customized by the network administrator. Internal is the default setting.

AAA Policy: Lists each AAA policy used to authorize captive portal access requests. When a captive portal policy is created or modified, an AAA policy must be defined and applied to effectively authorize, authenticate and account user requests for captive portal access.

4 Select Add to create a new captive portal policy, Edit to modify an existing policy or Delete to remove an existing captive portal policy. Select Rename to change the name of an existing policy or Copy a policy to a different location.
A Basic Configuration screen displays by default. Define the policy's security, access and whitelist basic configuration before actual HTML pages can be defined for guest user access requests.

5 Define the following Settings for the captive portal policy:
Figure 11-2 Captive Portal Policy Basic Configuration screen

Captive Portal Policy: If creating a new policy, assign a name representative of its access permissions, location or intended wireless client user base. If editing an existing captive portal policy, the policy name cannot be modified. The name cannot exceed 32 characters.

Captive Portal Server Mode: Set the mode as either Internal (Self), Centralized or Centralized Controller. Select the Internal (Self) radio button to maintain the captive portal configuration (Web pages) internally. Select the Centralized radio button if the captive portal is supported on an external server. Select the Centralized Controller radio button if the captive portal is supported on a centralized controller or service platform. The default value is Internal (Self).

Hosting VLAN Interface: When using the Centralized Controller server mode, specify the VLAN, between 0 and 4096, for client communication. Select 0 to use the default client VLAN. 0 is the default setting.

Captive Portal Server Host: Set a numeric IP address (or DNS hostname) for the server validating guest user permissions for the captive portal policy. This option is only available if hosting the captive portal on an External (Fixed) server resource.

Captive Portal IPv6 Server: If using Centralized server mode, select this option to define an IPv6 formatted address of the controller, service platform or Access Point resource hosting the captive portal.

Connection Mode: Select either HTTP or HTTPS to define the connection medium to the Web server. The use of HTTPS is recommended, as it affords some additional data protection HTTP cannot provide. The default value however is HTTP.

Simultaneous Access: Select the checkbox and use the spinner control to set from 1-8192 users (client MAC addresses) allowed simultaneous access to the captive portal and its resources.

6 Use the AAA Policy drop-down menu to select the Authentication, Authorization and Accounting (AAA) policy used to validate user credentials and provide captive portal access to the network. If no AAA policies exist, one must be created by selecting the Create icon, or an existing AAA policy can be selected and modified by selecting it from the drop-down menu and selecting the Edit icon.

7 Set the following Access parameters to define access, RADIUS lookup information and whether the Login pages contain agreement terms that must be accepted before access is granted to controller or service platform resources using the captive portal:
Access Type: Select the authentication scheme applied to clients requesting captive portal guest access to the WiNG network. Within the WiNG UI there are 6 options. The WiNG CLI uses 5 options. User interface options include:
  • No authentication required - Requesting clients are redirected to the captive portal Welcome page without authentication.
  • RADIUS Authentication - A requesting client's user credentials require authentication before access to the captive portal is permitted. This is the default setting.
  • Registration - A requesting client's user credentials require authentication through social media credential exchange.
  • Email Access - Clients use E-mail usernames and passwords for authenticating their captive portal session. Optionally set whether E-mail access requests are RADIUS validated.
  • Mobile Access - Mobile clients use their device's access permissions for authenticating their captive portal session. Optionally set whether mobile access requests are RADIUS validated.
  • Other Access - Requesting guest clients use a different means of captive portal session access (aside from E-mail or mobile device permissions). Optionally set whether these other access requests are RADIUS validated.

Lookup Information: When either E-mail Access, Mobile Access or Other Access is selected as the access type, provide a 1-32 character lookup information string used as a customized authentication mechanism. Optionally select Validate with RADIUS to invoke a RADIUS lookup and syslog event log entry during captive portal user credential exchanges.

Terms and Conditions page: Select this option to include terms that must be adhered to for clients requesting captive portal access. These terms are included in the Terms and Conditions page when No authentication required is selected as the access type, otherwise the terms appear in the Login page. The default setting is disabled.

8 Set the following Social Media Authentication parameters to utilize a requesting client's social media profile for captive portal registration:
Facebook: If selected, the requesting client's guest user Facebook social media profile (collected from the social media server) is registered on the device. Captive portal authentication then becomes a fallback mechanism to enforce guest registration through social authentication. This option is disabled by default.

Google: If selected, the requesting client's guest user Google social media profile (collected from the social media server) is registered on the device. Captive portal authentication then becomes a fallback mechanism to enforce guest registration through social authentication. This option is disabled by default.

9 Refer to the Bypass field to enable or disable Bypass Captive Portal Detection capabilities. If enabled, captive portal detection requests are bypassed. This feature is disabled by default.

10 Set the following Client Settings to define client VLAN assignments, the duration clients are allowed captive portal access, and when they're timed out due to inactivity:
Radius VLAN Assignment - Select this option to enable client VLAN assignments using the RADIUS server. If, as part of the authentication process, the RADIUS server returns a client's VLAN ID in a RADIUS Access-Accept packet, and this feature is enabled, all client traffic is forwarded on the post-authentication VLAN. If disabled, the RADIUS server's VLAN assignment is ignored and the VLAN configuration defined within the WLAN configuration is used instead. This feature is disabled by default. Because the VLAN a guest lands on is then decided by the RADIUS reply, restrict the RADIUS policy that returns VLAN IDs for this WLAN to guest VLANs.

Post Authentication VLAN - When this option is selected, a specific VLAN is assigned to the client upon successful authentication. The available range is from 1 - 4,096.

Client Access Time - Use the spinner control to define the duration wireless clients are allowed access using the captive portal policy when no session time value is defined in the RADIUS response. Set an interval from 10 - 10,800 minutes. The default interval is 1,440 minutes.

Inactivity Timeout - Use the drop-down menu to specify an interval in either Minutes (1 - 1,440) or Seconds (60 - 86,400) that, when exceeded, times out the session. The default is 10 minutes.

11 Define the following Loyalty App settings to allow administrators to detect and report a captive portal client's usage of a selected (preferred) loyalty application:
Enable - Select this option to report a captive portal client's loyalty application presence and store this information in the captive portal's user database. Loyalty application detection occurs on the Access Point to which the client is associated and allows a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal. This setting is enabled by default.

App Name - Use the drop-down menu to select an existing application to track for loyalty utilization by captive portal clients. This enables an administrator to assess whether patrons are accessing an application as expected in specific retail environments. To create an application if none exists suiting the specific reporting needs of captive portal clients, see Application on page 7-58.

12 Use the DNS Whitelist parameter to create a set of allowed destination IP addresses. These allowed DNS destination IP addresses are called a Whitelist. To host captive portal pages on an external Web server, the IP address of the destination Web server(s) must be in the Whitelist, since unauthenticated clients are otherwise redirected away from it.

13 Refer to the drop-down menu of existing DNS White List entries to select a policy to be applied to this captive portal policy. If no DNS Whitelist entries exist, select the Create or Edit icons and follow the sub-steps below:

a. If creating a new Whitelist, assign it a name up to 32 characters. Use the + Add Row button to populate the Whitelist with Host and IP Index values.

Figure 11-3 Captive Portal Whitelist screen

b. Provide a numerical IP address or Hostname within the DNS Entry parameter for each destination IP address or host included in the Whitelist. Hostnames cannot contain an underscore.

c. Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled. Keep suffix entries as specific as possible: a broad suffix whitelists every host under it for unauthenticated clients.

d. If necessary, select the radio button of an existing Whitelist entry and select the - Delete icon to remove the entry from the Whitelist.

14 Set the following Accounting parameters to define how accounting is conducted for clients entering and exiting the captive portal. Accounting is the method of collecting and sending security server information for billing, auditing and reporting user data, such as captive portal start and stop times, executed commands (such as PPP), number of packets and number of bytes. Accounting enables wireless network administrators to track the captive portal services users are consuming.

Enable RADIUS Accounting - Select this option to use an external RADIUS resource for AAA accounting. When selected, an AAA Policy field displays. This setting is disabled by default.

Enable Syslog Accounting - Select this option to log information about the use of remote access services by users using an external syslog resource. This information is of great assistance in partitioning local versus remote users. Remote user information can be archived to an external location for periodic network and user administration. This feature is disabled by default.

Syslog Host - When syslog accounting is enabled, use the drop-down menu to determine whether an IP address or Hostname is used as the syslog host. The IP address or hostname of the external server resource is required to route captive portal syslog events to that destination. A hostname cannot contain an underscore.

Syslog Port - When syslog accounting is enabled, define the numerical syslog port used to route traffic to the external syslog server. The default port is 514.

15 Set the following Data Limit parameters to define a data limit for clients accessing the network using the restrictions of a captive portal:
Enable - Select this option to enable data limits for captive portal clients.

Limit - Specify the maximum amount of data, in megabytes, allowed for each captive portal client. When a user reaches this threshold, from 1 to 102,400 megabytes, it triggers the specified action.

Action - When a captive portal client reaches its data usage limit, the specified log action is executed. Available actions are Log Only and log-and-disconnect. When Log Only is selected, an entry is added to the log file any time a captive portal client exceeds the data limit. When log-and-disconnect is selected, an entry is added to the log file when the data limit is exceeded and the client is disconnected from the captive portal.

16 Set the Logout FQDN as the FQDN address used to log out of the captive portal session from the client (for example, logout.guest.com).

17 Set the following Localization settings to add a URL that triggers a one-time redirect on demand. The defined URL is triggered from a mobile application to derive location information from the wireless network so an application can be localized to a particular store or region.

FQDN - Provide the FQDN address (for example, local.guestaccess.com) used to obtain localization parameters for a client.

Response - Enter a 512 character maximum response message directed back to the client for localization HTTP requests.

18 Refer to the Destination Ports for Redirection parameter (within the Redirection Ports field), and enter the destination ports (separated by commas, or using a dash for a range) considered when redirecting client connections. Standard ports 80 and 443 are always considered for client connections regardless of what the administrator enters.

19 Select the Web Page tab to create locally or externally hosted HTML pages. The Login page displays by default.
Figure 11-4 Captive Portal Policy Internal Web Page screen

The Login screen prompts the user for a username and password to access the captive portal and proceed to either the Terms and Conditions page (if used) or the Welcome page. The Terms and Conditions page provides conditions that must be agreed to before captive portal access is permitted. The Welcome page asserts a user has logged in successfully and can access the captive portal. The Welcome Back page greets returning users. The Fail page asserts the authentication attempt has failed, the user is not allowed to access the Internet (using this captive portal) and must provide the correct login information again to access the Internet. The No Service page asserts the captive portal service is temporarily unavailable for technical reasons. Once the services become available, the captive portal user is automatically connected back to the services available through the captive portal.

20 Select the location where the captive portal Login, Terms and Conditions, Welcome, Fail, No Service and Registration Web pages are hosted. Available sources include Internal, External and Advanced. If Internal is selected, provide the information for each of the screens. If Advanced is selected, follow the on-screen instructions to upload custom Web pages. If Externally hosted is selected, provide the URLs for each of the necessary pages in the fields below.

21 Provide the following information for the Login, Terms and Conditions, Welcome, Welcome Back, Fail, No Service and Registration tabs:

Organization Name - Set any organization-specific name or identifier which clients see during login. The Organization Name setting is only available for the Login page.

Title Text - Set the title text displayed on the pages when wireless clients access captive portal pages. The text should be in the form of a page title describing the respective function of each page and should be unique to each function.

Header Text - Provide header text unique to the function of each page.

Login Message - Specify a message containing unique instructions or information for the users who access the Login, Terms and Conditions, Welcome, Fail, No Service or Registration pages. In the case of the Terms and Conditions page, the message can be the conditions requiring agreement before captive portal access is permitted.

Footer Text - Provide a footer message displayed at the bottom of each page. The footer text should be any concluding message unique to each page before accessing the next page in the succession of hotspot Web pages.

Main Logo URL - The Main Logo URL is the URL for the main logo image displayed on the screens. Use the Browse button to navigate to the location of the target file. Optionally select the Use as banner option to designate the selected main logo as the page's banner as well. The banner option is disabled by default.

Small Logo URL - The Small Logo URL is the URL for a small logo image displayed on the screens. Use the Browse button to navigate to the location of the target file.

Signature - Provide the copyright and legal signature associated with the usage of the captive portal and the usage of the organization name provided. The Signature setting is only available for the Login page.

22 Refer to the right-hand side of each screen to define how the Org Name Signature Background Color, Org Name Signature Text Color, Body Background Color and Body Text Color display for the current screen. Select the box to the right of each of these four items to launch a color palette where screen colors can be selected uniquely. Select Preview Page to review your color selections before committing the updates to captive portal screens. Each of the Login, Terms and Conditions, Welcome, Fail, No Service and Registration screens can have their background and signature colors set uniquely.

Figure 11-5 Captive Portal Page Color Palette screen

23 When setting the properties of the Registration screen, refer to the bottom portion of the screen to define the email, country, gender, mobile, zip, street and name filters used as additional authentication criteria. Guest users are redirected to the registration portal on association to the captive portal SSID. Users are shown an internal
or externally hosted registration page where the guest user must complete the registration process if not previously registered. These fields are customizable to meet the needs of retailers providing guest access. The captive portal sends a message to the user (to the phone number or E-mail address provided at registration) containing an access code. The user inputs the access code and the captive portal verifies the code before returning the Welcome page and providing access. This allows a retailer to verify the phone number or E-mail address is correct and can be traced back to a specific individual.

Figure 11-6 Registration screen customizable filters

24 Select OK to save the changes made within any of the Internal Page screens. Selecting Reset reverts the settings back to the last saved configuration.

25 Select Advanced to use a custom-developed directory of Web page content that can be copied in and out of the controller or service platform. Use the File Transfers sub-menu in the Operations page to transfer files to the appropriate devices serving the Web pages.

26 Select the Externally Hosted radio button if hosting the captive portal on an external server resource. Select Web Page Auto Upload to automatically launch the advanced pages for requesting clients upon association. This setting is disabled by default. Select Redirect the user to externally hosted URL to use an externally hosted server resource and its login permissions for logging into the advanced page. This setting is disabled by default.

Figure 11-7 Captive Portal Policy Externally Hosted Web Page screen

Login URL - Define the complete URL for the location of the Login screen. The Login screen prompts the user for a username and password to access either the Terms and Conditions or Welcome page.

Agreement URL - Define the complete URL for the location of the Terms and Conditions page. The Terms and Conditions page provides conditions that must be agreed to before wireless client access is provided.

Welcome URL - Define the complete URL for the location of the Welcome page. The Welcome page asserts the user has logged in successfully and can access network resources via the captive portal.

Fail URL - Define the complete URL for the location of the Fail page. The Fail page asserts the authentication attempt has failed and the client cannot access the captive portal. The client needs to provide correct login information to regain access.

Acknowledgement URL - Define the complete URL for the location of the Acknowledgement page. The Acknowledgement URL is needed by returning users whose MAC addresses have been validated previously, but who must accept the conditions of the captive portal again.

No Service URL - Define the complete URL for the location of the No Service page. The No Service URL is needed by users encountering difficulties connecting to the external resource used to host the captive portal pages.

Registration URL - Define the complete URL for the location of the Registration page. The Registration URL is supported by NX9500, NX9600 and NX75XX service platform models as an adopting controller verifying (registering) user information before client access is provided to captive portal managed Internet resources.

27 Select OK when completed to update the captive portal's advanced configuration. Select Reset to revert the screen back to its last saved configuration.

11.1.2 Creating DNS Whitelists

A DNS whitelist is used in conjunction with a captive portal to provide access services to wireless clients. Use the whitelist to create the set of destination IP addresses and hostnames an unauthenticated client is allowed to reach before completing the captive portal; other connections on the redirected ports are intercepted.
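The following Python example is added here for illustration; it is not WiNG code and does not reproduce the controller's implementation. It models the two rules that together decide whether an unauthenticated client's connection is intercepted: the redirection port list of step 18 (comma-separated, a dash for a range, 80 and 443 always included) and the DNS whitelist of steps 12-13 with its Match Suffix option. Where the guide is silent, the example assumes that hostname matching is case-insensitive and that a suffix entry such as cdn.example.net matches cdn.example.net and hosts below it on a label boundary, but not evilcdn.example.net. All hosts and addresses in it are constructed.

```python
"""Added example, not WiNG code: the captive portal redirect decision, modelled
from the DNS Whitelist (steps 12-13, Match Suffix) and Redirection Ports (step 18)
rules in the guide. Suffix semantics and case-insensitive matching are this
example's assumptions; sample hosts and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# The guide: ports 80 and 443 are always considered, whatever the admin enters.
ALWAYS_REDIRECTED_PORTS = frozenset({80, 443})


def parse_redirect_ports(spec: str) -> Set[int]:
    """Parse 'Destination Ports for Redirection': comma-separated ports, a dash
    for a range. Always includes 80 and 443. Rejects malformed or out-of-range
    values instead of silently dropping them."""
    ports = set(ALWAYS_REDIRECTED_PORTS)
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = item.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"bad port range {item!r}")
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(item))
    out_of_range = sorted(p for p in ports if not 1 <= p <= 65535)
    if out_of_range:
        raise ValueError(f"port out of range: {out_of_range}")
    return ports


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class WhitelistEntry:
    dns_entry: str              # hostname, IPv4 or IPv6 address
    match_suffix: bool = False  # guide default: disabled


def validate_entry(entry: WhitelistEntry) -> WhitelistEntry:
    """Apply the guide's entry rules: an IP address or a hostname; hostnames may
    not contain an underscore. Hostnames are normalised to lower case."""
    if _is_ip(entry.dns_entry):
        if entry.match_suffix:
            raise ValueError("Match Suffix applies to hostnames, not addresses")
        return WhitelistEntry(str(ipaddress.ip_address(entry.dns_entry)), False)
    host = entry.dns_entry.strip().lower().rstrip(".")
    labels = host.split(".")
    if "_" in host or not host or any(not lab or len(lab) > 63 for lab in labels):
        raise ValueError(f"invalid hostname {entry.dns_entry!r}")
    return WhitelistEntry(host, entry.match_suffix)


def is_whitelisted(entries: Iterable[WhitelistEntry],
                   dst_host: Optional[str], dst_ip: str) -> bool:
    """True if the destination matches a whitelist entry, by address or by the
    hostname the client resolved (None when no DNS name is known)."""
    ip = ipaddress.ip_address(dst_ip)
    host = (dst_host or "").strip().lower().rstrip(".")
    for entry in entries:
        if _is_ip(entry.dns_entry):
            if ipaddress.ip_address(entry.dns_entry) == ip:
                return True
        elif host:
            if host == entry.dns_entry:
                return True
            # Assumption: suffix match on a label boundary only, so 'cdn.example.net'
            # covers 'img.cdn.example.net' but not 'evilcdn.example.net'.
            if entry.match_suffix and host.endswith("." + entry.dns_entry):
                return True
    return False


def should_redirect(entries: Iterable[WhitelistEntry], redirect_ports: Set[int],
                    dst_host: Optional[str], dst_ip: str, dst_port: int) -> bool:
    """Decide whether an unauthenticated client's flow is intercepted and sent to
    the portal: only on a redirected port, and only if not whitelisted."""
    if dst_port not in redirect_ports:
        return False
    return not is_whitelisted(entries, dst_host, dst_ip)
```

Run validate_entry over every row before using a whitelist: it is what enforces the no-underscore rule and rejects Match Suffix on an address entry. The label-boundary check in is_whitelisted is the part worth keeping even if the rest is replaced; a bare string suffix test would let an attacker register evilcdn.example.net and reach it from an unauthenticated client.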
To host hotspot pages on an external Web server, the IP address of the destination Web server(s) must be in the whitelist. To define the whitelist:

1 Select Configuration > Services. The upper, left-hand side of the user interface displays a Services menu pane where Captive Portal, DHCP and RADIUS configuration options can be selected.

2 Select Captive Portals. The Captive Portal screen displays the configurations of existing policies. New policies can be created, existing policies modified or existing policies deleted.

3 Select DNS Whitelist.

Figure 11-8 Captive Portal DNS Whitelist screen

4 Review the names of existing whitelists and click Add to create a new whitelist entry, or select an existing whitelist and click Edit to modify it.

5 Use the DNS Whitelist parameter to create a set of allowed destination IP addresses. To host pages on an external Web server, the IP address of the destination Web server(s) must be in the whitelist.

6 Refer to the drop-down menu of existing whitelist entries to select a policy to be applied to this captive portal policy. If no entries exist, select the Create or Edit icons and follow the sub-steps below:

a. If creating a new Whitelist, assign it a name up to 32 characters. Select the + Add Row button to populate the Whitelist with Host and IP Index values.

Figure 11-9 Captive Portal Whitelist screen

b. Provide a Hostname, numeric IPv4 Address or IPv6 Address within the DNS Entry parameter for each destination IP address or host included in the Whitelist. IPv6 formatted addresses are composed of eight groups of four hexadecimal digits separated by colons.

c. Use the Match Suffix parameter to match any hostname or domain name as a suffix. The default setting is disabled.

d. If necessary, select the radio button of an existing Whitelist entry and select the - Delete icon to remove the entry from the Whitelist.

11.1.3 Captive Portal Deployment Considerations

Before defining a captive portal configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:
- The architecture should consider the number of wireless clients allowed and the services provided. Each topology has benefits and disadvantages which should be taken into consideration to meet each deployment's requirements.
- Captive portal authentication uses HTTPS to protect user credentials, but does not typically provide encryption for user data once clients have been authenticated: on an open WLAN, post-authentication traffic crosses the air in the clear. For private access applications, WPA2 (with a strong passphrase) should be enabled to provide strong encryption.
- Guest user traffic should be assigned a dedicated VLAN, separate from other internal networks.
- Guest access configurations should include firewall policies to ensure logical separation is provided between guest and internal networks, so internal networks and hosts are not reachable from guest devices.
- Guest access services should be defined in a manner whereby end-user traffic does not cause network congestion.
- A valid certificate should be issued and installed on all devices providing captive portal access to the WLAN and wireless network. The certificate should be issued from a public certificate authority, ensuring guests can access the captive portal without browser errors (and are not trained to click through certificate warnings).

11.2 Setting the Guest Management Configuration

Establish a guest management configuration to redirect guest users to a registration portal upon association to the captive portal SSID. The guest users are redirected to an internally or externally hosted registration page (registration.html) where the guest user can complete the registration process if not previously registered. The internal captive portal adds a new registration page that is customizable based on business requirements.

A guest management policy is for configuration of the E-mail host and SMS gateway related commands, along with the credentials required for sending a passcode to the guest via E-mail and SMS. Configure up to 32 different guest management policies. Each guest management policy allows an administrator to configure the SMS gateway, SMS message body, E-mail SMTP server, E-mail subject contents and E-mail message body. At any point in time, there can be only one guest management policy active per device.

Guest registration is supported on NX9000 series service platforms as an adopting controller with up to 2 million user identity entries. Guest registration is supported on NX7500 series service platforms as an adopting controller with up to 1 million user identity entries. Guest management and registration is not supported on all other WiNG supported platforms.

NOTE: An option to back up the guest registration configuration is not available in the user interface. To back up the guest user database, a guest-database-backup command must be invoked using the CLI. For more information, refer to the WiNG CLI Reference Guide available from www.extremenetworks.com/support.

Refer to the following sections for configuring Guest Management parameters:
- Email
- SMS
- SMS SMTP
- DB Export

To set the guest management configuration:
1 Select Configuration > Services > Guest Management.

2 Review the following (at a high level) to determine if a new guest management configuration requires creation, or an existing guest management configuration requires modification or deletion:

Figure 11-10 Guest Management screen

Name - Lists the name(s) of up to 32 guest user policies created on the service platform for registering guest user credentials.

Email Enable - A green check mark defines Email as enabled for guest management; a red X defines Email as disabled. Guest users can register themselves with their E-mail credentials as the primary key for authentication; the captive portal system provides the passcode for their registration, and the guest user then uses the registered email/mobile/member ID and the received passcode for further logins to the captive portal.

SMS Enable - A green check mark defines SMS as enabled for guest management; a red X defines SMS as disabled. SMS enables guest users to register themselves with their E-mail or mobile device ID as the primary key for authentication. The captive portal provides the passcode for registration, and the guest user uses their registered E-mail or mobile device ID and the received passcode to log in to the captive portal.

SMS SMTP Enable - A green check mark defines SMS SMTP as enabled for guest management; a red X defines SMS SMTP as disabled. Optionally configure an E-mail host server (for example, smtp.gmail.com) along with sender-related credentials and the recipient gateway E-mail address to which the message is E-mailed. The gateway server converts the E-mail into an SMS and sends the message to the guest user's mobile device.

DB Export Enable - A green check mark indicates that exporting the guest user database is enabled for this device. When enabled, the list of guest users on the captive portal can be periodically exported to an external server.

3 Select Add to create a new guest management configuration, choose an existing configuration and select the Edit button to modify its properties, or choose an existing guest management configuration and select Delete to remove it from those available.
Select Rename to change the name of an existing guest management configuration, or Copy a configuration to a different location. Select Replace to replace an existing Guest Management policy with a new policy.

11.2.1 Email

Guest users can register themselves with their E-mail credentials as the primary key for authentication; the captive portal system provides the passcode for their registration, and the guest user then uses the registered email/mobile/member ID and the received passcode for further logins to the captive portal. To define a guest management configuration using E-mail as the primary key for authentication:
1 Select Configuration > Services > Guest Management. Review existing guest management configurations to determine whether a new E-mail configuration requires creation or an existing guest user configuration requires modification or deletion.

2 Select the Email tab.

Figure 11-11 Guest Management screen - Email tab

3 Set the following E-mail guest user network address and message content information required for notifying a guest with a passcode using E-mail:

Enable - Enable this option so guest users can register themselves with their E-mail credentials as the primary key for authentication; the captive portal system provides the passcode for their registration, and the guest user then uses the registered E-mail/mobile/member ID and the received passcode for further logins to the captive portal. This setting is disabled by default and must be enabled to define the required settings.

Host - Define a hostname or IPv4 formatted IP address of the SMTP server resource used for guest management E-mail traffic, guest user credential validation and passcode reception. Optionally create an alias to define the host once and use the alias across different configuration items.

Sender - Provide a 100 character maximum sender name for the guest user receiving the passcode required for registering their guest E-mail credentials.

Security - Use the drop-down menu to select ssl or starttls as the transport security used with this username and password combination on the E-mail host server. Optionally select None to apply no transport security; with None, the SMTP username and password may cross the network in clear text, so choose ssl or starttls wherever the server supports it.

Username - Provide a unique 100 character maximum username for this guest management configuration. This username requires its own password and must be correctly provided to receive the required passcode for registering guest E-mail credentials.

Password - Define a 63 character maximum password that must be correctly provided with the unique username to receive the required passcode for registering guest E-mail credentials.

Subject - Enter the 100 character maximum E-mail subject for the E-mail message sent to the guest user along with the required passcode. You can use the tag GM_NAME in the subject, which is replaced by the guest user's name.

Message - Create the 1024 character maximum message content for the E-mail sent to the guest user along with the passcode. You can use the following tags in the message body: GM_NAME indicates the guest user's name and is replaced by that name when the E-mail is created; GM_PASSCODE indicates the passcode assigned to the user and is replaced by the actual passcode when the E-mail is created; CR-NL indicates a line break, so the word next to this tag starts on a new line when the E-mail is created.

4 Select OK to save the updates to the guest management E-Mail configuration. Select Reset to revert the screen back to its last saved configuration.

11.2.2 SMS

SMS enables guest users to register themselves with their E-mail or mobile device ID as the primary key for authentication. The captive portal provides the passcode for registration, and the guest user uses their registered E-mail or mobile device ID and the received passcode to log in to the captive portal.

NOTE: When utilizing SMS, the WLAN's authentication type should be None and the registration type should be enabled as user registration. Captive portal authentication must always enforce guest registration.

SMS is similar to MAC address based self registration, but in addition the captive portal sends an SMS message containing an access code to the mobile phone number the user provided at registration. The user then inputs the access code on the user screen. The captive portal verifies the code, returns the Welcome page and provides access. This allows the administrator to verify the phone number provided, which can be traced back to a specific individual should the need arise. The default gateway used with SMS is Clickatell. A passcode can be sent by SMS to the guest user directly using Clickatell, or the passcode can be sent via E-mail to the Clickatell SMS gateway server, and Clickatell sends the passcode SMS to the guest user. To define a guest management configuration using SMS:
1 Select Configuration > Services > Guest Management. Review existing guest management configurations to determine whether a new configuration requires creation or an existing guest user configuration requires modification or deletion.

2 Select the SMS tab.

Figure 11-12 Guest Management screen - SMS tab

3 Set the following SMS guest user network and message content information required for notifying a guest with a passcode:

Enable - Select this option to enable guest users to register themselves with their E-mail or mobile device ID as the primary key for authentication. This setting is disabled by default and must be enabled to define the required settings.

Host - By default, clickatell is the only host SMS gateway server resource. Upon receiving the passcode E-mail, the SMS gateway sends the actual notification passcode SMS to the guest user.

Username - Provide a unique 32 character maximum username for this SMS guest management configuration. This username requires its own password and must be correctly provided to receive the required passcode for registering guest user credentials with SMS.

Password - Define a 63 character maximum password that must be correctly provided with the unique username to receive the required passcode for registering guest user credentials with SMS.

API Id - Set a 32 character maximum API Id for the configuration of the clickatell api_id (http/smtp api_id).

User Agent - Select the user agent for configuring the clickatell SMS gateway server and its related credentials for sending the passcode to guests.

Source Number - Set a 32 character maximum source address from the number associated with clickatell. It can be a large integer or a short code. The source number is only applicable to certain countries (like the United States).

Message - Create the 1024 character maximum message content for the SMS based request sent to the guest user along with the passcode.

4 Select OK to save the updates to the guest management SMS configuration. Select Reset to revert the screen back to its last saved configuration.

11.2.3 SMS SMTP

Optionally configure an E-mail host server (for example, smtp.gmail.com) along with sender-related credentials and the recipient gateway E-mail address to which the message is E-mailed. The gateway server converts the E-mail into an SMS and sends the message to the guest user's mobile device. When sending an E-mail, the E-mail client interacts with an SMTP server to handle the content transmission. The SMTP server on the host may have conversations with other SMTP servers to deliver the E-mail. To define a guest management configuration using SMS SMTP:
1 Select Configuration > Services > Guest Management. Review existing guest management configurations to determine whether a new configuration requires creation or an existing guest user configuration requires modification or deletion.

2 Select the SMS SMTP tab.

Figure 11-13 Guest Management screen - SMS SMTP tab

3 Set the following SMS SMTP guest user network and message content information required for notifying a guest with a passcode:

Enable - Enable this setting to configure an E-mail host server (for example, smtp.gmail.com) along with sender-related credentials and the recipient gateway E-mail address to which the message is E-mailed. This setting is disabled by default and must be enabled to define the required settings.

Host - Define a hostname or IPv4 formatted IP address of the SMS gateway server resource used for guest management E-mail traffic, guest user credential validation and passcode reception. Consider providing the host as an alias. An alias enables an administrator to define a configuration item, such as a hostname, once and use the alias across different configuration items.

Sender - Provide a 100 character maximum sender name for the guest user receiving the passcode required for registering their guest E-mail credentials using SMTP.

Security - Use the drop-down menu to select ssl or starttls as the transport security used with this username and password combination on the SMTP server. Optionally select None to apply no transport security; this exposes the SMTP credentials to anyone on the path to the mail server. The default value is ssl.

Username - Provide a unique 64 character maximum username for this SMTP guest management configuration. This username requires its own password and must be correctly provided to receive the required passcode for registering guest user credentials.

Password - Define a 64 character maximum password that must be correctly provided with the unique username to receive the required passcode for registering guest user credentials with SMTP.

Email of Recipient - Enter a 64 character maximum E-mail address for the recipient of guest management E-mail traffic.

Subject - Enter a 100 character maximum E-mail subject for the E-mail message sent to the guest user along with the required passcode.

Message - Enter a 1024 character maximum E-mail message in the message format required by the gateway server. The sms-over-smtp message format is the format clickatell requires when E-mail is sent to the SMS gateway server.
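As an added example (not WiNG code, and not the controller's own registration logic), the following Python models the passcode exchange the guide describes for E-mail, SMS and SMS SMTP delivery and for the Registration page in 11.1.1: the Subject/Message template is rendered with the GM_NAME, GM_PASSCODE and CR-NL tags in a single pass, only a salted hash of the passcode is kept while registration is pending, and the code the guest types back is checked with a constant-time comparison, an expiry and an attempt limit. The six-digit code, the 10-minute validity and the five-attempt limit are this example's choices; the guide does not specify them, and because the guide presents the tags as bare tokens the example matches them literally.

```python
"""Added example, not WiNG code: issuing and verifying the guest registration
passcode sent by E-mail or SMS. Code length, validity period and attempt limit
are this example's assumptions."""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

PASSCODE_DIGITS = 6             # assumption: the guide does not state a length
PASSCODE_TTL_SECONDS = 10 * 60  # assumption
MAX_ATTEMPTS = 5                # assumption

# The guide's message tags, matched as literal tokens in a single pass so that a
# guest-supplied name containing 'GM_PASSCODE' is never expanded a second time.
_TAG = re.compile(r"GM_NAME|GM_PASSCODE|CR-NL")


def render_message(template: str, guest_name: str, passcode: str) -> str:
    """Fill the Subject/Message template: GM_NAME -> guest's name,
    GM_PASSCODE -> the code, CR-NL -> line break."""
    values = {"GM_NAME": guest_name, "GM_PASSCODE": passcode, "CR-NL": "\n"}
    return _TAG.sub(lambda m: values[m.group(0)], template)


def _digest(salt: bytes, passcode: str) -> bytes:
    return hashlib.sha256(salt + passcode.encode("utf-8")).digest()


@dataclass
class PendingRegistration:
    identity: str      # the primary key: registered E-mail address or mobile number
    salt: bytes
    digest: bytes      # salted hash; the clear-text code is never stored
    expires_at: float
    attempts: int = 0


class PasscodeStore:
    """Pending registrations keyed by the guest's E-mail or mobile identity."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now
        self._pending: Dict[str, PendingRegistration] = {}

    def issue(self, identity: str, guest_name: str, template: str) -> str:
        """Generate a fresh passcode for identity and return the rendered message
        to hand to the E-mail or SMS gateway. Re-issuing replaces the old code."""
        code = "".join(secrets.choice("0123456789") for _ in range(PASSCODE_DIGITS))
        salt = secrets.token_bytes(16)
        self._pending[identity] = PendingRegistration(
            identity, salt, _digest(salt, code), self._now() + PASSCODE_TTL_SECONDS)
        return render_message(template, guest_name, code)

    def verify(self, identity: str, code: str) -> Tuple[bool, str]:
        """Check the code the guest typed on the Registration page. A successful
        check, an expired code or too many attempts all clear the pending entry."""
        pending = self._pending.get(identity)
        if pending is None:
            return False, "no pending registration"
        if self._now() > pending.expires_at:
            del self._pending[identity]
            return False, "passcode expired"
        pending.attempts += 1
        if pending.attempts > MAX_ATTEMPTS:
            del self._pending[identity]
            return False, "too many attempts"
        if hmac.compare_digest(_digest(pending.salt, code), pending.digest):
            del self._pending[identity]
            return True, "registered"
        return False, "wrong passcode"
```

The attempt limit is what protects a short numeric passcode; hashing it only keeps a copy of the guest user database (for example a DB Export) from revealing live codes. The single-pass rendering means a guest who registers with a name containing a tag name cannot cause it to be expanded.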
Select OK to save the updates to the guest management SMS SMTP configuration. Select Reset to revert the screen back to its last saved configuration.
11.2.4 DB Export
Optionally configure the guest user database export parameters. The guest user database can be periodically exported to an external server for backup and analysis. To define the database export parameters:
1 Select Configuration > Services > Guest Management. Review existing guest management configurations to determine whether a new configuration requires creation or an existing guest user configuration requires modification or deletion.
2 Select the DB Export tab.
3 Set the following DB Export parameters:
Figure 11-14 Guest Management screen - DB Export tab
Enable - Enable this setting to export the guest user database to an external server for backup and analysis. This setting is disabled by default and must be enabled to define the required settings.
Start Time - Define the start time when the first database backup occurs. The first run of the guest user database backup is always on the current day. Use the spinner controls to set the start hour and minute. Use the AM/PM options to configure the exact hour. The default value is 12:00 AM.
Frequency - Define the backup frequency. This is the time interval between two consecutive backups. Use the spinner control to set the value between 1 hour and 168 hours. The default frequency is 4 hours.
Format - The guest user database can be exported in the following formats: CSV, JSON. Select the appropriate export format. The default export format is CSV.
Last Visit Time - Use this field to filter or restrict the amount of data that is exported. Use the spinner to set a value in the range 1 - 168 hours. When set, any data that is older than the set period, counted from when the database is being backed up, is not exported. The default value is 4 hours.
URL Directory - Use the field to provide the URL to which the guest user database is exported. Select the Advanced link to expose fields for setting the remote server's URL.
Protocol - Select the protocol used for exporting the guest user database. Available options include: tftp, ftp, sftp, http, cf, usb1-4.
Port - Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host - Provide the hostname string or numeric IP address of the server to export the guest user database to. Hostnames cannot include an underscore character. This option is not valid for cf and usb1-4. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Path/File - Specify the path on the remote server where the guest user database file is copied to. Enter the complete relative path to the file on the remote server.
4 Select OK to save the updates to the guest management DB Export configuration. Select Reset to revert the screen back to its last saved configuration.
11.3 Setting the DHCP Configuration
Dynamic Host Configuration Protocol (DHCP) allows hosts on an IP network to request and be assigned IP addresses and discover information about the network where they reside. Each subnet can be configured with its own address pool. Whenever a DHCP client requests an IP address, the DHCP server assigns an IP address from that subnet's address pool. When the onboard DHCP server allocates an address for a DHCP client, the client is assigned a lease, which expires after a pre-determined interval. Before a lease expires, wireless clients (to which leases are assigned) are expected to renew them to continue to use the addresses. Once the lease expires, the client is no longer permitted to use the leased IP address. The DHCP server ensures all IP addresses are unique, and no IP address is assigned to a second client while the first client's assignment is valid (its lease has not yet expired).
Therefore, IP address management is conducted by the internal DHCP server, not by an administrator. The internal DHCP server groups wireless clients based on defined user-class options. Clients with a defined set of user class values are segregated by class. A DHCP server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses. DHCP clients are compared against classes. If the client matches one of the classes assigned to the pool, it receives an IP address from the range assigned to the class. If the client doesn't match any of the classes in the pool, it receives an IP address from a default pool range (if defined). Multiple IP addresses for a single VLAN allow the configuration of multiple IP addresses, each belonging to a different subnet. Class configuration allows a DHCP client to obtain an address from the first pool to which the class is assigned.
Numerous DHCP network address credentials can have an alias applied. An alias enables an administrator to define a configuration item (such as an IP address or domain name) once, and then use this single alias across different configurable values. For example, if a central network DNS server is set to a static IP address, and a remote location's local DNS server is defined, this host can be overridden at the remote location. At the remote location, the network is functional with a local DNS server, but uses the name set at the central network. A new host need not be created at the remote location. This simplifies creating and managing hosts and allows an administrator to better manage specific local requirements. An alias name always starts with a dollar sign ($) and should not exceed 32 characters. An alias that's applied to a DHCP configuration can be either a Global, Profile, RF Domain or Device alias.
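As an added example (not code from this guide or the platform), the following Python models the class-based pool assignment described above: exclusive per-class ranges, a default range for clients matching no class, excluded ranges that are never leased, and leases that stay reserved until they expire. Subnet, addresses, MACs and clock values are constructed, and the behaviour of a full class range (no fallback to the default range) is an assumption.

```python
# Added example, not from the WiNG guide: in-memory model of class-based
# DHCP pool assignment. All addresses, MACs and clock values are constructed.
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

MAX_LEASE_SECONDS = 31_622_399   # upper end of the guide's lease-time range


@dataclass(frozen=True)
class AddressRange:
    start: IPv4Address
    end: IPv4Address

    def __contains__(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end

    def overlaps(self, other: "AddressRange") -> bool:
        return self.start <= other.end and other.start <= self.end


@dataclass
class Lease:
    ip: IPv4Address
    mac: str
    expires: int   # constructed clock value, in seconds


@dataclass
class Pool:
    subnet: IPv4Network
    lease_seconds: int
    default_range: Optional[AddressRange] = None
    excluded: List[AddressRange] = field(default_factory=list)
    # class name -> (user class value the client must present, exclusive range)
    classes: Dict[str, Tuple[str, AddressRange]] = field(default_factory=dict)
    leases: Dict[IPv4Address, Lease] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if not 1 <= self.lease_seconds <= MAX_LEASE_SECONDS:
            raise ValueError("lease time must be 1 - 31,622,399 seconds")

    def add_class(self, name: str, value: str, rng: AddressRange) -> None:
        """Attach a class policy; its range must be exclusive within the pool."""
        if len(name) > 32 or len(value) > 32:
            raise ValueError("class name and value are limited to 32 characters")
        if rng.start not in self.subnet or rng.end not in self.subnet:
            raise ValueError("class range must lie inside the pool subnet")
        taken = [r for _, r in self.classes.values()] + (
            [self.default_range] if self.default_range else [])
        if any(rng.overlaps(r) for r in taken):
            raise ValueError("class ranges must not overlap other ranges")
        self.classes[name] = (value, rng)

    def _select_range(self, user_class: Optional[str]) -> Optional[AddressRange]:
        # The user class is whatever the client asserted; DHCP cannot authenticate it.
        for value, rng in self.classes.values():
            if user_class is not None and value == user_class:
                return rng
        return self.default_range

    def _assignable(self, ip: IPv4Address, now: int) -> bool:
        if ip in (self.subnet.network_address, self.subnet.broadcast_address):
            return False
        if any(ip in ex for ex in self.excluded):
            return False
        lease = self.leases.get(ip)
        return lease is None or lease.expires <= now   # expired leases reissue

    def allocate(self, mac: str, now: int,
                 user_class: Optional[str] = None) -> Optional[IPv4Address]:
        """Return the address leased to `mac`, renewing an unexpired lease."""
        for lease in self.leases.values():
            if lease.mac == mac and lease.expires > now:
                lease.expires = now + self.lease_seconds
                return lease.ip
        rng = self._select_range(user_class)
        if rng is None:       # no class match and no default range defined
            return None
        for n in range(int(rng.start), int(rng.end) + 1):
            ip = IPv4Address(n)
            if self._assignable(ip, now):
                self.leases[ip] = Lease(ip, mac, now + self.lease_seconds)
                return ip
        return None           # assumption: a full class range does not fall back


def demo() -> Dict[str, Optional[str]]:
    a = IPv4Address
    pool = Pool(IPv4Network("192.0.2.0/24"), lease_seconds=3600,
                default_range=AddressRange(a("192.0.2.10"), a("192.0.2.12")),
                excluded=[AddressRange(a("192.0.2.11"), a("192.0.2.11"))])
    pool.add_class("printers", "PRN", AddressRange(a("192.0.2.100"), a("192.0.2.101")))
    out: Dict[str, Optional[str]] = {}
    def note(case, ip): out[case] = None if ip is None else str(ip)
    note("a_default", pool.allocate("00:00:5e:00:53:0a", 0))            # 192.0.2.10
    note("b_skips_excluded", pool.allocate("00:00:5e:00:53:0b", 0))     # 192.0.2.12
    note("c_default_exhausted", pool.allocate("00:00:5e:00:53:0c", 0))  # None
    note("d_class", pool.allocate("00:00:5e:00:53:0d", 0, "PRN"))       # 192.0.2.100
    note("e_unknown_class", pool.allocate("00:00:5e:00:53:0e", 0, "XYZ"))  # None
    note("a_renewed", pool.allocate("00:00:5e:00:53:0a", 1000))         # 192.0.2.10
    note("c_after_expiry", pool.allocate("00:00:5e:00:53:0c", 4000))    # 192.0.2.12
    return out
```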
For more information on aliases and their application, see Setting a Profile's Alias Configuration on page 8-155.
NOTE: DHCP server updates are only implemented when the controller or service platform is restarted.
Refer to the following sections for more information on configuring DHCP parameters:
Defining DHCP Pools
Defining DHCP Server Global Settings
DHCP Class Policy Configuration
DHCP Deployment Considerations
To access and review the local DHCP server configuration:
1 Select Configuration > Services > DHCP Server Policy. The DHCP Server screen displays. Clients with a defined set of user class values are segregated by class. A DHCP server can associate multiple classes to each pool. Each class in a pool is assigned an exclusive range of IP addresses. DHCP clients are then compared against classes.
2 Review the following DHCP server configurations (at a high level) to determine whether a new server policy requires creation, an existing policy requires modification or an existing policy requires deletion:
Figure 11-15 DHCP Server Policy screen
DHCP Server Policy - Lists the name assigned to each DHCP server policy when it was initially created. The name assigned to a DHCP server policy cannot be modified as part of the policy edit process. However, obsolete policies can be deleted as needed.
Ignore BOOTP Requests - A green checkmark within this column means this policy has been set to ignore BOOTP requests. A red X defines the policy as accepting BOOTP requests. BOOTP (boot protocol) requests boot remote systems within the controller or service platform managed network. BOOTP messages are encapsulated inside UDP messages and are forwarded by the controller or service platform. This parameter can be changed within the DHCP Server Global Settings screen.
Ping Timeout - Lists the interval (from 1 - 10 seconds) for a DHCP server ping timeout. The timeout is used to intermittently ping and discover whether a client requested IP address is already in use. This parameter can be changed within the DHCP Server Global Settings screen.
3 Select Add to create a new DHCP server policy, choose an existing policy and select the Edit button to modify the policy's properties or choose an existing policy and select Delete to remove the policy from those available. Adding or Editing a DHCP server policy displays the DHCP Server Policy screen by default. Select Rename to change the name of an existing policy or Copy a policy to a different location.
11.3.1 Defining DHCP Pools
DHCP services are available for specific IP interfaces. A pool (or range) of IP network addresses and DHCP options can be created for each IP interface defined. This range of addresses can be made available to DHCP enabled wireless devices on either a permanent or leased basis.
DHCP options are provided to each DHCP client with a DHCP response and provide DHCP clients information required to access network resources (default gateway, domain name, DNS server and WINS server configuration). An option exists to identify the vendor and functionality of a DHCP client. The information is a variable-length string of characters (or octets) with a meaning specified by the vendor of the DHCP client. To define the parameters of a DHCP pool:
1 Select Configuration > Services > DHCP Server Policy. The DHCP Server screen displays the DHCP Pool tab by default.
Figure 11-16 DHCP Server Policy screen - DHCP Pool tab
2 Review the following DHCP pool configurations to determine if an existing pool can be used as is, a new one requires creation or edit, or a pool requires deletion:
DHCP Pool - Displays the name assigned to the network pool when created. The DHCP pool name represents the group of IP addresses used to assign to DHCP clients upon request. The name assigned cannot be modified as part of the edit process. However, if the network pool configuration is obsolete it can be deleted.
Subnet - Displays the network address or alias used by clients requesting DHCP resources.
Domain Name - Displays the domain name or alias used with this network pool. Domain Name Services (DNS) convert human readable host names into IP addresses. Host names are not case sensitive and can contain alphabetic or numeric characters or a hyphen. A fully qualified domain name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com.
Boot File - Boot files (Boot Protocol) are used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages, so requests and replies can be forwarded. Each DHCP network pool can use a different file as needed.
Lease Time - If a lease time has been defined for a listed network pool, it displays in an interval from 1 - 31,622,399 seconds. DHCP leases provide addresses for defined times to various clients. If a client does not use the leased address for the defined time, that IP address can be re-assigned to another DHCP client.
3 Select Add to create a new DHCP pool, Edit to modify an existing pool's properties or Delete to remove a pool from amongst those available.
Figure 11-17 DHCP Pools screen - Basic Settings tab
If adding or editing a DHCP pool, the DHCP Pool screen displays the Basic Settings tab by default. Define the required parameters for the Basic Settings, Static Bindings and Advanced tabs to complete the creation of the DHCP pool.
4 Set the following General parameters, or aliases, from within the Basic Settings tab.
An alias enables an administrator to define a configuration item (such as an IP address or domain name) once, and then use this single alias across different configurable values.
DHCP Pool - If adding a new pool, a name is required. The pool is the range of IP addresses defined for DHCP assignment or lease. The name assigned cannot be modified as part of the edit process. However, if the network pool configuration is obsolete it can be deleted. The name cannot exceed 32 characters.
Subnet - Define the IP address/Subnet Mask or IP alias used for DHCP discovery and requests between the local DHCP server and clients. The IP address and subnet mask (or its alias) is required to match the addresses of the layer 3 interface for the addresses to be supported through that interface. If setting a subnet IP alias, ensure it begins with a dollar sign ($) and does not exceed 32 characters. A numeric IP address is the default setting, not an alias.
Domain Name - Provide the domain name or domain alias used with this pool. Domain names are not case sensitive and can contain alphabetic or numeric characters or a hyphen. A fully qualified domain name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com. If setting a domain name alias, ensure it begins with a dollar sign ($) and does not exceed 32 characters. An actual domain name is the default setting, not an alias.
DNS Servers - Define one (or a group) of Domain Name Servers (DNS) to translate domain names to IP addresses. An alias can alternatively be applied for a DNS server IP address. Up to 8 IP addresses can be supported. If setting a DNS IP alias, ensure it begins with a dollar sign ($) and does not exceed 32 characters. An actual DNS IP address is the default setting, not an alias.
Lease Time - DHCP leases provide addresses for defined times to various clients. If a client does not use the leased address within the defined time, that IP address can be re-assigned to another DHCP supported client. Select this option to assign a lease in either Seconds (1 - 31,622,399), Minutes (1 - 527,040), Hours (1 - 8,784) or Days (1 - 366). The default setting is enabled, with a lease time of 1 day.
Default Routers - After a DHCP client has booted, the client begins sending packets to its default router. Set the IP address or IP alias for one or more routers used to map host names into IP addresses for clients. Up to 8 default router IP addresses are supported. If setting a default router IP alias, ensure it begins with a dollar sign ($) and does not exceed 32 characters. An actual router IP address is the default setting, not an alias.
5 Use the IP Address Ranges field to define the range of included addresses (starting and ending IP addresses) for this particular pool.
a. Select the + Add Row button at the bottom of the IP addresses field to add a new range. Select the radio button of an existing IP address range and select the Delete icon to remove it from the list of those available.
b. Enter a viable range of IP addresses in the IP Start and IP End columns. This is the range of addresses available for assignment to requesting clients.
c. Select the Create icon or Edit icon within the Class Policy column to display the DHCP Server Policy screen if a class policy is not available from the drop-down menu.
6 Refer to the Excluded IP Address Range field and select the + Add Row button. Add ranges of IP addresses to exclude from lease to requesting clients. Having ranges of unavailable addresses is a good practice to ensure IP address resources are in reserve. Select the Delete icon as needed to remove an excluded address range.
7 Select OK to save the updates to the DHCP Pool Basic Settings tab. Select Reset to revert to the last saved configuration.
8 Select the Static Bindings tab from within the DHCP Pools screen. A binding is a collection of configuration parameters, including an IP address, associated with, or bound to, a DHCP client. Bindings are managed by DHCP servers.
DHCP bindings automatically map a device MAC address to an IP address using a pool of DHCP supplied addresses. Static bindings assign IP addresses without creating numerous host pools with manual bindings. Static host bindings use a text file the DHCP server reads. It eliminates the need for a lengthy configuration file and reduces the space required to maintain address pools.
9 Review the following to determine if a static binding can be used as is, a new binding requires creation or edit, or if a binding requires deletion:
Figure 11-18 DHCP Pools screen - Static Bindings tab
Client Identifier Type - Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCP server.
Value - Lists the hardware address or client identifier assigned to the client when added or last modified.
IP Address - Displays the IP address of the client on this interface that's currently using the pool name listed.
10 Select Add to create a new static binding configuration, Edit to modify an existing static binding configuration or Delete to remove a static binding from amongst those available.
Figure 11-19 Static Bindings Add screen
11 Set the following General parameters or aliases to complete the creation of the static binding configuration. An alias enables an administrator to define a configuration item (such as an IP address or domain name) once, and then use this single alias across different configurable values.
IP Address - Set an IP address of the client using this host pool for DHCP resources. The IP option is selected by default. Optionally select Alias to provide an IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
Domain Name - Provide a domain name of the current interface. Domain names aren't case sensitive and can contain alphabetic or numeric characters or a hyphen. A fully qualified domain name (FQDN) consists of a host name plus a domain name. For example, computername.domain.com. The Name option is selected by default. Optionally select Alias to provide a domain name alias beginning with a dollar sign ($) and not exceeding 32 characters.
Boot File - Enter the name of the boot file used with this pool. Boot files (Boot Protocol) can be used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded. Each DHCP network pool can use a different file as needed. The IP option is selected by default. Optionally select Alias to provide a boot file IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
BOOTP Next Server - Provide the numerical IP address or alias of the server providing BOOTP resources. BOOTP (boot protocol) requests boot remote systems within the controller or service platform managed network. BOOTP messages are encapsulated inside UDP messages and are forwarded by the controller or service platform. The IP option is selected by default. Optionally select Alias to provide a next BOOTP server IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
Client Name - Provide the name of the client requesting DHCP Server support.
Enable Unicast - Unicast packets are sent from one location to another location (there's just one sender, and one receiver). Select this option to forward unicast messages to just a single device within this network pool. This setting is disabled by default.
12 Define the following NetBIOS parameters to complete the creation of the static binding configuration:
NetBIOS Node Type - Set the NetBIOS Node Type used with this particular pool. The following options are available:
Broadcast - Uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
Peer-to-Peer - Uses directed calls to communicate with a known NetBIOS name server (such as a WINS server), for the IP address of a NetBIOS machine.
Mixed - A mixed node uses broadcast queries to find a node, and failing that, queries a known p-node name server for the address.
Hybrid - A combination of two or more nodes.
Undefined - No node type is applied.
NetBIOS Servers - Specify a numerical IP address of a single or group of NetBIOS WINS servers available to requesting clients. A maximum of 8 server IP addresses can be assigned. The IP option is selected by default. Optionally select Alias to provide a NetBIOS server IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
13 Refer to the Static Routes Installed on Clients field to set Destination IP and Gateway addresses enabling the assignment of static IP addresses without creating numerous host pools with manual bindings. This eliminates the need for a long configuration file and reduces the space required in NVRAM to maintain address pools. Select the + Add Row button to add individual destinations. Select the Delete icon to remove a destination from the list of those available.
14 Refer to the DHCP Option Values table to set Global DHCP options. A set of global DHCP options applies to all clients, whereas a set of subnet options applies only to the clients on a specified subnet. If you configure the same option in more than one set of options, the precedence of the option type decides which value the DHCP server supplies to a client.
a. Select the + Add Row button to add individual options. Assign each a Global DHCP Option Name to help differentiate it from others with similar configurations. Select the radio button of an existing option and select the - Delete button to remove it from the list of those available.
b. Assign a Value to each option with codes from 1 - 254. A vendor-specific option definition only applies to the vendor class for which it is defined.
15 Within the Network field, define one or a group of DNS Servers and Default Routers to translate domain names to IP addresses. Up to 8 IP addresses can be provided. The IP option is selected by default for both DNS Servers and Default Routers. Optionally select Alias to provide an IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
16 Select OK when completed to update the static bindings configuration. Select Reset to revert the screen back to its last saved configuration.
17 Select the Advanced tab to define additional NetBIOS and Dynamic DNS parameters.
18 The addition or edit of the DHCP pool's advanced settings requires the following General parameters be set:
Figure 11-20 DHCP Pools screen - Advanced tab
Boot File - Enter the name of the boot file used with this pool. Boot files (Boot Protocol) can be used to boot remote systems over the network. BOOTP messages are encapsulated inside UDP messages so requests and replies can be forwarded. Each pool can use a different file as needed.
BOOTP Next Server - Provide the numerical IP address or alias of the server providing BOOTP resources. BOOTP (boot protocol) requests boot remote systems within the controller or service platform managed network. BOOTP messages are encapsulated inside UDP messages and are forwarded by the controller or service platform. The IP option is selected by default. Optionally select Alias to provide a next BOOTP server IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
Enable Unicast - Unicast packets are sent from one location to another location (there's just one sender, and one receiver). Select this option to forward unicast messages to just a single device within the network pool. This setting is disabled by default.
19 Set the following NetBIOS parameters for the network pool:
NetBIOS Node Type - Set the NetBIOS Node Type used with this pool. The following types are available:
Broadcast - Uses broadcasting to query nodes on the network for the owner of a NetBIOS name.
Peer-to-Peer - Uses directed calls to communicate with a known NetBIOS name server, such as a WINS server, for the IP address of a NetBIOS machine.
Mixed - Mixed uses broadcast queries to find a node, and failing that, queries a known p-node name server for the address.
Hybrid - Is a combination of two or more nodes.
Undefined - No NetBIOS Node Type is used.
NetBIOS Servers - Specify a numerical IP address of a single or group of NetBIOS WINS servers. A maximum of 8 server IP addresses can be assigned. The IP option is selected by default. Optionally select Alias to provide a NetBIOS server IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
20 Refer to the DHCP Option Values table to set global DHCP options applicable to all clients, whereas a set of subnet options applies to just the clients on a specified subnet.
a Select the + Add Row button to add individual options. Assign each a Global DHCP Option Name to help differentiate it from others with similar configurations. Select the radio button of an existing option and select Delete to remove it from the list.
b Assign a Value to each option from 1 - 254. A vendor-specific option definition only applies to the vendor class for which it's defined.
21 Define the following set of Dynamic DNS (Not Applicable for Static Bindings) parameters used with the network pool configuration. Using DDNS, controllers and service platforms can instruct a DNS server to change, in real time (ad-hoc), the active DNS configuration of its configured hostnames, addresses or other information stored in DNS.
DDNS Domain Name - Enter a domain name for DDNS updates representing the forward zone in the DNS server. For example, test.net. The Name option is selected by default. Optionally select Alias to provide a DDNS domain name alias beginning with a dollar sign ($) and not exceeding 32 characters.
DDNS TTL - Select this option to set a TTL (Time to Live) to specify the validity of DDNS records. The maximum value configurable is 864000 seconds.
DDNS Multi User Class - Select the check box to associate the user class option names with a multiple user class. This allows the user class to transmit multiple option values to DHCP servers supporting multiple user class options.
Update DNS - Set if DNS is updated from a client or a server. Select either Do Not Update, Update from Server or Update from Client. The default setting is Do Not Update, implying that no DNS updates occur at all.
DDNS Server - Specify a numerical IP address of one or two DDNS servers. Dynamic DNS (DDNS) prompts a computer or network to obtain a new IP address lease and dynamically associate a hostname with that address, without having to manually enter the change every time. Since there are situations where an IP address can change, it helps to have a way of automatically updating hostnames that point to the new address every time. The IP option is selected by default. Optionally select Alias to provide a DDNS server IP alias beginning with a dollar sign ($) and not exceeding 32 characters.
22 Click the + Add Row button and enter a Destination and Gateway IP Address to add Static Routes Installed on Clients.
23 Select OK to save the updates to the DHCP pool's Advanced settings. Select Reset to revert the screen back to its last saved configuration.
11.3.2 Defining DHCP Server Global Settings
Set a DHCP server global configuration by defining whether BOOTP requests are ignored and DHCP global server options. To define DHCP server global settings:
1 Select DHCP Server Policy from within the Services menu pane. Add or Edit an existing policy.
2 Select the Global Settings tab.
3 Set the following parameters within the Configuration field:
Figure 11-21 DHCP Server Policy screen - Global Settings tab
Ignore BOOTP Requests - Select the checkbox to ignore BOOTP requests. BOOTP (boot protocol) requests boot remote systems within the network. BOOTP messages are encapsulated inside UDP messages and forwarded. This feature is disabled by default, so unless selected, BOOTP requests are forwarded.
Ping Timeout - Set an interval (from 1 - 10 seconds) for the DHCP server ping timeout. The timeout is the intermittent ping and discover interval used to discern whether a client requested IP address is already in use.
4 Set the following Activation Criteria for the DHCP server policy:
Criteria - Select the Criteria option to invoke a drop-down menu to determine when the DHCP daemon is invoked. Options include vrrp-master, cluster-master, and rf-domain-manager. A VRRP master responds to ARP requests, forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address, rejects packets addressed to the IP associated with the virtual router and accepts packets addressed to the IP associated with the virtual router. The solitary cluster master is the cluster member elected, using a priority assignment scheme, to provide management configuration and Smart RF data to other cluster members. Cluster requests go through the elected master before dissemination to other cluster members. The RF Domain manager is the elected member of the RF Domain capable of storing and provisioning configuration and firmware images for other members of the RF Domain.
5 Refer to the Global DHCP Server Options field.
a. Use the + Add Row button at the bottom of the field to add a new global DHCP server option. Select the radio button of an existing global DHCP server option and select the Delete icon to remove it from the list of those available.
b. Use the Type drop-down menu to specify whether the DHCP option is being defined as a numerical IP address or an ASCII or Hex string. Highlight an entry from within the Global Options screen and click the Remove button to delete the name and value.
6 Select OK to save the updates to the DHCP server global settings. Select Reset to revert the screen back to its last saved configuration.
11.3.3 DHCP Class Policy Configuration
The local DHCP server assigns IP addresses to DHCP enabled wireless clients based on user class option names. Clients with a defined set of user class option names are identified by their user class name.
The DHCP server can assign IP addresses from as many IP address ranges as defined by the administrator. The DHCP user class associates a particular range of IP addresses to a device in such a way that all devices of that type are assigned IP addresses from the defined range. Refer to the DHCP Class Policy screen to review existing DHCP class names and their current multiple user class designations. Multiple user class options enable a user class to transmit option values to DHCP servers supporting multiple user class options. Either add a new class policy, edit the configuration of an existing policy or permanently delete a policy as required. To review DHCP class policies:
1 Select DHCP Server Policy from within the Services menu pane. Add or Edit an existing policy.
2 Select the Class Policy tab.
Figure 11-22 DHCP Server Policy screen - Class Policy tab
3 Refer to the following to determine whether a new class policy requires creation, an existing class policy requires edit or an existing policy requires deletion:
DHCP Class Name - Displays client names grouped by the class name assigned when the class policy was created.
Multiple User Class Support - A green check mark in this column defines multiple user class support as enabled for the listed DHCP class name. A red X defines multiple user class support as disabled. Multiple user class support can be enabled/disabled for existing class names by editing the class name's configuration.
4 Select Add to create a new DHCP class policy, Edit to update an existing policy or Delete to remove an existing policy.
Figure 11-23 DHCP Class Name Add screen
5 If adding a new DHCP Class Name, assign a name representative of the device class supported. The DHCP user class name should not exceed 32 characters.
6 Select a row within the Value column to enter a 32 character maximum value string.
7 Select the Multiple User Class check box to enable multiple option values for the user class. This allows the user class to transmit multiple option values to DHCP servers supporting multiple user class options.
8 Select OK to save the updates to this DHCP class policy. Select Reset to revert the screen back to its last saved configuration.
11.3.4 DHCP Deployment Considerations
Before defining an internal DHCP server configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:
DHCP option 189 is required when AP650 Access Points are deployed over a layer 3 network and require layer 3 adoption. DHCP services are not required for AP650 Access Points connected to a VLAN that is local to the controller or service platform.
DHCP's lack of an authentication mechanism means a DHCP server cannot check whether a client or user is authorized to use a given user class. This introduces a vulnerability when using user class options. For example, if a user class is used to assign a special parameter (for example, a database server), there is no way to authenticate a client and it is impossible to check whether a client is authorized to use this parameter.
Ensure traffic can pass on UDP ports 67 and 68 for clients receiving DHCP information.
11.4 Setting the Bonjour Gateway Configuration
Bonjour is Apple's zero-configuration networking (Zeroconf) implementation. Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates the devices (printers, computers etc.) and the services these computers provide over a local network. Bonjour provides a method to discover services on a local area network (LAN). Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains.
NOTE: Up to eight (8) Bonjour discovery policies can be configured.
The following options can be configured:
Configuring a Bonjour Discovery Policy
Configuring a Bonjour Forwarding Policy
11.4.1 Configuring a Bonjour Discovery Policy
The Bonjour discovery policy configures how Bonjour services are located. It configures the VLANs on which these services can be found. To display Bonjour discovery policy information:
1 Select Configuration.
2 Select Services.
3 Select Bonjour Gateway to expand its submenu.
4 Select Discovery Policy.
The Discovery Policy screen displays the names of the configured Bonjour discovery policies.
Figure 11-24 Bonjour - Discovery Policy screen
5 Select an existing policy and select Edit to modify its configuration, or select Add to create a new configuration. Optionally Rename a policy or Copy a policy to a different location.
6 Select the + Add Row button to add a rule configuration. These are the services discoverable by the Bonjour gateway.
Figure 11-25 Bonjour - Discovery Policy - Add/Edit Policy screen
7 Set the following discovery attributes for the discovery policy configuration:
Service Name: Define the service that can be discovered by the Bonjour gateway. Predefined: use the drop-down menu to select from a list of predefined Apple services (Scanner, Printer, HomeSharing etc.). Alias: use an existing alias to define a service not available in the predefined list.
VLAN Type: Use the drop-down menu to select the VLAN type. Local indicates the VLAN(s) defined in the Service VLANs field use a local bridging mode. Tunneled indicates the VLAN(s) defined in the Service VLANs field are shared tunnel VLANs.
Service VLANs: Provide a VLAN or a list of VLANs on which the selected service is discoverable.
Instance Name: Optionally, specify the selected Bonjour service's instance name. When specified, the Bonjour service discovery queries contain the instance name of the service to be discovered. You can either directly specify the string value to be used as the match criteria, or use a string alias (for example, $BONJOUR-STRING) to identify the string to match. If using a string alias, ensure that it exists and is configured. For information on configuring a string alias, see Network Basic Alias on page 7-48. This option is especially useful in large distributed enterprise networks. Use it to create different instances of a Bonjour service for the different organizations or departments (VLANs) within your network. Creating instances allows you to advertise specific service instances for a specific set of VLANs, instead of advertising top-level Bonjour services to the various allocated VLAN(s).
8 Select OK to save the updates to this Bonjour Discovery Policy. Select Reset to revert to the last saved configuration.
11.4.2 Configuring a Bonjour Forwarding Policy
A Bonjour forwarding policy enables the discovery of services on VLANs not visible to the device running the Bonjour Gateway. Bonjour forwarding forwards Bonjour advertisements across VLANs so the Bonjour gateway can build a list of services and the VLANs where those services are available.
NOTE: Only one (1) Bonjour forwarding policy is configurable.
NOTE: There must be Layer 2 connectivity between devices for forwarding to work.
To display Bonjour forwarding policy information:
1 Select Configuration.
2 Select Services.
3 Select Bonjour Gateway to expand its submenu.
4 Select Forwarding Policy.
The screen displays the names of existing Bonjour forwarding policies.
Figure 11-26 Bonjour Gateway - Forwarding Policy screen
5 Select an existing policy and select Edit to modify its configuration, or select Add to create a new configuration.
Figure 11-27 Bonjour Gateway - Forwarding Policy - Add screen
6 Select the + Add Row button to add a forwarding rule to the Bonjour Forwarding Policy. Advertisements from VLANs that contain services are forwarded to VLANs containing clients.
From VLANs: From VLANs are the virtual interfaces where the Apple services are available. Enter a VLAN ID or a range of VLANs. Aliases can also be used.
To VLANs: To VLANs are the virtual interfaces where clients for the services are available. Enter a VLAN ID or a range of VLANs. Aliases can also be used.
Rule ID: Use the spinner to set a unique rule ID (from 1 - 16) for this rule. This acts as a numerical differentiator from other indexes.
7 Select OK to save the updates to this Bonjour Gateway Forwarding policy. Select Reset to revert to the last saved configuration.
11.5 DHCPv6 Server Policy
DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 servers pass IPv6 network addresses to IPv6 clients. The DHCPv6 address assignment feature manages non-duplicate addresses in the correct prefix based on the network where the host is connected. Assigned addresses can be from one or multiple pools. Additional options, such as the default domain and DNS name-server address, can be passed back to the client.
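As an added illustration that is not part of this guide, the following Python serialises the options a DHCPv6 pool of the kind described in this section hands back to clients (DNS server, domain name, SIP domain and SIP server, plus a vendor-specific option using the ASCII, ipv6 and hex value types offered under Defining DHCPv6 Options), following the option layouts of RFC 8415, RFC 3646 and RFC 3319. The pool values, enterprise number and sub-option code are constructed sample data, and the hostname check mirrors the guide's rule that a pool hostname cannot contain an underscore.

```python
import ipaddress
import re
import struct

# DHCPv6 option codes: RFC 8415 (17), RFC 3319 (21, 22), RFC 3646 (23, 24).
OPTION_VENDOR_OPTS = 17
OPTION_SIP_SERVER_D = 21
OPTION_SIP_SERVER_A = 22
OPTION_DNS_SERVERS = 23
OPTION_DOMAIN_LIST = 24

# Hostname labels: letters, digits and hyphens only, so an underscore is rejected
# (the guide states that a pool hostname cannot contain an underscore).
_LABEL = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def option(code: int, data: bytes) -> bytes:
    """Generic DHCPv6 option: 2-byte code, 2-byte length, then the data."""
    if not 0 <= code <= 0xFFFF or len(data) > 0xFFFF:
        raise ValueError("option code or length out of range")
    return struct.pack("!HH", code, len(data)) + data


def encode_domain_list(names) -> bytes:
    """DNS wire format (RFC 1035): length-prefixed labels, a zero byte ends each name."""
    out = bytearray()
    for name in names:
        for label in name.rstrip(".").split("."):
            if not _LABEL.match(label):
                raise ValueError(f"invalid hostname label: {label!r}")
            out += bytes([len(label)]) + label.encode("ascii")
        out.append(0)
    return bytes(out)


def decode_domain_list(data: bytes):
    """Inverse of encode_domain_list (no compression pointers are used in these options)."""
    names, pos = [], 0
    while pos < len(data):
        labels = []
        while True:
            n = data[pos]
            pos += 1
            if n == 0:
                break
            labels.append(data[pos:pos + n].decode("ascii"))
            pos += n
        names.append(".".join(labels))
    return names


def encode_addresses(addrs) -> bytes:
    """Concatenated 16-byte IPv6 addresses, the payload of options 22 and 23."""
    return b"".join(ipaddress.IPv6Address(a).packed for a in addrs)


def decode_addresses(data: bytes):
    if len(data) % 16:
        raise ValueError("address list is not a multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(data[i:i + 16])) for i in range(0, len(data), 16)]


def encode_vendor_option(enterprise: int, sub_code: int, kind: str, value: str) -> bytes:
    """OPTION_VENDOR_OPTS: 4-byte enterprise (vendor) number, then (code, len, data)
    sub-options. kind is one of the guide's option types: ascii, ipv6 or hex."""
    data = {"ascii": lambda v: v.encode("ascii"),
            "ipv6": lambda v: ipaddress.IPv6Address(v).packed,
            "hex": bytes.fromhex}[kind](value)
    body = struct.pack("!I", enterprise) + struct.pack("!HH", sub_code, len(data)) + data
    return option(OPTION_VENDOR_OPTS, body)


def encode_pool_options(pool: dict) -> bytes:
    """Serialise the DNS, domain, SIP domain and SIP server settings of a pool."""
    out = b""
    if pool.get("dns_servers"):
        out += option(OPTION_DNS_SERVERS, encode_addresses(pool["dns_servers"]))
    if pool.get("domain_names"):
        out += option(OPTION_DOMAIN_LIST, encode_domain_list(pool["domain_names"]))
    if pool.get("sip_domains"):
        out += option(OPTION_SIP_SERVER_D, encode_domain_list(pool["sip_domains"]))
    if pool.get("sip_servers"):
        out += option(OPTION_SIP_SERVER_A, encode_addresses(pool["sip_servers"]))
    return out


def parse_options(blob: bytes):
    """Walk a DHCPv6 option list, refusing truncated options or trailing bytes."""
    opts, pos = [], 0
    while pos + 4 <= len(blob):
        code, length = struct.unpack("!HH", blob[pos:pos + 4])
        data = blob[pos + 4:pos + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option")
        opts.append((code, data))
        pos += 4 + length
    if pos != len(blob):
        raise ValueError("trailing bytes after last option")
    return opts


# Constructed sample pool using documentation prefixes, not a real deployment.
SAMPLE_POOL = {
    "dns_servers": ["2001:db8::53"],
    "domain_names": ["example.org"],
    "sip_domains": ["sip.example.org"],
    "sip_servers": ["2001:db8::5060"],
}
```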
Address pools can be assigned for use on a specific interface or on multiple interfaces, or the server can automatically find the appropriate pool.
NOTE: DHCPv6 server updates are only implemented when the controller or service platform is restarted.
Refer to the following for more information on configuring the DHCPv6 Server Policy parameters:
Defining DHCPv6 Options
DHCPv6 Pool Configuration
To access and review the local DHCPv6 server configuration:
1 Select Configuration > Services > DHCPv6 Server Policy. The DHCPv6 Server Policy screen displays.
2 Review the following DHCPv6 server configurations (at a high level) to determine whether a new server policy requires creation, an existing policy requires modification or an existing policy requires deletion:
Figure 11-28 DHCPv6 Server Policy screen
DHCPv6 Server Policy Name: Lists the name assigned to each DHCPv6 server policy when it was initially created. The name assigned to a DHCPv6 server policy cannot be modified as part of the policy edit process. However, obsolete policies can be deleted, copied (archived) or renamed as needed.
Restrict Vendor Options: A green checkmark within this column means this policy has been set to restrict vendor DHCP options. A red "X" defines the policy as accepting all DHCP vendor options. Vendor specific DHCPv6 options are only applicable to the vendor class defined.
Server Preference: Lists the server preference (from 0 - 255) specified for each DHCPv6 server policy. The default value is 0.
3 Select Add to create a new DHCPv6 server policy, choose an existing policy and select the Edit button to modify the policy's properties, or choose an existing policy and select Delete to remove the policy from those available. Adding or editing a DHCP server policy displays the DHCPv6 Server Policy Name screen by default. Optionally Rename or Copy a policy to a different location.
11.5.1 Defining DHCPv6 Options
DHCPv6 services are available for specific IP interfaces. A pool (or range) of IPv6 network addresses and DHCPv6 options can be created for each IPv6 interface defined. This range of addresses can be made available to DHCPv6 enabled devices on either a permanent or leased basis. DHCPv6 options are provided to each client with a DHCPv6 response and give DHCPv6 clients the information required to access network resources (default gateway, domain name, DNS server and WINS server configuration). An option exists to identify the vendor and functionality of a DHCPv6 client. The information is a variable-length string of characters (or octets) with a meaning specified by the vendor of the DHCPv6 client. To set DHCPv6 options:
1 Select Configuration > Services > DHCPv6 Server Policy.
2 Select Add to create a new policy or Edit to modify the properties of a selected DHCPv6 server policy. Select + Add Row to populate the screen with editable rows for DHCPv6 option configuration.
Figure 11-29 DHCPv6 Server Policy - DHCPv6 Options tab
3 Select Restrict Vendor Options to restrict the use of vendor specific DHCPv6 options. This limits the use of vendor specific DHCP options in this specific DHCPv6 policy.
4 Use the spinner control to select a DHCPv6 Server Preference from 0 - 255. The default value is 0.
5 Set the following DHCPv6 Option configuration parameters:
Name: Enter a name to associate with the new DHCP option. This name should describe the new option's function.
Code: Use the spinner control to specify a DHCP option code (from 0 - 254) for the option. Only one code for each DHCPv6 option of the same value can be used in each DHCPv6 server policy.
Type: Use the drop-down menu to select the DHCP option type for the new option. The option can be either ASCII, which sends an ASCII compliant string to the client, ipv6, which sends an IPv6 compatible address to the client, or Hex String, which sends a hexadecimal string to the client.
Vendor: Use the spinner control to specify the numeric Vendor ID for the new option. Each vendor should have a unique vendor ID used by the DHCPv6 server to issue vendor specific DHCP options.
6 Select OK to save the updates to the DHCPv6 options. Select Reset to revert the screen back to its last saved configuration.
11.5.2 DHCPv6 Pool Configuration
A DHCPv6 pool includes information about available configuration parameters and policies controlling the assignment of the parameters to requesting clients from the pool. To create a DHCPv6 pool configuration:
1 Select Configuration > Services > DHCPv6 Server Policy. The DHCPv6 Options tab displays by default.
2 Select Add to create a new policy or Edit to modify the properties of a selected DHCPv6 server policy. Select + Add Row to populate the screen with editable rows for DHCPv6 option configuration.
3 Select the DHCPv6 Pool tab.
4 Set the following parameters within the Configuration field:
Figure 11-30 DHCP Server Policy - DHCPv6 Pool tab
Name: Lists the administrator assigned name of the IPv6 pool resource from which IPv6 formatted addresses can be issued to DHCPv6 client requests. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
DNS Server: Displays the address of the DNS server resource utilized with the DHCPv6 pool.
Domain Name: Displays the hostname of the domain associated with the DHCPv6 pool.
Network: Displays the IPv6 formatted address and mask utilized with the DHCPv6 address pool. The address can be configured in the add or edit screen.
Refresh Time: Displays the time, in seconds, between refreshes of the DHCPv6 address pool.
SIP Domain Name: Displays the domain name associated with the Session Initiation Protocol (SIP) server, which is used to prioritize voice and video traffic on a network. SIP is an application-layer control protocol that can establish, modify and terminate multimedia sessions or calls. A SIP system has several components (user agents, proxy servers, redirect servers, and registrars). User agents can contain SIP clients; proxy servers always contain SIP clients.
SIP Servers: Displays the IPv6 formatted address of the SIP server associated with the DHCP pool.
5 Select Add to create a new DHCPv6 pool configuration or Edit to modify the properties of a selected DHCPv6 pool. Delete obsolete policies as warranted.
6 Set the following General DHCPv6 pool parameters:
Figure 11-31 DHCP Server Policy - DHCPv6 Pool - Add/Edit screen
Name: Provide an administrator assigned name for the IPv6 pool resource from which IPv6 formatted addresses can be issued to DHCPv6 client requests. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
DNS Server: Enter the IPv6 formatted address of the DNS server utilized by the DHCP pool.
Domain Name: Enter the hostname or hostnames of the domain(s) utilized with the DHCP pool. A hostname cannot contain an underscore.
Network: Enter the IPv6 formatted address and mask associated with the DHCPv6 pool.
Refresh Time: Use the spinner control to set the time, in seconds, between refreshes of the DHCPv6 address pool. The refresh time can be set from 600 - 4,294,967,295 seconds.
SIP Domain Name: Configure the domain name or domain names associated with the Session Initiation Protocol (SIP) servers used to prioritize voice and video traffic on a network. SIP is an application-layer control protocol that can establish, modify and terminate multimedia sessions or calls. A SIP system has several components (user agents, proxy servers, redirect servers, and registrars). User agents can contain SIP clients; proxy servers always contain SIP clients.
SIP Servers: Configure the IPv6 formatted address or addresses of the SIP servers associated with the DHCP pool.
7 If using DHCPv6 options in the pool, set the following within the DHCPv6 Options Value table:
Name: Use the drop-down menu to select an existing DHCP option name from the existing options configured in DHCPv6 Options. If no suitable option is available, click the create button to define a new option.
Value: Enter or modify the numeric ID setting for the selected DHCP option.
8 Click OK to save the changes. Select Reset to revert to the last saved configuration.
11.6 Setting the RADIUS Configuration
Remote Authentication Dial-In User Service (RADIUS) is a client/server protocol and software enabling remote access servers to authenticate users and authorize their access. RADIUS is a distributed client/server system that secures networks against unauthorized access. RADIUS clients send authentication requests to the local RADIUS server containing user authentication and network service access information. RADIUS enables centralized management of authentication data (usernames and passwords). When a client attempts to associate to the RADIUS supported controller or service platform, authentication requests are sent to the RADIUS server. Authentication and encryption take place through the use of a shared secret password (not transmitted over the network).
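As an added illustration that is not part of this guide, the following Python shows what "shared secret not transmitted over the network" means on the wire according to RFC 2865: the User-Password attribute is hidden with an MD5 key stream derived from the secret and the Request Authenticator, and a reply is only accepted when its Response Authenticator matches under the same secret, so a tampered attribute or a mismatched secret is rejected. It also shows a dynamic VLAN reply carried in the RFC 2868 tunnel attributes, which is an assumption about how the VLAN override described below is conveyed; the secret, user name, password and VLAN are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute types (RFC 2865, RFC 2868).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6


def encode_attributes(attrs) -> bytes:
    """Attributes are TLVs: type (1 byte), length including the 2-byte header, value."""
    out = b""
    for attr_type, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value exceeds 253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def decode_attributes(body: bytes):
    attrs, pos = [], 0
    while pos < len(body):
        attr_type, length = struct.unpack("!BB", body[pos:pos + 2])
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed attribute")
        attrs.append((attr_type, body[pos + 2:pos + length]))
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous block), the chain seeded by the Request Authenticator.
    Only the hidden form travels; the secret itself never goes on the wire."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side: same key stream, chained on the received (hidden) blocks.
    Padding is stripped, so a password ending in NUL bytes would be truncated."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident: int, request_auth: bytes, attrs) -> bytes:
    """Header is Code, Identifier, Length, then the 16-byte (random) Request Authenticator."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + request_auth + body


def build_response(code: int, ident: int, request_auth: bytes, attrs, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    return header + hashlib.md5(header + request_auth + body + secret).digest() + body


def verify_response(response: bytes, request_auth: bytes, secret: bytes) -> bool:
    """The NAS accepts a reply only if the authenticator matches under the shared secret;
    a wrong secret, a replayed authenticator or a tampered attribute returns False."""
    if len(response) < 20 or struct.unpack("!H", response[2:4])[0] != len(response):
        return False
    header, resp_auth, body = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def dynamic_vlan_attributes(vlan_id: int):
    """Tunnel attributes (tag byte 0) telling the WLAN to place the user in vlan_id."""
    tag = b"\x00"
    return [
        (ATTR_TUNNEL_TYPE, tag + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (ATTR_TUNNEL_MEDIUM_TYPE, tag + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")),
        (ATTR_TUNNEL_PRIVATE_GROUP_ID, tag + str(vlan_id).encode("ascii")),
    ]


def assigned_vlan(response: bytes):
    """Return the VLAN carried in an Access-Accept, or None when no tunnel attributes exist."""
    for attr_type, value in decode_attributes(response[20:]):
        if attr_type == ATTR_TUNNEL_PRIVATE_GROUP_ID and len(value) > 1:
            return int(value[1:].decode("ascii"))
    return None
```

Call verify_response before acting on any reply; a mismatch should be logged and the reply discarded rather than treated as a reject.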
The local RADIUS server stores the user database locally, and can optionally use a remote user database. It ensures higher accounting performance. It allows the configuration of multiple users and the assignment of policies for group authorization. The local enforcement of user-based policies is configurable. User policies include dynamic VLAN assignment and access restrictions based on time of day. A certificate is required for EAP TTLS, PEAP and TLS RADIUS authentication (configured with the RADIUS service).
Dynamic VLAN assignment is achieved based on the RADIUS server response. A user who associates to WLAN1 (mapped to VLAN1) can be assigned a different VLAN after authentication with the RADIUS server. This dynamic VLAN assignment overrides the WLAN's VLAN ID to which the user associates. To view RADIUS configurations:
1 Select the Configuration tab from the main menu.
2 Select the Services tab from the Configuration menu. The upper, left-hand side pane of the user interface displays the RADIUS option. The RADIUS Group screen displays (by default).
For information on creating the groups, user pools and server policies needed to validate user credentials against a server policy configuration, refer to the following:
Creating RADIUS Groups
Defining User Pools
Configuring RADIUS Server Policies
RADIUS Deployment Considerations
11.6.1 Creating RADIUS Groups
The RADIUS server allows the configuration of user groups with common user policies. User group names and associated users are stored in a local database. The user ID in the received access request is mapped to the specified group for authentication. RADIUS groups allow the enforcement of the following policies managing user access:
Assign a VLAN to the user upon successful authentication
Define a start and end time (in HH:MM) when the user is allowed to authenticate
Define the list of SSIDs to which a user belonging to this group is allowed to associate
Define the days of the week the user is allowed to log in
Rate limit traffic
To access the RADIUS Groups menu:
1 Select the Configuration tab from the main menu.
2 Select the Services tab from the Configuration menu.
3 Select RADIUS > Groups from the Configuration > Services menu. The browser displays a list of the existing groups.
4 Select a group from the Group Browser to view the following read-only information for existing groups:
Figure 11-32 RADIUS Group screen
RADIUS Group Policy: Displays the group name or identifier assigned to each listed group when it was created. The name cannot exceed 32 characters or be modified as part of the group edit process.
Guest User Group: Specifies whether a user group only has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each group. A red X designates the group as having permanent access to the local RADIUS server. Guest user groups cannot be made management groups with unique access and role permissions.
Management Group: A green checkmark designates this RADIUS user group as a management group. Management groups can be assigned unique access and role permissions.
Role: If a group is listed as a management group, it may also have a unique role assigned. Available roles include:
monitor - Read-only access.
helpdesk - Helpdesk/support access.
network-admin - Wired and wireless access.
security-admin - Grants full read/write access.
system-admin - System administrator access.
VLAN: Displays the group's VLAN ID. The VLAN ID is representative of the shared SSID each group member (user) employs to interoperate within the network (once authenticated by the local RADIUS server).
Time Start: Specifies the time users within each listed group can access local RADIUS resources.
Time Stop: Specifies the time users within each listed group lose access to local RADIUS resources.
5 To modify the settings of an existing group, select the group and click the Edit button. To delete an obsolete group, select the group and click the Delete button. Optionally Rename or Copy group configurations as needed.
11.6.1.1 Creating RADIUS Groups
To create a RADIUS group:
1 Select the Configuration tab from the main menu.
2 Select the Services tab from the Configuration menu.
3 Select RADIUS > Groups from the Configuration > Services menu.
4 Click Add to create a new RADIUS group, Edit to modify the configuration of an existing group or Delete to permanently remove a selected group.
Figure 11-33 RADIUS Group Policy Add screen
5 Define the following Settings to define the user group configuration:
RADIUS Group Policy: If creating a new RADIUS group, assign it a name to help differentiate it from others with similar configurations. The name cannot exceed 32 characters or be modified as part of a RADIUS group edit process.
Guest User Group: Select this option to assign only guest access and temporary permissions to the local RADIUS server. Guest user groups cannot be made management groups with unique access and role permissions.
VLAN: Select this option to assign a specific VLAN to this RADIUS user group. Ensure Dynamic VLAN assignment (single VLAN) is enabled for the WLAN in order for the VLAN assignment to work properly.
WLAN SSID: Assign a list of SSIDs users within this RADIUS group are allowed to associate with. An SSID cannot exceed 32 characters. Assign WLAN SSIDs representative of the configurations a guest user will need to access. This parameter is not available if this RADIUS group is a management group.
Rate Limit from Air: Select the checkbox to set the rate limit for clients within the RADIUS group. Use the spinner to set a value from 100 - 1,000,000 kbps. Setting a value of 0 disables rate limiting.
Rate Limit to Air: Select the checkbox to set the rate limit from clients within the RADIUS group. Use the spinner to set a value from 100 - 1,000,000 kbps. Setting a value of 0 disables rate limiting.
Management Group: Select this option to designate this RADIUS group as a management group. This feature is disabled by default. If set as a management group, assign member roles (System-Admin, Help Desk etc.) using the Role drop-down menu.
Access: Select those interfaces (Web, SSH, Telnet or Console) to apply to the RADIUS Group Policy. The conditions defined within the policy are applied to authentication requests on these interfaces only.
Role: If a group is listed as a management group, it may also have a unique role assigned. Available roles include:
monitor - Read-only access.
helpdesk - Helpdesk/support access.
network-admin - Wired and wireless access.
security-admin - Grants full read/write access.
system-admin - System administrator access.
Inactivity Timeout: Enable this option to set an inactivity timeout from 60 - 86,400 seconds. If a frame is not received from a client within the set time, the current session is terminated.
Session Time: Enable this option to set a client session time from 5 - 144,000 minutes. This is the session time a client is granted upon successful authentication. Upon expiration, the RADIUS session is terminated.
6 Set the Schedule to configure access times and dates.
Time Start: To schedule an access time, select the Restrict Access by Time option. Use the spinner control to set the time (in HH:MM format) RADIUS group members are allowed to access RADIUS server resources. Select either the AM or PM radio button to set the time as morning or evening.
Time Stop: Use the spinner control to set the time (in HH:MM format) RADIUS group members are denied access to RADIUS server resources. Select either the AM or PM radio button to set the time as morning or evening. If already logged in, the RADIUS group user is deauthenticated from the WLAN.
Days: Optionally select the Restrict Access by Day Of Week option, and select the days RADIUS group members can access RADIUS resources. This is an additional means of refining the access permissions of RADIUS group members.
7 Select OK to save the changes. Select Reset to revert to the last saved configuration.
11.6.2 Defining User Pools
A user pool defines policies for individual user access to local RADIUS resources. User pools provide a convenient means of providing RADIUS resources based on the pool's unique permissions (either temporary or permanent). A pool can contain a single user or a group of users. To configure a RADIUS user pool and unique user IDs:
1 Select Configuration from the main menu.
2 Select the Services tab from the Configuration screen.
3 Select RADIUS > User Pools from the Configuration > Services menu. The RADIUS User Pool screen lists the default pool along with any other admin created user pool.
Figure 11-34 RADIUS User Pool screen
4 Select Add to create a new user pool, Edit to modify the configuration of an existing pool or Delete to remove a selected pool.
5 If creating a new pool, assign it a name up to 32 characters and select Continue. The name should be representative of the users comprising the pool and/or the temporary or permanent access privileges assigned.
6 Refer to the following User Pool configurations to discern when specific user IDs have access to RADIUS resources:
Figure 11-35 RADIUS User Pool Add screen
User Id: Displays the unique string identifying this user. This is the ID assigned to the user when created and cannot be modified with the rest of the configuration.
Guest: Specifies (with a green check) that the user has guest access and temporary permissions to the local RADIUS server. The terms of the guest access can be set uniquely for each user. A red X designates the user as having permanent access to the local RADIUS server.
User Group: Displays the group name of which each configured user ID is a member.
Email ID: Displays the Email address (in 64 characters or less) of the client user (user ID) requesting authentication validation to the controller or service platform using this user pool.
Telephone: Lists the 12 character maximum telephone number of the client user (user ID) requesting authentication validation to the controller or service platform using this user pool.
Start Date: Lists the month, day and year the listed user ID can access local RADIUS server resources.
Start Time: Lists the time the listed user ID can access local RADIUS server resources. The time is only relevant to the range defined by the start and expiry date.
Expiry Date: Lists the month, day and year the listed user Id can no longer access (expires) local RADIUS server resources.
Expiry Time: Displays the time the listed user loses access to RADIUS server resources. The time is only relevant to the range defined by the start and expiry date.
Access Duration (days:hrs:mins:secs): Displays the amount of time a user is allowed access when time based access privileges are applied. The duration cannot exceed 365 days.
Data Limit (KB): Lists the total amount of data (in KiloBytes) consumable by each guest user.
Committed Downlink Rate (kbps): Displays the download speed (in KiloBytes) allocated to the guest user. When bandwidth is available, the user can download data at the specified rate. If a guest user has a bandwidth based policy and exceeds the specified Data Limit, their speed is throttled to the Reduced Downlink Rate.
Committed Uplink Rate (kbps): Displays the upload speed (in KiloBytes) allocated to the guest user. When bandwidth is available, the user can upload data at the specified rate. If a guest user has a bandwidth based policy and exceeds the specified Data Limit, their speed is throttled to the Reduced Uplink Rate.
Reduced Downlink Rate (kbps): Displays the reduced speed the guest utilizes (in KiloBytes) when exceeding their specified data limit, if applicable. If a guest user has a bandwidth based policy and exceeds the specified Data Limit, their speed is throttled to the Reduced Downlink Rate.
Reduced Uplink Rate (kbps): Displays the reduced speed the guest utilizes (in KiloBytes) when exceeding their specified data limit, if applicable. If a guest user has a bandwidth based policy and exceeds the specified Data Limit, their speed is throttled to the Reduced Uplink Rate.
7 Select the Add button to add a new RADIUS user, Edit to modify the configuration of an existing user or Delete to remove an existing user Id.
Figure 11-36 RADIUS User screen
8 Refer to the following Settings to create a new user Id with unique access privileges:
User Id: Assign a unique character string identifying this user. The Id cannot exceed 64 characters.
Password: Provide a password unique to this user ID. The password cannot exceed 32 characters. Select the Show checkbox to expose the password's actual character string; leaving the option unselected displays the password as a string of asterisks (*).
Guest: Select the checkbox to designate this user as a guest with temporary access. The guest user must be assigned unique access times to restrict their access.
User Group: If the user Id has been defined as a guest, use the Group to assign the user a group with temporary access privileges. If the user is defined as a permanent user, select a group from the group list. If there are no groups listed relevant to the user's intended access, select the Create link (or icon for guests) and create a new group configuration suitable for the user Id's membership.
Email ID: Enter the Email address (in 64 characters or less) of the client user (user ID) requesting authentication validation to the controller or service platform using this user pool.
Telephone: Provide the 12 character maximum telephone number of the client user (user ID) requesting authentication validation to the controller or service platform using this user pool.
9 Refer to the following Time settings to define time based guest user access privileges:
Start Date: Enter a start date, or use the calendar icon to select a starting date for the user's credentials to start working.
Start Time: Enter a start time, or use the spinner controls to select a starting time for the user's credentials to start working. Use the AM and PM buttons to apply a morning or afternoon/evening designation.
Expiry Date: Enter an end date, or use the calendar icon to define an expiration date for the user's credentials. Selecting this option enables the Til Expiry radio button.
Expiry Time: If using the Til Expiry option, enter an end time, or use the spinner controls to select an ending time for the user's credentials to expire. Use the AM and PM buttons to apply a morning or afternoon/evening designation.
Access Duration: Specify the time a user can access the system when time based access privileges are applied. Select Til Expiry to allow user access until their configured expiry date and time are met. To limit the time a user can access the captive portal during their configured time period, specify the Days, Minutes and Seconds the user is allowed access. The Access Duration cannot exceed 365 days.
10 To allow the guest user unlimited data usage, select Unlimited. To limit bandwidth, select Limited and refer to the Data field to create bandwidth based access privileges:
Data Limit: Use the spinner control to specify the maximum bandwidth consumable by the guest user. Once a value is configured, select the measurement as either GB (Gigabytes) or MB (Megabytes).

Wireless Controller and Service Platform System Reference Guide 11 - 56 Services

Committed Downlink Rate: Use the spinner control to specify the download speed dedicated to the guest user. When bandwidth is available, the user can download data at the specified rate. Once a value is configured, select the measurement as either MBPS (Megabytes per second) or KBPS (Kilobytes per second). If a guest user has a bandwidth-based policy and exceeds the specified Data Limit, their speed is throttled to the defined Reduced Downlink Rate.
Reduced Downlink Rate: Use the spinner control to specify a reduced speed for guest operation when they've exceeded their specified data limit, if applicable. If a guest user has a bandwidth-based policy and exceeds the specified Data Limit, their speed is throttled to the Reduced Downlink Rate. Once a value is configured, select the measurement as either MBPS (Megabytes per second) or KBPS (Kilobytes per second).
Committed Uplink Rate: Use the spinner control to specify the upload speed dedicated to the guest user. When bandwidth is available, the user is able to upload data at the specified rate. Once a value is configured, select the measurement as either MBPS (Megabytes per second) or KBPS (Kilobytes per second). If a guest user has a bandwidth-based policy and exceeds the specified Data Limit, their speed is throttled to the Reduced Uplink Rate.
Reduced Uplink Rate: Use the spinner control to specify a reduced speed for guest operation when they've exceeded their specified data limit, if applicable. If a guest user has a bandwidth-based policy and exceeds the specified Data Limit, their speed is throttled to the Reduced Uplink Rate. Once a value is configured, select the measurement as either MBPS (Megabytes per second) or KBPS (Kilobytes per second).

11 Select OK to save the user Id's group membership configuration. Select Reset to revert to the last saved configuration.

11.6.3 Configuring RADIUS Server Policies

A RADIUS server policy is a unique authentication and authorization configuration for receiving user connection requests, authenticating users and returning the configuration information necessary to deliver service to the requesting client and user. The client is the entity with authentication information requiring validation. The local RADIUS server has access to a database of authentication information used to validate the client's authentication request. The RADIUS server ensures the information is correct using an authentication scheme like PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information. A RADIUS server policy can also use an external LDAP resource to verify user credentials.

To review existing RADIUS server policies, create new policies or modify existing policies:
1 Select Configuration from the main menu.
2 Select the Services tab from the Configuration screen.
3 Select RADIUS > Server Policy from the Configuration > Services menu. The Server Policy Browser lists existing server policies by group or randomly. A policy can be selected and modified from the browser.
4 Refer to the RADIUS Server screen to review high-level server policy configuration data.
5 Select a server policy from the Server Policy Browser. The user has the option of adding a new policy, modifying an existing one, or deleting a policy.

Figure 11-37 RADIUS Server Policy screen

RADIUS Server Policy: Lists the administrator assigned policy name defined upon creation of the server policy.
RADIUS User Pools: Lists the user pools assigned to this server policy. These are the client users an administrator has assigned to each listed group and who must adhere to its network access requirements before being granted access to controller or service platform resources.
Default Source: Displays the RADIUS resource designated for user authentication requests. Options include Local (resident controller or service platform RADIUS server resources) or LDAP (designated remote LDAP resource).
Default Fallback: States whether a fallback is enabled, providing a revert back to local RADIUS resources if the designated external LDAP resource were to fail or become unavailable. A green checkmark indicates Default Fallback is enabled. A red X indicates it's disabled. Default Fallback is disabled by default.
Authentication Type: Lists the local EAP authentication scheme used with this policy. The following EAP authentication types are supported by the local RADIUS and remote LDAP servers:
All - Enables both TTLS and PEAP.
TLS - Uses TLS as the EAP type.
TTLS and MD5 - The EAP type is TTLS with default authentication using MD5.
TTLS and PAP - The EAP type is TTLS with default authentication using PAP.
TTLS and MSCHAPv2 - The EAP type is TTLS with default authentication using MSCHAPv2.
PEAP and GTC - The EAP type is PEAP with default authentication using GTC.
PEAP and MSCHAPv2 - The EAP type is PEAP with default authentication using MSCHAPv2. However, when user credentials are stored on an LDAP server, the RADIUS server cannot conduct PEAP-MSCHAPv2 authentication on its own, as it is not aware of the password. Use LDAP agent settings to locally authenticate the user. Additionally, an authentication utility (such as Samba) must be used to authenticate the user. Samba is open source software used to share services between Windows and Linux machines.
CRL Validation: Specifies whether a Certificate Revocation List (CRL) check is made. A green checkmark indicates CRL validation is enabled. A red X indicates it's disabled. A CRL is a list of certificates issued and subsequently revoked by a Certification Authority (CA). Certificates can be revoked for a number of reasons, including failure or compromise of a device using a certificate, a compromise of a certificate key pair or errors within an issued certificate. The mechanism used for certificate revocation depends on the CA.

6 Select the Copy button to copy the settings of a selected (existing) RADIUS server configuration to a new or existing policy. When selected, a small dialog displays prompting the administrator to enter the name of the policy to copy the existing policy settings to. Enter the name of the RADIUS server policy receiving the existing server policy settings within the Copy To field and select the Copy button to initiate the configuration copy operation. This feature streamlines the creation of RADIUS server policies using the attributes of existing server policies.
7 An existing RADIUS server policy can be renamed at any time by selecting it from amongst the listed policies and selecting the Rename button. This allows an administrator to simply rename a server policy without having to create (or edit) a new policy with all the same settings.
8 Select either Add to create a new RADIUS server policy, Edit to modify an existing policy or Delete to permanently remove a policy. The Server Policy tab displays by default.

Figure 11-38 RADIUS Server Policy screen - Server Policy tab

9 If creating a new policy, assign it a RADIUS Server Policy name up to 32 characters.
10 Configure the following Settings required in the creation or modification of the server policy:
RADIUS User Pools: Select the user pools (groups of existing client users) to apply to this server policy. If there is not an existing user pool configuration suitable for the deployment, select the Create link and define a new configuration.
LDAP Server Dead Period: Set an interval in either Seconds (0 - 600) or Minutes (0 - 10) for planned LDAP server inactivity. A dead period is only implemented when additional LDAP servers are configured and available for LDAP failover. The default setting is 5 minutes.
LDAP Groups: Use the drop-down menu to select the LDAP groups to apply the server policy configuration to. Select the Create or Edit icons to either create a new group or modify an existing group. Use the arrow icons to add and remove groups as required.
LDAP Group Verification: Select the checkbox to set the LDAP group search configuration.
LDAP Chase Referral: Select this option to enable the chasing of referrals from an external LDAP server resource. An LDAP referral is a controller or service platform's way of indicating to a client that it does not hold the section of the directory tree where a requested content object resides. The referral is the controller or service platform's direction to the client that a different location is more likely to hold the object, which the client uses as the basis for a DNS search for a domain controller. Ideally, referrals always reference a domain controller that indeed holds the object. However, it is possible for the domain controller to generate another referral, although it usually does not take long to discover the object does not exist and inform the client. This feature is disabled by default.
Local Realm: Define the LDAP realm performing authentication using information from an LDAP server. User information includes user name, password, and groups to which the user belongs.
11 Set the following Authentication parameters to define server policy authorization settings:

Default Source: Select the RADIUS resource for user authentication with this server policy. Options include Local for the local user database or LDAP for a remote LDAP resource. The default setting is Local.
Default Fallback: Define whether a fallback is enabled, providing a revert back to local RADIUS resources if the designated external LDAP resource were to fail or become unavailable. The default fallback feature is disabled by default.
Authentication Type: Use the drop-down menu to select the EAP authentication scheme used with this policy. The following EAP authentication types are supported by the local RADIUS and remote LDAP servers:
All - Enables all authentication schemes.
TLS - Uses TLS as the EAP type.
TTLS and MD5 - The EAP type is TTLS with default authentication using MD5.
TTLS and PAP - The EAP type is TTLS with default authentication using PAP.
TTLS and MSCHAPv2 - The EAP type is TTLS with default authentication using MSCHAPv2.
PEAP and GTC - The EAP type is PEAP with default authentication using GTC.
PEAP and MSCHAPv2 - The EAP type is PEAP with default authentication using MSCHAPv2. However, when user credentials are stored on an LDAP server, the RADIUS server cannot conduct PEAP-MSCHAPv2 authentication on its own, as it is not aware of the password. Use LDAP agent settings to locally authenticate the user. Additionally, an authentication utility (such as Samba) must be used to authenticate the user. Samba is open source software used to share services between Windows and Linux machines.
Do Not Verify Username: Select this option to use certificate expiration as the matching criteria, as opposed to the hostname. This setting is disabled by default.
Enable EAP Termination: Select this option to enable EAP termination with this RADIUS server policy. This setting is disabled by default.
Enable CRL Validation: Select this option to enable a Certificate Revocation List (CRL) check. Certificates can be checked and revoked for a number of reasons, including failure or compromise of a device using a certificate, a compromise of a certificate key pair or errors within an issued certificate. This option is disabled by default.
Bypass CRL Check: Select the option to bypass a certificate revocation list (CRL) check when a CRL is not detected. This setting is enabled by default. A CRL is a list of certificates that have been revoked or are no longer valid.
Allow Expired URL: Select this option to allow the use of an expired CRL. This option is enabled by default.
12 Select + Add Row within the Authentication field to define the following Authentication Data Source rules for the RADIUS server policy:

Precedence: Use the spinner control to set the numeric precedence (priority) for this authentication data source rule. Rules with the lowest precedence receive the highest priority. Set the value between 1 - 5000. This value is mandatory.
SSID: Enter or modify the SSID associated with the authentication data source rule. The maximum number of characters is 32. Do not use any of these characters (< > | " & \ ? ,).
Source: Use the drop-down menu to define the RADIUS data source for this authentication data source rule as Local or LDAP.
Fallback: Select this option to fall back to the Local resource for RADIUS data authentication from LDAP for this authentication data source rule.

13 If using LDAP as the default authentication source, select + Add Row to set LDAP Agent settings. When a user's credentials are stored on an external LDAP server, the controller or service platform's local RADIUS server cannot successfully conduct PEAP-MSCHAPv2 authentication, since it is not aware of the user's credentials maintained on the external LDAP server resource. Therefore, up to two LDAP agents can be provided locally so remote LDAP authentication can be successfully accomplished on the remote LDAP resource (using credentials maintained locally).

Username: Enter a 63 character maximum username for the LDAP server's domain administrator. This is the username defined on the LDAP server for RADIUS authentication requests.
Password: Enter and confirm the 32 character maximum password (for the username provided above). The successful verification of the password maintained on the controller or service platform enables PEAP-MSCHAPv2 authentication using the remote LDAP server resource.
Retry Timeout: Set the number of Seconds (60 - 300) or Minutes (1 - 5) to wait between LDAP server access requests when attempting to join the remote LDAP server's domain. The default setting is one minute.
Redundancy: Define the Primary or Secondary LDAP agent configuration used to connect to the LDAP server domain.
Domain Name: Enter the name of the domain (from 1 - 127 characters) to which the remote LDAP server resource belongs.
14 Set the following Session Resumption/Fast Reauthentication settings to define how server policy sessions are re-established once terminated and require cached data to resume:

Enable Session Resumption: Select the checkbox to control the volume and the duration cached data is maintained by the server policy upon the termination of a server policy session. The availability and quick retrieval of the cached data speeds up session resumption. This setting is disabled by default.
Cached Entry Lifetime: If enabling session resumption, use the spinner control to set the lifetime (1 - 24 hours) cached data is maintained by the RADIUS server policy. The default setting is 1 hour.
Maximum Cache Entries: If enabling session resumption, use the spinner control to define the maximum number of entries maintained in cache for this RADIUS server policy. The default setting is 128.

15 Select OK to save the settings to the server policy configuration. Select Reset to revert to the last saved configuration.

Refer to the following to add RADIUS clients, proxy server configurations and LDAP server configurations, and to review deployment considerations impacting the effectiveness of the RADIUS supported deployment:
Configuring RADIUS Clients
Configuring a RADIUS Proxy
Configuring an LDAP Server Configuration

11.6.3.1 Configuring RADIUS Clients

A RADIUS client is a mechanism to communicate with a central server to authenticate users and authorize access to the network. The client and server share a secret (a password). That shared secret, followed by the request authenticator, is put through an MD5 hash to create a 16 octet value which is XORed with the password entered by the user. If the user password is greater than 16 octets, additional MD5 calculations are performed, using the previous ciphertext instead of the request authenticator. The server receives a RADIUS access request packet and verifies that it possesses a shared secret for the client. If the server does not possess a shared secret for the client, the request is dropped. If the client receives a verified access accept packet, the username and password are considered correct, and the user is authenticated. If the client receives a verified access reject message, the username and password are considered to be incorrect, and the user is not authenticated.

To define a RADIUS client configuration:
1 Select the Client tab from the RADIUS Server Policy screen.

Figure 11-39 RADIUS Server Policy screen - Client tab

2 Select the + Add Row button to add a table entry for a new client's IP address, mask and shared secret. To delete a client entry, select the Delete icon on the right-hand side of the table entry.
3 Specify the IP Address and mask of the RADIUS client authenticating with the RADIUS server.
4 Specify a Shared Secret for authenticating the RADIUS client. Shared secrets verify RADIUS messages with RADIUS-enabled devices configured with the same shared secret. Select the Show checkbox to expose the shared secret's actual character string; leaving the option unselected displays the shared secret as a string of asterisks (*).
5 Click the OK button to save the server policy's client configuration. Click the Reset button to revert to the last saved configuration.

11.6.3.2 Configuring a RADIUS Proxy

A user's access request is sent to a proxy server if it cannot be authenticated by local RADIUS resources. The proxy server checks the information in the user access request and either accepts or rejects the request. If the proxy server accepts the request, it returns configuration information specifying the type of connection service required to authenticate the user. The RADIUS proxy appears to act as a RADIUS server to the NAS, whereas the proxy appears to act as a RADIUS client to the RADIUS server. When the RADIUS server receives a request for a user name containing a realm, the server references a table of configured realms. If the realm is known, the server proxies the request to the RADIUS server. The behavior of the proxying server is configuration-dependent on most servers. In addition, the proxying server can be configured to add, remove or rewrite requests when they are proxied.

To define a proxy configuration:
1 Select the Proxy tab from the RADIUS Server Policy screen.

Figure 11-40 RADIUS Server Policy screen - Proxy tab

2 Enter the Proxy server retry delay time in the Proxy Retry Delay field. Enter a value from 5 - 10 seconds. This is the interval the RADIUS server waits before making an additional connection attempt. The default delay interval is 5 seconds.
3 Enter the Proxy server retry count value in the Proxy Retry Count field. Set from 3 - 6 to define the number of retries sent to the proxy server before giving up the request. The default retry count is 3 attempts.
4 Select the + Add Row button to add a RADIUS server proxy realm name and network address. To delete a proxy server entry, select the Delete icon on the right-hand side of the table entry.
5 Enter the realm name in the Realm Name field. The realm name cannot exceed 50 characters. When the RADIUS server receives a request for a user name with a realm, the server references a table of realms. If the realm is known, the server proxies the request to the RADIUS server.
6 Enter the Proxy server IP address in the IP Address field. This is the address of the server checking the information in the user access request and either accepting or rejecting the request on behalf of the local RADIUS server.
7 Enter the TCP/IP port number for the server that acts as a data source for the proxy server in the Port Number field. Use the spinner to select a value between 1024 - 65535. The default port is 1812.
8 Enter the RADIUS client shared secret password in the Shared Secret field. This password is for authenticating the RADIUS proxy. Select the Show checkbox to expose the shared secret's actual character string; leaving the option unselected displays the shared secret as a string of asterisks (*).
9 Click the OK button to save the changes. Click the Reset button to revert to the last saved configuration.
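The User-Password hiding described in the RADIUS client introduction above (the shared secret and request authenticator hashed with MD5 and XORed over the password in 16-octet blocks, chaining on the previous ciphertext for longer passwords) is worked through below in Python as an added example; it is not code from the WiNG guide, and it follows RFC 2865 section 5.2. The secret, request authenticator and password are constructed sample values; the example also shows that unhiding requires the client's shared secret, which is why a distinct secret per RADIUS client limits the damage of one compromised secret.

```python
"""RFC 2865 User-Password hiding between a RADIUS client and server.

Added example, not code from the WiNG guide. All sample values are constructed.
"""
import hashlib
import os

# Constructed sample values. A real client draws a fresh random 16-octet
# Request Authenticator for every Access-Request (see new_request_authenticator).
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PASSWORD = b"guest-wifi-password-2017"   # 24 octets -> two 16-octet blocks


def new_request_authenticator() -> bytes:
    """Return a random 16-octet Request Authenticator for an Access-Request."""
    return os.urandom(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a User-Password the way a RADIUS client does before sending it.

    The password is NUL-padded to a multiple of 16 octets. Block 1 is XORed
    with MD5(secret + Request Authenticator); every later block is XORed with
    MD5(secret + previous ciphertext block), which is the extra MD5 chaining
    the guide describes for passwords longer than 16 octets.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1 to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    chain = authenticator                      # input to the first MD5
    for offset in range(0, len(padded), 16):
        key = hashlib.md5(secret + chain).digest()
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + 16], key))
        hidden += block
        chain = block                          # next key depends on this ciphertext
    return bytes(hidden)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Recover the User-Password as the server does, given the same shared secret.

    The keystream depends only on the shared secret, the Request Authenticator
    and ciphertext already on the wire, so whoever holds a client's secret can
    unhide every password that client ever sent with it.
    """
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 octets")
    plain = bytearray()
    chain = authenticator
    for offset in range(0, len(hidden), 16):
        block = hidden[offset:offset + 16]
        key = hashlib.md5(secret + chain).digest()
        plain += bytes(c ^ k for c, k in zip(block, key))
        chain = block
    # Trailing NUL octets are indistinguishable from padding, so strip them
    # as a RADIUS server does.
    return bytes(plain).rstrip(b"\x00")


def demo() -> dict:
    """Hide the constructed password, then unhide it with the right and a wrong secret."""
    hidden = hide_password(SAMPLE_PASSWORD, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)
    return {
        "blocks": len(hidden) // 16,
        "round_trip_ok": unhide_password(hidden, SAMPLE_SECRET, SAMPLE_AUTHENTICATOR) == SAMPLE_PASSWORD,
        "wrong_secret_recovers": unhide_password(hidden, b"some-other-secret", SAMPLE_AUTHENTICATOR) == SAMPLE_PASSWORD,
    }


if __name__ == "__main__":
    print(demo())
```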
11.6.3.3 Configuring an LDAP Server Configuration

Administrators have the option of using RADIUS server resources to authenticate users against an external LDAP server resource. Using an external LDAP user database allows the centralization of user information and reduces administrative user management overhead, making the RADIUS authorization process more secure and efficient. RADIUS is not just a database. It's a protocol for asking intelligent questions of a user database (like LDAP). LDAP, however, is just a database of user credentials that can optionally be used with the RADIUS server to free up resources and manage user credentials from a secure remote location. Local RADIUS resources provide the tools to perform user authentication and authorize users based on complex checks and logic. There's no way to perform such complex authorization checks from an LDAP user database alone.

To configure an LDAP server configuration for use with the RADIUS server:
1 Select the LDAP tab from the RADIUS Server screen.

Figure 11-41 RADIUS Server Policy screen - LDAP tab

NOTE: If using LDAP for external authentication, PEAP-MSCHAPv2 can only be used if the LDAP server returns the password as plain text. PEAP-MSCHAPv2 is not supported if the LDAP server returns encrypted passwords. This restriction does not apply to Microsoft's Active Directory Server.

2 Refer to the following to determine whether an LDAP server can be used as is, a server configuration requires creation or modification, or a configuration requires deletion and permanent removal:

Redundancy: Displays whether the listed LDAP server IP address has been defined as a primary or secondary server resource. Designating at least one secondary server is a good practice to ensure RADIUS resources are available if a primary server were to become unavailable.
IP Address: Displays the IP address of the external LDAP server acting as the data source for the RADIUS server.
Port: Lists the physical port number used by the RADIUS server to secure a connection with the remote LDAP server resource.
Timeout: Lists the number of seconds (1 - 10) this server session waits for a connection before aborting the connection attempt with the listed RADIUS server resource.

3 Click the Add button to add a new LDAP server configuration, Edit to modify an existing LDAP server configuration or Delete to remove an LDAP server from the list of those available.
4 Set the following Network address information required for the connection to an external LDAP server resource:
Figure 11-42 LDAP Server Add screen

Redundancy: Define whether this LDAP server is a primary or secondary server resource. Primary servers are always queried for connection first. However, designating at least one secondary server is a good practice to ensure RADIUS user information is available if a primary server were to become unavailable.
IP Address: Set the 128 character maximum IP address or FQDN of the external LDAP server acting as the data source for the RADIUS server.
Login: Define a unique login name used for accessing the remote LDAP server resource. Consider using a unique login name for each LDAP server provided to increase the security of the connection to the remote LDAP server.
Port: Use the spinner control to set the physical port number used by the RADIUS server to secure a connection with the remote LDAP server.
Timeout: Set an interval from 1 - 10 seconds the local RADIUS server uses as a wait period for a response from the primary or secondary LDAP server. The default setting is 10 seconds.

5 Set the following Access address information required for the connection to the external LDAP server resource:
Secure Mode: Specify the security mode when connecting to an external LDAP server. Use start-tls or tls-mode to connect. The start-tls mode provides a way to upgrade a plain text connection to an encrypted connection using TLS. The default port value for start-tls is 389. The default port value for tls-mode is 636.
Bind DN: Specify the distinguished name to bind with the LDAP server. The DN is the name that uniquely identifies an entry in the LDAP directory. A DN is made up of attribute value pairs, separated by commas.
Base DN: Specify a distinguished name (DN) that establishes the base object for the search. The base object is the point in the LDAP tree at which to start searching. LDAP DNs begin with the most specific attribute (usually some sort of name), and continue with progressively broader attributes, often ending with a country attribute. The first component of the DN is referred to as the Relative Distinguished Name (RDN). It identifies an entry distinctly from any other entries that have the same parent.
Bind Password: Enter a valid password for the LDAP server. Select the Show checkbox to expose the password's actual character string; leaving the option unselected displays the password as a string of asterisks (*). The password cannot exceed 32 characters.
Password Attribute: Enter the LDAP server password attribute. The attribute cannot exceed 64 characters.

6 Set the following Attributes for LDAP groups to optimally refine group queries:
Group Attribute: LDAP systems have the facility to poll dynamic groups. In an LDAP dynamic group, an administrator can specify search criteria; all users matching the search criteria are considered members of this dynamic group. Specify a group attribute used by the LDAP server. An attribute could be a group name, group ID, password or group membership name.
Group Filter: Specify the group filters used by the LDAP server. This filter is typically used for security role-to-group assignments and specifies the property to look up groups in the directory service.
Group Membership Attribute: Specify the group member attribute sent to the LDAP server when authenticating users.

7 Click the OK button to save the changes to the LDAP server configuration. Select Reset to revert to the last saved configuration.

11.6.4 RADIUS Deployment Considerations

Before defining the RADIUS server configuration, refer to the following deployment guidelines to ensure the configuration is optimally effective:
Each RADIUS client should use a different shared secret. If a shared secret is compromised, only the one client poses a risk, as opposed to all the additional clients that would otherwise share the secret password.
Consider using an LDAP server as a database of user credentials that can optionally be used with the RADIUS server to free up resources and manage user credentials from a secure remote location.

11.7 URL Lists

URL Lists are used to select highly utilized URLs for smart caching. The selected URLs are monitored and routed according to existing cache content policies.

To configure a URL Lists policy:
1 Select the Configuration tab from the main menu.
2 Select the Services tab from the Configuration menu. The upper left-hand side of the user interface displays a Services menu pane where Captive Portal, DHCP Server Policy, RADIUS and Smart Caching configuration options can be selected.
3 Select URL Lists. The URL Lists screen displays existing policies. New policies can be created, and existing policies can be modified, deleted or copied.

Figure 11-43 Smart Caching - URL List Name screen

4 Refer to the URL List Name table to review the administrator assigned name applied to the URL list policy upon creation.
5 Select Add to create a URL lists policy. Select an existing policy and click Edit to modify, Delete to remove or Copy to copy the settings of a selected (existing) URL lists policy.

11.7.1 Adding or Editing URL Lists

Use the URL Entries screen to define URLs for smart caching. These URLs are monitored and routed according to existing cache content policies.

To add URLs to those available for smart caching:
1 From the URL List screen, select Add to create a URL lists policy or Edit to modify an existing policy.

Figure 11-44 URL List Name - Add/Edit screen

2 Select + Add Row to display configurable parameters for defining a URL and its depth.
3 If creating a new URL lists policy, assign it a Name. If editing an existing URL Lists policy, the policy name cannot be modified. The name cannot exceed 32 characters.
4 Set the following URL Lists parameters:
URL: Set the requested URL monitored and routed according to existing cache content policies. This value is mandatory.
Depth: Select the number of levels to be cached. Since Web sites have different parameters to uniquely identify specific content, the same content may be stored on multiple origin servers. Smart caching uses subsets of these parameters to recognize that the content is the same and serves it from cache. The available range is from 1 - 10. This value is mandatory.

5 Select OK to save the URL Entries list configuration. Select Reset to revert to the last saved configuration.

12 Management Access

Controllers and service platforms have mechanisms to allow/deny device access for separate interfaces and protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Management access can be enabled/disabled as required for unique policies. The Management Access functionality is not meant to function as an ACL (in routers or other firewalls), where administrators specify and customize specific IPs to access specific interfaces. Controllers and service platforms can be managed using multiple interfaces (SNMP, CLI and Web UI). By default, management access is unrestricted, allowing management access to any enabled IP interface from any host using any enabled management service. To enhance security, administrators can apply various restrictions as needed to:
Restrict SNMP, CLI and Web UI access to specific hosts or subnets
Disable unused and insecure interfaces as required within managed access profiles. Disabling unused management services can dramatically reduce an attack footprint and free resources on managed devices
Provide authentication for management users
Apply access restrictions and permissions to management users

Management restrictions can be applied to meet specific policies or industry requirements requiring that only certain devices or users be granted access to critical infrastructure devices. Management restrictions can also be applied to reduce the attack footprint of the device when guest services are deployed.

12.1 Viewing Management Access Policies

Management Access policies display in the lower left-hand side of the screen. Existing policies can be updated as management permissions change, or new policies can be added as needed.

To view existing Management Access policies:
1 Select Configuration > Management > Management Policy to display the main Management Policy screen and Management Browser.
2 Select a policy from the Management Browser or refer to the Management screen (displayed by default) to review existing Management Access policy configurations at a higher level.

The Management Policy screen displays existing management policies and their unique protocol support configurations.

Figure 12-1 Management Browser screen
Figure 12-2 Management Policy screen

3 Refer to the following Management Access policy configurations to discern whether these existing policies can be used as is, require modification or a new policy requires creation:

A green check mark indicates controller or service platform device access is allowed using the listed protocol. A red X indicates device access is denied using the listed protocol.

Management Policy - Displays the name of the Management Access policy assigned when initially created. The name cannot be updated when modifying a policy.
Telnet - Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication.
SSHv2 - SSH (Secure Shell) version 2, like Telnet, provides a command line interface to a remote host. However, all SSH transmissions are encrypted, increasing their security.
HTTP - HTTP (Hypertext Transfer Protocol) provides access to the device's GUI using a Web browser. This protocol is not very secure.
HTTPS - HTTPS (Hypertext Transfer Protocol Secure) provides fairly secure access to the device's GUI using a Web browser. Unlike HTTP, HTTPS uses encryption for transmission, and is therefore more secure.
SNMPv1 - SNMP (Simple Network Management Protocol) exposes a device's management data so it can be managed remotely. Device data is exposed as variables that can be accessed and modified. SNMP is generally used to monitor a system's performance and other parameters. SNMP v1 is easy to set up, and only requires a plain text community string. It does not support 64 bit counters, only 32 bit counters, and that provides little security.
SNMPv2 - SNMP v2 is identical to version 1, but it adds support for 64 bit counters. Most devices support SNMP v2c automatically. However, there are some devices that require you to explicitly enable v2, and that poses no risk.
SNMPv3 - SNMP v3 adds security to the 64 bit counters provided with SNMP v2. SNMP v3 adds both encryption and authentication, which can be used together or separately. Its setup is more complex than just defining a community string. But if you require security, SNMP v3 is recommended.
FTP - FTP (File Transfer Protocol) is a standard protocol for file transfers over a TCP/IP network.

4 If it's determined a Management Access policy requires creation or modification, refer to Adding or Editing a Management Access Policy on page 12-3. If necessary, select an existing Management Access policy and select Delete to permanently remove it from the list of those available. Optionally Rename or Copy a policy as needed.

12.1.1 Adding or Editing a Management Access Policy

To add a new Management Access policy, or edit an existing configuration:
1 Select Configuration > Management > Management Policy to display the main Management Policy screen and Management Browser. Existing policies can be modified by selecting a policy from the Management Browser and selecting the Edit button. New policies can be created by selecting the Add button from the bottom right-hand side of the Management screen.
2 A name must be supplied to the new policy before the Administrators, Access Control, Authentication, SNMP and SNMP Traps tabs become enabled and the policy's configuration defined. The name cannot exceed 32 characters.
3 Select OK to commit the new policy name. Once the new name is defined, the screen's four tabs become enabled, with the contents of the Administrators tab displayed by default. Refer to the following to define the configuration of the new Management Access policy:

- Creating an Administrator Configuration - Use the Administrators tab to create specific users, assign them permissions to specific protocols and set specific administrative roles for the network.
- Setting an Allowed Location Configuration - Use the Allowed Locations tab to administrate user roles supported in both WiNG and NSight, as a user logging into the NSight UI should also have an access control restriction based on the role they're assigned in that application.
- Setting the Access Control Configuration - Use the Access Control tab to enable/disable specific protocols and interfaces. Again, this kind of access control is not meant to function as an ACL, but rather as a means to enable/disable specific protocols (HTTP, HTTPS, Telnet etc.) for each Management Access policy.
- Setting the Authentication Configuration - Refer to the Authentication tab to set the authentication scheme used to validate user credentials with this policy.
- Setting the SNMP Configuration - Refer to the SNMP tab to enable SNMPv2, SNMPv3 or both and define specific community strings for this policy.
- SNMP Trap Configuration - Use the SNMP Traps tab to enable trap generation for the policy and define trap receiver configurations.
- T5 PowerBroadband SNMP - Use the T5 PowerBroadband tab to set a unique SNMP configuration for T5 controller models.

For deployment considerations and recommendations impacting a controller or service platform's Management Access policy configuration, refer to Management Access Deployment Considerations on page 12-36.

12.1.1.1 Creating an Administrator Configuration

Management services (Telnet, SSHv2, HTTP, HTTPS and FTP) require administrators to enter a valid username and password, which is authenticated locally or centrally on a RADIUS server. SNMPv3 also requires a valid username and password, which is authenticated by the SNMPv3 module.
For CLI and Web UI users, the controller or service platform also requires user role information to know what permissions to assign. If local authentication is used, associated role information is defined on the controller or service platform when the user account is created. If RADIUS is used, role information is supplied using RADIUS vendor specific return attributes. If no role information is supplied by RADIUS, the controller or service platform applies default read-only permissions.

Administrators can limit users to specific management interfaces. During authentication, the controller or service platform looks at the user's access assignment to determine if the user has permissions to access an interface:

- If local authentication is used, role information is defined on the controller or service platform when the user account is created.
- If RADIUS is used, role information is supplied by RADIUS using vendor specific return attributes.

The controller or service platform also supports multiple RADIUS server definitions as well as fallback to provide authentication in the event of failure. If the primary RADIUS server is unavailable, the controller or service platform authenticates with the next RADIUS server, as defined in the AAA policy. If a RADIUS server is not reachable, the controller or service platform can fall back to the local database for authentication. If both RADIUS and local authentication services are unavailable, read-only access can be optionally provided.

The controller or service platform authenticates users using the integrated local database. When user credentials are presented, the controller or service platform validates the username and password against the local database and assigns permissions based on the associated roles. The controller or service platform can also deny the authentication request if the user is attempting to access a management interface not specified in the account's access mode list.

Use the Administrators tab to review existing administrators, their access medium and their administrative role within the network. New administrators can be added, and existing administrative configurations modified or deleted as required.

1 Refer to the following to review the high-level configurations of existing administrators.

Figure 12-3 Management Policy screen - Administrators tab

User Name - Displays the name assigned to the administrator upon creation of their account. The name cannot be modified as part of the administrator configuration edit process.
Access Type - Lists the Web UI, Telnet, SSH or Console access type assigned to each listed administrator. A single administrator can have any one (or all) of these access types assigned at the same time.
Role - Lists the Superuser, System, Network, Security, Monitor, Help Desk, Web User, Device Provisioning or Vendor Admin role assigned to each listed administrator. An administrator can only be assigned one role at a time.

2 Select Add to create a new administrator configuration, Edit to modify an existing configuration or Delete to permanently remove an administrator from the list of those available.
Figure 12-4 Administrators screen

3 If creating a new administrator, enter a user name in the User Name field. This is a mandatory field for new administrators and cannot exceed 32 characters. Optimally, assign a name representative of the user and role.
4 Provide a strong password for the administrator within the Password field. Once provided, Reconfirm the password to ensure it's accurately entered. This is a mandatory field.
5 Select Access options to define the permitted access for the user. Access modes can be assigned to management user accounts to restrict which management interfaces the user can access. A management user can be assigned one or more access roles allowing access to multiple management interfaces. If required, all four options can be selected and invoked simultaneously.

Web UI - Select this option to enable access to the device's Web User Interface.
Telnet - Select this option to enable access to the device using TELNET.
SSH - Select this option to enable access to the device using SSH.
Console - Select this option to enable access to the device's console.

6 Select the Administrator Role for the administrator using this profile. Only one role can be assigned.

Superuser - Select this option to assign complete administrative rights to the user. This entails all the roles listed for all the other administrative roles.
System - The System role provides permissions to configure general settings like NTP, boot parameters, licenses, perform image upgrades, auto install, manage redundancy/clustering and control access.
Network - The Network role provides privileges to configure all wired and wireless parameters like IP configuration, VLANs, L2/L3 security, WLANs, radios, and captive portal.
Security - Select Security to set the administrative rights for a security administrator, allowing configuration of all security parameters.
Monitor - Select Monitor to assign permissions without any administrative rights. The Monitor option provides read-only permissions.
Help Desk - Assign this role to someone who typically troubleshoots and debugs problems reported by the customer. The Help Desk manager typically runs troubleshooting utilities (like a sniffer), executes service commands, views/retrieves logs and reboots the controller or service platform. However, Help Desk personnel are not allowed to conduct controller or service platform reloads.
Web User - Select Web User to assign the administrator privileges needed to add users for authentication.
Device Provisioning - Select Device Provisioning to assign an administrator privileges to update (provision) device configuration files or firmware. Such updates run the risk of overwriting and losing a device's existing configuration unless the configuration is properly archived.
Vendor Admin - Select this option to create a vendor-admin user role group so this particular user type can access offline device-registration portal data. Vendors are assigned username/password credentials for securely on-boarding devices. Devices are moved to a vendor allowed VLAN immediately after this on-boarding process, so vendors do require unique administration roles. When the Vendor-Admin role is selected, provide the vendor's Group name for RADIUS authentication. The vendor's RADIUS group takes precedence over the statically configured group for device registration.

7 Select the OK button to save the administrator's configuration. Select Reset to revert to the last saved configuration.

12.1.1.2 Setting an Allowed Location Configuration

Extreme Networks WiNG and NSight applications may have the same users with different permissions defined in each application. Various user roles are supported in WiNG (superuser, system-admin, network-admin, security-admin, device-provisioning-admin, helpdesk and monitor). With NSight, a user logging into the NSight UI should also have an access control restriction based on the role they're assigned. For example, a WiNG user with helpdesk privileges should have access to only the site (RF Domain) in which the helpdesk is situated, and the location tree should contain only one RF Domain. Similarly, when a user responsible for a set of sites logs in to NSight, their location tree needs to contain the RF Domains for which they're responsible. To set an allowed location configuration:
1 Select the Allowed Locations tab from the Management Policy screen.

The Allowed Locations screen lists existing users and their permitted locations.

Figure 12-5 Management Policy screen - Allowed Locations tab

2 Select Add to create a new allowed location, Edit to modify an existing location or Delete to permanently remove a user name and location from the list of those available.
3 Set the following allowed location parameters:

Figure 12-6 Adding Allowed Locations screen

Name - Define a 32 character maximum user name whose access is mapped to a specific site (RF Domain).
Locations - Create locations and use the navigation arrows to move them into the list of those enabled once saved.

4 Select OK to update the allowed location configuration. Select Reset to revert to the last saved configuration.

12.1.1.3 Setting the Access Control Configuration

Restricting remote access to a controller or service platform ensures only trusted hosts can communicate with enabled management services. This ensures only trusted hosts can perform management tasks and provides protection from brute force attacks by hosts attempting to break into the controller or service platform managed network.

Administrators can permit management connections to be established on any IP interface on the controller or service platform (including IP interfaces used to provide captive portal guest access). Administrators can restrict management access by limiting access to a specific host (IP address), subnet, or ACL on the controller or service platform.

Refer to the Access Control tab to allow/deny management access to the network using strategically selected protocols (HTTP, HTTPS, Telnet, SSH or SNMP). Access options can be either enabled or disabled as required. Disabling unused interfaces is recommended to close unnecessary security holes. The Access Control tab is not meant to function as an ACL (in routers or other firewalls), where you can specify and customize specific IPs to access specific interfaces.
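The Access Control tab settings described in this section (per-protocol enable flags, the Source Address filter with its Source Hosts, Source Subnets and Logging Policy fields, and the role-based User Lockout Settings) can be followed more easily as a small executable model. The block below is an added illustration written for this page, not WiNG code: the class and function names, the policy field layout and every address (10.10.10.0/24 standing in for the management VLAN, 10.10.70.0/24 for the guest VLAN, 203.0.113.5 for a jump host) are constructed. It reproduces the lockout example from this tab, where user2 in the monitor role is locked after 5 failed attempts for 10 minutes while user1 stays usable.

```python
"""Model of the Access Control tab: service enable flags, Source Address filter,
logging policy and per-account lockout. Added example; not WiNG code.
All names, field layouts and addresses are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class AccessControlPolicy:
    enabled: Dict[str, bool]                    # protocol -> enabled (assumed layout)
    filter_type: str = "none"                   # "none" or "source-address"
    source_hosts: List[str] = field(default_factory=list)
    source_subnets: List[str] = field(default_factory=list)
    logging_policy: str = "none"                # "none", "denied" or "all"
    # role -> (Number of Password Attempts, Lockout Time in minutes; 0 = permanent)
    lockout: Dict[str, Tuple[int, int]] = field(default_factory=dict)


def source_allowed(policy: AccessControlPolicy, src_ip: str) -> bool:
    """Source Address filter: permit when the client matches a listed host or subnet."""
    if policy.filter_type == "none":
        return True
    ip = ip_address(src_ip)
    if any(ip == ip_address(h) for h in policy.source_hosts):
        return True
    return any(ip in ip_network(s, strict=False) for s in policy.source_subnets)


def check_connection(policy: AccessControlPolicy, protocol: str,
                     src_ip: str, log: List[str]) -> bool:
    """Decide whether a management session may proceed; log per the logging policy."""
    if not policy.enabled.get(protocol, False):
        verdict, reason = False, "service disabled"
    elif not source_allowed(policy, src_ip):
        verdict, reason = False, "source not permitted"
    else:
        verdict, reason = True, "allowed"
    if policy.logging_policy == "all" or (policy.logging_policy == "denied" and not verdict):
        log.append(f"mgmt-access {protocol} from {src_ip}: "
                   f"{'ALLOW' if verdict else 'DENY'} ({reason})")
    return verdict


class LockoutTracker:
    """Consecutive-failure counter kept per account (not per role), so one locked
    account leaves the other accounts in the same role usable."""

    def __init__(self, policy: AccessControlPolicy):
        self.policy = policy
        self.failures: Dict[str, int] = {}
        self.locked_until: Dict[str, Optional[int]] = {}  # expiry minute; None = permanent

    def is_locked(self, user: str, now_min: int) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or now_min < until:
            return True
        del self.locked_until[user]      # lockout time elapsed: unlock, reset counter
        self.failures[user] = 0
        return False

    def record_attempt(self, user: str, role: str, success: bool, now_min: int) -> str:
        """Return 'locked', 'ok' or 'failed' for a login attempt made at minute now_min."""
        if self.is_locked(user, now_min):
            return "locked"
        if success:
            self.failures[user] = 0
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if role in self.policy.lockout:
            attempts, minutes = self.policy.lockout[role]
            if self.failures[user] >= attempts:
                self.locked_until[user] = None if minutes == 0 else now_min + minutes
                return "locked"
        return "failed"


def demo() -> dict:
    """Constructed scenario: management only from the management VLAN or a jump host,
    Telnet/HTTP off, denied requests logged, monitor role locked 10 min after 5 failures."""
    policy = AccessControlPolicy(
        enabled={"telnet": False, "http": False, "ssh": True, "https": True},
        filter_type="source-address",
        source_hosts=["203.0.113.5"],          # constructed admin jump host
        source_subnets=["10.10.10.0/24"],      # constructed management VLAN
        logging_policy="denied",
        lockout={"monitor": (5, 10)},
    )
    log: List[str] = []
    results = {
        "ssh_from_mgmt_vlan": check_connection(policy, "ssh", "10.10.10.25", log),
        "ssh_from_guest_vlan": check_connection(policy, "ssh", "10.10.70.9", log),
        "telnet_from_mgmt_vlan": check_connection(policy, "telnet", "10.10.10.25", log),
        "https_from_jump_host": check_connection(policy, "https", "203.0.113.5", log),
    }
    tracker = LockoutTracker(policy)
    user2 = [tracker.record_attempt("user2", "monitor", False, minute) for minute in range(5)]
    results["user2_fifth_attempt"] = user2[-1]                                      # locked at minute 4
    results["user1_during_lockout"] = tracker.record_attempt("user1", "monitor", True, 5)
    results["user2_during_lockout"] = tracker.record_attempt("user2", "monitor", True, 10)
    results["user2_after_lockout"] = tracker.record_attempt("user2", "monitor", True, 14)
    results["log"] = log
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the Logging Policy at Denied Requests only the two refused sessions (SSH from the guest subnet and the disabled Telnet service) produce log lines; set it to All to see the accepted sessions as well.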
- Source hosts - Management access can be restricted to one or more hosts by specifying their IP addresses
- Source subnets - Management access can be restricted to one or more subnets
- IP ACL - Management access can be based on the policies defined in an IP based ACL

In the following example, a controller has two IP interfaces defined, with VLAN10 hosting management and network services and VLAN70 providing guest services. For security, the guest network is separated from all trusted VLANs by a firewall.

Interface | Description | IP Address | Management
VLAN10    | Services    | Yes        | Yes
VLAN70    | Guest       | Yes        | No

By default, management services are accessible on both VLAN10 and VLAN70, and that's not desirable to an administrator. By restricting access to VLAN10, the controller only accepts management sessions on VLAN10. Management access on VLAN70 is no longer available.

Administrators can secure access to a controller or service platform by disabling less secure interfaces. By default, the CLI, SNMP and FTP disable interfaces that do not support encryption or authentication. However, Web management using HTTP is enabled. Insecure management interfaces such as Telnet, HTTP and SNMP should be disabled, and only secure management interfaces, like SSH and HTTPS, should be used to access the controller or service platform managed network. The following table demonstrates some interfaces provide better security than others:

Access Type | Encrypted | Authenticated | Default State
Telnet      | No        | Yes           | Disabled
SNMPv2      | No        | No            | Enabled
SNMPv3      | Yes       | Yes           | Enabled
HTTP        | No        | Yes           | Disabled
HTTPS       | Yes       | Yes           | Disabled
FTP         | No        | Yes           | Disabled
SSHv2       | Yes       | Yes           | Disabled

To set an access control configuration for the Management Access policy:
1 Select the Access Control tab from the Management Policy screen.

Figure 12-7 Management Policy screen - Access Control tab

2 Set the following parameters required for Telnet access:

Enable Telnet - Select the checkbox to enable Telnet device access. Telnet provides a command line interface to a remote host over TCP. Telnet provides no encryption, but it does provide a measure of authentication. Telnet access is disabled by default.
Telnet Port - Set the port on which Telnet connections are made (1 - 65,535). The default port is 23. Change this value using the spinner control next to this field or by entering the port number in the field.

3 Set the following parameters required for SSH access:

Enable SSHv2 - Select the checkbox to enable SSH device access. SSH (Secure Shell) version 2, like Telnet, provides a command line interface to a remote host. SSH transmissions are encrypted and authenticated, increasing the security of transmission. SSH access is disabled by default.
SSHv2 Port - Set the port on which SSH connections are made. The default port is 22. Change this value using the spinner control next to this field or by entering the port number in the field.

4 Set the following HTTP/HTTPS parameters:
Enable HTTP - Select the checkbox to enable HTTP device access. HTTP provides limited authentication and no encryption.
Enable HTTPS - Select the checkbox to enable HTTPS device access. HTTPS (Hypertext Transfer Protocol Secure) is more secure than plain HTTP. HTTPS provides both authentication and data encryption as opposed to just authentication (as is the case with HTTP).

NOTE: If a RADIUS server is not reachable, HTTPS or SSH management access to the controller or service platform may be denied.

5 Select the Enable Rest Server option, within the Rest Server field, to facilitate device on-boarding. When selected, the REST server allows vendor-specific users access to the online device registration portal. All requests and responses to and from the on-boarding portal are handled by the REST server through RESTful Application Programming Interface (API) transactions. The REST server serves the Web pages used to associate a device's MAC address with a specific vendor group. This option is enabled by default.
6 Set the following parameters required for FTP access:

Enable FTP - Select the checkbox to enable FTP device access. FTP (File Transfer Protocol) is the standard protocol for transferring files over a TCP/IP network. FTP requires administrators to enter a valid username and password authenticated locally. FTP access is disabled by default.
FTP Username - Specify a username required when logging in to the FTP server. The username cannot exceed 32 characters.
FTP Password - Specify a password required when logging in to the FTP server. Reconfirm the password in the field provided to ensure it has been entered correctly. The password cannot exceed 63 characters.
FTP Root Directory - Provide the complete path to the root directory in the space provided. The default setting has the root directory set to flash:/
7 Set the following General parameters:

Idle Session Timeout - Specify an inactivity timeout for management connection attempts (in seconds) from 0 - 4,320.
Message of the Day - Enter message of the day text (no longer than 255 characters) displayed at login for clients connecting via the CLI.

8 Set the following Access Restrictions parameters:
Filter Type - Select a filter type for access restriction. Options include IP Access List, Source Address or None. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field.
IP Access List - If the selected filter type is IP Access List, select an access list from the drop-down menu or select the Create button to define a new one. IP based firewalls function like Access Control Lists (ACLs) to filter/mark packets based on the IP from which they arrive, as opposed to filtering packets on layer 2 ports. IP firewalls implement uniquely defined access control policies, so if you don't have an idea of what kind of access to allow or deny, a firewall is of little value, and could provide a false sense of network security.
Source Hosts - If the selected filter type is Source Address, enter an IP address or IP addresses for the source hosts. To restrict management access to specific hosts, select Source Address as the filter type and provide the allowed addresses within the Source Hosts field.
Source Subnets - If the selected filter type is Source Address, enter a source subnet or subnets for the source hosts. To restrict management access to specific subnets, select Source Address as the filter type and provide the allowed subnets within the Source Subnets field.
Logging Policy - If the selected filter is Source Address, enter a logging policy for administrative access. Options include None, Denied Requests or All.

9 Set the User Lockout Settings. Click the Add Row button and configure the following role-based user-account lockout and unlock criteria:

Role - Specify the user-role for which account lockout is to be enabled. The options are: device-provisioning-admin, helpdesk, monitor, network-admin, security-admin, system-admin, vendor-admin and web-user-admin. Note, you can enable account lockout for multiple roles. After specifying the role/roles, set the Lockout Time and Number of Password Attempts. User-account lockout is individually applied to each account within the specified role/roles. For example, consider the monitor role having two users: user1 and user2. The Number of Password Attempts and Lockout Time are set at 5 attempts and 10 minutes respectively. In this scenario, user2 makes 5 consecutive, failed login attempts, and the user2 account is locked out for 10 minutes. However, during this lockout time the user1 account remains active.
Lockout Time - Specify the maximum time for which an account remains locked. Specify a value from 0 to 600 minutes. The value 0 indicates that the account is permanently locked.
Number of Password Attempts - Specify the maximum number of consecutive, failed attempts allowed before an account is locked. Specify a value from 1 to 100.

10 Select OK to update the access control configuration. Select Reset to revert to the last saved configuration.

12.1.1.4 Setting the Authentication Configuration

Refer to the Authentication tab to define how user credential validation is conducted on behalf of a Management Access policy. If utilizing an external authentication resource, an administrator can optionally apply a TACACS policy. Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol created by Cisco to provide access control to network devices (routers, network access servers or other networked devices) through one or more centralized servers. TACACS provides separate authentication, authorization, and accounting services running on different servers. To configure an external authentication resource:
1 Select the Authentication tab from the Management Policy screen.
2 Define the following settings to authenticate management access requests:

Figure 12-8 Management Policy screen - Authentication tab

Local - Select whether the authentication server resource is centralized (local), or whether an external authentication resource is deployed for validating user access. Local is enabled by default.
RADIUS - If local authentication is disabled, define whether the RADIUS server is External or Fallback.
AAA Policy - Define the AAA policy used to authenticate user validation requests to the controller or service platform managed network. Select the Create icon as needed to define a new AAA policy or select the Edit icon to modify an existing policy.
TACACS AAA - If local authentication is disabled, optionally select Authentication or Fallback (only one authentication or fallback option can be selected) or Accounting and Authorization. TACACS policies control user access to devices and network resources while providing separate accounting, authentication, and authorization services.
TACACS Policy - Select an existing AAA TACACS policy (if available), or select Create to define a new policy or Edit to modify an existing one.

3 Select OK to update the authentication configuration. Select Reset to revert to the last saved configuration.

12.1.1.5 Setting the SNMP Configuration

Optionally use the Simple Network Management Protocol (SNMP) to communicate with devices within the network. SNMP is an application layer protocol that facilitates the exchange of management information between the controller or service platform and a managed device. SNMP enabled devices listen on port 162 (by default) for SNMP packets from the controller or service platform's management server. SNMP uses read-only and read-write community strings as an authentication mechanism to monitor and configure supported devices. The read-only community string is used to gather statistics and configuration parameters from a supported wireless device. The read-write community string is used by a management server to set device parameters.

SNMP is generally used to monitor a system's performance and other parameters.

SNMP Version | Encrypted | Authenticated | Default State
SNMPv1       | No        | No            | Disabled
SNMPv2       | No        | No            | Enabled
SNMPv3       | Yes       | Yes           | Enabled

To configure SNMP Management Access:
1 Select the SNMP tab from the Management Policy screen.
2 Enable or disable SNMPv1, SNMPv2 and SNMPv3.

Figure 12-9 Management Policy screen - SNMP tab

Enable SNMPv1 - SNMPv1 exposes a device's management data so it can be managed remotely. Device data is exposed as variables that can be accessed and modified as text strings, with version 1 being the original (rudimentary) implementation. SNMPv1 is enabled by default.
Enable SNMPv2 - Select the checkbox to enable SNMPv2 support. SNMPv2 provides device management using a hierarchical set of variables. SNMPv2 uses Get, GetNext, and Set operations for data management. SNMPv2 is enabled by default.
Enable SNMPv3 - Select the checkbox to enable SNMPv3 support. SNMPv3 adds security and remote configuration capabilities to previous versions. The SNMPv3 architecture introduces the user-based security model (USM) for message security and the view-based access control model (VACM) for access control. The architecture supports the concurrent use of different security, access control and message processing techniques. SNMPv3 is enabled by default.

3 Set the SNMP v1/v2 Community String configuration. Use the + Add Row function as needed to add additional SNMP v1/v2 community strings, or select an existing community string's radio button and select the Delete icon to remove it.

Community - Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public, for the read-only community string, and private for the read-write community string.
Access Control - Set the access permission for each community string used by devices to retrieve or modify information. Available options include:
  Read Only - Allows a remote device to retrieve information.
  Read-Write - Allows a remote device to modify settings.
IP SNMP ACL - Set the IP SNMP ACL used along with the community string. Use the drop-down menu to select an existing ACL. Use the Create icon to create and add a new ACL. Select an existing ACL and the Edit icon to update an existing ACL.

4 Set the SNMPv3 Users configuration. Use the + Add Row function as needed to add additional SNMPv3 user configurations, or select an SNMP user's radio button and select the Delete icon to remove the user.

User Name - Use the drop-down menu to define a user name of snmpmanager, snmpoperator or snmptrap.
Authentication - Displays the authentication scheme used with the listed SNMPv3 user. The listed authentication scheme ensures only trusted and authorized users and devices can access the network.
Encryption - Displays the encryption scheme used with the listed SNMPv3 user.
Password - Provide the user's password in the field provided. Select the Show check box to display the actual character string used in the password; leaving the check box unselected protects the password and displays each character as *.

5 Select OK to update the SNMP configuration. Select Reset to revert to the last saved configuration.

12.1.1.6 SNMP Trap Configuration

The managed network can use SNMP trap receivers for fault notifications. SNMP traps are unsolicited notifications triggered by thresholds (or actions), and are therefore an important fault management tool. An SNMP trap receiver is the destination of SNMP messages (external to the controller or service platform). A trap is like a Syslog message, just over another protocol (SNMP). A trap is generated when a device consolidates event information and transmits the information to an external repository. The trap contains several standard items, such as the SNMP version, community etc. SNMP trap notifications exist for most controller or service platform operations, but not all are necessary for day-to-day operation. To define an SNMP trap configuration for receiving events at a remote destination:
1 Select the SNMP Traps tab from the Management Policy screen.

Figure 12-10 Management Policy screen - SNMP Traps tab

2 Select the Enable Trap Generation checkbox to enable trap generation using the trap receiver configuration defined. This feature is disabled by default.
3 Refer to the Trap Receiver table to set the configuration of the external resource dedicated to receiving trap information. Select Add Row + as needed to add additional trap receivers. Select the Delete icon to permanently remove a trap receiver.

IP Address - Sets the IP address of the external server resource dedicated to receiving the SNMP traps on behalf of the controller or service platform.
Port - Set the port of the server resource dedicated to receiving SNMP traps. The default port is port 162.
Version - Sets the SNMP version to use to send SNMP traps. SNMPv2 is the default.
Trap Community - Provide a 32 character maximum trap community string. The community string functions like a user id or password allowing access to controller or Access Point resources. If the community string is correct, the controller or Access Point provides the requested information. If the community string is incorrect, the controller or Access Point discards the request and does not respond. Community strings are used only by devices which support SNMPv1 and SNMPv2c. SNMPv3 uses username/password authentication, along with an encryption key. The default setting is public.

4 Select OK to update the SNMP Trap configuration. Select Reset to revert to the last saved configuration.

12.1.1.7 T5 PowerBroadband SNMP

A T5 controller, once enabled as a supported external device, can provide data to WiNG to assist in a T5's management within a WiNG supported subnet populated by both types of devices. To define a T5 controller power broadband SNMP configuration:
1 Select the T5 Power Broadband tab from the Management Policy screen.
Figure 12-11 Management Policy screen - T5 PowerBroadband tab
2 Set the following SNMP settings:
Contact - Set a 64 character maximum contact name for the administration of T5 controller SNMP events.
Enable Server - Select this option to enable SNMP event management for the T5 controller. This setting is disabled by default.
Location - Set a 64 character maximum location for the SNMP resource dedicated to T5 controller support.
Traps - Select this option to enable SNMP trap support for the T5 controller. A trap is similar to a syslog message, carried over SNMP instead: it is generated when a device consolidates event information and transmits it to an external repository. The trap contains several standard items, such as the SNMP version and community.
3 Set the SNMP v1/v2c Community String configuration for T5 controller usage. Use the + Add Row function as needed to add additional SNMP v1/v2c community strings, or select an existing community string's radio button and select the Delete icon to remove it.
Community - Set a 32 character maximum SNMP community string.
Access - Set the access permission for each community string used by devices to retrieve or modify information. Available options include:
Read Only - Allows a remote device to retrieve information.
Read-Write - Allows a remote device to modify settings.
IP - Set the IP address of the SNMP manager.
4 Use the Host table to define up to 4 SNMP receiver IP addresses.
5 Select OK to update the configuration. Select Reset to revert to the last saved configuration.
12.2 EX3500 Management Policies
The EX3500 series switch is a Gigabit Ethernet Layer 2 switch with either 24 or 48 10/100/1000BASE-T ports and four Small Form Factor Pluggable (SFP) transceiver slots for fiber connectivity. Each 10/100/1000 Mbps port supports both the IEEE 802.3af and IEEE 802.3at-2009 PoE standards. Each EX3500 series switch includes an SNMP-based management agent, which provides both in-band and out-of-band access for management. An EX3500 series switch utilizes an embedded HTTP web agent and a command line interface (CLI) somewhat different from the WiNG operating system, while still enabling the EX3500 series switch to provide WiNG controllers with PoE and port management resources.
Going forward, NX9600, NX9500, NX7500 and NX5500 WiNG managed service platforms and WiNG VMs can discover, adopt and partially manage EX3500 series Ethernet switches, as DHCP option 193 has been added to support external device adoption. DHCP option 193 is a simplified form of the DHCP options 191 and 192 currently used by WiNG devices. DHCP option 193 supports the pool1, hello-interval and adjacency-hold-time parameters.
NOTE: WiNG can partially manage an EX3500 without using DHCP option 193. In this case the EX3500 must be directly configured with the IPv4 addresses of potential WiNG adopters, using the EX3500 controller host ip address CLI command.
WiNG service platforms leave the proprietary operating system running the EX3500 switches unmodified, and partially manage them through standardized WiNG interfaces. WiNG service platforms use a translation layer to communicate with EX3500 series switches.
To set EX3500 management settings for user group creation, authentication, password management and SNMP:
1 Select Configuration.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
Figure 12-12 EX3500 Management Policy screen
The screen lists the EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify the attributes of a policy or Delete to remove an obsolete policy from those available. Existing policies can be copied or renamed as needed. For more information, refer to the following:
EX3500 User Groups
EX3500 Authentication
EX3500 Exec Password Management
EX3500 System Settings
EX3500 SNMP Management
EX3500 SNMP Users
12.2.1 EX3500 User Groups
EX3500 switch user groups are stored in a local database on the WiNG service platform. Each user group can be assigned a unique access level and password to provide administrative priority. To set an EX3500 user group configuration:
1 Select Configuration.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
4 The screen lists the EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing policies can be copied or renamed as needed.
5 If creating a new EX3500 management policy, assign it a Name up to 32 characters. Select Continue.
Figure 12-13 EX3500 Management Policy User Group screen
6 Select Add to create a new EX3500 user group, Edit to modify an existing group or Delete to remove an obsolete group. Set the following User Group attributes:
Figure 12-14 User Group Add/Edit screen
Access Level - Use the spinner control to set an access level from 0 - 15 serving as the access priority of each user group requesting access to and interoperability with an EX3500 switch. Access level 0 corresponds to a guest user with minimal access to commands, while access level 15 corresponds to an administrator user with full access to all commands.
Hash Type - Select 0 to enter the password in plain text or 7 to enter it in its already encrypted form.
Admin Password - Create a 32 character maximum password for the EX3500 user group.
7 Select OK when completed to update the EX3500 user group configuration. Select Reset to revert the screen back to its last saved configuration.
12.2.2 EX3500 Authentication
Management access to an EX3500 switch can be enabled or disabled per interface and protocol (HTTP, SSH). Disabling unused and insecure interfaces and unused management services reduces the attack surface and frees resources within an EX3500 management policy. To configure management authentication in an EX3500 management policy:
1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
4 The screen lists the EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing policies can be copied or renamed as needed.
5 Select the Authentication tab.
Figure 12-15 EX3500 Management Policy Authentication screen
6 Select the following HTTP server settings for authenticating an HTTP connection to an EX3500:
Server - When selected, the EX3500 can be accessed using HTTP from any Windows PC, Linux PC or other device that uses HTTP. This setting is enabled by default. Plain HTTP carries credentials and session data unencrypted; prefer the Secure Server option and disable this one where possible.
Port - Set the HTTP port number from 1 - 65,535. The default port is 80.
Secure Server - Select this option to serve HTTPS on a designated secure port.
Secure Port - Use the spinner control to select a secure port from 1 - 65,535.
7 Select the following SSH server settings for authenticating an SSH connection to an EX3500:
Server - When selected, the EX3500 can be accessed using SSH from any Windows PC, Linux PC or other device that uses SSH. This setting is enabled by default.
Retries for SSH - Set the maximum number of retries, from 1 - 5, for connecting to the SSH server. The default setting is 3.
Server Key - Set the SSH server key length from 512 - 1,024 bits. The default length is 768. Use the 1,024 bit maximum, as 512 and 768 bit keys fall well below current guidance for SSH host keys.
Time Out - Set the inactivity timeout for SSH sessions from 1 - 120 seconds. When this period is exceeded, the idle session is closed and the user must authenticate again. The default value is 120 seconds.
8 Select OK when completed to update the EX3500 authentication configuration. Select Reset to revert the screen back to its last saved configuration.
12.2.3 EX3500 Exec Password Management
Each EX3500 management policy can have a unique exec password with its own privilege level assigned. Use these passwords when specific EX3500 management sessions require priority over others. To administer EX3500 management passwords and their privileges:
1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
4 The screen lists the EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing policies can be copied or renamed as needed.
5 Select the Exec Password tab.
Figure 12-16 EX3500 Management Policy Exec Password screen
6 Select Add to create a new EX3500 exec password, Edit to modify an existing password configuration or Delete to remove an obsolete password.
Figure 12-17 EX3500 Management Policy Exec Password Add/Edit screen
7 Assign a privilege level from 0 - 15. 0 provides the least access, while level 15 provides the most access. The commands available at each level vary.
8 Select the following Exec Password settings:
Hash Type - Select 0 to enter the password in plain text or 7 to enter it in its already encrypted form.
Exec Privilege Password - Create a 32 character maximum password for the EX3500 exec password.
9 Select OK when completed to update the EX3500 exec password. Select Reset to revert the screen back to its last saved configuration.
12.2.4 EX3500 System Settings
An EX3500 management policy can be customized to include high and low alarm thresholds for EX3500 memory and CPU utilization. The memory and CPU rising and falling thresholds control when the EX3500 generates SNMP traps: one trap is generated when utilization exceeds the rising threshold, and another when utilization subsequently drops below the falling threshold. Keeping the falling threshold below the rising threshold provides hysteresis, so utilization hovering around a single value does not generate a trap on every sample. These thresholds do not protect the resource; they provide notification of excessive use of the resource. To administer EX3500 management policy memory and CPU threshold settings:
1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
4 The screen lists the EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing policies can be copied or renamed as needed.
5 Select the System tab.
Figure 12-18 EX3500 Management Policy System screen
6 Set the following Memory - Alarm Configuration threshold settings:
Falling Threshold - Set the threshold for clearing the EX3500 memory utilization alarm. Once the rising threshold has been exceeded, memory utilization must drop below this threshold for the alarm to clear. The threshold is set as a percentage from 1 - 100, with a default of 90.
Rising Threshold - Set the threshold at which EX3500 memory utilization is reported as too high. The threshold is set as a percentage from 1 - 100, with a default of 95.
7 Set the following CPU - Alarm Configuration threshold settings:
Falling Threshold - Set the threshold for clearing the EX3500 CPU (processor) utilization alarm. Once the rising threshold has been exceeded, CPU utilization must drop below this threshold for the alarm to clear. The threshold is set as a percentage from 1 - 100, with a default of 70.
Rising Threshold - Set the notification threshold at which EX3500 CPU (processor) utilization is reported as too high. The threshold is set as a percentage from 1 - 100, with a default of 90.
8 Select OK when completed to update the EX3500 system threshold settings. Select Reset to revert the screen back to its last saved configuration.
12.2.5 EX3500 SNMP Management
Optionally use the Simple Network Management Protocol (SNMP) with the EX3500 management policy for statistics gathering, or to fully manage the EX3500. SNMP is an application layer protocol that facilitates the exchange of management information between the controller or service platform and a managed device. SNMP enabled devices listen on port 161 (by default) for SNMP packets from the controller or service platform's management server. SNMPv1 and SNMPv2c use read-only and read-write community strings as their only authentication mechanism for monitoring and configuring supported devices. The read-only community string is used to gather statistics and configuration parameters from a supported device. The read-write community string is used by a management server to set device parameters, so it is effectively an administrative credential. SNMP is generally used to monitor a system's performance and other parameters. To configure the EX3500 SNMP management policy:
1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
4 The screen lists the EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing policies can be copied or renamed as needed.
5 Select the SNMP tab.
Figure 12-19 EX3500 Management Policy SNMP screen
6 Set the following SNMP settings:
Enable - Select the checkbox to enable SNMPv1, SNMPv2 or SNMPv3 support. The SNMP version used is selected and mapped to a user group within the Group table.
Contact - Define a 255 character maximum SNMP contact name for the person responsible for the WiNG administration of the EX3500 switch.
Local Engine ID - Set a 64 character maximum local engine ID. The local engine ID is the administratively unique identifier of an SNMPv3 engine, used for identification, not addressing. An engine ID has two parts, a prefix and a suffix; the prefix is formatted according to RFC 3411. Because SNMPv3 keys are localized with the engine ID, changing it after SNMP users have been created invalidates their localized keys.
Location - Assign a 255 character maximum EX3500 switch location reflecting the switch's physical deployment location.
7 Select + Add Row and set the following Community Strings:
Name - Define a public or private community designation. By default, SNMPv2 community strings on most devices are set to public for the read-only community string and private for the read-write community string. Replace both defaults; they are the first values any scanner tries.
Access - Set the access permission for each community string used by devices to retrieve or modify information. Available options include:
Read Only - Allows a remote device to retrieve information.
Read-Write - Allows a remote device to modify settings.
8 Select + Add Row and set the following Group settings for SNMP management of the EX3500:
Group Name - Define a 32 character maximum name for this SNMP group. A maximum of 17 groups can be set for EX3500 model switches.
Authentication - If using SNMPv3 as the version for this group, select whether noauth, auth or priv is applied to the group as the credential exchange and validation mechanism (noauth: no authentication or encryption; auth: authenticated but unencrypted; priv: authenticated and encrypted). This setting is not available with SNMPv1 or SNMPv2.
Version - Apply SNMPv1, SNMPv2 or SNMPv3 to this EX3500 SNMP group. SNMPv2c is identical to version 1 in its security model, but adds support for 64 bit counters. Most devices support SNMPv2c automatically; some require you to explicitly enable v2, which poses no additional risk relative to v1. SNMPv3 adds both authentication and encryption, which can be used together or separately. Its setup is more involved than defining a community string, but if you require security, SNMPv3 is recommended.
Notify View - Set a 32 character maximum notify view name restricting and filtering the objects that may appear in notifications.
Read View - Set an optional 32 character maximum view name indicating that users who belong to this group have read access to that view of the EX3500 switch.
Write View - Set an optional 32 character maximum view name indicating that users who belong to this group have write access to that view of the EX3500 switch.
9 Set the following SNMP Traps for SNMP event management of the EX3500:
Authentication - Select the checkbox to enable trap generation for user authentication events when accessing an EX3500 switch from a WiNG managed controller. This feature is disabled by default. Enable it where traps are collected, since repeated authentication failures are an early indicator of community string or credential guessing.
Enable SNMP Trap - Select the checkbox to enable EX3500 MAC notification traps. When enabled, a trap is generated when a dynamic MAC address is added to or removed from the switch's address table. This feature is disabled by default.
Link Up Down - Select this option to generate a trap when a link is established or broken between the EX3500 switch and a connected device (WiNG managed or not).
10 Refer to the SNMP View table and select + Add Row to include or exclude up to 31 SNMP views.
View Name - Enter a 32 alphanumeric character maximum name to identify the EX3500 SNMP MIB view. A view is a set of MIB subtrees, or a family of subtrees, where each is a subtree within the managed object naming tree. Create MIB views to control the OID range that SNMPv3 users can access.
OID Tree - Provide an OID string to include in or exclude from the view. The OID string can be up to 128 characters in length.
View Access - Designate whether the subtree or family of subtrees is included in or excluded from the MIB view. If creating an excluded view subtree, create a corresponding included entry with the same view name (for example, the parent subtree) so that the subtrees outside the excluded one remain visible.
11 Refer to the Notify Filter table and select + Add Row to set up to 5 remote resources for archive and retrieval.
Name - Enter a 26 character maximum name for the filter. Notifications indicate erroneous user authentication requests, restarts, connection closures, loss of connection to a neighbor router or other events.
Remote Host - Provide the destination IP address of the remote server receiving the filtered traps.
12 Refer to the Remote Engine table and select + Add Row to set up to 5 remote IDs and addresses.
Remote Engine IP - Enter the IP address of the remote SNMP agent of the device where the user resides.
Remote Engine Id - Provide an ID 9 - 64 characters in length. If configuring EX3500 management for SNMPv3, it is necessary to configure the remote engine ID, as passwords are localized using the engine ID of the authoritative SNMP engine. The remote agent's SNMP engine ID is therefore needed when computing the authentication key from a password.
13 Refer to the Host table and select + Add Row to set the trap receiver host configuration.
Authentication - If using SNMPv3, define the authentication scheme for user credential validation as noauth, auth or priv.
Community String - Provide the 1 - 32 character community string used with this host.
Inform - Enable this option to have the EX3500 switch send inform requests to SNMP managers instead of traps. Traps are less reliable than informs, since the receiver does not acknowledge a trap; an SNMP manager that receives an inform acknowledges it with an SNMP response, and the switch retries unacknowledged informs.
IP - Define the trap receiver's IP address.
Retry - Set the number of connection retries (from 1 - 255). When no response is received after the last retry attempt, the session with the trap receiver IP address is terminated.
Timeout - Set the duration (in seconds) to wait before the host connection is retried, up to the set number of retries.
UDP Port - Set the port of the server dedicated to receiving EX3500 switch SNMP traps. The default is port 162.
Version - Set whether SNMP version 1, 2 or 3 is used with this host. Versions 1 and 2 provide no data security; the community string and all data travel in the clear. SNMPv3 adds security and remote configuration capabilities to the previous versions. The SNMPv3 architecture introduces the user-based security model (USM) for message security and the view-based access control model (VACM) for access control.
12.2.6 EX3500 SNMP Users
An EX3500 SNMP management session utilizes unique SNMP users with specific authentication and privacy parameters. To administer EX3500 SNMP users and their permissions:
1 Select Configuration from the Web UI.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select EX3500 Management Policy.
4 The screen lists the EX3500 management policies created thus far. Select Add to create a new EX3500 management policy, Edit to modify an existing policy or Delete to remove an obsolete policy. Existing policies can be copied or renamed as needed.
5 Select the SNMP User tab.
Figure 12-20 EX3500 SNMP User screen
6 Review the following EX3500 SNMP user credentials to determine whether a new user requires creation or an existing user configuration needs modification:
User Name - Displays the 32 character maximum SNMP user name assigned to the specific SNMP version and remote SNMP server listed. More than one user can be assigned to the same EX3500 SNMP user group.
Version - Lists whether SNMPv1, SNMPv2 or SNMPv3 is applied to this EX3500 SNMP user. SNMPv2c is identical to version 1 in its security model, but adds support for 64 bit counters. SNMPv3 adds both authentication and encryption, which can be used together or separately; if you require security, SNMPv3 is recommended.
Remote IP Address - Lists the remote server designated for receiving SNMP trap and inform event messages for the listed SNMP user.
Group Name - Lists the 32 character maximum name assigned to this SNMP group, as SNMP access rights are organized by group. The trap group name can be any string and is embedded in the community name field of a trap. A maximum of 17 groups can be set for EX3500 model switches.
7 Select Add to create a new user configuration or Edit to modify the attributes of an existing EX3500 SNMP user configuration.
Figure 12-21 EX3500 SNMP User Add/Edit screen
8 Set the following SNMP user credentials for the EX3500 SNMP user:
User Name - Enter a 32 character maximum SNMP user name for EX3500 SNMP session management.
Version - Use the drop-down menu to define whether SNMPv1, SNMPv2 or SNMPv3 is applied to this EX3500 SNMP user configuration. SNMPv2c is identical to version 1 in its security model, but adds support for 64 bit counters. Most devices support SNMPv2c automatically; some require you to explicitly enable v2, which poses no additional risk relative to v1. SNMPv3 adds both authentication and encryption, which can be used together or separately. Its setup is more involved than defining a community string, but if you require security, SNMPv3 is recommended.
Remote IP Address - Set the IP address of the remote server designated for receiving SNMP trap and inform event messages for this SNMP user.
Group Name - Enter a 32 character maximum SNMP group name. The group name can be any string and is embedded in the community name field of an SNMP trap.
Encryption - When using SNMPv3, the Encryption option becomes available to encrypt packet contents and prevent their exposure to unauthorized parties.
Authentication - When using SNMPv3, the Authentication option becomes available to ensure messages come from a valid source and have not been altered in transit. SNMPv3 uses the user-based security model (USM) for message security and the view-based access control model (VACM) for access control. USM specifies authentication and encryption; VACM specifies access control rules.
Authentication Password - Enter an 8 - 40 character ASCII authentication password. The authentication password ensures only trusted and authorized users can access an EX3500 SNMP management session. It is never sent on the wire: both sides derive a key from it, localized with the agent's engine ID.
Private Type - Use the drop-down menu to specify the privacy type. The Advanced Encryption Standard (AES) is offered as the privacy protocol for SNMPv3 messages in aes128, aes192 or aes256 form, and is recommended. 3DES and des56 are also offered, but des56's 56 bit key is brute-forceable and 3DES is deprecated; avoid both.
Private Password - Enter an 8 - 64 character ASCII password for the privacy type selected. Use a value different from the authentication password.
9 Select OK when completed to update the EX3500 SNMP user settings. Select Reset to revert the screen back to its last saved configuration.
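The Remote Engine table (step 12 of the SNMP management procedure) and the authentication and privacy passwords above depend on the same mechanism: an SNMPv3 USM password is never transmitted. Each side expands the password into a key and then localizes that key with the authoritative engine's engine ID, so the same password produces a different key on every agent, and a manager that does not know the remote engine ID cannot verify that agent's traps and informs. The following is an added example written for this guide, not code from the guide or from the WiNG or EX3500 software. It implements the RFC 3414 derivation and checks it against the test vectors published in RFC 3414 Appendix A.3; it assumes engine IDs are entered as hex digits, and the message bytes it authenticates are constructed placeholders.

```python
"""SNMPv3 USM key derivation and localization (RFC 3414, Appendix A).

Added example, not code from the guide or from WiNG/EX3500 firmware.
Assumptions: engine IDs are typed as hex digits; messages are placeholders.
"""
import hashlib
import hmac

ONE_MIB = 1_048_576  # RFC 3414 A.2 hashes exactly 2^20 bytes of the repeated password

# Constructed inputs: the password and engine ID of the RFC 3414 A.3 test vectors
PASSWORD = b"maplesyrup"
ENGINE_ID = bytes.fromhex("000000000000000000000002")


def engine_id_from_hex(text: str) -> bytes:
    """Parse an engine ID entered as hex digits (assumed input form of the Remote Engine Id field)."""
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if not 5 <= len(raw) <= 32:  # SnmpEngineID is 5..32 octets (RFC 3411)
        raise ValueError("engine ID must be 5 to 32 octets")
    return raw


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku = H(password repeated cyclically to exactly 1 MiB). Slow on purpose."""
    if not password:
        raise ValueError("empty password")
    reps = -(-ONE_MIB // len(password))  # ceiling division
    return hashlib.new(algo, (password * reps)[:ONE_MIB]).digest()


def localize_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the key actually used with that one engine."""
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_parameters(localized_key: bytes, whole_msg: bytes, algo: str = "md5") -> bytes:
    """msgAuthenticationParameters for HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes
    of the HMAC over the whole message (whose 12-byte parameters field is zeroed first)."""
    return hmac.new(localized_key, whole_msg, algo).digest()[:12]


def verify_auth(localized_key: bytes, whole_msg_zeroed: bytes, received: bytes,
                algo: str = "md5") -> bool:
    """Constant-time check of a received tag, as a trap or inform receiver would do."""
    return hmac.compare_digest(auth_parameters(localized_key, whole_msg_zeroed, algo), received)


if __name__ == "__main__":
    for algo in ("md5", "sha1"):
        print(algo, "Ku  =", password_to_key(PASSWORD, algo).hex())
        print(algo, "Kul =", localize_key(PASSWORD, ENGINE_ID, algo).hex())
    # Same password, different engine ID: a different key, so traps from an engine whose
    # ID is not in the Remote Engine table cannot be authenticated by the receiver.
    other = engine_id_from_hex("80:00:00:00:01:02:03:04")
    print("other engine Kul =", localize_key(PASSWORD, other, "sha1").hex())
```

The privacy key for des56 and aes128 is produced from the privacy password by the same two steps (RFC 3414 for DES; RFC 3826 uses the first 16 bytes of the localized key for AES-128). The aes192 and aes256 choices need a longer key than MD5 or SHA-1 can produce and rely on a key-extension algorithm that exists only in Internet-Drafts, so confirm that the management station derives the same key before selecting them.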
12.3 Hierarchical Tree
Tree Setup is unique because it is not a policy (which is reused in other objects), but a global configuration that represents the tree displayed for Dashboard, Operations and Statistics. However, since it is set as a configuration, it follows the standard configuration methods, and requires a Commit before it takes effect and a Save to become persistent across reboots.
ADSP can run as a virtual machine on NX9500 and NX9510 model service platforms. WiNG communicates with ADSP using a single sign-on (SSO) authentication mechanism. Once the user is logged in, WiNG gains access to ADSP without being prompted to log in again at ADSP. There is no synchronization between the WiNG and ADSP databases. ADSP has its own user database stored locally within its virtual machine. This local database is accessed if a user logs directly into ADSP, so a user removed from WiNG must also be removed from the ADSP database to prevent direct ADSP logins.
WiNG and ADSP must be consistent in the manner events are reported up through a network hierarchy to ensure optimal interoperability and event reporting. To provide such consistency, WiNG has added support for an ADSP-like hierarchical tree. The tree resides within WiNG, and ADSP reads it from WiNG and displays the network hierarchy in its own ADSP interface. The hierarchical tree can also be used to launch ADSP modules (like Spectrum Analyzer) directly from WiNG.
NOTE: The Hierarchical tree is available on both controllers and service platforms, but not Access Points.
WiNG uses the following containers within the tree to be consistent with ADSP's hierarchy conventions:
Country
Region
City
Campus
Hierarchy rules are enforced in the containers. For example, a city can be created under a country or region, but not vice versa. An RF Domain can be placed in any container. However, there cannot be any additional containers under the RF Domain. WiNG's RF Domains already use areas and floors, and these continue to work as they currently do. Floors are also numbered to be consistent with ADSP's usage. To configure a hierarchical tree to use with ADSP:
1 Select Configuration.
2 Select Management.
3 Refer to the upper, left-hand, portion of the UI and select Tree Setup. The Tree Setup screen displays with a System node that requires population with the containers representing the deployment shared between WiNG and ADSP. The Country, Region, City and Campus containers can be defined in any order, but at least one of these containers is required within the hierarchy before an RF Domain can be added and the hierarchy is considered valid.
Figure 12-22 Hierarchical Tree screen
4 To add a Country, Region, City or Campus to the tree, select System from the upper, left-hand, portion of the Tree Setup screen. An add child link displays on the right-hand side of the display.
If adding a Country, select Country from the Type drop-down menu and use the Name drop-down menu to scroll to the country of deployment where the RF Domain resides. Adding a country first is a good idea, since regions, cities and campuses can all be added as child items under it in the tree structure. However, the selected country is an invalid tree node until an RF Domain is applied.
If adding a Region, select Region from the Type drop-down menu and use the Name parameter to enter its name. Select Add to display the region. A city and campus can be added as child items under a region. An RF Domain can be mapped anywhere down the hierarchy for a region and not just directly under a Country. For example, a region can have a city, a campus and one RF Domain mapped.
If adding a City, select City from the Type drop-down menu and use the Name parameter to enter its name. Select Add to display the city. Only a campus can be added as a child item under a city. The city is an invalid tree node until an RF Domain is applied somewhere within its subtree.
If adding a Campus, select Campus from the Type drop-down menu and use the Name parameter to enter its name. Select Add to display the campus. A Campus is the last node in the hierarchy before an RF Domain, and it cannot be valid unless it has an RF Domain mapped to it.
NOTE: If a complete tree configuration has been saved and exported for archive to a remote location, it can be imported back into the Tree Setup screen and used without having to re-configure the containers and RF Domain of that tree. Select Import to use an existing tree configuration.
NOTE: If a tree container (country, region, city or campus) has a red box around it, it either has invalid attributes or requires an RF Domain to be added.
5 Select the add RF Domain link at the right-hand side of any container to display an Unmapped RF Domain screen.
6 Provide the default RF Domain name whose deployment area and floor is mapped graphically, and whose events are shared between WiNG and ADSP. Select Add to display the RF Domain within its respective place in the tree hierarchy. A default RF Domain can also be dragged into the tree from the right-hand side of the screen. Once the RF Domain is in the tree, select the add child link at the right-hand side of the RF Domain to display a screen where the RF Domain deployment Area and Floor are defined. Once defined, select Add to populate the tree with the Area and Floor. Provide the Map URL to upload the floor plan created under an Area. Each area can have multiple floors.
NOTE: While the Map URL graphic file represents the RF Domain's physical device deployment area, devices cannot be dragged into the topology or manipulated. To define a network topology that allows an administrator to add devices and manipulate locations, refer to Network View on page 4-27.
7 Edit a tree node at any time by selecting it in the Tree Setup screen and referring to the right-hand side of the screen, where a field displays to modify the container.
8 Optionally, select Tree Import Export Template to upload a template.csv file if one is needed for container configuration. A sample of the tree template is provided here for reference.
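The template rows and the column rules that follow (record type, server, Name, Description, Type, Floor Number, Path, Command) together with the hierarchy rules stated earlier in this section can be checked mechanically before a file is imported, since every row of an imported file is applied, including delete rows. The following parser and validator is an added example written for this guide, not code from the guide or from WiNG. It goes slightly beyond the template by also applying delete rows and reporting containers that would be outlined in red (no RF Domain beneath them). Its assumptions: any of the four containers may sit directly under the System node, node names may not contain '/', and the error messages are its own; the sample rows embedded in it are a constructed copy of the template shown below.

```python
"""Parser and validator for the Tree Setup import/export CSV.

Added example, not code from the guide or from WiNG. Assumptions: any
container may sit directly under the System node; names contain no '/';
the error messages are this example's own.
"""
import csv
import io

CONTAINERS = {"country", "region", "city", "campus"}
# Permitted child types per parent type; "" is the System (root) node.
ALLOWED_CHILDREN = {
    "": CONTAINERS,
    "country": {"region", "city", "campus", "rfdomain"},
    "region": {"city", "campus", "rfdomain"},   # a country cannot sit under a region
    "city": {"campus", "rfdomain"},             # only a campus (or RF Domain) under a city
    "campus": {"rfdomain"},
    "rfdomain": {"area"},                       # no containers under an RF Domain
    "area": {"floor"},                          # an area may hold many floors
    "floor": set(),
}
NODE_TYPES = set(ALLOWED_CHILDREN) - {""}

# Constructed sample: the template rows from the guide (Command column omitted, so it defaults to add)
SAMPLE_CSV = """\
folder,localhost,US,Country Description,Country,,
folder,localhost,Southeast,Region Description,Region,,US
folder,localhost,Alpharetta,City Description,City,,US/Southeast
folder,localhost,Sanctuary Park,Campus Description,Campus,,US/Southeast/Alpharetta
folder,localhost,The Falls 1125,Domain Description,RFDomain,,US/Southeast/Alpharetta/Sanctuary Park
folder,localhost,Queens,,Area,,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125
folder,localhost,FloorQLab,,Floor,1,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorSLab,,Floor,2,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorTLab,,Floor,3,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
"""


def parse_tree(csv_text):
    """Apply the rows in order. Returns (nodes, errors); nodes maps full path -> node dict."""
    nodes, errors = {}, []
    for lineno, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not any(cell.strip() for cell in row):
            continue                                     # blank line
        row = [cell.strip() for cell in row] + [""] * 8   # pad short rows (Command is optional)
        rtype, server, name, desc, ntype, floor, path, cmd = row[:8]
        ntype, cmd = ntype.lower(), (cmd.lower() or "add")  # Index 8 defaults to add
        full = f"{path}/{name}" if path else name
        if rtype.lower() != "folder":
            errors.append(f"row {lineno}: record type must be 'folder'")
        elif server != "localhost":
            errors.append(f"row {lineno}: server must be 'localhost'")
        elif not name or "/" in name:
            errors.append(f"row {lineno}: name must be non-empty and contain no '/'")
        elif cmd == "delete":
            doomed = [p for p in nodes if p == full or p.startswith(full + "/")]
            if not doomed:
                errors.append(f"row {lineno}: cannot delete unknown node {full!r}")
            for p in doomed:                             # remove the node and its whole subtree
                del nodes[p]
        elif cmd != "add":
            errors.append(f"row {lineno}: command must be add or delete")
        elif ntype not in NODE_TYPES:
            errors.append(f"row {lineno}: unknown type {ntype!r}")
        elif path and path not in nodes:
            errors.append(f"row {lineno}: parent path {path!r} is not defined")
        elif ntype not in ALLOWED_CHILDREN[nodes[path]["type"] if path else ""]:
            parent = nodes[path]["type"] if path else "the System node"
            errors.append(f"row {lineno}: {ntype} cannot be a child of {parent}")
        elif full in nodes:
            errors.append(f"row {lineno}: duplicate node {full!r}")
        elif ntype == "floor" and not floor.isdigit():
            errors.append(f"row {lineno}: floor nodes need a numeric Floor Number")
        elif ntype != "floor" and floor:
            errors.append(f"row {lineno}: Floor Number applies only to floor nodes")
        else:
            nodes[full] = {"type": ntype, "description": desc,
                           "floor": int(floor) if floor else None}
    return nodes, errors


def invalid_containers(nodes):
    """Containers the UI would outline in red: no RF Domain mapped anywhere beneath them."""
    return sorted(
        path for path, node in nodes.items()
        if node["type"] in CONTAINERS
        and not any(n["type"] == "rfdomain" and p.startswith(path + "/")
                    for p, n in nodes.items())
    )


if __name__ == "__main__":
    tree, problems = parse_tree(SAMPLE_CSV)
    print("rows rejected:", problems)
    print("containers without an RF Domain:", invalid_containers(tree))
```

Rows are applied in file order, so a parent must appear before its children and a delete row removes the named node together with everything beneath it; run the validator on an exported file before re-importing it to catch a hand edit that breaks the hierarchy.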
Row description (CSV columns): record type (folder),server,Name,Description,Type,Floor Number,Path(slash delimited),Command(add|delete)
Actual rows in the CSV file:
folder,localhost,US,Country Description,Country,,
folder,localhost,Southeast,Region Description,Region,,US
folder,localhost,Alpharetta,City Description,City,,US/Southeast
folder,localhost,Sanctuary Park,Campus Description,Campus,,US/Southeast/Alpharetta
folder,localhost,The Falls 1125,Domain Description,RFDomain,,US/Southeast/Alpharetta/Sanctuary Park
folder,localhost,Queens,,Area,,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125
folder,localhost,FloorQLab,,Floor,1,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorSLab,,Floor,2,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
folder,localhost,FloorTLab,,Floor,3,US/Southeast/Alpharetta/Sanctuary Park/The Falls 1125/Queens
In the CSV file, configure specific tree node properties as follows:
Index 1: Record Type. This value is always 'folder'. Import/export allows the configuration of folder nodes only. Leaf nodes such as devices cannot be configured.
Index 2: Server Name. This value is always 'localhost', as import/export is supported from localhost only.
Index 3: Name. This configures the name/label of the tree node, the value visible to the user in the tree.
Index 4: Description. This configures additional information the user wants to store with the tree node.
Index 5: Type. This configures the type of the tree node. Type takes one of the values "country, region, city, campus, rfdomain, area, floor".
Index 6: Floor Number. This configures the floor number. It is applicable only to floor nodes.
Index 7: Path. The '/' (slash delimited) path from the root.
Index 8: add|delete. Allows manipulation of the node. If no value is specified, the default is 'add'. If the value is 'delete', the referenced node is removed.
9 Select Import Tree Structure to optionally import a .csv file with pre-defined containers and RF Domain. Importing an existing tree saves an administrator from creating a new one from the beginning. Review the file before importing it, since every row is applied, including delete rows.
10 Once the tree topology is defined to your satisfaction, select Export Tree Structure to archive the tree topology (in .csv file format) to a defined location. The exported tree topology can be re-imported and automatically displayed within the Tree Setup screen at any time.
11 Select OK to update the tree setup configuration. Select Reset to revert to the last saved configuration.
NOTE: Since the tree is set as a configuration, it follows standard configuration methods, and requires a Commit before it takes effect and a Save to become persistent across reboots.
12.4 Management Access Deployment Considerations
Before defining an access control configuration as part of a Management Access policy, refer to the following deployment guidelines to ensure the configuration is optimally effective:
Unused management protocols should be disabled to reduce the potential for attack against managed resources. For example, if a device is only being managed by the Web UI and SNMP, there is no need to enable CLI interfaces.

Use management interfaces providing encryption and authentication. Management services like HTTPS, SSH and SNMPv3 should be used when possible, as they provide both data privacy and authentication.

By default, SNMPv2 community strings on most devices are set to public for the read-only community string and private for the read-write community string. Legacy devices may use other community strings by default.

SNMPv3 should be used for SNMP device management, as it provides both encryption and authentication.

Enabling SNMP traps can provide alerts for isolated attacks at small managed radio deployments as well as distributed attacks occurring across multiple managed sites.

Whenever possible, centralized RADIUS management should be enabled. This provides better management and control of management usernames and passwords and allows administrators to quickly change credentials in the event of a security breach.

13 Diagnostics

Resident diagnostic capabilities enable administrators to understand how devices are performing and troubleshoot issues impacting device performance. Performance and diagnostic information is collected and measured on controllers and service platforms for any anomalies potentially causing key processes to fail.

Numerous tools are available within the Diagnostics menu. Some filter events, others allow you to view logs and manage files generated when hardware or software issues are detected. The diagnostics are managed as follows:
Fault Management
Crash Files
Advanced Diagnostics

13.1 Fault Management

Fault management enables users administering multiple sites to assess how individual devices are performing and review issues impacting the network. Use the Fault Management screens to administer errors generated by the controller or service platform, Access Point or wireless client. To assess the Fault Management configuration:
1 Select Diagnostics > Fault Management. The Filter Events screen displays by default. Use this screen to configure how events are tracked. By default, all events are enabled, and an administrator has to turn off events that do not require tracking. Use the Filter Events screen to create filters for managing detected events. Events can be filtered based on severity, module received, source MAC, device MAC and client MAC address.

Figure 13-1 Fault Management Filter Events screen

2 Define the following Customize Event Filters parameters for the Fault Management configuration:
Severity: Set the filtering severity. Select from the following:
  All Severities: All events are displayed, irrespective of their severity
  Critical: Only critical events are displayed
  Error: Only errors and above are displayed
  Warning: Only warnings and above are displayed
  Informational: Only informational and above events are displayed

Module: Select the module from which events are tracked. When a module is selected, events from other modules are not tracked. Remember this when interested in events generated by a particular module. Individual modules can be selected (such as TEST, LOG, FSM etc.) or all modules can be tracked by selecting All Modules.

Source: Set the MAC address of the source device to be tracked. Setting a MAC address of 00:00:00:00:00:00 allows all devices to be tracked.

Message Substring: Optionally append a text message (substring) to the event filter to assist the administrator in distinguishing this filter from others with similar attributes.

NOTE: Leave the fields at the default value of 00:00:00:00:00:00 to track all MAC addresses.

3 Select the Add to Active Filters button to create a new filter and add it to the Active Event Filters table. When added, the filter uses the current configuration defined in the Customize Event Filters field.

4 Refer to the Active Event Filters table to set the following parameters for the Fault Management configuration:
a. To activate all the events in the Active Event Filters table, select the Enable All Events button. To stop event generation, select Disable All Events.

b. To enable an event in the Active Event Filters table, click the event to select it. Then, select the Activate Defined Filter(s) button.

NOTE: Filters cannot be persisted across sessions. They have to be created every time a new session is established.

5 Select View Events from the upper, left-hand side of the Diagnostics > Fault Management menu.

Figure 13-2 Fault Management View Events screen

Use the View Events screen to track and troubleshoot events using the source and severity levels defined in the Configure Events screen.

6 Define the following Customize Event Filters parameters for the Fault Management configuration:
Timestamp: Displays the timestamp (time zone specific) when the fault occurred.

Module: Displays the module used to track the event. Events detected by other modules are not tracked.

Message: Displays error or status messages for each event listed.

Severity: Displays the severity of the event as defined for tracking from the Configuration screen. Severity options include:
  All Severities: All events are displayed irrespective of their severity
  Critical: Only critical events are displayed
  Error: Only errors and above are displayed
  Warning: Only warnings and above are displayed
  Info: Only informational and above events are displayed

Source: Displays the MAC address of the tracked source device.

Hostname: Lists the administrator assigned hostname of the tracked source device.

7 Select Clear All to clear events and begin new event data gathering.

8 Select Event History from the upper, left-hand side of the Diagnostics > Fault Management menu.

Figure 13-3 Fault Management Event History screen

The Event History screen displays events for controllers, service platforms and Access Points. The Controller(s) tab displays by default. Information on this tab can be filtered by controllers and service platforms, then further by an RF Domain. Similarly, the Access Point(s) tab displays information for each RF Domain on the Access Point, and this information can be further filtered by the devices adopted by this Access Point.

9 Within the Controller(s) tab, select the controller from the Select a Controller field to filter the events to display. To filter messages further, select an RF Domain from the Filter by RF Domain field.

10 Within the Access Point(s) tab, select the RF Domain from the Select a RF Domain field to filter the events to display. To filter messages further, select a device from the Filter by Device field.

11 Select Fetch Historical Events from the lower, right-hand side of the UI to populate the table with either device or RF Domain events. The following event data is fetched and displayed:
Timestamp: Displays the timestamp (time zone specific) when the fault occurred.

Module: Displays the module used to track the event. Events detected by other modules are not tracked.

Message: Displays error or status messages for each event listed.

Severity: Displays the severity of the event as defined for tracking from the Configuration screen. Severity options include:
  All Severities: All events are displayed irrespective of their severity
  Critical: Only critical events are displayed
  Error: Only errors and above are displayed
  Warning: Only warnings and above are displayed
  Info: Only informational and above events are displayed

Source: Displays the MAC address of the source device tracked by the selected module.

Hostname: Lists the administrator assigned hostname of the source device tracked by the selected module.

RF Domain: Displays the RF Domain membership of the source device tracked by the selected module.

12 Select Clear All to clear events and begin new event data gathering.

13.2 Crash Files

Use the Crash Files screen to review files created when a controller or service platform encounters a critical error or malfunction. Use crash files to troubleshoot issues specific to the device on which a crash event was generated. These are issues impacting the core (distribution layer). Once reviewed, files can be deleted or transferred for archive. Crash files can be sent to a support team to expedite issues with the reporting device.

1 Select Diagnostics > Crash Files to display the crash file information. Once a target device has been selected, its crash file information displays in the viewer on the right.

2 Refer to the following crash file information for the selected device.

Figure 13-4 Crash Files information

File Name: Displays the name of the file generated when a crash event occurred. This is the file available for copy to an external location for archive and remote administration.

Size: Lists the size of the crash file, as this information is often needed when copying files to an external location.

Last Modified: Displays the timestamp (time zone specific) when the most recent update to the file occurred.

Actions: Displays the action taken in direct response to the detected crash event.

3 Select Copy to copy a selected crash file to an external location.
Select Delete to remove a selected crash file.

13.3 Advanced Diagnostics

Refer to Advanced UI Diagnostics to review and troubleshoot any potential issue with the resident User Interface (UI). The UI Diagnostics screen provides diagnostic tools to identify and correct issues with the UI. Diagnostics can also be performed at the device level for the Access Point radios and connected clients.

13.3.1 UI Debugging

Use the UI Debugging screen to view debugging information for a selected device. To review device debugging information:
1 Select Diagnostics > Advanced > UI Debugging to display the UI Debugging menu options. The UI debugging information displays within the NETCONF Viewer by default.

Figure 13-5 UI Debugging screen - NETCONF Viewer

2 Use the NETCONF Viewer to review NETCONF information. NETCONF is a proprietary tag-based configuration protocol for devices. Messages are exchanged using XML tags.

3 The Real Time NETCONF Messages area lists an XML representation of any message generated by the system. The main display area of the screen is updated in real time.

4 Refer to the Request Response and Time Taken fields at the bottom of the screen to assess the time to receive and respond to requests. The time is displayed in microseconds.

5 Use the Clear button to clear the contents of the Real Time NETCONF Messages area. Use the Find parameter and the Next button to search for message variables in the Real Time NETCONF Messages area.

13.3.2 Viewing UI Logs

Use the UI logs to periodically assess user interface (UI) events by type, category and severity to determine whether any administrative corrective actions are warranted. To view UI log information:
1 Select Diagnostics > Advanced > View UI Logs to display the Flex Logs and Error Logs screens. The Flex Logs screen displays by default, but both tabs list the same information for either UI logs or UI error logs respectively.

2 Refer to the following UI event or error log parameters:

Figure 13-6 View UI Logs screen - Flex Logs tab

Sequence: Displays a sequence number for the generation of the listed UI events. If changing the data display from a sequential display, these numbers can be used to assess the chronology of the UI event generation.

Date/Time: Lists the date and time when each listed UI log event occurred. Use this information to assess whether time was a factor in the generation of one or more events and whether their timestamp increases their significance.

Type: Displays each listed log entry's event or error type. Some events are DEBUG while others are INFO. Categorize them collectively as specific events warrant additional administration.

Category: Lists each event's or error's system-defined category as a means of further filtering specific events or system-collected error logs. This is helpful when assessing whether specific events or errors impact multiple UI functions.

Message: Displays the system generated message for the functions impacted by each listed UI event or error. Use this data in combination with the date, type and category to assess whether specific messages are related and their significance worthy of immediate administration.

3 Select Clear All to remove all the log or error entries from the screen and begin a new data collection.

13.3.3 Viewing UI Sessions

Refer to the View Sessions screen to assess specific user interface sessions by individual user. To view UI session information:
1 Select Diagnostics > Advanced > View Sessions.

2 Refer to the following UI session data to assess its significance:

Figure 13-7 View Sessions screen

Cookie: Displays a numeric session cookie which identifies the corresponding session. This information can be used to further filter specific user sessions to the network route used.

From: Lists the numeric IP address used by each listed user as their network identifier into the WiNG user interface.

Role: Displays each user's defined administrative role. Each role has different access and administrative privileges.

Start Time: Lists the time each listed user began their WiNG UI session. Does this start time correspond to a known UI event or error condition?

User: Displays each user's SNMP administrative access protocol and their session permissions.

3 Select a specific user session and Delete to remove the selected session from those listed for administration.

14 Operations

The functions within the controller or service platform's Operations menu allow firmware and configuration file management and certificate generation for managed devices. In a clustered environment, these operations can be performed on one controller or service platform, then propagated to each member of the cluster and onwards to the devices managed by each cluster member.

A certificate links identity information with a public key enclosed in the certificate. Device certificates can be imported and exported to and from the controller or service platform to a secure remote location for archive and retrieval, as they are required for application to other managed devices.

Self Monitoring At Run Time RF Management (Smart RF) is an innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements. The Smart RF functionality scans the managed network to determine the best channel and transmit power for each managed Access Point radio. Smart RF policies can be applied to specific RF Domains, to add site specific deployment configurations and self recovery values to groups of devices within pre-defined physical RF coverage areas.

For more information, refer to the following:
Device Operations
Certificates
Smart RF

14.1 Device Operations

Updated device firmware and configuration files are periodically released to the Support Web site. If an Access Point's (or its associated devices') firmware is older than the version on the Web site, update to the latest firmware version for full feature functionality and optimal controller or service platform utilization. Additionally, selected devices can either have a primary or secondary firmware image applied, or fall back to a selected firmware image if an error occurs in the update process. For more information, refer to the following:
Operations Summary on page 14-1
Adopted Device Upgrades
Using the File Management Browser
Restarting Adopted Devices
Captive Portal Configuration
Crypto CMP Certificate
RAID Operations
Re-elect Controller

14.1.1 Operations Summary

The Summary screen displays by default when Operations is selected from the controller or service platform's main menu bar. The Summary screen displays firmware information for a specific device selected from either the RF Domain or Network tabs on the left-hand side of the screen.

NOTE: When displaying the Summary screen at the RF Domain level of the UI's hierarchical tree, the screen does not display a field for a device's Primary and Secondary firmware image. At the RF Domain level, the Summary screen just lists the Hostname, MAC Address, Online status, Device Type and Is Controller designations for the devices comprising the selected RF Domain. An RF Domain must be selected from the hierarchical tree and expanded to list the devices comprising the RF Domain. From there, individual controllers, service platforms and Access Points can be selected and their properties modified.

Figure 14-1 Device Details screen

1 Refer to the following to determine whether a firmware image needs to be updated for the selected device, or a device requires a restart or revert to factory default settings.

Version: Displays the primary and secondary firmware image version from the wireless controller.

Build Date: Displays the date the primary and secondary firmware image was built for the selected device.

Install Date: Displays the date the firmware was installed for the selected device.

Fallback: Lists whether fallback is currently enabled for the selected device. When enabled, the device reverts back to the last successfully installed firmware image if something were to happen in its next firmware upgrade that would render the device inoperable.

Current Boot: Lists the firmware image for the device on the current boot.

Upgrade Status: Displays the status of the last firmware upgrade performed for each listed device managed by this controller or service platform.

Firmware Upgrade: Select this option to display the firmware upgrade window for the selected device. Select the Apply button to perform the function.

Reload: Select this option to restart the selected device. Selecting this option restarts the target device using the specified options in the settings window. Restarting a device resets all data collection values to zero. Select the Reload button to perform the function.

2 Refer to the device table for basic information for known device types. The device table displays the Device Type, Controller status, Online, Offline and Total device counts.

14.1.1.1 Upgrading Device Firmware

Controllers and service platforms can conduct firmware updates on behalf of their managed devices. To update the firmware of a managed device:
1 Select a device from the browser.

2 Select the Firmware Upgrade button.

3 By default, the Firmware Upgrade screen displays the server parameters for the target device firmware file.

Figure 14-2 Firmware Update screen

4 Provide the following information to accurately define the location of the target device firmware file:

Protocol: Select the protocol used for updating the device firmware. Available options include:
  tftp
  ftp
  sftp
  http
  cf
  usb1-4

Port: Use the spinner control or manually enter the value to define the port used by the protocol for firmware updates. This option is not valid for cf or usb1-4.

Host: Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to update the firmware. This option is not valid for cf and usb1-4. A hostname cannot contain an underscore.

User Name: Define the user name used to access either an FTP or SFTP server.

Password: Specify the password for the user account to access an FTP or SFTP server.

Path/File: Specify the path to the firmware file. Enter the complete relative path to the file on the server.

5 Select Apply to start the firmware update. Select Abort to terminate the firmware update. Select Close to close the upgrade popup. The upgrade continues in the background.

14.1.2 Adopted Device Upgrades

An administrator can designate controllers, service platforms or Access Points as RF Domain managers capable of receiving firmware files from the NOC (NX7500 or NX9000 series service platforms) and then provisioning other devices within their same RF Domain. Controllers, service platforms and Access Points can now all update the firmware of different device models within their RF Domain. However, firmware updates cannot be made simultaneously to devices in different site deployments. To administer a device upgrade and review upgrade status and history:
1 Select Operations.

2 Ensure Devices is selected from the Operations menu on the top, left-hand side of the screen.

3 Expand the System node on the left-hand side of the screen, select an RF Domain and one of its member devices.

4 Select the Adopted Device Upgrade tab. The screen displays with the Device Upgrade List selected by default.

5 Select a controller, service platform or Access Point model from the Device Type List drop-down menu. This is the device model intended to provision firmware to the devices selected within the All Devices table below.

Figure 14-3 Device Upgrade List screen

NOTE: If selecting the Device Upgrade screen from the RF Domain level of the UI's hierarchical tree, there's an additional Upgrade from Controller option to the right of the Device Type List. Select this option to provision selected device models within the same RF Domain from this RF Domain manager. If expanding an RF Domain and selecting a member device, the upgrade tab is entitled Adopted Device Upgrade, as an upgrade is made from an elected RF Domain Manager device. There's also an additional Device Image File screen to select the device image type and set the transfer protocol.

6 Use the Scheduled Upgrade Time option to set when the upgrade occurs. To perform an upgrade immediately, select Now. To schedule the upgrade to take place at a specified time, enter a date and time in the appropriate fields.

7 Refer to the Scheduled Reboot Time option to schedule when an updated device is rebooted to implement the updated firmware. To reboot immediately, select Now. To schedule the reboot to take place at a future time to keep the device in service, enter a date and time in the appropriate fields. Use the No Reboot option to keep from rebooting after an upgrade. Select Staggered Reboot to avoid upgrading devices simultaneously and risking bringing down the network.
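As an added illustration of the Scheduled Reboot Time choices (example code, not the guide's or WiNG's own scheduler), the following Python planner maps Now, a fixed time, No Reboot and Staggered Reboot onto a batch of adopted devices, interleaving device models so part of every model stays in service, and derives the Upgrade Status counters from the resulting states. The fleet, MAC addresses, the 5.9.0 version, batch size, interval and boot duration are assumptions; times are minutes after the Scheduled Upgrade Time.

```python
"""Reboot planner for an adopted-device upgrade batch (added example, not
WiNG's own scheduler). It models the Scheduled Reboot Time choices the guide
describes (Now, a fixed time, No Reboot, Staggered Reboot) and reproduces the
Upgrade Status counters. Times are minutes after the Scheduled Upgrade Time;
the fleet, MACs, the 5.9.0 version, batch size, interval and boot duration
are assumptions made for the example."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Device:
    hostname: str
    mac: str
    device_type: str
    version: str                     # firmware currently running
    upload_version: str              # firmware available for this model
    state: str = "queued"            # queued|upgrading|wait_reboot|booting|done|cancelled
    reboot_at: Optional[int] = None  # minutes after the upgrade start


def sample_fleet():
    """Constructed fleet: two models, one device already current, one cancelled."""
    return [
        Device("ap-lobby-1", "00:11:22:33:44:01", "AP7662", "5.9.0", "5.9.1"),
        Device("ap-lobby-2", "00:11:22:33:44:02", "AP7662", "5.9.0", "5.9.1"),
        Device("ap-lab-1", "00:11:22:33:44:03", "AP7662", "5.9.1", "5.9.1"),
        Device("ap-dock-1", "00:11:22:33:44:04", "AP3917e", "5.9.0", "5.9.1"),
        Device("ap-dock-2", "00:11:22:33:44:05", "AP3917e", "5.9.0", "5.9.1"),
        Device("ap-gate-1", "00:11:22:33:44:06", "AP3917e", "5.9.0", "5.9.1", "cancelled"),
    ]


def interleave_by_type(devices):
    """Round-robin across device models so no model is rebooted all at once
    (assumption about how to keep every model partly in service)."""
    groups = {}
    for d in sorted(devices, key=lambda d: d.hostname):
        groups.setdefault(d.device_type, []).append(d)
    queues, order = list(groups.values()), []
    while any(queues):
        order += [q.pop(0) for q in queues if q]
    return order


def plan_reboots(devices, option, at=0, batch_size=2, interval=5):
    """Apply a Scheduled Reboot Time choice: 'now', 'at' (minutes after the
    upgrade start), 'no_reboot' or 'staggered' (batch_size devices every
    interval minutes). Devices already on the upload version need nothing;
    the rest are assumed to hold the image and wait for a reboot slot."""
    pending = []
    for d in devices:
        if d.state == "cancelled":
            continue
        if d.version == d.upload_version:
            d.state = "done"
        else:
            d.state = "wait_reboot"
            pending.append(d)
    if option == "no_reboot":
        return pending                       # reboot_at stays None
    if option in ("now", "at"):
        for d in pending:
            d.reboot_at = 0 if option == "now" else at
        return pending
    order = interleave_by_type(pending)
    for i, d in enumerate(order):
        d.reboot_at = at + interval * (i // batch_size)
    return order


def advance(devices, now, boot_time=3):
    """Move devices whose slot has arrived into 'booting' and those that have
    finished booting into 'done' running the new image."""
    for d in devices:
        if d.state == "wait_reboot" and d.reboot_at is not None and d.reboot_at <= now:
            d.state = "booting"
        if d.state == "booting" and d.reboot_at + boot_time <= now:
            d.state, d.version = "done", d.upload_version


def upgrade_status(devices):
    """The counters shown on the Upgrade Status screen."""
    label = {"upgrading": "upgrading", "booting": "booting",
             "queued": "waiting_to_upgrade", "wait_reboot": "waiting_to_reboot",
             "cancelled": "cancelled"}
    counts = {v: 0 for v in label.values()}
    for d in devices:
        if d.state in label:
            counts[label[d.state]] += 1
    return counts


def offline_by_type(devices):
    """How many devices of each model are offline (booting) right now."""
    out = {d.device_type: 0 for d in devices}
    for d in devices:
        out[d.device_type] += d.state == "booting"
    return out
```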
When Staggered Reboot is selected, devices are rebooted incrementally to preserve network availability. Select Force Upgrade to initiate an Access Point firmware upgrade and reboot at the present time.

NOTE: The Scheduled Upgrade Time and Scheduled Reboot Time are your local system's time. They're not the Access Point, controller, service platform or VX time and are not synched with the device.

Use the All Devices table to select controller, service platform and Access Point models for firmware updates from the device model selected from the Device Type List. Refer to the MAC Address and Device Type values to help determine the specific models available for upgrade within the RF Domain. Use the Version and Upload Version values to assess each listed device's current firmware as well as the firmware version available for a device upgrade.

8 Select Device Image File.

Figure 14-4 Device Image File screen

9 Select a controller, service platform or Access Point model from the Device Image Type drop-down menu. Selecting All makes each controller, service platform and Access Point model image available for updates on those specific models.

10 Select the Basic link to enter a URL pointing to the location of the controller, service platform or Access Point image files for the device update(s).

11 Selecting Advanced lists additional options for the device's firmware image file location:

Protocol: Select the protocol for device firmware file management and transfer. Available options include:
  tftp
  ftp
  sftp
  http
  cf

Port: Designate the port for transferring the firmware files used in the upgrade operation. Enter the port number directly or use the spinner control.

Host: Specify a numerical IP address or textual hostname of the resource used to transfer files to the devices designated for a firmware update. A hostname cannot contain an underscore.

Path / File: Define the path to the file on the file repository resource. Enter the complete relative path to the file.

12 Select the Load Image button to upload the device firmware in preparation for an upgrade. The firmware image is loaded to the flash/upgrade directory (not the flash/cache directory). If the NOC pushes the image, then it is loaded to flash/cache/upgrade.

13 Select Upgrade Status to assess the administration, scheduling and progress of device firmware updates.

14 Refer to the Upgrade Status field to assess the completion of in-progress upgrades.

Figure 14-5 Upgrade Status screen

Number of devices currently being upgraded: Lists the number of firmware upgrades currently in progress and downloading for selected devices. Once the device has the image, it requires a reboot to implement the firmware image.

Number of devices currently being booted: Lists the number of devices currently booting after receiving an upgrade image. The reboot is required to implement the new image and renders the device offline during that period. Using the Device Upgrade List, reboots can be staggered or placed on hold to ensure the device remains in service.

Number of devices waiting in queue to be upgraded: Lists the number of devices waiting to receive a firmware image from their provisioning controller, service platform or Access Point. Each device can have its own upgrade time defined, so the upgrade queue could be staggered.
Number of devices waiting in queue to be upgraded: Lists the number of devices waiting to reboot before actively utilizing their upgraded image. The Device Upgrade List allows an administrator to disable or stagger a reboot time, so device reboots may not occur immediately after an upgrade. The reboot operation renders the device offline until completed, so reboots can be scheduled for periods of reduced load.

Number of devices marked for cancellation: Lists the number of upgrades that have been manually cancelled during the upgrade operation.

15 Refer to the following status reported for each current or scheduled upgrade operation:

Device Type: Displays the model number of devices pending an upgrade. Each listed device is provisioned an image file unique to that model.

Hostname: Lists the factory encoded MAC address of a device either currently upgrading or in the queue of scheduled upgrades.

MAC Address: Lists the factory encoded MAC address of a device either currently upgrading or in the queue of scheduled upgrades.

Result: Lists the state of an upgrade operation (downloading, waiting for a reboot etc.).

Upgrade Time: Displays whether an upgrade is immediate or set by an administrator for a specific time. Staggering upgrades is helpful to ensure a sufficient number of devices remain in service at any given time while others are upgrading.

Reboot Time: Displays whether a reboot is immediate or set by an administrator for a specific time. Reboots render the device offline, so planning reboots carefully is central to ensuring a sufficient number of devices remain in service.

Progress: Lists the number of specific device types currently upgrading.

Retries: Displays the number of retries, if any, needed for an in-progress firmware upgrade operation.

Last Status: Lists the last reported upgrade and reboot status of each listed in-progress or planned upgrade operation.

Upgraded By: Lists the model of the controller, service platform or Access Point RF Domain manager that's provisioning an image to a listed device.

16 Optionally select Cancel (from the lower, right-hand corner of the screen) to cancel the upgrade of devices under the selected RF Domain. The Cancel button is enabled only if there are devices undergoing upgrade and they are selected for cancellation.

17 Select Upgrade History.

18 Refer to the following Upgrade History status:
Figure 14-6 Upgrade History screen

Hostname: Displays the administrator assigned hostname for each listed controller, service platform or Access Point that's received an update.

Device Type: Displays the controller, service platform or Access Point model upgraded by a firmware update operation.

MAC Address: Displays the device Media Access Control (MAC) or hardware address for a device that's received an update.

Result: Displays the upgrade result for each listed device.

Time: Displays the time and date of the last status received from an upgraded device.

Retries: Displays the number of retries, if any, needed for the firmware upgrade operation.

Upgraded By: Displays the administrator credentials responsible for initiating each listed upgrade operation.

Last Status: Displays the last status update received for devices that have been upgraded.

19 Select the Clear History button to clear the current update information for each listed device and begin new data collections.

14.1.3 Using the File Management Browser

Controllers and service platforms maintain a File Browser allowing an administrator to review the files residing on a controller or service platform's internal or external memory resource. Directories can be created and maintained for each File Browser location, and folders and files can be moved and deleted as an administrator deems necessary.

NOTE: The File Management tab is not available at the RF Domain level of the UI's hierarchical tree. An RF Domain must be selected and expanded to display the RF Domain's member devices. Once expanded, select an RF Domain member device to ensure the File Management UI option is available.

To administer files for managed devices and memory resources:
1 Select Operations > Devices > File Management.

Figure 14-7 File Browser screen - flash

2 Refer to the following to determine whether a file needs to be deleted or included in a new folder for the selected internal (flash, system, nvram) or external (cf, USB1-4) memory resource. The following display for each available memory resource:

File Name: Displays the name of the file residing on the selected flash, system, nvram or usb1-4 location. The name cannot be modified from this location.
Size (Kb): Displays the size of the file in kilobytes. Use this information to help determine whether the file should be moved or deleted with respect to available system memory.
Last Modified: Lists a timestamp for the last time each listed file was modified. Use this information to determine the file's relevance or whether it should be deleted.
File Type: Displays the type for each file, including binary, text or empty.

3 If needed, use the Create Folder utility to create a folder that serves as a directory for some or all of the files for a selected memory resource.
4 Select Transfer File to invoke a subscreen where the local or server file source and target (destination) are defined, as well as the file transfer protocol and external destination location or resource. For more information, see Managing File Transfers on page 14-11.
5 Optionally, use the Delete Folder or Delete File buttons to remove a folder or file from within the controller, service platform or Access Point's current memory resource.

14.1.3.1 Managing File Transfers

Controllers and service platforms can administer files on managed devices. Transfer files from a device to this controller, to a remote server, or from a remote server to the controller. An administrator can transfer logs, configurations and crash dumps. Configurations and crash dumps can contain credentials and other sensitive data, so choose the transfer destination and transport protocol accordingly.

To administer files for managed devices:
1 Select Operations > Devices > File Management.
2 Select the Transfer File button.

Figure 14-8 File Transfers screen

3 Set the following file management source and target directions, as well as the configuration parameters of the required file management activity:

Source: Select the source of the file transfer. Select Server to indicate the source of the file is a remote server. Select Local to indicate the source of the file is local to this controller or service platform.
File: If the source is Local, enter the name of the file to be transferred.
Protocol: Select the protocol for file management. Available options include tftp, ftp, sftp, http, cf and usb1-4. This parameter is required only when Server is selected as the Source. Of the network protocols, only sftp authenticates the server and encrypts the transfer; tftp, ftp and http carry the file (and, for ftp, the login) in clear text.
Port: Specify the port for transferring files. This option is not available for cf and usb1-4. Enter the port number directly or use the spinner control. This parameter is required only when Server is selected as the Source.
Host: If needed, specify a hostname or numeric IP address of the server transferring the file. This option is not valid for cf and usb1-4. If a hostname is provided, an IP address is not needed. A hostname cannot contain an underscore. This field is only available when Server is selected in the From field.
User Name: Provide a user name to access an FTP or SFTP server. This parameter is required only when Server is selected as the Source, and the selected protocol is ftp or sftp.
Password: Provide a password to access the FTP or SFTP server. This parameter is required only when Server is selected as the Source, and the selected protocol is ftp or sftp.
Path / File: Define the path to the file on the server. Enter the complete relative path to the file. This parameter is required only when Server is selected as the Source.
Target: Select the target destination to transfer the file. Select Server if the destination is a remote server, then provide a URL to the location of the server resource, or select Advanced and provide the same network address information described above. Select Local if the destination is this controller or service platform.

4 Select Copy to begin the file transfer. Selecting Reset reverts the screen to its last saved configuration.

14.1.4 Restarting Adopted Devices

Adopted devices may periodically require restarting to implement firmware updates or other maintenance activities.

NOTE: The Adopted Device Restart tab is not available at the RF Domain level of the UI's hierarchical tree. An RF Domain must be selected and expanded to display the RF Domain's member devices. Once expanded, select an RF Domain member device to ensure the Adopted Device Restart option is available.

To restart controller or service platform adopted Access Points:

1 Select Operations > Devices > Adopted Device Restart.
2 The Adopted AP Restart table displays the following information for each adopted AP:
Figure 14-9 Adopted Device Restart screen

Hostname: Displays the specified hostname for each known Access Point.
MAC Address: Displays the primary Media Access Control (MAC) or hardware address for each known Access Point.
Type: Displays the Access Point model number for each adopted Access Point.
Version: Displays the current firmware version for each adopted Access Point.
Reason: Lists the administrator defined reason an adopted device has been queued for a restart.

3 To restart an Access Point (or Access Points), select the checkbox to the left of each Access Point to restart and configure the following options:

Force Reload: To force a reload of an Access Point or Access Points, select the Force Reload checkbox next to each AP.
Delay (Seconds): Specify the amount of time, in seconds, before the Access Point restart should be executed. Delaying the restart may allow a selected Access Point to complete its current duty cycle.
Message: Displays any messages associated with each adopted Access Point.
Reload Status: Click the Reload Status button next to each adopted Access Point to display its current status information.

14.1.5 Captive Portal Configuration

A captive portal is an access policy that provides temporary and restrictive access to the controller or service platform managed wireless network. A captive portal policy provides authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and redirecting a wireless user's Web browser session to a captive portal login page, where the user must enter valid credentials to access the wireless network. Once logged into the captive portal, additional Terms and Agreement, Welcome, Fail and No Service pages provide the administrator with a number of options on screen flow and appearance.

Captive portal authentication is used primarily for guest or visitor access to the network, but is increasingly used to provide authenticated access to private network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption. Static WEP is cryptographically broken and provides no meaningful confidentiality, so it should not be relied on to protect the portal login or the user traffic.

The Captive Portal Pages screen enables the management of the client access request pages and their transfer to the controller or service platform managed wireless network.

To manage captive portal pages:
1 Select Operations > Devices > Captive Portal Pages. The AP Upload List displays by default. Use the AP Upload List to provide connected Access Points with specific captive portal configurations so they can successfully provision login, welcome and condition pages to requesting clients attempting to access the wireless network using a captive portal.

Figure 14-10 Captive Portal Pages - AP Upload List screen

2 Use the Captive Portal List drop-down menu to select an existing captive portal configuration to upload to an Access Point and display to requesting client devices as they log in and adhere to the terms set for access.

NOTE: If selecting the Captive Portal Pages screen from the System and RF Domain levels of the UI's hierarchical tree, there is an additional Upload from Controller option to the right of the Captive Portal List drop-down menu. Select this option to upload existing captive portal pages from this device's managing controller or service platform.

3 Use Scheduled Upload Time to set the time of the captive portal page upload. Select Now to start immediately. Use the date, hour and minute spinner controls to set a future date and time for the upload.

NOTE: The Scheduled Upload Time is your local system's time. It is not the Access Point, controller, service platform or VX time, and it is not synched with the device.

The All Devices table lists the hostname and MAC address of devices adopted by this Access Point.

4 At the device level, use the arrow buttons (>> > < <<) to move selected devices from the All Devices table to the Upload List table. The Upload List table displays the Access Points to which the captive portal pages are applied.
5 Select Upload from the lower right-hand side of the screen to upload the captive portal pages to the designated Access Points.
6 Select the CP Pages Image File tab.

Figure 14-11 Captive Portal Pages - CP Page Image File screen

7 Use the Captive Portal List drop-down menu to select an existing policy. This policy contains the image (or set of login and conditions pages) requesting clients will navigate and complete before being granted access to the network using the unique permissions of the captive portal.
8 Set the following protocols, ports and network address information for sending image files to captive portal provisioning Access Points:

Protocol: Define the protocol (transfer medium) used to forward the image files to the Access Points provisioning captive portal files to requesting clients. Available options include tftp, ftp, sftp and http. The protocol parameter is required only when Server is selected as the Source and the Advanced option is used.
Host: If needed, specify a hostname of the server transferring the file. This option is not valid for cf, usb1 and usb2. If a hostname is provided, an IP address is not needed. A hostname cannot contain an underscore. This field is only available when Server is selected in the From field.
Port: Specify the port for transferring files. Enter the port number directly or use the spinner control.
User Name: Provide a user name to access the FTP or SFTP server. This parameter is required only when the selected protocol is ftp or sftp.
Password: Provide a password to access the FTP or SFTP server. This parameter is required only when the selected protocol is ftp or sftp.
Path/File: Define the path to the file on the server. Enter the complete relative path to the file.

9 Select Load Image to upload the image file. Optionally, refer to the Load Image Status field to review the status of the current upload.
10 Select the Status tab.

Figure 14-12 Captive Portal Pages - Status screen

11 Refer to the Status tab to review the progress of the Captive Portal Pages upload.

Hostname: Displays the hostname of the recipient device to which the captive portal files are directed.
MAC: Displays the factory encoded MAC address of the recipient device.
State: Displays the target device's current operational state within the controller or service platform managed network.
Progress: Displays the completion progress of each captive portal upload operation.
Retries: Lists the number of retries needed to upload the captive portal files to each listed device.
Last Status: Displays the last known status of the captive portal page uploaded to each listed device.

12 Select Clear History to clear the history displayed in the Status tab and begin new data collections.
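The field rules shared by the File Transfers screen (14.1.3.1) and the CP Pages Image File screen (step 8 above) can be checked before a transfer is submitted. The following is an added example, not code from the WiNG guide or from Extreme Networks: it encodes those rules (protocol list, host without underscore, IPv4 or IPv6 literal, port range, user name and password required for ftp and sftp, no host or port for cf and usb media) and flags the transports that move the file, and for ftp the login, in clear text. The field names, the per-protocol default ports, the URL layout produced by build_url and the sample specs in the test are assumptions made for the example; check the CLI Reference Guide for the exact URL syntax the device accepts.

```python
"""Pre-flight check for a WiNG-style file-transfer specification (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Network transports the screens offer, with the IANA default port used when
# the Port spinner is left empty (assumption: the UI applies the same default).
NETWORK_PROTOCOLS = {"tftp": 69, "ftp": 21, "sftp": 22, "http": 80}
# Local media: Host and Port do not apply, the path is on the medium itself.
LOCAL_MEDIA = {"cf", "usb1", "usb2", "usb3", "usb4"}
# Transports that neither encrypt the payload nor authenticate the server;
# of the four network options only sftp provides both properties.
CLEARTEXT = {"tftp", "ftp", "http"}
# Transports for which the screen requires a User Name and Password.
NEEDS_LOGIN = {"ftp", "sftp"}

# RFC 1123 host labels: letters, digits and hyphens, no leading/trailing hyphen.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)


@dataclass
class TransferSpec:
    """The fields an administrator fills in on the transfer screen."""
    protocol: str
    path: str                      # relative path to the file on the server/medium
    host: Optional[str] = None     # hostname, IPv4 or IPv6 literal
    port: Optional[int] = None     # None means the protocol default
    user: Optional[str] = None
    password: Optional[str] = None


@dataclass
class Verdict:
    ok: bool
    errors: List[str] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def host_kind(host: str) -> str:
    """Classify a Host field as 'ipv4', 'ipv6', 'hostname' or 'invalid'."""
    try:
        return "ipv6" if ipaddress.ip_address(host).version == 6 else "ipv4"
    except ValueError:
        pass
    # The screens state a hostname cannot contain an underscore; RFC 1123
    # labels would reject it anyway, but make the reason explicit.
    if "_" in host or not HOSTNAME_RE.match(host):
        return "invalid"
    return "hostname"


def validate(spec: TransferSpec) -> Verdict:
    """Apply the screen's field rules and add transport-security warnings."""
    v = Verdict(ok=True)
    proto = spec.protocol.lower()
    if not spec.path:
        v.errors.append("Path/File is required")

    if proto in LOCAL_MEDIA:
        if spec.host is not None or spec.port is not None:
            v.errors.append(f"Host and Port do not apply to {proto}")
    elif proto in NETWORK_PROTOCOLS:
        if not spec.host:
            v.errors.append(f"Host is required for {proto}")
        elif host_kind(spec.host) == "invalid":
            v.errors.append(
                f"invalid Host {spec.host!r} (hostnames cannot contain an underscore)"
            )
        port = spec.port if spec.port is not None else NETWORK_PROTOCOLS[proto]
        if not 1 <= port <= 65535:
            v.errors.append(f"Port {port} is out of range")
        if proto in NEEDS_LOGIN and not (spec.user and spec.password):
            v.errors.append(f"{proto} requires a User Name and Password")
        if proto in CLEARTEXT:
            exposed = "file and login" if proto == "ftp" else "file"
            v.warnings.append(
                f"{proto} sends the {exposed} in clear text and does not "
                f"authenticate the server; prefer sftp for configurations "
                f"and crash dumps"
            )
    else:
        v.errors.append(f"unknown protocol {spec.protocol!r}")

    v.ok = not v.errors
    return v


def build_url(spec: TransferSpec) -> str:
    """Render the spec in a scheme://user@host:port/path form (assumed layout).

    The password is deliberately left out of the URL so it never lands in
    logs or shell history; the screen has a separate Password field for it.
    """
    proto = spec.protocol.lower()
    path = spec.path.lstrip("/")
    if proto in LOCAL_MEDIA:
        return f"{proto}:/{path}"
    host = spec.host or ""
    if host_kind(host) == "ipv6":
        host = f"[{host}]"          # IPv6 literals must be bracketed in a URL
    port = spec.port if spec.port is not None else NETWORK_PROTOCOLS[proto]
    auth = f"{spec.user}@" if spec.user else ""
    return f"{proto}://{auth}{host}:{port}/{path}"
```

Run validate() on the spec before clicking Copy or Load Image and treat any warning on a configuration or crash-dump transfer as a reason to switch the protocol to sftp; the errors mirror the cases the screen itself rejects, so the check is useful mainly when transfers are scripted rather than typed.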
14.1.6 Crypto CMP Certificate

Certificate Management Protocol (CMP) is an Internet protocol used to obtain and manage digital certificates in a Public Key Infrastructure (PKI). A Certificate Authority (CA) issues the certificates using the defined CMP. Using CMP, a device can communicate with a CMP-capable CA server, initiate a certificate request and download the required certificates from the CA server.

CMP supports several request types for a device communicating with a CMP-capable CA server. The device can initiate a request to obtain certificates from the server. It can also automatically update certificates that are about to expire. The CMP client on the controller, service platform or Access Point triggers a request to the configured CMP CA server. Once the certificate is validated and confirmed by the CA server, it is saved on the device and becomes part of the trustpoint.

During the creation of the CMP policy the trustpoint is assigned a name and client information. An administrator can use a manually created trustpoint for one service (like HTTPS) and use the CMP generated trustpoint for RADIUS EAP certificate based authentication.

To assess existing certificates and, if necessary, renew a certificate:

1 Select Operations > Devices > Crypto CMP Certificate. This option is selectable at the controller level.
2 Review the following Crypto CMP certificate information to assess whether a certificate requires renewal:

Figure 14-13 Crypto CMP Certificate screen

Hostname: Lists the administrator assigned hostname of the CMP resource requesting a certificate renewal from the CMP CA server.
MAC Address: Lists the hardware encoded MAC address of the CMP server resource.
Trust Point Name: Lists the 32 character maximum name assigned to the target trustpoint. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate.
Trust Point Valid Until: The expiration of the CMP certificate is checked once a day. When a certificate is about to expire, a certificate renewal can be initiated with the server via an existing IPsec tunnel. If the tunnel is not established, the CMP renewal request is not sent. Because the renewal is only attempted over an established tunnel, a tunnel that is down near the expiry date can let the certificate lapse; review this column and the log for renewal errors before that date.

3 Select Trigger Certificate Renewal to begin updating the credentials of the certificate. If a renewal succeeds, the newly obtained certificate overwrites the existing certificate. If the renewal fails, an error is logged.
4 Select Refresh to update the screen to the last saved configuration.

14.1.7 RAID Operations

An administrator can configure an NX7530 or NX9000 series RAID supported service platform with respect to both its collective drive array and individual drive behavior and diagnostics. The service platform's array alarm can be silenced, drive LEDs can be illuminated and stopped, drive consistency (integrity) checks can be made and the array can be prepared for drive replacements.

NOTE: RAID controller drive arrays are available within NX7530 and NX9000 series service platforms (NX9000, NX9500 and NX9510 models) only. However, they can be administered on behalf of a profile by a different model service platform or controller.

To administer the service platform's drive array and its member drives:
NOTE: The RAID tab is not available at the RF Domain level of the UI's hierarchical tree. An RF Domain must be selected and expanded to display the RF Domain's member devices. Once expanded, select an RF Domain member NX7530, NX9000, NX9500 or NX9510 model device to ensure the RAID option is available.

1 Select Operations > Devices > RAID.
2 Conduct the following array diagnostic operations from within the RAID Manage Array field:

Figure 14-14 RAID screen

silence: Select silence to stop (silence) the service platform's RAID controller array alarm. When a drive is rendered offline for any reason, the service platform's array controller alarm is invoked.
locate-stop: Select locate-stop to stop the LEDs of all the drives within the array.
check-start: Select check-start to initiate a consistency check on the RAID array.

3 Conduct the following drive diagnostic operations from within the RAID Manage Drive field:

remove: Select remove to prepare a selected drive for physical removal from the drive array. The remove command can be applied to either an online or hot spare drive. Once a new drive is installed, it must be prepared for active array utilization.
install: Select install to dedicate a selected drive to repairing a degraded array and begin an array rebuild operation.
spare: Select spare to define a selected unused drive as a hot spare that can be dedicated as an active array drive if one of the two online array drives were to fail.
locate: Select locate to flash a selected drive's LED so it can be easily located within the drive array.

4 Select Execute to initiate the selected command from either the RAID Manage Array or RAID Manage Drive fields.

To view the service platform's current RAID array status, drive utilization and consistency check information, refer to RAID Statistics on page 15-114.

14.1.8 Re-elect Controller

Use the Controller Re-election screen to identify available Access Point resources within a selected RF Domain and optionally make some, or all, of the Access Points available to initiate tunnel connections.

NOTE: Take care when selecting Access Points for controller re-election, as client connections may be broken upon re-election. Ensure an elected Access Point's client load can be compensated by another Access Point in the same RF Domain.

To re-elect controller adoption resources for tunnel establishment:
NOTE: The Re-elect Controller tab is only available at the RF Domain level of the UI's hierarchical tree and is not available for individual controllers, service platforms and Access Points.

1 Select Operations.
2 Ensure an RF Domain is selected from the Operations menu on the top, left-hand side of the screen. Otherwise, the Re-elect Controller screen cannot be located, as it does not display at either the system or device levels of the hierarchical tree.
3 Select the Re-elect Controller tab.

Figure 14-15 Re-elect Controller screen

4 Refer to the Available APs column, and use the > button to move the selected Access Point into the list of Selected APs available for RF Domain Manager candidacy. Use the >> button to move all listed Access Points into the Selected APs table. The re-election process can be achieved through the selection of an individual Access Point, or through the selection of several Access Points with a specific Tunnel Controller Name matching the selected Access Points.
5 Select Re-elect to designate the Selected AP(s) as resources capable of tunnel establishment.

14.2 Certificates

A certificate links identity information with a public key enclosed in the certificate. A certificate authority (CA) is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the CA's own certificate, called the CA certificate. A browser must contain this CA certificate in its Trusted Root Library so it can trust certificates signed by the CA's private key. Depending on the public key infrastructure, the digital certificate includes the owner's public key, the certificate expiration date, the owner's name and other public key owner information.
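The trust relationships described above, and the revocation point made later under Import CRL and Import Signed Cert in 14.2.1 (a CA-issued certificate can be withdrawn through a CRL, a self-signed one cannot), can be reproduced with a throw-away CA on any machine that has the openssl command line. The script below is an added example, not code from the WiNG guide or from Extreme Networks: the names Demo-CA and ap-1, the working directory and the minimal "openssl ca" configuration are assumptions made for the example. It issues a device certificate from a CSR, verifies it against the CA certificate, then revokes it and shows that the revocation is only visible when the CRL is actually consulted.

```shell
#!/bin/sh
# Added example (not part of the WiNG guide): a throw-away CA built with the
# openssl command line to demonstrate CA trust and CRL-based revocation.
# Assumptions: openssl is on PATH; Demo-CA and ap-1 are placeholder names.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build the CA and issue one device certificate from a CSR, the same flow a
# device follows when a CSR generated on it is signed by an external CA.
pki_setup() {
    mkdir -p "$WORK/newcerts"
    : > "$WORK/index.txt"
    echo 01 > "$WORK/serial"
    echo 01 > "$WORK/crlnumber"

    # Minimal configuration for "openssl ca": it needs a database, a serial
    # file, the CA key pair and a subject-name policy.
    cat > "$WORK/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca

[ demo_ca ]
database         = $WORK/index.txt
new_certs_dir    = $WORK/newcerts
serial           = $WORK/serial
crlnumber        = $WORK/crlnumber
certificate      = $WORK/ca.crt
private_key      = $WORK/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy

[ demo_policy ]
commonName = supplied
EOF

    # Self-signed CA certificate: the "CA certificate" a relying party must
    # hold in its trust store. The CA private key never leaves ca.key.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Demo-CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

    # Device key pair and CSR; only the CSR (public key + name) leaves the device.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=ap-1" -keyout "$WORK/ap-1.key" -out "$WORK/ap-1.csr" 2>/dev/null

    # The CA signs the CSR with its private key; the resulting identity
    # certificate carries only the device's public key.
    openssl ca -config "$WORK/ca.cnf" -batch -notext -days 365 \
        -in "$WORK/ap-1.csr" -out "$WORK/ap-1.crt" 2>/dev/null

    # A self-signed device certificate for comparison: no issuer, so no CRL.
    openssl req -x509 -new -key "$WORK/ap-1.key" -sha256 -days 365 \
        -subj "/CN=ap-1-selfsigned" -out "$WORK/ap-1-self.crt" 2>/dev/null
}

# Chain check against the CA certificate only; exit status 0 means trusted.
verify_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# Same check, but the CA's CRL is loaded and consulted (-crl_check).
verify_cert_with_crl() {
    openssl verify -crl_check -CAfile "$WORK/ca.crt" -CRLfile "$WORK/ca.crl" \
        "$1" >/dev/null 2>&1
}

# Revoke the device certificate (the "private key compromised" case) and
# publish a fresh CRL signed by the CA.
revoke_device_cert() {
    openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/ap-1.crt" 2>/dev/null
    openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/ca.crl" 2>/dev/null
}

demo() {
    pki_setup
    echo "CA-issued cert verifies:        $(verify_cert "$WORK/ap-1.crt" && echo yes || echo no)"
    echo "self-signed cert verifies:      $(verify_cert "$WORK/ap-1-self.crt" && echo yes || echo no)"
    revoke_device_cert
    echo "after revocation, without CRL:  $(verify_cert "$WORK/ap-1.crt" && echo yes || echo no)"
    echo "after revocation, with CRL:     $(verify_cert_with_crl "$WORK/ap-1.crt" && echo yes || echo no)"
}

if [ "${1-}" = "run" ]; then demo; fi
```

Run it with "run" as the first argument. In terms of the screens in 14.2.1, ca.crt is the kind of file the Import CA step takes, ca.crl the Import CRL step and ap-1.crt the Import Signed Cert step. The last two lines of output make the practical point: a revoked certificate still verifies for any relying party that has the CA certificate but not the CRL, so importing and refreshing the CRL is what makes revocation effective.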
Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporation or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.

SSH keys are a pair of cryptographic keys used to authenticate users instead of, or in addition to, a username/password. One key is private and the other is public. Secure Shell (SSH) public key authentication can be used by a client to access managed resources, if properly configured. An RSA key pair must be generated on the client. The public portion of the key pair resides with the controller or service platform, while the private portion remains in a secure local area of the client and is never transferred.

For more information on the certification activities supported by the controller or service platform, refer to the following:

Certificate Management
RSA Key Management
Certificate Creation
Generating a Certificate Signing Request

14.2.1 Certificate Management

If not wanting to use an existing certificate or key with a selected device, an existing stored certificate can be leveraged from a different managed device for use with the target device. Device certificates can be imported and exported to and from the controller or service platform to a secure remote location for archive and retrieval as they are required for application to other managed devices.

To configure trustpoints for use with certificates:
1 Select Operations > Manage Certificates.
2 Select a device from amongst those displayed in either the RF Domain or Network panes on the left-hand side of the screen.

Figure 14-16 Manage Certificates screen

3 Select a device from amongst those displayed to review its certificate usage within the controller or service platform managed network.
4 Refer to the All Certificate Details to review the certificate's properties, self-signed credentials, validity period and CA information.
5 To import a certificate to the controller or service platform, select the Import button from the bottom of the Manage Certificates screen. An Import New Trustpoint screen displays where CA certificates, CRLs and signed certificates can optionally be imported to the controller or service platform once the network credentials of the file transfer have been defined.

Figure 14-17 Import New Trustpoint screen

6 To optionally import a CA certificate to the controller or service platform, select the Import CA button from the Import New Trustpoint screen. A CA is a network authority that issues and manages security credentials and public keys for message encryption. The CA signs all digital certificates it issues with its own private key. The corresponding public key is contained within the CA certificate. Importing a CA certificate makes the device trust every certificate that CA signs, so verify the certificate's fingerprint out of band before importing it, particularly when it is fetched over tftp, ftp or http, which do not authenticate the server.
7 Define the following configuration parameters required for the Import CA of the CA certificate:

Figure 14-18 Import New Trustpoint - Import CA screen

Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA specific configuration parameters, and an association with an enrolled identity certificate.
URL: Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information for the location of the target trustpoint. The number of additional fields populating the screen depends on the selected protocol.
Advanced / Basic: Click the Advanced or Basic link to switch between a basic URL and an advanced location to specify the trustpoint location.
Protocol: Select the protocol used for importing the target CA certificate. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted IP address of the server from which the CA certificate is imported. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path or filename of the CA certificate. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing trustpoint into the cut and paste field. When pasting, no additional network address information is required.

8 Select OK to import the defined CA certificate. Select Cancel to revert the screen to its last saved configuration.
9 Select the Import CRL button from the Import New Trustpoint screen to optionally import a CRL to the controller or service platform. If a certificate displays within the Certificate Management screen with a CRL, that CRL can be imported into the controller or service platform. A certificate revocation list (CRL) is a list of certificates that have been revoked or are no longer valid. A certificate can be revoked if the CA had improperly issued a certificate, or if a private key is compromised. The most common reason for revocation is the user no longer being in sole possession of the private key. For information on creating a CRL to use with a trustpoint, refer to Setting the Profile's Certificate Revocation List (CRL) Configuration on page 8-166.

Figure 14-19 Import New Trustpoint - Import CRL screen

10 Define the following configuration parameters required for the Import of the CRL:
Trustpoint Name: Enter the 32 character maximum name assigned to the target trustpoint signing the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.
From Network: Select the From Network radio button to provide network address information for the location of the target CRL. The number of additional fields that populate the screen depends on the selected protocol. This is the default setting.
URL: Provide the complete URL to the location of the CRL. If needed, select Advanced to expand the dialog to display network address information for the location of the CRL. The number of additional fields that populate the screen depends on the selected protocol.
Protocol: Select the protocol used for importing the CRL. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted IP address of the server from which the CRL is imported. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the CRL. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing CRL into the cut and paste field. When pasting a CRL, no additional network address information is required.

11 Select OK to import the CRL. Select Cancel to revert the screen to its last saved configuration.
12 To import a signed certificate to the controller or service platform, select Import Signed Cert from the Import New Trustpoint screen. Self-signed certificates (root certificates are themselves self-signed) avoid the use of public or private CAs. A self-signed certificate is an identity certificate signed by its own creator, so the creator alone vouches for its legitimacy and no third party checks the issuance for mistakes. A self-signed certificate cannot be revoked: if its private key is compromised, an attacker positioned to monitor and inject data into a connection can keep impersonating that identity for the certificate's lifetime. A CA, by contrast, can revoke a compromised certificate through its CRL, preventing its further use.

Figure 14-20 Import New Trustpoint - Import Signed Cert

13 Define the following parameters required for the Import of the Signed Certificate:
Trustpoint Name: Enter the 32 character maximum trustpoint name with which the certificate should be associated.
From Network: Select the From Network radio button to provide network address information for the location of the signed certificate. The number of additional fields that populate the screen depends on the selected protocol. From Network is the default setting.
URL: Provide the complete URL to the location of the signed certificate. If needed, select Advanced to expand the dialog to display network address information for the location of the signed certificate. The number of additional fields populating the screen depends on the selected protocol.
Protocol: Select the protocol for importing the signed certificate. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted IP address of the server from which the trustpoint is imported. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the signed certificate. Enter the complete relative path to the file on the server.
Cut and Paste: Select the Cut and Paste radio button to simply copy an existing signed certificate into the cut and paste field. When pasting a signed certificate, no additional network address information is required.

14 Select OK to import the signed certificate. Select Cancel to revert the screen to its last saved configuration.
15 To optionally export a trustpoint from the controller or service platform to a remote location, select the Export button from the Certificate Management screen. Once a certificate has been generated on the controller or service platform's authentication server, export the self-signed certificate. A CA certificate and a device's self-signed certificate serve different purposes, but both contain only a public key; a private key is never embedded in a certificate. Because a trustpoint is associated with an RSA key (see the Delete RSA Key option in step 18 and RSA Key Management), treat any trustpoint export that includes key material as a secret and transfer it only over sftp to a controlled location. Export the self-signed certificate for publication on a Web server or file server for certificate deployment, or export it into an Active Directory group policy for automatic root certificate deployment.
16 Define the following configuration parameters required for the Export of the trustpoint:

Figure 14-21 Certificate Management - Export Trustpoint screen

Trustpoint Name: Enter the 32 character maximum name assigned to the trustpoint.
The trustpoint signing the certificate can be a certificate authority, corporation or individual.
URL: Provide the complete URL to the location of the trustpoint. If needed, select Advanced to expand the dialog to display network address information for the location of the trustpoint. The number of additional fields that populate the screen depends on the selected protocol.
Protocol: Select the protocol used for exporting the target trustpoint. Available options include tftp, ftp, sftp, http, cf and usb1-4.
Port: Use the spinner control to set the port. This option is not valid for cf and usb1-4.
Host: Provide the hostname or numeric IPv4 or IPv6 formatted address of the server to which the trustpoint is exported. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore.
Path/File: Specify the path to the trustpoint. Enter the complete relative path to the file on the server.

17 Select OK to export the defined trustpoint. Select Cancel to revert the screen to its last saved configuration.
18 To optionally delete a trustpoint, select the Delete button from within the Certificate Management screen. Provide the trustpoint name within the Delete Trustpoint screen and optionally select Delete RSA Key to remove the RSA key along with the trustpoint. Select OK to proceed with the deletion, or Cancel to revert to the Certificate Management screen. Key deletion cannot be undone, so export a backup first if the key may still be needed.

14.2.2 RSA Key Management

Refer to the RSA Keys screen to review existing RSA key configurations applied to managed devices. If an existing key does not meet the needs of a pending certificate request, generate a new key or import/export an existing key to and from a remote location.

Rivest, Shamir and Adleman (RSA) is an algorithm for public key cryptography. It can be used for certificate signing and encryption. When a device trustpoint is created, the RSA key is the private key used with the trustpoint.

To review existing device RSA key configurations, generate additional keys or import/export keys to and from remote locations:

1 Select the RSA Keys tab from the Certificate Management screen.
2 Select a listed device to review its current RSA key configuration.

Figure 14-22 Certificate Management - RSA Keys screen

Each key can have its size and character syntax displayed. Once reviewed, optionally generate a new RSA key, import a key from a selected device, export a key from the controller or service platform to a remote location, or delete a key from a selected device. An exported RSA key is a private key: treat the export file as a secret and avoid cleartext transfer protocols for it.

3 Select Generate Key to create a new key with a defined size.
4 Define the following configuration parameters required for the Import of the key:
Figure 14-23 Certificate Management - Generate RSA Keys screen Key Name Key Size Enter the 32 character maximum name assigned to the RSA key. Set the size of the key as either 2048 (bits) or 4096 (bits). Leaving this value at the default setting of 2048 is recommended to ensure optimum functionality. 5 Select OK to generate the RSA key. Select Cancel to revert the screen to its last saved configuration. 6 To optionally import a CA certificate to the controller or service platform, select the Import button from the Certificate Management > RSA Keys screen. Wireless Controller and Service Platform System Reference Guide 33 Operations 7 Define the following parameters required for the Import of the RSA key:
Figure 14-24 Certificate Management - Import New RSA Key screen Key Name Key Passphrase URL Enter the 32 character maximum name assigned to identify the RSA key. Define the key used by both the controller or service platform and the server (or repository) of the RSA key. Select the Show to expose the actual characters used in the passphrase. Leaving the Show unselected displays the passphrase as a series of asterisks *. Provide the complete URL to the location of the RSA key. If needed, select Advanced to expand the dialog to display network address information to the location of the target key. The number of additional fields that populate the screen is dependent on the selected protocol. Advanced / Basic Select either the Advanced or Basic link to switch between a basic URL and an advanced location to specify key location. Protocol Select the protocol used for importing the target key. Available options include:
tftp ftp sftp http cf usb1-4 Port Use the spinner control to set the port. This option is not valid for cf and usb1-4. Wireless Controller and Service Platform System Reference Guide 34 Operations Host Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to import the RSA key. IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore. Path/File Specify the path to the RSA key. Enter the complete relative path to the key on the server. 8 Select OK to import the defined RSA key. Select Cancel to revert the screen to its last saved configuration. 9 To optionally export a RSA key from the controller or service platform to a remote location, select the Export button from the Certificate Management > RSA Keys screen. Export the key to a redundant RADIUS server to import it without generating a second key. If theres more than one RADIUS authentication server, export the certificate and dont generate a second key unless you want to deploy two root certificates. 10 Define the following configuration parameters required for the Export of the RSA key. Figure 14-25 Certificate Management - Export RSA Key screen Key Name Key Passphrase Enter the 32 character maximum name assigned to the RSA key. Define the key passphrase used by both the controller or service platform and the server. Select Show to expose the actual characters used in the passphrase. Leaving the Show unselected displays the passphrase as a series of asterisks *. Wireless Controller and Service Platform System Reference Guide 35 Operations URL Protocol Port Host Provide the complete URL to the location of the key. If needed, select Advanced to expand the dialog to display network address information to the location of the target key. 
The number of additional fields that populate the screen is dependent on the selected protocol. Select the protocol used for exporting the RSA key. Available options include:
tftp ftp sftp http cf usb1-4 Use the spinner control to set the port. This option is not valid for cf and usb1-4. Provide the hostname or numeric IPv4 or IPv6 formatted address of the server used to export the RSA key. IPV6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Providing a host is not required for cf and usb1-4. A hostname cannot contain an underscore. Path/File Specify the path to the key. Enter the complete relative path to the key on the server. 11 Select OK to export the defined RSA key. Select Cancel to revert the screen to its last saved configuration. 12 To optionally delete a key, select the Delete button from within the Certificate Management > RSA Keys screen. Provide the key name within the Delete RSA Key screen and select Delete Certificates to remove the certificate. Select OK to proceed with the deletion, or Cancel to revert back to the Certificate Management screen. 14.2.3 Certificate Creation Certificates The Create Certificate screen provides the facility for creating new self-signed certificates. Self signed certificates
(often referred to as root certificates) do not use public or private CAs. A self signed certificate is a certificate signed by its own creator, with the certificate creator responsible for its legitimacy. To create a self-signed certificate that can be applied to a managed device:
1 Select the Create Certificate tab from the Certificate Management screen.
2 Define the following configuration parameters required to Create New Self-Signed Certificate:

Figure 14-26 Certificate Management - Create Certificate screen

Certificate Name: Enter the 32 character maximum name assigned to identify the name of the trustpoint associated with the certificate. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters, and an association with an enrolled identity certificate.

RSA Key: To create a new RSA key, select Create New to define a 32 character maximum name used to identify the RSA key. Set the size of the key (2048 or 4096 bits). Leave this value at the default setting of 2048 to ensure optimum functionality. To use an existing key, select Use Existing and select a key from the drop-down menu.

3 Set the following Certificate Subject Name parameters required for the creation of the certificate:

Certificate Subject Name: Select either auto-generate to automatically create the certificate's subject credentials or user-configured to manually enter the credentials of the self signed certificate. The default setting is auto-generate.

Country (C): Define the Country used in the certificate. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters.

State (ST): Enter a State/Prov. for the state or province name used in the certificate. This is a required field.

City (L): Enter a City to represent the city used in the certificate. This is a required field.

Organization (O): Define an Organization for the organization represented in the certificate. This is a required field.

Organizational Unit (OU): Enter an Org. Unit for the organization unit represented in the certificate. This is a required field.

Common Name (CN): If there is a common name (IP address) for the organizational unit issuing the certificate, enter it here.

4 Select the following Additional Credentials required for the generation of the self signed certificate:

Email Address: Provide an Email Address used as the contact address for issues relating to this certificate request.

Domain Name: Enter a fully qualified domain name (FQDN). An FQDN is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. To distinguish an FQDN from a regular domain name, a trailing period is added. For example, somehost.example.com. An FQDN differs from a regular domain name by its absoluteness, since a suffix is not added.

IP Address: Specify the IP address used as the destination for certificate requests.

5 Select the Generate Certificate button at the bottom of the Create Certificate screen to produce the certificate.

14.2.4 Generating a Certificate Signing Request

A certificate signing request (CSR) is a message from a requestor to a certificate authority to apply for a digital identity certificate. The CSR is composed of a block of encrypted text generated on the server the certificate will be used on. It contains information included in the certificate, including organization name, common name (domain name), locality, and country.

An RSA key must be either created or applied to the certificate request before the certificate can be generated. A private key is not included in the CSR, but is used to digitally sign the completed request. The certificate created with a particular CSR only works with the private key generated with it. If the private key is lost, the certificate is no longer functional. The CSR can be accompanied by other identity credentials required by the certificate authority, and the certificate authority maintains the right to contact the applicant for additional information. If the request is successful, the CA sends an identity certificate digitally signed with the private key of the CA.

To create a CSR:
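The key, CSR and certificate relationship described in 14.2.3 and 14.2.4, shown on the openssl command line as an added example. This is not material from the guide and not a WiNG command; the WiNG GUI steps follow below. It assumes openssl 1.1.1 or later is installed; the file names, subject fields and subjectAltName values are constructed for the example. The last two functions are the checks worth running before importing a CA-signed certificate into a trustpoint: verify the CSR's own signature, and confirm that the RSA modulus in the returned certificate equals that of the private key, because a certificate issued for a CSR is only usable with the key that CSR was generated from.

```shell
#!/bin/sh
# Added example, not from the WiNG guide: builds the RSA key, a self-signed root
# certificate (14.2.3) and a CSR (14.2.4) with the openssl CLI, then runs the
# checks worth doing before importing a CA-signed certificate into a trustpoint.
# Assumes openssl 1.1.1 or later (for -addext). Paths and subject values are constructed.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
KEY="$WORKDIR/trustpoint.key"        # private key behind the trustpoint
OTHER_KEY="$WORKDIR/unrelated.key"   # a second key, to show a mismatch
ROOT_CRT="$WORKDIR/root.crt"         # self-signed (root) certificate
CSR="$WORKDIR/request.csr"           # request to hand to the CA

# Certificate Subject Name fields (C, ST, L, O, OU, CN) as on the Create CSR screen.
SUBJ="/C=US/ST=California/L=San Jose/O=Example Corp/OU=Wireless/CN=wlc.example.com"
# Additional Credentials (email, FQDN, IP) are carried in the subjectAltName extension.
SAN="subjectAltName=email:pki-admin@example.com,DNS:wlc.example.com,IP:192.0.2.10"

# Generate an RSA private key; the guide offers 2048 or 4096 bits and recommends 2048.
gen_key() {   # $1 = output path, $2 = size in bits
    openssl genrsa -out "$1" "$2" 2>/dev/null
}

# Print the modulus size of an RSA private key, e.g. 2048.
key_bits() {   # $1 = key path
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Self-signed certificate: issued and signed by its own key, no external CA involved.
gen_self_signed() {   # $1 = key path, $2 = output certificate path
    openssl req -new -x509 -days 365 -key "$1" -subj "$SUBJ" -addext "$SAN" -out "$2" 2>/dev/null
}

# CSR: carries the subject and the public key and is signed with the private key,
# which never leaves the device.
gen_csr() {   # $1 = key path, $2 = output CSR path
    openssl req -new -key "$1" -subj "$SUBJ" -addext "$SAN" -out "$2" 2>/dev/null
}

# True when a certificate's issuer equals its subject, i.e. it is self-signed.
is_self_signed() {   # $1 = certificate path
    subj="$(openssl x509 -in "$1" -noout -subject)"
    iss="$(openssl x509 -in "$1" -noout -issuer)"
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Verify the CSR's signature before sending it to the CA; the signature is what
# binds the request to the key it was generated with.
csr_signature_ok() {   # $1 = CSR path
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# A certificate is only usable with the key its CSR was generated from: the RSA
# modulus in the certificate must equal the modulus of the private key.
cert_matches_key() {   # $1 = certificate path, $2 = key path
    cert_mod="$(openssl x509 -in "$1" -noout -modulus)"
    key_mod="$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)"
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

demo() {
    gen_key "$KEY" 2048
    gen_key "$OTHER_KEY" 2048
    gen_self_signed "$KEY" "$ROOT_CRT"
    gen_csr "$KEY" "$CSR"
    echo "key size:          $(key_bits "$KEY") bits"
    is_self_signed "$ROOT_CRT" && echo "root certificate:  subject == issuer (self-signed)"
    csr_signature_ok "$CSR" && echo "CSR signature:     verify OK"
    cert_matches_key "$ROOT_CRT" "$KEY" && echo "cert vs own key:   modulus matches"
    cert_matches_key "$ROOT_CRT" "$OTHER_KEY" || echo "cert vs other key: modulus differs, import would fail"
    openssl req -in "$CSR" -noout -subject
}

demo
```

Run it as a script: it prints the key size, the subject/issuer comparison for the self-signed certificate, the CSR verification result, and the modulus comparison against both the original key and an unrelated key. The modulus check is the one to repeat on the certificate the CA returns, against the key stored under the trustpoint, before using the Import button.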
1 Select Operations > Certificates.
2 Select a device from amongst those displayed in either the RF Domain or Network panes on the left-hand side of the screen.
3 Select Create CSR.
4 Define the following configuration parameters required to Create New Certificate Signing Request (CSR):

Figure 14-27 Create CSR screen

RSA Key: To create a new RSA key, select Create New to define a 32 character maximum name used to identify the RSA key. Set a 2,048 bit key. To use an existing key, select Use Existing and select a key from the drop-down menu.

5 Set the following Certificate Subject Name parameters:

Certificate Subject Name: Select either the auto-generate radio button to automatically create the certificate's subject credentials or select user-configured to manually enter the credentials of the self signed certificate. The default setting is auto-generate.

Country (C): Define the Country used in the CSR. The field can be modified by the user to other values. This is a required field and must not exceed 2 characters.

State (ST): Enter a State/Prov. for the state or province name used in the CSR. This is a required field.

City (L): Enter a City to represent the city name used in the CSR. This is a required field.

Organization (O): Define an Organization for the organization used in the CSR. This is a required field.

Organizational Unit (OU): Enter an Org. Unit for the name of the organization unit used in the CSR. This is a required field.

Common Name (CN): If there is a common name (IP address) for the organizational unit issuing the certificate, enter it here.

6 Select the following Additional Credentials required for the generation of the CSR:

Email Address: Provide an email address used as the contact address for issues relating to this CSR.

Domain Name: Enter a fully qualified domain name (FQDN). An FQDN is an unambiguous domain name that specifies the node's position in the DNS tree hierarchy absolutely. A trailing period is added to distinguish an FQDN from a regular domain name. For example, somehost.example.com. An FQDN differs from a regular domain name by its absoluteness, since a suffix is not added.

IP Address: Specify the IP address used as the controller or service platform destination for certificate requests.

7 Select the Generate CSR button at the bottom of the screen to produce the CSR.

14.3 Smart RF

Self Monitoring At Run Time RF Management (Smart RF) is an innovation designed to simplify RF configurations for new deployments, while (over time) providing on-going deployment optimization and radio performance improvements.

The Smart RF functionality scans the managed network to determine the best channel and transmit power for each wireless controller managed Access Point radio. Smart RF policies can be applied to specific RF Domains, to apply site specific deployment configurations and self recovery values to groups of devices within pre-defined physical RF coverage areas.

Smart RF also provides self recovery functions by monitoring the managed network in real-time and provides automatic mitigation from potentially problematic events such as radio interference, coverage holes and radio failures. Smart RF employs self recovery to enable a WLAN to better maintain wireless client performance and site coverage during dynamic RF environment changes, which typically require manual reconfiguration to resolve.

Smart RF is supported in standalone and clustered environments. In standalone environments, the individual controller or service platform manages the calibration and monitoring phases.
In clustered environments, a single controller or service platform is elected the Smart Scan master and the remaining cluster members operate as Smart RF clients. In cluster operation, the Smart Scan master coordinates calibration and configuration and, during the monitoring phase, receives information from the Smart RF clients.

Smart RF calibration can be triggered manually or continues at run-time, all the time. Smart RF is supported on wireless controllers managing Access Points in either standalone or clustered environments. Within the Operations node, Smart RF is managed within selected RF Domains, using the Access Points that comprise the RF Domain and their respective radio and channel configurations as the basis to conduct Smart RF calibration operations.

14.3.1 Managing Smart RF for an RF Domain

When calibration is initiated, Smart RF instructs adopted radios (within a selected RF Domain) to beacon on a specific legal channel, using a specific transmit power setting. Smart RF measures the signal strength of each beacon received from both managed and unmanaged neighboring APs to define an RF map of the neighboring radio coverage area. Smart RF uses this information to calculate each managed radio's RF configuration as well as assign radio roles, channel and power.

Within a well planned RF Domain, any associated radio should be reachable by at least one other radio. The Smart RF feature records signals received from its neighbors. Access Point to Access Point distance is recorded in terms of signal attenuation. The information is used during channel assignment to minimize interference.

To conduct Smart RF calibration for an RF Domain:

1 Select Operations > Smart RF.
2 Expand the System node in the upper, left-hand side of the user interface to display the RF Domains available for Smart RF calibration.
3 Select an RF Domain from amongst those displayed. The Smart RF screen displays information specific to the devices within the selected RF Domain using data from the last interactive calibration.
4 Refer to the following to determine whether a Smart RF calibration or an interactive calibration is required:

Figure 14-28 Smart RF screen

Hostname: Displays the assigned Hostname for each member of the RF Domain.

AP MAC Address: Displays the hardware encoded MAC address assigned to each Access Point radio within the selected RF Domain. This value cannot be modified as part of a calibration activity.

Radio MAC Address: Displays the hardware encoded MAC address assigned to each Access Point radio within the selected RF Domain. This value cannot be modified as part of a calibration activity.

Radio Index: Displays a numerical index assigned to each listed Access Point radio when it was added to the managed network. This index helps distinguish this radio from others within this RF Domain with similar configurations. This value is not subject to change as a result of a calibration activity, but each listed radio index can be used in Smart RF calibration.

Old Channel: Lists the channel originally assigned to each listed Access Point MAC address within this RF Domain. This value may have been changed as part of an Interactive Calibration process applied to this RF Domain. Compare this Old Channel against the Channel value to the right of it (in the table) to determine whether a new channel assignment was warranted to compensate for a coverage hole.

Channel: Lists the current channel assignment for each listed Access Point, as potentially updated by an Interactive Calibration. Use this data to determine whether a channel assignment was modified as part of an Interactive Calibration. If a revision was made to the channel assignment, a coverage hole was detected on the channel as a result of a potentially failed or under performing Access Point radio within this RF Domain.

Old Power: Lists the transmit power assigned to each listed Access Point MAC address within this RF Domain. The power level may have been increased or decreased as part of an Interactive Calibration process applied to this RF Domain. Compare this Old Power level against the Power value to the right of it (in the table) to determine whether a new power level was warranted to compensate for a coverage hole.

Power: This column displays the transmit power level for the listed Access Point MAC address after an Interactive Calibration resulted in an adjustment. This is the new power level defined by Smart RF to compensate for a coverage hole.

Smart Sensor: Defines whether a listed Access Point is a smart sensor on behalf of the other Access Point radios comprising the RF Domain.

State: Displays the current state of the Smart RF managed Access Point radio. Possible states include: Normal, Offline and Sensor.

Type: Displays the radio type (802.11an, 802.11bgn etc.) of each listed Access Point radio within the selected RF Domain.

5 Select the Refresh button (as needed) to update the contents of the Smart RF screen and the attributes of the devices within the selected RF Domain.
6 Select the Clear Config button to remove a displayed Smart RF configuration.
7 Select the Clear History button to revert the statistics counters to zero to begin a new assessment.

15 Statistics

This chapter describes statistics displayed by the graphical user interface (GUI). Statistics are available for controllers or service platforms and their managed devices.

A Smart RF statistical history is available to assess adjustments made to device configurations to compensate for detected coverage holes or device failures.

Statistics display detailed information about controller or service platform peers, health, device inventories, wireless client associations, adopted AP information, rogue APs and WLANs. Access Point statistics can be exclusively displayed to validate connected Access Points, their VLAN assignments and their current authentication and encryption schemes.

Wireless client statistics are available for an overview of client health. Wireless client statistics include RF quality, traffic utilization and user details. Use this information to assess if configuration changes are required to improve network performance.

Guest access statistics are also available for the periodic review of wireless clients requesting the required pass code, authentication and access into the WiNG managed guest network.

For more information, see:

System Statistics
RF Domain Statistics
Controller Statistics
Access Point Statistics
Wireless Client Statistics
Guest Access Statistics

NOTE: NOC controllers (NX9000, NX9500, NX9510, NX7500, and RFS6000) can utilize an analytics developer interface as an additional tool available to administrators to review specific APIs in granular detail. For more information, see Analytics Developer Interface on page 15-332.

15.1 System Statistics

The System screen displays information supporting managed devices or peer controllers. Use this information to assess the overall state of the devices comprising the system. System data is organized as follows:
Inventory
Health
Adopted Devices
Pending Adoptions
Offline Devices
Device Upgrade
Licenses
WIPS Summary

15.1.1 Health

The Health screen displays the overall performance of the controller or service platform managed network (system). This includes device availability, overall RF quality, resource utilization and network threat perception.

To display the health of the wireless controller managed network:

1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Health from the left-hand side of the UI.

Figure 15-1 System - Health screen

4 The Devices field displays the total number of devices in the controller or service platform managed network. The pie chart is a proportional view of how many devices are functional and currently online. Green indicates online devices and red offline devices detected within the controller or service platform managed network.
5 The Offline Devices table displays a list of detected devices in the network that are currently offline but available as potential managed resources. The table displays the number of offline devices within each impacted RF Domain. Assess whether the configuration of a particular RF Domain is contributing to an excessive number of offline devices.
6 The Traffic Utilization table displays the top 5 RF Domains with the most effective resource utilization. Utilization is dependent on the number of devices connected to the RF Domain.

Top 5: Displays the top 5 RF Domains in terms of usage index. Utilization index is a measure of how efficiently the domain is utilized. This value is defined as a percentage of current throughput relative to the maximum possible throughput. The values are:
0-20 Very low utilization
20-40 Low utilization
40-60 Moderate utilization
60 and above High utilization

RF Domain: Displays the name of the RF Domain.

Client Count: Displays the number of wireless clients associated with the RF Domain.

7 The Device Types table displays the kinds of devices detected within the system. Each device type displays the number currently online and offline.
8 Use the RF Quality table to isolate poorly performing radio devices within specific RF Domains. This information is a starting point to improving the overall quality of the wireless controller managed network. The RF Quality area displays the RF Domain performance. Quality indices are:
0-50 (Poor)
50-75 (Medium)
75-100 (Good)

The RF Quality field displays the following:

Worst 5: Displays five RF Domains with the lowest quality indices in the wireless controller managed network. The value can be interpreted as:
0-50 Poor quality
50-75 Medium quality
75-100 Good quality

RF Domain: Displays the name of the RF Domain wherein system statistics are polled for the poorly performing device.

9 The System Security table defines a Threat Level as an integer value indicating a potential threat to the system. It is an average of the threat indices of all the RF Domains managed by the wireless controller.

Threat Level: Displays the threat perception value. This value can be interpreted as:
0-2 Low threat level
3-4 Moderate threat level
5 High threat level

RF Domain: Displays the name of the target RF Domain for which the threat level is displayed.

10 Select Refresh at any time to update the statistics counters to their latest values.

15.1.2 Inventory

The Inventory screen displays information about the physical hardware managed within the system by its member controllers or service platforms. Use this information to assess the overall performance of wireless controller managed devices.

To display the inventory statistics:
1 Select the Statistics menu from the Web UI. 2 Select the System node from the left navigation pane. 3 Select Inventory from the left-hand side of the UI. Figure 15-2 System - Inventory screen 4 The Devices field displays an exploded pie chart depicting controller, service platform and Access Point device type distribution by model. The device on the left displays managing controller models. Select View Legends to assess connected Access Points. Use this information to assess whether these are the correct models for the original deployment objective. 5 The Radios table displays radios deployed within the wireless controller managed network. This area displays the total number of managed radios and top 5 RF Domains in terms of radio count. The Total Radios value is the total number of radios in this system. Top Radio Count RF Domain Last Update Displays the radios index of each listed top radio. Displays the name of the RF Domain the listed radios belong. The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail. Displays the UTC timestamp when each listed client was last seen on the network. Wireless Controller and Service Platform System Reference Guide 15 - 4 Statistics 6 The Clients table displays the total number of wireless clients managed by the controller or service platform. This Top Client Count table lists the top 5 RF Domains, in terms of the number of wireless clients adopted:
Top Client Count RF Domain Last Update Displays the client index of each listed top performing client. Displays the name of the client RF Domain. Displays the UTC timestamp when the client count was last reported. 7 Select Refresh to update the statistics counters to their latest values. 15.1.3 Adopted Devices System Statistics The Adopted Devices screen displays a list of devices adopted to the wireless controller managed network (entire system). Use this screen to view a list of devices and their current status. To view adopted AP statistics:
1 Select the Statistics menu from the Web UI. 2 Select the System node from the left navigation pane. 3 Select Adopted Devices from the left-hand side of the UI. The Adopted Devices screen provides the following:
Figure 15-3 System - Adopted Devices screen Adopted Device Type Displays administrator assigned hostname of the adopted device. Select the adopted device link to display configuration and network address information in greater detail. Displays the adopted Access Points model type. Wireless Controller and Service Platform System Reference Guide 15 - 5 Statistics RF Domain Name Model Number Config Status Config Errors Adopter Hostname Adoption Time Startup Time Refresh Displays the domain the adopted AP has been assigned to. Select the RF Domain to display configuration and network address information in greater detail. Lists the model number of each AP thats been adopted to the controller or service platform since this screen was last refreshed. Displays the configuration file version in use by each listed adopted device. Use this information to determine whether an upgrade would increase the functionality of the adopted device. Lists any errors encountered when the listed device was adopted by the controller or service platform. Lists the administrator hostname assigned to the adopting controller or service platform. Displays a timestamp for each listed device that reflects when the device was adopted by the controller or service platform. Provides a date stamp when the adopted device was restarted post adoption. Select Refresh to update the statistics counters to their latest values. 15.1.4 Pending Adoptions System Statistics The Pending Adoptions screen displays those devices detected within the controller or service platform coverage area, but have yet to be adopted by the controller or service platform. Review these devices to assess whether they could provide radio coverage to wireless clients needing support. To view pending AP adoptions to the controller or service platform:
1 Select the Statistics menu from the Web UI. 2 Select the System node from the left navigation pane. 3 Select Pending Adoptions from the left-hand side of the UI. Wireless Controller and Service Platform System Reference Guide 15 - 6 Statistics The Pending Adoptions screen displays the following:
Figure 15-4 System - Pending Adoptions screen MAC Address Type IP Address VLAN Reason Discovery Option Last Seen Add to Devices Refresh Displays the MAC address of the device pending adoption. Select the MAC address to view device configuration and network address information in greater detail. Displays the AP type. Displays the current IP Address of the device pending adoption. Displays the VLAN the device pending adoption will use as a virtual interface with its adopting controller or service platform. Displays a status (reason) as to why the device is pending adoption. Displays the discovery option code for each AP listed pending adoption. Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC. Select a listed AP and select the Add to Devices button to begin the adoption process for this detected AP. Click the Refresh button to update the list of pending adoptions. 15.1.5 Offline Devices System Statistics The Offline Devices screen displays a list of devices in the controller or service platform managed network or RF Domain that are currently offline. Review the contents of this screen to help determine whether an offline status is still warranted. To view offline device potentially available for adoption by the controller or service platform:
1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Offline Devices from the left-hand side of the UI.

The Offline Devices screen provides the following:
Figure 15-5 System - Offline Devices screen

Hostname: Lists the administrator assigned hostname provided when the device was added to the controller or service platform managed network.
MAC Address: Displays the factory encoded MAC address of each listed offline device.
Type: Displays the offline Access Point's model type.
RF Domain Name: Displays the name of the offline device's RF Domain membership, if applicable. Select the RF Domain to display configuration and network address information in greater detail.
Reporter: Displays the hostname of the device reporting the listed device as offline. Select the reporting device name to display configuration and network address information in greater detail.
Area: Lists the administrator assigned deployment area where the offline device was detected.
Floor: Lists the administrator assigned deployment floor where the offline device was detected.
Connected To: Lists the offline device's connected controller, service platform or peer model Access Point.
Last Update: Displays the date and time stamp of the last time the device was detected within the controller or service platform managed network. Click the arrow next to the date and time to toggle between standard time and UTC.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.1.6 Device Upgrade

The Device Upgrade screen reports the status of upgrades performed on devices within the controller or service platform managed network: which device performed each upgrade, when it occurred, how many retries were needed and whether it completed or failed.

To view device upgrade statistics within the controller or service platform managed network:
1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Device Upgrade from the left-hand side of the UI.

Figure 15-6 System - Device Upgrade screen

Upgraded By: Displays the MAC address of the controller, service platform or peer model Access Point that performed the upgrade.
Device Type: Displays the model type of the adopting controller, service platform or Access Point. An updating Access Point must be the same model as the Access Point receiving the update.
Device Hostname: Lists the administrator assigned hostname of the device receiving the update.
History ID: Displays a unique timestamp for the upgrade event.
Last Update Status: Displays the initiation, completion or error status of each listed upgrade operation.
Time Last Upgraded: Lists the date and time of each upgrade operation.
Retries Count: Displays the number of retries required by the update operation.
State: Displays the done or failed state of the upgrade operation.
Clear History: Select Clear History to clear the screen of its current status and begin a new data collection.
Refresh: Select Refresh to update the screen's statistics counters to their latest values.

15.1.7 Licenses

The Licenses statistics screen displays available licenses for devices within a cluster. It displays the total number of AP licenses. Native (local) and Guest license utilization can also be tracked separately.

To view license statistics within the controller or service platform managed network:
1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select Licenses from the left-hand side of the UI.
4 The Local Licenses table provides the following information:
Figure 15-7 System - Licenses screen

Cluster/Hostname: Lists the administrator assigned cluster hostname whose license count and utilization is tallied in this Local Licenses table.
AP Licenses Installed: Lists the number of Access Point connections available to this controller or service platform under the terms of the current license.
Lent AP Licenses: Displays the number of Access Point licenses lent (from this controller or service platform) to a cluster member to compensate for an Access Point license deficiency.
Total AP Licenses: Displays the total number of Access Point connection licenses currently available to this controller or service platform.
AP License Usage: Lists the number of Access Point connections currently utilized by this controller or service platform out of the total available under the terms of the current license.
Remaining AP Licenses: Lists the remaining number of AP licenses available from the pooled license capabilities of all the members of the cluster.
AAP Licenses Installed: Lists the number of Adaptive Access Point connections available to this controller or service platform under the terms of the current license.
Lent AAP Licenses: Displays the number of Adaptive Access Point licenses lent (from this controller or service platform) to a cluster member to compensate for an Adaptive Access Point license deficiency.
Total AAP Licenses: Displays the total number of Adaptive Access Point connection licenses currently available to this controller or service platform.
AAP Licenses Usage: Lists the number of Adaptive Access Point connections currently utilized by this controller or service platform out of the total available under the terms of the current license.
Remaining AAP Licenses: Lists the remaining number of AAP licenses available from the pooled license capabilities of all the members of the cluster.
Validity: Displays validity information for the license's legal usage with the controller or service platform.

5 The Global Licenses table provides the following information:
Cluster AP Adoption Licenses: Displays the current number of Access Point adoption licenses utilized by controller or service platform connected Access Points within a cluster.
Cluster Total AP Licenses: Displays the total number of Access Point adoption licenses available to controller or service platform connected Access Points within a cluster.
Cluster AAP Adoption Licenses: Displays the current number of Adaptive Access Point adoption licenses utilized by controller or service platform connected Access Points within a cluster.
Cluster Total AAP Licenses: Displays the total number of Adaptive Access Point adoption licenses available to controller or service platform connected Access Points within a cluster.

6 The AP Licenses table provides the following information:
Cluster Maximum AP: Lists the maximum number of Access Points permitted in a cluster under the terms of the current license.

7 The Featured Licenses area provides the following information:
Hostname: Displays the administrator assigned hostname of the controller, service platform or Access Point that may have Advanced Security, WIPS or Analytics feature licenses installed.
Advanced Security: Displays whether the separately licensed Advanced Security application is installed for each hostname.
Hotspot Analytics: Displays whether a separately licensed Analytics application is installed. This applies to supported NX9500 and NX9510 service platforms.

8 Select the Details tab. Refer to the Details screen to further assess the total number of cluster member licenses available, cluster memberships, current utilization versus total licenses available, borrowed licenses, remaining licenses and license validity.
9 Refer to the following license utilization data:
Cluster/Hostname: Lists the administrator assigned cluster hostname whose license count and utilization is listed and tallied for member controllers, service platforms or Access Points.
AP Licenses Installed: Lists the number of Access Point connections available to this controller, service platform or peer Access Point under the terms of the current license.
Borrowed AP Licenses: Displays the number of Access Point licenses temporarily borrowed from a cluster member to compensate for an AP license deficiency.
Total AP Licenses: Displays the total number of Access Point connection licenses currently available to clustered devices.
AP Licenses Usage: Lists the number of Access Point connections currently utilized out of the total available under the terms of current licenses.
Remaining AP Licenses: Lists the remaining number of AP licenses available from the pooled license capabilities of cluster members.
AAP Licenses Installed: Lists the number of Adaptive Access Point connections available under the terms of current licenses.
Borrowed AAP Licenses: Displays the number of Adaptive Access Point licenses temporarily borrowed from a cluster member to compensate for an AAP license deficiency.
Total AAP Licenses: Displays the total number of Adaptive Access Point connection licenses currently available to clustered devices.
AAP Licenses Usage: Lists the number of Adaptive Access Point connections currently utilized out of the total available under the terms of the current licenses.
Remaining AAP Licenses: Lists the remaining number of AAP licenses available from the pooled license capabilities of all the members of the cluster.
Validity: Displays validity information for the licenses' legal usage by cluster member devices.
Refresh: Select Refresh to update the screen's statistics counters to their latest values.
15.1.8 WIPS Summary

The Wireless Intrusion Protection System (WIPS) provides continuous protection against wireless threats and acts as an additional layer of security complementing wireless VPNs and existing encryption and authentication policies. Controllers and service platforms support WIPS through the use of dedicated sensor devices designed to actively detect and locate unauthorized AP devices. After detection, they use mitigation techniques to block devices using manual termination, air lockdown or port suppression.

The WIPS Summary screen lists the RF Domains residing in the system and reports the number of unauthorized and interfering devices contributing to the potentially poor performance of each RF Domain's network traffic. The number of WIPS events reported by each RF Domain is also listed to help an administrator better mitigate risks to the network.

To review and assess the impact of rogue and interfering Access Points, as well as the occurrence of WIPS events within the controller or service platform managed system:
1 Select the Statistics menu from the Web UI.
2 Select the System node from the left navigation pane.
3 Select WIPS Summary from the left-hand side of the UI.
4 Refer to the following WIPS data reported for each RF Domain in the system:
Figure 15-8 System - WIPS Summary screen

RF Domain: Lists the RF Domain within the system reporting rogue and interfering Access Point event counts. Use this information to assess whether a particular RF Domain is reporting an excessive number of events or a large number of potentially invasive rogue Access Points compared with the other RF Domains within the controller, service platform or Access Point managed system.
Number of Rogue APs: Displays the number of unsanctioned devices in each listed RF Domain. Unsanctioned devices are devices detected within the listed RF Domain that have not been deployed by an administrator as known and approved controller or service platform managed devices.
Number of Interfering APs: Displays the number of devices exceeding the interference threshold in each listed RF Domain. Each RF Domain utilizes a WIPS policy with a set interference threshold (from -100 to -10 dBm). When a device's signal exceeds this value, it is defined as an interfering Access Point capable of disrupting the signal quality of sanctioned devices operating below the approved RSSI maximum.
Number of WIPS Events: Lists the number of devices triggering a WIPS event within each listed RF Domain. Each RF Domain utilizes a WIPS policy in which excessive, MU and AP events can each have their own values set for event generation. An administrator can enable or disable the filtering of each listed event and set the thresholds required for the generation of the event notification and filtering action.

5 Select the WIPS Report button to launch a sub-screen that filters how WIPS reports are generated for the system.

Figure 15-9 System - WIPS Summary screen

Select Summary to capture all WIPS data, or select Only Rogue APs or Only Interferer APs to refine event reporting to a specific type of WIPS activity. Select Generate Report to compile and archive the results of the query.
6 Select Refresh to update the screen's statistics counters to their latest values.

15.2 RF Domain Statistics

The RF Domain screens display status for a selected RF Domain. This includes the RF Domain's health and device inventory, wireless clients and Smart RF functionality. RF Domains allow administrators to assign regional, regulatory and RF configuration to devices deployed in a common coverage area, such as a building floor or site. Each RF Domain contains regional, regulatory and sensor server configuration parameters and may also be assigned policies that determine Access, Smart RF and WIPS configuration.

Use the following information to obtain an overall view of the performance of the selected RF Domain and troubleshoot issues with the domain or any member device:

Inventory
Health
Devices
AP Detection
Wireless Clients
Device Upgrade
Wireless LANs
Radios
Bluetooth
Mesh
Mesh Point
SMART RF
WIPS
Captive Portal
Application Visibility (AVC)
Coverage Hole Summary
Coverage Hole Details

15.2.1 Health

The Health screen displays general status information for a selected RF Domain, including data polled from all its members.

To display the health of a controller or service platform's RF Domain:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select Health from the RF Domain menu.

Figure 15-10 RF Domain - Health screen

4 The Domain field displays the name of the RF Domain manager. The RF Domain manager is the focal point for the radio system and acts as a central registry of applications, hardware and capabilities. It also serves as a mount point for all the different pieces of the hardware system file.
5 The Devices field displays the total number of online versus offline devices in the RF Domain, and an exploded pie chart depicts their status.
6 The Radio Quality field displays information on the RF Domain's RF quality. The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions, together with the retry and error rate. This area also lists the 5 worst performing radios in the RF Domain. The RF Quality Index can be interpreted as:
0-20: Very poor quality
20-40: Poor quality
40-60: Average quality
60-100: Good quality

7 Refer to the Radio Quality table for RF Domain member radios requiring administration to improve performance:
Worst 5 Radios: Displays the five radios with the lowest average quality in the RF Domain.
Radio ID: Lists each radio's administrator defined hostname and its radio designation (radio 1, radio 2 or radio 3).
Radio Type: Displays the radio type as either 5 GHz or 2.4 GHz.

8 Refer to the Client Quality table for RF Domain connected clients requiring administration to improve performance:
Worst 5 Clients: Displays the five clients with the lowest average quality indices.
Client MAC: Displays the hardcoded radio MAC address of the wireless client.
Vendor: Displays the vendor name of the wireless client.

9 Refer to the WLAN Utilization field to assess the following:
Total WLANs: Displays the total number of WLANs managed by RF Domain member Access Points.
Top 5: Displays the five RF Domain utilized WLANs with the highest average quality indices.
WLAN Name: Displays the WLAN name for each of the Top 5 WLANs in the Access Point RF Domain.
SSID: Lists the SSID utilized by each of the top 5 performing RF Domain WLANs.

10 The Radio Traffic Utilization area displays the following:
Max. User Rate: Displays the maximum recorded user rate in kbps.
Top 5 Radios: Displays the five radios with the best average quality in the RF Domain.
Radio ID: Lists each radio's administrator defined hostname and its radio designation (radio 1, radio 2 or radio 3).
Radio Type: Displays the radio type as either 5 GHz or 2.4 GHz.

11 Refer to the Client Traffic Utilization table:
Top 5 Clients: Displays the five clients with the highest average quality indices.
Client MAC: Displays the client's hardcoded MAC address, used as a hardware identifier.
Vendor: Lists each client's manufacturer.

12 The Wireless Security area indicates the security of the transmission between WLANs and the wireless clients they support. This value indicates the vulnerability of the WLANs.

RF Domain Threat Level: Indicates the threat from wireless clients trying to find network vulnerabilities within the Access Point RF Domain. The threat level is represented by an integer.
Rogue APs: Lists the number of unauthorized Access Points detected by RF Domain member devices.
WIPS Events: Lists the number of WIPS events generated by RF Domain member devices.

13 The Traffic Statistics table displays the following information for transmitted and received packets:
Total Bytes: Displays the total bytes of data transmitted and received within the Access Point RF Domain.
Total Packets: Lists the total number of data packets transmitted and received within the Access Point RF Domain.
User Data Rate: Lists the average user data rate within the Access Point RF Domain.
Bcast/Mcast Packets: Displays the total number of broadcast/multicast packets transmitted and received within the Access Point RF Domain.
Management Packets: Displays the total number of management packets processed within the Access Point RF Domain.
Tx Dropped Packets: Lists the total number of dropped data packets within the Access Point RF Domain.
Rx Errors: Displays the number of errors encountered during data transmission within the Access Point RF Domain. The higher the error rate, the less reliable the connection or data transfer.

14 The SMART RF Activity area displays the following:
Time Period: Lists the time period when Smart RF calibrations or adjustments were made to compensate for radio coverage holes or interference.
Power Changes: Displays the total number of radio transmit power changes made using Smart RF within the Access Point RF Domain.
Channel Changes: Displays the total number of radio channel changes made using Smart RF within the Access Point RF Domain.
Coverage Changes: Displays the total number of radio coverage area changes made using Smart RF within the Access Point RF Domain.

15.2.2 Inventory

The Inventory screen displays an inventory of RF Domain member Access Points, connected wireless clients, wireless LAN utilization and radio availability.

To display RF Domain inventory statistics:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select Inventory from the RF Domain menu.

Figure 15-11 RF Domain - Inventory screen

4 The Device Types table displays the total members in the RF Domain. The exploded pie chart depicts the distribution of RF Domain members by controller and Access Point model type.
5 The Radios by Band field displays the total number of radios using the 802.11an and 802.11bgn bands within the RF Domain. The number of radios designated as sensors is also represented.
6 The Radios by Channel field displays the radio channels utilized by RF Domain member devices in two separate charts, one for 5 GHz channels and the other for 2.4 GHz channels.
7 The Top 5 Radios by Clients table displays the five RF Domain member radios with the most connected wireless clients:

Total Wireless Clients: Displays the total number of clients connected to RF Domain members.
AP Name: Displays the connected client's reporting Access Point. The name displays as a link that can be selected to display Access Point data in greater detail.
Client Count: Lists the number of clients connected to each listed RF Domain member Access Point.
Radio Id: Lists each radio's administrator defined hostname and its radio designation (radio 1, radio 2 etc.). The name displays as a link that can be selected to display Access Point data in greater detail.
Radio Band: Lists each client's operational radio band.
Location: Displays the system assigned deployment location for the client.

8 Refer to the WLANs table to review RF Domain WLAN, radio and client utilization. Use this information to help determine whether the WLANs within this RF Domain have optimal radio and client utilization.
9 The Clients by Band bar graph displays the total number of RF Domain member clients by their IEEE 802.11 radio type.
10 The Clients by Channel pie charts display the channels used by RF Domain member clients on the 5 GHz and 2.4 GHz radios.
11 Periodically select Refresh to update the contents of the screen to their latest values.

15.2.3 Devices

The Devices screen displays RF Domain member hardware data, connected client counts, radio data and network IP addresses.

To display RF Domain member device statistics:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select Devices from the RF Domain menu.

Figure 15-12 RF Domain - Devices screen

Device: Displays the system assigned name of each device that is a member of the RF Domain. The name displays as a link that can be selected to display configuration and network address information in greater detail.
AP MAC Address: Displays each device's factory encoded MAC address as its hardware identifier.
Type: Displays each device model within the selected RF Domain.
Client Count: Displays the number of clients connected to each listed device. Supported Access Point models support up to 256 clients per Access Point, with the exception of the AP6521 model, which only supports 128.
Radio Count: Displays the number of radios on each listed device.
IP Address: Displays the IP address each listed device is using as a network identifier.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.4 AP Detection

The AP Detection screen displays information about detected Access Points that are not members of the RF Domain. They could be authorized devices or potential rogue devices.

To view device information on detected Access Points:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select AP Detection from the RF Domain menu.

The AP Detection screen displays the following:
Figure 15-13 RF Domain - AP Detection screen

MAC Address: Displays the hardware encoded MAC address of each listed Access Point detected by an RF Domain member device. The MAC address is set at the factory and cannot be modified via the management software. The MAC address displays as a link that can be selected to display RF Domain member device information in greater detail.
Channel: Displays the channel of operation used by the detected Access Point. The channel must be utilized by both the Access Point and its connected client and be approved for the target deployment country.
SSID: Displays the Service Set ID (SSID) of the network to which the detected Access Point belongs.
First Seen: Provides a timestamp of when the detected Access Point was first detected by an RF Domain member device.
Top Reporter Hostname: Lists the administrator assigned hostname of the top performing RF Domain member detecting the listed Access Point MAC address. Consider this top performer the best resource for information on the detected Access Point and its potential threat.
Vendor: Lists the manufacturer of the detected Access Point as an additional means of assessing its potential threat to the members of this RF Domain and its potential for interoperability with RF Domain member devices.
VLAN: Lists the numeric VLAN ID (virtual interface) on which the detected Access Point was detected by members of this RF Domain.
RSSI: Displays the Received Signal Strength Indicator (RSSI) of the detected Access Point. Use this value to help determine whether a device connection would improve network coverage or add noise.
Is Interferer: Lists whether the detected device exceeds the administrator defined RSSI threshold (from -100 to -10 dBm) that determines whether a detected Access Point is classified as an interferer.
Is Rogue: Displays whether the detected device has been classified as a rogue device whose presence threatens the interoperation of RF Domain member devices.
Termination Active: Lists whether Air Termination is active and applied to the detected Access Point. Air Termination lets you terminate the connection between your wireless LAN and any Access Point or client associated with it. If the device is an Access Point, all clients are disassociated from the Access Point. If the device is a client, its connection with the Access Point is terminated. Air Termination is disabled by default.
Terminate: Select the Terminate button to remove the selected Access Point from RF Domain membership.
Clear All: Select Clear All to reset the statistics counters to zero and begin a new data collection.
WIPS Report: Select WIPS Report to launch a sub-screen that saves a WIPS report (in PDF format) to a specified location. This is a recommended practice for capturing RF Domain member Access Point client connection terminations in a format that can be archived externally.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.5 Wireless Clients

The Wireless Clients screen displays device information for wireless clients connected to RF Domain member Access Points. Review this content to determine whether a client should be removed from Access Point association within the selected RF Domain.

To review an RF Domain's connected wireless clients:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select Wireless Clients from the RF Domain menu.

The Wireless Clients screen displays the following:
Figure 15-14 RF Domain - Wireless Clients screen

MAC Address: Displays the MAC address of each listed wireless client. This address is hard-coded at the factory and cannot be modified. The address displays as a link that can be selected to display RF Domain member device and network address information in greater detail.
IP Address: Displays the current IP address the wireless client is using as a network identifier.
IPv6 Address: Displays the current IPv6 address a listed wireless client is using as a network identifier. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Hostname: Displays the unique administrator assigned hostname set when the client's configuration was originally defined.
Role: Lists the role assigned to each controller, service platform or Access Point managed client.
Client Identity: Lists the client's operating system vendor identity (Android, Windows etc.).
Vendor: Displays the vendor (or manufacturer) of the wireless client.
Band: Lists the 2.4 or 5 GHz radio band the listed client is currently utilizing with its connected Access Point, controller or service platform within the RF Domain.
AP Hostname: Displays the administrator assigned hostname of the Access Point to which the client is connected.
Radio MAC: Lists the hardware encoded MAC address of the Access Point radio to which the client is currently connected within the RF Domain.
WLAN: Displays the name of the WLAN the wireless client is currently using for its interoperation within the RF Domain.
VLAN: Displays the VLAN ID the client's connected Access Point has defined for use as a virtual interface.
Last Active: Displays the time when this wireless client was last detected by an RF Domain member.
RF Domain Name: Lists each client's RF Domain membership as defined by its connected Access Point and associated controller or service platform.
Disconnect All Clients: Select the Disconnect All Clients button to terminate each listed client's connection and RF Domain membership.
Disconnect Client: Select a specific client MAC address and select the Disconnect Client button to terminate that client's connection and RF Domain membership.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.6 Device Upgrade

The Device Upgrade screen reports information about devices receiving updates from the RF Domain member provisioning the device. Use this screen to assess version data and upgrade status.

To view wireless device upgrade data for RF Domain members:
1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select Device Upgrade from the RF Domain menu.

The Device Upgrade screen displays the following for RF Domain member devices:
Figure 15-15 RF Domain - Device Upgrade screen

Upgraded By: Lists the name of the device performing an update on behalf of an RF Domain member peer device.
Type: Displays the model of the device receiving the update. An updating Access Point must be the same model as the Access Point receiving the update.
Device Hostname: Lists the administrator assigned hostname of each device receiving an update from an RF Domain member.
History Id: Lists the RF Domain member device's MAC address with a history ID appended to it for each upgrade operation.
Last Update Status: Displays the last status message from the RF Domain member device performing the upgrade operation.
Time Last Upgrade: Displays a timestamp for the last successful upgrade.
Retries Count: Lists the number of retries needed for each listed RF Domain member update operation.
State: Lists whether the upgrade operation is completed, in progress or failed, or whether an update was made without a device reboot.
Clear History: Select Clear History to remove the upgrade records for RF Domain member devices. Unlike the Refresh function (which updates existing data), Clear History removes the update records from the screen.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.7 Wireless LANs

The Wireless LANs screen displays the name, network identification and radio quality information for the WLANs currently being utilized by RF Domain members.

To view wireless LAN statistics for RF Domain members:
1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Wireless LANs from the RF Domain menu.

The Wireless LANs screen displays the following:

Figure 15-16 RF Domain - Wireless LANs screen

| Field | Description |
|---|---|
| WLAN Name | Displays the name assigned to each WLAN upon its creation within the controller or service platform managed network. |
| SSID | Displays the Service Set ID (SSID) assigned to the WLAN upon its creation within the controller or service platform managed network. |
| Traffic Index | Displays the traffic utilization index of each listed WLAN, which measures how efficiently the traffic medium is used. It is defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are: 0-20 (very low utilization), 20-40 (low utilization), 40-60 (moderate utilization), and 60 and above (high utilization). |
| Radio Count | Displays the number of radios deployed in each listed WLAN by RF Domain member devices. |
| Tx Bytes | Displays the average number of packets (in bytes) sent on each listed RF Domain member WLAN. |
| Tx User Data Rate | Displays the average data rate per user for packets transmitted on each listed RF Domain member WLAN. |
| Rx Bytes | Displays the average number of packets (in bytes) received on each listed RF Domain member WLAN. |
| Rx User Data Rate | Displays the average data rate per user for packets received on each listed RF Domain member WLAN. |
| Disconnect All Clients | Select the Disconnect All Clients button to terminate each listed client's WLAN membership from this RF Domain. |
| Refresh | Select the Refresh button to update the statistics counters to their latest values. |

15.2.8 Radios RF Domain Statistics

The Radio screens display information on RF Domain member Access Point radios. Use these screens to troubleshoot radio issues negatively impacting RF Domain performance. For more information, refer to the following:
Status
RF Statistics
Traffic Statistics

15.2.8.1 Status

To view the RF Domain radio statistics:

1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Expand Radios from the RF Domain menu and select Status.

The Radio Status screen displays the following:

Figure 15-17 RF Domain - Radio Status screen

| Field | Description |
|---|---|
| Radio | Displays the name assigned to each listed RF Domain member Access Point radio. Each name displays as a link that can be selected to display radio information in greater detail. |
| Radio MAC | Displays the MAC address as a numerical value factory hardcoded to each listed RF Domain member Access Point radio. |
| Radio Type | Defines whether the radio is operating within the 2.4 or 5 GHz radio band. |
| Access Point | Displays the user assigned name of the RF Domain member Access Point on which the radio resides. |
| AP Type | Lists the model type of each RF Domain member Access Point. |
| State | Displays the radio's current operational state. |
| Channel Current (Config) | Displays the current channel each listed RF Domain member Access Point radio is broadcasting on. |
| Power Current (Config) | Displays the current power level the radio is using for its transmissions. |
| Clients | Displays the number of clients currently connected to each listed RF Domain member Access Point radio. Supported models can manage up to 256 clients per radio. |
| Refresh | Select the Refresh button to update the statistics counters to their latest values. |

15.2.8.2 RF Statistics

To view the RF Domain radio statistics:
1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Expand Radios from the RF Domain menu and select RF Statistics.

The RF Statistics screen displays the following:

Figure 15-18 RF Domain - Radio RF Statistics screen

| Field | Description |
|---|---|
| Radio | Displays the name assigned to each listed RF Domain member radio. Each name displays as a link that can be selected to display radio information in greater detail. |
| Signal | Displays the power of listed RF Domain member radio signals in dBm. |
| Noise | Lists the level of noise (in -X dBm format) reported by each listed RF Domain member Access Point. |
| SNR | Displays the signal to noise ratio (SNR) of each listed RF Domain member radio. |
| Tx Physical Layer Rate | Displays the data transmit rate for each RF Domain member radio's physical layer. The rate is displayed in Mbps. |
| Rx Physical Layer Rate | Displays the data receive rate for each RF Domain member radio's physical layer. The rate is displayed in Mbps. |
| Avg Retry Number | Displays the average number of retries for each RF Domain member radio. |
| Error Rate | Displays the average number of retries per packet. A high number indicates possible network or hardware problems. |
| RF Quality Index | Displays an integer (and performance icon) that indicates the overall RF performance for each listed radio. The RF quality indices are: 0-50 (Poor), 50-75 (Medium), 75-100 (Good). |
| Refresh | Select the Refresh button to update the statistics counters to their latest values. |

15.2.8.3 Traffic Statistics

The Traffic Statistics screen displays transmit and receive data as well as data rate and packet drop and error information for RF Domain member radios. Individual RF Domain member radios can be selected to display information specific to that radio as troubleshooting requirements dictate.

1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Expand Radios from the RF Domain menu and select Traffic Statistics.

The Radio Traffic screen displays the following:
Figure 15-19 RF Domain - Radio Traffic Statistics screen

| Field | Description |
|---|---|
| Radio | Displays the name assigned to each listed RF Domain member Access Point radio. Each name displays as a link that can be selected to display radio information in greater detail. |
| Tx Bytes | Displays the total number of bytes transmitted by each RF Domain member Access Point radio. This includes all user data as well as any management overhead data. |
| Rx Bytes | Displays the total number of bytes received by each RF Domain member Access Point radio. This includes all user data as well as any management overhead data. |
| Tx Packets | Displays the total number of packets transmitted by each RF Domain member Access Point radio. This includes all user data as well as any management overhead packets. |
| Rx Packets | Displays the total number of packets received by each RF Domain member Access Point radio. This includes all user data as well as any management overhead packets. |
| Tx User Data Rate | Displays the rate (in kbps) at which user data is transmitted by each RF Domain member Access Point radio. This rate only applies to user data and does not include any management overhead. |
| Rx User Data Rate | Displays the rate (in kbps) at which user data is received by each RF Domain member Access Point radio. This rate only applies to user data and does not include any management overhead. |
| Tx Dropped | Displays the total number of transmitted packets which have been dropped by each RF Domain member Access Point radio. This includes all user data as well as any management overhead packets that were dropped. |
| Traffic Index | Displays the traffic utilization index of RF Domain member Access Point radios, which measures how efficiently the traffic medium is utilized within this RF Domain. It is defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are: 0-20 (very low utilization), 20-40 (low utilization), 40-60 (moderate utilization) and 60 and above (high utilization). |
| Refresh | Select the Refresh button to update the statistics counters to their latest values. |

15.2.9 Bluetooth RF Domain Statistics

AP-8432 and AP-8533 model Access Points utilize a built-in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP-8432 and AP-8533 models support both Bluetooth classic and Bluetooth low energy technology. These platforms can use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm.

AP-8432 and AP-8533 model Access Points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The Access Point's Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets on a periodic basis. These advertisement packets are short, and sent on Bluetooth advertising channels that conform to already-established iBeacon and Eddystone-URL standards.

To view Bluetooth radio statistics for RF Domain member Access Points:
1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Bluetooth.

The RF Domain Bluetooth screen displays the following:

Figure 15-20 RF Domain - Bluetooth screen

| Field | Description |
|---|---|
| Name | Lists the name of the Access Point's Bluetooth radio. |
| Alias | If an alias has been defined for the Access Point it is listed here. The alias value is expressed in the form of <hostname>:B<Bluetooth_radio_number>. If the administrator has defined a hostname for the Access Point, it is used in place of the Access Point's default hostname. |
| Radio State | Displays the current operational state (On/Off) of the Bluetooth radio. |
| Off Reason | If the Bluetooth radio is offline, this field states the reason. |
| Radio MAC | Lists the Bluetooth radio's factory encoded MAC address serving as this device's hardware identifier on the network. |
| Hostname | Lists the hostname set for the Access Point as its network identifier. |
| Device MAC | Lists the Access Point's factory encoded MAC address serving as this device's hardware identifier on the network. |
| AP Location | Lists the Access Point's administrator assigned deployment location. |
| Radio Mode | Lists an Access Point's Bluetooth radio functional mode as either bt-sensor or le-beacon. |
| Beacon Period | Lists the Bluetooth radio's beacon transmission period, from 100 to 10,000 milliseconds. |
| Beacon Type | Lists the type of beacon currently configured. |
| Last Error | Lists descriptive text on any error that is preventing the Bluetooth radio from operating. |
| Refresh | Select Refresh to update the screen's statistics counters to their latest values. |

15.2.10 Mesh RF Domain Statistics

Mesh networking enables users to wirelessly access broadband applications anywhere (even in a moving vehicle). Initially developed for secure and reliable military battlefield communications, mesh technology supports public safety, public access and public works. Mesh technology reduces the expense of wide-scale networks by leveraging Wi-Fi enabled devices already deployed.

To view Mesh statistics for RF Domain member Access Points and their connected clients:
1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Mesh.

The RF Domain Mesh screen displays the following:

Figure 15-21 RF Domain - Mesh screen

| Field | Description |
|---|---|
| Client | Displays the configured hostname for each mesh client connected to a RF Domain member Access Point. |
| Client Radio MAC | Displays the hardware encoded MAC address for each mesh client connected to a RF Domain member Access Point. |
| Portal | Displays a numerical portal Index ID for each mesh client connected to a RF Domain member Access Point. |
| Portal Radio MAC | Displays the hardware encoded MAC address for each radio in the RF Domain mesh network. |
| Connect Time | Displays the total connection time for each listed client in the RF Domain mesh network. |
| Refresh | Select the Refresh button to update the statistics counters to their latest values. |

15.2.11 Mesh Point RF Domain Statistics

To view Mesh Point statistics for RF Domain member Access Points and their connected clients:
1 Select the Statistics menu from the Web UI.
2 Select a RF Domain from under the System node on the top, left-hand side, of the screen.
3 Select Mesh Point. The MCX Geographical View displays by default.

Figure 15-22 RF Domain - Mesh Point MCX Geographical View screen

The MCX Geographical View screen displays a map where icons of each device in the RF Domain are overlaid. This provides a geographical overview of the location of each RF Domain member device.

4 Use the N, W, S and E buttons to move the map in the North, West, South and East directions respectively. The slider next to these buttons enables zooming in and out of the view. The available fixed zoom levels are World, Country, State, Town, Street and House.
5 Use the Maximize button to maximize this view to occupy the complete screen. Use the Refresh button to update the status of the screen.
6 Select the MCX Logical View tab to view a logical representation of the Meshpoint.

Figure 15-23 RF Domain - Mesh Point MCX Logical View screen

The Concentric and Hierarchical buttons define how the mesh point is displayed in the MCX Logical View screen. In the Concentric mode, the mesh is displayed as a concentric arrangement of devices with the root mesh at the centre and the other mesh devices arranged around it. In the Hierarchical arrangement, the root node of the mesh is displayed at the top of the mesh tree and the relationships of the mesh nodes are displayed as such. Use the Meshpoint Name drop down to select a mesh point to see the graphical representation of that mesh point. The view can further be filtered based on the values Neighbor or Path selected in the Meshpoint View field.

7 Select the Device Type tab.

Figure 15-24 RF Domain - Mesh Point Device Type screen

The Root field displays the Mesh ID and MAC Address of the configured root mesh points in the RF Domain.

8 The Non Root field displays the Mesh ID and MAC Address of all configured non-root mesh points in the RF Domain.
9 The Mesh Point Details field on the bottom portion of the screen displays tabs for General, Path, Root, Multicast Path, Neighbors, Security and Proxy. Refer to the following:
The General tab displays the following:

| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| MAC | Displays the MAC Address of each configured mesh point in the RF Domain. |
| Hostname | Displays the administrator assigned hostname for each configured mesh point in the RF Domain. |
| Configured As Root | Indicates whether a mesh point is configured to act as a root device (Yes/No). |
| Is Root | A root mesh point is defined as a mesh point connected to the WAN that provides a wired backhaul to the network (Yes/No). |
| Meshpoint Identifier | The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration. |
| Interface ID | The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces. |
| Radio Interface | Uniquely identifies the radio interface on which the Mesh Point operates. |
| Next Hop IFID | Lists the ID of the interface on which the next hop for the mesh network can be found. |
| Next Hops Use Time | Lists the time when the next hop in the mesh network topology was last utilized. |
| Root Hops | The number of hops to a root; this should not exceed 4 in general practice. If using the same interface to both transmit and receive, you will get approximately half the performance with every additional hop out. |
| Root MP ID | Displays the ID of the root device for this mesh point. |
| Root Bound Time | Displays the duration this mesh point has been connected to the mesh root. |
| IFID Count | Displays the number of Interface IDs (IFIDs) associated with all the configured mesh points in the RF Domain. |

The Path tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Meshpoint Identifier | The identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration. |
| Destination Addr | The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID. |
| Next Hop IFID | The Interface ID of the mesh point that traffic is being directed to. |
| Is Root | A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No). |
| MiNT ID | Displays the MiNT Protocol ID for the global MiNT area identifier. This area identifier separates two overlapping MiNT networks and need only be configured if the administrator has two MiNT networks that share the same packet broadcast domain. |
| Hops | The number of hops to a root; this should not exceed 4 in general practice. If using the same interface to both transmit and receive, you will get approximately half the performance with every additional hop out. |
| Mobility | Displays whether the mesh point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile. |
| Metric | A measure of the quality of the path. A lower value indicates a better path. |
| State | Indicates whether the path is currently Valid or Invalid. |
| Binding | Indicates whether the path is bound or unbound. |
| Timeout | The timeout interval in milliseconds. The interpretation of this value will vary depending on the value of the state. |
| Sequence | The sequence number, also known as the destination sequence number. It is updated whenever a mesh point receives new information about the sequence number from RREQ, RREP, or RERR messages that may be received related to that destination. |

The Root tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Recommended Root | Displays the root that is recommended by the mesh routing layer. |
| MPID | The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration. |
| Next Hop IFID | The IFID of the next hop. The IFID is the MAC Address on the destination device. |
| Radio Interface | This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor. |
| Bound | Indicates whether the root is bound or unbound. |
| Metric | Displays the computed path metric between the neighbor and their root mesh point. |
| Interface Bias | This field lists any bias applied because of the Preferred Root Interface Index. |
| Neighbor Bias | This field lists any bias applied because of the Preferred Root Next-Hop Neighbor IFID. |
| Root Bias | This field lists any bias applied because of the Preferred Root MPID. |

The Multicast Path tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Subscriber Name | The identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration. |
| Subscriber MPID | Lists the subscriber ID to distinguish between other mesh point neighbor devices in the RF Domain. |
| Group Address | Displays the MAC address used for the Group in the mesh point. |
| Timeout | The timeout interval in seconds. The interpretation of this value will vary depending on the value of the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated. If the state is Failed, the timeout duration is the amount of time after which the system will retry. |

The Neighbors tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Destination Addr | Displays the MeshID (MAC Address) of each mesh point in the RF Domain. |
| Neighbor MP ID | The MAC Address that the device uses to define the mesh point in the device that the neighbor is a part of. It is used to distinguish the device that is the neighbor. |
| Neighbor IFID | The MAC Address used by the interface on the neighbor device to communicate with this device. This may define a particular radio or Ethernet port that communicates with this device over the mesh. |
| Root MP ID | The MAC Address of the neighbor's root mesh point. A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network. |
| Is Root | Yes if the mesh point that is the neighbor is a root mesh point, or No if the mesh point that is the neighbor is not a root mesh point. |
| Mobility | Displays whether the Mesh Point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile. |
| Radio Interface | This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor. |
| Mesh Root Hops | The number of devices between the neighbor and its root mesh point. If the neighbor is a root mesh point, this value will be 0. If the neighbor is not a root mesh point but it has a neighbor that is a root mesh point, this value will be 1. Each mesh point between the neighbor and its root mesh point is counted as 1 hop. |
| Resourced | Displays whether the mesh point has been resourced or not. The Mesh Connex neighbor table can contain more neighbors than the AP supports. If the neighbor is resourced, it will take away one of the resources for a wireless client device to be used for meshing. Displays True when the device is resourced and False when the device is not. |
| Link Quality | An abstract value depicting the quality of the mesh link between the device and the neighbor. The range is from 0 (weakest) to 100 (strongest). |
| Link Metric | This value shows the computed path metric from the device to the neighbor mesh point using this interface. The lower the number, the better the possibility that the neighbor will be chosen as the path to the root mesh point. |
| Root Metric | The computed path metric between the neighbor and their root mesh point. |
| Rank | The rank is the level of importance and is used for automatic resource management. The rank values are listed below this table. |
| Age | Displays the number of milliseconds since the mesh point last heard from this neighbor. |

Rank values:

8 - The current next hop to the recommended root.
7 - Any secondary next hop to the recommended root that has a good potential route metric.
6 - A next hop to an alternate root node.
5 - A downstream node currently hopping through to get to the root.
4 - A downstream node that could hop through to get to the root, but is currently not hopping through any node (look at authentication, as this might be an issue).
3 - A downstream node that is currently hopping through a different node to get to the root, but could potentially have a better route metric if it hopped through this node.
2 - Reserved for active peer to peer routes and is not currently used.
1 - A neighbor bound to the same recommended root but does not have a potential route metric as good as the neighbors ranked 8 and 7.
0 - A neighbor bound to a different root node.
-1 - Not a member of the mesh as it has a different mesh ID.

All client devices hold a rank of 3 and can replace any mesh devices lower than that rank.

The Security tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Mesh Point Identifier | The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID. |
| Radio Interface | This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor. |
| Interface ID | The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces. |
| State | Displays the Link State for each mesh point: Init - indicates the link has not been established or has expired. Enabled - indicates the link is available for communication. Failed - indicates the attempt to establish the link failed and cannot be retried yet. In Progress - indicates the link is being established but is not yet available. |
| Timeout | Displays the maximum value in seconds that the link is allowed to stay in the In Progress state before timing out. |
| Keep Alive | Yes indicates that the local MP will act as a supplicant to authenticate the link and not let it expire (if possible). No indicates that the local MP does not need the link and will let it expire if not maintained by the remote MP. |

The Proxy tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Destination Addr | The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID. |
| Proxy Address | Displays the MAC Address of the proxy used in the mesh point. |
| Age | Displays the age of the proxy connection for each of the mesh points in the RF Domain. |
| Proxy Owner | The owner's MPID is used to distinguish the neighbor device. |
| Persistence | Displays the persistence (duration) of the proxy connection for each of the mesh points in the RF Domain. |
| VLAN | The VLAN ID used as a virtual interface with this proxy. A value of 4095 indicates that there is no VLAN ID. |

10 Select the Device Brief Info tab from the top of the screen. The Device Brief Info screen is divided into 2 fields, All Roots and Mesh Points and MeshPoint Details.

The All Roots and Mesh Points field displays the following:
Figure 15-25 RF Domain - Mesh Point Device Brief Info screen

| Field | Description |
|---|---|
| MAC | Displays the MAC Address of each configured mesh point in the RF Domain. |
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Hostname | Displays the administrator assigned hostname for each configured mesh point in the RF Domain. |
| Configured as Root | A root mesh point is defined as a mesh point connected to the WAN, providing a wired backhaul to the network (Yes/No). |
| Is Root | Indicates whether the current mesh point is a root meshpoint (Yes/No). |
| Destination Addr | The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID. |
| Root Hops | The number of devices between the selected mesh point and the destination device. |
| IFID Count | Displays the number of Interface IDs (IFIDs) associated with all the configured mesh points in the RF Domain. |

11 The MeshPoint Details field on the bottom portion of the screen displays tabs for General, Path, Root, Multicast Path, Neighbors, Security and Proxy. Refer to the following:
The General tab displays the following:

| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| MAC | Displays the MAC Address of each configured mesh point in the RF Domain. |
| Hostname | Displays the hostname for each configured mesh point in the RF Domain. |
| Configured as Root | A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No). |
| Is Root | A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No). |
| Mesh Point Identifier | The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID. |
| Next Hop IFID | Identifies the ID of the interface on which the next hop for the mesh network can be found. |
| Next Hops Use Time | Lists the time when the next hop in the mesh network topology was last utilized. |
| Root Hops | The number of hops to a root; this should not exceed 4 in general practice. If using the same interface to both transmit and receive, you will get approximately half the performance with every additional hop out. |
| Root MP ID | Lists the interface ID of the interface on which the next hop for the mesh network can be found. |
| Root Bound time | Displays the duration this mesh point has been connected to the mesh root. |
| IFID Count | Displays the number of Interface IDs (IFIDs) associated with all the configured mesh points in the RF Domain. |

The Path tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Destination Addr | The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID. |
| Destination | The MAC Address used by the interface on the neighbor device to communicate with this device. This may define a particular radio or Ethernet port that communicates with this device over the mesh. |
| Is Root | A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network (Yes/No). |
| MiNT ID | Displays the MiNT Protocol ID for the global MiNT area identifier. This area identifier separates two overlapping MiNT networks and need only be configured if the administrator has two MiNT networks that share the same packet broadcast domain. |
| Next Hop IFID | The Interface ID of the mesh point that traffic is being directed to. |
| Hops | The number of hops to a root; this should not exceed 4 in general practice. If using the same interface to both transmit and receive, you will get approximately half the performance with every additional hop out. |
| Mobility | Displays whether the mesh point is a mobile or static node. Displays True when the device is mobile and False when the device is not mobile. |
| Metric | A measure of the quality of the path. A lower value indicates a better path. |
| State | Indicates whether the path is currently Valid or Invalid. |
| Binding | Indicates whether the path is bound or unbound. |
| Timeout | The timeout interval in seconds. The interpretation of this value will vary depending on the value of the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated. If the state is Failed, the timeout duration is the amount of time after which the system will retry. |
| Sequence | The sequence number, also known as the destination sequence number. It is updated whenever a mesh point receives new information about the sequence number from RREQ, RREP, or RERR messages that may be received related to that destination. |

The Root tab displays the following:
| Field | Description |
|---|---|
| Mesh Point Name | Displays the name of each configured mesh point in the RF Domain. |
| Recommended Root | Displays the root that is recommended by the mesh routing layer. |
| MPID | The MP identifier is used to distinguish between other mesh points both on the same device and on other devices. This is used by a user to set up the preferred root configuration. |
| Next Hop IFID | The IFID of the next hop. The IFID is the MAC Address on the destination device. |
| Radio Interface | This indicates the interface that is used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio that is used to communicate with the neighbor. |
| Bound | Indicates whether the root is bound or unbound. |
| Metric | Displays the computed path metric between the neighbor and their root mesh point. |
| Interface Bias | This field lists any bias applied because of the preferred root Interface Index. |
| Neighbor Bias | This field lists any bias applied because of the preferred root next-hop Neighbor IFID. |
| Root Bias | This field lists any bias applied because of the preferred root MPID. |

The Multicast Path tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Subscriber Name: Lists the subscriber name, used to distinguish between other mesh point neighbors both on the same device and on other devices.
Subscriber MPID: Lists the subscriber ID, used to distinguish between other mesh point neighbors both on the same device and on other devices.
Group Address: Displays the MAC address used for the group in the mesh point.
Path Timeout: The timeout interval in seconds. The interpretation of this value varies with the state. If the state is Init or In Progress, the timeout duration has no significance. If the state is Enabled, the timeout duration indicates the amount of time left before the security validity check is initiated. If the state is Failed, the timeout duration is the amount of time after which the system will retry.

The Neighbors tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Neighbor MP ID: The MAC address that the device uses to define the mesh point in the device that the neighbor is a part of. It is used to distinguish the device that is the neighbor.
Neighbor IFID: The MAC address used by the interface on the neighbor device to communicate with this device. This may define a particular radio or Ethernet port that communicates with this device over the mesh.
Root MP ID: The mesh point ID of the neighbor's root mesh point. A root mesh point is defined as a mesh point that is connected to the WAN and provides a wired backhaul to the network.
Is Root: Yes if the neighbor mesh point is a root mesh point, No if it is not.
Mobility: Displays whether the mesh point is a mobile or static node. Displays True when the device is mobile and False when it is not.
Radio Interface: Indicates the interface used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio used to communicate with the neighbor.
Mesh Root Hops: The number of devices between the neighbor and its root mesh point. If the neighbor is a root mesh point, this value is 0. If the neighbor is not a root mesh point but has a neighbor that is a root mesh point, this value is 1. Each mesh point between the neighbor and its root mesh point counts as 1 hop.
Resourced: Displays whether the mesh point has been resourced or not. The Mesh Connex neighbor table can contain more neighbors than the AP supports. If the neighbor is resourced, it takes one of the resources that would otherwise serve a wireless client device and uses it for meshing. Displays True when the device is resourced and False when it is not.
Link Quality: An abstract value depicting the quality of the mesh link between the device and the neighbor. The range is from 0 (weakest) to 100 (strongest).
Link Metric: The computed path metric from the device to the neighbor mesh point using this interface. The lower the number, the better the chance that the neighbor is chosen as the path to the root mesh point.
Root Metric: The computed path metric between the neighbor and its root mesh point.
Rank: The rank is the level of importance and is used for automatic resource management.
  8 - The current next hop to the recommended root.
  7 - Any secondary next hop to the recommended root that has a good potential route metric.
  6 - A next hop to an alternate root node.
  5 - A downstream node currently hopping through this node to get to the root.
  4 - A downstream node that could hop through this node to get to the root, but is currently not hopping through any node (look at authentication, as this might be an issue).
  3 - A downstream node that is currently hopping through a different node to get to the root, but could potentially have a better route metric if it hopped through this node.
  2 - Reserved for active peer to peer routes; not currently used.
  1 - A neighbor bound to the same recommended root that does not have a potential route metric as good as the neighbors ranked 8 and 7.
  0 - A neighbor bound to a different root node.
  -1 - Not a member of the mesh, as it has a different mesh ID.
  All client devices hold a rank of 3 and can replace any mesh devices lower than that rank.
Age: Displays the number of milliseconds since the mesh point last heard from this neighbor.

The Security tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Radio Interface: Indicates the interface used by the device to communicate with this neighbor. The values are 2.4 and 5.8, indicating the frequency of the radio used to communicate with the neighbor.
Interface ID: The IFID uniquely identifies an interface associated with the MPID. Each mesh point on a device can be associated with one or more interfaces.
State: Displays the link state for each mesh point:
  Init - indicates the link has not been established or has expired.
  Enabled - indicates the link is available for communication.
  Failed - indicates the attempt to establish the link failed and cannot be retried yet.
  In Progress - indicates the link is being established but is not yet available.
Timeout: Displays the maximum value in seconds that the link is allowed to stay in the In Progress state before timing out.
Keep Alive: Yes indicates the local MP acts as a supplicant to authenticate the link and not let it expire (if possible). No indicates the local MP does not need the link and will let it expire if it is not maintained by the remote MP.

The Proxy tab displays the following:
Mesh Point Name: Displays the name of each configured mesh point in the RF Domain.
Mesh Point Identifier: The destination is the endpoint of the mesh path. It may be a MAC address or a mesh point ID.
Proxy Address: Displays the MAC address of the proxy used in the mesh point.
Age: Displays the age of the proxy connection for each of the mesh points in the RF Domain.
Proxy Owner: The owner (MPID) is used to distinguish the device that is the neighbor.
VLAN: The VLAN ID used as a virtual interface with this proxy. A value of 4095 indicates that there is no VLAN ID.

12 Select Device Data Transmit.
13 Review the following transmit and receive statistics for mesh nodes:
Figure 15-26 RF Domain - Mesh Point Device Data Transmit screen

Data Bytes (Bytes): Transmitted Bytes: Displays the total amount of data, in bytes, transmitted by mesh points in the RF Domain.
Data Bytes (Bytes): Received Bytes: Displays the total amount of data, in bytes, received by mesh points in the RF Domain.
Data Bytes (Bytes): Total Bytes: Displays the total amount of data, in bytes, transmitted and received by mesh points in the RF Domain.
Data Packets Throughput (Kbps): Transmitted Packets: Displays the total amount of data, in packets, transmitted by mesh points in the RF Domain.
Data Packets Throughput (Kbps): Received Packets: Displays the total amount of data, in packets, received by mesh points in the RF Domain.
Data Packets Throughput (Kbps): Total Packets: Displays the total amount of data, in packets, transmitted and received by mesh points in the RF Domain.
Data Rates (bps): Transmit Data Rate: Displays the average data rate, in kbps, for all data transmitted by mesh points in the RF Domain.
Data Rates (bps): Receive Data Rate: Displays the average data rate, in kbps, for all data received by mesh points in the RF Domain.
Data Rates (bps): Total Data Rate: Displays the average data rate, in kbps, for all data transmitted and received by mesh points in the RF Domain.
Packets Rate (pps): Transmitting Packet Rate: Displays the average packet rate, in packets per second, for all data transmitted by mesh points in the RF Domain.
Packets Rate (pps): Received Packet Rate: Displays the average packet rate, in packets per second, for all data received by mesh points in the RF Domain.
Packets Rate (pps): Total Packet Rate: Displays the average data packet rate, in packets per second, for all data transmitted and received by mesh points in the RF Domain.
Data Packets Dropped and Errors: Tx Dropped: Displays the total number of transmissions that were dropped by mesh points in the RF Domain.
Data Packets Dropped and Errors: Rx Errors: Displays the total number of receive errors from mesh points in the RF Domain.
Broadcast Packets: Tx Bcast/Mcast Pkts: Displays the total number of broadcast and multicast packets transmitted from mesh points in the RF Domain.
Broadcast Packets: Rx Bcast/Mcast Pkts: Displays the total number of broadcast and multicast packets received from mesh points in the RF Domain.
Broadcast Packets: Total Bcast/Mcast Pkts: Displays the total number of broadcast and multicast packets transmitted and received from mesh points in the RF Domain.
Management Packets: Transmitted by the node: Displays the total number of management packets transmitted through the mesh point node.
Management Packets: Received by the node: Displays the total number of management packets received through the mesh point node.
Management Packets: Total Through the domain: Displays the total number of management packets transmitted and received through the mesh point node.
Data Indicators: Traffic Index: Displays True or False to indicate whether a traffic index is present.
Data Indicators: Max User Rate: Displays the maximum user throughput rate for mesh points in the RF Domain.
Data Distribution: Neighbor Count: Displays the total number of neighbors known to the mesh points in the RF Domain.
Data Distribution: Radio Count: Displays the total number of neighbor radios known to the mesh points in the RF Domain.
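The Neighbors tab's Rank and Resourced columns and the Path tab's Hops column describe a small allocation and capacity rule: a mesh point with more neighbors than slots keeps the highest ranked ones, clients compete at rank 3, and each additional hop on a single shared radio roughly halves throughput. The Python below applies those rules to a constructed neighbor table. It is an added example, not code from the WiNG product or this guide: the rank meanings and the client rank come from the text, while the slot capacity, the neighbor records, the tie-breaking on Link Metric and the reading of the halving rule (first hop at full rate) are assumptions.

```python
"""Rank-based neighbor resourcing and hop-count check for a mesh point.

Added example for the Neighbors tab (Rank, Resourced, Mesh Root Hops) and the
Path tab (Hops). Not code from the WiNG product: the rank meanings and the
rule that client devices hold rank 3 come from the guide; the capacity figure,
the neighbor records and the tie-breaking order are constructed assumptions.
"""
from dataclasses import dataclass

# Rank meanings as listed under the Neighbors tab.
RANK_MEANING = {
    8: "current next hop to the recommended root",
    7: "secondary next hop to the recommended root with a good metric",
    6: "next hop to an alternate root node",
    5: "downstream node currently hopping through this node",
    4: "downstream node that could hop through this node but hops through none",
    3: "downstream node hopping through another node, possibly better via this one",
    2: "reserved for active peer-to-peer routes (unused)",
    1: "bound to the same recommended root, poorer potential metric",
    0: "bound to a different root node",
    -1: "different mesh ID, not a member of this mesh",
}
CLIENT_RANK = 3           # all client devices hold a rank of 3
MAX_RECOMMENDED_HOPS = 4  # hops to a root should not exceed 4 in practice


@dataclass
class Neighbor:
    mp_id: str               # Neighbor MP ID (constructed MAC-style value)
    rank: int                # Rank column
    link_metric: int         # Link Metric column, lower is better
    resourced: bool = False  # Resourced column, set by allocate_resources


def allocate_resources(neighbors, client_count, capacity):
    """Decide which neighbors are Resourced when slots are scarce.

    Assumed policy (the guide gives the ranks, not the algorithm): slots go to
    the highest rank first, a lower Link Metric breaks ties, and connected
    clients compete at CLIENT_RANK, so a client displaces any mesh neighbor
    ranked 0..2. Rank -1 neighbors never get a slot. Returns the number of
    clients that could not be served.
    """
    if capacity < 0 or client_count < 0:
        raise ValueError("capacity and client_count must be non-negative")
    for n in neighbors:
        if n.rank not in RANK_MEANING:
            raise ValueError(f"{n.mp_id}: rank {n.rank} outside -1..8")
        n.resourced = False
    # (rank, link metric, is_client, neighbor); clients carry metric 0 and sort
    # after a mesh neighbor of equal rank and metric so they never displace it.
    candidates = [(n.rank, n.link_metric, False, n) for n in neighbors if n.rank >= 0]
    candidates += [(CLIENT_RANK, 0, True, None)] * client_count
    candidates.sort(key=lambda c: (-c[0], c[1], c[2]))
    unserved_clients = 0
    for slot, (_, _, is_client, n) in enumerate(candidates):
        if slot < capacity:
            if not is_client:
                n.resourced = True
        elif is_client:
            unserved_clients += 1
    return unserved_clients


def relative_throughput(hops, shared_interface=True):
    """Rough throughput fraction for a path `hops` away from its root.

    The guide says that when one interface both transmits and receives,
    roughly half the performance is lost with every additional hop out; the
    first hop is taken here as full rate (an assumption). Returns the fraction
    and whether the hop count is within the recommended limit of 4.
    """
    if hops < 0:
        raise ValueError("hops cannot be negative")
    fraction = 0.5 ** max(hops - 1, 0) if shared_interface else 1.0
    return fraction, hops <= MAX_RECOMMENDED_HOPS


def sample_neighbors():
    """Constructed neighbor table for a single mesh point."""
    return [
        Neighbor("00:00:5E:00:53:01", 8, 12),
        Neighbor("00:00:5E:00:53:02", 7, 20),
        Neighbor("00:00:5E:00:53:03", 1, 15),
        Neighbor("00:00:5E:00:53:04", 0, 5),
        Neighbor("00:00:5E:00:53:05", -1, 9),
    ]


if __name__ == "__main__":
    table = sample_neighbors()
    left_out = allocate_resources(table, client_count=2, capacity=3)
    for n in table:
        print(n.mp_id, n.rank, RANK_MEANING[n.rank], "resourced" if n.resourced else "-")
    print("clients unserved:", left_out)
    print("5 hops:", relative_throughput(5))
```

With three slots and two clients, the rank 8 and rank 7 next hops keep their resources, one client is served and the other is not, and the rank 1 and rank 0 neighbors are left unresourced, which is the displacement the Rank column's note about clients describes. A 5-hop path comes back at one sixteenth of the single-hop rate and flagged as over the recommended limit.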
15.2.12 SMART RF RF Domain Statistics

When invoked by an administrator, Self-Monitoring At Run Time (Smart RF) instructs Access Point radios to change to a specific channel and begin beaconing using the maximum available transmit power. Within a well-planned deployment, any RF Domain member Access Point radio should be reachable by at least one other radio. Smart RF records signals received from its neighbors as well as signals from external, unmanaged radios. AP-to-AP distance is recorded in terms of signal attenuation. The information from external radios is used during channel assignment to minimize interference.

To view the Smart RF summary for RF Domain member Access Point radios:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select SMART RF from the RF Domain menu.
4 Expand the SMART RF menu and select Summary.

The summary screen enables administrators to assess the efficiency of RF Domain member device channel distributions, sources of interference potentially requiring Smart RF adjustments, top performing RF Domain member device radios and the number of power, channel and coverage changes required as part of a Smart RF performance compensation activity.

Figure 15-27 RF Domain - Smart RF Summary screen

5 The Channel Distribution field lists how RF Domain member devices are utilizing different channels to optimally support connected devices and avoid congestion and interference with neighboring devices. Assess whether the channel spectrum is being effectively utilized and whether channel changes are warranted to improve RF Domain member device performance.

6 Review the Top 10 interference table to assess RF Domain member devices whose level of interference exceeds the threshold set (from -100 to -10 dBm) for acceptable performance.

Interferer: Lists the administrator defined name of the interfering RF Domain member device.
Vendor: Displays the vendor name (manufacturer) of the interfering RF Domain member device radio.
Radio: Lists each offending device's radio name contributing to the top 10 interference listing.
Radio MAC: Displays the factory encoded hardware MAC address assigned to the RF Domain member device radio.
Channel: Displays the channel each of the 10 poorly performing RF Domain member devices was detected on. Numerous interfering devices on the same channel could indicate the need for better channel segregation to reduce the levels of detected interference.
RSSI: Lists a relative signal strength indication (RSSI) in dBm for those RF Domain member devices falling into the poorest performing 10 devices based on the administrator defined threshold value.

7 Review the Top 5 Active Radios to assess the significance of any Smart RF initiated compensations versus their reported top performance.

Radio MAC: Lists the hardware encoded MAC address of each listed top performing RF Domain member device radio.
RF Band: Displays the top performing radio's operating band. This may help an administrator determine whether more changes were required in the 2.4 GHz band than in 5 GHz, or vice versa.
AP Name: Lists the administrator assigned Access Point name used to differentiate it from other RF Domain member Access Point radios. The name displays as a link that can be selected to display device information in greater detail.
Power Changes: Displays the number of Smart RF initiated power level changes reported for this top performing RF Domain member radio.
Channel Changes: Displays the number of Smart RF initiated channel changes reported for this top performing RF Domain member radio.
Coverage Changes: Displays the number of Smart RF initiated coverage changes reported for this top performing RF Domain member radio.

8 Refer to the SMART RF Activity table to view the trending of Smart RF compensations.

Time Period: Lists the frequency at which Smart RF activity is trended for the RF Domain. Trending periods include the Current Hour, Last 24 Hours or the Last Seven Days. Comparing Smart RF adjustments against the last seven days enables an administrator to assess whether periods of interference and poor performance were confined to specific periods.
Power Changes: Displays the number of Smart RF initiated power level changes needed for RF Domain member devices during each of the three trending periods. Determine whether power compensations were confined to known device outages or whether compensations were consistent over the course of a day or week.
Channel Changes: Lists the number of Smart RF initiated channel changes needed for RF Domain member devices during each of the three trending periods. Determine whether channel adjustments were confined to known device count increases or decreases over the course of a day or week.
Coverage Changes: Displays the number of Smart RF initiated coverage changes needed for RF Domain member devices during each of the three trending periods. Determine whether coverage changes were confined to known device failures or known periods of interference over the course of a day or week.

9 Select Refresh to update the Summary to its latest RF Domain Smart RF information.

10 Select Details from the RF Domain menu. Refer to the General field to review the radio's factory encoded hardware MAC address, the radio index assigned by the administrator, the 802.11 radio type, its current operational state, the radio's AP hostname assigned by an administrator, and its current operating channel and power.

Figure 15-28 RF Domain - Smart RF Details screen

Refer to the Neighbors table to review the attributes of neighbor radio resources available for Smart RF radio compensations for other RF Domain member device radios. Individual Access Point hostnames can be selected and the RF Domain member radio reviewed in greater detail. Attenuation is a measure of the reduction of signal strength during transmission. Attenuation is the opposite of amplification, and is normal when a signal is sent from one point to another. If the signal attenuates too much, it becomes unintelligible. Attenuation is measured in decibels. The radio's current operating channel is also displayed, as are the radio's hard coded MAC address, transmit power level and administrator assigned ID. Select Refresh at any time to update the Details screen to its latest values.

11 Select the Energy Graph tab. Use the Energy Graph to review the radio's operating channel, noise level and neighbor count. This information helps assess whether Smart RF neighbor recovery is needed in respect to poorly performing radios.

12 Select Smart RF History to review the descriptions and types of Smart RF events impacting RF Domain member devices.

Figure 15-29 RF Domain - Smart RF Energy Graph

Figure 15-30 RF Domain - Smart RF History screen

The SMART RF History screen displays the following RF Domain member historical data:

Time: Displays a time stamp when Smart RF status was updated on behalf of a Smart RF adjustment within the selected RF Domain.
Type: Lists a high-level description of the Smart RF activity initiated for an RF Domain member device.
Description: Provides a more detailed description of the Smart RF event in respect to the actual Smart RF calibration or adjustment made to compensate for detected coverage holes and interference.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.13 WIPS RF Domain Statistics

Refer to the Wireless Intrusion Protection Software (WIPS) screens to review a client blacklist and events reported by an RF Domain member Access Point. For more information, see:
WIPS Client Blacklist
WIPS Events

15.2.13.1 WIPS Client Blacklist

The Client Blacklist displays clients detected by WIPS and removed from RF Domain utilization. Blacklisted clients are not allowed to associate to RF Domain member Access Point radios.

To view the WIPS client blacklist:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Expand the WIPS menu item and select Client Blacklist.

The WIPS Client Blacklist screen displays the following:

Figure 15-31 RF Domain - WIPS Client Blacklist screen

Event Name: Displays the name of the blacklisting wireless intrusion event detected by an RF Domain member Access Point.
Blacklisted Client: Displays the MAC address of the unauthorized (blacklisted) client intruding on the RF Domain.
Time Blacklisted: Displays the time when the wireless client was blacklisted by an RF Domain member Access Point.
Total Time: Displays the time the unauthorized (now blacklisted) device remained in the RF Domain.
Time Left: Displays the time the blacklisted client remains on the list.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.13.2 WIPS Events

Refer to the WIPS Events screen to assess WIPS events detected by RF Domain member Access Point radios and reported to the controller or service platform.

To view the rogue Access Point statistics:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Expand the WIPS menu item and select WIPS Events.

The WIPS Events screen displays the following:

Figure 15-32 RF Domain - WIPS Events screen

Event Name: Displays the event name of the intrusion detected by an RF Domain member Access Point.
Reporting AP: Displays the MAC address of the RF Domain member Access Point reporting the event.
Originating Device: Displays the MAC address of the device generating the event.
Detector Radio: Displays the radio number detecting the WIPS event.
Time Reported: Displays a time stamp of when the event was reported by the RF Domain member Access Point radio.
Clear All: Select the Clear All button to clear the statistics counters and begin a new data collection.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.14 Captive Portal RF Domain Statistics

A captive portal is a guest access policy for providing guests temporary and restricted access to the controller or service platform managed wireless network. Captive portal authentication is used primarily for guest or visitor access to the network, but is increasingly being used to provide authenticated access to private network resources when 802.1X EAP is not a viable option. Captive portal authentication does not provide end-user data encryption, but it can be used with static WEP, WPA-PSK or WPA2-PSK encryption.

To view the RF Domain captive portal statistics:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select Captive Portal from the RF Domain menu.

The screen displays the following Captive Portal data for requesting clients:

Figure 15-33 RF Domain - Captive Portal

Client MAC: Displays the MAC address of each listed client requesting captive portal access to the controller or service platform managed network. This address can be selected to display client information in greater detail.
Hostname: Lists the administrator assigned hostname of the device requesting captive portal access to the RF Domain's network resources.
Client IP: Displays the IPv4 formatted address of each listed client using its connected RF Domain member Access Point for captive portal access.
Client IPv6: Displays any IPv6 formatted address of any listed client using its connected RF Domain member Access Point for captive portal access. IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Captive Portal: Lists the name of the RF Domain captive portal currently utilized by each listed client.
Port Name: Lists the name of the virtual port used for captive portal session direction.
Authentication: Displays the authentication status of requesting clients attempting to connect to the controller or service platform via the captive portal.
WLAN: Displays the name of the WLAN the requesting client would use for interoperation with the controller or service platform.
VLAN: Displays the name of the VLAN the client would use as a virtual interface for captive portal operation with the controller or service platform.
Remaining Time: Displays the time after which a connected client is disconnected from the captive portal.
Refresh: Select the Refresh button to update the statistics counters to their latest values.
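The WIPS Events and WIPS Client Blacklist screens described above are two views of one pipeline: a radio reports an intrusion event, the offending client is placed on the blacklist with a Time Blacklisted and a Time Left, and RF Domain member radios refuse its association until the entry expires. The Python below models that pipeline as an added example; it is not the controller's code. The column names follow the guide, while the event names, MAC addresses, timestamps and the per-event blacklist durations are constructed assumptions.

```python
"""WIPS client blacklist as a small state machine.

Added example for the WIPS Events and WIPS Client Blacklist screens; not the
controller's implementation. Column names come from the guide; event names,
MAC addresses, timestamps and per-event durations are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Constructed: how long each event type keeps a client on the list. A real
# deployment takes these from its WIPS policy; the guide gives no values.
BLACKLIST_DURATION = {
    "EXCESSIVE_PROBES": timedelta(minutes=5),
    "DEAUTH_FLOOD": timedelta(minutes=30),
}
_MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")


def normalize_mac(mac):
    """Canonical lower-case, colon-separated form; rejects malformed input."""
    mac = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(mac):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return mac


@dataclass
class WipsEvent:               # one row of the WIPS Events screen
    event_name: str
    reporting_ap: str
    originating_device: str
    detector_radio: int
    time_reported: datetime


@dataclass
class BlacklistEntry:          # one row of the WIPS Client Blacklist screen
    event_name: str
    client: str
    time_blacklisted: datetime
    expires: datetime

    def time_left(self, now):
        """Time Left column, never negative."""
        return max(self.expires - now, timedelta(0))


class ClientBlacklist:
    def __init__(self):
        self._entries = {}     # client MAC -> BlacklistEntry

    def ingest(self, event):
        """Apply a WIPS event. Events with no blacklisting action are only
        logged; a repeat offender keeps whichever expiry is later."""
        duration = BLACKLIST_DURATION.get(event.event_name)
        if duration is None:
            return None
        mac = normalize_mac(event.originating_device)
        entry = BlacklistEntry(event.event_name, mac, event.time_reported,
                               event.time_reported + duration)
        current = self._entries.get(mac)
        if current is None or entry.expires > current.expires:
            self._entries[mac] = entry
        return self._entries[mac]

    def expire(self, now):
        """Drop entries whose Time Left has reached zero; returns their MACs."""
        gone = [m for m, e in self._entries.items() if e.expires <= now]
        for m in gone:
            del self._entries[m]
        return gone

    def association_allowed(self, mac, now):
        """The check a member radio applies before accepting an association."""
        self.expire(now)
        return normalize_mac(mac) not in self._entries

    def rows(self, now):
        """Client Blacklist table: (event, client, time blacklisted, seconds left)."""
        self.expire(now)
        return [(e.event_name, e.client, e.time_blacklisted.isoformat(),
                 int(e.time_left(now).total_seconds()))
                for e in sorted(self._entries.values(), key=lambda e: e.time_blacklisted)]


def sample_time(hour, minute):
    """Constructed clock for the sample data (all on 2024-01-01)."""
    return datetime(2024, 1, 1, hour, minute)


# Constructed sample events, not captured from a real controller.
SAMPLE_EVENTS = [
    WipsEvent("DEAUTH_FLOOD", "00:00:5E:00:53:A1", "02:00:5E:00:00:01", 1, sample_time(10, 0)),
    WipsEvent("EXCESSIVE_PROBES", "00:00:5E:00:53:A2", "02-00-5E-00-00-02", 2, sample_time(10, 10)),
    WipsEvent("ROGUE_AP_SEEN", "00:00:5E:00:53:A1", "02:00:5E:00:00:03", 1, sample_time(10, 12)),
]


def build_sample():
    bl = ClientBlacklist()
    for ev in SAMPLE_EVENTS:
        bl.ingest(ev)
    return bl


if __name__ == "__main__":
    bl = build_sample()
    for row in bl.rows(sample_time(10, 14)):
        print(row)
```

Note that the third sample event is logged but never blacklists anyone, which is the distinction between the WIPS Events screen (every detection) and the Client Blacklist (only clients the policy removed). The association check calls expire first so that a client whose Time Left has reached zero is admitted again without a separate housekeeping pass, and MAC addresses are normalized before lookup so that the hyphenated and colon-separated spellings of one address cannot bypass the list.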
15.2.15 Application Visibility (AVC) RF Domain Statistics

RF Domain member devices inspect every byte of each application header packet allowed to pass through the WiNG managed network. When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. For information on categorizing, filtering and logging the application data allowed to proliferate through the WiNG managed network, refer to Application Policy on page 7-54 and Application on page 7-58.

To view the RF Domain application utilization statistics:

1 Select the Statistics menu from the Web UI.
2 Select an RF Domain from under the System node on the top, left-hand side of the screen.
3 Select Application Visibility (AVC) from the RF Domain menu.

Figure 15-34 RF Domain - Application Visibility

4 Refer to the Top Applications graph to assess the most prolific, and allowed, application data passing through RF Domain member devices.

Total Bytes: Displays the top ten RF Domain member utilized applications in respect to total data bytes passing through the RF Domain member WiNG managed network. These are only the administrator allowed applications approved for proliferation within the RF Domain member device.
Bytes Uploaded: Displays the top ten RF Domain member applications in respect to total data bytes uploaded through the RF Domain member WiNG managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
Bytes Downloaded: Displays the top ten RF Domain member applications in respect to total data bytes downloaded from the RF Domain member WiNG managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).

5 Refer to the Application Detailed Stats table to assess specific application data utilization:

Application Name: Lists the RF Domain member allowed application name whose data (bytes) are passing through the WiNG managed network.
Uploaded: Displays the amount of uploaded application data (in bytes) passing through the WiNG managed network.
Downloaded: Displays the amount of downloaded application data (in bytes) passing through the WiNG managed network.
Num Flows: Lists the total number of application data flows passing through RF Domain member devices for each listed application. An application flow can consist of packets in a specific connection or media stream. Application packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats: Select this option to clear the application assessment data counters and begin a new assessment.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

6 Select the Category tab. Categories are existing WiNG or user defined application groups (video, streaming, mobile, audio etc.) that assist administrators in filtering (allowing or denying) application data. For information on categorizing application data, refer to Application Policy on page 7-54 and Application on page 7-58.

Figure 15-35 RF Domain - Application Category Visibility

7 Refer to the Top Categories graph to assess the most prolific, and allowed, application data categories utilized by RF Domain member devices.

Total Bytes: Displays the top ten RF Domain member application categories in respect to total data bytes passing through the RF Domain member WiNG managed network. These are only the administrator allowed application categories approved for proliferation within the RF Domain.
Bytes Uploaded: Displays the top ten RF Domain member application categories in respect to total data bytes uploaded through the RF Domain member WiNG managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).
Bytes Downloaded: Displays the top ten RF Domain member application categories in respect to total data bytes downloaded from the RF Domain member WiNG managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).

8 Refer to the Category Detailed Stats table to assess specific application category data utilization:

Category Name: Lists the RF Domain member allowed category whose application data (in bytes) is passing through the WiNG managed network.
Uploaded: Displays the amount of uploaded application category data (in bytes) passing through the WiNG managed network.
Downloaded: Displays the amount of downloaded application category data (in bytes) passing through the WiNG managed network.
Num Flows: Lists the total number of application category data flows passing through RF Domain member devices. A category flow can consist of packets in a specific connection or media stream. Packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats: Select this option to clear the application category assessment data counters and begin a new assessment.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.2.16 Coverage Hole Summary RF Domain Statistics

Periodically refer to a selected RF Domain's coverage hole summary to assess the RF Domain member Access Point radios reporting coverage hole adjustments. When coverage hole recovery is enabled and a deployment area radio coverage hole is detected, Smart RF determines the radio's power increase compensation required based on a reporting client's signal to noise ratio (SNR). If a client's SNR is above the administrator threshold, its connected Access Point's transmit power is increased until the noise rate falls below the threshold.

To view an RF Domain's coverage hole summary:
1 Select the Statistics menu from the Web UI. 2 Select a RF Domain from under the System node on the top, left-hand side, of the screen. 3 Select Coverage Hole Detection from the RF Domain menu and expand this item to display its submenu options. 4 Select Summary. Wireless Controller and Service Platform System Reference Guide 15 - 61 Statistics The screen displays the following RF Domain coverage hole summarization data:
Figure 15-36 RF Domain - Coverage Hole Summary AP Hostname Coverage Hole Incidents Count Clear Coverage Incidents Refresh Displays each RF Domain member Access Point hostname reporting a coverage hole compensation event. This can be helpful in assessing whether specific Access Points consistently report coverage holes and whether additional Access Point placements are required to compensate for poorly performing radios. Lists each reporting Access Points coverage hole incident count since the screen was last cleared. Periodically assess whether a specific Access Points high incident count over a trended repeatable period warrants additional Access Point placements in that same radio coverage area to reduce a coverage hole. Select this option to clear the statistics counters and begin a new coverage hole summary for RF Domain member Access Point radios. Select the Refresh button to update the statistics counters to their latest values. 15.2.17 Coverage Hole Details RF Domain Statistics In addition to the RF Domains Coverage Hole Summary, a specific Access Points coverage hole history can be reviewed in detail. Consider using different RF Domain member Access Points or their connected clients to help validate the data reported before compensating for the coverage hole by increasing the radio transmit power of neighboring Access Points. To review specific RF Domain member Access Point coverage hole information:
1 Select the Statistics menu from the Web UI. 2 Select a RF Domain from under the System node on the top, left-hand side, of the screen. Wireless Controller and Service Platform System Reference Guide 15 - 62 3 Select Coverage Hole Detection from the RF Domain menu and expand this item to display its submenu options. 4 Select Detail. Statistics Figure 15-37 RF Domain - Coverage Hole Details 5 Use the Filtered By option to define whether the RF Domains coverage hole details are provided by a selected Access Point (AP) or by a specific RF Domain member Access Points connected Client. Consider filtering by different RF Domain member devices to validate the accuracy of a reported coverage hole before increasing the transmit power of neighboring radios to compensate. 6 Refer to the Enter MAC Address parameter to define a RF Domain member Access Point MAC address or Hostname or just a client MAC address. This is the selected device reporting coverage hole details to the listed RF Domain member Access Point. 7 Select Filter to begin the coverage hole data collection using the Access Point or client details provided. Refer to the following to review the data reported:
Hostname - Lists the administrator assigned hostname used as each listed Access Point's network identifier. This is the Access Point whose client(s) are reporting coverage hole RSSI data.
Radio - Lists the Access Point radio receiving and reporting coverage hole RSSI data from the listed client MAC. Each supported Access Point has at least two radios, with the exception of the AP6521 model, which is a single-radio model.
BSSID - Displays the basic service set identifier (BSSID) included in an Access Point's wireless packet transmissions. Packets need to go to their correct destination. While a SSID keeps packets within the correct WLAN, there are usually multiple Access Points within each WLAN. A BSSID identifies the correct Access Point and its connected clients.
Client MAC - Lists each connected client's hardware encoded MAC address. This is the client reporting coverage hole RSSI data to its connected Access Point radio.
RSSI - Displays the Received Signal Strength Indicator (RSSI) of the detecting Access Point radio or client.
Date-Time - Displays the date and time when each listed Access Point received its coverage hole incident information.
Clear Coverage Incidents - Select this option to clear the statistics counters and begin a new coverage hole assessment for RF Domain member Access Point radios.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.3 Controller Statistics

The Wireless Controller screen displays information about peer controllers or service platforms and their connected Access Points. As members of a cluster, a controller or service platform manages its own network and is ready to assume the load of an offline peer. The screen displays detailed statistics which include network health, inventory of devices, wireless clients, adopted APs, rogue APs and WLANs. For more information, refer to the following:
Health
Device
Cluster Peers
Web-Filtering
Application Visibility (AVC)
Application Policy
Device Upgrade
Mirroring
Adoption
AP Detection
Guest User
Wireless LANs
Policy Based Routing
Radios
Mesh
RAID Statistics
Border Gateway Protocol (BGP) Statistics
Power Status
PPPoE
OSPF
L2TPv3
VRRP
Critical Resources
LDAP Agent Status
Mint Links
Guest Users
GRE Tunnels
Dot1x
Network
DHCPv6 Relay & Client
Interfaces
DHCP Server
Firewall
VPN
Viewing Certificate Statistics
WIPS Statistics
Sensor Server
Bonjour Services
Captive Portal Statistics
Network Time

15.3.1 Health

The Health screen displays details such as hostname, device name, RF Domain name, radio RF quality and client RF quality. To view controller or service platform device health data:
1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Health from the left-hand side of the UI.

The Device Details field displays the following:
Figure 15-38 Wireless Controller - Health screen

Hostname - Displays the administrator assigned hostname of the controller or service platform.
Device MAC - Displays the MAC address of the controller.
Primary IP - Lists the network address used by this controller or service platform as a network identifier.
Type - Displays the RFS series controller or NX series service platform type.
RF Domain Name - Displays the controller's domain membership. The name displays in the form of a link that can be selected to display a detailed description of the RF Domain configuration.
Model Number - Displays the RFS series controller or NX series service platform type.
Version - Displays the version of the image running on the controller or service platform.
Uptime - Displays the cumulative time since the controller or service platform was last rebooted or lost power.
CPU - Displays the controller or service platform processor name.
RAM - Displays the CPU memory in use.
System Clock - Displays the system clock information.

The Access Point Health (w/ cluster members) chart shows how many Access Points are online and how many are offline. These are APs with cluster members directly managed by the wireless controller. This data does not include Access Points associated to other controllers or service platforms in the same cluster.

The Radio RF Quality Index field displays RF quality (overall effectiveness of the RF environment). Use this table to assess radio performance for improvement ideas. The RF Quality Index field displays the following:
RF Quality Index - Displays the five radios with the lowest average quality.
Radio Id - Displays the hardware encoded MAC address of the radio.
Radio Type - Displays the radio type used by this Access Point.

The Radio Utilization Index field measures how efficiently the traffic medium is used. It is defined as the percentage of the current throughput relative to the maximum possible throughput:
Total Bytes - Displays the total bytes of data transmitted and received by the controller or service platform since the screen was last refreshed.
Total Packets - Lists the total number of data packets transmitted and received by the controller or service platform since the screen was last refreshed.
Total Dropped - Lists the number of data packets dropped by a controller or service platform managed Access Point radio since the screen was last refreshed.

The Client RF Quality Index field displays the RF quality of the clients. Use this table to troubleshoot radios not optimally performing:
Worst 5 - Displays the five client radios with the lowest quality indices.
Client MAC - Displays the MAC address of the client.
Retry Rate - Displays the excessive retry rate of each listed controller or service platform managed client.

4 Select Refresh to update the statistics counters to their latest values.

15.3.2 Device

The Device statistics screen provides detailed information about the selected device. To view controller or service platform device statistics:
1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Device from the left-hand side of the UI.

The System field displays the following:
Figure 15-39 Wireless Controller - Device screen

Model Number - Displays the model number for the selected controller or service platform.
Serial Number - Displays the serial number encoded on the controller or service platform at the factory.
Version - Displays the unique alphanumeric firmware version name for the controller or service platform firmware.
Boot Partition - Displays the boot partitioning type.
Fallback Enabled - Displays whether fallback is enabled. The fallback feature enables a user to store both a legacy and a new firmware version in memory. You can test the new software and use an automatic fallback mechanism, which loads the old version if the new version fails.
Fallback Image Triggered - Displays whether the fallback image has been triggered. The fallback is a legacy software image stored in device memory. This allows a user to test a new version and revert to the older version if needed.
Next Boot - Designates this version as the version used the next time the controller or service platform is booted.

The System Resources field displays the following:
Available Memory (MB) - Displays the memory (in MB) available on the selected controller or service platform.
Total Memory (MB) - Displays the controller or service platform's total memory.
Currently Free RAM - Displays the Access Point's free RAM space. If it is very low, free up some space by closing some processes.
Recommended Free RAM - Displays the recommended RAM required for routine operation.
Current File Descriptors - Displays the controller or service platform's current file descriptor count.
Maximum File Descriptors - Displays the controller or service platform's maximum file descriptor count.
CPU Load 1 Minute - Lists the typical controller or service platform processor load over 1 minute.
CPU Load 5 Minutes - Lists the typical controller or service platform processor load over 5 minutes.
CPU Load 15 Minutes - Lists the typical controller or service platform processor load over 15 minutes.

The Upgrade Status field displays firmware upgrade statistics. The table provides the following:
Upgrade Status - Displays whether the image upgrade was successful.
Upgrade Status Time - Displays the time of the upgrade.

The IP Domain field displays the following:
IP Domain Name - Displays the name of the IP Domain service used with the selected controller or service platform.
IP Domain Lookup state - Lists the current state of the lookup operation.

The Fan Speed field displays the following:
Number - Displays the number of fans supported on this controller or service platform.
Speed (Hz) - Displays the fan speed in Hz.

The Temperature field displays the following:
Number - Displays the number of temperature elements used by the controller or service platform.
Temperature - Displays the current temperature (in Celsius) to assess a potential Access Point overheat condition.

The Kernel Buffers field displays the following:
Buffer Size - Lists the sequential buffer size.
Current Buffers - Displays the current buffers available to the selected controller or service platform.
Maximum Buffers - Lists the maximum buffers available to the selected controller or service platform.

The Firmware Images field displays the following:
Primary Build Date - Displays the build date when this version was created.
Primary Install Date - Displays the date this version was installed on the controller or service platform.
Primary Version - Displays the primary version string.
Secondary Build Date - Displays the build date when this secondary version was created.
Secondary Install Date - Displays the date this secondary version was installed on the controller or service platform.
Secondary Version - Displays the secondary version string.
FPGA Version - Displays the version of FPGA firmware used by the controller or service platform.
PoE Version Firmware - Lists the Power-over-Ethernet (PoE) firmware version.

The AP Licenses field displays the following:
AP Licenses - Displays the number of AP licenses currently available on the controller or service platform. This value represents the maximum number of licenses the controller or service platform can adopt.
AP Adoptions - Displays the number of Access Points adopted by this controller or service platform.
AP License - Displays the license string of the AP.

The AAP Licenses field displays the following:
AAP Licenses - Displays the number of AAP licenses currently available on the controller or service platform. This value represents the maximum number of licenses the controller or service platform can adopt.
AAP Adoptions - Displays the number of adaptive Access Points adopted by this controller or service platform.
AAP License - Displays the license string of the adaptive Access Point.

The Additional Licenses area displays the following information:
ADSEC - Displays Advanced Security licenses. This enables the Role Based firewall and increases the number of IPsec VPN tunnels. The maximum number of IPsec VPN tunnels varies by platform.
WIPS - Displays the number of WIPS licenses utilized by the controller or service platform.
Hotspot Analytics - Displays whether an advanced hotspot analytics license is in use and applied to the controller or service platform.

The IP Name Servers table displays the following:
Name Server - Displays any custom Name Server mappings on the controller or service platform.
Type - Displays the type of DNS mapping, if any, on the controller or service platform.

The IPv6 Name Servers table displays the following:
Name Server - Displays any custom IPv6 formatted IP address Name Server mappings on the controller or service platform.
Type - Displays the type of DNS mapping, if any, on the controller or service platform.

The IPv6 Hop Limit table displays the following:
Hop Limit - Lists the maximum number of times IPv6 traffic can hop. The IPv6 header contains a hop limit field that controls the number of hops a datagram can be sent before being discarded (similar to the TTL field in an IPv4 header).

The IPv6 Delegated Prefixes table displays the following:
IPv6 Delegated Prefix - In IPv6, prefix delegation is used to assign a network address prefix, configuring the controller or service platform with the prefix.
Prefix Name - Lists the 32 character maximum name for the IPv6 delegated prefix, used as an easy to remember alias for an entire IPv6 address.
DHCPv6 Client State - Displays the current DHCPv6 client state as impacted by the IPv6 delegated prefix.
Interface Name - Lists the interface over which IPv6 prefix delegation occurs.
T1 timer (seconds) - Lists the amount of time in seconds before the DHCP T1 (delay before renew) timer expires.
T2 timer (seconds) - Lists the amount of time in seconds before the DHCP T2 (delay before rebind) timer expires.
Last Refreshed (seconds) - Lists the time, in seconds, since the IPv6 prefix delegation was last updated.
Preferred Lifetime (seconds) - Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds) - Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

15.3.3 Cluster Peers

Refer to the Cluster Peers screen to review device address and version information for peer devices within a cluster. To view controller or service platform cluster peer statistics:
1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Cluster Peers from the left-hand side of the UI.

The Cluster Peers screen displays the following:
Figure 15-40 Wireless Controller - Cluster Peers screen

Wireless Controller - Displays the IP addresses of current cluster member controllers or service platforms. The name displays in the form of a link that can be selected to display a detailed description of the controller or service platform's configuration.
MAC Address - Displays the MAC addresses of current cluster members.
Type - Displays the type of cluster peer (by controller or service platform model).
RF Domain Name - Displays each member's RF Domain name. The name displays in the form of a link that can be selected to display a detailed description of the RF Domain's configuration.
Online - Displays whether a controller or service platform is online. If online, a green check mark displays; if it is offline, a red X displays.
Version - Displays the numeric firmware version currently running on the controller or service platform. Use this version as the basis for comparison on whether newer versions are available from the support site that may provide increased functionality and a broader feature set.
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.4 Web-Filtering

The Web-Filtering screen displays information on Web requests for content and whether the requests were blocked or approved based on URL filter settings defined for the selected controller or service platform. A URL filter is comprised of several filter rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist. To view this controller's Web filter statistics:
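As an added illustration of the whitelist and blacklist semantics described in this section, the following Python evaluator classifies sample requests and builds the Total Requests, Total Blocks, Top Categories and Web Filter Status counters the screen reports. It is example code written for this page, not code from the guide or from the WiNG software; the hostnames, the category map, the filter names and the request log are all constructed, and a real deployment classifies hosts with a vendor category database rather than a dictionary. The viewing procedure continues after it.

```python
"""Added example: URL filter evaluation with whitelist/blacklist semantics.

Assumptions (not from the guide): a whitelist approves a request only when
its category or host is listed; a blacklist blocks a request only when its
category or host is listed. All sample data below is constructed.
"""
from collections import Counter
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Constructed host -> category map standing in for a category database.
CATEGORY_OF_HOST = {
    "news.example.com": "news",
    "video.example.net": "streaming",
    "social.example.org": "social_networking",
    "mail.example.com": "webmail",
    "bad.example.test": "malware",
}


@dataclass
class UrlFilter:
    name: str
    mode: str                       # "whitelist" or "blacklist"
    categories: frozenset = frozenset()
    urls: frozenset = frozenset()   # exact hostnames in the filter's URL list

    def decide(self, url):
        """Return (decision, category) for one request URL.

        whitelist: bans everything except the listed categories/URLs.
        blacklist: allows everything except the listed categories/URLs.
        """
        host = urlsplit(url).hostname or ""
        category = CATEGORY_OF_HOST.get(host, "uncategorized")
        listed = category in self.categories or host in self.urls
        if self.mode == "whitelist":
            return ("approved" if listed else "blocked"), category
        if self.mode == "blacklist":
            return ("blocked" if listed else "approved"), category
        raise ValueError(f"unknown filter mode {self.mode!r}")


@dataclass
class FilterStats:
    total_requests: int = 0
    total_blocks: int = 0
    requested: Counter = field(default_factory=Counter)
    blocked: Counter = field(default_factory=Counter)
    approved: Counter = field(default_factory=Counter)
    status: list = field(default_factory=list)   # (filter, category, VLAN, WLAN)


def run_filter(flt, requests):
    """Feed (url, vlan, wlan) requests through flt and build the counters
    shown in the Web-Filtering Requests, Top Categories and Web Filter
    Status fields."""
    stats = FilterStats()
    for url, vlan, wlan in requests:
        decision, category = flt.decide(url)
        stats.total_requests += 1
        stats.requested[category] += 1
        if decision == "blocked":
            stats.total_blocks += 1
            stats.blocked[category] += 1
            # Web Filter Status row: which filter/category hit which VLAN/WLAN.
            stats.status.append((flt.name, category, vlan, wlan))
        else:
            stats.approved[category] += 1
    return stats


def top_categories(counter, n=3):
    """Most frequent categories, as a Top Categories panel would list them."""
    return [category for category, _ in counter.most_common(n)]


# Constructed request log: (URL, VLAN, WLAN).
SAMPLE_REQUESTS = [
    ("http://news.example.com/today", 10, "corp"),
    ("http://video.example.net/clip", 20, "guest"),
    ("http://social.example.org/feed", 20, "guest"),
    ("http://bad.example.test/x", 20, "guest"),
    ("http://mail.example.com/inbox", 10, "corp"),
    ("http://video.example.net/live", 20, "guest"),
]

# Constructed filters: a guest blacklist and a stricter corporate whitelist.
GUEST_BLACKLIST = UrlFilter("guest-bl", "blacklist",
                            categories=frozenset({"malware", "streaming"}))
CORP_WHITELIST = UrlFilter("corp-wl", "whitelist",
                           categories=frozenset({"news", "webmail"}))

if __name__ == "__main__":
    for flt in (GUEST_BLACKLIST, CORP_WHITELIST):
        s = run_filter(flt, SAMPLE_REQUESTS)
        print(flt.name, "requests:", s.total_requests, "blocks:", s.total_blocks)
        print("  top blocked:", top_categories(s.blocked))
        print("  status rows:", s.status)
```

Running the same request log through both filters shows why the guide repeats the reminder about list semantics: the whitelist blocks four of the six requests (everything not news or webmail, including the uncategorized host), while the blacklist blocks only the three that fall into a listed category.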
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Web-Filtering.

The Web-Filtering Requests field displays the following information:
Figure 15-41 Wireless Controller - Web Filtering screen

Total Blocks - Lists the number of Web request hits against content blocked in the URL blacklist.
Total Requests - Lists the total number of requests for URL content cached locally on this controller or service platform.
Total URL Cache Entries - Displays the number of cached URL data entries made on this controller or service platform on behalf of requesting clients requiring URL data managed by the controller or service platform and their respective whitelist or blacklist.

The Top Categories field helps administrators assess the content most requested, blocked and approved based on the defined whitelist and blacklist permissions:
Top Categories (Requested) - Lists those Web content categories most requested by clients managed by this controller or service platform. Use this information to assess whether the permissions defined in the blacklist and whitelist optimally support these client requests for cached Web content.
Top Categories (Blocked) - Lists those Web content categories blocked most often for requesting clients managed by this controller or service platform. Use this information to periodically assess whether the permissions defined in the blacklist and whitelist still restrict the desired cached Web content from requesting clients. Remember, a whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
Top Categories (Approved) - Lists those Web content categories approved most often on behalf of requesting clients managed by this controller or service platform. Periodically review this information to assess whether this cached and available Web content still adheres to your organization's standards for client access.

The Web Filter Status field displays the following information:
Name - Displays the name of the filter whose URL rule set has been invoked.
Blacklist Category - Lists the blacklist category whose URL filter rule set has caused data to be filtered to a requesting client. Periodically assess whether these rules are still relevant to the data requirements of requesting clients.
VLAN - Lists the impacted controller or service platform VLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category.
WLAN - Lists the impacted controller or service platform WLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category. Periodically assess whether clients are segregated to the correct WLAN based on their cached Web data requirements and impending filter rules.

4 Periodically select Refresh to update this screen to its latest values.

15.3.5 Application Visibility (AVC)

Controllers and service platforms can inspect every byte of each application header packet allowed to pass their managed radio devices. When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. For information on categorizing, filtering and logging the application data allowed to proliferate the controller or service platform managed network, refer to Application Policy on page 7-54 and Application on page 7-58. To view controller or service platform application utilization statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Application Visibility (AVC).

Figure 15-42 Controller - Application Visibility

4 Refer to the Top Applications graph to assess the most prolific, and allowed, application data passing through the controller or service platform.

Total Bytes - Displays the top ten utilized applications in respect to total data bytes passing through the controller or service platform managed network. These are only the administrator allowed applications approved for proliferation within the controller or service platform managed network.
Bytes Uploaded - Displays the top ten applications in respect to total data bytes uploaded through the controller or service platform managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
Bytes Downloaded - Displays the top ten applications in respect to total data bytes downloaded from the controller or service platform managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).

5 Refer to the Application Detailed Stats table to assess specific application data utilization:
Application Name - Lists the allowed application name whose data (bytes) are passing through the controller or service platform managed network.
Uploaded - Displays the amount of uploaded application data (in bytes) passing through the controller or service platform managed network.
Downloaded - Displays the amount of downloaded application data (in bytes) passing through the controller or service platform managed network.
Num Flows - Lists the total number of application data flows passing through the controller or service platform for each listed application. An application flow can consist of packets in a specific connection or media stream. Application packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats - Select this option to clear the application assessment data counters and begin a new assessment. Selecting this option will not clear category stats, just application stats.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

6 Select the Category tab. Categories are existing WiNG or user defined application groups (video, streaming, mobile, audio etc.) that assist administrators in filtering (allowing or denying) application data. For information on categorizing application data, refer to Application Policy on page 7-54 and Application on page 7-58.

Figure 15-43 Controller - Application Category Visibility

7 Refer to the Top Categories graph to assess the most prolific, and allowed, application data categories utilized by the controller or service platform.

Total Bytes - Displays the top ten application categories in respect to total data bytes passing through the controller or service platform managed network. These are only the administrator allowed application categories approved for proliferation within the controller or service platform managed network.
Bytes Uploaded - Displays the top ten application categories in respect to total data bytes uploaded through the controller or service platform managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).
Bytes Downloaded - Displays the top ten application categories in respect to total data bytes downloaded from the controller or service platform managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).

8 Refer to the Category Detailed Stats table to assess specific application category data utilization:
Category Name - Lists the allowed category whose application data (in bytes) is passing through the controller or service platform network.
Uploaded - Displays the amount of uploaded application category data (in bytes) passing through the controller or service platform managed network.
Downloaded - Displays the amount of downloaded application category data (in bytes) passing through the controller or service platform managed network.
Num Flows - Lists the total number of application category data flows passing through controller or service platform managed devices. A category flow can consist of packets in a specific connection or media stream. Packets with the same source address/port and destination address/port are considered one flow.
Clear Category Stats - Select this option to clear the application category assessment data counters and begin a new assessment. Selecting this option will not clear application stats, just category stats.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.3.6 Application Policy

When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. An application policy defines the rules or actions executed on recognized HTTP (Facebook), enterprise (Webex) and peer-to-peer (gaming) applications or application categories. For each rule defined, a precedence is assigned to resolve conflicting rules for applications and categories. A deny rule is exclusive, as no other action can be combined with a deny. An allow rule is redundant with other actions, since the default action is allow. An allow rule is useful when wanting to deny packets for a category, but wanting to allow a few applications in the same category to proceed. In such a case, add an allow rule for those applications with a higher precedence than the deny rule for their category. Mark actions mark packets for a recognized application and category with DSCP/802.1p values used for QoS. Rate-limits create a rate-limiter applied to packets recognized for an application and category. An ingress rate, an egress rate, or both can be specified for the rate-limiter; both are not required. Mark and rate-limit are the only two actions that can be combined for an application and category. All other combinations are invalid. To view controller or service platform application policy statistics:
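The flow definition used by the Application Detailed Stats and Category Detailed Stats tables above (packets with the same source address/port and destination address/port are one flow) and the precedence and action-combination rules just described are worked through in the following Python example. It is example code added for this page, not code from the guide or from the WiNG software: the application names, the application-to-category map, the rule set, the packet sample and all class and function names (Rule, match_type, avc_stats, apply_policy, run_policy) are constructed or my own. It aggregates sample packets into Uploaded, Downloaded and Num Flows per application and category, rejects invalid action combinations at rule creation, resolves conflicting rules by the lowest precedence value, and produces the Action Hit Count per rule. The viewing procedure continues after it.

```python
"""Added example: AVC flow accounting and application-policy precedence.

Assumptions (not from the guide): packets arrive already classified with an
application name and an up/down direction relative to the managed network,
and category membership comes from the constructed map below.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed application -> category map (a real engine classifies by DPI).
CATEGORY_OF_APP = {
    "webex": "video",
    "facebook": "social_networking",
    "p2p-game": "gaming",
}

# The only action combinations the guide describes as valid: deny is
# exclusive, allow stands alone, and mark may be combined with rate-limit.
VALID_ACTION_SETS = [
    {"allow"}, {"deny"}, {"mark"}, {"rate-limit"}, {"mark", "rate-limit"},
]


@dataclass
class Rule:
    precedence: int          # 1..256; the lower the value, the higher the priority
    match_type: str          # "application" or "category" (constructed field name)
    name: str
    actions: frozenset
    hits: int = 0            # Action Hit Count

    def __post_init__(self):
        if not 1 <= self.precedence <= 256:
            raise ValueError("precedence must be in 1..256")
        if set(self.actions) not in VALID_ACTION_SETS:
            raise ValueError(f"invalid action combination {sorted(self.actions)}")

    def matches(self, app):
        if self.match_type == "application":
            return self.name == app
        return self.name == CATEGORY_OF_APP.get(app)


def apply_policy(rules, app):
    """Return the action set for one packet of application `app`.

    All matching rules compete; the lowest precedence value wins, which is
    how an application allow rule overrides a category deny rule. With no
    matching rule the default action is allow."""
    candidates = [r for r in rules if r.matches(app)]
    if not candidates:
        return frozenset({"allow"})
    winner = min(candidates, key=lambda r: r.precedence)
    winner.hits += 1
    return winner.actions


@dataclass
class AppStats:
    uploaded: int = 0
    downloaded: int = 0
    flows: set = field(default_factory=set)


def avc_stats(packets):
    """Aggregate Uploaded/Downloaded bytes and Num Flows per application and
    per category. A flow is the 4-tuple (src, sport, dst, dport) exactly as
    the guide defines it, so a reply with swapped endpoints is counted as a
    distinct flow under that definition."""
    by_app = defaultdict(AppStats)
    by_cat = defaultdict(AppStats)
    for src, sport, dst, dport, app, direction, nbytes in packets:
        key = (src, sport, dst, dport)
        category = CATEGORY_OF_APP.get(app, "unknown")
        for stats in (by_app[app], by_cat[category]):
            stats.flows.add(key)
            if direction == "up":
                stats.uploaded += nbytes
            else:
                stats.downloaded += nbytes
    return by_app, by_cat


# Constructed packets: (src, sport, dst, dport, app, direction, bytes).
SAMPLE_PACKETS = [
    ("10.0.0.5", 51000, "203.0.113.10", 443, "webex", "up", 1200),
    ("10.0.0.5", 51000, "203.0.113.10", 443, "webex", "up", 800),
    ("203.0.113.10", 443, "10.0.0.5", 51000, "webex", "down", 5000),
    ("10.0.0.7", 52000, "198.51.100.20", 443, "facebook", "up", 300),
    ("198.51.100.20", 443, "10.0.0.7", 52000, "facebook", "down", 2500),
    ("10.0.0.9", 53000, "192.0.2.30", 6881, "p2p-game", "up", 400),
]


def build_rules():
    """Constructed policy: deny the video category but allow webex inside it
    (allow rule at a higher precedence), and mark + rate-limit social media."""
    return [
        Rule(10, "application", "webex", frozenset({"allow"})),
        Rule(20, "category", "video", frozenset({"deny"})),
        Rule(30, "category", "social_networking", frozenset({"mark", "rate-limit"})),
    ]


def run_policy(rules, packets):
    """Apply the policy to every packet; return Action Hit Count per rule."""
    for pkt in packets:
        apply_policy(rules, pkt[4])
    return {f"{r.match_type}:{r.name}": r.hits for r in rules}


if __name__ == "__main__":
    by_app, by_cat = avc_stats(SAMPLE_PACKETS)
    for app, s in by_app.items():
        print(app, "up", s.uploaded, "down", s.downloaded, "flows", len(s.flows))
    print(run_policy(build_rules(), SAMPLE_PACKETS))
```

Note the hit counts the sample produces: every webex packet is accounted to the application allow rule and none to the category deny rule, because precedence 10 beats precedence 20. If the Rules table on a live system shows hits accumulating on a category deny while an intended exception application is still being blocked, the precedence values are the first thing to check.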
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Application Policy.

Figure 15-44 Controller - Application Policy

4 Refer to the Rules table to review the results of the application policies put in place thus far from this managing controller or service platform.

Action - Displays the action executed on the listed application:
  Allow - Allows packets for a specific application and its defined category type (social networking etc.). This is the default.
  Deny - Denies (restricts) the action applied to a specific application or a specific application category.
  Mark - Marks recognized packets with a DSCP/802.1p value.
  Rate-limit - Rate limits packets from specific application types.
Type - Displays the application policy type applied.
Precedence - Lists the priority (from 1 - 256) for the application policy rule. The lower the value, the higher the priority assigned to this rule's enforcement action and the category and application assigned. A precedence also helps resolve conflicting rules for applications and categories.
Action Hit Count - Displays the number of times each listed application policy action has been triggered.
Refresh - Select the Refresh button to update the statistics counters to their latest values.

15.3.7 Device Upgrade

The Device Upgrade screen displays information about the devices receiving updates within the controller or service platform managed network. Use this screen to gather version data, install firmware images, boot an image and review upgrade status. Controllers, service platforms or Access Points can be RF domain managers capable of receiving device firmware files from the NOC (NX7500 or NX9000 series service platforms) then provisioning other devices within their same RF domain.
Controllers, service platforms and Access Points can now all update the firmware of different device models within their RF domain. However, firmware updates cannot be made simultaneously to devices in different site deployments. To view the upgrade statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Device Upgrade.

The Upgrade screen displays the following information:
Figure 15-45 Wireless Controller - Device Upgrade screen

Device Hostname - Displays the administrator assigned hostname of the device receiving the update.
Type - Displays the model type of the device receiving a firmware update from the provisioning controller or service platform.
State - Displays the current state of the Access Point upgrade (done, failed etc.).
Time Last Upgraded - Displays the date and time of the last successful upgrade operation.
Retries Count - Displays the number of retries made in an update operation.
Upgraded By - Displays the MAC address of the controller or service platform that performed the upgrade operation.
Last Update Status - Displays the status of the last upgrade operation (Start Upgrade, Update error etc.).
Clear History - Select the Clear History button to clear the screen of its current status and begin a new data collection.
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.8 Mirroring

NX4524 and NX6524 model service platforms have the ability to mirror data packets transmitted or received on any of their GE ports (GE port 1 - 24). Both transmit and receive packets can be mirrored from a source to a destination port as needed to provide traditional spanning functionality on the 24 GE ports. Port mirroring is not supported on NX4500 or NX6500 models, as they only utilize GE ports 1 - 2. Additionally, port mirroring is not supported on uplink (up) ports or wired ports on any controller or service platform model. To view NX4524 or NX6524 model service platform port mirroring statistics:
1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Mirroring from the left-hand side of the UI.

Figure 15-46 Wireless Controller - Mirroring screen

The Mirroring screen displays the following statistical data:
Source - Lists the GE port (1 - 24) used as the data source to span packets to the selected destination port. The packets spanned from the selected source to the destination depend on whether Inbound, Outbound or Any was selected as the direction. A source port cannot be a destination port.
Destination - Displays the GE port (1 - 24) used as the port destination to span packets from the selected source. The destination port serves as a duplicate image of the source port and can be used to send packets to a network diagnostic tool without disrupting the behavior on the original port. The destination port transmits only mirrored traffic and does not forward received traffic. Additionally, address learning is disabled on the destination port.
Direction - Lists the direction data packets are spanned from the selected source to the defined destination. Packets spanned from the source to the destination depend on whether Inbound (received packets only), Outbound (transmitted packets only) or Any (packets in either direction) was selected.
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.9 Adoption

The Adoption screen lists Access Points adopted by the controller or service platform, and includes model, RF Domain membership, configuration status and device uptime information. For additional AP adoption information, including an adoption history and pending adoptions, see:
AP Adoption History
Pending Adoptions

To view device adoption statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Adoption > Adopted Devices from the left-hand side of the UI.

The Adopted Devices screen displays the following:
Figure 15-47 Wireless Controller - Adopted Devices screen

Device: Displays the name assigned to the adopted device by the management software. The Access Point name displays as a link that can be selected to display configuration and network address information in greater detail.
Type: Lists the model type of each Access Point managed by the selected controller or service platform (the controller or service platform listed in the Adopter Hostname column).
RF Domain Name: Displays the RF Domain memberships of each listed adopted device.
Model Number: Displays the model number of the adopted device.
Status: Lists whether an adopted Access Point has been configured (provisioned) by its connected Access Point or service platform.
Errors: Lists any errors encountered when each listed Access Point was adopted by the controller or service platform.
Adopter Hostname: Lists the hostname assigned to the adopting controller or service platform.
Adoption Time: Displays a timestamp for each listed Access Point reflecting when the device was adopted by the controller or service platform.
Startup Time: Lists the time the adopted device was last started up and detected on the network.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.9.1 AP Adoption History Controller Statistics

The AP Adoption History screen displays a list of devices adopted to the controller or service platform managed network. Use this screen to view a list of devices and their current status.

To view AP Adoption History statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Adoption > AP Adoption History from the left-hand side of the UI.

The AP Adoption History screen displays the following:

Figure 15-48 Wireless Controller - AP Adoption History screen

Event Name: Displays the current adoption status of each AP as either adopted or unadopted.
AP MAC Address: Displays the Media Access Control (MAC) address of each Access Point that the controller or service platform has attempted to adopt.
Reason: Displays the adoption reason message string for each event in the adoption history statistics table.
Event Time: Displays the day, date and time for each Access Point adoption attempt by this controller or service platform.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.9.2 Pending Adoptions Controller Statistics

The Pending Adoptions screen displays devices still pending (awaiting) adoption to the controller or service platform managed network. Review this data to assess whether adoption is still beneficial and to troubleshoot issues preventing adoption.

To view pending adoption statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Adoption > Pending Adoptions from the left-hand side of the UI.

The Pending Adoptions screen provides the following:

Figure 15-49 Wireless Controller - Pending Adoptions screen

MAC Address: Displays the MAC address of the device pending adoption.
Type: Displays the AP's model type.
IP Address: Displays the current IP address of the device pending adoption.
VLAN: Displays the current VLAN number (virtual interface ID) of the device pending adoption.
Reason: Displays the status code as to why the device is still pending adoption.
Discovery Option: Displays the discovery option code for each AP listed pending adoption.
Last Seen: Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC.
Add to Devices: Select a device from amongst those displayed and select Add to Devices to validate the adoption of the selected device and begin the process of connecting the device to the controller or service platform managed network.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.10 AP Detection Controller Statistics

The AP Detection screen displays potentially hostile Access Points, their SSIDs, reporting AP, and so on. Continuously revalidating the credentials of detected devices reduces the possibility of an Access Point hacking into the controller or service platform managed network.

To view AP detection statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select AP Detection from the left-hand side of the UI.

The AP Detection screen displays the following:
Figure 15-50 Wireless Controller - AP Detection screen

Unsanctioned AP: Displays the MAC address of unsanctioned APs detected within the controller or service platform radio coverage area. Unsanctioned APs are detected APs without deployment approval.
Reporting AP: Lists the Access Point whose radio detected the unsanctioned AP. The Access Point displays as a link that can be selected to display configuration and network address information in greater detail.
SSID: Displays the SSID of each unsanctioned AP.
AP Mode: Displays the operating mode of the unsanctioned device.
Radio Type: Displays the unsanctioned AP's radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
Channel: Displays the channel where the unsanctioned AP was detected.
RSSI: Lists the Received Signal Strength Indicator (RSSI) for each listed AP.
Last Seen: Displays when the unsanctioned AP was last seen by the detecting AP.
Clear All: Select Clear All to clear all the screen's statistic counters and begin detecting new Access Points.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.11 Guest User Controller Statistics

The Guest User screen displays read only device information for guest clients associated with the selected controller or service platform. Use this information to assess if configuration changes are required to improve network performance.

To view a controller or service platform's connected guest user client statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Guest User from the left-hand side of the UI.

The Guest User screen displays the following:
Figure 15-51 Wireless Controller - Guest User screen

Client MAC: Displays the hardcoded MAC address assigned to the guest client at the factory; it cannot be modified. The address displays as a link that can be selected to display configuration and network address information in greater detail.
IP Address: Displays the unique IP address of the guest client. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval.
IPv6 Address: Displays the current IPv6 formatted IP address a listed guest client is using as a network identifier. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Hostname: Displays the hostname (MAC addresses) of connected guest clients. The hostname displays as a link that can be selected to display configuration and network address information in greater detail.
Role: Lists the guest client's defined role within the controller or service platform managed network.
Client Identity: Displays the unique vendor identity of the listed device as it appears to its adopting controller or service platform.
Vendor: Displays the name of the client vendor (manufacturer).
Band: Displays the 2.4 or 5 GHz radio band on which the listed guest client operates.
AP Hostname: Displays the administrator assigned hostname of the Access Point to which this guest client is associated.
Radio MAC: Displays the MAC address of the radio to which the guest client is connected.
WLAN: Displays the name of the WLAN the guest client is currently assigned for its Access Point interoperation.
VLAN: Displays the VLAN ID the guest client's connected Access Point has defined as a virtual interface.
Last Active: Displays the time when this guest client was last seen (or detected) by a device within the controller or service platform managed network.
Disconnect Client: Select a specific client and select the Disconnect Client button to terminate this guest client's connection to its controller or service platform connected Access Point radio.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.12 Wireless LANs Controller Statistics

The Wireless LANs statistics screen displays performance statistics for each controller or service platform managed WLAN. Use this information to assess if configuration changes are required to improve connected Access Point and client performance.

To view the wireless LAN statistics for the controller or service platform:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Wireless LANs from the left-hand side of the UI.

The Wireless LANs screen displays the following:
Figure 15-52 Wireless Controller - Wireless LANs screen

WLAN Name: Displays the name of the WLANs the controller or service platform is currently utilizing for client connections and QoS segregation.
SSID: Displays the Service Set ID each listed WLAN is using as an identifier.
Traffic Index: Displays the traffic utilization index, which measures how efficiently the traffic medium is used. It's defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are:
  0 - 20 (very low utilization)
  20 - 40 (low utilization)
  40 - 60 (moderate utilization)
  60 and above (high utilization)
Radio Count: Displays the number of radios currently in use by devices utilizing the listed controller or service platform managed WLAN.
Tx Bytes: Displays data transmit activity (in bytes) on each listed WLAN.
Tx User Data Rate: Displays the average user data rate on each listed WLAN.
Rx Bytes: Displays the data received in bytes on each listed WLAN.
Rx User Data Rate: Displays the average user data rate for packets received by controller or service platform connected devices using this WLAN.
Disconnect All Clients: Select Disconnect All Clients to terminate all client WLAN memberships.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.13 Policy Based Routing Controller Statistics

The Policy Based Routing statistics screen displays statistics for selective path packet redirection. PBR can optionally mark traffic for preferential services (QoS). PBR is applied to incoming routed packets, and a route-map is created containing a set of filters and associated actions. Based on the actions defined in the route-map, packets are forwarded to the next relevant hop. Route-maps are configurable under a global policy called routing-policy, and applied to profiles and devices.

To review controller PBR statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Policy Based Routing.

The Policy Based Routing screen displays the following:
Figure 15-53 Wireless Controller - Policy Based Routing screen

Precedence: Lists the numeric precedence (priority) assigned to each listed PBR configuration. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the route-map entry with the highest precedence (lowest numerical value).
Primary Next Hop IP: Lists the IP address of the virtual resource that, if available, is used with no additional route considerations.
Primary Next Hop State: Displays whether the primary hop is being applied to incoming routed packets.
Secondary Next Hop IP: If the primary hop is unavailable, a second resource is used. This column lists the address set for the alternate route in the election process.
Secondary Next Hop State: Displays whether the secondary hop is being applied to incoming routed packets.
Default Next Hop IP: If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This is either the IP address of the next hop or the outgoing interface. Only one default next hop is available. The difference between the next hop and the default next hop is that with the former, PBR occurs first, then destination based routing; with the latter, the order is reversed.
Default Next Hop State: Displays whether the default hop is being applied to incoming routed packets.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.14 Radios Controller Statistics

The Radio Status screen provides radio association data, including radio ID, connected APs, radio type, quality index and Signal to Noise Ratio (SNR).

To view the radio statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Radio from the left-hand side of the UI.

The Radio Status screen provides the following information:
Figure 15-54 Wireless Controller - Radio Status screen

Radio: Displays the model and numerical value assigned to the radio as its unique identifier. Optionally, select the listed radio (it displays as a link) to display radio configuration information in greater detail.
Radio MAC: Displays the MAC address assigned to the radio as its unique hardware identifier.
Radio Type: Defines whether the radio is operating in the 2.4 GHz or 5 GHz radio band.
Access Point: Displays the administrator assigned system name of each listed Access Point. Optionally, select the listed Access Point to display Access Point configuration information in greater detail.
AP Type: Lists the model type of the Access Point housing the listed radio.
State: Displays the current operational state (On/Off) of each radio.
Channel Current (Config): Displays the administrator configured channel each listed radio is broadcasting on.
Power Current (Config): Displays the administrator configured power level the radio is using for its transmissions.
Clients: Displays the number of wireless clients associated with each listed radio.
Refresh: Select Refresh to update the statistics counters to their latest values.

4 Select RF Statistics from the expanded Radios menu.

The RF Statistics screen provides the following information:
Figure 15-55 Wireless Controller - Radio RF Statistics screen

Radio: Displays the name assigned to each listed radio. Each radio name displays as a link that can be selected to display radio information in greater detail.
Signal: Displays the power of each listed radio signal in dBm.
SNR: Displays the signal to noise ratio (SNR) of each listed radio. SNR is a measure that compares the level of a desired signal to the level of background noise. It is defined as the ratio of signal power to noise power. A ratio higher than 1:1 indicates more signal than noise.
Tx Physical Layer Rate: Displays the data transmit rate for each radio's physical layer. The rate is displayed in Mbps.
Rx Physical Layer Rate: Displays the data receive rate for each radio's physical layer. The rate is displayed in Mbps.
Avg Retry Rate: Displays the average number of retries for each radio.
Error Rate: Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
Quality Index: Displays the client's RF quality. The RF quality index is the overall effectiveness of the RF environment, as a percentage of the connect rate in both directions as well as the retry rate and the error rate. RF quality index values can be interpreted as:
  0 - 20 - very poor quality
  20 - 40 - poor quality
  40 - 60 - average quality
  60 - 100 - good quality
Refresh: Select Refresh to update the statistics counters to their latest values.

5 Select Traffic Statistics from the expanded Radios menu.

The Traffic Statistics screen provides the following information:
Figure 15-56 Wireless Controller - Radio Traffic Statistics screen

Radio: Displays the name assigned to each listed radio. Each radio name displays as a link that can be selected to display radio configuration and network address information in greater detail.
Tx Bytes: Displays the amount of transmitted data in bytes for each radio.
Rx Bytes: Displays the amount of received data in bytes for each radio.
Tx Packets: Displays the amount of transmitted data in packets for each radio.
Rx Packets: Displays the amount of received data in packets for each radio.
Tx User Data Rate: Displays the average speed in kbps of data transmitted to users for each radio.
Rx User Data Rate: Displays the average speed in kbps of data received from users for each radio.
Tx Dropped: Displays the number of transmissions (packets) dropped by each listed radio. An excessive number of drops and a high error rate could be an indicator to lighten the radio's current load.
Traffic Index: Displays the traffic utilization index of each listed radio, which measures how efficiently the traffic medium is used. It's defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are: 0 - 20 (very low utilization), 20 - 40 (low utilization), 40 - 60 (moderate utilization), and 60 and above (high utilization).
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.15 Mesh Controller Statistics

The Mesh screen provides detailed statistics on each mesh capable client within the selected controller or service platform's radio coverage area.

To view Mesh statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Mesh from the left-hand side of the UI.

The Mesh screen displays the following:
Figure 15-57 Wireless Controller - Mesh screen

Client: Displays the name assigned to each mesh client when added to the controller or service platform managed network.
Client Radio MAC: Displays the factory encoded Media Access Control (MAC) address of each device within the controller or service platform managed mesh network.
Portal: Mesh portals are mesh enabled devices connected to an external network that forward traffic in and out. Mesh devices must find paths to a portal to access the Internet. When multiple portals exist, the mesh point must select one.
Portal Radio MAC: Lists the MAC addresses of those Access Points serving as mesh portals.
Connect Time: Displays the total (elapsed) connection time for each client within the controller or service platform managed mesh network.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.16 Interfaces Controller Statistics

The Interface screen provides detailed statistics on each of the interfaces available on the selected controller or service platform. Use this screen to review the statistics for each interface. Interfaces vary amongst supported hardware model controllers and service platforms.

To review controller or service platform interface statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select General.

Interface Statistics support the following:
Figure 15-58 Wireless Controller - General Interface screen

General Interface Details
IPv6 Address
Multicast Groups Joined
Network Graph

15.3.16.1 General Interface Details Interfaces

The General tab provides information on a selected controller or service platform interface such as its MAC address, type and TX/RX statistics.

The General table displays the following:
Name: Displays the name of the controller or service platform interface (ge1, up1, etc.).
Interface MAC Address: Displays the MAC address of the interface.
IP Address: Displays the IP address of the interface.
IP Address Type: Displays the IP address type, either IPv4 or IPv6.
Secondary IP: Displays a list of secondary IP resources assigned to this interface.
Hardware Type: Displays the networking technology.
Index: Displays the unique numerical identifier for the interface.
Access Setting: Displays the VLAN mode as either Access or Trunk.
Access VLAN: Displays the tag assigned to the native VLAN.
Native VLAN: The native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame. Additionally, the native VLAN is the VLAN untagged traffic is directed over when using a port in trunk mode.
Tagged Native VLAN: When a frame is tagged, the 12 bit frame VLAN ID is added to the 802.1Q header so upstream Ethernet devices know which VLAN ID the frame belongs to. The device reads the 12 bit VLAN ID and forwards the frame to the appropriate VLAN. When a frame is received with no 802.1Q header, the upstream device classifies the frame using the default or native VLAN assigned to the Trunk port. A native VLAN allows an Ethernet device to associate untagged frames to a VLAN when no 802.1Q frame is included in the frame.
Allowed VLANs: Displays the list of allowed virtual interface(s) on this interface.
Administrative Status: Displays whether the interface is currently UP or DOWN.
Operational Status: Lists whether the selected interface is currently UP (operational) or DOWN.

The IPv6 Mode and MTU table displays the following information:
IPv6 Mode: Lists the IPv6 mode currently utilized.
IPv6 MTU: Lists the IPv6 formatted largest packet size that can be sent over the interface.

The Specification table displays the following information:
Media Type: Displays the physical connection type of the interface. Medium types include:
  Copper - Used on RJ-45 Ethernet ports
  Optical - Used on fibre optic gigabit Ethernet ports
Protocol: Displays the routing protocol used by the interface.
MTU: Displays the maximum transmission unit (MTU) setting configured on the interface. The MTU value represents the largest packet size that can be sent over the interface. 10/100 Ethernet ports have a maximum setting of 1500.
Mode: The mode can be either:
  Access - The Ethernet interface accepts packets only from native VLANs.
  Trunk - The Ethernet interface allows packets from a list of VLANs you can add to the trunk.
Metric: Displays the metric associated with the interface's route.
Maximum Speed: Displays the maximum speed the interface uses to transmit or receive data.
Admin Speed: Displays the speed the port can transmit or receive. This value can be either 10, 100, 1000 or Auto. This value is the maximum port speed in Mbps. Auto indicates the speed is negotiated between connected devices.
Operator Speed: Displays the current speed of data transmitted and received over the interface.
Admin Duplex Setting: Displays the administrator's duplex setting.
Current Duplex Setting: Displays the interface as either half duplex, full duplex or unknown.

The Traffic table displays the following:
Good Octets Sent: Displays the number of octets (bytes) with no errors sent by the interface.
Good Octets Received: Displays the number of octets (bytes) with no errors received by the interface.
Good Packets Sent: Displays the number of good packets transmitted.
Good Packets Received: Displays the number of good packets received.
Mcast Pkts Sent: Displays the number of multicast packets sent through the interface.
Mcast Pkts Received: Displays the number of multicast packets received through the interface.
Ucast Pkts Sent: Displays the number of unicast packets sent through the interface.
Ucast Pkts Received: Displays the number of unicast packets received through the interface.
Bcast Pkts Sent: Displays the number of broadcast packets sent through the interface.
Bcast Pkts Received: Displays the number of broadcast packets received through the interface.
Packet Fragments: Displays the number of packet fragments transmitted or received through the interface.
Jabber Pkts: Displays the number of packets transmitted through the interface larger than the MTU.

The Errors table displays the following:
Bad Pkts Received: Displays the number of bad packets received through the interface.
Collisions: Displays the number of collisions over the selected interface.
Late Collisions: A late collision is any collision that occurs after the first 64 octets of data have been sent. Late collisions are not normal, and are usually the result of out of specification cabling or a malfunctioning device.
Excessive Collisions: Displays the number of excessive collisions. Excessive collisions occur when the traffic load increases to the point a single Ethernet network cannot handle it efficiently.
Drop Events: Displays the number of dropped packets transmitted or received through the interface.
Tx Undersize Pkts: Displays the number of undersized packets transmitted through the interface.
Oversize Pkts: Displays the number of oversized packets transmitted through the interface.
MAC Transmit Error: Displays the number of failed transmits due to an internal MAC sublayer error (that's not a late collision), excessive collisions or a carrier sense error.
MAC Receive Error: Displays the number of received packets that failed due to an internal MAC sublayer error (that's not a late collision), an excessive number of collisions or a carrier sense error.
Bad CRC: Displays the CRC error count. The CRC is the 4 byte field at the end of every frame. The receiving station uses it to determine whether the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is considered a bad CRC.

The Receive Errors table displays the following:
Rx Frame Errors: Displays the number of frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Rx Length Errors: Displays the number of length errors received at the interface. Length errors are generated when the received frame length was either under or over the Ethernet standard.
Rx FIFO Errors: Displays the number of FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Rx Missed Errors: Displays the number of missed packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.
Rx Over Errors: Displays the number of overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.

The Transmit Errors table displays the following:
Tx Errors: Displays the number of packets with errors transmitted on the interface.
Tx Dropped: Displays the number of transmitted packets dropped from the interface.
Tx Aborted Errors: Displays the number of packets aborted on the interface because a clear-to-send request was not detected.
Tx Carrier Errors: Displays the number of carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Tx FIFO Errors: Displays the number of FIFO errors transmitted at the interface. First-in First-out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Tx Heartbeat Errors: Displays the number of heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Tx Window Errors: Displays the number of window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) the receiver is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.16.2 IPv6 Address Interfaces

IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

To view controller or service platform IPv6 address utilization:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select the IPv6 Address tab.
5 The IPv6 Addresses table displays the following:
Figure 15-59 Wireless Controller - Interface IPv6 Address screen

IPv6 Addresses: Lists the IPv6 formatted addresses currently utilized by the controller or service platform on the selected interface.
Status: Lists the current utilization status of each IPv6 formatted address currently in use by this controller or service platform's selected interface.
Address Type: Lists whether the address is unicast or multicast in its utilization over the selected controller or service platform interface.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

6 Select the Link Local Address & Traffic Report tab to assess data traffic and errors discovered in transmitted and received IPv6 formatted data packets.

7 Verify the following Link Local Address data for the IPv6 formatted address:
Figure 15-60 Wireless Controller - Interface IPv6 Address screen

Address: Lists the IPv6 link local address. IPv6 requires a link local address assigned to every interface the IPv6 protocol is enabled on, even when one or more routable addresses are assigned.
Status: Lists the IPv6 link local address utilization status and its current availability.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the link local address remains in the preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the link local address remains in the valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

8 Verify the following IPv6 formatted Traffic data:
Packets In: Lists the number of IPv6 formatted data packets received on the selected controller or service platform interface since the screen was last refreshed.
Packets Out: Lists the number of IPv6 formatted data packets transmitted on the selected controller or service platform interface since the screen was last refreshed.
Bytes In: Displays the number of octets (bytes) with no errors received by the selected interface.
Bytes Out: Displays the number of octets (bytes) with no errors sent by the selected interface.
Bad Packets Received: Displays the number of bad IPv6 formatted packets received through the interface.
Bad CRC: Displays the CRC error count. The CRC is the 4 byte field at the end of every frame. The receiving station uses it to determine whether the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is counted as a bad CRC.
Collisions: Displays the number of collisions over the selected interface. Excessive collisions occur when the traffic load increases to the point a single Ethernet network cannot handle it efficiently. A late collision is any collision that occurs after the first 64 octets of data have been sent. Late collisions are not normal, and are usually the result of out of specification cabling or a malfunctioning device.

9 Review the following Receive Errors for IPv6 formatted data traffic:
Receive Length Errors: Displays the number of IPv6 length errors received at the interface. Length errors are generated when the received IPv6 frame length was either under or over the Ethernet standard.
Receive Over Errors: Displays the number of IPv6 overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.
Receive Frame Errors: Displays the number of IPv6 frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Receive FIFO Errors: Displays the number of IPv6 FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all IPv6 formatted packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Receive Missed Errors: Displays the number of missed IPv6 formatted packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.

10 Review the following Transmit Errors for IPv6 formatted data traffic:
Transmit Errors: Displays the number of IPv6 formatted data packets with errors transmitted on the interface.
Transmit Aborted Errors: Displays the number of IPv6 formatted packets aborted on the interface because a clear-to-send request was not detected.
Transmit Carrier Errors: Displays the number of IPv6 formatted carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Transmit FIFO Errors: Displays the number of IPv6 formatted FIFO errors transmitted at the interface. First-in First-out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Transmit Heartbeat Errors: Displays the number of IPv6 formatted heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Transmit Window Errors: Displays the number of IPv6 formatted window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) it is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.
Refresh: Select Refresh to update the statistics counters to their latest value.

15.3.16.3 Multicast Groups Joined

Multicast groups scale to a larger set of destinations by not requiring prior knowledge of who or how many destinations there are. Multicast devices use their infrastructure efficiently by requiring the source to send a packet only once, even if it is delivered to a large number of devices. Devices replicate a packet to reach multiple receivers only when necessary.
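Before moving on to multicast groups, the IPv6 interface screens described in steps 5 through 10 above lend themselves to an automated health check: the preferred/valid lifetime rule can be verified for every address, and the Traffic, Receive Errors and Transmit Errors counters can be compared between two Refresh snapshots so that the causes the guide associates with each counter (CRC mismatches and carrier errors pointing at cabling or hardware, FIFO errors at hardware faults, heartbeat errors at software faults or loops) are raised only when the counters actually move. The Python below is an added example written for readers of this guide; it is not WiNG code. The dataclass field names merely mirror the screen labels, and the CRC ratio threshold and the sample addresses and counter snapshots are constructed assumptions.

```python
"""Added example: sanity checks over the IPv6 interface screens described above.

Not WiNG code. Field names mirror the screen labels; the threshold and the
sample snapshots below are constructed assumptions for illustration.
"""
from dataclasses import dataclass, fields


@dataclass
class IPv6Address:
    address: str
    preferred_lifetime: int  # seconds; must be <= valid_lifetime
    valid_lifetime: int      # seconds


@dataclass
class Counters:
    """One Refresh of the Traffic, Receive Errors and Transmit Errors tables."""
    packets_in: int = 0
    packets_out: int = 0
    bad_packets_received: int = 0
    bad_crc: int = 0
    collisions: int = 0
    receive_length_errors: int = 0
    receive_over_errors: int = 0
    receive_frame_errors: int = 0
    receive_fifo_errors: int = 0
    receive_missed_errors: int = 0
    transmit_errors: int = 0
    transmit_aborted_errors: int = 0
    transmit_carrier_errors: int = 0
    transmit_fifo_errors: int = 0
    transmit_heartbeat_errors: int = 0


def invalid_lifetimes(addresses):
    """Addresses that break the rule 'preferred lifetime <= valid lifetime'."""
    return [a.address for a in addresses
            if a.preferred_lifetime > a.valid_lifetime]


def deltas(previous, current):
    """Per-counter increase between two Refresh snapshots of the same interface."""
    return {f.name: getattr(current, f.name) - getattr(previous, f.name)
            for f in fields(Counters)}


def findings(delta, crc_ratio=0.001):
    """Map counter increases to the causes the guide associates with them.

    Returns (counter, explanation) pairs. crc_ratio is an assumed threshold of
    bad CRCs per received packet; tune it for the link being watched.
    """
    out = []
    rx = delta["packets_in"]
    if rx > 0 and delta["bad_crc"] / rx > crc_ratio:
        out.append(("bad_crc", "CRC mismatches above threshold: suspect cabling or NIC hardware"))
    if delta["receive_fifo_errors"] or delta["transmit_fifo_errors"]:
        out.append(("fifo_errors", "FIFO errors rising: probable hardware malfunction"))
    if delta["receive_missed_errors"]:
        out.append(("receive_missed", "receive FIFO full: check for traffic bursts or floods"))
    if delta["transmit_carrier_errors"]:
        out.append(("carrier_errors", "carrier errors: bad Ethernet hardware or cabling"))
    if delta["transmit_heartbeat_errors"]:
        out.append(("heartbeat_errors", "heartbeat errors: software fault or packets stuck in a loop"))
    if delta["collisions"]:
        out.append(("collisions", "collisions: overloaded shared segment, or late collisions from bad cabling"))
    return out


# Constructed sample data (not captured from a controller).
SAMPLE_ADDRESSES = [
    IPv6Address("2001:db8::1", preferred_lifetime=604800, valid_lifetime=2592000),
    IPv6Address("2001:db8::2", preferred_lifetime=3000000, valid_lifetime=2592000),
]
SAMPLE_PREVIOUS = Counters(packets_in=100000, packets_out=90000, bad_crc=2)
SAMPLE_CURRENT = Counters(packets_in=150000, packets_out=140000, bad_crc=120,
                          receive_fifo_errors=3, transmit_heartbeat_errors=1)


if __name__ == "__main__":
    print("lifetime violations:", invalid_lifetimes(SAMPLE_ADDRESSES))
    for counter, why in findings(deltas(SAMPLE_PREVIOUS, SAMPLE_CURRENT)):
        print(f"{counter}: {why}")
```

Working from deltas rather than absolute values matters because the Bad CRC and error counters are cumulative since the last reset; a large absolute count on a long-running interface says little, while a jump between two consecutive Refresh readings is actionable.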
Controllers and service platforms are free to join or leave a multicast group at any time. There are no restrictions on the location or members in a multicast group. A host may be a member of more than one multicast group at any given time and does not have to belong to a group to send messages to members of a group. To view the controller or service platform multicast group memberships on the selected interface:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select Multicast Groups Joined.

Figure 15-61 Wireless Controller - Interface Multicast Groups Joined screen

5 The screen displays the following:
Group: Lists the name of existing multicast groups whose current members share multicast packets with one another on this selected interface as a means of collective interoperation.
Users: Lists the number of devices currently interoperating on this interface in each listed multicast group. Any single device can be a member of more than one group at a time.

6 Periodically select Refresh to update the screen's counters to their latest values.

15.3.16.4 Network Graph

The Network Graph tab displays statistics the controller or service platform continuously collects for its interfaces. Even when the interface statistics graph is closed, data is still collected. Display the interface statistics graph periodically to assess the latest interface information. Up to three different stats can be selected and displayed within the graph. To view a detailed graph for an interface, select an interface and drop it on to the graph. The graph displays Port Statistics as the Y-axis and the Polling Interval as the X-axis. Use the Polling Interval drop-down menu to define the intervals for which data is displayed on the graph.

To view the Interface Statistics graph:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select Network Graph. Use the Parameters drop-down menu to specify what is trended in the graph.

Figure 15-62 Wireless Controller - Interface Network Graph screen

15.3.17 Border Gateway Protocol (BGP) Statistics

Border Gateway Protocol (BGP) is an inter-ISP routing protocol which establishes routes between ISPs. ISPs use BGP to exchange routing and reachability information between Autonomous Systems (AS) on the Internet. BGP makes routing decisions based on paths, network policies and/or rules configured by network administrators. The primary role of a BGP system is to exchange network reachability information with other BGP peers. This includes information on the ASs that the reachability information traverses, which is sufficient to create a graph of AS connectivity from which routing decisions can be made and rules enforced.

An Autonomous System (AS) is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS. An AS uses inter-AS routing to route packets to other ASs. To an external AS, an AS appears to have a single coherent interior routing plan and presents a consistent picture of the destinations reachable through it. Routing information exchanged through BGP supports only destination based forwarding (it assumes a router forwards packets based on the destination address carried in the IP header of the packet).

BGP uses TCP as its transport protocol. This eliminates the need to implement explicit update fragmentation, retransmission, acknowledgement, and sequencing. BGP listens on TCP port 179. The error notification mechanism used in BGP assumes that TCP supports a graceful close (all outstanding data is delivered before the connection is closed).

NOTE: BGP is only supported on RFS6000 and NX9500 model controllers and service platforms.

BGP statistics are available to assist an administrator in assessing the status of the service platform's BGP feature and its neighbor BGP peers. Much of the configuration information can be filtered from the Route Filters screen.

To review BGP statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select BGP from the left-hand side of the UI. The BGP Summary tab displays by default.

The Summary tab displays the following:
Figure 15-63 Wireless Controller - BGP - Summary screen

Neighbor: Lists the IP address of neighbor BGP supported devices.
ASN: Lists the Autonomous System Number (ASN) assigned to each listed neighbor BGP peer. An AS is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets.
Msg Sent: Lists the number of messages sent out of this BGP peer.
Msg Received: Lists the number of messages received by this BGP peer.
In Queue: Lists the number of messages in the controller or service platform queue that have not yet been read (processed).
Out Queue: Lists the number of messages in the controller or service platform queue that have not yet been sent.
Status: Displays the status of each listed BGP neighbor as Active or Disabled.
Uptime: Displays the time duration in HH:MM:SS format since the connection to this neighbor BGP peer was established.

4 Periodically select Refresh to update the screen's counters to their latest value.
5 Select the Neighbor tab.

The Neighbor tab displays the following BGP neighbor information:
Figure 15-64 Wireless Controller - BGP - Neighbor screen

Neighbor: Lists the IP address of neighbor BGP supported peer controllers or service platforms. Each IP address displays as a link to display BGP supported device data in greater detail.
Remote AS: Lists the AS number configured on this BGP neighbor. An Autonomous System (AS) is a set of routers under the same administration that use an Interior Gateway Protocol (IGP) and common metrics to define how to route packets within the AS.
Local AS: Lists the AS number (1 - 4,294,967,295) configured on this BGP wireless controller or service platform.
MD5 Enabled: A green check indicates MD5 authentication is enabled on the listed BGP neighbor. A red X means it is disabled. MD5 is a message digest algorithm using a cryptographic hash producing a 128-bit (16-byte) hash value, usually expressed in text as a 32 digit hexadecimal number. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity.
Link Type: Lists the type of BGP link. Displays internal if the link type is iBGP. Displays external if the link type is eBGP. iBGP exchanges routing table information between routers within an autonomous system. eBGP exchanges routing table information between hosts outside an autonomous system.
Status: Displays the current Active or Inactive state of each listed BGP neighbor device.
Uptime: Displays the uptime for each listed BGP neighbor.
Remote Router: Lists the IP address used by the BGP remote router resource as a network identifier.
Hold Time: Displays the duration, in seconds, for the hold (delay) of packet transmissions to each listed BGP neighbor device.
Keepalive: Displays the duration, in seconds, for the keep alive timer used to maintain the connection to each listed BGP neighbor device.
Clear Routes: Select the Clear Retries item (within the table) to reset and clear all routes received from this BGP neighbor.

6 Optionally select the IP address of a listed BGP neighbor device to launch the following screen for more granular device information for the selected peer device:
Figure 15-65 Wireless Controller - BGP - Neighbor - Statistics screen

The BGP neighbor Statistics screen displays route information for the following kinds of routes:
Advertised: Displays route information for routes advertised to the selected neighbor device.
Received: Displays route information for routes received from the selected neighbor device.
Routes: Displays the route information for routes learned from the selected neighbor device.

7 Refer to the following for details on the displayed route. The fields are common to all the screens.

Route Status: Displays the status of this route. Route statuses include:
    Suppressed - This route has been suppressed.
    Damped - This route has been damped due to flapping.
    History - This route is kept in memory to retain flap-dampening statistics. This route is not currently announced by the peer.
    Valid - This route is a valid route.
    Best - This route is the best route of all the routes utilized.
    RIB Failure - A route with better administrative distance is already present, a memory failure exists or the number of routes in VPN routing/forwarding (VRF) exceeds the route-limit configured under the VRF instance.
    Removed - This route has been removed from the routes list and is no longer available to BGP supported neighbor devices.
Network: Displays network information for this route.
Next Hop: Displays the IP address of the next hop in this route.
Local Pref: Lists the IP address of this controller or service platform's preferred next hop for the route.
Weight: Displays the weight assigned to this route. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The route with the highest weight is always chosen.
Metric: Lists a measure (metric) of the quality of the path. A lower value indicates a better path.
AS-Path: Displays the AS Path information for this route.
Origin: Displays the IP address of the route's origin.

8 Select the Refresh button to update the information displayed in this screen to the latest values. Use the Exit button to exit to the Neighbor screen.
9 Select the Route Filters tab. This screen provides eight (8) different filters for viewing route statistics, so route statistics can be filtered on eight (8) different parameters.

Figure 15-66 Wireless Controller - BGP - Route Filter screen

The Route Filters tab supports the following route filters:
BGP Stats Details: Routes are filtered on BGP statistics details.
Community List: Routes are filtered on the community lists included in each route.
Community: Routes are filtered on the community information included in each route.
Expanded Community List: Routes are filtered on the expanded community information included in each route.
Prefix List: Routes are filtered on the prefix list included in each route.
Filter List: Routes are filtered on the filter list included in each route.
Regular Expression: Routes are filtered based on regular expressions.
Route Map: Routes are filtered on the route map information included in each route.

10 Select BGP Stats Detail from the Select Filter Type list.

Figure 15-67 Wireless Controller - BGP - Route Filter - BGP Stats Detail

11 Use the Type Specific Network field to filter statistics based on the provided IP or Network information. Select Show Details to display the list of filtered routes.

Route Status: Displays the status of this route. Route status options include:
    Suppressed - This route has been suppressed.
    Damped - This route has been damped due to flapping.
    History - This route is kept in memory to retain flap-dampening statistics. This route is not currently announced by the peer.
    Valid - This route is a valid route.
    Best - This route is the best route of all routes.
    RIB Failure - A route with better administrative distance is already present, a memory failure exists or the number of routes in VPN routing/forwarding (VRF) exceeds the route-limit configured under the VRF instance.
    Removed - This route has been removed from the routes list.
Network: Displays network information for this route.
Next Hop: Displays the IP address of the next hop resource utilized in this route.
Local Pref: Lists the IP address of this controller or service platform's preferred next hop for this route. The local preference indicates the preferred path when there are multiple paths to the same destination. The path having the highest preference value is preferred. The preference value is sent to all routers and access servers in the local AS.
Weight: Displays the weight assigned to this route. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The route with the highest weight is always chosen.
Metric: Lists a measure (metric) of the quality of the path. A lower value indicates a better path. This value is the Multi Exit Discriminator (MED) evaluated by BGP during the best path selection process.
Path: Displays path information for this route.
Origin: Displays the IP address of the origin for this route.

12 Select Community List from the Select Filter Type list.

Figure 15-68 Wireless Controller - BGP - Route Filter - Community List

13 Use the Type Community List field to filter the statistics based on the community type of the route. Select Show Details to display the list of filtered routes.

NOTE: The following table is common to these filter types:
Community List, Community, Prefix List, Filter List, Regular Expression, Route Map

Route Status: Displays the status of this route. The route status could be one of:
    Suppressed - This route has been suppressed.
    Damped - This route has been damped due to flapping.
    History - This route is kept in memory to retain flap-dampening statistics. This route is not currently announced by the peer.
    Valid - This route is a valid route.
    Best - This route is the best route of all routes.
    RIB Failure - A route with better administrative distance is already present, a memory failure exists or the number of routes in VPN routing/forwarding (VRF) exceeds the route-limit configured under the VRF instance.
    Removed - This route has been removed from the routes list.
Network: Displays network information for this route.
Next Hop: Displays the IP address of the next hop in this route.
Local Pref: Lists the IP address of this controller or service platform's preferred next hop for this route. The local preference indicates the preferred path when there are multiple paths to the same destination. The path having the highest preference value is preferred. This preference value is sent to all routers and access servers in the local AS.
Weight: Displays the weight assigned to this route. Weight is used to decide the preferred route when the same route is learned from multiple neighbors. The route with the highest weight is always chosen.
Metric: Lists a measure of the quality of the path. A lower value indicates a better path. This value is the Multi Exit Discriminator (MED) evaluated by BGP during the best path selection process.
AS-Path: Displays AS path information for this route.
Origin: Displays the IP address of the origin for this route.

Select Community from the Select Filter Type list.

14 Use the Type Community drop-down menu to filter the statistics based on the community of the route.

Figure 15-69 Wireless Controller - BGP - Route Filter - Community

Routes can be filtered on:
    local-AS - Displays routes that prevent the transmission of packets outside the local AS.
    no-advertise - Displays routes not advertised to any peer, either internal or external.
    no-export - Displays routes not advertised to BGP peers, keeping this route within an AS.
    aa:nn - Filters routes based on the AS Number specified. The first part (aa) represents the AS number. The second part (nn) represents a 2-byte number. Routes matching this number are filtered.

15 Select Show Details to display the list of filtered routes.
16 Select Prefix List from the Select Filter Type list.

Figure 15-70 Wireless Controller - BGP - Route Filter - Prefix List

17 Use the Type Prefix list field to filter the statistics based on the prefix of the route. Select Show Details to display the list of filtered routes.
18 Select Filter List from the Select Filter Type list.

Figure 15-71 Wireless Controller - BGP - Route Filter - Filter List

19 Use the Type Filter List field to filter the statistics based on the filter list of the route. Select Show Details to display the list of filtered routes.
20 Select Regular Expression from the Select Filter Type list.

Figure 15-72 Wireless Controller - BGP - Route Filter - Regular Expression

21 Use the Type Regular Expression field to filter the routes based on regular expressions. Select Show Details to display the list of filtered routes.
22 Select Route Map from the Select Filter Type list.

Figure 15-73 Wireless Controller - BGP - Route Filter - Route Map

23 Use the Type Route Map field to filter the routes based on route maps (enhanced packet filters). Select Show Details to display the list of filtered routes.
24 Select Expanded Community List from the Select Filter Type list.

Figure 15-74 Wireless Controller - BGP - Route Filter - Expanded Community

25 Use the Type Expanded list to filter routes based on route-maps. Select Show Details to display a list of filtered routes.
26 Select the State tab. The State screen displays the following:
Figure 15-75 Wireless Controller - BGP - State

Maximum Routes Allowed: Lists the maximum number of routes allowed on the selected BGP wireless controller or service platform.
Routes Received: Lists the number of routes received from all the BGP peers.
Current Ignore Count: Lists the number of times the BGP daemon has been put in the Ignore state.
Ignore Count Allowed: Lists the maximum number of times the BGP daemon can be put in an Ignore state before entering the permanent ignore state.
Reset Time: Lists the time after which the ignore state count is reset to 0 and the BGP daemon continues in the state it was in previously.
Ignore Time: Lists the time duration after which the BGP daemon exits the Ignore state.
Current State: Lists the current state of this BGP route utilized on the wireless controller or service platform.

Select Refresh to update the statistic counters to their latest values.

15.3.18 RAID Statistics

RAID statistics are available to assist an administrator in assessing the status of the service platform's RAID array, including each physical drive. The information within the RAID statistics screen is polled by the service platform from the RAID controller hardware, then forwarded to the WiNG operating system.

NOTE: RAID controller drive arrays are available within NX7500 and NX9000 series service platforms (NX9000, NX9500 and NX9510 models) only. However, they can be administered on behalf of a profile by a different model service platform or controller. For information on setting the service platform drive array configuration as well as the diagnostic behavior of its member drives, refer to RAID Operations on page 14-19.

To view RAID statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select RAID from the left-hand side of the UI.
4 The Status field displays the following:
Figure 15-76 Wireless Controller - RAID Status screen

Size: Lists the size of the RAID drive array. The size is the total physical memory space available on the two physical drives comprising the active RAID controller.
State: Displays whether the drive array is currently in an optimal operation state or degraded, and in need of administration to perform diagnostics and perhaps prepare a standby drive for hot spare replacement.
Alarm Enable: Displays whether the RAID alarm has been enabled to sound the service platform's chassis alarm upon detection of a RAID controller degradation event. The RAID alarm is enabled by default. For information on enabling or disabling the service platform RAID alarm, see General Profile Configuration on page 8-5.

5 Refer to the Last Check field to assess the time, progress and results of the RAID array's most recent consistency check:
Date: Lists the date and time of the RAID controller's most recent consistency check on the integrity of the drive array.
Result: Displays true for a successful RAID array consistency check and false for a failed consistency check. A false indication would trigger the service platform's chassis alarm if the RAID alarm is enabled.
Progress: Displays the progress of an in-process consistency check in both percentage complete and minutes utilized (for example, 78%/116min).

6 Use the Physical Drives field to assess the RAID array's drive utilization and whether the drives are currently online:
Slot: Lists the RAID array's drive slot utilization. Since there is only one RAID array controller reporting status to the service platform, it is important to know if other drive slots house hot spare drives available as additional resources should one of the dedicated drives fail.
State: Displays whether a physical slot within the RAID array has a drive installed, and whether the drive is currently online.

7 Select Refresh at any time to update the screen's statistic counters to their latest value.

15.3.19 Power Status

Periodically review the controller or service platform power status to assess the power budget and PoE capability (if supported). PoE is supported on RFS4000 and RFS6000 model controllers.

To view Power Status statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Power Status from the left-hand side of the UI.

The Power Status screen provides the following information for supported controllers or service platforms:
Figure 15-77 Wireless Controller - Power Status screen

Device: Displays the administrator assigned device name for the controller or service platform.
Temperature: Displays the internal system temperature for the controller or service platform.
PoE Enabled: Displays whether or not Power over Ethernet (PoE) is enabled for the controller or service platform. When enabled, the controller or service platform supports 802.3af PoE on each of its ge ports. PoE allows users to monitor port power consumption and configure power usage limits and priorities for each ge port.
Power Limit: Displays the total watts available for Power over Ethernet on the controller or service platform. The value should be between 0 - 40 watts.
Port Name: Displays the GE port name on the controller or service platform.
Priority: Displays the power priority for the listed port as either Critical, High or Low. This is the priority assigned to this port versus the power requirements of the other ports available on the controller or service platform.
System Voltage: Displays the total current system voltage for the controller or service platform.
System Guard Band: Displays the amount of voltage allocated to a System Guard Band. A System Guard Band is an amount of voltage allocated to prevent power loss or cycling on connected PoE devices when the power draw goes above the PoE Power Budget.
Power Budget: Displays the total amount of voltage on the controller or service platform allocated for use in Power over Ethernet.
Power Consumption: Displays the current amount of power being consumed by PoE devices on the controller or service platform.
Non-Standard PoE power budget: Displays the amount of voltage allocated to non 802.3af or 802.3at PoE devices.
Port Name: Displays the GE port name for each PoE capable port on the controller or service platform.
Voltage: Displays the voltage in use by each PoE capable port on the controller or service platform.
Current: Displays the amount of current in milliwatts being used by each PoE capable port on the controller or service platform.
Power: Displays whether or not each PoE capable port on the controller or service platform is providing power.
Class Type: Displays the PoE class type, including 802.3af, 802.3at and non-standard PoE types.
Port Status: Displays the status of each PoE capable port on the controller or service platform, either Enabled or Disabled.
Refresh: Select Refresh to update the statistics counters to their latest value.

15.3.20 PPPoE

The PPPoE statistics screen displays stats derived from the PPPoE capable controller or service platform's access to high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables a point-to-point connection to an ISP over an existing Ethernet interface.

Power over Ethernet is supported on RFS4000 and RFS6000 model controllers. When enabled, the controller supports 802.3af PoE on each of its ge ports.

To review a selected controller or service platform's PPPoE statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select PPPoE from the left-hand side of the UI.

The Configuration Information field displays the following:
Figure 15-78 Wireless Controller - PPPoE screen

Shutdown: Displays whether a high speed client mode point-to-point connection has been enabled using the PPPoE protocol. A green checkmark defines the connection as enabled. A red X defines the connection as shutdown.
Service: Lists the 128 character maximum PPPoE client service name provided by the service provider.
DSL Modem Network (VLAN): Displays the PPPoE VLAN (client local network) connected to the DSL modem.
Authentication Type: Lists the authentication type used by the PPPoE client, whose credentials must be shared by its peer. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2.
Username: Displays the 64 character maximum username used for authentication by the PPPoE client.
Password: Displays the 64 character maximum password used for authentication by the PPPoE client.
Client Idle Timeout: The controller or service platform uses the listed timeout so it does not sit idle waiting for input from a PPPoE client or server that may never come.
Keep Alive: If a keep alive is utilized (enabled displays a green checkmark, disabled a red X), the point-to-point connection to the PPPoE client is continuously maintained and not timed out.
Maximum Transmission Unit (MTU): Displays the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size.

4 Refer to the Connection Status field. The Connection Status table lists the MAC address, SID, Service information, MTU and status of each route destination peer. To provide this point-to-point connection, each PPPoE session learns the Ethernet address of a remote PPPoE client, and establishes a session. PPPoE uses both a discovery and a session phase to identify a client and establish a point-to-point connection. By using such a connection, a wireless WAN failover is available to maintain seamless network access if the wired WAN were to fail.
5 Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.21 OSPF

Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.

Refer to the following for detailed descriptions of the tabs available within the OSPF statistics screen:
OSPF Summary
OSPF Neighbors
OSPF Area Details
OSPF Route Statistics
OSPF Interface
OSPF State

15.3.21.1 OSPF Summary

To view OSPF summary statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.

The Summary tab describes the following data fields:
Figure 15-79 Wireless Controller - OSPF Summary tab

General: The General field displays the router ID assigned for this OSPF connection, RFC compliance information and LSA data.

ABR/ASBR Details: Lists Autonomous System Boundary Router (ASBR) data relevant to OSPF routing, including the ASBR, ABR and ABR type. An Area Border Router (ABR) is a router that connects one or more areas to the main backbone network. It is considered a member of all areas it is connected to. An ABR keeps multiple copies of the link-state database in memory, one for each area to which that router is connected. An ASBR is a router connected to more than one routing protocol that exchanges routing information with routers in other protocols. ASBRs typically also run an exterior routing protocol (for example, BGP), or use static routes, or both. An ASBR is used to distribute routes received from other, external ASs throughout its own autonomous system. Routers in other areas use the ABR as the next hop to access external addresses. The ABR then forwards packets to the ASBR announcing the external addresses.

SPF: Refer to the SPF field to assess the status of the shortest path first (SPF) execution, last SPF execution, SPF delay, SPF due in, SPF hold multiplier, SPF hold time, SPF maximum hold time and SPF timer due flag.

Stub Router: The Summary screen displays information relating to stub router advertisements and shutdown and startup times. An OSPF stub router advertisement allows a new router into a network without immediately routing traffic through the new router, and allows a graceful shutdown or reload of a router without dropping packets that are destined for other networks. This feature introduces three configuration options that allow you to configure a router running the OSPF protocol to advertise a maximum or infinite metric to all neighbors.

4 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.2 OSPF Neighbors

OSPF establishes neighbor relationships to exchange routing updates with other routers. A controller or service platform supporting OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors. OSPF is aware of layer 2 topologies. If on a point-to-point link, OSPF knows it is sufficient, and the link stays up. If on a broadcast link, the router waits for election before determining if the link is functional.

To view OSPF neighbor statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the Neighbor Info tab.

Figure 15-80 Wireless Controller - OSPF Neighbor Info tab

The Neighbor Info tab describes the following:
Router ID: Displays the router ID assigned for this OSPF connection. The router is a level three Internet Protocol packet switch. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network.

Neighbor Priority: Displays each listed neighbor's priority in respect to becoming the designated router managing the OSPF connection. The designated router is the router interface elected among all routers on a particular multi-access network segment.

IF Name: Lists the name assigned to the router interface used to support connections amongst OSPF enabled neighbors.

Neighbor Address: Lists the IP address of the neighbor sharing the router interface with each listed router ID.

Request Count: Lists the connection request count (hello packets) to connect to the router interface, discover neighbors and elect a designated router.

Retransmit Count: Lists the connection retransmission count attempted in order to connect to the router interface, discover neighbors and elect a designated router. A designated router (DR) is the router interface elected among all routers on a particular multi-access network segment, generally assumed to be broadcast.

Dead Time: Lists the dead time between neighbors in the network topology that are currently utilizing the listed router ID.

Self Neighbor State: Displays the self-neighbor status assessment used to discover neighbors and elect a designated router.

Source Address: Displays the single source address used by all neighbor routers to obtain topology and connection status. This form of multicasting significantly reduces network load.

Summary Count: Routes that originate from other areas are called summary routes. Summary routes are not flooded in a totally stubby or NSSA totally stubby area.
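The Router ID field above is a 32-bit identifier that only looks like an IP address, and OSPF area IDs (see the Area Details tab) are 32-bit values that may be written either as a plain decimal number or in dotted notation. When correlating the values on these tabs with logs or configuration taken from other routers it helps to hold one canonical form. The following is an added example, not code from the reference guide or from the WiNG software; it assumes the default router ID is chosen from IPv4 interface addresses only, and the helper names are its own.

```python
"""Normalize OSPF router IDs and area IDs to one canonical form.

Added example (not part of the WiNG reference guide). Both identifiers are
32-bit values; area IDs may be written as decimal ('5') or dotted ('0.0.0.5'),
and an unconfigured router ID defaults to the highest interface IP address.
"""
import ipaddress

MAX_ID = 0xFFFFFFFF  # router IDs and area IDs are 32-bit values


def dotted_to_u32(text: str) -> int:
    """Parse 'a.b.c.d' into the 32-bit integer it encodes."""
    octets = text.split(".")
    if len(octets) != 4:
        raise ValueError(f"not dotted-decimal: {text!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {text!r}")
        value = (value << 8) | n
    return value


def u32_to_dotted(value: int) -> str:
    """Render a 32-bit identifier in dotted form ('0.0.0.5')."""
    if not 0 <= value <= MAX_ID:
        raise ValueError(f"not a 32-bit identifier: {value}")
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def normalize_area_id(text: str) -> str:
    """Accept an area ID in decimal or dotted notation and return the dotted
    form; values wider than 32 bits are rejected rather than silently wrapped."""
    text = text.strip()
    if "." in text:
        return u32_to_dotted(dotted_to_u32(text))
    return u32_to_dotted(int(text))  # int() raises ValueError on junk input


def default_router_id(interface_ips) -> str:
    """Pick the router ID the guide describes as the default when none is
    configured: the numerically highest interface IPv4 address. Assumption of
    this example: IPv6 interface addresses do not take part in the choice."""
    candidates = []
    for ip in interface_ips:
        addr = ipaddress.ip_address(ip.split("/")[0])  # drop any prefix length
        if isinstance(addr, ipaddress.IPv4Address):
            candidates.append(int(addr))
    if not candidates:
        raise ValueError("no IPv4 interface addresses to derive a router ID from")
    return u32_to_dotted(max(candidates))


def same_id(a: str, b: str) -> bool:
    """True if two identifiers written in either notation denote the same value."""
    return normalize_area_id(a) == normalize_area_id(b)


if __name__ == "__main__":
    print(normalize_area_id("5"))        # 0.0.0.5
    print(normalize_area_id("65536"))    # 0.1.0.0
    print(same_id("0.0.0.1", "1"))       # True
    # constructed interface list: the 192.168.5.1 address wins the default
    print(default_router_id(["10.1.1.2/24", "192.168.5.1/24", "172.16.0.9/16"]))
```

The same normalisation applies to the link state IDs and router IDs shown on the other OSPF tabs, so a single helper is enough to match screen values against a neighbor's configuration.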
5 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.3 OSPF Area Details

An OSPF network is subdivided into routing areas (with 32 bit area identifiers) to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network. An OSPF area contains a set of routers exchanging Link State Advertisements (LSAs) with others in the same area. Areas limit LSAs and encourage aggregate routes. Areas are identified by 32-bit IDs, expressed either in decimal, or octet-based dot-decimal notation.

To view OSPF area statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the Area Details tab.

The Area Details tab describes the following:
Figure 15-81 Wireless Controller - OSPF Area Details tab

OSPF Area ID: Lists the connection request count (hello packets) to connect to the router interface, discover neighbors and elect a designated router.

OSPF INF: Lists the interface ID (virtual interface for dynamic OSPF routes) supporting each listed OSPF area ID.

Fully adj numbers: Fully adjusted numbers strip away the effects of other non-OSPF and LSA factors and events, leaving only relevant OSPF area network route events counted.

Auth Type: Lists the authentication schemes used to validate the credentials of dynamic route connections and their areas.

Total LSA: Lists the Link State Advertisements (LSAs) of all entities using the dynamic route (in any direction) in the listed area ID.

Router LSA: Lists the Link State Advertisements of the router supporting each listed area ID. The router LSA reports active router interfaces, IP addresses, and neighbors.

Network LSA: Displays which routers are joined together by the designated router on a broadcast segment (e.g. Ethernet). Type 2 LSAs are flooded across their own area only. The link state ID of the type 2 LSA is the IP interface address of the designated router.

Summary LSA: The summary LSA is generated by an ABR to leak area summary address information into other areas. An ABR generates more than one summary LSA for an area if the area addresses cannot be properly aggregated by only one prefix.

ASBR Summary LSA: Originated by ABRs when an ASBR is present to let other areas know where the ASBR is. These are supported just like summary LSAs.

NSSA LSA: Routers in a Not-so-stubby-area (NSSA) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network. Redistribution into an NSSA area creates a special type of LSA known as type 7, which can exist only in an NSSA area. An NSSA ASBR generates this LSA, and an NSSA ABR router translates it into a type 5 LSA which gets propagated into the OSPF domain.

Opaque Area LSA CSUM: Displays the Type-10 opaque link area checksum with the complete contents of the LSA.

Opaque link CSUM: Displays the Type-10 opaque link checksum with the complete contents of the LSA.

5 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.4 OSPF Route Statistics

Refer to the Routes tab to assess the status of OSPF Border Routes, External Routes, Network Routes and Router Routes.

To view OSPF route statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the Routes tab. Border Routes display by default.

An area border router (ABR) connects (links) more than one area. Usually an ABR is used to connect non-backbone areas to the backbone. If OSPF virtual links are used, an ABR will also be used to connect the area using the virtual link to another non-backbone area. Border routes use internal OSPF routing table entries to an ABR or Autonomous System Boundary Router (ASBR). Border routers maintain an LSDB for each area supported. They also participate in the backbone.

5 Refer to the External Routes tab.

Figure 15-82 Wireless Controller - OSPF External Routes tab

External routes are external to the area, originate from other routing protocols (or different OSPF processes) and are inserted into OSPF using redistribution. A stub area is configured not to carry external routes. Each external route can be tagged by the advertising router, enabling the passing of additional information between routers on the boundary of the autonomous system. The External Routes tab displays a list of external routes, the area impacted, cost, path type, tag and type 2 cost. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit-less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.

6 Refer to the Network Routes tab.

Figure 15-83 Wireless Controller - OSPF Network Routes tab

Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast). Neighboring routers are discovered dynamically using OSPF hello messages. This use of the hello protocol takes advantage of broadcast capability. An OSPF network route makes further use of multicast capabilities, if they exist. Each pair of routers on the network is assumed to communicate directly. The Network Routes tab displays the network name, impacted OSPF area, cost, destination and path type.

7 Select the Router Routes tab.

Figure 15-84 Wireless Controller - OSPF Router Routes tab

An internal (or router) route connects to one single OSPF area. All of its interfaces connect to the area in which it is located and do not connect to any other area.

8 Select the Refresh button (within any of the four OSPF Routes tabs) to update the statistics counters to their latest values.

15.3.21.5 OSPF Interface

An OSPF interface is the connection between a router and one of its attached networks. An interface has state information associated with it, which is obtained from the underlying lower level protocols and the routing protocol itself. A network interface has a single IP address and mask associated with it (unless the network is an unnumbered point-to-point network). An interface is sometimes also referred to as a link.

To view OSPF interface statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the OSPF Interface tab.

The OSPF Interface tab describes the following:
Figure 15-85 Wireless Controller - OSPF Interface tab

Interface Name: Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided.

Interface Index: Lists the numerical index used for the OSPF interface. This interface ID is in the hello packets establishing the OSPF network connection.

Bandwidth(kb): Lists the OSPF interface bandwidth (in Kbps) from 1 - 10,000,000.

Interface flags: Displays the flag used to determine the interface status and how to proceed.

MTU: Lists the OSPF interface maximum transmission unit (MTU) size. The MTU is the largest physical packet size (in bytes) a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent.

OSPF Enabled: Lists whether OSPF has been enabled for each listed interface. OSPF is disabled by default.

UP/DOWN: Displays whether the OSPF interface (the dynamic route) is currently up or down for each listed interface. An OSPF interface is the connection between a router and one of its attached networks.

5 Select the Refresh button to update the statistics counters to their latest values.

15.3.21.6 OSPF State

An OSPF enabled controller or service platform sends hello packets to discover neighbors and elect a designated router for dynamic links. The hello packet includes link state data periodically updated on all OSPF members. The controller or service platform tracks link state information to help assess the health of the OSPF dynamic route.

To view OSPF state statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select OSPF from the left-hand side of the UI.
4 Select the OSPF State tab.

The OSPF State tab describes the following:
Figure 15-86 Wireless Controller - OSPF State tab

OSPF state: Displays the OSPF link state amongst neighbors within the OSPF topology. Link state information is maintained in a link-state database (LSDB) which is a tree image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF supported nodes. Flooding is the part of the OSPF protocol that distributes and synchronizes the link-state database between OSPF routers.

OSPF ignore state count: Lists the number of times state requests have been ignored between the controller or service platform and its peers within this OSPF supported broadcast domain.

OSPF ignore state monitor timeout: Displays the timeout that, when exceeded, prohibits the controller or service platform from detecting changes to the OSPF link state.

OSPF ignore state timeout: Displays the timeout that, when exceeded, returns the controller or service platform back to state assessment amongst neighbors in the OSPF topology.

OSPF max ignore state count: Displays whether an OSPF state timeout is being ignored and not utilized in the transmission of state update requests amongst neighbors within the OSPF topology.

OSPF max routes: States the maximum number of routes negotiated amongst neighbors within the OSPF topology.

OSPF routes received: Lists the routes received and negotiated amongst neighbors within the OSPF topology.

5 Select the Refresh button to update the statistics counters to their latest values.

15.3.22 L2TPv3 Controller Statistics

Use L2TP V3 to create tunnels for transporting layer 2 frames. L2TP V3 enables a controller or service platform to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TP V3 tunnels can be defined between WiNG devices and other devices supporting the L2TP V3 protocol.

To review a selected controller or service platform's L2TPv3 statistics:
6 Select the Statistics menu from the Web UI.
7 Select a Wireless Controller node from the left navigation pane.
8 Select L2TPv3 Tunnels.

Figure 15-87 Wireless Controller - L2TPv3 screen

The L2TPv3 screen displays the following:
Tunnel Name: Displays the name of each listed L2TPv3 tunnel assigned upon creation. Each listed tunnel name can be selected as a link to display session data specific to that tunnel. The Sessions screen displays cookie size information as well as pseudowire information specific to the selected tunnel. Data is also available to define whether the tunnel is a trunk session and whether tagged VLANs are used. The number of transmitted, received and dropped packets also display to provide a throughput assessment of the tunnel connection. Each listed session name can also be selected as a link to display VLAN information specific to that session. The VLAN Details screen lists those VLANs used as an interface in L2TP tunnel establishment.

Local Address: Lists the IP address assigned as the local tunnel end point address, not the tunnel interface's IP address. This IP is used as the tunnel source IP address. If a local address is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.

Peer Address: Lists the IP address of the L2TP tunnel peer establishing the tunnel connection.

Tunnel State: States whether the tunnel is Idle (not utilized by peers) or is currently active.

Peer Host Name: Lists the assigned peer hostname used as matching criteria in the tunnel establishment process.

Peer Control Connection ID: Displays the numeric identifier for the tunnel session. This is the peer pseudowire ID for the session. The source and destination IDs are exchanged in session establishment messages with the L2TP peer.

Control Connection ID: Displays the router ID(s) sent in tunnel establishment messages with a potential peer device.

Up Time: Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection. The Up Time is displayed in a Days: Hours: Minutes: Seconds: format. If D:0 H:0 M:0 S:0 is displayed, the tunnel connection is not currently established.

Encapsulation Protocol: Displays either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. Tunneling is also called encapsulation. Tunneling works by encapsulating a network protocol within packets carried by the second network.

Critical Resource: Displays monitored critical resources. Critical resources are device IP addresses or interface destinations interpreted as critical to the health of the network. Critical resources allow for the continuous monitoring of these defined addresses. A critical resource, if not available, can result in the network suffering performance degradation. A critical resource can be a gateway, AAA server, WAN interface or any hardware or service on which the stability of the network depends.

VRRP Group: Lists a VRRP group ID (if utilized). A VRRP group is only enabled when the establishment criteria is set to vrrp-master. A VRRP master responds to ARP requests, forwards packets with a destination link MAC layer address equal to the virtual router MAC layer address, rejects packets addressed to the IP associated with the virtual router and accepts packets addressed to the IP associated with the virtual router.

Establishment Criteria: Displays the tunnel establishment criteria for this tunnel. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.

Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

9 To view per-session statistics for a specific L2TPv3 tunnel, click the Tunnel Name link. The sessions for the selected L2TPv3 tunnel are displayed.
10 Click the VLAN ID of the desired session to display session statistics.
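The Tunnel State and Up Time fields are the two values on this screen that tell an operator whether an L2TPv3 tunnel is actually carrying traffic, and the guide defines an all-zero Up Time as "not currently established". The following is an added example, not code from the reference guide or from the WiNG software, showing how those two fields can be turned into an alert list once the table has been exported as text. It assumes a tab-separated export with the column names the guide lists; the sample rows are constructed for illustration and the helper names are its own.

```python
"""Flag L2TPv3 tunnels that are not established, from the screen's fields.

Added example (not part of the WiNG reference guide). Assumes the tunnel
table was exported as tab-separated text with the guide's column names, and
that Up Time is rendered as 'D:<days> H:<hours> M:<minutes> S:<seconds>',
where 'D:0 H:0 M:0 S:0' means the tunnel is not established.
"""
import re
from dataclasses import dataclass

UPTIME_RE = re.compile(r"D:(\d+)\s+H:(\d+)\s+M:(\d+)\s+S:(\d+)")

# Constructed sample export (not captured from a real device), one tunnel per line.
SAMPLE_EXPORT = """\
Tunnel Name\tTunnel State\tUp Time\tEncapsulation Protocol
site-a\tactive\tD:3 H:4 M:15 S:2\tIP
site-b\tIdle\tD:0 H:0 M:0 S:0\tIP
site-c\tactive\tD:0 H:0 M:0 S:0\tUDP
site-d\tactive\tD:0 H:0 M:2 S:30\tUDP
"""


@dataclass
class Tunnel:
    name: str
    state: str
    uptime_seconds: int
    encapsulation: str

    @property
    def established(self) -> bool:
        # The guide defines an all-zero Up Time as "not currently established";
        # an Idle tunnel state is treated the same way.
        return self.uptime_seconds > 0 and self.state.lower() != "idle"


def parse_uptime(text: str) -> int:
    """Convert 'D:d H:h M:m S:s' to seconds; malformed input raises ValueError."""
    m = UPTIME_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised Up Time format: {text!r}")
    d, h, mi, s = (int(x) for x in m.groups())
    return ((d * 24 + h) * 60 + mi) * 60 + s


def parse_export(text: str) -> list[Tunnel]:
    """Parse the tab-separated export; the first non-empty line is the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    idx = {name: i for i, name in enumerate(lines[0].split("\t"))}
    tunnels = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        tunnels.append(Tunnel(
            name=cols[idx["Tunnel Name"]],
            state=cols[idx["Tunnel State"]],
            uptime_seconds=parse_uptime(cols[idx["Up Time"]]),
            encapsulation=cols[idx["Encapsulation Protocol"]],
        ))
    return tunnels


def down_tunnels(text: str) -> list[str]:
    """Names of tunnels that are not established and should raise an alert."""
    return [t.name for t in parse_export(text) if not t.established]


def recently_established(text: str, min_seconds: int) -> list[str]:
    """Tunnels that are up for less than min_seconds: a hint of flapping worth
    comparing against the transmitted/dropped counters on the Sessions screen."""
    return [t.name for t in parse_export(text)
            if t.established and t.uptime_seconds < min_seconds]


if __name__ == "__main__":
    print(down_tunnels(SAMPLE_EXPORT))               # ['site-b', 'site-c']
    print(recently_established(SAMPLE_EXPORT, 600))  # ['site-d']
```

Treating a non-zero Up Time with an Idle state as "down" is the conservative reading: the two fields should agree, and a disagreement is itself worth a look before the next Refresh.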
15.3.23 VRRP Controller Statistics

The VRRP statistics screen displays Virtual Router Redundancy Protocol (VRRP) configuration statistics supporting router redundancy in a wireless network requiring high availability.

To review a selected controller or service platform's VRRP statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select VRRP.

Figure 15-88 Wireless Controller - VRRP screen

4 Refer to the Global Error Status field to review the various sources of packet errors logged during the implementation of the virtual route. Errors include the mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions.
5 Refer to the Router Operations Summary for the following status:

VRID: Lists a numerical index (1 - 254) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for. The ID displays as a link that can optionally be selected to list the ID's VRRP information in greater detail.

Virtual IP Address: Lists the virtual interface IP address used as the redundant gateway address for the virtual route.

Master IP Address: Displays the IP address of the elected VRRP master. A VRRP master (once elected) responds to ARP requests, forwards packets with a destination link layer MAC address equal to the virtual router MAC address, rejects packets addressed to the IP address associated with the virtual router and accepts packets addressed to the IP address associated with the virtual router.

Interface Name: Displays the interfaces selected to supply VRRP redundancy failover support.

Version: Displays VRRP version 3 (RFC 5798) or 2 (RFC 3768) as selected to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and support services over virtual IP.

State: Displays the current state of each listed virtual router ID.

Clear Router Status: Select the Clear Router Status button to clear the Router Operations Summary table values to zero and begin new data collections.

Clear Global Error Status: Select the Clear Global Error Status button to clear the Global Error Status table values to zero and begin new data collections.

Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

6 Optionally select a VRID to list the ID's VRRP information in greater detail.
7 The Configuration field lists the following for the selected VRID:
Figure 15-89 Wireless Controller - VRRP VRID Detail screen

VRID: Lists the selected ID's assigned ID. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for.

Interface: Displays the interfaces selected to supply VRRP redundancy failover support.

Version: Displays the VRRP version scheme used with the configuration. VRRP version 3 (RFC 5798) and 2 (RFC 3768) are selectable to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and support services over virtual IP. For more information on the VRRP protocol specifications (available publicly) refer to http://www.ietf.org/rfc/rfc3768.txt (version 2) and http://www.ietf.org/rfc/rfc5798.txt (version 3).

Priority: Lists the ID's numerical value (from 1 - 254) used for the virtual router master election process. The higher the numerical value, the higher the priority in the election process.

Delta Priority: Displays the configured priority (by the set value) when the monitored interface is down. When critical resource monitoring is used, the configured value is incremented by the value defined.

CRM Down Action: Lists the critical resource down action applied to this listed VRID.

No. of Virtual IP Address: Lists the number of virtual interface IP addresses used as the redundant gateway address for the virtual route.

Virtual IP Addresses: Lists the virtual interface IP address set as the redundant gateway address for the virtual route.

Advertisement Interval: Lists the interval for unsolicited router assignments. The advertisement interval is the minimum interval between sending router updates. Sending too many updates creates flapping of routes leading to possible disruption.

Sync Group: Lists whether a VRRP sync group is assigned to this VRRP ID's group of virtual IP addresses. This triggers VRRP failover if an advertisement is not received from the virtual masters that are part of this VRRP sync group.

Preempt: Lists whether preempt is enabled for the selected ID. Preempt ensures a high priority backup router is available to preempt a lower priority backup router resource. The default setting is enabled. When selected, the preempt delay option becomes enabled to set the actual delay interval for pre-emption. This setting determines if a node with a higher priority can take over all the Virtual IPs from the nodes with a lower priority.

Preempt Delay: If preempt is enabled, this item lists the delay interval (in seconds) for pre-emption.

8 The Operational State field lists the following for the selected VRID:
Virtual MAC Address: Lists the alphanumeric virtual MAC address utilized by the selected VRID.

Local IP Address: This address represents an alternative to an interface IP address. The last byte of the address (XX) is the VRID, which is different for each virtual router in the network.

Critical Resource: Displays the critical resource currently utilized by the selected VRID.

CRM Status: Lists the operational network status of the critical resource used by this VRID.

Sync Group Failure: Lists any sync failures detected with the sync group of virtual IP addresses.

Interface Status: Lists the operational network status of the interfaces selected to supply VRRP redundancy failover support.

9 The Router Status field lists the following router performance and error data:
Master Transitions: Lists the number of transitions to master router designation that have occurred with this VRID's router.

Master Reason: Displays an event message in respect of the dedicated VRRP router's availability.

Advertisement Pkts Received: Lists the number of router advertisements received by this selected VRID. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. Router advertisements contain prefixes used for link determination, address configuration and maximum hop limits.

Advertisement Interval Errors: Lists this VRID's number of advertisement prefix errors for link determination, address configuration and maximum hop limits.

Advertisement Pkts Sent: Lists the number of router advertisements sent by this selected VRID. Router advertisements are periodically sent to hosts or sent in response to solicitation requests. Router advertisements contain prefixes used for link determination, address configuration and maximum hop limits.

Received Pkts in Init State: Lists the number of packets received by the selected VRID when a router receives a hello packet but the local router ID is not listed in the received neighbor field. This means bidirectional communication has not been established.

Received Pkts with Priority Zero: Lists this VRID's number of received packets with a priority value of zero.

Sent Pkts with Priority Zero: Lists this VRID's number of sent packets with a priority value of zero.

Address List Errors: Lists the number of router event errors detected where an address could not be resolved and bidirectional communication could not be established.

10 Refer to the Monitor Interface field to assess the names of this VRID's interfaces and their respective statuses.

15.3.24 Critical Resources Controller Statistics

The Critical Resources statistics screen displays a list of device IP addresses on the network (gateways, routers etc.). These defined IP addresses are critical to the health of the controller or service platform managed network. These device addresses are pinged regularly by the Access Point. If there is a connectivity issue, an event is generated stating a critical resource is unavailable.

To view controller or service platform Critical Resource statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Critical Resource from the left-hand side of the UI.

Figure 15-90 Wireless Controller - Critical Resource screen

4 Refer to the General field to assess the Monitor Interval and Monitor Using Flows Interval used to poll for updates from the critical resource IP listed for Source IP For Port-Limited Monitoring. Monitoring Retries before Marking Resource as DOWN is the number of retry connection attempts permitted before this listed resource is defined as down (offline).
5 Refer to the following List of Critical Resources:
Critical Resource Name Via Status Error Reason Mode Refresh Lists the name of the resource being monitored by the controller or service platform. Lists the VLAN used by the critical resource as a virtual interface. the VLAN displays as a link than can be selected to list configuration and network address information in greater detail. Defines the operational state of each listed critical resource VLAN interface (Up or Down). Provides an error status as to why the critical resource is not available over its designated VLAN. Defines the operational state of each listed critical resource (up or down). Select Refresh to update the statistics counters to their latest values. 15.3.25 LDAP Agent Status Controller Statistics When LDAP has been specified as an external resource (as opposed to local RADIUS resources) to validate PEAP-
MS-CHAP v2 authentication requests, user credentials and password information needs to be made available locally to successfully connect to the external LDAP server. Up to two LDAP Agents (primary and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2 authentication requests. For more information on setting LDAP agents as part of the RADIUS server policy, see Configuring RADIUS Server Policies on page 11-57. To view controller or service platform LDAP agent statistics:
1 Select the Statistics menu from the Web UI. 2 Select a Wireless Controller node from the left navigation pane. 3 Select LDAP Agent Status from the left-hand side of the UI. Figure 15-91 Wireless Controller - LDAP Agent Status screen Wireless Controller and Service Platform System Reference Guide 15 - 138 Statistics The LDAP Agent Status screen displays the following:
LDAP Agent Primary: Lists the primary IP address of a remote LDAP server resource used by the controller or service platform to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy's data source is set to LDAP, this is the first resource for authentication requests.
LDAP Agent Secondary: Lists the secondary IP address of a remote LDAP server resource used by the controller or service platform to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy's data source is set to LDAP, this is the second resource for authentication requests.
Message: Displays any system message generated in the controller or service platform's connection with the primary or secondary LDAP agent. If there is a problem with the username and password used to connect to the LDAP agent, it is listed here.
Status: Displays whether the controller or service platform has successfully joined the remote LDAP server domain designated to externally validate PEAP-MS-CHAP v2 authentication requests.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.3.26 Mint Links

Wireless controllers and Access Points use the MiNT protocol as the primary means of device discovery and communication for Access Point adoption and management. MiNT provides a mechanism to discover neighbor devices in the network, and exchange packets between devices regardless of how these devices are connected (L2 or L3). MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model.

MiNT links can be established over a VLAN (among Access Points on a VLAN) or IP (remote Access Point to controller). MiNT links are automatically created between controllers and Access Points during adoption using MLCP (MiNT Link Creation Protocol). They can also be manually created between a controller and an Access Point, or between Access Points. MiNT links are manually created between controllers while configuring a cluster.

Level 2 (or remote) MiNT links are controller aware links, and require an IP network for communication. These level 2 MiNT links at Access Points are intended for remote Adaptive AP deployment and management from a NOC. With level 2 MiNT links, Access Points are only aware of the controllers and not of other Access Points. Level 2 MiNT links also provide partitioning between Access Points deployed at various remote sites.

To view controller or service platform Mint link statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Mint Links from the left-hand side of the UI.

Figure 15-92 Wireless Controller - Mint Links screen

The Mint Links screen lists the name of the impacted VLAN or link in the form of a link that can be selected to display more granular information about that VLAN. A green check mark or a red X defines whether the listed VLAN is listening to traffic, forced to stay up or unused with the Mint link. The level column specifies whether the listed Mint link is a traditional switching link (level 2) or a routing link (level 3). The type column defines whether the listed Mint link is a VLAN or an IPv4 or IPv6 type network address. The dis column lists how each link was discovered. Refer to the secure column to assess whether the listed links are isolated between peers. The local ip column lists the IP address assigned as the link's end point address, not the interface's IP address. The natted column lists whether the link is NAT enabled or disabled for modifying network address information in IP packet headers in transit. The cost defines the cost for a packet to travel from its originating port to its end point destination. The hello seq number and hello interval define the interval between hello keep alive messages between link end points, while the adj hold time sets the time after the last hello packet when the connection between end points is defined as lost. The static and dynamic link columns state whether each listed link is a static route using a manually configured route entry, or a dynamic route characterized by its destination. The rim column defines whether the listed link is managed remotely. The control vlan column states whether the listed link has been enabled as a control VLAN. Lastly, the clustering column states whether listed link members discover and establish connections to other peers and provide self-healing in the event of cluster member failure.

4 Periodically select Refresh to update the screen's data counters to their latest values.
5 If needed, select a Mint link from the name column to display more granular information for that link.

Figure 15-93 Wireless Controller - Mint Link Details screen

The first table lists the Mint link's name and level, specifying whether the Mint link is a traditional switching link (level 2) or a routing link (level 3). The cost defines the cost for a packet to travel from its originating port to its end point destination. The hello interval lists the time between hello keep alive messages between link end points. The adj hold time sets the time after the last hello packet when the connection between end points is defined as lost. The Adjacencies table lists neighbor devices by their hardware identifiers and operational state to help determine their availability as Mint link end points and peers. The up time lists when the selected link was detected on the network and the last hello lists when the last hello message was exchanged.

6 Periodically select Refresh to update the statistics counters to their latest values.

15.3.27 Guest Users

A captive portal is an access policy for providing guests temporary and restrictive access to the wireless network. A captive portal configuration provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Captive portals can have their access durations set by an administrator to either provide temporary access to the controller or service platform managed network or provide access without limitations. For information on setting captive portal duration and authentication settings, refer to Configuring Captive Portal Policies on page 11-1.

To view the controller or service platform guest user utilization:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Guest Users from the left-hand side of the UI.

Figure 15-94 Wireless Controller Guest Users screen

The Guest Users screen describes the following:

Name: Lists the administrator assigned name of the client utilizing the controller or service platform for guest access to the wireless network.
Configured Time (days:hrs:mins:secs): Displays the restricted permissions each listed client was initially configured with for their captive portal guest user session with this managing controller or service platform.
Remaining Time (days:hrs:mins:secs): Displays the time each listed client has remaining in their captive portal guest user session with this managing controller or service platform.
Configured Kilobytes: Lists the maximum configured bandwidth consumable by the listed guest user (in kilobytes).
Remaining Kilobytes: Lists the remaining bandwidth available to the listed guest user (in kilobytes). This is the difference between the configured (maximum) bandwidth and the user's current utilization.
Configured Downlink Rate (kbps): Specifies the download speed configured for the listed guest user. When bandwidth is available, the user can download data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the defined reduced downlink rate. For more information, refer to Defining User Pools on page 11-53.
Configured Uplink Rate (kbps): Specifies the upload speed dedicated to the listed guest user. When bandwidth is available, the user is able to upload data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the reduced uplink rate. For more information, refer to Defining User Pools on page 11-53.
Current Downlink Rate (Kbps): Lists the listed guest user's current downlink rate in kbps. Use this information to assess whether this user's configured downlink rate is adequate for their session requirements and whether their reduced downlink rate needs adjustment if the configured downlink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Current Uplink Rate (Kbps): Lists the listed guest user's current uplink rate in kbps. Use this information to assess whether this user's configured uplink rate is adequate for their session requirements and whether their reduced uplink rate needs adjustment if the configured uplink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest value.

15.3.28 GRE Tunnels

Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint. Use the GRE Tunnel screen to view information on the traffic flow in a GRE tunnel.

To view the GRE Tunnel statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select GRE Tunnels from the left-hand side of the UI.

Figure 15-95 Wireless Controller GRE Tunnel screen

The GRE Tunnels screen describes the following:

GRE State: Displays the current operational state of the GRE tunnel.
Peer IP Address: Displays the IP address of the peer device on the remote end of the GRE tunnel.
Tunnel Id: Displays the session ID of an established GRE tunnel. This ID is only viable while the tunnel is operational and does not carry over to subsequent sessions.
Total Packets Received: Displays the total number of packets received from a peer at the remote end of the GRE tunnel.
Total Packets Sent: Displays the total number of packets sent from this controller or service platform to a peer at the remote end of the GRE tunnel.
Total Packets Dropped: Lists the number of packets dropped from tunneled exchanges between this controller or service platform and a peer at the remote end of the tunnel.
Clear: Select Clear to revert the screen counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest value.

15.3.29 Dot1x

Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting Dot1x allow automatic provisioning and connection to the wireless network without launching a Web browser at login. When within range of a Dot1x network, a device automatically connects and authenticates without needing to manually log in.

To view the Dot1x statistics:

1 Select the Statistics menu from the Web UI.
2 Select the Wireless Controller node from the left navigation pane.
3 Select Dot1x from the left-hand side of the UI.

Figure 15-96 Wireless Controller Dot1x screen

4 Refer to the following Dot1xAuth statistics:

AAA Policy: Lists the AAA policy currently being utilized for authenticating user requests.
Guest Vlan Control: Lists whether guest VLAN control has been allowed (or enabled). This is the VLAN that traffic is bridged on if the port is unauthorized and guest VLAN is globally enabled. A green checkmark designates guest VLAN control as enabled. A red X defines guest VLAN control as disabled.
System Auth Control: Lists whether Dot1x authorization is globally enabled for the controller or service platform. A green checkmark designates Dot1x authorization as globally enabled. A red X defines Dot1x as globally disabled.

5 Review the following Dot1x Auth Ports utilization information:

Name: Lists the controller or service platform ge ports subject to automatic connection and authentication using Dot1x.
Auth SM: Lists whether Dot1x authentication is forced over the listed port.
Auth VLAN: Lists the numeric VLAN ID used as a virtual interface for authentication requests over the listed port.
BESM: Lists whether an authentication request is pending on the listed port.
Client MAC: Lists the MAC address of requesting clients seeking authentication over the listed port.
Guest VLAN: Lists the guest VLAN utilized for the listed port. This is the VLAN that traffic is bridged on if the port is unauthorized and guest VLAN is globally enabled.
Host: Lists whether the host is a single entity or not.
Pstatus: Lists whether the listed port has been authorized for Dot1x network authentication.

6 Refer to the MacAuth table to assess the AAA policy applied to MAC authorization requests.

7 Review the following MAC Auth Ports utilization information:

Name: Lists the controller or service platform ge ports subject to automatic connection and MAC authentication using Dot1x.
Authorized: Lists whether MAC authorization using Dot1x has been authorized (permitted) on the listed ge port. A green checkmark designates Dot1x authorization as permitted. A red X defines authorization as disabled.
Enabled: Lists whether MAC authorization using Dot1x has been enabled on the listed ge port. A green checkmark designates Dot1x authorization as allowed. A red X defines authorization as disabled.
MAC Auth: Lists the port's factory encoded MAC address.

8 Select the Refresh button to update the screen's statistics counters to their latest value.

15.3.30 Network

Use the Network screen to view information for ARP, DHCP, Routing, MLD and Bridging. Each of these screens provides enough data to troubleshoot issues related to the following:
ARP Entries
Route Entries
Default Routes
Bridge
IGMP
MLD
LACP
Traffic Shaping
DHCP Options
Cisco Discovery Protocol
Link Layer Discovery Protocol
MSTP
IPv6 Neighbor Discovery

15.3.30.1 ARP Entries

The Address Resolution Protocol (ARP) is a networking protocol for determining a network host's hardware address when its IP address or network layer address is known.

To view the ARP entries on the network statistics screen:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select ARP.

Figure 15-97 Wireless Controller - Network ARP screen

The ARP Entries screen displays the following:

IP Address: Displays the IP address of the client being resolved on behalf of the controller or service platform.
ARP MAC Address: Displays the MAC address of the device where an IP address is being resolved.
Type: Defines whether the entry was added statically or created dynamically in respect to network traffic. Entries are typically static.
VLAN: Displays the name of the virtual interface where the IP address was found.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.2 Route Entries

The Route Entries screen displays data for routing packets to a defined destination. When an existing destination subnet does not meet the needs of the network, add a new destination subnet, subnet mask and gateway as needed for either IPv4 or IPv6 formatted data packets.

IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or protect against duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity.

IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for devices on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

To view the route entries:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Route Entries. The IPv4 Route Entries tab displays by default.

Figure 15-98 Wireless Controller - IPv4 Route Entries screen

The IPv4 Route Entries screen provides the following information:

Destination: Displays the IPv4 formatted address of the destination route address.
Distance: Lists the hop distance to a desired route. Devices regularly send neighbors their own assessment of the total cost to get to all known destinations. A neighboring device examines the information and compares it to its own routing data. Any improvement on what is already known is inserted in that device's own routing tables. Over time, each networked device discovers the optimal next hop for each destination.
Route: Lists the IPv4 formatted IP address used for routing packets to a defined destination.
Flags: The flag signifies the condition of the direct or indirect route.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Metric: Lists the metric (or cost) of the route used to select (or predict) the best route. The metric is computed using a routing algorithm, and covers information such as bandwidth, network delay, hop count, path cost, load, MTU, reliability, and communication cost.
Refresh: Select Refresh to update the display to the latest values.

5 Select the IPv6 Route Entries tab to review route data for IPv6 formatted traffic.

Figure 15-99 Wireless Controller - IPv6 Route Entries screen

The IPv6 Route Entries screen provides the following information:

Destination: Displays the IPv6 formatted address of the destination route address. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Flag: The flag signifies the condition of the direct or indirect route.
Refresh: Select Refresh to update the display to the latest values.

15.3.30.3 Default Routes

In an IPv6 supported environment unicast routing is always enabled. A controller or service platform routes IPv6 formatted traffic between interfaces as long as the interfaces are enabled for IPv6 and ACLs allow IPv6 formatted traffic. However, an administrator can add default routes as needed.

Static routes are manually configured. They work fine in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.

To view controller or service platform default routes:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Default Routes. The IPv4 Default Routes tab displays by default.

Figure 15-100 Wireless Controller - IPv4 Default Routes screen

The IPv4 Default Routes screen provides the following information:

DNS Server: Lists the address of the DNS server providing IPv4 formatted address assignments on behalf of the controller or service platform.
Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed route as currently installed on the controller or service platform. A red X defines the route as not currently installed and utilized.
Metric: The metric (or cost) could be the distance of a router (round-trip time), link throughput or link availability.
Monitor Mode: Displays where in the network the route is monitored for utilization status.
Source: Lists whether the route is static or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Monitoring Status: Lists whether the defined IPv4 route is currently reachable on the controller or service platform managed network. If not, perhaps a topology change has occurred to a static route requiring a default route be utilized.
Refresh: Select Refresh to update the display to the latest values.

5 Select the IPv6 Default Routes tab to review default route availabilities for IPv6 formatted traffic.

Figure 15-101 Wireless Controller - IPv6 Default Routes screen

The IPv6 Default Routes screen provides the following information:

Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed IPv6 default route as currently installed on the controller or service platform. A red X defines the route as not currently installed and utilized.
Interface Name: Displays the interface on which the IPv6 default route is being utilized.
Lifetime: Lists the lifetime representing the valid usability of the default IPv6 route.
Preference: Displays the administrator defined IPv6 preferred route for IPv6 traffic.
Source: Lists whether the route is static or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Status: Lists whether the defined IPv6 route is currently reachable on the controller or service platform managed network. If not, perhaps a topology change has occurred to a static route requiring a default route be utilized.
Refresh: Select Refresh to update the display to the latest values.

15.3.30.4 Bridge

Bridging is a forwarding technique making no assumption about where a particular network address is located. It depends on flooding and the examination of source addresses in received packet headers to locate unknown devices. Once a device is located, its location is stored in a table to avoid broadcasting to that device again. Bridging is limited by its dependency on flooding, and is used in local area networks only. A bridge and a controller or service platform are very similar, since a controller or service platform is a bridge with a number of ports.
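The bridging behaviour just described (flood when the destination is unknown, learn each source address from received frames, keep it in a table so later frames go to one port) as an added Python example. This is illustrative code written for this page, not the controller's or WiNG's own bridge implementation. The port names, MAC addresses and timestamps are constructed sample data, and the ageing limit, table capacity cap and MAC-move log are assumptions added to show the three things a practitioner checks on any learning bridge: idle entries must age out, a flood of unknown source addresses must not evict real hosts from the table, and a known MAC reappearing on a different port is worth recording.

```python
# Added example (not from the System Reference Guide): a minimal learning
# bridge behaving as the bridging paragraph above describes. All frames,
# port names and MAC addresses below are constructed sample data.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str       # source MAC, learned into the table
    dst: str       # destination MAC, looked up in the table
    in_port: str   # port the frame arrived on


@dataclass
class LearningBridge:
    ports: Tuple[str, ...]
    age_limit: float = 300.0   # assumption: seconds an idle entry stays in the table
    capacity: int = 1024       # assumption: hard cap so bogus sources cannot evict real hosts
    # MAC -> (port, time last seen): the "table" the text refers to
    table: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    # (MAC, old port, new port, time): a MAC moving between ports is logged,
    # since that is either a roaming host or a spoofed source address
    moves: List[Tuple[str, str, str, float]] = field(default_factory=list)

    def expire(self, now: float) -> List[str]:
        """Drop entries not refreshed within age_limit; returns the MACs removed."""
        stale = [mac for mac, (_, seen) in self.table.items() if now - seen > self.age_limit]
        for mac in stale:
            del self.table[mac]
        return stale

    def learn(self, frame: Frame, now: float) -> None:
        """Record the source address against its ingress port."""
        prev = self.table.get(frame.src)
        if prev is None and len(self.table) >= self.capacity:
            return  # table full: leave this source unknown rather than evict a known host
        if prev is not None and prev[0] != frame.in_port:
            self.moves.append((frame.src, prev[0], frame.in_port, now))
        self.table[frame.src] = (frame.in_port, now)

    def forward(self, frame: Frame, now: float) -> List[str]:
        """Return the egress ports: flood when unknown or broadcast, else the learned port."""
        self.expire(now)
        self.learn(frame, now)
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or entry is None:
            return [p for p in self.ports if p != frame.in_port]  # flood all but ingress
        out_port = entry[0]
        if out_port == frame.in_port:
            return []  # destination sits on the ingress segment: filter, do not forward
        return [out_port]


def demo() -> Dict[str, List[str]]:
    """Walk a constructed frame sequence through a three-port bridge."""
    bridge = LearningBridge(ports=("ge1", "ge2", "ge3"))
    out: Dict[str, List[str]] = {}
    # host 01 broadcasts (e.g. an ARP request): flooded, and 01 is learned on ge1
    out["arp_broadcast"] = bridge.forward(Frame("aa:aa:aa:aa:aa:01", BROADCAST, "ge1"), 0.0)
    # host 02 replies to 01: 01 is known, so only ge1 receives the frame
    out["reply_to_known"] = bridge.forward(Frame("bb:bb:bb:bb:bb:02", "aa:aa:aa:aa:aa:01", "ge2"), 1.0)
    # host 03 on the same segment as 01 talks to 01: nothing is forwarded
    out["same_segment"] = bridge.forward(Frame("cc:cc:cc:cc:cc:03", "aa:aa:aa:aa:aa:01", "ge1"), 2.0)
    # 400 s later every entry has aged out, so a frame to 01 is flooded again
    out["after_aging"] = bridge.forward(Frame("dd:dd:dd:dd:dd:04", "aa:aa:aa:aa:aa:01", "ge2"), 400.0)
    return out


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:>15}: {ports}")
```

The Forwarding column on the Bridge screen corresponds to the `forward` decision here; on a real bridge the table is also what the ARP Entries and IGMP Port Members screens are built from, which is why a full or rapidly changing table shows up first as unexpected flooding on the wired ports.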
To view network bridge information:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Bridge.

Figure 15-102 Wireless Controller - Network Bridge screen

The Bridge screen displays the following:

Bridge Name: Displays the numeric ID of the network bridge.
MAC Address: Displays the MAC address of each listed bridge.
Interface: Displays the controller or service platform physical port interface the bridge uses to transfer packets. Interface availability is slightly different amongst supported controller and service platform models.
VLAN: Displays the VLAN the bridge is using as a virtual interface within the controller or service platform managed network.
Forwarding: Displays whether the bridge is forwarding packets.
Refresh: Select Refresh to update the statistics counters to the latest values.

15.3.30.5 IGMP

Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The Access Point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected. On the wired side of the network, the Access Point floods all the wired interfaces. This feature reduces unnecessary flooding of multicast traffic in the network.

To view network IGMP configuration options:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select IGMP.

Figure 15-103 Wireless Controller - Network IGMP screen

The Group field describes the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
Port Members: Displays the ports on which multicast clients have been discovered. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
Version: Displays each listed group's IGMP version compatibility as either version 1, 2 or 3.

The Multicast Router (MRouter) field describes the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the physical ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure Access Point profile communications at the transport layer. Using MiNT, an Access Point can be configured to only communicate with other authorized (MiNT enabled) Access Points of the same model.
Query Interval: Lists the IGMP query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router IGMP version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.6 MLD

Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups. MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.

To view network MLD configuration options:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select MLD.

Figure 15-104 Wireless Controller - Network MLD screen

The Multicast Listener Discovery (MLD) Group field describes the following:

VLAN: Displays the group VLAN where the MLD group's multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
Port Members: Displays the ports on which MLD multicast clients have been discovered. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
Version: Displays each listed group's version compatibility as either version 1, 2 or 3.

The IPv6 Multicast Router (MRouter) field describes the following:

VLAN: Displays the group VLAN where the multicast transmission is conducted.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, a controller or service platform can be configured to only communicate with other authorized (MiNT enabled) devices.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the physical ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported controller and service platform models.
Query Interval: Lists the query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.7 LACP

Link Aggregation Control Protocol (LACP) is used to dynamically determine if link aggregation is possible and then to automatically configure the aggregation. LACP is a part of the IEEE 802.1ad standard and allows the switch to dynamically reconfigure the link aggregation groups (LAGs). A LAG is enabled only if LACP determines that the remote device is also using LACP and is able to join the LAG.

To view network LACP statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select LACP. The System and Aggregator Statistics tab displays by default.

Figure 15-105 Wireless Controller - Network LACP - System And Aggregator Statistics screen

The System field describes the following:

System Identifier: Displays the MAC address of the device.
System Priority: Displays the system's LACP priority value.

The Aggregator Statistics field describes the following:

Aggregator Name: Displays the name of the port channel configured on this device.
Interface: Displays the name of the interface for which these statistics are being displayed.
LACPDU Sent: Displays the number of Link Aggregation Control Protocol Data Units (LACPDUs) sent from this device.
LACPDU Received: Displays the number of LACPDUs received by this device.
Marker Sent: Displays the number of marker packets sent. Marker packets are sent to the remote device to ensure that all frames transmitted through the link have been received.
Marker Received: Displays the number of marker packet responses received from the remote device.
Packets Error Sent: Displays the total number of packets transmitted with errors.
Packets Error Received: Displays the total number of packets received with errors.

Figure 15-106 Wireless Controller - Network LACP screen - Aggregator Details tab

5 Select the Aggregator Details tab. This field describes the following:

Aggregator Name: Displays the name of the link aggregator (LAG).
Interface: Displays the name of the interface that is a member of the LAG.
MAC Address: Displays the MAC address of the physical interface.
MUX machine state: Displays the state of the multiplexer state machine for the aggregation port. The values are:
  attached: Displays the state as attached when the multiplexer state machine is initiating the process of attaching the port to the selected aggregator.
  detached: Displays the state as detached when the multiplexer state machine is initiating the process of detaching the port from the aggregator.
  collecting/distributing: Displays the state as collecting/distributing. Collecting and distributing states are merged together to form a combined state (coupled control). Because independent control is not possible, the coupled control state machine does not wait for the partner to signal that collection has started before enabling both collection and distribution.

15.3.30.8 Traffic Shaping

Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. Traffic shaping enables traffic control out of an interface to match its flow to the speed of a remote target's interface and ensure traffic conforms to applied policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion when data rates are in conflict. Traffic shaping can be applied to specific applications or to application categories. When application and ACL rules conflict, an application takes precedence over an application category, and both take precedence over ACLs.

To view the controller or service platform's traffic shaping configuration:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Traffic Shaping. The Status screen displays by default, and lists the controller or service platform's traffic shaping status.

Figure 15-107 Wireless Controller - Network Traffic Shaping screen

5 Select Statistics.
6 Refer to the following Traffic Shaping statistics:

Rate: The rate configuration controls the maximum traffic rate sent or received on an interface. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority.
Priority: Lists the traffic shaper queue priority. There are 8 queues (0 - 7), and traffic is queued in each based on incoming packets' 802.1p markings.
Packets Sent: Provides a baseline of the total number of packets sent to assess packet delays and drops as a result of the filter rules applied in the traffic shaping configuration.
Packets Delayed: Lists the packets defined as less important than prioritized traffic streams and delayed as a result of the traffic shaping filter rules applied.
Packets Dropped: Lists the packets defined as less important than prioritized traffic streams, delayed and eventually dropped as a result of the traffic shaping filter rules applied.
Current Length: Lists the packet length of the data traffic shaped to meet downstream requirements.
Current Latency: Traffic shaping latency is the time limit after which packets start dropping as a result of the traffic prioritization filter rules applied.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.9 DHCP Options

Controllers and service platforms contain an internal Dynamic Host Configuration Protocol (DHCP) server. The DHCP server can provide the dynamic assignment of IP addresses automatically from existing address pools. DHCP is a protocol that includes IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters include IP address, gateway and network mask.

To view network DHCP options:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select DHCP Options.

Figure 15-108 Wireless Controller - Network DHCP Options screen

The DHCP Options screen describes the following:

Server Information: Lists server information specific to each DHCP server resource available to requesting clients for the dynamic assignment of IP addresses.
Image File: Displays the image file name. BOOTP, or the bootstrap protocol, can be used to boot diskless clients. An image file is sent from the boot server. The file contains the operating system image. DHCP servers can be configured to support BOOTP.
Configuration: Displays the name of the configuration file on the DHCP server.
Legacy Adoption: Displays legacy (historical) device adoption information.
Adoption: Displays pending (current) adoption information.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.10 Cisco Discovery Protocol

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer network protocol implemented in Cisco networking equipment and used to share information about network devices.

To view a controller or service platform's CDP statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Cisco Discovery Protocol.

Figure 15-109 Wireless Controller - Network CDP screen

The Cisco Discovery Protocol screen displays the following:

Capabilities: Displays the capabilities code for Cisco neighbors.
Device ID: Displays the configured device ID or name for each device in the table.
Local Port: Displays the local port name for each CDP capable device.
Platform: Displays the model number of the CDP capable device.
Port ID: Displays the identifier for the local port.
TTL: Displays the time to live (TTL) for each CDP connection.
Clear Neighbors: Click Clear Neighbors to remove all known CDP neighbors from the table.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.11 Link Layer Discovery Protocol

The Link Layer Discovery Protocol (LLDP), or IEEE 802.1AB, is a vendor-neutral data link layer protocol used by network devices for advertising (announcing) their identity, capabilities, and interconnections on an IEEE 802 LAN network. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery.

To view a controller or service platform's Link Layer Discovery Protocol statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Link Layer Discovery Protocol.

Figure 15-110 Wireless Controller - Network LLDP screen

The Link Layer Discovery Protocol screen displays the following:

Capabilities: Displays the Access Point capabilities code.
Device ID: Displays the configured device ID or name for each device in the table.
Enabled Capabilities: Displays which LLDP capabilities are currently utilized by the listed device.
Local Port: Displays the physical local port name for each LLDP capable device.
Platform: Displays the model number of the LLDP capable device and its firmware load.
Port ID: Displays the identifier for the local port.
TTL: Displays the time to live (TTL) for each LLDP connection.
Clear Neighbors: Click Clear Neighbors to remove all known LLDP neighbors from the table.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.12 IPv6 Neighbor Discovery

IPv6 neighbor discovery uses ICMP messages and solicited multicast addresses to find the link layer address of a neighbor on the same local network, verify the neighbor's reachability and track neighboring devices. Upon receiving a neighbor solicitation message, the destination replies with a neighbor advertisement (NA). The source address in the advertisement is the IPv6 address of the device sending the message. The destination address in the advertisement message is the IPv6 address of the device that sent the neighbor solicitation. The data portion of the NA includes the link layer address of the node sending the neighbor advertisement.

Neighbor solicitation messages also verify the availability of a neighbor once its link layer address is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor. A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed. If packets are reaching the device, they're also reaching the next hop neighbor, providing a confirmation the next hop is reachable.

To view a controller or service platform's IPv6 neighbor statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Discovery.

Figure 15-111 Wireless Controller - Network IPv6 Neighbor screen

The IPv6 Neighbor screen displays the following:

IPv6 Address: Lists an IPv6 IP address for neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
MAC Address: Lists the factory encoded hardware MAC address of the neighbor device using an IPv6 formatted IP address as its network identifier.
Type: Displays the device type for the neighbor solicitation. Neighbor solicitations request the link layer address of a target node while providing the sender's own link layer address to the target. Neighbor solicitations are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. Options include Host, Router and DHCP Server.
VLAN: Lists the virtual interface (from 1 - 4094) used for the required neighbor advertisements and solicitation messages used for neighbor discovery.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.30.13 MSTP

The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology. If there's just one VLAN in the Access Point managed network, a single spanning tree works fine. However, if the network contains more than one VLAN, the network topology defined by a single STP would work, but it's possible to make better use of the alternate paths available by using an alternate spanning tree for different VLANs or groups of VLANs.

MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format. BPDUs are used to exchange information about bridge IDs and root path costs. Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP. MSTP encodes additional region information after the standard RSTP BPDU as well as a number of MSTI messages. Each MSTI message conveys spanning tree information for one instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. To avoid conveying the entire VLAN-to-spanning-tree mapping in each BPDU, the Access Point encodes an MD5 digest of its VLAN-to-instance table in the MSTP BPDU. This digest is used by other MSTP supported devices to determine if the neighboring device is in the same MST region as itself.

To view a controller or service platform's MSTP statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Network menu from the left-hand side of the UI.
4 Select MSTP.

Figure 15-112 Wireless Controller - Network MSTP screen

The MST Config field displays the name assigned to the MSTP configuration, its digest, format ID, name and revision. The MST Bridge field lists the filters and guards that have been enabled and whether Cisco interoperability is enabled. The MST Bridge Port Detail field lists specific controller or service platform port status and their current state.

15.3.31 DHCPv6 Relay & Client

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent and the relay agent sends the responses to the client on the local link.

To assess the DHCPv6 relay configuration:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select DHCP Relay & Client from the left-hand side of the UI.

Figure 15-113 Wireless Controller - DHCPv6 Relay and Client screen

4 The DHCPv6 Relay Status table defines the following:

Interfaces: Displays the controller or service platform interface used for DHCPv6 relay.
State: Displays the current operational state of the DHCPv6 server to assess its availability as a viable IPv6 provisioning resource.

5 The DHCPv6 Client Received Options table defines the following:

Client Identifier: Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCPv6 server.
Server Identifier: Displays the server identifier supporting client DHCPv6 relay message reception.
DNS Servers: Lists the DNS server resources supporting relay messages received from clients.
Domain Name: Lists the domain to which the remote server resource belongs.
Interface: Displays the interfaces dedicated to client DHCPv6 relay message reception.
Refresh Time (Seconds): Lists the time (in seconds) since the data populating the DHCPv6 client received options table has been refreshed.
Server Preference: Lists the preferred DHCPv6 server resource supporting relay messages received from clients.
SIP Domain Name: Lists the SIP domain name supporting DHCPv6 client telephone extensions or voice over IP systems.
SIP Server: Displays the SIP server name supporting DHCPv6 telephone extensions or voice over IP systems.
Enterprise ID: Lists the enterprise ID associated with DHCPv6 received client options.

6 Refer to the Vendor Options table for the following:

Code: Lists the relevant numeric DHCP vendor code.
Data: Lists the supporting data relevant to the listed DHCP vendor code.

7 Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.32 DHCP Server

Controllers and service platforms contain an internal Dynamic Host Configuration Protocol (DHCP) server. DHCP can provide IP addresses automatically. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters (IP address, network mask, gateway, etc.) from a DHCP server to a host.

To review DHCP server statistics, refer to the following:
Viewing General DHCP Information
Viewing DHCP Binding Information
Viewing DHCP Server Networks Information

15.3.32.1 Viewing General DHCP Information

To view general DHCP status and binding information for both DHCPv4 and DHCPv6:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller from the left navigation pane.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select General.

Figure 15-114 Wireless Controller - DHCP Server General screen

5 The DHCPv4 Status and DHCPv6 Status tables define the following:

Interfaces: Displays the controller or service platform interface used with the DHCPv4 or DHCPv6 resource for IP address provisioning.
State: Displays the current operational state of the DHCPv4 or DHCPv6 server to assess its availability as a viable IP provisioning resource.

6 The DDNS Bindings table displays the following:

IP Address: Displays the IP address assigned to the requesting client.
Name: Displays the domain name mapping corresponding to the listed IP address.

7 The DHCP Manual Bindings table displays the following:

IP Address: Displays the IP address for clients requesting DHCP provisioning resources.
Client Id: Displays the client's ID used to differentiate requesting clients.

8 Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.32.2 Viewing DHCP Binding Information

The DHCP Binding screen displays DHCP binding information such as expiry time, client IP addresses and their MAC address. Controllers and service platforms build and maintain a DHCP snooping table (DHCP binding database). A controller or service platform uses the snooping table to identify and filter untrusted messages. The DHCP binding database keeps track of DHCP addresses assigned to ports, as well as filtering DHCP messages from untrusted ports. Incoming packets received on untrusted ports are dropped if the source MAC address does not match the MAC in the binding table.

To view the DHCP binding information:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Bindings.

Figure 15-115 Wireless Controller - DHCP Server Bindings screen

The Bindings screen displays the following:

Expiry Time: Displays the expiration of the lease used by the client for controller or service platform DHCP resources.
IP Address: Displays the IP address of each listed client requesting DHCP services.
DHCP MAC Address: Displays the MAC address of each listed client requesting DHCP services.
Clear: Select a table entry and select Clear to remove the client from the list of devices requesting DHCP services from the controller or service platform.
Clear All: Select Clear All to remove all listed clients from the list of requesting clients.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.32.3 Viewing DHCP Server Networks Information

The DHCP server maintains a pool of IP addresses and client configuration parameters (default gateway, domain name, name servers, etc.). On receiving a valid client request, the server assigns the requestor an IP address, a lease (the period of validity), and other IP configuration parameters. The Networks screen provides network pool information such as the subnet for the addresses you want to use from the pool, the pool name, the used addresses and the total number of addresses.

To view the DHCP Server Networks information:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Networks.

Figure 15-116 Wireless Controller - DHCP Server Networks screen

The Networks screen displays the following:

Name: Displays the name of the virtual network (VLAN) from which IP addresses can be issued to DHCP client requests on the listed controller or service platform interface.
Subnet Address: Displays the subnet for the IP addresses used from the network pool.
Used Addresses: Displays the number of host IP addresses allocated by the DHCP server.
Total Addresses: Displays the total number of IP addresses available in the network pool for requesting clients.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.33 Firewall

A firewall is designed to block unauthorized access while permitting authorized communications. It's a device or a set of devices configured to permit or deny computer applications based on a set of rules.

For more information, refer to the following:

Viewing Packet Flow Statistics
Viewing Denial of Service Statistics
IP Firewall Rules
IPv6 Firewall Rules
MAC Firewall Rules
NAT Translations
Viewing DHCP Snooping Statistics
IPv6 Neighbor Snooping

15.3.33.1 Viewing Packet Flow Statistics

The Packet Flows screen displays data traffic packet flow utilization. The chart lists the different protocol flows supported, and displays a proportional view of the flows in respect to their percentage of data traffic utilized. The Total Active Flows field displays the total number of flows supported by the controller or service platform.

To view the packet flow statistics:

1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select Packet Flows.

Figure 15-117 Firewall Packet Flows

Select Clear All to revert the statistics counters to zero and begin a new data collection, or select Refresh to update the display to the latest values.

15.3.33.2 Viewing Denial of Service Statistics

A denial-of-service attack (DoS attack), or distributed denial-of-service attack, is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of a concerted effort to prevent an Internet site or service from functioning efficiently. One common attack involves saturating the target's (victim's) machine with external communications requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming its resources so that it can no longer provide its intended service. The Denial of Service screen displays attack type, number of occurrences, and time of last occurrence.

To view the denial of service statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select Denial of Service.

Figure 15-118 Wireless Controller - Firewall DoS screen

The Denial of Service screen displays the following:

Attack Type: Displays the DoS attack type. The controller or service platform supports enabling or disabling 24 different DoS attack filters.
Count: Displays the number of times each DoS attack was observed by the controller or service platform's firewall.
Last Occurrence: Displays the amount of time since the DoS attack was last observed by the controller or service platform's firewall.
Clear All: Select Clear All to revert the statistics counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.33.3 IP Firewall Rules

Create firewall rules to let any computer send IPv4 traffic to, or receive traffic from, programs, system services, computers or users. Firewall rules can be created to provide one of the three actions listed below that match the rule's criteria:

Allow a connection
Allow a connection only if it is secured through the use of Internet Protocol security
Block a connection

Rules can be created for either inbound or outbound traffic.

To view existing IPv4 firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IP Firewall Rules.

Figure 15-119 Wireless Controller - Firewall IP Firewall Rules screen

The IP Firewall Rules screen displays the following:

Precedence: Displays the precedence (priority) applied to packets. Every rule has a unique precedence value between 1 - 5000. You cannot add two rules with the same precedence value.
Friendly String: This is a string that provides more information as to the contents of the rule. This is for information purposes only.
Hit Count: Displays the number of times each IP ACL has been triggered.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.33.4 IPv6 Firewall Rules

IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters.

Allow an IPv6 formatted connection
Allow a connection only if it is secured through the use of IPv6 security
Block a connection and exchange of IPv6 formatted packets

To view existing IPv6 firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Firewall Rules.

Figure 15-120 Wireless Controller - Firewall IPv6 Firewall Rules screen

The IPv6 Firewall Rules screen displays the following:

Precedence: Displays the precedence (priority) applied to IPv6 formatted packets. Unlike IPv4, IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Every rule has a unique precedence value between 1 - 5000. You cannot add two rules with the same precedence value.
Friendly String: This is a string that provides more information as to the contents of the IPv6 specific IP rule. This is for information purposes only.
Hit Count: Displays the number of times each IPv6 ACL has been triggered.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.33.5 MAC Firewall Rules

The ability to allow or deny client access by MAC address ensures malicious or unwanted users are unable to bypass security filters. Firewall rules can use one of the three following actions based on a rule's criteria:

Allow a connection
Allow a connection only if it is secured through the MAC firewall security
Block a connection

To view MAC firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select MAC Firewall Rules.

Figure 15-121 Wireless Controller - Firewall MAC Firewall Rules screen

The MAC Firewall Rules screen displays the following:

Precedence: Displays the precedence (priority) applied to packets. The rules within an Access Control Entries (ACL) list are based on their precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence value.
Friendly String: This string provides more information as to the contents of the rule. This is for information purposes only.
Hit Count: Displays the number of times each WLAN ACL has been triggered.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.33.6 NAT Translations

Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect wireless controller managed network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address. NAT can provide a profile outbound Internet access to wired and wireless hosts connected to either an Access Point or a wireless controller. Many-to-one NAT is the most common NAT technique for outbound Internet access. Many-to-one NAT allows an Access Point or wireless controller to translate one or more internal private IP addresses to a single, public facing, IP address assigned to a 10/100/1000 Ethernet port or 3G card.

To assess the controller or service platform's NAT configuration and statistics:

1 Select the Statistics menu from the Web UI.
2 Select an Access Point node from the left navigation pane. Expand the Firewall menu from the left-hand side of the UI.
3 Select NAT Translations.
4 The NAT Translations screen displays the following:
Figure 15-122 Wireless Controller - Firewall NAT Translation screen
Protocol: Displays the translation protocol as either TCP, UDP or ICMP.
Forward Source IP: Displays the internal network IP address for forward facing NAT translations.
Forward Source Port: Displays the internal network (virtual) port for forward facing NAT translations.
Forward Dest IP: Displays the external network destination IP address for forward facing NAT translations.
Forward Dest Port: Displays the external network destination port for forward facing NAT translations.
Reverse Source IP: Displays the internal network IP address for reverse facing NAT translations.
Reverse Source Port: Displays the internal network port for reverse facing NAT translations.
Reverse Dest IP: Displays the external network destination IP address for reverse facing NAT translations.
Reverse Dest Port: Displays the external network destination port for reverse facing NAT translations.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.33.7 Viewing DHCP Snooping Statistics
When DHCP servers are allocating IP addresses to clients, DHCP snooping can strengthen security on the LAN by allowing only clients with specific IP/MAC addresses. To view the DHCP snooping statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select DHCP Snooping.
The DHCP Snooping screen displays the following:
Figure 15-123 Wireless Controller - Firewall DHCP Snooping screen
MAC Address: Displays the MAC address of the client.
Node Type: Displays the NetBIOS node type, with an IP pool from which IP addresses can be issued to client requests on this interface.
IP Address: Displays the IP address used for DHCP discovery and requests between the DHCP server and DHCP clients.
Netmask: Displays the subnet mask used for DHCP discovery and requests between the DHCP server and DHCP clients.
VLAN: Displays the controller or service platform virtual interface ID used for a new DHCP configuration.
Lease Time: When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease is the time an IP address is reserved for re-connection after its last use. Using short leases, DHCP can dynamically reconfigure networks in which there are more computers than available IP addresses. This is useful, for example, in education and customer environments where client users change frequently. Use longer leases if there are fewer users.
Time Elapsed Since Last Update: Displays the amount of time elapsed since the DHCP server was last updated.
Clear All: Select Clear All to revert the counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen's counters to their latest values.

15.3.33.8 IPv6 Neighbor Snooping
IPv6 snooping bundles layer 2 IPv6 hop security features, such as IPv6 neighbor discovery (ND) inspection, IPv6 address gleaning and IPv6 device tracking. When IPv6 ND is configured on a device, packet capture instructions redirect the ND protocol and DHCP for IPv6 traffic up to the controller for inspection. A database of connected IPv6 neighbors is created from the IPv6 neighbor snoop.
The database is used by IPv6 to validate the link layer address, IPv6 address and prefix binding of the neighbors to prevent spoofing and potential redirect attacks.
To review IPv6 neighbor snooping statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Snooping.
Figure 15-124 Wireless Controller - Firewall IPv6 Neighbor Snooping screen
The IPv6 Neighbor Snooping screen displays the following:
MAC Address: Displays the hardware encoded MAC address of an IPv6 client reporting to the controller or service platform.
Node Type: Displays the NetBIOS node type from an IPv6 address pool from which IP addresses can be issued to requesting clients.
IPv6 Address: Displays the IPv6 address used for DHCPv6 discovery and requests between the DHCPv6 server and DHCP clients.
VLAN: Displays the controller or service platform virtual interface ID used for a new DHCPv6 configuration.
Mint Id: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model.
Snoop Id: Lists a numeric snooping ID associated with each packet inspection snooping session conducted by the controller or service platform.
Time Elapsed Since Last Update: Displays the amount of time elapsed since the DHCPv6 server was last updated.
Clear Neighbors: Select Clear Neighbors to revert the counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen's counters to their latest values.

15.3.34 VPN
IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they are protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination. Tunnels are sets of security associations (SA) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of defined security protocols (AH or ESP).
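As an added illustration of the SA model just described (this is not code from the System Reference Guide or from the WiNG software), the following Python sketch keeps one inbound and one outbound SA per peer, each with its own SPI and lifetime, selects the inbound SA the way a receiver does (by destination address, security protocol and the SPI value carried in the ESP or AH header), and renders the per-peer rows the IKESA and IPSec screens report. The peer addresses, SPIs, timestamps and lifetimes are constructed sample values; an SA whose lifetime has been exceeded is reported as timed out, matching the Lifetime column's behaviour.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Protocol(Enum):
    ESP = 50  # IP protocol numbers of the two IPsec security protocols
    AH = 51


@dataclass
class SecurityAssociation:
    peer: str            # remote tunnel endpoint address
    local: str           # local tunnel endpoint address
    protocol: Protocol
    inbound: bool        # SAs are unidirectional: one inbound, one outbound per pair
    spi: int             # 32-bit Security Parameter Index carried in the ESP/AH header
    established: float   # time the SA was negotiated, in seconds
    lifetime: float      # seconds; once exceeded the SA is timed out

    def expired(self, now: float) -> bool:
        return now - self.established > self.lifetime


class SADatabase:
    """Holds the SA pairs negotiated with every IPsec peer (constructed model)."""

    def __init__(self) -> None:
        self.sas: List[SecurityAssociation] = []

    def add_pair(self, peer: str, local: str, protocol: Protocol,
                 spi_in: int, spi_out: int, now: float, lifetime: float) -> None:
        """IKE negotiates SAs in pairs; each direction gets an independent SPI."""
        self.sas.append(SecurityAssociation(peer, local, protocol, True, spi_in, now, lifetime))
        self.sas.append(SecurityAssociation(peer, local, protocol, False, spi_out, now, lifetime))

    def lookup_inbound(self, dst: str, protocol: Protocol, spi: int,
                       now: float) -> Optional[SecurityAssociation]:
        """The receiver selects the inbound SA by (destination, protocol, SPI).
        An unknown triple or an expired SA means the packet cannot be accepted."""
        for sa in self.sas:
            if sa.inbound and sa.local == dst and sa.protocol is protocol and sa.spi == spi:
                return None if sa.expired(now) else sa
        return None

    def select_outbound(self, peer: str, protocol: Protocol,
                        now: float) -> Optional[SecurityAssociation]:
        """The sender picks the live outbound SA for the peer it is tunnelling to."""
        for sa in self.sas:
            if not sa.inbound and sa.peer == peer and sa.protocol is protocol:
                return None if sa.expired(now) else sa
        return None

    def rows(self, now: float) -> List[Dict[str, object]]:
        """One row per peer, in the layout of the IPSec statistics screen."""
        pairs: Dict[Tuple[str, Protocol], Dict[str, object]] = {}
        for sa in self.sas:
            row = pairs.setdefault((sa.peer, sa.protocol), {
                "Peer": sa.peer, "Local IP Address": sa.local,
                "Protocol": sa.protocol.name, "State": "online",
                "SPI In": None, "SPI Out": None})
            row["SPI In" if sa.inbound else "SPI Out"] = f"0x{sa.spi:08x}"
            if sa.expired(now):
                row["State"] = "timed out"
        return list(pairs.values())


def build_sample() -> SADatabase:
    """Constructed sample: two peers negotiated at t=1000 s with different lifetimes."""
    db = SADatabase()
    db.add_pair("198.51.100.7", "203.0.113.10", Protocol.ESP,
                spi_in=0x00001001, spi_out=0x0000a001, now=1000.0, lifetime=3600.0)
    db.add_pair("198.51.100.8", "203.0.113.10", Protocol.AH,
                spi_in=0x00002002, spi_out=0x0000b002, now=1000.0, lifetime=600.0)
    return db


if __name__ == "__main__":
    # At t=1700 s the AH peer's 600 s lifetime has been exceeded.
    for row in build_sample().rows(now=1700.0):
        print(row)
```

Note that the outbound SPI is never accepted for inbound traffic: the two directions are separate associations with separate keys, which is why the screen reports SPI In and SPI Out as distinct values.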
Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPsec peer; however, for remote VPN deployments one crypto map is used for all the remote IPsec peers. The Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration.
VPN statistics are partitioned into the following:
IKESA
IPSec

15.3.34.1 IKESA
The IKESA screen allows for the review of individual peer security association statistics.
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IKESA.
Review the following VPN peer security association statistics:
Figure 15-125 Wireless Controller - VPN IKESA screen
Peer: Lists IDs for peers sharing security associations (SA) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Version: Displays each peer's IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms.
State: Lists the online or offline state of each listed peer's SA.
Lifetime: Displays the lifetime for the duration of each listed peer's IPSec VPN security association. Once the set value is exceeded, the association is timed out.
Local IP Address: Displays each listed peer's local tunnel end point IP address. This address represents an alternative to an interface IP address.
Clear/Clear All: Select Clear to remove a selected peer. Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.34.2 IPSec
Use the IPSec VPN screen to assess tunnel status between networked peers. To view IPSec VPN status for tunnelled peers:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IPSec.
Review the following VPN peer security association statistics:
Figure 15-126 Wireless Controller - VPN IPSec screen
Peer: Lists IP addresses for peers sharing security associations (SA) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Local IP Address: Displays each listed peer's local tunnel end point IP address. This address represents an alternative to an interface IP address.
Protocol: Lists the security protocol used with the VPN IPSec tunnel connection. SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH.
State: Lists the state of each listed peer's security association.
SPI In: Lists stateful packet inspection (SPI) status for incoming IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.
SPI Out: Lists SPI status for outgoing IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures they are valid.
Mode: Displays the IKE mode. IPSEC has two modes in IKEv1 for key exchanges. Aggressive mode requires 3 messages to be exchanged between the IPSEC peers to set up the SA; Main mode requires 6 messages.
Clear All: Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.35 Viewing Certificate Statistics
The Secure Socket Layer (SSL) protocol is used to ensure secure transactions between Web servers and browsers. This protocol uses a third party, a certificate authority, to identify one end or both ends of the transactions. A browser checks the certificate issued by the server before establishing a connection. For more information, see:
Viewing Trustpoints Statistics
Viewing the RSA Key Details

15.3.35.1 Viewing Trustpoints Statistics
Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporate or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.
To view controller or service platform trustpoint statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Certificate and expand the menu to reveal its sub menu items.
4 Select Trustpoint.
The Certificate Details field displays the following:
Figure 15-127 Wireless Controller - Certificates Trustpoint screen
Subject Name: Describes the entity to which the certificate is issued.
Alternate Subject Name: Lists alternate subject information about the certificate as provided to the certificate authority.
Issuer Name: Displays the name of the organization issuing the certificate.
Serial Number: Lists the unique serial number of the certificate.
RSA Key Used: Displays the name of the key pair generated separately, or automatically when selecting a certificate.
Is CA: Indicates whether this certificate is an authority certificate (Yes/No).
Is Self Signed: Displays whether the certificate is self-signed (Yes/No).
Server Certification Present: Displays whether a server certification is present or not (Yes/No).
CRL Present: Displays whether a Certificate Revocation List (CRL) is present (Yes/No). A CRL contains a list of subscribers paired with digital certificate status. The list displays revoked certificates along with the reasons for revocation. The date of issuance and the entities that issued the certificate are also included.
The Validity field displays the following:
Valid From: Displays the certificate's issue date, stating the beginning of the certificate's validity.
Valid Until: Displays the certificate's expiration date.
The Certificate Authority (CA) Details field displays the following:
Subject Name: Displays information about the entity to which the certificate is issued.
Alternate Subject Name: Provides alternate information about the certificate as provided to the certificate authority. This field is used to provide more information that supports the information provided in the Subject Name field.
Issuer Name: Displays the organization issuing the certificate.
Serial Number: Lists the unique serial number of each certificate issued.
The Certificate Authority Validity field displays the following:
Validity From: Displays the date when the validity of a CA begins.
Validity Until: Displays the date when the validity of a CA expires.
5 Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.35.2 Viewing the RSA Key Details
Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It is the first algorithm known to be suitable for signing as well as encryption. The RSA Keys screen displays a list of RSA keys installed in the selected Access Point. RSA keys are generally used for establishing an SSH session, and are a part of the certificate set used by RADIUS, VPN and HTTPS.
To view the RSA Key details:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Certificate and expand the menu to reveal its sub menu items.
4 Select RSA Keys.
Figure 15-128 Wireless Controller - Certificates RSA Keys screen
The RSA Key Details field describes the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. The RSA Public Key field describes the public key's character set used for encrypting messages. This key is known to everyone.
5 Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.36 WIPS Statistics
Wireless Intrusion Protection System (WIPS) detects the presence of unauthorized Access Points. Unauthorized attempts to access the WLAN are generally accompanied by intruding clients finding network vulnerabilities. Basic forms of this behavior can be monitored and reported without a dedicated WIPS deployment. When the parameters exceed a configurable threshold, the controller or service platform generates an SNMP trap and reports the result via the management interfaces. Basic WIPS functionality does not require monitoring APs and does not perform off-channel scanning. For more information, see:
Viewing the Client Blacklist
Viewing WIPS Event Statistics

15.3.36.1 Viewing the Client Blacklist
The Client Blacklist displays blacklisted clients detected using WIPS. Blacklisted clients are not allowed to associate to connected devices within the controller or service platform managed network. To view the client blacklist screen:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select Client Blacklist.
The Client Blacklist screen displays the following:
Figure 15-129 Wireless Controller - WIPS Client Blacklist screen
Event Name: Displays the name of the detected wireless intrusion resulting in the blacklisting of the client from controller or service platform resources.
Blacklisted Client: Displays the MAC address of the intruding client device pending exclusion from the controller or service platform managed network.
Time Blacklisted: Displays the time this client was blacklisted.
Total Time: Displays the duration the unauthorized device remained in the WLAN.
Time Left: Displays the duration after which the blacklisted client is removed from the blacklist.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.36.2 Viewing WIPS Event Statistics
The WIPS Events screen displays event information for rogue Access Point intrusions within the controller or service platform managed network. To view WIPS event statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select WIPS Events.
The WIPS Events screen displays the following:
Figure 15-130 Wireless Controller - WIPS Events screen
Event Name: Displays the name of the detected intrusion event.
Reporting AP: Displays the hostname of the AP reporting each intrusion. The Access Point displays as a link that can be selected to provide configuration and network address information in greater detail.
Originating Device: Displays the MAC address of the intruder AP.
Detector Radio: Displays which AP radio is making the intrusion detection.
Time Reported: Displays the time when the intruding AP was detected.
Clear All: Select Clear All to reset the statistics counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.37 Sensor Server
Sensor servers allow the monitoring and download of data from multiple sensors and remote locations using Ethernet, TCP/IP or serial communication. Repeaters are available to extend the transmission range and combine sensors with various frequencies on the same receiver. To view the Sensor Server statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Sensor Servers from the left-hand side of the controller or service platform UI.
The Sensor Servers screen displays the following:
Figure 15-131 Wireless Controller - Sensor Server screen
IP Address/Hostname: Displays a list of sensor server IP addresses. These are sensor resources available to the controller or service platform.
Port: Displays the port on which this server is listening.
Status: Displays whether the server is connected or not connected.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.38 Bonjour Services
Bonjour is Apple's zero-configuration networking (Zeroconf) implementation. Zeroconf is a group of technologies including service discovery, address assignment and hostname resolution. Bonjour locates the devices (printers, computers etc.) and the services these computers provide over a local network. Bonjour provides a method to discover services on a LAN. Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains. To view the Bonjour service statistics:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Bonjour Services from the left-hand side of the controller or service platform UI.
Refer to the following Bonjour service utilization stats:
Figure 15-132 Wireless Controller - Bonjour Services screen
Service Name: Lists the services discoverable by the Bonjour gateway. Services can either be pre-defined Apple services (scanner, printer etc.) or an alias not available on the predefined list.
Instance Name: Lists the name of each Bonjour service instance (session) utilized by the controller or service platform.
IP Address: Lists the network IP address utilized by the listed Bonjour service providing resources to the controller or service platform.
Port: Displays the port used to secure a connection with the listed Bonjour service.
Vlan: Lists the VLAN(s) on which a listed Bonjour service is routable.
Vlan Type: Lists the VLAN type as either a local bridging mode or a shared tunnel.
Expiry: Lists the expiration date of the listed Bonjour service, and its availability to discover resources on the LAN.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.39 Captive Portal Statistics
A captive portal redirects an HTTP client to a Web page (usually for authentication purposes) before authenticating for Internet access. A captive portal turns a Web browser into an authenticator. This is done by intercepting packets (regardless of the address or port) until the user opens a browser and attempts to access the Internet. At that time, the browser is redirected to a Web page requiring authentication. To view the controller or service platform captive portal statistics:
1 Select the Statistics tab from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Captive Portal from the left-hand side of the controller or service platform UI.
The Captive Portal screen displays the following:
Figure 15-133 Wireless Controller - Captive Portal screen
Client MAC: Displays the requesting client's MAC address. The MAC displays as a link that can be selected to display client configuration and network address information in greater detail.
Client IP: Displays the requesting client's IPv4 formatted IP address.
Client IPv6: Displays the requesting client's IPv6 formatted IP address.
Captive Portal: Displays the captive portal name that each listed client is utilizing for guest access to controller resources.
Port Name: Lists the controller or service platform port name supporting the captive portal connection with the listed client MAC address.
Authentication: Displays the authentication status of the requesting client.
WLAN: Displays the name of the WLAN the client belongs to.
VLAN: Displays the name of the requesting client's VLAN interface.
Remaining Time: Displays the time after which the client is disconnected from the captive portal managed Internet.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.3.40 Network Time
Network Time Protocol (NTP) is central to networks that rely on their controller or service platform to supply system time. Without NTP, system time is unpredictable, which can result in data loss, failed processes and compromised security. With network speed, memory, and capability increasing at an exponential rate, the accuracy, precision, and synchronization of network time is essential in a controller or service platform managed network. The controller or service platform can use a dedicated server to supply system time. The controller or service platform can also use several forms of NTP messaging to sync system time with authenticated network traffic.
15.3.40.1 Viewing NTP Status
The NTP Status screen displays performance (status) information relative to the NTP association status. Verify the NTP status to assess the controller or service platform's current NTP resource. To view the NTP status of a managed network:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Network Time.
4 Select NTP Status.
Refer to the NTP Status table to review the accuracy and performance of the controller or service platform's synchronization with an NTP server.
Figure 15-134 Wireless Controller - NTP Status screen
Clock Offset: Displays the time differential between the controller or service platform time and the NTP resource.
Frequency: An SNTP server clock's skew (difference) for the controller or service platform and the dedicated NTP resource.
Leap: Indicates if a second is added or subtracted to SNTP packet transmissions, or if transmissions are synchronized.
Precision: Displays the precision of the controller's time clock (in Hz). The values that normally appear in this field range from -6 for mains-frequency clocks to -20 for microsecond clocks.
Reference Time: Displays the time stamp the local clock was last set or corrected.
Reference: Displays the address of the time source the controller or service platform is synchronized to.
Root Delay: The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds).
Root Dispersion: The difference between the time on the root NTP server and its reference clock. The reference clock is the clock used by the NTP server to set its own clock.
Stratum: Displays how many hops the controller or service platform is from its current NTP resource.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
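As an added example (not taken from the guide or from the controller software), the following Python code shows the arithmetic behind several of the columns above and on the NTP Associations screen that follows: the Clock Offset and round-trip delay of one client/server exchange computed from its four on-wire timestamps using the RFC 5905 formulas, the signed power-of-two exponent NTP uses for Precision (so that -6 is about 1/64 s and -20 about 1 microsecond, the two values the table names), a Stratum sanity check, the root distance derived from Root Delay and Root Dispersion, and the eight-message Reach shift register. The timestamps, stratum and root values are constructed sample inputs; the `assess_source` rule that combines them is this example's own simplified usability test, not the controller's algorithm.

```python
import math
from dataclasses import dataclass
from typing import Dict


@dataclass
class Exchange:
    """The four timestamps of one client/server poll, in seconds."""
    t1: float  # origin: client transmit
    t2: float  # receive: server receive
    t3: float  # transmit: server transmit
    t4: float  # destination: client receive


def clock_offset(x: Exchange) -> float:
    """theta = ((t2 - t1) + (t3 - t4)) / 2. Positive when the server is ahead
    of the local clock; this is what the Clock Offset / Offset columns show."""
    return ((x.t2 - x.t1) + (x.t3 - x.t4)) / 2.0


def round_trip_delay(x: Exchange) -> float:
    """delta = (t4 - t1) - (t3 - t2): wire time with the server's own
    processing time removed (the Delay Time column)."""
    return (x.t4 - x.t1) - (x.t3 - x.t2)


def precision_exponent(tick_seconds: float) -> int:
    """NTP reports clock precision as a signed power-of-two exponent of seconds:
    a 1/64 s tick (mains-frequency clock) gives -6, a 1 microsecond tick -20."""
    return int(math.floor(math.log2(tick_seconds)))


def root_distance(root_delay: float, root_dispersion: float) -> float:
    """Worst-case error relative to the stratum-1 source: half the root
    round-trip delay plus the accumulated root dispersion (seconds)."""
    return root_delay / 2.0 + root_dispersion


def stratum_ok(stratum: int) -> bool:
    """1 is a primary (reference-clock) server and 2..15 count hops from one;
    0 is unspecified and 16 means the source is itself unsynchronized."""
    return 1 <= stratum <= 15


def update_reach(reach: int, reply_received: bool) -> int:
    """The Reach column is an 8-bit shift register, one bit per poll, set when
    a reply arrived: 0xFF (octal 377) means the last eight polls all succeeded."""
    return ((reach << 1) | int(reply_received)) & 0xFF


def assess_source(x: Exchange, stratum: int, root_delay: float,
                  root_dispersion: float, reach: int,
                  max_distance: float = 1.0) -> Dict[str, object]:
    """Simplified usability rule (constructed for this example): the stratum must be
    valid, the root distance including this hop must stay under max_distance
    (RFC 5905's MAXDIST is 1 s), and at least one of the last eight polls must
    have been answered. Peer dispersion and jitter terms are left out."""
    offset = clock_offset(x)
    delay = round_trip_delay(x)
    distance = root_distance(root_delay + delay, root_dispersion)
    return {
        "offset": offset,
        "delay": delay,
        "root_distance": distance,
        "stratum": stratum,
        "reach": f"{reach:03o}",  # shown in octal, as ntpq does
        "usable": stratum_ok(stratum) and distance <= max_distance and reach != 0,
    }


def sample_exchange() -> Exchange:
    """Constructed poll: the server is about 46 ms ahead and the wire adds 8 ms."""
    return Exchange(t1=1000.000, t2=1000.050, t3=1000.052, t4=1000.010)


if __name__ == "__main__":
    print(assess_source(sample_exchange(), stratum=2, root_delay=0.030,
                        root_dispersion=0.010, reach=0xFF))
```

A source that reports stratum 16, or whose root distance keeps growing because its own reference has gone away, fails the rule even though it still answers polls, which is the situation the Stratum and Root Dispersion columns let an operator spot.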
15.3.40.2 Viewing NTP Associations
The interaction between the controller or service platform and an SNTP server constitutes an association. SNTP associations can be either peer associations (the controller or service platform synchronizes to another system or allows another system to synchronize to it), or server associations (only the controller or service platform synchronizes to the SNTP resource, not the other way around). To view the NTP associations:
1 Select the Statistics menu from the Web UI.
2 Select a Wireless Controller node from the left navigation pane.
3 Select Network Time.
4 Select NTP Associations.
The NTP Associations screen provides the controller or service platform's current NTP associations:
Figure 15-135 Wireless Controller - NTP Association screen
Delay Time: Displays the round-trip delay (in seconds) for SNTP broadcasts between the SNTP server and the controller or service platform.
Display: Displays the time difference between the peer NTP server and the onboard wireless controller clock.
Offset: Displays the calculated offset between the controller or service platform and the SNTP server. The controller or service platform adjusts its clock to match the server's time. The offset gravitates towards zero over time, but never completely reduces to zero.
Poll: Displays the maximum interval between successive messages (in seconds) to the nearest power of two.
Reach: Displays the status of the last eight SNTP messages. If an SNTP packet is lost, the lost packet is tracked over the next eight SNTP messages.
Reference IP Address: Displays the address of the time source the controller or service platform is synchronized to.
Server IP Address: Displays the numerical IP address of the SNTP resource (server) providing SNTP updates to the controller.
State: Displays the NTP association status code.
Status: Displays the NTP peer's current status.
Time: Displays the timestamp of the last NTP packet received from the NTP peer.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4 Access Point Statistics
The Access Point statistics screens display controller or service platform connected Access Point performance, health, version, client support, radio, mesh, interface, DHCP, firewall, WIPS, sensor, captive portal, NTP and load information. Access Point statistics consist of the following:
Interfaces
Health
Device
Web-Filtering
Application Visibility (AVC)
Device Upgrade
Adoption
AP Detection
Guest User
Wireless LANs
Policy Based Routing
Radios
Mesh
RTLS
PPPoE
Bluetooth
OSPF
L2TPv3 Tunnels
VRRP
Critical Resources
LDAP Agent Status
Mint Links
Guest Users
GRE Tunnels
Dot1x
Network
DHCPv6 Relay & Client
DHCP Server
Firewall
VPN
Certificates
WIPS
Sensor Servers
Bonjour Services
Captive Portal
Network Time
Load Balancing
Environmental Sensors (AP8132 Models Only)

15.4.1 Health
The Health screen displays a selected Access Point's hardware version and software version. Use this information to fine tune the performance of an Access Point. This screen should also be the starting point for troubleshooting an Access Point, since it is designed to present a high level display of Access Point performance efficiency. To view the Access Point health:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Health.
The Device Details field displays the following information:
Figure 15-136 Access Point - Health screen
Hostname: Displays the AP's unique name as assigned within the controller or service platform managed network. A hostname is assigned to a device connected to a computer network.
Device MAC: Displays the MAC address of the AP. This is factory assigned and cannot be changed.
Primary AP: Displays the IP address assigned to this device either through DHCP or through static IP assignment.
Type: Displays the Access Point's model type.
Model Number: Displays the Access Point's model number to help further differentiate the Access Point from others of the same model series and defined country of operation.
RF Domain Name: Displays the Access Point's RF Domain membership. Unlike a controller or service platform, an Access Point can only belong to one RF Domain based on its model. The domain name appears as a link that can be selected to show RF Domain utilization in greater detail.
Version: Displays the Access Point's current firmware version. Use this information to assess whether an upgrade is required for better compatibility.
Uptime: Displays the cumulative time since the Access Point was last rebooted or lost power.
CPU: Displays the processor core.
RAM: Displays the free memory available with the RAM.
System Clock: Displays the system clock information.
The Radio RF Quality Index field displays the following:
RF Quality Index: Displays Access Point radios and their quality indices. The RF quality index indicates the overall RF performance. The RF quality indices are:
0 to 50 (poor)
50 to 75 (medium)
75 to 100 (good)
Radio Id: Displays a radio's hardware encoded MAC address. The ID appears as a link that can be selected to show radio utilization in greater detail.
Radio Type: Identifies whether the radio is 2.4 or 5 GHz.
The Radio Utilization Index field displays the following:
Total Bytes: Displays the total bytes of data transmitted and received by the Access Point since the screen was last refreshed.
Total Packets: Lists the total number of data packets transmitted and received by the Access Point since the screen was last refreshed.
Total Dropped: Lists the number of data packets dropped by an Access Point radio since the screen was last refreshed.
The Client RF Quality Index field displays the following:
Worst 5: Displays the clients having the lowest RF quality within the network.
Client MAC: Displays the MAC addresses of the clients with the lowest RF indices.
Retry Rate: Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
4 Select the Refresh button as needed to update the screen's statistics counters to their latest values.
15.4.2 Device
Access Point Statistics
The Device screen displays basic information about the selected Access Point. Use this screen to gather version information, such as the installed firmware image version, the boot image and upgrade status.
To view the device statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Device.
The System field displays the following:
Figure 15-137 Access Point - Device screen
Model Number: Displays the model of the selected Access Point to help distinguish its exact SKU and country of operation.
Serial Number: Displays the numeric serial number set for the Access Point.
Version: Displays the software (firmware) version on the Access Point.
Boot Partition: Displays the boot partition type.
Fallback Enabled: Displays whether this option is enabled. This method enables a user to store a known legacy version and a new version in device memory. The user can test the new software, and use an automatic fallback, which loads the old version on the Access Point if the new version fails.
Fallback Image Triggered: Displays whether the fallback image was triggered. The fallback image is an old version of known and operational software stored in device memory. This allows a user to test a new version of software. If the new version fails, the user can use the old version of the software.
Next Boot: Designates this version as the version used the next time the AP is booted.
The System Resources field displays the following:
Available Memory (MB): Displays the memory (in MB) available on the Access Point.
Total Memory (MB): Displays the Access Point's total memory.
Currently Free RAM: Displays the Access Point's free RAM space. If it is very low, free up some space by closing some processes.
Recommended Free RAM: Displays the recommended RAM required for routine operation.
Current File Descriptors: Displays the Access Point's current file descriptors.
Maximum File Descriptors: Displays the Access Point's maximum file descriptors.
CPU Load 1 Minute: Lists this Access Point's CPU utilization over a 1 minute span.
CPU Load 5 Minutes: Lists this Access Point's CPU utilization over a 5 minute span.
CPU Load 15 Minutes: Lists this Access Point's CPU utilization over a 15 minute span.
The Upgrade Status field displays the following:
Upgrade Status: Displays the status of the last firmware upgrade performed by this controller or service platform.
Upgrade Status Time: Lists a time stamp defining the occurrence of the most recent upgrade operation.
The Fan Speed field displays the following:
Number: Displays the number of fans supported on this Access Point.
Speed (Hz): Displays the fan speed in Hz.
The Temperature field displays the following:
Number: Displays the number of temperature elements used by the Access Point.
Temperature: Displays the current temperature (in Celsius) to assess a potential Access Point overheat condition.
The Kernel Buffers field displays the following:
Buffer Size: Lists the sequential buffer size.
Current Buffers: Displays the current buffers available to the selected Access Point.
Maximum Buffers: Lists the maximum buffers available to the selected Access Point.
The IP Domain field displays the following:
Number: Displays the number of fans supported on this Access Point.
Speed (Hz): Displays the fan speed in Hz.
The IP Name Servers field displays the following:
Name Server: Displays the names of the servers designated to provide DNS resources to this Access Point.
Type: Displays the type of server for each server listed.
The Firmware Images field displays the following:
Primary Build Date: Displays the build date when this Access Point firmware version was created.
Primary Install Date: Displays the date this version was installed.
Primary Version: Displays the primary version string.
Secondary Build Date: Displays the build date when this version was created.
Secondary Install Date: Displays the date this secondary version was installed.
Secondary Version: Displays the secondary version string.
FPGA Version: Displays whether an FPGA supported firmware load is being utilized.
PoE Firmware Version: Displays whether a PoE supported firmware load is being utilized.
The IPv6 Name Servers field displays the following:
Name Server: Lists the IPv6 name server hosting a network service for providing responses to queries against a directory. The IPv6 name server maps a human recognizable identifier to a system's internal identifier. This service is performed by the server in response to a network service protocol request.
Type: Lists the type of IPv6 name server mapping a human readable identifier to a system identifier.
The Sensor Lock field displays the following:
Sensor Lock: Displays whether a lock has been applied to Access Point sensor capabilities.
The Power Management field displays the following:
Power Management Mode: Displays the power mode currently invoked by the selected Access Point.
Power Management Status: Lists the power status of the Access Point.
Ethernet Power Status: Displays the Access Point's Ethernet power status.
Radio Power Status: Displays the power status of the Access Point's radios.
The IPv6 Hop Limit table displays the following:
Hop Limit: Lists the maximum number of times IPv6 traffic can hop. The IPv6 header contains a hop limit field that controls the number of hops a datagram can be sent before being discarded (similar to the TTL field in an IPv4 header).
The IPv6 Delegated Prefixes table displays the following:
IPv6 Delegated Prefix: In IPv6, prefix delegation is used to assign a network address prefix, configuring the controller or service platform with the prefix.
Prefix Name: Lists the name assigned to the IPv6 delegated prefix.
DHCPv6 Client State: Displays the current DHCPv6 client state as impacted by the IPv6 delegated prefix.
Interface Name: Lists the interface over which IPv6 prefix delegation occurs.
T1 timer (seconds): Lists the amount of time in seconds before the DHCP T1 (delay before renew) timer expires.
T2 timer (seconds): Lists the amount of time in seconds before the DHCP T2 (delay before rebind) timer expires.
Last Refreshed (seconds): Lists the time, in seconds, since the IPv6 prefix delegation was last updated.
Preferred Lifetime (seconds): Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds): Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.
4 Select Refresh to update the statistics counters to their latest values.
15.4.3 Web-Filtering
The Web-Filtering screen displays information on Web requests for content and whether the requests were blocked or approved based on the URL filter settings defined for the selected Access Point. A URL filter is comprised of several filter rules. A whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
To view this Access Point's Web filter statistics:
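As an added worked example for the IPv6 Delegated Prefixes table described in 15.4.2 above (this is not code from the guide or from WiNG), the following Python models one row of that table, checks the constraints the guide states (preferred lifetime no greater than valid lifetime, T1 expiring no later than T2) and derives the DHCPv6 Client State from the timers. The state rules (renew after T1, rebind after T2, expire after the valid lifetime), the reading of T1 and T2 as seconds remaining, and all sample rows are assumptions made for the example.

```python
"""Added example (not part of the WiNG guide): sanity-check an IPv6 Delegated
Prefixes row and derive the DHCPv6 client state from its timers.

Hypothetical model: the fields mirror the table columns on the Device screen.
T1 and T2 are shown as seconds remaining before each timer expires, Last
Refreshed is seconds elapsed since the delegation was last updated, and the
preferred/valid lifetimes are the values advertised with the prefix.  The
state derivation (renew after T1, rebind after T2, expire after the valid
lifetime) follows standard DHCPv6 behaviour and is an assumption, not a
statement from the guide.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass
class DelegatedPrefix:
    prefix: str               # IPv6 Delegated Prefix
    name: str                 # Prefix Name
    interface: str            # Interface Name
    t1_remaining: int         # T1 timer (seconds): delay before renew
    t2_remaining: int         # T2 timer (seconds): delay before rebind
    last_refreshed: int       # Last Refreshed (seconds) since the delegation was updated
    preferred_lifetime: int   # Preferred Lifetime (seconds), relative to when the packet was sent
    valid_lifetime: int       # Valid Lifetime (seconds), relative to when the packet was sent


def validate(rec: DelegatedPrefix) -> list[str]:
    """Return the consistency problems found in a row (empty list when it is sane)."""
    problems: list[str] = []
    try:
        # strict=True rejects a prefix with host bits set, e.g. 2001:db8::1/48
        ipaddress.IPv6Network(rec.prefix, strict=True)
    except ValueError as exc:
        problems.append(f"bad prefix: {exc}")
    if rec.preferred_lifetime > rec.valid_lifetime:
        # The guide states the preferred lifetime must be <= the valid lifetime.
        problems.append("preferred lifetime exceeds valid lifetime")
    if rec.t1_remaining > rec.t2_remaining:
        problems.append("T1 must expire no later than T2")
    if rec.last_refreshed < 0:
        problems.append("negative Last Refreshed")
    return problems


def remaining_valid(rec: DelegatedPrefix) -> int:
    """Seconds of valid lifetime left, from the advertised value and elapsed time."""
    return max(rec.valid_lifetime - rec.last_refreshed, 0)


def client_state(rec: DelegatedPrefix) -> str:
    """Derive the DHCPv6 Client State column from the timers (assumed semantics)."""
    if remaining_valid(rec) == 0:
        return "EXPIRED"
    if rec.t1_remaining > 0:
        return "BOUND"          # T1 has not fired yet: no renew attempt needed
    if rec.t2_remaining > 0:
        return "RENEWING"       # past T1: renewing with the original server
    return "REBINDING"          # past T2: rebinding with any server


def address_state(rec: DelegatedPrefix) -> str:
    """Preferred / deprecated / invalid, from the two lifetimes and elapsed time."""
    if remaining_valid(rec) == 0:
        return "invalid"
    if rec.preferred_lifetime - rec.last_refreshed > 0:
        return "preferred"
    return "deprecated"


# Constructed sample rows (2001:db8::/32 is the IPv6 documentation range).
SAMPLE_ROWS = [
    DelegatedPrefix("2001:db8:10::/48", "wan-pd", "vlan1", 1200, 2400, 600, 3600, 7200),
    DelegatedPrefix("2001:db8:20::/48", "wan-pd2", "vlan1", 0, 900, 2100, 3600, 7200),
    DelegatedPrefix("2001:db8:30::/48", "bad-lifetimes", "vlan2", 100, 200, 0, 8000, 7200),
    DelegatedPrefix("2001:db8:40::/48", "stale", "vlan2", 0, 0, 8000, 3600, 7200),
]

if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(row.name, client_state(row), address_state(row), validate(row))
```

A row whose validate() result is not empty is worth a second look before trusting the rest of the screen: a preferred lifetime above the valid lifetime cannot come from a well-formed DHCPv6 reply, and a prefix with host bits set is not a prefix at all.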
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Web-Filtering.
The Web-Filtering Requests field displays the following information:
Figure 15-138 Access Point - Web Filtering screen
Total Blocks: Lists the number of Web request hits against content blocked in the URL blacklist.
Total Requests: Lists the total number of requests for URL content cached locally on this Access Point.
Total URL Cache Entries: Displays the number of cached URL data entries made on this Access Point on behalf of requesting clients requiring URL data managed by the Access Point and their respective whitelist or blacklist.
The Top Categories field helps administrators assess the content most requested, blocked or approved based on the defined whitelist and blacklist permissions:
Top Categories - Requested: Lists those Web content categories most requested by clients managed by this Access Point. Use this information to assess whether the permissions defined in the blacklist and whitelist optimally support these client requests for cached Web content.
Top Categories - Blocked: Lists those Web content categories blocked most often for requesting clients managed by this Access Point. Use this information to periodically assess whether the permissions defined in the blacklist and whitelist still restrict the desired cached Web content from requesting clients. Remember, a whitelist bans all sites except the categories and URL lists defined in the whitelist. The blacklist allows all sites except the categories and URL lists defined in the blacklist.
Top Categories - Approved: Lists those Web content categories approved most often on behalf of requesting clients managed by this Access Point. Periodically review this information to assess whether this cached and available Web content still adheres to your organization's standards for client access.
The Web Filter Status field displays the following information:
Name: Displays the name of the filter whose URL rule set has been invoked.
Blacklist Category: Lists the blacklist category whose URL filter rule set has caused data to be filtered to a requesting client. Periodically assess whether these rules are still relevant to the data requirements of requesting clients.
VLAN: Lists the impacted Access Point VLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category.
WLAN: Lists the impacted Access Point WLAN whose Web data traffic has been filtered based on the restrictions in the listed blacklist category. Periodically assess whether clients are segregated to the correct WLAN based on their cached Web data requirements and impending filter rules.
4 Periodically select Refresh to update this screen to its latest values.
15.4.4 Application Visibility (AVC)
Access Points can inspect every byte of each application header packet allowed to pass to their connected clients. When an application is recognized and classified by the WiNG application recognition engine, administrator defined actions can be applied to that specific application. For information on categorizing, filtering and logging the application data allowed to proliferate the WiNG network, refer to Application Policy on page 7-54 and Application on page 7-58.
To view Access Point application utilization statistics:
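As an added worked example for the Web-Filtering statistics described in 15.4.3 above (this is not code from the guide or from WiNG), the following Python applies the whitelist and blacklist rule exactly as the guide defines it, then reproduces the Total Requests, Total Blocks, Total URL Cache Entries and Top Categories counters from a request log. The filter names, categories, URLs, client MACs and the log itself are constructed sample data; counting one cache entry per distinct URL is an assumption.

```python
"""Added example (not part of the WiNG guide): reproduce the Web-Filtering
Requests and Top Categories counters from a request log.

Hypothetical model: a URL filter is either a whitelist (bans every site except
the listed categories and URLs) or a blacklist (allows every site except the
listed categories and URLs), exactly as the guide defines them.  The request
log, category names and URLs below are constructed sample data.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class UrlFilter:
    name: str
    mode: str                     # "whitelist" or "blacklist"
    categories: frozenset[str]    # category list attached to the filter
    urls: frozenset[str]          # explicit URL list attached to the filter

    def allows(self, url: str, category: str) -> bool:
        """Apply the whitelist/blacklist rule to one request."""
        listed = category in self.categories or url in self.urls
        if self.mode == "whitelist":
            return listed          # whitelist: only listed content is allowed
        if self.mode == "blacklist":
            return not listed      # blacklist: only listed content is blocked
        raise ValueError(f"unknown filter mode: {self.mode!r}")


def summarize(filt: UrlFilter, requests, top_n: int = 3) -> dict:
    """Compute Total Requests, Total Blocks, Total URL Cache Entries and the
    Top Categories (Requested / Blocked / Approved) for a sequence of
    (client_mac, url, category) tuples."""
    requested: Counter[str] = Counter()
    blocked: Counter[str] = Counter()
    approved: Counter[str] = Counter()
    cache: set[str] = set()       # assumption: one cache entry per distinct URL looked up
    for _client_mac, url, category in requests:
        cache.add(url)
        requested[category] += 1
        if filt.allows(url, category):
            approved[category] += 1
        else:
            blocked[category] += 1
    return {
        "total_requests": sum(requested.values()),
        "total_blocks": sum(blocked.values()),
        "total_url_cache_entries": len(cache),
        "top_requested": requested.most_common(top_n),
        "top_blocked": blocked.most_common(top_n),
        "top_approved": approved.most_common(top_n),
    }


# Constructed request log: (client MAC, URL, category assigned by the URL lookup).
SAMPLE_REQUESTS = [
    ("00:11:22:33:44:01", "news.example.com", "news"),
    ("00:11:22:33:44:01", "video.example.net", "streaming"),
    ("00:11:22:33:44:02", "video.example.net", "streaming"),
    ("00:11:22:33:44:02", "bets.example.org", "gambling"),
    ("00:11:22:33:44:03", "docs.example.com", "business"),
    ("00:11:22:33:44:03", "drop.example.org", "malware"),
]

# A blacklist that blocks two categories and one explicit URL.
GUEST_BLACKLIST = UrlFilter("guest-bl", "blacklist",
                            frozenset({"gambling", "malware"}),
                            frozenset({"video.example.net"}))

# A whitelist that only lets business and news content through.
STAFF_WHITELIST = UrlFilter("staff-wl", "whitelist",
                            frozenset({"business", "news"}), frozenset())

if __name__ == "__main__":
    for f in (GUEST_BLACKLIST, STAFF_WHITELIST):
        print(f.name, summarize(f, SAMPLE_REQUESTS))
```

Running both filters over the same log makes the guide's point concrete: the whitelist blocks four of the six requests because anything it does not list is banned, while the blacklist blocks only the listed categories plus the one listed URL.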
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Application Visibility (AVC).
4 Refer to the Top Applications graph to assess the most prolific, and allowed, application data passing through the Access Point.
Figure 15-139 Access Point - Application Visibility
Total Bytes: Displays the top ten utilized applications in respect to total data bytes passing through the Access Point. These are only the administrator allowed applications approved for proliferation within the Access Point managed network.
Bytes Uploaded: Displays the top ten applications in respect to total data bytes uploaded through the Access Point managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
Bytes Downloaded: Displays the top ten applications in respect to total data bytes downloaded from the Access Point managed network. If this application data is not aligned with application utilization expectations, consider allowing or denying additional applications and categories or adjusting their precedence (priority).
5 Refer to the Application Detailed Stats table to assess specific application data utilization:
Application Name: Lists the allowed application name whose data (bytes) are passing through the Access Point managed network.
Uploaded: Displays the number of uploaded application data (in bytes) passing through the Access Point managed network.
Downloaded: Displays the number of downloaded application data (in bytes) passing through the Access Point managed network.
Num Flows: Lists the total number of application data flows passing through the Access Point for each listed application. An application flow can consist of packets in a specific connection or media stream. Application packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats: Select this option to clear the application assessment data counters and begin a new assessment.
Refresh: Select the Refresh button to update the statistics counters to their latest values.
6 Select the Category tab. Categories are existing WiNG or user defined application groups (video, streaming, mobile, audio etc.) that assist administrators in filtering (allowing or denying) application data. For information on categorizing application data, refer to Application Policy on page 7-54 and Application on page 7-58.
7 Refer to the Top Categories graph to assess the most prolific, and allowed, application data categories utilized by the Access Point.
Figure 15-140 Access Point - Application Category Visibility
Total Bytes: Displays the top ten application categories in respect to total data bytes passing through the Access Point managed network. These are only the administrator allowed application categories approved for proliferation within the Access Point managed network.
Bytes Uploaded: Displays the top ten application categories in respect to total data bytes uploaded through the controller or service platform managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).
Bytes Downloaded: Displays the top ten application categories in respect to total data bytes downloaded from the Access Point managed network. If this category data is not aligned with application utilization expectations, consider allowing or denying additional categories or adjusting their precedence (priority).
8 Refer to the Category Detailed Stats table to assess specific application category data utilization:
Category Name: Lists the allowed category whose application data (in bytes) is passing through the Access Point managed network.
Uploaded: Displays the number of uploaded application category data (in bytes) passing through the Access Point managed network.
Downloaded: Displays the number of downloaded application category data (in bytes) passing through the Access Point managed network.
Num Flows: Lists the total number of application category data flows passing through Access Point connected clients. A category flow can consist of packets in a specific connection or media stream. Packets with the same source address/port and destination address/port are considered one flow.
Clear Application Stats: Select this option to clear the application category assessment data counters and begin a new assessment.
Refresh: Select the Refresh button to update the statistics counters to their latest values.
15.4.5 Device Upgrade
The Device Upgrade screen displays information about devices receiving updates and the devices used to provision them. Use this screen to gather version data, install firmware images, boot an image and upgrade status.
To view the device upgrade statistics:
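As an added worked example for the Application Detailed Stats and Category Detailed Stats tables of 15.4.4 above (this is not code from the guide or from the WiNG recognition engine), the following Python builds both tables and the Top Applications / Top Categories rankings from packets that have already been labelled with an application name. The flow key follows the guide's definition (same source address/port and destination address/port); folding the reply direction into the same flow, the upload/download convention, and all packets, application names and the category map are assumptions made for the example.

```python
"""Added example (not part of the WiNG guide): build the Application Detailed
Stats and Category Detailed Stats tables from classified packets.

Hypothetical model: each packet has already been labelled with an application
name by the recognition engine.  A flow is keyed on source address/port and
destination address/port as the guide describes; as an assumption that goes
beyond the text, the reply direction is folded into the same flow.  Uploaded
means sent by a client towards the network, downloaded the reverse.  The
packets, application names and category map are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    app: str            # application name assigned by the recognition engine
    length: int         # bytes
    from_client: bool   # True = upload, False = download


@dataclass
class AppStats:
    uploaded: int = 0
    downloaded: int = 0
    flows: set = field(default_factory=set)

    @property
    def num_flows(self) -> int:
        return len(self.flows)

    @property
    def total(self) -> int:
        return self.uploaded + self.downloaded


def flow_key(p: Packet) -> tuple:
    """Direction-independent key: both halves of a connection share one flow."""
    a = (p.src_ip, p.src_port)
    b = (p.dst_ip, p.dst_port)
    return (a, b) if a <= b else (b, a)


def application_stats(packets) -> dict[str, AppStats]:
    """One row per application: Uploaded, Downloaded and Num Flows."""
    stats: dict[str, AppStats] = defaultdict(AppStats)
    for p in packets:
        s = stats[p.app]
        s.flows.add(flow_key(p))
        if p.from_client:
            s.uploaded += p.length
        else:
            s.downloaded += p.length
    return dict(stats)


def category_stats(app_stats, category_of: dict[str, str]) -> dict[str, AppStats]:
    """Roll application rows up into category rows (unknown apps go to 'uncategorized')."""
    out: dict[str, AppStats] = defaultdict(AppStats)
    for app, s in app_stats.items():
        c = out[category_of.get(app, "uncategorized")]
        c.uploaded += s.uploaded
        c.downloaded += s.downloaded
        c.flows |= {(app, k) for k in s.flows}   # flows of different apps never merge
    return dict(out)


def top_n(stats, key: str = "total", n: int = 10) -> list[tuple[str, int]]:
    """The Top Applications / Top Categories graph: ranked by total, uploaded or downloaded bytes."""
    return sorted(((name, getattr(s, key)) for name, s in stats.items()),
                  key=lambda kv: kv[1], reverse=True)[:n]


# Constructed sample: clients in 10.0.0.0/24 talking to documentation-range servers.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "youtube", 1500, True),
    Packet("10.0.0.5", 50000, "203.0.113.10", 443, "youtube", 1500, True),
    Packet("203.0.113.10", 443, "10.0.0.5", 50000, "youtube", 1400, False),
    Packet("10.0.0.6", 50001, "203.0.113.10", 443, "youtube", 500, True),
    Packet("10.0.0.5", 50002, "198.51.100.7", 443, "slack", 200, True),
    Packet("198.51.100.7", 443, "10.0.0.5", 50002, "slack", 800, False),
    Packet("10.0.0.7", 50003, "198.51.100.9", 5060, "sip", 300, True),
]
CATEGORY_OF = {"youtube": "video", "slack": "messaging", "sip": "voice"}

if __name__ == "__main__":
    apps = application_stats(SAMPLE_PACKETS)
    for name, s in apps.items():
        print(f"{name:10} up={s.uploaded} down={s.downloaded} flows={s.num_flows}")
    print(top_n(category_stats(apps, CATEGORY_OF)))
```

Note how Num Flows and bytes diverge: in the sample, youtube has two flows and most of the bytes, while sip has one small flow. A category whose byte count is modest but whose flow count is high is the usual sign of many short connections rather than one long transfer, which is the kind of mismatch against expectations the guide suggests reviewing the application policy for.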
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Device Upgrade.
The Upgrade screen displays the following information:
Figure 15-141 Access Point - Device Upgrade screen
Device Hostname: Displays the administrator assigned hostname of the Access Point receiving the update.
Type: Displays the Access Point model type of the device receiving a firmware update from the provisioning Access Point.
State: Displays the current state of the Access Point upgrade (done, failed etc.).
Time Last Upgraded: Displays the date and time of the last successful Access Point firmware upgrade operation.
Retries Count: Displays the number of retries made in an Access Point firmware update operation.
Upgraded By: Displays the MAC address of the Access Point that performed the upgrade operation.
Last Update Status: Displays the status of the last upgrade operation (Start Upgrade, Update Error etc.).
Clear History: Select the Clear History button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.6 Adoption
Access Point adoption statistics are available both for currently adopted Access Points and for Access Points pending adoption. Historical data can also be fetched for adopted Access Points.
For more information, refer to the following:
Adopted APs
AP Adoption History
AP Self Adoption History
Pending Adoptions
15.4.6.1 Adopted APs
The Adopted APs screen lists Access Points adopted by the selected Access Point, their RF Domain memberships and network service information.
To view adopted Access Point statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select Adopted APs.
The Adopted APs screen displays the following:
Figure 15-142 Access Point - Adopted APs screen
Access Point: Displays the name assigned to the adopted Access Point as part of its device configuration.
Type: Lists the type of each Access Point adopted by this Access Point.
RF Domain Name: Displays each Access Point's RF Domain membership. An Access Point can only share RF Domain membership with other Access Points of the same model.
Model Number: Displays each listed Access Point's numeric model (AP6532, AP6562, etc.).
Status: Displays each listed Access Point's configuration status to help determine its service role.
Errors: Lists any configuration errors that may be hindering a clean adoption.
Adopted By: Lists the adopting Access Point.
Adoption time: Displays each listed Access Point's time of adoption.
Startup Time: Displays each listed Access Point's in-service time since it was last offline.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.6.2 AP Adoption History
The AP Adoption History screen displays a list of peer Access Points and their adoption event status.
To review a selected Access Point's adoption history:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select AP Adoption History.
Figure 15-143 Access Point - AP Adoption History screen
The Adopted Devices screen describes the following historical data for adopted Access Points:
Event Name: Displays the adoption status of each listed Access Point as either adopted or un-adopted.
AP MAC Address: Displays the MAC address of each Access Point this Access Point has attempted to adopt.
Reason: Displays the reason code for each event listed.
Event Time: Displays the day, date and time for each Access Point adoption attempt.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.6.3 AP Self Adoption History
The AP Self Adoption History screen displays an event history of peer Access Points that have adopted to the selected Access Point.
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select AP Self Adoption History.
The AP Self Adoption History screen describes the following historical data for adopted Access Points:
Figure 15-144 Access Point - AP Self Adoption History screen
Event History: Displays the self adoption status of each AP as either Adopted or un-adopted.
MAC: Displays the hardware encoded Media Access Control (MAC) address of the auto adopted Access Point.
Reason: Displays the adoption reason code for an Access Point's auto adoption.
Adoption Time: Displays a timestamp for the Access Point's auto-adoption by the controller or service platform.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.6.4 Pending Adoptions
The Pending Adoptions screen displays a list of devices yet to be adopted to this peer Access Point, or Access Points in the process of adoption.
To view pending Access Point statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Adoption menu item.
4 Select Pending Adoptions.
The Pending Adoptions screen provides the following:
Figure 15-145 Access Point - Pending Adoptions screen
MAC Address: Displays the MAC address of the device pending adoption.
Type: Displays the Access Point's model type.
IP Address: Displays the current network IP address of the device pending adoption.
VLAN: Displays the current VLAN used as a virtual interface by the device pending adoption.
Reason: Displays the status as to why the device is still pending adoption and has not yet successfully connected to this Access Point.
Discovery Option: Displays the discovery option code for each AP listed as pending adoption.
Last Seen: Displays the date and time stamp of the last time the device was seen. Click the arrow next to the date and time to toggle between standard time and UTC.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.7 AP Detection
The AP Detection screen displays potentially hostile Access Points, their SSIDs, reporting AP, and so on. Continuously revalidating the credentials of detected devices reduces the possibility of an Access Point hacking into the network.
To view the AP detection statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select AP Detection.
The AP Detection screen displays the following:
Figure 15-146 Access Point - AP Detection
Unsanctioned AP: Displays the MAC address of a detected Access Point that is yet to be authorized for interoperability within the Access Point managed network.
Reporting AP: Displays the hardware encoded MAC address of the radio used by the detecting Access Point. Select an Access Point to display configuration and network address information in greater detail.
SSID: Displays the WLAN SSID the unsanctioned Access Point was detected on.
AP Mode: Displays the operating mode of the unsanctioned Access Point.
Radio Type: Displays the type of the radio on the unsanctioned Access Point. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
Channel: Displays the channel the unsanctioned Access Point is currently transmitting on.
RSSI: Lists a relative signal strength indication (RSSI) for a detected (and perhaps unsanctioned) Access Point.
Last Seen: Displays the time (in seconds) since the unsanctioned Access Point was last seen on the network.
Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.8 Guest User
The Guest User screen displays credential information for wireless clients associated with an Access Point. Use this information to assess if configuration changes are required to improve network performance.
To view guest user statistics:
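As an added worked example for the AP Detection screen of 15.4.7 above (this is not code from the guide or from WiNG), the following Python takes rows with the screen's columns and ranks them against an inventory of the organisation's own SSIDs and AP MACs, so the list can be worked from the most urgent entry down. The case it puts first is an unsanctioned device advertising one of the sanctioned SSIDs, because clients cannot distinguish it from the real WLAN. Reading RSSI as dBm, the thresholds, the inventory and every row are constructed assumptions; stale rows (not seen for a long time) are separated out as candidates for Clear All rather than for investigation.

```python
"""Added example (not part of the WiNG guide): triage rows from the AP
Detection screen against an inventory of sanctioned SSIDs and AP MACs.

Hypothetical model: the row fields mirror the screen columns; RSSI is assumed
to be in dBm (closer to zero is stronger) and Last Seen to be seconds since the
device was last heard, as the guide shows it.  The inventory, thresholds and
rows are constructed sample data.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectedAP:
    unsanctioned_ap: str   # MAC of the detected, not yet authorised AP
    reporting_ap: str      # MAC of the detecting radio
    ssid: str
    ap_mode: str
    radio_type: str
    channel: int
    rssi: int              # assumed dBm
    last_seen: int         # seconds since last seen


@dataclass(frozen=True)
class Finding:
    mac: str
    severity: str          # "high", "medium", "low" or "stale"
    reasons: tuple[str, ...]


def triage(rows, sanctioned_ssids, sanctioned_ap_macs,
           strong_rssi: int = -60, stale_after: int = 3600) -> list[Finding]:
    """Rank detected APs so the list can be worked from the most urgent down."""
    known = {m.lower() for m in sanctioned_ap_macs}
    findings = []
    for r in rows:
        mac = r.unsanctioned_ap.lower()
        if mac in known:
            continue                              # already authorised: nothing to do
        reasons = []
        if r.ssid in sanctioned_ssids:
            reasons.append("advertises a sanctioned SSID")
        if r.rssi >= strong_rssi:
            reasons.append("strong signal at the reporting AP")
        if r.last_seen > stale_after:
            reasons.append("not seen recently")
        if r.last_seen > stale_after:
            severity = "stale"                    # candidate for Clear All, not for action
        elif r.ssid in sanctioned_ssids:
            severity = "high"
        elif r.rssi >= strong_rssi:
            severity = "medium"
        else:
            severity = "low"
        findings.append(Finding(mac, severity, tuple(reasons)))
    order = {"high": 0, "medium": 1, "low": 2, "stale": 3}
    return sorted(findings, key=lambda f: (order[f.severity], f.mac))


def ssid_collisions(rows, sanctioned_ssids, sanctioned_ap_macs) -> dict[str, list[str]]:
    """Sanctioned SSIDs that an unsanctioned device is advertising, with the offending MACs."""
    known = {m.lower() for m in sanctioned_ap_macs}
    seen = defaultdict(list)
    for r in rows:
        mac = r.unsanctioned_ap.lower()
        if r.ssid in sanctioned_ssids and mac not in known:
            seen[r.ssid].append(mac)
    return {ssid: sorted(set(macs)) for ssid, macs in seen.items()}


# Constructed inventory and sample rows (MACs and SSIDs are made up).
SANCTIONED_SSIDS = {"CorpWiFi", "CorpGuest"}
SANCTIONED_AP_MACS = {"00:23:68:AA:BB:01", "00:23:68:AA:BB:02"}
SAMPLE_ROWS = [
    DetectedAP("02:00:00:00:00:10", "00:23:68:aa:bb:01", "CorpWiFi", "AP", "802.11an", 36, -48, 30),
    DetectedAP("02:00:00:00:00:11", "00:23:68:aa:bb:01", "CoffeeShop", "AP", "802.11bgn", 6, -55, 120),
    DetectedAP("02:00:00:00:00:12", "00:23:68:aa:bb:02", "Neighbour", "AP", "802.11bgn", 11, -82, 600),
    DetectedAP("02:00:00:00:00:13", "00:23:68:aa:bb:02", "CorpGuest", "AP", "802.11an", 44, -70, 7200),
    DetectedAP("00:23:68:aa:bb:02", "00:23:68:aa:bb:01", "CorpWiFi", "AP", "802.11an", 40, -40, 10),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS, SANCTIONED_SSIDS, SANCTIONED_AP_MACS):
        print(f.severity, f.mac, "; ".join(f.reasons))
    print(ssid_collisions(SAMPLE_ROWS, SANCTIONED_SSIDS, SANCTIONED_AP_MACS))
```

The Reporting AP and Channel columns tell you where to look once a high finding is confirmed: the detecting radio's location bounds where the device physically is, which is what a site walk needs.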
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Guest User.
The Guest User screen displays the following client information:
Figure 15-147 Access Point - Guest User screen
Client MAC: Displays the hardcoded MAC address assigned to the guest client at the factory. The address displays as a link that can be selected to display configuration and network address information in greater detail.
IP Address: Displays the unique IP address of the guest client. Use this address as necessary throughout the applet for filtering and device intrusion recognition and approval.
IPv6 Address: Displays the current IPv6 formatted IP address a listed guest client is using as a network identifier. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
Hostname: Displays the hostname (MAC addresses) of connected guest clients. The hostname displays as a link that can be selected to display configuration and network address information in greater detail.
Role: Lists the guest client's defined role within the Access Point managed network.
Client Identity: Displays the unique identity of the listed guest client as it appears to its adopting Access Point.
Vendor: Displays the name of the client vendor (manufacturer).
Band: Displays the 802.11 radio band on which the listed guest client operates.
AP Hostname: Displays the administrator assigned hostname of the Access Point to which this Access Point is adopted.
Radio MAC: Displays the MAC address of the radio which the wireless client is using.
WLAN: Displays the name of the WLAN the Access Point is using with each listed guest client. Use this information to determine if the client's WLAN assignment best suits its intended deployment in respect to the WLAN's QoS objective.
VLAN: Displays the VLAN ID each listed guest client is currently mapped to as a virtual interface for Access Point interoperability.
Last Active: Displays the time when this guest client was last seen (or detected) by a device within the Access Point managed network.
Disconnect Client: Select a specific client MAC address and select the Disconnect Client button to terminate this client's connection to its Access Point.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.9 Wireless LANs
The Wireless LANs screen displays an overview of Access Point WLAN utilization. This screen displays Access Point WLAN assignment, SSIDs, traffic utilization, the number of radios the Access Point is utilizing on the WLAN, and transmit and receive statistics.
To review a selected Access Point's WLAN statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Wireless LANs.
The Wireless LANs screen displays the following:
Figure 15-148 Access Point - Wireless LANs screen
WLAN Name: Displays the name of the WLAN the Access Point is currently using for client transmissions.
SSID: Displays each listed WLAN's Service Set ID (SSID) used as the WLAN's network identifier.
Traffic Index: Displays the traffic utilization index, which measures how efficiently the WLAN's traffic medium is used. It is defined as the percentage of current throughput relative to maximum possible throughput. Traffic indices are:
0 to 20 (very low utilization)
20 to 40 (low utilization)
40 to 60 (moderate utilization)
60 and above (high utilization)
Radio Count: Displays the cumulative number of peer Access Point radios deployed within each listed WLAN.
Tx Bytes: Displays the average number of transmitted bytes sent on each listed WLAN.
Tx User Data Rate: Displays the transmitted user data rate in kbps for each listed WLAN.
Rx Bytes: Displays the average number of packets in bytes received on each listed WLAN.
Rx User Data Rate: Displays the received user data rate on each listed WLAN.
Disconnect All Clients: Select a WLAN, then select Disassociate All Clients to terminate the client connections within that WLAN.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.
15.4.10 Policy Based Routing
The Policy Based Routing statistics screen displays statistics for selective path packet redirection. PBR can optionally mark traffic for preferential services (QoS). PBR is applied to incoming routed packets, and a route-map is created containing a set of filters and associated actions. Based on the actions defined in the route-map, packets are forwarded to the next relevant hop. Route-maps are configurable under a global policy called routing-policy, and applied to profiles and devices.
To review Access Point PBR statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Policy Based Routing.
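The precedence rule (lowest numerical value wins) and the primary, secondary and default next-hop fallback that the columns of this screen report can be modelled to predict the path a packet takes before the live counters are checked. The Python below is an added example written for this page, not WiNG code; the route-map entries, routing table and addresses are constructed, and each entry's filter set is simplified to a single destination prefix (an assumption, since the screen does not show the filters themselves).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# The two states the Next Hop State columns show.
UP = "UP"
UNREACHABLE = "UNREACHABLE"


@dataclass(frozen=True)
class NextHop:
    """One Next Hop IP / Next Hop State column pair."""
    ip: str
    state: str


@dataclass(frozen=True)
class RouteMapEntry:
    """One route-map entry. 'match' stands in for the entry's filter set
    (assumption: a destination prefix; real filters are richer)."""
    precedence: int
    match: str
    primary: Optional[NextHop] = None
    secondary: Optional[NextHop] = None
    default: Optional[NextHop] = None


def select_entry(route_map, dst):
    """Highest precedence = lowest numerical value among matching entries."""
    addr = ip_address(dst)
    matching = [e for e in route_map if addr in ip_network(e.match)]
    return min(matching, key=lambda e: e.precedence) if matching else None


def lookup_rib(rib, dst):
    """Destination-based routing: longest-prefix match in a {prefix: next_hop} table."""
    addr = ip_address(dst)
    best = None
    for prefix, hop in rib.items():
        net = ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def forward(route_map, rib, dst):
    """Return (decision, next_hop_ip) for one incoming routed packet.

    Order, as the column descriptions state it:
      1. primary next hop if UP, else secondary if UP  (PBR first ...)
      2. destination-based routing                    (... then routing)
      3. default next hop if UP, only when no route    (routing first, then PBR)
    """
    entry = select_entry(route_map, dst)
    if entry is not None:
        for label, hop in (("pbr-primary", entry.primary), ("pbr-secondary", entry.secondary)):
            if hop is not None and hop.state == UP:
                return label, hop.ip
    rib_hop = lookup_rib(rib, dst)
    if rib_hop is not None:
        return "destination-routing", rib_hop
    if entry is not None and entry.default is not None and entry.default.state == UP:
        return "pbr-default", entry.default.ip
    return "no-route", None


# Constructed sample data using documentation address ranges (not from the guide).
SAMPLE_ROUTE_MAP = [
    RouteMapEntry(10, "10.10.0.0/16", NextHop("192.0.2.1", UP), NextHop("192.0.2.2", UP)),
    RouteMapEntry(20, "10.0.0.0/8", NextHop("198.51.100.1", UNREACHABLE),
                  NextHop("198.51.100.2", UNREACHABLE), NextHop("198.51.100.254", UP)),
]
SAMPLE_RIB = {"10.20.0.0/16": "203.0.113.1"}

if __name__ == "__main__":
    for dst in ("10.10.5.5", "10.20.5.5", "10.30.5.5", "172.16.1.1"):
        print(dst, forward(SAMPLE_ROUTE_MAP, SAMPLE_RIB, dst))
```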
Figure 15-149 Access Point - Policy Based Routing screen

The Policy Based Routing screen displays the following:

Precedence - Lists the numeric precedence (priority) assigned to each listed PBR configuration. A route-map consists of multiple entries, each carrying a precedence value. An incoming packet is matched against the route-map entry with the highest precedence (lowest numerical value).
Primary Next Hop IP - Lists the IP address of the virtual resource that, if available, is used with no additional route considerations.
Primary Next Hop State - Displays whether the primary hop is applied to incoming routed packets (UP/UNREACHABLE).
Secondary Next Hop IP - If the primary hop is unavailable, a second resource is used. This column lists the address set for the alternate route in the election process.
Secondary Next Hop State - Displays whether the secondary hop is applied to incoming routed packets (UP/UNREACHABLE).
Default Next Hop IP - If a packet subjected to PBR does not have an explicit route to the destination, the configured default next hop is used. This is either the IP address of the next hop or the outgoing interface. Only one default next hop is available. The difference between the next hop and the default next hop is the order of operations: with a next hop, PBR is applied first and destination-based routing second; with a default next hop, destination-based routing is applied first and PBR second.
Default Next Hop State - Displays whether the default hop is being applied to incoming routed packets.
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.11 Radios

The Radio statistics screens display information on Access Point radios. The actual number of radios depends on the Access Point model and type. These screens display information on a per-radio basis. Use this information to refine and optimize the performance of each radio and therefore improve network performance.

The Access Point radio statistics screens provide details about associated radios, such as radio ID, radio type and RF quality index. Use this information to assess the overall health of radio transmissions and Access Point placement. Each of these screens provides enough statistics to troubleshoot issues related to the following three areas:

Status
RF Statistics
Traffic Statistics

Individual Access Point radios display as selectable links within each of the three Access Point radio screens. To review a radio's configuration in greater detail, select the link within the Radio column of either the Status, RF Statistics or Traffic Statistics screen. Additionally, navigate the Traffic, WMM TSPEC, Wireless LANs and Graph options available on the upper, left-hand side of the screen to review radio traffic utilization, WMM QoS settings, WLAN advertisement and radio graph information in greater detail. This information can help determine whether the radio is properly configured with respect to its intended deployment objective.

15.4.11.1 Status

Use the Status screen to review Access Point radio statistics in detail. Use the screen to assess radio type, operational state, operating channel and current power to determine whether the radio is optimally configured.

To view Access Point radio statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Radios menu item.
4 Select Status.

The radio Status screen provides the following information:
Figure 15-150 Access Point - Radio Status screen

Radio - Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data.
Radio MAC - Displays the factory-encoded hardware MAC address assigned to the radio.
Radio Type - Displays the radio as supporting the 2.4 or 5 GHz radio band or functioning as a sensor device.
State - Lists a radio's On/Off operational designation.
Channel Current (Config) - Displays the configured channel each listed radio is set to transmit and receive on.
Power Current (Config) - Displays the configured power each listed radio is using to transmit and receive.
Clients - Displays the number of connected clients currently utilizing the listed Access Point radio.
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.11.2 RF Statistics

Use the RF Statistics screen to review Access Point radio transmit and receive statistics, error rate and RF quality.

To view Access Point radio RF statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Radios menu item.
4 Select RF Statistics.

The RF Statistics screen lists the following:
Figure 15-151 Access Point - Radio RF Statistics screen

Radio - Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data.
Signal - Displays the radio's current power level in -dBm.
SNR - Displays the signal to noise ratio of the radio's associated wireless clients.
Tx Physical Layer Rate - Displays the data transmit rate for the radio's physical layer. The rate is displayed in Mbps.
Rx Physical Layer Rate - Displays the data receive rate for the radio's physical layer. The rate is displayed in Mbps.
Avg Retry Number - Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
Error Rate - Displays the total number of received packets which contained errors for the listed radio. Assess the error rate with respect to potentially high signal and SNR values to determine whether the error rate coincides with a noisy signal.
Quality Index - Displays the traffic utilization index of the radio. This is expressed as an integer value: 0-20 indicates very low utilization, and 60 and above indicates high utilization.
Quality Index - Displays an integer that indicates overall RF performance. The RF quality indices are: 0-50 (poor), 50-75 (medium), 75-100 (good).
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.11.3 Traffic Statistics

Refer to the Traffic Statistics screen to review Access Point radio transmit and receive statistics, data rate, and packets dropped during both transmit and receive operations.

To view the Access Point radio traffic statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand Radios.
4 Select Traffic Statistics.

The Traffic Statistics screen displays the following:
Figure 15-152 Access Point - Radio Traffic Statistics screen

Radio - Displays the name assigned to the radio as its unique identifier. The name displays in the form of a link that can be selected to launch a detailed screen containing radio throughput data.
Tx Bytes - Displays the total number of bytes transmitted by each listed radio. This includes all user data as well as any management overhead data.
Rx Bytes - Displays the total number of bytes received by each listed radio. This includes all user data as well as any management overhead data.
Tx Packets - Displays the total number of packets transmitted by each listed radio. This includes all user data as well as any management overhead packets.
Rx Packets - Displays the total number of packets received by each listed radio. This includes all user data as well as any management overhead packets.
Tx User Data Rate - Displays the rate (in kbps) at which user data is transmitted by each listed radio. This rate only applies to user data and does not include management overhead.
Rx User Data Rate - Displays the rate (in kbps) at which user data is received by the radio. This rate only applies to user data and does not include management overhead.
Tx Dropped - Displays the total number of transmitted packets dropped by each listed radio. This includes all user data as well as management overhead packets that were dropped.
Traffic Index - Displays the traffic index, which measures how efficiently the traffic medium is utilized. It is defined as the percentage of current throughput relative to the maximum possible throughput. The indices include: 0-20 (very low utilization), 20-40 (low utilization), 40-60 (moderate utilization), 60 and above (high utilization).
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.12 Mesh

The Mesh screen provides detailed statistics on each mesh-capable client available within the selected Access Point's radio coverage area.

To view the Mesh statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Mesh.

The Mesh screen describes the following:
Figure 15-153 Access Point - Mesh screen

Client - Displays the system-assigned name of each member of the mesh network.
Client Radio MAC - Displays the MAC address of each client radio in the mesh network.
Portal - Mesh points that connect to an external network and forward traffic in and out are Mesh Portals. Mesh points must find paths to a Portal to access the Internet. When multiple Portals exist, the Mesh point must select one.
Portal Radio MAC - Lists the MAC addresses of those Access Points serving as mesh portals.
Connect Time - Displays the elapsed connection time for each listed client in the mesh network.
Refresh - Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.13 Interfaces

The Interface screen provides detailed statistics on each of the interfaces available on the selected Access Point. Use this screen to review the statistics for each interface. Interfaces vary amongst supported Access Point models.

To review Access Point interface statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Interfaces. The General tab displays by default.

Figure 15-154 Access Point - General Interface screen

Interface Statistics support the following:

IPv6 Address
General Interface Details
Multicast Groups Joined
Network Graph

15.4.13.1 General Interface Details

The General tab provides information on a selected Access Point interface, such as its MAC address, type and TX/RX statistics.

The General table displays the following:
Name - Displays the name of the Access Point interface (ge1, vlan1, etc.).
Interface MAC Address - Displays the MAC address of the interface.
IP Address - Displays the IP address of the interface.
IP Address Type - Displays the IP address type, either IPv4 or IPv6.
Secondary IP - Displays a list of secondary IP resources assigned to this interface.
Hardware Type - Displays the networking technology.
Index - Displays the unique numerical identifier for the interface.
Access VLAN - Displays the tag assigned to the native VLAN.
Access Setting - Displays the VLAN mode as either Access or Trunk.
Administrative Status - Displays whether the interface is currently UP or DOWN.
Operational Status - Lists whether the selected interface is currently UP (operational) or DOWN.

The IPv6 Mode and MTU table displays the following:
IPv6 Mode - Lists the current IPv6 mode utilized.
IPv6 MTU - Lists the largest IPv6 formatted packet size that can be sent over the interface.

The Specification table displays the following information:
Media Type - Displays the physical connection type of the interface. Medium types include: Copper (used on RJ-45 Ethernet ports) and Optical (used on fibre optic gigabit Ethernet ports).
Protocol - Displays the routing protocol used by the interface.
MTU - Displays the maximum transmission unit (MTU) setting configured on the interface. The MTU value represents the largest packet size that can be sent over a link. 10/100 Ethernet ports have a maximum setting of 1500.
Mode - Lists whether traffic on the listed port is Layer 2 or Layer 3.
Metric - Displays the metric associated with the interface's route.
Maximum Speed - Displays the maximum speed the interface uses to transmit or receive data.
Admin Speed - Displays the speed the port can transmit or receive. This value can be either 10, 100, 1000 or Auto. This value is the maximum port speed in Mbps. Auto indicates the speed is negotiated between connected devices.
Operator Speed - Displays the current speed of data transmitted and received over the interface.
Admin Duplex Setting - Displays the administrator's duplex setting.
Current Duplex Setting - Displays the interface as either half duplex, full duplex or unknown.

The Traffic table displays the following:
Good Octets Sent - Displays the number of octets (bytes) with no errors sent by the interface.
Good Octets Received - Displays the number of octets (bytes) with no errors received by the interface.
Good Packets Sent - Displays the number of good packets transmitted.
Good Packets Received - Displays the number of good packets received.
Mcast Pkts Sent - Displays the number of multicast packets sent through the interface.
Mcast Pkts Received - Displays the number of multicast packets received through the interface.
Ucast Pkts Sent - Displays the number of unicast packets sent through the interface.
Ucast Pkts Received - Displays the number of unicast packets received through the interface.
Bcast Pkts Sent - Displays the number of broadcast packets sent through the interface.
Bcast Pkts Received - Displays the number of broadcast packets received through the interface.
Packet Fragments - Displays the number of packet fragments transmitted or received through the interface.
Jabber Pkts - Displays the number of packets transmitted through the interface that are larger than the MTU.

The Errors table displays the following:
Bad Pkts Received - Displays the number of bad packets received through the interface.
Collisions - Displays the number of collisions over the selected interface.
Late Collisions - A late collision is any collision that occurs after the first 64 octets of data have been sent. Late collisions are not normal, and are usually the result of out-of-specification cabling or a malfunctioning device.
Excessive Collisions - Displays the number of excessive collisions. Excessive collisions occur when the traffic load increases to the point that a single Ethernet network cannot handle it efficiently.
Drop Events - Displays the number of dropped packets transmitted or received through the interface.
Tx Undersize Pkts - Displays the number of undersized packets transmitted through the interface.
Oversize Pkts - Displays the number of oversized packets transmitted through the interface.
MAC Transmit Error - Displays the number of failed transmits due to an internal MAC sublayer error (that is not a late collision), excessive collisions or a carrier sense error.
MAC Receive Error - Displays the number of received packets that failed due to an internal MAC sublayer error (that is not a late collision), an excessive number of collisions or a carrier sense error.
Bad CRC - Displays the CRC error count. The CRC is the 4-byte field at the end of every frame. The receiving station uses it to determine whether the frame is valid. If the CRC value computed by the interface does not match the value at the end of the frame, it is counted as a bad CRC.

The Receive Errors table displays the following:
Rx Frame Errors - Displays the number of frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Rx Length Errors - Displays the number of length errors received at the interface. Length errors are generated when the received frame length was either under or over the Ethernet standard.
Rx FIFO Errors - Displays the number of FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Rx Missed Errors - Displays the number of missed packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.
Rx Over Errors - Displays the number of overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.

The Transmit Errors field displays the following:
Tx Errors - Displays the number of packets with errors transmitted on the interface.
Tx Dropped - Displays the number of transmitted packets dropped from the interface.
Tx Aborted Errors - Displays the number of packets aborted on the interface because a clear-to-send request was not detected.
Tx Carrier Errors - Displays the number of carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Tx FIFO Errors - Displays the number of FIFO errors transmitted at the interface. First-in First-out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Tx Heartbeat Errors - Displays the number of heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Tx Window Errors - Displays the number of window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) the receiver is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.

4 Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.13.2 IPv6 Address

IPv6 is the latest revision of the Internet Protocol (IP), designed to replace IPv4. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
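As an added illustration (not code from the guide or from WiNG), the following Python checks rows like those in the IPv6 Addresses and Link Local Address tables of this section against the rules stated there: addresses expand to eight groups of four hexadecimal digits, the Address Type is unicast or multicast, every IPv6-enabled interface needs a link local address, and the preferred lifetime never exceeds the valid lifetime. The sample rows and their lifetimes are constructed.

```python
from ipaddress import IPv6Address

# Constructed sample rows modelled on the IPv6 Addresses and Link Local Address
# tables of this screen (assumption: not captured from a real Access Point).
# Lifetimes are in seconds, as the screen reports them.
SAMPLE_ROWS = [
    {"address": "2001:db8:1::10", "status": "UP", "preferred": 3600, "valid": 7200},
    {"address": "fe80::1", "status": "UP", "preferred": 3600, "valid": 7200},
    {"address": "ff02::1", "status": "UP", "preferred": 0, "valid": 0},
    # Misconfigured row: preferred lifetime longer than valid lifetime
    {"address": "2001:db8:1::99", "status": "UP", "preferred": 9000, "valid": 7200},
]


def expand(address: str) -> str:
    """Write an address as eight groups of four hexadecimal digits separated by colons."""
    return IPv6Address(address).exploded


def address_type(address: str) -> str:
    """The Address Type column: 'multicast' for ff00::/8, otherwise 'unicast'."""
    return "multicast" if IPv6Address(address).is_multicast else "unicast"


def is_link_local(address: str) -> bool:
    """True for fe80::/10, the address every IPv6-enabled interface must carry."""
    return IPv6Address(address).is_link_local


def lifetimes_consistent(preferred: int, valid: int) -> bool:
    """Preferred lifetime must be less than or equal to valid lifetime."""
    return 0 <= preferred <= valid


def audit_interface(rows):
    """Check one interface's rows and return a list of finding strings (empty = clean)."""
    findings = []
    seen_link_local = False
    for row in rows:
        addr = row["address"]
        if is_link_local(addr):
            seen_link_local = True
        if not lifetimes_consistent(row["preferred"], row["valid"]):
            findings.append(
                f"{expand(addr)} ({address_type(addr)}): preferred lifetime "
                f"{row['preferred']}s exceeds valid lifetime {row['valid']}s"
            )
    if not seen_link_local:
        findings.append("interface has no link local (fe80::/10) address")
    return findings


if __name__ == "__main__":
    for row in SAMPLE_ROWS:
        print(f"{expand(row['address']):<39} {address_type(row['address']):<9} "
              f"link-local={is_link_local(row['address'])}")
    for finding in audit_interface(SAMPLE_ROWS):
        print("FINDING:", finding)
```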
To view IPv6 address utilization:

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Interfaces menu from the left-hand side of the UI.
4 Select IPv6 Address.
5 The IPv6 Addresses table displays the following:
Figure 15-155 Access Point - Interface IPv6 Address screen

IPv6 Addresses - Lists the IPv6 formatted addresses currently utilized by the Access Point on the selected interface.
Status - Lists the current utilization status of each IPv6 formatted address currently in use by this controller or Access Point's selected interface.
Address Type - Lists whether the address is unicast or multicast in its utilization over the selected Access Point interface.
Preferred Lifetime (seconds) - Lists the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds) - Displays the time in seconds (relative to when the packet is sent) the IPv6 formatted address remains in a valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

6 Select the Link Local Address & Traffic Report tab to assess data traffic and errors discovered in transmitted and received IPv6 formatted data packets.

7 Verify the following Link Local Address data for the IPv6 formatted address:
Figure 15-156 Access Point - Interface IPv6 Address screen

Address - Lists the IPv6 link local address. IPv6 requires a link local address assigned to every interface the IPv6 protocol is enabled on, even when one or more routable addresses are assigned.
Status - Lists the IPv6 link local address utilization status and its current availability.
Preferred Lifetime (seconds) - Lists the time in seconds (relative to when the packet is sent) the link local address remains in the preferred state on the selected interface. The preferred lifetime must always be less than or equal to the valid lifetime.
Valid Lifetime (seconds) - Displays the time in seconds (relative to when the packet is sent) the link local address remains in the valid state on the selected interface. The valid lifetime must always be greater than or equal to the preferred lifetime.

8 Verify the following IPv6 formatted Traffic data:
Packets In - Lists the number of IPv6 formatted data packets received on the selected Access Point interface since the screen was last refreshed.
Packets Out - Lists the number of IPv6 formatted data packets transmitted on the selected Access Point interface since the screen was last refreshed.
Refresh - Periodically select Refresh to update the screen's counters to their latest values.

9 Review the following Receive Errors for IPv6 formatted data traffic:
Receive Length Errors - Displays the number of IPv6 length errors received at the interface. Length errors are generated when the received IPv6 frame length was either under or over the Ethernet standard.
Receive Over Errors - Displays the number of IPv6 overflow errors received. Overflows occur when a packet size exceeds the allocated buffer size.
Receive Frame Errors - Displays the number of IPv6 frame errors received at the interface. A frame error occurs when data is received, but not in an expected format.
Receive FIFO Errors - Displays the number of IPv6 FIFO errors received at the interface. First-in First-out queueing is an algorithm that involves buffering and forwarding of packets in the order of arrival. FIFO entails no priority. There is only one queue, and all IPv6 formatted packets are treated equally. An increase in FIFO errors indicates a probable hardware malfunction.
Receive Missed Errors - Displays the number of missed IPv6 formatted packets. Packets are missed when the hardware receive FIFO has insufficient space to store an incoming packet.

10 Review the following Transmit Errors for IPv6 formatted data traffic:
Transmit Errors - Displays the number of IPv6 formatted data packets with errors transmitted on the interface.
Transmit Aborted Errors - Displays the number of IPv6 formatted packets aborted on the interface because a clear-to-send request was not detected.
Transmit Carrier Errors - Displays the number of IPv6 formatted carrier errors on the interface. This generally indicates bad Ethernet hardware or bad cabling.
Transmit FIFO Errors - Displays the number of IPv6 formatted FIFO errors transmitted at the interface. First-in First-out queueing is an algorithm that involves the buffering and forwarding of packets in the order of arrival. FIFO uses no priority. There is only one queue, and all packets are treated equally. An increase in the number of FIFO errors indicates a probable hardware malfunction.
Transmit Heartbeat Errors - Displays the number of IPv6 formatted heartbeat errors. This generally indicates a software crash, or packets stuck in an endless loop.
Transmit Window Errors - Displays the number of IPv6 formatted window errors transmitted. TCP uses a sliding window flow control protocol. In each TCP segment, the receiver specifies the amount of additional received data (in bytes) the receiver is willing to buffer for the connection. The sending host can send only up to that amount. If the sending host transmits more data before receiving an acknowledgment, it constitutes a window error.
Refresh - Select Refresh to update the statistics counters to their latest values.

15.4.13.3 Multicast Groups Joined

Multicast groups scale to a larger set of destinations by not requiring prior knowledge of who or how many destinations there are. Multicast devices use their infrastructure efficiently by requiring the source to send a packet only once, even if it is delivered to a large number of devices. Devices replicate a packet to reach multiple receivers only when necessary. Access Points are free to join or leave a multicast group at any time. There are no restrictions on the location or members in a multicast group. A host may be a member of more than one multicast group at any given time and does not have to belong to a group to send messages to members of a group.

To view the Access Point's multicast group memberships on the selected interface:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Interfaces.
4 Select Multicast Groups Joined.
5 The screen displays the following:
Figure 15-157 Access Point - Interface Multicast Groups Joined screen

Group - Lists the name of existing multicast groups whose current members share multicast packets with one another on this selected interface as a means of collective interoperation.
Users - Lists the number of devices currently interoperating on this interface in each listed multicast group. Any single device can be a member of more than one group at a time.

6 Periodically select Refresh to update the screen's counters to their latest values.

15.4.13.4 Network Graph

The Network Graph displays statistics the Access Point continuously collects for its interfaces. Even when the interface statistics graph is closed, data is still collected. Display the interface statistics graph periodically to assess the latest interface information. Up to three different stats can be selected and displayed within the graph. To view a detailed graph for an interface, select an interface and drop it on to the graph. The graph displays Port Statistics as the Y-axis and the Polling Interval as the X-axis. Use the Polling Interval drop-down menu to define the intervals at which data is displayed on the graph.

To view the Interface Statistics graph:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Interfaces.
4 Select Network Graph. Use the Parameters drop-down menu to specify interface values to trend.

Figure 15-158 Access Point - Interface Network Graph screen

15.4.14 RTLS

The real time locationing system (RTLS) enables accurate location determination and presence detection capabilities for Wi-Fi-based devices, Wi-Fi-based active RFID tags and passive RFID tags. While the operating system does not support locationing locally, it does report the locationing statistics of both Aeroscout and Ekahau tags.

To review a selected Access Point's RTLS statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select RTLS.

Figure 15-159 Access Point - RTLS screen

The Access Point RTLS screen displays the following for Aeroscout tags:
Engine IP - Lists the IP address of the Aeroscout locationing engine.
Engine Port - Displays the port number of the Aeroscout engine.
Send Count - Lists the number of location determination packets sent by the locationing engine.
Recv Count - Lists the number of location determination packets received by the locationing engine.
Tag Reports - Displays the number of tag reports received from locationing-equipped radio devices supporting RTLS.
Nacks - Displays the number of Nack (no acknowledgement) frames received from RTLS-supported radio devices providing locationing services.
Acks - Displays the number of Ack (acknowledgment) frames received from RTLS-supported radio devices providing locationing services.
Lbs - Displays the number of location based service (LBS) frames received from RTLS-supported radio devices providing locationing services.
AP Status - Provides the status of peer APs providing locationing assistance.
AP Notifications - Displays a count of the number of notifications sent to Access Points that may be available to provide RTLS support.
Send Errors - Lists the number of send errors received by the RTLS initiating Access Point.
Error Message Count - Displays a cumulative count of error messages received from RTLS-enabled Access Point radios.

The Access Point RTLS screen displays the following for Ekahau tags:
Tag Reports - Displays the number of tag reports received from locationing-equipped radio devices supporting RTLS.

4 Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.15 PPPoE

The PPPoE statistics screen displays stats derived from the AP's access to high-speed data and broadband networks. PPPoE uses standard encryption, authentication, and compression methods as specified by the PPPoE protocol. PPPoE enables Access Points to establish a point-to-point connection to an ISP over an existing Ethernet interface.

To review a selected Access Point's PPPoE statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select PPPoE.

The Configuration Information field displays the following:
Figure 15-160 Access Point - PPPoE screen

Shutdown: Displays whether a high speed client mode point-to-point connection has been enabled using the PPPoE protocol.
Service: Lists the 128 character maximum PPPoE client service name provided by the service provider.
DSL Modem Network (VLAN): Displays the PPPoE VLAN (client local network) connected to the DSL modem. This is the local network connected to the DSL modem.
Authentication Type: Lists the authentication type used by the PPPoE client, whose credentials must be shared by its peer Access Point. Supported authentication options include None, PAP, CHAP, MSCHAP, and MSCHAP-v2.
Username: Displays the 64 character maximum username used for authentication by the PPPoE client.
Password: Displays the 64 character maximum password used for authentication by the PPPoE client.
Client Idle Timeout: The Access Point uses the listed timeout so it does not sit idle waiting for input from the PPPoE client and the server that may never come.
Keep Alive: If a keep alive is utilized, the point-to-point connection to the PPPoE client is continuously maintained and not timed out.
Maximum Transmission Unit (MTU): Displays the PPPoE client maximum transmission unit (MTU) from 500 - 1,492. The MTU is the largest physical packet size in bytes a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent. A PPPoE client should be able to maintain its point-to-point connection for this defined MTU size.

4 Refer to the Connection Status field. The Connection Status table lists the MAC address, SID, Service information, MTU and status of each route destination peer. To provide this point-to-point connection, each PPPoE session learns the Ethernet address of a remote PPPoE client and establishes a session. PPPoE uses both a discovery and a session phase to identify a client and establish a point-to-point connection. By using such a connection, a Wireless WAN failover is available to maintain seamless network access if the Access Point's Wired WAN were to fail.
5 Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.16 Bluetooth Access Point Statistics

AP-8432 and AP-8533 model Access Points utilize a built in Bluetooth chip for specific Bluetooth functional behaviors in a WiNG managed network. AP-8432 and AP-8533 models support both Bluetooth classic and Bluetooth low energy technology. These platforms can use their Bluetooth classic enabled radio to sense other Bluetooth enabled devices and report device data (MAC address, RSSI and device calls) to an ADSP server for intrusion detection. If the device presence varies in an unexpected manner, ADSP can raise an alarm. AP-8432 and AP-8533 model Access Points support Bluetooth beaconing to emit either iBeacon or Eddystone-URL beacons. The Access Point's Bluetooth radio sends non-connectable, undirected low-energy (LE) advertisement packets on a periodic basis. These advertisement packets are short, and are sent on Bluetooth advertising channels that conform to the already-established iBeacon and Eddystone-URL standards.

To view Bluetooth radio statistics for an Access Point:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Bluetooth.

The Access Point's Bluetooth screen displays the following:
Figure 15-161 Access Point - Bluetooth screen

Name: Lists the name of the Access Point's Bluetooth radio.
Alias: If an alias has been defined for the Access Point, it's listed here. The alias value is expressed in the form <hostname>:B<Bluetooth_radio_number>. If the administrator has defined a hostname for the Access Point, it's used in place of the Access Point's default hostname.
Radio State: Displays the current operational state (On/Off) of the Bluetooth radio.
Off Reason: If the Bluetooth radio is offline, this field states the reason.
Radio MAC: Lists the Bluetooth radio's factory encoded MAC address serving as this device's hardware identifier on the network.
Hostname: Lists the hostname set for the Access Point as its network identifier.
Device MAC: Lists the Access Point's factory encoded MAC address serving as this device's hardware identifier on the network.
AP Location: Lists the Access Point's administrator assigned deployment location.
Radio Mode: Lists an Access Point's Bluetooth radio functional mode as either bt-sensor or le-beacon.
Beacon Period: Lists the Bluetooth radio's beacon transmission period from 100 - 10,000 milliseconds.
Beacon Type: Lists the type of beacon currently configured.
Last Error: Lists descriptive text on any error that's preventing the Bluetooth radio from operating.
Refresh: Select Refresh to update the screen's statistics counters to their latest values.

15.4.17 OSPF Access Point Statistics

Open Shortest Path First (OSPF) is a link-state interior gateway protocol (IGP). OSPF routes IP packets within a single routing domain (autonomous system), like an enterprise LAN. OSPF gathers link state information from neighbor routers and constructs a network topology. The topology determines the routing table presented to the Internet Layer, which makes routing decisions based solely on the destination IP address found in IP packets.

Refer to the following for detailed descriptions of the tabs available within the OSPF statistics screen:
OSPF Summary
OSPF Neighbors
OSPF Area Details
OSPF Route Statistics
OSPF Interface
OSPF State

15.4.17.1 OSPF Summary

To view OSPF summary statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF. The Summary tab displays by default.

The Summary tab describes the following information fields:
Figure 15-162 Access Point - OSPF Summary tab

General: The General field displays the router ID assigned for this OSPF connection, RFC compliance information and LSA data.
ABR/ASBR Details: Lists Autonomous System Boundary Router (ASBR) data relevant to OSPF routing, including the ASBR, ABR and ABR type. An Area Border Router (ABR) is a router that connects one or more areas to the main backbone network. It is considered a member of all areas it is connected to. An ABR keeps multiple copies of the link-state database in memory, one for each area to which that router is connected. An ASBR is a router connected to more than one routing protocol and exchanges routing information with routers in other protocols. ASBRs typically also run an exterior routing protocol (for example, BGP), or use static routes, or both. An ASBR is used to distribute routes received from other, external ASs throughout its own autonomous system. Routers in other areas use the ABR as next hop to access external addresses. The ABR then forwards packets to the ASBR announcing the external addresses.
SPF: Refer to the SPF field to assess the status of the shortest path first (SPF) execution, last SPF execution, SPF delay, SPF due in, SPF hold multiplier, SPF hold time, SPF maximum hold time and SPF timer due flag.
Stub Router: The summary screen displays information relating to stub router advertisements and shutdown and startup times. An OSPF stub router advertisement allows a new router into a network without immediately routing traffic through the new router, and allows a graceful shutdown or reload of a router without dropping packets that are destined for other networks. This feature introduces three configuration options that allow you to configure a router running the OSPF protocol to advertise a maximum or infinite metric to all neighbors.

4 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.2 OSPF Neighbors

OSPF establishes neighbor relationships to exchange routing updates with other routers. An Access Point supporting OSPF sends hello packets to discover neighbors and elect a designated router. The hello packet includes link state information and a list of neighbors. OSPF is aware of layer 2 topologies. On a point-to-point link, OSPF knows the link itself is sufficient, and the link stays up. On a broadcast link, the router waits for the election before determining if the link is functional.

To view OSPF neighbor statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the Neighbor Info tab.

The Neighbor Info tab describes the following:
Figure 15-163 Access Point - OSPF Neighbor Info tab

Router ID: Displays the router ID assigned for this OSPF connection. The router is a level three Internet Protocol packet switch. This ID must be established in every OSPF instance. If not explicitly configured, the highest logical IP address is duplicated as the router identifier. However, since the router identifier is not an IP address, it does not have to be a part of any routable subnet in the network.
Neighbor Priority: Displays each listed neighbor's priority with respect to becoming the designated router managing the OSPF connection. The designated router is the router interface elected among all routers on a particular multi-access network segment.
IF Name: Lists the name assigned to the router interface used to support connections amongst OSPF enabled neighbors.
Neighbor Address: Lists the IP address of the neighbor sharing the router interface with each listed router ID.
Request Count: Lists the connection request count (hello packets) to connect to the router interface, discover neighbors and elect a designated router.
Retransmit Count: Lists the connection retransmission count attempted in order to connect to the router interface, discover neighbors and elect a designated router. A designated router (DR) is the router interface elected among all routers on a particular multi-access network segment, generally assumed to be broadcast.
Dead Time: Lists the dead time between neighbors in the network topology that are currently utilizing the listed router ID.
Self Neighbor State: Displays the self-neighbor status assessment used to discover neighbors and elect a designated router.
Source Address: Displays the single source address used by all neighbor routers to obtain topology and connection status. This form of multicasting significantly reduces network load.
Summary Count: Routes that originate from other areas are called summary routes. Summary routes are not flooded in a totally stubby or NSSA totally stubby area.

5 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.3 OSPF Area Details

An OSPF network is subdivided into routing areas (with 32 bit area identifiers) to simplify administration and optimize traffic utilization. Areas are logical groupings of hosts and networks, including routers having interfaces connected to an included network. Each area maintains a separate link state database whose information may be summarized towards the rest of the network. An OSPF area contains a set of routers exchanging Link State Advertisements (LSAs) with others in the same area. Areas limit LSAs and encourage aggregate routes. Areas are identified by 32-bit IDs, expressed either in decimal or in octet-based dot-decimal notation.

To view OSPF area statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the Area Details tab.

The Area Details tab describes the following:
Figure 15-164 Access Point - OSPF Area Details tab

OSPF Area ID: Displays either the integer (numeric ID) or IP address assigned to the OSPF area as a unique identifier.
OSPF INF: Lists the interface ID (virtual interface for dynamic OSPF routes) supporting each listed OSPF area ID.
Fully adj numbers: Fully adjusted numbers strip away the effects of other non OSPF and LSA factors and events, leaving only relevant OSPF area network route events counted.
Auth Type: Lists the authentication schemes used to validate the credentials of dynamic route connections and their areas.
Total LSA: Lists the Link State Advertisements (LSAs) of all entities using the dynamic route (in any direction) in the listed area ID.
Router LSA: Lists the Link State Advertisements of the router supporting each listed area ID. The router LSA reports active router interfaces, IP addresses, and neighbors.
Network LSA: Displays which routers are joined together by the designated router on a broadcast segment (e.g. Ethernet). Type 2 LSAs are flooded across their own area only. The link state ID of the type 2 LSA is the IP interface address of the designated router.
Summary LSA: The summary LSA is generated by an ABR to leak area summary address information into other areas. An ABR generates more than one summary LSA for an area if the area addresses cannot be properly aggregated by only one prefix.
ASBR Summary LSA: Originated by ABRs when an ASBR is present, to let other areas know where the ASBR is. These are supported just like summary LSAs.
NSSA LSA: Routers in a Not-so-stubby-area (NSSA) do not receive external LSAs from Area Border Routers, but are allowed to send external routing information for redistribution. They use type 7 LSAs to tell the ABRs about these external routes, which the Area Border Router then translates to type 5 external LSAs and floods as normal to the rest of the OSPF network. Redistribution into an NSSA area creates a special type of LSA known as type 7, which can exist only in an NSSA area. An NSSA ASBR generates this LSA, and an NSSA ABR router translates it into a type 5 LSA which gets propagated into the OSPF domain.
Opaque Area LSA CSUM: Displays the Type-10 opaque link area checksum with the complete contents of the LSA. Type-10 Opaque LSAs are not flooded beyond the borders of their associated area.
Opaque link CSUM: Displays the Type-10 opaque link checksum with the complete contents of the LSA.

5 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.4 OSPF Route Statistics

Refer to the Routes tab to assess the status of OSPF Border Routes, External Routes, Network Routes and Router Routes.

To view OSPF route statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the Routes tab. The Border Routers tab displays by default.

An area border router (ABR) connects (links) more than one area. Usually an ABR is used to connect non-backbone areas to the backbone. If OSPF virtual links are used, an ABR will also be used to connect the area using the virtual link to another non-backbone area. Border routes use internal OSPF routing table entries to an ABR or Autonomous System Boundary Router (ASBR). Border routers maintain an LSDB for each area supported. They also participate in the backbone.

5 Refer to the External Routes tab.

Figure 15-165 Access Point - OSPF External Routes tab

External routes are external to the area, originate from other routing protocols (or different OSPF processes) and are inserted into OSPF using redistribution. A stub area is configured not to carry external routes. Each external route can be tagged by the advertising router, enabling the passing of additional information between routers on the boundary of the autonomous system. The External Routes tab displays a list of external routes, the area impacted, cost, path type, tag and type 2 cost. Cost factors may be the distance of a router (round-trip time), network throughput of a link, or link availability and reliability, expressed as simple unit-less numbers. This provides a dynamic process of traffic load balancing between routes of equal cost.

6 Refer to the Network Routes tab.

Figure 15-166 Access Point - OSPF Network Routes tab

Network routes support more than two routers, with the capability of addressing a single physical message to all attached routers (broadcast). Neighboring routers are discovered dynamically using OSPF hello messages. This use of the hello protocol takes advantage of broadcast capability. An OSPF network route makes further use of multicast capabilities, if they exist. Each pair of routers on the network is assumed to communicate directly.
The Network Routes tab displays the network name, impacted OSPF area, cost, destination and path type.

7 Select the Router Routes tab.

Figure 15-167 Access Point - OSPF Router Routes tab

An internal (or router) route connects to one single OSPF area. All of its interfaces connect to the area in which it is located, and it does not connect to any other area.

8 Select the Refresh button (within any of the four OSPF Routes tabs) to update the statistics counters to their latest values.

15.4.17.5 OSPF Interface

An OSPF interface is the connection between a router and one of its attached networks. An interface has state information associated with it, which is obtained from the underlying lower level protocols and the routing protocol itself. A network interface has a single IP address and mask associated with it (unless the network is an unnumbered point-to-point network). An interface is sometimes also referred to as a link.

To view OSPF interface statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the OSPF Interface tab.

The OSPF Interface tab describes the following:
Figure 15-168 Access Point - OSPF Interface tab

Interface Name: Displays the IP addresses and mask defined as the virtual interface for dynamic OSPF routes. Zero config and DHCP can be used to generate route addresses, or a primary and secondary address can be manually provided.
Interface Index: Lists the numerical index used for the OSPF interface. This interface ID is in the hello packets establishing the OSPF network connection.
Bandwidth (kb): Lists the OSPF interface bandwidth (in Kbps) in the range of 1 - 10,000,000.
Interface Flags: Displays the flag used to determine the interface status.
MTU: Lists the OSPF interface maximum transmission unit (MTU) size. The MTU is the largest physical packet size (in bytes) a network can transmit. Any packets larger than the MTU are divided into smaller packets before being sent.
OSPF Enabled: Lists whether OSPF has been enabled for each listed interface. OSPF is disabled by default.
UP/DOWN: Displays whether the OSPF interface (the dynamic route) is currently up or down for each listed interface. An OSPF interface is the connection between a router and one of its attached networks.

5 Select the Refresh button to update the statistics counters to their latest values.

15.4.17.6 OSPF State

An OSPF enabled Access Point sends hello packets to discover neighbors and elect a designated router for dynamic links. The hello packet includes link state data maintained on each Access Point and is periodically updated on all OSPF members. The Access Point tracks link state information to help assess the health of the OSPF dynamic route.

To view OSPF state statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen), expand the default node and select an Access Point for statistical observation.
3 Select OSPF.
4 Select the OSPF State tab.

Figure 15-169 Access Point - OSPF State tab

The OSPF State tab describes the following:
OSPF state: Displays the OSPF link state amongst neighbors within the OSPF topology. Link state information is maintained in a link-state database (LSDB), which is a tree image of the entire network topology. Identical copies of the LSDB are periodically updated through flooding on all OSPF supported nodes. Flooding is the part of the OSPF protocol that distributes and synchronizes the link-state database between OSPF routers.
OSPF ignore state count: Lists the number of times state requests have been ignored between the Access Point and its peers within this OSPF supported broadcast domain.
OSPF ignore state monitor timeout: Displays the timeout that, when exceeded, prohibits the Access Point from detecting changes to the OSPF link state.
OSPF ignore state timeout: Displays the timeout that, when exceeded, returns the Access Point back to state assessment amongst neighbors in the OSPF topology.
OSPF max ignore state count: Displays whether an OSPF state timeout is being ignored and not utilized in the transmission of state update requests amongst neighbors within the OSPF topology.
OSPF max routes: States the maximum number of routes negotiated amongst neighbors within the OSPF topology.
OSPF routes received: Lists the routes received and negotiated amongst neighbors within the OSPF topology.

5 Select the Refresh button to update the statistics counters to their latest values.

15.4.18 L2TPv3 Tunnels Access Point Statistics

Access Points use L2TPv3 to create tunnels for transporting layer 2 frames. L2TPv3 enables an Access Point to create tunnels for transporting Ethernet frames to and from bridge VLANs and physical ports. L2TPv3 tunnels can be defined between WiNG devices and other devices supporting the L2TPv3 protocol.

To review a selected Access Point's L2TPv3 statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select L2TPv3.

The Access Point L2TPv3 Tunnels screen displays the following:
Figure 15-170 Access Point - L2TPv3 screen

Tunnel Name: Displays the name of each listed L2TPv3 tunnel assigned upon creation. Each listed tunnel name can be selected as a link to display session data specific to that tunnel. The Sessions screen displays cookie size information as well as pseudowire information specific to the selected tunnel. Data is also available to define whether the tunnel is a trunk session and whether tagged VLANs are used. The number of transmitted, received and dropped packets also displays to provide a throughput assessment of the tunnel connection. Each listed session name can also be selected as a link to display VLAN information specific to that session. The VLAN Details screen lists those VLANs used by an Access Point interface in L2TP tunnel establishment.
Local Address: Lists the IP address assigned as the local tunnel end point address, not the tunnel interface's IP address. This IP is used as the tunnel source IP address. If a local address is not specified, the source IP address is chosen automatically based on the tunnel peer IP address.
Peer Address: Lists the IP address of the L2TP tunnel peer establishing the tunnel connection.
Tunnel State: States whether the tunnel is Idle (not utilized by peers) or is currently active.
Peer Host Name: Lists the assigned peer hostname used as matching criteria in the tunnel establishment process.
Peer Control Connection ID: Displays the numeric identifier for the tunnel session. This is the peer pseudowire ID for the session. The source and destination IDs are exchanged in session establishment messages with the L2TP peer.
CTRL Connection ID: Displays the router ID(s) sent in tunnel establishment messages with a potential peer device.
Up Time: Lists the amount of time the L2TP connection has remained established amongst peers sharing the L2TPv3 tunnel connection. The Up Time is displayed in a Days: Hours: Minutes: Seconds: format. If D:0 H:0 M:0 S:0 is displayed, the tunnel connection is not currently established.
Encapsulation Protocol: Displays either IP or UDP as the peer encapsulation protocol. The default setting is IP. UDP uses a simple transmission model without implicit handshakes. Tunneling is also called encapsulation. Tunneling works by encapsulating a network protocol within packets carried by the second network.
Critical Resource: Lists critical resources for this tunnel. Critical resources are device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the network. These device addresses are pinged regularly by Access Points. If there's a connectivity issue, an event is generated stating a critical resource is unavailable.
VRRP Group: Displays the VRRP group name if configured. VRRP configurations support router redundancy in a wireless network requiring high availability.
Establishment Criteria: Displays the tunnel establishment criteria for this tunnel. Tunnel establishment involves exchanging 3 message types (SCCRQ, SCCRP and SCCCN) with the peer. Tunnel IDs and capabilities are exchanged during the tunnel establishment with the host.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.19 VRRP Access Point Statistics

The VRRP statistics screen displays Virtual Router Redundancy Protocol (VRRP) configuration statistics supporting router redundancy in a wireless network requiring high availability.

To review a selected Access Point's VRRP statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select VRRP.

Figure 15-171 Access Point - VRRP screen

4 Refer to the Global Error Status field to review the various sources of packet errors logged during the implementation of the virtual route. Errors include the mismatch of authentication credentials, invalid packet checksums, invalid packet types, invalid virtual route IDs, TTL errors, packet length errors and invalid (non matching) VRRP versions.
5 Refer to the Router Operations Summary for the following status:
VRID: Lists a numerical index (1 - 254) used to differentiate VRRP configurations. The index is assigned when a VRRP configuration is initially defined. This ID identifies the virtual router a packet is reporting status for.
Virtual IP Address: Lists the virtual interface IP address used as the redundant gateway address for the virtual route.
Master IP Address: Displays the IP address of the elected VRRP master. A VRRP master (once elected) responds to ARP requests, forwards packets with a destination link layer MAC address equal to the virtual router MAC address, rejects packets addressed to the IP address associated with the virtual router and accepts packets addressed to the IP address associated with the virtual router.
Interface Name: Displays the interfaces selected on the Access Point to supply VRRP redundancy failover support.
Version: Displays VRRP version 3 (RFC 5798) or 2 (RFC 3768) as selected to set the router redundancy. Version 3 supports sub-second (centisecond) VRRP failover and support services over virtual IP.
State: Displays the current state of each listed virtual router ID.
Clear Router Status: Select the Clear Router Status button to clear the Router Operations Summary table values to zero and begin new data collections.
Clear Global Error Status: Select the Clear Global Error Status button to clear the Global Error Status table values to zero and begin new data collections.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.20 Critical Resources Access Point Statistics

The Critical Resources statistics screen displays a list of device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the controller or service platform managed network. These device addresses are pinged regularly by managed Access Points. If there's a connectivity issue, an event is generated stating a critical resource is unavailable. Thus, each device's VLAN, ping mode and state is displayed for the administrator.

To review a selected Access Point's critical resource statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Critical Resources.

Figure 15-172 Access Point - Critical Resources screen

4 Refer to the General field to assess the Monitor Interval and Monitor Using Flows Interval used to poll for updates from the critical resource IP listed for Source IP For Port-Limited Monitoring. Monitoring Retries before Marking Resource as DOWN is the number of retry connection attempts permitted before the listed resource is defined as down (offline).

The Access Point Critical Resource screen displays the following:
Critical Resource Name: Lists the name of the critical resource monitored by the Access Point. Critical resources are device IP addresses on the network (gateways, routers etc.). These IP addresses are critical to the health of the network. These device addresses are pinged regularly by Access Points. If there's a connectivity issue, an event is generated stating a critical resource is unavailable.
Via: Lists the VLAN used by the critical resource as a virtual interface. The critical resource displays as a link that can be selected to list configuration and network address information in greater detail.
Status: Defines the operational state of each listed critical resource VLAN interface (either Up or Down).
Error Reason: Provides an error status as to why the critical resource is not available over its designated VLAN.
Mode: Displays the operational mode of each listed critical resource.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.21 LDAP Agent Status Access Point Statistics

When LDAP has been specified as an external resource (as opposed to local Access Point RADIUS resources) to validate PEAP-MS-CHAP v2 authentication requests, user credentials and password information need to be made available locally to successfully connect to the external LDAP server. Up to two LDAP Agents (primary and secondary external resources) can be defined as external resources for PEAP-MS-CHAP v2 authentication requests. The AP6521 model Access Point does not support this feature in Standalone AP or Controller AP mode. However, the AP6521 model is supported when adopted and managed by a controller or service platform. For more information on setting LDAP agents as part of the RADIUS server policy, see Configuring RADIUS Server Policies on page 11-57.

To view Access Point LDAP agent statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select LDAP Agent Status.

Figure 15-173 Access Point - LDAP Agent Status screen

The LDAP Agent Status screen displays the following:
LDAP Agent Primary: Lists the primary IP address of a remote LDAP server resource used by the Access Point to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy's data source is set to LDAP, this is the first resource for authentication requests.
LDAP Agent Secondary: Lists the secondary IP address of a remote LDAP server resource used by the Access Point to validate PEAP-MS-CHAP v2 authentication requests. When a RADIUS server policy's data source is set to LDAP, this is the second resource for authentication requests.
Message: Displays any system message generated in the Access Point's connection with the primary or secondary LDAP agent. If there's a problem with the username and password used to connect to the LDAP agent, it is listed here.
Status: Displays whether the Access Point has successfully joined the remote LDAP server domain designated to externally validate PEAP-MS-CHAP v2 authentication requests.
Refresh: Select Refresh to update the statistics counters to their latest values.

15.4.22 Mint Links (Access Point Statistics)

Wireless controllers and Access Points use the MiNT protocol as the primary means of device discovery and communication for Access Point adoption and management. MiNT provides a mechanism to discover neighbor devices in the network, and exchange packets between devices regardless of how these devices are connected (L2 or L3). MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model. MiNT links can be established over a VLAN (among Access Points on a VLAN) or IP (remote Access Point to controller). MiNT links are automatically created between controllers and Access Points during adoption using MLCP (MiNT Link Creation Protocol). They can also be manually created between a controller and Access Point, or between Access Points.

MiNT links are manually created between controllers while configuring a cluster. Level 2 (or remote) MiNT links are controller aware links, and require an IP network for communication. These level 2 MiNT links at Access Points are intended for remote Adaptive AP deployment and management from a NOC. With level 2 MiNT links, Access Points are only aware of the controllers and not of other Access Points. Level 2 MiNT links also provide partitioning between Access Points deployed at various remote sites.

To view an Access Point's Mint links:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Mint Links from the left-hand side of the UI.

Figure 15-174 Access Point - Mint Links screen

The Mint Links screen lists the name of the impacted VLAN or link in the form of a link that can be selected to display more granular information about that VLAN. A green check mark or a red X defines whether the listed VLAN is listening to traffic, forced to stay up or unused with the Mint link. The level column specifies whether the listed Mint link is a traditional switching link (level 2) or a routing link (level 3). The type column defines whether the listed Mint link is a VLAN or an IPv4 or IPv6 type network address. The dis column lists how each link was discovered. Refer to the secure column to assess whether the listed links are isolated between peers. The local ip column lists the IP address assigned as the link's end point address, not the interface's IP address. The natted column lists whether the link is NAT enabled or disabled for modifying network address information in IP packet headers in transit. The cost defines the cost for a packet to travel from its originating port to its end point destination. The hello seq number and hello interval define the interval between hello keep alive messages between link end points, while the adj hold time sets the time after the last hello packet when the connection between end points is defined as lost. The static and dynamic link columns state whether each listed link is a static route using a manually configured route entry, or a dynamic route characterized by its destination. The rim column defines whether the listed link is managed remotely. The control vlan column states whether the listed link is enabled as a control VLAN. Lastly, the clustering column states whether listed link members discover and establish connections to other peers and provide self-healing in the event of cluster member failure.

4 Periodically select Refresh to update the screen's data counters to their latest values.
5 If needed, select a Mint link from the name column to display more granular information for that link.

Figure 15-175 Access Point - Mint Link Details screen

The first table lists the Mint link's name and level, specifying whether the Mint link is a traditional switching link (level 2) or a routing link (level 3). The cost defines the cost for a packet to travel from its originating port to its end point destination. The hello interval lists the time between hello keep alive messages between link end points. The adj hold time sets the time after the last hello packet when the connection between end points is defined as lost. The Adjacencies table lists neighbor devices by their hardware identifiers and operational state to help determine their availability as Mint link end points and peers. The up time lists how long the selected link has been detected on the network and the last hello lists when the last hello message was exchanged.

6 Periodically select Refresh to update the statistics counters to their latest values.

15.4.23 Guest Users (Access Point Statistics)

A captive portal is an access policy for providing guests temporary and restrictive access to the wireless network. A captive portal configuration provides secure authenticated access using a standard Web browser. Captive portals provide authenticated access by capturing and re-directing a wireless user's Web browser session to a captive portal login page where the user must enter valid credentials to access the network. Captive portals can have their access durations set by an administrator to either provide temporary access to the Access Point managed network or provide access without limitations. For information on setting captive portal duration and authentication settings, refer to Configuring Captive Portal Policies on page 11-1.

To view current Access Point guest user utilization:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Guest Users.

The Guest Users screen describes the following:
Figure 15-176 Access Point Guest Users screen

Name: Lists the administrator assigned name of the client utilizing the Access Point for guest access to the WiNG managed wireless network.
Configured Time (days:hrs:mins:secs): Displays the restricted permissions each listed client was initially configured for their captive portal guest user session with this managing Access Point.
Remaining Time (days:hrs:mins:secs): Displays the time each listed client has remaining in their captive portal guest user session with this Access Point.
Configured Kilobytes: Lists the maximum configured bandwidth consumable by the listed guest user (in kilobytes).
Remaining Kilobytes: Lists the remaining bandwidth available to the listed guest user (in kilobytes). This is the difference between the configured (maximum) bandwidth and the user's current utilization.
Configured Downlink Rate (kbps): Specifies the download speed configured for the listed guest user. When bandwidth is available, the user can download data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the defined reduced downlink rate. For more information, refer to Defining User Pools on page 11-53.
Configured Uplink Rate (kbps): Specifies the upload speed dedicated to the listed guest user. When bandwidth is available, the user is able to upload data at the specified rate (in kilobytes per second). If a guest user has a bandwidth based policy and exceeds the specified data limit, their speed is throttled to the reduced uplink rate. For more information, refer to Defining User Pools on page 11-53.
Current Downlink Rate (Kbps): Lists the listed guest user's current downlink rate in kbps. Use this information to assess whether this user's configured downlink rate is adequate for their session requirements and whether their reduced downlink rate needs adjustment if the configured downlink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Current Uplink Rate (Kbps): Lists the listed guest user's current uplink rate in kbps. Use this information to assess whether this user's configured uplink rate is adequate for their session requirements and whether their reduced uplink rate needs adjustment if the configured uplink rate is exceeded. For more information, refer to Defining User Pools on page 11-53.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.24 GRE Tunnels (Access Point Statistics)

Generic Routing Encapsulation (GRE) is one of the available tunneling mechanisms which uses IP as the transport protocol and can be used for carrying many different passenger protocols. The tunnels behave as virtual point-to-point links that have two endpoints identified by the tunnel source and tunnel destination addresses at each endpoint.

To review a selected Access Point's GRE statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select GRE Tunnels.

The Access Point GRE Tunnels screen displays the following:
Figure 15-177 Access Point - GRE Tunnels screen

GRE State: Displays the current operational state of the GRE tunnel.
Peer IP Address: Displays the IP address of the peer device on the remote end of the GRE tunnel.
Tunnel Id: Displays the session ID of an established GRE tunnel. This ID is only viable while the tunnel is operational.
Total Packets Received: Displays the total number of packets received from a peer at the remote end of the GRE tunnel.
Total Packets Sent: Displays the total number of packets sent from this Access Point to a peer at the remote end of the GRE tunnel.
Total Packets Dropped: Lists the number of packets dropped from tunneled exchanges between this Access Point and a peer at the remote end of the VPN tunnel.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.25 Dot1x (Access Point Statistics)

Dot1x (or 802.1x) is an IEEE standard for network authentication. Devices supporting Dot1x allow the automatic provision and connection to the wireless network without launching a Web browser at login. When within range of a Dot1x network, a device automatically connects and authenticates without needing to manually log in.

To view the Dot1x statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Dot1x from the left-hand side of the UI.
4 Refer to the following Dot1xAuth statistics:
Figure 15-178 Access Point Dot1x screen

AAA Policy: Lists the AAA policy currently being utilized for authenticating user requests.
Guest Vlan Control: Lists whether guest VLAN control has been allowed (or enabled). This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN is globally enabled. A green checkmark designates guest VLAN control as enabled. A red X defines guest VLAN control as disabled.
System Auth Control: Lists whether Dot1x authorization is globally enabled for the Access Point. A green checkmark designates Dot1x authorization as globally enabled. A red X defines Dot1x as globally disabled.

5 Review the following Dot1x Auth Ports utilization information:
Name: Lists the Access Point ge ports subject to automatic connection and authentication using Dot1x.
Auth SM: Lists the current authentication state of the listed port.
Auth VLAN: Lists the virtual interface utilized post authentication.
BESM: Lists whether an authentication request is pending on the listed port.
Client MAC: Lists the MAC address of requesting clients seeking authentication over the listed port.
Guest VLAN: Lists the guest VLAN utilized for the listed port. This is the VLAN traffic is bridged on if the port is unauthorized and guest VLAN is globally enabled.
Host: Lists whether the host is a single entity or not.
Pstatus: Lists whether the listed port has been authorized for Dot1x network authentication.

6 Refer to the MacAuth table to assess the AAA policy applied to MAC authorization requests.
7 Review the following MAC Auth Ports utilization information:
Name: Lists the Access Point ge ports subject to automatic connection and MAC authentication using Dot1x.
Authorized: Lists whether MAC authorization using Dot1x has been authorized (permitted) on the listed ge port. A green checkmark designates Dot1x authorization as authorized. A red X defines authorization as disabled.
Enabled: Lists whether MAC authorization using Dot1x has been enabled on the listed ge port. A green checkmark designates Dot1x authorization as allowed. A red X defines authorization as disabled.
MAC Auth: Lists the MAC address corresponding to the listed Access Point port interface on which authentication requests are made.

8 Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.26 Network (Access Point Statistics)

Use the Network screen to view performance statistics for ARP, DHCP, Routing and Bridging. For more information, refer to the following:
ARP Entries
Route Entries
Default Routes
Bridge
IGMP
MLD
Traffic Shaping
DHCP Options
Cisco Discovery Protocol
Link Layer Discovery Protocol
MSTP
IPv6 Neighbor Discovery

15.4.26.1 ARP Entries (Network)

Address Resolution Protocol (ARP) is a protocol for mapping an IP address to a device address recognized in the local network. An IP address is 32 bits long. In an Ethernet local area network, however, addresses for attached devices are 48 bits long. (The physical machine address is also known as a MAC address.) A table, usually called the ARP cache, is used to maintain a correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

To view an Access Point's ARP statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its submenu items.
4 Select ARP Entries.

The ARP Entries screen describes the following:
Figure 15-179 Access Point - Network ARP screen

IP Address: Displays the IP address of the client resolved on behalf of the Access Point.
ARP MAC Address: Displays the MAC address corresponding to the IP address being resolved.
Type: Lists the type of ARP entry.
VLAN: Displays the system assigned VLAN ID where an IP address was found.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.26.2 Route Entries (Network)

The Route Entries screen displays data for routing packets to a defined destination. When an existing destination subnet does not meet the needs of the network, add a new destination subnet, subnet mask and gateway as needed for either IPv4 or IPv6 formatted data packets. IPv4 operates as a best effort delivery method, as it does not guarantee delivery, and does not ensure proper sequencing or avoid duplicate delivery (unlike TCP). IPv4 hosts can use link local addressing to provide local connectivity. IPv6 is the latest revision of the Internet Protocol (IP) designed to replace IPv4. IPv6 provides enhanced identification and location information for devices on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.

To view IPv4 and IPv6 route entries:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its submenu items.
4 Select Route Entries. The IPv4 Route Entries tab displays by default.

The IPv4 Route Entries screen lists the following:
Figure 15-180 Access Point - Network IPv4 Route Entries screen

Destination: Displays the IPv4 formatted address of the destination route address.
Distance: Lists the hop distance to a desired route. Devices regularly send neighbors their own assessment of the total cost to get to all known destinations. A neighboring device examines the information and compares it to its own routing data. Any improvement on what's already known is inserted in that device's own routing tables. Over time, each networked device discovers the optimal next hop for each destination.
Route: Lists the IPv4 formatted IP address used for routing packets to a defined destination.
Flags: The flag signifies the condition of the direct or indirect route.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Metric: Lists the metric (or cost) of the route to select (or predict) the best route. The metric is computed using a routing algorithm, and covers information such as bandwidth, network delay, hop count, path cost, load, MTU, reliability, and communication cost.
Refresh: Select Refresh to update the display to the latest values.

5 Select the IPv6 Route Entries tab to review route data for IPv6 formatted traffic.

The IPv6 Route Entries screen lists the following:
Figure 15-181 Wireless Controller - IPv6 Route Entries screen

Destination: Displays the IPv6 formatted address of the destination route address.
Gateway: Displays the gateway IP address used to route packets to the destination subnet.
Interface: Displays the name of the controller interface or VLAN utilized by the destination subnet.
Flag: The flag signifies the condition of the direct or indirect route.
Refresh: Select Refresh to update the display to the latest values.

15.4.26.3 Default Routes (Network)

In an IPv6 supported environment unicast routing is always enabled. A controller or service platform routes IPv6 formatted traffic between interfaces as long as the interfaces are enabled for IPv6 and ACLs allow IPv6 formatted traffic. However, an administrator can add default routes as needed. Static routes are manually configured. They work fine in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.

To view Access Point default routes:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its submenu items.
4 Select Default Routes. The IPv4 Default Routes tab displays by default.

The IPv4 Default Routes screen provides the following information:
Figure 15-182 Access Point - IPv4 Default Routes screen

DNS Server: Lists the address of the DNS server providing IPv4 formatted address assignments on behalf of the Access Point.
Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed route as currently installed on the Access Point. A red X defines the route as not currently installed and utilized.
Metric: The metric (or cost) could be the distance of a router (round-trip time), link throughput or link availability.
Monitor Mode: Displays where in the network the route is monitored for utilization status.
Source: Lists whether the route is static, a DHCP-Client or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Monitoring Status: Lists whether the defined IPv4 route is currently reachable on the Access Point managed network. If not, perhaps a topology change has occurred to a static route, requiring a default route to be utilized.
Refresh: Select Refresh to update the display to the latest values.

5 Select the IPv6 Default Routes tab to review default route availabilities for IPv6 formatted traffic.

The IPv6 Default Routes screen provides the following information:
Figure 15-183 Wireless Controller - IPv6 Default Routes screen

Gateway Address: Lists the IP address of the gateway resource used with the listed route.
Installed: A green checkmark defines the listed IPv6 default route as currently installed on the Access Point. A red X defines the route as not currently installed and utilized.
Interface Name: Displays the interface on which the IPv6 default route is being utilized.
Lifetime: Lists the lifetime representing the valid usability of the default IPv6 route.
Preference: Displays the administrator defined IPv6 preferred route for IPv6 traffic.
Source: Lists whether the route is static or an administrator defined default route. Static routes are manually configured. Static routes work adequately in simple networks. However, static routes with topology changes require an administrator to manually configure and modify the corresponding route revisions. Default routes are useful, as they forward packets that match no specific routes in the routing table.
Status: Lists whether the defined IPv6 route is currently reachable on the Access Point managed network. If not, perhaps a topology change has occurred to a static route, requiring a default route to be utilized.
Refresh: Select Refresh to update the display to the latest values.

15.4.26.4 Bridge (Network)

Bridging is a forwarding technique used in networks. Bridging makes no assumption about where a particular address is located. It relies on the flooding and examination of source addresses in received packet headers to locate unknown devices. Once a device is located, its location is stored in a table to avoid broadcasting to that device again. Bridging is limited by its dependency on flooding, and is used in local area networks only. A bridge and an Access Point are very much alike, as an Access Point can be viewed as a bridge with a number of ports.
The Bridge screen provides details about the Integrate Gateway Server (IGS), which is a router connected to an Access Point. The IGS performs the following:

Issues IP addresses
Throttles bandwidth
Permits access to other networks
Times out old logins

The Bridging screen also provides information about the Multicast Router (MRouter), which is a router program that distinguishes between multicast and unicast packets and how they should be distributed along the Multicast Internet. Using an appropriate algorithm, a multicast router instructs a switching device what to do with the multicast packet.

To view an Access Point's Bridge statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its submenu items.
4 Select Bridge.
5 Review the following bridge configuration attributes:
Figure 15-184 Access Point - Network Bridge screen

Bridge Name: Displays the numeric ID of the network bridge.
MAC Address: Displays the MAC address of the bridge selected.
Interface: Displays the interface (Access Point physical port name) where the bridge transferred packets. Supported Access Point models have different port configurations.
VLAN: Displays the VLAN the bridge uses as a virtual interface.
Forwarding: Displays whether the bridge is forwarding packets.

6 Select Refresh to update the counters to their latest values.

15.4.26.5 IGMP (Network)

Internet Group Management Protocol (IGMP) is a protocol used for managing members of IP multicast groups. The Access Point listens to IGMP network traffic and forwards the IGMP multicast packets to radios on which the interested hosts are connected. On the wired side of the network, the Access Point floods all the wired interfaces. This feature reduces unnecessary flooding of multicast traffic in the network.

To view a network's IGMP configuration:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its submenu items.
4 Select IGMP.

The Group field displays the following:
Figure 15-185 Access Point - Network IGMP screen

VLAN: Displays the group VLAN where the multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address that hosts are listening to.
Port Members: Displays the ports on which multicast clients have been discovered by the Access Point. For example, ge1, radio1, etc.
Version: Displays each listed group's IGMP version compatibility as either version 1, 2 or 3.

The Multicast Router (MRouter) field displays the following:
VLAN: Displays the group VLAN where the multicast transmission is conducted.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure Access Point profile communications at the transport layer. Using MiNT, an Access Point can be configured to only communicate with other authorized (MiNT enabled) Access Points of the same model.
Query Interval: Lists the IGMP query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router IGMP version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.26.6 MLD (Network)

Multicast Listener Discovery (MLD) snooping enables a controller, service platform or Access Point to examine MLD packets and make forwarding decisions based on content. MLD is used by IPv6 devices to discover devices wanting to receive multicast packets destined for specific multicast addresses. MLD uses multicast listener queries and multicast listener reports to identify which multicast addresses have listeners and join multicast groups. MLD snooping caps the flooding of IPv6 multicast traffic on controller, service platform or Access Point VLANs. When enabled, MLD messages between hosts and multicast routers are examined to discern which hosts are receiving multicast group traffic. The controller, service platform or Access Point then forwards multicast traffic only to those interfaces connected to interested receivers instead of flooding traffic to all interfaces.

To view network MLD configuration options:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its submenu items.
4 Select MLD.

Figure 15-186 Access Point - Network MLD screen

The Multicast Listener Discovery (MLD) Group field describes the following:
VLAN: Displays the group VLAN where the MLD group's multicast transmission is conducted.
Group Address: Displays the Multicast Group ID supporting the statistics displayed. This group ID is the multicast address hosts are listening to.
Port Members: Displays the ports on which MLD multicast clients have been discovered. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported Access Point models.
Version: Displays each listed group's version compatibility as either version 1, 2 or 3.

The IPv6 Multicast Router (MRouter) field describes the following:
VLAN: Displays the group VLAN where the multicast transmission is conducted.
MiNT IDs: Lists MiNT IDs for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, an Access Point can be configured to only communicate with other authorized (MiNT enabled) devices.
Learn Mode: Displays the learning mode used by the router as either Static or PIM-DVMRP.
Port Members: Displays the physical ports on which multicast clients have been discovered by the multicast router. For example, ge1, radio1, etc. Ports can vary somewhat amongst supported Access Point models.
Query Interval: Lists the query interval implemented when the querier functionality is enabled. The default value is 60 seconds.
Version: Lists the multicast router version compatibility as either version 1, 2 or 3. The default setting is 3.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.26.7 Traffic Shaping (Network)

Traffic shaping regulates network data transfers to ensure a specific performance level. Traffic shaping delays the flow of packets defined as less important than prioritized traffic streams. Traffic shaping enables traffic control out of an interface to match its flow to the speed of a remote target's interface and ensure traffic conforms to applied policies. Traffic can be shaped to meet downstream requirements and eliminate network congestion when data rates are in conflict. Traffic shaping can be applied to specific applications or to application categories. When application and ACL rules conflict, an application rule takes precedence over an application category rule, which in turn takes precedence over ACLs.

To view network Access Point traffic shaping configuration:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Network menu from the left-hand side of the UI.
4 Select Traffic Shaping. The Status screen displays by default, and lists the Access Point's traffic shaping status.

Wireless Controller and Service Platform System Reference Guide 15 - 269 Statistics

Figure 15-187 Access Point - Network Traffic Shaping Statistics screen

5 Select Statistics.
6 Refer to the following Traffic Shaping statistics:
| Field | Description |
|---|---|
| Rate | The rate configuration controls the maximum traffic rate sent or received on an interface. Consider this form of rate limiting on interfaces at the edge of a network to limit traffic into or out of the network. Traffic within the set limit is sent and traffic exceeding the set limit is dropped or sent with a different priority. |
| Priority | Lists the traffic shaper queue priority. There are 8 queues (0 - 7), and traffic is queued in each based on incoming packets' 802.1p markings. |
| Packets Sent | Provides a baseline of the total number of packets sent, against which packet delays and drops resulting from the filter rules applied in the traffic shaping configuration can be assessed. |
| Packets Delayed | Lists the packets defined as less important than prioritized traffic streams and delayed as a result of the traffic shaping filter rules applied. |
| Packets Dropped | Lists the packets defined as less important than prioritized traffic streams, delayed and eventually dropped as a result of the traffic shaping filter rules applied. |
| Current Length | Lists the packet length of the data traffic shaped to meet downstream requirements. |
| Current Latency | Traffic shaping latency is the time limit after which packets start dropping as a result of the traffic prioritization filter rules applied. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.26.8 DHCP Options (Network)

Supported Access Points can use a DHCP server resource to provide the dynamic assignment of IP addresses automatically. DHCP is a protocol that includes IP address allocation and delivery of host-specific configuration parameters from a DHCP server to a host. Some of these parameters are IP address, gateway and network mask.

The DHCP Options screen provides the DHCP server name, the image file on the DHCP server, and its configuration.

To view a network's DHCP Options:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select DHCP Options.

The DHCP Options screen displays the following:
Figure 15-188 Access Point - Network DHCP Options screen

| Field | Description |
|---|---|
| Server Information | Displays the DHCP server hostname used on behalf of the Access Point. |
| Image File | Displays the image file name. BOOTP (the bootstrap protocol) can be used to boot diskless clients. An image file is sent from the boot server. The image file contains the image of the operating system the client will run. DHCP servers can be configured to support BOOTP. |
| Configuration | Displays the name of the configuration file on the DHCP server. |
| Legacy Adoption | Displays historical device adoption information on behalf of the Access Point. |
| Adoption | Displays adoption information on behalf of the Access Point. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.26.9 Cisco Discovery Protocol (Network)

The Cisco Discovery Protocol (CDP) is a proprietary Data Link Layer network protocol implemented in Cisco networking equipment and used to share information about network devices.

To view an Access Point's CDP statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select Cisco Discovery Protocol.

The Cisco Discovery Protocol screen displays the following:
Figure 15-189 Access Point - Network CDP screen

| Field | Description |
|---|---|
| Capabilities | Displays the capabilities code for the device as either Router, Trans Bridge, Source Route Bridge, Host, IGMP or Repeater. |
| Device ID | Displays the configured device ID or name for each listed device. |
| Local Port | Displays the local port name (Access Point physical port) for each CDP capable device. Supported Access Point models have unique port configurations. |
| Platform | Displays the model number of the CDP capable device interoperating with the Access Point. |
| Port ID | Displays the Access Point's numeric identifier for the local port. |
| TTL | Displays the time to live (TTL) for each CDP connection. |
| Clear Neighbors | Select Clear Neighbors to remove CDP neighbors from the table and begin a new data collection. |
| Refresh | Select Refresh to update the statistics counters to their latest values. |

15.4.26.10 Link Layer Discovery Protocol (Network)

The Link Layer Discovery Protocol (LLDP) or IEEE 802.1AB is a vendor-neutral Data Link Layer protocol used by network devices for advertising (announcing) their identity, capabilities, and interconnections on an IEEE 802 LAN. The protocol is formally referred to by the IEEE as Station and Media Access Control Connectivity Discovery.

To view a network's Link Layer Discovery Protocol statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network and expand the menu to reveal its sub menu items.
4 Select Link Layer Discovery.

The Link Layer Discovery Protocol screen displays the following:
Figure 15-190 Access Point - Network LLDP screen

| Field | Description |
|---|---|
| Capabilities | Displays the capabilities code for the device. |
| Device ID | Displays the configured device ID or name for each device in the table. |
| Enabled Capabilities | Displays which device capabilities are currently enabled. |
| Local Port | Displays the local port name (Access Point physical port) for each LLDP capable device. Supported Access Point models have unique port configurations. |
| Platform | Displays the model number of the LLDP capable device interoperating with the Access Point. |
| Port ID | Displays the identifier for the local port. |
| TTL | Displays the time to live (TTL) for each LLDP connection. |
| Clear Neighbors | Select Clear Neighbors to remove all known LLDP neighbors from the table. |
| Refresh | Select Refresh to update the statistics counters to their latest values. |

15.4.26.11 IPv6 Neighbor Discovery (Network)

IPv6 neighbor discovery uses ICMP messages and solicited multicast addresses to find the link layer address of a neighbor on the same local network, verify the neighbor's reachability and track neighboring devices. Upon receiving a neighbor solicitation message, the destination replies with a neighbor advertisement (NA). The source address in the advertisement is the IPv6 address of the device sending the message. The destination address in the advertisement message is the IPv6 address of the device that sent the neighbor solicitation. The data portion of the NA includes the link layer address of the node sending the neighbor advertisement. Neighbor solicitation messages also verify the availability of a neighbor once its link layer address is identified. When a node wants to verify the reachability of a neighbor, the destination address in a neighbor solicitation message is the unicast address of the neighbor. A neighbor is interpreted as reachable when an acknowledgment is returned indicating packets have been received and processed.
If packets are reaching the device, they're also reaching the next hop neighbor, providing confirmation that the next hop is reachable.

To view an Access Point's IPv6 neighbor statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Network menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Discovery.

Figure 15-191 Access Point - Network IPv6 Neighbor screen

The IPv6 Neighbor screen displays the following:
| Field | Description |
|---|---|
| IPv6 Address | Lists an IPv6 IP address for neighbor discovery. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. |
| MAC Address | Lists the factory encoded hardware MAC address of the neighbor device using an IPv6 formatted IP address as its network identifier. |
| Type | Displays the device type for the neighbor solicitation. Neighbor solicitations request the link layer address of a target node while providing the sender's own link layer address to the target. Neighbor solicitations are multicast when the node needs to resolve an address and unicast when the node seeks to verify the reachability of a neighbor. Options include Host, Router and DHCP Server. |
| VLAN | Lists the virtual interface (from 1 - 4094) used for the neighbor advertisement and solicitation messages required for neighbor discovery. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.26.12 MSTP (Network)

The Multiple Spanning Tree Protocol (MSTP) provides an extension to RSTP to optimize the usefulness of VLANs. MSTP allows for a separate spanning tree for each VLAN group, and blocks all but one of the possible alternate paths within each spanning tree topology. If there's just one VLAN in the Access Point managed network, a single spanning tree works fine. However, if the network contains more than one VLAN, the network topology defined by a single STP would work, but it's possible to make better use of the alternate paths available by using a separate spanning tree for different VLANs or groups of VLANs.
MSTP includes all of its spanning tree information in a single Bridge Protocol Data Unit (BPDU) format. BPDUs are used to exchange information such as bridge IDs and root path costs. Not only does this reduce the number of BPDUs required to communicate spanning tree information for each VLAN, but it also ensures backward compatibility with RSTP. MSTP encodes additional region information after the standard RSTP BPDU, as well as a number of MSTI messages. Each MSTI message conveys the spanning tree information for one instance. Each instance can be assigned a number of configured VLANs. The frames assigned to these VLANs operate in this spanning tree instance whenever they are inside the MST region. To avoid conveying its entire VLAN-to-spanning-tree mapping in each BPDU, the Access Point encodes an MD5 digest of its VLAN-to-instance table in the MSTP BPDU. This digest is used by other MSTP supported devices to determine whether the neighboring device is in the same MST region as itself.

To view a controller or service platform's MSTP statistics:
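The region digest just described, as an added example that is not from this guide or the device's own code: IEEE 802.1Q specifies the digest as HMAC-MD5 over the 4096-entry VLAN-to-MSTI table using a fixed, published key, so two bridges that place the same VLANs in the same instances advertise the same digest and can compare it instead of the whole table. The dictionary layout for a bridge's configuration and the region names are constructed for this example.

```python
import hmac
import hashlib

# Key fixed by IEEE 802.1Q for computing the MST Configuration Digest (HMAC-MD5).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Digest a bridge advertises when every VLAN is left in instance 0 (the well-known
# default digest that appears in "show spanning-tree mst" style output).
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"


def mst_config_digest(vlan_to_msti):
    """Compute the configuration digest carried in an MSTP BPDU.

    vlan_to_msti maps VLAN ID -> MSTI number; VLANs not listed belong to instance 0
    (the IST/CIST). The digested table has one 16-bit big-endian entry per VLAN ID
    0..4095, so the digest depends only on the mapping, never on the order the
    VLANs were configured in.
    """
    table = bytearray(4096 * 2)
    for vid, msti in vlan_to_msti.items():
        if not 0 <= vid <= 4095:
            raise ValueError(f"VLAN ID out of range: {vid}")
        if not 0 <= msti <= 4094:
            raise ValueError(f"MSTI out of range: {msti}")
        table[2 * vid:2 * vid + 2] = msti.to_bytes(2, "big")
    return hmac.new(MST_DIGEST_KEY, bytes(table), hashlib.md5).hexdigest().upper()


def same_mst_region(cfg_a, cfg_b):
    """Two bridges form one MST region only if name, revision and digest all match.

    Each cfg is a dict with keys "name", "revision" and "vlan_to_msti"; this layout
    is constructed for the example, not the device's data model.
    """
    return (
        cfg_a["name"] == cfg_b["name"]
        and cfg_a["revision"] == cfg_b["revision"]
        and mst_config_digest(cfg_a["vlan_to_msti"])
        == mst_config_digest(cfg_b["vlan_to_msti"])
    )


if __name__ == "__main__":
    # Constructed configurations: the peer_bad bridge has VLAN 20 in a different instance,
    # so its digest differs and it falls into a separate region despite the same name.
    ap = {"name": "campus", "revision": 1, "vlan_to_msti": {10: 1, 20: 1, 30: 2}}
    peer_ok = {"name": "campus", "revision": 1, "vlan_to_msti": {30: 2, 20: 1, 10: 1}}
    peer_bad = {"name": "campus", "revision": 1, "vlan_to_msti": {10: 1, 20: 2, 30: 2}}
    print(mst_config_digest({}) == DEFAULT_DIGEST)                       # True
    print(same_mst_region(ap, peer_ok), same_mst_region(ap, peer_bad))  # True False
```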
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Network menu from the left-hand side of the UI.
4 Select MSTP.

Figure 15-192 Access Point - Network MSTP screen

The MST Config field displays the name assigned to the MSTP configuration, its digest, format ID, name and revision. The MST Bridge field lists the filters and guards that have been enabled and whether Cisco interoperability is enabled. The MST Bridge Port Detail field lists specific Access Point port status and their current state.

15.4.27 DHCPv6 Relay & Client (Access Point Statistics)

DHCPv6 is a networking protocol for configuring IPv6 hosts with IP addresses, IP prefixes or other configuration attributes required on an IPv6 network. DHCPv6 relay agents receive messages from clients and forward them to a DHCPv6 server. The server sends responses back to the relay agent, and the relay agent sends the responses to the client on the local link.

To assess an Access Point's DHCPv6 relay configuration:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select DHCP Relay & Client from the left-hand side of the UI.
4 The DHCPv6 Status table defines the following:
Figure 15-193 Access Point - DHCPv6 Relay and Client screen

| Field | Description |
|---|---|
| Interfaces | Displays the Access Point interface used for DHCPv6 relay. |
| State | Displays the current operational state of the DHCPv6 server to assess its availability as a viable IPv6 provisioning resource. |

5 The DHCPv6 Status table defines the following:
| Field | Description |
|---|---|
| Client Identifier | Lists whether the reporting client is using a hardware address or client identifier as its identifier type within requests to the DHCPv6 server. |
| Server Identifier | Displays the server identifier supporting client DHCPv6 relay message reception. |
| DNS Servers | Lists the DNS server resources supporting relay messages received from clients. |
| Domain Name | Lists the domain to which the remote server resource belongs. |
| Interface | Displays the interfaces dedicated to client DHCPv6 relay message reception. |
| Refresh Time (Seconds) | Lists the time (in seconds) since the data populating the DHCPv6 client received options table was last refreshed. |
| Server Preference | Lists the preferred DHCPv6 server resource supporting relay messages received from clients. |
| SIP Domain Name | Lists the SIP domain name supporting DHCPv6 client telephone extensions or voice over IP systems. |
| SIP Server | Displays the SIP server name supporting DHCPv6 telephone extensions or voice over IP systems. |
| Enterprise ID | Lists the enterprise ID associated with DHCPv6 received client options. |

6 Refer to the Vendor Options table for the following:
| Field | Description |
|---|---|
| Code | Lists the relevant numeric DHCP vendor code. |
| Data | Lists the supporting data relevant to the listed DHCP vendor code. |

15.4.28 DHCP Server (Access Point Statistics)

Access Points utilize an internal Dynamic Host Configuration Protocol (DHCP) server. DHCP can provide IP addresses automatically. DHCP is a protocol that includes mechanisms for IP address allocation and delivery of host-specific configuration parameters (IP address, network mask, gateway, etc.) from a DHCP server to a host.

To review DHCP server statistics, refer to the following:
Viewing General DHCP Information
Viewing DHCP Binding Information
Viewing DHCP Server Networks Information

15.4.28.1 Viewing General DHCP Information (DHCP Server)

To view General DHCP status and binding information for both DHCPv4 and DHCPv6:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select General.
5 The DHCPv4 Status and DHCPv6 Status tables define the following:
Figure 15-194 Access Point - DHCP Server General screen

| Field | Description |
|---|---|
| Interfaces | Displays the Access Point interface used with the DHCPv4 or DHCPv6 resource for IP address provisioning. |
| State | Displays the current operational state of the DHCPv4 or DHCPv6 server to assess its availability as a viable IP provisioning resource. |

6 The DDNS Bindings table displays the following:
| Field | Description |
|---|---|
| IP Address | Displays the IP address assigned to the requesting client. |
| Name | Displays the domain name mapping corresponding to the listed IP address. |

7 The DHCP Manual Bindings table displays the following:
| Field | Description |
|---|---|
| IP Address | Displays the IP address for clients requesting DHCP provisioning resources. |
| Client Id | Displays the client's ID used to differentiate requesting clients. |

8 Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.28.2 Viewing DHCP Binding Information (DHCP Server)

The DHCP Binding screen displays DHCP binding information such as expiry time, client IP addresses and their MAC address. Access Points build and maintain a DHCP snooping table (DHCP binding database). An Access Point uses the snooping table to identify and filter untrusted messages. The DHCP binding database keeps track of DHCP addresses assigned to ports, as well as filtering DHCP messages from untrusted ports. Incoming packets received on untrusted ports are dropped if the source MAC address does not match the MAC in the binding table.

To view the DHCP binding information:
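The binding database and untrusted-port filter described above, as an added example that is not the guide's or the device's own code: bindings are learned from DHCP ACKs arriving on trusted (server-facing) ports, server messages that show up on untrusted client ports are dropped, and a packet on an untrusted port is forwarded only while its source MAC has a live binding. Port names follow the guide's ge1/radio1 examples; the trusted-port model, the message names and the extra source-IP check are assumptions for this example.

```python
from dataclasses import dataclass


@dataclass
class Binding:
    """One DHCP snooping binding: a client lease as learned from the DHCP server."""
    mac: str
    ip: str
    vlan: int
    port: str           # port the client was seen on, e.g. "radio1"
    expires_at: float   # lease expiry, seconds since epoch


class DhcpSnoopingTable:
    """Binding database plus the trusted/untrusted port filter.

    Ports facing the DHCP server (here the uplink "ge1") are trusted; client-facing
    ports such as radios are untrusted. The message names, the trusted-port model
    and the source-IP check on untrusted ports are assumptions for this example.
    """

    # Message types only a DHCP server sends (DHCP option 53 values in RFC 2132)
    SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.bindings = {}      # (vlan, mac) -> Binding
        self.client_ports = {}  # (vlan, mac) -> port the client last spoke on

    @staticmethod
    def _norm(mac):
        return mac.lower().replace("-", ":")

    def dhcp_message(self, port, vlan, msg_type, client_mac,
                     ip=None, lease_time=0, now=0.0):
        """Inspect one DHCP message; return True if forwarded, False if dropped."""
        key = (vlan, self._norm(client_mac))
        if msg_type in self.SERVER_MESSAGES:
            if port not in self.trusted:
                return False   # a server answering on a client port is rogue: drop it
            if msg_type == "ACK":
                # the lease is now authoritative: create or refresh the binding
                self.bindings[key] = Binding(key[1], ip, vlan,
                                             self.client_ports.get(key, port),
                                             now + lease_time)
            return True
        if port not in self.trusted:
            self.client_ports[key] = port  # DISCOVER/REQUEST: remember the client's port
        return True

    def expire(self, now):
        """Remove bindings whose lease has run out (the screen's Expiry Time)."""
        for key in [k for k, b in self.bindings.items() if b.expires_at <= now]:
            del self.bindings[key]

    def allow_packet(self, port, vlan, src_mac, src_ip, now):
        """Filter a non-DHCP packet. Trusted ports pass unfiltered; on an untrusted
        port the source MAC needs a live binding in that VLAN and the source IP must
        be the leased one, so a client cannot borrow another client's address."""
        if port in self.trusted:
            return True
        self.expire(now)
        b = self.bindings.get((vlan, self._norm(src_mac)))
        return b is not None and b.ip == src_ip


if __name__ == "__main__":
    # Constructed sample exchange: client on radio1, DHCP server reached via ge1
    table = DhcpSnoopingTable(trusted_ports={"ge1"})
    table.dhcp_message("radio1", 10, "DISCOVER", "AA:BB:CC:DD:EE:01", now=0)
    table.dhcp_message("ge1", 10, "ACK", "aa:bb:cc:dd:ee:01",
                       ip="10.0.10.5", lease_time=3600, now=1)
    print(table.allow_packet("radio1", 10, "AA:BB:CC:DD:EE:01", "10.0.10.5", now=60))    # True
    print(table.allow_packet("radio1", 10, "AA:BB:CC:DD:EE:02", "10.0.10.5", now=60))    # False
    print(table.allow_packet("radio1", 10, "AA:BB:CC:DD:EE:01", "10.0.10.5", now=4000))  # False
```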
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Bindings.

The Bindings screen displays the following:
Figure 15-195 Access Point - DHCP Server Bindings screen

| Field | Description |
|---|---|
| Expiry Time | Displays the expiration of the lease used by the client for Access Point DHCP resources. |
| IP Address | Displays the IP address of each listed client requesting DHCP services. |
| DHCP MAC Address | Displays the MAC address of each listed client requesting DHCP services. |
| Clear | Select a table entry and select Clear to remove the client from the list of devices requesting DHCP services from the Access Point. |
| Clear All | Select Clear All to remove all listed clients from the list of requesting clients. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.28.3 Viewing DHCP Server Networks Information (DHCP Server)

The DHCP server maintains a pool of IP addresses and client configuration parameters (default gateway, domain name, name servers, etc.). On receiving a valid client request, the server assigns the requestor an IP address, a lease (the period of time for which the address remains valid), and other IP configuration parameters.

The Networks screen provides network pool information such as the subnet for the addresses you want to use from the pool, the pool name, the used addresses and the total number of addresses.

To view the DHCP Server Networks information:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the DHCP Server menu from the left-hand side of the UI.
4 Select Networks.

The Networks screen displays the following:
Figure 15-196 Access Point - DHCP Server Networks screen

| Field | Description |
|---|---|
| Name | Displays the name of the virtual network (VLAN) from which IP addresses can be issued to DHCP client requests on the listed Access Point interface. |
| Subnet Address | Displays the subnet for the IP addresses used from the network pool. |
| Used Addresses | Displays the number of host IP addresses allocated by the DHCP server. |
| Total Addresses | Displays the total number of IP addresses available in the network pool for requesting clients. |

5 Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.29 Firewall (Access Point Statistics)

A firewall is a part of a computer system or network designed to block unauthorized access while permitting authorized communications. It's a device or set of devices configured to permit or deny access to the controller or service platform managed network based on a defined set of rules.

This screen is partitioned into the following:
Packet Flows
Denial of Service
IP Firewall Rules
IPv6 Firewall Rules
MAC Firewall Rules
NAT Translations
DHCP Snooping
IPv6 Neighbor Snooping

15.4.29.1 Packet Flows (Firewall)

The Packet Flows screen displays data traffic packet flow utilization. The chart represents the different protocol flows supported, and displays a proportional view of the flows with respect to their percentage of data traffic utilized. The Total Active Flows graph displays the total number of flows supported. Other bar graphs display for each individual packet type.

To view Access Point packet flows statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select Packet Flows.
5 Periodically select Refresh to update the statistics counters to their latest values. Clear All clears all the statistics counters and begins a new data collection.

Figure 15-197 Access Point - Firewall Packet Flows screen

15.4.29.2 Denial of Service (Firewall)

A denial-of-service attack (DoS attack) or distributed denial-of-service attack is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out a DoS attack may vary, it generally consists of concerted efforts to prevent an Internet site or service from functioning efficiently. One common method involves saturating the target machine with external communications requests, so it cannot respond to legitimate traffic or responds so slowly as to be rendered effectively unavailable. DoS attacks are implemented by either forcing the targeted computer(s) to reset, or consuming their resources so they can't provide their intended service.

The DoS screen displays the types of attack, the number of times each occurred and the time of last occurrence.

To view Access Point DoS attack information:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select Denial of Service.

The Denial of Service screen displays the following:
Figure 15-198 Access Point - Firewall Denial of Service screen

| Field | Description |
|---|---|
| Attack Type | Displays the Denial of Service (DoS) attack type. |
| Count | Displays the number of times the Access Point's firewall has detected each listed DoS attack. |
| Last Occurrence | Displays when the attack event was last detected by the Access Point firewall. |
| Clear All | Select the Clear All button to clear the screen of its current status and begin a new data collection. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.29.3 IP Firewall Rules (Firewall)

Create firewall rules to let any computer send IPv4 formatted traffic to, or receive traffic from, programs, system services, computers or users. Firewall rules can be created to take one of the three actions listed below when traffic matches the rule's criteria:
Allow an IPv4 connection
Allow an IPv4 connection only if it is secured through the use of Internet Protocol security
Block a connection

Rules can be created for either inbound or outbound IPv4 formatted packet traffic.

To view IPv4 firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select IP Firewall Rules.

The IP Firewall Rules screen displays the following:
Figure 15-199 Access Point - Firewall IP Firewall Rules screen

| Field | Description |
|---|---|
| Precedence | Displays the precedence value applied to packets. The rules within an Access Control List (ACL) are ordered by their precedence values. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence. |
| Friendly String | The friendly string provides information as to which firewall the rules apply. |
| Hit Count | Displays the number of times each firewall rule has been triggered. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.29.4 IPv6 Firewall Rules (Firewall)

IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet layer configuration parameters.

Allow an IPv6 formatted connection
Allow a connection only if it is secured through the use of IPv6 security
Block a connection and exchange of IPv6 formatted packets

To view existing IPv6 firewall rules:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Firewall Rules.

Figure 15-200 Access Point - Firewall IPv6 Firewall Rules screen

The IPv6 Firewall Rules screen displays the following:
| Field | Description |
|---|---|
| Precedence | Displays the precedence (priority) applied to IPv6 formatted packets. Unlike IPv4, IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. Every rule has a unique precedence value between 1 and 5000. You cannot add two rules with the same precedence value. |
| Friendly String | This is a string that provides more information as to the contents of the IPv6 specific IP rule. This is for information purposes only. |
| Hit Count | Displays the number of times each IPv6 ACL has been triggered. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.29.5 MAC Firewall Rules (Firewall)

The ability to allow or deny Access Point connectivity by client MAC address ensures malicious or unwanted clients are unable to bypass the Access Point's security filters. Firewall rules can be created to support one of the three actions listed below when traffic matches the rule's criteria:
Allow a connection
Allow a connection only if it's secured through the MAC firewall security
Block a connection

To view the Access Point's MAC Firewall Rules:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select MAC Firewall Rules.

The MAC Firewall Rules screen displays the following information:
Figure 15-201 Access Point - Firewall MAC Firewall Rules screen

| Field | Description |
|---|---|
| Precedence | Displays the precedence value applied to packets. The rules within an Access Control List (ACL) are ordered by their precedence. Every rule has a unique precedence between 1 and 5000. You cannot add two rules with the same precedence value. |
| Friendly String | This is a string that provides information as to which firewall the rules apply. |
| Hit Count | Displays the number of times each WLAN ACL has been triggered. |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.29.6 NAT Translations (Firewall)

Network Address Translation (NAT) is a technique to modify network address information within IP packet headers in transit. This enables mapping one IP address to another to protect wireless controller managed network address credentials. With typical deployments, NAT is used as an IP masquerading technique to hide private IP addresses behind a single, public facing, IP address. NAT can provide outbound Internet access to wired and wireless hosts connected to either an Access Point or a wireless controller. Many-to-one NAT is the most common NAT technique for outbound Internet access. Many-to-one NAT allows an Access Point or wireless controller to translate one or more internal private IP addresses to a single, public facing, IP address assigned to a 10/100/1000 Ethernet port or 3G card.

To view the Firewall's NAT translations:
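Many-to-one NAT and the forward/reverse flow table it keeps, as an added example that is not from this guide or the device: every outbound connection gets its own port (or ICMP ID) on the single public address, and a packet arriving from the Internet is delivered to a private host only if it matches a recorded reverse flow, so unsolicited inbound traffic has nowhere to go. The addresses are constructed documentation ranges, and the port allocation policy is an assumption.

```python
from dataclasses import dataclass
import itertools


@dataclass(frozen=True)
class Flow:
    """One direction of a connection. For ICMP, src_port/dst_port carry the ICMP ID."""
    proto: str      # "tcp", "udp" or "icmp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Translation:
    forward: Flow   # packet as sent by the private host (Forward Source/Dest columns)
    reverse: Flow   # reply as it arrives on the public interface (Reverse columns)


class ManyToOneNat:
    """Many-to-one (masquerading) NAT table with forward and reverse lookups.

    All private hosts share one public IP; connections are told apart by the
    source port (or ICMP ID) the NAT allocates. Sequential allocation starting
    at 1024 is an assumption for this example, not the device's policy.
    """

    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        self.by_forward = {}   # Flow -> Translation
        self.by_reverse = {}   # Flow -> Translation

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private network; returns (public_ip, nat_port).

        An existing translation is reused, so all packets of one connection keep
        the same public port and the remote host sees a stable source."""
        fwd = Flow(proto, src_ip, src_port, dst_ip, dst_port)
        t = self.by_forward.get(fwd)
        if t is None:
            nat_port = next(self._ports)
            # the reply we expect: remote host -> our public address on the NAT port
            rev = Flow(proto, dst_ip, dst_port, self.public_ip, nat_port)
            t = Translation(fwd, rev)
            self.by_forward[fwd] = t
            self.by_reverse[rev] = t
        return t.reverse.dst_ip, t.reverse.dst_port

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving on the public interface.

        Returns the private (ip, port) it belongs to, or None when no translation
        exists, in which case the packet is dropped rather than forwarded inside."""
        t = self.by_reverse.get(Flow(proto, src_ip, src_port, dst_ip, dst_port))
        if t is None:
            return None
        return t.forward.src_ip, t.forward.src_port

    def rows(self):
        """The table laid out the way the NAT Translations screen shows it."""
        return [
            {"Protocol": t.forward.proto.upper(),
             "Forward Source": f"{t.forward.src_ip}:{t.forward.src_port}",
             "Forward Dest": f"{t.forward.dst_ip}:{t.forward.dst_port}",
             "Reverse Source": f"{t.reverse.src_ip}:{t.reverse.src_port}",
             "Reverse Dest": f"{t.reverse.dst_ip}:{t.reverse.dst_port}"}
            for t in self.by_forward.values()
        ]


if __name__ == "__main__":
    # Constructed traffic: two private hosts reach one web server, one sends a ping
    nat = ManyToOneNat("203.0.113.10")
    print(nat.outbound("tcp", "192.168.1.20", 50000, "198.51.100.7", 443))  # ('203.0.113.10', 1024)
    print(nat.outbound("tcp", "192.168.1.21", 50000, "198.51.100.7", 443))  # ('203.0.113.10', 1025)
    print(nat.outbound("icmp", "192.168.1.20", 7, "198.51.100.7", 7))       # ('203.0.113.10', 1026)
    print(nat.inbound("tcp", "198.51.100.7", 443, "203.0.113.10", 1025))   # ('192.168.1.21', 50000)
    print(nat.inbound("tcp", "198.51.100.7", 22, "203.0.113.10", 2000))    # None (unsolicited)
    for row in nat.rows():
        print(row)
```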
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select NAT Translations.

The NAT Translations screen displays the following:
Figure 15-202 Access Point - Firewall NAT Translation screen

| Field | Description |
|---|---|
| Protocol | Lists the NAT translation IP protocol as either TCP, UDP or ICMP. |
| Forward Source IP | Displays the source IP address for the forward NAT flow. |
| Forward Source Port | Displays the source port for the forward NAT flow (contains the ICMP ID if it is an ICMP flow). |
| Forward Dest IP | Displays the destination IP address for the forward NAT flow. |
| Forward Dest Port | Displays the destination port for the forward NAT flow (contains the ICMP ID if it is an ICMP flow). |
| Reverse Source IP | Displays the source IP address for the reverse NAT flow. |
| Reverse Source Port | Displays the source port for the reverse NAT flow (contains the ICMP ID if it is an ICMP flow). |
| Reverse Dest IP | Displays the destination IP address for the reverse NAT flow. |
| Reverse Dest Port | Displays the destination port for the reverse NAT flow (contains the ICMP ID if it is an ICMP flow). |
| Refresh | Select the Refresh button to update the screen's statistics counters to their latest values. |

15.4.29.7 DHCP Snooping (Firewall)

When DHCP servers are allocating IP addresses to clients on the LAN, DHCP snooping can be configured to better enforce security on the LAN by allowing only clients with specific IP/MAC addresses.

1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Firewall and expand the menu to reveal its sub menu items.
4 Select DHCP Snooping.

The DHCP Snooping screen displays the following:
Figure 15-203 Access Point - Firewall DHCP Snooping screen MAC Address Node Type IP Address Netmask VLAN Lease Time Displays the MAC address of the client requesting DHCP resources from the controller or service platform. Displays the NetBios node from which IP addresses can be issued to client requests on this interface. Displays the IP address used for DHCP discovery, and requests between the DHCP server and DHCP clients. Displays the subnet mask used for DHCP discovery, and requests between the DHCP server and DHCP clients. Displays the VLAN used as a virtual interface for the newly created DHCP configuration. When a DHCP server allocates an address for a DHCP client, the client is assigned a lease (which expires after a designated interval defined by the administrator). The lease time is the time an IP address is reserved for re-
connection after its last use. Using very short leases, DHCP can dynamically reconfigure networks in which there are more computers than there are available IP addresses. This is useful, for example, in education and customer environments where client users change frequently. Use longer leases if there are fewer users. Wireless Controller and Service Platform System Reference Guide 15 - 289 Statistics Time Elapsed Since Last Updated Clear All Refresh Displays the time the server was last updated. Select the Clear All button to clear the screen of its current status and begin a new data collection. Select the Refresh button to update the screens statistics counters to their latest values. 15.4.29.8 IPv6 Neighbor Snooping Firewall Access Points listen to IPv6 formatted network traffic and forward IPv6 packets to radios on which the interested hosts are connected. To review IPv6 neighbor snooping statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Expand the Firewall menu from the left-hand side of the UI.
4 Select IPv6 Neighbor Snooping.
The IPv6 Neighbor Snooping screen displays the following:

Figure 15-204 Access Point - Firewall IPv6 Neighbor Snooping screen

MAC Address: Displays the MAC address of the IPv6 client.
Node Type: Displays the NetBIOS node with an IPv6 address pool from which IP addresses can be issued to client requests on this interface.
IPv6 Address: Displays the IPv6 address used for DHCPv6 discovery and requests between the DHCPv6 server and DHCP clients.
VLAN: Displays the Access Point virtual interface ID used for a new DHCPv6 configuration.
Mint Id: Lists the MiNT ID for each listed VLAN. MiNT provides the means to secure communications at the transport layer. Using MiNT, a device can be configured to only communicate with other authorized (MiNT enabled) devices of the same model.
Snoop Id: Lists the numeric snooping session ID generated when Access Points listen to IPv6 formatted network traffic and forward IPv6 packets to radios.
Time Elapsed Since Last Update: Displays the amount of time elapsed since the DHCPv6 server was last updated.
Clear Neighbors: Select Clear Neighbors to revert the counters to zero and begin a new data collection.
Refresh: Select the Refresh button to update the screen's counters to their latest values.

15.4.30 VPN

IPSec VPN provides a secure tunnel between two networked peer controllers or service platforms. Administrators can define which packets are sent within the tunnel, and how they are protected. When a tunnelled peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its remote peer destination.

Tunnels are sets of security associations (SAs) between two peers. SAs define the protocols and algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are established per the rules and conditions of the defined security protocols (AH or ESP).

Crypto maps combine the elements comprising IPSec SAs. Crypto maps also include transform sets. A transform set is a combination of security protocols, algorithms and other settings applied to IPSec protected traffic. One crypto map is utilized for each IPsec peer; however, for remote VPN deployments one crypto map is used for all the remote IPsec peers.

The Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration simplicity for the IPSec standard. IKE automatically negotiates IPSec SAs, and enables secure communications without time consuming manual pre-configuration.

VPN statistics are partitioned into the following:
IKESA
IPSec

15.4.30.1 IKESA

The IKESA screen allows for the review of individual peer security association statistics.
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IKESA.
5 Review the following VPN peer security association statistics:

Figure 15-205 Access Point - VPN IKESA screen

Peer: Lists peer IDs for peers sharing security associations (SAs) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Version: Displays each peer's IKE version used for auto IPSec secure authentication with the IPSec gateway and other controllers or service platforms.
State: Lists the state of each listed peer's security association (whether established or not).
Lifetime: Displays the lifetime for the duration of each listed peer's IPSec VPN security association. Once the set value is exceeded, the association is timed out.
Local IP Address: Displays each listed peer's local tunnel end point IP address. This address represents an alternative to an interface IP address.
Clear All: Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.30.2 IPSec

Use the IPSec VPN screen to assess tunnel status between networked peers. To view IPSec VPN status for tunnelled peers:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select VPN and expand the menu to reveal its sub menu items.
4 Select IPSec.
5 Review the following VPN peer security association statistics:

Figure 15-206 Access Point - VPN IPSec screen

Peer: Lists IP addresses for peers sharing security associations (SAs) for tunnel interoperability. When a peer sees a sensitive packet, it creates a secure tunnel and sends the packet through the tunnel to its destination.
Local IP Address: Displays each listed peer's local tunnel end point IP address. This address represents an alternative to an interface IP address.
Protocol: Lists the security protocol used with the VPN IPSec tunnel connection. SAs are unidirectional, existing in each direction and established per security protocol. Options include ESP and AH.
State: Lists the state of each listed peer's security association.
SPI In: Lists stateful packet inspection (SPI) status for incoming IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures it is valid.
SPI Out: Lists SPI status for outgoing IPSec tunnel packets. SPI tracks each connection traversing the IPSec VPN tunnel and ensures it is valid.
Mode: Displays the IKE mode. IPSec has two modes in IKEv1 for key exchange. Aggressive mode requires 3 messages to be exchanged between the IPSec peers to set up the SA; Main mode requires 6 messages.
Clear All: Select the Clear All button to clear each peer of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.31 Certificates

The Secure Socket Layer (SSL) protocol ensures secure transactions between Web servers and browsers. SSL uses a third-party certificate authority to identify one (or both) ends of a transaction. A browser checks the certificate issued by the server before establishing a connection. This screen is partitioned into the following:
Trustpoints
RSA Keys

15.4.31.1 Trustpoints

Each certificate is digitally signed by a trustpoint. The trustpoint signing the certificate can be a certificate authority, corporate or individual. A trustpoint represents a CA/identity pair containing the identity of the CA, CA-specific configuration parameters and an association with an enrolled identity certificate.
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Certificates and expand the menu to reveal its sub menu items.
4 Select Trustpoints.
The Certificate Details field displays the following:

Figure 15-207 Access Point - Certificate Trustpoint screen

Subject Name: Lists details about the entity to which the certificate is issued.
Alternate Subject Name: Displays alternative details to the information specified under the Subject Name field.
Issuer Name: Displays the name of the organization issuing the certificate.
Serial Number: The unique serial number of the certificate issued.
RSA Key Used: Displays the name of the key pair generated separately, or automatically when selecting a certificate.
Is CA: Indicates whether this certificate is an authority certificate (Yes/No).
Is Self Signed: Displays whether the certificate is self-signed (Yes/No).
Server Certificate Present: Displays whether a server certificate is present or not (Yes/No).
CRL Present: Displays whether a Certificate Revocation List (CRL) is present (Yes/No). A CRL contains a list of subscribers paired with digital certificate status. The list displays revoked certificates along with the reasons for revocation. The date of issuance and the entities that issued the certificate are also included.

5 Refer to the Validity field to assess the certificate duration beginning and end dates.
6 Review the Certificate Authority (CA) Details and Validity information to assess the subject and certificate duration periods.
7 Periodically select the Refresh button to update the screen's statistics counters to their latest values.

15.4.31.2 RSA Keys

Rivest, Shamir, and Adleman (RSA) is an algorithm for public key cryptography. It is the first algorithm known to be suitable for signing as well as encryption. The RSA Keys screen displays a list of RSA keys installed in the selected Access Point. RSA keys are generally used for establishing an SSH session, and are a part of the certificate set used by RADIUS, VPN and HTTPS. To view the RSA key details:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Certificates and expand the menu to reveal its sub menu items.
4 Select RSA Keys.

Figure 15-208 Access Point - Certificate RSA Keys screen

The RSA Key Details field displays the size (in bits) of the desired key. If not specified, a default key size of 1024 is used. The RSA Public Key field lists the public key used for encrypting messages.
5 Periodically select the Refresh button to update the screen's statistics counters to their latest values.

15.4.32 WIPS

A Wireless Intrusion Prevention System (WIPS) monitors the radio spectrum for the presence of unauthorized Access Points and takes measures to prevent an intrusion. Unauthorized attempts to access a controller or service platform managed WLAN are generally accompanied by anomalous behavior as intruding clients try to find network vulnerabilities. Basic forms of this behavior can be monitored and reported without a dedicated WIPS. When the parameters exceed a configurable threshold, an SNMP trap is generated that reports the results via management interfaces.

The WIPS screens provide details about the blacklisted clients (unauthorized Access Points) that intruded into the network. Details include the name of the blacklisted client, the time when the client was blacklisted, the total time the client remained in the network, etc. The screen also provides WIPS event details. For more information, see:
WIPS Client Blacklist
WIPS Events

15.4.32.1 WIPS Client Blacklist

The Client Blacklist displays blacklisted clients detected by this Access Point using WIPS. Blacklisted clients are not allowed to associate to this Access Point. To view the WIPS client blacklist for this Access Point:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select Client Blacklist.

Figure 15-209 Access Point - WIPS Client Blacklist screen

The WIPS Client Blacklist screen displays the following:

Event Name: Displays the name of the event that resulted in the blacklisting.
Blacklisted Client: Displays the MAC address of the unauthorized and blacklisted device intruding into this Access Point's radio coverage area.
Time Blacklisted: Displays the time when the client was blacklisted by this Access Point.
Total Time: Displays the time the unauthorized (now blacklisted) device remained in this Access Point's WLAN.
Time Left: Displays the time the blacklisted client remains on the list.
Refresh: Select the Refresh button to update the statistics counters to their latest values.

15.4.32.2 WIPS Events

To view the WIPS event statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select WIPS and expand the menu to reveal its sub menu items.
4 Select WIPS Events.
The WIPS Events screen provides the following:

Figure 15-210 Access Point - WIPS Events screen

Event Name: Displays the name of the detected wireless intrusion event.
Reporting AP: Displays the MAC address of the Access Point reporting the listed intrusion.
Originating Device: Displays the MAC address of the intruding device.
Detector Radio: Displays the number of the detecting Access Point radio.
Time Reported: Displays the time when the intrusion event was detected.
Clear All: Select the Clear All button to clear the screen of its current status and begin a new data collection.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.33 Sensor Servers

Sensor servers allow the monitoring and download of data from multiple sensors and remote locations using Ethernet TCP/IP or serial communication. Repeaters are available to extend the transmission range and combine sensors with various frequencies on the same receiver. To view the network address and status information of the sensor server resources available to the Access Point:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Sensor Servers.
The Sensor Servers screen displays the following:
Figure 15-211 Access Point - Sensor Servers screen

IP Address/Hostname: Displays a list of sensor server IP addresses or administrator assigned hostnames. These are the server resources available to the Access Point for the management of data uploaded from dedicated sensors.
Port: Displays the numerical port on which the sensor server is listening.
Status: Displays whether the server resource is connected or not. Unconnected server resources are not able to provide sensor reporting.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.34 Bonjour Services

Bonjour is Apple's zero-configuration networking (Zeroconf) implementation. Zeroconf is a group of technologies that include service discovery, address assignment and hostname resolution. Bonjour locates the devices (printers, computers etc.) and the services these computers provide over a local network.

Bonjour provides a method to discover services on a LAN. Bonjour allows users to set up a network without any configuration. Services such as printers, scanners and file-sharing servers can be found using Bonjour. Bonjour only works within a single broadcast domain. However, with a special DNS configuration, it can be extended to find services across broadcast domains. To view the Bonjour service statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Bonjour Services from the left-hand side of the Access Point UI.
Refer to the following Bonjour service utilization statistics:

Figure 15-212 Access Point - Bonjour Services screen

Service Name: Lists the services discoverable by the Bonjour gateway. Services can either be pre-defined Apple services (scanner, printer etc.) or an alias not available on the predefined list.
Instance Name: Lists the name of each Bonjour service instance (session) utilized by the Access Point.
IP Address: Lists the network IP address utilized by the listed Bonjour service providing resources to the Access Point.
Port: Displays the port used to secure a connection with the listed Bonjour service.
Vlan: Lists the VLAN(s) on which a listed Bonjour service is routable.
Vlan Type: Lists the VLAN type as either a local bridging mode or a shared tunnel.
Expiry: Lists the expiration date of the listed Bonjour service, and its availability to discover resources on the LAN.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.35 Captive Portal

A captive portal forces an HTTP client to use a special Web page for authentication before using the Internet. A captive portal turns a Web browser into a client authenticator. This is done by intercepting packets, regardless of the address or port, until the user opens a browser and tries to access the Internet. At that time, the browser is redirected to a Web page. To view the captive portal statistics of an Access Point:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Captive Portal.
The Captive Portal screen displays the following:

Figure 15-213 Access Point - Captive Portal screen

Client MAC: Displays the requesting client's MAC address. The MAC displays as a link that can be selected to display client configuration and network address information in greater detail.
Client IP: Displays the requesting client's IPv4 formatted IP address.
Client IPv6: Displays the requesting client's IPv6 formatted IP address.
Captive Portal: Displays the captive portal name that each listed client is utilizing for guest access to Access Point resources.
Port Name: Lists the Access Point port name supporting the captive portal connection with the listed client MAC address.
Authentication: Displays the authentication status of the requesting client.
WLAN: Displays the name of the WLAN the client belongs to.
VLAN: Displays the name of the requesting client's VLAN interface.
Remaining Time: Displays the time after which the client is disconnected from the captive portal managed Internet.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.36 Network Time

Network Time Protocol (NTP) is central to networks that rely on their Access Point(s) to supply system time. Without NTP, Access Point supplied network time is unpredictable, which can result in data loss, failed processes, and compromised security. With network speed, memory, and capability increasing at an exponential rate, the accuracy, precision, and synchronization of network time is essential in an Access Point managed enterprise network. The Access Point can use a dedicated server to supply system time. The Access Point can also use several forms of NTP messaging to sync system time with authenticated network traffic.

The Network Time screen provides detailed statistics of the NTP server associated with an Access Point. Use this screen to review the statistics for each Access Point.
The Network Time statistics screen consists of two tabs:
NTP Status
NTP Association

15.4.36.1 NTP Status

To view the Network Time statistics of an Access Point:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network Time.
The NTP Status tab displays by default with the following information:

Figure 15-214 Access Point - NTP Status screen

Clock Offset: Displays the time differential between the Access Point's time and its NTP resource's time.
Frequency: Indicates the SNTP server clock's skew (difference) for the Access Point.
Leap: Indicates if a second is added or subtracted to SNTP packet transmissions, or if transmissions are synchronized.
Precision: Displays the precision of the time clock (in Hz). The values that normally appear in this field range from -6, for mains-frequency clocks, to -20 for microsecond clocks.
Reference Time: Displays the time stamp at which the Access Point's clock was last synchronized or corrected.
Reference: Displays the address of the time source the Access Point is synchronized to.
Root Delay: The total round-trip delay in seconds. This variable can take on both positive and negative values, depending on relative time and frequency offsets. The values that normally appear in this field range from negative values (a few milliseconds) to positive values (several hundred milliseconds).
Root Dispersion: The difference between the time on the root NTP server and its reference clock. The reference clock is the clock used by the NTP server to set its own clock.
Stratum: Displays how many hops the Access Point is from its current NTP time resource.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.36.2 NTP Association

The interaction between the Access Point and an NTP server constitutes an association. NTP associations can be either peer associations (the Access Point synchronizes to another system or allows another system to synchronize to it), or server associations (only the Access Point synchronizes to the NTP resource, not the other way around). To view the Access Point's NTP association statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Network Time.
4 Select the NTP Association tab.
The NTP Association screen displays the following:

Figure 15-215 Access Point - NTP Association screen

Delay Time: Displays the round-trip delay (in seconds) for broadcasts between the NTP server and the Access Point.
Display: Displays the time difference between the peer NTP server and the Access Point's clock.
Offset: Displays the calculated offset between the Access Point and the NTP server. The Access Point adjusts its clock to match the server's time value. The offset gravitates towards zero, but never completely reduces to zero.
Poll: Displays the maximum interval between successive messages (in seconds) to the nearest power of two.
Reach: Displays the status of the last eight SNTP messages. If an SNTP packet is lost, the lost packet is tracked over the next eight SNTP messages.
Reference IP Address: Displays the address of the time source the Access Point is synchronized to.
Server IP Address: Displays the numerical IP address of the SNTP resource (server) providing SNTP updates to the Access Point.
State: Displays the NTP association status code.
Status: Displays how many hops the Access Point is from its current NTP time source.
Time: Displays the time of the last statistics update.
Refresh: Select the Refresh button to update the screen's statistics counters to their latest values.

15.4.37 Load Balancing

An Access Point's load can be viewed in a graph and filtered to display different load attributes. The Access Point's entire load can be displayed, as well as the separate loads on the 2.4 and 5 GHz radio bands. The channels can also be filtered for display. Each element can be displayed either individually or collectively in the graph. To view the Access Point's load balance in a filtered graph format:
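To make the NTP Status and NTP Association fields above (Clock Offset, Delay, Reach, Stratum) concrete, here is an added example that is not part of the reference guide: it computes offset and delay from the four timestamps of one NTP exchange, expands the Reach register into the last eight poll results, and flags associations an administrator should look at. The Association record shape, the sample rows and the thresholds are assumptions made for this example.

```python
"""Added example (not from the WiNG reference guide): interpret the NTP Status
and NTP Association fields the guide lists (Clock Offset, Delay, Reach, Stratum)
and flag associations worth investigating. All sample values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def ntp_offset_and_delay(t1: float, t2: float, t3: float, t4: float) -> Tuple[float, float]:
    """Clock offset and round-trip delay of one client/server exchange (RFC 5905).

    t1: client transmit, t2: server receive, t3: server transmit,
    t4: client receive, all in seconds on their respective clocks.
    A positive offset means the server's clock is ahead of the client's.
    """
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def decode_reach(reach: str) -> List[bool]:
    """Expand the Reach field into the result of the last eight polls, oldest first.

    Reach is an 8-bit shift register conventionally shown in octal: 377 means all
    eight polls were answered, 376 means only the most recent poll was lost.
    """
    value = int(reach, 8)
    if not 0 <= value <= 0o377:
        raise ValueError(f"reach must be an 8-bit octal value, got {reach!r}")
    # Bit 7 is the oldest poll, bit 0 the most recent.
    return [bool((value >> bit) & 1) for bit in range(7, -1, -1)]


@dataclass
class Association:
    """One row of the NTP Association screen (assumed shape for this example)."""
    server_ip: str
    stratum: int
    reach: str          # octal, as displayed
    offset: float       # seconds, as reported by the Access Point
    delay: float        # round-trip seconds


def assess_association(assoc: Association, max_offset: float = 0.128,
                       max_delay: float = 1.0) -> List[str]:
    """Return findings for one association; an empty list means it looks healthy.

    Thresholds are illustrative assumptions: 128 ms is the step threshold NTP
    implementations commonly use, and 1 s of delay suggests a distant or
    congested time source.
    """
    findings: List[str] = []
    answered = decode_reach(assoc.reach)
    lost = answered.count(False)
    if lost == 8:
        findings.append("unreachable: none of the last eight polls answered")
    elif lost:
        findings.append(f"{lost} of the last eight polls unanswered")
    if not 1 <= assoc.stratum <= 15:
        findings.append(f"stratum {assoc.stratum} is unusable (16 = unsynchronized)")
    if abs(assoc.offset) > max_offset:
        findings.append(f"offset {assoc.offset:+.3f}s exceeds {max_offset}s")
    if assoc.delay > max_delay:
        findings.append(f"delay {assoc.delay:.3f}s exceeds {max_delay}s")
    return findings


def assess_all(assocs: List[Association]) -> Dict[str, List[str]]:
    """Map each server IP to its findings; a healthy table yields only empty lists."""
    return {a.server_ip: assess_association(a) for a in assocs}


if __name__ == "__main__":
    # Constructed exchange: the server clock runs about 46 ms ahead, 8 ms round trip.
    off, dly = ntp_offset_and_delay(100.000, 100.050, 100.052, 100.010)
    print(f"offset={off:+.3f}s delay={dly:.3f}s")
    # Constructed association rows (addresses are from documentation ranges).
    table = [
        Association("192.0.2.10", stratum=2, reach="377", offset=0.004, delay=0.012),
        Association("198.51.100.7", stratum=16, reach="0", offset=0.0, delay=0.0),
        Association("203.0.113.5", stratum=3, reach="376", offset=-0.250, delay=0.090),
    ]
    for ip, notes in assess_all(table).items():
        print(ip, "OK" if not notes else "; ".join(notes))
```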
1 Select the Statistics menu from the Web UI. 2 Select System from the navigation pane (on the left-hand side of the screen). Expand a RF Domain, select a controller or service platform, and select one of its connected Access Points. 3 Select Load Balancing. Wireless Controller and Service Platform System Reference Guide 15 - 305 Statistics The Load Balancing screen displays the following:
Figure 15-216 Access Point - Load Balancing screen Load Balancing Client Requests Events Select any of the options to display any or all of the following information in the graph below: AP Load, 2.4GHz Load, 5GHz Load, and Channel. The graph section displays the load percentages for each of the selected variables over a period of time, which can be altered using the slider below the upper graph. The Client Request Events displays the Time, Client, Capability, State, WLAN and Requested Channels for all client request events on the Access Point. Supported Access Points can support up to 256 clients per Access Point. Wireless Controller and Service Platform System Reference Guide 15 - 306 Statistics 15.4.38 Environmental Sensors (AP8132 Models Only) Access Point Statistics A sensor module is a USB environmental sensor extension to an AP8132 model Access Point. It provides a variety of sensing mechanisms, allowing the monitoring and reporting of the radio coverage area. The output of the sensor's detection mechanisms are viewable using either the Environmental Sensor screen. To view an AP8132 model Access Points environmental statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, and select one of its connected Access Points.
3 Select Environment.
Figure 15-217 Access Point - Environmental Sensor screen (Light tab)
The Light tab displays by default, with additional Temperature, Motion and Humidity tabs available for unique sensor reporting. Each of these sensor measurements helps the administrator determine whether the immediate deployment area is occupied, as indicated by changes in the Access Point's environment.
4 Refer to the Light table to assess the sensor's detected light intensity within the Access Point's immediate deployment area. Light intensity is measured by the sensor in lumens. The table displays the Current Light Intensity (lumens) and a 20 Minute Average of Light Intensity (lumens). Compare these two items to determine whether the deployment location remains consistently lit, as an administrator can power off the Access Point's radios when no activity is detected in the immediate deployment area. For more information, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.
Wireless Controller and Service Platform System Reference Guide 15 - 307 Statistics
5 Refer to the Light Intensity Trend Over Last Hour graph to assess the fluctuation in lighting over the last hour. Use this graph to assess the deployment area's light intensity at particular hours of the day as needed, in conjunction with the daily graph immediately below it.
6 Refer to the Light Intensity Trend Over Last Day graph to assess whether lighting is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.
7 Select the Temperature tab.
Figure 15-218 Access Point - Environmental Sensor screen (Temperature tab)
8 Refer to the Temperature table to assess the sensor's detected temperature within the Access Point's immediate deployment area. Temperature is measured in centigrade. The table displays the Current Temperature (centigrade) and a 20 Minute Average Temperature (centigrade). Compare these two items to determine whether the deployment location remains consistently heated. For more information on enabling the sensor, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.
9 Refer to the Temperature Trend Over Last Hour graph to assess the fluctuation in ambient temperature over the last hour. Use this graph in combination with the Light and Motion graphs (in particular) to assess the deployment area's activity level.
10 Refer to the Temperature Trend Over Last Day graph to assess whether deployment area temperature is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.
11 Select the Motion tab.
Figure 15-219 Access Point - Environmental Sensor screen (Motion tab)
12 Refer to the Motion table to assess the sensor's detected movement within the Access Point's immediate deployment area. Motion is measured in intervals. The table displays the Current Motion (count per interval) and a 20 Minute Average Motion (count per interval). Compare these two items to determine whether the Access Point's deployment location remains consistently occupied by client users. For more information on enabling the sensor, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.
13 Refer to the Motion Trend Over Last Hour graph to assess the fluctuation in user movement over the last hour. Use this graph in combination with the Light and Temperature graphs (in particular) to assess the deployment area's activity level.
14 Refer to the Motion Trend Over Last Day graph to assess whether deployment area user movement is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.
15 Select the Humidity tab.
Figure 15-220 Access Point - Environmental Sensor screen (Humidity tab)
16 Refer to the Humidity table to assess the sensor's detected humidity fluctuations within the Access Point's immediate deployment area. Humidity is measured as a percentage. The table displays the Current Humidity (percent) and a 20 Minute Average Humidity (percent). Compare these two items to determine whether the deployment location remains consistently humid (often a by-product of temperature). For more information on enabling the sensor, see Profile Environmental Sensor Configuration (AP8132 Only) on page 8-222.
17 Refer to the Humidity Trend Over Last Hour graph to assess the fluctuation in humidity over the last hour. Use this graph in combination with the Temperature and Motion graphs (in particular) to assess the deployment area's activity levels.
18 Refer to the Humidity Trend Over Last Day graph to assess whether deployment area humidity is consistent across specific hours of the day. Use this information to help determine whether the Access Point can be upgraded or powered off during specific hours of the day.
15.5 Wireless Client Statistics
The wireless client statistics screens display read-only statistics for a client selected from within its connected Access Point and controller or service platform directory. They provide an overview of the health of wireless clients in the controller or service platform managed network.
Use this information to assess whether configuration changes are required to improve client performance. Wireless client statistics can be assessed using the following criteria:
Health
Details
Traffic
WMM TSPEC
Association History
Graph
15.5.1 Health
The Health screen displays information on the overall performance of a selected wireless client. To view the health of a wireless client:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Health.
Figure 15-221 Wireless Client - Health screen
The Wireless Client field displays the following:
Client MAC: Displays the factory encoded MAC address of the selected wireless client.
Hostname: Lists the hostname assigned to the client when initially managed by the controller, service platform or Access Point.
Vendor: Displays the vendor name (manufacturer) of the wireless client.
State: Displays the current operational state of the wireless client. The client's state can be idle, authenticated, roaming, associated or blacklisted.
IP Address: Displays the IP address the selected wireless client is currently utilizing as a network identifier.
WLAN: Displays the client's connected Access Point WLAN membership. This is the WLAN whose QoS settings should account for the client's radio traffic objective.
Radio MAC: Displays the Access Point radio MAC address the wireless client is connected to on the network.
VLAN: Displays the VLAN ID the Access Point has defined for use as a virtual interface with the client.
The User Details field displays the following:
Username: Displays the unique name of the administrator or operator managing the client's connected Access Point, controller or service platform.
Authentication: Lists the authentication scheme applied to the client for interoperation with the Access Point.
Encryption: Lists the encryption scheme applied to the client for interoperation with the Access Point.
Captive Portal Auth.: Displays whether captive portal authentication is enabled for the client as a guest access medium to the controller or service platform managed network.
The RF Quality Index field displays the following:
RF Quality Index: Displays information on the RF quality for the selected wireless client. The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions, as well as the retry and error rate. The RF quality index can be interpreted as:
0-20 (Very poor quality)
20-40 (Poor quality)
40-60 (Average quality)
60-100 (Good quality)
Average Retry Number: Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
SNR: Displays the signal to noise ratio (SNR) of the connected wireless client.
Signal: Displays the power of the radio signal in -dBm.
Noise: Displays the disturbing influences on the signal by interference of other signals in -dBm.
Error Rate: Displays the number of received bit rates altered due to noise, interference and distortion. It's a unitless performance measure.
The Association field displays the following:
AP Hostname: Lists the administrator assigned device name of the client's connected Access Point.
AP: Displays the MAC address of the client's connected Access Point.
Radio: Lists the target Access Point that houses the radio. Select the Access Point to view performance information in greater detail.
Radio ID: Lists the hardware encoded MAC address the radio uses as a hardware identifier that further distinguishes the radio from others within the same device.
Radio Number: Displays the Access Point's radio number (either 1, 2 or 3) to which the selected client is associated.
Radio Type: Displays the radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
4 The Traffic Utilization field displays statistics on the traffic generated and received by the selected client. This area displays the traffic index, which measures how efficiently the traffic medium is utilized. It's defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are:
0-20 (Very low utilization)
20-40 (Low utilization)
40-60 (Moderate utilization)
60 and above (High utilization)
The Traffic Utilization table displays the following:
Total Bytes: Displays the total bytes processed by the Access Point's connected wireless client.
Total Packets: Displays the total number of packets processed by the wireless client.
User Data Rate: Displays the average user data rate in both directions.
Physical Layer Rate: Displays the average packet rate at the physical layer in both directions.
Tx Dropped Packets: Displays the number of packets dropped during transmission.
Rx Errors: Displays the number of errors encountered during data transmission. The higher the error rate, the less reliable the connection or data transfer between the client and connected Access Point.
5 Select the Refresh button to update the screen's statistics counters to their latest values.
15.5.2 Details
The Details screen provides granular performance information for a selected wireless client. To view the details screen of a connected wireless client:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Details.
Figure 15-222 Wireless Client - Details screen
The Wireless Client field displays the following:
SSID: Displays the client's Service Set ID (SSID).
Hostname: Lists the hostname assigned to the client when initially managed by the controller, service platform or Access Point managed network.
Device Type: Displays the client device type providing the details to the operating system.
RF Domain: Displays the RF Domain of which the connected client is a member via its connected Access Point, controller or service platform. The RF Domain displays as a link that can be selected to display configuration and network address information in greater detail.
OS: Lists the client's operating system (Android etc.).
Browser Type: Displays the browser type used by the client to facilitate its wireless connection.
Vendor: Lists the client manufacturer (or vendor).
Role: Lists the client's defined role in the controller, service platform or Access Point managed network.
Role Policy: Lists the user role set for the client as it became a controller, service platform or Access Point managed device.
Client Identity: Displays the unique vendor identity of the listed device as it appears to its adopting controller or service platform.
Client Identity Precedence: Lists the numeric precedence this client uses in establishing its identity amongst its peers.
Protected Management Frames: A green checkmark defines management frames as protected between this client and its associated Access Point radio. A red X states that management frame protection is disabled for the client and its connected radio.
Transmit Power Management: Lists the number of power management frames exchanged between this client and its connected Access Point radio. Lists zero when disabled.
The User Details field displays the following:
Username: Displays the unique name of the administrator or operator managing the client's connected Access Point.
Authentication: Lists the authentication scheme applied to the client for interoperation with its connected Access Point radio.
Encryption: Lists the encryption scheme applied to the client for interoperation with its connected Access Point radio.
Captive Portal Auth.: Displays whether captive portal authentication is enabled. When enabled, a restrictive set of access permissions may be in effect.
The Connection field displays the following:
Idle Time: Displays the time for which the wireless client remained idle.
Last Active: Displays the time in seconds at which the wireless client was last interoperating with its connected Access Point.
Last Association: Displays the duration the wireless client was in association with its connected Access Point.
Session Time: Displays the duration for which a session can be maintained by the wireless client without it being dis-associated from the Access Point.
SM Power Save Mode: Displays whether this feature is enabled on the wireless client. The spatial multiplexing (SM) power save mode allows an 802.11n client to power down all but one of its radios. This power save mode has two sub modes of operation: static operation and dynamic operation.
Power Save Mode: Displays whether this feature is enabled or not. To prolong battery life, the 802.11 standard defines an optional Power Save Mode, which is available on most 802.11 clients. End users can simply turn it on or off via the card driver or configuration tool. With power save off, the 802.11 network card is generally in receive mode listening for packets and occasionally in transmit mode when sending packets. These modes require the 802.11 NIC to keep most circuits powered up and ready for operation.
WMM Support: Displays whether WMM is enabled or not in order to provide data packet type prioritization between the Access Point and connected client.
40 MHz Capable: Displays whether the wireless client has 802.11n channels operating at 40 MHz.
Max Physical Rate: Displays the maximum data rate at the physical layer.
Max User Rate: Displays the maximum permitted user data rate.
MC2UC Streams: Lists the number of multicast to unicast data streams detected.
The Association field displays the following:
AP: Displays the MAC address of the client's connected Access Point.
BSS: Displays the Basic Service Set (BSS) the Access Point belongs to. A BSS is a set of stations that can communicate with one another.
Radio Number: Displays the Access Point radio the wireless client is connected to.
Radio Type: Displays the radio type. The radio can be 802.11b, 802.11bg, 802.11bgn, 802.11a or 802.11an.
Rate: Displays the permitted data rate for Access Point and client interoperation.
The 802.11 Protocol field displays the following:
High-Throughput: Displays whether high throughput is supported. High throughput is a measure of the successful packet delivery over a communication channel.
RIFS Negotiated: Displays whether this feature is supported. RIFS is a required 802.11n feature that improves performance by reducing the amount of dead time between OFDM transmissions.
Fast BSS Transition: Lists whether Fast BSS Transition is negotiated. This indicates support for a seamless, fast and secure client handoff between two Access Points, controllers or service platforms.
Unscheduled APSD: Displays whether APSD is supported. APSD defines an unscheduled service period, which is a contiguous period of time during which the Access Point is expected to be awake.
AID: Displays the Association ID (AID) established by an AP. 802.11 association enables the Access Point to allocate resources and synchronize with a client. A client begins the association process by sending an association request to an Access Point. This association request is sent as a frame. This frame carries information about the client and the SSID of the network it wishes to associate with. After receiving the request, the Access Point considers associating with the client, and reserves memory space for establishing an AID for the client.
Max AMSDU Size: Displays the maximum size of an AMSDU. An AMSDU is a set of Ethernet frames to the same destination that are wrapped in an 802.11n frame. This value is the maximum AMSDU frame size in bytes.
Max AMPDU Size: Displays the maximum size of an AMPDU. An AMPDU is a set of Ethernet frames to the same destination that are wrapped in an 802.11n MAC header. AMPDUs are used in a very noisy environment to provide reliable packet transmission. This value is the maximum AMPDU size in bytes.
Interframe Spacing: Displays the interval between two consecutive Ethernet frames.
Short Guard Interval: Displays the guard interval in microseconds. Guard intervals prevent interference between data transmissions. The guard interval is the space between characters being transmitted. The guard interval eliminates inter-symbol interference (ISI). ISI occurs when echoes or reflections from one character interfere with another character. Adding time between transmissions allows echoes and reflections to settle before the next character is transmitted. A shorter guard interval results in shorter character times, which reduces overhead and increases data rates by up to 10%.
4 Select the Refresh button to update the screen's statistics counters to their latest values.
15.5.3 Traffic
The Traffic screen provides an overview of client traffic utilization in both the transmit and receive directions. This screen also displays an RF quality index. To view the traffic statistics of a wireless client:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Traffic.
Figure 15-223 Wireless Client - Traffic screen
Traffic Utilization statistics employ an index, which measures how efficiently the traffic medium is used. It's defined as the percentage of current throughput relative to the maximum possible throughput. Traffic indices are:
0-20 (Very low utilization)
20-40 (Low utilization)
40-60 (Moderate utilization)
60 and above (High utilization)
This screen also provides the following:
Total Bytes: Displays the total bytes processed (in both directions) by the Access Point's connected client.
Total Packets: Displays the total number of data packets processed (in both directions) by the Access Point's connected wireless client.
User Data Rate: Displays the average user data rate.
Packets per Second: Displays the packets processed per second.
Physical Layer Rate: Displays the data rate at the physical layer level.
Bcast/Mcast Packets: Displays the total number of broadcast/multicast packets processed by the client.
Management Packets: Displays the number of management (overhead) packets processed by the client.
Tx Dropped Packets: Displays the client's number of dropped packets while transmitting to its connected Access Point.
Tx Retries: Displays the total number of client transmit retries with its connected Access Point.
Rx Errors: Displays the errors encountered by the client during data transmission. The higher the error rate, the less reliable the connection or data transfer between client and connected Access Point.
Rx Actions: Displays the number of receive actions during data transmission with the client's connected Access Point.
Rx Probes: Displays the number of probes sent. A probe is a program or other device inserted at a key juncture in a network for the purpose of monitoring or collecting data about network activity.
Rx Power Save Poll: Displays the power save using the Power Save Poll (PSP) mode. Power Save Poll is a protocol which helps to reduce the amount of time a radio needs to be powered. PSP allows the WiFi adapter to notify the Access Point when the radio is powered down. The Access Point holds any network packet to be sent to this radio.
The RF Quality Index area displays the following information:
RF Quality Index: Displays information on the RF quality of the selected wireless client. The RF quality index is the overall effectiveness of the RF environment as a percentage of the connect rate in both directions, as well as the retry rate and the error rate. The RF quality index value can be interpreted as:
0-20 (Very low utilization)
20-40 (Low utilization)
40-60 (Moderate utilization)
60 and above (High utilization)
Retry Rate: Displays the average number of retries per packet. A high number indicates possible network or hardware problems.
SNR (dBm): Displays the connected client's signal to noise ratio (SNR). A high SNR could warrant a different Access Point connection to improve performance.
Signal (dBm): Displays the power of the radio signal in -dBm.
Noise (dBm): Displays the disturbing influences on the signal in -dBm.
Error Rate (ppm): Displays the number of received bit rates altered due to noise, interference and distortion. It's a unitless performance measure.
MOS Score: Displays average voice call quality using the Mean Opinion Score (MOS) call quality scale. The MOS scale rates call quality on a scale of 1-5, with higher scores being better. If the MOS score is lower than 3.5, it's likely users will not be satisfied with the voice quality of their call.
R-Value: R-value is a number or score used to quantitatively express the quality of speech in communications systems. This is used in digital networks that carry Voice over IP (VoIP) traffic. The R-value can range from 1 (worst) to 100 (best) and is based on the percentage of users who are satisfied with the quality of a test voice signal after it has passed through a network from a source (transmitter) to a destination (receiver). The R-value scoring method accurately portrays the effects of packet loss and delays in digital networks carrying voice signals.
4 Select the Refresh button to update the screen's statistics counters to their latest values.
15.5.4 WMM TSPEC
The 802.11e Traffic Specification (TSPEC) provides a set of parameters that define the characteristics of the traffic stream (operating requirement, scheduling etc.). The sender TSPEC specifies parameters available for packet flows. Both the sender and the receiver use TSPEC. The TSPEC screen provides information about TSPEC counts and TSPEC types utilized by the selected wireless client. To view the TSPEC statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select WMM TSPEC.
Figure 15-224 Wireless Client - WMM TSPEC screen
The top portion of the screen displays the TSPEC stream type and whether the client has roamed. The Ports Stats field displays the following:
Sequence Number: Lists a sequence number that's unique to this WMM TSPEC uplink or downlink data stream.
Direction: Displays whether the WMM TSPEC data stream is in the uplink or downlink direction.
Type:
Request Time: Lists each sequence number's request time for WMM TSPEC traffic in the specified direction. This is the time allotted for a request before packets are actually sent.
Used Time: Displays the time the client used TSPEC. The client sends a delete traffic stream (DELTS) message when it has finished communicating.
TID: Displays the parameter for defining the traffic stream. The TID identifies data packets as belonging to a unique traffic stream.
4 Periodically select Refresh to update the screen to its latest values.
15.5.5 Association History
Refer to the Association History screen to review this client's Access Point connections. Hardware device identification, operating channel and GHz band data are listed for each Access Point. The Association History can help determine whether the client has connected to its target Access Point and maintained its connection, or has roamed and been supported by unplanned Access Points in the controller or service platform managed network. To view a selected client's association history:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Association History.
Figure 15-225 Wireless Client - Association History screen
Refer to the following to discern this client's Access Point association history:
Access Point: Lists the Access Point MAC address this client has connected to, and is being managed by.
BSSID: Displays the BSSID of each previously connected Access Point.
Channel: Lists the channel shared by both the Access Point and client for interoperation, and to avoid congestion with adjacent channel traffic.
Band: Lists the 2.4 or 5 GHz radio band this client and its connected Access Point are using for transmit and receive operations.
Time: Lists the historical connection time between each listed Access Point and this client.
4 Select Refresh to update the screen to its latest values.
15.5.6 Graph
Use the client Graph to assess a connected client's radio performance and diagnose issues that may be negatively impacting performance. Up to three selected performance variables can be charted at one time. The graph uses a Y-axis and an X-axis to associate selected parameters with their performance measure. To view a graph of this client's statistics:
1 Select the Statistics menu from the Web UI.
2 Select System from the navigation pane (on the left-hand side of the screen). Expand an RF Domain, select a controller or service platform, an Access Point, then a connected client.
3 Select Graph.
Figure 15-226 Wireless Client - Graph
4 Use the Parameters drop-down menu to define from 1-3 variables assessing client signal noise, transmit or receive values.
5 Use the Polling Interval drop-down menu to define the interval at which the chart is updated. Options include 30 seconds, 1 minute, 5 minutes, 20 minutes or 1 hour. 30 seconds is the default value.
6 Select an available point in the graph to list the selected performance parameter, and display that parameter's value and a time stamp of when it occurred.
15.6 Guest Access Statistics
Guest client statistics are uniquely available for wireless clients requesting the required pass code, authentication and access into the WiNG managed guest client network. Guest Access statistics can be assessed for the following:
Guest Access Cumulative Statistics
Social Media Statistics
Reports
Notifications
Guest Access Database
15.6.1 Guest Access Cumulative Statistics
The Statistics screen displays information on the WiNG managed guest client network. It includes browser utilization, new versus returning user trends, client user age, client operating system, device type proliferation and gender trending. To view a cumulative set of client guest access statistics:
1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Statistics.
4 Refer to the top of the screen to configure how the following trending periods and user filters are set for guest access statistics trending and reporting:
Figure 15-227 Guest Access - Statistics screen
Timeline: Use the drop-down menu to specify whether statistics are gathered for 1-Day, 1-Month, 1-Week, 2-Hours, 30-Mins or 5-Hours. Timelines cover the most recent period of that length. For example, specifying 30-Mins displays statistics for the most recent 30 minutes trended.
RF Domain: Use the drop-down menu to select a single RF Domain from which to filter guest access statistics. Optionally select All to include data from each RF Domain supported.
WLAN: Use the drop-down menu to filter guest access statistics to a specific WLAN. A single WLAN can belong to more than one RF Domain.
5 Refer to the following to assess guest client browser, operating system, age, gender and new versus returning status, and to determine whether guest client utilization is in line with WiNG guest access deployment objectives:
Device Browser: Displays guest user browser utilization in pie-chart format. Each client browser type (Chrome, Firefox, Safari and Internet Explorer) detected within the defined trending period displays uniquely in its own color for easy differentiation. The number of guest clients utilizing each browser also displays numerically.
User Walk-in Trends: Walk-in trending enables an administrator to filter new guest access clients versus return guest clients out of the total reported for the trending period and selected RF Domain and WLAN. New guest users (blue), return guests (red) or total guests can either be collectively displayed or individually displayed by selecting one, two or all three of the options.
Age Range: Displays guest user age differentiation in pie-chart format. Age ranges are uniquely color coded as Less Than 18, 18 to 20, 21 to 24, 25 to 34, 35 to 44, 45 to 54, 55 to 64 and Greater Than 64. Each age group detected within the trending period displays uniquely in its own color for easy differentiation. Each age range also displays numerically. Periodically assess whether the age ranges meet expectations for guest client access within the WiNG managed guest network.
Operating System: Displays guest client operating system utilization in pie-chart format. Each client operating system type (Android, Windows 7, Windows 8, Apple iOS and Macintosh) displays uniquely in its own color for easy differentiation. The number of guest clients utilizing each operating system also displays numerically.
Visitors: Displays return guest clients versus new guest clients in pie-chart format. Both new and returning clients display uniquely in their own color for easy differentiation. Periodically assess whether the number of returning guest clients is in line with the guest network's deployment objectives in respect to the RF Domain(s) and WLAN(s) selected for trending.
Customer Loyalty App: Graphically displays the number of guest clients with loyalty application presence enabled. Loyalty application detection occurs on the Access Point to which the client is associated, allowing a retail administrator to assess whether a captive portal client is using specific retail (loyalty) applications in their captive portal. This setting is enabled by default.
Devices: Displays guest client device type utilization in pie-chart format. Each client device type (Windows PC, Macintosh, Apple iPad, Android Mobile and Motorola Droid) displays uniquely in its own color for easy differentiation. The number of each device type detected also displays numerically to help assess their proliferation within the WiNG managed guest network.
Gender: Displays guest client gender in pie-chart format. Detected male and female guest users display uniquely in their own color for easy differentiation. Guest clients whose gender is unspecified also display, to help assess the undetermined gender client count out of the total. The number of male, female and unspecified guest clients also displays numerically.
6 Select the Refresh button to update the screen's statistics counters to their latest values.
15.6.2 Social Media Statistics
Device registration using social media login credentials requires user validation through the guest user's social media account. The guest user authenticates with an administrator configured social media server like Facebook or Google. Upon successful authentication, the guest user's social media profile data (collected from the social media server) is registered on the device. To view guest access social media utilization for guest clients:
1 Select the Statistics menu from the Web UI. 2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System). 3 Select Social. 4 Refer to the top of the screen to configure how the following trending periods and user filters are set for guest Figure 15-228 Guest Access - Social screen access social media trending:
Timeline Use the drop-down menu to specify whether social media statistics are gathered for 1-Day, 1-Month, 1-Week, 2-Hours, 30-Mins or 5-Hours. Timelines support the latest time period from present. For example, specifying 30-Mins displays statistics for the most recent 30 minutes trended. Wireless Controller and Service Platform System Reference Guide 15 - 325 Statistics RF Domain WLAN Use the drop-down menu to select a single RF Domain from which to filter social media guest access statistics. Optionally select All to include data from each RF Domain supported. Use the drop down menu to filter guest access social media statistics to a specific WLAN. A single WLAN can belong to more then one RF Domain. The data displays in bar graph format, with the total number of social media authenticating clients listed in green, and those currently online displayed in orange for both Google and Facebook authenticating clients. Refer to the Local graph to assess those clients requiring captive portal authentication as a fallback mechanism for guest registration through social media authentication. 5 Periodically select Refresh to update the statistics counters to their latest values. 15.6.3 Reports Guest Access Statistics Report queries can be filtered and run to obtain information on targeted guest clients within the WiNG guest network. To generate customized guest client reports:
1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Reports.

Figure 15-229 Guest Access - Reports screen

4 Select the drop-down menu at the top left-hand side of the screen to define whether the guest client report data is fetched based on MAC, Name, Mobile, Email, Member or Time. Once selected, enter an appropriate search string to generate a report for the target guest client. When the report search strings are complete, select Get Data.
5 Refer to the User Data table to review the following report output:
MAC: Displays the hardware MAC address encoded in this guest client at the factory by the manufacturer. This is the guest client's hardware identifier added to the guest user database. If the guest client requests access later, this MAC address is validated against the guest user database, and the client is allowed access to the WiNG managed guest network.
Name: Lists the name used for guest access authentication and passcode generation.
Email: Lists the E-Mail address used for guest access authentication and the receipt of the required passcode.
Mobile: Lists the guest client's registered mobile number used for guest access authentication requests and the receipt of the required passcode.
Source: Lists the source (Facebook, Google) whose username and password were used as the client's social media authenticator.

15.6.4 Notifications

For each registered guest user, a passcode is sent by E-mail, SMS or both. A guest management policy defines E-mail host and SMS gateway commands, along with the credentials required for sending a passcode to a guest client via E-mail and SMS.

Users can configure up to 32 different guest management policies. Each policy enables the user to configure the SMS gateway, SMS message body, E-mail SMTP server, E-mail subject contents and E-mail message body. There can be only one guest management policy active per device at any one time.

The short message service (SMS) is the text messaging service component of phone, E-Mail and mobile systems. SMS uses standardized communications protocols to allow fixed or mobile phone devices to exchange text messages.

To review guest client notification statistics:
1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Notification.

Figure 15-230 Guest Access - Notification screen

4 Review the following Clickatell Gateway information. By default, Clickatell is the host SMS gateway server resource for guest access.

Status: Displays an icon as a visual indicator of the gateway status. Green defines the gateway as available. Red indicates the gateway is down and unavailable.
Session ID: Lists an event ID for the Clickatell gateway session credential and passcode exchange.
Message ID: Lists the unique SMS message ID created for the successful message exchange with the Clickatell host SMS gateway server.
Last SMS Time: Lists the timestamp appended to the sent time of the Clickatell SMS gateway message.
Last SMS Number: Lists the numeric status code returned in response to an SMS gateway server guest access request.
Last SMS Sent Status: Lists the associated status strings returned in response to an SMS gateway server guest access request.
Last SMS Authentication Status: Lists the SMS authentication credential and validation message exchange status for the listed Clickatell gateway session ID.

5 Review the following SMS to SMTP Gateway information.

Last E-Mail Time: Displays the time of the most recent E-Mailed passcode sent to a guest via SMS. SMS enables guest users to register with their E-Mail or mobile device ID as the primary key for authentication.
Last E-Mail To: Lists the recipient of the most recent SMS to SMTP server credential E-mail exchange containing the required passcode for the registered guest.
Last E-Mail Status: Lists the completion status of the most recent server SMS to SMTP gateway credential exchange containing the required passcode for the authenticating guest client.

6 Review the following Email Gateway information.

Last E-Mail Time: Displays the time of the most recent E-Mailed passcode sent to a guest access requesting client. Guest users can register with their E-mail credentials as the primary means of authentication.
Last E-Mail To: Lists the recipient of this session's server E-Mail credential exchange containing the required passcode for the authenticating guest client.
Last E-Mail Status: Lists the completion status of the most recent server E-Mail credential exchange containing the required passcode for the authenticating guest client.

15.6.5 Guest Access Database

Refer to the Database screen to periodically import or export guest access information to and from a WiNG managed device. The import or export of the guest access database is supported in JSON format only. Archiving guest access utilization data is a good way to assess periods of high and low utilization and better plan for guest client consumption of controller or Access Point network resources.

To administrate the guest access database:
1 Select the Statistics menu from the Web UI.
2 Select Guest Access above the navigation pane (on the upper left-hand side of the screen, directly to the right of System).
3 Select Database.

Figure 15-231 Guest Access - Database Import/Export screen

4 Select Export to archive guest access data (in JSON or CSV format) to a designated remote location, or Import to upload guest access utilization data back to the WiNG managed controller, service platform or Access Point.
5 If conducting an Export operation, provide the following to refine the data exported:
Format: Define whether the guest access data is exported in JSON or CSV format. JavaScript Object Notation (JSON) is an open standard format using text to export data objects consisting of attribute-value pairs. A comma-separated values (CSV) file stores tabular data in plain text. Plain text means that the file is interpreted as a sequence of characters, so that it is human-readable with a standard text editor. Each line of the file is a data record. Each record consists of one or more fields, separated by commas.
Timeline: Use the drop-down menu to specify whether guest access statistics are exported for the previous 1-Day, 1-Month, 1-Week, 2-Hours, 30-Mins or 5-Hours. Timelines cover the latest time period back from the present. For example, specifying 30-Mins exports statistics trended over the most recent 30 minutes.
RF Domain: Use the drop-down menu to select a single RF Domain from which to filter the exported guest access statistics. Optionally select All to include data from each supported RF Domain.
WLAN: Use the drop-down menu to filter the exported guest access statistics to a specific WLAN. A single WLAN can belong to more than one RF Domain.

6 When exporting or importing guest access data (regardless of format), provide the following URL data to accurately configure the remote host:

Format: Select the data transfer protocol used for exporting or importing guest access data. Available options include tftp, ftp and sftp.
Port: Use the spinner control to set the virtual port for the export or import operation.
Host: Provide a textual hostname or numeric IP address of the server used for guest access data transfer operations. Hostnames cannot include an underscore character. Select IPv4 Address to use an IPv4 formatted address as the host. Select IPv6 Address to use an IPv6 formatted address as the host. IPv6 provides enhanced identification and location information for computers on networks routing traffic across the Internet. IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons.
User Name: If using FTP or SFTP as the data transfer protocol, enter the username required by the remote FTP or SFTP server resource.
Password: If using FTP or SFTP as the data transfer protocol, enter the password required by the remote FTP or SFTP server resource.
Path/File: Specify the path to the server resource where guest access data is either exported or imported. Enter the complete relative path to the file on the server. If electing to use SFTP as the file transfer protocol, it is recommended that the path/file be set using the command line interface (CLI).

7 When the URL data is accurately entered, select the Export or Import button respectively to initiate the operation.
8 Optionally select the Delete tab to purge either all or part of the guest user database.

Figure 15-232 Guest Access - Database Deletion screen

9 Select All to remove the contents of the entire database. Select Any to invoke a drop-down menu where MAC, Name, Mobile, Email or a WLAN can be selected to refine the database removal to just a selected entity. Enter the MAC address, user name, mobile number or WLAN you wish to remove from the database, then select Delete.
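As an added illustration, not code from the guide or the WiNG product, the Ruby below assembles the remote-host fields from step 6 (Format, Port, Host, User Name, Password, Path/File) into a transfer URL and applies the constraints the guide states: only tftp, ftp or sftp; a hostname without underscores, or an IPv4 or IPv6 literal; a relative path; user name and password only with FTP and SFTP. It also returns a warning when the chosen protocol moves the export, or the login, without encryption, which matters because the guest database holds names, E-mail addresses and mobile numbers. The function names, the returned hash and the sample host names are this example's own assumptions.

```ruby
require "ipaddr"
require "uri"

# Added example, not code from the WiNG guide or product. Field names follow
# the Database Import/Export screen (Format, Port, Host, User Name, Password,
# Path/File); the functions and the returned hash are this example's design.
TRANSFER_PROTOCOLS = %w[tftp ftp sftp].freeze
HOSTNAME_RE = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

# Turns the Host field into the literal used in a URL authority: IPv6 literals
# are bracketed, IPv4 literals pass through, hostnames are checked against the
# guide's rule that they may not contain an underscore.
def host_literal(host)
  raise ArgumentError, "hostname may not contain an underscore" if host.include?("_")
  raise ArgumentError, "host may not carry a prefix length" if host.include?("/")
  addr = begin
    IPAddr.new(host)
  rescue ArgumentError   # IPAddr::InvalidAddressError: not an IP literal
    nil
  end
  if addr
    return addr.ipv6? ? "[#{addr}]" : addr.to_s
  end
  raise ArgumentError, "#{host.inspect} is not a valid hostname" unless host.match?(HOSTNAME_RE)
  host
end

# Builds the transfer URL for an export or import. Returns the URL (user name
# embedded, password kept separate) plus warnings about the protocol choice.
# Raises ArgumentError for a field value the screen's rules reject.
def build_transfer(format:, host:, port:, path:, user: nil, password: nil)
  unless TRANSFER_PROTOCOLS.include?(format)
    raise ArgumentError, "format must be one of #{TRANSFER_PROTOCOLS.join(', ')}"
  end
  raise ArgumentError, "port must be 1..65535" unless port.is_a?(Integer) && (1..65535).cover?(port)
  # The guide asks for the complete relative path to the file on the server.
  raise ArgumentError, "path/file must be relative" if path.empty? || path.start_with?("/")

  warnings = []
  userinfo = ""
  if format == "tftp"
    # TFTP has no login; the guide asks for user name/password only with FTP and SFTP.
    warnings << "tftp: no authentication, and the guest database travels in cleartext"
  else
    if user.to_s.empty? || password.to_s.empty?
      raise ArgumentError, "#{format} requires a user name and password"
    end
    userinfo = "#{URI.encode_www_form_component(user)}@"
    warnings << "ftp: login and guest database travel in cleartext; prefer sftp" if format == "ftp"
  end

  {
    url: "#{format}://#{userinfo}#{host_literal(host)}:#{port}/#{path}",
    password: password,
    warnings: warnings,
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input; backup.example.invalid is a placeholder host.
  result = build_transfer(format: "sftp", host: "backup.example.invalid", port: 22,
                          path: "wing/guest-db.json", user: "wingbackup", password: "s3cret")
  puts result[:url]
  result[:warnings].each { |w| puts "warning: #{w}" }
end
```

The password is deliberately kept out of the URL string so that it does not end up in shell history or logs when the URL is echoed; the caller passes it to the transfer client separately.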
15.7 Analytics Developer Interface

The analytics developer interface is an additional tool available to administrators to review specific APIs in granular detail. The developer interface is available to elected NOC controllers or service platforms capable of provisioning all of their peer controllers, service platforms and adopted devices. NOC controllers include NX9000, NX9500, NX9510, NX7500 and RFS6000 models.

To access the developer interface:
1 Connect to the controller using its existing IP address, but append /stats to the end of the IP address as follows:

http://<CONTROLLER_IP_ADDRESS>/stats or https://<CONTROLLER_IP_ADDRESS>/stats

The following login screen displays for the developer interface:

Figure 15-233 Developer Interface - Login screen

2 Provide the same Username and Password credentials you are currently using for a typical controller login. Once the login credentials are successfully entered, the following screen displays:

Figure 15-234 Developer Interface - Main screen

Refer to the following for more detailed descriptions of the functionality available to administrators using the analytics developer interface:
Download REST API Toolkit
API Assessment

15.7.1 Download REST API Toolkit

Sample Representational State Transfer (REST) code can be downloaded from the toolkit. REST is a software design schema for Web application development.

To download sample REST API code:
1 Select Download REST api toolkit from the Web UI. A File Download screen displays, prompting for the desired location of the download or whether the files should be opened directly.

Figure 15-235 Developer Interface - File Download screen

2 Open the zip archive and review the Readme file to assess the contents and how they can be leveraged for API creation and modification.

Sample Ruby Client

A sample Ruby client is provided as part of this package. The Ruby client can be used as a sample to pull statistics data from NXAnalytics. The response from NXAnalytics is in JSON format.

Contents

Readme.txt file.
Ruby script files:
NXAStatsClient.rb
NXARESTClient.rb
NXAResultsJSONParser.rb
NXALogin.rb
NXAException.rb
NXAConstants.rb
NXAConnectionParams.rb

Requirements To Run Sample Ruby Client

Ruby 2.0 or above. The sample has been tested with Ruby 2.0. To download Ruby use the following:
https://www.ruby-lang.org/en/downloads/ or http://rubyinstaller.org/
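As an added example, not part of the NXAnalytics toolkit or its sample client, the Ruby below checks the eight positional arguments the sample client takes, as documented under "How To Run the Program From Command Line" later in this section: an IPv4 or IPv6 controller address, http or https, a port, one of the six stats types, a lookback of 1 to 2592000 seconds, a username and password, and a result count of 1 to 100. It uses only the Ruby standard library (IPAddr), not the ipaddress gem the toolkit depends on. The function names, the returned hash and the `<protocol>://<address>:<port>` base URL form are this example's assumptions; the sample invocation at the bottom is the one shown in the guide.

```ruby
require "ipaddr"

# Added example, not toolkit code: validates the sample client's command line
# against the ranges the guide documents, using only the Ruby standard library.
STATS_TYPES = %w[wlan rfdomain radio client captive-portal client-assoc-disassoc].freeze
LOOKBACK_SECONDS = (1..2_592_000).freeze   # 1 second to 30 days, per the usage text
RESULT_COUNT     = (1..100).freeze

# Returns the integer value of `text` if it is a decimal number inside `range`,
# otherwise raises ArgumentError naming the offending argument.
def int_in_range(text, range, name)
  unless text.match?(/\A\d+\z/) && range.cover?(text.to_i)
    raise ArgumentError, "#{name} must be an integer in #{range.min}..#{range.max}, got #{text.inspect}"
  end
  text.to_i
end

# Validates ARGV in the documented order and returns a hash a client could
# consume. The hash keys and the base_url form are this example's assumptions.
def parse_client_args(argv)
  raise ArgumentError, "expected 8 arguments, got #{argv.size}" unless argv.size == 8
  address, protocol, port, stats_type, lookback, username, password, count = argv

  addr = begin
    IPAddr.new(address)
  rescue ArgumentError   # IPAddr::InvalidAddressError
    raise ArgumentError, "controller address #{address.inspect} is not an IPv4 or IPv6 address"
  end
  raise ArgumentError, "protocol must be http or https" unless %w[http https].include?(protocol)
  unless STATS_TYPES.include?(stats_type)
    raise ArgumentError, "stats type must be one of #{STATS_TYPES.join(', ')}"
  end
  raise ArgumentError, "username and password must not be empty" if username.empty? || password.empty?

  host = addr.ipv6? ? "[#{addr}]" : addr.to_s
  warnings = []
  warnings << "http sends the controller login in cleartext; use https" if protocol == "http"

  {
    base_url: "#{protocol}://#{host}:#{int_in_range(port, 1..65535, 'port')}",
    stats_type: stats_type,
    lookback_seconds: int_in_range(lookback, LOOKBACK_SECONDS, "lookback duration"),
    username: username,
    password: password,
    max_results: int_in_range(count, RESULT_COUNT, "number of results"),
    warnings: warnings,
  }
end

if __FILE__ == $PROGRAM_NAME
  # The invocation shown in the guide's "Sample:" line, as ARGV would deliver it.
  parsed = parse_client_args(%w[172.20.33.45 https 443 rfdomain 600 admin admin 30])
  puts "#{parsed[:base_url]} #{parsed[:stats_type]} lookback=#{parsed[:lookback_seconds]}s max=#{parsed[:max_results]}"
end
```

Rejecting a bad argument before any network call keeps the controller login from being sent with a request the server would refuse anyway, and the warning on http makes the credential exposure of that choice visible at the point where it is made.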
Additional Ruby Gems needed to run the sample client are the following.
- ipaddress
- json
- rest-client

Please install the gems before running the sample client.

How To Run the Program From Command Line

ruby NXAStatsClient <IPAddress Of Controller>
<Protocol[http|https]> <Port [8080|443]>
<Stats_Type>[wlan | rfdomain | radio | client | captive-portal | client-assoc-disassoc]
<lookback_duration_in_seconds [ 1 - 2592000]>
<username> <password>
<number_of_results_to_return [ 1 - 100]>
Sample:
ruby NXAStatsClient 172.20.33.45 https 443 rfdomain 600 admin admin 30

How To Run the Program From IDE

If you are using Eclipse or APTANA or any other IDE please do the following.
- Choose appropriate network proxy settings
- Configure IDE to choose appropriate Ruby interpreter
- Create a Ruby project
- Copy the Ruby files as part of package to the new Ruby project
- Define the arguments required for the main Ruby program
- Run the main Ruby program

15.7.2 API Assessment

Refer to the toolkit's API functionality to review a collection of APIs for specific feature groups, including captive portals, client associations and disassociations, client stats and RF Domains.

To review the toolkit's built-in set of APIs:
1 Select API from the Web UI.
2 Select an available feature from the catalog of features.

Figure 15-236 Developer Interface - API

An administrator can either launch a query for a selected feature or select catalog to expose the schema for a selected feature.
3 Select query to display the NX2 Raw Query Interface.
4 Select Go to initiate the query for the selected item.

Figure 15-237 Developer Interface - API Raw Query Interface

Figure 15-238 Developer Interface - API Raw Query Results

The results of the query display the values currently set for the selected feature. This information cannot be manipulated as a configurable API attribute, though it can be utilized as criteria for API attribute creation.
5 From the NX2 Features Interface, select a feature from those available and select catalog.

Figure 15-239 Developer Interface - API Catalog

The catalog item selection displays the values currently set for the selected feature. As with queries, this information cannot be manipulated as a configurable API attribute, though it can be utilized as criteria for API attribute creation.

16 Analytics

NX9500 and NX9510 model service platforms can provide granular and robust analytic reporting for an RFS4000 and RFS6000 controller managed network. Using analytics, data is collected and reported at varying intervals. Analytic data is culled from WLANs at either the system, RF Domain, controller/service platform or Access Point level. Analytics can parse and process events within the NOC managed network as events are received.
The analytics display resembles the Health and Inventory pages available to controllers and Access Points, though Analytics provides performance information at a far more granular level. The analytics user interface populates information within a data store, with multiple displays partitioned by performance function. The data store is a customizable display managed with just the content the administrator wants viewed. The data store is purged after 90 days if no administration is conducted sooner. A separate analytics license is enforced at the NOC. The license restricts the number of Access Point streams processed at the NOC or forwarded to partner systems for further processing. The analytics feature can be turned on at select APs by enabling them in configuration. This way the customer can enable analytics on a select set of APs and not the entire system as long as the number of APs on which it is enabled is less than or equal to the total number of AP analytics licenses available at the NOC controller. For more information, see:
System Analytics
RF Domain Analytics
Wireless Controller Analytics
Access Point Analytics
Analytic Event Monitoring

16.1 System Analytics

Analytics can be administrated at the system level to include all RF Domains, their controller or service platform memberships, adopted Access Points and their connected clients. For information on monitoring analytic events, refer to Analytic Event Monitoring.

To administrate analytics system-wide:
1 Select Statistics from the Web UI.
2 Select the Analytics menu item directly to the right of the System menu item within Statistics. The analytics screen displays with Captive Portal data displayed by default. Refer to the arrow icon located in the top right-hand side of each panel to define whether the display is in Chart format or a Table, or whether you would like the output for that parameter saved as a PDF report at a user specified location.

Figure 16-1 System Analytics - Captive Portal screen

3 Refer to the upper right-hand portion of the analytics interface and define the trending period for the data displayed. Options include Last 1 Day, Last 3 Days, Last 1 Week, Last 2 Weeks, Last 3 Weeks, Last 1 Month, Last 2 Months or Last 3 Months. Today is the default setting for trending analytics data.
4 Refer to the following Captive Portal analytic data trended and reported in real-time on the selected interval:
Device Types: Displays a pie chart (by default) of the captive portal clients (smart phones, tablets, laptops etc.). Select the table icon from the top right-hand side of the field to display the data in table format. Both the pie chart and table display the device type and the percentage of those devices only within the captive portal.
Device OS: Displays a pie chart (by default) of connected devices (using captive portal authentication), differentiated by their operating system (Windows, Linux, Android etc.). Select the table icon from the top right-hand side of the field to display the data in table format. Both the pie chart and table display the OS type and the percentage of that device OS type only within the captive portal.
Browser Types: Displays a pie chart (by default) of the browser types utilized by captive portal authenticated devices. Select the table icon from the top right-hand side of the field to display the data in table format. Both the pie chart and table display the browser type by percentage of utilization only within the captive portal.
Top X URLs: Reports the top visited URLs by connected clients using captive portal authentication. Use the spinner control to refine the number of URLs reported, then select Reload to update the display. Set whether the content is displayed as a chart or as a table.
Search Terms: Lists the number of unique clients who searched using a search term. Each display option lists the search term and the number of times each term was searched by a connected captive portal client. For example, if there are two clients (clients A and B), and client A searched for "extremenetworks" 5 times and B searched for "extremenetworks" 2 times, the count would be 2 and not 7. As with URLs, search terms are normalized (aggregated daily).
Normalized URLs: Reports URLs visited most often, normalized (aggregated daily), by devices using captive portal authentication. Select the arrow to the left of each listed URL timestamp to populate the URL and Count columns with the specific URLs visited and the number of times they have been visited.
Unique vs Repeat Users: Displays a breakdown of repeat versus new users to the captive portal. Both a chart and a table display are available, each with a timestamp of when the data was collected.
Device Count Per AP: Displays the number of top performing Access Points reporting connected client counts using captive portal authentication.
Clients in WLAN: Displays the number of managed WLANs reporting connected client counts. Client analytics are trended every 75 minutes.

5 Select Client Analytics to display analytic level data for connected wireless clients.

NOTE: Be sure to select the Search button adjacent to the Search for Wireless Client parameter to ensure the tables are populated and refreshed with detected wireless clients. Client analytics are trended every 75 minutes.

6 Refer to the following Client Analytics trended at the selected interval:
Figure 16-2 System Analytics - Client Analytics screen

Hostname: Lists the administrator assigned hostname set for each listed client when connected to the controller, service platform or Access Point managed network.
Mac Address: Displays the factory encoded MAC address for the listed client as a hardware manufacturing ID.
IP Address: Lists the IP addresses the client is using as a wireless network identifier within the controller, service platform or Access Point managed network.
RF Domain: Lists the client's current RF Domain membership. RF Domains allow administrators to assign regional, regulatory and RF configuration to devices deployed in a common coverage area such as a building floor or site. Each RF Domain contains regional, regulatory and sensor server configuration parameters and may also be assigned policies that determine access, Smart RF and WIPS configuration.
Access Point: Displays an administrator assigned hostname for each listed Access Point whose radio is providing a network connection for the wireless network.

The Client Analytics screen contains Web Activity, Traffic and RF displays within the lower half of the screen. Each of these analytics displays an administrator's choice of graphical or tabled data for the client's Web activity, SNR, network interference, signal quality and packet retries.

7 The Web Activity field displays by default with the following content trended in the selected interval:
Figure 16-3 System Analytics - Client Web Activity screen

Bandwidth: Displays the client's Web activity bandwidth utilization in Bits per second (Bps) in either chart or table format.
URL Visited: Displays URLs visited by a selected client in either chart or table format. Either display contains the Web destination URL and the number of times the URL was accessed by the client.
Search Terms: Displays terms used as Web search criteria by connected clients in either chart or table format. Either display contains the search item and the number of times the term was searched by the client.

8 Select Traffic.
9 Refer to the following client Traffic analytics trended at the selected interval:
Figure 16-4 System Analytics - Client Traffic screen

Tx/Rx Bps: Displays the Bits per second (Bps) speed of data both transmitted from and received at the listed client, in either chart or table format.
Signal to Noise Ratio: Displays the connected client's signal to noise ratio (SNR) and a time stamp of its reporting. A high SNR could warrant a different Access Point connection to improve performance.
Tx/Rx Rate: Displays the connected client's transmit and receive data rate in either chart or table format.

10 Select RF.

Figure 16-5 System Analytics - Client RF screen

11 Refer to the following client RF analytics trended in the selected interval:
RF Quality Index: Displays the overall effectiveness of the system-wide RF environment as a percentage of the connect rate in both directions. The RF quality index value can be interpreted as:
0 - 20 (Very low utilization)
20 - 40 (Low utilization)
40 - 60 (Moderate utilization)
60 and above (High utilization)
Average Retries: Displays the rate of client connection retry attempts and a timestamp of their occurrence in either chart or table format. A high number indicates potential network or hardware issues.

12 Select Smart RF to display system-level power and channel compensation analytics.
13 Refer to the following system-wide power level, channel and coverage Smart RF analytics trended in real-time at the administrator defined interval:

Figure 16-6 System Analytics - Smart RF screen

Power Level Changes: Displays the number of Smart RF power level compensations made for the system's RF Domains during the defined analytic reporting interval. This helps an administrator assess the device power changes needed to accommodate a potentially failed or poorly performing device and provides insight into the overall duty cycle requirements of a particular RF Domain.
Channel Changes: Displays the number of Smart RF channel change compensations made for the system's RF Domains during the defined analytic reporting interval.
Coverage Changes: Displays the number of Smart RF coverage change compensations made for the system's RF Domains during the defined analytic reporting interval.

16.2 RF Domain Analytics

Additional analytics are available at the RF Domain level of the user interface for trending data for specific groups of RF Domain member devices. RF Domain analytics are trended every 60 minutes. For information on monitoring analytic events, refer to Analytic Event Monitoring.

To administrate RF Domain level analytics:
1 Select Statistics from the Web UI.
2 Select the Analytics menu item directly to the right of the System menu item within Statistics.
3 Expand the System hierarchy on the left-hand side of the user interface and select an RF Domain. The Analytics screen displays with the Captive Portal tab displayed by default. This is the same data presented at the system level of the user interface. For more information on captive portal analytics, see System Analytics on page 16-1.
4 Select Traffic to assess throughput and bandwidth utilization information reported collectively for selected RF Domain member devices. Use the WLAN drop-down menu to refine whether traffic statistics are reported for a particular RF Domain WLAN or reported collectively for all WLANs. Refer to the arrow icon located in the top right-hand side of each panel to define whether the display is in Chart format or a Table, or whether you would like the output for that parameter saved as a PDF report at a user specified location.

Figure 16-7 RF Domain Analytics - Traffic screen

5 Refer to the upper right-hand portion of the analytics interface and define the trending period for the data displayed. Options include Yesterday, Last 24 Hours, Last 3 Days, Last 1 Week, Last 2 Weeks, Last 3 Weeks, Last 1 Month, Last 2 Months or Last 3 Months. Today is the default setting for trending analytics data.
6 Refer to the following Traffic analytic data trended and reported for RF Domain member devices:
Throughput: Lists RF Domain member device throughput (in Mbps) as an overall indicator of RF traffic activity of all RF Domain member devices. Assess whether specific times of the day require additional RF Domain member device support to adequately support RF traffic requirements.
Tx/Rx Bps: Displays transmit and receive data (in Bps) for RF Domain member devices over the listed trending period.
Bandwidth Usage: Lists RF Domain member bandwidth utilization (in Kbps) to help an administrator assess periods of sustainable versus unsustainable activity.
Average Client Count per AP: Displays RF Domain member Access Points and their connected client counts. Assess whether particular client counts are excessive, and whether loads can be better distributed amongst RF Domain member Access Points. Client analytics are trended every 75 minutes.
Client Count: Lists RF Domain member Access Point connected client counts. Use the trending data to assess periods of high versus low client connection activity. Client analytics are trended every 75 minutes.
Wireless Traffic Distribution: Displays a chart of unicast versus management frames transmitted by RF Domain member devices.

7 Select RF to display RF Domain member device RF quality, detected network interference (noise) and device connection retries.
8 Refer to the following RF analytics trended for a selected RF Domain:
Figure 16-8 RF Domain Analytics - RF screen

RF Quality Index: Displays the trended graph of the effectiveness of a selected RF Domain's RF environment as a percentage of the connect rate in both directions. The RF quality index value can be interpreted as:
0 - 20 (Very low utilization)
20 - 40 (Low utilization)
40 - 60 (Moderate utilization)
60 and above (High utilization)
Signal to Noise Ratio: Displays a selected RF Domain's connected client signal to noise ratio (SNR) and a time stamp of its reporting. A high SNR could warrant power compensation to account for poorly performing radios.
Retry Rate: Lists the number of retry attempts for requesting client connections to RF Domain member device radios.
9 Select Client Analytics to display analytic level data for connected wireless clients. This data is the same client analytic data available at the system level of the user interface, only displayed for the selected RF Domain as opposed to the entire system. For more information on client analytics, see System Analytics on page 16-1.

NOTE: When trending client analytics, be sure to select the Search button adjacent to the Search for Wireless Client parameter to ensure the tables are populated with detected wireless clients. Client analytics are trended every 75 minutes.

10 Select Smart RF.
11 Refer to the following RF Domain power level, channel and coverage adjustment Smart RF analytics:
Figure 16-9 RF Domain Analytics - Smart RF screen

Total Power Changes: Lists the total trended number of power compensations required by RF Domain member radios to account for the power load requirements of offline or poor performing radios.
Total Channel Changes: Lists the total trended number of channel compensations required by RF Domain member radios to account for the channel support requirements of offline or poor performing radios.
Total Coverage Changes: Displays the total trended number of coverage compensations required by RF Domain member radios to account for the load requirements of offline or poor performing radios.
Power Changes by AP: Lists the total trended number of power compensations made by individual RF Domain member Access Points to account for the power load requirements of offline or poor performing radios.
Channel Changes by AP: Lists the total trended number of channel compensations made by individual RF Domain member Access Points to account for the channel support requirements of offline or poor performing radios.
Coverage Changes by AP: Displays the total trended number of coverage compensations made by individual RF Domain member Access Points to account for the load requirements of offline or poor performing radios.
Power Level Changes: Lists all the power level changes made by RF Domain member radios separately within the same graph to help administrators assess periods of power compensations by numerous devices within the same RF Domain.
Channel Changes: Provides a timeline (using the selected trending period) of when channel changes occur amongst RF Domain member connected clients. Use this data to assess whether multiple device channel changes occur at the same time and whether the channel changes are to the same channel. RF Domain channel analytics are trended every 90 minutes.
Coverage Changes: Provides a timeline (using the selected trending period) of when coverage changes occur amongst RF Domain member connected clients. Use this data to assess whether multiple device coverage changes occur at the same time.
Coverage Changes by Client: Lists the factory encoded MAC addresses of connected clients that have made Smart RF initiated coverage changes with RF Domain member devices.
Channel Distribution: Displays a chart for both the 2.4 and 5 GHz radio bands showing the channels currently being utilized by RF Domain member devices. This is helpful to assess whether devices are utilizing channels properly spaced to avoid interference. RF Domain channel analytics are trended every 90 minutes.

16.3 Wireless Controller Analytics

Refined analytics are available at the individual controller or service platform level of the user interface for trending data for specific controllers or service platforms undergoing configuration updates. Wireless controller analytics are trended every 75 minutes. For information on monitoring analytic events, refer to Analytic Event Monitoring. A facility is also available for the comparison of configuration files to assess the specific updates made to configurations.

To review analytics for individual controllers or service platforms:
1 Select Statistics from the Web UI.
2 Select the Analytics menu item directly to the right of the System menu item within Statistics.
3 Expand the System hierarchy on the left-hand side of the user interface, expand an RF Domain and select a wireless controller.

Figure 16-10 Wireless Controller Analytics screen

4 Optionally select the Resource Usage button to display a subscreen trending the service platform's RAM Usage (in MB) and Disk Usage (in GB). Periodically revisit the service platform's resource usage to assess whether resources are jeopardized at certain times of the day, or whether repeatable patterns are observable that can assist in administration.
5 Refer to the following analytic data trended for the selected controller or service platform:

Timestamp | Displays a timestamp when an update was made to the selected controller or service platform's configuration.
User | Lists the user name that initiated the controller update.
Comments | Lists any comments made relative to a configuration update.

6 Select the Diff Files button to display the updates made to the selected controller or service platform's configuration versus the previous configuration utilized. Check the Timestamp and User columns against your change records: a configuration update with no matching change, or one made from an unexpected user account, is worth opening in Diff Files before anything else.

16.4 Access Point Analytics

Refined analytics are available at the individual Access Point level of the user interface for trending data for specific Access Points. For information on monitoring analytic events, refer to Analytic Event Monitoring. To review analytics for individual Access Points:
1 Select Statistics from the Web UI.
2 Select the Analytics menu item directly to the right of the System menu item within Statistics.
3 Expand the System hierarchy on the left-hand side of the user interface, expand an RF Domain and select a member Access Point. The Access Point analytics screen displays with the Traffic tab displayed by default.
4 Use the Radio drop-down menu to refine whether traffic statistics are reported for an Access Point's 2.4 or 5 GHz radio. Refer to the arrow icon located in the top right-hand side of each panel to define whether the display is in Chart format or a Table, or whether you would like the output for that parameter saved as a PDF report at a user specified location.

Figure 16-11 Access Point Analytics - Traffic screen

5 Refer to the upper right-hand portion of the analytics interface and define the trending period for the data displayed. Options include Last 1 Day, Last 3 Days, Last 1 Week, Last 2 Weeks, Last 3 Weeks, Last 1 Month, Last 2 Months or Last 3 Months. Today is the default setting for trending analytics data.
6 Refer to the following Traffic analytic data trended for the selected Access Point:

Data Transmit Rate | Lists the selected Access Point's throughput (in Mbps) as an indicator of RF traffic activity on the selected 2.4 or 5 GHz radio.
Tx/Rx BPs | Displays transmit and receive data (in Bps) for the selected Access Point radio over the defined trending period.
Bandwidth Usage | Lists Access Point radio bandwidth utilization (in Kbps) to help an administrator assess periods of sustainable versus unsustainable activity for the selected 2.4 or 5 GHz Access Point radio.
Clients by Radio | Displays a pie chart depicting the ratio of clients operating on different 802.11 bands (11BGN, 11AN etc.). This client data is trended every 75 minutes.
Client Count | Lists the selected Access Point's connected client count. Use this trending data to assess periods of high versus low client connection activity, and whether this particular Access Point is properly load balanced.
Wireless Traffic Distribution | Displays a chart depicting the ratio of unicast versus management frames transmitted by the selected Access Point.

7 Select RF to display Access Point RF quality analytics.
8 Refer to the following RF analytics trended for a selected Access Point:
Figure 16-12 Access Point Analytics - RF screen

RF Quality Index | Displays the trended graph of the effectiveness of a selected Access Point's RF environment as a percentage of the connect rate in both directions. The RF quality index value can be interpreted as: 0-20 (Very low utilization), 20-40 (Low utilization), 40-60 (Moderate utilization), 60 and above (High utilization).
Signal to Noise Ratio | Displays a selected Access Point's connected client signal to noise ratio (SNR) and a time stamp of its reporting. A high SNR could warrant power compensation to account for poorly performing Access Point radios.
Retry Rate | Lists the number of retry attempts for requesting client connections to the selected Access Point's radios.

16.5 Analytic Event Monitoring

Display the Event Monitor on the bottom portion of the analytic display, at any time or place in the user interface hierarchy, to review individual analytic events by their severity, originating device, reporting module and timestamp (occurrence). Review the following within the Event Monitor to assess if an individual event requires further administration to improve network performance:

Figure 16-13 Analytic Event Monitor

Severity | Lists the severity for each analytic event. Severity levels include Emergency, Alert, Critical, Errors, Warning, Notice, Info and Debug.
Message | Displays an event description to assist the administrator in assessing the significance of the event and (in conjunction with the severity) whether corrective action is immediately needed.
From | Displays the hardware encoded MAC address of the device impacted by the listed event.
Module | Lists the module from which analytic events are tracked and reported.
Mnemonic | Lists the service platform or controller mnemonic that translates the listed event into a string that is meaningful to the network administrator.
Time | Displays the date and time when each listed event was detected within the network.

17 WiNG Events

WiNG outputs an event message for configuration changes and status updates to enable an administrator to assess the success or failure of specific configuration activities. Use the information in this chapter to review system generated event messages and their descriptions. Each listed event can have customized notification settings defined and saved as part of an event policy. Thus, policies can be configured and administered in respect to specific sets of client association, authentication/encryption and performance events. Once policies are defined, they can be mapped to device profiles strategically, as the likelihood of an event applies to particular devices. By default there is no enabled event policy; one needs to be created and implemented. Until that is done, the security-relevant events in the catalog below (ADV-WIPS detections, 802.1X/EAP and captive portal authentication failures, certificate expiry) carry no customized notification, so create a policy early and map it to the profiles of the devices whose events matter most. For more information on the UI's descriptions of events, refer to Fault Management on page 13-1.

17.1 Event Messages

To review event history messages:
1 Select Configuration > Diagnostics > Fault Management > Event History to display the Event History screen.
2 Select Fetch Historical Events to display the diagnostic events in the Event History table.
3 Refer to the following (read only) information to assess logged diagnostic events.

Module | Event | Severity | Message | Description
ADOPT-SERVICE | SNMP_SUCCESS | 6 | | SNMP framework success
ADOPT-SERVICE | SNMP_FAILURE | 6 | | SNMP framework failure
ADOPT-SERVICE | TUT_TEMPERATURE_ALARM_RAISED | | ([str]) | Temperature alarm raised on sensor
ADOPT-SERVICE | TUT_TEMPERATURE_ALARM_CLEARED | | ([str]) | Temperature alarm cleared on sensor
ADOPT-SERVICE | TUT_FAN_ALARM_CLEARED | 5 | IPX ([str]) | Fan alarm cleared on ID
ADOPT-SERVICE | TUT_PWRCTRL_ALARM_RAISED | 5 | IPX ([str]) | Power controller alarm raised
ADOPT-SERVICE | TUT_PWRCTRL_ALARM_CLEARED | 5 | IPX ([str]) | Power controller alarm cleared
ADOPT-SERVICE | TUT_LINE_POWER_ALARM_RAISED | 5 | IPX ([str]) Line power alarm raised on id [str] | Line power alarm raised
ADOPT-SERVICE | TUT_LINE_POWER_ALARM_CLEARED | 5 | IPX ([str]) Line power alarm cleared on id [str] | Line power alarm cleared
ADOPT-SERVICE | TUT_WLAN_CLIENT_ASSOC | 6 | IPX ([str]) Client [str] on interface index [str] associated | Client associated
ADOPT-SERVICE | TUT_WLAN_CLIENT_DISASSOC | 6 | IPX ([str]) Client [str] on interface index [str] disassociated with status code [str], [str] | Client disassociated
ADOPT-SERVICE | TUT_WLAN_CLIENT_ASSOC_FAILURE | 3 | IPX ([str]) Association failed for Client [str] on interface index [str] with status code [str], [str] | Association failed for client on specified interface index
ADOPT-SERVICE | TUT_WLAN_CLIENT_AUTH | 6 | IPX ([str]) | Client on interface index authenticated
ADOPT-SERVICE | TUT_WLAN_CLIENT_DEAUTH | 6 | IPX ([str]) | Client on interface index deauthenticated with status code
ADOPT-SERVICE | TUT_WLAN_CLIENT_AUTH_FAILURE | 3 | IPX ([str]) | Authentication failed for client on interface index with status code
ADOPT-SERVICE | TUT_RADIO_ADAPTIVE_POWER_CHANGE | 5 | IPX ([str]) | Interface with operational status and power levels
ADOPT-SERVICE | TUT_RF_MONITOR_MODE_CHANGE | 5 | IPX ([str]) | RF monitor status changed to on interface
ADOPT-SERVICE | IPX_EVENT_FAILURE | 3 | IPX ([str]) | Failed to raise WiNG event
AP | NO_IMAGE_FILE | | [str] firmware image is not present on controller | Access Point firmware not on controller
AP | IMAGE_PARSE_FAILURE | | Format of [str] firmware image on controller is invalid | Invalid Access Point firmware file
AP | LEGACY_AUTO_UPDATE | | Legacy Access Point [str] [mac] being updated | Legacy Access Point updated
AP | AP_ADOPTED | | [str] [mac] adopted | Access Point adopted
AP | AP_UNADOPTED | | [str] [mac] un-adopted | Access Point unadopted
AP | AP_RESET_DETECTED | 6 | [str] [mac] reset itself | Access Point reset detected
AP | AP_RESET_REQUEST | 6 | [str] [mac] reset request | Access Point user requested reset
AP | AP_TIMEOUT | 6 | [str] [mac] timed out, reset sent to AP | Access Point timed out
AP | ADOPTED | | Access Point([qstr]/[qstr]/[dev]) at rf-domain:[qstr] adopted and configured. Radios: Count=[str], Bss: [str] | Access Point adopted and configured
AP | UNADOPTED | | Access Point([qstr]/[qstr]/[dev]) at rf-domain:[qstr] unadopted. Radios: Count=[str], Bss: [str] | Access Point unadopted
AP | ADOPTED_TO_CONTROLLER | | Joined successfully with controller [qstr]([str]) | Access Point adopted to controller
AP | ONLINE | | Access Point [dev] is now online. Offline Reason is [str]. Offline count is [int] | Access Point online
AP | OFFLINE | | Access Point [dev] is now offline. Offline Reason is [str]. Offline count is [int] | Access Point offline
AP | OFFLINE | | Device [dev]([str]) is offline, last seen:[int] minutes ago on switchport [str] | Adopted device offline
AP | RESET | | Reset Access Point mac [dev], [str] | Access Point reset
AP | ADOPTION_REDIRECTED | | Access Point([qstr]/[qstr]/[dev]) cdp:[qstr] lldp:[qstr] redirected to the controller host/pair [qstr] - [qstr] | Access Point redirected
AP | AP_AUTOUP_TIMEOUT | 4 | AUTOUPGRADE: [str] mac [str] Autoupgrade timed out | Time out while auto upgrading an AP
AP | AP_AUTOUP_REBOOT | 5 | AUTOUPGRADE: [str] mac [str] Autoupgrade rebooting | Rebooting AP after upgrade
AP | AP_AUTOUP_NO_NEED | 6 | AUTOUPGRADE: [str] mac [str] ver [str] Autoupgrade not required or not available | Auto upgrade not initiated
AP | AP_AUTOUP_NEEDED | 6 | AUTOUPGRADE: [str] mac [str] ver [str] Autoupgrade will be applied | Auto upgrade is initiated on AP
AP | AP_AUTOUP_DONE | 5 | AUTOUPGRADE: [str] mac [str] Autoupgrade complete | Auto upgrade successful
AP | AP_AUTOUP_FAIL | 4 | AUTOUPGRADE: [str] mac [str] Autoupgrade failed | Failed auto upgrade attempt
AP | AP_AUTOUP_VER | 6 | AUTOUPGRADE: version [str] available for [str] equipment | Available Access Point firmware versions for auto upgrade
AP | SW_CONN_LOST | 0 | Lost connectivity with controller after config update. Rebooting and reverting to older working configuration | Controller connectivity lost
AAA | RADIUS_DISCON_MSG | 5 | Received Radius dynamic authorization Disconnect Message for [qstr] from server [qstr] | Received RADIUS disconnect request
AAA | RADIUS_VLAN_UPDATE | 6 | Assigning Radius server specified vlan [uint] to client [qstr] on wlan [qstr] | Client VLAN updated by RADIUS
AAA | RADIUS_SESSION_NOT_STARTED | 5 | Radius server indicates session time has not started for client [qstr] | Start time from RADIUS resource not yet valid
AAA | RADIUS_SESSION_EXPIRED | 5 | Radius server indicates session has already expired for client [qstr] | Session time from RADIUS resource already expired
ADV-WIPS | ADV-WIPS-EVENT-1 | 4 | Detected DoS Deauthentication attack against [mac] [str] | DoS Deauthentication attack
ADV-WIPS | ADV-WIPS-EVENT-2 | 4 | Detected DoS Disassociation attack against [mac] [str] | DoS disassociation attack
ADV-WIPS | ADV-WIPS-EVENT-3 | 4 | Detected DoS EAP failure spoof attack by [mac] [str] | EAP failure spoof attack
ADV-WIPS | ADV-WIPS-EVENT-10 | 4 | Detected ID-Theft out of sequence attack for [mac] [str] | ID theft out of sequence attack
ADV-WIPS | ADV-WIPS-EVENT-11 | 4 | Detected possible ID-Theft EAPoL Success spoof attack by [mac] [str] | Possible ID theft EAPoL success spoof attack
ADV-WIPS | ADV-WIPS-EVENT-12 | 4 | Detected possible WLAN-Jack attack by [mac] [str] | Possible WLAN jack attack
ADV-WIPS | ADV-WIPS-EVENT-13 | 4 | Detected possible ESSID-Jack attack against [mac] [str] | Possible ESSID jack attack
ADV-WIPS | ADV-WIPS-EVENT-14 | 4 | Detected possible Monkey-Jack attack by [mac] [str] | Possible monkey jack attack
ADV-WIPS | ADV-WIPS-EVENT-16 | 4 | Detected possible NULL Probe Response attack by [mac] [str] | Possible NULL probe response attack
ADV-WIPS | ADV-WIPS-EVENT-26 | 4 | Detected DoS RTS flood attack against [mac] [str] | DoS RTS flood attack
ADV-WIPS | ADV-WIPS-EVENT-63 | 4 | Detected Windows ZERO Configuration Memory Leak on [mac] [str] | Windows ZERO configuration memory leak
ADV-WIPS | ADV-WIPS-EVENT-105 | 4 | Sanctioned MU [mac] detected associated with unsanctioned/neighboring AP [str] | Sanctioned MU detected associated with unsanctioned/neighboring AP
ADV-WIPS | ADV-WIPS-EVENT-109 | 4 | Multicast all systems traffic found from [mac] [str] | Multicast all systems traffic
ADV-WIPS | ADV-WIPS-EVENT-110 | 4 | Multicast all routers traffic found from [mac] [str] | Multicast all routers traffic
ADV-WIPS | ADV-WIPS-EVENT-111 | 4 | Multicast OSPF all traffic found from [mac] [str] | Multicast OSPF all traffic
ADV-WIPS | ADV-WIPS-EVENT-112 | 4 | Multicast OSPF Designated Routers traffic found from [mac] [str] | Multicast OSPF designated routers traffic
ADV-WIPS | ADV-WIPS-EVENT-113 | 4 | Multicast RIP-2 Routers traffic found from [mac] [str] | Multicast RIP-2 routers traffic
ADV-WIPS | ADV-WIPS-EVENT-114 | 4 | Multicast IGRP Routers traffic found from [mac] [str] | Multicast IGRP routers traffic
ADV-WIPS | ADV-WIPS-EVENT-115 | 4 | Multicast DHCP Server Relay Agent traffic found from [mac] [str] | Multicast DHCP server relay agent traffic
ADV-WIPS | ADV-WIPS-EVENT-116 | 4 | Multicast VRRP Agent traffic found from [mac] [str] | Multicast VRRP agent traffic
ADV-WIPS | ADV-WIPS-EVENT-117 | 4 | Multicast HSRP Agent traffic found from [mac] [str] | Multicast HSRP agent traffic
ADV-WIPS | ADV-WIPS-EVENT-118 | 4 | Multicast IGMP traffic found from [mac] [str] | Multicast IGMP traffic
ADV-WIPS | ADV-WIPS-EVENT-119 | 4 | Detected NETBIOS traffic from [mac] [str] | Detected NETBIOS traffic
ADV-WIPS | ADV-WIPS-EVENT-120 | 4 | Detected STP traffic from [mac] [str] | Detected STP traffic
ADV-WIPS | ADV-WIPS-EVENT-121 | 4 | Detected IPX traffic from [mac] [str] | Detected IPX traffic
ADV-WIPS | ADV-WIPS-EVENT-142 | 4 | Detected possible Probe Response attack by [mac] [str] | Possible probe response attack
ADV-WIPS | ADV-WIPS-EVENT-220 | 4 | Detected Unauthorized Bridge [mac] [str] | Unauthorized bridge
ADV-WIPS | ADV-WIPS-EVENT-221 | 4 | Detected Invalid Management Frames from [mac] [str] | Invalid management frames
ADV-WIPS | ADV-WIPS-EVENT-222 | 4 | Detected Invalid Channel Advertisement for [mac] [str] | Invalid channel advertisement
CAPTIVE-PORTAL | AUTH_SUCCESS | 6 | Captive-portal authentication success for client [mu] ([qstr-ip]) user [qstr] | Authentication success
CAPTIVE-PORTAL | AUTH_FAILED | 6 | Captive-portal authentication failed for client [mu] ([qstr-ip]) | Authentication failed
CAPTIVE-PORTAL | SESSION_TIMEOUT | 6 | Captive-portal session timed out for client [mu] ([qstr-ip]) | Session timed out
CAPTIVE-PORTAL | CLIENT_DISCONNECT | 6 | Captive-portal session disconnected for client [mu] ([qstr-ip]) | Client disconnected
CAPTIVE-PORTAL | PURGE_CLIENT | 6 | Captive-portal: Purge client [mu] by new client [mu] for user [qstr] | Client purged
CAPTIVE-PORTAL | FLEX_LOG_ACCESS | 6 | [qstr]: [qstr] allowed access for client [mu] ([qstr-ip]) | Flex log access granted for client
CAPTIVE-PORTAL | INACTIVITY_TIMEOUT | 6 | Captive-portal session cleared for client [mu] ([qstr-ip]) after inactivity timeout | Client timed out due to inactivity
CAPTIVE-PORTAL | ALLOW_ACCESS | 6 | Captive-portal allow access for client [mu] ([qstr-ip]) | Client allowed access
CAPTIVE-PORTAL | CLIENT_REMOVED | 6 | Captive-portal session removed for client [mu] ([qstr-ip]) on policy change/admin action | Client removed due to admin changes
CAPTIVE-PORTAL | PAGE_CRE_FAILED | 3 | Page creation failed for policy [qstr], file [qstr], Error [qstr] | Page creation failure
CAPTIVE-PORTAL | DATA_LIMIT_EXCEED | 6 | Data limit exceed, Usage:[int] KBytes, Action:[str], client [mu] ([ip]) | Client data limit exceeded
CAPTIVE-PORTAL | VLAN_SWITCH | 6 | Client [mu] ([ip]) switching from vlan [int] to vlan [int] | Client VLAN switch
CAPTIVE-PORTAL | SERVER_MONITOR_STATE_CHANGE | 6 | Captive-portal policy [qstr]: service monitor [str] server status changing from [qstr] to [qstr] | Captive portal server monitor state changed
CAPTIVE-PORTAL | NO_SERVICE_PAGE_SENT | 6 | Captive-portal sent no service page to client [mu] ([ip]) as [str] server is down | No service page sent to client
CERTMGR | RSA_KEY_ACTIONS_SUCCESS | 6 | [str] of RSA key [str] successful | Successful completion of RSA key related actions (import, export etc.)
CERTMGR | RSA_KEY_ACTIONS_FAILURE | 3 | [str] of RSA key [str] failed: [str] | Failure of RSA key related actions (import, export etc.)
CERTMGR | CA_CERT_ACTIONS_SUCCESS | 6 | [str] of CA certificate for trustpoint [str] successful | Successful completion of CA certificate related actions (import, export etc.)
CERTMGR | CA_CERT_ACTIONS_FAILURE | 3 | [str] of CA certificate for trustpoint [str] failed: [str] | Failure of CA certificate actions (import, export etc.)
CERTMGR | SRV_CERT_ACTIONS_SUCCESS | 6 | [str] of Server Certificate of trustpoint [str] successful | Successful completion of server certificate actions (import, export etc.)
CERTMGR | SVR_CERT_ACTIONS_FAILURE | 3 | [str] of Server Certificate of trustpoint [str] failed: [str] | Failure of server certificate actions (import, export etc.)
CERTMGR | CSR_EXPORT_SUCCESS | 6 | Export of Certificate Signing Request for [str] successful | Successful export of certificate signing request
CERTMGR | CSR_EXPORT_FAILURE | 3 | Export of Certificate Signing Request for [str] failed: [str] | Failed to export certificate signing request
CERTMGR | CRL_ACTIONS_SUCCESSS | 6 | [str] of CRL for trustpoint [str] successful | Successful completion of certificate revocation list action
CERTMGR | CRL_ACTIONS_FAILURE | 3 | [str] of CRL for trustpoint [str] failed: [str] | Certificate revocation list action failure
CERTMGR | DELETE_TRUSTPOINT_ACTION | 6 | Deletion of trustpoint [str] successful | Deletion of trustpoint
CERTMGR | IMPORT_TRUSTPOINT | 6 | Import of Trustpoint [str] [str] | Import of trustpoint
CERTMGR | EXPORT_TRUSTPOINT | 6 | Export of Trustpoint [str] [str] | Export of trustpoint
CERTMGR | CERT_EXPIRY | 4 | [str] certificate for trustpoint [str] [str] | Certificate expiration
CERTMGR | CA_KEY_ACTIONS_SUCCESS | 6 | [str] of CA private key for trustpoint [str] successful | Successful completion of CA private key actions
CERTMGR | CA_KEY_ACTIONS_FAILURE | 3 | [str] of CA private key for trustpoint [str] failed: [str] | Failure of CA private key actions
CERTMGR | CERT_RENEW_FAILED | 1 | Certificate renew in field failed reason [str] | Certificate renew failure reason
CLUSTER | CMASTER_CFG_UPDATE_FAIL | 3 | Cluster master config update to [str] failed, Err: [str] | Cluster master config update failed
CLUSTER | MAX_EXCEEDED | 4 | Max cluster members ([uint]) exceeded, clustering will not function properly until corrected | Max cluster count exceeded
CLUSTER | STATE_CHANGE | 4 | Active cluster member changed. Present active [str]. Previous active [str]. | Active cluster membership change
CLUSTER | STATE_CHANGE_INACTIVE | 4 | Member [str] (load[int]) changing state from Active to Standby. New member [str] standby load [int]. | Cluster member change from active to standby
CLUSTER | STATE_CHANGE_ACTIVE | 4 | Member [str] (load[int]) changing state from Standby to Active. New member [str] standby load [int] | Cluster member change from standby to active
CLUSTER | STATE_RETAIN_ACTIVE | 4 | Member [str] (load[int]) retaining Active state. New member [str] standby load [int] | Cluster member retaining active state
CRM | CRITICAL_RESOURCE_UP | 5 | Critical Resource [str] is UP | Critical resource is up
CRM | CRITICAL_RESOURCE_DOWN | 5 | Critical Resource [str] is DOWN | Critical resource is down
CERTMGR-LITE | INVALIDCACERT | 5 | CA Certificate imported for the trustpoint [str] is invalid | CA certificate is invalid
CERTMGR-LITE | INVALIDSERVCERT | 5 | Server Certificate imported for the trustpoint [str] is invalid | Server certificate is invalid
CERTMGR-LITE | INVALIDCERTCRL | 5 | Certificate Crl Imported for trustpoint [str] is invalid | CRL is invalid
CERTMGR-LITE | CERTEXPIRED | 5 | [str] Certificate of trustpoint [str] is expired | Certificate is expired
CERTMGR-LITE | INVALIDCERTKEY | 5 | Private key imported for trustpoint [str] is not valid | Private key is invalid
CERTMGR-LITE | INVALIDRSAKEY | 5 | Rsakey imported is not valid [str] is invalid | RSA key import operation
CERTMGR-LITE | KEYDECRYPTFAILE | 4 | Rsakey cannot be decrypted with the password provided | RSA key cannot be decrypted with provided password
CERTMGR-LITE | CERTIMPORTED | 6 | [str] Certificate imported for the trustpoint [str] | Certificate imported for trustpoint
CERTMGR-LITE | CERTKEYIMPORTED | 6 | Private key imported for the trustpoint [str] | Private key imported for trustpoint
CERTMGR-LITE | RSAKEYIMPORTED | 6 | Rsakey imported with the name [str] | RSA key imported
CERTMGR-LITE | DELETETRUSTPOINT | 6 | Trustpoint [str] is deleted | Trustpoint deleted
CERTMGR-LITE | DELETERSAKEY | 6 | Rsakey [str] is deleted | RSA key deleted
CERTMGR-LITE | CERTREQUESTGEN | 6 | Certificate request generated for the trustpoint [str] | Certificate request generated
CERTMGR-LITE | CERTSELFSIGNEDGEN | 6 | Selfsigned certificate generated for the trustpoint [str] | Self signed certificate generated
CERTMGR-LITE | RSAKEYGEN | 6 | Rsa key [str] generated | RSA key generated
CERTMGR-LITE | ERROR | 5 | [str] | Certificate manager general error
CERTMGR-LITE | CERT_EXPIRY | 4 | [str] certificate for trustpoint [str] [str] | Certificate about to expire
DHCPSVR | DHCPSVR_START | 6 | DHCP server is started | DHCP server started
DHCPSVR | DHCPSVR_STOP | 6 | DHCP server is stopped | DHCP server stopped
DHCPSVR | RELAY_NO_IFACE | 4 | Dhcp relay cannot be allowed on interface [str] as it does not exist | No interface for DHCP relay
DHCPSVR | RELAY_IFACE_NO_IP | 4 | Dhcp relay cannot be allowed on interface [str] as it does not have an IP address | No IP address on DHCP relay interface
DHCPSVR | RELAY_START | 6 | DHCP relay agent started on [str] | DHCP relay agent started
DHCPSVR | RELAY_STOP | 6 | DHCP relay agent stopped | DHCP relay agent stopped
DIAG | WD_RESET_SYS | 2 | The system has been RESET by the Watchdog | Log watchdog reset
DIAG | CPU_USAGE_TOO_HIGH | 4 | CPU Usage too high. Limit of [int]*(0.1%) exceeded. Current CPU usage is [int]*(0.1%) | Current CPU usage is too high
DIAG | CPU_USAGE_TOO_HIGH_RECOVER | 4 | CPU Usage too high recover. Limit is [int]*(0.1%) | Log CPU load detected as too high
DIAG | CPU_LOAD | 4 | [str] minute average load limit exceeded, value is [str]% limit is [str]% (top processes: [str]) | CPU average load limit exceeded
DIAG | RAM_USAGE | 6 | [str], pid [uint], has exceeded ram usage limit [uint].[uint]%, now using [uint].[uint]% | Log processor RAM usage has exceeded RAM limit
DIAG | MEM_USAGE_TOO_HIGH | 6 | Memory Usage too high. Current Usage is [int]*(0.1%). Memory Usage Threshold is [int]*(0.1%) | Memory usage too high
DIAG | MEM_USAGE_TOO_HIGH_RECOVER | 6 | Memory Usage too high recover. Current Usage is [int]*(0.1%). Memory Usage Threshold is [int]*(0.1%) | Memory usage detected as too high
DIAG | BUF_USAGE | 6 | [uint] byte buffer usage greater than expected, [uint] used, warning level [uint] | Log buffer usage greater than anticipated
DIAG | HEAD_CACHE_USAGE | 6 | socket buffer head cache usage is greater than expected, usage [uint], warning level [uint] | Log head cache usage greater than anticipated
DIAG | IP_DEST_USAGE | 6 | IP destination cache usage is greater than expected, usage [uint], warning level [uint] | Log destination cache usage greater than anticipated
DIAG | FREE_RAM | 6 | Free RAM, [str]% is less than limit [str]%. Top Memory process: [str]/[uint] using [uint].[uint]%, [str]/[uint] using [uint].[uint]%, [str]/[uint] using [uint].[uint]% | Log RAM space less than limit
DIAG | FREE_FLASH_DISK | 4 | Free [str] file system space, [str]% is less than limit [str]% | Log free disk space less than limit
DIAG | DISK_USAGE | 4 | Disk usage too high | Log disk usage too high
DIAG | NEW_LED_STATE | 6 | LED state message [str] from module [str] | Log LED state message from module
DIAG | FREE_FLASH_INODES | 4 | [uint] Free INodes on [str] file system is less than limit [uint] | Log INodes less than system limit
DIAG | FREE_NVRAM_DISK | 4 | Free [str] file system space, [str]% is less than limit [str]% | Log file system space less than limit
DIAG | FREE_NVRAM_INODES | 4 | [uint] Free INodes on [str] file system is less than limit [uint] | Log free INodes on file system less than limit
DIAG | FREE_RAM_DISK | 4 | Free [str] file system space, [str]% is less than limit [str]% | Log free file system space less than limit
DIAG | FREE_RAM_INODES | 4 | [uint] Free INodes on [str] file system is less than limit [uint] | LOG_FREE_VARFS_INODES
DIAG | FD_COUNT | 4 | FD Usage [uint] is over limit [uint] |
DIAG | LED_IDENTIFY | 6 | LED identify sequence [str] | Log identification sequence
DIAG | FAN_UNDERSPEED | 4 | Fan [str] under speed: [uint] RPM is under limit [uint] RPM | Fan speed under set RPM limit
DIAG | ELAPSED_TIME | 7 | Elapsed time since last diag run appears to be zero | Log elapsed time since last diagnostic run
DIAG | AUTOGEN_TECH_SPRT | 6 | Auto generated tech-support dump file [str] [str] | Log generation of tech support dump file
DIAG | POE_INIT_FAIL | 3 | Could not initialize the PoE manager | Log PoE manager initialization failure
DIAG | POE_POWER_LEVEL | 4 | POE power consumption is [uint]W which exceeds [uint]% of [uint]W power budget | Log power consumption exceeds power budget limit
DIAG | POE_READ_FAIL | 3 | Could not read from the PoE | Log PoE read failure
DIAG | POE_STATE_CHANGE | 4 | port [uint] POE state changed to [str] | Log PoE state change
DIAG | RAID_DEGRADED | 4 | RAID array is degraded | Log RAID array degraded
DIAG | RAID_ERROR | 4 | RAID array management error [uint] | Log RAID array management error
DIAG | PWRSPLY_FAIL | 4 | Power supply failure, no longer redundant | Log power supply failure
DIAG | HDD_FAILING | 4 | HDD is failing | Log HDD failure
DIAG | UNDER_VOLTAGE | 4 | Voltage [str]V under low limit [str]V | Log voltage sensor under low limit
DIAG | OVER_VOLTAGE | 4 | Voltage [str]V over high limit [str]V | Log voltage sensor over high limit
DIAG | LOW_TEMP | 6 | Temp sensor [str] [str]C under low limit [str]C | Log temperature sensor under low limit
DIAG | HIGH_TEMP | 4 | Temp sensor [str] [str]C over high limit [str]C | Log temperature sensor over high limit
DIAG | OVER_TEMP | 0 | Temp sensor [str] [str]C over maximum limit [str]C | Log temperature sensor over max limit; shutdown switch
DIAG | WD_STATE_CHANGE | 6 | Watchdog is now [str] | Log watchdog state
DOT1X | DOT1X_SUCCESS | 6 | Client [qstr] 802.1x/EAP authentication success on interface [qstr] | 802.1X authentication successful
DOT1X | DOT1X_FAILED | 5 | Client [qstr] failed 802.1x/EAP authentication on interface [qstr] | 802.1X authentication failed
DOT11 | COUNTRY_CODE | 5 | Country of operation configured to [str] | Country of operation configured
DOT11 | COUNTRY_CODE_ERROR | 1 | Error setting country of operation. [str] | Error setting country of operation
DOT11 | CLIENT_ASSOCIATED | 6 | Client [qstr] associated to wlan [qstr] ssid [qstr] on radio [qstr] | Client associated event
DOT11 | CLIENT_DISASSOCIATED | 6 | Client [qstr] disassociated from wlan [qstr] radio [qstr]: [str] (reason code:[uint]) | Client disassociated
DOT11 | CLIENT_DENIED_ASSOC | 5 | Client [qstr] denied association on radio [qstr] [str]: [str] | Client denied association
DOT11 | CLIENT_ASSOC_IGNORED | 6 | Client [qstr] ignored association on radio [qstr] [str]: [str] | Client ignored association
DOT11 | WPA_WPA2_SUCCESS | 6 | Client [qstr] completed [str] handshake on wlan [qstr] radio [qstr] | Client completed WPA/WPA2 handshake
DOT11 | WPA_WPA2_FAILED | 5 | Client [qstr] failed [str] handshake on wlan [qstr] radio [qstr] |
DOT11 | WPA_WPA2_KEY_ROTN | 6 | Rotating wpa/wpa2 group keys on wlan [qstr] |
DOT11 | TKIP_MIC_FAIL_REPORT | 5 | TKIP message integrity check failure reported by [mac] on wlan [qstr] |
DOT11 | TKIP_MIC_FAILURE | 5 | TKIP message integrity check failed in packet from [mac] on wlan [qstr] |
DOT11 | TKIP_CNTRMEAS_START | 4 | Initiating TKIP countermeasures on wlan [qstr] ssid [qstr] |
DOT11 | TKIP_CNTRMEAS_END | 4 | TKIP countermeasures ended on wlan [qstr] ssid [qstr] |
DOT11 | EAP_SUCCESS | 6 | Client [qstr] 802.1x/EAP (type:[str]) authentication success on wlan [qstr] radio [qstr] username [str] |
DOT11 | EAP_FAILED | 5 | Client [qstr] failed 802.1x/EAP authentication on wlan [qstr] radio [qstr] |
DOT11 | EAP_CLIENT_TIMEOUT | 5 | Client [qstr] timeout attempting 802.1x/EAP authentication on wlan [qstr] radio [qstr] |
DOT11 | EAP_SERVER_TIMEOUT | 5 | Radius server [str] timeout authenticating client [qstr] on wlan [qstr] radio [qstr] |
DOT11 | EAP_CACHED_KEYS | 6 | Key Cache used for client [qstr] on wlan [qstr] radio [qstr]. Skipping 802.1x |
DOT11 | EAP_OPP_CACHED_KEYS | 6 | Opportunistic Key Cache used for client [qstr] on wlan [qstr] radio [qstr]. Skipping 802.1x. |
DOT11 | EAP_PREAUTH_SUCCESS | 6 | Client [qstr] 802.1x/EAP (type:[str]) pre-authentication success on wlan [qstr] bss [mac] |
DOT11 | EAP_PREAUTH_FAILED | 5 | Client [qstr] failed 802.1x/EAP pre-authentication on wlan [qstr] bss [mac] |
DOT11 | EAP_PREAUTH_CLIENT_TIMEOUT | 5 | Client [qstr] timeout attempting 802.1x/EAP pre-authentication on wlan [qstr] |
DOT11 | EAP_PREAUTH_SERVER_TIMEOUT | 5 | Radius server [qstr] timeout pre-authenticating client [qstr]
on wlan [qstr]
DOT11 FT_ROAM_SUCCESS 6 Client [qstr] fast bss transition roam to wlan [qstr] ssid [qstr] on radio
[qstr]
DOT11 GAL_RX_REQUEST 6 Received request to validate [qstr] on global assoc-list [qstr] from [qstr]
on rf-domain [qstr]
WiNG Events Client failed WPA/WPA2 handshake Rotating WPA/WPA2 group keys on WLAN TKIP MIC failure report TKIP MIC check failed TKIP countermeasures initiated TKIP countermeasures ended EAP authentication success EAP authentication failure EAP authentication timed out RADIUS server timed out Key cache used for authentication Opportunistic key caching used for authentication EAP pre authentication success EAP pre-authentication failed EAP pre-authentication client timeout detected EAP pre-authentication server timeout detected Client fast BSS transition roam to WLAN SSD ID on radio Received request to validate global association request for RF Domain Wireless Controller and Service Platform System Reference Guide 17 - 11 WiNG Events DOT11 GAL_TX_RESPONSE 6 Sending global assoc-
list [qstr] response for [qstr] to [qstr] on rf-domain
[qstr], result: [str]
DOT11 GAL_VALIDATE_REQ 6 Sending global assoc-
list validation request to controller for [qstr]
DOT11 GAL_VALIDATE_FAILED 6 Received global assoc-list validation failure for [qstr]
DOT11 GAL_VALIDATE_SUCCESS 6 Received global assoc-list validation success for [qstr]
FWUFWUDONE6Firmware update successful, new version is [str]
FWUFWUABORTED6Firmware update aborted FWUFWUNONEED6Firmware update not required, running and update versions same [str]
FWUFWUSYSERR3Firmware update unsuccessful, system cmd [str] failed FWUFWUBADCONFIG3Firmware update unsuccessful, unable to read configuration file FWUFWUSERVERUNDEF3Firmware update unsuccessful, update server undefined FWUFWUFILEUNDEF3Firmware update unsuccessful, update file undefined FWUFWUSERVERUNREACHABLE3 Firmware update unsuccessful, server [str] unreachable FWUFWUCOULDNTGETFILE3 Firmware update unsuccessful, couldn't get file, [str] //
FWUFWUVERMISMATCH3 Firmware update unsuccessful, version mismatch, expected [str], actual
[str] //
FWUFWUPRODMISMATCH3 Firmware update unsuccessful, product mismatch, expected [str], actual [str]
FWUFWUCORRUPTEDFILE3 Firmware update unsuccessful, corrupted firmware file FWUFWUSIGNMISMATCH3 Firmware update unsuccessful, signature mismatch, [str]
FWUFWUUNSUPPORTEDHW 3 Firmware update unsuccessful, unsupported hardware FWU FWUUNSUPPORTEDMODELNUM 3 Firmware update unsuccessful, unsupported FIPS model number ISDN_EMERG 0 Emergency: [str]
ISDN_ALERT 1 Alert: [str]
ISDN_CRIT 2 Critical: [str]
ISDN_ERR 3 Error: [str]
Sending global association response for RF Domain Sending global association list validation to controller Received global association list validation failures Received global association list validation successes Update successfully completed Update aborted Update not required, running and update version are the same Update unsuccessful, system cmd failed Update unsuccessful, unable to read config file Update unsuccessful, server undefined Update unsuccessful, update file undefined Update unsuccessful, server unreachable Update unsuccessful, could not get file Update unsuccessful, version mismatch Update unsuccessful, product mismatch Update unsuccessful, corrupted file Update unsuccessful, signature mismatch Update unsuccessful, unsupported hardware version Update unsuccessful, unsupported FIPS model number ISDN emergency ISDN alert ISDN critical ISDN error Wireless Controller and Service Platform System Reference Guide 17 - 12 WiNG Events License count Mesh link down L2TPV3 tunnel is down License installation Default license installation License removed License installation failed Mesh link up ISDN warning ISDN notice ISDN information ISDN debug L2TPV3 tunnel is up ISDN_WARNING 4 Warning: [str]
ISDN_NOTICE 5 Notice: [str]
ISDN_INFO 6 Info: [str]
ISDN_DEBUG 7 Debug: [str]
L2TPV3 L2TPV3_TUNNEL_UP 5 L2TPV3 tunnel [str]
is UP L2TPV3 L2TPV3_TUNNEL_DOWN 5 L2TPV3 tunnel
[str] is DOWN LICMGRLIC_INSTALLED6 [str] license installed LICMGRLIC_INSTALL_DEFAULT6 [str] default license installed, count: [int]
LICMGRLIC_INSTALL_COUNT6 [str] license installed, count: [int]
LICMGRLIC_REMOVED6 [str] license removed LICMGRLIC_INVALID3 [str] license invalid Error: [str]
MESH MESH_LINK_UP 5 Mesh link up between radio
[qstr] and radio [qstr]
MESH MESH_LINK_DOWN 5 Mesh link down between radio [qstr] and radio [qstr]
MGMTLOG_KEY_DELETED 4 Rsakey [str] associated with ssh is deleted so ssh is restarted with default rsa key MGMTLOG_KEY_RESTORED6Rsakey [str] associated with ssh is added so ssh is restarted with new key MGMTLOG_TRUSTPOINT_DELETED4 Trustpoint [str]
associated with https is deleted or expired so https is restarted with default trustpoint MGMTLOG_HTTP_START5 [str] started in external mode MGMTLOG_HTTP_LOCAL_START5 thttpd started in localhost mode MGMTLOG_HTTPS_START5 stunnel started MGMTLOG_HTTPS_WAIT5 waiting for thttpd to start Waiting for Web server to start MGMTLOG_HTTP_INIT5[str] status started is [uint]
and external mode is [uint]
MESH MESHPOINT_LOOP_PREVENT_ON 4 Meshpoint [qstr] loop prevention on (port [str]), wired traffic is blocked MESH MESHPOINT_LOOP_PREVENT_OFF 4 Meshpoint loop prevention off (port [str]), all wired traffic is allowed MESH MESHPOINT_ROOT_CHANGE 6 Meshpoint
[qstr] root changed from [mac] to [mac] via next hop
[mac]
Secure Web server started Meshpoint root changed Wired traffic is blocked Wired traffic is allowed Web server started RSA key associated with SSH is deleted RSA key associated with SSH is added Trustpoint associated with HTTPS is deleted Web server started in external mode Web server started in local mode Wireless Controller and Service Platform System Reference Guide 17 - 13 WiNG Events MESH MESHPOINT_PATH_CHANGE 6 Meshpoint
[qstr] next hop changed from [mac] to [mac] for
[mac]
NSM IFUP4 Interface [str] is up NSM IFDOWN4 Interface [str] is down NSM DHCPIP6 Interface [str] acquired IP address [ip]/
[uint] via DHC NSM DHCPDEFRT6 Default route with gateway [ip]
learnt via DHC NSM DHCPIPCHG5 Interface [str] changed DHCP IP -
old IP: [ip]/[uint], new IP: [ip]/[uint]
NSM DHCPNODEFRT5 Interface [str] lost its DHCP default route NSM IFIPCFG3 Interface [str] IP address [str] Interface
[str]
NSM DHCPC_ERR3 Both, DHCP client and server are configured for interface [str]. DHCP Client has been enabled on the interface and dhcp server is shut down NSM DHCPIPNOADD5 Interface [str] lost its DHCP IP address to interface [str]'s overlapping static configured IP address NSM DHCPLSEXP5 Interface [str] lost its DHCP IP address [ip] due to lease expiration NSM DHCPNAK5 Interface [str] lost its DHCP IP address [ip], DHCP NAK response from server NSM NSM_NTP6 Look up host [str] [str]//
NSM IF_FAILOVER5 Interface [str] failover to Interface [str]
NSM IF_FAILBACK5 Interface [str] failback to Interface [str]
PM PROCSTART6 Starting process [str]
PM PROCRSTRT3 Process str]"is not responding. Restarting process PM PROCMAXRSTRT1 Process [str] reached its maximum number of allowed restarts PM PROCSYSRSTRT0 Process [str] reached its maximum number of allowed restarts. Rebooting the system. PM PROCSTOP5 Process [str] has been stopped PM PROCID5 Process [str] changed its PID from [int]
to [int]
PM STARTUPCOMPLETE5 System startup complete PM PROCNORESP4Process [str] is not responding
([uint]/[uint]) Meshpoint next hop changed Interface up Interface down Interface assigned DHCP IP address Default route learnt via DHCP DHCP Interface IP changed Interface no default route Interface IP address DHCP server-client config conflict DHCP IP overlaps static IP address Interace DHCP lease expired DHCP Server returned DHCP NAK response Translate host name Interface failover Interface failback Process started Process restarted Process reached max number of restarts Process reached max restarts. Rebooting system. Process has been stopped Process changed PID System startup completed Process is not responding Wireless Controller and Service Platform System Reference Guide 17 - 14 WiNG Events RADCONFRADIUSDSTART6 Radius Server Started RADCONFRADIUSDSTOP6 Radius Server Stopped RADCONF COULD_NOT_STOP_RADIUSD3 radiusd could not be stopped RADIORADIO_STATE_CHANGE 5 Radio [qstr]
changing state from [qstr] to [qstr]
RADIORADAR_SCAN_STARTED 6 Radar scan on primary channel [uint] freq [uint] MHz for a duration
[uint] secs on radio [qstr]
RADIORADAR_SCAN_COMPLETED 6 Radar scan done on primary channel [uint] freq [uint] MHz on radio [qstr]
RADIORADAR_DETECTED 4 Radar found on channel
[uint] freq [uint] MHz RADIORADAR_DET_INFO 4 Radar info: Radio: [qstr]. New channel: [uint] freq [uint] MHz. Scan time: [uint]
secs RADIORESUME_HOME_CHANNEL 6 Operation on home channel [uint] freq [uint] MHz resumes on radio
[qstr] after earlier radar detect RADIO ACS_SCAN_STARTED 6 ACS scan started on radio [qstr]
RADIO ACS_SCAN_COMPLETE 6 ACS scan done, channel [uint] selected on radio [qstr]
RADIO_ANTENNA_ERROR 3 antenna type [str] in is not supported on radio [uint] of device [str]
RADIOCHANNEL_COUNTRY_MISMATCH3 Channel
[str] not valid in country of operation [str] for [str]
[str]
SYSTEM HTTP_ERR3 [str] did not start SYSTEMLOGIN_FAIL_BAD_ROLE3 Log-in failed -
[qstr] is an undefined user role - user [qstr] from
[qstr]
SYSTEMLOGOUT6 Logged out user [qstr] with privilege [qstr] from [qstr]
SYSTEMWARM_START6 System Warm Start Reason :
[str] Timestamp: [str]
SYSTEMWARM_START_RECOVER6 Warm Start Recover. Reason: [str] Timestamp: [str]
SYSTEMCOLD_START6 System Cold start. System came up at [str]
SYSTEMSERVER_UNREACHABLE5 Server not reachable, trying authentication using local database. SYSTEMPERIODIC_HEART_BEAT3Periodic Heart Beat. Interval:[int]. Ip address [str]. RADIUS server started RADIUS server stopped RADIUS server failed to stop Radio state changed Radar scan started Radar scan completed Radar detected Radar info Radio resuming on home channel ACS scan started ACS scan complete Invalid (unsupported) antenna detected on this radio Channel and country of operation mismatch Web server did not start Failed login attempt - no such user role Logout event System warm start System wam start recovery System cold start Authentication using the local database Periodic heartbeat detected Wireless Controller and Service Platform System Reference Guide 17 - 15 SYSTEMCONFIG_COMMIT6Configuration commit by user [qstr] ([str]) from [qstr]
SYSTEMCONFIG_REVISION6Configuration revision updated to [str] from [str]
SYSTEMSYSTEM_AUTOUP_ENABLE6 Autoupgrade enabled for [str]
SYSTEMSYSTEM_AUTOUP_DISABLE6 Autoupgrade disabled for [str]
SYSTEMMAAT_LIGHT5MAAT Light module [str]
SYSTEMDEVUP_RFD_FAIL4Upgrade failed on mac
[str] in RF domain [str]
SMTPNOT SMTPAUTH5 Authentication failure for user: [str] on server [str].//
SMTPNOT NET 5 Network error contacting server:
[str]. SMTPNOT SMTPINFO6[str]. SMTPNOT CFG5 Error reading configuration file. SMTPNOT CFGINC5 Incomplete Configuration. SMTPNOT SMTPERR5 [str]. SMTPNOT PROTO5Protocol Error: [str]. SYSTEMPROC_STOP6 Stopping process [qstr]
SYSTEMCLOCK_RESET6 System clock reset, Time:
[str]
SYSTEMLOGIN5 Successfully logged in user [qstr]
with privilege [qstr] from [qstr]
SYSTEMLOGIN_FAIL3 Log-in failed for user [qstr]
from [qstr]
SYSTEMLOGIN_FAIL_ACCESS3 Log-in failed - user
[qstr] is not allowed access from [qstr]
VRRP VRRP_STATE_CHANGE 5 [str]: VRRP Group
[uint] transitioned to [str] state VRRP VRRP_VIP_SUBNET_MISMATCH 2 VRRP Group [uint] VIP [ip] does not overlap with any of the interface addresses VRRP VRRP_MONITOR_CHANGE 5 [str]: VRRP Group [uint] monitored [str] state change to [str];
priority change from [uint] to [uint]
WIPSUNSANCTIONED_AP_ACTIVE 6 Unsanctioned AP [mac] vendor [str] on channel [int] with rssi [int]
active from [str]
WIPSUNSANCTIONED_AP_INACTIVE 6 Unsanctioned AP [mac] vendor [str] inactive from
[str]
WiNG Events Configuration commit Configuration updated Auto upgrade module is enabled Auto upgrade module is disabled Notice on action on RIM radio(s) from Maat Light module Upgrade for device failed on rf-domain manager User authentication failure Cannot contact server SMTP information notice Cannot read configuration Incomplete configuration SMTP 5XX errors SMTP protocol errors Stopping process System clock reset Successful login Failed login attempt - user authentication failed Failed login attempt - access violation VRRP state transition VRRP IP not overlapping with interface addresses VRRP monitor link state change Unsanctioned AP active Unsanctioned AP inactive Wireless Controller and Service Platform System Reference Guide 17 - 16 WiNG Events WIPSUNSANCTIONED_AP_STATUS_CHANGE 6 Unsanctioned AP [mac] vendor [str] status has been administratively changed WIPSROGUE_AP_ACTIVE 4 Rogue AP [mac]
vendor [str] on channel [int] with vlan [int] and rssi
[int] active from [str] //
WIPSROGUE_AP_INACTIVE 4 Rogue AP [mac]
vendor [str] inactive from [str]
WIPSAIR_TERMINATION_INITIATED 4 Air termination of [mac] vendor [str] on channel [int]
initiated WIPSAIR_TERMINATION_ENDED 4 Air termination of [mac] vendor [str] ended Unsanctioned AP changed state Rogue AP active Rogue AP inactive Air termination initiated Air termination ended Wireless Controller and Service Platform System Reference Guide 17 - 17 A PUBLICLY AVAILABLE SOFTWARE A.1 General Information This document contains information regarding licenses, acknowledgments and required copyright notices for open source packages used in the following products:
Access Points: AP6521, AP6522, AP6522M, AP6532, AP6562, AP7161, AP7502, AP7522, AP7532, AP7562, AP7602, AP7612, AP7622, AP7632, AP7662, AP8122, AP8132, AP8163, AP8232, AP8432 and AP8533.

Wireless Controllers and Service Platforms:
- Wireless Controllers: RFS4000, RFS6000
- Service Platforms: NX5500, NX5500E, NX7500, NX75XX, NX7510E, NX9500, NX9510, NX9600, NX9610, VX9000, VX9000E

Access Point, Wireless Controller, and Service Platform System Reference Guide A - 1

A.2 Open Source Software Used

The Support site, located at www.extremenetworks.com/support, provides information and online assistance including developer tools, software downloads, product manuals, support contact information and online repair requests.

| Name | Version | URL | License |
|---|---|---|---|
| Apache Web Server | 1.3.41 | http://www.apache.org/ | Apache License, Version 2.0 |
| Asterisk | 1.2.24 | http://www.asterisk.org/ | GNU General Public License 2.0 |
| accepts | 1.2.10 | http://registry.npmjs.org/accepts/-/accepts-1.2.10.tgz | MIT License |
| advas | 0.2.3 | http://advas.sourceforge.net/ | GNU General Public License, version 2 |
| alivepdf | 0.1.4.9 | https://code.google.com/p/alivepdf/ | MIT License |
| apscheduler | 3.0.1 | https://pypi.python.org/pypi/APScheduler/ | MIT License |
| async | 1.3.0 | http://registry.npmjs.org/async/-/async-1.3.0.tgz | MIT License |
| autoconf | 2.69 | http://www.gnu.org/software/autoconf/ | GNU General Public License, version 2 |
| automake | 1.11.6 | http://www.gnu.org/software/automake/ | GNU General Public License, version 2 |
| bash | 4.2 | http://www.gnu.org/software/bash/ | GNU General Public License, version 2 |
| binutils | 2.23 | http://www.gnu.org/software/binutils/ | GNU General Public License, version 2 |
| bison | 2.3 | http://www.gnu.org/software/bison/ | GNU General Public License, version 2 |
| bluez | 5.7 | http://www.bluez.org/ | GNU General Public License, version 2 |
| body-parser | 1.13.2 | http://registry.npmjs.org/body-parser/-/body-parser-1.13.2.tgz | MIT License |
| bridge | 1.0.4 | http://www.linuxfoundation.org/collaborate/workgroups/networking/bridge/ | GNU General Public License, version 2 |
| bridge-utils | 1.0.4 | http://sourceforge.net/projects/bridge/ | GNU General Public License, version 2 |
| buffer-crc32 | 0.2.5 | http://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.5.tgz | MIT License |
| busybox | 1.14.4 | http://www.busybox.net/ | GNU General Public License, version 2 |
| bytes | 2.1.0 | http://registry.npmjs.org/bytes/-/bytes-2.1.0.tgz | MIT License |
| colors | 1.1.2 | http://registry.npmjs.org/colors/-/colors-1.1.2.tgz | MIT License |
| compression | 1.5.1 | http://registry.npmjs.org/compression/-/compression-1.5.1.tgz | MIT License |
| connect-mongo | 0.8.2 | http://registry.npmjs.org/connect-mongo/-/connect-mongo-0.8.2.tgz | MIT License |
| cookie | 0.1.3 | http://registry.npmjs.org/cookie/-/cookie-0.1.3.tgz | MIT License |
| cookie-parser | 1.3.5 | http://registry.npmjs.org/cookie-parser/-/cookie-parser-1.3.5.tgz | MIT License |
| cookie-signature | 1.0.6 | http://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz | MIT License |
| cuint | 0.2.0 | http://registry.npmjs.org/cuint/-/cuint-0.2.0.tgz | MIT License |
| cycle | 1.0.3 | https://registry.npmjs.org/cycle/-/cycle-1.0.3.tgz | MIT License |
| czjson | 1.0.8 | https://pypi.python.org/pypi/czjson/1.0.8 | GNU Lesser General Public License 2.1 |
| dash | 0.5.7 | http://gondor.apana.org.au/~herbert/dash/ | The BSD License |
| debug | 2.2.0 | https://registry.npmjs.org/debug/-/debug-2.2.0.tgz | MIT License |
| depd | 1.0.1 | http://registry.npmjs.org/depd/-/depd-1.0.1.tgz | MIT License |
| dfu-util | 0.8 | http://dfu-util.gnumonks.org/ | GNU General Public License, version 2 |
| dhcp | 3.0.3 | http://www.isc.org/software/dhcp | ISC License |
| diffutils | 2.8.1 | http://www.gnu.org/software/diffutils/ | GNU General Public License, version 2 |
| dmalloc | 5.5.2 | http://dmalloc.com/ | None |
| dmidecode | 2.11 | http://savannah.nongnu.org/projects/dmidecode/ | GNU General Public License, version 2 |
| dnsmasq | 2.47 | http://www.thekelleys.org.uk/dnsmasq/doc.html | GNU General Public License, version 2 |
| dosfstools | 2.11 | http://www.daniel-baumann.ch/software/dosfstools/ | GNU General Public License, version 2 |
| dropbear | 0.55 | http://matt.ucc.asn.au/dropbear/dropbear.html | DropBear License |
| e2fsprogs | 1.41.13 | http://e2fsprogs.sourceforge.net/ | GNU General Public License, version 2 |
| ejs | 2.3.3 | http://registry.npmjs.org/ejs/-/ejs-2.3.3.tgz | Apache License, Version 2.0 |
| engine.io | 1.5.2 | http://registry.npmjs.org/engine.io/-/engine.io-1.5.2.tgz | MIT License |
| escape-html | 1.0.2 | http://registry.npmjs.org/escape-html/-/escape-html-1.0.2.tgz | MIT License |
| ethtool | 2.6.35 | http://www.kernel.org/pub/software/network/ethtool/ | GNU General Public License, version 2 |
| event-loop-lag | 1.1.0 | http://registry.npmjs.org/event-loop-lag/-/event-loop-lag-1.1.0.tgz | MIT License |
| express | 4.13.1 | http://registry.npmjs.org/express/-/express-4.13.1.tgz | MIT License |
| express-session | 1.11.3 | http://registry.npmjs.org/express-session/-/express-session-1.11.3.tgz | MIT License |
| eyes | 0.1.8 | http://github.com/cloudhead/eyes.js | MIT License |
| finalhandler | 0.4.0 | http://registry.npmjs.org/finalhandler/-/finalhandler-0.4.0.tgz | MIT License |
| flashrom | 0.9.4 | http://flashrom.org/Flashrom | GNU General Public License, version 2 |
| flex | 4.5.1.21328 | http://flex.sourceforge.net/ | The BSD License |
| fluks | 0.2 | https://github.com/markuspeloquin/fluks | MIT License |
| freedos | 4.5.1.21328 | http://www.freedos.org/download/ | GNU General Public License, version 2 |
| freeipmi | 1.1 | http://www.gnu.org/software/freeipmi/ | GNU General Public License, version 3 |
| fresh | 0.3.0 | http://registry.npmjs.org/fresh/-/fresh-0.3.0.tgz | MIT License |
| futures | 2.2.0 | https://github.com/agronholm/pythonfutures | The BSD License |
| gcc | 4.1.2 | http://gcc.gnu.org/ | GNU General Public License, version 2 |
| gdb | 7.2 | http://www.gnu.org/software/gdb/ | GNU General Public License, version 3 |
| gdbm | 1.8.3 | http://www.gnu.org/s/gdbm/ | GNU General Public License, version 2 |
| genext2fs | 1.4.1 | http://genext2fs.sourceforge.net/ | GNU General Public License, version 2 |
| glib2 | 2.30.2 | http://www.gtk.org/ | GNU Lesser General Public License 2.1 |
| glibc | 2.7 | http://www.gnu.org/software/libc/ | GNU General Public License, version 2 |
| has-binary-data | 0.1.5 | http://registry.npmjs.org/has-binary-data/-/has-binary-data-0.1.5.tgz | MIT License |
| hdparm | 9.38 | http://sourceforge.net/projects/hdparm/ | GNU General Public License, version 2 |
| hooks | 0.3.2 | http://registry.npmjs.org/hooks/-/hooks-0.3.2.tgz | MIT License |
| hostapd | 0.6.9 | http://hostap.epitest.fi/hostapd/ | GNU General Public License, version 2 |
| hotplug | 1.3 | http://sourceforge.net/projects/linux-hotplug/ | GNU General Public License, version 2 |
| hotplug2 | 0.9 | http://isteve.bofh.cz/~isteve/hotplug2/ | GNU General Public License, version 2 |
| i2ctools | 3.0.3 | http://www.lm-sensors.org/wiki/I2CTools | GNU General Public License, version 2 |
| iconv-lite | 0.4.11 | http://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.11.tgz | MIT License |
| igb | 5.2.9.4 | http://sourceforge.net/projects/e1000/ | GNU General Public License, version 2 |
| ipaddr | 2.1.0 | http://code.google.com/p/ipaddr-py/ | Apache License, Version 2.0 |
| ipkg-utils | 1.7 | http://www.handhelds.org/sources.html | GNU General Public License, version 2 |
| ipmitool | 1.8.11 | http://ipmitool.sourceforge.net/ | The BSD License |
| iproute2 | 050816 | http://www.linuxfoundation.org/collaborate/workgroups/networking/iproute2 | GNU General Public License, version 2 |
| iptables | 1.4.3 | http://www.netfilter.org/projects/iptables/index.html | GNU General Public License, version 2 |
| ipxe | 1.0.0 | http://ipxe.org/ | GNU General Public License, version 2 |
| isstream | 0.1.2 | https://registry.npmjs.org/isstream/-/isstream-0.1.2.tgz | MIT License |
| js-yaml | 3.3.1 | http://registry.npmjs.org/js-yaml/-/js-yaml-3.3.1.tgz | MIT License |
| kerberos | None | http://web.mit.edu/Kerberos/ | GNU General Public License, version 2 |
| kexec-tools | 2.0.3 | http://kernel.org/pub/linux/utils/kernel/kexec/ | GNU General Public License, version 2 |
| libbson | 1.1.0 | http://github.com/mongodb/libbson | Apache License, Version 2.0 |
| libcares | 1.7.1 | http://c-ares.haxx.se/ | The BSD License |
| libcurl | 7.30.0 | http://curl.haxx.se/libcurl/ | The BSD License |
| libdevmapper | 2.02.66 | ftp://sources.redhat.com/pub/lvm2/old | GNU Lesser General Public License 2.1 |
| libexpat | 2.0.0 | http://expat.sourceforge.net/ | MIT License |
| libffi | 3.0.7 | http://sourceware.org/libffi/ | MIT License |
| libgcrypt | 1.4.5 | ftp://ftp.gnupg.org/GnuPG/libgcrypt/ | GNU Lesser General Public License 2.1 |
| libgmp | 4.2.2 | http://gmplib.org/ | GNU Lesser General Public License, version 3.0 |
| libgnutls | 3.2.12 | ftp://ftp.gnupg.org/GnuPG/gnutls/v3.0/ | GNU Lesser General Public License, version 3.0 |
| libgpg-error | 1.6 | ftp://ftp.gnupg.org/GnuPG/libgpg-error/ | GNU Lesser General Public License 2.1 |
| libharu | 2.1.0 | http://libharu.org/ | MIT License |
| libhttp-parser | None | None | MIT License |
| libiconv | 1.14 | http://savannah.gnu.org/projects/libiconv/ | GNU General Public License 2.0 |
| libjson | 0.10 | http://sourceforge.net/projects/libjson/ | The BSD License |
| libkerberos | 0.1 | http://web.mit.edu/kerberos/dist/ | The BSD License |
| libncurses | 5.4 | http://www.gnu.org/software/ncurses/ | MIT License |
| libnettle | 2.7 | http://www.lysator.liu.se/~nisse/nettle/ | GNU Lesser General Public License 2.1 |
| libnuma | 2.0.10 | https://github.com/numactl/numactl/ | GNU Lesser General Public License, version 2.0 |
| libpam | 1.1.1 | http://www.kernel.org/pub/linux/libs/pam/ | The BSD License |
| libpcap | 1.0.0 | http://www.tcpdump.org/ | The BSD License |
| libpcre | 8.21 | ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/ | The BSD License |
| libpopt | 1.14 | http://freecode.com/projects/popt | MIT License |
| libraryopt | 1.01 | http://sourceforge.net/projects/libraryopt/ | GNU General Public License, version 2 |
| libreadline | 4.3 | http://cnswww.cns.cwru.edu/php/chet/readline/rltop.html | GNU General Public License, version 2 |
| libtool | 2.4.2 | http://www.gnu.org/software/libtool/ | GNU General Public License, version 2 |
| libusb | 0.1.12 | http://www.libusb.org/ | GNU Lesser General Public License, version 2.0 |
| libusb | 1.0.18 | http://www.libusb.org/ | GNU Lesser General Public License, version 2.0 |
| libvirt | 0.9.11 | http://libvirt.org/sources/ | GNU Lesser General Public License 2.1 |
| libxml2 | 2.8.0 | http://xmlsoft.org/ | MIT License |
| libxslt | 1.1.26 | http://xmlsoft.org/xslt/ | MIT License |
| lighttpd | 1.4.37 | http://www.lighttpd.net/ | MIT License |
| lilo | 22.6 | http://lilo.alioth.debian.org/ | The BSD License |
| linux | 2.6.28.9 | http://www.kernel.org/ | GNU General Public License, version 2 |
| linux | 2.6.35.9 | http://www.kernel.org/ | GNU General Public License, version 2 |
| lodash | 3.10.0 | http://registry.npmjs.org/lodash/-/lodash-3.10.0.tgz | MIT License |
| log-timestamp | 0.1.2 | http://registry.npmjs.org/log-timestamp/-/log-timestamp-0.1.2.tgz | MIT License |
| ltp | 20130904 | https://github.com/linux-test-project/ltp | GNU General Public License, version 2 |
| lxml | 2.3beta1 | http://lxml.de/ | The BSD License |
| lzma | 4.32 | http://www.7-zip.org/sdk.html | GNU Lesser General Public License, version 2.0 |
| lzma | 4.57 | http://www.7-zip.org/sdk.html | GNU Lesser General Public License, version 2.0 |
| lzo | 2.03 | http://www.oberhumer.com/opensource/lzo/ | GNU General Public License, version 2 |
| M2Crypto | 0.21.1 | http://chandlerproject.org/bin/view/Projects/MeTooCrypto | The BSD License |
| m4 | 1.4.16 | http://www.gnu.org/software/m4/ | GNU General Public License, version 2 |
| madwifi | trunk-r3314 | http://madwifi-project.org/ | The BSD License |
| mdadm | 3.2.2 | http://neil.brown.name/blog/mdadm | GNU General Public License, version 2 |
| media-typer | 0.3.0 | http://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz | MIT License |
| memtester | 4.0.8 | http://pyropus.ca/software/memtester/ | GNU General Public License, version 2 |
| merge-descriptors | 1.0.0 | http://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.0.tgz | MIT License |
| method-override | 2.3.4 | http://registry.npmjs.org/method-override/-/method-override-2.3.4.tgz | MIT License |
| methods | 1.1.1 | http://registry.npmjs.org/methods/-/methods-1.1.1.tgz | MIT License |
| mii-diag | 2.09 | http://freecode.com/projects/mii-diag | GNU General Public License, version 2 |
| mkyaffs | None | http://www.yaffs.net/ | GNU General Public License, version 2 |
| mod_ssl | 2.8.3.1-1.3.41 | http://www.modssl.org/ | The BSD License |
| mongo-c-driver | 1.1.0 | http://github.com/mongodb/mongo-c-driver | Apache License, Version 2.0 |
| mongo-python-driver | 2.7.1 | http://github.com/mongodb/mongo-python-driver | Apache License, Version 2.0 |
| mongodb | 3.0.5 | http://www.mongodb.org/ | GNU Lesser General Public License, version 3.0 |
| mongoose | 4.0.7 | http://registry.npmjs.org/mongoose/-/mongoose-4.0.7.tgz | MIT License |
| mpath | 0.2.1 | http://registry.npmjs.org/mpath/-/mpath-0.2.1.tgz | MIT License |
| mpromise | 0.5.5 | http://registry.npmjs.org/mpromise/-/mpromise-0.5.5.tgz | MIT License |
| mquery | 1.6.2 | http://registry.npmjs.org/mquery/-/mquery-1.6.2.tgz | MIT License |
| ms | 0.7.1 | http://registry.npmjs.org/ms/-/ms-0.7.1.tgz | MIT License |
| mtd | 2009-05-05 | http://www.linux-mtd.infradead.org/ | GNU General Public License, version 2 |
| mtd-utils | 1.4.4 | http://www.linux-mtd.infradead.org/ | GNU General Public License, version 2 |
| mtd-utils | 2009-05-05 | http://www.linux-mtd.infradead.org/ | GNU General Public License, version 2 |
| muri | 1.1.0 | http://registry.npmjs.org/muri/-/muri-1.1.0.tgz | MIT License |
| nano | 1.2.4 | http://www.nano-editor.org/ | GNU General Public License, version 2 |
| net-snmp | 5.3.0.1 | http://net-snmp.sourceforge.net/ | The BSD License |
| no-vnc | None | http://kanaka.github.io/noVNC/ | Mozilla Public License, version 2 |
| node-mongodb-native | 1.4.35 | http://github.com/mongodb/node-mongodb-native | Apache License, Version 2.0 |
| node.js | 0.12.7 | http://nodejs.org/ | MIT License |
| ntp | 4.2.6p4 | http://www.ntp.org/index.html | The BSD License |
| numactl | 2.0.10 | https://github.com/numactl/numactl/ | GNU General Public License, version 2 |
| Open Scales | 2.2 | http://openscales.org/ | GNU Lesser General Public License, version 3.0 |
| OpenStreetMap | | http://www.openstreetmap.org/ | Creative Commons Attribution-ShareAlike License, version 3.0 |
| on-headers | 1.0.0 | http://registry.npmjs.org/on-headers/-/on-headers-1.0.0.tgz | MIT License |
| openldap | 2.4.40 | http://www.openldap.org/foundation/ | The Open LDAP Public License |
| openlldp | 0.0.3alpha | http://openlldp.sourceforge.net/ | GNU General Public License, version 2 |
| openssh | 6.6p1 | http://www.openssh.com/ | The BSD License |
| openssl | 0.9.8zg | http://www.openssl.org/ | OpenSSL License |
| openssl | 1.0.0i | http://www.openssl.org/ | OpenSSL License |
| openssl | 1.0.1g | http://www.openssl.org/ | OpenSSL License |
| openssl-fips | 1.2.3 | http://www.openssl.org/ | OpenSSL License |
| openwrt | trunk-r15025 | http://www.openwrt.org/ | GNU General Public License, version 2 |
| opkg | trunk-r4564 | http://code.google.com/p/opkg/ | GNU General Public License, version 2 |
| oprofile | 0.9.2 | http://oprofile.sourceforge.net/news/ | GNU Lesser General Public License 2.1 |
| ProGuard | 4.8 | http://proguard.sourceforge.net/ | GNU General Public License, version 2 |
| PyPDF2 | 1.23 | http://mstamy2.github.com/PyPDF2 | The BSD License |
| parseurl | 1.3.0 | http://registry.npmjs.org/parseurl/-/parseurl-1.3.0.tgz | MIT License |
| path-to-regexp | 1.2.0 | http://registry.npmjs.org/path-to-regexp/-/path-to-regexp-1.2.0.tgz | MIT License |
| pciutils | 3.1.8 | http://mj.ucw.cz/sw/pciutils/ | GNU General Public License, version 2 |
| pdnsd | 1.2.5 | http://members.home.nl/p.a.rombouts/pdnsd/ | GNU General Public License, version 2 |
| picocom | 1.6 | http://code.google.com/p/picocom/ | GNU General Public License, version 2 |
| pillow | 2.8.1 | http://python-pillow.github.io/ | MIT License |
| ping | 1.0 | None | The BSD License |
| pkg-config | 0.22 | http://pkg-config.freedesktop.org/wiki/ | GNU General Public License, version 2 |
| portmap | 6.0 | http://neil.brown.name/portmap/ | The BSD License |
| posix | 2.0.1 | http://registry.npmjs.org/posix/-/posix-2.0.1.tgz | MIT License |
| ppp | 2.4.5 | http://ppp.samba.org/ppp/ | The BSD License |
| ppp | 2.4.3 | http://ppp.samba.org/ppp/ | The BSD License |
| preppy | 2.3.1 | https://bitbucket.org/rptlab/preppy | The BSD License |
| procname | 0.2 | http://code.google.com/p/procname/ | GNU Lesser General Public License, version 2.0 |
| procps | 3.2.8 | http://procps.sourceforge.net/ | GNU General Public License, version 2 |
| proxy-addr | 1.0.8 | http://registry.npmjs.org/proxy-addr/-/proxy-addr-1.0.8.tgz | MIT License |
| psmisc | 22.8 | http://sourceforge.net/projects/psmisc/ | GNU General Public License, version 2 |
| pure-ftpd | 1.0.22 | http://www.pureftpd.org/project/pure-ftpd | The BSD License |
| pychecker | 0.8.18 | http://pychecker.sourceforge.net/ | The BSD License |
| pyparsing | 1.5.1 | http://sourceforge.net/projects/pyparsing/ | The BSD License |
| pytz | 2014.10 | http://pythonhosted.org/pytz | MIT License |
| pyxapi | 0.1 | http://www.pps.jussieu.fr/%7Eylg/PyXAPI/ | GNU General Public License, version 2 |
| pyyaml | 3.11 | http://pyyaml.org/ | MIT License |
| qdbm | 1.8.77 | http://qdbm.sourceforge.net/ | GNU General Public License, version 2 |
| qs | 4.0.0 | http://registry.npmjs.org/qs/-/qs-4.0.0.tgz | The BSD License |
| quagga | 0.99.16 | http://www.quagga.net | GNU General Public License, version 2 |
| quilt | 0.47 | http://savannah.nongnu.org/projects/quilt/ | GNU General Public License, version 2 |
| radius | 2.2.3 | http://freeradius.org/ | GNU General Public License, version 2 |
| range-parser | 1.0.2 | http://registry.npmjs.org/range-parser/-/range-parser-1.0.2.tgz | MIT License |
| raw-body | 2.1.2 | http://registry.npmjs.org/raw-body/-/raw-body-2.1.2.tgz | MIT License |
| redis | 3.0.3 | http://redis.io/ | The BSD License |
| redis | 0.12.1 | http://registry.npmjs.org/redis/-/redis-0.12.1.tgz | MIT License |
| regexp-clone | 0.0.1 | http://registry.npmjs.org/regexp-clone/-/regexp-clone-0.0.1.tgz | MIT License |
| report-lab | 3.1.44 | http://www.reportlab.com | The BSD License |
| rp-pppoe | 3.1.0 | http://www.roaringpenguin.com/products/pppoe | GNU General Public License, version 2 |
| rsync | 3.0.6 | http://rsync.samba.org/ | |
| safestr | 1.0.3 | | |
| samba | 3.5.1 | | |
| sed | 4.1.2 | | |
| semaphore | 1.0.3 | | |
| send | 0.13.0 | | |
| serve-static | 1.10.0 | | |
| setproctitle | 1.1.8 | | |
| setuptools | 11.3.1 | | |
| sliced | 1.0.1 | | |
| smarttools | 6.2 | | |
| snmpagent | 5.0.9 | | |
| socket.io | 1.3.6 | | |
| socket.io-adapter | 0.3.1 | | |
http://www.zork.org/
http://www.samba.org http://www.gnu.org/software/sed/
http://registry.npmjs.org/semaphore/-/
semaphore-1.0.3.tgz http://registry.npmjs.org/send/-/send-
0.13.0.tgz http://registry.npmjs.org/serve-static/-/
serve-static-1.10.0.tgz http://code.google.com/p/py-setproctitle https://bitbucket.org/pypa/setuptools http://registry.npmjs.org/sliced/-/sliced-
1.0.1.tgz http://smartmontools.sourceforge.net GNU General Public License, version 3 The BSD License GNU General Public License, version 3 GNU General Public License, version 2 MIT License MIT License MIT License The BSD License Python License, Version 2
(Python-2.0) MIT License GNU General Public License, version 2 http://sourceforge.net/
http://registry.npmjs.org/socket.io/-/
socket.io-1.3.6.tgz http://registry.npmjs.org/socket.io-
adapter/-/socket.io-adapter-0.3.1.tgz The BSD License MIT License MIT License Access Point, Wireless Controller, and Service Platform System Reference Guide A - 11 PUBLICLY AVAILABLE SOFTWARE Name socket.io-
adapter-mongo Version 0.1.4 socket.io-client 1.3.6 socket.io-parser 2.2.4 sqlite3 squashfs 3070900 3.0 URL http://registry.npmjs.org/socket.io-
adapter-mongo/-/socket.io-adapter-
mongo-0.1.4.tgz http://registry.npmjs.org/socket.io-client/-/
socket.io-client-1.3.6.tgz http://registry.npmjs.org/socket.io-parser/-
/socket.io-parser-2.2.4.tgz http://www.sqlite.org/
http://squashfs.sourceforge.net/
squid 2.7.STABLE9 http://www.squid-cache.org/
stack-trace 0.0.9 stackless python 2.7.5 https://registry.npmjs.org/stack-trace/-/
stack-trace-0.0.9.tgz http://www.stackless.com/
License MIT License MIT License MIT License None GNU General Public License, version 2 GNU General Public License, version 2 MIT License GNU General Public License, version 2 sticky-session 0.1.0 strace stress 4.5.20 1.0.4 http://registry.npmjs.org/sticky-session/-/
sticky-session-0.1.0.tgz http://sourceforge.net/projects/strace/
MIT License The BSD License http://people.seas.harvard.edu/~apw/
stress/
strongswan 4.4.0 http://www.strongswan.org GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 stunnel svg2rlg sysstat tar tcpdump tinyproxy type-is tz u-boot 4.31 0.3 9.0.5 1.17 4.0.0 1.8.3 1.6.4 2014b trunk-2010-
03-30 http://www.stunnel.org/
http://code.google.com/p/svg2rlg/
The BSD License http://sebastien.godard.pagesperso-
orange.fr/
http://www.gnu.org/software/tar/
http://www.tcpdump.org/
https://banu.com/tinyproxy/
http://registry.npmjs.org/type-is/-/type-is-
1.6.4.tgz http://www.iana.org/time-zones/
repository/releases/
http://www.denx.de/wiki/U-Boot/
GNU General Public License, version 2 GNU General Public License, version 2 The BSD License GNU General Public License, version 2 MIT License GNU General Public License, version 2 GNU General Public License, version 2 Access Point, Wireless Controller, and Service Platform System Reference Guide A - 12 PUBLICLY AVAILABLE SOFTWARE Version trunk-2010-
05-10 URL http://www.denx.de/wiki/U-Boot/
0.9.29 http://www.uclibc.org/
0.9.30.2 http://www.uclibc.org/
http://www.openwrt.org/
https://launchpad.net/udev http://www.kernel.org/pub/linux/utils/
kernel/hotplug/
http://www.linux-usb.org/
License GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 http://www.kernel.org/pub/linux/utils/util-
linux/
GNU General Public License, version 2 http://registry.npmjs.org/utils-merge/-/
utils-merge-1.0.0.tgz http://valgrind.org/
http://registry.npmjs.org/validator/-/
validator-3.41.2.tgz http://registry.npmjs.org/vary/-/vary-
1.0.1.tgz http://wiki.sangoma.com/wanpipe-linux-
drivers https://github.com/nori0428/
mod_websocket http://www.gnu.org/software/wget/
http://registry.npmjs.org/winston/-/
winston-1.0.1.tgz http://www.hpl.hp.com/personal/
Jean_Tourrilhes/Linux/Tools.html MIT License GNU General Public License, version 2 MIT License MIT License GNU General Public License, version 2 MIT License GNU General Public License, version 3 MIT License GNU General Public License, version 2 http://hostap.epitest.fi/wpa_supplicant/
http://registry.npmjs.org/ws/-/ws-0.7.2.tgz MIT License http://wu-ftpd.therockgarden.ca/
The BSD License WU-FTPD Software License http://docs.vmd.citrix.com/XenServer/4.0.1/
api/client-examples/python/index.html GNU General Public License, version 2 Name u-boot uClibc uClibc uci udev udev usbutils util-linux utils-merge valgrind validator vary wanpipe websocket wget winston 0.7.5 147 r147 0.73 2.20 1.0.0 3.5.0 3.41.2 1.0.1 3.5.18 2.4 1.14 1.0.1 wireless_tools r29 wpa_supplicant 2.0 ws wuftpd XenAPI 0.7.2 1.0.21 None Access Point, Wireless Controller, and Service Platform System Reference Guide A - 13 PUBLICLY AVAILABLE SOFTWARE Name xen Version 4.1.5 URL http://www.xen.org/
xen-crashdump-
analyser 20130505 http://xenbits.xen.org/people/
andrewcoop/
xen-tools xxhashjs z3c-rml zlib zope-event 4.2.1 0.1.1 2.7.2 1.2.8 4.0.3 http://xen-tools.org/software/xen-tools/
http://registry.npmjs.org/xxhashjs/-/
xxhashjs-0.1.1.tgz http://pypi.python.org/pypi/z3c.rml http://www.zlib.net/
http://pypi.python.org/pypi/zope.event License GNU General Public License, version 2 GNU General Public License, version 2 GNU General Public License, version 2 MIT License Zope Public License (ZPL) Version 2.0 zlib License Zope Public License (ZPL) Version 2.0 zope-interface 4.1.1 http://pypi.python.org/pypi/zope.interface Zope Public License (ZPL) Version 2.1 zope-schema 4.4.2 http://pypi.python.org/pypi/zope.schema zwave 0.1 http://code.google.com/p/open-zwave/
Zope Public License (ZPL) Version 2.0 GNU Lesser General Public License, version 2.1 Access Point, Wireless Controller, and Service Platform System Reference Guide A - 14 PUBLICLY AVAILABLE SOFTWARE A.3 OSS Licenses A.3.1 Apache License, Version 2.0 Apache License Version 2.0, January 2004 http://www.apache.org/licenses TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION Definitions.
"License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means
(i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files.
"Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work.

Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed.

Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
a. You must give any other recipients of the Work or Derivative Works a copy of this License; and
b. You must cause any modified files to carry prominent notices stating that You changed the files; and
c. You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and
d. If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License.
You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License.

Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions.

Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file.

Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License.

Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages.

Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability.

END OF TERMS AND CONDITIONS

A.3.2 The BSD License

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, and the entire permission notice in its entirety, including the disclaimer of warranties.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission.
4. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ALL OF WHICH ARE HEREBY DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF NOT ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

A.3.3 Creative Commons Attribution-ShareAlike License, version 3.0

Creative Commons Attribution-ShareAlike 3.0 Unported

CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS.
CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE.

License

THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED. BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. TO THE EXTENT THIS LICENSE MAY BE CONSIDERED TO BE A CONTRACT, THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.

Definitions

1. "Adaptation" means a work based upon the Work, or upon the Work and other pre-existing works, such as a translation, adaptation, derivative work, arrangement of music or other alterations of a literary or artistic work, or phonogram or performance and includes cinematographic adaptations or any other form in which the Work may be recast, transformed, or adapted including in any form recognizably derived from the original, except that a work that constitutes a Collection will not be considered an Adaptation for the purpose of this License. For the avoidance of doubt, where the Work is a musical work, performance or phonogram, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered an Adaptation for the purpose of this License.

2. "Collection" means a collection of literary or artistic works, such as encyclopedias and anthologies, or performances, phonograms or broadcasts, or other works or subject matter other than works listed in Section 1(f) below, which, by reason of the selection and arrangement of their contents, constitute intellectual creations, in which the Work is included in its entirety in unmodified form along with one or more other contributions, each constituting separate and independent works in themselves, which together are assembled into a collective whole. A work that constitutes a Collection will not be considered an Adaptation (as defined below) for the purposes of this License.

3. "Creative Commons Compatible License" means a license that is listed at http://creativecommons.org/compatiblelicenses that has been approved by Creative Commons as being essentially equivalent to this License, including, at a minimum, because that license: (i) contains terms that have the same purpose, meaning and effect as the License Elements of this License; and, (ii) explicitly permits the relicensing of adaptations of works made available under that license under this License or a Creative Commons jurisdiction license with the same License Elements as this License.

4. "Distribute" means to make available to the public the original and copies of the Work or Adaptation, as appropriate, through sale or other transfer of ownership.

5. "License Elements" means the following high-level license attributes as selected by Licensor and indicated in the title of this License: Attribution, ShareAlike.

6. "Licensor" means the individual, individuals, entity or entities that offer(s) the Work under the terms of this License.

7. "Original Author" means, in the case of a literary or artistic work, the individual, individuals, entity or entities who created the Work or if no individual or entity can be identified, the publisher; and in addition
(i) in the case of a performance the actors, singers, musicians, dancers, and other persons who act, sing, deliver, declaim, play in, interpret or otherwise perform literary or artistic works or expressions of folklore;
(ii) in the case of a phonogram the producer being the person or legal entity who first fixes the sounds of a performance or other sounds; and, (iii) in the case of broadcasts, the organization that transmits the broadcast.

8. "Work" means the literary and/or artistic work offered under the terms of this License including without limitation any production in the literary, scientific and artistic domain, whatever may be the mode or form of its expression including digital form, such as a book, pamphlet and other writing; a lecture, address, sermon or other work of the same nature; a dramatic or dramatico-musical work; a choreographic work or entertainment in dumb show; a musical composition with or without words; a cinematographic work to which are assimilated works expressed by a process analogous to cinematography; a work of drawing, painting, architecture, sculpture, engraving or lithography; a photographic work to which are assimilated works expressed by a process analogous to photography; a work of applied art; an illustration, map, plan, sketch or three-dimensional work relative to geography, topography, architecture or science; a performance; a broadcast; a phonogram; a compilation of data to the extent it is protected as a copyrightable work; or a work performed by a variety or circus performer to the extent it is not otherwise considered a literary or artistic work.

9. "You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.

10. "Publicly Perform" means to perform public recitations of the Work and to communicate to the public those public recitations, by any means or process, including by wire or wireless means or public digital performances; to make available to the public Works in such a way that members of the public may access these Works from a place and at a place individually chosen by them; to perform the Work to the public by any means or process and the communication to the public of the performances of the Work, including by public digital performance; to broadcast and rebroadcast the Work by any means including signs, sounds or images.

11. "Reproduce" means to make copies of the Work by any means including without limitation by sound or visual recordings and the right of fixation and reproducing fixations of the Work, including storage of a protected performance or phonogram in digital form or other electronic medium.

12. Fair Dealing Rights. Nothing in this License is intended to reduce, limit, or restrict any uses free from copyright or rights arising from limitations or exceptions that are provided for in connection with the copyright protection under copyright law or other applicable laws.

13. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
a. to Reproduce the Work, to incorporate the Work into one or more Collections, and to Reproduce the Work as incorporated in the Collections;
b. to create and Reproduce Adaptations provided that any such Adaptation, including any translation in any medium, takes reasonable steps to clearly label, demarcate or otherwise identify that changes were made to the original Work. For example, a translation could be marked "The original work was translated from English to Spanish," or a modification could indicate "The original work has been modified.";
c. to Distribute and Publicly Perform the Work including as incorporated in Collections; and,
d. to Distribute and Publicly Perform Adaptations.

For the avoidance of doubt:

1. Non-waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme cannot be waived, the Licensor reserves the exclusive right to collect such royalties for any exercise by You of the rights granted under this License;
2. Waivable Compulsory License Schemes. In those jurisdictions in which the right to collect royalties through any statutory or compulsory licensing scheme can be waived, the Licensor waives the exclusive right to collect such royalties for any exercise by You of the rights granted under this License; and,
3. Voluntary License Schemes. The Licensor waives the right to collect royalties, whether individually or, in the event that the Licensor is a member of a collecting society that administers voluntary licensing schemes, via that society, from any exercise by You of the rights granted under this License.

The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. Subject to Section 8(f), all rights not expressly granted by Licensor are hereby reserved.

4. Restrictions. The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:

a. You may Distribute or Publicly Perform the Work only under the terms of this License. You must include a copy of, or the Uniform Resource Identifier (URI) for, this License with every copy of the Work You Distribute or Publicly Perform. You may not offer or impose any terms on the Work that restrict the terms of this License or the ability of the recipient of the Work to exercise the rights granted to that recipient under the terms of the License. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties with every copy of the Work You Distribute or Publicly Perform. When You Distribute or Publicly Perform the Work, You may not impose any effective technological measures on the Work that restrict the ability of a recipient of the Work from You to exercise the rights granted to that recipient under the terms of the License. This Section 4(a) applies to the Work as incorporated in a Collection, but this does not require the Collection apart from the Work itself to be made subject to the terms of this License. If You create a Collection, upon notice from any Licensor You must, to the extent practicable, remove from the Collection any credit as required by Section 4(c), as requested. If You create an Adaptation, upon notice from any Licensor You must, to the extent practicable, remove from the Adaptation any credit as required by Section 4(c), as requested.

b. You may Distribute or Publicly Perform an Adaptation only under the terms of: (i) this License; (ii) a later version of this License with the same License Elements as this License; (iii) a Creative Commons jurisdiction license (either this or a later license version) that contains the same License Elements as this License (e.g., Attribution-ShareAlike 3.0 US)); (iv) a Creative Commons Compatible License. If you license the Adaptation under one of the licenses mentioned in (iv), you must comply with the terms of that license. If you license the Adaptation under the terms of any of the licenses mentioned in (i), (ii) or (iii) (the "Applicable License"), you must comply with the terms of the Applicable License generally and the following provisions: (I) You must include a copy of, or the URI for, the Applicable License with every copy of each Adaptation You Distribute or Publicly Perform; (II) You may not offer or impose any terms on the Adaptation that restrict the terms of the Applicable License or the ability of the recipient of the Adaptation to exercise the rights granted to that recipient under the terms of the Applicable License; (III) You must keep intact all notices that refer to the Applicable License and to the disclaimer of warranties with every copy of the Work as included in the Adaptation You Distribute or Publicly Perform; (IV) when You Distribute or Publicly Perform the Adaptation, You may not impose any effective technological measures on the Adaptation that restrict the ability of a recipient of the Adaptation from You to exercise the rights granted to that recipient under the terms of the Applicable License. This Section 4(b) applies to the Adaptation as incorporated in a Collection, but this does not require the Collection apart from the Adaptation itself to be made subject to the terms of the Applicable License.

c. If You Distribute, or Publicly Perform the Work or any Adaptations or Collections, You must, unless a request has been made pursuant to Section 4(a), keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of the Original Author (or pseudonym, if applicable) if supplied, and/or if the Original Author and/or Licensor designate another party or parties (e.g., a sponsor institute, publishing entity, journal) for attribution ("Attribution Parties") in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; (ii) the title of the Work if supplied; (iii) to the extent reasonably practicable, the URI, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and (iv) consistent with Section 3(b), in the case of an Adaptation, a credit identifying the use of the Work in the Adaptation (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). The credit required by this Section 4(c) may be implemented in any reasonable manner; provided, however, that in the case of an Adaptation or Collection, at a minimum such credit will appear, if a credit for all contributing authors of the Adaptation or Collection appears, then as part of these credits and in a manner at least as prominent as the credits for the other contributing authors.
For the avoidance of doubt, You may only use the credit required by this Section for the purpose of attribution in the manner set out above and, by exercising Your rights under this License, You may not implicitly or explicitly assert or imply any connection with, sponsorship or endorsement by the Original Author, Licensor and/or Attribution Parties, as appropriate, of You or Your use of the Work, without the separate, express prior written permission of the Original Author, Licensor and/or Attribution Parties. d. Except as otherwise agreed in writing by the Licensor or as may be otherwise permitted by applicable law, if You Reproduce, Distribute or Publicly Perform the Work either by itself or as part of any Adaptations or Collections, You must not distort, mutilate, modify or take other derogatory action in relation to the Work which would be prejudicial to the Original Author's honor or reputation. Licensor agrees that in those jurisdictions (e.g. Japan), in which any exercise of the right granted in Section 3(b) of this License (the right to make Adaptations) would be deemed to be a distortion, mutilation, modification or other derogatory action prejudicial to the Original Author's honor and reputation, the Licensor will waive or not assert, as appropriate, this Section, to the fullest extent permitted by the applicable national law, to enable You to reasonably exercise Your right under Section 3(b) of this License (right to make Adaptations) but not otherwise. 5. Representations, Warranties and Disclaimer. 
Access Point, Wireless Controller, and Service Platform System Reference Guide A - 21 PUBLICLY AVAILABLE SOFTWARE
UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. Termination. This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Adaptations or Collections from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License. Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work).
Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
8. Miscellaneous. Each time You Distribute or Publicly Perform the Work or a Collection, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License. Each time You Distribute or Publicly Perform an Adaptation, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License. If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable. No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent. This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
The rights granted under, and the subject matter referenced, in this License were drafted utilizing the terminology of the Berne Convention for the Protection of Literary and Artistic Works (as amended on September 28, 1979), the Rome Convention of 1961, the WIPO Copyright Treaty of 1996, the WIPO Performances and Phonograms Treaty of 1996 and the Universal Copyright Convention (as revised on July 24, 1971). These rights and subject matter take effect in the relevant jurisdiction in which the License terms are sought to be enforced according to the corresponding provisions of the implementation of those treaty provisions in the applicable national law. If the standard suite of rights granted under applicable copyright law includes additional rights not granted under this License, such additional rights are deemed to be included in the License; this License is not intended to restrict the license of any rights under applicable law.
Creative Commons Notice
Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor. Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, Creative Commons does not authorize the use by either party of the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons.
Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time. For the avoidance of doubt, this trademark restriction does not form part of the License. Creative Commons may be contacted at http://creativecommons.org/.
A.3.4 DropBear License
Dropbear contains a number of components from different sources, hence there are a few licenses and authors involved. All licenses are fairly non-restrictive. The majority of code is written by Matt Johnston, under the license below. Portions of the client-mode work are (c) 2004 Mihnea Stoenescu, under the same license:
Copyright (c) 2002-2004 Matt Johnston Portions copyright (c) 2004 Mihnea Stoenescu All rights reserved. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. LibTomCrypt and LibTomMath are written by Tom St Denis, and are .
=====
sshpty.c is taken from OpenSSH 3.5p1, Copyright (c) 1995 Tatu Ylonen, Espoo, Finland. All rights reserved.
"As far as I am concerned, the code I have written for this software can be used freely for any purpose. Any derived versions of this software must be clearly marked as such, and if the derived work is incompatible with the protocol description in the RFC file, it must be called by a name other than "ssh" or "Secure Shell"."
=====
loginrec.c loginrec.h atomicio.h atomicio.c and strlcat() (included in util.c) are from OpenSSH 3.6.1p2, and are licensed under the 2 point license. loginrec is written primarily by Andre Lucas, atomicio.c by Theo de Raadt. strlcat() is (c) Todd C. Miller
=====
Import code in keyimport.c is modified from PuTTY's import.c, licensed as follows:
PuTTY is copyright 1997-2003 Simon Tatham. Portions copyright Robert de Bath, Joris van Rantwijk, Delian Delchev, Andreas Schultz, Jeroen Massar, Wez Furlong, Nicolas Barry, Justin Bradford, and CORE SDI S.A. Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
-------------------------------------------------------------------------------
A.3.5 GNU General Public License, version 2
GNU GENERAL PUBLIC LICENSE Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it.
(Some other Free Software Foundation software is covered by the GNU Lesser General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary.
To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow.
A.3.6 GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does.
You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.
You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
The modified work must itself be a software library.
You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License.
(If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. 
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.
Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system.
Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 
If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
A.3.7 GNU Lesser General Public License 2.1
GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999
Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1.]
Preamble
The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--
typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. 
Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law:
that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
The modified work must itself be a software library. You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change. You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License. If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License.
(If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. 
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system.
Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.
If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 
If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
A.3.8 CC0 1.0 Universal
Creative Commons Legal Code CC0 1.0 Universal CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED HEREUNDER.
Statement of Purpose
The laws of most jurisdictions throughout the world automatically confer exclusive Copyright and Related Rights (defined below) upon the creator and subsequent owner(s) (each and all, an "owner") of an original work of authorship and/or a database (each, a "Work").
Certain owners wish to permanently relinquish those rights to a Work for the purpose of contributing to a commons of creative, cultural and scientific works ("Commons") that the public can reliably and without fear of later claims of infringement build upon, modify, incorporate in other works, reuse and redistribute as freely as possible in any form whatsoever and for any purposes, including without limitation commercial purposes. These owners may contribute to the Commons to promote the ideal of a free culture and the further production of creative, cultural and scientific works, or to gain reputation or greater distribution for their Work in part through the use and efforts of others. For these and/or other purposes and motivations, and without any expectation of additional consideration or compensation, the person associating CC0 with a Work (the "Affirmer"), to the extent that he or she is an owner of Copyright and Related Rights in the Work, voluntarily elects to apply CC0 to the Work and publicly distribute the Work under its terms, with knowledge of his or her Copyright and Related Rights in the Work and the meaning and intended legal effect of CC0 on those rights.
Copyright and Related Rights. A Work made available under CC0 may be protected by copyright and related or neighboring rights ("Copyright and Related Rights"). Copyright and Related Rights include, but are not limited to, the following:
the right to reproduce, adapt, distribute, perform, display, communicate, and translate a Work;
moral rights retained by the original author(s) and/or performer(s);
publicity and privacy rights pertaining to a person's image or likeness depicted in a Work;
rights protecting against unfair competition in regards to a Work, subject to the limitations in paragraph 4(a), below;
rights protecting the extraction, dissemination, use and reuse of data in a Work;
database rights (such as those arising under Directive 96/9/EC of the European Parliament and of the Council of 11 March 1996 on the legal protection of databases, and under any national implementation thereof, including any amended or successor version of such directive); and other similar, equivalent or corresponding rights throughout the world based on applicable law or treaty, and any national implementations thereof. Waiver. To the greatest extent permitted by, but not in contravention of, applicable law, Affirmer hereby overtly, fully, permanently, irrevocably and unconditionally waives, abandons, and surrenders all of Affirmer's Copyright and Related Rights and associated claims and causes of action, whether now known or unknown (including existing as well as future claims and causes of action), in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty (including future time extensions), (iii) in any current or future medium and for any number of copies, and (iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the
"Waiver"). Affirmer makes the Waiver for the benefit of each member of the public at large and to the detriment of Affirmer's heirs and successors, fully intending that such Waiver shall not be subject to revocation, rescission, cancellation, termination, or any other legal or equitable action to disrupt the quiet enjoyment of the Work by the public as contemplated by Affirmer's express Statement of Purpose. Public License Fallback. Should any part of the Waiver for any reason be judged legally invalid or ineffective under applicable law, then the Waiver shall be preserved to the maximum extent permitted taking into account Affirmer's express Statement of Purpose. In addition, to the extent the Waiver is so judged Affirmer hereby grants to each affected person a royalty-free, non transferable, non sublicensable, non exclusive, irrevocable and unconditional license to exercise Affirmer's Copyright and Related Rights in the Work (i) in all territories worldwide, (ii) for the maximum duration provided by applicable law or treaty
(including future time extensions), (iii) in any current or future medium and for any number of copies, and
(iv) for any purpose whatsoever, including without limitation commercial, advertising or promotional purposes (the "License"). The License shall be deemed effective as of the date CC0 was applied by Affirmer to the Work. Should any part of the License for any reason be judged legally invalid or ineffective under applicable law, such partial invalidity or ineffectiveness shall not invalidate the remainder of the License, and in such case Affirmer hereby affirms that he or she will not (i) exercise any of his or her remaining Copyright and Related Rights in the Work or (ii) assert any associated claims and causes of action with respect to the Work, in either case contrary to Affirmer's express Statement of Purpose.
Limitations and Disclaimers. No trademark or patent rights held by Affirmer are waived, abandoned, surrendered, licensed or otherwise affected by this document. Affirmer offers the Work as-is and makes no representations or warranties of any kind concerning the Work, express, implied, statutory or otherwise, including without limitation warranties of title, merchantability, fitness for a particular purpose, non infringement, or the absence of latent or other defects, accuracy, or the presence or absence of errors, whether or not discoverable, all to the greatest extent permissible under applicable law. Affirmer disclaims responsibility for clearing rights of other persons that may apply to the Work or any use thereof, including without limitation any person's Copyright and Related Rights in the Work. Further, Affirmer disclaims responsibility for obtaining any necessary consents, permissions or other rights required for any use of the Work. Affirmer understands and acknowledges that Creative Commons is not a party to this document and has no duty or obligation with respect to this CC0 or use of the Work.
A.3.9 GNU General Public License, version 3
GNU GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble
The GNU General Public License is a free, copyleft license for software and other kinds of works. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. We, the Free Software Foundation, use the GNU General Public License for most of our software; it applies also to any other work released this way by its authors. You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. To protect your rights, we need to prevent others from denying you these rights or asking you to surrender the rights. Therefore, you have certain responsibilities if you distribute copies of the software, or if you modify it: responsibilities to respect the freedom of others. For example, if you distribute copies of such a program, whether gratis or for a fee, you must pass on to the recipients the same freedoms that you received. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights.
Developers that use the GNU GPL protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License giving you legal permission to copy, distribute and/or modify it. For the developers' and authors' protection, the GPL clearly explains that there is no warranty for this free software. For both users' and authors' sake, the GPL requires that modified versions be marked as changed, so that their problems will not be attributed erroneously to authors of previous versions. Some devices are designed to deny users access to install or run modified versions of the software inside them, although the manufacturer can do so. This is fundamentally incompatible with the aim of protecting users' freedom to change the software. The systematic pattern of such abuse occurs in the area of products for individuals to use, which is precisely where it is most unacceptable. Therefore, we have designed this version of the GPL to prohibit the practice for those products. If such problems arise substantially in other domains, we stand ready to extend this provision to those domains in future versions of the GPL, as needed to protect the freedom of users. Finally, every program is threatened constantly by software patents. States should not allow patents to restrict development and use of software on general-purpose computers, but in those that do, we wish to avoid the special danger that patents applied to a free program could make it effectively proprietary. To prevent this, the GPL assures that patents cannot be used to render the program non-free. The precise terms and conditions for copying, distribution and modification follow.

TERMS AND CONDITIONS

Definitions.
"This License" refers to version 3 of the GNU General Public License.
"Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks.
"The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion.

1. Source Code.

The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work.
A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work.

2. Basic Permissions.
All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary.

3. Protecting Users' Legal Rights From Anti-Circumvention Law.

No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures.
When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures.

4. Conveying Verbatim Copies.

You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee.

5. Conveying Modified Source Versions.

You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions:
a) The work must carry prominent notices stating that you modified it, and giving a relevant date.

b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices".

c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it.

d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so.

A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate.

6. Conveying Non-Source Forms.

You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways:
a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange.

b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge.

c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b.

d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements.
e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d.

A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product.
"Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying.

7. Additional Terms.
"Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms:
a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or

b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or

c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or

d) Limiting the use for publicity purposes of names of licensors or authors of the material; or

e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or

f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors.

All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way.

8. Termination.

You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation.
Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10.

9. Acceptance Not Required for Having Copies.

You are not required to accept this License in order to receive or run a copy of the Program. Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so.

10. Automatic Licensing of Downstream Recipients.

Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations.
If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it.

11. Patents.

A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License.
Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. "Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. 
A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law.

12. No Surrender of Others' Freedom.

If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program.

13. Use with the GNU Affero General Public License.
Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU Affero General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the special requirements of the GNU Affero General Public License, section 13, concerning interaction through a network will apply to the combination as such.

14. Revised Versions of this License.

The Free Software Foundation may publish revised and/or new versions of the GNU General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version.

15. Disclaimer of Warranty.

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.

16. Limitation of Liability.

IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

17. Interpretation of Sections 15 and 16.

If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee.

END OF TERMS AND CONDITIONS

A.3.10 ISC License

Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted, provided that the above copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

A.3.11 GNU Lesser General Public License, version 3.0

GNU LESSER GENERAL PUBLIC LICENSE Version 3, 29 June 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below.

Additional Definitions.

As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License.
"The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below. An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library. A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version". The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version. The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work. 1. Exception to Section 3 of the GNU GPL. You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL. 2. Conveying Modified Versions. If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version:
a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy. 3. Object Code Incorporating Material from Library Header Files. The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following:
a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the object code with a copy of the GNU GPL and this license document. 4. Combined Works. You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following:
a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License. b) Accompany the Combined Work with a copy of the GNU GPL and this license document. c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document. d) Do one of the following:
0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source. 1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that
(a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version. e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.) 5. Combined Libraries. You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License. b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 6. Revised Versions of the GNU Lesser General Public License. The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation. If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library.
A.3.12 GNU General Public License 2.0
GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. 
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, thus in effect making the program proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better. However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves.
This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law:
that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a) The modified work must itself be a software library.
b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. 
(If a newer Access Point, Wireless Controller, and Service Platform System Reference Guide A - 53 PUBLICLY AVAILABLE SOFTWARE version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4 You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5 A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. 
When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6 As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.
For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.
8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS
A.3.13 GNU Lesser General Public License, version 2.0
GNU LIBRARY GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1991 Free Software Foundation, Inc. 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[This is the first released version of the library GPL. It is numbered 2 because it goes with version 2 of the ordinary GPL.]
Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Library General Public License, applies to some specially designated Free Software Foundation software, and to any other libraries whose authors decide to use it. You can use it for your libraries, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library, or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link a program with the library, you must provide complete object files to the recipients so that they can relink them with the library, after making changes to the library and recompiling it. And you must show them these terms so they know their rights. Our method of protecting your rights has two steps: (1) copyright the library, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the library. Also, for each distributor's protection, we want to make certain that everyone understands that there is no warranty for this free library. 
If the library is modified by someone else and passed on, we want its recipients to know that what they have is not the original version, so that any problems introduced by others will not reflect on the original authors' reputations.
Access Point, Wireless Controller, and Service Platform System Reference Guide A - 57 PUBLICLY AVAILABLE SOFTWARE
Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that companies distributing free software will individually obtain patent licenses, thus in effect transforming the program into proprietary software. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License, which was designed for utility programs. This license, the GNU Library General Public License, applies to certain designated libraries. This license is quite different from the ordinary one; be sure to read it in full, and don't assume that anything in it is the same as in the ordinary license. The reason we have a separate public license for some libraries is that they blur the distinction we usually make between modifying or adding to a program and simply using it. Linking a program with a library, without changing the library, is in some sense simply using the library, and is analogous to running a utility program or application program. However, in a textual and legal sense, the linked executable is a combined work, a derivative of the original library, and the ordinary General Public License treats it as such. Because of this blurred distinction, using the ordinary General Public License for libraries did not effectively promote software sharing, because most developers did not use the libraries. We concluded that weaker conditions might promote sharing better.
However, unrestricted linking of non-free programs would deprive the users of those programs of all benefit from the free status of the libraries themselves. This Library General Public License is intended to permit developers of non-free programs to use free libraries, while preserving your freedom as a user of such programs to change the free libraries that are incorporated in them. (We have not seen how to achieve this as regards changes in header files, but we have achieved it as regards changes in the actual functions of the Library.) The hope is that this will lead to faster development of free libraries. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, while the latter only works together with the library. Note that it is possible for a library to be covered by the ordinary General Public License rather than by this special one. TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License Agreement applies to any software library which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Library General Public License (also called "this License"). Each licensee is addressed as "you". A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law:
that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
* a) The modified work must itself be a software library.
* b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
* c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
* d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you;
rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.
5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6. 
As an exception to the Sections above, you may also compile or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
* a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)
* b) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.
* c) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.
* d) Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute. 7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
* a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.
* b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.
12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13. The Free Software Foundation may publish revised and/or new versions of the Library General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.
NO WARRANTY
15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
A.3.14 GNU Lesser General Public License, version 2.1
GNU LESSER GENERAL PUBLIC LICENSE Version 2.1, February 1999 Copyright (C) 1991, 1999 Free Software Foundation, Inc. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. This is the first released version of the Lesser GPL. It also counts as the successor of the GNU Library Public License, version 2, hence the version number 2.1. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This license, the Lesser General Public License, applies to some specially designated software packages--
typically libraries--of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below. When we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things. To protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it. For example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights. We protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library. To protect each distributor, we want to make it very clear that there is no warranty for the free library. 
Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others. Finally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license. Most GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs. When a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library. We call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances. 
For example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License. In other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system. Although the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library. The precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.
A.3.15 GNU LESSER GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you". 
A "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables. The "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law:
that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)
"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library. Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does. 1 You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2 You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:
a. The modified work must itself be a software library.
b. You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.
c. You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.
d. If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.
(For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library. In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3 You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices. 
Once this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy. This option is useful when you wish to copy part of the code of the Library into a program that is not a library. 4 You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange. If distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code. 5 A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License. However, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables. When a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not.
Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law. If such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.) Otherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself. 6 As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications. You must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:
a. Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable
"work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.) b. Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that
(1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with. c. Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution. d. If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place. e. Verify that the user has already received a copy of these materials or that you have already sent this user a copy. For an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. It may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.
7 You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:
a. Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above. b. Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work. 8 You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 9 You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it. 10 Each time you redistribute the Library (or any work based on the library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License. 11 If, as a consequence of a court judgment or allegation of patent infringement or for any other reason
(not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 
12 If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 13 The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation. 14 If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 15 BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. A.3.16 MIT License Permission is hereby granted, without written agreement and without license or royalty fees, to use, copy, modify, and distribute this software and its documentation for any purpose, provided that the above copyright notice and the following two paragraphs appear in all copies of this software. IN NO EVENT SHALL THE COPYRIGHT HOLDER BE LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OF THIS SOFTWARE AND ITS DOCUMENTATION, EVEN IF THE COPYRIGHT HOLDER HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. THE COPYRIGHT HOLDER SPECIFICALLY DISCLAIMS ANY WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
THE SOFTWARE PROVIDED HEREUNDER IS ON AN "AS IS" BASIS, AND THE COPYRIGHT HOLDER HAS NO OBLIGATION TO PROVIDE MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR MODIFICATIONS. A.3.17 Mozilla Public License, version 2 Version 2.0 1. Definitions 1.1. Contributor means each individual or legal entity that creates, contributes to the creation of, or owns Covered Software. 1.2. Contributor Version means the combination of the Contributions of others (if any) used by a Contributor and that particular Contribution. 1.3. Contribution means Covered Software of a particular Contributor. 1.4. Covered Software means Source Code Form to which the initial Contributor has attached the notice in Exhibit A, the Executable Form of such Source Code Form, and Modifications of such Source Code Form, in each case including portions thereof. 1.5. Incompatible With Secondary Licenses means 1. that the initial Contributor has attached the notice described in Exhibit B to the Covered Software; or 2. that the Covered Software was made available under the terms of version 1.1 or earlier of the License, but not also under the terms of a Secondary License. 1.6. Executable Form means any form of the work other than Source Code Form. 1.7. Larger Work means a work that combines Covered Software with other material, in a separate file or files, that is not Covered Software. 1.8. License means this document. 1.9. Licensable means having the right to grant, to the maximum extent possible, whether at the time of the initial grant or subsequently, any and all of the rights conveyed by this License. 1.10. Modifications means any of the following:
1. any file in Source Code Form that results from an addition to, deletion from, or modification of the contents of Covered Software; or 2. any new file in Source Code Form that contains any Covered Software. 1.11. Patent Claims of a Contributor means any patent claim(s), including without limitation, method, process, and apparatus claims, in any patent Licensable by such Contributor that would be infringed, but for the grant of the License, by the making, using, selling, offering for sale, having made, import, or transfer of either its Contributions or its Contributor Version. 1.12. Secondary License means either the GNU General Public License, Version 2.0, the GNU Lesser General Public License, Version 2.1, the GNU Affero General Public License, Version 3.0, or any later versions of those licenses. 1.13. Source Code Form means the form of the work preferred for making modifications. 1.14. You (or Your) means an individual or a legal entity exercising rights under this License. For legal entities, You includes any entity that controls, is controlled by, or is under common control with You. For purposes of this definition, control means (a) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (b) ownership of more than fifty percent (50%) of the outstanding shares or beneficial ownership of such entity. 2. License Grants and Conditions 2.1. Grants Each Contributor hereby grants You a world-wide, royalty-free, non-exclusive license:
1. under intellectual property rights (other than patent or trademark) Licensable by such Contributor to use, reproduce, make available, modify, display, perform, distribute, and otherwise exploit its Contributions, either on an unmodified basis, with Modifications, or as part of a Larger Work; and 2. under Patent Claims of such Contributor to make, use, sell, offer for sale, have made, import, and otherwise transfer either its Contributions or its Contributor Version. 2.2. Effective Date The licenses granted in Section 2.1 with respect to any Contribution become effective for each Contribution on the date the Contributor first distributes such Contribution. 2.3. Limitations on Grant Scope The licenses granted in this Section 2 are the only rights granted under this License. No additional rights or licenses will be implied from the distribution or licensing of Covered Software under this License. Notwithstanding Section 2.1(b) above, no patent license is granted by a Contributor:
1. for any code that a Contributor has removed from Covered Software; or 2. for infringements caused by: (i) Your and any other third party's modifications of Covered Software, or (ii) the combination of its Contributions with other software (except as part of its Contributor Version); or 3. under Patent Claims infringed by Covered Software in the absence of its Contributions. This License does not grant any rights in the trademarks, service marks, or logos of any Contributor
(except as may be necessary to comply with the notice requirements in Section 3.4). 2.4. Subsequent Licenses No Contributor makes additional grants as a result of Your choice to distribute the Covered Software under a subsequent version of this License (see Section 10.2) or under the terms of a Secondary License (if permitted under the terms of Section 3.3). 2.5. Representation Each Contributor represents that the Contributor believes its Contributions are its original creation(s) or it has sufficient rights to grant the rights to its Contributions conveyed by this License. 2.6. Fair Use This License is not intended to limit any rights You have under applicable copyright doctrines of fair use, fair dealing, or other equivalents. 2.7. Conditions Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted in Section 2.1. 3. Responsibilities 3.1. Distribution of Source Form All distribution of Covered Software in Source Code Form, including any Modifications that You create or to which You contribute, must be under the terms of this License. You must inform recipients that the Source Code Form of the Covered Software is governed by the terms of this License, and how they can obtain a copy of this License. You may not attempt to alter or restrict the recipients' rights in the Source Code Form. 3.2. Distribution of Executable Form If You distribute Covered Software in Executable Form then:
1. such Covered Software must also be made available in Source Code Form, as described in Section 3.1, and You must inform recipients of the Executable Form how they can obtain a copy of such Source Code Form by reasonable means in a timely manner, at a charge no more than the cost of distribution to the recipient; and 2. You may distribute such Executable Form under the terms of this License, or sublicense it under different terms, provided that the license for the Executable Form does not attempt to limit or alter the recipients' rights in the Source Code Form under this License. 3.3. Distribution of a Larger Work You may create and distribute a Larger Work under terms of Your choice, provided that You also comply with the requirements of this License for the Covered Software. If the Larger Work is a combination of Covered Software with a work governed by one or more Secondary Licenses, and the Covered Software is not Incompatible With Secondary Licenses, this License permits You to additionally distribute such Covered Software under the terms of such Secondary License(s), so that the recipient of the Larger Work may, at their option, further distribute the Covered Software under the terms of either this License or such Secondary License(s). 3.4. Notices You may not remove or alter the substance of any license notices (including copyright notices, patent notices, disclaimers of warranty, or limitations of liability) contained within the Source Code Form of the Covered Software, except that You may alter any license notices to the extent required to remedy known factual inaccuracies. 3.5. Application of Additional Terms You may choose to offer, and to charge a fee for, warranty, support, indemnity or liability obligations to one or more recipients of Covered Software. However, You may do so only on Your own behalf, and not on behalf of any Contributor.
You must make it absolutely clear that any such warranty, support, indemnity, or liability obligation is offered by You alone, and You hereby agree to indemnify every Contributor for any liability incurred by such Contributor as a result of warranty, support, indemnity or liability terms You offer. You may include additional disclaimers of warranty and limitations of liability specific to any jurisdiction. 4. Inability to Comply Due to Statute or Regulation If it is impossible for You to comply with any of the terms of this License with respect to some or all of the Covered Software due to statute, judicial order, or regulation then You must: (a) comply with the terms of this License to the maximum extent possible; and (b) describe the limitations and the code they affect. Such description must be placed in a text file included with all distributions of the Covered Software under this License. Except to the extent prohibited by statute or regulation, such description must be sufficiently detailed for a recipient of ordinary skill to be able to understand it. 5. Termination 5.1. The rights granted under this License will terminate automatically if You fail to comply with any of its terms. However, if You become compliant, then the rights granted under this License from a particular Contributor are reinstated (a) provisionally, unless and until such Contributor explicitly and finally terminates Your grants, and (b) on an ongoing basis, if such Contributor fails to notify You of the non-compliance by some reasonable means prior to 60 days after You have come back into compliance. Moreover, Your grants from a particular Contributor are reinstated on an ongoing basis if such Contributor notifies You of the non-compliance by some reasonable means, this is the first time You have received notice of non-compliance with this License from such Contributor, and You become compliant prior to 30 days after Your receipt of the notice. 
5.2. If You initiate litigation against any entity by asserting a patent infringement claim (excluding declaratory judgment actions, counter-claims, and cross-claims) alleging that a Contributor Version directly or indirectly infringes any patent, then the rights granted to You by any and all Contributors for the Covered Software under Section 2.1 of this License shall terminate. 5.3. In the event of termination under Sections 5.1 or 5.2 above, all end user license agreements
(excluding distributors and resellers) which have been validly granted by You or Your distributors under this License prior to termination shall survive termination. 6. Disclaimer of Warranty Covered Software is provided under this License on an "as is" basis, without warranty of any kind, either expressed, implied, or statutory, including, without limitation, warranties that the Covered Software is free of defects, merchantable, fit for a particular purpose or non-infringing. The entire risk as to the quality and performance of the Covered Software is with You. Should any Covered Software prove defective in any respect, You (not any Contributor) assume the cost of any necessary servicing, repair, or correction. This disclaimer of warranty constitutes an essential part of this License. No use of any Covered Software is authorized under this License except under this disclaimer. 7. Limitation of Liability Under no circumstances and under no legal theory, whether tort (including negligence), contract, or otherwise, shall any Contributor, or anyone who distributes Covered Software as permitted above, be liable to You for any direct, indirect, special, incidental, or consequential damages of any character including, without limitation, damages for lost profits, loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses, even if such party shall have been informed of the possibility of such damages. This limitation of liability shall not apply to liability for death or personal injury resulting from such party's negligence to the extent applicable law prohibits such limitation. Some jurisdictions do not allow the exclusion or limitation of incidental or consequential damages, so this exclusion and limitation may not apply to You.
8. Litigation Any litigation relating to this License may be brought only in the courts of a jurisdiction where the defendant maintains its principal place of business and such litigation shall be governed by laws of that jurisdiction, without reference to its conflict-of-law provisions. Nothing in this Section shall prevent a party's ability to bring cross-claims or counter-claims. 9. Miscellaneous This License represents the complete agreement concerning the subject matter hereof. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. Any law or regulation which provides that the language of a contract shall be construed against the drafter shall not be used to construe this License against a Contributor. 10. Versions of the License 10.1. New Versions Mozilla Foundation is the license steward. Except as provided in Section 10.3, no one other than the license steward has the right to modify or publish new versions of this License. Each version will be given a distinguishing version number. 10.2. Effect of New Versions You may distribute the Covered Software under the terms of the version of the License under which You originally received the Covered Software, or under the terms of any subsequent version published by the license steward. 10.3. Modified Versions If you create software not governed by this License, and you want to create a new license for such software, you may create and use a modified version of this License if you rename the license and remove any references to the name of the license steward (except to note that such modified license differs from this License). 10.4.
Distributing Source Code Form that is Incompatible With Secondary Licenses If You choose to distribute Source Code Form that is Incompatible With Secondary Licenses under the terms of this version of the License, the notice described in Exhibit B of this License must be attached. Exhibit A - Source Code Form License Notice This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/. You may add additional accurate notices of copyright ownership. Exhibit B - Incompatible With Secondary Licenses Notice This Source Code Form is Incompatible With Secondary Licenses, as defined by the Mozilla Public License, v. 2.0. A.3.18 The Open LDAP Public License The OpenLDAP Public License Version 2.8, 17 August 2003 Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:
1. Redistributions in source form must retain copyright statements and notices, 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and 3. Redistributions must contain a verbatim copy of this document. The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license. THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders. OpenLDAP is a registered trademark of the OpenLDAP Foundation. Copyright 1999-2003 The OpenLDAP Foundation, Redwood City, California, USA. All Rights Reserved.
Permission to copy and distribute verbatim copies of this document is granted. A.3.19 OpenSSL License OpenSSL License Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 3. All advertising materials mentioning features or use of this software must display the following acknowledgment: This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org) 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org 5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project. 6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
A.3.20 WU-FTPD Software License
WU-FTPD SOFTWARE LICENSE
Use, modification, or redistribution (including distribution of any modified or derived work) in any form, or on any medium, is permitted only if all the following conditions are met:
1. Redistributions qualify as "freeware" or "Open Source Software" under the following terms:
   a. Redistributions are made at no charge beyond the reasonable cost of materials and delivery. Where redistribution of this software is as part of a larger package or combined work, this restriction applies only to the costs of materials and delivery of this software, not to any other costs associated with the larger package or combined work.
   b. Redistributions are accompanied by a copy of the Source Code or by an irrevocable offer to provide a copy of the Source Code for up to three years at the cost of materials and delivery. Such redistributions must allow further use, modification, and redistribution of the Source Code under substantially the same terms as this license. For the purposes of redistribution "Source Code" means all files included in the original distribution, including all modifications or additions, on a medium and in a form allowing fully working executable programs to be produced.
2. Redistributions of Source Code must retain the copyright notices as they appear in each Source Code file and the COPYRIGHT file, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below.
3. Redistributions in binary form must reproduce the Copyright Notice, these license terms, and the disclaimer/limitation of liability set forth as paragraph 6 below, in the documentation and/or other materials provided with the distribution. For the purposes of binary distribution the "Copyright Notice" refers to the following language:
   Copyright (c) 1999,2000,2001 WU-FTPD Development Group. All rights reserved.
   Portions Copyright (c) 1980, 1985, 1988, 1989, 1990, 1991, 1993, 1994 The Regents of the University of California.
   Portions Copyright (c) 1993, 1994 Washington University in Saint Louis.
   Portions Copyright (c) 1996, 1998 Berkeley Software Design, Inc.
   Portions Copyright (c) 1998 Sendmail, Inc.
   Portions Copyright (c) 1983, 1995, 1996, 1997 Eric P. Allman.
   Portions Copyright (c) 1989 Massachusetts Institute of Technology.
   Portions Copyright (c) 1997 Stan Barber.
   Portions Copyright (c) 1991, 1992, 1993, 1994, 1995, 1996, 1997 Free Software Foundation, Inc.
   Portions Copyright (c) 1997 Kent Landfield.
   Use and distribution of this software and its source code are governed by the terms and conditions of the WU-FTPD Software License ("LICENSE"). If you did not receive a copy of the license, it may be obtained online at http://www.wu-ftpd.org/license.html
4. All advertising materials mentioning features or use of this software must display the following acknowledgement: "This product includes software developed by the WU-FTPD Development Group, the Washington University at Saint Louis, Berkeley Software Design, Inc., and their contributors."
5. Neither the name of the WU-FTPD Development Group, nor the names of any copyright holders, nor the names of any contributors may be used to endorse or promote products derived from this software without specific prior written permission. The names "wuftpd" and "wu-ftpd" are trademarks of the WU-FTPD Development Group and the Washington University at Saint Louis.
6. Disclaimer/Limitation of Liability:
THIS SOFTWARE IS PROVIDED BY THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, AND CONTRIBUTORS, "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE WU-FTPD DEVELOPMENT GROUP, THE COPYRIGHT HOLDERS, OR CONTRIBUTORS, BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. USE, MODIFICATION, OR REDISTRIBUTION, OF THIS SOFTWARE IMPLIES ACCEPTANCE OF ALL TERMS AND CONDITIONS OF THIS LICENSE.
A.3.21 zlib License
Copyright (C) 1995-2005 Jean-loup Gailly and Mark Adler
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software.
Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly jloup@gzip.org
Mark Adler madler@alumni.caltech.edu
A.3.22 Python License, Version 2 (Python-2.0)
PYTHON SOFTWARE FOUNDATION LICENSE VERSION 2
--------------------------------------------
This LICENSE AGREEMENT is between the Python Software Foundation ("PSF"), and the Individual or Organization ("Licensee") accessing and otherwise using this software ("Python") in source or binary form and its associated documentation.
Subject to the terms and conditions of this License Agreement, PSF hereby grants Licensee a nonexclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python alone or in any derivative version, provided, however, that PSF's License Agreement and PSF's notice of copyright, i.e., "Copyright (c) 2001, 2002, 2003, 2004, 2005, 2006 Python Software Foundation; All Rights Reserved" are retained in Python alone or in any derivative version prepared by Licensee.
In the event Licensee prepares a derivative work that is based on or incorporates Python or any part thereof, and wants to make the derivative work available to others as provided herein, then Licensee hereby agrees to include in any such work a brief summary of the changes made to Python.
PSF is making Python available to Licensee on an "AS IS" basis. PSF MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, PSF MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
PSF SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF PYTHON FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF MODIFYING, DISTRIBUTING, OR OTHERWISE USING PYTHON, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
This License Agreement will automatically terminate upon a material breach of its terms and conditions.
Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between PSF and Licensee. This License Agreement does not grant permission to use PSF trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.
By copying, installing or otherwise using Python, Licensee agrees to be bound by the terms and conditions of this License Agreement.
A.3.23 BEOPEN.COM LICENSE AGREEMENT FOR PYTHON 2.0
------------------------------------------------------------------------------
BEOPEN PYTHON OPEN SOURCE LICENSE AGREEMENT VERSION 1
This LICENSE AGREEMENT is between BeOpen.com ("BeOpen"), having an office at 160 Saratoga Avenue, Santa Clara, CA 95051, and the Individual or Organization ("Licensee") accessing and otherwise using this software in source or binary form and its associated documentation ("the Software").
Subject to the terms and conditions of this BeOpen Python License Agreement, BeOpen hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use the Software alone or in any derivative version, provided, however, that the BeOpen Python License is retained in the Software, alone or in any derivative version prepared by Licensee.
BeOpen is making the Software available to Licensee on an "AS IS" basis. BEOPEN MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, BEOPEN MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF THE SOFTWARE WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
BEOPEN SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING THE SOFTWARE, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
This License Agreement will automatically terminate upon a material breach of its terms and conditions.
This License Agreement shall be governed by and interpreted in all respects by the law of the State of California, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between BeOpen and Licensee. This License Agreement does not grant permission to use BeOpen trademarks or trade names in a trademark sense to endorse or promote products or services of Licensee, or any third party. As an exception, the "BeOpen Python" logos available at http://www.pythonlabs.com/logos.html may be used according to the permissions granted on that web page.
By copying, installing or otherwise using the software, Licensee agrees to be bound by the terms and conditions of this License Agreement.
A.3.24 CNRI OPEN SOURCE LICENSE AGREEMENT (for Python 1.6b1)
-----------------------------------------------------------------------------------------
IMPORTANT: PLEASE READ THE FOLLOWING AGREEMENT CAREFULLY. BY CLICKING ON "ACCEPT" WHERE INDICATED BELOW, OR BY COPYING, INSTALLING OR OTHERWISE USING PYTHON 1.6, beta 1 SOFTWARE, YOU ARE DEEMED TO HAVE AGREED TO THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT.
This LICENSE AGREEMENT is between the Corporation for National Research Initiatives, having an office at 1895 Preston White Drive, Reston, VA 20191 ("CNRI"), and the Individual or Organization ("Licensee") accessing and otherwise using Python 1.6, beta 1 software in source or binary form and its associated documentation, as released at the www.python.org Internet site on August 4, 2000 ("Python 1.6b1").
Subject to the terms and conditions of this License Agreement, CNRI hereby grants Licensee a non-exclusive, royalty-free, world-wide license to reproduce, analyze, test, perform and/or display publicly, prepare derivative works, distribute, and otherwise use Python 1.6b1 alone or in any derivative version, provided, however, that CNRI's License Agreement is retained in Python 1.6b1, alone or in any derivative version prepared by Licensee.
Alternately, in lieu of CNRI's License Agreement, Licensee may substitute the following text (omitting the quotes): "Python 1.6, beta 1, is made available subject to the terms and conditions in CNRI's License Agreement. This Agreement may be located on the Internet using the following unique, persistent identifier (known as a handle): 1895.22/1011. This Agreement may also be obtained from a proxy server on the Internet using the URL: http://hdl.handle.net/1895.22/1011".
In the event Licensee prepares a derivative work that is based on or incorporates Python 1.6b1 or any part thereof, and wants to make the derivative work available to the public as provided herein, then Licensee hereby agrees to indicate in any such work the nature of the modifications made to Python 1.6b1.
CNRI is making Python 1.6b1 available to Licensee on an "AS IS" basis. CNRI MAKES NO REPRESENTATIONS OR WARRANTIES, EXPRESS OR IMPLIED. BY WAY OF EXAMPLE, BUT NOT LIMITATION, CNRI MAKES NO AND DISCLAIMS ANY REPRESENTATION OR WARRANTY OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR THAT THE USE OF PYTHON 1.6b1 WILL NOT INFRINGE ANY THIRD PARTY RIGHTS.
CNRI SHALL NOT BE LIABLE TO LICENSEE OR ANY OTHER USERS OF THE SOFTWARE FOR ANY INCIDENTAL, SPECIAL, OR CONSEQUENTIAL DAMAGES OR LOSS AS A RESULT OF USING, MODIFYING OR DISTRIBUTING PYTHON 1.6b1, OR ANY DERIVATIVE THEREOF, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
This License Agreement will automatically terminate upon a material breach of its terms and conditions.
This License Agreement shall be governed by and interpreted in all respects by the law of the State of Virginia, excluding conflict of law provisions. Nothing in this License Agreement shall be deemed to create any relationship of agency, partnership, or joint venture between CNRI and Licensee. This License Agreement does not grant permission to use CNRI trademarks or trade name in a trademark sense to endorse or promote products or services of Licensee, or any third party.
By clicking on the "ACCEPT" button where indicated, or by copying, installing or otherwise using Python 1.6b1, Licensee agrees to be bound by the terms and conditions of this License Agreement.
ACCEPT
A.3.25 CWI LICENSE AGREEMENT FOR PYTHON 0.9.0 THROUGH 1.2
-----------------------------------------------------------------------------------------
Copyright (c) 1991 - 1995, Stichting Mathematisch Centrum Amsterdam, The Netherlands. All rights reserved.
Permission to use, copy, modify, and distribute this software and its documentation for any purpose and without fee is hereby granted, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation, and that the name of Stichting Mathematisch Centrum or CWI not be used in advertising or publicity pertaining to distribution of the software without specific, written prior permission.
STICHTING MATHEMATISCH CENTRUM DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL STICHTING MATHEMATISCH CENTRUM BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
A.3.26 Zope Public License (ZPL) Version 2.0
Zope Public License (ZPL) Version 2.0
-----------------------------------------------
This software is Copyright (c) Zope Corporation (tm) and Contributors. All rights reserved.
This license has been certified as open source. It has also been designated as GPL compatible by the Free Software Foundation (FSF).
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions in source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name Zope Corporation (tm) must not be used to endorse or promote products derived from this software without prior written permission from Zope Corporation.
4. The right to distribute this software or to use it for any purpose does not give you the right to use Servicemarks (sm) or Trademarks (tm) of Zope Corporation. Use of them is covered in a separate agreement (see http://www.zope.com/Marks).
5. If any files are modified, you must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
Disclaimer
THIS SOFTWARE IS PROVIDED BY ZOPE CORPORATION ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ZOPE CORPORATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This software consists of contributions made by Zope Corporation and many individuals on behalf of Zope Corporation. Specific attributions are listed in the accompanying credits file.
A.3.27 Zope Public License (ZPL) Version 2.1
Zope Public License (ZPL) Version 2.1
--------------------------------------------------
A copyright notice accompanies this license document that identifies the copyright holders.
This license has been certified as open source. It has also been designated as GPL compatible by the Free Software Foundation (FSF).
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions in source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The name Zope Corporation (tm) must not be used to endorse or promote products derived from this software without prior written permission from Zope Corporation.
4. The right to distribute this software or to use it for any purpose does not give you the right to use Servicemarks (sm) or Trademarks (tm) of Zope Corporation. Use of them is covered in a separate agreement (see http://www.zope.com/Marks).
5. If any files are modified, you must cause the modified files to carry prominent notices stating that you changed the files and the date of any change.
Disclaimer
THIS SOFTWARE IS PROVIDED BY ZOPE CORPORATION ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL ZOPE CORPORATION OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
| Application | Date | Frequency (MHz) | Equipment class | Purpose |
|---|---|---|---|---|
| 1 | 2018-01-29 | 5745 ~ 5825 | NII - Unlicensed National Information Infrastructure TX | Class II permissive change or modification of presently authorized equipment |
| 2 | 2017-11-30 | 5745 ~ 5825 | NII - Unlicensed National Information Infrastructure TX | Original Equipment |
| 3 | | 4950 ~ 4980 | TNB - Licensed Non-Broadcast Station Transmitter | |
| 4 | | 2412 ~ 2462 | DTS - Digital Transmission System | |
Applicant Information

| Field | Value |
|---|---|
| Effective | 2018-01-29; 2017-11-30 |
| Applicant's complete, legal business name | Extreme Networks, Inc. |
| FCC Registration Number (FRN) | 0019588359 |
| Physical Address | 6480 Via Del Oro, San Jose, California 95119, United States |
TCB Information

| Field | Value |
|---|---|
| TCB Application Email Address | T******@TIMCOENGR.COM; t******@siemic.com |
| TCB Scope | A4: UNII devices & low power transmitters using spread spectrum techniques; B2: General Mobile Radio And Broadcast Services equipment in the following 47 CFR Parts 22 (non-cellular) 73, 74, 90, 95, 97, & 101 (all below 3 GHz) |
FCC ID

| Field | Value |
|---|---|
| Grantee Code | QXO |
| Equipment Product Code | AP3917E |
Person at the applicant's address to receive grant or for contact

| Field | Value |
|---|---|
| Name | T******** W**** |
| Title | Regulatory Compliance Manager |
| Telephone Number | +1-60******** |
| Fax Number | 1-603******** |
| Email | w******@Extremenetworks.com |
Technical Contact: n/a

Non Technical Contact: n/a
Confidentiality (long or short term)

| Field | Value |
|---|---|
| Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules? | Yes |
| Long-Term Confidentiality: Does this application include a request for confidentiality for any portion(s) of the data contained in this application pursuant to 47 CFR § 0.459 of the Commission Rules? | No |

If no date is supplied, the release date will be set to 45 calendar days past the date of grant.
Cognitive Radio & Software Defined Radio, Class, etc.

| Field | Value |
|---|---|
| Is this application for software defined/cognitive radio authorization? | No |
| Equipment Class | NII - Unlicensed National Information Infrastructure TX; TNB - Licensed Non-Broadcast Station Transmitter; DTS - Digital Transmission System |
| Description of product as it is marketed (NOTE: This text will appear below the equipment class on the grant) | Wireless 802.11 a/ac+b/g/n Outdoor Access Point; Wireless 802.11 a/ac+b/g/n Access Point |
| Related OET KnowledgeDataBase Inquiry: Is there a KDB inquiry associated with this application? | Yes; No |
| Modular Equipment Type | Does not apply |
| Purpose / Application is for | Class II permissive change or modification of presently authorized equipment; Original Equipment |
| Composite Equipment: Is the equipment in this application a composite device subject to an additional equipment authorization? | Yes |
| Related Equipment: Is the equipment in this application part of a system that operates with, or is marketed with, another device that requires an equipment authorization? | No |
| Grant Comments | Power output listed is conducted. Device operates with specific antennas in MIMO configurations as described in this filing. This device must be professionally installed. Marketing to the General Public is prohibited. Responsible parties must be provided with antenna installation and operating instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 35 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter, except the collocation as described in this filing or in accordance with FCC multi-transmitter product guidelines. This is a 2x2 MIMO device and contains 20, 40, and 80 MHz bandwidth modes. |
| | Power output listed is conducted. Device operates with specific antennas in MIMO configurations as described in this filing. This device must be professionally installed. Marketing to the General Public is prohibited. Responsible parties must be provided with antenna installation and operating instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 35 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter, except the collocation as described in this filing or in accordance with FCC multi-transmitter product guidelines. This is a 2x2 MIMO device and contains 20, 40 and 80 MHz bandwidth. |
| | Power output listed is conducted. Device operates with specific antennas in MIMO configurations as described in this filing. This device must be professionally installed. Marketing to the General Public is prohibited. Responsible parties must be provided with antenna installation and operating instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 35 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter, except the collocation as described in this filing or in accordance with FCC multi-transmitter product guidelines. This is a 2x2 MIMO device and contains 5, 10 and 20 MHz bandwidth. |
| | Power output listed is conducted. Device operates with specific antennas in MIMO configurations as described in this filing. This device must be professionally installed. Marketing to the General Public is prohibited. Responsible parties must be provided with antenna installation and operating instructions to ensure RF exposure compliance. The antenna(s) used for this transmitter must be installed to provide a separation distance of at least 35 cm from all persons and must not be co-located or operating in conjunction with any other antenna or transmitter, except the collocation as described in this filing or in accordance with FCC multi-transmitter product guidelines. This is a 2x2 MIMO device and contains 20 and 40 MHz bandwidth. |
| Is there an equipment authorization waiver associated with this application? | No |
| If there is an equipment authorization waiver associated with this application, has the associated waiver been approved and all information uploaded? | No |
Test Firm Name and Contact Information

| Field | Value |
|---|---|
| Firm Name | Bureau Veritas CPS (H.K.) Ltd., Taoyuan Branch |
| Name | K******** L****** |
| Telephone Number | +886-******** Extension: |
| Fax Number | +886-******** |
| Email | k******@tw.bureauveritas.com |
Equipment Specifications

| Application | Line | Rule Parts | Grant Notes | Lower Frequency (MHz) | Upper Frequency (MHz) | Power Output (W) | Tolerance | Emission Designator | Microprocessor Number |
|---|---|---|---|---|---|---|---|---|---|
| 1 | 1 | 15E | CC MO | 5180 | 5240 | 0.41 | | | |
| 1 | 2 | 15E | CC MO | 5745 | 5825 | 0.424 | | | |
| 1 | 3 | 15E | CC MO | 5260 | 5320 | 0.248 | | | |
| 1 | 4 | 15E | CC MO | 5500 | 5720 | 0.245 | | | |
| 2 | 1 | 15E | 38 CC MO | 5180 | 5240 | 0.41 | | | |
| 2 | 2 | 15E | 38 CC MO | 5745 | 5825 | 0.424 | | | |
| 3 | 1 | 90Y | MO | 4942.5 | 4987.5 | 0.149 | 0.00002 % | 4M45G7D | |
| 3 | 2 | 90Y | MO | 4945 | 4985 | 0.169 | 0.00038 % | 9M00G7D | |
| 3 | 3 | 90Y | MO | 4950 | 4980 | 0.161 | 0.00023 % | 17M8G7D | |
| 4 | 1 | 15C | CC MO | 2412 | 2462 | 0.549 | | | |
| 4 | 2 | 15C | CC | 2402 | 2480 | 0.001 | | | |
| 4 | 3 | 15C | CC | 2405 | 2480 | 0.002 | | | |
Some individual PII (Personally Identifiable Information) available on the public forms may be redacted; the original source may include additional details.
This product uses the FCC Data API but is not endorsed or certified by the FCC